Moni Naor מוני נאור Cryptography and Sudoku

Cryptography and Sudoku
Moni Naor (מוני נאור), Weizmann Institute of Science
Joint work with: Ronen Gradwohl, Benny Pinkas, Guy Rothblum

What is Cryptography?
- Traditionally: how to maintain secrecy in communication
- Alice and Bob talk while Eve tries to listen
[Figure labels: Alice, Bob, Eve]

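Cryptography
- Very ancient occupation
- Biblical times: Atbash in Jeremiah: איך נלכדה ששך ותתפש תהלת כל הארץ איך היתה לשמה בבל בגויים ("How Sheshach is taken, and the praise of the whole earth seized! How Babylon has become a desolation among the nations!")
- Egyptian hieroglyphs: unusual ones ...
- Many interesting books and sources, especially about the Enigma (WW2)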

Modern Times
- Up to the mid 70's: classified military work
  - Exception: Shannon, Turing*
- Since then: explosive growth
  - Commercial applications
  - Scientific work: tight relationship with Computational Complexity Theory (the study of the resources needed to solve computational problems)
  - Major works: Diffie-Hellman, Rivest, Shamir and Adleman (RSA)
- Recently: more involved models for more diverse tasks
- How to maintain the secrecy, integrity and functionality in computer and communication systems
- Prevalence of the Internet:
  - Cryptography is in the news (daily!)
  - Cryptography is relevant to "everyone": security and privacy issues for individuals

Computational Complexity Theory
- Study the resources needed to solve computational problems: computer time, computer memory, communication, parallelism, randomness, …
- Identify problems that are infeasible to compute by any reasonable machine
- Taxonomy: classify problems into classes with similar properties with respect to the resource requirements
- Help find the most efficient algorithm for a problem
- A computational problem: multiplying two numbers, selecting a move in a chess position, finding the shortest tour visiting all cities
- P=NP?

The Crypto Arms Race: ~3000 BC - ~1980
[Figure: sequence of "Secure" System, "Break", "Secure" System+, "Break+", "Secure" System++, "Break++"]
- Traditional crypto: attack, defense
- Modern crypto (1976 -): defense, attack

Sudoku
- Fill in the empty entries in the grid so that every row, every column, and every 3 x 3 subgrid contains the digits 1 through 9.
- Can be generalized to an n × n grid, where n = k².
- The size of an instance is O(n² log(n)) bits.
- Nothing special about the numbers 1…9.

The Plot
- Paul: "I know the solution!"
- Veronica: "Oh yeah? Prove it!"
- Paul: "Well, I could show you, but… I don't want to tell you how to solve it…"

Zero-Knowledge Proofs
- Paul wants to prove that "A is true"
- [Figure: Paul and Veronica exchange messages: "Blah", "Blah?", "Blah!", "Oh!"]
- If "A is true": Veronica is convinced, but doesn't learn about A! She can't prove that "A is true".

Why Study Zero-Knowledge Proofs?
- Authentication: prove your identity to someone using secret information, without revealing the secret
- Force malicious adversaries to act according to protocol
  - Design protocol with benign adversaries. Then compile to withstand malicious ones
Why study zero-knowledge for Sudoku?
- It has nice properties
- It's educational: everybody knows Sudoku
- It's FUN!

Outline
- Definitions
- Physical model
- A basic protocol
- 2 variations

Interactive Proof
- Probabilistic protocol between 2 parties: Prover and Verifier
- Both know instance of a problem
- Prover might know a witness/solution
- Players "chat", and at the end, verifier accepts or rejects
- Completeness: probability that honest verifier accepts correct proof
- Soundness error: probability that verifier accepts incorrect proof

Zero-Knowledge Proof
- Interactive Proof
- Zero-knowledge property: whatever Verifier learned from Prover, could have learned by himself
  - Exists efficient Simulator that can simulate conversation, without access to Prover
- Zero-knowledge proof for all NP (the set of problems that have efficient verification)
  - Proof of 3-colorability
  - Proof for Hamiltonicity

Sudoku and Complexity
- Sudoku is in NP
  - Means: easy to verify solutions
  - In fact: Sudoku is NP Complete (not all that relevant)
- There are zero-knowledge proofs for all problems in NP. Therefore there is a ZK proof for Sudoku.
- Direct ZK proofs for Sudoku are preferable:
  - Efficiency: avoiding the overhead of the reduction
  - Practicality: implementable without the aid of computers
  - Understandability (by non-experts!): ensure that participants have intuitive understanding of the proof

Physical Objects
- Typical cryptographic metaphor: physical "locked box"
- Hard to find physical locked boxes that:
  - Can never be opened
  - Are readily available
  - Have transparent operation
- Tamper-evident seal:
  - Tampering is evident
  - Can open, but can't reseal
  - Scratch-off card, sealed envelope

Scratch-Off Cards
- Can't tell them apart (until unsealed)
- Can shuffle them effectively
  - Like picking a random permutation
- Can triplicate them
  - Stronger requirement
  - Used in perfect soundness protocol

Human Behavior
- Paul and Veronica are in same room
- Shuffling: Paul wants a fair shuffle, Veronica wants to make sure no cards were switched
- More benign adversary: either protocol works, or cheating player is labeled a "cheater"

Playing Cards
- Can use playing cards instead of scratch-off cards:
  - Sealing = turning card face down
  - Revealing = turning it face up
- Not really tamper evident
- Works when players in same room, watching each other

A Simple Physical Protocol
Flip coin: rows or columns?
- Props: 81 sealed scratch-off cards, and a board with 81 cells (like Sudoku)
- P places a sealed card on each cell, corresponding to his solution
- "Filled-in" values are unsealed
- V chooses one of rows/cols/subgrids
- P makes packet for each row, shuffles it
- V takes each packet, unseals cards, verifies that each contains cards 1…9
- If yes: accept, otherwise reject

Analysis
- Completeness: perfect
- Soundness: cheating P must cheat in one of rows, columns, or subgrids, so P is caught with probability ≥ 1/3
- Zero-knowledge: V only sees some permuted values of 1…9
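The round analysed above, as an added Python example (not from the original slides): a prover commits a grid, V's challenge selects rows, columns or subgrids, and a simulator produces an accepting view without any solution. The grid generator, the function names and the row-swap cheat are assumptions made for the illustration; the check that the unsealed filled-in cards match the puzzle is left out.

```python
import random
from fractions import Fraction

N = 9
CHALLENGES = ("rows", "columns", "subgrids")

def solved_grid():
    """Constructed sample: a valid solved grid built from a shifted pattern."""
    return [[(3 * (r % 3) + r // 3 + c) % N + 1 for c in range(N)] for r in range(N)]

def packets(grid, challenge):
    """Collect the 81 sealed cards into nine packets for V's challenge."""
    if challenge == "rows":
        return [list(row) for row in grid]
    if challenge == "columns":
        return [[grid[r][c] for r in range(N)] for c in range(N)]
    return [[grid[3 * (b // 3) + i][3 * (b % 3) + j] for i in range(3) for j in range(3)]
            for b in range(N)]

def prover_round(grid, challenge, rng):
    """P shuffles every packet, so V's view carries no cell positions."""
    view = packets(grid, challenge)
    for packet in view:
        rng.shuffle(packet)
    return view

def verifier_accepts(view):
    """V unseals each packet and checks that it holds exactly 1..9."""
    return all(sorted(packet) == list(range(1, N + 1)) for packet in view)

def simulate_view(rng):
    """Simulator: nine random permutations of 1..9, made without a solution."""
    return [rng.sample(range(1, N + 1), N) for _ in range(N)]

def catch_probability(grid, rng):
    """Exact one-round soundness: fraction of V's three challenges that reject."""
    rejected = sum(not verifier_accepts(prover_round(grid, ch, rng)) for ch in CHALLENGES)
    return Fraction(rejected, len(CHALLENGES))

def swap_in_row(grid, r, c1, c2):
    """Constructed cheat: swap two cells of row r, which breaks their columns."""
    bad = [row[:] for row in grid]
    bad[r][c1], bad[r][c2] = bad[r][c2], bad[r][c1]
    return bad
```

Swapping two cells inside one subgrid leaves rows and subgrids intact, so only the column challenge rejects and the cheat meets the 1/3 bound exactly.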

Better Soundness
- Props: 81 scratch-off cards
- P places 3 cards on each cell, corresponding to solution
- For each cell, V assigns each card to one of rows/cols/subgrids, collects to corresponding packet
- P shuffles each of 27 packets
- V takes each packet, unseals cards, verifies that each contains 1…9
- If yes: accept, otherwise reject

Analysis of Soundness
- P can no longer cheat as before
- New way to cheat: 3 cards on a cell are not the same value
- Say some cell gets 3 values, not all the same
  - One of three cards is different from others
  - Belongs to one of rows/cols/subgrids (otherwise P is always caught cheating)
  - V assigns card to correct row/col/subgrid with probability at most 1/3
  - ⇒ Cheating P caught with probability 2/3
- Actually: can show that P is caught with probability 8/9
  - At least 2 cells are mislabeled

Reducing Number of Shuffles
- Previous protocol required 27 shuffles. Too much!
- New protocol: same as before
  - 3 cards on each cell
  - V assigns each to row/col/subgrid
  - Make 27 packets
- For each packet, V assigns a random number 1…c
- For each i, P assembles all packets with number i
- P shuffles each of c piles
- V takes each pile, unseals cards, verifies that each contains correct number of cards 1…9
- If yes: accept, otherwise reject

Analysis
- Only c shuffles required
- Soundness:
  - With probability 8/9, some packet j is unbalanced
  - However, two unbalanced packets, if shuffled together, may balance each other
  - Suppose all packets except j are assigned to one of c piles
  - If piles are balanced, then assigning j will cause imbalance ⇒ P will be caught
  - If 2+ piles are unbalanced ⇒ P will be caught
  - If 1 pile is unbalanced, j will balance it only if assigned to it, with probability 1/c
  - ⇒ Cheating P is caught with probability 8(c-1)/(9c)
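An added Python example (not from the original slides) that computes exact catch probabilities for the three-card protocol and for its c-pile variant by enumerating V's choices. It assumes V hands each cell's three cards one each to the row, column and subgrid packets uniformly at random; the grid generator, the function names and the two-cell cheat are constructed for the illustration.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations, product

N = 9
ORDERS = list(permutations(range(3)))  # which card goes to (row, column, subgrid)

def solved_grid():
    """Constructed sample: a valid solved grid built from a shifted pattern."""
    return [[(3 * (r % 3) + r // 3 + c) % N + 1 for c in range(N)] for r in range(N)]

def place_cards(grid, swapped=()):
    """Three cards per cell. Each cell pair in `swapped` is a cheat: two cards
    show the partner's value and one shows the cell's own value."""
    cards = {(r, c): [grid[r][c]] * 3 for r in range(N) for c in range(N)}
    for p, q in swapped:
        vp, vq = grid[p[0]][p[1]], grid[q[0]][q[1]]
        cards[p], cards[q] = [vq, vq, vp], [vp, vp, vq]
    return cards

def unbalanced_packets(cards, orders):
    """Build the 27 packets for V's card assignment; return, for each packet
    that is not exactly 1..9, its surplus (+) and deficit (-) per value."""
    packets = [Counter() for _ in range(3 * N)]
    for (r, c), triple in cards.items():
        homes = (r, N + c, 2 * N + 3 * (r // 3) + c // 3)
        for home, idx in zip(homes, orders.get((r, c), ORDERS[0])):
            packets[home][triple[idx]] += 1
    diffs = [{v: p[v] - 1 for v in range(1, N + 1) if p[v] != 1} for p in packets]
    return [d for d in diffs if d]

def catch_probability(cards, piles=None):
    """Exact probability that V rejects. piles=None: V opens all 27 packets.
    piles=c: packets are merged into c random piles before unsealing."""
    mixed = [cell for cell, t in cards.items() if len(set(t)) > 1]
    caught = Fraction(0)
    for combo in product(ORDERS, repeat=len(mixed)):
        bad = unbalanced_packets(cards, dict(zip(mixed, combo)))
        if piles is None:
            caught += bool(bad)
            continue
        # Balanced packets cannot change a pile's balance, so only place the bad ones.
        rejected = 0
        for placing in product(range(piles), repeat=len(bad)):
            totals = [Counter() for _ in range(piles)]
            for diff, pile in zip(bad, placing):
                totals[pile].update(diff)
            rejected += any(v for t in totals for v in t.values())
        caught += Fraction(rejected, piles ** len(bad))
    return caught / len(ORDERS) ** len(mixed)
```

For the cheat `place_cards(solved_grid(), swapped=[((0, 0), (0, 1))])` the three-card protocol rejects with probability 8/9, and with c = 3 piles with probability 152/243, above the bound 8(c-1)/(9c) = 16/27. With a single pile this particular cheat is never caught, which matches the bound's value of 0 at c = 1.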

Perfect Soundness
- If 3 cards on each cell are guaranteed to have same value, cheating P would always get caught!
- Implementing triplicate:
  - With trusted setup: 3 cards (with same value) are connected and can be torn apart
  - Without trusted setup:
    - Use colors instead of numbers
    - Each card is a circle, prepared by P
    - V cuts each card into 3 equal pieces (randomly)
    - If card was not uniformly colored, random cut will reveal non-uniformity when card is scratched

Perfect Soundness with a trusted copy machine
- Prepare three copies of the solution. Puzzle should be printed on the back.
  - One copy is cut along the rows
  - One copy is cut along the columns
  - One copy is cut along the subgrids
- Each strip is then cut into cells
- The cells are shuffled (or sorted by the prover)
- Verifier checks that:
  - All values 1…9 are there
  - The "filled-in" cells have the same values on both sides, to prove that the correct puzzle was solved

Cryptographic Protocols
[Figure labels: ALICE, BOB, Protocols]
- Zero-knowledge proofs
- Secure computation
- Encryption
- Authentication
- Digital signatures
- Cryptographic protocols: proceed by exchanging digital messages
- Assumptions needed: existence of a one-way function

Open problems:
- Implement physical protocol over the mail?
  - Parties need not be in the same room
  - Possible to implement commitments from scratch-off cards. However, an amplification stage requires many repetitions
  - Not easy for humans
- Other puzzles?

Cryptography Today
- Cryptography is a very active research area
- Research activities range:
  - Providing firm foundations: relationship with complexity theory
  - Providing actual constructions and analysis for specific needs
- Some recent topics:
  - Obfuscation of programs
  - Maintaining privacy of released data
  - Voting schemes

Any questions?

Based on: R. Gradwohl, M. Naor, B. Pinkas and G. Rothblum, Cryptographic and Physical Zero-Knowledge Proof Systems for Solutions of Sudoku Puzzles, FUN 2007. Available: www.wisdom.weizmann.ac.il/~naor/PAPERS/sudoku_abs.html

Thank you תודה רבה