Wonders of the Digital Envelope

Presentation transcript:

Wonders of the Digital Envelope Computational complexity based cryptography Theoretical ideas behind e-commerce and the internet revolution

Lecture III - plan: Cryptography before computational complexity; The ambitions of modern cryptography; The assumptions of modern cryptography; The “digital envelope” and its power; Zero-knowledge proofs; Private communication; Oblivious computation.

Cryptography before computational complexity: secret communication, assuming shared information which no one else has.

What do we want to do? Here are the ambitions of modern cryptography

Modern Cryptography. The basic conflict between: Secrecy / Privacy and Resilience / Fault Tolerance. Tasks and the physical implements that serve them: Encryption - code books; Identification - driver license; Money transfer - notes, checks; Public bids - sealed envelopes. These two basic issues occur in lots of human interactions. Usually, physical implements were invented to deal with privacy & resilience.

Modern Cryptography: digitally, with no trusted parties. More tasks and implements: Info protection - locks; Poker game - playing cards; Public lottery - coins, dice; Sign contracts - lawyers. Goal: ALL of the tasks, NONE of the implements. We want to do everything digitally, with no physical implements (and no trusted parties).

What are we assuming? The axioms underlying modern cryptography

Axiom 1: Agents are computationally limited. Consequence 1: Only tasks having efficient algorithms can be performed. This can be defined in many ways; one common one is that agents can toss coins and compute for polynomial time (but other definitions make sense too, such as memory bounds).

Easy and Hard Problems (asymptotic complexity of functions). Multiplication: mult(23,67) = 1541; grade school algorithm: n^2 steps on n-digit inputs. EASY: can be performed quickly for huge integers. Factoring: factor(1541) = (23,67); best known algorithm: exp(n) steps on n digits. HARD? We don’t know! We’ll assume it. Axiom 2: Factoring is hard!

Axiom 1: Agents are computationally limited. Axiom 2: Factoring is hard. Easy: (p,q) → pq. Impossible: pq → (p,q). (p,q) and pq are information theoretically equivalent for primes p,q. However, computationally they are very different! Theorem: Axioms  digital

One-way functions. Axiom 1: Agents are computationally limited. Axiom 2’: There exist one-way functions E: computing x → E(x) is easy; recovering x from E(x) is impossible. Example: E(p,q) = pq, i.e. E is multiplication. We have other E’s. More generally, we can assume “one-way” functions, and multiplication is one of a few candidates for such a function that we have. Nature may provide others (but this is only an analogy): Nature’s one-way functions, such as the 2nd law of Thermodynamics, are easy in one direction and impossible in the other.

Properties of the Envelope (x → E(x), OPEN vs CLOSED): Easy to insert x (any value, even 1 bit). Hard to compute the content (even partial info). Impossible to change the content (E(x) defines x). Easy to verify that x is the content. Proving these properties from the axioms is very difficult (even defining them exactly is difficult). These definitions were initiated in the seminal paper of Goldwasser-Micali, “Probabilistic Encryption”, 1981. Theorem:  Cryptography

The power of the digital envelope: examples of increasing difficulty. Mind games of the 1980’s, before Internet & E-commerce were imagined. Theory came much before practice!

Public bid (players in one room). Bids: $130, $120, $150. Phase 1 (Commit): E(130), E(120), E(150). Phase 2 (Expose): 130, 120, 150. Everyone sees what everyone else does and hears whatever everyone else says. This is the simplest and most ideal application of real envelopes! Commitment protocol. Theorem:  Simultaneity

Public Lottery (on the phone), Blum 1981. Alice: if I get the car (else you do). Bob: flipping... You lost! What did you pick? Here the players are on the phone; they cannot see what the other is doing. They decide to toss a coin to see who gets the car. Can they do it? The envelope prevents Bob from seeing the value, but Alice can’t change her mind later. Theorem:  Symmetry breaking

Identification / Passwords. Public password file (Name, E(pswd)): alice, P_alice = E(…); avi, P_avi = E(einat); bob, P_bob = E(…). login: avi, password: einat. The password file can be public, since the envelopes do not reveal their contents (the passwords). On the other hand, the computer can quickly check that a candidate password is correct, by the envelope property (applying E is easy). Computer: 1. checks if E(pswd) = P_avi; 2. erases the password from the screen.
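The envelope used in the last three slides (public bid, coin flip on the phone, password file) can be built from a hash over a fresh random nonce. The following is an added example, not code from the lecture; bidder names, amounts and guesses are constructed, and the same opens_to check is what the computer performs on E(pswd) in the password slide.

```python
import hashlib
import secrets


def commit(value):
    """Seal a value in a digital envelope: SHA-256 over a fresh random nonce
    and the value. Hiding: without the nonce the hash reveals nothing about a
    short value. Binding: any other (nonce, value) pair hashes elsewhere."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + value.encode()).digest(), nonce


def opens_to(envelope, nonce, value):
    """Anyone can check an opened envelope, because applying E is easy."""
    return hashlib.sha256(nonce + value.encode()).digest() == envelope


def sealed_bids(bids):
    """Public bid in one room. Phase 1: every bidder commits before seeing the
    others. Phase 2: everyone opens; an opening that does not match its
    envelope is discarded. Returns the name of the highest valid bidder."""
    envelopes = {name: commit(str(amount)) for name, amount in bids.items()}
    valid = {}
    for name, amount in bids.items():
        envelope, nonce = envelopes[name]
        if opens_to(envelope, nonce, str(amount)):
            valid[name] = amount
    return max(valid, key=valid.get)


def coin_flip_on_the_phone(alice_guess, bob_coin):
    """Blum's lottery. Alice seals her guess; only then does Bob flip and
    announce his coin; finally Alice opens. Alice gets the car iff she guessed
    right: Bob cannot see the guess, and Alice cannot change it afterwards."""
    envelope, nonce = commit(alice_guess)           # sent to Bob first
    if not opens_to(envelope, nonce, alice_guess):  # Bob checks the opening
        raise ValueError("Alice's opening does not match her envelope")
    return alice_guess == bob_coin


def alice_cannot_change_her_mind():
    """Alice sealed 'heads', hears 'tails', and tries to open as 'tails'."""
    envelope, nonce = commit("heads")
    return not opens_to(envelope, nonce, "tails")
```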

Theorem:  Identification. Problem: Eavesdropping & repeated use! Wishful thinking: the computer should check if I know x such that E(x) = P_avi without actually getting x. We log in many times into the system, which is very different from the previous examples, where the critical information was of no use for anything after it was revealed. Someone may be (surely is) monitoring the communication line. It would be nice if we could convince the computer (or our bank, etc.) that we know our password without actually giving it (in this way, no one can copy it). Zero-Knowledge Proof: convincing, yet reveals no information.

Copyrights. Dr. Alice: I can prove Riemann’s Hypothesis. Prof. Bob: Impossible! What is the proof? Dr. Alice: Lemma… Proof… Lemma… Proof... Prof. Bob (aloud): Amazing!! I’ll recommend tenure. Prof. Bob (thinking): Amazing!! I’ll publish first. Another example where wishful thinking helps, as in any other situation where protecting intellectual rights is relevant.

Zero-Knowledge Proof (Goldwasser-Micali-Rackoff 1984). Setting: Alice and Bob both hold the “Claim”; Alice sends a “proof”; Bob outputs Accept/Reject. Formally defining zero-knowledge is quite complicated, but the intuition is simple. Alice and Bob both know the claim to be proven. They can each toss random coins. They interact for a few rounds, after which Bob decides to accept or reject the claim. Since they use randomness, Bob fails to detect a false claim only with an arbitrarily small probability (which he chooses, and which depends only on his coin tosses). If the “Claim” is true: Bob accepts, and Bob learns nothing. If the “Claim” is false: Bob rejects with high probability.

The universality of Zero-Knowledge (Goldreich-Micali-Wigderson 1986). Theorem: Everything you can prove at all, you can prove in Zero-Knowledge. We’ll see the intuition for the proof of this universality theorem in several stages. First, we’ll argue it for “map-coloring claims”, and demo a zero-knowledge proof for such claims. Then we explain why the ability to do that takes care of all possible mathematical claims.

ZK-proofs of Map Coloring. Input: planar map M. 4-COL: is M 4-colorable? YES! 3-COL: is M 3-colorable? HARD! Let’s look at different types of claims. We had “I know my password” and “I can prove the Riemann hypothesis”. Now: “I can color this map in 3 colors”. The famous 4-color theorem of Appel and Haken states that every planar map can be 4-colored (so a claim that a map is 4-colorable is not an interesting one; it is always true). Typical “claim”: map M is 3-colorable. Theorem [GMW]: Such claims have ZK-proofs.

I’ll prove this claim in zero-knowledge. Claim: This map is 3-colorable (with R, Y, G). Note: if I have any 3-coloring of any map, then I immediately have 6. This basic combinatorial property of colorings, namely that the colors can be renamed at random, will be essential.

Structure of proof: Repeat (until satisfied): - I hide a random one of my 6 colorings in digital envelopes. - You pick a pair of adjacent countries. - I open this pair of envelopes. - Reject if RR, YY, GG or an illegal color.

Zero-knowledge proof demo For each one of these colorings (encrypted by digital envelopes) which I chose randomly For each slide, do the following. First, you need to get out of presentation mode. Let the audience pick a pair of adjacent countries. Then drag the white covers of the envelopes, only on these two countries, to reveal the underlying colors. Don’t reveal the colors of any other country.

[Demo slides: the same map (countries A to Q) shown repeatedly, each time with a freshly renamed coloring hidden under envelope covers; only the two chosen adjacent countries are uncovered.]

Why is it a Zero-Knowledge Proof? Exposed information is useless (Bob learns nothing). M 3-colorable: Probability[Accept] = 1 (Alice always convinces Bob). M not 3-colorable: Prob[Accept] < .99 per trial, hence Prob[Accept in 300 trials] < 1/billion (Alice rarely convinces Bob). If the coloring was legal, and each time a random renaming out of the 6 possible ones was chosen: 1) ZK: at every step, only a pair of random distinct colors was exposed. 2) Bob would never find a reason to reject. But if the map is not 3-colorable, there must be either a pair of adjacent countries with the same color or an illegal color somewhere. If the pair is picked randomly, Bob catches this error with probability at least 1%. If he repeats it k times, the probability that he doesn’t catch an error drops exponentially, like 0.99^k, which becomes tiny very quickly.
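The protocol of the last few slides, run over a constructed toy map, as an added example that is not part of the lecture: hash-based envelopes, a random renaming of R/Y/G every round, a random border as Bob's challenge, the three rejection rules, and the per-round catch probability of at least 1/|E| for a false claim. All function and map names are my own.

```python
import hashlib
import random
import secrets

COLORS = ("R", "Y", "G")


def commit(value):
    """Digital envelope: SHA-256 over a fresh random nonce and the value."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + value.encode()).digest(), nonce


def opens_to(envelope, nonce, value):
    """Verifier's check that an opened envelope really held this value."""
    return hashlib.sha256(nonce + value.encode()).digest() == envelope


def zk_round(edges, coloring, rng):
    """One round of the GMW protocol; returns True iff the verifier accepts."""
    # Prover: pick one of the 6 renamings of R, Y, G at random and seal every country.
    renaming = dict(zip(COLORS, rng.sample(COLORS, 3)))
    renamed = {c: renaming.get(col, col) for c, col in coloring.items()}
    envelopes = {c: commit(col) for c, col in renamed.items()}
    # Verifier: choose a random pair of adjacent countries.
    u, v = rng.choice(edges)
    # Prover: open exactly those two envelopes; everything else stays sealed.
    opened = {u: renamed[u], v: renamed[v]}
    # Verifier: reject a bad opening, an illegal color, or RR / YY / GG.
    for country, col in opened.items():
        envelope, nonce = envelopes[country]
        if not opens_to(envelope, nonce, col) or col not in COLORS:
            return False
    return opened[u] != opened[v]


def zk_proof(edges, coloring, rounds, seed=None):
    """Repeat until satisfied: accept only if every round is accepted."""
    rng = random.Random(seed)
    return all(zk_round(edges, coloring, rng) for _ in range(rounds))


def cheating_survival_bound(num_edges, rounds):
    """A false claim has a bad pair among the |E| borders, so each round
    catches it with probability at least 1/|E|; this is the survival bound."""
    return (1 - 1 / num_edges) ** rounds


def simulated_view(edges, seed=None):
    """What Bob sees in a round can be produced without any coloring at all:
    a random border and two random distinct legal colors (the ZK intuition)."""
    rng = random.Random(seed)
    return rng.choice(edges), tuple(rng.sample(COLORS, 2))


# Constructed toy map: A, B, C border each other; D borders A and B.
MAP_3COL = [("A", "B"), ("A", "C"), ("B", "C"), ("A", "D"), ("B", "D")]
HONEST = {"A": "R", "B": "Y", "C": "G", "D": "G"}
# Adding the C-D border makes every country touch every other: not 3-colorable,
# so any "coloring" a prover offers has a monochromatic border (here C-D).
MAP_K4 = MAP_3COL + [("C", "D")]
CHEAT = dict(HONEST)
ILLEGAL = {"A": "R", "B": "Y", "C": "G", "D": "B"}   # "B" (blue) is not allowed

if __name__ == "__main__":
    print("honest prover accepted:", zk_proof(MAP_3COL, HONEST, 300, seed=1))
    print("cheating prover accepted:", zk_proof(MAP_K4, CHEAT, 300, seed=1))
    print("bound on surviving 300 rounds:", cheating_survival_bound(6, 300))
```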

What does it have to do with Riemann’s Hypothesis? Theorem: There is an efficient algorithm A that maps a “Claim” plus a “Proof length” to a map M such that the “Claim” is true iff M is 3-colorable, and a “Proof” translates to a 3-coloring of M. Here we use the fact that 3-coloring is NP-complete, which allows a translation of any problem with a short proof into a map coloring problem (as well as of the proof itself into a legal coloring) via the Cook-Levin theorem. A is the Cook-Levin “dictionary”, proving that 3-coloring is NP-complete.

Theorem [GMW]: + short proof  efficient ZK proof. The incredible utility of ZK protocols: they guarantee correct behavior of agents, despite the existence of secrets. Theorem [GMW]:  fault-tolerant protocols

Making any protocol fault-tolerant. Each player P_i holds a secret s_i. 1. P2 sends m1(s2). 2. P7 sends m2(s7, m1). 3. P1 sends m3(s1, m1, m2). A protocol is just a sequence of instructions (like a program), but for many players. Each should send a message, computed according to a specified rule (function), at the appropriate steps. The problem is how the others make sure a particular player sent the correct message; after all, it depends on his or her private secrets! We are oversimplifying here. The secrets s_i are encrypted beforehand via E(s_i). The properties of the envelope allow the players to use these short proofs without cheating, as they are committed to them. Suppose that in step 1 P2 sends X. How do we know that X = m1(s2)? s2 is a short proof of correctness! P2 proves correctness in zero-knowledge!!

So Far... Fault Tolerance (we can force players to behave well!) Privacy/Secrecy (even when all players behave well)

Private communication. Alice and Bob want to have a completely private conversation. They share no private information. Many in this audience have already faced and solved this problem often! Alice, Bob and their problems were born before cryptography! This famous 60’s movie is about discussing your feelings. Alice and Bob want to do so in a manner that will not allow Carol and Ted to understand a single word. They share no common private information.

Public-key encryption / E-commerce security. Diffie-Hellman, Merkle; Rivest-Shamir-Adleman, 1976-77. “I want to purchase ‘War and Peace’. My credit card number is 1111 2222 3333 4444.” This is the important idea of public-key cryptography, which initiated computationally based crypto. We need more than the digital envelope as we defined it, but rather “personal” envelopes E_A, E_B, E_C, one per person. E.g., Bob’s envelopes allow anyone to send him secret information which only he can understand. No prior shared information is needed, only the hardness of factoring (the famous RSA protocol). Personal digital envelope: x → E_B(x) is easy for everyone; E_B(x) → x is hard for everyone, but easy for Bob. Factoring is hard.

The Millionaires’ Problem. Both want to know who is richer. Neither gets any other information. Privacy problems exist even when there are no eavesdroppers! A, B are integers describing the wealth of these millionaires. They want to engage in a kind of “zero-knowledge” conversation which will reveal nothing to either, except who is richer: g(A,B) = 0 if A > B, and 1 if A ≤ B.

Computing with secret inputs. Elections: each voter i holds S_i = 0 (Democrats) or 1 (Republicans), and g = Majority over S_1, S_2, …, S_n names the winner. Here is another basic problem: elections. We want to do it digitally, so that everyone learns the outcome, but no user (or subset of users) learns anything more than can be inferred from their own secrets and the outcome. All players are honest. All players learn g(S1, S2, …, Sn). No subset learns anything more.

Yao 1987: Oblivious computation. How to compute natural functions privately? Generalize: try to do it for every function. Specialize: identify a universal function. Solve it (using special envelopes). Here is Yao’s famous “oblivious computation” solution to all these problems. (Yao did the 2-player case. It was generalized to any number of players in Goldreich-Micali-Wigderson 1987.)

Computation in small steps. Ignore privacy. Every g has a Boolean circuit of AND and OR gates computing g(inputs). First, we abstract and generalize, to attempt any function. Any function g has such a “Boolean circuit” (which is how you’d implement it in hardware). One needs to add a “negation” gate, but we’ll ignore it. If privacy is no issue, the players can evaluate the circuit gate by gate.

Computing with envelopes I. AND is universal. Alice holds bit a, Bob holds bit b; computing AND privately is possible with personal envelopes. The locality and simplicity of computation reveals that we should first somehow handle the basic steps, AND and OR. AND is a universal (complete) problem. If we manage to solve it “privately” (OR is dual, so similar), then we can compute any function privately! Yao shows how to do that with personal envelopes. It is an ingenious protocol, and defining exactly what it means to “compute with envelopes”, namely how the players jointly hold the value without any of them having access to it or the ability to change it, is complex. Axiom 2: Factoring is hard.
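One standard way to realize Yao's private AND with "envelopes" is a garbled gate; the following added example (not the lecture's code) builds and evaluates one. It assumes the step in which Bob obtains the label for his own bit without Alice learning it (oblivious transfer) and models that step as a direct lookup.

```python
import hashlib
import random
import secrets

LABEL = 16          # bytes per wire label
CHECK = bytes(16)   # zero block that marks the single row the evaluator can open


def garble_and_gate(rng=random):
    """Alice (the garbler) prepares the gate. Every wire a, b, o gets two secret
    labels, one standing for 0 and one for 1. For each of the four input
    combinations the correct output label is sealed under the two input labels."""
    labels = {w: (secrets.token_bytes(LABEL), secrets.token_bytes(LABEL)) for w in "abo"}
    table = []
    for x in (0, 1):
        for y in (0, 1):
            pad = hashlib.sha256(labels["a"][x] + labels["b"][y]).digest()  # 32-byte pad
            row = labels["o"][x & y] + CHECK
            table.append(bytes(p ^ q for p, q in zip(row, pad)))
    rng.shuffle(table)  # row order must not reveal which input combination is which
    return labels, table


def evaluate(table, label_a, label_b):
    """Bob (the evaluator) holds exactly one label per input wire and can
    therefore open exactly one row; the other rows look like random bytes."""
    pad = hashlib.sha256(label_a + label_b).digest()
    for row in table:
        plain = bytes(p ^ q for p, q in zip(row, pad))
        if plain[LABEL:] == CHECK:
            return plain[:LABEL]
    raise ValueError("no row opened: wrong labels")


def private_and(alice_bit, bob_bit):
    """Full exchange. Alice sends the table and the label for her own bit. Bob
    must obtain the label for HIS bit without Alice learning it; that
    oblivious-transfer step is assumed here and modelled as a direct lookup."""
    labels, table = garble_and_gate()
    bob_label = labels["b"][bob_bit]            # assumed: obtained via oblivious transfer
    out_label = evaluate(table, labels["a"][alice_bit], bob_label)
    # Alice reveals which output label stands for 1; no other envelope is opened.
    return int(out_label == labels["o"][1])
```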

Computing with envelopes II: g(inputs). Once we can do a basic step, we can do them all in sequence! At the end, the players have the ability to open the last envelope, the one they are interested in opening.

Summary. Practically every cryptographic task can be performed securely & privately, assuming that players are computationally bounded and factoring is hard. Computational complexity is essential! Hard problems can be useful! - The theory predated (& enabled) the Internet. - What if factoring is easy? We have (very) few alternatives. Major open question: Can cryptography be based on NP-complete problems?