Wonders of the Digital Envelope Avi Wigderson Institute for Advanced Study

Modern Cryptography Secrecy / Privacy Resilience / Fault Tolerance TasksImplements Encryption Code books Identification Driver License Money transfer Notes, checks Public bids Sealed envelopes

Modern Cryptography TasksImplements Information protection Locks Poker game Play cards Public lottery Coins, dice Sign contracts Lawyers ALLNONE No trusted parties

Complexity Based Cryptography TIME (multiply) = n 2 23, P P TIME (factor) = 2  n 23, Axiom 2: Factoring is computationally hard Axiom 1: Players are computationally limited n = binary input length, TIME = grows slowly with n Axiom 0 : Players can toss coins

xf(x) Easy Hard Theorem: One way function  digital that Axiom 2: There exist one-way functions:

Properties of the Envelope f(x) x Easy to insert x (any value, even 1 bit) Hard to compute content (even partial information) Impossible to change content (f(x) defines x) Easy to verify that x is the content  Cryptography Theorem : OPENCLOSED

Public bid (players in one room) Phase 1: Commit Phase 2: Expose P1P1 $130 P2P2 $120 P3P3 f(130)f(120)f(150) Theorem:  Simultaneity $150

Public Lottery (on the phone) AliceBob Bob: flipping... You lost! Theorem:  Symmetry breaking Alice: if I get the car (otherwise you do) What did you pick?Bob: flipping...

Identification - Password Public passwd file Namef(pswd)… aliceP alice… aviP avi =f(einat)… bobP bob… Computer 1 checks if f(pswd) = P avi 2 erases password from screen. login:avi password:einat

Theorem:  Identification Problem: repeated use! Computer should check if I know x such that f(x)=P avi without getting x Zero-Knowledge Proof: Convincing Reveals no information

Copyrights Dr. Alice: I can prove the Riemann Hypothesis Dr. Alice: Lemma…Proof…Lemma…Proof... Prof. Bob: Impossible! What is the proof? Prof. Bob: Amazing!! I will recommend tenure

Zero-Knowledge Proof “Claim” BobAlice (“proof”) Accept/Reject “Claim” false   Bob rejects “Claim” true  Bob accepts Bob learns nothing With high probability }

Map Coloring Input: planar map G 4-COL: is G 4-colorable? 3-COL: is G 3-colorable? YES! HARD!

Why is it a Zero-Knowledge Proof? Exposed information is useless (Bob learns nothing) G 3-colorable  Probability[Accept] =1 (Alice always convinces Bob) G not 3-colorable  Probability[Accept] <.99  Prob[Accept in 300 experiments]<1/billion (Alice rarely convince Bob) Why did you let me use physical implements?

What does it have to do with the Riemann Hypothesis? Theorem: There exists an efficient algorithm A: A “Claim” + “Proof length” Map G “Claim” trueG 3-colorable “Proof” A 3 coloring of G

Theorem: + short proof  efficient ZK proof  Theorem:  fault tolerant protocols

Making any protocol fault-tolerant 1. P 2 : m 1 =g 1 (s 2 ) 2. P 7 : m 2 =g 2 (s 7,m 1 ) 3. P 1 : m 3 =g 3 (s 1,m 1,m 2 ) P2P2 s2s2 P7P7 s7s7 P1P1 s1s1 P3P3 s3s3 g i easy to compute, m i public knowledge s i secret

Problem: Did P 1 cheat in step 3? i.e. does m 3 =g 3 (s 1,m 1,m 2 ) ?? Solution: The claim “m 3 =g 3 (s 1,m 1,m 2 )” has a short proof! Which is …. P 1 will prove it in Zero-Knowledge! s1s1

So Far... Fault Tolerance (we can force players to behave well!) ?Privacy/Secrecy (cannot prevent listening)

Undecipherable communication line Public Key Encryption AliceBob Eavesdropper: listens, does not understand even if Alice & Bob never met before

Computing Functions on Secret Inputs g... X1P1X1P1 X2P2X2P2 XnPnXnPn Example: Ballot g = Majority The players P i are honest. All players learn g(x 1,x 2,…x n ) No subset learns anything more

The Millionaires’ Problem AliceBob BA Both want to know who is richer Neither gets any other information

a Alice b Bob AND Possible with personal

How to ensure Privacy Oblivious Computation 011 g(inputs) V V V V V V 1

Theorem:  every “game”, with any secrecy requirements, can be implemented personal Game Theory: description of partial information games in extensive form

Trap-Door Function (personal envelope) xf B (x) Easy for all Book of Functions … Alice f A … Bob f B... Public New axiom: there exist personal Easy for Bob Hard for others Factoring is hard 

... Nature... Alice Nature... Alice Bob Information Sets Player’s action depends only on its information set

Completeness Theorems Every game with: n players, s listeners, t faults can be implemented if: Players are computationally limited* Trap-door functions exist s  n,t  n/2 * P i, P j communicate over a secure line  i,j s  n/2,t  n/3 No limit on Computation Information Theoretic Security

Digital Signature Bob signs document m with signature y: Easy for anyone to check Hard for everyone else to forge (m, y)

Oblivious Transfer “AND” protocol xAxA Alice b=x B Bob

+ a Alice b Bob XOR a Alice b Bob AND Trivial! Possible with personal

Any efficient function g g + ++ xAxA yAyA zBzB xBxB ybyb Many players: Secret sharing Computing with shares personal

Oblivious computation: any efficient function g g(inputs)    1

Oblivious computation: any efficient function g g(inputs)    1