Wonders of the Digital Envelope
Avi Wigderson, Institute for Advanced Study
Modern Cryptography
Secrecy / Privacy; Resilience / Fault Tolerance
Task: Implemented with
Encryption: Code books
Identification: Driver license
Money transfer: Notes, checks
Public bids: Sealed envelopes
Information protection: Locks
Poker game: Playing cards
Public lottery: Coins, dice
Sign contracts: Lawyers
Goal: ALL of these tasks, with NONE of the trusted parties.
Complexity-Based Cryptography
Axiom 0: Players can toss coins.
Axiom 1: Players are computationally limited. n = binary input length; TIME grows slowly with n. TIME(multiply) = n^2 (easy).
Axiom 2: Factoring is computationally hard. TIME(factor) = 2^n (hard).
One-way function: x -> f(x) is easy to compute; f(x) -> x is hard.
Axiom 2: There exist one-way functions.
Theorem: one-way function => digital envelope.
Properties of the Envelope f(x)
Easy to insert x (any value, even 1 bit).
Hard to compute content (even partial information).
Impossible to change content (f(x) defines x).
Easy to verify that x is the content.
Cryptography theorem: the envelope is either CLOSED (only f(x) is visible) or OPEN (x revealed).
Public bid (players in one room)
Phase 1 (Commit): P_1 publishes f(130), P_2 publishes f(120), P_3 publishes f(150).
Phase 2 (Expose): P_1 reveals $130, P_2 reveals $120, P_3 reveals $150.
Theorem: Simultaneity
Public Lottery (on the phone)
Alice: [sends a sealed envelope with her pick] If it comes up, I get the car (otherwise you do).
Bob: flipping... What did you pick?
Alice: [opens the envelope]
Bob: You lost!
Theorem: Symmetry breaking
Identification - Password
Public passwd file (Name, f(pswd)): ... alice: P_alice ... avi: P_avi = f(einat) ... bob: P_bob ...
login: avi
password: einat
Computer: 1. checks if f(pswd) = P_avi; 2. erases password from screen.
Theorem: Identification
Problem: repeated use!
Computer should check if I know x such that f(x) = P_avi, without getting x.
Zero-Knowledge Proof: convincing, yet reveals no information.
Copyrights
Dr. Alice: I can prove the Riemann Hypothesis.
Prof. Bob: Impossible! What is the proof?
Dr. Alice: Lemma... Proof... Lemma... Proof...
Prof. Bob: Amazing!! I will recommend tenure.
Zero-Knowledge Proof
Alice ("proof") <-> Bob, about a "Claim"; Bob outputs Accept/Reject.
With high probability: "Claim" false => Bob rejects; "Claim" true => Bob accepts; Bob learns nothing.
Map Coloring
Input: planar map G. 4-COL: is G 4-colorable? YES! 3-COL: is G 3-colorable? HARD!
Why is it a Zero-Knowledge Proof?
Exposed information is useless (Bob learns nothing).
G 3-colorable: Probability[Accept] = 1 (Alice always convinces Bob).
G not 3-colorable: Probability[Accept] < .99; Prob[Accept in 300 experiments] < 1/billion (Alice rarely convinces Bob).
Why did you let me use physical implements?
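The envelope-based 3-coloring proof behind these slides (Alice seals a freshly relabeled coloring of G, Bob asks her to open the two ends of one random edge), as an added Python simulation that is not part of the original talk. SHA-256 over a random nonce stands in for the envelope f(x), and the graph, colorings, seed and round count are constructed sample values.

```python
import hashlib
import random

# Constructed sample graph: a triangle plus one pendant vertex, and a valid 3-coloring.
EDGES = [(0, 1), (1, 2), (0, 2), (2, 3)]
GOOD_COLORING = {0: 0, 1: 1, 2: 2, 3: 0}
# A cheating prover's "coloring": edge (0, 1) gets the same color on both ends.
BAD_COLORING = {0: 0, 1: 0, 2: 1, 3: 2}

def seal(color, rng):
    """Digital envelope f(x): SHA-256 over a fresh 128-bit nonce and the color byte.
    The nonce hides the content; collision resistance makes it impossible to change."""
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(nonce + bytes([color])).hexdigest(), nonce

def opens_to(envelope, color, nonce):
    """Bob re-seals the claimed content and checks that it matches the envelope."""
    return hashlib.sha256(nonce + bytes([color])).hexdigest() == envelope

def zk_round(edges, coloring, rng):
    """One round: Alice seals a randomly relabeled coloring, Bob opens one edge."""
    perm = [0, 1, 2]
    rng.shuffle(perm)  # fresh relabeling: the opened pair is always a random pair of distinct colors
    colors = {v: perm[c] for v, c in coloring.items()}
    envelopes = {v: seal(c, rng) for v, c in colors.items()}  # Alice publishes every f(x_v)
    u, v = rng.choice(edges)  # Bob chooses only after all envelopes are closed
    (env_u, nonce_u), (env_v, nonce_v) = envelopes[u], envelopes[v]
    # Alice opens just the two endpoints; Bob verifies both openings and that the colors differ.
    return (opens_to(env_u, colors[u], nonce_u)
            and opens_to(env_v, colors[v], nonce_v)
            and colors[u] != colors[v])

def run_proof(edges, coloring, rounds, seed):
    """Bob accepts only if every round passes; the seed stands in for the players' coin tosses."""
    rng = random.Random(seed)
    return all(zk_round(edges, coloring, rng) for _ in range(rounds))

def cheater_escape_bound(edges, rounds):
    """A non-3-colorable G has a bad edge in every coloring, so each round catches a cheating
    prover with probability at least 1/|E|; this is the chance of surviving all rounds."""
    return (1 - 1 / len(edges)) ** rounds

if __name__ == "__main__":
    print("honest prover accepted:", run_proof(EDGES, GOOD_COLORING, 300, 2024))
    print("cheating prover accepted:", run_proof(EDGES, BAD_COLORING, 300, 2024))
    print("cheater escape bound after 300 rounds:", cheater_escape_bound(EDGES, 300))
```

The per-round relabeling is what makes the exposed information useless to Bob: whatever edge he opens, he sees a uniformly random pair of distinct colors.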
What does it have to do with the Riemann Hypothesis?
Theorem: There exists an efficient algorithm A mapping ("Claim" + "Proof length") to a map G such that: "Claim" true <=> G is 3-colorable, and A turns a "Proof" into a 3-coloring of G.
Theorem: claim with a short proof => efficient ZK proof.
Theorem: ZK proofs => fault-tolerant protocols.
Making any protocol fault-tolerant
Players P_1, P_2, P_3, P_7, ... each hold a secret s_i.
1. P_2: m_1 = g_1(s_2)
2. P_7: m_2 = g_2(s_7, m_1)
3. P_1: m_3 = g_3(s_1, m_1, m_2)
g_i easy to compute; m_i public knowledge; s_i secret.
Problem: Did P_1 cheat in step 3? I.e., does m_3 = g_3(s_1, m_1, m_2)??
Solution: The claim "m_3 = g_3(s_1, m_1, m_2)" has a short proof! Which is... s_1. So P_1 will prove it in Zero-Knowledge!
So Far...
Fault Tolerance: done (we can force players to behave well!)
Privacy / Secrecy: ? (cannot prevent listening)
Public Key Encryption: an undecipherable communication line between Alice and Bob.
Eavesdropper: listens, does not understand, even if Alice & Bob never met before.
Computing Functions on Secret Inputs
Players P_1, ..., P_n hold inputs x_1, ..., x_n and want to compute g.
Example: Ballot, g = Majority.
The players P_i are honest. All players learn g(x_1, x_2, ..., x_n); no subset learns anything more.
The Millionaires' Problem
Alice has A, Bob has B. Both want to know who is richer; neither gets any other information.
Alice holds bit a, Bob holds bit b. AND: possible with personal envelopes.
How to ensure Privacy: Oblivious Computation. (Circuit diagram: gates applied to input bits 0, 1, 1, producing g(inputs) = 1.)
Theorem: every "game", with any secrecy requirements, can be implemented with personal envelopes.
Game Theory: description of partial-information games in extensive form.
Trap-Door Function (personal envelope)
x -> f_B(x): easy for all. f_B(x) -> x: easy for Bob, hard for others.
Public Book of Functions: ... Alice: f_A ... Bob: f_B ...
New axiom: there exist personal envelopes. (Factoring is hard.)
(Game tree: moves by Nature, Alice and Bob, with Information Sets.) A player's action depends only on its information set.
Completeness Theorems
Every game with n players, s listeners, t faults can be implemented if:
(a) Players are computationally limited* and trap-door functions exist: s < n, t < n/2.
(b) No limit on computation (Information Theoretic Security): s < n/2, t < n/3.
* P_i, P_j communicate over a secure line, for all i, j.
Digital Signature
Bob signs document m with signature y. The pair (m, y) is easy for anyone to check, and hard for everyone else to forge.
Oblivious Transfer ("AND" protocol): Alice holds x_A, Bob holds b = x_B.
XOR (a + b): Alice holds a, Bob holds b. Trivial!
AND: Possible with personal envelopes.
Any efficient function g. (Circuit diagram: g built from + gates over Alice's shares x_A, y_A and Bob's shares x_B, y_B, output z_B.)
Many players: secret sharing; computing with shares; personal envelopes.
Oblivious computation: any efficient function g. (Circuit diagram producing g(inputs) = 1.)