Published by Reginald Jennings. Modified over 9 years ago.
1
Wonders of the Digital Envelope
Avi Wigderson
Institute for Advanced Study
2
Modern Cryptography
Secrecy / Privacy
Resilience / Fault Tolerance
Tasks | Implements
Encryption | Code books
Identification | Driver License
Money transfer | Notes, checks
Public bids | Sealed envelopes
3
Modern Cryptography
Tasks | Implements
Information protection | Locks
Poker game | Play cards
Public lottery | Coins, dice
Sign contracts | Lawyers
ALL / NONE
No trusted parties
4
Complexity Based Cryptography
TIME(multiply) = $n^2$: 23, 67 to 1541
TIME(factor) = $2^n$: 1541 to 23, 67
Axiom 2: Factoring is computationally hard
Axiom 1: Players are computationally limited
n = binary input length, TIME = grows slowly with n
Axiom 0: Players can toss coins
5
Axiom 2: There exist one-way functions:
x to f(x): Easy
f(x) to x: Hard
Theorem: One way function digital that
6
Properties of the Envelope
x, f(x)
Easy to insert x (any value, even 1 bit)
Hard to compute content (even partial information)
Impossible to change content (f(x) defines x)
Easy to verify that x is the content
Cryptography Theorem :
OPEN / CLOSED
7
Public bid (players in one room)
Players: $P_1$ ($130), $P_2$ ($120), $P_3$ ($150)
Phase 1: Commit: f(130), f(120), f(150)
Phase 2: Expose: 130, 120, 150
Theorem: Simultaneity
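The commit and expose phases of the public bid, as an added example that is not part of the original slides. It assumes SHA-256 as a stand-in for the one-way function f and adds a random salt to each envelope, because a bare f(130) over a small range of bids can be found by trying every bid; the function names are hypothetical.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

def seal(bid: int, salt: bytes) -> bytes:
    """f(salt, bid): SHA-256 stands in for the slide's one-way function (assumption)."""
    return hashlib.sha256(salt + bid.to_bytes(8, "big")).digest()

def commit(bid: int) -> tuple[bytes, bytes]:
    """Phase 1: publish the envelope, keep (bid, salt) private."""
    salt = secrets.token_bytes(32)
    return seal(bid, salt), salt

def verify(envelope: bytes, bid: int, salt: bytes) -> bool:
    """Phase 2: anyone can recompute the envelope from the opened bid."""
    return hmac.compare_digest(envelope, seal(bid, salt))

def search_unsalted(envelope: bytes, max_bid: int) -> int | None:
    """A bare f(bid) hides nothing when bids are guessable: try them all."""
    for guess in range(max_bid + 1):
        if hmac.compare_digest(envelope, seal(guess, b"")):
            return guess
    return None

def run_auction(bids: dict[str, int]) -> tuple[str, int]:
    """Commit every bid, then open and check every envelope before ranking."""
    private = {p: commit(b) for p, b in bids.items()}
    board = {p: env for p, (env, _) in private.items()}   # public after phase 1
    for player, bid in bids.items():
        if not verify(board[player], bid, private[player][1]):
            raise ValueError(f"{player} opened a bid that does not match")
    winner = max(bids, key=lambda p: bids[p])
    return winner, bids[winner]

if __name__ == "__main__":
    # Bids from the slide: P1 $130, P2 $120, P3 $150.
    print(run_auction({"P1": 130, "P2": 120, "P3": 150}))
```

The salted envelope keeps the slide's properties: the bid cannot be changed after phase 1, and nothing about it leaks before phase 2.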
8
Public Lottery (on the phone)
Alice, Bob
Bob: flipping... You lost!
Theorem: Symmetry breaking
Alice: if I get the car (otherwise you do)
What did you pick?
Bob: flipping...
9
Identification - Password
Public passwd file:
Name | f(pswd) | …
alice | $P_{alice}$ | …
avi | $P_{avi}$ = f(einat) | …
bob | $P_{bob}$ | …
login: avi
password: einat
Computer:
1 checks if f(pswd) = $P_{avi}$
2 erases password from screen.
10
Theorem: Identification
Problem: repeated use!
Computer should check if I know x such that f(x) = $P_{avi}$ without getting x
Zero-Knowledge Proof:
Convincing
Reveals no information
11
Copyrights
Dr. Alice: I can prove the Riemann Hypothesis
Dr. Alice: Lemma…Proof…Lemma…Proof...
Prof. Bob: Impossible! What is the proof?
Prof. Bob: Amazing!! I will recommend tenure
12
Zero-Knowledge Proof
“Claim”
Bob, Alice (“proof”)
Accept/Reject
With high probability:
“Claim” false: Bob rejects
“Claim” true: Bob accepts
Bob learns nothing
13
Map Coloring
Input: planar map G
4-COL: is G 4-colorable? YES!
3-COL: is G 3-colorable? HARD!
14
Why is it a Zero-Knowledge Proof?
Exposed information is useless (Bob learns nothing)
G 3-colorable: Probability[Accept] = 1 (Alice always convinces Bob)
G not 3-colorable: Probability[Accept] < .99
Prob[Accept in 300 experiments] < 1/billion (Alice rarely convinces Bob)
Why did you let me use physical implements?
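One experiment of the map-coloring proof with digital envelopes in place of physical ones, as an added example that is not part of the original slides. The transcript does not carry the rounds themselves, so this uses the standard commit, challenge, open round; SHA-256 with a salt is an assumed stand-in for f, and the map, colorings and function names are constructed.

```python
import hashlib
import hmac
import secrets

rng = secrets.SystemRandom()

def seal(color, salt):
    """Envelope for one region's colour; SHA-256 is an assumed stand-in for f."""
    return hashlib.sha256(salt + bytes([color])).digest()

def prover_commit(coloring):
    """Alice renames the three colours at random, then seals every region."""
    perm = rng.sample(range(3), 3)
    hidden = {v: (perm[c], secrets.token_bytes(16)) for v, c in coloring.items()}
    envelopes = {v: seal(c, salt) for v, (c, salt) in hidden.items()}
    return envelopes, hidden

def verifier_check(envelopes, edge, openings):
    """Bob accepts iff both envelopes open correctly to two different colours."""
    for v in edge:
        color, salt = openings[v]
        if color not in (0, 1, 2):
            return False
        if not hmac.compare_digest(envelopes[v], seal(color, salt)):
            return False
    return openings[edge[0]][0] != openings[edge[1]][0]

def run_round(edges, coloring, challenge=None):
    """One experiment: commit, Bob names a border, Alice opens its two regions."""
    envelopes, hidden = prover_commit(coloring)
    edge = challenge if challenge is not None else rng.choice(edges)
    return verifier_check(envelopes, edge, {v: hidden[v] for v in edge})

def accept_probability(edges, coloring):
    """Share of Bob's possible challenges that this colouring survives."""
    return sum(run_round(edges, coloring, e) for e in edges) / len(edges)

# Constructed map: 4 regions, 5 borders. BAD gives regions 0 and 3 one colour.
EDGES = [(0, 1), (1, 2), (2, 0), (2, 3), (3, 0)]
GOOD = {0: 0, 1: 1, 2: 2, 3: 1}
BAD = {0: 0, 1: 1, 2: 2, 3: 0}
```

Bob only ever sees two different, freshly renamed colors, which he could have picked himself. A prover holding BAD survives one round with probability 4/5 on this map, and k independent rounds with probability (4/5)^k.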
15
What does it have to do with the Riemann Hypothesis?
Theorem: There exists an efficient algorithm A:
“Claim” + “Proof length” -> A -> Map G
“Claim” true | G 3-colorable
“Proof” | A 3-coloring of G
16
Theorem: + short proof efficient ZK proof
Theorem: fault tolerant protocols
17
Making any protocol fault-tolerant
Players and secrets: $P_2$ ($s_2$), $P_7$ ($s_7$), $P_1$ ($s_1$), $P_3$ ($s_3$)
1. $P_2$: $m_1 = g_1(s_2)$
2. $P_7$: $m_2 = g_2(s_7, m_1)$
3. $P_1$: $m_3 = g_3(s_1, m_1, m_2)$
$g_i$ easy to compute, $m_i$ public knowledge, $s_i$ secret
18
Problem: Did $P_1$ cheat in step 3?
i.e. does $m_3 = g_3(s_1, m_1, m_2)$ ??
Solution: The claim “$m_3 = g_3(s_1, m_1, m_2)$” has a short proof! Which is ….
$s_1$
$P_1$ will prove it in Zero-Knowledge!
19
So Far...
Fault Tolerance (we can force players to behave well!)
? Privacy/Secrecy (cannot prevent listening)
20
Public Key Encryption
Alice, Bob: undecipherable communication line
Eavesdropper: listens, does not understand
even if Alice & Bob never met before
21
Computing Functions on Secret Inputs
g
$P_1$: $x_1$, $P_2$: $x_2$, ..., $P_n$: $x_n$
Example: Ballot, g = Majority
The players $P_i$ are honest.
All players learn $g(x_1, x_2, \ldots, x_n)$
No subset learns anything more
22
The Millionaires’ Problem
Alice (A), Bob (B)
Both want to know who is richer
Neither gets any other information
23
AND (Alice: a, Bob: b)
a \ b | 0 | 1
0 | 0 | 0
1 | 0 | 1
Possible with personal
24
How to ensure Privacy
Oblivious Computation
[Figure: diagram computing g(inputs) on bit values]
25
Theorem: every “game”, with any secrecy requirements, can be implemented
personal
Game Theory: description of partial information games in extensive form
26
Trap-Door Function (personal envelope)
x to $f_B(x)$: Easy for all
$f_B(x)$ to x: Easy for Bob, Hard for others
Book of Functions (Public): … Alice $f_A$ … Bob $f_B$ ...
New axiom: there exist personal
Factoring is hard
27
Information Sets
Player’s action depends only on its information set
[Figure: diagram with nodes labelled Nature, Alice and Bob]
28
Completeness Theorems
Every game with: n players, s listeners, t faults can be implemented if:
Players are computationally limited*
Trap-door functions exist
s n, t n/2
* $P_i$, $P_j$ communicate over a secure line i,j
s n/2, t n/3
No limit on Computation
Information Theoretic Security
29
Digital Signature
Bob signs document m with signature y:
(m, y)
Easy for anyone to check
Hard for everyone else to forge
30
Oblivious Transfer
“AND” protocol
Alice: $x_A$
Bob: b = $x_B$
0 01 0 01
31
XOR (+) (Alice: a, Bob: b)
a \ b | 0 | 1
0 | 0 | 1
1 | 1 | 0
Trivial!
AND (Alice: a, Bob: b)
a \ b | 0 | 1
0 | 0 | 0
1 | 0 | 1
Possible with personal
32
Any efficient function g
[Figure: g built from + gates over $x_A$, $y_A$, $z_B$, $x_B$, $y_b$]
Many players:
Secret sharing
Computing with shares
personal
33
Oblivious computation: any efficient function g
[Figure: diagram computing g(inputs) on bit values]
34
Oblivious computation: any efficient function g
[Figure: diagram computing g(inputs) on bit values]