Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCI 3130: Formal languages and automata theory Andrej Bogdanov The Chinese University of Hong Kong Interaction,

Published byCandice Golden Modified over 9 years ago

Similar presentations

Presentation on theme: "CSCI 3130: Formal languages and automata theory Andrej Bogdanov The Chinese University of Hong Kong Interaction,"— Presentation transcript:

1 CSCI 3130: Formal languages and automata theory Andrej Bogdanov http://www.cse.cuhk.edu.hk/~andrejb/csc3130 The Chinese University of Hong Kong Interaction, randomness, and zero-knowledge Fall 2011

2

3 Authentication What happens when you type in your password?

4 Naïve authentication The server knows your password So they can impersonate you at other web sites where you use the same password login: chief password: 123456 OK you server acme.com

5 “Zero-knowledge” authentication acme.com Can you convince the server that you know your password, without saying it? I know the password Can you prove it?

6 What is knowledge? Example 1: Tomorrow’s lottery numbers What is ignorance? (lack of knowledge) 2311272811 We are ignorant of them because they are random

7 What is ignorance? Example 2: A difficult homework problem Problem 4 (a) Show that P ≠ NP. (If you collect $1,000,000, give it to your CSCI 3130 instructor.) We are ignorant because it takes a lot of work to figure out the answer

8 Using ignorance to our advantage acme.com I know the password Prove it! You want to convince server you know the password, but you don’t want to reveal the password itself The server is convinced, but gains zero-knowledge! but I don’t want to say it!

9 I can convince you he is in there, without telling you where!

10 Zero-knowledge I can convince you that I know where he is But you have zero knowledge about how to find him!

11 A protocol for non-color-blindness You want to convince me you are not color-blind I pull at random either a red ball or a blue ball and show it to you You say red or blue We repeat this 10 times If you got all the answers right, I am convinced you know red from blue

12 Interaction and knowledge What knowledge did I gain from this interaction? I learned that you can tell red from blue But I also learned the colors of the balls in each glass Suppose I was color-blind Then I used you to gain some knowledge!

13 A different protocol box 1 box 2 I pull at random either a red ball or a blue ball and show it to you Each time, you say “same color as previous” or “different color from previous” We repeat 10 times If you got all the answers right, I am convinced you know red from blue But I did not gain any other knowledge!

14 Zero-knowledge Suppose I am color-blind but you are not In the first experiment, I cannot predict your answer ahead of time In the second one, I know what you will say, so I do not gain knowledge when you say it

15 Zero-knowledge proofs acme.com Oded GoldreichSilvio MicaliAvi Wigderson grrrrr!

16 Graph coloring Task: Assign one of 3 colors to the nodes so that every edge has different endpoints 3COL = {G: G has a valid 3-coloring } 3COL is NP -complete

17 GMW protocol: Choosing a password acme.com registration donald tsang chief@gmail.com your password will be a random string of colors  = {,, }

18 GMW protocol: Commitment phase Instead of sending the password to the server, you: 1 2 345 6 Construct a graph with vertices colored as in password Put some (random) edges between vertices of different colors Delete the colors of the vertices G donald tsang chief@gmail.com 1 2 34 5 6 1 2 34 5 6

19 GMW protocol: Commitment phase Your real password is the coloring, which you hide from the server You give the server a graph G that you know how to color, but the server doesn’t Since 3COL is hard, the server shouldn’t be able to figure out your coloring (password) from G

20 GMW protocol: Login phase Randomly permute the colors Lock each of the colors in a box The server picks a random edge and asks for the keys to boxes You send the requested keys The server unlocks the two boxes and checks the colors are different Repeat 100 times. Login succeeds if colors always different 1 2 34 5 6 email password chief@gmail.com 1 2 345 6 Send the locked boxes to server ✔

21 GMW protocol: Security Why can’t an impostor log in instead of you? 1 2 34 5 6 An impostor does not know how to color the graph Some edge will be colored improperly When the server asks to see this edge, impostor will be detected hello, I am ✘

22 GMW protocol: Zero-knowledge Why doesn’t the server learn your password? 1 2 34 5 6 When you send the password, the server can only see some locked boxes The server then asks you to unlock some boxes Colors in the password were shuffled, so server will only see two random colors!

23 But how do you send boxes and keys over the internet?

24

Download ppt "CSCI 3130: Formal languages and automata theory Andrej Bogdanov The Chinese University of Hong Kong Interaction,"

Similar presentations

A less formal view of the Kerberos protocol J.-F. Pâris.

A less formal view of the Kerberos protocol J.-F. Pâris.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
13.4 Map Coloring and the Four Color Theorem. We started this chapter by coloring the regions formed by a set of circles in the plane. But when do we.

13.4 Map Coloring and the Four Color Theorem. We started this chapter by coloring the regions formed by a set of circles in the plane. But when do we.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
1 Slides by Roel Apfelbaum & Eti Ezra. Enhanced by Amit Kagan. Adapted from Oded Goldreich’s course lecture notes.

1 Slides by Roel Apfelbaum & Eti Ezra. Enhanced by Amit Kagan. Adapted from Oded Goldreich’s course lecture notes.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Zero-Knowledge Proof System Slides by Ouzy Hadad, Yair Gazelle & Gil Ben-Artzi Adapted from Ely Porat course lecture notes.

Zero-Knowledge Proof System Slides by Ouzy Hadad, Yair Gazelle & Gil Ben-Artzi Adapted from Ely Porat course lecture notes.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Limitations.

CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Limitations.
CRYPTOGRAPHY WHAT IS IT GOOD FOR? Andrej Bogdanov Chinese University of Hong Kong CMSC 5719 | 6 Feb 2012.

CRYPTOGRAPHY WHAT IS IT GOOD FOR? Andrej Bogdanov Chinese University of Hong Kong CMSC 5719 | 6 Feb 2012.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
233-234233-234 Sedgewick & Wayne (2004); Chazelle (2005) Sedgewick & Wayne (2004); Chazelle (2005)

Sedgewick & Wayne (2004); Chazelle (2005) Sedgewick & Wayne (2004); Chazelle (2005)
Zero Knowledge Proofs. Interactive proof An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact.

Zero Knowledge Proofs. Interactive proof An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact.
Lecture 20: April 12 Introduction to Randomized Algorithms and the Probabilistic Method.

Lecture 20: April 12 Introduction to Randomized Algorithms and the Probabilistic Method.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Module 8 – Anonymous Digital Cash Blind Signatures DigiCash coins.

Module 8 – Anonymous Digital Cash Blind Signatures DigiCash coins.
233-234233-234 Sedgewick & Wayne (2004); Chazelle (2005) Sedgewick & Wayne (2004); Chazelle (2005)

Sedgewick & Wayne (2004); Chazelle (2005) Sedgewick & Wayne (2004); Chazelle (2005)

Similar presentations

Ads by Google