1 / 55

Information Magic: Zero-Knowledge

Great Theoretical Ideas In Computer Science. Information Magic: Zero-Knowledge. Lecture 27. 15-251. n=pq. I know the factors of n. Prove it!. Odette. Bonzo. p,q. pq=n, yes you proved it. Odette. Bonzo. p,q. pq=n, yes you proved it. Bonzo knows: The factors of n

kevinthomas
Download Presentation

Information Magic: Zero-Knowledge

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Great Theoretical Ideas In Computer Science InformationMagic: Zero-Knowledge Lecture 27 15-251

  2. n=pq I know the factors of n. Prove it! Odette Bonzo

  3. p,q pq=n, yes you proved it. Odette Bonzo

  4. p,q pq=n, yes you proved it. • Bonzo knows: • The factors of n • Odette knows the factors of n Odette Bonzo

  5. GOAL: After conversation, Bonzo should know that Odette knows the factors of n, but Bonzo should not have learned anything else. Odette Bonzo

  6. How can Odette prove that she knows the factors of n while revealing ZERO KNOWLEDGE about anything else? Odette Bonzo

  7. There is a zero-knowledge proof of knowledge of the factors of n. • To understand the import and subtlety of what this means, let’s assume we can do this and solve one of the most significant security problems of our time: IDENTITY THEFT

  8. My credit card number is 32543-22243-2232 Thanks. He He He Odette Merchant

  9. Public Notice • Odette is the only one who knows the factors of the number n.

  10. Zero Knowledge Proof that Odette knows the factors of n. Odette Merchant

  11. The merchant can’t turn around and prove to someone else that he is Odette. He does not know the factors of n. Merchant

  12. RECALL:Quadratic Residues Mod n=pq • A quadratic residue x mod n is a square mod n. It has 4 roots r1, -r1, r2, -r2. • A pair of roots is called primitive if one is not the negative of the other. • Knowing 2 primitive roots, allows you to quickly calculate the factors of n. Knowing the factors of n, allows you to quickly calculate all square roots mod n.

  13. RECALL:An efficient way to calculate a square root of random number mod n can be transformed to an efficient way to factor n. • Let A be an algorithm to give one root of a random input x. • Pick r at random. Let x=r2. r1 = A(x). • With 50% chance (r,r1) are primitive and you can factor n. Repeat until n is factored.

  14. RECALL:Being able to quickly find a root of random number is equivalent to being able to factor n. • Let A be an algorithm to give one root of a random input x. • Pick r at random. Let x=r2. r1 = A(x). • With 50% chance (r,r1) are primitive and you can factor n. Repeat until n is factored.

  15. Pick r at random. X=r2. x A root of x Crude Attempt

  16. Pick r at random. X=r2. Pick a random bit b. X Y b If b=0: root of Y If b=1: root of XY Catch a crook with probability 1/2

  17. a2 =Y and b2 = XY • Sqrt(X) = a-1 b • (a-1b)2 = a-2 b2 = Y-1 XY = X

  18. Pick r at random. X=r2. Pick a random bit b. X Y b If b=0: root of Y If b=1: root of XY Catch a crook with probability 1/2

  19. Pick r at random. X=r2. Pick a random bit b. REPEAT K INDEPDENT TIMES. X Y b If b=0: root of Y If b=1: root of XY Catch a crook with prob 1-1/2k

  20. Pick r at random. X=r2. Pick a random bit b. How can we be sure this is zero-knowledge? X Y b If b=0: root of Y If b=1: root of XY

  21. Can Bonzo simulate the distribution of conversations by himself? Random square X Random square Y Random bit b If b=0: root of Y If b=1: root of XY

  22. Pick a random bit b. Pick random r. If b=0, set Y=r2; X to random square. If b=1, set X= r2Y-1; Y to random square X Y b If b=0: root of Y If b=1: root of XY r

  23. Bonzo can perfectly simulate the probability distribution on conversations with Odette. • HENCE those conversations contain no knowledge that Bonzo could not generate himself.

  24. How Do You Flip A Coin Over The Telephone? • Alice and Bob want to make a difficult decision…..

  25. ENVELOPES or SAFES

  26. ENVELOPE Or SAFE:Bit Commitment • Imagine that you had an envelope that: • Only you can open • But you could not change its contents once it was sealed • Put a bit in it to COMMIT to the bit, and reveal when it suits you.

  27. ENVELOPE:Bit Commitment • Quadratic Residue Method to Commit to b • Let n-pq, where p and q are secret. Let r be random in Zn*. Let m be a non-residue mod n. • E(r,b) = r2 mb mod n • TO OPEN: Reveal r and b

  28. Coin Flipping Over Phone • Alice picks random bit b • She sends ENVELOPE(b) • Bob announces his random bit c • Alice reveals b • SELECTED BIT = b XOR c

  29. Romantic Information Game • I need 2 romantic guys….. • ….who have to fall in love with one of the girls in class…..

  30. A Graph Named “Gadget”

  31. How To Prove That Gadget Is 3-colorable?

  32. Now Prove It Without Revealing Anything About The Coloring.

  33. 3 Coloring:Zero Knowledge Proof

  34. Prover knows a way to 3-color gadget. We will call this the secret coloring

  35. 3! = 6 ways to permute the color names • Notice that the secret coloring of gadget, there are 6 colorings that can be obtained by permuting the 3 color names.

  36. Prover randomly chooses of one the 6 coloring obtainable form the secret coloring.

  37. Prover randomly chooses of one the 6 coloring obtainable form the secret coloring. Each node will have an associated envelope. The prover places the coloring in the corresponding envelopes.

  38. Verifier: Picks an edge at random and asks to open envelopes at both ends of the edge.

  39. Verifier: Picks an edge at random and asks to open envelopes at both ends of the edge.

  40. Verifier: Picks an edge at random and asks to open envelopes at both ends of the edge.

  41. REPEAT USING AN INDEPENDENT, RANDOM CHOICE OF THE 6 PERMUTATIONS OF COLOR NAMES

  42. Prover randomly chooses of one the 6 coloring obtainable form the secret coloring.

  43. Prover randomly chooses of one the 6 coloring obtainable form the secret coloring. Each node will have an associated envelope. The prover places the coloring in the corresponding envelopes.

  44. Verifier: Picks an edge at random and asks to open envelopes at both ends of the edge.

  45. Verifier: Picks an edge at random and asks to open envelopes at both ends of the edge.

  46. REPEAT USING AN INDEPENDENT, RANDOM CHOICE OF THE 6 PERMUTATIONS OF COLOR NAMES

  47. Prover randomly chooses of one the 6 coloring obtainable form the secret coloring.

  48. Prover randomly chooses of one the 6 coloring obtainable form the secret coloring. Each node will have an associated envelope. The prover places the coloring in the corresponding envelopes.

  49. Verifier: Picks an edge at random and asks to open envelopes at both ends of the edge.

  50. Verifier: Picks an edge at random and asks to open envelopes at both ends of the edge.

More Related