350 likes | 367 Views
Lecture 15: From Here to Oblivion. David Evans http://www.cs.virginia.edu/~evans. CS588: Security and Privacy University of Virginia Computer Science. Menu. Oblivious Transfer Zero-Knowledge Proofs (Not “No Knowledge Proofs”). Oblivious Transfer. Joe Kilian’s story:
E N D
Lecture 15: From Here to Oblivion David Evans http://www.cs.virginia.edu/~evans CS588: Security and Privacy University of Virginia Computer Science
Menu • Oblivious Transfer • Zero-Knowledge Proofs (Not “No Knowledge Proofs”) University of Virginia CS 588
Oblivious Transfer Joe Kilian’s story: “Suppose your netmail is being censored by Captain Yossarian. Whenever you send a message, he censors each bit of the message with probability ½, replacing each censored bit by some reversed character. Well versed in such concepts as redundancy, this is no real problem to you. The question is, can it actually be turned around and used to your advantage?” University of Virginia CS 588
Oblivious Transfer • Before: • Alice knows secret b • Bob knows nothing • After: • Either: • ½ probability: Bob knows b • ½ probability: Bob knows nothing • Alice doesn’t know if Bob knows b University of Virginia CS 588
Alice Bob H (R1 || R2 || b), R1 Pick R1, R2, b g Guess g b, R2 Bob wins if g = b Is this useful? Fair Coin Toss: Does this really (information theoretically) work? University of Virginia CS 588
Coin Toss with Capt. Yossarian Alice picks b1, b2, …, bn such that b = b1 b2 … bn Sends out b1, b2, …, bn over ½ censored channel Bob receives half of the bi’s (and doesn’t know anything about the others) Bob guesses g and sends it to Alice University of Virginia CS 588
Oblivious Coin Toss Alice Bob b1, b2, …, bn Pick b = b1 b2 … bn b1, X, X, b4, b5 , …, bn-1 , X g Guess g Bob wins if g = b “You Lose” University of Virginia CS 588
b1, b2, …, bn Better Oblivious Coin Toss Yossarian’s channel Alice Bob b1, b2, …, bn Pick b = b1 b2 … bn b1, X, X, b4, b5 , …, bn-1 , X g Guess g Bob wins ifg = b Checks the bis he knows match Calculates b = b1 b2 … bn Is this secure? University of Virginia CS 588
Oblivious Transfer Can we approximate oblivious transfer without Capt. Yossarian? University of Virginia CS 588
Public-Key Oblivious Transfer Bob Alice Generates 2 public-private key pairs: (KU1, KR1) (KU2, KR2) Generates symmetric key K KU1, KU2 Picks eitherKU1 or KU2. EKU1(K) or EKU2(K) K1 = EKR1(EKU?(K)) = K or meaningless bits K2 = EKR2(EKU?(K)) = K or meaningless bits University of Virginia CS 588
Bob Alice Generates 2 public-private key pairs: (KU1, KR1) (KU2, KR2) Generates symmetric key K KU1, KU2 Picks eitherKU1 or KU2. EKU1(K) or EKU2(K) K1 = EKR1(EKU?(K)) = K or meaningless bits K2 = EKR2(EKU?(K)) = K or meaningless bits EK1 (b1), EK2 (b2) If Bob used KU1: DK (EK1 (b1)) = b1 DK (EK2 (b2)) = Meaningless University of Virginia CS 588
Trick or Treat Protocols University of Virginia CS 588
“Trick or Treat” Protocols • Trick-or-Treater must convince victim that she poses a credible threat • Need to prove you know a trick, without revealing what it is (otherwise you don’t need to give the treat)! • Technical literature calls them Zero- Knowledge “Proofs” University of Virginia CS 588
Cave Protocol • Victim (Verifier) stands at 1 • Trick-or-Treater enters cave and walks to either 3 or 4 • Victim moves to 2 • Victim yells to Tricker to come out either left or right • Repeat n times • Tricker must know magic word to open door. 1 2 Magic word door 4 3 Quisquater and Guillou, CRYPTO ’89 University of Virginia CS 588
If there’s no cave? • Trick-or-Treater uses constructs a problem that only someone who knows the magic word could solve. • Trick-or-Treater commits the solution (using a bit commitment protocol) • Victim picks part of the solution for Trick-or-Treater to reveal • Trick-or-Treater reveals part of the problem, enough to be hard to do without knowing whole solution, but not enough to help victim learn anything. • Repeat n times. University of Virginia CS 588
Graph Coloring Given a graph, pick colors of the vertices so that no connected vertices have the same color: Adapted from Steven Rudich’s www.discretemath.com slides. University of Virginia CS 588
3-Coloring How can you prove you know how to 3-color G? University of Virginia CS 588
How many 3-Colorings do you know? 2 3 1 5 4 6 8 7 If (Y, R, Y, R, B, Y, B, R) is a valid 3-coloring, so is (R, Y, R, Y, B, R, B, Y) and (B, Y, B, Y, R, B, R, Y) University of Virginia CS 588
2 3 1 5 4 6 8 7 How many 3-Colorings do you know? Can permute color names in any order: 3! = 6 University of Virginia CS 588
2 3 1 5 4 6 8 7 Zero-Knowledge “Proof” • Trick-or-Treater randomly picks one of the 6 colorings • Uses bit commitment to commit to the coloring – sends Victim H (R11 || R12 || C1), R11 H (R21 || R22 || C2), R21 … H (R81 || R82 || C2), R81 University of Virginia CS 588
2 3 1 5 4 6 8 7 Zero-Knowledge “Proof” • Victim picks two random connected nodes, j and k • Asks Trick-or-Treater to reveal colors of those nodes • Trick-or-Treater sends: Cj, Rj2,Ck, Rk2 • Victim verifies Cj and Ck are different colors, and checks the hashes University of Virginia CS 588
2 3 1 5 4 6 8 7 Proof? • If Trick-or-Treater does not know a coloring, there are two connected nodes that have the same color • If Victim picks randomly, chances are 1/d (number of edges) that he will pick that edge • Repeat k times, but each time the Trick-or-Treater uses a random color mapping (from the 3! possible permutations) • Probability cheating Trick-or-Treater is not caught: (1 – 1/d)k University of Virginia CS 588
How many repetitions? • (1 – 1/d)k • If k = dm p = (1 – 1/d)dm = (1 – 1/d) * (1 – 1/d) … * (1 – 1/d) ln (p) = ln (1 – 1/d) + ln (1 – 1/d) + … + ln (1 – 1/d) = dm ln (1 – 1/d) • You may (or may not) recall from the Birthday Paradox proof: • For 0 < x < 1: ln (1 – x) x • So, ln (p) < dm (1/d) < m p < (1/e)m University of Virginia CS 588
Will Tricker Get the Treat? p < em k = dm For p < .01, we need m = 5 (1/e)5 = 0.006738 How big is d? In example, 8 (way too small – anyone can color the graph!) If P NP, graph coloring takes time O(ed) d around 25 becomes intractable Need md = 125 trials. University of Virginia CS 588
Does the Victim Learn Anything? • No – victim could already easily color two connecting vertices differently • Since the Tricker uses a different color mapping permutation (unknown to Victim), knowing the two vertex colors doesn’t help • Committing to the colors of all vertices is what makes it convincing University of Virginia CS 588
A Faster Approach • Trick-or-Treater uses her secret and random number to transform original problem into an isomorphic hard problem. • Trick-or-Treater commits the solution (using a bit commitment protocol) • Trick-or-Treater reveals new problem. • Victim asks Trick-or-Treater to either: • Prove new problem is isomorphic to old one • Show the solution to the new problem • Repeat n times. University of Virginia CS 588
Making an isomorphic hard problem • Requirements: • Can’t use solution to new problem to solve old problem (without knowing mapping) • Can’t easily solve new problem • Can show that old problem and new problem are equivalent • Hmmm...any theory experts? University of Virginia CS 588
Graph Isomoprhism • Given two graphs, G1 = <V1, E1> and G2 = <V2, E2> is there a mapping between V1 and V2 such that G1 and G2 are identical? • This is an NP-complete problem: • Its hard to find the mapping. • Given mapping, easy to check it is correct. University of Virginia CS 588
Using Graph Isomorphism • Trick-or-Treater constructs a graph to represent the magic word: • Vertices are letters • Chooses edges as necessary • Hamiltonian cycle is magic word (path that goes through each vertex exactly once) • Finding a Hamiltonian cycle is NP-complete University of Virginia CS 588
Trick or Treat • Trick-or-Treater wants to show Victim she knows a Hamiltion Cycle in graph G • Trick-or-Treater constructs H, a random permutation of G • If she knows a Hamiltonian Cycle for G, it is easy to find on for H • Shows Victim H, but not the cycle • Victim asks for either: • Map showing G and H are isomorphic • Hamiltonian cycle for H • Repeat n times (different H each time) • Each iteration catches cheater with 50% probability! University of Virginia CS 588
Can we perform zero-knowledge proofs for other problems? Yes! Any NP problem can be transformed into any NP-complete problem (either graph coloring or Hamiltonian cycle) University of Virginia CS 588
Variation:Oblivious Circuit Evaluation • Alice wants to find a Hamiltonian Cycle of G. • Bob has a quantum computer that can find Hamiltonian Cycles fast • Bob is willing to compute for Alice, but Alice does not trust Bob to know G. • Can Alice get Bob to find a Hamiltonian Cycle in G for her, without revealing G to Bob? University of Virginia CS 588
Oblivious Circuit Evaluation Bob Alice Generates H an isomorphism of G H Finds a cycle in H Cycle in H Maps to cycle in G Andrew Yao got the Turing Award for something like this (and lots of other contributions) last year! University of Virginia CS 588
Charge • Keep cracking on your projects! • Ask your trick-or-treaters for Hamiltonian cycles and graph isomorphisms (and keep the candy for yourself) • Monday: Laura Brown, guest lecture University of Virginia CS 588