310 likes | 446 Views
Zero Knowledge Proofs and Nuclear Disarmament. Boaz Barak – Microsoft Research New England Joint work with Alexander Glaser – Princeton University Robert Goldston – Princeton Plasma Physics Laboratory. Encryption. Canonical Cryptography Results: Find digital analogs to physical concepts.
E N D
Zero Knowledge Proofs andNuclear Disarmament Boaz Barak – Microsoft Research New EnglandJoint work withAlexander Glaser – Princeton UniversityRobert Goldston – Princeton Plasma Physics Laboratory
Encryption Canonical Cryptography Results: Find digital analogs to physical concepts. Commitment Digital Signature This talk: reverse direction. Physical Zero Knowledge Proofs Zero Knowledge Proofs (see also “Applied Kid Cryptography”, Naor-Naor-Reingold 1999)
Zero Knowledge Proofs (Goldwasser-Micali-Rackoff, 1982) 123359087852340237583427239has a prime factor ending in 7. Really? Show me the prime factors. I won’t reveal anything about them, but I can still prove to you this is true Introduced in 1982, initially thought to apply only in limited special cases. 1987: Everystatement can be proved in zero knowledge (Goldreich-Micali-Wigderson) Since then, much work on efficientprotocols and applications: Digital Signatures, Chosen-Ciphertext secure encryption, electronic voting, electronic auctions, privacy preserving data mining,….
Nuclear Disarmament One of three pillarsof the Non-proliferation Treaty (NPT). The existence of thousands of nuclear weapons is the most dangerous legacy of the Cold War… the United States will take concrete steps towards a world without nuclear weapons. President Barack Obama, 2009 There has emerged a consensus in the international community that there should be no pause in nuclear disarmament … radical progress along this way has really been called for. Russia is ready to go for it. President Vladimir Putin, 2000
Nuclear Disarmament Future treaties: reduce total number "Going forward, we’ll continue to seek discussions with Russia on a step we have never taken before -- reducing not only our strategic nuclear warheads, but also tactical weapons and warheads in reserve." Currently: limits on deployed (strategic) nuclear weapons. President Barack Obama, March 2012 …requires verified warhead dismantlement. Verification is necessary (“trust but verify” , “Доверяй, но проверяй”): Prevent cheating: e.g. keeping high quality fissile material, dismantling fake or obsolete warheads, etc.. Cheating could seriously affect balance of power between countries. Not just political but also a technical challenge: How do you verify a warhead offered for dismantlement is authentic, without revealing its design?
How do you verify a warhead offered for dismantlement is authentic, without revealing its design? We did not think that any design information could be obtained from this spectrum, but we were wrong. One could not infer the design from the spectrum but weapon designers could compare the spectrum with the spectra from known designs. Frank von Hippel
Information Barrier Approach To Warhead Verification Test that 300 warheads in plant are identical to template taken from silo Green if two objects are similar Black box Developed over years by U.S.-Russia Control logic Main issue: hard to verify that Template:known to be authentic Test:unknown if authentic • Cannot be spoofed (authentication) • Does not leak more info than intended.(certification) Measuring device Intuition behind need for information barrier: If measurement is useful to verify warhead, it necessarily contains sensitive information. Zero Knowledge Proofs challenge this intuition!
Our Approach Black box Remove the black box Template:known to be authentic Test:unknown if authentic Control logic Ensure measurement allows to compare but does not reveal information. Measuring device Use techniques from (information theoretic) cryptography. Approach minimizes physical requirements such as information barrier and uses simpler components. Currently at conceptual stage. Experiments will start in few months.
Talk Outline • Formal definition of authentication problem • Cartoon of our protocol • Actual implementation • Proof (of simplified case)
Talk Outline • Formal definition of authentication problem • Cartoon of our protocol • Actual implementation • Proof (of simplified case) Anastasia (Inspected) and Bob (Inspector) engage in protocol to verify XX’ Completeness: If XX’ and both sides follow protocol then w.h.p. Bob outputs “accept”. Soundness / authentication: If X far from X’ then regardless what Anastasia does, w.h.p. Bob outputs “reject”. Zero-Knowledge / certification: If XX’ and Anastasia follows protocol then regardless what Bob does, if we let be the total data observed by Bob, then is distributed independently from X. (I(|X))
Our Protocol - Cartoon She wants to prove to Bob that both contain the same number without revealing . Anastasia has two cups each containing marbles. Anastasia prepares 10 pairs of buckets, both buckets in the pair containing a random number of marbles. … … Bob chooses one of the pairs at random, and inspects the other 9 pairs to ensure that each pair indeed contains an identical number of marbles.
Our Protocol - Cartoon She wants to prove to Bob that both contain the same number without revealing . Anastasia has two cups each containing marbles. Anastasia prepares 10 pairs of buckets, both buckets in the pair containing a random number of marbles. … … Bob chooses one of the pairs at random, and inspects the other 9 pairs to ensure that each pair indeed contains an identical number of marbles.
Our Protocol - Cartoon She wants to prove to Bob that both contain the same number without revealing . Anastasia has two cups each containing marbles. Anastasia pours the marbles from the first cup to the first bucket, and from the second cup to the second bucket. Both contain marbles
Our Protocol - Cartoon She wants to prove to Bob that both contain the same number without revealing . Anastasia has two cups each containing marbles. Anastasia pours the marbles from the first cup to the first bucket, and from the second cup to the second bucket. Both contain marbles
Our Protocol - Cartoon She wants to prove to Bob that both contain the same number without revealing . Anastasia has two cups each containing marbles. Anastasia pours the marbles from the first cup to the first bucket, and from the second cup to the second bucket. Both contain marbles Both contain marbles Bob accepts the proof if both buckets contain the same number of marbles. Soundness: If the cups contain a different number of marbles, Bob rejects with prob Zero Knowledge: The number Bob sees is distributed close to the uniform distribution on . (Other 9 numbers are independent of )
From cartoon to implementation Template and Test Warheads are inside containers, Anastasia wants to prove to Bob that they are similar. First, we consider a non zero knowledge protocol for this task: 1) Subject each container to a source of neutrons for T seconds. 2) Place detectors in a (cut off) circle around the container and measure the number of neutrons arriving at each detector. “Claim”: Objects are “similar” iff the corresponding vectors of counts are “close” Counts vector: Differences in match case: Differences in diversion case:
From cartoon to implementation Template and Test Warheads are inside containers, Anastasia wants to prove to Bob that they are similar. First, we consider a non zero knowledge protocol for this task: 1) Subject each container to a source of neutrons for T seconds. 2) Place detectors in a (cut off) circle around the container and measure the number of neutrons arriving at each detector. “Claim”: Objects are “similar” iff the corresponding vectors of counts are “close” Counts vector: Differences in match case: Differences in diversion case:
From cartoon to implementation Template and Test Warheads are inside containers, Anastasia wants to prove to Bob that they are similar. “Claim”: Objects are “similar” iff the corresponding vectors of counts are “close” “Claim”: Objects are “similar” iff the counts at position are close for a random Counts vector: Differences in match case: Differences in diversion case:
From cartoon to implementation Template and Test Warheads are inside containers, Anastasia wants to prove to Bob that they are similar. “Claim”: Objects are “similar” iff the counts at position are close for a random Counts vector: Differences in match case: Differences in diversion case:
Actual Implementation* Template and Test Warheads are inside containers, Anastasia wants to prove to Bob that they are similar. 1) Anastasia prepares 10 pairs of detectors, and initializes the two detectors in the pair with an identical offset chosen at random in “number of marbles in bucket” 2) Bob selects 9 of the 10 pairs to examine, see that they work and are initialized identically. 3) Bob selects a random angle , and they place a detector from remaining pair in the positions of template and test warheads. 4) They run the neutron source for T seconds on both warheads, and Bob measures the resulting counts in both detectors, accepting iff only if they are close. Protocol is -zero knowledge! Bob learns Number of neutrons arrived at “Number of marbles in cup”
Conclusions • Suggested approach to minimize use of information barrier in warhead verification, based on tools from cryptography. • Simulation results look promising, but many questions/concerns remain. • Next step: implementing system and running actual experiments.
Actual Implementation* Template and Test Warheads are inside containers, Anastasia wants to prove to Bob that they are similar. We subject each warhead to a source of neutrons for a certain period. We pick a random angle and let (resp) be number of neutrons that arrive at position “number of marbles in cup” Inspected party (Anastasia) pre-initializes a pair of random detectors to a random initial value . The detectors are placed in position before source is fired. “number of marbles in bucket” Inspector (Bob) observes the numbers and at both detectors and accepts iff they are close to one another.
Proof by simulation: Neutron Beam Detector array Authentic Template 500g Pu removed Actual counts Theorem: Under reasonable physical assumptions, the digital counter implementation satisfies completeness, soundness, and zero knowledge.
Proof by picture: Detector array Neutron Beam Authentic Template 500g Pu removed Actual counts Theorem: Under reasonable physical assumptions, the digital counter implementation satisfies completeness, soundness, and zero knowledge.
Authentic Template 500g Pu removed Actual counts Mod 2
Authentic Template 500g Pu removed Actual counts Mod 2 Mod 2 + random offset Differences
Actual implementations: X-Ray neutron beam Detector array Film Bubble detector. Contains liquid which each neutron hitting has some probability of creating a bubble. Can count bubbles w/ microscope. Digital detector. Outputs one particular (binary) digit of the total neutron count. Random Image XOR with random string. Perfect secrecy as in “one time pad” encryption.
Zero Knowledge Proofs (Goldwasser-Micali-Rackoff, 1982) 123359087852340237583427239has a prime factor ending in 7. Really? Show me the prime factors. I won’t reveal anything about them, but I can still prove to you this is true Introduced in 1982, initially thought to apply only in limited special cases. 1987: Everystatement can be proved in zero knowledge (Goldreich-Micali-Wigderson) Since then, much work on efficientprotocols and applications: Digital Signatures, Chosen-Ciphertext secure encryption, electronic voting, electronic auctions, privacy preserving data mining,….
Our Protocol - Cartoon She exposes each pair to identical random images and puts both in sealed envelope. Anastasia (inspected party) prepares 100 pairs of X-ray films.
Our Protocol - Cartoon She exposes each pair to identical random images and puts both in sealed envelope. Anastasia (inspected party) prepares 100 pairs of X-ray films. Bob selects one envelope to use in the test. The rest he will inspect for validity.
Our Protocol - Cartoon She exposes each pair to identical random images and puts both in sealed envelope. Anastasia (inspected party) prepares 100 pairs of X-ray films. Bob selects one envelope to use in the test. The rest he will inspect for validity. They take X-ray pictures of both warheads using the two films from the envelope. Bob develops both films and compares the two pictures. Identical warheads + random images Pictures identical Large intensity for random images Low signal to noise ratio