interesting primitives and applications of cryptographycrysp/files/csass_bhavana_slides.pdf · for...

Interesting Primitives and Applications Of Cryptography

O.S.L.Bhavana

Advisor: Dr. Bhavana KanukurthiCryptography, Security and Privacy lab

CSA, IISC

July 5, 2017

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 1 / 49

Bit Commitment Schemes

Zero knowledge proofs

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 2 / 49

Coin flipping

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 3 / 49

Coin flipping over distance

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 4 / 49

Coin flipping over distance

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 5 / 49

Coin flipping over distance

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 6 / 49

Coin flipping over distance

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 7 / 49

Coin flipping over distance

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 8 / 49

Coin flipping over distance

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 9 / 49

Coin flipping over distance by commitment

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 10 / 49

Coin flipping over distance by commitment

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 11 / 49

Mathematically..

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 12 / 49

Properties of Bit-Commitment schemes

Sender’s security: HidingThe receiver should not know whether the committed bit is 0 or 1, onseeing the commitment com.Receiver’s security: BindingAfter committing to 0, sender shouldn’t be able to generate dec ′ thatdecommits com to 1 and vice-versa.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 13 / 49

Properties of Bit-Commitment schemes

Sender’s security: HidingThe receiver should not know whether the committed bit is 0 or 1, onseeing the commitment com.

Receiver’s security: BindingAfter committing to 0, sender shouldn’t be able to generate dec ′ thatdecommits com to 1 and vice-versa.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 13 / 49

Properties of Bit-Commitment schemes

Sender’s security: HidingThe receiver should not know whether the committed bit is 0 or 1, onseeing the commitment com.Receiver’s security: BindingAfter committing to 0, sender shouldn’t be able to generate dec ′ thatdecommits com to 1 and vice-versa.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 13 / 49

Building blocksAdversary

Information theoretic: Has unbounded computing power

Example: Can easily run exponential time algorithms.

Computational: Has limited computing power

Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.

Adversary is an algorithm!!!

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49

Building blocksAdversary

Information theoretic: Has unbounded computing power

Example: Can easily run exponential time algorithms.

Computational: Has limited computing power

Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.

Adversary is an algorithm!!!

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49

Building blocksAdversary

Information theoretic: Has unbounded computing power

Example: Can easily run exponential time algorithms.

Computational: Has limited computing power

Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.

Adversary is an algorithm!!!

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49

Building blocksAdversary

Information theoretic: Has unbounded computing power

Example: Can easily run exponential time algorithms.

Computational: Has limited computing power

Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.

Adversary is an algorithm!!!

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49

Building blocksOne way function

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 15 / 49

Building blocksOne way function

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 15 / 49

Building blocksOne way function

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 16 / 49

Building blocksOne way function

A function f : {0, 1}n → {0, 1}∗ is one-way if

Given x, f(x) is efficiently computable.

Pr[Adversary wins in OWF game] is negligible.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 17 / 49

Building blocksOne way function

A function f : {0, 1}n → {0, 1}∗ is one-way if

Given x, f(x) is efficiently computable.

Pr[Adversary wins in OWF game] is negligible.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 17 / 49

Building blocksOne way function

Why randomly chosen x ?

Do OWF’s exist information theoretically?

No

Proving existence of a OWF is an open problem.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49

Building blocksOne way function

Why randomly chosen x ?

Do OWF’s exist information theoretically?

No

Proving existence of a OWF is an open problem.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49

Building blocksOne way function

Why randomly chosen x ?

Do OWF’s exist information theoretically?

No

Proving existence of a OWF is an open problem.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49

Building blocksOne way function

Why randomly chosen x ?

Do OWF’s exist information theoretically?No

Proving existence of a OWF is an open problem.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49

Building blocksOne way function

Why randomly chosen x ?

Do OWF’s exist information theoretically?No

Proving existence of a OWF is an open problem.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49

Building blocksHard core predicate

A boolean function hcp : {0, 1}n → {0, 1}, is hard core predicate of a functionf : {0, 1}n → {0, 1}∗, if

Given x, hcp(x) is efficiently computable.

Pr[Adversary wins in HCP game] is 12+ negligible.

Every OWF has a HCP.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 19 / 49

Building blocksHard core predicate

A boolean function hcp : {0, 1}n → {0, 1}, is hard core predicate of a functionf : {0, 1}n → {0, 1}∗, if

Given x, hcp(x) is efficiently computable.

Pr[Adversary wins in HCP game] is 12+ negligible.

Every OWF has a HCP.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 19 / 49

Building blocksHard core predicate

A boolean function hcp : {0, 1}n → {0, 1}, is hard core predicate of a functionf : {0, 1}n → {0, 1}∗, if

Given x, hcp(x) is efficiently computable.

Pr[Adversary wins in HCP game] is 12+ negligible.

Every OWF has a HCP.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 19 / 49

Building blocksOne way permutation

f : {0, 1}n → {0, 1}n is a OWP if f is a

Permutation

One way function

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 20 / 49

Constructing commitments from OWP

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 21 / 49

Constructing commitments from OWP

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 22 / 49

Constructing commitments from OWP

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 23 / 49

Constructing commitments from OWP

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 24 / 49

Constructing commitments from OWP

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 25 / 49

Bit commitments : Summary

Motivation

Building blocks

An explicit construction

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 26 / 49

Zero Knowledge Proofs

Motivation

Properties

ZKP for graph coloring

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 27 / 49

Zero Knowledge Proofs

Motivation

Properties

ZKP for graph coloring

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 27 / 49

ZKP: Motivation

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 28 / 49

ZKP: Motivation

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 29 / 49

ZKP: Motivation

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 30 / 49

ZKP: Motivation

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 31 / 49

Important application of ZKP

Cloud computation

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 32 / 49

Properties of ZKP

Verifier’s security: SoundnessThe prover should not be able to prove verifier false statementsProver’s security: Zero knowledgeThe verifier should not learn any additional information other than thestatement being proved.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 33 / 49

Properties of ZKP

Verifier’s security: SoundnessThe prover should not be able to prove verifier false statements

Prover’s security: Zero knowledgeThe verifier should not learn any additional information other than thestatement being proved.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 33 / 49

Properties of ZKP

Verifier’s security: SoundnessThe prover should not be able to prove verifier false statementsProver’s security: Zero knowledgeThe verifier should not learn any additional information other than thestatement being proved.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 33 / 49

Graph 3-Coloring

Given graph G = (V ,E ), can we assign each vertex a color (one of thethree colors) such that no two adjacent vertices have same color?

For a graph G that is 3-colorable, the witness is the color assignment.

Graph 3-Coloring is an NP-Complete problem.

Therefore, no known algorithm with polynomial running time candecide whether a graph G is 3-colorable or not?

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 34 / 49

Graph 3-Coloring

Given graph G = (V ,E ), can we assign each vertex a color (one of thethree colors) such that no two adjacent vertices have same color?

For a graph G that is 3-colorable, the witness is the color assignment.

Graph 3-Coloring is an NP-Complete problem.

Therefore, no known algorithm with polynomial running time candecide whether a graph G is 3-colorable or not?

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 34 / 49

Graph 3-Coloring

Given graph G = (V ,E ), can we assign each vertex a color (one of thethree colors) such that no two adjacent vertices have same color?

For a graph G that is 3-colorable, the witness is the color assignment.

Graph 3-Coloring is an NP-Complete problem.

Therefore, no known algorithm with polynomial running time candecide whether a graph G is 3-colorable or not?

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 34 / 49

ZKP for Graph 3-Coloring

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 35 / 49

ZKP for Graph 3-Coloring

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 36 / 49

ZKP for Graph 3-Coloring

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 37 / 49

ZKP for Graph 3-Coloring

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 38 / 49

ZKP for Graph 3-Coloring

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 39 / 49

ZKP for Graph 3-ColoringSoundness

If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)

Verifier would reject the graph if he chose edge (u, v)

Pr[Verifier rejects the graph] ≥ 1n2

Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2

Repeat the experiment n3 times

Pr[Verifier accepts the non 3-colorable graph in all runs]

≤ (1− 1

n2)n

3 ≤ e−n

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49

ZKP for Graph 3-ColoringSoundness

If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)

Verifier would reject the graph if he chose edge (u, v)

Pr[Verifier rejects the graph] ≥ 1n2

Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2

Repeat the experiment n3 times

Pr[Verifier accepts the non 3-colorable graph in all runs]

≤ (1− 1

n2)n

3 ≤ e−n

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49

ZKP for Graph 3-ColoringSoundness

If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)

Verifier would reject the graph if he chose edge (u, v)

Pr[Verifier rejects the graph] ≥ 1n2

Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2

Repeat the experiment n3 times

Pr[Verifier accepts the non 3-colorable graph in all runs]

≤ (1− 1

n2)n

3 ≤ e−n

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49

ZKP for Graph 3-ColoringSoundness

If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)

Verifier would reject the graph if he chose edge (u, v)

Pr[Verifier rejects the graph] ≥ 1n2

Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2

Repeat the experiment n3 times

Pr[Verifier accepts the non 3-colorable graph in all runs]

≤ (1− 1

n2)n

3 ≤ e−n

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49

ZKP for Graph 3-ColoringSoundness

If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)

Verifier would reject the graph if he chose edge (u, v)

Pr[Verifier rejects the graph] ≥ 1n2

Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2

Repeat the experiment n3 times

Pr[Verifier accepts the non 3-colorable graph in all runs]

≤ (1− 1

n2)n

3 ≤ e−n

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49

ZKP for Graph 3-ColoringSoundness

If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)

Verifier would reject the graph if he chose edge (u, v)

Pr[Verifier rejects the graph] ≥ 1n2

Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2

Repeat the experiment n3 times

Pr[Verifier accepts the non 3-colorable graph in all runs]

≤ (1− 1

n2)n

3 ≤ e−n

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49

ZKP for Graph 3-ColoringZero knowledge

In a single run, verifier would only know colors of two vertices.

Colors of other vertices are hidden by commitments

In the next run the colors are randomly permuted, so the informationof colors about previous run would not help

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 41 / 49

ZKP for Graph 3-ColoringZero knowledge

In a single run, verifier would only know colors of two vertices.

Colors of other vertices are hidden by commitments

In the next run the colors are randomly permuted, so the informationof colors about previous run would not help

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 41 / 49

ZKP for Graph 3-ColoringZero knowledge

In a single run, verifier would only know colors of two vertices.

Colors of other vertices are hidden by commitments

In the next run the colors are randomly permuted, so the informationof colors about previous run would not help

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 41 / 49

Reference

Foundations of Cryptography, Volume 1, Oded Goldreich.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 42 / 49

Thank you

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 43 / 49

ZKP for Graph 3-coloring

G=(V,E) is 3-colorable

Prover Verifier

3-coloringC

(com1, .., comn)

Chooses an edge(u, v) ∈ Euniformly

reveal colors of u, v

coloru , colorv , decu , decv

If Decommit(coloru , comu , decu) = 1

and Decommit(colorv , comv , decv ) = 1

Accept that G is 3-colorable Else reject

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 44 / 49

Building blocksComputational hardness

Why bother about Computational adversary?

Theorem

IT secure schemes are costly

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 45 / 49

construction from OWP

Sender Receiver Hiding holds as hcp(y) is unpredictable. Binding holdsas f is a OWP. Decommit(com, dec){Parse com as (a, b)Parse dec as yIf a == f (y)Output b ⊕ hcp(y)Else Output ⊥}

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 46 / 49

Coin flipping over distance

I can count the number of leaves.Let me test.Tosses a coin.Plucks a leaf if heads.Please count the leaves now.Prob[cheating wizard fails] = 1

2 Alice makes her callLocks her call in a boxsends this box to Bob without keyBob tosses a coinBob reveals the toss resultAlice reveals her call and sends the box keyBob opens the box and crosschecks Alice’s callWinner is declared according to the toss result

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 47 / 49

Building blocksAlgorithms

Deterministic: For a given input, output of the algorithm is fixed

Example: f (x , y) = xy

Randomized: Algorithm that has access to uniform bits.

For a given input there may several possible outputs depending on theuniform bits

Example: frand(x , y) =

{xy if r = 01

2xy if r = 10

Randomized algorithm is deterministic given the uniform bits.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 48 / 49

Building blocksAlgorithms

Deterministic: For a given input, output of the algorithm is fixed

Example: f (x , y) = xy

Randomized: Algorithm that has access to uniform bits.

For a given input there may several possible outputs depending on theuniform bits

Example: frand(x , y) =

{xy if r = 01

2xy if r = 10

Randomized algorithm is deterministic given the uniform bits.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 48 / 49

Building blocksAlgorithms

Deterministic: For a given input, output of the algorithm is fixed

Example: f (x , y) = xy

Randomized: Algorithm that has access to uniform bits.

For a given input there may several possible outputs depending on theuniform bits

Example: frand(x , y) =

{xy if r = 01

2xy if r = 10

Randomized algorithm is deterministic given the uniform bits.

O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 48 / 49

Coin flipping over distance

Alice Bob

Makes her call x

(dec , com) = Commit(x)

com

coin toss results in b

b

x , dec

If Decommit(com, dec) = 1,

Announce winner

else STOPO.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 49 / 49