interesting primitives and applications of cryptographycrysp/files/csass_bhavana_slides.pdf · for...
TRANSCRIPT
Interesting Primitives and Applications Of Cryptography
O.S.L.Bhavana
Advisor: Dr. Bhavana KanukurthiCryptography, Security and Privacy lab
CSA, IISC
July 5, 2017
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 1 / 49
Bit Commitment Schemes
Zero knowledge proofs
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 2 / 49
Coin flipping
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 3 / 49
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 4 / 49
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 5 / 49
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 6 / 49
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 7 / 49
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 8 / 49
Coin flipping over distance
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 9 / 49
Coin flipping over distance by commitment
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 10 / 49
Coin flipping over distance by commitment
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 11 / 49
Mathematically..
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 12 / 49
Properties of Bit-Commitment schemes
Sender’s security: HidingThe receiver should not know whether the committed bit is 0 or 1, onseeing the commitment com.Receiver’s security: BindingAfter committing to 0, sender shouldn’t be able to generate dec ′ thatdecommits com to 1 and vice-versa.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 13 / 49
Properties of Bit-Commitment schemes
Sender’s security: HidingThe receiver should not know whether the committed bit is 0 or 1, onseeing the commitment com.
Receiver’s security: BindingAfter committing to 0, sender shouldn’t be able to generate dec ′ thatdecommits com to 1 and vice-versa.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 13 / 49
Properties of Bit-Commitment schemes
Sender’s security: HidingThe receiver should not know whether the committed bit is 0 or 1, onseeing the commitment com.Receiver’s security: BindingAfter committing to 0, sender shouldn’t be able to generate dec ′ thatdecommits com to 1 and vice-versa.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 13 / 49
Building blocksAdversary
Information theoretic: Has unbounded computing power
Example: Can easily run exponential time algorithms.
Computational: Has limited computing power
Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.
Adversary is an algorithm!!!
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49
Building blocksAdversary
Information theoretic: Has unbounded computing power
Example: Can easily run exponential time algorithms.
Computational: Has limited computing power
Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.
Adversary is an algorithm!!!
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49
Building blocksAdversary
Information theoretic: Has unbounded computing power
Example: Can easily run exponential time algorithms.
Computational: Has limited computing power
Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.
Adversary is an algorithm!!!
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49
Building blocksAdversary
Information theoretic: Has unbounded computing power
Example: Can easily run exponential time algorithms.
Computational: Has limited computing power
Example: Can only run polynomial time algorithms.Probabilistic Poly time Adversary is a computational adversary that canflip coins.
Adversary is an algorithm!!!
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 14 / 49
Building blocksOne way function
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 15 / 49
Building blocksOne way function
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 15 / 49
Building blocksOne way function
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 16 / 49
Building blocksOne way function
A function f : {0, 1}n → {0, 1}∗ is one-way if
Given x, f(x) is efficiently computable.
Pr[Adversary wins in OWF game] is negligible.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 17 / 49
Building blocksOne way function
A function f : {0, 1}n → {0, 1}∗ is one-way if
Given x, f(x) is efficiently computable.
Pr[Adversary wins in OWF game] is negligible.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 17 / 49
Building blocksOne way function
Why randomly chosen x ?
Do OWF’s exist information theoretically?
No
Proving existence of a OWF is an open problem.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49
Building blocksOne way function
Why randomly chosen x ?
Do OWF’s exist information theoretically?
No
Proving existence of a OWF is an open problem.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49
Building blocksOne way function
Why randomly chosen x ?
Do OWF’s exist information theoretically?
No
Proving existence of a OWF is an open problem.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49
Building blocksOne way function
Why randomly chosen x ?
Do OWF’s exist information theoretically?No
Proving existence of a OWF is an open problem.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49
Building blocksOne way function
Why randomly chosen x ?
Do OWF’s exist information theoretically?No
Proving existence of a OWF is an open problem.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 18 / 49
Building blocksHard core predicate
A boolean function hcp : {0, 1}n → {0, 1}, is hard core predicate of a functionf : {0, 1}n → {0, 1}∗, if
Given x, hcp(x) is efficiently computable.
Pr[Adversary wins in HCP game] is 12+ negligible.
Every OWF has a HCP.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 19 / 49
Building blocksHard core predicate
A boolean function hcp : {0, 1}n → {0, 1}, is hard core predicate of a functionf : {0, 1}n → {0, 1}∗, if
Given x, hcp(x) is efficiently computable.
Pr[Adversary wins in HCP game] is 12+ negligible.
Every OWF has a HCP.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 19 / 49
Building blocksHard core predicate
A boolean function hcp : {0, 1}n → {0, 1}, is hard core predicate of a functionf : {0, 1}n → {0, 1}∗, if
Given x, hcp(x) is efficiently computable.
Pr[Adversary wins in HCP game] is 12+ negligible.
Every OWF has a HCP.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 19 / 49
Building blocksOne way permutation
f : {0, 1}n → {0, 1}n is a OWP if f is a
Permutation
One way function
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 20 / 49
Constructing commitments from OWP
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 21 / 49
Constructing commitments from OWP
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 22 / 49
Constructing commitments from OWP
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 23 / 49
Constructing commitments from OWP
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 24 / 49
Constructing commitments from OWP
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 25 / 49
Bit commitments : Summary
Motivation
Building blocks
An explicit construction
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 26 / 49
Zero Knowledge Proofs
Motivation
Properties
ZKP for graph coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 27 / 49
Zero Knowledge Proofs
Motivation
Properties
ZKP for graph coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 27 / 49
ZKP: Motivation
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 28 / 49
ZKP: Motivation
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 29 / 49
ZKP: Motivation
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 30 / 49
ZKP: Motivation
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 31 / 49
Important application of ZKP
Cloud computation
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 32 / 49
Properties of ZKP
Verifier’s security: SoundnessThe prover should not be able to prove verifier false statementsProver’s security: Zero knowledgeThe verifier should not learn any additional information other than thestatement being proved.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 33 / 49
Properties of ZKP
Verifier’s security: SoundnessThe prover should not be able to prove verifier false statements
Prover’s security: Zero knowledgeThe verifier should not learn any additional information other than thestatement being proved.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 33 / 49
Properties of ZKP
Verifier’s security: SoundnessThe prover should not be able to prove verifier false statementsProver’s security: Zero knowledgeThe verifier should not learn any additional information other than thestatement being proved.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 33 / 49
Graph 3-Coloring
Given graph G = (V ,E ), can we assign each vertex a color (one of thethree colors) such that no two adjacent vertices have same color?
For a graph G that is 3-colorable, the witness is the color assignment.
Graph 3-Coloring is an NP-Complete problem.
Therefore, no known algorithm with polynomial running time candecide whether a graph G is 3-colorable or not?
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 34 / 49
Graph 3-Coloring
Given graph G = (V ,E ), can we assign each vertex a color (one of thethree colors) such that no two adjacent vertices have same color?
For a graph G that is 3-colorable, the witness is the color assignment.
Graph 3-Coloring is an NP-Complete problem.
Therefore, no known algorithm with polynomial running time candecide whether a graph G is 3-colorable or not?
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 34 / 49
Graph 3-Coloring
Given graph G = (V ,E ), can we assign each vertex a color (one of thethree colors) such that no two adjacent vertices have same color?
For a graph G that is 3-colorable, the witness is the color assignment.
Graph 3-Coloring is an NP-Complete problem.
Therefore, no known algorithm with polynomial running time candecide whether a graph G is 3-colorable or not?
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 34 / 49
ZKP for Graph 3-Coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 35 / 49
ZKP for Graph 3-Coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 36 / 49
ZKP for Graph 3-Coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 37 / 49
ZKP for Graph 3-Coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 38 / 49
ZKP for Graph 3-Coloring
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 39 / 49
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
ZKP for Graph 3-ColoringSoundness
If G isn’t 3-colorable, there exists an edge (u, v) such thatcolor(u) = color(v)
Verifier would reject the graph if he chose edge (u, v)
Pr[Verifier rejects the graph] ≥ 1n2
Pr[Verifier accepts a non 3-colorable graph] ≤ 1− 1n2
Repeat the experiment n3 times
Pr[Verifier accepts the non 3-colorable graph in all runs]
≤ (1− 1
n2)n
3 ≤ e−n
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 40 / 49
ZKP for Graph 3-ColoringZero knowledge
In a single run, verifier would only know colors of two vertices.
Colors of other vertices are hidden by commitments
In the next run the colors are randomly permuted, so the informationof colors about previous run would not help
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 41 / 49
ZKP for Graph 3-ColoringZero knowledge
In a single run, verifier would only know colors of two vertices.
Colors of other vertices are hidden by commitments
In the next run the colors are randomly permuted, so the informationof colors about previous run would not help
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 41 / 49
ZKP for Graph 3-ColoringZero knowledge
In a single run, verifier would only know colors of two vertices.
Colors of other vertices are hidden by commitments
In the next run the colors are randomly permuted, so the informationof colors about previous run would not help
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 41 / 49
Reference
Foundations of Cryptography, Volume 1, Oded Goldreich.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 42 / 49
Thank you
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 43 / 49
ZKP for Graph 3-coloring
G=(V,E) is 3-colorable
Prover Verifier
3-coloringC
(com1, .., comn)
Chooses an edge(u, v) ∈ Euniformly
reveal colors of u, v
coloru , colorv , decu , decv
If Decommit(coloru , comu , decu) = 1
and Decommit(colorv , comv , decv ) = 1
Accept that G is 3-colorable Else reject
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 44 / 49
Building blocksComputational hardness
Why bother about Computational adversary?
Theorem
IT secure schemes are costly
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 45 / 49
construction from OWP
Sender Receiver Hiding holds as hcp(y) is unpredictable. Binding holdsas f is a OWP. Decommit(com, dec){Parse com as (a, b)Parse dec as yIf a == f (y)Output b ⊕ hcp(y)Else Output ⊥}
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 46 / 49
Coin flipping over distance
I can count the number of leaves.Let me test.Tosses a coin.Plucks a leaf if heads.Please count the leaves now.Prob[cheating wizard fails] = 1
2 Alice makes her callLocks her call in a boxsends this box to Bob without keyBob tosses a coinBob reveals the toss resultAlice reveals her call and sends the box keyBob opens the box and crosschecks Alice’s callWinner is declared according to the toss result
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 47 / 49
Building blocksAlgorithms
Deterministic: For a given input, output of the algorithm is fixed
Example: f (x , y) = xy
Randomized: Algorithm that has access to uniform bits.
For a given input there may several possible outputs depending on theuniform bits
Example: frand(x , y) =
{xy if r = 01
2xy if r = 10
Randomized algorithm is deterministic given the uniform bits.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 48 / 49
Building blocksAlgorithms
Deterministic: For a given input, output of the algorithm is fixed
Example: f (x , y) = xy
Randomized: Algorithm that has access to uniform bits.
For a given input there may several possible outputs depending on theuniform bits
Example: frand(x , y) =
{xy if r = 01
2xy if r = 10
Randomized algorithm is deterministic given the uniform bits.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 48 / 49
Building blocksAlgorithms
Deterministic: For a given input, output of the algorithm is fixed
Example: f (x , y) = xy
Randomized: Algorithm that has access to uniform bits.
For a given input there may several possible outputs depending on theuniform bits
Example: frand(x , y) =
{xy if r = 01
2xy if r = 10
Randomized algorithm is deterministic given the uniform bits.
O.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 48 / 49
Coin flipping over distance
Alice Bob
Makes her call x
(dec , com) = Commit(x)
com
coin toss results in b
b
x , dec
If Decommit(com, dec) = 1,
Announce winner
else STOPO.S.L.Bhavana Interesting Primitives and Applications Of Cryptography July 5, 2017 49 / 49