Post on 28-Mar-2015
Cryptography and Sudoku
Moni Naor, Weizmann Institute of Science
מוני נאור
Joint work with: Ronen Gradwohl, Benny Pinkas, Guy Rothblum
What is Cryptography?
Traditionally: how to maintain secrecy in communication
Alice and Bob talk while Eve tries to listen
Cryptography
Very ancient occupation
Biblical times: Atbash in Jeremiah
"How Sheshach (ששך) is captured, the praise of the whole earth seized!
How Babylon (בבל) has become a desolation among the nations!"
Egyptian Hieroglyphs
Unusual ones
...
Many interesting books and sources, especially about the Enigma (WW2)
Modern Times
Up to the mid 70’s: classified military work
Exception: Shannon, Turing*
Since then - explosive growth
Commercial applications
Scientific work: tight relationship with Computational Complexity Theory
Major works: Diffie-Hellman, Rivest, Shamir and Adleman (RSA)
Recently: more involved models for more diverse tasks.
How to maintain the secrecy, integrity and functionality in computer and communication systems.
Prevalence of the Internet:
•Cryptography is in the news (daily!)
•Cryptography is relevant to “everyone” - security and privacy issues for individuals
The Study of the resources needed to solve computational problems
Computational Complexity Theory
Study the resources needed to solve computational problems
Computer time
Computer memory
Communication
Parallelism
Randomness
…
Identify problems that are infeasible to compute by any reasonable machine
Taxonomy: classify problems into classes with similar properties with respect to the resource requirements
Help find the most efficient algorithm for a problem
A computational problem:
•multiplying two numbers,
•selecting a move in a chess position
•Find the shortest tour visiting all cities
P=NP?
The Crypto Arms Race: ~3000 BC - ~1980
[Figure: cycle of “Secure” System, “Break”, “Secure” System+, “Break+”, “Break++”]
Traditional crypto: attack, defense
Modern crypto (1976 -): defense, attack
Sudoku
Fill in the empty entries in the grid so that every row, every column, and every 3 x 3 subgrid contain the digits 1 through 9.
Can be generalized to an $n \times n$ grid, where $n = k^2$.
The size of an instance is $O(n^2 \log n)$ bits.
Nothing special about the numbers 1…9.
The Plot
I know the solution!
Oh yeah? Prove it!
Well, I could show you, but…
…I don’t want to tell you how to solve it…
Veronica
Paul
Zero-Knowledge Proofs
Paul wants to prove that “A is true”
If “A is true”: Veronica is convinced, but doesn’t learn about A! She can’t prove that “A is true”.
Blah Blah?
BlahBlah?
Blah!
Oh!
Why Study Zero-Knowledge Proofs?
Authentication: prove your identity to someone using secret information, without revealing the secret
Force malicious adversaries to act according to protocol
Design protocol with benign adversaries.
Then compile to withstand malicious ones
Why study zero-knowledge for Sudoku?
It has nice properties
It’s educational – everybody knows Sudoku
It’s FUN!
Outline
Definitions
Physical model
A basic protocol
2 variations
Interactive Proof
Probabilistic protocol between 2 parties: Prover and Verifier
Both know instance of a problem
Prover might know a witness/solution
Players “chat”, and at the end, verifier accepts or rejects
Completeness: probability that honest verifier accepts correct proof
Soundness error: probability that verifier accepts incorrect proof
Zero-Knowledge Proof
Interactive Proof
Zero-knowledge property:
Whatever Verifier learned from Prover, he could have learned by himself
Exists efficient Simulator that can simulate conversation, without access to Prover
Zero-knowledge proof for all NP (NP: set of problems that have efficient verification)
Proof of 3-colorability
Proof for Hamiltonicity
Sudoku and Complexity
Sudoku is in NP
Means: easy to verify solutions
In fact: Sudoku is NP-complete – not all that relevant
There are zero-knowledge proofs for all problems in NP
Therefore there is a ZK proof for Sudoku.
Direct ZK proofs for Sudoku are preferable:
Efficiency: avoiding the overhead of the reduction
Practicality: Implementable without the aid of computers
Understandability (by non-experts!): Ensure that participants have intuitive understanding of the proof.
Physical Objects
Typical Cryptographic metaphor:
Physical “locked box”
Hard to find physical locked boxes that:
Can never be opened
Are readily available
Have transparent operation
Tamper-evident seal
Tampering is evident
Can open, but can’t reseal
Scratch-off card, sealed envelope
Scratch-Off Cards
Can’t tell them apart (until unsealed)
Can shuffle them effectively
Like picking a random permutation
Can triplicate them
Stronger requirement
Used in perfect soundness protocol
Human Behavior
Paul and Veronica are in same room
Shuffling: Paul wants a fair shuffle, Veronica wants to make sure no cards were switched
More benign adversary:
Either protocol works, or cheating player is labeled a “cheater”
Playing Cards
Can use playing cards instead of scratch-off cards:
Sealing = turning card face down
Revealing = turning it face up
Not really tamper evident
Works when players in same room, watching each other
A Simple Physical Protocol
[Figure: flip coin: rows or columns?]
Props: 81 sealed scratch-off cards, and a board with 81 cells (like Sudoku)
P places a sealed card on each cell
Corresponding to his solution
“filled-in” values are unsealed
V chooses one of rows/cols/subgrids
P makes packet for each row, shuffles it
V takes each packet, unseals cards, verifies that each contains cards 1…9
If yes -- accept, otherwise reject
Analysis
Completeness: perfect
Soundness: cheating P must cheat in one of rows, columns, or subgrids
P is caught with probability ≥ 1/3
Zero-knowledge: V only sees some permuted values of 1…9
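The basic protocol above as a small simulation (an added example, not from the original slides). The boards SOLUTION, LATIN and PUZZLE are constructed samples, and all function names are assumptions; LATIN has valid rows and columns but invalid subgrids, so it is caught on exactly one of V's three challenges, which shows the 1/3 bound is tight.

```python
import random

# Constructed sample: a valid solution, and a Latin square whose rows and
# columns are valid but whose 3x3 subgrids are not (a cheating prover's board).
SOLUTION = [[(3 * (r % 3) + r // 3 + c) % 9 + 1 for c in range(9)] for r in range(9)]
LATIN = [[(r + c) % 9 + 1 for c in range(9)] for r in range(9)]
# Public puzzle: only the top row is filled in (0 = empty); both boards match it.
PUZZLE = [SOLUTION[0][:]] + [[0] * 9 for _ in range(8)]

def units(kind):
    """Cell coordinates of the nine rows, columns or subgrids."""
    if kind == "rows":
        return [[(r, c) for c in range(9)] for r in range(9)]
    if kind == "cols":
        return [[(r, c) for r in range(9)] for c in range(9)]
    return [[(3 * (b // 3) + i, 3 * (b % 3) + j) for i in range(3) for j in range(3)]
            for b in range(9)]

def run_round(board, puzzle, kind, rng):
    """P has laid `board` face down; V challenges with `kind`.
    Returns (accepted, packets V unsealed)."""
    # "Filled-in" cells are unsealed, so V sees any mismatch with the puzzle.
    if any(puzzle[r][c] not in (0, board[r][c]) for r in range(9) for c in range(9)):
        return False, []
    packets = []
    for unit in units(kind):
        packet = [board[r][c] for r, c in unit]
        rng.shuffle(packet)              # P shuffles, hiding which cell held what
        packets.append(packet)
    return all(sorted(p) == list(range(1, 10)) for p in packets), packets

def catch_probability(board, puzzle):
    """Fraction of V's three equally likely challenges that expose `board`."""
    rng = random.Random(0)
    kinds = ["rows", "cols", "subgrids"]
    return sum(not run_round(board, puzzle, k, rng)[0] for k in kinds) / 3

def simulate_view(rng):
    """Zero-knowledge simulator: V's view of an accepting round, built with no solution."""
    packets = [list(range(1, 10)) for _ in range(9)]
    for p in packets:
        rng.shuffle(p)
    return packets
```

As multisets, the packets returned by simulate_view match those of a real accepting round, which is the slide's point that V only sees permuted values of 1…9.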
Better Soundness
Props: 81 scratch-off cards
P places 3 cards on each cell, corresponding to solution
For each cell, V assigns each card to one of rows/cols/subgrids, collects to corresponding packet
P shuffles each of 27 packets
V takes each packet, unseals cards, verifies that each contains 1…9
If yes -- accept, otherwise reject
Analysis of Soundness
P can no longer cheat as before
New way to cheat: 3 cards on a cell are not the same value
Say some cell gets 3 values, not all the same.
One of three cards is different from others
Belongs to one of rows/cols/subgrids
otherwise P is always caught cheating
V assigns card to correct row/col/subgrid with probability at most 1/3
⇒ Cheating P caught with probability 2/3
Actually: can show that P is caught with probability 8/9
At least 2 cells are mislabeled
otherwise P is always caught cheating
Reducing Number of Shuffles
Previous protocol required 27 shuffles. Too much!
New protocol: same as before –
3 cards on each cell
V assigns each to row/col/subgrid
Make 27 packets
For each packet, V assigns a random number 1…c
For each i, P assembles all packets with number i
P shuffles each of c piles
V takes each pile, unseals cards, verifies that each contains correct number of cards 1…9.
If yes -- accept, otherwise reject
Analysis
Only c shuffles required
Soundness:
With probability 8/9, some packet j is unbalanced
However, two unbalanced packets, if shuffled together, may balance each other
Suppose all packets except j are assigned to one of c piles
If piles are balanced, then assigning j will cause imbalance ⇒ P will be caught
If 2+ piles are unbalanced ⇒ P will be caught
If 1 pile is unbalanced, j will balance it only if assigned to it, with probability 1/c
⇒ Cheating P is caught with probability 8(c-1)/9c
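The three-cards-per-cell protocol and its c-pile variant as one simulation (an added example, not from the original slides). GRID is a constructed sample and all function names are assumptions; the cheating prover puts non-identical cards on two cells of one row and subgrid, and the measured catch rate can be compared with 8/9 and with 8(c-1)/9c.

```python
import random
from collections import defaultdict

# Constructed sample: a valid solution grid.
GRID = [[(3 * (r % 3) + r // 3 + c) % 9 + 1 for c in range(9)] for r in range(9)]

def honest_cards(grid):
    """Three identical sealed cards on every cell."""
    return [[[v] * 3 for v in row] for row in grid]

def cheating_cards(grid):
    """Cells (0,0) and (0,1) each carry one card with the other cell's value:
    the '3 cards on a cell are not the same value' cheat from the analysis."""
    cards = honest_cards(grid)
    a, b = grid[0][0], grid[0][1]
    cards[0][0], cards[0][1] = [b, b, a], [a, a, b]
    return cards

def verify(cards, rng, c=None):
    """One run. c=None: each of the 27 packets is shuffled on its own;
    otherwise V sends every packet to one of c piles at random."""
    packets = defaultdict(list)
    for r in range(9):
        for col in range(9):
            trio = cards[r][col][:]
            rng.shuffle(trio)            # V decides which card goes to which packet
            keys = [("row", r), ("col", col), ("sub", 3 * (r // 3) + col // 3)]
            for key, value in zip(keys, trio):
                packets[key].append(value)
    piles = defaultdict(list)
    for key, packet in packets.items():
        piles[key if c is None else rng.randrange(c)].extend(packet)
    # P shuffles each pile (order does not affect the check); V unseals it and
    # accepts only if every digit occurs once per packet that went into the pile.
    return all(pile.count(d) == len(pile) // 9
               for pile in piles.values() for d in range(1, 10))

def catch_rate(cards, trials, c=None, seed=0):
    """Fraction of runs in which V rejects."""
    rng = random.Random(seed)
    return sum(not verify(cards, rng, c) for _ in range(trials)) / trials
```

With c=None this particular cheat passes only when V assigns both odd cards to their columns, so the catch rate is close to 8/9; with c=3 it drops but stays above the bound 8(c-1)/9c = 16/27.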
Perfect Soundness
If 3 cards on each cell are guaranteed to have same value, cheating P would always get caught!
Implementing triplicate:
With trusted setup: 3 cards (with same value) are connected and can be torn apart
Without trusted setup:
Use colors instead of numbers
Each card is a circle, prepared by P
V cuts each card into 3 equal pieces (randomly)
If card was not uniformly colored, random cut will reveal non-uniformity when card is scratched
Perfect Soundness with a trusted copy machine:
Prepare three copies of the solution.
Puzzle should be printed on the back.
One copy is cut along the rows
One copy is cut along the columns
One copy is cut along the subgrids
Each strip is then cut into cells
The cells are shuffled (or sorted by the prover)
Verifier checks that
all values 1…9 are there
The “filled-in” cells have the same values on both sides
To prove that the correct puzzle was solved
Cryptographic Protocols
Encryption
Authentication
Digital signatures
Zero-knowledge proofs
Secure computation
Cryptographic protocols: proceed by exchanging digital messages
Assumptions needed: existence of a one-way function
Open problems:
Implement physical protocol over the mail?
Parties need not be in the same room
Possible to implement commitments from scratch-off cards.
However, an amplification stage requires many repetitions
Not easy for humans
Other puzzles?
Cryptography Today
Cryptography is a very active research area
Research activities range:
providing firm foundations
Relationship with complexity theory
providing actual constructions and analysis for specific needs.
Some recent topics
Obfuscation of programs
Maintaining privacy of released data
Voting Schemes
Any questions?
Based on:
R. Gradwohl, M. Naor, B. Pinkas and G. Rothblum, Cryptographic and Physical Zero-Knowledge Proof Systems for Solutions of Sudoku Puzzles, FUN 2007.
Available:
www.wisdom.weizmann.ac.il/~naor/PAPERS/sudoku_abs.html
Thank you
Thank you very much