Title: CSC 3130: Automata theory and formal languages
1Fall 2008
The Chinese University of Hong Kong
CSC 3130 Automata theory and formal languages
Interaction, randomness,and zero-knowledge
Andrej Bogdanov http//www.cse.cuhk.edu.hk/andrej
b/csc3130
2The bright side of NP-hardness
Disclaimer
Today, I will say a few things that are not
completely true, but they are good lies
3Authentication
What happens when you type in your password?
4Naïve authentication
login mepassword opensesame
acme.com
OK
you
server
- The server knows your password
- So they can impersonate you at other web sites
where you use the same password
5Zero-knowledge authentication
I know the password
acme.com
Can you prove it?
Can you convince the server that you know your
password, without revealing it (and anything
else)?
6What is knowledge?
What is ignorance?
(lack of knowledge)
- Example 1 Tomorrows lottery numbersWe are
ignorant of them because they are random
7What is ignorance?
- Example 2 A difficult homework problem
- We are ignorant because it takes a lot of work to
figure out the answer - Questions of this type include
- Finding satisfying assignments to Boolean
formulas - Finding cliques in graphs ...
8Using ignorance to our advantage
I know the password
acme.com
Can you prove it?
We want to convince the server that we know the
password, while keeping it ignorant of the
password itself
The server is convinced, but gains zero-knowledge!
9I can convince you Bin Laden is in there, without
revealing his secret location!
10Zero-knowledge
- I can convince you that I know where he is
- But you have zero information about how to find
him yourself!
11A protocol for non-color-blindness
- You want to convince me you are not color-blind
I pull at random either a red ballor a blue ball
and show it to you
You say red or blue
We repeat this 10 times
If you got all the answers right, I am convinced
you know red from blue
12Interaction and knowledge
- What knowledge did I gain from this interaction?
I learned that you can tell blue from red
But I also learned the colors of the balls in
each glass
Suppose I was color-blind
Then I used you to gain some knowledge!
13A different protocol
I pull at random either a red ballor a blue ball
and show it to you
We repeat 10 times
box 1
Each time, you say same color as previous or
different color from previous
If you got all the answers right, I am convinced
you know red from blue
box 2
But I did not gain any other knowledge!
14Zero-knowledge
- Suppose I am color-blind but you are not
- In the first protocol, I cannot predict your
answer ahead of time - In the second protocol, I know what you will say,
so I do not gain knowledge when you say it
15Zero-knowledge password authentication
acme.com
Oded Goldreich
Silvio Micali
Avi Wigderson
16Graph coloring
Task Assign one of 3 colors to the vertices so
that no edge has both endpoints of same color
3COL G G has a valid 3-coloring
3COL is NP-complete
17NP-hardness of 3COL
- Proof sketch of NP-hardness Reduce from
3SATWe describe G
R
3CNF formula f
graph G
G has a valid 3-coloring
f is satisfiable
X
T
F
Part I 3 special vertices T (true), F (false),
and X
18NP-hardness of 3COL
Either xi has color of T and xi has color of F
X
xi
xi
Or xi has color of F and xi has color of T
Part 2 For each variable xi
x1
Can be 3-colorediff clause is satisfied
x2
T
x3
Part 3 For each clause, e.g. x1?x2?x3
19Password authentication via 3-coloring
- Step 0 When you register for the web
service,choose your password to be a valid
3-coloring of some (suitable) graph
acme.com
registration
G
1
6
password
2
5
3
4
20Registration phase
- When the server asks for your passworddo
not send the password, but send the graph G
instead (without the colors)
acme.com
password?
G
G
1
6
password
2
5
3
4
21Intuition about registration phase
- Because 3-coloring is hard, the server will not
be able to figure out your password (coloring)
from G - Later, when you try to log in, you will convince
the server that you know how to color G, without
revealing the coloring itself - The server will be convinced you know your
password but remain ignorant about what it is
22The login phase
You randomly permute the colors
password
You lock each of the colors in a box and send
the boxes to the server
The server chooses an edge at random and asks
for the keys to the boxes at the endpoints
You send the requested keys
The server unlocks the two boxes and checks the
colors are different
1
6
2
5
Repeat this 1000 times. Login succeeds if colors
always different
3
4
23Analysis in the login phase
- If you are an impostor, you wont know how to
color the graph - At least one of the edges will have endpoints of
the same color, and the server is likely to catch
this - If you are honest, the server remains ignorant
about your password - Each time, he merely sees two random different
colors - But how do we send locked boxes and keys over the
internet?
24THE END
25Whats next
CSC 3120 Compilers
Fall 2010
Teaches you how to write parsers and compilers
for your favorite programming language
CSC 5170 Computational Complexity
Spring 2010
Computational hardness beyond NP-completeness
http//www.cse.cuhk.edu.hk/andrejb/csc5170/
CSC 5251 Cryptography
Spring 2011
(Pending approval)
Tells you about the bright side of hardness!