CSC 3130: Automata theory and formal languages

1
Fall 2008
The Chinese University of Hong Kong
CSC 3130 Automata theory and formal languages
Interaction, randomness,and zero-knowledge
Andrej Bogdanov http//www.cse.cuhk.edu.hk/andrej
b/csc3130
2
The bright side of NP-hardness
Disclaimer
Today, I will say a few things that are not
completely true, but they are good lies
3
Authentication
What happens when you type in your password?
4
Naïve authentication
login mepassword opensesame
acme.com
OK
you
server

• The server knows your password
• So they can impersonate you at other web sites
  where you use the same password

5
Zero-knowledge authentication
I know the password
acme.com
Can you prove it?
Can you convince the server that you know your
password, without revealing it (and anything
else)?
6
What is knowledge?
What is ignorance?
(lack of knowledge)

• Example 1 Tomorrows lottery numbersWe are
  ignorant of them because they are random

7
What is ignorance?

• Example 2 A difficult homework problem
• We are ignorant because it takes a lot of work to
  figure out the answer
• Questions of this type include
• Finding satisfying assignments to Boolean
  formulas
• Finding cliques in graphs ...

8
Using ignorance to our advantage
I know the password
acme.com
Can you prove it?
We want to convince the server that we know the
password, while keeping it ignorant of the
password itself
The server is convinced, but gains zero-knowledge!
9
I can convince you Bin Laden is in there, without
revealing his secret location!
10
Zero-knowledge

• I can convince you that I know where he is
• But you have zero information about how to find
  him yourself!

11
A protocol for non-color-blindness

• You want to convince me you are not color-blind

I pull at random either a red ballor a blue ball
and show it to you
You say red or blue
We repeat this 10 times
If you got all the answers right, I am convinced
you know red from blue
12
Interaction and knowledge

• What knowledge did I gain from this interaction?

I learned that you can tell blue from red
But I also learned the colors of the balls in
each glass
Suppose I was color-blind
Then I used you to gain some knowledge!
13
A different protocol
I pull at random either a red ballor a blue ball
and show it to you
We repeat 10 times
box 1
Each time, you say same color as previous or
different color from previous
If you got all the answers right, I am convinced
you know red from blue
box 2
But I did not gain any other knowledge!
14
Zero-knowledge

• Suppose I am color-blind but you are not
• In the first protocol, I cannot predict your
  answer ahead of time
• In the second protocol, I know what you will say,
  so I do not gain knowledge when you say it

15
Zero-knowledge password authentication
acme.com
Oded Goldreich
Silvio Micali
Avi Wigderson
16
Graph coloring
Task Assign one of 3 colors to the vertices so
that no edge has both endpoints of same color
3COL G G has a valid 3-coloring

• Theorem

3COL is NP-complete
17
NP-hardness of 3COL

• Proof sketch of NP-hardness Reduce from
  3SATWe describe G

R
3CNF formula f
graph G
G has a valid 3-coloring
f is satisfiable
X
T
F
Part I 3 special vertices T (true), F (false),
and X
18
NP-hardness of 3COL
Either xi has color of T and xi has color of F
X
xi
xi
Or xi has color of F and xi has color of T
Part 2 For each variable xi
x1
Can be 3-colorediff clause is satisfied
x2
T
x3
Part 3 For each clause, e.g. x1?x2?x3
19
Password authentication via 3-coloring

• Step 0 When you register for the web
  service,choose your password to be a valid
  3-coloring of some (suitable) graph

acme.com
registration
G
1
6
password
2
5
3
4
20
Registration phase

• When the server asks for your passworddo
  not send the password, but send the graph G
  instead (without the colors)

acme.com
password?
G
G
1
6
password
2
5
3
4
21
Intuition about registration phase

• Because 3-coloring is hard, the server will not
  be able to figure out your password (coloring)
  from G
• Later, when you try to log in, you will convince
  the server that you know how to color G, without
  revealing the coloring itself
• The server will be convinced you know your
  password but remain ignorant about what it is

22
The login phase
You randomly permute the colors
password
You lock each of the colors in a box and send
the boxes to the server
The server chooses an edge at random and asks
for the keys to the boxes at the endpoints
You send the requested keys
The server unlocks the two boxes and checks the
colors are different
1
6
2
5
Repeat this 1000 times. Login succeeds if colors
always different
3
4
23
Analysis in the login phase

• If you are an impostor, you wont know how to
  color the graph
• At least one of the edges will have endpoints of
  the same color, and the server is likely to catch
  this
• If you are honest, the server remains ignorant
  about your password
• Each time, he merely sees two random different
  colors
• But how do we send locked boxes and keys over the
  internet?

24
THE END
25
Whats next
CSC 3120 Compilers
Fall 2010
Teaches you how to write parsers and compilers
for your favorite programming language
CSC 5170 Computational Complexity
Spring 2010
Computational hardness beyond NP-completeness
http//www.cse.cuhk.edu.hk/andrejb/csc5170/
CSC 5251 Cryptography
Spring 2011
(Pending approval)
Tells you about the bright side of hardness!