Security

1
Security

• Zero-knowledge and information-based security
• in part adapted from slides by Vitaly Shmatikov

2
Zero-knowledge proof

• A zero-knowledge proof or zero-knowledge protocol
  is an interactive method for one party to prove
  to another that a statement is true, without
  revealing anything other than the veracity of the
  statement.

3
Zero-Knowledge Proofs

• An interactive proof system involves a prover and
  a verifier
• The prover proves a statement to the verifier
  without revealing anything except the fact that
  the statement is true
• Zero-knowledge proof of knowledge (ZKPK) prover
  convinces verifier that he knows a secret without
  revealing the secret
• Ideal functionality ?

slide 3
4
Properties of zero-knowledge proofs

• Completeness
• If both prover and verifier are honest, protocol
  succeeds with overwhelming probability
• Soundness
• No one who does not know the secret can convince
  the verifier with non-negligible probability
• Intuition the protocol should not enable prover
  to prove a false statement
• Zero knowledge
• The proof does not leak any information

slide 4
5
Example of zero-knowledge proof
Jean-Jacques Quisquater and others "How to
Explain Zero-Knowledge Protocols to Your
Children" Peggy (Prover) has uncovered the secret
word used to open a magic door in a cave. The
cave is shaped like a circle, with the entrance
on one side and the magic door blocking the
opposite side. Victor (Verifier) says he'll pay
her for the secret, but not until he's sure that
she really knows it. Peggy says she'll tell him
the secret, but not until she receives the money.
They devise a scheme by which Peggy can prove
that she knows the word without telling it to
Victor.
slide 5
6
Peggy proves to Victor she knows the magic word
to open the secret door without telling it to
Victor.
slide 6
7
Peggy proves to Victor she knows the magic word
to open the secret door without telling it to
Victor.
slide 7
8
Peggy proves to Victor she knows the magic word
to open the secret door without telling it to
Victor.
slide 8
9
Dining Cryptographers(anonymity example)

• Three cryptographers are having dinner. Either
  NSA is paying for the dinner, or one of them is
  paying, but wishes to remain anonymous.
• Each diner flips a coin and shows it to his left
  neighbour
• Each diner sees two coins his own and his right
  neighbours
• Each diner announces whether the two coins are
  the same. If he is the payer, he lies (says the
  opposite).
• odd number of same ? NSA is paying
• even number of same ? one of them is
  paying
• But a non-payer cannot tell which of the other
  two is paying!

10
Non-Payers View Same Coins
same
different
?
Without knowing the coin toss between the other
two, non-payer cannot tell which of them is lying
11
Non-Payers View Different Coins
same
same
?
Without knowing the coin toss between the other
two, non-payer cannot tell which of them is lying
12
Superposed Sending

• This idea generalizes to any group of size N
• For each bit of the message, every user generates
  1 random bit and sends it to 1 neighbour
• Every user learns 2 bits (his own and his
  neighbours)?
• Each user announces own bit XOR neighbours bit
• Sender announces own bit XOR neighbours bit XOR
  message bit
• XOR of all announcements message bit
• Every randomly generated bit occurs in this sum
  twice (and is canceled by XOR), message bit
  occurs once

13
Dining-Cryptropher Based Anonymity is Impractical

• Requires secure pairwise channels between group
  members
• Otherwise, random bits cannot be shared
• Requires massive communication overhead and large
  amounts of randomness
• DC-net (a group of dining cryptographers) is
  robust even if some members collude
• Guarantees perfect anonymity for the other members

14
Information-based crypto --- unconditional
security

• There are two types of cryptographic security.
  The security of a cryptographic system can rely
  either on the computational infeasibility of
  breaking it (computational security) or on the
  theoretical impossibility of breaking it, even
  using infinite computing power. The latter is
  called information-theoretic security or
  unconditional security.

15
Example of unconditionally secure protocol
Russian Cards

• From a pack of seven known cards 0, 1, 2, 3, 4,
  5, 6, Alice and Bob each draw three cards and Eve
  gets the remaining card. How can the players with
  three cards openly inform each other about their
  cards, without the third player learning from any
  of their cards who holds it?
• Alice holds 012, Bob holds 345, Eve holds 6.

16
Example of unconditionally secure
protocolRussian Cards

• From a pack of seven known cards 0, 1, 2, 3, 4,
  5, 6, Alice and Bob each draw three cards and Eve
  gets the remaining card. How can the players with
  three cards openly inform each other about their
  cards, without the third player learning from any
  of their cards who holds it?
• Moscow Math Olympiad, 2000 Thomas
  Kirkman, 1846 ....

17
Russian Cards
Alice and Bob wish to communicate their hand of
cards
Alice
Bob
012
345
Eve
6
18
Russian Cards
Alice and Bob wish to communicate their hand of
cards
Alice
complexity based e.g. 012 345?
Bob
012
345
Eve
6
19
Russian Cards
Alice and Bob wish to communicate their hand of
cards
Alice
unconditionally secure 'I have 0 or 2 or 4'
Bob
012
345
Eve
6
20
Russian Cards
Alice and Bob wish to communicate their hand of
cards
Alice
unconditionally secure 'I have 0 or 2 or 4'
Bob
012
345
Eve
6
21
Russian Cards
Alice and Bob wish to communicate their hand of
cards
Alice
Bob
012
'I have 012 or you have 012'
345
'I have 345 or you have 345'
Eve
6
22
Russian Cards
Alice and Bob wish to communicate their hand of
cards
Alice
Bob
012
One of 012 034 056 135 246'
345
Eve has 6
Eve
6
23
Russian Cards
Fischer and Wright, Bounds on secret key exchange
using a random deal of cards, Journal of
Cryptology, 1996 Hans van Ditmarsch, The Russian
Cards Problem, Studia Logica, 2003
24
That's all
This ends the four week security block. Thanks
for your attention! Don't forget the 8 May
deadline of the assignment.