Cryptography and Sudoku
Moni Naor
‫מוני נאור‬
WEIZMANN INSTITUTE
OF SCIENCE
Joint work with: Ronen Gradwohl, Benny Pinkas, Guy Rothblum
What is Cryptography?
Traditionally: how to maintain secrecy in communication
Alice and Bob talk while Eve tries to listen
Bob
Alice
Eve
Eve
Cryptography
 Very ancient occupation
Biblical times: Atbash in Jeremiah
‫איך נלכדה ששך ותתפש תהלת כל הארץ‬
‫איך היתה לשמה בבל בגויים‬
 Egyptian Hieroglyphs
 Unusual ones
...
 Many interesting books and sources, especially
about the Enigma (WW2)
Modern Times
The
UpStudy
to the
70’s:
classified
military
work
ofofmid
the
needed
to solve
Prevalence
theresources
Internet:
computational
problems
is in the Turing*
news (daily!)
•Cryptography
Exception: Shannon,
•Cryptography is relevant to ``everyone” - security and
 Since
then
- explosive
growth
privacy
issues
for individuals
 Commercial applications
 Scientific work: tight relationship with
Computational Complexity Theory
 Major works: Diffie-Hellman, Rivest, Shamir and
Adleman (RSA)
 Recently: more involved models for more diverse tasks.
How to maintain the secrecy, integrity and functionality
in computer and communication system.
Computational Complexity Theory
 Study the resources needed to solve computational problems
 Computer time
 Computer memory
 Communication
 Parallelism
A computational problem:
 Randomness
 …
•multiplying two numbers,
•selecting a move in a chess position
•Find the shortest tour visiting all cities
 Identify problems that are infeasible to compute by any reasonable
machine
 Taxonomy: classify problems into classes with similar properties wrt
the resource requirements
 Help find the most efficient algorithm for a problem
P=NP?
The Crypto Arms Race: ~3000 BC - ~1980
“Secure”
System
System+
“Secure”
System++
System+
System
“Break”
“Break++”
“Break+”
Traditional crypto: 8 attack 9defense
Modern crypto (1976 -): 9 defense 8attack
Sudoku
 Fill in the empty entries
in the grid so that
every row,
every column, and
every 3 x 3 subgrid
contains the digits 1
through 9.
Sudoku
 Fill in the empty entries in the
grid so that
every row,
every column, and
every 3 x 3 subgrid
contain the digits 1 through 9.
 Can be generalized to an nn
grid, where n=k2.
 The size of an instance is
O(n2log(n)) bits.
 Nothing special about the
numbers 1…9.
The Plot
Oh yeah?
Prove it!
I know the
solution!
Veronica
Well, I
could show
you, but…
…I don’t want
to tell you how
to solve it…
Paul
Zero-Knowledge Proofs
Paul wants to prove that “A is true”
Blah
Blah
Blah?
Blah?
Blah!
Oh!
If “A is true”: Veronica is convinced, but doesn’t learn
about A! She can’t prove that “A is true”.
Why Study Zero-Knowledge Proofs?
 Authentication: prove your identity to someone
using secret information, without revealing the
secret
 Force malicious adversaries to act according to
protocol
Design protocol with benign adversaries.
Then compile to withstand malicious ones
 Why study zero-knowledge for Sudoku?
 It has nice properties
 It’s educational – everybody knows Sudoku
 It’s FUN!
Outline
 Definitions
 Physical model
 A basic protocol
 2 variations
Interactive Proof
 Probabilistic protocol between 2 parties: Prover and Verifier
 Both know instance of a problem
 Prover might know a witness/solution
 Players “chat”, and at the end, verifier accepts or rejects
 Completeness: probability that honest verifier accepts correct proof
 Soundness error: probability that verifier accepts incorrect proof
Zero-Knowledge Proof
 Interactive Proof
 Zero-knowledge property:
Whatever Verifier learned from Prover,
could have learned by himself
 Exists efficient Simulator that can simulate
conversation, without access to Prover
 zero-knowledge proof for all NP
 Proof of 3-colorability
 Proof for Hamiltonicity
Set of problems that
have efficient
verification
Sudoku and Complexity
 Sudoku is in NP
 Means: easy to verify solutions
 In fact: Sudoku is NP Complete – not all that relevant
 There are zero-knowledge proofs for all problems in NP
 Therefore there is a ZK proof for Sudoku.
 Direct ZK proofs for Sudoku are preferable:
 Efficiency: avoiding the overhead of the reduction
 Practicality: Implementable without the aid of computers
 Understandability (by non-experts!): Ensure that
participants have intuitive understanding of the proof.
Physical Objects
 Typical Cryptographic metaphor:
 Physical “locked box”
 Hard to find physical locked box that:
 Can never be opened
 Are readily available
 Have transparent operation
 Tamper-evident seal
 Tampering is evident
 Can open, but can’t reseal
 Scratch-off card, sealed envelope
Scratch-Off Cards
 Can’t tell them apart (until unsealed)
 Can shuffle them effectively
 Like picking a random
permutation
 Can triplicate them
 Stronger requirement
 Used in perfect soundness
protocol
Human Behavior
 Paul and Veronica are in same room
 Shuffling: Paul wants a fair shuffle, Veronica
wants to make sure no cards were switched
 More benign adversary:
 Either protocol works, or cheating player is
labeled a “cheater”
Playing Cards
 Can use playing cards instead of scratch-off cards:
 Sealing = turning card face down
 Revealing = turning it face up
 Not really tamper evident
 Works when players in same room, watching each other
A Simple Physical Protocol
Flip coin:
rows or
columns?
A Simple Physical Protocol
A Simple Physical Protocol
 Props: 81 sealed scratch-off cards, and a board with 81 cells (like
Sudoku)
 P places a sealed card on each cell
 Corresponding to his solution
 “filled-in” values are unsealed
 V chooses one of rows/cols/subgrids
 P makes packet for each row, shuffles it
 V takes each packet, unseals cards, verifies that each contains
cards 1…9
 If yes -- accept, otherwise reject
Analysis
 Completeness: perfect
 Soundness: cheating P must cheat in one of rows,
columns, or subgrids
 P is caught with probability ≥ 1/3
 Zero-knowledge: V only sees some permuted values of
1…9
Better Soundness
Better Soundness
Better Soundness
 Props: 81 scratch-off cards
 P places 3 cards on each cell, corresponding to
solution
 For each cell, V assigns each card to one of
rows/cols/subgrids, collects to corresponding
packet
 P shuffles each of 27 packets
 V takes each packet, unseals cards, verifies that
each contains 1…9
 If yes -- accept, otherwise reject
Analysis of Soundness
 P can no longer cheat as before
 New way to cheat: 3 cards on a cell are not the same value
 Say some cell gets 3 values, not all the same.
 One of three cards is different from others
 Belongs to one of rows/cols/subgrids
 o/w P is always caught cheating
 V assigns card to correct row/col/subgrid with probability at most 1/3
⇒ Cheating P caught with probability 2/3
 Actually: can show that P is caught with probability 8/9
 At least 2 cells are mislabeled
 o/w P is always caught cheating
Reducing Number of Shuffles
 Previous protocol required 27 shuffles. Too much!
 New protocol: same as before –
 3 cards on each cell
 V assigns each to row/col/subgrid
 Make 27 packets




For each packet, V assigns a random number 1…c
For each i, P assembles all packets with number i
P shuffles each of c piles
V takes each pile, unseals cards, verifies that each contains
correct number of cards 1…9.
 If yes -- accept, otherwise reject
Analysis
 Only c shuffles required
 Soundness:
 With probability 8/9, some packet j is unbalanced
 However, two unbalanced packets, if shuffled together,
may balance each other
 Suppose all packets except j are assigned to one of c piles
 If piles are balanced, then assigning j will cause imbalance
⇒ P will be caught
 If 2+ piles are unbalanced ⇒ P will be caught
 If 1 pile is unbalanced, j will balance it only if assigned to
it, with probability 1/c
⇒ Cheating P is caught with probability 8(c-1)/9c
Perfect Soundness
 If 3 cards on each cell are guaranteed to have same
value, cheating P would always get caught!
 Implementing triplicate:
 With trusted setup: 3 cards (with same value) are
connected and can be torn apart
 Without trusted setup:
 Use colors instead of numbers
 Each card is a circle, prepared by P
 V cuts each card into 3 equal pieces (randomly)
3
3
3
 If card was not uniformly colored, random cut will reveal nonuniformity when card is scratched
Perfect Soundness with a trusted copy machine:
Prepare three copies of the solution.
 Puzzle should be printed on the back.
 One copy is cut along the rows
 One copy is cut along the columns
 One copy is cut along the subgrids
 Each strip is then cut into cells
 The cells are shuffled (or sorted by the prover)
 Verifier checks that
 all values 1…9 are there
 The “filled-in” cells have the same values on both sides
 To prove that the correct puzzle was solved
Cryptographic Protocols
ALICE
BOB
Protocols
Encryption
Zero-knowledge
proofs
Authentication
Secure
computation
Digital
signatures
Assumptions needed: existence
of a one-way function
Cryptographic protocols:
proceed by exchanging
digital message
Open problems:
 Implement physical protocol over the mail?
Parties need not be in the same room
 Possible to implement commitments from scratch-off cards.
 However, an amplification stage requires many repetitions
 Not easy for humans
 Other puzzles?
Cryptography Today
phlegmon of the pharynx
Cryptography Today
Cryptography is a very active research area
 Research activities range:
 providing firm foundations
 Relationship with complexity theory
 providing actual constructions and analysis for specific
needs.
Some recent topics
 Obfuscation of programs
 Maintaining privacy of released data
 Voting Schemes
Any questions?
Based on:
 R.Gradwohl, M. Naor, B. Pinkas and G. Rothblum,
Cryptographic and Physical Zero-Knowledge Proof
Systems for Solutions of Sudoku Puzzles, FUN 2007.
Available:
www.wisdom.weizmann.ac.il/~naor/PAPERS/sudoku_abs.html
Thank you
‫תודה רבה‬