1. No category

Lecture 15: Oblivious Transfer and Trick-or-Treat

Lecture 15:
From Here to Oblivion
CS588: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/~evans
Menu
• Oblivious Transfer
• Zero-Knowledge Proofs
(Not “No Knowledge Proofs”)
31 Oct 2001
University of Virginia CS 588
2
Oblivious Transfer
Joe Kilian’s story:
“Suppose your netmail is being censored by
Captain Yossarian. Whenever you send a
message, he censors each bit of the
message with probability ½, replacing each
censored bit by some reversed character.
Well versed in such concepts as redundancy,
this is no real problem to you. The question
is, can it actually be turned around and used
to your advantage?”
31 Oct 2001
University of Virginia CS 588
3
Oblivious Transfer
• Before:
– Alice knows secret b
– Bob knows nothing
• After:
– Either:
• ½ probability: Bob knows b
• ½ probability: Bob knows nothing
– Alice doesn’t know if Bob knows b
31 Oct 2001
University of Virginia CS 588
4
Is this useful?
Fair Coin Toss:
Alice
Bob
Pick R1, R2, b
H (R1 || R2 || b), R1
g
Guess g
b, R2
Bob wins if g = b
Does this really (information theoretically) work?
31 Oct 2001
University of Virginia CS 588
5
Coin Toss with Capt. Yossarian
Alice picks b1, b2, …, bn such that
b = b1  b2  …  bn
Sends out b1, b2, …, bn over ½ censored
channel
Bob receives half of the bi’s (and doesn’t
know anything about the others)
Bob guesses g and sends it to Alice
31 Oct 2001
University of Virginia CS 588
6
Oblivious Coin Toss
Alice
Pick b = b1  b2
 …  bn
Bob
b1, b2, …, bn
Bob wins if g = b
31 Oct 2001
b1, X, X, b4, b5 , …, bn-1 , X
g
Guess g
“You Lose”
University of Virginia CS 588
7
Better Oblivious Coin Toss
Yossarian’s channel
Alice
Pick b = b1  b2
 …  bn
Bob
b1, b2, …, bn
Bob wins if g = b
Is this secure?
31 Oct 2001
b1, X, X, b4, b5 , …, bn-1 , X
g
Guess g
b1, b2, …, bn
Checks the bis he knows match
Calculates b = b1  b2  …  bn
University of Virginia CS 588
8
Oblivious Transfer
Can we approximate oblivious transfer
without Capt. Yossarian?
31 Oct 2001
University of Virginia CS 588
9
Public-Key Oblivious Transfer
Alice
Generates 2 public-private key pairs:
(KU1, KR1) (KU2, KR2)
Bob
Generates
symmetric key K
KU1, KU2
EKU1(K) or EKU2(K)
Picks either
KU1 or KU2.
K1 = EKR1(EKU?(K)) = K or meaningless bits
K2 = EKR2(EKU?(K)) = K or meaningless bits
31 Oct 2001
University of Virginia CS 588
10
Bob
Alice
Generates 2 public-private key pairs:
(KU1, KR1) (KU2, KR2)
Generates
symmetric key K
KU1, KU2
EKU1(K) or EKU2(K)
Picks either
KU1 or KU2.
K1 = EKR1(EKU?(K)) = K or meaningless bits
K2 = EKR2(EKU?(K)) = K or meaningless bits
EK1 (b1), EK2 (b2)
If Bob used KU1:
DK (EK1 (b1)) = b1
DK (EK2 (b2)) = Meaningless
31 Oct 2001
University of Virginia CS 588
11
31 Oct 2001
University of Virginia CS 588
12
Trick or Treat
Protocols
31 Oct 2001
University of Virginia CS 588
13
“Trick or Treat” Protocols
• Trick-or-Treater must convince victim
that she poses a credible threat
• Need to prove you know a trick,
without revealing what it is (otherwise
you don’t need to give the treat)!
• Technical literature calls them ZeroKnowledge “Proofs”
31 Oct 2001
University of Virginia CS 588
14
Cave Protocol
• Victim (Verifier)
stands at 1
• Trick-or-Treater
enters cave and walks
to either 3 or 4
• Victim moves to 2
• Victim yells to Tricker
to come out either left
or right
• Repeat n times
Tricker must know
magic word to open
door.
31 Oct 2001
1
2
Magic word door
3 4
Quisquater and Guillou, CRYPTO ’89
University of Virginia CS 588
15
If there’s no cave?
1. Trick-or-Treater uses constructs a problem
that only someone who knows the magic word
could solve.
2. Trick-or-Treater commits the solution (using a
bit commitment protocol)
3. Victim picks part of the solution for Trick-orTreater to reveal
4. Trick-or-Treater reveals part of the problem,
enough to be hard to do without knowing
whole solution, but not enough to help victim
learn anything.
5. Repeat n times.
31 Oct 2001
University of Virginia CS 588
16
Graph Coloring
Given a graph, pick colors of the
vertices so that no connected vertices
have the same color:
Adapted from Steven Rudich’s www.discretemath.com slides.
31 Oct 2001
University of Virginia CS 588
17
3-Coloring
How can you prove you know how to 3-color G?
31 Oct 2001
University of Virginia CS 588
18
How many 3-Colorings do you
know?
2
3
1
5
8
4
6
7
If
(Y, R, Y, R, B, Y, B, R) is a valid 3-coloring,
so is (R, Y, R, Y, B, R, B, Y)
and (B, Y, B, Y, R, B, R, Y)
31 Oct 2001
University of Virginia CS 588
19
How many 3-Colorings do you
know?
2
3
1
5
8
4
6
7
Can permute color names in any order: 3!
31 Oct 2001
University of Virginia CS 588
=6
20
ZeroKnowledge
“Proof”
2
3
1
5
8
7
4
6
• Trick-or-Treater randomly picks one of the 6
colorings
• Uses bit commitment to commit to the
coloring – sends Victim
H (R11 || R12 || C1), R11
H (R21 || R22 || C2), R21
…
H (R81 || R82 || C2), R81
31 Oct 2001
University of Virginia CS 588
21
Zero-Knowledge
“Proof”
2
3
1
5
8
7
4
6
• Victim picks two random connected nodes, j
and k
• Asks Trick-or-Treater to reveal colors of those
nodes
• Trick-or-Treater sends:
Cj, Rj2,Ck, Rk2
• Victim verifies Cj and Ck are different colors,
and checks the hashes
31 Oct 2001
University of Virginia CS 588
22
2
3
1
5
Proof?
8
7
4
6
• If Trick-or-Treater does not know a coloring,
there are two connected nodes that have the
same color
• If Victim picks randomly, chances are 1/d
(number of edges) that he will pick that edge
• Repeat k times, but each time the Trick-orTreater uses a random color mapping (from
the 3! possible permutations)
• Probability cheating Trick-or-Treater is not
caught: (1 – 1/d)k
31 Oct 2001
University of Virginia CS 588
23
How many repetitions?
• (1 – 1/d)k
• If k = dm
p = (1 – 1/d)dm = (1 – 1/d) * (1 – 1/d) … * (1 – 1/d)
ln (p) = ln (1 – 1/d) + ln (1 – 1/d) + … + ln (1 – 1/d)
= dm ln (1 – 1/d)
• You may (or may not) recall from the Birthday
Paradox proof:
– For 0 < x < 1:
ln (1 – x)  x
• So, ln (p) < dm (1/d) < m
p < (1/e)m
31 Oct 2001
University of Virginia CS 588
24
Will Tricker Get the Treat?
p < em
k = dm
For p < .01, we need m = 5
(1/e)5 = 0.006738
How big is d?
In example, 8 (way too small – anyone can
color the graph!)
If P  NP, graph coloring takes time O(ed)
d around 25 becomes intractable
Need md = 125 trials.
31 Oct 2001
University of Virginia CS 588
25
Does the Victim Learn
Anything?
• No – victim could already easily color
two connecting vertices differently
• Since the Tricker uses a different color
mapping permutation (unknown to
Victim), knowing the two vertex colors
doesn’t help
• Committing to the colors of all vertices
is what makes it convincing
31 Oct 2001
University of Virginia CS 588
26
A Faster Approach
1. Trick-or-Treater uses her secret and random
number to transform original problem into
an isomorphic hard problem.
2. Trick-or-Treater commits the solution (using a
bit commitment protocol)
3. Trick-or-Treater reveals new problem.
4. Victim asks Trick-or-Treater to either:
a) Prove new problem is isomorphic to old one
b) Show the solution to the new problem
5. Repeat n times.
31 Oct 2001
University of Virginia CS 588
27
Making an isomorphic
hard problem
• Requirements:
– Can’t use solution to new problem to solve old
problem (without knowing mapping)
– Can’t easily solve new problem
– Can show that old problem and new problem
are equivalent
• Hmmm...any theory experts?
31 Oct 2001
University of Virginia CS 588
28
Graph Isomoprhism
• Given two graphs,
G1 = <V1, E1> and
G2 = <V2, E2> is there
a mapping between
V1 and V2 such that
G1 and G2 are identical?
• This is an NP-complete problem:
– Its hard to find the mapping.
– Given mapping, easy to check it is correct.
31 Oct 2001
University of Virginia CS 588
29
Using Graph Isomorphism
• Trick-or-Treater constructs a graph to
represent the magic word:
– Vertices are letters
– Chooses edges as necessary
– Hamiltonian cycle is magic word (path that
goes through each vertex exactly once)
– Finding a Hamiltonian cycle is NPcomplete
31 Oct 2001
University of Virginia CS 588
30
Trick or Treat
• Trick-or-Treater wants to show Victim she
knows a Hamiltion Cycle in graph G
• Trick-or-Treater constructs H, a random
permutation of G
– If she knows a Hamiltonian Cycle for G, it is easy to
find on for H
• Shows Victim H, but not the cycle
• Victim asks for either:
– Map showing G and H are isomorphic
– Hamiltonian cycle for H
• Repeat n times (different H each time)
– Each iteration catches cheater with 50% probability!
31 Oct 2001
University of Virginia CS 588
31
Can we perform zero-knowledge
proofs for other problems?
Yes! Any NP problem can be
transformed into any NP-complete
problem (either graph coloring or
Hamiltonian cycle)
31 Oct 2001
University of Virginia CS 588
32
Variation:
Oblivious Circuit Evaluation
• Alice wants to find a Hamiltonian Cycle of
G.
• Bob has a quantum computer that can
find Hamiltonian Cycles fast
• Bob is willing to compute for Alice, but
Alice does not trust Bob to know G.
• Can Alice get Bob to find a Hamiltonian
Cycle in G for her, without revealing G to
Bob?
31 Oct 2001
University of Virginia CS 588
33
Oblivious Circuit Evaluation
Bob
Alice
Generates H an isomorphism of G
H
Cycle in H
Finds a cycle in H
Maps to cycle in G
Andrew Yao got the Turing Award
for something like this (and lots of
other contributions) last year!
31 Oct 2001
University of Virginia CS 588
34
Charge
• Keep cracking on your projects!
• Ask your trick-or-treaters for Hamiltonian
cycles and graph isomorphisms (and
keep the candy for yourself)
• Monday: Laura Brown, guest lecture
31 Oct 2001
University of Virginia CS 588
35

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz