1. CSCI 3130: Formal languages and automata theory
Andrej Bogdanov
http://www.cse.cuhk.edu.hk/~andrejb/csc3130
The Chinese University of Hong Kong
Interaction, randomness,
and zero-knowledge
Fall 2011
4. Naïve authentication
• The server knows your password
• So they can impersonate you at other web sites
where you use the same password
login: chief
password: 123456
OK
you server
acme.com
6. What is knowledge?
• Example 1: Tomorrow’s lottery numbers
What is ignorance?
(lack of knowledge)
2 31 12 7 28 11
We are ignorant of them because they are random
7. What is ignorance?
• Example 2: A difficult homework problem
Problem 4
(a) Show that P ≠ NP.
(If you collect $1,000,000, give it to your CSCI 3130 instructor.)
We are ignorant because it takes a lot of work to
figure out the answer
8. Using ignorance to our advantage
acme.com
I know the password
Prove it!
You want to convince server you know the password,
but you don’t want to reveal the password itself
The server is convinced, but gains zero-knowledge!
but I don’t want to say it!
9. I can convince you he is in there,
without telling you where!
10. Zero-knowledge
• I can convince you that I know where he is
• But you have zero knowledge about how to find him!
11. A protocol for non-color-blindness
• You want to convince me you are not color-blind
I pull at random either a red ball
or a blue ball and show it to you
You say red or blue
We repeat this 10 times
If you got all the answers right,
I am convinced you know red from blue
12. Interaction and knowledge
• What knowledge did I gain from this interaction?
I learned that you can tell red from blue
But I also learned the colors of the balls
in each glass
Suppose I was color-blind
Then I used you to gain some knowledge!
13. A different protocol
box 1
box 2
I pull at random either a red ball
or a blue ball and show it to you
Each time, you say “same color as previous”
or “different color from previous”
We repeat 10 times
If you got all the answers right,
I am convinced you know red from blue
But I did not gain any other knowledge!
14. Zero-knowledge
• Suppose I am color-blind but you are not
• In the first experiment, I cannot predict your answer
ahead of time
• In the second one, I know what you will say, so I do
not gain knowledge when you say it
16. Graph coloring
Task: Assign one of 3 colors to
the nodes so that every edge
has different endpoints
3COL = {G: G has a valid 3-coloring}
3COL is NP-complete
18. GMW protocol: Commitment phase
• Instead of sending the password to the server, you:
1 2 3 4 5 6
Construct a graph with vertices
colored as in password
Put some (random) edges between
vertices of different colors
Delete the colors of the vertices
G
donald
tsang
[email protected][email protected]
1
2
3 4
5
6
1
2
3 4
5
6
19. GMW protocol: Commitment phase
• Your real password is the coloring, which you hide
from the server
• You give the server a graph G that you know how to
color, but the server doesn’t
• Since 3COL is hard, the server shouldn’t be able to
figure out your coloring (password) from G
20. GMW protocol: Login phase
Randomly permute the colors
Lock each of the colors in a box
The server picks a random edge
and asks for the keys to boxes
You send the requested keys
The server unlocks the two boxes
and checks the colors are different
Repeat 100 times. Login
succeeds if colors always different
1
2
3 4
5
6
email
password
[email protected]
1 2 3 4 5 6
Send the locked boxes to server
✔
21. GMW protocol: Security
• Why can’t an impostor log in instead of you?
1
2
3 4
5
6
An impostor does not know how
to color the graph
Some edge will be colored improperly
When the server asks to see this edge,
impostor will be detected
hello, I am
✘
22. GMW protocol: Zero-knowledge
• Why doesn’t the server learn your password?
1
2
3 4
5
6 When you send the password, the
server can only see some locked boxes
The server then asks you to unlock
some boxes
Colors in the password were shuffled, so
server will only see two random colors!
23. But how do you send boxes and keys
over the internet?
