MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
-
Upload
meljun-cortes-mbampa -
Category
Documents
-
view
220 -
download
0
Transcript of MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
1/21
CSC 3130: Automata theory and formal languages
Andrej Bogdanov
http://www.cse.cuhk.edu.hk/~andrejb/csc3130
Interaction, randomness,and zero-knowledge
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
2/21
Authentication
What happens when you type in your password?
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
3/21
Nave authentication
The server knows your password
So they can impersonate you at other web sites
where you use the same password
login: me
password: opensesame
OK
you server
acme.com
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
4/21
Zero-knowledge authentication
acme.com
Can you convince the server that you know your password,
without revealing it (or any other information)?
I know the password
Can you prove it?
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
5/21
What is knowledge?
Example 1: Tomorrows lottery numbers
We are ignorant of them because they are
random
What is ignorance?
(lack of knowledge)
2 31 12 7 28 11
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
6/21
What is ignorance?
Example 2: A difficult math problem
We are ignorant because it takes a lot of work tofigure out the answer
Questions of this type include Finding satisfying assignments to Boolean formulas
Finding cliques in graphs
All NP-hard problems
Prove that P NP
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
7/21
Using ignorance to our advantage
acme.com
I know the password
Can you prove it?
We want to convince the server that we know the password,
while keeping it ignorant of the password itself
The server is convinced, but gains zero-knowledge!
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
8/21
A protocol for non-color-blindness
You want to convince me you are not color-blind
I pull at random either a red ball
or a blue ball and show it to you
You say red or blue
We repeat this 10 times
If you got all the answers right,I am convinced you know red from blue
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
9/21
Interaction and knowledge
What knowledge did I gain from this interaction?
I learned that you can tell blue from red
But I also learned the colors of the ballsin each glass
Suppose I was color-blind
Then I used you to gain some knowledge!
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
10/21
A different protocol
box 1
box 2
I pull at random either two balls from same box
or one ball from box 1 and one from box 2
You say same color or different color
We repeat 10 times
If you got all the answers right,
I am convinced you know red from blue
But I did not gain any other knowledge!
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
11/21
Zero-knowledge
Suppose I am color-blind but you are not
In the first protocol, I cannot predict your answer
ahead of time
In the second protocol, I know what you will say,
so I do not gain knowledge when you say it
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
12/21
Zero-knowledge password
authentication
acme.com
Oded Goldreich Silvio Micali Avi Wigderson
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
13/21
Graph coloring
Theorem
Task: Assign one of3 colors tothe vertices so that no edge has
both endpoints of same color
3COL = {G: Ghas a valid 3-coloring}
3COL is NP-complete
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
14/21
NP-hardness of3COL
Proof sketch ofNP-hardness: Reduce from 3SAT
We describe G:
3CNF formulaf graph G
G has a valid 3-coloring
R
fis satisfiable
Part I: 3 special verticesT (true), F (false), and X
T F
X
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
15/21
NP-hardness of3COL
Part 2: For each variable xi
xi
X
xi
Eitherxihas color of Tand xihas color of F
Orxihas color of F
and xihas color of T
Part 3: For each clause, e.g. x1x2x3
Can be 3-colored
iff clause is satisfied
x1
x2
x3
T
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
16/21
Password authentication via 3-coloring
Step 0: When you register for the web service,
choose your password to be a valid 3-coloring of
some (suitable) graph
acme.comregistration
password:1
2
3 4
5
6 G
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
17/21
Password authentication via 3-coloring
When the server asks for your password
do not send the password, but send the graph G
instead (without the colors)
acme.com
password:1
2
3 4
5
6 G
password?
G
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
18/21
Intuition about registration phase
Because 3-coloring is hard, the server will not beable to figure out your password (coloring) from G
Later, when you try to log in, you will convincethe server that you know how to colorG, without
revealing the coloring itself
The server will be convinced you know yourpassword but remain ignorant about what it is
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
19/21
The login phase
password: You randomly permute the colors
You lock each of the colors in a
box
and send the boxes to the server
1
2
3 4
5
6
The server chooses an edge at
random and asks for the keys tothe boxes at the endpoints
You send the requested keys
The server unlocks the two
boxesand checks the colors are
differentRepeat this 1000 times. Login
succeeds if colors always different
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
20/21
Analysis in the login phase
If you are an impostor, you wont know how tocolor the graph, so at least one of the edges will
have endpoints of the same color, and the server
is likely to catch this
If you are honest, the server remains ignorant
about your password, because all he sees are
two random different colors
But how do we send locked boxes and keys over
the internet?
-
7/31/2019 MELJUN CORTES -- AUTOMATA THEORY LECTURE - 24
21/21