Chapter 6 Other Security Building Blocks1

1
Overview

• Beyond basic cryptography
• Secret splitting - divide a message into n
  pieces, such that all n pieces must be combined
  to recover the message
• Blind signatures produce an unlinkable digital
  signature
• Bit commitment allows a user to commit to a
  prediction without revealing it
• Cryptographic protocols make use of cryptography
  to accomplish some task securely
• Authentication
• Key-exchange
• Zero-knowledge proofs allows a person to prove
  that he knows a secret without revealing it

2
Motivation for Secret Splitting

• A professor, Carol, encrypts her grade file with
  a symmetric-key cryptosystem
• Good only Carol can read grades (privacy)
• Good only Carol can modify grades (integrity)
• Bad if Carol becomes incapacitated nobody else
  can recover the grades
• Carol needs some kind of a mechanism that will
  allow someone other than her to decrypt the grade
  file in case of an emergency

3
Secret Splitting

• Secret splitting makes it possible to divide a
  message into n pieces called shadows, such that
• Combining less than n shadows yields nothing
• Combining all n shadows yields the message
• Carol can split her key into n shadows and give
  one to n different people she trusts
• Good if Carol becomes incapacitated all n people
  can get together and recover the grade file
• Good Unlikely that all n people would betray
  Carols trust

4
Secret Splitting Using One-Time Pads

• M THEKEYISTHREE
• Create four shadows
• Generate n-1 one-time pads (as long as M)
• P1 PDJEUVNSKTUEG
• P2 NBEXUYYKPAQJZ
• P3 ICMKELDAOFGMC
• Encrypt M with P1
• C1 JLOPZUYLEBMJL
• T (20) P (16) mod 26 J (10)
• H (8) D (4) mod 26 L (12)
• E(5) J (10) mod 26 O (15)

5
Secret Split. with One-Time Pads

• Encrypt C1 with P2
• C2 XNTNUTXWUCDTL
• Encrypt C2 with P3
• C3 GQGYZFBXJIKGO
• P1, P2, P3, and C3 are the four shadows
• Good all four shadows are required to
  reconstruct M
• Use P3 to decrypt C3 yielding C2
• Use P2 to decrypt C2 yielding C1
• Use P1 to decrypt C1 yielding M
• Bad What happens if Carol and one of the shadow
  holders become incapacitated?

6
Secret Sharing

• Secret sharing (also called a threshold scheme)
  makes it possible to divide a message into n
  shadows, such that
• Combining less than k shadows yields nothing
• Combining any k (or more) yields the message
• Example
• Carol uses a (3-8)-threshold scheme to divide her
  key into eight shadows (any three required to
  recover M)
• Give three to Alice, one to Bob, two to Dave, and
  one each to Elvis and Fred
• Carols key can be recovered by
• Alice (3)
• Dave (2) and Bob (1)
• Bob (1), Elvis (1), and Fred (1)
• Etc.
• Good Need some, not all, shadows to recover the
  key

7
Motivation for Blind Sigs

• Dave owns a bank
• Carol has an account at Daves bank
• Carol wants to withdraw some digital money
• Carol would like for the digital money to be
• Valid it should be accepted as payment by
  merchants (perhaps after some verification
  procedure)
• Anonymous Dave should not be able to determine
  where Carol spends her money
• Blind signatures allow Dave to create digital
  money that is both valid and anonymous

8
Blind Signatures

• Blind signatures enable a user to digitally sign
  a document without seeing its contents
• Assume Daves RSA public/private keys are
• Public e 413, n 629
• Private d 53
• Before giving a message, m, to Dave for his
  signature, Carol can blind it
• Choose a random blinding factor, b
• 1 lt b lt n-1
• b is relatively prime to n
• Example (using small numbers) m 250 and b 5

9
Blind Signatures (cont)

• Carol blinds the message
• B (m ? (be)) mod n
• B (250 ? (5413)) mod 629
• B 172
• Carol gives the blinded message, B, to Dave
• Dave cannot read the blinded message because he
  does not know the blinding factor
• If n is large, exhaustive search for b is
  unfeasible

10
Blind Signatures (cont)

• Dave signs the blinded message as he would any
  other message
• S Bd mod n
• S 17253 mod 629
• S 168
• Dave sends the signed blinded message, S, to
  Carol

11
Blind Signatures (cont)

• Carol unblinds the signed blinded message by
  multiplying it by bs multiplicative inverse
  modulo n
• In our example, b 5, so b-1 126 since
• (126 ? 5) mod 629 1
• Carol computes
• S (S ? b-1) mod n
• S (168 ? 126) mod 629
• S 411
• Note that the resulting digital signature, S
  411, is identical to the one that would be
  produced by Dave signing m 250 with his private
  key!

12
Properties of Blind Signatures

• Validity as with normal digital signatures
• Anyone can use Daves public key to verify his
  signature on the document is valid
• Daves signature still cannot be forged or moved
  to another document, and Dave cannot repudiate
  his signature
• Unlinkability unlike normal digital signatures
• Dave cannot subsequently link the unblinded
  signed document to the blind document that he
  signed

13
Unlinkability of Blind Signatures

• Suppose
• Carol gives Dave two blinded documents to sign
• Dave signs them, returns them to Carol, and keeps
  copies of the two blind documents
• Carol unblinds them and gives Dave copies of the
  two unblinded documents bearing his signature
• Then
• Dave will not be able to determine which
  unblinded document corresponds to which blinded
  document

14
Example of Unlinkability

• Carol gives Dave two blinded documents to sign
• B1 542, B2 492
• Dave signs them, returns them to Carol, and keeps
  copies of the two blind documents
• Carol unblinds them and gives Dave copies of the
  two unblinded documents bearing his signature
• S1 217, S2 121
• Dave can verify his signature and learn the
  contents of the documents he signed
• m1 217413 mod 629 200, m2 121413 mod 629
  100
• Dave cannot link an unblinded document to the
  corresponding blind document
• B1 m1 and B2 m2?
• B1 m2 and B2 m1?

15
Example of Unlinkability (cont)

• To link an unblinded document to the
  corresponding blind document
• B1 (542) m1 (200) and B2 (492) m2 (100), or
• B1 (542) m2 (100) and B2 (492) m1 (200)
• Dave must determine the blinding factor used to
  blind each document
• Dave can use exhaustive search to find the
  blinding factors
• b1 409 since (100 409413) mod 629 542
• b2 557 since (200 557413) mod 629 492
• Dave knows that the first blind document he
  signed, B1, was m2 and the second blind document
  was m1
• For large values of n, exhaustive search is not
  feasible and therefore the signatures are
  unlinkable

16
Motivation for Blind Signatures (cont)

• Why would Dave sign a blind document that he
  could not read and create an unlinkable
  signature?
• Recall
• Dave owns a bank
• Carol has an account at Daves bank
• Carol wants to withdraw some digital money
• Carol would like for the digital money to be
• Valid it should be accepted as payment by
  merchants (perhaps after some verification
  procedure)
• Anonymous Dave should not be able to determine
  where Carol spends her money
• Blind signatures allow Dave to create digital
  money that is both valid and anonymous

17
Digital Money Without Blind Sigs

• Carol creates a message containing a serial
  number and a value
• Serial number 603482, Value 10
• Dave signs the message and deducts 10 from
  Carols account
• Carol uses the signed message to pay a merchant
• The merchant uses Daves public key to verify his
  signature
• The merchant redeems the money with Dave for 10
• Good Carols digital money is valid
• Bad Carols digital money is not anonymous
• Dave could keep a record each serial number and
  to whom it was issued
• When a merchant redeems digital money Dave could
  determine to whom that money was issued

18
Digital Money With Blind Signatures

• Carol creates a message containing a serial
  number and a value
• Serial number 603482, Value 10
• Carol blinds the message before giving it to Dave
  to sign
• Dave does not know the blinding factor so he
  cannot see the contents of the message (e.g. the
  serial number)
• Dave signs the message and deducts 10 from
  Carols account
• Carol unblinds the message uses the signed
  message to pay a merchant
• The merchant uses Daves public key to verify his
  signature
• The merchant redeems the money with Dave for 10
• Good Carols digital money is valid
• Good Carols digital money is anonymous

19
Digital Money With Blind Signatures (cont)

• Problem 1 double spending
• Carol uses her digital money to pay one merchant
• The merchant uses Daves public key to verify it
  is valid
• Carol uses the same piece of digital money to pay
  another merchant
• The merchant uses Daves public key to verify it
  is valid
• Twenty dollars worth of digital money has cost
  Carol 10
• Solution merchant must check with Dave and make
  sure the digital money has not already been spent
  before accepting it

20
Digital Money With Blind Signatures (cont)

• Problem 2 fraud
• Carol creates a message worth 1000
• Carol blinds the message before giving it to Dave
  to sign telling him it is worth 10
• Dave does not know the blinding factor so he
  cannot see the contents of the message
• Dave signs the message and deducts 10 from
  Carols account
• 1,000 worth of digital money has cost Carol 10
• Solution Dave needs to be pretty sure of the
  value of the digital money without actually
  seeing it (and the serial number)

21
Digital Money With Blind Signatures (cont)

• Dave requires Carol to create and submit 100
  messages
• m1 Serial number 935076, Value 10
• m2 Serial number 104766, Value 10
• . . .
• m100 Serial number 337147, Value 10
• Carol chooses 100 different blinding factors, b1,
  b2, , b100
• Carol uses the blinding factors to create 100
  blinded messages
• Carol gives all 100 blinded messages to Dave and
  tells him their value (10 each in this case)

22
Digital Money With Blind Signatures (cont)

• Dave chooses 99 of the 100 messages at random to
  challenge
• Dave asks Carol for the corresponding blinding
  factors
• Dave unblinds each of the 99 messages and checks
  to see that each is worth 10
• If all checks succeed Dave signs the one blind
  message he did not challenge and returns it to
  Carol
• Carol unblinds the message
• Carol now has a valid, anonymous piece of digital
  money from Dave

23
Digital Money With Blind Signatures (cont)

• For Carol to get 1,000 worth of digital money
  for 10 she would have to
• Create 99 messages containing the value 10
• Create one message containing the value 1,000
• Hope that the 1,000 message is the one message
  that Dave does not challenge
• Carols chances of succeeding are one in 100
• Dave can lower the odds of fraud by requiring
  1,000 or 1,000,000 messages to be submitted

24
Motivation for Bit Commitment

• Might want to commit to a prediction without
  revealing it
• Chuck and Bills virtual coin flips Scenario 1
• Chuck thinks of a value, either heads or
  tails
• Bill announces his guess
• Chuck tells Bill his value
• Problem Chuck can cheat Bill
• Chuck has not committed to a value - he can
  change it after Bill guesses
• Chuck and Bills virtual coin flips Scenario 2
• Bill thinks of his guess
• Chuck thinks of a value and announces it to Bill
• Bill tells Chuck his guess
• Problem Bill can cheat Chuck
• Chuck had to reveal his value in order to commit
  to it

25
Motivation for Bit Commitment (cont)

• Chuck and Bills virtual coin flips Scenario 3
• Chuck chooses a value, writes it on a piece of
  paper, seals it in an envelope, and hands the
  envelope to Bill
• Bill announces his guess
• Bill opens the envelope and both learn whether
  Bill was right
• Good neither can cheat
• Fairness requirements
• Chuck must commit to his value in such a way
  that
• Chuck cannot subsequently change the value
• Bill does not learn Chucks value until after
  Bill has guessed

26
Bit Commitment

• Bit commitment allows someone to commit to a
  prediction without revealing it
• Bit commitment has two phases
• Commitment phase one party commits to a
  prediction in such a way that it cannot be
  subsequently changed
• Verification phase the second party learns the
  first partys prediction
• Cheating is impossible if
• The prediction cannot be changed after the
  commitment phase
• The prediction is not revealed until the
  verification phase

27
Bit Commitment Using a Symmetric-Key Cryptosystem

• Commitment phase
• Chuck chooses a random key, k, and encrypts his
  prediction
• M Encrypt(p,k)
• Chuck gives a copy of M to Bill
• Problem easy for Chuck to change prediction by
  finding M such that
• Decrypt(M, k1) 0, and
• Decrypt(M, k2) 1
• Solution
• Bill send a random string of bits, R, to Chuck
• Chuck concatenates his prediction to R and then
  encrypts
• M Encrypt(Rp, k)

28
Bit Commitment Using a Symmetric-Key Cryptosystem

• Commitment phase
• Bill send a random string of bits, R, to Chuck
• Chuck concatenates his prediction to R and then
  encrypts
• M Encrypt(Rp, k)
• Chuck gives a copy of M to Bill
• Verification phase
• Chuck sends k to Bill
• Bill decrypts M, checks R, and learns p
• Decrypt (M, k)

29
Bit Commitment Using a Symmetric-Key Cryptosystem

• Neither can cheat
• The prediction cannot be changed after the
  commitment phase
• A good cryptosystem will not allow Chuck to
  create an M such that
• Decrypt(Rp1,k1) M
• Decrypt(Rp2,k2) M
• The prediction is not revealed until the
  verification phase
• Bill does not know the key Chuck chose and connot
  read M without it

30
Bit Commitment Using a One-Way Hash Function

• Commitment phase
• Chuck creates two random strings of bits, R1 and
  R2
• Chuck concatenates R1, R2, and his prediction, p,
  and sends the result through the one-way hash
  function, H
• h H(R1R2p)
• Chuck sends h and R1 to Bill
• Verification phase
• Chuck sends R2 and p to Bill
• Bill computes the hash
• h H(R1R2p)
• Bill verifies that h h

31
Bit Commitment Using a One-Way Hash Function

• Neither can cheat
• The prediction cannot be changed after the
  commitment phase
• A good one-way hash function will not allow Chuck
  to create an R1, R2, and p such that there is a
  collision
• H(R1R2p1) h
• H(R1R3p2) h
• The prediction is not revealed until the
  verification phase
• Since the hash function is one-way, Bill cannot
  deduce p from h and R1

32
Cryptographic Protocols

• A protocol is an agreed-upon sequence of actions
  performed by two or more principals
• Cryptographic protocols make use of cryptography
  to accomplish some task securely
• Example
• How can Alice and Bob agree on a session key to
  protect a conversation?
• Answer use a key-exchange cryptographic protocol

33
Key Exchange with Symmetric Cryptography

• Assume Alice and Bob each share a key with a Key
  Distribution Center (KDC)
• KA is the key shared by Alice and the KDC
• KB is the key shared by Bob and the KDC
• To agree on a session key
• Alice contacts the KDC and requests a session key
  for Bob and her
• The KDC generates a random session key, encrypts
  it with both KA and KB, and sends the results to
  Alice

34
Key Exchange with Symmetric Cryptography (cont)

• Agreeing on a session key (cont)
• Alice decrypts the part of the message encrypted
  with KA and learns the session key
• Alice sends the part of the message encrypted
  with KB to Bob
• Bob receives Alices message, decrypts it, and
  learns the session key
• Alice and Bob communicate securely using the
  session key

35
Key Exchange with Symmetric Cryptography (cont)

• The key-exchange protocol
• A gt KDC (A,B)
• KDC gt A (E(KAB,KA), E(KAB,KB))
• A gt B (E(KAB,KB))

36
Key Exchange with Symmetric Cryptography (cont)

• Issues
• Security depends on secrecy of KA and KB
• KDC must be secure and trusted by both Alice and
  Bob
• KA and KB should be used sparingly
• The use of a new session key for each
  conversation limits the chances/value of
  compromising a session key

37
Attacking the Protocol

• Alice and Bob set up a secure session protected
  by KAB
• An intruder, Mallory, watches them do this and
  stores the KDCs message to Alice and all the
  subsequent messages between Alice Bob encrypted
  with KAB
• Mallory cryptanalyzes the session between Alice
  and Bob and eventually recovers KAB
• The next time Alice and Bob want to talk Mallory
  intercepts the KDCs reply and replays the old
  message containing KAB
• Alice and Bob conduct a secure conversation
  which is protected by KAB which is known to
  Mallory

38
Attacking the Protocol (cont)

• A gt KDC (A,B)
• KDC gt A (E(KAB,KA), E(KAB,KB))
• A gt B (E(KAB,KB))
• // Alice and Bob encrypt their messages using KAB
• // Mallory recovers KAB by analyzing Alice and
  Bobs session
• A gt KDC (A,B)
• KDC gt A (E(KAB,KA), E(KAB,KB))
• // Mallory intercepts the above message and
  replaces it
• M gt A (E(KAB,KA), E(KAB,KB))
• A gt B (E(KAB,KB))
• // Mallory reads all traffic session between
  Alice and Bob

39
What Went Wrong?

• Alice and Bob need to be able to distinguish
  between a current (or fresh) response from the
  KDC and an old one
• Solutions
• Alice and Bob could keep track of all
  previously-used session keys and never accept an
  old session key
• KDC could include freshness information in its
  messages
• Timestamps
• Nonces

40
Using Timestamps to Establish Freshness

• A gt KDC (A,B)
• KDC gt A (E((KAB,TKDC),KA), E((KAB,TKDC),KB))
• A gt B (E((KAB,TKDC),KB))
• Where TKDC is a timestamp from the KDCs clock
  and
• Alice and Bobs clocks are both synchronized with
  the KDCs
• Alice and Bob both check the KDCs message to
  make sure it was generated recently

41
Using Nonces to Establish Freshness

• A nonce is a randomly-generated value that
• Is never reused
• Can be used to prove the freshness of a message
• A gt KDC (A,B,NA)
• B gt KDC (A,B, NB)
• KDC gt A (E((KAB,NA),KA))
• KDC gt B (E((KAB,NB),KB))

42
Key-Exchange with Public-Key Cryptography

• Alice learns Bobs public key (by either asking
  Bob or some third party)
• Alice generates a random session key, KAB
• Alice encrypts the session key with Bobs public
  key
• Alice sends Encrypt(KAB,BPublic) to Bob
• Bob receives Alices message and decrypts it with
  his private key
• Alice and Bob encrypt their subsequent
  communications with KAB

43
Attacking the Protocol

• Recall the man-in-the-middle attack
• If Mallory can trick Alice into thinking that
  MPublic is Bobs public key
• Mallory can decrypt Alices first message to Bob
• Encrypt(KAB,MPublic)
• Mallory learns the proposed session key KAB
• Mallory can send Bob Encrypt(KAB,BPublic)
• Alice and Bob will encrypt their subsequent
  communications with KAB thinking that it is
  secure
• This is a very serious problem because its often
  difficult to be sure you know somebodys public
  key

44
The Interlock Protocol

• Combating the man-in-the-middle attack
• Alice and Bob exchange public keys
• Alice encrypts her message using Bobs public
  key. Alice sends half the encrypted message to
  Bob (e.g. every other bit)
• Bob encrypts his message using Alices public
  key. Bob sends half the encrypted message to
  Alice (e.g. every other bit)
• Alice sends the other half of her encrypted
  message to Bob. Bob puts the two halves together
  and decrypts them using his private key
• Bob sends the other half of his encrypted message
  to Alice. Alice puts the two halves together and
  decrypts them using her private key

45
The Interlock Prot. (cont)

• Foiling the man-in-the-middle
• Assume Mallory can trick Alice into using MPublic
  instead of BPublic
• When Mallory receives the first half of Alices
  message she wont be able to decrypt it and
  re-encrypt it with BPublic
• Mallory must invent a completely new message,
  encrypt it and send half of it to Bob
• When the second half of Alices message arrives,
  Mallory can put the two halves together, decrypt,
  and learn what Alices original message was
• However, Mallory has already committed to the
  first half of the message and it is too late to
  change
• Therefore, Bob will not get the message Alice
  sent, and Alice and Bob will probably be able to
  figure out that there is an intruder between them

46
Authentication

• Authentication is the process of proving your
  identity to someone else
• One-way
• Two-way
• Authentication protocols are often designed using
  a challenge and response mechanism
• Authenticator creates a random challenge
• Authenticatee proves identity by replying with
  the appropriate response

47
One-way Authentication Using Symmetric-Key
Cryptography

• Assume that Alice and Bob share a secret
  symmetric key, KAB
• One-way authentication protocol
• Alice creates a nonce, NA, and sends it to Bob as
  a challenge
• Bob encrypts Alices nonce with their secret key
  and returns the result, Encrypt(NA, KAB), to
  Alice
• Alice can decrypt Bobs response and verify that
  the result is her nonce
• A gt B(NA)
• B gt A(Encrypt(NA, KAB))

48
One-way Authentication Using Symmetric-Key
Cryptography

• Problem an adversary, Mallory, might be able to
  impersonate Bob to Alice
• Alice sends challenge to Bob (intercepted by
  Mallory)
• Mallory does not know KAB and thus cannot create
  the appropriate response
• Mallory may be able to trick Bob (or Alice) into
  creating the appropriate response for her
• A gt M(NA)
• M gt B(NN)
• B gt M(Encrypt(NA, KAB))
• M gt A(Encrypt(NA, KAB))

49
One-way Authentication Using Public-Key
Cryptography

• Alice sends a nonce to Bob as a challenge
• Bob replies by encrypting the nonce with his
  private key
• Alice decrypts the response using Bobs public
  key and verify that the result is her nonce
• A gt B(NA)
• B gt A(Encrypt(NA, BPrivate))
• Encrypting any message that someone sends as an
  authentication challenge might not be a good idea

50
One-way Authentication Using Public-Key
Cryptography

• Another challenge-and-response authentication
  protocol
• Alice performs a computation based on some random
  numbers (chosen by Alice) and her private key and
  sends the result to Bob
• Bob sends Alice a random number (chosen by Bob)
• Alice makes some computation based on her private
  key, her random numbers, and the random number
  received from Bob and sends the result to Bob
• Bob performs some computations on the various
  numbers and Alices public key to verify that
  Alice knows her private key
• Advantage Alice never encrypts a message chosen
  by someone else

51
Authentication and Key-Exchange Protocols

• Combine authentication and key-exchange
• Assume Carla and Diane are on opposite ends of a
  network and want to talk securely
• Want to agree on a new session key securely
• Want to each be sure that they are talking to the
  other and not an intruder
• Wide-Mouth Frog
• Assumes a trusted third-party, Sam, who shares a
  secret keys, KC and KD, respectively, with Carla
  and Diane

52
Authentication and Key-Exchange Protocols

• Wide-Mouth Frog
• C gt S(C,Encrypt((D,KCD,TC),KCS))
• S gt D(Encrypt((C, KCD, TS), KDS))
• Observations
• Reliance on synchronized clocks to generate
  timestamps
• Depends on a third-party that both participants
  trust
• Initiator is trusted to generate good session keys

53
Authentication and Key-Exchange Protocols

• Yahalom
• C gt D (C,NC)
• D gt S (D,Encrypt((C,NC,ND),KD))
• S gt C (Encrypt((D,KCD,NC,ND),KC),Encrypt((C,KCD)
  ,KD))
• C gt D (Encrypt((C,KCD),KD),Encrypt(ND,KCD))
• Note Diane is the first one to contact Sam who
  only sends one message to Carla

54
Authentication and Key-Exchange Protocols

• Denning and Sacco (public-key)
• Carla sends a message to Sam including her name
  and Dianes name
• Sam replies with signed copies of both Carla and
  Dianes public key
• C gt S(C,D)
• S gt C(Encrypt((C,CPublic,TS),SPriavte),Encrypt
  ((D,DPublic,TS),SPriavte))
• C gt D(Encrypt((C,CPublic,TS),SPriavte),Encrypt
  ((D,DPublic,TS),SPriavte))
• Carla generates the session key, KCD, and signed
  a message containing it and a timestamp with her
  private key
• C gt D(Encrypt(Encrypt((KCD,TC),CPrivate),DPubl
  ic))

55
Authentication and Key-Exchange Protocols

• A weakness of the Denning and Sacco protocol
• Harry can trick Diane into thinking that she is
  communicating with Carla when she is really
  communicating with Harry
• Harry establishes a session key, KCH, with Carla
• C gt H(Encrypt(Encrypt((KCH,TC),CPrivate),HPubl
  ic))
• Harry decrypts Carlas message and learns KCH
• Harry encrypts Carlas signed message with
  Dianes public key, and sends the result to Diane
  claiming to be Carla
• H gt D(Encrypt(Encrypt((KCH,TC),CPrivate),DPubl
  ic))
• Diane will decrypt the message, check the
  signature and timestamp, and believe that she is
  talking to Carla with KCH as the session key

56
Authentication and Key-Exchange Protocols

• Fixing the Denning and Sacco protocol
• Add the other partys name to the key exchange
  message
• C gt D(Encrypt(Encrypt((D,KCD,TC),CPrivate),DPubl
  ic))

57
Motivation for Zero Knowledge Proofs

• Many challenge and response authentication
  protocols
• Prove identity by demonstrating knowledge of a
  certain piece of information (e.g. a password)
• Bob authenticates Alice based on her knowledge of
  a secret, S
• Only Alice knows the secret, S
• This person knows
• Therefore, this person is Alice
• Drawbacks
• Requires Alice to disclose S to Bob
• Bob may subsequently be able to impersonate Alice

58
Zero-Knowledge Proofs

• Alice can perform a zero-knowledge proof so that
• Bob can verify that Alice knows the secret
• Bob does not gain any information about the
  secret
• Overview
• Bob will ask Alice a series of questions
• For each question
• If Alice knows the secret she will have a 100
  chance of answering correctly
• If Alice does not know the secret she will have a
  50 chance of answering correctly
• If Alice answers many questions in row correctly
  chances are good that she knows the secret
• None of the questions or answers give Bob any
  information about Alices secret

59
Zero-Knowledge Proofs (cont)

• Bob asks Alice up to n questions
• If Alice ever answers incorrectly, Bob stops and
  knows Alice does not know S
• If Alice always answers correctly, she probably
  knows S
• How many questions should Bob ask?
• n 1
• Efficient but chance of getting fooled
• Alices odds of guessing right once are 1 in 2
• n 10
• Less efficient, less chance of getting fooled
• Alices odds of guessing right ten times are 1 in
  210 (1,000)
• n 20
• Much less efficient, little chance of getting
  fooled
• Alices odds of guessing right twenty times are 1
  in 220 (1,000,000)

60
The Zero-Knowledge Cave

• A cave with a single entrance
• The entry passage forks into left and right
  passages
• The two passages eventually meet each other
• A door has been built where they join
• The only way to open the door is to say the
  magic words

61
The Zero-Knowledge Cave (cont)

62
The Zero-Knowledge Cave (cont)

• Alice can prove to Bob that she knows the magic
  words
• Alice need not reveal the magic words to Bob
• Alice and Bob stand at the entrance to the cave
• Alice walks all the way into the cave until she
  is standing at the door
• Bob walks into the cave and to the fork
• Bob does not know whether Alice chose to take the
  left or the right passage to the door
• Bob chooses at random to ask Alice to come out of
  either the passage to Bobs right or the one to
  his left
• Alice exits from the appropriate passage (using
  the magic words if necessary)

63
The Zero-Knowledge Cave

• There are four possiblities
• (1) Alice enters the left passage and Bob asks
  her to come out the left
• Alice does not need to pass through the door
• (2) Alice enters the left passage and Bob asks
  her to come out the right
• Alice must say the magic words to pass through
  the door
• (3) Alice enters the right passage and Bob asks
  her to come out the left
• Alice must say the magic words to pass through
  the door
• (4) Alice enters the right passage and Bob asks
  her to come out the right
• Alice does not need to pass through the door
• If Alice knows the magic words she can come out
  of the proper passage 100 of the time
• If Alice does not know the magic words she can
  come out of the proper passage 50 of the time

64
The Zero-Knowledge Cave (cont)

• No matter how many times this protocol is run Bob
  learns nothing about Alices secret
• If Alice is able to complete 20 successful exits
  from the cave then either
• (1) Bobs requests were not random (Alice was
  able to predict them)
• (2) There was no barrier in the cave
• (3) Alice guessed correctly 20 times in a row (1
  in 1,000,000)
• (4) Alice knew the secret
• So when performing a zero-knowledge proof, Bob
  should try to make sure neither (1) nor (2) hold

65
Mathematical Background - Graph Isomorphism

• A graph is a set of verteces and the edges that
  connect them
• If two graphs are identical except for the names
  given to verteces they are called isomorphic

66
Graph Isomorphism

• Graphs (I) and (II) are isomorphic

I II A G B C C H D I E E F A G D H F I B
(I)
(II)
67
Graph Isomorphism (cont)

• Graphs (II) and (III) are isomorphic
• Are graphs (I) and (III) isomorphic?

II III A I B F C B D E E D F H G C H A I G
68
Graph Isomorphism (cont)

• Graphs (I) and (III) must be isomorphic because
  graph isomorphism is transitive
• Can find the isomorphism by mapping from (I) to
  (II) to (III)

I II A G B C C H D I E E F A G D H F I B
II III A I B F C B D E E D F H G C H A I G
I III A C B B C A D G E D F I G E H H I F
69
Graph Isomorphism is a Hard Problem

• In general, determining whether two graphs are
  isomorphic is a difficult problem
• Best-known algorithm runs in time exponential to
  the number of verteces
• As the number of verteces gets large, finding an
  answer is intractable
• A claimed isomorphism between two graphs can be
  checked in polynomial time
• As the number of verteces gets large, verifying
  an answer is tractable

70
A Zero-Knowledge Proof Using Graph Isomorphism

• Alice creates two graphs, G1 and G2, which are
  isomorphic to each other
• Randomly create G1
• Randomly permute the verteces of G1 to create G2
• Save the permutation of G1s verteces used to
  produce G2
• It is the isomorphism between the two
• Alice can use a zero-knowledge proof to convince
  Bob that she knows the isomorphism without
  revealing it

71
Zero-Knowledge Proof Using Graph Isomorphism

• Alice randomly permutes G1 to produce another
  graph, H, which is isomorphic to both G1 and G2
• Alice knows the isomorphism between G1 and G2
• Alice knows the isomorphism between G1 and H
• Alice knows the isomorphism between G2 and H (by
  transativity)
• For anybody who does not know the isomorphism
  between G1 and G2
• Finding the isomorphism between G1 and G2 is
  hard
• Finding the isomorphism between G1 and H is as
  hard as finding the isomorphism between G1 and G2
• Finding the isomorphism between G2 and H is as
  hard as finding the isomorphism between G1 and G2

72
Zero-Knowledge Proof Using Graph Isomorphism

• Alice and Bob repeat the following protocol until
  Bob is satisfied
• Alice randomly permutes G1 to produce another
  graph, H
• Alice sends H to Bob
• Bob asks Alice either to
• Prove that H and G1 are isomorphic, or
• Prove that H and G2 are isomorphic
• Alice complies (without providing the other
  isomorphism)
• Bob verifies whether or not Alices answer is
  correct

73
Zero-Knowledge Proof Using Graph Isomorphism

• Without knowing the isomorphism between G1 and G2
  Alice cannot create a graph H for which she knows
  the isomorphism to both G1 and G2
• Otherwise she would know the isomorphism between
  G1 and G2 by transitivity
• In each round Alices must choose
• Permute G1 to produce a graph, H1, for which she
  knows the isomorphism to G1 (but not G2), or
• Permute G2 to produce a graph, H2, for which she
  knows the isomorphism to G2 (but not G1)

74
Zero-Knowledge Proof Using Graph Isomorphism

• Alice only sends one graph to Bob in each round
• Four possibilities each round
• Alice sends H1 and Bob asks for (H1,G1) Alice
  will be able to answer
• Alice sends H1 and Bob asks for (H1,G2) Alice
  will not be able to answer
• Alice sends H2 and Bob asks for (H2,G1) Alice
  will not be able to answer
• Alice sends H2 and Bob asks for (H2,G2) Alice
  will be able to answer
• Results
• Alice has a 50 chance in each round of answering
  correctly whether or not she knows the
  isomorphism between G1 and G2
• Each round Bob learns the isomorphism between a
  random graph and either G1 or G2

75
Zero-Knowledge Proof Using Graph Isomorphism

• If Alice is able to answer correctly 20 times in
  a row
• Bobs requests were not random
• Alice was able to predict them and generate H
  accordingly
• (2) Graph isomorphism is not a hard problem
• (3) Alice guessed correctly 20 times in a row
• (4) Alice knew the secret

76
Problem With Zero-Knowledge Proofs

• Remember the man-in-the-middle attack?
• Carol is going to prove to Bob that she knows the
  isomorphism between G1 and G2 (even though she
  doesnt)
• Carol asks Alice to prove she knows the
  isomorphism
• Alice generates a graph, H, and sends it to Carol
• Carol contacts Bob and says shes ready to start
  the proof she sends H to Bob
• Bob chooses either G1 or G2 and asks Carol for
  the isomorphism
• Carol asks Alice the same question
• Alice answers Carol
• Carol repeats the answer to Bob
• Results
• Carol will answer Bob correctly in every round
• Bob will believe that Carol knows the isomorphism
• Carol does not know the isomorphism

77
Summary

• Beyond basic cryptography
• Secret splitting - divide a message into n
  pieces, such that all n pieces must be combined
  to recover the message
• Blind signatures produce an unlinkable digital
  signature
• Bit commitment allows a user to commit to a
  prediction without revealing it
• Cryptographic protocols make use of cryptography
  to accomplish some task securely
• Authentication
• Key-exchange
• Zero-knowledge proofs allows a person to prove
  that he knows a secret without revealing it