sen-material: handouts/ho06.tex@40511897fcc4 (annotated)

283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	1	\documentclass{article}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	2	\usepackage{../style}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	3
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	4	\begin{document}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	5
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	6	\section*{Handout 6 (Zero-Knowledge Proofs)}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	7
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	8	Zero-knowledge proofs (short ZKP) solve a paradoxical puzzle:
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	9	How to convince somebody else that one knows a secret without,
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	10	revealing what the secret is? This sounds like a problem the
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	11	Mad Hatter from Alice in Wonderland would occupy himself with,
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	12	but actually there some serious and not so serious
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	13	applications of it. For example, if you solve crosswords with
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	14	your friend, say Bob, you might want to convince him that you
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	15	found a solution for one question, but of course you do not
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	16	want to reveal the solution, as this might give Bob an
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	17	advantage somewhere else in the crossword. So how to convince
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	18	Bob that you know the answer (secret)? One way would be to
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	19	come up with the following protocol: suppose the answer is
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	20	\textit{folio}. Then look up the definition of that word in a
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	21	dictionary. Say you find
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	22
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	23	\begin{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	24	``an \textit{individual} leaf of paper or parchment, either
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	25	loose as one of a series or forming part of a bound volume,
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	26	which is numbered on the recto or front side only.''
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	27	\end{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	28
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	29	\noindent
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	30	Take the first non-article word in this definition,
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	31	in this case \textit{individual}, and look up the definition
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	32	of this word, say
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	33
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	34	\begin{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	35	``a single \textit{human} being as distinct from a group''
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	36	\end{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	37
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	38	\noindent
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	39	In this definition take the second non-article word, that
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	40	is \textit{human}, and again look up the definition of this
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	41	word. This will yield
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	42
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	43	\begin{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	44	``relating to \textit{or} characteristic of humankind''
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	45	\end{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	46
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	47	\noindent
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	48	You could now go on to look up the definition of the third
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	49	non-article in this definition and so on. But let us assume
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	50	you agreed with Bob to stop after three iterations with the
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	51	third non-article word in the last definition, that is
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	52	\textbf{or}. Now, instead of sending to Bob the solution
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	53	\textit{folio}, you send to him \textit{or}. How can
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	54	Bob verify that you know the solution? Well, once he solved
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	55	it himself, he can use the dictionary and follow the same
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	56	``trail'' as you did. It the final word agrees with what
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	57	you send him, he must infer you know the solution earlier
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	58	than him. This protocol works like a one-way hash function
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	59	because \textit{or} does not give any hint as to what was
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	60	the first word was. I leave you to think why this
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	61	protocol avoids article words.
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	62
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	63	After Bob found his solution and verified that according to
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	64	the protocol it ``maps'' also to \textit{or}, can he be
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	65	entirely sure no cheating is going on. Not with 100\%
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	66	certainty. It could have been entirely possible that
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	67	he was given \textit{or} as the word but it derived
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	68	from an entirely different word---this seems very unlikely,
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	69	but is at least theoretical a possibility. Protocols
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	70	based on zero-knowledge proofs will produce a similar
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	71	result---they give an answer that might be erroneous
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	72	in a very small number of cases. The point is to itterate
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	73	them long enough so that the theoretical possibility of
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	74	cheating is negligibly small.
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	75
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	76	By the way, the authors of the paper ``Dismantling Megamos
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	77	Crypto: Wirelessly Lockpicking a Vehicle Immobilizer'' who
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	78	were barred from publishing their results used also a hash to
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	79	prove they did the work and (presumably) managed to get into
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	80	cars without a key. See Figure~\ref{paper}. This is very
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	81	similar to the method about crosswords. They like to prove
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	82	that they did the work, but not giving out the ``solution''.
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	83	But this also shows what the problem with such methods
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	84	are: yes, we can hide the secret temporarily, but if
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	85	somebody else wants to verify it, then the secret has
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	86	to be made public. Bob needs to know that \textit{folio}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	87	is the solution before he can verify the claim that somebody
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	88	else had the solution first. Similarly with the paper:
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	89	we need to wait until the authors are finally allowed to
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	90	publish their finding in order to verify the hash. This
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	91	might happen at some point, but equally it might never
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	92	happen (what for example happens if the authors loose
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	93	their copy of the paper because of a disk failure?).
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	94	Zero-knowledge proofs, in contrast, can be immediately
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	95	be checked, even if the secret is not public yet.
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	96
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	97	\begin{figure}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	98	\begin{center}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	99	\fbox{\includegraphics[scale=0.4]{../pics/Dismantling_Megamos_Crypto.png}}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	100	\end{center}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	101	\caption{The authors of this paper used a hash in order to prove
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	102	later that they have managed to break into cars.\label{paper}}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	103	\end{figure}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	104
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	105
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	106	\subsubsection*{ZKP: An Illustrative Example}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	107
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	108	The idea behind zero-knowledge proofs is not very obvious and
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	109	will surely take some time for you to digest. Therefore
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	110	lets start with an illustrative example. The example will
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	111	not be perfect, but hopefully explain the gist of the ideas.
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	112	The example is called Alibaba's cave:
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	113
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	114	\begin{center}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	115	\begin{tabular}{c@{\hspace{8mm}}c@{\hspace{8mm}}c}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	116	\includegraphics[scale=0.1]{../pics/alibaba1.png} &
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	117	\includegraphics[scale=0.1]{../pics/alibaba2.png} &
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	118	\includegraphics[scale=0.1]{../pics/alibaba3.png} \\
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	119	Step 1 & Step 2 & Step 3
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	120	\end{tabular}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	121	\end{center}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	122
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	123	\noindent Lets have a look at the picture in Step 1:
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	124	The cave is a loop where at the end is a magic wand.
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	125	The point of the magic wand is that Alice knows the
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	126	secret word for how to open it. She wants to keep here
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	127	word secret, but wants to convince Bob that she knows it.
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	128
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	129
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	130	\end{document}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	131
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	132	%%% Local Variables:
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	133	%%% mode: latex
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	134	%%% TeX-master: t
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	135	%%% End:

author	Christian Urban <christian dot urban at kcl dot ac dot uk>
	Wed, 05 Nov 2014 12:01:05 +0000
changeset 283	40511897fcc4
child 288	fd4bf1a2d38d
permissions	-rw-r--r--