-
Before we start with the technical
material, I wanna give you a quick
-
overview of what cryptography is about and
the different areas of cryptography. So
-
the core of cryptography of course is
secure communication that essentially
-
consists of two parts. The first is
secured key establishment and then how do
-
we communicate securely once we have a
shared key. We already said that secured
-
key establishment essentially amounts to
Alice and Bob sending messages to one
-
another such that at the end of this
protocol, there's a shared key that they
-
both agree on, shared key K, and beyond
that, beyond just a shared key, in fact
-
Alice would know that she's talking to Bob
and Bob would know that he's talking to
-
Alice. But a poor attacker who listens in
on this conversation has no idea what the
-
shared key is. And we'll see how to do
that later on in the course. Now once they
-
have a shared key, they want exchange
messages securely using this key, and
-
we'll talk about encryption schemes that
allow them to do that in such a way that
-
an attacker can't figure out what messages
are being sent back and forth. And
-
furthermore an attacker cannot even tamper
with this traffic without being detected.
-
In other words, these encryption schemes
provide both confidentiality and
-
integrity. But cryptography does much,
much, much more than just these two
-
things. And I want to give you a few
examples of that. So the first example I
-
want to give you is what's called a
digital signature. So a digital signature,
-
basically, is the analog of the signature
in the physical world. In the physical
-
world, remember when you sign a document,
essentially, you write your signature on
-
that document and your signature is always
the same. You always write the same
-
signature on all documents that you wanna
sign. In the digital world, this can't
-
possibly work because if the attacker just
obtained one signed document from me, he
-
can cut and paste my signature unto some
other document that I might not have
-
wanted to sign. And so, it's simply not
possible in a digital world that my
-
signature is the same for all documents
that I want to sign. So we're gonna talk
-
about how to construct digital signatures
in the second half of the course. It's
-
really quite an interesting primitive and
we'll see exactly how to do it. Just to
-
give you a hint, the way digital
signatures work is basically by making the
-
digital signature via function of the
content being signed. So an attacker who
-
tries to copy my signature from one
document to another is not gonna succeed
-
because the signature. On the new document
is not gonna be the proper function of the
-
data in the new document, and as a result,
the signature won't verify. And as I said,
-
we're gonna see exactly how to construct
digital signatures later on and then we'll
-
prove that those constructions are secure.
Another application of cryptography that I
-
wanted to mention, is anonymous
communication. So, here, imagine user
-
Alice wants to talk to some chat server,
Bob. And, perhaps she wants to talk about
-
a medical condition, and so she wants to
do that anonymously, so that the chat
-
server doesn't actually know who she is.
Well, there's a standard method, called a
-
mixnet, that allows Alice to communicate
over the public internet with Bob through
-
a sequence of proxies such that at the end
of the communication Bob has no idea who he
-
just talked to. The way mixnets work
is basically as Alice sends her messages
-
to Bob through a sequence of proxies,
these messages get encrypted and
-
decrypted appropriately so that Bob has no
idea who he talked to and the proxies
-
themselves don't even know that Alice is
talking to Bob, or that actually who is
-
talking to whom more generally. One
interesting thing about this anonymous
-
communication channel is, this is
bi-directional. In other words, even
-
though Bob has no idea who he's talking
to, he can still respond to Alice and
-
Alice will get those messages. Once we
have anonymous communication, we can build
-
other privacy mechanisms. And I wanna give
you one example which is called anonymous
-
digital cash. Remember that in the
physical world if I have a physical
-
dollar, I can walk into a bookstore and
buy a book and the merchant would have no
-
idea who I am. The question is whether we
can do the exact same thing in the digital
-
world. In the digital world, basically,
Alice might have a digital dollar,
-
a digital dollar coin. And she might wanna
spend that digital dollar at some online
-
merchants, perhaps some online bookstore.
Now, what we'd like to do is make it so
-
that when Alice spends her coin at the
bookstore, the bookstore would have no
-
idea who Alice is. So we provide the same
anonymity that we get from physical cash.
-
Now the problem is that in the digital
world, Alice can take the coin that she
-
had, this one dollar coin, and before she spent
it, she can actually make copies of it.
-
And then all of a sudden instead of just
having just one dollar coin now all
-
of a sudden she has three dollar coins and
they're all the same of course, and
-
there's nothing preventing her from taking
those replicas of a dollar coin and
-
spending it at other merchants. And so the
question is how do we provide anonymous
-
digital cash? But at the same time, also
prevent Alice from double spending the
-
dollar coin at different merchants. In
some sense there's a paradox here where
-
anonymity is in conflict with security
because if we have anonymous cash there's
-
nothing to prevent Alice from double
spending the coin and because the coin is
-
anonymous we have no way of telling who
committed this fraud. And so the question
-
is how do we resolve this tension. And it
turns out, it's completely doable. And
-
we'll talk about anonymous digital cash
later on. Just to give you a hint, I'll
-
say that the way we do it is basically by
making sure that if Alice spends the coin
-
once then no one knows who she is, but if
she spends the coin more than once, all of
-
a sudden, her identity is completely
exposed and then she could be subject to
-
all sorts of legal problems. And so that's
how anonymous digital cash would
-
work at a high level and we'll see how to
implement it later on in the course.
-
Another application of cryptography has to
do with more abstract protocols, but
-
before I speak the general result, I
want to give you two examples. So the
-
first example has to do with election
systems. So here's the election problem.
-
Suppose ... we have two parties, party zero
and party one. And voters vote for these
-
parties. So for example, this voter could
have voted for party zero, this voter voted for
-
party one. And so on. So in this election,
party zero got three votes and party two
-
got two votes. So the winner of the
election, of course, is party zero. But
-
more generally, the winner of the election
is the party who receives the majority of
-
the votes. Now, the voting problem is the
following. The voters would somehow like
-
to compute the majority of the votes, but
do it in such a way such that nothing else
-
is revealed about their individual votes.
Okay? So the question is how to do that?
-
And to do so, we're gonna introduce an
election center who's gonna help us
-
compute the majority, but keep the votes
otherwise secret. And what the parties
-
will do is they will each send the funny
encryption of their votes to the election
-
center in such a way that at the end of
the election, the election center is able
-
to compute and output the winner of the
election. However, other than the winner
-
of the election, nothing else is revealed
about the individual votes. The individual
-
votes otherwise remain completely private.
Of course the election center is also
-
gonna verify that this voter for example
is allowed to vote and that the voter has
-
only voted once. But other than that
information the election center and the
-
rest of the world learned nothing else
about that voter's vote other than the
-
result of the election. So this is an
example of a protocol that involves six
-
parties. In this case, there are five
voters in one election center. These
-
parties compute amongst themselves. And at
the end of the computation, the result of
-
the election is known but nothing else is
revealed about the individual inputs. Now
-
a similar problem comes up in the context
of private auctions. So in a private
-
auction every bidder has his own bid that
he wants to bid. And now suppose the
-
auction mechanism that's being used is
what's called a Vickrey auction where the
-
definition of a Vickrey auction is that
the winner is the highest bidder. But the
-
amounts that the winner pays is actually
the second highest bid. So he pays the
-
second highest bid. Okay, so this is a
standard auction mechanism called the
-
Vickrey auction. And now what we'd like to
do is basically enable the participants to
-
compute, to figure out who the highest
bidder is and how much he's supposed to
-
pay, but other than that, all other
information about the individual bids
-
should remain secret. So for example, the
actual amount that the highest bidder bid
-
should remain secret. The only thing that
should become public is the second highest
-
bid and the identity of the highest
bidder. So again now, the way we will do
-
that is we'll introduce an auction center, and
in a similar way, essentially, everybody
-
will send their encrypted bids to the
auction center. The auction center will
-
compute the identity of the winner and in
fact he will also compute the second
-
highest bid but other than these two
values, nothing else is revealed about the
-
individual bids. Now, this is actually an
example of a much more general problem
-
called secure multi-party computation. Let
me explain what secure multi-party
-
computation is about. So here, basically
abstractly, the participants have a secret
-
inputs to themselves. So, in the case of
an election, the inputs would be the
-
votes. In the case of an auction, the
inputs would be the secret bids. And then
-
what they would like to do is compute some
sort of a function of their inputs.
-
Again, in the case of an election, the
function's a majority. In the case of
-
auction, the function happens to be the
second highest, largest number among x one
-
to x four. And the question is, how can
they do that, such that the value of the
-
function is revealed, but nothing else is
revealed about the individual votes? So
-
let me show you kind of a dumb, insecure
way of doing it. What we do is introduce a
-
trusted party. And then, this trusted
authority basically collects individual
-
inputs. And it kinda promises to keep the
individual inputs secret, so that only it
-
would know what they are. And then, it
publishes the value of the function, to
-
the world. So, the idea is now that the
value of the function became public, but
-
nothing else is revealed about the
individual inputs. But, of course, you got
-
this trusted authority that you got to
trust, and if for some reason it's not
-
trustworthy, then you have a problem. And
so, there's a very central theorem in
-
crypto and it really is quite a
surprising fact. That says that any
-
computation you'd like to do, any function
F you'd like to compute, that you can
-
compute with a trusted authority, you can
also do without a trusted authority.
-
Let me at a high level explain what this
means. Basically, what we're gonna do, is
-
we're gonna get rid of the authority. So
the parties are actually not gonna send
-
their inputs to the authority. And, in
fact, there's no longer going to be an
-
authority in the system. Instead, what the
parties are gonna do, is they're gonna
-
talk to one another using some protocol.
Such that at the end of the protocol all
-
of a sudden the value of the function
becomes known to everybody. And yet
-
nothing other than the value of the
function is revealed. In other words, the
-
individual inputs is still kept secret.
But again there's no authority, there's
-
just a way for them to talk to one another
such that the final output is revealed. So
-
this is a fairly general result, it's kind
of a surprising fact that is at all
-
doable. And in fact it is and towards the
end of the class we'll actually see how to
-
make this happen. Now, there are some
applications of cryptography that I can't
-
classify any other way other than to say
that they are purely magical. Let me give
-
you two examples of that. So the first is
what's called privately outsourcing
-
computation. So I'll give you an example
of a Google search just to illustrate the
-
point. So imagine Alice has a search query
that she wants to issue. It turns out that
-
there are very special encryption schemes
such that Alice can send an encryption of
-
her query to Google. And then because of
the property of the encryption scheme
-
Google can actually compute on the
encrypted values without knowing what the
-
plain texts are. So Google can actually
run its massive search algorithm on the
-
encrypted query and recover in encrypted
results. Okay. Google will send the
-
encrypted results back to Alice. Alice
will decrypt and then she will receive the
-
results. But the magic here is all Google
saw was just encryptions of her queries
-
and nothing else. And so, Google as a
result has no idea what Alice just
-
searched for and nevertheless Alice
actually learned exactly what she
-
wanted to learn. Okay so, these are
magical kind of encryption schemes. They're
-
fairly recent, this is only a new
development from about two or three years
-
ago, that allows us to compute on encrypted
data, even though we don't really know
-
what's inside the encryption. Now, before
you rush off and think about implementing
-
this, I should warn you that this is
really at this point just theoretical, in
-
the sense that running a Google search on
encryption data probably would take a
-
billion years. But nevertheless, just the
fact that this is doable is already really
-
surprising, and is already quite useful
for relatively simple computations. So in
-
fact, we'll see some applications of this
later on. The other magical application I
-
want to show you is what's called zero
knowledge. And in particular, I'll tell
-
you about something called the zero
knowledge proof of knowledge. So here ...
-
what happens is there's a certain
number N, which Alice knows. And the way
-
the number N was constructed is as a
product of two large primes. So, imagine
-
here we have two primes, P and Q. Each one
you can think of it as like 1000 digits.
-
And you probably know that multiplying
two 1000-digit numbers is fairly easy. But if
-
I just give you their product, figuring
out their factorization into primes is
-
actually quite difficult. And, in fact,
we're gonna use the fact that factoring is
-
difficult to build public key cryptosystems
in the second half of the course.
-
Okay, so Alice happens to have this number
N, and she also knows the factorization of
-
N. Now Bob just has the number N. He
doesn't actually know the factorization.
-
Now, the magical fact about the zero
knowledge proof of knowledge, is that
-
Alice can prove to Bob that she knows the
factorization of N. Yes, you can actually
-
give this proof to Bob, that Bob can
check, and become convinced that Alice
-
knows the factorization of N, however Bob
learns nothing at all. About the factors P
-
and Q, and this is provable. Bob
absolutely learns nothing at all about the
-
factors P and Q. And the statement
actually is very, very general. This is
-
not just about proving the factorization
of N. In fact, almost any puzzle that you
-
want to prove that you know an answer to,
you can prove it is your knowledge. So if
-
you have a crossword puzzle that you've
solved. Well, maybe crosswords is not the
-
best example. But if you have like a
Sudoku puzzle, for example, that you want
-
to prove that you've solved, you can prove
it to Bob in a way that Bob would learn
-
nothing at all about the solution, and yet
Bob would be convinced that you really do
-
have a solution to this puzzle. Okay. So
those are kind of magical applications.
-
And so the last thing I want to say is
that modern cryptography is a very
-
rigorous science. And in fact, every
concept we're gonna describe is gonna
-
follow three very rigorous steps, okay,
and we're gonna see these three steps
-
again and again and again so I wanna
explain what they are. So the first thing
-
we're gonna do when we introduce a new
primitive like a digital signature is
-
we're gonna specify precisely what the
threat model is. That is, what can an
-
attacker do to attack a digital signature
and what is his goal in forging
-
signatures? Okay, so we're gonna define
exactly what does it mean for a signature
-
for example to be unforgeable.
Unforgeable. Okay and I'm giving digital
-
signatures just as an example. For every
primitive we describe we're gonna
-
precisely define what the threat model is.
Then we're gonna propose a construction
-
and then we're gonna give a proof that any
attacker that's able to attack the
-
construction under this threat model. That
attacker can also be used to solve some
-
underlying hard problem. And as a result,
if the problem really is hard, that
-
actually proves that no attacker can break
the construction under the threat model.
-
Okay. But these three steps are actually
quite important. In the case of
-
signatures, we'll define what it means for
a signature to be, forgeable, then we'll
-
give a construction, and then for example
we'll say that anyone who can break our
-
construction can then be used to say
factor integers, which is believed to be a
-
hard problem. Okay, so we're going to
follow these three steps throughout, and
-
then you'll see how this actually comes
about. Okay, so this is the end of the
-
segment. And then in the next segment
we'll talk a little bit about the history
-
of cryptography.
