Keeping secrets; how to prove a theorem so that no one else can claim it.Keeping Secrets The trouble with sitting down at a computer keyboard to enter a password is that someone may be looking over your shoulder. Because your password could be stolen as you type it in, the computer system isn't completely secure. But if you could somehow provide the computer with information that persuades the computer you know the password without actually giving away the password itself, then you would be on your way to solving the security problem. Furthermore, if no onlooker could reconstruct the password from the information you gave the computer, then no one could break into the system--at least by using a purloined password. The mathematical basis for such a scheme has now been found. It depends on something called a "zero-knowledge' proof. The idea is that a "prover' has found a proof for a theorem and wants to let a "verifier' know that he knows the proof without revealing the proof itself. The verifier can ask a special question that requires the equivalent of a yes or no answer. If the prover really knows the proof, then he can answer the question correctly every time it is asked. If he doesn't know the proof, then the prover has only a 50 percent chance of being right each time. After, say, a dozen tries, the chances of fooling the verifier get very small. Neither the question nor the possible answers give away even a hint of the proof itself--hence, the term zero-knowledge proof In cryptography, a zero-knowledge proof or zero-knowledge protocol is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the veracity of the statement. . The concept of zero-knowledge proofs was first defined last year by Shafi Goldwasser Shafrira Goldwasser (born 1958) is the RSA Professor of electrical engineering and computer science at MIT, and a professor of mathematical sciences at the Weizmann Institute of Science, Israel. Born in New York City, she obtained her B.S. and Silvio Micali Silvio Micali (born October 13 1954) is an Italian-born computer scientist at MIT Computer Science and Artificial Intelligence Laboratory and a professor of computer science in MIT's Department of Electrical Engineering and Computer Science since 1983. of the Massachusetts Institute of Technology Massachusetts Institute of Technology, at Cambridge; coeducational; chartered 1861, opened 1865 in Boston, moved 1916. It has long been recognized as an outstanding technological institute and its Sloan School of Management has notable programs in business, (MIT MIT - Massachusetts Institute of Technology ) and Charles Rackoff Charles W. Rackoff is a noted modern cryptologist. He was born and raised in New York City. Charles attended MIT as both an undergraduate and graduate student, and earned a degree in Computer Science in 1974. He spent a year as a post-doc at INRIA in France. of the University of Toronto Research at the University of Toronto has been responsible for the world's first electronic heart pacemaker, artificial larynx, single-lung transplant, nerve transplant, artificial pancreas, chemical laser, G-suit, the first practical electron microscope, the first cloning of T-cells, . Earlier this year, Micali, MIT's Oded Goldreich Oded Goldreich is a professor of Computer Science at the Faculty of Mathematics and Computer Science of Weizmann Institute of Science, Israel. His research interests lie within the theory of computing. and Avi Wigderson Avi Wigderson is an Israeli mathematician and computer scientist who received the Nevanlinna Prize in 1994 for his work on computational complexity. He was educated at Technion and Princeton. He is a currently a professor at the Institute for Advanced Study. of Hebrew University Hebrew University of Jerusalem, at Mt. Scopus, Givat Ram, Ein Karem, and Rehovot, Israel; coeducational. First proposed in 1882, formally opened 1925. It is the world's largest Jewish university and is noted for its work on the Dead Sea Scrolls. in Jerusalem took a major step forward by showing that such a scheme works for a large class of mathematical theorems. They demonstrated the procedure for a mathematical coloring problem, which involves ensuring that no two points in certain networks of connected points have the same color. Recently, Manuel Blum Manuel Blum (born 26 April 1938 in Caracas, Venezuela) is a computer scientist who received the Turing Award in 1995 "In recognition of his contributions to the foundations of computational complexity theory and its application to cryptography and program checking". of the University of California at Berkeley (body, education) University of California at Berkeley - (UCB) See also Berzerkley, BSD. http://berkeley.edu/. Note to British and Commonwealth readers: that's /berk'lee/, not /bark'lee/ as in British Received Pronunciation. showed how to give an efficient zero-knowledge proof for any mathematical theorem. He refined the earlier work and simplified the overall procedure. Blum described his work at this month's International Congress of Mathematicians The International Congress of Mathematicians (ICM) is the largest congress in the mathematics community. It is held once every four years under the auspices of the International Mathematical Union (IMU). , held in Berkeley. One of the more difficult steps, says Blum, is finding the right question for the verifier to ask. Once this is done, a zero-knowledge scheme can handle any theorem provable within any logic system. All a verifier finds out is that a theorem is provable and that the prover actually knows the proof. And because the prover has to use at least as many words as the proof itself contains, he gives away an upper limit for the proof's length. To show how the scheme works, Blum chose an example from graph theory. Any network of points (or nodes) connected by lines (or edges) is called a graph. In Blum's example, the graph consists of a star-shaped pattern of lines linking 11 points. The prover has found a continuous path along the connecting links that passes only once through each of the 11 points on the graph and returns to where it started. This special type of path is called a Hamiltonian cycle. The prover's aim is to persuade a verifier that such a path is known without giving the verifier the slightest idea of how to construct the path. To do this, the prover privately marks 11 nodes along the circumference of a circle and labels them randomly from one to 11. Then the nodes on the circle are connected in the same way as the points in the original graph. That is, lines would join nodes one and five, two and six, and so on. Now the resulting diagram is covered up by, say, an erasable e·ras·a·ble adj. 1. Capable of being erased: erasable ink. 2. Capable of producing something that can be erased: an erasable pen. opaque film like that used on some lottery or contest tickets. The verifier can ask the prover to uncover the complete graph, which shows that all the points are properly linked, or she can ask to see the Hamiltonian cycle. In the latter case, the prover erases enough of the film to reveal just the lines that make up the cycle. He can do this only if he knows the right path. However, because the nodes are still covered up, the verifier doesn't know the actual path from point to point. All she can verify is that a Hamiltonian cycle exists. This process can be repeated as many times as the verifier wishes. Each time, the prover sets up a new circle diagram, which is then hidden. Because he doesn't know whether the verifier will ask for the graph or the cycle, he has to be ready for either choice and therefore must know the cycle. Failure to produce either the correct graph or the cycle during any turn is equivalent to a wrong answer, and the verifier then knows that either the prover is lying or he doesn't actually have the proof. As outlined, this scheme sounds somewhat cumbersome. But the opaque film used in the example can be replaced by encryption schemes that hide information. Thus, proof checking can be done electronically when the whole procedure is encoded as strings of binary digits. This makes it possible to use this concept for password protocols and in cryptological cryp·tol·o·gy n. The study of cryptanalysis or cryptography. cryp  to·log games like tossing a coin by telephone or exchanging secret keys (SN:9/26/81, p.205). And in the sometimes turbulent world of mathematics research, it gives a wary mathematician a way to claim credit for being the first to find a particular proof without the necessity of giving away the proof's details. All that someone else can find out, until the proof itself is finally revealed, is that a particular theorem is provable. Photo: Deciding whether a particular graph--a network of points and connecting lines-- has a Hamiltonian cycle is often difficult. This involves finding a continuous path along the links that passes only once through each of the graph's points and then returns to where it started. In this example (top and bottom), such a path passes through points in the order: 1, 5, 6, 2, 8, 4, 10, 11, 9, 3, 7 and then back to 1. For a zero-knowledge proof, the star-shaped graph (top) can be redrawn so that all of the points fall on the circumference of an imaginary circle (bottom), yet the connecting lines still join the same points as in the original graph. |
|
||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion