SECURITY and CRYPTOGRAPHY 15-827
18-SEP-01 Lecture #2
M.B. 4615 Wean

HANDOUT: "Iris Recognition" by John Daugman, American Scientist, pp 326-333 (July-August 2001).
HANDOUT: Newspaper article on the Comanche Code, South China Morning Post, Features Section, pp 1-3 (Sat 9 June 2001).

RECALL:
My name: Manuel Blum, mblum@cs, W: 268-3742, cell: 510 469-8730, office = WEAN 4113.
Your TA: Nick Hopper, hopper@cs, W: 268-2993, office = WEAN 8303.

Assigned homework will always be due on the Tuesday following, before class begins. For example, any homework I assign today or this Thursday 20 Sept will be due on the morning of Tuesday 25 Sept.

I WOULD LIKE THIS CLASS TO PUBLISH AN ORIGINAL RESEARCH PAPER IN A COMPLETELY NEW FIELD OF CRYPTOGRAPHY. As much as I would like to base your grade on the extent to which you help me in this enterprise, ... grades will actually be determined by HW (10%), 2 midterm exams (20% each), and a final exam (50%).

The HumanOID Problem:
Informal version: How can a naked person in a glass house authenticate himself?
More formal version: Give a procedure for giving people individualized challenge-response algorithms (more generally, protocols) such that any "reasonably intelligent" 6 to 60 year old can "easily" perform the algorithm entirely in his head, but such that an eavesdropper with a powerful computer and a source of previously eavesdropped challenge-response pairs cannot correctly respond to any new challenge.

The PhonOID Problem: Same as HumanOID, except that the challenge-response exchange is done over the phone.

For HW#1, you were asked to come up with 2 challenge-response pairs. What did you come up with? Let's hear the suggestions. Let's comment on them. What are the good features? What are the bad ones?

1. Can a person make up a page of questions whose answers they alone are likely to know? Good sources of questions: family relationships, early memories.
My 84 year old mother remembers the names of her 8 siblings (6 boys and 2 girls), and the names of her mother's 10 siblings (5 boys and 5 girls). Spelling is a problem: for authentication, she may have to choose and fix a spelling.

2. Can anyone and everyone come up with a rich source of challenges to which he alone can respond? (For me, I would take simple sentences and respond in Gwong dung wa, Yale notation.)

3. MUCH HARDER PROBLEM: Can a person use his personal info as a seed in an algorithm to generate a virtually infinite number of challenge-response pairs? As usual, it must be easy for a person to respond to any challenge, doing all computations in his head. It must be hard for an eavesdropper with a computer to respond to any new challenge. It is just as important to try to prove that this is NOT possible as to prove that it IS possible. How?

A fundamental reason this appears to be hard is this: unlike computers, which can give each other their algorithms, the algorithms that humans learn are learned from observation. If a human is to learn a secret protocol for responding to a challenge, what's to keep eavesdroppers from learning, from observation of challenge-response pairs, how to respond to challenges?

BIRTHDAY PARADOX
QUESTION: In a world with n days per year, how many people should one invite to a party so that there is a roughly 50% chance that at least 2 people have the same birthday?
ANSWER: (1.2)*sqrt(n)

COUPON COLLECTOR'S PROBLEM
QUESTION: A cereal box contains one of n coupons, each coupon chosen uniformly at random (i.e. each coupon is equally likely to appear in a box). How many cereal boxes should one expect to buy in order to get all n coupons?
ANSWER: approximately n*(lg n).
QUESTION: What base? Think of the boxes as balls thrown at random into n cells, one cell per coupon; a cell that stays empty is a coupon you still lack.
  n/e empty cells (expected) when you throw n balls into n cells.
  n/e^2 empty cells when you throw 2n balls into n cells.
  n/e^(ln n) = 1 empty cell when you throw (ln n)*n balls: for n = 10, (ln n)*n = 23.
  n/e^(ln 2n) = 1/2 empty cell when you throw (ln 2n)*n balls: for n = 10, (ln 2n)*n = 30.
So the base is e: the logarithm is the natural one.

ZERO-KNOWLEDGE
* Early attempts at 0-knowledge proofs of knowledge that one knows how to find the root of a cubic or quartic polynomial.
* A 0-knowledge proof that two graphs G1, G2 are isomorphic.
* An (almost but not quite) 0-knowledge proof that I have an efficient method for distinguishing G1 from G2.
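Exact numbers beside the rules of thumb in the birthday paradox, balls-in-cells and coupon collector questions above. This is an added example, not from the lecture notes; beyond what the notes state, it also computes the exact coupon-collector expectation n*H_n (the harmonic-number form), which the n*ln n rule of thumb approximates from below, and the n = 10 and n = 365 rows it prints are constructed sample inputs.

```python
"""Birthday bound, balls-in-cells and coupon collector: exact values beside
the lecture's rules of thumb. Added example, not from the notes."""
import math


def birthday_collision_prob(n, k):
    """P(at least two of k people share a birthday) in an n-day year."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n - i) / n      # i-th person avoids the i birthdays already taken
    return 1.0 - p_distinct


def birthday_threshold(n):
    """Smallest party size with at least a 50% chance of a shared birthday."""
    k = 1
    while birthday_collision_prob(n, k) < 0.5:
        k += 1
    return k


def expected_empty_cells(n, m):
    """Throw m balls uniformly into n cells: each cell stays empty with prob (1-1/n)^m."""
    return n * (1.0 - 1.0 / n) ** m


def coupon_collector_exact(n):
    """Expected boxes to collect all n coupons: sum over i of n/(n-i), i.e. n*H_n.

    After i distinct coupons are in hand, each box is new with prob (n-i)/n,
    so the wait for the next new coupon is geometric with mean n/(n-i).
    """
    return sum(n / (n - i) for i in range(n))


def compare(n):
    """Rule of thumb next to the exact value for one n, as a dict."""
    return {
        "birthday_rule": 1.2 * math.sqrt(n),
        "birthday_exact": birthday_threshold(n),
        "empty_after_n": expected_empty_cells(n, n),                              # ~ n/e
        "empty_after_2n": expected_empty_cells(n, 2 * n),                         # ~ n/e^2
        "empty_after_n_ln_n": expected_empty_cells(n, round(n * math.log(n))),    # ~ 1
        "empty_after_n_ln_2n": expected_empty_cells(n, round(n * math.log(2 * n))),  # ~ 1/2
        "coupon_rule": n * math.log(n),
        "coupon_exact": coupon_collector_exact(n),
    }


if __name__ == "__main__":
    for n in (10, 365):   # constructed sample inputs
        for key, value in compare(n).items():
            print(f"n={n:4d} {key:22s} {value:10.2f}")
```

For n = 365 the exact threshold is 23 people against the rule's 22.9; for n = 10 the gap is wider (5 people against 3.8), which is the usual warning that these asymptotic estimates are loose for small n.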
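The second bullet names the classic zero-knowledge proof that two graphs are isomorphic (the Goldreich-Micali-Wigderson protocol). The following is an added simulation of that protocol, not code from the notes: the prover, who knows pi with G2 = pi(G1), sends H = sigma(G1) for a fresh random sigma; the verifier asks for an isomorphism from either G1 or G2 to H; the honest prover answers with sigma or with sigma composed with pi^-1. A prover who knows no isomorphism can only prepare for the graph it guessed in advance, so each round catches it with probability 1/2. The 5-cycle, the permutation PI, the non-isomorphic graph G3 and the seeds are constructed sample data.

```python
"""Zero-knowledge proof that two graphs are isomorphic (the
Goldreich-Micali-Wigderson protocol), with prover and verifier simulated
in one process. Added example for the lecture notes; the graphs and
permutations are constructed sample data."""
import random


# A graph on vertices 0..n-1 is a frozenset of edges; each edge is a frozenset {u, v}.
def graph(edges):
    return frozenset(frozenset(e) for e in edges)


def apply_perm(perm, g):
    """Relabel every edge {u, v} of g as {perm[u], perm[v]}."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)


def invert(perm):
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def compose(outer, inner):
    """The permutation v -> outer[inner[v]]."""
    return [outer[inner[v]] for v in range(len(inner))]


def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm


class HonestProver:
    """Holds the secret pi with apply_perm(pi, g1) == g2."""

    def __init__(self, g1, g2, pi, rng):
        assert apply_perm(pi, g1) == g2
        self.g1, self.g2, self.pi, self.rng = g1, g2, pi, rng

    def commit(self):
        # A fresh random relabelling every round: H alone says nothing about pi.
        self.sigma = random_perm(len(self.pi), self.rng)
        return apply_perm(self.sigma, self.g1)      # H = sigma(G1)

    def respond(self, b):
        if b == 1:
            return self.sigma                        # sigma maps G1 to H
        # H = sigma(G1) = sigma(pi^-1(G2)), so sigma o pi^-1 maps G2 to H
        return compose(self.sigma, invert(self.pi))


class CheatingProver:
    """Knows no isomorphism; can only guess which graph will be asked about."""

    def __init__(self, g1, g2, n, rng):
        self.g1, self.g2, self.n, self.rng = g1, g2, n, rng

    def commit(self):
        self.guess = self.rng.choice((1, 2))
        self.sigma = random_perm(self.n, self.rng)
        return apply_perm(self.sigma, self.g1 if self.guess == 1 else self.g2)

    def respond(self, b):
        return self.sigma                            # valid only when b == self.guess


def verify_round(prover, g1, g2, n, rng):
    """One challenge-response round, seen from the verifier's side."""
    h = prover.commit()
    b = rng.choice((1, 2))
    tau = prover.respond(b)
    base = g1 if b == 1 else g2
    is_perm = sorted(tau) == list(range(n))          # reject malformed responses
    return is_perm and apply_perm(tau, base) == h


def run_protocol(prover, g1, g2, n, rounds, rng):
    """Accept only if every round checks out; a cheater survives with prob 2^-rounds."""
    return all(verify_round(prover, g1, g2, n, rng) for _ in range(rounds))


# Constructed sample data: a 5-cycle, its relabelling by PI, and a non-isomorphic graph.
N = 5
G1 = graph([(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])
PI = [2, 4, 1, 3, 0]
G2 = apply_perm(PI, G1)
G3 = graph([(0, 1), (0, 2), (0, 3), (0, 4), (1, 2)])   # degree sequence differs from G1's


def cheater_success_rate(trials, seed):
    """Fraction of single rounds a cheating prover (claiming G1 ~ G3) gets past."""
    cheater = CheatingProver(G1, G3, N, random.Random(seed))
    verifier_rng = random.Random(seed + 1)
    return sum(verify_round(cheater, G1, G3, N, verifier_rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    honest = HonestProver(G1, G2, PI, random.Random(1))
    print("honest prover, 20 rounds:", run_protocol(honest, G1, G2, N, 20, random.Random(2)))
    cheater = CheatingProver(G1, G3, N, random.Random(3))
    print("cheating prover, 20 rounds:", run_protocol(cheater, G1, G3, N, 20, random.Random(4)))
    print("cheater per-round success rate:", cheater_success_rate(2000, 5))
```

The zero-knowledge property is visible in `commit`: every H is a uniformly random relabelling of G1, and the response for either challenge is itself a uniformly random permutation, so a simulator that picks b first can produce the same transcript distribution without ever knowing pi. Soundness comes only from repetition, which is why `run_protocol` takes a round count.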