SECURITY and CRYPTOGRAPHY 15-827
4 OCT 01
Lecture #6
M.B.
4615 Wean

What is a PHONOID, intuitively? It is a challenge-response protocol that can be done mentally over the telephone.

Did anyone come up with a PHONOID that they would be willing to show off in class?

Toward a somewhat FORMAL DEFINITION of a PHONOID:

An n-party PROTOCOL is a collection of n instructions, I1,...,In, one for each person, P1,...,Pn respectively.

A CHALLENGE-RESPONSE PROTOCOL is an n=2 party protocol for P1 = CHALLENGER and P2 = RESPONDER. Challenger P1 selects an allowable challenge-response pair at random, and tells the challenge (only) to P2. P2 responds to the challenge. P1 accepts if the response is correct; rejects otherwise. (Consider the pros and cons of allowing more interaction.)

A PHONOID is a challenge-response protocol with the following properties:

1. The protocol says exactly what constitutes a (legitimate, permissible) CHALLENGE. There must be at least 500 distinct challenges. For example, a challenge could be any string of 3 distinct positive digits (in which case there are 9*8*7 = 504 permissible challenges).

2. The protocol says exactly the range of all possible RESPONSES. In addition, every (legitimate) challenge must have exactly one correct response. (What are the pros and cons of allowing up to 10 correct responses to each challenge? Why stop at 10?)

3. The human creator of the protocol can mentally (in his head) generate the correct response to "most" spoken (not necessarily written) challenges in "at most" 10-15 seconds preferably, 15-30 seconds in the "rare" worst case. The challenge need only be heard clearly just once. The error probability is "low."

4. With "high" probability, k=2 randomly chosen challenge-response pairs do not suffice to reduce the number of possible correct responses to a new randomly chosen challenge to at most 1 in 10. (Rudich's protocol #31 fails because the output is just one digit, so the correct response is at most 1 in 10.)
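The two-party mechanics and criteria 1, 2 and 4 above, written out as an added example (this is not code from the lecture). The challenge space is the lecture's own "3 distinct positive digits" example; the one-digit-output family used to illustrate the failure mode in criterion 4 is constructed here and is not Rudich's protocol #31, whose details are not given in the notes. `candidate_responses` is the eavesdropper's brute-force view: which responses to a fresh challenge remain possible after overhearing k pairs, given the public family the secret protocol was drawn from.

```python
import itertools
import random

# Criterion 1, as in the lecture's example: a challenge is any string of
# 3 distinct positive digits, so there are 9*8*7 = 504 of them.
CHALLENGES = ["".join(p) for p in itertools.permutations("123456789", 3)]


def challenge_count():
    return len(CHALLENGES)


def run_round(secret_protocol, responder, rng):
    """One round of the 2-party protocol. P1, who holds the secret protocol,
    picks a random challenge, tells only the challenge to P2, and accepts
    iff P2's answer equals the single correct response (criterion 2)."""
    challenge = rng.choice(CHALLENGES)
    correct = secret_protocol(challenge)
    return responder(challenge) == correct


def candidate_responses(family, overheard, new_challenge):
    """Eavesdropper's view for criterion 4: after overhearing the pairs in
    `overheard`, which responses to `new_challenge` are still possible,
    given the public family of protocols the secret one was drawn from?"""
    consistent = [p for p in family if all(p(c) == r for c, r in overheard)]
    return {p(new_challenge) for p in consistent}


def digit_sum_family():
    """Constructed family (not from the lecture) with a ONE-DIGIT output:
    response = (sum of the challenge's digits + PIN) mod 10, PIN in 0..9.
    Whatever the PIN, the response range has only 10 values, so criterion 4
    cannot hold: a fresh challenge never has more than 10 candidates."""
    return [lambda ch, pin=pin: (sum(map(int, ch)) + pin) % 10
            for pin in range(10)]


def passes_criterion_4(family, secret, rng, k=2):
    """Sample k pairs from the secret protocol (as an eavesdropper would
    overhear them) and report whether more than 10 responses to a fresh
    challenge remain possible."""
    overheard = [(c, secret(c)) for c in rng.sample(CHALLENGES, k)]
    used = {c for c, _ in overheard}
    fresh = rng.choice([c for c in CHALLENGES if c not in used])
    return len(candidate_responses(family, overheard, fresh)) > 10


if __name__ == "__main__":
    rng = random.Random(0)
    family = digit_sum_family()
    secret = rng.choice(family)
    print("challenges:", challenge_count())
    print("honest responder accepted:", run_round(secret, secret, rng))
    print("wrong responder accepted:", run_round(secret, lambda c: -1, rng))
    print("one-digit family passes criterion 4:",
          passes_criterion_4(family, secret, rng))
```

The family with a one-digit output fails criterion 4 before a single pair is overheard: with no information at all, `candidate_responses(digit_sum_family(), [], "456")` already has only 10 members, and one overheard pair fixes the PIN and shrinks it to 1.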
A more precise criterion 4:

4'. The challenge-response protocol is chosen at random from a publicly known finite collection of protocols. To the "eavesdropper," no matter what the (chosen, unknown) protocol, any k=2 chosen challenge-response pairs yield no information whatsoever about the response to a new challenge: all possible responses are equally likely.

An EAVESDROPPER is a person who knows the above general public information, but not the specific privately chosen protocol, and overhears k=2 challenge-response pairs.

EXAMPLE k=1 of 4': The collection of protocols contains exactly 2 protocols (k=1):
1. The constant or "output a PIN" protocol, and
2. The "add a PIN" protocol.
Here, PIN = Personal Identification Number. A single challenge-response pair gives no information whatsoever about which protocol was chosen.

Another EXAMPLE k=1 of 4': The collection of protocols contains exactly 11^2 = 121 protocols, each protocol being of the form:
CHALLENGE = an element 0,1,...,10 of GF(11), the field of integers mod 11 under + and x mod 11.
RESPONSE = (a0 + a1*challenge) (mod 11), for some fixed privately chosen integers a0, a1 in GF(11).

EXAMPLE k=2 of 4': The collection of protocols contains exactly 11^3 = 1331 protocols, each protocol being of the form:
CHALLENGE = an element randomly chosen from GF(11).
RESPONSE = (a0 + a1*challenge + a2*challenge^2) (mod 11), for some fixed integers a0, a1, a2 in GF(11).
Note that the Vandermonde matrix is invertible: ....

General EXAMPLE k of 4': .....

HOMEWORK:
1. Break protocol #67. See Nick Hopper's detailed description of the problem, and exactly how it will be graded, at http://www.cs.cmu.edu/~hopper/cs827-f01/ Better start working on it... NOW!
2. Come up with an original PHONOID. More specifically, come up with 10 original PHONOIDS, but show us only your single "best" one. Be prepared to exhibit your protocol in class on Tue October 9.

OTHER STUFF:
What is Gaussian Elimination?
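The GF(11) polynomial families above, worked through as an added example (not code from the lecture) that also covers the "What is Gaussian Elimination?" question below: the eavesdropper's equations RESPONSE_i = a0 + a1*c_i + ... + ad*c_i^d (mod 11) form a Vandermonde system, and Gaussian elimination over GF(11) shows why d overheard pairs leave every response to a fresh challenge equally likely (criterion 4' holds for k=d) while d+1 pairs at distinct challenges determine the coefficients. The function and variable names are this example's own; the secret coefficients (3, 7, 5) are constructed sample values.

```python
P = 11  # the lecture's GF(11): integers mod 11 under + and * mod 11


def respond(coeffs, challenge):
    """RESPONSE = a0 + a1*challenge + a2*challenge^2 + ... (mod 11).
    coeffs = (a0, a1, ...) are the privately chosen protocol parameters."""
    return sum(a * pow(challenge, i, P) for i, a in enumerate(coeffs)) % P


def vandermonde(challenges, degree):
    """One row [1, c, c^2, ..., c^degree] (mod 11) per challenge c."""
    return [[pow(c, i, P) for i in range(degree + 1)] for c in challenges]


def rref_mod_p(matrix, rhs):
    """Gaussian elimination over GF(P): reduced row echelon form of the
    augmented matrix [matrix | rhs]. Returns (rows, pivot_columns)."""
    m = [row[:] + [b % P] for row, b in zip(matrix, rhs)]
    nrows, ncols = len(m), len(matrix[0])
    pivots, r = [], 0
    for col in range(ncols):
        piv = next((i for i in range(r, nrows) if m[i][col]), None)
        if piv is None:
            continue  # no pivot in this column: a free variable
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][col], -1, P)  # field inverse, P is prime
        m[r] = [x * inv % P for x in m[r]]
        for i in range(nrows):
            if i != r and m[i][col]:
                f = m[i][col]
                m[i] = [(x - f * y) % P for x, y in zip(m[i], m[r])]
        pivots.append(col)
        r += 1
        if r == nrows:
            break
    return m, pivots


def count_solutions(matrix, rhs):
    """Number of coefficient vectors over GF(P) satisfying the system:
    0 if inconsistent, else P^(unknowns - rank)."""
    m, pivots = rref_mod_p(matrix, rhs)
    inconsistent = any(not any(row[:-1]) and row[-1] for row in m)
    return 0 if inconsistent else P ** (len(matrix[0]) - len(pivots))


def recover_coeffs(pairs):
    """d+1 overheard (challenge, response) pairs at distinct challenges pin
    down a degree-d protocol: the square Vandermonde matrix is invertible,
    so elimination yields the unique coefficient vector. Returns None if a
    challenge repeats (the system is then singular)."""
    cs, rs = zip(*pairs)
    m, pivots = rref_mod_p(vandermonde(cs, len(pairs) - 1), list(rs))
    if len(pivots) != len(pairs):
        return None
    return [row[-1] for row in m]


def consistent_responses(pairs, new_challenge, degree):
    """Criterion 4' from the eavesdropper's view: for each possible response
    r' to new_challenge, how many degree-`degree` protocols agree with the
    overheard pairs AND answer r'? Equal counts for every r' mean the pairs
    carry no information about the new response."""
    cs = [c for c, _ in pairs] + [new_challenge]
    rs = [r for _, r in pairs]
    return {rp: count_solutions(vandermonde(cs, degree), rs + [rp])
            for rp in range(P)}


if __name__ == "__main__":
    secret = (3, 7, 5)  # constructed sample: a0, a1, a2 for the k=2 family
    overheard = [(c, respond(secret, c)) for c in (2, 5)]
    print("after 2 pairs, quadratic family:",
          consistent_responses(overheard, 9, 2))     # all equal: no info
    print("after 2 pairs, linear family:",
          consistent_responses(overheard, 9, 1))     # one r' survives
    third = (9, respond(secret, 9))
    print("3 pairs recover:", recover_coeffs(overheard + [third]))
```

The two families differ only in the number of unknowns: with two pairs the linear system (a0, a1) is square and already invertible, so the eavesdropper learns the protocol, whereas the quadratic system has one free variable and every one of the 11 candidate responses to the fresh challenge corresponds to exactly one surviving protocol. A third pair at a new challenge makes the quadratic system square, which is the Vandermonde-invertibility remark in the notes.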
What, if anything, is Gaussian Elimination with Errors?
NP-completeness of Gaussian Elimination with Errors.
The relation of Learning to Cryptography.

Reading: Johan Hastad, "Some optimal inapproximability results," in Proc. of the 29th ACM STOC (Symposium on Theory of Computing), pp. 1-10, El Paso, Texas, 4-6 May 1997.

ABSTRACT: We prove optimal, up to an arbitrary epsilon > 0, inapproximability results for Max-Ek-Sat for k >= 3 and optimizing the number of satisfied linear equations modulo a prime p. Max-Ek-Sat is the variant of CNF-Sat where each clause is of length exactly k. As a consequence of these results we get improved lower bounds for many problems studied previously. In particular, for Max-E2-Sat, Max-Cut, Max-Di-Cut and Vertex Cover. For Max-E2-Sat the obtained lower bound is essentially 22/21 ~ 1.047 while the strongest upper bound is around 1.074.