SECURITY and CRYPTOGRAPHY 15-827 18-SEP-01
Lecture #2 M.B.
4615 Wean
HANDOUT: "Iris Recognition" by John Daugman, American Scientist, pp 326-333
(July-August 2001).
HANDOUT: Newspaper article on the Comanche Code, South China Morning Post,
Features Section, pp 1-3 (Sat 9 June 2001).
RECALL: cell:510 469-8730
My name: Manuel Blum mblum@cs W:268-3742 /\ office= WEAN 4113
Your TA: Nick Hopper hopper@cs W:268-2993. office = 8303 WEAN
Assigned Homework will always be due on the Tuesday following, before class
begins. For example, any homework I assign today or this Thursday 20 Sept
will be due on the morning of Tuesday 25 Sept.
I WOULD LIKE THIS CLASS TO PUBLISH AN ORIGINAL RESEARCH PAPER IN A
COMPLETELY NEW FIELD OF CRYPTOGRAPHY. As much as I would like to base your
grade on the extent to which you help me in this enterprise,...
Grades will actually be determined by HW (10%), 2 MidTerm Exams (20% each),
and a Final Exam (50%).
The HumanOID Problem:
Informal version: How can a naked person in a glass house authenticate
himself?
More Formal version: Give a procedure for giving people individualized
challenge-response algorithms (more generally protocols) such that any
"reasonably intelligent" 6 to 60 year old can "easily" perform the
algorithm entirely in his head but such that an eavesdropper with a
powerful computer and a source of previously eavesdropped
challenge-response pairs cannot correctly respond to any new challenges.
The PhonOID Problem: Same as HumanOID, except that challenge-response is
done over the phone.
For HW#1, you were asked to come up with 2 challenge-response pairs. What
did you come up with?
Let's hear the suggestions. Let's comment on them. What are the good
features? What are the bad ones?
1. Can a person make up a page of questions whose answers they alone are
likely to know?
Good sources of questions: family relationships, early memories.
My 84 year old mother remembers the names of her 8 siblings (6 boys and 2
girls), and the names of her mother's 10 siblings (5 boys and 5 girls).
Spelling is a problem. For authentication, she may have to choose/fix a
spelling.
2. Can anyone and everyone come up with a rich source of challenges to which
he alone can respond?
(For me, I would take simple sentences and respond in Gwong dung wa, YALE
notation.)
3. MUCH HARDER PROBLEM: Can a person use his personal info as a seed in an
algorithm to generate a virtually infinite number of challenge-response
pairs? As usual, it must be easy for a person to respond to any challenge,
doing all computations in his head. It must be hard for an eavesdropper
with a computer to respond to any new challenge.
It is just as important to try to prove that this is NOT possible as to
prove that it IS possible. How?
A fundamental reason this appears to be hard is this: unlike computers,
which can give each other their algorithms, the algorithms that humans
learn are learned from observation.
If a human is to learn a secret protocol for responding to a challenge,
what's to keep eavesdroppers from learning, from observation of
challenge-response pairs, how to respond to challenges?
BIRTHDAY PARADOX
QUESTION: In a world with n days per year, how many people should one
invite to a party so that there is a roughly 50% chance that at least 2
people have the same birthday?
ANSWER: approximately 1.2*sqrt(n)
COUPON COLLECTORS PROBLEM
QUESTION: A cereal box contains one of n coupons, each coupon chosen
uniformly at random (i.e. each coupon is equally likely to appear in a
box). How many cereal boxes should one expect to buy in order to get all n
coupons?
ANSWER: approximately n*(lg n).
QUESTION: What base?
n/e empty cells (in expectation) when you throw n balls into n cells.
n/e^2 empty cells when you throw 2n balls into n cells.
n/e^(ln n) = 1 empty cell when you throw (ln n)*n balls into n cells; for n = 10 that is about 23 balls.
n/e^(ln 2n) = 1/2 empty cell when you throw (ln 2n)*n balls into n cells; for n = 10 that is about 30 balls.
ZERO-KNOWLEDGE.
* Early attempts at 0-knowledge proofs of knowledge that one knows how to
find the root of a cubic or quartic polynomial.
* A 0-knowledge proof that two graphs G1, G2 are isomorphic.
* An (almost but not quite) 0-knowledge proof that I have an efficient
method for distinguishing G1 from G2.
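The graph-isomorphism proof in the second bullet, written out as an added example (not code from these notes): the prover who knows the isomorphism pi answers either challenge with a random relabelling, so the verifier learns nothing it could not have produced alone, while a prover who does not know pi can only guess the challenge bit and is caught with probability 1/2 per round. The 6-vertex instance is constructed for the demo; function names are my own.

```python
import random
def apply_perm(graph, perm):
    """Relabel each edge {u, v} of graph as {perm[u], perm[v]}."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def random_perm(n, rng):
    """Uniformly random permutation of {0, ..., n-1}, as a dict."""
    targets = list(range(n)); rng.shuffle(targets)
    return dict(zip(range(n), targets))

def compose(outer, inner):
    """Permutation outer o inner: v -> outer[inner[v]]."""
    return {v: outer[inner[v]] for v in inner}

def honest_prover(g1, g2, pi, n, rng):
    """Knows pi with g2 == pi(g1). Commits to h = sigma(g2) for a fresh random sigma;
    reveals sigma on challenge 1 or sigma o pi on challenge 0 (h = sigma(pi(g1)))."""
    sigma = random_perm(n, rng)
    h = apply_perm(g2, sigma)
    return h, (lambda challenge: sigma if challenge == 1 else compose(sigma, pi))

def cheating_prover(g1, g2, n, rng):
    """Does not know pi: guesses the challenge bit and commits to a relabelling of
    the graph it expects to be asked about. Survives k rounds with probability 2^-k."""
    guess, tau = rng.randrange(2), random_perm(n, rng)
    h = apply_perm(g2 if guess == 1 else g1, tau)
    return h, (lambda challenge: tau if challenge == guess else None)

def verify(g1, g2, h, challenge, response):
    """Verifier: the revealed permutation must carry the named graph onto h."""
    return response is not None and apply_perm(g2 if challenge == 1 else g1, response) == h

def run_protocol(g1, g2, prover_factory, rounds, rng):
    """rounds commit / challenge / response exchanges; every one must pass."""
    for _ in range(rounds):
        h, respond = prover_factory(rng)          # prover's commitment
        challenge = rng.randrange(2)              # verifier's coin
        if not verify(g1, g2, h, challenge, respond(challenge)):
            return False
    return True

def demo(rounds=20, seed=1):
    """Constructed instance: a 6-cycle with one chord, and a random copy of it."""
    rng, n = random.Random(seed), 6
    g1 = frozenset(frozenset({i, (i + 1) % n}) for i in range(n)) | {frozenset({0, 3})}
    pi = random_perm(n, rng); g2 = apply_perm(g1, pi)
    honest = run_protocol(g1, g2, lambda r: honest_prover(g1, g2, pi, n, r), rounds, rng)
    cheat = run_protocol(g1, g2, lambda r: cheating_prover(g1, g2, n, r), rounds, rng)
    return honest, cheat   # expect (True, False)
```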