SECURITY and CRYPTOGRAPHY 15-827 4 OCT 01
Lecture #6 M.B.
4615 Wean
What is a PHONOID, intuitively? It is a challenge-response protocol that
can be done mentally over the telephone.
Did anyone come up with a PHONOID that they would be willing to show off in
class?
Toward a somewhat FORMAL DEFINITION of a PHONOID:
An n-party PROTOCOL is a collection of n instructions, I1,...,In, one for
each person, P1,...,Pn respectively.
A CHALLENGE-RESPONSE PROTOCOL is an n=2 party protocol for
P1 = CHALLENGER and P2 = RESPONDER. Challenger P1 selects an allowable
challenge-response pair at random, and tells the challenge (only) to P2. P2
responds to the challenge. P1 accepts if the response is correct; rejects
otherwise.
(Consider the pros and cons of allowing more interaction.)
A PHONOID is a challenge-response protocol with the following properties:
1. The protocol says exactly what constitutes a (legitimate, permissible)
CHALLENGE. There must be at least 500 distinct challenges.
For example, a challenge could be any string of 3 distinct positive digits
(in which case there are 9*8*7 = 504 permissible challenges).
2. The protocol says exactly the range of all possible RESPONSES. In
addition, every (legitimate) challenge must have exactly one correct
response. (What are the pros and cons of allowing up to 10 correct
responses to each challenge? Why stop at 10?)
3. The human creator of the protocol can mentally (in his head) generate
the correct response to "most" spoken (not necessarily written) challenges in
"at most" 10-15 seconds preferably, or 15-30 seconds in the "rare" worst case.
The challenge need only be heard clearly just once. The error probability
is "low."
4. With "high" probability, k=2 randomly chosen challenge-response pairs
do not suffice to cut the possible correct responses to a new randomly
chosen challenge down to a 1-in-10 chance. (Rudich's protocol #31 fails
because the output is just one digit, so the correct response is already a
1-in-10 guess.)
A more precise criterion 4:
4' The challenge-response protocol is chosen at random from a publicly
known finite collection of protocols. To the "eavesdropper," no matter what
the (chosen unknown) protocol, any k=2 chosen challenge-response pairs
yield no information whatsoever about the response to a new challenge: all
possible responses are equally likely.
An EAVESDROPPER is a person who knows the above general public
information, but not the specific privately chosen protocol, and overhears
k=2 challenge-response pairs.
EXAMPLE k=1 of 4': The collection of protocols contains exactly 2 protocols
(k=1):
1. The constant or "output a PIN" protocol, and
2. The "add a PIN" protocol.
Here, PIN = Personal Identification Number.
A single challenge-response pair gives no information whatsoever about
which protocol was chosen.
Another EXAMPLE k=1 of 4': The collection of protocols contains exactly
11^2 = 121 protocols, each protocol being of the form:
CHALLENGE = an element 0,1,...,10 of GF(11), the field of integers mod 11
under + and x mod 11.
RESPONSE = (a0 + a1*challenge) (mod 11), for some fixed privately chosen
integers a0, a1 in GF(11).
EXAMPLE k=2 of 4': The collection of protocols contains exactly 11^3 = 1331
protocols, each protocol being of the form:
CHALLENGE = an element randomly chosen from GF(11).
RESPONSE = (a0 + a1*challenge + a2*challenge^2) (mod 11) for some fixed
integers a0, a1, a2 in GF(11).
Note that the Vandermonde matrix is invertible: ....
General EXAMPLE k of 4': .....
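A worked version of the GF(11) polynomial examples and the Vandermonde remark above, added here as an example and not part of the lecture notes (Python; the secret coefficients (3, 7, 5) and the challenges used are constructed sample values). It counts the protocols still consistent with k=2 overheard pairs, shows that the eavesdropper's view of the response to a new challenge is uniform over GF(11), and recovers (a0, a1, a2) from a third pair by Gaussian elimination mod 11, i.e. by solving the Vandermonde system:

```python
"""Added example: the degree-2 polynomial PHONOID over GF(11) from the k=2
example of criterion 4'. Secret coefficients below are constructed values."""
from collections import Counter
from itertools import product
P = 11  # GF(11): integers mod 11

def respond(coeffs, challenge):
    """RESPONSE = a0 + a1*c + a2*c^2 (mod 11) for coeffs = (a0, a1, a2)."""
    return sum(a * pow(challenge, i, P) for i, a in enumerate(coeffs)) % P

def consistent_protocols(pairs):
    """Every (a0, a1, a2) in GF(11)^3 that reproduces all overheard pairs."""
    return [c for c in product(range(P), repeat=3)
            if all(respond(c, ch) == r for ch, r in pairs)]

def response_distribution(pairs, new_challenge):
    """Eavesdropper's view: how the surviving protocols answer new_challenge."""
    return Counter(respond(c, new_challenge) for c in consistent_protocols(pairs))

def solve_mod_p(matrix, rhs):
    """Gauss-Jordan elimination over GF(P); returns None if the matrix is singular."""
    n = len(matrix)
    aug = [list(row) + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] % P), None)
        if pivot is None:
            return None                        # no pivot: not uniquely solvable
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], P - 2, P)     # Fermat inverse in GF(P)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] % P:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return tuple(row[n] for row in aug)

def recover_coeffs(pairs):
    """Solve V * (a0, a1, a2) = responses, V the Vandermonde rows (1, c, c^2)."""
    vandermonde = [[pow(ch, i, P) for i in range(3)] for ch, _ in pairs]
    return solve_mod_p(vandermonde, [r for _, r in pairs])

if __name__ == "__main__":
    secret = (3, 7, 5)                                 # constructed private protocol
    heard = [(c, respond(secret, c)) for c in (2, 5)]  # k=2 overheard pairs
    print("survivors after 2 pairs:", len(consistent_protocols(heard)))   # 11
    print("responses to challenge 7:", dict(response_distribution(heard, 7)))
    heard.append((9, respond(secret, 9)))              # a third pair
    print("recovered from 3 pairs:", recover_coeffs(heard))               # (3, 7, 5)
```

With two distinct challenges exactly 11 of the 1331 protocols survive, one per possible response to any third challenge; a repeated challenge gives the eavesdropper nothing new, and `recover_coeffs` returns None for it.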
HOMEWORK:
1. Break protocol #67.
See Nick Hopper's detailed description of the problem, and exactly how it
will be graded at
http://www.cs.cmu.edu/~hopper/cs827-f01/
Better start working on it... NOW!
2. Come up with an original PHONOID. More specifically, come up with 10
original PHONOIDS, but show us only your single "best" one.
Be prepared to exhibit your protocol in class on Tue October 9.
OTHER STUFF:
What is Gaussian Elimination?
What if anything is Gaussian Elimination with Errors?
NP-completeness of Gaussian Elimination with Errors.
The relation of Learning to Cryptography.
Reading: Johan Hastad, "Some optimal inapproximability results," in Proc. of
the 29th ACM STOC (Symposium on Theory of Computing), pp. 1-10, El Paso,
Texas, 4-6 May 1997.
ABSTRACT: We prove optimal, up to an arbitrary epsilon > 0,
inapproximability results for Max-Ek-Sat for k >= 3 and optimizing the
number of satisfied linear equations modulo a prime p. Max-Ek-Sat is the
variant of CNF-Sat where each clause is of length exactly k. As a
consequence of these results we get improved lower bounds for many problems
studied previously. In particular, for Max-E2-Sat, Max-Cut, Max-Di-Cut and
Vertex cover. For Max-E2-Sat the obtained lower bound is essentially 22/21
~ 1.047 while the strongest upper bound is around 1.074.