Before we start with the technical
material, I wanna give you a quick
overview of what cryptography is about and
the different areas of cryptography. So
the core of cryptography of course is
secure communication that essentially
consists of two parts. The first is
secured key establishment and then how do
we communicate securely once we have a
shared key. We already said that secured
key establishment essentially amounts to
Alice and Bob sending messages to one
another such that at the end of this
protocol, there's a shared key that they
both agree on, shared key K, and beyond
that, beyond just a shared key, in fact
Alice would know that she's talking to Bob
and Bob would know that he's talking to
Alice. But a poor attacker who listens in
on this conversation has no idea what the
shared key is. And we'll see how to do
that later on in the course. Now once they
have a shared key, they want exchange
messages securely using this key, and
we'll talk about encryption schemes that
allow them to do that in such a way that
an attacker can't figure out what messages
are being sent back and forth. And
furthermore an attacker cannot even tamper
with this traffic without being detected.
In other words, these encryption schemes
provide both confidentiality and
integrity. But cryptography does much,
much, much more than just these two
things. And I want to give you a few
examples of that. So the first example I
want to give you is what's called a
digital signature. So a digital signature,
basically, is the analog of the signature
in the physical world. In the physical
world, remember when you sign a document,
essentially, you write your signature on
that document and your signature is always
the same. You always write the same
signature on all documents that you wanna
sign. In the digital world, this can't
possibly work because if the attacker just
obtained one signed document from me, he
can cut and paste my signature unto some
other document that I might not have
wanted to sign. And so, it's simply not
possible in a digital world that my
signature is the same for all documents
that I want to sign. So we're gonna talk
about how to construct digital signatures
in the second half of the course. It's
really quite an interesting primitive and
we'll see exactly how to do it. Just to
give you a hint, the way digital
signatures work is basically by making the
digital signature via function of the
content being signed. So an attacker who
tries to copy my signature from one
document to another is not gonna succeed
because the signature. On the new document
is not gonna be the proper function of the
data in the new document, and as a result,
the signature won't verify. And as I said,
we're gonna see exactly how to construct
digital signatures later on and then we'll
prove that those constructions are secure.
Another application of cryptography that I
wanted to mention, is anonymous
communication. So, here, imagine user
Alice wants to talk to some chat server,
Bob. And, perhaps she wants to talk about
a medical condition, and so she wants to
do that anonymously, so that the chat
server doesn't actually know who she is.
Well, there's a standard method, called a
mixnet, that allows Alice to communicate
over the public internet with Bob through
a sequence of proxies such that at the end
of the communication Bob has no idea who he
just talked to. The way mixnets work
is basically as Alice sends her messages
to Bob through a sequence of proxies,
these messages get encrypted and
decrypted appropriately so that Bob has no
idea who he talked to and the proxies
themselves don't even know that Alice is
talking to Bob, or that actually who is
talking to whom more generally. One
interesting thing about this anonymous
communication channel is, this is
bi-directional. In other words, even
though Bob has no idea who he's talking
to, he can still respond to Alice and
Alice will get those messages. Once we
have anonymous communication, we can build
other privacy mechanisms. And I wanna give
you one example which is called anonymous
digital cash. Remember that in the
physical world if I have a physical
dollar, I can walk into a bookstore and
buy a book and the merchant would have no
idea who I am. The question is whether we
can do the exact same thing in the digital
world. In the digital world, basically,
Alice might have a digital dollar,
a digital dollar coin. And she might wanna
spend that digital dollar at some online
merchants, perhaps some online bookstore.
Now, what we'd like to do is make it so
that when Alice spends her coin at the
bookstore, the bookstore would have no
idea who Alice is. So we provide the same
anonymity that we get from physical cash.
Now the problem is that in the digital
world, Alice can take the coin that she
had, this one dollar coin, and before she spent
it, she can actually make copies of it.
And then all of a sudden instead of just
having just one dollar coin now all
of a sudden she has three dollar coins and
they're all the same of course, and
there's nothing preventing her from taking
those replicas of a dollar coin and
spending it at other merchants. And so the
question is how do we provide anonymous
digital cash? But at the same time, also
prevent Alice from double spending the
dollar coin at different merchants. In
some sense there's a paradox here where
anonymity is in conflict with security
because if we have anonymous cash there's
nothing to prevent Alice from double
spending the coin and because the coin is
anonymous we have no way of telling who
committed this fraud. And so the question
is how do we resolve this tension. And it
turns out, it's completely doable. And
we'll talk about anonymous digital cash
later on. Just to give you a hint, I'll
say that the way we do it is basically by
making sure that if Alice spends the coin
once then no one knows who she is, but if
she spends the coin more than once, all of
a sudden, her identity is completely
exposed and then she could be subject to
all sorts of legal problems. And so that's
how anonymous digital cash would
work at a high level and we'll see how to
implement it later on in the course.
Another application of cryptography has to
do with more abstract protocols, but
before I speak the general result, I
want to give you two examples. So the
first example has to do with election
systems. So here's the election problem.
Suppose ... we have two parties, party zero
and party one. And voters vote for these
parties. So for example, this voter could
have voted for party zero, this voter voted for
party one. And so on. So in this election,
party zero got three votes and party two
got two votes. So the winner of the
election, of course, is party zero. But
more generally, the winner of the election
is the party who receives the majority of
the votes. Now, the voting problem is the
following. The voters would somehow like
to compute the majority of the votes, but
do it in such a way such that nothing else
is revealed about their individual votes.
Okay? So the question is how to do that?
And to do so, we're gonna introduce an
election center who's gonna help us
compute the majority, but keep the votes
otherwise secret. And what the parties
will do is they will each send the funny
encryption of their votes to the election
center in such a way that at the end of
the election, the election center is able
to compute and output the winner of the
election. However, other than the winner
of the election, nothing else is revealed
about the individual votes. The individual
votes otherwise remain completely private.
Of course the election center is also
gonna verify that this voter for example
is allowed to vote and that the voter has
only voted once. But other than that
information the election center and the
rest of the world learned nothing else
about that voter's vote other than the
result of the election. So this is an
example of a protocol that involves six
parties. In this case, there are five
voters in one election center. These
parties compute amongst themselves. And at
the end of the computation, the result of
the election is known but nothing else is
revealed about the individual inputs. Now
a similar problem comes up in the context
of private auctions. So in a private
auction every bidder has his own bid that
he wants to bid. And now suppose the
auction mechanism that's being used is
what's called a Vickrey auction where the
definition of a Vickrey auction is that
the winner is the highest bidder. But the
amounts that the winner pays is actually
the second highest bid. So he pays the
second highest bid. Okay, so this is a
standard auction mechanism called the
Vickrey auction. And now what we'd like to
do is basically enable the participants to
compute, to figure out who the highest
bidder is and how much he's supposed to
pay, but other than that, all other
information about the individual bids
should remain secret. So for example, the
actual amount that the highest bidder bid
should remain secret. The only thing that
should become public is the second highest
bid and the identity of the highest
bidder. So again now, the way we will do
that is we'll introduce an auction center, and
in a similar way, essentially, everybody
will send their encrypted bids to the
auction center. The auction center will
compute the identity of the winner and in
fact he will also compute the second
highest bid but other than these two
values, nothing else is revealed about the
individual bids. Now, this is actually an
example of a much more general problem
called secure multi-party computation. Let
me explain what secure multi-party
computation is about. So here, basically
abstractly, the participants have a secret
inputs to themselves. So, in the case of
an election, the inputs would be the
votes. In the case of an auction, the
inputs would be the secret bids. And then
what they would like to do is compute some
sort of a function of their inputs.
Again, in the case of an election, the
function's a majority. In the case of
auction, the function happens to be the
second highest, largest number among x one
to x four. And the question is, how can
they do that, such that the value of the
function is revealed, but nothing else is
revealed about the individual votes? So
let me show you kind of a dumb, insecure
way of doing it. What we do is introduce a
trusted party. And then, this trusted
authority basically collects individual
inputs. And it kinda promises to keep the
individual inputs secret, so that only it
would know what they are. And then, it
publishes the value of the function, to
the world. So, the idea is now that the
value of the function became public, but
nothing else is revealed about the
individual inputs. But, of course, you got
this trusted authority that you got to
trust, and if for some reason it's not
trustworthy, then you have a problem. And
so, there's a very central theorem in
crypto and it really is quite a
surprising fact. That says that any
computation you'd like to do, any function
F you'd like to compute, that you can
compute with a trusted authority, you can
also do without a trusted authority.
Let me at a high level explain what this
means. Basically, what we're gonna do, is
we're gonna get rid of the authority. So
the parties are actually not gonna send
their inputs to the authority. And, in
fact, there's no longer going to be an
authority in the system. Instead, what the
parties are gonna do, is they're gonna
talk to one another using some protocol.
Such that at the end of the protocol all
of a sudden the value of the function
becomes known to everybody. And yet
nothing other than the value of the
function is revealed. In other words, the
individual inputs is still kept secret.
But again there's no authority, there's
just a way for them to talk to one another
such that the final output is revealed. So
this is a fairly general result, it's kind
of a surprising fact that is at all
doable. And in fact it is and towards the
end of the class we'll actually see how to
make this happen. Now, there are some
applications of cryptography that I can't
classify any other way other than to say
that they are purely magical. Let me give
you two examples of that. So the first is
what's called privately outsourcing
computation. So I'll give you an example
of a Google search just to illustrate the
point. So imagine Alice has a search query
that she wants to issue. It turns out that
there are very special encryption schemes
such that Alice can send an encryption of
her query to Google. And then because of
the property of the encryption scheme
Google can actually compute on the
encrypted values without knowing what the
plain texts are. So Google can actually
run its massive search algorithm on the
encrypted query and recover in encrypted
results. Okay. Google will send the
encrypted results back to Alice. Alice
will decrypt and then she will receive the
results. But the magic here is all Google
saw was just encryptions of her queries
and nothing else. And so, Google as a
result has no idea what Alice just
searched for and nevertheless Alice
actually learned exactly what she
wanted to learn. Okay so, these are
magical kind of encryption schemes. They're
fairly recent, this is only a new
development from about two or three years
ago, that allows us to compute on encrypted
data, even though we don't really know
what's inside the encryption. Now, before
you rush off and think about implementing
this, I should warn you that this is
really at this point just theoretical, in
the sense that running a Google search on
encryption data probably would take a
billion years. But nevertheless, just the
fact that this is doable is already really
surprising, and is already quite useful
for relatively simple computations. So in
fact, we'll see some applications of this
later on. The other magical application I
want to show you is what's called zero
knowledge. And in particular, I'll tell
you about something called the zero
knowledge proof of knowledge. So here ...
what happens is there's a certain
number N, which Alice knows. And the way
the number N was constructed is as a
product of two large primes. So, imagine
here we have two primes, P and Q. Each one
you can think of it as like 1000 digits.
And you probably know that multiplying
two 1000-digit numbers is fairly easy. But if
I just give you their product, figuring
out their factorization into primes is
actually quite difficult. And, in fact,
we're gonna use the fact that factoring is
difficult to build public key cryptosystems
in the second half of the course.
Okay, so Alice happens to have this number
N, and she also knows the factorization of
N. Now Bob just has the number N. He
doesn't actually know the factorization.
Now, the magical fact about the zero
knowledge proof of knowledge, is that
Alice can prove to Bob that she knows the
factorization of N. Yes, you can actually
give this proof to Bob, that Bob can
check, and become convinced that Alice
knows the factorization of N, however Bob
learns nothing at all. About the factors P
and Q, and this is provable. Bob
absolutely learns nothing at all about the
factors P and Q. And the statement
actually is very, very general. This is
not just about proving the factorization
of N. In fact, almost any puzzle that you
want to prove that you know an answer to,
you can prove it is your knowledge. So if
you have a crossword puzzle that you've
solved. Well, maybe crosswords is not the
best example. But if you have like a
Sudoku puzzle, for example, that you want
to prove that you've solved, you can prove
it to Bob in a way that Bob would learn
nothing at all about the solution, and yet
Bob would be convinced that you really do
have a solution to this puzzle. Okay. So
those are kind of magical applications.
And so the last thing I want to say is
that modern cryptography is a very
rigorous science. And in fact, every
concept we're gonna describe is gonna
follow three very rigorous steps, okay,
and we're gonna see these three steps
again and again and again so I wanna
explain what they are. So the first thing
we're gonna do when we introduce a new
primitive like a digital signature is
we're gonna specify precisely what the
threat model is. That is, what can an
attacker do to attack a digital signature
and what is his goal in forging
signatures? Okay, so we're gonna define
exactly what does it mean for a signature
for example to be unforgeable.
Unforgeable. Okay and I'm giving digital
signatures just as an example. For every
primitive we describe we're gonna
precisely define what the threat model is.
Then we're gonna propose a construction
and then we're gonna give a proof that any
attacker that's able to attack the
construction under this threat model. That
attacker can also be used to solve some
underlying hard problem. And as a result,
if the problem really is hard, that
actually proves that no attacker can break
the construction under the threat model.
Okay. But these three steps are actually
quite important. In the case of
signatures, we'll define what it means for
a signature to be, forgeable, then we'll
give a construction, and then for example
we'll say that anyone who can break our
construction can then be used to say
factor integers, which is believed to be a
hard problem. Okay, so we're going to
follow these three steps throughout, and
then you'll see how this actually comes
about. Okay, so this is the end of the
segment. And then in the next segment
we'll talk a little bit about the history
of cryptography.
