CAPTCHA: Using Hard AI Problems For Security

Luis von Ahn¹, Manuel Blum¹, Nicholas J. Hopper¹, and John Langford²

¹ Computer Science Dept., Carnegie Mellon University, Pittsburgh PA 15213, USA
² IBM T.J. Watson Research Center, Yorktown Heights NY 10598, USA

Abstract. We introduce captcha, an automated test that humans can pass, but current computer programs can't pass: any program that has high success over a captcha can be used to solve an unsolved Artificial Intelligence (AI) problem. We provide several novel constructions of captchas. Since captchas have many applications in practical security, our approach introduces a new class of hard problems that can be exploited for security purposes. Much like research in cryptography has had a positive impact on algorithms for factoring and discrete log, we hope that the use of hard AI problems for security purposes allows us to advance the field of Artificial Intelligence. We introduce two families of AI problems that can be used to construct captchas and we show that solutions to such problems can be used for steganographic communication. captchas based on these AI problem families, then, imply a win-win situation: either the problems remain unsolved and there is a way to differentiate humans from computers, or the problems are solved and there is a way to communicate covertly on some channels.

1 Introduction

A captcha is a program that can generate and grade tests that: (A) most humans can pass, but (B) current computer programs can't pass. Such a program can be used to differentiate humans from computers and has many applications for practical security, including (but not limited to):

– Online Polls. In November 1999, slashdot.com released an online poll asking which was the best graduate school in computer science (a dangerous question to ask over the web!). As is the case with most online polls, IP addresses of voters were recorded in order to prevent single users from voting more than once. However, students at Carnegie Mellon found a way to stuff the ballots by using programs that voted for CMU thousands of times. CMU's score started growing rapidly. The next day, students at MIT wrote their own voting program and the poll became a contest between voting "bots". MIT finished with 21,156 votes, Carnegie Mellon with 21,032 and every other school with less than 1,000. Can the result of any online poll be trusted? Not unless the poll requires that only humans can vote.

– Free Email Services. Several companies (Yahoo!, Microsoft, etc.) offer free email services, most of which suffer from a specific type of attack: "bots" that sign up for thousands of email accounts every minute. This situation can be improved by requiring users to prove they are human before they can get a free email account. Yahoo!, for instance, uses a captcha of our design to prevent bots from registering for accounts. Their captcha asks users to read a distorted word such as the one shown below (current computer programs are not as good as humans at reading distorted text).

Fig. 1. The Yahoo! captcha.

– Search Engine Bots. Some web sites don't want to be indexed by search engines. There is an html tag to prevent search engine bots from reading web pages, but the tag doesn't guarantee that bots won't read the pages; it only serves to say "no bots, please". Search engine bots, since they usually belong to large companies, respect web pages that don't want to allow them in. However, in order to truly guarantee that bots won't enter a web site, captchas are needed.

– Worms and Spam. captchas also offer a plausible solution against email worms and spam: only accept an email if you know there is a human behind the other computer. A few companies, such as www.spamarrest.com, are already marketing this idea.

– Preventing Dictionary Attacks. Pinkas and Sander [11] have suggested using captchas to prevent dictionary attacks in password systems. The idea is simple: prevent a computer from being able to iterate through the entire space of passwords by requiring a human to type the passwords.

The goals of this paper are to lay a solid theoretical foundation for captchas, to introduce the concept to the cryptography community, and to present several novel constructions.

Lazy Cryptographers Doing AI

Note that from a mechanistic point of view, there is no way to prove that a program cannot pass a test which a human can pass, since there is a program — the human brain — which passes the test. All we can do is to present evidence that it's hard to write a program that can pass the test. In this paper, we take an approach familiar to cryptographers: investigate state-of-the-art algorithmic developments having to do with some problem, assume that the adversary does not have algorithms for that problem that are much better than the state-of-the-art algorithms, and then prove a reduction between passing a test and exceeding the performance of state-of-the-art algorithms. In the case of ordinary cryptography, it is assumed (for example) that the adversary cannot factor 1024-bit integers in any reasonable amount of time. In our case, we assume that the adversary cannot solve an Artificial Intelligence problem with higher accuracy than what's currently known to the AI community. This approach, if it achieves widespread adoption, has the beneficial side effect of inducing security researchers, as well as otherwise malicious programmers, to advance the field of AI (much like computational number theory has been advanced since the advent of modern cryptography).

A captcha is a cryptographic protocol whose underlying hardness assumption is based on an AI problem.

An important component of the success of modern cryptography is the practice of stating, very precisely and clearly, the assumptions under which cryptographic protocols are secure. This allows the rest of the community to evaluate the assumptions and to attempt to break them. In the case of Artificial Intelligence, it's rare for problems to be precisely stated, but using them for security purposes forces protocol designers to do so. We believe that precisely stating unsolved AI problems can accelerate the development of Artificial Intelligence: most AI problems that have been precisely stated and publicized have eventually been solved (take chess as an example). For this reason it makes practical sense for AI problems that are used for security purposes to also be useful. If the underlying AI problem is useful, a captcha implies a win-win situation: either the captcha is not broken and there is a way to differentiate humans from computers, or the captcha is broken and a useful AI problem is solved. Such is not the case for most other cryptographic assumptions: the primary reason algorithms for factoring large numbers are useful is that factoring has applications in cryptanalysis.

In this paper we will present constructions of captchas based on certain AI problems and we will show that solving the captchas implies solving the AI problems. The AI problems we chose have several applications, and we will show that solutions to them can be used, among other things, for steganographic communication (see Section 5).

Related Work

The first mention of ideas related to "Automated Turing Tests" seems to appear in an unpublished manuscript by Moni Naor [10]. This excellent manuscript contains some of the crucial notions and intuitions, but gives no proposal for an Automated Turing Test, nor a formal definition. The first practical example of an Automated Turing Test was the system developed by Altavista [8] to prevent "bots" from automatically registering web pages. Their system was based on the difficulty of reading slightly distorted characters and worked well in practice, but was only meant to defeat off-the-shelf Optical Character Recognition (OCR) technology. (Coates et al. [5], inspired by our work, and Xu et al. [14] developed similar systems and provided more concrete analyses.) In 2000 [1], we introduced the notion of a captcha as well as several practical proposals for Automated Turing Tests.

This paper is the first to conduct a rigorous investigation of Automated Turing Tests and to address the issue of proving that it is difficult to write a computer program that can pass the tests. This, in turn, leads to a discussion of using AI problems for security purposes, which has never appeared in the literature. We also introduce the first Automated Turing Tests not based on the difficulty of Optical Character Recognition. A related general interest paper [2] has been accepted by Communications of the ACM. That paper reports on our work, without formalizing the notions or providing security guarantees.

2 Deﬁnitions and Notation

Let D be a probability distribution. We use [D] to denote the support of D. If P(·) is a probabilistic program, we will denote by P_r(·) the deterministic program that results when P uses random coins r.

Let (P, V) be a pair of probabilistic interacting programs. We denote the output of V after the interaction between P and V with random coins u_1 and u_2, assuming this interaction terminates, by ⟨P_{u_1}, V_{u_2}⟩ (the subscripts are omitted in case the programs are deterministic). A program V is called a test if for all P and u_1, u_2, the interaction between P_{u_1} and V_{u_2} terminates and ⟨P_{u_1}, V_{u_2}⟩ ∈ {accept, reject}. We call V the verifier or tester and any P which interacts with V the prover.

Definition 1. Define the success of an entity A over a test V by

Succ_A^V = Pr_{r,r′}[⟨A_r, V_{r′}⟩ = accept].

We assume that A can have precise knowledge of how V works; the only piece of information that A can't know is r′, the internal randomness of V.

CAPTCHA

Intuitively, a captcha is a test V over which most humans have success close to 1, and for which it is hard to write a computer program that has high success over V. We will say that it is hard to write a computer program that has high success over V if any program that has high success over V can be used to solve a hard AI problem.

Definition 2. A test V is said to be (α, β)-human executable if at least an α portion of the human population has success greater than β over V.

Notice that a statement of the form "V is (α, β)-human executable" can only be proven empirically. Also, the success of different groups of humans might depend on their origin language or sensory disabilities: color-blind individuals, for instance, might have low success on tests that require the differentiation of colors.

Definition 3. An AI problem is a triple P = (S, D, f), where S is a set of problem instances, D is a probability distribution over the problem set S, and f : S → {0, 1}* answers the instances. Let δ ∈ (0, 1]. We require that for an α > 0 fraction of the humans H, Pr_{x←D}[H(x) = f(x)] > δ.

Definition 4. An AI problem P is said to be (δ, τ)-solved if there exists a program A, running in time at most τ on any input from S, such that

Pr_{x←D,r}[A_r(x) = f(x)] ≥ δ.

(A is said to be a (δ, τ) solution to P.) P is said to be a (δ, τ)-hard AI problem if no current program is a (δ, τ) solution to P, and the AI community agrees it is hard to find such a solution.

Definition 5. An (α, β, η)-captcha is a test V that is (α, β)-human executable, and which has the following property:

There exists a (δ, τ)-hard AI problem P and a program A, such that if B has success greater than η over V then A^B is a (δ, τ) solution to P.

(Here A^B is defined to take into account B's running time too.)

Remarks

1. The definition of an AI problem as a triple (S, D, f) should not be inspected with a philosophical eye. We are not trying to capture all the problems that fall under the umbrella of Artificial Intelligence. We want the definition to be easy to understand, we want some AI problems to be captured by it, and we want the AI community to agree that these are indeed hard AI problems. More complex definitions can be substituted for Definition 3 and the rest of the paper remains unaffected.

2. A crucial characteristic of an AI problem is that a certain fraction of the human population be able to solve it. Notice that we don't impose a limit on how long it would take humans to solve the problem. All that we require is that some humans be able to solve it (even if we have to assume they will live hundreds of years to do so). The case is not the same for captchas. Although our definition says nothing about how long it should take a human to solve a captcha, it is preferable for humans to be able to solve captchas in a very short time. captchas which take a long time for humans to solve are probably useless for all practical purposes.

AI Problems as Security Primitives

Notice that we define hard in terms of the consensus of a community: an AI problem is said to be hard if the people working on it agree that it's hard. This notion should not be surprising to cryptographers: the security of most modern cryptosystems is based on assumptions agreed upon by the community (e.g., we assume that 1024-bit integers can't be factored). The concept of a hard AI problem as a foundational assumption, of course, is more questionable than P ≠ NP, since many people in the AI community agree that all hard AI problems are eventually going to be solved. However, hard AI problems may be a more reasonable assumption than the hardness of factoring, given the possibility of constructing a quantum computer. Moreover, even if factoring is shown to be hard in an asymptotic sense, picking a concrete value for the security parameter usually means making an assumption about current factoring algorithms: we only assume that current factoring algorithms that run on current computers can't factor 1024-bit integers. In the same way that AI researchers believe that all AI problems will be solved eventually, we believe that at some point we will have the computational power and algorithmic ability to factor 1024-bit integers. (Shamir and Tromer [13], for instance, have proposed a machine that could factor 1024-bit integers; the machine would cost about ten million dollars in materials.)

An important difference between popular cryptographic primitives and AI problems is the notion of a security parameter. If we believe that an adversary can factor 1024-bit integers, we can use 2048-bit integers instead. No such concept exists in hard AI problems. AI problems, as we have defined them, do not deal with asymptotics. However, as long as there is a small gap between human and computer ability with respect to some problem, this problem can potentially be used as a primitive for security: rather than asking the prover to solve the problem once, we can ask it to solve the problem twice. If the prover gets good at solving the problem twice, we can ask it to solve the problem three times, etc.

There is an additional factor that simplifies the use of hard AI problems as security primitives. Most applications of captchas require the tests to be answered within a short time after they are presented. If a new program solves the hard AI problems that are currently used, then a different set of problems can be used, and the new program cannot affect the security of applications that were run before it was developed. Compare this to encryption schemes: in many applications the information that is encrypted must remain confidential for years, and therefore the underlying problem must be hard against programs that run for a long time, and against programs that will be developed in the future.¹

We also note that not all hard AI problems can be used to construct a captcha. In order for an AI problem to be useful for security purposes, there needs to be an automated way to generate problem instances along with their solution. The case is similar for computational problems: not all hard computational problems yield cryptographic primitives.

¹ We thank one of our anonymous Eurocrypt reviewers for pointing this out.

Who Knows What?

Our definitions imply that an adversary attempting to write a program that has high success over a captcha knows exactly how the captcha works. The only piece of information that is hidden from the adversary is a small amount of randomness that the verifier uses in each interaction.

This choice greatly affects the nature of our definitions and makes the problem of creating captchas more challenging. Imagine an Automated Turing Test that owns a large secret book written in English and, to test an entity A, either picks a paragraph from its secret book or generates a paragraph using the best known text-generation algorithm, and then asks A whether the paragraph makes sense (the best text-generation algorithms cannot produce an entire paragraph that would make sense to a human being). Such an Automated Turing Test might be able to distinguish humans from computers (it is usually the case that the best text-generation algorithms and the best algorithms that try to determine whether something makes sense are tightly related). However, this test cannot be a captcha: an adversary with knowledge of the secret book could achieve high success against this test without advancing the algorithmic state of the art. We do not allow captchas to base their security on the secrecy of a database or a piece of code.

Gap Amplification

We stress that any positive gap between the success of humans and current computer programs against a captcha can be amplified to a gap arbitrarily close to 1 by serial repetition. The case for parallel repetition is more complicated and is addressed by Bellare, Impagliazzo and Naor in [3].

Let V be an (α, β, η)-captcha, and let V_k^m be the test that results by repeating V m times in series (with fresh new randomness each time) and accepting only if the prover passes V more than k times. Then for any ε > 0 there exist m and k with 0 ≤ k ≤ m such that V_k^m is an (α, 1 − ε, ε)-captcha. In general, we will have m = O((1/(β − η)²) ln(1/ε)) and sometimes much smaller. Since captchas involve human use, it is desirable to find the smallest m possible. This can be done by solving the following optimization problem:

min_m ∃k :  Σ_{i=k+1}^{m} C(m, i) β^i (1 − β)^{m−i} ≥ 1 − ε   and   Σ_{i=k+1}^{m} C(m, i) η^i (1 − η)^{m−i} ≤ ε,

where C(m, i) denotes the binomial coefficient: the first constraint says that a human with success β passes V_k^m with probability at least 1 − ε, and the second that a program with success η passes with probability at most ε.
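For concrete values of β, η and ε, this optimization can be solved by brute force. The sketch below (an illustrative helper, not part of the paper's formalism) scans m and k until both binomial-tail constraints hold:

```python
import math

def pass_prob(m, k, p):
    """Probability that a prover with per-round success p passes V_k^m,
    i.e. passes more than k of the m independent rounds."""
    return sum(math.comb(m, i) * p**i * (1 - p)**(m - i) for i in range(k + 1, m + 1))

def smallest_m(beta, eta, eps, m_max=1000):
    """Smallest m (with a witness k) such that a human with per-round success
    beta passes with probability >= 1-eps while a program with per-round
    success eta passes with probability <= eps."""
    for m in range(1, m_max + 1):
        for k in range(m):
            if pass_prob(m, k, beta) >= 1 - eps and pass_prob(m, k, eta) <= eps:
                return m, k
    return None
```

For example, with β = 0.95, η = 0.10 and ε = 0.01, five serial rounds with threshold k = 2 suffice, far fewer than a worst-case bound would suggest.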

Notice that amplifying a gap can roughly be thought of as increasing the security parameter of a captcha: if the best computer program now has success 0.10 against a given captcha (for example), then we can ask the prover to pass the captcha twice (in series) to reduce the best computer program's success probability to 0.01.

3 Two AI Problem Families

In this section we introduce two families of AI problems that can be used to construct captchas. The section can be viewed as a precise statement of the kind of hardness assumptions that our cryptographic protocols are based on. We stress that solutions to the problems will also be shown to be useful.

For the purposes of this paper, we define an image as an h × w matrix (h for height and w for width) whose entries are pixels. A pixel is defined as a triple of integers (R, G, B), where 0 ≤ R, G, B ≤ M for some constant M. An image transformation is a function that takes as input an image and outputs another image (not necessarily of the same width and height). Examples of image transformations include: turning an image into its black-and-white version, changing its size, etc.

Let I be a distribution on images and T be a distribution on image transformations. We assume for simplicity that if i, i′ ∈ [I] and i ≠ i′, then t(i) ≠ t′(i′) for any t, t′ ∈ [T]. (Recall that [I] denotes the support of I.)
**

Problem Family (P1). Consider the following experiment: choose an image i ← I and choose a transformation t ← T; output t(i). P1_{I,T} consists of writing a program that takes t(i) as input and outputs i (we assume that the program has precise knowledge of T and I). More formally, let S_{I,T} = {t(i) : t ∈ [T] and i ∈ [I]}, let D_{I,T} be the distribution on S_{I,T} that results from performing the above experiment, and let f_{I,T} : S_{I,T} → [I] be such that f_{I,T}(t(i)) = i. Then P1_{I,T} = (S_{I,T}, D_{I,T}, f_{I,T}).

Problem Family (P2). In addition to the distributions I and T, let L be a finite set of "labels". Let λ : [I] → L compute the label of an image. The set of problem instances is S_{I,T} = {t(i) : t ∈ [T] and i ∈ [I]}, and the distribution on instances D_{I,T} is the one induced by choosing i ← I and t ← T. Define g_{I,T,λ} so that g_{I,T,λ}(t(i)) = λ(i). Then P2_{I,T,λ} = (S_{I,T}, D_{I,T}, g_{I,T,λ}) consists of writing a program that takes t(i) as input and outputs λ(i).
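The generation experiment behind both families can be sketched in a few lines. Everything here is a toy stand-in (uniform sampling for I and T, arbitrary Python objects for images, a hypothetical label function), not part of the formal definitions:

```python
import random

def make_instance(images, transforms, label_of, rng=random):
    """Sample one P1/P2 instance: draw i <- I and t <- T (modeled here as
    uniform choices over explicit lists), and return the challenge t(i)
    together with the P1 answer f(t(i)) = i and the P2 answer g(t(i)) = lambda(i)."""
    i = rng.choice(images)       # i <- I
    t = rng.choice(transforms)   # t <- T
    return t(i), i, label_of(i)
```

A P1 solver must recover the second component from the first alone; a P2 solver only needs the third.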

Remarks

1. Note that a (δ, τ) solution A to an instance of P1 also yields a (δ′, τ + τ′) solution to an instance of P2 (where δ′ ≥ δ and τ′ ≤ log |[I]| is the time that it takes to compute λ), specifically, by computing λ(A(x)). However, this may be unsatisfactory for small δ, and we might hope to do better by restricting to a smaller set of labels. Conversely, P1 can be seen as a special case of P2 with λ the identity function and L = [I]. Formally, problem families P1 and P2 can be shown to be isomorphic. Nonetheless, it is useful to make a distinction here because in some applications it appears unnatural to talk about labels.

2. We stress that in all the instantiations of P1 and P2 that we consider, I, T, and, in the case of P2, λ, will be such that humans have no problem solving P1_{I,T} and P2_{I,T,λ}. That is, [T] is a set of transformations that humans can easily undo in [I]. Additionally, it has to be possible to perform all the transformations in [T] using current computer programs.

3. There is nothing specific to images about these problem definitions; any other space of objects which humans recognize under reasonable transformations (e.g., organized sounds such as music or speech, animations, et cetera) could be substituted without changing our results.

4. It is easy to build a (δ_I, τ_I)-solution to P1_{I,T}, where δ_I = max{Pr_{j←I}[j = i] : i ∈ [I]} and τ_I is the time that it takes to describe an element of [I], by always guessing the image with the highest probability in I. Similarly, it is easy to build a (δ_{I,λ}, τ_{I,λ})-solution to P2_{I,T,λ}, where δ_{I,λ} = max{Pr_{j←I}[λ(j) = λ(i)] : i ∈ [I]} and τ_{I,λ} is the time that it takes to describe a label in L. Therefore, we restrict our attention to finding solutions to P1_{I,T} where δ > δ_I and solutions to P2_{I,T,λ} where δ > δ_{I,λ}.
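These trivial baselines are easy to compute from the distribution itself. A minimal sketch, under the illustrative assumption that I is given as an explicit probability table:

```python
from collections import Counter

def delta_i(image_probs):
    """delta_I: success of the P1 baseline that always guesses
    the most likely image under I."""
    return max(image_probs.values())

def delta_i_lambda(image_probs, label_of):
    """delta_{I,lambda}: success of the P2 baseline that always guesses
    the label with the largest total probability mass under I."""
    mass = Counter()
    for img, p in image_probs.items():
        mass[label_of(img)] += p
    return max(mass.values())
```

Any candidate solver is only interesting if it beats these two numbers.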

Hard Problems in P1 and P2

We believe that P1 and P2 contain several hard problems. For example, the captcha shown in Section 1 (and other captchas based on the difficulty of reading slightly distorted text) could be defeated using solutions to P2. To see this, let W be a set of images of words in different fonts. All the images in W should be undistorted and contain exactly one word each. Let I_W be a distribution on W, let T_W be a distribution on image transformations, and let λ_W map an image to the word that is contained in it. A solution to P2_{I_W,T_W,λ_W} is a program that can defeat a captcha such as the one that Yahoo! uses (assuming T_W is the same set of transformations they use). So the problem of determining the word in a distorted image is an instantiation of P2 (it can easily be seen to be an instantiation of P1 too). Reading slightly distorted text has been an open problem in machine vision for quite some time. (For a good overview of the difficulties of reading slightly distorted text, see [12].)

But P1 and P2 are much more general, and reading slightly distorted text is a somewhat easy instance of these problems. In general it will not be the case that the problem is reduced to matching 26 · 2 + 10 different characters (upper- and lowercase letters plus the digits).

The hardness of problems in P1 and P2 mostly relies on T. In particular, it should be computationally infeasible to enumerate all of the elements of [T], since I will normally be such that enumeration of [I] is feasible. Thus we are mainly interested in (δ, τ) solutions where τ ≪ |[T]|, while τ > |[I]| may sometimes be acceptable. In addition to the size of the transformation set, the character of the transformations is also important: it is necessary to defeat many simple checks such as color histogram comparisons, frequency domain checks, etc.

Since instantiations of P1 and P2 have never been precisely stated and published as challenges to the AI and security communities, there is no way to tell if they will withstand the test of time. For now we refer the reader to www.captcha.net for examples of I's and T's which are believed to be good candidates. Any instantiation of P1 and P2 for security purposes requires that the precise I and T be published and thoroughly described.

4 Two Families of captchas

We now describe two families of captchas whose security is based on the hardness of problems in P1 and P2. Notice that if P1_{I,T} is (δ, τ)-hard then P1_{I,T} can be used to construct a captcha trivially: the verifier simply gives the prover t(i) and asks the prover to output i. According to our definition, this would be a perfectly valid captcha. However, it would also be a very impractical one: if [I] is large, then humans would take a long time to answer. The captchas we present in this section can be quickly answered by humans. The first family of captchas, matcha, is somewhat impractical, but the second family, pix, is very practical and in fact several instantiations of it are already in use.

4.1 MATCHA

A matcha instance is described by a triple M = (I, T, τ), where I is a distribution on images and T is a distribution on image transformations that can be easily computed using current computer programs. matcha is a captcha with the following property: any program that has high success over M can be used to solve P1_{I,T}.

The matcha verifier starts by choosing a transformation t ← T. It then flips a fair unbiased coin. If the result is heads, it picks k ← I and sets (i, j) = (k, k). If the result is tails, it picks j ← I and i ← U([I] − {j}), where U(S) is the uniform distribution on the set S. The matcha verifier sends the prover (i, t(j)) and sets a timer to expire in time τ; the prover responds with res ∈ {0, 1}. Informally, res = 1 means that i = j, while res = 0 means that i ≠ j. If the verifier's timer expires before the prover responds, the verifier rejects. Otherwise, the verifier makes a decision based on the prover's response res and whether i is equal to j:

– If i = j and res = 1, then matcha accepts.
– If i = j and res = 0, then matcha rejects.
– If i ≠ j and res = 1, then matcha rejects.
– If i ≠ j and res = 0, then matcha plays another round.

In the last case, matcha starts over (with a fresh new set of random coins): it flips another fair unbiased coin, picks another pair of images (i, j) depending on the outcome of the coin, etc.
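The round logic can be sketched directly in code. This is a simplification: the timer is omitted, [I] is modeled as a finite list with j drawn uniformly as a stand-in for the distribution I, and T as a sampler function:

```python
import random

def matcha_round(images, sample_t, prover, rng=random):
    """One round of the matcha verifier (timer omitted). `prover(i, tj)`
    answers res in {0, 1}. Returns "accept", "reject", or "again"."""
    t = sample_t(rng)
    if rng.random() < 0.5:                 # heads: matching pair, i = j
        k = rng.choice(images)             # k <- I
        i, j = k, k
    else:                                  # tails: non-matching pair
        j = rng.choice(images)             # j <- I
        i = rng.choice([x for x in images if x != j])  # i <- U([I] - {j})
    res = prover(i, t(j))                  # prover sees (i, t(j)) only
    if i == j:
        return "accept" if res == 1 else "reject"
    return "reject" if res == 1 else "again"

def matcha_verify(images, sample_t, prover, rng=random):
    """Play rounds with fresh randomness until matcha accepts or rejects."""
    while True:
        outcome = matcha_round(images, sample_t, prover, rng)
        if outcome != "again":
            return outcome
```

A prover that correctly decides whether t(j) is a transformation of i is always accepted; an always-res = 1 prover is accepted exactly when the coin lands heads, matching the 1/2 baseline discussed below.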

Remarks

1. It is quite easy to write a computer program that has success probability 1/2 over matcha by simply answering with res = 1. For most applications, a distinguishing probability of 1/2 is unacceptable. In order for matcha to be of practical use, the test has to be repeated several times.

2. Our description of matcha contains an obvious asymmetry: when i = j, matcha presents the prover with (i, t(i)) for i ← I, and when i ≠ j matcha presents (i, t(j)), where i is chosen uniformly from the set [I] − {j}. This gives the prover a simple strategy to gain advantage over M: if i seems to come from I, guess that t(j) is a transformation of i; otherwise guess that it isn't. The reason for the asymmetry is to make the proof of Lemma 1 easier to follow. We note that a stronger captcha can be built by choosing i from the distribution I restricted to the set [I] − {j}.

3. The intuition for why matcha plays another round when i ≠ j and res = 0 is that we are trying to convert high success against matcha into high success in solving P1; a program that solves P1 by comparing t(j) to every image in [I] will find that most of the images in [I] are different from t(j).

4. In the following Lemma we assume that a program with high success over M always terminates with a response in time at most τ. Any program which does not satisfy this requirement can be rewritten into one which does, by stopping after τ time and sending the response 1, which never decreases the success probability. We also assume that the unit of time that matcha uses is the same as one computational step.

Lemma 1. Any program that has success greater than η over M = (I, T, τ) can be used to (δ, τ|[I]|)-solve P1_{I,T}, where

δ ≥ η / (1 + 2|[I]|(1 − η)).

Proof. Let B be a program that runs in time at most τ and has success σ_B ≥ η over M. Using B we construct a program A^B that is a (δ, τ|[I]|)-solution to P1_{I,T}.

The input to A^B will be an image, and the output will be another image. On input j, A^B will loop over the entire database of images of M (i.e., the set [I]), each time feeding B the pair of images (i, j), where i ∈ [I]. Afterwards, A^B collects all the images i ∈ [I] on which B returned 1 (i.e., all the images in [I] that B thinks j is a transformation of). Call the set of these images S. If S is empty, then A^B returns an element chosen uniformly from [I]. Otherwise, it picks an element of S uniformly at random.

We show that A^B is a (δ, τ|[I]|)-solution to P1. Let p_0 = Pr_{T,I,r}[B_r(i, t(i)) = 0] and let p_1 = Pr_{T,j←I,i,r}[B_r(i, t(j)) = 1]. Note that

Pr_{r,r′}[⟨M_r, B_{r′}⟩ = reject] = 1 − σ_B = p_0/2 + (p_1 + (1 − p_1)(1 − σ_B))/2 = (p_0 + p_1)/(1 + p_1),

which gives σ_B ≤ 1 − p_0 and p_1 ≤ 2(1 − σ_B). Hence:

Pr_{T,I,r}[A^B_r(t(j)) = j]
  ≥ Σ_{s=1}^{n} Pr_{T,I,r}[A^B_r(t(j)) = j | |S| = s] · Pr_{T,I}[|S| = s]   (1)
  = Σ_{s=1}^{n} ((1 − p_0)/s) · Pr_{T,I}[|S| = s]   (2)
  ≥ (1 − p_0) / E_{T,I}[|S|]   (3)
  ≥ (1 − p_0) / (1 + |[I]| p_1)   (4)
  ≥ σ_B / (1 + 2|[I]|(1 − σ_B))   (5)

(2) follows by the definition of the procedure A^B, (3) follows by Jensen's inequality and the fact that f(x) = 1/x is convex, (4) follows because

E_{T,I}[|S|] ≤ 1 + Σ_{i≠j} Pr_{I,r}[B_r(i, t(j)) = 1],

and (5) follows by the inequalities for p_0, p_1 and σ_B given above. This completes the proof.
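The procedure A^B from the proof is easy to phrase as code. The sketch below assumes B is given as a function and [I] as an explicit list (toy stand-ins, with identity transformations in the usage example):

```python
import random

def a_from_b(images, b, rng=random):
    """Construct A^B for P1: on input a transformed image tj, feed B every
    pair (i, tj) with i in [I], collect the set S of images B accepts, and
    answer with a uniform element of S (or of [I] if S is empty)."""
    def a(tj):
        s = [i for i in images if b(i, tj) == 1]  # images B thinks tj came from
        return rng.choice(s if s else images)
    return a
```

With a perfect B and identity transformations, A^B inverts the instance exactly; the Lemma quantifies how much of B's advantage survives when B is merely better than guessing.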

Theorem 1. If P1_{I,T} is (δ, τ|[I]|)-hard and M = (I, T, τ) is (α, β)-human executable, then M is an (α, β, (1 + 2|[I]|)δ / (1 + 2|[I]|δ))-captcha.

4.2 PIX

An instance P2_{I,T,λ} can sometimes be used almost directly as a captcha. For instance, if I is a distribution over images containing a single word and λ maps an image to the word contained in it, then P2_{I,T,λ} can be used directly as a captcha. Similarly, if all the images in [I] are pictures of simple concrete objects and λ maps an image to the object that is contained in the image, then P2_{I,T,λ} can be used as a captcha.

Formally, a pix instance is a tuple X = (I, T, L, λ, τ). The pix verifier works as follows. First, V draws i ← I and t ← T. V then sends to P the message (t(i), L), and sets a timer for τ. P responds with a label l ∈ L. V accepts if l = λ(i) and its timer has not expired, and rejects otherwise.
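The pix verifier is simple enough to sketch end to end. The distributions are again modeled as plain sampler functions and the timer as a wall-clock check (illustrative assumptions, not part of the formal definition):

```python
import time

def pix_verify(draw_image, draw_transform, labels, label_of, tau, prover):
    """One run of the pix verifier: send (t(i), L) to the prover and accept
    iff the returned label equals lambda(i) and arrives within tau seconds."""
    i = draw_image()                    # i <- I
    t = draw_transform()                # t <- T
    start = time.monotonic()
    answer = prover(t(i), labels)       # prover sees only t(i) and the label set L
    on_time = (time.monotonic() - start) <= tau
    return answer == label_of(i) and on_time
```

Note that the verifier never reveals i itself, only the transformed image and the (public) label set.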

Theorem 2. If P2_{I,T,λ} is (δ, τ)-hard and X = (I, T, L, λ, τ) is (α, β)-human executable, then X is an (α, β, δ)-captcha.

Various instantiations of pix are in use at major internet portals, like Yahoo! and Hotmail. Other less conventional ones, like Animal-PIX, can be found at www.captcha.net. Animal-PIX presents the prover with a distorted picture of a common animal (like the one shown below) and asks it to choose between twenty different possibilities (monkey, horse, cow, et cetera).

Fig. 2. Animal-Pix.

5 An Application: Robust Image-Based Steganography

We detail a useful application of (δ, τ)-solutions to instantiations of P1 and P2 (other than reading slightly distorted text, which was mentioned before). We hope to convey by this application that our problems were not chosen just because they can create captchas but because they in fact have applications related to security. Our problems also serve to illustrate that there is a need for better AI in security as well. Areas such as Digital Rights Management, for instance, could benefit from better AI: a program that can find slightly distorted versions of original songs or images on the world wide web would be a very useful tool for copyright owners.

There are many applications of solutions to P1 and P2 that we don't mention here. P1, for instance, is interesting in its own right, and a solution for the instantiation where I is a distribution on images of works of art would benefit museum curators, who often have to answer questions such as "what painting is this a photograph of?"

Robust Image-Based Steganography.

Robust Steganography is concerned with the problem of covertly communicating messages on a public channel which is subject to modification by a restricted adversary. For example, Alice may have some distribution on images which she is allowed to draw from and send to Bob; she may wish to communicate additional information with these pictures, in such a way that anyone observing her communications cannot detect this additional information. The situation may be complicated by an adversary who transforms all transmitted images in an effort to remove any hidden information. In this section we will show how to use (δ, τ)-solutions to instantiations of P1_{I,T} or P2_{I,T,λ} to implement a secure robust steganographic protocol for image channels with distribution I, when the adversary chooses transformations from T. Note that if we require security for arbitrary I, T, we will require a (δ, τ)-solution to P1 for arbitrary I, T; if no solution works for arbitrary (I, T), this implies the existence of specific I, T for which P1 is still hard. Thus either our stegosystem can be implemented by computers for arbitrary image channels or there is a (non-constructive) hard AI problem that can be used to construct a captcha.

The results of this subsection can be seen as providing an implementation of the "supraliminal channel" postulated by Craver [6]. Indeed, Craver's observation that the adversary's transformations should be restricted to those which do not significantly impact human interpretation of the images (because the adversary should not unduly burden "innocent" correspondents) is what leads to the applicability of our hard AI problems.

Steganography Definitions

Fix a distribution over images I, and a set of keys K. A steganographic protocol or stegosystem for I is a pair of efficient probabilistic algorithms (SE, SD) where SE : K × {0, 1} → [I]^ℓ and SD : K × [I]^ℓ → {0, 1}, which have the additional property that Pr_{K,r,r'}[SD_{r'}(K, SE_r(K, σ)) ≠ σ] is negligible (in ℓ and |K|) for any σ ∈ {0, 1}. We will describe a protocol for transmitting a single bit σ ∈ {0, 1}, but it is straightforward to extend our protocol and proofs by serial composition to any message in {0, 1}^∗ with at most linear decrease in security.

Definition 6. A stegosystem is steganographically secret for I if the distributions {SE_r(K, σ) : K ← K, r ← {0, 1}^∗} and I^ℓ are computationally indistinguishable for any σ ∈ {0, 1}.

Steganographic secrecy ensures that an eavesdropper cannot distinguish traffic produced by SE from I^ℓ. Alice, however, is worried about a somewhat malicious adversary who transforms the images she transmits to Bob. This adversary is restricted by the fact that he must transform the images transmitted between many pairs of correspondents, and may not transform them in ways so that they are unrecognizable to humans, since he may not disrupt the communications of legitimate correspondents. Thus the adversary's actions, on seeing the image i, are restricted to selecting some transformation t according to a distribution T, and replacing i by t(i). Denote by t_{1…ℓ} ← T^ℓ the action of independently selecting ℓ transformations according to T, and denote by t_{1…ℓ}(i_{1…ℓ}) the action of applying the ℓ transformations to ℓ images element-wise.

Definition 7. A stegosystem (SE, SD) is steganographically robust against T if it is steganographically secret and

    Pr_{t_{1…ℓ}←T^ℓ, r, r', K}[SD_{r'}(K, t_{1…ℓ}(SE_r(K, σ))) ≠ σ]

is negligible (in |K| and ℓ) for any σ ∈ {0, 1}.

Let F : K × {1, …, ℓ} × L → {0, 1} be a pseudorandom function family. We assume that λ : [I] → L is efficiently computable and that A : S_{P2} → L is a (δ, τ)-solution to P2_{I,T,λ} as defined above (recall that P1 is a special case of P2), i.e., A operates in time τ and

    Pr_{t,i,r}[A_r(t(i)) = λ(i)] ≥ δ.

Let c = Pr_{i,j←I}[λ(i) = λ(j)]. We require that c < 1 (that is, we require that there is enough variability in the labels of the images to be useful for communication). Notice that L can simply be equal to [I] and λ can be the identity function (in case the images in [I] have no labels, as in P1). We prove in the Appendix that the following construction is an efficient, robust stegosystem for T.

Construction 1

Procedure SE:
Input: K ∈ K, σ ∈ {0, 1}
for j = 1 … ℓ do
    draw d_0 ← I, d_1 ← I
    if F_K(j, λ(d_0)) = σ then
        set i_j = d_0
    else
        set i_j = d_1
Output: i_1, i_2, …, i_ℓ

Procedure SD:
Input: K ∈ K, i_{1…ℓ} ∈ [I]^ℓ
for j = 1 … ℓ do
    set σ_j = F_K(j, A(i_j))
Output: majority(σ_1, …, σ_ℓ)
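For concreteness, here is a minimal executable sketch of Construction 1 (our illustration, not the paper's code): the PRF is instantiated with HMAC-SHA256 and the solver A is replaced by the true labeling function, i.e., a perfect (1, τ)-solution, on a toy channel whose "images" are digits.

```python
import hmac
import hashlib
import random
from collections import Counter

def F(K, j, label):
    """Stand-in PRF F_K(j, label) -> {0,1}, built from HMAC-SHA256 (an
    assumption of this sketch; the paper only requires F be pseudorandom)."""
    mac = hmac.new(K, f"{j}|{label}".encode(), hashlib.sha256).digest()
    return mac[0] & 1

def SE(K, sigma, draw_image, label_of, ell):
    """Encode the bit sigma as ell images, as in Construction 1."""
    out = []
    for j in range(ell):
        d0, d1 = draw_image(), draw_image()
        # send d0 if its label already encodes sigma under F_K, else send d1
        out.append(d0 if F(K, j, label_of(d0)) == sigma else d1)
    return out

def SD(K, images, solver):
    """Decode by majority vote over the per-image bits F_K(j, A(i_j))."""
    bits = [F(K, j, solver(img)) for j, img in enumerate(images)]
    return Counter(bits).most_common(1)[0][0]

# Toy channel: "images" are digits, labels are the digits themselves, and the
# solver recovers labels perfectly; each position then carries the intended
# bit with probability about 3/4, so the majority is right w.h.p.
K = b"shared-secret-key"
draw_image = lambda: random.randrange(10)
label_of = lambda img: img

stego_images = SE(K, 1, draw_image, label_of, ell=201)
print(SD(K, stego_images, label_of))
```

With an imperfect solver (δ < 1) the per-position advantage shrinks to (δ/4)(1 − c), which is exactly why ℓ must grow as δ falls.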

Proposition 1. Construction 1 is steganographically secret and robust for I, T.

The proof of Proposition 1 is similar in flavor to those of Hopper, Langford and von Ahn [7] and relies on the fact that when A returns the correct solution on the received image i_j, the recovered bit σ_j is equal to the intended bit σ with probability approximately 1/2 + (1/4)(1 − c), and otherwise σ_j = σ with probability 1/2; therefore the probability that the majority of the σ_j are incorrect is negligible in ℓ. For details, see the Appendix.
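To get a feel for the parameters, a quick calculation (ours, not the paper's) of the per-position success probability ρ = 1/2 + (δ/4)(1 − c) and the resulting Hoeffding/Chernoff-style bound exp(−2ℓ(ρ − 1/2)²) on the majority decoding failing:

```python
import math

def per_bit_success(delta, c):
    """rho = 1/2 + (delta/4)(1 - c): probability that sigma_j equals sigma."""
    return 0.5 + (delta / 4.0) * (1.0 - c)

def majority_failure_bound(delta, c, ell):
    """Hoeffding bound exp(-2*ell*(rho - 1/2)^2) on the majority of the
    sigma_j being wrong, given independent per-position successes."""
    rho = per_bit_success(delta, c)
    return math.exp(-2 * ell * (rho - 0.5) ** 2)

# e.g. a solver with delta = 0.8 on a channel with label-collision rate c = 0.05
print(per_bit_success(0.8, 0.05))
print(majority_failure_bound(0.8, 0.05, 200))
```

Already at ℓ = 200 the failure bound for these (hypothetical) parameters is well below 10⁻⁵.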

Remarks

1. Better solutions to P2_{I,T,λ} imply more efficient stegosystems: if δ is larger, then ℓ can be smaller and fewer images need to be transmitted to send a bit secretly and robustly.
2. Since we assume that P2_{I,T,λ} (or, as the case may be, P1_{I,T}) is easy for humans, our protocol could be implemented as a cooperative effort between the human recipient and the decoding procedure (without the need for a solution to P1_{I,T} or P2_{I,T,λ}). However, decoding each bit of the secret message will require classifying many images, so a human would likely fail to complete the decoding well before any sizeable hidden message could be extracted (this is especially true in case we are dealing with P1_{I,T} and a large set [I]: a human would have to search the entire set [I] as many as ℓ times for each transmitted bit). Thus, to be practical, a (δ, τ)-solution (for small τ) to P1_{I,T} or P2_{I,T,λ} will be required.

6 Discussion and Closing Remarks

Interaction with the AI community

A primary goal of the captcha project is to serve as a challenge to the Artiﬁcial

Intelligence community. We believe that having a well-speciﬁed set of goals will

contribute greatly to the advancement of the ﬁeld. A good example of this process

is the recent progress in reading distorted text images driven by the captcha in

use at Yahoo!. In response to the challenge provided by this test, Malik and Mori

[9] have developed a program which can pass the test with probability roughly

0.8. Despite the fact that this captcha has no formal proof that a program

which can pass it can read under other distributions of image transformations,

Malik and Mori claim that their algorithm represents signiﬁcant progress in

the general area of text recognition; it is encouraging to see such progress. For

this reason, it is important that even Automated Turing Tests without formal

reductions attempt to test ability in general problem domains; and even though

these tests may have speciﬁc weaknesses it is also important that AI researchers

attempting to pass them strive for solutions that generalize.

Other AI problem domains

The problems deﬁned in this paper are both of a similar character, and deal with

the advantage of humans in sensory processing. It is an open question whether

captchas in other areas can be constructed. The construction of a captcha

based on a text domain such as text understanding or generation is an important

goal for the project (as captchas based on sensory abilities can’t be used on

sensory-impaired human beings). As mentioned earlier, the main obstacle to

designing these tests seems to be the similar levels of program ability in text

generation and understanding.

Logic problems have also been suggested as a basis for captchas, and these present similar difficulties, as generation seems to be difficult. One possible source of logic problems is the set proposed by Bongard [4] in the 70s; indeed, [1] presents a test based on this problem set. However, recent progress in AI has also yielded programs which solve these problems with very high success probability, exceeding that of humans.

Conclusion

We believe that the ﬁelds of cryptography and artiﬁcial intelligence have much to

contribute to one another. captchas represent a small example of this possible

symbiosis. Reductions, as they are used in cryptography, can be extremely useful

for the progress of algorithmic development. We encourage security researchers

to create captchas based on diﬀerent AI problems.

Acknowledgments

We are grateful to Udi Manber for his suggestions. We also thank Lenore Blum,

Roni Rosenfeld, Brighten Godfrey, Moni Naor, Henry Baird and the anonymous

Eurocrypt reviewers for helpful discussions and comments. This work was par-

tially supported by the National Science Foundation (NSF) grants CCR-0122581

and CCR-0085982 (The Aladdin Center). Nick Hopper is also partially supported

by an NSF graduate research fellowship.

References

1. Luis von Ahn, Manuel Blum, Nicholas J. Hopper and John Langford. The

CAPTCHA Web Page: http://www.captcha.net. 2000.

2. Luis von Ahn, Manuel Blum and John Langford. Telling Humans and Computers

Apart (Automatically) or How Lazy Cryptographers do AI. To appear in Commu-

nications of the ACM.

3. Mihir Bellare, Russell Impagliazzo and Moni Naor. Does Parallel Repetition Lower

the Error in Computationally Sound Protocols? In 38th IEEE Symposium on Foun-

dations of Computer Science (FOCS’ 97), pages 374-383. IEEE Computer Society,

1997.

4. Mikhail M. Bongard. Pattern Recognition. Spartan Books, Rochelle Park NJ, 1970.

5. A. L. Coates, H. S. Baird, and R. J. Fateman. Pessimal Print: A Reverse Turing

Test. In Proceedings of the International Conference on Document Analysis and

Recognition (ICDAR’ 01), pages 1154-1159. Seattle WA, 2001.

6. Scott Craver. On Public-key Steganography in the Presence of an Active Warden.

In Proceedings of the Second International Information Hiding Workshop, pages

355-368. Springer, 1998.

7. Nicholas J. Hopper, John Langford and Luis von Ahn. Provably Secure Steganog-

raphy. In Advances in Cryptology, CRYPTO’ 02, volume 2442 of Lecture Notes in

Computer Science, pages 77-92. Santa Barbara, CA, 2002.

8. M. D. Lillibridge, M. Abadi, K. Bharat, and A. Broder. Method for selectively

restricting access to computer systems. US Patent 6,195,698. Applied April 1998

and Approved February 2001.

9. Greg Mori and Jitendra Malik. Breaking a Visual CAPTCHA.

Unpublished Manuscript, 2002. Available electronically:

http://www.cs.berkeley.edu/~mori/gimpy/gimpy.pdf.

10. Moni Naor. Veriﬁcation of a human in the loop or Identiﬁcation via

the Turing Test. Unpublished Manuscript, 1997. Available electronically:

http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.ps.

11. Benny Pinkas and Tomas Sander. Securing Passwords Against Dictionary Attacks.

In Proceedings of the ACM Computer and Security Conference (CCS’ 02), pages

161-170. ACM Press, November 2002.

12. S. Rice, G. Nagy, and T. Nartker. Optical Character Recognition: An Illustrated

Guide to the Frontier. Kluwer Academic Publishers, Boston, 1999.

13. Adi Shamir and Eran Tromer. Factoring Large Numbers with the

TWIRL Device. Unpublished Manuscript, 2003. Available electronically:

http://www.cryptome.org/twirl.ps.gz.

14. J. Xu, R. Lipton and I. Essa. Hello, are you human. Technical Report GIT-CC-

00-28, Georgia Institute of Technology, November 2000.

A Proof of Proposition 1

Lemma 1. Construction 1 is steganographically secret.

Proof. Consider for any 1 ≤ j ≤ ℓ and x ∈ [I] the probability ρ^j_x that i_j = x, i.e., ρ^j_x = Pr[i_j = x]. The image x is returned in the jth step only under one of the following conditions:

1. D_0: d_0 = x and F_K(j, λ(d_0)) = σ; or
2. D_1: d_1 = x and F_K(j, λ(d_0)) = 1 − σ.

Note that these events are mutually exclusive, so that ρ^j_x = Pr[D_0] + Pr[D_1]. Suppose that we replace F_K by a random function f : {1, …, ℓ} × L → {0, 1}. Then we have that Pr_{f,d_0}[D_0] = (1/2) Pr_I[x] by independence of f and d_0, and Pr_{f,d_1}[D_1] = (1/2) Pr_I[x], by the same reasoning. Thus ρ^j_x = Pr_I[x] when F_K is replaced by a random function. Further, for a random function the i_j are all independent. Thus for any σ ∈ {0, 1} we see that SE(K, σ) and I^ℓ are computationally indistinguishable, by the pseudorandomness of F.

Lemma 2. Construction 1 is steganographically robust for T.

Proof. Suppose we prove a constant bound ρ > 1/2 such that for all j, Pr[σ_j = σ] > ρ. Then by a Chernoff bound we will have that Pr[majority(σ_1, …, σ_ℓ) ≠ σ] is negligible in ℓ, proving the lemma.

Consider replacing F_K, for a random K, with a randomly chosen function f : {1, …, ℓ} × L → {0, 1} in SE, SD. We would like to assess the probability ρ_j = Pr[σ_j = σ]. Let A_j be the event A(i_j) = λ(i_j), let Ā_j be the event A(i_j) ≠ λ(i_j), and write λ(d^j_b) as l^j_b. We have the following:

    Pr_{f,i_j,t}[σ_j = σ]
      = Pr[σ_j = σ | A_j] Pr[A_j] + Pr[σ_j = σ | Ā_j] Pr[Ā_j]   (6)
      = δ Pr[σ_j = σ | A_j] + (1/2)(1 − δ)   (7)
      = δ Pr[f(j, l^j_0) = σ or (f(j, l^j_0) = 1 − σ and f(j, l^j_1) = σ)] + (1 − δ)/2   (8)
      = δ(1/2 + Pr[f(j, l^j_0) = 1 − σ and f(j, l^j_1) = σ and l^j_0 ≠ l^j_1]) + (1 − δ)/2   (9)
      = δ(1/2 + (1/4)(1 − c)) + (1 − δ)/2   (10)
      = 1/2 + (δ/4)(1 − c)   (11)

Here (7) follows because if A(i_j) = l ≠ λ(i_j) then Pr_f[f(j, l) = σ] = 1/2, and (8) follows because if A(i_j) = λ(i_j), then f(j, A(i_j)) = σ iff f(j, λ(i_j)) = σ; the expression results from expanding the event f(j, λ(i_j)) = σ with the definition of i_j in the encoding routine.

For any constant δ > 0, a Chernoff bound implies that the probability of decoding failure is negligible in ℓ when F_K is a random function. Thus the pseudorandomness of F_K implies that the probability of decoding failure for Construction 1 is also negligible, proving the lemma.

– Free Email Services. Several companies (Yahoo!, Microsoft, etc.) offer free email services, most of which suffer from a specific type of attack: "bots" that sign up for thousands of email accounts every minute. This situation can be improved by requiring users to prove they are human before they can get a free email account. Yahoo!, for instance, uses a captcha of our design to prevent bots from registering for accounts. Their captcha asks users to read a distorted word such as the one shown below (current computer programs are not as good as humans at reading distorted text).

Fig. 1. The Yahoo! captcha.

– Search Engine Bots. Some web sites don't want to be indexed by search engines. There is an html tag to prevent search engine bots from reading web pages, but the tag doesn't guarantee that bots won't read the pages; it only serves to say "no bots, please". Search engine bots, since they usually belong to large companies, respect web pages that don't want to allow them in. However, in order to truly guarantee that bots won't enter a web site, captchas are needed.

– Worms and Spam. captchas also offer a plausible solution against email worms and spam: only accept an email if you know there is a human behind the other computer. A few companies, such as www.spamarrest.com, are already marketing this idea.

– Preventing Dictionary Attacks. Pinkas and Sander [11] have suggested using captchas to prevent dictionary attacks in password systems. The idea is simple: prevent a computer from being able to iterate through the entire space of passwords by requiring a human to type the passwords.

The goals of this paper are to lay a solid theoretical foundation for captchas, to introduce the concept to the cryptography community, and to present several novel constructions.

Lazy Cryptographers Doing AI

Note that from a mechanistic point of view, there is no way to prove that a program cannot pass a test which a human can pass, since there is a program — the human brain — which passes the test. All we can do is to present evidence that it's hard to write a program that can pass the test. In this paper, we take an approach familiar to cryptographers: investigate state-of-the-art algorithmic developments having to do with some problem, assume that the adversary does

not have algorithms for that problem that are much better than the state-of-the-art algorithms, and then prove a reduction between passing a test and exceeding the performance of state-of-the-art algorithms. In the case of ordinary cryptography, it is assumed (for example) that the adversary cannot factor 1024-bit integers in any reasonable amount of time. In our case, we assume that the adversary cannot solve an Artificial Intelligence problem with higher accuracy than what's currently known to the AI community. This approach, if it achieves widespread adoption, has the beneficial side effect of inducing security researchers, as well as otherwise malicious programmers, to advance the field of AI (much like computational number theory has been advanced since the advent of modern cryptography).

A captcha is a cryptographic protocol whose underlying hardness assumption is based on an AI problem.

An important component of the success of modern cryptography is the practice of stating, very precisely and clearly, the assumptions under which cryptographic protocols are secure. This allows the rest of the community to evaluate the assumptions and to attempt to break them. In the case of Artificial Intelligence, it's rare for problems to be precisely stated, but using them for security purposes forces protocol designers to do so. We believe that precisely stating unsolved AI problems can accelerate the development of Artificial Intelligence: most AI problems that have been precisely stated and publicized have eventually been solved (take chess as an example). For this reason it makes practical sense for AI problems that are used for security purposes to also be useful. If the underlying AI problem is useful, a captcha implies a win-win situation: either the captcha is not broken and there is a way to differentiate humans from computers, or the captcha is broken and a useful AI problem is solved. Such is not the case for most other cryptographic assumptions: the primary reason algorithms for factoring large numbers are useful is because factoring has applications in cryptanalysis.

In this paper we will present constructions of captchas based on certain AI problems, and we will show that solving the captchas implies solving the AI problems. The AI problems we chose have several applications, and we will show that solutions to them can be used, among other things, for steganographic communication (see Section 5).

Related Work

The first mention of ideas related to "Automated Turing Tests" seems to appear in an unpublished manuscript by Moni Naor [10]. This excellent manuscript contains some of the crucial notions and intuitions, but gives no proposal for an Automated Turing Test, nor a formal definition. The first practical example of an Automated Turing Test was the system developed by Altavista [8] to prevent "bots" from automatically registering web pages. Their system was based on the difficulty of reading slightly distorted characters and worked well in practice,

but was only meant to defeat off-the-shelf Optical Character Recognition (OCR) technology. (Coates et al [5], inspired by our work, and Xu et al [14] developed similar systems and provided more concrete analyses.) In 2000 [1], we introduced the notion of a captcha as well as several practical proposals for Automated Turing Tests.

This paper is the first to conduct a rigorous investigation of Automated Turing Tests and to address the issue of proving that it is difficult to write a computer program that can pass the tests. This, in turn, leads to a discussion of using AI problems for security purposes, which has never appeared in the literature. We also introduce the first Automated Turing Tests not based on the difficulty of Optical Character Recognition. A related general interest paper [2] has been accepted by Communications of the ACM. That paper reports on our work, without formalizing the notions or providing security guarantees.

2 Definitions and Notation

Let C be a probability distribution. We use [C] to denote the support of C. If P(·) is a probabilistic program, we will denote by P_r(·) the deterministic program that results when P uses random coins r.

Let (P, V) be a pair of probabilistic interacting programs. We denote the output of V after the interaction between P and V with random coins u_1 and u_2, assuming this interaction terminates, by ⟨P_{u1}, V_{u2}⟩ (the subscripts are omitted in case the programs are deterministic). We call V the verifier or tester and any P which interacts with V the prover. A program V is called a test if for all P and u_1, u_2, the interaction between P_{u1} and V_{u2} terminates and ⟨P_{u1}, V_{u2}⟩ ∈ {accept, reject}.

Definition 1. Define the success of an entity A over a test V by

    Succ^V_A = Pr_{r,r'}[⟨A_r, V_{r'}⟩ = accept].

We assume that A can have precise knowledge of how V works; the only piece of information that A can't know is r', the internal randomness of V.

CAPTCHA

Intuitively, a captcha is a test V over which most humans have success close to 1, and for which it is hard to write a computer program that has high success over V. We will say that it is hard to write a computer program that has high success over V if any program that has high success over V can be used to solve a hard AI problem.

Definition 2. A test V is said to be (α, β)-human executable if at least an α portion of the human population has success greater than β over V.
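Definition 1 can be read operationally: Succ can be estimated by repeatedly running the interaction with fresh verifier coins. The sketch below is our own toy illustration (a parity-guessing game, not a captcha), with all names hypothetical:

```python
import random

def estimate_success(prover, verifier_challenge, verifier_grade, trials=20000, seed=0):
    """Monte Carlo estimate of Succ_V^A = Pr[<A_r, V_r'> = accept]."""
    rng = random.Random(seed)
    accepts = 0
    for _ in range(trials):
        r_v = rng.random()                   # the verifier's hidden coins r'
        challenge = verifier_challenge(r_v)
        accepts += bool(verifier_grade(r_v, prover(challenge)))
    return accepts / trials

# Toy test V: the verifier privately rolls a die and asks for the parity of
# the face; a prover that guesses at random succeeds about half the time.
verifier_challenge = lambda r_v: "what is the parity of my die roll?"
verifier_grade = lambda r_v, answer: answer == (int(r_v * 6) + 1) % 2
guessing_prover = lambda challenge: random.randint(0, 1)

print(estimate_success(guessing_prover, verifier_challenge, verifier_grade))
```

As the definitions require, the prover sees everything about the verifier except r'; its success is determined purely by that hidden randomness.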

and f : S → {0. such that if B has success greater than η over V then AB is a (δ. An AI problem P is said to be (δ. 1]. 2. we want some AI problems to be captured by it. running in time at most τ on any input from S. and the AI community agrees it is hard to ﬁnd such a solution. Although our deﬁnition says nothing about how long it should take a human to solve a captcha. for instance. 1}∗ answers the instances. A crucial characteristic of an AI problem is that a certain fraction of the human population be able to solve it. τ )-hard AI problem P and a program A. β)-human executable. the success of diﬀerent groups of humans might depend on their origin language or sensory disabilities: color-blind individuals. η)-captcha is a test V that is (α. β. and which has the following property: There exists a (δ.r Pr [Ar (x) = f (x)] ≥ δ . (Here AB is deﬁned to take into account B’s running time too. Deﬁnition 5.) We stress that V should be a program whose code is publicly available. We are not trying to capture all the problems that fall under the umbrella of Artiﬁcial Intelligence. τ ) solution to P. Deﬁnition 3. A (α. Also. τ )-solved if there exists a program A. More complex deﬁnitions can be substituted for Deﬁnition 3 and the rest of the paper remains unaﬀected. it is preferable for humans to be able to solve captchas in a very short time. We want the deﬁnition to be easy to understand. Deﬁnition 4. An AI problem is a triple P = (S. Let δ ∈ (0. τ ) solution to P. f ) should not be inspected with a philosophical eye. Prx←D [H(x) = f (x)] > δ.Notice that a statement of the form “V is (α. f ). D. τ ) solution to P. . β)-human executable” can only be proven empirically. (A is said to be a (δ. D is a probability distribution over the problem set S. Remarks 1.) P is said to be a (δ. Notice that we don’t impose a limit on how long it would take humans to solve the problem. where S is a set of problem instances. We require that for an α > 0 fraction of the humans H. 
such that x←D. All that we require is that some humans be able to solve it (even if we have to assume they will live hundreds of years to do so). captchas which take a long time for humans to solve are probably useless for all practical purposes. D. might have low success on tests that require the diﬀerentiation of colors. τ )-hard AI problem if no current program is a (δ. The case is not the same for captchas. The deﬁnition of an AI problem as a triple (S. and we want the AI community to agree that these are indeed hard AI problems.

AI Problems as Security Primitives

Notice that we define hard in terms of the consensus of a community: an AI problem is said to be hard if the people working on it agree that it's hard. This notion should not be surprising to cryptographers: the security of most modern cryptosystems is based on assumptions agreed upon by the community (e.g., we assume that 1024-bit integers can't be factored). The concept of a hard AI problem as a foundational assumption is, of course, more questionable than P ≠ NP, since many people in the AI community agree that all hard AI problems are eventually going to be solved. However, even if factoring is shown to be hard in an asymptotic sense, we believe that at some point we will have the computational power and algorithmic ability to factor 1024-bit integers. Moreover, hard AI problems may be a more reasonable assumption than the hardness of factoring, given the possibility of constructing a quantum computer. (Shamir and Tromer [13], for instance, have proposed a machine that could factor 1024-bit integers; the machine would cost about ten million dollars in materials.)

An important difference between popular cryptographic primitives and AI problems is the notion of a security parameter. If we believe that an adversary can factor 1024-bit integers, we can use 2048-bit integers instead. No such concept exists in hard AI problems. However, as long as there is a small gap between human and computer ability with respect to some problem, this problem can potentially be used as a primitive for security: rather than asking the prover to solve the problem once, we can ask it to solve the problem twice. If the prover gets good at solving the problem twice, we can ask it to solve the problem three times, etc.

AI problems, as we have defined them, do not deal with asymptotics. Compare this to encryption schemes: in many applications the information that is encrypted must remain confidential for years, and therefore the underlying problem must be hard against programs that run for a long time, and against programs that will be developed in the future. Most applications of captchas, by contrast, require the tests to be answered within a short time after they are presented. Moreover, picking a concrete value for the security parameter usually means making an assumption about current factoring algorithms: we only assume that current factoring algorithms that run in current computers can't factor 1024-bit integers. There is an additional factor that simplifies the use of hard AI problems as security primitives: if a new program solves the hard AI problems that are currently used, then a different set of problems can be used, and the new program cannot affect the security of applications that were run before it was developed.

We also note that not all hard AI problems can be used to construct a captcha.¹ In order for an AI problem to be useful for security purposes, there needs to be an automated way to generate problem instances along with their solution. The case is similar for computational problems: not all hard computational problems yield cryptographic primitives.

¹ We thank one of our anonymous Eurocrypt reviewers for pointing this out.

Who Knows What?

Our definitions imply that an adversary attempting to write a program that has high success over a captcha knows exactly how the captcha works. The only piece of information that is hidden from the adversary is a small amount of randomness that the verifier uses in each interaction. This choice greatly affects the nature of our definitions and makes the problem of creating captchas more challenging. We do not allow captchas to base their security in the secrecy of a database or a piece of code. Imagine an Automated Turing Test that owns a large secret book written in English and, to test an entity A, either picks a paragraph from its secret book or generates a paragraph using the best known text-generation algorithm, and then asks A whether the paragraph makes sense (the best text-generation algorithms cannot produce an entire paragraph that would make sense to a human being). Such an Automated Turing Test might be able to distinguish humans from computers (it is usually the case that the best text-generation algorithms and the best algorithms that try to determine whether something makes sense are tightly related). However, this test cannot be a captcha: an adversary with knowledge of the secret book could achieve high success against this test without advancing the algorithmic state of the art.

Gap Amplification

We stress that any positive gap between the success of humans and current computer programs against a captcha can be amplified to a gap arbitrarily close to 1 by serial repetition. Let V be an (α, β, η)-captcha, and let V^m_k be the test that results by repeating V m times in series (with fresh new randomness each time) and accepting only if the prover passes V more than k times. Then for any ε > 0 there exist m and k with 0 ≤ k ≤ m such that V^m_k is an (α, 1 − ε, ε)-captcha. Since captchas involve human use, it is desirable to find the smallest m possible. This can be done by solving the following optimization problem:

    min_m { ∃k : Σ_{i=k+1}^{m} C(m, i) β^i (1 − β)^{m−i} ≥ 1 − ε  and  Σ_{i=k+1}^{m} C(m, i) η^i (1 − η)^{m−i} ≤ ε }

In general, we will have m = O(1/(β − η)² ln(1/ε)) and sometimes much smaller. Notice that amplifying a gap can roughly be thought of as increasing the security parameter of a captcha: if the best computer program now has success 0.10 against a given captcha (for example), then we can ask the prover to pass the captcha twice (in series) to reduce the best computer program's success probability to 0.01.

The case for parallel repetition is more complicated and is addressed by Bellare, Impagliazzo and Naor in [3].
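For concrete β and η, the optimization above can be solved by brute force; the sketch below (our illustration, with C(m, i) the binomial coefficient) scans m upward and searches for a threshold k that separates the two binomial tails:

```python
from math import comb

def tail(m, k, p):
    """Pr[more than k successes in m independent trials with success prob p]."""
    return sum(comb(m, i) * p**i * (1 - p)**(m - i) for i in range(k + 1, m + 1))

def smallest_repetition(beta, eta, eps, m_max=1000):
    """Smallest m (with a witness threshold k) such that a beta-success human
    passes V_k^m with probability >= 1 - eps while an eta-success program
    passes with probability <= eps."""
    for m in range(1, m_max + 1):
        for k in range(m):
            if tail(m, k, beta) >= 1 - eps and tail(m, k, eta) <= eps:
                return m, k
    return None

# e.g. humans succeed with beta = 0.9 per round, programs with eta = 0.3
print(smallest_repetition(0.9, 0.3, 0.05))
```

For these (hypothetical) parameters, seven serial repetitions with a pass threshold above four rounds suffice.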

3 Two AI Problem Families

In this section we introduce two families of AI problems that can be used to construct captchas. The section can be viewed as a precise statement of the kind of hardness assumptions that our cryptographic protocols are based on. We stress that solutions to the problems will also be shown to be useful.

For the purposes of this paper, we define an image as an h × w matrix (h for height and w for width) whose entries are pixels. A pixel is defined as a triple of integers (R, G, B), where 0 ≤ R, G, B ≤ M for some constant M. An image transformation is a function that takes as input an image and outputs another image (not necessarily of the same width and height). Examples of image transformations include: turning an image into its black-and-white version, changing its size, etc.

Let I be a distribution on images and T be a distribution on image transformations. Consider the following experiment: choose an image i ← I and choose a transformation t ← T; output t(i). Let S_{I,T} = {t(i) : t ∈ [T] and i ∈ [I]}, and let D_{I,T} be the distribution on S_{I,T} that results from performing the above experiment; that is, D_{I,T} is the one induced by choosing i ← I and t ← T. (Recall that [I] denotes the support of I.) We assume for simplicity that if i, i′ ∈ [I] and i ≠ i′ then t(i) ≠ t′(i′) for any t, t′ ∈ [T]. Define g_{I,T} : S_{I,T} → [I] to be such that g_{I,T}(t(i)) = i.

Problem Family (P1). P1_{I,T} consists of writing a program that takes t(i) as input and outputs i (we assume that the program has precise knowledge of T and I). Formally, P1_{I,T} = (S_{I,T}, D_{I,T}, g_{I,T}).

Problem Family (P2). In addition to the distributions I and T, let L be a finite set of "labels", and let λ : [I] → L compute the label of an image. Define f_{I,T,λ} so that f_{I,T,λ}(t(i)) = λ(i). Then P2_{I,T,λ} consists of writing a program that takes t(i) as input and outputs λ(i). Formally, P2_{I,T,λ} = (S_{I,T}, D_{I,T}, f_{I,T,λ}).

Remarks

1. P1 can be seen as a special case of P2 with λ the identity function and L = [I]. Conversely, problem families P1 and P2 can be shown to be isomorphic. Note that a (δ, τ) solution A to an instance of P1 also yields a (δ′, τ + τ′) solution to an instance of P2 (where δ′ ≥ δ and τ′ ≤ log |[I]| is the time that it takes to compute λ): namely, computing λ(A(x)). However, this may be unsatisfactory for small δ, and, in the case of P2, we might hope to do better by restricting to a smaller set of labels. Nonetheless, it is useful to make a distinction here because in some applications it appears unnatural to talk about labels.

2. We stress that in all the instantiations of P1 and P2 that we consider, I and T will be such that humans have no problem solving P1_{I,T} and P2_{I,T,λ}; [T] is a set of transformations that humans

So the problem of determining the word in a distorted image is an instantiation of P2 (it can be easily seen to be an instantiation of P1 too). In particular.TW . and reading slightly distorted text is a somewhat easy instance of these problems. There is nothing speciﬁc to images about these problem deﬁnitions. Since instantiations of P1 and P2 have never been precisely stated and published as challenges to the AI and security communities. see [12].λ where δ > δI. the character of the transformations is also important: it is necessary to defeat many simple checks such as color histogram comparisons. Thus we are mainly interested in (δ. it has to be possible to perform all the transformations in [T ] using current computer programs. the captcha shown in Section 1 (and other captchas based on the diﬃculty of reading slightly distorted text) could be defeated using solutions to P2. et cetera) could be substituted without changing our results. The hardness of problems in P1 and P2 mostly relies on T . In addition to the size of the transformation set. τI )-solution to P1I. Similarly. any other space of objects which humans recognize under reasonable transformations (e.T . let TW be a distribution on image transformations. while τ > |[I]| may sometimes be acceptable.λW is a program that can defeat a captcha such as the one that Yahoo! uses (assuming TW is the same set of transformations they use). (For a good overview of the diﬃculties of reading slightly distorted text.λ )-solution to P2I. Additionally. τ ) solutions where τ |[T ]|. etc. it should be computationally infeasible to enumerate all of the elements of [T ].net for examples of I’s and T ’s which are believed to be good candidates.λ is the time that it takes to describe a label in L. organized sounds such as music or speech. since I will normally be such that enumeration of [I] is feasible. frequency domain checks.g.λ .can easily undo in [I]. τI.λ . For now we refer the reader to www. 4. 
where δI = max{Prj←I [j = i] : i ∈ [I]} and τI is the time that it takes to describe an element of [I]. Reading slightly distorted text has been an open problem in machine vision for quite some time. where δI. To see this.) But P1 and P2 are much more general. 3. All the images in W should be undistorted and contain exactly one word each. it is easy to build a (δI. . A solution to P2IW . we restrict our attention to ﬁnding solutions to P1I. let W be a set of images of words in diﬀerent fonts. animations. Hard Problems in P1 and P2 We believe that P1 and P2 contain several hard problems. Therefore.λ . It is easy to build a (δI . there is no way to tell if they will withstand the test of time.T .. by always guessing the image with the highest probability in I.captcha. and let λW map an image to the word that is contained in it.T . For example. Let IW be a distribution on W .T where δ > δI and solutions to P2I. In general it will not be the case that the problem is reduced to matching 26 ∗ 2 + 10 diﬀerent characters (upper and lowercase letters plus the digits).λ = max{Prj←I [λ(j) = λ(i)] : i ∈ [I]} and τI. Any instantiation of P1 and P2 for security purposes requires that the precise I and T be published and thoroughly described.
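The experiment defining P1 and P2 can be made concrete with a small sketch. Everything here is an illustrative assumption: the toy "images" are strings, the "transformations" are string functions, and the baseline guesser is the trivial always-guess-the-most-likely-image solution noted in the remarks — none of this is the paper's actual instantiation.

```python
import random

# Toy stand-ins for the distributions I (on "images") and T (on
# transformations); real instantiations would use actual images.
IMAGES = ["img_a", "img_b", "img_c", "img_d"]            # [I], uniform here
TRANSFORMS = [str.upper, lambda s: s[::-1], str.title]   # [T]

def draw_instance(rng):
    """The experiment: choose i <- I and t <- T, output (i, t(i))."""
    i = rng.choice(IMAGES)
    t = rng.choice(TRANSFORMS)
    return i, t(i)

def baseline_guess():
    """Trivial solution: always guess the most likely image under I;
    it succeeds with probability delta_I = max_i Pr[i]."""
    return IMAGES[0]  # all images equally likely here, so any fixed guess

rng = random.Random(0)
trials = 10_000
hits = sum(baseline_guess() == draw_instance(rng)[0] for _ in range(trials))
print(hits / trials)  # ~ delta_I = 0.25 for this uniform toy distribution
```

A non-trivial solver must beat δI, which here means actually using the transformed image rather than ignoring it.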

T . T . The matcha veriﬁer sends the prover (i. is very practical and in fact several instantiations of it are already in use. it picks k ← I and sets (i. etc. The matcha veriﬁer starts by choosing a transformation t ← T . where I is a distribution on images and T is a distribution on image transformations that can be easily computed using current computer programs. j) = (k. where i is chosen uniformly from the set [I] − {j}. This gives the prover a simple strategy to gain advantage over M : if i seems to . In order for matcha to be of practical use. rejects. If the veriﬁer’s timer expires before the prover responds. a distinguishing probability of 1/2 is unacceptable. then then then then matcha matcha matcha matcha accepts. but the second family. The captchas we present in this section can be quickly answered by humans. matcha is a captcha with the following property: any program that has high success over M = (I.4 Two Families of captchas We now describe two families of captchas whose security is based on the hardness of problems in P1 and P2. For most applications. τ )-hard then P1I. while res = 0 means that i = j.1 MATCHA A matcha instance is described by a triple M = (I. the test has to be repeated several times.T can be used to construct a captcha trivially: the veriﬁer simply gives the prover t(i) and asks the prover to output i. is somewhat impractical. Our description of matcha contains an obvious asymmetry: when i = j. res = 0. res = 1. res = 1 means that i = j. τ ). this would be a perfectly valid captcha. the prover responds with res ∈ {0. matcha. then humans would take a long time to answer. 4. matcha presents the prover with (i. In the last case. picks another pair of images (i.T is (δ. matcha starts over (with a fresh new set of random coins): it ﬂips another fair unbiased coin. j) depending on the outcome of the coin. 1}. It is quite easy to write a computer program that has success probability 1/2 over matcha by simply answering with res = 1. 
and when i = j matcha presents (i. If the result is tails. If the result is heads. rejects. pix. k). it would also be a very impractical one: if [I] is large. According to our deﬁnition. t(i)) for i ← I. 2. t(j)) and sets a timer to expire in time τ . The ﬁrst family of captchas. Remarks 1. t(j)). Informally. the veriﬁer makes a decision based on the prover’s response res and whether i is equal to j: – – – – If If If If i=j i=j i=j i=j and and and and res = 1. However. Notice that if P1I. it sets j ← I and i ← U ([I]−{j}) where U (S) is the uniform distribution on the set S. res = 0. the veriﬁer rejects. It then ﬂips a fair unbiased coin. T ) can be used to solve P1I. plays another round. Otherwise.

Using B we construct a program AB that is a (δ. τ |[I]|)-solution to P1.r Pr [ Mr . j). On input j. it picks an element of S uniformly at random. where η . Let p0 = PrT . AB collects all the images i ∈ [I] on which B returned 1 (i. t(j)) = 1]. Hence: . otherwise guess that it isn’t. and the output will be another image.I. In the following Lemma we assume that a program with high success over M always terminates with a response in time at most τ . where i ∈ [I]. We show that AB is a (δ. 1 + 2|[I]|(1 − η) δ≥ Proof.. We also assume that the unit of time that matcha uses is the same as one computational step. Afterwards. Otherwise. 4.j←I. then AB returns an element chosen uniformly from [I]. Note that p0 p1 + (1 − p1 )(1 − σB ) p0 + p 1 + = ..r [Br (i. t(i)) = 0] and let p1 = PrT . τ ) can be used to (δ. Let B be a program that runs in time at most τ and has success σB ≥ η over M . τ |[I]|)-solution to P1I. all the images in [I] that B thinks j is a transformation of). by stopping after τ time and sending the response 1.T . each time feeding B the pair of images (i. which never decreases the success probability. We note that a stronger captcha can be built by choosing i from the distribution I restricted to the set [I] − {j}. The intuition for why matcha plays another round when i = j and res = 0 is that we are trying to convert high success against matcha into high success in solving P1. 2 2 1 + p1 r. If S is empty. Any program that has success greater than η over M = (I.e.r [Br (i. τ |[I]|)-solve P1I.e. Br = reject] = 1 − σB = which gives σB ≤ 1 − p0 and p1 ≤ 2(1 − σB ). T .i. AB will loop over the entire database of images of M (i. a program that solves P1 by comparing t(j) to every image in [I] will encounter that most of the images in [I] are diﬀerent from t(j). the set [I]). Call the set of these images S. 3.T .come from I. Lemma 1. The input to AB will be an image. guess that t(j) is a transformation of i. 
The reason for the asymmetry is to make the proof of Lemma 1 easier to follow. Any program which does not satisfy this requirement can be rewritten into one which does.

β)-human executable. cow. Theorem 1. P responds with a label l ∈ L.I. L. For instance.I. β. can be found at www. (3) follows by Jensen’s inequality and the fact that f (x) = 1/x is concave. τ |[I]|)-hard and M = (I. (4) follows because ET . T . If P1I. like Animal-PIX. V then sends to P the message (t(i). The pix veriﬁer works as follows. Theorem 2. and rejects otherwise.I [|S|] 1 − p0 ≥ 1 + |[I]|p1 σB ≥ 1 + 2|[I]|(1 − σB ) ≥ (2) follows by the deﬁnition of the procedure AB . V accepts if l = λ(i) and its timer has not expired. p1 and σB given above. like Yahoo! and Hotmail. λ. (2−|[I]|)δ )-captcha. L). a pix instance is a tuple X = (I.captcha. then M is a (α. τ )-hard and X = (I. λ. V draws i ← I. L. T . β.T . τ ) is (α.T is (δ.r Pr(B(i. This completes the proof.T .T .λ can be used as a captcha. Similarly. if I is a distribution over images containing a single word and λ maps an image to the word contained in it.r B Pr [Ar (t(j)) = j||S| = s] Pr [|S| = s] T .r Pr [AB (t(j)) r = j] ≥ s=1 n T . Formally. If P2I. 2δ−|[I]| 4.T .I 1 − p0 ET .I (1) (2) (3) (4) (5) = s=1 1 − p0 Pr [|S| = s] s T . and t ← T . τ ) is (α. First. T . then P2I. if all the images in [I] are pictures of simple concrete objects and λ maps an image to the object that is contained in the image. Animal-PIX presents the prover with a distorted picture of a common animal (like the one shown below) and asks it to choose between twenty diﬀerent possibilities (monkey.λ can sometimes be used almost directly as a captcha.net. and sets a timer for τ .2 PIX An instance P2I.n T .λ can be used directly as a captcha. . β)-human executable. δ)-captcha. then P2I. Other less conventional ones. then X is a (α. τ ).λ is (δ. t(j)) = 1) and (5) follows by the inequalities for p0 . et cetera). horse.I [|S|] ≤ 1 + i=j I. Various instantiations of pix are in use at major internet portals.
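The reduction from a matcha-breaking program B to a P1-solver AB can be sketched in code. The integer "images", the identity transformation, and the perfect distinguisher B in the demo are all illustrative assumptions, not the paper's actual instantiation:

```python
import random

def A_B(B, images, tj, rng):
    """Sketch of the reduction: given a program B with high success over
    matcha, loop over the whole database [I], feed B the pair (i, t(j))
    for every i, and collect S = {i : B(i, t(j)) = 1}."""
    S = [i for i in images if B(i, tj) == 1]
    if not S:                  # S empty: return a uniform element of [I]
        return rng.choice(images)
    return rng.choice(S)       # otherwise pick uniformly from S

# Demo with a hypothetical perfect distinguisher and identity transform.
images = list(range(100))
rng = random.Random(1)
perfect_B = lambda i, tj: 1 if i == tj else 0
j = rng.choice(images)
recovered = A_B(perfect_B, images, j, rng)   # t(j) = j for the identity t
print(recovered == j)  # True: A_B recovers j whenever B is reliable
```

Each call to AB costs |[I]| invocations of B, which is where the τ|[I]| running time in Lemma 1 comes from.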

Fig. 2. Animal-Pix.

There are many applications of solutions to P1 and P2 that we don't mention here. Areas such as Digital Rights Management, for instance, could benefit from better AI: a program that can find slightly distorted versions of original songs or images on the world wide web would be a very useful tool for copyright owners. Similarly, P1 is interesting in its own right, and a solution for the instantiation when I is a distribution on images of works of art would benefit museum curators, who often have to answer questions such as "what painting is this a photograph of?" Our problems also serve to illustrate that there is a need for better AI in security as well.

5 An Application: Robust Image-Based Steganography

We detail a useful application of (δ, τ)-solutions to instantiations of P1 and P2 (other than reading slightly distorted text, which was mentioned before). We hope to convey by this application that our problems were not chosen just because they can create captchas but because they in fact have applications related to security.

Robust Steganography is concerned with the problem of covertly communicating messages on a public channel which is subject to modification by a restricted adversary. For instance, Alice may have some distribution on images which she is allowed to draw from and send to Bob; she may wish to communicate additional information with these pictures, in such a way that anyone observing her communications cannot detect this additional information. The situation may be complicated by a somewhat malicious adversary who transforms all transmitted images in an effort to remove any hidden information. This adversary is restricted by the fact that he must transform the images transmitted between many pairs of correspondents, and may not transform them in ways so that they are unrecognizable to humans, since he may not disrupt the communications of legitimate correspondents. Thus the adversary's actions, on seeing the image i, are restricted to selecting some transformation t according to a distribution T, and replacing i by t(i).

In this section we will show how to use (δ, τ)-solutions to instantiations of P1I,T or P2I,T,λ to implement a secure robust steganographic protocol for image channels with distribution I, when the adversary chooses transformations from T. Note that if we require security for arbitrary I, T, we will require a (δ, τ)-solution to P1 for arbitrary I, T; if no solution works for arbitrary (I, T), this implies the existence of specific I, T for which P1 is still hard. Thus either our stegosystem can be implemented by computers for arbitrary image channels or there is a (non-constructive) hard AI problem that can be used to construct a captcha.

The results of this subsection can be seen as providing an implementation of the "supraliminal channel" postulated by Craver [6]. Indeed, Craver's observation that the adversary's transformations should be restricted to those which do not significantly impact human interpretation of the images (because the adversary should not unduly burden "innocent" correspondents) is what leads to the applicability of our hard AI problems.

Steganography Definitions. Fix a distribution over images I, and a set of keys K. A steganographic protocol or stegosystem for I is a pair of efficient probabilistic algorithms (SE, SD) where SE : K × {0, 1} → [I]^ℓ and SD : K × [I]^ℓ → {0, 1}. We will describe a protocol for transmitting a single bit σ ∈ {0, 1}, but it is straightforward to extend our protocol and proofs by serial composition to any message in {0, 1}* with at most linear decrease in security. Denote by t_{1,...,ℓ} ← T^ℓ the action of independently selecting ℓ transformations according to T, and denote by t_{1,...,ℓ}(i_{1,...,ℓ}) the action of element-wise applying the ℓ transformations to ℓ images.

Definition 6. A stegosystem is steganographically secret for I if the distributions {SEr(K, σ) : K ← K, r ← {0, 1}*} and I^ℓ are computationally indistinguishable for any σ ∈ {0, 1}. Steganographic secrecy ensures that an eavesdropper cannot distinguish traffic produced by SE from I.

Definition 7. A stegosystem (SE, SD) is steganographically robust against T if it is steganographically secret and has the additional property that Pr_{K, t_{1,...,ℓ}←T^ℓ, r}[SDr(K, t_{1,...,ℓ}(SEr(K, σ))) ≠ σ] is negligible (in |K| and ℓ) for any σ ∈ {0, 1}.

We assume that λ : [I] → L is efficiently computable and that A : SP2 → L is a (δ, τ)-solution to P2I,T,λ as defined above (recall that P1 is a special case of P2): A operates in time τ and Pr_{i,t,r}[Ar(t(i)) = λ(i)] ≥ δ. Let F : K × {1, . . . , ℓ} × L → {0, 1} be a pseudorandom function family.

Let c = Pr_{i,j←I}[λ(i) = λ(j)]. We require that c < 1 (that is, we require that there is enough variability in the labels of the images to be useful for communication). Notice that L can simply be equal to [I] and λ can be the identity function (in case the images in [I] have no labels, as in P1). We prove in the Appendix that the following construction is an efficient, robust stegosystem for T.

Construction 1

Procedure SE:
Input: K ∈ K, σ ∈ {0, 1}
for j = 1 . . . ℓ do
  draw d0 ← I, d1 ← I
  if FK(j, λ(d0)) = σ then set ij = d0 else set ij = d1
Output: i1, i2, . . . , iℓ

Procedure SD:
Input: K ∈ K, i1, . . . , iℓ ∈ [I]
for j = 1 . . . ℓ do
  set σj = FK(j, A(ij))
Output: majority(σ1, . . . , σℓ)

Proposition 1. Construction 1 is steganographically secret and robust for I, T.

The proof of Proposition 1 is similar in flavor to those of Hopper, Langford and von Ahn [7] and relies on the fact that when A returns the correct solution on received image ij, the recovered bit σj is equal to the intended bit σ with probability approximately 1/2 + (1/4)(1 − c), and otherwise σj = σ with probability 1/2; therefore the probability that the majority of the σj are incorrect is negligible in ℓ. For details, see the Appendix.

Remarks

1. Better solutions to P2I,T,λ imply more efficient stegosystems: if δ is larger, then ℓ can be smaller and less images need to be transmitted to send a bit secretively and robustly.
2. Since we assume that P2I,T,λ (or P1I,T, as it might be the case) is easy for humans, our protocol could be implemented as a cooperative effort between the human recipient and the decoding procedure (without the need for a solution to P1I,T or P2I,T,λ). However, decoding each bit of the secret message will require classifying ℓ images, so that a human would likely fail to complete the decoding well before any sizeable hidden message could be extracted (this is especially true in case we are dealing with P1I,T and a large set [I]: a human would have to search the entire set [I] as many as ℓ times for each transmitted bit). Thus to be practical, a (δ, τ)-solution (for small τ) to P1I,T or P2I,T,λ will be required.

6 Discussion and Closing Remarks

Interaction with the AI community. A primary goal of the captcha project is to serve as a challenge to the Artificial Intelligence community. We believe that having a well-specified set of goals will contribute greatly to the advancement of the field. A good example of this process is the recent progress in reading distorted text images driven by the captcha in use at Yahoo!. In response to the challenge provided by this test, Malik and Mori [9] have developed a program which can pass the test with probability roughly 0.8, exceeding that of humans. Despite the fact that this captcha has no formal proof that a program which can pass it can read under other distributions of image transformations, it is encouraging to see such progress. Malik and Mori claim that their algorithm represents significant progress in the general area of text recognition.

Reductions, as they are used in cryptography, can be extremely useful for the progress of algorithmic development. For this reason, it is important that even Automated Turing Tests without formal reductions attempt to test ability in general problem domains, and even though these tests may have specific weaknesses it is also important that AI researchers attempting to pass them strive for solutions that generalize.

Other AI problem domains. The problems defined in this paper are of a similar character and deal with the advantage of humans in sensory processing. It is an open question whether captchas in other areas can be constructed. The construction of a captcha based on a text domain such as text understanding or generation is an important goal for the project (as captchas based on sensory abilities can't be used on sensory-impaired human beings). However, the main obstacle to designing these tests seems to be the similar levels of program ability in text generation and understanding, as generation seems to be difficult. Logic problems have also been suggested as a basis for captchas, and these present similar difficulties. One possible source of logic problems are those proposed by Bongard [4] in the 70s; indeed [1] presents a test based on this problem set. As mentioned earlier, however, recent progress in AI has also yielded programs which solve these problems with very high success probability. We encourage security researchers to create captchas based on different AI problems.

Conclusion. We believe that the fields of cryptography and artificial intelligence have much to contribute to one another. captchas represent a small example of this possible symbiosis.

Acknowledgments

We are grateful to Udi Manber for his suggestions. We also thank Lenore Blum, Brighten Godfrey, Moni Naor, Roni Rosenfeld, Henry Baird and the anonymous Eurocrypt reviewers for helpful discussions and comments. This work was partially supported by the National Science Foundation (NSF) grants CCR-0122581 and CCR-0085982 (The Aladdin Center). Nick Hopper is also partially supported by an NSF graduate research fellowship.
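Construction 1 can be sketched as executable code. This is a minimal sketch under loud assumptions: a SHA-256-based stand-in plays the role of the pseudorandom function family F, an "image" is identified with its label, and the solver A is perfect (δ = 1); none of these are the paper's concrete instantiations.

```python
import hashlib
import random

def F(key, j, label):
    """Illustrative stand-in for the pseudorandom function family
    F : K x {1..l} x L -> {0,1}, built from SHA-256."""
    return hashlib.sha256(f"{key}|{j}|{label}".encode()).digest()[0] & 1

def SE(key, sigma, draw, label_of, ell, rng):
    """Procedure SE: hide the bit sigma in a sequence of ell images."""
    out = []
    for j in range(1, ell + 1):
        d0, d1 = draw(rng), draw(rng)
        out.append(d0 if F(key, j, label_of(d0)) == sigma else d1)
    return out

def SD(key, images, A):
    """Procedure SD: recover one vote per image using the P2-solver A,
    then take the majority."""
    votes = [F(key, j, A(img)) for j, img in enumerate(images, start=1)]
    return int(2 * sum(votes) > len(votes))

# Demo: an "image" is just its label, and A is the identity (perfect solver).
labels = ["cat", "dog", "fish", "bird"]   # c = Pr[two labels agree] = 1/4
draw = lambda rng: rng.choice(labels)
rng = random.Random(2)
decoded = [SD("k", SE("k", s, draw, lambda x: x, 301, rng), lambda x: x)
           for s in (0, 1)]
print(decoded)  # overwhelmingly likely to be [0, 1] at ell = 301
```

With δ = 1 each vote is correct with probability 1/2 + (1 − c)/4, so the majority over ℓ = 301 positions decodes the hidden bit except with negligible probability, matching the analysis in the Appendix.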

References

1. Luis von Ahn, Manuel Blum, Nicholas J. Hopper and John Langford. The CAPTCHA Web Page: http://www.captcha.net. 2000.
2. Luis von Ahn, Manuel Blum and John Langford. Telling Humans and Computers Apart (Automatically) or How Lazy Cryptographers do AI. To appear in Communications of the ACM.
3. Mihir Bellare, Russell Impagliazzo and Moni Naor. Does Parallel Repetition Lower the Error in Computationally Sound Protocols? In 38th IEEE Symposium on Foundations of Computer Science (FOCS' 97), pages 374-383. IEEE Computer Society, 1997.
4. Mikhail M. Bongard. Pattern Recognition. Spartan Books, Rochelle Park NJ, 1970.
5. A. L. Coates, H. S. Baird and R. Fateman. Pessimal Print: A Reverse Turing Test. In Proceedings of the International Conference on Document Analysis and Recognition (ICDAR' 01), pages 1154-1159. Seattle WA, 2001.
6. Scott Craver. On Public-key Steganography in the Presence of an Active Warden. In Proceedings of the Second International Information Hiding Workshop, pages 355-368. Springer, 1998.
7. Nicholas J. Hopper, John Langford and Luis von Ahn. Provably Secure Steganography. In Advances in Cryptology, CRYPTO' 02, volume 2442 of Lecture Notes in Computer Science, pages 77-92. Santa Barbara, CA, 2002.
8. M. D. Lillibridge, M. Abadi, K. Bharat and A. Broder. Method for selectively restricting access to computer systems. US Patent 6,195,698. Applied April 1998 and Approved February 2001.
9. Greg Mori and Jitendra Malik. Breaking a Visual CAPTCHA. Unpublished Manuscript, 2002. Available electronically: http://www.cs.berkeley.edu/~mori/gimpy/gimpy.pdf.
10. Moni Naor. Verification of a human in the loop or Identification via the Turing Test. Unpublished Manuscript, 1996. Available electronically: http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.ps.
11. Benny Pinkas and Tomas Sander. Securing Passwords Against Dictionary Attacks. In Proceedings of the ACM Computer and Security Conference (CCS' 02), pages 161-170. ACM Press, November 2002.
12. S. Rice, G. Nagy and T. Nartker. Optical Character Recognition: An Illustrated Guide to the Frontier. Kluwer Academic Publishers, Boston, 1999.
13. Adi Shamir and Eran Tromer. Factoring Large Numbers with the TWIRL Device. Unpublished Manuscript, 2003. Available electronically: http://www.cryptome.org/twirl.ps.gz.
14. J. Xu, R. Lipton and I. Essa. Hello, are you human. Technical Report GIT-CC-00-28, Georgia Institute of Technology, November 2000.

A Proof of Proposition 1

Lemma 2. Construction 1 is steganographically secret.

Proof. Consider for any 1 ≤ j ≤ ℓ and x ∈ [I] the probability ρjx that ij = x, i.e., ρjx = Pr[ij = x]. The image x is returned in the jth step only under one of the following conditions:

1. D0 : d0 = x and FK(j, λ(d0)) = σ, or
2. D1 : d1 = x and FK(j, λ(d0)) = 1 − σ.

Note that these events are mutually exclusive, so that ρjx = Pr[D0] + Pr[D1]. Suppose that we replace FK by a random function f : {1, . . . , ℓ} × L → {0, 1}. Then we have that Pr_{f,d0}[D0] = (1/2)Pr_I[x] by independence of f and d0, and Pr_{f,d1}[D1] = (1/2)Pr_I[x] by the same reasoning. Thus ρjx = Pr_I[x] when FK is replaced by a random function. Further, for a random function the ρjx are all independent. Thus for any σ ∈ {0, 1} we see that SE(K, σ) and I^ℓ are computationally indistinguishable, by the pseudorandomness of F, proving the lemma.

Lemma 3. Construction 1 is steganographically robust for T.

Proof. We would like to assess the probability ρj = Pr[σj = σ]. Consider replacing FK, for a random K, with a randomly chosen function f : {1, . . . , ℓ} × L → {0, 1} in SE, SD. Let Aj be the event A(ij) = λ(ij), let Āj be the event A(ij) ≠ λ(ij), and write λ(db) as lb. We have the following:

  Pr_{f,ij,t}[σj = σ]
    = Pr[σj = σ | Aj] Pr[Aj] + Pr[σj = σ | Āj] Pr[Āj]   (6)
    = δ Pr[σj = σ | Aj] + (1 − δ)/2   (7)
    = δ Pr[f(j, l0) = σ or (f(j, l0) = 1 − σ and f(j, l1) = σ)] + (1 − δ)/2   (8)
    = δ(1/2 + Pr[f(j, l0) = 1 − σ and f(j, l1) = σ and l0 ≠ l1]) + (1 − δ)/2   (9)
    = δ(1/2 + (1/4)(1 − c)) + (1 − δ)/2   (10)
    = 1/2 + (δ/4)(1 − c)   (11)

Here (7) follows because if A(ij) = l ≠ λ(ij) then Prf[f(j, l) = σ] = 1/2; and (8) follows because if A(ij) = λ(ij), then f(j, A(ij)) = σ iff f(j, λ(ij)) = σ, and the expression results from expanding that event with the definition of ij in the encoding routine.

Suppose we prove a constant bound ρ > 1/2 such that for all j, Pr[σj = σ] > ρ. Then a Chernoff bound implies that Pr[majority(σ1, . . . , σℓ) ≠ σ], the probability of decoding failure, is negligible in ℓ when FK is a random function. For any constant δ > 0, since c < 1, expression (11) provides such a bound. Thus the pseudorandomness of FK implies that the probability of decoding failure for Construction 1 is also negligible, proving the lemma.
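The per-position success probability 1/2 + (δ/4)(1 − c) derived in (11) can be checked numerically. The label set, the simulated fresh random function in place of FK, and the choice δ = 1 (a perfect solver A) are illustrative assumptions for the check:

```python
import random

# Monte Carlo check of the single-position analysis: the decoder's vote
# matches sigma with probability 1/2 + (delta/4)(1 - c).  Here delta = 1
# and labels are uniform over 8 values, so c = 1/8.
rng = random.Random(3)
labels = list(range(8))
trials, ok = 200_000, 0
for _ in range(trials):
    sigma = rng.randrange(2)
    f = {l: rng.randrange(2) for l in labels}   # fresh random function f(j, .)
    d0, d1 = rng.choice(labels), rng.choice(labels)
    ij = d0 if f[d0] == sigma else d1           # the encoder's choice in SE
    ok += (f[ij] == sigma)                      # the decoder's vote in SD
predicted = 0.5 + (1 / 4) * (1 - 1 / len(labels))
print(abs(ok / trials - predicted) < 0.005)  # True: simulation matches (11)
```

With 200,000 trials the empirical rate sits well within 0.005 of the predicted 0.71875, consistent with the derivation above.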
