Security and Cryptography December 4 2001 Portions stolen
Security and Cryptography December 4, 2001 Portions stolen from Prof. Sahai (spring 2001)
Administrivia o. Homework assignment 7 due today o. Homework Assignment 8 due January 7, 2002 o. Homework 9 o o o Part a due next Tuesday Part b due next Thursday Part c due next Friday o. Lab 8 this week o. No lab next week o. Guest lecturer(s) Thursday o. Final Exam CS 104 01/23/2002@8: 30 AM
Last Time • We saw examples of undecidable problems that computers can’t solve • We saw examples of search problems that we believe computers can’t solve quickly.
“Easy” undecidable problems Halting Problem Post's Correspondence Problem (PCP)?
Post's Correspondence Problem (PCP)? An instance of Post's correspondence problem of size s is a finite set of pairs of strings (gi , hi) ( i = 1. . . s s>=1) over some alphabet . A solution is a sequence i 1 i 2. . . in of selections such that the strings gi 1 gi 2. . . gin and hi 1 hi 2. . . hin formed by concatenation are identical.
Sample PCP g 1 = g 2 = g 3 = g 4 = aba bbab baaa a h 1 = h 2 = h 3 = h 4 = abaa abab a bb So, 1, 3, 1, 2 would correspond to aba baaa aba bbab from g’s abaa abab from h’s (not a match)
Sample PCP (cont. ) g 1 = g 2 = g 3 = g 4 = aba bbab baaa a h 1 = h 2 = h 3 = h 4 = 1, 4, 2, 1, 3 aba a bbab aba baaa abaa bb abaa a abab a bb
PCP is undecidable _Post's correspondence problem shown to be undecidable by Post in 1946. _The problem with size 2 has been proved decidable. _The problem with size 7 has been proved undecidable. _The decidablility of problems with size between 3 and 6 is still pending.
Last Time – hard search problems • We saw examples of search problems that we believe computers can’t solve quickly. • A search problem is a problem where • Is hard to find solution • Is easy to check possible solution • A complete search problem is as hard as any search problem • Search problem is believed to be hard because • We can’t solve it • No one else can • No one can solve any of the complete search problems
Classes of search problems • In computer-science terminology: • NP = All Search Problems • P = Problems we can solve quickly • We believe that P NP, i. e. not every search problem can be solved quickly on a computer. • Search problem is NP but not P are used in situations where we want a problem that is • Hard to solve • Easy to check a solution.
Coloring
Coloring (cont. ) • We can build a computer as a coloring problem • Build simulations of gates • • • NOT, AND, OR Combine simulations to build circuit for, e. g. Carryripple adder Result • Here is a graph, • Color a few circles to mark inputs • Find a valid coloring of all circles • Read off values of output circles to get result
Coloring (cont. ) • Coloring is complete • In particular, we can reduce solving any search problem to finding a valid coloring for some collection of circles! • So, if we could solve Coloring quickly, then P = NP • That’s why we believe Coloring can’t be solved quickly by any computer. • We call such problems NP-Complete.
NP-complete problems I Coloring ITraveling Salesman Problem IKnapsack problem IPartition Problem
Knapsack problem ÌWe are given a set of items each having a weight measured by an integer ÌWe are given a capacity for the knapsack ÌWe ask if we can exactly pack the knapsack
Sample Knapsack problem ÌItem weights 2, 4, 9, 13, 17, 23, 32, 70, 123, 157 ÌCapacity is 228 ÌPacking 157 + 32 + 17 + 13 + 9 ÌCapacity is 226 ÌPacking (there are none)
Partition problem ÌWe are given a set of items each having a weight measured by an integer ÌWe are asked if we can divide the items into 2 groups that have the same total weights. ÌLike a knapsack problem ÌWeight is half of total weight
Sample Partition problem ÌItem weights 2, 4, 9, 13, 17, 23, 32, 70, 123, 157 ÌTotal weight is 450 ÌPacking 123 + 70 + 32 = 225 ÌPacking 157 + 23 + 17 + 13 + 9 + 4 + 2 = 225 ÌWhy is this different from the PCP?
Other Hard Problems? • There are other problems besides NP-Complete Problems that we also believe are hard. • Can we be sure? • No. • But humanity has been trying to solve certain mathematical problems for centuries. • So. it seems reasonable to assume that nobody will figure out how to solve them soon.
Cryptography • Why do we care so much about hard problems? • Because sometimes we want to make things hard. • Protecting Privacy, Authenticity • Want to make it hard for adversaries to: • Steal our credit cards • Impersonate us • Etc. • Makes it possible for companies to protect intellectual property.
Cryptography • Science of making things hard for adversaries = Cryptography • Dates back to Julius Caeser • Caesar cipher – shift each character by a few places • "UHWXUA WR URPH" encodes “RETURN TO ROME“ • Used extensively during WW 2 (and every other war) • Used to encode passwords • Used to prevent copying of software and data (e. g. DVD).
Requirements of a cryptosystem Easy to encode messages Hard to decode messages
One Approach. . . It’s so complicated! It must be secure! Cryptosystem XYZ (Patent Pending)
One Approach. . . Cryptosystem XYZ Broken 2 Days After Release!
One Approach. . . • Unfortunately, this approach is often used in real life. • This is one of the reasons why you hear about so many security systems being broken! • Examples: DVD encryption (De. CSS), Cell phones in Europe (GSM), encoding of fonts by Adobe, many more
More sophisticated approach • Use theory of hard search problems and the notion of reducing one problem to another. • Show that if you break this security system, you do so by solving some of the world’s greatest unsolved problems first!
Encryption • The most basic problem in Cryptography is Encryption: Private Message m Alice Bob
Encryption • The most basic problem in Cryptography is Encryption: Private Message m Bob Alice Eve the eavesdropper
Encryption • The most basic problem in Cryptography is Encryption: Encrypted Message E(m) Bob Alice Eve the eavesdropper
Encryption • Have to make it easy for Bob to recover m • But hard for Eve to learn anything about m Encrypted Message E(m) Bob Alice Eve the eavesdropper
![Public-Key Cryptography [Diffie -Hellman 1976] Bob’s Public Key Bob’s Secret Key Bob • Everybody](http://slidetodoc.com/presentation_image_h/f5767417f391323b8520c88280e42db4/image-31.jpg "Public-Key Cryptography [Diffie -Hellman 1976] Bob’s Public Key Bob’s Secret Key Bob • Everybody")
Public-Key Cryptography [Diffie -Hellman 1976] Bob’s Public Key Bob’s Secret Key Bob • Everybody knows Bob’s published Public Key. • Only Bob knows his secret key.
Public-Key Encryption Encrypted Message E(m) Alice Bob • Alice uses Bob’s public key to encrypt m. • Bob uses his secret key to recover (decrypt) m.
Public-Key Encryption Encrypted Message E(m) Alice Eve the eavesdropper Bob • Alice and Eve both know Bob’s public key. • Eve must not be able to “break” the encryption even though she knows the public key.
Basic Math Review • Let’s recall some basic mathematics: • A number p is called prime if its only factors are 1 and itself. • Examples:
Basic Math Review • Let’s recall some basic mathematics: • A number p is called prime if its only factors are 1 and itself. • Examples: 2, 3, 5, 7, 11, 13, 17, 19, …
Basic Math Review • Let’s recall some basic mathematics: • A number p is called prime if its only factors are 1 and itself. • Examples: 2, 3, 5, 7, 11, 13, 17, 19, … • There are lots of prime numbers. • Fact: It is known how to check quickly if a number is prime or not. • So, to find a big prime number, we can just keep generating large random numbers until we find a prime.
Basic Math Review • Given two primes p and q, it is easy to multiply them together: N = pq • But given N, how do you find p and q quickly? i. e. how do you factor N? • Easy for small numbers (e. g. 6 or 35). • For centuries, mathematicians have been trying to find ways to factor large numbers quickly. No one knows how! • Factoring a 10, 000 digit N would take centuries on the fastest computer in existence!
How do we know factoring is hard? Problem has a long history Prizes are offered and have been for a long time Factoring progress happens slowly
Factoring RSA-130 (4/10/96) RSA-130 = 1807082088687404805951656164405905566278102516769 4013491701270214500566625402440483873411275908123 03371781887966563182013214880557 = 3968599945959745429016112616288378606757644911281 0064832555157243 * 4553449864673597218840368689727440886435630126320 5069600999044599 Moore’s Law would add a digit or 2 every year.
Basic Math & Crypto • We want to make it so that if Eve the eavesdropper breaks our system, she would have to factor a very large number. • We’ll (almost) do that.
Modular Arithmetic • Ordinary Arithmetic: … -4 -3 -2 -1 0 1 2 3 4 …
Modular Arithmetic • Ordinary Arithmetic: … -4 -3 -2 -1 0 1 2 • Arithmetic Modulo N: N = 0 1 (N – 1) 2 (N – 2) (N – 3) 3 … 3 4 …
Modular Arithmetic • Example: Arithmetic Modulo 12 (like Arithmetic on time) • 3 + 11 (Modulo 12) = • 2 – 4 (Modulo 12) = • 5 * 4 (Modulo 12) = • 4 * 3 (Modulo 12) =
Modular Arithmetic • Example: Arithmetic Modulo 12 (like Arithmetic on time) • 3 + 11 (Modulo 12) = 2 • 2 – 4 (Modulo 12) = • 5 * 4 (Modulo 12) = • 4 * 3 (Modulo 12) =
Modular Arithmetic • Example: Arithmetic Modulo 12 (like Arithmetic on time) • 3 + 11 (Modulo 12) = 2 • 2 – 4 (Modulo 12) = 10 • 5 * 4 (Modulo 12) = • 4 * 3 (Modulo 12) =
Modular Arithmetic • Example: Arithmetic Modulo 12 (like Arithmetic on time) • 3 + 11 (Modulo 12) = 2 • 2 – 4 (Modulo 12) = 10 • 5 * 4 (Modulo 12) = 8 • 4 * 3 (Modulo 12) =
Modular Arithmetic • Example: Arithmetic Modulo 12 (like Arithmetic on time) • 3 + 11 (Modulo 12) = 2 • 2 – 4 (Modulo 12) = 10 • 5 * 4 (Modulo 12) = 8 • 4 * 3 (Modulo 12) = 0
![The RSA Encryption Scheme [Rivest Shamir Adleman 1978] • Bob picks two large primes](http://slidetodoc.com/presentation_image_h/f5767417f391323b8520c88280e42db4/image-48.jpg "The RSA Encryption Scheme [Rivest Shamir Adleman 1978] • Bob picks two large primes")
The RSA Encryption Scheme [Rivest Shamir Adleman 1978] • Bob picks two large primes p and q, and computes: N = pq • Fact: Because Bob knows p and q, he can pick numbers e and d such that: • For all m: d e (m ) = m (Modulo N) • Bob’s Public Key will be e, N • Bob’s secret key will be d
The RSA Encryption Scheme • Fact: Because Bob knows p and q, he can pick numbers e and d such that: • For all m: d e (m ) = m (Modulo N) • To Encrypt a message m, Alice computes: • E(m) = me (Modulo N)
The RSA Encryption Scheme • Fact: Because Bob knows p and q, he can pick numbers e and d such that: • For all m: d e (m ) = m (Modulo N) • To Encrypt a message m, Alice computes: • E(m) = me (Modulo N) • To Decrypt, Bob computes: • m = E(m)d (Modulo N)
The RSA Encryption Scheme • To Encrypt a message m, Alice computes: • E(m) = me (Modulo N) • The only known way to compute m from E(m) involves factoring N. • For Eve to break this system, she would have to solve a long-standing open problem in Mathematics. • This is probably the most widely used Public-Key Encryption Scheme in the world.
Shifting Gears: Proofs… • Bob wants to convince Alice of the validity of some statement (like “I really am Bob!”) Alice Bob • But Bob doesn’t want to reveal his secrets to Alice in the process…
Zero-Knowledge Proofs • What is the least amount of information Bob can reveal, while still convincing Alice? • Amazingly, it is possible for Bob to convince Alice of something without revealing any information at all! • How can that be?
Magic Tricks • Magic tricks are like zero-knowledge proofs: • Good magic tricks reveal nothing about how they work. • What makes a magic trick good?
A Magic Trick • Two balls: Purple and Red, otherwise identical • Blindfolded Magician • You give a random ball to magician
A Magic Trick (cont. ) • Magician tells you the color! • Magician proves he can distinguish balls blindfolded. • You learn nothing except this. Abracadabra, Goobedy goo! It is Red! Wow! He’s so cool!
A Magic Trick (cont. ) • You knew exactly what magician was going to do. • And he did it! • Since you knew to begin with, you could not have learned anything new! It’s Red! I knew he would say that.
Zero Knowledge • What it means: • Alice “knows” what is going to happen. • CS-speak: Alice can simulate it herself! Simulation Abracadabra, Goobedy goo! It is Red!
Another Magic Trick • Magician asks you to think of either • “Apple” or • “Banana” • Magician then gives you a sealed box.
Mind Reading • You tell Magician what you were thinking. I was thinking of a banana.
Mind Reading (cont. ) • Magician tells you to open box, and read piece of paper in box. • Magician proves he can predict what you will say. Banana How did he do that!!
Mind Reading (cont. ) • Again, you knew what was going to happen. Zero-Knowledge Simulation Banana I was thinking of a banana.
Mind Reading (cont. ) • But why was it convincing? • Because Magician committed to his guess before you told him.
Cryptographic Commitment • Public Key Encryption Scheme • To commit to a string x, I send y = E(x). • To open the commitment, I reveal my secret key. • Commitment is secret. • And I can’t change my mind about x once I’ve sent the encryption.
NP-Completeness • Remember we can reduce any search problem to Coloring.
NP-Completeness (cont. ) • “y is an encryption of a valid tax return” reduction
ZK Proof for Coloring • Input: Collection of circles. • Magician Knows: Coloring using R, B, G • First, Magician picks random permutation : R, B, G , and applies to coloring:
ZK Proof (cont. )
ZK Proof (cont. )
ZK Proof (cont. )
ZK Proof: Analysis • Suppose NO valid coloring exists. • Then at least one pair of connected circles where colors equal. Alice catches Magician cheating with probability at least 1/n 2. • Repeat protocol 100 n 2 times, Alice catches Magician cheating almost always!
Simulator
Simulated ZK Proof
ZK Proof: Analysis (cont. ) • Only difference between real & simulated: • In real life, commitments are to valid coloring. • In simulator, commitments are to invalid coloring. • But commitments are secret, by security of encryption scheme. Simulator output and real life are indistinguishable.
Wrap-up • Today we saw some examples illustrating techniques from modern cryptography: • Encryption • Zero Knowledge Proofs
- Slides: 75
