Slide 1
Security through complexity
Ana Nora Sovarel
Slide 2
Projects
Please fill one slot on the signup sheet.
One meeting for each group.
All members must agree.
Slide 3
Turing Machine
[Figure: a finite control reading a tape that holds 0 0 1 1 0 0 1 0 0 0]
Slide 4
Definition
A Turing Machine is a 7-tuple (Q, ∑, Γ, δ, q0, qaccept, qreject) where Q, ∑, Γ are finite sets and
1. Q is the set of states
2. ∑ is the input alphabet
3. Γ is the tape alphabet
4. δ : Q × Γ → Q × Γ × {L,R} is the transition function
5. q0 is the start state
6. qaccept is the accept state
7. qreject is the reject state, where qaccept ≠ qreject
Slide 5
Nondeterministic Turing Machine
[Figure: three copies of the finite control over the tapes 0 0 1 1 0 0 1 0 0 0, 0 0 1 1 0 0 1 0 0 0 and 0 0 0 1 0 0 1 0 0 0, illustrating the branches of one nondeterministic computation]
Slide 6
Definition
A Nondeterministic Turing Machine is a 7-tuple (Q, ∑, Γ, δ, q0, qaccept, qreject) where Q, ∑, Γ are finite sets and
1. Q is the set of states
2. ∑ is the input alphabet
3. Γ is the tape alphabet
4. δ : Q × Γ → P(Q × Γ × {L,R}) is the transition function (P is the power set, so one step may have several successor configurations)
5. q0 is the start state
6. qaccept is the accept state
7. qreject is the reject state, where qaccept ≠ qreject
Slide 7
More Power?
Does nondeterminism affect the power of Turing Machines?
NO – “more power” would mean recognizing more languages, and a nondeterministic TM recognizes exactly the languages a deterministic one does.
But maybe it can do things faster …
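To make the two definitions concrete, here is a small simulator added for this transcript (it is not code from the slides). The transition function is stored as a map from (state, symbol) to a set of moves, so the same class covers δ : Q × Γ → Q × Γ × {L,R} (every set has one element) and δ : Q × Γ → P(Q × Γ × {L,R}) (slide 5's branching, explored breadth-first). The two machines at the bottom, NTM_11 and DTM_11, are constructed for this example; both recognize the strings containing "11", which illustrates slide 7's point that nondeterminism adds no recognizing power.

```python
# Added example: a 7-tuple Turing Machine simulator that also handles
# nondeterministic machines.  Machine names and the language recognised
# below are this example's own choices, not the slides'.

BLANK = "_"
L, R = "L", "R"


class TuringMachine:
    def __init__(self, Q, Sigma, Gamma, delta, q0, q_accept, q_reject):
        # Checks mirroring the definition: blank is on the tape but not in the
        # input, and every move delta returns stays inside Q x Gamma x {L, R}.
        assert q_accept != q_reject and q0 in Q
        assert Sigma <= Gamma and BLANK in Gamma and BLANK not in Sigma
        for (q, a), moves in delta.items():
            assert q in Q and a in Gamma
            for q2, b, d in moves:
                assert q2 in Q and b in Gamma and d in (L, R)
        self.delta, self.q0 = delta, q0
        self.q_accept, self.q_reject = q_accept, q_reject

    def is_deterministic(self):
        return all(len(moves) <= 1 for moves in self.delta.values())

    def successors(self, config):
        """All configurations reachable in one step.  A missing delta entry
        means that branch halts without accepting."""
        state, tape, head = config
        symbol = tape[head] if head < len(tape) else BLANK
        result = []
        for q2, b, d in self.delta.get((state, symbol), ()):
            new_tape = list(tape) + [BLANK] * (head + 1 - len(tape))
            new_tape[head] = b
            new_head = head + 1 if d == R else max(head - 1, 0)
            result.append((q2, tuple(new_tape), new_head))
        return result

    def accepts(self, w, max_steps=10_000):
        """Breadth-first walk of the computation tree (slide 5): accept iff
        some branch reaches q_accept within max_steps steps."""
        level = [(self.q0, tuple(w), 0)]
        seen = set(level)
        for _ in range(max_steps):
            if any(cfg[0] == self.q_accept for cfg in level):
                return True
            nxt = []
            for cfg in level:
                if cfg[0] == self.q_reject:
                    continue
                for succ in self.successors(cfg):
                    if succ not in seen:
                        seen.add(succ)
                        nxt.append(succ)
            if not nxt:
                return False
            level = nxt
        return any(cfg[0] == self.q_accept for cfg in level)


Q = {"q0", "q1", "qacc", "qrej"}
SIGMA, GAMMA = {"0", "1"}, {"0", "1", BLANK}

# Nondeterministic machine: in q0 it may keep scanning, or on a '1' guess
# that the substring "11" starts here (the set with two moves is the guess).
NTM_11 = TuringMachine(Q, SIGMA, GAMMA, {
    ("q0", "0"): {("q0", "0", R)},
    ("q0", "1"): {("q0", "1", R), ("q1", "1", R)},
    ("q1", "1"): {("qacc", "1", R)},
    ("q1", "0"): {("qrej", "0", R)},
    ("q0", BLANK): {("qrej", BLANK, R)},
    ("q1", BLANK): {("qrej", BLANK, R)},
}, "q0", "qacc", "qrej")

# Deterministic machine for the same language: q1 remembers "previous was 1".
DTM_11 = TuringMachine(Q, SIGMA, GAMMA, {
    ("q0", "0"): {("q0", "0", R)},
    ("q0", "1"): {("q1", "1", R)},
    ("q1", "0"): {("q0", "0", R)},
    ("q1", "1"): {("qacc", "1", R)},
    ("q0", BLANK): {("qrej", BLANK, R)},
    ("q1", BLANK): {("qrej", BLANK, R)},
}, "q0", "qacc", "qrej")

if __name__ == "__main__":
    for w in ["0110", "0101"]:
        print(w, NTM_11.accepts(w), DTM_11.accepts(w))
```

The breadth-first search is a deterministic simulation of the nondeterministic machine; it visits every branch, which is exactly why the equivalence in power says nothing about speed (slide 7's "maybe it can do things faster").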
Slide 8
Complexity Classes
• P = decidable in polynomial time by a deterministic TM
• NP = decidable in polynomial time by a nondeterministic TM
Slide 9
Reduction
f – polynomial time transformation
What do we know about A and B?
A is at most as hard as B (it can be easier if we find another way to solve it).
B is at least as hard as A.
[Figure: A’s input → f → B’s input → B → Yes/No]
Slide 10
More definitions …
• NP-Hard = the set of problems Q such that any problem Q’ in NP is polynomial-time reducible to Q.
• NP-complete = the problems Q such that Q is in NP-Hard and Q is in NP
Slide 11
How do we prove a problem is hard?
• Let A be a known hard problem
• Find a polynomial transformation from A’s input to your problem’s input
• Why does it work?
– If your problem is easy (in P) then we can solve A easily (in P).
– So A is not hard. Contradiction.
• Need a hard problem to start with ….
Slide 12
Cook’s Theorem (‘71)
SAT is NP-complete.
( SAT = given a boolean formula, is it satisfiable? )
3SAT is NP-complete.
Example: Ф(x1,x2,x3,x4)=(x1+x2+x3)(x’1+x3+x4), where + is OR, juxtaposition is AND and x’1 is the negation of x1
Slide 13
Subset Sum
Given a set {x1,x2,…,xn} of integers and an integer t, find a subset {y1,y2,…,yk} of {x1,x2,…,xn} such that:
y1 + y2 + … + yk = t   (Σ_{i=1}^{k} yi = t)
Slide 14
Subset Sum
To prove NP-complete:
1. Prove it is in NP
• Verifiable in polynomial time
• Give a nondeterministic algorithm
2. Reduction from a known NP-complete problem to subset sum
• Reduction from 3SAT to subset sum
Slide 15
Subset Sum is in NP
sum = 0
A = {x1,x2,…,xn}
for each x in A
    y ← choice(A)          // nondeterministically pick an element of A
    sum = sum + y
    if ( sum = t ) then success
    A ← A – {y}
done
fail
Slide 16
Reduction
Goal: Reduce 3SAT to SUBSET-SUM.
How: Let Ф be a 3-conjunctive-normal-form formula. Build an instance (S, t) of the SUBSET-SUM problem such that Ф is satisfiable if and only if there is a subset T of S whose elements sum to t. Prove the reduction is polynomial.
Slide 17
1. Algorithm
Input: Ф - 3 conjunctive normal form formula
Variables: x1, x2, …, xl
Clauses: c1,c2,…,ck.
Output: S, t such that
Ф is satisfiable iff there is T subset of S
which sums to t.
Slide 18
1. Algorithm (cont.)

        x1  x2  …  xl | c1  c2  …  ck
  y1     1   0  …   0 |  1   0  …   0
  z1     1   0  …   0 |  0   1  …   0
  y2     0   1  …   0 |  0   0  …   1
  z2     0   1  …   0 |  0   0  …   0
  …
  yl     0   0  …   1 |  0   0  …   0
  zl     0   0  …   1 |  0   0  …   0
  g1     0   0  …   0 |  1   0  …   0
  h1     0   0  …   0 |  1   0  …   0
  g2     0   0  …   0 |  0   1  …   0
  h2     0   0  …   0 |  0   1  …   0
  …
  gk     0   0  …   0 |  0   0  …   1
  hk     0   0  …   0 |  0   0  …   1
  t      1   1  …   1 |  3   3  …   3

(The clause-column entries of the yi/zi rows depend on which clauses contain which literals; the ones shown are for one example formula. The rule is given on the next slide.)
Slide 19
1. Algorithm (cont.)
(yi,xj), (zi,xj) – 1 if i=j, 0 otherwise
(yi,cj) – 1 if cj contains variable xi, 0 otherwise
(zi,cj) – 1 if cj contains variable x’i, 0 otherwise
(gi,xj), (hi,xj) – 0
(gi,cj), (hi,cj) – 1 if i=j, 0 otherwise
Each row represents a decimal number.
S={y1,z1,..,yl,zl,g1,h1,…,gk,hk}
t is the last row in the table.
Slide 20
2. Reduction (⇒)
Given a variable assignment which satisfies Ф, find T.
1. If xi is true then yi is in T, else zi is in T
2. Add gi and/or hi to T so that each of the last k digits of the sum of T becomes 3.
Slide 21
3. Reduction (⇐)
Given T, a subset of S which sums to t, find a variable assignment which satisfies Ф.
1. If yi is in T then xi is true
2. If zi is in T then xi is false
Slide 22
4. Polynomial
Table size is (k+l)², i.e. O(n²) in the size n of the formula
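The whole procedure of slides 14 to 22 as runnable code, added here and not taken from the slides: the table of slides 18 and 19 built as decimal numbers, the polynomial-time certificate check that puts SUBSET-SUM in NP (slides 14 and 15), both directions of the reduction (slides 20 and 21), and an exact SUBSET-SUM decider so the equivalence can be checked on the formula from slide 12 and on a constructed unsatisfiable formula. The literal encoding, the function names and the two sample formulas PHI and UNSAT are this example's own choices; clauses are assumed to mention three distinct variables, as the table does.

```python
from itertools import product

# Added example (not from the slides).  A literal is (variable_index, negated)
# with variables numbered 1..l; a clause is a tuple of three such literals.


def build_subset_sum(clauses, num_vars):
    """Construct (S, t) exactly as the table on slides 18-19 prescribes.

    Digit positions, most significant first: x1..xl, then c1..ck.
    y_i / z_i: 1 in column x_i, plus 1 in column c_j when c_j contains
    x_i (for y_i) or x'_i (for z_i).  g_j / h_j: 1 in column c_j only.
    Every column sums to at most 5, so decimal addition never carries.
    S is returned as a dict so each row keeps its name.
    """
    l, k = num_vars, len(clauses)

    def as_number(digits):
        return int("".join(map(str, digits)))

    S = {}
    for i in range(1, l + 1):
        for name, negated in ((f"y{i}", False), (f"z{i}", True)):
            digits = [0] * (l + k)
            digits[i - 1] = 1
            for j, clause in enumerate(clauses):
                if (i, negated) in clause:
                    digits[l + j] = 1
            S[name] = as_number(digits)
    for j in range(1, k + 1):
        digits = [0] * (l + k)
        digits[l + j - 1] = 1
        S[f"g{j}"] = S[f"h{j}"] = as_number(digits)
    t = as_number([1] * l + [3] * k)
    return S, t


def verify_certificate(S, t, T):
    """Slides 14-15: a proposed subset T (row names) is checked in polynomial time."""
    return len(set(T)) == len(T) and all(n in S for n in T) and sum(S[n] for n in T) == t


def subset_sum_exists(values, t):
    """Exact SUBSET-SUM decision by meet-in-the-middle: O(2^(n/2)) sums per half."""
    half = len(values) // 2

    def all_sums(items):
        sums = {0}
        for v in items:
            sums |= {s + v for s in sums}
        return sums

    right = all_sums(values[half:])
    return any(t - s in right for s in all_sums(values[:half]))


def satisfiable(clauses, num_vars):
    """Brute-force 3SAT over all 2^l assignments (fine for tiny l)."""
    for bits in product((False, True), repeat=num_vars):
        assignment = dict(enumerate(bits, start=1))
        if all(any(assignment[v] != neg for v, neg in c) for c in clauses):
            return True
    return False


def assignment_to_subset(assignment, clauses):
    """Slide 20: pick y_i or z_i per variable, then pad each clause digit to 3."""
    T = [f"y{i}" if assignment[i] else f"z{i}" for i in assignment]
    for j, clause in enumerate(clauses, start=1):
        true_literals = sum(assignment[v] != neg for v, neg in clause)
        T += [f"g{j}", f"h{j}"][: 3 - true_literals]
    return T


def subset_to_assignment(T, num_vars):
    """Slide 21: x_i is true iff y_i is in T."""
    chosen = set(T)
    return {i: f"y{i}" in chosen for i in range(1, num_vars + 1)}


# Constructed inputs.  PHI is slide 12's formula (x1 + x2 + x3)(x'1 + x3 + x4).
# UNSAT lists every clause over x1, x2, x3 with every sign pattern: each clause
# rules out exactly one assignment, so all eight together are unsatisfiable.
PHI = [((1, False), (2, False), (3, False)), ((1, True), (3, False), (4, False))]
UNSAT = [tuple((v, bool(b)) for v, b in zip((1, 2, 3), bits))
         for bits in product((0, 1), repeat=3)]

if __name__ == "__main__":
    S, t = build_subset_sum(PHI, 4)
    T = assignment_to_subset({1: True, 2: False, 3: True, 4: False}, PHI)
    print(S, t, T, verify_certificate(S, t, T))
```

Run on PHI the target is 111133 and the subset {y1, z2, y3, z4, g1, g2, h2} sums to it; run on UNSAT neither the brute-force SAT check nor the exact SUBSET-SUM decider finds anything, which is the "if and only if" of slide 16 checked in both directions.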
Slide 23
Back to cryptology
• P=NP is still an open question
• factorization is not known to be NP-complete
• cipher based on a known NP-complete problem
Slide 24
Knapsack Cipher [Merkle and Hellman, ’78]
• Public Key: {a1,a2,…,an} set of integers
• Plain Text: x1…xn (bits)
• Cipher Text: s = x1·a1 + x2·a2 + … + xn·an   (s = Σ_{i=1}^{n} xi·ai)
Slide 25
Decryption
• Based on an easier problem
• {a1,a2,…,an} is a superincreasing sequence: ai > a1 + a2 + … + a(i−1) for every i   (ai > Σ_{j=1}^{i−1} aj)
Slide 26
Linear Time Decryption
• xn = 1 iff s > a1 + a2 + … + a(n−1)   (s > Σ_{i=1}^{n−1} ai; since the sequence is superincreasing this is the same as s ≥ an)
• Solve it recursively on {a1,a2,…,a(n−1)} and s − xn·an
Slide 27
How to build the keys?
• Modular multiplication (Merkle and Hellman)
• Start with a superincreasing sequence {b1,b2,…,bn}
• Choose M and W such that M > b1 + b2 + … + bn   (M > Σ_{i=1}^{n} bi) and GCD(M, W) = 1
• Compute {a1,a2,…,an} as ai = (bi · W) mod M
Slide 28
Decryption
• c = (s · W⁻¹) mod M, where (W⁻¹ · W) mod M = 1
• Solve the subset sum problem with the superincreasing sequence {b1,b2,…,bn} and sum c.
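Slides 24 to 28 as working code, added for this transcript and not taken from Merkle and Hellman or from the slides: key generation with the three checks a key generator must enforce (b superincreasing, M larger than the sum of b, GCD(W, M) = 1), encryption as the sum of the selected ai, and decryption by the modular inverse followed by the linear-time superincreasing solver of slide 26. The fixed toy key (b = {2,3,6,13,27,52}, M = 105, W = 31), the random key generator and all function names are this example's own; the generator follows slide 29's sizing only in spirit. The scheme is shown because the slides discuss it, not as something to deploy: slides 32 to 35 explain why it is broken.

```python
import random
from math import gcd

# Added example (not from the slides): Merkle-Hellman knapsack cipher with the
# key checks, encryption and linear-time decryption of slides 24-28.


def is_superincreasing(seq):
    """Slide 25: every element exceeds the sum of all elements before it."""
    running = 0
    for value in seq:
        if value <= running:
            return False
        running += value
    return True


def make_keys(b, M, W):
    """Slide 27: public key a_i = (b_i * W) mod M from the secret (b, M, W).
    The three checks are what makes the trapdoor work at all."""
    if not is_superincreasing(b):
        raise ValueError("b must be superincreasing")
    if M <= sum(b):
        raise ValueError("M must exceed the sum of b")
    if gcd(W, M) != 1:
        raise ValueError("W must be invertible mod M")
    public = [(bi * W) % M for bi in b]
    return public, (list(b), M, W)


def generate_private_key(n, seed=None):
    """Constructed generator in the spirit of slide 29: each b_i is the running
    sum plus a random offset in [2^n, 2^(n+1)), so b_1 ~ 2^n and b_n ~ 2^(2n)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    b, running = [], 0
    for _ in range(n):
        bi = running + rng.randrange(2 ** n, 2 ** (n + 1))
        b.append(bi)
        running += bi
    M = running + rng.randrange(1, 2 ** n)   # M > sum(b) by construction
    while True:
        W = rng.randrange(2, M)
        if gcd(W, M) == 1:
            return b, M, W


def encrypt(public, bits):
    """Slide 24: s = sum of a_i over the positions where x_i = 1."""
    if len(bits) != len(public) or any(x not in (0, 1) for x in bits):
        raise ValueError("plaintext must be a bit vector of length n")
    return sum(a for a, x in zip(public, bits) if x)


def solve_superincreasing(b, target):
    """Slide 26, iteratively from the largest element down: x_i = 1 iff the
    remaining sum exceeds b_1 + ... + b_(i-1).  Linear time after prefix sums."""
    prefix = [0]
    for value in b:
        prefix.append(prefix[-1] + value)
    bits, remaining = [0] * len(b), target
    for i in range(len(b) - 1, -1, -1):
        if remaining > prefix[i]:        # prefix[i] = sum of elements before b[i]
            bits[i] = 1
            remaining -= b[i]
    if remaining != 0:
        raise ValueError("no subset of b sums to the target")
    return bits


def decrypt(private, s):
    """Slide 28: c = s * W^-1 mod M, then solve the easy knapsack on b."""
    b, M, W = private
    c = (s * pow(W, -1, M)) % M          # pow(W, -1, M): modular inverse, Python 3.8+
    return solve_superincreasing(b, c)


def roundtrip(n, seed):
    """Encrypt a random n-bit block under a fresh key and check decryption."""
    rng = random.Random(seed)
    public, private = make_keys(*generate_private_key(n, seed))
    bits = [rng.randrange(2) for _ in range(n)]
    return decrypt(private, encrypt(public, bits)) == bits


if __name__ == "__main__":
    public, private = make_keys([2, 3, 6, 13, 27, 52], 105, 31)
    s = encrypt(public, [0, 1, 1, 0, 0, 0])
    print(public, s, decrypt(private, s))
```

With the toy key the public key is {62, 93, 81, 88, 102, 37}; the plaintext 011000 encrypts to 93 + 81 = 174, and 174 · 31⁻¹ mod 105 = 9 = 3 + 6, which the superincreasing solver recovers as 011000. Note how little the public key hides when b is tiny, which is slide 29's "bi small → easy to break" trade-off.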
Slide 29
Trade offs
• bi large → M large → n plaintext bits are encoded with log2 M bits
• bi small → easy to break
– If bi = 1 then ai = W.
– Break in O(n)
• Merkle and Hellman recommended:
b1 ≈ 2^n, bn ≈ 2^(2n), and each bi exceeds the sum of the earlier terms by about 2^n   (bi ≈ 2^n + Σ_{j=1}^{i−1} bj for 1 < i ≤ n)
Slide 30
Evaluation
+ speed (100 times faster than RSA)
− needs twice the communication capacity (m bits encoded into approximately 2m bits)
− larger public key (2n² bits: 20,000 for n=100, versus 500 for RSA)
? security
Slide 31
Knapsack Cipher - Summary
• Secret – superincreasing sequence {b1,b2,…,bn}, M, W
• Public – {a1,a2,…,an}
Remember: ai = (bi · W) mod M
Slide 32
Shamir’s break (’82)
• based on the choice of superincreasing sequence
• linear transformation to generate public key
• What do we need to guess ?
(Only one of W and M is enough)
Slide 33
Shamir’s break (cont.)
Given the public key {a1,a2,…,an}, find M and W such that (ai · W) mod M is a superincreasing sequence.
b1 = (ai · W) mod M, so b1 = ai·W + k1·M for some integer k1
b1/(M·ai) = W/M + k1/ai
b2/(M·aj) = W/M + k2/aj
b1/(M·ai) − b2/(M·aj) = k1/ai − k2/aj
| k1/ai − k2/aj | < 2^(−3n)
Slide 34
Shamir’s break (cont.)
Now a lot of math follows …
Main steps:
- Find ki’s, which gives an approximation of W/M
- Find a pair W’/M’ close to W/M which generates a superincreasing sequence
- W’,M’, and superincreasing sequence are different from the secret key
Slide 35
A little bit of history
• Some knapsack cryptosystems were broken by the late ’70s
• ’82 polynomial time break against singly iterated Merkle-Hellman cryptosystem [Shamir]
• ’85 break against multiple iterated Merkle-Hellman cryptosystem [Brickell]
• Low density knapsack [Brickell, Lagarias and Odlyzko]
Most knapsack cryptosystems broken.
Few resisted – Chor-Rivest (’85)
Slide 36
Conclusion
• Computer Science doesn’t yet have adequate tools to prove that a problem is hard
• We can base ciphers on ‘known’ hard problems like subset sum
• We have to be careful
– NP-complete means it is hard to get the right answer to all instances
– To break a cipher, one only needs to probabilistically get close to the right answer for specific instances most of the time