security and cryptography december 4, 2001 portions stolen from prof. sahai (spring 2001)

Security and Cryptography

December 4, 2001December 4, 2001 Portions stolen from Prof. Sahai Portions stolen from Prof. Sahai (spring 2001)(spring 2001)

AdministriviaAdministrivia

oHomework assignment 7 due todayHomework assignment 7 due todayoHomework Assignment 8 due January 7,2002Homework Assignment 8 due January 7,2002oHomework 9Homework 9

o Part a due next Tuesdayo Part b due next Thursdayo Part c due next Friday

oLab 8 this weekLab 8 this weekoNo lab next weekNo lab next weekoGuest lecturer(s) ThursdayGuest lecturer(s) ThursdayoFinal Exam CS 104 01/23/2002@8:30 AMFinal Exam CS 104 01/23/2002@8:30 AM

Last Time• We saw examples of undecidable problems that

computers can’t solve

• We saw examples of search problems that we believe computers can’t solve quickly.

““Easy” undecidable Easy” undecidable problemsproblems

Halting ProblemHalting Problem

Post's Correspondence Problem Post's Correspondence Problem (PCP)?(PCP)?

Post's Correspondence Problem (PCP)?Post's Correspondence Problem (PCP)?

AnAn instance of Post's instance of Post's correspondence problem of size correspondence problem of size ss is is a finite set of pairs of strings (a finite set of pairs of strings (ggii , , hhii) ) ( ( i i = 1...s s>=1) over some alphabet = 1...s s>=1) over some alphabet . A solution is a sequence . A solution is a sequence ii11 i i22 ... ... iinn of selections such that the strings of selections such that the strings ggi1i1ggi2i2 ... g ... ginin and and hhi1i1hhi2i2 ... h ... hinin formed by formed by concatenation are identical. concatenation are identical.

Sample PCPSample PCP

gg1 1 = aba= aba hh1 1 = abaa= abaa

gg2 2 = bbab= bbab hh2 2 = abab= abab

gg3 3 = baaa= baaa hh3 3 = a= a

gg4 4 = a= a hh4 4 = bb= bb

So, 1,3,1,2 would correspond toSo, 1,3,1,2 would correspond to

aba baaa aba bbab from g’saba baaa aba bbab from g’s

abaa a abaa abab from h’s (not a match)abaa a abaa abab from h’s (not a match)

Sample PCP (cont.)Sample PCP (cont.)

gg1 1 = aba= aba h h1 1 = abaa= abaa

gg2 2 = bbab= bbab h h2 2 = abab= abab

gg3 3 = baaa= baaa h h3 3 = a= a

gg4 4 = a= a h h4 4 = bb= bb

1,4,2,1,31,4,2,1,3aba a bbab aba baaaaba a bbab aba baaaabaa bb abab abaa aabaa bb abab abaa a

PCP is undecidablePCP is undecidable

Post's correspondence problem shown Post's correspondence problem shown to be undecidable by Post in 1946.to be undecidable by Post in 1946.The problem with size 2 has been The problem with size 2 has been proved decidable. proved decidable. The problem with size 7 has been The problem with size 7 has been proved undecidable. proved undecidable. The decidablility of problems with size The decidablility of problems with size between 3 and 6 is still pending.between 3 and 6 is still pending.

Last Time – hard search problems• We saw examples of search problems that we

believe computers can’t solve quickly.

• A search problem is a problem where

• Is hard to find solution

• Is easy to check possible solution

• A complete search problem is as hard as any search problem

• Search problem is believed to be hard because

• We can’t solve it

• No one else can

• No one can solve any of the complete search problems

Classes of search problems• In computer-science terminology:

• NP = All Search Problems

• P = Problems we can solve quickly

• We believe that P NP, i.e. not every search problem can be solved quickly on a computer.

• Search problem is NP but not P are used in situations where we want a problem that is

• Hard to solve

• Easy to check a solution.

Coloring

Coloring (cont.)• We can build a computer as a coloring problem

• Build simulations of gates

• NOT, AND, OR

• Combine simulations to build circuit for, e.g. Carry-ripple adder

• Result

• Here is a graph,

• Color a few circles to mark inputs

• Find a valid coloring of all circles

• Read off values of output circles to get result

Coloring (cont.)• Coloring is complete

• In particular, we can reduce solving any search problem to finding a valid coloring for some collection of circles!

• So, if we could solve Coloring quickly, then

P = NP

• That’s why we believe Coloring can’t be solved quickly by any computer.

• We call such problems NP-Complete.

NP-complete problemsNP-complete problems

ColoringColoringTraveling Salesman ProblemTraveling Salesman ProblemKnapsack problemKnapsack problemPartition ProblemPartition Problem

Knapsack problemKnapsack problem

We are given a set of items each We are given a set of items each having a weight measured by an having a weight measured by an integerinteger We are given a capacity for the We are given a capacity for the knapsackknapsackWe ask if we can We ask if we can exactlyexactly pack the pack the knapsackknapsack

Sample Knapsack problemSample Knapsack problem

Item weights 2,4,9,13,17,23,32,70,123,157Item weights 2,4,9,13,17,23,32,70,123,157

Capacity is 228Capacity is 228Packing 157 + 32 + 17 + 13 + 9Packing 157 + 32 + 17 + 13 + 9

Capacity is 226Capacity is 226Packing (there are none)Packing (there are none)

Partition problemPartition problem

We are given a set of items each We are given a set of items each having a weight measured by an having a weight measured by an integerinteger We are asked if we can divide the We are asked if we can divide the items into 2 groups that have the items into 2 groups that have the same total weights.same total weights.

Like a knapsack problemLike a knapsack problem Weight is half of total weight

Sample Partition problemSample Partition problem

Item weights 2,4,9,13,17,23,32,70,123,157Item weights 2,4,9,13,17,23,32,70,123,157

Total weight is 450Total weight is 450Packing 123 + 70 + 32 = 225Packing 123 + 70 + 32 = 225Packing 157 + 23 + 17 + 13 + 9 + 4 + 2 = 225Packing 157 + 23 + 17 + 13 + 9 + 4 + 2 = 225

Why is this different from the PCP?Why is this different from the PCP?

Other Hard Problems?

• There are other problems besides NP-Complete Problems that we also believe are hard.

• Can we be sure?

• No.

• But humanity has been trying to solve certain mathematical problems for centuries.

• So. it seems reasonable to assume that nobody will figure out how to solve them soon.

Cryptography

• Why do we care so much about hard problems?

• Because sometimes we want to make things hard.

• Protecting Privacy, Authenticity

• Want to make it hard for adversaries to:

• Steal our credit cards

• Impersonate us

• Etc.

• Makes it possible for companies to protect intellectual property.

Cryptography

• Science of making things hard for adversaries = Cryptography

• Dates back to Julius Caeser

• Caesar cipher – shift each character by a few places

• "UHWXUA WR URPH" encodes “RETURN TO ROME“

• Used extensively during WW 2 (and every other war)

• Used to encode passwords

• Used to prevent copying of software and data (e.g. DVD).

Requirements of a Requirements of a cryptosystemcryptosystem

Easy to encode messagesEasy to encode messages

Hard to decode messagesHard to decode messages

One Approach...One Approach...

It’s so complicated!It must be secure!

Cryptosystem XYZ(Patent Pending)


Cryptosystem XYZ Broken 2 Days After

Release!


• Unfortunately, this approach is often used in real life.

• This is one of the reasons why you hear about so many security systems being broken!

• Examples: DVD encryption (DeCSS),Cell phones in Europe

(GSM), encoding of fonts by Adobe, many many more

More sophisticated More sophisticated approachapproach

• Use the theory of hard search problemsand the notion of reducing one problem to another.

• Show that if you break this security system, you do so by solving some of the world’s greatest unsolved problems first!

Encryption

• The most basic problem in Cryptography is Encryption:

Alice Bob

PrivateMessage m

Encryption


Alice Bob

PrivateMessage m

Eve the eavesdropper

Encryption


Alice Bob

EncryptedMessage E(m)


Encryption

• Have to make it easy for Bob to recover m

• But hard for Eve to learn anything about m

Alice Bob



Public-Key Cryptography[Diffie-Hellman 1976]

Bob’sPublic Key

Bob’s Secret Key

Bob

• Everybody knows Bob’s published Public Key.

• Only Bob knows his secret key.

Public-Key Encryption

• Alice uses Bob’s public key to encrypt m.

• Bob uses his secret key to recover (decrypt) m.

Alice Bob


Public-Key Encryption

• Alice and Eve both know Bob’s public key.

• Eve must not be able to “break” the encryption even though she knows the public key.

Alice Bob



Basic Math Review

• Let’s recall some basic mathematics:

• A number p is called prime if its only factors are 1 and itself.

• Examples:

Basic Math Review



• Examples: 2, 3, 5, 7, 11, 13, 17, 19, …

Basic Math Review



• Examples: 2, 3, 5, 7, 11, 13, 17, 19, …

• There are lots of prime numbers.

• Fact: It is known how to check quickly if a number is prime or not.

• So, to find a big prime number, we can just keep generating large random numbers until we find a prime.

Basic Math Review

• Given two primes p and q, it is easy to multiply them together: N = pq

• But given N, how do you find p and q quickly?i.e. how do you factor N?

• Easy for small numbers (e.g. 6 or 35).

• For centuries, mathematicians have been trying to find ways to factor large numbers quickly. No one knows how!

• Factoring a 10,000 digit N would take centuries on the fastest computer in existence!

How do we know factoring is How do we know factoring is hard?hard?

Problem has a long historyProblem has a long history

Prizes are offeredPrizes are offered and have been for and have been for a long timea long time

Factoring progress happens slowlyFactoring progress happens slowly

http://www.rsa.com/rsalabs/challenges/factoring/

Factoring RSA-130 (4/10/96)Factoring RSA-130 (4/10/96)

RSA-130 = RSA-130 = 1807082088687404805951656164405905566271807082088687404805951656164405905566278102516769401349170127021450056662540248102516769401349170127021450056662540244048387341127590812303371781887966563184048387341127590812303371781887966563182013214880557 = 2013214880557 = 39685999459597454290161126162883786067539685999459597454290161126162883786067576449112810064832555157243 * 76449112810064832555157243 * 4553449864673597218840368689727440886434553449864673597218840368689727440886435630126320506960099904459956301263205069600999044599

Moore’s Law would add a digit or 2 every year.Moore’s Law would add a digit or 2 every year.

Basic Math & Crypto

• We want to make it so that if Eve the eavesdropper breaks our system, she would have to factor a very large number.

• We’ll (almost) do that.

Modular Arithmetic

• Ordinary Arithmetic:

… -4 -3 -2 -1 0 1 2 3 4 …

Modular Arithmetic

• Ordinary Arithmetic:

• Arithmetic Modulo N:

… -4 -3 -2 -1 0 1 2 3 4 …

N = 01

2

3…

(N – 3)

(N – 2)

(N – 1)

Modular Arithmetic

• Example: Arithmetic Modulo 12 (like Arithmetic on time)

• 3 + 11 (Modulo 12) =

• 2 – 4 (Modulo 12) =

• 5 * 4 (Modulo 12) =

• 4 * 3 (Modulo 12) =

Modular Arithmetic


• 3 + 11 (Modulo 12) = 2

• 2 – 4 (Modulo 12) =

• 5 * 4 (Modulo 12) =

• 4 * 3 (Modulo 12) =

Modular Arithmetic


• 3 + 11 (Modulo 12) = 2

• 2 – 4 (Modulo 12) = 10

• 5 * 4 (Modulo 12) =

• 4 * 3 (Modulo 12) =

Modular Arithmetic


• 3 + 11 (Modulo 12) = 2

• 2 – 4 (Modulo 12) = 10

• 5 * 4 (Modulo 12) = 8

• 4 * 3 (Modulo 12) =

Modular Arithmetic


• 3 + 11 (Modulo 12) = 2

• 2 – 4 (Modulo 12) = 10

• 5 * 4 (Modulo 12) = 8

• 4 * 3 (Modulo 12) = 0

The RSA Encryption Scheme

[Rivest Shamir Adleman 1978]

• Bob picks two large primes p and q, and computes: N = pq

• Fact: Because Bob knows p and q, he can pick numbers e and d such that:

• For all m: (me)d = m (Modulo N)

• Bob’s Public Key will be e, N

• Bob’s secret key will be d




• To Encrypt a message m, Alice computes:

• E(m) = me (Modulo N)




• To Encrypt a message m, Alice computes:


• To Decrypt, Bob computes:

• m = E(m)d (Modulo N)

The RSA Encryption Scheme• To Encrypt a message m, Alice computes:


• The only known way to compute m from E(m) involves factoring N.

• For Eve to break this system, she would have to solve a long-standing open problem in Mathematics.

• This is probably the most widely used Public-Key Encryption Scheme in the world.

• Look at Help on IE

Shifting Gears: Proofs…• Bob wants to convince Alice of the validity of

some statement (like “I really am Bob!”)

• But Bob doesn’t want to reveal his secrets to Alice in the process…

Alice Bob

Zero-Knowledge Proofs

• What is the least amount of information Bob can reveal, while still convincing Alice?

• Amazingly, it is possible for Bob to convince Alice of something without revealing any information at all!

• How can that be?

Magic TricksMagic Tricks

• Magic tricks are like zero-knowledge proofs:

• Good magic tricks reveal nothing about how they work.

• What makes a magic trick good?

A Magic TrickA Magic Trick• Two balls: Purple and Red, otherwise identical

• Blindfolded Magician

• You give a random ball to magician

A Magic Trick (cont.)A Magic Trick (cont.)• Magician tells you the color!

• Magician proves he can distinguish balls blindfolded.

• You learn nothing except this.

Abracadabra,Goobedy goo!

It is Red!

Wow! He’sso cool!

A Magic Trick (cont.)A Magic Trick (cont.)• You knew exactly what magician was going to do.

• And he did it!

• Since you knew to begin with, you could not have learned anything new!

It’s Red!

I knew hewould say that.

Zero KnowledgeZero Knowledge• What it means:

• Alice “knows” what is going to happen.

• CS-speak: Alice can simulate it herself!

Abracadabra,Goobedy goo!

It is Red!

Simulation

Another Magic TrickAnother Magic Trick• Magician asks you to think of either

• “Apple” or

• “Banana”

• Magician then gives you a sealed box.

Mind ReadingMind Reading• You tell Magician what you were thinking.

I was thinkingof a banana.

Banana

Mind Reading (cont.)Mind Reading (cont.)• Magician tells you to open box, and read piece of paper in box.

• Magician proves he can predict what you will say.

How did hedo that!!

Mind Reading (cont.)Mind Reading (cont.)• Again, you knew what was going to happen. Zero-Knowledge

I was thinkingof a banana.

Simulation

Banana

Mind Reading (cont.)Mind Reading (cont.)• But why was it convincing?

• Because Magician committed to his guess before you told him.

CryptographicCryptographicCommitmentCommitment

• Public Key Encryption Scheme

• To commit to a string x, I send y = E(x).

• To open the commitment, I reveal my secret key.

• Commitment is secret.

• And I can’t change my mind about x once I’ve sent the encryption.

NP-CompletenessNP-Completeness• Remember we can reduce any search problem to Coloring.

NP-Completeness (cont.)NP-Completeness (cont.)• “y is an encryption of a valid tax return”

reduction

ZK Proof for ZK Proof for ColoringColoring

• Input: Collection of circles.

• Magician Knows: Coloring using R, B, G

• First, Magician picks random permutation

: R,B,G R,B,G, and applies to coloring:

ZK Proof (cont.)ZK Proof (cont.)

ZK Proof: AnalysisZK Proof: Analysis• Suppose NO valid coloring exists.

• Then at least one pair of connected circles where colors equal.

Alice catches Magician cheating with probability at least 1/n2.

• Repeat protocol 100 n2 times, Alice catches Magician cheating almost always!

SimulatorSimulator

Simulated ZK ProofSimulated ZK Proof

ZK Proof: Analysis (cont.)ZK Proof: Analysis (cont.)• Only difference between real & simulated:

• In real life, commitments are to valid coloring.

• In simulator, commitments are to invalid coloring.

• But commitments are secret, by security of encryption scheme.

Simulator output and real life are indistinguishable.

Wrap-up

• Today we saw some examples illustrating techniques from modern cryptography:

• Encryption

• Zero Knowledge Proofs

security and cryptography december 4, 2001 portions stolen from prof. sahai (spring 2001)

Documents

search problem search

coloring slide

complete search problems

search problems p

examples of search problems

classes of search problems

result slide

abaa g