
Lecturer: Moni Naor Weizmann Institute of Science

Theoretical Cryptography Lecture 1: Introduction, Standard Model of Cryptography, Identification, One-way functions. Lecturer: Moni Naor Weizmann Institute of Science. What is Cryptography?. Traditionally: how to maintain secrecy in communication. Alice and Bob talk while Eve tries to listen.


Presentation Transcript


  1. Theoretical Cryptography. Lecture 1: Introduction, Standard Model of Cryptography, Identification, One-way functions. Lecturer: Moni Naor, Weizmann Institute of Science

  2. What is Cryptography? Traditionally: how to maintain secrecy in communication. Alice and Bob talk while Eve tries to listen. (Figure: Alice, Bob, Eve.)

  3. History of Cryptography • Very ancient occupation. Biblical times: "How is Sheshach taken, and the praise of the whole earth seized! How is Babylon become a desolation among the nations!" (Jeremiah 51:41, where Sheshach is Babel written in the Atbash cipher, אתבש) • Egyptian hieroglyphs • Unusual ones ... • Many interesting books and sources, especially about the Enigma (WW2) • David Kahn, The Codebreakers, 1967 • Gaj and Orlowski, Facts and Myths of Enigma: Breaking Stereotypes, Eurocrypt 2003 • Not the subject of this course!

  4. Modern Times • Up to the mid 70's - mostly classified military work • Exceptions: Shannon, Turing • Since then - explosive growth • Commercial applications • Scientific work: tight relationship with Computational Complexity Theory • Major works: Diffie-Hellman; Rivest, Shamir and Adleman (RSA) • Recently - more involved models for more diverse tasks • Focus of this course: how to maintain the secrecy, integrity and functionality of computer and communication systems • Prevalence of the Internet: cryptography is in the news (daily!) • Cryptography is relevant to ``everyone'' - security and privacy issues for individuals

  5. Computational Complexity Theory • Study the resources needed to solve computational problems: computer time, computer memory, communication, parallelism, randomness, … • Identify problems that are infeasible to compute by any reasonable machine • Taxonomy: classify problems into classes with similar properties w.r.t. the resource requirements • Help find the most efficient algorithm for a problem • Examples of computational problems: multiplying two numbers; selecting a move in a chess position; finding the shortest tour visiting all cities • P=NP?

  6. The Traveling Salesman problem • Find the shortest tour visiting all cities

  8. Factoring numbers • Given two large (prime) numbers, producing the product: an `easy' computational problem • Given the product of two large prime numbers, finding them: a computationally difficult problem • Not quite exponential time, but still not achieved for thousand-bit numbers • Great progress since first considered for cryptography 35 years ago • Quantum computers can factor "efficiently" • One of the most useful problems for cryptography • Current record: RSA-768

  9. Key Idea of Cryptography Use the intractability of some problems to our advantage in constructing secure systems • Almost any cryptographic task requires using this idea • Large research effort devoted to studying the relationship between cryptography and complexity • Our goal is to investigate this relationship

  10. Administrivia • Instructor: Moni Naor • When: Tuesday 14:00--16:00 • Where: Ziskind 1 ? • Home page of the course: www.wisdom.weizmann.ac.il/~naor/COURSE/theoretical_crypto.html • Method of evaluation: several homework assignments and a final (in class) exam. Also must prepare notes for (at least) one lecture. • Homework assignments should be turned in on time! • Try to do as many problems from each set as you can. • You may discuss the problems with other students, but the write-up should be individual. • There will also be reading assignments.

  11. Official Description • Cryptography deals with methods for protecting the privacy, integrity and functionality of computer and communication systems. • The goal of the Theoretical Cryptography course is to address the foundations of cryptography and in particular the relationship with computational complexity theory.

  12. Topics Covered • The standard model of cryptography • Notions of security of a cryptosystem: signature and encryption schemes • Proof techniques for demonstrating security • Cryptographic primitives: one-way functions and trapdoor permutations • Zero-knowledge proofs • Fully homomorphic encryption and secure function evaluation

  13. Relationship with "Practical Cryptography" • A sequence of two courses in cryptography will be offered this year (in the same time slot): "Theoretical Cryptography", taught by Moni Naor in the first semester, and "Practical Cryptography", taught by Adi Shamir in the second semester • These are two independent but complementary courses • Attending both is highly recommended

  14. What you will learn in this course • How to specify a cryptographic task • How to specify a solution • Relationship with complexity assumptions

  15. Lectures Outline • Identification, authentication and encryption • One-way functions and their essential role in cryptography • Amplification: from weak to strong one-way functions • Universal hashing and authentication • One-way hashing • Signature schemes: existential unforgeability • Pseudo-randomness: pseudo-random generators, hardcore predicates, pseudo-random functions and permutations • Semantic security and indistinguishability of encryptions • Zero-knowledge proofs and arguments • Chosen ciphertext attacks and non-malleability • Fully homomorphic encryption • Oblivious transfer and secure function evaluation

  16. Typical Scenario in Cryptography Want to maintain secrecy in communication: Alice and Bob talk while Eve tries to listen. (Figure: Alice, Bob, Eve.)

  17. Modeling an Attack Foundations of Cryptography: rigorous specification of the security of protocols • The power of the adversary: access to the system, computational power • What it means to break the system • "Standard model" (Figure: the ciphertext $E_k(m)$ on the channel between Alice and Bob.)

  18. Adversarial Models STANDARD MODEL: • Abstract models of computation: interactive Turing machines, private memory, randomness, ... • Well-defined adversarial access • Can model powerful attacks REAL LIFE: • Physical implementations leak information • Adversarial access not always captured by abstract models (Figure: the ciphertext $E_k(m)$ on the channel.)

  19. Adversarial Models Attacks - standard model: • Chosen-plaintext attacks • Chosen-ciphertext attacks • Composition • Self-referential encryption • Circular encryption • .... Attacks outside the standard model: • Timing attacks [Kocher 96] • Fault attacks [BDL 97, BS 97] • Power analysis [KJJ 99] • Cache attacks [OST 05] • Memory attacks [HSHCPCFAF 08] • ... (Figure: the ciphertext $E_k(m)$ on the channel.)

  20. Adversarial Models (same list of attacks inside and outside the standard model as on the previous slide) • Side channel: any information not captured by the abstract "standard" model

  21. Adversarial Models http://xkcd.com/538/

  22. Three Basic Issues in Cryptography • Identification • Authentication • Encryption

  23. Example: Identification • When the time is right, Alice wants to send an `approve' message to Bob • They want to prevent Eve from interfering • Bob should be sure that Alice indeed approves (Figure: Alice, Bob, Eve.)

  24. Rigorous Specification of Security To define the security of a system one must specify: • What constitutes a failure of the system • The power of the adversary: computational power, access to the system • What it means to break the system

  25. Specification of the Problem Alice and Bob communicate through a channel. Bob has two external states {N, Y}. Eve completely controls the channel. Requirements: • If Alice wants to approve and Eve does not interfere, Bob moves to state Y • If Alice does not approve, then for any behavior from Eve, Bob stays in N • If Alice wants to approve and Eve does interfere: no requirements on the external state

  26. Can we guarantee the requirements? • No – when Alice wants to approve she sends (and receives) a finite set of bits on the channel. Eve can guess them. • To the rescue - probability. • Want that Eve will succeed only with low probability. • How low? Related to the string length that Alice sends…

  27. Identification (Figure: Alice and Bob both hold the string X; Eve, on the channel, does not know it.)

  28. Suppose there is a setup period • There is a setup where Alice and Bob can agree on a common secret • Eve only controls the channel; she does not see the internal state of Alice and Bob (only the external state of Bob) • Simple solution: Alice and Bob choose a random string $X \in_R \{0,1\}^n$ • When Alice wants to approve, she sends X • If Bob gets any symbols on the channel, he compares them to X: if equal, he moves to Y; if not equal, he moves permanently to N

  29. Eve's probability of success • If Alice did not send X and Eve put some string X' on the channel, then Bob moves to Y only if X = X', and $\Pr[X = X'] \le 2^{-n}$ • Good news: can make it as small as we wish • What to do if Alice and Bob cannot agree on a uniformly generated string X?

  30. Less than perfect random variables • Suppose X is chosen according to some distribution $P_X$ over some set of symbols Γ • What is Eve's best strategy? • What is Eve's probability of success?

  31. (Shannon) Entropy Let X be a random variable over alphabet Γ with distribution $P_X$. The (Shannon) entropy of X is $H(X) = -\sum_{x \in \Gamma} P_X(x) \log P_X(x)$, where we take 0 log 0 to be 0. Represents how much we can compress X.

  32. Examples • If X = 0 (constant) then H(X) = 0 • The only case where H(X) = 0 is when X is constant • In all other cases H(X) > 0 • If Γ = {0,1}, Prob[X=0] = p and Prob[X=1] = 1-p, then $H(X) = -p \log p - (1-p) \log (1-p) \equiv H(p)$ • If Γ = {0,1}^n and X is uniformly distributed, then $H(X) = -\sum_{x \in \{0,1\}^n} \frac{1}{2^n} \log \frac{1}{2^n} = 2^n \cdot \frac{n}{2^n} = n$

  33. Properties of Entropy • Entropy is bounded: $H(X) \le \log |\Gamma|$, with equality only if X is uniform over Γ

  34. Does High Entropy Suffice for Identification? • If Alice and Bob agree on $X \in \{0,1\}^n$ where X has high entropy (say $H(X) \ge n/2$), what are Eve's chances of cheating? • Can be high: say $\Pr[X = 0^n] = 1/2$ and, for any $x \in 1\{0,1\}^{n-1}$, $\Pr[X = x] = 1/2^n$. Then $H(X) = n/2 + 1/2$, but Eve can cheat with probability at least 1/2 by guessing that $X = 0^n$.

  35. Another Notion: Min Entropy Let X be a random variable over alphabet Γ with distribution $P_X$. The min entropy of X is $H_{\min}(X) = -\log \max_{x \in \Gamma} P_X(x)$. The min entropy is determined by the probability of the most likely value of X. Property: $H_{\min}(X) \le H(X)$. Why?

  36. High Min Entropy and Passwords Claim: if Alice and Bob agree on X such that $H_{\min}(X) \ge m$, then the probability that Eve succeeds in cheating is at most $2^{-m}$. Proof: Make Eve deterministic by picking her best choice, $X' = x'$. Then $\Pr[X = x'] = P_X(x') \le \max_{x \in \Gamma} P_X(x) = 2^{-H_{\min}(X)} \le 2^{-m}$. Conclusion: passwords should be chosen to have high min-entropy!
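The entropy versus min-entropy contrast of slides 31-36, worked out in code. This is an added example, not part of the lecture: it computes $H(X)$ and $H_{\min}(X)$ for the slide-34 distribution (constructed here for n = 8) and shows that Eve's best deterministic guess succeeds with probability exactly $2^{-H_{\min}(X)}$, even though the Shannon entropy is about n/2.

```python
import math

def shannon_entropy(dist):
    """H(X) = -sum_x P_X(x) log2 P_X(x), taking 0 log 0 = 0 (slide 31)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def min_entropy(dist):
    """H_min(X) = -log2 max_x P_X(x) (slide 35)."""
    return -math.log2(max(dist.values()))

def eve_best_guess(dist):
    """Eve's optimal strategy is deterministic: put the most likely value on
    the channel.  Returns (guess, success probability) = (x*, 2^-H_min(X))."""
    x_star = max(dist, key=dist.get)
    return x_star, dist[x_star]

def skewed_distribution(n):
    """Slide 34's high-entropy but guessable X over {0,1}^n (constructed, n >= 2):
    Pr[X = 0^n] = 1/2 and Pr[X = x] = 2^-n for every x that begins with 1."""
    dist = {"0" * n: 0.5}
    for i in range(2 ** (n - 1)):
        dist["1" + format(i, f"0{n - 1}b")] = 2.0 ** -n
    return dist

def uniform_distribution(n):
    """The ideal shared string of slide 28: X uniform over {0,1}^n."""
    return {format(i, f"0{n}b"): 2.0 ** -n for i in range(2 ** n)}

if __name__ == "__main__":
    n = 8
    for name, d in [("uniform", uniform_distribution(n)),
                    ("skewed", skewed_distribution(n))]:
        guess, p = eve_best_guess(d)
        print(f"{name:8s} H = {shannon_entropy(d):.2f}  H_min = {min_entropy(d):.2f}"
              f"  Eve guesses {guess} and wins w.p. {p}")
```

For n = 8 the skewed distribution has H = 4.5 bits but H_min = 1 bit, so Eve wins with probability 1/2; the uniform distribution has H = H_min = 8.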

  37. Good source on Information Theory: T. Cover and J. A. Thomas, Elements of Information Theory

  38. One-time vs. many times • This was good for a single identification. What about many sessions of identification? • Later…

  39. A different scenario – now Charlie is involved • Bob has no proof that Alice indeed identified herself (`approved') • If there are two possible verifiers, Bob and Charlie, they can each pretend to the other to be Alice • They could each have their own string • But assume that they share the setup phase: whatever Bob knows, Charlie knows • Relevant when there are many possible verifiers!

  40. The new requirement • If Alice wants to approve and Eve does not interfere, Bob moves to state Y • If Alice does not approve, then for any behavior from Eve and Charlie, Bob stays in N • Similarly if Bob and Charlie are switched (Figure: Alice, Bob, Charlie, Eve.)

  41. Can we achieve the requirements? • Observation: what Bob and Charlie received in the setup phase might as well be public • Therefore can reduce to the previous scenario (with no setup)… • To the rescue - complexity: Alice should be able to perform something that neither Bob nor Charlie (nor Eve) can do • Must assume that the parties are not computationally all-powerful!

  42. Functions and inversions • We say that a function f is hard to invert if given y = f(x) it is hard to find x' such that y = f(x') • x' need not be equal to x • We will use $f^{-1}(y)$ to denote the set of preimages of y • To discuss "hard" we must specify a computational model • Use two flavors: concrete and asymptotic

  43. Computational Models • Asymptotic: Turing machines with a random tape • For classical models the precise model does not matter, up to a polynomial factor • Both the algorithm for evaluating f and the adversary are modeled by PTMs (Figure: a Turing machine with an input tape and a random tape.)

  44. One-way functions - asymptotic A function $f: \{0,1\}^* \to \{0,1\}^*$ is called a one-way function if • f is a polynomial-time computable function • There is also a polynomial relationship between input and output length • For every probabilistic polynomial-time algorithm A, every positive polynomial p(·), and all sufficiently large n: $\Pr[A(f(x)) \in f^{-1}(f(x))] \le 1/p(n)$, where x is chosen uniformly in $\{0,1\}^n$ and the probability is also over the internal coin flips of A

  45. Computational Models • Concrete: Boolean circuits (example) • The precise model makes a difference • Time = circuit size (Figure: a circuit with input and output wires.)

  46. One-way functions – concrete version A function $f: \{0,1\}^n \to \{0,1\}^n$ is called a (t,ε) one-way function if • f is a polynomial-time computable function (independent of t) • For every t-time algorithm A, $\Pr[A(f(x)) \in f^{-1}(f(x))] \le \varepsilon$, where x is chosen uniformly in $\{0,1\}^n$ and the probability is also over the internal coin flips of A • Can either think of t and ε as being fixed, or as t(n), ε(n) (Figure: a circuit.)

  47. Complexity Theory and One-way Functions • Claim: if P=NP then there are no one-way functions. Proof: for any one-way function $f: \{0,1\}^n \to \{0,1\}^n$ consider the language $L_f$ consisting of strings of the form $(y, b_1, b_2, \ldots, b_k)$ such that there is an $x \in \{0,1\}^n$ with $y = f(x)$ and the first k bits of x are $b_1, b_2, \ldots, b_k$. $L_f$ is in NP: guess x and check. If $L_f$ is in P then f is invertible in polynomial time: self-reducibility.
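The self-reducibility argument of slide 47, carried out in code. This is an added example, not from the lecture: `f` is a toy stand-in (the first n bits of SHA-256, a constructed choice), the decision oracle for $L_f$ is simulated by exhaustive search (so n must stay small), and `invert_via_Lf` recovers a preimage of y with n + 1 oracle queries, one bit at a time. If $L_f$ were in P the oracle would run in polynomial time and so would the inverter.

```python
import hashlib

def f(x: int, n: int) -> int:
    """Toy stand-in for f: {0,1}^n -> {0,1}^n (first n bits of SHA-256 of x).
    Only the reduction matters here; one-wayness of this f is not claimed."""
    digest = hashlib.sha256(x.to_bytes((n + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - n)

def in_Lf(y: int, prefix: list, n: int) -> bool:
    """Decision oracle for L_f = {(y, b_1..b_k): some x with f(x) = y has first
    k bits b_1..b_k}.  L_f is in NP (guess x, check); the oracle is simulated
    here by brute force over all of {0,1}^n, so this is only for small n."""
    k = len(prefix)
    target = int("".join(map(str, prefix)), 2) if k else 0
    return any(f(x, n) == y for x in range(2 ** n) if (x >> (n - k)) == target)

def invert_via_Lf(y: int, n: int):
    """Self-reducibility: using only membership answers for L_f, build a
    preimage of y bit by bit.  Returns None if y is not in the image of f."""
    if not in_Lf(y, [], n):
        return None
    bits = []
    for _ in range(n):
        # Invariant: some preimage of y starts with `bits`.  Try extending
        # with 0; if no preimage continues that way, the next bit must be 1.
        bits.append(0 if in_Lf(y, bits + [0], n) else 1)
    return int("".join(map(str, bits)), 2)

if __name__ == "__main__":
    n = 10
    x0 = 0b1011001110                     # constructed sample input
    y = f(x0, n)
    x = invert_via_Lf(y, n)
    print(f"f({x0}) = {y}; recovered preimage {x} with f({x}) = {f(x, n)}")
```

As slide 42 notes, the recovered x need not equal the original x0; it is guaranteed only to satisfy f(x) = y.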

  48. A few properties and questions concerning one-way functions • Major open problem: connect the existence of one-way functions and the P=NP? question • If f is one-to-one it is called a one-way permutation. In what complexity class does the problem of inverting one-way permutations reside? (good exercise!) • If f is a one-way function, is f' where f'(x) is f(x) with the last bit chopped necessarily a one-way function? • If f is a one-way function, is $f_L$ where $f_L(x)$ consists of the first half of the bits of f(x) necessarily a one-way function? (good exercise!) • If f is a one-way function, is g(x) = f(f(x)) necessarily a one-way function? (good exercise!)

  49. Solution to the password problem • Assume that $f: \{0,1\}^n \to \{0,1\}^n$ is a (t,ε) one-way function and that the adversary's run time is bounded by t • Setup phase: Alice chooses $x \in_R \{0,1\}^n$, computes y = f(x), and gives y to Bob and Charlie • When Alice wants to approve, she sends x • If Bob gets any symbols on the channel, call them z; he computes f(z) and compares it to y: if equal, he moves to state Y; if not equal, he moves permanently to state N

  50. Eve's and Charlie's probability of success • If Alice did not send x and Eve (or Charlie) put some string x' on the channel to Bob, then Bob moves to state Y only if f(x') = y = f(x) • But we know that $\Pr[A(f(x)) \in f^{-1}(f(x))] \le \varepsilon$, or else we can use Eve to break the one-way function: the time and probability of success of breaking the identification scheme by Eve are the same as the time and probability of inverting f by an algorithm A' that runs Eve on y and outputs her x' • Good news: if ε can be made as small as we wish, then we have a good scheme • Can be used for monitoring • Similar to the Unix password scheme: f(x) is stored in the login file, and DES is used as the one-way function (password = key, and encryption of '0') (Figure: A' feeds y to Eve and outputs her x'.)
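The identification scheme of slides 49-50 (and, with f removed, the shared-string scheme of slide 28) as a runnable protocol. This is an added example, not code from the lecture; SHA-256 stands in for the (t,ε) one-way function, the 128-bit length of x is a constructed parameter, and the verifier is the two-state machine of the slides, which locks in N after any interference.

```python
import hashlib
import secrets

N_BYTES = 16   # n = 128 bits for x (constructed parameter)

def f(x: bytes) -> bytes:
    """Stand-in for the (t, eps) one-way function of slide 49: SHA-256.
    The Unix scheme of slide 50 used DES keyed with the password instead."""
    return hashlib.sha256(x).digest()

class Verifier:
    """Bob or Charlie: stores only y = f(x) and an external state in {N, Y}.
    A mismatch moves the state permanently to N (slides 28 and 49)."""
    def __init__(self, y: bytes):
        self.y = y
        self.state = "N"
        self.locked = False

    def receive(self, z: bytes) -> str:
        if not self.locked:
            if f(z) == self.y:
                self.state = "Y"
            else:
                self.state, self.locked = "N", True
        return self.state

def setup():
    """Alice picks x uniformly from {0,1}^n, computes y = f(x) and hands y to
    every verifier; by the observation on slide 41, y may as well be public."""
    x = secrets.token_bytes(N_BYTES)
    return x, f(x)

def run_protocol():
    """Returns the external states reached in three situations."""
    x, y = setup()
    bob = Verifier(y)
    honest = bob.receive(x)      # Alice approves, no interference: Y

    # Charlie (or Eve) knows y but not x.  Replaying y, or any other guess z,
    # is rejected unless f(z) = y, i.e. unless f has been inverted.
    bob2 = Verifier(y)
    cheat = bob2.receive(y)      # N, and this verifier is now locked
    after = bob2.receive(x)      # stays N: interference already happened
    return honest, cheat, after

if __name__ == "__main__":
    print(run_protocol())        # ('Y', 'N', 'N')
```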
