360 likes | 458 Views
Security through complexity Ana Nora Sovarel. Projects. Please fill one slot on the signup sheet. One meeting for each group. All members must agree. Turing Machine. Finite Control. 0. 0. 1. 1. 0. 0. 1. 0. 0. 0. Definition.
E N D
Projects Please fill one slot on the signup sheet. One meeting for each group. All members must agree.
Turing Machine FiniteControl 0 0 1 1 0 0 1 0 0 0
Definition • A Turing Machine is a 7-tuple (Q, ∑, Γ, δ, q0, qaccept, qreject) where Q, ∑, Γ are finite sets and • Q is the set of states • ∑ is the input alphabet • Γ is the tape alphabet • δ : Q X Γ Q X Γ X {L,R} is the transition function • q0 is the start state • qaccept is the accept state • qreject is the reject state, where qaccept ≠ qreject
Nondeterministic Turing Machine Finite Control 0 0 1 1 0 0 1 0 0 0 Finite Control Finite Control 0 0 1 1 0 0 1 0 0 0 0 0 0 1 0 0 1 0 0 0
Definition A Turing Machine is a 7-tuple (Q, ∑, Γ, δ, q0, qaccept, qreject) where Q, ∑, Γ are finite sets and • Q is the set of states • ∑ is the input alphabet • Γ is the tape alphabet • δ : Q X Γ P(Q X Γ X {L,R}) is the transition function • q0 is the start state • qaccept is the accept state • qreject is the reject state, where qaccept ≠ qreject
More Power? Does nondeterminism affect the power of Turing Machine? NO – more power means it recognizes more languages But, maybe it can do things faster …
Complexity Classes • P = decidable in polynomial time by a deterministic TM • NP = decidable in polynomial time by a nondeterministic TM
f(A) B A’s Input B’s Input Yes/No Reduction f – polynomial time transformation What we know about A and B? A is at most as hard as B ( can be easier if we find another way to solve it ) B is at least as hard as A.
More definitions … • NP-Hard = the set of problems Q such that any problem Q’ in NP is polynomial reducible to it. • NP-complete = the problems Q such that Q is in NP-Hard and Q is in NP
How do we prove a problem is hard? • Let A be a known hard problem • Find a polynomial transformation from A’s input to your problem’s input • Why it works? • If your problem is easy ( P ) then we can solve A easy ( P ). • So A is not hard. Contradiction • Need a hard problem to start with ….
Cook’s Theorem (‘71) SAT is NP-complete. ( SAT = given a boolean formula, is it satisfiable? ) 3SAT is NP-complete. Example: Ф(x1,x2,x3,x4)=(x1+x2+x3)(x’1+x3+x4)
Subset Sum Given a set {x1,x2,…,xn} of integers and an integer t, find {y1,y2,…,yk} a subset of {x1,x2,…,xn} such that:
Subset Sum To prove NP-complete: • Prove is in NP • Verifiable in polynomial time • Give a nondeterministic algorithm • Reduction from a known NP-complete problem to subset sum • Reduction from 3SAT to subset sum
Subset Sum is in NP sum = 0 A = {x1,x2,…,xn} for each x in A y choice(A) sum = sum + y if ( sum = t ) thensuccess A A – {y} done fail
Reduction Goal: Reduce 3SAT to SUBSET-SUM. How: Let Ф be a 3 conjunctive normal form formula. Build an instance of SUBSET-SUM problem (S, t) such that Ф is satisfiable if and only if there is a subset T of S whose elements sum to t. Prove the reduction is polynomial.
1. Algorithm Input: Ф - 3 conjunctive normal form formula Variables: x1, x2, …, xl Clauses: c1,c2,…,ck. Output: S, t such that Ф is satisfiable iff there is T subset of S which sums to t.
1. Algorithm (cont.) (yi,xj), (zi,xj) – 1 if i=j, 0 otherwise (yi,cj) – 1 if cj contains variable xi, 0 otherwise (zi,cj) – 1 if cj contains variable x’i, 0 otherwise (gi,xj), (hi,xj) – 0 (gi,cj), (hi,cj) – 1 if i=j, 0 otherwise Each row represents a decimal number. S={y1,z1,..,yl,zl,g1,h1,…,gk,hk} t is the last row in the table.
2. Reduction ‘’ Given a variable assignment which satisfies Ф, find T. • If xi is true then yi is in T, else zi is in T • Add gi and/or hi to T such all last k digits of T to be 3.
3. Reduction ‘’ Given T a subset of S which sums to t, find a variable assignment which satisfies Ф. • If yi is in T then xi is true • If zi is in T then xi is false
4. Polynomial Table size is (k+l)2 O(n2)
Back to cryptology • P=NP is still an open question • factorization is not known to be NP-complete • cipher based on a known NP-complete problem
Knapsack Cipher • Public Key: {a1,a2,…,an} set of integers • Plain Text: x1…xn • Cipher Text: [Merkle and Hellman, ’78]
Decryption • Based on an easier problem • {a1,a2,…,an} is a superincreasing sequence
Linear Time Decryption • xn = 1 iff • Solve it recursively on {a1,a2,…,an-1} and s - xnan
How to build the keys? • Modular multiplication (Merkle and Hellman) • Starts with superincreasing sequence {b1,b2,…,bn} • Choose M and W such that • Compute {a1,a2,…,an} such that
Decryption • C = (s W-1) mod M, where (W-1W) mod M = 1 • Solve subset sum problem with superincreasing sequence {b1,b2,…,bn} and sum c.
Trade offs • bi large M large n bits encoded with log2M bits • bi small easy to break • If bi = 1 aj = W. • Break O(n) • Merkle and Hellman recommended: b1 ≈ 2n, , bn ≈ 22n
Evaluation + speed ( 100 times faster than RSA ) • needs twice the communication capacity (m bits encoded into approximate 2m bits) • larger public key (2n2 bits, 20,000 for n=100, RSA - 500) ? security
Knapsack Cipher - Summary • Secret • superincreasing sequence {b1,b2,…,bn} • M • W • Public • {a1,a2,…,an} Remember:
Shamir’s break (’82) • based on the choice of superincreasing sequence • linear transformation to generate public key • What do we need to guess ? (Only one of W and M is enough)
Shamir’s break (cont.) Given the public key {a1,a2,…,an} find M and W such that (ai W) mod M is a superincreasing sequence. b1 = (ai W) mod M b1 = ai W + k1M b1/(Mai) = W/M + k1/ ai b2/(Maj) = W/M + k2/ aj b1/(Mai) - b2/(Maj) = k1/ ai - k2/ aj | k1/ ai - k2/ aj | < 2-3n
Shamir’s break (cont.) Now a lot of math follows … Main steps: • Find ki’s, which gives an approximation of W/M • Find a pair W’/M’ close to W/M which generates a superincreasing sequence • W’,M’, and superincreasing sequence are different from the secret key
A little bit of history • Some knapsack cryptosystems were broke by late ’70’s • ’82 polynomial time break against singly iterated Merkle-Hellman cryptosystem [Shamir] • ’85 break against multiple iterated Merkle-Hellman cryptosystem [Brickell] • Low density knapsack [Brickell, Lagarias and Odlyzko] Most knapsack cryptosystems broken Few resisted – Chor-Rivest (’85)
Conclusion • Computer Science doesn’t yet have adequate tools to a problem is hard • We can base ciphers on ‘known’ hard problems like subset sum • We have to be careful • NP-complete means is hard to get right answer to all instances • To break a cipher, only need to probabilistically get close to the right answer for specific instances most of the time