This text discusses the concepts of Turing machines, complexity classes, NP-completeness, and their relevance to security. It also examines the use of Turing machines in cryptography, specifically the Knapsack Cipher.
Projects Please fill one slot on the signup sheet. One meeting for each group. All members must agree.
Turing Machine (figure: a finite control reading one cell of a tape holding 0 0 1 1 0 0 1 0 0 0)
Definition • A Turing Machine is a 7-tuple (Q, Σ, Γ, δ, q0, qaccept, qreject) where Q, Σ, Γ are finite sets and • Q is the set of states • Σ is the input alphabet • Γ is the tape alphabet (Σ ⊆ Γ, and Γ contains the blank symbol) • δ : Q × Γ → Q × Γ × {L, R} is the transition function • q0 is the start state • qaccept is the accept state • qreject is the reject state, where qaccept ≠ qreject
Nondeterministic Turing Machine (figure: one finite control branching into several configurations, each with its own copy of the tape 0 0 1 1 0 0 1 0 0 0)
Definition • A Nondeterministic Turing Machine is a 7-tuple (Q, Σ, Γ, δ, q0, qaccept, qreject) where Q, Σ, Γ are finite sets and • Q is the set of states • Σ is the input alphabet • Γ is the tape alphabet • δ : Q × Γ → P(Q × Γ × {L, R}) is the transition function, where P denotes the power set: from one configuration the machine may have several successors, and the input is accepted if any branch reaches qaccept • q0 is the start state • qaccept is the accept state • qreject is the reject state, where qaccept ≠ qreject
More Power? Does nondeterminism affect the power of the Turing Machine? NO: a nondeterministic TM recognizes exactly the same languages as a deterministic one (more power would mean recognizing more languages). But maybe it can do things faster …
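A small simulator for the two definitions above, added here as an example and not taken from the slides. δ is stored as a set of successors per (state, symbol) pair, so a deterministic machine is just the special case with one successor, and all branches are explored breadth-first. The three machines (TM_0N1N, TM_ENDS00_N, TM_ENDS00_D), the "stay at cell 0 when moving left off the tape" convention and the shorthand that a missing δ entry means "reject" are this example's own choices. The last function checks on all short inputs that the nondeterministic and the deterministic machine for "ends in 00" accept the same strings, which is the point of the slide: nondeterminism changes the amount of work, not the language.

```python
from collections import deque
from itertools import product

BLANK = "_"


def make_tm(delta, sigma, start, accept="qacc", reject="qrej"):
    """Assemble the 7-tuple (Q, Sigma, Gamma, delta, q0, qaccept, qreject) as a dict.
    delta maps (state, symbol) -> set of (new_state, written_symbol, 'L'|'R').
    A missing (state, symbol) entry is shorthand for a move to qreject."""
    states = {start, accept, reject} | {s for s, _ in delta} | {t[0] for v in delta.values() for t in v}
    gamma = {BLANK} | set(sigma) | {sym for _, sym in delta} | {t[1] for v in delta.values() for t in v}
    return {"Q": states, "Sigma": set(sigma), "Gamma": gamma, "delta": delta,
            "q0": start, "qaccept": accept, "qreject": reject}


def run(tm, w, max_steps=10_000):
    """Explore every computation branch breadth-first; accept iff some branch accepts.
    A configuration is (state, tape, head).  Returns True/False, or None if the step
    bound is exhausted while branches are still alive."""
    delta, acc, rej = tm["delta"], tm["qaccept"], tm["qreject"]
    start = (tm["q0"], tuple(w) or (BLANK,), 0)
    frontier, seen, steps = deque([start]), {start}, 0
    while frontier and steps < max_steps:
        state, tape, head = frontier.popleft()
        steps += 1
        if state == acc:
            return True
        if state == rej:
            continue
        for new_state, sym, move in delta.get((state, tape[head]), ()):
            new_tape = tape[:head] + (sym,) + tape[head + 1:]
            new_head = max(head - 1, 0) if move == "L" else head + 1   # left edge: stay put
            if new_head == len(new_tape):                               # grow the tape with a blank
                new_tape += (BLANK,)
            cfg = (new_state, new_tape, new_head)
            if cfg not in seen:
                seen.add(cfg)
                frontier.append(cfg)
    return False if not frontier else None


def D(state, sym, move):
    """Deterministic transition: exactly one successor."""
    return {(state, sym, move)}


# Deterministic TM deciding {0^n 1^n : n >= 1}: cross off a 0 as X, run right, turn the
# first remaining 1 into Y, run back to the left, repeat; accept when only X/Y remain.
TM_0N1N = make_tm({
    ("q0", "0"): D("q1", "X", "R"), ("q0", "Y"): D("q3", "Y", "R"),
    ("q1", "0"): D("q1", "0", "R"), ("q1", "Y"): D("q1", "Y", "R"), ("q1", "1"): D("q2", "Y", "L"),
    ("q2", "0"): D("q2", "0", "L"), ("q2", "Y"): D("q2", "Y", "L"), ("q2", "X"): D("q0", "X", "R"),
    ("q3", "Y"): D("q3", "Y", "R"), ("q3", BLANK): D("qacc", BLANK, "R"),
}, sigma={"0", "1"}, start="q0")

# Nondeterministic TM for {w : w ends in 00}: on every 0 it may either keep scanning
# or guess "this is the final 00" and verify the guess.
TM_ENDS00_N = make_tm({
    ("q0", "0"): {("q0", "0", "R"), ("q1", "0", "R")},
    ("q0", "1"): D("q0", "1", "R"),
    ("q1", "0"): D("q2", "0", "R"),
    ("q2", BLANK): D("qacc", BLANK, "R"),
}, sigma={"0", "1"}, start="q0")

# The same language deterministically: the state remembers the last two symbols read.
TM_ENDS00_D = make_tm({
    ("s", "0"): D("s0", "0", "R"), ("s", "1"): D("s1", "1", "R"),
    ("s0", "0"): D("s00", "0", "R"), ("s0", "1"): D("s1", "1", "R"),
    ("s00", "0"): D("s00", "0", "R"), ("s00", "1"): D("s1", "1", "R"), ("s00", BLANK): D("qacc", BLANK, "R"),
    ("s1", "0"): D("s0", "0", "R"), ("s1", "1"): D("s1", "1", "R"),
}, sigma={"0", "1"}, start="s")


def all_strings(alphabet, max_len):
    for n in range(max_len + 1):
        for tup in product(sorted(alphabet), repeat=n):
            yield "".join(tup)


def same_language(tm_a, tm_b, max_len=6):
    """Finite sanity check (not a proof): both machines give the same verdict on every
    input of length <= max_len."""
    return all(run(tm_a, w) == run(tm_b, w) for w in all_strings({"0", "1"}, max_len))


if __name__ == "__main__":
    print("0011 in 0^n1^n:", run(TM_0N1N, "0011"), " 0101:", run(TM_0N1N, "0101"))
    print("NTM and DTM for 'ends in 00' agree up to length 6:", same_language(TM_ENDS00_N, TM_ENDS00_D))
```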
Complexity Classes • P = decidable in polynomial time by a deterministic TM • NP = decidable in polynomial time by a nondeterministic TM (equivalently: every yes-instance has a certificate that a deterministic TM can check in polynomial time)
Reduction (figure: A's input x → f → B's input f(x) → B → yes/no) f is a polynomial-time transformation of A's inputs into B's inputs that preserves the yes/no answer. What do we know about A and B? A is at most as hard as B (it can be easier, if we find another way to solve it); B is at least as hard as A.
More definitions … • NP-Hard = the set of problems Q such that every problem Q' in NP is polynomial-time reducible to Q • NP-complete = the problems Q that are both NP-hard and in NP
How do we prove a problem is hard? • Let A be a known hard problem • Find a polynomial-time transformation from A's inputs to your problem's inputs • Why does it work? • If your problem were easy (in P), then A could be solved easily (in P) as well, so A would not be hard. Contradiction. • We need a hard problem to start with …
Cook's Theorem ('71) SAT is NP-complete. (SAT: given a boolean formula, is it satisfiable?) 3SAT, where every clause has exactly three literals, is NP-complete as well. Example (writing + for OR, juxtaposition for AND and x' for NOT x): Ф(x1,x2,x3,x4) = (x1+x2+x3)(x'1+x3+x4)
Subset Sum Given a set {x1,x2,…,xn} of integers and an integer t, find a subset {y1,y2,…,yk} of {x1,x2,…,xn} such that y1 + y2 + … + yk = t.
Subset Sum To prove it NP-complete: • Prove it is in NP, either by showing a proposed subset is verifiable in polynomial time or by giving a nondeterministic polynomial-time algorithm • Reduce a known NP-complete problem to Subset Sum: here, a reduction from 3SAT
Subset Sum is in NP (nondeterministic algorithm; choice(A) guesses an element of A, and the machine succeeds if any sequence of guesses reaches t)
    sum = 0
    A = {x1, x2, …, xn}
    repeat at most n times:
        y = choice(A)
        sum = sum + y
        if sum = t then success
        A = A – {y}
    fail
Reduction Goal: reduce 3SAT to SUBSET-SUM. How: let Ф be a formula in 3-conjunctive normal form (3-CNF). Build an instance (S, t) of SUBSET-SUM such that Ф is satisfiable if and only if there is a subset T of S whose elements sum to t. Prove the reduction is polynomial.
1. Algorithm Input: Ф, a 3-CNF formula with variables x1, x2, …, xl and clauses c1, c2, …, ck. Output: S, t such that Ф is satisfiable iff there is a subset T of S that sums to t.
1. Algorithm (cont.) Build a table with one row per element of S and one decimal digit column per variable x1,…,xl followed by one per clause c1,…,ck: • (yi, xj), (zi, xj): 1 if i = j, 0 otherwise • (yi, cj): 1 if cj contains the literal xi, 0 otherwise • (zi, cj): 1 if cj contains the literal x'i, 0 otherwise • (gi, xj), (hi, xj): 0 • (gi, cj), (hi, cj): 1 if i = j, 0 otherwise Each row, read as a decimal number, is an element of S = {y1,z1,…,yl,zl,g1,h1,…,gk,hk}. t is the last row of the table: digit 1 in every variable column and digit 3 in every clause column.
2. Reduction (⇒) Given a variable assignment that satisfies Ф, find T: • If xi is true then yi is in T, else zi is in T • Add gi and/or hi to T so that each of the last k digits of the sum becomes 3 (a satisfied clause column already receives 1, 2 or 3 from the chosen yi/zi rows, so 2, 1 or 0 of gi, hi complete it)
3. Reduction (⇐) Given T, a subset of S that sums to t, find a variable assignment that satisfies Ф: • If yi is in T then xi is true • If zi is in T then xi is false (No column ever carries, since its digits sum to at most 5; so exactly one of yi, zi is in T for each variable column of t, and each clause column of t, being 3, gets at least 1 from some chosen yi/zi row, i.e. a true literal.)
4. Polynomial The table has 2l + 2k + 1 rows of l + k digits each, so its size is about (k + l)^2 = O(n^2), and every entry is computed in constant time.
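The four steps above carried out in code, as an added example that is not part of the slides. The table is built for the slide's formula Ф = (x1+x2+x3)(x'1+x3+x4), both directions of the proof are implemented as maps between assignments and subsets, and an exponential brute-force subset-sum search (fine for this tiny instance, never for the reduction itself) confirms the "iff". The literal encoding (+i for xi, -i for x'i) and the function names are the example's own choices.

```python
from itertools import combinations, product

# Constructed example, the slide's formula: (x1 + x2 + x3)(x'1 + x3 + x4).
# A literal is an int: +i for x_i, -i for the negated variable x'_i.
PHI = [(1, 2, 3), (-1, 3, 4)]
NUM_VARS = 4


def evaluate(clauses, assignment):
    """True iff every clause contains a literal made true by assignment (dict var -> bool)."""
    return all(any(assignment[abs(lit)] == (lit > 0) for lit in cl) for cl in clauses)


def reduce_3sat(num_vars, clauses):
    """Step 1: build (S, t).  S maps row name -> decimal number; the l leading digits are
    the variable columns x_1..x_l, the trailing k digits the clause columns c_1..c_k."""
    l, k = num_vars, len(clauses)
    var_digit = lambda i: 10 ** (l + k - i)   # column of x_i
    cl_digit = lambda j: 10 ** (k - j)        # column of c_j (1-based)
    S = {}
    for i in range(1, l + 1):
        S[f"y{i}"] = var_digit(i) + sum(cl_digit(j) for j, cl in enumerate(clauses, 1) if i in cl)
        S[f"z{i}"] = var_digit(i) + sum(cl_digit(j) for j, cl in enumerate(clauses, 1) if -i in cl)
    for j in range(1, k + 1):
        S[f"g{j}"] = S[f"h{j}"] = cl_digit(j)
    t = sum(var_digit(i) for i in range(1, l + 1)) + 3 * sum(cl_digit(j) for j in range(1, k + 1))
    return S, t


def assignment_to_subset(num_vars, clauses, assignment):
    """Step 2 (=>): a satisfying assignment yields T summing to t; None if it does not satisfy."""
    T = [f"y{i}" if assignment[i] else f"z{i}" for i in range(1, num_vars + 1)]
    for j, cl in enumerate(clauses, 1):
        # distinct literals, because a row has a single 1 per clause column
        true_lits = sum(1 for lit in set(cl) if assignment[abs(lit)] == (lit > 0))
        if true_lits == 0:
            return None
        T += [f"g{j}", f"h{j}"][: 3 - true_lits]   # pad the clause column up to 3
    return T


def subset_to_assignment(num_vars, T):
    """Step 3 (<=): read x_i := (y_i in T); z_i in T then means x_i is false."""
    return {i: f"y{i}" in T for i in range(1, num_vars + 1)}


def subset_sum_bruteforce(S, t):
    """Exponential search over all subsets, only for checking the 'iff' on tiny instances."""
    names = list(S)
    for r in range(len(names) + 1):
        for T in combinations(names, r):
            if sum(S[n] for n in T) == t:
                return list(T)
    return None


def check_reduction(num_vars, clauses):
    """Verify on one formula: satisfiable  <=>  some subset of S sums to t, and the two
    maps are consistent with the formula.  Returns True when the equivalence holds."""
    S, t = reduce_3sat(num_vars, clauses)
    satisfiable = False
    for bits in product([False, True], repeat=num_vars):
        a = dict(zip(range(1, num_vars + 1), bits))
        T = assignment_to_subset(num_vars, clauses, a)
        assert (T is not None) == evaluate(clauses, a)
        if T is not None:
            satisfiable = True
            assert sum(S[n] for n in T) == t
    T = subset_sum_bruteforce(S, t)
    if T is not None:
        assert evaluate(clauses, subset_to_assignment(num_vars, T))
    return satisfiable == (T is not None)


if __name__ == "__main__":
    S, t = reduce_3sat(NUM_VARS, PHI)
    for name, value in S.items():
        print(f"{name:>3} {value:0{NUM_VARS + len(PHI)}d}")
    print("  t", t, "| reduction consistent:", check_reduction(NUM_VARS, PHI))
```

The unsatisfiable 3-CNF formula (x1+x1+x1)(x'1+x'1+x'1) is a useful second input: the table for it has no subset summing to t = 133, matching the formula having no satisfying assignment.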
Back to cryptology • P = NP is still an open question • factorization is not known to be NP-complete • so why not a cipher based on a known NP-complete problem?
Knapsack Cipher [Merkle and Hellman, '78] • Public key: {a1,a2,…,an}, a set of integers • Plaintext: bits x1…xn • Ciphertext: s = x1 a1 + x2 a2 + … + xn an, i.e. the sum of the subset selected by the plaintext bits
Decryption • Based on an easier problem: {a1,a2,…,an} is a superincreasing sequence (each ai is larger than a1 + … + a(i-1)), for which subset sum is solved greedily
Linear Time Decryption • xn = 1 iff s > a1 + … + a(n-1) (equivalently, iff s ≥ an) • Solve recursively on {a1,a2,…,a(n-1)} and s − xn an
How to build the keys? • Modular multiplication (Merkle and Hellman) • Start with a superincreasing sequence {b1,b2,…,bn} • Choose M and W such that M > b1 + … + bn and gcd(W, M) = 1 • Compute {a1,a2,…,an} with ai = (bi W) mod M; the ai are no longer superincreasing, so the public instance looks like a general subset sum
Decryption • c = (s W^-1) mod M, where (W^-1 W) mod M = 1 • Solve the subset sum problem with the superincreasing sequence {b1,b2,…,bn} and sum c; the plaintext bits are the same because s W^-1 ≡ Σ xi bi (mod M) and the bi sum to less than M
Trade-offs • bi large → M large → n plaintext bits are encoded with log2 M ciphertext bits • bi small → easy to break: if bi = 1 then ai = W mod M, and the break is O(n) • Merkle and Hellman recommended b1 ≈ 2^n, …, bn ≈ 2^(2n)
Evaluation + speed (about 100 times faster than RSA) − needs twice the communication capacity (m plaintext bits are encoded into approximately 2m ciphertext bits) − larger public key (2n^2 bits: 20,000 bits for n = 100, versus about 500 for RSA) ? security
Knapsack Cipher - Summary • Secret • superincreasing sequence {b1,b2,…,bn} • M • W • Public • {a1,a2,…,an} Remember: ai = (bi W) mod M
Shamir's break ('82) • exploits the way the key is built: a superincreasing sequence hidden by a linear transformation (modular multiplication) to produce the public key • What do we need to guess? (Only one of W and M is enough)
Shamir's break (cont.) Given the public key {a1,a2,…,an}, find M and W such that (ai W) mod M is a superincreasing sequence (this W is the decryption multiplier, W^-1 in the key-generation notation). Writing bi = (ai W) mod M, there is an integer ki with
    bi = ai W + ki M,
so dividing by M ai,
    bi / (M ai) = W/M + ki / ai,   and likewise   bj / (M aj) = W/M + kj / aj.
Subtracting,
    bi / (M ai) − bj / (M aj) = ki / ai − kj / aj,
and because the bi are tiny compared with M ai (with the recommended sizes, b1 ≈ 2^n against M a1 ≈ 2^(4n)),
    | ki / ai − kj / aj | < 2^(−3n).
Shamir's break (cont.) Now a lot of math follows … Main steps: • Find the ki's, which gives an approximation of W/M • Find a pair W'/M' close to W/M that generates a superincreasing sequence • W', M' and that superincreasing sequence differ from the secret key, yet they decrypt every ciphertext just as well
A little bit of history • Some knapsack cryptosystems were already broken by the late '70s • '82: polynomial-time break of the singly iterated Merkle-Hellman cryptosystem [Shamir] • '85: break of the multiply iterated Merkle-Hellman cryptosystem [Brickell] • Low-density knapsack attacks [Brickell; Lagarias and Odlyzko] Most knapsack cryptosystems are broken; few resisted, e.g. Chor-Rivest ('85)
Conclusion • Computer Science doesn't yet have adequate tools to prove that a problem is hard • We can base ciphers on 'known' hard problems like subset sum • We have to be careful: • NP-complete means it is hard to get the right answer for all instances (worst case) • To break a cipher, one only needs to probabilistically get close to the right answer for the specific instances the cipher produces, most of the time