1 / 36

Security through complexity Ana Nora Sovarel

This text discusses the concepts of Turing machines, complexity classes, NP-completeness, and their relevance to security. It also examines the use of Turing machines in cryptography, specifically the Knapsack Cipher.

johnathonc
Download Presentation

Security through complexity Ana Nora Sovarel

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security through complexityAna Nora Sovarel

  2. Projects Please fill one slot on the signup sheet. One meeting for each group. All members must agree.

  3. Turing Machine FiniteControl 0 0 1 1 0 0 1 0 0 0

  4. Definition • A Turing Machine is a 7-tuple (Q, ∑, Γ, δ, q0, qaccept, qreject) where Q, ∑, Γ are finite sets and • Q is the set of states • ∑ is the input alphabet • Γ is the tape alphabet • δ : Q X Γ  Q X Γ X {L,R} is the transition function • q0 is the start state • qaccept is the accept state • qreject is the reject state, where qaccept ≠ qreject

  5. Nondeterministic Turing Machine Finite Control 0 0 1 1 0 0 1 0 0 0 Finite Control Finite Control 0 0 1 1 0 0 1 0 0 0 0 0 0 1 0 0 1 0 0 0

  6. Definition A Turing Machine is a 7-tuple (Q, ∑, Γ, δ, q0, qaccept, qreject) where Q, ∑, Γ are finite sets and • Q is the set of states • ∑ is the input alphabet • Γ is the tape alphabet • δ : Q X Γ P(Q X Γ X {L,R}) is the transition function • q0 is the start state • qaccept is the accept state • qreject is the reject state, where qaccept ≠ qreject

  7. More Power? Does nondeterminism affect the power of Turing Machine? NO – more power means it recognizes more languages But, maybe it can do things faster …

  8. Complexity Classes • P = decidable in polynomial time by a deterministic TM • NP = decidable in polynomial time by a nondeterministic TM

  9. f(A) B A’s Input B’s Input Yes/No Reduction f – polynomial time transformation What we know about A and B? A is at most as hard as B ( can be easier if we find another way to solve it ) B is at least as hard as A.

  10. More definitions … • NP-Hard = the set of problems Q such that any problem Q’ in NP is polynomial reducible to it. • NP-complete = the problems Q such that Q is in NP-Hard and Q is in NP

  11. How do we prove a problem is hard? • Let A be a known hard problem • Find a polynomial transformation from A’s input to your problem’s input • Why it works? • If your problem is easy ( P ) then we can solve A easy ( P ). • So A is not hard. Contradiction • Need a hard problem to start with ….

  12. Cook’s Theorem (‘71) SAT is NP-complete. ( SAT = given a boolean formula, is it satisfiable? ) 3SAT is NP-complete. Example: Ф(x1,x2,x3,x4)=(x1+x2+x3)(x’1+x3+x4)

  13. Subset Sum Given a set {x1,x2,…,xn} of integers and an integer t, find {y1,y2,…,yk} a subset of {x1,x2,…,xn} such that:

  14. Subset Sum To prove NP-complete: • Prove is in NP • Verifiable in polynomial time • Give a nondeterministic algorithm • Reduction from a known NP-complete problem to subset sum • Reduction from 3SAT to subset sum

  15. Subset Sum is in NP sum = 0 A = {x1,x2,…,xn} for each x in A y choice(A) sum = sum + y if ( sum = t ) thensuccess A  A – {y} done fail

  16. Reduction Goal: Reduce 3SAT to SUBSET-SUM. How: Let Ф be a 3 conjunctive normal form formula. Build an instance of SUBSET-SUM problem (S, t) such that Ф is satisfiable if and only if there is a subset T of S whose elements sum to t. Prove the reduction is polynomial.

  17. 1. Algorithm Input: Ф - 3 conjunctive normal form formula Variables: x1, x2, …, xl Clauses: c1,c2,…,ck. Output: S, t such that Ф is satisfiable iff there is T subset of S which sums to t.

  18. 1. Algorithm (cont.)

  19. 1. Algorithm (cont.) (yi,xj), (zi,xj) – 1 if i=j, 0 otherwise (yi,cj) – 1 if cj contains variable xi, 0 otherwise (zi,cj) – 1 if cj contains variable x’i, 0 otherwise (gi,xj), (hi,xj) – 0 (gi,cj), (hi,cj) – 1 if i=j, 0 otherwise Each row represents a decimal number. S={y1,z1,..,yl,zl,g1,h1,…,gk,hk} t is the last row in the table.

  20. 2. Reduction ‘’ Given a variable assignment which satisfies Ф, find T. • If xi is true then yi is in T, else zi is in T • Add gi and/or hi to T such all last k digits of T to be 3.

  21. 3. Reduction ‘’ Given T a subset of S which sums to t, find a variable assignment which satisfies Ф. • If yi is in T then xi is true • If zi is in T then xi is false

  22. 4. Polynomial Table size is (k+l)2 O(n2)

  23. Back to cryptology  • P=NP is still an open question • factorization is not known to be NP-complete • cipher based on a known NP-complete problem

  24. Knapsack Cipher • Public Key: {a1,a2,…,an} set of integers • Plain Text: x1…xn • Cipher Text: [Merkle and Hellman, ’78]

  25. Decryption • Based on an easier problem • {a1,a2,…,an} is a superincreasing sequence

  26. Linear Time Decryption • xn = 1 iff • Solve it recursively on {a1,a2,…,an-1} and s - xnan

  27. How to build the keys? • Modular multiplication (Merkle and Hellman) • Starts with superincreasing sequence {b1,b2,…,bn} • Choose M and W such that • Compute {a1,a2,…,an} such that

  28. Decryption • C = (s W-1) mod M, where (W-1W) mod M = 1 • Solve subset sum problem with superincreasing sequence {b1,b2,…,bn} and sum c.

  29. Trade offs • bi large  M large  n bits encoded with log2M bits • bi small  easy to break • If bi = 1  aj = W. • Break O(n) • Merkle and Hellman recommended: b1 ≈ 2n, , bn ≈ 22n

  30. Evaluation + speed ( 100 times faster than RSA ) • needs twice the communication capacity (m bits encoded into approximate 2m bits) • larger public key (2n2 bits, 20,000 for n=100, RSA - 500) ? security

  31. Knapsack Cipher - Summary • Secret • superincreasing sequence {b1,b2,…,bn} • M • W • Public • {a1,a2,…,an} Remember:

  32. Shamir’s break (’82) • based on the choice of superincreasing sequence • linear transformation to generate public key • What do we need to guess ? (Only one of W and M is enough)

  33. Shamir’s break (cont.) Given the public key {a1,a2,…,an} find M and W such that (ai W) mod M is a superincreasing sequence. b1 = (ai W) mod M  b1 = ai W + k1M b1/(Mai) = W/M + k1/ ai b2/(Maj) = W/M + k2/ aj b1/(Mai) - b2/(Maj) = k1/ ai - k2/ aj | k1/ ai - k2/ aj | < 2-3n

  34. Shamir’s break (cont.) Now a lot of math follows … Main steps: • Find ki’s, which gives an approximation of W/M • Find a pair W’/M’ close to W/M which generates a superincreasing sequence • W’,M’, and superincreasing sequence are different from the secret key

  35. A little bit of history • Some knapsack cryptosystems were broke by late ’70’s • ’82 polynomial time break against singly iterated Merkle-Hellman cryptosystem [Shamir] • ’85 break against multiple iterated Merkle-Hellman cryptosystem [Brickell] • Low density knapsack [Brickell, Lagarias and Odlyzko] Most knapsack cryptosystems broken Few resisted – Chor-Rivest (’85)

  36. Conclusion • Computer Science doesn’t yet have adequate tools to a problem is hard • We can base ciphers on ‘known’ hard problems like subset sum • We have to be careful • NP-complete means is hard to get right answer to all instances • To break a cipher, only need to probabilistically get close to the right answer for specific instances most of the time

More Related