Security through complexity
Ana Nora Sovarel
Feb 08, 2016
Projects
Please fill one slot on the signup sheet. One meeting for each group. All members must agree.
Turing Machine
[Figure: a finite control with a read/write head over the tape 0 0 1 1 0 0 1 0 0 0]
Definition
A Turing Machine is a 7-tuple (Q, ∑, Γ, δ, q0, qaccept, qreject) where Q, ∑, Γ are finite sets and
1. Q is the set of states
2. ∑ is the input alphabet
3. Γ is the tape alphabet
4. δ : Q × Γ → Q × Γ × {L,R} is the transition function
5. q0 is the start state
6. qaccept is the accept state
7. qreject is the reject state, where qaccept ≠ qreject
Nondeterministic Turing Machine
[Figure: three copies of the finite control, each on its own tape (0 0 1 1 0 0 1 0 0 0, 0 0 1 1 0 0 1 0 0 0, 0 0 0 1 0 0 1 0 0 0), showing the branching computations]
Definition
A Nondeterministic Turing Machine is a 7-tuple (Q, ∑, Γ, δ, q0, qaccept, qreject) where Q, ∑, Γ are finite sets and
1. Q is the set of states
2. ∑ is the input alphabet
3. Γ is the tape alphabet
4. δ : Q × Γ → P(Q × Γ × {L,R}) is the transition function
5. q0 is the start state
6. qaccept is the accept state
7. qreject is the reject state, where qaccept ≠ qreject
More Power?
Does nondeterminism affect the power of a Turing Machine?
NO – more power means it recognizes more languages
But, maybe it can do things faster …
Complexity Classes
• P = decidable in polynomial time by a deterministic TM
• NP = decidable in polynomial time by a nondeterministic TM
Reduction
[Figure: A’s input → f → B’s input → B → Yes/No]
f – polynomial time transformation
What do we know about A and B?
A is at most as hard as B (can be easier if we find another way to solve it).
B is at least as hard as A.
More definitions …
• NP-Hard = the set of problems Q such that any problem Q’ in NP is polynomial reducible to it.
• NP-complete = the problems Q such that Q is in NP-Hard and Q is in NP
How do we prove a problem is hard?
• Let A be a known hard problem
• Find a polynomial transformation from A’s input to your problem’s input
• Why does it work?
– If your problem is easy (P) then we can solve A easily (P).
– So A is not hard. Contradiction
• Need a hard problem to start with ….
Cook’s Theorem (‘71)
SAT is NP-complete. (SAT = given a boolean formula, is it satisfiable?)
3SAT is NP-complete. Example: Ф(x1,x2,x3,x4) = (x1+x2+x3)(x’1+x3+x4)
Subset Sum
Given a set {x1,x2,…,xn} of integers and an integer t, find {y1,y2,…,yk} a subset of {x1,x2,…,xn} such that:
$$t = \sum_{i=1}^{k} y_i$$
Subset Sum
To prove NP-complete:
1. Prove it is in NP
• Verifiable in polynomial time
• Give a nondeterministic algorithm
2. Reduction from a known NP-complete problem to subset sum
• Reduction from 3SAT to subset sum
Subset Sum is in NP
sum = 0
A = {x1,x2,…,xn}
for each x in A
    y ← choice(A)
    sum = sum + y
    if (sum = t) then success
    A ← A – {y}
done
fail
Reduction
Goal: Reduce 3SAT to SUBSET-SUM.
How: Let Ф be a 3 conjunctive normal form formula. Build an instance (S, t) of the SUBSET-SUM problem such that Ф is satisfiable if and only if there is a subset T of S whose elements sum to t. Prove the reduction is polynomial.
1. Algorithm
Input: Ф - 3 conjunctive normal form formula
Variables: x1, x2, …, xl
Clauses: c1, c2, …, ck
Output: S, t such that Ф is satisfiable iff there is T subset of S which sums to t.
1. Algorithm (cont.)
Table: one row per element of S plus the row for t; columns x1 … xl, then c1 … ck (the clause-column entries shown for y1, z1, y2 are those of one example formula):

        x1  x2  …  xl | c1  c2  …  ck
   y1    1   0  …   0 |  1   0  …   0
   z1    1   0  …   0 |  0   1  …   0
   y2    0   1  …   0 |  0   0  …   1
   z2    0   1  …   0 |  0   0  …   0
   …
   yl    0   0  …   1 |  0   0  …   0
   zl    0   0  …   1 |  0   0  …   0
   g1    0   0  …   0 |  1   0  …   0
   h1    0   0  …   0 |  1   0  …   0
   g2    0   0  …   0 |  0   1  …   0
   h2    0   0  …   0 |  0   1  …   0
   …
   gk    0   0  …   0 |  0   0  …   1
   hk    0   0  …   0 |  0   0  …   1
   t     1   1  …   1 |  3   3  …   3
1. Algorithm (cont.)
(yi,xj), (zi,xj) – 1 if i=j, 0 otherwise
(yi,cj) – 1 if cj contains variable xi, 0 otherwise
(zi,cj) – 1 if cj contains variable x’i, 0 otherwise
(gi,xj), (hi,xj) – 0
(gi,cj), (hi,cj) – 1 if i=j, 0 otherwise
Each row represents a decimal number. S = {y1,z1,…,yl,zl,g1,h1,…,gk,hk}. t is the last row in the table.
2. Reduction (⇒)
Given a variable assignment which satisfies Ф, find T.
1. If xi is true then yi is in T, else zi is in T
2. Add gi and/or hi to T so that each of the last k digits of the sum of T becomes 3.
3. Reduction (⇐)
Given T a subset of S which sums to t, find a variable assignment which satisfies Ф.
1. If yi is in T then xi is true
2. If zi is in T then xi is false
4. Polynomial
Table size is (k+l)^2, so the reduction is O(n^2).
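The 3SAT → SUBSET-SUM construction of the table above, with both directions of the correctness argument worked in code, as an added example that is not part of the original slides. The literal encoding (+i for xi, -i for x’i), the function names and the row-to-decimal conversion are my own choices; the input is the slides’ example formula.

```python
# Added example (not from the slides): build the SUBSET-SUM instance (S, t) of the
# table above from a 3CNF formula, then check both directions of the argument.
# Encoding assumed here: a literal is an int, +i for x_i and -i for x'_i.

def build_instance(num_vars, clauses):
    """Every row of the table becomes a decimal number: num_vars variable digits
    followed by one digit per clause (no column sums past 5, so no carries)."""
    k = len(clauses)

    def row(var_digits, clause_digits):
        return int("".join(map(str, var_digits + clause_digits)))

    S = {}
    for i in range(1, num_vars + 1):
        var = [1 if j == i else 0 for j in range(1, num_vars + 1)]     # (yi,xj), (zi,xj)
        S[f"y{i}"] = row(var, [1 if i in c else 0 for c in clauses])   # (yi,cj): cj contains xi
        S[f"z{i}"] = row(var, [1 if -i in c else 0 for c in clauses])  # (zi,cj): cj contains x'i
    for j in range(1, k + 1):
        unit = [1 if m == j else 0 for m in range(1, k + 1)]           # (gi,cj), (hi,cj)
        S[f"g{j}"] = S[f"h{j}"] = row([0] * num_vars, unit)
    t = row([1] * num_vars, [3] * k)                                   # last row of the table
    return S, t

def subset_from_assignment(S, t, assignment, clauses):
    """Direction 2: a satisfying assignment yields T with sum(T) == t; else None."""
    T = [f"y{i}" if val else f"z{i}" for i, val in sorted(assignment.items())]
    for j, c in enumerate(clauses, start=1):
        true_lits = sum(1 for lit in c if assignment[abs(lit)] == (lit > 0))
        if true_lits == 0:
            return None                 # digit cj would stay 0 and can never reach 3
        T += [f"g{j}", f"h{j}"][: 3 - true_lits]   # pad digit cj up to exactly 3
    assert sum(S[name] for name in T) == t
    return T

def assignment_from_subset(T, num_vars):
    """Direction 3: yi in T means xi is true, zi in T means xi is false."""
    return {i: f"y{i}" in T for i in range(1, num_vars + 1)}

def satisfies(assignment, clauses):
    return all(any(assignment[abs(lit)] == (lit > 0) for lit in c) for c in clauses)

# Constructed input: the slides' example Ф(x1,x2,x3,x4) = (x1+x2+x3)(x'1+x3+x4).
CLAUSES = [(1, 2, 3), (-1, 3, 4)]

if __name__ == "__main__":
    S, t = build_instance(4, CLAUSES)
    T = subset_from_assignment(S, t, {1: True, 2: False, 3: False, 4: True}, CLAUSES)
    print("t =", t, "T =", T, "assignment =", assignment_from_subset(T, 4))
```

For the example formula the instance has t = 111133, and the assignment x1 = x4 = true, x2 = x3 = false gives T = {y1, z2, z3, y4, g1, h1, g2, h2}.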
Back to cryptology
• P=NP is still an open question
• factorization is not known to be NP-complete
• cipher based on a known NP-complete problem
Knapsack Cipher [Merkle and Hellman, ’78]
• Public Key: {a1,a2,…,an} set of integers
• Plain Text: x1…xn
• Cipher Text: $s = \sum_{i=1}^{n} x_i a_i$
Decryption
• Based on an easier problem
• {a1,a2,…,an} is a superincreasing sequence: $a_i > \sum_{j=1}^{i-1} a_j$
Linear Time Decryption
• xn = 1 iff $s > \sum_{i=1}^{n-1} a_i$
• Solve it recursively on {a1,a2,…,an-1} and s − xn an
How to build the keys?
• Modular multiplication (Merkle and Hellman)
• Start with a superincreasing sequence {b1,b2,…,bn}
• Choose M and W such that $M > \sum_{i=1}^{n} b_i$ and $\gcd(W, M) = 1$
• Compute {a1,a2,…,an} such that $a_i = (b_i W) \bmod M$
Decryption
• c = (s W⁻¹) mod M, where (W⁻¹ W) mod M = 1
• Solve the subset sum problem with superincreasing sequence {b1,b2,…,bn} and sum c.
Trade offs
• bi large ⇒ M large ⇒ n bits encoded with log2 M bits
• bi small ⇒ easy to break
– If bi = 1 then ai = W.
– Break in O(n)
• Merkle and Hellman recommended: $b_1 \approx 2^n$, $b_i \approx 2^{n+i-1} + \sum_{j=1}^{i-1} b_j$, $b_n \approx 2^{2n}$
Evaluation
+ speed (100 times faster than RSA)
- needs twice the communication capacity (m bits encoded into approximately 2m bits)
- larger public key (2n^2 bits, 20,000 for n=100, RSA - 500)
? security
Knapsack Cipher - Summary
• Secret
– superincreasing sequence {b1,b2,…,bn}
– M
– W
• Public
– {a1,a2,…,an}
Remember: $a_i = (b_i W) \bmod M$
Shamir’s break (’82)
• based on the choice of superincreasing sequence
• linear transformation to generate public key
• What do we need to guess? (Only one of W and M is enough)
Shamir’s break (cont.)
Given the public key {a1,a2,…,an} find M and W such that (ai W) mod M is a superincreasing sequence.
$b_1 = (a_i W) \bmod M$, i.e. $b_1 = a_i W + k_1 M$
$b_1/(M a_i) = W/M + k_1/a_i$
$b_2/(M a_j) = W/M + k_2/a_j$
$b_1/(M a_i) - b_2/(M a_j) = k_1/a_i - k_2/a_j$
$|k_1/a_i - k_2/a_j| < 2^{-3n}$
Shamir’s break (cont.)
Now a lot of math follows … Main steps:
- Find the ki’s, which gives an approximation of W/M
- Find a pair W’/M’ close to W/M which generates a superincreasing sequence
- W’, M’, and the superincreasing sequence are different from the secret key
A little bit of history
• Some knapsack cryptosystems were broken by the late ’70s
• ’82 polynomial time break against the singly iterated Merkle-Hellman cryptosystem [Shamir]
• ’85 break against the multiply iterated Merkle-Hellman cryptosystem [Brickell]
• Low density knapsack [Brickell, Lagarias and Odlyzko]
Most knapsack cryptosystems broken. Few resisted – Chor-Rivest (’85).
Conclusion
• Computer Science doesn’t yet have adequate tools to prove a problem is hard
• We can base ciphers on ‘known’ hard problems like subset sum
• We have to be careful
– NP-complete means it is hard to get the right answer to all instances
– To break a cipher, one only needs to probabilistically get close to the right answer for specific instances most of the time