Security - Princeton CS

Download Report

Transcript Security - Princeton CS

NP-Complete Problems
• Coloring is complete
• In particular, we can reduce solving any
search problem to finding a valid coloring for
some collection of circles!
• So, if we could solve Coloring quickly, then
P = NP
• That’s why we believe Coloring can’t be solved
quickly by any computer.
• We call such problems NP-Complete.
NP-complete problems
•
•
•
•
Coloring
Traveling Salesman Problem
Knapsack problem
Partition Problem
Knapsack problem
• We are given a set of items each having
an integer weight
• We are given an integer capacity for the
knapsack
• We ask if we can exactly pack the
knapsack using a subset of these items
Sample Knapsack problem
• Item weights 2,4,9,13,17,23,32,70,123,157
• Capacity is 228
• Packing 157 + 32 + 17 + 13 + 9
• Capacity is 226
• Packing (there are none)
Partition problem
• We are given a set of items each having
an integer weight
• We are asked if we can divide all the
items into 2 groups with equal total weight
• Is this NP-complete?
Partition problem
• We are given a set of items each having
an integer weight
• We are asked if we can divide all the
items into 2 groups with equal total weight
• Like knapsack problem
• Capacity of knapsack is half the total weight
Sample Partition problem
• Item weights 2,4,9,13,17,23,32,70,123,157
• Total weight is 450
• Packing 123 + 70 + 32 = 225
• Packing 157 + 23 + 17 + 13 + 9 + 4 + 2 = 225
• Why is this different from the PCP?
Other Hard Problems?
• There are other problems besides NP-Complete
Problems that we also believe are hard.
• Can we be sure?
• No.
• But people have been trying to solve certain
mathematical problems for centuries.
• So it seems reasonable to assume that nobody
will figure out how to solve them soon
• Then again, what about Fermat’s Last
Theorem? …
• People continue to work on NP-completeness.
Wrap-up
• We’ve seen problems that computers can’t solve
at all, and also problems that computers
probably can’t solve in our lifetimes.
• Too much bad news?
• Could it ever be useful to have hard problems?
• Yes!
• Cryptography
Security and Cryptography
Cryptography
• Why do we care so much about hard problems?
• Because sometimes we want to make things hard.
• Protecting Privacy, Authenticity
• Want to make it hard for adversaries to:
• Steal our credit cards
• Impersonate us
• Etc.
• Makes it possible for companies to protect
intellectual property.
Cryptography
•
Science of making things hard for adversaries
= Cryptography
•
Dates back to Julius Caesar
•
Caesar cipher – shift each character by a few places
•
"UHWXUA WR URPH" encodes “RETURN TO ROME“
•
Used extensively during WW 2 (and every other war)
•
Used to encode passwords
•
Used to prevent copying of software and data (e.g. DVD).
Requirements of a cryptosystem
• Easy to encode messages
• Hard to decode messages
One Approach...
It’s so complicated!
It must be secure!
Cryptosystem XYZ
(Patent Pending)
One Approach...
Extra!: Cryptosystem
XYZ Broken 2 Days
After Release!
One Approach...
• Unfortunately, this approach is often used in
real life.
• This is one of the reasons why you hear about so
many security systems being broken!
• Examples: DVD encryption (DeCSS),
Cell phones in Europe (GSM),
encoding of fonts by Adobe,
many many more
More sophisticated approach
• Use the theory of hard search problems
and the notion of reducing one problem to
another.
• Show that if you break this security system, you
do so by solving some of the world’s greatest
unsolved problems first!
Encryption
• The most basic problem in Cryptography is
Encryption:
Private
Message m
Alice
Bob
Encryption
• The most basic problem in Cryptography is
Encryption:
Private
Message m
Bob
Alice
Eve
the eavesdropper
Encryption
• The most basic problem in Cryptography is
Encryption:
Encrypted
Message E(m)
Bob
Alice
Eve
the eavesdropper
Encryption
• Have to make it easy for Bob to recover m
• But hard for Eve to learn anything about m
Encrypted
Message E(m)
Bob
Alice
Eve
the eavesdropper
Public-Key Cryptography
[Diffie-Hellman 1976]
Bob’s
Public Key
Bob’s
Secret Key
Bob
• Everybody knows Bob’s published Public Key.
• Only Bob knows his private key.
Public-Key Encryption
Encrypted
Message E(m)
Alice
Bob
• Alice uses Bob’s public key to encrypt m.
• Bob uses his private key to recover (decrypt) m.
•
Relationship between public and private key is such
that encryption with former enables decryption with
latter
Public-Key Encryption
Encrypted
Message E(m)
Alice
•
•
•
Eve
the eavesdropper
Bob
Alice and Eve both know Bob’s public key.
Eve must not be able to “break” the encryption even
though she knows the public key.
Discovering private key from public key must be VERY
hard.
Basic Math Review
• Let’s recall some basic mathematics:
• A number p is called prime if its only factors are
1 and itself.
• Examples:
Basic Math Review
• Let’s recall some basic mathematics:
• A number p is called prime if its only factors are
1 and itself.
• Examples: 2, 3, 5, 7, 11, 13, 17, 19, …
Basic Math Review
• Let’s recall some basic mathematics:
• A number p is called prime if its only factors are
1 and itself.
• Examples: 2, 3, 5, 7, 11, 13, 17, 19, …
• There are many prime numbers.
• Fact: It is known how to check quickly if a
number is prime or not.
• So, to find a big prime number, we can just keep
generating large random numbers until we find a
prime.
Basic Math Review
• Given two primes p and q, it is easy to multiply
them together: N = pq
• But given N, how do you find p and q quickly?
i.e. how do you factor N into primes?
• Easy for small numbers (e.g. 6 or 35).
• For centuries, mathematicians have been trying
to find ways to factor large numbers quickly. No
one knows how!
• Factoring a 10,000 digit N would take centuries
on the fastest computer in existence!
How do we know factoring is hard?
• Problem has a long history
• Prizes are offered and have been for a long
time
• Factoring progress happens slowly
Basic Math & Crypto
• We want to make it so that for Eve the
eavesdropper to break our system, she would
have to factor a very large number.
• We’ll (almost) do that.
Modular Arithmetic
• Ordinary integers:
…
-4
-3
-2
-1
0
1
2
3
4 …
Modular Arithmetic
• Ordinary integers:
…
-4
-3
-2
-1
• Integers Modulo N:
0
1
2
0
1
(N – 1)
2
(N – 2)
(N – 3)
3
…
3
4 …
Modular Arithmetic
• Example: Arithmetic Modulo 12
(like Arithmetic performed on hours)
0
• 3 + 11 (Modulo 12) =
• 2 – 4 (Modulo 12) =
• 5 * 4 (Modulo 12) =
• 4 * 3 (Modulo 12) =
1
11
2
10
9
…
3
Modular Arithmetic
• Example: Arithmetic Modulo 12
(like Arithmetic on time)
0
• 3 + 11 (Modulo 12) = 2
• 2 – 4 (Modulo 12) =
• 5 * 4 (Modulo 12) =
• 4 * 3 (Modulo 12) =
1
11
2
10
9
…
3
Modular Arithmetic
• Example: Arithmetic Modulo 12
(like Arithmetic on time)
0
• 3 + 11 (Modulo 12) = 2
• 2 – 4 (Modulo 12) = 10
• 5 * 4 (Modulo 12) =
• 4 * 3 (Modulo 12) =
1
11
2
10
9
…
3
Modular Arithmetic
• Example: Arithmetic Modulo 12
(like Arithmetic on time)
0
• 3 + 11 (Modulo 12) = 2
• 2 – 4 (Modulo 12) = 10
• 5 * 4 (Modulo 12) = 8
• 4 * 3 (Modulo 12) =
1
11
2
10
9
…
3
Modular Arithmetic
• Example: Arithmetic Modulo 12
(like Arithmetic on time)
0
• 3 + 11 (Modulo 12) = 2
• 2 – 4 (Modulo 12) = 10
• 5 * 4 (Modulo 12) = 8
• 4 * 3 (Modulo 12) = 0
1
11
2
10
9
…
3
The RSA Encryption Scheme
[Rivest Shamir Adleman 1978]
• Bob picks two large primes p and q, and
computes: N = pq
• Fact: Because Bob knows p and q, he can pick
numbers e and d such that:
• For all m:
d
e
(m ) = m (Modulo N)
• Bob reveals e, N as his Public Key
• Bob retains d as his Private Key
The RSA Encryption Scheme
• Recall Fact: Because Bob knows p and q, he can
pick numbers e and d such that:
• For all m:
d
e
(m ) = m (Modulo N)
• To Encrypt a message m, Alice uses Bob’s public
key (e, N) to compute the encrypted message:
• E(m) = me (Modulo N)
The RSA Encryption Scheme
• Recall Fact: Because Bob knows p and q, he can
pick numbers e and d such that:
• For all m:
d
e
(m ) = m (Modulo N)
• To Encrypt a message m, Alice uses Bob’s public
key (e, N) to compute the encrypted message:
• E(m) = me (Modulo N)
• To Decrypt, Bob uses private key (d) to compute:
•
d
d
e
m = (E(m)) (Modulo N) = (m ) (Modulo N)
The RSA Encryption Scheme
• To Encrypt a message m, Alice computes:
• E(m) = me (Modulo N)
• The only known way to compute m from E(m)
involves knowing d, which implies knowing p and q,
which implies factoring N.
• For Eve to break this system, she would have to
solve a long-standing open problem in Mathematics
• This is probably the most widely used Public-Key
Encryption Scheme in the world.
• Look at Help on IE
Shifting Gears: Proofs…
• Bob wants to convince Alice of (prove to her)
the validity of some statement (like “I really am
Bob!”)
Alice
Bob
• But Bob doesn’t want to reveal any of his
secrets to Alice in the process…
Zero-Knowledge Proofs
• What is the least amount of information Bob can
reveal, while still convincing Alice?
• Amazingly, it is possible for Bob to convince
Alice of something without revealing any new
information to Alice at all!
• How can that be?
Magic Tricks
• Magic tricks are like
zero-knowledge proofs:
• Good magic tricks
reveal nothing about
how they work.
• What makes a magic trick good?
A Magic Trick
• Two balls: Purple and Red, otherwise identical
• Blindfolded Magician
• You give a random ball to magician
A Magic Trick (cont.)
• Magician tells you the color!
• Magician proves he can distinguish balls
blindfolded.
• You learn nothing except this.
Abracadabra,
Goobedy goo!
It is Red!
Wow! He’s
so cool!
A Magic Trick (cont.)
• You knew exactly what magician was going to do.
• And he did it, i.e. showed you he can do it!
• Since you knew to begin the magician was a
magician and would get the right answer, you
could not have learned anything new!
It’s Red!
I knew he
would say that.
Zero Knowledge
• What it means:
• Alice “knows” what is going to happen.
• She can produce the same answers herself: no
need for magician
• CS-speak: Alice can simulate it herself!
Simulation
Abracadabra,
Goobedy goo!
It is Red!
Another Magic Trick
• Magician asks you to think of either
• “Apple” or
• “Banana”
• Magician then gives you a sealed box.
Mind Reading
• You tell Magician what you were thinking.
I was thinking
of a banana.
Mind Reading (cont.)
• Magician tells you to open box, and read
piece of paper in box.
• Magician proves he can predict what you will
say.
Banana
How did he
do that!!
Mind Reading (cont.)
• Again, you knew what was going to happen. If
you believed magician was indeed a magician,
you learn nothing new
 Zero-Knowledge
• Magician just shows you that he can do it
• you can simulate it yourself
Banana
Simulation
I was thinking
of a banana.
Mind Reading (cont.)
• But why do you believe the magician is more
special than you?
• Because Magician committed to his guess
before you told him.
• Commitment is the key.
Cryptographic Commitment
• Public Key Encryption Scheme
• To commit to a string x, I send y = E(x).
• like putting it in the box
• To “open” the commitment (box), I use my
secret key.
• Commitment is secret.
• And I can’t change my mind about x once I’ve
sent the encryption.
ZK Proofs for NPComplete Problems
• I tell you I have a solution to an NPComplete problem, but I won’t tell you
what the solution is
• You can ask me questions, and my
answers will reveal that I have a
solution, but they won’t reveal what
the solution is
NP-Complete Problems
• Remember we can reduce any search
problem to Coloring.
ZK Proof for Coloring
• Input: Collection of circles.
• Magician Claims to Know: Coloring using R, B, G
• Multi-step protocol. In each step:
• First, Magician picks random permutation
: R,B,G  R,B,G, and applies to coloring:

ZK Proof (cont.)
Magician presents
encrpyted permuted
graph
ZK Proof (cont.)
Verifier (Alice)
chooses a random
pair of nodes to
verify
ZK Proof (cont.)
Magician
decrypts
those nodes
and shows
they’re
colored
in valid way
Can Simulate Magician Each
Time
Only difference
is that a simulator
won’t know a valid
coloring
(NP-Complete problem)
Simulated ZK Proof
Interaction
ZK Proof: Analysis
• Suppose Magician is an imposter: does not
know a valid coloring.
• Then at least one pair of connected circles
will have colors equal (color equality survives
permutation).
Alice catches Magician cheating
with probability at least 1/n2.
• Repeat protocol 100 n2 times,
 Alice catches Magician cheating
almost always!
ZK Proof: Analysis (cont.)
• Simulator/imposter can produce the same
results each time (just needs to produce
different colorings for the two edges)
• Since magician permutes randomly each time:
• Each result from simulator (or imposter) is in itself
indistinguishable from what magician sends
• Verifier cannot put together graph from the pairs
(cannot gain knowledge; so zero-knowledge)
ZK Proof: Analysis (cont.)
• Key difference between magician & imposter:
• Magician knows valid coloring, can commit to it,
and won’t be caught in pairwise game
• Simulator/imposter does not, and will
ultimately be caught
• But commitments are secret, by security of
encryption scheme.
 Simulator output and real life
are indistinguishable to an eavesdropper,
who cannot tell if magician is imposter or not
Wrap-up
• Today we saw some examples illustrating
techniques from modern cryptography:
• Encryption
• Zero Knowledge Proofs