Lecture 16 - University of Virginia, Department of Computer Science


Security through complexity
Ana Nora Sovarel
1
Projects
Please fill one slot on the signup sheet.
One meeting for each group.
All members must agree.
2
Turing Machine
[Figure: a finite control with a read/write head positioned over an infinite tape of 0/1 cells]
3
Definition
A Turing Machine is a 7-tuple (Q, Σ, Γ, δ, q0, qaccept, qreject)
where Q, Σ, Γ are finite sets and
1. Q is the set of states
2. Σ is the input alphabet
3. Γ is the tape alphabet
4. δ : Q × Γ → Q × Γ × {L, R} is the transition function
5. q0 is the start state
6. qaccept is the accept state
7. qreject is the reject state, where qaccept ≠ qreject
4
Nondeterministic Turing Machine
[Figure: a finite control over a tape of 0/1 cells; at each nondeterministic step the computation branches into several copies of the finite control, each with its own tape contents]
5
Definition
A Nondeterministic Turing Machine is a 7-tuple (Q, Σ, Γ, δ, q0, qaccept, qreject)
where Q, Σ, Γ are finite sets and
1. Q is the set of states
2. Σ is the input alphabet
3. Γ is the tape alphabet
4. δ : Q × Γ → P(Q × Γ × {L, R}) is the transition function (P denotes the power set: each step may have several successors)
5. q0 is the start state
6. qaccept is the accept state
7. qreject is the reject state, where qaccept ≠ qreject
6
More Power?
Does nondeterminism affect the power of Turing Machines?
NO – more power would mean recognizing more languages, and it does not.
But maybe it can do things faster …
7
Complexity Classes
• P = decidable in polynomial time by a
deterministic TM
• NP = decidable in polynomial time by a
nondeterministic TM
8
Reduction
f – polynomial time transformation
[Diagram: A's input → f → B's input → B → Yes/No; the answer B gives on f(A) is the answer for A]
What do we know about A and B?
A is at most as hard as B (it can be easier if we find another way to solve it).
B is at least as hard as A.
9
More definitions …
• NP-Hard = the set of problems Q such that any problem Q' in NP is polynomial-time reducible to Q.
• NP-complete = the problems Q such that Q is NP-Hard and Q is in NP.
10
How do we prove a problem is hard?
• Let A be a known hard problem
• Find a polynomial transformation from A's input to your problem's input
• Why does it work?
– If your problem were easy (P), then we could solve A easily (P).
– So A would not be hard. Contradiction.
• We need a hard problem to start with ….
11
Cook’s Theorem (‘71)
SAT is NP-complete.
(SAT = given a boolean formula, is it satisfiable?)
3SAT is NP-complete.
Example:
Φ(x1, x2, x3, x4) = (x1 + x2 + x3)(x'1 + x3 + x4)
12
Subset Sum
Given a set {x1, x2, …, xn} of integers and an integer t, find a subset {y1, y2, …, yk} of {x1, x2, …, xn} such that:
t = \sum_{i=1}^{k} y_i
13
Subset Sum
To prove NP-complete:
1. Prove it is in NP
• Verifiable in polynomial time
• Give a nondeterministic algorithm
2. Reduction from a known NP-complete problem to subset sum
• Reduction from 3SAT to subset sum
14
Subset Sum is in NP
sum = 0
A = {x1, x2, …, xn}
for each x in A
    y ← choice(A)
    sum = sum + y
    if (sum = t) then success
    A ← A – {y}
done
fail
15
Reduction
Goal: Reduce 3SAT to SUBSET-SUM.
How:
Let Φ be a formula in 3-conjunctive normal form. Build an instance (S, t) of the SUBSET-SUM problem such that Φ is satisfiable if and only if there is a subset T of S whose elements sum to t.
Prove the reduction is polynomial.
16
1. Algorithm
Input: Φ – a formula in 3-conjunctive normal form
Variables: x1, x2, …, xl
Clauses: c1, c2, …, ck.
Output: S, t such that Φ is satisfiable iff there is a subset T of S which sums to t.
17
1. Algorithm (cont.)
[Table: one row per element of S and per target t, one column per variable x1 … xl and per clause c1 … ck]

       x1  x2  …  xl  | c1  c2  …  ck
  y1    1   0  …   0  | 1 where cj contains x1, else 0
  z1    1   0  …   0  | 1 where cj contains x'1, else 0
  y2    0   1  …   0  | 1 where cj contains x2, else 0
  z2    0   1  …   0  | 1 where cj contains x'2, else 0
  …
  yl    0   0  …   1  | 1 where cj contains xl, else 0
  zl    0   0  …   1  | 1 where cj contains x'l, else 0
  g1    0   0  …   0  | 1   0  …   0
  h1    0   0  …   0  | 1   0  …   0
  g2    0   0  …   0  | 0   1  …   0
  h2    0   0  …   0  | 0   1  …   0
  …
  gk    0   0  …   0  | 0   0  …   1
  hk    0   0  …   0  | 0   0  …   1
  t     1   1  …   1  | 3   3  …   3
18
1. Algorithm (cont.)
(yi,xj), (zi,xj) – 1 if i=j, 0 otherwise
(yi,cj) – 1 if cj contains variable xi, 0 otherwise
(zi,cj) – 1 if cj contains variable x’i, 0 otherwise
(gi,xj), (hi,xj) – 0
(gi,cj), (hi,cj) – 1 if i=j, 0 otherwise
Each row represents a decimal number.
S={y1,z1,..,yl,zl,g1,h1,…,gk,hk}
t is the last row in the table.
19
2. Reduction (⇒)
Given a variable assignment which satisfies Φ, find T.
1. If xi is true then yi is in T, else zi is in T
2. Add gi and/or hi to T so that each of the last k digits of the sum of T is 3 (a satisfied clause already gets 1, 2 or 3 from the chosen y/z rows, so at most two more are needed).
20
3. Reduction (⇐)
Given T, a subset of S which sums to t, find a variable assignment which satisfies Φ.
1. If yi is in T then xi is true
2. If zi is in T then xi is false
21
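The table construction of slides 17 to 19 and both reduction directions, plus the polynomial-time certificate check from slide 15 and a brute-force stand-in for its nondeterministic choice(), as an added Python example (not code from the lecture). The clause encoding (+i for x_i, -i for x'_i), the dict of named rows and the function names are my own choices.

```python
from itertools import combinations

def reduce_3sat_to_subset_sum(num_vars, clauses):
    """Build (S, t) from a 3-CNF formula using the lecture's table.
    clauses: tuples of nonzero ints, +i for x_i and -i for x'_i."""
    l, k = num_vars, len(clauses)
    def row(var_digits, clause_digits):
        # each table row is read as one decimal number: l variable digits, then k clause digits
        return int("".join(map(str, var_digits + clause_digits)))
    S = {}
    for i in range(1, l + 1):
        var = [int(j == i) for j in range(1, l + 1)]            # (y_i, x_j), (z_i, x_j)
        S[f"y{i}"] = row(var, [int(i in c) for c in clauses])   # c_j contains x_i
        S[f"z{i}"] = row(var, [int(-i in c) for c in clauses])  # c_j contains x'_i
    for j in range(1, k + 1):
        cl = [int(jj == j) for jj in range(1, k + 1)]           # (g_j, c_j), (h_j, c_j)
        S[f"g{j}"], S[f"h{j}"] = row([0] * l, cl), row([0] * l, cl)
    return S, int("1" * l + "3" * k)                            # t is the last row

def assignment_to_subset(assignment, clauses):
    """Direction (=>): from a satisfying assignment {i: bool} build T summing to t."""
    T = {f"y{i}" if v else f"z{i}" for i, v in assignment.items()}
    for j, c in enumerate(clauses, start=1):
        true_lits = len({lit for lit in c if assignment[abs(lit)] == (lit > 0)})
        if true_lits == 0:
            raise ValueError(f"clause c{j} is not satisfied")
        # the clause digit already gets 1, 2 or 3 from the y/z rows; top it up to 3
        if true_lits <= 2:
            T.add(f"g{j}")
        if true_lits == 1:
            T.add(f"h{j}")
    return T

def subset_to_assignment(T, num_vars):
    """Direction (<=): x_i is true iff y_i is in T."""
    return {i: f"y{i}" in T for i in range(1, num_vars + 1)}

def verify_subset_sum(S, T, t):
    # polynomial-time certificate check: this is what puts SUBSET-SUM in NP
    return T <= set(S) and sum(S[name] for name in T) == t

def subset_sum_exists(S, t):
    # replaces the nondeterministic choice() by trying all 2^|S| subsets (toy sizes only)
    names = list(S)
    return any(sum(S[n] for n in c) == t
               for r in range(len(names) + 1) for c in combinations(names, r))
```

Running it on the slide's example Φ = (x1 + x2 + x3)(x'1 + x3 + x4) gives t = 111133 and, for x1 = x4 = true, x2 = x3 = false, the subset {y1, z2, z3, y4, g1, h1, g2, h2}.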
4. Polynomial
Table size is (k+l)^2, i.e. O(n^2).
22
Back to cryptology
• P = NP is still an open question
• Factorization is not known to be NP-complete
• Idea: a cipher based on a known NP-complete problem
23
Knapsack Cipher
• Public Key: {a1, a2, …, an}, a set of integers
• Plain Text: x1 … xn (bits)
• Cipher Text: s = \sum_{i=1}^{n} x_i a_i
[Merkle and Hellman, '78]
24
Decryption
• Based on an easier problem
• {a1, a2, …, an} is a superincreasing sequence:
a_i > \sum_{j=1}^{i-1} a_j
25
Linear Time Decryption
• x_n = 1 iff s > \sum_{i=1}^{n-1} a_i
• Solve it recursively on {a1, a2, …, an-1} and s - x_n a_n
26
How to build the keys?
• Modular multiplication (Merkle and Hellman)
• Start with a superincreasing sequence {b1, b2, …, bn}
• Choose M and W such that
M > \sum_{i=1}^{n} b_i, GCD(M, W) = 1
• Compute {a1, a2, …, an} such that
a_i = (b_i W) mod M
27
Decryption
• c = (s W^{-1}) mod M, where (W^{-1} W) mod M = 1
• Solve the subset sum problem with the superincreasing sequence {b1, b2, …, bn} and sum c.
28
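Key generation, encryption and linear-time decryption as described on slides 24 to 28, as an added Python example (not code from the lecture or from Merkle and Hellman). The 8-element private key below is a constructed toy; the function names are my own.

```python
from math import gcd

def is_superincreasing(b):
    # each term must exceed the sum of all earlier terms (slide 25)
    total = 0
    for x in b:
        if x <= total:
            return False
        total += x
    return True

def make_public_key(b, M, W):
    """Modular multiplication (slide 27): a_i = (b_i W) mod M."""
    if not is_superincreasing(b) or M <= sum(b) or gcd(M, W) != 1:
        raise ValueError("need superincreasing b, M > sum(b) and gcd(M, W) = 1")
    return [(bi * W) % M for bi in b]

def encrypt(a, bits):
    # ciphertext s = sum x_i a_i: a subset-sum instance over the public key (slide 24)
    if len(bits) != len(a) or any(x not in (0, 1) for x in bits):
        raise ValueError("plaintext must be a bit vector of length n")
    return sum(ai for ai, x in zip(a, bits) if x)

def solve_superincreasing(b, c):
    """Linear-time decryption (slide 26): x_n = 1 iff c exceeds b_1 + ... + b_{n-1}
    (equivalently c >= b_n), then recurse on the prefix with c - x_n b_n."""
    x = [0] * len(b)
    for i in range(len(b) - 1, -1, -1):
        if c >= b[i]:
            x[i] = 1
            c -= b[i]
    if c != 0:
        raise ValueError("no subset of b sums to c: not a valid ciphertext")
    return x

def decrypt(b, M, W, s):
    # c = s W^-1 mod M (slide 28) maps the hard public instance onto the easy private one
    c = (s * pow(W, -1, M)) % M
    return solve_superincreasing(b, c)

# constructed toy key with n = 8; slide 29 puts real keys at n around 100
PRIVATE_B = [2, 3, 7, 14, 30, 57, 120, 251]   # superincreasing, sum 484
PRIVATE_M, PRIVATE_W = 491, 41                 # M > 484 and gcd(491, 41) = 1
PUBLIC_A = make_public_key(PRIVATE_B, PRIVATE_M, PRIVATE_W)
```

With these parameters the public key is [82, 123, 287, 83, 248, 373, 10, 471], the plaintext 10110010 encrypts to s = 462, and decryption recovers it via c = 462 · 12 mod 491 = 143 = 2 + 7 + 14 + 120.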
Trade offs
• bi large → M large → n bits encoded with log2 M bits
• bi small → easy to break
– If bi = 1 → ai = W.
– Break in O(n)
• Merkle and Hellman recommended:
b_1 ≈ 2^n,
b_i > \sum_{j=1}^{i-1} b_j for 2 ≤ i ≤ n-1,
b_n ≈ 2^{2n}
29
Evaluation
+ speed (100 times faster than RSA)
- needs twice the communication capacity (m bits encoded into approximately 2m bits)
- larger public key (2n^2 bits, 20,000 for n=100; RSA – 500)
? security
30
Knapsack Cipher - Summary
• Secret
– superincreasing sequence {b1, b2, …, bn}
– M
– W
• Public
– {a1, a2, …, an}
Remember:
a_i = (b_i W) mod M
31
Shamir’s break (’82)
• based on the choice of superincreasing
sequence
• linear transformation to generate public
key
• What do we need to guess ?
(Only one of W and M is enough)
32
Shamir’s break (cont.)
Given the public key {a1, a2, …, an}, find M and W such that (a_i W) mod M is a superincreasing sequence.
b_1 = (a_i W) mod M ⇒ b_1 = a_i W + k_1 M
b_1/(M a_i) = W/M + k_1/a_i
b_2/(M a_j) = W/M + k_2/a_j
b_1/(M a_i) - b_2/(M a_j) = k_1/a_i - k_2/a_j ⇒
| k_1/a_i - k_2/a_j | < 2^{-3n}
33
Shamir’s break (cont.)
Now a lot of math follows …
Main steps:
- Find ki’s, which gives an approximation of
W/M
- Find a pair W’/M’ close to W/M which
generates a superincreasing sequence
- W’,M’, and superincreasing sequence are
different from the secret key
34
A little bit of history
• Some knapsack cryptosystems were broken by the late '70s
• '82: polynomial time break against the singly iterated Merkle-Hellman cryptosystem [Shamir]
• '85: break against the multiply iterated Merkle-Hellman cryptosystem [Brickell]
• Low density knapsack [Brickell, Lagarias and Odlyzko]
Most knapsack cryptosystems broken
Few resisted – Chor-Rivest ('85)
35
Conclusion
• Computer Science doesn't yet have adequate tools to prove a problem is hard
• We can base ciphers on 'known' hard problems like subset sum
• We have to be careful
– NP-complete means it is hard to get the right answer to all instances
– To break a cipher, one only needs to probabilistically get close to the right answer for specific instances most of the time
36