Cryptography and Complexity at the Weizmann Institute
Moni Naor
Weizmann Institute of Science
Open Day February 2005
Computational Complexity Theory
• Study the resources needed to solve computational problems
  – Computer time
  – Computer memory
  – Communication
  – Parallelism
  – Randomness
  – …
• Identify problems that are infeasible to compute by any reasonable machine
• Taxonomy: classify problems into classes with similar properties wrt the resource requirements
  – Help find the most efficient algorithm for a problem
A computational problem:
• multiplying two numbers,
• selecting a move in a chess position
• Find the shortest tour visiting all cities
P=NP?
What is Cryptography?
Traditionally: how to maintain secrecy in communication
Alice and Bob talk while Eve tries to listen
[Figure: Alice, Bob and Eve]
History of Cryptography
• Very ancient occupation, Biblical times:
  "How Sheshach (ששך) is captured, the praise of the whole earth seized! How Babylon (בבל) has become a desolation among the nations!"
• Egyptian Hieroglyphs – Unusual ones
...
• Many interesting books and sources, especially about the Enigma (WW2)
Modern Times
• Up to the mid 70's - mostly classified military work
• Since then - explosive growth
  – Commercial applications
  – Scientific work: tight relationship with Computational Complexity Theory
• Recently - more involved models for more diverse tasks.
How to maintain the secrecy, integrity and functionality in computer and communication systems.
Prevalence of the Internet:
• Cryptography is in the news (daily!)
• Cryptography is relevant to "everyone" - security and privacy issues for individuals
Cryptographic Research
Complexity Theory
• Study the resources needed to solve computational problems – computer time, memory
• Identify problems that are infeasible to compute.
Cryptography
• Find ways to specify security requirements of systems
• Use the computational infeasibility of problems in order to obtain security.
The development of these two areas is tightly connected!
“A match made in heaven”
Faculty members in Cryptography and Complexity
• Prof. Uri Feige
• Prof. Oded Goldreich
• Prof. Shafi Goldwasser
• Prof. Moni Naor
• Dr. Omer Reingold
• Prof. Ran Raz
• Prof. Adi Shamir
One of the most active groups in the world!
Authentication
One of the fundamental tasks of cryptography
• Alice (sender) wants to send a message m to Bob (receiver).
• They want to prevent Eve from interfering
  – Bob should be sure that the message m' he receives is indeed the message m Alice sent.
[Figure: Alice, Bob and Eve]
Authentication and Non-Repudiation
• Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to third party - Non-repudiation.
  – Provided Alice (the sender) has a unique public key
  – Essential to contract signing, e-commerce…
  – First implementation: Rivest, Shamir and Adleman 1977
• Digital Signatures: last 25 years major effort in
  – Research
    • Notions of security
    • Computationally efficient constructions
  – Technology, Infrastructure (PKI), Commerce, Legal
Turing Award 2003
Existential Unforgeability under an adaptive message attack
Is non-repudiation always desirable?
Not necessarily so:
• Privacy of conversation, no (verifiable) record.
  – Do you want everything you ever said to be held against you?
• If Bob pays for the authentication, shouldn't be able to transfer it for free
Alternative: (Plausible) Deniability
• If the recipient (or any recipient) could have generated the conversation himself – or an indistinguishable one
Key concept in cryptography and complexity
Deniable Authentication
Setting:
• Sender has a public key known to receiver
• Want to come up with a (perhaps interactive) authentication scheme such that the receiver keeps no receipt of conversation.
This means:
• Any receiver could have generated the conversation itself.
  – There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
  – This property is known as Zero-Knowledge!
  – An example where zero-knowledge is the ends, not the means!
Proof of security consists of Unforgeability and Deniability
Yet another WIS concept
Ring Signatures and Authentication
Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
  – Other members do not cooperate
  – Use their `regular’ public-keys
    • Encryption
  – Should be indistinguishable which member of the set is actually doing the authentication
[Figure: Bob, Alice? and Eve]
Deniable Ring Authentication
Completeness: a good sender and receiver complete the authentication on any message m
Unforgeability: existentially unforgeable against adaptive chosen message attack
• for any sequence of messages m_1, m_2, …, m_k
  – adversarially chosen in an adaptive manner
• even if sender authenticates all of m_1, m_2, …, m_k
• probability forger convinces receiver to accept an m ∉ {m_1, m_2, …, m_k} is negligible
Properties of an interactive authentication scheme
Deniable Ring Authentication
Deniability:
  – For any verifier, for any arbitrary set of keys, some good some bad, there is a simulator that can generate computationally indistinguishable conversations.
    • A more stringent requirement: statistically indistinguishable
Source Hiding:
  – For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys
    • A more stringent requirement: statistically indistinguishable
Source Hiding and Deniability – incomparable
Encryption
• Assume a public key encryption scheme E
  – Public key PK – knowing PK can encrypt message m
    • generate Y = E(PK, m, r)
  – With corresponding secret key PS, given Y can retrieve m
    • m = D(PS, Y)
• Encryption process is probabilistic
  Each message induces a distribution on the ciphertexts
• Security of encryption scheme:
  – non-malleable against chosen ciphertext attacks in the post-processing mode.
  – In particular given Y = E(PK, m, r) hard to generate Y' = E(PK, m', r') for a related message m'
• Example of a very malleable scheme: one-time pad
[Figure: Plaintext, Ciphertext]
A Public Key Authentication Protocol
P has a public key PK of an encryption scheme E.
To authenticate a message m:
• V → P: Choose x ∈_R {0,1}^n. Send Y = E(PK, m∘x, r)
• P → V: Verify that prefix of plaintext is indeed m. If yes - send x.
V accepts iff the received x' = x
Is it Unforgeable? Is it Deniable?
Security of the scheme
Unforgeability: depends on the strength of E
• Sensitive to malleability:
  – if given E(PK, m∘x, r) can generate E(PK, m'∘x', r) where m' is related to m and x' is related to x then can forge.
• The protocol allows a chosen ciphertext attack on E.
  – Even of the post-processing kind!
• Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
• Works even against concurrent executions.
Deniability: does V retain a receipt?
  – It does not retain one for an honest V
  – Need to prove knowledge of x
There are encryption schemes satisfying the desired requirements
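Why the scheme needs non-malleable encryption, as an added example that is not from the talk: with the one-time pad (the malleable scheme named on the Encryption slide) standing in for E, a challenge for one message can be rewritten in transit into a challenge for another message carrying the same x. The shared pad, the message strings and all function names are constructed for illustration.

```python
import secrets

N = 16  # length of V's random suffix x in bytes (constructed parameter)

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def otp_encrypt(pad, plaintext):
    # Stand-in for Y = E(PK, m∘x, r): the pad plays the role of the key.
    return xor(pad, plaintext)

def prover_respond(pad, Y, m):
    """P: decrypt Y and release the suffix x only if the prefix equals m."""
    plain = xor(pad, Y)
    return plain[-N:] if plain[:-N] == m else None

def rewrite_prefix(Y, m_old, m_new):
    """Turn an encryption of m_old∘x into one of m_new∘x without the pad:
    flipping a ciphertext bit flips the same plaintext bit."""
    return xor(Y, xor(m_old, m_new) + bytes(N))

def relay_demo():
    m_v = b"message V expects".ljust(24)    # V wants proof that P sent this
    m_p = b"message P agreed to".ljust(24)  # the only message P authenticates
    pad = secrets.token_bytes(len(m_v) + N)
    x = secrets.token_bytes(N)
    Y = otp_encrypt(pad, m_v + x)            # V's challenge for m_v
    direct = prover_respond(pad, Y, m_p)     # unmodified: P refuses
    Y_mod = rewrite_prefix(Y, m_v, m_p)      # prefix changed in transit
    relayed = prover_respond(pad, Y_mod, m_p)
    return direct, relayed == x              # V would accept the relayed x
```

A non-malleable E makes the rewritten ciphertext fail to decrypt to a related plaintext, so P never releases the x that V is waiting for.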
Simulator for honest receiver
Choose x ∈_R {0,1}^n.
Output: ⟨Y = E(PK, m∘x, r), x, r⟩
Has exactly the same distribution as a real conversation when the verifier is following the protocol
Statistical indistinguishability
Verifier might cheat by checking whether certain ciphertexts have m as a prefix
No known concrete way of doing harm this way
Encryption as Commitment
When the public key PK is fixed and known Y=E(PK, x, r) can be seen as commitment to x
To open x reveal r, the random bits used to create Y
Perfect binding: from unique decryption
For any Y there are no two different x and x' and r and r' s.t. Y = E(PK, x, r) = E(PK, x', r')
Secrecy: no information about x is leaked to those not knowing private key PS
Deniable Protocol
P has a public key PK of an encryption scheme E.
To authenticate message m:
• V → P: Choose x ∈_R {0,1}^n. Send Y = E(PK, m∘x, r)
• P → V: Send E(PK, x, t)
• V → P: Send x and r - opening Y = E(PK, m∘x, r)
• P → V: Open E(PK, x, t) by sending t.
P commits to the value x. Does not want to reveal it yet
Security of the scheme
Unforgeability: as before - depends on the strength of E; can simulate previous scheme (with access to D(PK, ·))
Important property: E(PK, x, t) is a non-malleable commitment (wrt the encryption) to x.
Deniability: can run simulator:
• Extract x by running with E(PK, garbage, t) and rewinding
• Expected polynomial time
• Need the semantic security of E - it acts as a commitment scheme
Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
  – Other members do not cooperate
  – Use their `regular’ public-keys
  – Should be indistinguishable which member of the set is actually doing the authentication
[Figure: Bob, Alice? and Eve]
Ring Authentication Setting
• A ring is an arbitrary set of participants including the authenticator
• Each member i of the ring has a public encryption key PK_i
  – Only i knows the corresponding secret key PS_i
• To run a ring authentication protocol both sides need to know PK_1, PK_2, …, PK_n, the public keys of the ring members
...
An almost Good Ring Authentication Protocol
Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E
To authenticate message m with jth decryption key PS_j:
V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m∘x, r_1), E(PK_2, m∘x, r_2), …, E(PK_n, m∘x, r_n)
P → V: Decrypt E(PK_j, m∘x, r_j), using PS_j, and send E(PK_1, x, t_1), E(PK_2, x, t_2), …, E(PK_n, x, t_n)
V → P: Open all the E(PK_i, m∘x, r_i) by sending x and r_1, r_2, …, r_n
P → V: Verify consistency and open all E(PK_i, x, t_i) by sending t_1, t_2, …, t_n
Problem: what if not all suffixes (x‘s) are equal
The Ring Authentication Protocol
Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E
To authenticate message m with jth decryption key PS_j:
V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m∘x, r_1), E(PK_2, m∘x, r_2), …, E(PK_n, m∘x, r_n)
P → V: Decrypt E(PK_j, m∘x, r_j), using PS_j, and send E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n), where x = x_1 + x_2 + … + x_n
V → P: Open all the E(PK_i, m∘x, r_i) by sending x and r_1, r_2, …, r_n
P → V: Verify consistency and open all E(PK_i, x_i, t_i) by sending t_1, t_2, …, t_n and x_1, x_2, …, x_n
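The four-message ring protocol above, run end to end as an added example (not code from the talk); with a ring of one key it reduces to the Deniable Protocol slide. The toy hashed-ElGamal scheme, its parameters, the function names and reading "+" as bytewise XOR are assumptions made here; the toy scheme is malleable, so the block shows the message flow and P's consistency check, not the unforgeability guarantee.

```python
import hashlib, secrets
from functools import reduce

# Toy hashed ElGamal with explicit randomness r, so E(PK, msg, r) can be
# opened by revealing r. Constructed parameters; it is NOT non-malleable.
MOD, GEN, N = 2**127 - 1, 3, 16   # modulus, base, byte length of x

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def rnd():
    return secrets.randbelow(MOD - 2) + 1

def keygen():
    sk = rnd()
    return pow(GEN, sk, MOD), sk   # (PK_i, PS_i)

def pad(shared, n):
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(n)

def E(pk, msg, r):
    return pow(GEN, r, MOD), xor(msg, pad(pow(pk, r, MOD), len(msg)))

def D(sk, Y):
    return xor(Y[1], pad(pow(Y[0], sk, MOD), len(Y[1])))

def ring_authenticate(m, pks, j, sk_j, cheating_verifier=False):
    """Play V and P in one process; return True iff V accepts."""
    n = len(pks)
    # V -> P: E(PK_i, m∘x, r_i) under every ring key
    x, rs = secrets.token_bytes(N), [rnd() for _ in range(n)]
    Ys = [E(pk, m + x, r) for pk, r in zip(pks, rs)]
    if cheating_verifier:          # a different suffix under PK_1
        Ys[0] = E(pks[0], m + secrets.token_bytes(N), rs[0])
    # P -> V: decrypt with PS_j, check prefix, commit to shares x_1..x_n
    plain = D(sk_j, Ys[j])
    if plain[:-N] != m:
        return False
    shares = [secrets.token_bytes(N) for _ in range(n - 1)]
    shares.append(reduce(xor, shares, plain[-N:]))  # XOR of all shares = x
    ts = [rnd() for _ in range(n)]
    Cs = [E(pk, s, t) for pk, s, t in zip(pks, shares, ts)]
    # V -> P: x and r_1..r_n; P re-encrypts to verify consistency
    if any(E(pk, m + x, r) != Y for pk, r, Y in zip(pks, rs, Ys)):
        return False               # P aborts and opens nothing
    # P -> V: t_i and x_i; V checks each opening and the sum
    opened = all(E(pk, s, t) == C
                 for pk, s, t, C in zip(pks, shares, ts, Cs))
    return opened and reduce(xor, shares) == x
```

The `cheating_verifier` branch is the case raised on the previous slide, where not all suffixes are equal: P detects the mismatch when V opens the ciphertexts and stops before revealing any share.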
Properties of the Scheme
• Works with any good encryption scheme - members of the ring are unwilling participants.
• Fairly efficient scheme:
  – Need n encryptions, n verifications and one decryption
• Can extend the scheme so as to convince a verifier that at least k members confirm the message.
• What are the social implications of the existence of ring authentication?
Summary
• Cryptography and Complexity are very active research areas
• Research activities in the areas range from
  – providing firm foundations to the construction of methods
  – providing actual constructions and analysis for specific needs.
• Many unexpected results...
Security of the scheme
Unforgeability: as before (assuming all keys are well chosen) since E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n), where x = x_1 + x_2 + … + x_n, is a non-malleable commitment to x
Source Hiding: which key was used (among well chosen keys) is
  – Computationally indistinguishable during protocol
  – Statistically indistinguishable after protocol
    • If ends successfully
Deniability: Can run simulator `as before’