1

Security through complexity

Ana Nora Sovarel

2

Projects

Please fill one slot on the signup sheet.

One meeting for each group.

All members must agree.

3

Turing Machine

Finite Control

0 0 1 1 0 0 1 0 0 0

4

Definition

A Turing Machine is a 7-tuple (Q, ∑, Γ, δ, q0, qaccept, qreject) where Q, ∑, Γ are finite sets and

1. Q is the set of states

2. ∑ is the input alphabet

3. Γ is the tape alphabet

4. δ : Q X Γ Q X Γ X {L,R} is the transition function

5. q0 is the start state

6. qaccept is the accept state

7. qreject is the reject state, where qaccept ≠ qreject

5

Nondeterministic Turing Machine

Finite Control

0 0 1 1 0 0 1 0 0 0

Finite Control

0 0 1 1 0 0 1 0 00

Finite Control

0 0 0 1 0 0 1 0 00

6

Definition

A Turing Machine is a 7-tuple (Q, ∑, Γ, δ, q0, qaccept, qreject) where Q, ∑, Γ are finite sets and

1. Q is the set of states2. ∑ is the input alphabet3. Γ is the tape alphabet4. δ : Q X Γ P(Q X Γ X {L,R}) is the transition function5. q0 is the start state6. qaccept is the accept state7. qreject is the reject state, where qaccept ≠ qreject

7

More Power?

Does nondeterminism affect the power of Turing Machine?

NO – more power means it recognizes more languages

But, maybe it can do things faster …

8

Complexity Classes

• P = decidable in polynomial time by a deterministic TM

• NP = decidable in polynomial time by a nondeterministic TM

9

Reduction

f – polynomial time transformation

What we know about A and B?A is at most as hard as B ( can be easier if

we find another way to solve it )B is at least as hard as A.

A’s Input

f(A) B Yes/No

B’s Input

10

More definitions …

• NP-Hard = the set of problems Q such that any problem Q’ in NP is polynomial reducible to it.

• NP-complete = the problems Q such that Q is in NP-Hard and Q is in NP

11

How do we prove a problem is hard?

• Let A be a known hard problem

• Find a polynomial transformation from A’s input to your problem’s input

• Why it works? – If your problem is easy ( P ) then we can solve

A easy ( P ).– So A is not hard. Contradiction

• Need a hard problem to start with ….

12

Cook’s Theorem (‘71)

SAT is NP-complete.

( SAT = given a boolean formula, is it satisfiable? )

3SAT is NP-complete.

Example: Ф(x1,x2,x3,x4)=(x1+x2+x3)(x’1+x3+x4)

13

Subset Sum

Given a set {x1,x2,…,xn} of integers and an integer t, find {y1,y2,…,yk} a subset of {x1,x2,…,xn} such that:

k

i

iyt1

14

Subset Sum

To prove NP-complete:

1. Prove is in NP• Verifiable in polynomial time• Give a nondeterministic algorithm

2. Reduction from a known NP-complete problem to subset sum

• Reduction from 3SAT to subset sum

15

Subset Sum is in NP

sum = 0

A = {x1,x2,…,xn}for each x in A

y choice(A)sum = sum + yif ( sum = t ) then successA A – {y}

donefail

16

Reduction

Goal: Reduce 3SAT to SUBSET-SUM.How: Let Ф be a 3 conjunctive normal formformula. Build an instance of SUBSET-SUMproblem (S, t) such that Ф is satisfiable if and only if there is a subset T of S whoseelements sum to t.Prove the reduction is polynomial.

17

1. Algorithm

Input: Ф - 3 conjunctive normal form formula

Variables: x1, x2, …, xl

Clauses: c1,c2,…,ck.

Output: S, t such that

Ф is satisfiable iff there is T subset of S

which sums to t.

18

1. Algorithm (cont.)x1 x2 …. xl c1 c2 …. ck

y1 1 0 0 1 0 0

z1 1 0 0 0 1 0

y2 1 0 0 0 1

z2 1 0 0 0 0

…

yl 1 0 0 0

zl 1 0 0 0

g1 1 0 0

h1 1 0 0

g2 1 0

h2 1 0

…

gk 1

hk 1

t 1 1 … 1 3 3 … 3

19

1. Algorithm (cont.)

(yi,xj), (zi,xj) – 1 if i=j, 0 otherwise

(yi,cj) – 1 if cj contains variable xi, 0 otherwise

(zi,cj) – 1 if cj contains variable x’i, 0 otherwise

(gi,xj), (hi,xj) – 0

(gi,cj), (hi,cj) – 1 if i=j, 0 otherwise

Each row represents a decimal number.

S={y1,z1,..,yl,zl,g1,h1,…,gk,hk}

t is the last row in the table.

20

2. Reduction ‘’

Given a variable assignment which satisfies

Ф, find T.

1. If xi is true then yi is in T, else zi is in T

2. Add gi and/or hi to T such all last k digits of T to be 3.

21

3. Reduction ‘’

Given T a subset of S which sums to t, find a

variable assignment which satisfies Ф.

1. If yi is in T then xi is true

2. If zi is in T then xi is false

22

4. Polynomial

Table size is (k+l)2

O(n2)

23

Back to cryptology

• P=NP is still an open question

• factorization is not known to be NP-complete

• cipher based on a known NP-complete problem

24

Knapsack Cipher

• Public Key: {a1,a2,…,an} set of integers

• Plain Text: x1…xn

• Cipher Text:

[Merkle and Hellman, ’78]

n

i

iiaxs1

25

Decryption

• Based on an easier problem

• {a1,a2,…,an} is a superincreasing sequence

1

1

i

j

ji aa

26

Linear Time Decryption

• xn = 1 iff

• Solve it recursively on {a1,a2,…,an-1}

and s - xnan

n

i

ias1

27

How to build the keys?

• Modular multiplication (Merkle and Hellman)

• Starts with superincreasing sequence {b1,b2,…,bn}

• Choose M and W such that

• Compute {a1,a2,…,an} such that

1),(,1

WMGCDaMn

i

i

MWba ii mod)(

28

Decryption

• C = (s W-1) mod M, where (W-1W) mod M = 1

• Solve subset sum problem with superincreasing sequence {b1,b2,…,bn} and sum c.

29

Trade offs

• bi large M large n bits encoded with log2M bits

• bi small easy to break

– If bi = 1 aj = W.

– Break O(n)

• Merkle and Hellman recommended:

b1 ≈ 2n, , bn ≈ 22n 12,

1

1

nibbi

j

ji

30

Evaluation

+ speed ( 100 times faster than RSA )

- needs twice the communication capacity

(m bits encoded into approximate 2m bits)

- larger public key

(2n2 bits, 20,000 for n=100, RSA - 500)

? security

31

Knapsack Cipher - Summary

• Secret – superincreasing sequence {b1,b2,…,bn}

– M– W

• Public– {a1,a2,…,an}

Remember:

MWba ii mod)(

32

Shamir’s break (’82)

• based on the choice of superincreasing sequence

• linear transformation to generate public key

• What do we need to guess ?

(Only one of W and M is enough)

33

Shamir’s break (cont.)

Given the public key {a1,a2,…,an} find M and W such that (ai W) mod M is a superincreasing sequence.

b1 = (ai W) mod M b1 = ai W + k1M

b1/(Mai) = W/M + k1/ ai

b2/(Maj) = W/M + k2/ aj

b1/(Mai) - b2/(Maj) = k1/ ai - k2/ aj

| k1/ ai - k2/ aj | < 2-3n

34

Shamir’s break (cont.)

Now a lot of math follows …

Main steps:

- Find ki’s, which gives an approximation of W/M

- Find a pair W’/M’ close to W/M which generates a superincreasing sequence

- W’,M’, and superincreasing sequence are different from the secret key

35

A little bit of history

• Some knapsack cryptosystems were broke by late ’70’s

• ’82 polynomial time break against singly iterated Merkle-Hellman cryptosystem [Shamir]

• ’85 break against multiple iterated Merkle-Hellman cryptosystem [Brickell]

• Low density knapsack [Brickell, Lagarias and Odlyzko]

Most knapsack cryptosystems brokenFew resisted – Chor-Rivest (’85)

36

Conclusion

• Computer Science doesn’t yet have adequate tools to a problem is hard

• We can base ciphers on ‘known’ hard problems like subset sum

• We have to be careful– NP-complete means is hard to get right

answer to all instances– To break a cipher, only need to

probabilistically get close to the right answer for specific instances most of the time