Security through complexity
Ana Nora Sovarel
Projects
Please fill one slot on the signup sheet.
One meeting for each group.
All members must agree.
Turing Machine
[Figure: a finite control reading a one-way infinite tape holding 0 0 1 1 0 0 1 0 0 0]
Definition
A Turing Machine is a 7-tuple (Q, Σ, Γ, δ, q0, qaccept, qreject) where Q, Σ, Γ are finite sets and
1. Q is the set of states
2. Σ is the input alphabet
3. Γ is the tape alphabet
4. δ : Q × Γ → Q × Γ × {L, R} is the transition function
5. q0 is the start state
6. qaccept is the accept state
7. qreject is the reject state, where qaccept ≠ qreject
Nondeterministic Turing Machine
[Figure: three computation branches, each a finite control with its own tape (0 0 1 1 0 0 1 0 0 0; 0 0 1 1 0 0 1 0 0 0; 0 0 0 1 0 0 1 0 0 0)]
Definition
A Nondeterministic Turing Machine is a 7-tuple (Q, Σ, Γ, δ, q0, qaccept, qreject) where Q, Σ, Γ are finite sets and
1. Q is the set of states
2. Σ is the input alphabet
3. Γ is the tape alphabet
4. δ : Q × Γ → P(Q × Γ × {L, R}) is the transition function (P denotes the power set)
5. q0 is the start state
6. qaccept is the accept state
7. qreject is the reject state, where qaccept ≠ qreject
More Power?
Does nondeterminism affect the power of a Turing Machine?
NO – “more power” would mean recognizing more languages, and a nondeterministic TM recognizes exactly the same languages as a deterministic one
But, maybe it can do things faster …
Complexity Classes
• P = decidable in polynomial time by a deterministic TM
• NP = decidable in polynomial time by a nondeterministic TM
Reduction
f – polynomial time transformation from A’s input to B’s input
What do we know about A and B?
A is at most as hard as B (it can be easier if we find another way to solve it).
B is at least as hard as A.
[Figure: A’s input → f → B’s input → B → Yes/No]
More definitions …
• NP-Hard = the set of problems Q such that any problem Q’ in NP is polynomial-time reducible to Q.
• NP-complete = the problems Q such that Q is NP-Hard and Q is in NP
How do we prove a problem is hard?
• Let A be a known hard problem
• Find a polynomial transformation from A’s input to your problem’s input
• Why does it work?
– If your problem is easy (P) then we can solve A easily (P).
– So A is not hard. Contradiction.
• Need a hard problem to start with ….
Cook’s Theorem (‘71)
SAT is NP-complete.
( SAT = given a boolean formula, is it satisfiable? )
3SAT is NP-complete.
Example: Φ(x1,x2,x3,x4) = (x1 + x2 + x3)(x’1 + x3 + x4), where + is OR and x’ is NOT x
Subset Sum
Given a set {x1,x2,…,xn} of integers and an integer t, find {y1,y2,…,yk}, a subset of {x1,x2,…,xn}, such that:
Σ_{i=1}^{k} yi = t
Subset Sum
To prove NP-complete:
1. Prove it is in NP
• Verifiable in polynomial time
• Give a nondeterministic algorithm
2. Reduction from a known NP-complete problem to subset sum
• Reduction from 3SAT to subset sum
Subset Sum is in NP
sum = 0
A = {x1,x2,…,xn}
for each x in A
    y ← choice(A)
    sum = sum + y
    if (sum = t) then success
    A ← A – {y}
done
fail
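The two ways of showing membership in NP listed on the previous slide, as an added Python example that is not part of the slides: a polynomial-time verifier that checks a certificate (a list of chosen indices), and a deterministic simulation of the choice()-based algorithm that explores every branch of choices. The sample instance and the certificate format are constructed for this example.

```python
# Added example (not from the slides): certificate verifier plus a
# brute-force simulation of the nondeterministic algorithm above.
from itertools import product


def verify_subset_sum(xs, t, certificate):
    """Polynomial-time verifier: the certificate is a list of distinct
    indices into xs; accept iff the chosen elements sum to t."""
    if len(set(certificate)) != len(certificate):
        return False                      # an index listed twice is not a subset
    if any(not 0 <= i < len(xs) for i in certificate):
        return False                      # index out of range
    return sum(xs[i] for i in certificate) == t


def simulate_nondeterministic(xs, t):
    """Deterministic simulation of the choice()-based algorithm: each
    possible sequence of choices is one branch; try all 2^n of them and
    accept if any branch succeeds. The exponential blow-up is exactly
    what the nondeterministic algorithm hides. Returns the indices of a
    non-empty subset summing to t, or None."""
    for bits in product((0, 1), repeat=len(xs)):
        chosen = [i for i, b in enumerate(bits) if b]
        if chosen and verify_subset_sum(xs, t, chosen):
            return chosen
    return None


if __name__ == "__main__":
    # Constructed sample instance.
    xs, t = [3, 34, 4, 12, 5, 2], 9
    print(simulate_nondeterministic(xs, t))   # indices of 4 and 5
    print(simulate_nondeterministic(xs, 30))  # None: no subset sums to 30
```

The verifier does work linear in n, which is the polynomial-time check; only the search over branches is exponential.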
Reduction
Goal: Reduce 3SAT to SUBSET-SUM.
How: Let Φ be a 3 conjunctive normal form formula. Build an instance (S, t) of the SUBSET-SUM problem such that Φ is satisfiable if and only if there is a subset T of S whose elements sum to t.
Prove the reduction is polynomial.
1. Algorithm
Input: Φ – 3 conjunctive normal form formula
Variables: x1, x2, …, xl
Clauses: c1, c2, …, ck
Output: S, t such that Φ is satisfiable iff there is a subset T of S which sums to t.
1. Algorithm (cont.)
One row per element of S, one digit column per variable and per clause (* = 1 or 0 depending on whether the clause contains the literal; the rule is on the next slide):

      x1  x2  …  xl   c1  c2  …  ck
y1     1   0  …   0    *   *  …   *
z1     1   0  …   0    *   *  …   *
y2     0   1  …   0    *   *  …   *
z2     0   1  …   0    *   *  …   *
…
yl     0   0  …   1    *   *  …   *
zl     0   0  …   1    *   *  …   *
g1     0   0  …   0    1   0  …   0
h1     0   0  …   0    1   0  …   0
g2     0   0  …   0    0   1  …   0
h2     0   0  …   0    0   1  …   0
…
gk     0   0  …   0    0   0  …   1
hk     0   0  …   0    0   0  …   1
t      1   1  …   1    3   3  …   3
1. Algorithm (cont.)
(yi,xj), (zi,xj) – 1 if i=j, 0 otherwise
(yi,cj) – 1 if cj contains variable xi, 0 otherwise
(zi,cj) – 1 if cj contains variable x’i, 0 otherwise
(gi,xj), (hi,xj) – 0
(gi,cj), (hi,cj) – 1 if i=j, 0 otherwise
Each row represents a decimal number.
S={y1,z1,..,yl,zl,g1,h1,…,gk,hk}
t is the last row in the table.
2. Reduction (⇒)
Given a variable assignment which satisfies Φ, find T.
1. If xi is true then yi is in T, else zi is in T
2. Add gi and/or hi to T so that each of the last k digits of the sum of T equals 3
3. Reduction (⇐)
Given T, a subset of S which sums to t, find a variable assignment which satisfies Φ.
1. If yi is in T then xi is true
2. If zi is in T then xi is false
4. Polynomial
Table size is O((k+l)^2), i.e. O(n^2)
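The whole reduction of slides 17 through 22, as an added Python example that is not part of the slides: it builds S and t from a CNF formula, maps a satisfying assignment to T (direction ⇒), reads an assignment back out of a subset that sums to t (direction ⇐), and checks both directions by brute force on the 3SAT example formula from the Cook’s Theorem slide. The clause encoding (positive integers for xi, negative for x’i) and the element names are assumptions of this example.

```python
# Added example (not from the slides): the 3SAT -> SUBSET-SUM reduction.
from itertools import product


def reduce_3sat_to_subset_sum(num_vars, clauses):
    """Build (S, t) from a CNF formula with at most 3 literals per clause.
    clauses: list of tuples of nonzero ints, +i for x_i, -i for x'_i.
    S is returned as a dict name -> integer so that g_j and h_j (equal
    numbers) stay separate elements; t is the target sum."""
    l, k = num_vars, len(clauses)
    width = l + k                                  # digits: x_1..x_l, c_1..c_k

    def number(digits):                            # a row read as a decimal number
        return int("".join(map(str, digits)))

    S = {}
    for i in range(1, l + 1):
        y, z = [0] * width, [0] * width
        y[i - 1] = z[i - 1] = 1                    # column x_i
        for j, clause in enumerate(clauses):
            assert len(clause) <= 3, "wider clauses could carry a digit"
            if i in clause:
                y[l + j] = 1                       # c_j contains x_i
            if -i in clause:
                z[l + j] = 1                       # c_j contains x'_i
        S[f"y{i}"], S[f"z{i}"] = number(y), number(z)
    for j in range(1, k + 1):
        g = [0] * width
        g[l + j - 1] = 1                           # column c_j only
        S[f"g{j}"] = S[f"h{j}"] = number(g)
    t = number([1] * l + [3] * k)                  # last row of the table
    return S, t


def subset_from_assignment(assignment, clauses):
    """Direction (=>): a satisfying assignment {i: bool} gives T summing to t."""
    T = [f"y{i}" if val else f"z{i}" for i, val in sorted(assignment.items())]
    for j, clause in enumerate(clauses, start=1):
        true_lits = sum(1 for lit in clause if assignment[abs(lit)] == (lit > 0))
        if true_lits == 0:
            raise ValueError(f"clause {j} is not satisfied")
        T += [f"g{j}", f"h{j}"][: 3 - true_lits]   # pad the c_j digit up to 3
    return T


def assignment_from_subset(T, num_vars):
    """Direction (<=): x_i is true iff y_i is in T."""
    return {i: f"y{i}" in T for i in range(1, num_vars + 1)}


def satisfies(assignment, clauses):
    return all(any(assignment[abs(lit)] == (lit > 0) for lit in c) for c in clauses)


def brute_force_subset_sum(S, t):
    """Exponential search over S (fine for a toy instance); returns T or None."""
    names = list(S)
    for bits in product((0, 1), repeat=len(names)):
        T = [n for n, b in zip(names, bits) if b]
        if sum(S[n] for n in T) == t:
            return T
    return None


if __name__ == "__main__":
    # Phi(x1..x4) = (x1 + x2 + x3)(x'1 + x3 + x4) from the Cook's Theorem slide.
    phi = [(1, 2, 3), (-1, 3, 4)]
    S, t = reduce_3sat_to_subset_sum(4, phi)
    print(S, t)
    T = brute_force_subset_sum(S, t)
    print(T, assignment_from_subset(T, 4))
```

Digits never carry because a clause column receives at most three 1s from literal rows plus g and h, so the decimal rows behave as independent counters; that is why the check "each clause digit equals 3" is sound.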
Back to cryptology
• P=NP is still an open question
• factorization is not known to be NP-complete
• cipher based on a known NP-complete problem
Knapsack Cipher [Merkle and Hellman, ’78]
• Public Key: {a1,a2,…,an} set of integers
• Plain Text: x1…xn, each xi ∈ {0,1}
• Cipher Text: s = Σ_{i=1}^{n} ai xi
Decryption
• Based on an easier problem
• {a1,a2,…,an} is a superincreasing sequence: ai > Σ_{j=1}^{i-1} aj
Linear Time Decryption
• xn = 1 iff s > Σ_{i=1}^{n-1} ai
• Solve it recursively on {a1,a2,…,an-1} and s – xn an
How to build the keys?
• Modular multiplication (Merkle and Hellman)
• Start with a superincreasing sequence {b1,b2,…,bn}
• Choose M and W such that M > Σ_{i=1}^{n} bi and GCD(M, W) = 1
• Compute {a1,a2,…,an} such that ai = (W bi) mod M
Decryption
• c = (s W^{-1}) mod M, where (W^{-1} W) mod M = 1
• Solve the subset sum problem with the superincreasing sequence {b1,b2,…,bn} and sum c.
Trade offs
• bi large → M large → n bits encoded with log2 M bits
• bi small → easy to break
– If bi = 1 then ai = W.
– Break in O(n)
• Merkle and Hellman recommended:
b1 ≈ 2^n, …, bn ≈ 2^{2n}, with bi > Σ_{j=1}^{i-1} bj for 1 < i ≤ n
Evaluation
+ speed (100 times faster than RSA)
– needs twice the communication capacity (m bits encoded into approximately 2m bits)
– larger public key (2n^2 bits: 20,000 for n = 100; RSA: 500)
? security
Knapsack Cipher - Summary
• Secret – superincreasing sequence {b1,b2,…,bn}, M, W
• Public – {a1,a2,…,an}
Remember: ai = (W bi) mod M
Shamir’s break (’82)
• based on the choice of superincreasing sequence
• linear transformation to generate public key
• What do we need to guess ?
(Only one of W and M is enough)
Shamir’s break (cont.)
Given the public key {a1,a2,…,an} find M and W such that (ai W) mod M is a superincreasing sequence.
b1 = (ai W) mod M ⇒ b1 = ai W + k1 M
b1/(M ai) = W/M + k1/ai
b2/(M aj) = W/M + k2/aj
b1/(M ai) – b2/(M aj) = k1/ai – k2/aj
|k1/ai – k2/aj| < 2^{-3n}
Shamir’s break (cont.)
Now a lot of math follows …
Main steps:
- Find ki’s, which gives an approximation of W/M
- Find a pair W’/M’ close to W/M which generates a superincreasing sequence
- W’,M’, and superincreasing sequence are different from the secret key
A little bit of history
• Some knapsack cryptosystems were broken by the late ’70s
• ’82: polynomial time break against the singly iterated Merkle-Hellman cryptosystem [Shamir]
• ’85: break against the multiply iterated Merkle-Hellman cryptosystem [Brickell]
• Low density knapsacks [Brickell, Lagarias and Odlyzko]
Most knapsack cryptosystems are broken. Few resisted – Chor-Rivest (’85).
Conclusion
• Computer Science doesn’t yet have adequate tools to prove a problem is hard
• We can base ciphers on ‘known’ hard problems like subset sum
• We have to be careful:
– NP-complete means it is hard to get the right answer to all instances
– To break a cipher, one only needs to probabilistically get close to the right answer for specific instances most of the time