Security through complexity Ana Nora Sovarel - PowerPoint PPT Presentation

Slides: 37
Provided by: ITCLabsand2
Transcript and Presenter's Notes

1
Security through complexity
Ana Nora Sovarel
2
Projects
  • Please fill one slot on the signup sheet.
  • One meeting for each group.
  • All members must agree.

3
Turing Machine
[Figure: a finite control with a head over a tape containing 0 0 1 1 0 0 1 0 0 0]
4
Definition
  • A Turing Machine is a 7-tuple $(Q, \Sigma, \Gamma, \delta, q_0, q_{accept}, q_{reject})$
    where $Q$, $\Sigma$, $\Gamma$ are finite sets and
  • $Q$ is the set of states
  • $\Sigma$ is the input alphabet
  • $\Gamma$ is the tape alphabet
  • $\delta : Q \times \Gamma \to Q \times \Gamma \times \{L, R\}$ is the transition
    function
  • $q_0$ is the start state
  • $q_{accept}$ is the accept state
  • $q_{reject}$ is the reject state, where $q_{accept} \neq q_{reject}$

5
Nondeterministic Turing Machine
[Figure: three finite controls, each over its own tape; tape contents 0 0 1 1 0 0 1 0 0 0, 0 0 1 1 0 0 1 0 0 0 and 0 0 0 1 0 0 1 0 0 0]
6
Definition
  • A nondeterministic Turing Machine is a 7-tuple $(Q, \Sigma, \Gamma, \delta, q_0, q_{accept}, q_{reject})$
    where $Q$, $\Sigma$, $\Gamma$ are finite sets and
  • $Q$ is the set of states
  • $\Sigma$ is the input alphabet
  • $\Gamma$ is the tape alphabet
  • $\delta : Q \times \Gamma \to \mathcal{P}(Q \times \Gamma \times \{L, R\})$ is the transition
    function
  • $q_0$ is the start state
  • $q_{accept}$ is the accept state
  • $q_{reject}$ is the reject state, where $q_{accept} \neq q_{reject}$

7
More Power?
  • Does nondeterminism affect the power of a Turing
    Machine?
  • NO: more power means it recognizes more
    languages
  • But maybe it can do things faster

8
Complexity Classes
  • P: decidable in polynomial time by a
    deterministic TM
  • NP: decidable in polynomial time by a
    nondeterministic TM

9
Reduction
  • f: polynomial time transformation
  • What do we know about A and B?
  • A is at most as hard as B (it can be easier if we
    find another way to solve it)
  • B is at least as hard as A.

10
More definitions
  • NP-Hard: the set of problems Q such that any
    problem Q' in NP is polynomially reducible to Q.
  • NP-complete: the problems Q such that Q is in
    NP-Hard and Q is in NP

11
How do we prove a problem is hard?
  • Let A be a known hard problem
  • Find a polynomial transformation from A's input
    to your problem's input
  • Why does it work?
  • If your problem is easy (in P), then we can solve A
    easily (in P).
  • So A is not hard. Contradiction.
  • We need a hard problem to start with.

12
Cook's Theorem ('71)
  • SAT is NP-complete.
  • (SAT: given a boolean formula, is it
    satisfiable?)
  • 3SAT is NP-complete.
  • Example: $\varphi(x_1, x_2, x_3, x_4) = (x_1 \lor x_2 \lor x_3) \land (x_1 \lor x_3 \lor x_4)$

13
Subset Sum
  • Given a set $\{x_1, x_2, \ldots, x_n\}$ of integers and an
    integer $t$, find $\{y_1, y_2, \ldots, y_k\}$, a subset of
    $\{x_1, x_2, \ldots, x_n\}$, such that

14
Subset Sum
  • To prove it is NP-complete:
  • Prove it is in NP
  • Verifiable in polynomial time
  • Give a nondeterministic algorithm
  • Reduction from a known NP-complete problem to
    subset sum
  • Reduction from 3SAT to subset sum

15
Subset Sum is in NP
  • sum = 0
  • A = {x1, x2, …, xn}
  • for each x in A
  •     y ← choice(A)
  •     sum = sum + y
  •     if (sum = t) then success
  •     A ← A − {y}
  • done
  • fail

16
Reduction
  • Goal: reduce 3SAT to SUBSET-SUM.
  • How:
  • Let $\varphi$ be a 3 conjunctive normal form
    formula. Build an instance $(S, t)$ of the SUBSET-SUM
    problem such that $\varphi$ is satisfiable
    if and only if there is a subset $T$ of $S$ whose
    elements sum to $t$.
  • Prove the reduction is polynomial.

17
1. Algorithm
  • Input: $\varphi$, a 3 conjunctive normal form formula
  • Variables $x_1, x_2, \ldots, x_l$
  • Clauses $c_1, c_2, \ldots, c_k$
  • Output: $S$, $t$ such that
    $\varphi$ is satisfiable iff there is a subset $T$ of $S$
    which sums to $t$.

18
1. Algorithm (cont.)
19
1. Algorithm (cont.)
  • $(y_i, x_j) = (z_i, x_j) = 1$ if $i = j$, 0 otherwise
  • $(y_i, c_j) = 1$ if $c_j$ contains the variable $x_i$, 0
    otherwise
  • $(z_i, c_j) = 1$ if $c_j$ contains the negated variable $\neg x_i$, 0
    otherwise
  • $(g_i, x_j) = (h_i, x_j) = 0$
  • $(g_i, c_j) = (h_i, c_j) = 1$ if $i = j$, 0 otherwise
  • Each row represents a decimal number.
  • $S = \{y_1, z_1, \ldots, y_l, z_l, g_1, h_1, \ldots, g_k, h_k\}$
  • $t$ is the last row in the table.

20
2. Reduction ⇒
  • Given a variable assignment which satisfies
    $\varphi$, find $T$.
  • If $x_i$ is true then $y_i$ is in $T$, else $z_i$ is in $T$
  • Add $g_i$ and/or $h_i$ to $T$ so that each of the last $k$ digits of the sum of $T$
    is 3.

21
3. Reduction ⇐
  • Given $T$, a subset of $S$ which sums to $t$, find a
    variable assignment which satisfies $\varphi$.
  • If $y_i$ is in $T$ then $x_i$ is true
  • If $z_i$ is in $T$ then $x_i$ is false

22
4. Polynomial
  • Table size is $(k + l)^2$
  • $O(n^2)$
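
The construction on slides 17 to 22, written out as an added example (not code from the presentation). It assumes clauses are given as tuples of signed integers (+i for x_i, -i for the negation of x_i) and that t is l ones followed by k threes; the sample formula and all function names are constructed for illustration.

```python
from itertools import combinations

def reduce_3sat(clauses, l):
    """Build (S, t). A clause is a tuple of ints: +i is x_i, -i is NOT x_i."""
    k = len(clauses)
    def row(var, clause_digits):            # l variable digits, then k clause digits
        digits = [int(i == var) for i in range(1, l + 1)] + clause_digits
        return int("".join(map(str, digits)))
    S = {}
    for i in range(1, l + 1):
        S[f"y{i}"] = row(i, [int(i in c) for c in clauses])
        S[f"z{i}"] = row(i, [int(-i in c) for c in clauses])
    for j in range(1, k + 1):               # two identical padding rows per clause
        S[f"g{j}"] = S[f"h{j}"] = row(0, [int(m == j) for m in range(1, k + 1)])
    return S, int("1" * l + "3" * k)        # no digit column can carry: max sum is 5

def true_literals(clause, assignment):
    """Number of distinct literals of the clause made true by the assignment."""
    return len({lit for lit in clause if assignment[abs(lit)] == (lit > 0)})

def satisfies(clauses, assignment):
    return all(true_literals(c, assignment) > 0 for c in clauses)

def subset_from_assignment(clauses, assignment):
    """Slide 20 direction: satisfying assignment -> names of the rows in T."""
    T = [f"y{i}" if value else f"z{i}" for i, value in sorted(assignment.items())]
    for j, c in enumerate(clauses, 1):      # pad each clause digit up to 3
        T += [f"g{j}", f"h{j}"][: 3 - true_literals(c, assignment)]
    return T

def assignment_from_subset(T, l):
    """Slide 21 direction: y_i in T means x_i is true, otherwise false."""
    return {i: f"y{i}" in T for i in range(1, l + 1)}

def brute_force_subset(S, t):
    """Exponential search, only to check tiny instances."""
    for r in range(len(S) + 1):
        for T in combinations(S, r):
            if sum(S[name] for name in T) == t:
                return list(T)
    return None

# Constructed sample: (x1 OR NOT x2 OR x3) AND (NOT x1 OR x2 OR x3)
CLAUSES, L_VARS = [(1, -2, 3), (-1, 2, 3)], 3
if __name__ == "__main__":
    S, t = reduce_3sat(CLAUSES, L_VARS)
    T = brute_force_subset(S, t)
    print(t, T, assignment_from_subset(T, L_VARS))
```
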

23
Back to cryptology ?
  • P = NP is still an open question
  • factorization is not known to be NP-complete
  • cipher based on a known NP-complete problem

24
Knapsack Cipher
  • Public Key: $a_1, a_2, \ldots, a_n$, a set of integers
  • Plain Text: $x_1 \ldots x_n$
  • Cipher Text
  • Merkle and Hellman, '78

25
Decryption
  • Based on an easier problem
  • $a_1, a_2, \ldots, a_n$ is a superincreasing sequence

26
Linear Time Decryption
  • $x_n = 1$ iff
  • Solve it recursively on $a_1, a_2, \ldots, a_{n-1}$
  • and $s - x_n a_n$

27
How to build the keys?
  • Modular multiplication (Merkle and Hellman)
  • Starts with a superincreasing sequence $b_1, b_2, \ldots, b_n$
  • Choose $M$ and $W$ such that
  • Compute $a_1, a_2, \ldots, a_n$ such that

28
Decryption
  • $c = (s \cdot W^{-1}) \bmod M$, where $(W^{-1} \cdot W) \bmod M = 1$
  • Solve the subset sum problem with the superincreasing
    sequence $b_1, b_2, \ldots, b_n$ and sum $c$.
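
The scheme from slides 24 to 28 as an added example (not code from the presentation). The conditions M > sum(b), gcd(W, M) = 1 and a_i = (W · b_i) mod M, and the greedy test "take b_i iff the remaining sum is at least b_i", are the standard Merkle-Hellman ones and are assumptions here; the sample key and all function names are constructed.

```python
import secrets
from math import gcd

def public_key(b, M, W):
    """a_i = (W * b_i) mod M, after checking the private parameters."""
    if any(x <= sum(b[:i]) for i, x in enumerate(b)):
        raise ValueError("b is not superincreasing")
    if M <= sum(b) or gcd(W, M) != 1:
        raise ValueError("need M > sum(b) and gcd(W, M) = 1")
    return [(W * x) % M for x in b]

def keygen(n):
    """Random private key (b, M, W) and matching public key, for n >= 2."""
    b, total = [], 0
    for _ in range(n):
        b.append(total + 1 + secrets.randbelow(2 ** n))
        total += b[-1]
    M = total + 1 + secrets.randbelow(2 ** n)
    W = 0
    while gcd(W, M) != 1:                   # retry until W is invertible mod M
        W = 2 + secrets.randbelow(M - 2)
    return public_key(b, M, W), (b, M, W)

def encrypt(a, bits):
    """Ciphertext s is the sum of the a_i selected by the plaintext bits."""
    return sum(ai for ai, x in zip(a, bits) if x)

def solve_superincreasing(b, c):
    """Linear-time subset sum: walk from the largest element down."""
    bits = [0] * len(b)
    for i in reversed(range(len(b))):
        if c >= b[i]:
            bits[i], c = 1, c - b[i]
    if c != 0:
        raise ValueError("c is not a subset sum of b")
    return bits

def decrypt(private, s):
    b, M, W = private
    c = (s * pow(W, -1, M)) % M             # undo the modular multiplication
    return solve_superincreasing(b, c)

# Constructed sample key and message (n = 8)
B, M_SAMPLE, W_SAMPLE = [2, 3, 7, 14, 30, 57, 120, 251], 491, 41
MESSAGE = [0, 1, 1, 0, 0, 0, 0, 1]
if __name__ == "__main__":
    a = public_key(B, M_SAMPLE, W_SAMPLE)
    s = encrypt(a, MESSAGE)
    print(a, s, decrypt((B, M_SAMPLE, W_SAMPLE), s))
```
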

29
Trade offs
  • $b_i$ large ⇒ $M$ large ⇒ $n$ bits encoded with $\log_2 M$
    bits
  • $b_i$ small ⇒ easy to break
  • If $b_i = 1$ ⇒ $a_j = W$.
  • Break: $O(n)$
  • Merkle and Hellman recommended
  • $b_1 \approx 2^n, \ldots, b_n \approx 2^{2n}$

30
Evaluation
  • speed (100 times faster than RSA)
  • needs twice the communication capacity
  • ($m$ bits encoded into approximately $2m$ bits)
  • larger public key
  • ($2n^2$ bits: 20,000 for $n = 100$; RSA: 500)
  • ? security

31
Knapsack Cipher - Summary
  • Secret
  • superincreasing sequence $b_1, b_2, \ldots, b_n$
  • M
  • W
  • Public
  • $a_1, a_2, \ldots, a_n$
  • Remember

32
Shamir's break ('82)
  • based on the choice of superincreasing sequence
  • linear transformation to generate public key
  • What do we need to guess?
  • (Only one of W and M is enough)

33
Shamir's break (cont.)
  • Given the public key $a_1, a_2, \ldots, a_n$, find $M$ and $W$
    such that $(a_i W) \bmod M$ is a superincreasing
    sequence.
  • $b_1 = (a_i W) \bmod M \Rightarrow b_1 = a_i W + k_1 M$
  • $b_1/(M a_i) = W/M + k_1/a_i$
  • $b_2/(M a_j) = W/M + k_2/a_j$
  • $b_1/(M a_i) - b_2/(M a_j) = k_1/a_i - k_2/a_j \Rightarrow$
  • $k_1/a_i - k_2/a_j < 2^{-3n}$

34
Shamir's break (cont.)
  • Now a lot of math follows
  • Main steps:
  • Find the $k_i$'s, which give an approximation of $W/M$
  • Find a pair $W'/M'$ close to $W/M$ which generates a
    superincreasing sequence
  • $W'$, $M'$, and the superincreasing sequence are different
    from the secret key

35
A little bit of history
  • Some knapsack cryptosystems were broken by the late
    '70s
  • '82: polynomial time break against the singly iterated
    Merkle-Hellman cryptosystem (Shamir)
  • '85: break against the multiply iterated
    Merkle-Hellman cryptosystem (Brickell)
  • Low density knapsack: Brickell, Lagarias and
    Odlyzko
  • Most knapsack cryptosystems broken
  • Few resisted: Chor-Rivest ('85)

36
Conclusion
  • Computer Science doesn't yet have adequate tools
    to prove a problem is hard
  • We can base ciphers on known hard problems like
    subset sum
  • We have to be careful
  • NP-complete means it is hard to get the right answer for
    all instances
  • To break a cipher, one only needs to probabilistically
    get close to the right answer for specific
    instances most of the time