CS 111 -- Lectures

1
Security and Cryptography
Portions stolen from Prof. Sahai (spring 2001)
December 4, 2001
2
Administrivia

• Homework assignment 7 due today
• Homework Assignment 8 due January 7,2002
• Homework 9
• Part a due next Tuesday
• Part b due next Thursday
• Part c due next Friday
• Lab 8 this week
• No lab next week
• Guest lecturer(s) Thursday
• Final Exam  CS  104  01/23/2002_at_830  AM

3
Last Time

• We saw examples of undecidable problems that
  computers cant solve
• We saw examples of search problems that we
  believe computers cant solve quickly.

4
Easy undecidable problems

• Halting Problem
• Post's Correspondence Problem (PCP)?

5
Post's Correspondence Problem (PCP)?

• An instance of Post's correspondence problem of
  size s is a finite set of pairs of strings (gi ,
  hi) ( i 1...s sgt1) over some alphabet ?. A
  solution is a sequence i1 i2 ... in of selections
  such that the strings gi1gi2 ... gin and hi1hi2
  ... hin formed by concatenation are identical.

6
Sample PCP

• g1 aba h1 abaa
• g2 bbab h2 abab
• g3 baaa h3 a
• g4 a h4 bb
• So, 1,3,1,2 would correspond to
• aba baaa aba bbab from gs
• abaa a abaa abab from hs (not a match)

7
Sample PCP (cont.)

• g1 aba h1 abaa
• g2 bbab h2 abab
• g3 baaa h3 a
• g4 a h4 bb
• 1,4,2,1,3
• aba a bbab aba baaa
• abaa bb abab abaa a

8
PCP is undecidable

• Post's correspondence problem shown to be
  undecidable by Post in 1946.
• The problem with size 2 has been proved
  decidable.
• The problem with size 7 has been proved
  undecidable.
• The decidablility of problems with size between 3
  and 6 is still pending.

9
Last Time hard search problems

• We saw examples of search problems that we
  believe computers cant solve quickly.
• A search problem is a problem where
• Is hard to find solution
• Is easy to check possible solution
• A complete search problem is as hard as any
  search problem
• Search problem is believed to be hard because
• We cant solve it
• No one else can
• No one can solve any of the complete search
  problems

10
Classes of search problems

• In computer-science terminology
• NP All Search Problems
• P Problems we can solve quickly
• We believe that P ? NP, i.e. not every search
  problem can be solved quickly on a computer.
• Search problem is NP but not P are used in
  situations where we want a problem that is
• Hard to solve
• Easy to check a solution.

11
Coloring
12
Coloring (cont.)

• We can build a computer as a coloring problem
• Build simulations of gates
• NOT, AND, OR
• Combine simulations to build circuit for, e.g.
  Carry-ripple adder
• Result
• Here is a graph,
• Color a few circles to mark inputs
• Find a valid coloring of all circles
• Read off values of output circles to get result

13
Coloring (cont.)

• Coloring is complete
• In particular, we can reduce solving any search
  problem to finding a valid coloring for some
  collection of circles!
• So, if we could solve Coloring quickly, then P
  NP
• Thats why we believe Coloring cant be solved
  quickly by any computer.
• We call such problems NP-Complete.

14
NP-complete problems

• Coloring
• Traveling Salesman Problem
• Knapsack problem
• Partition Problem

15
Knapsack problem

• We are given a set of items each having a weight
  measured by an integer
• We are given a capacity for the knapsack
• We ask if we can exactly pack the knapsack

16
Sample Knapsack problem

• Item weights 2,4,9,13,17,23,32,70,123,157
• Capacity is 228
• Packing 157 32 17 13 9
• Capacity is 226
• Packing (there are none)

17
Partition problem

• We are given a set of items each having a weight
  measured by an integer
• We are asked if we can divide the items into 2
  groups that have the same total weights.
• Like a knapsack problem
• Weight is half of total weight

18
Sample Partition problem

• Item weights 2,4,9,13,17,23,32,70,123,157
• Total weight is 450
• Packing 123 70 32 225
• Packing 157 23 17 13 9 4 2 225
• Why is this different from the PCP?

19
Other Hard Problems?

• There are other problems besides NP-Complete
  Problems that we also believe are hard.
• Can we be sure?
• No.
• But humanity has been trying to solve certain
  mathematical problems for centuries.
• So. it seems reasonable to assume that nobody
  will figure out how to solve them soon.

20
Cryptography

• Why do we care so much about hard problems?
• Because sometimes we want to make things hard.
• Protecting Privacy, Authenticity
• Want to make it hard for adversaries to
• Steal our credit cards
• Impersonate us
• Etc.
• Makes it possible for companies to protect
  intellectual property.

21
Cryptography

• Science of making things hard for adversaries
  Cryptography
• Dates back to Julius Caeser
• Caesar cipher shift each character by a few
  places
• "UHWXUA WR URPH" encodes RETURN TO ROME
• Used extensively during WW 2 (and every other
  war)
• Used to encode passwords
• Used to prevent copying of software and data
  (e.g. DVD).

22
Requirements of a cryptosystem

• Easy to encode messages
• Hard to decode messages

23
One Approach...
Its so complicated! It must be secure!
Cryptosystem XYZ (Patent Pending)
24
One Approach...
25
One Approach...

• Unfortunately, this approach is often used in
  real life.
• This is one of the reasons why you hear about so
  many security systems being broken!
• Examples DVD encryption (DeCSS), Cell phones
  in Europe (GSM), encoding of
  fonts by Adobe, many many
  more

26
More sophisticated approach

• Use the theory of hard search problemsand the
  notion of reducing one problem to another.
• Show that if you break this security system, you
  do so by solving some of the worlds greatest
  unsolved problems first!

27
Encryption

• The most basic problem in Cryptography is
  Encryption

Private Message m
Bob
Alice
28
Encryption

• The most basic problem in Cryptography is
  Encryption

Private Message m
Bob
Alice
Eve the eavesdropper
29
Encryption

• The most basic problem in Cryptography is
  Encryption

Encrypted Message E(m)
Bob
Alice
Eve the eavesdropper
30
Encryption

• Have to make it easy for Bob to recover m
• But hard for Eve to learn anything about m

Encrypted Message E(m)
Bob
Alice
Eve the eavesdropper
31
Public-Key CryptographyDiffie-Hellman 1976
Bobs Public Key
Bobs Secret Key
Bob

• Everybody knows Bobs published Public Key.
• Only Bob knows his secret key.

32
Public-Key Encryption
Encrypted Message E(m)
Bob
Alice

• Alice uses Bobs public key to encrypt m.
• Bob uses his secret key to recover (decrypt) m.

33
Public-Key Encryption
Encrypted Message E(m)
Bob
Alice
Eve the eavesdropper

• Alice and Eve both know Bobs public key.
• Eve must not be able to break the encryption
  even though she knows the public key.

34
Basic Math Review

• Lets recall some basic mathematics
• A number p is called prime if its only factors
  are 1 and itself.
• Examples

35
Basic Math Review

• Lets recall some basic mathematics
• A number p is called prime if its only factors
  are 1 and itself.
• Examples 2, 3, 5, 7, 11, 13, 17, 19,

36
Basic Math Review

• Lets recall some basic mathematics
• A number p is called prime if its only factors
  are 1 and itself.
• Examples 2, 3, 5, 7, 11, 13, 17, 19,
• There are lots of prime numbers.
• Fact It is known how to check quickly if a
  number is prime or not.
• So, to find a big prime number, we can just keep
  generating large random numbers until we find a
  prime.

37
Basic Math Review

• Given two primes p and q, it is easy to multiply
  them together N pq
• But given N, how do you find p and q
  quickly?i.e. how do you factor N?
• Easy for small numbers (e.g. 6 or 35).
• For centuries, mathematicians have been trying to
  find ways to factor large numbers quickly. No
  one knows how!
• Factoring a 10,000 digit N would take centuries
  on the fastest computer in existence!

38
How do we know factoring is hard?

• Problem has a long history
• Prizes are offered and have been for a long time
• Factoring progress happens slowly

39
Factoring RSA-130 (4/10/96)

• RSA-130 1807082088687404805951656164405905566278
  10251676940134917012702145005666254024404838734112
  7590812303371781887966563182013214880557
  39685999459597454290161126162883786067576449112810
  064832555157243 45534498646735972188403686897274
  408864356301263205069600999044599
• Moores Law would add a digit or 2 every year.

40
Basic Math Crypto

• We want to make it so that if Eve the
  eavesdropper breaks our system, she would have to
  factor a very large number.
• Well (almost) do that.

41
Modular Arithmetic

• Ordinary Arithmetic

-4 -3 -2 -1 0 1 2 3 4
42
Modular Arithmetic

• Ordinary Arithmetic
• Arithmetic Modulo N

-4 -3 -2 -1 0 1 2 3 4
N 0
1
(N 1)
2
(N 2)
(N 3)
3

43
Modular Arithmetic

• Example Arithmetic Modulo 12
  (like Arithmetic on time)
• 3 11 (Modulo 12)
• 2 4 (Modulo 12)
• 5 4 (Modulo 12)
• 4 3 (Modulo 12)

44
Modular Arithmetic

• Example Arithmetic Modulo 12
  (like Arithmetic on time)
• 3 11 (Modulo 12) 2
• 2 4 (Modulo 12)
• 5 4 (Modulo 12)
• 4 3 (Modulo 12)

45
Modular Arithmetic

• Example Arithmetic Modulo 12
  (like Arithmetic on time)
• 3 11 (Modulo 12) 2
• 2 4 (Modulo 12) 10
• 5 4 (Modulo 12)
• 4 3 (Modulo 12)

46
Modular Arithmetic

• Example Arithmetic Modulo 12
  (like Arithmetic on time)
• 3 11 (Modulo 12) 2
• 2 4 (Modulo 12) 10
• 5 4 (Modulo 12) 8
• 4 3 (Modulo 12)

47
Modular Arithmetic

• Example Arithmetic Modulo 12
  (like Arithmetic on time)
• 3 11 (Modulo 12) 2
• 2 4 (Modulo 12) 10
• 5 4 (Modulo 12) 8
• 4 3 (Modulo 12) 0

48
The RSA Encryption Scheme Rivest Shamir Adleman
1978

• Bob picks two large primes p and q, and computes
  N pq
• Fact Because Bob knows p and q, he can pick
  numbers e and d such that
• For all m (me)d m (Modulo N)
• Bobs Public Key will be e, N
• Bobs secret key will be d

49
The RSA Encryption Scheme

• Fact Because Bob knows p and q, he can pick
  numbers e and d such that
• For all m (me)d m (Modulo N)
• To Encrypt a message m, Alice computes
• E(m) me (Modulo N)

50
The RSA Encryption Scheme

• Fact Because Bob knows p and q, he can pick
  numbers e and d such that
• For all m (me)d m (Modulo N)
• To Encrypt a message m, Alice computes
• E(m) me (Modulo N)
• To Decrypt, Bob computes
• m E(m)d (Modulo N)

51
The RSA Encryption Scheme

• To Encrypt a message m, Alice computes
• E(m) me (Modulo N)
• The only known way to compute m from E(m)
  involves factoring N.
• For Eve to break this system, she would have to
  solve a long-standing open problem in
  Mathematics.
• This is probably the most widely used Public-Key
  Encryption Scheme in the world.
• Look at Help on IE

52
Shifting Gears Proofs

• Bob wants to convince Alice of the validity of
  some statement (like I really am Bob!)
• But Bob doesnt want to reveal his secrets to
  Alice in the process

Bob
Alice
53
Zero-Knowledge Proofs

• What is the least amount of information Bob can
  reveal, while still convincing Alice?
• Amazingly, it is possible for Bob to convince
  Alice of something without revealing any
  information at all!
• How can that be?

54
Magic Tricks

• Magic tricks are like zero-knowledge proofs
• Good magic tricks reveal nothing about how
  they work.
• What makes a magic trick good?

55
A Magic Trick

• Two balls Purple and Red, otherwise identical
• Blindfolded Magician
• You give a random ball to magician

56
A Magic Trick (cont.)

• Magician tells you the color!
• Magician proves he can distinguish balls
  blindfolded.
• You learn nothing except this.

Abracadabra, Goobedy goo! It is Red!
Wow! Hesso cool!
57
A Magic Trick (cont.)

• You knew exactly what magician was going to do.
• And he did it!
• Since you knew to begin with, you could not
  have learned anything new!

Its Red!
I knew hewould say that.
58
Zero Knowledge

• What it means
• Alice knows what is going to happen.
• CS-speak Alice can simulate it herself!

Simulation
Abracadabra, Goobedy goo! It is Red!
59
Another Magic Trick

• Magician asks you to think of either
• Apple or
• Banana
• Magician then gives you a sealed box.

60
Mind Reading

• You tell Magician what you were thinking.

I was thinkingof a banana.
61
Mind Reading (cont.)

• Magician tells you to open box, and read
  piece of paper in box.
• Magician proves he can predict what you will
  say.

Banana
How did hedo that!!
62
Mind Reading (cont.)

• Again, you knew what was going to happen. ?
  Zero-Knowledge

Simulation
Banana
I was thinkingof a banana.
63
Mind Reading (cont.)

• But why was it convincing?
• Because Magician committed to his guess
  before you told him.

64
CryptographicCommitment

• Public Key Encryption Scheme
• To commit to a string x, I send y E(x).
• To open the commitment, I reveal my secret
  key.
• Commitment is secret.
• And I cant change my mind about x once Ive
  sent the encryption.

65
NP-Completeness

• Remember we can reduce any search problem to
  Coloring.

66
NP-Completeness (cont.)

• y is an encryption of a valid tax return

reduction
67
ZK Proof for Coloring

• Input Collection of circles.
• Magician Knows Coloring using R, B, G
• First, Magician picks random permutation ?
  ?R,B,G? ? ?R,B,G?, and applies to coloring

?
68
ZK Proof (cont.)
69
ZK Proof (cont.)
70
ZK Proof (cont.)
71
ZK Proof Analysis

• Suppose NO valid coloring exists.
• Then at least one pair of connected circles
  where colors equal.
• ?Alice catches Magician cheating with
  probability at least 1/n2.
• Repeat protocol 100 n2 times, ? Alice
  catches Magician cheating almost always!

72
Simulator
73
Simulated ZK Proof
74
ZK Proof Analysis (cont.)

• Only difference between real simulated
• In real life, commitments are to valid
  coloring.
• In simulator, commitments are to invalid
  coloring.
• But commitments are secret, by security of
  encryption scheme.
• ? Simulator output and real life are
  indistinguishable.

75
Wrap-up

• Today we saw some examples illustrating
  techniques from modern cryptography
• Encryption
• Zero Knowledge Proofs