Where Complexity Finally Comes In Handy… Cryptography Where Complexity Finally Comes In Handy… Complexity ©D.Moshkovitz
The Amazing Adventures of Alice and Bob extremely secret message Alice Bob eavesdropper Complexity ©D.Moshkovitz
Introduction Objectives: Overview: PAP 279-298 Introduction Objectives: To introduce the subject of cryptography and its tight connection to complexity Overview: Public key cryptography One-Way Functions and Trapdoor functions RSA Complexity ©D.Moshkovitz
E(e, ) D(d, ) Intuitive Approach Alice Bob encoding key decoding key extremely secret message Alice Bob eavesdropper Complexity ©D.Moshkovitz
Simple Implementation: Just XOR! Problem! Agree first on some random string e. e e ( ) extremely secret message Alice Bob eavesdropper Complexity ©D.Moshkovitz
Solution: Public-Key Cryptosystems Bob generates a pair of keys Publishes E Keeps D private Bob E(x) D(y) Complexity ©D.Moshkovitz
Encryption: Requirements “Easy” (so everyone can send Bob encrypted messages) “Hard to invert” (so no one can break the encryption) Complexity ©D.Moshkovitz
One-Way Functions: Formally SIP 375 One-Way Functions: Formally Definition: A length preserving function f is a one-way function if: f is computable in polynomial time. f-1 cannot be computed in probabilistic polynomial time, i.e some textbooks demand f is one-to-one Complexity ©D.Moshkovitz
One-Way M inverts f correctly on at most n-k of the inputs For sufficiently large natural n M inverts f correctly on at most n-k of the inputs For any Turing Machine M For any natural constant k Probability taken over: choices made by M random selection of w Complexity ©D.Moshkovitz
Applications: Authentication Many users may login to a network Each user has a password The database can be read by everyone Problem: secure authentication Complexity ©D.Moshkovitz
How to Authenticate Using OWF? One-Way Function Encrypt each password with a OWF. Store only the encrypted password. When this user tries to login… Encrypt the password she entered Compare to the stored password MyPass1234 2iB>S\]1%^o MyPass1234 2iB>S\]1%^o Complexity ©D.Moshkovitz
Do One-Way Functions Exist? Believed to… OWF P≠NP. Complexity ©D.Moshkovitz
Do One-Way Functions Suffice? Problem: How would Bob generate D(y)? D is so hard, I don’t know how to compute it myself… Bob Complexity ©D.Moshkovitz
Trapdoor Functions … probabilistic polynomial-time TM f1 f2 index f3 G family of functions which are hard to invert probabilistic polynomial-time TM f1 f2 index G f3 … the key to invert that function Complexity ©D.Moshkovitz
Trapdoor Functions : Formally SIP 376-377 Trapdoor Functions : Formally Definition: A length preserving indexing function f:** * is a trapdoor function, if there exist a poly-time TM G a function h:** * which satisfy: f(i,w)=fi(w) <index, key> generator decoder Complexity ©D.Moshkovitz
Trapdoor Functions : Formally SIP 376-377 Trapdoor Functions : Formally f and h are computable in polynomial time. “fi is hard to invert in the absence of t” “fi is easy to invert when t is known” <i,t> is output by G Complexity ©D.Moshkovitz
RSA A public-key cryptosystem developed by Rivest, Shamir and Adleman. Based on the (conjectured) hardness of factoring. Complexity ©D.Moshkovitz
Plan Prime numbers: basic facts and recent results. Euler’s function. Description of the RSA cryptosystem. Complexity ©D.Moshkovitz
PRIMES Instance: A number in binary representation. Problem: To decide if this number is prime. Yes instance: 10111 No instance: 10110 Complexity ©D.Moshkovitz
Is PRIMES in P ?! What’s the problem with the following trivial algorithm? Input: a number N Output: is N prime? for i in 2..N do for j in 2..N do if i*j=N, return FALSE return TRUE Complexity ©D.Moshkovitz
Prime Numbers Fact 1: There are many prime numbers (k/log k in the range [k]={1,…,k}) Fact 2: ([AKS02]) Primality testing can be done in time polynomial in log k. Question: How to choose a random prime in [k] in time poly-log k? Complexity ©D.Moshkovitz
Expected time: O(polylogk) Picking a Random Prime [k] while didn’t-find-one choose x R [k] if x PRIMES return x uniformly at random primes Expected time: O(polylogk) Complexity ©D.Moshkovitz
If PrxR[k] [xS] > XS≠ De-Randomization By Alon et Al and Naor and Naor, there’s a deterministic construction X of O(logk/2) numbers in [k] which is -close to uniform. By using it with < log-1k, we can obtain O(polylogk) run-time (not just expectedly!) If PrxR[k] [xS] > XS≠ Complexity ©D.Moshkovitz
Observe: For any prime p, (p)={1,...,p-1} Euler’s Function (n) = { m | 1 m < n AND gcd(m,n)=1 } Euler’s function: (n)=|(n)| Example: (12)={1,2,3,4,5,6,7,8,9,10,11} (12)=4 Observe: For any prime p, (p)={1,...,p-1} Complexity ©D.Moshkovitz
Therefore: Dd(EN,e(m)) m (mod N) RSA To encrypt a message, write it as a number m, and compute EN,e(m) = me (mod N) To decrypt a cipher text c, compute Dd(c) = cd (mod N) Now for (almost) any m, med m (mod N) And therefore: (me)d m (mod N) Therefore: Dd(EN,e(m)) m (mod N) Complexity ©D.Moshkovitz
The Public and Private Keys Choose two long random prime numbers p, q set N = pq Randomly choose an odd number e s.t: 1 < e < (N) gcd(e, (N)) = 1 Let d be the inverse of e, namely ed 1 (mod (n)) Public key: <N, e> ; Private key: d Compute d using Euclid’s gcd algorithm Complexity ©D.Moshkovitz
Summary We presented the notion of Public Key Cryptosystems and its well-known implementation, RSA. We examined some of the underlying assumptions of cryptography: Existence of one-way functions Existence of trapdoor functions These assumptions are stronger than the standard complexity assumption P≠NP. Complexity ©D.Moshkovitz