1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…

2 Complexity ©D.Moshkovitz The Amazing Adventures of Alice and Bob AliceBob extremely secret message eavesdropper

3 Complexity ©D.Moshkovitz Introduction Objectives: –To introduce the subject of cryptography and its tight connection to complexity Overview: –Public key cryptography –One-Way Functions and Trapdoor functions –RSA PAP

4 Complexity ©D.Moshkovitz Intuitive Approach AliceBob extremely secret message eavesdropper E(e, )D(d, ) encoding key decoding key

5 Complexity ©D.Moshkovitz Simple Implementation: Just XOR! Agree first on some random string e. AliceBob eavesdropper e  e  ( ) extremely secret message Problem!

6 Complexity ©D.Moshkovitz Solution: Public-Key Cryptosystems Bob generates a pair of keys Publishes E Keeps D private Bob E(x) D(y)

7 Complexity ©D.Moshkovitz Encryption: Requirements “Easy” (so everyone can send Bob encrypted messages) “Hard to invert” (so no one can break the encryption)

8 Complexity ©D.Moshkovitz One-Way Functions: Formally Definition: A length preserving function f is a one- way function if: 1.f is computable in polynomial time. 2.f -1 cannot be computed in probabilistic polynomial time, i.e SIP 375 some textbooks demand f is one-to-one

9 Complexity ©D.Moshkovitz One-Way For any Turing Machine M For any natural constant k For sufficiently large natural n Probability taken over: choices made by M random selection of w M inverts f correctly on at most n -k of the inputs

10 Complexity ©D.Moshkovitz Applications: Authentication Many users may login to a network Each user has a password The database can be read by everyone Problem: secure authentication

11 Complexity ©D.Moshkovitz How to Authenticate Using OWF? Encrypt each password with a OWF. Store only the encrypted password. When this user tries to login… –Encrypt the password she entered –Compare to the stored password One-Way Function MyPass1234 2iB>S\]1%^o MyPass1234

12 Complexity ©D.Moshkovitz Do One-Way Functions Exist? Believed to… OWF  P≠NP.

13 Complexity ©D.Moshkovitz Do One-Way Functions Suffice? Problem: How would Bob generate D(y)? Bob D is so hard, I don’t know how to compute it myself…

14 Complexity ©D.Moshkovitz Trapdoor Functions f1f1 f2f2 f3f3 … G index family of functions which are hard to invert probabilistic polynomial-time TM the key to invert that function

15 Complexity ©D.Moshkovitz Trapdoor Functions : Formally Definition: A length preserving indexing function f:  *  *   * is a trapdoor function, if there exist a poly-time TM G a function h:  *  *   * which satisfy: SIP f(i,w)=f i (w) <index, key> generator decoder

16 Complexity ©D.Moshkovitz Trapdoor Functions : Formally 1.f and h are computable in polynomial time. 2. “f i is hard to invert in the absence of t” 3.“f i is easy to invert when t is known” SIP <i,t> is output by G

17 Complexity ©D.Moshkovitz RSA A public-key cryptosystem developed by Rivest, Shamir and Adleman. Based on the (conjectured) hardness of factoring.

18 Complexity ©D.Moshkovitz Plan 1.Prime numbers: basic facts and recent results. 2.Euler’s function. 3.Description of the RSA cryptosystem.

19 Complexity ©D.Moshkovitz PRIMES Instance: A number in binary representation. Problem: To decide if this number is prime Yes instance: No instance:10110

20 Complexity ©D.Moshkovitz Is PRIMES in P ?! What’s the problem with the following trivial algorithm? Input: a number N Output: is N prime? for i in 2..  N do for j in 2..  N do if i*j=N, return FALSE return TRUE

21 Complexity ©D.Moshkovitz Prime Numbers Fact 1: There are many prime numbers (k/log k in the range [k]={1,…,k}) Fact 2: ([AKS02]) Primality testing can be done in time polynomial in log k. Question: How to choose a random prime in [k] in time poly-log k?

22 Complexity ©D.Moshkovitz Picking a Random Prime while didn’t-find-one –choose x  R [k] –if x  PRIMES return x [k] primes uniformly at random Expected time: O(polylogk)

23 Complexity ©D.Moshkovitz De-Randomization By Alon et Al and Naor and Naor, there’s a deterministic construction X  of O(logk/  2 ) numbers in [k] which is  -close to uniform. By using it with  < log -1 k, we can obtain O(polylogk) run-time (not just expectedly!) If Pr x  R [k] [x  S] >   X   S≠ 

24 Complexity ©D.Moshkovitz Euler’s Function  (n) = { m | 1  m < n AND gcd(m,n)=1 } Euler’s function:  (n)=|  (n)|  (12)={1,2,3,4,5,6,7,8,9,10,11}  (12)=4 Example: Observe: For any prime p,  (p)={1,...,p-1}

25 Complexity ©D.Moshkovitz RSA To encrypt a message, write it as a number m, and compute E N,e (m) = m e (mod N) To decrypt a cipher text c, compute D d (c) = c d (mod N) Now for (almost) any m, –m ed  m (mod N) –And therefore: (m e ) d  m (mod N) Therefore: D d (E N,e (m))  m (mod N)

26 Complexity ©D.Moshkovitz The Public and Private Keys Choose two long random prime numbers p, q –set N = pq Randomly choose an odd number e s.t: –1 < e <  (N) –gcd(e,  (N)) = 1 Let d be the inverse of e, namely ed  1 (mod  (n)) Public key: ;Private key: d Compute d using Euclid’s gcd algorithm

27 Complexity ©D.Moshkovitz Summary We presented the notion of Public Key Cryptosystems and its well-known implementation, RSA. We examined some of the underlying assumptions of cryptography: –Existence of one-way functions –Existence of trapdoor functions These assumptions are stronger than the standard complexity assumption P≠NP. 