1 Security through complexity Ana Nora Sovarel
2 Projects Please fill one slot on the signup sheet. One meeting for each group. All members must agree.
3 Turing Machine (figure: finite control)
4 Definition. A Turing Machine is a 7-tuple (Q, Σ, Γ, δ, q_0, q_accept, q_reject) where Q, Σ, Γ are finite sets and 1. Q is the set of states 2. Σ is the input alphabet 3. Γ is the tape alphabet 4. δ : Q × Γ → Q × Γ × {L, R} is the transition function 5. q_0 is the start state 6. q_accept is the accept state 7. q_reject is the reject state, where q_accept ≠ q_reject
5 Nondeterministic Turing Machine (figure: finite control)
6 Definition. A nondeterministic Turing Machine is a 7-tuple (Q, Σ, Γ, δ, q_0, q_accept, q_reject) where Q, Σ, Γ are finite sets and 1. Q is the set of states 2. Σ is the input alphabet 3. Γ is the tape alphabet 4. δ : Q × Γ → P(Q × Γ × {L, R}) is the transition function 5. q_0 is the start state 6. q_accept is the accept state 7. q_reject is the reject state, where q_accept ≠ q_reject
7 More Power? Does nondeterminism affect the power of the Turing Machine? NO – more power would mean it recognizes more languages. But maybe it can do things faster …
8 Complexity Classes. P = decidable in polynomial time by a deterministic TM. NP = decidable in polynomial time by a nondeterministic TM.
9 Reduction. f – polynomial time transformation. What do we know about A and B? A is at most as hard as B (it can be easier if we find another way to solve it). B is at least as hard as A. Diagram: A’s input → f → B’s input → B → Yes/No
10 More definitions … NP-Hard = the set of problems Q such that every problem Q’ in NP is polynomial-time reducible to Q. NP-complete = the problems Q such that Q is NP-Hard and Q is in NP.
11 How do we prove a problem is hard? Let A be a known hard problem. Find a polynomial transformation from A’s input to your problem’s input. Why does it work? –If your problem is easy (P) then we can solve A easily (P). –So A is not hard. Contradiction. Need a hard problem to start with …
12 Cook’s Theorem (’71). SAT is NP-complete. (SAT = given a boolean formula, is it satisfiable?) 3SAT is NP-complete. Example: Φ(x_1, x_2, x_3, x_4) = (x_1 + x_2 + x_3)(x’_1 + x_3 + x_4)
13 Subset Sum. Given a set {x_1, x_2, …, x_n} of integers and an integer t, find {y_1, y_2, …, y_k}, a subset of {x_1, x_2, …, x_n}, such that:
14 Subset Sum. To prove NP-complete: 1. Prove it is in NP – verifiable in polynomial time; give a nondeterministic algorithm. 2. Reduction from a known NP-complete problem to subset sum – reduction from 3SAT to subset sum.
15 Subset Sum is in NP (nondeterministic algorithm; choice(A) nondeterministically picks an element of A):
   sum = 0
   A = {x_1, x_2, …, x_n}
   for each x in A
       y ← choice(A)
       sum = sum + y
       if (sum = t) then success
       A ← A – {y}
   done
   fail
16 Reduction. Goal: Reduce 3SAT to SUBSET-SUM. How: Let Φ be a 3CNF (3-conjunctive normal form) formula. Build an instance (S, t) of the SUBSET-SUM problem such that Φ is satisfiable if and only if there is a subset T of S whose elements sum to t. Prove the reduction is polynomial.
17 1. Algorithm. Input: Φ – 3 conjunctive normal form formula. Variables: x_1, x_2, …, x_l. Clauses: c_1, c_2, …, c_k. Output: S, t such that Φ is satisfiable iff there is T, a subset of S, which sums to t.
18 1. Algorithm (cont.) The table (rows y_i, z_i, g_j, h_j; columns x_1 … x_l, c_1 … c_k; each row read as a decimal number):

          x_1 x_2 … x_l   c_1 c_2 … c_k
   y_1     1   0  …  0     (clause digits: 1 where c_j contains x_1, else 0)
   z_1     1   0  …  0     (clause digits: 1 where c_j contains x’_1, else 0)
   y_2     0   1  …  0     …
   z_2     0   1  …  0     …
   …
   y_l     0   0  …  1     …              (reads as 1 followed by the k clause digits)
   z_l     0   0  …  1     …
   g_1     0   0  …  0     1   0  …  0    (reads as 100…0 = 10^(k-1))
   h_1     0   0  …  0     1   0  …  0
   g_2     0   0  …  0     0   1  …  0    (reads as 10^(k-2))
   h_2     0   0  …  0     0   1  …  0
   …
   g_k     0   0  …  0     0   0  …  1    (reads as 1)
   h_k     0   0  …  0     0   0  …  1
   t       1   1  …  1     3   3  …  3
19 1. Algorithm (cont.) Table entries: (y_i, x_j), (z_i, x_j) – 1 if i = j, 0 otherwise. (y_i, c_j) – 1 if c_j contains the literal x_i, 0 otherwise. (z_i, c_j) – 1 if c_j contains the literal x’_i, 0 otherwise. (g_i, x_j), (h_i, x_j) – 0. (g_i, c_j), (h_i, c_j) – 1 if i = j, 0 otherwise. Each row represents a decimal number. S = {y_1, z_1, …, y_l, z_l, g_1, h_1, …, g_k, h_k}; t is the last row in the table.
20 2. Reduction ‘⇒’. Given a variable assignment which satisfies Φ, find T. 1. If x_i is true then y_i is in T, else z_i is in T. 2. Add g_i and/or h_i to T so that each of the last k digits of the sum of T is 3.
21 3. Reduction ‘⇐’. Given T, a subset of S which sums to t, find a variable assignment which satisfies Φ. 1. If y_i is in T then x_i is true. 2. If z_i is in T then x_i is false.
22 4. Polynomial. Table size is (k+l)² ∈ O(n²).
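As an added worked example (my own code, not from the slides), the construction of (S, t) from the table, both directions of slides 20 and 21, and the polynomial-time certificate check of slide 14, run on the 3SAT example from slide 12. The literal encoding (+i for x_i, −i for x’_i) and all function names are my assumptions.

```python
# Added example, not the slides' code: the 3SAT -> SUBSET-SUM table, both directions
# of the correctness argument, and the NP certificate check. A literal is +i for x_i
# and -i for x'_i, so the slides' formula is clauses = [[1, 2, 3], [-1, 3, 4]].

def decimal_row(l, k, var_pos=None, clause_pos=()):
    """One table row: l variable digits then k clause digits, read as a decimal number."""
    digits = [0] * (l + k)
    if var_pos is not None:
        digits[var_pos - 1] = 1
    for j in clause_pos:
        digits[l + j - 1] = 1
    return int("".join(map(str, digits)))

def reduce_3sat_to_subset_sum(l, clauses):
    """Return (S, t): S maps the row labels y_i, z_i, g_j, h_j to their values."""
    k = len(clauses)
    S = {}
    for i in range(1, l + 1):
        S["y%d" % i] = decimal_row(l, k, i, [j for j, c in enumerate(clauses, 1) if i in c])
        S["z%d" % i] = decimal_row(l, k, i, [j for j, c in enumerate(clauses, 1) if -i in c])
    for j in range(1, k + 1):   # g_j, h_j only carry a 1 in clause column j
        S["g%d" % j] = decimal_row(l, k, None, [j])
        S["h%d" % j] = decimal_row(l, k, None, [j])
    # A column sums to at most 3 + 2 = 5 < 10, so the decimal digits never carry.
    t = int("1" * l + "3" * k)
    return S, t

def certificate_check(S, T, t):
    """The NP verifier for SUBSET-SUM: labels in T exist in S and their values sum to t."""
    return set(T) <= set(S) and sum(S[name] for name in T) == t

def subset_from_assignment(clauses, assignment):
    """Slide 20: from a satisfying assignment {i: bool} build T; None if Phi is falsified."""
    T = ["y%d" % i if value else "z%d" % i for i, value in sorted(assignment.items())]
    for j, c in enumerate(clauses, 1):
        true_lits = len({lit for lit in c if assignment[abs(lit)] == (lit > 0)})
        if true_lits == 0:
            return None                       # clause column j could only reach 2, not 3
        T += ["g%d" % j, "h%d" % j][:3 - true_lits]   # pad column j from true_lits up to 3
    return T

def assignment_from_subset(T):
    """Slide 21: y_i in T means x_i is true, z_i in T means x_i is false."""
    return {int(name[1:]): name[0] == "y" for name in T if name[0] in "yz"}

if __name__ == "__main__":
    clauses = [[1, 2, 3], [-1, 3, 4]]          # Phi from slide 12, l = 4 variables
    S, t = reduce_3sat_to_subset_sum(4, clauses)
    T = subset_from_assignment(clauses, {1: True, 2: False, 3: True, 4: False})
    print(t, T, certificate_check(S, T, t))   # -> 111133 ['y1', 'z2', 'y3', 'z4', 'g1', 'g2', 'h2'] True
```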
23 Back to cryptology. P = NP is still an open question. Factorization is not known to be NP-complete. Idea: a cipher based on a known NP-complete problem.
24 Knapsack Cipher. Public Key: {a_1, a_2, …, a_n}, a set of integers. Plain Text: x_1 … x_n. Cipher Text: [Merkle and Hellman, ’78]
25 Decryption. Based on an easier problem: {a_1, a_2, …, a_n} is a superincreasing sequence.
26 Linear Time Decryption. x_n = 1 iff
   Solve it recursively on {a_1, a_2, …, a_{n-1}} and s – x_n a_n.
27 How to build the keys? Modular multiplication (Merkle and Hellman). Start with a superincreasing sequence {b_1, b_2, …, b_n}.
   Choose M and W such that
   Compute {a_1, a_2, …, a_n} such that
28 Decryption. c = (s W^{-1}) mod M, where (W^{-1} W) mod M = 1. Solve the subset sum problem with the superincreasing sequence {b_1, b_2, …, b_n} and sum c.
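An added worked example of slides 24 to 28 (my own code, not Merkle and Hellman’s or the slides’): key generation by modular multiplication, encryption, and the linear-time decryption over the superincreasing sequence. The key values are constructed toy numbers chosen only to make the arithmetic checkable by hand.

```python
# Added example, not the slides' code: Merkle-Hellman key generation, encryption and
# the linear-time decryption on a superincreasing sequence. The numbers are constructed
# toy values (n = 8); real keys use the much larger b_i, M and W the slides discuss.
from math import gcd

def is_superincreasing(b):
    """Each element exceeds the sum of all elements before it."""
    total = 0
    for x in b:
        if x <= total:
            return False
        total += x
    return True

def make_keys(b, M, W):
    """Public key a_i = (W * b_i) mod M; M must exceed sum(b) and W must be invertible mod M."""
    if not (is_superincreasing(b) and M > sum(b) and gcd(W, M) == 1):
        raise ValueError("bad key parameters")
    return [(W * bi) % M for bi in b], (b, M, W)

def encrypt(public, bits):
    """Ciphertext s = sum of the a_i selected by the plaintext bits x_1 .. x_n."""
    return sum(ai for ai, x in zip(public, bits) if x)

def solve_superincreasing(b, s):
    """Linear-time subset sum: x_n = 1 iff s >= b_n, then recurse on b_1..b_{n-1} with s - x_n b_n."""
    x = [0] * len(b)
    for i in range(len(b) - 1, -1, -1):
        if s >= b[i]:
            x[i] = 1
            s -= b[i]
    if s != 0:
        raise ValueError("not a valid ciphertext for this key")
    return x

def decrypt(private, s):
    """c = s * W^-1 mod M turns the hard public instance into the easy private one."""
    b, M, W = private
    c = (s * pow(W, -1, M)) % M
    return solve_superincreasing(b, c)

# Constructed toy key: superincreasing b, M = 491 > sum(b) = 484, W = 41 coprime to M.
B_SECRET = [2, 3, 7, 14, 30, 57, 120, 251]
PUBLIC, PRIVATE = make_keys(B_SECRET, 491, 41)

if __name__ == "__main__":
    s = encrypt(PUBLIC, [1, 0, 1, 1, 0, 0, 1, 0])
    print(PUBLIC, s, decrypt(PRIVATE, s))   # the public key is no longer superincreasing
```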
29 Trade offs. b_i large: M large, n bits encoded with log_2 M bits. b_i small: easy to break. –If b_i = 1 then a_i = W. –Break in O(n). Merkle and Hellman recommended: b_1 ≈ 2^n, b_n ≈ 2^{2n}
30 Evaluation. + speed (100 times faster than RSA). – needs twice the communication capacity (m bits encoded into approximately 2m bits). – larger public key (2n² bits, 20,000 for n = 100; RSA – 500). ? security
31 Knapsack Cipher – Summary. Secret: –superincreasing sequence {b_1, b_2, …, b_n} –M –W. Public: –{a_1, a_2, …, a_n}. Remember:
32 Shamir’s break (’82). Based on the choice of a superincreasing sequence and the linear transformation used to generate the public key. What do we need to guess? (Only one of W and M is enough)
33 Shamir’s break (cont.) Given the public key {a_1, a_2, …, a_n}, find M and W such that (a_i W) mod M is a superincreasing sequence.
   b_1 = (a_i W) mod M
   b_1 = a_i W + k_1 M
   b_1 / (M a_i) = W/M + k_1 / a_i
   b_2 / (M a_j) = W/M + k_2 / a_j
   b_1 / (M a_i) – b_2 / (M a_j) = k_1 / a_i – k_2 / a_j
   |k_1 / a_i – k_2 / a_j| < 2^{-3n}
34 Shamir’s break (cont.) Now a lot of math follows … Main steps: –Find the k_i’s, which gives an approximation of W/M. –Find a pair W’/M’ close to W/M which generates a superincreasing sequence. –W’, M’ and the superincreasing sequence are different from the secret key.
35 A little bit of history. Some knapsack cryptosystems were broken by the late ’70s. ’82 – polynomial time break against the singly iterated Merkle-Hellman cryptosystem [Shamir]. ’85 – break against the multiply iterated Merkle-Hellman cryptosystem [Brickell]. Low density knapsack [Brickell, Lagarias and Odlyzko]. Most knapsack cryptosystems broken. Few resisted – Chor-Rivest (’85).
36 Conclusion. Computer Science doesn’t yet have adequate tools to prove a problem is hard. We can base ciphers on ‘known’ hard problems like subset sum. We have to be careful: –NP-complete means it is hard to get the right answer to all instances. –To break a cipher, one only needs to probabilistically get close to the right answer for specific instances most of the time.