Published by Timothy Perkins. Modified over 8 years ago.

Introduction to Modern Cryptography, Sharif University
Data and Network Security Lab
Sharif University of Technology
Department of Computer Engineering
A Primer on Modern Cryptography (2)
Author & Instructor: Mohammad Sadeq Dousti

Copyright Notice
This set of slides is licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0.
Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as:
1. They credit the original author(s);
2. Their work is used non-commercially;
3. They license their work under CC BY-NC-SA 4.0.
For further information, please consult:
o https://creativecommons.org/licenses/by-nc-sa/4.0
o https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

Outline
o Review of previous session
o Complexity classes P, BPP, and NP
o NP-completeness
o Difficulty of constructing NP-hard cryptographic schemes
o “Definition” vs. “model” in cryptography
o Applications of games in cryptography

Review of previous session
Topics of previous session:
o Introduction: The course at a glance
o Provable security demystified
o Concrete vs. asymptotic approaches to computational security
o A review of theory of computation (algorithms and Turing machines)

Complexity Classes P, BPP, and NP

Complexity & Modern Cryptography
Modern cryptography is based on problems which are:
o Easy to compute for friends;
o Hard to foil for enemies.
The easiness and hardness of problems are formally stated as their complexity.
The study of problems and their complexity lays the foundation of complexity theory.

Problems and Complexity
From elementary school, we feel that multiplication is more complex than addition.
o 96 + 83 = ?
o 96 * 83 = ?
Is this complexity inherent? How can we formalize our feeling?
o We need a model of computation…
o … as well as a measurement for resources.
Let’s pick (deterministic) Turing machines as the model of computation.
Time, (scratch) space, etc. can be resources to be measured.

Family of Problems
Consider a problem with “fixed input”:
o 35 108 = ?
While seemingly complex, this problem can be solved in O(1) by a Turing machine that hard-codes the output.
We have to somehow define a family of problems:
o Each member of the family has fixed input (size).
o There are infinitely many members.
Examples:
o Multiplication of two n-bit numbers, for n ∈ ℕ;
o Decryption of an n-bit RSA, for n ∈ ℕ.

Measuring Intrinsic Complexity
If the type of resource is omitted, time complexity is implied.
(Intrinsic) complexity of a family is a function of the input length.
Example: ADDITION has intrinsic complexity of Θ(n).
o I.e., two n-bit numbers can be added in Θ(n) steps.
Complexity can be stated for worst-, average-, and best-case scenarios.

Types of Problems
Decision Problem: Does the given input belong to a certain set?
o Hamiltonicity: Is graph G a Hamiltonian graph?
o Primality: Is number N a prime?
Search Problem: Find something in the input which satisfies a certain predicate.
o Find a Hamiltonian cycle in graph G.
o Find a prime factor of number N.
Optimization Problem: Find something in the input which maximizes/minimizes a certain function.
o Find the shortest path between two vertices of graph G.
o Find the largest prime factor of N.

Complexity Classes and P
A complexity class is a set of problem families. The intrinsic complexities of the families are related.
Complexity Class P: The set of decision problems that can be solved by a Turing machine in time polynomial in the size of the input.
This is a worst-case complexity class.
o Why?
Example: ADDITION ∈ P.
Non-examples?

Polynomials
n, 6n^12, 1 30n^50 + 100n^200, etc.
In general, denoted as n^O(1) or poly(n).
What’s so special about polynomials?
o Problems with super-polynomial time complexity are considered “hard”.
o Composition: A polynomial-time algorithm can use another polynomial-time algorithm as a subroutine (and invoke it arbitrarily). The composition remains polynomial-time.
o Few natural problems exist with high-degree polynomial time complexity.
o Most high-degree poly-time algorithms for natural problems are later simplified to low-degree poly-time algorithms.
The notion of “easiness” is often associated with polynomial time complexity.
Note: For any polynomial p(n), we can construct an artificial problem with time complexity p(n).

Solving vs. Verification
There are certain problems with the following property: It’s “easy” to verify whether an alleged solution is in fact a solution to the problem.
o It’s easy to be wise after the event.
o It’s easy to be smart after the fact.
o A riddle, once solved, becomes easy!
Images reproduced from GNOME Sudoku.

Class NP
Complexity Class NP: The set of decision problems whose yes-instances can be “easily” verified using a short witness.
Yes-instance: Inputs which belong to the “certain set” in the definition of decision problems.
Easily verified: The verification algorithm has polynomial time-complexity (in n, the size of the input).
Short witness: An auxiliary input, whose length is bounded by a polynomial (in n).

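An added example (not part of the original slides) of the solving/verification gap for Hamiltonicity: the verifier checks a short witness in polynomial time, while the naive solver tries up to (n-1)! orderings. The function names and both sample graphs are constructed for illustration.

```python
from itertools import permutations

def verify_hamiltonian(n, edges, witness):
    """NP verifier: accept iff `witness` orders all n vertices into a cycle
    of the graph. Polynomial time in n; the witness has length n."""
    adj = {frozenset(e) for e in edges}
    if n < 3 or sorted(witness) != list(range(n)):  # each vertex exactly once
        return False
    return all(frozenset((witness[i], witness[(i + 1) % n])) in adj
               for i in range(n))

def solve_hamiltonian(n, edges):
    """Brute-force solver: tries up to (n-1)! orderings, verifying each one.
    Returns (cycle or None, number of candidates tried)."""
    tried = 0
    for rest in permutations(range(1, n)):
        tried += 1
        candidate = (0,) + rest
        if verify_hamiltonian(n, edges, candidate):
            return candidate, tried
    return None, tried

# Constructed sample graphs (not from the slides).
YES_GRAPH = (6, [(0, 3), (3, 1), (1, 5), (5, 2), (2, 4), (4, 0), (0, 1)])
NO_GRAPH = (5, [(0, 1), (1, 2), (2, 3), (3, 4)])  # a path: no Hamiltonian cycle

if __name__ == "__main__":
    print(verify_hamiltonian(*YES_GRAPH, [0, 3, 1, 5, 2, 4]))  # witness accepted
    print(solve_hamiltonian(*YES_GRAPH))
    print(solve_hamiltonian(*NO_GRAPH))   # exhausts all (n-1)! candidates
```

For a no-instance the solver must exhaust every candidate, and there is no short witness the verifier would accept.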
P vs. NP
Class P trivially belongs to class NP, i.e., P ⊆ NP.
o Why?
Is P identical to NP, or are they different classes?
o Perhaps the most important open problem in computer science.
What if P = NP?
o Automated proofs are possible: Proofs are NP-witnesses to the validity of the theorems. If P = NP, not only can proofs be “easily” verified, but they can also be “easily” constructed.
o Cryptography is devastated: Except for a few schemes, all other cryptographic constructs are broken. Why?

Hard & Complete Problems
Problem PROB is hard for complexity class C, if all problems in C can be “easily” solved “using” an algorithm which solves PROB.
Reduction
Algorithm A easily solves a problem p using algorithm B for p, if algorithm A uses B as a subroutine, and solves p after a polynomial number of steps.
o Each invocation of B contributes 1 step in the time complexity of A.
PROB is complete for C if (1) it is hard for C, and (2) it belongs to C.
Complete problems capture the essence of complexity classes.

NP-Completeness
Both complexity classes P and NP admit natural complete problems.
o P-completeness is defined with a different type of reduction.
Sample NP-complete (NPC) problems:
o Hamiltonicity
o Graph 3-coloring (G3C)
o Satisfiability (SAT)
https://en.wikipedia.org/wiki/List_of_NP-complete_problems
What if one NPC problem has a poly-time algorithm?

Current relationships between P, NP, and NPC

Randomness in Computation
Random choices can sometimes speed up computation.
Example: Sampling in statistics

Complexity Class BPP (1)
BPP is similar to complexity class P, but the underlying computational model is probabilistic Turing machines (PTM).
A PTM can perform random computations.
o Formalized by providing the PTM with a random tape.
Consider decision problems. A PTM can err in its final verdict.
o Completeness error: The input belongs to the “certain set”, but the PTM erroneously outputs 0.
o Soundness error: The input doesn’t belong to the “certain set”, but the PTM erroneously outputs 1.
Both errors should be less than ⅓.
o Any constant strictly less than ½ will do.
o Amplification lemma: The errors can be reduced exponentially by repetition and taking majority.

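An added example (not part of the original slides) of the amplification lemma: it computes the exact error of a majority vote over k independent runs and simulates the vote with a noisy decider. The decider, its language ("x is even") and all function names are assumptions made for illustration.

```python
import random
from fractions import Fraction
from math import comb

def majority_error(eps, k):
    """Exact probability that the majority of k independent runs is wrong,
    when each run errs independently with probability eps (k odd)."""
    return sum(comb(k, i) * eps**i * (1 - eps)**(k - i)
               for i in range(k // 2 + 1, k + 1))

def runs_needed(eps, target):
    """Smallest odd k whose majority vote errs with probability <= target.
    Requires eps < 1/2; at eps = 1/2 repetition does not help."""
    k = 1
    while majority_error(eps, k) > target:
        k += 2
    return k

def noisy_decider(x, rng):
    """Constructed stand-in for a PTM: decides 'x is even' but flips its
    verdict with probability 1/3, using rng as the random tape."""
    truth = (x % 2 == 0)
    return truth if rng.random() >= 1 / 3 else not truth

def amplified(x, k, rng):
    """Run the decider k times (k odd) and output the majority verdict."""
    ones = sum(noisy_decider(x, rng) for _ in range(k))
    return ones > k // 2

if __name__ == "__main__":
    third = Fraction(1, 3)
    for k in (1, 3, 5, 21, 101):
        print(k, float(majority_error(third, k)))      # shrinks exponentially
    print("runs for error <= 2^-20:", runs_needed(third, Fraction(1, 2**20)))
    print("eps = 1/2, k = 101:", majority_error(Fraction(1, 2), 101))
    print(amplified(10, 101, random.Random(0)))
```

With per-run error exactly ½ the majority error stays at ½ for every odd k, which is why the constant must be strictly below ½.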
Complexity Class BPP (2)
Complexity Class BPP: The set of decision problems that can be solved by a PTM in time polynomial in the size of the input.
We currently don’t know whether P = BPP or not.
o Derandomization: Removing randomness (or using as little of it as possible) from algorithms.
BPP captures our intuition of efficiently solvable problems.
Fun fact: There are no known complete problems for BPP.

Current relationships between P, BPP, NP, and NPC

Constructing NP-hard cryptographic schemes
Cryptographic schemes are hard on average.
o Example: Consider RSA. On average, when we pick two random primes p and q and compute n = pq, factoring n must be hard.
NP is defined for worst-case problems.
Can we construct a cryptographic scheme with the following property:
o Breaking the scheme is NP-hard?
Pass [Pas06] provided strong evidence that such a reduction does not exist.

“Definition” vs. “Model” In Cryptography

Model
Model; Etymology from American Heritage Dictionary:
o From French modèle, from Italian modello, diminutive of modo, form, from Latin modus, measure, standard.
Model is a “smaller form” of the reality.
o Smaller size
o Fewer details
o More abstract
Image: Model of Karim Khan's Court. Photo taken by M.S. Dousti in Karim Khan’s Castle, Shiraz.

Example of Abstraction in Models (Physics)
Projectile motion
o Friction is abstracted out
Point mass
o The object is zero-dimensional
o All mass is concentrated at one point
o What is abstracted?

Model in Cryptography
In cryptography, a bare minimum model includes the following:
o Model of computation: The underlying model of computation for all parties (including the adversary).
o Adversarial model: The possible interactions between the adversary and other parties, and the type of attacks which can be mounted on honest parties.
In addition, the model can include:
o Execution model: Stand alone, parallel, concurrent, etc.
o Channel model: Authenticated, private, etc.
o Timing model: Synchronous, asynchronous with timeouts, fully asynchronous, etc.
o Infrastructure/trust model: BPK, PKI, CRS, ROM, etc.
o …

Example
A model includes only two parties:
o Honest party F;
o Adversary.
Both parties are polynomial-time PTMs.
The adversary has only one type of interaction (attack) with F:
o The adversary can send the NextBit query to F.
o F responds with 0 or 1.
Note that the model does not define the cryptographic construct in question. In fact, the model can be very general, encompassing multiple security definitions. A model as simple as this is often embedded into the definition itself.

Definitions in Cryptography
A cryptographic definition clarifies and formalizes what is being defined, using both syntax and semantics.
Syntax: The “type” of object that we aim to make.
o Syntax is more concerned with validity/correctness, rather than security.
Semantics: Defines when the scheme is deemed secure. The semantics is often formulated as a “winning condition” for the adversary.
o The scheme is secure if the adversary can satisfy the “winning condition” only with a very small probability.

Example of Syntax
Syntax: A public key encryption scheme is a triple (G, E, D) of efficient algorithms.
o On input 1^n, algorithm G outputs a pair (pk, sk), where |pk|, |sk| ≥ n.
o On input pk and any message m ∈ {0, 1}^n, algorithm E outputs a ciphertext c.
o (Validity) For all n ∈ ℕ, all pairs (pk, sk) in the support of G(1^n), and all messages m ∈ {0, 1}^n, we have D(sk, E(pk, m)) = m with probability 1.

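An added example (not part of the original slides) showing that the syntax constrains validity only, not security: a checker for the validity condition, run on three toy schemes. All scheme and function names are hypothetical, and key pairs are sampled rather than enumerated over the full support of G.

```python
import secrets
from itertools import product

def check_validity(G, E, D, n, keys=8):
    """Check |pk|, |sk| >= n and D(sk, E(pk, m)) == m for every m in {0,1}^n,
    over `keys` sampled key pairs (an approximation of the support of G)."""
    for _ in range(keys):
        pk, sk = G(n)
        if len(pk) < n or len(sk) < n:
            return False
        for m in product((0, 1), repeat=n):      # all 2^n messages
            if D(sk, E(pk, m)) != m:
                return False
    return True

def G_toy(n):
    """Toy key generation: pk and sk are the same random n-bit string."""
    k = tuple(secrets.randbelow(2) for _ in range(n))
    return k, k

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

# Scheme 1: "encryption" is the identity map. Valid, obviously insecure.
def E_id(pk, m): return m
def D_id(sk, c): return c

# Scheme 2: XOR with the public key. Valid, but anyone holding pk decrypts.
def E_xor(pk, m): return xor(pk, m)
def D_xor(sk, c): return xor(sk, c)

# Scheme 3: drops the last message bit. Violates validity.
def E_cut(pk, m): return m[:-1]
def D_cut(sk, c): return c + (0,)

if __name__ == "__main__":
    for name, E, D in (("identity", E_id, D_id), ("xor-pk", E_xor, D_xor),
                       ("truncate", E_cut, D_cut)):
        print(name, check_validity(G_toy, E, D, n=6))
```

Schemes 1 and 2 pass the check although neither hides the message, which is why the definition also needs semantics.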
Semantics in Cryptographic Definitions
Semantics is often stated in one of two flavors:
o Game based
o Simulation based
Game-based definitions are discussed in the first half of this course.
We will turn to simulation-based definitions in the second half of the course.

Applications of Games In Cryptography

Defining Security in Terms of Games
Cryptographic constructs can be seen as “games” played between honest parties on one side, and the adversary on the other side.
A “winning condition” is defined for the adversary.
The construct is deemed secure if and only if the adversary has a negligible probability of winning the game.
How to formalize “negligible” quantity?
o A quantity is negligible if putting together “many” quantities of the same type does not make it one unit!

Analogy: How to Measure a Paper’s Thickness
You cannot quantify one paper’s thickness using a tape measure.
However, given 500 papers, you can easily use a tape measure to quantify a single paper’s thickness.
Can you do the same for an electron?
What’s the difference?

Negligible Quantity

Example of Game-based Definitions
We’ll see real-world examples in the next session…

References
[Gol01] O. Goldreich. Foundations of Cryptography Volume 1: Basic Tools. Cambridge University Press, 2001.
[Pas06] R. Pass. Parallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness. In Proceedings of the 21st Annual IEEE Conference on Computational Complexity (CCC'06), 2006.
[Rog05] P. Rogaway. On the Role of Definitions in and Beyond Cryptography. In Proceedings of the 9th Asian Computing Science Conference on Advances in Computer Science (ASIAN'04), 2005.
[Sho06] V. Shoup. Sequences of Games: A Tool for Taming Complexity in Security Proofs. Cryptology ePrint Archive, 2006. Available from http://eprint.iacr.org/2004/332.