Introduction to Cryptography -- an overview of the course to follow
Yu-Chi Chen, Academia Sinica
Outline
What is cryptography?
What is computation?
Provable crypto approach
Some crypto notions
Historical intro for crypto
Course intro
2015/7/27
Outline: What is cryptography? (revisited)
What is cryptography?
What is cryptography?
Security: real-life examples, purposes, requirements
Protect communication (in wartime)
Outsource private data to a server
…
If we did not care about security, we would not need cryptography.
What is cryptography?
Primitives: encryption, signatures, zero knowledge, …
Applications: use crypto primitives to build other constructions
Extensions: provide more functionality
We have security purposes, so we have cryptography.
Some notions - SKE (symmetric-key encryption)
Sender and receiver share a key K; the same key is used to encrypt and to decrypt.
Some notions - PKE (public-key encryption)
The sender encrypts under the receiver's public key; only the receiver, who holds the matching secret key, can decrypt.
Some notions - Signature
The signer holds the signing key; the verifier holds the verification key and outputs Accept or Reject.
Summer Plan
First three weeks: math, hardness, provable security.
Next three weeks: crypto constructions.
[Informal question] Do you believe your construction is truly secure?
What is provable security?
Recall: ECDLP, encryption, assumption, construction. Is it secure?
To break the construction an attacker may have to solve the assumption (ECDLP), or may find a detour that avoids the assumption altogether and still recovers the message or the key.
What is provable security?
An exact methodology for stating the security definition, and a rigorous proof that the construction satisfies that definition under the assumption.
Outline: What is computation? (interlude)
What is computation?
[Wiki] Computation is any type of calculation that follows a well-defined model, for example an algorithm or a protocol.
An algorithm computes a function f: it takes input x and produces output y.
Efficiency
Input size: |x| = n bits.
[Imagination - complexity] Given poly(n) = n and exp(n) = 2^n, find n' such that for all x > n', exp(x) > poly(x).
Efficient algorithm: time poly(n). Example: integer multiplication x*x, time n^2.
Inefficient algorithm: time exp(n). Example: integer factoring x = ? * ?, time 2^n (no polynomial-time algorithm is known).
Hardness vs. cryptography
Exercise: 9973 * 1009 = ?
Outline: Provable crypto approach
Reduction concept
How to claim a problem A is hard? "Believe me, this is hard" is not an argument.
Problem A, e.g. break the encryption construction.
Find a well-studied hard problem B and link them: prove that B reduces to A (B ≤_p A), i.e. if we can solve A, then we can solve B.
Problem B, e.g. break ECDLP.
Reduction concept
Intuition: "if P then Q" is the same statement as "if not Q then not P".
To argue that A is hard, link it to B by a polynomial-time reduction: assume a poly-time Solver A exists, and build a poly-time Solver B that calls Solver A as a subroutine to produce a solution to B.
Reduction concept
Constructing Solver B compares the hardness of the two problems: if Solver A (break encryption) works, then Solver B (break ECDLP) also works. Since we believe ECDLP is hard, no efficient Solver A can exist.
Cryptography with provable security
Convince people that your product is good, and they will buy.
Four ingredients: definition, assumption, construction, reduction. The reduction plays the role of a warrant: it relates the construction to the assumption.
Flowchart
Definition, construction, assumption, reduction: Algorithm A (attacking the construction) is used to create Algorithm B (attacking the assumption).
Flowchart (example: encryption)
An adversary against the encryption (as specified by the security definition) is turned, by the proof, into an ECDLP breaker.
Defining the security definition is non-trivial; the actual definition is deferred for now.
Crypto with provable security
Definition: two things matter here, the system framework (syntax of the scheme) and the security requirement (security definition).
Crypto with provable security
Assumption: a problem believed hard to solve/break; the best-known algorithm takes too much time (e.g. exponential). Example: ECDLP.
Why do we need assumptions in crypto?
Crypto with provable security
Construction: built to satisfy some security purpose, relying on some hard assumption. Example: encryption based on ECDLP.
Crypto with provable security
Reduction: "Trust me, please!" convinces no one. Informally, a reduction is a way of convincing everyone; formally, the construction is proven secure under the security definition, assuming the assumption holds. The reduction is the warrant.
Reduction
Please remember: there are always two algorithms. Algorithm 1, the adversary, attacks the construction according to the security definition. Algorithm 2, the breaker, runs the adversary as a subroutine to break the assumption.
What is 'break'? (defining 'break')
Think of what the adversary can do (its capabilities) and what the adversary's goal (or purpose) is. Defining a reasonable security definition is non-trivial. Example: PKE vs. IND-CPA.
Security in encryption?
The adversary sees Enc(m) and must learn nothing about m. "The adversary cannot recover the message" (hiding) is too weak: what if the adversary learns whether m is odd or even? How do we define "learn nothing"?
IND-CPA: indistinguishability against chosen-plaintext attack
Special case: bit encryption. The challenger randomly chooses b in {0,1} and sends Enc(b) to the adversary, who may also obtain encryptions of plaintexts of its choice. The adversary outputs b' and wins if b' = b.
Probability discussion: guessing already wins with probability 1/2, so the scheme is secure if no efficient adversary wins with probability noticeably better than 1/2.
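The bit-encryption IND-CPA game described above, run as an added example (this is not code from the lecture) against a constructed toy scheme: a deterministic variant Enc(b) = b XOR k and a randomized variant that uses HMAC-SHA256 as a PRF on a fresh nonce. One chosen-plaintext query, Enc(0), breaks the deterministic scheme with probability 1 while leaving the randomized one at a coin flip. The scheme, the adversary strategy and the seed are all constructed for this demonstration.

```python
import hashlib
import hmac
import random


class ToyBitEncryption:
    """Constructed toy bit-encryption scheme (not a real cipher).

    randomized=False: Enc(b) = b XOR k, where k is one fixed key bit.
                      Fine against a passive observer of a single ciphertext,
                      but deterministic, so every Enc(0) leaks k.
    randomized=True:  Enc(b) = (r, b XOR PRF_k(r)) with a fresh 16-byte r per
                      call; PRF_k is HMAC-SHA256 truncated to one bit.
    """

    def __init__(self, randomized, rng):
        self.randomized = randomized
        self.rng = rng
        # 128-bit key; the deterministic mode only uses its lowest bit
        self.key = rng.getrandbits(128).to_bytes(16, "big")

    def encrypt(self, b):
        if not self.randomized:
            return (b"", b ^ (self.key[-1] & 1))
        r = self.rng.getrandbits(128).to_bytes(16, "big")
        pad = hmac.new(self.key, r, hashlib.sha256).digest()[0] & 1
        return (r, b ^ pad)


def ind_cpa_game(scheme, adversary, rng):
    """One run of the IND-CPA game for bit encryption.

    The challenger picks a hidden bit b and hands the adversary Enc(b) plus an
    encryption oracle (the 'chosen plaintext' power). The adversary outputs b'
    and wins iff b' == b.
    """
    b = rng.getrandbits(1)
    challenge = scheme.encrypt(b)
    guess = adversary(scheme.encrypt, challenge)
    return guess == b


def oracle_adversary(enc_oracle, challenge):
    """Query Enc(0), then XOR its ciphertext bit into the challenge bit.

    Against the deterministic scheme Enc(0) equals the keystream bit, so this
    recovers b exactly; against the randomized scheme the two pads are
    independent and the guess is a coin flip.
    """
    _, c0 = enc_oracle(0)
    _, c = challenge
    return c ^ c0


def win_rate(randomized, trials=2000, seed=2015):
    """Fraction of games won over many independent keys and challenge bits."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    wins = 0
    for _ in range(trials):
        scheme = ToyBitEncryption(randomized, rng)  # fresh key per game
        wins += ind_cpa_game(scheme, oracle_adversary, rng)
    return wins / trials


if __name__ == "__main__":
    print("deterministic scheme, adversary wins:", win_rate(False))  # 1.0
    print("randomized scheme,   adversary wins:", win_rate(True))    # about 0.5
```

The point of the experiment is the definition, not the cipher: the deterministic scheme is a perfect one-time pad against an adversary who only sees the challenge, and it is the oracle access granted by the CPA definition that makes "learn nothing" fail.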
Provable security methodology
Formalize the security definition; build a construction based on assumptions; finally, prove that the construction meets the security definition.
Outline: Some crypto notions
Crypto resources: assumptions
Recall: assumption -> construction. The assumption's hardness gives security; its structure gives functionality.
One crypto research direction: find new assumptions.
Examples: integer factorization; discrete logarithm problem; decisional (and computational) Diffie-Hellman; DLP (DDH and others) in elliptic-curve crypto or pairing-based crypto; lattice problems; …
Pairings give more 'efficient' identity-based encryption (IBE). Lattices can do more!
Why choose lattices?
Powerful, with much crypto research progress based on lattices in the last 10 years: fully homomorphic encryption (FHE), multilinear maps (more powerful than bilinear maps), … (too much; we cannot touch all of it).
Rich structure, geometric intuition, little mathematical background required, easy to understand.
Key exchange (3-party, by bilinear map)
Party i publishes pk_i = g^sk_i. Each party pairs the other two public keys and raises the result to its own secret key:
Key = e(pk2, pk3)^sk1 = e(pk1, pk3)^sk2 = e(pk1, pk2)^sk3 = e(g, g)^(sk1·sk2·sk3).
Key exchange (k-party, by bilinear map)
Sorry, no such solution is known using only a bilinear map.
Key exchange (k-party, by multilinear map)
With a (k-1)-multilinear map, Key = e(pk2, …, pkk)^sk1, so k-party key exchange follows easily.
Homomorphic encryption (HE)
Compute ⨀ over encrypted data, where ⨀ is an operation on ciphertexts.
Multiplicative: RSA encryption, Enc(m1) ⨀ Enc(m2) = Enc(m1 · m2).
Additive: Paillier encryption, Enc(m1) ⨀ Enc(m2) = Enc(m1 + m2).
Can I make RSA do more operations?
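The two homomorphisms on this slide, as an added worked example (not code from the lecture): textbook RSA and Paillier, both keyed with the slide's exercise primes 9973 and 1009 so the numbers stay readable (far too small for real use). The demo also checks the question the slide asks: adding RSA ciphertexts does not add plaintexts, and multiplying Paillier ciphertexts adds rather than multiplies. The messages m1 = 7, m2 = 12 and the random seed are constructed.

```python
import random
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


# ---- textbook RSA: ciphertext product = plaintext product ----
def rsa_keygen(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python >= 3.8
    return (n, e), (n, d)


def rsa_enc(pk, m):
    n, e = pk
    return pow(m, e, n)


def rsa_dec(sk, c):
    n, d = sk
    return pow(c, d, n)


# ---- Paillier with the standard g = n + 1: ciphertext product = plaintext sum ----
def paillier_keygen(p, q):
    n = p * q
    lam = lcm(p - 1, q - 1)
    # With g = n + 1 we have g^lam = 1 + lam*n (mod n^2), so L(g^lam) = lam
    # and the decryption constant is mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n + 1), (n, lam, mu)


def paillier_enc(pk, m, rng):
    n, g = pk
    n2 = n * n
    while True:
        r = rng.randrange(1, n)          # fresh randomness: Paillier is probabilistic
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def paillier_dec(sk, c):
    n, lam, mu = sk
    x = pow(c, lam, n * n)
    L = (x - 1) // n                     # L(x) = (x - 1) / n, exact since x = 1 mod n
    return (L * mu) % n


def homomorphism_demo(m1=7, m2=12, seed=1):
    """Which ciphertext operation decrypts to which plaintext operation?"""
    p, q = 9973, 1009                    # the slide's exercise primes (toy size)
    rng = random.Random(seed)

    pk, sk = rsa_keygen(p, q)
    n = pk[0]
    c1, c2 = rsa_enc(pk, m1), rsa_enc(pk, m2)
    rsa_mult_ok = rsa_dec(sk, c1 * c2 % n) == (m1 * m2) % n        # holds
    rsa_add_ok = rsa_dec(sk, (c1 + c2) % n) == (m1 + m2) % n       # fails

    ppk, psk = paillier_keygen(p, q)
    pn = ppk[0]
    n2 = pn * pn
    d1, d2 = paillier_enc(ppk, m1, rng), paillier_enc(ppk, m2, rng)
    pai_add_ok = paillier_dec(psk, d1 * d2 % n2) == (m1 + m2) % pn        # holds
    pai_scalar_ok = paillier_dec(psk, pow(d1, 5, n2)) == (5 * m1) % pn    # holds
    pai_mult_ok = paillier_dec(psk, d1 * d2 % n2) == (m1 * m2) % pn       # fails

    return {"rsa_mult": rsa_mult_ok, "rsa_add": rsa_add_ok,
            "paillier_add": pai_add_ok, "paillier_scalar": pai_scalar_ok,
            "paillier_mult": pai_mult_ok}


if __name__ == "__main__":
    for name, ok in homomorphism_demo().items():
        print(f"{name:16s} {'holds' if ok else 'fails'}")
```

Each scheme supports exactly one ring operation on ciphertexts (RSA: multiplication, Paillier: addition plus scalar multiplication by repeated squaring), which is the gap fully homomorphic encryption closes on the next slides. Note that textbook RSA is deterministic and therefore cannot be IND-CPA secure in the sense of the earlier slides; Paillier's fresh r per encryption is what gives it semantic security.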
Fully homomorphic encryption
Ideally, compute f over encrypted data for an arbitrary function f.
FHE places no limit on the number of ADD/MULT operations (some earlier "somewhat homomorphic" schemes support only n ADDs and 1 MULT).
The first FHE construction was Gentry's, in 2009 (the original slide writes 2008); before it, no FHE existed.
Applications of FHE
Why do we need FHE? The client sends Enc(input) to a server, the server evaluates the function on the encrypted data and returns Enc(output), and only the client can decrypt to the output.
Outline: Historical intro for crypto (& lattices)
Cryptography is everywhere
Real life is based on cryptography: credit cards, passports, mobile phones, the Internet, …
Most systems are based on the RSA cryptosystem, developed by Rivest, Shamir and Adleman in 1977.
[RSA logo]
Aside on RSA the company: we know what they did (something leaked to the NSA).
Cryptography in wartime
Public-key encryption
RSA; ID-based encryption from the Weil pairing: conceptually simple and more efficient than before.
FHE
In 2009 (the original slide writes 2008), Gentry's FHE from ideal lattices. Ideal lattices: a special class of lattices.
Before that, only a few crypto schemes were based on lattice problems; afterwards, we know how powerful lattices are. Go back to seeking assumptions.
History (lattices)
Geometric objects with rich mathematical structure, of considerable mathematical interest starting from early work by Gauss (1801), Hermite (1850) and Minkowski (1896).
Lattice background (sorry, not covered today or later in the course)
Lattice
For linearly independent vectors v1, …, vn in R^n, the lattice is the set of points L = {a1 v1 + … + an vn | ai integers}. Call v1, …, vn a basis of L.
[Figure: 2-D lattice with basis v1, v2 and the points o, v1 + v2, 2v2, 2v2 - v1, 2v2 - 2v1.]
Lattice
Why do we care about lattices in crypto? Recall again: assumption -> construction.
Lattice hard problem (SVP): given L, find a shortest non-zero vector of L.
The γ-approximate SVP is also hard: given L, find v in L with ||v|| ≤ γ·λ1, where λ1 is the length of a shortest non-zero vector. We will see how hard it is.
Lattice problems seem hard
We'll be interested in γ-approximate SVP.
For γ = poly(n), the best known algorithm runs in time 2^n.
New breakthrough result: exact SVP (γ = 1) in time 2^n.
A polynomial-time algorithm (LLL) solves it for γ = 2^(n log log n / log n).
For γ around n^1.5 we have crypto: constructions are secure as long as approximate SVP with this polynomial γ is hard.
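An added example (not from the lecture) tying together the lattice definition and the SVP discussion: Lagrange-Gauss reduction solves exact SVP in dimension 2 (it is the 2-D ancestor of LLL), a brute-force search over small coefficients confirms the shortest vector, and a unimodular-determinant check shows that two different bases span the same lattice. The skewed basis (19,15), (27,22) is constructed from the nice basis (3,1), (-1,4) by an invented unimodular matrix; integers and Fractions are used throughout so nothing depends on floating-point rounding.

```python
from fractions import Fraction
from itertools import product


def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]


def norm2(v):
    """Squared Euclidean length (integers only, so no rounding anywhere)."""
    return dot(v, v)


def gauss_reduce(b1, b2):
    """Lagrange-Gauss reduction of a 2-D lattice basis.

    Returns a basis (b1, b2) of the same lattice with |b1| <= |b2| and
    2|<b1,b2>| <= |b1|^2; in dimension 2 such a b1 is a shortest non-zero
    vector, i.e. this solves exact SVP (gamma = 1). LLL is the n-dimensional
    generalisation and only guarantees an exponential approximation factor.
    """
    b1, b2 = tuple(b1), tuple(b2)
    if norm2(b1) > norm2(b2):
        b1, b2 = b2, b1
    while True:
        # size-reduce b2 against b1 by the nearest integer multiple
        mu = round(Fraction(dot(b1, b2), norm2(b1)))
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])
        if norm2(b2) >= norm2(b1):
            return b1, b2
        b1, b2 = b2, b1  # b2 became the shorter one: swap and continue


def brute_force_svp(b1, b2, bound=5):
    """Shortest non-zero vector among a1*b1 + a2*b2 with |a_i| <= bound.

    Exhaustive search over coefficients; the search space grows like
    (2*bound+1)^n, which is why this is only a sanity check in dimension 2.
    """
    best = None
    for a1, a2 in product(range(-bound, bound + 1), repeat=2):
        if a1 == 0 and a2 == 0:
            continue
        v = (a1 * b1[0] + a2 * b2[0], a1 * b1[1] + a2 * b2[1])
        if best is None or norm2(v) < norm2(best):
            best = v
    return best


def same_lattice(basis_a, basis_b):
    """True iff the two bases generate the same lattice.

    Writing basis_b in coordinates of basis_a must give an integer matrix of
    determinant +-1 (unimodular); its inverse is then integral as well, so each
    basis generates the other.
    """
    (a1, a2), (b1, b2) = basis_a, basis_b
    det_a = a1[0] * a2[1] - a1[1] * a2[0]
    if det_a == 0:
        return False
    coeffs = []
    for b in (b1, b2):
        # Cramer's rule for x*a1 + y*a2 = b
        x = Fraction(b[0] * a2[1] - a2[0] * b[1], det_a)
        y = Fraction(a1[0] * b[1] - a1[1] * b[0], det_a)
        if x.denominator != 1 or y.denominator != 1:
            return False
        coeffs.append((int(x), int(y)))
    det_c = coeffs[0][0] * coeffs[1][1] - coeffs[0][1] * coeffs[1][0]
    return abs(det_c) == 1


if __name__ == "__main__":
    # Constructed: the 'nice' basis (3,1), (-1,4) transformed by [[7,2],[10,3]]
    bad = ((19, 15), (27, 22))
    good = gauss_reduce(*bad)
    print("reduced basis:", good)                      # ((3, 1), (-1, 4))
    print("shortest vector by brute force:", brute_force_svp(*bad))
    print("same lattice:", same_lattice(bad, good))    # True
```

The reduced first vector has squared length 10, matching the brute-force minimum, so here γ = 1. The gap between "easy in dimension 2" and "2^n in dimension n" is exactly where lattice-based cryptography lives, and it is also the subject of the lattice basis reduction guest lecture announced later in the course.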
Lattice-based cryptography
Recent work identified two key problems: short integer solution (SIS) and learning with errors (LWE). Reductions show they are as hard as (worst-case, approximate) SVP, and they are easy to use for constructing crypto primitives.
Outline: Course intro
Schedule
Learning with errors; secret-key encryption; leftover hash lemma; public-key encryption; fully homomorphic encryption; short integer solution; one-way functions; collision-resistant hash; signatures; advanced topics TBD.
Invited talks
7/31 Hsu-Chun Hsiao (NTU CS). Research: security. Guest lecture: non-cryptographic (or lightly cryptographic) security.
8/5 Po-Chun Kuo (NTU EE). Research: cryptanalysis. Guest lecture: lattice basis reduction and its application -- how to attack lattice-based cryptosystems.
Activities
Paper reading; homework (due one week after it is assigned); five TAs, with office hours 14:00-16:00 (weekdays only); a daily status report to the TAs; final presentation.
Paper list
[GGH15] Graph-Induced Multilinear Maps from Lattices (YC, YL)
[SDS+13] Path ORAM: An Extremely Simple Oblivious RAM Protocol (TH, WK)
[BGV12] Fully Homomorphic Encryption without Bootstrapping (TH, WK, YC)
[CLT14] Scale-Invariant Fully Homomorphic Encryption over the Integers (TH, YC)
[GGH+13] Candidate Indistinguishability Obfuscation and Functional Encryption for All Circuits (CN, WK, YC)
[SW13] How to Use Indistinguishability Obfuscation: Deniable Encryption, and More (WK, YC)
[GKP+13] Reusable Garbled Circuits and Succinct Functional Encryption (WK, YC)
… and prove the security