Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography and Complexity at the Weizmann Institute

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography and Complexity at the Weizmann Institute"— Presentation transcript:

1 Cryptography and Complexity at the Weizmann Institute
Moni Naor מוני נאור Weizmann Institute of Science Open Day February 2005

2 Computational Complexity Theory
Study the resources needed to solve computational problems Computer time Computer memory Communication Parallelism Randomness Identify problems that are infeasible to compute by any reasonable machine Taxonomy: classify problems into classes with similar properties wrt the resource requirements Help find the most efficient algorithm for a problem A computational problem: multiplying two numbers, selecting a move in a chess position Find the shortest tour visiting all cities P=NP?

3 What is Cryptography? Traditionally: how to maintain secrecy in communication Alice and Bob talk while Eve tries to listen Alice Bob Eve

4 History of Cryptography
Very ancient occupation Biblical times - איך נלכדה ששך ותתפש תהלת כל הארץ איך היתה לשמה בבל בגויים Egyptian Hieroglyphs Unusual ones ... Many interesting books and sources, especially about the Enigma (WW2)

5 Modern Times Up to the mid 70’s - mostly classified military work Since then - explosive growth Commercial applications Scientific work: tight relationship with Computational Complexity Theory Recently - more involved models for more diverse tasks. How to maintain the secrecy, integrity and functionality in computer and communication system. Prevalence of the Internet: Cryptography is in the news (daily!) Cryptography is relevant to ``everyone” - security and privacy issues for individuals

6 Cryptographic Research
Complexity Theory - Study the resources needed to solve computational problems computer time, memory Identify problems that are infeasible to compute. Cryptography - Find ways to specify security requirements of systems Use the computational infeasibility of problems in order to obtain security. The development of these two areas is tightly connected! “A match made in heaven”

7 Faculty members in Cryptography and Complexity
Prof. Uri Feige Prof. Oded Goldreich Prof. Shafi Goldwasser Prof. Moni Naor Dr. Omer Reingold Prof. Ran Raz Prof. Adi Shamir אורי פייגה עודד גולדרייך שפי גולדווסר מוני נאור עומר ריינגולד רן רז עדי שמיר One of the most active groups in the world!

8 Authentication One of the fundamental tasks of cryptography
Alice (sender) wants to send a message m to Bob (receiver). They want to prevent Eve from interfering Bob should be sure that the message m’ he receives is indeed the message m Alice sent. Alice Bob Eve

9 Authentication and Non-Repudiation
Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to third party - Non-repudiation. Provided Alice (the sender) has a unique public key Essential to contract signing, e-commerce… First implementation: Rivest, Shamir and Adleman 1977 Digital Signatures: last 25 years major effort in Research Notions of security Computationally efficient constructions Technology, Infrastructure (PKI), Commerce, Legal Turing Award 2003 Existential Unforgeability under an adaptive message attack

10 Is non-repudiation always desirable?
Not necessarily so: Privacy of conversation, no (verifiable) record. Do you want everything you ever said to be held against you? If Bob pays for the authentication, shouldn't be able to transfer it for free Alternative: (Plausible) Deniability If the recipient (or any recipient) could have generated the conversation himself or an indistinguishable one Key concept in cryptography and complexity

11 Deniable Authentication
Setting: Sender has a public key known to receiver Want to come up with an (perhaps interactive) authentication scheme such that the receiver keeps no receipt of conversation. This means: Any receiver could have generated the conversation itself. There is a simulator that for any message m and verifier V* generates an indistinguishable conversation. This property is known as Zero-Knowledge! An example where zero-knowledge is the ends, not the means! Proof of security consists of Unforgeability and Deniability Yet another WIS concept

12 Ring Signatures and Authentication
Can we keep the sender anonymous? Idea: prove that the signer is a member of an ad hoc set Other members do not cooperate Use their `regular’ public-keys Encryption Should be indistinguishable which member of the set is actually doing the authentication Bob Alice? Eve

13 Deniable Ring Authentication
Completeness: a good sender and receiver complete the authentication on any message m Unforgeability Existential unforgeable against adaptive chosen message attack for any sequence of messages m1, m2,… mk Adversarially chosen in an adaptive manner Even if sender authenticates all of m1, m2,… mk Probability forger convinces receiver to accept a m{ m1, m2,… mk } is negligible Properties of an interactive authentication scheme

14 Deniable Ring Authentication
Deniability For any verifier, for any arbitrary set of keys, some good some bad, there is simulator that can generate computationally indistinguishable conversations. A more stringent requirement: statistically indistinguishable Source Hiding: For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys Source Hiding and Deniability – incomparable

15 Encryption Assume a public key encryption scheme E
Plaintext Assume a public key encryption scheme E Public key PK – knowing PK can encrypt message m generate Y=E(PK , m, r) With corresponding secret key PS, given Y can retrieve m m =D(PS , Y) Encryption process is probabilistic Each message induces a distribution on the ciphertexts Security of encryption scheme: non-malleable against chosen ciphertext attacks in the post-processing mode. In particular given Y=E(PK, m, r) hard to generate Y’=E(PK, m’, r’) for a related message m’ Example of a very malleable scheme: one-time pad Ciphertext

16 A Public Key Authentication Protocol
P has a public key PK of an encryption scheme E. To authenticate a message m: V  P : Choose x R {0,1}n. Send Y=E(PK, m°x , r) P  V : Verify that prefix of plaintext is indeed m. If yes - send x. V accepts iff the received x’=x Is it Unforgeable? Is it Deniable?

17 There are encryption schemes satisfying the desired requirements
Security of the scheme Unforgeability: depends on the strength of E Sensitive to malleability: if given E(PK, m°x, r) can generate E(PK, m’°x’, r) where m’ is related to m and x’ is related to x then can forge. The protocol allows a chosen ciphertext attack on E. Even of the post-processing kind! Can prove that any strategy for existential forgery can be translated into a CCA strategy on E Works even against concurrent executions. Deniability: does V retain a receipt?? It does not retain one for an honest V Need to prove knowledge of x There are encryption schemes satisfying the desired requirements

18 Simulator for honest receiver
Choose x R {0,1}n. Output: hY=E(PK, m°x, r), x, ri Has exactly the same distribution as a real conversation when the verifier is following the protocol Statistical indistinguishability Verifier might cheat by checking whether certain ciphertext have as a prefix m No known concrete way of doing harm this way

19 Encryption as Commitment
When the public key PK is fixed and known Y=E(PK, x, r) can be seen as commitment to x To open x reveal r, the random bits used to create Y Perfect binding: from unique decryption For any Y there are no two different x and x’ and r and r’ s.t. Y=E(PK, x, r) =E(PK, x’, r’) Secrecy: no information about x is leaked to those not knowing private key PS

20 Does not want to reveal it yet
Deniable Protocol P has a public key PK of an encryption scheme E. To authenticate message m: V  P: Choose xr{0,1}n. Send Y=E(PK, m°x , r) P  V: Send E(PK, x, t) V  P: Send x and r - opening Y=E(PK, m°x, r) P  V: Open E(PK, x , t) by sending t. P commits to the value x. Does not want to reveal it yet

21 Security of the scheme Unforgeability: as before - depends on the strength of E can simulate previous scheme (with access to D(PK , . )) Important property: E(PK, x, t) is a non-malleable commitment (wrt the encryption) to x. Deniability: can run simulator: Extract x by running with E(PK, garbage, t) and rewinding Expected polynomial time Need the semantic security of E - it acts as a commitment scheme

22 Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set Other members do not cooperate Use their `regular’ public-keys Should be indistinguishable which member of the set is actually doing the authentication Bob Alice? Eve

23 Ring Authentication Setting
A ring is an arbitrary set of participants including the authenticator Each member i of the ring has a public encryption key PKi Only i knows the corresponding secret key PSi To run a ring authentication protocol both sides need to know PK1, PK2, …, PKn the public keys of the ring members ...

24 An almost Good Ring Authentication Protocol
Ring has public keys PK1, PK2, …, PKn of encryption scheme E To authenticate message m with jth decryption key PSj: V  P: Choose x {0,1}n. Send E(PK1, m°x, r1), E(PK2, m°x, r2), …, E(PKn, m°x, rn) P  V: Decrypt E(PKj, m°x, rj), using PSj and Send E(PK1, x, t1), E(PK2, x, t2), …, E(PKn, x, tn) V  P: open all the E(PKi, m°x, ri) by Send x and r1, r2 ,… rn P  V: Verify consistency and open all E(PKi, x, ti) by Send t1, t2 ,… tn Problem: what if not all suffixes (x‘s) are equal

25 The Ring Authentication Protocol
Ring has public keys PK1, PK2, …, PKn of encryption scheme E To authenticate message m with jth decryption key PSj: V  P: Choose x {0,1}n. Send E(PK1, m°x, r1), E(PK2, m°x, r2), …, E(PK1, m°x, rn) P  V: Decrypt E(PKj, m°x, rj), using PSj and Send E(PK1, x1, t1), E(PK2, x2, t2), …, E(PKn, xn, tn) Where x=x1+x2 +  xn V  P: open all the E(PKi, m°x, ri) by Send x and r1, r2 ,… rn P  V: Verify consistency and open all E(PKi, x, ti) by Send t1, t2 ,… tn and x1, x2 ,…, xn

26 Properties of the Scheme
Works with any good encryption scheme - members of the ring are unwilling participants. Fairly efficient scheme: Need n encryptions n verifications and one decryption Can extend the scheme so that convince a verifier that At least k members confirm the message. What are the social implications of the existence of ring authentication?

27 Summary Cryptography and Complexity are very active research areas
Research activities in the areas range from providing firm foundations to the construction of methods providing actual constructions and analysis for specific needs. Many unexpected results...

28 E(PK1, x1, t1), E(PK2, x2, t2),…,E(PK1, xn, tn)
Security of the scheme Unforgeability: as before (assuming all keys are well chosen) since E(PK1, x1, t1), E(PK2, x2, t2),…,E(PK1, xn, tn) where x=x1+x2 + L xn is a non-malleable commitment to x Source Hiding: which key was used (among well chosen keys) is Computationally indistinguishable during protocol Statistically indistinguishable after protocol If ends successfully Deniability: Can run simulator `as before’

Download ppt "Cryptography and Complexity at the Weizmann Institute"

Similar presentations

Foundations of Cryptography Lecture 1 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 1 Lecturer: Moni Naor.
Moni Naor מוני נאור Cryptography and Sudoku

Moni Naor מוני נאור Cryptography and Sudoku
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Foundations of Cryptography Lecture 14: Malleability, Chosen Ciphertext Attacks, Cramer-Shoup Cryptosystem Lecturer: Moni Naor.

Foundations of Cryptography Lecture 14: Malleability, Chosen Ciphertext Attacks, Cramer-Shoup Cryptosystem Lecturer: Moni Naor.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Topics in Cryptography Lecture 6 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.

Topics in Cryptography Lecture 6 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.
Foundations of Cryptography Lecture 13: Zero-Knowledge Variants and Applications Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13: Zero-Knowledge Variants and Applications Lecturer: Moni Naor.

Similar presentations

Ads by Google