
CRYPTOGRAPHY AND NP-HARDNESS Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016.




1 CRYPTOGRAPHY AND NP-HARDNESS Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016

2 What these talks are about
Apply insights from computational complexity to understand the nature of cryptographic hardness.
Such insights have not (yet) led to attacks on real cryptosystems…
…but they hopefully explain why things do get broken sometimes.

3 How hard is it to break encryption?
[Figure: Alice sends Bob a bit string (0100100111101010 …) that Bob decrypts to “The quick brown fox jumped over the lazy dog.” Eve sits on the channel and sees only the bits.]

4 How hard is it to break encryption?
[Figure: Alice encrypts message m under key k and sends ciphertext c to Bob; Eve observes c.]
Eve wants to find k, m so that Alice(k, m) = c.
She can do it if she is given enough time!

5 NP problems
Problems whose solutions are easy to verify... may or may not be easy to find!
Example 1: EQUATIONS
99925x + 4452y + 40736z = 10115057624
33778x + 9835y + 78751z = 3953653349
12512x + 83072y + 45040z = 5072747520
62862x + 75873y + 39538z = 9681080527
Solution: x = 98220, y = 44935, z = 2464

6 NP problems
Example 2: FACTORING
p ∙ q = 21063855906995023, p, q > 1
Solution: p = 102385783, q = 205730281

7 NP problems
Example 3: SUBSET-SUM
13174331003415 x1 + 17285145771356 x2 + 19133308147607 x3 + 20768399988658 x4 + 22857403444525 x5 + 27320889680330 x6 + 32609413435035 x7 + 33346249486015 x8 + 36451703583100 x9 + 44137263807532 x10 + 44383378110073 x11 + 46011207828303 x12 + 46660233846241 x13 + 48665987443489 x14 + 50851895884076 x15 + 54719671502113 x16 + 57124392416851 x17 + 84622296739659 x18 + 91977495188814 x19 + 97454623373902 x20 = 401687963698840
x1, …, x20 ∈ {0, 1}
Solution: x = 01110101110001001001 (that is, x2, x3, x4, x6, x8, x9, x10, x14, x17, x20 = 1)

8 NP-complete problems
SUBSET-SUM is NP-complete: if SUBSET-SUM can be solved efficiently, so can all NP problems…
… including FACTORING.
So SUBSET-SUM is no easier than FACTORING. Is it harder?

9 Different kinds of hardness
It is generally believed that FACTORING is “easier” than SUBSET-SUM.
Evidence #1: Quantum computers can factor efficiently (Shor’s algorithm)…
…but are not known to help for SUBSET-SUM.

10 Refutation
Change the last right-hand side of Example 1:
99925x + 4452y + 40736z = 10115057624
33778x + 9835y + 78751z = 3953653349
12512x + 83072y + 45040z = 5072747520
62862x + 75873y + 39538z = 9681080528 (was 9681080527)
Prove that there is no solution!
Proof: Run the EQUATIONS algorithm and verify that whatever it outputs is not a solution. Because EQUATIONS has an efficient algorithm, this refutation is short.

11 Refutation
Change the last three digits of Example 2:
p ∙ q = 21063855906995119 (was …023), p, q > 1
Claim: Now there is no solution!
Proof: The number is a prime. This can be confirmed using the algorithm of Agrawal, Kayal, and Saxena.

12 Refutation
Change the last digit of the target in Example 3 (same 20 coefficients):
13174331003415 x1 + 17285145771356 x2 + … + 97454623373902 x20 = 401687963698841 (was …840)
x1, …, x20 ∈ {0, 1}
Nobody knows how to refute in general!

13 NP-completeness and refutation
It is believed that NP-complete problems do not have short refutations*
(* If they did, the “polynomial hierarchy collapses,” etc.)
…but FACTORING, and the other problems used for crypto hardness, do.
In this sense, breaking current cryptosystems is easier than solving NP-complete problems. (theorem)

14 SOME ELEMENTS OF CRYPTOGRAPHY

15 One-way functions
f(p, q) = p ∙ q: computing f is easy; inverting it (factoring) is hard.
One-way functions are necessary for (most of) cryptography.

16 Cryptographic security
Rabin’s public key encryption:
SK = (p, q), PK = n = p ∙ q
Enc_PK(m) = m² mod n
Dec_SK(c) = …
Security claim: If I can recover m from PK and Enc_PK(m), then I can factor n.

17 A bit of algebra
The map x → (x mod p, x mod q) is a bijection from Z_n* to Z_p* × Z_q* (and, by the Chinese remainder theorem, from Z_n to Z_p × Z_q).
Example: p = 5, q = 3. The table lists each x ∈ Z_15 by its pair (x mod p, x mod q):

x mod q \ x mod p |  0   1   2   3   4
        0         |  0   6  12   3   9
        1         | 10   1   7  13   4
        2         |  5  11   2   8  14

18 Reduction
If I can recover m from PK and Enc_PK(m), then I can factor n.
That is: if I can recover m from n and c = m² mod n, then I can factor n.
Proof: On input n,
You choose a random m* and ask me to recover the message from c = m*² mod n.
I tell you some m.
You output p = gcd(m* – m, n) and q = n/p.

19 Analysis
Claim: With probability ½, p and q are the factors of n.
Proof by example: p = 5, q = 3, n = 15.
Suppose you chose m* = 7, so m*² mod n = 4.
m² mod n = 4 has four solutions, m = 2, 7, 8, 13 (one for each combination of a square root of 4 mod 5 and a square root of 4 mod 3; see the table of slide 17).
If I say m = 2 or 13, then m* – m (5 or –6) shares a factor with n: gcd(5, 15) = 5 and gcd(–6, 15) = 3.

20 Analysis
Claim: With probability ½, p and q are the factors of n.
Proof (continued): But what if I had said m = 7 or 8? Then m* – m is 0 or –1, and gcd gives 15 or 1, not a factor.
You chose m* at random and I only see m*².
I only know m*² = 4 mod 15, so for me m* is equally likely to be 2, 7, 8, 13.
I am “forced” to give a good answer (2 or 13) with probability ½.
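The reduction of slides 18–20, run end to end, as an added Python example that is not part of the slides. It reproduces the p = 5, q = 3, m* = 7 walkthrough (four square roots 2, 7, 8, 13, of which 2 and 13 factor n) and then estimates the ½ success rate against an inverter that knows p, q and returns a uniformly random root, which is the best a cheating inverter can do since it only sees m*². The brute-force root finder and the toy primes are for illustration only; the reduction logic itself is exactly the slides' gcd(m* – m, n) step.

```python
import math
import random


def square_roots_mod_prime(c, p):
    """All r in Z_p with r^2 = c (mod p); brute force, fine for toy primes."""
    return [r for r in range(p) if (r * r - c) % p == 0]


def rabin_roots(c, p, q):
    """All m in Z_n with m^2 = c (mod n), n = p*q, assembled with the CRT
    bijection x -> (x mod p, x mod q) of slide 17.  This is what the holder
    of SK = (p, q) can compute; an outsider is not known to be able to."""
    n = p * q
    inv_q_mod_p = pow(q, -1, p)  # modular inverse (Python 3.8+)
    inv_p_mod_q = pow(p, -1, q)
    roots = set()
    for rp in square_roots_mod_prime(c, p):
        for rq in square_roots_mod_prime(c, q):
            roots.add((rp * q * inv_q_mod_p + rq * p * inv_p_mod_q) % n)
    return sorted(roots)


def factor_from_collision(n, m_star, m):
    """Last step of slide 18: gcd(m* - m, n) and n / gcd, when nontrivial."""
    g = math.gcd(m_star - m, n)
    if 1 < g < n:
        return (min(g, n // g), max(g, n // g))
    return None  # m = +-m* mod n: this answer reveals nothing


def good_answers(m_star, p, q):
    """The roots of m*^2 mod n that let the reduction factor n (slide 19)."""
    n = p * q
    c = pow(m_star, 2, n)
    return [m for m in rabin_roots(c, p, q) if factor_from_collision(n, m_star, m)]


def reduction_success_rate(p, q, trials=2000, seed=1):
    """Run the reduction `trials` times against a random-root inverter and
    return the fraction of runs that factored n; slide 20 predicts about 1/2."""
    rng = random.Random(seed)
    n = p * q
    hits = 0
    for _ in range(trials):
        while True:  # the reduction queries on a random unit m* of Z_n
            m_star = rng.randrange(1, n)
            if math.gcd(m_star, n) == 1:
                break
        c = pow(m_star, 2, n)
        m = rng.choice(rabin_roots(c, p, q))  # the inverter's answer
        hits += factor_from_collision(n, m_star, m) is not None
    return hits / trials


if __name__ == "__main__":
    print("roots of 4 mod 15:", rabin_roots(4, 5, 3))
    print("answers that factor 15 when m* = 7:", good_answers(7, 5, 3))
    print("success rate for n = 77:", reduction_success_rate(11, 7))
```

The random choice of m* is what forces the inverter's hand: the four roots are indistinguishable to it, so whatever strategy it uses, half of the time its answer lands in the wrong CRT "branch" and the gcd exposes a factor.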

21 HARDNESS OF ONE-WAY FUNCTIONS

22 The setup
Suppose I believe my function f is one-way. How do I “prove” it?
Want a hard problem X and a reduction R.
R can use an (imaginary) inverter I: if I inverts f, then R^I solves X.

23 Maybe hard but not too hard
If such an R exists for a one-way permutation f, then X cannot be too hard:
YES instances of X have short proofs, and NO instances of X have short refutations.
For instance, X cannot be SUBSET-SUM, because it does not have short refutations*
(* unless NP = coNP)

24 One-way permutations
A one-way permutation is a one-way function that is also a bijection.
Example: f(x) = g^x, where g is a generator of a group G and x ∈ {0, …, |G| – 1}.

25 Simulating a reduction by a proof system
[Figure: the reduction for SUBSET-SUM, run on the instance of Example 3, with the inverter I as an oracle: the reduction asks “invert f at b1”, receives a1, and so on.]
Verifier: On input eqn, simulate the reduction.
Prover: Provide the query/answer pairs b1, a1, …, bt, at.
Verifier: If f(a1) = b1 and … and f(at) = bt, and the pairs are consistent with the simulation, output the answer of the reduction (here x = 01110101110001001001); otherwise declare “prover is cheating!”

26 From a proof system to a proof
[Figure: the prover hands the verifier the transcript eqn, b1, a1, …, bt, at.]
The sequence b1, a1, …, bt, at is a short proof that
eqn has a solution, provided that it does, but also
eqn does not have a solution if it doesn’t!

27 A trick question
Where did we use that f is a permutation?
How realistic is our model of the reduction?
The “right” question to ask: [Figure: the reduction for X on input x, querying the inverter I: “invert f at b1” → a1, …]
The reduction may be randomized.

28 Emulating randomized reductions
[Figure: Verifier (playing the reduction R^?) and Prover (playing the inverter I) exchange b1, a1, …, bt, at.]
Who should provide the randomness r? Answer: The verifier.
Correctness of randomized reductions: Given an inversion oracle I for f, for most r, R^I(x; r) solves x.

29 Emulating randomized reductions
[Figure: as before, with the verifier also sending its randomness r to the prover.]
Verifier is randomized, proof system is interactive.

30 Permutations vs. functions
Where did we use that f is a permutation?
Correctness of randomized reductions: Given an inversion oracle I for f, for most r, R^I(x; r) solves x.
Verifier and prover should agree on I before r is chosen.
When f is a permutation, I is unique.

31 Two-to-one functions
f: {0, 1}^n → {0, 1}^(n–1) is 2-to-1 if for every y, |f^(–1)(y)| = 2.
Such an f has 2^(2^(n–1)) possible inversion oracles (two choices of inverse for each of the 2^(n–1) images).
[Figure: a grid indexed by the choice of r and the choice of I, marking the pairs for which R^I(x; r) solves x.]
Protocol: the verifier sends r; the prover sends b1, a1, …, bt, at.
Verifier: If for every i, f(ai) = bi, output the answer of the reduction; otherwise “prover is cheating!”

32 Proof system for 2-to-1 functions
Prover and verifier agree to emulate the inversion oracle that answers with the lexicographically smaller inverse.
Protocol: the verifier sends r; the prover sends b1, a1, a1′, …, bt, at, at′.
Verifier: If for every i, f(ai) = f(ai′) = bi and ai < ai′, output the answer of the reduction run with transcript b1, a1, …, bt, at; otherwise “prover is cheating!”
[Figure: the same grid of choices of r and of I; the agreed oracle fixes a single column.]

33 Theme
Cryptographic reductions can sometimes be emulated by proof systems:
the verifier plays the role of the reduction,
the prover plays the role of the adversary (e.g. the inverter).
We can both prove and refute instances of X, provided the prover is “forced” to play a unique adversary.

34 K-to-one functions
Say f is K-to-1 if for every y, |f^(–1)(y)| = K.
The complexity of the proof system grows linearly in K.
When, say, K = 2^(n/2), this is exponential in n. Can we do better?

35 INTERACTIVE PROOFS

36 Graph isomorphism
[Figure: two drawings of graphs.]
Claim: the first graph is isomorphic to the second.
Proof: [Figure: the isomorphism itself, a relabeling of the vertices of one graph that yields the other.]

37 Graph non-isomorphism
Claim: G0 is not isomorphic to G1.
Interactive proof:
Verifier: Choose a random bit b and a random permutation π; send the graph G = π(Gb).
Prover: Answer with a bit b′.
Verifier: If b′ = b, declare “probably not isomorphic”.

38 Graph non-isomorphism
Analysis:
If G0, G1 are not isomorphic, then the prover knows for sure that G came from Gb, so he can answer b.
If G0, G1 are isomorphic, then G is equally likely to have come from G0 or G1, so he can only guess b, with probability 1/2.
Is there a classical proof system for graph non-isomorphism? Now almost, but I made this slide in 2014.

39 Interactive proofs
Given a promise problem L = (L_YES, L_NO) and an input x ∈ L_YES ∪ L_NO:
[Figure: the Verifier (randomized, efficient) and the Prover (unbounded) exchange messages q1, a2, …, q(R–1), aR; the verifier outputs YES/NO.]
Completeness: If x ∈ L_YES, Pr[V^P(x) = YES] ≥ 1/8.
Soundness: If x ∈ L_NO, Pr[V^P*(x) = YES] < 1/16 for every P*.

40 Normal form for interactive proofs
The class AM consists of those decision problems that have constant-round interactive proofs.
Such proofs have a normal form: the verifier sends public randomness r, and the prover answers a(x, r).
There is a compiler for converting protocols into this form; we’ll do an example instead.

41 The set size lower bound protocol
Input: A set C ⊆ {0, 1}^n (specified by a circuit) and a size estimate 0 < S < 2^n.
L_YES: |C| ≥ S
L_NO: |C| < S/8
Interactive proof:
Verifier: Send a random 2-universal hash function h: {0, 1}^n → {0, 1}^r, where 2S ≤ 2^r < 4S.
Prover: Send x (and a proof that x ∈ C).
Verifier: Accept if x ∈ C and h(x) = 0.
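The protocol of slide 41 simulated in Python, as an added example that is not from the slides. The slides do not fix a hash family; the code assumes the standard 2-universal family h(x) = Ax + b over GF(2) with a uniformly random r×n matrix A and vector b, and a Python set stands in for the circuit that specifies C (a set lookup replaces the "proof that x ∈ C"). Besides running the protocol, the block carries through the bounds that justify the odd-looking thresholds of slide 39: by inclusion–exclusion for a pairwise independent family, a YES instance makes the verifier accept with probability at least S/2^r − C(S,2)/2^(2r) ≥ 7/32 > 1/8, while a union bound gives a NO instance at most (S/8)/2^r ≤ 1/16. The test instances are constructed random subsets of {0,1}^10.

```python
import random


def choose_r(s):
    """Hash output length r with 2S <= 2^r < 4S, as the protocol prescribes."""
    r = 0
    while (1 << r) < 2 * s:
        r += 1
    return r


def random_affine_hash(n, r, rng):
    """A random member of the 2-universal family h(x) = Ax + b over GF(2)
    (assumed here; the slides only say '2-universal').  A is an r-by-n bit
    matrix with rows stored as n-bit ints, b is an r-bit int.  For x != y the
    pair (h(x), h(y)) is uniform, which is all the analysis below uses."""
    rows = [rng.getrandbits(n) for _ in range(r)]
    b = rng.getrandbits(r)

    def h(x):
        out = 0
        for i, row in enumerate(rows):
            out |= (bin(row & x).count("1") & 1) << i  # <row, x> mod 2
        return out ^ b

    return h


def honest_prover(c_set, h):
    """The (unbounded) prover: any x in C with h(x) = 0, or None if none exists."""
    return next((x for x in sorted(c_set) if h(x) == 0), None)


def run_protocol(n, c_set, s, rng):
    """One execution: verifier samples h, prover answers, verifier checks
    x in C (set lookup in place of the circuit) and h(x) = 0."""
    h = random_affine_hash(n, choose_r(s), rng)
    x = honest_prover(c_set, h)
    return x is not None and x in c_set and h(x) == 0


def acceptance_rate(n, c_set, s, trials=2000, seed=7):
    rng = random.Random(seed)
    return sum(run_protocol(n, c_set, s, rng) for _ in range(trials)) / trials


def completeness_lower_bound(s, r):
    """Inclusion-exclusion: if |C| >= S then, over a pairwise independent h,
    Pr[some x in C has h(x) = 0] >= S/2^r - C(S,2)/2^(2r)."""
    return s / 2 ** r - s * (s - 1) / 2 / 2 ** (2 * r)


def soundness_upper_bound(size, r):
    """Union bound: Pr[some x in C has h(x) = 0] <= |C|/2^r."""
    return size / 2 ** r


def demo(n=10, s=32, seed=3):
    """Constructed instances: a YES set of exactly S strings and a NO set of
    fewer than S/8 strings, both random subsets of {0,1}^n.  Returns the two
    empirical acceptance rates."""
    rng = random.Random(seed)
    yes_set = set(rng.sample(range(1 << n), s))
    no_set = set(rng.sample(range(1 << n), s // 8 - 1))
    return acceptance_rate(n, yes_set, s), acceptance_rate(n, no_set, s)


if __name__ == "__main__":
    yes_rate, no_rate = demo()
    print("YES instance accepted with rate", yes_rate,
          "(bound >=", completeness_lower_bound(32, choose_r(32)), ")")
    print("NO instance accepted with rate", no_rate,
          "(bound <=", soundness_upper_bound(3, choose_r(32)), ")")
```

The gap between 7/32 and 1/16 is small, which is exactly why slide 44 amplifies by running the protocol on C^k: the same code applies to k-tuples, with membership in C^k checked componentwise.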

44 The set size lower bound protocol
Input: A set C ⊆ {0, 1}^n, a size estimate 0 < S < 2^n, and an error parameter ε > 0.
L_YES: |C| ≥ S
L_NO: |C| < (1 – ε)S
Running time of the verifier is linear in |C|/ε.
Proof: Run the original protocol on (C^k, S^k) with k = 3/ε; then a NO instance has |C^k| < (1 – ε)^k S^k ≤ e^(–3) S^k < S^k/8.

45 Graph non-isomorphism via set size
Given G0, G1 we want a proof of non-isomorphism.
For simplicity we’ll assume G0, G1 have no automorphisms.
Reduction to set size lower bound: C = { π(Gb) : π is a permutation, b is a bit }.
If G0, G1 are isomorphic, |C| = n!; if G0, G1 are not isomorphic, |C| = 2 ∙ n!.
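The graph non-isomorphism protocol of slides 37–38 and the set C of slide 45, as an added Python example that is not part of the slides. The unbounded prover is played by a brute-force isomorphism test over all vertex permutations, which is affordable on the constructed 4-vertex inputs (a 4-cycle, a relabeled 4-cycle, and the "paw": a triangle with a pendant edge, which also has 4 edges). The last function counts |C| = |{π(Gb)}| directly; since these small graphs do have automorphisms, the counts come out as n!/|Aut(G0)| + n!/|Aut(G1)| when the graphs are non-isomorphic and n!/|Aut(G0)| when they are isomorphic, which is the general form of the slide's n! versus 2·n!.

```python
import itertools
import random


def relabel(edges, perm):
    """Apply the vertex permutation perm (old vertex -> new vertex) to an edge set."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)


def isomorphic(n, g0, g1):
    """Brute-force isomorphism test on n-vertex graphs: what an unbounded prover can do."""
    if len(g0) != len(g1):
        return False
    return any(relabel(g0, p) == g1 for p in itertools.permutations(range(n)))


def gni_round(n, g0, g1, rng):
    """One round of the slide-37 protocol; True if the prover's bit b' equals b."""
    b = rng.randrange(2)
    perm = list(range(n))
    rng.shuffle(perm)
    challenge = relabel((g0, g1)[b], perm)  # verifier sends G = pi(G_b)
    fits = [isomorphic(n, g, challenge) for g in (g0, g1)]
    if fits[0] != fits[1]:
        b_prime = fits.index(True)  # G0, G1 non-isomorphic: the source is certain
    else:
        b_prime = rng.randrange(2)  # G fits both, so G0 and G1 are isomorphic: a guess
    return b_prime == b


def gni_protocol(n, g0, g1, rounds, rng):
    """Verifier says 'probably not isomorphic' only if every round succeeds.
    On isomorphic inputs any prover passes with probability 2^-rounds."""
    return all(gni_round(n, g0, g1, rng) for _ in range(rounds))


def acceptance_rate(n, g0, g1, rounds=1, runs=2000, seed=5):
    rng = random.Random(seed)
    return sum(gni_protocol(n, g0, g1, rounds, rng) for _ in range(runs)) / runs


def relabeling_set_size(n, g0, g1):
    """|C| for C = {pi(G_b) : pi a permutation, b a bit} from slide 45.
    The two orbits are disjoint exactly when G0 and G1 are not isomorphic."""
    return len({relabel(g, p) for g in (g0, g1) for p in itertools.permutations(range(n))})


# Constructed 4-vertex inputs (not from the slides).
CYCLE = frozenset({(0, 1), (1, 2), (2, 3), (0, 3)})
CYCLE_RELABELED = relabel(CYCLE, [2, 0, 3, 1])  # isomorphic to CYCLE, different labels
PAW = frozenset({(0, 1), (1, 2), (0, 2), (2, 3)})  # 4 edges, but not a cycle


if __name__ == "__main__":
    print("non-isomorphic pair, 10 rounds, accepted:", acceptance_rate(4, CYCLE, PAW, rounds=10, runs=200))
    print("isomorphic pair, 1 round, accepted:", acceptance_rate(4, CYCLE, CYCLE_RELABELED))
    print("|C| non-isomorphic:", relabeling_set_size(4, CYCLE, PAW))
    print("|C| isomorphic:", relabeling_set_size(4, CYCLE, CYCLE_RELABELED))
```

For the 4-cycle |Aut| = 8 and for the paw |Aut| = 2, so the non-isomorphic pair gives |C| = 24/8 + 24/2 = 15 while the isomorphic pair gives 3; with automorphism-free graphs these would be 2·n! and n! as on the slide.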

46 AM ≈ NP
[Figure: the normal form: public randomness r from the verifier, answer a(x, r) from the prover.]
If we replace r by the output of a suitable pseudorandom generator, the proof can be derandomized.
Under a plausible assumption in complexity theory, AM = NP.

47 BACK TO CRYPTOGRAPHY

48 Hardness of regular one-way functions
Say f: {0, 1}^n → {0, 1}^(n – k) is 2^k-to-1.
Suppose we have a reduction R^? that, given an inverter I for f, solves L.
Verifier will emulate the reduction.
Prover will emulate a random inverter I: given a query b, return each a such that f(a) = b with probability 2^(–k), independently of previous queries and answers.

49 Hardness of regular one-way functions
[Figure: the verifier sends b1, the prover answers a1 = I(b1), …, bt, at = I(bt).]
If x ∈ L: Pr_{r, I}[R^I(x; r) accepts] ≥ 2/3, i.e. |{(r, a1, …, at) valid and accepting}| ≥ (2/3) ∙ 2^(|r| + kt).
If x ∉ L: Pr_{r, I}[R^I(x; r) accepts] < 1/3, i.e. |{(r, a1, …, at) valid and accepting}| < (1/3) ∙ 2^(|r| + kt).

50 Hardness of regular one-way functions
[Figure: the same exchange, with queries written y1, …, yt and answers x1 = I(y1), …, xt = I(yt).]
The same counting applies to rejection:
If x ∉ L: Pr_{r, I}[R^I(x; r) rejects] ≥ 2/3, i.e. |{(r, x1, …, xt) valid and rejecting}| ≥ (2/3) ∙ 2^(|r| + kt).
If x ∈ L: Pr_{r, I}[R^I(x; r) rejects] < 1/3, i.e. |{(r, x1, …, xt) valid and rejecting}| < (1/3) ∙ 2^(|r| + kt).

