Security and Cryptography December 4, 2001 Portions stolen from Prof. Sahai (spring 2001)
Administrivia
• Homework assignment 7 due today
• Homework Assignment 8 due January 7, 2002
• Homework 9
  • Part a due next Tuesday
  • Part b due next Thursday
  • Part c due next Friday
• Lab 8 this week
• No lab next week
• Guest lecturer(s) Thursday
• Final Exam CS 104 01/23/2002 @ 8:30 AM
Last Time
• We saw examples of undecidable problems that computers can’t solve
• We saw examples of search problems that we believe computers can’t solve quickly.
“Easy” undecidable problems
• Halting Problem
• Post's Correspondence Problem (PCP)?
Post's Correspondence Problem (PCP)?
An instance of Post's correspondence problem of size $s$ is a finite set of pairs of strings $(g_i, h_i)$ ($i = 1 \ldots s$, $s \ge 1$) over some alphabet. A solution is a sequence $i_1 i_2 \ldots i_n$ of selections such that the strings $g_{i_1} g_{i_2} \ldots g_{i_n}$ and $h_{i_1} h_{i_2} \ldots h_{i_n}$ formed by concatenation are identical.
Sample PCP
$g_1$ = aba    $h_1$ = abaa
$g_2$ = bbab   $h_2$ = abab
$g_3$ = baaa   $h_3$ = a
$g_4$ = a      $h_4$ = bb
So, 1,3,1,2 would correspond to
aba baaa aba bbab from g’s
abaa a abaa abab from h’s (not a match)
Sample PCP (cont.)
$g_1$ = aba    $h_1$ = abaa
$g_2$ = bbab   $h_2$ = abab
$g_3$ = baaa   $h_3$ = a
$g_4$ = a      $h_4$ = bb
1,4,2,1,3
aba a bbab aba baaa
abaa bb abab abaa a
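An added example, not part of the original slides: checking a proposed selection for the sample instance above, and a breadth-first search that is cut off at a chosen length. The function names and the length bound are assumptions of this sketch; a `None` result only means "no solution up to that length", which is exactly why a search alone cannot decide PCP.

```python
from collections import deque

# The sample instance from the slides: index -> (g_i, h_i).
PAIRS = {
    1: ("aba", "abaa"),
    2: ("bbab", "abab"),
    3: ("baaa", "a"),
    4: ("a", "bb"),
}


def check(pairs, selection):
    """Verify a proposed solution: concatenate both sides and compare."""
    g = "".join(pairs[i][0] for i in selection)
    h = "".join(pairs[i][1] for i in selection)
    return bool(selection) and g == h


def search(pairs, max_len):
    """Breadth-first search for a shortest solution of length <= max_len.

    A partial selection is kept only while one concatenation is a prefix
    of the other; otherwise it can never be extended to a match.
    Returns the selection as a list, or None if the bound is exhausted.
    """
    queue = deque([((), "", "")])
    while queue:
        selection, g, h = queue.popleft()
        if len(selection) == max_len:
            continue
        for i, (gi, hi) in pairs.items():
            g2, h2 = g + gi, h + hi
            if g2 == h2:
                return list(selection) + [i]
            if g2.startswith(h2) or h2.startswith(g2):
                queue.append((selection + (i,), g2, h2))
    return None


if __name__ == "__main__":
    print(check(PAIRS, [1, 3, 1, 2]))   # the non-matching selection
    print(search(PAIRS, 4))             # bound too small
    print(search(PAIRS, 5))             # finds the slide's solution
```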
PCP is undecidable
• Post's correspondence problem was shown to be undecidable by Post in 1946.
• The problem with size 2 has been proved decidable.
• The problem with size 7 has been proved undecidable.
• The decidability of problems with size between 3 and 6 is still pending.
Last Time – hard search problems
• We saw examples of search problems that we believe computers can’t solve quickly.
• A search problem is a problem where
  • It is hard to find a solution
  • It is easy to check a possible solution
• A complete search problem is as hard as any search problem
• A search problem is believed to be hard because
  • We can’t solve it
  • No one else can
  • No one can solve any of the complete search problems
Classes of search problems
• In computer-science terminology:
• NP = All Search Problems
• P = Problems we can solve quickly
• We believe that P ≠ NP, i.e. not every search problem can be solved quickly on a computer.
• Search problems that are in NP but not in P are used in situations where we want a problem that is
• Hard to solve
• Easy to check a solution.
Coloring
Coloring (cont.)
• We can build a computer as a coloring problem
• Build simulations of gates
• NOT, AND, OR
• Combine simulations to build circuit for, e.g. Carry-ripple adder
• Result
• Here is a graph,
• Color a few circles to mark inputs
• Find a valid coloring of all circles
• Read off values of output circles to get result
Coloring (cont.)
• Coloring is complete
• In particular, we can reduce solving any search problem to finding a valid coloring for some collection of circles!
• So, if we could solve Coloring quickly, then P = NP
• That’s why we believe Coloring can’t be solved quickly by any computer.
• We call such problems NP-Complete.
NP-complete problems
• Coloring
• Traveling Salesman Problem
• Knapsack problem
• Partition Problem
Knapsack problem
• We are given a set of items, each having a weight measured by an integer
• We are given a capacity for the knapsack
• We ask if we can exactly pack the knapsack
Sample Knapsack problem
• Item weights 2, 4, 9, 13, 17, 23, 32, 70, 123, 157
• Capacity is 228
  • Packing 157 + 32 + 17 + 13 + 9
• Capacity is 226
  • Packing (there are none)
Partition problem
• We are given a set of items, each having a weight measured by an integer
• We are asked if we can divide the items into 2 groups that have the same total weights.
• Like a knapsack problem
  • Weight is half of total weight
Sample Partition problem
• Item weights 2, 4, 9, 13, 17, 23, 32, 70, 123, 157
• Total weight is 450
  • Packing 123 + 70 + 32 = 225
  • Packing 157 + 23 + 17 + 13 + 9 + 4 + 2 = 225
• Why is this different from the PCP?
Other Hard Problems?
• There are other problems besides NP-Complete Problems that we also believe are hard.
• Can we be sure?
• No.
• But humanity has been trying to solve certain mathematical problems for centuries.
• So, it seems reasonable to assume that nobody will figure out how to solve them soon.
Cryptography
• Why do we care so much about hard problems?
• Because sometimes we want to make things hard.
• Protecting Privacy, Authenticity
• Want to make it hard for adversaries to:
• Steal our credit cards
• Impersonate us
• Etc.
• Makes it possible for companies to protect intellectual property.
Cryptography
• Science of making things hard for adversaries = Cryptography
• Dates back to Julius Caesar
• Caesar cipher – shift each character by a few places
• "UHWXUQ WR URPH" encodes "RETURN TO ROME"
• Used extensively during WW 2 (and every other war)
• Used to encode passwords
• Used to prevent copying of software and data (e.g. DVD).
Requirements of a cryptosystem
• Easy to encode messages
• Hard to decode messages
One Approach...
"It’s so complicated! It must be secure!"
Cryptosystem XYZ (Patent Pending)
One Approach...
Cryptosystem XYZ Broken 2 Days After Release!
One Approach...
• Unfortunately, this approach is often used in real life.
• This is one of the reasons why you hear about so many security systems being broken!
• Examples: DVD encryption (DeCSS), Cell phones in Europe (GSM), encoding of fonts by Adobe, many many more
More sophisticated approach
• Use the theory of hard search problems and the notion of reducing one problem to another.
• Show that if you break this security system, you do so by solving some of the world’s greatest unsolved problems first!
Encryption
• The most basic problem in Cryptography is Encryption:
[Diagram: Alice and Bob; Private Message m; Eve the eavesdropper]
Encryption
• Have to make it easy for Bob to recover m
• But hard for Eve to learn anything about m
[Diagram: Alice and Bob; Encrypted Message E(m); Eve the eavesdropper]
Public-Key Cryptography [Diffie-Hellman 1976]
[Diagram: Bob; Bob’s Public Key; Bob’s Secret Key]
• Everybody knows Bob’s published Public Key.
• Only Bob knows his secret key.
Public-Key Encryption
• Alice uses Bob’s public key to encrypt m.
• Bob uses his secret key to recover (decrypt) m.
[Diagram: Alice and Bob; Encrypted Message E(m)]
Public-Key Encryption
• Alice and Eve both know Bob’s public key.
• Eve must not be able to “break” the encryption even though she knows the public key.
[Diagram: Alice and Bob; Encrypted Message E(m); Eve the eavesdropper]
Basic Math Review
• Let’s recall some basic mathematics:
• A number p is called prime if its only factors are 1 and itself.
• Examples: 2, 3, 5, 7, 11, 13, 17, 19, …
• There are lots of prime numbers.
• Fact: It is known how to check quickly if a number is prime or not.
• So, to find a big prime number, we can just keep generating large random numbers until we find a prime.
Basic Math Review
• Given two primes p and q, it is easy to multiply them together: N = pq
• But given N, how do you find p and q quickly? i.e. how do you factor N?
• Easy for small numbers (e.g. 6 or 35).
• For centuries, mathematicians have been trying to find ways to factor large numbers quickly. No one knows how!
• Factoring a 10,000 digit N would take centuries on the fastest computer in existence!
How do we know factoring is hard?
• Problem has a long history
• Prizes are offered and have been for a long time
• Factoring progress happens slowly
Factoring RSA-130 (4/10/96)
RSA-130 = 1807082088687404805951656164405905566278102516769401349170127021450056662540244048387341127590812303371781887966563182013214880557
= 39685999459597454290161126162883786067576449112810064832555157243 * 45534498646735972188403686897274408864356301263205069600999044599
Moore’s Law would add a digit or 2 every year.
Basic Math & Crypto
• We want to make it so that if Eve the eavesdropper breaks our system, she would have to factor a very large number.
• We’ll (almost) do that.
Modular Arithmetic
• Ordinary Arithmetic:
… -4 -3 -2 -1 0 1 2 3 4 …
• Arithmetic Modulo N:
[Diagram: circle of values N = 0, 1, 2, 3, …, (N – 3), (N – 2), (N – 1)]
Modular Arithmetic
• Example: Arithmetic Modulo 12 (like Arithmetic on time)
• 3 + 11 (Modulo 12) = 2
• 2 – 4 (Modulo 12) = 10
• 5 * 4 (Modulo 12) = 8
• 4 * 3 (Modulo 12) = 0
The RSA Encryption Scheme
[Rivest Shamir Adleman 1978]
• Bob picks two large primes p and q, and computes: N = pq
• Fact: Because Bob knows p and q, he can pick numbers e and d such that:
• For all m: $(m^e)^d = m$ (Modulo N)
• Bob’s Public Key will be e, N
• Bob’s secret key will be d
The RSA Encryption Scheme
• Fact: Because Bob knows p and q, he can pick numbers e and d such that:
• For all m: $(m^e)^d = m$ (Modulo N)
• To Encrypt a message m, Alice computes:
• $E(m) = m^e$ (Modulo N)
• To Decrypt, Bob computes:
• $m = E(m)^d$ (Modulo N)
The RSA Encryption Scheme
• To Encrypt a message m, Alice computes:
• $E(m) = m^e$ (Modulo N)
• The only known way to compute m from E(m) involves factoring N.
• For Eve to break this system, she would have to solve a long-standing open problem in Mathematics.
• This is probably the most widely used Public-Key Encryption Scheme in the world.
• Look at Help on IE
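An added example, not part of the original slides: the scheme above with toy 16-bit primes, covering the "keep generating random numbers until one is prime" step, Bob's choice of e and d, and what Eve can do once N is small enough to factor. The key size, the fixed e = 65537, the derivation of d from (p − 1)(q − 1) and all function names are assumptions of this sketch.

```python
import math
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases; exact for every n below 2**64."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False               # a is a witness: n is composite
    return True


def random_prime(bits):
    """Draw random odd numbers of the given size until one is prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(candidate):
            return candidate


def keygen(bits=16, e=65537):
    """Bob: pick p and q, publish (e, N), keep d secret.

    d is the inverse of e modulo (p-1)(q-1), which Bob can compute
    because he knows p and q. Toy key size, for illustration only.
    """
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), pow(e, -1, phi)


def encrypt(m, public):
    e, n = public
    return pow(m, e, n)                # E(m) = m^e (Modulo N)


def decrypt(c, d, n):
    return pow(c, d, n)                # m = E(m)^d (Modulo N)


def eve_break(c, public):
    """Eve sees only (e, N) and E(m). Trial division factors this tiny N;
    once p and q are known, d follows exactly as it did for Bob."""
    e, n = public
    p = next(f for f in range(3, math.isqrt(n) + 1, 2) if n % f == 0)
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(c, d, n)


if __name__ == "__main__":
    public, d = keygen()
    c = encrypt(424242, public)
    print(public, c, decrypt(c, d, public[1]), eve_break(c, public))
```

The scheme as written on the slides is deterministic: the same m always gives the same E(m), so Eve can confirm a guessed message by encrypting it herself. Deployed RSA encryption adds randomized padding such as OAEP for that reason.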
Shifting Gears: Proofs…
• Bob wants to convince Alice of the validity of some statement (like “I really am Bob!”)
• But Bob doesn’t want to reveal his secrets to Alice in the process…
[Diagram: Alice and Bob]
Zero-Knowledge Proofs
• What is the least amount of information Bob can reveal, while still convincing Alice?
• Amazingly, it is possible for Bob to convince Alice of something without revealing any information at all!
• How can that be?
Magic Tricks
• Magic tricks are like zero-knowledge proofs:
• Good magic tricks reveal nothing about how they work.
• What makes a magic trick good?
A Magic Trick
• Two balls: Purple and Red, otherwise identical
• Blindfolded Magician
• You give a random ball to magician
A Magic Trick (cont.)
• Magician tells you the color!
• Magician proves he can distinguish balls blindfolded.
• You learn nothing except this.
"Abracadabra, Goobedy goo!"
"It is Red!"
"Wow! He’s so cool!"
A Magic Trick (cont.)
• You knew exactly what magician was going to do.
• And he did it!
• Since you knew to begin with, you could not have learned anything new!
"It’s Red!"
"I knew he would say that."
Zero Knowledge
• What it means:
• Alice “knows” what is going to happen.
• CS-speak: Alice can simulate it herself!
"Abracadabra, Goobedy goo!"
"It is Red!"
Simulation
Another Magic Trick
• Magician asks you to think of either
• “Apple” or
• “Banana”
• Magician then gives you a sealed box.
Mind Reading
• You tell Magician what you were thinking.
"I was thinking of a banana."
Mind Reading (cont.)
• Magician tells you to open box, and read piece of paper in box.
• Magician proves he can predict what you will say.
[Paper in box: "Banana"]
"How did he do that!!"
Mind Reading (cont.)
• Again, you knew what was going to happen. Zero-Knowledge
"I was thinking of a banana."
Simulation
[Paper in box: "Banana"]
Mind Reading (cont.)
• But why was it convincing?
• Because Magician committed to his guess before you told him.
Cryptographic Commitment
• Public Key Encryption Scheme
• To commit to a string x, I send y = E(x).
• To open the commitment, I reveal my secret key.
• Commitment is secret.
• And I can’t change my mind about x once I’ve sent the encryption.
NP-Completeness
• Remember we can reduce any search problem to Coloring.
NP-Completeness (cont.)
• “y is an encryption of a valid tax return”
reduction
ZK Proof for Coloring
• Input: Collection of circles.
• Magician Knows: Coloring using R, B, G
• First, Magician picks a random permutation of R, B, G and applies it to the coloring:
ZK Proof (cont.)
ZK Proof: Analysis
• Suppose NO valid coloring exists.
• Then there is at least one pair of connected circles whose colors are equal.
Alice catches Magician cheating with probability at least $1/n^2$.
• Repeat protocol $100 n^2$ times, and Alice catches Magician cheating almost always!
Simulator
Simulated ZK Proof
ZK Proof: Analysis (cont.)
• Only difference between real & simulated:
• In real life, commitments are to valid coloring.
• In simulator, commitments are to invalid coloring.
• But commitments are secret, by security of encryption scheme.
Simulator output and real life are indistinguishable.
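An added example, not part of the original slides: one way the commit, challenge and open rounds analysed above can be run, together with a simulator that knows no coloring. The protocol steps were on figure slides that did not survive, so this follows the standard three-coloring proof (Alice challenges one pair of connected circles per round); the salted SHA-256 commitment stands in for the slides' encryption-based commitment, and the graph, colorings and names are constructed for the demo.

```python
import hashlib
import random
import secrets

COLORS = ("R", "B", "G")

# Constructed sample graph: circles 0..4 and the pairs that are connected.
EDGES = [(0, 1), (1, 2), (2, 0), (2, 3), (3, 4), (4, 0)]
GOOD = {0: "R", 1: "B", 2: "G", 3: "R", 4: "B"}   # valid coloring
BAD = {0: "R", 1: "B", 2: "G", 3: "G", 4: "B"}    # circles 2 and 3 clash


def commit(color):
    """Seal one color. The random nonce is what keeps it secret: with only
    three possible colors, an unsalted hash (or a deterministic encryption)
    could be recomputed by Alice for R, B and G and compared."""
    nonce = secrets.token_bytes(16)
    sealed = hashlib.sha256(nonce + color.encode()).hexdigest()
    return sealed, (nonce, color)


def opens_to(sealed, opening):
    nonce, color = opening
    return hashlib.sha256(nonce + color.encode()).hexdigest() == sealed


def magician_commit(coloring):
    """Apply a fresh random permutation of R,B,G, then seal every circle."""
    perm = dict(zip(COLORS, random.sample(COLORS, 3)))
    sealed, openings = {}, {}
    for circle, color in coloring.items():
        sealed[circle], openings[circle] = commit(perm[color])
    return sealed, openings


def alice_checks(sealed, edge, revealed):
    """Both openings must match their commitments and the colors differ."""
    u, v = edge
    if not (opens_to(sealed[u], revealed[u]) and opens_to(sealed[v], revealed[v])):
        return False
    cu, cv = revealed[u][1], revealed[v][1]
    return cu in COLORS and cv in COLORS and cu != cv


def run_proof(edges, coloring, rounds):
    """Return True only if Alice accepts every round."""
    for _ in range(rounds):
        sealed, openings = magician_commit(coloring)
        edge = random.choice(edges)                 # Alice's challenge
        revealed = {c: openings[c] for c in edge}   # only two circles opened
        if not alice_checks(sealed, edge, revealed):
            return False
    return True


def simulate_round(circles, edges):
    """Simulator: no coloring known. It fixes the challenge in advance
    (the real simulator guesses it and retries on a wrong guess), seals two
    different random colors on that pair and filler on every other circle.
    The opened pair is a random pair of distinct colors, as in a real round."""
    edge = random.choice(edges)
    fake = {c: "R" for c in circles}
    fake[edge[0]], fake[edge[1]] = random.sample(COLORS, 2)
    sealed, openings = {}, {}
    for c in circles:
        sealed[c], openings[c] = commit(fake[c])
    return sealed, edge, {c: openings[c] for c in edge}


if __name__ == "__main__":
    n = 5
    print(run_proof(EDGES, GOOD, 100 * n * n))   # honest Magician accepted
    print(run_proof(EDGES, BAD, 100 * n * n))    # cheating Magician caught
    print(alice_checks(*simulate_round(range(n), EDGES)))
```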
Wrap-up
• Today we saw some examples illustrating techniques from modern cryptography:
• Encryption
• Zero Knowledge Proofs