Cryptography Modern cryptography was born in 1970s when - PowerPoint PPT Presentation

Cryptography

Modern cryptography was born in 1970’s when computationally easy-to-verify but ‘hard-to-solve’ problems were discovered. Computational Complexity, by Fu Yuxi Cryptography 1 / 75

Cryptography is closely related to some advanced topics in computational complexity. Computational Complexity, by Fu Yuxi Cryptography 2 / 75

Synopsis 1. Computationally Secure Encryption 2. Pseudorandom Generator 3. Pseudorandom Function 4. One-Way Function 5. Zero Knowledge Proof 6. Remark Computational Complexity, by Fu Yuxi Cryptography 3 / 75

Computationally Secure Encryption Computational Complexity, by Fu Yuxi Cryptography 4 / 75

An encryption scheme is a pair ( E , D ) of algorithms such that D k ( E k ( x )) = x for all key k and plaintext x . Obviously E k is one-one for every k . Computational Complexity, by Fu Yuxi Cryptography 5 / 75

Shannon’s Perfect Secrecy ( E , D ) is perfectly secret if for every pair x , x ′ ∈ { 0 , 1 } m , the distributions E U n ( x ) and E U n ( x ′ ) are identical. ◮ n is the key length. ◮ U n is the uniform distribution over { 0 , 1 } n . Computational Complexity, by Fu Yuxi Cryptography 6 / 75

One Time Pad Encryption Scheme, Vernan 1917 Encryption: ◮ Plaintext x ∈ { 0 , 1 } n . ◮ Generate a key k ∈ R { 0 , 1 } n , encrypt x by x ⊕ k . Decryption: ◮ Ciphertext y ∈ { 0 , 1 } n . ◮ The plaintext is recovered by y ⊕ k . If a key k is used twice, useful information can be derived. Computational Complexity, by Fu Yuxi Cryptography 7 / 75

One Time Pad Encryption Scheme Fact . The one time pad encryption scheme is perfectly secure. It is crucial that the key is as long as the message. Computational Complexity, by Fu Yuxi Cryptography 8 / 75

Shannon Theorem . Suppose ( E , D ) is an encryption scheme. If n < m , then there exist x , x ′ such that E U n ( x ) and E U n ( x ′ ) differ. Proof. A proof can be read off from the proof of Lemma. ◮ Perfectly secret encryption scheme is not a practical scenario. ◮ Modern cryptography offers a solution. Computational Complexity, by Fu Yuxi Cryptography 9 / 75

Negligible Functions A function ǫ : N → [0 , 1] is negligible if ∀ c . ∃ N . ∀ n ≥ N .ǫ ( n ) < 1 n c . 1 In other words ǫ is negligible if it tends to 0 faster than p ( n ) for every polynomial p ( n ). ◮ Events with negligible probability can be practically ignored. ◮ ǫ is not negligible if ∃ c . ǫ ( n ) ≥ 1 n c for infinitely many n . Computational Complexity, by Fu Yuxi Cryptography 10 / 75

Computationally Secure Encryption Scheme An encryption scheme ( E , D ) for keys of length n and messages of length m is computationally secure if for every P-time PTM A there is a negligible function ǫ : N → [0 , 1] such that � � � Pr k ∈ R { 0 , 1 } n , x ∈ R { 0 , 1 } m [ A ( E k ( x )) = ( i , b ) ∧ x i = b ] − 1 � � � ≤ ǫ ( n ) . � � 2 Computational Complexity, by Fu Yuxi Cryptography 11 / 75

Is there a computationally secure encryption scheme? The answer is conditional. Computational Complexity, by Fu Yuxi Cryptography 12 / 75

Lemma . Suppose P = NP . Let ( E , D ) be a P-time encryption scheme with key shorter than message. A P-time algorithm A exists such that for every message length m , there is a pair x 0 , x 1 ∈ { 0 , 1 } m satisfying Pr b ∈ R { 0 , 1 } , k ∈ R { 0 , 1 } n [ A ( E k ( x b )) = b ] ≥ 3 / 4 where n is the key length and n < m . 1. Let S be defined as follows: y ∈ S iff ∃ k . y = E k ( x 0 ), where x 0 = 0 m . 2. If P = NP then S is P-time decidable by some algorithm A . ◮ A ( x ) = 0 iff x ∈ S . 3. Let D x = distribution E U n ( x ). Then Pr [ A ( D x 0 )=0] = 1. Computational Complexity, by Fu Yuxi Cryptography 13 / 75

If Pr [ D x ∈ S ] > 1 2 for all x then one would have 1 2 < Pr x [ Pr [ D x ∈ S ]] = Pr k [ Pr x [ E k ( x ) ∈ S ]] ≤ 1 2 , where ≤ holds because | S | ≤ 2 n ≤ 2 m − 1 by the definition of S and E k is injective. It follows that Pr [ D x 1 ∈ S ] ≤ 1 2 for some x 1 ∈ { 0 , 1 } m . According to the definition of A , one has Pr [ A ( D x 1 )=0] ≤ 1 2 . Hence 2 Pr [ A ( D x 0 )=0] + 1 1 Pr b , k [ A ( E k ( x b ))= b ] = 2 Pr [ A ( D x 1 )=1] 1 2 + 1 = 2 Pr [ A ( D x 1 )=1] 3 ≥ 4 . Computational Complexity, by Fu Yuxi Cryptography 14 / 75

P � = NP is necessary for modern cryptography. We do not know if it is sufficient. Computational Complexity, by Fu Yuxi Cryptography 15 / 75

Pseudorandom Generator Computational Complexity, by Fu Yuxi Cryptography 16 / 75

Modern cryptography addresses the long key issue by studying how to generate long keys from short ones. ◮ An observer cannot detect efficiently any useful difference between a pseudorandom key and a truly random key. Computational Complexity, by Fu Yuxi Cryptography 17 / 75

What is a pseudorandom string? How do we characterize pseudorandom strings? ◮ For modern cryptography it suffices that encrypted messages are distributed in a way that looks random to all efficient observers. Computational Complexity, by Fu Yuxi Cryptography 18 / 75

Pseudorandom Generator Let G : { 0 , 1 } ∗ → { 0 , 1 } ∗ and ℓ : N → N be P-time computable such that ℓ ( n ) > n for all n and | G ( x ) | = ℓ ( | x | ) for all x ∈ { 0 , 1 } ∗ . G is a computationally secure pseudorandom generator of stretch ℓ ( n ) if, for every P-time PTM A , there exists a negligible function ǫ : N → [0 , 1] such that � ≤ ǫ ( n ) . � � � Pr [ A ( G ( U n )) = 1] − Pr [ A ( U ℓ ( n ) ) = 1] 1. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982. Computational Complexity, by Fu Yuxi Cryptography 19 / 75

A pseudorandom generator says nothing about how it is constructed. Computational Complexity, by Fu Yuxi Cryptography 20 / 75

Unpredictability Let G : { 0 , 1 } ∗ → { 0 , 1 } ∗ be P-time computable with stretch ℓ ( n ), where ℓ : N → N is P-time computable such that ∀ n .ℓ ( n ) > n . We say that G is unpredictable if for every P-time PTM B there is a negligible function ǫ : N → [0 , 1] such that � � � Pr x ∈ R { 0 , 1 } n , y = G ( x ) , i ∈ R [ ℓ ( n )] [ B (1 n , y 1 , . . . , y i − 1 ) = y i ] − 1 � � � ≤ ǫ ( n ) . � � 2 1. M. Blum, S. Micali. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. FOCS 1982. Computational Complexity, by Fu Yuxi Cryptography 21 / 75

Unpredictability ⇐ Pseudorandomness Suppose G is a pseudorandom generator. If it is not unpredictable then there is some c such that � � � Pr x ∈ R { 0 , 1 } n , y = G ( x ) , i ∈ R [ ℓ ( n )] [ B (1 n , y 1 , . . . , y i − 1 ) = y i ] − 1 � ≥ 1 � � � � 2 n c holds for a P-time PTM B for infinitely many n . Some i exists such that � Pr x ∈ R { 0 , 1 } n , y = G ( x ) [ B (1 n , y 1 , . . . , y i − 1 ) = y i ] − 1 � � 1 � � � ≥ � � n c ℓ ( n ) 2 for infinitely many n . It follows from Pr [ B ( U ℓ ( n ) ) = 1] = 1 2 that 1 Pr [ B ( G ( U n )) = 1] − Pr [ B ( U ℓ ( n ) ) = 1] ≥ n c ℓ ( n ) for infinitely many n , which is a contradiction. Computational Complexity, by Fu Yuxi Cryptography 22 / 75

Unpredictability ⇒ Pseudorandomness Theorem (Yao, 1982). If G is unpredictable, then it is a pseudorandom generator. 1. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982. Computational Complexity, by Fu Yuxi Cryptography 23 / 75

Unpredictability ⇒ Pseudorandomness Let ℓ : N → N be P-time computable such that ℓ ( n ) ≥ n . Let G : { 0 , 1 } ∗ → { 0 , 1 } ∗ be P-time computable unpredictable function with stretch ℓ . Suppose G is not a pseudorandom generator. Then there is some constant c and some P-time PTM A such that, wlog, Pr [ A ( G ( U n )) = 1] − Pr [ A ( U ℓ ( n ) ) = 1] ≥ 1 n c for infinitely many n . Computational Complexity, by Fu Yuxi Cryptography 24 / 75

Unpredictability ⇒ Pseudorandomness For i ≤ ℓ ( n ), the hybrid distribution D i is defined as follows: 1. choose x ∈ R { 0 , 1 } n and compute y = G ( x ); 2. output y 1 , . . . , y i , z i +1 , . . . , z ℓ ( n ) with z i +1 , . . . , z ℓ ( n ) ∈ R { 0 , 1 } . We notice that D 0 = U ℓ ( n ) and D ℓ ( n ) = G ( U n ). Let p i = Pr [ A ( D i ) = 1]. By assumption for infinitely many n , p ℓ ( n ) − p 0 = ( p ℓ ( n ) − p ℓ ( n ) − 1 ) + ( p ℓ ( n ) − 1 − p ℓ ( n ) − 2 ) + . . . + ( p 1 − p 0 ) ≥ 1 n c . Computational Complexity, by Fu Yuxi Cryptography 25 / 75

Unpredictability ⇒ Pseudorandomness Algorithm B asserts that everything A says is correct. ◮ Input 1 n , i ∈ [ ℓ ( n )] and y 1 , . . . , y i − 1 . 1. randomly generate z i , . . . , z ℓ ( n ) ; 2. compute a = A ( y 1 , . . . , y i − 1 , z i , . . . , z ℓ ( n ) ); 3. output z i if a = 1 and 1 − z i if a = 0. We are done if we can prove the following inequality Pr x ∈ R { 0 , 1 } n , y = G ( x ) , i ∈ R [ ℓ ( n )] [ B (1 n , y 1 , . . . , y i − 1 ) = y i ] − 1 1 2 ≥ n c ℓ ( n ) , which can be derived if the following holds for every i ∈ [ ℓ ( n )]: Pr x ∈ R { 0 , 1 } n , y = G ( x ) [ B (1 n , y 1 , . . . , y i − 1 ) = y i ] = 1 2 + ( p i − p i − 1 ) . Computational Complexity, by Fu Yuxi Cryptography 26 / 75