Foundations of Cryptography, Lecture 1
Lecturer: Moni Naor


What is Cryptography?

Traditionally: how to maintain secrecy in communication

Alice and Bob talk while Eve tries to listen

[Figure: Alice and Bob at the two ends of a channel, Eve listening in between]


History of Cryptography

  • Very ancient occupation

    Biblical times, e.g. Jeremiah 51:41:

    איך נלכדה ששך ותתפש תהלת כל הארץ

    איך היתה לשמה בבל בגויים

    (“How is Sheshach taken, and the praise of the whole earth seized! How is Babylon become a desolation among the nations!”; Sheshach (ששך) is Babel (בבל) written in the Atbash letter substitution)

  • Many interesting books and sources, especially about the Enigma

    • David Kahn, The Codebreakers, 1967

    • Gaj and Orlowski, Facts and Myths of Enigma: Breaking Stereotypes, Eurocrypt 2003

  • Not the subject of this course


Modern Times

  • Up to the mid-70s - mostly classified military work

  • Since then - explosive growth

    • Commercial applications

    • Scientific work: tight relationship with Computational Complexity Theory

    • Major works: Diffie-Hellman, Rivest, Shamir and Adleman (RSA)

  • Recently - more involved models for more diverse tasks.

    How to maintain the secrecy, integrity and functionality of computer and communication systems.


Cryptography and Complexity

Complexity Theory:

  • Study the resources (computer time, memory) needed to solve computational problems

  • Identify problems that are infeasible to compute

Cryptography:

  • Find ways to specify the security requirements of systems

  • Use the computational infeasibility of problems in order to obtain security

The development of these two areas is tightly connected!

The interplay between these areas is the subject of the course.


Administrivia

  • Instructor: Moni Naor

  • Grader: Guy Rothblum

  • When: Thursday 14:00--16:00

  • Where: Ziskind 1

  • Home page of the course: www.wisdom.weizmann.ac.il/~naor/COURSE/foundations_of_crypto.html

  • METHOD OF EVALUATION: around 12 homework assignments and a final (in class) exam

    • Homework assignments should be turned in on time (usually two weeks after they are given)!

    • Try to do as many problems from each set as you can.

    • You may (and are encouraged to) discuss the problems with other students, but the write-up should be individual.


Official Description

Cryptography deals with methods for protecting the privacy, integrity and functionality of computer and communication systems.

The goal of the course is to provide a firm foundation to the construction of such methods.

In particular we will cover topics such as notions of security of a cryptosystem, proof techniques for demonstrating security, and cryptographic primitives such as one-way functions and trapdoor permutations.


Sources

Books:

  • Oded Goldreich, Foundations of Cryptography, Vol 1: Basic Tools, Cambridge, 2001

  • Other volumes: www.wisdom.weizmann.ac.il/~oded/books.html

Web courses:

  • Trevisan and Wagner: www.cs.berkeley.edu/~daw/cs276

  • Bellare and Rogaway: www.cs.ucsd.edu/users/mihir/cse207/index.html


Three Basic Issues in Cryptography

  • Identification

  • Authentication

  • Encryption


Example: Identification

  • When the time is right, Alice wants to send an ‘approve’ message to Bob.

  • They want to prevent Eve from interfering

    • Bob should be sure that Alice indeed approves

[Figure: Alice, Bob and Eve on the channel]


Rigorous Specification of Security

To define the security of a system one must specify:

  • What constitutes a failure of the system

  • The power of the adversary

    • computational

    • access to the system

    • what it means to break the system.


Specification of the Problem

Alice and Bob communicate through a channel

Bob has two external states {N,Y}

Eve completely controls the channel

Requirements:

  • If Alice wants to approve and Eve does not interfere – Bob moves to state Y

  • If Alice does not approve, then for any behavior from Eve, Bob stays in N

  • If Alice wants to approve and Eve does interfere – no requirement on Bob’s external state


Can we guarantee the requirements?

  • No – when Alice wants to approve she sends (and receives) a finite set of bits on the channel. Eve can guess them.

  • To the rescue - probability.

    • We want Eve to succeed only with low probability.

    • How low? Related to the length of the string that Alice sends…


Example: Identification

[Figure: Alice sends the string X to Bob over the channel; Eve, in the middle, is marked ??]


Suppose there is a setup period

  • There is a setup phase where Alice and Bob can agree on a common secret

    • Eve only controls the channel; she does not see the internal state of Alice and Bob (only the external state of Bob)

  • Simple solution:

    • Alice and Bob choose a random string X ∈_R {0,1}^n

    • When Alice wants to approve – she sends X

    • If Bob gets any symbols on the channel – he compares them to X

      • If equal, moves to Y

      • If not equal, moves permanently to N


Eve’s probability of success

  • If Alice did not send X and Eve put some string X’ on the channel, then

    • Bob moves to Y only if X=X’

      Prob[X=X’] ≤ 2^{-n}

      Good news: can make it as small as we wish

  • What to do if Alice and Bob cannot agree on a uniformly generated string X?


Less than perfect random variables

  • Suppose X is chosen according to some distribution P_X over some set of symbols Γ

  • What is Eve’s best strategy?

  • What is her probability of success?


(Shannon) Entropy

Let X be a random variable over alphabet Γ with distribution P_X

The (Shannon) entropy of X is

H(X) = − ∑_{x∈Γ} P_X(x) log P_X(x)

where we take 0 log 0 to be 0.

Represents how much we can compress X


Examples

  • If X=0 (constant) then H(X) = 0

    • The only case where H(X)=0 is when X is constant

    • In all other cases H(X) > 0

  • If X ∈ {0,1} and Prob[X=0] = p and Prob[X=1] = 1−p, then

    H(X) = −p log p − (1−p) log (1−p) ≡ H(p)

  • If X ∈ {0,1}^n is uniformly distributed, then

    H(X) = − ∑_{x∈{0,1}^n} (1/2^n) log (1/2^n) = (2^n/2^n)·n = n


Properties of Entropy

  • Entropy is bounded: H(X) ≤ log |Γ|, with equality only if X is uniform over Γ


Does High Entropy Suffice for Identification?

  • If Alice and Bob agree on X ∈ {0,1}^n where X has high entropy (say H(X) ≥ n/2), what are Eve’s chances of cheating?

  • Can be high: say

    • Prob[X=0^n] = 1/2

    • For any x ∈ 1{0,1}^{n−1} (the 2^{n−1} strings starting with 1): Prob[X=x] = 1/2^n

      Then H(X) = n/2 + 1/2

      But Eve can cheat with probability at least ½ by guessing that X=0^n


Another Notion: Min Entropy

Let X be a random variable over alphabet Γ with distribution P_X

The min entropy of X is

H_min(X) = − log max_{x∈Γ} P_X(x)

The min entropy is determined by the probability of the most likely value of X

Property: H_min(X) ≤ H(X)

Why?


High Min Entropy and Passwords

Claim: if Alice and Bob agree on X such that H_min(X) ≥ m, then the probability that Eve succeeds in cheating is at most 2^{-m}

Proof: Make Eve deterministic by picking her best choice, X’ = x’. Then

Prob[X=x’] = P_X(x’) ≤ max_{x∈Γ} P_X(x) = 2^{−H_min(X)} ≤ 2^{-m}

Conclusion: passwords should be chosen to have high min-entropy!


One-time vs. many times

  • This was good for a single identification. What about many identifications?

  • Later…


A different scenario – now Charlie is involved

  • Bob has no proof that Alice indeed identified

  • If there are two possible verifiers, Bob and Charlie, they can each pretend to the other to be Alice

    • They could each have their own string

    • But, assume that they share the setup phase

      • Whatever Bob knows, Charlie knows

      • Relevant when there are many of them


The new requirement

  • If Alice wants to approve and Eve does not interfere – Bob moves to state Y

  • If Alice does not approve, then for any behavior from Eve and Charlie, Bob stays in N

  • Similarly if Bob and Charlie are switched

[Figure: Alice, Bob, Charlie and Eve on the channel]


Can we achieve the requirements?

  • Observation: what Bob and Charlie received in the setup phase might as well be public

  • Therefore can reduce to the previous scenario (with no setup)…

  • To the rescue - complexity

    Alice should be able to perform something that neither Bob nor Charlie (nor Eve) can do

    Must assume that the parties are not computationally all powerful!


Functions and inversions

  • We say that a function f is hard to invert if given y = f(x) it is hard to find x’ such that y = f(x’)

    • x’ need not be equal to x

    • We will use f^{-1}(y) to denote the set of preimages of y

  • To discuss “hard” we must specify a computational model

  • Use two flavors:

    • Concrete

    • Asymptotic


One-way functions – asymptotics

A function f: {0,1}^n → {0,1}^n is called a one-way function if

  • f is a polynomial-time computable function

  • for every probabilistic polynomial-time algorithm A, every positive polynomial p(·), and all sufficiently large n’s

    Prob[A(f(x)) ∈ f^{-1}(f(x))] ≤ 1/p(n)

    where x is chosen uniformly in {0,1}^n and the probability is also over the internal coin flips of A


One-way functions – concrete version

A function f: {0,1}^n → {0,1}^n is called a (t,ε) one-way function if

  • f is a polynomial-time computable function (independent of t)

  • for every t-time algorithm A,

    Prob[A(f(x)) ∈ f^{-1}(f(x))] ≤ ε

    where x is chosen uniformly in {0,1}^n and the probability is also over the internal coin flips of A

    Can either think of t and ε as being fixed or as t(n), ε(n)


Complexity Theory and One-way Functions

  • Claim: if P=NP then there are no one-way functions

  • Proof: for any one-way function f: {0,1}^n → {0,1}^n consider the language L_f:

    • Consisting of strings of the form (y, b1, b2…bk) such that

    • There is an x ∈ {0,1}^n s.t. f(x)=y and

    • The first k bits of x are b1, b2…bk

      L_f is in NP – guess x and check

      If L_f is in P then f is invertible in polynomial time: recover x one bit at a time, asking at each step whether the current prefix extended by 0 still has a preimage (n queries in all)
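Added example, not from the lecture: a Python sketch of the reduction above. `toy_f` is a constructed stand-in for f (the first n bits of SHA-256), `in_Lf` plays the hypothetical polynomial-time decider for L_f (implemented here by exhaustive search, which is only feasible for tiny n), and `invert_with_oracle` recovers a preimage with n oracle queries; all three names are mine.

```python
import hashlib

def toy_f(x: str) -> str:
    """Constructed stand-in for f: {0,1}^n -> {0,1}^n: the first n bits of
    SHA-256 of the bit string. Used only so the reduction can be run on small n."""
    n = len(x)
    digest = hashlib.sha256(x.encode()).digest()
    return "".join(format(b, "08b") for b in digest)[:n]

def in_Lf(y: str, prefix: str) -> bool:
    """Decides (y, b1..bk) in L_f: is there an x with f(x) = y whose first k bits
    are `prefix`? The slide assumes P = NP supplies a polynomial-time decider;
    here it is exhaustive search over the remaining n-k bits (exponential!)."""
    rest = len(y) - len(prefix)
    for i in range(2 ** rest):
        x = prefix + (format(i, f"0{rest}b") if rest else "")
        if toy_f(x) == y:
            return True
    return False

def invert_with_oracle(y: str):
    """Inverts f with n calls to the L_f decider: grow the prefix one bit at a
    time, taking 0 whenever some preimage still starts with prefix+'0' and 1
    otherwise (a preimage of y exists, so one of the two always works).
    Returns (preimage, number of oracle queries)."""
    prefix, queries = "", 0
    for _ in range(len(y)):
        queries += 1
        prefix += "0" if in_Lf(y, prefix + "0") else "1"
    return prefix, queries

if __name__ == "__main__":
    x = "1011001110"            # constructed 10-bit input
    y = toy_f(x)
    x_prime, q = invert_with_oracle(y)
    print(f"f({x}) = {y}; recovered {x_prime} with {q} queries; "
          f"f(x') == y: {toy_f(x_prime) == y}")
```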


A few properties and questions concerning one-way functions

  • Major open problem: connect the existence of one-way functions to the P=NP? question.

  • If f is one-to-one it is called a one-way permutation. In what complexity class does the problem of inverting one-way permutations reside? Homework

  • If f is a one-way function, is f’, where f’(x) is f(x) with the last bit chopped, a one-way function?

  • If f is a one-way function, is f_L, where f_L(x) consists of the first half of the bits of f(x), a one-way function? Homework

  • If f is a one-way function, is g(x) = f(f(x)) necessarily a one-way function? Homework


Solution to the password problem

  • Assume that

    • f: {0,1}^n → {0,1}^n is a (t,ε) one-way function

    • Adversaries’ running time is bounded by t

  • Setup phase: Alice chooses x ∈ {0,1}^n, computes y=f(x) and gives y to Bob and Charlie

  • When Alice wants to approve – she sends x

  • If Bob gets any symbols on the channel – call them z; he computes f(z) and compares it to y

    • If equal, moves to state Y

    • If not equal, moves permanently to state N


Eve’s and Charlie’s probability of success

  • If Alice did not send x and Eve (or Charlie) put some string x’ on the channel to Bob, then:

    • Bob moves to state Y only if f(x’)=y=f(x)

    • But we know that

      Prob[A(f(x)) ∈ f^{-1}(f(x))] ≤ ε

      or else we can use Eve to break the one-way function

      Good news: if ε can be made as small as we wish, then we have a good scheme.

  • Can be used for monitoring

  • Similar to the Unix password scheme

    • f(x) stored in the login file

    • DES used as the one-way function.


  • Login
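Added example (not the lecture's or Unix's code): a Python model of Bob's state machine for both identification schemes of this lecture, the shared-secret scheme (compare received symbols to X) and the one-way-function scheme (compare f(z) to the published y). SHA-256 stands in for DES as the one-way function, and the class and function names are my own.

```python
import hashlib
import hmac
import secrets

def f(x: bytes) -> bytes:
    """Stand-in one-way function. The slide uses DES; SHA-256 is an assumption
    made here so the example runs with only the standard library."""
    return hashlib.sha256(x).digest()

class Verifier:
    """Bob's (or Charlie's) external state machine from the slides: starts in N,
    moves to Y when the checked symbols match the reference, and moves
    permanently to N on any other symbols on the channel."""

    def __init__(self, reference: bytes, check):
        self.reference = reference  # what the verifier keeps from the setup phase
        self.check = check          # applied to received symbols before comparing
        self.state = "N"
        self.locked = False

    def receive(self, z: bytes) -> str:
        if self.locked:
            return self.state       # permanently N: no second chance
        if hmac.compare_digest(self.check(z), self.reference):
            self.state = "Y"
        else:
            self.state, self.locked = "N", True
        return self.state

def shared_secret_setup(n_bytes: int = 16):
    """Scheme 1: Alice and Bob share a uniform X; Bob compares symbols to X itself."""
    x = secrets.token_bytes(n_bytes)
    return x, Verifier(x, lambda z: z)

def one_way_setup(n_bytes: int = 16):
    """Scheme 2: Alice keeps x and hands y = f(x) to Bob and Charlie, who then
    hold nothing that lets them impersonate Alice to each other."""
    x = secrets.token_bytes(n_bytes)
    y = f(x)
    return x, y, Verifier(y, f), Verifier(y, f)

if __name__ == "__main__":
    x, y, bob, charlie = one_way_setup()
    print("Alice -> Bob: x       ", bob.receive(x))      # Y
    print("Bob -> Charlie: y     ", charlie.receive(y))  # N: f(y) != y, y is no preimage
    print("Alice -> Charlie: x   ", charlie.receive(x))  # still N, permanently
```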