# Cryptography

Where Complexity Finally Comes In Handy«

1

The Amazing Adventures of Alice and Bob
extremely secret message

Alice
eavesdropper

Bob

2

PAP 279-298

Introduction
 Objectives:
² To introduce the subject of cryptography and its tight connection to complexity

 Overview:
² Public key cryptography ² One-Way Functions and Trapdoor functions ² RSA

3

Intuitive Approach
encoding key decoding key
extremely secret message

E(e,
Alice

)D(d,
eavesdropper

)
Bob

4

Simple Implementation:
Problem!

Just XOR!
secret message

Agree first on some random string e.

Alice

extremely

e(
eavesdropper

)
Bob

5

Solution: Public-Key Cryptosystems
 Bob generates a pair of keys  Publishes E  Keeps D private
E(x) D(y)

Bob

6

Encryption: Requirements
 ´Easyµ (so everyone can send Bob encrypted messages)  ´Hard to invertµ (so no one can break the encryption)

7

SIP 375

One-Way Functions: Formally
Definition: A length preserving function f is a oneway function if: some 1. f is computable in polynomial time. textbooks 2. f-1 cannot be computed in probabilistic demand f is one-to-one polynomial time, i.e 
MkNn " NPrM,w
R7 n

«M f w ! y where f y ! f w » e n k ­ ½

8

One-Way For sufficiently
large natural n For any Turing Machine M

M inverts f correctly on at most n-k of the inputs 

MkNn " N PrM w 7n «M f w ! y where f y ! f w » e nk ­ ½
For any natural constant k
¡

Probability taken over: choices made by M random selection of w

9

Applications: Authentication
 Many users may login to a network  Each user has a password  The database can be read by everyone

 Problem: secure authentication

10

How to Authenticate Using OWF? One-Way Function
 Encrypt each password with a OWF.  Store only the encrypted password.  When this user tries to login«
² Encrypt the password she entered ² Compare to the stored password MyPass1234 MyPass1234 2iB>S\]1%^o 2iB>S\]1%^o 

11

Do One-Way Functions Exist?
 Believed to«  OWF   P P.

12

Do One-Way Functions Suffice?
Problem: How would Bob generate D(y)?
D is so hard, I don·t know how to compute it myself«

Bob

13

Trapdoor Functions
probabilistic polynomial-time TM G
family of functions which are hard to invert

f1 index f2 f3

«
the key to invert that function

14

SIP 376-377

Trapdoor Functions : Formally
Definition: A length preserving indexing function f:§*v§*p §* is a trapdoor function, if there exist f(i,w)=fi(w) <index, key> generator  a poly-time TM G  a function h:§*v§*p §* decoder which satisfy:

15

SIP 376-377

Trapdoor Functions : Formally
1. f and h are computable in polynomial time. 2. ´fi is hard to invert in the absence of tµ
<i,t> is output by G

3. ´fi is easy to invert when t is knownµ

16

RSA
 A public-key cryptosystem developed by Rivest, Shamir and Adleman.  Based on the (conjectured) hardness of factoring.

17

Plan
1. Prime numbers: basic facts and recent results. 2. Euler·s function. 3. Description of the RSA cryptosystem.

18

PRIMES
 Instance: A number in binary representation.  Problem: To decide if this number is prime.

Yes instance: o instance:

10111 10110

19

Is PRIMES in P ?!
What·s the problem with the following trivial algorithm?
Input: a number Output: is prime? for i in 2.. do for j in 2.. do if i*j= , return FALSE return TRUE

20

Prime

umbers

 Fact 1: There are many prime numbers (k/log k in the range [k]={1,«,k})  Fact 2: ([AKS02]) Primality testing can be done in time polynomial in log k.  Question: How to choose a random prime in [k] in time poly-log k?

21

Picking a Random Prime
 while didn·t-find-one
² choose x R [k] ² if x  PRIMES
 return x Expected time: O(polylogk) primes
uniformly at random

[k]

22

De-Randomization
 By Alon et Al and aor and aor, there·s a deterministic construction XI of O(logk/I2) numbers in [k] which is I-close to uniform.  By using it with I < log-1k, we can obtain O(polylogk) run-time (not just expectedly!)

If PrxR[k] [xS] > I   XIS

23

Euler·s Function
 *(n) = { m | 1e m < n A D gcd(m,n)=1 }  Euler·s function: J(n)=|*(n)|
Example: *(12)={1,2,3,4,5,6,7,8,9,10,11} J(12)=4

Observe: For any prime p, *(p)={1,...,p-1}

24

RSA
 To encrypt a message, write it as a number m, and compute E ,e(m) = me (mod )  To decrypt a cipher text c, compute Dd(c) = cd (mod )  ow for (almost) any m, ² med | m (mod ) ² And therefore: (me)d | m (mod ) Therefore: Dd(E

,e(m))

| m

(mod

)
25

The Public and Private Keys
 Choose two long random prime numbers p, q ² set = pq  Randomly choose an odd number e s.t: ² 1 < e < J( ) Compute d using Euclid·s ² gcd(e, J( )) = 1  Let d be the inverse of e, namely gcd algorithm ed | 1 (mod J(n)) Public key: < , e>

;

Private key: d
26

Summary



 We presented the notion of Public Key Cryptosystems and its well-known implementation, RSA.  We examined some of the underlying assumptions of cryptography:
² Existence of one-way functions ² Existence of trapdoor functions

 These assumptions are stronger than the standard complexity assumption P P.