Cryptography: Where Complexity Comes in Handy

Cryptography

Where Complexity Finally Comes In Handy…

Complexity 1
©D.Moshkovitz
The Amazing Adventures of
Alice and Bob

[Figure: Alice sends an extremely secret message to Bob; an eavesdropper listens on the channel.]

PAP 279-298

Introduction
• Objectives:
– To introduce the subject of cryptography
and its tight connection to complexity
• Overview:
– Public key cryptography
– One-Way Functions and Trapdoor functions
– RSA

Intuitive Approach
[Figure: Alice encodes the extremely secret message with E(e, ·) using the encoding key e; Bob decodes it with D(d, ·) using the decoding key d; an eavesdropper listens on the channel.]

Simple Implementation:

Just XOR!
Agree first on some random string e.
Problem!

[Figure: Alice sends Bob the extremely secret message XORed with e; an eavesdropper listens on the channel.]

Solution:
Public-Key Cryptosystems
• Bob generates a pair of keys
• Publishes E
• Keeps D private
[Figure: Bob with E(x) and D(y)]

Encryption: Requirements
• “Easy”
(so everyone can send Bob encrypted
messages)
• “Hard to invert”
(so no one can break the encryption)

SIP 375

One-Way Functions: Formally


Definition: A length preserving function f is a one-way function if:
1. f is computable in polynomial time.
2. $f^{-1}$ cannot be computed in probabilistic polynomial time, i.e.

$$\forall M\ \forall k\ \exists N\ \forall n \ge N:\quad \Pr_{M,\ w \in_R \Sigma^n}\big[\, M(f(w)) = y \text{ where } f(y) = f(w) \,\big] \le n^{-k}$$

(Some textbooks demand f is one-to-one.)

One-Way
$$\forall M\ \forall k\ \exists N\ \forall n \ge N:\quad \Pr_{M,\ w \in_R \Sigma^n}\big[\, M(f(w)) = y \text{ where } f(y) = f(w) \,\big] \le n^{-k}$$

• For any Turing Machine M
• For any natural constant k
• For sufficiently large natural n
• M inverts f correctly on at most $n^{-k}$ of the inputs
• Probability taken over:
– choices made by M
– random selection of w

Applications: Authentication
• Many users may login to a network
• Each user has a password
• The database can be read by everyone

• Problem: secure authentication

How to Authenticate Using OWF (One-Way Function)?
• Encrypt each password with a OWF.
• Store only the encrypted password.
• When this user tries to login…
– Encrypt the password she entered
– Compare to the stored password

[Figure: MyPass1234 → 2iB>S\]1%^o]
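
The login scheme above as runnable code (an added example, not part of the original slides). SHA-256 stands in for the OWF; because the database can be read by everyone, the enrolled form also uses a per-user salt and an iterated hash (PBKDF2), which the slides do not discuss. The function names, the iteration count and the sample accounts in the comments are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor, chosen for this example

def plain_owf(password):
    """The slide's scheme as stated: store f(password); SHA-256 stands in for f."""
    return hashlib.sha256(password.encode()).digest()

def enroll(db, user, password):
    """Store (salt, iterated salted hash) for the user; the password is never stored."""
    salt = secrets.token_bytes(16)
    db[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))

def login(db, user, attempt):
    """Hash the entered password the same way and compare it to the stored value."""
    if user not in db:
        return False
    salt, stored = db[user]
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison

def same_stored_value(db, user_a, user_b):
    """True if a reader of the database can see that two users share a password."""
    return db[user_a][1] == db[user_b][1]

# Constructed usage: enroll(db, "alice", "MyPass1234"); login(db, "alice", "MyPass1234")
```

With `plain_owf` alone, two users who pick the same password get identical database entries; the per-user salt removes that signal.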

Do One-Way Functions Exist?

• Believed to…
• OWF ⇒ P≠NP.

Do One-Way Functions Suffice?
Problem: How would Bob generate D(y)?

Bob: “D is so hard, I don’t know how to compute it myself…”

Trapdoor Functions
[Figure: G, a probabilistic polynomial-time TM, outputs an index into a family of functions f1, f2, f3, … which are hard to invert, together with the key to invert that function.]

SIP 376-377

Trapdoor Functions : Formally

Definition:
A length preserving indexing function $f:\Sigma^*\times\Sigma^*\to\Sigma^*$, with $f(i,w)=f_i(w)$, is a trapdoor function, if there exist
• a poly-time TM G (<index, key> generator)
• a function $h:\Sigma^*\times\Sigma^*\to\Sigma^*$ (decoder)
which satisfy:


1. f and h are computable in polynomial time.
2. “$f_i$ is hard to invert in the absence of t”

$$\forall M\ \forall k\ \exists N\ \forall n \ge N:\quad \Pr_{G=\langle i,t\rangle,\ w \in_R \Sigma^n}\big[\, M(i, f_i(w)) = y \text{ where } f_i(y) = f_i(w) \,\big] \le n^{-k}$$

(<i,t> is output by G)

3. “$f_i$ is easy to invert when t is known”

$$\forall n\ \forall w \in \Sigma^n\ \forall \langle i,t\rangle \text{ output by } G:\quad h(t, f_i(w)) = y, \text{ where } f_i(y) = f_i(w)$$

RSA
• A public-key cryptosystem developed
by Rivest, Shamir and Adleman.
• Based on the (conjectured) hardness
of factoring.

Plan
1. Prime numbers: basic facts
and recent results.
2. Euler’s function.
3. Description of the RSA
cryptosystem.

PRIMES
• Instance: A number in binary
representation.
• Problem: To decide if this number is prime.

Yes instance: 10111
No instance: 10110

Is PRIMES in P ?!
What’s the problem with the following
trivial algorithm?
Input: a number N
Output: is N prime?

for i in 2..N do
for j in 2..N do
if i*j=N, return FALSE
return TRUE
Complexity 20
©D.Moshkovitz
Prime Numbers
• Fact 1: There are many prime numbers
(k/log k in the range [k]={1,…,k})
• Fact 2: ([AKS02]) Primality testing can
be done in time polynomial in log k.
• Question: How to choose a random
prime in [k] in time poly-log k?

Picking a Random Prime

• while didn’t-find-one
– choose $x \in_R [k]$ (uniformly at random)
– if $x \in$ PRIMES
  • return x

Expected time: O(polylog k)

[Figure: the primes as a subset of [k]]

De-Randomization
• By Alon et al. and Naor and Naor, there’s a deterministic construction X of $O(\log k/\varepsilon^2)$ numbers in [k] which is $\varepsilon$-close to uniform.
  If $\Pr_{x \in_R [k]}[x \in S] > \varepsilon$ ⇒ $X \cap S \neq \emptyset$
• By using it with $\varepsilon < \log^{-1} k$, we can obtain O(polylog k) run-time (not just expectedly!)

Euler’s Function
• $\Phi(n)$ = { m | 1 ≤ m < n AND gcd(m,n)=1 }
• Euler’s function: $\varphi(n)=|\Phi(n)|$

Example: $\Phi(12)$ = {1, 5, 7, 11} (the members of {1,2,3,4,5,6,7,8,9,10,11} that are coprime to 12), $\varphi(12)=4$

Observe: For any prime p, $\Phi(p)$ = {1,...,p-1}

RSA
• To encrypt a message, write it as a number m, and compute
  $E_{N,e}(m) = m^e \pmod N$
• To decrypt a cipher text c, compute
  $D_d(c) = c^d \pmod N$
• Now for (almost) any m,
– $m^{ed} \equiv m \pmod N$
– And therefore: $(m^e)^d \equiv m \pmod N$

Therefore: $D_d(E_{N,e}(m)) \equiv m \pmod N$

The Public and Private Keys
• Choose two long random prime numbers p, q
– set N = pq
• Randomly choose an odd number e s.t.:
– $1 < e < \varphi(N)$
– $\gcd(e, \varphi(N)) = 1$
• Let d be the inverse of e, namely $ed \equiv 1 \pmod{\varphi(N)}$ (compute d using Euclid’s gcd algorithm)

Public key: <N, e> ; Private key: d
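
The "Picking a Random Prime" loop and the key generation above, put together as runnable code (an added example, not part of the original slides). It assumes Miller-Rabin as the primality test in place of the AKS test the slides cite, uses $\varphi(N) = (p-1)(q-1)$ for distinct primes, and all function names are chosen here.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin, swapped in for the deterministic AKS test the slides cite."""
    if n < 17 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:                      # n - 1 = d * 2^s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)   # random base in [2, n-2]
        if x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s)):
            return False                   # the base is a witness: n is composite
    return True

def random_prime(k):
    """The slide's loop: choose x uniformly in [k] until x is in PRIMES."""
    while True:
        x = secrets.randbelow(k) + 1
        if is_probable_prime(x):
            return x

def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1, y0, y1 = x1, x0 - q * x1, y1, y0 - q * y1
    return a, x0, y0

def keygen(k):
    """Returns ((N, e), d); k bounds each prime and is assumed large."""
    p = q = random_prime(k)
    while q == p:
        q = random_prime(k)
    N, phi = p * q, (p - 1) * (q - 1)      # phi(N) for distinct primes p, q
    while True:
        e = (secrets.randbelow(phi - 2) + 2) | 1   # random odd e, 1 < e < phi(N)
        g, x, _ = egcd(e, phi)
        if g == 1:
            return (N, e), x % phi         # d = e^-1 mod phi(N)

def encrypt(public_key, m):
    N, e = public_key
    return pow(m, e, N)                    # E(m) = m^e mod N

def decrypt(N, d, c):
    return pow(c, d, N)                    # D(c) = c^d mod N
```

This is the unpadded scheme exactly as the slides define it, so encryption is deterministic: equal messages give equal ciphertexts under the same key.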

Summary 
• We presented the notion of Public Key
Cryptosystems and its well-known
implementation, RSA.
• We examined some of the underlying
assumptions of cryptography:
– Existence of one-way functions
– Existence of trapdoor functions
• These assumptions are stronger than the
standard complexity assumption P≠NP.
