Your SlideShare is downloading. ×
0
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
20080217 cryptography hirsch_lecture01
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

20080217 cryptography hirsch_lecture01

1,359

Published on

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,359
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Ñëîæíîñòíàÿ êðèïòîãðàôèÿ Ýäóàðä Àëåêñååâè÷ Ãèðø http://logic.pdmi.ras.ru/~hirsch ÏÎÌÈ ÐÀÍ 17 ôåâðàëÿ 2008 ã. 1 / 19
  • 2. Îñíîâàíèÿ êðèïòîãðàôèè Ïîñòàíîâêà çàäà÷èX ×åñòíûå ó÷àñòíèêè (Àëèñà, Áîá)F Íå÷åñòíûå ó÷àñòíèêè (×àðëè)F Ðåøàåìàÿ çàäà÷à (íàïðèìåð, ïåðåäàòü ñîîáùåíèå îò Àëèñû ê Áîáó, åñëè åñòü îáùèé êëþ÷)F Íàä¼æíîñòü (íàïðèìåð, ×àðëè, íå çíàþùèé êëþ÷à, íå ìîæåò ðàñøèôðîâàòü ñîîáùåíèÿ)F ÑðåäñòâàX ïðèìèòèâû " ¾êèðïè÷èêè¿D èç êîòîðûõ âñ¼ ñòðîèòñÿ (íàïðèìåð, îäíîñòîðîííèå ôóíêöèè)D ñâåä¡íèÿF å 2 / 19
  • 3. Îäíîñòîðîííèå ôóíêöèè ïðîñòî −→ ←− òðóäíî ¾Ïåðâîå ïðèáëèæåíèå¿: ¾ëåãêî¿: ∈€ (ìîæíî äåòåðìèíèðîâàííî çà ïîëèíîìèàëüíîå âðåìÿ), ¾òðóäíî¿: ∈€ / (íåëüçÿ . . . ). Òåîðåìà Ïóñòü € = x€. Òîãäà ñóùåñòâóåò òàêàÿ f ∈ €, ÷òî f − 1 ∈ €. / 3 / 19
  • 4. Îäíîñòîðîííÿÿ â íàèõóäøåì ñëó÷àå: äîêàçàòåëüñòâî Äîêàçàòåëüñòâî. Äåéñòâèòåëüíî, ïóñòü Φ ôîðìóëà â ÊÍÔ, à A íàáîð çíà÷åíèé ïåðåìåííûõ. Îïðåäåëèì îäíîñòîðîííþþ ôóíêöèþ: f (Φ, A) = (Φ, 1|A| ), if A Φ[ ] = True, (Φ, 0|A| ), otherwise. Åñëè áû ìîãëè îáðàòèòü ýòó ôóíêöèþ, ìû ìîãëè áû íàéòè âûïîëíÿþùèé íàáîð äëÿ ëþáîé âûïîëíèìîé ôîðìóëû, âû÷èñëèâ f −1(Φ, 1êîë-âî ïåðåìåííûõ). Íî ìû çíàåì, ÷òî ýòà çàäà÷à x€-òðóäíà. 4 / 19
  • 5. Îáðàòíàÿ òåîðåìà Îïðåäåëåíèå Ôóíêöèÿ f íàçûâàåòñÿ ÷åñòíîé, åñëè ó ëþáîé òî÷êè z å¼ îáðàçà èìååòñÿ ïðîîáðàç, äëèíà êîòîðîãî ïîëèíîìèàëüíî (îò äëèíû z) îãðàíè÷åíà.  äàëüíåéøåì âñå ðàññìàòðèâàåìûå îäíîñòîðîííèå ôóíêöèè è ïðî÷èå êîíñòðóêöèè, îñíîâàííûå íà íèõ, ïî ñóùåñòâó, ÷åñòíûå (äàæå åñëè îïðåäåëåíèÿ äîïóñêàþò èíîå). Óïðàæíåíèå Äîêàçàòü îáðàòíóþ òåîðåìó ∃f (f ∈ € ∧ f −1 ∈ €) ⇒ € = x€ / â ïðåäïîëîæåíèè, ÷òî f ÷åñòíàÿ. 5 / 19
  • 6. Îäíîñòîðîííèå ôóíêöèè ïðîñòî −→ ←− òðóäíî ¾Ïåðâîå ïðèáëèæåíèå¿: ¾ëåãêî¿: ∈€ (ìîæíî äåòåðìèíèðîâàííî çà ïîëèíîìèàëüíîå âðåìÿ), ¾òðóäíî¿: ∈€ / (íåëüçÿ . . . ). ×àðëè ìîæåò ïîëüçîâàòüñÿ ñëó÷àéíûìè ÷èñëàìè! ×àðëè ìîæåò îáðàòèòü âî âñåõ òî÷êàõ, êðîìå îäíîé! ×àðëè ìîæåò îáðàòèòü äëÿ ïî÷òè âñåõ äëèí êëþ÷åé! 6 / 19
  • 7. Îäíîñòîðîííèå ôóíêöèè ïðîñòî −→ ←− òðóäíî Îïðåäåëåíèå Ôóíêöèÿ f : {0, 1}∗ → {0, 1}∗ íàçûâàåòñÿ [ñèëüíî] îäíîñòîðîííåé (one-way function, owf), åñëè f âû÷èñëèìà çà ïîëèíîìèàëüíîå âðåìÿ íà ÄÏÌÒ , 1 ∀ ÂÏÌÒ A k ∀ ∈N ∃ N ∀n N Pr{A(f (x ), 1 n )∈ f −1 (f (x ))} 1 , nk ãäå âåðîÿòíîñòü áåð¼òñÿ ïî ñëó÷àéíûì ÷èñëàì, èñïîëüçóåìûì A, è ðàâíîìåðíîìó ðàñïðåäåëåíèþ ïî âõîäíûì ñòðîêàì x ∈ {0, 1}n . 1 ÄÏÌÒ/ÂÏÌÒ = äåòåðìèíèðîâàííàÿ/âåðîÿòíîñòíàÿ ïîëèíîìèàëüíàÿ ïî âðåìåíè ìàøèíà Òüþðèíãà 6 / 19
  • 8. Îäíîñòîðîííèå ôóíêöèè ïðîñòî −→ ←− òðóäíî Îïðåäåëåíèå Ôóíêöèÿ f : {0, 1}∗ → {0, 1}∗ íàçûâàåòñÿ [ñèëüíî] îäíîñòîðîííåé (one-way function, owf), åñëè f âû÷èñëèìà çà ïîëèíîìèàëüíîå âðåìÿ íà ÄÏÌÒ , 1 ∀ ÂÏÌÒ A k ∀ ∈N ∃ N ∀n N Pr{A(f (x ), 1 n )∈ f −1 (f (x ))} 1 , nk ãäå âåðîÿòíîñòü áåð¼òñÿ ïî ñëó÷àéíûì ÷èñëàì, èñïîëüçóåìûì A, è ðàâíîìåðíîìó ðàñïðåäåëåíèþ ïî âõîäíûì ñòðîêàì x ∈ {0, 1}n . 1 ÄÏÌÒ/ÂÏÌÒ = äåòåðìèíèðîâàííàÿ/âåðîÿòíîñòíàÿ ïîëèíîìèàëüíàÿ ïî âðåìåíè ìàøèíà Òüþðèíãà 6 / 19
  • 9. Ïðèìåðû êàíäèäàòîâ â owf Ïðèìåð f (a , b ) = a · b . Ïðèìåð f (p, q) = p · q, ãäå p, q ∈ P, log p ≈ log q. Ïðèìåð f (x1, x2, . . . , xn , I ) = (x1, x2, . . . , xn , i ∈I xi ), ãäå I ⊆ {1, . . . , n} (ýòî NP-òðóäíàÿ çàäà÷à SUBSET SUM, ïîõîæàÿ íà çàäà÷ó î ðþêçàêå). ×òî òàêîå çäåñü çàïÿòûå? 7 / 19
  • 10. Ïðèìåðû êàíäèäàòîâ â owf Ïðèìåð f (a , b ) = a · b . Ïðèìåð f (p, q) = p · q, ãäå p, q ∈ P, log p ≈ log q. Ïðèìåð f (x1, x2, . . . , xn , I ) = (x1, x2, . . . , xn , i ∈I xi ), ãäå I ⊆ {1, . . . , n} (ýòî NP-òðóäíàÿ çàäà÷à SUBSET SUM, ïîõîæàÿ íà çàäà÷ó î ðþêçàêå). ×òî òàêîå çäåñü çàïÿòûå? 7 / 19
  • 11. Ïðèìåðû êàíäèäàòîâ â owf Ïðèìåð f (a , b ) = a · b . Ïðèìåð f (p, q) = p · q, ãäå p, q ∈ P, log p ≈ log q. Ïðèìåð f (x1, x2, . . . , xn , I ) = (x1, x2, . . . , xn , i ∈I xi ), ãäå I ⊆ {1, . . . , n} (ýòî NP-òðóäíàÿ çàäà÷à SUBSET SUM, ïîõîæàÿ íà çàäà÷ó î ðþêçàêå). ×òî òàêîå çäåñü çàïÿòûå? 7 / 19
  • 12. Ïðèìåðû êàíäèäàòîâ â owf Ïðèìåð f (a , b ) = a · b . Ïðèìåð f (p, q) = p · q, ãäå p, q ∈ P, log p ≈ log q. Ïðèìåð f (x1, x2, . . . , xn , I ) = (x1, x2, . . . , xn , i ∈I xi ), ãäå I ⊆ {1, . . . , n} (ýòî NP-òðóäíàÿ çàäà÷à SUBSET SUM, ïîõîæàÿ íà çàäà÷ó î ðþêçàêå). ×òî òàêîå çäåñü çàïÿòûå? 7 / 19
  • 13. Óïðàæíåíèÿ Óïðàæíåíèå Ïóñòü f âû÷èñëèìà íà ÂÏÌÒ: èçìåíèòñÿ ëè ïîíÿòèå, áóäåò ëè ñóùåñòâîâàíèå ñòàðûõ owf ýêâèâàëåíòíî ñóùåñòâîâàíèþ íîâûõ owf? Óïðàæíåíèå Íàîáîðîò, ïóñòü A ÄÏÌÒ: . . . Óïðàæíåíèå À åñëè f èëè A ïîñëåäîâàòåëüíîñòè áóëåâûõ ñõåì, äåòåðìèíèðîâàííûõ èëè âåðîÿòíîñòíûõ?.. Óïðàæíåíèå (ÑÅÉ×ÀÑ) x ×òî áóäåò, åñëè áóäåò ðàñïðåäåëåíî íà {0, 1}n íå ðàâíîìåðíî, à èíà÷å (íî âû÷èñëèìî çà ïîëèíîìèàëüíîå âðåìÿ)? 8 / 19
  • 14. Óïðàæíåíèÿ Óïðàæíåíèå Ïóñòü f âû÷èñëèìà íà ÂÏÌÒ: èçìåíèòñÿ ëè ïîíÿòèå, áóäåò ëè ñóùåñòâîâàíèå ñòàðûõ owf ýêâèâàëåíòíî ñóùåñòâîâàíèþ íîâûõ owf? Óïðàæíåíèå Íàîáîðîò, ïóñòü A ÄÏÌÒ: . . . Óïðàæíåíèå À åñëè f èëè A ïîñëåäîâàòåëüíîñòè áóëåâûõ ñõåì, äåòåðìèíèðîâàííûõ èëè âåðîÿòíîñòíûõ?.. Óïðàæíåíèå (ÑÅÉ×ÀÑ) x ×òî áóäåò, åñëè áóäåò ðàñïðåäåëåíî íà {0, 1}n íå ðàâíîìåðíî, à èíà÷å (íî âû÷èñëèìî çà ïîëèíîìèàëüíîå âðåìÿ)? 8 / 19
  • 15. Áóëåâû ñõåìû: íàïîìèíàíèå Îðèåíòèðîâàííûé ãðàô áåç öèêëîâ. Áèíàðíûå (è óíàðíûå) îïåðàöèè íàä áèòàìè: ∧, ∨, ⊕, ... Ïðèìåð (4 ãåéòà): x1 x2 x3 ⊕ ⊕ ∨ ⊕ u1 u2 ¾Âðåìÿ¿ = êîëè÷åñòâî ãåéòîâ. 9 / 19
  • 16. Óïðàæíåíèÿ Óïðàæíåíèå Ïóñòü f âû÷èñëèìà íà ÂÌÒ: èçìåíèòñÿ ëè ïîíÿòèå, áóäåò ëè ñóùåñòâîâàíèå ñòàðûõ owf ýêâèâàëåíòíî ñóùåñòâîâàíèþ íîâûõ owf? Óïðàæíåíèå Íàîáîðîò, ïóñòü A ÄÌÒ: . . . Óïðàæíåíèå À åñëè f èëè A ïîñëåäîâàòåëüíîñòè áóëåâûõ ñõåì, äåòåðìèíèðîâàííûõ èëè âåðîÿòíîñòíûõ?.. Óïðàæíåíèå (ÑÅÉ×ÀÑ) x ×òî áóäåò, åñëè áóäåò ðàñïðåäåëåíî íà {0, 1}n íå ðàâíîìåðíî, à èíà÷å (íî âû÷èñëèìî çà ïîëèíîìèàëüíîå âðåìÿ)? 10 / 19
  • 17. Óïðàæíåíèÿ Óïðàæíåíèå Ïóñòü f âû÷èñëèìà íà ÂÌÒ: èçìåíèòñÿ ëè ïîíÿòèå, áóäåò ëè ñóùåñòâîâàíèå ñòàðûõ owf ýêâèâàëåíòíî ñóùåñòâîâàíèþ íîâûõ owf? Óïðàæíåíèå Íàîáîðîò, ïóñòü A ÄÌÒ: . . . Óïðàæíåíèå À åñëè f èëè A ïîñëåäîâàòåëüíîñòè áóëåâûõ ñõåì, äåòåðìèíèðîâàííûõ èëè âåðîÿòíîñòíûõ?.. Óïðàæíåíèå (ÑÅÉ×ÀÑ) x ×òî áóäåò, åñëè áóäåò ðàñïðåäåëåíî íà {0, 1}n íå ðàâíîìåðíî, à èíà÷å (íî âû÷èñëèìî çà ïîëèíîìèàëüíîå âðåìÿ)? 10 / 19
  • 18. Ñåìåéñòâà îäíîñòîðîííèõ ôóíêöèé Ìíîãî êîìó íàäî øèôðîâàòü çíà÷èò, êàæäîìó íóæíà ñâîÿ ñîáñòâåííàÿ îäíîñòîðîííÿÿ ôóíêöèÿ! Îïðåäåëåíèå Ñåìåéñòâî îäíîñòîðîííèõ ôóíêöèé (one-way function family, ow) ýòî äåòåðìèíèðîâàííûé ïîëèíîìèàëüíûé ïî âðåìåíè àëãîðèòì G : (1n , rg ) → (e , s ) (áóëåâû ñõåìû), ãäå e : {0, 1}n → {0, 1} (n) (encryptor) s : {0, 1}σ(n) → {0, 1}n (sampler), ïðè÷¼ì ∀ ÂÏÌÒ A ∀k ∈ N ∃N ∀n N Pr{ A(e (s (rs )), 1n , e , s ) ∈ e −1(e (s (rs )))} n1k , ãäåG (1n , rg ) = (e , s ), à âåðîÿòíîñòü áåð¼òñÿ ïî ñëó÷àéíûì ÷èñëàì, èñïîëüçóåìûì A, è ïî (ðàâíîìåðíî ðàñïðåäåë¼ííûì) rg è rs . 11 / 19
  • 19. Ñåìåéñòâà îäíîñòîðîííèõ ôóíêöèé '$ s e −→ −→ % 12 / 19
  • 20. Óïðàæíåíèÿ Óïðàæíåíèå À íóæíî ëè ïåðåäàâàòü âçëîìùèêó s? Óïðàæíåíèå ×òî ïðîèçîéä¼ò, åñëè îãðàíè÷èòüñÿ e : {0, 1}n → {0, 1}n èëè, íàîáîðîò, ðàçðåøèòü2 e : {0, 1}p(n) → {0, 1}p(n)? Óïðàæíåíèå Ñðàâíèòü îïðåäåëåíèå îäíîñòîðîííåé ôóíêöèè ñ îïðåäåëåíèåì èç êàêîé-íèáóäü êíèãè3 è ïîíÿòü, ýêâèâàëåíòíû ëè îíè. 2 NB: â êíèãå Ãîëäðåéõà èìåííî òàê. 3 Ê ïðèìåðó, Oded Goldreich, Foundations of Cryptography. 13 / 19
  • 21. owf vs ow Òåîðåìà ∃f îäíîñòîðîííÿÿ ôóíêöèÿ ⇔ ∃G cåìåéñòâî îäíîñòîðîííèõ ôóíêöèé. Äîêàçàòåëüñòâî. ⇒: G (1n , ·): e ìîäåëèðóåò4 ðàáîòó àëãîðèòìà, âû÷èñëÿþùåãî f íà äëèíå n, s òðèâèàëüíàÿ ñõåìà s (x ) = x . ⇐: f (rg , rs ) = (e (s (rs )), e , s ), ãäå G (1n , rg ) = (e , s ). 4 Êàê ìîäåëèðóåòñÿ öèêë? Ïî÷åìó ýòîãî äîñòàòî÷íî? 14 / 19
  • 22. Ñëàáî îäíîñòîðîííèå ôóíêöèè Îïðåäåëåíèå Ôóíêöèÿ f : {0, 1}∗ → {0, 1}∗ ñëàáî îäíîñòîðîííÿÿ ôóíêöèÿ, åñëè f âû÷èñëèìà çà ïîëèíîìèàëüíîå âðåìÿ íà ÄÏÌÒ è k ∃ ∈ N ∀ ÂÏÌÒ A ∃ N ∀n N Pr{A(f (x ), 1n ) ∈ f −1(f (x ))} 1− n1k , ãäå âåðîÿòíîñòü áåð¼òñÿ ïî ñëó÷àéíûì ÷èñëàì, èñïîëüçóåìûì A, è ðàâíîìåðíîìó ðàñïðåäåëåíèþ ïî âõîäíûì ñòðîêàì x ∈ {0, 1}n . Òåîðåìà f ∃ w ñëàáî îäíîñòîðîííÿÿ ôóíêöèÿ ⇔ f ∃ s ñèëüíî îäíîñòîðîííÿÿ ôóíêöèÿ. 15 / 19
  • 23. Ñëàáàÿ → ñèëüíàÿ owf ÊîíñòðóêöèÿX fs (x1, x2, . . . , xm ) = (fw (x1), fw (x2), . . . , fw (xm )), ãäå m = m (n ) ïîëèíîì. Ñâåä¡íèåX å As îáðàùàåò fs ñ âåðîÿòíîñòüþ 1/nk s ⇓ Ïîñòðîèì Aw , îáðàùàþùèé fw . Aw (y ) : for each j = 1..m, x1, . . . , xm ← random; x = As (fw (x1), . . . , fw (xj −1), y , fw (xj +1), . . . , fw (xm ))j . if fw (x ) = y , then return x . 16 / 19
  • 24. Óïðàæíåíèÿ Óïðàæíåíèå Ìîæíî ëè ïåðåíåñòè ýòó òåîðåìó íà ñëó÷àé ow? Óïðàæíåíèå fs ïîëó÷èëàñü îïðåäåë¼ííîé íà äîâîëüíî ðåäêîì ìíîæåñòâå. Êàê áûòü ñî âõîäàìè äëèíû, îòëè÷íîé îò mn? 17 / 19
  • 25. Ôóíêöèè ñ ñåêðåòîì Îïðåäåëåíèå Ñåìåéñòâî ôóíêöèé ñ ñåêðåòîì (trapdoor function family, td) ýòî äåòåðìèíèðîâàííûé ïîëèíîìèàëüíûé ïî âðåìåíè àëãîðèòì G : (1n , rg ) → (e , d , s ) (áóëåâû ñõåìû), ãäå e : {0, 1}n → {0, 1} (n) (encryptor) d : {0, 1} (n) → {0, 1}n (decryptor) s : {0, 1}σ(n) → {0, 1}n (sampler), ïðè÷¼ì ∀x ∈ Im(s ) d (e (x )) = x è ∀ ÂÏÌÒ A ∀k ∈ N ∃N ∀n N Pr{ A(e (s (rs )), 1n , e , s ) ∈ e −1(e (s (rs )))} n1k , ãäåG (1n , rg ) = (e , d , s ), à âåðîÿòíîñòü áåð¼òñÿ ïî ñëó÷àéíûì ÷èñëàì, èñïîëüçóåìûì A, è ïî (ðàâíîìåðíî ðàñïðåäåë¼ííûì) rg è rs . 18 / 19
  • 26. Ôóíêöèè ñ ñåêðåòîì Îïðåäåëåíèå Ñåìåéñòâî ôóíêöèé ñ ñåêðåòîì (trapdoor function family, td) ýòî äåòåðìèíèðîâàííûé ïîëèíîìèàëüíûé ïî âðåìåíè àëãîðèòì G : (1n , rg ) → (e , d , s ) (áóëåâû ñõåìû), ãäå e : {0, 1}n → {0, 1} (n) (encryptor) d : {0, 1} (n) → {0, 1}n (decryptor) s : {0, 1}σ(n) → {0, 1}n (sampler), ïðè÷¼ì ∀x ∈ Im(s ) d (e (x )) = x è ∀ ÂÏÌÒ A ∀k ∈ N ∃N ∀n N Pr{ A(e (s (rs )), 1n , e , s ) ∈ e −1(e (s (rs )))} n1k , ãäåG (1n , rg ) = (e , d , s ), à âåðîÿòíîñòü áåð¼òñÿ ïî ñëó÷àéíûì ÷èñëàì, èñïîëüçóåìûì A, è ïî (ðàâíîìåðíî ðàñïðåäåë¼ííûì) rg è rs . 18 / 19
  • 27. td ïðèìåð Ïðèìåð s (x ) = x, e (x ) = xε mod N, d (x ) = xδ mod N , ãäå p q ε · δ ≡ 1 (mod ( − 1)( − 1)), N = p · q, p, q ∈ P 19 / 19

×