Algorithms and Complexity
Cryptography Theory
Alex Prut
Università degli studi di Udine
January 31, 2017
1 Introduction
The Problem
2 Function Problems
Definition
3 Protocols
Introduction
The Problem
Definition (informal, Alice and Bob problem)
Two parties (Alice & Bob) wish to communicate in the presence of
malevolent eavesdroppers. That is, Alice wants to send a message
to Bob over a channel monitored by an adversary (Eve), and wishes
the messages to be known only to her and Bob. Alice & Bob agree on
two algorithms E (encoding) and D (decoding), known to the general
public. Alice, who wishes to send the message x ∈ Σ∗ (Σ = {0, 1}),
runs y = E(e, x); Bob receives y and computes x = D(d, y). Privacy
is assured in terms of two strings e, d ∈ Σ∗ known only to Alice &
Bob.
Perfect solution
One-time pad
Definition (One-time pad)
Let both d and e be the same string e, of length |x|.
Let E(e, x) and D(e, y) be the exclusive or:
E(e, x) = e ⊕ x = y and D(e, y) = e ⊕ y = x, where the ith bit of
u ⊕ v is one ⇐⇒ exactly one of u_i, v_i is 1.
Since (x ⊕ e) ⊕ e = x we have that D(d, E(e, x)) = x.
Cons:
the key must be as long as the message (i.e. |e| = |x|)
Alice & Bob need to agree on and exchange the key e
Perfect solution
Public-Key Cryptosystem
Definition (Public-Key Cryptosystem (informal))
Suppose that only d is secret and private to Bob, while e is known
to Alice and to the general public. Bob generates the (e, d) pair and
announces e openly. Alice can send a message x to Bob by
computing and transmitting E(e, x), where D(d, E(e, x)) = x.
The point is that it is computationally infeasible to deduce d
from e, and x from y without knowing d.
A secure public-key cryptosystem can exist only if P ≠ NP, even
though this is not immediate.
W. Diffie, M. E. Hellman - IEEE Trans. on Information Theory, 22,
pp. 664, 1976
Function Problem
Function Problem
Definition (function problem)
In computational complexity theory, a function problem is a
computational problem where a single output (of a total function)
is expected for every input, but the output is more complex than
that of a decision problem, that is, it isn’t just YES or NO.
Function Problems
Relation between decision and function problems
Definition (Relation between decision and function problems, FNP)
Given L ∈ NP, there is a polynomial-time decidable, polynomially
balanced relation R_L such that for all strings x:
there is a string y with R_L(x, y) ⇐⇒ x ∈ L.
The function problem associated with L, denoted FL, is the
following computational problem:
given x, find a string y such that R_L(x, y) if such a string exists;
if not, return 'no'.
Function Problems
more definitions/theorems
Definition (Reduction)
A function problem A reduces to a function problem B if the
following holds:
there are string functions R and S, both computable in logarithmic
space, such that for any strings x and z:
(1) if x is an instance of A then R(x) is an instance of B;
(2) if z is a correct output of R(x) then S(z) is a correct
output for x.
Definition (F-Complete)
A function problem A is complete for a class FC of function
problems if it is in FC and all problems in that class reduce to A.
Function Problems
more definitions/theorems
Definition (FSAT)
FSAT is FNP-Complete.
Theorem
FP = FNP ⇐⇒ P = NP.
Definition (TFNP)
A problem R ∈ FNP is total if for every string x there is at least one
string y such that R(x, y). The subclass of FNP containing all
total function problems is denoted TFNP.
N. Megiddo, C. H. Papadimitriou - Theor. Comp. Sci., 81, 1991
Function Problems
class hierarchy
Function Problems
One-way function
Definition (One-way function)
Let f : Σ∗ → Σ∗ be a function from strings to strings. We say that
f is a one-way function if the following holds:
(1) f is one-to-one and for all x ∈ Σ∗, |x|^{1/k} ≤ |f(x)| ≤ |x|^k for
some k > 0, i.e. f(x) is at most polynomially longer or shorter
than x;
(2) f is in FP, i.e. it can be computed in polynomial time;
(3) the inverse f^{−1} is not in FP, i.e. there is no polynomial-time
algorithm which, given y, either computes an x such that
f(x) = y or returns 'no'.
Even if P ≠ NP there is no guarantee that one-way functions exist.
One-way function
Integer multiplication with primes
Definition (Integer multiplication with primes)
f_MULT(p, q) = (p, q) if p, q are not prime numbers,
f_MULT(p, q) = p · q otherwise.
Many people suspect that f_MULT is indeed a one-way function.
We know of no polynomial algorithm which inverts f_MULT (i.e. factors
products of large primes).
One-way function
Discrete logarithm problem
Definition (Exponentiation modulo a prime)
Given p a prime number, a primitive root r modulo p and an
integer x < p:
f_EXP(p, r, x) = (p, r^x mod p)
Inverting f_EXP is another well-known hard computational problem
in number theory, called the discrete logarithm problem, for which
no polynomial-time algorithm is known.
RSA
RSA function
Definition (RSA function)
As the basis of a public-key cryptosystem a clever combination of
f_MULT and f_EXP can be exploited. Let p, q be two prime numbers and
consider their product p · q. The number of bits of pq is
n = ⌈log pq⌉. Suppose that e is a number that is relatively prime to
φ(pq) = pq(1 − 1/p)(1 − 1/q) = pq − p − q + 1 (Euler's function).
The RSA function:
f_RSA(x, e, p, q) = (x^e mod pq, pq, e)
No polynomial algorithm for inverting the RSA function has been
announced.
R. L. Rivest, A. Shamir, L. Adleman - C. ACM, 22, pp. 120, 1978
RSA
RSA public-key cryptosystem
The RSA function can be the basis of a public-key cryptosystem. Bob
knows p, q and announces their product pq as well as e (i.e. an
integer relatively prime to φ(pq)). The public key of Bob is (pq, e).
Alice uses the public key to encrypt a message x (an n-bit integer)
as follows:
y = x^e mod pq
Bob, unlike Alice, also knows an integer d (i.e. a residue modulo pq)
such that e · d = 1 + kφ(pq) for some integer k (d can be found
by Euclid's algorithm).
In order to decrypt y Bob simply computes:
y^d = x^{e·d} = x^{1+kφ(pq)} = x mod pq
simply because x^{φ(pq)} = 1 mod pq (Fermat's theorem).
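The RSA cryptosystem above, worked through with toy-sized primes (an added example, not code from the slides): d is found with the extended Euclidean algorithm, the encrypt/decrypt round trip is run, and e · d = 1 mod φ(pq) is checked. The primes 61 and 53, e = 17, the message 65 and the function names are this example's own constructed values.

```python
# Added example (not from the slides): the RSA public-key cryptosystem of the
# slides with small primes so every intermediate value can be checked by hand.
# p, q, e and the message are constructed toy values; real keys use primes of
# hundreds of digits plus a padding scheme, which the slides do not cover.


def extended_euclid(a, b):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b = g (Euclid's algorithm)."""
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def rsa_keygen(p, q, e):
    """Bob's key generation: public key (pq, e) and private exponent d with
    e*d = 1 + k*phi(pq), obtained from the extended Euclidean algorithm."""
    n = p * q
    phi = n - p - q + 1          # phi(pq) = (p-1)(q-1), as on the slides
    g, s, _ = extended_euclid(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(pq)")
    d = s % phi                  # s*e + t*phi = 1  =>  s*e = 1 (mod phi)
    return (n, e), d


def rsa_encrypt(public_key, x):
    """Alice: y = x^e mod pq, for an integer message 0 <= x < pq."""
    n, e = public_key
    if not 0 <= x < n:
        raise ValueError("message must be a residue modulo pq")
    return pow(x, e, n)


def rsa_decrypt(public_key, d, y):
    """Bob: y^d = x^(e*d) = x^(1 + k*phi) = x (mod pq)."""
    n, _ = public_key
    return pow(y, d, n)


def rsa_round_trip(p, q, e, x):
    """Generate keys, encrypt x, decrypt again; return (y, recovered x, d)."""
    public_key, d = rsa_keygen(p, q, e)
    y = rsa_encrypt(public_key, x)
    return y, rsa_decrypt(public_key, d, y), d


if __name__ == "__main__":
    # Constructed toy parameters: p = 61, q = 53, pq = 3233, phi = 3120, e = 17.
    y, x_back, d = rsa_round_trip(61, 53, 17, 65)
    print(f"d = {d}, y = {y}, decrypted = {x_back}")
```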
Cryptography and Complexity
UP
Definition (Unambiguous nondeterministic Turing machine)
Call a nondeterministic Turing machine unambiguous if it has the
following property:
1 For any input x there is at most one accepting computation.
UP is the class of languages accepted by unambiguous
polynomial-time bounded nondeterministic Turing machines.
It is obvious that P ⊆ UP ⊆ NP.
L. G. Valiant - Inf. Proc. Letters, 5, pp. 20, 1976
Theorem
P = UP ⇐⇒ there are no one-way functions.
Proof.
⇐
Suppose that there exists a one-way function f. We consider
L_f = {(x, y) : there is z s.t. f(z) = y and z ≤ x}. In writing z ≤ x
we assume that all strings in {0, 1}∗ are ordered, first by length,
and strings of the same length n are ordered lexicographically. We
claim that L_f ∈ UP − P. It is easy to see that there is an
unambiguous machine U that accepts L_f: on input (x, y), it
nondeterministically guesses a string z of length at most |y|^k and
tests whether y = f(z). If the answer is 'yes' it checks whether
z ≤ x and, if so, accepts. Hence L_f ∈ UP.
We now have to show that L_f ∉ P. Suppose there is a
polynomial-time algorithm for L_f. Then we can invert the one-way
function f by binary search: given y we ask whether
(1^{|y|^k}, y) ∈ L_f. If the answer is 'no' this means that there is no x
s.t. f(x) = y: if there were such an x it would have to be smaller
than 1^{|y|^k} in the above ordering, since |y| ≥ |x|^{1/k}. If the
answer is 'yes' then we ask whether (1^{|y|^k − 1}, y) ∈ L_f, then
(1^{|y|^k − 2}, y) ∈ L_f, and so on until for some query (1^{l−1}, y) ∈ L_f
we get the answer 'no' and thus determine the actual length l ≤ |y|^k
of x. We then determine one-by-one the bits of x, again by asking
whether (01^{l−1}, y) ∈ L_f and then, depending on whether the answer
was 'yes' or 'no', asking (001^{l−2}, y) ∈ L_f or (101^{l−2}, y) ∈ L_f,
and so on. After a total of at most 2n^k applications of the
polynomial algorithm for L_f (where n = |y|) we have inverted f on y.
⇒
Suppose that there is a language L ∈ UP − P. Let U be the
unambiguous nondeterministic Turing machine accepting L, and let
x be an accepting computation of U on input y; we define
f_U(x) = 1y, that is, the input of U for which x is an accepting
computation, prefixed by the flag 1. If x does not encode a
computation of U, f_U(x) = 0x; the flag is now 0, meaning that
the argument of f_U is not a computation. We claim that f_U is a
one-way function. It is a well-defined function in FP because y is
part of the representation of the computation x and can
essentially be read off x. Second, the lengths of argument and
result are polynomially related, as required, because U has
polynomially long computations.
The function is one-to-one because the machine is unambiguous.
And if we could invert f_U in polynomial time, then we would be
able to decide L in polynomial time as well.
Thus, the correct complexity context for discussing cryptography
and one-way functions is the question whether P = UP, not whether
P = NP.
We fully expect that P ≠ UP.
UP is not known or believed to have complete problems.
Function Problems
Stronger one-way function
Definition (Stronger one-way function)
A definition of one-way functions that is closer to what we need in
cryptography would replace requirement (3), that inverting is
worst-case difficult, by a stronger requirement: that there be no
integer k, and no algorithm which, for large enough n, in time O(n^k)
successfully computes f^{−1}(y) for at least 2^n/n^k strings y of
length n.
That is, there is no polynomial-time algorithm that successfully
inverts f on a polynomial fraction of the inputs of length n.
Levin - Proc. 16th ACM Symposium on the Theory of Computing, 1984
RSA
Why RSA works
We conclude that it is fairly easy to find inputs for which f_RSA is
'defined'. There is a final important positive property that f_RSA
has: there is a polynomially computable function d, with the same
inputs as f_RSA, that makes the inversion problem easy. That is,
although there is apparently no fast way to recover (x, e, p, q) from
(x^e mod pq, pq), if we are given
d(x, e, p, q) = e^{−1} mod (pq − p − q + 1)
then we can easily invert f_RSA by computing (x^e)^d mod pq, as in
the decoding phase of the RSA cryptosystem. That is, we can
easily recover the input X = (x, e, p, q) from both f_RSA(X) and
d(X), but apparently not from f_RSA(X) alone.
Function Problems
Trapdoor functions
Definition (Trapdoor functions)
To summarize the additional properties of the RSA function,
besides (1), (2) and (3) of one-way functions, that we identified
in this discussion:
(4) we can efficiently sample the domain of the one-way function;
(5) there is a polynomially computable function d of the input
that trivializes the inversion problem.
We call a one-way function that has properties (4) and (5) a
trapdoor function.
If Factorization ∉ P then f_RSA is a trapdoor function.
Randomized public-key cryptosystem
RSA problem
There are two very important messages that are always easy to
decode. Suppose that Alice and Bob communicate using the RSA
public-key cryptosystem, and very often Alice needs to send to Bob
a single confidential bit b ∈ {0, 1}. Should Alice encrypt this bit as
an ordinary message, b^e mod pq?
Obviously not. Since b^e = b for b ∈ {0, 1}, the encrypted message
would be the same as the original message, i.e. not encrypted at
all. Single bits are always easy to decode. There is a simple remedy
for this problem. Alice could generate a random integer
x ≤ pq/2 and then transmit to Bob y = (2x + b)^e mod pq. Bob
receives y and uses his private key to recover 2x + b: b is the last
bit of the decrypted integer.
The resulting randomized public-key cryptosystem is much slower
than the original RSA, which transmits several hundred bits at
once. The point is that it is much more secure: the weaknesses of
plain RSA, such as detecting repetitions or luckily recovering
crucial messages, are not present in the randomized public-key
cryptosystem.
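The single-bit problem and the randomized remedy, as an added example (not code from the slides): plain_bit_encrypt shows that b^e mod pq = b, randomized_bit_encrypt sends (2x + b)^e mod pq for a random x, and Bob reads b off the last bit of the decrypted integer. The toy key, the fixed x values used for reproducibility and all function names are this example's own assumptions.

```python
# Added example (not from the slides): why encrypting one bit b with plain RSA
# fails (b^e mod pq = b) and the randomized remedy, where Alice sends
# (2x + b)^e mod pq for a random x and Bob reads b off the last bit.
# The key below is a constructed toy key; the function names are this example's.
import secrets


def toy_rsa_key(p, q, e):
    """Return ((pq, e), d) with e*d = 1 (mod phi(pq)); toy-sized on purpose."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)           # modular inverse, Python 3.8+


def plain_bit_encrypt(public_key, b):
    """The broken approach: y = b^e mod pq, which equals b for b in {0, 1}."""
    n, e = public_key
    return pow(b, e, n)


def randomized_bit_encrypt(public_key, b, x=None):
    """Alice: pick a random x with 2x + b < pq and send (2x + b)^e mod pq.
    The slides say x <= pq/2; x < (pq - 1)/2 keeps 2x + 1 below pq."""
    n, e = public_key
    if x is None:
        x = secrets.randbelow((n - 1) // 2)
    return pow(2 * x + b, e, n)


def randomized_bit_decrypt(public_key, d, y):
    """Bob: recover 2x + b with the private key; b is its last bit."""
    n, _ = public_key
    return pow(y, d, n) & 1


def demo(p=61, q=53, e=17):
    """Return (plain ciphertexts of b = 0 and b = 1, two randomized
    ciphertexts of b = 1, and the bits Bob recovers from the latter)."""
    public_key, d = toy_rsa_key(p, q, e)
    plain = [plain_bit_encrypt(public_key, b) for b in (0, 1)]
    y0 = randomized_bit_encrypt(public_key, 1, x=100)    # fixed x for reproducibility
    y1 = randomized_bit_encrypt(public_key, 1, x=1234)   # same bit, different x
    recovered = [randomized_bit_decrypt(public_key, d, y) for y in (y0, y1)]
    return plain, (y0, y1), recovered


if __name__ == "__main__":
    plain, (y0, y1), recovered = demo()
    print("plain RSA on bits 0, 1 gives", plain)
    print("randomized ciphertexts of bit 1:", y0, y1, "-> Bob reads", recovered)
```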
Protocols
Signature protocol
Definition (Signature problem (informal))
Suppose that Alice wants to send Bob a signed document x. But
what does this mean? Minimally, a signed message S_Alice(x) is a
string that contains the information in the original message x, but
is modified in a way that unmistakably identifies the sender.
Public-key cryptosystems provide an elegant solution to the
electronic signature problem.
Protocols
Signature
Suppose that both Alice & Bob have public and private keys
e_Alice, d_Alice, e_Bob, d_Bob. We assume they both use the same
encoding and decoding functions. Alice signs x as:
S_Alice(x) = (x, D(d_Alice, x))
i.e. the message decrypted as if it were an encrypted message
received by Alice. Bob, upon receipt of S_Alice(x), takes the second
part and encodes it using Alice's public key:
E(e_Alice, D(d_Alice, x)) = D(d_Alice, E(e_Alice, x)) = x
The RSA cryptosystem is clearly commutative, since:
D(d, E(e, x)) = (x^e)^d mod pq = (x^d)^e mod pq = E(e, D(d, x))
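The signature and its verification, as an added example (not from the slides), assuming toy RSA keys for Alice: sign returns S_Alice(x) = (x, D(d_Alice, x)), verify applies E(e_Alice, ·) to the second part, and commutes checks D(d, E(e, x)) = E(e, D(d, x)) = x; a message altered in transit is shown to fail verification. The key parameters and function names are this example's own.

```python
# Added example (not from the slides): Alice's RSA signature and Bob's check,
# plus the commutativity the slides rely on. Keys are constructed toy values.


def toy_rsa_key(p, q, e):
    """((pq, e), d) with e*d = 1 (mod phi(pq)); toy-sized, for illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)


def E(public_key, x):
    """Encoding with the public key: x^e mod pq."""
    n, e = public_key
    return pow(x, e, n)


def D(public_key, d, y):
    """Decoding with the private key: y^d mod pq."""
    n, _ = public_key
    return pow(y, d, n)


def sign(public_key, d, x):
    """S_Alice(x) = (x, D(d_Alice, x)): x 'decrypted' with Alice's private key."""
    return x, D(public_key, d, x)


def verify(public_key, signed):
    """Bob encodes the second part with Alice's public key and compares it to x."""
    x, s = signed
    return E(public_key, s) == x


def commutes(public_key, d, x):
    """D(d, E(e, x)) == E(e, D(d, x)) == x: both sides are x^(e*d) mod pq."""
    return D(public_key, d, E(public_key, x)) == E(public_key, D(public_key, d, x)) == x


def demo(p=61, q=53, e=17, x=1337):
    """Return (genuine signature verifies, altered message verifies, commutativity)."""
    alice_pub, alice_d = toy_rsa_key(p, q, e)
    signed = sign(alice_pub, alice_d, x)
    altered = (x + 1, signed[1])          # message changed in transit, signature kept
    return (verify(alice_pub, signed),
            verify(alice_pub, altered),
            commutes(alice_pub, alice_d, x))


if __name__ == "__main__":
    print(demo())   # genuine verifies, altered does not, RSA commutes
```

Signing the raw message this way is the textbook scheme the slides describe; deployed RSA signatures sign a padded hash of x, which is outside the scope of these slides.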
Protocols
Mental Poker problem
Definition
Suppose that Alice & Bob have agreed upon three n-bit numbers
a < b < c, the cards. They want to randomly choose one card
each so that the following holds:
(1) their cards are different;
(2) all six pairs of distinct cards are equiprobable as outcomes;
(3) Alice's card is known to Alice but not to Bob, and similarly for
Bob's card;
(4) since the person with the highest card wins the game, the
outcome should be indisputable.
This can be achieved by cryptographic techniques.
Shamir, Rivest, Adleman - Mental poker - The Mathematical Gardner,
pp. 37, 1981
Protocols
Mental Poker protocol
First the two players agree on a large prime number p, and each
has two secret keys, an encryption key e_Alice, e_Bob and a
decryption key d_Alice, d_Bob. Alice is the dealer: she encrypts the
three cards and sends to Bob the encrypted messages a^{e_Alice}
mod p, b^{e_Alice} mod p, c^{e_Alice} mod p. Bob then picks one of the
three messages (say the one for b) and returns it to Alice, who
decodes it and keeps it as her card. Bob's selection must be random.
Bob then encrypts the two remaining cards a and c with his
encryption key to obtain a^{e_Alice e_Bob} mod p, c^{e_Alice e_Bob} mod p
and sends a random permutation of the result to Alice. Alice now
picks one of these messages, say a, decodes it with her key d_Alice,
and sends the result a^{e_Bob} mod p to Bob. Bob decrypts it using
d_Bob and the protocol terminates.
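The mental poker protocol above, run end to end as an added example (not code from the slides or the cited paper): the commuting cipher is x ↦ x^e mod p with e · d = 1 (mod p − 1), the standard key rule for this scheme, which the slides leave implicit. The prime p, the three cards and all function names are constructed for this example.

```python
# Added example (not from the slides): the Shamir-Rivest-Adleman mental poker
# protocol with the commuting cipher x -> x^e mod p, e*d = 1 (mod p-1).
# p and the cards are constructed toy values; real runs use a much larger p.
from math import gcd
import secrets


def make_keys(p):
    """Random (e, d) with e*d = 1 (mod p-1), so that (x^e)^d = x (mod p)."""
    while True:
        e = 2 + secrets.randbelow(p - 3)          # 2 <= e <= p-2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def enc(p, e, x):
    return pow(x, e, p)


def dec(p, d, y):
    return pow(y, d, p)


def mental_poker(p, cards, alice_keys=None, bob_keys=None):
    """Run the protocol for three cards; return (alice_card, bob_card)."""
    e_a, d_a = alice_keys or make_keys(p)
    e_b, d_b = bob_keys or make_keys(p)
    # Alice (the dealer) encrypts the cards and sends them to Bob.
    dealt = [enc(p, e_a, c) for c in cards]
    # Bob picks one at random and returns it; Alice decrypts it and keeps it.
    pick = secrets.randbelow(len(dealt))
    alice_card = dec(p, d_a, dealt[pick])
    # Bob adds his layer to the two remaining messages and shuffles them.
    remaining = [enc(p, e_b, m) for i, m in enumerate(dealt) if i != pick]
    if secrets.randbelow(2):
        remaining.reverse()
    # Alice picks one, strips her layer (the layers commute) and sends x^{e_Bob}.
    chosen = remaining[secrets.randbelow(2)]
    bob_layer_only = dec(p, d_a, chosen)
    # Bob strips his own layer and learns his card.
    bob_card = dec(p, d_b, bob_layer_only)
    return alice_card, bob_card


if __name__ == "__main__":
    # Constructed toy instance: p = 1000003 (prime), cards a < b < c below p.
    print(mental_poker(1000003, [123456, 234567, 345678]))
```

A caveat not on the slides: x ↦ x^e mod p preserves whether x is a quadratic residue modulo p, so this scheme leaks one bit about each card unless all cards are chosen with the same residuosity (Lipton's observation).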

How to Make a Field Mandatory in Odoo 17How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
 
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
 
S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
 
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptxC1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
 
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
 
writing about opinions about Australia the movie
writing about opinions about Australia the moviewriting about opinions about Australia the movie
writing about opinions about Australia the movie
 
Digital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments UnitDigital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments Unit
 
How to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRMHow to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRM
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
 
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptxChapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
 

Algorithms and Complexity: Cryptography Theory

  • 1. Algorithms and Complexity: Cryptography Theory. Alex Prut, Università degli studi di Udine, January 31, 2017
  • 2. 1 Introduction The Problem 2 Function Problems Definition 3 Protocols
  • 3. Introduction. The Problem. Definition (informal, the Alice and Bob problem). Two parties (Alice and Bob) wish to communicate in the presence of malevolent eavesdroppers. That is, Alice wants to send a message to Bob over a channel monitored by an adversary (Eve), and wishes the message to be known only to her and Bob. Alice and Bob agree on two algorithms E (encoding) and D (decoding), both known to the general public. Alice, who wishes to send a message x ∈ Σ* (Σ = {0, 1}), computes y = E(e, x); Bob receives y and computes x = D(d, y). Privacy rests entirely on two strings e, d ∈ Σ* known only to Alice and Bob.
  • 4. Perfect solution: One-time pad. Definition (One-time pad). Let both d and e be the same string e of length |x|, and let E(e, x) and D(e, y) be the bitwise exclusive or: E(e, x) = e ⊕ x = y and D(e, y) = e ⊕ y = x (the i-th bit of e ⊕ x is 1 iff exactly one of e_i, x_i is 1). Since (x ⊕ e) ⊕ e = x we have D(d, E(e, x)) = x. Cons: the key must be as long as the message (|e| = |x|) and must be fresh for every message, since two messages under the same pad leak x_1 ⊕ x_2; Alice and Bob need to agree on and exchange the key e in advance.
  • 5. Perfect solution: Public-Key Cryptosystem. Definition (Public-Key Cryptosystem (informal)). Suppose that only d is secret and private to Bob, while e is known to Alice and to the general public. Bob generates the pair (e, d) and announces e openly. Alice can send a message x to Bob by computing and transmitting E(e, x), where D(d, E(e, x)) = x. The point is that it must be computationally infeasible to deduce d from e, and x from y without knowing d. Such a cryptosystem can exist only if P ≠ NP, although this is not immediate (the precise condition, P ≠ UP, is discussed below). W. Diffie, M. E. Hellman, "New directions in cryptography", IEEE Trans. on Information Theory, 22, pp. 644, 1976
  • 6. Function Problem Function Problem Definition (function problem) In computational complexity theory, a function problem is a computational problem where a single output (of a total function) is expected for every input, but the output is more complex than that of a decision problem, that is, it isn’t just YES or NO.
  • 7. Function Problems: Relation between decision and function problems. Definition (Relation between decision and function problems, FNP). Given L ∈ NP, there is a polynomial-time decidable, polynomially balanced relation R_L such that for all strings x: there is a string y with R_L(x, y) ⟺ x ∈ L. The function problem associated with L, denoted FL, is the following computational problem: given x, find a string y such that R_L(x, y) if such a string exists; otherwise return 'no'. FNP is the class of all such problems FL for L ∈ NP, and FP is the subclass of function problems solvable in polynomial time.
  • 8. Function Problems: more definitions/theorems. Definition (Reduction). A function problem A reduces to a function problem B if there are string functions R and S, both computable in logarithmic space, such that for any strings x and z the following holds: (1) if x is an instance of A then R(x) is an instance of B; (2) if z is a correct output of B on R(x) then S(z) is a correct output of A on x. Definition (F-Complete). A function problem A is complete for a class FC of function problems if it is in FC and all problems in that class reduce to A.
  • 9. Function Problems: more definitions/theorems. Theorem (FSAT). FSAT (given a Boolean expression, find a satisfying truth assignment if one exists) is FNP-complete. Theorem. FP = FNP ⟺ P = NP. Definition (TFNP). A problem R in FNP is total if for every string x there is at least one string y such that R(x, y). The subclass of FNP containing all total function problems is denoted TFNP. N. Megiddo, C. H. Papadimitriou, "On total functions, existence theorems and computational complexity", Theor. Comp. Sci., 81, 1991
  • 11. Function Problems: One-way function. Definition (One-way function). Let f : Σ* → Σ* be a function from strings to strings. We say that f is a one-way function if the following holds: (1) f is one-to-one and for all x ∈ Σ*, |x|^(1/k) ≤ |f(x)| ≤ |x|^k for some k > 0, i.e. f(x) is at most polynomially longer or shorter than x; (2) f is in FP, i.e. it can be computed in polynomial time; (3) the inverse f^(-1) is not in FP, i.e. there is no polynomial-time algorithm which, given y, either computes an x such that f(x) = y or returns 'no'. Note that if P = NP no one-way function can exist, since inverting f is a problem in FNP; but even if P ≠ NP there is no guarantee that one-way functions exist.
  • 12. One-way function: Integer multiplication with primes. Definition (Integer multiplication with primes). f_MULT(p, q) = p · q if p and q are both prime numbers, and (p, q) otherwise. Many people suspect this is indeed a one-way function: we know of no polynomial algorithm which inverts f_MULT (i.e. factors products of two large primes).
  • 13. One-way function: Discrete logarithm problem. Definition (Exponentiation modulo a prime). Given a prime number p, a primitive root r modulo p and an integer x < p: f_EXP(p, r, x) = (p, r^x mod p). Inverting f_EXP is another well-known hard computational problem in number theory, the discrete logarithm problem, for which no polynomial-time algorithm is known.
  • 14. RSA: RSA function. Definition (RSA function). As the basis of a public-key cryptosystem, a clever combination of f_MULT and f_EXP can be exploited. Let p, q be two prime numbers and consider their product pq; the number of bits of pq is n = ⌈log pq⌉. Suppose that e is a number relatively prime to φ(pq) = pq(1 − 1/p)(1 − 1/q) = pq − p − q + 1 = (p − 1)(q − 1) (Euler's function). The RSA function is f_RSA(x, e, p, q) = (x^e mod pq, pq, e). No polynomial algorithm for inverting the RSA function has been announced. R. L. Rivest, A. Shamir, L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems", C. ACM, 21, pp. 120, 1978
  • 15. RSA: RSA public-key cryptosystem. The RSA function can be the basis of a public-key cryptosystem. Bob knows p and q and announces their product pq as well as e (an integer relatively prime to φ(pq)); Bob's public key is (pq, e). Alice uses the public key to encrypt a message x (an n-bit integer, x < pq) as y = x^e mod pq. Bob, unlike Alice, also knows an integer d (a residue modulo φ(pq)) such that e · d = 1 + kφ(pq) for some integer k; d is found by the extended Euclidean algorithm applied to e and φ(pq). In order to decrypt y, Bob simply computes y^d = x^(e·d) = x^(1 + kφ(pq)) = x mod pq, because x^φ(pq) = 1 mod pq whenever gcd(x, pq) = 1 (Euler's theorem; the prime case is Fermat's little theorem). The remaining x, the multiples of p or q, are recovered as well: reducing modulo p and modulo q separately and applying Fermat's theorem to each shows x^(e·d) = x mod p and mod q, hence mod pq.
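The cryptosystem of this slide, as an added worked example (not code from the slides or from the cited paper): Bob's key generation with d computed by the extended Euclidean algorithm, Alice's encryption, Bob's decryption, and a check that D(d, E(e, x)) = x holds for every residue x, including the multiples of p and q that Euler's theorem alone does not cover. It also exhibits the trapdoor information d = e^(-1) mod (pq − p − q + 1) discussed later under "Why RSA works". The primes 61 and 53 and exponent 17 are constructed toy parameters, not secure sizes.

```python
# Added example: textbook RSA as on the slide, with d from extended Euclid.
# Toy parameters (p = 61, q = 53, e = 17) are constructed for illustration.

def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def modinv(e, m):
    """e^-1 mod m; raises ValueError if gcd(e, m) != 1 (then no d exists)."""
    g, s, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e is not relatively prime to phi(pq)")
    return s % m

def rsa_keygen(p, q, e):
    """Bob's side: public key (pq, e) and private d with e*d = 1 + k*phi(pq)."""
    n = p * q
    phi = n - p - q + 1            # = (p-1)(q-1), as on slide 14
    d = modinv(e, phi)
    assert (e * d) % phi == 1
    return (n, e), d

def rsa_encrypt(pub, x):
    """Alice's side: y = x^e mod pq, for an integer message 0 <= x < pq."""
    n, e = pub
    if not 0 <= x < n:
        raise ValueError("message must be an integer residue modulo pq")
    return pow(x, e, n)

def rsa_decrypt(pub, d, y):
    """Bob's side: y^d = x^(ed) = x^(1 + k*phi) = x (mod pq)."""
    n, _ = pub
    return pow(y, d, n)

def roundtrip_all(p, q, e):
    """D(d, E(e, x)) == x for every residue x, including multiples of p or q,
    where x^phi != 1 (mod pq) and Euler's theorem does not apply directly."""
    pub, d = rsa_keygen(p, q, e)
    return all(rsa_decrypt(pub, d, rsa_encrypt(pub, x)) == x for x in range(p * q))

if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)
    y = rsa_encrypt(pub, 65)
    print("public key", pub, "private d", d, "y", y, "decrypted", rsa_decrypt(pub, d, y))
```

With these parameters pq = 3233, φ(pq) = 3120 and d = 2753; the message 65 encrypts to 2790. The roundtrip check over all 3233 residues is what a practitioner should ask of any claimed decryption identity: the slide's proof via x^φ(pq) = 1 silently assumes gcd(x, pq) = 1.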
  • 16. Cryptography and Complexity: UP. Definition (Unambiguous nondeterministic Turing machine). Call a nondeterministic Turing machine unambiguous if for any input x there is at most one accepting computation. UP is the class of languages accepted by unambiguous polynomial-time bounded nondeterministic Turing machines. It is obvious that P ⊆ UP ⊆ NP. L. G. Valiant, "Relative complexity of checking and evaluating", Inf. Proc. Letters, 5, pp. 20, 1976
  • 17. Cryptography and Complexity: UP. Theorem. P = UP ⟺ there are no one-way functions. Proof (⇐). Suppose that there exists a one-way function f. Consider L_f = {(x, y) : there is z such that f(z) = y and z ≤ x}, where ≤ orders all strings in {0, 1}* first by length and, among strings of the same length n, lexicographically. We claim that L_f ∈ UP − P. There is an unambiguous machine U accepting L_f: on input (x, y) it nondeterministically guesses a string z of length at most |y|^k, tests whether y = f(z), and if so checks whether z ≤ x and accepts. Since f is one-to-one, at most one guess z can pass the test, so U is unambiguous and L_f ∈ UP. (continued)
  • 18. Cryptography and Complexity: UP. Proof (⇐, continued). It remains to show that L_f ∉ P. Suppose there were a polynomial-time algorithm for L_f. Then we could invert f by binary search. Given y, first ask whether (1^(|y|^k), y) ∈ L_f. If the answer is 'no', there is no x with f(x) = y: any such x satisfies |x| ≤ |y|^k, so it would be at most 1^(|y|^k) in our ordering. If the answer is 'yes', ask whether (1^(|y|^k − 1), y) ∈ L_f, then (1^(|y|^k − 2), y), and so on, until some query (1^(l − 1), y) is answered 'no'; this determines the actual length l ≤ |y|^k of x. Then determine the bits of x one by one: ask whether (01^(l − 1), y) ∈ L_f (the answer is 'yes' iff the first bit of x is 0), and depending on the answer ask (001^(l − 2), y) or (101^(l − 2), y), and so on. After at most 2|y|^k calls to the polynomial-time algorithm for L_f we have inverted f on y, contradicting property (3) of one-way functions.
  • 19. Cryptography and Complexity: UP. Proof (⇒). Suppose that there is a language L ∈ UP − P. Let U be the unambiguous nondeterministic Turing machine accepting L, and let x be an accepting computation of U on input y; define f_U(x) = 1y, that is, the input of U for which x is an accepting computation, prefixed by the flag 1. If x does not encode an accepting computation of U, f_U(x) = 0x; the flag is now 0, meaning that the argument of f_U is not a computation. We claim that f_U is a one-way function. It is a well-defined function in FP, because y is part of the representation of the computation x and can essentially be read off x. Second, the lengths of argument and result are polynomially related, as required, because U has polynomially long computations. (continued)
  • 20. Cryptography and Complexity: UP. Proof (⇒, continued). The function is one-to-one because the machine is unambiguous: each y has at most one accepting computation, and the flag bit keeps the two cases apart. Finally, if we could invert f_U in polynomial time, we could decide L in polynomial time as well: y ∈ L iff 1y has a preimage. Thus the correct complexity context for discussing cryptography and one-way functions is the P ?= UP question, not the P ?= NP one. We fully expect that P ≠ UP. UP is not known or believed to have complete problems.
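The inversion procedure from the ⇐ direction of the proof (slides 17 and 18), run end to end as an added example that is not from the slides. f is a constructed toy one-to-one map on bit strings (for it k = 1 suffices), and the decision oracle for L_f is brute force; neither is a real one-way function or a real polynomial-time decider. What the code shows is the reduction itself: given only yes/no answers about L_f, the length of x and then its bits are recovered with at most 2|y|^k queries, exactly as claimed.

```python
# Added example: inverting f through a decision oracle for L_f, as in the proof.
# f and the oracle are constructed toys; K = 1 is the length exponent for this f.
from itertools import product

K = 1

def f(z):
    """Toy one-to-one map on bit strings: z -> binary of 3 * int('1' + z, 2).
    The leading 1 keeps distinct z (e.g. '01' vs '1') from colliding; |f(z)| <= |z| + 3."""
    return format(3 * int("1" + z, 2), "b")

def le(a, b):
    """The ordering used in the proof: by length first, then lexicographically."""
    return (len(a), a) <= (len(b), b)

def in_Lf(x, y):
    """Decision oracle for L_f = {(x, y): exists z, f(z) = y and z <= x}.
    Brute force (exponential); it stands in for the proof's hypothetical
    polynomial-time algorithm, which we only query."""
    bound = len(y) ** K
    return any(f(z) == y and le(z, x)
               for length in range(bound + 1)
               for z in ("".join(bits) for bits in product("01", repeat=length)))

def invert(y):
    """Recover x with f(x) = y using only L_f queries; returns (x or None, #queries)."""
    queries = 0

    def ask(x):
        nonlocal queries
        queries += 1
        return in_Lf(x, y)

    bound = len(y) ** K
    if not ask("1" * bound):            # any preimage has |x| <= |y|^k, so x <= 1^(|y|^k)
        return None, queries
    length = bound                      # shrink until (1^(l-1), y) is rejected: then |x| = l
    while length > 0 and ask("1" * (length - 1)):
        length -= 1
    prefix = ""                         # x <= prefix 0 1..1  iff  the next bit of x is 0
    for i in range(length):
        prefix += "0" if ask(prefix + "0" + "1" * (length - i - 1)) else "1"
    return prefix, queries

def check(z):
    """Round trip plus the proof's query bound of 2*|y|^k."""
    y = f(z)
    x, n = invert(y)
    return x == z and n <= 2 * len(y) ** K

if __name__ == "__main__":
    for z in ["", "0", "1011", "000101"]:
        print(repr(z), f(z), invert(f(z)))
```

For z = '1011', y = '1010001' (7 bits): one query with 1^7, four more to pin the length to 4, then four bit queries, nine in total against the bound of 14. The query count is the quantity worth watching: it is what makes the oracle-to-inverter reduction polynomial even though the oracle here is implemented by exhaustive search.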
  • 21. Function Problems: Stronger one-way function. Definition (Stronger one-way function). A definition of one-way functions closer to what we need in cryptography would replace requirement (iii), that inverting is worst-case difficult, by a stronger one: there is no integer k and no algorithm which, for large enough n, in time O(n^k) successfully computes f^(-1)(y) for at least 2^n / n^k strings y of length n. That is, there is no polynomial-time algorithm that successfully inverts f on a polynomial fraction of the inputs of length n. L. Levin, Proc. 16th ACM Symposium on the Theory of Computing, 1984
  • 22. RSA: Why RSA works. We conclude that it is fairly easy to find inputs for which f_RSA is 'defined'. There is a final important positive property that f_RSA has: there is a polynomially computable function d, with the same inputs as f_RSA, that makes the inversion problem easy. That is, although there is apparently no fast way to recover (x, e, p, q) from (x^e mod pq, pq, e), if we are given d(x, e, p, q) = e^(-1) mod (pq − p − q + 1) then we can easily invert f_RSA by computing (x^e)^d mod pq, as in the decoding phase of the RSA cryptosystem. In other words, we can easily recover the input X = (x, e, p, q) from f_RSA(X) together with d(X), but apparently not from f_RSA(X) alone.
  • 23. Function Problems: Trapdoor functions. Definition (Trapdoor functions). To summarize the additional properties of the RSA function, besides (1), (2) and (3) of one-way functions, that we identified in this discussion: (4) we can efficiently sample the domain of the one-way function; (5) there is a polynomially computable function d of the input that trivializes the inversion problem. A one-way function with properties (4) and (5) is called a trapdoor function. FACTORING ∉ P is necessary for f_RSA to be a trapdoor function (whoever factors pq computes d); it is not known to be sufficient, so the precise assumption is that inverting f_RSA itself is hard.
  • 24. Randomized public-key cryptosystem: RSA problem. There are two very important messages that are always easy to decode. Suppose that Alice and Bob communicate using the RSA public-key cryptosystem, and very often Alice needs to send Bob a single confidential bit b ∈ {0, 1}. Should Alice encrypt this bit as an ordinary message, b^e mod pq? Obviously not: since b^e = b for b ∈ {0, 1}, the encrypted message would be identical to the original, i.e. not encrypted at all. Single bits are always easy to decode. There is a simple remedy. Alice generates a random integer x < pq/2 (so that 2x + b < pq) and transmits y = (2x + b)^e mod pq. Bob receives y and uses his private key to recover 2x + b; b is its last bit. In practice this is the role of randomized padding such as RSA-OAEP.
  • 25. Randomized public-key cryptosystem: RSA problem. The resulting randomized public-key cryptosystem is much slower than the original RSA, which transmits several hundred bits at once. The point is that it is much more secure: the attacks available against the deterministic scheme (detecting repeated messages, recovering a crucial message from a small set of candidates by luck or by exhaustive trial) are not available against the randomized one.
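The single-bit problem and its randomized repair from slides 24 and 25, as an added example (not code from the slides). It shows that b^e mod pq = b on the wire, that Eve can decrypt any deterministic RSA ciphertext drawn from a small message space by encrypting every candidate under the public key, and that the encoding (2x + b)^e mod pq decrypts correctly while giving different ciphertexts for the same bit. The key is the same constructed toy key (p = 61, q = 53, e = 17); with such a small pq Eve could of course enumerate 2x + b as well, so the randomized scheme only hides anything when x is drawn from a space of realistic size.

```python
# Added example: deterministic RSA on a 1-bit message vs. the randomized encoding.
# Toy key constructed for illustration; not a secure size.
import secrets

P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))         # Bob's private exponent

def raw_encrypt_bit(b):
    """Textbook RSA on b in {0, 1}: b^e mod pq == b, so Eve reads the bit off the wire."""
    return pow(b, E, N)

def randomized_encrypt_bit(b, x=None):
    """Alice: random x < pq/2 so that 2x + b < pq; send (2x + b)^e mod pq.
    x may be fixed by the caller for reproducible tests."""
    if x is None:
        x = secrets.randbelow(N // 2)       # x in [0, pq/2)
    if not 0 <= x < N // 2 or b not in (0, 1):
        raise ValueError("need 0 <= x < pq/2 and b in {0, 1}")
    return pow(2 * x + b, E, N)

def decrypt_bit(y):
    """Bob: recover 2x + b with d; the bit is its least significant bit."""
    return pow(y, D, N) & 1

def raw_leaks_everything():
    """Deterministic RSA on a 1-bit message space: ciphertext == plaintext."""
    return all(raw_encrypt_bit(b) == b for b in (0, 1))

def eve_dictionary_attack(y, candidates):
    """Eve against deterministic RSA: encrypt every candidate plaintext under
    the public key and match the observed ciphertext. Works whenever the
    message space is small enough to enumerate, whatever the key size."""
    table = {pow(m, E, N): m for m in candidates}
    return table.get(y)

def randomized_hides_repeats(trials=50):
    """Same bit encrypted repeatedly gives (almost surely) many distinct
    ciphertexts, and Bob still decrypts every one of them correctly."""
    for b in (0, 1):
        cs = [randomized_encrypt_bit(b) for _ in range(trials)]
        if any(decrypt_bit(c) != b for c in cs):
            return False
        if len(set(cs)) < trials // 2:      # 1616 possible x values: collisions are rare
            return False
    return True
```

The dictionary attack is the practical form of "luckily recovering crucial messages": against deterministic RSA it costs one public-key operation per candidate and no private key at all, which is why any real RSA encryption must randomize the padding.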
  • 26. Protocols: Signature protocol. Definition (Signature problem (informal)). Suppose that Alice wants to send Bob a signed document x. But what does this mean? Minimally, a signed message S_Alice(x) is a string that contains the information in the original message x, but is modified in a way that unmistakably identifies the sender. Public-key cryptosystems provide an elegant solution to the electronic signature problem.
  • 27. Protocols: Signature. Suppose that both Alice and Bob have public and private keys e_Alice, d_Alice, e_Bob, d_Bob, and that they use the same encoding and decoding functions. Alice signs x as S_Alice(x) = (x, D(d_Alice, x)): the message is decrypted as if it were an encrypted message received by Alice. Bob, upon receipt of S_Alice(x), takes the second part and encodes it using Alice's public key: E(e_Alice, D(d_Alice, x)) = D(d_Alice, E(e_Alice, x)) = x. This requires the cryptosystem to be commutative, which RSA clearly is: D(d, E(e, x)) = (x^e)^d mod pq = (x^d)^e mod pq = E(e, D(d, x)). Note that because D is applied to the bare x, anyone can produce a pair (s^e mod pq, s) for an arbitrary s that passes this check; real signature schemes therefore apply D to a padded hash of x.
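The signing and verification exchange of this slide with RSA as E and D, as an added example (not code from the slides): Alice signs, Bob verifies with her public key, the commutativity identity is checked, and the consequence of applying D to the raw message is made concrete by minting a valid-looking pair (x, s) from a freely chosen s. Alice's key is the same constructed toy key used above.

```python
# Added example: RSA signature as S_Alice(x) = (x, D(d_Alice, x)).
# Toy key constructed for illustration; not a secure size.
P_A, Q_A, E_A = 61, 53, 17                    # Alice's key pair
N_A = P_A * Q_A
D_A = pow(E_A, -1, (P_A - 1) * (Q_A - 1))

def E(e_pub, n, x):
    """Encode with a public key (RSA: x^e mod pq)."""
    return pow(x, e_pub, n)

def D(d_priv, n, y):
    """Decode with a private key (RSA: y^d mod pq)."""
    return pow(y, d_priv, n)

def sign(x):
    """Alice: S_Alice(x) = (x, D(d_Alice, x)); she 'decrypts' the plaintext x."""
    return x, D(D_A, N_A, x)

def verify(signed):
    """Bob: encode the second part under Alice's public key; it must give back x.
    Only Alice, who holds d_Alice, can have produced such an s for a given x."""
    x, s = signed
    return E(E_A, N_A, s) == x

def commutes(x):
    """RSA is commutative: D(d, E(e, x)) == E(e, D(d, x)) == x."""
    return D(D_A, N_A, E(E_A, N_A, x)) == E(E_A, N_A, D(D_A, N_A, x)) == x

def forge(s):
    """Existential forgery on the raw scheme: pick any s, set x = E(e_Alice, s).
    Then (x, s) verifies although Alice never signed anything. The x obtained
    this way is random-looking, which is why real schemes sign a padded hash
    of the message rather than the message itself."""
    return E(E_A, N_A, s), s
```

Because RSA is a permutation of the residues modulo pq, each x has exactly one valid s, so changing s by even one unit breaks verification; the forgery does not contradict that, it only shows the scheme guarantees "Alice signed this x" without guaranteeing that x is a message anyone chose.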
  • 28. Protocols: Mental Poker problem. Definition. Suppose that Alice and Bob have agreed upon three n-bit numbers a < b < c, the cards. They want to randomly choose one card each so that the following holds: (1) their cards are different; (2) all six ordered pairs of distinct cards are equiprobable as outcomes; (3) Alice's card is known to Alice but not to Bob, and similarly for Bob; (4) since the player with the highest card wins the game, the outcome should be indisputable. This can be achieved by cryptographic techniques. A. Shamir, R. L. Rivest, L. Adleman, "Mental poker", in The Mathematical Gardner, pp. 37, 1981
  • 29. Protocols: Mental Poker protocol. First the two players agree on a large prime number p. Each has a secret encryption key, e_Alice and e_Bob, and a matching secret decryption key, d_Alice and d_Bob, chosen so that e · d = 1 mod (p − 1); then (m^e)^d = m mod p for every card m, and encryption with the two keys commutes. Alice is the dealer: she encrypts the three cards and sends Bob a^e_Alice mod p, b^e_Alice mod p, c^e_Alice mod p in random order. Bob picks one of the three messages at random and returns it to Alice, who decrypts it and keeps it as her card. Bob then encrypts the two remaining cards, say a and c, with his encryption key to obtain a^(e_Alice · e_Bob) mod p and c^(e_Alice · e_Bob) mod p, and sends a random permutation of the result to Alice. Alice now picks one of these messages, say a, decrypts it with her key d_Alice, and sends the result a^e_Bob mod p to Bob. Bob decrypts it using d_Bob, and the protocol terminates. Caveat: e is odd (it is prime to the even number p − 1), so m^e mod p is a quadratic residue exactly when m is; the commutative cipher therefore leaks one bit about each card, and the protocol is a theoretical construction rather than a deployable one.
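The protocol of this slide run end to end with both players' messages, as an added example (not code from the slides or from the cited paper). The cipher is commutative exponentiation modulo a prime p with e · d = 1 mod (p − 1) for each player. The prime 1009 and the cards 17 < 42 < 99 are constructed toys; the code checks properties (1) and (2) of the previous slide over many runs and exhibits the quadratic-residue leak noted above.

```python
# Added example: mental poker with commutative exponentiation mod p.
# p and the cards are constructed toy values; not a secure size.
import random

P = 1009                                  # prime; p - 1 = 1008 = 2^4 * 3^2 * 7
CARDS = (17, 42, 99)                      # a < b < c, all < p

def keypair(rng):
    """Random e with gcd(e, p-1) = 1 and its inverse d modulo p-1."""
    while True:
        e = rng.randrange(3, P - 1)
        try:
            return e, pow(e, -1, P - 1)
        except ValueError:                # gcd(e, p-1) != 1, try again
            continue

def enc(m, e):
    return pow(m, e, P)

def dec(c, d):
    return pow(c, d, P)

def play(seed):
    """One run of the protocol; returns (alice_card, bob_card)."""
    rng = random.Random(seed)
    e_a, d_a = keypair(rng)
    e_b, d_b = keypair(rng)
    # 1. Alice (dealer) encrypts all three cards and sends them in random order.
    deck = [enc(m, e_a) for m in CARDS]
    rng.shuffle(deck)
    # 2. Bob picks one at random and returns it; Alice decrypts it: her card.
    alice_card = dec(deck.pop(rng.randrange(3)), d_a)
    # 3. Bob encrypts the two remaining under his key, shuffles, sends back.
    doubly = [enc(c, e_b) for c in deck]
    rng.shuffle(doubly)
    # 4. Alice picks one, strips her layer (commutativity), sends m^e_Bob to Bob.
    to_bob = dec(doubly[rng.randrange(2)], d_a)
    # 5. Bob strips his layer: his card.
    bob_card = dec(to_bob, d_b)
    return alice_card, bob_card

def is_valid_deal(seed):
    """Property (1): both cards are real cards and they differ."""
    a, b = play(seed)
    return a in CARDS and b in CARDS and a != b

def outcome_counts(n=600):
    """Property (2): all six ordered pairs should occur with similar frequency."""
    counts = {}
    for seed in range(n):
        out = play(seed)
        counts[out] = counts.get(out, 0) + 1
    return counts

def is_quadratic_residue(v):
    """Euler's criterion modulo the prime p."""
    return pow(v, (P - 1) // 2, P) == 1

def leaks_residuosity(e):
    """Since e is odd, m^e mod p is a residue iff m is: one bit per card is visible
    to anyone who sees the encrypted deck (the known weakness of this scheme)."""
    return all(is_quadratic_residue(enc(m, e)) == is_quadratic_residue(m) for m in CARDS)

if __name__ == "__main__":
    print(play(1), outcome_counts())
```

The decryption steps rely on m^(e·d) = m^(1 + k(p − 1)) = m mod p for 0 < m < p (Fermat's little theorem), and step 4 relies on (m^e_Alice)^e_Bob = (m^e_Bob)^e_Alice. The last function shows why a deployable version needs a different commutative cipher: an eavesdropper learns the residuosity pattern of the shuffled deck before any card is chosen.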