of 51 /51
Complexity and Cryptography Haya Shulman CGC Colloquium

Complexity and Cryptography Haya Shulman CGC Colloquium

  • View
    227

  • Download
    2

Embed Size (px)

Citation preview

Page 1: Complexity and Cryptography Haya Shulman CGC Colloquium

Complexity and Cryptography

Haya ShulmanCGC Colloquium

Page 2: Complexity and Cryptography Haya Shulman CGC Colloquium

Complexity Theory

• Determines complexity (power and limitations) of well defined tasks– Defines resources required to solve

computational problems• E.g. time, space, randomness, interaction

– Classifies problems according to their difficulty

– Defines relations between computational phenomena

Page 3: Complexity and Cryptography Haya Shulman CGC Colloquium

Complexity Theory

• Provided a way of dividing computational world into complexity classes

• Evidence implying that these complexity classes are distinct

• Complexity Class is a fundamental notion of complexity theory – Practical: relationship between

computational classes and real computational problems

Page 4: Complexity and Cryptography Haya Shulman CGC Colloquium

Complexity Class

• A model of computation– Turing machine

• A resource or a set thereof– E.g. time, memory

• A complexity bound for each resource• Complexity considers the worst case

performance• Lower bounds are stated asymptotically

– Constant factors are irrelevant, and only the order of the lower bound is considered (linear, poly, exponential,…)

Page 5: Complexity and Cryptography Haya Shulman CGC Colloquium

Turing Machine

Deterministic vs. Non-Deterministic Turing

Machine

Page 6: Complexity and Cryptography Haya Shulman CGC Colloquium

Turing Machine

• Was invented by Alan Turing in 1936• Turing machine is an abstract model

of computation– Embodies any computer program– Turing machine is composed of a

"tape“, head and the program, i.e. a list of transitions

Page 7: Complexity and Cryptography Haya Shulman CGC Colloquium

Turing Machine vs. Computers

• If a computer can compute an algorithm then so can a Turing machine

• Can a computer compute an algorithm if a Turing machine can?– No computer is as powerful as a Turing

machine• A computer is restricted while a Turing

machine can do all that is theoretically possible given unlimited resources, e.g. time, memory

Page 8: Complexity and Cryptography Haya Shulman CGC Colloquium

Deterministic Turing Machine

• Deterministic machines model real computations

• Transition function for a given state and symbol under the tape head, specifies: – The symbol to be written to the tape– The direction to move the head– The state of the finite control

• Given A on the tape in state 5, write B on the tape move the head right, and switch to state 7

Page 9: Complexity and Cryptography Haya Shulman CGC Colloquium

Non-Deterministic Turing Machine

• The state and tape symbol do not uniquely specify the computation– The machine "branches" into many copies,

each follows one possible transition– If any branch of the tree halts with an accept

condition, then the machine accepts the input

• Given A on the tape in state 5, write B on the tape move the head right, and switch to state 7 or write A, move left and stay in state 5

Page 10: Complexity and Cryptography Haya Shulman CGC Colloquium

Deterministic vs. Non-Deterministic Turing Machine

• NDTM has a computation tree, while a DTM has a single computation path

• Is NDTM more powerful than DTM?– Any language recognized by an NDTM can

also be recognized by a DTM• DTM simulates each branch of NDTM

– Makes multiple copies of states when multiple transitions are possible

• How long to simulate? P vs. NP

Page 11: Complexity and Cryptography Haya Shulman CGC Colloquium

NPP

DeterministicPolynomial Time

Non-DeterministicPolynomial Time

P vs. NP

Page 12: Complexity and Cryptography Haya Shulman CGC Colloquium

P vs. NP

• Is finding solutions to problems harder than verifying their correctness?

• P represents – Efficiently solvable tasks– Sets of assertions that can be efficiently verified

from scratch

• NP represents – Tasks for which solutions can be efficiently

checked– Sets of assertions that can be efficiently verified

with the help of adequate proofs

Page 13: Complexity and Cryptography Haya Shulman CGC Colloquium

P vs. NP

• Complexity theory is concerned with manipulation of information– A solution to a computational problem is a

different representation of the information• A representation in which the answer is explicit

rather than implicit

– The problem contains all necessary information• Process the information in order to supply the

answer• E.g. the answer to “is a given Boolean formula

satisfiable” is implicit in the formula itself and the task is to make the answer explicit

Page 14: Complexity and Cryptography Haya Shulman CGC Colloquium

Complexity Classes

P, NP, NPC

Page 15: Complexity and Cryptography Haya Shulman CGC Colloquium

Definitions

• A language is a set of strings– E.g. Primes={2,3,5,7,11,13,17,19…}

• Decision problem:– Given some string determine if it is in

the set– Given i, is i Primes?

• Primes P

Page 16: Complexity and Cryptography Haya Shulman CGC Colloquium

P Complexity Class

• The class of all languages that can be recognised by a deterministic polynomial time machine

• A language L is in P if there exists a TM M and a polynomial p(), s.t.– M(x) halts in at most p(|x|) steps– M(x)=1 iff x in L

Page 17: Complexity and Cryptography Haya Shulman CGC Colloquium

P Associated with Efficient Computation

• Showing that a problem not in P, implies that solution by a DTM is impossible

• Reductions: given efficient f() and p(), h=f•p efficient

• Poly time is a boundary between feasible and infeasible– Given a polynomial algorithm apply mathematical and

algorithmic techniques to improve• All models of sequential computation yield the

same class P– The notions of polynomial time for all models of

sequential computation yeild the same class– The class P captures the true notion of the problems

that are computable in polynomial time by sequential machines

Page 18: Complexity and Cryptography Haya Shulman CGC Colloquium

NP Complexity Class

• LNP if L’ P and p(∙), s.t. for every x, x L iff w, s.t. |w|≤p(|x|) and (x,w) L’– Definition by means of DTM, which verifies

correctness of solutions– When x L, w is the positive solution to the

problem represented by x, or a proof that x L

• Class of problems, s.t. – DTM: Given solution, test for validity efficiently– NDTM: Guess a solution and test for validity

• NDTM has infinitely many parallel processors

Page 19: Complexity and Cryptography Haya Shulman CGC Colloquium

NP Complexity Class

• L is set of composite numbers– DTM:

• Given the proof, verify its correctness

• Given proof that x is composite, i.e. x1≥2 and x2 ≥ 2, check if x1x2=x

– NDTM: • Try all possible solutions at once, and identify the

solution in polynomial time• On input x the machine branches to write down guesses

for x1 and x2

– Then deterministically multiplies to test if x1x2=x

• There exists an accepting computation path iff x is composite

Page 20: Complexity and Cryptography Haya Shulman CGC Colloquium

Complexity

• Failed to establish lower bounds on resources• Showed that many problems computationally

equivalent– All of them have efficient algorithms or all of them

do not– E.g. failed to determine complexity of finding

satisfying assignment of boolean formula (SAT) or 3COL

– In contrast, established that these problems are computationally equivalent

Page 21: Complexity and Cryptography Haya Shulman CGC Colloquium

NP Complete Complexity Class

• Identifies a set of problems that are as hard as NP

• If Any of those problems is easy to solve, then so are all problems in NP

• Demonstrating NP-Completeness of a task is a central tool in indicating hardness of problems

• Showing that a problem is NPC provides evidence to its intractability

Page 22: Complexity and Cryptography Haya Shulman CGC Colloquium

NP Complete Complexity Class

• A problem is NP Complete if– It is in NP– Every NP problem is reduced to it in

polynomial time

• L NPC if – L NP

– For every L’ NP, L’ ≤P L

Page 23: Complexity and Cryptography Haya Shulman CGC Colloquium

Reducibility

• Language L1 is polynomial-time reducible to language L2

– L1 ≤P L2

• If there exists a polynomial-time computable function f: {0, 1}* → {0, 1}* such that for all x {0, 1}*

x L1 iff f(x) L2•Significance:

– If L2 P and L1 ≤P L2, then L1 P also

Page 24: Complexity and Cryptography Haya Shulman CGC Colloquium

Reduction

• Cook’s theorem:– Every decision problem in the class NP

reduces to the Boolean satisfiability problem SAT

Page 25: Complexity and Cryptography Haya Shulman CGC Colloquium

SAT

• The first decision problem proved to be NP-complete• Boolean satisfiability problem (SAT) is a decision

problem– Its instance is a Boolean expression with only AND, OR, NOT,

variables, and parentheses– Is there some assignment of TRUE and FALSE values to the

variables that will make the entire expression true

• Any problem that can be reduced to SAT in polynomial time is in NPC

j

m

jii

n

ixCC

11 s.t. ,

Page 26: Complexity and Cryptography Haya Shulman CGC Colloquium

SAT

• Non-Deterministic algorithm:– Guess an assignment of the variables– Check if this is a satisfying assignment

• Deterministic algorithm– Given an assignment, check if satisfying

• Time for n variables: – Guess an assignment of the variables O(n)– Check if this is a satisfying assignment O(n)– Total time: O(n)

The satisfiability problem is an NP Complete Problem

Page 27: Complexity and Cryptography Haya Shulman CGC Colloquium

Theorem: NP-Completeness

• If any NP-complete problem is polynomial-time solvable, then P = NP!– If L NPC and we can find a DTM accepting L in

polynomial time (so that L P ), then P = NP– All the problems in NP would have polynomial

deterministic solutions!

• Equivalently, if any problem in NP is not polynomial-time solvable, then no NP-complete problem is polynomial-time solvable– If we prove that we cannot solve an NP-Complete

problem in Deterministic Polynomial Time, then we know: P ≠ NP

Page 28: Complexity and Cryptography Haya Shulman CGC Colloquium

Proof: NP-Completeness

• Let L P and L NPC– For any L′ NP, L′≤P L

• By definition of NP-completeness

– Therefore, L′ P

Page 29: Complexity and Cryptography Haya Shulman CGC Colloquium

P, NP, NPC Complexity Hierarchy

P

Primes

NP

NPC

• SAT

Page 30: Complexity and Cryptography Haya Shulman CGC Colloquium

Cryptography and Complexity

Basing cryptography on complexity

theoretic assumptionsRandomnessInteraction

Page 31: Complexity and Cryptography Haya Shulman CGC Colloquium

Complexity Theory• Study the resources

required to solve computational tasks – time, space(memory)

• Understanding relations between complexity phenomena

• Provides new perspective on various concepts

Cryptography• Specify security

requirements of systems

• Use the computational infeasibility of problems to obtain security

• Almost any cryptographic task requires using this idea

These disciplines are connected!

Cryptography and Complexity

Page 32: Complexity and Cryptography Haya Shulman CGC Colloquium

Cryptography

• Study of systems that are easy to use, but hard to abuse

• Crypto systems involve– Secrets– Randomness– Interaction – Complexity gap

• Between proper usage by legitimate parties and infeasibility of causing systems deviate from prescribed functionality

Page 33: Complexity and Cryptography Haya Shulman CGC Colloquium

Cryptography is Based on Complexity Theoretic

Assumptions• Transformations of simple primitives, e.g.

One Way Functions into complex constructions, e.g. encryption schemes

• Intractability of NPC problems is based on hardest instances– But, some problems are easy on average

• Breaking crypto-system must be hard for almost all instances and not just some of them– For cryptography, use average case

complexity analysis

Page 34: Complexity and Cryptography Haya Shulman CGC Colloquium

Randomness

Pseudo-Random Generators (PRG)

Page 35: Complexity and Cryptography Haya Shulman CGC Colloquium

Randomness and Intractability

• Complexity defines objects as equivalent if they cannot be told apart by efficient observer

• Coin toss is random if it is infeasible to predict the outcome

• A distribution is random if it is infeasible to distinguish from uniform distribution

• Randomness is expandable– Random strings can be expanded into longer

pseudo random strings

Page 36: Complexity and Cryptography Haya Shulman CGC Colloquium

Randomness and Intractability

• Pseudo-randomness refers to intractability– i.e. infeasibility of distinguishing pseudo-random

strings from uniformly distributed strings

• The assumption of One Way Functions implies the existence of pseudo-random generators– Stretch short random seeds into long pseudo-

random strings

• Existence of PRGs is equivalent to the existence of OWFs

Page 37: Complexity and Cryptography Haya Shulman CGC Colloquium

Derandomisation

• Goal– Real random bits are difficult to obtain, use

less randomness• Idea

– Replace random strings with pseudo-random• Security?

– Depends on the power of the distinguisher• For restricted distinguisher, probability to

distinguish is ½• For an unbounded distinguisher, probability to

distinguish is 1

Page 38: Complexity and Cryptography Haya Shulman CGC Colloquium

Generating Computational Randomness

Pseudo-Random Generator

random seed

Pseudo-random string

Insecure against computationally unbounded distinguisher

Secure against computationally bounded distinguisher

Page 39: Complexity and Cryptography Haya Shulman CGC Colloquium

Pseudo-Random Generator

PRG

random seed

Pseudo-random string truly random string

Appear indistinguishableto any Efficient Observer

• PRG is a polynomial time deterministic function whose output is indistinguishable from random by any efficient distinguisher

Page 40: Complexity and Cryptography Haya Shulman CGC Colloquium

PRG and P vs. NP

• Theorem:– If P=NP there are no PRGs

• Proof sketch:– Let G be a PRG and let D be a distinguisher,

s.t. on input y it accepts iff there is an x s.t. G(x)=y

– D NP - can guess x’ and check if G(x’)=y– Since P=NP, D is efficient– Accepts all strings except those output by G– G is not PRG

Page 41: Complexity and Cryptography Haya Shulman CGC Colloquium

Information vs. Knowledge

Interactive Proofs Zero Knowledge Proofs

Page 42: Complexity and Cryptography Haya Shulman CGC Colloquium

Knowledge and Secrecy• A result of hard computation

– Not a knowledge if can be efficiently computed by anyone

• Zero Knowledge Interaction– Interactions in which no knowledge is gained– Assert correctness of data provided beforehand– Motivation for interaction is gaining knowledge– Showing a possession of a secret to other party

without revealing the secret

• Knowledge is something one party has and the other does not and cannot feasibly obtain– “Knowledge is a secret”

Page 43: Complexity and Cryptography Haya Shulman CGC Colloquium

What is a gain of knowledge?

• Defined with respect to computational ability

• Bob gains knowledge after interacting with Alice if:– After the interaction Bob can easily

compute something that was infeasible for him before

Page 44: Complexity and Cryptography Haya Shulman CGC Colloquium

Recall: The complexity class NP

• The languages in NP are those whose members all have short certificates of membership, which can be easily verified

• NP can be characterized as the set of languages for which an efficient procedure exists to check if a string belongs to that language

• Given a string x from a language L and a certificate w it is easy to check if x belongs to L

Page 45: Complexity and Cryptography Haya Shulman CGC Colloquium

Proof Systems and NP

• We can view this as follows:– There is an unbounded prover– The prover has to convince the

verifier that the input is indeed a member of the language

– It sends the verifier a short (polynomial) certificate

– The verifier is bounded•The verification of the certificate cannot

take more than polynomial time

Page 46: Complexity and Cryptography Haya Shulman CGC Colloquium

Interactive Proof System• Interactive proofs is a generalisation of the

concept of a proof system• It is obtained by adding two more properties

– Interaction between the parties (interaction adds power)

– Letting the verifier toss coins (randomisation)• Why?

• An Interactive Proof System is a two-party game between a verifier and a prover that interact on a common input for a polynomial amount of time

• Eventually the verifier accepts (x L) or rejects the input otherwise

Page 47: Complexity and Cryptography Haya Shulman CGC Colloquium

Properties of an Interactive Proof System

• Prover and verifier interact with each other– Two Turing machines, sharing a common tape– The unbounded prover has to convince the bounded

(polynomial) verifier• Correctness:

– Soundness - I’ll not believe a false statement• For a false assertion no proof strategy exists

– Completeness - I’ll believe all true statements• For a true assertion there is a convincing proof strategy

• Proofs are defined by their verification procedure

• Verification is typically simple - proving is typically hard

• IP = class of languages that have interactive proofs

Page 48: Complexity and Cryptography Haya Shulman CGC Colloquium

Example: IP for SAT

• Check the membership of a given boolean formula: =(xyz’)(x’y’)z’

• The prover must convince the verifier this formula is satisfiable – It sends an assignment, which supposedly

satisfies the formula • x=0, y=1, z=0

– It is not difficult for the prover to find such, if such exists; why?• The prover is unbounded

Page 49: Complexity and Cryptography Haya Shulman CGC Colloquium

Example: IP for SAT

• The verifier checks the truth value of the formula under the assignment it received

• Finds out whether the prover was right

• This takes polynomial time

Page 50: Complexity and Cryptography Haya Shulman CGC Colloquium

Zero Knowledge Proof System

• (P,V) is ZKIP, if – It is complete and sound– It is zero knowledge

• The verifier does not learn anything except the truth of the statement

• For every verifier interacting with a prover, there is a simulator

• This simulator does not have access to the interactive prover– Yet, it can simulate the interaction between P and V– Hence, V did not gain any knowledge from P

• Since the same output could have been generated without any access to P

Page 51: Complexity and Cryptography Haya Shulman CGC Colloquium

Questions?

Thank you.