Cryptography and Complexity at the Weizmann Institute

1
Cryptography and Complexity at the Weizmann
Institute
  • Moni Naor

Weizmann Institute of Science Open Day February
2005
2
Computational Complexity Theory
  • Study the resources needed to solve computational
    problems
  • Computer time
  • Computer memory
  • Communication
  • Parallelism
  • Randomness
  • Identify problems that are infeasible to compute
    by any reasonable machine
  • Taxonomy: classify problems into classes with
    similar properties wrt the resource requirements
  • Help find the most efficient algorithm for a
    problem
  • A computational problem
  • multiplying two numbers,
  • selecting a move in a chess position
  • Find the shortest tour visiting all cities

P = NP?
3
What is Cryptography?
Traditionally: how to maintain secrecy in
communication
Alice and Bob talk while Eve tries to listen
[Figure: Alice, Bob, Eve]
4
History of Cryptography
  • Very ancient occupation
  • Biblical times -
  • Egyptian Hieroglyphs
  • Unusual ones
  • ...
  • Many interesting books and sources, especially
    about the Enigma (WW2)

5
Modern Times
  • Up to the mid 70s - mostly classified military
    work
  • Since then - explosive growth
  • Commercial applications
  • Scientific work: tight relationship with
    Computational Complexity Theory
  • Recently - more involved models for more diverse
    tasks.
  • How to maintain the secrecy, integrity and
    functionality in computer and communication
    systems.
  • Prevalence of the Internet
  • Cryptography is in the news (daily!)
  • Cryptography is relevant to everyone -
    security and privacy issues for individuals

6
Cryptographic Research
  • Complexity Theory -
  • Study the resources needed to solve computational
    problems
  • computer time, memory
  • Identify problems that are infeasible to
    compute.
  • Cryptography -
  • Find ways to specify security requirements of
    systems
  • Use the computational infeasibility of problems
    in order to obtain security.

The development of these two areas is tightly
connected! A match made in heaven
7
Faculty members in Cryptography and Complexity
  • Prof. Uri Feige
  • Prof. Oded Goldreich
  • Prof. Shafi Goldwasser
  • Prof. Moni Naor
  • Dr. Omer Reingold
  • Prof. Ran Raz
  • Prof. Adi Shamir

One of the most active groups in the world!
8
Authentication
  • One of the fundamental tasks of cryptography
  • Alice (sender) wants to send a message m to Bob
    (receiver).
  • They want to prevent Eve from interfering
  • Bob should be sure that the message m he
    receives is indeed the message m Alice sent.

[Figure: Alice, Bob, Eve]
9
Authentication and Non-Repudiation
  • Key idea of modern cryptography (Diffie-Hellman):
  • can make authentication (signatures) transferable
    to third party - Non-repudiation.
  • Provided Alice (the sender) has a unique public
    key
  • Essential to contract signing, e-commerce
  • First implementation: Rivest, Shamir and Adleman,
    1977
  • Digital signatures: last 25 years, major effort in
  • Research
  • Notions of security
  • Computationally efficient constructions
  • Technology, Infrastructure (PKI), Commerce, Legal

Turing Award 2003
Existential Unforgeability under an adaptive
message attack
10
Is non-repudiation always desirable?
  • Not necessarily so
  • Privacy of conversation, no (verifiable) record.
  • Do you want everything you ever said to be held
    against you?
  • If Bob pays for the authentication, he shouldn't be
    able to transfer it for free
  • Alternative: (Plausible) Deniability
  • If the recipient (or any recipient) could have
    generated the conversation himself
  • or an indistinguishable one

Key concept in cryptography and complexity
11
Deniable Authentication
  • Setting:
  • Sender has a public key known to receiver
  • Want to come up with a (perhaps interactive)
    authentication scheme such that the receiver
    keeps no receipt of the conversation.
  • This means:
  • Any receiver could have generated the
    conversation itself.
  • There is a simulator that for any message m and
    verifier V generates an indistinguishable
    conversation.
  • This property is known as Zero-Knowledge!
  • An example where zero-knowledge is the ends, not
    the means!
  • Proof of security consists of Unforgeability and
    Deniability

Yet another WIS concept
12
Ring Signatures and Authentication
  • Can we keep the sender anonymous?
  • Idea: prove that the signer is a member of an ad
    hoc set
  • Other members do not cooperate
  • Use their regular public-keys
  • Encryption
  • Should be indistinguishable which member of the
    set is actually doing the authentication

[Figure: Bob, Alice?, Eve]
13
Deniable Ring Authentication
  • Completeness: a good sender and receiver complete
    the authentication on any message m
  • Unforgeability: existentially unforgeable against
    adaptive chosen message attack
  • for any sequence of messages m1, m2, …, mk
  • adversarially chosen in an adaptive manner
  • Even if the sender authenticates all of m1, m2, …, mk
  • Probability that a forger convinces the receiver to
    accept a message m ∉ {m1, m2, …, mk}
  • is negligible

Properties of an interactive authentication scheme
14
Deniable Ring Authentication
  • Deniability:
  • For any verifier, for any arbitrary set of keys,
    some good some bad, there is a simulator that can
    generate computationally indistinguishable
    conversations.
  • A more stringent requirement: statistically
    indistinguishable
  • Source Hiding:
  • For any verifier, for any arbitrary set of keys,
    some good some bad, the source is computationally
    indistinguishable among the good keys
  • A more stringent requirement: statistically
    indistinguishable
  • Source Hiding and Deniability are incomparable

15
Encryption
Plaintext
  • Assume a public key encryption scheme E
  • Public key PK: knowing PK, can encrypt message m
  • generate Y = E(PK, m, r)
  • With the corresponding secret key PS, given Y can
    retrieve m
  • m = D(PS, Y)
  • Encryption process is probabilistic
  • Each message induces a distribution on the
    ciphertexts
  • Security of encryption scheme:
  • non-malleable against chosen ciphertext attacks
    in the post-processing mode.
  • In particular, given Y = E(PK, m, r) it is hard to
    generate Y' = E(PK, m', r') for a related message
    m'
  • Example of a very malleable scheme: one-time pad

Ciphertext
16
A Public Key Authentication Protocol
  • P has a public key PK of an encryption scheme E.
  • To authenticate a message m:
  • V → P: Choose x ∈R {0,1}^n.
  • Send Y = E(PK, m∘x, r)
  • P → V: Verify that the prefix of the plaintext is
    indeed m.
  • If yes - send x.
  • V accepts iff the received x' = x
  • Is it Unforgeable? Is it Deniable?

17
Security of the scheme
  • Unforgeability: depends on the strength of E
  • Sensitive to malleability:
  • if given E(PK, m∘x, r) one can generate E(PK, m'∘x',
    r') where m' is related to m and x' is related to
    x, then one can forge.
  • The protocol allows a chosen ciphertext attack on
    E.
  • Even of the post-processing kind!
  • Can prove that any strategy for existential
    forgery can be translated into a CCA strategy on
    E
  • Works even against concurrent executions.
  • Deniability: does V retain a receipt?
  • It does not retain one for an honest V
  • Need to prove knowledge of x
There are encryption schemes satisfying the
desired requirements
18
Simulator for honest receiver
  • Choose x ∈R {0,1}^n.
  • Output ⟨Y = E(PK, m∘x, r), x, r⟩
  • Has exactly the same distribution as a real
    conversation when the verifier is following the
    protocol
  • Statistical indistinguishability
  • Verifier might cheat by checking whether certain
    ciphertexts have m as a prefix
  • No known concrete way of doing harm this way

19
Encryption as Commitment
  • When the public key PK is fixed and known, Y = E(PK,
    x, r) can be seen as a commitment to x
  • To open x: reveal r, the random bits used to
    create Y
  • Perfect binding from unique decryption:
  • For any Y there are no two different x and x' and
    r and r' s.t.
  • Y = E(PK, x, r) = E(PK, x', r')
  • Secrecy: no information about x is leaked to
    those not knowing the private key PS

20
Deniable Protocol
  • P has a public key PK of an encryption scheme E.
  • To authenticate message m:
  • V → P: Choose x ∈R {0,1}^n.
  • Send Y = E(PK, m∘x, r)
  • P → V: Send E(PK, x, t)
  • V → P: Send x and r - opening Y = E(PK, m∘x, r)
  • P → V: Open E(PK, x, t) by sending t.

P commits to the value x. Does not want to
reveal it yet
21
Security of the scheme
  • Unforgeability: as before - depends on the
    strength of E
  • can simulate previous scheme (with access to D(PK,
    ·))
  • Important property: E(PK, x, t) is a
    non-malleable commitment (wrt the encryption) to
    x.
  • Deniability: can run simulator
  • Extract x by running with E(PK, garbage, t) and
    rewinding
  • Expected polynomial time
  • Need the semantic security of E - it acts as a
    commitment scheme

22
Ring Signatures and Authentication
  • Want to keep the sender anonymous by proving
    that the signer is a member of an ad hoc set
  • Other members do not cooperate
  • Use their regular public-keys
  • Should be indistinguishable which member of the
    set is actually doing the authentication

[Figure: Bob, Alice?, Eve]
23
Ring Authentication Setting
  • A ring is an arbitrary set of participants
    including the authenticator
  • Each member i of the ring has a public encryption
    key PKi
  • Only i knows the corresponding secret key PSi
  • To run a ring authentication protocol both sides
    need to know PK1, PK2, …, PKn,
  • the public keys of the ring members

...
24
An almost Good Ring Authentication Protocol
  • Ring has public keys PK1, PK2, …, PKn of
    encryption scheme E
  • To authenticate message m with the jth decryption key
    PSj:
  • V → P: Choose x ∈ {0,1}^n.
  • Send E(PK1, m∘x, r1), E(PK2, m∘x, r2), …,
    E(PKn, m∘x, rn)
  • P → V: Decrypt E(PKj, m∘x, rj) using PSj and
  • Send E(PK1, x, t1), E(PK2, x, t2), …, E(PKn,
    x, tn)
  • V → P: open all the E(PKi, m∘x, ri) by
  • Send x and r1, r2, …, rn
  • P → V: Verify consistency and open all E(PKi,
    x, ti) by
  • Send t1, t2, …, tn

Problem: what if not all suffixes (x's) are
equal?
25
The Ring Authentication Protocol
  • Ring has public keys PK1, PK2, …, PKn of
    encryption scheme E
  • To authenticate message m with the jth decryption key
    PSj:
  • V → P: Choose x ∈ {0,1}^n.
  • Send E(PK1, m∘x, r1), E(PK2, m∘x, r2), …,
    E(PKn, m∘x, rn)
  • P → V: Decrypt E(PKj, m∘x, rj) using PSj and
  • Send E(PK1, x1, t1), E(PK2, x2, t2), …,
    E(PKn, xn, tn)
  • Where x = x1 ⊕ x2 ⊕ … ⊕ xn
  • V → P: open all the E(PKi, m∘x, ri) by
  • Send x and r1, r2, …, rn
  • P → V: Verify consistency and open all E(PKi,
    x, ti) by
  • Send t1, t2, …, tn and x1, x2, …, xn
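
The four-message flow of the ring protocol above, as an added example that is not code from the presentation; with a one-key ring it is the Deniable Protocol slide, and `probe` models a verifier sending unequal suffixes. Assumptions: toy ElGamal stands in for E (it is malleable, so it does not meet the non-malleability the slides require), x is 32 bits, shares combine by XOR, and the names `ring_auth`, `pack` and `probe` are hypothetical.

```python
import secrets
from functools import reduce
from operator import xor

# Toy ElGamal stands in for E (assumption): malleable, so illustration only.
P, G = 2**127 - 1, 3

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def E(pk, msg, r):   # deterministic in r, so revealing r opens the ciphertext
    return pow(G, r, P), msg * pow(pk, r, P) % P

def D(sk, c):
    return c[1] * pow(c[0], P - 1 - sk, P) % P

def rand():
    return secrets.randbelow(P - 2) + 1

def pack(m, x):      # m∘x: message bytes (at most 11) followed by a 32-bit x
    return int.from_bytes(m, "big") << 32 | x

def ring_auth(m, pks, j, sk_j, probe=None):
    """Run both sides; `probe` makes V encrypt a different x under that key."""
    n = len(pks)
    # V -> P: choose x, send E(PK_i, m∘x, r_i) for every ring member
    x, rs = secrets.randbits(32), [rand() for _ in pks]
    sent = [x ^ 1 if i == probe else x for i in range(n)]
    Ys = [E(pk, pack(m, xi), r) for pk, xi, r in zip(pks, sent, rs)]
    # P -> V: decrypt Y_j, check the prefix is m, commit to XOR shares of x
    plain = D(sk_j, Ys[j])
    if plain >> 32 != int.from_bytes(m, "big"):
        return "reject: wrong message"
    shares = [secrets.randbits(32) for _ in range(n - 1)]
    shares.append(reduce(xor, shares, plain & 0xFFFFFFFF))
    ts = [rand() for _ in pks]
    Cs = [E(pk, s, t) for pk, s, t in zip(pks, shares, ts)]
    # V -> P: send x and r_1..r_n; P re-encrypts to verify consistency
    if any(Y != E(pk, pack(m, x), r) for Y, pk, r in zip(Ys, pks, rs)):
        return "abort: inconsistent suffixes"   # P never opens its commitments
    # P -> V: send t_i and x_i; V re-encrypts each share and recombines
    ok = all(C == E(pk, s, t) for C, pk, s, t in zip(Cs, pks, shares, ts))
    return "accept" if ok and reduce(xor, shares) == x else "reject"
```

The abort result is the same whichever member j is running the prover, so a probing verifier gets no opened commitment to compare against.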

26
Properties of the Scheme
  • Works with any good encryption scheme - members
    of the ring are unwilling participants.
  • Fairly efficient scheme
  • Need n encryptions, n verifications and one
    decryption
  • Can extend the scheme so as to convince a verifier
    that at least k members confirm the message.
  • What are the social implications of the existence
    of ring authentication?

27
Summary
  • Cryptography and Complexity are very active
    research areas
  • Research activities in the areas range from
  • providing firm foundations to the construction of
    methods
  • providing actual constructions and analysis
    for specific needs.
  • Many unexpected results...

28
Security of the scheme
  • Unforgeability: as before (assuming all keys are
    well chosen) since
  • E(PK1, x1, t1), E(PK2, x2, t2), …, E(PKn, xn, tn)
  • where x = x1 ⊕ x2 ⊕ … ⊕ xn
  • is a non-malleable commitment to x
  • Source Hiding: which key was used (among well
    chosen keys) is
  • Computationally indistinguishable during protocol
  • Statistically indistinguishable after protocol
  • If it ends successfully
  • Deniability: can run simulator as before