Loading...

PPT – Symbiosis Among Cryptography, Coding Theory, Distributed Algorithms and Quantum Computing PowerPoint presentation | free to download - id: 617c70-ZDc2Z

The Adobe Flash plugin is needed to view this content

Symbiosis Among Cryptography, Coding Theory,

Distributed Algorithms and Quantum Computing

- Kannan Srinathan
- IIIT Hyderabad

Our Focus

- Achieving secure communication over an insecure

channel

Our Focus (Contd.)

- A fundamental and practical problem
- Initial set-back Shannons pessimistic theorem
- Circumventing Shannon Independently achieved by

all four fields

Our Focus (Contd.)

- Each of these four solutions has its own set of

advantages and limitations - Each solution is better than the other three,

in some sense. - These solutions are based on orthogonal

assumptions and can be used together yielding

improved security

Whats So Difficult About the Problem?

- Classically, a perfect solution is impossible!
- Shannon 1 proved that secure communication over

an insecure channel is impossible. - The impossibility stems from the invariant that

adversary knows all that receiver knows. - 1 Shannon, Claude. "Communication Theory of

Secrecy Systems", Bell System Technical Journal,

vol.28(4), page 656715, 1949.

Shannons Solution Assume a Secure Channel!

Perfectly secure channels are necessary for

perfectly secure communication

How fast should the secure channel be?

- Shannon proved that even if there is a secure

shared key between sender and receiver,

theoretically unbreakable ciphers must use a key

at least as big as the message. This is

impractical. - Conclusion We need very fast secure channels

Solution is Impractical!

Overall secure throughput 1 Mbps

- The secure communication throughput of the entire

system is same as the cumulative bandwidth of

truly secure channels in the system

The Main Issue

- Fast secure channels are required for efficient

secure communication

Chicken-and-Egg problem!

Solving the Issue

- Some sort of assumptions are necessary to

resolve the main issue - Different assumptions lead to different

paradigms of security

Paradigm 1 Modern Cryptography

- Shannons impossibility holds if the message is

to be kept secure forever, however for all

practical purposes it is enough to keep a message

secure for a very long (finite) time - This paradigm is based on complexity theory
- Assumption Everybodys (including adversarys)

computing power is polynomial-time bounded

Solution 1 Modern Cryptographic Solution

- One-way functions
- For simulating slow secure channel over a

insecure channel - For example, Diffie-Hellman Key exchange, RSA

etc. - Psedorandom generators (stream ciphers) and

pseudorandom functions (block ciphers) - For simulating a fast secure channel over a slow

secure channel - For example, Blum-Blum-Shub, DES, AES, etc.

Diffie-Hellman Key Exchange 2

- Based on the hardness of the Discrete Logarithm

problem - 2 New Directions in Cryptography W. Diffie and

M. E. Hellman, IEEE Transactions on Information

Theory, vol. IT-22, Nov. 1976, pp 644-654.

The Protocol

- Public information A prime p and a generator g

of the cyclic (multiplicative) group Zp - Sender S chooses a random element a from Zp

and sends (ga mod p) to R. - Receiver R chooses a random element b from Zp

and sends (gb mod p) to S. - S computes K (gb)a gab (mod p)
- R computes K (ga)b gab (mod p)

What about adversary ?

- Adversary sees g,p,ga (mod p),gb (mod p)
- Given g, p, ga (mod p) computing a is Hard -

discrete logarithm problem. - Since adversary cannot find either a or b, it

(conjecturally) cannot compute gab.

Paradigm 2 Distributed Algorithmic Solution

Distributed Algorithmic Solution

- Shannons impossibility holds if the adversary

possesses complete access to the channel - However for all practical purposes, the channel

consists of a huge network of nodes and it may be

assumed that not all of the network is

simultaneously accessible to the adversary - This paradigm is based on Network theory
- Key ingredient Secret Sharing
- Assumption Everybodys (including adversarys)

Bandwidth is bounded

t-Secret Sharing

- Shamirs Protocol
- Choose a t-degree polynomial p() over a (large

enough) finite field - Let Secret s p(0)
- Shares are p(1), p(2), p(n) for some n
- Ref Adi Shamir. How to Share a Secret. CACM, 1979

Perfectly Secure Communication

- Dolev et al. 3 Protocol
- Sender shares the message using secret sharing

and sends the shares to Receiver along different

paths. - Receiver collects all the shares, and

reconstructs the message. - 3 Danny Dolev, Cynthia Dwork, Orli Waarts, Moti

Yung Perfectly secure message transmission, J.

ACM 40, 1 (1993), 17-47.

Paradigm 3 Quantum Mechanical Solution

Quantum Secret Key Establishment Protocol

The Standard Setting

Quantum Secret Key Establishment Protocol

- Sender S and receiver R share a quantum

communication channel, via which quantum states

can be transmitted. - Two conjugate bases are used, say b1 and b2.as

shown in the table. - S chooses a random base, and based on the bit to

send, it sends a qubit prepared in the

corresponding state. - R measures the qubit received, with a random

base. If the base is different from what S used,

the bit is lost, else R measures the actual bit.

Bit 0 1

b1

b2

Quantum SKEP (Contd.)

- This process is repeated for all the bits.
- S and R publicly compare (through a classical

channel) their respective bases, and discard all

those bits where their bases were different. - The bases are same for nearly half the number of

bits. - S and R now check whether adversary has

intercepted (measured) any of these bits, by

comparing a certain subset of the remaining bit

strings. - If more than p bits differ, they abort the key

and repeat the process.

Quantum SKEP (Contd.)

- Eve will use the wrong basis approximately 50 of

the time (while resending) - Bob measures a resent qubit with the correct

basis there will be a 25 probability that he

measures the wrong value.

Paradigm 4 Coding Theoretic Solution

Noise-based Secrecy

- Shannons impossibility holds if the adversary

can access all information that the receiver can

access - However in practical scenarios, the channel is

noisy and therefore it may be assumed that the

noisy data received by the adversary is different

from the noisy data received by the receiver - This paradigm is based on Information/Coding

Theory - Assumption Everybody (including adversary)

receives different noisy versions of the data

Intuitively

- Noise is bad for any system because
- it can affect the systems functionality,

efficiency, accuracy and so on

Can Noise be Useful?

- Usually NO
- by definition
- (naturally, it is termed as noise typically

because of its adversarial nature!)

Can Noise be Useful? (Contd.)

- Rarely YES but how?
- Perhaps in situations where we need to

simultaneously deal with another adversarial

entity apart from noise - We may then hope that the two adversaries would

fight among themselves making it easier for us to

tackle them together, than each one individually

Does Our Hope Come True?

- Are there real examples for such a comedy of

errors by the adversarial entities? - YES

Whos Are Our Adversaries?

- The First Adversary
- Responsible for injecting noise in the

communication channel - The Other Adversary
- The Cryptographic Eavesdropper
- Responsible for listening/reading critical

information from channel/nodes

Revisiting Secure Communication

- Shannons Result Information-theoretically

Secure Communication is Impossible in a Noiseless

Insecure Channel - Information-theoretically Secure Communication is

possible in an appropriately Noisy Insecure

Channel

Is it noisy?

Another Fundamental Problem Oblivious Transfer

Can A learn only the bit bi without revealing i

to B?

- B

A

Index i

Bit-Array b0,b1,bn

- Information-theoretically Secure Oblivious

Transfer is Impossible in a Noiseless Channel - Information-theoretically Secure Oblivious

Transfer is possible in an appropriately Noisy

Insecure Channel

Yet Another Fundamental Problem Securely

Computing AND

- Securely Computing x ? y in GF(2)

For simplicity assume the following channel

noise Any 1 bit out of every block of 4 bits

sent will be toggled

Fact Perfectly Secure AND is impossible in a

noiseless channel

Protocol for Secure AND

- A chooses four random bits, r0,r1,r2,r3 and sends

them to B, who receives s0,s1,s2,s3 - One of the ri is different from si
- Three of the others are equal
- A and B compute the following 3-tuples

respectively

- A (respectively B) multiplies the ith row of

matrix M with ri (respectively si) to obtain a

matrix MA (resp. MB) - A (resp. B) adds up the resultant 4 by 3 matrix

MA (resp. MB) column-wise to obtain a 3-tuple TA

(a0, b0, c0) (resp. TB (a1,b1,c1))

0 0 0

0 1 0

1 0 0

1 1 1

M

Protocol for Secure AND (Contd.)

- Let x x0 ?x1 and y y0 ?y1
- A sends x1 to B and retains x0
- B sends y0 to A and retains y1
- Now,
- A has x0, y0, a0, b0 and c0
- B has x1, y1, a1, b1 and c1

Protocol for Secure AND (Contd.)

- A publishes (x0?a0) and (y0?b0)
- B publishes (x1?a1) and (y1?b1)
- Both of them compute the bits P and Q
- P (x0?a0) ? (x1?a1)
- Q (y0?b0) ? (y1?b1)
- A computes the bit z0 as follows
- z0 (b0 ? P) ? (a0 ? Q) ? (P ? Q) ? c0
- Similarly B computes z1 as
- z1 (b1 ? P) ? (a1 ? Q) ? (P ? Q) ? c1
- It can be showed that (z0 ? z1) (x ? y)

Securely Computing Any Function in GF(2)

- Express the function by a Boolean circuit using

only AND and XOR gates (fan-in 2 and fan-out 1) - Protocol for Secure AND securely transforms two

shared inputs (x and y) to a shared output

(z) of a single AND gate - Protocol for secure XOR is simple just locally

XOR the input shares - Any circuit can thus be securely evaluated

gate-by-gate till the output wire is reached the

output shares can be XORed to obtain f(x,y)

Protocol for Oblivious Transfer

Can A learn only the bit bi without revealing i

to B?

- B

A

Index i

Bit-Array b0,b1,bn

For n2 We may securely compute ((i?1)?b0) ?

(i ?b1)

Protocol for Secure Communication

- To securely send a bit m, the receiver chooses

uniformly at random a permutation of 0,1 and

executes an Oblivious Transfer of the mth index

bit to the Sender. - Upon receipt of the obliviously transferred bit,

the Sender reliably sends that bit to the

receiver who recovers m from it

Conclusions

- Modern cryptography
- Based on complexity theorys currently unproven

hardness assumptions - Contemporary mathematicians suggest that these

assumptions are (a) likely to be true and (b)

unlikely to be proven in the near future - Very fast and scalable once a secret-key is

established (symmetric-key cryptography)

- Distributed Algorithmic Solution
- Based on adversarys inability to simultaneously

corrupt several routers - Necessitates highly connected networking
- Can tolerate active adversaries too

- Quantum Mechanical Solution
- Based on the postulates of quantum mechanics
- Currently secure transmission is achieved to

about 100km - Is physically unbreakable, however several

side-channel attacks are plausible

- Noisy Channel Solution
- It assumes that natural noise is not under the

cryptographic adversarys control - It is an intriguing recycling of noise in to

productive use - Noise is ubiquitous

Thank You