Polynomial reduction. Outline Lecture. Non deterministic polynomial time. Example 1 : discrete log. Lecture: Polynomial reduction.

Transcription

1 Outlie Lecture Part 1 : Asymmetric cryptography, oe way fuctio, complexity Part 2 : arithmetic complexity ad lower bouds : expoetiatio Part 3 : Provable security ad polyomial time reductio : P, NP classes. Oe-way fuctio ad NP class. 1. NP : defiitio,examples 2. P-reductio, NP-hard, NP-complete, NP-itermediate 3. Relatioship betwee asymetric cryptography ad NP Part 4 : RSA : the algorithm Part 5 : Provable security of RSA Part 6 : Attacks ad importace of paddig. Polyomial reductio Lecture: Polyomial reductio Very short «remid» about P ad NP Example: Least sigificat bit of LOG versus all bits of LOG LSB i a cyclic group: iput x, output YES iff LOG(x) is odd Exercise. 2 / Form 2: Primes, Big Factor ad Factorizatio No determiistic polyomial time Problem F is i P if there is a algorithm A(x) that computes F(x) o iput time polyomial i the iput size, x. P is closed uder compositio ad polyomially bouded iteratios. Decisio problem F is i NP if for all x such that F(x) holds, there exists a polyomial sized certificate c(x) ad a verifyig algorithm V(x, y) such that V(x, c(x)) computes F(x) i time polyomial i x. NP cotais P. It is ot kow if P=? NP Co-NP defiitio: F is i co-np iff Complemet(F) is i NP. Example 1 : discrete log G = {g i, i=0,, -1 a cyclic group of order Problem LOG G : Iput: G ; Output : 0! i < such that g i = x. Decisio Problem PLOG G : Iput: G ad a iteger t ( 0! t < ) ; Output : YES iff LOG G (x) t.

2 PLOG is i NP PLOG(x, t) = YES iff it exists 0! i < such that g i = x ad x t. PLOG is i NP: Certificate : i a iteger Verifyig algorithm V(x, t, i) { y = BiaryPower(g,i); if ( y==x ) ad (i t) retur «OK: PLOG(x,t) is proved»; Algorithm V is a verifyig algorithm for PLOG Proof: V(x,t,i) returs OK! PLOG(x,t) = YES Algorithm V rus i time polyomial i x + t for all iput (x,t) satisfyig PLOG(x,t)=YES Proof: if PLOG(x,t)=YES it exists a polyomial sized certificate i with i! log 2 = x ad V(x,t,i) requires at most O( i + x + t ) operatios. NP-class equivalet defiitios Def 1. NP = set of decisio problems Q which YES output is verified by a determiistic polyomial time: There exists a algorithm VerificatioQ(x, z) : For all x such that Q(x)=YES, it exists z such that VerificatioQ(x, z) returs Q(x)=YES is proved i polyomial time. For all x such that Q(x)=NO, for all z, VerificatioQ(x, z) ever returs Q(x)=YES is proved. Def 2. NP = set of Decisio problems Q that admit a No-determiistic Polyomial-time algorithm: If Q output=yes, at least oe path returs YES If Q output=no, o path returs YES (i.e., ay path returs NO or ifiitely loops ) No-determistic polyomialtime algorithm: a example Decisio problem PLOG G ( x, t ) Iput: w i G ad a iteger t Output : YES iff it exists i : g i = x ad i t. NDetAlgo_PLOG (x, t) { It i = odermiistic_choice (0,.., G -1) ; y = BiaryPower( g, i ) ; if ( y == x ) retur YES ; else { while (1) ; /* ifiite loop */ No-determistic polyomialtime algorithm: a example Decisio problem IS_COMPOSITE ( N ) Iput: a iteger N Output : YES iff N is composite NDetAlgo_IsComposite (N) { It a = odermiistic_choice (1,.., #N) ; if ( N mod a == 0 ) retur YES ; retur NO; Remark: aother proof: PRIME is i P. So IS_COMPOSITE is i P DEC, which is icluded i NP.

3 P-reductio, NP-Hard, NP-Complete Let A ad B be two problems. OracleB(x): oracle that computes B(x) i time x. Def: Polyomial Reductio: A! P B iff there exists a algorithm Algo A that computes A(x) i polyomial time usig stadard operatios (DTM or RAM model) ad oracles for B. Note: This polyomial reductio is amed «Turig-reductio» or «Cook-reductio») PLOG G! P LOG G Algorithm PLOG_reductio (G x, It t) { logx = OracleLOG( x ) ; if (logx t) retur YES else retur NO; Assumig cost of OracleLOG is costat, ad sice 0! logx < ad 0! t <, cost of PLOG_reductio is O( log ). Thus PLOG G! P LOG G. LOG G! P PLOG G Algorithm LOG_reductio (G x) { // computatio by biary search i [mi, max( mi = 0 ; max = ; while (mi < max) { mid = (mi + max ) / 2 ; if ( OraclePLOG( x, mid)) { mi=mid; else {max=mid;; retur mi; Cost icludig calls to the Oracle: O( log 2 ), which is polyomial i the iput size ( x = log ). Thus LOG G! P PLOG G Relatio betwee PLOG ad LOG Theorem: if LOG G is computatioally impossible, the PLOG G is computatioally impossible too. Proof: Variats [exercise]: Least sigificat bit: PLOG-LSB Let PLOG-LSB(x) = YES iff LOG(x) mod 2=1. Highest sigificat bit : PLOG-HSB Let PLOG-LSB(x) = YES iff LOG(x) (log 2-1)/2.

4 NP class ad! P_Karp reductio Prop. NP is closed uder! P_Karp i.e. (A! P_Karp B ad B NP) => A NP. Def. A decisio problem Q is NP-hard iff X NP : X! P _Karp Q. Def. NP-complete = NP $ NP-Hard Theo: SAT NP-complete. Def: SAT(F : boolea formula)=yes iff F is ot always false. Moreover, 3-SAT NP-complete (but 2-SAT P) Def. conp: Q conp iff Q NP Def: TAUT(F : boolea formula)=yes iff F is always true. Theo: TAUT conp-complete P-reductio, NP-Hard, NP-Complete Let A ad B be two problems. OracleB(x): oracle that computes B(x) i time x. Def: Polyomial Reductio: A! P B iff there exists a algorithm Algo A that computes A(x) i polyomial time usig stadard operatios (DTM or RAM model) ad oracles for B. Note: This polyomial reductio is amed «Turig-reductio» or «Cook-reductio») Remark: The reductio! P is used for security proofs; but it is differet from the «stadard» may-to-oe reductio (Karp-reductio). With Turig reductio: NP = P co-np (but ope questio with Karp reductio) With Turig reductio: it is ot kow wether NP is closed or ot (but NP is closed uder Karp-reductio This affects the below (o stadard) defiitio of NP-Hard ad NP-complete: Def: Q is NP-hard iff, X NP : X! P Q Q NP-complete iff both Q is NP-hard ad Q NP. Cook theorem : NP-complete %. SAT ad 3-SAT are NP-complete. NP - Itermediate Def: NP-itermediate == problems that are either i P or NP-complete. Theorem: If P%NP, NP-itermediate % Good cadidates for NP-itermediate problems: P_LOG G NP-itermediate DISCRETE_LOGARITHM! P PLOG [See exercise sheet 2] HAS_BIG_FACTOR NP-itermediate INTEGER_FACTORIZATION! P HAS_BIG_FACTOR [See exercise sheet 2] Graph isomorphism Oe-way fuctio ad NP class E : { 0,1! { 0,1 (or Im( E ) { 0,1 +1 ) ijective (oe-to-oe mappig), ad easy to compute i.e. ~liear time to compute E(X) D = E -1 : should be computatioally impossible Does such fuctios exist? Ayway: E «easy» to compute # E $ P The, sice D=E -1 # D $ NP (o-determiistic) Note: if oe-way fuctios exist, P%NP The, look for a coveiet D amog the most difficult problems iside NP cojectured itractable NP-complete oes: eg subset sum/kapsack [Merkle-Hellma, Chor-Rivest ] Cojectured computatioally imposible oes: factorizatio

5 Some «hard» problems used to build oe-way fuctios Subset sum [NP-complete] Iput : S, (a 1,, a ) ; - Output : (x 1,, x ) $ {0,1 : Discrete logarithm (NP-itermediate) Iput : g, M ; - Output : x such that g x = M a i = S Factorizatio (NP-itermediate) 1. Iput : N - output : factorizatio of N 2. Iput: N, M, C ; - output : d s.t M d = C mod N 3. Iput : N, e, C ; - output : M s.t. M e = C mod N 4. Iput : N, x ; - output : YES iff % y such that x = y 2 mod N Example 1 : «Expoetial ad Discrete logarithm» (G, * ) : cyclic group of order ; g a geerator of G G = { g i ; i = 0,, -1 Expoetial : Exp: { 0,, -1! G defied by Exp(i) = g i Computatio cost of Exp (i ) = O(log (i)) = O( log ) [upper ad lower boud, lect2] Example : 5 11 [7] = ((5 2 ) 2 5) 2 5 = ((4) 2 5) 2 5 = (2.5) 2 5 = 2.5 = 3 Discrete Logarithm: Log : G! { 0,, -1 defied by Log(x) =i s.t. x= g i Example : fid x / 6 x = 8 [11] (Aswer: x = 7 ) Best kow algorithms for ay G i O( 0.5 ) [Shaks] Note : INTEGER-FACTORIZATION!P DISCRETE-LOGARITHM Cojectured hard to compute : Very used i asymmetric cryptography: ex RSA, El Gamal, ECDLP But : some specific istaces are easy to compute Oe-way trapdoor fuctio Defiitio: E is oe-way D(E(x)) = x [ ad E(D(x)) = x for sigature] But, give a trapdoor (the secret key), D is easy to compute (almost liear time) Provable security: Give c = E(x), computig s utractable How to prove it? By reductio (cotractictio)! assume there exists a algorithm to compute x from c the exhibit a algorithm that computes a utracatable problem! Example 2 : «kapsack» SUBSETSUM $ NP -complete Iput : (a 1,, a ) ad S itegers Output : YES iff it exists (x 1,, x ) $ { 0,1 : Idea for a ecodig: E(x 1,, x ) = Buildig a trapdoor fuctio Easy to solve istace; choose (a 1,, a ) super-icreasig. What is the decodig algorithm? Hidig simplicity b i = t.a i mod m with t secret ad prime to m Public : (b 1,, b ) ad m : E(x 1,, x ) = a i = S Secret : (a 1,, a ), t ad u = t -1 mod m : Decodig: just compute (S.u mod ) ad decode from (a 1,, a ) a i b i mod m [Merkle- Hellma,78]

6 Outlie lecture 2 P NP NP-complete NP-hard The (polyomial) complexity of E bouds the complexity of D : (E P) (D NP) Cojecture for asymetric cryptography:p % NP so asymetric cryptograpy is based o NPitermediate problems. Discrete LOG has a complexity polyomially equivalet to LSB_LOG.