This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Unformatted text preview: 6.080/6.089 GITCS April 24, 2008 Lecture 19 Lecturer: Scott Aaronson Scribe: Michael Fitzgerald 1 Recap And Discussion Of Previous Lecture In the previous lecture, we discussed different cryptographic protocols. People asked: In the RSA cryptosystem, why do people raise to a power greater than three? Raising to a power greater than three is an extra precaution; its like adding a second lock on your door. If everything has been implemented correctly, the RSA we discussed (cubing the message (mod n )) should be fine. This assumes that your message has been padded appropriately, however. If your message hasnt been padded, smallexponent attacks can be successful at breaking RSA; sending the message to a bunch of different recipients with different public keys can let the attacker take advantage of the small exponent. Raising to a power greater than three mitigates this risk. There are a couple of other attacks that can be successful. Timing attacks look at the length of time the computer takes to generate numbers to get hints as to what those numbers are. Other attacks can look at the electromagnetic waves coming from the computer to try and get hints about the number. Then there are attacks that abuse the cryptosystem with constructed inputs and try to determine some information about the system based on the error messages they receive. In general, modern cryptosystems are most often defeated when attackers find bugs in the implementations of the systems, not in the systems themselves. Social engineering remains the most successful way of breaching security; often just calling someone on the phone, pretending to be a company tech support person, and asking for their password will get you a response. We also talked about zeroknowledge proofs and general interactive protocols in the last lecture. Twenty years ago, a revolution in the notion of proof drove home the point that a proof doesnt have to be just a static set of symbols that someone checks for accuracy. For example, a proof can be an interactive process that ends with you being convinced of a statements truth, without learning much of anything else. We gave two examples of socalled zeroknowledge protocols : one that convinces a verifier that two graphs are not isomorphic, and another that proves any statement with a short conventional proof, assuming the existence of oneway functions. 2 More Interactive Proofs It turns out that this notion of an interactive proof is good for more than just cryptography. It was discovered in the early 1990s that interactive proofs can convince you of solutions to problems that we think are much harder than NPcomplete ones. As an analogy, its hard to tell that an author of a research paper knows what hes talking about just from reading his paper. If you get a chance to ask him questions off the cuff and hes able to respond correctly, its much more convincing....
View
Full Document
 Spring '11
 Prof.ScottAaronson
 Machine Learning, Computational complexity theory, computational learning theory, exponentially small probability, concept class

Click to edit the document details