1
00:00:17,260 --> 00:00:24,260
Welcome to this course of cryptography and
network security. So, I shall be, in today's
2
00:00:24,270 --> 00:00:29,520
class, I shall be introducing this topic and
I shall be trying to address about certain
3
00:00:29,520 --> 00:00:35,400
issues which are important in crypto and network
security.
4
00:00:35,400 --> 00:00:42,120
This course, essentially deals with the, deals
with the, communication of data between two,
5
00:00:42,120 --> 00:00:48,870
I mean a sender and a receiver. And the idea
is that the sender and the receiver are communicating
6
00:00:48,870 --> 00:00:55,720
information over an insecure channel, and
there is an eavesdropper who is trying to
7
00:00:55,720 --> 00:01:02,720
essentially understand, what information is
being transferred from the sender to the receiver.
8
00:01:02,940 --> 00:01:09,890
So, the objective of the sender and the receiver
would be to use cryptography or principles
9
00:01:09,890 --> 00:01:16,890
of cryptography and to ensure that certain
properties of the data are not compromised.
10
00:01:17,140 --> 00:01:23,110
For example, the integrity of the data, that
is whether the data has been modified or not,
11
00:01:23,110 --> 00:01:27,400
the secrecy of the data, that is what information
has been transferred, and there are similar
12
00:01:27,400 --> 00:01:30,880
certain other objectives which need to be
satisfied.
13
00:01:30,880 --> 00:01:37,230
So, essentially cryptography or the principles
of cryptography gives you certain mechanisms
14
00:01:37,230 --> 00:01:42,170
or certain principles of how you can carry
these operations forward, how you can satisfy
15
00:01:42,170 --> 00:01:47,580
these properties when you transfer data, transfer
information over an insecure channel. So,
16
00:01:47,580 --> 00:01:53,900
that is the objectives of essentially studying
this subject of cryptography and network security.
17
00:01:53,900 --> 00:01:59,170
In order to understand that, we will see a
communication game, and we will see essentially,
18
00:01:59,170 --> 00:02:06,170
what are the issues which are involved in
such a particular, such a game; then, we shall
19
00:02:07,370 --> 00:02:12,739
define the concept of protocols as opposed
to something which we know as algorithms.
20
00:02:12,739 --> 00:02:17,269
And then we shall define some, some, magic
function which will be used to solve this
21
00:02:17,269 --> 00:02:22,190
simple protocol or simple game that we considered.
This magic function is something, which we
22
00:02:22,190 --> 00:02:28,859
will try to understand and essentially throughout
the course, throughout this entire course,
23
00:02:28,859 --> 00:02:35,859
we shall be studying various techniques, various
methods, how you can realize this magic function.
24
00:02:36,200 --> 00:02:41,969
So, these magic functions are realized in
a form of cryptographic functions. So, in
25
00:02:41,969 --> 00:02:45,349
today's class we shall end with this particular
note.
26
00:02:45,349 --> 00:02:51,819
So, going into the communication game, let
us consider, let us consider a game where
27
00:02:51,819 --> 00:02:57,159
Alice and Bob, who are essentially, you will
be seeing in the literature, this Alice and
28
00:02:57,159 --> 00:03:01,319
Bob, you can imagine, they are the most famous
persons in cryptography, that is, they are
29
00:03:01,319 --> 00:03:08,319
the most widely popularly known, I mean, known
names for the sender and the receiver. So,
30
00:03:08,549 --> 00:03:13,569
Alice and Bob are the two most famous persons
in cryptography and they are used everywhere.
31
00:03:13,569 --> 00:03:20,329
So, Alice and Bob essentially are just two
names to denote the sender and the receiver;
32
00:03:20,329 --> 00:03:23,999
we can understand like, we can take Alice
to be the sender and Bob to be the receiver
33
00:03:23,999 --> 00:03:30,069
of the information. And just let us consider
a scenario where Alice and Bob wish to go
34
00:03:30,069 --> 00:03:35,609
for a dinner together and they want to, and
Alice would like to go for a Chinese food
35
00:03:35,609 --> 00:03:38,859
whereas Bob intends to go for an Indian food.
36
00:03:38,859 --> 00:03:45,230
So, the question is that if Alice and Bob
want to dine together, then how do they resolve
37
00:03:45,230 --> 00:03:52,230
this problem of not concurring at what they
want to have for dinner? So, how do they resolve
38
00:03:52,700 --> 00:03:59,400
this problem? Very simple, they can use an
unbiased coin; so, this can be one example,
39
00:03:59,400 --> 00:04:04,499
that is, if I believe that both of them are
not ready to compromise and they have got,
40
00:04:04,499 --> 00:04:09,659
I mean, very strong desires either to go for
a Chinese food or an Indian food, then what
41
00:04:09,659 --> 00:04:13,340
Alice will do is that Alice will toss an unbiased
coin.
42
00:04:13,340 --> 00:04:18,880
By the term unbiased coin, we mean that the
probability, of the coin, when we toss the
43
00:04:18,880 --> 00:04:25,310
coin, the probability that the outcome is
a head is half and is equal to the probability
44
00:04:25,310 --> 00:04:32,310
that the outcome is a tail. So, Alice what
she does is that she tosses a coin, with her
45
00:04:33,430 --> 00:04:40,430
hands covering the coin and asks Bob of his
choice; so, essentially, Bob has to say that
46
00:04:40,970 --> 00:04:46,500
head or tail. And if Bob's choice matches
with the outcome of the toss, then they go
47
00:04:46,500 --> 00:04:53,500
for an Indian food, that is Bob wins the game;
else, Alice has her way, which means, Alice
48
00:04:54,470 --> 00:05:01,470
says that we have to go for the Chinese food.
This is a very, quite an acceptable solution,
49
00:05:02,600 --> 00:05:07,310
assuming that the coin is an unbiased coin
and the coin has got only two possibilities,
50
00:05:07,310 --> 00:05:12,850
that is it can either result in a head or
it can either result in a tail; so, considering
51
00:05:12,850 --> 00:05:17,530
this situation, this is quite an easy problem,
which can be solved.
52
00:05:17,530 --> 00:05:23,030
But imagine that is what happens in real life,
is that most of us are quite distant apart;
53
00:05:23,030 --> 00:05:28,230
that is, for example, imagine that Alice and
Bob are two friends who stay a far distance
54
00:05:28,230 --> 00:05:34,160
apart and for them, they want to meet at one
place and have the dinner, but where do they
55
00:05:34,160 --> 00:05:38,920
meet? That is a problem. Therefore, they cannot
have an unbiased coin and they cannot toss
56
00:05:38,920 --> 00:05:42,870
that at the same place.
So, consider the situation when both of them
57
00:05:42,870 --> 00:05:49,490
are far apart and communicate through a telephone;
and so, therefore, what is the essential difference
58
00:05:49,490 --> 00:05:56,490
when we are separating out Alice and Bob over
a large distance, from this particular problem?
59
00:05:56,620 --> 00:06:01,060
What is the essential problem?
The problem is essentially of something which
60
00:06:01,060 --> 00:06:08,060
we call trust; that is, when Alice and Bob
are quite a distance apart, then, for example,
61
00:06:09,170 --> 00:06:15,500
if Alice tosses the coin, so imagine that
they engage the same technique, that is, both
62
00:06:15,500 --> 00:06:21,140
of them use the unbiased coin and even when
they are distant apart, then Bob cannot see
63
00:06:21,140 --> 00:06:27,090
the outcome of the toss.
Therefore, when Alice takes a coin and tosses,
64
00:06:27,090 --> 00:06:32,680
since Bob is at a distance apart, Bob is unable
to see the outcome of what happens at Alice's
65
00:06:32,680 --> 00:06:39,490
end. So, therefore Bob does not trust Alice;
so, Alice can claim Alice; that is the point.
66
00:06:39,490 --> 00:06:46,170
Therefore, they have to do something better,
they have to do something different.
67
00:06:46,170 --> 00:06:53,170
So, in order to do that, what they do is that,
therefore, the problem is that in this case
68
00:06:53,670 --> 00:07:00,670
of trust, and Bob cannot trust Alice as Alice
can tell a lie. So, the question is, how do
69
00:07:00,790 --> 00:07:05,810
we solve this problem?
These kinds of problems are very popular in
70
00:07:05,810 --> 00:07:12,000
our network security domain and often involve
not only two parties, but actually multi-party
71
00:07:12,000 --> 00:07:17,500
scenario; therefore, there is more than one
party who are playing this game. So, these
72
00:07:17,500 --> 00:07:23,090
types of, these types of scenarios are very
commonly or technically known as protocols.
73
00:07:23,090 --> 00:07:30,090
So, therefore, in order to resolve the problem,
both Alice and Bob have to engage in a protocol
74
00:07:30,950 --> 00:07:37,560
and they have to solve this problem. So, therefore,
they have to engage in a protocol. Therefore,
75
00:07:37,560 --> 00:07:42,160
protocol is something which is similar to
an algorithm; so it is basically a sequence
76
00:07:42,160 --> 00:07:47,830
of steps in order to solve a problem, but
the thing is that, in case of protocols we
77
00:07:47,830 --> 00:07:53,340
have got more than peoples, more than one
parties who are involved in a game; so, that
78
00:07:53,340 --> 00:07:57,710
is the idea. So, in this case, we have got
two parties like we have got Alice and Bob,
79
00:07:57,710 --> 00:08:04,710
who want to solve the problem and they need
to concur upon agreement, but they are not
80
00:08:06,920 --> 00:08:12,210
at the same place geographically.
In order to do that, they use a magic function,
81
00:08:12,210 --> 00:08:18,350
and I call that as f x or denote that as f
x. Let us see what properties this
82
00:08:18,350 --> 00:08:25,350
magic function should satisfy, so that this
problem of trust can essentially be resolved.
83
00:08:28,690 --> 00:08:35,690
Let us consider some properties of the function
f x. So, you assume that the domain and the
84
00:08:36,500 --> 00:08:41,940
range of f x are the set of integers; so,
therefore, you understand what is meant by
85
00:08:41,940 --> 00:08:48,450
domain and range. Imagine, that x is chosen
from a pool of values and I call that to be
86
00:08:48,450 --> 00:08:54,850
the domain of f x and all the possible values
that f x can result to, is called a range
87
00:08:54,850 --> 00:09:00,080
of f x. So, therefore, imagine that x is chosen
from the set of integers and it also results
88
00:09:00,080 --> 00:09:05,029
in the set of integers. So, therefore, f x
has got a domain and range, both of which
89
00:09:05,029 --> 00:09:10,020
are the set of integers. So, for every integer
x, it is easy... So, therefore, the property
90
00:09:10,020 --> 00:09:14,590
of f x are as follows, so the property of
f x: the first property, something which we
91
00:09:14,590 --> 00:09:21,590
call as one-wayness; it means, very simply
that this function f x is easy to compute.
92
00:09:22,790 --> 00:09:28,520
So, let us just try. Let us not go into what
is meant by easy and what is meant by not
93
00:09:28,520 --> 00:09:34,720
easy or hard; let us just take it as two terms;
so, let us not go into the technical details,
94
00:09:34,720 --> 00:09:39,830
right now. So, therefore, what I am trying
to say is that for every integer x, it is
95
00:09:39,830 --> 00:09:46,830
easy to compute f x from x, but it is easy
in one way; but given f x, it is hard to compute
96
00:09:47,700 --> 00:09:47,950
x.
97
00:09:47,880 --> 00:09:54,880
Therefore, the problem is as follows like
if you take x, the property of this function
98
00:09:55,970 --> 00:10:02,970
f is something we have called as one-wayness.
So, if I give you x, then to compute f x,
99
00:10:06,920 --> 00:10:13,920
is easy. So, therefore, for example, you can
just take x and very easily compute the value
100
00:10:18,300 --> 00:10:24,540
of f x, but if I give you the value f x and
I ask you what is the value of x - then this
101
00:10:24,540 --> 00:10:29,980
should be a relatively difficult problem.
So, that is what is meant by the one-wayness
102
00:10:29,980 --> 00:10:36,089
property of f. And actually in literature
we will see that in spite of a lot of research,
103
00:10:36,089 --> 00:10:41,520
we have got several, we have got few candidates
for one-way functions. But there are no concrete
104
00:10:41,520 --> 00:10:46,950
proofs, which say whether the function
can be proved to be a one-way function or not.
105
00:10:46,950 --> 00:10:51,110
But this is the notion; so, the notion is
what? The notion is of something which I call
106
00:10:51,110 --> 00:10:58,110
as one-wayness, which means, a function which
is easy to compute, but hard to invert.
107
00:11:07,320 --> 00:11:14,320
So, I give an example, which is believed to
be correct, like you take two prime numbers
108
00:11:16,170 --> 00:11:23,170
or two large prime numbers
p and q, so if I tell you that N is equal
to p into q, then given p and q, computing
109
00:11:36,920 --> 00:11:39,910
N is an easy problem; it is quite relatively
an easy problem.
110
00:11:39,910 --> 00:11:46,740
So, I give you p and if I give you q, from
there computing the value of N is an easy
111
00:11:46,740 --> 00:11:53,740
problem; but if I give you N and I ask you
- what is the value of p and q, it is believed
112
00:11:56,380 --> 00:12:01,430
to be a hard problem; so, if I give you N
and I ask you what are the corresponding values
113
00:12:01,430 --> 00:12:07,860
of p and q, it is believed to be a relatively
hard problem. So, this problem is commonly
114
00:12:07,860 --> 00:12:14,860
known as the factorization problem.
So, this is a probable candidate for a one-way
115
00:12:18,940 --> 00:12:25,940
function; this is one property which the function
f needs to satisfy. The other property is
116
00:12:27,910 --> 00:12:34,160
that, when I say impossible, I mean to say,
it is difficult to find a pair of distinct
117
00:12:34,160 --> 00:12:40,050
integers x and y, such that f x and f y are
the same; so this is also sometimes called
118
00:12:40,050 --> 00:12:43,930
collision resistance.
So, therefore, if I give you a function f
119
00:12:43,930 --> 00:12:50,330
and I tell you that, report two values of
x and y which are not the same, but which
120
00:12:50,330 --> 00:12:55,290
result in the same values of f x and f y, then
this should be a relatively hard problem.
121
00:12:55,290 --> 00:13:00,910
So, therefore it says that, therefore, collision
resistance means this that is...
122
00:13:00,910 --> 00:13:07,910
So, next property is of collision resistance,
which says that, if I give you, or given a
123
00:13:16,890 --> 00:13:23,890
function f x, output two values: x not equal
to y, such that f x and f y are same; so,
124
00:13:34,990 --> 00:13:41,990
this should be a difficult problem.
I will come to at the end of the class, to
125
00:13:45,870 --> 00:13:50,330
explain a little bit about what I mean by
an easy problem or what I mean by a hard or
126
00:13:50,330 --> 00:13:57,330
difficult problem; this is, a hard or a difficult
problem. So, therefore, it is not easy to
127
00:13:59,320 --> 00:14:04,839
report two values x and y which will essentially
result in the same values of f x and I mean,
128
00:14:04,839 --> 00:14:08,450
which will result in the same values of the
output of f.
129
00:14:08,450 --> 00:14:15,450
So, if I take a function f and to take or
report two values of x and y which are different,
130
00:14:16,850 --> 00:14:23,399
but which result in the same values of f x and
f y, should be hard or impossible; so, therefore,
131
00:14:23,399 --> 00:14:30,190
the property essentially satisfy these two
properties: the first property is of one-wayness
132
00:14:30,190 --> 00:14:37,190
and the second property is of collision resistance.
Let us assume that the magic function f essentially
133
00:14:42,620 --> 00:14:49,620
satisfies these two properties. Now, let us
see if Alice and Bob engage such a magic function,
134
00:14:51,440 --> 00:14:58,440
then does their problem of resolution get
solved. So, therefore, the magic function
135
00:14:59,620 --> 00:15:06,620
f satisfies these properties of one and two,
and now the question is that - if it does
136
00:15:08,070 --> 00:15:12,459
so, then does the problem of resolution get
solved?
137
00:15:12,459 --> 00:15:19,029
So, therefore, in order to solve this problem,
Alice and Bob essentially have to engage the
138
00:15:19,029 --> 00:15:23,630
function f in something, which I called as
a protocol.
139
00:15:23,630 --> 00:15:30,630
Let us see what could be the protocol. So,
both of them agree on the function f x; so,
140
00:15:31,160 --> 00:15:35,640
therefore, they decide upon a function f x
and which they believe is, which they believe
141
00:15:35,640 --> 00:15:42,640
should satisfy these two properties of one-wayness
and collision resistance. And they assume
142
00:15:46,350 --> 00:15:53,350
that head will be represented by an even number
x and tail or the outcome of tail will be
143
00:15:54,160 --> 00:15:59,830
represented by an odd number of x.
So, see what Alice and Bob are trying to do?
144
00:15:59,830 --> 00:16:05,290
Essentially, Alice and Bob are trying to do
the same thing, like tossing an unbiased coin
145
00:16:05,290 --> 00:16:10,339
when both of them were together, but now since
they are apart from each other, they cannot
146
00:16:10,339 --> 00:16:14,890
really do it straightaway; so, what they do
is that they use this magic function f, and
147
00:16:14,890 --> 00:16:19,029
essentially try to, which satisfies these
two properties and try to do the same thing.
148
00:16:19,029 --> 00:16:23,170
So, essentially they have to decide whether
a head is resulting.
149
00:16:23,170 --> 00:16:30,040
I mean, so, what they will do is that they
will try to replace the function, they will
150
00:16:30,040 --> 00:16:37,040
try to replace the function, if by, they will
try to replace the unbiased coin by the function
151
00:16:37,540 --> 00:16:44,540
f, and will try to see that whether a head
results or whether a tail results by the computation
152
00:16:45,399 --> 00:16:52,399
of the function f x. So, what Alice and Bob
do is as follows - so, Alice and Bob essentially
153
00:16:57,649 --> 00:17:04,649
do the same thing; that is, now they need
to do the coin toss by using the function
154
00:17:17,130 --> 00:17:24,130
f. So, they need to use the coin toss by using
the function f and in order to do that, there
155
00:17:29,809 --> 00:17:35,549
are two possibilities. The possibilities are
whether...
156
00:17:35,549 --> 00:17:42,549
So, what they essentially try to do here is
that, Alice chooses randomly a value x, chooses
157
00:17:52,130 --> 00:17:59,130
randomly a value x; so, this x, if it is randomly
chosen from the set of integers, the probability
158
00:18:01,090 --> 00:18:08,090
that x is even is the same as the probability
that x is odd and that is equal to half, but
159
00:18:14,000 --> 00:18:19,740
till this part there is no problem. The problem
happens or the problem of trust happens, when
160
00:18:19,740 --> 00:18:26,740
Alice communicates this information, that
is, whether x is even or odd
to Bob; so, we try to understand the problem
161
00:18:35,410 --> 00:18:42,410
and is as follows - if Bob predicts that x
is even or so therefore imagine that Alice
162
00:18:43,140 --> 00:18:49,280
essentially does a coin toss at its end, and
depending upon the coin toss, that is whether
163
00:18:49,280 --> 00:18:56,250
the toss results in head or a tail, it chooses
the value of x to be even or odd. So, therefore,
164
00:18:56,250 --> 00:19:03,250
if this coin toss results in head, Alice chooses,
I mean x is even, but if this coin toss is
165
00:19:07,450 --> 00:19:14,450
a tail, then x is odd. So, remember what was
the game? The game was that Bob initially
166
00:19:20,580 --> 00:19:25,840
has to guess, what was the parity of x, that
is, whether the value of x was even or odd?
167
00:19:25,840 --> 00:19:32,840
But the point is, since they are doing over
a communication channel, why Bob is not believing
168
00:19:33,040 --> 00:19:39,570
Alice or does not have trust in Alice is that,
after the result of the coin toss, Alice can
169
00:19:39,570 --> 00:19:46,570
essentially say or communicate a wrong information
to Bob; that is, even if Bob is correct, like,
170
00:19:46,799 --> 00:19:53,340
for example, coin toss at Alice's end was
actually head, and when Bob also had said
171
00:19:53,340 --> 00:19:58,580
that head would have been the resultant, head
would have been the outcome, so what Alice
172
00:19:58,580 --> 00:20:05,580
can do is that Alice can pass on a wrong information,
that the result was a tail.
173
00:20:07,030 --> 00:20:13,679
In order to prevent such a scenario, Alice
and Bob shall be using the function f; so,
174
00:20:13,679 --> 00:20:20,679
in order to solve this problem of trust, Alice
and Bob shall be using the function f to communicate
175
00:20:37,130 --> 00:20:44,130
the parity of x; that is, whether x is even
or whether x is odd - that information now
176
00:20:47,200 --> 00:20:52,929
Alice will not pass just on the clear, but
instead will compute the value of f x and
177
00:20:52,929 --> 00:20:56,600
will pass on that information to Bob.
178
00:20:56,600 --> 00:21:01,120
I believe that even if this is not clear till
now, it will be clear, I will try to make
179
00:21:01,120 --> 00:21:07,340
it more clear. So, at this point, at least
try to understand, that a head event or a
180
00:21:07,340 --> 00:21:13,510
head outcome is being represented by even
number x; whereas, a tail is being represented
181
00:21:13,510 --> 00:21:20,470
by an odd number x. So, what Alice does is
as follows. Therefore, I call this as a coin
182
00:21:20,470 --> 00:21:24,660
flipping over the telephone; so, essentially,
they are flipping the coin as we have done
183
00:21:24,660 --> 00:21:30,140
when both Alice and Bob were together, but
only in this case, we have to solve this problem
184
00:21:30,140 --> 00:21:33,830
over the telephone.
So, what Alice does is that Alice picks up
185
00:21:33,830 --> 00:21:38,590
randomly a large integer x; so, therefore,
when I say randomly, it is just like they
186
00:21:38,590 --> 00:21:45,299
are based upon the outcome of a toss at which
Alice does. So Alice takes an unbiased coin
187
00:21:45,299 --> 00:21:48,720
and it does not really matter at Bob's end
whether it is an unbiased or biased, because
188
00:21:48,720 --> 00:21:52,809
Alice does not have an advantage right now
about that. So that just imagine, that Alice
189
00:21:52,809 --> 00:21:59,809
picks up randomly a large integer x and computes
the value of f x; so, Bob tells Alice his
190
00:22:00,480 --> 00:22:07,480
guess of whether x is odd or even; so what
Bob does is Bob predicts -
what was the guess of Alice.
191
00:22:13,919 --> 00:22:19,590
So, in this case, Alice picks up randomly
a large integer x and computes the value of
192
00:22:19,590 --> 00:22:26,590
f x and this value of f x is now passed to
Bob; so, Bob now has the value f x. And Bob,
193
00:22:28,030 --> 00:22:35,030
based on the value of f x, so Bob essentially
has got the information of f x, but now what
194
00:22:35,460 --> 00:22:42,460
Bob needs to do, is that Bob needs to tell
Alice his guess of whether x is odd or even.
195
00:22:42,460 --> 00:22:48,309
I will come to the properties, but first of
all just try to understand the protocol. Then
196
00:22:48,309 --> 00:22:54,740
Alice what she does is that Alice then sends
x to Bob and Bob verifies by computing the
197
00:22:54,740 --> 00:23:01,059
value of f x. So, here, there are two important
things to be noticed. The first important
198
00:23:01,059 --> 00:23:06,530
thing to be noticed is that - Bob has got
an information of f x and when it is trying
199
00:23:06,530 --> 00:23:11,890
to guess, that is, whether x is odd or even,
in order to see that Bob does not have an
200
00:23:11,890 --> 00:23:18,429
advantage of guessing, means what? Means that
the function f x should not reveal any information
201
00:23:18,429 --> 00:23:25,429
about the oddity or even parity of x, which
means that f x, which means that f x should
202
00:23:26,390 --> 00:23:32,620
not reveal any information about x and that
property is satisfied by the one-wayness guarantee
203
00:23:32,620 --> 00:23:38,850
of the magic function f.
So, how we will do it, we are not really bothered
204
00:23:38,850 --> 00:23:45,820
at this point, we are just trying to understand
the properties. The other important thing
205
00:23:45,820 --> 00:23:51,720
is that, when I am considering the end of
Alice, when Alice is computing the value of
206
00:23:51,720 --> 00:23:58,720
f x and sending this value of f x - why is
Alice doing so? Alice is doing so, because
207
00:24:00,630 --> 00:24:06,950
if Bob's guess is correct, then later on Alice
should not be able to change the value of
208
00:24:06,950 --> 00:24:13,140
x, that is, change the parity of x, such that
the value of f x which she has previously
209
00:24:13,140 --> 00:24:20,140
committed will remain the same. So, what does
that mean? So, what Alice will try to do,
210
00:24:21,770 --> 00:24:27,900
if she wants to cheat? She will try to change
x to x dash, such that the parity of x and
211
00:24:27,900 --> 00:24:34,900
the parity of x dash are different. And what
is the other property? The thing is that,
212
00:24:35,440 --> 00:24:39,320
the value of f x and the value of f x dash
will collide.
213
00:24:39,320 --> 00:24:45,250
So, that is how Alice will try to cheat Bob,
because then it can say, that see actually
214
00:24:45,250 --> 00:24:49,900
what you have guessed is wrong, because what
you have guessed is, you have guessed x,
215
00:24:49,900 --> 00:24:53,990
but whereas the correct value is x dash, and
you see that you can calculate the value of
216
00:24:53,990 --> 00:25:00,990
f x dash and it will be the same as that of
f x. But this is also hindered and Alice also
217
00:25:03,299 --> 00:25:08,460
does not have this advantage because of the
collision resistance guarantee or collision
218
00:25:08,460 --> 00:25:11,799
resistance property of the magic function
f x.
219
00:25:11,799 --> 00:25:16,910
So, therefore, therefore, that is the reason
why we say that the magic function f x needs
220
00:25:16,910 --> 00:25:21,870
to have the one-wayness property and also
the collision resistance property. I hope
221
00:25:21,870 --> 00:25:25,010
it is clear till this point.
222
00:25:25,010 --> 00:25:32,010
So, therefore, if I do a security analysis,
so the question is can Alice cheat? For that
223
00:25:35,260 --> 00:25:41,049
Alice needs to create a y, which is not equal
to x, such that f x and f y are the same.
224
00:25:41,049 --> 00:25:44,980
When I say that y is not equal to x, which
means in this case, the important information
225
00:25:44,980 --> 00:25:51,200
is the parity of y and the parity of x are
different, such that f x and f y are same
226
00:25:51,200 --> 00:25:56,150
and this is believed to be hard. The other
important thing is that - can Bob guess better
227
00:25:56,150 --> 00:26:03,150
than a random guess - so Bob listens to f
x. Can Bob guess better than a random guess,
228
00:26:04,309 --> 00:26:09,990
means initially, if Bob has not been provided
with the information of f x, what should be
229
00:26:09,990 --> 00:26:16,679
the probability of Bob guessing correct - it
is half, right? So, even when the information
230
00:26:16,679 --> 00:26:22,210
of f x is provided to Bob, the probability
should still remain half; so, his probability
231
00:26:22,210 --> 00:26:25,549
of guess is half.
Therefore, it should be still like a random
232
00:26:25,549 --> 00:26:30,559
guess, which means that the value of f x does
not leak any information about the value or
233
00:26:30,559 --> 00:26:37,559
parity of x; so, these two are being guaranteed
by the properties of the magic function f.
234
00:26:39,179 --> 00:26:45,700
So, we will consider a little bit more concrete
example; so, this is a similar scenario where
235
00:26:45,700 --> 00:26:52,130
Alice and Bob wish to resolve a dispute over
the telephone. We can encode the possibility
236
00:26:52,130 --> 00:26:56,860
of the dispute by a binary value; so for this
they engage a protocol. So what we've just
237
00:26:56,860 --> 00:26:59,990
now seen.
So, Alice and Bob, essentially what both of
238
00:26:59,990 --> 00:27:05,130
them do is like this - so, Alice picks up
randomly an x, which is a 200 bit number and
239
00:27:05,130 --> 00:27:10,039
computes a function of f x as follows; so,
it computes the value of some f x value, which
240
00:27:10,039 --> 00:27:17,039
I will discuss just now. So what Alice does
is that...So, let us consider this particular
241
00:27:19,590 --> 00:27:21,559
example, little bit minutely.
242
00:27:21,559 --> 00:27:28,559
So, what Alice does is, Alice sends to Bob
the outcome of a function f x. So, it chooses
243
00:27:32,780 --> 00:27:39,780
x at random, it chooses x randomly and x is
a 200 bit number; it is a 200 bit, it means,
244
00:27:44,270 --> 00:27:51,270
200 number of 0-1 values; so, it chooses a
200 bit number, a 200 bit value and computes
245
00:27:55,620 --> 00:28:02,620
the value of f x
and sends it to Bob. So, computes the value
of f x and sends it to Bob. So, what Bob does
246
00:28:13,789 --> 00:28:20,789
is that, so Bob now sends to Alice, the guess;
so, Bob now guesses whether x was even or
247
00:28:32,789 --> 00:28:39,789
odd and sends this information back to Alice.
Alice, now what she does is...
248
00:28:45,799 --> 00:28:52,799
Bob needs to verify, therefore, what Alice
does is that Alice now sends x to Bob; so,
249
00:28:57,990 --> 00:29:04,990
what will Bob do? Bob will verify, Bob verifies
by computing f x and tallying with the previously
250
00:29:16,900 --> 00:29:23,900
received value; so this is the basic protocol,
right?
251
00:29:30,350 --> 00:29:37,350
Now, what do we need to do? We need to think
of such a function f x. We have seen that
252
00:29:39,809 --> 00:29:44,740
if this f x function satisfies the collision
resistance and the one-wayness, then this
253
00:29:44,740 --> 00:29:50,870
protocol should give a fair evaluation and
do something which is similar to when Alice
254
00:29:50,870 --> 00:29:57,340
and Bob did simultaneously; when both of them
were together, they just did a random coin
255
00:29:57,340 --> 00:30:02,590
tossing; so, therefore, both of them do not
have any additional advantage in the game.
256
00:30:02,590 --> 00:30:09,590
In order to do that, we will consider a concrete
example of the function f. So just consider
257
00:30:10,549 --> 00:30:12,750
the following function.
258
00:30:12,750 --> 00:30:19,750
So, imagine that f is essentially...So, you
know that x has been chosen to be a 200 bit
259
00:30:20,640 --> 00:30:27,640
number, right? So, I denote that as a 0-1
string of 200 bit values, and what f does,
260
00:30:29,210 --> 00:30:36,210
is that it takes in the values of x, so, therefore
x is something like from 0 to 199; so, it
261
00:30:36,559 --> 00:30:43,559
takes the first 100 bit values and it takes
the next 100 bit values and I call this part...
262
00:30:44,309 --> 00:30:51,270
Therefore, it takes this part and does a bitwise
OR between these values; so, therefore, it
263
00:30:51,270 --> 00:30:58,270
does a bitwise OR. So, all these bits are
getting ORed, therefore, this is ORed with this
264
00:30:59,539 --> 00:31:05,230
and you get this; you odd this bit, with this
and you get this. So, this is nothing but
265
00:31:05,230 --> 00:31:09,440
the MSB part; therefore, you just take the
MSB part, bring it here, you take this part
266
00:31:09,440 --> 00:31:13,309
and do a bitwise OR between the bits and you
get the resultant output.
267
00:31:13,309 --> 00:31:20,309
So, let us consider a simple example, like,
for example, if there is the string like 1111
268
00:31:23,279 --> 00:31:30,279
and so on, there are 100 bits, 100 values
here and similarly, the next 100 values are
269
00:31:31,100 --> 00:31:36,429
say 0000 and say 1. So, what will be the corresponding...So,
this is x, so what is the corresponding value
270
00:31:36,429 --> 00:31:43,429
of f x? It is 111 and so on, and you OR that
with 100 and 1; therefore, if you do a bitwise
271
00:31:45,580 --> 00:31:52,450
OR, you get 1 here and this is again a 0,
so we have got a 1 here, and so you will get
272
00:31:52,450 --> 00:31:59,340
a 1 for all the values; so, this is your corresponding
value of f x.
273
00:31:59,340 --> 00:32:06,340
So, let us just imagine a function f which
looks like this and try to compute the success
274
00:32:07,409 --> 00:32:14,409
probability of Alice and Bob. So, for example,
here in this function...So this function can
275
00:32:20,210 --> 00:32:25,370
also be replaced by other possible candidates;
this is just a simple example. So for example,
276
00:32:25,370 --> 00:32:32,370
we could have replaced this OR by a XOR and
we could have computed the similar properties,
277
00:32:33,350 --> 00:32:37,919
but I am trying to find out this particular...
I am just taking this as an example and trying
278
00:32:37,919 --> 00:32:44,919
to compute what is the probability that Bob
succeeds; that is, Bob is correct in his guess,
279
00:32:47,690 --> 00:32:54,650
and what is the probability that Alice can
cheat.
280
00:32:54,650 --> 00:33:01,020
So, we are interested in these two probabilities
and what we have to see is that whether there
281
00:33:01,020 --> 00:33:07,960
is an additional advantage over a random coin
toss? Therefore, typically we will try to
282
00:33:07,960 --> 00:33:12,760
compare this with a random coin toss and based
upon that we will see whether this function
283
00:33:12,760 --> 00:33:16,760
f is really a candidate for a magic function
or not?
284
00:33:16,760 --> 00:33:21,409
So, how do we calculate these values, that
is, the probability of Bob will succeed or
285
00:33:21,409 --> 00:33:26,390
probability of Alice will cheat? So, for that,
we have to observe the properties of this
286
00:33:26,390 --> 00:33:33,390
OR function. What I have said to you, that
is a more concrete example is this: that if
287
00:33:37,330 --> 00:33:41,840
Bob's guess was right, Bob wins; so, this
was a game - if Bob's guess was right Bob
288
00:33:41,840 --> 00:33:46,480
wins, otherwise Alice has the dispute solved
in her own way. So, what they do is that they
289
00:33:46,480 --> 00:33:51,909
decide upon a function like this; so f is
essentially a map from x to y, where x is
290
00:33:51,909 --> 00:33:56,200
a 200 bit random variable and y is a 100 bit
random variable.
291
00:33:56,200 --> 00:34:01,679
So, the function is just as I have told you
now, that you take the most significant 100
292
00:34:01,679 --> 00:34:08,609
bits of x and you OR that with the least
significant 100 bits of x. So, x is just a
293
00:34:08,609 --> 00:34:15,109
200 bit string and you OR, or you do a bitwise
OR between the first 100 bits of x and the
294
00:34:15,109 --> 00:34:22,109
least 100 bits of x; so here, OR denotes a
bitwise OR operation.
295
00:34:22,450 --> 00:34:28,440
What we are interested now in doing is, that
we are interested in calculating the success
296
00:34:28,440 --> 00:34:34,919
probability of Bob and the probability that
Alice can cheat. In order to do that, we have
297
00:34:34,919 --> 00:34:40,629
to first of all think of an algorithm or a
strategy for Bob; so, Bob essentially has
298
00:34:40,629 --> 00:34:46,280
to adopt the principle or adopt an algorithm
or something which we commonly call as an
299
00:34:46,280 --> 00:34:53,280
experiment of Bob. What is Bob's objective?
Bob has been provided the value of f x and
300
00:34:53,330 --> 00:34:58,630
Bob has to guess the parity of x; so, therefore,
Bob needs to do something good.
301
00:34:58,630 --> 00:35:05,540
Now see, that this property or rather if you
see the property of this OR function; you
302
00:35:05,540 --> 00:35:12,490
know that if I just do a simple truth table
of this OR function, you know that if there
303
00:35:12,490 --> 00:35:19,490
are two inputs like a and b and this is a
OR b, so if you just consider the binary truth
304
00:35:19,570 --> 00:35:25,890
table, you see here, there is only one value
which is 0 here, but the rest of the things
305
00:35:25,890 --> 00:35:32,890
in it result in a 1. So, therefore, this
property or rather this observation, Bob will
306
00:35:34,560 --> 00:35:41,390
exploit to make his guess more favorable,
I mean, to enhance its probability of success.
307
00:35:41,390 --> 00:35:48,390
In order to do that, you see that Bob essentially
has got the value of f x; so, Bob has got
308
00:35:50,680 --> 00:35:57,680
the value of f x and what it will observe
is, what is the least significant bit of f
309
00:35:58,150 --> 00:36:02,099
x?
You see, there can be two possibilities here
310
00:36:02,099 --> 00:36:09,099
- it can either be 0 or it can either be 1.
If it is a 0, what does it mean? Just think
311
00:36:19,020 --> 00:36:26,020
of the function f x, just think of the function
f x; therefore, if you just think of the first
312
00:36:27,790 --> 00:36:33,660
100 bits here, so f x means what? This is
the first 100 bits, so you just consider that
313
00:36:33,660 --> 00:36:40,660
this is some value and I call that to be the
x 0 value; so that is the least significant
314
00:36:40,950 --> 00:36:46,490
bit of x, and there are other values here;
so there are 100 more bits here.
315
00:36:46,490 --> 00:36:53,490
So, therefore, how do I compute f x? I just
take this and I OR with this. If the resultant
316
00:36:53,760 --> 00:37:00,760
value or the least significant bit of the
result is a 0, which means that 0 is the OR
317
00:37:03,150 --> 00:37:10,150
of x 0 and we have got x 0 to x 99 here, and
this is your x hundredth bit; therefore, this
318
00:37:14,440 --> 00:37:21,280
is the OR of x 0 and x 100. So, if this value
is 0, you see that in the truth table of a
319
00:37:21,280 --> 00:37:26,750
OR b there is only one possibility; that is,
both a and both b are odd; so, therefore,
320
00:37:26,750 --> 00:37:33,330
you can say with the probability of 1 that
x 0 is 0. What does it mean? It means that
321
00:37:33,330 --> 00:37:38,700
x was an even value; therefore, immediately
the parity of x gets ascertained; so, therefore,
322
00:37:38,700 --> 00:37:45,700
if this be so, then Bob has got, I mean with
a probability of 1, Bob can say, Bob says,
323
00:37:49,839 --> 00:37:56,839
x is even; otherwise Bob says x is odd. So,
you see, that in this particular case, Bob
324
00:38:05,500 --> 00:38:10,700
has a probability of success of 1, but in
this case, the success probability of Bob
325
00:38:10,700 --> 00:38:17,700
is not exactly 1, but it is slightly different.
Can you say what is the probability here?
326
00:38:17,839 --> 00:38:24,839
You see that if this be 1, so what are the
possible cases? It means that it belongs to
327
00:38:26,760 --> 00:38:33,760
this case; therefore, it means that 1 is equal
to x 0 or x 100 and we are interested in the
328
00:38:38,400 --> 00:38:45,400
value of x 0. In how many possible ways you
can get a 1 here? It could be either be a
329
00:38:47,839 --> 00:38:54,839
0 1, it could be either be a 1 0 or it could
either be a 1 1; so you see that in these
330
00:38:56,950 --> 00:39:02,970
three cases, there are two cases for which
this x 0 value was actually 1, which means
331
00:39:02,970 --> 00:39:08,420
the x was odd and that is what Bob is saying.
But in the other case and there is one case
332
00:39:08,420 --> 00:39:13,750
out of these three cases, where Bob will fail;
therefore, the probability of success here
333
00:39:13,750 --> 00:39:20,290
is actually 2 by 3, because in two cases Bob
is correct out of three cases. So, here in
334
00:39:20,290 --> 00:39:27,290
this case the probability of success is 1
but here it is 2 by 3; so, Bob can use this
335
00:39:29,290 --> 00:39:32,190
particular observation to develop a strategy.
336
00:39:32,190 --> 00:39:39,190
The strategy is very simple, the strategy
is like this - if the zeroth bit of f x is
337
00:39:39,740 --> 00:39:46,740
0, then x is even, otherwise x is odd; so,
this is a simple algorithm or simple strategy
338
00:39:46,760 --> 00:39:52,930
which Bob can adopt. In this case, the probability
of success of Bob will be 1, but in this case
339
00:39:52,930 --> 00:39:57,740
the probability of success of Bob will be
2 by 3.
340
00:39:57,740 --> 00:40:04,270
You note one thing, that is, x was randomly
chosen, but the value of f x is actually not
341
00:40:04,270 --> 00:40:09,770
randomly chosen. Therefore, if I say, what
is Bob's probability of success, you cannot
342
00:40:09,770 --> 00:40:16,300
straightaway assume that the value of f x
0 being equal to 0 is half and compute
343
00:40:16,300 --> 00:40:20,230
the value of f x; you have to do a slightly
different thing, that is what I will come
344
00:40:20,230 --> 00:40:27,230
to next. But this is correct that is if it
says, x is even - so in this case the probability
345
00:40:27,790 --> 00:40:34,790
of success of Bob is 1, but in this case - the
probability of success of Bob is 2 by 3, as
346
00:40:34,980 --> 00:40:37,810
we have just worked out.
347
00:40:37,810 --> 00:40:44,810
Next, we are interested in calculating what
is Bob's probability of success? How do we
348
00:40:46,920 --> 00:40:52,539
calculate Bob's probability of success? So,
you know that there are two possible ways
349
00:40:52,539 --> 00:40:57,490
- since x is randomly chosen, x can either
be even or x can either be odd, and therefore
350
00:40:57,490 --> 00:41:03,450
the probability that x is even is equal to
probability that x is odd and that is equal
351
00:41:03,450 --> 00:41:09,280
to half. So, now, the probability that Bob
succeeds can easily be found out or can be
352
00:41:09,280 --> 00:41:11,480
written in this fashion.
353
00:41:11,480 --> 00:41:18,480
Therefore, if I want to calculate this particular
probability that Bob will succeed, I can do
354
00:41:20,500 --> 00:41:27,500
this in this fashion - probability of Bob
succeeds is equal to probability that x is
355
00:41:32,589 --> 00:41:39,589
even multiplied by probability that Bob succeeds;
conditional probability, so, it is a conditional
356
00:41:43,869 --> 00:41:48,770
probability and here the condition is that
x is even. And basically, what I am trying
357
00:41:48,770 --> 00:41:55,770
to do is that I am trying to split the possibilities
into two mutually exclusive cases - one is
358
00:41:56,849 --> 00:42:03,230
when x is even and the other one is when probability
of when x is odd. Therefore, I write the other
359
00:42:03,230 --> 00:42:10,230
part as probability of x is odd multiplied
by the probability that Bob will succeed,
360
00:42:12,020 --> 00:42:19,020
given x is odd.
So, we split this into two mutually exclusive
361
00:42:20,050 --> 00:42:26,599
cases and what is the probability that x is
even? I know that is half and I also know
362
00:42:26,599 --> 00:42:30,430
that the probability that x is odd is also
half; so, I can take this half common, and
363
00:42:30,430 --> 00:42:37,430
I have got probability that Bob succeeds,
given x is even, plus the probability that
364
00:42:42,079 --> 00:42:49,079
Bob succeeds, given that x is odd. So, now
you see, that we have got two cases - one
365
00:42:56,230 --> 00:43:03,230
is that when x is even; so when x is even,
then what is the probability that Bob will
366
00:43:05,210 --> 00:43:12,210
succeed?
So, x is even means, what? x is even means
367
00:43:13,530 --> 00:43:20,530
x 0 is 0. What is the corresponding value
of f x 0? It is x 100 OR with x 0; in this
368
00:43:26,390 --> 00:43:33,390
case, it is equal to x of 100; so, depending
upon the value of x 100, Bob will say it to
369
00:43:34,480 --> 00:43:41,480
be 0 or 1; so, Bob did not predict its value.
So, you see that if, x of 100 is also 0, in
370
00:43:46,510 --> 00:43:50,640
that case, the result is 0 and therefore,
what Bob guesses is correct; that is, Bob
371
00:43:50,640 --> 00:43:57,640
guesses x to be even and that is correct.
But if x 100 is 1 then this result is 1; so,
372
00:43:58,589 --> 00:44:05,589
therefore Bob will see this 1 and using its
strategy Bob will guess that x is odd, but
373
00:44:05,810 --> 00:44:09,890
actually x in this case is even, therefore
Bob fails.
374
00:44:09,890 --> 00:44:16,890
Therefore, when x 100 is 0, then Bob is successful,
but when x 100 is 1, then Bob fails. And what
375
00:44:19,640 --> 00:44:25,040
is the probability of x 100 is 0 or 1? It
is half, because x is randomly chosen, therefore
376
00:44:25,040 --> 00:44:29,920
anywhere the bits being equal to 0 or 1 is
actually equal to half.
377
00:44:29,920 --> 00:44:35,790
Therefore, this particular value, that is,
probability that Bob succeeds when x is even
378
00:44:35,790 --> 00:44:41,760
is actually equal to half. What about this
case - when x is odd? If x is odd means x
379
00:44:41,760 --> 00:44:48,760
of 0 is 1 and therefore, x of this value is
equal to x of 100 OR with 1 and this is always
380
00:44:52,030 --> 00:44:58,030
1. Therefore seeing this 1, Bob using its
strategy will always guess that x of 0 is
381
00:44:58,030 --> 00:45:03,020
1, and therefore, its probability of success
is actually equal to 1, when x is odd.
382
00:45:03,020 --> 00:45:09,650
Now, we combine these two things and we obtain
what we have written out in this slide; we
383
00:45:09,650 --> 00:45:14,970
obtain that, here write, half into half that
is plus half into 1 and therefore, we get
384
00:45:14,970 --> 00:45:20,420
a probability that Bob is successful is equal
to 3 by 4.
385
00:45:20,420 --> 00:45:26,430
So, what should have been the ideal probability
of Bob's success actually? It would have been
386
00:45:26,430 --> 00:45:32,900
half; therefore, we see that there is a significant
excess over half and that excess is over 1
387
00:45:32,900 --> 00:45:39,030
by 4; that means, that the magic function
f which we have instantiated by this OR function
388
00:45:39,030 --> 00:45:43,160
is not correct.
Therefore, this is not a very good candidate
389
00:45:43,160 --> 00:45:48,599
for such a function, but this is an example.
We are just seeing that example in order to
390
00:45:48,599 --> 00:45:53,960
appreciate the problem and motivate the study
of this present course, that is - why at all
391
00:45:53,960 --> 00:46:00,720
we are studying cryptography? What is the
purpose? That is why we are trying to see
392
00:46:00,720 --> 00:46:06,200
a simple game and we are trying to see a possible
candidate of the function f.
393
00:46:06,200 --> 00:46:10,480
But you just try to understand first, that
this particular function f which we have chosen
394
00:46:10,480 --> 00:46:14,230
is not actually an ideal candidate, because
here, in this case, the probability that Bob
395
00:46:14,230 --> 00:46:19,280
succeeds is not actually equal to half, but
it is quite greater than half; so, it is significantly
396
00:46:19,280 --> 00:46:25,790
larger than half and therefore Alice and Bob
should not be satisfied with the function
397
00:46:25,790 --> 00:46:31,020
f. What is the probability that Alice will
cheat? That is, Alice's cheating probability?
398
00:46:31,020 --> 00:46:35,920
So you see that in this case, remember that
we will compute Alice's cheating probability
399
00:46:35,920 --> 00:46:40,359
irrespective of Bob's strategy.
Alice really does not know what strategy Bob
400
00:46:40,359 --> 00:46:46,550
has taken and Alice still wants to cheat;
so, therefore, in order to cheat, what does
401
00:46:46,550 --> 00:46:53,550
Alice need to do? You see, that Alice has
communicated the value of f x and therefore,
402
00:46:54,589 --> 00:47:01,589
when Bob guesses, that is what is the parity
of x. In order to cheat, what Alice will do
403
00:47:02,770 --> 00:47:08,570
is that Alice will change the value of x or
change the parity of x, keeping the value
404
00:47:08,570 --> 00:47:14,280
of f x intact; therefore, Alice can cheat
by changing the parity of x.
405
00:47:14,280 --> 00:47:20,140
So, therefore, Alice needs to change the parity
of x such that here - there should be additional
406
00:47:20,140 --> 00:47:25,940
certain few words - the value of f x should
be intact, the value of f x should not change.
407
00:47:25,940 --> 00:47:32,400
So, in order to compute the probability, let
us divide this again into two cases, like
408
00:47:32,400 --> 00:47:36,990
what we have done in the previous case. Let
us divide this, the first case is - x is even;
409
00:47:36,990 --> 00:47:43,990
so when f x is even...; so when x is even,
therefore, x 0 is 0; so what is the value
410
00:47:44,640 --> 00:47:51,640
of f x? There can be only two possible cases
- f x 0 equal to 0 and f x 1, this should
411
00:47:53,380 --> 00:47:59,450
be actually 0; therefore, the f x 0 can either
be 0 or it can be either equal to 1; so there
412
00:47:59,450 --> 00:48:06,450
can be two possible cases here also. That
is, if you see the case one - x is even; so
413
00:48:06,630 --> 00:48:13,630
if x is even the value of f x 0 is again equal
to x 0 OR with x of 100; so what is the value
414
00:48:17,900 --> 00:48:24,210
of f x 0 here? It is equal to 0 because x
is even, so x of 0 is 0.
415
00:48:24,210 --> 00:48:29,760
So, therefore, what is a probability that
therefore this is actually equal to x of 100;
416
00:48:29,760 --> 00:48:35,980
so, therefore, depending upon the value of
x 100, whether its 0 or 1, f x 0 is 0 or 1.
417
00:48:35,980 --> 00:48:42,980
Therefore, the f x 0 being equal to 0 or being
equal to 1, both has got a probability of
418
00:48:43,770 --> 00:48:49,670
half because that depends upon whether the
100 bit is, x 100 is 0 or 1; therefore, this
419
00:48:49,670 --> 00:48:55,980
also has a probability of half and this also
has a probability of half. Note that in this
420
00:48:55,980 --> 00:49:02,980
case, when f x 0 is 0, then Alice cannot cheat,
why? Because in order to cheat, Alice needs
421
00:49:07,720 --> 00:49:14,720
to make the value of x odd and still see,
whether function f x results in a 0, which
422
00:49:17,050 --> 00:49:23,430
cannot be the case.
If x 0 is changed from 0 to 1, therefore in
423
00:49:23,430 --> 00:49:28,619
order to cheat in this particular case - if
I call this as a case a and I call this as
424
00:49:28,619 --> 00:49:35,619
a case b - so in this case one a, Alice cannot
cheat, why? Because in order to cheat, Alice
425
00:49:41,890 --> 00:49:48,890
needs to do, what? She needs to change the
value of x 0 to 1, but this implies that f
426
00:49:50,810 --> 00:49:57,810
x 0 computes to 1, which means that this is
not the same as the previous case. Therefore,
427
00:49:58,500 --> 00:50:05,500
this is not the same as what was initially
reported; that is, initially f x 0 was 0,
428
00:50:06,520 --> 00:50:13,520
therefore this is not equal to 0; since this
is not equal to 0, so Alice cannot essentially
429
00:50:14,920 --> 00:50:20,190
change the value of x 0 to some other, I mean,
cannot change the parity of x, but still keep
430
00:50:20,190 --> 00:50:24,599
the same value of f x.
So, therefore, in this case, Alice is unable
431
00:50:24,599 --> 00:50:31,599
to cheat, but what about case one b? Alice
can cheat, why? Because in this case f x 0
432
00:50:36,770 --> 00:50:43,770
is actually equal to 1; so when f x 0 is equal
to 1 then - and we know that in this case
433
00:50:44,640 --> 00:50:51,640
x is even - so, even if Alice changes x 0
to 1, this particular f x 0 value does not
434
00:51:01,310 --> 00:51:08,310
get affected; therefore, the f x value is,
f x 0 is still 1 and this is the same as in
435
00:51:15,589 --> 00:51:22,589
case one b; therefore, f x does not get changed,
but the parity of x is changed.
436
00:51:37,640 --> 00:51:44,640
So, therefore, Alice, what she has done in
this case one b is that although x was even,
437
00:51:49,270 --> 00:51:55,230
can actually change this x even to an odd
value by just flipping the last bit, but the
438
00:51:55,230 --> 00:52:00,650
value of f x 0, which she has committed does
not get changed. Therefore, Bob does not have
439
00:52:00,650 --> 00:52:07,650
any other way to understand that Alice has
done this malice; therefore Alice is able
440
00:52:08,990 --> 00:52:11,990
to cheat; therefore, Alice is successful to
cheat.
441
00:52:11,990 --> 00:52:16,520
So, therefore, what is the probability that
Alice is able to cheat, comes from this particular
442
00:52:16,520 --> 00:52:23,510
case and what is the probability of this?
It is half; so the probability of this is
443
00:52:23,510 --> 00:52:28,780
half and the probability that x is even is
also half and therefore the resultant probability
444
00:52:28,780 --> 00:52:34,369
in this case is actually equal to 1 by 4.
445
00:52:34,369 --> 00:52:41,369
So what about the next case, that is, case
two? In case two, x is odd and therefore f
446
00:52:48,480 --> 00:52:55,480
x 0, what are the possible values of f x 0?
If x is odd, it means that x of 0 is 1. Now,
447
00:52:59,589 --> 00:53:06,589
in this case, can f x 0 be equal to 0? That
is not possible, because if I OR with 1, I
448
00:53:06,589 --> 00:53:11,750
will definitely get a 1, so the only possibility
is here in this case is 1. In this case, also,
449
00:53:11,750 --> 00:53:16,369
Alice can cheat by a similar logic as we have
done for case one b.
450
00:53:16,369 --> 00:53:23,369
So, Alice can cheat similar to case one b;
so, therefore, in this case the probability
451
00:53:29,530 --> 00:53:34,720
that Alice is able to cheat is actually equal
to half into one, because that is the only
452
00:53:34,720 --> 00:53:39,569
outcome here. Therefore, the total probability
that Alice can cheat is actually, probability
453
00:53:39,569 --> 00:53:46,569
that Alice cheats or Alice can cheat, is actually
equal to 1 by 4 plus half and that is equal
454
00:53:47,930 --> 00:53:50,180
to 3 by 4.
455
00:53:50,180 --> 00:53:55,650
So, you see that here also Alice has got a
significant probability of being able to cheat;
456
00:53:55,650 --> 00:54:01,500
therefore, this function f, I conclude from
here, this f as we have defined, is not really
457
00:54:01,500 --> 00:54:08,500
a magic function. So, which means what? Which
means that we need to find out such values
458
00:54:13,470 --> 00:54:19,760
of f which are really possible candidates
of magic function and that is the objective
459
00:54:19,760 --> 00:54:24,180
of this course. That is, throughout this course,
we shall try or see various techniques or
460
00:54:24,180 --> 00:54:28,740
methods which will aim at discovering these
kinds of functions and they will be referred
461
00:54:28,740 --> 00:54:35,060
with various names like one-way functions,
pseudo-random generators, hash functions,
462
00:54:35,060 --> 00:54:37,599
symmetric and asymmetric ciphers and so on.
463
00:54:37,599 --> 00:54:44,099
So, I will just conclude; so that is the objective
of this course, but I will conclude with this
464
00:54:44,099 --> 00:54:51,099
class with just few words on what I meant
by easy and hard. Actually, I will be talking
465
00:54:51,200 --> 00:54:55,220
about this in more details in throughout the
course and it will be more clear as we proceed
466
00:54:55,220 --> 00:55:01,069
in the course, but I mean, just to understand
what is meant by practical efficiency - a
467
00:55:01,069 --> 00:55:07,180
mathematical problem is efficiently solvable
when the problem is solved in time and space,
468
00:55:07,180 --> 00:55:13,910
which can be measured by a small degree polynomial
in the size of the problem. So, the problem
469
00:55:13,910 --> 00:55:18,470
that describes the resource cost for the user
should be small.
470
00:55:18,470 --> 00:55:23,420
Therefore, what I mean by this is that when
I am saying an easy problem is that with respect
471
00:55:23,420 --> 00:55:30,089
to the input size of the problem, the cost
of your time or the cost of your space in
472
00:55:30,089 --> 00:55:37,089
solving the problem should be, as can be expressible
in a polynomial, with a polynomial of its
473
00:55:37,240 --> 00:55:40,520
input size and the degree of the polynomial
should be small.
474
00:55:40,520 --> 00:55:47,520
For example, if I have got an algorithm which
solves in a linear time complexity, say something
475
00:55:47,960 --> 00:55:52,550
like O(n), something which we defined as O(n),
which means it is linearly dependent upon
476
00:55:52,550 --> 00:55:58,589
the input size. As opposed to that, if I take
a quadratic problem, that is, if some problem
477
00:55:58,589 --> 00:56:03,970
like the time and cost of some time and space
of some problem is proportional to the square
478
00:56:03,970 --> 00:56:09,150
of its input size, then I say, that to be
a quadratic problem; therefore, the quadratic
479
00:56:09,150 --> 00:56:15,690
solution to the problem and therefore the
time and space of such a solution is obviously
480
00:56:15,690 --> 00:56:22,690
known, then what we get by a linear time problem,
linear time solution.
481
00:56:23,099 --> 00:56:28,089
Therefore, the idea here is that a mathematical
problem, I call that to be easy or I call
482
00:56:28,089 --> 00:56:32,720
that to be an easily solvable, is when the
problem which is solved in time and space
483
00:56:32,720 --> 00:56:37,280
can be measured by a small degree polynomial
in the size of the problem. And, therefore,
484
00:56:37,280 --> 00:56:42,230
as opposed to that when I have called some
problem is really a hard problem or a difficult
485
00:56:42,230 --> 00:56:48,630
problem, I mean to say, that the best algorithm
that I know to solve this problem has got
486
00:56:48,630 --> 00:56:54,619
a time or space complexity, or space which
is proportional or which cannot be really
487
00:56:54,619 --> 00:57:00,690
expressible in a polynomial with respect to
the input size, and the degree of the polynomial
488
00:57:00,690 --> 00:57:02,460
is small.
489
00:57:02,460 --> 00:57:07,220
For example, if I have got a solution which
is, say, an exponential with respect to the
490
00:57:07,220 --> 00:57:12,559
input size, for example, for example if I,
suppose the input size is n and if I have
491
00:57:12,559 --> 00:57:19,559
to do two power of n amount of storage is
required to solve that problem, then I call
492
00:57:20,099 --> 00:57:24,760
the problem to be a relatively difficult problem
or a hard problem. So that is the measure
493
00:57:24,760 --> 00:57:29,809
behind easy and a difficult.
We also have to keep our practical efficiency
494
00:57:29,809 --> 00:57:34,349
in mind, for example, a protocol with the
number of rounds between the users, if it
495
00:57:34,349 --> 00:57:37,890
increases quadratically with the number of
users, then I say that not to be efficient,
496
00:57:37,890 --> 00:57:43,150
but it may be the best possible way to do
it; but the researchers throughout the world
497
00:57:43,150 --> 00:57:48,920
will try to make that protocol better or more
efficient. So, what does it mean? I mean to
498
00:57:48,920 --> 00:57:54,510
say that, I will try to increase or rather
reduce the number of users and make it more
499
00:57:54,510 --> 00:57:58,280
and more efficient; therefore, you should
not increase quadratically, I mean, may be
500
00:57:58,280 --> 00:58:00,440
it will increase linearly.
501
00:58:00,440 --> 00:58:04,920
Therefore, we wish to make protocols or algorithms
which are not only secure, but at the same
502
00:58:04,920 --> 00:58:09,819
time they are also efficient; therefore, efficiency
is also another thing which we will always
503
00:58:09,819 --> 00:58:16,819
keep in mind in developing cryptographic algorithms.
So, I conclude this topic part with reference
504
00:58:18,089 --> 00:58:18,750
which I have followed.
505
00:58:18,750 --> 00:58:24,150
I have followed the book of Wenbo Mao for
this part, it is Modern Cryptography: Theory
506
00:58:24,150 --> 00:58:29,950
and Practice - that is a low priced edition
from Pearson Education. In the next day's
507
00:58:29,950 --> 00:58:35,660
class, we will have an overview on modern
cryptography. We will see various cryptographic
508
00:58:35,660 --> 00:58:37,609
algorithms, various objectives of modern day
ciphers.
509
00:58:37,609 --> 00:58:44,609
So, we conclude this course.
Thank you.