Download presentation

Presentation is loading. Please wait.

Published byEmily Spittle Modified over 2 years ago

1
SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012

3
RSA INVENTORS GOT BORED AND DECIDED TO PLAY POKER Some history … Mental Poker Adi Shamir, Ronald Rivest, Leonard Adleman, ’81

4
HOW TO PLAY MENTAL POKER?

5
MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party? in theory impossible

6
MENTAL POKER PROTOCOL Some history … in theory impossible: no such protocol exists Information Theory: the ciphertext provides no information about the plaintext. Shannon’s entropy is a measure of this information. Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

7
MENTAL POKER PROTOCOL Some history … in theory impossible Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

8
MENTAL POKER PROTOCOL Some history … in theory impossible solution based on SRA Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

9
MENTAL POKER PROTOCOL Some history … SRA Protocol relies on commutative encryption E ( E (x, a), b) = E ( E (x, b), a) in theory impossible solution based on SRA Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

10
MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 Encryption function E for SRA * q is a large prime number * (q) = q-1 * plaintext, ciphertext, key spaces all in Z q * * key a s.t. gcd(a, (q))= 1 E (x, a) = x a mod q D (c, a) = c -a mod q

11
MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 Cast : Alice and Bob

12
MENTAL POKER PROTOCOL How SRA works

13
MENTAL POKER PROTOCOL How SRA works

14
MENTAL POKER PROTOCOL How SRA works

15
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )

16
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )

17
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b )

18
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b )

19
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )

20
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b) BobAlice E (, b ) E (, b ) E (, b )

21
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E ( E (, b ),a )

22
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E (, b ) E ( E (, b ),a )

23
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E (, b ) E ( E (, b ),a ) D ( E ( E (, b ),a ), b)

24
A simple programming language var::= x | y | z … op :: = + | - | * | < | = … expr :: = const | var | expr op expr c::= var := expr | skip | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c; c

25
Semantics of expressions [ e ] To define semantics of expressions, we need to define states . A state is a function that maps each variable into its value. We need to provide an interpretation for each operation op var::= x | y | z … op :: = + | - | * | < | = … expr :: = const| var | expr op expr

26
Semantics of expressions [ e ] Example: If (x) = 3 and (y) = 0 then [ x+y ] = [ x ] + [ y ] = 3 + 0 = 3 We say that the semantics of [ x/y ] is not defined. var::= x | y | z … op :: = + | - | * | < | = … expr :: = const| var | expr op expr

27
Operational semantics Semantics precisely defines the meaning of programs: We will define a “small-step operational semantics” Basic idea: execution of a program can be formalize as a sequence of configurations: c0 c1 c2 …. A configuration is a pair command and a state Example of configuration:

28
The operational semantics is defined by a transition system (Configurations, ). Configurations = {,,,, } The relation can be represented by a picture but it should be formally defined by a set of rules. Operational semantics

29
In this example: Configurations = {, }

30
Operational semantics The operational semantics is defined by a transition system (Configurations, ). The relation is defined by a set of semantic rules of the form: [ e ] =v _________________________

31
Operational semantics We need to define relation for each command in the programming language: c::= var := expr | skip | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c; c

32
Operational semantics [ e ] =v _________________________

33
Operational semantics _________________________

34
Operational semantics [ e ] =0 _________________________

35
Operational semantics [ e ] =0 _________________________ [ e ] 0 _________________________

36
Operational semantics [ e ] =0 _________________________ [ e ] 0 _________________________

37
Operational semantics c’ _________________________ _________________________

38
Operational semantics ________________

39
Probabilistic programming language var::= x | y | z … op :: = + | - | * | < | = … expr :: = var | expr op expr probFun::= f | g | E |G | D | … c::= var := expr | skip | var:= probFun ( var, …,var) | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c ; c

40
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2

41
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 The sum is equal to 1 This forms a distribution for configurations reachable from

42
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 Distribution d induced by d ( ) = 0.4 d ( ) = 0.1 d ( ) = 0.2 …

43
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 What is the probability of reaching from Pr[ ] ? What is the probability of reaching from Pr[ ] ?

44
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 What is the probability of reaching from Pr[ ] ? What is the probability of reaching from Pr[ ] ?

45
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14

46
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14

47
Probabilistic semantics Given by a sequence of probability distributions

48
Probabilistic Transition System And more formally, we need to provide a set of rules to define the probabilistic transition system Now relation is probabilistic, annotated with a probability p p

49
Operational semantics [ e ] =v _________________________ 1 _________________________ 1 [ e ] =0 _________________________ 1 [ e ] 0 _________________________ 1 [ e ] =0 _________________________ 1 [ e ] 0 _________________________ 1 p c’ _________________________ p p _________________________ p ________________ 1

50
Mental Poker in While p shuffle ( ) = c := {0,1,2,3,4,5} ; if c=0 then b 0,b 1,b 2 := ; else ….

51
MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce ecards:= shuffle( E (, b ) E (, b ) E (, b ) ); aliceCard := randomPick(lce, nil); bobCard := randomPick(lce,aliceCard ); aliceCard:= E (aliceCard,a); laliceCard:= aliceCard; lbobCard:= bobCard laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); MENTAL POKER

52
MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); HOW TO CHEAT IN MENTAL POKER ?

53
MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); HOW TO CHEAT IN MENTAL POKER A

54
How SRA works Some facts to break the protocol:

55
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key

56
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key An adversary that breaks the protocol by using brute force : A = for k = 1 to 2 ɳ do y:= D (lce[c],k); if y = then aliceCard := lce[c]

57
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key A is polynomial, factorization is a hard problem

58
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key A is polynomial, factorization is a hard problem

59
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key

60
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key An adversary that breaks the protocol if Bob plays twice with the same key

61
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key A = if oldEncACE = lce[c] then aliceCard := lce[c];

62
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key Observing quadratic residues!! (R.J. Lipton) x Q q b x 2 b (mod q) x Q q x k (mod q) Q q

63
HOW TO CHEAT IN MENTAL POKER How SRA works Observing quadratic residues!! (R.J. Lipton) x Q q b x 2 b (mod q) x Q q x k (mod q) Q q How to cheat in Mental Poker Lipton’81

64
PROVABLE CRYPTOGRAPHY how to prove security of encryption algorithms? PROVABLE CRYPTOGRAPHY

65
how to prove security of encryption algorithms? Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information Goldwasser and Micali ’82 PROVABLE CRYPTOGRAPHY

66
Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82 The fact that f is a trapdoor function does not rule out: 1.the possibility of computing x from f(x) when x is of a special form. 2.the possibility of computing some partial information about x (even every other bit of x) from f(x). TRAPDOOR FUNCTION x f(x) easy hard

67
PROVABLE CRYPTOGRAPHY how to prove security of encryption algorithms? Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82 - probabilistic setting - notion of semantic security PROVABLE CRYPTOGRAPHY

68
Semantic security or Chosen Plaintext Attack (a.k.a. CPA) E ( message1, b) message1, message 2 E ( message2, b) “I guess that the coin was tail” | Pr[CPA; g = c] - ½ | is negligible for |b| (|b| is called security parameter)

69
NEGLIGIBLE FUNCTION A function f (x) is negligible for x when for all c>0, there is a constant n c such that n c ≤ x implies f(x) ≤ 1/x c

70
NEGLIGIBLE FUNCTION A function f (x) is negligible for x when for all c>0, there is a constant n c such that n c ≤ x implies f(x) ≤ 1/x c Are the following functions negligible? f(x) = x 2 f(x) =1/x f(x) =1/x 2 f(x)= 1/3 x

71
encryption scheme Definition of encryption scheme An encryption scheme is a triple ( G, E, D ) of probabilistic polynomial-time algorithms such that: - On input ɳ, algorithm G outputs a pair e, d of bitstrings - D ( E (x,e),d) = x

72
PROVABLE CRYPTOGRAPHY Chosen-plaintext attack (CPA) E (x 0, x 1 ) = if (c = 0) then {m := E (x 0, k e )} else {m := E (x 1,k e )}; CPA = c := {0,1}; k e, k d := G e (); A [ E ] | Pr[CPA; g =c] - ½ | is negligible for ɳ ( ɳ is called security parameter)

73
READING Slides, Notes, Bibliography Slides and lecture notes: www-sop.inria.fr/members/Tamara.Rezk/teaching Mental Poker – Shamir, Rivest, Adleman Probabilistic Encryption & How to Play Mental Poker Keeping Secret all Partial Information – Goldwasser, Micali

Similar presentations

OK

Public Key Cryptosystem In Symmetric or Private Key cryptosystems the encryption and decryption keys are either the same or can be easily found from each.

Public Key Cryptosystem In Symmetric or Private Key cryptosystems the encryption and decryption keys are either the same or can be easily found from each.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google