Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012.

Similar presentations


Presentation on theme: "SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012."— Presentation transcript:

1 SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012

2

3 RSA INVENTORS GOT BORED AND DECIDED TO PLAY POKER Some history … Mental Poker Adi Shamir, Ronald Rivest, Leonard Adleman, ’81

4 HOW TO PLAY MENTAL POKER?

5 MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party? in theory impossible

6 MENTAL POKER PROTOCOL Some history … in theory impossible: no such protocol exists Information Theory: the ciphertext provides no information about the plaintext. Shannon’s entropy is a measure of this information. Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

7 MENTAL POKER PROTOCOL Some history … in theory impossible Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

8 MENTAL POKER PROTOCOL Some history … in theory impossible solution based on SRA Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

9 MENTAL POKER PROTOCOL Some history … SRA Protocol relies on commutative encryption E ( E (x, a), b) = E ( E (x, b), a) in theory impossible solution based on SRA Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

10 MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 Encryption function E for SRA * q is a large prime number *  (q) = q-1 * plaintext, ciphertext, key spaces all in Z q * * key a s.t. gcd(a,  (q))= 1 E (x, a) = x a mod q D (c, a) = c -a mod q

11 MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 Cast : Alice and Bob

12 MENTAL POKER PROTOCOL How SRA works

13 MENTAL POKER PROTOCOL How SRA works

14 MENTAL POKER PROTOCOL How SRA works

15 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )

16 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )

17 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b )

18 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b )

19 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )

20 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b) BobAlice E (, b ) E (, b ) E (, b )

21 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E ( E (, b ),a )

22 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E (, b ) E ( E (, b ),a )

23 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E (, b ) E ( E (, b ),a ) D ( E ( E (, b ),a ), b)

24 A simple programming language var::= x | y | z … op :: = + | - | * | < | = … expr :: = const | var | expr op expr c::= var := expr | skip | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c; c

25 Semantics of expressions [ e ]  To define semantics of expressions, we need to define states . A state is a function that maps each variable into its value. We need to provide an interpretation for each operation op var::= x | y | z … op :: = + | - | * | < | = … expr :: = const| var | expr op expr

26 Semantics of expressions [ e ]  Example: If  (x) = 3 and  (y) = 0 then [ x+y ]  = [ x ]  + [ y ]  = = 3 We say that the semantics of [ x/y ]  is not defined. var::= x | y | z … op :: = + | - | * | < | = … expr :: = const| var | expr op expr

27 Operational semantics Semantics precisely defines the meaning of programs: We will define a “small-step operational semantics” Basic idea: execution of a program can be formalize as a sequence of configurations: c0  c1  c2  …. A configuration is a pair command and a state Example of configuration:

28 The operational semantics is defined by a transition system (Configurations,  ). Configurations = {,,,, } The relation  can be represented by a picture but it should be formally defined by a set of rules. Operational semantics

29 In this example:  Configurations = {, }

30 Operational semantics The operational semantics is defined by a transition system (Configurations,  ). The relation  is defined by a set of semantic rules of the form: [ e ]  =v _________________________ 

31 Operational semantics We need to define relation  for each command in the programming language: c::= var := expr | skip | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c; c

32 Operational semantics [ e ]  =v _________________________ 

33 Operational semantics _________________________ 

34 Operational semantics [ e ]  =0 _________________________ 

35 Operational semantics [ e ]  =0 _________________________  [ e ]   0 _________________________ 

36 Operational semantics [ e ]  =0 _________________________  [ e ]   0 _________________________ 

37 Operational semantics  c’   _________________________   _________________________ 

38 Operational semantics ________________ 

39 Probabilistic programming language var::= x | y | z … op :: = + | - | * | < | = … expr :: = var | expr op expr probFun::= f | g | E |G | D | … c::= var := expr | skip | var:= probFun ( var, …,var) | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c ; c

40 Markov Chain

41 Markov Chain The sum is equal to 1 This forms a distribution for configurations reachable from

42 Markov Chain Distribution d induced by d ( ) = 0.4 d ( ) = 0.1 d ( ) = 0.2 …

43 Markov Chain What is the probability of reaching from Pr[ ] ? What is the probability of reaching from Pr[ ] ?

44 Markov Chain What is the probability of reaching from Pr[ ] ? What is the probability of reaching from Pr[ ] ?

45 Markov Chain T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14

46 Markov Chain T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14

47 Probabilistic semantics Given by a sequence of probability distributions

48 Probabilistic Transition System And more formally, we need to provide a set of rules to define the probabilistic transition system Now relation  is probabilistic, annotated with a probability p  p

49 Operational semantics [ e ]  =v _________________________  1 _________________________  1 [ e ]  =0 _________________________  1 [ e ]   0 _________________________  1 [ e ]  =0 _________________________  1 [ e ]   0 _________________________  1  p c’   _________________________  p  p _________________________  p ________________  1

50 Mental Poker in While p shuffle ( ) = c := {0,1,2,3,4,5} ; if c=0 then b 0,b 1,b 2 := ; else ….

51 MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce ecards:= shuffle( E (, b ) E (, b ) E (, b ) ); aliceCard := randomPick(lce, nil); bobCard := randomPick(lce,aliceCard ); aliceCard:= E (aliceCard,a); laliceCard:= aliceCard; lbobCard:= bobCard laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); MENTAL POKER

52 MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); HOW TO CHEAT IN MENTAL POKER ?

53 MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); HOW TO CHEAT IN MENTAL POKER A

54 How SRA works Some facts to break the protocol:

55 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key

56 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key An adversary that breaks the protocol by using brute force : A = for k = 1 to 2 ɳ do y:= D (lce[c],k); if y = then aliceCard := lce[c]

57 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key A is polynomial, factorization is a hard problem

58 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key A is polynomial, factorization is a hard problem

59 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key

60 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key An adversary that breaks the protocol if Bob plays twice with the same key

61 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key A = if oldEncACE = lce[c] then aliceCard := lce[c];

62 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key Observing quadratic residues!! (R.J. Lipton) x  Q q   b x 2  b (mod q) x  Q q  x k (mod q)  Q q

63 HOW TO CHEAT IN MENTAL POKER How SRA works Observing quadratic residues!! (R.J. Lipton) x  Q q   b x 2  b (mod q) x  Q q  x k (mod q)  Q q How to cheat in Mental Poker Lipton’81

64 PROVABLE CRYPTOGRAPHY how to prove security of encryption algorithms? PROVABLE CRYPTOGRAPHY

65 how to prove security of encryption algorithms? Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information Goldwasser and Micali ’82 PROVABLE CRYPTOGRAPHY

66 Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82 The fact that f is a trapdoor function does not rule out: 1.the possibility of computing x from f(x) when x is of a special form. 2.the possibility of computing some partial information about x (even every other bit of x) from f(x). TRAPDOOR FUNCTION x f(x) easy hard

67 PROVABLE CRYPTOGRAPHY how to prove security of encryption algorithms? Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82 - probabilistic setting - notion of semantic security PROVABLE CRYPTOGRAPHY

68 Semantic security or Chosen Plaintext Attack (a.k.a. CPA) E ( message1, b) message1, message 2 E ( message2, b) “I guess that the coin was tail” | Pr[CPA; g = c] - ½ | is negligible for |b| (|b| is called security parameter)

69 NEGLIGIBLE FUNCTION A function f (x) is negligible for x when for all c>0, there is a constant n c such that n c ≤ x implies f(x) ≤ 1/x c

70 NEGLIGIBLE FUNCTION A function f (x) is negligible for x when for all c>0, there is a constant n c such that n c ≤ x implies f(x) ≤ 1/x c Are the following functions negligible? f(x) = x 2 f(x) =1/x f(x) =1/x 2 f(x)= 1/3 x

71 encryption scheme Definition of encryption scheme An encryption scheme is a triple ( G, E, D ) of probabilistic polynomial-time algorithms such that: - On input ɳ, algorithm G outputs a pair e, d of bitstrings - D ( E (x,e),d) = x

72 PROVABLE CRYPTOGRAPHY Chosen-plaintext attack (CPA) E (x 0, x 1 ) = if (c = 0) then {m := E (x 0, k e )} else {m := E (x 1,k e )}; CPA = c := {0,1}; k e, k d := G e (); A [ E ] | Pr[CPA; g =c] - ½ | is negligible for ɳ ( ɳ is called security parameter)

73 READING Slides, Notes, Bibliography Slides and lecture notes: www-sop.inria.fr/members/Tamara.Rezk/teaching Mental Poker – Shamir, Rivest, Adleman Probabilistic Encryption & How to Play Mental Poker Keeping Secret all Partial Information – Goldwasser, Micali


Download ppt "SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012."

Similar presentations


Ads by Google