SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012
RSA INVENTORS GOT BORED AND DECIDED TO PLAY POKER Some history … Mental Poker Adi Shamir, Ronald Rivest, Leonard Adleman, ’81
HOW TO PLAY MENTAL POKER?
MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party? in theory impossible
MENTAL POKER PROTOCOL Some history … in theory impossible: no such protocol exists Information Theory: the ciphertext provides no information about the plaintext. Shannon’s entropy is a measure of this information. Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?
MENTAL POKER PROTOCOL Some history … in theory impossible Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?
MENTAL POKER PROTOCOL Some history … in theory impossible solution based on SRA Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?
MENTAL POKER PROTOCOL Some history … SRA Protocol relies on commutative encryption E ( E (x, a), b) = E ( E (x, b), a) in theory impossible solution based on SRA Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?
MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 Encryption function E for SRA * q is a large prime number * (q) = q-1 * plaintext, ciphertext, key spaces all in Z q * * key a s.t. gcd(a, (q))= 1 E (x, a) = x a mod q D (c, a) = c -a mod q
MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 Cast : Alice and Bob
MENTAL POKER PROTOCOL How SRA works
MENTAL POKER PROTOCOL How SRA works
MENTAL POKER PROTOCOL How SRA works
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b )
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b )
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b) BobAlice E (, b ) E (, b ) E (, b )
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E ( E (, b ),a )
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E (, b ) E ( E (, b ),a )
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E (, b ) E ( E (, b ),a ) D ( E ( E (, b ),a ), b)
A simple programming language var::= x | y | z … op :: = + | - | * | < | = … expr :: = const | var | expr op expr c::= var := expr | skip | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c; c
Semantics of expressions [ e ] To define semantics of expressions, we need to define states . A state is a function that maps each variable into its value. We need to provide an interpretation for each operation op var::= x | y | z … op :: = + | - | * | < | = … expr :: = const| var | expr op expr
Semantics of expressions [ e ] Example: If (x) = 3 and (y) = 0 then [ x+y ] = [ x ] + [ y ] = = 3 We say that the semantics of [ x/y ] is not defined. var::= x | y | z … op :: = + | - | * | < | = … expr :: = const| var | expr op expr
Operational semantics Semantics precisely defines the meaning of programs: We will define a “small-step operational semantics” Basic idea: execution of a program can be formalize as a sequence of configurations: c0 c1 c2 …. A configuration is a pair command and a state Example of configuration:
The operational semantics is defined by a transition system (Configurations, ). Configurations = {,,,, } The relation can be represented by a picture but it should be formally defined by a set of rules. Operational semantics
In this example: Configurations = {, }
Operational semantics The operational semantics is defined by a transition system (Configurations, ). The relation is defined by a set of semantic rules of the form: [ e ] =v _________________________
Operational semantics We need to define relation for each command in the programming language: c::= var := expr | skip | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c; c
Operational semantics [ e ] =v _________________________
Operational semantics _________________________
Operational semantics [ e ] =0 _________________________
Operational semantics [ e ] =0 _________________________ [ e ] 0 _________________________
Operational semantics [ e ] =0 _________________________ [ e ] 0 _________________________
Operational semantics c’ _________________________ _________________________
Operational semantics ________________
Probabilistic programming language var::= x | y | z … op :: = + | - | * | < | = … expr :: = var | expr op expr probFun::= f | g | E |G | D | … c::= var := expr | skip | var:= probFun ( var, …,var) | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c ; c
Markov Chain
Markov Chain The sum is equal to 1 This forms a distribution for configurations reachable from
Markov Chain Distribution d induced by d ( ) = 0.4 d ( ) = 0.1 d ( ) = 0.2 …
Markov Chain What is the probability of reaching from Pr[ ] ? What is the probability of reaching from Pr[ ] ?
Markov Chain What is the probability of reaching from Pr[ ] ? What is the probability of reaching from Pr[ ] ?
Markov Chain T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14
Markov Chain T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14
Probabilistic semantics Given by a sequence of probability distributions
Probabilistic Transition System And more formally, we need to provide a set of rules to define the probabilistic transition system Now relation is probabilistic, annotated with a probability p p
Operational semantics [ e ] =v _________________________ 1 _________________________ 1 [ e ] =0 _________________________ 1 [ e ] 0 _________________________ 1 [ e ] =0 _________________________ 1 [ e ] 0 _________________________ 1 p c’ _________________________ p p _________________________ p ________________ 1
Mental Poker in While p shuffle ( ) = c := {0,1,2,3,4,5} ; if c=0 then b 0,b 1,b 2 := ; else ….
MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce ecards:= shuffle( E (, b ) E (, b ) E (, b ) ); aliceCard := randomPick(lce, nil); bobCard := randomPick(lce,aliceCard ); aliceCard:= E (aliceCard,a); laliceCard:= aliceCard; lbobCard:= bobCard laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); MENTAL POKER
MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); HOW TO CHEAT IN MENTAL POKER ?
MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); HOW TO CHEAT IN MENTAL POKER A
How SRA works Some facts to break the protocol:
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key An adversary that breaks the protocol by using brute force : A = for k = 1 to 2 ɳ do y:= D (lce[c],k); if y = then aliceCard := lce[c]
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key A is polynomial, factorization is a hard problem
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key A is polynomial, factorization is a hard problem
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key An adversary that breaks the protocol if Bob plays twice with the same key
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key A = if oldEncACE = lce[c] then aliceCard := lce[c];
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key Observing quadratic residues!! (R.J. Lipton) x Q q b x 2 b (mod q) x Q q x k (mod q) Q q
HOW TO CHEAT IN MENTAL POKER How SRA works Observing quadratic residues!! (R.J. Lipton) x Q q b x 2 b (mod q) x Q q x k (mod q) Q q How to cheat in Mental Poker Lipton’81
PROVABLE CRYPTOGRAPHY how to prove security of encryption algorithms? PROVABLE CRYPTOGRAPHY
how to prove security of encryption algorithms? Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information Goldwasser and Micali ’82 PROVABLE CRYPTOGRAPHY
Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82 The fact that f is a trapdoor function does not rule out: 1.the possibility of computing x from f(x) when x is of a special form. 2.the possibility of computing some partial information about x (even every other bit of x) from f(x). TRAPDOOR FUNCTION x f(x) easy hard
PROVABLE CRYPTOGRAPHY how to prove security of encryption algorithms? Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82 - probabilistic setting - notion of semantic security PROVABLE CRYPTOGRAPHY
Semantic security or Chosen Plaintext Attack (a.k.a. CPA) E ( message1, b) message1, message 2 E ( message2, b) “I guess that the coin was tail” | Pr[CPA; g = c] - ½ | is negligible for |b| (|b| is called security parameter)
NEGLIGIBLE FUNCTION A function f (x) is negligible for x when for all c>0, there is a constant n c such that n c ≤ x implies f(x) ≤ 1/x c
NEGLIGIBLE FUNCTION A function f (x) is negligible for x when for all c>0, there is a constant n c such that n c ≤ x implies f(x) ≤ 1/x c Are the following functions negligible? f(x) = x 2 f(x) =1/x f(x) =1/x 2 f(x)= 1/3 x
encryption scheme Definition of encryption scheme An encryption scheme is a triple ( G, E, D ) of probabilistic polynomial-time algorithms such that: - On input ɳ, algorithm G outputs a pair e, d of bitstrings - D ( E (x,e),d) = x
PROVABLE CRYPTOGRAPHY Chosen-plaintext attack (CPA) E (x 0, x 1 ) = if (c = 0) then {m := E (x 0, k e )} else {m := E (x 1,k e )}; CPA = c := {0,1}; k e, k d := G e (); A [ E ] | Pr[CPA; g =c] - ½ | is negligible for ɳ ( ɳ is called security parameter)
READING Slides, Notes, Bibliography Slides and lecture notes: www-sop.inria.fr/members/Tamara.Rezk/teaching Mental Poker – Shamir, Rivest, Adleman Probabilistic Encryption & How to Play Mental Poker Keeping Secret all Partial Information – Goldwasser, Micali