Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012.

Published byEmily Spittle Modified over 9 years ago

Similar presentations

Presentation on theme: "SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012."— Presentation transcript:

1 SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012

2

3 RSA INVENTORS GOT BORED AND DECIDED TO PLAY POKER Some history … Mental Poker Adi Shamir, Ronald Rivest, Leonard Adleman, ’81

4 HOW TO PLAY MENTAL POKER?

5 MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party? in theory impossible

6 MENTAL POKER PROTOCOL Some history … in theory impossible: no such protocol exists Information Theory: the ciphertext provides no information about the plaintext. Shannon’s entropy is a measure of this information. Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

7 MENTAL POKER PROTOCOL Some history … in theory impossible Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

8 MENTAL POKER PROTOCOL Some history … in theory impossible solution based on SRA Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

9 MENTAL POKER PROTOCOL Some history … SRA Protocol relies on commutative encryption E ( E (x, a), b) = E ( E (x, b), a) in theory impossible solution based on SRA Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?

10 MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 Encryption function E for SRA * q is a large prime number *  (q) = q-1 * plaintext, ciphertext, key spaces all in Z q * * key a s.t. gcd(a,  (q))= 1 E (x, a) = x a mod q D (c, a) = c -a mod q

11 MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 Cast : Alice and Bob

12 MENTAL POKER PROTOCOL How SRA works

13 MENTAL POKER PROTOCOL How SRA works

14 MENTAL POKER PROTOCOL How SRA works

15 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )

16 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )

17 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b )

18 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b )

19 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )

20 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b) BobAlice E (, b ) E (, b ) E (, b )

21 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E ( E (, b ),a )

22 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E (, b ) E ( E (, b ),a )

23 MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E (, b ) E ( E (, b ),a ) D ( E ( E (, b ),a ), b)

24 A simple programming language var::= x | y | z … op :: = + | - | * | < | = … expr :: = const | var | expr op expr c::= var := expr | skip | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c; c

25 Semantics of expressions [ e ]  To define semantics of expressions, we need to define states . A state is a function that maps each variable into its value. We need to provide an interpretation for each operation op var::= x | y | z … op :: = + | - | * | < | = … expr :: = const| var | expr op expr

26 Semantics of expressions [ e ]  Example: If  (x) = 3 and  (y) = 0 then [ x+y ]  = [ x ]  + [ y ]  = 3 + 0 = 3 We say that the semantics of [ x/y ]  is not defined. var::= x | y | z … op :: = + | - | * | < | = … expr :: = const| var | expr op expr

27 Operational semantics Semantics precisely defines the meaning of programs: We will define a “small-step operational semantics” Basic idea: execution of a program can be formalize as a sequence of configurations: c0  c1  c2  …. A configuration is a pair command and a state Example of configuration:

28 The operational semantics is defined by a transition system (Configurations,  ). Configurations = {,,,, } The relation  can be represented by a picture but it should be formally defined by a set of rules. Operational semantics

29 In this example:  Configurations = {, }

30 Operational semantics The operational semantics is defined by a transition system (Configurations,  ). The relation  is defined by a set of semantic rules of the form: [ e ]  =v _________________________ 

31 Operational semantics We need to define relation  for each command in the programming language: c::= var := expr | skip | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c; c

32 Operational semantics [ e ]  =v _________________________ 

33 Operational semantics _________________________ 

34 Operational semantics [ e ]  =0 _________________________ 

35 Operational semantics [ e ]  =0 _________________________  [ e ]   0 _________________________ 

36 Operational semantics [ e ]  =0 _________________________  [ e ]   0 _________________________ 

37 Operational semantics  c’   _________________________   _________________________ 

38 Operational semantics ________________ 

39 Probabilistic programming language var::= x | y | z … op :: = + | - | * | < | = … expr :: = var | expr op expr probFun::= f | g | E |G | D | … c::= var := expr | skip | var:= probFun ( var, …,var) | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c ; c

40 Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2

41 Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 The sum is equal to 1 This forms a distribution for configurations reachable from

42 Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 Distribution d induced by d ( ) = 0.4 d ( ) = 0.1 d ( ) = 0.2 …

43 Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 What is the probability of reaching from Pr[ ] ? What is the probability of reaching from Pr[ ] ?

44 Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 What is the probability of reaching from Pr[ ] ? What is the probability of reaching from Pr[ ] ?

45 Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14

46 Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14

47 Probabilistic semantics Given by a sequence of probability distributions

48 Probabilistic Transition System And more formally, we need to provide a set of rules to define the probabilistic transition system Now relation  is probabilistic, annotated with a probability p  p

49 Operational semantics [ e ]  =v _________________________  1 _________________________  1 [ e ]  =0 _________________________  1 [ e ]   0 _________________________  1 [ e ]  =0 _________________________  1 [ e ]   0 _________________________  1  p c’   _________________________  p  p _________________________  p ________________  1

50 Mental Poker in While p shuffle ( ) = c := {0,1,2,3,4,5} ; if c=0 then b 0,b 1,b 2 := ; else ….

51 MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce ecards:= shuffle( E (, b ) E (, b ) E (, b ) ); aliceCard := randomPick(lce, nil); bobCard := randomPick(lce,aliceCard ); aliceCard:= E (aliceCard,a); laliceCard:= aliceCard; lbobCard:= bobCard laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); MENTAL POKER

52 MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); HOW TO CHEAT IN MENTAL POKER ?

53 MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); HOW TO CHEAT IN MENTAL POKER A

54 How SRA works Some facts to break the protocol:

55 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key

56 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key An adversary that breaks the protocol by using brute force : A = for k = 1 to 2 ɳ do y:= D (lce[c],k); if y = then aliceCard := lce[c]

57 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key A is polynomial, factorization is a hard problem

58 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key A is polynomial, factorization is a hard problem

59 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key

60 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key An adversary that breaks the protocol if Bob plays twice with the same key

61 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key A = if oldEncACE = lce[c] then aliceCard := lce[c];

62 HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key Observing quadratic residues!! (R.J. Lipton) x  Q q   b x 2  b (mod q) x  Q q  x k (mod q)  Q q

63 HOW TO CHEAT IN MENTAL POKER How SRA works Observing quadratic residues!! (R.J. Lipton) x  Q q   b x 2  b (mod q) x  Q q  x k (mod q)  Q q How to cheat in Mental Poker Lipton’81

64 PROVABLE CRYPTOGRAPHY how to prove security of encryption algorithms? PROVABLE CRYPTOGRAPHY

65 how to prove security of encryption algorithms? Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information Goldwasser and Micali ’82 PROVABLE CRYPTOGRAPHY

66 Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82 The fact that f is a trapdoor function does not rule out: 1.the possibility of computing x from f(x) when x is of a special form. 2.the possibility of computing some partial information about x (even every other bit of x) from f(x). TRAPDOOR FUNCTION x f(x) easy hard

67 PROVABLE CRYPTOGRAPHY how to prove security of encryption algorithms? Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82 - probabilistic setting - notion of semantic security PROVABLE CRYPTOGRAPHY

68 Semantic security or Chosen Plaintext Attack (a.k.a. CPA) E ( message1, b) message1, message 2 E ( message2, b) “I guess that the coin was tail” | Pr[CPA; g = c] - ½ | is negligible for |b| (|b| is called security parameter)

69 NEGLIGIBLE FUNCTION A function f (x) is negligible for x when for all c>0, there is a constant n c such that n c ≤ x implies f(x) ≤ 1/x c

70 NEGLIGIBLE FUNCTION A function f (x) is negligible for x when for all c>0, there is a constant n c such that n c ≤ x implies f(x) ≤ 1/x c Are the following functions negligible? f(x) = x 2 f(x) =1/x f(x) =1/x 2 f(x)= 1/3 x

71 encryption scheme Definition of encryption scheme An encryption scheme is a triple ( G, E, D ) of probabilistic polynomial-time algorithms such that: - On input ɳ, algorithm G outputs a pair e, d of bitstrings - D ( E (x,e),d) = x

72 PROVABLE CRYPTOGRAPHY Chosen-plaintext attack (CPA) E (x 0, x 1 ) = if (c = 0) then {m := E (x 0, k e )} else {m := E (x 1,k e )}; CPA = c := {0,1}; k e, k d := G e (); A [ E ] | Pr[CPA; g =c] - ½ | is negligible for ɳ ( ɳ is called security parameter)

73 READING Slides, Notes, Bibliography Slides and lecture notes: www-sop.inria.fr/members/Tamara.Rezk/teaching Mental Poker – Shamir, Rivest, Adleman Probabilistic Encryption & How to Play Mental Poker Keeping Secret all Partial Information – Goldwasser, Micali

Download ppt "SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012."

Similar presentations

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…
SECURITY AND VERIFICATION

SECURITY AND VERIFICATION
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.

Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem

RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem
Foundations of Cryptography Lecture 5: Signatures and pseudo-random generators Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5: Signatures and pseudo-random generators Lecturer: Moni Naor.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
Public Encryption: RSA

Public Encryption: RSA
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.

8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Similar presentations

Ads by Google