Download presentation
Presentation is loading. Please wait.
Published byEmily Spittle Modified over 10 years ago
1
SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012
3
RSA INVENTORS GOT BORED AND DECIDED TO PLAY POKER Some history … Mental Poker Adi Shamir, Ronald Rivest, Leonard Adleman, ’81
4
HOW TO PLAY MENTAL POKER?
5
MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party? in theory impossible
6
MENTAL POKER PROTOCOL Some history … in theory impossible: no such protocol exists Information Theory: the ciphertext provides no information about the plaintext. Shannon’s entropy is a measure of this information. Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?
7
MENTAL POKER PROTOCOL Some history … in theory impossible Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?
8
MENTAL POKER PROTOCOL Some history … in theory impossible solution based on SRA Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?
9
MENTAL POKER PROTOCOL Some history … SRA Protocol relies on commutative encryption E ( E (x, a), b) = E ( E (x, b), a) in theory impossible solution based on SRA Mental Poker Shamir, Rivest, Adleman, ’81 how to write a protocol for mental poker without using a third trusted party?
10
MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 Encryption function E for SRA * q is a large prime number * (q) = q-1 * plaintext, ciphertext, key spaces all in Z q * * key a s.t. gcd(a, (q))= 1 E (x, a) = x a mod q D (c, a) = c -a mod q
11
MENTAL POKER PROTOCOL Some history … Mental Poker Shamir, Rivest, Adleman, ’81 Cast : Alice and Bob
12
MENTAL POKER PROTOCOL How SRA works
13
MENTAL POKER PROTOCOL How SRA works
14
MENTAL POKER PROTOCOL How SRA works
15
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )
16
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )
17
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b )
18
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b )
19
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b )
20
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b) E (, b) BobAlice E (, b ) E (, b ) E (, b )
21
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E ( E (, b ),a )
22
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E (, b ) E ( E (, b ),a )
23
MENTAL POKER PROTOCOL How SRA works E (, b ) E (, b ) E (, b ) BobAlice E (, b ) E ( E (, b ),a ) D ( E ( E (, b ),a ), b)
24
A simple programming language var::= x | y | z … op :: = + | - | * | < | = … expr :: = const | var | expr op expr c::= var := expr | skip | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c; c
25
Semantics of expressions [ e ] To define semantics of expressions, we need to define states . A state is a function that maps each variable into its value. We need to provide an interpretation for each operation op var::= x | y | z … op :: = + | - | * | < | = … expr :: = const| var | expr op expr
26
Semantics of expressions [ e ] Example: If (x) = 3 and (y) = 0 then [ x+y ] = [ x ] + [ y ] = 3 + 0 = 3 We say that the semantics of [ x/y ] is not defined. var::= x | y | z … op :: = + | - | * | < | = … expr :: = const| var | expr op expr
27
Operational semantics Semantics precisely defines the meaning of programs: We will define a “small-step operational semantics” Basic idea: execution of a program can be formalize as a sequence of configurations: c0 c1 c2 …. A configuration is a pair command and a state Example of configuration:
28
The operational semantics is defined by a transition system (Configurations, ). Configurations = {,,,, } The relation can be represented by a picture but it should be formally defined by a set of rules. Operational semantics
29
In this example: Configurations = {, }
30
Operational semantics The operational semantics is defined by a transition system (Configurations, ). The relation is defined by a set of semantic rules of the form: [ e ] =v _________________________
31
Operational semantics We need to define relation for each command in the programming language: c::= var := expr | skip | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c; c
32
Operational semantics [ e ] =v _________________________
33
Operational semantics _________________________
34
Operational semantics [ e ] =0 _________________________
35
Operational semantics [ e ] =0 _________________________ [ e ] 0 _________________________
36
Operational semantics [ e ] =0 _________________________ [ e ] 0 _________________________
37
Operational semantics c’ _________________________ _________________________
38
Operational semantics ________________
39
Probabilistic programming language var::= x | y | z … op :: = + | - | * | < | = … expr :: = var | expr op expr probFun::= f | g | E |G | D | … c::= var := expr | skip | var:= probFun ( var, …,var) | if ( expr ) then {c} else {c} | while ( expr ) do {c} | c ; c
40
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2
41
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 The sum is equal to 1 This forms a distribution for configurations reachable from
42
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 Distribution d induced by d ( ) = 0.4 d ( ) = 0.1 d ( ) = 0.2 …
43
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 What is the probability of reaching from Pr[ ] ? What is the probability of reaching from Pr[ ] ?
44
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 What is the probability of reaching from Pr[ ] ? What is the probability of reaching from Pr[ ] ?
45
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14
46
Markov Chain 0.4 0.1 0.2 0.1 0.4 1 0.1 0.4 0.90.3 0.7 0.8 0.1 0.2 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14 T he probability of reaching from Pr[ ] = 0.2 * 0.7 = 0.14
47
Probabilistic semantics Given by a sequence of probability distributions
48
Probabilistic Transition System And more formally, we need to provide a set of rules to define the probabilistic transition system Now relation is probabilistic, annotated with a probability p p
49
Operational semantics [ e ] =v _________________________ 1 _________________________ 1 [ e ] =0 _________________________ 1 [ e ] 0 _________________________ 1 [ e ] =0 _________________________ 1 [ e ] 0 _________________________ 1 p c’ _________________________ p p _________________________ p ________________ 1
50
Mental Poker in While p shuffle ( ) = c := {0,1,2,3,4,5} ; if c=0 then b 0,b 1,b 2 := ; else ….
51
MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce ecards:= shuffle( E (, b ) E (, b ) E (, b ) ); aliceCard := randomPick(lce, nil); bobCard := randomPick(lce,aliceCard ); aliceCard:= E (aliceCard,a); laliceCard:= aliceCard; lbobCard:= bobCard laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); MENTAL POKER
52
MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); HOW TO CHEAT IN MENTAL POKER ?
53
MP = cards:= shuffle( ); for c := 1 to 3 do ce[c]:= E (cards[c],b); lce:= ce laliceCard:= D (laliceCard,b -1 ); bobCard:= D (lbobCard,b -1 ); HOW TO CHEAT IN MENTAL POKER A
54
How SRA works Some facts to break the protocol:
55
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key
56
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key An adversary that breaks the protocol by using brute force : A = for k = 1 to 2 ɳ do y:= D (lce[c],k); if y = then aliceCard := lce[c]
57
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key A is polynomial, factorization is a hard problem
58
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key A is polynomial, factorization is a hard problem
59
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key
60
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key An adversary that breaks the protocol if Bob plays twice with the same key
61
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key A = if oldEncACE = lce[c] then aliceCard := lce[c];
62
HOW TO CHEAT IN MENTAL POKER How SRA works Some facts to break the protocol: If “Alice” can decrypt without the key If Bob plays twice with the same key Observing quadratic residues!! (R.J. Lipton) x Q q b x 2 b (mod q) x Q q x k (mod q) Q q
63
HOW TO CHEAT IN MENTAL POKER How SRA works Observing quadratic residues!! (R.J. Lipton) x Q q b x 2 b (mod q) x Q q x k (mod q) Q q How to cheat in Mental Poker Lipton’81
64
PROVABLE CRYPTOGRAPHY how to prove security of encryption algorithms? PROVABLE CRYPTOGRAPHY
65
how to prove security of encryption algorithms? Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information Goldwasser and Micali ’82 PROVABLE CRYPTOGRAPHY
66
Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82 The fact that f is a trapdoor function does not rule out: 1.the possibility of computing x from f(x) when x is of a special form. 2.the possibility of computing some partial information about x (even every other bit of x) from f(x). TRAPDOOR FUNCTION x f(x) easy hard
67
PROVABLE CRYPTOGRAPHY how to prove security of encryption algorithms? Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82 - probabilistic setting - notion of semantic security PROVABLE CRYPTOGRAPHY
68
Semantic security or Chosen Plaintext Attack (a.k.a. CPA) E ( message1, b) message1, message 2 E ( message2, b) “I guess that the coin was tail” | Pr[CPA; g = c] - ½ | is negligible for |b| (|b| is called security parameter)
69
NEGLIGIBLE FUNCTION A function f (x) is negligible for x when for all c>0, there is a constant n c such that n c ≤ x implies f(x) ≤ 1/x c
70
NEGLIGIBLE FUNCTION A function f (x) is negligible for x when for all c>0, there is a constant n c such that n c ≤ x implies f(x) ≤ 1/x c Are the following functions negligible? f(x) = x 2 f(x) =1/x f(x) =1/x 2 f(x)= 1/3 x
71
encryption scheme Definition of encryption scheme An encryption scheme is a triple ( G, E, D ) of probabilistic polynomial-time algorithms such that: - On input ɳ, algorithm G outputs a pair e, d of bitstrings - D ( E (x,e),d) = x
72
PROVABLE CRYPTOGRAPHY Chosen-plaintext attack (CPA) E (x 0, x 1 ) = if (c = 0) then {m := E (x 0, k e )} else {m := E (x 1,k e )}; CPA = c := {0,1}; k e, k d := G e (); A [ E ] | Pr[CPA; g =c] - ½ | is negligible for ɳ ( ɳ is called security parameter)
73
READING Slides, Notes, Bibliography Slides and lecture notes: www-sop.inria.fr/members/Tamara.Rezk/teaching Mental Poker – Shamir, Rivest, Adleman Probabilistic Encryption & How to Play Mental Poker Keeping Secret all Partial Information – Goldwasser, Micali
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.