SECURITY AND VERIFICATION. Lecture 1: Why to prove cryptography? The origins of provable cryptography. Tamara Rezk, INDES TEAM, INRIA. January 3rd, 2012


Page 3: RSA INVENTORS GOT BORED AND DECIDED TO PLAY POKER

Some history …

Mental Poker, Adi Shamir, Ronald Rivest, Leonard Adleman, ’81

Page 4: HOW TO PLAY MENTAL POKER?

Pages 5–9: MENTAL POKER PROTOCOL

Some history …

Mental Poker, Shamir, Rivest, Adleman, ’81

How to write a protocol for mental poker without using a trusted third party?

In theory impossible: no such protocol exists.

Information Theory: the ciphertext provides no information about the plaintext. Shannon’s entropy is a measure of this information.

Solution based on SRA.

The SRA protocol relies on commutative encryption:

E(E(x, a), b) = E(E(x, b), a)

Page 10: MENTAL POKER PROTOCOL

Some history …

Mental Poker, Shamir, Rivest, Adleman, ’81

Encryption function E for SRA

* q is a large prime number
* φ(q) = q − 1
* plaintext, ciphertext and key spaces are all in Z_q
* key a such that gcd(a, φ(q)) = 1

E(x, a) = x^a mod q
D(c, a) = c^(a^−1) mod q, where a^−1 is the inverse of a modulo φ(q)

Page 11: MENTAL POKER PROTOCOL

Some history …

Mental Poker, Shamir, Rivest, Adleman, ’81

Cast: Alice and Bob

Pages 12–23: MENTAL POKER PROTOCOL

How SRA works

(Figure, built up over these slides: Bob encrypts each card under his key b, so the deck Alice sees is E([card], b), E([card], b), E([card], b). Alice picks one of them and returns it encrypted under her own key a: E(E([card], b), a). Bob removes his layer with his key: D(E(E([card], b), a), b).)

Page 24: A simple programming language

Pages 25–26: Semantics of expressions [e]

var ::= x | y | z …
op ::= + | - | * | < | = …
expr ::= const | var | expr op expr

To define the semantics of expressions, we need to define states.

A state σ is a function that maps each variable to its value.

We need to provide an interpretation for each operation op.

Example: if σ(x) = 3 and σ(y) = 0 then

[x+y]σ = [x]σ + [y]σ = 3 + 0 = 3

We say that the semantics of [x/y]σ is not defined (division by zero).

Page 27: Operational semantics

Semantics precisely defines the meaning of programs.

We will define a “small-step operational semantics”. Basic idea: the execution of a program can be formalized as a sequence of configurations: c0 → c1 → c2 → …

A configuration is a pair of a command and a state. Example of configuration:

⟨x := x+1; y := y+x, [x:2 | y:0]⟩

Pages 28–29: Operational semantics

The operational semantics is defined by a transition system (Configurations, →).

The relation → can be represented by a picture, but it should be formally defined by a set of rules.

In this example:

⟨x := x+1; y := y+x, [x:2 | y:0]⟩ → ⟨y := y+x, [x:3 | y:0]⟩ → ⟨ε, [x:3 | y:0]⟩

Configurations = { ⟨x := x+1; y := y+x, [x:2 | y:0]⟩, ⟨y := y+x, [x:3 | y:0]⟩, ⟨ε, [x:3 | y:0]⟩ }

(ε denotes the empty command: the program has terminated.)

Pages 30–38: Operational semantics

The operational semantics is defined by a transition system (Configurations, →).

The relation → is defined by a set of semantic rules of the form:

[e]σ = v
─────────────────────────
⟨x := e, σ⟩ → ⟨ε, [σ | x:v]⟩

─────────────────────────
⟨skip, σ⟩ → ⟨ε, σ⟩

[e]σ = 0
─────────────────────────
⟨if (e) then {c1} else {c2}, σ⟩ → ⟨c1, σ⟩

[e]σ ≠ 0
─────────────────────────
⟨if (e) then {c1} else {c2}, σ⟩ → ⟨c2, σ⟩

[e]σ = 0
─────────────────────────
⟨while (e) do {c}, σ⟩ → ⟨c; while (e) do {c}, σ⟩

[e]σ ≠ 0
─────────────────────────
⟨while (e) do {c}, σ⟩ → ⟨ε, σ⟩

⟨c1, σ⟩ → ⟨c′, σ′⟩   c′ ≠ ε
─────────────────────────
⟨c1; c2, σ⟩ → ⟨c′; c2, σ′⟩

⟨c1, σ⟩ → ⟨ε, σ′⟩
─────────────────────────
⟨c1; c2, σ⟩ → ⟨c2, σ′⟩

─────────────────────────
⟨ε, σ⟩ → ⟨ε, σ⟩

Page 39: Probabilistic programming language

Pages 40–47: Probabilistic programming language

(Figure: a tree of configurations whose edges are labelled with probabilities. The edges leaving the root are labelled 0.4, 0.1, 0.2, 0.2, 0.1; the edges of the next levels carry labels such as 0.1, 0.4, 1, 0.4, 0.9, 0.3, 0.7, 0.8, 0.1, 0.2.)

The sum is equal to 1. This forms a distribution for the configurations reachable from the root configuration.

Distribution d induced by the root configuration: d(·) = 0.4, d(·) = 0.1, d(·) = 0.2, one value for each successor configuration in the figure.

What is the probability of reaching a given configuration from the root, Pr[·]?

The probability of reaching it from the root is the product of the probabilities along the path: Pr[·] = 0.2 * 0.7 = 0.14.

The execution is given by a sequence of probability distributions.

Pages 48–49: Operational semantics (probabilistic)

More formally, we need to provide a set of rules to define the probabilistic transition system.

Now the relation is probabilistic, annotated with a probability p: →_p

[e]σ = v
─────────────────────────
⟨x := e, σ⟩ →_1 ⟨ε, [σ | x:v]⟩

─────────────────────────
⟨skip, σ⟩ →_1 ⟨ε, σ⟩

[e]σ = 0
─────────────────────────
⟨if (e) then {c1} else {c2}, σ⟩ →_1 ⟨c1, σ⟩

[e]σ ≠ 0
─────────────────────────
⟨if (e) then {c1} else {c2}, σ⟩ →_1 ⟨c2, σ⟩

[e]σ = 0
─────────────────────────
⟨while (e) do {c}, σ⟩ →_1 ⟨c; while (e) do {c}, σ⟩

[e]σ ≠ 0
─────────────────────────
⟨while (e) do {c}, σ⟩ →_1 ⟨ε, σ⟩

⟨c1, σ⟩ →_p ⟨c′, σ′⟩   c′ ≠ ε
─────────────────────────
⟨c1; c2, σ⟩ →_p ⟨c′; c2, σ′⟩

⟨c1, σ⟩ →_p ⟨ε, σ′⟩
─────────────────────────
⟨c1; c2, σ⟩ →_p ⟨c2, σ′⟩

─────────────────────────
⟨ε, σ⟩ →_1 ⟨ε, σ⟩
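As an added example (not code from the lecture), the following Python interpreter implements the rules of pages 30–38 and 48–49 literally: each rule is one branch of `step`, deterministic rules carry probability 1, and a uniform random assignment `x := {v1, …, vn}` like the one in `shuffle` on page 50 splits a configuration into several successors. The tuple encoding of commands, the sample programs and the decision to make comparison operators return 0 for true (so that `[e]σ = 0` selects the then-branch as the rules state) are assumptions of this example; `distributions` computes the sequence d0, d1, … of page 47 and `prob` the reachability probability of pages 43–46.

```python
# Small-step semantics of the While language (pages 25-38) extended with
# the probabilistic choice of pages 39-49. Added example, not lecture code.
# Commands are tuples:  ('skip',)  ('assign', x, e)  ('choice', x, (v1, ..., vn))
#   ('seq', c1, c2)  ('if', e, c1, c2)  ('while', e, c); None is the empty
#   command (written ε on the slides).
# Expressions: int constant, str variable, or (op, e1, e2).
from collections import defaultdict
from fractions import Fraction

ONE = Fraction(1)

def eval_expr(e, sigma):
    """[e]sigma; returns None where the semantics is undefined (page 26)."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return sigma.get(e)
    op, e1, e2 = e
    v1, v2 = eval_expr(e1, sigma), eval_expr(e2, sigma)
    if v1 is None or v2 is None:
        return None
    if op == '+': return v1 + v2
    if op == '-': return v1 - v2
    if op == '*': return v1 * v2
    if op == '/': return None if v2 == 0 else v1 // v2
    # Assumption: the rules take [e]sigma = 0 as "then"/"continue", so
    # comparisons return 0 for true and 1 for false.
    if op == '<': return 0 if v1 < v2 else 1
    if op == '=': return 0 if v1 == v2 else 1
    raise ValueError("unknown operator " + op)

def step(c, sigma):
    """One step of the probabilistic transition system: list of
    (p, c', sigma') whose probabilities sum to 1; each branch is one rule."""
    if c is None or c[0] == 'skip':         # <ε,σ> →1 <ε,σ>   <skip,σ> →1 <ε,σ>
        return [(ONE, None, sigma)]
    kind = c[0]
    if kind == 'assign':                     # [e]σ = v ⊢ <x:=e,σ> →1 <ε,[σ|x:v]>
        v = eval_expr(c[2], sigma)
        if v is None:
            raise ValueError("undefined expression: no transition")
        return [(ONE, None, {**sigma, c[1]: v})]
    if kind == 'choice':                     # x := {v1..vn}, uniform
        p = Fraction(1, len(c[2]))
        return [(p, None, {**sigma, c[1]: v}) for v in c[2]]
    if kind == 'if':                         # [e]σ = 0 → c1, otherwise → c2
        return [(ONE, c[2] if eval_expr(c[1], sigma) == 0 else c[3], sigma)]
    if kind == 'while':                      # [e]σ = 0 → unfold, otherwise exit
        if eval_expr(c[1], sigma) == 0:
            return [(ONE, ('seq', c[2], c), sigma)]
        return [(ONE, None, sigma)]
    if kind == 'seq':                        # the two sequencing rules
        return [(p, c[2] if c1 is None else ('seq', c1, c[2]), s)
                for p, c1, s in step(c[1], sigma)]
    raise ValueError("unknown command " + kind)

def run(c, sigma, max_steps=10_000):
    """Trace <c0,σ0> → <c1,σ1> → ... for a choice-free program."""
    trace = [(c, dict(sigma))]
    while c is not None and len(trace) <= max_steps:
        [(_, c, sigma)] = step(c, sigma)
        trace.append((c, dict(sigma)))
    return trace

def freeze(sigma):
    return tuple(sorted(sigma.items()))

def distributions(c, sigma, n):
    """Sequence d0, ..., dn of distributions over configurations (page 47);
    every di sums to 1 because terminal configurations step to themselves."""
    d = {(c, freeze(sigma)): ONE}
    seq = [d]
    for _ in range(n):
        nxt = defaultdict(Fraction)
        for (ci, si), p in d.items():
            for q, cj, sj in step(ci, dict(si)):
                nxt[(cj, freeze(sj))] += p * q
        d = dict(nxt)
        seq.append(d)
    return seq

def prob(d, pred):
    """Probability, under d, of the configurations satisfying pred."""
    return sum((p for (c, s), p in d.items() if pred(c, dict(s))), Fraction(0))

if __name__ == "__main__":
    # the configuration of page 27: <x := x+1; y := y+x, [x:2 | y:0]>
    prog = ('seq', ('assign', 'x', ('+', 'x', 1)), ('assign', 'y', ('+', 'y', 'x')))
    for cfg in run(prog, {'x': 2, 'y': 0}):
        print(cfg)
    # the random choice of page 50: c := {0,...,5}; if c = 0 then ... else ...
    shuffle = ('seq', ('choice', 'c', (0, 1, 2, 3, 4, 5)),
               ('if', ('=', 'c', 0), ('assign', 'h', 1), ('assign', 'h', 0)))
    print("Pr[h = 1] =", prob(distributions(shuffle, {}, 3)[3],
                              lambda c, s: s.get('h') == 1))
```

Running the page-27 configuration prints the three configurations of the trace, and the distribution after three steps of the `shuffle` fragment gives the then-branch probability 1/6, with the six terminal configurations summing to 1.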

Pages 50–51: MENTAL POKER in While_p

shuffle( ) =
  c := {0,1,2,3,4,5};
  if c = 0 then
    b0, b1, b2 := [card], [card], [card];
  else …

MP =
  cards := shuffle( );
  for c := 1 to 3 do ce[c] := E(cards[c], b);
  lce := ce
  ecards := shuffle(E([card], b), E([card], b), E([card], b));
  aliceCard := randomPick(lce, nil);
  bobCard := randomPick(lce, aliceCard);
  aliceCard := E(aliceCard, a);
  laliceCard := aliceCard;
  lbobCard := bobCard
  laliceCard := D(laliceCard, b^-1);
  bobCard := D(lbobCard, b^-1);
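The SRA functions of page 10 and the single-card exchange drawn on pages 12–23 and written as MP on page 51, as an added Python example that is not the lecture's code. The prime q, the keys and the card values are constructed for the demonstration and q is far too small for any real use; the helper names (`keygen`, `deal_one_card`, `make_rng`) are mine.

```python
# SRA commutative encryption and one round of the mental-poker deal.
# Added example; not the lecture's code. q, keys and cards are constructed.
import random
from math import gcd

Q = 1_000_003                          # constructed prime; phi(q) = q - 1

def make_rng(seed):
    return random.Random(seed)

def keygen(rng, q=Q):
    """A key a with gcd(a, phi(q)) = 1, so that a is invertible mod q - 1."""
    while True:
        a = rng.randrange(2, q - 1)
        if gcd(a, q - 1) == 1:
            return a

def E(x, a, q=Q):
    """E(x, a) = x^a mod q"""
    return pow(x, a, q)

def D(c, a, q=Q):
    """D(c, a) = c^(a^-1) mod q, the inverse of a taken modulo phi(q)."""
    return pow(c, pow(a, -1, q - 1), q)

def commutes(x, a, b, q=Q):
    """E(E(x, a), b) = E(E(x, b), a): both sides equal x^(ab) mod q."""
    return E(E(x, a, q), b, q) == E(E(x, b, q), a, q)

def deal_one_card(cards, a, b, rng, q=Q):
    """The exchange of pages 12-23. Returns (the card Alice ends up with,
    the value Bob last saw, which is E(card, a) and hides the card from him)."""
    deck = [E(x, b, q) for x in cards]   # Bob encrypts every card under b
    rng.shuffle(deck)                     # ... and shuffles the deck
    pick = rng.choice(deck)               # Alice picks one E(card, b) blindly
    double = E(pick, a, q)                # Alice adds her layer: E(E(card, b), a)
    bob_view = D(double, b, q)            # Bob strips b; commutativity leaves E(card, a)
    return D(bob_view, a, q), bob_view    # Alice strips a and reads the card

if __name__ == "__main__":
    rng = make_rng(7)
    a, b = keygen(rng), keygen(rng)
    card, bob_view = deal_one_card([11, 12, 13], a, b, rng)
    print("Alice holds", card, "; Bob saw", bob_view, "== E(card, a):",
          bob_view == E(card, a))
```

Note that `E` uses no randomness: encrypting the same card under the same key always gives the same value, which is the fact behind the "Bob plays twice with the same key" observation later in the lecture.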

Pages 52–53: HOW TO CHEAT IN MENTAL POKER?

MP =
  cards := shuffle( );
  for c := 1 to 3 do ce[c] := E(cards[c], b);
  lce := ce
  …
  laliceCard := D(laliceCard, b^-1);
  bobCard := D(lbobCard, b^-1);

(Page 53 adds the adversary A to this picture.)

Pages 54–58: HOW TO CHEAT IN MENTAL POKER

How SRA works

Some facts to break the protocol:

• If “Alice” can decrypt without the key

An adversary that breaks the protocol by using brute force:

A =
  for k = 1 to 2^η do
    y := D(lce[c], k);
    if y = [card] then aliceCard := lce[c]

A is polynomial, factorization is a hard problem

Pages 59–61: HOW TO CHEAT IN MENTAL POKER

How SRA works

Some facts to break the protocol:

• If “Alice” can decrypt without the key
• If Bob plays twice with the same key

An adversary that breaks the protocol if Bob plays twice with the same key:

A =
  if oldEncACE = lce[c] then
    aliceCard := lce[c];

Pages 62–63: HOW TO CHEAT IN MENTAL POKER

How SRA works

Some facts to break the protocol:

• If “Alice” can decrypt without the key
• If Bob plays twice with the same key
• Observing quadratic residues!! (R.J. Lipton)

x ∈ Q_q ⟺ ∃ b : x ≡ b² (mod q)

x ∈ Q_q ⟹ x^k (mod q) ∈ Q_q

How to cheat in Mental Poker, Lipton ’81
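The check behind Lipton's observation, as an added Python example (not the lecture's code): quadratic residuosity is decided with Euler's criterion, and the same label computed on a card and on its SRA ciphertext agrees for every SRA key, so the encrypted deck carries one bit of partial information per card. This is exactly the kind of leak the next slides use to motivate proofs of security. The prime q, the keys and the card values are constructed.

```python
# Residuosity is preserved by x -> x^k mod q when gcd(k, q-1) = 1 (pages 62-63).
# Added example; not the lecture's code. q, keys and cards are constructed.
from math import gcd

def legendre(x, q):
    """Euler's criterion: x^((q-1)/2) mod q is 1 iff x in Q_q (x != 0 mod q)."""
    return 1 if pow(x, (q - 1) // 2, q) == 1 else -1

def sra_keys_preserve_residuosity(q, keys):
    """x in Q_q  <=>  x^k mod q in Q_q for every x in Z_q* and every key k.
    gcd(k, q-1) = 1 forces k to be odd, so the equivalence holds both ways."""
    if not all(gcd(k, q - 1) == 1 for k in keys):
        raise ValueError("not SRA keys")
    return all(legendre(x, q) == legendre(pow(x, k, q), q)
               for x in range(1, q) for k in keys)

def residuosity_labels(values, q):
    """Residue (1) / non-residue (-1) label of each value, key not needed."""
    return [legendre(v, q) for v in values]

def leak_matches(cards, k, q):
    """The labels of the encrypted deck equal the labels of the plaintext
    cards: whoever sees the deck learns which cards share a residuosity class."""
    enc = [pow(x, k, q) for x in cards]
    return residuosity_labels(enc, q) == residuosity_labels(cards, q)

if __name__ == "__main__":
    q, k, cards = 10007, 11, [2, 3, 5, 7, 10006]
    print("labels of cards      ", residuosity_labels(cards, q))
    print("labels of ciphertexts", residuosity_labels([pow(x, k, q) for x in cards], q))
    print("preserved for all keys:", sra_keys_preserve_residuosity(q, [3, 5, 7, 11]))
```

The remedy is not a different exponent but encryption that is randomized, which is the point of the Goldwasser and Micali paper introduced next.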

Pages 64–65: PROVABLE CRYPTOGRAPHY

How to prove security of encryption algorithms?

Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information, Goldwasser and Micali ’82

Page 66: Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82

The fact that f is a trapdoor function does not rule out:
1. the possibility of computing x from f(x) when x is of a special form;
2. the possibility of computing some partial information about x (even every other bit of x) from f(x).

TRAPDOOR FUNCTION (figure): x → f(x) is easy; f(x) → x is hard.

Page 67: PROVABLE CRYPTOGRAPHY

How to prove security of encryption algorithms?

Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82
- probabilistic setting
- notion of semantic security

Page 68: PROVABLE CRYPTOGRAPHY

Semantic security or Chosen Plaintext Attack (a.k.a. CPA)

(Figure: the adversary sends two messages, message1 and message2; a coin is flipped and the adversary receives either E(message1, b) or E(message2, b); the adversary then answers “I guess that the coin was tail”.)

|Pr[CPA; g = c] − ½| is negligible for |b| (|b| is called the security parameter)

Pages 69–70: NEGLIGIBLE FUNCTION

A function f(x) is negligible for x when for all c > 0 there is a constant n_c such that n_c ≤ x implies f(x) ≤ 1/x^c.

Are the following functions negligible?

f(x) = x²    f(x) = 1/x    f(x) = 1/x²    f(x) = 1/3^x
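Working through the definition for the four functions on the slide, as an added derivation that is not part of the lecture; the last function is read as $3^{-x}$, which is an assumption since the slide's formatting of it is ambiguous.

$$
\begin{aligned}
f(x) = x^2:&\quad x^2 \le x^{-c} \iff x^{c+2} \le 1,\ \text{false for every } x > 1,\ \text{so no } n_c \text{ exists: not negligible.}\\[4pt]
f(x) = 1/x:&\quad \text{take } c = 2:\ x^{-1} \le x^{-2} \iff x \le 1,\ \text{so no } n_c \text{ exists for } c = 2: \text{ not negligible.}\\[4pt]
f(x) = 1/x^2:&\quad \text{take } c = 3:\ x^{-2} \le x^{-3} \iff x \le 1,\ \text{so no } n_c \text{ exists for } c = 3: \text{ not negligible.}\\[4pt]
f(x) = 3^{-x}:&\quad 3^{-x} \le x^{-c} \iff x^{c} \le 3^{x};\ \text{since } x^{c}/3^{x} \to 0 \text{ as } x \to \infty,\ \text{for every } c \text{ some } n_c \text{ works: negligible.}
\end{aligned}
$$

The pattern is the one the definition is built to capture: any inverse polynomial fails for a large enough exponent c, while an inverse exponential beats every polynomial eventually.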

Page 71: Definition of encryption scheme

An encryption scheme is a triple (G, E, D) of probabilistic polynomial-time algorithms such that:

- on input η, algorithm G outputs a pair (e, d) of bitstrings;
- D(E(x, e), d) = x.

Page 72: PROVABLE CRYPTOGRAPHY

Chosen-plaintext attack (CPA)

E(x0, x1) =
  if (c = 0) then { m := E(x0, ke) }
  else { m := E(x1, ke) };

CPA =
  c := {0,1};
  ke, kd := Ge();
  A[E]

|Pr[CPA; g = c] − ½| is negligible for η (η is called the security parameter)
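The CPA game of pages 68 and 72 run against two schemes, as an added Python example that is not the lecture's code: the deterministic SRA-style encryption of page 10 and a constructed randomized scheme (a fresh 16-byte nonce r per message, pad derived as HMAC-SHA256(k, r)) standing in for a probabilistic scheme. The adversary is the generic one for a left-right oracle: ask for (x0, x1) and then (x0, x0) and guess c = 0 exactly when the two ciphertexts coincide. The prime Q, the key sizes, the messages 5 and 7 and the function names are assumptions of this example.

```python
# CPA = c := {0,1}; ke, kd := G(); A[E], with E(x0, x1) encrypting x_c.
# Added example; not the lecture's code. Schemes and messages are constructed.
import hashlib
import hmac
import random
from math import gcd

Q = 1_000_003                            # constructed prime (SRA-style scheme)

def sra_gen(rng):
    """G for the SRA-style scheme: a key coprime to phi(Q), used as (ke, kd)."""
    while True:
        a = rng.randrange(2, Q - 1)
        if gcd(a, Q - 1) == 1:
            return a, a

def sra_enc(m, ke, rng):
    return pow(m, ke, Q)                 # deterministic: rng is never consulted

def rand_gen(rng):
    k = bytes(rng.getrandbits(8) for _ in range(16))
    return k, k

def rand_enc(m, ke, rng):
    """Constructed randomized scheme: ciphertext (r, m XOR HMAC(ke, r)[:4])."""
    r = bytes(rng.getrandbits(8) for _ in range(16))
    pad = int.from_bytes(hmac.new(ke, r, hashlib.sha256).digest()[:4], "big")
    return r, m ^ pad                    # m is assumed to fit in 32 bits

def cpa_game(gen, enc, adversary, rng):
    """One run of the game; returns True when the guess g equals the coin c."""
    c = rng.randrange(2)                 # c := {0,1}
    ke, kd = gen(rng)                    # ke, kd := G()
    def lr_oracle(x0, x1):               # E(x0, x1): encrypts x_c under ke
        return enc(x0 if c == 0 else x1, ke, rng)
    return adversary(lr_oracle) == c     # A[E] outputs its guess g

def repeat_adversary(lr_oracle):
    """Guess 0 iff E(x0, x1) and E(x0, x0) gave the same ciphertext."""
    first = lr_oracle(5, 7)
    second = lr_oracle(5, 5)
    return 0 if first == second else 1

def advantage(gen, enc, adversary, trials, seed=0):
    """Estimate |Pr[CPA; g = c] - 1/2| over the given number of runs."""
    rng = random.Random(seed)
    wins = sum(cpa_game(gen, enc, adversary, rng) for _ in range(trials))
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("deterministic SRA-style:", advantage(sra_gen, sra_enc, repeat_adversary, 1000))
    print("randomized scheme:      ", advantage(rand_gen, rand_enc, repeat_adversary, 1000))
```

Against the deterministic scheme the adversary is right in every run, so the advantage is exactly 1/2: no deterministic encryption can meet the definition, whatever hardness assumption it rests on. Against the randomized scheme the two ciphertexts never coincide, the guess is independent of the coin, and the estimated advantage hovers near 0, which is the behaviour the definition demands (the estimate only shows consistency with the definition; a proof would bound the advantage by the PRF security of HMAC).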

Page 73: READING: Slides, Notes, Bibliography

• Slides and lecture notes: www-sop.inria.fr/members/Tamara.Rezk/teaching
• Mental Poker – Shamir, Rivest, Adleman
• Probabilistic Encryption & How to Play Mental Poker Keeping Secret all Partial Information – Goldwasser, Micali