SECURITY AND VERIFICATION
Lecture 1: Why to prove cryptography? The origins of provable cryptography
Tamara Rezk, INDES TEAM, INRIA
January 3rd, 2012
RSA INVENTORS GOT BORED AND DECIDED TO PLAY POKER
Some history …
Mental Poker, Adi Shamir, Ronald Rivest, Leonard Adleman, ’81

HOW TO PLAY MENTAL POKER?

MENTAL POKER PROTOCOL
Some history …
Mental Poker, Shamir, Rivest, Adleman, ’81
How to write a protocol for mental poker without using a trusted third party?
In theory impossible: no such protocol exists.
Information Theory: the ciphertext provides no information about the plaintext. Shannon’s entropy is a measure of this information.
Solution based on SRA.
The SRA protocol relies on commutative encryption:
E(E(x, a), b) = E(E(x, b), a)
MENTAL POKER PROTOCOL
Some history …
Mental Poker, Shamir, Rivest, Adleman, ’81
Encryption function E for SRA:
* q is a large prime number
* φ(q) = q - 1
* plaintext, ciphertext and key spaces are all in Z_q
* key a such that gcd(a, φ(q)) = 1
* E(x, a) = x^a mod q
* D(c, a) = c^(a^-1) mod q   (a^-1 taken modulo φ(q))
MENTAL POKER PROTOCOL
Some history …
Mental Poker, Shamir, Rivest, Adleman, ’81
Cast: Alice and Bob
MENTAL POKER PROTOCOL
How SRA works
[Figure: the deal drawn with card pictures over several slides; the expressions shown are kept below, with "card" standing for the pictured card.]
Bob encrypts each card with his key b and sends them to Alice: E(card, b), E(card, b), E(card, b)
Alice picks one and encrypts it with her key a: E(E(card, b), a)
Bob removes his layer: D(E(E(card, b), a), b)
A simple programming language

Semantics of expressions [e]
var ::= x | y | z …
op ::= + | - | * | < | = …
expr ::= const | var | expr op expr
To define the semantics of expressions, we need to define states.
A state σ is a function that maps each variable to its value.
We need to provide an interpretation for each operation op.
Semantics of expressions [e]
Example: if σ(x) = 3 and σ(y) = 0 then
[x+y] = [x] + [y] = 3 + 0 = 3
We say that the semantics of [x/y] is not defined.
Operational semantics
Semantics precisely defines the meaning of programs.
We will define a “small-step operational semantics”.
Basic idea: the execution of a program can be formalized as a sequence of configurations: c0 → c1 → c2 → ….
A configuration is a pair of a command and a state. Example of configuration:
< x := x+1; y := y+x, [x:2 | y:0]>
Operational semantics
The operational semantics is defined by a transition system (Configurations, →).
Configurations = { … }   [Figure: five configurations drawn as a picture.]
The relation → can be represented by a picture, but it should be formally defined by a set of rules.
In this example:
< x := x+1; y := y+x, [x:2 | y:0]> → <y := y+x, [x:3 | y:0]> → < , [x:3 | y:0]>
Configurations =
{ < x := x+1; y := y+x, [x:2 | y:0]>,
  <y := y+x, [x:3 | y:0]>,
  < , [x:3 | y:0]> }
Operational semantics
The operational semantics is defined by a transition system (Configurations, →).
The relation → is defined by a set of semantic rules of the form:

  [e] = v
  _________________________
  < x := e, σ> → < , σ[x:v]>

Operational semantics

  _________________________
  < skip, σ> → < , σ>

  [e] = 0
  _________________________
  < if (e) then {c1} else {c2}, σ> → < c1, σ>

  [e] ≠ 0
  _________________________
  < if (e) then {c1} else {c2}, σ> → < c2, σ>

  [e] = 0
  _________________________
  < while (e) do {c}, σ> → < c; while (e) do {c}, σ>

  [e] ≠ 0
  _________________________
  < while (e) do {c}, σ> → < , σ>

  <c1, σ> → <c’, σ’>    c’ non-empty
  _________________________
  < c1;c2, σ> → < c’;c2, σ’>

  <c1, σ> → < , σ’>
  _________________________
  < c1;c2, σ> → < c2, σ’>

  _________________________
  < , σ> → < , σ>
Probabilistic programming language
[Figure: a tree of configurations reachable from the initial configuration, with transition probabilities written on the edges: 0.4, 0.1, 0.2, 0.2, 0.1 on the first level and 0.1, 0.4, 1, 0.1, 0.4, 0.9, 0.3, 0.7, 0.8, 0.1, 0.2 below.]
The sum is equal to 1. This forms a distribution over the configurations reachable from the initial configuration.
Distribution d induced by the transition system:
d(·) = 0.4, d(·) = 0.1, d(·) = 0.2, …
What is the probability of reaching a given configuration from the initial one, Pr[…]?
The probability of reaching it is the product of the probabilities along the path:
Pr[…] = 0.2 * 0.7 = 0.14
Given by a sequence of probability distributions.
More formally, we need to provide a set of rules to define the probabilistic transition system.
Now the relation is probabilistic, annotated with a probability p: →p
Operational semantics (probabilistic)

  [e] = v
  _________________________
  < x := e, σ> →1 < , σ[x:v]>

  _________________________
  < skip, σ> →1 < , σ>

  [e] = 0
  _________________________
  < if (e) then {c1} else {c2}, σ> →1 < c1, σ>

  [e] ≠ 0
  _________________________
  < if (e) then {c1} else {c2}, σ> →1 < c2, σ>

  [e] = 0
  _________________________
  < while (e) do {c}, σ> →1 < c; while (e) do {c}, σ>

  [e] ≠ 0
  _________________________
  < while (e) do {c}, σ> →1 < , σ>

  <c1, σ> →p <c’, σ’>    c’ non-empty
  _________________________
  < c1;c2, σ> →p < c’;c2, σ’>

  <c1, σ> →p < , σ’>
  _________________________
  < c1;c2, σ> →p < c2, σ’>

  _________________________
  < , σ> →1 < , σ>
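As an added example (not code from the lecture), the small-step rules of the While language above and their probabilistic version run as an interpreter: the deterministic rules give one successor with probability 1, and a uniform choice x := {v1, …, vn} as used in Whilep gives one successor per value with probability 1/n, so the probability of reaching a final state is the product along the path, summed over paths. The tuple encoding of commands and the slides' reading of [e] = 0 as the condition that enters the then-branch or the loop body are the assumptions built into it.

```python
# Added example, not from the lecture slides: a small-step interpreter for the
# While language of the lecture plus the probabilistic choice x := {v1,...,vn}
# of Whilep. Commands are tuples, the empty command is None, a state is a dict,
# and step() returns the (probability, command, state) successors of a
# configuration: exactly one with probability 1 for the deterministic rules.
# The slides take [e] = 0 as the condition that selects the then-branch and the
# loop body, so the comparison operators here evaluate to 0 when the test holds.
from collections import defaultdict
from fractions import Fraction

OPS = {
    "+": lambda a, b: a + b,
    "-": lambda a, b: a - b,
    "*": lambda a, b: a * b,
    "<": lambda a, b: 0 if a < b else 1,
    "=": lambda a, b: 0 if a == b else 1,
}


def ev(e, s):
    """[e] in state s: a constant, a variable looked up in s, or expr op expr."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return s[e]
    op, left, right = e
    return OPS[op](ev(left, s), ev(right, s))


def step(c, s):
    """One transition <c, s> ->p <c', s'> following the rules on the slides."""
    kind = c[0]
    if kind == "skip":                                  # <skip, s> ->1 <, s>
        return [(Fraction(1), None, s)]
    if kind == "assign":                                # [e] = v: <x := e, s> ->1 <, s[x:v]>
        return [(Fraction(1), None, {**s, c[1]: ev(c[2], s)})]
    if kind == "random":                                # x := {v1..vn}: one branch per value
        n = len(c[2])
        return [(Fraction(1, n), None, {**s, c[1]: v}) for v in c[2]]
    if kind == "if":                                    # [e] = 0 -> c1, otherwise c2
        return [(Fraction(1), c[2] if ev(c[1], s) == 0 else c[3], s)]
    if kind == "while":                                 # [e] = 0 -> c; while, otherwise stop
        if ev(c[1], s) == 0:
            return [(Fraction(1), ("seq", c[2], c), s)]
        return [(Fraction(1), None, s)]
    if kind == "seq":                                   # the two sequencing rules
        return [(p, c[2] if c1 is None else ("seq", c1, c[2]), s1)
                for p, c1, s1 in step(c[1], s)]
    raise ValueError(f"unknown command {kind!r}")


def trace(c, s):
    """Deterministic run: the configurations c0 -> c1 -> ... down to the empty command."""
    confs = [(c, s)]
    while c is not None:
        (_, c, s), = step(c, s)    # exactly one successor for deterministic programs
        confs.append((c, s))
    return confs


def final_distribution(c, s):
    """Distribution over final states: each path contributes the product of its
    step probabilities, summed over all paths (terminating programs only)."""
    dist = defaultdict(Fraction)
    todo = [(Fraction(1), c, s)]
    while todo:
        p, c, s = todo.pop()
        if c is None:
            dist[tuple(sorted(s.items()))] += p
        else:
            todo.extend((p * q, c1, s1) for q, c1, s1 in step(c, s))
    return dict(dist)


def prob_reaching(c, s, holds):
    """Pr[reaching a final state satisfying `holds` from <c, s>]."""
    return sum(p for st, p in final_distribution(c, s).items() if holds(dict(st)))


# The configuration from the slides: <x := x+1; y := y+x, [x:2 | y:0]>.
SLIDE_PROGRAM = ("seq", ("assign", "x", ("+", "x", 1)), ("assign", "y", ("+", "y", "x")))

# Two uniform choices in sequence, in the style of the Whilep shuffle (constructed).
TWO_CHOICES = ("seq", ("random", "c", [0, 1, 2, 3, 4]), ("random", "d", list(range(10))))

if __name__ == "__main__":
    for conf in trace(SLIDE_PROGRAM, {"x": 2, "y": 0}):
        print(conf)
    print(prob_reaching(TWO_CHOICES, {}, lambda st: st["c"] == 1 and st["d"] == 3))
```

Running the slide configuration ends in the state [x:3 | y:3], since y := y+x reads x after the first step has updated it; the two-choice program reaches c = 1, d = 3 with probability 1/5 * 1/10 = 1/50.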
MENTAL POKER
Mental Poker in Whilep
shuffle( … ) =
  c := {0,1,2,3,4,5};
  if c = 0 then
    b0, b1, b2 := … ;
  else ….
(the arguments and the right-hand side are the three cards, drawn as pictures on the slide)

MP =
  cards := shuffle( … );
  for c := 1 to 3 do ce[c] := E(cards[c], b);
  lce := ce
  ecards := shuffle(E(card, b), E(card, b), E(card, b));
  aliceCard := randomPick(lce, nil);
  bobCard := randomPick(lce, aliceCard);
  aliceCard := E(aliceCard, a);
  laliceCard := aliceCard;
  lbobCard := bobCard
  laliceCard := D(laliceCard, b^-1);
  bobCard := D(lbobCard, b^-1);
HOW TO CHEAT IN MENTAL POKER?
(The slides repeat the MP program above and mark the point where an adversary A is plugged in.)
HOW TO CHEAT IN MENTAL POKER
How SRA works
Some facts to break the protocol:
• If “Alice” can decrypt without the key
An adversary that breaks the protocol by using brute force:
A =
  for k = 1 to 2^η do
    y := D(lce[c], k);
    if y = (the card pictured) then aliceCard := lce[c]
A is polynomial, factorization is a hard problem
• If Bob plays twice with the same key
An adversary that breaks the protocol if Bob plays twice with the same key:
A =
  if oldEncACE = lce[c] then
    aliceCard := lce[c];
• Observing quadratic residues!! (R.J. Lipton)
x ∈ Q_q ⟺ there is b with x ≡ b² (mod q)
x ∈ Q_q ⟺ x^k (mod q) ∈ Q_q
How to cheat in Mental Poker, Lipton ’81
PROVABLE CRYPTOGRAPHY
How to prove security of encryption algorithms?
Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information, Goldwasser and Micali ’82
Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82
The fact that f is a trapdoor function does not rule out:
1. the possibility of computing x from f(x) when x is of a special form;
2. the possibility of computing some partial information about x (even every other bit of x) from f(x).
TRAPDOOR FUNCTION
[Figure: x → f(x) is easy; f(x) → x is hard.]
PROVABLE CRYPTOGRAPHY
How to prove security of encryption algorithms?
Probabilistic Encryption and How to Play Mental Poker … Goldwasser and Micali ’82
- probabilistic setting
- notion of semantic security
PROVABLE CRYPTOGRAPHY
Semantic security or Chosen Plaintext Attack (a.k.a. CPA)
[Figure: the adversary sends message1, message2; a coin decides whether it receives E(message1, b) or E(message2, b); the adversary answers “I guess that the coin was tail”.]
| Pr[CPA; g = c] - ½ | is negligible in |b| (|b| is called the security parameter)
NEGLIGIBLE FUNCTION
A function f(x) is negligible in x when for all c > 0 there is a constant n_c such that n_c ≤ x implies f(x) ≤ 1/x^c.
Are the following functions negligible?
f(x) = x²   f(x) = 1/x   f(x) = 1/x²   f(x) = 1/3^x
Definition of encryption scheme
An encryption scheme is a triple (G, E, D) of probabilistic polynomial-time algorithms such that:
- On input η, algorithm G outputs a pair (e, d) of bitstrings
- D(E(x, e), d) = x
PROVABLE CRYPTOGRAPHY
Chosen-plaintext attack (CPA)
CPA =
  c := {0,1};
  ke, kd := Ge();
  A[E]
where the oracle E handed to A is
E(x0, x1) =
  if (c = 0) then { m := E(x0, ke) } else { m := E(x1, ke) };
| Pr[CPA; g = c] - ½ | is negligible in η (η is called the security parameter)
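As an added example (not code from the lecture or the SRA paper), the SRA functions E and D from the "Encryption function E for SRA" slide, the deal with Alice's key a and Bob's key b, and Lipton's quadratic-residue observation written as an adversary in the CPA game of this slide: the game's advantage |Pr[CPA; g = c] - ½| comes out as ½ rather than negligible, which is why the definition rejects SRA. The toy prime q = 1019, the key and card values are constructed, and D computes the inverse exponent modulo φ(q) itself.

```python
# Added example, not from the lecture: the SRA cipher of the slides on a toy
# prime, the two-key deal, and Lipton's quadratic-residue observation phrased
# as an adversary in the CPA game. Q, the keys and the card values are
# constructed sample values, far too small to be secure.
from math import gcd
import random

Q = 1019            # constructed toy prime q; phi(q) = q - 1 = 1018
PHI = Q - 1


def keygen(rng):
    """Key a with gcd(a, phi(q)) = 1, as the slides require (a invertible mod phi(q))."""
    while True:
        a = rng.randrange(3, PHI)
        if gcd(a, PHI) == 1:
            return a


def E(x, a):
    """E(x, a) = x^a mod q."""
    return pow(x, a, Q)


def D(c, a):
    """D(c, a) = c^(a^-1 mod phi(q)) mod q, which undoes E(., a) on Z_q^*."""
    return pow(c, pow(a, -1, PHI), Q)


def commutes(x, a, b):
    """The property the protocol relies on: E(E(x, a), b) = E(E(x, b), a)."""
    return E(E(x, a), b) == E(E(x, b), a)


def deal(cards, a, b, rng=None):
    """One SRA deal: Bob encrypts and shuffles with b, Alice picks one and adds
    her layer a, Bob strips b, Alice strips a and learns her card."""
    rng = rng if rng is not None else random.Random(0)   # constructed default
    encrypted = [E(card, b) for card in cards]   # E(card, b) for each card
    rng.shuffle(encrypted)                        # Alice cannot tell them apart
    picked = encrypted[0]                         # Alice's blind pick
    double = E(picked, a)                         # E(E(card, b), a)
    bob_stripped = D(double, b)                   # = E(card, a) by commutativity
    return D(bob_stripped, a)                     # Alice removes a: the card


def is_qr(x):
    """Euler's criterion: x is in Q_q iff x^((q-1)/2) = 1 (mod q)."""
    return pow(x, PHI // 2, Q) == 1


class LiptonAdversary:
    """Chooses one residue and one non-residue. A valid SRA key is odd (it is
    coprime to q-1), so x is in Q_q iff x^a is in Q_q: the ciphertext reveals
    which of the two plaintexts was encrypted."""

    def choose(self):
        x0 = next(x for x in range(2, Q) if is_qr(x))
        x1 = next(x for x in range(2, Q) if not is_qr(x))
        return x0, x1

    def guess(self, ciphertext):
        return 0 if is_qr(ciphertext) else 1


def cpa_game(adversary, rng):
    """One run of the slide's game: c <- {0,1}; fresh key; A sees E(x_c, key); wins iff g = c."""
    c = rng.randrange(2)
    key = keygen(rng)
    x0, x1 = adversary.choose()
    ciphertext = E(x0 if c == 0 else x1, key)
    return adversary.guess(ciphertext) == c


def cpa_advantage(adversary, trials, seed=0):
    """|Pr[CPA; g = c] - 1/2| estimated over `trials` independent runs."""
    rng = random.Random(seed)
    wins = sum(cpa_game(adversary, rng) for _ in range(trials))
    return abs(wins / trials - 0.5)


if __name__ == "__main__":
    rng = random.Random(1)
    a, b = keygen(rng), keygen(rng)
    print("commutes:", commutes(52, a, b))
    print("dealt card:", deal([2, 3, 4], a, b, rng))
    print("Lipton adversary advantage:", cpa_advantage(LiptonAdversary(), 200))
```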
READING
Slides, Notes, Bibliography
• Slides and lecture notes: www-sop.inria.fr/members/Tamara.Rezk/teaching
• Mental Poker – Shamir, Rivest, Adleman
• Probabilistic Encryption & How to Play Mental Poker Keeping Secret All Partial Information – Goldwasser, Micali