EP3284208A1

EP3284208A1 - Method for cryptographic communication based on pure chance

Info

Publication number: EP3284208A1
Application number: EP16723793.2A
Authority: EP
Inventors: Thibault DE VALROGER
Original assignee: Individual
Current assignee: Individual
Priority date: 2015-04-14
Filing date: 2016-04-06
Publication date: 2018-02-21
Also published as: FR3035293A1; CN108093680A; US20180287781A1; WO2016166426A1; US10396983B2; CN108093680B; FR3035293B1

Abstract

The invention relates to a method for allowing two entities, linked by a non-secure communication channel and not initially sharing any secret data, to agree on secret information shared in an unconditionally secure manner. Each of these entities is able to generate a new form of random information, referred to as Pure Chance, such that no entity other than itself can know its probability distribution, apart from a set of public characteristics. The internal system of each entity comprises: (1) a Pure Chance Generator (PCG) able to generate a random Pure Chance signal and perform processing operations using the generated signal; and (2) an Interactive Communication Module (ICM) able to publish and read information over the non-secure communication channel. These two entities execute a communication protocol such that: (i) they can each calculate their respective estimation of the shared secret information, which must be as perfectly equal as desired, and (ii) any passive entity having full and unlimited access to the information exchanged over the communication channel, and having unlimited data calculation and storage capacities, can only calculate an estimate of the shared secret information, which can be made as statistically close to absolute uncertainty as desired.

Description

CRYPTOGRAPHIC COMMUNICATION METHOD BASED ON DEEP HAZARD

1. Technical field of the invention

The invention belongs to the field of cryptographic communication systems.

2. State of the prior art

Most modern cryptography relies on mathematical problems that are very difficult to solve in the current state of knowledge and calculation means, such as for example the factorization of large prime numbers, or the calculation of discrete logarithms, belonging to the theory of the complexity. Since there is no certainty as to the real difficulty of these problems, not even the famous P ≠ NP conjecture, other methods have been developed since the early 1990s. These methods are based on assumptions about the adversary (such as "the limited-memory opponent" [6]) or the communication channel (such as "independent noise channels" [5]); unfortunately, while it has been shown that perfect confidentiality can be achieved for these methods under certain given assumptions, none of these assumptions is easily guaranteed in practice. Finally, other methods, based on physical theories, such as quantum indeterminacy [3] or chaotic dynamical systems have been described and experimented, but they are complex to implement and, again, they are based on unproven theories.

Considering this unsatisfactory theoretical situation, we propose a new method, thanks to which the perfect confidentiality can be reached and proven, without any hypothesis relating to the adversary, which is supposed endowed with capacities of computation and storage of unlimited data, neither the communication channel, which is supposed to be perfectly public and equivalent for all participants (legitimate partners and opponents). The considered adversary is passive, which means that it does not interfere in the communication protocol between the legitimate partners by adding, modifying or deleting data to the information exchanged; however, he has full access to this information. Active adversaries can also be considered by adding to the protocol a message authentication scheme between legitimate partners.

References

[1] C E. Shannon, Communication System of Secrecy Systems, Bell Syst. Tech. J., Vol. 28, pp. 656-715, Oct. 1949

[2] A. N. Kolmogorov, "On Tables of Random Numbers", Sankhya. Indian Journal of Statistics A, 25 (4): 369-376

[3] CH Bennet and G. Brassard, "Quantum cryptography and its application to provable secure key expansion, public-key distribution and coin-tossing", Proc. ΓΕΕΕ International Conference on Computers, Systems and Signal Processing, Bangalore, India, pp. 175-179, Dec. 1984

[4] C. H. Bennet, G. Brassard and J.-M. Robert, "Privacy Amplification by Public Discussion", SIAM J. COMPUT., Vol. 17, No. 2, Apr. 1988

[5] U. M. Maurer, "Secret Key Agreement by Public Discussion from Common Information," Transactions on Information Theory, Vol. 39, No. 3, May 1993

[6] C. Cachin and U. M. Maurer, "Unconditional Security Against Memory-Bounded Inversaries," Proceeding of CRYPTO '97, Lecture Notes in Computer Science, Springer, 1997

3. Presentation of the invention

We consider two Autonomous Entities (EAs), called legitimate EA correspondents, wishing to communicate over an unsafe public communication channel. As in any communication protocol modeling, these EAs are entities capable of generating random bit sequences, publishing bit sequences, reading bit sequences published by other EAs, storing bit sequences, to perform calculations on bit sequences. The main difference of our method is that the random generation of bit sequences includes the generation of Deep Hazard. Deep Hazard is a source of random digital information such that an outside observer can not know the probability distribution of the random variable associated with that information source, except for a set of public characteristics. As a result, such Random Random Random variables are not subject to Bayesian inference evaluation.

An EA consists of the following 2 components (Figure 1):

• The Deep Random Generator (GHP). A GHP is able to:

o Produce continuously new distributions of probabilities, called distributions by Deep Hazard, the characteristics of which are described below.

o Generate and store, at the request of an authorized MCI, a random digital information using its distributions by Deep Hazard, this information must remain secret to ensure the confidentiality of the communication

o Perform, on request of an authorized MCI, calculations on said random digital information

• The Interactive Communication Module (MCI). An MCI is able to:

o Publish information on the public communication channel (for the attention of the legitimate E A correspondent)

o Read information on the communication channel o Execute a particular type of communication protocol called Perfect Privacy Protocol, the characteristics of which are described below.

The two main features of the present invention are (i) the generation of Deep Random distributions, and (ii) the execution of Perfect Privacy Protocol. They are designed (GHP and MCI) to work together, giving the uniqueness of the invention. They make it possible to obtain perfect confidentiality without the need for prior distribution of a secret key and without condition or limitation on the communication channel or on the capabilities of the adversary, which gives the utility and the innovative character of the invention. They can be made in different forms, knowing that at least one is described in section 5 of the present description below, which ensures that the invention can be industrially applied. In addition, the inventor has obtained a mathematical proof of perfect confidentiality, which is not the case for most other previously patented cryptographic communication methods; however, the details of this mathematical proof are complex and are not presented in the present description for the sake of brevity.

(i) Characteristics of the Deep Random Generator:

The Deep Random generated by an EA called A is a source of chance such that its probability distribution is unknowable (or hidden) for a given set of EAs called opponents, each denoted by ξ. In practice, this set of EA is generally all EA other than A. More generally, the probability distribution can be hidden from a set of public features / (note the _s £ all probability distributions that check characteristics /). Such sources of chance have the following property:

If X and Y are two random variables, and if X has a hidden probability distribution for ξ outside the / characteristics, then:

Ε [φ (Χ) \ Υ] _ξ does not depend on the probability distribution of X within it;

where £ '[φ (.Χ ^, ) | ν ^, ] denotes the conditional expectation of <p (X) from knowledge reduced to Y by ξ. φ being any deterministic function.

We can give a weaker but more concrete formulation of this property, with the generated variables. As a definition, if V is a random variable with values in a set E, a random variable V with values in the set F is said to be generated by V if there is a generational distribution ψ E x F κ> [0,1] such that Vx GE, Σy _£ ip (y, x) dy-1 and corresponding to the probability distribution of V:

The weakened formulation of the property is then: let Y be a random variable with values in a set F, generated by any random variable with value in E by the same generation distribution xp: E x F ^ [0,1 ] · If X and X 'are two random variables with values in E whose probability distributions are in Ω _; each hidden for ξ outside the characteristics /, then:

Ε [φ (Χ) \ Υ] _ξ = Ε [φ (Χ ') \ Υ] _ξ

m

Considering 1ΈΑ for which the probability distribution of a random variable is hidden, the estimation capacity relating to this variable is of course more limited than for a traditional random variable whose distribution is known. The concept of weighting possible values is replaced by the concept of the mere existence of such values.

It is important to understand that the assertion that the distribution of a random variable is unknowable for an EA does not mean that this distribution does not exist. It simply means that it is hidden for this EA. For any other EA (knowing the distribution), the random variable remains governed by the traditional probability theory.

It may seem like a nonsense to want to generate Deep Hazard using programmable computing resources. In the real world, even a computer has access to sources of chance whose probability distributions are at least partially unknown, but that does not mean that it is possible to obtain Deep Hazard directly from these sources, usable for a cryptographic communication application.

There are 3 methods for programmatically generating Deep Hazard within an EA:

1) Secure Programming: As part of this method, the program that generates the Deep Hazard (GHP) is secretly developed within an isolated industrial process, and is kept secret to any outside EA. For industrial applications, the program is embedded in a device resistant to investigation, and can be solicited only to provide an output generated internally using the program.

2) Recursive generation: as part of this method, the GHP program executes a continuous recursive generation sequence, in which, at each step m + 1, the probability distribution is created / selected to implement failure the optimal estimation strategy for distributions of steps <m. This method can be implemented in a program that runs continuously within a runtime environment, and can be requested at any time by ΕΑ to provide a random signal generated using a random draw. based on the current value of the distribution suite. Such an implementation can be done in software or hardware to improve the confidentiality of the current state of the suite. For such a method to be safe, the entropy of the random output signal should not be larger than the entropy of the index value of the sequence. An example of such a method is given in section 5 of the present description.

3) The combination: as part of this method, different sources of Deep Hazard are combined. These sources may come from a collaborative external EA, as shown in FIG. 3. In this case, a Perfect Privacy Protocol is used to exchange the parameters of the probability distribution, from one or more Level 1 to Level 2 collaborative EAs considered. Combination methods are such that if at least one of the sources is really Deep Random, then the result of the combination is still Deep Random, in other words the probability distribution obtained remains hidden for the opponents.

With respect to recursive generation, if an observer does not know the start date or the execution speed of an infinite incremental counter, no probability distribution can even estimate the current value of the counter at a given instant, because of its unlimited nature. In addition, if it executes in a computing device, the actual speed of the counter is impacted by external tasks and events within the processors, for which no reliable probability distribution can be used; the only thing an adversary can do is to estimate a very approximate upper bound of the counter's value and speed.

(ii) Characteristics of a Perfect Privacy Protocol:

Let's first define our general model of communication protocols.

A communication protocol is a procedure involving 2 corresponding legitimate EAs 04 and β); which can be decomposed into a finite number of steps t _{1 (} ..., t _R such that, at each step r <R:

a) _: A and B respectively generate a new information x _r and y _r (potentially using classical chance or Deep Hazard thanks to their GHP as shown in Fig. 1 - 100 & 101 interaction), potentially involving the knowledge respectively of {Xm} i≤m <r _> {im m} i≤m <r, and {y _m } _{1≤m <r} , {t _m , j _m ) i < _{m <r} . For this, the GHP can be requested by the MCI as shown in FIG. 1 - interaction 101, and the MCI reads the information published by the other party in the preceding step as shown in FIG. 1 - interaction 103.

b) A and B respectively publish information t _r and j _r which can depend respectively on {½) i < _m≤r , {'mJm} l≤7n <r> ^and {m} l≤? ≤> {½Jm} l≤ _? n <r-

For this, the MCI writes the information on the public channel as shown in FIG. 1 - interaction 102.

In the last step R, A and B perform only calculations based on the respective knowledge of {Xm) i≤m <K _> {im _> jm i≤m <R _> and {y _m } i {i _m , _Tn } i _<m _{</ i} - One of the results of these calculations (as shown in Fig. 1 - 104 interaction) is an estimate of the shared secret information. These estimates are respectively denoted V _A and V _B.

{ _v ] _v is called a configurable protocol, with v a numeric parameter vector set before the protocol execution, if the protocol implementation description (including the ability to generate Deep Random) has a size larger by H (y) + K, where H represents the entropy function and K is a constant independent of v.

Perfect Confidenentiality Protocols are a special type of protocol belonging to the general model described above, for which, assuming the assumptions (H) and (// ') presented above for GHP generated signals, the strategy of the most effective adversary (conditional expectation) to estimate for example V _A is strictly less efficient than V _B (Advantage Distillation [4]). Such protocols also include methods, already known and widely studied in the public literature, Reconciliation and Amplification of Confidentiality [4] to transform said Advantage into secret information and shared exclusively between legitimate correspondents. This shared secret information, which can be of a size as long as desired (for example by repetition of the protocol), can be used to exchange between the legitimate correspondents in a perfectly secure way a signifying message, either directly (use of a mask disposable XOR) or by exchanging a symmetric cryptographic key, which can then be used with a block cipher system or a continuous ciphering system.

More formally, if we consider a protocol T, the total set of random information generated respectively by A and B obeys probablity distributions belonging respectively to sets that are noted ¾CP) and Ά _Β (). . The use of the Deep Randy makes it possible to consider, dependent on T, several subsets of Q _A P) X & B (P) ■ '(Ηι · H), ... such that they contain only distributions that are non distinguishable from each other for the opponent. These subsets are supposed to be maximal (because otherwise we can complete them). We can consider the group of reversible transformations {/ im (s)} _m (supposed to be countable) of & _A P) x Ά _Β (Τ)> → Q _A P) XQ _B (P). which leaves (β ^, Ηξ) stable. Each of these transformations also induces a reversible transformation m _m (s) in the set of possible strategies of the adversary = Ωρ. We then denote Ωφ (β) the subset of Ωγ that contains the invariant strategies by the action of the induced group vs _m {s)} _m . Chance hypotheses Deep (H) and (Η ') allow to restrict the choice of the strategy of the opponent to any element of the subset i¾> (s).

We denote Η _Ρ ε, ε ') the minimum amount of information (number of bits) to be exchanged through T to obtain: ^■

(i) d _h (V _A , V _B ) ≤ EH (V _B )

(ii) inf _s (su _{Pcùesl s)} E'H (V _B)

where d _h denotes the Hamming distance, and H (-) denotes Shannon's entropy [1]. If the 2 conditions above can not be satisfied, then Η _Ρ (ε, ε ') = ∞. A configurable protocol {Ρ _υ } _υ is called a Perfect Privacy Protocol if, νε, ε '> 0, there exist ν (ε, ε') under the assumptions of the Deep Hazard (H) and (W), such as:

Η _Ρν ε, ε ') <∞

The three minimum features of a Perfect Privacy Protocol:

1) Deep Hazard (HP): The 2 legitimate correspondents involved in the protocol make use of the Deep Hazard

2) Degradation: For each of the 2 legitimate correspondents involved in the protocol, the information it publishes is at least partially degraded from the output signal generated by its GHP. This means that the published information is the result of a random variable generated from said output signal generated by the GHP, such that the accuracy of the output signal of said generated variable is made strictly lower (through this process of Degradation) that the accuracy of the output signal generated by the

GHP.

3) Distillation of Advantage under the assumptions of the Deep Hazard ((H) and (H ')): Under the assumptions (H) and (Η'), no strategy of the adversary can be considered more effective than at least one other strategy belonging to a given set Ω, called restriction subset for the protocol; and for any strategy of Ω adopted by the adversary, the estimation of the shared secret information given by said strategy is strictly less accurate than the estimates of the legitimate correspondents.

To illustrate the phenomenon of Degradation, let's give a simple example: consider an EA observing a test of a binary random variable V of parameter Θ 6 [0,1] · If the EA wants to generate a new binary random variable based on the result of the test, it can only affect parameters [θ ₀ , depending on the binary result {0,1} of the test of V. The parameter of this new binary random variable V is then:

0 "+ («, - θ ₀ ) ΰ

If now we replace Θ by θ / k where k is a number>1; it is impossible to generate from V a new binary random variable of parameter Θ (because \ θ-ι- θ ₀ \ <1). The observing EA can of course multiply the result by k (thus generating a value variable this time in {0, k] instead of {0,1},), to obtain a variable generated with the same mean (moment of order 1) that V, but then the variance (moment of order 2, representing the precision) of this generated variable is strictly higher than that of V, in other words its precision is strictly lower. L ΈΑ must therefore "make a choice" between the moment of order 1 and the moment of o dre 2, but can not equal the two moments in the same generated variable.

An example of a Perfect Privacy Protocol is given in section 5 of the present disclosure as a specific embodiment for this invention.

4. Brief presentation of the drawings

Fig. Figure 1 shows the general model of a Deep Hazard-based Perfect Privacy Protocol, in which each EA involved in the protocol (designated A and β), has a continuous GHP, and an MCI. The MCIs of A and B are connected by an error-free public communication channel on which an EA (called "adversary") is assumed to have full read access.

Fig. Figure 2 shows the specific embodiment of a Deep Hazard-Based Parfisk Protocol (corresponding to Section 5) with the successive interactions performed between the EAs involved in the protocol (referred to as A and B). Each of these interactions is described in section 5.

Fig. Figure 3 shows a collaboration model between 2 Deep Random Generators, in which one or more Level 1 EAs (denoted by A. x, A. y) can securely transmit the parameters of their Probablity distribution to Deep Random at a given time. Level 2 EA (designated B). B can then combine these sources potentially together and / or with his own, to generate new sources of Deep Hazard.

Fig. 4 shows a Deep Random Generator operating with the recursive continuous generation method, schematized in the form of a block diagram. The GHP is implemented in a physical environment resistant to computer or electromagnetic intrusions and logically consists of 4 sub-modules: the Internal Recursive Generator Deep Random (GRIHP), the Internal Standard Random Generator, the Internal Memory, and the Interface Communication, which is the only one of the 4 sub-modules that can communicate with the external environment.

5. Description of a specific embodiment i) Description of a specific embodiment of a Deep Random Generator

The specific embodiment presented in this section corresponds to the recursive continuous generation method, as described in section 3. (i) 2), associated with a combination method, as described in section 3. (i) 3 ). he can be implemented in software form or in a hardware device resistant to computer or electromagnetic intrusions.

Fig. 4 shows a Deep Random Generator operating with the recursive continuous generation method, schematized in the form of a block diagram. The GHP logically consists of 4 sub-modules:

• The Internal Recursive Generator of Deep Hazard (GRIHP), which produces [Fig4-400] a continuous and recursive sequence of probability distributions and is able to make available, on request of the Communication Interface [Fig4-420] a proof obtained from the current value of the sequence of probability distributions

• the Internal Hazard Generator Standard, which produces and makes available on request of the Communication Interface [Fig4-430] a proof from a known probability distribution; this probability distribution may require an input parameter such as, for example, the output signal of the GRIHP (in which case it generates a random variable generated by the Probablity distribution at Deep Hazard)

• the Communication Interface, which allows to receive an order of a MCI associated with the GHP, and to give an output signal in return [Fig4-410, 411, 412]

· Internal Memory, which allows the Communication Interface to store, retrieve or erase [Fig4-440, 441, 442] an output signal from the GRIHP.

In the remainder of this section 5.i), an example of GRIHP is presented more particularly.

The following notations are defined; considering x- (x _lt ..., x _n ) and y = (y _{1 (} ..., y _n ) vectors of parameters of [0, l] ⁿ and i- ..., i _n ) and = (Ji, -, jn) test vectors of {0, l} ⁿ , l, r, two integers, and Θ G [0,1], we define:

x. y (resp, ij) the scalar product of x and y (respectively i and j)

We will also manipulate permutation operators on the vectors. For σ GS _n , we write supp (a) = ker (cr-id _Sn ) = {i, σ (ί) ≠ i] and | σ | = card (supp (a)). The vector permutation corresponds to the following linear application:

\ σ GQ _n , σ (χ) = (* _{σ ΐ)} , ..., χ _{σ (η)} ) where Q _n represents the symmetric group

Φ, Φ _τη denote probability distributions with values in [0,1] ^η · For such a distribution Φ, Φ ° σ is another distribution with values in [0, l] ⁿ such that:

Probtp aCx = Prob _< t _> (a ¹ ()) The quadratic matrix of such a distribution Φ is:

_{_{_Μ}} Λ ^{^χ} η ^χ ν Φ (χ) άχ

S _n denotes the set of subsets / of {1, ..., n] of size n / 2; we define Il ^■ Il _c , called the norm-c, by:

V / G 5 _η , ί; (Μ _φ ) = Τ ^M <t> ( ^u >^v; || Μ _φ || _ε = max | _{C /} (M) |

η ^Δ Li _ i € S _n

uv & lxl

To each quadratic matrix distribution Μ _φ is associated the matrix _φ defined by: Φ Η → ¾ = ™ _Φ |: joùm _φ = ~ - ^ Σ _{u ≠ v} M (u, v) We will note in the following:

< _ω , Φ, Φ ') ^ [( _ωυ -¾ ² ] _φφ , <ω, Φ> ê, (ω, Φ, Φ)

where ω denotes any strategy of the adversary, depending on the public information i, j (this set of possible strategies is denoted by Ω), to estimate as precisely as possible the quantity i, j are vectors of proofs of {0, l } ⁿ generated by a Bernoulli distribution at xy

The transformation (x, y) · → (-, -) is the Degradation (as introduced in 3. (ii)) used for the present embodiment, for both the GHP and the Protocol. to Perfect Confidentiality described below in section 5.ii).

Finally, we note:

Parfied Confidentiality Protocol presented hereafter, ((a) corresponds to all distributions that are "far" from being symmetrical. can be considered in the Perfect Privacy Protocol presented below to be able to ensure the effectiveness of the Synchronization step (Step 4).

Having defined these notations, it is now possible to describe precisely the process of construction of the recursive sequence of distributions {Φ [ρ] τη} ρε¾, ηι _ε Ν executed by the GRIHP of the GHP object of the present embodiment of GHP, called in the following GHP (iV, n, k):

Unit Recursive Generation Process:

The set of quadratic matrices of possible distributions (assuming Φ restricted to the set of distributions with values in {0, l} ⁿ ) is the convex envelope of all matrices in the set:

{a (S _r ) \ ae _n) re M _n }

{1 if 1 * 7 "6t V <T

" which corresponds to the quadratic matrix of the

0 otherwise

Dirac distribution for the vector {1, l _r , 0, ..., 0}.

It is easy to calculate that for all r not too close to 0 or 1:

and thus to determine if a distribution of Dirac δ _χ e ζ (α).

The initial primer Φ ₀ of the process is chosen from any predefined subset of ζ (α) that can be traversed algorithmically. In this embodiment, for example, the subset of the convex linear combinations of the distributions that remain in ζ μ) is considered. σ. = _Sn Id Φι = Φο ° ^σ ι

to _m realizes the minium:

where { _{m <s} } ^ is called the GHP characteristic function, which checks at _ms > 0, and

Σm T _ Λ.

s = l Λπι, ε ~ ^± ' Ψ is chosen at random from the initial subset, and it can be proved (the details are complex and are not presented in this description) that it is possible to choose _{m + 1} such that:

<ώ _ιη , ψ ο σ _{τιι + 1} >>

not

We then determine _{m + 1} by:

cu _m o and _{m + 1} may be thus determined (also using the random vector for Ψ o and _{m + 1)} at each stage by the GRIHP.

One can also use a method to combine the distributions in ζ (α): Internal Combination Process:

We start by selecting Ψ in ζ (), and a set {Ψ ₅ } _ΪΕ {Ι, ..., Ν} of distributions "to combine", all also in ζ (α). Let a _{s be} a permutation such that Δ ₀ (Ψ, Ψ ₅ oa _s ) ≥ (^ - <(^ j, it can be proved (the details are complex and are not presented in this description) that such a permutation exists therefore,

and the combined distribution is then: Φ- Σ ^ _{= 1} Ψ ₅ ° r _s . The association of the Unit Recursive Generation Process and the Internal Combination Process presented above gives the following description of the GHP GRIHP (N, n, k) (as represented in [Fig4-400]):

The EA executes a continuous and recursive generation process in which N continuous continuations {Φ [ρ] τη} ρερ¾, 77ΐεΝ progress in parallel each by following a Unit Recursive Generation Process as presented above. It may also be decided (randomly decided) to update the current value of a given sequence by a combination of the current values of the suites using the Internal Combination Process as presented above. The quality of the Deep Random depends on the variety of the initial subset as well as the growing number of iterations executed on each sequence. The GRIHP should execute at least nx N iterations before starting to receive requests from an MCI. N should be approximately of the order of ln (n!) ~ Nln (n), which represents the entropy necessary to encode an element of the set of permutations S _n . At the moment when an MCI requests the selection of a distribution from the GHP (as represented in [Fig4-410]), an additional processing is carried out for the selection of the distribution by the Communication Interface (as represented in [FIG. 420]): the Communication Interface randomly chooses ([Fig4-430]) an integer c among {1, ..., N]; the probability of choosing c is N / c (c + 1) (iV + 1); so that the probability distribution of 1 / c is evenly distributed over [0,1]. The EA then randomly selects c suites from N ([Fig4-430]) and establishes its distribution

Φ as the linear combination ^~ Σr = i Φ [τ ·] ηι _Γ ( _£ ); ^or t denotes the execution time of the process, [p ₁ , ..., p _r ] denote the indices of the selected c suites, m _r (t) denotes the current value of the counter of the sequence Φ [ρ _Γ ] at the moment of execution. The justification for this additional processing is that the finally chosen distribution must belong to a quasi-convex set, and therefore must also have its parameter-a in a convex segment. Indeed, the Dispersion step (Step 2) of the Protocol to

Perfect Privacy presented below uses the convex transformation Φ> → i

- (Φ + Ψ), and this transformation decreases the value of the -a parameter; in general, a convex linear transformation with c summed distributions decreases the value of the parameter-α by a multiplicative constant of the order of 1 / c. Of course, even if this process then makes it possible to be able to effectively apply the hypotheses (H) and (/ ') presented in the description of the invention, the price to be paid is that it introduces the appearance of occurrences low probablity for which the adversary can effectively estimate the secret information shared with separable strategy ω = - ^ j ^ because, by decreasing the value of the parameter-a, we obtain a distribution that is close to a symmetric distribution. These low probability occurrences therefore correspond to the case of larger values of c, which also corresponds to the lower values of the -a parameter.

Finally, the chosen distribution Φ is also transformed (always in the context of the interaction [Fig4-420]) by a transformation called "permutative smoothing":

where y, called the permutative smoothing nucleus, is a function of → [0,1] (note that it is impossible that \ σ \ = 1 and thus the index component 1 can be ignored) which verifies:

This final transformation is necessary to "soften"Dirac's distributions, and to avoid specific biases in certain fast-changing distributions (the technical details are too complex to be presented in this description). The permutative smoothing core is chosen as a fixed GHP parameter. Without going into the complete theoretical justification that goes beyond the scope of this description, the explanation of the design choice of the Unit Recursive Generation Process in the context of the specific embodiment GHP (N, n, k) is as follows:

With an unified counter incrementing in isolation and secure within the GRIHP, the moments m and m + 1 are indistinguishable for the opponent ξ. If a set H _m of strategies allowing an accurate estimation of the shared secret information existed at the instant time, then for any distribution Φ:

and thus, by choosing at the moment m + 1 the distribution, η + ι such that:

(which is always possible as explained above) ΓΕΑ guarant that, provided that ^ C, no absolute strategy exists to accurately estimate all x y.

instant the secret information shared - ^, because the observation instants can not be distinguished by the adversary as being rather m or m + 1.

x j i y

And on the other hand, noting V _A - V _B - where x, y would correspond to independent proofs according to the same distribution can calculate that:

This process therefore generates Deep Hazard because, otherwise, the opponent would

. xy capable by Bayesian inference of estimating shared secret information -j- from public information i, j with a precision equal to or greater than that of V _A or V _B.

ii) Description of a specific embodiment of the Perfect Privacy Protocol

Fig. 2 shows a specific embodiment of a Perfect Privacy Protocol noted Ρ (λ, Θ, Ν, n, k) using a block diagram, where (A, θ, N, n , k) are public parameters of the protocol, whose legitimate correspondents are denoted by A and fi. A and B are two EAs each equipped with a GHP and an MCI. The 2 MCIs are connected by a public and error-free communication channel, so that A and B can publish information on the channel and read information published by the other party.

The steps of the protocol Τ (λ, θ, N, n, k) are as follows:

Step 1 - Generation of Deep Hazard:

A and B each independently perform a process of continuous and recursive generation of deep random probability distributions [Fig2-200] typically using a GHP generator (N, n, k) as described hereinabove in FIG.

10 subsection 5.i). A and B wish to enter into secure communication and start the protocol by independently choosing a probability distribution, respectively Φ and Φ 'by soliciting their GHP (, n, / c) as represented in [Fig2-210 & 211 & 213 & 214, Fig4-410 & 420 ]. The result of this step is that A (resp.B) randomly generates the parameter vector x ₀ G [0,1] "from

15 of Φ (respectively y ₀ [[0,1] "from Φ '), and stores x ₀ (or y ₀ ) in the internal memory of its GHP as shown in [Fig4-440].

Step 2 - Dispersion:

A also chooses a second distribution Ψ always requesting its GHP (N, n, k) as represented in [Fig2-210 & 211 & 213 & 214]. Ψ is used to

20 "scramble" the repeated tests from Φ. A further solicits its GHP (N, n, k) to randomly generate N parameter vectors {x _lr ..., x _N } G {[0, l] ⁿ } ^w from the combined distribution ^ (Φ + Ψ ). B randomly generates N parameter vectors {y _ll ..., y _N ) G {[0,1] "} ^ from Φ '. A (resp. B) stores {χ _ΐΊ ...; Χ _Ν } (resp. {y ₁ , ..., yw}) in the internal memory of its GHP as represented in [Fig4-

440].

Step 3 - Degradation:

A generates N + 1 Bernoulli proof vectors {i ₀ , ..., i _N ] € {{0, l} ⁿ } ^{N + 1} respectively from the parameter vectors -z ~ j ~ j as represented in

[Fig2-210 & 211, Fig4-430 & 441]. A publishes {i _0l ..., i _N } as shown in [FIG. 2-220].

Step 4 - Synchronization:

B read {i ₀ , ..., i _N } on the public channel as represented in [Fig2-221] and calculate a synchronization permutation σ _β = σ _β [{ί ₅ } ^* , { _s } ^* ] _s6M ^ GS _n that satisfies the condition: then generates a proof vector of Bernoulli j ₀ G {0, l} ⁿ from ^ ² -. B publishes y ^' ₀ as represented in [Fig2-230 & 231 & 232 & 240].

Step 5 - Advantage Distillation:

A lit o on the public canal as represented in [Fig2-241] and calculates V _A = as represented in [Fig2-253 & 254 & 255, Fig4-412 & 441 & 442], B calculates V _B = ^ as represented in [Fig2-250 & 251 & 252, Fig4-412 & 441 & 442 ]

Step 6 - Reconciliation and Amplification of Privacy:

Finally, a classic process of Reconciliation and Amplification of Confidentiality [4] provides both a precision as close as desired to perfection for legitimate correspondents, and a knowledge of secret information as close as desired to the nil for any opponent with unlimited computing and storage powers.

It can be proved (the details are complex and are not presented in this description) that an appropriate choice of the parameters (λ, θ, N, n, k) makes it possible to make the steps 4 and 6 under the hybreneses of the hazard Deep (H) and (// '), which constitutes the heart of the present invention. However, we now give some explanations. The use of the Deep Hazard as described in steps 1 and 2 allows to restrict the set of strategies of the adversary as follows: · The stage of Dispersion of the protocol makes it possible to restrict a first time all the strategies of the opponent. opponent to strategies (j _0i i ₀ depends only on public information j ₀ , i _Q

• The Synchronization step leads to restrict a second time the set of strategies of the opponent to the set of strategies such that ω _έ = ω _{σ (} ; _{σ (} ;, Va GQ _n , in other words all invariant strategies by common permutation on i ₀ ,; ₀ .

These two restrictions ultimately leading to the set of restricted strategies Ω _# : Ω _# = [ω G [0,1] ^22η ; = Vf N _n ³ [0,1]

Step 4 is necessary to ensure that the adversary can not take advantage of the independence between the selection processes of Φ and Φ by A and B, which could enable him to estimate efficiently using the strategy. separable ^fc ^ ° ^ ^Jo ^.

Thanks to the synchronization step, such a strategy becomes ineffective, because of the nature of the initial primer Φ ₀ used in the GHP (iV, n, k). Repeated random draws from Φ are used to "synchronize" Φ and Φ ', but can not be used by the opponent ξ to gain an increased knowledge of the distribution Φ. This is the role of the Dispersion 3 step.

It is important to note that the calculation of the synchronization permutation ^σ Β - < _¾ [0 _s] ^* > {) ¾} ^* ] in step 4 depends only on the indices s £ N _N ^* , thus excluding 0. Indeed, the choice of σ _Β must remain independent of i ₀ , so that i ₀ and j ₀ remain independent tests of Bernoulli variables, thus making it possible to apply the increase (E) for the legitimate correspondents.

The explanation for this specific embodiment is as follows: it can be proved that (the details are complex and are not presented in this description), whatever the strategy of the opponent ω in the restricted set Ω _{( (} :

where C 'is a constant. And on the other hand, we always have:

and therefore, provided that - "C", an Advantage Distillation is obtained in step 5.

It is also obtained by the theoretical analysis of the protocol that N must still be of the order of ln (n!) ~ Nln (n), to have a satisfactory probability of satisfying the synchronization requirement of step 4 with the choice σ _Β .

6. Industrial applications

An industrial implementation of a Perfect Privacy Protocol allows two entities communicating through an unsafe communication channel to generate shared secret information. This information, which can be of a length in bits as large as desired (for example by repeating the protocol in a sequential manner) can be used either to exchange directly a perfectly secure message signifying between the legitimate correspondents, (using the secret information as a disposable mask XOR combined with the signifying message), or for exchanging a shared encryption key usable with a block cipher algorithm or a continuous encryption algorithm.

It can therefore be used to secure very sensitive communications, for which cryptographic methods whose security is not proven, or is not resistant to an adversary with a large computing power, may appear to be insufficient. It also eliminates non-automated shared key distribution processes in secure communication; these processes are difficult to implement, costly and susceptible to security breaches.

Such an embodiment may be in the form of a program or software library, which can be embedded in communication equipment or integrated into applications Γ. It can also be made in the form of a specially protected communication equipment, designed to be deployed in cut, resistant to computer and electromagnetic intrusions.

Claims

claims

1) Digital communication method for exchanging data confidentially between two corresponding entities, called A and B or together the legitimate correspondents, initially sharing no secret information, based on a communication protocol through a data channel. unsafe public digital communication, characterized in that: (i) both entities have a source of chance, called Deep Hazard Generator (GHP) and adapted for a given communication protocol, such as the probability distribution used by this source at any time is unknown and indistinguishable from any other probability distribution within a set of probability distributions 2 _A for A (resp., Q _B for B) for any entity other than that which has said source , thus preventing any reliable estimation based on the Bayesian inference, the said generator being able to be realized (a) in general continuously and recursively providing probability distributions at each step that defeat the optimal inference strategy corresponding to the distributions of the preceding steps in the context of a local emulation of said protocol, or (b) using probability distributions executed within programs that are resistant to investigation, or (c) a combination of several deep-source source type (a) or (b) concerns; (ii) the two entities execute a communication protocol associated with said GHP, including a degradation of the secret information generated by their GHP, also called GHP output signal, before said output signal thus degraded is used to generate a signal that can be published by the partner, and this in order to make necessary a process of Bayesian inference to find the signal from the GHP from the published degraded signal, said protocol then allowing each of the entities to calculate, from their secret information and signals published on the unsafe channel, their estimation, respectively called, V _A and V _B , of the shared secret information; said protocol being designed such that an adversary having full access to all information exchanged on the unsafe communication channel, can at best generate an estimate of shared secret information that is strictly less accurate than V _A and it is strictly less precise than V _B thanks to (a) the said degradation and (b) under the assumption that the probability distributions used respectively by A and B are indistinguishable respectively within Q _A and Q _B ; (iii) once an advantage between the legitimate correspondents has been obtained as described above, the protocol is supplemented by a conventional Reconciliation and then Privacy Amplification procedure to ensure that estimates of legitimate correspondents can be relinquished as close that desired the equality, and that the opponent's estimate can be made as close as desired to the total uncertainty. 2) Method according to claim 1, characterized in that the shared secret information estimated by each correspondent is then used by him as a secret key for the execution of a conventional secret key encryption method, in order to exchange then a flow or block of digital information in a confidential manner.

3) Method according to claim 1, characterized in that the confidential data exchange protocol is repeated several times to generate a bit string S called "disposable mask" shared between A and B and such that, (i) A can combine S by an operation XOR, or by any other bijective combination, with a message in clear M, (ii) A can send to B the result of this combination between S and M, (iii) B can obtain the message M in performing the inverse combination operation using S. 4) The method according to any one of the preceding claims, characterized in that it further comprises an authentication method between A and B to authenticate the sender of each message during the execution of the protocol, and thus allowing said protocol to be equally resistant to active adversaries, who would be able to introduce messages on the unsafe communication channel.

5) Method according to any one of claims 1 to 4, characterized in that it is used to securely exchange the parameters of a probability distribution produced by a GHP, of an entity executing a GHP called level 1 to an entity performing a so-called level 2 GHP, which distribution can then be combined with others by the level 2 GHP.

6) Method according to claim 1, characterized in that the protocol consists more specifically of 6 steps: in a first step - called deep chance generation -, A and B each choose with the help of their random generator Deep (GHP) a probability distribution with value in [0, l] ⁿ , Φ for A and Φ 'for B, the GHPs being made in such a way that they allow to choose only distributions far from their symmetrical projection, that is to say away for Φ de-σ _σ ε _{& η} ° σ, A and B then each generate the vectors x ₀ and y ₀ G [0, l] ⁿ from their respective distributions and keep each secret this data; in a second stage - called Dispersion -, A chooses a second distribution Ψ using its GHP and generates

N vectors {x _lt ..., x _N ] from repeated draws according to the distribution (Φ + Ψ), B generates meanwhile N vectors {y _lt ..., y _N } from repeated draws according to the distribution Φ ', they each keep their series of vectors secret; in a third stage - called Degradation -, A generates N + 1 Bernoulli test vectors [i ₀ , ..., i _N } £ {{0, ï} ⁿ } ^{N + 1} respectively from the vectors of parameters where k is a Degradation parameter strictly greater than 1, A publishes {t ₀ , ..., i _N } to B on the unsafe public channel; in a fourth step - called Synchronization - B reads the proof vectors {i ₀ , ..., t _w } from the unsafe channel and calculates the synchronization permutation σ _Β - G _B [{i _s } * , {y _s } ^* ] _s in _N * ^e ®n satisfying the condition Card js GN _N ^* - £ l ^ Σ> ^ N, where Θ and λ are positive numerical parameters, then B generates the proof vector from Bernoulli j ₀ from the parameter vector ^ffB ^ and publish j ₀ to A on the unsafe channel; in a fifth step - called Advantage Distillation -, A reads j ₀ from the unsafe channel, and calculates V _A = its estimate of the shared secret information, B meanwhile calculates V _B = its estimate of the shared secret information; In a sixth step - called Reconciliation and Privacy Enhancement - A and B use traditional Reconciliation and Privacy Amplification techniques to achieve both near and perfect accuracy for their estimates. shared secret information, while making the opponent's estimate as close as desired to total uncertainty.

7) Deep chance generation method intended to be used to implement a method according to claim 6, characterized in that it relies more specifically on 4 subprocesses sus: (i) a Generation process Recursive Internal Deep Random (GRIHP) executing continuously and recursively, such that at each step m + 1, said process generates a probability distribution O _m + i with a value in [0, l] ⁿ remote of its symmetrical projection, that is to say of ^ Σ _σ £ _η τη + ι ° ^σ · _> ^{and a} permutation a _{m + 1} , such that

(½, Φ oa _{m + 1} ) AE - ¾ 1 ≥ where C is a parameter of the GRIHP, and 6½ denoting the optimal strategy of the adversary at step m, defined as verifying min _il) (w, Σ ^ _{= 1} l _{ni) S} O _s ), where {A _{m> s} } ^' is a parameter of the generator called characteristic function satisfying _ms > 0 andΣ ™ _! A _ms = 1; (ii) an internal memory process; (iii) a conventional random signal generation process; (iv) a communication process that can be requested at any time by an external Interactive Communication Module to perform a calculation on a signal from the GRIHP and stored by the internal storage process (ii), or to delete a stored signal, or for generating a signal from the GRIHP, in the latter case said communication process (iv) obtains from the GRIHP the current state of its recursive suite of probability distributions and memorizes by means of the internal storage process (ii) : either the parameters of the distribution corresponding to this current state, or a signal generated randomly from the distribution corresponding to this current state. 8) network communication device for transmitting and receiving information in a secure manner by implementing a method according to any one of claims 1 to 6, characterized in that it comprises a GHP resistant to computer intrusions and electromagnetic and a module of

5 Interactive Communication (MCI) able to solicit the GHP and execute the protocol; said device being capable of executing the protocol either in the role of A or in the role of B, and two such devices used by two entities A and B using them with respective roles A and B, being able to execute the protocol between A. and B.

10

9) Device for generating Deep Hazard, and can be associated with an Interactive Communication Module (MCI) capable of implementing a confidential data exchange protocol associated with a confidential data exchange method according to one of any of claims 1 to 4, characterized

In that (i) the Deep Hazard generation method relies on the recursive and continuous generation of probability distributions, defeating at each step the best estimation strategy of the preceding step in the sense of the executed protocol by the MCI, and (ii) the signal generated by the Internal Recursive Generator of Deep Hazard (GRIHP) can remain in the enclosure resistant to

20 computer and electromagnetic intrusions of said device, since only the generation request, calculation request and delete request operations associated with said signal can be submitted to said device by an external MCI.

10) Device for generating deep chance to be used to implement a method according to claim 6, characterized in that it is composed of an Internal Recursive Generation Module of Deep Hazard (GRIHP), a communication interface module, an internal standard random generation module, and an internal memory module, said modules being (i)

30 protected within a chamber resistant to computer and electromagnetic intrusions, (ii) made and arranged so as to implement a deep hazard generation method according to claim 7, and (iii) capable of performing the protocol implemented in the method according to claim 6 either in the role of A or in that of B, and in such a way that two such devices

Used by two entities A and B in the respective roles of A and B, allow them to execute said protocol.