METHOD FOR CRYPTOGRAPHIC COMMUNICATION BASED ON PURE CHANCE

Abstract
A cryptographic communications system enables two entities, connected by an insecure communication channel and initially sharing no private knowledge, to agree on shared, unconditionally secure information. Each entity can generate a new form of randomness called Deep Random, such that no other entity can know anything about its probability distribution except a given public characteristic. The internal system of each entity is made up of: (1) a Deep Random Generator (DRG) capable of generating Deep Random signals and of performing calculations using the generated signals, and (2) an Interactive Communication Module (ICM) capable of publishing to and reading from the insecure channel. The two entities execute a communication protocol such that they can each compute their respective estimates of the shared information, which are probabilistically as close to perfect equality as desired.
Description
1. FIELD OF INVENTION

The invention relates to cryptographic systems.


2. DESCRIPTION OF PRIOR ART

Modern cryptography mostly relies on mathematical problems commonly trusted to be very difficult to solve, such as large integer factorization or the discrete logarithm, which belong to complexity theory. As no certainty exists about the actual difficulty of those problems, not even the truth of the famous P≠NP conjecture, other methods, based instead on information theory, have been developed since the early 1990s. Those methods rely on hypotheses about the opponent (such as a «memory bounded» adversary [6]) or about the communication channel (such as «independent noisy channels» [5]); unfortunately, even though their perfect secrecy has been proven under the given hypotheses, none of those hypotheses are easy to ensure in practice. Finally, other methods based on physical theories such as quantum indeterminacy [3] or chaos generation have been described and experimented with, but they are complex to implement and, again, rely on unproven theories.


Considering this unsatisfying situation, we propose a new method in which proven perfect secrecy can be reached without relying on any assumption about the opponent, which is supposed to have unlimited calculation and storage capacities, nor about the communication channel, which is supposed to be perfectly public, accessible and equivalent for every party (legitimate partners and opponent). The considered opponent is passive, which means that it does not interfere actively in the communication by suppressing, adding or modifying information exchanged between the legitimate partners; it simply has full access to it. An active opponent can also be handled by adding authentication schemes between the legitimate partners in the communication protocol.


REFERENCES



  • [1] C. E. Shannon, «Communication theory of secrecy systems», Bell Syst. Tech. J., Vol. 28, pp. 656-715, October 1949

  • [2] A. N. Kolmogorov, «On Tables of Random Numbers», Sankhya. Indian Journal of Statistics A, 25(4):369-376

  • [3] C. H. Bennet and G. Brassard, «Quantum cryptography and its application to provable secure key expansion, public-key distribution and coin-tossing», Proc. IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, pp. 175-179, December 1984

  • [4] C. H. Bennet, G. Brassard and J.-M. Robert, «Privacy Amplification by Public Discussion», SIAM J. COMPUT., Vol. 17, No. 2, April 1988

  • [5] U. M. Maurer, «Secret Key Agreement by Public Discussion from Common Information», IEEE Transactions on Information Theory, Vol. 39, No. 3, May 1993

  • [6] C. Cachin and U. M. Maurer, «Unconditional Security Against Memory-Bounded Adversaries», Proceeding of CRYPTO '97, Lecture Notes in Computer Science, Springer, 1997


    The inventor has published the following scientific articles related to the invention described herein after the priority date of the application:

  • [7] T. de Valroger, «Perfect Secrecy under Deep Random assumption», Arxiv.org (http://arxiv.org/abs/1507.08258)

  • [8] T. de Valroger, «Simulation for Deep Random Secrecy Protocols», Arxiv.org (https://arxiv.org/abs/1611.01683)



3. SUMMARY AND OBJECT OF THE INVENTION

We consider two Autonomous Entities (AE), called legitimate corresponding AE, willing to communicate over an insecure public channel. As in every classical protocol model, those AE are entities capable of generating random bit strings, publishing bit strings, reading bit strings published by other AE on the public channel, storing bit strings and making calculations on bit strings. The main difference of our method is that random generation includes Deep Random generation. Deep Random is a source of digital randomness such that an external observer cannot know anything about the probability distribution of the digital random variable except some public characteristics. Thus, such Deep Random variables are not subject to Bayesian inference.


An AE is constituted (FIG. 1) with two components:


The Deep Random Generator (DRG). A DRG is capable of:


Producing continuously new/evolutive probability distributions, called Deep Random distributions, whose characteristic is given below


Generating and storing, upon request of an authorized associated ICM, random digital information using its Deep Random probability distributions; this information has to remain secret for the purpose of the secrecy of the communication


Performing, upon request of authorized associated ICM, calculations involving the said secret digital information


The Interactive Communication Module (ICM). An ICM is capable of:


Publishing information on the public channel (to the attention of its legitimate corresponding AE)


Reading information from the public channel


Executing a communication protocol called Perfect Secrecy Protocol, whose characteristic is given below.


The two main characteristics of the present invention are (i) the generation of Deep Random probability distributions, and (ii) the execution of a Perfect Secrecy Protocol. They are designed to work together, which gives the unity of the invention. They produce perfect secrecy without the need for a prearranged secret key and without any condition or limitation regarding the communication channel and the opponent, which gives the innovativeness and usefulness of the invention. They can be embodied in several forms, but at least one is described in section 5 below, which shows that the invention is subject to industrial application. In addition, the author obtained the mathematical proof of the perfect secrecy, which was not the case with former patented methods; nevertheless, the details of this mathematical proof are complex and thus are not made explicit in the present description.


(i) Characteristics of Deep Random Generators:

Deep Random generated by an AE called A is a source of randomness such that its probability distribution is made practically unknowledgeable (or hidden) for a given set of AE called opponents, each denoted ξ. In practice, this set of AE is generally all AE other than A. More generally, the probability distribution may be hidden for ξ except for a public characteristic information I (we denote $\Omega_I$ the set of probability distributions satisfying the characteristic information I). Such a randomness source has the following characteristic:


If X and Y are two random variables, and if X has a probability distribution hidden for ξ except for a given characteristic information I, then:

$$E[\varphi(X)\mid Y]_\xi\ \text{has no dependency on the probability distribution of } X \text{ within } \Omega_I \qquad (H)$$

where $E[\varphi(X)\mid Y]_\xi$ designates the conditional expectation of $\varphi(X)$ from the restricted knowledge of Y available to ξ.


We can give a weaker but more concrete formulation of this characteristic, associated with engendered variables. As a general definition, if V is a random variable with values in a set E, a random variable V′ with values in a set F is an engendered variable from V if there exists an engendering distribution $\psi: E\times F\to[0,1]$ such that $\forall x\in E,\ \int_{y\in F}\psi(y,x)\,dy=1$, the probability distribution of V′ being:

$$P(V'=y\mid V=x)=\psi(y,x)$$

The weaker formulation is then the following: let Y be a random variable with values in F, engendered from any variable with values in E through the same engendering distribution $\psi: E\times F\to[0,1]$. If X and X′ are two random variables with values in E and probability distributions in $\Omega_I$, both hidden for ξ except for the characteristic information I, then:

$$E[\varphi(X)\mid Y]_\xi=E[\varphi(X')\mid Y]_\xi \qquad (H')$$


Viewed from an AE to which the probability distribution is hidden, the calculation capabilities related to that random variable are of course more limited than for a traditional one in probability theory. The concept of «weighting» the possible values in the sample space is replaced by the concept of the simple existence of such values.


It is important to understand that stating that a random variable's probability distribution is unknowledgeable doesn't mean that its probability distribution doesn't exist. It only means that it is hidden from a given set of AE. For any other AE (knowing the probability distribution of X), the random variable remains governed by traditional probability theory.


It may appear nonsensical to want to generate Deep Random from a deterministic computable program. In the real world, even a computer may access sources of randomness whose probability distribution is at least partly unknown, but that doesn't mean that we can build from them Deep Random reliable enough for cryptographic applications.


Three methods exist to generate Deep Random programmatically within an AE:


1) Secure programming: in this method, the program generating Deep Random (DRG) is securely developed within a closed industrial process and is kept secret from external AE. For industrial application, it is embedded into a tamper-resistant device and can only be requested to generate a given output random signal.


2) Recursive generation: in this method the DRG program executes a continuous recursive generation sequence, where at each step m+1 the probability distribution is created/selected to defeat the prediction of the optimal predicting strategy for the probability distributions of steps ≤m. This method can be implemented in a program that runs continuously in a computing environment and that can be requested at any time to output a random signal drawn from the current value of the probability distribution sequence. Such an implementation can be done in software or embedded in tamper-resistant hardware to improve the confidentiality of the current state of the counter and of the probability distribution sequence. For such a method to be secure, the entropy of the output random signal should not be greater than the entropy of the current counter value. An example of such a method is given in section 5.


3) Combination: in this method, different sources of Deep Randomness are combined. Those sources can come from external collaborative AE as per FIG. 3. In this case, the Perfect Secrecy Protocol is used to exchange probability distribution parameters from one or several level 1 collaborative AE to the considered level 2 AE. The combination methods are such that if at least one of the combined sources is actually Deep Random, the result of the combination with the other sources is also Deep Random, meaning that its probability distribution remains hidden from the opponents.


Regarding recursive generation, if one doesn't know the starting date and the speed of an infinite counter, no probability distribution can even be approximated for the value of the counter at a given time, because of the unlimited nature of a counter. If performed on a physical computing source, the actual speed of the counter is affected by all the external tasks of the processor, for which no probability distribution can be estimated; the only thing an opponent can do is estimate a rough upper bound of that speed.


(ii) Characteristics of Perfect Secrecy Protocol:

Let's first define our general communication protocol model.


A protocol is a communication procedure involving 2 legitimate communicating AE (A and B) that can be decomposed into a finite number of steps $t_1,\dots,t_R$ such that at each step r<R:


a) A and B generate respectively a new piece of information $x_r$ and $y_r$ (using potentially classical random or Deep Random thanks to their DRG as per FIG. 1—interactions 100 & 101), potentially involving the knowledge of respectively $\{x_m\}_{1\le m<r},\{i_m,j_m\}_{1\le m<r}$ and $\{y_m\}_{1\le m<r},\{i_m,j_m\}_{1\le m<r}$. To that extent, the DRG may be requested by the ICM as per FIG. 1—interaction 101, and the ICM reads the information published by the other party at the previous step as per FIG. 1—interaction 103.


b) A and B publish respectively a piece of information $i_r$ and $j_r$ that may depend respectively on $\{x_m\}_{1\le m<r},\{i_m,j_m\}_{1\le m<r}$ and $\{y_m\}_{1\le m<r},\{i_m,j_m\}_{1\le m<r}$. To that extent the ICM writes the information on the public channel as per FIG. 1 interaction 102.


At the last step R, A and B only perform calculations involving the knowledge of respectively $\{x_m\}_{1\le m<R},\{i_m,j_m\}_{1\le m<R}$ and $\{y_m\}_{1\le m<R},\{i_m,j_m\}_{1\le m<R}$. One of the results of those calculations (as per FIG. 1 interaction 104) is an estimate of the shared information. Those estimates are respectively denoted $V_A$ and $V_B$.


$\{\mathcal{P}_v\}_v$ is called a configurable protocol, with v a vector of numerical parameters fixed before running the protocol, if the description of the implementation of the protocol (including the capacity to generate Deep Random) has a size bounded by H(v)+K, where H is the entropy and K a constant not depending on v.


Perfect Secrecy Protocols are special protocols within the above general model for which, assuming (H) and (H′) above for the signals generated by the DRG, the most efficient strategy for an opponent (conditional expectation) to estimate, say, $V_A$ is less efficient than $V_B$ (Advantage Distillation [4]). Such protocols also include so-called Reconciliation and Privacy Amplification methods [4] to transform the said Advantage into secure information shared exclusively between the legitimate partners. This information, which can be as long as desired (by repeating the protocol), can be used to exchange a meaningful message securely between the legitimate partners, either directly (one-time pad XOR) or by exchanging a symmetric cryptographic key usable with any block or stream cipher.


More formally, if we consider a protocol P, the whole set of random information generated by A and B respectively obeys a probability distribution belonging to a set of A-distributions of P and a set of B-distributions of P respectively. The use of Deep Random enables one to consider, depending on P, several subsets $(H_1^A,H_1^B),\dots$ of the product of those two sets, containing only distributions that cannot be distinguished from each other by the opponent. Those subsets are supposed to be maximal (because they can be completed if not). We can consider the group of reversible transforms $\{h_m^{(s)}\}_m$ (supposed to be enumerable) of that product set onto itself that leave $(H_s^A,H_s^B)$ stable. Each of those transforms induces a reversible transform $\omega_m^{(s)}$ on the set of strategies of the opponent $\{\omega_{\{i_r\},\{j_r\}}\}=\Omega$. We thus denote $\Omega^{(s)}$ the subset of $\Omega$ containing the strategies invariant under the action of the induced group $\{\omega_m^{(s)}\}_m$. The Deep Random hypotheses (H) and (H′) thus make it possible to restrict the strategy of the opponent to any of those subsets $\Omega^{(s)}$.


We denote $\mathcal{L}(\varepsilon,\varepsilon')$ the minimum quantity (number of digits) that has to be exchanged through P to obtain:

$$d_h(V_A,V_B)\le\varepsilon\,H(V_B)\qquad (i)$$

$$\inf_s\Bigl(\sup_{\omega\in\Omega^{(s)}}\bigl|d_h(\omega,V_B)-\tfrac12 H(V_B)\bigr|\Bigr)\le\varepsilon'\,H(V_B)\qquad (ii)$$

where $d_h$ denotes the Hamming distance and $H(\cdot)$ denotes Shannon's entropy [1]. If the 2 conditions above cannot be fulfilled, then $\mathcal{L}(\varepsilon,\varepsilon')=\infty$. A configurable protocol $\{P_v\}_v$ is called a Perfect Secrecy Protocol if, $\forall\varepsilon,\varepsilon'>0$, there exists $v(\varepsilon,\varepsilon')$ such that, under the Deep Random hypotheses (H) and (H′),

$$\mathcal{L}_{v(\varepsilon,\varepsilon')}<\infty$$


The three minimal characteristics of Perfect Secrecy Protocols are:


1) Deep Random (DR): Both legitimate partners involved in the protocol make use of a DRG


2) Degradation: For each legitimate partner involved in the protocol, the information it publishes is at least partly degraded with respect to the associated output signal generated by its DRG. This means that the published information is the result of an engendered variable from the output signal generated by the DRG, such that the accuracy of the output of the said engendered variable is made lower (through the degradation process) than the accuracy of the output signal generated by the DRG.


3) Advantage Distillation under the DR assumption ((H) and (H′)): Under (H) and (H′), a strategy for the opponent cannot be considered more efficient than at least one other strategy belonging to a given set Ω, called the restriction set of strategies for the protocol; and for any strategy in Ω adopted by the opponent, the estimate of the shared information given by the said strategy is strictly less accurate than the estimates of the legitimate partners.


To illustrate degradation, let's give a simple example: consider an AE observing an experiment of a binary random variable V with parameter θ∈[0,1]. If the AE wants to generate a new binary random variable based on the result of the experiment, it can only assign parameters $\{\theta_0,\theta_1\}$ depending on the {0,1} result of the experiment of V. The parameter of the new binary random variable V′ is then:

$$\theta_0+(\theta_1-\theta_0)\,\theta$$

Let's now replace θ by θ/k where k is a real number >1; it is thus impossible to engender from V a binary random variable with parameter θ (because $|\theta_1-\theta_0|\le1$). The observing AE can of course multiply the obtained experiment by k (resulting in an engendered variable with values in {0,k} instead of {0,1}), in order to obtain an engendered variable with the same first moment as V, but the variance (second moment, representing accuracy) of that engendered variable is then strictly larger than the variance of V. The AE then has to «make a choice» between the first and second moment, but cannot get both in the same engendered variable.


An example of such Perfect Secrecy Protocol is given in section 5, as specific embodiment of the invention.





4. BRIEF DESCRIPTION OF DRAWINGS


FIG. 1 shows the general model for Deep Random based Perfect Secrecy Protocols, where each AE involved in the protocol (denoted A and B) is running a DRG and an ICM. ICM of A and ICM of B are connected through an errorless public channel, over which any AE is supposed to have full reading access.



FIG. 2 shows the specific embodiment of a Deep Random based Perfect Secrecy Protocol (related to section 5) with the successive interactions executed between the AE involved in the protocol (denoted A and B). Each of those interactions is described in section 5.



FIG. 3 shows a collaboration model between Deep Random Generators, where one or several level 1 AE (denoted A·x, A·y) can securely transfer the parameters of a Deep Random probability distribution to a level 2 AE (denoted B). B can then combine those sources, potentially together with its own, to generate a new local Deep Random source.



FIG. 4 shows a Deep Random Generator working with the continuous recursive generation method, in block diagram form. It is embodied in a tamper-resistant shell and is logically made up of 4 sub-modules: the Internal Recursive DR Generator, the Internal Standard Random Generator, the Internal Memory, and the Communication Interface, which is the only one of the four sub-modules allowed to communicate with the external environment.





5. DESCRIPTION OF A SPECIFIC EMBODIMENT
i) Description of a Specific Embodiment of Deep Random Generator

The specific embodiment presented in this section corresponds to a recursive method as per section 3. (i) 2), associated with a combination method as per section 3. (i) 3). It can be implemented in a software program or tamper resistant hardware device.



FIG. 4 shows an embodiment of a Deep Random Generator working with the continuous recursive generation method, in block diagram form. Such a DRG typically has 4 sub-components:


An Internal Recursive DR Distribution Generator, that produces [FIG. 4-400] a continuous recursive sequence of probability distributions and is capable of outputting upon request [FIG. 4-420] an experiment obtained from the current value of the probability distribution sequence


An Internal Standard Random Generator, that produces and outputs upon request [FIG. 4-430] an experiment from a known probability distribution; this probability distribution may need an input parameter such as an output signal of the internal DRG (in which case it generates an engendered variable from the DR probability distribution)


A Communication Interface, that enables receiving orders from an associated ICM [FIG. 4-410, 411, 412]


An Internal Memory, that enables the Communication Interface to store, retrieve or delete [FIG. 4-440, 441, 442] an output signal of the internal DRG.


The remainder of this section 5.i) focuses on an example of the Internal Recursive DR Distribution Generator.


Let's define some notation; considering $x=(x_1,\dots,x_n)$ and $y=(y_1,\dots,y_n)$ parameter vectors in $[0,1]^n$, $i=(i_1,\dots,i_n)$ and $j=(j_1,\dots,j_n)$ experiment vectors in $\{0,1\}^n$, $l,r\in\mathbb{N}_n^*$ two integers, and θ∈[0,1], we define:

    • $x\cdot y$ (resp. $i\cdot j$) the scalar product of x and y (resp. i and j)

$$|x|\triangleq\sum_{s=1}^n x_s;\qquad |i|\triangleq\sum_{s=1}^n i_s$$

We will also manipulate permutation operators over vectors. For $\sigma\in\mathfrak{S}_n$, we write $\mathrm{supp}(\sigma)=\ker(\sigma-\mathrm{id})=\{i\mid\sigma(i)\ne i\}$ and $|\sigma|=\mathrm{card}(\mathrm{supp}(\sigma))$. The permutation of a vector is the following linear map:

    • $\forall\sigma\in\mathfrak{S}_n,\ \sigma(x)\triangleq(x_{\sigma(1)},\dots,x_{\sigma(n)})$, where $\mathfrak{S}_n$ represents the symmetric group

      $\Phi,\Phi_m$ denote probability distributions outputting values in $[0,1]^n$. For such a distribution Φ, $\Phi\circ\sigma$ denotes another probability distribution outputting values in $[0,1]^n$ and such that:

$$\mathrm{Prob}_{\Phi\circ\sigma}(x)=\mathrm{Prob}_\Phi\bigl(\sigma^{-1}(x)\bigr)$$

The quadratic matrix of such a distribution Φ is:

$$M_\Phi(u,v)=\int_{[0,1]^n}x_u\,x_v\,\Phi(x)\,dx$$


Let $S_n$ stand for the set of the subsets I of $\{1,\dots,n\}$ of size n/2; we define $\|\cdot\|_c$, the c-norm, by:

$$\forall I\in S_n,\quad c_I(M_\Phi)=\frac{4}{n^2}\sum_{(u,v)\in I\times\bar I}M_\Phi(u,v);\qquad \|M_\Phi\|_c=\max_{I\in S_n}\bigl|c_I(M_\Phi)\bigr|$$









We associate to any distribution quadratic matrix $M_\Phi$ the matrix $\overline{M_\Phi}$ defined by:

$$\overline{M_\Phi}=m_\Phi\begin{pmatrix}0&1&\cdots&1\\1&0&\ddots&\vdots\\\vdots&\ddots&\ddots&1\\1&\cdots&1&0\end{pmatrix}$$

where

$$m_\Phi=\frac{1}{n(n-1)}\sum_{u\ne v}M_\Phi(u,v)$$








We will denote in the following:

$$\langle\omega,\Phi,\Phi'\rangle\triangleq E\Bigl[\Bigl(\omega_{i,j}-\frac{x\cdot y}{nk}\Bigr)^2\Bigr]_{\Phi,\Phi'}$$

$$\langle\omega,\Phi\rangle\triangleq\langle\omega,\Phi,\Phi\rangle$$

$$\Delta_0(\Phi,\Phi')\triangleq\int_{x,y\in[0,1]^n}\Bigl(\frac{|x|\,|y|}{n^2}-\frac{x\cdot y}{n}\Bigr)^2\Phi(x)\,\Phi'(y)\,dx\,dy$$






where ω denotes any strategy chosen by the opponent, depending on the public information i,j (this set of possible strategies is denoted Ω), to best estimate

$$\frac{x\cdot y}{nk}.$$

i,j are experiment vectors in $\{0,1\}^n$ generated from a Bernoulli distribution with the respective parameter vectors

$$\frac{x}{k},\ \frac{y}{k}.$$

The transform

$$(x,y)\mapsto\Bigl(\frac{x}{k},\frac{y}{k}\Bigr)$$

is the Degradation (as per section 3.(ii)) used in the present method, for both the DRG and the Perfect Secrecy Protocol described hereafter.


Finally, we denote:

$$\zeta(\alpha)\triangleq\bigl\{\Phi\ \big|\ \|M_\Phi-\overline{M_\Phi}\|_c\ge\sqrt{\alpha}\bigr\}$$

where α∈[0,1] is a scalar lower bound chosen as a configuration parameter; its value is a trade-off between the size of the entropy of the set of possible distributions and the efficiency of the Synchronization step of the Perfect Secrecy Protocol presented hereafter. ζ(α) corresponds to the set of distributions that are «far» from being symmetric. Only such distributions can be considered in the Perfect Secrecy Protocol presented hereafter, to ensure the efficiency of its Synchronization step (Step 4).


Having set this notation, we can describe the process constructing the sequences of probability distributions $\{\Phi^{[p]}_m\}_m$ executed by the Internal Recursive DR Distribution Generator of our specific DRG embodiment, DRG(N, n, k):


The Unitary Recursive Generation Process:


The set of possible quadratic matrices (if Φ is restricted to $\{0,1\}^n$) is the convex hull of all matrices in the set:

$$\{\sigma(S_r)\mid\sigma\in\mathfrak{S}_n,\ r\in\mathbb{N}_n\}$$

where

$$S_r(u,v)=\begin{cases}1&\text{if } u<r \text{ and } v<r\\0&\text{otherwise}\end{cases}$$

corresponding to the matrix of the Dirac distribution for the vector $(\underbrace{1,\dots,1}_{r},0,\dots,0)$.


We can easily calculate that, for r not too close to 0 or 1:

$$\|S_r-\overline{S_r}\|_c=\begin{cases}\dfrac{r(r-1)}{n(n-1)}&r<\dfrac n2\\[2ex]\dfrac{(n-r)(n-r-1)}{n(n-1)}&r\ge\dfrac n2\end{cases}$$

and therefore determine whether the Dirac distribution $\delta_x\in\zeta(\alpha)$.
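The following is an added worked example, not code from the patent: it implements the definitions above ($M_\Phi$, $\overline{M_\Phi}$, the c-norm as a brute-force maximum over $S_n$, and the ζ(α) test) in exact rational arithmetic for finite-support distributions on $\{0,1\}^n$, and checks the stated closed form for $\|S_r-\overline{S_r}\|_c$ against them for small n. All function names are this example's own.

```python
from fractions import Fraction
from itertools import combinations


def quadratic_matrix(dist, n):
    """M_Phi(u,v) = sum_x x_u x_v Phi(x) for a finite-support Phi on {0,1}^n.
    dist is a list of (weight, vector) pairs whose weights sum to 1."""
    M = [[Fraction(0)] * n for _ in range(n)]
    for w, x in dist:
        support = [u for u in range(n) if x[u]]
        for u in support:
            for v in support:
                M[u][v] += Fraction(w) * Fraction(x[u]) * Fraction(x[v])
    return M


def bar_matrix(M):
    """bar(M_Phi) = m_Phi * (J - Id), m_Phi being the mean off-diagonal entry."""
    n = len(M)
    m = sum(M[u][v] for u in range(n) for v in range(n) if u != v) / (n * (n - 1))
    return [[Fraction(0) if u == v else m for v in range(n)] for u in range(n)]


def matrix_diff(A, B):
    return [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def c_norm(M):
    """||M||_c = max over I in S_n of |c_I(M)|, with
    c_I(M) = 4/n^2 * sum_{u in I, v not in I} M(u,v).  Brute force over S_n,
    i.e. over all n/2-subsets of {0,...,n-1} (fine for the small n used here)."""
    n = len(M)
    best = Fraction(0)
    for I in combinations(range(n), n // 2):
        members = set(I)
        complement = [v for v in range(n) if v not in members]
        c = Fraction(4, n * n) * sum(M[u][v] for u in I for v in complement)
        best = max(best, abs(c))
    return best


def in_zeta(dist, n, alpha):
    """Phi in zeta(alpha)  <=>  ||M_Phi - bar(M_Phi)||_c >= sqrt(alpha).
    Both sides are non-negative, so squares are compared to stay exact."""
    M = quadratic_matrix(dist, n)
    return c_norm(matrix_diff(M, bar_matrix(M))) ** 2 >= Fraction(alpha)


def dirac(n, r):
    """Dirac distribution on the vector (1,...,1 [r times], 0,...,0)."""
    return [(Fraction(1), tuple([1] * r + [0] * (n - r)))]


def dirac_norm(n, r):
    """||S_r - bar(S_r)||_c computed directly from the definitions."""
    M = quadratic_matrix(dirac(n, r), n)
    return c_norm(matrix_diff(M, bar_matrix(M)))


def closed_form(n, r):
    """The closed form stated in the text for ||S_r - bar(S_r)||_c."""
    if 2 * r < n:
        return Fraction(r * (r - 1), n * (n - 1))
    return Fraction((n - r) * (n - r - 1), n * (n - 1))


if __name__ == "__main__":
    n = 8
    for r in range(n + 1):
        print(r, dirac_norm(n, r), closed_form(n, r),
              "in zeta(1/25)" if in_zeta(dirac(n, r), n, Fraction(1, 25)) else "")
```

Because every value is a `Fraction`, the comparison between the brute-force c-norm and the closed form is exact rather than a floating-point approximation.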


The initial seed $\Phi_0$ of the process is taken from any predefined subset of ζ(α) that can be enumerated algorithmically. In the present embodiment, we consider for instance the subset of all convex linear combinations of Dirac distributions that remain in ζ(α).





$$\sigma_1=\mathrm{Id}_{\mathfrak{S}_n}$$

$$\Phi_1=\Phi_0\circ\sigma_1$$


$\hat\omega_m$ attains the minimum value in:

$$\min_{\omega\in\Omega}\Bigl\langle\omega,\sum_{s=1}^m\lambda_{m,s}\Phi_s\Bigr\rangle$$

where $\{\lambda_{m,s}\}_{s\le m}$ is called the characteristic function of the DRG, satisfying $\lambda_{m,s}\ge0$ and $\sum_{s=1}^m\lambda_{m,s}=1$;


Ψ is chosen randomly in the initial subset, and it can be proven (the details are complex and are not presented in this description) that one can choose $\sigma_{m+1}$ such that:

$$\langle\hat\omega_m,\Psi\circ\sigma_{m+1}\rangle\ge\frac{C(\alpha)}{n}$$

Then we set $\Phi_{m+1}$ as:

$$\Phi_{m+1}=\Psi\circ\sigma_{m+1}$$


$\hat\omega_m$ and $\sigma_{m+1}$ can be determined (using also classical randomness regarding Ψ and $\sigma_{m+1}$) at each step by the Internal Recursive DR Distribution Generator.


Then we can use a method to combine distributions in ζ(α):


The Internal Combination Process:


We first select Ψ in ζ(α), and a set $\{\Psi_s\}_{s\in\{1,\dots,N\}}$ of «to be combined» distributions also in ζ(α). Let $\sigma_s$ be a permutation such that

$$\Delta_0(\Psi,\Psi_s\circ\sigma_s)\ge\Bigl(\frac{\alpha}{4}-O\Bigl(\frac1n\Bigr)\Bigr)^2;$$

it can be proved (the details are complex and are not presented in this description) that such a permutation always exists. Thus,








$$\Delta_0\Bigl(\Psi,\frac1N\sum_{s=1}^N\Psi_s\circ\sigma_s\Bigr)=\frac1N\sum_{s=1}^N\Delta_0(\Psi,\Psi_s\circ\sigma_s)\ge\Bigl(\frac{\alpha}{4}-O\Bigl(\frac1n\Bigr)\Bigr)^2$$

and the combined distribution is then:

$$\Phi=\frac1N\sum_{s=1}^N\Psi_s\circ\sigma_s.$$







The association of the Unitary Recursive Generation Process and the Internal Combination Process presented above gives the following description of the Internal Recursive DR Distribution Generator DRG(N, n, k) (as per [FIG. 4-400]):


The AE runs a recursive and continuous generation process in which N continuous sequences $\{\Phi^{[p]}_m\}_m$ run in parallel according to the Unitary Recursive Generation Process presented above. It can also be decided (by random decision) to update the current value of a given sequence by a combination of the current values of the sequences using the Internal Combination Process presented above. The quality of the Deep Random depends on the variety of the initial subset and also on the increasing number of steps (rounds) performed in each sequence. The Internal Recursive DR Distribution Generator should run for at least n × N steps before receiving any request from an ICM. N should be roughly equal to $\ln(n!)\sim n\ln(n)$, which represents the entropy needed to encode a member of the set of permutations $\mathfrak{S}_n$.


When an ICM requests the selection of a DR distribution from the DRG (as per [FIG. 4-410]), a final treatment is performed for the internal selection of the distribution by the Communication Interface on the Internal Recursive DR Distribution Generator (as per [FIG. 4-420]): the Communication Interface picks ([FIG. 4-430]) an integer c in {1, . . . , N}; the probability of picking c in {1, . . . , N} is $\frac{N}{c(c+1)(N+1)}$; by this, the probability of 1/c is roughly equidistributed over [0,1]. Then the AE randomly selects c sequences among the N ([FIG. 4-430]) and elects as its distribution Φ the linear combination

$$\frac1c\sum_{r=1}^c\Phi^{[p_r]}_{m_r(t)};$$

where t is the instant of execution of this process, $\{p_1,\dots,p_c\}$ are the indices of the c selected sequences, and $m_r(t)$ is the current value of the counter of the sequence $\Phi^{[p_r]}$ at the instant of execution. The justification of this process is that the final distribution should lie in an almost convex subset, and thus should also have its α-parameter in a convex segment. Indeed, the Dispersion step (step 2) of the Perfect Secrecy Protocol presented hereafter uses the convex transformation

$$\Phi\mapsto\frac12(\Phi+\Psi),$$

and this transformation lowers the α-parameter; a linear convex transformation with c summed distributions roughly lowers the α-parameter by a multiplicative constant 1/c. Of course, even if this process then makes it possible to trustfully apply the hypotheses (H) and (H′) presented in the summary of the invention, the price to pay is that it introduces some low-probability occurrences in which the opponent can win with the separable strategy

$$\omega=\frac{k\,|i|\,|j|}{n^2}$$

because, by lowering the α-parameter, the elected distribution comes closer to a symmetric one. Those low-probability occurrences thus correspond to the case of large values of c, which is roughly equivalent to low values of the α-parameter.


Ultimately, the elected distribution Φ is also transformed (still within interaction [FIG. 4-420]) by a permutative sleeking transform:

$$\Phi\mapsto T_\gamma[\Phi]\triangleq\sum_{\sigma\in\mathfrak{S}_n}\gamma(|\sigma|)\,\Phi\circ\sigma$$

where γ, called a permutative sleeking kernel, is a function $\mathbb{N}_n^*\to[0,1]$ (note that it is impossible that |σ|=1, and thus the component for 1 can be ignored) that satisfies:

$$\sum_{\sigma\in\mathfrak{S}_n}\gamma(|\sigma|)=1$$

This final transform is necessary to «smooth» the Dirac distributions and avoid specific prevarication (the technical details are too complex to be presented in this description). The permutative sleeking kernel γ is chosen as a configuration parameter of the DRG.


The explanation about the design of Unitary Recursive Generation Process within this specific embodiment DRG(N, n, k) is the following:


With an infinite counter privately executed within the Internal Recursive DR Distribution Generator, the moments m and m+1 are indistinguishable for the opponent ξ. If a set $\Omega_m$ of winning strategies at moment m exists for ξ, then for any probability distribution Φ:

$$\frac{1}{|\Omega_m|}\sum_{\omega\in\Omega_m}\langle\omega,\Phi\rangle\ \ge\ \Bigl\langle\frac{1}{|\Omega_m|}\sum_{\omega\in\Omega_m}\omega,\ \Phi\Bigr\rangle$$

and thus, by choosing at moment m+1 the probability distribution $\Phi_{m+1}$ such that:

$$\frac{1}{|\Omega_m|}\sum_{\omega\in\Omega_m}\langle\omega,\Phi_{m+1}\rangle\ \ge\ \frac{C}{n}$$

(which is always possible as explained above), the AE guarantees, provided that

$$\frac1k<C,$$

that no absolute winning strategy exists to estimate

$$\frac{x\cdot y}{nk},$$

because the moment of observation cannot be determined by the opponent as being m rather than m+1.


On the other hand, by denoting

$$V_A=\frac{x\cdot j}{n},\qquad V_B=\frac{i\cdot y}{n},$$

where x,y are experiments from Φ, it can be calculated that:

$$E\Bigl[\Bigl(V_A-\frac{x\cdot y}{nk}\Bigr)^2\Bigr]=E\Bigl[\Bigl(V_B-\frac{x\cdot y}{nk}\Bigr)^2\Bigr]\le\frac{1}{nk}\qquad (E)$$

This process is indeed generating Deep Randomness, because if it were not, the opponent would be able, by Bayesian inference, to estimate

$$\frac{x\cdot y}{nk}$$

from the public information i,j with the same accuracy as $V_A$ or $V_B$.


ii) Description of a Specific Embodiment of Perfect Secrecy Protocol


FIG. 2 shows an embodiment of Perfect Secrecy Protocol 𝒫(λ, θ, N, n, k) in block diagram form, where (λ, θ, N, n, k) are public parameters of the protocol, set up between the corresponding entities denoted A and B.


A and B are two AE, called the legitimate partners, each equipped with a DRG and an ICM. Both ICM are connected to the errorless public channel, so that A and B can publish on the channel, and read the information published by the other party.


The steps of the protocol 𝒫(λ, θ, N, n, k) are the following:


Step 1—Deep Random Generation:


A and B both independently run a recursive generation sequence of Deep Random probability distributions [FIG. 2-200] using typically a DRG(N, n, k) as described above in subsection 5.i). A and B desire to enter into secure communication and start the protocol by both picking independently the respective probability distributions Φ and Φ′ by requesting their DRG(N, n, k) as per [FIG. 2-210&211&213&214, FIG. 4-410&420]. The result of this step is that A (resp. B) draws the parameter vector x0∈[0,1]n from Φ (resp. y0∈[0,1]n from Φ′), and stores x0 (resp. y0) in the Internal Memory of its DRG as per [FIG. 4-440].


Step 2—Dispersion:


A also picks a second probability distribution Ψ from its DRG(N, n, k) as per [FIG. 2-210&211&213&214]. Ψ is used to scramble the repeated draws of Φ. A requests its DRG(N, n, k) to draw N parameter vectors {x1, . . . , xN}∈{[0,1]n}N from ½(Φ+Ψ). B draws N parameter vectors {y1, . . . , yN}∈{[0,1]n}N from Φ′. A (resp. B) stores {x1, . . . , xN} (resp. {y1, . . . , yN}) in the Internal Memory of its DRG as per [FIG. 4-440].


Step 3—Degradation:


A generates N+1 Bernoulli experiment vectors {i0, . . . , iN}∈{{0,1}n}N+1 respectively from

$$\Big\{ \frac{x_0}{k},\ \dots,\ \frac{x_N}{k} \Big\}$$

as per [FIG. 2-210&211, FIG. 4-430&441]. A publishes {i0, . . . , iN} as per [FIG. 2-220].


Step 4—Synchronization:

B reads {i0, . . . , iN} from the public channel as per [FIG. 2-221] and calculates a synchronization permutation $\sigma_B = \sigma_B[\{i_s\}^*, \{y_s\}^*] \in \mathfrak{S}_n$ that satisfies the condition:

$$\operatorname{Card}\Big\{ s \in \{1,\dots,N\} \ \Big|\ \Big( \frac{|i_s|\,|y_s|}{n^2} - \frac{i_s \cdot \sigma_B^{-1}(y_s)}{n} \Big)^2 \ge \frac{\theta}{n} \Big\} \;\ge\; \lambda N$$

and then generates a Bernoulli experiment vector $j_0 \in \{0,1\}^n$ from

$$\frac{\sigma_B(y_0)}{k}.$$

B publishes j0 as per [FIG. 2-230&231&232&240].


Step 5—Advantage Distillation:


A reads j0 from the public channel as per [FIG. 2-241] and calculates

$$V_A = \frac{x_0 \cdot j_0}{n}$$

as per [FIG. 2-253&254&255, FIG. 4-412&441&442], and B calculates

$$V_B = \frac{i_0 \cdot y_0}{n}$$

as per [FIG. 2-250&251&252, FIG. 4-412&441&442].

Step 6: classical reconciliation and privacy amplification techniques bring the estimations of the legitimate partners as close as desired to perfect agreement, and the knowledge of any unlimitedly powerful opponent as close as desired to zero.
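Steps 3 and 5 above, as an added simulation that is not the patent's own code: it starts from x0 and y0 already drawn (steps 1 and 2 are not modelled), assumes σ_B is the identity so that step 4 is skipped, and compares the partners' estimates V_A and V_B against the bound (E) and against the opponent's separable strategy k|i0||j0|/n². All sample vectors are constructed.

```python
import random

def bernoulli_vector(p, rng):
    """One Bernoulli experiment per coordinate: bit l is 1 with probability p[l]."""
    return [1 if rng.random() < q else 0 for q in p]

def degrade(x, k, rng):
    """Degradation (step 3): draw the public vector from x/k, so bit l is set
    with probability x_l/k and the public bits reveal x only through a noisy view."""
    return bernoulli_vector([q / k for q in x], rng)

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def target(x, y, k):
    """The quantity both partners estimate: x.y/(nk)."""
    return dot(x, y) / (len(x) * k)

def advantage_distillation(x0, y0, i0, j0):
    """Step 5: A computes V_A = x0.j0/n from B's public j0, B computes V_B = i0.y0/n."""
    n = len(x0)
    return dot(x0, j0) / n, dot(i0, y0) / n

def separable_strategy(i0, j0, k):
    """Opponent's separable estimate k|i0||j0|/n^2, built from the public bits only."""
    n = len(i0)
    return k * sum(i0) * sum(j0) / (n * n)

def mean_square_errors(x0, y0, k, trials, seed=1):
    """Monte Carlo estimates of E[(V_A - t)^2], E[(V_B - t)^2] and the opponent's
    error, with t = x0.y0/(nk); the partners' errors must stay below 1/(nk) (E)."""
    rng = random.Random(seed)
    t = target(x0, y0, k)
    err_a = err_b = err_opp = 0.0
    for _ in range(trials):
        i0, j0 = degrade(x0, k, rng), degrade(y0, k, rng)
        v_a, v_b = advantage_distillation(x0, y0, i0, j0)
        err_a += (v_a - t) ** 2
        err_b += (v_b - t) ** 2
        err_opp += (separable_strategy(i0, j0, k) - t) ** 2
    return err_a / trials, err_b / trials, err_opp / trials

if __name__ == "__main__":
    # Constructed input: a vector far from its symmetric projection (first half of
    # the coordinates set, second half zero), with n = 64 and k = 2.
    x0 = [1.0] * 32 + [0.0] * 32
    print(mean_square_errors(x0, x0, 2, 2000), "bound (E):", 1 / (64 * 2))
```

With x0 = y0 far from symmetric, the separable strategy is biased towards |x||y|/n² while V_A and V_B stay within the bound 1/(nk), which is the advantage the protocol distils.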


It can be proved (the details are complex and are not presented in this description) that an appropriate choice of the parameters (λ, θ, N, n, k) makes steps 4 and 6 possible. The use of Deep Random as described in steps 1 and 2 restricts the strategies of the opponent as follows:


The dispersion step of the protocol restricts the opponent to the set of strategies ω_{j0,i0} that depend only on the public information j0, i0.

The synchronization step further restricts to the set of strategies such that $\omega_{i,j} = \omega_{\sigma(i),\sigma(j)}$, $\forall \sigma \in \mathfrak{S}_n$, in other words strategies invariant under a common permutation of i0, j0. Both restrictions lead to the restricted set of strategies Ω#:

$$\Omega^\# = \Big\{ \omega \in [0,1]^{2^{2n}} \ \Big|\ \omega_{i,j} = f(|i|,|j|,i \cdot j),\ \forall f : \{0,\dots,n\}^3 \to [0,1] \Big\}$$


Step 4 is necessary to ensure that the opponent cannot take advantage of the independence between the selection of Φ and Φ′ by A and B, which could otherwise let him efficiently estimate

$$\frac{x \cdot y}{nk}$$

by using the strategy

$$\frac{k\,|i_0|\,|j_0|}{n^2}.$$

Thanks to the synchronization step, such a strategy becomes inefficient, because of the nature of the initial seed Φ0 used in the DRG(N, n, k). The repeated draws of Φ are used to synchronize Φ and Φ′, but they should not help to gain knowledge on Φ. This is the role of dispersion in step 3.


It is important to remark that the calculation of $\sigma_B = \sigma_B[\{i_s\}^*, \{y_s\}^*]$ at step 4 only relies on the indices s ∈ {1, …, N}, so excluding 0. Indeed, the choice of σ_B must remain independent from i0, so that i0 and j0 remain draws of independent Bernoulli random variables, which allows the above upper bound (E) to be applied for the legitimate partners.


The explanation for this embodiment is the following: it can be proved (the details are complex and are not presented in this description) that, whatever the opponent's strategy ω in the restricted set Ω#:

$$E\Big[\Big(\omega - \frac{x \cdot y}{nk}\Big)^2\Big] \;\ge\; \frac{C'}{n}$$

where C′ is a constant. On the other hand, we still have:

$$E\Big[\Big(V_A - \frac{x \cdot y}{nk}\Big)^2\Big] = E\Big[\Big(V_B - \frac{x \cdot y}{nk}\Big)^2\Big] \;\le\; \frac{1}{nk} \qquad (E)$$

and thus, provided that

$$\frac{1}{k} < C',$$

an Advantage Distillation is obtained at step 5.


It is also obtained in the theoretical analysis that N should be roughly equal to ln(n!) ~ n ln(n), to obtain a satisfying probability of matching the synchronization criterion at step 4 with the choice of σ_B.


6. INDUSTRIAL APPLICATION

An industrial embodiment of a Perfect Secrecy Protocol enables two entities communicating over an insecure communication channel to generate commonly and exclusively a secure shared information. This information can be of any desired size (by repetition of the protocol); it can be used to exchange a meaningful message securely between the legitimate partners, either directly (one time pad XOR) or by exchanging a symmetric cryptographic key applicable with any block or stream cipher.


Thus it can be used to secure very sensitive communication for which the security of unproven cryptographic methods may appear as not sufficient.


Such an embodiment can be realized in the form of software programs, which can be embedded in communication devices or IT applications. It can also be embedded in dedicated cut-through tamper resistant secure communication devices.

Claims
  • 1) A method based on a communication protocol over an insecure public communication channel, such that two communicating entities, called A and B or jointly the legitimate partners, initially sharing no common secret information, can exchange a secret common information. Such a method is made possible by three characteristics: (i) both entities are capable of generating a source of randomness, called Deep Random Generator (DRG) and adapted to a given communication protocol, such that the probability distribution of that source is unknown and indistinguishable from any other within a set of probability distributions A for A (resp. B for B) by any entity other than the one that generates the said source of randomness, thus preventing any reliable estimation based on Bayesian inference, the said generator being possibly implemented (a) by generating recursively and continuously at each new step a new probability distribution that defeats the optimal inference strategy corresponding to the distributions of the previous steps in the context of a local emulation of the said communication protocol, or (b) by using probability distributions executed within a tamper resistant environment, or (c) by a combination of several sources of Deep Randomness of type (a) or (b); (ii) both entities perform a communication protocol associated to the said DRG, involving a degradation of the secret information generated by its DRG, also called output signal of the DRG, before the degraded said output signal is used to generate a signal that can be published by the partner, in order to make a Bayesian inference process necessary to restore the output signal of the DRG from the published signal, the said protocol then enabling each partner to calculate an estimation, called respectively VA and VB, of the shared secret signal, the said protocol being designed such that an opponent having full knowledge of all information exchanged between the two entities over the insecure communication channel can at best generate an estimation that is strictly less accurate than VA or VB thanks to (a) the said degradation, and (b) under the assumption that the probability distributions generated by A and B are indistinguishable respectively over A and B; (iii) once the advantage between the legitimate partners has been generated as described above, the said protocol is completed by a classical reconciliation and privacy amplification process to ensure that the estimations from the legitimate partners can become as close as desired to equality, and that the estimation from the opponent can become as close as desired to total uncertainty.
  • 2) A method as described in claim 1, and associated to a classical secret key encryption method in such a way that the estimated secret shared information enables each partner to generate the secret key that is to be used in the said encryption method to further exchange information securely.
  • 3) A method as described in claim 1, and repeated several times to generate a one time pad message S shared between A and B and such that, (i) say A can combine S by XOR operation, or any other bijective combination, to a plaintext message M, (ii) A can send to B the result of the combination between S and M, (iii) B can obtain the message M by performing the reverse combination method using its calculation of S.
  • 4) A method as described in claim 1, further comprising an authentication method between A and B to authenticate each sender of a message within the protocol, and thus making the said method also resistant to an active opponent capable of forging and sending messages over the insecure communication channel.
  • 5) A method as described in the methods of claim 1, used to exchange securely the parameters of a probability distribution produced by a DRG, from an entity running a DRG said of level 1 to an entity running a DRG said of level 2, the said distribution then being possibly combined with other distribution within the DRG of level 2.
  • 6) A method as described in claim 1, such that the protocol is more specifically organized in 6 steps: (1) in a first step, said Deep Random generation step, A and B each select a probability distribution produced by their DRG taking values in [0,1]n, Φ for A and Φ′ for B, the said DRG being designed in such a way that they only produce distributions that are far from their symmetric projection, meaning for Φ far from
  • 7) A method of Deep Random Generation purposed to be used in order to execute a method as described in claim 6, characterized by the fact that it more specifically relies on 4 processes: (i) an Internal Recursive DR Distribution Generator (IRDRG) that executes in a continuous and recursive manner, in such a way that at each step m+1, the said process generates a probability distribution Φm+1 with values in [0,1]n far from its symmetric projection, e.g.
  • 8) A network communication apparatus for securely exchanging information as described in the methods of claim 1, comprising a tamper resistant DRG and an Interactive Communication Module (ICM) requesting the DRG and performing the protocol. Such an apparatus is able to perform the protocol in either of the roles A or B, so that two such apparatus operated by two entities A and B, each using it in its respective role, are able to perform the protocol between A and B.
  • 9) An apparatus to generate Deep Randomness, associated to an Interactive Communication Module (ICM) performing a method as described in the method of claim 1, and such that (i) the method for Deep Random Generation relies on a continuous and recursive process generating at each new step a probability distribution that defeats the optimal estimation strategy corresponding to the previous step, for the protocol executed by the ICM, and (ii) the signal generated by the Internal Recursive DR Distribution Generator (IRDRG) can remain kept inside a tamper resistant container of the apparatus, and such that only generation, computation, and suppression operations related to the signal generated by the IRDRG can be requested from the outside by an associated external ICM.
  • 10) An apparatus to generate Deep Randomness, purposed to be used in order to execute a method as described in claim 6, characterized by the fact that it comprises 4 modules: (i) an Internal Recursive DR Distribution Generator (IRDRG), (ii) a communication interface, (iii) an Internal Standard Random Generator; and (iv) an Internal Memory, the said modules being (a) protected inside a tamper resistant container of the apparatus, (b) manufactured and embodied in such a way that they enable a Deep Random Generation method as described in claim 7, and (c) capable of executing the protocol of the method described in claim 6, in either of the roles A or B, so that two such apparatus operated by two entities A and B, each using it in its respective role, are able to perform the protocol between A and B.
Priority Claims (1)
Number Date Country Kind
15/00759 Apr 2015 FR national
PCT Information
Filing Document Filing Date Country Kind
PCT/FR2016/000070 4/6/2016 WO 00