**How encryption works and what are the new models allowed by AI**

A continuous search is underway for cryptographic models that allow a fair balance between large amounts of data and privacy, to allow companies to use the data collected without compromising confidentiality and privacy.

Alberto Stefani

Data Protection Officer, Cybersecurity Consultant

1. HOME

2. ARTIFICIAL INTELLIGENCE

3. How encryption works and what are the new models allowed by AI

May 18, 2021 ARTIFICIAL INTELLIGENCE

Since the time of Julius Caesar, cryptography has played a fundamental role in trying to protect data hidden within a text. Cryptography and steganography (a technique that aims to hide the communication between two interlocutors) perhaps within an image therefore have very ancient origins. These methodologies have evolved over the centuries that have gone hand in hand with the evolution of human knowledge and the level of technology available.

If in the past, until the Second World War, cryptography was a science applied to implement military plans and hide messages of strategic importance, today with the advent of AI (artificial intelligence) and big data it is experiencing a new phase with totally different things such as privacy and personal data protection. This objective is naturally contemplated within the GDPR which in article 32 in relation to the security of processing states: “Taking into account the state of the art and the implementation costs, as well as the nature, object, context and purposes of the treatment, as well as the risk of varying probability and gravity for the rights and freedoms of natural persons, the Data Controller and the Data Processor implement adequate technical and organizational measures to guarantee a level of security adequate to the risk, which they include, among others: pseudonymisation and encryption of personal data ”.

Topic Index:

• 1 Modern Cryptography History

• 2 The GDPR leaves freedom of choice

• 3 How encryption works

or 3.1 What is a cryptogram or coded message

• 4 Encryption, what it is for and advantages

• 5 How to encrypt a file

• 6 Various types of encryption

• 7 Differences between symmetric, asymmetric, end to end and other cryptography

o 7.1 Symmetric encryption

or 7.2 Asymmetric encryption

o 7.3 End-to-End Encryption

o 7.4 Homomorphic encryption

o 7.5 Zero-knowledge protocol encryption

• 8 What is quantum cryptography

• 9 Applications of cryptography

o 9.1 Email

o 9.2 HTTPS protocol

or 9.3 Whatsapp

• 10 Conclusions

Modern cryptography history

If we were to find a father of modern cryptography or a thinker who first laid the mathematical and scientific foundations that allowed the development of computer science, this would surely be Alan Mathison Turing, born in 1912, a scholar without whose contribution the Nazi dominance in World War II would have had a dominance with unexpected implications.

In fact, Turing worked during those terrible years at Bletchley Park, the main cryptanalysis center in the United Kingdom, where he devised a series of techniques for breaking German ciphers. Among the most important inventions we must undoubtedly remember the electromechanical machine “The Bomb” capable of decoding the codes created by the Enigma cryptographic machine used by the Germans.

Turing’s epilogue was very sad: he committed suicide at the age of 41, following the persecution suffered by the British authorities because of his homosexuality with him. To get to know the life of this unrivaled cryptographic genius in depth, I recommend the substantial biography written by Andrew Hodges “Alan Turing: the story of an enigma” which also inspired the 2014 film “The Imitation Game” on the life of the mathematician and on the birth of “The Bomb” considered the first computer in history. But back to us, let’s try to delve into the current use of cryptography which perhaps, unbeknownst to most, accompanies us every day.

The GDPR leaves freedom of choice

In the GDPR, therefore, the types or methods of encryption to be used are not indicated but full freedom of action is left to the data controller who may decide to organize the encryption of the data in the manner he deems most appropriate.

The future leaves ample room for maneuver in the use of encryption as a method of protecting the privacy of personal data. Vast scenarios open up where companies are given the opportunity to use personal data, even of a particular type, previously made anonymous by appropriate cryptographic methods.

The offer and use of these methodologies continue to increase as do the companies and startups that are born in order to offer the market their own solution based essentially on the coordinated use of artificial intelligence, big data and privacy. When talking about these topics, it is always good to observe the methodologies adopted by various countries that strive to implement, according to their own regulations, the privacy of their citizens with the use of the latest technologies

How encryption works

By cryptography we mean a technique of representing a message in a form such that the information contained in it can only be received by the recipient.

This is achieved with two different methods: by concealing the very existence of the message or by subjecting the text of the message to transformations that make it incomprehensible. Cryptographic techniques consist in representing the elements of a message (plain text), by means of the elements of another system of symbols, code alphabet, obtaining a message in code or cryptogram.

To transform a plaintext message into a cryptogram it is necessary to define rules that determine a class of transformations. The one actually adopted is identified by the value assumed by a parameter called key, on whose secrecy the security of the cryptographic system is based.

What is a cryptogram or coded message

A code is a cryptographic system in which the elements of the plaintext are words or phrases that are replaced by groups of letters or digits, generally of a fixed length, while a cipher is a system in which the elements of the plaintext are the single characters.

Modern cryptographers stress that the security of cryptographic methods should not depend on the secrecy of the encryption method (or algorithm), but only on the secrecy of the keys. Secret keys must not be disclosed when comparing plaintext and ciphertext, and no one should be aware of the key. Modern algorithms are based on mathematically difficult problems, for example, factorization of prime numbers, discrete logarithms, etc. There is no mathematical proof that these problems are actually difficult, but only and exclusively empirical proof.

Modern cryptographic algorithms are too complex for humans to perform. Today’s algorithms are performed by computers or specialized hardware devices and in most cases are implemented by software installed inside the terminals.

Enigma, one of the first machine to encrypt messages, used during the Second World War

The design of secure systems using cryptographic techniques focuses primarily on the protection of (secret) keys. Keys can be protected by encrypting them with other keys or physically protecting them, while the algorithm used to encrypt the data is made public and subjected to intense scrutiny.

When cryptographers choose an effective encryption method (a code), they can patent it as an intellectual property and earn royalties when their method is used in commercial products.

Encryption, what it is for and advantages

The spread of technology and mass communication methods such as email, instant messaging, banking transactions and many other applications have acquired an increasingly central role in everyone’s life. Every day billions of pieces of information, some of which are very relevant to each of us, are circulating on the net.

For these and other even more important reasons, the development of sophisticated systems capable of guaranteeing a high level of secrecy of some of these data has become fundamental.

Among the various implementations, cryptography has been able and continues to guarantee transfers of secure information, making understanding possible only and exclusively for those directly involved after authentication of the sender and recipient.

When we talk about authentication, we mean any process by which certain information is tried and verified. Sometimes you may want to verify the origin of a document, the sender’s identity, the time and date a document was sent or signed, the identity of a computer or user and so on. For example, a digital signature is a cryptographic means by which many of these can be verified. The digital signature of a document is information based both on the document and on the private key of the signatory.

Another use that can be implemented is the time stamp (timestamp), a technique that can certify the existence or delivery of a certain document or electronic communication at a certain time.

The timestamp uses an encryption model called a blind signature scheme. In cryptography, blind signatures are a form of digital signature in which the content of a message is hidden before being signed. The message is then signed blindly, as the signer does not know the content of the message.

Blind signatures are used in privacy protocols where the signer and the author of the message are different, for example they are widely used in the field of e-voting (electronic voting) and e-cash (electronic money). Blind-signed schemes allow the sender to receive the receipt of a message from another party without revealing any information about the message to the other party.

Another important feature of the timestamp is the indication of the time, very similar to sending a registered letter by post, but provides an additional level of proof. It can prove that a recipient has received a specific document. Possible applications include patent applications, copyright archives and contracts. Time stamping is a fundamental application that helps make the transition to electronic legal documents possible.

How to encrypt a file

Encrypting a file using a password is often very useful, and in fact, there are plenty of software that can do this for us. Encryption is recommended when the content of the document must remain confidential even in the event of making some mistake, perhaps by sending the file to the wrong recipient via email.

Hence the possibility, through encryption and the use of passwords, to achieve minimum security objectives on our communications. Currently, most of the communications that take place on the network are encrypted communications and there are many communication protocols that guarantee the security of the information sent and received. Of course, the apps installed on our smartphones are also powerful encryption machines. Let’s see some of the most known and used systems.

Various types of encryption

Let’s start by distinguishing the types of encryption based on symmetric or asymmetric encryption, taking the basic terminologies of the subject for granted. For those who are passionate about the subject and want to read up on evolution, I recommend Simon Singh’s “Codes & Secrets” which tells the story of encrypted messages from ancient Egypt to the Internet.

When a single key is present we speak of symmetric key or secret key cryptography (the sender’s key and the recipient’s key are the same), when instead there are two distinct encryption keys we speak of asymmetric key or public key cryptography ( the encryption key is public, while the decryption key is private).

Differences between symmetric, asymmetric, end to end and other cryptography

Below we will try to better understand the most used encryption methods and their uses. Let’s start by distinguishing the types of encryption based on symmetric or asymmetric encryption, taking the basic terminologies of the topic for granted.

When a single key is present we speak of symmetric key or secret key cryptography (the sender’s key and the recipient’s key are the same), when instead there are two distinct encryption keys we speak of asymmetric key or public key cryptography ( the encryption key is public, while the decryption key is private).

Symmetric encryption

Symmetric cryptography therefore involves the use of a single key both to hide the message and to unlock it and is relatively fast and simple to implement compared to other types of encryption (such as asymmetric).

The most popular algorithm used today in symmetric key cryptography is called Advanced Encryption Standard (AES). It was developed in the late 1990s by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, at the request of the National Institute of Standards and Technology and became a public standard in late 2001.

In 2003, the US National Security Agency approved 128-bit AES to protect all government information classified as secret and 192 and 256-bit AES for so-called top secret documents. The main disadvantage of symmetric key cryptography is that all parties involved must exchange the key used to encrypt the data before it can be decrypted.

Asymmetric encryption

Asymmetric algorithms use two interdependent keys, one to encrypt data, and the other to decrypt it. One private and one public. If one key is used for the encryption operation, the other must be used for decryption and vice versa. As you can guess from the names themselves, the private key is known only by the owner, it must be kept secret and must not be shared with anyone else, while the public key is shared by all interlocutors.

The fact of being aware of the public key does not allow us to trace the private key in any way. One of the most used examples is the Rivest, Shamir, Adleman (RSA) algorithm created in 1977 by the three MIT researchers whose name it bears: often used in e-commerce protocols such as SSL, RSA is considered secure because of the sufficiently strong keys. lengthy and use of up-to-date implementations.

In recent years, cryptography has been enriched with numerous implementations introducing new concepts such as homomorphic cryptography and zero-knowledge protocol cryptography allowing companies to overcome traditional concepts of privacy and allowing companies to use large amounts of data through intelligence. artificial to extract the necessary information without violating data privacy. So let’s think about what potential the use of huge databases can have, for example in the medical sector and health research, in order to create useful models through the use of AI.

The combination of big data combined with the use of artificial intelligence in respect of privacy through cryptography may seem like a daydream even for experts in the sector, but today it can be considered a reality on which to base future evolutions.

End-to-end encryption

End-to-end encryption (E2E) is a secure communication method that prevents third parties from accessing data as it is being transferred from one end device to another.

In E2E, the data is encrypted on the sender’s system or device and only the recipient is able to decrypt it. No one in between, be they an internet service provider or a hacker, is able to read or tamper with it.

The cryptographic keys used to encrypt and decrypt messages are stored exclusively on the end points, a trick made possible thanks to the use of public key cryptography. Although key swapping in this scenario is considered indestructible using known algorithms and currently achievable computing power, there are at least two potential weaknesses that exist outside of mathematics.

First, each endpoint must obtain the public key of the other endpoint, but a potential attacker who could provide one or both endpoints with the attacker’s public key could perform a man-in-the-middle attack. Furthermore, all safeties are canceled if one of the end points has been compromised so that the attacker can see the messages before and after they have been encrypted or decrypted.

The method generally used to ensure that a public key is in fact the legitimate key created by the intended recipient is to embed the public key in a certificate that has been digitally signed by a well-recognized certification authority.

Since the public key of the certification authority is widely distributed and generally known, its veracity can be relied upon and a certificate signed by that public key can be assumed to be authentic. Since the certificate associates the recipient’s name and the public key, presumably a certification authority would never sign a certificate that associates a different public key with the same name.

Homomorphic encryption

Homomorphic encryption (from English homomorphic encryption or simply HE) is a type of encryption based on techniques that allow the manipulation of encrypted data. For example, having two numbers X and Y (encrypted with the same homomorphic algorithm starting from two numbers A and B) it is possible to calculate the encryption of the sum of A and B by adding X and Y directly, without the need for decryption.

Homomorphic cryptography is divided into various types, two of the most important are: partially homomorphic cryptography (PHE) and fully homomorphic cryptography (FHE). The first can process only one type of operation, typically addition or multiplication. While the second can process all the necessary operations, for example the boolean functions AND, OR, NOT.

With increasing use of cloud computing, which allows a wide range of data to be shared and used between multiple operators, the demand for performing arithmetic operations on encrypted personal data, allowing data to be used without disclosing it, is continuously increasing. , making it advisable to seek safe and feasible solutions.

The main idea behind homomorphic cryptography is that the deductions made on the basis of the calculations of the encrypted data should be accurate as if using plaintext data. The notion of homomorphism implies the possibility of carrying out computation, understood as algebraic composition, of both encrypted and unencrypted data.

Zero-knowledge protocol encryption

In cryptography, the zero-knowledge protocol is an interactive method used by one subject to demonstrate to another subject that a (usually mathematical) statement is true, without revealing anything other than its veracity.

A company that uses zero-knowledge encryption provides the organization with the ability to store and manage encrypted data without accessing the encryption keys.

The zero-knowledge protocol is undoubtedly one of the most fascinating concepts in cryptography. The guarantee of total anonymity protection opens the door to countless applications, not only in the field of cryptocurrencies.

The principle on which the zero-knowledge protocol technique is based is very simple: a subject (prover) must demonstrate to another subject (verifier) that he knows a certain x value, without transmitting the x value itself. The prover subject is essentially the one who must provide the proof of knowledge, while the verifier is the one who must perform the knowledge check in proving the knowledge of a certain information without revealing it. In order for it to be considered as such, the following three fundamental properties must be satisfied:

completeness: it means that a verifier who acts correctly (ie following the rules of the protocol) will be able to consider the test passed if it is provided by an honest prover too;

solidity: if the proof provided by the prover is false, the prover himself will have no chance (except for a very low probability) to fool an honest verifier into believing that the proof is true;

zero knowledge: if the proof is true, no verifier can derive any kind of information from it, other than making sure that the proof itself is true. In other words, the mere fact of knowing the evidence (and not the information that you want to keep secret) is sufficient to determine if the prover is aware of the secret.

We can therefore state that if completeness and solidity are

properties common to many interactive proof of work (PoW) techniques, zero knowledge is the key factor that transforms the verification process into a zero-knowledge proof.

What is quantum cryptography

Quantum cryptography draws on ideas that derive from quantum physics. The developments of this discipline, in fact, make it possible – at least in a theoretical way – the creation of a computer of a different type than the classical ones, the so-called quantum computer which, due to its calculation characteristics, would make any current cryptographic system vulnerable, putting in place danger civil, military, banking and other security systems. But the same concepts on which the quantum computer is based can lead to the conception and implementation of quantum cryptographic systems that are absolutely unassailable even by a possible quantum computer, with the additional ability to discover if any malicious people have tried – even without completely succeeding – to intrude illegally. in a confidential communication.

The first ideas of quantum cryptography can be traced in a contribution by S. Wiesner around 1970, published only in 1983 as it was rejected by various scientific journals that did not understand its innovative value. These ideas were then taken up by C. H. Bennett and G. Brassard around 1980. They elaborated a protocol for the quantum distribution of keys, today called the BB84 protocol as the related article dates back to 1984.

Unlike the quantum computer, which for the moment is only theory, quantum cryptography is a reality. C. Bennet and J. Smolin, in 1988 created the first system for sending keys using the BB84 protocol. At that moment, they were able to send messages at a distance of a few centimeters. Using optical fibers, it has been possible to send messages over greater distances. In 1995, for example, researchers from the University of Geneva were able to send numeric keys with the BB84 protocol over a distance of 23 kilometers.

Applications of cryptography

Below we see some practical applications of cryptography that are the basis of the operations we carry out every day in front of our smartphones or PCs.

E-mail

Email encryption is a method of protecting the content of emails from anyone outside of the conversation trying to get a participant’s information. In its encrypted form, an email is no longer legible. Only with the private email key can these be unlocked and decrypted in the original message.

Each user with an e-mail address has a key pair associated with that email address and these keys are required to encrypt or decrypt an email. One of the keys is known as a “public key” and is stored on a key server where it is linked to the name and email address and is accessible to anyone. The other cryptographic key is your private key, which is not shared publicly with anyone.

When an email is sent, it is encrypted by a computer using the public cryptographic key and the content of the e-mail is transformed into a complex and indecipherable scramble, very difficult to decrypt. This public key cannot be used to decrypt the sent message, only to encrypt it. Only the person with the appropriate matching private key has the ability to decrypt the email and read its contents.

The connection between email providers can be encrypted, preventing external attackers from finding a way to intercept incoming or outgoing emails as they travel between servers.

Old or archived emails that are already stored on your email client should also be encrypted to prevent attackers from potentially gaining access to emails that are not currently in transit between servers.

HTTPS protocol

HTTPS (Hypertext Transfer Protocol Secure) is an Internet communication protocol that protects the integrity and confidentiality of data exchanged between computers and sites. Users expect the use of an online website to be done in a secure and private way.

The differences between HTTP and HTTPS are not many, quite the opposite. As can also be seen from the name of the two protocols, the only real difference lies in the greater security of data and personal information that the second provides compared to the first.

The HTTPS protocol exploits two different IT security implementations that make up the Transport Layer Security. On the one hand, using TLS certificates issued by third party verifiers (and comparable to identification documents), it certifies the real “identity” of the portal and allows the user to avoid being the victim of a phishing attack. On the other hand, using advanced encryption protocols, it encrypts the communication between the server and the end user, preventing hackers from stealing the information sent and received, which can range from email credentials to bank account or credit card data.

Whatsapp

WhatsApp uses the “Signal” protocol for encryption, which uses a combination of asymmetric and symmetric cryptographic key algorithms. Symmetric key algorithms ensure confidentiality and integrity, while asymmetric key cryptographic algorithms help achieve the other security objectives, namely authentication.

WhatsApp uses the algorithm based on Curve25519. The story of Curve25519 is noteworthy as it was introduced after concerns over allegations that certain parameters of the previously prevailing NIST P-256 standards had been manipulated by the US National Security Agency (NSA) to more easily slip into some conversations.

The Elliptic Curve Diffie Hellman algorithm is a mathematical algorithm that helps two communicating entities agree on a shared secret without actually sending the actual keys to each other.

The security of WhatsApp communications is certain but there are exceptions. More than any other app, WhatsApp offers greater privacy thanks to end-to-end encryption that encodes messages to ensure that only us and the person you are communicating with can read your messages or listen to your calls, but the messages of WhatsApp (which include videos and photos) are vulnerable before being encrypted and after being decrypted if a hacker managed to drop spyware on our phone.

Of course, even in the world of instant messaging apps, including for example WhatsApp, Telegram, Signal, a wide debate has spread about which is the safest, but this could be a topic to be discussed on another occasion.

Conclusions

A continuous study of cryptographic models is underway that allows a fair balance between huge amounts of data and privacy in order to allow companies to work by collecting data, obtaining information without ever damaging the confidentiality and privacy of anyone.

COMMENT

This article talks about future quantum computers that are already a reality today and quantum cryptography which, judging by the few lines of this article, has yet to be proven that it works and that seems to only serve to transmit keys.

Furthermore, certain claims about the security of various systems have been disproved by the facts. Already in the Ethical Hacker course of 2017 they explained to me how HTTPS could be bypassed.

The security of the asymmetric key system is also called into question, in addition to possible quantum computer attacks, even with attacks on passwords and attacks with bogus certificates.

We have the patented cryptographic systems CRIPTEOS 3001 that challenge all quantum computers, even future ones, for safety and are on a par with the most powerful hackers for speed.