Note Computations with a deck of cards


Theoretical Computer Science 259 (2001) 671-678. www.elsevier.com/locate/tcs

Anton Stiglic
Zero-Knowledge Systems Inc, 888 de Maisonneuve East, 6th Floor, Montreal, Que., Canada H2L 4S8
E-mail address: anton@zeroknowledge.com (A. Stiglic)

Received May 2000; revised September 2000; accepted October 2000
Communicated by A. Salomaa

Abstract

A deck of cards can be used as a cryptographic tool (Advances in Cryptology: CRYPTO 93, Lecture Notes in Computer Science, Vol. 773, Springer, Berlin, 1994, pp. 319-330 [3]; Theoret. Comput. Sci. 191 (1-2) (1998) 173-183 [6]). Using a protocol that securely computes the Boolean AND function, one can construct a protocol for securely computing any Boolean function. This, in turn, can be used for secure multiparty computations, solitary games, zero-knowledge proofs and other cryptographic schemes. We present a protocol for two people to securely compute the AND function using a deck of 2 types of cards. The protocol needs a total of only 8 cards, thus confirming the assumption made in an open question of Crepeau and Kilian (1994) [3] about the minimal number of values that are needed for this type of computation. To our knowledge, the protocol is also the first one of its kind that does not need to make copies of the inputs. We thus prove upper bounds for this type of computation. The protocol is much simpler, uses fewer cards, and is more efficient than the ones introduced in Crepeau and Kilian (1994) [3] and Niemi and Renvall (1998) [6].

(c) 2001 Elsevier Science B.V. All rights reserved. PII: S0304-3975(00)00409-6

Keywords: Bit commitment; Cards; Cryptography; Multiparty computation; Zero-knowledge proofs

1. Introduction

Suppose Alice commits herself to a bit bA and Bob commits himself to bB. We would like Alice and Bob to be able to compute bA ∧ bB in such a way that neither one of them learns anything more than what they can deduce from their own input and the output of the computation (for example, if Alice is committed to 0, she will never know what bit Bob was committed to).

Boer [4] first introduced a now classic protocol that enables two participants to privately compute the AND function of their inputs. To be able to compute any Boolean function (see Section 6) it is necessary that the answer be in a committed format. Crepeau and Kilian came up with a solution to this problem in [3], using 4 types of cards. Later on, Niemi and Renvall proposed a solution in [6] that used only 2 types of cards. Although our solution is only linearly more efficient than the latter one (which in turn is only linearly more efficient than the one in [3]), it proves important upper bounds and may be the simplest and most efficient one that exists.

A protocol for securely computing the Boolean AND function is an important cryptographic tool with many applications: it can be used for multiparty computations, solitary games, zero-knowledge proofs and more (we discuss these later on; see also [4, 3, 1, 6]). Although the number of cards needed for the computation of a Boolean function increases only linearly with the number of gates of the circuit defining it, complex computations demand an extremely large number of cards. Only small computations of this kind can be done efficiently with cards; thus, even slight optimizations of the AND protocol are useful.

2. The model

We will be working with the following alphabet of three values: { , , ? }. Each value can be thought of as a suit in a deck of cards, ? representing a card with its face down. Let c1, c2, ..., cn be elements of the alphabet. The string c1 c2 ... cn can be considered as a deck of cards, c1 being the topmost card, c2 the second, etc. We define (c1 c2 ... cn) as the set {c1 c2 ... cn, c2 c3 ... cn c1, ..., cn c1 ... cn-1} (i.e., the set of cyclic permutations of the letters of the string c1 c2 ... cn). The shuffle operator takes the string c1 c2 ... cn to an element picked at random in (c1 c2 ... cn). Applying it to a string can be thought of as applying a cyclic shuffling of the cards represented by the string.

We will use the following coding: = 1; = 0. e will be the function which corresponds to turning a string of cards face down, and e^{-1} will be the inverse of e. We suppose that we cannot distinguish between the two suits when the cards are face down (??) or once we have applied the cyclic shuffle to them.

3. Bit commitment protocol

Say Alice wants to commit to a bit b. She simply does the following:

(1) She takes two distinct cards, shows them to Bob and then places them face down (??), i.e., she applies e. Call this string .
(2) She then computes := .
(3) She outputs it.

To reveal the secret, we simply compute e^{-1} of it (i.e., we turn over the cards).

4. Secure AND protocol

Boer [4] first proposed a protocol to securely compute bA ∧ bB, but the result was not in a committed format. Crepeau and Kilian proposed a Las Vegas algorithm in [3] that produced a committed output, but it uses a larger alphabet (a deck of 4 different types of cards), needs to make copies of the cards that commit the input, and takes an average of 12 trials. Niemi and Renvall also proposed a solution in [6]; their Las Vegas algorithm used only 2 types of cards but also needed to make copies of the input, took an average of 2.5 trials, and the AND protocol needed a total of 10 cards. The algorithm proposed here uses 2 types of cards and takes an average of 2 trials, no copies of the committed inputs are needed, and the total number of cards needed is just 8. This gives an upper bound on the number of values (4 values coded by 8 cards) that need to be shuffled during the AND protocol, proving the assumption in the open question of [3]. It also gives an upper bound on the number of copies needed of the inputs: NO copies of the inputs need to be made.

Our protocol works as follows. Denote by x0 x1 the cards that commit Alice's value bA and by y0 y1 the cards that commit Bob's value bB. These cards are of the form ??; turned over, they are either or . We need 4 extra cards: 2 of one suit and 2 of the other.

(1) Place the cards as follows: the 4 public cards face up and the committed cards ???? (x0 x1 y0 y1) face down.
(2) Then turn over the public cards; let's call this string ω: ????????
(3) Now let Alice and then Bob apply a cyclic shuffle to ω.
(4) Turn over the two topmost cards of ω; call this v. If v ∈ { , }, then go on to step (5). If v = , then turn over the third topmost card; if it is a , go on to step (5), otherwise turn the opened cards back over and go back to the cyclic shuffling step (3).

If v = , then turn over the third topmost card; if it is a , go on to step (5), otherwise turn the cards back over and go back to step (3).
(5) If the 2 topmost cards are , then the 6th and 7th topmost cards are the commitment to the result. If the 3 topmost cards are , then the 7th and 8th cards are the commitment to the result. If the 2 topmost cards are , then the 4th and 5th cards contain the commitment to the result. Finally, if the 3 topmost cards are , then the 5th and 6th cards contain the commitment to the result.

To see why the protocol works and is secure, let's see what happens "from under the glass table". At step two, ω uncovered is one of four configurations, one for each pair of inputs (bA, bB) ∈ {(0, 0), (0, 1), (1, 0), (1, 1)}; the four configurations differ only in the orientation of the committed pairs x0 x1 and y0 y1. ω is just one of these card configurations permuted by a cyclic shift. This is done so that Bob and Alice have no information on the order of the cards, and the act of turning over the topmost card becomes equivalent to picking, uniformly at random, a card from the deck. Now, after the cyclic shuffling, the probability that the 2 topmost cards are is 1/8 in all 4 cases, and the probability that they are is also 1/8 in all 4 cases, so we get absolutely no information on the inputs of Alice and Bob. On the other hand, the probability of picking is 3/8 in all 4 cases, and the same holds for picking , so no information is leaked here either.
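The AND protocol of Section 4, simulated over all eight rotations of the deck, as an added example; this is not code from the paper. Because the suit symbols did not survive this transcription, the example writes the two suits as C and H and assumes the coding CH = 1, HC = 0 together with an arrangement in which Alice's pair sits between the two public cards of one suit and Bob's pair between the two public cards of the other. Those assumptions are chosen so that the simulation reproduces the probabilities the paper states (1/8 and 1/8 for the two-card outcomes that end the round at once, 3/8 for each of the other two, and 1/3 for the third card that is accepted) and the stated average of two trials. The exhaustive check confirms three things: every accepted round decodes to bA ∧ bB, the multiset of opened cards is the same for all four inputs, and exactly half of the shifts are accepted.

```python
"""Simulation of the 8-card two-party AND protocol (Section 4).

Added example, not the paper's own code. Suits are written 'C' and 'H'; the
coding 'CH' = 1, 'HC' = 0 and the card arrangement in layout() are assumptions
chosen to reproduce the probabilities the paper states."""
import random
from collections import Counter
from itertools import product

C, H = "C", "H"
ENCODE = {1: (C, H), 0: (H, C)}          # assumed coding of a committed bit
DECODE = {pair: bit for bit, pair in ENCODE.items()}


def commit(bit):
    """Two face-down cards committing `bit`, as seen from under the table."""
    return list(ENCODE[bit])


def layout(x, y):
    """Step (1): Alice's pair x between the two public clubs, Bob's pair y
    between the two public hearts (assumed arrangement, see docstring)."""
    return [C] + x + [C, H] + y + [H]


def cyclic_shift(deck, k):
    """The paper's cyclic shuffle: move the top k cards to the bottom."""
    k %= len(deck)
    return deck[k:] + deck[:k]


def try_round(omega):
    """Steps (4) and (5) on a shuffled sequence omega.

    Returns (opened, result): `opened` is the string of cards turned face up
    (all a party learns this round); `result` is the two-card committed
    output, or None when the round is rejected and step (3) is repeated."""
    v = omega[0] + omega[1]
    if v == C + C:                       # probability 1/8: cards 6 and 7
        return v, omega[5:7]
    if v == H + H:                       # probability 1/8: cards 4 and 5
        return v, omega[3:5]
    third = omega[2]
    if v == C + H:                       # probability 3/8: accept a third H (1/3)
        return v + third, (omega[4:6] if third == H else None)
    return v + third, (omega[6:8] if third == C else None)   # v == HC


def transcript_distribution(a, b):
    """Exhaust the 8 equally likely rotations for inputs a, b.

    Returns (opened_counts, outputs, accepted): what an observer sees, with
    multiplicity; the decoded outputs of accepted rounds; how many of the 8
    rotations are accepted."""
    deck = layout(commit(a), commit(b))
    opened, outputs, accepted = Counter(), set(), 0
    for k in range(8):
        seen, result = try_round(cyclic_shift(deck, k))
        opened[seen] += 1
        if result is not None:
            accepted += 1
            outputs.add(DECODE[tuple(result)])
    return opened, outputs, accepted


def verify_protocol():
    """Correctness: every accepted round decodes to a AND b.
    Privacy: the distribution of opened cards does not depend on (a, b).
    Efficiency: 4 of 8 rotations are accepted, i.e. 2 trials on average."""
    distributions = set()
    for a, b in product((0, 1), repeat=2):
        opened, outputs, accepted = transcript_distribution(a, b)
        if outputs != {a & b} or accepted != 4:
            return False
        distributions.add(frozenset(opened.items()))
    return len(distributions) == 1


def secure_and(a, b, seed=None):
    """Run the Las Vegas protocol as the parties would: Alice and then Bob each
    apply a random cyclic shift, the top cards are opened, and on rejection
    the opened cards are turned back over and the shuffle is repeated.
    Returns (committed_result, trials)."""
    rng = random.Random(seed)
    omega = layout(commit(a), commit(b))
    trials = 0
    while True:
        trials += 1
        omega = cyclic_shift(omega, rng.randrange(8))   # Alice's shift
        omega = cyclic_shift(omega, rng.randrange(8))   # Bob's shift
        _, result = try_round(omega)
        if result is not None:
            return result, trials


def average_trials(runs=4000, seed=1):
    """Empirical mean number of shuffles until acceptance (the paper: 2)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        _, t = secure_and(rng.randrange(2), rng.randrange(2), rng.randrange(1 << 30))
        total += t
    return total / runs


if __name__ == "__main__":
    print("protocol verified:", verify_protocol())
    for a, b in product((0, 1), repeat=2):
        result, trials = secure_and(a, b, seed=2 * a + b)
        print(f"{a} AND {b} -> {''.join(result)} = {DECODE[tuple(result)]} after {trials} trial(s)")
    print("average trials:", average_trials())
```

Note that the accepted third card is the one seen with probability 1/3, not 2/3: accepting the 2/3 branch would break correctness, while accepting the 1/3 branch makes exactly half of all shifts succeed, which is where the average of two trials comes from.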

Finally, if we picked , the probability of picking a as the third card is 2/3, and the probability of picking a as the third card is 1/3, in all 4 cases. The probabilities of picking or after are likewise the same in all four cases. These are all the situations we will encounter; every probability is the same in all four cases, thus demonstrating that our protocol is secure. The fact that the protocol gives the commitment to the right answer can easily be seen by observing the value coded by the cards picked by the protocol.

5. Other primitives

In order to be able to privately compute any probabilistic Boolean function we first need to describe a few more primitives.

5.1. OR, NOT gates

It is easy to compute the negation of a committed bit: you simply reverse the order of the two cards. With this in hand, and the AND protocol described in Section 4, we can easily construct a protocol for the OR gate (bA ∨ bB = ¬(¬bA ∧ ¬bB)).

5.2. Random committed bits

For a probabilistic Boolean function, we can get random bits by taking cards committing bits and applying the cyclic shuffle to them.

5.3. Copies of a committed bit

Although copies of committed bits are not needed to compute a single Boolean gate, they are a tool that is needed for privately computing any Boolean function. We present a protocol that enables us to make n copies of a committed bit, for any n. The protocol comes directly from [3].

To copy a committed bit b:

(1) Create the following configuration: ?? (the commitment to b) followed by 6 public cards forming three identical pairs.
(2) Turn over the public cards and apply a random cyclic shift to the 6 rightmost cards: ????????. We get the configuration ???????? = b b' b' b', where b' is now an unknown bit.
(3) Now randomly shift the 4 topmost values: ????????.
(4) Open the 4 topmost values. If the sequence you see is alternating, then b = b' and the 4 rightmost cards form 2 copies of b: ???? = b b. Otherwise, b' is the negation of b and the 4 rightmost values form 2 copies of it: ???? = ¬b ¬b (reversing each pair, as in Section 5.1, turns them into copies of b).

This protocol is easily generalized to make any number n of copies.

6. Computations with cards

6.1. Multi-party computations

The notion of multiparty computation (MPC) was first introduced in [7]. A first protocol permitting a general multiparty computation, as well as completeness theorems, was given in [5]. The MPC problem can be defined as follows: a group of n players P1, ..., Pn wish to securely (and correctly) compute F(x1, ..., xn), where xi is Pi's private input and F is a public function which they have agreed upon. Securely here means that a player Pi does not get to know any more information than what he can deduce from his own input and the result of the function. We assume here that the participants always follow the protocol; otherwise a more specific definition of security must be provided (see [5, 2] for example). Also, if a group of participants decide to collude, they must form a minority of the total number of participants.

As mentioned in [3, 6], we can use the tools presented here to enable multiparty computations of any Boolean function. We simply publicly describe a Boolean circuit (AND, OR and NOT gates) defining the function and, using the protocols described above, securely compute each gate, keeping the answers in committed format and using them as inputs to other gates when necessary. The inputs of the participants are of course introduced in committed format. Only the final answer of the function is revealed. Probabilistic Boolean functions can also be securely computed using the protocol described to generate random committed bits.

6.2. Perfect zero-knowledge proofs

A zero-knowledge proof (ZKP) consists of an all-powerful prover P and a polynomial-time bounded verifier V. P would like to convince V that he possesses an answer to a certain problem without giving him the solution. We can use our protocol to construct a ZKP for any NP-complete decision problem. Simply reduce the problem to SAT (call the formula f). Now P, having the solution, commits to the bits that satisfy f and securely computes f with these inputs. P reveals the final answer to V. All of this is done in polynomial time, so V can verify.

6.3. Solitary games

As discussed in [3], any game can be played solitarily by describing the strategies of one's opponents in a probabilistic Boolean circuit. POKER and BRIDGE are such examples. To play solitarily one discreetly applies the strategies of the opponents by using the secure protocols described above.

7. Remarks and open questions

(1) We assumed that cyclic permutations (cyclic shufflings) of a deck of cards are indistinguishable. A question that remains open is whether there are more general primitives that may allow us to do the same computations as discussed in this paper (for example, [6] suggested trying to move from a cyclic symmetry group to a dihedral group).
(2) A proof that the result presented in this paper, working in cyclic groups, is optimal concerning the number of cards that need to be used would be good. We have started such proofs under certain conditions (no copying, 2 types of cards, using the commitment scheme described in this paper), but a more general proof would be better.

Acknowledgements

We would like to thank Alain Tapp, Niel Stewart, Frederic Legare and Adam Smith for their appreciated comments concerning earlier versions of this paper. We would also like to thank the anonymous referee for some final corrections.

References

[1] David Chaum, Ivan B. Damgard, Jeroen van de Graaf, Multiparty computations ensuring privacy of each party's input and correctness of the result, in: Carl Pomerance (Ed.), Lecture Notes in Computer Science, Vol. 293, Springer, Berlin, 1988, pp. 87-119.
[2] R. Cramer, I. Damgard, S. Dziembowski, M. Hirt, T. Rabin, Efficient multiparty computations with dishonest minority, in: Advances in Cryptology: EUROCRYPT 99, Lecture Notes in Computer Science, Vol. 1561, Springer, Berlin, 1999, pp. 311-326.
[3] C. Crepeau, J. Kilian, Discreet solitary games, in: D.R. Stinson (Ed.), Advances in Cryptology: CRYPTO 93, Lecture Notes in Computer Science, Vol. 773, Springer, Berlin, 1994, pp. 319-330.
[4] B. den Boer, More efficient match-making and satisfiability: the five card trick, in: J.-J. Quisquater, J. Vandewalle (Eds.), Advances in Cryptology: EUROCRYPT 89 (10-13 April 1989), Lecture Notes in Computer Science, Vol. 434, Springer, Berlin, 1990, pp. 208-217.

[5] O. Goldreich, S. Micali, A. Wigderson, How to play any mental game: a completeness theorem for protocols with honest majority, in: Proc. 19th Ann. ACM Symp. on Theory of Computing, New York City, May 25-27, 1987, ACM Press, New York, 1987, pp. 218-229.
[6] V. Niemi, A. Renvall, Secure multiparty computations without computers, Theoret. Comput. Sci. 191 (1-2) (1998) 173-183.
[7] A. Yao, Protocols for secure computation, in: 23rd Ann. Symp. on Foundations of Computer Science, Chicago, IL, November 3-5, 1982, IEEE Computer Society Press, Silver Spring, MD, 1982, pp. 160-164.
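The copy protocol of Section 5.3, simulated exhaustively over every pair of shifts, as an added example; this is not code from the paper or from [3]. As in Section 5.3, the six public cards start as three identical pairs; a cyclic shift of six cards by an even amount leaves all three pairs unchanged and a shift by an odd amount reverses all three, so after step (2) they code one unknown random bit b' three times, and the four cards opened in step (4) reveal only whether b' equals b. The suits are written C and H and a committed bit is coded CH = 1, HC = 0; both are assumptions, since the paper's symbols are lost in this transcription. The check confirms that the two produced commitments always decode to b and that the multiset of four-card strings opened in step (4) is identical for b = 0 and b = 1.

```python
"""Simulation of the copy protocol of Section 5.3 (the protocol is from [3]).

Added example, not the paper's own code. Suits are written 'C' and 'H'; the
coding 'CH' = 1, 'HC' = 0 is an assumption."""
import random
from collections import Counter

C, H = "C", "H"
ENCODE = {1: (C, H), 0: (H, C)}
DECODE = {pair: bit for bit, pair in ENCODE.items()}


def cyclic_shift(cards, k):
    """Cyclic shuffle: move the first k cards to the end."""
    k %= len(cards)
    return cards[k:] + cards[:k]


def is_alternating(cards):
    """True when no two neighbouring cards share a suit."""
    return all(cards[i] != cards[i + 1] for i in range(len(cards) - 1))


def copy_round(b, k6, k4):
    """One execution with both shifts fixed: k6 for step (2), k4 for step (3).

    Returns (opened, copies): the four cards turned face up in step (4) and
    the two commitments produced, each a (suit, suit) tuple."""
    # step (1): the commitment to b followed by six public cards, three pairs coding 1
    row = list(ENCODE[b]) + [C, H] * 3
    # step (2): shift the six rightmost cards; even k6 keeps the pairs coding 1,
    # odd k6 turns all three into 0, so they now code an unknown bit b' three times
    row = row[:2] + cyclic_shift(row[2:], k6)
    # step (3): shift the four leftmost cards (the pairs b and b')
    row = cyclic_shift(row[:4], k4) + row[4:]
    # step (4): open the four leftmost cards; they are alternating iff b' == b
    opened = "".join(row[:4])
    pairs = [tuple(row[4:6]), tuple(row[6:8])]
    if is_alternating(opened):
        copies = pairs                          # b' == b: copies of b as they are
    else:
        copies = [p[::-1] for p in pairs]       # b' == NOT b: reverse each pair (Section 5.1)
    return opened, copies


def verify_copy():
    """Correctness for every b and every pair of shifts, and privacy: the
    multiset of opened four-card strings is the same for b = 0 and b = 1."""
    seen = {}
    for b in (0, 1):
        counter = Counter()
        for k6 in range(6):
            for k4 in range(4):
                opened, copies = copy_round(b, k6, k4)
                if any(DECODE[p] != b for p in copies):
                    return False
                counter[opened] += 1
        seen[b] = counter
    return seen[0] == seen[1]


def copy_bit(b, seed=None):
    """Run the protocol with random shifts; returns the two copies of b."""
    rng = random.Random(seed)
    return copy_round(b, rng.randrange(6), rng.randrange(4))[1]


if __name__ == "__main__":
    print("copy protocol verified:", verify_copy())
    for b in (0, 1):
        opened, copies = copy_round(b, 1, 1)
        print(f"b={b}: opened {opened}, copies {copies}")
```

Every execution that opens a non-alternating sequence ends with the two pairs reversed, which is the NOT gate of Section 5.1 applied to copies of b'; since b' is uniform and independent of b, what the parties see (b xor b') carries no information about b.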