Solution: Alice tosses a coin and conveys the result to Bob. Problem: Alice can choose any result.


Mutual Commitments

Example - Coin Toss

Coin Toss: Alice and Bob want to toss a coin. Easy to do when they are in the same room. How can they toss a coin over the phone?

Solution: Alice tosses a coin and conveys the result to Bob.
Problem: Alice can choose any result.

Solution: Alice and Bob each toss a coin and then send the results to each other. The coin toss result is the XOR of both tosses.
Problem: The one who sends the result first has no influence on the result, while the second can choose any result.

Note: There is a strong dependency on the simultaneous publication of the results.

© Eli Biham - March 20, 2007 - Mutual Commitments (3)

Mental Poker

Alice and Bob want to play poker over the phone. At the beginning of the game they need to deal the cards, such that:
- A player knows his own cards.
- A player does not know the other player's cards.
- Neither player knows any of the cards in the deck.
- No card appears more than once.
- No player can change his cards without the other player noticing it.

If Alice holds a deck of cards and deals the cards, then in order to tell Bob about his hand Alice must know his hand. Furthermore, Alice can deal the cards any way she pleases.

Thus, we need a protocol for dealing the cards, such that:
1. A player knows his own cards.
2. A player does not know the other player's cards.
3. The hands are always disjoint.
4. All dealings have the same probability.
5. It is possible to reveal cards or to exchange cards.

Solution: The usage of a trusted third party. If Alice and Bob have a mutual trusted friend, who can be the dealer, and has a private communication channel both to Alice and to Bob, it is possible to use him to solve the problems. But sometimes a third party cannot be used.
For example, who will be the third party to choose random bits to be used in protocols between superpowers? And how can we make sure that a private channel is not eavesdropped? Thus, we are interested in protocols which do not involve a third party.

Claim: A protocol for mental poker, for which all the above 5 conditions are met, cannot be constructed without a third party.

Proof: Assume that we have a deck of 3 cards denoted by x, y, z, and that each of the players got one card. Assume that each of the players is a probabilistic Turing machine (i.e., can use random bits). We execute the protocol and we further assume that A got x and B got y. A knows the protocol, and thus can simulate B on all possible random inputs and therefore can choose only simulations for which A and B send the messages which were actually sent. B can receive y, but z is also a possible card. Similarly, A receives x or z. The communication between A and B is the same in all the runs, thus it may be possible that both received z, in contradiction to the disjointness of the hands. QED

Coin Toss

Alice and Bob want to toss a coin over the phone. If Alice commits to a bit, and promises not to change her choice after Bob tells her about his coin toss, we get that the protocol:

Alice: Chooses a bit $b_A$.
Bob: Chooses a bit $b_B$.
Bob → Alice: $b_B$.
Alice → Bob: $b_A$.
Both: $b = b_A \oplus b_B$.

is secure.

It is clear that Bob cannot choose the result of the coin toss. On the other hand, Alice was committed to $b_A$ before knowing $b_B$ and therefore she cannot choose the result of the coin toss, as well. Thus, we want to ensure that Alice does not change her choice after hearing $b_B$.

Bit Commitment

This protocol is a building block for the construction of other protocols, and we will use it later.

Objective: Alice chooses a bit $b$ and uses it in some protocol with Bob. Bob needs to make sure that Alice uses $b$ and not $\bar{b}$, but Alice prefers not to reveal $b$.

The Model: Alice sends a commitment C on b to Bob, from which b cannot be reconstructed.
Revealment phase: later Alice reveals b to Bob, and Bob checks the commitment.

Bit Commitment (cont.)

Example: Let f be a one-way permutation and let B be a hardcore predicate of f. Then Alice and Bob can perform the following BC protocol:
- Alice chooses b, and a random number r (100-bit number) such that B(r) = b.
- Alice sends the commitment C = f(r) to Bob.

Later, for the revealment phase:
- Alice sends b and r to Bob.
- Bob checks whether C = f(r) and b = B(r). If not, then Alice cheated. Otherwise Bob concludes that Alice indeed committed to b.

What goes wrong when B is not a hardcore predicate?
What goes wrong when f is not a permutation?

Bit Commitment (cont.)

RSA based example: Alice chooses $n = pq$, $e$, $d$ as in RSA, and a random number $0 \le r < n$ with parity b (or another hardcore predicate B(r) = b), and sends $n$, $e$ and $r^e \pmod{n}$ to Bob. At the revealment phase, Alice sends p and q to Bob. From p and q Bob calculates d, r and B(r) and then compares B(r) to b.

Coin Toss

Our coin toss protocol by using general BC:

Alice: Chooses $b_A$ and commits to b.
Bob: Chooses a bit $b_B$ and sends it to Alice.
Alice: Reveals $b_A$.
Bob: Checks Alice's commitment.
Both: $b = b_A \oplus b_B$.

A protocol based on the hardness of factoring:
1. A chooses p, q and computes $n = pq$ (as in RSA) and sends n to B.
2. B chooses a random number u such that $1 < u < \frac{n}{2}$ and reveals $z = u^2 \pmod{n}$ to A.
3. A computes $\pm x$, $\pm y$ - the 4 roots of $z \pmod{n}$ - by using p, q. Assume, WLG, that $x, y < \frac{n}{2}$ (and that $-x, -y > \frac{n}{2}$). It is obvious that u = x or u = y.
4. A guesses whether u = x or u = y. A finds the index i of the least significant bit for which $x_i \ne y_i$, then sends to B one of the following guesses: "Your i-th bit is 0" or "Your i-th bit is 1".
5. B informs A whether he was right (heads) or wrong (tails).
6. B sends u to A.
7. A sends the factors of n, p and q, to B.

A cannot know whether u = x or u = y, thus he has to guess.

If B can cheat by changing u after A's guess, then he knows both roots x, y of $z = u^2 \pmod{n}$ under $\frac{n}{2}$ and therefore can factor n.

In order to prevent A from revealing the other root of $z = u^2 \pmod{n}$ to B, A reveals only i + 1 bits of the other root (i equal, 1 different).

A Protocol for Mental Poker

Assume, WLG, that A is the dealer. The cards are marked by the numbers 1,...,52 (or otherwise). We refer to them as $w_1, \ldots, w_{52}$.

We assume the use of a commutative public key cryptosystem (e.g., Pohlig and Hellman's cryptosystem), in which A and B have keys which are kept secret (i.e., encryption and decryption keys are kept secret).

1. B shuffles the cards, encrypts them by $E_B$ and sends $E_B(w_1), E_B(w_2), \ldots, E_B(w_{52})$ to A.
2. A chooses 5 random cards and informs B about them. B decrypts them. The result is B's hand.
3. A chooses 5 random cards and encrypts them: $E_A(E_B(w_i))$. A sends the 5 encrypted cards to B. B decrypts and gets $D_B(E_A(E_B(w_i))) = E_A(w_i)$ and sends it to A. A decrypts and gets $w_i$. The result is A's hand.
4. After the end of the game they reveal their keys.
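The dealing protocol above, written out as an added example (it is not part of the original slides). It assumes Pohlig-Hellman exponentiation modulo a toy prime, card numbers 2..53 instead of 1..52, and card codes that are squares so that every code has the same quadratic residuosity; the function names are illustrative.

```python
import random
from math import gcd

P = 2**61 - 1   # constructed toy modulus (a Mersenne prime); far too small for real use
# Card k is encoded as k^2 mod P so that every code is a quadratic residue
# (encoding assumed for this example). k = 1 is skipped because 1 encrypts to itself.
CODES = {pow(k, 2, P): k for k in range(2, 54)}   # 52 codes -> card numbers

def keygen(rng):
    """Secret Pohlig-Hellman pair (e, d) with e*d = 1 mod (P-1)."""
    while True:
        e = rng.randrange(3, P - 1)
        if gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def enc(key, m):
    return pow(m, key[0], P)        # E(m) = m^e mod P

def dec(key, c):
    return pow(c, key[1], P)        # D(c) = c^d mod P

def deal(rng, hand=5):
    """Steps 1-3: returns both hands, both secret keys and the messages exchanged."""
    key_a, key_b = keygen(rng), keygen(rng)
    deck = [enc(key_b, w) for w in CODES]             # step 1: B encrypts the deck
    rng.shuffle(deck)                                 #         and shuffles it
    picks = rng.sample(range(52), 2 * hand)           # A picks 10 distinct positions
    to_b, to_a = picks[:hand], picks[hand:]
    hand_b = [CODES[dec(key_b, deck[i])] for i in to_b]   # step 2: B opens his cards
    double = [enc(key_a, deck[i]) for i in to_a]          # step 3: E_A(E_B(w))
    single = [dec(key_b, c) for c in double]              # B strips his layer: E_A(w)
    hand_a = [CODES[dec(key_a, c)] for c in single]       # A strips hers: w
    msgs = {"deck": deck, "to_a": to_a, "double": double, "single": single}
    return hand_a, hand_b, key_a, key_b, msgs

def audit(msgs, key_a, key_b):
    """Step 4: once both keys are revealed, replay every message of the deal."""
    deck_ok = sorted(dec(key_b, c) for c in msgs["deck"]) == sorted(CODES)
    a_ok = all(enc(key_a, msgs["deck"][i]) == c
               for i, c in zip(msgs["to_a"], msgs["double"]))
    b_ok = all(dec(key_b, c) == s
               for c, s in zip(msgs["double"], msgs["single"]))
    return deck_ok and a_ok and b_ok

if __name__ == "__main__":
    ha, hb, ka, kb, m = deal(random.Random(2007))
    print("A:", sorted(ha), "B:", sorted(hb), "audit:", audit(m, ka, kb))
```

The audit fails if B sent a deck that is not a permutation of the 52 codes or if either side altered a card in step 3.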

All 5 conditions are met:
1. A player knows his own cards.
2. A player does not know the other player's cards: knowing that is equivalent to breaking the cipher.
3. The hands are always disjoint: as this is the way they are chosen.
4. All dealings have the same probability: because the two players choose the cards at random. Neither of them can eliminate the randomness alone.
5. It is possible to reveal cards or to exchange cards: It is easy for a player to reveal a specific card.

Note:
- If the encryption keys are not kept secret, each side can encrypt all 52 cards, and by that be able to identify the cards.
- It is possible to add random bits to the card names before encryption, but that does not prevent Bob from identifying the cards. The additional randomness should be chosen such that all cards have the same quadratic residuosity.
- We add redundancy to the names of the cards to make sure that random values are not dealt instead of those actually encrypted.

Note: RSA is not recommended here because:
1. It cannot be used with 2 different n's.
2. If both parties use the same n, and both know the factorization (as both have their own e and d), then it reduces to using Pohlig-Hellman twice in parallel, modulo p and modulo q.

Oblivious Transfer (OT)

Another tool for classified communication.

Enables Alice to send a bit to Bob, such that he receives the bit with 50% chance, but Alice does not know whether he received it or not.

Another version of OT enables Alice to send several secrets to Bob, such that Bob receives exactly one of them, and Alice doesn't know which one.

OT protocols are used as building blocks for other protocols.

DLOG can be used.

Example: using factorization. Let $n = pq$ as in RSA.
WLG, assume that the secret is the factors p, q and Alice wants Bob to receive p, q with 50% chance, without her knowing whether he received the secret or not. Obviously, it is possible to encrypt any secret using RSA, and knowing the factorization implies knowing the secret.

1. Bob chooses x and sends $x^2 \pmod{n}$ to Alice.
2. Alice computes the 4 roots and sends one of them to Bob.
3. Bob checks whether the root he received is $\pm x \pmod{n}$.
   If it is: Bob did not receive any new information.
   If it isn't: Bob can factor n.

Alice doesn't know which of the 4 roots is x, thus she chooses $\pm x$ with probability $\frac{1}{2}$.

A One-out-of-Two Secrets OT Protocol:

Alice has 2 secrets $s_0, s_1$. She sends them to Bob, such that Bob receives exactly one of the secrets, but she does not know which of them he receives. This protocol is non-interactive: Alice sends a message to Bob, but Bob does not send any messages to Alice.

The system parameters:
- $p$ - a large prime.
- $g$ - a primitive root of $Z_p$.
- $c$ - a value whose discrete logarithm no one knows.

We assume the Diffie and Hellman assumption: it is impossible to compute $g^{xy} \pmod{p}$ given $g^x, g^y \pmod{p}$.

Private and public keys:
Each user randomly chooses a value $0 \le x \le p-2$ and a bit $i \in \{0, 1\}$ and computes:

$\beta_i \equiv g^x \pmod{p}$
$\beta_{1-i} \equiv c \cdot (g^x)^{-1} \pmod{p}$

The user's public key is $(\beta_0, \beta_1)$ and his secret key is $(i, x)$.

The owner of a key does not know the DLOG of both $\beta_0$ and $\beta_1$, otherwise he would have known the DLOG of $c \equiv \beta_0 \beta_1 \pmod{p}$, in contradiction with our assumption.

On the other hand, if the owner is cheating and does not know any of the DLOGs of $\beta_0$ and $\beta_1$, it is his problem (he can always receive a value and forget about it immediately).

The protocol:
1. Alice receives Bob's $\beta$, chooses random values $y_0, y_1$ in the range $[0, p-2]$, and computes for $j \in \{0, 1\}$:

   $\alpha_j \equiv g^{y_j} \pmod{p}$
   $\gamma_j \equiv \beta_j^{y_j} \pmod{p}$
   $r_j = s_j \oplus \gamma_j$

   and sends $\alpha_0, \alpha_1, r_0, r_1$ to Bob.
2. Bob computes, using the secret $(i, x)$:

   $\alpha_i^x \equiv g^{x y_i} \equiv \beta_i^{y_i} \equiv \gamma_i \pmod{p}$
   $s_i = \gamma_i \oplus r_i$

He gets only one out of the secrets $s_0, s_1$, but cannot get both, because if he knows $s_{1-i}$, he will know $\gamma_{1-i}$, which means he can compute $g^{x y_i} \pmod{p}$ given $\alpha_i \equiv g^{y_i} \pmod{p}$ and $\beta_i \equiv g^x \pmod{p}$.

In order to receive one secret out of many secrets, it is possible to use a protocol similar to the mental poker protocol, where each card is a secret and Alice lets Bob choose a secret.

A commutative cryptosystem, public keys known to both users:
1. B sends $y_1, \ldots, y_k$, random values (in the size of the secrets), to A.
2. A sends $z_j = E_A(S_j \oplus y_j)$, $j = 1, \ldots, k$, to B.
3. B chooses the i-th secret and sends $x = E_B(z_i)$ to A.
4. A sends $D_A(x)$ to Bob.
5. Bob computes $s_i = D_B(D_A(x)) \oplus y_i$.

OT Applications

J. Kilian, Founding cryptography on oblivious transfer, STOC 20, 1988, pp. 20-31.

Abstract: Suppose your net-mail is being erratically censored by Captain Yossarian. Whenever you send a message, he censors each bit of the message with probability $\frac{1}{2}$, replacing each censored bit by some reserved character. Well versed in such concepts as redundancy, this is no real problem to you. The question is, can it actually be turned around and used to your advantage?...

By using OT it is possible to perform:
- Bit Commitment.
- Non Interactive Zero Knowledge (NIZK) without any additional assumptions (as the sender does not know what the receiver receives).
- Oblivious Circuit Evaluation: given $f(x_1, \ldots, x_n)$, Alice and Bob want to compute f on the input $x_1, \ldots, x_n$, when:
  - Bob knows $x_1, \ldots, x_m$.
  - Alice knows $x_{m+1}, \ldots, x_n$.
  - Bob should receive the value of $f(x_1, \ldots, x_n)$.
  - Bob should not receive any information on $x_{m+1}, \ldots, x_n$, apart from the information he gets from knowing the value of f.
  - Alice should not receive any information on $x_1, \ldots, x_m$ or on the value of $f(x_1, \ldots, x_n)$.

BC Using OT

The following protocol applies BC using OT, without any additional assumptions.

Committing to a bit b:
- Alice chooses k bits $b_1, b_2, \ldots, b_k$ such that $b = b_1 \oplus b_2 \oplus \cdots \oplus b_k$ (for k large enough).
- Alice sends $b_1, b_2, \ldots, b_k$ to Bob, each by OT.
- Bob receives $b'_1, b'_2, \ldots, b'_k$, where for all i: $b'_i = b_i$ with probability $\frac{1}{2}$ and $b'_i = \#$ with probability $\frac{1}{2}$, as well (# means that the i-th bit was not received).
- The commitment is performed t times on the same bit b.

BC Using OT (cont.)

Decommitting:
- Alice sends $b_1, b_2, \ldots, b_k$ to Bob.
- Bob checks whether $b'_i = b_i$ or $b'_i = \#$ for all i. If not, Alice is cheating.
- Bob computes $b = b_1 \oplus b_2 \oplus \cdots \oplus b_k$.
- The decommitment is performed t times and Bob checks that the same bit b is accepted every time.

BC Using OT (cont.)

Security:
- Bob can discover b before Alice decommits only when he receives all k bits in one of the t iterations. The probability for that is less than $t \cdot 2^{-k}$, which is exponentially small.
- Alice can cheat Bob about the value of b if she sends some $b_i$ flipped in the decommitting phase to Bob. The probability that Bob catches her is $\frac{1}{2}$. The probability that Alice cheats Bob in all t iterations is $2^{-t}$.
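The commit and decommit phases of BC using OT, as an added simulation (not part of the original slides). The 50% OT is modelled as an ideal primitive that delivers the bit or `#`; that model and all function names are assumptions of this example.

```python
import random
from functools import reduce
from operator import xor

ERASED = "#"    # marks a bit that Bob did not receive

def ot_send(bit, rng):
    """Ideal 50% OT (assumed primitive): Bob gets the bit or '#', Alice learns nothing."""
    return bit if rng.random() < 0.5 else ERASED

def commit(b, k, t, rng):
    """Alice shares b into k bits, t times. Returns (her openings, what Bob received)."""
    openings, received = [], []
    for _ in range(t):
        bits = [rng.randrange(2) for _ in range(k - 1)]
        bits.append(reduce(xor, bits, b))        # last bit makes the XOR equal b
        openings.append(bits)
        received.append([ot_send(x, rng) for x in bits])
    return openings, received

def decommit(openings, received):
    """Bob's check: returns the accepted bit, or None if Alice is caught cheating."""
    values = set()
    for bits, got in zip(openings, received):
        if any(g != ERASED and g != x for x, g in zip(bits, got)):
            return None                          # an opened bit contradicts a received one
        values.add(reduce(xor, bits))
    return values.pop() if len(values) == 1 else None   # same b in all t iterations

def leaked_early(received):
    """True if Bob got all k bits in some iteration, so he knows b before decommitment."""
    return any(ERASED not in got for got in received)

def cheat(openings):
    """Cheating Alice: flip one bit per iteration so that every XOR opens to the other value."""
    return [[bits[0] ^ 1] + bits[1:] for bits in openings]

def cheat_success_rate(k, t, trials, rng):
    """Fraction of runs in which a commitment to 1 is accepted as 0 (expected 2^-t)."""
    wins = 0
    for _ in range(trials):
        openings, received = commit(1, k, t, rng)
        wins += decommit(cheat(openings), received) == 0
    return wins / trials

if __name__ == "__main__":
    rng = random.Random(2007)
    for t in (1, 4, 10):
        print(t, cheat_success_rate(k=16, t=t, trials=5000, rng=rng))
```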
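Returning to the discrete-log one-out-of-two OT described earlier (public key $(\beta_0, \beta_1)$ with $\beta_0 \beta_1 \equiv c$), here is an added worked example that is not from the original slides. Assumptions: a toy 61-bit prime, $c$ derived by hashing a public label so that no one chooses its logarithm, secrets given as integers below $2^{60}$, and a sender-side check of $\beta_0 \beta_1 \equiv c$ that follows from the key definition.

```python
import hashlib
import secrets

P = 2**61 - 1    # constructed toy prime; far too small for real use
# Prime factors of P-1 = 2 * (2^30 - 1) * (2^30 + 1), needed to test for a primitive root.
FACTORS = (2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321)

def primitive_root():
    """Smallest g whose order is exactly P-1."""
    g = 2
    while any(pow(g, (P - 1) // q, P) == 1 for q in FACTORS):
        g += 1
    return g

G = primitive_root()
# c must have an unknown discrete log. Assumption of this example: hash a public label.
C = int.from_bytes(hashlib.sha256(b"OT public parameter c").digest(), "big") % (P - 1) + 1

def receiver_keygen(i):
    """Bob: pick x, set beta_i = g^x and beta_{1-i} = c * (g^x)^-1 mod p."""
    x = secrets.randbelow(P - 1)                  # 0 <= x <= p-2
    gx = pow(G, x, P)
    beta = [0, 0]
    beta[i], beta[1 - i] = gx, C * pow(gx, -1, P) % P
    return tuple(beta), (i, x)                    # public key, secret key

def sender_transfer(beta, s0, s1):
    """Alice: returns the single message (alpha_0, alpha_1, r_0, r_1)."""
    if beta[0] * beta[1] % P != C:
        raise ValueError("beta_0 * beta_1 != c: receiver may know both discrete logs")
    alphas, rs = [], []
    for beta_j, s_j in zip(beta, (s0, s1)):
        if not 0 <= s_j < 2**60:
            raise ValueError("secret must fit below the modulus size")
        y = secrets.randbelow(P - 1)              # fresh y_j for each secret
        alphas.append(pow(G, y, P))               # alpha_j = g^y_j
        rs.append(s_j ^ pow(beta_j, y, P))        # r_j = s_j xor gamma_j
    return (*alphas, *rs)

def receiver_open(msg, secret_key):
    """Bob: gamma_i = alpha_i^x, then s_i = gamma_i xor r_i."""
    i, x = secret_key
    alpha, r = msg[:2], msg[2:]
    return pow(alpha[i], x, P) ^ r[i]

if __name__ == "__main__":
    pub, sk = receiver_keygen(1)
    print(receiver_open(sender_transfer(pub, 1111, 2222), sk))
```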