Example - Coin Toss

Coin Toss: Alice and Bob want to toss a coin. Easy to do when they are in the same room. How can they toss a coin over the phone?

Mutual Commitments

Solution: Alice tosses a coin and conveys the result to Bob.
Problem: Alice can choose any result.

Solution: Alice and Bob each toss a coin and then they send the results to each other. The coin toss result is the XOR of both tosses.
Problem: The one who sends the result first has no influence on the result, while the second can choose any result.

Note: There is a strong dependency on the simultaneous publication of the result.

© Eli Biham - March 20, 2007 34 Mutual Commitments (3)

Mental Poker

Alice and Bob want to play poker over the phone. At the beginning of the game they need to deal the cards, such that:

- A player knows his own cards.
- A player does not know the other player's cards.
- Both players do not know any of the cards in the deck.
- No card appears more than once.
- No player can change his cards without the other player noticing it.

If Alice holds a deck of cards and deals the cards, then in order to tell Bob about his hand Alice must know his hand. Furthermore, Alice can deal the cards any way she pleases.

Thus, we need a protocol for dealing the cards, such that:

1. A player knows his own cards.
2. A player does not know the other player's cards.
3. The hands are always disjoint.
4. All dealings have the same probability.
5. It is possible to reveal cards or to exchange cards.

Solution: The usage of a trusted third party. If Alice and Bob have a mutual trusted friend, who can be the dealer, and has a private communication channel both to Alice and to Bob, it is possible to use him to solve the problems.

But sometimes a third party cannot be used.
For example, who will be the third party to choose random bits to be used in protocols between superpowers? And how can we make sure that a private channel is not eavesdropped?

Thus, we are interested in protocols which do not involve a third party.

Claim: A protocol for mental poker, for which all the above 5 conditions are met, cannot be constructed without a third party.

Proof: Assume that we have a deck of 3 cards denoted by x, y, z, and that each of the players got one card. Assume that each of the players is a probabilistic Turing machine (i.e., can use random bits). We execute the protocol and we further assume that A got x and B got y. A knows the protocol, and thus can simulate B on all possible random inputs and therefore can choose only simulations for which A and B send the messages which were actually sent. B can receive y, but z is also a possible card. Similarly, A receives x or z. The communication between A and B is the same in all the runs, thus it may be possible that both received z, in contradiction to the disjointness of the hands. QED

Coin Toss

Alice and Bob want to toss a coin over the phone.

If Alice commits to a bit, and promises not to change her choice after Bob tells her about his coin toss, we get that the protocol:

Alice: Chooses a bit $b_A$.
Bob: Chooses a bit $b_B$.
Bob → Alice: $b_B$.
Alice → Bob: $b_A$.
Both: $b = b_A \oplus b_B$.

is secure.

It is clear that Bob cannot choose the result of the coin toss. On the other hand, Alice was committed to $b_A$ before knowing $b_B$ and therefore she cannot choose the result of the coin toss, as well. Thus, we want to ensure that Alice does not change her choice after hearing $b_B$.
Bit Commitment

This protocol is a building block for the construction of other protocols, and we will use it later.

Objective: Alice chooses a bit $b$ and uses it in some protocol with Bob. Bob needs to make sure that Alice uses $b$ and not $\bar{b}$, but Alice prefers not to reveal $b$.

The Model: Alice sends a commitment $C$ on $b$ to Bob, from which $b$ cannot be reconstructed.

Revealment phase: later Alice reveals $b$ to Bob, and Bob checks the commitment.

Bit Commitment (cont.)

Example: Let $f$ be a one-way permutation and let $B$ be a hardcore predicate of $f$. Then Alice and Bob can perform the following BC protocol:

- Alice chooses $b$, and a random number $r$ (100-bit number) such that $B(r) = b$.
- Alice sends the commitment $C = f(r)$ to Bob.

Later, for the revealment phase:

- Alice sends $b$ and $r$ to Bob.
- Bob checks whether $C = f(r)$ and $b = B(r)$. If not, then Alice cheated. Otherwise Bob concludes that Alice indeed committed to $b$.

What goes wrong when $B$ is not a hardcore predicate?
What goes wrong when $f$ is not a permutation?

Bit Commitment (cont.)

RSA based example: Alice chooses $n = pq$, $e$, $d$ as in RSA, and a random number $0 \le r < n$ with parity $b$ (or another hardcore predicate $B(r) = b$), and sends $n$, $e$ and $r^e \pmod{n}$ to Bob.

At the revealment phase, Alice sends $p$ and $q$ to Bob. From $p$ and $q$ Bob calculates $d$, $r$ and $B(r)$ and then compares $B(r)$ to $b$.

Coin Toss

Our coin toss protocol by using general BC:

Alice: Chooses $b_A$ and commits to $b_A$.
Bob: Chooses a bit $b_B$ and sends it to Alice.
Alice: Reveals $b_A$.
Bob: Checks Alice's commitment.
Both: $b = b_A \oplus b_B$.

A protocol based on the hardness of factoring:

1. A chooses $p, q$ and computes $n = pq$ (as in RSA) and sends $n$ to B.
2. B chooses a random number $u$ such that $1 < u < n/2$ and reveals $z = u^2 \pmod{n}$ to A.
3. A computes $\pm x, \pm y$, the 4 roots of $z \pmod{n}$, by using $p, q$. Assume, WLG, that $x, y < n/2$ (and that $-x, -y > n/2$). It is obvious that $u = x$ or $u = y$.
4. A guesses whether $u = x$ or $u = y$. A finds the index $i$ of the least significant bit for which $x_i \ne y_i$, then sends to B one of the following guesses: "Your $i$-th bit is 0" or "Your $i$-th bit is 1".
5. B informs A whether he was right (heads) or wrong (tails).
6. B sends $u$ to A.
7. A sends the factors of $n$, $p$ and $q$, to B.

A cannot know whether $u = x$ or $u = y$, thus he has to guess.

If B can cheat by changing $u$ after A's guess, then he knows both roots $x, y$ of $z = u^2 \pmod{n}$ under $n/2$ and therefore can factor $n$.

In order to prevent A from revealing the other root of $z = u^2 \pmod{n}$ to B, A reveals only $i + 1$ bits of the other root ($i$ equal, 1 different).

A Protocol for Mental Poker

Assume, WLG, that A is the dealer. The cards are marked by the numbers 1,...,52 (or otherwise). We refer to them as $w_1, \ldots, w_{52}$.

We assume the use of a commutative public key cryptosystem (e.g., Pohlig and Hellman's cryptosystem), in which A and B have keys which are kept secret (i.e., encryption and decryption keys are kept secret).

1. B shuffles the cards and encrypts them by $E_B$ and sends $E_B(w_1), E_B(w_2), \ldots, E_B(w_{52})$ to A.
2. A chooses 5 random cards and informs B about them. B decrypts them. The result is B's hand.
3. A chooses 5 random cards and encrypts them: $E_A(E_B(w_i))$. A sends the encrypted 5 cards to B. B decrypts and gets $D_B(E_A(E_B(w_i))) = E_A(w_i)$ and sends to A. A decrypts and gets $w_i$. The result is A's hand.
4. After the end of the game they reveal their keys.
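The dealing protocol above, run end to end as an added Python example (not code from the lecture notes). Assumptions made here: the Pohlig-Hellman cipher is instantiated as E_k(m) = m^k mod P with the demo prime P = 2^127 - 1, each card w is encoded as (w+1)^2 mod P, and a single generator stands in for both players' randomness.

```python
import math
import random

P = 2**127 - 1  # public prime modulus; demo choice, not a vetted parameter

# Assumed encoding: card w in 1..52 -> (w+1)^2 mod P. Squares all share the same
# quadratic residuosity, and 1 is avoided because 1^k = 1 for every key k.
ENCODE = {w: pow(w + 1, 2, P) for w in range(1, 53)}
DECODE = {v: w for w, v in ENCODE.items()}

def keygen(rng):
    """Secret Pohlig-Hellman pair (e, d) with e*d = 1 (mod P-1)."""
    while True:
        e = rng.randrange(3, P - 1)
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def power(m, k):
    """E_k(m) = m^k mod P; decryption is the same map with the inverse key."""
    return pow(m, k, P)

def deal(rng, hand=5):
    """Run steps 1-4; returns (A's hand, B's hand, deck audited after key reveal)."""
    (eA, dA), (eB, dB) = keygen(rng), keygen(rng)
    # Step 1: B shuffles the deck and sends E_B(w_1), ..., E_B(w_52) to A.
    deck = [power(v, eB) for v in ENCODE.values()]
    rng.shuffle(deck)
    # Step 2: A picks 5 encrypted cards for B; B removes E_B.
    chosen = rng.sample(deck, 2 * hand)
    bob = sorted(DECODE[power(c, dB)] for c in chosen[:hand])
    # Step 3: A picks 5 more and adds E_A; B removes E_B; A removes E_A.
    blinded = [power(c, eA) for c in chosen[hand:]]   # A -> B: E_A(E_B(w_i))
    half_open = [power(c, dB) for c in blinded]       # B -> A: E_A(w_i)
    alice = sorted(DECODE[power(c, dA)] for c in half_open)
    # Step 4: keys are revealed after the game, so the whole deal can be audited.
    # A value outside DECODE (a KeyError) would mean a non-card value was dealt.
    audit = sorted(DECODE[power(c, dB)] for c in deck)
    return alice, bob, audit

if __name__ == "__main__":
    # A real deployment needs a CSPRNG per player; random.Random is for the demo.
    print(deal(random.Random()))
```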
Note:

If the encryption keys are not kept secret, each side can encrypt all 52 cards, and by that be able to identify the cards.

It is possible to add random bits to the card names before encryption, but that does not prevent Bob from identifying the cards. The additional randomness should be chosen such that all cards have the same quadratic residuosity.

We add redundancy to the names of the cards to make sure that random values are not dealt instead of those actually encrypted.

All 5 conditions are met:

1. A player knows his own cards.
2. A player does not know the other player's cards: knowing that is equivalent to breaking the cipher.
3. The hands are always disjoint: as this is the way they are chosen.
4. All dealings have the same probability: because the two players choose the cards at random. Neither of them can eliminate the randomness alone.
5. It is possible to reveal cards or to exchange cards: It is easy for a player to reveal a specific card.

Note: RSA is not recommended here because:

1. It cannot be used with 2 different n's.
2. If both parties use the same $n$, and both know the factorization (as both have their own $e$ and $d$), then it reduces to using Pohlig-Hellman twice in parallel, modulo $p$ and modulo $q$.

Oblivious Transfer (OT)

Another tool for classified communication.

Enables Alice to send a bit to Bob, such that he receives the bit with 50% chance, but Alice does not know whether he received it or not.

Another version of OT enables Alice to send several secrets to Bob, such that Bob receives exactly one of them, and Alice doesn't know which one.

OT protocols are used as building blocks for other protocols.

DLOG can be used.

Example: using factorization. Let $n = pq$ as in RSA.
WLG, assume that the secret is the factors $p, q$ and Alice wants Bob to receive $p, q$ with 50% chance, without her knowing whether he received the secret or not. Obviously, it is possible to encrypt any secret using RSA, and knowing the factorization implies knowing the secret.

1. Bob chooses $x$ and sends $x^2 \pmod{n}$ to Alice.
2. Alice computes the 4 roots and sends one of them to Bob.
3. Bob checks whether the root he received is $\pm x \pmod{n}$.
   If it is: Bob did not receive any new information.
   If it isn't: Bob can factor $n$.

Alice doesn't know which of the 4 roots is $x$, thus she chooses $\pm x$ with probability $1/2$.

A One-out-of-Two Secrets OT Protocol

Alice has 2 secrets $s_0, s_1$. She sends them to Bob, such that Bob receives exactly one of the secrets, but she does not know which of them he receives.

This protocol is non-interactive: Alice sends a message to Bob, but Bob does not send any messages to Alice.

The system parameters:

$p$ - a large prime.
$g$ - a primitive root of $Z_p$.
$c$ - a value whose discrete logarithm no one knows.

We assume the Diffie and Hellman assumption: it is impossible to compute $g^{xy} \pmod{p}$ given $g^x, g^y \pmod{p}$.

Private and public keys: Each user randomly chooses a value $0 \le x \le p-2$ and a bit $i \in \{0, 1\}$ and computes:

$\beta_i \equiv g^x \pmod{p}$
$\beta_{1-i} \equiv c \cdot (g^x)^{-1} \pmod{p}$

The user's public key is $(\beta_0, \beta_1)$ and his secret key is $(i, x)$.
The owner of a key does not know the DLOG of both $\beta_0$ and $\beta_1$, otherwise he would have known the DLOG of $c \equiv \beta_0 \beta_1 \pmod{p}$, in contradiction with our assumption.

On the other hand, if the owner is cheating and does not know any of the DLOGs of $\beta_0$ and $\beta_1$, it is his problem (he can always receive a value and forget about it immediately).

The protocol:

1. Alice receives Bob's $\beta$, chooses random values $y_0, y_1$ in the range $[0, p-2]$, and computes for $j \in \{0, 1\}$:

   $\alpha_j \equiv g^{y_j} \pmod{p}$
   $\gamma_j \equiv \beta_j^{y_j} \pmod{p}$
   $r_j = s_j \oplus \gamma_j$

   and sends $\alpha_0, \alpha_1, r_0, r_1$ to Bob.

2. Bob computes, using the secret $(i, x)$:

   $\alpha_i^x \equiv g^{x y_i} \equiv \beta_i^{y_i} \equiv \gamma_i \pmod{p}$
   $s_i = \gamma_i \oplus r_i$

He gets only one out of the secrets $s_0, s_1$, but cannot get both, because if he knows $s_{1-i}$, he will know $\gamma_{1-i}$, which means he can compute $g^{x y_i} \pmod{p}$ given $\alpha_i \equiv g^{y_i} \pmod{p}$ and $\beta_i \equiv g^x \pmod{p}$.

In order to receive one secret out of many secrets, it is possible to use a protocol similar to the mental poker protocol, where each card is a secret and Alice lets Bob choose a secret.

A commutative cryptosystem, public keys known to both users:

1. B sends $y_1, \ldots, y_k$ random values (in the size of the secrets) to A.
2. A sends $z_j = E_A(S_j \oplus y_j)$, $j = 1, \ldots, k$ to B.
3. B chooses the $i$-th secret and sends $x = E_B(z_i)$ to A.
4. A sends $D_A(x)$ to Bob.
5. Bob computes $s_i = D_B(D_A(x)) \oplus y_i$.

OT Applications

J. Kilian, Founding cryptography on oblivious transfer, STOC 20, 1988, pp. 20-31.

Abstract

Suppose your net-mail is being erratically censored by Captain Yossarian. Whenever you send a message, he censors each bit of the message with probability $1/2$, replacing each censored bit by some reserved character. Well versed in such concepts as redundancy, this is no real problem to you.
The question is, can it actually be turned around and used to your advantage?...

By using OT it is possible to perform:

- Bit Commitment.

OT Applications (cont.)

- Non Interactive Zero Knowledge (NIZK) without any additional assumptions (as the sender does not know what the receiver receives).

OT Applications (cont.)

- Oblivious Circuit Evaluation: given $f(x_1, \ldots, x_n)$, Alice and Bob want to compute $f$ on the input $x_1, \ldots, x_n$, when:
  - Bob knows $x_1, \ldots, x_m$.
  - Alice knows $x_{m+1}, \ldots, x_n$.
  - Bob should receive the value of $f(x_1, \ldots, x_n)$.
  - Bob should not receive any information on $x_{m+1}, \ldots, x_n$, apart from the information he gets from knowing the value of $f$.
  - Alice should not receive any information on $x_1, \ldots, x_m$ or on the value of $f(x_1, \ldots, x_n)$.

BC Using OT

The following protocol applies BC using OT, without any additional assumptions.

Committing to a bit $b$:

- Alice chooses $k$ bits $b_1, b_2, \ldots, b_k$ such that $b = b_1 \oplus b_2 \oplus \cdots \oplus b_k$ (for $k$ large enough).
- Alice sends $b_1, b_2, \ldots, b_k$ to Bob, each by OT.
- Bob receives $b'_1, b'_2, \ldots, b'_k$, where for all $i$: $b'_i = b_i$ with probability $1/2$ and $b'_i = \#$ with probability $1/2$, as well ($\#$ means that the $i$-th bit was not received).
- The commitment is performed $t$ times on the same bit $b$.
BC Using OT (cont.)

Decommitting:

- Alice sends $b_1, b_2, \ldots, b_k$ to Bob.
- Bob checks whether $b'_i = b_i$ or $b'_i = \#$ for all $i$. If not, Alice is cheating.
- Bob computes $b = b_1 \oplus b_2 \oplus \cdots \oplus b_k$.
- The decommitment is performed $t$ times and Bob checks that the same bit $b$ is accepted every time.

BC Using OT (cont.)

Security:

Bob can discover $b$ before Alice decommits only when he receives all $k$ bits in one of the $t$ iterations. The probability for that is less than $t \cdot 2^{-k}$, which is exponentially small.

Alice can cheat Bob about the value of $b$ if she sends some $b_i$ flipped in the decommitting phase to Bob. The probability that Bob catches her is $1/2$. The probability that Alice cheats Bob in all $t$ iterations is $2^{-t}$.
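The commit and decommit phases of BC using OT, together with the cheating bound from the security argument, as an added Python example (not part of the original slides). The OT channel is modelled by an assumed stand-in function, ot_send, that delivers each bit with probability 1/2 and '#' otherwise; the function names and the seeded generator are choices made for this example.

```python
import random

def xor(bits):
    """XOR of a list of bits."""
    return sum(bits) % 2

def ot_send(bit, rng):
    """Assumed ideal OT: Bob gets the bit with probability 1/2, otherwise '#'."""
    return bit if rng.random() < 0.5 else "#"

def commit(b, k, t, rng):
    """Alice shares b into k bits t times; returns (her shares, Bob's OT views)."""
    shares, views = [], []
    for _ in range(t):
        row = [rng.randrange(2) for _ in range(k - 1)]
        row.append(b ^ xor(row))          # forces b = b_1 xor ... xor b_k
        shares.append(row)
        views.append([ot_send(x, rng) for x in row])
    return shares, views

def bob_learns_early(views):
    """True if some iteration delivered all k bits, so Bob knows b before opening."""
    return any("#" not in view for view in views)

def decommit(opened, views):
    """Bob's check: returns the accepted bit, or None if Alice is caught."""
    accepted = set()
    for row, view in zip(opened, views):
        if any(v != "#" and v != x for x, v in zip(row, view)):
            return None                   # an opened bit contradicts a received bit
        accepted.add(xor(row))
    return accepted.pop() if len(accepted) == 1 else None

def cheat_rate(k, t, trials, rng):
    """Alice commits to 0, then flips one bit per iteration to open 1.
    Returns the fraction of runs Bob accepts; the notes predict 2^-t."""
    wins = 0
    for _ in range(trials):
        shares, views = commit(0, k, t, rng)
        forged = [[row[0] ^ 1] + row[1:] for row in shares]
        wins += decommit(forged, views) == 1
    return wins / trials

if __name__ == "__main__":
    rng = random.Random()
    shares, views = commit(1, 32, 8, rng)
    print(decommit(shares, views), cheat_rate(8, 3, 4000, rng))
```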
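The one-out-of-two secrets OT protocol from earlier in these notes (system parameters p, g, c; public key (β_0, β_1); secret key (i, x)), as an added Python example that is not part of the original slides. The toy parameters p = 2579, g = 2, c = 1234, the function names, and Alice's check that β_0 β_1 ≡ c (mod p) are assumptions of this example; in a group this small anyone can compute discrete logarithms, so it only illustrates the message flow.

```python
import random

P, G = 2579, 2   # toy parameters: 2 is a primitive root modulo the prime 2579
C = 1234         # stands in for the public value whose discrete log nobody knows

def bob_keygen(i, rng):
    """Bob's key for choice bit i: beta_i = g^x, beta_{1-i} = c * (g^x)^-1."""
    x = rng.randrange(0, P - 1)                  # 0 <= x <= p-2
    beta = [0, 0]
    beta[i] = pow(G, x, P)
    beta[1 - i] = C * pow(beta[i], -1, P) % P
    return beta, (i, x)

def alice_send(beta, s0, s1, rng):
    """Alice's single message (alpha_0, alpha_1, r_0, r_1) for secrets s0, s1."""
    # Added well-formedness check: a key with beta_0 * beta_1 != c could have
    # both discrete logs known to its owner, who would then read both secrets.
    if beta[0] * beta[1] % P != C:
        raise ValueError("public key does not satisfy beta_0 * beta_1 = c")
    alpha, r = [], []
    for j, s in enumerate((s0, s1)):
        y = rng.randrange(0, P - 1)              # y_j in [0, p-2]
        alpha.append(pow(G, y, P))               # alpha_j = g^{y_j}
        r.append(s ^ pow(beta[j], y, P))         # r_j = s_j xor gamma_j
    return alpha, r

def bob_receive(message, secret_key):
    """Bob recovers s_i from gamma_i = alpha_i^x; r_{1-i} stays masked."""
    alpha, r = message
    i, x = secret_key
    return r[i] ^ pow(alpha[i], x, P)

if __name__ == "__main__":
    rng = random.Random()
    public, secret = bob_keygen(1, rng)
    print(bob_receive(alice_send(public, 0x123, 0x456, rng), secret))
```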