1 / 13

Coin Flipping Protocol

Coin Flipping Protocol. CS 303 Alg. Number Theory & Cryptography Jeremy Johnson. Manuel Blum, Coin Flipping by Telephone: A Protocol for Solving Impossible Problems, ACM SIGACT, Vol. 15, No. 1, 1983, pp. 23-27. Outline. Coin flipping protocol

woodford
Download Presentation

Coin Flipping Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Coin Flipping Protocol CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Manuel Blum, Coin Flipping by Telephone: A Protocol for Solving Impossible Problems, ACM SIGACT, Vol. 15, No. 1, 1983, pp. 23-27.

  2. Outline • Coin flipping protocol • Completely secure vs. normally secure one-way functions • Some protocols that do not work • Blum Protocol • Goldwasser-Micali Probabilistic Encryption Goldwasser

  3. Coin Tossing Protocol • Want to flip a coin over the telephone • Fair and verifiable • Not subject to cheating

  4. Public Key Cryptography • Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. • D(E(M)) = M • Both E() and D() are easy to compute • Publicly revealing E() does not make it easy to determine D() • E(D(M)) = M - needed for signatures • The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

  5. Attempt 1 • Generate Encryption/Decryption Keys • A: Randomly select flip = “heads” or “tails” • A  B EA(flip) • B  A guess heads or tails • A  B DA() to check result • What’s wrong

  6. One-Way Functions • Normally Secure One-Way Function • Efficiently computable function whose inverse can not be computed efficiently • Completely Secure One-Way Function • Normally secure plus knowledge of f(x) does not give more than 50-50 chance of efficiently guessing some non-trivial property such as parity

  7. Solution with a Completely Secure One-Way Function • A: randomly select x • A  B f(x) • B  A guess x even/odd • A  B send x to verify result

  8. Attempt 2 (RSA) • Generate Keys: N = PQ, gcd(e,(N))=1, ed  1(mod (N)), E = (e,N), D = (d,N) • A: Randomly select x (use parity) • A  B E(x) • B  A guess parity of x • A  B D() to check parity of result • What could be wrong

  9. Attempt 3 (Discrete Log) • Zp = <>, p  1 (mod 4) prime • A: Randomly select x (use parity) • A  B y = x • B  A guess parity of x • A  B send x to verify guess • Probability is correct. What is wrong?

  10. Blum Protocol • Blum protocol • B selects N = PQ, P  3 (mod 4), Q  3 (mod 4). • A selects x1,…,xt and send x12,…,xt2 to B • B guesses b1,…bt and sends to A • A sends x1,…,xt to B and B checks (xi/n) = bi

  11. Correctness of Blum Protocol • Four solutions x2  a (mod N) [use CRT] • (±b)2  a (mod P), (±c)2  a (mod Q) • P  Q  3 (mod 4)  J(-1,P) =J(-1,Q) = -1 • Half with J(x,N) = 1, half with J(x,N)= -1 • Knowing ±b and ±c gives P and Q • bc (mod P) b = c (mod Q)  gcd(b-c,N)=Q

  12. Public Key Cryptography • Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. • D(E(M)) = M • Both E() and D() are easy to compute • Publicly revealing E() does not make it easy to determine D() • E(D(M)) = M - needed for signatures • The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

  13. Goldwasser-Micali Probabilistic Encryption • Goldwasser-Micali (Quadratic Redisuosity) • N = pq, x a non-residue such that • m = m1  mt, mi {0,1} • c = c1   ct, ci = yixmi mod N, yirandom quadratic residue ShafiGoldwasser and SilvioMicali. Probabilistic Encryption. Journal of Computer and System Sciences (JCSS), 28(2):270-299, April 1984.

More Related