Flipping coins over the telephone and other games.


If Alice and Bob are on the phone and make a decision by flipping a coin, what’s to keep the person with the coin from just asserting their preference, instead of reporting the actual result?

Alice chooses two large prime numbers, p and q, both congruent to 3 mod 4. She keeps p and q secret but sends the product n = pq to Bob. Bob chooses a secret x and computes y = x^2 mod n. He sends y to Alice. Alice uses her knowledge of p and q to compute square roots of y mod n. There are four of them: ±a and ±b. One of them is x, but she doesn’t know which. So she chooses one at random and sends it to Bob. Alice sends b to Bob. (That was the “flip”.) If b ≡ ±x, then Bob tells Alice she wins. If b ≢ ±x, then Bob wins.

Why should this be safe? If x = ±a (so Bob wins), then Bob can use his knowledge of all four square roots of y to factor n.* He can prove he has won by telling Alice p and q. But if x = ±b, then Bob should not be able to factor n and produce p and q. (Factoring is hard; that’s why RSA is secure.)

*If x = ±a, gcd(x-b, n) gives a nontrivial factor of n.

And what keeps Alice honest? If Alice tried to send some random number rather than a square root of y? Bob can verify that the square of her number is congruent to y. And what if Alice sneaks in a third factor? Bob can ask her for her factors and verify them.
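The exchange above, run end to end as an added example (not part of the original slides). The primes 10007 and 10039 and Bob's x are constructed toy values, and the function names are hypothetical; real use needs primes large enough that n cannot be factored.

```python
# Added illustration of the coin-flip protocol; all numeric values are constructed.
import math
import secrets

def sqrt_mod_prime(y, p):
    # For a prime p = 3 (mod 4), y^((p+1)/4) mod p is a square root of a residue y.
    return pow(y, (p + 1) // 4, p)

def four_roots(y, p, q):
    """Alice's step: the four square roots of y mod n = p*q, combined by the CRT."""
    n = p * q
    rp, rq = sqrt_mod_prime(y % p, p), sqrt_mod_prime(y % q, q)
    ep = q * pow(q, -1, p)   # = 1 mod p, = 0 mod q
    eq = p * pow(p, -1, q)   # = 0 mod p, = 1 mod q
    a = (rp * ep + rq * eq) % n
    b = (rp * ep - rq * eq) % n
    return sorted({a, n - a, b, n - b})

def bob_checks(b, x, y, n):
    """Bob's step after receiving b: verify it, then decide the outcome."""
    if pow(b, 2, n) != y:
        return ("alice_cheated", None)        # b is not a square root of y
    if b in (x, n - x):
        return ("alice_wins", None)           # b = +-x: Bob learned nothing new
    g = math.gcd(x - b, n)                    # b is the other pair: n factors
    return ("bob_wins", (g, n // g))

def flip(p, q, x):
    """One full run: Bob commits to y, Alice answers with a random root."""
    n = p * q
    y = pow(x, 2, n)
    b = secrets.choice(four_roots(y, p, q))   # Alice cannot tell which pair is +-x
    return bob_checks(b, x, y, n)

if __name__ == "__main__":
    print(flip(10007, 10039, 123456))
```

Alice wins for two of the four roots and Bob wins, with p and q as his proof, for the other two.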

Poker over the telephone

Bob and Alice agree on a large prime p. The 52 cards are each assigned different numbers mod p by some prearranged scheme. Alice chooses secret α with gcd(α, p-1) = 1 and computes α^-1 mod p-1. Bob chooses secret β with gcd(β, p-1) = 1 and computes β^-1 mod p-1. These values are good for one hand only.

a scheme

Bob computes b_i = c_i^β mod p, and sends them all to Alice. Alice chooses five of these, b_i1, b_i2, …, b_i5. Alice calculates b_ij^α for her five cards, and sends them to Bob. Bob applies the power β^-1 to the five values he receives from Alice, and returns them. Alice applies the power α^-1 to the five values; this reveals her five card hand. Alice then sends five other b_i values to Bob, who applies the power β^-1 to reveal his five card hand. Dealing additional cards can continue in this fashion. Betting is done as usual.

using number theory to cheat at telephone poker

A number r mod p is a quadratic residue if there are solutions to the congruence x^2 ≡ r mod p. For a nonresidue n, there are no solutions to the congruence x^2 ≡ n mod p. The values 1, 2, …, p-1 are divided equally among the residues and nonresidues. It is easy to determine whether a number z is a residue or a nonresidue:

And recall that since α and β were chosen relatively prime to (p-1), they are both odd. A card c is encrypted by Bob as b = c^β. The encrypted card has the same residuosity as the nonencrypted card. This would appear to give Bob an advantage.

But if Alice knows some number theory, too, she can also use this information about residues and nonresidues to her advantage. She, after all, deals the five cards to Bob, and can choose to send him all residues or all nonresidues in any combination that suits her need. She could even suggest a prime where, for the encoding scheme for cards, the high cards all fall in one group or the other! Will Bob notice, after a few hands, that he has been receiving only nonresidues in his hand? Will Alice and Bob continue to play together?
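The residuosity leak described above, checked numerically in an added example (not part of the original slides). The prime, the exponents and the card numbering 2..53 are constructed values, and the residue test used is Euler's criterion; the squared deck at the end is a commonly cited countermeasure, included here as an assumption beyond what the slides cover.

```python
# Added illustration; p, alpha, beta and both card encodings are constructed.
import math

P = 10007                                       # toy prime, far too small for real play
NAIVE_DECK = list(range(2, 54))                 # 52 cards numbered 2..53
SQUARED_DECK = [c * c % P for c in NAIVE_DECK]  # every card is a residue

def legendre(z, p):
    """Euler's criterion: +1 for a quadratic residue mod p, -1 for a nonresidue."""
    return 1 if pow(z, (p - 1) // 2, p) == 1 else -1

def inverse_exponent(e, p):
    """e^-1 mod (p-1); it exists only when gcd(e, p-1) = 1, which forces e odd."""
    if math.gcd(e, p - 1) != 1:
        raise ValueError("exponent must be coprime to p-1")
    return pow(e, -1, p - 1)

def alice_hand_roundtrip(cards, p, alpha, beta):
    """Bob encrypts, Alice adds alpha, Bob strips beta, Alice strips alpha."""
    a_inv, b_inv = inverse_exponent(alpha, p), inverse_exponent(beta, p)
    hand = []
    for c in cards:
        b = pow(c, beta, p)             # Bob -> Alice
        doubled = pow(b, alpha, p)      # Alice -> Bob
        returned = pow(doubled, b_inv, p)   # Bob -> Alice
        hand.append(pow(returned, a_inv, p))
    return hand

def leaked_classes(cards, p, beta):
    """Per card: (class of plaintext c, class of ciphertext c^beta mod p)."""
    return [(legendre(c, p), legendre(pow(c, beta, p), p)) for c in cards]

if __name__ == "__main__":
    alpha, beta = 3457, 7919
    naive = leaked_classes(NAIVE_DECK, P, beta)
    print("classes preserved:", all(plain == enc for plain, enc in naive))
    print("classes seen, naive deck:  ", sorted({enc for _, enc in naive}))
    squared = leaked_classes(SQUARED_DECK, P, beta)
    print("classes seen, squared deck:", sorted({enc for _, enc in squared}))
```

With the naive numbering the encrypted deck splits into the same two classes as the plaintext deck; with every card encoded as a residue there is only one class, so the test tells the dealer nothing.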