1. Coin Flipping Protocol
CS 303 Alg. Number Theory & Cryptography
Jeremy Johnson
Manuel Blum, Coin Flipping by Telephone: A Protocol for Solving Impossible Problems, ACM SIGACT, Vol. 15, No. 1, 1983, pp

2. Outline Coin flipping protocol
Completely secure vs. normally secure one-way functions
Some protocols that do not work
Blum Protocol
Goldwasser-Micali Probabilistic Encryption
12/10/2008
Goldwasser

3. Coin Tossing Protocol Want to flip a coin over the telephone
Fair and verifiable
Not subject to cheating

4. Public Key Cryptography
Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting.
D(E(M)) = M
Both E() and D() are easy to compute
Publicly revealing E() does not make it easy to determine D()
E(D(M)) = M - needed for signatures
The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

5. Attempt 1 Generate Encryption/Decryption Keys What’s wrong
A: Randomly select flip = “heads” or “tails”
A  B EA(flip)
B  A guess heads or tails
A  B DA() to check result
What’s wrong

6. One-Way Functions Normally Secure One-Way Function
Efficiently computable function whose inverse can not be computed efficiently
Completely Secure One-Way Function
Normally secure plus knowledge of f(x) does not give more than chance of efficiently guessing some non-trivial property such as parity

7. Solution with a Completely Secure One-Way Function
A: randomly select x
A  B f(x)
B  A guess x even/odd
A  B send x to verify result

8. Attempt 2 (RSA)
Generate Keys: N = PQ, gcd(e,(N))=1, ed  1(mod (N)), E = (e,N), D = (d,N)
A: Randomly select x (use parity)
A  B E(x)
B  A guess parity of x
A  B D() to check parity of result
What could be wrong

9. Attempt 3 (Discrete Log)
Zp = <>, p  1 (mod 4) prime
A: Randomly select x (use parity)
A  B y = x
B  A guess parity of x
A  B send x to verify guess
Probability is correct. What is wrong?

10. Blum Protocol Blum protocol
B selects N = PQ, P  3 (mod 4), Q  3 (mod 4).
A selects x1,…,xt and send x12,…,xt2 to B
B guesses b1,…bt and sends to A
A sends x1,…,xt to B and B checks (xi/n) = bi

11. Correctness of Blum Protocol
Four solutions x2  a (mod N) [use CRT]
(±b)2  a (mod P), (±c)2  a (mod Q)
P  Q  3 (mod 4)  J(-1,P) =J(-1,Q) = -1
Half with J(x,N) = 1, half with J(x,N)= -1
Knowing ±b and ±c gives P and Q
bc (mod P) b = c (mod Q)  gcd(b-c,N)=Q

12. Public Key Cryptography
Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting.
D(E(M)) = M
Both E() and D() are easy to compute
Publicly revealing E() does not make it easy to determine D()
E(D(M)) = M - needed for signatures
The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

13. Goldwasser-Micali Probabilistic Encryption
Goldwasser-Micali (Quadratic Redisuosity)
N = pq, x a non-residue such that
m = m1   mt, mi  {0,1}
c = c1   ct, ci = yixmi mod N, yi random quadratic residue
Shafi Goldwasser and Silvio Micali. Probabilistic Encryption. Journal of Computer and System Sciences (JCSS), 28(2): , April 1984.