Upload
peigi
View
40
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Lecture 13 Secret Sharing Schemes and Game . - PowerPoint PPT Presentation
Citation preview
Lecture 13 Secret Sharing Schemes and Game
Secret sharing schemes are multi-party protocols related to key establishment. The original motivation for secret sharing was the following. To safeguard cryptographic keys from loss, it is desirable to create backup copies. The greater the number of copies made, the greater the risk of security exposure; the smaller the number, the greater the risk that all are lost. Secret sharing schemes address this issue by allowing enhanced reliability without increased risk.
One of the major contributions of modern cryptography has been the development of advanced protocols. These protocols enable users to electronically solve many real world problems, play games, and accomplish all kinds of intriguing and very general distributed tasks. The goal of this lecture is to give a brief introduction to flipping coins and mental poker over the telephone.
Outline Scenarios for Secret Sharing Secret Splitting Threshold Schemes Flipping Coins over the Telephone Poker over the Telephone
1 Scenarios for Secret Sharing 1.1 For Secret Splitting Imagine that you’ve invented a new, extra gooey,
extra sweet, cream filling or a burger sauce that is even more tasteless than your competitors’. This is important; you have to keep it secret. You could tell only your most trusted employees the exact mixture of ingredients, but what if one of them defects to the competition? There goes the secret, and before long every grease palace on the block will be making burgers with sauce as tasteless as yours.
This calls for secret splitting. There are ways to take a message and divide it up into pieces. Each piece by itself means nothing, but put them together and the message appears. If the message is the recipe and each employee has a piece, then only together can they make the sauce. If any employee resigns with his single piece of the recipe, his information is useless by itself.
However, it has a problem: If any of the pieces gets lost, so does the message. If one employee, who has a piece of the sauce recipe, goes to work for the competition and takes his piece with him, the rest of them are out of luck. He can’t reproduce the recipe, but neither can work together. His piece is as critical to the message as every other piece combined.
1.2 For Threshold Schemes You’re setting up a launch program for a
nuclear missile. You want to make sure that no single raving lunatic can initiate a launch. You want at least three out of five officers to be raving lunatics before you allow a launch. This is easy to solve. Make a mechanical launch controller. Give each of the five officers a key and require that at least three officers stick their keys in the proper slots before you’ll allow them to blow up whomever we're blowing up this week.
We can get even more complicated. Maybe the general and two colonels are authorized to launch the missile, but if the general is busy playing golf then five colonels are required to initiate a launch. Make the launch controller so that it requires five keys. Give the general three keys and the colonels one each. The general together with any two colonels can launch the missile; so can the five colonels. However, a general and one colonel cannot; neither can four colonels.
A more complicated sharing scheme, called a threshold scheme, can do all of this and more—mathematically. At its simplest level, you can take any message (a secret recipe, launch codes, your laundry list, etc.) and divide it into n pieces, called shares or shadows, such that any m of them can be used to reconstruct the message.
One can divide his secret sauce recipe among Alice, Bob, Carol, and Dave, such that any three of them can put their shadows together and reconstruct the message. If Carol is on vacation, Alice, Bob, and Dave can do it. If Bob gets run over by a bus, Alice, Carol, and Dave can do it. However, if Bob gets run over by a bus while Carol is on vacation, Alice and Dave can't reconstruct the message by themselves.
2 Secret Splitting2.1 Dual Control by Modular Addition
.recover to modulo themsums which device, theinto estheir valu
enter separately then and ly.respective , and parties two to) (mod and values thegives and 1,
1number random a generates party A trusted used. bemay scheme following thenumber, thisknows party) trusteda
n (other tha individual singleany that eundesirabl isit reasons, loperationafor but key), seed a (e.g., device a into entered be
must ,integer somefor 1 0 ,number secret a If
11
1
Sm
BABAmSSSm
ST
mmSS
2.1 Dual Control by Modular Addition (Continued)
it. trigger torequired are people two-control dualunder be tosaid is requiringaction Any
people. obetween twsplit is secret theof knowledge -scheme knowledge-split a of examplean is This )2(
1. and 0between number random a is possesseseach value thesince ,about n informatioany has one
neither then collude, not to trustedare and If (1)
SS
mS
BA
Comment.
2.2 Unanimous Consent Control by Modular Addition
). (mod
as recovered issecret The ). (mod
given is while,given are through Parties 1. 1 1, 0 , numbers randomt independen
1 generates :follows as ,recover order toin required are whomof all users, among divided bemay secret the
thatso dgeneralizeeasily is above scheme control dual The
1
11
11
mS
SmSSS
PSPPtimSStTS
t S
iti
itit
tit
ii
2.2 Unanimous Consent Control by Modular Addition (Continued)
necessary. are trials2 piece,bit -56 agiven
isparty each if while trials,2only requiresparty oneby search
exhaustive key, theof bits 28given each are parties twoif 2, and 56 for example,For each. bits / of pieces intokey bit -
an ngpartitionihan security tgreater provides This length.-full be should scheme controlsplit ain componentskey individual The )2(
).(loglength -bit fixed of and valuesdata using OR,-exclusiveby replaced bemay operations
modulo above, scheme control dual in the and hereBoth (1)
56
28
2
trtrtr
mSS
m
i
Comment.
3 Threshold Schemes
pieces. noknowingover opponent an tosense) theoretic-ninformatio the
in r, whatsoeveabout n informatio (no advantage no provide sharesfewer or 1only knowingin which scheme threshold
a is scheme resholdperfect thA not.may sharesfewer or 1only knowing groupany but ,recover easily may sharestheir
pool whousers moreor any : trueis following thesuch that ,user to sdistributesecurely and ,secret initialan from
1 , sharessecret computesparty trustedaby which method a is )( scheme threshold) ,(
St
tS
tPSSniS
ntntA
ii
i
1 Definition
itself.key the toaccess haven rather tha triggered,
isaction an that seeonly need tsparticipan and control, shared is objective the wheresystemsfor eappropriat is This device.
combining trusteda usingby done bemay as secret, recovered theof value theaccessing from s themselvemembers group
prevent tois method One users.other of shares thededucingfrom tsparticipanprevent tonecessary are controls security,
decreased without reused be tois scheme thresholda If )2(scheme. threshold
) ,( a is scheme controlconsent unanimous thewhilescheme, threshold2) (2, a of examplean is scheme control dual The (1)
tt
Comment.
3.1 Shamir’s Threshold Scheme
. )(
, modulo polynomial random thedefining 1,0 , , , tscoefficient independen random, 1 selects (1.2)
. defines and ), ,(max prime a chooses (1.1)users. among distribute toit wishes
0integer secret a with begins party trustedThe . (1).recover
can shares their pool which users of groupany :RESULTusers. to
secret a of shares sdistributeparty trusteda :SUMMARYscheme threshold) ,( sShamir'
1
0
11
0
t
jj
j
j
t
xaxf
ppaaatT
SanSpTn
STSetupS
tnS
nt
1 Mechanism
3.1 Shamir’s Threshold Scheme (Continued)
. (0) notingby recovered is secret The ion.interpolat Lagrangeby )( of 1 1
, tscoefficien theofn computatio allowing ) ,( ) ,( pointsdistinct provide sharesTheir shares.their
pool users moreor of groupAny shares. of Pooling (2).index public with along ,user to share
theransferssecurely t and 1), 1 , pointsdistinct any for (or 1 ,) (mod )( computes (1.3)
)(Continued scheme threshold) ,( sShamir'
0 Safxftj
aSiyxt
tiPS
piinnipifST
nt
ji
ii
i
1 Mechanism
3.1 Shamir’s Threshold Scheme (Continued)
. where,
:as expressed bemay secret shared the, (0) Since
.)(
:formulaion interpolat Lagrange theby given are , 1 ), ,( pointsby defined , thanless
degree of )( polynomialunknown an of tscoefficien The ion.interpolat LagrangeAbout
11
0
11
ijtj ji
ji
t
iii
ijtj ji
jt
ii
ii
xxx
cycS
Saf
xxxx
yxf
tiyx txf
3.1 Shamir’s Threshold Scheme (Continued)
computed.-pre bemay users , of group fixed afor that
meansIt constants.secret -non are theSince (2). shares ofn combinatio
linear a as computemay member groupEach (1) Explain.
tc
yt S
i
i
3.1 Shamir’s Threshold Scheme (Continued)
.147)1039110787 (8, 28)9734416803 (7, 73)8521360505 (6, 82)6751938978 (5, 55)4426152222 (4, 92)1544000236 (3, 326)1045116192 (2, 91)6456279478 (1,
:personeach toone pairs, following thedistribute weTherefore,8. ,2, 1, where), ,( pairs peopleeight thegive now We
.6651206749628394829430288201905031805)(
work withsLet' . )( polynomial theform
and moduluo and numbers random Choose .6789011312345 prime a Choose .201905031805number theissecret theSuppose scheme. threshold-8) (3, aconstruct sLet'
2
221
21
iSixxxf
xaxaSxf
pa apS
i
1 Example
3.1 Shamir’s Threshold Scheme (Continued)
secret. theis which ,201905031805 ermconstant t theisabout care they All
.6651206749628394829430288201905031805
obtain to moduluo reduce and ,807407407340by 1/5 replace they So,
).(mod18074074073405 But,
.)5/7931095476582(42719861927514728/52070560214
:points heir three through tpasses polynomial following that thecalculate they ,polynomialion interpolat Lagrange Usingsecret.
thedetermine toecollaborat want to7 and 3, 2, persons Suppose)(Continued
2
2
xx
pp
xx
1 Example
3.1 Shamir’s Threshold Scheme (Continued)
).6651206749628 ,394829430288 ,201905031805() , ,( yields This
),1131234567890(mod2897344168039215440002363261045116192
4971931421
:following thesolve toneed they would instead,approach systemlinear thechose 7 and
3, 2, persons If secret. obtain the and polynomial t thereconstruc could people any three Similarly,
)(Continued
21
2
1
aaS
aaS
1 Example
3.1 Shamir’s Threshold Scheme (Continued)
users. existing of shares affecting without ddistribute and computed bemay users)
new(for shares New users. newfor Extendable (3)secret. theof size theis share one of size The Ideal. (2)
probable.equally remain secret shared theof 1 0 valuesall shares,fewer or 1any of knowledgeGiven Perfect. (1)
scheme. thresholdsShamir' of Properties
pS t
3.1 Shamir’s Threshold Scheme (Continued)
problems). theoretic-number of difficulty about the (e.g., sassumptionunproven any on
rely not doessecurity itsschemes, hiccryptograpmany Unlikes.assumptionunproven No (5)
structure. access the changing o without tindividualupon that control
more bestows shares multipleuser with single a Providing possible. control of levels Varying (4)
3.2 Vector Scheme
point. thedeterminesexactly shyperplane theof any ofon intersecti The point.
theincludes that hyperplane ldimensiona-1)(an ofequation theis shadowEach space. ldimensiona
-in point a as defined is message The space.in points using scheme a inventedBlakley George
tt
t
3.2 Vector Scheme (Continued)
share. theas user each
to hyperplane theransferssecurely t and
,)(mod setting , 1 , modulo
, , tscoefficient independen random, 1 chooses (1.2)
. modulo space ldimensiona-in ) , ,, ,(point a defines and modulorandomly
, ,, chooses . prime a chooses (1.1)users. among distribute toit wishes
integer secret a with begins party trustedThe . (1).recover
can shares their pool which users of groupany :RESULTusers. to
secret a of shares sdistributeparty trusteda :SUMMARYscheme threshold) ,( sBlakley'
201
2012
0
1
210
1210
0
i
itj j
ijt
tj j
ijt
iit
i
t
t
P
yxax
psasynipa
atT
ptssssQpsssTspT
nsSTSetup
St
nS
nt
2 Mechanism
3.2 Vector Scheme (Continued)
. notingby recovered issecret The. modulo inverted becan matrix
the, modulo nonzero ismatrix thisoft determinan theas long As
).(mod
1
11
equationmatrix theyieldThey . 1 , users example,For ). , ,, ,(point theofn computatio
allowing shyperplanedistinct provide sharesTheir shares.their pool users moreor of groupAny shares. of Pooling (2)
0
2
1
1
1
0
10
21
20
11
10
1210
Ssp
p
p
y
yy
s
ss
aa
aaaa
tiPtssssQ
t t
tt
tt
i
t
3.2 Vector Scheme (Continued)
.491934 :E161257 :D186536 :C102752 :B
68194 :A:planes following
theE D, C, B, A, people five thegive weSuppose 73.Let scheme. threshold-5) (3, aconstruct sLet'
102
102
102
102
102
xxxxxxxxxxxx
xxx
p2 Example
3.2 Vector Scheme (Continued)
.recover tocooperatecan E D, C, B, A, of any three ,Similarity . 42 is
secret theso 57), 29, (42,) , ,( issolution The
).73(mod181068
16536127521194
solve they secret, erecover th to wantsC B, A, If)(Continued
0
210
2
1
0
SxS
xxx
xxx
2 Example
3.2 Vector Scheme (Continued)
).,( versus) , , ,( :methodShamir in the than those
person each by carried be n toinformatio more requiresIt (3).invertible always ismatrix that theso
, , tscoefficien choose to waysarrange tohard benot
It would .guaranteednot is is though th,invertible ismatrix t thelikely tha very isit large, reasonably is as long As )2(
pieces. no knowingover opponent an toadvantage some is there,coordinate
one than more ddistributebeen hassecret theIf secret. thecarry toused be should coordinate oneonly that Note (1)
20
2
0
yxyaa
a
a
p
iit
i
it
i
Comment.
3.3 Secret Sharing with Cheaters Colonels Alice, Bob, and Carol are in a bunker
deep below some isolated field. One day, they get a coded message from the president: “Launch the missiles. We’re going to eradicate the last vestiges of neural network research in the country.” Alice, Bob, and Carol reveal their shares, but Carol enters a random number. She’s actually a pacifist and doesn't want the missiles launched. Since Carol doesn't enter the correct share, the secret they recover is the wrong secret. The missiles stay in their silos. Even worse, no one knows why.
3.3 Secret Sharing with Cheaters (Continued)
). (i.e., incorrect""but 1}), ,1, {0, (i.e.,
legal"" is tedreconstruc secret the, and , ,
, , from that,meanst participanth thedeceiving
Here, .t participanth a deceive that , , ,shares new fabricatecan , , , tsparticipan
1any that 0 y probabilit small aonly is There1}. ,1, {0, secret theSuppose
1
21
121
121
SSsS
SSS
SSt
itSSSiii
tsS
tt
t
ii
ii
tiii
t
1 Property
3.3 Secret Sharing with Cheaters (Continued)
).( where), ,( Let 1}. , 2, {1, from elementsdistinct of nspermutatio all
among fromrandomly anduniformly ) , , ,( Choose (3)
. )( , modulo polynomial
random thedefining 1,0 , , , tscoefficient independen random, 1select and Define (2)
). , 1)/1)( max(( primeany Choose (1)0.>any for , than less is cheating undetected ofy probabilit
that theso scheme sShamir'modify :SUMMARYscheme threshold) ,( sShamir' Modified
21
1
0
11
0
iiiii
n
t
jj
j
jt
xqddxSpn
xxx
xaxqp
paaatSa
nttsp
nt
3 Mechanism
3.3 Secret Sharing with Cheaters (Continued)
. and )( )( ifonly secret incorrect t thereconstruc willt Participan
points. 1most at in )(intersect can )(polynomial asuch , If above. points fabricated
theand ) (0,point he through tpassing 1most at degree of )( polynomialdistinct a defines }1
, 1, {0, 'secret possibleEach .t participan
tosend to), ,( ,), ,( ), ,( values fabricate , , , tsparticipan Suppose Proof.
112211
121
SSxqxqSi
txqxqSS
Stxqs
Si
dxdxdxiii
tt
tt
iiS
t
S
S
t
iiiiii
t
3.3 Secret Sharing with Cheaters (Continued)
. ))/(1()1(most at is t participan deceiving of
yprobabilit theThus ).)/(1(most at y probabilit with t participan deceive wouldspolynomial
theseof oneAny s.polynomial ingcorrespond 1yield valuesfabricated theso secrets,incorrect but
legal 1 are There ).)/(1(most at is )(
)(y that probabilit the with )(
polynomialeach for Thus }. ,, ,{- } 1
, 2, {1, ofelement random a is that Recall Proof.
121
tptsitpt
is
stptxq
xqSSxq
xxxp
x
t
t
i
iSiS
iii
i
t
tt
t
t
4 Flipping Coins over the Telephone 4.1 Scenario A friend, not realizing that Alice and Bob are
no longer together, leaves them a car in his will. How do they decide who gets the car? Bob phones Alice and says he’ll flip a coin. Alice chooses “tails” but Bob says “sorry, it was heads.” So Bob gets the car. For some reason, Alice suspects Bob might not have been honest. She resolves that the next time this happens, she'll use a different method.
4.2 A Problem Solution Here is a thought. Alice picks a random bit
b1 and sends it to Bob, and Bob picks a random bit b2 and sends it to Alice, and the value of the coin is b1 b2. The problem is who goes first. If Alice goes first, Bob will choose b2 to make the coin whatever he wants. Not fair.
4.3 Requirements for Fair Flipping Coin (1) Bob must flip the coin before Alice
guesses. (2) Bob must not be able to re-flip the coin
after hearing Alice’s guess. (3) Alice must not be able to know how the
coin landed before making her guess.
4.4 Flipping Coin Using Square Roots
wins.Bob ), (mod If wins.she that Alice tellsBob), (mod If (4)
Bob. toit sends and ,say random,at one chooses She . modulo of ,
roots squarefour thefind to and of knowledgeher uses Alice (3)Alice. tosendsbut secret keeps He
).(mod computes and integer random a chooses Bob (2)
Bob. toproduct thesendsbut secret themkeeps She 4. mod 3 to
congruentboth ,and primes random large twochooses Alice (1)session.coin flippingeach achieve tosteps following thePerform
coin. flippingin guess the winsBobor Alice :RESULTchannel. public
aover messages 4 exchange Bob and Alice users :SUMMARYroots square using protocolcoin Flipping
2
nxbnxb
bnybaqp
yx nxyx
q pn qp
1 Protocol
Alice Bob
qpn
y
b
)( winsBobor )( winsAlicexb
xb
n
2xy
yba 22
4.4 Flipping Coin Using Square Roots (Continued)
4.4 Flipping Coin Using Square Roots (Continued)
. ofion factorizat for the Bob askingby cheatt didn' Bob check thatcan Alice So case. in this and
produce toable benot should he Therefore, .number thehimsent Alice when had hen than informatio more
no has Bob , Bob sends Alice If sends. Alice valuetheminusor plusnot is of valuehis when be would and
factors theproduce could Bobonly way the,factor to infeasiblenally computatio isit if Therefore, . offactor
nontrivial a gives ),gcd( ,particularin .factor can he so ), (mod of roots squarefour all knows
Bob then ), (mod and Bob to sends Alice IfExplain.
nq
pn
x xqp
nn
nbxnny
naxb
4.4 Flipping Coin Using Square Roots (Continued)
). (mod262333410393785035or 6186768891012103737 yield toways
fourin together theseputs theoremremainder Chinese The).(mod 325656728 and ) (mod 1701899961that
knows she e,).Therefor (mod 325656728 and
)(mod1701899961 computes Alice Alice. to
sends hewhich ), od55491705(m3632786010
computes and 3730950481414213562 takesBob Bob. to9917719372426317299 sends She.1190494759 and 2038074743 chooses Alice
1)/4(
1)/4(
2
nx
qxpxqy
py
nxy
xqpn
qp
q
p
3 Example
4.4 Flipping Coin Using Square Roots (Continued)
won.he that provecan he ,1190494759)23334103,93785035265483562373090gcd(141421
computingBy victory.claims BobThen Bob. to 233341039378503526 sends Alice that instead Suppose
winner. theAlice declares Bob so ), (mod is This Bob. to86768891012103761 sends Alice Suppose
)(Continued
n
nx
3 Example
4.4 Flipping Coin Using Square Roots (Continued)
is.not try thshould she, Therefore . offactor nontrivial a find toBob allow will choices wrong three theofEach send. toAlicefor numbers of choicesfour are sign there Up. of roots squareeight are there
But primes. threeofproduct a sendingby Bob deceive totries Alice that is caseOther game. theof end at the ofion factorizat
for the Aliceask could Bob course, Of primes. twoofproduct a of instend prime a sendingby Bob deceive to triesAlice Suppose (2)
. tocongruent is sends Alicenumber theof square that thecheckingby isagainst th guardcan Bob . factoring
from Bobprevent surely would then this, ofroot square athan rather number random a Bob sendingby cheat to triesAlice If (1)
concerns.Security
n
y
n
yn
y
4.4 Flipping Coin Using Square Roots (Continued)
number.her of square thetocongruent iswhich number, sBob' of square theis has shen informatio
only thesince thisdisputecannot Alice him.sent Alice that valueeexactly th was of valuehis
claimcan then He lose. to wantshe decides Bob Suppose procedure. in this flaw one is There (3)
Continued)concerns.(Security
x
5 Poker over the Telephone A protocol similar to the fair flipping coin
protocol allows Alice and Bob to play poker with each other over the telephone. Instead of Bob making two messages, one for “Heads” and one for “Tails”, he makes 52 numbers, c1, c2,..., c52, one for each card in the deck. How to make sure that no one has cheated?
5.1 Idea Bob encrypts the cards c1, c2,..., c52 using his
key and sends to Alice. Alice chooses five cards at random, encrypts them with her encrypted key, and then sends them back to Bob. Bob decrypts the cards and sends them back to Alice, who decrypts them to determine her hand. She then chooses five more cards at random and sends them back to Bob. Bob decrypts these and they become his hand.
5.1 Idea (Continued) During the game, additional cards can be
dealt to either player by repeating the procedure. At the end of the game, Alice and Bob both reveal their cards and key pairs so that each can be assured that the other did not cheat.
5.2 Poker Based on Discrete Logarithm Problem
Alice. to themsends and,521for )(mod computes Bob .prearrange some via modulo
,, , numbersdistinct 52 tochanged are cards 52 The (2)also.) handeach for used be could and , ,different (A
. )1( 1mod such that computes and 1,)1,gcd( with interger secret a chooses Bob . )1( 1mod
such that computes and 1,)1,gcd( with interger secret a chooses Alice . prime eappropriatan on agree Bob and Alice (1)
session.poker theachieve tosteps following thePerformcards. fivedealt ispalyer each :RESULT
channel. public aover messages 4 exchange Bob and Alice palyers :SUMMARY
problem logarithm discreteon based protocolPoker
5221
ipcbp
cccp
ppp
pp
ii
2 Protocol
5.2 Poker Based on Discrete Logarithm Problem (Continued)
hand. his him gives This .51for )(mod
computes whoBob, back to themsends and , ,
, , numbers theof more five chooses then Alice (5)hand.her Alice
gives This power. the toraises whoAlice, tothem sends and ,power the tonumbers theseraises Bob (4)
Bob. tonumbers thesesends and ,51for )(mod
computes , , , , numbers five chooses Alice (3))(Continued problem
logarithm discreteon based protocolPoker
5
21
521
jpb
b
bb
jpb
bbb
j
j
k
k
kk
i
iii
2 Protocol
AliceBob
521for )(mod ipcb ii
51for jbjk
)(mod)) (( pbcjj ii
)(mod) ( pbjk
51for )(mod jpbji
51for )(mod) ( jpbji
5.2 Poker Based on Discrete Logarithm Problem (Continued)
5.2 Poker Based on Discrete Logarithm Problem (Continued)
). modulo are es(congruenc calculates now Bob.200508901 computes Bob and 024062734
compute Alice 7654321.secret his chooses Bob and 1234567secret her chooses Alice .2396271991 be prime Let the
10305.ace 11091407,king,1721050514queen 10010311,jack 200514,ten:following
thehave weso,,02,01 using numbers tocards theChange card. onedealt isplayer Each ace. king, queen, jack, ten,
:cards fiveonly are there wheregame simplified aconsider sLet'
p
p
ba
4 Example
5.2 Poker Based on Discrete Logarithm Problem (Continued)
). (mod17005360071230896099
:Alice back toit sends and power the to thisraises Bob). (mod1230896099914012224
:Bob it to sends and ,power theit to raises-fourth theexample,for -numbers theseof one choosingby cardher chooses now Alice.74390103 ,914012224 ,2337996540 ,1112225809 ,1507298770
:Alice to themsends andnumber theseshuffles He.111222580910305
233799654011091407
743901031721050514
150729877010010311
914012224200514
)(Continued
p
p
4 Example
5.2 Poker Based on Discrete Logarithm Problem (Continued)
ten. thewasAlice sent to he card that theshow and computequickly can
Bob king. thehas she claim to triesAlice Suppose . and secret their reveal then Bob and Alice cheating,prevent To
jack. theis card his Therefore,. ) od10010311(m1507298770
computes Bob Bob. back toit sending and1507298770 example,for -received she cards original the
of one choosingsimply by card sBob' chooses Alice Now ten. the thereforeis cardHer
). (mod2005141700536007
:power the to thisraises now Alice)(Continued
p
p
4 Example
5.2 Poker Based on Discrete Logarithm Problem (Continued)
residue.-non quadratic a is if ), (mod1residue quadratic a is if ), (mod1
:residue-nonor residue quadratic a is)(mod0number anot or whether decide oeasy way tan is There (2)
problems. logarithm discrete aresolve toneeds Alice that equations But these .)(mod
form theof equations solve toneed wouldAlice
means This . card dunencrypte fixed a toscorrespond card encrypted which guess could She cards. sBob' deduce toAlicefor difficult quite be toseemsIt (1)
concerns.Security
21
cpcp
c
pc
pb
c
cb
p
i
j
i
i
5.2 Poker Based on Discrete Logarithm Problem (Continued)
example. following the theSee result. thisusing Bobover advantagean gainsmay Alice cards. the ofpower and the toapplies alsostatement
ingcorrespond The residue. quadratic a is ifonly and
if modulo residue quadratic a is that meansIt
).(mod
and , toencrypted
is cardA odd. are and e,1.Therefor)1 ,gcd( and 1)1 ,gcd( needed that weRecall
)(Continued concerns.Security
21
21
21
c
pc
pccc
c
cpp
ppp
5.2 Poker Based on Discrete Logarithm Problem (Continued)
residues. quadratic are cards remaining theall whileresidue,-non a is ace only the so
,110305
111091407
11721050514
110010311
1200514
fact,In random.not was prime of choice The example. simplified thereturn to sLet'
21
21
21
21
21
p
p
p
p
p
p 5 Example
5.2 Poker Based on Discrete Logarithm Problem (Continued)
. ace theiscardher that finds she course, Of .power theit to raises whoAlice,
back toit sends and power theit to rasies He Bob. it to sendsthen ,power theit to raises She .1112225809 is ace heher that t tellsThis
.174390103
1914012224
12337996540
11112225809
11507298770
computes she hand,her choosing is AliceWhen )(Continued
21
21
21
21
21
p
p
p
p
p
5 Example
Thank you!