Créer une présentation
Télécharger la présentation

Télécharger la présentation
## CHAPTER 11 : Protocols to do seemingly impossible

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**CHAPTER 11:Protocols to do seemingly impossible**A protocol is an algorithm two (or more) parties have to follow to perform a communication/cooperation. A cryptographical protocol is a protocol to achieve securecommunication during some goal oriented cooperation. In this and next chapter we deal with a variety of cryptographicalprotocols that allow to solve seemingly unsolvable problems. An important goal of the chapter is to showcryptographic protocols for such basic cryptographic primitives asbit commitment and oblivious transfer. As an application we discuss and illustrate voting schemes. IV054 Protocols to do seemingly impossible**IV054**COIN-FLIPPING BY PHONE PROTOCOLS • Coin-flipping by telephone:Alice and Bob got divorced and they do not trust each other any longer. They want to decide, communicating by phone only, who gets the car. Protocol 1 Alice sends Bob messages head and tail encrypted by a one-way function f. Bob guesses which one of them is encryption of head. Alice tells Bob whether his gess was correct. If Bob does not believe her, Alice sends f to Bob. Protocol 2 Alice chooses two large primes p,q, sends Bob n=pq and keeps p,q secret. Bob chooses a random number yÎ{1,…,n / 2}, sends Alice x=y2mod n and tells Alice: if you guess y correctly, car is yours. Alice computes four square roots (x1,n-x1) and (x2,n-x2) of x. Let x1‘=(x1,n-x1),x2‘=(x2,n-x2). Since yÎ{1,…,n/ 2}, either y=x1' ory=x2'. Alice then guesses whether y=x1' or y=x2' and tells Bob her choice (for example by reporting the position and value of the leftmost bit in which x1' and x2' differ). Bob tells Alice whether her guess was correct. (Later, if necessary, Alice reveals p and q, and Bob reveals y.) Protocols to do seemingly impossible**IV054**BIT COMMITMENT PROTOCOLS (BCP) • Basic ideas and solutions I • In a bit commitment protocol Alice chooses a bit b and gets committed to b, in the following sense: • Bob has no way of knowing which commitment Alice has made, and Alice has no way of changing her commitment once she has made it; say after Bob announces his guess as to what Alice has chosen. • An example of a “pre-computer era'' BCP is that Alice writes hercommitment on a paper, locks it in a box, sends the box to Bob and, in the opening phase, she sends also key to Bob. Complexity era solution I. Alice chooses a one-way function f and an even (odd) x if she wants to commit herself to 0 (1) and sends to Bob f(x) and f. Problem: Alice may know an even x1 and an odd x2 such that f(x1)=f(x2). Complexity era solution II. Alice chooses a one-way function f, two random x1,x2 and a bit b she wishes to commit to, and sends to Bob (f(x1,x2,b),x1) - a commitment. When times comes for Alice to reveal her bit she sends to Bob f and the triple (x1,x2,b). Protocols to do seemingly impossible**IV054**BIT COMMITMENT SCHEMES I • The basis of bit commitment protocols are bit commitment schemes: • A bit commitment scheme is a mapping f: {0,1} xX®Y, whereX and Yare finite sets. • A commitment to a bÎ{0,1}, or an encryption of b, is anyvalue (called blow) • f(b,x), xÎX. • Each bit commitment protocol has twophases: • Commitment phase: The sender sends a bit b he wants to commit to, in encrypted form, to the receiver. • Opening phase: If required, the senders sends to the receiver additional information that enables the receiver to get b. • . Protocols to do seemingly impossible**BIT COMMITMENT SCHEMES II**• Each bit commitment scheme should have three properties: • Hiding: For no bÎ{0,1} and xÎX, it is feasible for Bob to determine b fromB=f(b,x). • Binding:Alice can “open'' her commitment B, by revealing (opening) xand b such that B=f(b,x), but she should not be able to open a commitment (blow) B as both 0 and 1. • Viability: If both, the sender and the receiver follow the protocol, the receiver will always recover the committed value. Protocols to do seemingly impossible**IV054**TWO BIT COMMITMENT SCHEMES • Bit commitment scheme I. p, q are large primes, n=pq, mÎQNR(n), X=Y= = Zn*, n,m are public. • f(b,x)=mbx2mod n. • Since computation of quadratic residues is in general infeasible, thisbit commitment scheme is hiding. • Since mÎQNR(n), there are nox1, x2 such that mx12=x22modn and therefore the scheme isbinding. Bit commitment scheme II. p is a large Blume prime, X={0,1,…, p-1}= Y, is aprimitive element of Zp*. where Binding property of this bit commitment scheme follows from thefact that in the case of discrete logarithms modulo Blum primes thereis no effective way to determine second least significant bit (SLB) ofdiscrete logarithm. Protocols to do seemingly impossible**IV054**COIN TOSSING BY PHONE- revisited • Each bit commitment scheme can be used to solve coin tossing by phone problem as follows: • Alice tosses a coin, commits itself to its outcome bA (say heads =0, tails =1)and sends the commitment to Bob. • Bob also tosses a coin and sends the outcome bB to Alice. • Alice open her commitment. • Both Alice and Bob compute b=bAĹbB. Observe that if at least one of the parties follow the protocol, that is it tosses a random coin, the outcome is indeed a random bit. Note: If the hiding or the binding property of a commitment protocoldeepends on the complexity of a computational problem, we speak about computational hiding and computational binding. In case, the binding or the hiding property does not depend on the complexity of a computational problem, we speak about unconditional hiding or unconditional binding. Protocols to do seemingly impossible**IV054**A commitment scheme based on discr. log. • Alice commits herself to an mÎ{0,…,q-1}. • Scheme setting: • Bob randomly chooses primes p and q such that • q |(p-1). • Bob chooses random generators of the subgroup G of order qÎZn*. • Bob sends p,q,g and v to Alice. • Commitment phase: • Alice verifies commitment phase. To commit to an mÎ{0,…,q-1},she chooses a random rÎ{0,…,q-1}, and sends c=grvm to Bob. • Opening phase: • Alice sends r and m to Bob who then verifies whether c=grvm. Protocols to do seemingly impossible**IV054**COMMENTS • If Alice, commited to an m, could open her commitment as , then and therefore • Hence, Alice could commpute lggv of a randomly chosen element vÎG, what contradicts the assumption that computation of discrete logarithms in G is infeasible. • Since g and v are generators of G, then gr is a uniformly chosen random element in G, perfectly hiding vm and m in grvm, as in the encryption with ONE-TIME PAD cryptosystem. Protocols to do seemingly impossible**BIT COMMITMENT using ENCRYPTIONS**• Commit phase: • Bob generates a random string r and sends it to Alice • Alice commit herself to a bit b using a key k through encryption • Ek(rb) • and sends it to Bob. • Opening phase: • Alice sends the key k to Bob. • Bob decrypts the message to learn b and to verify r. • Comment: without Bob’s random string r Alice could find a different key k1 • such that ek(b)=ek1(¬b). Protocols to do seemingly impossible**IV054**COMMITMENTS and ELECTRONIC VOTING • Let com(r,m)=grvm denote commitment to m in the commitment scheme based on discrete logarithm. If r1,r2,m1,m2Î{0,…,q-1}, then • com(r1,m1) × com(r2,m2)=com(r1 +r2,m1 +m2). • Commitment schemes with such a property are called homomorphic commiment schemes. • Homomorphic scemes can be use to cast yes-no votes of n voters V1,…, Vn, by trusted center T for whom eT and dT are ElGamal encryption and decryption algorithms. • Each voter Vi chooses his vote miÎ{0,1}, a random rIÎ{0,…, q-1} and computes his voting commitment cI=com(ri,mi). Then Vi makes ci public and sends eT(gri) to T who computes • whereand makes public gr. • Now, anybody can compute the result s of voting from publically known ci and gr since • with • s can be derived from vs by computing v1, v 2,v3,… and comparing with vs if the number of voters is not too large. Protocols to do seemingly impossible**IV054**OBLIVIOUS TRANSFER PROBLEM • Story:Alice knows a secret and wants to send secret to Bob in such a way that he gets secret with probability1/2, and he knows whether he got secret, but Alice has no idea whether he received secret. (Or Alice has several secrets and Bob wants to buy one of them but he does not want that Alice knows which one he bought.) Oblivious transfer problem:Design a protocol for sending a message from Alice to Bob in such a way that Bob receives the message with probability1/2 and “garbage'' with the probability1/2. Moreover, Bob knows whether he got the message or garbage, but Alice has no idea which one he got. • Solution: protocol • Alice chooses two large primes p and q and sends n=pq to Bob. • (2) Bob chooses a random number x and sends y=x2mod n to Alice. • (3) Alice computes four square roots ± x1, ±x2 of y (mod n) and sends one of them to Bob. (She can do it, but has no idea which of them is x.) • (4) Bob checks whether the number he got is congruent to x. If yes, he has received no new information. Otherwise, Bob has two different square roots modulo n and can factor n. Alice has no way of knowing whether this is the case. Protocols to do seemingly impossible**1-OUT-OF-2 oblivious transfer problem**• The 1-out-of-2 oblivious transfer problem: Alice sends two messages to Bob in such a way that Bob can choose which of the messages he receives (but he cannot choose both), but Alice cannot learn Bob’s decision. • A generalization of 1-out-of-2 oblivious transfer problem is two-party oblivious • circuit evaluation problem: • Alice has a secret i and Bob has a secret j and they both know some function f. • At the end of protocol the following conditions should hold: • Bob knows the value f(i,j), but he does not learn anything about i. • Alice learns nothing about j and nothing about f(i,j). • Note: The 1-out-of-2 oblivious transfer problem is the instance of the oblivious circuit evaluation problem for i=(b0,b1), f(i,j)=bj. Protocols to do seemingly impossible**IV054**Mental poker playing by phone -two players • Basic requirements: • All hands (sets of 5 cards) are equally likely. • The hands of Alice and Bob are disjoint. • Both players know their own hand but not that of the opponent. • Each player can detect eventual cheating of the other player. • A commutative cryptosystem is used with all functions kept secret. • Players agree on numbers w1,…,w52 as the names of 52 cards. Protocol: (1) Bob shuffles cards, encrypts them with eB, and tells eB(w1),…, eB(w52), in a randomly chosen order, to Alice. (2) Alice chooses five of the items eB(wi) as Bob's hands and tells them Bob. (3) Alice chooses another five of eB(wi), encrypt them with eA and sends to Bob. (4) Bob applies dB to five values eA(eB(wi)) he got from Alice and sends eA(wi) to Alice as Alice's hands. Remarque: The cryptosystem that is used cannot be public-key in the normal sense. Otherwise Alice could compute eB(wi) and deal with the cards accordingly - a good hand for B but slightly better for herself. Protocols to do seemingly impossible**IV054**Mental poker with three players • Alice encrypts 52 cards w1,…,w52 with eA and sends them in a random order to Bob. • Bob, who cannot read the cards, chooses 5 of them, randomly. He encrypts them with eB, and sends eB(eA(wi)) to Alice and the remaining 47 encrypted messages eA(wi) to Carol. • Carol, who cannot read any of the messages, chooses five at random, encrypts them with her key and sends AliceeC(eA(w_i)). • Alice, who cannot read encrypted messages from Bob and Carol, decrypt them with her key and sends back to the senders, • fivedA(eB(eA(wi)))=eB(wi) to Bob, • five dA(eC(eA(wi)))=eC(wi) to Carol. • Bob and Carol decrypt the messages to learn their hands. • Carol chooses randomly 5 other messages eA(wi) from the remaining 42 and sends them to Alice. • Alice decrypt messages to learn her hands. • Additional cards can be dealt with in a similar manner. If either Bob or Carol wants a card, they take an encrypted message eA(wi) and go through the protocol with Alice. If Alice wants a card, whoever currently has the deck sends her a card. Protocols to do seemingly impossible**IV054**SECURE ELECTIONS • The ideal voting protocol should have at least the following properties: • 1. Only authorized voters can vote. • 2. No one can vote more than once. • 3. No one can determine for whom anyone else voted. • 4. No one can change anyone else vote without being discovered. • 5. All voters can make sure that their votes were counted. • Additional requirement: Everyone knows who voted and who didn't. • Very simple voting protocol I. • All voters encrypt their vote with the public key of a Central Election Board (CEB). • All voters send their votes to the CEB. • CEB decrypts votes, tabulates them and makes the result public. • The protocol has problem with some of the required properties. • Simple voting protocol II. • Each voter Vi signs his/her vote vi with his/her private key – dVi (vi). • Each voter encrypts his/her signed vote with the CEB's public key – eCEB(dVi(vi)). • All voters send their votes to CEB. • CEB decrypts the votes, verifies signatures, tabulates votes and makes the result public. Protocols to do seemingly impossible**IV054**Voting protocol(Nurmi, Salomaa, Santean, 69) • CEB publishes a list of all legitimate voters. • Within a given deadline, everybody intended to vote reports his/her intention to CEB. • CEB publishes a list of voters participating in elections. • Each voter V receives an identification number, i, using a special protocol that very likely assigns different numbers to different users. • Each voter V creates a public encryption function eV and secret decryption function dV. • *If v is a vote of the voter V, then V generates the following message and sends it to CEB: • (i,eV(i,v)) • The CEB acknowledges the receipt of the vote by publishing eV(i,v). • Each voterV sends to CEB the pair (iV,dV). • The CEB uses dV to decrypt the vote (i,eV(i,v)). • At the end of the elections CEB publishes the results of the election and, for each different vote, the list of all eV(i,v)-values that contained that vote. • It is possible that two voters get the same identification number. In such a case, the • CEB generates a new identification number, i1, chooses one of two votes, and publishes: (i1,eV(i,v)). The owner of that vote recognizes that and sends in a second vote, repeating step (*) with the new identification number i1. Protocols to do seemingly impossible**IV054**Anonymous money order • Digital cash idea has one big problem: how to hide to whom you gave the money. • Protocol 1 • (1) Alice prepares 100 anonymous money order for 1000$. (2) Alice puts one money order, and a piece of carbon paper, into each of 100 different envelopes and gives them to the bank. (3) The bank opens 99 envelopes and confirms that each is a money order for 1000$. (4) The bank signs the remaining unopened envelope. The signature goes through the carbon paper to the money order. The bank hands the unopened envelope back to Alice and deletes 1000$ from her account. (5) Alice opens the envelope and spends the money order with a merchant. (6) The merchant checks for the bank's signature to make sure the money order is legitimate. (7) The merchant takes the money order to the bank. (8) The bank verifies its signature and credits $1000 to the merchnt's account. (Alice has a 1% chance of cheating - the bank can make penalty for cheating so large that this does not pay of.) Protocols to do seemingly impossible**IV054**Multi-authority election scheme • Basic idea: • There are many voters and an n-member election boards. • Voting is an YES-NO voting and majority of votes decides. • Election Board uses El Gamal public key with trapdoor information y. • A Central Authority uses Shamir's (n,t)-secret sharing scheme to distribute (secret) yto all n members of election board with member Mi geting secret share yi. • During voting each voter Vi commits himself to a vote vi ε {1,-1} by encrypting it with the election board public key and sends the outcome to publically accessible common memory of the Election Board. • Since ElGamal commitment scheme is homomorphic election board can compute encrypted version of the sum of votes vi. • After elections are over, everybody can get the result of the voting provided t members of the election board cooperate with him. Protocols to do seemingly impossible