Lecture 13 Secret Sharing Schemes and Game
Secret sharing schemes are multi-party protocols related to key establishment. The original motivation for secret sharing was the following. To safeguard cryptographic keys from loss, it is desirable to create backup copies. The greater the number of copies made, the greater the risk of security exposure; the smaller the number, the greater the risk that all are lost. Secret sharing schemes address this issue by allowing enhanced reliability without increased risk.
One of the major contributions of modern cryptography has been the development of advanced protocols. These protocols enable users to electronically solve many real world problems, play games, and accomplish all kinds of intriguing and very general distributed tasks. The goal of this lecture is to give a brief introduction to flipping coins and mental poker over the telephone.
Outline Scenarios for Secret Sharing
Secret Splitting Threshold Schemes Flipping Coins over the Telephone Poker over the Telephone
1 Scenarios for Secret Sharing 1.1 For Secret Splitting
Imagine that you’ve invented a new, extra gooey, extra sweet, cream filling or a burger sauce that is even more tasteless than your competitors’. This is important; you have to keep it secret. You could tell only your most trusted employees the exact mixture of ingredients, but what if one of them defects to the competition? There goes the secret, and before long every grease palace on the block will be making burgers with sauce as tasteless as yours.
This calls for secret splitting. There are ways to take a message and divide it up into pieces. Each piece by itself means nothing, but put them together and the message appears. If the message is the recipe and each employee has a piece, then only together can they make the sauce. If any employee resigns with his single piece of the recipe, his information is useless by itself.
However, it has a problem: If any of the pieces gets lost, so does the message. If one employee, who has a piece of the sauce recipe, goes to work for the competition and takes his piece with him, the rest of them are out of luck. He can’t reproduce the recipe, but neither can work together. His piece is as critical to the message as every other piece combined.
1.2 For Threshold Schemes You’re setting up a launch program for a
nuclear missile. You want to make sure that no single raving lunatic can initiate a launch. You want at least three out of five officers to be raving lunatics before you allow a launch. This is easy to solve. Make a mechanical launch controller. Give each of the five officers a key and require that at least three officers stick their keys in the proper slots before you’ll allow them to blow up whomever we're blowing up this week.
We can get even more complicated. Maybe the general and two colonels are authorized to launch the missile, but if the general is busy playing golf then five colonels are required to initiate a launch. Make the launch controller so that it requires five keys. Give the general three keys and the colonels one each. The general together with any two colonels can launch the missile; so can the five colonels. However, a general and one colonel cannot; neither can four colonels.
A more complicated sharing scheme, called a threshold scheme, can do all of this and more—mathematically. At its simplest level, you can take any message (a secret recipe, launch codes, your laundry list, etc.) and divide it into n pieces, called shares or shadows, such that any m of them can be used to reconstruct the message.
One can divide his secret sauce recipe among Alice, Bob, Carol, and Dave, such that any three of them can put their shadows together and reconstruct the message. If Carol is on vacation, Alice, Bob, and Dave can do it. If Bob gets run over by a bus, Alice, Carol, and Dave can do it. However, if Bob gets run over by a bus while Carol is on vacation, Alice and Dave can't reconstruct the message by themselves.
2 Secret Splitting2.1 Dual Control by Modular Addition
.recover
to modulo themsums which device, theinto estheir valu
enter separately then and ly.respective , and parties
two to) (mod and values thegives and 1,
1number random a generates party A trusted used. be
may scheme following thenumber, thisknows party) trusteda
n (other tha individual singleany that eundesirabl isit reasons,
loperationafor but key), seed a (e.g., device a into entered be
must ,integer somefor 1 0 ,number secret a If
11
1
S
m
BABA
mSSSm
ST
mmSS
2.1 Dual Control by Modular Addition (Continued)
it. trigger torequired are people two-control
dualunder be tosaid is requiringaction Any
people. obetween twsplit is secret theof knowledge
-scheme knowledge-split a of examplean is This )2(
1. and 0between number random a is possesses
each value thesince ,about n informatioany has one
neither then collude, not to trustedare and If (1)
S
S
m
S
BA
Comment.
2.2 Unanimous Consent Control by Modular Addition
). (mod
as recovered issecret The ). (mod
given is while,given are through Parties
1. 1 1, 0 , numbers randomt independen
1 generates :follows as ,recover order toin required
are whomof all users, among divided bemay secret the
thatso dgeneralizeeasily is above scheme control dual The
1
11
11
mS
SmSSS
PSPP
timSS
tTS
t S
iti
itit
tit
ii
2.2 Unanimous Consent Control by Modular Addition (Continued)
necessary. are trials2 piece,bit -56 agiven
isparty each if while trials,2only requiresparty oneby search
exhaustive key, theof bits 28given each are parties twoif 2,
and 56 for example,For each. bits / of pieces intokey bit -
an ngpartitionihan security tgreater provides This length.-full be
should scheme controlsplit ain componentskey individual The )2(
.loglength -bit fixed of and
valuesdata using OR,-exclusiveby replaced bemay operations
modulo above, scheme control dual in the and hereBoth (1)
56
28
2
t
rtrtr
mSS
m
i
Comment.
3 Threshold Schemes
pieces. no
knowingover opponent an tosense) theoretic-ninformatio the
in r, whatsoeveabout n informatio (no advantage no provide
sharesfewer or 1only knowingin which scheme threshold
a is scheme resholdperfect thA not.may sharesfewer or 1
only knowing groupany but ,recover easily may sharestheir
pool whousers moreor any : trueis following thesuch that
,user to sdistributesecurely and ,secret initialan from
1 , sharessecret computesparty trustedaby which
method a is )( scheme threshold) ,(
S
t
t
S
t
PSS
niS
ntntA
ii
i
1 Definition
itself.key the toaccess haven rather tha triggered,
isaction an that seeonly need tsparticipan and control, shared
is objective the wheresystemsfor eappropriat is This device.
combining trusteda usingby done bemay as secret, recovered
theof value theaccessing from s themselvemembers group
prevent tois method One users.other of shares thededucing
from tsparticipanprevent tonecessary are controls security,
decreased without reused be tois scheme thresholda If )2(
scheme. threshold
) ,( a is scheme controlconsent unanimous thewhilescheme,
threshold2) (2, a of examplean is scheme control dual The (1)
tt
Comment.
3.1 Shamir’s Threshold Scheme
. )(
, modulo polynomial random thedefining 1,0
, , , tscoefficient independen random, 1 selects (1.2)
. defines and ), ,(max prime a chooses (1.1)
users. among distribute toit wishes
0integer secret a with begins party trustedThe . (1)
.recover
can shares their pool which users of groupany :RESULT
users. to
secret a of shares sdistributeparty trusteda :SUMMARY
scheme threshold) ,( sShamir'
1
0
11
0
t
j
jj
j
t
xaxf
ppa
aatT
SanSpT
n
STSetup
S
t
nS
nt
1 Mechanism
3.1 Shamir’s Threshold Scheme (Continued)
. (0) notingby recovered is
secret The ion.interpolat Lagrangeby )( of 1 1
, tscoefficien theofn computatio allowing ) ,(
) ,( pointsdistinct provide sharesTheir shares.their
pool users moreor of groupAny shares. of Pooling (2)
.index public with along ,user to share
theransferssecurely t and 1), 1 , pointsdistinct
any for (or 1 ,) (mod )( computes (1.3)
)(Continued scheme threshold) ,( sShamir'
0 Saf
xftj
aSi
yxt
t
iPS
piin
nipifST
nt
ji
ii
i
1 Mechanism
3.1 Shamir’s Threshold Scheme (Continued)
. where,
:as expressed bemay secret shared the, (0) Since
.)(
:formulaion interpolat Lagrange the
by given are , 1 ), ,( pointsby defined , thanless
degree of )( polynomialunknown an of tscoefficien The
ion.interpolat LagrangeAbout
11
0
11
ijtj ji
ji
t
iii
ijtj ji
jt
ii
ii
xx
xcycS
Saf
xx
xxyxf
tiyx t
xf
3.1 Shamir’s Threshold Scheme (Continued)
computed.
-pre bemay users , of group fixed afor that
meansIt constants.secret -non are theSince (2)
. shares ofn combinatio
linear a as computemay member groupEach (1)
Explain.
t
c
yt
S
i
i
3.1 Shamir’s Threshold Scheme (Continued)
.147)1039110787 (8, 28)9734416803 (7,
73)8521360505 (6, 82)6751938978 (5, 55)4426152222 (4,
92)1544000236 (3, 326)1045116192 (2, 91)6456279478 (1,
:personeach toone pairs, following thedistribute weTherefore,
8. ,2, 1, where), ,( pairs peopleeight thegive now We
.6651206749628394829430288201905031805)(
work withsLet' . )( polynomial theform
and moduluo and numbers random Choose .67890113
12345 prime a Choose .201905031805number theis
secret theSuppose scheme. threshold-8) (3, aconstruct sLet'
2
221
21
iSi
xxxf
xaxaSxf
pa a
pS
i
1 Example
3.1 Shamir’s Threshold Scheme (Continued)
secret. the
is which ,201905031805 ermconstant t theisabout care they All
.6651206749628394829430288201905031805
obtain
to moduluo reduce and ,807407407340by 1/5 replace they So,
).(mod18074074073405
But,
.)5/7931095476582(42719861927514728/52070560214
:points heir three through tpasses polynomial following that the
calculate they ,polynomialion interpolat Lagrange Usingsecret.
thedetermine toecollaborat want to7 and 3, 2, persons Suppose
)(Continued
2
2
xx
p
p
xx
1 Example
3.1 Shamir’s Threshold Scheme (Continued)
).6651206749628
,394829430288 ,201905031805() , ,( yields This
),1131234567890(mod
289734416803
921544000236
3261045116192
4971
931
421
:following thesolve toneed they would
instead,approach systemlinear thechose 7 and
3, 2, persons If secret. obtain the and polynomial
t thereconstruc could people any three Similarly,
)(Continued
21
2
1
aaS
a
a
S
1 Example
3.1 Shamir’s Threshold Scheme (Continued)
users. existing of shares affecting
without ddistribute and computed bemay users)
new(for shares New users. newfor Extendable (3)
secret. theof size theis share one of size The Ideal. (2)
probable.equally remain
secret shared theof 1 0 valuesall shares,
fewer or 1any of knowledgeGiven Perfect. (1)
scheme. thresholdsShamir' of Properties
pS
t
3.1 Shamir’s Threshold Scheme (Continued)
problems). theoretic-number of difficulty
about the (e.g., sassumptionunproven any on
rely not doessecurity itsschemes, hiccryptograp
many Unlikes.assumptionunproven No (5)
structure. access the
changing o without tindividualupon that control
more bestows shares multipleuser with single a
Providing possible. control of levels Varying (4)
3.2 Vector Scheme
point. thedeterminesexactly
shyperplane theof any ofon intersecti The point.
theincludes that hyperplane ldimensiona-1)(an
ofequation theis shadowEach space. ldimensiona
-in point a as defined is message The space.
in points using scheme a inventedBlakley George
t
t
t
3.2 Vector Scheme (Continued)
share. theas user each
to hyperplane theransferssecurely t and
,)(mod setting , 1 , modulo
, , tscoefficient independen random, 1 chooses (1.2)
. modulo space ldimensiona-in )
, ,, ,(point a defines and modulorandomly
, ,, chooses . prime a chooses (1.1)
users. among distribute toit wishes
integer secret a with begins party trustedThe . (1)
.recover
can shares their pool which users of groupany :RESULT
users. to
secret a of shares sdistributeparty trusteda :SUMMARY
scheme threshold) ,( sBlakley'
2
01
2
012
0
1
210
1210
0
i
it
j jijt
t
j jijt
iit
i
t
t
P
yxax
psasynipa
atT
pts
sssQp
sssTspT
ns
STSetup
S
t
nS
nt
2 Mechanism
3.2 Vector Scheme (Continued)
.
notingby recovered issecret The. modulo inverted becan matrix
the, modulo nonzero ismatrix thisoft determinan theas long As
).(mod
1
1
1
equationmatrix theyieldThey . 1 , users
example,For ). , ,, ,(point theofn computatio
allowing shyperplanedistinct provide sharesTheir shares.their
pool users moreor of groupAny shares. of Pooling (2)
0
2
1
1
1
0
10
21
20
11
10
1210
Ss
p
p
p
y
y
y
s
s
s
aa
aa
aa
tiPt
ssssQ
t
t
tt
tt
i
t
3.2 Vector Scheme (Continued)
.491934 :E
161257 :D
186536 :C
102752 :B
68194 :A
:planes following
theE D, C, B, A, people five thegive weSuppose
73.Let scheme. threshold-5) (3, aconstruct sLet'
102
102
102
102
102
xxx
xxx
xxx
xxx
xxx
p
2 Example
3.2 Vector Scheme (Continued)
.recover tocooperatecan
E D, C, B, A, of any three ,Similarity . 42 is
secret theso 57), 29, (42,) , ,( issolution The
).73(mod
18
10
68
16536
12752
1194
solve they secret, erecover th to wantsC B, A, If
)(Continued
0
210
2
1
0
S
xS
xxx
x
x
x
2 Example
3.2 Vector Scheme (Continued)
).,( versus) , , ,( :methodShamir in the than those
person each by carried be n toinformatio more requiresIt (3)
.invertible always ismatrix that theso
, , tscoefficien choose to waysarrange tohard benot
It would .guaranteednot is is though th,invertible ismatrix
t thelikely tha very isit large, reasonably is as long As )2(
pieces. no knowing
over opponent an toadvantage some is there,coordinate
one than more ddistributebeen hassecret theIf secret. the
carry toused be should coordinate oneonly that Note (1)
20
2
0
yxyaa
a
a
p
iit
i
it
i
Comment.
3.3 Secret Sharing with Cheaters
Colonels Alice, Bob, and Carol are in a bunker deep below some isolated field. One day, they get a coded message from the president: “Launch the missiles. We’re going to eradicate the last vestiges of neural network research in the country.” Alice, Bob, and Carol reveal their shares, but Carol enters a random number. She’s actually a pacifist and doesn't want the missiles launched. Since Carol doesn't enter the correct share, the secret they recover is the wrong secret. The missiles stay in their silos. Even worse, no one knows why.
3.3 Secret Sharing with Cheaters (Continued)
). (i.e., incorrect""but 1}), ,1, {0, (i.e.,
legal"" is tedreconstruc secret the, and , ,
, , from that,meanst participanth thedeceiving
Here, .t participanth a deceive that , , ,
shares new fabricatecan , , , tsparticipan
1any that 0 y probabilit small aonly is There
1}. ,1, {0, secret theSuppose
1
21
121
121
SSsS
SSS
SSt
itSSS
iii
t
sS
tt
t
ii
ii
tiii
t
1 Property
3.3 Secret Sharing with Cheaters (Continued)
).( where), ,( Let
1}. , 2, {1, from elementsdistinct of nspermutatio all
among fromrandomly anduniformly ) , , ,( Choose (3)
. )( , modulo polynomial
random thedefining 1,0 , , , tscoefficien
t independen random, 1select and Define (2)
). , 1)/1)( max(( primeany Choose (1)
0.>any for , than less is cheating undetected ofy probabilit
that theso scheme sShamir'modify :SUMMARY
scheme threshold) ,( sShamir' Modified
21
1
0
11
0
iiiii
n
t
j
jj
jt
xqddxS
pn
xxx
xaxqp
paaa
tSa
nttsp
nt
3 Mechanism
3.3 Secret Sharing with Cheaters (Continued)
. and )( )( ifonly
secret incorrect t thereconstruc willt Participan
points. 1most at in )(intersect can )(
polynomial asuch , If above. points fabricated
theand ) (0,point he through tpassing 1most at
degree of )( polynomialdistinct a defines }1
, 1, {0, 'secret possibleEach .t participan
tosend to), ,( ,), ,( ), ,( values
fabricate , , , tsparticipan Suppose Proof.
112211
121
SSxqxq
Si
txqxq
SS
St
xqs
Si
dxdxdx
iii
tt
tt
iiS
t
S
S
t
iiiiii
t
3.3 Secret Sharing with Cheaters (Continued)
.))/(1()1(most at is t participan
deceiving ofy probabilit theThus ).)/(1(
most at y probabilit with t participan deceive
wouldspolynomial theseof oneAny s.polynomial
ingcorrespond 1 yield valuesfabricated theso secrets,
incorrect but legal 1 are There ).)/(1(
mostat is )( )(y that probabilit the
with )( polynomialeach for Thus
}. ,, ,{- } 1 , 2, {1, ofelement
random a is that Recall ).(Continued Proof
121
tptsi
tpt
i
s
stpt
xqxq
SSxq
xxxp
x
t
t
iiS
iS
iii
i
tt
t
t
t
4 Flipping Coins over the Telephone 4.1 Scenario A friend, not realizing that Alice and Bob are
no longer together, leaves them a car in his will. How do they decide who gets the car? Bob phones Alice and says he’ll flip a coin. Alice chooses “tails” but Bob says “sorry, it was heads.” So Bob gets the car. For some reason, Alice suspects Bob might not have been honest. She resolves that the next time this happens, she'll use a different method.
4.2 A Problem Solution
Here is a thought. Alice picks a random bit b1 and sends it to Bob, and Bob picks a random bit b2 and sends it to Alice, and the value of the coin is b1 b2. The problem is who goes first. If Alice goes first, Bob will choose b2 to make the coin whatever he wants. Not fair.
4.3 Requirements for Fair Flipping Coin
(1) Bob must flip the coin before Alice guesses.
(2) Bob must not be able to re-flip the coin after hearing Alice’s guess.
(3) Alice must not be able to know how the coin landed before making her guess.
4.4 Flipping Coin Using Square Roots
wins.Bob
), (mod If wins.she that Alice tellsBob), (mod If (4)
Bob. to
it sends and ,say random,at one chooses She . modulo of ,
roots squarefour thefind to and of knowledgeher uses Alice (3)
Alice. tosendsbut secret keeps He
).(mod computes and integer random a chooses Bob (2)
Bob.
toproduct thesendsbut secret themkeeps She 4. mod 3 to
congruentboth ,and primes random large twochooses Alice (1)
session.coin flippingeach achieve tosteps following thePerform
coin. flippingin guess the winsBobor Alice :RESULT
channel. public
aover messages 4 exchange Bob and Alice users :SUMMARY
roots square using protocolcoin Flipping
2
nxbnxb
bnyba
qp
yx
nxyx
q pn
qp
1 Protocol
Alice Bob
qpn
y
b
)( winsBobor
)( winsAlice
xb
xb
n
2xy
yba 22
4.4 Flipping Coin Using Square Roots (Continued)
4.4 Flipping Coin Using Square Roots (Continued)
. ofion factorizat for the Bob askingby
cheatt didn' Bob check thatcan Alice So case. in this and
produce toable benot should he Therefore, .number
thehimsent Alice when had hen than informatio more
no has Bob , Bob sends Alice If sends. Alice valuethe
minusor plusnot is of valuehis when be would and
factors theproduce could Bobonly way the,factor to
infeasiblenally computatio isit if Therefore, . offactor
nontrivial a gives ),gcd( ,particularin .factor
can he so ), (mod of roots squarefour all knows
Bob then ), (mod and Bob to sends Alice If
Explain.
n
q
pn
x
xqp
n
n
nbxn
ny
naxb
4.4 Flipping Coin Using Square Roots (Continued)
). (mod2623334103
93785035or 6186768891012103737 yield toways
fourin together theseputs theoremremainder Chinese The
).(mod 325656728 and ) (mod 1701899961that
knows she e,).Therefor (mod 325656728 and
)(mod1701899961 computes Alice Alice. to
sends hewhich ), od55491705(m3632786010
computes and 3730950481414213562 takesBob
Bob. to9917719372426317299 sends She
.1190494759 and 2038074743 chooses Alice
1)/4(
1)/4(
2
n
x
qxpx
qy
py
nxy
x
qpn
qp
q
p
3 Example
4.4 Flipping Coin Using Square Roots (Continued)
won.he that provecan he ,1190494759
)23334103,93785035265483562373090gcd(141421
computingBy victory.claims BobThen Bob. to
233341039378503526 sends Alice that instead Suppose
winner. theAlice declares Bob so ), (mod is This
Bob. to86768891012103761 sends Alice Suppose
)(Continued
n
nx
3 Example
4.4 Flipping Coin Using Square Roots (Continued)
is.not try th
should she, Therefore . offactor nontrivial a find toBob allow will
choices wrong three theofEach send. toAlicefor numbers of
choicesfour are sign there Up. of roots squareeight are there
But primes. threeofproduct a sendingby Bob deceive totries
Alice that is caseOther game. theof end at the ofion factorizat
for the Aliceask could Bob course, Of primes. twoofproduct a of
instend prime a sendingby Bob deceive to triesAlice Suppose (2)
. tocongruent is sends Alicenumber theof
square that thecheckingby isagainst th guardcan Bob . factoring
from Bobprevent surely would then this, ofroot square athan
rather number random a Bob sendingby cheat to triesAlice If (1)
concerns.Security
n
y
n
y
n
y
4.4 Flipping Coin Using Square Roots (Continued)
number.her of square thetocongruent iswhich
number, sBob' of square theis has shen informatio
only thesince thisdisputecannot Alice him.sent
Alice that valueeexactly th was of valuehis
claimcan then He lose. to wantshe decides Bob
Suppose procedure. in this flaw one is There (3)
Continued)concerns.(Security
x
5 Poker over the Telephone A protocol similar to the fair flipping coin
protocol allows Alice and Bob to play poker with each other over the telephone. Instead of Bob making two messages, one for “Heads” and one for “Tails”, he makes 52 numbers, c1, c2,..., c52, one for each card in the deck. How to make sure that no one has cheated?
5.1 Idea
Bob encrypts the cards c1, c2,..., c52 using his key and sends to Alice. Alice chooses five cards at random, encrypts them with her encrypted key, and then sends them back to Bob. Bob decrypts the cards and sends them back to Alice, who decrypts them to determine her hand. She then chooses five more cards at random and sends them back to Bob. Bob decrypts these and they become his hand.
5.1 Idea (Continued)
During the game, additional cards can be dealt to either player by repeating the procedure. At the end of the game, Alice and Bob both reveal their cards and key pairs so that each can be assured that the other did not cheat.
5.2 Poker Based on Discrete Logarithm Problem
Alice. to themsends and,521
for )(mod computes Bob .prearrange some via modulo
,, , numbersdistinct 52 tochanged are cards 52 The (2)
also.) handeach for used be could and , ,different (A
. )1( 1mod such that computes and 1,)1,gcd(
with interger secret a chooses Bob . )1( 1mod
such that computes and 1,)1,gcd( with interger secret
a chooses Alice . prime eappropriatan on agree Bob and Alice (1)
session.poker theachieve tosteps following thePerform
cards. fivedealt ispalyer each :RESULT
channel. public aover
messages 4 exchange Bob and Alice palyers :SUMMARY
problem logarithm discreteon based protocolPoker
5221
i
pcbp
ccc
p
pp
p
p
p
ii
2 Protocol
5.2 Poker Based on Discrete Logarithm Problem (Continued)
hand. his him gives This .51for )(mod
computes whoBob, back to themsends and , ,
, , numbers theof more five chooses then Alice (5)
hand.her Alice
gives This power. the toraises whoAlice, tothem
sends and ,power the tonumbers theseraises Bob (4)
Bob. tonumbers thesesends and ,51for )(mod
computes , , , , numbers five chooses Alice (3)
)(Continued problem
logarithm discreteon based protocolPoker
5
21
521
jpb
b
bb
jpb
bbb
j
j
k
k
kk
i
iii
2 Protocol
AliceBob
521for )(mod ipcb ii
51for jbjk
)(mod)) (( pbcjj ii
)(mod) ( pbjk
51for )(mod jpbji
51for )(mod) ( jpbji
5.2 Poker Based on Discrete Logarithm Problem (Continued)
5.2 Poker Based on Discrete Logarithm Problem (Continued)
). modulo are es(congruenc calculates now Bob
.200508901 computes Bob and 024062734
compute Alice 7654321.secret his chooses Bob and 1234567
secret her chooses Alice .2396271991 be prime Let the
10305.ace 11091407,king
,1721050514queen 10010311,jack 200514,ten:following
thehave weso,,02,01 using numbers tocards the
Change card. onedealt isplayer Each ace. king, queen, jack, ten,
:cards fiveonly are there wheregame simplified aconsider sLet'
p
p
ba
4 Example
5.2 Poker Based on Discrete Logarithm Problem (Continued)
). (mod17005360071230896099
:Alice back toit sends and power the to thisraises Bob
). (mod1230896099914012224
:Bob it to sends and ,power theit to raises-fourth theexample,for
-numbers theseof one choosingby cardher chooses now Alice
.74390103 ,914012224 ,2337996540 ,1112225809 ,1507298770
:Alice to themsends andnumber theseshuffles He
.111222580910305
233799654011091407
743901031721050514
150729877010010311
914012224200514
)(Continued
p
p
4 Example
5.2 Poker Based on Discrete Logarithm Problem (Continued)
ten. thewas
Alice sent to he card that theshow and computequickly can
Bob king. thehas she claim to triesAlice Suppose . and
secret their reveal then Bob and Alice cheating,prevent To
jack. theis card his Therefore,
. ) od10010311(m1507298770
computes Bob Bob. back toit sending and
1507298770 example,for -received she cards original the
of one choosingsimply by card sBob' chooses Alice Now
ten. the thereforeis cardHer
). (mod2005141700536007
:power the to thisraises now Alice
)(Continued
p
p
4 Example
5.2 Poker Based on Discrete Logarithm Problem (Continued)
residue.-non quadratic a is if ), (mod1
residue quadratic a is if ), (mod1
:residue-nonor residue quadratic a is)(mod0
number anot or whether decide oeasy way tan is There (2)
problems. logarithm discrete are
solve toneeds Alice that equations But these .)(mod
form theof equations solve toneed wouldAlice
means This . card dunencrypte fixed a toscorrespond
card encrypted which guess could She cards. sBob'
deduce toAlicefor difficult quite be toseemsIt (1)
concerns.Security
2
1
cp
cpc
pc
pb
c
c
b
p
i
j
i
i
5.2 Poker Based on Discrete Logarithm Problem (Continued)
example. following the theSee result. thisusing
Bobover advantagean gainsmay Alice cards. the
ofpower and the toapplies alsostatement
ingcorrespond The residue. quadratic a is ifonly and
if modulo residue quadratic a is that meansIt
).(mod
and , toencrypted
is cardA odd. are and e,1.Therefor)1
,gcd( and 1)1 ,gcd( needed that weRecall
)(Continued concerns.Security
2
1
2
1
2
1
c
pc
pccc
c
cp
p
ppp
5.2 Poker Based on Discrete Logarithm Problem (Continued)
residues. quadratic
are cards remaining theall whileresidue,-non a is ace only the so
,110305
111091407
11721050514
110010311
1200514
fact,In random.not
was prime of choice The example. simplified thereturn to sLet'
2
1
2
1
2
1
2
1
2
1
p
p
p
p
p
p
5 Example
5.2 Poker Based on Discrete Logarithm Problem (Continued)
. ace theis
cardher that finds she course, Of .power theit to raises whoAlice,
back toit sends and power theit to rasies He Bob. it to sendsthen
,power theit to raises She .1112225809 is ace heher that t tellsThis
.174390103
1914012224
12337996540
11112225809
11507298770
computes she hand,her choosing is AliceWhen
)(Continued
2
1
2
1
2
1
2
1
2
1
p
p
p
p
p
5 Example
Thank you!