Coin Flipping Protocol

1. Coin Flipping Protocol CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Manuel Blum, Coin Flipping by Telephone: A Protocol for Solving Impossible Problems, ACM SIGACT, Vol. 15, No. 1, 1983, pp. 23-27.

2. Outline • Coin flipping protocol • Completely secure vs. normally secure one-way functions • Some protocols that do not work • Blum Protocol • Goldwasser-Micali Probabilistic Encryption Goldwasser

3. Coin Tossing Protocol • Want to flip a coin over the telephone • Fair and verifiable • Not subject to cheating

4. Public Key Cryptography • Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. • D(E(M)) = M • Both E() and D() are easy to compute • Publicly revealing E() does not make it easy to determine D() • E(D(M)) = M - needed for signatures • The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

5. Attempt 1 • Generate Encryption/Decryption Keys • A: Randomly select flip = “heads” or “tails” • A  B EA(flip) • B  A guess heads or tails • A  B DA() to check result • What’s wrong

6. One-Way Functions • Normally Secure One-Way Function • Efficiently computable function whose inverse can not be computed efficiently • Completely Secure One-Way Function • Normally secure plus knowledge of f(x) does not give more than 50-50 chance of efficiently guessing some non-trivial property such as parity

7. Solution with a Completely Secure One-Way Function • A: randomly select x • A  B f(x) • B  A guess x even/odd • A  B send x to verify result

8. Attempt 2 (RSA) • Generate Keys: N = PQ, gcd(e,(N))=1, ed  1(mod (N)), E = (e,N), D = (d,N) • A: Randomly select x (use parity) • A  B E(x) • B  A guess parity of x • A  B D() to check parity of result • What could be wrong

9. Attempt 3 (Discrete Log) • Zp = <>, p  1 (mod 4) prime • A: Randomly select x (use parity) • A  B y = x • B  A guess parity of x • A  B send x to verify guess • Probability is correct. What is wrong?

10. Blum Protocol • Blum protocol • B selects N = PQ, P  3 (mod 4), Q  3 (mod 4). • A selects x1,…,xt and send x12,…,xt2 to B • B guesses b1,…bt and sends to A • A sends x1,…,xt to B and B checks (xi/n) = bi

11. Correctness of Blum Protocol • Four solutions x2  a (mod N) [use CRT] • (±b)2  a (mod P), (±c)2  a (mod Q) • P  Q  3 (mod 4)  J(-1,P) =J(-1,Q) = -1 • Half with J(x,N) = 1, half with J(x,N)= -1 • Knowing ±b and ±c gives P and Q • bc (mod P) b = c (mod Q)  gcd(b-c,N)=Q

12. Public Key Cryptography • Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. • D(E(M)) = M • Both E() and D() are easy to compute • Publicly revealing E() does not make it easy to determine D() • E(D(M)) = M - needed for signatures • The collection of E()’s are made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

13. Goldwasser-Micali Probabilistic Encryption • Goldwasser-Micali (Quadratic Redisuosity) • N = pq, x a non-residue such that • m = m1  mt, mi {0,1} • c = c1   ct, ci = yixmi mod N, yirandom quadratic residue ShafiGoldwasser and SilvioMicali. Probabilistic Encryption. Journal of Computer and System Sciences (JCSS), 28(2):270-299, April 1984.