1 / 10

ITIS 6200/8200

ITIS 6200/8200. Bit commitment. Alice needs to commit a prediction which will not be revealed until later. Bob needs to make sure that Alice cannot change it. How can we do that? Example: Picking stocks: who will go first? Be careful of the forward search attack

abel-dunlap
Télécharger la présentation

ITIS 6200/8200

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ITIS 6200/8200

  2. Bit commitment • Alice needs to commit a prediction which will not be revealed until later. Bob needs to make sure that Alice cannot change it. How can we do that? • Example: • Picking stocks: who will go first? • Be careful of the forward search attack • Attack to such commitment: racing horses • Why this attack can be conducted: limited commitment space

  3. Bit commitment using one-way function • Can we use Hash(RA, b) to commit a bit? • If Alice does not tell Bob RA, forward search by Alice • If Alice tells Bob RA, Bob can figure out the bit • A better protocol: • Alice generates two random numbers, R1 and R2 • Alice sends (R1, Hash(R1, R2, b)) to Bob to commit the bit • Why we need R1 in plain text? • Why do we need R2 in cipher-text? • Later, Alice gives Bob R1, R2, and b to verify

  4. The advantage of this protocol: • Bob does not need to send anything • It is very difficult to find Hash(R1, R2, “0”) = Hash(R1, R2’, “1”) if R1 is long enough and the one way function has been properly designed

  5. Fair coin flip in digital world • It is different from the real world, where both parties can see the coin • The properties we need: • Alice flips the coin before Bob guesses • Alice cannot change the result after Bob guesses • Bob cannot “see” the result before taking the guess • It seems that bit commitment can solve this problem

  6. Coin flip using bit commitment • Alice commits to a bit using one of the previous protocols • Bob guesses the value of the bit • If right, Bob wins, if wrong, Alice wins • After the guess, Bob must be able to verify the result

  7. Coin flip using one-way functions • Alice generates a random number X, and sends Hash(X) to Bob • Bob guess whether X is odd or even • If Bob guesses right, Bob wins, otherwise, Alice wins • Alice reveals X so that Bob can verify. • If Alice can find two numbers (one odd, one even) having the same hash result, she can control the result every time.

  8. Coin flip using commutative encryption (where E_k1(E_k2(msg)) = E_k2(E_k1(msg)) • Alice generates two messages, (R1, Head), (R2, Tail), sends E_k1(m1) and E_k1(m2) to Bob • Bob selects one message and sends back E_k2(E_k1(m)), Alice does not know which one Bob choose • Alice decrypts the message and sends back to Bob, Bob decrypts it again and tells Alice the random number and the result • Alice and Bob reveal their keys to verify the result

  9. Coin flip using commutative encryption • Can Bob cheat? Not if he cannot guess the random string • Can Alice cheat? • Send both messages with Head. But later when they reveal the key, Alice will be caught. • Alice can lie about the value of R1 and R2: Bob can ask for their hash values before the messages are sent • An application of coin flip: • Generate session keys in a collaborative method where no party has a total control • We can flip multiple bits simultaneously

More Related