1 / 18

Bit Commitment, Fair Coin Flips, and One-Way Accumulators

Bit Commitment, Fair Coin Flips, and One-Way Accumulators. Matt Ashoff 11/9/2004 Cryptographic Protocols. Outline. Bit Commitment Definition Properties Applications Implementations Fair Coin Flips Definition Implementations One-Way Accumulators Definition Example Motivation

magdalen
Télécharger la présentation

Bit Commitment, Fair Coin Flips, and One-Way Accumulators

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bit Commitment, Fair Coin Flips, and One-Way Accumulators Matt Ashoff 11/9/2004 Cryptographic Protocols

  2. Outline • Bit Commitment • Definition • Properties • Applications • Implementations • Fair Coin Flips • Definition • Implementations • One-Way Accumulators • Definition • Example • Motivation • Applications • References

  3. Definition Bit Commitment • Goal is to ensure bit commitment. • Simplest example: • Decide who goes first in a game • If Bob guesses correctly, he goes • Alice picks a bit (0 or 1) and locks it in a box • Bob guesses a bit • The box is opened to see if he is right • Two parts: • Commitment • Unveiling • Must ensure that: • Alice cannot change her bit after Bob guesses • Bob cannot know what Alice’s bit is until she unveils it • Assume no trusted third-party

  4. Properties Bit Commitment • Ideally, bit commitment has two interesting properties: • It is unconditionally secure if implemented correctly • As opposed to computationally secure, which is a requirement for most algorithms • It requires only a noisy channel • However, implementing the algorithm ideally is the key

  5. Applications Bit Commitment • Zero-Knowledge Protocols • Identification Schemes • Multi-party Computation • Fair Coin Flips • Electronic Voting

  6. Implementations Bit Commitment • Symmetric Cryptography • Alice encrypts her bit with a random key • Sends to Bob • At a later time, she sends Bob the key • He can then verify the bit • Disadvantage: • Alice may be able to generate another key so that the bit is changed once she knows the result. • Solution: • Have Bob send her a random string to concatenate with her bit, then encrypt, makes generation of changed bit unlikely. • Disadvantage: Bob must send random string

  7. Implementations (cont.) Bit Commitment • One-way hash functions • Alice generates two random strings R1,R2 • Sends h(R1,R2,b) and R1 to Bob • At a later time, Alice sends Bob (R1,R2,b) • Bob checks h(R1,R2,b) and R1 • Advantage: Bob sends nothing • Disadvantage: Alice must not be able to find collisions on the hash function such that: • h(R1,R2,b) = h(R1,R2’,b’) • Note: Even more secure if Bob sends R1

  8. Implementations (cont.) Bit Commitment • Could also use random number generators, many, many other protocols… • A “quantum” bit commitment scheme is supposedly computationally secure • Although not proven to be so

  9. Definition Fair Coin Flips • Goal is to flip a coin “over the phone” • Original protocol went like this: • Alice flips a coin and tells Bob the result • Bob then flips his own coin, XORs his result with Alice’s, and this is the result • …but this only prevents Alice from cheating. Bob can still make up his coin flip. • Ideally, Alice and Bob would send their results simultaneously • Note: If either party lies and just makes up heads or tails, the other parties result will “cancel it out” • This allows for one distrustful party

  10. Implementations Fair Coin Flips • Alice flips her coin • Alice generates a random key and encrypts “My coin toss returned [head, tails]” and sends this to Bob • Bob does exactly the same thing • They then swap keys and decrypt • Note: If one receives the key before the other (and thus, the others’ flip), they will not be able to generate another key that will change their coin flip • Note: This is just bit commitment using symmetric encryption (e.g., Heads  0, Tails  1)

  11. Implementations (cont.) Fair Coin Flips • Using a one-way hash function: • Alice selects a random number x and computes y = h(x), sends this to Bob • Bob guesses if x is heads (even) or tails (odd), sends guess to Alice • If Bob is correct, he wins • Alice announces the result of the flip and sends x to Bob • Bob verifies that y = h(x) • Notes: • The output of h(x) must have nothing to do with the parity of x. • Alice must not be able to find a x and x’ such that x is odd and x’ is even, and h(x) = h(x’) = y

  12. Definition One-Way Accumulators • Given a one-way hash function with the property that: • h: A x B  C where |A| ~ |B| ~ |C| • i.e., the size is not mapped down • Given the definition of a quasi-commutative function: • f(f(x,y1),y2) = f(f(x,y2),y1) • A one-way accumulators is defined as: • h(h(x,y1),y2) = h(h(x,y2),y1) • “A family of one-way accumulators is a family of one-way hash functions each of which is quasi-commutative.”

  13. Definition (cont.) One-Way Accumulators • For the one-way function to be secure, it must satisfy the property that: • Given x,y,y’, it is hard to find a x’ such that h(x,y) = h(x’,y’) • It is not necessary for it to be hard to find a (x’,y’) pair such that h(x,y) = h(x’,y’)

  14. Example One-Way Accumulators • Most obvious example is modulo n math: • Given an(x,y) = (x*y) mod n • an(an(x,y1),y2) = ((x*y1) mod n)*y2 mod n = (x*y1*y2) mod n = ((x*y2) mod n)*y1 mod n = an(an(x,y2),y1) • Easy to invert  Unsuitable • Given en(x,y) = xy mod n • en(en(x,y1),y2) = (xy1 mod n)y2 mod n = x(y1+y2) mod n = (xy2 mod n)y1 mod n = en(en(x,y2),y1) • Hard to invert  Suitable (e.g., RSA)

  15. Motivation One-Way Accumulators • The quasi-commutative property can be extended to m users: • Start with an initial value x, • Set of values {y1,y2,…,ym} • To compute z such that: • z = h(h(…h(h(x,y1),y2),…,ym-1),ym) • Notice that z is unchanged by the order of the yi

  16. App: Digital Signatures One-Way Accumulators • All parties in m choose their own yj • The total hash z is computed given all of the yi and some initial value x • Each party in m computes their own zj given every yi except their own yj • They can later authenticate themselves to any other party in the group by presenting yj and zj, such that z = h(zj,yj)

  17. More Applications One-Way Accumulators • The digital signature application can easily be extended/modified to support: • Time Stamping • Membership Testing • Etc.

  18. References • J. Benaloh, M. de Mare. One-Way Accumulators: A Decentralized Alternative to Digital Signatures. Advances in Cryptology--EUROCRYPT'93. LNCS, vol.765, pp.274--285, Springer--Verlag, 1994 • M. Blum, "Coin flipping by telephone: a protocol for solving impossible problems”, Proc. IEEE Computer Conference, pp. 133-137, 1982. • J. Kilian. Uses of Randomness in Algorithms and Protocols, MIT Press, 1990. • Nayak, Ashwin and Shor, Peter (2002) On bit-commitment based quantum coin flipping. Technical Report. California Institute of Technology. • M. Naor, "Bit commitment using pseudo-randomness", J. Cryptology, vol. 2, no. 2, pp. 151-158, 1991. • H.F. Chau, Hoi-Kwong Lo, “Making an Empty Promise with a Quantum Computer”, Fortschr. Phys. 46 (1998) 4-5, 507-519. • http://www.disappearing-inc.com/F/faircointoss.html • http://www.cs.mcgill.ca/~crepeau/CRYPTO/BCDemo/BCbackground.html • http://www.cs.rochester.edu/users/faculty/nelson/courses/cryptology/notes/lecture_16.txt

More Related