x - TML

Cryptography and
Network Security
Lecture III-4
22 October 2004
Jussipekka Leiwo 2004
Coin flipping over the phone,
mental poker, electronic voting

Preliminaries
- Consider a function f that satisfies two properties:
  1. For any integer x, it is easy to compute f(x), but given f(x) it is hard to find out whether x is even or odd
  2. It is hard to find a pair of integers (x,y) where x≠y and f(x)=f(y)
- Given such a function, a protocol can be constructed for flipping a coin over the telephone

Coin flipping protocol
- Protocol setup:
  1. Function f as described above,
  2. An even number x in f(x) representing HEADS, an odd number in f(x) representing TAILS
- Protocol:
  1. A → B : f(x), x is a random integer
  2. A ← B : Guess ∈ {EVEN, ODD}
  3. A → B : x
  4. B : Verify f(x), check correctness of Guess

Observations
- Function f could be implemented as SHA-1
- Good enough for ‘casual’ applications
- Not suitable for rigorous security scenarios:
  1. Users may be tricked into applying cryptographic operations to ‘random’ numbers specifically constructed by an attacker to foil the protocol,
  2. In some cases, random challenges generated with a hash function are not suitable for protocols, and
  3. Precise security analysis is hard
  ⇒ More trustworthy randomness is required
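
The hash-based protocol from the two slides above, as an added example that is not part of the original lecture. It uses SHA-256 for f rather than the SHA-1 the slide suggests, because practical SHA-1 collisions have since been published and property 2 depends on collision resistance; the function names and the 256-bit size of x are assumptions.

```python
import hashlib
import secrets

def f(x: int) -> str:
    """Commitment function f: SHA-256 over a fixed-width encoding of x."""
    return hashlib.sha256(x.to_bytes(32, "big")).hexdigest()

def alice_commit():
    """Step 1: A picks a random 256-bit x (too large to brute-force) and sends f(x)."""
    x = secrets.randbits(256)
    return x, f(x)

def bob_guess() -> str:
    """Step 2: B guesses the parity of x."""
    return secrets.choice(["EVEN", "ODD"])

def bob_verify(commitment: str, revealed_x: int, guess: str) -> str:
    """Step 4: B checks the opened x against f(x), then scores his guess."""
    if not 0 <= revealed_x < 2**256 or f(revealed_x) != commitment:
        return "ABORT"              # A opened a value she did not commit to
    parity = "EVEN" if revealed_x % 2 == 0 else "ODD"
    return "B_WINS" if parity == guess else "A_WINS"

def run_flip():
    """One honest run: commit, guess, reveal (step 3), verify."""
    x, commitment = alice_commit()
    guess = bob_guess()
    return x, commitment, guess, bob_verify(commitment, x, guess)

if __name__ == "__main__":
    print(run_flip()[3])
```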

Blum integers
- Let P and Q be large prime numbers that satisfy the congruence
  P ≡ Q ≡ 3 (mod 4)
- Integers N=PQ are called Blum integers.
- Several useful properties for cryptography (see Mao: Modern Cryptography, pp. 198-200)

Blum’s coin-flipping protocol
- Let A and B agree on a string of mutually trusted random bits of length m
- To simplify the notation for expressing the protocol, assume that:
  1. Each message communicated between A and B is digitally signed
  2. If any verification (incl. verification of digital signatures of received messages) fails, the party will abort without proceeding with the protocol.

Protocol steps
1. A ← B : $N = PQ$
2. A : $x_1, x_2, \ldots, x_m \in_U \mathbb{Z}_N^*$; $\left(\frac{x_i}{N}\right)$, $i = 1, 2, \ldots, m$ are the coin flipping results
3. A → B : $\{ y_i \mid i = 1, 2, \ldots, m,\ y_i = x_i^2 \pmod{N} \}$
4. A ← B : $\{ b_i \mid i = 1, 2, \ldots, m,\ b_i \in_U \{1, -1\} \}$
5. A → B : $x_1, x_2, \ldots, x_m$
6. B : $y_i \stackrel{?}{\equiv} x_i^2 \pmod{N}$
7. A ← B : $P, Q$
8. A : $P \stackrel{?}{\equiv} Q \stackrel{?}{\equiv} 3 \pmod{4}$, test P and Q for primality
9. A, B : $r_i = \begin{cases} 1 & \text{if } \left(\frac{x_i}{N}\right) = b_i \text{ (i.e. B's guess is correct)} \\ 0 & \text{otherwise} \end{cases}$

Observations
1. B’s guesses in step (3) are coded as the guesses of the sign of (x_i/N). Passing all m guesses to A completes B’s guessing of A’s coin flipping results.
2. Step (4) is where A informs B on the correctness of his guesses
3. A can only cheat if A is capable of factoring N
4. B’s guessing probability is exactly (1/2)
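
Blum's protocol run end to end over a toy Blum integer, as an added example that is not part of the original lecture. The primes 499 and 547 are constructed sample values, message signing is omitted, and all function names are assumptions; `opposite_root` illustrates observation 3 by showing that opening y_i to a root with the other symbol requires P and Q.

```python
import secrets
from math import gcd

def jacobi(a: int, n: int) -> int:
    """Symbol (a/n) for odd n > 0; needs no factorisation of n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                      # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_prime(p: int) -> bool:
    """Trial division; adequate only for the toy primes used here."""
    return p > 1 and all(p % d for d in range(2, int(p ** 0.5) + 1))

def opposite_root(x: int, P: int, Q: int) -> int:
    """Root of x^2 mod PQ with the opposite symbol; computing it needs P and Q."""
    return (x * Q * pow(Q, -1, P) - x * P * pow(P, -1, Q)) % (P * Q)

def blum_flip(P: int, Q: int, m: int):
    N = P * Q                                          # step 1: B -> A
    xs = []
    while len(xs) < m:                                 # step 2: A draws x_i from Z_N^*
        x = secrets.randbelow(N - 1) + 1
        if gcd(x, N) == 1:
            xs.append(x)
    ys = [x * x % N for x in xs]                       # step 3: A -> B
    bs = [secrets.choice((1, -1)) for _ in range(m)]   # step 4: B -> A
    # step 5: A -> B reveals xs; step 6: B checks each square
    if any(y != x * x % N for x, y in zip(xs, ys)):
        raise ValueError("B aborts: x_i does not match y_i")
    # step 7: B -> A reveals P, Q; step 8: A checks the Blum conditions
    if P % 4 != 3 or Q % 4 != 3 or not (is_prime(P) and is_prime(Q)):
        raise ValueError("A aborts: N is not a Blum integer")
    return N, xs, ys, bs, [int(jacobi(x, N) == b) for x, b in zip(xs, bs)]  # step 9

if __name__ == "__main__":
    print(blum_flip(499, 547, 8)[4])     # constructed toy primes, both 3 mod 4
```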

Mental poker (three party version)
- Alice, Bob and Carol wish to play poker over the network. Alice is the dealer but Bob and Carol need assurance that she is not cheating. Everybody needs assurance that nobody else is cheating, either.
- Assume a commutative asymmetric cryptosystem:
  EB(EA(m))=EA(EB(m))

Mental poker -- dealing
1. Alice:
   a. Generates 52 distinct random numbers x1, x2, ..., x52 corresponding to a deck of cards.
   b. Encrypts each xi with her public key, sends EA(x1), EA(x2), ..., EA(x52) to Bob
2. Bob:
   a. Picks five of the encrypted cards (say, at indices a, b, c, d, e)
   b. Sends to Carol EB(EA(xa)), EB(EA(xb)), EB(EA(xc)), EB(EA(xd)), EB(EA(xe)) together with the 47 “unchosen” cards

Mental poker -- dealing (cont’d)
3. Carol:
   a. Picks five of the “unselected” encrypted cards, say at indices f, g, h, i, j
   b. Encrypts those cards with her public key, sends EC(EA(xf)), EC(EA(xg)), EC(EA(xh)), EC(EA(xi)), EC(EA(xj)) to Alice.
   c. Picks five of the remaining 42 cards as Alice’s hand, sends those to Alice

Hand verification
1. For each k∈{a, b, c, d, e}, Alice computes DA(EB(EA(xk)))=EB(xk)
2. Alice sends each EB(xk) to Bob.
3. For each k∈{f, g, h, i, j}, Alice computes DA(EC(EA(xk)))=EC(xk)
4. Alice sends each EC(xk) to Bob.
5. Bob and Carol decrypt their hands, Alice reveals x1, x2, ..., x52 and all players learn all hands and find the winner
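
The dealing and hand-verification steps above simulated in one process, as an added example that is not part of the original lecture. The slides do not name a cryptosystem; this sketch assumes SRA-style exponentiation modulo a shared prime, where each player's exponent stays secret during the hand, and the modulus, class and function names are all assumptions.

```python
import secrets
from math import gcd

PRIME = 2**127 - 1    # shared public modulus (a Mersenne prime); toy size

class Player:
    """SRA-style key pair: E(m) = m^e mod PRIME, D(c) = c^d mod PRIME."""
    def __init__(self):
        while True:
            self.e = secrets.randbelow(PRIME - 3) + 2
            if gcd(self.e, PRIME - 1) == 1:
                break
        self.d = pow(self.e, -1, PRIME - 1)

    def enc(self, m: int) -> int:
        return pow(m, self.e, PRIME)

    def dec(self, c: int) -> int:
        return pow(c, self.d, PRIME)

def deal():
    rng = secrets.SystemRandom()
    alice, bob, carol = Player(), Player(), Player()
    deck = set()
    while len(deck) < 52:                            # 1a: 52 distinct random card values
        deck.add(secrets.randbelow(PRIME - 2) + 2)
    pile = [alice.enc(x) for x in deck]              # 1b: E_A(x_i) goes to Bob
    rng.shuffle(pile)                                # added step: hide the card order
    bob_pick = rng.sample(pile, 5)                   # 2a
    bob_dbl = [bob.enc(c) for c in bob_pick]         # 2b: E_B(E_A(x_k))
    pile = [c for c in pile if c not in bob_pick]    # the 47 unchosen cards
    carol_pick = rng.sample(pile, 5)                 # 3a
    carol_dbl = [carol.enc(c) for c in carol_pick]   # 3b: E_C(E_A(x_k))
    pile = [c for c in pile if c not in carol_pick]  # the remaining 42 cards
    alice_enc = rng.sample(pile, 5)                  # 3c: Alice's hand, still E_A(x_k)
    # Hand verification: Alice strips her layer, then each owner strips the last one
    hands = {
        "alice": [alice.dec(c) for c in alice_enc],
        "bob": [bob.dec(alice.dec(c)) for c in bob_dbl],
        "carol": [carol.dec(alice.dec(c)) for c in carol_dbl],
    }
    return sorted(deck), hands
```

Plain exponentiation modulo a prime preserves whether a value is a quadratic residue, so a real deck would draw all card values from one residue class.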

Secure electronic voting
- Requirements:
  1. Only authorized parties can vote
  2. No authorized voter can vote more than once
  3. Nobody can determine for whom anyone else voted
  4. Nobody can duplicate anyone else’s vote
  5. Nobody can change anyone else’s vote
  6. Every voter can be sure that his/her vote is included in the final tabulation
  7. (Everyone will know who voted and who didn’t)

Voting with blind signatures
1. Voter:
   a. Generates 10 sets of messages, each set containing a valid vote for each possible outcome, plus a random integer
   b. Blinds messages, sends to CTF with blinding factors
2. CTF (Central Tabulating Facility):
   a. Checks that party has not cast blinded votes before
   b. Opens 9 sets of votes, signs, returns to voter, stores name of voter in a database
3. Voter:
   a. Unblinds messages, gains votes signed by CTF
   b. Chooses one of the messages, encrypts with CTF’s public key, sends to CTF
4. CTF:
   a. Decrypts vote, checks signature, tabulates results
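
The cut-and-choose voting steps above with RSA blind signatures, as an added example that is not part of the original lecture. The slides do not name a signature scheme; textbook RSA over a toy key is assumed here, as are the message layout (one serial per set), the function names, and the choice to have the CTF read blinding factors only for the nine sets it opens. The final encryption to the CTF's public key is omitted.

```python
import hashlib
import secrets

# Toy CTF RSA key from two Mersenne primes (constructed; far too small for real use)
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def h(msg):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % N

def blind(msg, r):
    return h(msg) * pow(r, E, N) % N

def make_set(outcomes):      # step 1: one vote per outcome, one random serial per set
    serial, votes = secrets.randbits(64), {}
    for o in outcomes:
        r = secrets.randbelow(N - 2) + 2              # blinding factor
        votes[o] = {"msg": f"{o}:{serial}", "r": r, "blinded": blind(f"{o}:{serial}", r)}
    return votes

def ctf_sign(sets, outcomes, voted, voter):    # step 2
    if voter in voted:
        raise ValueError("voter already submitted blinded votes")
    keep = secrets.randbelow(len(sets))
    for i, s in enumerate(sets):
        if i == keep:
            continue                                  # this set stays blinded
        serial = s[outcomes[0]]["msg"].partition(":")[2]
        for o in outcomes:
            v = s[o]
            if v["msg"] != f"{o}:{serial}" or v["blinded"] != blind(v["msg"], v["r"]):
                raise ValueError("opened set is malformed")
    voted.add(voter)
    return keep, {o: pow(sets[keep][o]["blinded"], D, N) for o in outcomes}

def unblind(blind_sig, r):                     # step 3a
    return blind_sig * pow(r, -1, N) % N

def verify(msg, sig):
    return pow(sig, E, N) == h(msg)

def tabulate(ballots):       # step 4: count each validly signed serial once
    seen, tally = set(), {}
    for msg, sig in ballots:
        outcome, _, serial = msg.partition(":")
        if verify(msg, sig) and serial not in seen:
            seen.add(serial)
            tally[outcome] = tally.get(outcome, 0) + 1
    return tally
```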

The course is approaching an end...
- Friday: Analysis of cryptographic protocols
- Monday: Security assurance, Jussi’s wrap-up
- Thursday: No lecture
- Friday: Adrian’s wrap-up

Questions?
Next: Analysis of cryptographic protocols