Probabilistic E n c r y p t i o n
&
H o w To P l a y M e n t a l P o k e r K e e p i n g S e c r e t
All P a r t i a l I n f o r m a t i o n
Shaft Goldwasser * and Silvio Micali **
C o m p u t e r Science D e p a r t m e n t
University of California - Berkeley
I. Introduction
We would like to p o i n t o u t two basic w e a k n e s s e s
of this a p p r o a c h :
1) The f a c t t h a t f is a t r a p d o o r f u n c t i o n d o e s
n o t r u l e o u t t h e p o s s i b i l i t y of c o m p u t i n g x
f r o m ff (x) w h e n x is of a s p e c i a l f o r m .
Usually m e s s a g e s do not consist of numbers
chosen at r a n d o m but possess more struct u r e . S u c h s t r u c t u r a l i n f o r m a t i o n m a y help
in decoding. For e x a m p l e , a f u n c t i o n f ,
which is h a r d to i n v e r t on a g e n e r i c input,
c o u l d c o n c e i v a b l y be e a s y t o i n v e r t on t h e
ASCII r e p r e s e n t a t i o n s of English s e n t e n c e s .
This p a p e r p r o p o s e s a n E n c r y p t i o n S c h e m e
t h a t p o s s e s s t h e following p r o p e r t y :
An a d v e r s a r y , who knows t h e e n c r y p t i o n
a l g o r i t h m and is given t h e c y p h e r t e x t , c a n not obtain any information about the cleartext.
Any i m p l e m e n t a t i o n of a Public Key C r y p t o s y s t e m , as p r o p o s e d b y Diffie a n d H e l l m a n in [8],
should p o s s e s s this p r o p e r t y .
Our E n c r y p t i o n S c h e m e follows t h e i d e a s in
the n u m b e r t h e o r e t i c i m p l e m e n t a t i o n s of a
Public Key C r y p t o s y s t e m due to Rivest, S h a m i r
and A d l e m a n [13], a n d Rabin [12].
2)
The fact that f is a trapdoor function does
not rule out the possibility of easily computing s o m e partial information about z
(even every other bit of x) from f (z). The
d a n g e r in t h e c a s e t h a t z is t h e ASCII
r e p r e s e n t a t i o n of an English s e n t e n c e is
self evident. E n c r y p t i n g m e s s a g e s in a way
t h a t e n s u r e s t h e s e c r e c y of all p a r t i a l inform a t i o n is an e x t r e m e l y i m p o r t a n t goal in
C r y p t o g r a p h y . The i m p o r t a n c e of this p o i n t
of view is p a r t i c u l a r l y a p p a r e n t if we w a n t
to use e n c r y p t i o n to play c a r d g a m e s over
t h e t e l e p h o n e . If t h e suit o r c o l o r of a c a r d
c o u l d be c o m p r o m i s e d t h e whole g a m e
c o u l d be invalid.
S e c u r i t y is b a s e d on C o m p l e x i t y T h e o r y and
the i n t r a c t a b i l i t y of s o m e p r o b l e m s in n u m b e r
t h e o r y s u c h as f a c t o r i n g , i n d e x finding and
deciding w h e t h e r n u m b e r s are q u a d r a t i c resid u e s with r e s p e c t to c o m p o s i t e m v d u l i is
a s s u m e d . In this c o n t e x t , i m p o s s i b i l i t y m e a n s
c o m p u t a t i o n a l infeasibility a n d proving t h a t a
p r o b l e m is h a r d m e a n s to show it e q u i v a l e n t to
one of t h e a b o v e m e n t i o n e d p r o b l e m s .
The k e y idea in b o t h t h e RSA s c h e m e a n d
t h e Rabin s c h e m e is t h e s e l e c t i o n of an
a p p r o p r i a t e t r a p d o o r function; a n e a s y to
e v a l u a t e f u n c t i o n f s u c h t h a t x is n o t easily
c o m p u t a b l e f r o m f(x), u n l e s s s o m e e x t r a
i n f o r m a t i o n is known. To e n c r y p t a m e s s a g e
m , one s i m p l y e v a l u a t e s f ( m ) .
T h o u g h no one knows how to b r e a k t h e RSA or
the Rabin s c h e m e , in n o n e of t h e s e s c h e m e s is
it proved t h a t d e c o d i n g is h a r d w i t h o u t any
a s s u m p t i o n s m a d e on t h e m e s s a g e s p a c e . Rabin
shows t h a t , in his s c h e m e , d e c o d i n g is h a r d for
an a d v e r s a r y if t h e s e t of possible m e s s a g e s has
some density property.
The n o v e l t y of o u r c o n t r i b u t i o n c o n s i s t s of
Thin r e s e a r c h was s u p p o r t e d by
* NSF G r a n t MCS-79-037667
** fellowship f r o m Consiglio Nazionale delle R i c e r c h e Italy a n d in p a r t by NSF G r a n t MCS-79-037667
1.
Permission to copy without fee all or part of this material is granted
provided that the copies are not made or distributed for direct
commercial advantage, the ACM copyright notice and the title of the
publication and its date appear, and notice is given that copying is by
permission of the Association for Computing Machinery. To copy
otherwise, or to republish, requires a fee and/or specific permission.
©
1982 ACM0-89791-067-2/82/005/0365
The n o t i o n of T r a p d o o r F u n c t i o n s is
r e p l a c e d by P r o b a b i l i s t i c E n c r y p t i o n . To
e n c r y p t e a c h m e s s a g e we m a k e use of a fair
coin. The e n c o d i n g of e a c h m e s s a g e will
d e p e n d on t h e m e s s a g e plus t h e r e s u l t of a
s e q u e n c e of coin tosses.
Consequently,
t h e r e are m a n y possible e n c o d i n g s for e a c h
m e s s a g e , llowever, m e s s a g e s are always
u n i q u e l y d e c o d a b l e .~
I P r o b a b i l i s t i c E n c r y p t i o n is c o m p l e t e l y different f r o m
the t e c h n i q u e of apl~eDcling r a n d o m bits to a m e s s a g e as
s u g g e s t e d in U?.] a n d [16].
$00.75
365
2.
D e c o d i n g is e a s y for t h e legal r e c e i v e r of a
m e s s a g e , b u t p r o v a b l y h a r d for a n a d v e r s a r y . T h e r e f o r e t h e s p i r i t of a t r a p d o o r
f u n c t i o n is m a i n t a i n e d . In addition, in o u r
scheme, without imposing any restrictions
on t h e m e s s a g e s p a c e , we c a n p r o v e t h a t
d e c o d i n g is e q u i v a l e n t to d e c i d i n g quadratic
residuosity
modulo
composite
numbers.
3.
No P a r t i a l I n f o r m a t i o n a b o u t a n e n c r y p t e d
m e s s a g e could be obtained by an adversary. Assume that the message space has
an associated probability distribution and
t h a t , with r e s p e c t to t h i s d i s t r i b u t i o n , an
e a s y t o c o m p u t e p r e d i c a t e P ( s u c h as " t h e
e x c l u s i v e or of all t h e b i t s in t h e m e s s a g e is
1") h a s p r o b a b i l i t y p to be t r u e . Let p ~ .5
w i t h o u t a n y loss of g e n e r a l i t y . Then,
w i t h o u t a n y s p e c i a l ability, an a d v e r s a r y ,
given t h e c y p h e r t e x t ~
c a n always g u e s s
t h a t P is t r u e for t h e c l e a r t e x t , a n d be
c o r r e c t with p r o b a b i l i t y p .
B a s e d on t h e a s s u m p t i o n t h a t d e c i d i n g quadratic
residuosity
modulo
composite
n u m b e r s is h a r d , we p r o v e t h a t an a d v e r s a r y c a n n o t g u e s s c o r r e c t l y with p r o b a b i l ity p+e,from the cyphertext, whether the
cleartext satisfies the predicate P, where e
is a n o n negligible p o s i t i v e r e a l n u m b e r .
i n g e n i o u s p a p e r [8]. Let M be a finite m e s s a g e
s p a c e , A, B,... b e u s e r s , a n d l e t m e M d e n o t e a
m e s s a g e . Let E A : M ~ M b e A's e n c r y p t i o n f u n c tion, w h i c h is ideally bijective, a n d D A be A ' s
decryption function such that DA(EA(m)) = m
for all m e M. In a Public Key C r y p t o s y s t e m E A
is p l a c e d in a p u b l i c file, a n d u s e r A k e e p s DA
p r i v a t e . D A s h o u l d b e difficult to c o m p u t e
knowing only E A. To s e n d m e s s a g e m to A, B
t a k e s E A f r o m t h e p u b l i c file, c o m p u t e s E A ( m )
a n d s e n d s this m e s s a g e to A. A easily c o m p u t e s
D A ( E A ( m ) ) to obtain m .
2.2 The RSA s c h e m e and t h e Rabin s c h e m e
The two implementations of a Public Key
Cryptosystem most relevant and inspiring for
this paper are the R S A s c h e m e [13], due to
Rivest, Shamir and Adleman, and its particularization suggested by Rabin [12].
The key idea in both the R S A s c h e m e and
the Rabin s c h e m e consists in the selection of
an appropriate n u m b e r
theoretic trapdoor
function. In the R S A scheme, user A selects/,~,
the product of two large primes p I and p 2 and a
n u m b e r s such that s and 9(N) are relatively
prime , where ~ is the Euler totient function. A
puts N and s in a public file and keeps the factorization
of N
private. Let
ZN'= ~ z I
i ~ z ~ N - i and z and N are relatively primel.
For every message m eZN', E A ( r n ) = m s m o d
N. Clearly, the ability to take s th roots rood N
implies the ability to decode. A, w h o knows the
factorization of N, can easily take s th roots m o d
N. No efficient way to take sth roots rood Nis
k n o w n w h e n the factorlzation of N is unknown.
P r o b a b i l i s t i c E n c r y p t i o n h a s b e e n u s e f u l for t h e
s o l u t i o n of Mental P o k e r . The p r o b l e m w h e t h e r
it is p o s s i b l e t o p l a y a "fair" g a m e of Mental
P o k e r h a s b e e n r a i s e d b y R o b e r t Floyd.
S h a m i r , Rivest a n d A d l e m a n p r o p o s e d an
e l e g a n t s o l u t i o n to t h i s p r o b l e m in [14] using
commutative encryption functions, but they
could not prove t h a t partial information could
not be compromised using their scheme.
I n d e e d , s e v e r a l p r o b l e m s in t h e i m p l e m e n t a t i o n of t h e i r s c h e m e h a v e b e e n p o i n t e d o u t b y
L i p t o n in [ 10].
A b o u t t h e RSA s c h e m e a a b i n r e m a r k s t h a t ,
f o r all we know, i n v e r t i n g t h e f u n c t i o n z ~ rood
N m a y b e a h a r d p r o b l e m in g e n e r a l , a n d y e t
e a s y f o r a l a r g e p e r c e n t a g e of t h e z ' s .
He s u g g e s t s t o m o d i f y t h e RSA s c h e m e b y
c h o o s i n g s = 2 . Thus, for all u s e r s A, EA(Z ) = z 2
rood N. Notice t h a t E A is a 4-1 f u n c t i o n b e c a u s e
o u r N is t h e p r o d u c t of two p r i m e s . In fact,
e v e r y q u a d r a t i c r e s i d u e rood N, i.e e v e r y q
such that q ~ z 2 m o d N for s o m e z eZN', has
four square roots m o d N: ±z m o d N and ±y
rood N. As A knows the factorization of N, upon
receiving the encrypted message m 2 m o d N, he
could c o m p u t e its four square roots and get the
message rn. The ambiguity in decoding could
be eliminated, for example, by sending the first
20 digits of rn in addition to m 2 rood N. Such
extra information cannot effectively help in
decoding: we could always guess the first 20
digits of m .
The following theorem shows how hard is it
to invert Rabin's function z 2 m o d N.
T h e o r e m (Rabin): If for i~ of the q's quadratic
We p r e s e n t a s o l u t i o n f o r Mental P o k e r , f o r
w h i c h we c a n prove, b a s e d on t h e a s s u m p t i o n
that
factoring
and
deciding
quadratic
r e s i d u o s i t y m o d u l o c o m p o s i t e n u m b e r s is h a r d ,
t h a t n o t a single b i t of i n f o r m a t i o n a b o u t a c a r d
w h i c h should r e m a i n h i d d e n c a n b e d i s c o v e r e d .
Our s o l u t i o n d o e s n o t u s e c o m m u t a t i v e e n c r y p tion functions.
2. T h e ,Security of a P u b l i c Key Cryptosystem.
All t h e n u m b e r t h e o r e t i c n o t a t i o n u s e d in
t h i s s e c t i o n will b e d e f i n e d in s e c t i o n 3.1.
2.1 What is a P u b l i c Key Cryptosystem?
The c o n c e p t of a Public Key C r y p t o s y s t e m
was i n t r o d u c e d b y Diffie a n d H e l l m a n in t h e i r
366
r e s i d u e s m o d N one could find one s q u a r e r o o t
of q, t h e n one could f a c t o r N in R a n d o m Polyn o m i a l Time.
The t h e o r e m follows f r o m the following
l e m m a t h a t we s t a t e w i t h o u t proof.
L e m m a 1: Given z , y E Z N ° s u c h t h a t x 2 = y 2
rood N a n d x ~ :i:y m o d N, t h e r e is a p o l y n o mial t i m e a l g o r i t h m to f a c t o r N. (In f a c t t h e
g r e a t e s t c o m m o n divisor of N and x :i=y is a fact o r of N).
I n f o r m a l proof of R a b i n ' s t h e o r e m : A s s u m e
t h a t we have a m a g i c box B s u c h t h a t given q, a
q u a d r a t i c r e s i d u e rood N, for 1% of t h e q's it
o u t p u t s one s q u a r e r o o t of q rood N. Then we
c o u l d f a c t o r N by i t e r a t i n g t h e following step:
P i c k i at r a n d o m in Z N~ and c o m p u t e q =i ~
m o d N. F e e d t h e m a g i c b o x B w i t h q . If M
o u t p u t s a s q u a r e r o o t of q d i f f e r e n t f r o m i
or -i m o d N, t h e n (by t h e above l e m m a )
f a c t o r N.
The e x p e c t e d n u m b e r of i t e r a t i o n s is low, as a t
e a c h step, we have a 0.SYo c h a n c e s to f a c t o r N.
in ZN*, the ability t o d e c o d e 1% of all m e s s a g e s
does n o t yield a r a n d o m p o l y n o m i a l t i m e algor i t h m for f a c t o r i n g .
By " s p a r s e " we m e a n t h a t for a r a n d o m l y
c h o s e n x E Z N ' , t h e p r o b a b i l i t y t h a t x is a m e s sage is virtually 0.
Let f (x) = z 2 m o d N . A s s u m e t h a t we a r e
able to i n v e r t t h e f u n c t i o n f only on f(M).
Then we would have a m a g i c box MB which, fed
m 2 rood N, would o u t p u t m w h e n e v e r m EM;
and
fed
q,
outputs
nothing
whenever
qe~m2modNImEMI,
e x c e p t , at m o s t , for a
negligible p o r t i o n of t h e q's. With t h e use of
s u c h a m a g i c box we could d e c o d e , b u t n o t fact o r N efficiently. Using s u c h MB, let us look a t
the above i n f o r m a l p r o o f of R a b i n ' s t h e o r e m . If
we pick r n e M and feed m z rood N into MB,
t h e n we g e t b a c k m and we c a n n o t f a c t o r . If
we p i c k .ieM and f e e d i2 m o d N to MB, t h e n t h e
p r o b a b i l i t y t h a t one s q u a r e r o o t of i2 m o d N
different f r o m i, b e l o n g s to / / is p r a c t i c a l l y 0
and we g e t no answer.
2.3
2.5 Discussion of Objection 2
Objections to
Cryptosystems
based
on
We would like to define a Public Key Crypt o s y s t e m to be s e c u r e if an a d v e r s a r y , given
the c y p h e r t e x t , c a n n o t o b t a i n a n y p a r t i a l inform a t i o n a b o u t t h e c l e a r t e x t . This l a t t e r n o t i o n
n e e d s to be f o r m a l i z e d :
Let P be a n y e a s y to evaluate, n o n cons t a n t , b o o l e a n p r e d i c a t e defined on t h e
m e s s a g e s p a c e M. Let m e M . If, given t h e
encryption
of m ,
an
adversary
can
efficiently c o m p u t e t h e value of P ( m ) ,
t h e n p a r t i a l i n f o r m a t i o n a b o u t m c a n be
o b t a i n e d f r o m t h e e n c r y p t i o n of m
Notice t h a t , a c c o r d i n g to t h e above definition,
no Public Key C r y p t o s y s t e m based on trapdoor
f u n c t i o n s is s e c u r e . In fact, if E A is a t r a p d o o r
function, t h e following p r e d i c a t e P , defined on
the c l e a r t e x t , is e a s y to e v a l u a t e f r o m t h e
c y p h e r t e x t : P ( x ) is t r u e if and only if E4(x) is
even. We c a n avoid s u c h p r o b l e m s using P r o b a bitistic E n c r y p t i o n .
We know t h a t s o m e d e c i s i o n p r o b l e m s m a y
be h a r d to solve for p a r t i c u l a r inputs, b u t e a s y
to solve for m o s t of t h e inputs. In view of t h e
special p u r p o s e of C r y p t o g r a p h y , t h e r e q u i r e m e n t t h a t o b t a i n i n g p a r t i a l i n f o r m a t i o n should
be difficult n e e d s to be s t r e n g t h e n e d .
A s s u m e t h a t t h e m e s s a g e s p a c e h a s an
associated probability distribution and that,
with r e s p e c t to this d i s t r i b u t i o n , a p r e d i c a t e P
has a p r o b a b i l i t y p to be t r u e . Without loss of
g e n e r a l i t y , l e t p ~ 0.5.
Definition: An a d v e r s a r y h a s an e a d v a n t a g e
in e v a l u a t i n g t h e p r e d i c a t e P , if he c a n
c o r r e c t l y g u e s s t h e value of P r e l a t i v e to t h e
c l e a r t e x t with p r o b a b i l i t y g r e a t e r t h a n p +e.
Trapdoor Functions
Covering o n e s face with a h a n d k e r c h i e f c e r tainly helps to hide p e r s o n a l identity. However:
1) It will n o t hide f r o m m e t h e i d e n t i t y of a
special s u b s e t of people: m y m o t h e r , m y
sister, close friends.
2) I c a n g a t h e r a lot of i n f o r m a t i o n a b o u t t h e
p e o p l e I c a n n o t identify: t h e i r height, t h e i r
hair c o l o r and so on.
Essentially, t h e s a m e kind of p r o b l e m s m a y
arise in t h e RSA s c h e m e and in t h e Rabin
s c h e m e and, m o r e g e n e r a l l y , in a n y o t h e r P u b lic Key C r y p t o s y s t e m b a s e d on T r a p d o o r F u n c tions:
1) The f a c t t h a t f is a T r a p d o o r F u n c t i o n d o e s
n o t rule o u t t h e possibility of c o m p u t i n g x
f r o m f(x) w h e n x is of special form.
2)
The f a c t t h a t f is t r a p d o o r f u n c t i o n does n o t
rule o u t t h e p o s s i b i l i t y of easily c o m p u t i n g
s o m e p a r t i a l i n f o r m a t i o n a b o u t x f r o m f(x).
2.4 Discussion of Objection 1
One m a y a r g u e t h a t R a b i n ' s Public Key
t r y p t o s y s t e m is as h a r d to b r e a k as f a c t o r i n g
in t h e following way; w h o e v e r can2getm a m e s sages m from their encryptions
m o d N 1P~
of t h e time, is a c t u a l l y realizing t h e m a g i c box
of R a b i n ' s t h e o r e m and t h u s c o u l d efficiently
f a c t o r n.
We would like to p o i n t o u t t h e following
fact.
Claim: If M, t h e set of m e s s a g e s , is " s p a r s e "
367
W e are now able to restate the previous
partial information definition.
Definition: A Public Key Cryptosystem is e
secure if an adversary does not have an e
advantage in evaluating, given the cyphertext,
any easy to c o m p u t e predicate relative to the
cleartext.
Based on the assumption that deciding quadratic residuosity modulo composite n u m b e r s
is hard, we introduce an e-secure Public Key
Cryptosystem, for every non negligible, positive, real n u m b e r e. Let us first deal with the
question of sending securely a single bit in a
Public Key
Cryptosystern.
This question,
closely related to the security of Partial Information, has been raised by Brassard in [~-].
S u m m a r i z i n g : T h e r e are m a n y ways in
w h i c h a single bit c o u l d be " e m b e d d e d " in a
b i n a r y n u m b e r x. Taking t h e "exclusive or" of
all t h e digits of x is j u s t one m o r e e x a m p l e .
However, given y =EA(x ), being able to d i s c o v e r
s o m e p a r t i c u l a r bits e m b e d d e d in x DOES NOT
CONTRADICT the f a c t t h a t it is h a r d to c o m p u t e
x. Then, w h a t is a s e c u r e way to s e n d a single
bit ? The a n s w e r to this p r o b l e m is d i s c u s s e d in
the n e x t section.
2.6 A t t e m p t s to S e n d a Single Bit S e c u r e l y in
P u b l i c Key C r y p t o s y s t e m s b a s e d on T r a p D o o r
Functions
S u p p o s e t h a t u s e r B w a n t s to s e n d a single
bit m e s s a g e t o u s e r A in g r e a t s e c r e c y . The bit
is equally likely to be a 0 or a 1. B w a n t s no
a d v e r s a r y to have a 1~o a d v a n t a g e in g u e s s i n g
c o r r e c t l y his m e s s a g e . B knows t h a t E A is h a r d
to invert and tries to m a k e use of this fact in
the following way.
Idea i: All users in the system agree on an
integer i. User B selects r e M
at random,
except for the ith bit of T, which will be his
message. B sends E4(r ) to A. •
A can decode and thus get the desired bit. But
what can an adversary do ?
Danger: let y = EA(x ), where E A is a one
way function.
Then, given y, it could be
difficult to c o m p u t e x but not a specific bit of x.
Example: let p be a large prime such that
p - i has at least one large prime factor. Let g
be a generator for Zp*. Then ll-=gz m o d p is a
well k n o w n one-way function. But, even though
it is difficult to c o m p u t e x from gS m o d p (the
index finding problem), it is easy to get the last
bit of x. In fact, x ends in 0 if and only if y is a
quadratic residue m o d p, For p prime we have
fast r a n d o m polynomial time algorithms to test
quadratic residuosity, see [i0].
3. I Background and Notation
3. DECIDING QUDRATIC RESIDUOSITY IS HARD
ON THE AVERAGE
The s y m b o l (x,N) will d e n o t e t h e g r e a t e s t
c o m m o n divisor of x a n d N. We use P r ( X ) to
d e n o t e t h e p r o b a b i l i t y of t h e e v e n t X. We let
ZN*= ~ z [ i ~ X ~ N - I and (z,N)=l~.
Given qeZ~v*, is q~-x 2 m o d N
solvable ?If
N is prime, then the answer to this question is
easily computed. If a solution exists, q is said
to be a quadratic residue rood N. Otherwise q is
said to be a quadratic non-residue rood N.
F r o m now on let P, and P2 be odd, distinct
primes and N =PlP2. Then, q ~ x 2 rood N is
solvable if and only if both q=-x2 rood Pl and
q ~-z 2 m o d P2 are solvable. If this is the case, q
is said to be a quadratic residue rood N, otherwise q is said to be a quadratic non-residue
rood N. W e will call the problem of determining
whether an element q e ZN* is a quadratic residue, the quadratic residuosity problem.
Let p be an odd prime and q e Zp*, then the
Jacobi symbol (q/p) equals i if q is a quadratic
residue rood p and -I otherwise. The Jacobi
symbol
(q/N),
is defined
as
(q/N) =
(q/pl)(q/P2). Despite the fact that the Jacobi
symbol (q/N) is defined through the factorization of N, (q/N) is computable in polynomial
time even w h e n the factorization of N is not
known !
]t is easy to see, from the above definitions
that if (q/N) = -i then q m u s t be a quadratic
non-residue rood N. In fact, q m u s t be a quadratic non-residue either rood Pl or rood P2.
However, if (q/N)=+l, then either q is a quadratic residue rood N or q is a quadratic nonresidue for both the prime factors of N.
Let us count h o w m a n y of the q 's, such that
(q/N) = 1, a r e a c t u a l l y q u a d r a t i c r e s i d u e s .
T h e o r e m : Let p be a n odd p r i m e . Then Zp"
is a cyclic g r o u p .
T h e o r e m : Let 9 be a g e n e r a t o r for Z~*,
t h e n g t rood p is a q u a d r a t i c r e s i d u e if a n d
only if s is even.
C o r o l l a r y : Half of t h e n u m b e r s in Z~" a r e
q u a d r a t i c r e s i d u e s a n d half are q u a d r a t i c nonresidues.
The following idea was s u g g e s t e d by Donald
Johnson.
Idea 2: B s e l e c t s 8 ~ i ~ 100 a t r a n d o m , a n d
s e t s t h e i t h bit of x to t h e bit he w a n t s to
c o m m u n i c a t e . The r e m a i n i n g 93 bits of x a r e
c h o s e n at r a n d o m , e x c e p t for t h e first 7 bits of
x, which s p e c i f y l o c a t i o n i. B s e n d s EA(x ) to A.
D a n g e r : If, given EA(x), we c a n easily c o m p u t e t h e first 7 bits of x and one of t h e last 93
bits of x, t h e n we c o u l d g u e s s B's m e s s a g e with
a 1/98 advantage.
368
negligible n u m b e r s . S u p p o s e we could guess,
with an c a d v a n t a g e w h e t h e r q, d r a w n at r a n d o m f r o m AN', is a q u a d r a t i c r e s i d u e rood N.
Then we c o u l d d e c i d e q u a d r a t i c r e s i d u o s i t y of
a n y i n t e g e r rood N with p r o b a b i l i t y i - ~ b y
m e a n s of a p o l y n o m i a l in INI, c - I and (5-I t i m e
probabilistic algorithm.
P r o o f : Assume, to t h e c o n t r a r y , t h a t we have a
p o l y n o m i a l t i m e m a g i c box MB w h i c h g u e s s e s
c o r r e c t l y w h e t h e r q EA N• is a q u a d r a t i c resi1
due m o d N, for ~-+c of t h e e l e m e n t s of AN'.
T h e o r e m : Let N = . P I P 2 w h e r e P s a n d P2 a r e
d i s t i n c t o d d p r i m e s . Then half of t h e n u m b e r s
in Z N" have J a c o b i s y m b o l equal to -1 a n d t h u s
are q u a d r a t i c n o n - r e s i d u e s . The J a c o b i s y m b o l
of t h e r e s t of t h e n u m b e r s is 1. E x a c t l y half of
these latter ones are quadratic residues.
3.2 A Difficult P r o b l e m in N u m b e r T h e o r y .
If t h e f a c t o r i z a t i o n of N is n o t k n o w n a n d
(q/N) =1, t h e n t h e r e is no k n o w n p r o c e d u r e for
d e c i d i n g w h e t h e r q is a q u a d r a t i c r e s i d u e m o d
N. This d e c i s i o n p r o b l e m is well k n o w n to be
h a r d in N u m b e r Theory. It is one of t h e m a i n
f o u r a l g o r i t h m i c p r o b l e m s d i s c u s s e d by Gauss
in his "Disquisitiones A r i t h m e t i c a e " (1801). A
p o l y n o m i a l s o l u t i o n f o r it would i m p l y a p o l y n o mial s o l u t i o n to o t h e r o p e n p r o b l e m s in
N u m b e r Theory, s u c h as d e c i d i n g w h e t h e r a
c o m p o s i t e n , w h o s e f a c t o r i z a t i o n is n o t known,
is t h e p r o d u c t of 2 or 3 p r i m e s , see o p e n p r o b l e m s 9 a n d I5 in A d l e m a n [3].
R e c e n t l y , A d l e m a n [ 1] s h o w e d t h a t a g e n e r a l i z a tion of q u a d r a t i c r e s i d u o s i t y is e q u i v a l e n t t o
f a c t o r i n g . Using this g e n e r a l i z e d n o t i o n in o u r
p r o t o c o l , we c o u l d b a s e t h e s e c u r i t y of o u r
c r y p t o s y s t e m on f a c t o r i n g . At p r e s e n t , we
await t h e final v e r s i o n of A d e l m a n ' s p a p e r .
Assumption: Let 0 < c < l . F o r e a c h positive
i n t e g e r k, let C~,e be t h e m i n i m u m size of circ u i t s C t h a t d e c i d e c o r r e c t l y q u a d r a t i c resid u o s i t y m o d n for a f r a c t i o n e of t h e /c bit
integers n.
Then, for e v e r y 0 < e < l and e v e r y
p o l y n o m i a l Q, t h e r e exists 5e,Q s u c h t h a t
/c>Se,Q implies Ce,~ > Q(k)
S.4 A n u m b e r t h e o r e t i c r e s u l t .
We want to show t h a t d e c i d i n g w h e t h e r q is
a q u a d r a t i c r e s i d u e m o d N, is n o t h a r d in s o m e
special c a s e s , b u t is h a r d o n t h e a v e r a g e in a
v e r y s t r o n g sense. In o r d e r to do so, let us
r e c a l l t h e weak law of l a r g e n u m b e r s :
If Yl, Y2 . . . . . y~ are /c i n d e p e n d e n t Bernoulli v a r i a b l e s s u c h t h a t Yi = 1 with p r o b a bility p , and S~ = yl+...+y~, t h e n for real
numbers
~,
6>0,
/c ~ _ _ ! _ _ implies
46~ 2
Let,
a =
is a
fl =
q is
Pr(MB a n s w e r s "q is a q u a d r a t i c r e s i d u e " I q
q u a d r a t i c r e s i d u e rood n)
Pr(MB a n s w e r s "q is a q u a d r a t i c r e s i d u e " I
a q u a d r a t i c n o n - r e s i d u e rood N, q e AN *).
The f r a c t i o n of AN on w h i c h MB is c o r r e c t
equals ~-~+
1-fi). In o r d e r for MB to have a c
a d v a n t a g e , it m u s t be t h a t c~ - B ~ 2e. How1
ever, a n e e d n o t be e q u a l to c + ~
We will now
show how to g e t a good e s t i m a t e for a.
C o n s t r u c t a s a m p l e of k q u a d r a t i c r e s i d u e s
c h o s e n at r a n d o m in ZN ° (the value of k will be
defined l a t e r on). This c a n be easily done b y
p i c k i n g s t ..... s~ at r a n d o m in ZN ° a n d s q u a r i n g
t h e m m o d N.
Initialize two counters R and N R to 0.
Feed each s~2 to MB. Every time that M B
answers "quadratic residue", increment the R
counter. Every time that M B answer "quadratic
non residue".~increment the N R counter.
Let ~=-~-~ If k is chosen to be suitably
1 ,
large, k ~ ~ - ~ t h e w e a k law of l a r g e n u m b e r s
assures that
i.e. R / k is a very good approximation to h o w
well M B guesses if the inputs are only quadratic
residues.
We are n o w ready to determine the quadratic
residuosity of elements in A N .
Let q be an element of Air that we want to
test for quadratic residuosity. R a n d o m l y generate k quadratic residues, z 1..... z~, elem e n t s of ZN* and c o m p u t e yi~qz~ rood N for i
=i .....k. Notice that
a) if q is a quadratic residue, then the y~'s are
r a n d o m quadratic residues in IN*
b) if q is a quadratic non-residue in A N*, then
the y~'s are r a n d o m quadratic non-residues
in A N *.
Let us postpone the proof of (a) and (b) and
assume, for the time being, that they are true.
that
Notice t h a t k is b o u n d e d b y a p o l y n o m i a l in "0-1
a n d 6-1.
L e t A N ' = ~z I zeZ1v" and (z/ N)=l].
Definition: For a composite n u m b e r N, and for
1
real n u m b e r 0 < e ~ ~
we say that we can
guess with e advantage whether q drawn at rand o m from AN ° is a quadratic residue m o d N if
we can, in polynomial(INl) time, guess quadratic residuosity rood N correctly for at least
of t h e e l e m e n t s of AN'.
1 0 < 6 ~ 1 be nonT h e o r e m 1: Let 0 < c ~ ~--,
1
369
in T h e o r e m 1. Also p i c k Yl . . . . . Y20 at r a n d o m f r o m AN'. Again, with v e r y high p r o b a bility, at l e a s t one of t h e y~'s will be a
quadratic
non-residue.
Now, c o n s t r u c t
s a m p l e s Ht=~y~s I s e S], and feed t h e m
into MB~.
a) If MB z p e r f o r m s on all t h e H i ' s as it p e r f o r m e d on S, t h e n go to t h e n e x t e l e m e n t in T.
Halt if all e l e m e n t s in T have b e e n used.
b) If MB z p e r f o r m s "significantly" d i f f e r e n t l y
o n , say H i, t h a n it did on S , halt.
Initialize two c o u n t e r s R" a n d NR" to O. F e e d
t h e s a m p l e }Yi] into MB. I n c r e m e n t R ' e v e r y
t i m e t h a t MB a n s w e r s " q u a d r a t i c r e s i d u e " , and
NR" e v e r y t i m e t h a t MB a n s w e r s " q u a d r a t i c
n o n - r e s i d u e " . We know, t h a t if q is a q u a d r a t i c
residue,
then
the
pr([ R "
k
quadratic
Pr(l -R~-"
I R°k
R
5 2
k I ~2"~)m (1-~-) , and
non-residue
R
.~-I~2~)<I-(I-
~)z
.
if q
is a
then
Thus
if
Rl-<2~k t h e n with p r o b a b i l i t y g r e a t e r
If c a s e (b) o c c u r s t h e n Yi is a q u a d r a t i c
n o n - r e s i d u e and, m o s t i m p o r t a n t l y , we o b t a i n a
m a g i c box, MB z, w h i c h d i s t i n g u i s h e s b e t w e e n
q u a d r a t i c r e s i d u e s a n d n o n - r e s i d u e s in r a n d o m
polynomial time.
Case (b) o c c u r s when t h e r e is an x e T
w h i c h is a q u a d r a t i c n o n - r e s i d u e rood N, a n d a t
l e a s t one of its c o r r e s p o n d i n g yi's is a quad r a t i c n o n - r e s i d u e m o d N.
Thus c a s e (b)
t h a n 1-5, q is a q u a d r a t i c r e s i d u e m o d N, otherwise, a g a i n with p r o b a b i l i t y g r e a t e r t h a n 1-5,
q was a q u a d r a t i c n o n - r e s i d u e m o d N.
We still n e e d to p r o v e (a) a n d (b). We will
only p r o v e (a) as t h e p r o o f for (b) is similar. It
will suffice to p r o v e t h a t , given a n y q u a d r a t i c
r e s i d u e q, a n y o t h e r q u a d r a t i c r e s i d u e y in ZN"
c a n be u n i q u e l y w r i t t e n as y = q z w h e r e z is
a q u a d r a t i c r e s i d u e m o d N. It is a well k n o w n
t h e o r e m in a l g e b r a t h a t Z N" = Z p , ' x Z p ' . Thus
let a a n d b be g e n e r a t o r s for Z p " a n d Zp, °
s u c h t h a t (a,p2)=l a n d ( b , p l ) = 1. Then a n y
e l e m e n t of Z N. c a n be w r i t t e n u n i q u e l y as aib j
where l~i~pl-1
and l ~ j ~ p 2 - 1 .
Moreover, q
is a q u a d r a t i c r e s i d u e m o d N if and only if it
c a n be w r i t t e n as q = aeib 2j w h e r e 1 ~ 2i ~ P l 1 a n d 1 - < 2 j _ < p 2 - 1 . Thus if y = a2Sb 2t is a n y
q u a d r a t i c r e s i d u e and x = a2(S-i)b 2(t-y), t h e n
y = qx p a r t (a) is proved.
o c c u r s with p r o b a b i l i t y
1-
This c o n t r a d -
icts o u r a s s u m p t i o n t h a t d e c i d i n g q u a d r a t i c
r e s i d u o s i t y is h a r d .
In t h e above, we a s s u m e d t h a t given a n y
q u a d r a t i c n o n r e s i d u e r eAg*, one c o u l d c o n s t r u c t a m a g i c box MB r, having a e a d v a n t a g e
in d e c i d i n g q u a d r a t i c r e s i d u o s i t y , and we
derived a contradiction.
S u p p o s e one is able to build a MBr, having a
~ a d v a n t a g e in d e c i d i n g q u a d r a t i c r e s i d u o s i t y ,
only for 1% of t h e q u a d r a t i c n o n - r e s i d u e s ,
r e AN'. Then all t h a t would be c h a n g e d in t h e
above p r o o f would be t h e size of t h e s e t T, so
t h a t T will i n c l u d e a s u i t a b l e r .
T h e o r e m 2: Let r c A N" be a p u b l i c i z e d quad r a t i c n o n - r e s i d u e m o d N. Let 0 < ~ g 1
0 < 5 -< 1 be non-negligible n u m b e r s . S u p p o s e
we could g u e s s with an ~ a d v a n t a g e w h e t h e r q,
d r a w n at r a n d o m f r o m AN , is a q u a d r a t i c residue m o d N. Then we c o u l d d e c i d e q u a d r a t i c
r e s i d u o s i t y of a n y i n t e g e r rood N with p r o b a b i l ity 1 - 5 b y m e a n s of a p o l y n o m i a l in IN[, e -1 and
6 -1 t i m e p r o b a b i l i s t i e a l g o r i t h m .
Proof:
A s s u m e first t h a t given a n y r q u a d r a t i c
n o n - r e s i d u e rood N, V e A N ' , s o m e o n e c o u l d
build a p o l y n o m i a l t i m e m a g i c box" MBr t h a t
has a e a d v a n t a g e in d i s t i n g u i s h i n g b e t w e e n
q u a d r a t i c r e s i d u e s a n d n o n - r e s i d u e s rood N. We
will show t h a t even if one is n o t given s u c h an r ,
q u a d r a t i c r e s i d u o s i t y c a n still be d e c i d e d .
C o n s t r u c t a s e t T c o n s i s t i n g of 20 e l e m e n t s
c h o s e n a t r a n d o m f r o m AN'. With p r o b a b i l i t y
1- ( 1 / 2 ) 2° one of t h e e l e m e n t s in T will be a
q u a d r a t i c n o n - r e s i d u e m o d N. F o r e a c h z • T
do t h e following:
Choose k as in t h e o r e m 1. C o n s t r u c t MBz
a n d t e s t its p e r f o r m a n c e on k r a n d o m quad r a t i c r e s i d u e s , S = [ s 1. . . . . ski, as we did
4. H O W TO S E N D M E S S A G E S IN A PUBLIC K E Y
C R Y P T O S Y S T E M IN A P R O V A B L Y S E C U R E W A Y
E v e r y u s e r in t h e s y s t e m p u b l i c i z e s a l a r g e
c o m p o s i t e n u m b e r N whose f a c t o r i z a t i o n , N =
P ~ 2 , he alone knows, a n d y e A~ s u c h t h a t y
is a q u a d r a t i c n o n - r e s i d u e m o d N.
Let N be t h e public k e y of u s e r A. S u p p o s e
u s e r B w a n t s to s e n d A a b i n a r y m e s s a g e
m = ( m 1. . . . . m~). Then, for e a c h m i, B r a n d o m l y p i c k s an xi e Z~, a n d s e t s
zi ~ m o d N
e~ ~-
yz~ 2 m o d N
if m i is a 0
if m i is al '
B sends (e l..... e~) to A.
To d e c o d e m , user A, w h o k n o w s the factors
of N, reconstructs m by letting
i if e i is a quadratic residue rood N
~'r%i~-
370
0 if e i a is quadratic n o n residue m o o N
D e f i n i t i o n : The d i s t a n c e b e t w e e n a a n d b is
d e f i n e d t o b e t h e n u m b e r of p o s i t i o n s i n w h i c h
a a n d b d i f f e r . We s a y t h a t a a n d b a r e a d j a c e n t if t h e d i s t a n c e b e t w e e n t h e m is 1.
T e s t i n g w h e t h e r q E A~ is a q u a d r a t i c r e s i d u e
m o d N, w h e n t h e f a c t o r i z a t i o n of N is k n o w n , is
easy by the following lemma.
] . , e m m a 2: If t h e f a c t o r i z a t i o n of N is k n o w n , we
can test whether there exists an x such that
q ~ x 2 m o d N in p o l y n o m i a l t i m e .
P r o o f : q is a q u a d r a t i c r e s i d u e m o d N if a n d
o n l y if q is a q u a d r a t i c r e s i d u e m o d p 1 AND P2.
F o r a p r i m e p , q is a q u a d r a t i c r e s i d u e r o o d p
if a n d
o n l y if q ( p - 1 ) / 2 = 1 m o d p . Thus, t o
t e s t w h e t h e r q is a q u a d r a t i c r e s i d u e m o d N we
need only compute
q(~-i)/2 rood pl and
q(~-~)/~ m o d p 2 .
For any decision function d and n-signature
l e t Pd(l):lO,11 n ~ [0,1] b e d e f i n e d a s
Pa(l) = Pr ( d(x)=l
Theorem
T h e d e f i n i t i o n of s e c u r i t y in a P u b l i c K e y
C r y p t o s y s t e m is v e r y d i f f i c u l t . It d e p e n d s o n
t h e m o d e l a s s u m e d of t h e p o s s i b l e b e h a v i o r of
a n a d v e r s a r y • At p r e s e n t , we a s s u m e t h a t a n
adversary
may intercept
E ( m ) and try to
e x t r a c t i n f o r m a t i o n a b o u t m . He c a n m a k e u s e
o n l y of a c o m p u t e r , t h e c y p h e r t e x t a n d t h e a
p r i o r i k n o w l e d g e of t h e m e s s a g e s p a c e M. No
restrictions on M are assumed.
N o t i c e t h a t in o u r s c h e m e , d i f f e r e n t l y f r o m
t h e RSA, a n a d v e r s a r y , g i v e n E ( m ) , m a y b e
l u c k y in g u e s s i n g c o r r e c t l y m a n d y e t n o t a b l e
t o p r o v e t h e c o r r e c t n e s s of h i s g u e s s • H o w e v e r ,
t h e p o s s i b i l i t y of u n d e r s t a n d i n g a m e s s a g e ,
w i t h o u t b e i n g a b l e t o p r o v e w h a t i t is, is s t i l l
d a n g e r o u s f o r t h e s e c u r i t y of t h e P u b l i c K e y
Cryptosystem.
We s h o w t h a t , g i v e n E ( r n ) f o r rn ~ M , if a n
adversary can do better than guessing m at
r a n d o m , t h e n d e c i d i n g q u a d r a t i c r e s i d u o s i t y of
a n y i n t e g e r m o d N , is e a s y .
aN(x) *-
The
signature
Let us choose
of n
d:S~-,Io, lL
Pr (IP~(t) -
>~)<~
I
Set,
d(zt)+...+d(xk)
k
ele-
d(yl)+...+d(y~)
k
As s = ( s I . . . . .
s,') and t=(t I.....
in) are
a d j a c e n t , t h e y d i f f e r in e x a c t l y o n e l o c a t i o n .
Call t h i s l o c a t i o n r . L e t u s a s s u m e , w i t h o u t l o s s
of g e n e r a l i t y , t h a t sv = i a n d t r = 0.
We will n o w s h o w t h a t we c a n d e c i d e q u a dratic residuosity
mod N with probabilit,y
g r e & t e r t h a n i - 6 . L e t q b e a n e l e m e n t of AN
t h a t we w a n t t o t e s t f o r r e s i d u o s i t y . C h o o s e k
r a n d o m q u a d r a t m r e s l d u e s In A N : x l2 . . . . . xe2
a n d c o m p u t e y j = q.x/2 m o d N f o r i ~ j ~ k . By
t h e o r e m 1, t h e y j ' s a r e all q u a d r a t i c r e s i d u e s if
•
ar~,) a n d b = (b 1. . . . .
1 be
~=
d(y~)+...+d(yk)
of x ,
A decision function is a function
. L e t a = ( a 1. . . . .
be n-signatures.
0<6~
I>~) < !
D e f i n i t i o n : L e t s = (xl . . . . . x n ) C S N n. The n s i g n a t u r e of s , EN(s), is d e f i n e d t o b e t h e
s t r i n g EN(S ) = aN(Xl) aN(Z2) ' ' .
aN(Zn)
Definition:
1
~- and
~
Also, l e t k ~
1
4n"
d,~2"
C h o o s e k e l e m e n t s , x 1. . . . .
xk at random from
Q, =Ix c SN n I EN(x ) = s l a n d k e l e m e n t s ,
Y 1. . . . .
Y~
at
random
from
Q t = l x c S N n I ZN(x) = tl. T h e n , b y t h e w e a k
law of l a r g e n u m b e r s ,
d(xO+...+d(z~)
Pr(IP~(s) 4
and
1 if x is a q u a d r a t i c r e s i d u e r o o d N
0 if x a is q u a d r a t i c n o n r e s i d u e r o o d N
L e t SN n b e t h e s e t of all s e q u e n c e s
m e n t s f r o m AN*.
0 <e~
Proof: Suppose there exists a decision function
d and two n-signatures
u and v such that
IPa(u)-Pd(v)I>~.
Let A be the distance
between u and v.
L e t ao,a I . . . . .
a a be a
s e q u e n c e of n - s i g n a t u r e s
such that a 0 = u,
a a=v
a n d a.~ is a d j a c e n t t o a,~+I f o r 0 ~ i
<rn.
As ] P a ( u ) - P a ( v ) ]
> ~, t h e r e m u s t
exist
i , 0 ~ i ~ A - 1,
such
that
[ P d ( a ~ ) - Pa(a~+l) l ~ e / n .
For convenience,
l e t s = ~ a n d t = a~+ 1.
AN*=~z eZN* l(x/ N)=ll.
D e f i n i t i o n : L e t x CAN °.
aN(X ) is d e f i n e d a s
Let
~N(2~) = l forx eSN n)
n o n - n e g l i g i b l e n u m b e r s . If t h e r e e x i s t s a d e c i s i o n
f u n c t i o n d w h i c h is e a s y t o c o m p u t e a n d t w o
n-signatures, u and v, have been found such
t h a t [Pa(u ) - P a ( v ) [ > e ,
t h e n we c a n d e c i d e
q u a d r a t i c r e s i d u o s i t y of a n y i n t e g e r m o d N
w i t h p r o b a b i l i t y 1 - ~ b y m e a n s of a p o l y n o m i a l (
in INI, e -1, a n d d - t ) t i m e p r o b a b i l i s t i c a l g o rithm.
We n o w a d d r e s s t h e q u e s t i o n of t h e s e c u r i t y
of t h e n e w l y p r o p o s e d P u b l i c K e y C r y p t o s y s tern. Let E ( x ) stand for our new encryption
f u n c t i o n a n d l e t M b e t h e s e t of all p o s s i b l e
messages.
Recall that
3:
]
l,
bn)
371
•
•
*
q is a q u a d r a t i c r e s i d u e a n d all q u a d r a t i c nonr e s i d u e s in A~, otherwise.
In t h e o r e m 2 we showed t h a t knowing a
n o n - r e s i d u e in A~ does n o t help in d e c i d i n g
quadratic
residuosity.
Therefore
we
can
a s s u m e t h a t s u c h a n o n - r e s i d u e , h, is known.
This allows us to pick q u a d r a t i c n o n - r e s i d u e s a t
r a n d o m f r o m A~, (by c o m p u t i n g hz~).
We are now r e a d y to d e c i d e w h e t h e r q is a
q u a d r a t i c residue.
(* C o n s t r u c t a r a n d o m s a m p l e of ~¢ e l e m e n t s
(y~.~ . . . . .
y,,,~) . . . . .
(y~,~ . . . . .
y~,,~) • S g "
such
that
for
all
1 ~ i ~ ~%, i # r , 1 ~ j ~ / c , fiN (Yj,~) = S~,
and
for all 1 ~ j ~ ~, y~.,r=y~. *)
For i = 1 ..... r - l , r + l .... ~ do
begin
F o r j = 1 ..... ~ do
draw z • A~ at r a n d o m .
if st = 1 theny~,~ := x ~ m o d N
else if s~ = 0 t h e n y 3 , i := h z a m o d N
end.
(* E v a l u a t e t h e d e c i s i o n f u n c t i o n d on e a c h
m e m b e r of t h e s a m p l e *)
For j = 1..... /¢ do
x~ = d(U~,~ . . . . .
Notice
that
Let us introduce s o m e m o r e notation. Let,
M n = [rnl,m2 ..... I be the set of m e s s a g e s
whose length is ~%, where r~ is b o u n d e d by a
polynomial function in IN I. Set k = I M ~ I. Let
M~ be the set of all possible encodings of m e s sage m i e M ~, using the s c h e m e described at
the beginning of this section. Clearly, M~ c S N ~
and for all i and j , IMil = IMjl. Set X =IM~I.
4.1 The S e c u r i t y of P a r t i a l I n f o r m a t i o n
In t h e p r e s e n t v e r s i o n of t h e p a p e r , we
a s s u m e t h a t all m e s s a g e s in M ~ are equally
likely. Let P be an e a s y to e v a l u a t e p r e d i c a t e ,
defined on M ". Let p be t h e p r o b a b i l i t y t h a t
P ( z ) is t r u e for a r a n d o m z • M '~. Since M n is
u n i f o r m l y d i s t r i b u t e d , a n d I Mn[ = k, P m u s t
e v a l u a t e to 1 on p~: m e s s a g e s in M n.
Let MB be a m a g i c box t h a t r e c e i v e s as
input
the
cyphertext
E ( m ) • S N '~, w h e r e
m • M n, a n d o u t p u t s 0 or 1, its g u e s s for t h e
value of P ( m ) . Let 0j be t h e n u m b e r of 0's and
let ly be t h e n u m b e r of l ' s t h a t MB g u e s s e s on
e n c o d i n g s of my. Clearly, 0j + lj = X. Let
V~,,.-~,Y~, Y~,,.+~ ..... ~y,,~ )
the
entire
sample
e i t h e r a s u b s e t of Os or a s u b s e t of fit. Thus
with p r o b a b i l i t y g r e a t e r t h a n 1 - 6 one of t h e following two m u t u a l l y exclusive e y e n t s will o c c u r :
.
d r a t i c r e s i d u o s i t y of a n y i n t e g e r n o d N with
p r o b a b i l i t y 1 - 6 by m e a n s of a p o l y n o m i a l ( in
INI, e-l, a n d 6 -1) t i m e p r o b a b i l i s t i c a l g o r i t h m .
.t(x~+...+x~)
-
a/<
|
lj i f P ( m j )
q=
0.
C/ r e p r e s e n t s t h e n u m b e r of e n c o d i n g s of m e s sage m t on w h i c h MB c o r r e c t l y g u e s s e s t h e
value of P ( m y ) .
T h e o r e m 5: Let 0 < 6 < 1 be a n o n negligible
real n u m b e r
If = 1S
p
for s o m e n o n -
or
1
(~)I(XI+'''+Xk) # I< 2n£ .
If case (1) occurs, we conclude, with probability
g r e a t e r t h a n 1-6, t h a t q is a q u a d r a t i c residue.
Otherwise, we c o n c l u d e , a g a i n with p r o b a b i l i t y
g r e a t e r t h a n 1 - 6 t h a t q is a q u a d r a t i c nonresidue.
The n o t i o n of a d e c i s i o n f u n c t i o n is i m m e d i a t e l y g e n e r a l i z e d to t h a t of a d i s c r i m i n a t i n g
f u n c t i o n . This is a d e c i s i o n f u n c t i o n w h i c h c a n
t a k e on m o r e t h a n 2 values. F o r a n y n o n e m p t y
set
fl, let D : S N " - ~ .
Let
a eft, then
PD.a(I) = P r ( D ( x ) = a [ ~N(Z) = l for x • SNn).
The following t h e o r e m is a n e a s y e x t e n s i o n of
t h e o r e m 3 a n d we will s t a t e it w i t h o u t proof.
Theorem
0j ifP(m~.)
= 1
4: Let
1
0< c~ ~-and
0 < 6 ~ 1 be
non-negligible n u m b e r s .
If t h e r e e x i s t s a
d i s c r i m i n a t i n g f u n c t i o n D:SN r'~A, which is
e a s y to c o m p u t e and two n - s i g n a t u r e s , u and
v,
have
been
found
such
that
IPi~.=(u)-PD,=(v)I>e, t h e n we c a n d e c i d e qua-
negligible real e > 0, t h e n we could d e c i d e quad r a t i c r e s i d u o s i t y of a n y i n t e g e r m o d N with
p r o b a b i l i t y 1-6 b y m e a n s of a p o l y n o m i a l
in
INI, e-l, a n d 6 -1 t i m e p r o b a b i l i s t i c a l g o r i t h m .
P r o o f : Let us p a r t i t i o n M n into 1 0 / e b u c k e t s ,
MrS=
10/
U B~, s u c h t h a t m e B~ if and only if
i=l
(i-1)
e
~ lm
< i ---~---- We show t h a t t h e r e
I0
X
I0"
exist two non-adjacent buckets, each containing a non-negligible portion of the messages.
More formally, we show there exist g,h where
l<h+l<g
~ I0/~
such
that
>
1
k.
Say,
that
/~
is
big
if
IBgI,IBhl
-i 2 ]c and small otherwise. T h e n w e
IB~ I >to (is~ow)that there are two non adjacent
want
big buckets. Assume, for contradiction, that
this is not the case. T h e n one of the following
cases m u s t apply:
i) There are no big buckets.
2) There is only one big bucket: B~
372
3) T h e r e are exactly two a d j a c e n t big buckets:
T h e o r e m 6: Let 0 < 5 <
1 be a n o n negligible
k r~,~
1
real n u m b e r . If ~ k- x > e + ~ - - f o r s o m e
B~ and B¢_~
Note t h a t c a s e 1 c a n n e v e r be t r u e ; o t h e r w i s e
10e-*
= E
I B{I
~
In case
< k
lOI :-I
i=1
E
2,
i=l
Cj is
non-negligible
1
e < 1-~-,
then
for which P ( m j ) = 1 b e l o n g to B ~._2 i.e when MB
10
g u e s s e s 1 for all t h e e n c o d i n g s of all t h e m e s s a g e s for which the p r e d i c a t e is true.
m e s s a g e s a n d W' = M n - W.
Thus, p + ~ _ ! _ _
~
Ci
k X m~ ~ M"
kX
C3+
&
m~ c B~,~ #~
~
messages.
<p+C
Proof:
i0
k
~,eW
i=l
In c a s e 3,
E
Cj.+
rnj EB~
E
/
Claim 1." There exist at l e a s t ~ - - w e l l - d e c o d e d
Cj)~p+
E
decide
q u a d r a t i c r e s i d u o s i t y rood N with p r o b a b i l i t y
1 - 5 by m e a n s of a p o l y n o m i a l in I N I , e-1 and
6 -2 t i m e p r o b a b i l i s t i c a l g o r i t h m .
P r o o f : Say t h a t a m e s s a g e m~ is well d e c o d e d if
1
riA>(~-v)X. Let, W be t h e set of w e l l - d e c o d e d
m a x i m u m for i = 1 0 ' and if all m e s s a g e s m~
= i ( ~
we c a n
rn: e Bi
"
when
Cj is m a x i m u m
~EW'
1
1
1
-< xl W l + ( k - l WllE~x=X [ ( z - E c l l W l+k~-~) ]
m~ e B~_,
i = - ~ - a n d all t h e m e s s a g e s for which P is t r u e
b e l o n g to BA.._ and all t h e m e s s a g e s for which P
Hence,
]W] >
10
~/3
(i -
is false belong to BA
e
~/2) > E
(claim 1) [~
10 - 1
Thus, p + e ~
1 {(m~
IcX
~
k X ral e M"
C'+
B~
i
i
~
Clearly, if we pick m e s s a g e s at r a n d o m
f r o m M n, we e x p e c t to find a w e l l - d e c o d e d m e s sage in 2v -1 trials.
Let QcW s u c h t h a t
1
[QI>2e -landletp >
E e - l ( 2 v - l + 1) '
Ci =
C1) +
mi e B~-1
~
rnt e B , , k ~ ,
C1 }
~+ l
}
Claim 2." There exists two w e l l - d e c o d e d m e s -
{[p]cx+(l_p)~lO-llcx]+kxclO_I
kX+3~lO-'kX )
<p+~-
sages mi, m I eQ such that
Ir~,~
I - ~ - - - - r,,~
~ "lI > p
proof: Fix m I e D . How m a n y m e s s a g e s m i e
I
c a n be s u c h t h a t I r'~'iX
rJ'i
'X
-< p o' ml n- e r e a r e at
In all t h r e e c a s e s we r e a c h a c o n t r a d i c t i o n .
Thus t h e r e exist two n o n a d j a c e n t ~ u c k e t s
most
Bg and B h e a c h c o n t a i n i n g at l e a s t ~10 k m e s sages. By sampling, we c a n find, in a small
e x p e c t e d time, two m e s s a g e s u and v in Bg
and B h , r e s p e c t i v e l y . We view MB as a d e c i s i o n
function
D:SN n -~[0,1].
Then,
t h e r e e x i s t s an m~ e Q t h a t satisfies t h e claim.
(claim 2)
PD(u)--PD(v) > - ~ - a n d t h e o r e m 3 applies.
Next, we will see t h a t an a d v e r s a r y c a n n o t
d e c o d e m o r e t h a n a negligible f r a c t i o n of t h e
e n c o d i n g s of all m e s s a g e s .
1
<2e-1+1
such messages.
Thus
(~-~:-p)
Let us t r a n s f o r m MB into a d i s c r i m i n a t i n g
f u n c t i o n D:SNn~Mnu~71. If x e S N n and MB, on
i n p u t x, o u t p u t s m j , t h e n set D(x)=mj. I f y is
n o t the e n c o d i n g of a n y m e s s a g e , t h e n one of 3
cases m u s t occur:
1) MB o u t p u t s m r for ! _ < i ~ t.
Set
D(y)=m~.
2) MB o u t p u t s m~ for i < 1 or i > t.
Set
D(y)=7.
4.2 An A d v e r s a r y C a n n o t D e c o d e .
Let MH be a m a g i c box t h a t r e c e i v e s as
i n p u t E ( m ) for m e M n, and o u t p u t s mr. MB's
o u t p u t can be i n t e r p r e t e d as MH's g u e s s of
what m is.
Let rj,~ d e n o t e the n u m b e r of e n c o d i n g s of m e s sage m j , on which MH a n s w e r s mi. Clearly, r~,~
will d e n o t e the n u m b e r of times, o v e r all possible e n c o d i n g s of m~, t h a t MB a n s w e r s c o r r e c t l y .
3) MH does n o t a n s w e r within a c e r t a i n t i m e
limit. Set D(Y)=T.
Now, n o t e t h a t in c l a i m s 1 and 2 just p r o v e d
above, we showed t h a t we c a n q u i c k l y find two
w e l l - d e c o d e d m e s s a g e s m( and m j s u c h t h a t
IPD,m,(m()-PD,m~(mj)] > p.
Thus
the
h y p o t h e s i s of t h e o r e m 4 holds and deciding
q u a d r a t i c r e s i d u o s i t y m o d N is p o l y n o m i a l in
INI, e -1 and 6 -1. []
373
T h e o r e m 6 shows t h a t i n v e r t i n g the f u n c tion E on t h e e n c r y p t e d m e s s a g e s is as h a r d as
deciding q u a d r a t i c r e s i d u o s i t y , i n d e p e n d e n t l y
of t h e s p a r s i t y of M".
won (or lost), he lets A c o m e c l o s e r a n d look
into t h e well.
Essentially, if we c a n s i m u l a t e a flip in t h e
well
by
exchanging
messages
over
the
t e l e p h o n e , A c a n s e n d a r a n d o m bit to B, w h e r e
A does n o t know w h a t he sent, b u t B can, if
n e c e s s a r y , p r o v e to A w h a t t h e bit was. This is
e s p e c i a l l y a p p l i c a b l e to c r y p t o g r a p h i c a l g a m e s .
The n o t i o n of coin flipping in t h e well h a s
b e e n i n t r o d u c e d by Blum and Micali in [5], in
which, b a s e d on t h e a s s u m p t i o n t h a t i n d e x
finding is hard, t h e y show how to flip a coin in
the well over t h e t e l e p h o n e lines. A n o t h e r
m e t h o d b a s e d on t h e a s s u m p t i o n t h a t f a c t o r i z a t i o n is h a r d has b e e n f o u n d b y Blum in [4].
We s k e t c h a t h i r d m e t h o d , b a s e d on t h e
difficulty of d i s t i n g u i s h i n g q u a d r a t i c r e s i d u e s
f r o m n o n - r e s i d u e s with r e s p e c t to c o m p o s i t e
moduli.
A a n d B w a n t to flip a coin. A g e n e r a t e s two
large odd p r i m e s at r a n d o m , P and Q and
s e t s N = p * Q . A p u b l i c i z e s N and y EAN*
s u c h t h a t y is a q u a d r a t i c n o n - r e s i d u e m o d
N. A p i c k s a n u m b e r q a t r a n d o m f r o m
AN* and a s k s B, who does n o t know t h e faet o r i z a t i o n of N, w h e t h e r q is a q u a d r a t i c
r e s i d u e rood N or not. B tells A w h a t his
g u e s s his. A now knows w h e t h e r B won
(lost), a n d c a n l a t e r p r o v e to B t h a t he
i n d e e d won(lost) by r e l e a s i n g t h e f a c t o r i z a lion of N.
5. MENTAL POKER
Mental P o k e r is p l a y e d like r e g u l a r p o k e r
e x c e p t t h a t t h e r e are no c a r d s a n d no d e c k
The g a m e is p l a y e d over the t e l e p h o n e lines, oI
over a c o m p u t e r n e t w o r k . Since we c a n n o t
s e n d p h y s i c a l c a r d s over t h e p h o n e lines, dealing and playing m u s t be s i m u l a t e d by e x c h a n g ing m e s s a g e s b e t w e e n t h e players. The p l a y e r s
do n o t t r u s t e a c h o t h e r m o r e t h a n o r d i n a r y
p l a y e r s do. A f a i r g a m e o n t h e t e l e p h o n e
should e n s u r e t h a t :
1) N e i t h e r p l a y e r c a n have a n y p a r t i a l inform a t i o n a b o u t t h e c a r d s in his o p p o n e n t ' s
h a n d or in t h e d e c k ,
2) T h e r e is no o v e r l a p in t h e c a r d s d e a l t to
players,
3) All possible h a n d s a r e equally p r o b a b l e for
both players.
4)
At t h e end of t h e g a m e e a c h p l a y e r c a n verify t h a t t h e g a m e was p l a y e d a c c o r d i n g to
t h e r u l e s a n d no c h e a t i n g o c c u r r e d .
Note t h a t in a fair g a m e of Mental P o k e r it
is n o t e n o u g h t o show t h a t it is c o m p u t a t i o n a l l y
difficult to g e t t h e e x a c t value of a c a r d . We
m u s t also show t h a t no p a r t i a l i n f o r m a t i o n
a b o u t t h e c a r d c a n fall into the h a n d s of an
adversary.
We p r e s e n t a p r o t o c o l for two p e o p l e to p l a y
a fair g a m e of Mental P o k e r , using e n e r y p t i o n .
We p r o v e t h a t t h e r e is no way a p l a y e r c a n g e t
any i n f o r m a t i o n a b o u t c a r d s n o t in his h a n d
u n d e r t h e a s s u m p t i o n t h a t deciding q u a d r a t i c
r e s i d u o s i t y is h a r d .
T h e r e are two m a i n tools u s e d in o u r i m p l e m e n t a t i o n of Mental P o k e r . One is a m e t h o d
for coin-flipping o v e r t h e t e l e p h o n e [ 5 ] a n d t h e
o t h e r is t h e m e t h o d for s e n d i n g a single bit
securely
in
a Public
Key C r y p t o s y s t e m
p r e s e n t e d here.
A d i f f e r e n t s o l u t i o n to t h e p r o b l e m of Mental P o k e r has b e e n o b t a i n e d i n d e p e n d e n t l y by
Manuel Blum in [6]. His s o l u t i o n is b a s e d on t h e
a s s u m p t i o n t h a t f a c t o r i n g is h a r d and t h a t
c o m p l e t e l y s e c u r e one way f u i , c t i o n s exist.
To avoid a d d i n g new a s s u m p t i o n s to t h e
ones t h a t we a l r e a d y have, we p r o p o s e to use
one of t h e s e l a t t e r two coin flipping m e t h o d s in
our p r o t o c o l for Mental P o k e r .
The n e x t s e c t i o n will list s o m e known
r e s u l t s t h a t will be u s e d in t h e p r o o f of t h e protocol.
5.2 Useful Results
Let p 1, P2 be odd p r i m e s a n d N = p 1P2.
].,emma 3: If the factorization of N is known, we
can find qeZ N" such that (q/N) =i and qis a
quadratic non-residue, in r a n d o m polynomial
time.
Proof: Pick
aeZpl such that
(a/Pl)=-l.
This c a n be d o n e in 2 e x p e c t e d trials. Similarly,
pick b e Z ; , such that ( b / p 2 ) = - l .
Using t h e
Chinese R e m a i n d e r t h e o r e m
c o m p u t e the
u n i q u e q e Z N" s u c h t h a t q ~ a ( m o d p l ) and
q-= b ( m o d p 2 ) .
Now, q is a q u a d r a t i c nonr e s i d u e and ( q / N ) = ( q / P l P e ) =
5.1 Background For Coin Flipping
To f l i p cL c o i n i n the welt - A a n d B s t a n d far
a p a r t f r o m e a c h o t h e r . B is s t a n d i n g n e x t to a
d e e p well. A t h r o w s a coin into t h e well f r o m a
d i s t a n c e . Now, B knows t h e o u t c o m e of t h e flip
(by looking into t h e well) b u t c a n n o t c h a n g e it,
and A has no way of knowing t h e o u t c o m e .
L a t e r on when B would like to p r o v e to A t h a t he
( q / P l )" ( q / P 2 )
= (alp1)"
(b/P2)=1.
Let
N =p 1 P 2
such
that
-= P2 -: 3 r o o d 4.
For
all
z , y e ZN °,
if
Px~ y~ rood N a n d x ~ ±y rood N t h e n ( z / N )
]_,emma
= - (y/g).
374
4:
P r o o f : Let
p r i m e s c h o s e n by h i m as
(s 1, t l ) , (s 2, re),
(s 3, t3) ..... (s52, t52 ) s u c h that s,~-ti-=3 m o d 4
for 1-< i _< 52, and his 52 c o m p o s i t e n u m b e r s
by
M 1 := s 1 ' t 1, M~ := s a " t 2 .....
M52 := s52 • tfa. He shuffles t h e d e c k of c a r d s
and assigns M 1..... M52 to t h e shuffled deck, an
M, p e r the i th card.
He p u b l i c i z e s t h e
o r d e r e d 52 t u p l e < M1, Me ..... M52 >.
1 (mod Pl)
c ~
0 (rood P c )
1 (rnocl P c )
d ~- O ( m o d p l )
We c a n find c a n d d t h r o u g h t h e Chinese
Remainder Theorem.
Let a 2 ~ x 2 ( m o d p l )
and b z =- x 2 ( m o d P2). Then t h e f o u r s q u a r e
roots
(
mod
N
)
are
given
by
ac + d b , - a c + d b , - ( a c +db ) and ( a c - d b ). Let
x = a c + d b , and y = - a c + b d .
Since N~-i m o d
4 implies ( x / N ) = ( - x /
N ) , we n e e d only p r o v e
that ( + x / N ) = - ( + y / N ) .
Thus,
(x/N)
=
(ac + b d / N )
=
(ac + b d / p l ) ( a c + b d / p 2 )
=(ac/pl)(bg/p2
).
And
(y/ N)
=
(-ac +bd/ N)=(-ac +bd/ pl)(-ac +bd/p2)=
(-ac/pl)(bd/p2)=(-1/pl)(x/N).
Sincepl = 3
(mod 4), (-i/pl)=-l.
STEP 3: B p u b l i c i z e s his e n t i r e deck. The d e c k
is e n c r y p t e d in t h e following way. F o r e v e r y
c a r d Ct (with public k e y Nt), B p u b l i c i z e s an
o r d e r e d list of 6 n u m b e r s in ANt', ( q l ..... q6)
s u c h t h a t for 1 ~ j -< 6, qy is a q u a d r a t i c residue if and only if t h e j t h bit of C t i s a 1.
For e x a m p l e , let t h e first c a r d in B's d e c k
be 010010. Then B p u b l i c i z e s (ql, qa, qa, q4, qS,
q6) w h e r e ql, qa, q4 and q6 a r e q u a d r a t i c nonr e s i d u e s m o d N~, and q2, q5 a r e q u a d r a t i c residues rood N~ with J a c o b i s y m b o l 1. The q¢'s are
c h o s e n at r a n d o m a m o n g t h e e l e m e n t s of ANt"
with t h e d e s i r e d p r o p e r t i e s . This c a n be d o n e
in r a n d o m p o l y n o m i a l time, b y L e m m a 3.
NOTE t h a t , b y L e m m a 2, if A c a n f a c t o r N¢, he
c a n also d e t e r m i n e w h e t h e r t h e n u m b e r s t h a t
B p o s e d as c o r r e s p o n d i n g to the bits in t h e
e n c o d i n g of CQ are q u a d r a t i c r e s i d u e s or n o t
and t h e r e f o r e d e t e r m i n e what the c a r d is. ]f A
can n o t f a c t o r N¢, he c a n n o t tell w h e t h e r t h e
n u m b e r s c o r r e s p o n d i n g to bits in t h e c a r d s
e n c o d i n g a r e q u a d r a t i c r e s i d u e s or not, and
t h e r e f o r e c a n n o t tell what the r e m a i n i n g c a r d s
By a t h e o r e m of de la Vallee Poussin[15],
a p p r o x i m a t e l y half of all p r i m e s of a given
l e n g t h a r e c o n g r u e n t to 3 rood 4. Thus, c o m p o site n u m b e r s of the f o r m N = p l , p 2 w h e r e
. p l ~ p e ~ 3 rood 4 c o n s t i t u t e a p p r o x i m a t e l y 1 / 4
of all c o m p o s i t e n u m b e r s which are a p r o d u c t
of two odd p r i m e s of a given length, Thus factoring and deciding quadratic residuosity
m o d u l o s s u c h special N ' s r e m a i n s a h a r d p r o b lem. A n o t h e r m e t h o d , which does n o t use special c o m p o s i t e n u m b e r s , b u t i n c r e a s e s t h e
n u m b e r of m e s s a g e s e x c h a n g e d in t h e p r o t o c o l ,
will a p p e a r in the final p a p e r .
are,
5 . 3 THE PROTOCOL
STEP 4: A p u b l i c i z e s his d e c k in t h e e x a c t s a m e
way t h a t B did.
To r e p r e s e n t 52 c a r d s in b i n a r y we m u s t
use at l e a s t 6 bits p e r card. Thus at first A and
B a g r e e on 52 d i f f e r e n t bit p a t t e r n s which
c o r r e s p o n d to t h e 52 c a r d s .
F r o m now on, when we say t h a t A flips k to
B, we m e a n t h a t B r e c e i v e s a n u m b e r k at r a n d o m f r o m A, and A has no i n f o r m a t i o n w h a t s o e v e r a b o u t k. k is a c t u a l l y s e n t bit by bit
t h r o u g h a s e q u e n c e of c o i n f l i p s i n t o a well.
STEP 5 [B deals a Card to A]: S u p p o s e A d e c i d e d
to pick t h e K- t h c a r d f r o m B's deck. R e p e a t
the following p r o c e d u r e for e a c h c a r d in B's
e n c r y p t e d deck. We d e s c r i b e it for the i-th
c a r d , to which N~ c o r r e s p o n d s . B flips z e Z~, to
A. A c o m p u t e s x 2 m a d N~ and ( x / N ~ ) . At this
p o i n t A m u s t follow one of two p r o c e d u r e s : P1 if
i = K and P2 otherwise.
5.3.1 The A l g o r i t h m
P I : A s e n d s x 2 rood N,i, and - ( x / N ~ ) to B.
P2: A s e n d s x e m o d Ny. and ( x / N ~ ) to B.
STEP 1: B c h o o s e s at r a n d o m 52 p a i r s of large
p r i m e n u m b e r s : (Pl, ql), (P2, q2), (Pa, qa) .....
(P52, q52) s u c h t h a t p ~ q ~ - = 3
m o d 4 for
1 ~ i ~ 52, a n d p r o d u c e s 52 large c o m p o s i t e
n u m b e r s whose f a c t o r i z a t i o n she knows, i.e
N l := p l "ql, N2 := p 2 " q 2 .....
Ns2 := p~2 " q52.
Next, she shuffles t h e d e c k of c a r d s in h e r
h a n d s and a s s i g n s N 1..... Nsa to t h e shuffled
deck, an N, p e r t h e i th card. She p u b l i c i z e s
t h e o r d e r e d 52 t u p l e < N1, N 2..... N52 >.
STEP 2:
19 c o m p u t e s the square roots of x 2 m o d N~. Let
the square roots be x, n - z , y and n - y . Next,
B sends the root whose Jaeobi symbol she
received from A : y if she received -(x/Ni) from
A, and x otherwise.
By ] e m m a 4, ( x / N ¢ )
u n i q u e l y identifies x, and - ( x / N ~ )
uniquely
identifies y . Thus if A followed P1 t h e n he will
r e c e i v e 4 s q u a r e r o o t s of x 2 rood N~, and by
l e m m a 1 c a n f a c t o r . If A followed P2, he will g e t
no new i n f o r m a t i o n as to t h e value of CC/. B
A does t h e s a m e . Let us d e n o t e t h e
375
It still remains to be shown that neither
player can have, at any stage of the game, any
partial information, about a single encrypted
card not in his hand, or any subset of
encrypted cards not in his hand. A complete
p r o o f will be f o u n d in t h e final p a p e r . H e r e we
r e s t r i c t o u r s e l v e s to p r o v i n g t h a t w h e n two
p l a y e r s A and B publicize t h e i r r e s p e c t i v e
e n c r y p t e d decks, neither A nor B can answer
quickly with I% a d v a n t a g e a i bit q u e s t i o n
a b o u t a single c a r d in t h e o p p o n e n t s d e c k .
E x a m p l e s of s u c h i bit q u e s t i o n s are: is t h e i-th
c a r d in t h e d e c k black?, Are t h e first a n d t h i r d
bit of t h e i-th c a r d equal? Is t h e rood 2 s u m of
t h e bits in t h e i-th c a r d 0 or I?
T h e o r e m 7: If A, w h e n B p u b l i c i z e s h e r
e n c r y p t e d d e c k , c a n answer, in p o l y n o m i a l
time, a l - b i t q u e s t i o n Q a b o u t a single c a r d in
B's d e c k with i% a d v a n t a g e , t h e n he c a n d e c i d e
quadratic residuosity modulo a random composite N with p r o b a b i l i t y i, b y m e a n s of a
polynomial(IN0 t i m e p r o b a b i l i s t i c a l g o r i t h m .
Proof: S u p p o s e A c a n a n s w e r a l - b i t q u e s t i o n Q
about
card
i,
to
which
composite
N¢
c o r r e s p o n d s . A's ability to a n s w e r Q with a i%
a d v a n t a g e c a n be viewed as a d e c i s i o n f u n c t i o n
d : S 6 - , 0 , 1 (S 6 = all 6-1ong s e q u e n c e s of elem e n t s f r o m AN, ). Since A a n s w e r s Q c o r r e c t l y
51 t i m e s o u t of a I00, we c a n efficiently find two
6-signatures
u
and
v
such
that
IPd(u) --Pd(v)l -->1/100. Thus we can apply
theorem 8 and decide quadratic residuosity
m o d u l o N~ in p o l y n o m i a l time. C o n t r a d i c t i o n !
f r o m h e r side has no i n f o r m a t i o n as to which
c a r d A s e l e c t e d . Later, B c a n verify w h a t he
flipped to A, a n d h e n c e verify t h a t B h a s only
f o u n d out the f a c t o r i z a t i o n of a single c a r d .
STEP 6: At this p o i n t A knows t h e f a c t o r i z a t i o n
of N K. To r e c o n s t r u c t t h e a c t u a l c a r d CK, A
applies t h e p o l y n o m i a l t i m e t e s t of L a m i n a 2 t o
the
encrypted
representation
of
CK,
(ql . . . . . q6). Next, A m u s t d e l e t e CK f r o m his
e n c r y p t e d deck. B c a n see which e n c r y p t e d
e l e m e n t in A's d e c k is being e r a s e d , b u t this
does n o t e n a b l e h e r to d e c r y p t it.
STEP 7[A d e a l s a c a r d to B]: Clearly, t h e s a m e
p r o c e d u r e as in S t e p 5 a n d 6 is done with t h e
roles of A a n d B r e v e r s e d . Now B will d i s c o v e r
t h e f a c t o r i z a t i o n of one of M 1.... M52.
STEP 8: If any m o r e c a r d s n e e d t o b e d e a l t
t h r o u g h o u t t h e g a m e , a similar p r o t o c o l t a k e s
place. W h e n e v e r A n e e d s a c a r d , he will p i c k a
c a r d f r o m B's d e c k , b y following t h e p r o c e d u r e
in s t e p 5 a n d 6. And similarly w h e n e v e r B
n e e d s a c a r d , she will pick it f r o m A's d e c k .
STEP 9 [ a f t e r g a m e verification]: After the
g a m e is over, A c a n p r o v e to B t h a t e v e r y t h i n g
he c l a i m s she flipped him, was i n d e e d flipped by
h e r a n d in w h a t o r d e r . B c a n do t h e s a m e . A
r e l e a s e s t h e f a c t o r i z a t i o n of e a c h of t h e M, for
all 1-< i - < 52, and B r e l e a s e s t h e f a c t o r i z a t i o n
of e a c h of t h e N¢ for all 1 ~ _ i ~ 5 2 .
They c a n
b o t h p r o v e to e a c h o t h e r w h a t e v e r c l a i m t h e y
m a d e in the g a m e s u c h as "N is a p r o d u c t of
two p r i m e s " , "all c a r d s w h e r e p r e s e n t at t h e
d e c k at all t i m e s " , " t h e s e are t h e q u a d r a t i c
r e s i d u e s you flipped to me", or "I won".
5.3.3 I m p l e m e n t a t i o n Details
In o r d e r to p e r f o r m t h e p r o t o c o l we m u s t
be able to do the following:
1. G e n e r a t e l a r g e p r i m e n u m b e r s , This c a n be
done using Gary Miller's t e s t for p r i m a l i t y [ 11] .
2. Find s q u a r e r o o t s of x 2 triad N when t h e fact o r i z a t i o n of N is known. Use Adleman, M a n d e r s
and Millers p o l y n o m i a l t i m e a l g o r i t h m [ 2 ] for
finding s q u a r e roots.
5.3.2 Proof Of C o r r e c t n e s s :
Claim 1: all h a n d s a r e equally p r o b a b l e .
Proof: In s t e p 9, A and B verify t h a t b o t h
e n c r y p t e d d e c k s c o n t a i n e d all 52 c a r d s . In
step 5, A h i m s e l f c h o o s e s which e n c r y p t e d
value f r o m B's d e c k he wants, t h u s he is equally
likely to get any c a r d in the d e c k . Similar r e a soning holds for B.
Claim 2: no o v e r l a p p i n g or r e p e a t i n g hands.
Proof: When A is d e a l t a c a r d , he e r a s e s t h a t
c a r d f r o m his e n c r y p t e d deck. Thus B c a n
n e v e r be d e a l t t h e s a m e c a r d . A knows which
c a r d s he p i c k e d f r o m B's deck, and t h u s will
n e v e r pick the s a m e c a r d twice.
Claim 3: ]f p l a y e r A knows the f a c t o r i z a t i o n of
N~ he c a n r e c o n s t r u c t Ci in 0 ( I N ]a) t i m e .
Proof: We are given N t = .Pl P2, and (ql ..... q6)
s u c h t h a t for all j , qi e Z N and (qj/N~,) =1. To
r e c o n s t r u c t . Ct, we m u s t t e s t w h e t h e r qi is a
q u a d r a t i c r e s i d u e rood Nt for all j . That c a n be
done in O( IN I3) s t e p s by L a m i n a 2.
6. R e m a r k s a n d F u r t h e r I m p r o v e m e n t s
In this paper we showed that it is possible
to encrypt messages in such a way, that an
adversary,
given the cypherLext, cannot
extract information about the cleartext. This is
sufficient for protocols such as Mental Poker or
for encrypting one's private files. An adversary
can read these files but cannot understandthem.
W e also showed that Probabilistie Encryption can be used in a Public Key Environment.
However, in a Public Key Cryptosystem, getting
hold of the cyphertext and trying to understand it is the m o s t obvious attack to the secu-
376
[3]
He c o u l d t r y to b r e a k t h e s c h e m e b y i n t e r cepting some other user's messages and
changing them.
A d l e m a n , L., On Distinguishing Prime
Numbers
from
Composite
Numbers,
P r o c e e d i n g s of t h e 21st IEEE S y m p o s i u m on
the
Foundations
of C o m p u t e r
Science
(FOCS), S y r a c u s e , N.Y., 1980, 387-408.
[4]
Blum, M., Three Applications of The Oblivious Transfer, to a p p e a r , 1981.
Finally, he m a y t r y to b r e a k t h e s c h e m e b y
m a k i n g u s e of t h e d e c o d i n g e q u i p m e n t !
[5]
Blum, M., a n d Micali, S., How to Flip A Coin
Through the Telephone, to a p p e a r , 1982.
The Public Key C r y p t o s y s t e m p r e s e n t e d in t h i s
p a p e r is n o t s e c u r e a g a i n s t t h e s e p o s s i b l e
a t t a c k s . However, by forcing t h e u s e r s to follow a p a r t i c u l a r p r o t o c o l f o r e x c h a n g i n g m e s sages, we h a v e built a Public Key C r y p t o s y s t e m
which is p r o v a b l y s e c u r e a g a i n s t t h e a b o v e
m e n t i o n e d a t t a c k s . T h e s e r e s u l t s will a p p e a r in
a future paper.
[8]
Blum, M., Mental Poker, to a p p e a r , 1982.
[7]
B r a s s a r d , G., Relativized Cryptography,
P r o c e e d i n g s of t h e 20st IEEE S y m p o s i u m on
the
Foundations
of C o m p u t e r
Science
(FOCS) , S a n Juan, P u e r t o Rico, 1979, 383391.
r i t y of t h e s c h e m e .
* An a d v e r s a r y could, as a u s e r , t r y to b r e a k
the scheme by communicating.
*
[8]
Diffie, W., a n d M. E. H e l l m a n , New Direction
in Cryptography, IEEE Trans. on I n f o r m . Th.
IT-22, 6 (1976), 644-654.
[9]
C o l d w a s s e r S., and Micali S., A Bit by Bit
Secure Public Key Cryptosystem, M e m o r a n d u m NO. UCB/ERL M81/88, U n i v e r s i t y of
California, B e r k e l e y , D e c e m b e r 1981.
Acknowledgements
Our m o s t s i n c e r e t h a n k s go to R i c h a r d
Karp, who s u p e r v i s e d this r e s e a r c h , for his
contributions, encouragement
and great
p a t i e n c e , a n d to Manuel B l u m for a w o n d e r ful c o u r s e in N u m b e r Theory, m a n y i n s i g h t ful d i s c u s s i o n s a n d for having f o u n d a way to
r e d u c e t h e n u m b e r s of m e s s a g e s e x c h a n g e d
in t h e p r o t o c o l .
[10] Lipton, R., How to Cheat at Mental Poker,
P r o c e e d i n g of t h e AMS s h o r t c o u r s e on
C r y p t o l o g y , J a n u a r y 1981.
[11] Miller, G., R i e m a n n ' s Hypothesis and Tests
for Pr~mality, Ph.D. Thesis, U.C. B e r k e l e y ,
1975.
We a r e p a r t i c u l a r l y i n d e b t e d to F a i t h
Fich, Mike Luby, Jeff Shallit a n d Po Tong.
Without t h e i r g e n e r o u s h e l p this p a p e r
would h a v e n e v e r b e e n w r i t t e n .
Rabin, M., Digitalized Signatures and
Public-Key Functions As Intractable As Factorization,
MIT/LCS/TR-212,
Technical
Memo MIT, 1979.
[12]
Andrew Yao p o i n t e d out to us s o m e g e n e r a l difficulties arising with c o m m u t a t i v e
e n c r y p t i o n f u n c t i o n s . The c l a i m in s e c t i o n
3.4 was o b t a i n e d with Vijay Vazirani. We
thank t h e m both.
[13]
We a r e g r a t e f u l tb Ron Rivest and Mike
S i p s e r for a v e r y i n s p i r i n g discussion. It
i m p r o v e d this p a p e r a g r e a t deal.
Rivest, R., S h a m i r , A., A d l e m a n , L., A
Method f o r Obtaining Digital Signatures
and Public Key Cryptosystems, C o m m u n i c a t i o n s of t h e ACM, F e b r u a r y 1978.
[14]
S h a m i r , Rivest, a n d A d l e m a n ,
Poker, MIT T e c h n i c a l R e p o r t , 1978.
Mental
[15] S h a n k s , D., Solved and Unsolved Problems
"~n N u m b e r Theory, C h e l s e a P u b l i s h i n g Co.
(1978).
References
[1] A d l e m a n , L., Private Communication, 1981.
Added in proof:
[16] Chau.m, D. L., Untraceable EZec~o~,ic Mail,
Returvt Addresses, and Digital Pseudonymus,
Communications of the ACM, 24,2 (1981) 84-88.
[2] A d l e m a n , L., M a n d e r s K. a n d Miller G., On
Tc~cing Roots In Finite Fields, P r o c e e d i n g s
of t h e 18th Annual ]EEE S y m p o s i u m on
F o u n d a t i o n s of C o m p u t e r S c i e n c e (FOCS),
1977, 175-177.
377