Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.

Presentation on theme: "Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of."— Presentation transcript:

Mental Poker The SRA Protocol

What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of randomness. We assume 2 players, 52 cards. Five cards are dealt then one round of betting then all cards shown.

Desired Characteristics Players have disjoint hands. Any player can have any possible hand. No player can discover another players hand. Any collusion has minimal effect.

The SRA protocol Invented by Shamir, Rivest and Adleman in 1979. Relies on a commutative encryption scheme ie E A (E B (M)) = E B (E A (M)) Two players Alice and Bob together choose a large prime number n, then Alice chooses her key A s.t. gcd(A,n-1) = 1 and Bob chooses B similarly.

SRA cont… Encode the 52 cards as integers. Encryption E A (M) = M A (mod n) Decryption D A (M) = M inv(A) (mod n) Bob permutes the cards to x 1,x 2,…,x 52 encrypts them then sends to Alice E B (x i ). Alice chooses 5 cards for herself, encrypts them and sends to Bob E A (E B (x i )). Also chooses 5 cards for Bob and sends them to him (without encrypting) E B (x i ).

SRA cont… Bob can now decrypt his cards to see his hand D B (E B (x i ) = x i. He also decrypts Alice’s cards then sends them back to her. Here is where we need commutativity so D B (E A (E B (x i ))) = E A (x i ) Alice receives her cards and decrypt them seeing her hand D A (E A (x i )) = x i.

Naive Analysis When Alice receives the shuffled, encrypted cards she cannot tell which is which so picks randomly ie cannot see Bob’s hand. When Bob receives Alice’s double encrypted hand he cannot read it even when he partially decrypts it. But is there information leaked by the encryption process? Yes! Quadratic Residues.

Quadratic Residues An integer a, not divisible by an odd prime p, is a quadratic residue modulo p if there is a b in {1,2,…,p-1} s.t. a = b 2 (mod p). Otherwise a is a quadratic nonresidue. So for p = 11, 1=1 2, 3=5 2, 4=2 2, 5=4 2, 9=3 2 are the quadratic residues and 2,6,7,8,10 are the quadratic nonresidues. This works in general. For a prime p there are (p-1)/2 of both residues and nonresidues.

Cheating at Mental Poker In 1981 R. Lipton showed for odd k, x k is a quadratic residue mod p iff x is a quadratic residue mod p. So the cards whose representations are quadratic residues are still quadratic residues when they are encrypted. This allows Alice to find the cards that are residues and nonresidues, for the particular p used, and then choose (on average) high cards for herself and low cards for Bob.

Dealing with cheating The easiest way to prevent the attack we have discussed is to only represent cards with quadratic residues. However other, more general attacks have been shown to be effective so SRA is not a good protocol. Other protocols for the Mental Poker problem have been considered with the most successful ones using probabilistic encryption and zero knowledge proof. Crepeau solved the problem in 1987 although his protocol is not computationally feasible. Research still goes on.

Download ppt "Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of."

Similar presentations