Bit Commitment, Fair Coin Flips, and One-Way Accumulators Matt Ashoff 11/9/2004 Cryptographic Protocols.


1 Bit Commitment, Fair Coin Flips, and One-Way Accumulators Matt Ashoff 11/9/2004 Cryptographic Protocols

2 Outline
- Bit Commitment
  - Definition
  - Properties
  - Applications
  - Implementations
- Fair Coin Flips
  - Definition
  - Implementations
- One-Way Accumulators
  - Definition
  - Example
  - Motivation
  - Applications
- References

3 Definition Bit Commitment
Goal is to ensure bit commitment.
Simplest example:
- Decide who goes first in a game
- If Bob guesses correctly, he goes
- Alice picks a bit (0 or 1) and locks it in a box
- Bob guesses a bit
- The box is opened to see if he is right
Two parts:
- Commitment
- Unveiling
Must ensure that:
- Alice cannot change her bit after Bob guesses
- Bob cannot know what Alice's bit is until she unveils it
Assume no trusted third party.

4 Properties Bit Commitment
Ideally, bit commitment has two interesting properties:
- It is unconditionally secure if implemented correctly
  - As opposed to computationally secure, which is a requirement for most algorithms
- It requires only a noisy channel
However, implementing the algorithm ideally is the key.

5 Applications Bit Commitment
- Zero-Knowledge Protocols
- Identification Schemes
- Multi-party Computation
- Fair Coin Flips
- Electronic Voting

6 Implementations Bit Commitment
Symmetric Cryptography
- Alice encrypts her bit with a random key
- Sends the ciphertext to Bob
- At a later time, she sends Bob the key
- He can then decrypt and verify the bit
Disadvantage:
- Alice may be able to generate another key so that the bit is changed once she knows the result.
Solution:
- Have Bob send her a random string to concatenate with her bit before she encrypts; this makes generating a key that changes the bit unlikely.
Disadvantage: Bob must send a random string.

7 Implementations (cont.) Bit Commitment
One-way hash functions
- Alice generates two random strings $R_1$, $R_2$
- Sends $h(R_1,R_2,b)$ and $R_1$ to Bob
- At a later time, Alice sends Bob $(R_1,R_2,b)$
- Bob checks $h(R_1,R_2,b)$ and $R_1$
Advantage: Bob sends nothing
Disadvantage: Alice must not be able to find collisions on the hash function such that:
- $h(R_1,R_2,b) = h(R_1,R_2',b')$
Note: Even more secure if Bob sends $R_1$
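The hash-based scheme on slide 7, as an added example that is not part of the original presentation. It assumes SHA-256 as h and a length-prefixed encoding of (R1, R2, b); the function names are illustrative.

```python
import hashlib
import hmac
import secrets

def _h(r1: bytes, r2: bytes, bit: int) -> bytes:
    # Assumption: SHA-256 plays the role of h. Each field is length-prefixed
    # so that (R1, R2, b) has exactly one encoding.
    digest = hashlib.sha256()
    for field in (r1, r2, bytes([bit])):
        digest.update(len(field).to_bytes(4, "big") + field)
    return digest.digest()

def commit(bit: int, nbytes: int = 32):
    """Alice: return (message sent to Bob now, opening kept until unveiling)."""
    if bit not in (0, 1):
        raise ValueError("bit must be 0 or 1")
    r1, r2 = secrets.token_bytes(nbytes), secrets.token_bytes(nbytes)
    return (_h(r1, r2, bit), r1), (r1, r2, bit)

def verify(message, opening) -> bool:
    """Bob: check the unveiled (R1, R2, b) against what he received earlier."""
    committed_hash, r1_sent = message
    r1, r2, bit = opening
    if bit not in (0, 1):
        return False
    # R1 must equal the copy sent at commit time, and the hash must match.
    return (hmac.compare_digest(r1, r1_sent)
            and hmac.compare_digest(_h(r1, r2, bit), committed_hash))

def demo():
    message, (r1, r2, bit) = commit(1)
    honest = verify(message, (r1, r2, bit))
    # Alice tries to unveil the other bit with the same strings ...
    flipped = verify(message, (r1, r2, 1 - bit))
    # ... or with a fresh R2; she would need a hash collision to succeed.
    fresh_r2 = verify(message, (r1, secrets.token_bytes(32), 1 - bit))
    return honest, flipped, fresh_r2

if __name__ == "__main__":
    print(demo())
```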

8 Implementations (cont.) Bit Commitment
Could also use random number generators, and many, many other protocols…
A "quantum" bit commitment scheme is supposedly computationally secure
- Although not proven to be so

9 Definition Fair Coin Flips
Goal is to flip a coin "over the phone".
Original protocol went like this:
- Alice flips a coin and tells Bob the result
- Bob then flips his own coin, XORs his result with Alice's, and this is the result
…but this only prevents Alice from cheating. Bob can still make up his coin flip.
Ideally, Alice and Bob would send their results simultaneously.
Note: If either party lies and just makes up heads or tails, the other party's result will "cancel it out"
- This allows for one distrustful party

10 Implementations Fair Coin Flips
- Alice flips her coin
- Alice generates a random key, encrypts "My coin toss returned [heads, tails]", and sends this to Bob
- Bob does exactly the same thing
- They then swap keys and decrypt
Note: If one receives the key before the other (and thus the other's flip), they will not be able to generate another key that will change their coin flip
Note: This is just bit commitment using symmetric encryption (e.g., Heads → 0, Tails → 1)

11 Implementations (cont.) Fair Coin Flips
Using a one-way hash function:
- Alice selects a random number $x$, computes $y = h(x)$, and sends $y$ to Bob
- Bob guesses if $x$ is heads (even) or tails (odd), sends guess to Alice
- If Bob is correct, he wins
- Alice announces the result of the flip and sends $x$ to Bob
- Bob verifies that $y = h(x)$
Notes:
- The output of $h(x)$ must have nothing to do with the parity of $x$.
- Alice must not be able to find an $x$ and $x'$ such that $x$ is odd and $x'$ is even, and $h(x) = h(x') = y$
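The message order of the hash-based coin flip on slide 11, as an added example that is not part of the original presentation. It assumes SHA-256 as h and a 256-bit x with a fixed-width encoding; the function names are illustrative.

```python
import hashlib
import secrets

X_BYTES = 32  # assumption: x is drawn from [0, 2^256)

def h(x: int) -> bytes:
    # Fixed-width encoding, so every x has exactly one byte representation.
    return hashlib.sha256(x.to_bytes(X_BYTES, "big")).digest()

def alice_commit():
    """Step 1: Alice picks a random x and sends only y = h(x) to Bob."""
    x = secrets.randbits(8 * X_BYTES)
    return x, h(x)

def bob_settle(y: bytes, guess: str, revealed_x: int) -> str:
    """Steps 4-5: Bob checks y = h(x) first, then reads the flip from x's parity."""
    if guess not in ("heads", "tails"):
        raise ValueError("guess must be 'heads' or 'tails'")
    if not 0 <= revealed_x < 2 ** (8 * X_BYTES) or h(revealed_x) != y:
        raise ValueError("revealed x does not match the committed y")
    flip = "heads" if revealed_x % 2 == 0 else "tails"
    return "bob" if guess == flip else "alice"

def demo():
    x, y = alice_commit()        # Alice -> Bob: y
    guess = "heads"              # Bob -> Alice: guess, sent before x is revealed
    winner = bob_settle(y, guess, x)
    expected = "bob" if x % 2 == 0 else "alice"
    try:
        # Alice reveals a value of the opposite parity after seeing the guess.
        bob_settle(y, guess, x ^ 1)
        cheat_caught = False
    except ValueError:
        cheat_caught = True
    return winner == expected, cheat_caught

if __name__ == "__main__":
    print(demo())
```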

12 Definition One-Way Accumulators
Given a one-way hash function with the property that:
- $h: A \times B \to C$ where $|A| \approx |B| \approx |C|$
- i.e., the size is not mapped down
Given the definition of a quasi-commutative function:
- $f(f(x,y_1),y_2) = f(f(x,y_2),y_1)$
A one-way accumulator is defined as:
- $h(h(x,y_1),y_2) = h(h(x,y_2),y_1)$
"A family of one-way accumulators is a family of one-way hash functions each of which is quasi-commutative."

13 Definition (cont.) One-Way Accumulators
For the one-way function to be secure, it must satisfy the property that:
- Given $x, y, y'$, it is hard to find an $x'$ such that $h(x,y) = h(x',y')$
It is not necessary for it to be hard to find an $(x',y')$ pair such that $h(x,y) = h(x',y')$

14 Example One-Way Accumulators
Most obvious example is modulo n math:
- Given $a_n(x,y) = (x \cdot y) \bmod n$
  - $a_n(a_n(x,y_1),y_2) = ((x \cdot y_1) \bmod n) \cdot y_2 \bmod n = (x \cdot y_1 \cdot y_2) \bmod n = ((x \cdot y_2) \bmod n) \cdot y_1 \bmod n = a_n(a_n(x,y_2),y_1)$
  - Easy to invert → Unsuitable
- Given $e_n(x,y) = x^y \bmod n$
  - $e_n(e_n(x,y_1),y_2) = (x^{y_1} \bmod n)^{y_2} \bmod n = x^{y_1 y_2} \bmod n = (x^{y_2} \bmod n)^{y_1} \bmod n = e_n(e_n(x,y_2),y_1)$
  - Hard to invert → Suitable (e.g., RSA)

15 Motivation One-Way Accumulators
The quasi-commutative property can be extended to m users:
- Start with an initial value $x$
- Set of values $\{y_1, y_2, \ldots, y_m\}$
- To compute $z$ such that:
  - $z = h(h(\ldots h(h(x,y_1),y_2),\ldots,y_{m-1}),y_m)$
Notice that $z$ is unchanged by the order of the $y_i$

16 App: Digital Signatures One-Way Accumulators
- All m parties choose their own $y_j$
- The total hash $z$ is computed given all of the $y_i$ and some initial value $x$
- Each party computes their own $z_j$ given every $y_i$ except their own $y_j$
- They can later authenticate themselves to any other party in the group by presenting $y_j$ and $z_j$, such that $z = h(z_j, y_j)$
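The accumulator from slides 14 to 16 worked through end to end, as an added example that is not part of the original presentation. The modulus, initial value and member values are constructed toy numbers and the function names are illustrative; a real modulus must be large and of unknown factorization.

```python
from functools import reduce

# Constructed toy parameters: two small primes, so n is trivially factorable.
N = 10007 * 10009
X0 = 3                 # agreed initial value x
MEMBERS = [5, 7, 11]   # constructed member values y_1..y_3

def e_n(x: int, y: int) -> int:
    """The slides' suitable candidate: e_n(x, y) = x^y mod n."""
    return pow(x, y, N)

def a_n(x: int, y: int) -> int:
    """The slides' unsuitable candidate: a_n(x, y) = (x*y) mod n."""
    return (x * y) % N

def accumulate(h, ys, x=X0) -> int:
    """z = h(...h(h(x, y_1), y_2)..., y_m)."""
    return reduce(h, ys, x)

def witness(h, ys, j: int) -> int:
    """z_j: accumulate every y_i except the party's own y_j."""
    return accumulate(h, ys[:j] + ys[j + 1:])

def verify(h, z: int, z_j: int, y_j: int) -> bool:
    """A party presenting (y_j, z_j) is accepted if z == h(z_j, y_j)."""
    return h(z_j, y_j) == z

def demo():
    z = accumulate(e_n, MEMBERS)
    order_free = z == accumulate(e_n, MEMBERS[::-1])
    member_ok = verify(e_n, z, witness(e_n, MEMBERS, 1), 7)
    # A value that was never accumulated does not verify under e_n.
    outsider_ok = verify(e_n, z, witness(e_n, MEMBERS, 1), 13)
    # Under a_n, a matching z_j for any y' is one modular inverse away,
    # which is what "easy to invert" costs.
    z_mul = accumulate(a_n, MEMBERS)
    forged_zj = (z_mul * pow(13, -1, N)) % N
    a_n_forgeable = verify(a_n, z_mul, forged_zj, 13)
    return order_free, member_ok, outsider_ok, a_n_forgeable

if __name__ == "__main__":
    print(demo())
```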

17 More Applications One-Way Accumulators
The digital signature application can easily be extended/modified to support:
- Time Stamping
- Membership Testing
- Etc.

18 References
- J. Benaloh, M. de Mare. One-Way Accumulators: A Decentralized Alternative to Digital Signatures. Advances in Cryptology, EUROCRYPT'93. LNCS, vol. 765, pp. 274-285, Springer-Verlag, 1994.
- M. Blum, "Coin flipping by telephone: a protocol for solving impossible problems", Proc. IEEE Computer Conference, pp. 133-137, 1982.
- J. Kilian. Uses of Randomness in Algorithms and Protocols, MIT Press, 1990.
- Nayak, Ashwin and Shor, Peter (2002). On bit-commitment based quantum coin flipping. Technical Report. California Institute of Technology.
- M. Naor, "Bit commitment using pseudo-randomness", J. Cryptology, vol. 2, no. 2, pp. 151-158, 1991.
- H.F. Chau, Hoi-Kwong Lo, "Making an Empty Promise with a Quantum Computer", Fortschr. Phys. 46 (1998) 4-5, 507-519.
- http://www.disappearing-inc.com/F/faircointoss.html
- http://www.cs.mcgill.ca/~crepeau/CRYPTO/BCDemo/BCbackground.html
- http://www.cs.rochester.edu/users/faculty/nelson/courses/cryptology/notes/lecture_16.txt

