Lec11 - Cryptographic Protocols Sheng Zhong 1 Outline Bit Commitment Secret Sharing Oblivious Transfer Secure Computation Definitions Completeness

Info iconThis preview shows pages 1–11. Sign up to view the full content.

View Full Document Right Arrow Icon
1 Cryptographic Protocols Sheng Zhong
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
2 Outline Bit Commitment Secret Sharing Oblivious Transfer Secure Computation Definitions Completeness Theorems
Background image of page 2
3 Bit Commitment (1) Suppose Alice and Bob want to flip a coin to decide something. However, they are not physically in the same place. How can they flip a coin over the phone? If Alice flips the coin, she might want to manipulate the result so that it is to her favor. If Bob flips the coin, he might do the same thing.
Background image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
4 Bit Commitment (2) One possible solution is: Alice flips a coin and commits to it. Bob flips another coin and tells Alice his result. Alice reveals her own result and the final result= Alice’s result xor Bob’s result. But how can Alice commit to a bit?
Background image of page 4
5 Bit Commitment Scheme A bit commitment scheme allows Alice to compute a commitment of a bit, such that: Alice can reveal the value of this bit later. Alice cannot cheat (i. e., give a false value) when revealing the value of this bit. Bob cannot compute the value of this bit from the commitment.
Background image of page 5

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
6 Example: Bit Commitment based on Discrete Logarithm An example of bit commitment scheme: Let p be a large prime. Let g be a generator of Zp*. Commitment to 0: g x , where x is a uniform random number in [0, (p-1)/2). Commitment to 1: g x , where x is a uniform random number in [(p-1)/2, p-1). The scheme is secure under the assumption that discrete log is hard.
Background image of page 6
7 General Commitment More generally, we can commit to a bit string or an integer rather than to a single bit. Example Scheme (by Chaum): Let g and h be two generators mod large prime p, picked independently. Commitment to x: g x h r , where r is a random number.
Background image of page 7

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
8 Secret Sharing Suppose a company has a very important secret. Who should know this secret? If only the CEO knows it, then what if something unexpected happened to him? If a good number number of people (e.g., all directors) know it, then what if one of them were corrupted? A cryptographic solution to this problem is secret sharing.
Background image of page 8
9 Secret Sharing Scheme A secret sharing scheme allows a secret s to be shared among n parties with a threshold t, such that: Any group of t parties can easily recover s. Any group of <t corrupted parties cannot figure out s. The above scenario often needs to be established by a trusted third party or using a special method.
Background image of page 9

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Shamir Secret Sharing The first secret sharing scheme was proposed by Adi Shamir. Choose a random degree-(t-1) polynomial f() with the constant term=s. – Choose n points x 1 , …, x n (≠0). – The ith party has share: f(x i ). To recover s only needs to interpolate the
Background image of page 10
Image of page 11
This is the end of the preview. Sign up to access the rest of the document.

This note was uploaded on 09/27/2010 for the course CSE 664 taught by Professor Shengzhong during the Spring '10 term at SUNY Buffalo.

Page1 / 47

Lec11 - Cryptographic Protocols Sheng Zhong 1 Outline Bit Commitment Secret Sharing Oblivious Transfer Secure Computation Definitions Completeness

This preview shows document pages 1 - 11. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online