This preview shows pages 1–11. Sign up to view the full content.
1
Cryptographic Protocols
Sheng Zhong
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document 2
Outline
•
Bit Commitment
•
Secret Sharing
•
Oblivious Transfer
•
Secure Computation
–
Definitions
–
Completeness Theorems
3
Bit Commitment (1)
•
Suppose Alice and Bob want to flip a coin
to decide something.
–
However, they are not physically in the same
place.
–
How can they flip a coin over the phone?
–
If Alice flips the coin, she might want to
manipulate the result so that it is to her favor.
–
If Bob flips the coin, he might do the same
thing.
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document 4
Bit Commitment (2)
•
One possible solution is:
–
Alice flips a coin and commits to it.
–
Bob flips another coin and tells Alice his
result.
–
Alice reveals her own result and the final
result= Alice’s result xor Bob’s result.
•
But how can Alice commit to a bit?
5
Bit Commitment Scheme
•
A bit commitment scheme allows Alice to
compute a commitment of a bit, such that:
–
Alice can reveal the value of this bit later.
–
Alice cannot cheat (i. e., give a false value)
when revealing the value of this bit.
–
Bob cannot compute the value of this bit from
the commitment.
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document 6
Example: Bit Commitment based
on Discrete Logarithm
•
An example of bit commitment scheme:
–
Let p be a large prime.
–
Let g be a generator of Zp*.
–
Commitment to 0: g
x
, where x is a uniform
random number in [0, (p1)/2).
–
Commitment to 1: g
x
, where x is a uniform
random number in [(p1)/2, p1).
–
The scheme is secure under the assumption
that discrete log is hard.
7
General Commitment
•
More generally, we can commit to a bit
string or an integer rather than to a single
bit.
•
Example Scheme (by Chaum):
–
Let g and h be two generators mod large
prime p, picked independently.
–
Commitment to x: g
x
h
r
, where r is a random
number.
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document 8
Secret Sharing
•
Suppose a company has a very important
secret. Who should know this secret?
–
If only the CEO knows it, then what if
something unexpected happened to him?
–
If a good number number of people (e.g., all
directors) know it, then what if one of them
were corrupted?
–
A cryptographic solution to this problem is
secret sharing.
9
Secret Sharing Scheme
•
A secret sharing scheme allows a secret s
to be shared among n parties with a
threshold t, such that:
–
Any group of t parties can easily recover s.
–
Any group of <t corrupted parties cannot
figure out s.
•
The above scenario often needs to be
established by a trusted third party or
using a special method.
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Shamir Secret Sharing
•
The first secret sharing scheme was
proposed by Adi Shamir.
–
Choose a random degree(t1) polynomial f()
with the constant term=s.
– Choose n points x
1
, …, x
n
(≠0).
– The ith party has share: f(x
i
).
–
To recover s only needs to interpolate the
This is the end of the preview. Sign up
to
access the rest of the document.
This note was uploaded on 09/27/2010 for the course CSE 664 taught by Professor Shengzhong during the Spring '10 term at SUNY Buffalo.
 Spring '10
 SHENGZHONG
 Computer Security

Click to edit the document details