# Lec11 - Cryptographic Protocols Sheng Zhong 1 Outline Bit Commitment Secret Sharing Oblivious Transfer Secure Computation Definitions Completeness

This preview shows pages 1–11. Sign up to view the full content.

1 Cryptographic Protocols Sheng Zhong

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
2 Outline Bit Commitment Secret Sharing Oblivious Transfer Secure Computation Definitions Completeness Theorems
3 Bit Commitment (1) Suppose Alice and Bob want to flip a coin to decide something. However, they are not physically in the same place. How can they flip a coin over the phone? If Alice flips the coin, she might want to manipulate the result so that it is to her favor. If Bob flips the coin, he might do the same thing.

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
4 Bit Commitment (2) One possible solution is: Alice flips a coin and commits to it. Bob flips another coin and tells Alice his result. Alice reveals her own result and the final result= Alice’s result xor Bob’s result. But how can Alice commit to a bit?
5 Bit Commitment Scheme A bit commitment scheme allows Alice to compute a commitment of a bit, such that: Alice can reveal the value of this bit later. Alice cannot cheat (i. e., give a false value) when revealing the value of this bit. Bob cannot compute the value of this bit from the commitment.

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
6 Example: Bit Commitment based on Discrete Logarithm An example of bit commitment scheme: Let p be a large prime. Let g be a generator of Zp*. Commitment to 0: g x , where x is a uniform random number in [0, (p-1)/2). Commitment to 1: g x , where x is a uniform random number in [(p-1)/2, p-1). The scheme is secure under the assumption that discrete log is hard.
7 General Commitment More generally, we can commit to a bit string or an integer rather than to a single bit. Example Scheme (by Chaum): Let g and h be two generators mod large prime p, picked independently. Commitment to x: g x h r , where r is a random number.

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
8 Secret Sharing Suppose a company has a very important secret. Who should know this secret? If only the CEO knows it, then what if something unexpected happened to him? If a good number number of people (e.g., all directors) know it, then what if one of them were corrupted? A cryptographic solution to this problem is secret sharing.
9 Secret Sharing Scheme A secret sharing scheme allows a secret s to be shared among n parties with a threshold t, such that: Any group of t parties can easily recover s. Any group of <t corrupted parties cannot figure out s. The above scenario often needs to be established by a trusted third party or using a special method.

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
Shamir Secret Sharing The first secret sharing scheme was proposed by Adi Shamir. Choose a random degree-(t-1) polynomial f() with the constant term=s. – Choose n points x 1 , …, x n (≠0). – The ith party has share: f(x i ). To recover s only needs to interpolate the
This is the end of the preview. Sign up to access the rest of the document.

## This note was uploaded on 09/27/2010 for the course CSE 664 taught by Professor Shengzhong during the Spring '10 term at SUNY Buffalo.

### Page1 / 47

Lec11 - Cryptographic Protocols Sheng Zhong 1 Outline Bit Commitment Secret Sharing Oblivious Transfer Secure Computation Definitions Completeness

This preview shows document pages 1 - 11. Sign up to view the full document.

View Full Document
Ask a homework question - tutors are online