incorrect, the result of the coin flip is tails. Alice announces the result of the coin flip.

Verification subprotocol:

(6) Alice reveals $x$ to Bob. Bob computes $h^x \bmod p$ and $t^x \bmod p$, to confirm that Alice has played fairly and to verify the result of the toss. He also checks that $x$ and $p - 1$ are relatively prime.

For Alice to cheat, she has to know two integers, $x$ and $x'$, such that $h^x \equiv t^{x'} \pmod{p}$. If she knew those values, she would be able to calculate:

$\log_t h = x'x^{-1} \bmod (p - 1)$ and $\log_t h = x^{-1}x' \bmod (p - 1)$

These are hard problems. Alice would be able to do this if she knew $\log_t h$, but Bob chooses $h$ and $t$ in step (2). Alice has no other recourse except to try to compute the discrete logarithm. Alice could also attempt to cheat by choosing an $x$ that is not relatively prime to $p - 1$, but Bob will detect that in step (6).

Bob can cheat if $h$ and $t$ are not primitive in GF($p$), but Alice can easily check that after step (2) because she knows the prime factorization of $p - 1$.

One nice thing about this protocol is that if Alice and Bob want to flip multiple coins, they can use the same values for $p$, $h$, and $t$. Alice just generates a new $x$, and the protocol continues from step (3).

Coin Flipping Using Blum Integers
Blum integers can be used in a coin-flipping protocol.

(1) Alice generates a Blum integer, $n$, a random $x$ relatively prime to $n$, $x_0 = x^2 \bmod n$, and $x_1 = x_0^2 \bmod n$. She sends $n$ and $x_1$ to Bob.

(2) Bob guesses whether $x_0$ is even or odd.

(3) Alice sends $x$ to Bob.

(4) Bob checks that $n$ is a Blum integer (Alice would have to give Bob the factors of $n$ and proofs of their primality, or execute some zero-knowledge protocol to convince him that $n$ is a Blum integer), and he verifies that $x_0 = x^2 \bmod n$ and $x_1 = x_0^2 \bmod n$. If all this checks out, Bob wins the flip if he guessed correctly.

It is crucial that $n$ be a Blum integer. Otherwise, Alice may be able to find an $x'_0$ such that ${x'_0}^2 \bmod n = x_0^2 \bmod n = x_1$, where $x'_0$ is also a quadratic residue. If $x_0$ were even and $x'_0$ were odd (or vice versa), Alice could...
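Steps (1) to (4) of the Blum-integer protocol as an added Python example (not part of the original text), including a brute-force count of the quadratic-residue square roots of $x_1$ that shows why Bob's Blum check matters. The function names are hypothetical, Bob's check assumes Alice hands over the factors, and the moduli 77 = 7 * 11 (Blum) and 65 = 5 * 13 (not Blum) are constructed toy values.

```python
import secrets
from math import gcd

def is_prime(m):
    """Trial division; enough for the small constructed demo primes."""
    return m >= 2 and all(m % d for d in range(2, int(m ** 0.5) + 1))

def is_blum(n, p, q):
    """Bob's step (4) check on n, using the factors Alice hands over."""
    return (p != q and p * q == n and p % 4 == 3 and q % 4 == 3
            and is_prime(p) and is_prime(q))

def alice_commit(p, q, x=None):
    """Step (1): returns (n, x, x0, x1); only n and x1 go to Bob."""
    n = p * q
    while x is None or gcd(x, n) != 1:   # draw until x is coprime to n
        x = secrets.randbelow(n - 1) + 1
    x0 = pow(x, 2, n)
    return n, x, x0, pow(x0, 2, n)

def bob_verify(n, p, q, x, x1, guess_even):
    """Steps (3)-(4): True if Bob wins; ValueError if Alice's opening fails."""
    if not is_blum(n, p, q):
        raise ValueError("n is not a Blum integer")
    x0 = pow(x, 2, n)
    if pow(x0, 2, n) != x1:
        raise ValueError("x does not open the committed x1")
    return (x0 % 2 == 0) == guess_even

def qr_roots(n, x1):
    """Brute force: square roots of x1 that are themselves quadratic residues."""
    qrs = {pow(a, 2, n) for a in range(1, n) if gcd(a, n) == 1}
    return sorted(r for r in qrs if pow(r, 2, n) == x1)

if __name__ == "__main__":
    n, x, x0, x1 = alice_commit(7, 11, x=3)             # constructed toy values
    print("Bob guesses odd, wins:", bob_verify(n, 7, 11, x, x1, guess_even=False))
    print("QR roots of x1 mod 77:", qr_roots(77, x1))   # a single candidate x0
    print("QR roots of 1 mod 65: ", qr_roots(65, 1))    # several, of mixed parity
```

With the Blum modulus the committed $x_1$ has exactly one quadratic-residue square root, so the parity of $x_0$ is fixed once $x_1$ is sent; with 65 the value $x_1 = 1$ has both even and odd quadratic-residue roots, which is the situation Bob's check in step (4) rules out.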
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.