This preview shows page 1. Sign up to view the full content.
Unformatted text preview: key attack; so is the system proposed as NIKSTAS [1542,1540,1541,993,375,1538]. Honestly, nothing proposed so far is both practical and secure. TABLE 5.1 Chaum’s Blind Signature Patents U.S. PATENT # 4,759,063 4,759,064 4,914,698 4,949,380 4,991,210 DATE 7/19/88 7/19/88 3/3/90 8/14/90 2/5/91 TITLE Blind Signature Systems [323] Blind Unanticipated Signature Systems [324] OneShow Blind Signature Systems [326] ReturnedValue Blind Signature Systems [328] Unpredictable Blind Signature Systems [331] 5.5 Oblivious Transfer
Cryptographer Bob is desperately trying to factor a 500bit number, n. He knows it’s the product of five 100bit numbers, but nothing more. (This is a problem. If he can’t recover the key he’ll have to work overtime and he’ll miss his weekly mental poker game with Alice.) What do you know? Here comes Alice now: “I happen to know one factor of the number,” she says, “and I’ll sell it to you for $100. That’s a dollar a bit.” To show she’s serious, she uses a bitcommitment scheme and commits to each bit individually. Bob is interested, but has only $50. Alice is unwilling to lower her price and offers to sell Bob half the bits for half the price. “It’ll save you a considerable amount of work,” she says. “But how do I know that your number is actually a factor of n? If you show me the number and let me verify that it is a factor, then I will agree to your terms,” says Bob. They are at an impasse. Alice cannot convince Bob that her number is a factor of n without revealing it, and Bob is unwilling to buy 50 bits of a number that could very well be worthless. This story, stolen from Joe Kilian [831], introduces the concept of oblivious transfer. Alice transmits a group of messages to Bob. Bob receives some subset of those messages, but Alice has no idea which ones he receives. This doesn’t completely solve the problem, however. After Bob has received a random half of the bits, Alice has to convince him that the bits she sent are part of a factor of n, using a zerokn...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details