Unformatted text preview: ect half, so half the time Alice could cheat. However, this only works if there is one key pair. If there were only two pairs, this sort of deception would succeed 25 percent of the time. That is why n should be large. Alice has to guess correctly the outcome of n oblivious transfer protocols; she has a 1 in 2n chance of doing this. If n = 10, Alice has a 1 in 1024 chance of deceiving Bob. Alice could also send Bob random bits in step (8). Perhaps Bob won’t know that she is sending him random bits until he receives the whole key and tries to decrypt the message halves. But again, Bob has probability on his side. He has already received half of the keys, and Alice does not know which half. If n is large enough, Alice is sure to send him a nonsense bit to a key he has already received and he will know immediately that she is trying to deceive him. Maybe Alice will just go along with step (8) until she has enough bits of the keys to mount a bruteforce attack and then stop transmitting bits. DES has a 56bitlong key. If she receives 40 of the 56 bits, she only has to try 216, or 65,536, keys in order to read the message—a task certainly within the realm of a computer’s capabilities. But Bob will have exactly the same number of bits of her keys (or, at worst, one bit less), so he can do the same thing. Alice has no real choice but to continue the protocol. The basic point is that Alice has to play fairly, because the odds of fooling Bob are just too small. At the end of the protocol, both parties have n signed message pairs, any one of which is sufficient for a valid signature. There is one way Alice can cheat; she can send Bob identical messages in Step (5). Bob can’t detect this until after the protocol is finished, but he can use a transcript of the protocol to convince a judge of Alice’s duplicity. There are two weaknesses with protocols of this type [138]. First, it’s a problem if one of the parties has significantly more computing power than the other. If, for example, Alice can mount a bruteforce attack faster than Bob can, then she can stop sending bits early in step (8),...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details