t implementation [318]. It uses the RSA algorithm. Bob has a public key, e, a private key, d, and a public modulus, n. Alice wants Bob to sign message m blindly.

(1) Alice chooses a random value, k, between 1 and n. Then she blinds m by computing
$t = mk^e \bmod n$
(2) Bob signs t
$t^d = (mk^e)^d \bmod n$
(3) Alice unblinds $t^d$ by computing
$s = t^d/k \bmod n$
(4) And the result is
$s = m^d \bmod n$

This can easily be shown:
$t^d \equiv (mk^e)^d \equiv m^d k \pmod{n}$, so $t^d/k = m^d k/k \equiv m^d \pmod{n}$.

Chaum invented a family of more complicated blind signature algorithms in [320,324], called blind unanticipated signatures. These signatures are more complex in construction, but more flexible.

23.13 Oblivious Transfer
In this protocol by Michael Rabin [1286], Alice has a 50 percent chance of sending Bob two primes, p, and q. Alice will not know whether the transfer is successful. (See Section 5.5.) (This protocol can be used to send Bob any message with a 50 percent success rate if p and q reveal an RSA private key.)

(1) Alice sends Bob the product of the two primes: $n = pq$.
(2) Bob chooses a random x less than n, such that x is relatively prime to n. He sends Alice:
$a = x^2 \bmod n$
(3) Alice, knowing p and q, computes the four roots of a: $x$, $n - x$, $y$, and $n - y$. She chooses one of these roots at random and sends it to Bob.
(4) If Bob receives $y$ or $n - y$, he can compute the greatest common divisor of $x + y$ and n, which is either p or q. Then, of course, $n/p = q$.

If Bob receives $x$ or $n - x$, he can’t compute anything.

This protocol may have a weakness: It might be the case that Bob can compute a number a such that given the square root of a you can calculate a factor of n all the time.

23.14 Secure Multiparty Computation
This protocol is from [1373]. Alice knows the integer i; Bob knows the integer j. Alice and Bob together wish to know whether $i \le j$ or if $i > j$, but neither Alice nor Bob wish to reveal the integer each knows. This special case of secure multiparty computation (see Section 6.2) is sometimes known as Yao’s millionaire problem [1627]. For this example, assume that i and j range from 1 to 100. Bob has a public key and a pr...
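
Added example, not from the book: steps (1) to (4) of the Rabin oblivious transfer in Section 23.13, written in Python to show why exactly two of the four roots let Bob factor n. It assumes p and q are both congruent to 3 mod 4 so that a square root is a single exponentiation; the primes 1019 and 1031 and all function names are constructed for illustration.

```python
import math
import secrets

# Constructed toy primes, both 3 mod 4 (an assumption of this example).
P, Q = 1019, 1031

def four_roots(a, p, q):
    """Alice, step (3): the four square roots of a modulo n = p*q."""
    n = p * q
    # For a prime p = 3 (mod 4), a^((p+1)/4) is a square root of a mod p.
    rp = pow(a, (p + 1) // 4, p)
    rq = pow(a, (q + 1) // 4, q)
    # CRT coefficients: cp = (1 mod p, 0 mod q), cq = (0 mod p, 1 mod q).
    cp = q * pow(q, -1, p)
    cq = p * pow(p, -1, q)
    r1 = (rp * cp + rq * cq) % n   # (+rp, +rq)
    r2 = (rp * cp - rq * cq) % n   # (+rp, -rq)
    return sorted({r1, n - r1, r2, n - r2})

def bob_choose_x(n):
    """Bob, step (2): random x < n that is relatively prime to n."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if math.gcd(x, n) == 1:
            return x

def bob_factor(x, root, n):
    """Bob, step (4): gcd(x + root, n) is p or q only if root is y or n - y.
    If root is x or n - x the gcd is 1 or n, and Bob learns nothing (None)."""
    g = math.gcd(x + root, n)
    return g if 1 < g < n else None

def run_transfer(p, q):
    """One full run; returns the factor Bob learned, or None."""
    n = p * q                        # (1) Alice sends n
    x = bob_choose_x(n)
    a = pow(x, 2, n)                 # (2) Bob sends a = x^2 mod n
    sent = secrets.choice(four_roots(a, p, q))  # (3) Alice picks a root
    return bob_factor(x, sent, n)    # (4) Bob tries to factor

if __name__ == "__main__":
    wins = sum(run_transfer(P, Q) is not None for _ in range(2000))
    print(f"Bob factored n in {wins} of 2000 runs")
```

Alice cannot tell which outcome occurred because she never sees x; all four roots look alike to her.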
 Fall '10
 ALIULGER
 Cryptography
