Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C (cloth)
(Publisher: John Wiley & Sons, Inc.)
Author(s): Bruce Schneier
ISBN: 0471128457
Publication Date: 01/01/96

23.6 Computing with Encrypted Data

The Discrete Logarithm Problem

There is a large prime, p, and a generator, g. Alice has a particular value for x, and wants to know e, such that

g^e ≡ x (mod p)

This is a hard problem, and Alice lacks the computational power to compute the result. Bob has the power to solve the problem—he represents the government, or a large computing organization, or whatever. Here’s how Bob can do it without Alice revealing x [547,4]:

(1)  Alice chooses a random number, r, less than p.

(2)  Alice computes

x' = xg^r mod p

(3)  Alice asks Bob to solve

g^e' ≡ x' (mod p)

(5)  Bob computes e' and sends it to Alice.

(6)  Alice recovers e by computing

e = (e' - r) mod (p - 1)

Similar protocols for the quadratic residuosity problem and for the primitive root problem are in [3,4]. (See also Section 4.8.)

23.7 Fair Coin Flips

The following protocols allow Alice and Bob to flip a fair coin over a data network (see Section 4.9) [194]. This is an example of flipping a coin into a well (see Section 4.10). At first, only Bob knows the result of the coin toss and tells it to Alice. Later, Alice may check to make sure that Bob told her the correct outcome of the toss.

Coin Flipping Using Square Roots

Coin-flip subprotocol:

(1)  Alice chooses two large primes, p and q, and sends their product, n to Bob.

(2)  Bob chooses a random positive integer, r, such that r is less than n/2. Bob computes

z = r² mod n

and sends z to Alice.

(3)  Alice computes the four square roots of z (mod n). She can do this because she knows the factorization of n. Let’s call them +x, -x, +y, and -y. Call x' the smaller of these two numbers:

x mod n

-x mod n

Similarly, call y' the smaller of these two numbers:

y mod n

-y mod n

Note that r is equal either to x' or y'.

(4)  Alice guesses whether r = x' or r = y', and sends her guess to Bob.

(5)  If Alice’s guess is correct, the result of the coin flip is heads. If Alice’s guess is incorrect, the result of the coin flip is tails. Bob announces the result of the coin flip.

Verification subprotocol:

(6)  Alice sends p and q to Bob.

(7)  Bob computes x' and y' and sends them to Alice.

(8)  Alice calculates r.

Alice has no way of knowing r, so her guess is real. She only tells Bob one bit of her guess in step (4) to prevent Bob from getting both x' and y'. If Bob has both of those numbers, he can change r after step (4).

Coin Flipping Using Exponentiation Modulo p

Exponentiation modulo a prime number, p, is used as a one-way function in this protocol [1306]:

Coin-flip subprotocol:

(1)  Alice chooses a prime number, p, in such a way that the factorization of p - 1 is known and contains at least one large prime.

(2)  Bob selects two primitive elements, h and t, in GF(p). He sends them to Alice.

(3)  Alice checks that h and t are primitive and then chooses a random integer x, relatively prime to p - 1. She then computes one of the two values:

y = h^x mod p, or y = t^x mod p

She sends y to Bob.

(4)  Bob guesses whether Alice calculated y as afunction of h or t, and sends his guess to Alice.

(5)  If Bob’s guess is correct, the result of the coin flip is heads. If Bob’s guess is incorrect, the result of the coin flip is tails. Alice announces the result of the coin flip.

Verification subprotocol:

(6)  Alice reveals x to Bob. Bob computes h^x mod p and t^x mod p, to confirm that Alice has played fairly and to verify the result of the toss. He also checks that x and p - 1 are relatively prime.

For Alice to cheat, she has to know two integers, x and x', such that h^x ≡t^x' (mod p). If she knew those values,she would be able to calculate:

log_t h = x'x^-1 mod p - 1 and log_th = x^-1x' mod p - 1

These are hard problems.

Alice would be able to do this if she knew log_t h, but Bob chooses h and t in step (2). Alice has no other recourse except to try to compute the discrete logarithm. Alice could also attempt to cheat by choosing an x that is not relatively prime to p -1, but Bob will detect that in step (6).

Bob can cheat if h and t are not primitive in GF(p), but Alice can easily check that after step (2) because she knows the prime factorization of p -1.

One nice thing about this protocol is that if Alice and Bob want to flip multiple coins, they can use the same values for p, h, and t. Alice just generates a new x, and the protocol continues from step (3).

Coin Flipping Using Blum Integers

Blum integers can be used in a coin-flipping protocol.

(1)  Alice generates a Blum integer, n, a random x relatively prime to n, x₀ = x² mod n, and x₁ = x₀² mod n. She sends n and x₁ to Bob.

(2)  Bob guesses whether x₀ is even or odd.

(3)  Alice sends x to Bob.

(4)  Bob checks that n is a Blum integer (Alice would have to give Bob the factors of n and proofs of their primality, or execute some zero-knowledge protocol to convince him that n is a Blum integer), and he verifies that x₀ = x² mod n and x₁ = x₀² mod n. If all this checks out, Bob wins the flip if he guessed correctly.

It is crucial that n be a Blum integer. Otherwise, Alice may be able to find an x'₀ such that x'₀² mod n =x₀ ² mod n =x₁ , where x'₀ is also a quadratic residue. If x₀ were even and x'₀ were odd (or vice versa), Alice could freely cheat.

23.8 One-Way Accumulators

There is a simple one-way accumulator function [116] (see Section 4.12):

A(x_i, y) = x_i-1^y mod n