Lecture 13 Secret Sharing Schemes and Game. Secret sharing schemes are multi-party protocols related to key establishment. The original motivation for

Lecture 13 Secret Sharing Schemes and Game

Secret sharing schemes are multi-party protocols related to key establishment. The original motivation for secret sharing was the following. To safeguard cryptographic keys from loss, it is desirable to create backup copies. The greater the number of copies made, the greater the risk of security exposure; the smaller the number, the greater the risk that all are lost. Secret sharing schemes address this issue by allowing enhanced reliability without increased risk.

One of the major contributions of modern cryptography has been the development of advanced protocols. These protocols enable users to electronically solve many real world problems, play games, and accomplish all kinds of intriguing and very general distributed tasks. The goal of this lecture is to give a brief introduction to flipping coins and mental poker over the telephone.

Outline Scenarios for Secret Sharing

Secret Splitting Threshold Schemes Flipping Coins over the Telephone Poker over the Telephone

1 Scenarios for Secret Sharing 1.1 For Secret Splitting

Imagine that you’ve invented a new, extra gooey, extra sweet, cream filling or a burger sauce that is even more tasteless than your competitors’. This is important; you have to keep it secret. You could tell only your most trusted employees the exact mixture of ingredients, but what if one of them defects to the competition? There goes the secret, and before long every grease palace on the block will be making burgers with sauce as tasteless as yours.

This calls for secret splitting. There are ways to take a message and divide it up into pieces. Each piece by itself means nothing, but put them together and the message appears. If the message is the recipe and each employee has a piece, then only together can they make the sauce. If any employee resigns with his single piece of the recipe, his information is useless by itself.

However, it has a problem: If any of the pieces gets lost, so does the message. If one employee, who has a piece of the sauce recipe, goes to work for the competition and takes his piece with him, the rest of them are out of luck. He can’t reproduce the recipe, but neither can work together. His piece is as critical to the message as every other piece combined.

1.2 For Threshold Schemes You’re setting up a launch program for a

nuclear missile. You want to make sure that no single raving lunatic can initiate a launch. You want at least three out of five officers to be raving lunatics before you allow a launch. This is easy to solve. Make a mechanical launch controller. Give each of the five officers a key and require that at least three officers stick their keys in the proper slots before you’ll allow them to blow up whomever we're blowing up this week.

We can get even more complicated. Maybe the general and two colonels are authorized to launch the missile, but if the general is busy playing golf then five colonels are required to initiate a launch. Make the launch controller so that it requires five keys. Give the general three keys and the colonels one each. The general together with any two colonels can launch the missile; so can the five colonels. However, a general and one colonel cannot; neither can four colonels.

A more complicated sharing scheme, called a threshold scheme, can do all of this and more—mathematically. At its simplest level, you can take any message (a secret recipe, launch codes, your laundry list, etc.) and divide it into n pieces, called shares or shadows, such that any m of them can be used to reconstruct the message.

One can divide his secret sauce recipe among Alice, Bob, Carol, and Dave, such that any three of them can put their shadows together and reconstruct the message. If Carol is on vacation, Alice, Bob, and Dave can do it. If Bob gets run over by a bus, Alice, Carol, and Dave can do it. However, if Bob gets run over by a bus while Carol is on vacation, Alice and Dave can't reconstruct the message by themselves.

2 Secret Splitting2.1 Dual Control by Modular Addition

.recover

to modulo themsums which device, theinto estheir valu

enter separately then and ly.respective , and parties

two to) (mod and values thegives and 1,

1number random a generates party A trusted used. be

may scheme following thenumber, thisknows party) trusteda

n (other tha individual singleany that eundesirabl isit reasons,

loperationafor but key), seed a (e.g., device a into entered be

must ,integer somefor 1 0 ,number secret a If

11

1

S

m

BABA

mSSSm

ST

mmSS

2.1 Dual Control by Modular Addition (Continued)

it. trigger torequired are people two-control

dualunder be tosaid is requiringaction Any

people. obetween twsplit is secret theof knowledge

-scheme knowledge-split a of examplean is This )2(

1. and 0between number random a is possesses

each value thesince ,about n informatioany has one

neither then collude, not to trustedare and If (1)

S

S

m

S

BA

Comment.

2.2 Unanimous Consent Control by Modular Addition

). (mod

as recovered issecret The ). (mod

given is while,given are through Parties

1. 1 1, 0 , numbers randomt independen

1 generates :follows as ,recover order toin required

are whomof all users, among divided bemay secret the

thatso dgeneralizeeasily is above scheme control dual The

1

11

11

mS

SmSSS

PSPP

timSS

tTS

t S

iti

itit

tit

ii

2.2 Unanimous Consent Control by Modular Addition (Continued)

necessary. are trials2 piece,bit -56 agiven

isparty each if while trials,2only requiresparty oneby search

exhaustive key, theof bits 28given each are parties twoif 2,

and 56 for example,For each. bits / of pieces intokey bit -

an ngpartitionihan security tgreater provides This length.-full be

should scheme controlsplit ain componentskey individual The )2(

.loglength -bit fixed of and

valuesdata using OR,-exclusiveby replaced bemay operations

modulo above, scheme control dual in the and hereBoth (1)

56

28

2

t

rtrtr

mSS

m

i

Comment.

3 Threshold Schemes

pieces. no

knowingover opponent an tosense) theoretic-ninformatio the

in r, whatsoeveabout n informatio (no advantage no provide

sharesfewer or 1only knowingin which scheme threshold

a is scheme resholdperfect thA not.may sharesfewer or 1

only knowing groupany but ,recover easily may sharestheir

pool whousers moreor any : trueis following thesuch that

,user to sdistributesecurely and ,secret initialan from

1 , sharessecret computesparty trustedaby which

method a is )( scheme threshold) ,(

S

t

t

S

t

PSS

niS

ntntA

ii

i

1 Definition

itself.key the toaccess haven rather tha triggered,

isaction an that seeonly need tsparticipan and control, shared

is objective the wheresystemsfor eappropriat is This device.

combining trusteda usingby done bemay as secret, recovered

theof value theaccessing from s themselvemembers group

prevent tois method One users.other of shares thededucing

from tsparticipanprevent tonecessary are controls security,

decreased without reused be tois scheme thresholda If )2(

scheme. threshold

) ,( a is scheme controlconsent unanimous thewhilescheme,

threshold2) (2, a of examplean is scheme control dual The (1)

tt

Comment.

3.1 Shamir’s Threshold Scheme

. )(

, modulo polynomial random thedefining 1,0

, , , tscoefficient independen random, 1 selects (1.2)

. defines and ), ,(max prime a chooses (1.1)

users. among distribute toit wishes

0integer secret a with begins party trustedThe . (1)

.recover

can shares their pool which users of groupany :RESULT

users. to

secret a of shares sdistributeparty trusteda :SUMMARY

scheme threshold) ,( sShamir'

1

0

11

0

t

j

jj

j

t

xaxf

ppa

aatT

SanSpT

n

STSetup

S

t

nS

nt

1 Mechanism

3.1 Shamir’s Threshold Scheme (Continued)

. (0) notingby recovered is

secret The ion.interpolat Lagrangeby )( of 1 1

, tscoefficien theofn computatio allowing ) ,(

) ,( pointsdistinct provide sharesTheir shares.their

pool users moreor of groupAny shares. of Pooling (2)

.index public with along ,user to share

theransferssecurely t and 1), 1 , pointsdistinct

any for (or 1 ,) (mod )( computes (1.3)

)(Continued scheme threshold) ,( sShamir'

0 Saf

xftj

aSi

yxt

t

iPS

piin

nipifST

nt

ji

ii

i

1 Mechanism


. where,

:as expressed bemay secret shared the, (0) Since

.)(

:formulaion interpolat Lagrange the

by given are , 1 ), ,( pointsby defined , thanless

degree of )( polynomialunknown an of tscoefficien The

ion.interpolat LagrangeAbout

11

0

11

ijtj ji

ji

t

iii

ijtj ji

jt

ii

ii

xx

xcycS

Saf

xx

xxyxf

tiyx t

xf


computed.

-pre bemay users , of group fixed afor that

meansIt constants.secret -non are theSince (2)

. shares ofn combinatio

linear a as computemay member groupEach (1)

Explain.

t

c

yt

S

i

i


.147)1039110787 (8, 28)9734416803 (7,

73)8521360505 (6, 82)6751938978 (5, 55)4426152222 (4,

92)1544000236 (3, 326)1045116192 (2, 91)6456279478 (1,

:personeach toone pairs, following thedistribute weTherefore,

8. ,2, 1, where), ,( pairs peopleeight thegive now We

.6651206749628394829430288201905031805)(

work withsLet' . )( polynomial theform

and moduluo and numbers random Choose .67890113

12345 prime a Choose .201905031805number theis

secret theSuppose scheme. threshold-8) (3, aconstruct sLet'

2

221

21

iSi

xxxf

xaxaSxf

pa a

pS

i

1 Example


secret. the

is which ,201905031805 ermconstant t theisabout care they All

.6651206749628394829430288201905031805

obtain

to moduluo reduce and ,807407407340by 1/5 replace they So,

).(mod18074074073405

But,

.)5/7931095476582(42719861927514728/52070560214

:points heir three through tpasses polynomial following that the

calculate they ,polynomialion interpolat Lagrange Usingsecret.

thedetermine toecollaborat want to7 and 3, 2, persons Suppose

)(Continued

2

2

xx

p

p

xx

1 Example


).6651206749628

,394829430288 ,201905031805() , ,( yields This

),1131234567890(mod

289734416803

921544000236

3261045116192

4971

931

421

:following thesolve toneed they would

instead,approach systemlinear thechose 7 and

3, 2, persons If secret. obtain the and polynomial

t thereconstruc could people any three Similarly,

)(Continued

21

2

1

aaS

a

a

S

1 Example


users. existing of shares affecting

without ddistribute and computed bemay users)

new(for shares New users. newfor Extendable (3)

secret. theof size theis share one of size The Ideal. (2)

probable.equally remain

secret shared theof 1 0 valuesall shares,

fewer or 1any of knowledgeGiven Perfect. (1)

scheme. thresholdsShamir' of Properties

pS

t


problems). theoretic-number of difficulty

about the (e.g., sassumptionunproven any on

rely not doessecurity itsschemes, hiccryptograp

many Unlikes.assumptionunproven No (5)

structure. access the

changing o without tindividualupon that control

more bestows shares multipleuser with single a

Providing possible. control of levels Varying (4)

3.2 Vector Scheme

point. thedeterminesexactly

shyperplane theof any ofon intersecti The point.

theincludes that hyperplane ldimensiona-1)(an

ofequation theis shadowEach space. ldimensiona

-in point a as defined is message The space.

in points using scheme a inventedBlakley George

t

t

t

3.2 Vector Scheme (Continued)

share. theas user each

to hyperplane theransferssecurely t and

,)(mod setting , 1 , modulo

, , tscoefficient independen random, 1 chooses (1.2)

. modulo space ldimensiona-in )

, ,, ,(point a defines and modulorandomly

, ,, chooses . prime a chooses (1.1)

users. among distribute toit wishes

integer secret a with begins party trustedThe . (1)

.recover

can shares their pool which users of groupany :RESULT

users. to

secret a of shares sdistributeparty trusteda :SUMMARY

scheme threshold) ,( sBlakley'

2

01

2

012

0

1

210

1210

0

i

it

j jijt

t

j jijt

iit

i

t

t

P

yxax

psasynipa

atT

pts

sssQp

sssTspT

ns

STSetup

S

t

nS

nt

2 Mechanism


.

notingby recovered issecret The. modulo inverted becan matrix

the, modulo nonzero ismatrix thisoft determinan theas long As

).(mod

1

1

1

equationmatrix theyieldThey . 1 , users

example,For ). , ,, ,(point theofn computatio

allowing shyperplanedistinct provide sharesTheir shares.their

pool users moreor of groupAny shares. of Pooling (2)

0

2

1

1

1

0

10

21

20

11

10

1210

Ss

p

p

p

y

y

y

s

s

s

aa

aa

aa

tiPt

ssssQ

t

t

tt

tt

i

t


.491934 :E

161257 :D

186536 :C

102752 :B

68194 :A

:planes following

theE D, C, B, A, people five thegive weSuppose

73.Let scheme. threshold-5) (3, aconstruct sLet'

102

102

102

102

102

xxx

xxx

xxx

xxx

xxx

p

2 Example


.recover tocooperatecan

E D, C, B, A, of any three ,Similarity . 42 is

secret theso 57), 29, (42,) , ,( issolution The

).73(mod

18

10

68

16536

12752

1194

solve they secret, erecover th to wantsC B, A, If

)(Continued

0

210

2

1

0

S

xS

xxx

x

x

x

2 Example


).,( versus) , , ,( :methodShamir in the than those

person each by carried be n toinformatio more requiresIt (3)

.invertible always ismatrix that theso

, , tscoefficien choose to waysarrange tohard benot

It would .guaranteednot is is though th,invertible ismatrix

t thelikely tha very isit large, reasonably is as long As )2(

pieces. no knowing

over opponent an toadvantage some is there,coordinate

one than more ddistributebeen hassecret theIf secret. the

carry toused be should coordinate oneonly that Note (1)

20

2

0

yxyaa

a

a

p

iit

i

it

i

Comment.

3.3 Secret Sharing with Cheaters

Colonels Alice, Bob, and Carol are in a bunker deep below some isolated field. One day, they get a coded message from the president: “Launch the missiles. We’re going to eradicate the last vestiges of neural network research in the country.” Alice, Bob, and Carol reveal their shares, but Carol enters a random number. She’s actually a pacifist and doesn't want the missiles launched. Since Carol doesn't enter the correct share, the secret they recover is the wrong secret. The missiles stay in their silos. Even worse, no one knows why.

3.3 Secret Sharing with Cheaters (Continued)

). (i.e., incorrect""but 1}), ,1, {0, (i.e.,

legal"" is tedreconstruc secret the, and , ,

, , from that,meanst participanth thedeceiving

Here, .t participanth a deceive that , , ,

shares new fabricatecan , , , tsparticipan

1any that 0 y probabilit small aonly is There

1}. ,1, {0, secret theSuppose

1

21

121

121

SSsS

SSS

SSt

itSSS

iii

t

sS

tt

t

ii

ii

tiii

t

1 Property


).( where), ,( Let

1}. , 2, {1, from elementsdistinct of nspermutatio all

among fromrandomly anduniformly ) , , ,( Choose (3)

. )( , modulo polynomial

random thedefining 1,0 , , , tscoefficien

t independen random, 1select and Define (2)

). , 1)/1)( max(( primeany Choose (1)

0.>any for , than less is cheating undetected ofy probabilit

that theso scheme sShamir'modify :SUMMARY

scheme threshold) ,( sShamir' Modified

21

1

0

11

0

iiiii

n

t

j

jj

jt

xqddxS

pn

xxx

xaxqp

paaa

tSa

nttsp

nt

3 Mechanism


. and )( )( ifonly

secret incorrect t thereconstruc willt Participan

points. 1most at in )(intersect can )(

polynomial asuch , If above. points fabricated

theand ) (0,point he through tpassing 1most at

degree of )( polynomialdistinct a defines }1

, 1, {0, 'secret possibleEach .t participan

tosend to), ,( ,), ,( ), ,( values

fabricate , , , tsparticipan Suppose Proof.

112211

121

SSxqxq

Si

txqxq

SS

St

xqs

Si

dxdxdx

iii

tt

tt

iiS

t

S

S

t

iiiiii

t


.))/(1()1(most at is t participan

deceiving ofy probabilit theThus ).)/(1(

most at y probabilit with t participan deceive

wouldspolynomial theseof oneAny s.polynomial

ingcorrespond 1 yield valuesfabricated theso secrets,

incorrect but legal 1 are There ).)/(1(

mostat is )( )(y that probabilit the

with )( polynomialeach for Thus

}. ,, ,{- } 1 , 2, {1, ofelement

random a is that Recall ).(Continued Proof

121

tptsi

tpt

i

s

stpt

xqxq

SSxq

xxxp

x

t

t

iiS

iS

iii

i

tt

t

t

t

4 Flipping Coins over the Telephone 4.1 Scenario A friend, not realizing that Alice and Bob are

no longer together, leaves them a car in his will. How do they decide who gets the car? Bob phones Alice and says he’ll flip a coin. Alice chooses “tails” but Bob says “sorry, it was heads.” So Bob gets the car. For some reason, Alice suspects Bob might not have been honest. She resolves that the next time this happens, she'll use a different method.

4.2 A Problem Solution

Here is a thought. Alice picks a random bit b1 and sends it to Bob, and Bob picks a random bit b2 and sends it to Alice, and the value of the coin is b1 b2. The problem is who goes first. If Alice goes first, Bob will choose b2 to make the coin whatever he wants. Not fair.

4.3 Requirements for Fair Flipping Coin

(1) Bob must flip the coin before Alice guesses.

(2) Bob must not be able to re-flip the coin after hearing Alice’s guess.

(3) Alice must not be able to know how the coin landed before making her guess.

4.4 Flipping Coin Using Square Roots

wins.Bob

), (mod If wins.she that Alice tellsBob), (mod If (4)

Bob. to

it sends and ,say random,at one chooses She . modulo of ,

roots squarefour thefind to and of knowledgeher uses Alice (3)

Alice. tosendsbut secret keeps He

).(mod computes and integer random a chooses Bob (2)

Bob.

toproduct thesendsbut secret themkeeps She 4. mod 3 to

congruentboth ,and primes random large twochooses Alice (1)

session.coin flippingeach achieve tosteps following thePerform

coin. flippingin guess the winsBobor Alice :RESULT

channel. public

aover messages 4 exchange Bob and Alice users :SUMMARY

roots square using protocolcoin Flipping

2

nxbnxb

bnyba

qp

yx

nxyx

q pn

qp

1 Protocol

Alice Bob

qpn

y

b

)( winsBobor

)( winsAlice

xb

xb

n

2xy

yba 22

4.4 Flipping Coin Using Square Roots (Continued)


. ofion factorizat for the Bob askingby

cheatt didn' Bob check thatcan Alice So case. in this and

produce toable benot should he Therefore, .number

thehimsent Alice when had hen than informatio more

no has Bob , Bob sends Alice If sends. Alice valuethe

minusor plusnot is of valuehis when be would and

factors theproduce could Bobonly way the,factor to

infeasiblenally computatio isit if Therefore, . offactor

nontrivial a gives ),gcd( ,particularin .factor

can he so ), (mod of roots squarefour all knows

Bob then ), (mod and Bob to sends Alice If

Explain.

n

q

pn

x

xqp

n

n

nbxn

ny

naxb


). (mod2623334103

93785035or 6186768891012103737 yield toways

fourin together theseputs theoremremainder Chinese The

).(mod 325656728 and ) (mod 1701899961that

knows she e,).Therefor (mod 325656728 and

)(mod1701899961 computes Alice Alice. to

sends hewhich ), od55491705(m3632786010

computes and 3730950481414213562 takesBob

Bob. to9917719372426317299 sends She

.1190494759 and 2038074743 chooses Alice

1)/4(

1)/4(

2

n

x

qxpx

qy

py

nxy

x

qpn

qp

q

p

3 Example


won.he that provecan he ,1190494759

)23334103,93785035265483562373090gcd(141421

computingBy victory.claims BobThen Bob. to

233341039378503526 sends Alice that instead Suppose

winner. theAlice declares Bob so ), (mod is This

Bob. to86768891012103761 sends Alice Suppose

)(Continued

n

nx

3 Example


is.not try th

should she, Therefore . offactor nontrivial a find toBob allow will

choices wrong three theofEach send. toAlicefor numbers of

choicesfour are sign there Up. of roots squareeight are there

But primes. threeofproduct a sendingby Bob deceive totries

Alice that is caseOther game. theof end at the ofion factorizat

for the Aliceask could Bob course, Of primes. twoofproduct a of

instend prime a sendingby Bob deceive to triesAlice Suppose (2)

. tocongruent is sends Alicenumber theof

square that thecheckingby isagainst th guardcan Bob . factoring

from Bobprevent surely would then this, ofroot square athan

rather number random a Bob sendingby cheat to triesAlice If (1)

concerns.Security

n

y

n

y

n

y


number.her of square thetocongruent iswhich

number, sBob' of square theis has shen informatio

only thesince thisdisputecannot Alice him.sent

Alice that valueeexactly th was of valuehis

claimcan then He lose. to wantshe decides Bob

Suppose procedure. in this flaw one is There (3)

Continued)concerns.(Security

x

5 Poker over the Telephone A protocol similar to the fair flipping coin

protocol allows Alice and Bob to play poker with each other over the telephone. Instead of Bob making two messages, one for “Heads” and one for “Tails”, he makes 52 numbers, c1, c2,..., c52, one for each card in the deck. How to make sure that no one has cheated?

5.1 Idea

Bob encrypts the cards c1, c2,..., c52 using his key and sends to Alice. Alice chooses five cards at random, encrypts them with her encrypted key, and then sends them back to Bob. Bob decrypts the cards and sends them back to Alice, who decrypts them to determine her hand. She then chooses five more cards at random and sends them back to Bob. Bob decrypts these and they become his hand.

5.1 Idea (Continued)

During the game, additional cards can be dealt to either player by repeating the procedure. At the end of the game, Alice and Bob both reveal their cards and key pairs so that each can be assured that the other did not cheat.

5.2 Poker Based on Discrete Logarithm Problem

Alice. to themsends and,521

for )(mod computes Bob .prearrange some via modulo

,, , numbersdistinct 52 tochanged are cards 52 The (2)

also.) handeach for used be could and , ,different (A

. )1( 1mod such that computes and 1,)1,gcd(

with interger secret a chooses Bob . )1( 1mod

such that computes and 1,)1,gcd( with interger secret

a chooses Alice . prime eappropriatan on agree Bob and Alice (1)

session.poker theachieve tosteps following thePerform

cards. fivedealt ispalyer each :RESULT

channel. public aover

messages 4 exchange Bob and Alice palyers :SUMMARY

problem logarithm discreteon based protocolPoker

5221

i

pcbp

ccc

p

pp

p

p

p

ii

2 Protocol

5.2 Poker Based on Discrete Logarithm Problem (Continued)

hand. his him gives This .51for )(mod

computes whoBob, back to themsends and , ,

, , numbers theof more five chooses then Alice (5)

hand.her Alice

gives This power. the toraises whoAlice, tothem

sends and ,power the tonumbers theseraises Bob (4)

Bob. tonumbers thesesends and ,51for )(mod

computes , , , , numbers five chooses Alice (3)

)(Continued problem

logarithm discreteon based protocolPoker

5

21

521

jpb

b

bb

jpb

bbb

j

j

k

k

kk

i

iii

2 Protocol

AliceBob

521for )(mod ipcb ii

51for jbjk

)(mod)) (( pbcjj ii

)(mod) ( pbjk

51for )(mod jpbji

51for )(mod) ( jpbji



). modulo are es(congruenc calculates now Bob

.200508901 computes Bob and 024062734

compute Alice 7654321.secret his chooses Bob and 1234567

secret her chooses Alice .2396271991 be prime Let the

10305.ace 11091407,king

,1721050514queen 10010311,jack 200514,ten:following

thehave weso,,02,01 using numbers tocards the

Change card. onedealt isplayer Each ace. king, queen, jack, ten,

:cards fiveonly are there wheregame simplified aconsider sLet'

p

p

ba

4 Example


). (mod17005360071230896099

:Alice back toit sends and power the to thisraises Bob

). (mod1230896099914012224

:Bob it to sends and ,power theit to raises-fourth theexample,for

-numbers theseof one choosingby cardher chooses now Alice

.74390103 ,914012224 ,2337996540 ,1112225809 ,1507298770

:Alice to themsends andnumber theseshuffles He

.111222580910305

233799654011091407

743901031721050514

150729877010010311

914012224200514

)(Continued

p

p

4 Example


ten. thewas

Alice sent to he card that theshow and computequickly can

Bob king. thehas she claim to triesAlice Suppose . and

secret their reveal then Bob and Alice cheating,prevent To

jack. theis card his Therefore,

. ) od10010311(m1507298770

computes Bob Bob. back toit sending and

1507298770 example,for -received she cards original the

of one choosingsimply by card sBob' chooses Alice Now

ten. the thereforeis cardHer

). (mod2005141700536007

:power the to thisraises now Alice

)(Continued

p

p

4 Example


residue.-non quadratic a is if ), (mod1

residue quadratic a is if ), (mod1

:residue-nonor residue quadratic a is)(mod0

number anot or whether decide oeasy way tan is There (2)

problems. logarithm discrete are

solve toneeds Alice that equations But these .)(mod

form theof equations solve toneed wouldAlice

means This . card dunencrypte fixed a toscorrespond

card encrypted which guess could She cards. sBob'

deduce toAlicefor difficult quite be toseemsIt (1)

concerns.Security

2

1

cp

cpc

pc

pb

c

c

b

p

i

j

i

i


example. following the theSee result. thisusing

Bobover advantagean gainsmay Alice cards. the

ofpower and the toapplies alsostatement

ingcorrespond The residue. quadratic a is ifonly and

if modulo residue quadratic a is that meansIt

).(mod

and , toencrypted

is cardA odd. are and e,1.Therefor)1

,gcd( and 1)1 ,gcd( needed that weRecall

)(Continued concerns.Security

2

1

2

1

2

1

c

pc

pccc

c

cp

p

ppp


residues. quadratic

are cards remaining theall whileresidue,-non a is ace only the so

,110305

111091407

11721050514

110010311

1200514

fact,In random.not

was prime of choice The example. simplified thereturn to sLet'

2

1

2

1

2

1

2

1

2

1

p

p

p

p

p

p

5 Example


. ace theis

cardher that finds she course, Of .power theit to raises whoAlice,

back toit sends and power theit to rasies He Bob. it to sendsthen

,power theit to raises She .1112225809 is ace heher that t tellsThis

.174390103

1914012224

12337996540

11112225809

11507298770

computes she hand,her choosing is AliceWhen

)(Continued

2

1

2

1

2

1

2

1

2

1

p

p

p

p

p

5 Example

Thank you!

Documents

Lecture 13 Secret Sharing Schemes and Game. Secret sharing schemes are multi-party protocols related to key establishment. The original motivation for