Title: Introduction to Practical Cryptography
1Introduction to Practical Cryptography
- Forward Key Security
- Zero KnowledgeOblivious TransferMulti-Party
Computation
2Overview
- Intended as overview of specific areas
- Solutions/instances of some require background
not covered in this class
3Agenda
- Forward Key Security
- Zero Knowledge
- Oblivious Transfer
- Multi-party Computation
4Forward Secure Encryption Schemes
- Attacker learns key at time t
- Should not be able to decrypt anything from prior
to time t - Encryption algorithm add an input, time
- Esk(m) becomes Esk(m,t)
- Current key is a function of prior key
- kt F(sk,t) G(kt-1,t)
- Given sk, can compute entire sequence of kts
- c Ekt(m)
5Digital Signatures
- Alice has a secret key
- Everyone else has the corresponding public key
- Alice can sign message with her secret key
- Given a signature and a message, everyone can
verify correctness using Alices public key - Desirable property non-repudiation. If Alice
signed a contract, she cant deny it later.
6Digital Signature Schemes
- Three algorithms Key-Gen, Sign, Verify
- Key-Gen inputs security parameter (key size)
k output keys (PK, SK) - Sign inputs message M, secret key SK
output signature S - Verify inputs M, signature S, public key PK
output valid/invalid - Strong security notioneven given signatures on
messages of its choice,adversary cannot forge
signatures on new messages
7Problem with Signatures
- Cant tell when a signature was really generated
- Not even if you include current time into the
document doesnt say when it was signed - Therefore,
- signing key disclosed Þ all signatures worthless
- (even if produced before
disclosure) - Inconvenience your notarized document is no
longer valid - Repudiation Alice gets out of past contracts by
anonymously leaking her SK - Key revocation doesnt help it merely informs of
the leak
8Fixing the Problem
- Attempt 1 re-sign all the past messages with a
new key - Expensive
- What if the signer doesnt cooperate?
- Attempt 2 change keys frequently, erasing past
SK - Disclosure of current SK doesnt affect past SK
- However, changing PK is expensive, requires
certification - Attempt 3 Employ time stamping authority (third
party)
9Forward Security
- Idea change SK but not PK And97
- Divide the lifetime of PK into T time periods
- Each SKj is for a particular time period, erased
thereafter - If current SKj is compromised, signatures with
previous SKj-t remain secure - Note cant be done without assuming secure
erasure
10Definitions Key-Evolving Scheme BM99
- The usual three algorithms Key-Gen, Sign, Verify
- Key-Gen inputs security parameter (key size)
k total number T of time periods output (PK,
SK1) - Sign inputs message M, current secret key SKj
output signature S (time period j included) - Verify inputs M, time period j, signature S,
public key PK output valid/invalid
11Definitions Key-Evolving Scheme BM99
- The usual three algorithms Key-Gen, Sign, Verify
- Key-Gen inputs security parameter (key size)
k total number T of time periods output (PK,
SK1) - Sign inputs message M, current secret key SKj
output signature S (time period j included) - Verify inputs M, time period j, signature S,
public key PK output valid/invalid - A new algorithm Update
- Update input current secret key SKj
output new secret key SKj1
12Definitions Forward-Security BM99
- Given
- Signatures on messages and time periods of its
choice - The ability to break-in in any time period b
and get SKb - adversary cant forge a new signature for a time
period jltb
13 Simple Schemes Efficiency?
- Long Public and Long Private Keys
- T pairs (p1, s1), (p2,s2),. (pt, st)
- PK (p1,p2,.,pt)
- SK (s1,s2,..,st)
- Update erase si for period i
- Drawback public and private key linear in t
number of periods
14Anderson Long Secret Key Only
- T pairs as before and an additional pair (p,s)
- Sig(j)SIG( j pj) with key s, j 1,,t
certificate - Public key now p (only)
- Secret key (sj, Sig(j)) j1,..,t Still
linear - The public key p is like a CA key and a signature
will include the period, the certificate, the
message, signature on the message with periods
secret key
15Long Signatures Only
- Have (p,s)
- In period j get (pj,sj) and
- Let Cert(j) sig_sj-1 (j pj)
- A signature is the entire certificate chain
signature, it is of the form (j, sig_sj(m), p1,
Cert(1),pj, Cert(j)) - Think about it as a tree of degree one and height
t for t periods - (signer memory still linear in t)
16Binary Certification tree BM
- Now (s0,p0)
- Each element certifies two children left and
right - We have a tree of height log t (for t periods)
- At each point only a log branch of certificate is
used in the signature - Only leaves are used to sign
- Keys whose children are not going to be used in
future periods are erased. - We get O(log t) key sizes, signature size
17Concrete Scheme
- Use a scheme based on Fiat-Shamir variant
- Have the public key be a point x raised to 2t
- Have the initial private key at period zero be x
- Sign based on FS paradigm
- Update by squaring the current key
- The verifier is aware of the period so it knows
that currently the private key is raised to the
power 2t-1 (and the identification proofs are
adjusted accordingly).
18Replace keys Pseudorandomness
- Have future keys derived from a forward secure
pseudorandom generator - Pseudorandom generators which are forward secure
are easy replace the seed with an iteration of
the function. - Possibilities in practice
- Block cipher use previous output as next input
- Stream cipher previous output as next state
19Agenda
- Forward Key Security
- Zero Knowledge
- Oblivious Transfer
- Multi-party Computation
20Zero Knowledge
Bob
Alice
I know X
Prove it
X
Some exchange, but which does not provide X
- Interactive method for Alice to prove to Bob that
she has/knows x without revealing x to Bob. - Motivation authentication
- Alice wants to prove her identity to Bob via some
secret but doesn't want Bob to learn anything
about this secret - Login methods where password is not stored on
server (maybe hash of password is stored) - Alice (user/client) proves to Bob (server) that
she knows the password without giving Bob the
password
21Zero Knowledge
- Interactive method for Alice to prove to Bob that
she has/knows x without revealing x to Bob. - Zero-knowledge proof must satisfy three
properties - Statement is alice knows x
- Completeness if the statement is true, the
honest verifier (that is, one following the
protocol properly) will be convinced of this fact
by an honest prover. - Soundness if the statement is false, no cheating
prover can convince the honest verifier that it
is true, except with some small probability. - Zero-knowledge if the statement is true, no
cheating verifier learns anything other than this
fact. - Completeness and soundness needed for any
interactive proof
22Zero Knowledge
- Example use enforce honest behavior while
maintaining privacy - Force a user to prove that its behavior is
correct according to the protocol. - Used in secure multiparty computation
23Zero Knowledge
- Jean-Jacques Quisquater, et. al "How to Explain
Zero-Knowledge Protocols to Your Children - Peggy (prover) has uncovered the secret password
to open a magic door in a cave. The cave is
shaped like a circle, with the entrance in one
side and the magic door blocking the opposite
side. - Victor (verifier) will pay Peggy for the secret,
but not until he's sure that she really knows it.
Peggy says she'll tell him the secret, but not
until she receives the money. - Zero knowledge need a method by which Peggy
proves to Victor that she knows the word without
telling it to him - Solution
- Victor waits outside the cave, Peggy goes in.
Label the left and right paths from the entrance
A and B. She takes either A or B at random
(Victor does not know which) - Victor enters the cave and shouts the path (A or
B at random) on which she must return - Peggy returns along the path chosen by Victor,
opening the door if it was not the path on which
she had entered the cave - If Peggy did not know the word, there is a 50
chance she can return on the correct path repeat
the above many times, Peggys chance of
successfully returning becomes negligible - (assume chance of Peggy guessing the word is
negligible) - If Peggy returns correctly each time, this proves
she knows the word
door
A
B
enter
24Agenda
- Forward Key Security
- Zero Knowledge
- Oblivious Transfer
- Multi-party Computation
25Oblivious Transfer
Bob
Alice
0 or 1
m 1
- Alice transfers a secret bit m to Bob with
probability ½ such that - Bob knows whether or not he receives m
- Alice doesnt know if m transferred to Bob
26Oblivious Transfer Example Method
- Alice oblivious transfer to Bob
- Alice
- picks 2 random primes p,q, set n pq
- encrypt message m using n (such as with RSA)
- c resulting ciphertext
- sends n and c to Bob
- Bob
- picks a ? Zn at random
- sends w a2 mod n to Alice
- Alice
- computes square roots of w S x,-x,y,-y
- picks one of the four at random, s ? S and sends
to Bob (probability s a or a is ½) - Bob
- if s ? a, -a Bob can factor n and obtain m (and
will know he has m) - Wont walk through why see Rabin cryptosystem
- Bob obtains m with probability ½ and Alice
doesnt know result
27Oblivious Transfer Example Method
- Works if Bob selects a at random (doesnt cheat)
- Not known if Bob gains any advantage (can cheat)
if intentionally selects a specific a
28Oblivious Transfer Application
- Alice and Bob will each sign a contract only if
the other also signs it - Idea
- If names are of equal length, could sign a letter
at a time, alternating - But someone must go last and could abort not
complete last letter - Sign small fragment at a time bit, pixel
- Dont know who will be last
- If one stops, both are approximately at same
point - But one could send garbage in a fragment
- Oblivious transfer solves the problem
29Oblivious Transfer Application
- Alice and Bob will each sign a contract only if
the other also signs it - Idea
- If names are of equal length, could sign a letter
at a time, alternating - But someone must go last and could abort not
complete last letter - Sign small fragment at a time bit, pixel
- Dont know who will be last
- If one stops, both are approximately at same
point - But one could send garbage in a fragment
- Oblivious transfer solves the problem
30Oblivious Transfer Application
- Alice and Bob each
- create 2 signatures, pick 2 random keys and
encrypt each signature (such as with a block
cipher) - Alice
- LA Alice, this is my signature of the left
half of the contract - RA Alice, this is my signature of the right
half of the contract - Keys KLA, KRA
- CLA EKLA(LA), CRA EKRA(RA)
- Bob
- LB Bob, this is my signature of the left half
of the contract - RB Bob, this is my signature of the right half
of the contract - Keys KLB, KRB
- CLB EKLB(LB), CRB EKRB(RB)
- Contract is considered signed only if Alice and
Bob each have both halves of others signature
31Oblivious Transfer Application
- Alice sends one of KLA, KRA to Bob using
oblivious transfer - Bob sends one of KLB, KRB to Alice using
oblivious transfer - Alice and Bob exchange bits of both keys, one bit
at a time from each key, in order, until all bits
are sent. - If Alice sees a mistake in key bits received,
Alice aborts - Likewise if Bob sees a mistake
- Bob does not know if Alice has KBL or KBR, so he
cannot risk sending an incorrect value for either
key - Likewise for Alice
- Must exchange bits simultaneously otherwise,
last one could flip last bit
32Agenda
- Forward Key Security
- Zero Knowledge
- Oblivious Transfer
- Multi-party Computation
Some slides are modified from a presentation by
Juan Garay, Bell Labs
33Secure MPC
- A set of parties with private inputs wish to
compute some joint function of their inputs. - Parties wish to preserve some security
properties. E.g., privacy and correctness. - Example secure election protocol
- Security must be preserved in the face of
adversarial behavior by some of the participants
34Secure MPC
- Multi-party computation (MPC) Goldreich-Micali-Wi
gderson 87 - n parties P1, P2, , Pn each Pi holds a
private input xi - One public function f (x1,x2,,xn)
- All want to learn y f (x1,x2,,xn)
(Correctness) - Nobody wants to disclose his private input
(Privacy) - 2-party computation (2PC) Yao 82, Yao 86 n2
Studied for a long time. Focus has been security.
35Secure MPC
s3
Alice
s4
s2
s5
sn
s1
s
Alice has a secret key, s, (such as a key to a
system) Afraid she may lose s Want to give is to
someone, but dont trust anyone with entire
secret Share secret among n people s s1? s2 ?
s3 ? s4 ? s5 ? sn
36Secure MPC
s3
X
Alice
s4
s2
s5
sn
s1
s
- Suppose need more flexibility
- ith person loses si or is malicious
- n people
- Any subset of size t can recover s
- Any subset of size lt t cannot recover any
information about s
37Secure MPC
- Use polynomials
- Finite field F
- (such as some Zp for prime p)
- F(x) a0x0 a1x1 a2x2 atxt
- Coefficients a0, a1, a2 at ? F
- t1 terms (degree is t)
38Secure MPC
- Polynomials properties
- Interpolation given t1 distinct points,
(x1,y1), (x2,y2) (xt1,yt1) , can find a0, a1,
a2 , at - Secrecy if have only t (or fewer) distinct
points, cant determine anything about a0
39Secure MPC
- Coefficients
- Pick a1, a2 .. at at random
- set a0 s
- Each person is associated with a distinct point
- Person i assigned distinct xi
- Set si f(xi) (xi,si) is point for person i
40Secure MPC
- Polynomial construction requires honesty
- Entity choosing ais, xis is dishonest
- Collusion person 2 may give (x2,s2) to person
10 - Verifiable secret sharing
- Each person can verify piece received is a proper
piece - Allows for O(log n) colluders
- Based on factoring Chor, Goldwasser, Micali,
Awerbuch
41Instances of 2PC
- Authentication
- Parties 1 server, 1 client.
- Function if (server.passwd client.passwd),
then return succeed, else return fail. - On-line Bidding
- Parties 1 seller, 1 buyer.
- Function if (seller.price lt buyer.price), then
return (seller.price buyer.price)/2, else
return no transaction. - Intuition In NYSE, the trading price is between
the ask (selling) price and bid (buying) price.
42Instances of MPC
- Auctions
- Parties 1 auctioneer, (n-1) bidders.
- Function Many possibilities (e.g., Vickrey).
- Consider a secure auction (with secret bids)
- An adversary may wish to learn the bids of all
parties to prevent this, requires privacy - An adversary may wish to win with a lower bid
than the highest to prevent this, requires
correctness
sealed-bid, bidders submit written bids without
knowing the bid of the others. Highest bidder
wins, but pays second-highest bid. Intent
bidders bid true value.
43MPC Protocols
- Consider 2PC (MPC is similar). Two parties P0
and P1. - Encode function as a Boolean circuit of ANDs and
XORs - Bits on each wire are shared using XOR
- Per-gate evaluation
- (Shared) Inputs x x0 ? x1 , y y0
? y1 - XOR No interaction needed
- ( x ? y ) ( x0 ? y0 )
? ( x1 ? y1 ) - AND More complex (needs interaction)
- Each party reveals his shares
44MPC Elections
- m voters v1, v2, vm
- ith voter inputs xi
- Result function, f, of xis
- Required properties
- Only authorized voters can vote
- Each can only vote once
- Each vote is secret
- No vote can be duplicated by another voter
- Vote tally correctly computed
- Anyone can check the tally is correct
- Fault tolerate protocol works if some number of
bad parties - Cannot coerce a voter into revealing how he/she
voted (no vote-buying) - Meeting all requirements tricky, especially last
- In real life system, logistical problems main
issues as opposed to protocols
45MPC Digital Cash
- Required properties
- Prevent forgery
- Prevent or detect duplication
- Preserve customers anonymity
- Practical
- operationally feasible (ex. no large single
database of all issued digital cash)
46Digital Cash
- 3 protocols
- Withdrawal user can obtain a digital coin
- Payment user buys goods from vendor using
digital coin - Deposit vendor gives digital coin to bank to be
credited to the vendors account - Notation
- U user
- B Bank
- V vendor
- D digital coin of 100
- SKBx signature of B on x
47Digital Cash - Withdrawal
- U notifies B wants to withdraw D
- B gives D to U
- D SKBI am a 100 bill, 4527
- U checks signature
- accepts D if it is valid
- else rejects D
- Bank deducts D from Us account if U accepts D
48Digital Cash - Payment
- U pays V with D
- V checks signature
- accepts D if it is valid
- else rejects D
49Digital Cash - Deposit
- V gives D to B
- B checks signature
- accepts D if it is valid and credits Vs account
- else rejects D
50Digital Cash Do Properties Hold?
- Prevent forgery
- ok, infeasible under basic assumptions of
signature schemes - Prevent or detect duplication
- Very easy to duplicate coins, double spend
- Preserve customers anonymity
- No anonymity know U and where D was spent
51Digital Cash Fix Properties
- Blind signature
- U presents D to B
- B signs D without seeing its contents (i.e. cant
associate with U) - Analogy U covers check with carbon paper and
seals both inside an envelope. Bank signs outside
of envelop - But how does B know D is not fake?
52Digital Cash Fix Properties
- RSA Blind signature
- Have key pair (e,n) (d,n)
- U picks random r mod n
- U computes D D re mod n
- presents D to B
- B signs D s (D)d mod n ( Md (re)d Mdr
mod n ) - B deducts D from Us account
- U computes signature on M s Md mod n by
dividing s by r - Now anonymity no link between U and D
- But
- B can be tricked into signing fake D
- D can be duplicated and double spent
53Digital Cash Fix Properties
- One denomination or one public key per
denomination, feasible not many denominations - Probability method
- U makes up 100 Ds
- Blind signature on all 100 and gives all to B
- B signs one, requires U to unblind the rest
(reveal rs) - U has 1/100 chance of successfully cheating
- U spends 1 remaining D, anonymous
54Digital Cash Fix Properties
- Now have anonymity and no (or small) chance of
cheating - How to prevent double spending?
- B has database of all D, records Ds as they are
returned spent from V - not too practical large database, V must wait
for B to ok each D at time of purchase
55Digital Cash Fix Properties
- What if just detect double spending?
- Random identity string (RIS)
- Different for every payment of D
- Only U can create a valid RIS
- Two different RISs on same D allows B to
retrieve Us name - If B receives two identical Ds with different
RIS values, U cheated - If B receives two different Ds with same RIS
values, V cheated
56Digital Cash Fix Properties
- H hash
- U creates 100 Ds
- Di (Im a 100 bill, 4527i,yi,1yi,1,yi,2,
yi,2, yi,k,yi,k) - where
- yi,j H(xi,j) yi,j H(xi,j)
- xi,j and xi,j are randomly chosen but such that
xi,j ? xi,j Us name ? i,j
57Digital Cash Fix Properties
- Withdrawal
- U blinds each Di, get Di
- B has U unblind all but one Di and reveals
appropriate xi,j and xi,j - B checks for each
- yi,j H(xi,j) yi,j H(xi,j)
- xi,j ? xi,j Us name
- B signs remaining blind Di and gives to U
58Digital Cash Fix Properties
- Payment
- U gives Di to V
- V checks Bs signature on Di
- V creates a challenge random bit string b1,b2,
bk - If bj 0, U reveals xi,j , else reveals xi,j
- V checks yi,j H(xi,j) or yi,j H(xi,j) and
accepts if yes, else rejects - Probability in a different payment that same RIS
is produced is 2-k because V creates challenge at
random - Only U can produce valid RIS H is
computationally infeasible to invert - Two different RIS values on same DI leaks Us
name have xi,j and xi,j for some j (due two
different challenges)
59Digital Cash Fix Properties
- Deposit
- V gives Di, s, RIS to B
- B verifies signature, checks if already returned
- If already in database, B compares RIS values
- If different, U double spent
- If equal, V trying to deposit twice
60Other MPC Applications
- Database Query
- Alice has a string q Bob has a database of
strings - Alice wants to know whether there exists a string
ti in Bob's database that matches q (exact or
close) - Privacy
- Bob cannot know Alice's q or the response
- Alice cannot know the database contents except
for what can be known from the query result
61Other MPC Applications
- Profile Matching
- Alice has a database of known hacker's behaviors
- Bob has a hacker's behavior from a recent
break-in - How can Bob check if his hacker is in Alices
database while - Not disclosing the hacker's actual behavior to
Alice doing so that might disclose the
vulnerability in his system. - Not obtaining contents of Alices database it
contains confidential information.
62Other MPC Applications
- Companies want to cooperate in preventing
intrusions into their networks. - Need to share data patterns, but this is
sensitive information - Real data for IDS/security research
- None exists
- Outdated/now irrelevant MIT Lincoln Laboratory
IDS Evaluation Data Set 1998-2000
63Other MPC Applications
- In general, many database applications
- Simple queries
- Determining intersection
- Sharing of patterns without revealing actual
content
64Backup
65On-line Bidding Definition of Security
- Correctness
- seller.output buyer.output f (seller.price,
buyer.price) - Privacy The transcript carries no additional
information about seller.price and buyer.price.
66Privacy is a little tricky
- On-line Bidding Function
- if (seller.price lt buyer.price),
- then return (seller.price buyer.price)/2,
- else return no transaction.
- If seller.price buyer.price, then both parties
can learn each others private input. - If seller.price gt buyer.price, then both parties
should learn nothing more than this fact. - Privacy Each party should only learn whatever
can be inferred from the output (which can be a
lot sometimes).
67Fair Secure Multi-Party Computation (FMPC)
Parties P1, P2, , Pn (some corrupted), each
holding private input xi, wish to compute y
f(x1, x2,, xn) privately and correctly.
Security is about absolute information gain. At
the end of the protocol, each party learns y (and
anything inferable from y).
Fairness is about relative information gain. At
the end of the protocol, either all parties learn
y, or no party learns anything.
Important in MPC crucial in some
applications (e.g., two-party contract signing).
68Security vs. Fairness
- The problem of secure MPC/2PC is well-studied and
well-understood. - The problem of fair MPC/2PC less developed
- Security and fairness different concepts
- Fair without being secure
69Security ? Fairness
On-line Bidding Function if (seller.price lt
buyer.price), then return (seller.price
buyer.price)/2 else return no transaction.
E.g., in an unfair on-line bidding protocol, the
seller may learn the output (and thus
buyer.price) before the buyer learns
anything.
70Cheating with Unfair Protocols
- A cheating seller
- Initiate protocol with price x (originally
999,999). - Run until getting the output (buyer hasnt got
the output yet). - if (output no transaction), then abort
(e.g., announce network failure), set x ? x-1,
and repeat.
- A cheating seller can
- find out the buyers price (destroys privacy) and
- achieve maximum profit (destroys correctness)
- (the actual function computed is return
buyer.price) -
? The lack of fairness completely voids the
security!
71Fairness Positive Results
- n parties, t corrupted
- t ? n/3 possible with p2p channels
- computational GMW87
- information-theoretic BGW88, CCD88
- n/3 ? t ? n/2 possible with broadcast channel
- computational GMW87
- information-theoretic RB89
-
72Unfortunately
- Fairness is impossible with corrupted majority (t
? n/2)
Intuition (2 parties) Party sending the last
message may abort early.
- Consequently, many security definitions do
not consider fairness, - or only consider partial fairness BG90,
BL91, FGHHS02, GL02.
73Fairness After the Impossibility Result
We still need (some form of) fairness, so tweak
model/definition
- Optimistic approach (tweak the model) M97,
ASW98, CC00, - Adds a trusted party as an arbiter in case of
dispute. - Needs to be (constantly) available.
- Gradual Release approach (tweak the definition)
Blum83, D95, - BN00,
- No trusted party needed.
- Parties take turns releasing info
little-by-little. - Still somewhat unfair, but we can quantify and
control the - amount of unfairness.
74The Gradual Release Approach
- Reasonably studied
- Initial idea by Blum 83
- Subsequent work ,Damgard 95, Boneh-Naor 00,
Garay-Pomerance 03, Pinkas 03,
- Not quite well-understood
- Ad hoc security notions
- Limited general constructions (only 2PC)
- Few practical constructions
75Security and Fairness
- A typical gradual release protocol (e.g., BN00,
GP03, P03) consists of two phases - Computation phase Normal computation.
- Revealing phase Each Pi gradually reveals a
secret si then each Pi computes
the result y from s1, s2,, sn.
76 Observation on Existing MPC Protocols
Many (unfair) MPC protocols (e.g., GMW87,
CDN01, CLOS02) share the same structure Sharing
phase Parties share data among themselves
(simple sharing, or (n, t) threshold
sharing) Evaluation phase Gate-by-gate
evaluation (all intermediate data are
shared or blinded) Revealing phase Each
party reveal its secret share (all
parties learn the result from the shares)
77FCPFO Commit-Prove-Fair-Open
- Commit phase Every party Pi commits to a value
xi. - Prove phase Every party Pi proves a relation
about xi. - Open phase Open x1, x2,, xn simultaneously.
Simultaneous opening guarantees fairness
either all parties learn all the committed
values, or nobody learns anything.
Using FCPFO, the revealing phase becomes fair,
and so does the MPC protocol.
78 Time-lines Towards realizing FCPFO
accelerator 1
accelerator 2
accelerator k
- A time-line An array of numbers (head, ,
tail). - Time-line commitments
- TL-Commit(x) (head, tail x)
- Perfect binding.
- Hiding (2k steps to compute tail from head).
- Gradual opening Each accelerator cuts the
number of steps by half.
79A time-line, mathematically BN00,GJ02,GP03
accelerator 1
accelerator 2
g
g22k
g22k-1
g2(2k-12k-2)
- N safe Blum modulus,
- N pq, where p, q, (p-1)/2, (q-1)/2 are
all primes. - g a random element in ZN.
- head g, tail g22k
80A time-line, mathematically (contd)
accelerator 1
accelerator 2
g
g22k
g22k-1
g2(2k-12k-2)
g22i
Gi
- Can move forward m positions by doing m
squarings - Knowing ?(N), one can compute Gi efficiently,
for any i. - Hard to move backward, not knowing factorization
of N - inefficient to move forward (step-by-step) ?
point far away is unknown
81Fair exchange using time-lines
- START Alice has a, Bob has b.
- COMMIT
- Alice sends TL-Commit(a) to Bob,
- Bob sends TL-Commit(b) to Alice.
- OPEN Take turns to gradually open the
commitments.
Alice
Bob
82Fair exchange using time-lines (contd)
Alice
Bob
- ABORT If Bob aborts and force-opens in t steps,
Alice can do it as well in 2t steps.
83Realizing FCPFO using time-lines
- Setup A master time-line T ?N g Gj,
j1,,k? in CRS. - Commit Each party Pi
- Derives a time-line Ti ?N gi Gij?
- TL-commits to xi (gi Gik xi),
- Prove Standard ZK proof.
- Open In round m, each party Pi reveals Gim
with ZK proof - if any party aborts, enter panic mode.
- Panic mode Depends on current round
m - If (k-m) is large, then abort.
- (A does not have enough time to force-open.)
- If (k-m) is small, then force-open.
- (A has enough time to force-open as well.)
84Putting things together
Plug FCPFO into existing MPC protocols ? Fair
MPC protocols