Flipping Coins over the Telephone: First Attempt Games & - PowerPoint PPT Presentation

Flipping Coins over the Telephone: First Attempt Games & Quadratic Residues Jim Royer ◮ Alice and Bob are on the phone trying to decide who pays for diner tonight. Introduction to Cryptography ◮ Alice proposed flipping a coin. October 16, 2018 ◮ Here is what happens Alice Asks Bob to call Heads or Tails. Bob Calls Heads. Alice Replies, “You loose!” ◮ Bob is not happy, with reason. ◮ How can we fix this? 1 / 19 2 / 19 Flipping Coins over the Phone: Why does this work? Flipping Coins over the Telephone (Blum 1981) Chooses p and q , distinct primes ≡ 3 ( mod 4 ) Alice The Coin Flipping Protocol Computes n = p · q p , q private ◮ If Alice looses, she asks Bob Sends n to Bob. Chooses p , q primes ≡ 3 ( mod 4 ) Alice to factor n . ran Computes n = p · q p , q private ∈ Z ∗ Bob Chooses x x private If Alice looses, Bob knows n Sends n to Bob. Computes y = x 2 ( mod n ) ± b and ± a . ran ∈ Z ∗ Bob Chooses x x private n Sends y to Alice Fact: gcd ( a − b , n ) | n . (Proof Computes y = x 2 ( mod n ) Finds distinct a , − a , b , − b such that: later) Alice Sends y to Alice a 2 = ( − a ) 2 = b 2 = ( − b ) 2 = y ( mod n ) Finds distinct a , − a , b , − b such that Alice ◮ When Bob gets b , he checks ( ± a ) 2 = ( ± b ) 2 = y ( mod n ) . that b 2 = x 2 Since Alice knows p and q, (Why?) Chooses one of a , − a , b , − b (say b ) and sends it to she can compute ± a and ± b quickly. (Later) This prevents Alice from Bob. Chooses one of a , − a , b , − b (say b ) and sends it to Bob. cheating on the choice of b . Bob If b = ± x ( mod n ) Bob If b = ± x ( mod n ) then Bob tells Alice she wins !! However, Bob can choose to else Bob tells Alice she looses. then he tells Alice she wins loose all the time! else he tells Alice she looses. 3 / 19 4 / 19

Mental Poker: The Basic Idea Quadratic Residues !! But there may not be a solution. Bob Constructs 52 boxes with a card locked in each one ◮ We know how to solve E.g., for: x 2 ≡ 3 ( mod 5 ) Constructs a bag containing the 52 boxes equations like: Sends the bag to Alice a · x ≡ b ( mod n ) 1 2 = 1 ≡ 1 ( mod 5 ) Alice Chooses 5 boxes and sends them to Bob 2 2 = 4 ≡ 4 ( mod 5 ) ◮ We now want to solve Bob Unlocks the boxes and gets his five cards 3 2 = 9 ≡ 4 ( mod 5 ) equations like: x 2 ≡ b ( mod n ) Alice Chooses 5 more boxes and puts her locks on them. 4 2 = 16 ≡ 1 ( mod 5 ) Sends these to Bob Bob Takes off his locks of the five boxes. Definition 1. Sends these boxes to Alice Suppose a ∈ Z ∗ n . Alice Takes off her locks and she has her five cards. Notation Then, a is a quadratic residue mod n when QR n = the quadratic residues mod n . x 2 ≡ a ( mod n ) How can we implement this? has a solution, otherwise a is a nonresidue . Q: What are the residues/nonresidues mod 5? 5 / 19 6 / 19 Euler’s Criterion An Example mod 19 ( p − 1 ) Suppose p is an odd prime and a ∈ Z ∗ b 2 p . a b − b a 2 Suppose p is prime and a ∈ Z ∗ p . 1 1 1 18 1 QR p = quadratic residues mod p . Theorem 2 (Euler’s Criterion). 2 17 13 6 18 3 16 15 4 18 a ( p − 1 ) /2 ≡ 1 ( mod p ) . a ∈ QR p ⇐ ⇒ Euler’s Criterion 4 4 17 2 1 5 5 9 10 1 a ( p − 1 ) /2 ≡ 1 ( mod p ) . a ∈ QR p ⇐ ⇒ 6 6 5 14 1 Lemma 3. 7 7 11 8 1 a ( p − 1 ) /2 ≡ ± 1 ( mod p ) . 8 11 12 7 18 Proposition 4 9 9 16 3 1 Suppose 10 9 3 16 18 Proposition 4. 11 11 7 12 1 ◮ p ≡ 3 ( mod 4 ) 12 7 8 11 18 Suppose p ≡ 3 ( mod 4 ) and b = a ( p + 1 ) /4 ( mod p ) . Then either ◮ b = a ( p + 1 ) /4 ( mod p ) 13 6 14 5 18 14 5 10 9 18 ◮ a ∈ QR p with roots ± b, or Then either 15 4 2 17 18 ◮ − a ∈ QR p with roots ± b. 16 16 4 15 1 ◮ a ∈ QR p with square roots ± b, or 17 17 6 13 1 ◮ − a ∈ QR p with square roots ± b. proofs on board shortly 18 1 18 1 18 b = a ( p + 1 ) /4 mod p . 7 / 19 8 / 19

An Example mod 19 An Example mod 19 Games & Quadratic Residues Games & Quadratic Residues ( p − 1 ) ( p − 1 ) a b 2 b − b a a b 2 b − b a 2 Suppose p is prime and a ∈ Z ∗ 2 Suppose p is prime and a ∈ Z ∗ p . p . 1 1 1 18 1 1 1 1 18 1 QR p = quadratic residues mod p . QR p = quadratic residues mod p . 2018-10-16 2 17 13 6 18 2018-10-16 2 17 13 6 18 3 16 15 4 18 3 16 15 4 18 4 4 17 2 1 Euler’s Criterion 4 4 17 2 1 Euler’s Criterion 5 5 9 10 1 5 5 9 10 1 a ( p − 1 ) /2 ≡ 1 ( mod p ) . a ( p − 1 ) /2 ≡ 1 ( mod p ) . a ∈ QR p ⇐ ⇒ a ∈ QR p ⇐ ⇒ 6 6 5 14 1 6 6 5 14 1 7 7 11 8 1 7 7 11 8 1 8 11 12 7 18 Proposition 4 8 11 12 7 18 Proposition 4 9 9 16 3 1 9 9 16 3 1 Suppose Suppose 10 9 3 16 18 10 9 3 16 18 11 11 7 12 1 ◮ p ≡ 3 ( mod 4 ) 11 11 7 12 1 ◮ p ≡ 3 ( mod 4 ) An Example mod 19 An Example mod 19 12 7 8 11 18 12 7 8 11 18 13 6 14 5 18 ◮ b = a ( p + 1 ) /4 ( mod p ) 13 6 14 5 18 ◮ b = a ( p + 1 ) /4 ( mod p ) 14 5 10 9 18 14 5 10 9 18 Then either Then either 15 4 2 17 18 15 4 2 17 18 16 16 4 15 1 ◮ a ∈ QR p with square roots ± b, or 16 16 4 15 1 ◮ a ∈ QR p with square roots ± b, or 17 17 6 13 1 17 17 6 13 1 18 1 18 1 18 ◮ − a ∈ QR p with square roots ± b. 18 1 18 1 18 ◮ − a ∈ QR p with square roots ± b. b = a ( p + 1 ) /4 mod p . b = a ( p + 1 ) /4 mod p . Claim: Suppose p is an odd prime. Then ± 1 ( mod p ) are the only two solutions of x 2 ≡ Proof of Euler’s Criterion: So suppose p is an odd prime. (Hence, p − 1 is even.) 1 ( mod p ) . (The p = 2 case is trivial since Z ∗ 2 = { 1 } .) Proof of the Claim: ⇒ ) : Suppose x 2 ≡ a ( mod p ) . (= x 2 ≡ 1 ⇒ ( x 2 − 1 ) ≡ 0 ( mod p ) ⇐ ( mod p ) Then a ( p − 1 ) /2 = ( x 2 ) ( p − 1 ) /2 = x p − 1 ≡ 1 ( mod p ) by FLL. ⇐ ⇒ ( x − 1 )( x + 1 ) ≡ 0 ( mod p ) . = ): Suppose a ( p − 1 ) /2 ≡ 1 ( mod p ) . Since Z ∗ p is a field, it follows that either x − 1 ≡ 0 or x + 1 ≡ 0. ( ⇐ Let g be a prim. elm and a = g j ( mod p ) . I.e., x = ± 1 ( mod p ) . Then g j ( p − 1 ) /2 ≡ 1 ( mod p ) . Proof of the Lemma: By FLL: ( a ( p − 1 ) /2 ) 2 = a p − 1 ≡ 1 ( mod p ) . But since g is a prim. elm, we must have: j ( p − 1 ) /2 = k · ( p − 1 ) for some integer k . (Why?) So by the claim, ( a ( p − 1 ) /2 ) ≡ ± 1 ( mod p ) . Hence, j = 2 k and ( g k ) 2 = g 2 k = g j = a . So a ∈ QR p . An Example mod 19 Games & Quadratic Residues ( p − 1 ) a b 2 b − b a 2 Suppose p is prime and a ∈ Z ∗ Another Criterion p . 1 1 1 18 1 QR p = quadratic residues mod p . 2018-10-16 2 17 13 6 18 3 16 15 4 18 4 4 17 2 1 Euler’s Criterion 5 5 9 10 1 a ( p − 1 ) /2 ≡ 1 ( mod p ) . a ∈ QR p ⇐ ⇒ 6 6 5 14 1 7 7 11 8 1 8 11 12 7 18 Proposition 4 E.g.: mod 19, g=2 9 9 16 3 1 Suppose 10 9 3 16 18 11 11 7 12 1 ◮ p ≡ 3 ( mod 4 ) a i · p − 1 An Example mod 19 12 7 8 11 18 g i 13 6 14 5 18 ◮ b = a ( p + 1 ) /4 ( mod p ) i 2 14 5 10 9 18 Then either 15 4 2 17 18 16 16 4 15 1 ◮ a ∈ QR p with square roots ± b, or 17 17 6 13 1 1 2 18 18 1 18 1 18 ◮ − a ∈ QR p with square roots ± b. b = a ( p + 1 ) /4 mod p . 2 4 1 Proposition 4, Restated: Suppose p is prime. 3 8 18 Suppose p ≡ 3 ( mod 4 ) and b = a ( p + 1 ) /4 ( mod p ) Then either 4 16 1 • a ∈ QR p with square roots ± b, or Euler’s Criterion, Repeated 5 13 18 6 7 1 • − a ∈ QR p with square roots ± b. a ( p − 1 ) /2 ≡ 1 ( mod p ) . a ∈ QR p ⇐ ⇒ 7 14 18 Proof: 8 9 1 Consider b 2 ≡ ( a ( p + 1 ) /4 ) 2 ≡ a ( p + 1 ) /2 ≡ a ( p − 1 ) ( p − 1 ) + 2 2 ≡ a · a ( mod p ) . 9 18 18 2 2 Proposition 5 (Another criterion). ( p − 1 ) ∼ 10 17 1 = ± 1 ( mod p ) . By Lemma 3, a 2 11 15 18 Suppose g is a primitive element of Z ∗ p . Then: ( p − 1 ) ≡ 1 ( mod p ) . Then ( − b ) 2 ∼ = b 2 ∼ = 1 · a ∼ C ASE : a = a ( mod p ) . 12 11 1 2 13 3 18 g j ∈ QR p ⇐ ( p − 1 ) ≡ − 1 ( mod p ) . Then ( − b ) 2 ∼ = b 2 ∼ = − 1 · a ∼ ⇒ j is even. C ASE : a = − a ( mod p ) . 14 6 1 2 15 12 18 16 5 1 17 10 18 18 1 1 9 / 19