


Games & Quadratic Residues

Jim Royer

Introduction to Cryptography

October 16, 2018

1 / 19

Flipping Coins over the Telephone: First Attempt

◮ Alice and Bob are on the phone trying to decide who pays for dinner tonight.
◮ Alice proposed flipping a coin.
◮ Here is what happens:
    Alice: Asks Bob to call Heads or Tails.
    Bob:   Calls Heads.
    Alice: Replies, “You lose!”
◮ Bob is not happy, with reason.
◮ How can we fix this?

2 / 19

Flipping Coins over the Telephone (Blum 1981)

Alice:  Chooses p and q, distinct primes ≡ 3 (mod 4). Computes n = p · q. (p, q private.) Sends n to Bob.
Bob:    Chooses x ∈_R Z*_n, i.e. at random (x private). Computes y = x² (mod n). Sends y to Alice.
Alice:  Finds distinct a, −a, b, −b such that a² = (−a)² = b² = (−b)² = y (mod n). Since Alice knows p and q, (Why?) she can compute ±a and ±b quickly. (Later.) Chooses one of a, −a, b, −b (say b) and sends it to Bob.
Bob:    If b = ±x (mod n) then he tells Alice she wins, else he tells Alice she loses.

3 / 19

Flipping Coins over the Phone: Why does this work?

The Coin Flipping Protocol

Alice:  Chooses p, q primes ≡ 3 (mod 4). Computes n = p · q. (p, q private.) Sends n to Bob.
Bob:    Chooses x ∈_R Z*_n (x private). Computes y = x² (mod n). Sends y to Alice.
Alice:  Finds distinct a, −a, b, −b such that (±a)² = (±b)² = y (mod n). Chooses one of a, −a, b, −b (say b) and sends it to Bob.
Bob:    If b = ±x (mod n) then Bob tells Alice she wins, else Bob tells Alice she loses.

◮ If Alice loses, she asks Bob to factor n. If Alice loses, Bob knows ±b and ±a. Fact: gcd(a − b, n) | n, and it is a proper factor (p or q). (Proof later.)
◮ When Bob gets b, he checks that b² = x² (mod n). This prevents Alice from cheating on the choice of b.
!! However, Bob can choose to lose all the time!

4 / 19


Mental Poker: The Basic Idea

Bob:    Constructs 52 boxes with a card locked in each one. Constructs a bag containing the 52 boxes. Sends the bag to Alice.
Alice:  Chooses 5 boxes and sends them to Bob.
Bob:    Unlocks the boxes and gets his five cards.
Alice:  Chooses 5 more boxes and puts her locks on them. Sends these to Bob.
Bob:    Takes his locks off the five boxes. Sends these boxes to Alice.
Alice:  Takes off her locks and she has her five cards.

How can we implement this?

5 / 19

Quadratic Residues

◮ We know how to solve equations like: a · x ≡ b (mod n).
◮ We now want to solve equations like: x² ≡ b (mod n).
!! But there may not be a solution. E.g., for x² ≡ 3 (mod 5):
    1² = 1 ≡ 1 (mod 5)
    2² = 4 ≡ 4 (mod 5)
    3² = 9 ≡ 4 (mod 5)
    4² = 16 ≡ 1 (mod 5)

Definition 1.

Suppose a ∈ Z*_n. Then a is a quadratic residue mod n when x² ≡ a (mod n) has a solution; otherwise a is a nonresidue.

Notation

QR_n = the quadratic residues mod n. Q: What are the residues/nonresidues mod 5?

6 / 19

Euler’s Criterion

Suppose p is an odd prime and a ∈ Z*_p.

Theorem 2 (Euler’s Criterion).

a ∈ QR_p ⇔ a^((p−1)/2) ≡ 1 (mod p).

Lemma 3.

a^((p−1)/2) ≡ ±1 (mod p).

Proposition 4.

Suppose p ≡ 3 (mod 4) and b = a^((p+1)/4) (mod p). Then either
◮ a ∈ QR_p with roots ±b, or
◮ −a ∈ QR_p with roots ±b.
(Proofs on board shortly.)

7 / 19

An Example mod 19

Table for p = 19, with b = a^((p+1)/4) mod p:

 a   b²    b   −b   a^((p−1)/2)
 1    1    1   18    1
 2   17   13    6   18
 3   16   15    4   18
 4    4   17    2    1
 5    5    9   10    1
 6    6    5   14    1
 7    7   11    8    1
 8   11   12    7   18
 9    9   16    3    1
10    9    3   16   18
11   11    7   12    1
12    7    8   11   18
13    6   14    5   18
14    5   10    9   18
15    4    2   17   18
16   16    4   15    1
17   17    6   13    1
18    1   18    1   18

Suppose p is prime and a ∈ Z*_p. QR_p = quadratic residues mod p.

Euler’s Criterion

a ∈ QR_p ⇔ a^((p−1)/2) ≡ 1 (mod p).

Proposition 4

Suppose
◮ p ≡ 3 (mod 4)
◮ b = a^((p+1)/4) (mod p)
Then either
◮ a ∈ QR_p with square roots ±b, or
◮ −a ∈ QR_p with square roots ±b.

8 / 19


Notes for “An Example mod 19”: Proof of Euler’s Criterion.

Suppose p is an odd prime. (Hence, p − 1 is even.) (The p = 2 case is trivial since Z*_2 = { 1 }.)

(⇒): Suppose x² ≡ a (mod p). Then a^((p−1)/2) = (x²)^((p−1)/2) = x^(p−1) ≡ 1 (mod p) by FLL.

(⇐): Suppose a^((p−1)/2) ≡ 1 (mod p). Let g be a primitive element and a = g^j (mod p). Then g^(j(p−1)/2) ≡ 1 (mod p). But since g is a primitive element, we must have j(p − 1)/2 = k · (p − 1) for some integer k. (Why?) Hence, j = 2k and (g^k)² = g^(2k) = g^j = a. So a ∈ QR_p.


Notes for “An Example mod 19”: Proof of Lemma 3.

Claim: Suppose p is an odd prime. Then ±1 (mod p) are the only two solutions of x² ≡ 1 (mod p).

Proof of the Claim: x² ≡ 1 (mod p) ⇔ (x² − 1) ≡ 0 (mod p) ⇔ (x − 1)(x + 1) ≡ 0 (mod p). Since Z_p is a field (it has no zero divisors), it follows that either x − 1 ≡ 0 or x + 1 ≡ 0, i.e., x ≡ ±1 (mod p).

Proof of the Lemma: By FLL, (a^((p−1)/2))² = a^(p−1) ≡ 1 (mod p). So by the Claim, a^((p−1)/2) ≡ ±1 (mod p).


Notes for “An Example mod 19”: Proof of Proposition 4.

Proposition 4, Restated: Suppose p ≡ 3 (mod 4) and b = a^((p+1)/4) (mod p). Then either
  • a ∈ QR_p with square roots ±b, or
  • −a ∈ QR_p with square roots ±b.

Proof: Consider b² ≡ (a^((p+1)/4))² ≡ a^((p+1)/2) ≡ a^((p−1)/2 + 2/2) ≡ a^((p−1)/2) · a (mod p). By Lemma 3, a^((p−1)/2) ≡ ±1 (mod p).

CASE a^((p−1)/2) ≡ 1 (mod p): Then (−b)² ≡ b² ≡ 1 · a ≡ a (mod p).

CASE a^((p−1)/2) ≡ −1 (mod p): Then (−b)² ≡ b² ≡ −1 · a ≡ −a (mod p).

Another Criterion

Suppose p is prime.

Euler’s Criterion, Repeated

a ∈ QR_p ⇔ a^((p−1)/2) ≡ 1 (mod p).

Proposition 5 (Another criterion).

Suppose g is a primitive element of Z*_p. Then:

g^j ∈ QR_p ⇔ j is even.

E.g.: mod 19, g = 2, with a_i = g^i:

 i   g^i   a_i^((p−1)/2)
 1    2    18
 2    4     1
 3    8    18
 4   16     1
 5   13    18
 6    7     1
 7   14    18
 8    9     1
 9   18    18
10   17     1
11   15    18
12   11     1
13    3    18
14    6     1
15   12    18
16    5     1
17   10    18
18    1     1

9 / 19


Notes for “Another Criterion”: Proof of Proposition 5.

Recall, p is an odd prime.

(⇐): Suppose j = 2i. Then a = g^j = g^(2i) = (g^i)². So a is a QR.

(⇒): Suppose a ∈ QR_p. So a ≡ b² (mod p) for some b ∈ Z*_p. Suppose b = g^i. Then g^(2i) = a. Hence, j ≡ 2i (mod p − 1). So:
    j ≡ 2i (mod p − 1) ⇔ (j − 2i) = k · (p − 1) for some k ⇔ j = 2 · i + k · (p − 1),
where 2 · i is even and k · (p − 1) is even (recall, p is odd). So j is even.

Finding Square Roots mod p

Proposition (Repeated)

Suppose p is a prime with p ≡ 3 (mod 4) and a ∈ Z*_p. Then for b = a^((p+1)/4) (mod p) either
◮ a ∈ QR_p with roots ±b, or
◮ −a ∈ QR_p with roots ±b.

Example 6.

1. Suppose a = 5 and p = 11. Then b = a^((p+1)/4) = 5³ ≡ 4 (mod 11). Since 4² ≡ 5 (mod 11), the sq. roots of a are ±4 (mod 11).

2. Suppose a = 2 and p = 11. Then b = a^((p+1)/4) = 2³ = 8 (mod 11). But 8² ≡ 9 ≡ −2 (mod 11). So 2 has no square roots mod 11.

10 / 19
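The following Python script is an added example and not part of Royer’s slides. It checks Theorem 2, Lemma 3, Proposition 4 and Proposition 5 for every element of Z*_19 (and of Z*_11), rebuilds the two tables for p = 19 (the residue table and the g = 2 table), answers the mod 5 question from slide 6 by brute force, and reproduces Example 6. All function names are my own; nothing beyond Python’s built-in pow() is assumed.

```python
# Added example (not from the slides): numerically checking Euler's Criterion
# (Theorem 2), Lemma 3, Proposition 4 and Proposition 5, and reproducing the
# two tables for p = 19 and Example 6 for p = 11. Only built-in pow() is used.

def is_qr(a, p):
    """Definition 1 by brute force: does x^2 ≡ a (mod p) have a solution?"""
    return any(pow(x, 2, p) == a % p for x in range(1, p))

def euler_criterion(a, p):
    """Theorem 2: a ∈ QR_p iff a^((p-1)/2) ≡ 1 (mod p)."""
    return pow(a, (p - 1) // 2, p) == 1

def root_candidate(a, p):
    """Proposition 4: for p ≡ 3 (mod 4), b = a^((p+1)/4) squares to a or to -a."""
    assert p % 4 == 3, "the (p+1)/4 trick needs p ≡ 3 (mod 4)"
    return pow(a, (p + 1) // 4, p)

def sqrt_mod_p(a, p):
    """Square roots ±b of a mod p, or None when a is a nonresidue (then b^2 ≡ -a)."""
    b = root_candidate(a, p)
    return (b, (-b) % p) if pow(b, 2, p) == a % p else None

def residue_table(p):
    """Rows (a, b^2, b, -b, a^((p-1)/2)) exactly as on the 'Example mod 19' slide."""
    rows = []
    for a in range(1, p):
        b = root_candidate(a, p)
        rows.append((a, pow(b, 2, p), b, (-b) % p, pow(a, (p - 1) // 2, p)))
    return rows

def primitive_table(g, p):
    """Rows (i, g^i, (g^i)^((p-1)/2)): by Proposition 5 the last entry is 1 iff i is even."""
    return [(i, pow(g, i, p), pow(pow(g, i, p), (p - 1) // 2, p)) for i in range(1, p)]

def check_theorems(p, g):
    """True iff Theorem 2, Lemma 3 and Proposition 4 hold for every a ∈ Z*_p
    and Proposition 5 holds for the primitive element g."""
    for a in range(1, p):
        e = pow(a, (p - 1) // 2, p)
        if e not in (1, p - 1):                     # Lemma 3: e ≡ ±1
            return False
        if euler_criterion(a, p) != is_qr(a, p):    # Theorem 2
            return False
        b2 = pow(root_candidate(a, p), 2, p)
        if b2 not in (a, (-a) % p):                 # Proposition 4
            return False
    return all((e == 1) == (i % 2 == 0) for i, _, e in primitive_table(g, p))

if __name__ == "__main__":
    print(" a  b^2   b  -b  a^9")
    for row in residue_table(19):
        print("%2d  %3d  %2d  %2d  %3d" % row)
    print("all four statements hold mod 19:", check_theorems(19, 2))
    print("residues mod 5:", [a for a in range(1, 5) if is_qr(a, 5)])
    print("sqrt(5) mod 11 =", sqrt_mod_p(5, 11), "  sqrt(2) mod 11 =", sqrt_mod_p(2, 11))
```

Running it prints the p = 19 table row for row, reports that all four statements hold, lists the residues mod 5 as [1, 4], and gives (4, 7) for the square roots of 5 mod 11 and None for 2 mod 11, matching Example 6.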

Finding Square roots mod (p · q), I

Suppose p and q are distinct primes.

Claim

x² ≡ y (mod p · q) ⇔ x² ≡ y (mod p) & x² ≡ y (mod q).

Proof.

(⇒) x² ≡ y (mod p · q) ⇔ (x² − y) = k · p · q for some k. So clearly p | (x² − y) and q | (x² − y).
(⇐) This direction follows from:

Exercise: Show that if p | a and q | a, then (p · q) | a.

11 / 19

Finding Square roots mod (p · q), II

Given p and q, finding sq. roots mod p · q isn’t hard — when p, q ≡ 3 (mod 4).

Example: x² ≡ 71 (mod 77), so p = 7 and q = 11.

x² ≡ 71 (mod 77) ⇔ { x² ≡ 71 ≡ 1 (mod 7) and x² ≡ 71 ≡ 5 (mod 11) }
                 ⇔ { x ≡ ±1 (mod 7) and x ≡ ±4 (mod 11) }
                 ⇔ one of the four systems:
    { x ≡ 1 (mod 7),   x ≡ 4 (mod 11) }   or
    { x ≡ −1 (mod 7),  x ≡ 4 (mod 11) }   or
    { x ≡ 1 (mod 7),   x ≡ −4 (mod 11) }  or
    { x ≡ −1 (mod 7),  x ≡ −4 (mod 11) }.

◮ Now, we use the Chinese Remainder Theorem 4 times.

We end up with: x ≡ ±15, ±29 (mod 77).

12 / 19


Square roots mod (p · q), III

Claim

Suppose:
◮ n = p · q, where p & q are distinct primes with p, q ≡ 3 (mod 4).
◮ y ∈ Z*_n and the solutions of x² ≡ y (mod n) are x ≡ ±a, ±b.
Then either
  (i)  a ≡ b (mod p) and a ≡ −b (mod q),   or
  (ii) a ≡ −b (mod p) and a ≡ b (mod q).

Proof.

Just use the CRT construction on the prior page.
◮ Then a − b is ≡ 0 (mod p) or ≡ 0 (mod q). Say a − b ≡ 0 (mod p).
∴ gcd(a − b, n) = p and so we can factor n.
∴ If we can find square roots mod n, we can easily factor n.
∴ Factoring n & finding square roots mod n are about the same computational hardness.

13 / 19

Example: The situation mod 21

21 = 3 · 7 and both 3 and 7 are ≡ 3 (mod 4). Z*_21 = { 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 }.

Squares mod 21

 n   n²      n   n²
 1    1     11   16
 2    4     12   18
 3    9     13    1
 4   16     14    7
 5    4     15   15
 6   15     16    4
 7    7     17   16
 8    1     18    9
 9   18     19    4
10   16     20    1

 a    sq. roots of a     gcd(a, 21)
 1    1, 8, 13, 20       gcd(1, 21) = 1
 4    2, 5, 16, 19       gcd(4, 21) = 1
 7    7, 14              gcd(7, 21) = 7
 9    3, 18              gcd(9, 21) = 3
15    6, 15              gcd(15, 21) = 3
16    4, 10, 11, 17      gcd(16, 21) = 1
18    9, 12              gcd(18, 21) = 3

Do the square roots of 1, 4, & 16 behave as promised? Another example? Try 33.

14 / 19

Back to Mental Poker

Set up: p, a prime. (Public.)
Alice:  Picks α ∈ Z*_(p−1). (Private.) Computes α′ = α⁻¹ (mod p − 1). (So, (c^α)^α′ ≡ c (mod p).)
Bob:    Picks β ∈ Z*_(p−1). (Private.) Computes β′ = β⁻¹ (mod p − 1). (So, (c^β)^β′ ≡ c (mod p).)
◮ c_1, . . . , c_52 ∈ Z_p represent cards.

15 / 19

Mental Poker: Shuffling and Dealing

Bob:    Computes b_i ≡ c_i^β (mod p), for i = 1, . . . , 52. Randomly permutes these & sends them to Alice.
Alice:  Chooses five numbers b_i1, b_i2, b_i3, b_i4, and b_i5.
Bob:    Unlocks c_ij ≡ (b_ij)^β′ (mod p), for j = 1, . . . , 5.
Alice:  Chooses five more b_i’s, locks them (i.e., a_i = (b_i)^α). Sends these to Bob.
Bob:    Takes his locks off (i.e., d_i = a_i^β′ ≡ c_i^(βαβ′) ≡ c_i^α (mod p)). Sends them to Alice.
Alice:  Takes off her locks (i.e., d_i^α′ ≡ c_i^(αα′) ≡ c_i (mod p)). She looks at her hand.

16 / 19


Mental Poker: Cheating

Use Euler’s Criterion

Since α ∈ Z*_(p−1):
◮ (c^α)^((p−1)/2) ≡ (c^((p−1)/2))^α.
◮ So, c^α is a quad. res. ⇔ c is a QR.
◮ You can tell whether a locked number is a QR.

∴ Either all the c_i’s should be QRs, or else all should be non-quadratic residues. (Why?)

17 / 19
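An added Python example, not from the slides, of the commutative locks on slides 15–16 and of the quadratic-residue leak on slide 17. The prime p = 1019, the seed, and the card encodings (2 … 53 for the “naive” deck, their squares for the all-QR deck) are constructed for the demo; the function names are my own. A real deal would use a much larger p, but the arithmetic is identical.

```python
# Added example (not from the slides): the commutative exponentiation "locks"
# of the mental-poker protocol (slides 15-16) and the quadratic-residue leak of
# slide 17. The prime p, the seed and the card encodings are constructed for
# the demo; a real deck would use a much larger p.
import random
from math import gcd

def make_key(p, rng):
    """Pick a private α ∈ Z*_(p-1) together with α' = α^(-1) (mod p-1)."""
    while True:
        alpha = rng.randrange(2, p - 1)
        if gcd(alpha, p - 1) == 1:
            return alpha, pow(alpha, -1, p - 1)

def lock(c, key, p):
    """Locking and unlocking are both exponentiation mod p, so the exponents commute."""
    return pow(c, key, p)

def deal(cards, p, seed=1):
    """Shuffle-and-deal of slide 16; returns (bob_hand, alice_hand) as plain card values."""
    rng = random.Random(seed)
    alpha, alpha_inv = make_key(p, rng)      # Alice's private (α, α')
    beta, beta_inv = make_key(p, rng)        # Bob's private (β, β')
    locked = [lock(c, beta, p) for c in cards]   # b_i = c_i^β
    rng.shuffle(locked)                          # Bob's random permutation
    bob_hand = [lock(b, beta_inv, p) for b in locked[:5]]        # Alice picks 5, Bob unlocks
    doubly = [lock(b, alpha, p) for b in locked[5:10]]           # a_i = b_i^α
    bob_removed = [lock(a, beta_inv, p) for a in doubly]         # d_i = a_i^β' = c_i^α
    alice_hand = [lock(d, alpha_inv, p) for d in bob_removed]    # d_i^α' = c_i
    return bob_hand, alice_hand

def is_qr(c, p):
    """Euler's Criterion."""
    return pow(c, (p - 1) // 2, p) == 1

def lock_preserves_qr(cards, p, key):
    """Slide 17: key is odd (a unit mod the even number p-1), so
    (c^key)^((p-1)/2) = (c^((p-1)/2))^key = ±1 unchanged; the QR bit leaks."""
    return all(is_qr(c, p) == is_qr(lock(c, key, p), p) for c in cards)

def leak_free(cards, p):
    """The remedy suggested on slide 17: every card a QR, or every card a nonresidue."""
    return len({is_qr(c, p) for c in cards}) == 1

if __name__ == "__main__":
    p = 1019                                           # constructed prime
    naive_deck = list(range(2, 54))                    # mixes QRs and nonresidues
    qr_deck = [pow(i, 2, p) for i in range(2, 54)]     # all squares, hence all QRs
    bob, alice = deal(naive_deck, p)
    print("Bob:", bob, "Alice:", alice)
    print("locking keeps QR status:", lock_preserves_qr(naive_deck, p, 7))
    print("naive deck leak-free?", leak_free(naive_deck, p),
          " QR deck leak-free?", leak_free(qr_deck, p))
```

Two things to notice when running it: every value in both hands is one of the original cards, because α·α′ ≡ β·β′ ≡ 1 (mod p − 1) makes the locks cancel regardless of order; and with the naive deck, Alice can read the QR bit of every locked card Bob sends her, which is exactly the leak the slide points out and the all-QR deck removes.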

Rabin’s Encryption Scheme

◮ Breaking RSA might be easier than the factoring problem.
◮ We know that factoring p · q and finding square roots mod p · q are computationally equivalent.
◮ Rabin’s idea: Use m → m² mod (p · q) for encryption.

◮ Setup: p, q primes where p, q ≡ 3 (mod 4).
◮ n = p · q public key; p, q private keys.
◮ Plaintexts: elements of Z*_n.
◮ Ciphertexts: quadratic residues mod n.

Alice:  Wants to send a message m ∈ Z*_n. Sends Bob c = m² mod n. (n is Bob’s public key.)
Bob:    Receives c and uses the CRT trick to compute the four* square roots of c. Which one is m?

Add extra info to the message to say which one m is, e.g., [It is the 3rd largest] or [ (m/n) & the “sign” of m ].

*There are some irritating special cases, e.g., m = p.

18 / 19

Rabin’s Signature Scheme

Beginning Idea

◮ Use a hash function that produces quadratic residues mod n.
◮ A message signed by Bob = (m, y) such that y² ≡ h(m) (mod n).
◮ To verify (m, y) just check y² ≡ h(m) (mod n).
◮ The only way to feasibly compute a sq. root of h(m) is to know Bob’s p and q. So it must have been Bob that produced y.

Constructing something close to h

◮ Start with h0 : P × { 0, 1 }^k → Z_n, some standard hash function.
◮ Bob tries lots of x ∈_R { 0, 1 }^k until he finds one with h0(m, x) ∈ QR_n.
◮ Since Bob knows p and q, testing h0(m, x) ∈ QR_n is easy.
◮ The signed message is: (m, x, y) with y² ≡ h0(m, x) (mod n).

19 / 19
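The following Python script is an added example, not code from the slides. One helper, square roots mod n = p · q built from Proposition 4 and the CRT, serves several of the slides at once: it reproduces the x² ≡ 71 (mod 77) computation of slide 12 and the mod 21 table of slide 14, performs the factoring of slide 13, runs Blum’s coin flip from slides 3–4 with Bob’s check and his factoring when he wins, and implements Rabin encryption and the retry-until-QR signature of slides 18–19. For the “extra info” of slide 18 I use my reading of the slide, the Jacobi symbol (m/n) together with the parity of m; the Jacobi routine is the standard reciprocity algorithm, which needs no knowledge of p and q. h0 is a stand-in hash built from SHA-256, and the primes 1019, 1123, the message and the seed are constructed for the demo.

```python
# Added example (not from the slides): square roots mod n = p*q for
# p, q ≡ 3 (mod 4) from Proposition 4 plus the CRT (slide 12), the factoring
# trick of slide 13, Blum's coin flip on top of them (slides 3-4), and Rabin
# encryption and signatures (slides 18-19). h0 is a stand-in hash built from
# SHA-256; the primes, message and seed are constructed for the demo.
import hashlib
import random
from math import gcd

def crt(rp, p, rq, q):
    """The unique x in [0, p*q) with x ≡ rp (mod p) and x ≡ rq (mod q)."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def sqrt_mod_pq(y, p, q):
    """Sorted square roots of y mod p*q, or None when y is a nonresidue mod p or mod q."""
    assert p % 4 == 3 and q % 4 == 3
    rp, rq = pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)   # Proposition 4 mod p, mod q
    if pow(rp, 2, p) != y % p or pow(rq, 2, q) != y % q:
        return None
    return sorted({crt(sp, p, sq, q) for sp in (rp, -rp % p) for sq in (rq, -rq % q)})

def factor_from_roots(a, b, n):
    """Slide 13: if a² ≡ b² (mod n) but a ≢ ±b, then gcd(a - b, n) is p or q."""
    d = gcd(a - b, n)
    return (min(d, n // d), max(d, n // d)) if 1 < d < n else None

def coin_flip(p, q, x, pick):
    """Blum's protocol (slides 3-4). Bob's secret is x; Alice answers with root number
    `pick` (0..3) of y = x². Returns (winner, factors of n that Bob learns, or None)."""
    n = p * q
    y = pow(x, 2, n)                  # Bob -> Alice
    b = sqrt_mod_pq(y, p, q)[pick]    # Alice -> Bob; only she can do this (she knows p, q)
    assert pow(b, 2, n) == y          # Bob's check: a b that is not a root of y is rejected
    if b in (x, (-x) % n):
        return "alice", None
    return "bob", factor_from_roots(x, b, n)   # Bob can now prove his win by factoring n

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n, computed without knowing the factors of n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def rabin_encrypt(m, n):
    """c = m² mod n plus the 'extra info' of slide 18: (m/n) and the parity of m."""
    return pow(m, 2, n), (jacobi(m, n), m % 2)

def rabin_decrypt(c, tag, p, q):
    """Of the roots ±a, ±b, (m/n) separates {±a} from {±b} and parity separates r from n-r."""
    n = p * q
    return next(r for r in sqrt_mod_pq(c, p, q) if (jacobi(r, n), r % 2) == tag)

def h0(m, x, n):
    """Stand-in for the slide's h0 : P x {0,1}^k -> Z_n."""
    return int.from_bytes(hashlib.sha256(m + x).digest(), "big") % n

def rabin_sign(m, p, q, seed=0):
    """Slide 19: retry random x until h0(m, x) ∈ QR_n, then return (x, y) with y² ≡ h0(m, x)."""
    rng, n = random.Random(seed), p * q
    while True:
        x = rng.getrandbits(64).to_bytes(8, "big")
        roots = sqrt_mod_pq(h0(m, x, n), p, q)
        if roots:
            return x, roots[0]

def rabin_verify(m, x, y, n):
    return pow(y, 2, n) == h0(m, x, n)

if __name__ == "__main__":
    print(sqrt_mod_pq(71, 7, 11), factor_from_roots(15, 29, 77))   # slide 12 / 13 numbers
    for pick in range(4):
        print("Alice sends root", pick, "->", coin_flip(7, 11, 15, pick))
    p, q = 1019, 1123
    c, tag = rabin_encrypt(123456, p * q)
    x, y = rabin_sign(b"dinner", p, q, seed=7)
    print(rabin_decrypt(c, tag, p, q), rabin_verify(b"dinner", x, y, p * q))
```

With Bob’s x = 15 the roots of 71 mod 77 come back as [15, 29, 48, 62], i.e. ±15 and ±29 as on slide 12. Alice sending 15 or 62 (= −15) means she wins; sending 29 or 48 hands Bob a root with the same square as his own x, and gcd(15 − 29, 77) = 7 factors n exactly as slide 13 promises. The parity bit works because n is odd, so r and n − r always differ in parity; the Jacobi symbol works because with q ≡ 3 (mod 4) the pairs {±a} and {±b} of slide 13 have opposite symbols.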