blum - Department of Computer Science

Coin Flipping Protocol
CS 303 Alg. Number Theory & Cryptography
Jeremy Johnson
Manuel Blum, Coin Flipping by Telephone: A Protocol for Solving Impossible
Problems, ACM SIGACT, Vol. 15, No. 1, 1983, pp. 23-27.
Outline
Coin flipping protocol
Completely secure vs. normally secure one-way functions
Some protocols that do not work
Blum Protocol
Goldwasser-Micali Probabilistic Encryption

12/10/2008
Coin Tossing Protocol

Want to flip a coin over the telephone
Fair and verifiable
 Not subject to cheating

Public Key Cryptography

Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() for decrypting.

D(E(M)) = M
Both E() and D() are easy to compute
Publicly revealing E() does not make it easy to determine D()
E(D(M)) = M - needed for signatures

The collection of E()’s is made publicly available but the D()’s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)
Attempt 1

Generate Encryption/Decryption Keys
A: Randomly select flip = “heads” or “tails”
A → B: $E_A(\text{flip})$
B → A: guess heads or tails
A → B: $D_A()$ to check result

What’s wrong?
One-Way Functions

Normally Secure One-Way Function
Efficiently computable function whose inverse cannot be computed efficiently

Completely Secure One-Way Function
Normally secure plus knowledge of f(x) does not give more than 50-50 chance of efficiently guessing some non-trivial property such as parity
Solution with a Completely Secure One-Way Function
A: randomly select x
A → B: f(x)
B → A: guess x even/odd
A → B: send x to verify result

Attempt 2 (RSA)

Generate Keys: $N = PQ$, $\gcd(e, \varphi(N)) = 1$, $ed \equiv 1 \pmod{\varphi(N)}$, $E = (e, N)$, $D = (d, N)$
A: Randomly select x (use parity)
A → B: E(x)
B → A: guess parity of x
A → B: D() to check parity of result

What could be wrong?
Attempt 3 (Discrete Log)

$Z_p$ = <>, $p \equiv 1 \pmod 4$ prime
A: Randomly select x (use parity)
A → B: y = x
B → A: guess parity of x
A → B: send x to verify guess

Probability is correct. What is wrong?
Blum Protocol

Blum protocol




B selects $N = PQ$, $P \equiv 3 \pmod 4$, $Q \equiv 3 \pmod 4$.
A selects $x_1, \ldots, x_t$ and sends $x_1^2, \ldots, x_t^2$ to B
B guesses $b_1, \ldots, b_t$ and sends them to A
A sends $x_1, \ldots, x_t$ to B and B checks $\left(\frac{x_i}{N}\right) = b_i$
Correctness of Blum Protocol

Four solutions $x^2 \equiv a \pmod N$ [use CRT]
$P \equiv Q \equiv 3 \pmod 4 \Rightarrow J(-1,P) = J(-1,Q) = -1$
$(\pm b)^2 \equiv a \pmod P$, $(\pm c)^2 \equiv a \pmod Q$
Half with $J(x,N) = 1$, half with $J(x,N) = -1$
Knowing $\pm b$ and $\pm c$ gives P and Q
$b \not\equiv c \pmod P$, $b \equiv c \pmod Q \Rightarrow \gcd(b - c, N) = Q$
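The Blum protocol and the correctness argument above, as an added Python example that is not part of the original slides. The toy primes 499 and 547 and all function names are constructed for illustration; B's guesses are the Jacobi symbol values +1 or -1.

```python
import math
import secrets

P, Q = 499, 547          # constructed toy primes, both = 3 (mod 4); B keeps them secret
N = P * Q                # B publishes N

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def alice_commit(N, t):
    """A picks x_1..x_t coprime to N; returns (kept secret, squares sent to B)."""
    xs = []
    while len(xs) < t:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:
            xs.append(x)
    return xs, [x * x % N for x in xs]

def bob_verify(N, squares, guesses, xs):
    """B rejects any reveal that is not a root of its commitment, then scores guesses."""
    if any(x * x % N != a for x, a in zip(xs, squares)):
        raise ValueError("revealed x does not match committed square")
    return [jacobi(x, N) == b for x, b in zip(xs, guesses)]

def roots_mod_blum(a, P, Q):
    """All four roots of x^2 = a (mod PQ) via CRT; needs the factors P, Q."""
    rp, rq = pow(a, (P + 1) // 4, P), pow(a, (Q + 1) // 4, Q)
    up, uq = Q * pow(Q, -1, P), P * pow(P, -1, Q)   # CRT basis elements
    return sorted({(sp * rp * up + sq * rq * uq) % (P * Q)
                   for sp in (1, -1) for sq in (1, -1)})

def factor_from_roots(r, s, N):
    """Roots with opposite Jacobi symbols agree mod one prime only, so gcd splits N."""
    return math.gcd(r - s, N)

if __name__ == "__main__":
    xs, squares = alice_commit(N, 5)
    print("B's wins:", bob_verify(N, squares, [1] * 5, xs))
```

For A to open one commitment as either symbol, A would need two roots with opposite Jacobi symbols, and `factor_from_roots` shows that such a pair factors N.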
Goldwasser-Micali Probabilistic
Encryption

Goldwasser-Micali (Quadratic Residuosity)



$N = pq$, $x$ a non-residue such that $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = -1$
$m = m_1 \ldots m_t$, $m_i \in \{0,1\}$
$c = c_1 \ldots c_t$, $c_i = y_i x^{m_i} \bmod N$, $y_i$ random quadratic residue
Shafi Goldwasser and Silvio Micali. Probabilistic Encryption.
Journal of Computer and System Sciences (JCSS), 28(2):270–299, April 1984.