paper18 - University of Missouri

Bounded-to-Unbounded Poker Game
L. Harn, H.-Y. Lin, and G. Gong
Indexing terms: Cryptographic scheme, Unconditionally secure
Abstract
The bounded-to-unbounded poker game is a fair poker game that can
be played over the Internet. It allows both dealer and player to
distribute cards in a fair and secure manner. In addition, our protocol
assumes that the player is computationally bounded; however, the
dealer is computationally unbounded.
Introduction
Shamir, Rivest and Adleman [1] have shown how to play a fair “mental poker”
remotely. Mental poker involves two entities: A (i.e. Alice) is the dealer and B (i.e.
Bob) is the player. Since mental poker is played remotely by A and B like ordinary poker
without cards, all exchanges between A and B are accomplished by exchanging
messages. For example, the 52 cards can be represented by the following messages:
$m_1, m_2, \ldots, m_{52}$. The challenging problem in mental poker is how to fairly
distribute these 52 messages to both entities. We can summarize the security requirements below:
a. Each entity should know the cards in its own hand but not the other's.
b. All hands must be disjoint.
c. All possible hands should be equally likely for each entity.
d. Each entity should be able to check whether the game has been played fairly and
honestly.
Due to the commutative property of modular exponentiation, mental poker can be
realized with an exponentiation cipher, such as the Pohlig-Hellman scheme [2]. Later,
Lipton [3] showed that it is possible to cheat using the previous scheme and also
showed how to modify the scheme to fix the problem.
Since mental poker involves two entities and cryptographic technology is
applied in exchanging messages back and forth, it is easy to see that at least one of
the two entities should be computationally bounded. In other words, if both entities have
infinite (i.e. unbounded) computational power, the cryptographic solution will lose its
security. This observation can also be found in most commitment schemes [4, 5]. Most
string commitment protocols assume that the sender of the commitment is
computationally bounded; but the receiver of the commitment may have unlimited
computational power.
The solution proposed in reference [1] utilizes an encryption scheme to protect
messages and it assumes that both entities are computationally bounded. In this letter, we
want to show how to modify the solution to be a bounded-to-unbounded poker game.
Under this arrangement, the secret of the cards of the players can be unconditionally
protected from the dealer. However, we still assume that the player is computationally
bounded. Our solution can be applied to all Web-based card games, such as Blackjack,
poker, etc. We believe that our solution provides better fairness for players. Usually,
the dealer is the organizer of the game who is also responsible for establishing the rules
and selecting cryptographic technology, such as cryptographic algorithms and security
parameters. A 512-bit discrete logarithm problem may sound infeasible to solve for
players with limited computational power; however, it may be computationally feasible
to solve for the dealer with larger computational power. Our bounded-to-unbounded
solution can provide protection for the player’s cards even if the dealer has unlimited
computational power. In other words, players no longer need to worry about the
computational power of the dealer in joining any Web-based card game.
Bounded-to-Unbounded Poker Game
Setup Phase
The dealer A first chooses a large public prime p, where p=2q+1 and q is also a
prime, and a primitive element  of GF(p). Then the dealer picks a set of 52 odd secret
integers, S = {s1, s2, ...,s52}, where 1 < si < p-1 and si  q. Let T = {mi,| mi =  si mod p, i
= 1 to 52}. This is the set of public messages that correspond to 52 cards.
Distributing Cards
1. The dealer A picks a pair of secret keys $(e_A, d_A)$ such that $e_A d_A \bmod (p-1) = 1$.
   A then encrypts these 52 messages as $m_i^{e_A} \bmod p$, for $i = 1, 2, \ldots, 52$.
   A randomly shuffles the encrypted deck and sends it to the player B.
2. B randomly selects 5 encrypted messages, $c_1, c_2, \ldots, c_5$, and returns them to A.
3. A deciphers these 5 cards as $c_i^{d_A} \bmod p$, for $i = 1, 2, \ldots, 5$, to determine her hand.
4. B randomly selects 5 more encrypted messages, $c'_1, c'_2, \ldots, c'_5$, where
   $c'_i = {m'_i}^{e_A} \bmod p$. For each encrypted message $c'_i$, B enciphers it with a
   secret key $e_{B_i}$ as $c''_i = (c'_i)^{e_{B_i}} \bmod p$, where $e_{B_i} d_{B_i} \bmod (p-1) = 1$.
   He then sends these doubly encrypted messages to A.
5. A deciphers each received $c''_i$ with her secret key $d_A$ as
   $(c''_i)^{d_A} \bmod p = (({m'_i}^{e_A})^{e_{B_i}})^{d_A} \bmod p = {m'_i}^{e_{B_i}} \bmod p$.
   She sends these encrypted messages to B.
6. For each received message ${m'_i}^{e_{B_i}} \bmod p$, B then uses the corresponding secret key
   $d_{B_i}$ to compute $({m'_i}^{e_{B_i}})^{d_{B_i}} \bmod p = m'_i$. Thus, B can determine his hand.
7. In case either party needs additional cards during the same game, the above procedure
   can be repeated.
8. At the end of the game, both parties reveal their secret keys to prove that they did
   not cheat.
Security Analysis
We need the following Lemma for our analysis.
Lemma 1.
Let  be a primitive element of GF(p). Then the set , where  = {2i+1| q > i  0, 2i +
1  q}, consists of all primitive elements of GF(p) and all quadratic nonresidue modulo p
except for –1 = q.
The confidentiality of A’s hand is protected from B based on the difficulty
of solving the discrete logarithm problem. In step 2, B randomly selects 5 encrypted
messages, $c_1, c_2, \ldots, c_5$, to determine A’s hand. Without knowing the secret key $e_A$, B
needs to solve the discrete logarithm of these encrypted messages in order to compute
the corresponding messages of A’s hand.
The confidentiality of B’s hand is protected from A with no computational
assumption. In step 5, after deciphering the doubly encrypted message $c''_i$ with the secret
key $d_A$, A is able to obtain ${m'_i}^{e_{B_i}} \bmod p$, where $m'_i$ is the corresponding message of B’s
hand. From Lemma 1 we know that all messages $m_i$, for $i = 1$ to 52, corresponding to
52 cards are primitive elements. Furthermore, in step 4, B has chosen a different secret
key $e_{B_i}$ to generate each doubly encrypted message $c''_i$. Thus, without knowing the
secret key $e_{B_i}$, even if A has infinite computational power to solve the discrete logarithm,
A cannot recover the exact messages of B’s hand. This is due to the fact that, for each
given exponential value, there always exists a discrete logarithm solution (i.e. the
exponent) with respect to a primitive base.
Conclusion
In this letter, we have proposed a bounded-to-unbounded Internet poker game.
Using this game, the secret of the cards of the player can be unconditionally protected
from the dealer. However, the secret of the cards of the dealer is still protected from the
player under regular cryptographic assumption. This solution can be applied to all Web-based card games.
Dec. 2, 1999
Lein Harn (Department of Computer Networking, University of Missouri – Kansas City,
Kansas City, MO 64110, USA)
Hung-Yu Lin (Computer Science Department, California State University, San Marcos,
CA 92096-0001, USA)
Guang Gong (Department of Combinatorics & Optimization, University of Waterloo
Waterloo, Ontario N2L 3G1, CANADA)
References
[1] Shamir, A., Rivest, R. L. and Adleman, L. M., “Mental Poker,” in The
Mathematical Gardner, ed. D. Klarner, Prindle, Weber & Schmidt, Boston, Mass.
(1980).
[2] Pohlig, S. and Hellman, M., “An Improved Algorithm for Computing Logarithms
over GF(p) and its Cryptographic Significance,” IEEE Trans. on Info. Theory, Vol.
IT-24(1), pp. 106-110 (Jan. 1978).
[3] Lipton, R. J., “How to Cheat at Mental Poker,” Comp. Sci. Dept., Univ. of Calif.,
Berkeley, Calif. (Aug. 1979).
[4] Halevi, S., “Efficient Commitment with Bounded Sender and Unbounded
Receiver,” in Advances in Cryptology - CRYPTO ’95, pp. 84-96, Lecture Notes in
Computer Science 963, Springer (1995).
[5] Halevi, S. and Micali, S., “Practical and Provably-Secure Commitment Schemes
from Collision-Free Hashing,” in Advances in Cryptology - CRYPTO ’96, pp. 201-215,
Lecture Notes in Computer Science 1109, Springer (1996).