密码算法与协议3_密钥的确认
合集下载
相关主题
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
proofs and secure multi-party computation.
2016/1/8
4
Commitment Scheme
A commitment scheme consists of two protocols, called
commit and reveal ,
between two parties, usually called the sender and the receiver. In many cases, the protocols commit and reveal can be defined in terms of a single algorithm, requiring no interaction between the sender and receiver at all. Such commitment schemes are non-interactive.
Concealing:b不参与其中运算 Binding: 不存在x1(odd),x2(even), x1e = x2emod n
2016/1/8 9
Bit Commitment by Encryption(Example 2)
Let K = (n = pq, p, q primes, m QR(n) ) , (n,m) published To commit a bit b, we could do the following
to write the value on a piece of paper, put it in a box, and lock the box with a padlock. The locked box is then given to the other party, but you keep the key. At a later time, you present the key to the other party who may then open the box, and check its contents.
Party A commits to a random bit value bA R {0, 1} by sending a commitment on bA to party B. Party B then replies by sending a bit value bB R {0, 1} to A. Finally, party A opens the commitment and sends bA to B. Both parties take b = bAbB as the common random bit.
Sender should be bound to X
2016/1/8
8
Bit Commitment by Encryption(Example 1)
Let K = (n = pq, e, d) be an RSA key To commit a bit b, we could do the following
Generating mutually random bits is a basic part of many protocols. Commitments are used as an auxiliary tool in many cryptographic applications, such as zero-knowledge
Chapter 3.
Commitment Schemes
2016/1/8
1
Introduction
The functionality of a commitment scheme is commonly introduced by means of the following analogy. Suppose you need to commit to a certain value, but you don’t want to reveal it right away. For example, the committed value is a sealed bid in some auction scheme. One way to do this is
Commit protocol: To commit to a value x {0, 1}*, the sender computes C = commit(r, x), where r R {0, 1}k, and sends C to the receiver. Reveal protocol: To open commitment C = commit(r, x), the sender sends r and x to the receiver. The receiver computes commit(r, x) and verifies that it is equal to the previously received commitment.
2
2016/1/8
Coin Flipping over the Telephone
An immediate application of commitment schemes is known as “coin flipping over the telephone” or as “coin flipping into a well”. Two parties, say A and B, determine a mutually random bit as follows.
Choose a random x such that
Y=f(b,x)=mbx2 mod n
To open blob(b),
just review b and x, use the encryption to verify: y=f(b,x)=mbx2 mod n Concealing : 如果平方剩余问题不可解,no information on b will be revealed Binding: if not, then exist x1,x2, commit(x1,,1) = commit(x2,,0), mx12=x22 mod n, then m= (x2x1-1)2 (mod n), it is contradiction to the condition.
2016/1/8
3
Application of Commitment
Note that party B sees the commitment of A before choosing its bit bB, so no information on bit bA should leak from the commitment on bA. Similarly, party A could try to influence the value of the resulting bit b (after seeing the bit bB) by opening the commitment on bA as a commitment on 1-bA. Clearly, party A should not be able to “change its mind” in such a way!
In the special case that the committed value is a bit, that is, x {0, 1}, one speaks of a bit commitment scheme.
2016/1/8 11
Security Requirements
The security requirements for a bit commitment scheme are the following. The commitment must be binding, i.e.,
for any adversary A, the probability of generating r, r’ {0, 1}k satisfying commit(r, 0) = commit(r’, 1) should be negligible (as a function of k). the distributions induced by commit(r, 0) and commit(r, 1) (with r R {0, 1}k) are indistinguishable.
2016Biblioteka Baidu1/8 6
Bit Commitment: Locking a Bit in a Secure Box
f: {0,1} X Y is bit commitment scheme if for a randomly chosen x from X
Concealing: for a bit b {0,1}, Verifier(Receiver) cannot determine the value b from f (b,x), the blob Binding: Prover(Sender) can later open the blob by revealing the value of x. The Prover should not be able to open the blob as both 0 or 1
Furthermore, the commitment must be hiding, i.e.,
Choose a random x such that x is even if b = 0 x is odd if b = 1 Let blob(b) = xe mod n
To open blob(b),
just review x, use the encryption to check!
2016/1/8
5
Commitment Protocol
Commit Phase
Sender
X
Receiver
Sender is bound to X Reveal Phase
Sender
X
Receiver
Receiver can verify X was the value in the box
2016/1/8
10
Definition
Let commit : {0, 1}k × {0, 1}* {0, 1}* be a deterministic polynomial time algorithm, where k is a security parameter. A (noninteractive) commitment scheme consists of two protocols between a sender and a receiver:
If at least one of the parties is honest, the resulting bit b is distributed uniformly at random, assuming that A and B cannot cheat when revealing their bits.
2016/1/8
7
Following Commit Phase
Receiver should not have gained any information about X
Information theoretic? Computationally? No two different and valid openings exist It is computationally infeasible to find two different valid openings
2016/1/8
4
Commitment Scheme
A commitment scheme consists of two protocols, called
commit and reveal ,
between two parties, usually called the sender and the receiver. In many cases, the protocols commit and reveal can be defined in terms of a single algorithm, requiring no interaction between the sender and receiver at all. Such commitment schemes are non-interactive.
Concealing:b不参与其中运算 Binding: 不存在x1(odd),x2(even), x1e = x2emod n
2016/1/8 9
Bit Commitment by Encryption(Example 2)
Let K = (n = pq, p, q primes, m QR(n) ) , (n,m) published To commit a bit b, we could do the following
to write the value on a piece of paper, put it in a box, and lock the box with a padlock. The locked box is then given to the other party, but you keep the key. At a later time, you present the key to the other party who may then open the box, and check its contents.
Party A commits to a random bit value bA R {0, 1} by sending a commitment on bA to party B. Party B then replies by sending a bit value bB R {0, 1} to A. Finally, party A opens the commitment and sends bA to B. Both parties take b = bAbB as the common random bit.
Sender should be bound to X
2016/1/8
8
Bit Commitment by Encryption(Example 1)
Let K = (n = pq, e, d) be an RSA key To commit a bit b, we could do the following
Generating mutually random bits is a basic part of many protocols. Commitments are used as an auxiliary tool in many cryptographic applications, such as zero-knowledge
Chapter 3.
Commitment Schemes
2016/1/8
1
Introduction
The functionality of a commitment scheme is commonly introduced by means of the following analogy. Suppose you need to commit to a certain value, but you don’t want to reveal it right away. For example, the committed value is a sealed bid in some auction scheme. One way to do this is
Commit protocol: To commit to a value x {0, 1}*, the sender computes C = commit(r, x), where r R {0, 1}k, and sends C to the receiver. Reveal protocol: To open commitment C = commit(r, x), the sender sends r and x to the receiver. The receiver computes commit(r, x) and verifies that it is equal to the previously received commitment.
2
2016/1/8
Coin Flipping over the Telephone
An immediate application of commitment schemes is known as “coin flipping over the telephone” or as “coin flipping into a well”. Two parties, say A and B, determine a mutually random bit as follows.
Choose a random x such that
Y=f(b,x)=mbx2 mod n
To open blob(b),
just review b and x, use the encryption to verify: y=f(b,x)=mbx2 mod n Concealing : 如果平方剩余问题不可解,no information on b will be revealed Binding: if not, then exist x1,x2, commit(x1,,1) = commit(x2,,0), mx12=x22 mod n, then m= (x2x1-1)2 (mod n), it is contradiction to the condition.
2016/1/8
3
Application of Commitment
Note that party B sees the commitment of A before choosing its bit bB, so no information on bit bA should leak from the commitment on bA. Similarly, party A could try to influence the value of the resulting bit b (after seeing the bit bB) by opening the commitment on bA as a commitment on 1-bA. Clearly, party A should not be able to “change its mind” in such a way!
In the special case that the committed value is a bit, that is, x {0, 1}, one speaks of a bit commitment scheme.
2016/1/8 11
Security Requirements
The security requirements for a bit commitment scheme are the following. The commitment must be binding, i.e.,
for any adversary A, the probability of generating r, r’ {0, 1}k satisfying commit(r, 0) = commit(r’, 1) should be negligible (as a function of k). the distributions induced by commit(r, 0) and commit(r, 1) (with r R {0, 1}k) are indistinguishable.
2016Biblioteka Baidu1/8 6
Bit Commitment: Locking a Bit in a Secure Box
f: {0,1} X Y is bit commitment scheme if for a randomly chosen x from X
Concealing: for a bit b {0,1}, Verifier(Receiver) cannot determine the value b from f (b,x), the blob Binding: Prover(Sender) can later open the blob by revealing the value of x. The Prover should not be able to open the blob as both 0 or 1
Furthermore, the commitment must be hiding, i.e.,
Choose a random x such that x is even if b = 0 x is odd if b = 1 Let blob(b) = xe mod n
To open blob(b),
just review x, use the encryption to check!
2016/1/8
5
Commitment Protocol
Commit Phase
Sender
X
Receiver
Sender is bound to X Reveal Phase
Sender
X
Receiver
Receiver can verify X was the value in the box
2016/1/8
10
Definition
Let commit : {0, 1}k × {0, 1}* {0, 1}* be a deterministic polynomial time algorithm, where k is a security parameter. A (noninteractive) commitment scheme consists of two protocols between a sender and a receiver:
If at least one of the parties is honest, the resulting bit b is distributed uniformly at random, assuming that A and B cannot cheat when revealing their bits.
2016/1/8
7
Following Commit Phase
Receiver should not have gained any information about X
Information theoretic? Computationally? No two different and valid openings exist It is computationally infeasible to find two different valid openings