Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Partial Information
Shaft Goldwasser * and Silvio Micali ** Computer Science Department University of California - Berkeley
I. Introduction We would like to point out two basic weaknesses of this approach: This paper proposes an Encryption Scheme 1) The fact that f is a trapdoor function does that possess the following property: not rule out the possibility of computing x An adversary, who knows the encryption from ff (x) when x is of a special form. algorithm and is given the cyphertext, can- Usually messages do not consist of numbers not obtain any information about the clear- chosen at random but possess more struc- text. ture. Such structural information may help Any implementation of a Public Key Cryptosys- in decoding. For example, a function f, tem, as proposed by Diffie and Hellman in [8], which is hard to invert on a generic input, should possess this property. could conceivably be easy to invert on the ASCII representations of English sentences. Our Encryption Scheme follows the ideas in 2) The fact that f is a trapdoor function does the number theoretic implementations of a not rule out the possibility of easily com- Public Key Cryptosystem due to Rivest, Shamir puting some partial information about z and Adleman [13], and Rabin [12]. (even every other bit of x) from f (z). The danger in the case that z is the ASCII Security is based on Complexity Theory and representation of an English sentence is the intractability of some problems in number self evident. Encrypting messages in a way theory such as factoring, index finding and that ensures the secrecy of all partial infor- deciding whether numbers are quadratic resi- mation is an extremely important goal in dues with respect to composite mvduli is Cryptography. The importance of this point assumed. In this context, impossibility means of view is particularly apparent if we want computational infeasibility and proving that a to use encryption to play card games over problem is hard means to show it equivalent to the telephone. If the suit or color of a card one of the above mentioned problems. could be compromised the whole game could be invalid. The key idea in both the RSA scheme and the Rabin scheme is the selection of an Though no one knows how to break the RSA or appropriate trapdoor function; an easy to the Rabin scheme, in none of these schemes is evaluate function f such that x is not easily it proved that decoding is hard without any computable from f(x), unless some extra assumptions made on the message space. Rabin information is known. To encrypt a message shows that, in his scheme, decoding is hard for m, one simply evaluates f (m). an adversary if the set of possible messages has some density property.
The novelty of our contribution consists of
Thin research was supported by * NSF Grant MCS-79-037667 1. The notion of Trapdoor Functions is ** fellowship from Consiglio Nazionale delle Ricerche - replaced by Probabilistic Encryption. To Italy and in part by NSF Grant MCS-79-037667 encrypt each message we make use of a fair coin. The encoding of each message will depend on the message plus the result of a Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct sequence of coin tosses. Consequently, commercial advantage, the ACM copyright notice and the title of the there are many possible encodings for each publication and its date appear, and notice is given that copying is by message, llowever, messages are always permission of the Association for Computing Machinery. To copy uniquely decodable.~ otherwise, or to republish, requires a fee and/or specific permission. IProbabilistic Encryption is completely different from the technique of apl~eDcling random bits to a message as © 1982 ACM0-89791-067-2/82/005/0365 $00.75 suggested in U?.] and [16].
365 2. Decoding is easy for the legal receiver of a ingenious paper [8]. Let M be a finite message message, but provably hard for an adver- space, A, B,... be users, and let m e M denote a sary. Therefore the spirit of a trapdoor message. Let EA:M~M be A's encryption func- function is maintained. In addition, in our tion, which is ideally bijective, and D A be A's scheme, without imposing any restrictions decryption function such that DA(EA(m)) = m on the message space, we can prove that for all m e M. In a Public Key Cryptosystem E A decoding is equivalent to deciding qua- is placed in a public file, and user A keeps DA dratic residuosity modulo composite private. D A should be difficult to compute numbers. knowing only E A. To send message m to A, B takes E A from the public file, computes EA(m ) 3. No Partial Information about an encrypted and sends this message to A. A easily computes message could be obtained by an adver- DA(EA(m)) to obtain m. sary. Assume that the message space has an associated probability distribution and that, with respect to this distribution, an 2.2 The RSA scheme and the Rabin scheme easy to compute predicate P (such as "the The two implementations of a Public Key exclusive or of all the bits in the message is Cryptosystem most relevant and inspiring for 1") has probability p to be true. Let p ~ .5 this paper are the RSA scheme [13], due to without any loss of generality. Then, Rivest, Shamir and Adleman, and its particular- without any special ability, an adversary, ization suggested by Rabin [ 12]. given the cyphertext~ can always guess that P is true for the cleartext, and be The key idea in both the RSA scheme and correct with probabilityp. the Rabin scheme consists in the selection of an appropriate number theoretic trapdoor Based on the assumption that deciding qua- function. In the RSA scheme, user A selects/,~, dratic residuosity modulo composite the product of two large primes p I and p 2 and a numbers is hard, we prove that an adver- number s such that s and 9(N) are relatively sary cannot guess correctly with probabil- prime , where ~ is the Euler totient function. A ity p+e,from the cyphertext, whether the puts N and s in a public file and keeps the fac- cleartext satisfies the predicate P, where e torization of N private. Let ZN'= ~ z I is a non negligible positive real number. i ~ z ~ N-i and z and N are relatively primel. For every message m eZN', EA(rn)=m s mod Probabilistic Encryption has been useful for the N. Clearly, the ability to take s th roots rood N solution of Mental Poker. The problem whether implies the ability to decode. A, who knows the it is possible to play a "fair" game of Mental factorization of N, can easily take s th roots mod Poker has been raised by Robert Floyd. N. No efficient way to take sth roots rood Nis Shamir, Rivest and Adleman proposed an known when the factorlzation of N is unknown. elegant solution to this problem in [14] using commutative encryption functions, but they About the RSA scheme aabin remarks that, could not prove that partial information could for all we know, inverting the function z ~ rood not be compromised using their scheme. N may be a hard problem in general, and yet Indeed, several problems in the implementa- easy for a large percentage of the z's. tion of their scheme have been pointed out by He suggests to modify the RSA scheme by Lipton in [ 10]. choosing s=2. Thus, for all users A, EA(Z ) = z 2 rood N. Notice that E A is a 4-1 function because We present a solution for Mental Poker, for our N is the product of two primes. In fact, which we can prove, based on the assumption every quadratic residue rood N, i.e every q that factoring and deciding quadratic such that q~z 2 mod N for some z eZN', has residuosity modulo composite numbers is hard, four square roots mod N: ±z mod N and ±y that not a single bit of information about a card rood N. As A knows the factorization of N, upon which should remain hidden can be discovered. receiving the encrypted message m 2 mod N, he Our solution does not use commutative encryp- could compute its four square roots and get the tion functions. message rn. The ambiguity in decoding could be eliminated, for example, by sending the first 2. The ,Security of a Public Key Cryptosystem. 20 digits of rn in addition to m 2 rood N. Such All the number theoretic notation used in extra information cannot effectively help in this section will be defined in section 3.1. decoding: we could always guess the first 20 digits of m. 2.1 What is a Public Key Cryptosystem? The following theorem shows how hard is it The concept of a Public Key Cryptosystem to invert Rabin's function z 2 mod N. was introduced by Diffie and Hellman in their Theorem (Rabin): If for i~ of the q's quadratic
366 residues mod N one could find one square root in ZN*, the ability to decode 1% of all messages of q, then one could factor N in Random Poly- does not yield a random polynomial time algo- nomial Time. rithm for factoring. The theorem follows from the following By "sparse" we mean that for a randomly lemma that we state without proof. chosen x E ZN', the probability that x is a mes- Lemma 1: Given z, yEZN ° such that x 2=y2 sage is virtually 0. rood N and x ~ :i:y mod N, there is apolyno- Let f (x) = z 2 modN. Assume that we are mial time algorithm to factor N. (In fact the able to invert the function f only on f(M). greatest common divisor of N and x :i=y is a fac- Then we would have a magic box MB which, fed tor of N). m 2 rood N, would output m whenever m EM; Informal proof of Rabin's theorem: Assume and fed q, outputs nothing whenever that we have a magic box B such that given q, a qe~m2modNImEMI, except, at most, for a quadratic residue rood N, for 1% of the q's it negligible portion of the q's. With the use of outputs one square root of q rood N. Then we such a magic box we could decode, but not fac- could factor N by iterating the following step: tor N efficiently. Using such MB, let us look at Pick i at random in Z N~ and compute q =i ~ the above informal proof of Rabin's theorem. If mod N. Feed the magic boxB withq. If M we pick rneM and feed m z rood N into MB, outputs a square root of q different from i then we get back m and we cannot factor. If or -i mod N, then (by the above lemma) we pick .ieM and feed i2 mod N to MB, then the factor N. probability that one square root of i2 mod N The expected number of iterations is low, as at different from i, belongs to // is practically 0 each step, we have a 0.SYo chances to factor N. and we get no answer.
2.3 Objections to Cryptosystems based on 2.5 Discussion of Objection 2 Trapdoor Functions We would like to define a Public Key Cryp- tosystem to be secure if an adversary, given Covering ones face with a handkerchief cer- the cyphertext, cannot obtain any partial infor- tainly helps to hide personal identity. However: mation about the cleartext. This latter notion needs to be formalized: 1) It will not hide from me the identity of a special subset of people: my mother, my Let P be any easy to evaluate, non con- sister, close friends. stant, boolean predicate defined on the message space M. Let m eM. If, given the 2) I can gather a lot of information about the encryption of m, an adversary can people I cannot identify: their height, their efficiently compute the value of P(m), hair color and so on. then partial information about m can be Essentially, the same kind of problems may obtained from the encryption of m arise in the RSA scheme and in the Rabin Notice that, according to the above definition, scheme and, more generally, in any other Pub- no Public Key Cryptosystem based on trapdoor lic Key Cryptosystem based on Trapdoor Func- functions is secure. In fact, if E A is a trapdoor tions: function, the following predicate P, defined on 1) The fact that f is a Trapdoor Function does the cleartext, is easy to evaluate from the not rule out the possibility of computing x cyphertext: P(x) is true if and only if E4(x) is from f(x) when x is of special form. even. We can avoid such problems using Proba- bitistic Encryption. 2) The fact that f is trapdoor function does not We know that some decision problems may rule out the possibility of easily computing be hard to solve for particular inputs, but easy some partial information about x from f(x). to solve for most of the inputs. In view of the special purpose of Cryptography, the require- 2.4 Discussion of Objection 1 ment that obtaining partial information should One may argue that Rabin's Public Key be difficult needs to be strengthened. tryptosystem is as hard to break as factoring Assume that the message space has an in the following way; whoever can2getm a mes- associated probability distribution and that, sages m from their encryptions mod N 1P~ with respect to this distribution, a predicate P of the time, is actually realizing the magic box has a probability p to be true. Without loss of of Rabin's theorem and thus could efficiently generality, letp ~ 0.5. factor n. Definition: An adversary has an e advantage We would like to point out the following in evaluating the predicate P, if he can fact. correctly guess the value of P relative to the Claim: If M, the set of messages, is "sparse" cleartext with probability greater than p +e.
367 We are now able to restate the previous Summarizing: There are many ways in partial information definition. which a single bit could be "embedded" in a binary number x. Taking the "exclusive or" of Definition: A Public Key Cryptosystem is e all the digits of x is just one more example. secure if an adversary does not have an e However, given y =EA(x ), being able to discover advantage in evaluating, given the cyphertext, some particular bits embedded in x DOES NOT any easy to compute predicate relative to the CONTRADICT the fact that it is hard to compute cleartext. x. Then, what is a secure way to send a single Based on the assumption that deciding qua- bit ? The answer to this problem is discussed in dratic residuosity modulo composite numbers the next section. is hard, we introduce an e-secure Public Key Cryptosystem, for every non negligible, posi- 3. DECIDING QUDRATIC RESIDUOSITY IS HARD tive, real number e. Let us first deal with the ON THE AVERAGE question of sending securely a single bit in a The symbol (x,N) will denote the greatest Public Key Cryptosystern. This question, common divisor of x and N. We use Pr(X) to closely related to the security of Partial Infor- denote the probability of the event X. We let mation, has been raised by Brassard in [~-]. ZN*= ~ z [ i ~X ~N-I and (z,N)=l~. 2.6 Attempts to Send a Single Bit Securely in 3. I Background and Notation Public Key Cryptosystems based on TrapDoor Functions Given qeZ~v*, is q~-x 2 modN solvable ?If N is prime, then the answer to this question is Suppose that user B wants to send a single easily computed. If a solution exists, q is said bit message to user A in great secrecy. The bit to be a quadratic residue rood N. Otherwise q is is equally likely to be a 0 or a 1. B wants no said to be a quadratic non-residue rood N. adversary to have a 1~o advantage in guessing From now on let P, and P2 be odd, distinct correctly his message. B knows that E A is hard primes and N =PlP2. Then, q~x 2 rood N is to invert and tries to make use of this fact in solvable if and only if both q=-x2 rood Pl and the following way. q ~-z 2 mod P2 are solvable. If this is the case, q Idea i: All users in the system agree on an is said to be a quadratic residue rood N, other- integer i. User B selects reM at random, wise q is said to be a quadratic non-residue except for the ith bit of T, which will be his rood N. We will call the problem of determining message. B sends E4(r ) to A. • whether an element q e ZN* is a quadratic resi- A can decode and thus get the desired bit. But due, the quadratic residuosity problem. what can an adversary do ? Let p be an odd prime and q e Zp*, then the Danger: let y = EA(x ), where E A is a one Jacobi symbol (q/p) equals i if q is a quadratic way function. Then, given y, it could be residue rood p and -I otherwise. The Jacobi difficult to compute x but not a specific bit of x. symbol (q/N), is defined as (q/N) = Example: let p be a large prime such that (q/pl)(q/P2). Despite the fact that the Jacobi p-i has at least one large prime factor. Let g symbol (q/N) is defined through the factoriza- be a generator for Zp*. Then ll-=gz mod p is a tion of N, (q/N) is computable in polynomial well known one-way function. But, even though time even when the factorization of N is not it is difficult to compute x from gS mod p (the known ! index finding problem), it is easy to get the last ]t is easy to see, from the above definitions bit of x. In fact, x ends in 0 if and only if y is a that if (q/N) = -i then q must be a quadratic quadratic residue mod p, For p prime we have non-residue rood N. In fact, q must be a qua- fast random polynomial time algorithms to test dratic non-residue either rood Pl or rood P2. quadratic residuosity, see [ i0]. However, if (q/N)=+l, then either q is a qua- dratic residue rood N or q is a quadratic non- The following idea was suggested by Donald residue for both the prime factors of N. Johnson. Let us count how many of the q 's, such that Idea 2: B selects 8 ~ i ~ 100 at random, and (q/N) = 1, are actually quadratic residues. sets the ith bit of x to the bit he wants to Theorem: Let p be an odd prime. Then Zp" communicate. The remaining 93 bits of x are is a cyclic group. chosen at random, except for the first 7 bits of x, which specify location i. B sends EA(x ) to A. Theorem: Let 9 be a generator for Z~*, then gt rood p is a quadratic residue if and Danger: If, given EA(x), we can easily com- only if s is even. pute the first 7 bits of x and one of the last 93 bits of x, then we could guess B's message with Corollary: Half of the numbers in Z~" are a 1/98 advantage. quadratic residues and half are quadratic non- residues.
368 Theorem: Let N =.PIP2 where Ps and P2 are negligible numbers. Suppose we could guess, distinct odd primes. Then half of the numbers with an c advantage whether q, drawn at ran- in Z N" have Jacobi symbol equal to -1 and thus dom from AN', is a quadratic residue rood N. are quadratic non-residues. The Jacobi symbol Then we could decide quadratic residuosity of of the rest of the numbers is 1. Exactly half of any integer rood N with probability i- ~ by these latter ones are quadratic residues. means of a polynomial in INI, c -I and (5-I time 3.2 A Difficult Problem in Number Theory. probabilistic algorithm. If the factorization of N is not known and Proof: Assume, to the contrary, that we have a (q/N) =1, then there is no known procedure for polynomial time magic box MB which guesses deciding whether q is a quadratic residue mod correctly whether q EA N• is a quadratic resi- 1 N. This decision problem is well known to be due mod N, for ~-+c of the elements of AN'. hard in Number Theory. It is one of the main four algorithmic problems discussed by Gauss Let, a = Pr(MB answers "q is a quadratic residue" I q in his "Disquisitiones Arithmeticae" (1801). A polynomial solution for it would imply a polyno- is a quadratic residue rood n) mial solution to other open problems in fl = Pr(MB answers "q is a quadratic residue" I Number Theory, such as deciding whether a q is a quadratic non-residue rood N, q e AN *). composite n, whose factorization is not known, The fraction of A N on which MB is correct is the product of 2 or 3 primes, see open prob- equals ~-~+ 1-fi). In order for MB to have a c lems 9 and I5 in Adleman [3]. Recently, Adleman[ 1] showed that a generaliza- advantage, it must be that c~ - B ~ 2e. How- 1 tion of quadratic residuosity is equivalent to ever, a need not be equal to c+~ We will now factoring. Using this generalized notion in our show how to get a good estimate for a. protocol, we could base the security of our cryptosystem on factoring. At present, we Construct a sample of k quadratic residues await the final version of Adelman's paper. chosen at random in ZN ° (the value of k will be defined later on). This can be easily done by Assumption: Let 0 369 Initialize two counters R" and NR" to O. Feed in Theorem 1. Also pick Yl ..... Y20 at ran- the sample }Yi] into MB. Increment R' every dom from A N'. Again, with very high proba- time that MB answers "quadratic residue", and bility, at least one of the y~'s will be a NR" every time that MB answers "quadratic quadratic non-residue. Now, construct non-residue". We know, that if q is a quadratic samples Ht=~y~s Is e S], and feed them residue, then the into MB~. pr([ R" R 5 2 k k I ~2"~)m (1-~-) , and if q is a a) If MB z performs on all the Hi's as it per- formed on S, then go to the next element in T. quadratic non-residue then Halt if all elements in T have been used. R" R ~)z Pr(l --~ .~-I~2~) 370 Testing whether q E A~ is a quadratic residue Definition: The distance between a and b is mod N, when the factorization of N is known, is defined to be the number of positions in which easy by the following lemma. a and b differ. We say that a and b are adja- ].,emma 2: If the factorization of N is known, we cent if the distance between them is 1. can test whether there exists an x such that q ~x 2 mod N in polynomial time. For any decision function d and n-signature l, Proof: q is a quadratic residue mod N if and let Pd(l):lO,11 n ~ [0,1] be defined as only if q is a quadratic residue mod p 1 AND P2. Pa(l) = Pr ( d(x)=l ] ~N(2~) = l forx eSN n) For a prime p, q is a quadratic residue rood p if and only if q(p-1)/2 = 1 mod p. Thus, to 1 test whether q is a quadratic residue mod N we Theorem 3: Let 0 371 dratic residuosity of any integer nod N with q is a quadratic residue and all quadratic non- probability 1-6 by means of a polynomial ( in residues in A~, otherwise. INI, e-l, and 6 -1) time probabilistic algorithm. In theorem 2 we showed that knowing a non-residue in A~ does not help in deciding quadratic residuosity. Therefore we can Let us introduce some more notation. Let, assume that such a non-residue, h, is known. M n = [rnl,m2 ..... I be the set of messages This allows us to pick quadratic non-residues at whose length is ~%, where r~ is bounded by a random from A~, (by computing hz~). polynomial function in IN I. Set k = IM~ I. Let M~ be the set of all possible encodings of mes- We are now ready to decide whether q is a sage m ieM ~, using the scheme described at quadratic residue. the beginning of this section. Clearly, M~ c SN ~ (* Construct a random sample of ~¢ elements and for all i and j, IMil = IMjl. Set X =IM~I. (y~.~ ..... y,,,~) ..... (y~,~ ..... y~,,~) • Sg" such that for all 4.1 The Security of Partial Information 1 ~ i ~ ~%, i # r, 1 ~ j ~/c, fiN (Yj,~) = S~, and In the present version of the paper, we for all 1 ~ j ~ ~, y~.,r=y~. *) assume that all messages in M ~ are equally likely. Let P be an easy to evaluate predicate, For i = 1 ..... r-l, r+l .... ~ do defined on M ". Let p be the probability that begin P(z) is true for arandom z•M '~. Since M n is For j = 1 ..... ~ do uniformly distributed, and I Mn[ = k, P must draw z • A~ at random. evaluate to 1 on p~: messages in M n. if st = 1 theny~,~ := x ~modN Let MB be a magic box that receives as else if s~ =0 theny3,i := hz amodN input the cyphertext E(m) •SN '~, where end. m •M n, and outputs 0 or 1, its guess for the (* Evaluate the decision function d on each value of P(m). Let 0j be the number of 0's and member of the sample *) let ly be the number of l's that MB guesses on encodings of my. Clearly, 0j + lj = X. Let For j = 1..... /¢ do x~ = d(U~,~ ..... V~,,.-~,Y~, Y~,,.+~ ..... ~y,,~ ) lj ifP(mj) = 1 Notice that the entire sample q= 0j ifP(m~.) 0. either a subset of Os or a subset of fit. Thus C/ represents the number of encodings of mes- with probability greater than 1-6 one of the fol- sage m t on which MB correctly guesses the lowing two mutually exclusive eyents will occur: value of P(my). . .t(x~+...+x~) a/< - | Theorem 5: Let 0<6 < 1 be a non negligible real number If =S1 p for some non- or 1 negligible real e > 0, then we could decide qua- # < . (~) I(XI+'''+Xk) I 2n£ dratic residuosity of any integer mod N with If case (1) occurs, we conclude, with probability probability 1-6 by means of a polynomial in greater than 1-6, that q is a quadratic residue. INI, e-l, and 6 -1 time probabilistic algorithm. Otherwise, we conclude, again with probability Proof: Let us partition M n into 10/e buckets, 10/ greater than 1-6 that q is a quadratic non- MrS= U B~, such that m e B~ if and only if residue. i=l The notion of a decision function is immedi- (i-1) e ~ lm < i ---~---- We show that there ately generalized to that of a discriminating I0 X I0" function. This is a decision function which can exist two non-adjacent buckets, each contain- take on more than 2 values. For any non empty ing a non-negligible portion of the messages. More formally, we show there exist g,h where set fl, let D:SN"-~. Let a eft, then PD.a(I) = Pr(D(x) = a [ ~N(Z) = l for x • SNn). l 372 3) There are exactly two adjacent big buckets: Theorem 6: Let 0<5< 1 be a non negligible B~ and B¢_~ k r~,~ 1 Note that case 1 can never be true; otherwise real number. If ~ k- x > e + ~--for some i=l 10e-* 1 = E I B{I ~ < k In case 2, E Cj is non-negligible e < 1-~-, then we can decide i=1 lOI :-I " rn: e Bi quadratic residuosity rood N with probability maximum for i = 10' and if all messages m~ 1-5 by means of a polynomial in INI, e-1 and for which P(mj) = 1 belong to B ~._2 i.e when MB 6 -2 time probabilistic algorithm. 10 Proof: Say that a message m~ is well decoded if guesses 1 for all the encodings of all the mes- 1 riA>(~-v)X. Let, W be the set of well-decoded sages for which the predicate is true. messages and W' = M n - W. / Thus, p+~_!__ ~ Ci k X m~ ~ M" Claim 1." There exist at least ~--well-decoded messages. = i ( ~ C3+ E Cj)~p+ ~ i=l ~,eW ~EW' In case 3, E Cj.+ E Cj is maximum when 1 1 1 rnj E B~ m~ e B~_, -< xl Wl+(k-l WllE~x=X [(z-Ecll W l+k~-~) ] i = -~-and all the messages for which P is true belong to BA.._ and all the messages for which P Hence, ]W] > ~/3 e (claim 1) [~ 10 (i - ~/2) > E is false belong to BA 10 -1 Clearly, if we pick messages at random Thus, p+e~ i ~ Ci = from M n, we expect to find a well-decoded mes- k X ral e M" sage in 2v -1 trials. Let QcW such that [QI>2e -landletp > 1 1 {(m~ C'+ ~ C1) + ~ C1 } Ee-l(2v-l+ 1) ' Ic X B~ mi e B~-1 rnt e B, , k ~, ~ + l Claim 2." There exists two well-decoded mes- i {[p]cx+(l_p)~lO-llcx]+kxclO_I } sages mi, m I eQ such that Ir~,~I-~---- r,,~~ "lI > p proof: Fix m IeD. How many messages m i e kX+3~lO-'kX ) In all three cases we reach a contradiction. most 1 <2e-1+1 such messages. Thus Thus there exist two non adjacent ~uckets (~-~:-p) Bg and B h each containing at least ~10 k mes- there exists an m~ e Q that satisfies the claim. sages. By sampling, we can find, in a small (claim 2) expected time, two messages u and v in Bg Let us transform MB into a discriminating and B h , respectively. We view MB as a decision function D:SNn~Mnu~71. If x eSNn and MB, on function D:SN n -~[0,1]. Then, input x, outputsmj, then set D(x)=mj. Ify is PD(u)--PD(v) > -~-and theorem 3 applies. not the encoding of any message, then one of 3 cases must occur: Next, we will see that an adversary cannot 1) MB outputs m r for !_ 373 Theorem 6 shows that inverting the func- won (or lost), he lets A come closer and look tion E on the encrypted messages is as hard as into the well. deciding quadratic residuosity, independently Essentially, if we can simulate a flip in the of the sparsity of M". well by exchanging messages over the telephone, A can send a random bit to B, where A does not know what he sent, but B can, if 5. MENTAL POKER necessary, prove to A what the bit was. This is Mental Poker is played like regular poker especially applicable to cryptographical games. except that there are no cards and no deck The notion of coin flipping in the well has The game is played over the telephone lines, oI been introduced by Blum and Micali in [5], in over a computer network. Since we cannot which, based on the assumption that index send physical cards over the phone lines, deal- finding is hard, they show how to flip a coin in ing and playing must be simulated by exchang- the well over the telephone lines. Another ing messages between the players. The players method based on the assumption that factori- do not trust each other more than ordinary zation is hard has been found by Blum in [4]. players do. A fair game on the telephone We sketch a third method, based on the should ensure that: difficulty of distinguishing quadratic residues 1) Neither player can have any partial infor- from non-residues with respect to composite mation about the cards in his opponent's moduli. hand or in the deck, A and B want to flip a coin. A generates two 2) There is no overlap in the cards dealt to large odd primes at random, P and Q and players, sets N=p*Q. A publicizes N and y EAN* 3) All possible hands are equally probable for such that y is a quadratic non-residue mod both players. N. A picks a number q at random from 4) At the end of the game each player can ver- AN* and asks B, who does not know the fae- ify that the game was played according to torization of N, whether q is a quadratic the rules and no cheating occurred. residue rood N or not. B tells A what his guess his. A now knows whether B won Note that in a fair game of Mental Poker it (lost), and can later prove to B that he is not enough to show that it is computationally indeed won(lost) by releasing the factoriza- difficult to get the exact value of a card. We lion of N. must also show that no partial information about the card can fall into the hands of an To avoid adding new assumptions to the adversary. ones that we already have, we propose to use We present a protocol for two people to play one of these latter two coin flipping methods in a fair game of Mental Poker, using eneryption. our protocol for Mental Poker. We prove that there is no way a player can get The next section will list some known any information about cards not in his hand results that will be used in the proof of the pro- under the assumption that deciding quadratic tocol. residuosity is hard. There are two main tools used in our imple- 5.2 Useful Results mentation of Mental Poker. One is a method Let p 1, P2 be odd primes and N = p 1P2. for coin-flipping over the telephone[5] and the other is the method for sending a single bit ].,emma 3: If the factorization of N is known, we securely in a Public Key Cryptosystem can find qeZ N" such that (q/N) =i and qis a presented here. quadratic non-residue, in random polynomial A different solution to the problem of Men- time. tal Poker has been obtained independently by Proof: Pick aeZpl such that (a/Pl)=-l. Manuel Blum in [6]. His solution is based on the This can be done in 2 expected trials. Similarly, assumption that factoring is hard and that pick beZ;, such that (b/p2)=-l. Using the completely secure one way fui,ctions exist. Chinese Remainder theorem compute the unique q eZ N" such that q ~ a ( mod pl) and 5.1 Background For Coin Flipping q-= b (modp2). Now, q is a quadratic non- To flip cL coin in the welt - A and B stand far residue and (q/ N ) = (q/PlPe ) = apart from each other. B is standing next to a deep well. A throws a coin into the well from a (q/Pl )" (q/P2) = (alp1)" (b/P2)=1. distance. Now, B knows the outcome of the flip ]_,emma 4: Let N =p 1 P 2 such that (by looking into the well) but can not change it, -= P2 -: 3rood 4. For all z, y e ZN °, if and A has no way of knowing the outcome. Px~ y~ rood N and x ~ ±y rood N then (z/N) Later on when B would like to prove to A that he = - (y/g). 374 Proof: Let primes chosen by him as (s 1, tl), (s 2, re), 1 (mod Pl) (s 3, t3) ..... (s52, t52 ) such that s,~-ti-=3 mod 4 c ~ 0 (rood Pc) for 1-< i _< 52, and his 52 composite numbers 1 (rnocl Pc) by M 1 := s 1 ' t 1, M~ := s a " t 2 ..... d ~- O(modpl) M52 := s52 • tfa. He shuffles the deck of cards and assigns M 1..... M52 to the shuffled deck, an We can find c and d through the Chinese M, per the i th card. He publicizes the Remainder Theorem. Let a 2 ~x 2 ( mod pl ) and b z =- x 2 ( mod P2). Then the four square ordered 52 tuple < M1, Me ..... M52 >. roots ( mod N ) are given by ac +db, -ac +db, -(ac +db ) and (ac-db ). Let STEP 3: B publicizes his entire deck. The deck x = ac+db, and y =-ac+bd. Since N~-i mod is encrypted in the following way. For every 4 implies (x/ N)=(-x/ N), we need only prove card Ct (with public key Nt), B publicizes an that (+x/N)=-(+y/N). Thus, (x/N) = ordered list of 6 numbers in ANt', (ql ..... q6) (ac +bd/ N) = (ac +bd/ pl)(ac +bd/ p2 ) such that for 1 ~ j -< 6, qy is a quadratic resi- =(ac/pl)(bg/p2 ). And (y/ N) = due if and only if the j th bit of Ctisa 1. (-ac +bd/ N)=(-ac +bd/ pl)(-ac +bd/p2)= For example, let the first card in B's deck (-ac/pl)(bd/p2)=(-1/pl)(x/N). Sincepl = 3 be 010010. Then B publicizes (ql, qa, qa, q4, qS, (mod 4), (-i/pl)=-l. q6) where ql, qa, q4 and q6 are quadratic non- residues mod N~, and q2, q5 are quadratic resi- By a theorem of de la Vallee Poussin[15], dues rood N~ with Jacobi symbol 1. The q¢'s are approximately half of all primes of a given chosen at random among the elements of ANt" length are congruent to 3 rood 4. Thus, compo- with the desired properties. This can be done site numbers of the form N=pl,p 2 where in random polynomial time, by Lemma 3. .pl~pe~3 rood 4 constitute approximately 1/4 NOTE that, by Lemma 2, if A can factor N¢, he of all composite numbers which are a product can also determine whether the numbers that of two odd primes of a given length, Thus fac- B posed as corresponding to the bits in the toring and deciding quadratic residuosity encoding of CQ are quadratic residues or not modulos such special N's remains a hard prob- and therefore determine what the card is. ]f A lem. Another method, which does not use spe- can not factor N¢, he can not tell whether the cial composite numbers, but increases the numbers corresponding to bits in the cards number of messages exchanged in the protocol, encoding are quadratic residues or not, and will appear in the final paper. therefore can not tell what the remaining cards are, 5.3 THE PROTOCOL STEP 4: A publicizes his deck in the exact same To represent 52 cards in binary we must way that B did. use at least 6 bits per card. Thus at first A and B agree on 52 different bit patterns which STEP 5 [B deals a Card to A]: Suppose A decided correspond to the 52 cards. to pick the K- th card from B's deck. Repeat From now on, when we say that A flips k to the following procedure for each card in B's B, we mean that B receives a number k at ran- encrypted deck. We describe it for the i-th dom from A, and A has no information whatso- card, to which N~ corresponds. B flips z e Z~, to ever about k. k is actually sent bit by bit A. A computes x 2 mad N~ and (x/N~). At this through a sequence of coin flips into a well. point A must follow one of two procedures: P1 if 5.3.1 The Algorithm i=K and P2 otherwise. PI: A sends x 2 rood N,i, and -(x/N~) to B. STEP 1: B chooses at random 52 pairs of large P2: A sends x e mod Ny. and (x/N~) to B. prime numbers: (Pl, ql), (P2, q2), (Pa, qa) ..... (P52, q52) such that p~q~-=3 mod 4 for 19 computes the square roots of x 2 mod N~. Let 1 ~ i ~ 52, and produces 52 large composite the square roots be x, n-z, y and n-y. Next, numbers whose factorization she knows, i.e B sends the root whose Jaeobi symbol she Nl := pl "ql, N2 := p2" q 2 ..... Ns2 := p~2 " q52. received from A : y if she received -(x/Ni) from Next, she shuffles the deck of cards in her A, and x otherwise. By ]emma 4, (x/N¢) hands and assigns N 1..... Nsa to the shuffled uniquely identifies x, and -(x/N~) uniquely deck, an N, per the i th card. She publicizes identifies y. Thus if A followed P1 then he will the ordered 52 tuple < N1, N 2 ..... N52 >. receive 4 square roots of x 2 rood N~, and by lemma 1 can factor. If A followed P2, he will get STEP 2: A does the same. Let us denote the no new information as to the value of CC/. B 375 from her side has no information as to which It still remains to be shown that neither card A selected. Later, B can verify what he player can have, at any stage of the game, any flipped to A, and hence verify that B has only partial information, about a single encrypted found out the factorization of a single card. card not in his hand, or any subset of STEP 6: At this point A knows the factorization encrypted cards not in his hand. A complete proof will be found in the final paper. Here we of N K. To reconstruct the actual card CK, A restrict ourselves to proving that when two applies the polynomial time test of Lamina 2 to players A and B publicize their respective the encrypted representation of CK, encrypted decks, neither A nor B can answer (ql ..... q6). Next, A must delete CK from his quickly with I% advantage a i bit question encrypted deck. B can see which encrypted about a single card in the opponents deck. element in A's deck is being erased, but this Examples of such i bit questions are: is the i-th does not enable her to decrypt it. card in the deck black?, Are the first and third bit of the i-th card equal? Is the rood 2 sum of STEP 7[A deals a card to B]: Clearly, the same the bits in the i-th card 0 or I? procedure as in Step 5 and 6 is done with the Theorem 7: If A, when B publicizes her roles of A and B reversed. Now B will discover encrypted deck, can answer, in polynomial the factorization of one of M 1.... M52. time, a l-bit question Q about a single card in B's deck with i% advantage, then he can decide STEP 8: If any more cards need to be dealt quadratic residuosity modulo a random compo- throughout the game, a similar protocol takes site N with probability i, by means of a place. Whenever A needs a card, he will pick a polynomial(IN0 time probabilistic algorithm. card from B's deck, by following the procedure Proof: Suppose A can answer a l-bit question Q in step 5 and 6. And similarly whenever B about card i, to which composite N¢ needs a card, she will pick it from A's deck. corresponds. A's ability to answer Q with a i% advantage can be viewed as a decision function STEP 9 [after game verification]: After the d:S6-,0,1 (S 6 = all 6-1ong sequences of ele- game is over, A can prove to B that everything ments from AN, ). Since A answers Q correctly he claims she flipped him, was indeed flipped by 51 times out of a I00, we can efficiently find two her and in what order. B can do the same. A 6-signatures u and v such that releases the factorization of each of the M, for IPd(u) --Pd(v)l --> 1/100. Thus we can apply all 1-< i-< 52, and B releases the factorization theorem 8 and decide quadratic residuosity of each of the N¢ for all 1~_i~52. They can modulo N~ in polynomial time. Contradiction! both prove to each other whatever claim they made in the game such as "N is a product of two primes", "all cards where present at the 5.3.3 Implementation Details deck at all times", "these are the quadratic In order to perform the protocol we must residues you flipped to me", or "I won". be able to do the following: 1. Generate large prime numbers, This can be 5.3.2 Proof Of Correctness: done using Gary Miller's test for primality[ 11] . Claim 1: all hands are equally probable. 2. Find square roots of x 2 triad N when the fac- Proof: In step 9, A and B verify that both torization of N is known. Use Adleman, Manders encrypted decks contained all 52 cards. In and Millers polynomial time algorithm[2] for step 5, A himself chooses which encrypted finding square roots. value from B's deck he wants, thus he is equally likely to get any card in the deck. Similar rea- 6. Remarks and Further Improvements soning holds for B. Claim 2: no overlapping or repeating hands. In this paper we showed that it is possible Proof: When A is dealt a card, he erases that to encrypt messages in such a way, that an card from his encrypted deck. Thus B can adversary, given the cypherLext, cannot never be dealt the same card. A knows which extract information about the cleartext. This is cards he picked from B's deck, and thus will sufficient for protocols such as Mental Poker or never pick the same card twice. for encrypting one's private files. An adversary Claim 3: ]f player A knows the factorization of can read these files but cannot understand- N~ he can reconstruct Ci in 0(IN ]a) time. them. Proof: We are given N t = .Pl P2, and (ql ..... q6) We also showed that Probabilistie Encryp- such that for all j, qi eZN and (qj/N~,) =1. To tion can be used in a Public Key Environment. reconstruct. Ct, we must test whether qi is a However, in a Public Key Cryptosystem, getting quadratic residue rood Nt for all j. That can be hold of the cyphertext and trying to under- done in O( IN I 3) steps by Lamina 2. stand it is the most obvious attack to the secu- 376 rity of the scheme. [3] Adleman, L., On Distinguishing Prime * An adversary could, as a user, try to break Numbers from Composite Numbers, the scheme by communicating. Proceedings of the 21st IEEE Symposium on the Foundations of Computer Science (FOCS), Syracuse, N.Y., 1980, 387-408. He could try to break the scheme by inter- cepting some other user's messages and [4] Blum, M., Three Applications of The Oblivi- changing them. ous Transfer, to appear, 1981. * Finally, he may try to break the scheme by [5] Blum, M., and Micali, S., How to Flip A Coin making use of the decoding equipment ! Through the Telephone, to appear, 1982. The Public Key Cryptosystem presented in this [8] Blum, M., Mental Poker, to appear, 1982. paper is not secure against these possible attacks. However, by forcing the users to fol- [7] Brassard, G., Relativized Cryptography, low a particular protocol for exchanging mes- Proceedings of the 20st IEEE Symposium on sages, we have built a Public Key Cryptosystem the Foundations of Computer Science which is provably secure against the above (FOCS) , San Juan, Puerto Rico, 1979, 383- mentioned attacks. These results will appear in 391. a future paper. [8] Diffie, W., and M. E. Hellman, New Direction in Cryptography, IEEE Trans. on Inform. Th. Acknowledgements IT-22, 6 (1976), 644-654. Coldwasser S., and Micali S., A Bit by Bit Our most sincere thanks go to Richard [9] Secure Public Key Cryptosystem, Memoran- Karp, who supervised this research, for his dum NO. UCB/ERL M81/88, University of contributions, encouragement and great California, Berkeley, December 1981. patience, and to Manuel Blum for a wonder- ful course in Number Theory, many insight- [10] Lipton, R., How to Cheat at Mental Poker, ful discussions and for having found a way to Proceeding of the AMS short course on reduce the numbers of messages exchanged Cryptology, January 1981. in the protocol. [11] Miller, G., Riemann's Hypothesis and Tests We are particularly indebted to Faith for Pr~mality, Ph.D. Thesis, U.C. Berkeley, Fich, Mike Luby, Jeff Shallit and Po Tong. 1975. Without their generous help this paper would have never been written. [12] Rabin, M., Digitalized Signatures and Public-Key Functions As Intractable As Fac- Andrew Yao pointed out to us some gen- torization, MIT/LCS/TR-212, Technical eral difficulties arising with commutative Memo MIT, 1979. encryption functions. The claim in section 3.4 was obtained with Vijay Vazirani. We [13] Rivest, R., Shamir, A., Adleman, L., A thank them both. Method for Obtaining Digital Signatures and Public Key Cryptosystems, Communica- We are grateful tb Ron Rivest and Mike tions of the ACM, February 1978. Sipser for a very inspiring discussion. It improved this paper a great deal. [14] Shamir, Rivest, and Adleman, Mental Poker, MIT Technical Report, 1978. [15] Shanks, D., Solved and Unsolved Problems "~n Number Theory, Chelsea Publishing Co. References (1978). [1] Adleman, L., Private Communication, 1981. Added in proof: [2] Adleman, L., Manders K. and Miller G., On [16] Chau.m, D. L., Untraceable EZec~o~,ic Mail, Tc~cing Roots In Finite Fields, Proceedings Returvt Addresses, and Digital Pseudonymus, of the 18th Annual ]EEE Symposium on Communications of the ACM, 24,2 (1981) 84-88. Foundations of Computer Science (FOCS), 1977, 175-177. 377