Secrecy without one-way functions
DIMA GRIGORIEV AND VLADIMIR SHPILRAIN
Abstract.

We show that some problems in information security can be solved without using one-way functions. The latter are usually regarded as a central concept of cryptography, but the very existence of one-way functions depends on difficult conjectures in complexity theory, most notably on the notorious “P = NP” conjecture. This is why cryptographic primitives that do not employ one-way functions are often called “unconditionally secure”.

In this paper, we suggest protocols for secure computation of the sum, product, and some other functions of two or more elements of an arbitrary constructible ring, without using any one-way functions. A new input that we offer here is that, in contrast with other proposals, we conceal “intermediate results” of a computation. For example, when we compute the sum of k numbers, only the final result is known to the parties; partial sums are not known to anybody. Other applications of our method include voting/rating over insecure channels and a rather elegant and efficient solution of the “two millionaires problem”.

Then, while it is fairly obvious that a secure (bit) commitment between two parties is impossible without a one-way function, we show that it is possible if the number of parties is at least 3. We also show how our unconditionally secure (bit) commitment scheme for 3 parties can be used to arrange an unconditionally secure (bit) commitment between just two parties if they use a “dummy” (e.g., a computer) as the third party. We explain how our concept of a “dummy” is different from a well-known concept of a “trusted third party”.

Based on a similar idea, we also offer an unconditionally secure k-n oblivious transfer protocol between two parties who use a “dummy”. We also suggest a protocol, without using a one-way function, for the so-called “mental poker”, i.e., a fair card dealing (and playing) over distance. Finally, we propose a secret sharing scheme where an advantage over Shamir’s and other known secret sharing schemes is that nobody, including the dealer, ends up knowing the shares (of the secret) owned by any particular player.

It should be mentioned that the computational cost of our protocols is negligible to the point that all of them can be executed without a computer.

1. Introduction
Secure multi-party computation is a problem that was originally suggested by Yao [18] in 1982. The concept usually refers to computational systems in which several parties wish to jointly compute some value based on individually held secret bits of information, but do not wish to reveal their secrets to anybody in the process. For example, two individuals who each possess some secret numbers, x and y, respectively, may wish to jointly compute some function f(x, y) without revealing any information about x or y other than what can be reasonably deduced by knowing the actual value of f(x, y).

Secure computation was formally introduced by Yao as secure two-party computation. His “two millionaires problem” (cf. our Section 3) and its solution gave way to a generalization to multi-party protocols, see e.g. [4], [7]. Secure multi-party computation provides solutions to various real-life problems such as distributed voting, private bidding and auctions, sharing of signature or decryption functions, private information retrieval, etc.

In this paper, we offer protocols for secure computation of the sum and product of three or more elements of an arbitrary constructible ring without using encryption or any one-way functions whatsoever. We require in our scheme that there are k secure channels for communication between the k ≥ 3 parties, arranged in a circuit. We also show that less than k secure channels is not enough.

Unconditionally secure multiparty computation was previously considered in [4] and elsewhere (since the present paper is not a survey, we do not give a comprehensive bibliography on the subject here, but only mention what is most relevant to our paper). A new input that we offer here is that, in contrast with [4] and other proposals, we conceal “intermediate results” of a computation. For example, when we compute a sum of k numbers n_i, only the final result $\sum_{i=1}^{k} n_i$ is known to the parties; partial sums are not known to anybody.

Research of the first author was partially supported by the Federal Agency of the Science and Innovations of Russia, State Contract No. 02.740.11.5192. Research of the second author was partially supported by the NSF grants DMS-0914778 and CNS-1117675.
This is not the case in [4], where each partial sum $\sum_{i=1}^{s} n_i$ is known to at least some of the parties. This difference is important because, by the “pigeonhole principle”, at least one of the parties may accumulate sufficiently many expressions in n_i to be able to recover at least some of the n_i other than his own.

Here we show how our method works for computing the sum (Section 2) and the product (Section 4) of private numbers. We ask what other functions can be securely computed without revealing intermediate results. Other applications of our method include voting/rating over insecure channels (Section 2.3) and a rather elegant solution of the “two millionaires problem” (Section 3).

We also address another cryptographic primitive, known as (bit) commitment. In cryptography, a commitment scheme allows one to commit to a value while keeping it hidden, with the ability to reveal the committed value later. Commitments are used to bind a party to a value so that they cannot adapt to other messages in order to gain some kind of inappropriate advantage. They are important to a variety of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure multi-party computation. See [8] or [13] for a general overview.

It is known [12] that a secure (bit) commitment between two parties is impossible without some kind of encryption, i.e., without a one-way function. However, if the number of parties is at least 3, this becomes possible, as long as parties do not form coalitions to trick another party (or parties). It has to be pointed out though that formal definitions of commitment schemes vary strongly in notation and in flavor, so we have to be specific about our model.
We give more formal details in Section 6, while here we just say, informally, that what we achieve is the following: if the committed values are just bits, then after the commitment stage of our scheme is completed, none of the parties can guess any other party’s bit with probability greater than 1/2. We require in our scheme that there are k secure channels for communication between the parties, arranged in a circuit. We also show that less than k secure channels is not enough.

Then, in Section 7, we show how our unconditionally secure (bit) commitment scheme for 3 parties can be used to arrange an unconditionally secure (bit) commitment between just two parties if they use a “dummy” (e.g., a computer) as the third party. We explain how our concept of a “dummy” is different from a well-known concept of a “trusted third party” and also from Rivest’s idea of a “trusted initializer” [15]. In particular, a difference important for real-life applications is that our “dummy” is unaware of the committed values. Also, our “dummy” is passive, i.e., he does not privately transmit information to “real” participants and he does not generate randomness.

Based on a similar idea, we also offer, in Section 8, an unconditionally secure k-n oblivious transfer protocol between two parties who use a “dummy”.

In Section 9, we consider a related cryptographic primitive known as “mental poker”, i.e., a fair card dealing (and playing) over distance. Several protocols for doing this, most of them using encryption, have been suggested, the first by Shamir, Rivest, and Adleman [17], and subsequent proposals include [5] and [9]. As with the bit commitment, a fair card dealing between just two players over distance is impossible without a one-way function since commitment is part of any meaningful card dealing scenario. However, it turns out to be possible if the number of players is k ≥ 3. What we require though is that there are k secure channels for communication between players, arranged in a circuit. We also show that our protocol can, in fact, be adapted to deal cards to just 2 players. Namely, if we have 2 players, they can use a “dummy” player (e.g. a computer), deal cards to 3 players, and then just ignore the “dummy”’s cards, i.e., “put his cards back in the deck”. An assumption on the “dummy” player is that he cannot generate any randomness, so randomness has to be supplied to him by the two “real” players. Another assumption is that there are secure channels for communication between either “real” player and the “dummy”. We believe that this model is adequate for 2 players who want to play online but do not trust the server. “Not trusting” the server exactly means not trusting with generating randomness. Other, deterministic, operations can be verified at the end of the game; we give more details in Section 9.2. We note that the only known (to us) proposal for dealing cards to k ≥ [...] (k, k)-threshold scheme only.

2. Secure computation of a sum
In this section, our scenario is as follows. There are k parties P_1, ..., P_k; each P_i has a private element n_i of a fixed constructible ring R. The goal is to compute the sum of all n_i without revealing any of the n_i to any party P_j, j ≠ i.

One obvious way to achieve this is well studied in the literature (see e.g. [8, 9, 11]): encrypt each n_i as E(n_i), send all E(n_i) to some designated P_i (who does not have a decryption key), have P_i compute $S = \sum_i E(n_i)$ and send the result to the participants for decryption. Assuming that the encryption function E is homomorphic, i.e., that $\sum_i E(n_i) = E(\sum_i n_i)$, each party P_i can recover $\sum_i n_i$ upon decrypting S. This scheme requires not just a one-way function, but a one-way function with a trapdoor since both encryption and decryption are necessary to obtain the result.

What we suggest in this section is a protocol that does not require any one-way function, but involves secure communication between some of the P_i. So, our assumption here is that there are k secure channels of communication between the k parties P_i, arranged in a circuit. Our result is computing the sum of private elements n_i without revealing any individual n_i to any P_j, j ≠ i. Clearly, this is only possible if the number of participants P_i is greater than 2. As for the number of secure channels between P_i, we will show that it cannot be less than k, by the number of parties.

2.1. The protocol (computing the sum).
(1) P_1 initiates the process by sending n_1 + n'_1 to P_2, where n'_1 is a random element (“noise”).
(2) Each P_i, 2 ≤ i ≤ k − 1, does the following. Upon receiving an element m from P_{i−1}, he adds his n_i + n'_i to m (where n'_i is a random element) and sends the result to P_{i+1}.
(3) P_k adds n_k + n'_k to whatever he has received from P_{k−1} and sends the result to P_1.
(4) P_1 subtracts n'_1 from what he got from P_k; the result now is the sum $S = \sum_{1 \le i \le k} n_i + \sum_{2 \le i \le k} n'_i$. Then P_1 publishes S.
(5) Now all participants P_i, except P_1, broadcast their n'_i, possibly over insecure channels, and compute $\sum_{2 \le i \le k} n'_i$. Then they subtract the result from S to finally get $\sum_{1 \le i \le k} n_i$.

Thus, in this protocol we have used k (by the number of the parties P_i) secure channels of communication between the parties. If we visualize the arrangement as a graph with k vertices corresponding to the parties P_i and k edges corresponding to secure channels, then this graph will be a k-cycle. Other arrangements are possible, too; in particular, a union of disjoint cycles of length ≥ 3 ([...] k edges.)

Two natural questions that one might now ask are: (1) is any arrangement with less than k secure channels possible? (2) with k secure channels, would this scheme work with any arrangement other than a union of disjoint cycles of length ≥ 3? The answer to both questions is “no”. Indeed, if there is a vertex (corresponding to P_1, say) of degree 0, then any information sent out by P_1 will be available to everybody, so other participants will know n_1 unless P_1 uses a one-way function to conceal it. If there is a vertex (again, corresponding to P_1) of degree 1, this would mean that P_1 has a secure channel of communication with just one other participant, say P_2. Then any information sent out by P_1 will be available at least to P_2, so P_2 will know n_1 unless P_1 uses a one-way function to conceal it. Thus, every vertex in the graph should have degree at least 2, which implies that every vertex is included in a cycle. This immediately implies that the total number of edges is at least k. If now a graph Γ has k vertices and k edges, and every vertex of Γ is included in a cycle, then every vertex has degree exactly 2 since by the “handshaking lemma” the sum of the degrees of all vertices in any graph equals twice the number of edges. It follows that our graph is a union of disjoint cycles.

2.2. Effect of coalitions.
Suppose now we have k ≥ 3 parties and k secure channels of communication arranged in a circuit, and suppose 2 of the parties secretly form a coalition. Our assumption here is that, because of the circular arrangement of secure channels, a secret coalition is only possible between parties P_i and P_{i+1} for some i, where the indices are considered modulo k; otherwise, attempts to form a coalition (over insecure channels) will be detected. If two parties P_i and P_{i+1} exchanged information, they would, of course, know each other’s elements n_i, but other than that, they would not get any advantage if k ≥ 4. Indeed, we can just “glue these two parties together”, i.e., consider them as one party, and then the protocol is essentially reduced to that with k − 1 ≥ 3 parties. If k = 3, then, of course, two parties together have all the information about the third party’s element.

For an arbitrary k ≥ 4, if n < k parties want to form a (secret) coalition to get information about some other party’s element, all these n parties have to be connected by secure channels, which means there is a j such that these n parties are P_j, P_{j+1}, ..., P_{j+n−1}, where indices are considered modulo k. It is not hard to see then that only a coalition of k − 1 parties P_1, ..., P_{i−1}, P_{i+1}, ..., P_k can suffice to get information about P_i’s element.

2.3. Ramification: voting/rating over insecure channels.
In this section, our scenario is as follows. There are k parties P_1, ..., P_k; each P_i has a private integer n_i. There is also a computing entity B (for Boss) who shall compute the sum of all n_i. The goal is to let B compute the sum of all n_i without revealing any of the n_i to him or to any party P_j, j ≠ i. The following example from real life is a motivation for this scenario.

Example 1. Suppose members of the board in a company have to vote for a project by submitting their numeric scores (say, from 1 to 10) to the president of the company. The project gets a green light if the total score is above some threshold value T. Members of the board can discuss the project between themselves and exchange information privately, but none of them wants his/her score to be known to either the president or any other member of the board.

In the protocol below, we are again assuming that there are k channels of communication between the parties, arranged in a circuit: P_1 → P_2 → ... → P_k → P_1. On the other hand, communication channels between B and any of the parties are not assumed to be secure.

2.4. The protocol (rating over insecure channels).
(1) P_1 initiates the process by sending n_1 + n'_1 to P_2, where n'_1 is a random number.
(2) Each P_i, 2 ≤ i ≤ k − 1, does the following. Upon receiving a number m from P_{i−1}, he adds his n_i + n'_i to m (where n'_i is a random number) and sends the result to P_{i+1}.
(3) P_k adds n_k + n'_k to whatever he has received from P_{k−1} and sends the result to B.
(4) P_k now starts the process of collecting the “adjustment” in the opposite direction. To that effect, he sends his n'_k to P_{k−1}.
(5) P_{k−1} adds n'_{k−1} and sends the result to P_{k−2}.
(6) The process ends when P_1 gets a number from P_2, adds his n'_1, and sends the result to B. This result is the sum of all n'_i.
(7) B subtracts what he got from P_1 from what he got from P_k; the result now is the sum of all n_i, 1 ≤ i ≤ k.

3. Application: the “two millionaires problem”
The protocol from Section 2, with some adjustments, can be used to provide an elegant and efficient solution to the “two millionaires problem” introduced in [18]: there are two numbers, n_1 and n_2, and the goal is to solve the inequality n_1 ≥ n_2? without revealing the actual values of n_1 or n_2.

To that effect, we use a “dummy” as the third party. Our concept of a “dummy” is quite different from a well-known concept of a “trusted third party”; importantly, our “dummy” is not supposed to generate any randomness; he just does what he is told to. Basically, the only difference between our “dummy” and a usual calculator is that there are secure channels of communication between the “dummy” and either “real” party. One possible real-life interpretation of such a “dummy” would be an online calculator that can combine inputs from different users. Also note that in our scheme below the “dummy” is unaware of the committed values of n_1 or n_2, which is useful in case the two “real” parties do not want their private numbers to ever be revealed. This suggests yet another real-life interpretation of a “dummy”, where he is a mediator between two parties negotiating a settlement.

Thus, let A (Alice) and B (Bob) be two “real” parties, and D (Dummy) the “dummy”. Suppose A’s number is n_1, and B’s number is n_2.

3.1. The protocol (comparing two numbers).
(1) A splits her number n_1 as a difference n_1 = n_1^+ − n_1^−. She then sends n_1^− to B.
(2) B splits his number n_2 as a difference n_2 = n_2^+ − n_2^−. He then sends n_2^− to A.
(3) A sends n_1^+ + n_2^− to D.
(4) B sends n_2^+ + n_1^− to D.
(5) D subtracts (n_2^+ + n_1^−) from (n_1^+ + n_2^−) to get n_1 − n_2, and announces whether this result is positive or negative.

Remark 1. Perhaps a point of some dissatisfaction in this protocol could be the fact that the “dummy” ends up knowing the actual difference n_1 − n_2, so if there is a leak of this information to either party, this party would recover the other’s private number n_i. This can be avoided if n_1 and n_2 are represented in the binary form and compared one bit at a time, going left to right, until the difference between bits becomes nonzero. However, this method, too, has a disadvantage: the very moment the “dummy” pronounces the difference between bits nonzero would give an estimate of the difference n_1 − n_2 to the real parties, not just to the “dummy”.

We note that the original solution of the “two millionaires problem” given in [18], although it lacks the elegance of our scheme, does not involve a third party, whereas our solution does. On the other hand, the solution in [18] uses encryption, whereas our solution does not, which makes it by far more efficient.
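The comparison protocol of Section 3.1 and the bit-by-bit variant of Remark 1, as an added Python simulation (this is example code, not code from the paper). It takes the integers as the ring, draws the random split n_i = n_i^+ − n_i^− with a seeded random.Random, and records what each of A, B and D actually holds so that the two leakage points discussed in the remark can be seen: in the plain protocol D learns n_1 − n_2; in the bitwise variant D learns only a bit difference, but the bit position at which the comparison stops is visible to the real parties. The helper names (split_difference, compare_via_dummy, compare_bitwise) and the bound on the random parts are this example's own.

```python
import random


def seeded_rng(seed=3):
    """Seeded generator so the run is reproducible; real parties would use fresh randomness."""
    return random.Random(seed)


def split_difference(n, rng, bound=10**9):
    """Write n = n_plus - n_minus with a random n_minus (constructed helper)."""
    n_minus = rng.randrange(bound)
    return n + n_minus, n_minus


def compare_via_dummy(n1, n2, rng):
    """Section 3.1. Returns the sign D announces (+1, -1 or 0 for equal) together with
    each participant's view of the other side's data."""
    n1_plus, n1_minus = split_difference(n1, rng)   # (1) A splits n1; sends n1_minus to B
    n2_plus, n2_minus = split_difference(n2, rng)   # (2) B splits n2; sends n2_minus to A
    to_d_from_a = n1_plus + n2_minus                # (3) A -> D
    to_d_from_b = n2_plus + n1_minus                # (4) B -> D
    diff = to_d_from_a - to_d_from_b                # (5) equals (n1_plus - n1_minus) - (n2_plus - n2_minus)
    sign = (diff > 0) - (diff < 0)
    views = {
        "A_sees": n2_minus,                         # a uniformly random number, says nothing about n2
        "B_sees": n1_minus,                         # likewise for n1
        "D_sees": (to_d_from_a, to_d_from_b),       # D can compute n1 - n2 (Remark 1's concern)
    }
    return sign, views


def compare_bitwise(n1, n2, nbits, rng):
    """Remark 1 variant: compare from the most significant bit downwards and stop at the
    first differing bit. D no longer learns n1 - n2, only a bit difference; but the
    position where the run stops tells both real parties roughly how large |n1 - n2| is."""
    for pos in range(nbits - 1, -1, -1):
        sign, _ = compare_via_dummy((n1 >> pos) & 1, (n2 >> pos) & 1, rng)
        if sign != 0:
            return sign, pos     # pos is what the real parties learn beyond the verdict
    return 0, None               # all bits equal


if __name__ == "__main__":
    rng = seeded_rng()
    verdict, views = compare_via_dummy(5_000_000, 3_000_000, rng)   # constructed fortunes
    print("D announces sign", verdict, "; D could compute", views["D_sees"][0] - views["D_sees"][1])
    print("bitwise:", compare_bitwise(12, 10, 4, rng))
```

With the bitwise variant, the second value returned is exactly the estimate Remark 1 warns about: stopping at bit position p tells both parties the numbers first differ at that bit.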
4. Secure computation of a product
In this section, we show how to use the same general ideas from Section 2 to securely compute a product. Again, there are k parties P_1, ..., P_k; each P_i has a private (nonzero) element n_i of a fixed constructible ring R. The goal is to compute the product of all n_i without revealing any of the n_i to any party P_j, j ≠ i. Requirements on the ring R are going to be somewhat more stringent here than they were in Section 2. Namely, we require that R does not have zero divisors and, if an element r of R is a product a · x with a known a and an unknown x, then x can be efficiently recovered from a and r. Examples of rings with these properties include the ring of integers and any constructible field.

4.1. The protocol (computing the product).
(1) P_1 initiates the process by sending n_1 · n'_1 to P_2, where n'_1 is a random nonzero element (“noise”).
(2) Each P_i, 2 ≤ i ≤ k − 1, does the following. Upon receiving an element m from P_{i−1}, he multiplies m by n_i · n'_i (where n'_i is a random nonzero element) and sends the result to P_{i+1}.
(3) P_k multiplies by n_k · n'_k whatever he has received from P_{k−1} and sends the result to P_1. This result is the product $P = \prod_{1 \le i \le k} n_i \cdot \prod_{1 \le i \le k} n'_i$.
(4) P_1 divides what he got from P_k by his n'_1; the result now is the product $P = \prod_{1 \le i \le k} n_i \cdot \prod_{2 \le i \le k} n'_i$. Then P_1 publishes P.
(5) Now all participants P_i, except P_1, broadcast their n'_i, possibly over insecure channels, and compute $\prod_{2 \le i \le k} n'_i$. Then they divide P by the result to finally get $\prod_{1 \le i \le k} n_i$.
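The three ring protocols presented so far (the sum of Section 2.1, the rating with a boss of Section 2.4, and the product of Section 4.1) share one mechanism: each party folds its own noise into the value it forwards, so that no message on the ring equals a partial sum or partial product of the private inputs. The following Python simulation is an added example, not code from the paper. It takes the ring R to be the integers, runs each protocol locally with every party's noise drawn from a seeded random.Random, and also computes what a noiseless chain would forward, so the two can be compared. The party representation (a list of dicts), the noise bound and the function names are this example's own.

```python
import random


def seeded_rng(seed=7):
    """Seeded generator for a reproducible run; each real party would draw its own noise."""
    return random.Random(seed)


def make_parties(values, rng, noise_bound=10**6):
    """Constructed parties P_1..P_k: each holds a private input n_i and draws its own
    noise n'_i, kept nonzero so the same parties also serve the product protocol."""
    return [{"n": v, "noise": rng.randrange(1, noise_bound)} for v in values]


def sum_protocol(parties):
    """Section 2.1. Returns (messages seen on the ring, the published S, the final sum)."""
    assert len(parties) >= 3, "the text notes that with 2 parties nothing can be hidden"
    messages = []
    m = parties[0]["n"] + parties[0]["noise"]           # (1) P_1 -> P_2: n_1 + n'_1
    messages.append(m)
    for p in parties[1:]:                                # (2),(3) each P_i adds n_i + n'_i
        m += p["n"] + p["noise"]
        messages.append(m)                               # last entry is what P_k sends to P_1
    S = m - parties[0]["noise"]                          # (4) P_1 removes n'_1, publishes S
    total = S - sum(p["noise"] for p in parties[1:])     # (5) the others broadcast their n'_i
    return messages, S, total


def noiseless_chain(parties):
    """For contrast: a chain without noise forwards exactly the partial sums,
    which is the intermediate information the paper's noise is there to hide."""
    out, m = [], 0
    for p in parties:
        m += p["n"]
        out.append(m)
    return out


def rating_protocol(parties):
    """Section 2.4. Returns (what B gets from P_k, what B gets from P_1, B's total)."""
    forward = 0
    for p in parties:                                    # (1)-(3) P_1 -> ... -> P_k -> B
        forward += p["n"] + p["noise"]
    backward = 0
    for p in reversed(parties):                          # (4)-(6) P_k -> ... -> P_1 -> B, noise only
        backward += p["noise"]
    return forward, backward, forward - backward         # (7) B learns only the sum of the n_i


def board_vote(scores, threshold, rng):
    """Example 1: the project passes if the total score exceeds T; B never sees a score."""
    _, _, total = rating_protocol(make_parties(scores, rng))
    return total > threshold


def product_protocol(parties):
    """Section 4.1 over the integers (no zero divisors, so every division below is exact)."""
    assert all(p["n"] != 0 for p in parties), "inputs must be nonzero"
    m = parties[0]["n"] * parties[0]["noise"]            # (1) P_1 -> P_2: n_1 * n'_1
    for p in parties[1:]:                                # (2),(3) each P_i multiplies by n_i * n'_i
        m *= p["n"] * p["noise"]
    published = m // parties[0]["noise"]                 # (4) P_1 divides by n'_1 and publishes
    rest = 1
    for p in parties[1:]:                                # (5) the others broadcast their n'_i
        rest *= p["noise"]
    return published, published // rest


if __name__ == "__main__":
    rng = seeded_rng()
    parties = make_parties([3, 5, 7, 11], rng)           # constructed private inputs
    msgs, S, total = sum_protocol(parties)
    print("ring messages:        ", msgs)
    print("noiseless partial sums:", noiseless_chain(parties))
    print("sum:", total, " product:", product_protocol(parties)[1])
    print("board decision:", board_vote([7, 9, 4, 10], 25, rng))
```

Printing the two message lists side by side shows the point of the scheme: the noiseless chain exposes every partial sum, while each value on the noisy ring is the corresponding partial sum plus the noise of every party that has touched it, and only the published S, combined with the broadcast noise, yields the total.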
5. Secure computation of symmetric functions

In this section, we show how our method can be easily generalized to allow secure computation of any expression of the form $\sum_{i=1}^{k} n_i^r$, where n_i are parties’ private numbers, k is the number of parties, and r ≥ 1.

5.1. The protocol (computing the sum of powers).
(1) P_1 initiates the process by sending a random element n to P_2.
(2) Each P_i, 2 ≤ i ≤ k − 1, does the following. Upon receiving an element m from P_{i−1}, he adds his n_i^r to m and sends the result to P_{i+1}.
(3) P_k adds his n_k^r to whatever he has received from P_{k−1} and sends the result to P_1.
(4) P_1 subtracts (n − n_1^r) from what he got from P_k; the result now is the sum of all n_i^r, 1 ≤ i ≤ k.

Now that the parties can securely compute the sum of any powers of their n_i, they can also compute any symmetric function of n_i. However, in the course of computing a symmetric function from sums of different powers of n_i, at least some of the parties will possess several different polynomials in n_i, so chances are that at least some of the parties will be able to recover at least some of the n_i. On the other hand, because of the symmetry of all expressions involved, there is no way to tell which n_i belongs to which party.

5.2. Open problem.
Now it is natural to ask:
Problem 1.
What other functions (other than the sum and the product) can be securely computed without revealing intermediate results to any party?

To be more precise, we note that one intermediate result is inevitably revealed to the party who finishes computation, but this cannot be avoided in any scenario. For example, after the parties have computed the sum of their private numbers, each party also knows the sum of all numbers except his own. What we want is that no other intermediate results are ever revealed. To give some insight into this problem, we consider a couple of examples of computing simple functions different from the sum and the product of the parties’ private numbers.
Example 2.
We show how to compute the function f(n_1, n_2, n_3) = n_1 n_2 + n_2 n_3 in the spirit of the present paper, without revealing (or even computing) any intermediate results, i.e., without computing n_1 n_2 or n_2 n_3.
(1) P_2 initiates the process by sending a random element n to P_3.
(2) P_3 adds his n_3 to n and sends n + n_3 to P_1.
(3) P_1 adds his n_1 to n + n_3 and sends the result to P_2.
(4) P_2 subtracts n from n + n_1 + n_3 and multiplies the result by n_2. This is now n_1 n_2 + n_2 n_3.
Example 3.
The point of this example is to show that functions that can be computed by our method do not have to be homogeneous (in case the reader got this impression based on the previous examples). The function that we compute here is f(n_1, n_2, n_3) = n_1 n_2 + g(n_3), where g is any computable function.
(1) P_1 initiates the process by sending a random element a to P_2.
(2) P_2 multiplies a by his n_2 and sends the result to P_3.
(3) P_3 multiplies a n_2 by a random element c and sends the result to P_1.
(4) P_1 multiplies a n_2 c by his n_1, divides by a, and sends the result, which is n_1 n_2 c, back to P_3.
(5) P_3 divides n_1 n_2 c by c and adds g(n_3), to end up with n_1 n_2 + g(n_3).
Note that in this example, the parties used more than just one loop of transmissions in the course of computation. Also, information here was sent “in both directions” in the circuit.
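The sum-of-powers protocol of Section 5.1, the symmetric-function remark that follows it, and Examples 2 and 3, as one added Python simulation (example code, not the paper's). Over the integers, a single ring pass per exponent gives the power sums p_r = Σ n_i^r, and Newton's identity 2e_2 = p_1^2 − p_2 then turns two such passes into the elementary symmetric function e_2 = Σ_{i<j} n_i n_j; that derivation goes one step beyond the text, which only states that symmetric functions become computable. The party order in Example 2 (the holder of n_2 seeds the ring and finishes) is an assumption made here where the page's indices are illegible; the function names and the random bound are this example's own.

```python
import random


def seeded_rng(seed=11):
    """Seeded generator for reproducibility; each real party would draw its own randomness."""
    return random.Random(seed)


def sum_of_powers(values, r, rng):
    """Section 5.1: P_1 seeds the ring with a random n, every other party adds n_i^r,
    P_k returns the running value to P_1, who subtracts (n - n_1^r).
    Returns (what P_1 received from P_k, the power sum)."""
    n = rng.randrange(1, 10**6)           # (1) P_1 -> P_2: random element n
    m = n
    for v in values[1:]:                  # (2),(3) P_2 .. P_k each add n_i^r
        m += v ** r
    return m, m - (n - values[0] ** r)    # (4) P_1 finishes; m itself reveals nothing without n


def elementary_e2(values, rng):
    """Added generalisation: e_2 = sum_{i<j} n_i n_j from two runs of the protocol,
    using Newton's identity 2 e_2 = p_1^2 - p_2 (exact integer division)."""
    _, p1 = sum_of_powers(values, 1, rng)
    _, p2 = sum_of_powers(values, 2, rng)
    return (p1 * p1 - p2) // 2


def example2(n1, n2, n3, rng):
    """Example 2: f = n1*n2 + n2*n3 = n2*(n1 + n3) without ever forming n1*n2 or n2*n3.
    Assumed order: P_2 seeds, P_3 and P_1 add their inputs, P_2 finishes."""
    n = rng.randrange(1, 10**6)     # P_2's random element
    m = n + n3                      # P_3 adds n3, sends on
    m = m + n1                      # P_1 adds n1, sends back to P_2
    return (m - n) * n2             # P_2 removes n, multiplies by n2


def example3(n1, n2, n3, g, rng):
    """Example 3: f = n1*n2 + g(n3) for any computable g. P_1 picks a, P_3 picks c;
    the message goes round once and then back from P_1 to P_3. Divisions are exact."""
    a = rng.randrange(1, 10**6)     # (1) P_1 -> P_2: a
    c = rng.randrange(1, 10**6)     # P_3's own random element
    m = a * n2                      # (2) P_2 -> P_3: a*n2
    m = m * c                       # (3) P_3 -> P_1: a*n2*c  (c hides n2 from P_1)
    m = (m * n1) // a               # (4) P_1 -> P_3: n1*n2*c
    return m // c + g(n3)           # (5) P_3 finishes; n1*n2 is the one unavoidable intermediate


if __name__ == "__main__":
    rng = seeded_rng()
    vals = [2, 3, 4]                                        # constructed private numbers
    print("p3 =", sum_of_powers(vals, 3, rng)[1])
    print("e2 =", elementary_e2(vals, rng))
    print("Example 2:", example2(2, 3, 4, rng), " Example 3:", example3(2, 3, 4, lambda x: x * x, rng))
```

The first value returned by sum_of_powers is what P_1 receives from P_k; because P_1 is the only party who knows n, it is also the only party able to turn that value into the power sum, which is the "one intermediate result" the open-problem paragraph says the finishing party inevitably learns.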
Remark 2.
Another collection of examples of multiparty computation without revealing intermediate results can be obtained as follows. Suppose, without loss of generality, that some function f(n_1, ..., n_k) can be computed by our method in such a way that the last step in the computation is performed by the party P_1, i.e., P_1 is the one who ends up with f(n_1, ..., n_k) while no party knows any intermediate result g(n_1, ..., n_k) of this computation. Then, obviously, P_1 can produce any function of the form F(n_1, f(n_1, ..., n_k)) (for a computable function F) as well. Examples include n_1^r + n_2 n_3 ··· n_k for any r ≥ 1; n_1^r + (n_2 n_3 + n_4)^s for any r, s ≥ 1, etc., etc.

6. (Bit) commitment

While it is fairly obvious that a secure (bit) commitment between two parties is impossible without a one-way function, we show here that it is possible if the number of parties is at least 3. Generalizing the standard concept (see e.g. [8]) of a two-party (bit) commitment scheme, we define an n-party (bit) commitment scheme to be a two-phase protocol through which each of the n parties can commit himself to a value such that the following two requirements are satisfied:
(1) Secrecy: at the end of the commitment phase, none of the n parties gains any information about any other party’s committed value.
(2) Unambiguity: suppose that the commitment phase is successfully completed. Then, if later the parties perform the decommitment phase (sometimes called the reveal phase), each party’s committed value can be recovered (collectively by other parties) without ambiguity.

To make our ideas more transparent, we start with the simplest case where there are just 3 parties: P_1, P_2, and P_3, and no two of them form a coalition against the third one. Suppose they want to commit to integers n_1, n_2, and n_3 (modulo some m ≥ [...]) [...] n_i. After that, the parties “decommit”, or reveal, their integers and prove to each other that the integers n_i that they revealed are the same that they committed to. All computations below are performed modulo a fixed integer m ≥ [...].
(1) Each P_i randomly splits his integer n_i in a sum of two integers: n_i = r_i + s_i. If the participants want to commit to bits rather than integers, then P_i would split the “0” bit as either 0+0 or 1+1, and the “1” bit as either 0+1 or 1+0.
(2) (Commitment phase.) P_1 sends r_1 to P_2, then P_2 sends r_1 + r_2 to P_3, then P_3 sends r_1 + r_2 + r_3 to P_1. In the “opposite direction”, P_3 sends s_3 to P_2, then P_2 sends s_2 + s_3 to P_1, then P_1 sends s_1 + s_2 + s_3 to P_3.
After the commitment phase, P_1 has s_1, s_2 + s_3, r_1, and r_1 + r_2 + r_3 (therefore also r_2 + r_3), so he cannot possibly recover any n_i other than his own. (He can recover n_2 + n_3, but this does not give him any information about either n_2 or n_3.) Then, P_2 has s_2, s_3, r_1, and r_2, so he, too, cannot possibly recover any n_i other than his own. Finally, P_3 has s_3, r_3, r_1 + r_2, and s_1 + s_2 + s_3 (therefore also s_1 + s_2), so he, too, cannot possibly recover any n_i other than his own. (He can recover n_1 + n_2, but this does not give him any information about either n_1 or n_2.)
(3) (Decommitment phase starts.) Note that during the decommitment steps below, each participant transmits information that somebody else had committed to before. This way, each piece of transmitted information can be corroborated by two parties, which prevents cheating since we are assuming that no two participants form a coalition.
(4) P_1 sends n_2 + n_3 to both P_2 and P_3. Now P_2 knows n_3, and P_3 knows n_2.
(5) P_2 sends r_1 to P_3. Now P_3 can recover r_2 from r_1 and r_1 + r_2.
(6) P_1 sends s_2 + s_3 to P_3. Now P_3 can extract s_2 from this sum, and then, since he has r_2, recover n_2, and then also n_1 since P_3 already knows n_1 + n_2.
(7) P_1 sends r_1 + r_2 + r_3 to P_2. Now P_2 can recover r_3 and therefore n_3 = r_3 + s_3.

This protocol can be obviously generalized to 3m participants for arbitrary m ≥ [...] k ≥ [...] k secure channels, but we leave details to the reader.
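The three-party commitment of Section 6, as an added Python simulation (example code, not the paper's). The commitment phase follows steps (1) and (2): the r-shares go round the circuit one way and the s-shares the other way, all modulo m. Two checks are then made explicit that the text argues in prose: for secrecy, a brute-force enumeration of every (n_2, n_3) consistent with P_1's view shows that P_1 learns n_2 + n_3 and nothing more (for bits, a coin flip); for unambiguity, the opened shares are checked against every sum that crossed the circuit, each of which sits with a party other than its author, so a single participant cannot change a committed value afterwards. That verification is a simplified reading of the corroboration principle of step (3), not a transcript of steps (4) to (7); the function names and the seeded random.Random are this example's own.

```python
import random
from itertools import product


def seeded_rng(seed=5):
    """Seeded generator for reproducibility; each real party would draw its own shares."""
    return random.Random(seed)


def split_mod(n, m, rng):
    """n = r + s (mod m). For m = 2 this is exactly the bit rule of step (1):
    0 becomes 0+0 or 1+1, and 1 becomes 0+1 or 1+0."""
    r = rng.randrange(m)
    return r, (n - r) % m


def commit(values, m, rng):
    """Section 6, steps (1)-(2), for P_1, P_2, P_3. Returns each party's own (r_i, s_i)
    and a dict per party of the messages it received during the commitment phase."""
    shares = [split_mod(v, m, rng) for v in values]
    r = [sh[0] for sh in shares]
    s = [sh[1] for sh in shares]
    recv = [{}, {}, {}]
    # r-direction: P_1 -> P_2 -> P_3 -> P_1
    recv[1]["r1"] = r[0]
    recv[2]["r1+r2"] = (r[0] + r[1]) % m
    recv[0]["r1+r2+r3"] = (r[0] + r[1] + r[2]) % m
    # s-direction, the opposite way round: P_3 -> P_2 -> P_1 -> P_3
    recv[1]["s3"] = s[2]
    recv[0]["s2+s3"] = (s[1] + s[2]) % m
    recv[2]["s1+s2+s3"] = (s[0] + s[1] + s[2]) % m
    return shares, recv


def candidates_for_p1(shares, recv, m):
    """Secrecy check: every pair (n2, n3) consistent with what P_1 holds. P_1 knows
    r2+r3 and s2+s3, hence n2+n3, but all m pairs with that sum remain possible."""
    r1, _ = shares[0]
    r23 = (recv[0]["r1+r2+r3"] - r1) % m
    s23 = recv[0]["s2+s3"]
    found = set()
    for r2, s2, r3, s3 in product(range(m), repeat=4):
        if (r2 + r3) % m == r23 and (s2 + s3) % m == s23:
            found.add(((r2 + s2) % m, (r3 + s3) % m))
    return found


def verify_opening(opened, recv, m):
    """Unambiguity check in the spirit of step (3): the opened shares must reproduce every
    sum that crossed the circuit at commitment time. Each such sum is held by someone other
    than its author, so a lone cheater who alters r_i or s_i breaks at least one of them."""
    r = [o[0] for o in opened]
    s = [o[1] for o in opened]
    expected = [
        {"r1+r2+r3": (r[0] + r[1] + r[2]) % m, "s2+s3": (s[1] + s[2]) % m},   # held by P_1
        {"r1": r[0], "s3": s[2]},                                              # held by P_2
        {"r1+r2": (r[0] + r[1]) % m, "s1+s2+s3": (s[0] + s[1] + s[2]) % m},   # held by P_3
    ]
    return all(recv[i] == expected[i] for i in range(3))


def committed_values(opened, m):
    """The values an honest opening reveals: n_i = r_i + s_i (mod m)."""
    return [(r + s) % m for r, s in opened]


if __name__ == "__main__":
    rng = seeded_rng()
    shares, recv = commit([1, 0, 1], 2, rng)        # constructed: three committed bits
    print("P_1's candidates for (n2, n3):", candidates_for_p1(shares, recv, 2))
    print("honest opening verifies:", verify_opening(shares, recv, 2))
    cheat = list(shares)
    cheat[1] = (shares[1][0], (shares[1][1] + 1) % 2)   # P_2 tries to open a different bit
    print("altered opening verifies:", verify_opening(cheat, recv, 2))
```

For bits, candidates_for_p1 always returns exactly two pairs, which is the text's informal statement that no party can guess another's bit with probability above one half; for a modulus m it returns m pairs, one per value of n_2.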
Remark 3. A question that one might now ask, if only out of curiosity, is: would this scheme work with any arrangement of secure channels other than a union of disjoint circuits of length ≥ 3? The answer to this question is “no”. Indeed, if in the graph of secure channels there is a vertex (corresponding to P_1, say) of degree 0, then any information sent out by P_1 will be available to everybody, so other participants will know n_1 unless P_1 uses a one-way function to conceal it. If there is a vertex (again, corresponding to P_1) of degree 1, this would mean that P_1 has a secure channel of communication with just one other participant, say P_2. Then any information sent out by P_1 will be available at least to P_2, so P_2 will know n_1 unless P_1 uses a one-way function to conceal it. So, every vertex in the graph should have degree at least 2, which implies that every vertex is included in a circuit. It follows, in particular, that the total number of secure channels should be at least k, by the number of participants.

7. (Bit) commitment between two parties

Now we show how our unconditionally secure commitment scheme for 3 parties from Section 6 can be used to arrange an unconditionally secure commitment between just two parties. This is similar, in spirit, to the idea of Rivest [15], where an extra participant is introduced to bring the number of parties up to 3.
However, an important difference between our proposal and that of [15] is that the extra participant in [15] is a “trusted initializer”, which means that (i) he is allowed to generate randomness; (ii) he can transmit information to “real” participants over secure channels. By contrast, our extra participant is a “dummy”, i.e., (i) he is not allowed to generate randomness; (ii) he can receive information from “real” participants over secure channels and perform simple arithmetic operations.

One possible real-life interpretation of such a “dummy” would be an online calculator that can combine inputs from different users. Also note that in our scheme below the “dummy” is unaware of the committed values, which is useful in case the two “real” participants do not want their commitments to ever be revealed to the third party; for example, such a “dummy” could be a mediator between two parties negotiating a divorce settlement.

Thus, let A (Alice) and B (Bob) be two “real” participants, and D (Dummy) the “dummy”. Suppose A and B want to commit to integers n_1 and n_2, respectively.
(1) A and B randomly split their integers n_i in a sum of two integers: n_i = r_i + s_i.
(2) (Commitment.) A sends s_1 to B, and B sends r_2 to A. Then, A sends r_1 + r_2 to D, and B sends s_1 + s_2 to D.
(3) (Decommitment.) D reveals r_1 + r_2 + s_1 + s_2 = n_1 + n_2 both to A and B.
(4) Now A knows (n_1 + n_2) − n_1 = n_2, and B knows (n_1 + n_2) − n_2 = n_1, so cheating by either party is impossible.

8. k-n oblivious transfer

An oblivious transfer protocol is a protocol by which a sender sends some information to the receiver, but remains oblivious as to what is received. The first form of oblivious transfer was introduced in 1981 by Rabin [14]. Rabin’s oblivious transfer was later shown to be equivalent to “1-2 oblivious transfer”; the latter was subsequently generalized to 1-n oblivious transfer and to k-n oblivious transfer [3]. In the latter case, the receiver obtains a set of k messages from a collection of n messages.
The set of k messages may be received simultaneously (“non-adaptively”), or they may be requested consecutively, with each request based on previous messages received. All the aforementioned constructions use encryption, so in particular they use one-way functions. The first proposal that did not use one-way functions (and therefore offered unconditionally secure oblivious transfer) appeared in the paper by Rivest [15] that we have already cited in our Section 7.

In this section, we offer an unconditionally secure k-n oblivious transfer protocol that is essentially different from that of Rivest in a similar way that our bit commitment protocol in Section 7 is different from Rivest’s unconditionally secure bit commitment protocol [15]. More specifically, the extra participant in [15] is a “trusted initializer”, which means, in particular, that (i) he is allowed to generate randomness; (ii) he can “consciously” transmit information to “real” participants over secure channels. By contrast, our extra participant is a “dummy”, i.e., (i) he is not allowed to generate randomness; (ii) he can receive information from “real” participants over secure channels, but he transmits information upon specific requests only.

Again, let A (Alice) and B (Bob) be two “real” participants, and D (Dummy) the “dummy”, e.g., a computer. Suppose A has a collection of n messages, and B wants to obtain k of these messages, without A knowing which messages B has received. Suppose that all messages are integers m_i, 1 ≤ i ≤ n.
(1) A randomly splits her integers m_i in a sum of two integers: m_i = r_i + s_i.
(2) A sends the (ordered) set of all r_i, 1 ≤ i ≤ n, to D, and the (ordered) set of all s_i, 1 ≤ i ≤ n, to B.
(3) B sends to D the set of indices j_1, ..., j_k corresponding to the messages m_j he wants to receive.
(4) D sends to B the (ordered) set r_{j_1}, ..., r_{j_k}.
(5) B recovers m_{j_1}, ..., m_{j_k} as a sum of the relevant r_j and s_j.
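The two "dummy" protocols, the two-party commitment of Section 7 and the k-n oblivious transfer of Section 8, as one added Python simulation (example code, not the paper's). Both rest on the same additive split x = r + s with a uniformly random r, so the split helper is shared. Each function returns, besides the protocol's result, what the dummy D actually holds, which makes the text's claims checkable: in the commitment D sees only the two cross sums and learns n_1 + n_2 but neither value, and in the transfer D sees B's indices but only the masking shares, while A never sees the indices at all. The function names, the random bound and the seeded random.Random are this example's own.

```python
import random


def seeded_rng(seed=9):
    """Seeded generator for reproducibility; the real parties would draw their own shares."""
    return random.Random(seed)


def split_int(n, rng, bound=10**9):
    """n = r + s with r uniform in [0, bound): a one-time-pad style additive split."""
    r = rng.randrange(bound)
    return r, n - r


def two_party_commit(n1, n2, rng):
    """Section 7: A commits to n1, B to n2, D is the dummy. Returns what D holds and
    the value each real party recovers once D reveals the total."""
    r1, s1 = split_int(n1, rng)                 # (1) A splits n1
    r2, s2 = split_int(n2, rng)                 #     B splits n2
    # (2) A -> B: s1 ; B -> A: r2 ; A -> D: r1 + r2 ; B -> D: s1 + s2
    d_from_a, d_from_b = r1 + r2, s1 + s2
    total = d_from_a + d_from_b                 # (3) D reveals n1 + n2 to both
    return {
        "D_holds": (d_from_a, d_from_b),        # two sums, each masked by the other party's share
        "A_learns": total - n1,                 # (4) = n2; fixed by D's reveal, B cannot change it
        "B_learns": total - n2,                 #     = n1
    }


def k_of_n_transfer(messages, wanted, rng):
    """Section 8: k-n oblivious transfer with a dummy. messages = A's m_1..m_n (1-indexed as
    in the text); wanted = the indices j_1..j_k chosen by B. Returns B's recovered messages
    and a summary of what A and D saw."""
    shares = [split_int(m, rng) for m in messages]   # (1) A splits every m_i
    r_at_d = [r for r, _ in shares]                  # (2) A -> D: all r_i (uniform masks)
    s_at_b = [s for _, s in shares]                  #     A -> B: all s_i (useless alone)
    r_for_b = [r_at_d[j - 1] for j in wanted]        # (3),(4) B -> D: indices; D -> B: r_j's
    recovered = [r + s_at_b[j - 1] for r, j in zip(r_for_b, wanted)]   # (5) m_j = r_j + s_j
    return recovered, {
        "A_saw_indices": None,                       # A only ever sent data
        "D_saw_indices": tuple(wanted),              # D knows which, but not what
        "D_saw_messages": False,                     # r_i alone reveals nothing about m_i
    }


if __name__ == "__main__":
    rng = seeded_rng()
    print(two_party_commit(42, 17, rng))                          # constructed commitments
    print(k_of_n_transfer([100, 200, 300, 400], [2, 4], rng))     # constructed messages
```

The asymmetry between the two uses of D is visible in the code: in the commitment D speaks once, to everyone, and only after both inputs are in; in the transfer D answers a specific request from B, which is the "transmits information upon specific requests only" property the text distinguishes from Rivest's trusted initializer.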
9. Mental poker

“Mental poker” is the common name for a set of cryptographic problems that concerns playing a fair game over distance without the need for a trusted third party. One of the ways to describe the problem is: how can 2 players deal cards fairly over the phone? Several protocols for doing this have been suggested, including [17], [5], [9] and [1]. As with the bit commitment, it is rather obvious that a fair card dealing to two players over distance is impossible without a one-way function, or even a one-way function with trapdoor. However, it turns out to be possible if the number of players is at least 3, assuming, of course, that there are secure channels for communication between at least some of the players. In our proposal, we will be using k secure channels for $k \ge 3$ players $P_1, \ldots, P_k$, and these k channels will be arranged in a circuit: $P_1 \to P_2 \to \ldots \to P_k \to P_1$.

To begin with, suppose there are 3 players: $P_1$, $P_2$, and $P_3$, and 3 secure channels: $P_1 \to P_2 \to P_3 \to P_1$.

The first protocol, Protocol 1 below, is for distributing all integers from 1 to m to the players in such a way that each player gets about the same number of integers. (For example, if the deck that we want to deal has 52 cards, then two players should get 17 integers each, and one player should get 18 integers.) In other words, Protocol 1 allows one to randomly split a set of m integers into 3 disjoint sets.

The second protocol, Protocol 2, is for collectively generating random integers modulo a given integer M. This very simple but useful primitive can be used: (i) for collectively generating, uniformly randomly, a permutation from the group $S_m$. This will allow us to assign cards from a deck of m cards to the m integers distributed by Protocol 1; (ii) for introducing “dummy” players as well as for “playing” after dealing cards.

9.1. Protocol 1.
For notational convenience, we are assuming below that we have to distribute integers from 1 to $r = 3s$ to 3 players.

To begin with, all players agree on a parameter N, which is a positive integer of a reasonable magnitude, say, 10.

(1) Each player $P_i$ picks, uniformly randomly, an integer (a “counter”) $c_i$ between 1 and N, and keeps it private.
(2) $P_1$ starts with the “extra” integer 0 and sends it to $P_2$.
(3) $P_2$ sends to $P_3$ either the integer m he got from $P_1$, or m + 1. More specifically, if $P_2$ gets from $P_1$ the same integer m less than or equal to $c_2$ times, then he sends m to $P_3$; otherwise, he sends m + 1 and keeps m (i.e., in the latter case m becomes one of “his” integers). Having sent out m + 1, he “resets his counter”, i.e., selects, uniformly randomly between 1 and N, a new $c_2$. He also resets his counter if he gets the number m for the first time, even if he does not keep it.
(4) $P_3$ sends to $P_1$ either the integer m he got from $P_2$, or m + 1. More specifically, if $P_3$ gets from $P_2$ the same integer m less than or equal to $c_3$ times, then he sends m to $P_1$; otherwise, he sends m + 1 and keeps m. Having sent out m + 1, he selects a new counter $c_3$. He also resets his counter if he gets the number m for the first time, even if he does not keep it.
(5) $P_1$ sends to $P_2$ either the integer m he got from $P_3$, or m + 1. More specifically, if $P_1$ gets from $P_3$ the same integer m less than or equal to $c_1$ times, then he sends m to $P_2$; otherwise, he sends m + 1 and keeps m. Having sent out m + 1, he selects a new counter $c_1$. He also resets his counter if he gets the number m for the first time, even if he does not keep it.
(6) This procedure continues until one of the players gets s integers (not counting the “extra” integer 0). After that, a player who already has s integers just “passes along” any integer that comes his way, while other players keep following the above procedure until they, too, get s integers.
(7) The protocol ends as follows. When all 3s integers, between 1 and 3s, are distributed, the player who got the last integer, 3s, keeps this fact to himself and passes this integer along as if he did not “take” it.
(8) The process ends when the integer 3s makes N + 1 “full circles”.

We note that the role of the “extra” integer 0 is to prevent $P_1$ from knowing that $P_2$ has got the integer 1 if it happens so that $c_2 = 1$ in the beginning.

We also note that this protocol can be generalized to arbitrarily many players in the obvious way, if there are k secure channels for communication between k players, arranged in a circuit.
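Protocol 1 as an added simulation that is not from the paper, written for the general case of k players in a circuit mentioned in the last paragraph; the seeded RNG is a constructed stand-in for each player's private counter draws, and players are indexed $P_0, \ldots, P_{k-1}$ here. The `transmission_bound` function is our own reading of the counting argument (every integer is kept within N + 1 receipts by some non-full player), not a claim of the paper.

```python
import random


def protocol1(k=3, s=17, N=10, seed=0):
    """Distribute the integers 1..k*s to k players P_0 -> P_1 -> ... -> P_{k-1} -> P_0.
    Returns (hands, number_of_transmissions). hands[j] is the sorted list P_j kept."""
    rng = random.Random(seed)                          # stand-in for private randomness
    total = k * s
    hands = [set() for _ in range(k)]
    counters = [rng.randint(1, N) for _ in range(k)]  # step (1): private counters c_i
    seen = [dict() for _ in range(k)]                  # how often P_j has received each m
    m, holder, transmissions = 0, 1, 1                 # step (2): P_0 sends the extra 0 to P_1
    passes_after_done = 0
    while True:
        j = holder
        if len(hands[j]) == s:                         # step (6): a full hand just passes along
            out = m
        else:
            count = seen[j][m] = seen[j].get(m, 0) + 1
            if count == 1:                             # first sight of m: reset the counter
                counters[j] = rng.randint(1, N)
            if count <= counters[j]:
                out = m                                # seen at most c_j times: pass m on
            else:
                if m > 0:                              # keep m (the extra 0 is never a card)
                    hands[j].add(m)
                counters[j] = rng.randint(1, N)        # reset counter after keeping
                out = m if m == total else m + 1       # step (7): k*s is passed on as if not taken
        m, holder = out, (j + 1) % k
        transmissions += 1
        if all(len(h) == s for h in hands):            # step (8): k*s makes N + 1 full circles
            passes_after_done += 1
            if passes_after_done >= k * (N + 1):
                return [sorted(h) for h in hands], transmissions


def transmission_bound(k, s, N):
    """Upper bound on transmissions: each of the k*s + 1 circulated integers (0 included)
    makes at most N + 1 circles of k transmissions, plus the N + 1 closing circles."""
    return (k * s + 1) * (N + 1) * k + k * (N + 1)
```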
9.2. Protocol 2.

Now we describe a protocol for generating random integers modulo some integer M collectively by 3 players. As in Protocol 1, we are assuming that there are secure channels for communication between the players, arranged in a circuit.

(1) $P_1$ and $P_2$ uniformly randomly and independently select private integers $n_1$ and $n_2$ (respectively) modulo M.
(2) $P_1$ sends $n_1$ to $P_3$, and $P_2$ sends $n_2$ to $P_3$.
(3) $P_3$ computes the sum $m = n_1 + n_2$ modulo M.

Note that neither $P_1$ nor $P_2$ can cheat by trying to make a “clever” selection of their $n_i$ because the sum, modulo M, of any integer with an integer uniformly distributed between 0 and M − 1 is an integer uniformly distributed between 0 and M − 1. $P_3$ cannot cheat simply because he does not really get a chance: if he miscalculates $n_1 + n_2$ modulo M, this will be revealed at the end of the game. (All players keep contemporaneous records of all transactions, so that at the end of the game, correctness could be verified.)

To generalize Protocol 2 to arbitrarily many players $P_1, \ldots, P_k$, $k \ge 3$, we can just engage 3 players at a time in running the above protocol. If, at the same time, we want to keep the same circular arrangement of secure channels between the players that we had in Protocol 1, i.e., $P_1 \to P_2 \to \ldots \to P_k \to P_1$, then the 3 players would have to be $P_{i+1}$, $P_i$, $P_{i+2}$, where i runs from 1 to k, and the indices are considered modulo k.

Protocol 2 can now be used to collectively generate, uniformly randomly, a permutation from the group $S_m$. This will allow us to assign cards from a deck of m cards to the m integers distributed by Protocol 1. Generating a random permutation from $S_m$ can be done by taking a random integer between 1 and m (using Protocol 2) sequentially, ensuring that there is no repetition. This “brute-force” method will require occasional retries whenever the random integer picked is a repeat of an integer already selected. A simple algorithm to generate a permutation from $S_m$ uniformly randomly without retries, known as the Knuth shuffle, is to start with the identity permutation or any other permutation, and then go through the positions 1 through (m − 1), and for each position i swap the element currently there with an arbitrarily chosen element from positions i through m, inclusive (again, Protocol 2 can be used here to produce a random integer between i and m). It is easy to verify that any permutation of m elements will be produced by this algorithm with probability exactly $1/m!$, thus yielding a uniform distribution over all such permutations.

After this is done, we have m cards distributed uniformly randomly to the players, i.e., we have:

Proposition 1. If m cards are distributed to k players using Protocols 1 and 2, then the probability for any particular card to be distributed to any particular player is $1/k$.
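Protocol 2 and the Knuth shuffle driven by it, as an added example that is not from the paper: `outcome_counts_for_fixed_n1` is an exhaustive form of the no-cheating argument (for any fixed $n_1$ the map $n_2 \mapsto n_1 + n_2 \bmod M$ is a bijection), and `shuffle_distribution` enumerates every sequence of Protocol 2 outputs for a small m to exhibit the $1/m!$ claim. `make_collective_source` is a constructed stand-in for two players drawing locally; positions are 0-based in the code.

```python
import random
from collections import Counter
from itertools import product


def protocol2(n1, n2, M):
    """Step (3): P3 computes the collectively generated integer from P1's and P2's picks."""
    return (n1 + n2) % M


def outcome_counts_for_fixed_n1(n1, M):
    """Whatever n1 P1 fixes, as n2 ranges over 0..M-1 every output appears exactly once,
    so the sum is uniform whenever n2 is (the same holds with the roles swapped)."""
    return Counter(protocol2(n1, n2, M) for n2 in range(M))


def knuth_shuffle(m, random_int):
    """Uniform permutation of 1..m. random_int(lo, hi) returns an integer in [lo, hi];
    in the paper it is obtained from Protocol 2 with M = hi - lo + 1."""
    perm = list(range(1, m + 1))
    for i in range(m - 1):                    # positions 1 .. m-1 of the paper (0-based here)
        j = random_int(i, m - 1)              # element chosen from positions i .. m, inclusive
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def make_collective_source(seed):
    """Constructed stand-in: two players draw locally, P3 adds them modulo M."""
    p1, p2 = random.Random(seed), random.Random(seed + 1)

    def random_int(lo, hi):
        M = hi - lo + 1
        return lo + protocol2(p1.randrange(M), p2.randrange(M), M)

    return random_int


def shuffle_distribution(m):
    """Enumerate every sequence of Protocol 2 outputs the shuffle can consume and count
    the resulting permutations; each of the m! permutations occurs exactly once."""
    counts = Counter()
    for choices in product(*[range(i, m) for i in range(m - 1)]):
        it = iter(choices)
        counts[tuple(knuth_shuffle(m, lambda lo, hi: next(it)))] += 1
    return counts
```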
Using “dummy” players while dealing cards.

We now show how a combination of Protocol 1 and Protocol 2 can be used to deal cards to just 2 players. If we have 2 players, they can use a “dummy” player (e.g., a computer), deal cards to 3 players as in Protocol 1, and then just ignore the “dummy”’s cards, i.e., “put his cards back in the deck”. We note that the “dummy” in this scenario would not generate randomness; it will be generated for him by the other two players using Protocol 2. Namely, if we call the “dummy” $P_3$, then the player $P_1$ would randomly generate $c'$ between 1 and N and send it to $P_3$, and $P_2$ would randomly generate $c''$ between 1 and N and send it to $P_3$. Then $P_3$ would compute his random number as $c_3 = c' + c''$ modulo N.
Similarly, “dummy” players can help k “real” players each get a fixed number s of cards, because Protocol 1 alone is only good for distributing all cards in the deck to the players, dealing each player about the same number of cards. We can introduce m “dummy” players so that $(m + k) \cdot s$ is approximately equal to the number of cards in the deck, and position all the “dummy” players one after another as part of a circuit $P_1 \to P_2 \to \ldots \to P_{m+k} \to P_1$. Then we use Protocol 1 to distribute all cards in the deck to $(m + k)$ players, taking care that each “real” player gets exactly s cards. As in the previous paragraph, “dummy” players have “real” ones generate randomness for them using Protocol 2.

After all cards in the deck are distributed to $(m + k)$ players, “dummy” players send all their cards to one of them; this “dummy” player now becomes a “dummy dealer”, i.e., he will give out random cards from the deck to “real” players as needed in the course of a subsequent game, while randomness itself will be supplied to him by “real” players using Protocol 2.

10. Summary of the properties of our card dealing (Protocols 1 and 2)
Here we summarize the properties of our Protocols 1 and 2 and compare, where appropriate, our protocols to the card dealing protocol of [1].
1. Uniqueness of cards.
Yes, by the very design of Protocol 1.
2. Uniform random distribution of cards.
Yes, because of Protocol 2; see our Proposition 1 in Section 9.2.
3. Complete confidentiality of cards.
Yes, by the design of Protocol 1.
4. Number of secure channels for communication between $k \ge 3$ players: k, arranged in a circuit. By comparison, the card dealing protocol of [1] requires 3k secure channels.
5. Average number of transmissions between $k \ge 3$ players: $O(Nmk)$, where m is the number of cards in the deck, and $N \approx 10$. This is because in Protocol 1, the number of circles (complete or incomplete) each integer makes is either 1 or the minimum of all the counters $c_i$ at the moment when this integer completes the first circle. Since the average of $c_i$ is at most N, we get the result because within one circle (complete or incomplete) there are at most k transmissions. We note that in fact, there is a precise formula for the average of the minimum of the $c_i$ in this situation: $\sum_{j=1}^{N} j^k / N^k$, which is less than N if $k \ge$ …, yielding $O(mk)$ transmissions.
6. Total length of transmissions between $k \ge 3$ players: $Nmk \cdot \log m$ bits. This is just the average number of transmissions times the length of a single transmission, which carries a positive integer between 1 and m. By comparison, the total length of transmissions in [1] is $O(mk \log k)$.
7. Computational cost of Protocol 1:
By comparison, the protocol of [1] requires computing products of up to k permutations from the group $S_k$ to deal just one card; the total computational cost therefore is $O(mk \log k)$.

11. Secret sharing
Secret sharing refers to a method for distributing a secret amongst a group of participants, each of whom is allocated a share of the secret. The secret can be reconstructed only when a sufficient number of shares are combined together; individual shares are of no use on their own.

More formally, in a secret sharing scheme there is one dealer and k players. The dealer gives a secret to the players, but only when specific conditions are fulfilled. The dealer accomplishes this by giving each player a share in such a way that any group of t (for threshold) or more players can together reconstruct the secret but no group of fewer than t players can. Such a system is called a (t, k)-threshold scheme (sometimes written as a (k, t)-threshold scheme).

Secret sharing was invented by Shamir [16] and Blakley [2], independently of each other, in 1979. Both proposals assumed secure channels for communication between the dealer and each player. In our proposal here, the number of secure channels is equal to 2k, where k is the number of players, because in addition to the secure channels between the dealer and each player, we have k secure channels for communication between the players, arranged in a circuit: $P_1 \to P_2 \to \ldots \to P_k \to P_1$.

The advantage over Shamir’s and other known secret sharing schemes that we are going to get here is that nobody, including the dealer, ends up knowing the shares (of the secret) owned by any particular player. The disadvantage is that our scheme is a (k, k)-threshold scheme only.

We start by describing a subroutine for distributing shares by the players among themselves. More precisely, k players want to split a given number into a sum of k numbers, so that each summand is known to one player only, and each player knows one summand only.

11.1. The Subroutine (distributing shares by the players among themselves).
Suppose a player $P_i$ receives a number M that has to be split into a sum of k private numbers. In what follows, all indices are considered modulo k.

(1) $P_i$ initiates the process by sending $M - m_i$ to $P_{i+1}$, where $m_i$ is a random number (could be positive or negative).
(2) Each subsequent $P_j$ does the following. Upon receiving a number m from $P_{j-1}$, he subtracts a random number $m_j$ from m and sends the result to $P_{j+1}$. The number $m_j$ is now $P_j$’s secret summand.
(3) When this process gets back to $P_i$, he adds $m_i$ to whatever he got from $P_{i-1}$; the result is his secret summand.

Now we get to the actual secret sharing protocol.
The protocol (secret sharing (k, k)-threshold scheme). The dealer D wants to distribute shares of a secret number N to k players $P_i$ so that, if $P_i$ gets a number $s_i$, then $\sum_{i=1}^{k} s_i = N$.

(1) D arbitrarily splits N into a sum of k integers: $N = \sum_{i=1}^{k} n_i$.
(2) The loop: at Step i of the loop, D sends $n_i$ to $P_i$, and $P_i$ initiates the above Subroutine to distribute shares $n_{ij}$ of $n_i$ among the players, so that $\sum_{j=1}^{k} n_{ij} = n_i$.
(3) After all k steps of the loop are completed, each player $P_i$ ends up with k numbers $n_{ji}$ that sum up to $s_i = \sum_{j=1}^{k} n_{ji}$. It is obvious that $\sum_{i=1}^{k} s_i = N$.
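The Subroutine and the (k, k)-threshold protocol, as an added Python simulation that is not from the paper; `subroutine` returns all summands only so the simulation can add them up, whereas in the protocol each summand is held by one player alone. The seeded RNG is a constructed stand-in for the players' private random numbers, and players are indexed $P_0, \ldots, P_{k-1}$.

```python
import random


def subroutine(M, i, k, rng):
    """Section 11.1: P_i splits M into k summands, one per player, by one pass around the
    circuit P_i -> P_{i+1} -> ... -> P_{i-1} -> P_i (indices modulo k).
    Returns the summands; in the protocol summands[j] is known to P_j only."""
    summands = [None] * k
    m_i = rng.randint(-10**6, 10**6)          # P_i's private random number
    running = M - m_i                         # (1) P_i sends M - m_i to P_{i+1}
    for step in range(1, k):
        j = (i + step) % k
        m_j = rng.randint(-10**6, 10**6)      # (2) P_j's private random number ...
        summands[j] = m_j                     #     ... becomes P_j's secret summand
        running -= m_j                        #     and P_j forwards the remainder to P_{j+1}
    summands[i] = running + m_i               # (3) back at P_i: add m_i to what arrived
    return summands


def secret_sharing(N, k, seed=0):
    """The (k, k)-threshold protocol. Returns the players' shares s_i and the dealer's
    view, which consists of the n_i only: the dealer never learns any s_i."""
    rng = random.Random(seed)
    n = [rng.randint(-10**6, 10**6) for _ in range(k - 1)]
    n.append(N - sum(n))                      # (1) D splits N = n_1 + ... + n_k arbitrarily
    shares = [0] * k
    for i in range(k):                        # (2) D sends n_i to P_i, who runs the Subroutine
        n_ij = subroutine(n[i], i, k, rng)    #     so that sum_j n_ij = n_i
        for j in range(k):
            shares[j] += n_ij[j]              # (3) P_j accumulates n_ij over all i
    return shares, list(n)


def reconstruct(shares):
    """All k shares are needed; any k - 1 of them sum to an unconstrained random integer."""
    return sum(shares)
```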
Acknowledgement. Both authors are grateful to Max Planck Institut für Mathematik, Bonn for its hospitality during the work on this paper.
References

[1] I. Bárány, Z. Füredi, Mental poker with three or more players, Inform. and Control (1983), 84-93.
[2] G. R. Blakley, Safeguarding cryptographic keys, Proceedings of the National Computer Conference (1979), 313-317.
[3] G. Brassard, C. Crépeau and J.-M. Robert, All-or-nothing disclosure of secrets, in: Advances in Cryptology - CRYPTO ’86, pp. 234-238, Lecture Notes Comp. Sc., Springer, 1986.
[4] D. Chaum, C. Crépeau, and I. Damgård, Multiparty unconditionally secure protocols (extended abstract), Proceedings of the Twentieth ACM Symposium on the Theory of Computing, ACM, 1988, pp. 11-19.
[5] C. Crépeau, A zero-knowledge poker protocol that achieves confidentiality of the players’ strategy or how to achieve an electronic poker face, Advances in Cryptology - CRYPTO ’86, pp. 239-247, Lecture Notes Comp. Sc., Springer, 1986.
[6] I. Damgård, M. Geisler, M. Krøigaard, Homomorphic encryption and secure comparison, Int. J. Appl. Cryptogr. (2008), 22-31.
[7] I. Damgård, Y. Ishai, Scalable secure multiparty computation, Advances in Cryptology - CRYPTO 2006, 501-520, Lecture Notes in Comput. Sci., Springer, Berlin, 2006.
[8] O. Goldreich, Foundations of Cryptography: Volume 1, Basic Tools, Cambridge University Press, 2007.
[9] S. Goldwasser and S. Micali, Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information, in: Proceedings of the 14th Annual ACM Symp. on Theory of Computing, ACM-SIGACT, May 1982, pp. 365-377.
[10] S. Goldwasser, S. Micali, Probabilistic encryption, J. Comput. System Sci. (1984), 270-299.
[11] D. Grigoriev, I. Ponomarenko, Constructions in public-key cryptography over matrix groups, Contemp. Math., Amer. Math. Soc. (2006), 103-119.
[12] R. Impagliazzo and M. Luby, One-way functions are essential for complexity based cryptography, in: FOCS ’89, IEEE Computer Society, 1989, pp. 230-235.
[13] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.
[14] M. Rabin, How to exchange secrets by oblivious transfer, Technical Report TR-81, Aiken Computation Laboratory, Harvard University, 1981.
[15] R. Rivest, Unconditionally Secure Commitment and Oblivious Transfer Schemes Using Private Channels and a Trusted Initializer, preprint, 1999.
[16] A. Shamir, How to share a secret, Comm. ACM (1979), 612-613.
[17] A. Shamir, R. Rivest, and L. Adleman, Mental poker, Technical Report LCS/TR-125, Massachusetts Institute of Technology, April 1979.
[18] A. C. Yao, Protocols for secure computations (Extended Abstract), 23rd Annual Symposium on Foundations of Computer Science (Chicago, Ill., 1982), 160-164, IEEE, New York, 1982.
CNRS, Mathématiques, Université de Lille, 59655, Villeneuve d’Ascq, France
E-mail address: [email protected]

Department of Mathematics, The City College of New York, New York, NY 10031
E-mail address: