5

Alice and Bob are stingy, honorable, but also distrustful. They live far away from each other. They both know that they are the only two people who want to buy an item in an upcoming auction. If only one of them places a qualifying bid, that person will get the item at the minimum price. They agree in a chat that if they can figure out a fair and simple way for them to decide which of them gets to place the bid, they will both honor the result. However, they are distrustful enough so that it is not good enough to decide this by having one of them flip a coin.

TL;DR, how can two people in a chat generate a random bit and be sure that the outcome is not affected by their individual preferences?

  • What does "TL DR" mean? To clarify, I think the distrust issue is that the first person might flip the coin but lie about the result, is that correct? PS: This sounds like a homework problem, so for that it is best to put your thought process and work. – Michael Jan 06 '17 at 19:48
  • 1
    If there is a way for the messages to be sent simultaneously, they could agree to take the XOR of the resulting outputs. – Hans Musgrave Jan 06 '17 at 19:52
  • 1
    Or they could each send an encrypted message containing their chosen bit; then once both messages are sent they could send decryption keys, and the XOR of the result could be evaluated. – Hans Musgrave Jan 06 '17 at 19:54
  • No homework. Just a problem that occurred to me. I am a teacher however. – Jostein Trondal Jan 06 '17 at 19:58
  • @Michael TL;DR = "Too long; didn't read" -- that is, the short version or a summary. – John Jan 06 '17 at 20:36

1 Answer

2

One standard trick is to work with two distinct primes $p,q$ of length $N$ where $N$ is chosen so that computers can work well with numbers of length $N$ but not with numbers of length $2N$. To clarify: $N$ needs to be small enough so that $A$ can readily produce primes of length $N$ and can extract square roots of quadratic residues modulo such primes, but it should be large enough so that $B$ can not factor general numbers of length $2N$. (thanks to @TonyK for correctly suggesting that clarification was needed here).

If $A$ has two such primes she can hand their product, $n=pq$, to $B$ who can not then recover $p,q$. $B$ then takes $m\pmod n$ and computes $m^2\pmod n$, which he then hands to $A$ (to be clear, he hands the residue class of $m^2$, not $m$).

Now, since $A$ knows $p,q$ she can find the square root of $m^2$ modulo both $p,q$. Alas, that gives rise to four possible values, let's call them $\pm m, \pm k$. She guesses which one $B$ started with and hands that back. If she is right, she wins. If she is wrong, $B$ can now factor $n$ and thereby prove that $A$ was wrong, and then $B$ wins.

It's a minor exercise to prove that $B$ can factor $n$ given the four square roots (note that $\gcd(n,m+k)=p$ or $q$ and $B$ can now use the Euclidean Algorithm to find one of the primes).

Note: one drawback to this method is that $B$ can "cheat" in that he can pretend to lose. That is, he can say that $A$ guessed right even if she didn't. This flaw doesn't appear to signify much in your instance (usually it is safe to assume that both parties are actually trying to win).

lulu
  • 70,402
  • 1
    In concrete terms, $p$ and $q$ should each be about $250$ decimal digits long. – TonyK Jan 06 '17 at 20:18
  • @TonyK Thanks! That sounds about right, but I haven't kept up. Last time I coded anything along these lines $100$ would have sufficed, but it's been a while. – lulu Jan 06 '17 at 20:22
  • By the way, computers can "work well with" numbers thousands of digits long. The point is that $N$ must be small enough that we can easily generate primes of length $N$; and large enough so that we can not factorise numbers of length $2N$. These are two quite distinct operations: prime generation is much faster than factorisation. – TonyK Jan 06 '17 at 20:26
  • @TonyK Oh, agreed. Indeed, I expect $B$ to be able to use the Euclidean Algorithm without incident. I thought I made clear that I meant that $B$ couldn't factor $n$... from $A$'s perspective, it's also important that she can extract square roots. That is harder than prime generation, no? – lulu Jan 06 '17 at 20:34
  • Yes, that's right. Extracting square roots modulo $n$, where $n$ is known to be a product of two primes, is exactly as hard as factoring $n$: if you can do one, you can easily do the other. – TonyK Jan 06 '17 at 20:38
  • What is $m$? Where can I find this standard trick in the literature? – Jostein Trondal Jan 07 '17 at 00:12
  • $m$ is a number chosen by $B$. $B$ uses it to compute $m^2 \pmod n$ and passes that residue on to $A$. If, say, $p=43,q=67$ then $n=2881$. $B$ could pick $m=1237$ and then pass $m^2\equiv 358 \pmod n$ back to $A$. Of course, these numbers are far too small, but that's the idea. I don't know a written reference to this idea, sorry. – lulu Jan 07 '17 at 00:16
  • Found a reference, here – lulu Jan 07 '17 at 00:17
  • 1
    The reason I say it is "standard" isn't so much that it is much written about. Rather, it tends to come up when people are looking at RSA type codes. What I sketched uses similar concepts to address a much simpler problem. The security on the procedure I sketched is comparable to RSA security. – lulu Jan 07 '17 at 00:34
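The exchange lulu describes, as an added example in Python that is not part of the answer or of any reference it points to, run on the toy values from the comments ($p=43$, $q=67$, $m=1237$). It assumes both primes are $3 \pmod 4$, which the answer does not require, so that $A$'s root extraction is a single modular exponentiation; $B$'s verification step also carries out the gcd factoring from the answer whenever $A$'s guess is wrong.

```python
from math import gcd
import secrets

# Toy values from the comments: p = 43, q = 67 (n = 2881), B's secret m = 1237.
# Assumption not made in the answer: both primes are 3 mod 4, so a square root
# of a residue a modulo p is a^((p+1)/4) mod p (one exponentiation, no Tonelli).

def sqrt_mod_prime(a, p):
    """One square root of the quadratic residue a modulo a prime p ≡ 3 (mod 4)."""
    r = pow(a, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError("not a quadratic residue")
    return r

def crt(rp, rq, p, q):
    """Combine x ≡ rp (mod p) and x ≡ rq (mod q) into x mod p*q."""
    t = (rq - rp) * pow(p, -1, q) % q
    return (rp + p * t) % (p * q)

def alice_four_roots(c, p, q):
    """A's step: knowing p and q she finds all four square roots of c mod n."""
    rp, rq = sqrt_mod_prime(c, p), sqrt_mod_prime(c, q)
    return sorted({crt(s, t, p, q) for s in (rp, p - rp) for t in (rq, q - rq)})

def bob_commit(m, n):
    """B's step: publish m^2 mod n and keep m secret (needs gcd(m, n) = 1)."""
    if gcd(m, n) != 1:
        raise ValueError("m shares a factor with n")
    return m * m % n

def bob_verify(m, guess, n):
    """B scores A's answer: ('A', None) if she returned ±m, else ('B', factor)."""
    if guess * guess % n != m * m % n:
        raise ValueError("A's answer is not a square root of m^2")
    if guess in (m % n, (-m) % n):
        return "A", None
    # A returned ±k, so gcd(n, m + k) is p or q: B factors n and proves A wrong.
    return "B", gcd(n, m + guess)

def coin_flip(m, p, q, alice_pick=None):
    """Whole exchange; alice_pick (0..3) fixes A's guess, None means random."""
    n = p * q
    c = bob_commit(m, n)                   # B -> A: m^2 mod n
    roots = alice_four_roots(c, p, q)      # A: {±m, ±k}, in sorted order
    guess = roots[alice_pick] if alice_pick is not None else secrets.choice(roots)
    return bob_verify(m, guess, n)         # A -> B: guess; B announces the winner
```

The "pretend to lose" flaw from the answer's note is visible in `bob_verify`: nothing stops $B$ from reporting `("A", None)` for a wrong guess, since only he knows $m$.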