Probabilistic Encryption &
How To Play Mental Poker Keeping Secret All Partial Information

Shafi Goldwasser* and Silvio Micali**

Computer Science Department
University of California - Berkeley

1. Introduction

This paper proposes an Encryption Scheme that possesses the following property: An adversary, who knows the encryption algorithm and is given the cyphertext, cannot obtain any information about the cleartext. Any implementation of a Public Key Cryptosystem, as proposed by Diffie and Hellman in [8], should possess this property.

Our Encryption Scheme follows the ideas in the number theoretic implementations of a Public Key Cryptosystem due to Rivest, Shamir and Adleman [13], and Rabin [12].

Security is based on Complexity Theory: the intractability of some problems in number theory, such as factoring, index finding and deciding whether numbers are quadratic residues with respect to composite moduli, is assumed. In this context, impossibility means computational infeasibility, and proving that a problem is hard means to show it equivalent to one of the above mentioned problems.

The key idea in both the RSA scheme and the Rabin scheme is the selection of an appropriate trapdoor function; an easy to evaluate function f such that x is not easily computable from f(x), unless some extra information is known. To encrypt a message m, one simply evaluates f(m).

We would like to point out two basic weaknesses of this approach:

1) The fact that f is a trapdoor function does not rule out the possibility of computing x from f(x) when x is of a special form. Usually messages do not consist of numbers chosen at random but possess more structure. Such structural information may help in decoding. For example, a function f, which is hard to invert on a generic input, could conceivably be easy to invert on the ASCII representations of English sentences.

2) The fact that f is a trapdoor function does not rule out the possibility of easily computing some partial information about x (even every other bit of x) from f(x). The danger in the case that x is the ASCII representation of an English sentence is self evident. Encrypting messages in a way that ensures the secrecy of all partial information is an extremely important goal in Cryptography. The importance of this point of view is particularly apparent if we want to use encryption to play card games over the telephone. If the suit or color of a card could be compromised the whole game could be invalid.

Though no one knows how to break the RSA or the Rabin scheme, in none of these schemes is it proved that decoding is hard without any assumptions made on the message space. Rabin shows that, in his scheme, decoding is hard for an adversary if the set of possible messages has some density property.

The novelty of our contribution consists of

1. The notion of Trapdoor Functions is replaced by Probabilistic Encryption. To encrypt each message we make use of a fair coin. The encoding of each message will depend on the message plus the result of a sequence of coin tosses. Consequently, there are many possible encodings for each message. However, messages are always uniquely decodable.¹

This research was supported by
* NSF Grant MCS-79-037667
** fellowship from Consiglio Nazionale delle Ricerche - Italy and in part by NSF Grant MCS-79-037667

¹ Probabilistic Encryption is completely different from the technique of appending random bits to a message as suggested in [?] and [16].

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.

© 1982 ACM 0-89791-067-2/82/005/0365 $00.75

365
2. Decoding is easy for the legal receiver of a message, but provably hard for an adversary. Therefore the spirit of a trapdoor function is maintained. In addition, in our scheme, without imposing any restrictions on the message space, we can prove that decoding is equivalent to deciding quadratic residuosity modulo composite numbers.

3. No Partial Information about an encrypted message could be obtained by an adversary. Assume that the message space has an associated probability distribution and that, with respect to this distribution, an easy to compute predicate P (such as "the exclusive or of all the bits in the message is 1") has probability p to be true. Let p ≥ .5 without any loss of generality. Then, without any special ability, an adversary, given the cyphertext, can always guess that P is true for the cleartext, and be correct with probability p.

Based on the assumption that deciding quadratic residuosity modulo composite numbers is hard, we prove that an adversary cannot guess correctly with probability p + ε, from the cyphertext, whether the cleartext satisfies the predicate P, where ε is a non negligible positive real number.

Probabilistic Encryption has been useful for the solution of Mental Poker. The problem whether it is possible to play a "fair" game of Mental Poker has been raised by Robert Floyd. Shamir, Rivest and Adleman proposed an elegant solution to this problem in [14] using commutative encryption functions, but they could not prove that partial information could not be compromised using their scheme. Indeed, several problems in the implementation of their scheme have been pointed out by Lipton in [10].

We present a solution for Mental Poker, for which we can prove, based on the assumption that factoring and deciding quadratic residuosity modulo composite numbers is hard, that not a single bit of information about a card which should remain hidden can be discovered. Our solution does not use commutative encryption functions.

2. The Security of a Public Key Cryptosystem.

All the number theoretic notation used in this section will be defined in section 3.1.

2.1 What is a Public Key Cryptosystem?

The concept of a Public Key Cryptosystem was introduced by Diffie and Hellman in their ingenious paper [8]. Let M be a finite message space, A, B, ... be users, and let m ∈ M denote a message. Let E_A : M → M be A's encryption function, which is ideally bijective, and D_A be A's decryption function such that D_A(E_A(m)) = m for all m ∈ M. In a Public Key Cryptosystem E_A is placed in a public file, and user A keeps D_A private. D_A should be difficult to compute knowing only E_A. To send message m to A, B takes E_A from the public file, computes E_A(m) and sends this message to A. A easily computes D_A(E_A(m)) to obtain m.

2.2 The RSA scheme and the Rabin scheme

The two implementations of a Public Key Cryptosystem most relevant and inspiring for this paper are the RSA scheme [13], due to Rivest, Shamir and Adleman, and its particularization suggested by Rabin [12].

The key idea in both the RSA scheme and the Rabin scheme consists in the selection of an appropriate number theoretic trapdoor function. In the RSA scheme, user A selects N, the product of two large primes p1 and p2, and a number s such that s and φ(N) are relatively prime, where φ is the Euler totient function. A puts N and s in a public file and keeps the factorization of N private. Let Z_N* = {x | 1 ≤ x ≤ N − 1 and x and N are relatively prime}. For every message m ∈ Z_N*, E_A(m) = m^s mod N. Clearly, the ability to take s-th roots mod N implies the ability to decode. A, who knows the factorization of N, can easily take s-th roots mod N. No efficient way to take s-th roots mod N is known when the factorization of N is unknown.

About the RSA scheme Rabin remarks that, for all we know, inverting the function x^s mod N may be a hard problem in general, and yet easy for a large percentage of the x's. He suggests to modify the RSA scheme by choosing s = 2. Thus, for all users A, E_A(x) = x² mod N. Notice that E_A is a 4-1 function because our N is the product of two primes. In fact, every quadratic residue mod N, i.e. every q such that q ≡ x² mod N for some x ∈ Z_N*, has four square roots mod N: ±x mod N and ±y mod N. As A knows the factorization of N, upon receiving the encrypted message m² mod N, he could compute its four square roots and get the message m. The ambiguity in decoding could be eliminated, for example, by sending the first 20 digits of m in addition to m² mod N. Such extra information cannot effectively help in decoding: we could always guess the first 20 digits of m.

The following theorem shows how hard it is to invert Rabin's function x² mod N.

Theorem (Rabin): If for 1% of the q's quadratic
residues mod N one could find one square root of q, then one could factor N in Random Polynomial Time.

The theorem follows from the following lemma that we state without proof.

Lemma 1: Given x, y ∈ Z_N* such that x² ≡ y² mod N and x ≢ ±y mod N, there is a polynomial time algorithm to factor N. (In fact the greatest common divisor of N and x ± y is a factor of N).

Informal proof of Rabin's theorem: Assume that we have a magic box B such that given q, a quadratic residue mod N, for 1% of the q's it outputs one square root of q mod N. Then we could factor N by iterating the following step: Pick i at random in Z_N* and compute q = i² mod N. Feed the magic box B with q. If B outputs a square root of q different from i or −i mod N, then (by the above lemma) we factor N.

The expected number of iterations is low, as at each step we have a 0.5% chance to factor N.

2.3 Objections to Cryptosystems based on Trapdoor Functions

Covering one's face with a handkerchief certainly helps to hide personal identity. However:

1) It will not hide from me the identity of a special subset of people: my mother, my sister, close friends.

2) I can gather a lot of information about the people I cannot identify: their height, their hair color and so on.

Essentially, the same kind of problems may arise in the RSA scheme and in the Rabin scheme and, more generally, in any other Public Key Cryptosystem based on Trapdoor Functions:

1) The fact that f is a Trapdoor Function does not rule out the possibility of computing x from f(x) when x is of special form.

2) The fact that f is a trapdoor function does not rule out the possibility of easily computing some partial information about x from f(x).

2.4 Discussion of Objection 1

One may argue that Rabin's Public Key Cryptosystem is as hard to break as factoring in the following way: whoever can get messages m from their encryptions m² mod N 1% of the time, is actually realizing the magic box of Rabin's theorem and thus could efficiently factor N.

We would like to point out the following fact.

Claim: If M, the set of messages, is "sparse" in Z_N*, the ability to decode 1% of all messages does not yield a random polynomial time algorithm for factoring.

By "sparse" we mean that for a randomly chosen x ∈ Z_N*, the probability that x is a message is virtually 0.

Let f(x) = x² mod N. Assume that we are able to invert the function f only on f(M). Then we would have a magic box MB which, fed m² mod N, would output m whenever m ∈ M; and fed q, outputs nothing whenever q ∉ {m² mod N | m ∈ M}, except, at most, for a negligible portion of the q's. With the use of such a magic box we could decode, but not factor N efficiently. Using such MB, let us look at the above informal proof of Rabin's theorem. If we pick m ∈ M and feed m² mod N into MB, then we get back m and we cannot factor. If we pick i ∉ M and feed i² mod N to MB, then the probability that one square root of i² mod N different from i belongs to M is practically 0 and we get no answer.

2.5 Discussion of Objection 2

We would like to define a Public Key Cryptosystem to be secure if an adversary, given the cyphertext, cannot obtain any partial information about the cleartext. This latter notion needs to be formalized:

Let P be any easy to evaluate, non constant, boolean predicate defined on the message space M. Let m ∈ M. If, given the encryption of m, an adversary can efficiently compute the value of P(m), then partial information about m can be obtained from the encryption of m.

Notice that, according to the above definition, no Public Key Cryptosystem based on trapdoor functions is secure. In fact, if E_A is a trapdoor function, the following predicate P, defined on the cleartext, is easy to evaluate from the cyphertext: P(x) is true if and only if E_A(x) is even. We can avoid such problems using Probabilistic Encryption.

We know that some decision problems may be hard to solve for particular inputs, but easy to solve for most of the inputs. In view of the special purpose of Cryptography, the requirement that obtaining partial information should be difficult needs to be strengthened.

Assume that the message space has an associated probability distribution and that, with respect to this distribution, a predicate P has a probability p to be true. Without loss of generality, let p ≥ 0.5.

Definition: An adversary has an ε advantage in evaluating the predicate P, if he can correctly guess the value of P relative to the cleartext with probability greater than p + ε.

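The 4-to-1 property of x² mod N, Lemma 1 and the informal proof of Rabin's theorem from sections 2.2 and 2.4 above, worked on a toy modulus. This is an added example and not code from the paper; the primes 11 and 19 and the exhaustive-search "magic box" are constructed so that all of Z_N* can be enumerated, which is exactly what is not possible for a real N.

```python
"""Added example, not from the paper: Rabin's 4-to-1 squaring map, Lemma 1 and the
reduction of the informal proof of Rabin's theorem.  N = 11 * 19 is a constructed toy
modulus, so the 'magic box' can simply search Z_N*; for a real N no such box is known."""
import random
from math import gcd


def square_roots(q, N):
    """All x in Z_N* with x^2 = q (mod N), by exhaustive search (fine only for tiny N).
    A residue mod N = p1*p2 has exactly four: +-x and +-y."""
    return [x for x in range(1, N) if gcd(x, N) == 1 and x * x % N == q]


def factor_from_roots(x, y, N):
    """Lemma 1: if x^2 = y^2 (mod N) but x != +-y (mod N), gcd(N, x - y) is a proper factor."""
    assert (x * x - y * y) % N == 0
    assert x % N != y % N and x % N != (-y) % N
    d = gcd(N, x - y)
    assert 1 < d < N
    return d


def one_root_box(q, N):
    """Plays the role of Rabin's box B: returns one square root of q, or None if q is a
    non-residue.  Constructed to answer on every residue, far more than the 1% of the theorem."""
    roots = square_roots(q, N)
    return roots[0] if roots else None


def rabin_reduction(N, box, rng=random, max_steps=200):
    """Informal proof of Rabin's theorem: square a random i, ask the box for a root of i^2
    and factor via Lemma 1 whenever the answer is neither i nor -i.  Two of the four roots
    are useful, so each attempt succeeds with probability 1/2 against this box."""
    for _ in range(max_steps):
        i = rng.randrange(2, N)
        if gcd(i, N) != 1:
            return gcd(i, N)            # i itself already exposes a factor
        r = box(i * i % N, N)
        if r is not None and r != i and r != N - i:
            return factor_from_roots(i, r, N)
    return None                          # box never gave a useful root


if __name__ == "__main__":
    N = 11 * 19
    print(square_roots(4, N))            # the four roots of the residue 4
    print(rabin_reduction(N, one_root_box, random.Random(0)))
```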
We are now able to restate the previous partial information definition.

Definition: A Public Key Cryptosystem is ε secure if an adversary does not have an ε advantage in evaluating, given the cyphertext, any easy to compute predicate relative to the cleartext.

Based on the assumption that deciding quadratic residuosity modulo composite numbers is hard, we introduce an ε-secure Public Key Cryptosystem, for every non negligible, positive, real number ε. Let us first deal with the question of sending securely a single bit in a Public Key Cryptosystem. This question, closely related to the security of Partial Information, has been raised by Brassard in [?].

2.6 Attempts to Send a Single Bit Securely in Public Key Cryptosystems based on TrapDoor Functions

Suppose that user B wants to send a single bit message to user A in great secrecy. The bit is equally likely to be a 0 or a 1. B wants no adversary to have a 1% advantage in guessing correctly his message. B knows that E_A is hard to invert and tries to make use of this fact in the following way.

Idea 1: All users in the system agree on an integer i. User B selects r ∈ M at random, except for the ith bit of r, which will be his message. B sends E_A(r) to A.

A can decode and thus get the desired bit. But what can an adversary do?

Danger: let y = E_A(x), where E_A is a one way function. Then, given y, it could be difficult to compute x but not a specific bit of x.

Example: let p be a large prime such that p − 1 has at least one large prime factor. Let g be a generator for Z_p*. Then y ≡ g^x mod p is a well known one-way function. But, even though it is difficult to compute x from g^x mod p (the index finding problem), it is easy to get the last bit of x. In fact, x ends in 0 if and only if y is a quadratic residue mod p. For p prime we have fast random polynomial time algorithms to test quadratic residuosity, see [10].

The following idea was suggested by Donald Johnson.

Idea 2: B selects 8 ≤ i ≤ 100 at random, and sets the ith bit of x to the bit he wants to communicate. The remaining 93 bits of x are chosen at random, except for the first 7 bits of x, which specify location i. B sends E_A(x) to A.

Danger: If, given E_A(x), we can easily compute the first 7 bits of x and one of the last 93 bits of x, then we could guess B's message with a 1/98 advantage.

Summarizing: There are many ways in which a single bit could be "embedded" in a binary number x. Taking the "exclusive or" of all the digits of x is just one more example. However, given y = E_A(x), being able to discover some particular bits embedded in x DOES NOT CONTRADICT the fact that it is hard to compute x. Then, what is a secure way to send a single bit? The answer to this problem is discussed in the next section.

3. DECIDING QUADRATIC RESIDUOSITY IS HARD ON THE AVERAGE

The symbol (x,N) will denote the greatest common divisor of x and N. We use Pr(X) to denote the probability of the event X. We let Z_N* = {x | 1 ≤ x ≤ N − 1 and (x,N) = 1}.

3.1 Background and Notation

Given q ∈ Z_N*, is q ≡ x² mod N solvable? If N is prime, then the answer to this question is easily computed. If a solution exists, q is said to be a quadratic residue mod N. Otherwise q is said to be a quadratic non-residue mod N.

From now on let p1 and p2 be odd, distinct primes and N = p1p2. Then, q ≡ x² mod N is solvable if and only if both q ≡ x² mod p1 and q ≡ x² mod p2 are solvable. If this is the case, q is said to be a quadratic residue mod N, otherwise q is said to be a quadratic non-residue mod N. We will call the problem of determining whether an element q ∈ Z_N* is a quadratic residue the quadratic residuosity problem.

Let p be an odd prime and q ∈ Z_p*, then the Jacobi symbol (q/p) equals 1 if q is a quadratic residue mod p and −1 otherwise. The Jacobi symbol (q/N) is defined as (q/N) = (q/p1)(q/p2). Despite the fact that the Jacobi symbol (q/N) is defined through the factorization of N, (q/N) is computable in polynomial time even when the factorization of N is not known!

It is easy to see, from the above definitions, that if (q/N) = −1 then q must be a quadratic non-residue mod N. In fact, q must be a quadratic non-residue either mod p1 or mod p2. However, if (q/N) = +1, then either q is a quadratic residue mod N or q is a quadratic non-residue for both the prime factors of N.

Let us count how many of the q's, such that (q/N) = 1, are actually quadratic residues.

Theorem: Let p be an odd prime. Then Z_p* is a cyclic group.

Theorem: Let g be a generator for Z_p*, then g^s mod p is a quadratic residue if and only if s is even.

Corollary: Half of the numbers in Z_p* are quadratic residues and half are quadratic non-residues.

Theorem: Let N = p1p2 where p1 and p2 are distinct odd primes. Then half of the numbers in Z_N* have Jacobi symbol equal to −1 and thus are quadratic non-residues. The Jacobi symbol of the rest of the numbers is 1. Exactly half of these latter ones are quadratic residues.

3.2 A Difficult Problem in Number Theory.

If the factorization of N is not known and (q/N) = 1, then there is no known procedure for deciding whether q is a quadratic residue mod N. This decision problem is well known to be hard in Number Theory. It is one of the main four algorithmic problems discussed by Gauss in his "Disquisitiones Arithmeticae" (1801). A polynomial solution for it would imply a polynomial solution to other open problems in Number Theory, such as deciding whether a composite n, whose factorization is not known, is the product of 2 or 3 primes, see open problems 9 and 15 in Adleman [3]. Recently, Adleman [1] showed that a generalization of quadratic residuosity is equivalent to factoring. Using this generalized notion in our protocol, we could base the security of our cryptosystem on factoring. At present, we await the final version of Adleman's paper.

Assumption: Let 0 < ε < 1. For each positive integer k, let C_{k,ε} be the minimum size of circuits C that decide correctly quadratic residuosity mod n for a fraction ε of the k bit integers n. Then, for every 0 < ε < 1 and every polynomial Q, there exists δ_{ε,Q} such that k > δ_{ε,Q} implies C_{k,ε} > Q(k).

3.4 A number theoretic result.

We want to show that deciding whether q is a quadratic residue mod N is not hard in some special cases, but is hard on the average in a very strong sense. In order to do so, let us recall the weak law of large numbers:

If y1, y2, ..., yk are k independent Bernoulli variables such that yi = 1 with probability p, and S_k = y1 + ... + yk, then for real numbers ψ, δ > 0, k ≥ 1/(4δψ²) implies that Pr(|S_k/k − p| < ψ) ≥ 1 − δ.

Notice that k is bounded by a polynomial in ψ⁻¹ and δ⁻¹.

Let A_N = {x | x ∈ Z_N* and (x/N) = 1}.

Definition: For a composite number N, and for a real number 0 < ε ≤ 1/2, we say that we can guess with ε advantage whether q drawn at random from A_N is a quadratic residue mod N if we can, in polynomial(|N|) time, guess quadratic residuosity mod N correctly for at least 1/2 + ε of the elements of A_N.

Theorem 1: Let 0 < ε ≤ 1/2, 0 < δ ≤ 1 be non-negligible numbers. Suppose we could guess, with an ε advantage, whether q, drawn at random from A_N, is a quadratic residue mod N. Then we could decide quadratic residuosity of any integer mod N with probability 1 − δ by means of a polynomial in |N|, ε⁻¹ and δ⁻¹ time probabilistic algorithm.

Proof: Assume, to the contrary, that we have a polynomial time magic box MB which guesses correctly whether q ∈ A_N is a quadratic residue mod N, for 1/2 + ε of the elements of A_N.

Let,
α = Pr(MB answers "q is a quadratic residue" | q is a quadratic residue mod N)
β = Pr(MB answers "q is a quadratic residue" | q is a quadratic non-residue mod N, q ∈ A_N).

The fraction of A_N on which MB is correct equals (1/2)(α + 1 − β). In order for MB to have an ε advantage, it must be that α − β ≥ 2ε. However, α need not be equal to 1/2 + ε. We will now show how to get a good estimate for α.

Construct a sample of k quadratic residues chosen at random in Z_N* (the value of k will be defined later on). This can be easily done by picking s1, ..., sk at random in Z_N* and squaring them mod N.

Initialize two counters R and NR to 0. Feed each s_i² to MB. Every time that MB answers "quadratic residue", increment the R counter. Every time that MB answers "quadratic non residue", increment the NR counter.

Let ψ be a suitable fraction of ε. If k is chosen to be suitably large, k ≥ 1/(4δψ²), the weak law of large numbers assures that Pr(|R/k − α| < ψ) ≥ 1 − δ, i.e. R/k is a very good approximation to how well MB guesses if the inputs are only quadratic residues.

We are now ready to determine the quadratic residuosity of elements in A_N.

Let q be an element of A_N that we want to test for quadratic residuosity. Randomly generate k quadratic residues, z1, ..., zk, elements of Z_N*, and compute y_i ≡ q z_i mod N for i = 1, ..., k. Notice that

a) if q is a quadratic residue, then the y_i's are random quadratic residues in Z_N*;

b) if q is a quadratic non-residue in A_N, then the y_i's are random quadratic non-residues in A_N.

Let us postpone the proof of (a) and (b) and assume, for the time being, that they are true.

Initialize two counters R' and NR' to 0. Feed the sample {y_i} into MB. Increment R' every time that MB answers "quadratic residue", and NR' every time that MB answers "quadratic non-residue". We know that if q is a quadratic residue, then Pr(|R'/k − R/k| ≤ 2ψ) ≥ (1 − δ)², and if q is a quadratic non-residue then Pr(|R'/k − R/k| ≤ 2ψ) < 1 − (1 − δ)². Thus if |R'/k − R/k| ≤ 2ψ then with probability greater than 1 − δ, q is a quadratic residue mod N; otherwise, again with probability greater than 1 − δ, q was a quadratic non-residue mod N.

We still need to prove (a) and (b). We will only prove (a) as the proof for (b) is similar. It will suffice to prove that, given any quadratic residue q, any other quadratic residue y in Z_N* can be uniquely written as y = qx where x is a quadratic residue mod N. It is a well known theorem in algebra that Z_N* = Z_p1* × Z_p2*. Thus let a and b be generators for Z_p1* and Z_p2* such that (a,p2) = 1 and (b,p1) = 1. Then any element of Z_N* can be written uniquely as a^i b^j where 1 ≤ i ≤ p1 − 1 and 1 ≤ j ≤ p2 − 1. Moreover, q is a quadratic residue mod N if and only if it can be written as q = a^{2i} b^{2j} where 1 ≤ 2i ≤ p1 − 1 and 1 ≤ 2j ≤ p2 − 1. Thus if y = a^{2s} b^{2t} is any quadratic residue and x = a^{2(s−i)} b^{2(t−j)}, then y = qx, and part (a) is proved.

Theorem 2: Let r ∈ A_N be a publicized quadratic non-residue mod N. Let 0 < ε ≤ 1/2, 0 < δ ≤ 1 be non-negligible numbers. Suppose we could guess with an ε advantage whether q, drawn at random from A_N, is a quadratic residue mod N. Then we could decide quadratic residuosity of any integer mod N with probability 1 − δ by means of a polynomial in |N|, ε⁻¹ and δ⁻¹ time probabilistic algorithm.

Proof:

Assume first that given any r quadratic non-residue mod N, r ∈ A_N, someone could build a polynomial time magic box MB_r that has an ε advantage in distinguishing between quadratic residues and non-residues mod N. We will show that even if one is not given such an r, quadratic residuosity can still be decided.

Construct a set T consisting of 20 elements [text missing in this copy] in Theorem 1. Also pick y1, ..., y20 at random from A_N. Again, with very high probability, at least one of the y_i's will be a quadratic non-residue. Now, construct samples H_i = {y_i s | s ∈ S}, and feed them into MB_x.

a) If MB_x performs on all the H_i's as it performed on S, then go to the next element in T. Halt if all elements in T have been used.

b) If MB_x performs "significantly" differently on, say, H_i than it did on S, halt.

If case (b) occurs then y_i is a quadratic non-residue and, most importantly, we obtain a magic box, MB_x, which distinguishes between quadratic residues and non-residues in random polynomial time.

Case (b) occurs when there is an x ∈ T which is a quadratic non-residue mod N, and at least one of its corresponding y_i's is a quadratic non-residue mod N. Thus case (b) occurs with probability 1 − [term illegible in this copy]. This contradicts our assumption that deciding quadratic residuosity is hard.

In the above, we assumed that given any quadratic non-residue r ∈ A_N, one could construct a magic box MB_r, having an ε advantage in deciding quadratic residuosity, and we derived a contradiction.

Suppose one is able to build a MB_r, having an ε advantage in deciding quadratic residuosity, only for 1% of the quadratic non-residues r ∈ A_N. Then all that would be changed in the above proof would be the size of the set T, so that T will include a suitable r.

4. HOW TO SEND MESSAGES IN A PUBLIC KEY CRYPTOSYSTEM IN A PROVABLY SECURE WAY

Every user in the system publicizes a large composite number N whose factorization, N = p1p2, he alone knows, and y ∈ A_N such that y is a quadratic non-residue mod N.

Let N be the public key of user A. Suppose user B wants to send A a binary message m = (m1, ..., mk). Then, for each m_i, B randomly picks an x_i ∈ Z_N*, and sets

e_i ≡ x_i² mod N if m_i is a 0,
e_i ≡ y x_i² mod N if m_i is a 1.
c h o s e n a t r a n d o m f r o m AN'. With p r o b a b i l i t y
1- ( 1 / 2 ) 2° one of t h e e l e m e n t s in T will be a B sends (e l..... e~) to A.
q u a d r a t i c n o n - r e s i d u e m o d N. F o r e a c h z • T
do t h e following: To d e c o d e m , user A, w h o k n o w s the factors
of N, reconstructs m by letting
Choose k as in t h e o r e m 1. C o n s t r u c t MBz
a n d t e s t its p e r f o r m a n c e on k r a n d o m qua- i if e i is a quadratic residue rood N
d r a t i c r e s i d u e s , S = [ s 1. . . . . ski, as we did ~'r%i~- 0 if e i a is quadratic n o n residue m o o N

370
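The bit-by-bit scheme just described, run end to end, as an added example that is not code from the paper: the sender squares a fresh random $x_i$ and multiplies by the public pseudo-square $y$ for a 1 bit; the receiver decodes with Euler's criterion modulo each prime factor, which is exactly the test Lemma 2 below relies on. The primes 1019 and 1031 and the function names are constructed for the example; every ciphertext element is also checked to have Jacobi symbol 1, the one residuosity test available without the factors.

```python
"""Goldwasser-Micali bit-by-bit encryption from section 4, with the decoder
of Lemma 2 (Euler's criterion modulo each prime factor).

Added example, not code from the paper; the primes are small constructed
values so the script runs instantly."""
import math
import random


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion:
    a^((p-1)/2) is 1 mod p for residues and p-1 for non-residues."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def is_quadratic_residue(q, p1, p2):
    """Lemma 2: q is a square mod N = p1*p2 iff it is a square mod p1 AND mod p2."""
    return legendre(q, p1) == 1 and legendre(q, p2) == 1


def random_unit(n, rng):
    """Random element of Z_N^* (coprime to N)."""
    while True:
        x = rng.randrange(2, n - 1)
        if math.gcd(x, n) == 1:
            return x


def keygen(p1, p2, rng):
    """Public key (N, y): y is a non-residue mod both primes, so it is a
    non-residue mod N but has Jacobi symbol (y/N) = (-1)(-1) = 1, i.e. y in A_N*."""
    n = p1 * p2
    while True:
        y = random_unit(n, rng)
        if legendre(y, p1) == -1 and legendre(y, p2) == -1:
            return (n, y), (p1, p2)


def encrypt(bits, public_key, rng):
    """Sender B: e_i = x_i^2 for a 0 bit, y * x_i^2 for a 1 bit, fresh x_i each time."""
    n, y = public_key
    cipher = []
    for m in bits:
        sq = pow(random_unit(n, rng), 2, n)
        cipher.append(sq if m == 0 else (y * sq) % n)
    return cipher


def decrypt(cipher, secret_key):
    """Receiver A: a residue decodes to 0, a non-residue to 1."""
    p1, p2 = secret_key
    return [0 if is_quadratic_residue(e, p1, p2) else 1 for e in cipher]


def jacobi_symbols(cipher, secret_key):
    """(e/N) = (e/p1)(e/p2), the same value an eavesdropper gets from the
    Jacobi algorithm without the factors; it is 1 for every ciphertext
    element, so it says nothing about the bit."""
    p1, p2 = secret_key
    return [legendre(e, p1) * legendre(e, p2) for e in cipher]


def demo(seed=1):
    rng = random.Random(seed)
    public, secret = keygen(1019, 1031, rng)   # constructed primes, both 3 mod 4
    bits = [0, 1, 1, 0, 1, 0, 0, 1]
    cipher = encrypt(bits, public, rng)
    return {"bits": bits,
            "recovered": decrypt(cipher, secret),
            "jacobi": jacobi_symbols(cipher, secret),
            "y_is_residue": is_quadratic_residue(public[1], *secret),
            # probabilistic encryption: the same bits encrypt differently each time
            "two_encryptions_differ": encrypt(bits, public, rng) != cipher}
```

Decryption never needs $y$: the receiver only asks whether each $e_i$ is a square modulo both factors, which is why the scheme tolerates any message distribution.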
Testing whether $q \in A_N^*$ is a quadratic residue mod $N$, when the factorization of $N$ is known, is easy by the following lemma.

Lemma 2: If the factorization of $N$ is known, we can test whether there exists an $x$ such that $q \equiv x^2 \bmod N$ in polynomial time.

Proof: $q$ is a quadratic residue mod $N$ if and only if $q$ is a quadratic residue mod $p_1$ AND mod $p_2$. For a prime $p$, $q$ is a quadratic residue mod $p$ if and only if $q^{(p-1)/2} = 1 \bmod p$. Thus, to test whether $q$ is a quadratic residue mod $N$ we need only compute $q^{(p_1-1)/2} \bmod p_1$ and $q^{(p_2-1)/2} \bmod p_2$.

We now address the question of the security of the newly proposed Public Key Cryptosystem. Let $E(x)$ stand for our new encryption function and let $M$ be the set of all possible messages.

The definition of security in a Public Key Cryptosystem is very difficult. It depends on the model assumed of the possible behavior of an adversary. At present, we assume that an adversary may intercept $E(m)$ and try to extract information about $m$. He can make use only of a computer, the cyphertext and the a priori knowledge of the message space $M$. No restrictions on $M$ are assumed.

Notice that in our scheme, differently from the RSA, an adversary, given $E(m)$, may be lucky in guessing $m$ correctly and yet not be able to prove the correctness of his guess. However, the possibility of understanding a message, without being able to prove what it is, is still dangerous for the security of the Public Key Cryptosystem.

We show that, given $E(m)$ for $m \in M$, if an adversary can do better than guessing $m$ at random, then deciding quadratic residuosity of any integer mod $N$ is easy.

Recall that $A_N^* = \{x \in Z_N^* \mid (x/N) = 1\}$.

Definition: Let $x \in A_N^*$. The signature of $x$, $\sigma_N(x)$, is defined as
$$\sigma_N(x) = \begin{cases} 1 & \text{if } x \text{ is a quadratic residue mod } N \\ 0 & \text{if } x \text{ is a quadratic non-residue mod } N. \end{cases}$$

Let $S_N^n$ be the set of all sequences of $n$ elements from $A_N^*$.

Definition: Let $s = (x_1, \ldots, x_n) \in S_N^n$. The $n$-signature of $s$, $\Sigma_N(s)$, is defined to be the string $\Sigma_N(s) = \sigma_N(x_1)\,\sigma_N(x_2) \cdots \sigma_N(x_n)$.

Definition: A decision function is a function $d: S_N^n \to \{0,1\}$.

Let $a = (a_1, \ldots, a_n)$ and $b = (b_1, \ldots, b_n)$ be $n$-signatures.

Definition: The distance between $a$ and $b$ is defined to be the number of positions in which $a$ and $b$ differ. We say that $a$ and $b$ are adjacent if the distance between them is 1.

For any decision function $d$ and $n$-signature $l$, let $P_d(l): \{0,1\}^n \to [0,1]$ be defined as
$$P_d(l) = \Pr\big(d(x) = 1 \mid \Sigma_N(x) = l \text{ for } x \in S_N^n\big).$$

Theorem 3: Let $0 < \varepsilon \le 1$ and $0 < \delta \le 1$ be non-negligible numbers. If there exists a decision function $d$ which is easy to compute, and two $n$-signatures, $u$ and $v$, have been found such that $|P_d(u) - P_d(v)| > \varepsilon$, then we can decide quadratic residuosity of any integer mod $N$ with probability $1-\delta$ by means of a polynomial (in $|N|$, $\varepsilon^{-1}$ and $\delta^{-1}$) time probabilistic algorithm.

Proof: Suppose there exists a decision function $d$ and two $n$-signatures $u$ and $v$ such that $|P_d(u) - P_d(v)| > \varepsilon$. Let $\Delta$ be the distance between $u$ and $v$. Let $a_0, a_1, \ldots, a_\Delta$ be a sequence of $n$-signatures such that $a_0 = u$, $a_\Delta = v$ and $a_i$ is adjacent to $a_{i+1}$ for $0 \le i < \Delta$. As $|P_d(u) - P_d(v)| > \varepsilon$, there must exist $i$, $0 \le i \le \Delta - 1$, such that $|P_d(a_i) - P_d(a_{i+1})| \ge \varepsilon/n$. For convenience, let $s = a_i$ and $t = a_{i+1}$.

Let us choose $\gamma = \varepsilon/(4n)$. Also, let $k \ge 1/(\delta\gamma^2)$. Choose $k$ elements $x_1, \ldots, x_k$ at random from $Q_s = \{x \in S_N^n \mid \Sigma_N(x) = s\}$ and $k$ elements $y_1, \ldots, y_k$ at random from $Q_t = \{x \in S_N^n \mid \Sigma_N(x) = t\}$. Then, by the weak law of large numbers,
$$\Pr\left(\left|P_d(s) - \frac{d(x_1)+\cdots+d(x_k)}{k}\right| > \gamma\right) < \frac{\delta}{4}$$
and
$$\Pr\left(\left|P_d(t) - \frac{d(y_1)+\cdots+d(y_k)}{k}\right| > \gamma\right) < \frac{\delta}{4}.$$
Set
$$\bar{s} = \frac{d(x_1)+\cdots+d(x_k)}{k}, \qquad \bar{t} = \frac{d(y_1)+\cdots+d(y_k)}{k}.$$

As $s = (s_1, \ldots, s_n)$ and $t = (t_1, \ldots, t_n)$ are adjacent, they differ in exactly one location. Call this location $r$. Let us assume, without loss of generality, that $s_r = 1$ and $t_r = 0$.

We will now show that we can decide quadratic residuosity mod $N$ with probability greater than $1-\delta$. Let $q$ be an element of $A_N^*$ that we want to test for residuosity. Choose $k$ random quadratic residues in $A_N^*$: $x_1^2, \ldots, x_k^2$, and compute $y_j = q \cdot x_j^2 \bmod N$ for $1 \le j \le k$. By theorem 1, the $y_j$'s are all quadratic residues if
$q$ is a quadratic residue, and all quadratic non-residues in $A_N^*$ otherwise.

In theorem 2 we showed that knowing a non-residue in $A_N^*$ does not help in deciding quadratic residuosity. Therefore we can assume that such a non-residue, $h$, is known. This allows us to pick quadratic non-residues at random from $A_N^*$ (by computing $h x^2$).

We are now ready to decide whether $q$ is a quadratic residue.

(* Construct a random sample of $k$ elements $(y_{1,1}, \ldots, y_{1,n}), \ldots, (y_{k,1}, \ldots, y_{k,n}) \in S_N^n$ such that for all $1 \le i \le n$, $i \ne r$, $1 \le j \le k$, $\sigma_N(y_{j,i}) = s_i$, and for all $1 \le j \le k$, $y_{j,r} = y_j$. *)

For $i = 1, \ldots, r-1, r+1, \ldots, n$ do
begin
    For $j = 1, \ldots, k$ do
        draw $x \in A_N^*$ at random.
        if $s_i = 1$ then $y_{j,i} := x^2 \bmod N$
        else if $s_i = 0$ then $y_{j,i} := h x^2 \bmod N$
end.

(* Evaluate the decision function $d$ on each member of the sample *)

For $j = 1, \ldots, k$ do
    $x_j = d(y_{j,1}, \ldots, y_{j,r-1}, y_j, y_{j,r+1}, \ldots, y_{j,n})$

Notice that the entire sample is either a subset of $Q_s$ or a subset of $Q_t$. Thus with probability greater than $1-\delta$ one of the following two mutually exclusive events will occur:
$$(1)\quad \left|\frac{x_1+\cdots+x_k}{k} - \bar{s}\right| < \frac{\varepsilon}{2n}$$
or
$$(2)\quad \left|\frac{x_1+\cdots+x_k}{k} - \bar{t}\right| < \frac{\varepsilon}{2n}.$$
If case (1) occurs, we conclude, with probability greater than $1-\delta$, that $q$ is a quadratic residue. Otherwise, we conclude, again with probability greater than $1-\delta$, that $q$ is a quadratic non-residue.

The notion of a decision function is immediately generalized to that of a discriminating function. This is a decision function which can take on more than 2 values. For any nonempty set $\Omega$, let $D: S_N^n \to \Omega$. Let $a \in \Omega$; then
$$P_{D,a}(l) = \Pr\big(D(x) = a \mid \Sigma_N(x) = l \text{ for } x \in S_N^n\big).$$
The following theorem is an easy extension of theorem 3 and we will state it without proof.

Theorem 4: Let $0 < \varepsilon \le 1$ and $0 < \delta \le 1$ be non-negligible numbers. If there exists a discriminating function $D: S_N^n \to \Omega$ which is easy to compute, and two $n$-signatures, $u$ and $v$, have been found such that $|P_{D,a}(u) - P_{D,a}(v)| > \varepsilon$, then we can decide quadratic residuosity of any integer mod $N$ with probability $1-\delta$ by means of a polynomial (in $|N|$, $\varepsilon^{-1}$ and $\delta^{-1}$) time probabilistic algorithm.

Let us introduce some more notation. Let $M^n = \{m_1, m_2, \ldots\}$ be the set of messages whose length is $n$, where $n$ is bounded by a polynomial function in $|N|$. Set $k = |M^n|$. Let $M_i$ be the set of all possible encodings of message $m_i \in M^n$, using the scheme described at the beginning of this section. Clearly, $M_i \subset S_N^n$ and for all $i$ and $j$, $|M_i| = |M_j|$. Set $X = |M_i|$.

4.1 The Security of Partial Information

In the present version of the paper, we assume that all messages in $M^n$ are equally likely. Let $P$ be an easy to evaluate predicate defined on $M^n$. Let $p$ be the probability that $P(x)$ is true for a random $x \in M^n$. Since $M^n$ is uniformly distributed and $|M^n| = k$, $P$ must evaluate to 1 on $pk$ messages in $M^n$.

Let $MB$ be a magic box that receives as input the cyphertext $E(m) \in S_N^n$, where $m \in M^n$, and outputs 0 or 1, its guess for the value of $P(m)$. Let $0_j$ be the number of 0's and let $1_j$ be the number of 1's that $MB$ guesses on encodings of $m_j$. Clearly, $0_j + 1_j = X$. Let
$$C_j = \begin{cases} 1_j & \text{if } P(m_j) = 1 \\ 0_j & \text{if } P(m_j) = 0. \end{cases}$$
Thus $C_j$ represents the number of encodings of message $m_j$ on which $MB$ correctly guesses the value of $P(m_j)$.

Theorem 5: Let $0 < \delta < 1$ be a non-negligible real number. If $\frac{1}{kX}\sum_{j=1}^{k} C_j = \varepsilon + p$ for some non-negligible real $\varepsilon > 0$, then we could decide quadratic residuosity of any integer mod $N$ with probability $1-\delta$ by means of a polynomial in $|N|$, $\varepsilon^{-1}$ and $\delta^{-1}$ time probabilistic algorithm.

Proof: Let us partition $M^n$ into $10/\varepsilon$ buckets, $M^n = \bigcup_{i=1}^{10/\varepsilon} B_i$, such that $m \in B_i$ if and only if
$$(i-1)\frac{\varepsilon X}{10} \le 1_m < i\,\frac{\varepsilon X}{10}.$$
We show that there exist two non-adjacent buckets, each containing a non-negligible portion of the messages. More formally, we show there exist $g, h$ with $1 \le h+1 < g \le 10/\varepsilon$ such that $|B_g|, |B_h| > \frac{\varepsilon^2}{10}k$. Say that $B_i$ is big if $|B_i| > \frac{\varepsilon^2}{10}k$ and small otherwise. Then we want to show that there are two non-adjacent big buckets. Assume, for contradiction, that this is not the case. Then one of the following cases must apply:

1) There are no big buckets.
2) There is only one big bucket: $B_i$.
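The sampling algorithm of the Theorem 3 proof, simulated end to end, as an added example that is not code from the paper. A deliberately leaky "magic box" $d$ (it secretly uses the factorization and reports $\sigma_N$ of the $r$-th entry correctly three times out of four, so its behaviour on the adjacent signatures $s = 1101$ and $t = 0101$ differs by about $1/2$) is handed to a reduction that knows only $N$, a non-residue $h$ (Theorem 2 lets us assume one) and black-box access to $d$; the reduction builds the three samples of the proof and decides residuosity of an arbitrary $q$ by which sample mean it lands next to. The primes, the choice $n = 4$, $r = 1$, the signatures and all names are constructed for this example.

```python
"""Simulation of the reduction in the proof of Theorem 3: a decision
function d that behaves differently on two adjacent n-signatures s and t
is turned into a decider for quadratic residuosity of any q in A_N*.

Added example, not code from the paper.  The 'magic box' d is constructed
to be leaky on purpose: it secretly uses the factorization and reports the
r-th signature bit correctly 3 times out of 4.  The reduction itself sees
only N, a known non-residue h and black-box calls to d."""
import math
import random

P1, P2 = 1019, 1031          # constructed small primes, not the paper's
N = P1 * P2
NPOS = 4                     # n: length of the sequences in S_N^n
R = 0                        # position where s and t differ (0-based)
S_SIG = (1, 1, 0, 1)         # s_r = 1
T_SIG = (0, 1, 0, 1)         # t_r = 0


def legendre(a, p):
    """Euler's criterion for an odd prime p and gcd(a, p) = 1."""
    return 1 if pow(a % p, (p - 1) // 2, p) == 1 else -1


def sigma(x):
    """sigma_N(x) computed with the secret factors.  Only the leaky box and
    the harness that builds test inputs use it; the reduction does not."""
    return 1 if legendre(x, P1) == 1 and legendre(x, P2) == 1 else 0


def random_unit(rng):
    while True:
        x = rng.randrange(2, N - 1)
        if math.gcd(x, N) == 1:
            return x


def find_pseudo_square(rng):
    """h: a quadratic non-residue with Jacobi symbol 1 (a non-residue mod
    both primes), the element Lemma 3 constructs."""
    while True:
        h = random_unit(rng)
        if legendre(h, P1) == -1 and legendre(h, P2) == -1:
            return h


def element_with_signature(bit, h, rng):
    """x^2 is a residue; h * x^2 is a non-residue in A_N* (Theorem 1)."""
    sq = pow(random_unit(rng), 2, N)
    return sq if bit == 1 else (h * sq) % N


def make_leaky_box(rng):
    def d(seq):
        true_bit = sigma(seq[R])
        return true_bit if rng.random() < 0.75 else 1 - true_bit
    return d


def sample_mean(d, build, k):
    return sum(d(build()) for _ in range(k)) / k


def decide_residuosity(q, d, h, k, rng):
    """The algorithm from the proof: estimate s_bar and t_bar on samples
    from Q_s and Q_t, then evaluate d on k sequences whose r-th entry is
    q * x_j^2 and whose other entries carry signature s.  That third sample
    lies entirely in Q_s if q is a residue and in Q_t otherwise, so its
    mean lands next to s_bar or next to t_bar."""
    def seq_with_r(r_entry):
        return [r_entry if i == R else element_with_signature(S_SIG[i], h, rng)
                for i in range(NPOS)]

    s_bar = sample_mean(d, lambda: seq_with_r(element_with_signature(S_SIG[R], h, rng)), k)
    t_bar = sample_mean(d, lambda: seq_with_r(element_with_signature(T_SIG[R], h, rng)), k)
    q_mean = sample_mean(d, lambda: seq_with_r((q * pow(random_unit(rng), 2, N)) % N), k)
    return abs(q_mean - s_bar) < abs(q_mean - t_bar)   # True means "q is a residue"


def demo(seed=7, k=400):
    """Returns (verdict on a known residue, verdict on a known non-residue)."""
    rng = random.Random(seed)
    h = find_pseudo_square(rng)
    d = make_leaky_box(rng)
    qr = pow(random_unit(rng), 2, N)
    qnr = (h * pow(random_unit(rng), 2, N)) % N
    return decide_residuosity(qr, d, h, k, rng), decide_residuosity(qnr, d, h, k, rng)
```

With an advantage of $1/2$ at position $r$ the two sample means sit near $0.75$ and $0.25$, so $k = 400$ is far more than the $1/(\delta\gamma^2)$ the proof needs; a box with a smaller advantage would need correspondingly more samples, which is where the $\varepsilon^{-1}$ factor in the running time comes from.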
3) There are exactly two adjacent big buckets: $B_i$ and $B_{i-1}$.

Note that case 1 can never be true; otherwise
$$k = \sum_{i=1}^{10/\varepsilon} |B_i| \le \frac{10}{\varepsilon}\cdot\frac{\varepsilon^2}{10}k < k.$$

In case 2, $\sum_{m_j \in B_i} C_j$ is maximum for $i = 10/\varepsilon$, and if all messages $m_j$ for which $P(m_j) = 1$ belong to $B_{10/\varepsilon}$, i.e. when $MB$ guesses 1 for all the encodings of all the messages for which the predicate is true. Thus,
$$p + \varepsilon \le \frac{1}{kX}\sum_{m_j \in M^n} C_j = \frac{1}{kX}\Big(\sum_{m_j \in B_i} C_j + \sum_{m_j \notin B_i} C_j\Big) \le p + \frac{\varepsilon}{10} < p + \varepsilon.$$

In case 3, $\sum_{m_j \in B_i} C_j + \sum_{m_j \in B_{i-1}} C_j$ is maximum when $i = 10/\varepsilon$ and all the messages for which $P$ is true belong to $B_{10/\varepsilon}$ and all the messages for which $P$ is false belong to $B_{10/\varepsilon - 1}$. Thus,
$$p + \varepsilon \le \frac{1}{kX}\sum_{m_j \in M^n} C_j = \frac{1}{kX}\Big\{\Big(\sum_{m_j \in B_i} C_j + \sum_{m_j \in B_{i-1}} C_j\Big) + \sum_{m_j \notin B_i \cup B_{i-1}} C_j\Big\}$$
$$\le \frac{1}{kX}\Big\{\big[pkX + (1-p)\,\varepsilon 10^{-1} kX\big] + kX\varepsilon 10^{-1}\Big\} \le \frac{1}{kX}\big(pkX + 3\varepsilon 10^{-1} kX\big) < p + \varepsilon.$$

In all three cases we reach a contradiction. Thus there exist two non-adjacent buckets $B_g$ and $B_h$, each containing at least $\frac{\varepsilon^2}{10}k$ messages. By sampling, we can find, in a small expected time, two messages $u$ and $v$ in $B_g$ and $B_h$, respectively. We view $MB$ as a decision function $D: S_N^n \to \{0,1\}$. Then $P_D(u) - P_D(v) > \varepsilon/10$ and theorem 3 applies.

Next, we will see that an adversary cannot decode more than a negligible fraction of the encodings of all messages.

4.2 An Adversary Cannot Decode

Let $MB$ be a magic box that receives as input $E(m)$ for $m \in M^n$, and outputs $m_j$. $MB$'s output can be interpreted as $MB$'s guess of what $m$ is. Let $r_{j,i}$ denote the number of encodings of message $m_j$ on which $MB$ answers $m_i$. Clearly, $r_{i,i}$ will denote the number of times, over all possible encodings of $m_i$, that $MB$ answers correctly.

Theorem 6: Let $0 < \delta < 1$ be a non-negligible real number. If $\frac{1}{kX}\sum_{i=1}^{k} r_{i,i} > \varepsilon + \frac{1}{k}$ for some non-negligible $\varepsilon < 1 - \frac{1}{k}$, then we can decide quadratic residuosity mod $N$ with probability $1-\delta$ by means of a polynomial in $|N|$, $\varepsilon^{-1}$ and $\delta^{-1}$ time probabilistic algorithm.

Proof: Say that a message $m_i$ is well decoded if $r_{i,i} > \frac{\varepsilon}{2}X$. Let $W$ be the set of well-decoded messages and $W' = M^n - W$.

Claim 1: There exist at least $\frac{\varepsilon k}{2}$ well-decoded messages.

Proof:
$$\Big(\varepsilon + \frac{1}{k}\Big)kX < \sum_{i=1}^{k} r_{i,i} = \sum_{m_i \in W} r_{i,i} + \sum_{m_i \in W'} r_{i,i} \le X|W| + (k - |W|)\frac{\varepsilon}{2}X = X\Big[\Big(1 - \frac{\varepsilon}{2}\Big)|W| + \frac{k\varepsilon}{2}\Big].$$
Hence $|W| > \dfrac{k\varepsilon/2 + 1}{1 - \varepsilon/2} > \dfrac{\varepsilon k}{2}$. (claim 1)

Clearly, if we pick messages at random from $M^n$, we expect to find a well-decoded message in $2\varepsilon^{-1}$ trials. Let $Q \subset W$ such that $|Q| > 2\varepsilon^{-1}$, and let $\rho < \dfrac{1}{2\varepsilon^{-1}(2\varepsilon^{-1} + 1)}$.

Claim 2: There exist two well-decoded messages $m_i, m_j \in Q$ such that
$$\left|\frac{r_{i,i}}{X} - \frac{r_{j,i}}{X}\right| > \rho.$$

Proof: Fix $m_j \in Q$. How many messages $m_i \in Q$ can be such that $\left|\frac{r_{i,i}}{X} - \frac{r_{j,i}}{X}\right| \le \rho$? There are at most $\dfrac{1}{\varepsilon/2 - \rho} < 2\varepsilon^{-1} + 1$ such messages. Thus there exists an $m_i \in Q$ that satisfies the claim. (claim 2)

Let us transform $MB$ into a discriminating function $D: S_N^n \to M^n \cup \{\gamma\}$. If $x \in S_N^n$ and $MB$, on input $x$, outputs $m_j$, then set $D(x) = m_j$. If $y$ is not the encoding of any message, then one of 3 cases must occur:

1) $MB$ outputs $m_i$ for $1 \le i \le k$. Set $D(y) = m_i$.
2) $MB$ outputs $m_i$ for $i < 1$ or $i > k$. Set $D(y) = \gamma$.
3) $MB$ does not answer within a certain time limit. Set $D(y) = \gamma$.

Now, note that in claims 1 and 2 just proved above, we showed that we can quickly find two well-decoded messages $m_i$ and $m_j$ such that $|P_{D,m_i}(m_i) - P_{D,m_i}(m_j)| > \rho$. Thus the hypothesis of theorem 4 holds, and deciding quadratic residuosity mod $N$ is polynomial in $|N|$, $\varepsilon^{-1}$ and $\delta^{-1}$. □
Theorem 6 shows that inverting the function $E$ on the encrypted messages is as hard as deciding quadratic residuosity, independently of the sparsity of $M^n$.

5. MENTAL POKER

Mental Poker is played like regular poker except that there are no cards and no deck. The game is played over the telephone lines, or over a computer network. Since we cannot send physical cards over the phone lines, dealing and playing must be simulated by exchanging messages between the players. The players do not trust each other more than ordinary players do. A fair game on the telephone should ensure that:

1) Neither player can have any partial information about the cards in his opponent's hand or in the deck,
2) There is no overlap in the cards dealt to players,
3) All possible hands are equally probable for both players,
4) At the end of the game each player can verify that the game was played according to the rules and no cheating occurred.

Note that in a fair game of Mental Poker it is not enough to show that it is computationally difficult to get the exact value of a card. We must also show that no partial information about the card can fall into the hands of an adversary.

We present a protocol for two people to play a fair game of Mental Poker, using encryption. We prove that there is no way a player can get any information about cards not in his hand under the assumption that deciding quadratic residuosity is hard.

There are two main tools used in our implementation of Mental Poker. One is a method for coin-flipping over the telephone [5] and the other is the method for sending a single bit securely in a Public Key Cryptosystem presented here.

A different solution to the problem of Mental Poker has been obtained independently by Manuel Blum in [6]. His solution is based on the assumption that factoring is hard and that completely secure one way functions exist.

5.1 Background For Coin Flipping

To flip a coin in the well: A and B stand far apart from each other. B is standing next to a deep well. A throws a coin into the well from a distance. Now, B knows the outcome of the flip (by looking into the well) but cannot change it, and A has no way of knowing the outcome. Later on, when B would like to prove to A that he won (or lost), he lets A come closer and look into the well.

Essentially, if we can simulate a flip in the well by exchanging messages over the telephone, A can send a random bit to B, where A does not know what he sent, but B can, if necessary, prove to A what the bit was. This is especially applicable to cryptographic games.

The notion of coin flipping in the well has been introduced by Blum and Micali in [5], in which, based on the assumption that index finding is hard, they show how to flip a coin in the well over the telephone lines. Another method, based on the assumption that factorization is hard, has been found by Blum in [4]. We sketch a third method, based on the difficulty of distinguishing quadratic residues from non-residues with respect to composite moduli.

A and B want to flip a coin. A generates two large odd primes at random, $P$ and $Q$, and sets $N = P \cdot Q$. A publicizes $N$ and $y \in A_N^*$ such that $y$ is a quadratic non-residue mod $N$. A picks a number $q$ at random from $A_N^*$ and asks B, who does not know the factorization of $N$, whether $q$ is a quadratic residue mod $N$ or not. B tells A what his guess is. A now knows whether B won (lost), and can later prove to B that he indeed won (lost) by releasing the factorization of $N$.

To avoid adding new assumptions to the ones that we already have, we propose to use one of these latter two coin flipping methods in our protocol for Mental Poker.

The next section will list some known results that will be used in the proof of the protocol.

5.2 Useful Results

Let $p_1, p_2$ be odd primes and $N = p_1 p_2$.

Lemma 3: If the factorization of $N$ is known, we can find $q \in Z_N^*$ such that $(q/N) = 1$ and $q$ is a quadratic non-residue, in random polynomial time.

Proof: Pick $a \in Z_{p_1}^*$ such that $(a/p_1) = -1$. This can be done in 2 expected trials. Similarly, pick $b \in Z_{p_2}^*$ such that $(b/p_2) = -1$. Using the Chinese Remainder theorem compute the unique $q \in Z_N^*$ such that $q \equiv a \pmod{p_1}$ and $q \equiv b \pmod{p_2}$. Now, $q$ is a quadratic non-residue and $(q/N) = (q/p_1 p_2) = (q/p_1)\cdot(q/p_2) = (a/p_1)\cdot(b/p_2) = 1$.

Lemma 4: Let $N = p_1 p_2$ such that $p_1 \equiv p_2 \equiv 3 \bmod 4$. For all $x, y \in Z_N^*$, if $x^2 \equiv y^2 \bmod N$ and $x \not\equiv \pm y \bmod N$, then $(x/N) = -(y/N)$.
Proof: Let
$$c \equiv 1 \pmod{p_1},\quad c \equiv 0 \pmod{p_2};\qquad d \equiv 1 \pmod{p_2},\quad d \equiv 0 \pmod{p_1}.$$
We can find $c$ and $d$ through the Chinese Remainder Theorem. Let $a^2 \equiv x^2 \pmod{p_1}$ and $b^2 \equiv x^2 \pmod{p_2}$. Then the four square roots (mod $N$) are given by $ac + db$, $-ac + db$, $-(ac + db)$ and $(ac - db)$. Let $x = ac + db$ and $y = -ac + bd$. Since $N \equiv 1 \bmod 4$ implies $(x/N) = (-x/N)$, we need only prove that $(+x/N) = -(+y/N)$. Thus,
$$(x/N) = \big((ac + bd)/N\big) = \big((ac + bd)/p_1\big)\big((ac + bd)/p_2\big) = (ac/p_1)(bd/p_2).$$
And
$$(y/N) = \big((-ac + bd)/N\big) = \big((-ac + bd)/p_1\big)\big((-ac + bd)/p_2\big) = (-ac/p_1)(bd/p_2) = (-1/p_1)(x/N).$$
Since $p_1 \equiv 3 \pmod 4$, $(-1/p_1) = -1$.

By a theorem of de la Vallee Poussin [15], approximately half of all primes of a given length are congruent to 3 mod 4. Thus, composite numbers of the form $N = p_1 p_2$ where $p_1 \equiv p_2 \equiv 3 \bmod 4$ constitute approximately 1/4 of all composite numbers which are a product of two odd primes of a given length. Thus factoring and deciding quadratic residuosity modulo such special $N$'s remains a hard problem. Another method, which does not use special composite numbers but increases the number of messages exchanged in the protocol, will appear in the final paper.

5.3 THE PROTOCOL

To represent 52 cards in binary we must use at least 6 bits per card. Thus at first A and B agree on 52 different bit patterns which correspond to the 52 cards.

From now on, when we say that A flips $k$ to B, we mean that B receives a number $k$ at random from A, and A has no information whatsoever about $k$. $k$ is actually sent bit by bit through a sequence of coin flips into a well.

5.3.1 The Algorithm

STEP 1: B chooses at random 52 pairs of large prime numbers: $(p_1, q_1), (p_2, q_2), (p_3, q_3), \ldots, (p_{52}, q_{52})$ such that $p_i \equiv q_i \equiv 3 \bmod 4$ for $1 \le i \le 52$, and produces 52 large composite numbers whose factorization she knows, i.e. $N_1 := p_1 \cdot q_1$, $N_2 := p_2 \cdot q_2$, ..., $N_{52} := p_{52} \cdot q_{52}$. Next, she shuffles the deck of cards in her hands and assigns $N_1, \ldots, N_{52}$ to the shuffled deck, an $N_i$ per the $i$-th card. She publicizes the ordered 52-tuple $\langle N_1, N_2, \ldots, N_{52} \rangle$.

STEP 2: A does the same. Let us denote the primes chosen by him as $(s_1, t_1), (s_2, t_2), (s_3, t_3), \ldots, (s_{52}, t_{52})$ such that $s_i \equiv t_i \equiv 3 \bmod 4$ for $1 \le i \le 52$, and his 52 composite numbers by $M_1 := s_1 \cdot t_1$, $M_2 := s_2 \cdot t_2$, ..., $M_{52} := s_{52} \cdot t_{52}$. He shuffles the deck of cards and assigns $M_1, \ldots, M_{52}$ to the shuffled deck, an $M_i$ per the $i$-th card. He publicizes the ordered 52-tuple $\langle M_1, M_2, \ldots, M_{52} \rangle$.

STEP 3: B publicizes her entire deck. The deck is encrypted in the following way. For every card $C_i$ (with public key $N_i$), B publicizes an ordered list of 6 numbers in $A_{N_i}^*$, $(q_1, \ldots, q_6)$, such that for $1 \le j \le 6$, $q_j$ is a quadratic residue if and only if the $j$-th bit of $C_i$ is a 1.

For example, let the first card in B's deck be 010010. Then B publicizes $(q_1, q_2, q_3, q_4, q_5, q_6)$ where $q_1, q_3, q_4$ and $q_6$ are quadratic non-residues mod $N_i$, and $q_2, q_5$ are quadratic residues mod $N_i$ with Jacobi symbol 1. The $q_j$'s are chosen at random among the elements of $A_{N_i}^*$ with the desired properties. This can be done in random polynomial time, by Lemma 3.

NOTE that, by Lemma 2, if A can factor $N_i$, he can also determine whether the numbers that B posed as corresponding to the bits in the encoding of $C_i$ are quadratic residues or not, and therefore determine what the card is. If A cannot factor $N_i$, he cannot tell whether the numbers corresponding to bits in the card's encoding are quadratic residues or not, and therefore cannot tell what the remaining cards are.

STEP 4: A publicizes his deck in the exact same way that B did.

STEP 5 [B deals a card to A]: Suppose A decided to pick the $K$-th card from B's deck. Repeat the following procedure for each card in B's encrypted deck. We describe it for the $i$-th card, to which $N_i$ corresponds. B flips $x \in Z_{N_i}^*$ to A. A computes $x^2 \bmod N_i$ and $(x/N_i)$. At this point A must follow one of two procedures: P1 if $i = K$ and P2 otherwise.

P1: A sends $x^2 \bmod N_i$ and $-(x/N_i)$ to B.
P2: A sends $x^2 \bmod N_i$ and $(x/N_i)$ to B.

B computes the square roots of $x^2 \bmod N_i$. Let the square roots be $x$, $N - x$, $y$ and $N - y$. Next, B sends the root whose Jacobi symbol she received from A: $y$ if she received $-(x/N_i)$ from A, and $x$ otherwise. By Lemma 4, $(x/N_i)$ uniquely identifies $x$, and $-(x/N_i)$ uniquely identifies $y$. Thus if A followed P1 then he will receive 4 square roots of $x^2 \bmod N_i$, and by Lemma 1 can factor. If A followed P2, he will get no new information as to the value of $C_i$. B
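Steps 3, 5 and 6 for a single card, played out between two simulated parties, as an added example that is not code from the paper. It exercises the three facts the deal rests on: Lemma 3 (a pseudo-square built by CRT from non-residues modulo each prime), Lemma 4 (for $p \equiv q \equiv 3 \bmod 4$ the two root pairs of $x^2 \bmod N$ carry opposite Jacobi symbols, so the symbol A sends selects a pair), and Lemma 1 (a root from the other pair lets A factor, after which the Lemma 2 test reads the card). The primes 1019 and 1031, the card pattern 010010 from the text's example, and all function names are constructed for the example.

```python
"""Steps 3, 5 and 6 of the protocol for a single card of B's deck, with the
lemmas they rely on: Lemma 3 (pseudo-squares via CRT), Lemma 4 (root pairs
of x^2 mod N have opposite Jacobi symbols when p = q = 3 mod 4) and
Lemma 1 (two such roots factor N).

Added example, not the paper's code.  p and q are small constructed primes;
a real deal uses large random primes per card."""
import math
import random


def jacobi(a, n):
    """Jacobi symbol (a/n), odd n > 0, computed without factoring n: the
    view of the player who does not hold the factors."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def legendre(a, p):
    """Euler's criterion, gcd(a, p) = 1 assumed."""
    return 1 if pow(a % p, (p - 1) // 2, p) == 1 else -1


def crt(a, p, b, q):
    """The unique z mod p*q with z = a (mod p) and z = b (mod q)."""
    inv = pow(p % q, q - 2, q)               # p^-1 mod q by Fermat
    return (a + p * (((b - a) * inv) % q)) % (p * q)


def unit(n, rng):
    while True:
        x = rng.randrange(2, n - 1)
        if math.gcd(x, n) == 1:
            return x


def pseudo_square(p, q, rng):
    """Lemma 3: a non-residue mod both p and q is a non-residue mod N whose
    Jacobi symbol is (-1)(-1) = 1."""
    while True:
        a, b = rng.randrange(1, p), rng.randrange(1, q)
        if legendre(a, p) == -1 and legendre(b, q) == -1:
            return crt(a, p, b, q)


def encode_card(bits, p, q, rng):
    """Step 3: q_j is a quadratic residue iff bit j of the card is 1; every
    q_j lies in A_N*, so the Jacobi symbol alone reveals nothing."""
    n = p * q
    return [pow(unit(n, rng), 2, n) if bit else pseudo_square(p, q, rng) for bit in bits]


def decode_card(q_list, p, q):
    """Step 6: the Lemma 2 test, possible once the factors are known."""
    return [1 if legendre(e, p) == 1 and legendre(e, q) == 1 else 0 for e in q_list]


def square_roots(c, p, q):
    """All four roots of a residue c mod N when p = q = 3 (mod 4):
    c^((p+1)/4) is a root mod p, likewise mod q; combine the signs by CRT."""
    rp, rq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    n = p * q
    pair = {crt(rp, p, rq, q), crt(rp, p, q - rq, q)}
    return pair | {n - r for r in pair}


def deal_one_card(card_bits, p, q, a_wants_it, rng):
    """Step 5 for one card of B's deck.  B holds p, q; A holds only N."""
    n = p * q
    q_list = encode_card(card_bits, p, q, rng)           # Step 3, by B
    in_a_n = all(jacobi(e, n) == 1 for e in q_list)
    x = unit(n, rng)                                    # B flips x to A
    c, jx = pow(x, 2, n), jacobi(x, n)                  # A's computation
    symbol_sent = -jx if a_wants_it else jx             # P1 or P2
    # B: by Lemma 4 exactly one +-pair of roots carries the symbol received
    root = next(r for r in square_roots(c, p, q) if jacobi(r, n) == symbol_sent)
    if root in (x, n - x):                              # P2: A learns nothing new
        return {"factored": None, "card": None, "in_A_N": in_a_n}
    # P1, Lemma 1: x^2 = root^2 mod N with x != +-root, so gcd(x - root, N) is a factor
    f = math.gcd(x - root, n)
    p_found, q_found = sorted((f, n // f))
    return {"factored": (p_found, q_found),
            "card": decode_card(q_list, p_found, q_found),
            "in_A_N": in_a_n}


def lemma4_holds(p, q, seed=0, trials=20):
    """The four roots of x^2 split 2 + 2 by Jacobi symbol."""
    rng, n = random.Random(seed), p * q
    for _ in range(trials):
        roots = square_roots(pow(unit(n, rng), 2, n), p, q)
        if sorted(jacobi(r, n) for r in roots) != [-1, -1, 1, 1]:
            return False
    return True


def demo(seed=3):
    p, q = 1019, 1031                   # constructed; both are 3 mod 4
    rng = random.Random(seed)
    card = [0, 1, 0, 0, 1, 0]           # the text's example pattern 010010
    return deal_one_card(card, p, q, True, rng), deal_one_card(card, p, q, False, rng)
```

In the P2 branch the root B returns is $x$ or $N - x$, which A already knew, so nothing about that card leaks; in the P1 branch the returned root sits in the other pair and the gcd step recovers $p$ and $q$, after which `decode_card` is just Lemma 2 applied to the six published $q_j$.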
from her side has no information as to which card A selected. Later, B can verify what she flipped to A, and hence verify that A has only found out the factorization of a single card.

STEP 6: At this point A knows the factorization of $N_K$. To reconstruct the actual card $C_K$, A applies the polynomial time test of Lemma 2 to the encrypted representation of $C_K$, $(q_1, \ldots, q_6)$. Next, A must delete $C_K$ from his encrypted deck. B can see which encrypted element in A's deck is being erased, but this does not enable her to decrypt it.

STEP 7 [A deals a card to B]: Clearly, the same procedure as in Steps 5 and 6 is done with the roles of A and B reversed. Now B will discover the factorization of one of $M_1, \ldots, M_{52}$.

STEP 8: If any more cards need to be dealt throughout the game, a similar protocol takes place. Whenever A needs a card, he will pick a card from B's deck by following the procedure in Steps 5 and 6. Similarly, whenever B needs a card, she will pick it from A's deck.

STEP 9 [after game verification]: After the game is over, A can prove to B that everything he claims she flipped him was indeed flipped by her, and in what order. B can do the same. A releases the factorization of each of the $M_i$ for all $1 \le i \le 52$, and B releases the factorization of each of the $N_i$ for all $1 \le i \le 52$. They can both prove to each other whatever claim they made in the game, such as "$N$ is a product of two primes", "all cards were present in the deck at all times", "these are the quadratic residues you flipped to me", or "I won".

5.3.2 Proof Of Correctness

Claim 1: All hands are equally probable.
Proof: In step 9, A and B verify that both encrypted decks contained all 52 cards. In

It still remains to be shown that neither player can have, at any stage of the game, any partial information about a single encrypted card not in his hand, or about any subset of encrypted cards not in his hand. A complete proof will be found in the final paper. Here we restrict ourselves to proving that when two players A and B publicize their respective encrypted decks, neither A nor B can answer quickly, with 1% advantage, a 1-bit question about a single card in the opponent's deck. Examples of such 1-bit questions are: Is the $i$-th card in the deck black? Are the first and third bit of the $i$-th card equal? Is the mod 2 sum of the bits in the $i$-th card 0 or 1?

Theorem 7: If A, when B publicizes her encrypted deck, can answer, in polynomial time, a 1-bit question $Q$ about a single card in B's deck with 1% advantage, then he can decide quadratic residuosity modulo a random composite $N$ with probability 1, by means of a polynomial($|N|$) time probabilistic algorithm.

Proof: Suppose A can answer a 1-bit question $Q$ about card $i$, to which composite $N_i$ corresponds. A's ability to answer $Q$ with a 1% advantage can be viewed as a decision function $d: S_6 \to \{0,1\}$ ($S_6$ = all 6-long sequences of elements from $A_{N_i}^*$). Since A answers $Q$ correctly 51 times out of 100, we can efficiently find two 6-signatures $u$ and $v$ such that $|P_d(u) - P_d(v)| \ge 1/100$. Thus we can apply theorem 3 and decide quadratic residuosity modulo $N_i$ in polynomial time. Contradiction!

5.3.3 Implementation Details

In order to perform the protocol we must be able to do the following:
1. Generate large prime numbers. This can be done using Gary Miller's test for primality [11].
2. Find square roots of $x^2 \bmod N$ when the factorization of $N$ is known. Use Adleman, Manders
and Millers p o l y n o m i a l t i m e a l g o r i t h m [ 2 ] for
step 5, A h i m s e l f c h o o s e s which e n c r y p t e d finding s q u a r e roots.
value f r o m B's d e c k he wants, t h u s he is equally
likely to get any c a r d in the d e c k . Similar r e a -
soning holds for B. 6. R e m a r k s a n d F u r t h e r I m p r o v e m e n t s
Claim 2: no o v e r l a p p i n g or r e p e a t i n g hands. In this paper we showed that it is possible
Proof: When A is d e a l t a c a r d , he e r a s e s t h a t to encrypt messages in such a way, that an
c a r d f r o m his e n c r y p t e d deck. Thus B c a n adversary, given the cypherLext, cannot
n e v e r be d e a l t t h e s a m e c a r d . A knows which extract information about the cleartext. This is
c a r d s he p i c k e d f r o m B's deck, and t h u s will sufficient for protocols such as Mental Poker or
n e v e r pick the s a m e c a r d twice. for encrypting one's private files. An adversary
Claim 3: ]f p l a y e r A knows the f a c t o r i z a t i o n of can read these files but cannot understand-
N~ he c a n r e c o n s t r u c t Ci in 0 ( I N ]a) t i m e . them.
Proof: We are given N t = .Pl P2, and (ql ..... q6) W e also showed that Probabilistie Encryp-
s u c h t h a t for all j , qi e Z N and (qj/N~,) =1. To tion can be used in a Public Key Environment.
r e c o n s t r u c t . Ct, we m u s t t e s t w h e t h e r qi is a However, in a Public Key Cryptosystem, getting
q u a d r a t i c r e s i d u e rood Nt for all j . That c a n be hold of the cyphertext and trying to under-
done in O( IN I3) s t e p s by L a m i n a 2. stand it is the m o s t obvious attack to the secu-

376
r i t y of t h e s c h e m e . [3] A d l e m a n , L., On Distinguishing Prime
* An a d v e r s a r y could, as a u s e r , t r y to b r e a k Numbers from Composite Numbers,
the scheme by communicating. P r o c e e d i n g s of t h e 21st IEEE S y m p o s i u m on
the Foundations of C o m p u t e r Science
(FOCS), S y r a c u s e , N.Y., 1980, 387-408.
He c o u l d t r y to b r e a k t h e s c h e m e b y i n t e r -
cepting some other user's messages and [4] Blum, M., Three Applications of The Oblivi-
changing them. ous Transfer, to a p p e a r , 1981.
* Finally, he m a y t r y to b r e a k t h e s c h e m e b y [5] Blum, M., a n d Micali, S., How to Flip A Coin
m a k i n g u s e of t h e d e c o d i n g e q u i p m e n t ! Through the Telephone, to a p p e a r , 1982.

The Public Key C r y p t o s y s t e m p r e s e n t e d in t h i s [8] Blum, M., Mental Poker, to a p p e a r , 1982.


p a p e r is n o t s e c u r e a g a i n s t t h e s e p o s s i b l e
a t t a c k s . However, by forcing t h e u s e r s to fol- [7] B r a s s a r d , G., Relativized Cryptography,
low a p a r t i c u l a r p r o t o c o l f o r e x c h a n g i n g m e s - P r o c e e d i n g s of t h e 20st IEEE S y m p o s i u m on
sages, we h a v e built a Public Key C r y p t o s y s t e m the Foundations of C o m p u t e r Science
which is p r o v a b l y s e c u r e a g a i n s t t h e a b o v e (FOCS) , S a n Juan, P u e r t o Rico, 1979, 383-
m e n t i o n e d a t t a c k s . T h e s e r e s u l t s will a p p e a r in 391.
a future paper.
[8] Diffie, W., a n d M. E. H e l l m a n , New Direction
in Cryptography, IEEE Trans. on I n f o r m . Th.
Acknowledgements IT-22, 6 (1976), 644-654.

Our m o s t s i n c e r e t h a n k s go to R i c h a r d [9] C o l d w a s s e r S., and Micali S., A Bit by Bit


Secure Public Key Cryptosystem, M e m o r a n -
Karp, who s u p e r v i s e d this r e s e a r c h , for his
d u m NO. UCB/ERL M81/88, U n i v e r s i t y of
contributions, encouragement and great
California, B e r k e l e y , D e c e m b e r 1981.
p a t i e n c e , a n d to Manuel B l u m for a w o n d e r -
ful c o u r s e in N u m b e r Theory, m a n y i n s i g h t -
[10] Lipton, R., How to Cheat at Mental Poker,
ful d i s c u s s i o n s a n d for having f o u n d a way to
P r o c e e d i n g of t h e AMS s h o r t c o u r s e on
r e d u c e t h e n u m b e r s of m e s s a g e s e x c h a n g e d
C r y p t o l o g y , J a n u a r y 1981.
in t h e p r o t o c o l .
[11] Miller, G., R i e m a n n ' s Hypothesis and Tests
We a r e p a r t i c u l a r l y i n d e b t e d to F a i t h for Pr~mality, Ph.D. Thesis, U.C. B e r k e l e y ,
Fich, Mike Luby, Jeff Shallit a n d Po Tong. 1975.
Without t h e i r g e n e r o u s h e l p this p a p e r
would h a v e n e v e r b e e n w r i t t e n . [12] Rabin, M., Digitalized Signatures and
Public-Key Functions As Intractable As Fac-
Andrew Yao p o i n t e d out to us s o m e g e n - torization, MIT/LCS/TR-212, Technical
e r a l difficulties arising with c o m m u t a t i v e Memo MIT, 1979.
e n c r y p t i o n f u n c t i o n s . The c l a i m in s e c t i o n
3.4 was o b t a i n e d with Vijay Vazirani. We [13] Rivest, R., S h a m i r , A., A d l e m a n , L., A
thank t h e m both. Method f o r Obtaining Digital Signatures
and Public Key Cryptosystems, C o m m u n i c a -
We a r e g r a t e f u l tb Ron Rivest and Mike t i o n s of t h e ACM, F e b r u a r y 1978.
S i p s e r for a v e r y i n s p i r i n g discussion. It
i m p r o v e d this p a p e r a g r e a t deal. [14] S h a m i r , Rivest, a n d A d l e m a n , Mental
Poker, MIT T e c h n i c a l R e p o r t , 1978.

[15] S h a n k s , D., Solved and Unsolved Problems


"~n N u m b e r Theory, C h e l s e a P u b l i s h i n g Co.
References (1978).

[1] A d l e m a n , L., Private Communication, 1981.


Added in proof:
[2] A d l e m a n , L., M a n d e r s K. a n d Miller G., On [16] Chau.m, D. L., Untraceable EZec~o~,ic Mail,
Tc~cing Roots In Finite Fields, P r o c e e d i n g s Returvt Addresses, and Digital Pseudonymus,
of t h e 18th Annual ]EEE S y m p o s i u m on Communications of the ACM, 24,2 (1981) 84-88.
F o u n d a t i o n s of C o m p u t e r S c i e n c e (FOCS),
1977, 175-177.

377

Das könnte Ihnen auch gefallen
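The following is an added example, not code from the paper. It is a toy Python version of the card representation that Claim 3 decrypts (six elements of $Z_N$, all with Jacobi symbol $+1$), the Lemma 2 residuosity test as it is carried out once $N$ is factored, and the two primitives listed under 5.3.3. Everything the page does not fix is an assumption made here: a card is a 6-bit value, a 0 bit is sent as a random residue $r^2$ and a 1 bit as $y r^2$ with $y$ a non-residue of Jacobi symbol $+1$, residuosity is decided with Euler's criterion modulo each prime factor, the primes are chosen congruent to 3 mod 4 so that a square root is a single exponentiation (a special case of the general root-finding algorithm cited as [2]), Miller-Rabin (the randomized form of Miller's test [11]) does the primality testing, and the key size is a toy size. The function names (make_key, encrypt_card, decrypt_card, sqrt_mod_n, demo) are mine.

```python
# Added example (not from the paper): toy version of the card representation that
# Claim 3 decrypts, plus the two primitives of section 5.3.3. Assumptions beyond the
# page: 6-bit cards, bit 0 -> r^2, bit 1 -> y*r^2 (y a non-residue with Jacobi +1),
# primes = 3 (mod 4) so that a square root is a single exponentiation.
import math
import random

CARD_BITS = 6  # a card is six elements of Z_N, each with Jacobi symbol +1


def is_probable_prime(n: int, rounds: int = 24, rng=random) -> bool:
    """Miller-Rabin, the randomized form of the primality test cited as [11]."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # witness of compositeness found
    return True


def gen_prime(bits: int, rng=random) -> int:
    """Random prime of the given length; '| 3' forces p = 3 (mod 4) (assumption above)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(p, rng=rng):
            return p


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n), odd n: all that a player without p, q can compute about a."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_quadratic_residue(x: int, p: int, q: int) -> bool:
    """Lemma 2 test with N = p*q factored: residue mod N iff residue mod p and mod q."""
    return pow(x, (p - 1) // 2, p) == 1 and pow(x, (q - 1) // 2, q) == 1


def make_key(bits: int, rng=random):
    """Public key (N, y) with y a non-residue of Jacobi symbol +1; private key (p, q)."""
    p, q = gen_prime(bits, rng), gen_prime(bits, rng)
    while q == p:
        q = gen_prime(bits, rng)
    N = p * q
    while True:
        y = rng.randrange(2, N)
        if jacobi(y, N) == 1 and not is_quadratic_residue(y, p, q):
            return (N, y), (p, q)


def encrypt_card(card: int, pub, rng=random) -> list:
    """Encrypted representation (q_1..q_6): r^2 for a 0 bit, y*r^2 for a 1 bit."""
    N, y = pub
    cipher = []
    for i in range(CARD_BITS):
        r = rng.randrange(1, N)
        while math.gcd(r, N) != 1:  # such an r would hand out a factor of N
            r = rng.randrange(1, N)
        cipher.append(pow(r, 2, N) * (y if (card >> i) & 1 else 1) % N)
    return cipher


def decrypt_card(cipher: list, priv) -> int:
    """Claim 3: with p, q known, one residuosity test per q_j reads off the card."""
    p, q = priv
    return sum(1 << i for i, c in enumerate(cipher) if not is_quadratic_residue(c, p, q))


def sqrt_mod_n(x: int, p: int, q: int) -> int:
    """A square root of a residue x mod N = p*q for p = q = 3 (mod 4), glued by CRT."""
    rp, rq = pow(x, (p + 1) // 4, p), pow(x, (q + 1) // 4, q)
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)


def demo(seed: int = 1, bits: int = 40) -> dict:
    """Deals all 52 cards through the toy encoding; seeded so the run is reproducible."""
    rng = random.Random(seed)
    pub, priv = make_key(bits, rng)
    N = pub[0]
    ciphers = [encrypt_card(card, pub, rng) for card in range(52)]
    return {
        # the observer without p, q sees Jacobi symbol +1 on every element
        "public_view_uniform": all(jacobi(c, N) == 1 for cc in ciphers for c in cc),
        "all_cards_recovered": [decrypt_card(cc, priv) for cc in ciphers] == list(range(52)),
    }
```

Running demo() shows both sides of the situation the protocol relies on: whoever sees only N gets the Jacobi symbol $+1$ on every element of every encrypted card, so watching which element A erases from his deck tells B nothing about which card it was, while the holder of $p$ and $q$ recovers every card with six residuosity tests, each a modular exponentiation of $|N|$-bit numbers, which is the work behind the $O(|N|^3)$ bound of Claim 3. The toy 40-bit primes are for a fast run only; the residuosity assumption the paper builds on needs moduli that cannot be factored.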