lecture 13 secret sharing schemes and game

Lecture 13 Secret Sharing Schemes and Game

Secret sharing schemes are multi-party protocols related to key establishment. The original motivation for secret sharing was the following. To safeguard cryptographic keys from loss, it is desirable to create backup copies. The greater the number of copies made, the greater the risk of security exposure; the smaller the number, the greater the risk that all are lost. Secret sharing schemes address this issue by allowing enhanced reliability without increased risk.

One of the major contributions of modern cryptography has been the development of advanced protocols. These protocols enable users to electronically solve many real world problems, play games, and accomplish all kinds of intriguing and very general distributed tasks. The goal of this lecture is to give a brief introduction to flipping coins and mental poker over the telephone.

Outline Scenarios for Secret Sharing Secret Splitting Threshold Schemes Flipping Coins over the Telephone Poker over the Telephone

1 Scenarios for Secret Sharing 1.1 For Secret Splitting Imagine that you’ve invented a new, extra gooey,

extra sweet, cream filling or a burger sauce that is even more tasteless than your competitors’. This is important; you have to keep it secret. You could tell only your most trusted employees the exact mixture of ingredients, but what if one of them defects to the competition? There goes the secret, and before long every grease palace on the block will be making burgers with sauce as tasteless as yours.

This calls for secret splitting. There are ways to take a message and divide it up into pieces. Each piece by itself means nothing, but put them together and the message appears. If the message is the recipe and each employee has a piece, then only together can they make the sauce. If any employee resigns with his single piece of the recipe, his information is useless by itself.

However, it has a problem: If any of the pieces gets lost, so does the message. If one employee, who has a piece of the sauce recipe, goes to work for the competition and takes his piece with him, the rest of them are out of luck. He can’t reproduce the recipe, but neither can work together. His piece is as critical to the message as every other piece combined.

1.2 For Threshold Schemes You’re setting up a launch program for a

nuclear missile. You want to make sure that no single raving lunatic can initiate a launch. You want at least three out of five officers to be raving lunatics before you allow a launch. This is easy to solve. Make a mechanical launch controller. Give each of the five officers a key and require that at least three officers stick their keys in the proper slots before you’ll allow them to blow up whomever we're blowing up this week.

We can get even more complicated. Maybe the general and two colonels are authorized to launch the missile, but if the general is busy playing golf then five colonels are required to initiate a launch. Make the launch controller so that it requires five keys. Give the general three keys and the colonels one each. The general together with any two colonels can launch the missile; so can the five colonels. However, a general and one colonel cannot; neither can four colonels.

A more complicated sharing scheme, called a threshold scheme, can do all of this and more—mathematically. At its simplest level, you can take any message (a secret recipe, launch codes, your laundry list, etc.) and divide it into n pieces, called shares or shadows, such that any m of them can be used to reconstruct the message.

One can divide his secret sauce recipe among Alice, Bob, Carol, and Dave, such that any three of them can put their shadows together and reconstruct the message. If Carol is on vacation, Alice, Bob, and Dave can do it. If Bob gets run over by a bus, Alice, Carol, and Dave can do it. However, if Bob gets run over by a bus while Carol is on vacation, Alice and Dave can't reconstruct the message by themselves.

2 Secret Splitting2.1 Dual Control by Modular Addition

.recover to modulo themsums which device, theinto estheir valu

enter separately then and ly.respective , and parties two to) (mod and values thegives and 1,

1number random a generates party A trusted used. bemay scheme following thenumber, thisknows party) trusteda

n (other tha individual singleany that eundesirabl isit reasons, loperationafor but key), seed a (e.g., device a into entered be

must ,integer somefor 1 0 ,number secret a If

11

1

Sm

BABAmSSSm

ST

mmSS

2.1 Dual Control by Modular Addition (Continued)

it. trigger torequired are people two-control dualunder be tosaid is requiringaction Any

people. obetween twsplit is secret theof knowledge -scheme knowledge-split a of examplean is This )2(

1. and 0between number random a is possesseseach value thesince ,about n informatioany has one

neither then collude, not to trustedare and If (1)

SS

mS

BA

Comment.

2.2 Unanimous Consent Control by Modular Addition

). (mod

as recovered issecret The ). (mod

given is while,given are through Parties 1. 1 1, 0 , numbers randomt independen

1 generates :follows as ,recover order toin required are whomof all users, among divided bemay secret the

thatso dgeneralizeeasily is above scheme control dual The

1

11

11

mS

SmSSS

PSPPtimSStTS

t S

iti

itit

tit

ii

2.2 Unanimous Consent Control by Modular Addition (Continued)

necessary. are trials2 piece,bit -56 agiven

isparty each if while trials,2only requiresparty oneby search

exhaustive key, theof bits 28given each are parties twoif 2, and 56 for example,For each. bits / of pieces intokey bit -

an ngpartitionihan security tgreater provides This length.-full be should scheme controlsplit ain componentskey individual The )2(

).(loglength -bit fixed of and valuesdata using OR,-exclusiveby replaced bemay operations

modulo above, scheme control dual in the and hereBoth (1)

56

28

2

trtrtr

mSS

m

i

Comment.

3 Threshold Schemes

pieces. noknowingover opponent an tosense) theoretic-ninformatio the

in r, whatsoeveabout n informatio (no advantage no provide sharesfewer or 1only knowingin which scheme threshold

a is scheme resholdperfect thA not.may sharesfewer or 1only knowing groupany but ,recover easily may sharestheir

pool whousers moreor any : trueis following thesuch that ,user to sdistributesecurely and ,secret initialan from

1 , sharessecret computesparty trustedaby which method a is )( scheme threshold) ,(

St

tS

tPSSniS

ntntA

ii

i

1 Definition

itself.key the toaccess haven rather tha triggered,

isaction an that seeonly need tsparticipan and control, shared is objective the wheresystemsfor eappropriat is This device.

combining trusteda usingby done bemay as secret, recovered theof value theaccessing from s themselvemembers group

prevent tois method One users.other of shares thededucingfrom tsparticipanprevent tonecessary are controls security,

decreased without reused be tois scheme thresholda If )2(scheme. threshold

) ,( a is scheme controlconsent unanimous thewhilescheme, threshold2) (2, a of examplean is scheme control dual The (1)

tt

Comment.

3.1 Shamir’s Threshold Scheme

. )(

, modulo polynomial random thedefining 1,0 , , , tscoefficient independen random, 1 selects (1.2)

. defines and ), ,(max prime a chooses (1.1)users. among distribute toit wishes

0integer secret a with begins party trustedThe . (1).recover

can shares their pool which users of groupany :RESULTusers. to

secret a of shares sdistributeparty trusteda :SUMMARYscheme threshold) ,( sShamir'

1

0

11

0

t

jj

j

j

t

xaxf

ppaaatT

SanSpTn

STSetupS

tnS

nt

1 Mechanism

3.1 Shamir’s Threshold Scheme (Continued)

. (0) notingby recovered is secret The ion.interpolat Lagrangeby )( of 1 1

, tscoefficien theofn computatio allowing ) ,( ) ,( pointsdistinct provide sharesTheir shares.their

pool users moreor of groupAny shares. of Pooling (2).index public with along ,user to share

theransferssecurely t and 1), 1 , pointsdistinct any for (or 1 ,) (mod )( computes (1.3)

)(Continued scheme threshold) ,( sShamir'

0 Safxftj

aSiyxt

tiPS

piinnipifST

nt

ji

ii

i

1 Mechanism


. where,

:as expressed bemay secret shared the, (0) Since

.)(

:formulaion interpolat Lagrange theby given are , 1 ), ,( pointsby defined , thanless

degree of )( polynomialunknown an of tscoefficien The ion.interpolat LagrangeAbout

11

0

11

ijtj ji

ji

t

iii

ijtj ji

jt

ii

ii

xxx

cycS

Saf

xxxx

yxf

tiyx txf


computed.-pre bemay users , of group fixed afor that

meansIt constants.secret -non are theSince (2). shares ofn combinatio

linear a as computemay member groupEach (1) Explain.

tc

yt S

i

i


.147)1039110787 (8, 28)9734416803 (7, 73)8521360505 (6, 82)6751938978 (5, 55)4426152222 (4, 92)1544000236 (3, 326)1045116192 (2, 91)6456279478 (1,

:personeach toone pairs, following thedistribute weTherefore,8. ,2, 1, where), ,( pairs peopleeight thegive now We

.6651206749628394829430288201905031805)(

work withsLet' . )( polynomial theform

and moduluo and numbers random Choose .6789011312345 prime a Choose .201905031805number theissecret theSuppose scheme. threshold-8) (3, aconstruct sLet'

2

221

21

iSixxxf

xaxaSxf

pa apS

i

1 Example


secret. theis which ,201905031805 ermconstant t theisabout care they All

.6651206749628394829430288201905031805

obtain to moduluo reduce and ,807407407340by 1/5 replace they So,

).(mod18074074073405 But,

.)5/7931095476582(42719861927514728/52070560214

:points heir three through tpasses polynomial following that thecalculate they ,polynomialion interpolat Lagrange Usingsecret.

thedetermine toecollaborat want to7 and 3, 2, persons Suppose)(Continued

2

2

xx

pp

xx

1 Example


).6651206749628 ,394829430288 ,201905031805() , ,( yields This

),1131234567890(mod2897344168039215440002363261045116192

4971931421

:following thesolve toneed they would instead,approach systemlinear thechose 7 and

3, 2, persons If secret. obtain the and polynomial t thereconstruc could people any three Similarly,

)(Continued

21

2

1

aaS

aaS

1 Example


users. existing of shares affecting without ddistribute and computed bemay users)

new(for shares New users. newfor Extendable (3)secret. theof size theis share one of size The Ideal. (2)

probable.equally remain secret shared theof 1 0 valuesall shares,fewer or 1any of knowledgeGiven Perfect. (1)

scheme. thresholdsShamir' of Properties

pS t


problems). theoretic-number of difficulty about the (e.g., sassumptionunproven any on

rely not doessecurity itsschemes, hiccryptograpmany Unlikes.assumptionunproven No (5)

structure. access the changing o without tindividualupon that control

more bestows shares multipleuser with single a Providing possible. control of levels Varying (4)

3.2 Vector Scheme

point. thedeterminesexactly shyperplane theof any ofon intersecti The point.

theincludes that hyperplane ldimensiona-1)(an ofequation theis shadowEach space. ldimensiona

-in point a as defined is message The space.in points using scheme a inventedBlakley George

tt

t

3.2 Vector Scheme (Continued)

share. theas user each

to hyperplane theransferssecurely t and

,)(mod setting , 1 , modulo

, , tscoefficient independen random, 1 chooses (1.2)

. modulo space ldimensiona-in ) , ,, ,(point a defines and modulorandomly

, ,, chooses . prime a chooses (1.1)users. among distribute toit wishes

integer secret a with begins party trustedThe . (1).recover

can shares their pool which users of groupany :RESULTusers. to

secret a of shares sdistributeparty trusteda :SUMMARYscheme threshold) ,( sBlakley'

201

2012

0

1

210

1210

0

i

itj j

ijt

tj j

ijt

iit

i

t

t

P

yxax

psasynipa

atT

ptssssQpsssTspT

nsSTSetup

St

nS

nt

2 Mechanism


. notingby recovered issecret The. modulo inverted becan matrix

the, modulo nonzero ismatrix thisoft determinan theas long As

).(mod

1

11

equationmatrix theyieldThey . 1 , users example,For ). , ,, ,(point theofn computatio

allowing shyperplanedistinct provide sharesTheir shares.their pool users moreor of groupAny shares. of Pooling (2)

0

2

1

1

1

0

10

21

20

11

10

1210

Ssp

p

p

y

yy

s

ss

aa

aaaa

tiPtssssQ

t t

tt

tt

i

t


.491934 :E161257 :D186536 :C102752 :B

68194 :A:planes following

theE D, C, B, A, people five thegive weSuppose 73.Let scheme. threshold-5) (3, aconstruct sLet'

102

102

102

102

102

xxxxxxxxxxxx

xxx

p2 Example


.recover tocooperatecan E D, C, B, A, of any three ,Similarity . 42 is

secret theso 57), 29, (42,) , ,( issolution The

).73(mod181068

16536127521194

solve they secret, erecover th to wantsC B, A, If)(Continued

0

210

2

1

0

SxS

xxx

xxx

2 Example


).,( versus) , , ,( :methodShamir in the than those

person each by carried be n toinformatio more requiresIt (3).invertible always ismatrix that theso

, , tscoefficien choose to waysarrange tohard benot

It would .guaranteednot is is though th,invertible ismatrix t thelikely tha very isit large, reasonably is as long As )2(

pieces. no knowingover opponent an toadvantage some is there,coordinate

one than more ddistributebeen hassecret theIf secret. thecarry toused be should coordinate oneonly that Note (1)

20

2

0

yxyaa

a

a

p

iit

i

it

i

Comment.

3.3 Secret Sharing with Cheaters Colonels Alice, Bob, and Carol are in a bunker

deep below some isolated field. One day, they get a coded message from the president: “Launch the missiles. We’re going to eradicate the last vestiges of neural network research in the country.” Alice, Bob, and Carol reveal their shares, but Carol enters a random number. She’s actually a pacifist and doesn't want the missiles launched. Since Carol doesn't enter the correct share, the secret they recover is the wrong secret. The missiles stay in their silos. Even worse, no one knows why.

3.3 Secret Sharing with Cheaters (Continued)

). (i.e., incorrect""but 1}), ,1, {0, (i.e.,

legal"" is tedreconstruc secret the, and , ,

, , from that,meanst participanth thedeceiving

Here, .t participanth a deceive that , , ,shares new fabricatecan , , , tsparticipan

1any that 0 y probabilit small aonly is There1}. ,1, {0, secret theSuppose

1

21

121

121

SSsS

SSS

SSt

itSSSiii

tsS

tt

t

ii

ii

tiii

t

1 Property


).( where), ,( Let 1}. , 2, {1, from elementsdistinct of nspermutatio all

among fromrandomly anduniformly ) , , ,( Choose (3)

. )( , modulo polynomial

random thedefining 1,0 , , , tscoefficient independen random, 1select and Define (2)

). , 1)/1)( max(( primeany Choose (1)0.>any for , than less is cheating undetected ofy probabilit

that theso scheme sShamir'modify :SUMMARYscheme threshold) ,( sShamir' Modified

21

1

0

11

0

iiiii

n

t

jj

j

jt

xqddxSpn

xxx

xaxqp

paaatSa

nttsp

nt

3 Mechanism


. and )( )( ifonly secret incorrect t thereconstruc willt Participan

points. 1most at in )(intersect can )(polynomial asuch , If above. points fabricated

theand ) (0,point he through tpassing 1most at degree of )( polynomialdistinct a defines }1

, 1, {0, 'secret possibleEach .t participan

tosend to), ,( ,), ,( ), ,( values fabricate , , , tsparticipan Suppose Proof.

112211

121

SSxqxqSi

txqxqSS

Stxqs

Si

dxdxdxiii

tt

tt

iiS

t

S

S

t

iiiiii

t


. ))/(1()1(most at is t participan deceiving of

yprobabilit theThus ).)/(1(most at y probabilit with t participan deceive wouldspolynomial

theseof oneAny s.polynomial ingcorrespond 1yield valuesfabricated theso secrets,incorrect but

legal 1 are There ).)/(1(most at is )(

)(y that probabilit the with )(

polynomialeach for Thus }. ,, ,{- } 1

, 2, {1, ofelement random a is that Recall Proof.

121

tptsitpt

is

stptxq

xqSSxq

xxxp

x

t

t

i

iSiS

iii

i

t

tt

t

t

4 Flipping Coins over the Telephone 4.1 Scenario A friend, not realizing that Alice and Bob are

no longer together, leaves them a car in his will. How do they decide who gets the car? Bob phones Alice and says he’ll flip a coin. Alice chooses “tails” but Bob says “sorry, it was heads.” So Bob gets the car. For some reason, Alice suspects Bob might not have been honest. She resolves that the next time this happens, she'll use a different method.

4.2 A Problem Solution Here is a thought. Alice picks a random bit

b1 and sends it to Bob, and Bob picks a random bit b2 and sends it to Alice, and the value of the coin is b1 b2. The problem is who goes first. If Alice goes first, Bob will choose b2 to make the coin whatever he wants. Not fair.

4.3 Requirements for Fair Flipping Coin (1) Bob must flip the coin before Alice

guesses. (2) Bob must not be able to re-flip the coin

after hearing Alice’s guess. (3) Alice must not be able to know how the

coin landed before making her guess.

4.4 Flipping Coin Using Square Roots

wins.Bob ), (mod If wins.she that Alice tellsBob), (mod If (4)

Bob. toit sends and ,say random,at one chooses She . modulo of ,

roots squarefour thefind to and of knowledgeher uses Alice (3)Alice. tosendsbut secret keeps He

).(mod computes and integer random a chooses Bob (2)

Bob. toproduct thesendsbut secret themkeeps She 4. mod 3 to

congruentboth ,and primes random large twochooses Alice (1)session.coin flippingeach achieve tosteps following thePerform

coin. flippingin guess the winsBobor Alice :RESULTchannel. public

aover messages 4 exchange Bob and Alice users :SUMMARYroots square using protocolcoin Flipping

2

nxbnxb

bnybaqp

yx nxyx

q pn qp

1 Protocol

Alice Bob

qpn

y

b

)( winsBobor )( winsAlicexb

xb

n

2xy

yba 22

4.4 Flipping Coin Using Square Roots (Continued)


. ofion factorizat for the Bob askingby cheatt didn' Bob check thatcan Alice So case. in this and

produce toable benot should he Therefore, .number thehimsent Alice when had hen than informatio more

no has Bob , Bob sends Alice If sends. Alice valuetheminusor plusnot is of valuehis when be would and

factors theproduce could Bobonly way the,factor to infeasiblenally computatio isit if Therefore, . offactor

nontrivial a gives ),gcd( ,particularin .factor can he so ), (mod of roots squarefour all knows

Bob then ), (mod and Bob to sends Alice IfExplain.

nq

pn

x xqp

nn

nbxnny

naxb


). (mod262333410393785035or 6186768891012103737 yield toways

fourin together theseputs theoremremainder Chinese The).(mod 325656728 and ) (mod 1701899961that

knows she e,).Therefor (mod 325656728 and

)(mod1701899961 computes Alice Alice. to

sends hewhich ), od55491705(m3632786010

computes and 3730950481414213562 takesBob Bob. to9917719372426317299 sends She.1190494759 and 2038074743 chooses Alice

1)/4(

1)/4(

2

nx

qxpxqy

py

nxy

xqpn

qp

q

p

3 Example


won.he that provecan he ,1190494759)23334103,93785035265483562373090gcd(141421

computingBy victory.claims BobThen Bob. to 233341039378503526 sends Alice that instead Suppose

winner. theAlice declares Bob so ), (mod is This Bob. to86768891012103761 sends Alice Suppose

)(Continued

n

nx

3 Example


is.not try thshould she, Therefore . offactor nontrivial a find toBob allow will choices wrong three theofEach send. toAlicefor numbers of choicesfour are sign there Up. of roots squareeight are there

But primes. threeofproduct a sendingby Bob deceive totries Alice that is caseOther game. theof end at the ofion factorizat

for the Aliceask could Bob course, Of primes. twoofproduct a of instend prime a sendingby Bob deceive to triesAlice Suppose (2)

. tocongruent is sends Alicenumber theof square that thecheckingby isagainst th guardcan Bob . factoring

from Bobprevent surely would then this, ofroot square athan rather number random a Bob sendingby cheat to triesAlice If (1)

concerns.Security

n

y

n

yn

y


number.her of square thetocongruent iswhich number, sBob' of square theis has shen informatio

only thesince thisdisputecannot Alice him.sent Alice that valueeexactly th was of valuehis

claimcan then He lose. to wantshe decides Bob Suppose procedure. in this flaw one is There (3)

Continued)concerns.(Security

x

5 Poker over the Telephone A protocol similar to the fair flipping coin

protocol allows Alice and Bob to play poker with each other over the telephone. Instead of Bob making two messages, one for “Heads” and one for “Tails”, he makes 52 numbers, c1, c2,..., c52, one for each card in the deck. How to make sure that no one has cheated?

5.1 Idea Bob encrypts the cards c1, c2,..., c52 using his

key and sends to Alice. Alice chooses five cards at random, encrypts them with her encrypted key, and then sends them back to Bob. Bob decrypts the cards and sends them back to Alice, who decrypts them to determine her hand. She then chooses five more cards at random and sends them back to Bob. Bob decrypts these and they become his hand.

5.1 Idea (Continued) During the game, additional cards can be

dealt to either player by repeating the procedure. At the end of the game, Alice and Bob both reveal their cards and key pairs so that each can be assured that the other did not cheat.

5.2 Poker Based on Discrete Logarithm Problem

Alice. to themsends and,521for )(mod computes Bob .prearrange some via modulo

,, , numbersdistinct 52 tochanged are cards 52 The (2)also.) handeach for used be could and , ,different (A

. )1( 1mod such that computes and 1,)1,gcd( with interger secret a chooses Bob . )1( 1mod

such that computes and 1,)1,gcd( with interger secret a chooses Alice . prime eappropriatan on agree Bob and Alice (1)

session.poker theachieve tosteps following thePerformcards. fivedealt ispalyer each :RESULT

channel. public aover messages 4 exchange Bob and Alice palyers :SUMMARY

problem logarithm discreteon based protocolPoker

5221

ipcbp

cccp

ppp

pp

ii

2 Protocol

5.2 Poker Based on Discrete Logarithm Problem (Continued)

hand. his him gives This .51for )(mod

computes whoBob, back to themsends and , ,

, , numbers theof more five chooses then Alice (5)hand.her Alice

gives This power. the toraises whoAlice, tothem sends and ,power the tonumbers theseraises Bob (4)

Bob. tonumbers thesesends and ,51for )(mod

computes , , , , numbers five chooses Alice (3))(Continued problem

logarithm discreteon based protocolPoker

5

21

521

jpb

b

bb

jpb

bbb

j

j

k

k

kk

i

iii

2 Protocol

AliceBob

521for )(mod ipcb ii

51for jbjk

)(mod)) (( pbcjj ii

)(mod) ( pbjk

51for )(mod jpbji

51for )(mod) ( jpbji



). modulo are es(congruenc calculates now Bob.200508901 computes Bob and 024062734

compute Alice 7654321.secret his chooses Bob and 1234567secret her chooses Alice .2396271991 be prime Let the

10305.ace 11091407,king,1721050514queen 10010311,jack 200514,ten:following

thehave weso,,02,01 using numbers tocards theChange card. onedealt isplayer Each ace. king, queen, jack, ten,

:cards fiveonly are there wheregame simplified aconsider sLet'

p

p

ba

4 Example


). (mod17005360071230896099

:Alice back toit sends and power the to thisraises Bob). (mod1230896099914012224

:Bob it to sends and ,power theit to raises-fourth theexample,for -numbers theseof one choosingby cardher chooses now Alice.74390103 ,914012224 ,2337996540 ,1112225809 ,1507298770

:Alice to themsends andnumber theseshuffles He.111222580910305

233799654011091407

743901031721050514

150729877010010311

914012224200514

)(Continued

p

p

4 Example


ten. thewasAlice sent to he card that theshow and computequickly can

Bob king. thehas she claim to triesAlice Suppose . and secret their reveal then Bob and Alice cheating,prevent To

jack. theis card his Therefore,. ) od10010311(m1507298770

computes Bob Bob. back toit sending and1507298770 example,for -received she cards original the

of one choosingsimply by card sBob' chooses Alice Now ten. the thereforeis cardHer

). (mod2005141700536007

:power the to thisraises now Alice)(Continued

p

p

4 Example


residue.-non quadratic a is if ), (mod1residue quadratic a is if ), (mod1

:residue-nonor residue quadratic a is)(mod0number anot or whether decide oeasy way tan is There (2)

problems. logarithm discrete aresolve toneeds Alice that equations But these .)(mod

form theof equations solve toneed wouldAlice

means This . card dunencrypte fixed a toscorrespond card encrypted which guess could She cards. sBob' deduce toAlicefor difficult quite be toseemsIt (1)

concerns.Security

21

cpcp

c

pc

pb

c

cb

p

i

j

i

i


example. following the theSee result. thisusing Bobover advantagean gainsmay Alice cards. the ofpower and the toapplies alsostatement

ingcorrespond The residue. quadratic a is ifonly and

if modulo residue quadratic a is that meansIt

).(mod

and , toencrypted

is cardA odd. are and e,1.Therefor)1 ,gcd( and 1)1 ,gcd( needed that weRecall

)(Continued concerns.Security

21

21

21

c

pc

pccc

c

cpp

ppp


residues. quadratic are cards remaining theall whileresidue,-non a is ace only the so

,110305

111091407

11721050514

110010311

1200514

fact,In random.not was prime of choice The example. simplified thereturn to sLet'

21

21

21

21

21

p

p

p

p

p

p 5 Example


. ace theiscardher that finds she course, Of .power theit to raises whoAlice,

back toit sends and power theit to rasies He Bob. it to sendsthen ,power theit to raises She .1112225809 is ace heher that t tellsThis

.174390103

1914012224

12337996540

11112225809

11507298770

computes she hand,her choosing is AliceWhen )(Continued

21

21

21

21

21

p

p

p

p

p

5 Example

Thank you!

lecture 13 secret sharing schemes and game

Documents

secret sharing schemes

game secret

single piece

launch program

sauce recipe

mechanical launch controller

threshold schemes youre

general distributed