Information Sciences 179 (2009) 1657–1662
Selling multiple secrets to a single buyer
A. Martín del Rey a,*, G. Rodríguez Sánchez b
a Department of Applied Mathematics, E.P.S. de Ávila, Universidad de Salamanca, C/ Hornos Caleros 50, 05003-Ávila, Spain
b Department of Applied Mathematics, E.P.S. de Zamora, Universidad de Salamanca, Avda. Requejo 33, 49022-Zamora, Spain
Article history: Received 4 July 2007; Received in revised form 15 January 2009; Accepted 16 January 2009
Keywords: Cryptography; Jacobi symbols; Number theory; Cryptographic protocols; Secret selling
doi:10.1016/j.ins.2009.01.020
* Corresponding author. E-mail addresses: [email protected] (A.M. del Rey), [email protected] (G.R. Sánchez).
Abstract
This paper deals with the original work due to Brassard et al., in which an algorithm to sell only one secret to one buyer was introduced. It is based on the theory of quadratic residues modulo an integer and Jacobi symbols. Unfortunately, this algorithm exhibits an important security drawback: the seller can disclose more than one secret to the buyer instead of only one. This problem was overcome by other, more sophisticated protocols. Although the problem has been satisfactorily tackled, the main goal of this work is to modify the original work (preserving its flavour) in order to securely disclose multiple secrets without the participation of more buyers, but with a trusted third party.
© 2009 Elsevier Inc. All rights reserved.
1. Introduction
The idea of public-key cryptography was put forward publicly in scientific circles by Diffie and Hellman in 1976, although this idea was pioneered by Ellis and Cocks, of the British intelligence agency GCHQ, in the late 1960s and early 1970s. Since then, several public-key cryptographic protocols have appeared in the literature (see, for example, [11,16,22,24]). One of these protocols is the secret selling of secrets. This protocol is based on the following problem: Alice (A) has k secrets and she is willing to sell any of them to Bob (B), but she wants to ensure that if he pays for only one secret he cannot obtain any information about the others. Bob would like to buy one of the secrets from Alice, but he wants to ensure that Alice cannot obtain any information about which of her secrets he has obtained. This problem was initially tackled by the all-or-nothing disclosure of secrets (ANDOS) protocol developed by Brassard et al. [3,4]. It is based on the use of Jacobi symbols and the computation of square roots in $\mathbb{Z}_n$, where n is a composite integer with two large prime factors. Unfortunately, this initial protocol has an important drawback: the buyer can pay for only one secret and yet obtain several secrets. It has been overcome by other ANDOS protocols. In [21] an efficient ANDOS protocol is proposed involving several buyers and assuming that the majority of them are honest; in [17] another ANDOS protocol relying on ad hoc assumptions is introduced. In [23], Stern proposed an ANDOS algorithm that needs a zero-knowledge proof to establish the validity of the query sent by B, and thus needs multiple rounds of communication. Moreover, several proposals of this type of protocol have been introduced in the literature (see, for example, [5,15,18,23]). These are based on more complicated mathematical techniques, and some of them require at least two buyers in order to work. In [19,20] the problem of blind decoding, which is similar to the ANDOS protocol, is introduced.
In this scheme, B is supposed to have an encrypted secret and has it decrypted by A such that the seller does not obtain any information either on the plaintext or on B's private key. Furthermore, ANDOS protocols are intimately related to private information retrieval (PIR) protocols. These schemes allow one to retrieve information from a database while keeping the query private from the database managers. They were initially introduced by Chor et al. in [8], although the problem was also independently studied in the context of implementing an anonymous messaging service for mobile users by Cooper and Birman [9]. Subsequently, Chor and Gilboa [7] introduced the notion of computationally private information retrieval protocols, in which the privacy of users is guaranteed only against computationally bounded servers. A PIR scheme with polylogarithmic communication complexity is constructed in [6]. In [14] a single-database PIR based on any one-way trapdoor permutation is reported. Moreover, more PIR-based protocols have been proposed (see, for example, [1,2,10,12,13]).
These protocols have several applications, such as multiplicative relationships and polynomial arithmetic, the two-message millionaires' protocol with logarithmic communication, conditional oblivious transfer, electronic voting, auctions without random oracles, etc.
This paper addresses the original work of Brassard et al. Specifically, the main goal of this work is to modify it in order to sell multiple secrets in a secure way without the participation of other buyers, while preserving the flavour of the original work. In the protocol proposed here, Alice is assured of being paid for all the secrets bought by Bob, and Bob is assured that Alice gains no information about these secrets.
The rest of the paper is organized as follows. In Section 2, some mathematical preliminaries are introduced. The protocol for the secret selling of secrets is presented in Section 3. Section 4 addresses the modified protocol to securely sell multiple secrets, and an example is offered. Finally, the conclusions are presented in Section 5.
2. Mathematical background
Let n be an integer. An element $X \in \mathbb{Z}_n^*$ is said to be a quadratic residue modulo n if there exists another element $x \in \mathbb{Z}_n^*$ such that $x^2 \equiv X \pmod n$. The set of all quadratic residues modulo n is denoted by $Q_n$. The element x is called a square root of X modulo n.
If n is an odd prime and $X \in Q_n$, then X has exactly two square roots modulo n. Moreover, if $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ with $e_i \geq 1$, then X has $2^k$ different square roots modulo n. Consequently, if $n = p \cdot q$, where p and q are odd primes, then X has four square roots modulo n:
$$x = \pm u \, q \, (q^{-1} \bmod p) \pm v \, p \, (p^{-1} \bmod q),$$
where
$$(\pm u)^2 \equiv X \pmod p, \qquad (\pm v)^2 \equiv X \pmod q.$$
An interesting result with cryptographic applications is the following (see, for example [16]):
Proposition 1. Let $n = p \cdot q$, where p and q are unknown odd primes. Then the problem of computing the square roots of $X \in Q_n$ is computationally equivalent to the problem of factoring n.
A useful tool for deciding whether or not an integer x is a quadratic residue modulo an odd prime p is the Legendre symbol $\left(\frac{x}{p}\right)$. It is defined as follows:
$$\left(\frac{x}{p}\right) = \begin{cases} 0 & \text{if } p \text{ divides } x; \\ 1 & \text{if } x \in Q_p; \\ -1 & \text{if } x \notin Q_p. \end{cases}$$
The Jacobi symbol is a generalization of the Legendre symbol to odd integers $n \geq 3$, which are not necessarily prime. The Jacobi symbol $\left(\frac{x}{n}\right)$, when $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, is:
$$\left(\frac{x}{n}\right) = \left(\frac{x}{p_1}\right)^{e_1} \left(\frac{x}{p_2}\right)^{e_2} \cdots \left(\frac{x}{p_k}\right)^{e_k}.$$
Note that the Jacobi symbol is 0, 1 or $-1$. Moreover, $\left(\frac{x}{n}\right) = 0$ if and only if $\gcd(x, n) \neq 1$.
The following result relates the square roots modulo n to the Jacobi symbols (see [16]):
Proposition 2. Let $n = p \cdot q$, where p and q are odd primes such that $p \equiv 3 \pmod 4$ and $q \equiv 3 \pmod 4$. Then two different square roots of X modulo n have distinct Jacobi symbols.
3. The protocol to sell secrets
Let us assume that the seller A has k secrets for sale: $s_1, \ldots, s_k$. The protocol to sell a secret (see [3,4]) is based on the RSA cryptosystem, and it allows buyer B to buy one secret, $s_j$, such that A does not obtain any information about which one. The protocol is as follows:
1. A computes k pairs of RSA keys: $\{(n_i, e_i), d_i\}$, $1 \leq i \leq k$, where $n_i$ satisfies the conditions of Proposition 2. Subsequently, for each i, A encrypts the secret $s_i$ with the ith public key to obtain the corresponding cryptogram: $c_i \equiv s_i^{e_i} \pmod{n_i}$.
2. A sends the k encrypted secrets, $c_1, \ldots, c_k$, to B, with the corresponding public keys: $(n_1, e_1), \ldots, (n_k, e_k)$.
3. B computes k random numbers, $x_1, \ldots, x_k$, such that $\gcd(x_i, n_i) = 1$ for $1 \leq i \leq k$. Moreover, for each $x_i$, B also calculates $X_i \equiv x_i^2 \pmod{n_i}$ and the Jacobi symbol $\left(\frac{x_i}{n_i}\right)$.
4. B sends the following pairs to A:
$$\left(X_1, \left(\frac{x_1}{n_1}\right)\right), \ldots, \left(X_j, -\left(\frac{x_j}{n_j}\right)\right), \ldots, \left(X_k, \left(\frac{x_k}{n_k}\right)\right).$$
5. For each i, A computes the square root of $X_i$ modulo $n_i$ whose Jacobi symbol is equal to that sent by B. Consequently, A obtains the sequence
$$x_1, \ldots, x_{j-1}, y_j, x_{j+1}, \ldots, x_k, \qquad (1)$$
which is sent to B. Note that A can compute these square roots since he/she possesses the private keys.
6. B obtains two different square roots of $X_j$ modulo $n_j$: $x_j$ and $y_j$. Then B can factorize $n_j$ and decrypt $c_j$. Consequently, B knows the secret $s_j$, and A has no information about the secret bought.
Unfortunately, this protocol has a serious drawback. It allows B to buy several secrets by simply replacing the corresponding Jacobi symbols. In this case, B pays for only one secret but obtains many. There have been several proposals to overcome this drawback (see, for example, [18,21,23]). Nevertheless, these works involve the participation of multiple buyers.
4. The proposed protocol to sell secrets
In this section, a modified version of the protocol stated in the last section is introduced. This new algorithm guarantees the confidentiality of the secrets bought. Furthermore, the seller is assured of being paid for all of them. It does not involve the participation of more buyers, although a trusted third party (TTP) is required.
4.1. The protocol
The proposed algorithm is as follows:
1. A computes k pairs of RSA keys: $\{(n_i, e_i), d_i\}$, $1 \leq i \leq k$, where $n_i$ satisfies the conditions of Proposition 2. Subsequently, A encrypts the secret $s_i$ with the ith public key to obtain the corresponding cryptogram: $c_i \equiv s_i^{e_i} \pmod{n_i}$.
2. A sends the k encrypted secrets, $c_1, \ldots, c_k$, to B with the corresponding public keys: $(n_1, e_1), \ldots, (n_k, e_k)$.
3. A sends the k public keys to the TTP.
4. The TTP computes k random numbers, $x_1, \ldots, x_k$, with $\gcd(x_i, n_i) = 1$, $1 \leq i \leq k$, and their Jacobi symbols:
$$\left(\frac{x_1}{n_1}\right), \ldots, \left(\frac{x_k}{n_k}\right).$$
5. The TTP computes the hashes of the following sequences of Jacobi symbols (using, for example, SHA-1):
$$\left(-\left(\frac{x_1}{n_1}\right), \ldots, \left(\frac{x_j}{n_j}\right), \ldots, \left(\frac{x_k}{n_k}\right)\right) \xrightarrow{\text{hash}} r_1$$
$$\vdots$$
$$\left(\left(\frac{x_1}{n_1}\right), \ldots, -\left(\frac{x_j}{n_j}\right), \ldots, \left(\frac{x_k}{n_k}\right)\right) \xrightarrow{\text{hash}} r_j$$
$$\vdots$$
$$\left(\left(\frac{x_1}{n_1}\right), \ldots, \left(\frac{x_j}{n_j}\right), \ldots, -\left(\frac{x_k}{n_k}\right)\right) \xrightarrow{\text{hash}} r_k.$$
Consequently, the sequence of hashes $\{r_1, \ldots, r_k\}$ is obtained.
6. The TTP sends the k random numbers, $x_1, \ldots, x_k$, to B.
7. The TTP sends the set $R = \{r_{\pi(1)}, \ldots, r_{\pi(k)}\}$ to A, where $\pi$ is a secret permutation of k elements.
8. For each $x_i$, $1 \leq i \leq k$, B computes $X_i \equiv x_i^2 \pmod{n_i}$ and its Jacobi symbol, $\left(\frac{x_i}{n_i}\right)$.
9. B sends the following pairs to A:
$$\left(X_1, \left(\frac{x_1}{n_1}\right)\right), \ldots, \left(X_j, -\left(\frac{x_j}{n_j}\right)\right), \ldots, \left(X_k, \left(\frac{x_k}{n_k}\right)\right).$$
10. A computes the hash, $\tilde{r}$, of the sequence of Jacobi symbols given by B, and checks whether it is in R. If $\tilde{r} \notin R$, then A is sure that B cheated on the protocol; otherwise, everything is correct and steps 5 and 6 of the protocol of Section 3 are carried out.
4.2. Example
Let us consider the following artificially chosen parameters, with $e_i = 3$ for $1 \leq i \leq 5$:

i   p_i         q_i         n_i                    d_i
1   3268441487  3693762287  12072845901946800769   8048563929989731331
2   3121416119  8453187599  26385916028449508281   17590610677916603043
3   4109086403  7872753179  32349823042003925137   21566548686681390371
4   6766282883  9323818103  63087590834534430949   42058393878962886643
5   3256595843  8592359207  27981841275078976501   18654560842153347635

Suppose that B wants to buy the secret $s_3$ from the collection of secrets of A given by:
$$S = \{s_1 = 111111,\ s_2 = 222222,\ s_3 = 333333,\ s_4 = 444444,\ s_5 = 555555\}.$$
Then, A computes the cryptograms:
$c_1 = 1371737997260631$,
$c_2 = 10973903978085048$,
$c_3 = 37036925926037037$,
$c_4 = 87791231824680384$,
$c_5 = 171467249657578875$
and sends them to B with the corresponding public keys. Furthermore, the public keys are also sent to the TTP. The TTP selects the following random numbers:
$x_1 = 42290856852913293624$,
$x_2 = 13059213956361040692$,
$x_3 = 85466088309157552416$,
$x_4 = 46762113275681783499$,
$x_5 = 26611806444069555645$
and sends them to B. Moreover, the TTP computes the sequence of Jacobi symbols corresponding to $\{x_1, \ldots, x_5\}$, which is:
$$\{-1, -1, 1, -1, -1\}.$$
Then, using the SHA-1 hash function, the TTP computes
$r_1$ = 6dc48aa9491ae4fc3c20f11ef34596943f0c2314,
$r_2$ = 142037a42fa2963ce49e804cda30227eedfb782b,
$r_3$ = 6934105ad50010b814c933314b1da6841431bc8b,
$r_4$ = b3957c5148a3b8cc29a7996a634d1bedbc876bf9,
$r_5$ = 7c4d66f7652a51c693ae4605ca686346af749c92
and sends $R = \{r_3, r_1, r_4, r_5, r_2\}$ to A, where $\pi$ is the following permutation:
$$\pi(1) = 2,\ \pi(2) = 5,\ \pi(3) = 1,\ \pi(4) = 3,\ \pi(5) = 4.$$
When B receives the random numbers, he/she computes:
$$X_1 \equiv 42290856852913293624^2 \pmod{12072845901946800769} = 1289030948236960923,$$
$$X_2 \equiv 13059213956361040692^2 \pmod{26385916028449508281} = 10685825643793287934,$$
$$X_3 \equiv 85466088309157552416^2 \pmod{32349823042003925137} = 4861544229534432579,$$
$$X_4 \equiv 46762113275681783499^2 \pmod{63087590834534430949} = 11186500821343347869,$$
$$X_5 \equiv 26611806444069555645^2 \pmod{27981841275078976501} = 14422273983078200403.$$
Since B wants to buy the third secret, he/she sends the sequence $\{X_1, \ldots, X_5\}$ to A with the Jacobi symbols $\{-1, -1, -1, -1, -1\}$ (note that the third one is changed).
A checks that the hash of the sequence $\{-1, -1, -1, -1, -1\}$ is in R and, for each i, computes the square root of $X_i \pmod{n_i}$ whose associated Jacobi symbol corresponds to the one given in the sequence. Consequently, the square roots computed are:
$x_1 = 42290856852913293624$,
$x_2 = 13059213956361040692$,
$y_3 = 11583380816854222995$,
$x_4 = 46762113275681783499$,
$x_5 = 26611806444069555645$
and they are sent to B. Finally, since B has two square roots of
$$X_3 = 4861544229534432579 \pmod{32349823042003925137},$$
he/she can obtain the secret $s_3$, because B can factorize $n_3$.
4.3. Security analysis
The security of the original protocol of Brassard et al. is based on the security of the RSA cryptosystem (note that Proposition 1 states that the problem of computing square roots is computationally equivalent to the problem of factoring the corresponding integer).
The protocol proposed in this work is a modification of that of Brassard et al. and, consequently, its security also relies on RSA security. Nevertheless, some details must be taken into account as regards the new steps added. Since the TTP computes the hashes of the sequences of Jacobi symbols, it is computationally infeasible for the seller A to learn the secret bought by B, because A only knows these hashes. As a consequence, the security of this step is based on the security of the hash function used, for example SHA. Nevertheless, the TTP must also use a secret permutation, $\pi$, to shuffle the hashes, because otherwise A could learn the position of the secret.
Moreover, as a TTP is introduced into the protocol, there is no possibility of denial.
4.4. Selling multiple secrets
The proposed protocol can be readily modified to allow B to buy $1 < m < k$ secrets in a way that is secure for all participants of the protocol. In this case, the TTP must compute the hashes of all sequences of Jacobi symbols
$$\left(\frac{x_1}{n_1}\right), \ldots, \left(\frac{x_k}{n_k}\right)$$
with one modified symbol, with two modified symbols, etc. Then B modifies the symbols corresponding to the secrets that he/she wants to obtain and, when A receives the sequence, he/she can check the number of modified symbols, knowing the number of secrets to be sold.
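The complete run of Sections 4.1 and 4.4, as an added Python simulation that is not the paper's own code: it uses the five RSA key pairs of the Section 4.2 example (with $e_i = 3$), the square-root and Jacobi-symbol machinery of Section 2, and the cheat check of step 10. Assumptions not fixed by the paper: a Jacobi-symbol sequence is hashed as a string of '+'/'-' characters, the TTP's secret permutation is modelled by handing A an unordered set, and the TTP commits to every sequence with exactly m flipped symbols.

```python
import hashlib
import random
from itertools import combinations
from math import gcd

# (p_i, q_i, e_i) from the paper's Section 4.2 example, p_i, q_i = 3 (mod 4). Toy sizes: with e = 3
# and s_i^3 < n_i the cryptograms are plain cubes, so a real deployment needs full-size keys and padding.
KEYS = [(3268441487, 3693762287, 3), (3121416119, 8453187599, 3), (4109086403, 7872753179, 3),
        (6766282883, 9323818103, 3), (3256595843, 8592359207, 3)]
SECRETS = [111111, 222222, 333333, 444444, 555555]  # s_1, ..., s_5 of the paper's example

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by the standard reciprocity algorithm."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def sqrt_blum(X, p, q):
    """The four square roots of X mod p*q for primes p, q = 3 (mod 4) (Section 2): u = X^((p+1)/4)
    mod p and v = X^((q+1)/4) mod q, combined by the CRT. Two of the roots carry each Jacobi symbol."""
    u, v = pow(X, (p + 1) // 4, p), pow(X, (q + 1) // 4, q)
    n, cp, cq = p * q, q * pow(q, -1, p), p * pow(p, -1, q)
    return {(su * u * cp + sv * v * cq) % n for su in (1, -1) for sv in (1, -1)}

def hash_symbols(symbols):
    """Step 5: SHA-1 of a symbol sequence; encoding each symbol as '+' or '-' is our assumption."""
    return hashlib.sha1("".join("+" if s == 1 else "-" for s in symbols).encode()).hexdigest()

def random_unit(n, rng):  # the TTP's x_i of step 4: random with gcd(x_i, n_i) = 1
    while True:
        x = rng.randrange(2, n)
        if gcd(x, n) == 1:
            return x

def run_protocol(keys, secrets, wanted, seed=0, m=1):
    """One run in which B flips the symbols at the indices in `wanted`; the TTP commits to every
    sequence with exactly m flips (m = 1: Section 4.1, m > 1: Section 4.4). Returns (A accepts, B's secrets)."""
    rng = random.Random(seed)
    pub = [(p * q, e) for p, q, e in keys]
    cts = [pow(s, e, n) for s, (n, e) in zip(secrets, pub)]  # steps 1-2: c_i = s_i^e_i mod n_i
    xs = [random_unit(n, rng) for n, _ in pub]  # step 4
    sym = [jacobi(x, n) for x, (n, _) in zip(xs, pub)]
    # Steps 5-7: A gets only hashes; a set stands in for the secret permutation (order reveals nothing).
    R = {hash_symbols([-s if i in flip else s for i, s in enumerate(sym)])
         for flip in combinations(range(len(keys)), m)}
    Xs = [pow(x, 2, n) for x, (n, _) in zip(xs, pub)]  # steps 8-9: B squares and flips
    sent = [-s if i in wanted else s for i, s in enumerate(sym)]
    if hash_symbols(sent) not in R:  # step 10: the sequence was never committed to, so B cheated
        return False, []
    # Section 3, step 5: for each i A returns a root of X_i carrying the symbol B claimed.
    roots = [next(r for r in sqrt_blum(X, p, q) if jacobi(r, p * q) == s)
             for X, (p, q, _), s in zip(Xs, keys, sent)]
    recovered = []
    for i, (x, y, (n, e), c) in enumerate(zip(xs, roots, pub, cts)):
        f = gcd(x - y, n)  # flipped position: y != ±x, so this is p_i or q_i; otherwise 1 or n
        if 1 < f < n:
            d = pow(e, -1, (f - 1) * (n // f - 1))  # B now holds the private key of n_i
            recovered.append((i, pow(c, d, n)))
    return True, recovered
```

`run_protocol(KEYS, SECRETS, {2})` reproduces the honest purchase of $s_3$, `{1, 2}` with `m=1` is rejected at step 10, and `{0, 2}` with `m=2` is the Section 4.4 sale of two secrets.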
5. Conclusions and further work
An important cryptographic protocol is the secret selling of secrets. Basically, it allows a buyer to buy a secret from a seller such that, when the protocol is finished, the seller does not know which secret has been bought. It is based on the use of Jacobi symbols and the computation of square roots in $\mathbb{Z}_n$, where n is a composite integer with two large prime factors. Unfortunately, this protocol has an important drawback: the buyer can pay for only one secret but obtain several secrets. This pitfall has been overcome by the all-or-nothing disclosure of secrets protocols, but such algorithms require at least two buyers in order to work.
Here, a novel protocol to sell multiple secrets without the participation of multiple buyers has been introduced. In this protocol the seller is assured of being paid for all the secrets sold, and the confidentiality of the secrets bought is also guaranteed.
Further work will aim at designing similar protocols based on other public-key algorithms, such as elliptic curve cryptography.
Acknowledgement
This work has been supported by Ministerio de Ciencia e Innovación (Spain) under Grant MTM2008-02773.
References
[1] W. Aiello, Y. Ishai, O. Reingold, Priced oblivious transfer: how to sell digital goods, in: Advances in Cryptology—Proceedings of EuroCrypt 2001, LNCS 2045 (2001) 119–135.
[2] A. Beimel, Y. Ishai, E. Kushilevitz, General constructions for information-theoretic private information retrieval, J. Comput. Syst. Sci. 71 (2005) 213–247.
[3] G. Brassard, C. Crépeau, J.M. Robert, Information theoretic reductions among disclosure problems, in: Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, 1986, pp. 168–173.
[4] G. Brassard, J.M. Crépeau, J.M. Robert, All-or-nothing disclosure of secrets, in: Advances in Cryptology—Proceedings of EuroCrypt 2001, LNCS 263 (1987) 234–238.
[5] D. Boneh, E. Goh, K. Nissim, Evaluating 2-DNF formulas on ciphertexts, in: Proceedings of the Second Theory of Cryptography Conference, TCC 2005, LNCS, vol. 3378, 2005, pp. 325–341.
[6] C. Cachin, S. Micali, M. Stadler, Computationally private information retrieval with polylogarithmic communication, in: Advances in Cryptology-EUROCRYPT'99, LNCS 1592 (1999) 402–414.
[7] B. Chor, N. Gilboa, Computationally private information retrieval, in: Proceedings of the 29th Annual ACM Symposium on Theory of Computing, 1997, pp. 304–313.
[8] B. Chor, O. Goldreich, E. Kushilevitz, M. Sudan, Private information retrieval, in: Proceedings of the 36th Annual Symposium on Foundations of Computer Science, IEEE Computer Society Press, Los Alamitos, CA, 1995, pp. 41–50.
[9] D.A. Cooper, K.P. Birman, Preserving privacy in a network of mobile computers, in: Proceedings of the IEEE Symposium on Security and Privacy, 1995, pp. 26–38.
[10] Y. Gertner, Y. Ishai, E. Kushilevitz, T. Malkin, Protecting data privacy in private information retrieval schemes, J. Comput. Syst. Sci. 60 (2000) 592–629.
[11] K. Kaya, A. Seluk, Threshold cryptography based on Asmuth Bloom secret sharing, Inform. Sci. 177 (2007) 4148–4160.
[12] I. Kerenidis, R. de Wolf, Quantum symmetrically-private information retrieval, Inform. Process. Lett. 90 (2004) 109–114.
[13] E. Kushilevitz, R. Ostrovsky, Replication is not needed: single database computationally-private information retrieval, in: Proceedings of the 38th Annual Symposium on Foundations of Computer Science, IEEE Computer Society Press, Los Alamitos, CA, 1997, pp. 364–373.
[14] E. Kushilevitz, R. Ostrovsky, One-way trapdoor permutations are sufficient for single database computationally-private information retrieval, in: Advances in Cryptology-EUROCRYPT'00, LNCS 1807 (2000) 104–121.
[15] H. Lipmaa, An oblivious transfer protocol with log-squared communication, in: Eighth Information Security Conference (ISC'05), LNCS, vol. 3650, 2005, pp. 314–328.
[16] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1997.
[17] V. Niemi, A. Renvall, Cryptographic protocols and voting, in: Recent Trends in Theoretical Computer Science, LNCS 812 (1994) 307–316.
[18] H. Nurmi, A. Salomaa, L. Santean, Secret ballot elections in computer networks, Comput. Security 10 (1991) 553–560.
[19] K. Ohta, Remarks on blind decryption, in: Proceedings of the First International Workshop on Information Security, LNCS, vol. 1396, 1997, pp. 109–115.
[20] K. Sakurai, Y. Yamane, Blind decoding, blind undeniable signatures and their applications to privacy protection, in: Information Hiding, LNCS 1174 (1997) 257–264.
[21] A. Salomaa, L. Santean, Secret selling of secrets with many buyers, ETACS Bull. 42 (1990) 178–186.
[22] L. Shundong, W. Daoshun, D. Yiqi, L. Ping, Symmetric cryptographic solution to Yao's millionaires' problem and an evaluation of secure multiparty computations, Inform. Sci. 178 (2008) 244–255.
[23] J.P. Stern, A new and efficient all-or-nothing disclosure of secrets protocol, in: Proceedings of ASIACRYPT'98, LNCS, vol. 1514, 1998, pp. 357–371.
[24] B. Wang, Q. Wu, Y. Hu, A knapsack-based probabilistic encryption scheme, Inform. Sci. 177 (2007) 3981–3994.