Author(s): Bruce Schneier

ISBN: 0471128457

Publication Date: 01/01/96

Previous | Table of Contents | Next |

This protocol is self-enforcing. Either party can immediately detect cheating by the other, and no trusted third party is required to participate in either the actual protocol or any adjudication after the protocol has been completed. To see how this works, let’s try to cheat.

If Alice wanted to cheat and force heads, she has three potential ways of affecting the outcome. First, she could encrypt two “heads” messages in step (2). Bob would discover this when Alice revealed her keys at step (7). Second, she could use some other key to decrypt the message in step (4). This would result in gibberish, which Bob would discover in step (5). Third, she could lie about the validity of the message in step (6). Bob would also discover this in step (7), when Alice could not prove that the message was not valid. Of course, Alice could refuse to participate in the protocol at any step, at which point Alice’s attempted deception would be obvious to Bob.

If Bob wanted to cheat and force “tails, ” his options are just as poor. He could incorrectly encrypt a message at step (3), but Alice would discover this when she looked at the final message at step (6). He could improperly perform step (5), but this would also result in gibberish, which Alice would discover at step (6). He could claim that he could not properly perform step (5) because of some cheating on the part of Alice, but this form of cheating would be discovered at step (7). Finally, he could send a “tails” message to Alice at step (5), regardless of the message he decrypted, but Alice would immediately be able to check the message for authenticity at step (6).

*Flipping Coins into a Well*

It is interesting to note that in all these protocols, Alice and Bob don’t learn the result of the coin flip at the same time. Each protocol has a point where one of the parties (Alice in the first two protocols and Bob in the last one) knows the result of the coin flip but cannot change it. That party can, however, delay disclosing the result to the other party. This is known as **flipping coins into a well**. Imagine a well. Alice is next to the well and Bob is far away. Bob throws the coin and it lands in the well. Alice can now look into the well and see the result, but she cannot reach down to change it. Bob cannot see the result until Alice lets him come close enough to look.

*Key Generation Using Coin Flipping*

A real application for this protocol is session-key generation. Coin-flipping protocols allow Alice and Bob to generate a random session key such that neither can influence what the session key will be. And assuming that Alice and Bob encrypt their exchanges, this key generation is secure from eavesdropping as well.

A protocol similar to the public-key fair coin flip protocol allows Alice and Bob to play poker with each other via electronic mail. Instead of Alice making and encrypting two messages, one for heads and one for tails, she makes 52 messages, *M*_{1}, *M*_{2},..., *M*_{52}, one for each card in the deck. Bob chooses five messages at random, encrypts them with his public key, and then sends them back to Alice. Alice decrypts the messages and sends them back to Bob, who decrypts them to determine his hand. He then chooses five more messages at random and sends them back to Alice as he received them; she decrypts these and they become her hand. During the game, additional cards can be dealt to either player by repeating the procedure. At the end of the game, Alice and Bob both reveal their cards and key pairs so that each can be assured that the other did not cheat.

*Mental Poker with Three Players*

Poker is more fun with more players. The basic mental poker protocol can easily be extended to three or more players. In this case, too, the cryptographic algorithm must be commutative.

**(1)**Alice, Bob, and Carol each generate a public-key/private-key key pair.**(2)**Alice generates 52 messages, one for each card in the deck. These messages should contain some unique random string, so that she can verify their authenticity later in the protocol. Alice encrypts all the messages with her public key and sends them to Bob.*E*_{A}(*M*_{n})

**(3)**Bob, who cannot read any of the messages, chooses five at random. He encrypts them with his public key and sends them back to Alice.*E*_{B}(*E*_{A}(*M*_{n}))

**(4)**Bob sends the other 47 messages to Carol.*E*_{A}(*M*_{n})

**(5)**Carol, who cannot read any of the messages, chooses five at random. She encrypts them with her public key and sends them to Alice.*E*_{C}(*E*_{A}(*M*_{n}))

**(6)**Alice, who cannot read any of the messages sent back to her, decrypts them with her private key and then sends them back to Bob or Carol (depending on where they came from).*D*_{A}(*E*_{B}(*E*_{A}(*M*_{n}))) =*E*_{B}(*M*_{n})*D*_{A}(*E*_{C}(*E*_{A}(*M*_{n}))) =*E*_{C}(*M*_{n})

**(7)**Bob and Carol decrypt the messages with their keys to reveal their hands.*D*_{B}(*E*_{B}(*M*_{n})) =*M*_{n}*D*_{C}(*E*_{C}(*M*_{n})) =*M*_{n}

**(8)**Carol chooses five more messages at random from the remaining 42. She sends them to Alice.*E*_{A}(*M*_{n})

**(9)**Alice decrypts the messages with her private key to reveal her hand.*D*_{A}(*E*_{A}(*M*_{n})) =*M*_{n}

**(10)**At the end of the game Alice, Bob, and Carol all reveal their hands and all of their keys so that everyone can make sure that no one has cheated.

Additional cards can be dealt in the same manner. If Bob or Carol wants a card, either one can take the encrypted deck and go through the protocol with Alice. If Alice wants a card, whoever currently has the deck sends her a random card.

Previous | Table of Contents | Next |