Merkle Puzzles Revisited (Transcript of Discussion)
I’m going to break with tradition and talk about an actual security protocol. This is a small part of a problem which arose in the context of something that David Wheeler and I were looking at, and we didn’t think anyone else had written about it.

The setting for the problem is that A and B each have a table of bit strings. There don’t have to be the same number of strings in each table, but it’s simpler to explain in the case where they do. The bit strings don’t all have to be the same length either, but again it’s conceptually easier if they do. So N is the number of bit strings in each table, and each bit string is n bits long. And there is a certain number k of collisions between the tables. By a collision I mean a bit string that is in both tables, although it may be in a different place in each table.

Now A and B want to discover all the collisions between their tables. It may be that they know a priori that there is exactly one collision and they just want to find out what it is. It may be that it’s possible that there are no collisions, and they want to know that there aren’t any. (This is sometimes the case with the original Merkle key agreement protocol.) Or it may be that there are lots of collisions and they want to find all of them. (If you’re doing digital money and you’re trying to put watermarks in digital money in such a way that no-one can cheat, then very often you know that there is a number of collisions that’s reasonably large, of the order of the square root of the number of things in the table.)

For technical reasons which will become apparent later, we assume that the proportion of collisions is small, that k is small relative to N / log₂ N. But it suffices for this if k is of order √N. We assume that the bit strings are randomly distributed. If they’re not, then just put them through a random hash function and use the values of the random hash function instead of the original bit strings.
And we assume that the bit strings are long enough that different bit strings can actually be distinguished. So n > log₂ N. Again, that’s a technical assumption that you can get rid of if you want, by using encoding rules.

The classic application of this is the Merkle key agreement protocol. Here you have some value c that’s publicly agreed but that can’t be predicted in advance by an adversary. Then A and B each pick a few thousand random values r_i and form a table of the values h(c | r_i). They take the (lexically) first collision in their table as being the key that’s agreed. The adversary will have to do on the order of a million computations rather than on the order of a few thousand to obtain the key. You can scale this up so that you’re talking about 2^30 and 2^60