CS255: Cryptography and Computer Security Winter 1998
Due: Friday Mar 13, 1997
Written Assignment - Extra Credit Question. You don't have to answer it !
Citizens of the island of Kafku (in the south pacific) adopted a bizarre
voting scheme. Each citizen's vote v(i) is a bit (either zero or one). To decide which of
the two competing parties wins the election the election committee computes
v(Alice) xor v(Bob) xor .... xor v(Zorba)
The result identifies the winning party. The individual votes must remain secret. The inhabitants of the island of Kafku are famous for their mental calculation powers as well as their total unwillingness to use paper. They agreed to use the following protocol:
On election day the election committee announces certain information (public key) using the loud speaker system.
Alice decides on her vote. She then tells Bob some value, A, based on her vote, A=F(1,v(Alice)). To keep her vote secret the value A should not reveal her vote to Bob.
Bob decides on his vote. He computes some function of his vote and the value he received from Alice, B=F(A,v(Bob)). He tells the result, B, to Charlie.
This process continues until Zorba computes the final value, Z=F(Y,v(Zorba)). He then gives the result, Z, to the representative of the election committee (who is not a citizen of the Island).
The representative uses some secret information known only to her to determine the outcome of the election.
Design the cryptographic mechanism to enable the denizens of Kafku to carry out the election while not revealing their private votes. Base the security of your mechanism on the hardness of distinguishing quadratic residues modulo a composite from non-residues with Jacobi symbol +1. You must describe the public key published on election day as well as the function F(x,y) used by the inhabitants.
This is an example of a private computation: a number of parties wish to compute a function of certain private values. The results of the computation should be made public, however no other information should be revealed about the private inputs. Another example of such a computation is the billionaires problem: two billionaires wish to decide who is richer without revealing their wealth. The solution to the billionaires problem is much harder. In general, it has been shown that (in principal) any function can be computed privately.
In this assignment, you need to implement a client-server application that handles electronic money. Once again we use the spellchecker. However now the client needs to pay the spellchecker for the services. The client will send words to the server who will spellcheck them and reply to the client with the result. The server will charge the client according to the number (and length) of the words it spellchecked.
The main security requirements are as follows: the client should be assured that the server cannot over charge. That is, the server should not be able to claim that the client spell checked words it did not. The server should be able to prove (to a judge) that the client indeed spell checked as many words as it did.
You will work with more or less the same skeleton client and server programs as you did
in the first programming assignment. The client is still the same, the server has an added
cleanup routine which is called when you try to kill it by pressing ctrl-C or using 'kill
-2 processid'. Your job is to modify the client and server to add the money exchange
functionality. You are strongly encouraged to work in pairs for this
assignment. There will be no difference in the grading standard if you choose to work
The directory /afs/ir/class/cs255/p2 on the Leland machines contains all the files you will need. They are:
Copy these files to your directory and run make to create spellc and spelld.
And you can check these in the same manner as you did in case of assignment 1. When you
quit the spelld by pressing ctrl-C the server should print Server terminating..
What You Need To Do
You will maintain the current interface for spellc and spelld. You need not and should not change any of the code in the main() functions. You will add provisions for money exchange. You will have to change the init security() and process() functions both in spellc and spelld, plus the function cleanup() in the server spelld. cleanup() will print how much money the client used.
The client pays for spell checking services using tokens of various denominations. To avoid the need for a client signature on each spellchecking request, token lists are stored as stalks (see below). Spending a token amounts to revealing an element on the stalk. To implement coins of different denominations we use multiple stalks. Each stalk holds coins of a single denomination.
The implementation will require you to use signatures, one-way hash and MACs (for integrity).
The server must store the client's signature on SN to validate the hash chain (stalk). This is the only signature the server needs to store. There is no need for the client to generate a signature for each spell checking request. Note that without the client's signature on SN this mechanism can be easily defeated by both the server and client.
Assuming h() is a one-way hash function, the server cannot recover SN-1 from SN unless the client hands SN-1 to it. Consequently, the client is assured that the server cannot falsely claim the client spent more tokens than it did. Conversely, possession of SN-k (and the client's signature on SN) can be used by the server to prove (to a judge) that the client spent k tokens.
Rates and Denominations
The cost of spellchecking a word is equal to the number of characters in the word. And we will use tokens of different denominations 1, 5 and 10 units. So in order to check the word disambiguate, the client will have to pay 12 units which he will pay by sending one token of denomination 10 units and 2 of denomination 1 unit.
Your client should begin with a total credit of 1000 units beings divided as 50 tokens of 1 unit, 50 tokens of 5 units and 70 tokens of 10 units. Every once in a while, the client will run out of the small denomination tokens, and so it will need to exchange the 10 unit tokens for tokens of smaller denomination. You need to decide the exchange protocol to get this done. The client may communicate with the server for this exchange.
The client is sending the server the word and an element in the hash chain. If the hash chain element is corrupted, the server ignores the request. However, if some intruder corrupts the word in transit, the server will charge the client for a word which the client was not interested in. Hence, to preserve the integrity of the message you need to append a MAC to it. The MAC can be generated using the session-key exchanged between the server and client during session startup.
The way the system works is as follows:
You need to decide on the message formats and the protocol for exchanging different
denominations (i.e. exchanging a 10 unit token with 10 single unit tokens).
How You Should Do It
There are three steps to making the source code changes you need to make. The first step is to decide (at a high level) what cryptographic algorithms and what security protocols you will use. You have considerable freedom in this matter. The only restriction is that your algorithms/protocols must not require a third-party. You may reuse your code from the first programming assignment.
Having decided what schemes you will use, the next step will be to fix the details of the protocols. You will also need to design the message formats and the protocol flows to support your schemes.
Finally, you will need to implement your schemes and your implementation is subject to certain constraints:
Again you have full access to the cryptolibrary. Do not use other crypto toolkits
available on the Web. In addition to coding, you will also need to submit a writeup. The
writeup should consist of three parts corresponding to the three design phases described
above. It should describe the algorithms and protocols that you used and provide a
justification for your choices. In addition, it should provide a description the message
formats and flows that you actually implemented. This description needs to be detailed
enough to allow someone to independently implement spelld and have it work with your
spellc (or vice versa). Note that your writeup must be in plain ascii text format.
Put your source code (spell.h, spellc.c, spelld.c) and your writeup (writeup.txt) in a
directory called ,/cs255 handin/p2. Make sure that this directory is readable by the
course staff. If you are on AFS, give the group "cs255-admins" access using the
% fs sa , cs255-admins lr
% fs sa ,/cs255 handin cs255-admins all
% fs sa ,/cs255 handin/p1 cs255-admins all
When you have done this, send email to email@example.com providing us with your (and your partner's) names, leland logins, and Stanford ID numbers. (Only one partner needs to send email.)