- Source: Socialist millionaire problem
In cryptography, the socialist millionaire problem is one in which two millionaires want to determine if their wealth is equal without disclosing any information about their riches to each other. It is a variant of the Millionaire's Problem whereby two millionaires wish to compare their riches to determine who has the most wealth without disclosing any information about their riches to each other.
It is often used as a cryptographic protocol that allows two parties to verify the identity of the remote party through the use of a shared secret, avoiding a man-in-the-middle attack without the inconvenience of manually comparing public key fingerprints through an outside channel. In effect, a relatively weak password/passphrase in natural language can be used.
Motivation
Alice and Bob have secret values
x
{\displaystyle x}
and
y
{\displaystyle y}
, respectively. Alice and Bob wish to learn if
x
=
y
{\displaystyle x=y}
without allowing either party to learn anything else about the other's secret value.
A passive attacker simply spying on the messages Alice and Bob exchange learns nothing about
x
{\displaystyle x}
and
y
{\displaystyle y}
, not even whether
x
=
y
{\displaystyle x=y}
.
Even if one of the parties is dishonest and deviates from the protocol, that person cannot learn anything more than if
x
=
y
{\displaystyle x=y}
.
An active attacker capable of arbitrarily interfering with Alice and Bob's communication (man-in-the-middle attack) cannot learn more than a passive attacker and cannot affect the outcome of the protocol other than to make it fail.
Therefore, the protocol can be used to authenticate whether two parties have the same secret information. Popular instant message cryptography package Off-the-Record Messaging uses the Socialist Millionaire protocol for authentication, in which the secrets
x
{\displaystyle x}
and
y
{\displaystyle y}
contain information about both parties' long-term authentication public keys as well as information entered by the users themselves.
Off-the-Record Messaging protocol
The protocol is based on group theory.
A group of prime order
p
{\displaystyle p}
and a generator
h
{\displaystyle h}
are agreed upon a priori, and in practice are generally fixed in a given implementation. For example, in the Off-the-Record Messaging protocol,
p
{\displaystyle p}
is a specific fixed 1,536-bit prime.
h
{\displaystyle h}
is then a generator of a prime-order subgroup of
(
Z
/
p
Z
)
∗
{\displaystyle (\mathbb {Z} /p\mathbb {Z} )^{*}}
, and all operations are performed modulo
p
{\displaystyle p}
, or in other words, in a subgroup of the multiplicative group,
(
Z
/
p
Z
)
∗
{\displaystyle (\mathbb {Z} /p\mathbb {Z} )^{*}}
.
By
⟨
h
|
a
,
b
⟩
{\displaystyle \langle h|a,\,b\rangle }
, denote the secure multiparty computation, Diffie–Hellman–Merkle key exchange, which, for the integers,
a
{\displaystyle a}
,
b
{\displaystyle b}
, returns
h
a
b
{\displaystyle h^{ab}}
to each party:
Alice calculates
h
a
{\displaystyle h^{a}}
and sends it to Bob, who then calculates
(
h
a
)
b
≡
h
a
b
{\displaystyle \left(h^{a}\right)^{b}\equiv h^{ab}}
.
Bob calculates
h
b
{\displaystyle h^{b}}
and sends it to Alice, who then calculates
(
h
b
)
a
≡
h
b
a
{\displaystyle \left(h^{b}\right)^{a}\equiv h^{ba}}
.
h
a
b
≡
h
b
a
{\displaystyle h^{ab}\equiv h^{ba}}
as multiplication in
(
Z
/
p
Z
)
∗
{\displaystyle (\mathbb {Z} /p\mathbb {Z} )^{*}}
is associative. Note that this procedure is insecure against man-in-the-middle attacks.
The socialist millionaire protocol only has a few steps that are not part of the above procedure, and the security of each relies on the difficulty of the discrete logarithm problem, just as the above does. All sent values also include zero-knowledge proofs that they were generated according to protocol.
Part of the security also relies on random secrets. However, as written below, the protocol is vulnerable to poisoning if Alice or Bob chooses any of
a
{\displaystyle a}
,
b
{\displaystyle b}
,
α
{\displaystyle \alpha }
, or
β
{\displaystyle \beta }
to be zero. To solve this problem, each party must check during the Diffie-Hellman exchanges that none of the
h
a
{\displaystyle h^{a}}
,
h
b
{\displaystyle h^{b}}
,
h
α
{\displaystyle h^{\alpha }}
, or
h
β
{\displaystyle h^{\beta }}
that they receive is equal to 1. It is also necessary to check that
P
a
≠
P
b
{\displaystyle P_{a}\neq P_{b}}
and
Q
a
≠
Q
b
{\displaystyle Q_{a}\neq Q_{b}}
.
Note that:
P
a
P
b
−
1
=
γ
r
γ
−
s
=
γ
r
−
s
=
h
α
β
(
r
−
s
)
{\displaystyle {\begin{aligned}P_{a}{P_{b}}^{-1}&=\gamma ^{r}\gamma ^{-s}=\gamma ^{r-s}\\&=h^{\alpha \beta (r-s)}\end{aligned}}}
and therefore
c
=
(
Q
a
Q
b
−
1
)
α
β
=
(
h
r
g
x
h
−
s
g
−
y
)
α
β
=
(
h
r
−
s
g
x
−
y
)
α
β
=
(
h
r
−
s
h
a
b
(
x
−
y
)
)
α
β
=
h
α
β
(
r
−
s
)
h
α
β
a
b
(
x
−
y
)
=
(
P
a
P
b
−
1
)
h
α
β
a
b
(
x
−
y
)
{\displaystyle {\begin{aligned}c&=\left(Q_{a}Q_{b}^{-1}\right)^{\alpha \beta }\\&=\left(h^{r}g^{x}h^{-s}g^{-y}\right)^{\alpha \beta }=\left(h^{r-s}g^{x-y}\right)^{\alpha \beta }\\&=\left(h^{r-s}h^{ab(x-y)}\right)^{\alpha \beta }=h^{\alpha \beta (r-s)}h^{\alpha \beta ab(x-y)}\\&=\left(P_{a}{P_{b}}^{-1}\right)h^{\alpha \beta ab(x-y)}\end{aligned}}}
.
Because of the random values stored in secret by the other party, neither party can force
c
{\displaystyle c}
and
P
a
P
b
−
1
{\displaystyle P_{a}{P_{b}}^{-1}}
to be equal unless
x
{\displaystyle x}
equals
y
{\displaystyle y}
, in which case
h
α
β
a
b
(
x
−
y
)
=
h
0
=
1
{\displaystyle h^{\alpha \beta ab(x-y)}=h^{0}=1}
. This proves correctness.
See also
Zero-knowledge proof
References
External links
Description of the OTR-Messaging Protocol version 2
Explain it like I’m Five: The Socialist Millionaire Problem and Secure Multi-Party Computation at the Wayback Machine (archived December 25, 2022)
Goldbug Messenger, which uses an implementation the Socialist Millionaire Protocol
Kata Kunci Pencarian:
- Socialist millionaire problem
- Yao's Millionaires' problem
- SMP
- 1904 United States presidential election
- Socialist Party of India (1955)
- Sahra Wagenknecht Alliance
- Scottish Socialist Party
- The Capitalist Manifesto: Why the Global Free Market Will Save the World
- Nicolae Ceaușescu
- Upton Sinclair
