1

Alice and Bob are playing Rock-paper-scissors.

Alice chooses $a \leftarrow\{stone, paper, scissors\}$ and a nonce $R_A$ used as symmetric key for encryption

$$A → B : A, R_A(a)$$

Bob chooses $b \leftarrow\{stone,paper, scissors\}$ and nonce $R_B$

$$B → A : B, R_B(b)$$

$$A → B : A, R_A$$

Now Bob decodes $R_A(a)$ and knows a and so he knows who is the winner

$$B → A : B, R_B$$

Now Alice decodes $R_B(b)$ and knows $b$ and so he knows who is the winner

What are the possible fraudulent behaviours the players could engage in?

mikeazo
  • 38,563
  • 8
  • 112
  • 180
user11818
  • 11
  • 1
  • 2
    What do you mean by the second $A$ in A -> B : **A**,R_A? (actually I'm not sure I got the entire notation right, so please add a note explaining that) Also take a look at commitment schemes. – rath Feb 04 '14 at 19:06
  • 2
    What do you think? What have you tried? We prefer you to make an effort on your own before asking. This is a nice exercise, but we're not here to solve your exercises for you -- on the other hand, if you have a specific question about a specific aspect of your attempt at a solution, that might be more suitable for this site. – D.W. Feb 04 '14 at 19:19
  • If you want to do some research in this area, look for "cryptographical commitment". – poncho Feb 04 '14 at 19:33
  • @rath The second A is a label, the name of the sender. – user11818 Feb 04 '14 at 20:36
  • 1
    Let's assume that the lengths of the 3 option are the same. When Bob receives the encrypted value of Alice, could he send a value b such that he always wins? – user11818 Feb 04 '14 at 20:41
  • I try to answer. In the last step Bob can send Rb1 instead of Rb such that the decrypted value of Rb(b) is a winner value. – user11818 Feb 04 '14 at 21:17
  • If encryption is done properly, Bob cannot figure out an Rb1 that will decrypt to something intelligible. – mikeazo Feb 04 '14 at 23:25
  • One of the basic problems: Bob knows the result before Alice. If he realizes he has lost, he can just spot the protocol and Alice is left hanging. Otherwise it looks just like a normal game with commitments. – tylo Feb 06 '14 at 12:37
  • Outside the rules of the game, a player may engage fraudulent activities (side-channel). For instance, Bob may have installed webcam at Alice's and therefore know all Alice's choices in advance. – user4982 Apr 06 '14 at 14:11
  • Bob can force a draw by sending the same value as Alice. – CodesInChaos Apr 07 '14 at 17:07

2 Answers2

1

You don't specify your encryption method. To show you why that is important, I'm going to pick a really bad one. Let's say we use a stream cipher to encrypt. "stone" and "paper" have the same length, so we are good there, but "scissors" is longer. So, if Alice chooses "scissors", Bob can see the ciphertext length and know what she picked and choose "stone". Therefore, if Alice chooses "scissors", Bob always wins.

If you pick your encryption method so that the ciphertext lengths are always the same, this attack is mitigated.

Bob, once he knows whether or not he wins, could refuse to send $R_B$.

The major flaw, however, is, even if you pick a really good encryption method (say AES-CBC with a fixed length size), you are doing nothing for integrity checking when integrity is really the primary concern here.

The proper way to do this would be to have Alice and Bob each publish a commitment to their choice. Then they open the commitment publicly. This could be done, for example, with HMAC. Choose a random key $k$ and publish $HMAC(k,m)$ where $m$ is the choice. Once both have done this, they can each publish $m,k$. That way they can verify that the choice hasn't changed.

mikeazo
  • 38,563
  • 8
  • 112
  • 180
  • 1
    Ok, I understand why it is important to specify the encryption method but maybe the question is more general because later there is another question that asks how to improve the reliability without asking the help of a trusted third party. – user11818 Feb 04 '14 at 20:46
  • @user11818 updated. You have got to remember, we have no idea who you are. For all I know you know nothing about encryption, which is why I pointed out the obvious problem of using a really bad encryption method. – mikeazo Feb 05 '14 at 13:47
1

If Alice and Bob use XOR, then Bob can win in every game. For example, Bob select "paper", Alice select "sciss" (let length will be same). After decryption, Bob realize he lost. Then he send to Alice as a key "paper"^Rb^"stone". After XORing Alice finds "stone", so she will think, she lost.

neverwalkaloner
  • 410
  • 6
  • 11