2

In trying to implement mental poker, can all players agree on a standard set of 52 points on the curve corresponding to each card, and then to "encrypt" a card you just multiply it by a scalar which is your encryption key? (and to decrypt, multiply by the scalar's inverse modulo the group size)

dspyz
  • 167
  • 5

1 Answer

2

This works, as long as the 52 points are chosen such that their discrete logs w.r.t. each other are unknowable.

E.g. if $5♠$ is point $P$, and $6♦$ is point $Q$, and your encryption scalar is $x$, then you could encrypt $5♠$ using $P' = xP$. Now, if you know $y=P/Q$, then you could pretend you had encrypted $6♦$ instead of $5♠$ by declaring your encryption key as $z=xy$, because $z^{-1}P'=(xy)^{-1}P'=(xP/Q)^{-1}P'=(xP/Q)^{-1}xP=(Q/xP)xP=Q$

I'd recommend you use a hash-to-curve method to produce the point $P$ by hashing the string $5♠$. The discrete logs of hash-to-curve points with respect to other curve points are unknowable.

In contrast, it would be catastrophic if you'd chosen points such that each point was a base point $G$ added to itself between 1 and 52 times, depending on the card.

Note that you would need to use a different encryption key every time you encrypt a card, to ensure that the same card encrypted twice (during different rounds) does not produce the same encrypted point each time.

knaccc
  • 4,880
  • 1
  • 18
  • 33