Score:1

Mathematical formulation for a cryptosystem

cd flag

I will try to define easily the cryptographic system of this paper. The author designs a communication game for $N$ players. The private information of every player is denoted as $t_i\in T_i$ and represents the type of player $i$. The encryption system that the players use to communicate is based in the following reporting correspondences.

$\textbf{Reporting correspondences:}$ Let $\mathcal{R}_i$ be a non-empty, finite set and define the reporting correspondence $R_i : T_i\to 2^{\mathcal{R}_i}-\{\emptyset\}$ to be a mapping from player $i$’s type space to the collection of subsets of $\mathcal{R}_i$. An element $r\in\mathcal{R}_i$ is called a type-dependent message and $R_i(t_i)$ is the set of type-dependent messages available to type $t_i$ of player $i$. Type-dependent messages certify a player’s statement about his type. For example, if $S\in T_i$ is the set of types of player $i$ who can send the message $r\in R_i$, then $r$ certifies a statement of the type “my type is in $S$”. The set $S$ is therefore called a certifiable event.

$\textbf{Certifiability Configurations:}$ Let $E_i\subseteq 2^{T_i}-\{\emptyset\}$ be a set of subsets of $T_i$ that is closed under intersection. A certifiability configuration is an $N$-tuple of particular reporting correspondences $C_i:T_i\to E_i$ for every $i = 1, ..., N$, with $$C_i(t_i)=\{e_i\in E_i|t_i\in e_i\},\quad\text{$\forall t_i\in T_i$} $$

These reporting correspondences have two very useful properties. First, each message is identical to the event that it certifies. Second, any event that is certifiable by a combination of messages in $C_i(t_i)$ is also included in the set.

Let $R=(R_i)_{i\in I}$ be an arbitrary profile of reporting correspondences, and for every player $i\in I$, let $E_i^R$ denote the smallest set that contains $\{R^{-1}(r_i)|r_i\in \mathcal{R}_i\}$ andd is closed under intersection. $E_i^R$ is the set of all events that player $i$ can certify with $R_i$. The profile $R$ can be uniquely associated with a certifiability configuration $C_R=(C_i^R)_{i\in I}$, where $$C_i^R(t_i)=\{e_i\in E_i^R|t_i\in e_i\}$$

The certifiability configuration $C_i^R$ of $R$ expresses the certifiable information explicitly as events in a player’s type space.

$\textbf{Encryption:}$ Let $C=(C_i)_{i\in I}$ be a certifiability configuration. If verifiable information is encrypted, for every $i\in I$, every certifiable event $e_i\in E_i$ is encoded using a cryptographic algorithm, called a cipher. A cipher is a mapping $ρ_i: E_i × Y_i → X_i$ that has as inputs the private information $e_i$ and a piece of additional information $y_i\in Y_i$, called the key, and produces as output a code $x_i\in X_i$. It is assumed that the set of keys $Y_i$ is sufficiently large, i.e. $|Y_i| ≥ |E_i|$, and that for each $y_i\in Y_i$ the mapping $ρ(\cdot, y_i)$ is bijective, so that every pair $(x_i, y_i)$ is associated with exactly one certifiable event $e_i$. When a player’s information is encrypted, his type-dependent messages are pairs consisting of a piece of code and a key. At the time when players learn their types, nature chooses publicly a cipher $ρ_i$ for player $i\in I$ and a private key $y_i$ uniformly from the set $Y_i$. Player $i$’s reporting correspondence is then given by

$$\hat{R}_i(t_i,y_i)=\{(x_i, y_i)|x_i=ρ_i(e_i, y_i), e_i\in C_i(t_i)\}$$

One natural interpretation of messages in $R_i$ is as pieces of encrypted evidence regarding player $i$’s type, provided by a trusted third party which uses a publicly known cipher and a private key to encrypt the information. Note that if $C=C^R$, then the profiles $R(\cdot)=(R_i(\cdot))_{i\in I}$ and $\hat{R}(\cdot,y)=(\hat{R}_i(\cdot,y_i))_{i\in I}$ have a common certifiability configuration for every combination of keys $y\in(Y_i)_{i\in I}$

Let $E^R=(E_i^R)_{i\in I}$ be the profile of sets of events that are certifiable with $R$. The set $E_i^R$ is finite, so that all its elements may be labeled in an arbitrary order with an index from $1$ to some positive integer $n_i$. Each certifiable event can then be associated with its index, i.e., a number in the set $\{1,...,n_i\}$. I will write $z_i(e_i)$ to refer to the number representing the event $e_i$ and, by a slight abuse of notation, I will write $e_i(z_i)$ to refer to the event whose index is equal to $z_i$.

The following lemma is needed

$\textbf{Lemma:}$ If $z_i$ is a random variable with support on $\{1,...,n_i\}$ and $y_i$ is uniformly distributed over $\{1,...,n_i\}$ independent of $z_i$, then the random variable $x_i$ defined by $x_i=z_i−y_i(mod{n}_i)$ is also uniformly distributed over $\{1,...,n_i\}$.

Here, $z_i$ represents a certifiable event, $y_i$ represents a key, and $x_i$ is the code generated by the cipher $ρ_i(e_i,y_i)=z_i(e_i)−y_i(mod{n}_i)$. Now, suppose player $i$’s private information is encrypted and his reporting correspondence is

$$\hat{R}_i(t_i,y_i)=\{(x_i, y_i)|x_i=z_i(e_i)−y_i(mod{n}_i), e_i\in C_i(t_i)\}$$

so that player $i$ can send a pair $(x_i,y_i)$ if the event $e_i$ represented by $z_i=x_i+y_i(mod{n}i)$ is in $C_i^R(t_i)$. The certifiability configuration generated in this way is identical to the certifiability configuration of $R$: if only types of player $i$ who can certify $e_i$ with $R_i$ can send a pair $(x_i, y_i)$ that satisfies $z_i=x_i+y_i(mod{n}_i)$, then sending such a pair is the same as certifying $e_i$. By Lemma $1$, both $x_i$ and $y_i$ are uniformly distributed over $\{1,...,n_i\}$, and thus, individually, $x_i$ and $y_i$ contain no information about $e_i$.

$\textbf{Question:}$ If we assume that in the case of the above mathematical structure the cipher that is defined as bijective where every pair $(x_i,y_i)$ refers to a linear equation such that $h(x)=ax+b$, $b=e_i$. If two players know $(x_i,y_i)$ the can combine them and take what it misses to them so as $x_i+y_i(nod{n}_i)=z_i(e_i)\quad\text{or $e_i(z_i)$}$. Hence in case we take for $h$ a polynomial of degree $t<2N$ such that

$$h(x)=a_tx^t+a_{t-1}x^{t-1}+\cdots+a_1x+a_0,\quad\text{where $a_0=e_i(z_i)$}$$

what is the equivalent representation of $\rho_i$, where know they are needed $t+1$ pairs to calculate $h(x)$ with constant term $e_i(z_i)$ (which in essence means that $t+1$ pair $(x_i,y_i)$ are associated with only one $e_i$ (bijective))?

In other words the question changes in the equivalent one that says: "Could anybody help in a simple polynomial representation of the cipher $\rho_i$"?

$\textbf{Hint:}$ With a slight abuse of notation I think the author uses $\{1,...,n_i\}$ instead of $\{0,1,...,n_i-1\}$.

Nav89 avatar
cd flag
@kelalaka this is one cryptosystem that I think it suits in my previous question fully. So, I write this here...
Nav89 avatar
cd flag
P.s. I know that all these questions are hard to be answered but whoever answers one or some of them, I will vote up. I just want answers. No problem if someone could help in answering just one of them. I would appreciate any help! Thank you in advance!
Nav89 avatar
cd flag
i think I must change my questions from many to one
Hunger Learn avatar
ua flag
Wll it seems to me that you wrote the whole model to get an answer for this question https://math.stackexchange.com/questions/4355406/if-we-re-define-this-function-could-it-be-bijective?noredirect=1#comment9096449_4355406 right?
Nav89 avatar
cd flag
well, it is not that simple. I am giving an example above as you can see. I would like to know if I can define a cipher with 3 keys and 3 codes for example so us the pairs $(x_{i,1},y_{i,1})$, $(x_{i,2},y_{i,2})$ and $(x_{i,3},y_{i,3})$ are associated with one $t_i$ as I have already mentioned...something like $\rho_i(t_i,y_{i,1},y_{i,2},y_{i,3})=\text{calculation of $x_{i,1}$, $x_{i,2}$ and $x_{i,3}$}$ so as the message will be decrypted like it follows $$x_{i}\oplus y_{i}=(x_{i.1}+y_{i,2})+(x_{i.2}+y_{i,2})+(x_{i.3}+ y_{i,3}) (mod{n}_i)=z_i(e_i)$$ or something like this...
Nav89 avatar
cd flag
@kelalaka you want me to delete this one or the other that I have posted there?
Nav89 avatar
cd flag
@kelalaka ok I kept this one...
Nav89 avatar
cd flag
Anything else? :)
Nav89 avatar
cd flag
Anyway...the reporting correspondences have always this formulation? $$\hat{R}_i(t_i,y_i)=\{(x_i, y_i)|x_i=z_i(e_i)-y_i(mod{n}_i), e_i\in C_i(t_i)\}$$ where you obtain the information that you want by just adding the code and the key? Is this a universal scheme? $z_i(e_i)=x_i+y_i(mod{n}_i)$
Nav89 avatar
cd flag
question changed again...anyone could help in a simple polynomial representation of the cipher $\rho_i$?
Score:1
ua flag

Well just a thought...in case the cipher takes more valeus as keys or codes doesnt this mean that you arw working in a scheme where the BGW protocols are applied? Namely with one key and one code it means that you have a lienar mapping for the cihper $\rho_i$ however when you have more points then you work with polynomials. If this is the case you can hust generalize the scheme working for polynomial ciphers and then this may preserve the properties that you want and this is the new mechanism.

P.s. A generalization of BGW Protocol proof if any could help you with the maths and the definitions...

I can tag some people who are awae with such schemes, but change if you want the question like if the BGW protocol could be applied somehow in this scheme...for the many codes and keys that will be nothing more or less than pairs of the random polynomial cipher $\rho_i$ that will be given to the players so as none could learn $e_i$ by her own but they must further make some calculations. Furthermore, if a player leanrs $e_i$ in fact he does not lear $t_i$, becasue as you see $t_i\in e_i$, which means that it is informative enough but does not give presicely $t_i$ maybe it contains some noise or something like that.

Nav89 avatar
cd flag
good thought but do we know that for every polynomial of degree $k$ for instance we have $k$ pairs $(x_i,y_i)$ that uniquely determine the polynomial $f$ with constant term the information $e_i$? Because if this is the case, the bijective assumption about $\rho_i$ remains
Nav89 avatar
cd flag
after your comment I think that this is the exact point. I will redefine my question now
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.