How to coinflip over the telephone

Sunday, November 30, 2008

In telecommunications and cryptography, the following algorithm can be used:

1. Party A chooses two large primes, either both congruent to 1, or both congruent to 3, mod 4, called p and q, and produces N = pq; then N is communicated to party B, but p and q are not. It follows N will be congruent to 1 mod 4. The primes should be chosen large enough that factoring of N is not computationally feasible. The exact size will depend on how much time party B is to be given to make the choice in the next step, and on party B's expected resources.
2. Party B calls either "1" or "3", a claim as to the mod 4 status of p and q. For example, if p and q are congruent to 1 mod 4, and B called "3", B loses the toss.
3. Party A produces the primes, making the outcome of the toss obvious; party B can easily multiply them to check that A is being truthful.