[17919] in cryptography@c2.net mail archive


jointly create a random value for corrupted party

daemon@ATHENA.MIT.EDU (Anna Rikova)
Sat Jul 16 17:16:03 2005

X-Original-To: cryptography@metzdowd.com
Date: Fri, 15 Jul 2005 17:01:30 -0700 (PDT)
From: Anna Rikova <annarikova@yahoo.com>
To: cryptography@metzdowd.com

Hi,

maybe this is a silly question, but at the moment I
don't know how to solve it. Assume there are 4 parties
A,B,C,D. Now the parties B,C,D want to create a random
value r for A, so that each party B,C,D can verify
afterwards, that A uses indeed the random value r, but
doesn't know the value of r.
I thought of the following solution, but it has a
problem:
Each party I \in{B,C,D} broadcasts a value g^{r_i} mod
p, where r_i is random, p is a large prime and g is a
generator. After that each party sends to A the value
r_i secretly. After that A can compute:
r= r_B + r_C + r_D. If A then uses this value in the
form of g^r everyone can verify that A uses every r_i
in g^r.

This scheme has one problem (at least I think so): The
parties B,C wait till D broadcasts her value g^{r_D}.
Then they choose their values r_B and r_C so that g^r
has a special characteristic e.g. the last bit of g^r
is zero. Then r is not randomly distributed in Z_p,
cause only values are allowed for r, which yield to
g^r with last bit zero.

What can I do against this? I assume there are
protocols to solve this problem.

Thanks in advance,
Anna 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
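
The scheme and the bias described in the message above, as an added Python simulation that is not part of the original post. The toy parameters p = 1019 and g = 2, the function names, and the reduction of exponents modulo p - 1 are assumptions made for this example.

```python
import secrets

# Toy parameters, constructed for this example (far too small for real use).
P = 1019        # prime modulus p
G = 2           # generator g of the multiplicative group mod p
ORDER = P - 1   # exponents are reduced modulo the group order

def publish(r_i):
    """The value a party broadcasts: g^{r_i} mod p."""
    return pow(G, r_i, P)

def verify(used_value, broadcasts):
    """Anyone can check A's g^r against the product of the broadcasts."""
    expected = 1
    for b in broadcasts:
        expected = expected * b % P
    return used_value == expected

def honest_round():
    """B, C and D each pick r_i independently of the others."""
    return [secrets.randbelow(ORDER) for _ in "BCD"]

def late_chooser_round():
    """One party waits for the other broadcasts, then retries its own r_i
    until the last bit of g^r is zero (the problem described in the post)."""
    r_first, r_second = secrets.randbelow(ORDER), secrets.randbelow(ORDER)
    seen = publish(r_first) * publish(r_second) % P
    while True:
        r_late = secrets.randbelow(ORDER)
        if (seen * publish(r_late) % P) % 2 == 0:
            return [r_first, r_second, r_late]

def even_fraction(round_fn, trials=2000):
    """Fraction of runs in which g^r has last bit zero; every run must verify."""
    even = 0
    for _ in range(trials):
        shares = round_fn()
        value = pow(G, sum(shares) % ORDER, P)   # what A computes and uses
        if not verify(value, [publish(s) for s in shares]):
            raise RuntimeError("verification failed")
        even += value % 2 == 0
    return even / trials

if __name__ == "__main__":
    print("independent choices:", even_fraction(honest_round))
    print("late chooser:       ", even_fraction(late_chooser_round))
```

Every run passes the public check, so the verification step alone does not reveal that a share was chosen after seeing the others.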
