jointly create a random value for corrupted party

Max relf at unn.ac.ru
Sun Jul 17 15:36:38 EDT 2005


Anna Rikova wrote:

> maybe this is a silly question, but at the moment I
> don't know how to solve it. Assume there are 4 parties
> A,B,C,D. Now the parties B,C,D want to create a random
> value r for A, so that each party B,C,D can verify
> afterwards, that A uses indeed the random value r, but
> doesn't know the value of r.

> I thought of the following solution, but it has a
> problem:
> Each party I \in{B,C,D} broadcasts a value g^{r_i} mod
> p, where r_i is random, p is a large prime and g is a
> generator. After that each party sends to A the value
> r_i secretly. After that A can compute:
> r= r_B + r_C + r_D. If A then uses this value in the
> form of g^r everyone can verify that A uses every r_i
> in g^r.

What does it mean "A uses this value in the form of g^r"?
A uses r not g^r, doesn't it?
This is a weak point: from A's use of r every party should be able to compute g^r mod p with no knowledge of r.
I assume you know how to organize that.

> This scheme has one problem (at least I think so): The
> parties B,C wait till D broadcasts her value g^{r_D}.
> Then they choose their values r_B and r_C so that g^r
> has a special characteristic e.g. the last bit of g^r
> is zero. Then r is not randomly distributed in Z_p,
> because only values are allowed for r which yield
> g^r with last bit zero.

What about the following modification?

Each party i\in{B,C,D} sends to A the value of r_i secretly.
Upon receiving all three values A broadcasts
q_1=g^{r_B} mod p, q_2=g^{r_C} mod p, q_3=g^{r_D} mod p.
The party i then verifies that the value r_i was used to produce one of q_1, q_2, q_3.
From A's use of r every party computes g^r mod p and verifies that g^r = q_1*q_2*q_3.

Max
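
The modified exchange above, simulated as an added example that is not part of the thread: B, C, D send shares r_i to A, A publishes q_i = g^{r_i}, each party checks its share appears among the q_i, and everyone checks g^r against the product. The modulus p, base g and the three-party setup are constructed toy parameters, far too small for real use.

```python
import secrets

# Constructed toy parameters (assumed, not from the thread): a prime modulus
# and a base.  The product check below holds for any g, so g need not be a
# generator for the arithmetic to go through.
P = 2**127 - 1   # Mersenne prime, toy modulus
G = 3            # assumed base

def choose_share(p=P):
    """Party i in {B, C, D} picks a random exponent r_i in [1, p-2]."""
    return 1 + secrets.randbelow(p - 2)

def dealer_publish(shares, p=P, g=G):
    """A, having received every r_i secretly, broadcasts q_i = g^{r_i} mod p
    for each share and keeps r = r_B + r_C + r_D private.
    Exponents live modulo the group order p-1, so the sum is reduced there."""
    qs = [pow(g, r_i, p) for r_i in shares]
    r = sum(shares) % (p - 1)
    return qs, r

def party_verifies(r_i, qs, p=P, g=G):
    """Party i's check: its own share must have produced one of the q_i."""
    return pow(g, r_i, p) in qs

def everyone_verifies(g_r, qs, p=P):
    """Public check: g^r recovered from A's use of r must equal
    q_1 * q_2 * q_3 mod p, i.e. g^{r_B} * g^{r_C} * g^{r_D}."""
    prod = 1
    for q in qs:
        prod = prod * q % p
    return g_r == prod

def run_protocol(shares, p=P, g=G):
    """Honest run: every per-party check and the public product check pass."""
    qs, r = dealer_publish(shares, p, g)
    ok_parties = all(party_verifies(r_i, qs, p, g) for r_i in shares)
    ok_product = everyone_verifies(pow(g, r, p), qs, p)
    return ok_parties and ok_product

def detect_dropped_share(shares, p=P, g=G):
    """An A that silently ignores the last party's share is caught: that
    party's g^{r_i} is missing from the published q's, so its check fails."""
    qs, _ = dealer_publish(shares[:-1], p, g)
    return party_verifies(shares[-1], qs, p, g)
```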

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com