commca-devel Mailing List for CommCA
Status: Planning
Brought to you by:
wrenhunt1
From: J. W. H. <wre...@fm...> - 2005-07-20 12:53:18
> Assume there are 4 parties
> A,B,C,D. Now the parties B,C,D want to create a random
> value r for A, so that each party B,C,D can verify
> afterwards, that A uses indeed the random value r, but
> doesn't know the value of r.
> I thought of the following solution, but it has a
> problem:
> Each party I \in{B,C,D} broadcasts a value g^{r_i} mod
> p, where r_i is random, p is a large prime and g is a
> generator. After that each party sends to A the value
> r_i secretly. After that A can compute:
> r= r_B + r_C + r_D. If A then uses this value in the
> form of g^r everyone can verify that A uses every r_i
> in g^r.

What does it mean "A uses this value in the form of g^r"? A uses r not g^r, doesn't it? This is a weak point: from A's use of r every party should be able to compute g^r mod p with no knowledge of r. I assume you know how to organize that.

> This scheme has one problem (at least I think so): The
> parties B,C wait till D broadcasts her value g^{r_D}.
> Then they choose their values r_B and r_C so that g^r
> has a special characteristic e.g. the last bit of g^r
> is zero. Then r is not randomly distributed in Z_p,
> cause only values are allowed for r, which yield to
> g^r with last bit zero.

What about the following modification? Each party i\in{B,C,D} sends to A the value of r_i secretly. Upon receiving all three values A broadcasts q_1=g^{r_B} mod p, q_2=g^{r_C} mod p, q_3=g^{r_D} mod p. The party i then verifies that the value r_i was used to produce one of q_1, q_2, q_3. From A's use of r every party computes g^r mod p and verifies that g^r=q1*q2*q3.
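The two checks in the modification proposed above can be exercised as follows. This is an added example, not code from the original message or from CommCA. It assumes toy parameters (a 127-bit Mersenne prime `P`, base `G = 3` not checked to be a generator), hypothetical function names, and that g^r is already available to the verifiers, which the message leaves open.

```python
import secrets

# Toy parameters (assumptions for this example, not from the message).
P = 2**127 - 1   # a Mersenne prime; real use needs a vetted group
G = 3            # illustrative base; not verified to be a generator

def contribute():
    """Party i picks r_i and sends it to A over a private channel."""
    return secrets.randbelow(P - 2) + 1

def a_broadcast(shares):
    """A publishes q_i = g^{r_i} mod p for every share it holds."""
    return [pow(G, r_i, P) for r_i in shares]

def party_check(r_i, broadcast):
    """Party i confirms its own r_i produced one of the broadcast q values."""
    return pow(G, r_i, P) in broadcast

def product_check(g_r, broadcast):
    """Every party confirms g^r == q_1 * q_2 * q_3 mod p."""
    prod = 1
    for q in broadcast:
        prod = prod * q % P
    return g_r == prod

def run(shares, tamper_share=False, tamper_r=False):
    """One protocol run; returns (per-party results, product result).

    tamper_share: A replaces the first party's share before broadcasting.
    tamper_r:     A broadcasts honestly but then uses a different r.
    """
    used = list(shares)
    if tamper_share:
        used[0] = (used[0] + 1) % (P - 1)
    broadcast = a_broadcast(used)
    r = sum(used) % (P - 1)          # exponents reduce mod p-1
    if tamper_r:
        r = (r + 1) % (P - 1)
    g_r = pow(G, r, P)               # stand-in for "g^r derived from A's use of r"
    return [party_check(s, broadcast) for s in shares], product_check(g_r, broadcast)

if __name__ == "__main__":
    shares = [contribute() for _ in range(3)]
    print("honest:        ", run(shares))
    print("share replaced:", run(shares, tamper_share=True))
    print("r replaced:    ", run(shares, tamper_r=True))
```

A replaced share passes the product check and is caught only by that party's own check, while a changed r passes every per-party check and is caught only by the product check, so both are needed.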