Consider the following protocol for two parties to flip a fair coin:
- Trusted party $T$ publishes her public key $p_k$
- A chooses a random bit $b_A$, encrypts it under $p_k$, and announces the ciphertext $c_A$ to $B$ and $T$
- $B$ does the same and announces a ciphertext $c_B$
- $T$ decrypts $c_A$ and $c_B$, and announces the results. Both parties XOR the results to obtain the random value $b_A \oplus b_B$.
Suggest what type of encryption scheme would be appropriate to prevent $B$ from cheating.
I would say that an appropriate scheme to use here would be Cramer-Shoup or RSA+OAEP. How can we define an appropriate notion of security and prove that it achieves this definition?
