6

I've been thinking about the following set-up involving three parties, Alice, Bob and Charlie:

  • Bob and Charlie decide among themselves who is going to receive a bit from Alice (perhaps by a coin toss).
  • Some protocol is then executed in which Alice transfers a bit to the decided-on person.

The protocol is defined as secure if:

  • Alice cannot change her bit based on which of Bob or Charlie it is that receives the bit (the transfer is "party independent")
  • Supposing Bob was decided on to receive the bit, Charlie cannot learn the value of the bit handed over by Alice, and vice versa.

My question is this: is there a studied task which is similar to what is described above? Or is this perhaps secretly equivalent to some apparently distinct task? (it sounds a bit like some form of oblivious transfer)

Alex May

1 Answer

1

You can get active security in a cryptographic setting, but it seems that you also need broadcast.

  1. Bob and Charlie both create an asymmetric key.
  2. Bob commits to his public key and broadcasts the commitment.
  3. Bob sends his public key to Charlie and opens the commitment to him. If these do not match, Charlie complains.
  4. Charlie broadcasts both keys (in random order). If Bob's isn't one of them, he complains by opening the commitment.
  5. Alice picks one key at random, encrypts the message, and broadcasts the result. Only one of them is able to decrypt, and Alice doesn't know who.

Note that the message space should be large, otherwise Bob can just try to encrypt all possible messages with Charlie's key and see which one was broadcast. To remedy this, apply some random padding to the message.

Also note that in step 3, the accusation does not lead to identification of the culprit.

majk
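The five steps and the padding note from the answer above, as an added example that is not part of the original answer. It assumes toy textbook-RSA keys and a SHA-256 hash commitment, since the answer names no concrete schemes; all function names are hypothetical and broadcast is modelled as a shared list.

```python
import hashlib, secrets

def keygen(p, q, e=65537):
    """Step 1: toy textbook-RSA key pair (constructed primes, far too small for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def commit(pub):
    """Step 2: hash commitment to a public key; returns (commitment, opening)."""
    r = secrets.token_bytes(16)
    return hashlib.sha256(r + repr(pub).encode()).digest(), r

def opens_to(com, r, pub):
    """Step 3: check that an opened commitment matches the key that was sent."""
    return com == hashlib.sha256(r + repr(pub).encode()).digest()

def encrypt(pub, bit, pad_bits):
    """Step 5: put pad_bits of fresh randomness above the bit, then encrypt."""
    n, e = pub
    pad = secrets.randbits(pad_bits) if pad_bits else 0
    return pow(((pad << 1) | bit) + 2, e, n)   # +2 avoids the RSA fixed points 0 and 1

def decrypt(priv, c):
    n, d = priv
    return (pow(c, d, n) - 2) & 1

def trial_encrypt(pub, c):
    """The check from the note: re-encrypt 0 and 1 without padding and compare."""
    n, e = pub
    return next((b for b in (0, 1) if pow(b + 2, e, n) == c), None)

def run(bit, pad_bits):
    """Returns (bit the recipient decrypts, bit the other party recovers or None)."""
    bob_pub, bob_priv = keygen(2**61 - 1, 2**31 - 1)
    cha_pub, cha_priv = keygen(2**89 - 1, 2**19 - 1)
    com, r = commit(bob_pub)                      # Bob broadcasts com
    if not opens_to(com, r, bob_pub):
        raise RuntimeError("Charlie complains")
    board = [bob_pub, cha_pub]                    # step 4: broadcast in random order
    secrets.SystemRandom().shuffle(board)
    if bob_pub not in board:
        raise RuntimeError("Bob complains and opens com")
    target = secrets.choice(board)                # Alice cannot tell whose key this is
    c = encrypt(target, bit, pad_bits)            # broadcast ciphertext
    priv = bob_priv if target == bob_pub else cha_priv
    return decrypt(priv, c), trial_encrypt(target, c)

if __name__ == "__main__":
    print(run(1, 0), run(1, 64))   # unpadded vs. padded broadcast
```

With `pad_bits=0` the second returned value equals Alice's bit, because the party without the private key can match the broadcast by re-encryption; with 64 bits of padding it is `None`.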