Cryptography Reference
In-Depth Information
protocols consists of a single broadcast channel. Note that the messages
of the original protocol may be assumed to be sent over a broadcast
channel, because the adversary may see them anyhow (by tapping the
point-to-point channels), and because a broadcast channel is trivially
implementable in the case of passive adversaries. As for the resulting
actively-secure protocol, the broadcast channel it uses can be imple-
mented via an (authenticated) Byzantine Agreement protocol (52; 95),
thus providing an emulation of this model on the standard point-to-
point model (in which a broadcast channel does not exist). We men-
tion that authenticated Byzantine Agreement is typically implemented
using a signature scheme (and assuming that each party knows the
verification-key corresponding to each of the other parties).
Turning to the transformation itself, the main idea is to use zero-
knowledge proofs (as described in Section 4.3) in order to force parties
to behave in a way that is consistent with the (passively-secure) pro-
tocol. Actually, we need to confine each party to a unique consistent
behavior (i.e., according to some fixed local input and a sequence of coin
tosses), and to guarantee that a party cannot fix its input (and/or its
coins) in a way that depends on the inputs of honest parties. Thus, some
preliminary steps have to be taken before the step-by-step emulation
of the original protocol may start. Specifically, the compiled protocol
(which like the original protocol is executed over a broadcast channel)
proceeds as follows:
(1) Committing to the local input : Prior to the emulation of the
original protocol, each party commits to its input (using
a commitment scheme (101)). In addition, using a zero-
knowledge proof-of-knowledge (81; 20; 75), each party also
proves that it knows its own input; that is, that it can
decommit to the commitment it sent. (These zero-knowledge
proofs-of-knowledge are conducted sequentially to prevent
dishonest parties from setting their inputs in a way that
depends on inputs of honest parties; a more round-ecient
method was presented in (45).)
(2) Generation of local random tapes : Next, all parties jointly
generate a sequence of random bits for each party such
Search WWH ::

Custom Search