Cryptography Reference
In-Depth Information
that only this party knows the outcome of the random
sequence generated for it, but everybody gets a commitment
to this outcome. These sequences will be used as the random-
inputs (i.e., sequence of coin tosses) for the original protocol.
Each bit in the random-sequence generated for Party
X
is
determined as the exclusive-or of the outcomes of instances
of an (augmented) coin-tossing protocol (cf. (28) and (67,
Sec. 7.4.3.5)) that Party
X
plays with each of the other par-
ties. The latter protocol provides the other parties with a
commitment to the outcome obtained by Party X.
(3)
Effective prevention of premature termination
: In addition,
when compiling (the passively-secure protocol to an actively-
secure protocol)
for the model that allows the adversary to
control only a minority of the parties
, each party shares its
input and random-input with all other parties using a “Ver-
ifiable Secret Sharing” (VSS) protocol (cf. (43) and (67,
Sec. 7.5.5.1)). Loosely speaking, a VSS protocol allows a
secret to be shared in a way that enables each participant
to verify that the share it got fits the publicly posted infor-
mation, which includes (on top of the commitments posted
in Steps 1 and 2) commitments to all shares. The use of VSS
guarantees that if Party X prematurely suspends the exe-
cution, then the honest parties can together reconstruct all
Party X's secrets and carry on the execution while playing
its role. This step effectively prevents premature termina-
tion, and is not needed in a model that does not consider
premature termination a breach of security.
(4)
Step-by-step emulation of the original protocol
:Afterallthe
above steps were completed, we turn to the main step in
which the new protocol emulates the original one. In each
step, each party augments the message determined by the
original protocol with a zero-knowledge proof that asserts
that the message was indeed computed correctly. Recall that
the next message (as determined by the original protocol)
is a function of the sender's own input, its random-input,
and the messages it has received so far (where the latter are
