cryspen / atlas

BMBF ATLAS project
https://cryspen.com/atlas/

Share authentication protocol #74

Closed jschneider-bensch closed 6 months ago

jschneider-bensch commented 6 months ago

This PR contains a protocol for constructing authenticated bit shares from a set of multi-party authenticated shares. The reason we need this protocol, as described in WRK17b, appendix B.2, is that after bit authentication "it is still possible that a malicious party uses inconsistent ∆’s when authenticating different parties’ shares." This protocol solves the problem by "sacrificing", i.e. revealing a fixed number of the authenticated bits to validate consistent use of the same global MAC key ∆ in a larger batch.

To this end, I've implemented the sacrificing check, which includes extending commitments, openings and authenticated bits by methods that allow parties to broadcast them (or the relevant parts of them), i.e. simple serialization and deserialization methods that allow us to use the existing broadcast utility.

The PR also includes a small extension of the Party struct by a bit authentication pool that can be used to store as many pre-computed bit authentications as required for later online computation. A good quality-of-life extension to this would be the ability to store and load pre-computed bit authentications from a file, since the bit authentication is by far the slowest part of a protocol run.

Fixes #73 Fixes #65