Test of malicious behavior during zero check protocol

[andyleiserson]

Test case related to #1204 -- will post more detail to the issue.

[akoshelev]

What I haven't realized is that this test demonstrates that a malicious helper can break the security by making other helpers accept the result of check zero protocol even when u*v != 0. It is a very neat attack discovered by @andyleiserson:

H1 is malicious, H2, H3 are honest helpers executing check_zero

• H1, H2 and H3 execute the first part of check_zero protocol - semi-honest multiply of r*v (according to the paper, this is the right thing to do here).
• as part of this multiply, H2 sends data to H3, H3 to H1 and H1 does not send anything to H2.
• H1 and H3 move to the reveal phase. H1 because it can do whatever it wants (and it has the shares from multiplication), H3 because from its perspective multiplication is done
• H3 sends its shares to H2 and H1 and waits for others
• H1 now can combine the shares of r*v because it has all three of them.

At this point, H1 can craft the response for multiplication to H2 that is still waiting and make the resulting share $\hat{r} = r + a$ equal to 0, completely breaking the security of MAC.