Open andyleiserson opened 1 month ago
What I haven't realized is that this test demonstrates that a malicious helper can break the security by making other helpers accept the result of check zero protocol even when u*v
!= 0. It is a very neat attack discovered by @andyleiserson:
H1 is malicious, H2, H3 are honest helpers executing check_zero
r*v
(according to the paper, this is the right thing to do here).r*v
because it has all three of them.At this point, H1 can craft the response for multiplication to H2 that is still waiting and make the resulting share $\hat{r} = r + a$ equal to 0, completely breaking the security of MAC.
Test case related to #1204 -- will post more detail to the issue.