On Mon, Jan 20, 2014 at 7:32 AM, Ian Goldberg iang@cs.uwaterloo.ca wrote:
Then again, if *that* code is written, then just having each authority operator run an instance of that code in the role of Nick, and having everyone add their results, works fine if everyone is online. It's also easy to check that the protocol succeeded, by interpolating the resulting public keys. An actively malicious adversary during this phase would cause the protocol to fail, but I think it would be good to know that we have an actively malicious authority. ;-)
Let's call this the "optimistic approach", and it would certainly be an option, although one issue is that when it fails we can say that someone is malicious but not which authority(s). Although one possibility is to have the ability to fall back to a full byzantine-tolerant protocol in that event.
Actually, I think the above "optimistic" protocol _would_ let you identify the misbehaving party if each message is signed by its sender.
This runs into problems when parties claim *not* to have received messages from others. (e.g. imagine that floor(n/2) authorities are corrupted and claim that an uncorrupted party did not send them any input)
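The interpolation check from Ian's message, and the limitation raised in the last reply (the check says the round failed, not which authority broke it), as an added example that is not code from the thread: a toy Python simulation of the optimistic round. The group parameters (p = 1019, q = 509, g = 4), the authority count, the threshold, the seed and the single off-polynomial share are all constructed for illustration; signatures on messages and claims of non-receipt are not modelled.

```python
"""Toy simulation of the optimistic DKG round and the interpolation check.
Added example, not code from the thread.  The group (p = 1019, q = 509,
g = 4) is deliberately tiny so the arithmetic is easy to follow; it is
not usable for anything real."""
from itertools import combinations
import random

P = 1019  # safe prime, P = 2*Q + 1
Q = 509   # prime order of the subgroup generated by G
G = 4     # a quadratic residue mod P, so it has order Q


def eval_poly(coeffs, x):
    """Evaluate sum(coeffs[k] * x**k) over Z_Q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def lagrange_coeff(j, subset):
    """Coefficient that point j contributes when interpolating at x = 0
    from the distinct, non-zero x-coordinates in `subset` (mod Q)."""
    num, den = 1, 1
    for m in subset:
        if m != j:
            num = (num * m) % Q
            den = (den * (m - j)) % Q
    return (num * pow(den, -1, Q)) % Q


def interpolate_pubkey(pub_shares, subset):
    """Lagrange interpolation in the exponent: prod_j (g^{s_j})^{lambda_j}."""
    y = 1
    for j in subset:
        y = (y * pow(pub_shares[j], lagrange_coeff(j, subset), P)) % P
    return y


def run_dkg(n, t, seed, cheater=None, victim=None):
    """Simulate n authorities each dealing a random degree-t polynomial f_i
    and sending f_i(j) to authority j; authority j's share is sum_i f_i(j).
    If `cheater` is set, that authority sends `victim` a value that is not
    on its polynomial (a constructed fault standing in for a malicious or
    buggy authority).  Returns (public key shares {j: g^{s_j}},
    the group key g^{sum_i f_i(0)} an honest run should produce)."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    polys = {i: [rng.randrange(Q) for _ in range(t + 1)] for i in range(1, n + 1)}
    pub_shares = {}
    for j in range(1, n + 1):
        s_j = 0
        for i in range(1, n + 1):
            piece = eval_poly(polys[i], j)
            if i == cheater and j == victim:
                piece = (piece + 1) % Q     # off-polynomial share
            s_j = (s_j + piece) % Q
        pub_shares[j] = pow(G, s_j, P)      # what authority j publishes
    group_secret = sum(polys[i][0] for i in polys) % Q
    return pub_shares, pow(G, group_secret, P)


def check_consistency(pub_shares, t):
    """The optimistic check: every (t+1)-subset of the published g^{s_j}
    must interpolate to the same group key.  Returns (ok, key), where key
    is the common value on success and None on failure.  On failure the
    check only says the round is bad, not which authority caused it."""
    keys = {interpolate_pubkey(pub_shares, s)
            for s in combinations(sorted(pub_shares), t + 1)}
    if len(keys) == 1:
        return True, keys.pop()
    return False, None


if __name__ == "__main__":
    honest_pub, expected = run_dkg(n=5, t=2, seed=7)
    print("honest round:", check_consistency(honest_pub, 2), "expected", expected)
    bad_pub, _ = run_dkg(n=5, t=2, seed=7, cheater=3, victim=2)
    print("one bad share:", check_consistency(bad_pub, 2))
```

With all inputs honest, every 3-of-5 subset interpolates to the same group key, which equals g raised to the sum of the dealers' constant terms. A single share that is off its dealer's polynomial makes the subsets containing the affected authority disagree with the rest, so the check fails; it does not distinguish the dealer who sent the bad value from the recipient who published a wrong key share.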