On Fri, Jan 17, 2014 at 10:01:13PM -0600, Nicholas Hopper wrote:
Yes: Nick (who would probably be the one writing the code anyway) generates the shares encrypted to keys generated by the authority operators, sends them to the authority operators, and forgets the intermediate results. ;-) (Only partially kidding.)
Ha! Yes, byzantine agreement is much easier with a trusted party. :)
Then again, if *that* code is written, then just having each authority operator run an instance of that code in the role of Nick, and having everyone add their results, works fine if everyone is online. It's also easy to check that the protocol succeeded, by interpolating the resulting public keys. An actively malicious adversary during this phase would cause the protocol to fail, but I think it would be good to know that we have an actively malicious authority. ;-)
Let's call this the "optimistic approach", and it would certainly be an option, although one issue is that when it fails we can say that someone is malicious but not which authority(s). Although one possibility is to have the ability to fall back to a full byzantine-tolerant protocol in that event.
Actually, I think the above "optimistic" protocol _would_ let you identify the misbehaving party if each message is signed by its sender.
- Ian
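The "optimistic" protocol sketched in this thread (every authority acts as the dealer, everyone sums the shares it received, and the outcome is checked by interpolating the public keys), as an added Python example that is not code from the thread or from Tor. It assumes a toy prime-order group and Feldman commitments for the per-share check; the signed, encrypted delivery of shares is stood in for by a plain `from` tag on each dealing, which is what makes a bad share attributable to its sender.

```python
import math, secrets

# Toy group (constructed for illustration): safe prime p = 2q+1, g = 4 generates
# the subgroup of prime order q. A real deployment uses a large group.
P, Q, G = 1019, 509, 4
N, T = 5, 3  # 5 authorities; any T of them can reconstruct (degree T-1 polynomial)

def poly_eval(coeffs, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def deal(dealer_id):
    """One authority playing 'Nick': random polynomial, Feldman commitments g^a_k, and a
    share f(j) per authority j. The 'from' tag stands in for the sender's signature."""
    coeffs = [secrets.randbelow(Q) for _ in range(T)]
    return {"from": dealer_id,
            "commits": [pow(G, c, P) for c in coeffs],
            "shares": {j: poly_eval(coeffs, j) for j in range(1, N + 1)}}

def share_is_valid(commits, j, share):
    """Feldman check: g^share must equal prod_k C_k^(j^k) mod p."""
    expected = 1
    for k, c in enumerate(commits):
        expected = expected * pow(c, pow(j, k, Q), P) % P
    return pow(G, share, P) == expected

def lagrange_coeff(j, idxs):
    """Coefficient of share j when interpolating f(0) from the indices in idxs."""
    num = den = 1
    for m in idxs:
        if m != j:
            num, den = num * -m % Q, den * (j - m) % Q
    return num * pow(den, -1, Q) % Q

def run_dkg(dealings):
    """Optimistic combine; a dealing with a bad share is blamed on its (signed) sender."""
    blamed = {d["from"] for d in dealings
              if not all(share_is_valid(d["commits"], j, s) for j, s in d["shares"].items())}
    good = [d for d in dealings if d["from"] not in blamed]
    x = {j: sum(d["shares"][j] for d in good) % Q for j in range(1, N + 1)}  # secret shares
    y = {j: pow(G, xj, P) for j, xj in x.items()}                           # public shares
    pub = math.prod(d["commits"][0] for d in good) % P   # combined public key = prod g^a_i0
    return x, y, pub, blamed

def interpolate_pubkey(y, idxs):
    """Interpolate public shares in the exponent; must equal the combined key."""
    out = 1
    for j in idxs:
        out = out * pow(y[j], lagrange_coeff(j, idxs), P) % P
    return out
```

With honest dealings, interpolating any T public shares reproduces the combined key; a tampered share fails the commitment check and the dealer it came from is named rather than just "someone".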