Informal Description and Security Analysis Sample Clauses
Informal Description and Security Analysis. The idea of ΠHBA is as follows. Parties first run ΠABA with their input to ΠHBA. Upon obtaining output from ΠABA, they sign it and broadcast the signature to every party. If a party Pi obtains 3n signatures on any value v before time tout, then it outputs v and broadcasts v along with a proof Li containing the signatures. (Intuitively, Li is a proof that v was a correct output of ΠABA.) If a party has not terminated ΠABA by time tout, it waits for another ∆ interval to ensure that all messages that were sent prior to tout have been received. It then participates in a run of ΠSBA, using as input either its initial input vi or any value on which it has received 3n valid signatures after time tout (there can only be one such value).

Since ΠABA ensures termination for nfAR < n corrupted parties, the honest parties can obtain the necessary 3n signatures for termination at a speed that depends only on the actual network delay whenever fewer than nfAR parties are dishonest. In this way, ΠHBA guarantees fAR-output responsiveness.

On the other hand, if the parties do not all terminate ΠABA, it is impossible that two honest parties output different values vr and v, as this would imply that both of these values were signed at least 3n times. (This would lead to a contradiction, because it implies that more than half the parties signed both values, contradicting the assumption that more than half the parties are honest.) If at least one honest party Pi obtains such a list on a value v before time tout (and therefore outputs v), every other honest party is ensured to receive the same list by time tout + ∆ (since it was broadcast by Pi at time tout). Therefore, in this case, all honest parties use v as their input to ΠSBA. Validity of ΠSBA now ensures that all the parties agree on v and terminate.

Figure 4.1: ΠHBA(tout) protocol (view of Pi)
• Let vi denote the input of party Pi.
• Pi starts to execute ΠABA with input vi (note that parties might start the ΠABA at different times).
• Initialize v∗ ← vi.
• Party Pi runs ΠABA until it terminates ΠABA or until time tout (whichever comes first).
• If party Pi’s view of ΠABA has terminated with output v at time tr < tout, it computes a signature σi ← Sign(v, ski). It broadcasts (i, v, σi) to every party (including itself).
3n value vr at time tr < tout, Pi sets v∗ ← vr, outputs v∗ and broadcasts (i, v∗, Li), where Li denotes a list containing these signatures. Note that this instruction may also be triggered upo...
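An added example (not part of the source text) of the two checks the description above relies on: accepting a signature list Li only when it holds enough valid signatures from distinct signers, and the overlap argument for why two honest parties cannot output different values. The HMAC-based sign/verify, the demo keys, the party counts and the threshold parameter are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC is a stand-in for Sign/Verify so the block runs
# with the standard library only; a real deployment uses public-key signatures.
KEYS = {i: hashlib.sha256(b"demo-key-%d" % i).digest() for i in range(8)}


def sign(i, v):
    """Stand-in for sigma_i <- Sign(v, sk_i); v is a bytes value."""
    return hmac.new(KEYS[i], v, hashlib.sha256).digest()


def verify(i, v, sig):
    """True only for a known party index and a signature that matches v."""
    return i in KEYS and hmac.compare_digest(sign(i, v), sig)


def valid_certificate(v, cert, threshold):
    """Check a list L of (i, sigma_i) pairs for value v.

    Each signer is counted once and only if its signature verifies on v,
    so duplicated entries and signatures on other values add nothing.
    """
    signers = {i for i, sig in cert if verify(i, v, sig)}
    return len(signers) >= threshold


def min_overlap(n, threshold):
    """Fewest parties that signed both values when two different values
    each carry `threshold` distinct signatures among n parties."""
    return max(0, 2 * threshold - n)


def conflicting_outputs_possible(n, threshold, honest):
    """An honest party signs only its single PiABA output, so every party
    in the overlap must be corrupted. Two certified values are possible
    only if the overlap fits inside the n - honest corrupted parties."""
    return min_overlap(n, threshold) <= n - honest
```

With 8 parties, 5 of them honest, a threshold of 7 forces an overlap of 6 signers, more than the 3 corrupted parties available, while a threshold of 5 leaves an overlap of 2 that corrupted parties alone could supply.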
