Improved message passing

[fjarri]

The unpublished version of the paper contains the following note:

To reconcile the two communications models, we propose the following process (in the spirit of echo-broadcasting [?]). In the point-to-point case, for an outgoing message m_{i,k} sent from P_i at round k. P_i is instructed to send a commitment h_{i,k} = com(m_{i,k}) over the broadcast channel and send the relevant data directly to each party using the point-to-point network. That way, if (any part of) m_{i,k} is malformed, an honest party P_j may report P_i as such; by having both parties reveal the underlying (faulty message). Notice that this process incurs a round complexity penalty because the protocol proceeds only if no one reports an issue. However, since the rounds can be “piggybacked” (cf. Remark 3.2) and the last round of each of our protocol phases is a broadcast round, this process does not incur any round-complexity penalty for us.

Remark 3.2.:

For non-unanimous halting [?], by sacrificing identifiable abort, the broadcast channel can be entirely replaced using echo-broadcasting with one extra round of communication; this can be achieved by having the parties “echo” the (hash of the) message they received from each party at the previous round. To obtain only one extra round of communication, notice that the parties are instructed to “piggyback” the echo on the rounds of the signing protocol.

So several things here:

• Do we want to sacrifice identifiable abort?
• Currently we do echo broadcasting as a separate round; how hard would it be to attach it to the next round generically?
• We currently re-send the full messages, not hashes - that can be improved.
• Do we need to do this thing with broadcasting the commitment in direct messages?

[fjarri]

We currently re-send the full messages, not hashes - that can be improved.

Fixed in commit 3252d91

[fjarri]

After some discussions, we decided that echo-broadcasting is good enough, so the only remaining issue is piggybacking. Superseded by #114.