Re: Jointly calculating the sum

From: Ann Brandon (ann_brandon_spamfree_at_yahoo.com)
Date: 07/27/05 

Date: Wed, 27 Jul 2005 23:11:26 +0200

David Wagner wrote:
> I guess I probably don't understand the communication model.
> I would have thought that in step 1, each party broadcasts a single
> message (of size O(n)).
Probably I missunderstand something, cause you're the expert. Why has
each party only to broadcast one value? If they are using a VSS scheme,
then each party has to create a polynomial and commit to its
coefficients. The polynomial needs to have degree of n-1, so there are n
coefficients where the constant coefficient is the secret value r_i. Or
am I completly misinterpreting something?

> Maybe you're worried about the cost of robustness? Sometimes one
Yes that's the point. At least if I got a wrong result, I need a way to
find the gultiy person. Identification won't work without some
verification-values, or am I doing something wrong?

> can optimize with an "optimistic" protocol, where the cost of robustness
> is only incurred in the presence of an attack (e.g., if you don't receive
> the expected messages within a timeout, you initiate a less efficient
> recovery procedure).
This sounds interesting. Do you have some special idea in mind, or
somethings to read for me?