Correctness. For proving the first part, it is clear that (i) the honest dealer must collect at least n f valid digital signature for (C ) from distinct parties to form valid Π and (ii) every honest party can eventually wait the shares of A(x) and B(x) as well as the same C . This implies that all honest parties can eventually broadcast the same Cipher messages, so they would broadcast the same Echo messages and the same Ready messages, thus finally outputting in the AVSS-Sh instance. For proving the second party, it is easy to see that (i) any honest party must output a ciphertext c same to the ciphertext computed by the honest sender and (ii) all honest parties must receive the same hash h of the commitment C to A(x), where A(x) is a polynomial chosen by the honest deader. Recall that we have proven that all honest parties can reconstruct a message c A(0), which exactly is m because c computed by the honest sender is m A(0).
Appears in 2 contracts
Sources: Asynchronous Byzantine Agreement, Asynchronous Byzantine Agreement