Common use of H H Clause in Contracts

H H. – Commitment. From Lemma 2, all honest parties that complete AVSS-Sh agree on the same h and c. By the collision resistance of the hash function, the adversary cannot find a Cj = C such that h = (Cj) = (C) with all but negligible probability, so there is a fixed C except with negligible probability. Moreover, C is computationally binding under the DLog assumption, so all honest parties agree on the same polynomial A∗(x) committed to in C, which fixes a unique key∗, and they also receive the same cipher c. So there exists a unique m∗ = c key∗, which is fixed once some honest party outputs in AVSS-Sh.

Now we prove that m∗ can be reconstructed when all honest parties activate AVSS-Rec. Any honest party that outputs in the AVSS-Sh subprotocol must have received 2f + 1 Ready messages from distinct parties, at least f + 1 of which are from honest parties. Thus, at least one honest party has received 2f + 1 Echo messages from distinct parties. This ensures that at least f + 1 honest parties get the same commitment C and a valid quorum proof Π. Due to the unforgeability of the signatures in Π, at least f + 1 honest parties did store valid shares of A∗(x) and B∗(x) along with the corresponding commitment C, except with negligible probability. So after all honest parties start AVSS-Rec, at least f + 1 honest parties broadcast KeyRec messages with valid shares of A∗(x) and B∗(x). These messages can be received by all parties and can be verified by the at least f + 1 honest parties who recorded C. With overwhelming probability, at least f + 1 parties can interpolate A∗(x) to compute A∗(0) as key and broadcast it, and all parties can receive at least f + 1 copies of the same key∗ and then output the same m∗ = c key∗, as they obtain the same ciphertext c from AVSS-Sh.
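The share check and interpolation step of the argument above can be traced in code. The following is an added example, not code from the cited paper: it assumes C is a Pedersen-style commitment to the coefficients of A(x) and B(x), uses constructed toy group parameters far too small for real use, and all function names are hypothetical.

```python
# Added illustration: toy Pedersen-style polynomial commitment (assumed scheme).
# Constructed toy parameters: P = 2Q + 1; G and H_GEN generate the order-Q subgroup.
P, Q, G, H_GEN = 2039, 1019, 4, 9

def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest degree first) at x over Z_Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def commit(a, b):
    """C[k] = G^a_k * H_GEN^b_k mod P for each coefficient pair of A and B."""
    return [pow(G, ak, P) * pow(H_GEN, bk, P) % P for ak, bk in zip(a, b)]

def verify_share(C, i, a_i, b_i):
    """Check G^a_i * H_GEN^b_i == prod_k C[k]^(i^k) mod P."""
    lhs = pow(G, a_i, P) * pow(H_GEN, b_i, P) % P
    rhs = 1
    for k, ck in enumerate(C):
        rhs = rhs * pow(ck, pow(i, k, Q), P) % P
    return lhs == rhs

def interpolate_zero(points):
    """Lagrange-interpolate the value at x = 0 from (i, a_i) pairs over Z_Q."""
    total = 0
    for i, a_i in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + a_i * num * pow(den, -1, Q)) % Q
    return total

def reconstruct_key(C, key_rec_msgs, f):
    """Keep only shares valid against C; f + 1 of them are needed for A(0)."""
    valid = {i: a for i, a, b in key_rec_msgs if verify_share(C, i, a, b)}
    if len(valid) < f + 1:
        return None
    return interpolate_zero(sorted(valid.items())[: f + 1])

def demo():
    f, n = 1, 4                      # n = 3f + 1 parties, degree-f polynomials
    A, B = [321, 77], [654, 500]     # constructed coefficients; key* = A(0) = 321
    C = commit(A, B)
    msgs = [(i, poly_eval(A, i), poly_eval(B, i)) for i in range(1, n + 1)]
    msgs[0] = (1, 999, msgs[0][2])   # party 1 is Byzantine and sends a bad share
    return reconstruct_key(C, msgs, f), verify_share(C, *msgs[0])
```

Because every KeyRec share is checked against the recorded C before interpolation, the corrupted share from party 1 is discarded and the remaining f + 1 valid shares still yield A(0).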


Sources: Asynchronous Byzantine Agreement, Asynchronous Byzantine Agreement