I read the Q/A " Cryptography What are the ways to generate Beaver triples for multiplication gate?" on this site.
So, I understand how to create Beaver's triple for a single-bit value without a trusted party, by using Oblivious Transfer. However, I don't understand how we can extend this to values of an arbitrary bit size. Could someone please explain this with a simple example?
Let $\mathbb{F}_p$ be a prime-order field. Consider the following functionality:
This is called an oblivious linear evaluation, or OLE for short. This is a natural generalization of oblivious transfers: taking $p=2$ yields a functionality which is equivalent to an oblivious transfer (it's a simple exercise to check that for yourself).
A Beaver triple over $\mathbb{F}_p$ can immediately be obtained from 2 OLEs over $\mathbb{F}_p$ using the same construction as described in my answer (the one you link to).
Then, the question boils down to building an OLE in the first place. There is a classical construction of OLE from $\log|\mathbb{F}_p|$ oblivious transfers, due to Gilboa (here). The construction is described for example at the end of page 45 of my HDR manuscript. In short:
Let $t = \log|\mathbb{F}_p|$. Write $x$ as a bitstring $x_1 \cdots x_t$. Alice randomly shares $b$ into $t$ shares $b_1, \cdots, b_t$ over $\mathbb{F}_p$. Then, Alice and Bob execute $t$ oblivious transfers, where in the $i$-th OT, Alice inputs $(b_i, b_i + 2^{i-1}\cdot a)$ and Bob inputs $x_i$. Observe that after each OT, Bob receives $c_i = b_i + (2^{i-1}x_i)\cdot a$. Bob outputs:
$\sum_i c_i = \sum_i b_i + a\cdot \sum_i (2^{i-1}x_i) = b + a\cdot x$.
Thanks for your answer and now I understand how OLE works. Below I summarized my reasoning for the rest of the procedure to compute the secret shares of a Beaver's triple. Please let me know should anything be wrong in here.
=====
Basically, for a Beaver triple, we want to find the triple {z, x, y} such that z = xy. After generating the Beaver triple, Alice should get only {z_A, x_A, y_A}, whereas Bob should get only {z_B, x_B, y_B}.
Notice that z = xy is equivalent to (z_A + z_B) = (x_A + x_B)⋅(y_A + y_B) = x_A⋅y_A + x_A⋅y_B + x_B⋅y_A + x_B⋅y_B.
We suppose that Alice randomly generates the secret shares x_A and y_A, whereas Bob randomly generates the secret shares x_B and y_B. Based on this setup, Alice should find z_A and Bob should find z_B, without knowing about each other's secret shares.
Alice knows what x_A⋅y_A is, and Bob knows what x_B⋅y_B is. Now, their next goals are to find out the secret shares for x_A⋅y_B and x_B⋅y_A, each.
Let the secret shares of x_A⋅y_B = c = c_A + c_B, and x_B⋅y_A = d = d_A + d_B.
Then, we can let z_A = x_A⋅y_A + c_A + d_A, and z_B = x_B⋅y_B + c_B + d_B.
First, to compute c_A and c_B, Bob randomly generates n_B. Then, Bob now has (y_B, n_B) and Alice has x_A. Based on these, Alice and Bob can do OLE (Oblivious Linear Evaluation), which gives Alice x_A⋅y_B + n_B. Then, we can let c_A = x_A⋅y_B + n_B and c_B = -n_B (note that Bob knows -n_B because he knows n_B). Doing this, c_A + c_B = x_A⋅y_B. Thus, Alice and Bob has successfully created valid secret shares {c_A, c_B} for x_A⋅y_B.
Similarly, Alice and Bob can create valid secret shares {d_A, d_B} for x_B⋅y_A.
At this point, Alice can compute z_A = x_A⋅y_A + c_A + d_A, and Bob can compute z_B = x_B⋅y_B + c_B + d_B. Therefore, Alice now gets {z_A, x_A, y_A}, whereas Bob gets {z_B, x_B, y_B}, which are secret shares of a Beaver's triple.
=====
In fact, the secret shares for multiplication of two secret values can be computed by using only OLE. Yet, we still prefer doing this by Beaver's triples, because OLE requires processing log(q) sets of secret shares (for each bit of the secrets), whereas the method based on Beaver's triple requires fewer secret shares to be processed.