Abstract
We prove lower bounds on the round complexity of randomized Byzantine agreement (BA) protocols, bounding the halting probability of such protocols after one and two rounds. In particular, we prove that: 1. BA protocols resilient against n/3 [resp., n/4] corruptions terminate (under attack) at the end of the first round with probability at most o(1) [resp., \(1/2+ o(1)\)]. 2. BA protocols resilient against a fraction of corruptions greater than 1/4 terminate at the end of the second round with probability at most \(1-\Theta (1)\). 3. For a large class of protocols (including all BA protocols used in practice) and under a plausible combinatorial conjecture, BA protocols resilient against a fraction of corruptions greater than 1/3 [resp., 1/4] terminate at the end of the second round with probability at most o(1) [resp., \(1/2 + o(1)\)]. The above bounds hold even when the parties use a trusted setup phase, e.g., a public-key infrastructure (PKI). The third bound essentially matches the recent protocol of Micali (ITCS’17) that tolerates up to n/3 corruptions and terminates at the end of the third round with constant probability.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
Byzantine agreement (BA) [50, 63] is one of the most important problems in theoretical computer science. In a BA protocol, a set of n parties wish to jointly agree on one of the honest parties’ input bits. The protocol is t-resilient if no set of t corrupted parties can collude and prevent the honest parties from completing this task. In the closely related problem of broadcast, all honest parties must agree on the message sent by a (potentially corrupted) sender. Byzantine agreement and broadcast are fundamental building blocks in distributed computing and cryptography, with applications in fault-tolerant distributed systems [16, 49], secure multiparty computation [8, 17, 36, 69], and more recently, blockchain protocols [18, 35, 62].
In this work, we consider the synchronous communication model, where the protocol proceeds in rounds. It is well known that in the plain model, without any trusted setup assumptions, BA and broadcast can be solved if and only if \(t<n/3\) [28, 32, 50, 63]. Assuming the existence of digital signatures and a public-key infrastructure (PKI), BA can be solved in the honest-majority setting \(t<n/2\), and broadcast under any number of corruptions \(t<n\) [24]. Information-theoretic variants that remain secure against computationally unbounded adversaries exist using information-theoretic pseudo-signatures [65].
An important aspect of BA and broadcast protocols is their round complexity. For deterministic t-resilient protocols, \(t+1\) rounds are known to be sufficient [24, 32] and necessary [24, 27]. The breakthrough results of Ben-Or [6] and Rabin [66] showed that this limitation can be circumvented using randomization. In particular, Rabin [66] used random beacons (common random coins that are secret-shared among the parties in a trusted setup phase) to construct a BA protocol resilient to \(t<n/4\) corruptions. The failure probability of Rabin’s protocol after r rounds is \(2^{-r}\), and the expected number of rounds to reach agreement is constant. This line of research culminated with the work of Feldman and Micali [26] who showed how to compute the common coins from scratch, yielding expected-constant-round BA protocol in the plain model, resilient to \(t<n/3\) corruptions. Katz and Koo [47] gave an analogue result in the PKI-model for the honest-majority case. Recent results used trusted setup and cryptographic assumptions to establish a surprisingly small expected round complexity, namely 9 for \(t<n/3\) [54] and 10 for \(t<n/2\) [2, 55].
The expected-constant-round protocols mentioned above are guaranteed to terminate (with negligible error probability) within a poly-logarithmic number of rounds. The lower bounds on the guaranteed termination from [24, 27] were generalized by [20, 46], showing that any randomized r-round protocol must fail with probability at least \((c\cdot r)^{-r}\) for some constant c; in particular, randomized agreement with sub-constant failure probability cannot be achieved in strictly constant rounds. However, to date there is no lower bound on the expected round complexity of randomized BA.
In this work, we tackle this question and show new lower bounds for randomized BA. To make the discussion more informative, we consider a more explicit definition that bounds the halting probability within a specific number of rounds. A lower bound based on such a definition readily implies a lower bound on the expected round complexity of the BA protocol.
1.1 The Model
We start with describing in more details the model in which our lower bounds are given. In the BA protocols considered in this work, the parties are communicating over a synchronous network of private and authenticated channels. Each party starts the protocol with an input bit and upon completion decides on an output bit. The protocol is t-resilient if when facing t colluding parties that attack the protocol it holds that: (1) all honest parties agree on the same output bit (agreement), (2) if all honest parties start with the same input bit, then this is the common output bit (validity), and (3) the protocol eventually terminates (termination). The protocols might have a trusted setup phase: a trusted external party samples correlated values (or receives a value from each party) and distributes them among the parties. A setup phase is known to be essential for tolerating \(t\ge n/3\) corruptions, and seems to be crucial for highly efficient protocols such as [1, 2, 18, 54, 55]. The trusted setup phase is typically implemented using (heavy) secure multiparty computation [10, 13], distributed key generation [34, 64], via a public-key infrastructure (see [14] for a discussion on different flavors of PKI), or with a random oracle (that can be used to model proofs of work) [61].
Locally consistent adversaries. The attacks presented in this paper require very limited capabilities from the corrupted parties (a limitation that makes our bounds stronger). Specifically, a corrupted party can deviate from the protocol only by: (1) prematurely aborting, and (2) altering (possibly a multiple number of times) its input bit and/or incoming messages from corrupted parties (see Sect. 3.1.2 for a precise definition). We emphasize that corrupted parties sample their random coins honestly (and use the same coins for all messages sent). In addition, they do not lie about messages received from honest parties.
Public-randomness protocols. In many randomized protocols, including all those used in practice, cryptography is merely used to provide message authentication—preventing a party from lying about the messages it received—and verifiable randomness—forcing the parties to toss their coins correctly. The description of such protocols can be greatly simplified if only security against locally consistent adversaries is required (in which corrupted parties do not lie about their coin tosses and their incoming messages from honest parties). This motivates the definition of public-randomness protocols, where each party publishes its local coin tosses for each round (the party’s first message also contains its setup parameter, if such exists). Although our attacks apply to arbitrary BA protocols, we show even stronger lower bounds for public-randomness protocols.
We illustrate the simplicity of the model by considering the BA protocol of Micali [54]. In this protocol, the cryptographic tools, digital signatures and verifiable random functions (VRFs),Footnote 1 are used to allow the parties elect leaders and toss coins with probability 2/3 as follows: each party \(\mathsf {P} _i\) in round r evaluates the VRF on the pair (i, r) and multicasts the result. The leader is set to be the party with the smallest VRF value, and the coin is set to be the least-significant bit of this value. Since these values are uniformly distributed \(\kappa \)-bit strings (\(\kappa \) is the security parameter), and there are at least 2n/3 honest parties, the success probability is 2/3. (Indeed, with probability 1/3, the leader is corrupted, and can send its value only to a subset of the parties, creating disagreement.)
When considering locally consistent adversaries, Micali’s protocol can be significantly simplified by having each party randomly sample and multicast a uniformly distributed \(\kappa \)-bit string (cryptographic tools and setup phase are no longer needed). Corrupted parties can still send their values to a subset of honest parties as before, but they cannot send different random values to different honest parties.
A similar simplification applies to other BA protocols that are based on leader election and coin tosses such as [26, 29, 47] (private channels are used for a leader-election sub-protocol), [2, 55] (cryptography is used for coin-tossing and message-authentication), and [1, 18] (cryptography is used to elect a small committee per round).Footnote 2
Proposition 1.1
(Malicious security to locally consistent public-randomness protocol, informal) Each of the BA protocols of [1, 2, 18, 26, 29, 47, 54, 55] induces a public-randomness BA protocol secure against locally consistent adversaries, with the same parameters.
A useful abstraction for protocol design. To complete the picture, we remark that security against locally consistent adversaries, which may seem somewhat weak at first sight, can be compiled using standard cryptographic techniques into security against arbitrary adversaries. This reduction becomes lossless, efficiency-wise and security-wise, when applied to public-randomness protocols. Thus, building public-randomness protocols secure against locally consistent adversaries is a useful abstraction for protocol designers that want to use what cryptography has to offer, but without being bothered with the technical details. See more details in Sect. 1.3.
Connection to the full-information model. The public-randomness model can be viewed as a restricted form of the full-information model [5, 7, 9, 19, 37, 39, 45, 48, 51, 52]. In the latter model, the adversary is computationally unbounded and has complete access to all the information in the system, i.e., it can listen to all transmitted messages and view the internal states of honest parties (such an adversary is also called intrusive [19]). One of the motivations to study full-information protocols is to separate randomization from cryptography and see to what extent randomization alone can speed up Byzantine agreement. Bar-Joseph and Ben-Or [5] showed that any full-information BA protocol tolerating \(t=\Theta (n)\) adaptive, fail-stop corruptions (i.e., the adversary can dynamically choose which parties to crash) runs for \({{\tilde{\Omega }}}(\sqrt{n})\) rounds. Goldwasser et al. [39] constructed an \(O(\log {n})\)-round BA protocol tolerating \(t=(1/3-\varepsilon )n\) static, malicious corruptions, for an arbitrarily small constant \(\varepsilon >0\).
We chose to state our results in the public-randomness model for two reasons. First, our lower bounds readily extend to lower bounds in the full-information model (since we consider weaker adversarial capabilities, e.g., all our attacks are efficient). Second, when considering locally consistent adversaries, public-randomness captures essentially what efficient cryptography has to offer. Indeed, all protocol used in practice can be cast as public-randomness protocols tolerating locally consistent adversaries (Proposition 1.1) and every public-randomness protocol secure against locally consistent adversaries can be compiled, using cryptography, to malicious security in the standard model, where security relies on secret coins (see Theorem 1.6 below).
We note that it is known how to compile certain full-information protocols and “boost” their security from fail-stop into malicious; however, these compilers capture either deterministic protocols [15, 42, 59] or protocols with a non-uniform source of randomness (namely, an SV-source [67]) [39]. It is unclear whether these compilers can be extended to capture arbitrary protocols (this is in fact stated as an open question in [15, 39]). In addition, these compilers are designed to be information theoretic and not rely on cryptography; thus, they do not model highly efficient protocols used in practice.
1.2 Our Results
We present three lower bounds on the halting probability of randomized BA protocols. To keep the following introductory discussion simple, we will assume that both validity and agreement properties hold perfectly, without error. Throughout we consider \(t<n/2\) (as otherwise Byzantine agreement cannot be achieved).
First-round halting. Our first result bounds the halting probability after a single communication round. This is the simplest case since parties cannot inform each other about inconsistencies they encounter. Indeed, the established lower bound is quite strong, showing an exponentially small bound on the halting probability when \(t\ge n/3\), and exponentially close to 1/2 when \(t\ge n/4\).
Theorem 1.2
(First-round halting, informal) Let \(\Pi \) be an n-party BA protocol and let \(\gamma \) denote the halting probability after a single communication round facing a locally consistent, static, adversary corrupting t parties. Then,
-
\(n/2>t \ge n/3\) implies \(\gamma \le 2^{t-n}\) for arbitrary protocols, and \(\gamma =0\) for public-randomness protocols.
-
\(n/2>t \ge n/4\) implies \(\gamma \le 1/2+2^{t-n}\) for arbitrary protocols, and \(\gamma \le 1/2\) for public-randomness protocols.
Note that the deterministic \((t+1)\)-round, t-resilient BA protocol of Dolev and Strong [24] can be cast as a locally consistent public-randomness protocol (in the plain model).Footnote 3 Theorem 1.2 shows that for \(n=3\) and \(t=1\), this two-round BA protocol is essentially optimal and cannot be improved via randomization (at least without considering complex protocols that cannot be cast as public-randomness protocols).
Second-round halting for arbitrary protocols. Our second result considers the halting probability after two communication rounds. This is a much more challenging regime, as honest parties have time to detect inconsistencies in first-round messages. Our bound for arbitrary protocols in this case is weaker, and shows that when \(t>n/4\), the halting probability is bounded away from 1.
Theorem 1.3
(Second-round halting, arbitrary protocols, informal) Let \(\Pi \) be an n-party BA protocol and let \(\gamma \) denote the halting probability after two communication rounds facing a locally consistent, static, adversary corrupting \(t=(1/4+\varepsilon )\cdot n\) parties. Then, \(\gamma \le 1 - (\varepsilon /5)^2\).
Second-round halting for public-randomness protocols. Theorem 1.3 bounds the second-round halting probability of arbitrary BA protocols away from one. For public-randomness protocol we achieve a much stronger bound. The attack requires adaptive corruptions (as opposed to static corruptions in the previous case) and is based on a combinatorial conjecture that is stated below.Footnote 4
Theorem 1.4
(Second-round halting, public-randomness protocols, informal) Let \(\Pi \) be an n-party public-randomness BA protocol and let \(\gamma \) denote the halting probability after two communication rounds facing a locally consistent adversary adaptively corrupting t parties. Then, for sufficiently large n and assuming Conjecture 1.5 holds,
-
\(t > n/3\) implies \(\gamma =0\).
-
\(t > n/4\) implies \(\gamma \le 1/2\).
Theorem 1.4 shows that for sufficiently large n, any public-randomness protocol tolerating \(t>n/3\) locally consistent corruptions cannot halt in less than three rounds (unless Conjecture 1.5 is false). In particular, its expected round complexity must be at least three.
To understand the meaning of this result, recall the protocol of Micali [54]. As discussed above, this protocol can be cast as a public-randomness protocol tolerating \(t<n/3\) adaptive locally consistent corruptions. The protocol proceeds by continuously running a three-round sub-protocol until halting, where each sub-protocol consists of a coin-tossing round, a check-halting-on-0 round, and a check-halting-on-1 round. Executing a single instance of this sub-protocol demonstrates a halting probability of 1/3 after three rounds. By Theorem 1.4, a protocol that tolerates slightly more corruptions, i.e., \((1/3 +\varepsilon ) \cdot n\), for arbitrarily small \(\varepsilon >0\), cannot halt in fewer rounds.
Our techniques. Our attacks follow the spirit of many lower bounds on the round complexity on BA and broadcast [4, 24, 25, 27, 33, 46]. The underlying idea is to start with a configuration in which validity assures the common output is 0, and gradually adjust it, while retaining the same output value, into a configuration in which validity assures the common output is 1. (For the simple case of deterministic protocols, each step of the argument requires the corrupted parties to lie about their input bits and incoming messages from other corrupted parties, but otherwise behave honestly.) Our main contribution, which departs from the aforementioned paradigm, is adding another dimension to the attack by aborting a random subset of parties (rather than simply manipulating the input and incoming messages). This change allows us to bypass a seemingly inherent barrier for this approach. We refer the reader to Sect. 2 for a detailed overview of our attacks.
We remark that a similar approach was employed by Attiya and Censor [3] for obtaining lower bounds on consensus protocols in the asynchronous shared-memory model, a flavor of BA in a communication model very different to the one considered in the present paper. Specifically, [3] showed that in an asynchronous shared-memory system, \(\Theta (n^2)\) steps are required for n processors to reach agreement when facing \(\Theta (n)\) computationally unbounded strongly adaptive corruptions (see Footnote 4). Their adversary also aborts a subset of the parties to prevent halting; however, the difference in communication model (synchronous in our work, vs. asynchronous in [3]) and the adversary’s power (efficient and adaptive in our work, vs. computationally unbounded and strongly adaptive in [3]) yields a very different attack and analysis (though, interestingly, both attacks boil down to different variants of isoperimetric-type inequalities).
The combinatorial conjecture. We conclude the present section by motivating and stating the combinatorial conjecture assumed in Theorem 1.4, and discussing its plausibility. We believe the conjecture to be of independent interest, as it relates to topics from Boolean functions analysis such as influences of subsets of variables [60] and isoperimetric-type inequalities [57, 58]. The nature of our conjecture makes the following paragraphs somewhat technical, and reading them can be postponed until after going over the description of our attack in Sect. 2.
The analysis of our attack naturally gives rise to an isoperimetric-type inequality. For limited types of protocols, we manage to prove it using Friedgut’s theorem [31] about approximate juntas and the KKL theorem [44]. For arbitrary protocols, however, we can only reduce our attack to the conjecture below.
We require the following notation before stating the conjecture. Let \(\Sigma \) denote some finite set. For \({ \varvec{x}}\in \Sigma ^n\) and \({\mathcal {S}}\subseteq [n]\), define the vector \(\bot _{\mathcal {S}}({ \varvec{x}}) \in \left\{ \Sigma \cup \bot \right\} ^n\) by assigning all entries indexed by \({\mathcal {S}}\) with the value \(\bot \), and all other entries according to \({ \varvec{x}}\). Finally, let \({\mathbf {D}}_{n,\sigma }\) denote the distribution induced over subsets of [n] by choosing each element with probability \(\sigma \) independently at random.
Conjectures 1.5
For any \(\sigma ,\lambda >0\) there exists \(\delta >0\) such that the following holds for large enough \(n\in {{\mathbb {N}}}\): let \(\Sigma \) be a finite alphabet, and let \({\mathcal {A}}_0,{\mathcal {A}}_1 \subseteq \left\{ \Sigma \cup \bot \right\} ^n\) be two sets such that for both \(b\in \{0,1\}\):
Then,
Consider two large sets \({\mathcal {A}}_0\) and \({\mathcal {A}}_1\) which are “stable” in the following sense: for both \(b\in \{0,1\}\), with probability \(1-\delta \) over \({\mathcal {S}}\leftarrow {\mathbf {D}}_{n,\sigma }\), it holds that both \({ \varvec{r}}\) and \(\bot _{{\mathcal {S}}}({ \varvec{r}})\) belong to \({\mathcal {A}}_b\), with probability at least \(\lambda \) over \({ \varvec{r}}\). Conjecture 1.5 stipulates that with high probability (\(\ge \delta \)), the vectors \({ \varvec{r}}\) and \(\bot _{{\mathcal {S}}}({ \varvec{r}})\) lie in opposite sets (i.e., one is in \({\mathcal {A}}_0\) and the other \({\mathcal {A}}_1\)), for random \({ \varvec{r}}\) and \({\mathcal {S}}\). It is somewhat reminiscent of the following flavor of isoperimetric inequality: for any two large sets \({\mathcal {B}}_0\) and \({\mathcal {B}}_1\), taking a random element from \({\mathcal {B}}_0\) and resampling a few coordinates, yields an element in \({\mathcal {B}}_1\) with large probability. Less formally, one can “move” from one set to the other by manipulating a few coordinates [57, 58].
A few remarks are in order. First, it suffices for our purposes to show that \(\delta \) is a noticeable (i.e., inverse polynomial) function of n, rather than independent of n.Footnote 5 We opted for the latter as it gives a stronger attack. Second, the conjecture holds for “natural” sets such as balls, i.e., \({\mathcal {A}}_0\) and \({\mathcal {A}}_1\) are balls centered around \(0^n\) and \(1^n\) of constant radius,Footnote 6 and “prefix” sets, i.e., sets of the form \({\mathcal {A}}_b=b^k \times \left\{ \Sigma \cup \bot \right\} ^{n-k}\). Furthermore, the claim can be proven when the probabilities over \({\mathcal {S}}\) and \({ \varvec{r}}\) are reversed, i.e., “with probability \(\lambda \) over \({ \varvec{r}}\), it holds that both \({ \varvec{r}}\) and \(\bot _{{\mathcal {S}}}({ \varvec{r}})\) belong to \({\mathcal {A}}_b\) with probability at least \(1-\delta \) over \({\mathcal {S}}\)”, instead of the above. Interestingly, this weaker statement boils down to the aforementioned isoperimetric-type inequality (cf. [57] for the Boolean case and [58] for the non-Boolean case).
We conclude by pointing out that, as mentioned in Footnote 4, the conjecture is not needed for certain limited cases that are not addressed in detail in the present paper. One such case is sketched out in Sect. 2.
1.3 Locally Consistent Security to Malicious Security
As briefly mentioned in Sect. 1.1, protocols that are secure against locally consistent adversaries can be compiled to tolerate arbitrary malicious adversaries. The compiler requires a PKI setup for digital signatures, verifiable random functions (VRFs) [56], and non-interactive zero-knowledge proofs (NIZK) [11]. A VRF is a pseudorandom function with an additional property: using the secret key and an input x, the VRF outputs a pseudorandom value y along with a proof string \(\pi \); using the public key, everyone can use \(\pi \) to verify whether y is the output of x. We consider a trusted setup phase for establishing the PKI, where a trusted party generates VRF and signature keys for every party, securely gives the secret keys to each party, and publishes the public keys to all.
Given a protocol that is secure against locally consistent adversaries, the compiled protocol proceeds as follows, round by round. Each party \(\mathsf {P} _i\) sets its random coins for the \(r\)’th round \(\rho _i^r\) (together with a proof \(\pi _i^r\)) by evaluating the VRF over the pair (i, r). Next, for every \(j\in [n]\), party \(\mathsf {P} _i\) uses these coins to compute the message \(m^r_{i\rightarrow j}\) for \(\mathsf {P} _j\), signs \(m^r_{i\rightarrow j}\) as \(\sigma ^r_{i\rightarrow j}\), and sends \((m^r_{i\rightarrow j},\sigma ^r_{i\rightarrow j},\pi _i^r)\) to \(\mathsf {P} _j\). Finally, \(\mathsf {P} _i\) sends to \(\mathsf {P} _j\) a NIZK proof that:
-
1.
There exist an input bit b, random coins \(\rho _i^r\), as well as random coins \(\rho ^{r'}_i\) and incoming messages and \((m^{r'}_{1\rightarrow i},\ldots ,m^{r'}_{n\rightarrow i})\) for every prior round \(r'<r\), such that: (1) \(\pi _i^r\) verifies that \(\rho _i^r\) is the VRF output of (i, r) (using the VRF public key of \(\mathsf {P} _i\)), (2) the message \(m^r_{i\rightarrow j}\) was signed by \(\mathsf {P} _i\), and (3) the message \(m^r_{i\rightarrow j}\) is the output of the next-message function of \(\mathsf {P} _i\) when applied to these values.
-
2.
For \(r>1\), the messages \((m^{r'}_{k\rightarrow i},\sigma ^{r'}_{k\rightarrow i},\pi _k^{r'})\) received by \(\mathsf {P} _i\) from every \(\mathsf {P} _k\) in prior rounds are proven to be properly generated. That is, \(\mathsf {P} _k\) provided a NIZK proof that explains how \(m^{r'}_{k\rightarrow i}\) was generated using random coins computed via the VRF on \((k,r')\) and on incoming messages that were signed by the senders.
When considering public-randomness protocols, the above compilation can be made much more efficient. Instead of proving in zero knowledge the consistency of each message, each party \(\mathsf {P} _i\) concatenates to each message all of its incoming messages from the previous round. A receiver can now locally verify the coins used by \(\mathsf {P} _i\) are the VRF output of (i, r) (as assured by the VRF), that the incoming messages are properly signed, and that the message is correctly generated from the internal state of \(\mathsf {P} _i\) (which is now visible and verified).
Theorem 1.6
(Locally consistent to malicious security, folklore, informal) Assume PKI for digital signatures, VRF, and NIZK. Then, an expected-constant-round BA protocol secure against locally consistent adversaries can be compiled into a maliciously secure protocol with the same parameters.
The proof of Theorem 1.6 can be found in Sect. A.
1.4 Additional Related Work
Following the work of Feldman and Micali [26] in the two-thirds majority setting, Katz and Koo [47] improved the expected round complexity to 23, and Micali [54] to 9. In the honest-majority setting, Fitzi and Garay [29] showed expected-constant-round protocol and Katz and Koo [47] expected 56 rounds. Micali and Vaikuntanathan [55] adjusted the technique from [54] to the honest-majority case. Abraham et al. [2] achieved expected 10 rounds assuming static corruptions and expected 16 rounds assuming adaptive corruptions. Abraham et al. [1] constructed an expected-constant-round protocol tolerating \((1/2-\epsilon )\cdot n\) adaptive corruptions with sublinear communication complexity. In the dishonest-majority setting, Garay et al. [33] constructed a broadcast protocol with expected \(O(k^2)\) rounds, tolerating \(t<n/2+k\) corruptions, that was improved by Fitzi and Nielsen [30] to expected O(k) rounds.
Attiya and Censor-Hillel [4] extended the results of Chor et al. [20] and of Karlin and Yao [46] on guaranteed termination of randomized BA protocols to the asynchronous setting, and provided a tight lower bound.
Randomized protocols with expected constant round complexity have probabilistic termination, which requires delicate care with respect to composition (i.e., their usage as subroutines by higher-level protocols). Parallel composition of randomized BA protocols was analyzed in [6, 29], sequential composition in [53], and universal composition in [21, 22].
1.5 Open Questions
Our attack on two-round halting of public-randomness protocols is based on Conjecture 1.5. In this work we prove special cases of this conjecture, but proving the general case remains an open challenge.
A different interesting direction is to bound the halting probability of protocols when \(t<n/4\). It is not clear how to extend our attacks to this regime.
1.6 Paper Organization
In Sect. 2 we present a technical overview of our attacks. The formal model and the exact bounds are stated in Sect. 3. The proof of the first-round halting is given in Sect. 4, and for second-round halting in Sect. 5. The proof of Theorem 1.6 appears in Sect. A.
2 Our Techniques
In this section, we outline our techniques for proving our results. We start with explaining our bound for first-round halting of arbitrary protocols (Theorem 1.2). We then move to second-round halting, starting with the weaker bound for arbitrary protocols (Theorem 1.3), and then move to the much stronger bound for public-randomness protocols (Theorem 1.4).
Notations. We use calligraphic letters to denote sets, uppercase for random variables, lowercase for values, boldface for vectors, and sans-serif (e.g., \(\mathsf {A}\)) for algorithms (i.e., Turing Machines). For \(n\in {{\mathbb {N}}}\), let \([n]=\left\{ 1,\ldots ,n\right\} \) and \((n)=\left\{ 0,1,\ldots ,n\right\} \). Let \(\mathrm {dist}(x, y)\) denote the hamming distance between x and y. For a set \({\mathcal {S}}\subseteq [n]\) let \({{\overline{{\mathcal {S}}}}}= [n]\setminus {\mathcal {S}}\). For a set \({\mathcal {R}}\subseteq \{0,1\}^n\), let \({\mathcal {R}}|_{{\mathcal {S}}}=\{{ \varvec{x}}_{\mathcal {S}}\in \{0,1\}^{\left| {\mathcal {S}}\right| }\text { s.t.\ }{ \varvec{x}}\in {\mathcal {R}}\}\), i.e., \({\mathcal {R}}|_{{\mathcal {S}}}\) is the projection of \({\mathcal {R}}\) on the index-set \({\mathcal {S}}\).
Fix an n-party randomized BA protocol \(\Pi = ({\mathsf {P}}_1,\ldots ,{\mathsf {P}}_n)\). For presentation purposes, we assume that n is divisible by 3, that validity and agreement hold perfectly, and consider no setup parameters (in the subsequent sections, we remove these assumptions). Furthermore, we only address here the case where the security threshold is \(t>n/3\). The case \(t>n/4\) requires an additional generic step that we defer to the technical sections of the paper. We denote by \(\Pi ({ \varvec{v}};{ \varvec{r}})\) the output of an honest execution of \(\Pi \) on input \({ \varvec{v}}\in {\{0,1\}^n}\) and randomness \({ \varvec{r}}\) (each party \(\mathsf {P} _i\) holds input \(v_i\) and randomness \(r_i\)). We let \(\Pi ({ \varvec{v}})\) denote the resulting random variable determined by the parties’ random coins, and we write \(\Pi ({ \varvec{v}}) =b\) to denote the event that the parties output \(b\) in an honest execution of \(\Pi \) on input \({ \varvec{v}}\). All corrupt parties described below are locally consistent (see Sect. 1.1).
2.1 First-Round Halting
Assume the honest parties of \(\Pi \) halt at the end of the first round with probability \(\gamma >0\) when facing t corruptions (on every input). Our goal is to upperbound the value of \(\gamma \). Our approach is inspired by the analogous lower-bound for deterministic protocols (see [24, 27]). Namely, we start with a configuration in which validity assures the common output is 0, and, while maintaining the same output, we gradually adjust it into a configuration in which validity assures the common output is 1, thus obtaining a contradiction. For randomized protocols, the challenge is to maintain the invariant of the output, even when the probability of halting is far from 1. We make the following observations:
That is, in an honest execution of \(\Pi \), if the parties almost start with preagreement, i.e., with at least \(n-t\) of \(b\)’s in the input vector, then the parties output \(b\) with probability 1. Equation (1) follows from agreement and validity by considering an adversary corrupting exactly those parties with input \(v_i\ne b\), and otherwise not deviating from the protocol.
That is, for two input vectors that are at most t-far (i.e., the resiliency threshold), the probability that the executions on these vectors yield the same output when using the same randomness is bounded below by the halting probability. To see why Eq. (2) holds, consider the following adversary corrupting subset \({\mathcal {C}}\), for \({\mathcal {C}}\) being the set of indices where \({ \varvec{v}}_0\) and \({ \varvec{v}}_1\) disagree. For an arbitrary partition \(\{{\overline{{\mathcal {C}}}}_0,{\overline{{\mathcal {C}}}}_1\}\) of \({\overline{{\mathcal {C}}}}\), the adversary instructs \({\mathcal {C}}\) to send messages according to \({ \varvec{v}}_0\) to \({\overline{{\mathcal {C}}}}_0\) and according to \({ \varvec{v}}_1\) to \({\overline{{\mathcal {C}}}}_1\), respectively. With probability at least \(\gamma \), all parties halt at the first round, and, by perfect agreement, all parties compute the same output.Footnote 7 Since parties in \({\overline{{\mathcal {C}}}}_b\) cannot distinguish this execution from a halting execution of \(\Pi ({ \varvec{v}}_b;{ \varvec{r}})\), Eq. (2) follows.
We deduce that if there are more than n/3 corrupt parties, then the halting probability is 0; this follows by combining the two observations above for \({ \varvec{v}}_0=0^{2n/3}1^{n/3}\) and \({ \varvec{v}}_1=0^{n/3}1^{2n/3}\). Namely, by Eq. (1), it holds that \(\Pr _{{ \varvec{r}}}\left[ \Pi ({ \varvec{v}}_0;{ \varvec{r}})=\Pi ({ \varvec{v}}_1;{ \varvec{r}})\right] =0\). Thus, by Eq. (2), \(\gamma =0\).
2.2 Second-Round Halting – Arbitrary Protocols
We proceed to explain our bound for second-round halting of arbitrary protocols. Assume the honest parties of \(\Pi \) halt at the end of the second round with probability \(\gamma >0\) when facing t corruptions (on every input). Let \(t=(1/3+\varepsilon )\cdot n\), for an arbitrary small constant \(\varepsilon >0\). In spirit, the attack follows the footsteps of the single-round case described above; we show that neighboring executions compute the same output with good enough probability (related to the halting probability), and lower-bound the latter using the almost pre-agreement observation. There is, however, a crucial difference between the first-round and second-round cases; the honest parties can use the second round to detect whether (some) parties are sending inconsistent messages. Thus, the second round of the protocol can be used to “catch-and-discard” parties that are pretending to have different inputs to different parties, and so our previous attack breaks down. (In the one-round case, we exploit the fact that the honest parties cannot verify the consistency of the messages they received.) Still, we show that there is a suitable variant of the attack that violates the agreement of any “too-good” scheme.
At a very high level, the idea for proving the neighboring property is to gradually increase the set of honest parties towards which the adversary behaves according to \({ \varvec{v}}_1\) (for the remainder it behaves according to \({ \varvec{v}}_0\), which is a decreasing set of parties). While the honest parties might identify the attacking parties and discard their messages, they should still agree on the output and halt at the conclusion of the second round with high probability. We exploit this fact to show that at the two extremes (where the adversary is merely playing honestly according to \({ \varvec{v}}_0\) and \({ \varvec{v}}_1\), respectively), the honest parties behave essentially the same. Therefore, if at one extreme (for \({ \varvec{v}}_0\)) the honest parties output \(b\), it follows that they also output \(b\) at the other extreme (for \({ \varvec{v}}_1\)), which proves the neighboring property for the second-round case.
We implement the above by augmenting the one-round attack as follows. In addition to corrupting a set of parties that feign different inputs to different parties, the adversary corrupts an extra set of parties that is inconsistent with regards to the messages it received from the first set of corrupted parties. To distinguish between the two sets of corrupted parties, the former (first) will be referred to as “pivot” parties (since they pivot their input) and will be denoted \({\mathcal {P}}\), and the latter will be referred to as “propagating” parties (since they carefully choose what message to propagate at the second round) and will be denoted \({\mathcal {L}}\). We emphasize that the propagating parties deviate from the protocol only at the second round and only with regards to the messages received by the pivot parties (not with regards to their input—as is the case for the pivot parties). In more detail, we partition \({{\overline{{\mathcal {P}}}}}= [n]\setminus {\mathcal {P}}\) into \(\ell =\lceil 1/\varepsilon \rceil \) sets \(\{{\mathcal {L}}_1,\ldots ,{\mathcal {L}}_\ell \}\), and we show that, unless there exists i such that parties in \({\mathcal {C}}= {\mathcal {P}}\cup {\mathcal {L}}_i\) violate agreement (explained below), the following must hold for neighboring executions.
That is, for two input vectors that are at most n/3–far, the difference in probability that two distinct executions (for each input vector) yield the same output within two rounds is roughly upper-bounded by the quantity \((1-\gamma )/\varepsilon ^2\) (i.e., non-halting probability divided by \(\varepsilon ^2\)). To see that Eq. (3) holds true, fix \({ \varvec{v}}_0,{ \varvec{v}}_1\in {\{0,1\}^n}\) of hamming distance at most n/3, and let \({\mathcal {P}}\) be the set of indices where \({ \varvec{v}}_0\) and \({ \varvec{v}}_1\) differ. Consider the following \(\ell +1\) distinct variants of \(\Pi \), denoted \(\left\{ \Pi _0,\ldots , \Pi _\ell \right\} \); in protocol \(\Pi _i\), parties in \({\mathcal {P}}\) send messages to \({\mathcal {L}}_1,\ldots , {\mathcal {L}}_i\) according to the input prescribed by \({ \varvec{v}}_1\) and to \({\mathcal {L}}_{i+1},\ldots , {\mathcal {L}}_\ell \) according to the input prescribed by \({ \varvec{v}}_0\), respectively. All other parties follow the instructions of \(\Pi \) for input \({ \varvec{v}}_0\). We write \(\Pi _i=b\) to denote the event that the parties not in \({\mathcal {P}}\) output \(b\). Notice that the endpoint executions \(\Pi _0\) and \(\Pi _{\ell }\) are identical to honest executions with input \({ \varvec{v}}_0\) and \({ \varvec{v}}_1\), respectively. Let \(\mathsf {Halt}_i\) denote the event that the parties not in \({\mathcal {P}}\) halt at the second round in an execution of \(\Pi _{i}\). We point out that \(\Pr _{}\left[ \lnot \mathsf {Halt}_i\right] \le (\ell +1)\cdot (1-\gamma )\), since otherwise the adversary corrupting \({\mathcal {P}}\) and running \(\Pi _i\), for a random , prevents halting with probability greater than \(1-\gamma \). Next, we inductively show that
for every \(i\in (\ell )\), which yields the desired expression for \(i=\ell \). In pursuit of contradiction, assume Eq. (4) does not hold, and let i denote the smallest index for which it does not hold (observe that \(i\ne 0\), by definition). Notice that
The second inequality follows from union bound and \(A\vee \lnot B\equiv (A\wedge B) \vee \lnot B\), the third inequality is by induction hypothesis, and the last inequality by the bound \(\Pr _{}\left[ \lnot \mathsf {Halt}_i\right] \le (\ell +1)\cdot (1-\gamma )\).
It follows that an adversary corrupting \({\mathcal {C}}={\mathcal {P}}\cup {\mathcal {L}}_i\) causes disagreement with non-zero probability by acting as follows: parties in \({\mathcal {P}}\) and \({\mathcal {L}}_i\) send messages according to \(\Pi _i\) and \(\Pi _{i-1}\) to \({\overline{{\mathcal {C}}}}_0\) and \({\overline{{\mathcal {C}}}}_1\), respectively, where \(\{{\overline{{\mathcal {C}}}}_0,{\overline{{\mathcal {C}}}}_1\}\) is an arbitrary partition of \({\overline{{\mathcal {C}}}}= [n]\setminus {\mathcal {P}}\cup {\mathcal {L}}_i\). Since disagreement is ruled out by assumption, we deduce Eq. (4) and (3). To conclude, we combine the almost pre-agreement property (Eq. (1)) with the neighboring property (Eq. (3)) with \({ \varvec{v}}_0=0^{2n/3}1^{n/3}\), \({ \varvec{v}}_1=0^{n/3}1^{2n/3}\), and \(b=1\). Namely, \(\Pr _{}\left[ \Pi ({ \varvec{v}}_0)=1\text { in two rounds}\right] =0\), by almost pre-agreement and \(\Pr _{}\left[ \Pi ({ \varvec{v}}_1)=1\text { in two rounds}\right] \ge \gamma \), by almost pre-agreement and halting. It follows that \(0 \ge \gamma - 2 (\ell +1)^2 \cdot (1-\gamma )\), by Eq. (3), and thus \(1-\frac{1}{2(\ell +1)^2+1} \ge \gamma \), which yields the desired expression.
2.3 Second-Round Halting – Public-Randomness Protocols
In Sect. 2.2, we ruled out “very good” second-round halting for arbitrary protocols via an efficient locally consistent attack. Recall that if the halting probability is close to 1, then there is a somewhat simple attack that violates agreement and/or validity. In this subsection, we discuss ruling out any second-round halting, i.e., halting probability bounded away from zero, for public-randomness protocols.
We first explain why the attack—as is—does not rule out second-round halting. Suppose that at the first round the parties of \(\Pi \) send a deterministic function of their input, and at the second round they send the messages they received at the first round together with a uniform random bit. On input \({ \varvec{v}}\) and randomness \({ \varvec{r}}\), the parties are instructed not to halt at the second round (i.e., carry on beyond the second round until they reach agreement with validity) if a super-majority (\(\ge n-t\)) of the \(v_i\)’s are in agreement and \({\text {maj}}(r_1,\ldots , r_n)\ne {\text {maj}}(v_1,\ldots , v_n)\), i.e., the majority of the random bits does not agree with the super-majority of the inputs. In all other cases, the parties are instructed to output \({\text {maj}}(r_1,\ldots , r_n)\). It is not hard to see that this protocol will halt with probability 1/2, even in the presence of the previous locally consistent adversary (regardless of the choice of propagating parties \({\mathcal {L}}_i\)). More generally, if the randomness uniquely determines the output, then the protocol designer ensures that halting does not result in disagreement (by partitioning the randomness appropriately), and thus foiling the previous attack.Footnote 8
To overcome the above apparent obstacle, we introduce another dimension to our locally consistent attack; we instruct an extra set of corrupted parties to abort at the second round without sending their second-round messages. By utilizing aborting parties, the adversary can potentially decouple the output/halting from the parties’ randomness and thus either prevent halting or cause disagreement. In Sect. 2.3.1, we explain how to rule out second-round halting for a rather unrealistic class of public-randomness protocol. What makes the class of protocols unrealistic is that we assume security holds against unbounded locally consistent adversaries, and the protocol prescribes only a single bit of randomness per party per round. That being said, this case illustrates nicely our attack, and it also makes an interesting connection to Boolean functions analysis (namely, the KKL theorem [44]). For general public-randomness protocols, we only know how to analyze the aforementioned attack assuming Conjecture 1.5, as explained in Sect. 2.3.2.
2.3.1 “Superb” Single-Coin Protocols
A BA protocol \(\Pi \) is t-superb if agreement and validity hold perfectly against an adaptive unbounded locally consistent adversary corrupting at most t parties, i.e., the probability that such an adversary violates agreement or validity is 0. A public-randomness protocol is single-coin, if, at any given round, each party samples a single unbiased bit.
Theorem 2.1
(Second-round halting, superb single-coin protocols) For every \(\varepsilon > 0\) there exists \(c>0\) such that the following holds for large enough n. For \(t=(1/3+\varepsilon ) \cdot n\), let \(\Pi \) be a t-superb, single-coin, n-party public-randomness Byzantine agreement protocol and let \(\gamma \) denote the probability that the protocol halts in the second round under a locally consistent attack. Then, \(\gamma \le n^{-c}\).
We assume for simplicity that the parties do not sample any randomness at the first round, and write \({ \varvec{r}}\in {\{0,1\}^n}\) for the vector of bits sampled by the parties at the second round, i.e., \(r_i\) is a uniform random bit sampled by \(\mathsf {P} _i\).
As discussed above, our attack uses an additional set of corrupted parties of size \(\sigma \cdot n\), dubbed the “aborting” parties and denoted \({\mathcal {S}}\), that abort indiscriminately at the second round (the value of \(\sigma \) is set to \(\varepsilon /4\) and \(\ell =2\cdot \lceil 1/\varepsilon \rceil \) to accommodate for the new set of corrupted parties, i.e., \(\left| {\mathcal {L}}_i\right| \le n\cdot \varepsilon /2\)). In more detail, analogously to the previous analysis, we consider \((\ell +1)\cdot \left( {\begin{array}{c}n\\ \sigma n\end{array}}\right) \) distinct variants of \(\Pi \), denoted \(\{\Pi ^{{\mathcal {S}}}_i\}_{i,{\mathcal {S}}}\) and indexed by \(i\in (\ell )\) and \({\mathcal {S}}\subseteq [n]\) of size \(\sigma n\), as follows. In protocol \(\Pi _i^{\mathcal {S}}\), parties in \({\mathcal {P}}\) send messages to \({\mathcal {L}}_1,\ldots , {\mathcal {L}}_i\) according to the input prescribed by \({ \varvec{v}}_1\), and to \({\mathcal {L}}_{i+1},\ldots , {\mathcal {L}}_\ell \) according to the input prescribed by \({ \varvec{v}}_0\) (recall that \({\mathcal {P}}\) consists of exactly those indices where \({ \varvec{v}}_0\) and \({ \varvec{v}}_1\) differ). Parties in \({\mathcal {S}}\) act according to \({\mathcal {P}}\) or \({\mathcal {L}}_j\), for the relevant j, except that they abort at the second round without sending their second-round messages. We write \(\Pi ^{{\mathcal {S}}}_i({ \varvec{r}})=b\) to denote the event that the parties not in \({\mathcal {P}}\cup {\mathcal {S}}\) output \(b\), where the parties’ second-round randomness is equal to \({ \varvec{r}}\). Let \(\mathsf {Halt}^{{\mathcal {S}}}_i\) denote the event that all parties not in \({\mathcal {P}}\cup {\mathcal {S}}\) halt at the second round in an execution of \(\Pi ^{{\mathcal {S}}}_i\), and define \({\mathcal {R}}_{i }^{{\mathcal {S}}}(b)=\{{ \varvec{r}}\in {\{0,1\}^n}\text { s.t.\ }\Pi ^{{\mathcal {S}}}_i({ \varvec{r}})=b\wedge \mathsf {Halt}^{{\mathcal {S}}}_i\}\). The following holds:
In words, for both \(b\in \{0,1\}\): if \(\Pi _{i-1}^{\mathcal {S}}=b\) and halts in two rounds with large probability (\(\ge \gamma /2\)), for every \({\mathcal {S}}\), then \(\Pi _i^{\mathcal {S}}=b\) and halts in two rounds with large probability, for every \({\mathcal {S}}\). Before proving Eq. (5), we show how to use it to derive Theorem 2.1. We apply Eq. (5) for \({ \varvec{v}}_0=0^{2n/3}1^{n/3}\), \({ \varvec{v}}_1=0^{n/3}1^{2n/3}\), \(b=0\), and \(i=\ell \), in combination with the properties of validity and almost pre-agreement (Eq. (1)). Namely, by these properties, a random execution of \(\Pi \) on input \({ \varvec{v}}_0\) where the parties in \({\mathcal {S}}\) abort at the second round yields output 0 with probability at least \(\gamma /2\), for every \({\mathcal {S}}\in {\left( {\begin{array}{c}[n]\\ \sigma n\end{array}}\right) }\). Therefore, by Eq. (5), we deduce that a random execution of \(\Pi \) on input \({ \varvec{v}}_1\) where the parties in \({\mathcal {S}}\) abort at the second round yields output 0 with probability at least \(\gamma /2\), for every \({\mathcal {S}}\in {\left( {\begin{array}{c}[n]\\ \sigma n\end{array}}\right) }\). The latter violates either validity or almost pre-agreement—contradiction. To conclude the proof of Theorem 2.1, we prove Eq. (5) by using the following corollary of the seminal KKL theorem [44] from Bourgain et al. [12]. (Recall that \({\mathcal {R}}|_{\overline{{\mathcal {S}}}}\) is the projection of \({\mathcal {R}}\) on the index-set \(\overline{{\mathcal {S}}}\).)
Lemma 2.2
For every \(\sigma , \delta \in (0,1)\), there exists \(c>0\) s.t. the following holds for large enough n. Let \({\mathcal {R}}\subseteq {\{0,1\}^n}\) be s.t. \(|{\mathcal {R}}|_{\overline{{\mathcal {S}}}}|\le (1-\delta )\cdot 2^{(1-\sigma )n}\), for every \({\mathcal {S}}\subseteq [n]\) of size \(\sigma n\). Then, \(\left| {\mathcal {R}}\right| \le n^{-c}\cdot 2^n\).
Loosely speaking, Lemma 2.2 states that for a set \({\mathcal {R}}\subseteq {\{0,1\}^n}\), if the size of every projection on a constant fraction of indices is bounded away from one (in relative size), then the size of \({\mathcal {R}}\) is vanishingly small (again, in relative size).Footnote 9
Going back to the proof, in pursuit of contradiction, let \(i\ge 1\) denote the smallest index for which Eq. (5) does not hold, and without loss of generality suppose \(b=0\), i.e., there exists \({\mathcal {S}}\) such that \(|{\mathcal {R}}_{i}^{{\mathcal {S}}}(0)|< \gamma /2 \cdot 2^{n}\), and \(|{\mathcal {R}}_{i-1}^{{\mathcal {S}}'}(0)|\ge \gamma /2 \cdot 2^n\), for every relevant \({\mathcal {S}}'\). We prove Eq. (5) by proving Eqs. (6) and (7), which result in contradiction via Lemma 2.2.
Eq. (6) follows by the halting property of \(\Pi _{i}^{\mathcal {S}}\), since the execution halts if and only if \({ \varvec{r}}\in {\mathcal {R}}_{i }^{{\mathcal {S}}}(1)\cup {\mathcal {R}}_{i }^{{\mathcal {S}}}(0)\), and, by assumption, \(|{\mathcal {R}}_{i }^{{\mathcal {S}}}(0)|< \gamma /2 \cdot 2^{n}\). To conclude, we prove Eq. (7) by observing that for every \({\mathcal {S}}'\) and \(b\in \{0,1\}\), and every \({ \varvec{r}}\) and \({ \varvec{r}}'\), if \({ \varvec{r}}\in {\mathcal {R}}_{i-1}^{{\mathcal {S}}'}(0)\) and \({ \varvec{r}}|_{\overline{{\mathcal {S}}}'}={ \varvec{r}}'|_{\overline{{\mathcal {S}}}'}\), then \({ \varvec{r}}'\in {\mathcal {R}}_{i-1}^{{\mathcal {S}}'}(0)\) (by definition), i.e., membership to \({\mathcal {R}}_{i-1}^{{\mathcal {S}}'}(0)\) does not depend on the indices of \({\mathcal {S}}'\). Therefore, if \({ \varvec{r}}\in {\mathcal {R}}_i^{\mathcal {S}}(1)\) and \({ \varvec{r}}|_{\overline{{\mathcal {S}}}'}\in {\mathcal {R}}_{i-1}^{{\mathcal {S}}'}(0)|_{\overline{{\mathcal {S}}}'}\), for some \({\mathcal {S}}'\) and \({ \varvec{r}}\), then \({ \varvec{r}}\in {\mathcal {R}}_{i-1}^{{\mathcal {S}}'}(0) \cap {\mathcal {R}}_{i}^{{\mathcal {S}}}(1)\) which gives rise to the following attack. The attacker controls \({\mathcal {P}}\), \({\mathcal {L}}_{i}\), \({\mathcal {S}}\), and \({\mathcal {S}}'\), and sends messages according to \(\Pi _{i}^{{\mathcal {S}}}\) and \(\Pi _{i-1}^{{\mathcal {S}}'}\) to \({\overline{{\mathcal {C}}}}_0\) and \({\overline{{\mathcal {C}}}}_1\), respectively, where \(\{{\overline{{\mathcal {C}}}}_0,{\overline{{\mathcal {C}}}}_1\}\) is an arbitrary partition of \({\overline{{\mathcal {C}}}}=[n]\setminus {\mathcal {P}}\cup {\mathcal {L}}_{i} \cup {\mathcal {S}}\cup {\mathcal {S}}'\). It is not hard to see the attacker violates agreement, whenever the randomness lands on \({ \varvec{r}}\).
Finally, since \(|{\mathcal {R}}_{i-1}^{{\mathcal {S}}'}(0)|\ge \gamma /2 \cdot 2^{n}\), we observe that \(|{\mathcal {R}}_{i-1}^{{\mathcal {S}}'}(0)|_{\overline{{\mathcal {S}}}'}|\ge \gamma /2 \cdot 2^{(1-\sigma ) n}\), and, since \({\mathcal {R}}_{i-1}^{{\mathcal {S}}'}(0)|_{\overline{{\mathcal {S}}}'}\) and \({\mathcal {R}}_{i}^{{\mathcal {S}}}(1)|_{\overline{{\mathcal {S}}}'}\) are non-intersecting for every \({\mathcal {S}}'\), it follows that \(|{\mathcal {R}}_{i}^{{\mathcal {S}}}(1)|_{\overline{{\mathcal {S}}}'}|\le (1-\gamma /2)\cdot 2^{(1-\sigma ) n}\), which yields Eq. (7).
Remark 2.3
For superb, single-coin, public-randomness protocol, repeated application of Eq. (2)and Lemma 2.2 rules out second-round halting for arbitrary (constant) fraction of corrupted parties (and not only n/3 fraction).
2.3.2 General (Public-Randomness) Protocols
The analysis above crucially relies on the superb properties of the protocol. While it can be generalized for protocols with near-perfect statistical security and constant-bit randomness, we only manage to analyze the most general case (i.e., protocols with non-perfect computational security and arbitrary-size randomness) assuming Conjecture 1.5. Very roughly (and somewhat inaccurately), when applying the above attack on general public-randomness protocols, the following happens for some \(\delta >0\) and both values of \(b\in \{0,1\}\): for \((1-\delta )\)-fraction of possible aborting subsets \({\mathcal {S}}\), the probability that the honest parties halt in two rounds and output the same value \(b\), whether parties in \({\mathcal {S}}\) all abort or not, is bounded below by the halting probability. Assuming Conjecture 1.5, it follows that with probability \(\delta \) over the randomness and \({\mathcal {S}}\), the honest parties under the attack output opposite values depending whether the parties in \(\mathcal{{S}}\) abort or not. We conclude that the agreement of the protocol is at most \(\delta \). We refer the reader to Sect. 5.2 for the full details.
3 Our Lower Bounds
In this section, we formally state our lower bounds on the round complexity of Byzantine agreement protocols. The communication and adversarial models as well as the notion of Byzantine agreement protocols we consider are given in Sect. 3.1, and our bounds are formally stated in Sect. 3.2.
3.1 The Model
3.1.1 Protocols
All protocols considered in this paper are ppt (probabilistic polynomial time): the running time of every party is polynomial in the (common) security parameter (given as a unary string). We only consider Boolean-input Boolean-output protocols: apart from the common security parameter, all parties have a single input bit, and each of the honest parties outputs a single bit. For an n-party protocol \(\Pi \), an input vector \({ \varvec{v}}\in {\{0,1\}^n}\) and randomness \({ \varvec{r}}\), let \(\Pi ({ \varvec{v}}; { \varvec{r}})\) denote the output vector of the parties in an (honest) execution with party \(\mathsf {P} _i\)’s input being \({ \varvec{v}}_i\) and randomness \({ \varvec{r}}_i\). For a set of parties \({\mathcal {P}}\subseteq [n]\), we denote by \(\Pi ({ \varvec{v}}; { \varvec{r}})_{\mathcal {P}}\) the output vector of the parties in \({\mathcal {P}}\).
The protocols we consider might have a setup phase in which before interaction starts a trusted party distributes (correlated) values between the parties. We only require the security to hold for a single use of the setup parameters, i.e., for a single instance of the BA protocol (in reality, these parameters are set once and then used for many interactions). This, however, only makes our lower bound stronger.
The communication model is synchronous, meaning that the protocols proceed in rounds. In each round every party can send a message to every other party over a private and authenticated channel. (Allowing the protocol to be executed over private channels makes our lower bounds stronger.) It is guaranteed that all of the messages that are sent in a round will arrive at their destinations by the end of that round.
3.1.2 Adversarial Model
We consider both \(\mathsf {adaptive}\) and \(\mathsf {non-adaptive}\) (also known as, static) adversaries. An \(\mathsf {adaptive}\) adversary can choose which parties to corrupt for the next round immediately after the conclusion of the previous round but before seeing the next round’s messages. If a party has been corrupted then it is considered corrupt for the rest of the execution. A \(\mathsf {non-adaptive}\) (static) adversary chooses which parties to corrupt before the execution of the protocol begins (i.e., before the setup phase, if such exists). We measure the success probability of the latter adversaries as the expectation over their choice of corrupted parties.
We consider both rushing and non-rushing adversaries. A non-rushing adversary chooses the corrupted parties’ messages in a given round based on the messages sent in the previous rounds. In contrast, a rushing adversary can base the corrupted parties’ messages on the messages sent in the previous rounds, and on those sent by the honest parties in the current round.
Locally consistent adversaries. As discussed in Sect. 1.1, our attack requires very limited capabilities from each corrupted party: to prematurely abort, and to lie about its input bit and incoming messages from other corrupted parties. In particular, a corrupted party tosses its local coins honestly and does not lie about incoming messages from honest parties. We now present the formal definition.
Definition 3.1
(locally consistent adversaries) Let \(\Pi =({\mathsf {P}}_1,\ldots ,{\mathsf {P}}_n)\) be an n-party protocol and let \(\{\alpha _{i,i'}^j\}_{i,i' \in [n],j\in {{\mathbb {N}}}}\) be its set of next-message functions, i.e.,
is the message party \({\mathsf {P}}_i\) sends to party \({\mathsf {P}}_{i'}\) in the \(j\)’th round, given that its input bit is b, the random coins it flipped till now are r, and in round \(j' < j\), it got the message \(m^{j'}_{i'',i}\) from party \({\mathsf {P}}_{i''}\). An adversary taking the role of \({\mathsf {P}}_i\) is said to be locally consistent with respect to \(\Pi \), if it flips its random coins honestly, and the message it sends in the \(j\)’th round to party \({\mathsf {P}}_{i'}\) takes one of the following two forms:
-
Abort: the message \(\perp \).
-
Input and message selection: a set of messages \(\left\{ m_\ell \right\} _{\ell =1}^k\), for some k, such that for each \(\ell \in [k]\):
$$\begin{aligned} m_\ell = \alpha _{i,i'}^j\left( b_\ell ;r;((m^1_{1})_\ell ,\ldots ,(m^1_{n})_\ell ),\ldots , ((m^{j-1}_{1})_\ell ,\ldots ,(m^{j-1}_{n})_\ell )\right) , \end{aligned}$$where \(b_\ell \in \{0,1\}\), r are the coins \({\mathsf {P}}_i\) tossed (honestly) until now, and \((m^{j'}_{i''})_\ell \), for each \(j'<j\) and \(i''\ne i\), is one of the messages \({\mathsf {P}}_i\) received from party \({\mathsf {P}}_{i''}\) in the \(j\)’th round (or the empty string).
That is, a locally consistent party \({\mathsf {P}}_{i}\) might send party \({\mathsf {P}}_{i'}\) a sequence of messages (and not just one as instructed), each consistent with a possible choice of its input bit, and some of the messages it received in the previous round. In turn, this will enable party \({\mathsf {P}}_{i'}\), if corrupted, the freedom to choose in the next rounds the message of \({\mathsf {P}}_{i}\) it would like to act according to. Note that without loss of generality, \({\mathsf {P}}_{i}\) will always send a single message to the honest parties, as otherwise they will discard the messages.
A few remarks are in place.
-
1.
While the above definition does not enforce between-rounds consistency (a party might send to another party a first-round message consistent with input 0 and a second-round message consistent with input 1), compiling a given protocol so that every message party \({\mathsf {P}}_{i}\) sends to \({\mathsf {P}}_{i'}\) contains the previous messages \({\mathsf {P}}_{i}\) sent to \({\mathsf {P}}_{i'}\), will enforce such between-rounds consistency on locally consistent parties.
-
2.
Although a locally consistent adversary tosses its random coins honestly, he may toss all random coins at the beginning of the protocol and choose its actions as a function of these coins. Our attacks in Sects. 4 and 5 do not take advantage of this capability, and let the corrupted parties toss the random coins for a given round at the beginning of the round.
-
3.
Using standard cryptographic techniques, a protocol secure against locally consistent adversaries can be compiled into one secure against arbitrary malicious adversaries, without hurting the efficiency of the protocol “too much,” and in particular preserve the round complexity (see Sect. 1.3).
-
4.
The locally consistent parties considered in Sects. 4 and 5 do not take full advantage of the generality of Definition 3.1. Rather, the parties considered either act honestly but abort at the conclusion of the first round, cheat in the first round and then abort, or cheat only in the second round and then abort.
3.1.3 Public-Randomness Protocols
In Sect. 1.1, we showed that the description of many natural protocols can be simplified when security is required to hold only against locally consistent adversaries. In this relaxed description a trusted setup phase and cryptographic assumptions are not required, and every party can publish the coins it locally tossed in each round.
Definition 3.2
(Public-randomness protocols) A protocol has public randomness, if every party’s message consists of two parts: the randomness it sampled in that round, and an arbitrary message which is a function of its view (input, incoming messages, and coins tossed up to and including that point). The party’s first message also contains its setup parameters, if such exist.
3.1.4 Byzantine Agreement
We now formally define the notion of Byzantine agreement. Since we focus on lower bounds we will consider only the case of a single input bit and a single output bit. A more general notion of Byzantine agreement will include string input and string outputs. A generic reduction shows that the cost of agreeing on strings rather than bits is two additional rounds [68].
Definition 3.3
(Byzantine Agreement) We associate the following properties with a ppt n-party Boolean input/output protocol \(\Pi \).
-
Agreement. Protocol \(\Pi \) has \((t,\alpha )\)-\(\mathsf {agreement}\), if the following holds with respect to any ppt adversary controlling at most t parties in \(\Pi \) and any value of the non-corrupted parties’ input bits: in a random execution of \(\Pi \) on sufficiently large security parameter, all non-corrupted parties output the same bit with probability at least \(1-\alpha \).Footnote 10
-
Validity. Protocol \(\Pi \) has \((t,\beta )\)-\(\mathsf {validity}\), if the following holds with respect to any ppt adversary controlling at most t parties in \(\Pi \) and an input bit b given as input to all non-corrupted parties: in a random execution of \(\Pi \) on sufficiently large security parameter, all non-corrupted parties output b with probability at least \(1-\beta \).
-
Halting. Protocol \(\Pi \) has \((t,q,\gamma )\)-\(\mathsf {halting}\), if the following holds with respect to any ppt adversary controlling at most t parties in \(\Pi \) and any value of the non-corrupted parties’ input bits: in a random execution of \(\Pi \) on sufficiently large security parameter, all non-corrupted parties halt within q rounds with probability at least \(\gamma \).
Protocol \(\Pi \) is a \((t,\alpha ,\beta ,q,\gamma )\)-\(\mathsf {BA}\), if it has \((t,\alpha )\)-\(\mathsf {agreement}\), \((t,\beta )\)-\(\mathsf {validity}\), and \((t,q,\gamma )\)-\(\mathsf {halting}\). If the protocol has a setup phase, then the above probabilities are taken with respect to this phase as well.
Remark 3.4
(Concrete security) Since we care about fixed values of a protocol’s characteristics (i.e., agreement), the role of the security parameter in the above definition is to enable us to bound the running time of the parties and adversaries in consideration in a meaningful way, and to parametrize the cryptographic tools used by the parties (if there are any). Since the attacks we present are efficient assuming the protocol is efficient (in any reasonable sense), the bounds we present are applicable for a fixed protocol that might use a fixed cryptographic primitive, e.g., SHA-256.
3.2 The Bounds
We proceed to present the formal statements of the three lower bounds. Recall that Byzantine agreement cannot be achieved for \(t\ge n/2\), since otherwise the corrupted parties can simply play honestly on an input of their choice and force the output. We therefore consider \(t<n/2\) throughout the paper.
First-round halting, arbitrary protocols. The first result bounds the halting probability of arbitrary protocols after a single round. Namely, for “small” values of \(\alpha \) and \(\beta \), the halting probability is “small” for \(t\ge n/3\) and “close to 1/2” for \(t\ge n/4\).
Theorem 3.5
(restating Theorem 1.2) Let \(\Pi \) be a ppt n-party protocol that is \((t,\alpha ,\beta ,1,\gamma )\)-\(\mathsf {BA}\) against locally consistent, static, non-rushing adversaries. Then,
-
\(t \ge n/3\) implies \(\gamma \le 6\alpha + 2\beta +\mathsf {err}\)
-
\(t \ge n/4\) implies \(\gamma \le 1/2 + 5\alpha + \beta + \mathsf {err}\),
for \(\mathsf {err}= 2^{t-n}\) (\(\mathsf {err}=0\) for public-randomness protocols whose security holds against rushing adversaries).
Second-round halting, arbitrary protocols. The second result bounds the halting probability of arbitrary protocols after two rounds.
Theorem 3.6
(restating Theorem 1.3) Let \(\Pi \) be a ppt n-party protocol that is \((t,\alpha ,\beta ,2,\gamma )\)-\(\mathsf {BA}\) against locally consistent, static, non-rushing adversaries for \(t > n/4\). Then \(\gamma \le 1 + 2\alpha + \frac{\beta }{w^2} -\frac{1}{2w^2}\) for \(w = \left\lceil (n-\left\lceil n/4 \right\rceil )/\left\lfloor t - n/4 \right\rfloor \right\rceil +1\).
In particular, for \(t = (1/4 + \varepsilon )\cdot n\) and “small” \(\alpha \) and \(\beta \), the protocol might not halt at the conclusion of the second round with probability \(\approx \varepsilon ^2\).
Second-round halting, public-randomness protocols. The third result bounds the halting probability of public-randomness protocols after two rounds. The result requires adaptive and rushing adversaries, and is based on Conjecture 3.8 (stated in Sect. 3.3 below).
Theorem 3.7
(restating Theorem 1.4) Assume Conjecture 3.8 holds, then for any (constants) \(\varepsilon _t,\varepsilon _\gamma >0\) there exists \(\alpha > 0\) such that the following holds for large enough n: let \(\Pi \) be a ppt n-party, public-randomness protocol that is \((t,\alpha ,\beta = \varepsilon _\gamma ^2/200,2,\gamma )\)-\(\mathsf {BA}\) against locally consistent, rushing, adaptive adversaries. Then,
-
\(t \ge (1/3 + \varepsilon _t)\cdot n\) implies \(\gamma < \varepsilon _\gamma \).
-
\(t \ge (1/4 + \varepsilon _t)\cdot n\) implies \(\gamma < \frac{1}{2} + \varepsilon _\gamma \).
In particular, assuming the protocol has perfect agreement and validity, the protocol never halts in two rounds if the fraction of corrupted parties is greater than 1/3, and halts in two rounds with probability at most 1/2 if the fraction of corrupted parties is greater than 1/4.
The value of \(\alpha \) in the theorem is (roughly) \(\delta \cdot \varepsilon _t\cdot \varepsilon _\gamma ^2\) where \(\delta \) is the constant guaranteed by Conjecture 3.8. We were not trying to optimize over the constants in the above statement, and in particular it seems that \(\beta \) can be pushed to \(\varepsilon _\gamma ^2\).
3.3 The Combinatorial Conjecture
Next, we provide the formal statement for the combinatorial conjecture used in Theorem 3.7. For \(n\in {{\mathbb {N}}}\) and \(\sigma \in [0,1]\), let \({\mathbf {D}}_{n,\sigma }\) be the distribution induced on the subsets of [n] by sampling each element independently with probability \(\sigma \). For a finite alphabet \(\Sigma \), a vector \({ \varvec{x}}\in \Sigma ^n\), and a subset \({\mathcal {S}}\subseteq [n]\), define the vector \(\bot _{\mathcal {S}}({ \varvec{x}}) \in \Sigma ^n\) by
Conjectures 3.8
(restating Conjecture 1.5) For any \(\sigma ,\lambda >0\) there exists \(\delta >0\) such that the following holds for large enough \(n\in {{\mathbb {N}}}\). Let \(\Sigma \) be a finite alphabet and let \({\mathcal {A}}_0,{\mathcal {A}}_1 \subseteq \left\{ \Sigma \cup \bot \right\} ^n\) be two sets such that for both \(b\in \{0,1\}\):
Then,
4 Lower Bounds on First-Round Halting
In this section, we present our lower bound for the probability of first-round halting in Byzantine agreement protocols.
Theorem 4.1
(Bound on first-round halting. Theorem 3.5 restated) Let \(\Pi \) be a ppt n-party protocol that is \((t,\alpha ,\beta ,1,\gamma )\)-\(\mathsf {BA}\) against locally consistent, static, non-rushing adversaries. Then,
-
\(t \ge n/3\) implies \(\gamma \le 6\alpha + 2\beta +\mathsf {err}\)
-
\(t \ge n/4\) implies \(\gamma \le 1/2 + 5\alpha + \beta + \mathsf {err}\),
for \(\mathsf {err}= 2^{t-n}\) (\(\mathsf {err}=0\) for public-randomness protocols whose security holds against rushing adversaries).
Let \(\Pi \) be as in Theorem 4.1. Without loss of generality and for ease of notation, we denote by \(\Pi \) the modified protocol that outputs \(\bot \) if a party does not halt after the first round (it will be clear that the attack, described below, does not benefit from this change). We also omit the security parameter from the parties’ input list, it will be clear though that the adversaries we present are efficient with respect to the security parameter.
Lemma 4.2
(Neighboring executions) Let \({ \varvec{v}},{ \varvec{v}}' \in {\{0,1\}^n}\) be with \(\mathrm {dist}({ \varvec{v}},{ \varvec{v}}') \le t\). Then for both \(b\in \{0,1\}\):
Namely, the lemma bounds from below the probability that in a random honest execution of the protocol on input \({ \varvec{v}}'\), at least one party halts in the first round while outputting \(b\).
We prove Lemma 4.2 below, but first use it to prove Theorem 4.1. We also make use of the following immediate observation.
Claim 4.3
(Almost pre-agreement) Let \({ \varvec{v}}\in {\{0,1\}^n}\) and \(b\in \{0,1\}\) be such that \(\mathrm {dist}({ \varvec{v}},b^n) \le t\). Then, \(\Pr _{}\left[ \Pi ({ \varvec{v}}) \in \left\{ b,\bot \right\} ^n\right] \ge 1 - \alpha - \beta \).
Proof
Let \({\mathcal {A}}\subset [n]\) be a subset of size \(n-t\) such that \({ \varvec{v}}_{\mathcal {A}}= b^{\left| {\mathcal {A}}\right| }\). The claimed validity of \(\Pi \) yields that
This follows from \(\beta \)-validity of \(\Pi \) and the fact that an honest party cannot distinguish between an execution of \(\Pi ({ \varvec{v}})\) and an execution of \(\Pi (b^n)\) in which all parties not in \({\mathcal {A}}\) act as if their input bit is as in \({ \varvec{v}}\). Hence, by the claimed agreement of \(\Pi \),
\(\square \)
Proof of Theorem 4.1
We separately prove the theorem for \(t \ge n/3\) and for \(t \ge n/4\).
The case \(t \ge n/3\). Let \({ \varvec{v}}_0= 0^t 1^{\left\lceil (n-t)/2 \right\rceil } 0^{\left\lfloor (n-t)/2 \right\rfloor } \) and \({ \varvec{v}}_1= 1^t 1^{\left\lceil (n-t)/2 \right\rceil } 0^{\left\lfloor (n-t)/2 \right\rfloor }\). Note that \(\mathrm {dist}({ \varvec{v}}_0,{ \varvec{v}}_1) = t\), and that for both \(b\in \{0,1\}\) it holds that \(\mathrm {dist}({ \varvec{v}}_b,b^n)\le t\). Hence, by Claim 4.3, for both \(b\in \{0,1\}\):
Applying Lemma 4.2 to \({ \varvec{v}}= { \varvec{v}}_0\) and \({ \varvec{v}}'= { \varvec{v}}_1\) yields that
Since by Claim 4.3 it holds that \(\Pr _{}\left[ \Pi ({ \varvec{v}}_1) \in \left\{ 0,\perp \right\} ^n \setminus \left\{ \bot ^n\right\} \right] \le \Pr _{}\left[ \Pi ({ \varvec{v}}_1) \notin \left\{ 1,\perp \right\} ^n\right] \le \alpha +\beta \), we conclude that \(6\alpha + 2\beta + (1-\gamma ) + \mathsf {err}\ge 1\), hence \(\gamma \le 6\alpha + 2\beta + \mathsf {err}\).
The case \(t \ge n/4\). In this case there are no two vectors that are t apart in Hamming distance, and still each of them has \(n-t\) entries of opposite values. Rather, we consider the two vectors \({ \varvec{v}}_0= 0^t 0^t 0^t 1^{n-3t}\) and \({ \varvec{v}}_1= 1^t 1^t 0^t 1^{n-3t}\) of distance 2t. For both \(b\in \{0,1\}\), the vector \({ \varvec{v}}_b\) has at least \(n-t\) entries with \(b\) and is of distance t from the vector \({\mathbf {v}}^{\star }=1^t 0^t 0^t 1^{n-3t}\).
As in the first part of the proof, Applying Claim 4.3 and Lemma 4.2 on \({ \varvec{v}}_b\) and \({\mathbf {v}}^{\star }\), for both \(b\in \{0,1\}\), yields that
By union bound, we conclude that \(2(5\alpha + \beta + (1- \gamma ) + \mathsf {err}) \ge 1\), hence \(\gamma \le 1/2+5\alpha + \beta +\mathsf {err}\). \(\square \)
4.1 Proving Lemma 4.2
Proof of Lemma 4.2
Fix \(b \in \{0,1\}\) and let \(\delta = \Pr _{}\left[ \Pi ({ \varvec{v}}) \in \left\{ b,\bot \right\} ^n\right] \). Let \({\mathcal {P}}\) be the coordinates in which \({ \varvec{v}}\) and \({ \varvec{v}}'\) differ, and let \({{\overline{{\mathcal {P}}}}}= [n] \setminus {\mathcal {P}}\). Let I be the index (a function of the parties’ coins and setup parameters) of the smallest party in \({{\overline{{\mathcal {P}}}}}\) that halts in the first round and outputs the same value, both if the parties in \({\mathcal {P}}\) send their messages according to input \({ \varvec{v}}\) and if they do that according to \({ \varvec{v}}'\). We let \(I=0\) if there is no such party, and (abusing notation) sometimes identify I with the event that \(I\ne 0\), e.g., \(\Pr _{}\left[ I\right] \) stands for \(\Pr _{}\left[ I\ne 0\right] \). By definition,
and thus
It follows that
The first inequality and the equalities hold by the definition of I. The second and third inequalities hold by agreement, and the last inequality holds by Eq. (8). We conclude the proof showing that:
Let \(C\) denote the event (a function of the parties’ coins and setup parameters) that for each party j in \({{\overline{{\mathcal {P}}}}}\) there exists an input in \(\left\{ { \varvec{v}},{ \varvec{v}}'\right\} \) on which it does not halt. Furthermore, let , i.e., there exists a party that halts on both inputs but outputs different values. By definition, \(I=0\) is equivalent to the event \(F\vee C\).
Consider the adversary that in the first round acts toward a random subset \({{\overline{{\mathcal {P}}}}}' \subseteq {{\overline{{\mathcal {P}}}}}\) according to input \({ \varvec{v}}\), towards the remaining parties according to \({ \varvec{v}}'\), and aborts at the end of this round. Fix some random coins and setup parameters in \(F\), and let \(i\in {{\overline{{\mathcal {P}}}}}\) be a party that, under this fixing, halts in the first round on both \({ \varvec{v}}\) and \({ \varvec{v}}'\), but outputs a different value. Note that the other parties in \({{\overline{{\mathcal {P}}}}}\) cannot distinguish whether i is in \({{\overline{{\mathcal {P}}}}}'\) or not (in both cases i halts at the end of the first round). Since, by assumption, \(t< n/2\) (i.e., there exist additional honest parties), it follows that under the above conditioning, agreement is violated with probability at least 1/2. We conclude that \(\Pr _{}\left[ F\right] \le 2\alpha \).
It is also clear that when \(C\) occurs, the above attacker fails to prevent an honest party in \({{\overline{{\mathcal {P}}}}}\) from halting in the first round only if the following event happens: each party in \({{\overline{{\mathcal {P}}}}}\) does not halt in \(\Pi ({ \varvec{v}}'')\) for some \({ \varvec{v}}'' \in \left\{ { \varvec{v}},{ \varvec{v}}'\right\} \), but the adversary acts towards each of these parties on the input in which it does halt. The latter event happens with probability at most \(2^{-\left| {{\overline{{\mathcal {P}}}}}\right| } \le 2^{t-n}= \mathsf {err}\). Thus, \(\Pr _{}\left[ C\right] \le 1 - (\gamma - \mathsf {err})\). We conclude that
Finally, we note that if the protocol has public randomness, the (now rushing) attacker does not have to guess what input to act upon. Rather, after seeing the first-round randomness, it finds an input \({ \varvec{v}}'' \in \left\{ { \varvec{v}},{ \varvec{v}}'\right\} \) such that at least one party in \({{\overline{{\mathcal {P}}}}}\) does not halt in \(\Pi ({ \varvec{v}}'')\) or violates agreement, and acts according to this input. Specifically, given the honest parties’ first-round coins, the attacker can compute on its own all honest-to-honest first-round messages (recall that we consider private channels, so the attacker does not see those messages on the channels), and locally check which honest party will halt with output 0 and which will halt with output 1 when playing according to \({ \varvec{v}}\) and when playing according to \({ \varvec{v}}'\). Hence, the bound on I changes to
proving the theorem statement for such protocols. \(\square \)
5 Lower Bounds on Second-Round Halting
In this section, we prove lower bounds for second-round halting of Byzantine agreement protocols. In Sect. 5.1, we prove a bound for arbitrary protocols, and in Sect. 5.2, we give a much stronger bound for public-randomness protocols (the natural extension of public-coin protocols to the “with-input” setting).
5.1 Arbitrary Protocols
We start by proving our lower bound for second-round halting of arbitrary protocols.
Theorem 5.1
(Bound on second-round halting, arbitrary protocols. Theorem 3.6 restated) Let \(\Pi \) be a ppt n-party protocol that is \((t,\alpha ,\beta ,2,\gamma )\)-\(\mathsf {BA}\) against locally consistent, static, non-rushing adversaries for \(t > n/4\). Then \(\gamma \le 1 + 2\alpha + \frac{\beta }{w^2} -\frac{1}{2w^2}\) for \(w = \left\lceil (n-\left\lceil n/4 \right\rceil )/\left\lfloor t - n/4 \right\rfloor \right\rceil +1\).
Let \(\Pi \) be as in Theorem 5.1. Without loss of generality and for ease of notation, we denote by \(\Pi \) the modified protocol that outputs \(\bot \) if a party does not halt after the first two rounds (it will be clear that the attack, described below, does not benefit from this change). We also assume without loss of generality that the honest parties in an execution of \(\Pi \) never halt in the first round (by adding a dummy round if needed). Finally, we omit the security parameter from the parties’ input list, it will be clear though that the adversaries we present are efficient with respect to the security parameter.
Let \(k =\left\lceil n/4 \right\rceil \) and let \(h = \left\lceil (n-k)/(t-k) \right\rceil \). The theorem is easily implied by the next lemma.
Lemma 5.2
(Neighboring executions) Let \({ \varvec{v}},{ \varvec{v}}' \in {\{0,1\}^n}\) be with \(\mathrm {dist}({ \varvec{v}},{ \varvec{v}}') \le k\). Then, for every \(b\in \{0,1\}\):
Namely, the lemma bounds from below the probability that in a random honest execution of the protocol on input \({ \varvec{v}}'\) all parties halt within two rounds while outputting \(b\).
We prove Lemma 5.2 below, but first use it to prove Theorem 5.1. We also make use of the following immediate observation.
Claim 5.3
(Almost pre-agreement) Let \({ \varvec{v}}\in {\{0,1\}^n}\) and \(b\in \{0,1\}\) be such that \(\mathrm {dist}({ \varvec{v}},b^n) \le t\). Then, \(\Pr _{}\left[ \Pi ({ \varvec{v}}) = b^n \right] \ge 1 - \alpha - \beta - (1- \gamma )\).
Proof
The same argument as in the proof of Claim 4.3 yields that
Thus, by \(\gamma \)-second-round halting
\(\square \)
Proof of Theorem 5.1
Consider the vectors \({ \varvec{v}}_0= 0^k 0^k 0^k 1^{n-3k}\), \({ \varvec{v}}_1= 1^k 1^k 0^k 1^{n-3k}\) and \({\mathbf {v}}^{\star }=1^k 0^k 0^k 1^{n-3k}\). Note that for both \(b\in \{0,1\}\) it holds that \(\mathrm {dist}({ \varvec{v}}_b,b^n)\le t\) since \(n/4 \le k\le t\)), and that \(\mathrm {dist}({ \varvec{v}}_b,{\mathbf {v}}^{\star })=k\). Applying Lemma 5.2 and Claim 5.3 for each of these vectors, yields that for both \(b\in \{0,1\}\):
Note that \(w=h+1\), which implies \(\beta +w^2(2\alpha + 1-\gamma ) \ge 1/2\), and the proof follows by a simple calculation. \(\square \)
5.1.1 Proving Lemma 5.2
We assume for ease of notation that \(\mathrm {dist}({ \varvec{v}},{ \varvec{v}}')=k\) (rather than \(\le k\)) and let \(\ell =t-k\). Assume for ease of notation that \(h\cdot \ell = n-k \) (i.e., no rounding), and for a k-size subset of parties \({\mathcal {P}}\subset [n]\), let \( {\mathcal {L}}^{\mathcal {P}}_1,\dots ,{\mathcal {L}}_h^{\mathcal {P}}\) be an arbitrary partition of \({{\overline{{\mathcal {P}}}}}= [n] \setminus {\mathcal {P}}\) into \(\ell \)-size subsets. Consider the following family of protocols:
Namely, the “pivot” parties in \({\mathcal {P}}\) gradually shift their inputs from their real input to its negation according to parameter d. Note that protocol \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_{0}({ \varvec{v}})\) is equivalent to an honest execution of protocol \(\Pi ({ \varvec{v}})\), and \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_{h}({ \varvec{v}})\) is equivalent to an honest execution of \(\Pi ({ \varvec{v}}')\), for \({ \varvec{v}}'\) being \({ \varvec{v}}\) with the coordinates in \({\mathcal {P}}\) negated. Note that for “intermediately” protocols \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_d\) for \(0<d<h\), the pivot parties send conflicting messages to honest parties in the first round and abort in the second round. The reason that aborting in the second round does not affect our analysis below is that, without loss of generality, honest parties can exchange their views in the second round, realize the pivot parties are cheating (as we consider locally consistent adversaries), and ignore their messages. Lemma 5.2 easily follows by the next claim about Protocol 5.4. In the following we let \(\delta _b = \Pr _{}\left[ \Pi ({ \varvec{v}})_{{\overline{{\mathcal {P}}}}}= b^{\left| {{\overline{{\mathcal {P}}}}}\right| }\right] \).
Claim 5.5
For every k-size subset \({\mathcal {P}}\subset [n]\), \(b\in \{0,1\}\) and \(d\in (h)\), it holds that
We prove Claim 5.5 below, but first use it to prove Lemma 5.2.
Proof of Lemma 5.2
By Claim 5.5,
Recall that \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_h({ \varvec{v}})_{{\overline{{\mathcal {P}}}}}= b^{\left| {{\overline{{\mathcal {P}}}}}\right| }\) only when parties complete the protocol in the second round, since, by assumption, a party that continues to beyond the second round outputs \(\bot \). In addition, since \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_h({ \varvec{v}})\) is just an honest execution of \(\Pi ({ \varvec{v}}')\), by agreement it holds that
\(\square \)
Proof of Claim 5.5
The proof is by induction on d. The base case \(d=0\) holds by definition. Suppose for contradiction the claim does not hold, and let \({d^*}\in (h-1)\) be such that the claim holds for \({d^*}\) but not for \({d^*}+1\). Let \(\gamma _d\) be the probability that all honest parties halt in the second round of a random execution of \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_d({ \varvec{v}})\). Since the claim holds for \({d^*}\), it holds that
Since the claim does not hold for \({d^*}+1\), but all honest parties output something in \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_{{d^*}+1}\) with probability at least \(\gamma _{{d^*}+1}\), we have that
We note that for every \(d\in (h)\)
Indeed, otherwise, the adversary that corrupts the parties in \({\mathcal {P}}\) and acts like \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_d\) for a random \(d\in (h)\), violates the \(\gamma \)-second-round-halting property of \(\Pi \). We conclude that
for \({ \varvec{r}}\) being the randomness of the parties. The second inequality is by Eq. (12) and (13), and the third one by Eq. (14).
Consider the adversary \(\mathsf {A}\) that samples \(d\leftarrow (h-1)\), corrupts the parties in \({\mathcal {P}}\cup {\mathcal {L}}^{\mathcal {P}}_{d+1}\), and acts towards a uniform random subset of the honest parties according to \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_d\) and to the remaining parties according to \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_{d+1}\). Since \(\mathsf {A}\) violates agreement if it guesses \(d= {d^*}\) and it partitions the honest parties suitably, Eq. (15) yields that \(\mathsf {A}\) causes disagreement with probability larger than \(2\alpha (h+1)/(2(h+1)) = \alpha \). Since \(\mathsf {A}\) corrupts \(|{\mathcal {P}}\cup {\mathcal {L}}^{\mathcal {P}}_{d+1}|\le t\) parties, this contradicts the assumption about \(\Pi \). \(\square \)
5.2 Public-Randomness Protocols
We proceed to prove our lower bound for second-round halting of public-randomness protocols.
Theorem 5.6
(Lower bound on second-round halting, public-randomness protocols. Theorem 3.7 restated) Assume Conjecture 3.8 holds, then for any (constants) \(\varepsilon _t,\varepsilon _\gamma >0\) there exists \(\alpha > 0\) such that the following holds for large enough n: let \(\Pi \) be a ppt n-party, public-randomness protocol that is \((t,\alpha ,\beta = \varepsilon _\gamma ^2/200,2,\gamma )\)-\(\mathsf {BA}\) against locally consistent, rushing, adaptive adversaries. Then,
-
\(t \ge (1/3 + \varepsilon _t)\cdot n\) implies \(\gamma < \varepsilon _\gamma \).
-
\(t \ge (1/4 + \varepsilon _t)\cdot n\) implies \(\gamma < \frac{1}{2} + \varepsilon _\gamma \).
Assume Conjecture 3.8 holds. Let \(\Pi \) be as in the theorem statement, and assume \(\gamma = \varepsilon _\gamma \) in the case \(t \ge (1/3 +\varepsilon _t)\cdot n\) and \(\gamma = \tfrac{1}{2}+ \varepsilon _\gamma \) in the case \(t \ge (1/4 +\varepsilon _t)\cdot n\). Let \(\lambda =\varepsilon _\gamma /10\) and \(\sigma = \varepsilon _t/4\). Recall that \(\bot _{\mathcal {S}}({ \varvec{x}})\) is the string resulting by replacing all entries of \({ \varvec{x}}\) indexed by \({\mathcal {S}}\) with \(\bot \). Conjecture 3.8 yields that there exists \(\delta >0\) such that the following holds for large enough n: let \(\Sigma \) be a finite alphabet and let \({\mathcal {A}}_0,{\mathcal {A}}_1 \subset \left\{ \Sigma \cup \bot \right\} ^n\) be two sets such that for both \(b\in \{0,1\}\):
Then,
In the following we assume \(\alpha = \min \left\{ \delta \lambda \varepsilon _t/10, \beta \right\} \) and derive a contradiction, yielding that the agreement error has to be larger than that.
Fix n that is large enough for Eq. (16) to hold and that (by Chernoff bound) \(\Pr _{\mathcal{{S}}\leftarrow {\mathbf {D}}_{n,\sigma }}\left[ \left| \mathcal{{S}}\right| > 2\sigma n\right] = 2^{- \Theta (n\cdot \sigma )} \le \alpha \), i.e., \(n> \Theta ((\log 1/\alpha )/\sigma )\). As in the proof of Theorem 5.1, we assume for ease of notation that an honest party that runs more than two round outputs \(\perp \), and that the honest parties in \(\Pi \) never halt in one round. We also omit the security parameter from the parties input list. We assume without loss of generality that in the first round, the parties flip no coin, since such coins can be added to the setup parameter.
We use the following notation: the setup parameter and second-round randomness of the parties in \(\Pi \) are identified with elements of \({\mathcal {F}}\) and \({\mathcal {R}}\), respectively. We denote by \(f_i\) and \(r_i\) the setup parameter and the second-round randomness of party \({\mathsf {P}}_i\) in \(\Pi \), and let \(D_\mathcal{F}\) be the joint distribution of the parties’ setup parameters (by definition, the joint distribution of the second-round randomness is the product distribution \({\mathcal {R}}^n\)). For \({ \varvec{v}}\in {\{0,1\}^n}\), \({ \varvec{f}}=(f_1,\ldots ,f_n) \in {\text {Supp}}(D_\mathcal{F})\), and \({ \varvec{r}}=(r_1,\ldots ,r_n) \in {\mathcal {R}}^n\), let \(\Pi ({ \varvec{v}};({ \varvec{f}},{ \varvec{r}}))\) denote the execution of \(\Pi \) in which party \({\mathsf {P}}_i\) gets input \(v_i\), setup parameter \(f_i\) and second-round randomness \(r_i\). We naturally apply this notation for the variants of \(\Pi \) considered in the proof.
For \(\mathcal{{S}}\subseteq [n]\), let \(\Pi ^\mathcal{{S}}\) be the variant of \(\Pi \) in which the parties in \(\mathcal{{S}}\) halt at the end of the first round. Let \(k = \left\lceil {t-\varepsilon _t\cdot n} \right\rceil \) (i.e., \(k = \left\lceil n/3 \right\rceil \) if \(t\ge (1/3 + \varepsilon _t)\cdot n\), and \(k = \left\lceil n/4 \right\rceil \) if \(t\ge (1/4 + \varepsilon _t)\cdot n\)). The heart of the proof lies in the following lemma.
Lemma 5.7
(Neighboring executions) Let \({ \varvec{v}},{ \varvec{v}}' \in {\{0,1\}^n}\) be with \(\mathrm {dist}({ \varvec{v}},{ \varvec{v}}') \le k\), let \(b\in \{0,1\}\), and let \({{\overline{{\mathcal {S}}}}}= [n] \setminus \mathcal{{S}}\). Then, with probability at least \(\gamma - 7\lambda - \frac{\alpha + \Pr _{}\left[ \Pi ({ \varvec{v}}) \ne b^n\right] }{\lambda }\) over \({ \varvec{f}}\leftarrow D_\mathcal{F}\), it holds that
Namely, in an execution of \(\Pi ({ \varvec{v}}')\), all honest parties halt after two rounds and output \(b\), regardless of whether a random subset of parties aborts after the first round. Lemma 5.7 is proven in Sect. 5.2.1, but let us first use it to prove Theorem 5.6. We make use of the following immediate observation:
Claim 5.8
(Almost pre-agreement) Let \({ \varvec{v}}\in {\{0,1\}^n}\) and \(b\in \{0,1\}\) be such that \(\mathrm {dist}({ \varvec{v}},b^n) \le t\). Then, \(\Pr _{}\left[ \Pi ({ \varvec{v}}) \in \left\{ b,\perp \right\} ^n \right] \ge 1 - \alpha - \beta \).
Proof
The proof of this claim uses an identical argument as in the proof of Claim 4.3.
\(\square \)
Proving Theorem 5.6.
Proof of Theorem 5.6
We separately prove the case \(t \ge (1/3 + \varepsilon _t)\cdot n\) and \(t \ge (1/4 + \varepsilon _t)\cdot n\).
The case \(t \ge (1/3 + \varepsilon _t)\cdot n\). Let \({ \varvec{v}}_0= 0^k 1^{\left\lceil (n-k)/2 \right\rceil } 0^{\left\lfloor (n-k)/2 \right\rfloor } \) and let \({ \varvec{v}}_1= 1^k 1^{\left\lceil (n-k)/2 \right\rceil } 0^{\left\lfloor (n-k)/2 \right\rfloor } \). Note that \(\mathrm {dist}({ \varvec{v}}_0,{ \varvec{v}}_1)=k\) and that for both \(b\in \{0,1\}\) it holds that \(\mathrm {dist}({ \varvec{v}}_b,b^n) \le t\). We will use Lemma 5.7 and Claim 5.8 to prove that \(\Pi ({ \varvec{v}}_1) = 0^n\) with noticeable probability, contradicting the validity of the protocol.
Recall that, in this case, \(\gamma = \varepsilon _\gamma \), that \(\lambda = \varepsilon _\gamma /10\) and \(\alpha ,\beta \le \varepsilon _\gamma ^2/200 = \lambda ^2/2\). Claim 5.8 yields that for both \(b\in \{0,1\}\):
Applying Lemma 5.7 with respect to \({ \varvec{v}}_0\) and \({ \varvec{v}}_1\) and \(b=0\), yields that with probability at least
over \({ \varvec{f}}\leftarrow D_\mathcal{F}\), it holds that (by discarding the probability over \({\mathcal {S}}\) since the item below does not depend on \({\mathcal {S}}\))
Therefore, overall
in contradiction to Eq. (17).
The case \(t \ge (1/4 + \varepsilon _t)\cdot n\). Consider the vectors \({ \varvec{v}}_0= 0^k 0^k 0^k 1^{n-3k}\), \({ \varvec{v}}_1= 1^k 1^k 0^k 1^{n-3k}\) and \({\mathbf {v}}^{\star }=1^k 0^k 0^k 1^{n-3k}\). Note that for both \(b\in \{0,1\}\) it holds that \(\mathrm {dist}({ \varvec{v}}_b,b^n) \le t\) and that \(\mathrm {dist}({ \varvec{v}}_b,{\mathbf {v}}^{\star })=k\). Applying Lemma 5.7 and Claim 5.8 on \({ \varvec{v}}_b\) and \({\mathbf {v}}^{\star }\), for both \(b\in \{0,1\}\), yields that \(\Pi ^\mathcal{{S}}({\mathbf {v}}^{\star }) = b^n\) with noticeable probability over the choice of \(\mathcal{{S}}\). This will allow us to use Conjecture 3.8 to lowerbound the protocol’s agreement.
Recall that the distribution \({\mathbf {D}}_{n,\sigma }\), from which set \(\mathcal{{S}}\) is sampled, is the distribution induced on the subsets of [n] by sampling each element independently with probability \(\sigma \). In addition, recall that in the case at hand (\(t \ge (1/4 + \varepsilon _t)\cdot n\)), we assume that \(\gamma =1/2+\varepsilon _\gamma \). A similar calculation to the previous case yields that by Lemma 5.7 and Claim 5.8, for both \(b\in \{0,1\}\): with probability at least \(\frac{1}{2} + 2\lambda \) over \({ \varvec{f}}\leftarrow D_\mathcal{F}\) it holds that
It follows that there exists a set \({\mathcal {T}}\subseteq {\text {Supp}}(D_\mathcal{F})\) with \(\Pr _{{ \varvec{f}}\leftarrow D_\mathcal{F}}\left[ {\mathcal {T}}\right] \ge 4\lambda \), such that for every \({ \varvec{f}}\in {\mathcal {T}}\), for both \(b\in \{0,1\}\):
We assume without loss of generality that if a party gets \(\perp \) as its second-round random coins, it aborts after the first round. For \({ \varvec{r}}\in ({\mathcal {R}}\cup \{\bot \})^n\) let \( {\mathcal {E}}({ \varvec{r}})\) be the indices in \({ \varvec{r}}\) of the value \(\bot \). For \({ \varvec{f}}\in {\text {Supp}}(D_\mathcal{F})\) and \(b\in \{0,1\}\), let
By Eq. (18), for \({ \varvec{f}}\in {\mathcal {T}}\) and \(b\in \{0,1\}\), it holds that
Hence by Conjecture 3.8, see Eq. (16), for \({ \varvec{f}}\in {\mathcal {T}}\) it holds that
That is,
Recall that n is chosen so that \(\Pr _{\mathcal{{S}}\leftarrow {\mathbf {D}}_{n,\sigma }}\left[ \left| \mathcal{{S}}\right| >2\sigma n\right] \le \alpha \) and that \(\alpha < \delta /2\). By Eq. (21), the above adversary violates the agreement of \(\Pi \) on input \({\mathbf {v}}^{\star }\) with probability larger than \(\delta - \Pr _{\mathcal{{S}}\leftarrow {\mathbf {D}}_{n,\sigma }}\left[ \left| \mathcal{{S}}\right|>2\sigma n\right] \ge \delta - \alpha >\alpha \), in contradiction with the assumed agreement of \(\Pi \). \(\square \)
5.2.1 Proving Lemma 5.7
Fix \({ \varvec{v}},{ \varvec{v}}' \in {\{0,1\}^n}\) and \(b\in \{0,1\}\) as in the lemma statement. We assume for simplicity that \(\mathrm {dist}({ \varvec{v}},{ \varvec{v}}')=k\) (rather than \(\le k\)). Let \(\ell = \left\lfloor (t -k)/2 \right\rfloor \) and let \(h = \left\lceil (n-k)/\ell \right\rceil \). Assume for ease of notation that \(h\cdot \ell = n-k \) (i.e., no rounding), and for a k-size subset of parties \({\mathcal {P}}\subset [n]\), let \( {\mathcal {L}}^{\mathcal {P}}_1,\dots ,{\mathcal {L}}_h^{\mathcal {P}}\) be an arbitrary partition of \({{\overline{{\mathcal {P}}}}}= [n] \setminus {\mathcal {P}}\) into \(\ell \)-size subsets. Consider the following protocol family.
Namely, the “pivot” parties in \({\mathcal {P}}\) shift their inputs from their real input to the flipped one according to parameter d. The “aborting” parties in \(\mathcal{{S}}\) abort at the end of the first round. Note that protocol \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_{0}\) is the same as protocol \(\Pi ^\mathcal{{S}}\), and \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_h({ \varvec{v}})\) acts like \(\Pi ^\mathcal{{S}}({ \varvec{v}}')\), for \({ \varvec{v}}'\) being \({ \varvec{v}}\) with the coordinates in \({\mathcal {P}}\) flipped.
For \({\mathcal {P}}, {\mathcal {S}}\subseteq [n]\), let \({\overline{{\mathcal {P}}\cup {\mathcal {S}}}}= [n] \setminus ({\mathcal {P}}\cup \mathcal{{S}})\), let \(d\in (h)\), let \(c\in \{0,1\}\), and let
Namely, \({\mathcal {V}}^{{\mathcal {P}}}_{d,c}\) are the sets, setup parameters and random strings on which honest parties in \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_{d}\) halt in the second round and output c. Let \(\chi = \Pr _{}\left[ \Pi ({ \varvec{v}}) \ne b^n\right] \) and let
The proof of Lemma 5.7 immediately follows by the next lemma.
Lemma 5.11
For every k-size subset \({\mathcal {P}}\subset [n]\) and \(d\in [h]\), it holds that
Proof of Lemma 5.7
Immediate by Lemma 5.11. \(\square \)
The rest of this subsection is devoted to proving Lemma 5.11. Fix a k-size subset \({\mathcal {P}}\subset [n]\) and omit it from the notation when clear from the context. Let
Namely, \({\widetilde{{\mathcal {V}}}}_{d,c} \subseteq {\mathcal {V}}_{d,c}\) are the sets, setup parameters and random strings, on which honest parties in \(\Pi ^{{\mathcal {P}},{\mathcal {S}}}_{d+a}\) halt in the second round and output c, if the parties in \({\mathcal {S}}\) abort and regardless of whether the parties in \({\mathcal {P}}\) act toward those in \({\mathcal {L}}_{d+1}\) according to input 0 or 1. Let
let \({{\widetilde{{\mathcal {T}}}}}_{d} = {{\widetilde{{\mathcal {T}}}}}_{d,0}\cup {{\widetilde{{\mathcal {T}}}}}_{d,1}\), and let \({{\widetilde{{\mathcal {T}}}}}= \bigcap _{d \in (h-1)}{{\widetilde{{\mathcal {T}}}}}_{d}\). Lemma 5.11 is proved via the following claims (the following probabilities are taken over \({ \varvec{f}}\leftarrow D_\mathcal{F}\)).
Claim 5.12
\(\Pr _{}\left[ {\mathcal {T}}_{d+1,b} \mid {{\widetilde{{\mathcal {T}}}}}\right] < \eta \) implies \(\Pr _{}\left[ {\mathcal {T}}_{d,1-b} \mid {{\widetilde{{\mathcal {T}}}}}\right] \ge 1- \eta \).
Proof of Claim 5.12
Assuming \(\Pr _{}\left[ {\mathcal {T}}_{d+1,b}\mid {{\widetilde{{\mathcal {T}}}}}\right] \le \eta \) notice that
Consequently, since \(\Pr _{}\left[ {{\widetilde{{\mathcal {T}}}}}_{d}\mid {{\widetilde{{\mathcal {T}}}}}\right] =1\), it follows that \(\Pr _{}\left[ {{\widetilde{{\mathcal {T}}}}}_{d,b}\mid {{\widetilde{{\mathcal {T}}}}}\right] \le \eta \) implies \(\Pr _{}\left[ {{\widetilde{{\mathcal {T}}}}}_{d,1-b}\mid {{\widetilde{{\mathcal {T}}}}}\right] \ge 1-\eta \) and thus \(\Pr _{}\left[ {\mathcal {T}}_{d,1-b}\mid {{\widetilde{{\mathcal {T}}}}}\right] \ge \Pr _{}\left[ {{\widetilde{{\mathcal {T}}}}}_{d,1-b}\mid {{\widetilde{{\mathcal {T}}}}}\right] \ge 1-\eta \). \(\square \)
Claim 5.13
\(\Pr _{}\left[ {{\widetilde{{\mathcal {T}}}}}\right] \ge \gamma - 5\lambda \).
Claim 5.14
\(\Pr _{}\left[ {\mathcal {T}}_{1,b} \mid {{\widetilde{{\mathcal {T}}}}}\right] \ge 1- (\chi + \alpha )/(\Pr [{{\widetilde{{\mathcal {T}}}}}]\cdot \lambda )\).
Claim 5.15
For every \(d \in [h-1]\).
We prove Claims 5.13 to 5.15 below, but first use the above claims for proving Lemma 5.7.
Proving Lemma 5.11.
Proof of Lemma 5.11
We first prove that for every \(d\in [h]\):
The proof is by induction on d. The base case, \(d=1\), is by Claim 5.14. The induction steps follows by the combination of Claim 5.15 and the contrapositive of Claim 5.12. Applying Eq. (22) for \(d=h\), yields that
and the proof follows by Claim 5.13. \(\square \)
So it is left to prove Claims 5.13 to 5.15. Note that the following adversaries corrupt at most \(k + \ell + 2\sigma n \le t\) parties and thus they make a valid attack. Since our security model considers rushing adversaries, and \(\Pi \) has public randomness, we assume the adversary knows \({ \varvec{f}}= (f_1,\ldots ,f_n)\) before sending its first-round messages. In the following we let \(\Pi ^{{\mathcal {S}}}_d = \Pi ^{{\mathcal {P}},{\mathcal {S}}}_d\) and \(\Pi _d = \Pi ^{\emptyset }_d\).
Proving Claim 5.13. This is the only part in proof where we exploit the fact that the protocol is secure against adaptive adversaries.
Proof of Claim 5.13
For \(d\in (h)\), let \({\mathcal {V}}^{{\mathcal {P}}}_d = {\mathcal {V}}^{{\mathcal {P}}}_{d,0} \cup {\mathcal {V}}^{{\mathcal {P}}}_{d,1} \) and \({\widetilde{{\mathcal {V}}}}_d = {\widetilde{{\mathcal {V}}}}_{d,0} \cup {\widetilde{{\mathcal {V}}}}_{d,1}\). Since \(\Pr _{{ \varvec{r}}\leftarrow {\mathcal {R}}^n}\left[ ({ \varvec{f}},{\mathcal {S}},{ \varvec{r}}),({ \varvec{f}},\emptyset ,{ \varvec{r}}) \in {\widetilde{{\mathcal {V}}}}_{d}\right] \le \sum _{c\in \{0,1\}} \Pr _{{ \varvec{r}}\leftarrow {\mathcal {R}}^n}\left[ ({ \varvec{f}},{\mathcal {S}},{ \varvec{r}}),({ \varvec{f}},\emptyset ,{ \varvec{r}}) \in {\widetilde{{\mathcal {V}}}}_{d,c}\right] \), for \(f\notin {{\widetilde{{\mathcal {T}}}}}_{d}\) it holds that
Consider the following rushing adaptive adversary.
By definition, if the attack does not abort then it violates either agreement or (second-round) halting. Let D be the value of d chosen by the adversary \(\mathsf {A} \) at the first round of the protocol. By construction, the attack abort with probability \(\xi _D\). So it is left to argue about the value of \(\xi _D\).
Assume \({ \varvec{f}}\notin {{\widetilde{{\mathcal {T}}}}}\). Recall that (by Chernoff/Hoeffding bound) \(\Pr _{\mathcal{{S}}\leftarrow {\mathbf {D}}_{n,\sigma }}\left[ \left| \mathcal{{S}}\right| > 2\sigma n\right] \le \alpha < \delta /2\). Therefore, with probability at least \(\delta /2\) over the choice of \(\mathcal{{S}}\) in Step 1 of \(\mathsf {A}\), there exists \(i\in (h-1)\) such that \(\xi _i < 2\lambda \) (by Eq. (23)). It follows that \(\xi _D < 3\lambda \), except with probability at most \(\lambda \) (i.e., error estimating \(\xi _D\) by another Chernoff/Hoeffding bound). We conclude that if \({ \varvec{f}}\notin {{\widetilde{{\mathcal {T}}}}}\) the attack succeeds with probability at least \(1-4\lambda \).
It follows that under the above attack, the honest parties halt in the second round and output the same value with probability at most \(\Pr [{{\widetilde{{\mathcal {T}}}}}] + \Pr [\lnot {{\widetilde{{\mathcal {T}}}}}]\cdot 4\lambda \le \Pr [{{\widetilde{{\mathcal {T}}}}}] + 4\lambda \). Since the parties halt and agree with probability at least \(\gamma -\alpha \), we conclude that \(\Pr [{{\widetilde{{\mathcal {T}}}}}] \ge \gamma - \alpha - 4\lambda \ge \gamma - 5\lambda \). \(\square \)
Proving Claim 5.14.
Proof of Claim 5.14
By definition, for \({ \varvec{f}}\in {\mathcal {T}}_{1,b}\) it holds that
letting \(\mathcal{{H}}= {\mathcal {P}}\cup {\mathcal {L}}_1\) and \({{\overline{\mathcal{{H}}}}}= [n] \setminus \mathcal{{H}}\). Let \(\eta = \Pr _{{ \varvec{f}}}\left[ {\mathcal {T}}_{1,{\overline{b}}} \mid {{\widetilde{{\mathcal {T}}}}}\right] \), clearly, \(\Pr _{{ \varvec{f}}}\left[ {\mathcal {T}}_{1,b} \mid {{\widetilde{{\mathcal {T}}}}}\right] = 1 -\eta \). By the above
(recall that \(\Pi _1({ \varvec{v}})\) stands for \(\Pi _1({ \varvec{v}};({ \varvec{f}},{ \varvec{r}}))\), for a random choice of \(({ \varvec{f}},{ \varvec{r}}))\)). Finally, we notice that
If not, then the following attack violates the \(\alpha \)-agreement. Recall that \(\Pi \) is an honest execution on input \({ \varvec{v}}\) and \(\Pi _1\) is an execution of the protocol where the parties in \({\mathcal {L}}_1\) receive inputs from \({\mathcal {P}}\) according to input \({ \varvec{v}}'\) and all others receive inputs from \({\mathcal {P}}\) according to input \({ \varvec{v}}\) (recall that \({ \varvec{v}}\) and \({ \varvec{v}}'\) differ on exactly those indices indexed by \({\mathcal {P}}\)). The attack proceeds as follows: the adversary corrupts the parties in \(\mathcal{{H}}\), partitions the honest parties into two equal-size sets and acts toward the first honest parties according to \(\Pi \) and toward the rest according to \(\Pi _1\). We conclude that \(\Pr [{{\widetilde{{\mathcal {T}}}}}]\cdot \eta \cdot \lambda \le \chi + \alpha \), and therefore \(\eta \le (\chi + \alpha )/(\Pr [{{\widetilde{{\mathcal {T}}}}}]\cdot \lambda )\). \(\square \)
Proving Claim 5.15. The proof uses Conjecture 3.8 in a similar way to the second part of the proof of the theorem.
Proof of Claim 5.15
For \({ \varvec{r}}\in ({\mathcal {R}}\cup \{\bot \})^n\) let \( {\mathcal {E}}({ \varvec{r}})\) be the indices in \({ \varvec{r}}\) of the value \(\bot \). We assume without loss of generality that a party aborts upon getting \(\perp \) as its second-round random coins. For \({ \varvec{f}}\in {\text {Supp}}(D_\mathcal{F})\), for \(d\in [h-1]\), and for \(b\in \{0,1\}\), let
By definition, for \({ \varvec{f}}\in {\mathcal {T}}_{d,0} \cap {\mathcal {T}}_{d,1}\) and \(b\in \{0,1\}\), it holds that
By Conjecture 3.8, see Eq. (16), for \({ \varvec{f}}\in {\mathcal {T}}_{d,0} \cap {\mathcal {T}}_{d,1}\) it holds that
That is,
In pursuit of contradiction, assume that \(\Pr _{}\left[ {\mathcal {T}}_{d,0} \mid {{\widetilde{{\mathcal {T}}}}}\right] + \Pr _{}\left[ {\mathcal {T}}_{d,1} \mid {{\widetilde{{\mathcal {T}}}}}\right] \ge 1 + \lambda /(h\cdot \Pr [{{\widetilde{{\mathcal {T}}}}}])\) for some \(d \in [h-1]\). It follows that
The first inequality is by Eq. (28), the second one by the assumption that \(\Pr [{\mathcal {T}}_{d,0} \mid {{\widetilde{{\mathcal {T}}}}}] + \Pr [{\mathcal {T}}_{d,1} \mid {{\widetilde{{\mathcal {T}}}}}] \ge 1 + \lambda /(h\cdot \Pr [{{\widetilde{{\mathcal {T}}}}}])\), and the last one by the definition of \(\alpha \). Next, consider the following rushing adversary:
Observe that Eq. (29) says that with probability \(8\alpha \) (over the setup parameter, the choice of set S and coins r) the output of the honest parties is sensitive to whether the parties in S abort or not (while halting and agreement occurs for both cases). Therefore, analogously to the proof of Claim 5.13, we deduce that the adversary described above causes disagreement with probability at least \(\alpha \). \(\square \)
Notes
A pseudorandom function that provides a non-interactively verifiable proof for the correctness of its output.
Unlike the aforementioned protocols that use “simple” preprocess and “light-weight” cryptographic tools, the protocol of Rabin [66] uses a heavy, per execution, setup phase (consisting of Shamir sharing of a random coin for every potential round) that we do not know how to cast as a public-randomness protocol.
When considering locally consistent adversaries, the impossibility of BA for \(t\ge n/3\) does not apply.
The attack holds even without assuming Conjecture 1.5 when considering strongly adaptive corruptions [40], in which an adversary sees all messages sent by honest parties in any given round and, based on the messages’ content, decides whether to corrupt a party (and alter its message or sabotage its delivery) or not. Similarly, the conjecture is not required if each party is limited to tossing a single unbiased coin. These extensions are not formally proved in this paper.
We remark that it is rather easy to show that \(\delta \ge 2^{-n}\), which is not good enough for our purposes.
The alphabet \(\Sigma \) is not necessarily Boolean, and there are a couple of subtleties in defining balls.
In the above, we have chosen to ignore a crucial subtlety. In an execution of the protocol, it may be the case that there is a suitable message (according to \({ \varvec{v}}_0\) or \({ \varvec{v}}_1\)) to prevent halting, yet the adversary cannot determine which one to send. In further sections, we address this issue by taking a random partition of \({\overline{{\mathcal {C}}}}\) (rather than an arbitrary one). By doing so, we introduce an error-term of \(1/2^{n-t}\) when we upper bound the halting probability \(\gamma \).
In Sect. 2.2, halting was close to 1 and thus the randomness was necessarily ambiguous regarding the output.
In the jargon of Boolean functions analysis, since every large set has a o(n)-size index-set of influence almost one, it follows that some projection on a constant fraction of indices is almost full.
A more general definition would allow the parameter \(\alpha \) (and the parameters \(\beta ,\gamma \) below) to depend on the protocol’s security parameter. But in this paper we focus on the case that \(\alpha \) is a fixed value.
References
I. Abraham, T.H. Chan, D. Dolev, K. Nayak, R. Pass, L. Ren, E. Shi, Communication complexity of Byzantine agreement, revisited, in Proceedings of the 38th Annual ACM Symposium on Principles of Distributed Computing (PODC) (2019a), pp. 317–326)
I. Abraham, S. Devadas, D. Dolev, K. Nayak, L. Ren, Synchronous Byzantine agreement with expected O(1) rounds, expected o(n\({}^{\text{2)}}\) communication, and optimal resilience, in Financial Cryptography and Data Security (2019b)
H. Attiya, K. Censor, Tight bounds for asynchronous randomized consensus. J. ACM, 55(5):20:1–20:26 (2008)
H. Attiya, K. Censor-Hillel, Lower bounds for randomized consensus under a weak adversary. SIAM J. Comput. 39(8):3885–3904 (2010)
Z. Bar-Joseph, M. Ben-Or, A tight lower bound for randomized synchronous consensus, in Proceedings of the 17th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 193–199 (1998)
M. Ben-Or, Another advantage of free choice: completely asynchronous agreement protocols (extended abstract), in Proceedings of the 2nd Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 27–30 (1983)
M. Ben-Or, N. Linial, Collective coin flipping, robust voting schemes and minima of banzhaf values, in Proceedings of the 26th Annual Symposium on Foundations of Computer Science (FOCS), pp. 408–416 (1985)
M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), pp. 1–10 (1988)
M. Ben-Or, E. Pavlov, V. Vaikuntanathan, Byzantine agreement in the full-information model in o(log n) rounds, in Proceedings of the 38th Annual ACM Symposium on Theory of Computing (STOC), pp. 179–186 (2006)
E. Ben-Sasson, A. Chiesa, M. Green, E. Tromer, M. Virza, Secure sampling of public parameters for succinct zero knowledge proofs, in IEEE Symposium on Security and Privacy, pp. 287–304 (2015)
M. Blum, P. Feldman, S. Micali, Non-interactive zero-knowledge and its applications (extended abstract), in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), pp. 103–112 (1988)
J. Bourgain, J. Kahn, G. Kalai, Influential coalitions for Boolean functions, in CoRR, 2014. arXiv:1409.3033
S. Bowe, A. Gabizon, M.D. Green, A multi-party protocol for constructing the public parameters of the pinocchio zk-snark, in Financial Cryptography and Data Security FC, pp. 64–77 (2018)
E. Boyle, R. Cohen, A. Goel, Breaking the o(\(\surd \) n)-bit barrier: Byzantine agreement with polylog bits per party, in Proceedings of the 40th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 319–330 (2021)
G. Bracha, An asynchronou [(n-1)/3]-resilient consensus protocol, in Proceedings of the 3rd Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 154–162 (1984)
M. Castro, B. Liskov. Practical Byzantine fault tolerance, in Proceedings of the Third USENIX Symposium on Operating Systems Design and Implementation (OSDI), pp. 173–186 (1999)
D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), pp. 11–19 (1988)
J. Chen, S. Micali, Algorand, in CoRR, 2016. arXiv:1607.01341
B. Chor, B.A. Coan, A simple and efficient randomized Byzantine agreement algorithm, in Fourth Symposium on Reliability in Distributed Software and Database Systems, SRDS, pp. 98–106 (1984)
B. Chor, M. Merritt, D.B. Shmoys, Simple constant-time consensus protocols in realistic failure models. J. ACM, 36(3):591–614 (1989)
R. Cohen, S. Coretti, J.A. Garay, V. Zikas, Probabilistic termination and composability of cryptographic protocols, in Advances in Cryptology – CRYPTO 2016, part III, pp. 240–269 (2016)
R. Cohen, S. Coretti, J. Garay, V. Zikas, Round-preserving parallel composition of probabilistic-termination cryptographic protocols, in Proceedings of the 44th International Colloquium on Automata, Languages, and Programming (ICALP), pp. 37:1–37:15 (2017)
R. Cohen, I. Haitner, N. Makriyannis, M. Orland, A. Samorodnitsky, On the round complexity of randomized byzantine agreement, in Proceedings of the 33st International Symposium on Distributed Computing (DISC), pp. 12:1–12:17 (2019)
D. Dolev, R. Strong, Authenticated algorithms for Byzantine agreement. SIAM J. Comput. 12(4):656–666 (1983)
D. Dolev, R. Reischuk, H.R. Strong, Early stopping in Byzantine agreement. J. ACM, 37(4):720–741 (1990)
P. Feldman, S. Micali. An optimal probabilistic protocol for synchronous Byzantine agreement. SIAM J. Comput. 26(4):873–933 (1997)
M.J. Fischer, N.A. Lynch, A lower bound for the time to assure interactive consistency. Inf. Process. Lett. 14(4):183–186 (1982)
M.J. Fischer, N.A. Lynch, M. Merritt, Easy impossibility proofs for distributed consensus problems, in Proceedings of the 23th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 59–70 (1985)
M. Fitzi, J.A. Garay. Efficient player-optimal protocols for strong and differential consensus, in Proceedings of the 22th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 211–220 (2003)
M. Fitzi, J.B. Nielsen, On the number of synchronous rounds sufficient for authenticated Byzantine agreement, in Proceedings of the 23th International Symposium on Distributed Computing (DISC), pp. 449–463 (2009)
E. Friedgut, Boolean functions with low average sensitivity depend on few coordinates. Combinatorica 18(1):27–35 (1998)
J.A. Garay, Y. Moses, Fully polynomial Byzantine agreement in t+1 rounds, in Proceedings of the 25th Annual ACM Symposium on Theory of Computing (STOC), pp. 31–41 (1993)
J.A. Garay, J. Katz, C. Koo, R. Ostrovsky, Round complexity of authenticated broadcast with a dishonest majority, in Proceedings of the 48th Annual Symposium on Foundations of Computer Science (FOCS), pp. 658–668 (2007)
R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure distributed key generation for discrete-log based cryptosystems, in Advances in Cryptology – EUROCRYPT ’99, pp. 295–310 (1999)
Y. Gilad, R. Hemo, S. Micali, G. Vlachos, N. Zeldovich, Algorand: Scaling Byzantine agreements for cryptocurrencies, in Proceedings of the 26th Symposium on Operating Systems Principles (SOSP), pp. 51–68 (2017)
O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC), pp. 218–229 (1987)
O. Goldreich, S. Goldwasser, N. Linial, Fault-tolerant computation in the full information model. SIAM J. Comput. 27(2):506–544 (1998)
S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2):281–308 (1988)
S. Goldwasser, E. Pavlov, V. Vaikuntanathan, Fault-tolerant distributed computing in full-information networks, in Proceedings of the 47th Annual Symposium on Foundations of Computer Science (FOCS), pp. 15–26 (2006)
S. Goldwasser, Y.T. Kalai, S. Park, Adaptively secure coin-flipping, revisited, in Proceedings of the 42th International Colloquium on Automata, Languages, and Programming (ICALP), part II, pp. 663–674 (2015)
J. Groth, R. Ostrovsky, A. Sahai, New techniques for noninteractive zero-knowledge. J. ACM 59(3):11:1–11:35 (2012)
V. Hadzilacos, Connectivity requirements for Byzantine agreement under restricted types of failures. Distrib. Comput. 2(2):95–103 (1987)
D. Hofheinz, T. Jager, Verifiable random functions from standard assumptions, in Proceedings of the 13th Theory of Cryptography Conference, TCC 2016-A, part I, pp. 336–362 (2016)
J. Kahn, G. Kalai, N. Linial, The influence of variables on Boolean functions (extended abstract), in Proceedings of the 29th Annual Symposium on Foundations of Computer Science (FOCS), pp. 68–80 (1988)
B.M. Kapron, D. Kempe, V. King, J. Saia, V. Sanwalani, Fast asynchronous Byzantine agreement and leader election with full information, in Proceedings of the Nineteenth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA, pp. 1038–1047 (2008)
A.R. Karlin, A.C. Yao, Probabilistic lower bounds for Byzantine agreement and clock synchronization. Unpublished manuscript (1984)
J. Katz, C. Koo, On expected constant-round protocols for Byzantine agreement, in Advances in Cryptology – CRYPTO 2006, pp. 445–462 (2006)
V. King, J. Saia, Byzantine agreement in polynomial expected time: [extended abstract], in Proceedings of the 45th Annual ACM Symposium on Theory of Computing (STOC), pp. 401–410 (2013)
J. Kubiatowicz, D. Bindel, Y. Chen, S.E. Czerwinski, P.R. Eaton, D. Geels, R. Gummadi, S.C. Rhea, H. Weatherspoon, W. Weimer, C. Wells, B.Y. Zhao, Oceanstore: An architecture for global-scale persistent storage, in ASPLOS-IX Proceedings of the 9th International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 190–201 (2000)
L. Lamport, R.E. Shostak, M.C. Pease, The Byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3):382–401 (1982)
A.B. Lewko, The contest between simplicity and efficiency in asynchronous Byzantine agreement, in Proceedings of the 25th International Symposium on Distributed Computing (DISC), pp. 348–362 (2011)
A.B. Lewko, M. Lewko, On the complexity of asynchronous agreement against powerful adversaries, in Proceedings of the 32th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 280–289 (2013)
Y. Lindell, A. Lysyanskaya, T. Rabin, On the composition of authenticated Byzantine agreement. J. ACM, 53(6):881–917 (2006)
S. Micali, Very simple and efficient Byzantine agreement, in Proceedings of the 8th Annual Innovations in Theoretical Computer Science (ITCS) conference, pp. 6:1–6:1 (2017)
S. Micali, V. Vaikuntanathan, Optimal and player-replaceable consensus with an honest majority. Unpublished manuscript (2017)
S. Micali, M.O. Rabin, S.P. Vadhan, Verifiable random functions, in Proceedings of the 40th Annual Symposium on Foundations of Computer Science (FOCS), pp. 120–130 (1999)
E. Mossel, R. O’Donnell, O. Regev, J. E. Steif, and B. Sudakov. Non-interactive correlation distillation, inhomogeneous Markov chains, and the reverse Bonami-Beckner inequality. Israel Journal of Mathematics, 154(1):299–336 (2006)
E. Mossel, K. Oleszkiewicz, A. Sen, On reverse hypercontractivity. Geom. Funct. Anal. 23(3):1062–1097 (2013)
G. Neiger, S. Toueg, Automatically increasing the fault-tolerance of distributed algorithms. J. Algorithms 11(3):374–419 (1990)
R. O’Donnell, Analysis of Boolean Functions (Cambridge University Press, Cambridge, 2014)
R. Pass and E. Shi. Hybrid consensus: Efficient consensus in the permissionless model, in Proceedings of the 31st International Symposium on Distributed Computing (DISC), pp. 39:1–39:16 (2017)
R. Pass, E. Shi, Thunderella: Blockchains with optimistic instant confirmation, in Advances in Cryptology – EUROCRYPT 2018, part II, pp. 3–33 (2018)
M.C. Pease, R.E. Shostak, L. Lamport, Reaching agreement in the presence of faults. J. ACM 27(2):228–234 (1980)
T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in Advances in Cryptology – CRYPTO ’91, pp. 129–140 (1991)
B. Pfitzmann, M. Waidner, Unconditional Byzantine agreement for any number of faulty processors, in Proceedings of the 9th Annual Symposium on Theoretical Aspects of Computer Science (STACS), pp. 339–350 (1992)
M.O. Rabin, Randomized Byzantine generals, in Proceedings of the 24th Annual Symposium on Foundations of Computer Science (FOCS), pp. 403–409 (1983)
M. Santha, U.V. Vazirani, Generating quasi-random sequences from slightly-random sources (extended abstract), in Proceedings of the 25th Annual Symposium on Foundations of Computer Science (FOCS), pp. 434–440 (1984)
R. Turpin, B.A. Coan, Extending binary Byzantine agreement to multivalued Byzantine agreement. Inf. Process. Lett. 18(2):73–76 (1984)
A.C. Yao, Protocols for secure computations (extended abstract), in Proceedings of the 23th Annual Symposium on Foundations of Computer Science (FOCS), pp. 160–164 (1982)
Acknowledgements
We would like to thank Rotem Oshman, Juan Garay, Ehud Friedgut, and Elchanan Mossel for very helpful discussions.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Alon Rosen.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
A preliminary version of this work appeared in DISC’19 [23].
Ran Cohen: Research supported in part by NSF Grant No. 2055568. Some of this work was done while the author was a post-doc at Tel Aviv University, supported by ERC starting Grant 638121.
Iftach Haitner: Member of the Check Point Institute for Information Security. Research supported by Israel Science Foundation Grant 666/19. Research supported by ERC starting Grant 638121.
Nikolaos Makriyannis: This work was done while the author was a post-doc at Technion, supported by ERC advanced Grant 742754. Research supported by ERC starting Grant 638121.
Matan Orland: Research supported by ERC starting Grant 638121.
Alex Samorodnitsky: Research partially supported by ISF Grant 1724/15.
Locally Consistent Security to Malicious Security
Locally Consistent Security to Malicious Security
In this section, we formally state and prove Theorem 1.6 and show how to compile any BA protocol that is secure against locally consistent adversaries into a protocol that is secure against malicious adversaries. That is, we prove the following theorem:
Theorem A.1
(Theorem 1.6, restated) Let \(\Pi \) be a \((t,\alpha ,\beta ,q,\gamma )\)-\(\mathsf {BA}\) against locally consistent adversaries for \(q=O(\log {n})\) and assume the existence of verifiable random functions and existentially unforgeable digital signatures under an adaptive chosen-message attack. Then,
-
1.
labelthm:localspstospsmalspsgeneric Assuming in addition the existence of non-interactive zero-knowledge proofs, there exist a ppt protocol-compiler \(\mathsf {Comp}(\cdot )\) such that \(\Pi '=\mathsf {Comp}(\Pi )\) is a \((t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa ))\)-\(\mathsf {BA}\) in the PKI model, resilient to malicious adversaries.
-
2.
There exists a ppt protocol-compiler \(\mathsf {Comp}_\mathsf {PR}(\cdot )\) such that if \(\Pi \) is a public-randomness protocol, then \(\Pi '=\mathsf {Comp}_\mathsf {PR}(\Pi )\) is a \((t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa ))\)-\(\mathsf {BA}\) in the PKI model, resilient to malicious adversaries.
In Sect. A.1, we define the cryptographic primitives used in the compiler, and in Sect. A.2, we construct the compiler and prove its security.
1.1 Preliminaries
The compiler makes use of verifiable random functions (VRF) [56], digital signatures, and non-interactive zero-knowledge proofs, as defined below.
1.1.1 Verifiable Random Functions
We follow the definition of VRF from [43].
Definition A.2
(VRF) A verifiable random function is a tuple of polynomial-time algorithms \(\Pi =(\mathsf {VRF.Gen},\mathsf {VRF.Eval},\mathsf {VRF.Verify})\) of the following form.
-
\(\mathsf {VRF.Gen}(1^\kappa )\rightarrow ( sk , vk )\). On input the security parameter, the key-generation algorithm outputs a secret key \( sk \) and a public verification key \( vk \).
-
\(\mathsf {VRF.Eval}( sk ,x)\rightarrow (y,\pi )\). On input the secret key and an input \(x\in \{0,1\}^\kappa \), the evaluation algorithm outputs a value \(y\in {\mathcal {S}}\) (for a finite set \({\mathcal {S}}\)) and a proof \(\pi \).
-
\(\mathsf {VRF.Verify}( vk ,x,y,\pi )\rightarrow b\). On input the verification key, an input \(x\in \{0,1\}^\kappa \), an output \(y\in {\mathcal {S}}\), and a proof \(\pi \), the deterministic verification algorithm outputs a bit \(b\in \{0,1\}\).
We require the following properties:
-
Correctness. For \(( sk , vk )\leftarrow \mathsf {VRF.Gen}(1^\kappa )\) and \(x\in \{0,1\}^\kappa \) it holds that if \((y,\pi )\leftarrow \mathsf {VRF.Eval}( sk ,x)\) then \(\mathsf {VRF.Verify}( vk ,x,y,\pi )=1\).
-
Unique provability. For all strings \(( sk , vk )\) (not necessarily generated by \(\mathsf {VRF.Gen}\)) and all \(x\in \{0,1\}^\kappa \), there exists no \((y_0,\pi _0,y_1,\pi _1)\) such that \(y_0\ne y_1\) and \(\mathsf {VRF.Verify}( vk ,x,y_0,\pi _0)=\mathsf {VRF.Verify}( vk ,x,y_1,\pi _1)=1\).
-
Pseudorandomness. For any ppt adversary \(\mathsf {A} =(\mathsf {A} _1,\mathsf {A} _2)\) it holds that
$$\begin{aligned} \left| \Pr _{}\left[ \mathsf {Expt} ^\mathsf {VRF} _{\Pi ,\mathsf {A}}(\kappa )=1\right] -\frac{1}{2}\right| \le {\text {neg}}(\kappa ), \end{aligned}$$for the experiment \(\mathsf {Expt} ^\mathsf {VRF} \) defined below:
\(\mathsf {Expt} ^\mathsf {VRF} _{\Pi ,\mathsf {A}}(\kappa )\) | \({\mathcal {O}}_\mathsf {eval} (x)\) |
---|---|
\(( sk , vk )\leftarrow \mathsf {VRF.Gen}(1^\kappa )\) | \((y,\pi )\leftarrow \mathsf {VRF.Eval}( sk ,x)\) return \((y,\pi )\) |
\((x^*,\mathsf{state})\leftarrow \mathsf {A} _1^{{\mathcal {O}}_\mathsf {eval} (\cdot )}( vk )\) | |
\((y_0,\pi )\leftarrow \mathsf {VRF.Eval}( sk ,x^*)\) | |
\(y_1\leftarrow _R {\mathcal {S}}\) | |
\(b\leftarrow _R \{0,1\}\) | |
\(b'\leftarrow \mathsf {A} _2^{{\mathcal {O}}_\mathsf {eval} (\cdot )}(\mathsf{state},y_b)\) | |
return 1 if and only if \(b=b'\) | |
and \(\mathsf {A} \) didn’t query \(x^*\) |
1.1.2 Digital Signatures
We consider the standard notion of existentially unforgeable signatures under an adaptive chosen-message attack [38].
Definition A.3
(Digital signatures) A digital signatures scheme is a tuple of polynomial-time algorithms \(\Pi =(\mathsf {DS.Gen},\mathsf {DS.Sign},\mathsf {DS.Verify})\) of the following form.
-
\(\mathsf {DS.Gen}(1^\kappa )\rightarrow ( sk , vk )\). On input the security parameter, the key-generation algorithm outputs a secret signing key \( sk \) and a public verification key \( vk \).
-
\(\mathsf {DS.Sign}( sk ,m)\rightarrow \sigma \). On input the signing key and a message m, the signing algorithm outputs a signature \(\sigma \).
-
\(\mathsf {DS.Verify}( vk ,m,\sigma )\rightarrow b\). On input the verification key, a message m, and a signature \(\sigma \), the deterministic verification algorithm outputs a bit \(b\in \{0,1\}\).
We require the following properties:
-
Correctness. For \(( sk , vk )\leftarrow \mathsf {DS.Gen}(1^\kappa )\) and a message m it holds that if \(\sigma \leftarrow \mathsf {DS.Sign}( sk ,m)\) then \(\mathsf {DS.Verify}( vk ,m,\sigma )=1\).
-
Existentially unforgeable under an adaptive chosen-message attack. For any ppt adversary \(\mathsf {A} \) it holds that
$$\begin{aligned} \left| \Pr _{}\left[ \mathsf {Expt} ^\mathsf {Sig} _{\Pi ,\mathsf {A}}(\kappa )=1\right] \right| \le {\text {neg}}(\kappa ), \end{aligned}$$for the experiment \(\mathsf {Expt} ^\mathsf {Sig} \) defined below:
\(\mathsf {Expt} ^\mathsf {Sig} _{\Pi ,\mathsf {A}}(\kappa )\) | \({\mathcal {O}}_\mathsf {sign} (m)\) |
---|---|
\(( sk , vk )\leftarrow \mathsf {DS.Gen}(1^\kappa )\) | \(\sigma \leftarrow \mathsf {DS.Sign}( sk ,m)\) return \(\sigma \) |
\((m,\sigma )\leftarrow \mathsf {A} ^{{\mathcal {O}}_\mathsf {sign} (\cdot )}( vk )\) | |
return 1 if and only if \(\mathsf {DS.Verify}( vk ,m,\sigma )=1\) | |
and \(\mathsf {A} \) didn’t query m |
1.1.3 Non-interactive Zero-Knowledge Proofs
A non-interactive zero-knowledge proof [11] is a single-message protocol that allow a prover to convince a verifier the a certain common statement belongs to a language, without disclosing any additional information. We follow the definition from [41].
Definition A.4
(NIZK) Let \({\mathcal {R}} \) be an \(\text {NP}\)-relation and let \({\mathcal {L}} _{\mathcal {R}} \) be the language consisting of the statements in \({\mathcal {R}} \). A non-interactive zero-knowledge proof system for \({\mathcal {R}} \) is a tuple of polynomial-time algorithms \(\Pi =(\mathsf {NIZK.Gen},\mathsf {NIZK.Prover},\mathsf {NIZK.Verifier})\) of the following form:
-
\(\mathsf {NIZK.Gen}(1^\kappa )\rightarrow \mathsf {crs} \). On input the security parameter, the setup-generation algorithm outputs a common reference string \(\mathsf {crs} \).
-
\(\mathsf {NIZK.Prover}(\mathsf {crs},x,w)\rightarrow \varphi \). On input the \(\mathsf {crs} \), a statement x, and a witness w such that \((x,w)\in {\mathcal {R}} \), the prover algorithm outputs a proof string \(\varphi \).
-
\(\mathsf {NIZK.Verifier}(\mathsf {crs},x,\varphi )\rightarrow b\). On input the \(\mathsf {crs} \), a statement x, and a proof \(\varphi \), the verification algorithm outputs a bit \(b\in \{0,1\}\).
We require the following properties:
-
Correctness. A proof system is complete if an honest prover with a valid witness can convince an honest verifier. For \((x,w)\in {\mathcal {R}} \) it holds that
$$\begin{aligned} \Pr _{}\left[ \mathsf {NIZK.Verifier}(\mathsf {crs},x,\varphi )=1 \mid \mathsf {crs} \leftarrow \mathsf {NIZK.Gen}(1^\kappa ), \varphi \leftarrow \mathsf {NIZK.Prover}(\mathsf {crs},x,w)\right] =1. \end{aligned}$$ -
Statistical soundness. A proof system is sound if it is infeasible to convince an honest verifier when the statement is false. For all polynomial-size families \(\{x_\kappa \}\) of statements \(x_\kappa \notin {\mathcal {L}} _{\mathcal {R}} \) and all adversaries \(\mathsf {A} \) it holds that
$$\begin{aligned} \Pr _{}\left[ \left[ \mathsf {NIZK.Verifier}(\mathsf {crs},x_\kappa ,\varphi )=1 \mid \mathsf {crs} \leftarrow \mathsf {NIZK.Gen}(1^\kappa ) \varphi \leftarrow \mathsf {A} (\mathsf {crs},x_\kappa )\right] =1.\right] \end{aligned}$$ -
Computational (adaptive, multi-theorem) zero knowledge. A proof system is zero-knowledge if the proofs do not reveal any information about the witnesses. There exists a polynomial-time simulator \(\mathsf {S} _{\mathsf {nizk}}xspace=(\mathsf {S} _{\mathsf {nizk}}xspace^1, \mathsf {S} _{\mathsf {nizk}}xspace^2)\), where \(\mathsf {S} _{\mathsf {nizk}}xspace^1\) returns a simulated \(\mathsf {crs}\) together with a simulation trapdoor \(\tau \) that enables \(\mathsf {S} _{\mathsf {nizk}}xspace^2\) to simulate proofs without having access to the witness. That is, for every non-uniform polynomial-time adversary \(\mathsf {A} \) it holds that
$$\begin{aligned}&\bigg |\Pr _{}\left[ \mathsf {A} ^{{\mathsf {P}}_\mathsf {crs} (\cdot ,\cdot )}(\mathsf {crs})=1 \mid \mathsf {crs} \leftarrow \mathsf {NIZK.Gen}(1^\kappa )\right] \\&\qquad -\Pr _{}\left[ \mathsf {A} ^{\mathsf {S} _{\mathsf {crs},\tau }(\cdot ,\cdot )}(\mathsf {crs})= 1 \mid (\mathsf {crs},\tau )\leftarrow \mathsf {S} _{\mathsf {nizk}}xspace^1(1^\kappa )\right] \bigg |\\&\quad \le {\text {neg}}(\kappa ), \end{aligned}$$where \(\mathsf {S} _{\mathsf {crs},\tau }(x,w)=\mathsf {S} _{\mathsf {nizk}}xspace^2(\mathsf {crs},\tau ,x)\) for \((x,w)\in {\mathcal {R}} \) and \({\mathsf {P}}_\mathsf {crs} (x,w)=\mathsf {NIZK.Prover}(\mathsf {crs},x,w)\).
1.1.4 Next-Message Functions
An n-party protocol is represented by a set \(\{\mathsf {next-msg}_{i\rightarrow j}\}_{i,j\in [n]}\) of next-message functions, a set \(\{\mathsf {output}_i\}_{i\in [n]}\) of output functions, and a distribution D for generating setup information. Initially, the setup information is sampled as \((\mathsf {setup}_1,\ldots ,\mathsf {setup}_n)\leftarrow D\) and every party \(\mathsf {P} _i\) receives \(\mathsf {setup}_i\) before the protocol begins. The view of a party \(\mathsf {P} _i\) in the \(r\)’th round, denoted \(\textsf {view}_i^r\), consists of: its input bit \(x_i\), its setup information \(\mathsf {setup}_i\), its random coin tosses \(\rho _i=(\rho _i^1,\ldots ,\rho _i^r)\) (where \(\rho _i^{r'}\) are the tossed coins for round \(r'\)) and the incoming messages \((m^{r'}_{1\rightarrow i}, \ldots , m^{r'}_{n\rightarrow i})\) for every \(r'<r\), where \(m^{r'}_{j\rightarrow i}\) is the message received from \(\mathsf {P} _j\) in round \(r'\). Given \(\mathsf {P} _i\)’s view in the \(r\)’th round, the function \(\mathsf {next-msg}_{i\rightarrow j}(\textsf {view}_i^r)\) outputs the message \(m^r_{i\rightarrow j}\) to be sent by \(\mathsf {P} _i\) to \(\mathsf {P} _j\), except for the last round, where it outputs \(\bot \); in that case the output function \(\mathsf {output}(\textsf {view}_i^r)\) produces the output value y. Without loss of generality we assume that a message \(m^r_{i\rightarrow j}\) is of the form (r, i, j, m); looking ahead, this will ensure that two messages in the protocol will not have the same signature.
1.1.5 The PKI Model
The compiled protocol is designed to work in the public-key infrastructure (PKI) model, where a trusted third party generates private/public keys for the parties before the protocol begins. In our setting, we will require a PKI for VRF, digital signatures, and \({{\textsf {NIZK}}}\), meaning that the trusted party operates as follows:
-
1.
For every \(i\in [n]\), compute VRF keys \((\mathsf {sk}^{\mathsf {vrf}}_i,\mathsf {vk}^{\mathsf {vrf}}_i)\leftarrow \mathsf {VRF.Gen}(1^\kappa )\).
-
2.
For every \(i\in [n]\), compute signature keys \((\mathsf {sk}^{\mathsf {ds}}_i,\mathsf {vk}^{\mathsf {ds}}_i)\leftarrow \mathsf {DS.Gen}(1^\kappa )\).
-
3.
Compute \(\mathsf {crs} \leftarrow \mathsf {NIZK.Gen}(1^\kappa )\).
-
4.
Send to every party \(\mathsf {P} _i\) the secret keys \((\mathsf {sk}^{\mathsf {vrf}}_i,\mathsf {sk}^{\mathsf {ds}}_i)\) as well as all the public keys \(\mathsf {crs} \), \((\mathsf {vk}^{\mathsf {vrf}}_1,\ldots ,\mathsf {vk}^{\mathsf {vrf}}_n)\) and \((\mathsf {vk}^{\mathsf {ds}}_1,\ldots ,\mathsf {vk}^{\mathsf {ds}}_n)\).
1.2 The Compiler
Given a protocol that is secure against locally consistent adversaries, the main idea of the compiler is to limit the capabilities of a malicious adversary attacking the compiled protocol to those of a locally consistent one. This is achieved by proving an honest behavior via the cryptographic tools described above (VRF, digital signatures, and NIZK proofs) in a similar way to the GMW compiler [36]. Unlike GMW, where all consistency proofs are carried out over a broadcast channel to ensure a consistent view between the honest parties, in our case the consistency proofs are done over pairwise channels, so they only guarantee local consistency.
We start by defining the NP relations that will be used for the zero-knowledge proofs. Each instance consists of a message between a pair of parties (say from \(\mathsf {P} _i'\) to \(\mathsf {P} _j'\)) and the witness is the internal state of \(\mathsf {P} _i'\) used to generate the message (the input, the random coins, and all incoming messages) along with a “proof of correctness,” i.e., that the random coins were properly generated using the VRF, that the incoming messages that \(\mathsf {P} _i'\) received from every \(\mathsf {P} _k'\) were signed by \(\mathsf {P} _k'\), and in turn were proven to be generated correctly (i.e., that each \(\mathsf {P} _k'\) used the correct random coins generated by the VRF and its incoming messages were signed by the senders). Note that this recursive step in the verification is required for proving locally consistent behaviour, since if both \(\mathsf {P} _i'\) and \(\mathsf {P} _k'\) are corrupt, then \(\mathsf {P} _k'\) can send an arbitrary message to \(\mathsf {P} _i'\) and sign it (in this case the NIZK proof from \(\mathsf {P} _k'\) to \(\mathsf {P} _i'\) will not verify). When \(\mathsf {P} _i'\) sends its message to an honest \(\mathsf {P} _j'\), it is not enough that \(\mathsf {P} _i'\) proves that the messages from \(\mathsf {P} _k'\) are properly signed, but \(\mathsf {P} _i'\) must also prove that \(\mathsf {P} _k'\) provided a NIZK proof asserting that its messages were generated by consistent random coins and correct incoming messages according to the next-message function. For this reason we consider \(q=O(\log {n})\)
The Relation \({\mathcal {R}} ^r_{i\rightarrow j}\). We will consider the following set of NP relations, where for \(i,j\in [n]\) and an integer r, the relation \({\mathcal {R}} ^r_{i\rightarrow j}\) is parametrized by an n-party protocol \(\Pi \) (represented by \(\{\mathsf {next-msg}_{i\rightarrow j}\}_{i,j\in [n]}\) and \(\{\mathsf {output}_i\}_{i\in [n]}\)), a \({{\textsf {VRF}}} \) scheme, a \({{\textsf {DS}}} \) scheme, and a \({{\textsf {NIZK}}}\) scheme, as well as:
-
A vector of VRF verification keys \((\mathsf {vk}^{\mathsf {vrf}}_1,\ldots ,\mathsf {vk}^{\mathsf {vrf}}_n)\).
-
A vector of signature verification keys \((\mathsf {vk}^{\mathsf {ds}}_1,\ldots ,\mathsf {vk}^{\mathsf {ds}}_n)\).
-
A \({{\textsf {NIZK}}}\) common reference string \(\mathsf {crs} \).
The instance consists of a message \((m_{i\rightarrow j}^r,\sigma _{i\rightarrow j}^r,\pi _i^r)\) (the message from \(\mathsf {P} _i\) to \(\mathsf {P} _j\)). The witness consists of:
-
A bit \(x_i\in \{0,1\}\) and a string \(\mathsf {setup}_i\).
-
A vector of random coins \((\rho _i^1,\ldots ,\rho _i^r)\).
-
For \(r'\in [r-1]\) and \(k\in [n]\), a message \({ \varvec{m}}^{r'}_{k\rightarrow i}=(m^{r'}_{k\rightarrow i},\sigma ^{r'}_{k\rightarrow i},\pi ^{r'}_k,\varphi _{k\rightarrow i}^{r'})\) (\(\mathsf {P} _i\)’s incoming messages).
The instance/witness pair is in the relation \({\mathcal {R}} ^r_{i\rightarrow j}\) if the following holds:
-
1.
For every \(r'\in [r]\) it holds that \(\mathsf {VRF.Verify}(\mathsf {vk}^{\mathsf {vrf}}_i,(i,r'),\rho _i^{r'},\pi _i^{r'})=1\).
-
2.
\(\mathsf {DS.Verify}(\mathsf {vk}^{\mathsf {ds}}_i,m^r_{i\rightarrow j},\sigma ^r_{i\rightarrow j})=1\).
-
3.
For \(r'\in [r-1]\) and \(k\in [n]\) it holds that \(\mathsf {NIZK.Verifier}(\mathsf {crs},(m^{r'}_{k\rightarrow i},\sigma ^{r'}_{k\rightarrow i},\pi _k^{r'}),\varphi _{k\rightarrow i}^{r'})=1\) with respect to the relation \({\mathcal {R}} ^{r'}_{k\rightarrow i}\).
-
4.
Set \(\textsf {view}_i^1=(x_i,\mathsf {setup}_i,\rho _i^1)\) and for \(1<r'\le r\) set \(\textsf {view}_i^{r'}=(\textsf {view}_i^{r'-1},m_{1\rightarrow i}^{r'-1},\ldots ,m_{n\rightarrow i}^{r'-1},\rho _i^{r'})\). Then, it holds that \(m_{i\rightarrow j}^r=\mathsf {next-msg}_{i\rightarrow j}(\textsf {view}_i^r)\).
The compiled protocol. Having defined the relations \(\{{\mathcal {R}} ^r_{i\rightarrow j}\}\), we are ready to present the compiler for a protocol \(\Pi \), secure against locally consistent adversaries to a maliciously secure one. Initially, in the setup phase, each party receives its setup information for \(\Pi \) in addition to the PKI keys for \({{\textsf {VRF}}} \), digital signatures, and NIZK (as described above). To generate its coins for the \(r\)’th round (along with a proof), party \(\mathsf {P} _i\) evaluates the \({{\textsf {VRF}}} \) over the pair (i, r); next, \(\mathsf {P} _i\) computes the \(r\)’th round messages for \(\Pi \), signs each message, and sends to every other \(\mathsf {P} _j\) the corresponding message, the signature, and the \({{\textsf {VRF}}} \) proof. In addition, \(\mathsf {P} _i\) sends to \(\mathsf {P} _j\) a \({{\textsf {NIZK}}} \) proof for \({\mathcal {R}} ^r_{i\rightarrow j}\), proving that \(\mathsf {P} _i\) behaves consistently towards \(\mathsf {P} _j\).
Let \(\Pi =(\mathsf {P} _1,\ldots ,\mathsf {P} _n)\) be an n-party protocol represented by the set of next-message functions \(\{\mathsf {next-msg}_{i\rightarrow j}\}_{i,j\in [n]}\), the set of output functions \(\{\mathsf {output}_i\}_{i\in [n]}\), and a distribution D for generating setup information. Let \({{\textsf {VRF}}} \) be a verifiable random function, let \({{\textsf {DS}}} \) be a digital signatures scheme, and let \({{\textsf {NIZK}}} \) be a non-interactive zero-knowledge proof scheme. Later on, we will simplify the compiler for the case of public-randomness protocols by removing the need for \({{\textsf {NIZK}}} \).
1.2.1 Security Proof
We prove the security of Protocol A.5 using a sequence of arguments. Given a protocol \(\Pi \) secure against locally consistent adversaries, we first adjust it to use pseudorandom coins computed using a VRF. The new protocol, denoted \(\Pi _1\), remains secure against slightly weaker locally consistent adversaries by the pseudorandomness property of the VRF. Next, we show how to convert any malicious adversary against the compiled protocol \(\Pi '=\mathsf {Comp}(\Pi )\) into a “weak” locally consistent attack against \(\Pi _1\). The proof of the second part of the theorem, concerning public-randomness protocols, follows in similar lines.
Proof of Theorem A.1
We start by proving the first part of the theorem, considering generic protocols, and later focus on public-randomness protocols.
Proof of Item 1(generic protocols). We prove Item 1 in two steps. Initially, as an intermediate step, we consider a variant of \(\Pi \), denoted \(\Pi _1\), where the parties behave exactly as in \(\Pi \) except that they use a \({{\textsf {VRF}}} \) to compute their random coins for each round. Formally, \(\Pi _1\) is defined in the PKI model, where, in addition to the setup information for \(\Pi \), every party \(\mathsf {P} _i\) receives \(\mathsf {sk}^{\mathsf {vrf}}_i\) and \((\mathsf {vk}^{\mathsf {vrf}}_1,\ldots ,\mathsf {vk}^{\mathsf {vrf}}_n)\) for \((\mathsf {sk}^{\mathsf {vrf}}_i,\mathsf {vk}^{\mathsf {vrf}}_i)\leftarrow \mathsf {VRF.Gen}(1^\kappa )\). During the execution of the protocol, each party \(\mathsf {P} _i\) evaluates \((\rho _i^r,\pi _i^r)\leftarrow \mathsf {VRF.Eval}(\mathsf {sk}^{\mathsf {vrf}}_i,(i,r))\), sets its coins for the \(r\)’th round to \(\rho _i^r\) (instead of a uniformly distributed string), and appends \(\pi _i^r\) to its \(r\)’th round messages. Note that the strings \(\rho _i^r\) are deterministic, so a locally consistent adversary has the power to use arbitrary values instead. To enable a reduction to the security of \(\Pi \), we will explicitly assume that corrupted parties indeed use the honestly generated pseudorandom values \(\rho _i^r\) by evaluating the \({{\textsf {VRF}}}\) on (i, r); we call such a locally consistent adversary \({{\textsf {VRF}}}\) -compliant.
Claim A.6
If \(\Pi \) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent adversaries, then \(\Pi _1\) is a \(\left( t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa )\right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries.
Proof
By assumption, a corrupted \(\mathsf {P} _i\) uses the value \(\rho _i^r\) as its random coins for the \(r\)’th round. Therefore, the only difference between \(\Pi _1\) and \(\Pi \) are the use of pseudorandom string instead of uniformly distributed strings. The proof follows by the pseudorandomness of the \({{\textsf {VRF}}} \) scheme using a standard hybrid argument. \(\square \)
Next, let \(\mathsf {A} '\) be an adversary attacking \(\Pi '=(\mathsf {P} '_1,\ldots ,\mathsf {P} '_n)\). We will construct an adversary \(\mathsf {A} \) for the protocol \(\Pi _1=(\mathsf {P} _1,\ldots ,\mathsf {P} _n)\). Let \(\mathsf {S} _{\mathsf {nizk}}xspace=(\mathsf {S} _{\mathsf {nizk}}xspace^1,\mathsf {S} _{\mathsf {nizk}}xspace^2)\) be the simulator that is guaranteed for the NIZK scheme. The adversary \(\mathsf {A} \) runs internally a copy of \(\mathsf {A} '\) and proceeds as follows:
-
In the setup phase of \(\Pi _1\), \(\mathsf {A} \) receives the setup string \(\left( \mathsf {setup}_i, \mathsf {sk}^{\mathsf {vrf}}_i,\mathsf {vk}^{\mathsf {vrf}}_1,\ldots ,\mathsf {vk}^{\mathsf {vrf}}_n\right) \) (consisting of the setup for \(\Pi \) and the \({{\textsf {VRF}}}\) keys). Next, \(\mathsf {A}\) samples \((\mathsf {crs},\tau )\leftarrow \mathsf {S} _{\mathsf {nizk}}xspace^1(1^\kappa )\) and \((\mathsf {sk}^{\mathsf {ds}}_i,\mathsf {vk}^{\mathsf {ds}}_i)\leftarrow \mathsf {DS.Gen}(1^\kappa )\) for every \(i\in [n]\), and provides the setup string \(\mathsf {setup}'_i=\Big (\mathsf {setup}_i, \mathsf {sk}^{\mathsf {vrf}}_i,\mathsf {sk}^{\mathsf {ds}}_i, \mathsf {crs},\mathsf {vk}^{\mathsf {vrf}}_1,\ldots ,\mathsf {vk}^{\mathsf {vrf}}_n, \mathsf {vk}^{\mathsf {ds}}_1,\ldots ,\mathsf {vk}^{\mathsf {ds}}_n\Big )\) for every corrupted \(\mathsf {P} '_i\).
-
Upon receiving a message \((m^r_{i \rightarrow j},\pi _i^r)\) from an honest \(\mathsf {P} _i\) to a corrupted \(\mathsf {P} _j\) in the execution of \(\Pi _1\), \(\mathsf {A}\) sends \((m^r_{i \rightarrow j},\sigma ^r_{i \rightarrow j},\pi _i^r, \varphi _{i\rightarrow j}^r)\) to \(\mathsf {A} '\) with \(\sigma _{i\rightarrow j}^r\leftarrow \mathsf {DS.Sign}(\mathsf {sk}^{\mathsf {ds}}_i,m^r_{i \rightarrow j})\) and \(\varphi _{i\rightarrow j}^r\leftarrow \mathsf {S} _{\mathsf {nizk}}xspace^2(\mathsf {crs},\tau ,(m^r_{i \rightarrow j},\sigma ^r_{i \rightarrow j}, \pi _i^r))\).
-
When \(\mathsf {A} \) receives \((m^r_{i \rightarrow j},\sigma ^r_{i \rightarrow j},\pi _i^r,\varphi _{i\rightarrow j}^r)\) from \(\mathsf {A} '\) on behalf of a corrupted \(\mathsf {P} _i'\) to an honest \(\mathsf {P} _j'\) (in the simulated execution of \(\Pi '\)), \(\mathsf {A}\) first verifies that \(\mathsf {NIZK.Verifier}(\mathsf {crs},(m^r_{i \rightarrow j},\sigma ^r_{i \rightarrow j},\pi _i^r),\varphi _{i\rightarrow j}^r)=1\). If the proof is verified, \(\mathsf {A}\) sends the message \((m^r_{i \rightarrow j},\pi _i^r)\) to \(\mathsf {P} _j\) in the protocol \(\Pi _1\); otherwise, \(\mathsf {A}\) considers \(\mathsf {P} _i\) as an aborting party towards \(\mathsf {P} _j\).
We complete the proof in a series of steps, analyzing the attack under increasingly stronger power of the adversary \(\mathsf {A} '\), starting from a locally consistent \({{\textsf {VRF}}}\)-compliant attack until reaching a full blown malicious attack. Initially, we will assume perfect security of the NIZK, and remove this restriction later on.
Claim A.7
Consider a perfect NIZK scheme. If \(\Pi _1\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries, then \(\Pi '\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries.
Proof
If \(\mathsf {A} '\) is a locally consistent \({{\textsf {VRF}}}\)-compliant adversary, then in particular whenever \(\mathsf {A} '\) sends a message on behalf of a corrupted \(\mathsf {P} _i'\), he knows a witness for the \({{\textsf {NIZK}}}\) proof. Therefore, without loss of generality we can assume that either a corrupted \(\mathsf {P} _i'\) does not send a message (i.e., aborts) to an honest \(\mathsf {P} _j'\) or that \(\mathsf {P} _i'\) correctly generates the \({{\textsf {NIZK}}}\) proof. In that case every locally consistent \({{\textsf {VRF}}}\)-compliant attack by \(\mathsf {A} '\) translates to a locally consistent \({{\textsf {VRF}}}\)-compliant attack by \(\mathsf {A} \). \(\square \)
The next claim considers stronger adversaries that are allowed to use arbitrary random coins for computing the next-message function. We will use the following notations: A message sent in \(\Pi '\) is of the form \((m,\sigma ,\pi ,\varphi )\); we call m the content of the message. For a party \(\mathsf {P} _i'\), let \({\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\) denote the set of incoming messages’ contents received from party \(\mathsf {P} _k'\) in round \(r'\) (as this is a locally consistent attack, there could be multiple incoming messages from each corrupted party, but at most one message from each honest party). Let \({\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\) be the set of possible messages’ contents that \(\mathsf {P} _i'\) can send to \(\mathsf {P} _j'\) at round r under a \({{\textsf {VRF}}}\)-compliant locally consistent attack when using a subset of the incoming messages’ contents \(\{{\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\}_{r'<r, k\in [n]}\) and randomness \(\{\rho _i^{r'}\}_{r'\in [r]}\) computed as \((\rho _i^{r'},\pi _i^{r'})\leftarrow \mathsf {VRF.Eval}(\mathsf {sk}^{\mathsf {vrf}}_i,(i,r'))\).
Claim A.8
Consider a perfect NIZK scheme. If \(\Pi _1\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries, then \(\Pi '\) is a \(\left( t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa )\right) \)-\(\mathsf {BA}\) against locally consistent adversaries.
Proof
We prove the claim by showing that the additional power of the adversary only allows for a negligible cheating advantage. Consider a locally consistent adversary \(\mathsf {A} '\) and assume that a corrupted party \(\mathsf {P} _i'\) used arbitrary random coins to generate the message content for party \(\mathsf {P} _j'\) in round r, denoted \({\tilde{m}}_{i\rightarrow j}^r\). There are two possible cases:
- Case 1::
-
If \({\tilde{m}}_{i\rightarrow j}^r\in {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), then the adversary can compute a witness for the relation \({\mathcal {R}} ^r_{i\rightarrow j}\). That is, even if the actual coins used to generate \({\tilde{m}}_{i\rightarrow j}^r\) are different than \(\{\rho _i^{r'}\}_{r'\in [r]}\), the message \({\tilde{m}}_{i\rightarrow j}^r\) can be explained as if generated using \(\{\rho _i^{r'}\}_{r'\in [r]}\) consistently with a subset of the incoming messages in \(\{{\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\}_{r'<r, k\in [n]}\). Therefore, without loss of generality this can be cast as a locally consistent \({{\textsf {VRF}}}\)-compliant attack.
- Case 2::
-
If \({\tilde{m}}_{i\rightarrow j}^r\notin {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), let \(\{{\tilde{\rho }}_i^{r'}\}_{r'\in [r]}\) be the coins used by \(\mathsf {A} '\) to generate \({\tilde{m}}_{i\rightarrow j}^r\). Then, \({\tilde{\rho }}_i^{r'}\ne \rho _i^{r'}\) for at least one \(r'\). To provide a witness for the relation \({\mathcal {R}} ^r_{i\rightarrow j}\), \(\mathsf {A} '\) must generate \({\tilde{\pi }}_i^{r'}\) such that \(\mathsf {VRF.Verify}(\mathsf {vk}^{\mathsf {vrf}}_i,(i,r'),{\tilde{\rho }}_i^{r'},{\tilde{\pi }}_i^{r'})=1\). By unique provability property of the VRF, such an attack can only succeed with negligible probability.
\(\square \)
The next claim considers stronger adversaries that are allowed to use arbitrary incoming messages for their next-message function.
Claim A.9
Consider a perfect NIZK scheme. If \(\Pi _1\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries, then \(\Pi '\) is a \(\left( t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa )\right) \)-\(\mathsf {BA}\) against locally consistent adversaries that are allowed to use arbitrary messages’ contents when computing the next-message function.
Proof
Consider an adversary \(\mathsf {A} '\) that behaves locally consistent but can use arbitrary values as incoming messages. Assume that \(\mathsf {A} '\) is \({{\textsf {VRF}}}\)-compliant and let r be the first round in which \(\mathsf {A} '\) deviates from the protocol with respect to incoming messages. Let \(\mathsf {P} _i'\) be a corrupted party that uses \(\{\tilde{{\mathcal {M}}}_\mathsf {in} ^{r',k\rightarrow i}\}_{r'<r, k\in [n]}\) as its set of incoming messages to generate the message content for party \(\mathsf {P} _j'\) in round r, denoted \({\tilde{m}}_{i\rightarrow j}^r\), and assume that \(\bigcup \tilde{{\mathcal {M}}}_\mathsf {in} ^{r',k\rightarrow i} \nsubseteq \bigcup {\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\). There are two possible cases:
-
Case 1: If \({\tilde{m}}_{i\rightarrow j}^r\in {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), then the adversary can compute a witness for the relation \({\mathcal {R}} ^r_{i\rightarrow j}\). That is, even if \(\bigcup \tilde{{\mathcal {M}}}_\mathsf {in} ^{r',k\rightarrow i} \nsubseteq \bigcup {\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\), the message \({\tilde{m}}_{i\rightarrow j}^r\) can be explained as if generated using a subset of \(\bigcup {\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\). Therefore, without loss of generality this can be cast as a locally consistent attack.
-
Case 2: If \({\tilde{m}}_{i\rightarrow j}^r\notin {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), then to find a witness for the relation \({\mathcal {R}} ^r_{i\rightarrow j}\), \(\mathsf {A} '\) must produce for every message \({\tilde{m}}_{k\rightarrow i}^{r'}\in \bigcup \tilde{{\mathcal {M}}}_\mathsf {in} ^{r',k\rightarrow i} \setminus \bigcup {\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\) a signature \({\tilde{\sigma }}_{k\rightarrow i}^{r'}\), a VRF proof \(\pi _{k\rightarrow i}^{r'}\) and a NIZK proof \({\tilde{\varphi }}_{k\rightarrow i}^{r'}\).
-
If \(\mathsf {P} _k\) is honest, \(\mathsf {A} '\) can find an accepting signature \({\tilde{\sigma }}_{k\rightarrow i}^{r'}\) for \({\tilde{m}}_{k\rightarrow i}^{r'}\) under \(\mathsf {vk}^{\mathsf {ds}}_k\) only with negligible probability (recall that every message \({\tilde{m}}_{k\rightarrow i}^{r'}\) encodes the values \(k,i,r'\); hence, \(\mathsf {A} '\) cannot reuse messages that were signed by \(\mathsf {P} _k\) in other rounds).
-
If \(\mathsf {P} _k\) is corrupted, then in turn it must have provided a valid witness for the relation \({\mathcal {R}} _{k\rightarrow i}^{r'}\). By the minimality of r, it is guaranteed that \({\tilde{m}}_{k\rightarrow i}^{r'-1}\) was honestly generated with respect to the incoming messages of \(\mathsf {P} _k'\) until round \(r'-1\), \(\{\bigcup {\mathcal {M}}_\mathsf {in} ^{r'',k'\rightarrow k}\}_{r''\in [r'-1], k'\in [n]}\). In this case, without loss of generality, the message \({\tilde{m}}_{k\rightarrow i}^{r'}\) could have been sent by the corrupted \(\mathsf {P} _k'\) to the corrupted \(\mathsf {P} _i'\), i.e., be included in the set \({\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\).
The proof of the claim now reduces considering non-\({{\textsf {VRF}}}\)-compliant adversaries, which follows from Claim A.8. \(\square \)
The next claim considers stronger adversaries that are not required to compute their outgoing messages by the next-message function, but can send arbitrary messages instead.
Claim A.10
Consider a perfect NIZK scheme. If \(\Pi _1\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries, then \(\Pi '\) is a \(\left( t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa )\right) \)-\(\mathsf {BA}\) against malicious adversaries.
Proof
Consider a malicious adversary \(\mathsf {A} '\) and assume that \(\mathsf {A} '\) behaves locally consistent and \({{\textsf {VRF}}}\)-compliant until round r, i.e., round r is the first round in which \(\mathsf {A} '\) does not compute a message according to the next-message function. Let \(\mathsf {P} _i'\) be a corrupted party that generates the message content for party \(\mathsf {P} _j'\) in round r, denoted \({\tilde{m}}_{i\rightarrow j}^r\), arbitrarily. There are two possible cases:
-
Case 1: If \({\tilde{m}}_{i\rightarrow j}^r\in {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), then the adversary can compute a witness for the relation \({\mathcal {R}} ^r_{i\rightarrow j}\). That is, the message \({\tilde{m}}_{i\rightarrow j}^r\) can be explained as if generated using \(\{\rho _i^{r'}\}_{r'\in [r]}\) consistently with a subset of the incoming messages in \(\{{\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\}_{r'<r, k\in [n]}\) according to the next-message function. Therefore, without loss of generality this can be cast as a locally consistent \({{\textsf {VRF}}}\)-compliant attack.
-
Case 2: If \({\tilde{m}}_{i\rightarrow j}^r\notin {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), then \(\mathsf {A} '\) must provide \({\tilde{\sigma }}_{i\rightarrow j}^r\) and \(\pi _i^r\) along with a witness \(\mathsf {wit}_{i\rightarrow j}^r\) consisting of:
-
An input bit \(x_i\) an \(\mathsf {setup}_i\).
-
For every \(r'\in [r]\) random coins \(\rho _i^{r'}\).
-
For every \(r'\in [r-1]\) and \(k\in [n]\) a message \({\tilde{{ \varvec{m}}}}_{k\rightarrow i}^{r'}=({\tilde{m}}_{k\rightarrow i}^{r'},{\tilde{\sigma }}_{k\rightarrow i}^{r'},\pi _k^{r'},{\tilde{\varphi }}_{k\rightarrow i}^{r'})\).
In addition it holds that \((({\tilde{m}}_{i\rightarrow j}^r,{\tilde{\sigma }}_{i\rightarrow j}^r,\pi _i^r),\mathsf {wit}_{i\rightarrow j}^r)\in {\mathcal {R}} ^r_{i\rightarrow j}\). As before, with all but negligible probability it is guaranteed that \(\mathsf {VRF.Verify}(\mathsf {vk}^{\mathsf {vrf}}_i,(i,r),\rho _i^r,\pi _i^r)=1\) and for every honest party \(\mathsf {P} _k'\), \((({\tilde{m}}_{k\rightarrow i}^{r'},{\tilde{\sigma }}_{k\rightarrow i}^{r'},\pi _k^{r'}),{\tilde{\varphi }}_{k\rightarrow i}^{r'})\in {\mathcal {R}} _{k\rightarrow i}^{r'}\). For a corrupted \(\mathsf {P} _k'\), if \((({\tilde{m}}_{k\rightarrow i}^{r'},{\tilde{\sigma }}_{k\rightarrow i}^{r'},\pi _k^{r'}),{\tilde{\varphi }}_{k\rightarrow i}^{r'})\in {\mathcal {R}} _{k\rightarrow i}^{r'}\) then without loss of generality the message could have been sent by \(\mathsf {P} _k'\) to \(\mathsf {P} _i'\). We conclude that with all but negligible probability, the \({\tilde{m}}_{i\rightarrow j}^r\) can be explained by a locally consistent \({{\textsf {VRF}}}\)-compliant attack.
The proof of the claim now follows from Claim A.9. \(\square \)
Finally, we remove the assumption of a perfect NIZK scheme and consider a NIZK scheme that allows for negligible adversarial advantage, and obtain the following claim.
Claim A.11
If \(\Pi _1\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries, then \(\Pi '\) is a \(\left( t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa )\right) \)-\(\mathsf {BA}\) against malicious adversaries.
This concludes the proof of the first part of the theorem.
Proof of Item 2 (public-randomness protocols). We prove Item 2 of Theorem A.1 by adjusting the compiler \(\mathsf {Comp}\) and removing the use of NIZK proofs. The new compiler \(\mathsf {Comp}_\mathsf {PR}\) is defined like \(\mathsf {Comp}\) except that instead of computing a NIZK proof \(\varphi _{i\rightarrow j}^r\leftarrow \mathsf {NIZK.Prover}(\mathsf {crs}, \mathsf {stat}_{i\rightarrow j}^r, \mathsf {wit}_{i\rightarrow j}^r)\) for the relation \({\mathcal {R}} _{i\rightarrow j}^r\) and sending \(\varphi _{i\rightarrow j}^r\), the sender \(\mathsf {P} _i'\) simply sends the witness \(\mathsf {wit}_{i\rightarrow j}^r\). The receiver \(\mathsf {P} _j'\) can now directly verify that \(\mathsf {wit}_{i\rightarrow j}^r\) is a valid witness. The proof follows immediately from Item 1 of Theorem A.1. \(\square \)
Rights and permissions
About this article
Cite this article
Cohen, R., Haitner, I., Makriyannis, N. et al. On the Round Complexity of Randomized Byzantine Agreement. J Cryptol 35, 10 (2022). https://doi.org/10.1007/s00145-022-09421-7
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s00145-022-09421-7