Asynchronous Byzantine Agreement with Subquadratic Communication
Julian Loss (U. Maryland)
Chen-Da Liu-Zhang (ETH Zurich)
Erica Blum (U. Maryland)
Jonathan Katz (U. Maryland)
TCC 2020
Byzantine Agreement
[Figure: six parties with inputs $x_1, x_2, \dots, x_6$]
• All honest parties agree on the same output ($y$ in the figure)
• If honest parties have the same input, they keep the same value as output ($x$ in the figure)
Is there an asynchronous BA with $o(n^2)$ communication that tolerates $O(n)$ adaptive corruptions?
• Feasibility of asynch. $o(n^2)$ BA for $f < (1 - \epsilon)n/3$ using a trusted dealer (alternately, with amortized $o(n^2)$ and without setup)
• Impossibility of asynch. $o(n^2)$ BA with $O(n)$ corruptions without setup
Related Work
Most previous subquadratic BA protocols are synchronous or partially synchronous [KS06, KS10, M17, A+19, …]
Recent work by Cohen et al. [CKS20] gives subquadratic asynchronous BA, but the adversary has restricted scheduling power
Feasibility of asynchronous $o(n^2)$ BA for $f < (1 - \epsilon)n/3$ adaptive
[Figure, built up over several slides. Labels: Initial dealer; MPC setup, MPC; BA setup, BA; MPC setup, BA setup; MPC, BA, …]
CC: $O(\mathrm{poly}(\kappa) \cdot n)$
Size: $O(\mathrm{poly}(\kappa))$
$O(\mathrm{poly}(\kappa) \cdot n)$
$O(\mathrm{poly}(\kappa))$
One-Time BA
[Figure: BA setup; GC; Coin; $\le O(\kappa)$]
Graded Consensus [CR93]
Input $x_i$; Output $(z_i, g_i)$
If $\forall$ honest $P_i$: $x_i = x$, then $(z_i, g_i) = (x, 1)$
If $\exists$ honest $P_i$: $g_i = 1$, then $z_j = z_i$
Coin-Flip
Each $P_i$ obtains the same random bit $c_i$
If $g_i = 0$: $x_i = c_i$
Else $x_i = z_i$
Each party in set can prove membership
Each party in set has a (signed) share of $c_i$
Communication: $O(\mathrm{poly}(\kappa) \cdot n)$
Setup size: $O(\mathrm{poly}(\kappa))$
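The iteration on this slide (graded consensus, then a common coin, then the update rule), as an added simulation that is not from the talk or the paper. It assumes ideal GC and coin functionalities, models only the honest parties, and reduces the adversary to choosing GC outputs whenever inputs differ; the function names, the fixed iteration count and the seeds are choices made for this sketch.

```python
import random

def graded_consensus(inputs, adv):
    """Ideal GC over the honest parties' bits; returns [(z_i, g_i), ...]."""
    if len(set(inputs)) == 1:
        # Graded validity: unanimous input x yields (x, 1) for every party.
        return [(inputs[0], 1)] * len(inputs)
    # Inputs differ, so the adversary (modelled by the RNG `adv`) picks grades.
    grades = [adv.choice([0, 1]) for _ in inputs]
    if any(grades):
        # Graded consistency: a single grade 1 forces one common z on all.
        z = adv.choice([0, 1])
        return [(z, g) for g in grades]
    # Every grade is 0: the z values are unconstrained.
    return [(adv.choice([0, 1]), 0) for _ in inputs]

def agreed(values):
    """True when every party holds the same value."""
    return len(set(values)) == 1

def one_time_ba(inputs, iterations, seed):
    """Run `iterations` rounds of GC then coin; return (outputs, trace)."""
    adv = random.Random(seed)            # adversarial choices inside GC
    coin = random.Random(seed ^ 0xC01)   # common coin, independent of adv
    x, trace = list(inputs), []
    for _ in range(iterations):
        graded = graded_consensus(x, adv)
        c = coin.choice([0, 1])          # one bit c shared by all parties
        # Update rule: grade 0 adopts the coin, grade 1 keeps z_i.
        x = [c if g == 0 else z for z, g in graded]
        trace.append(tuple(x))
    return x, trace

if __name__ == "__main__":
    out, trace = one_time_ba([0, 1, 1, 0, 1], iterations=40, seed=7)
    first = next(i for i, t in enumerate(trace) if agreed(t))
    print("output:", out, "| first agreement after iteration", first + 1)
```

An iteration that starts in disagreement ends in agreement with probability at least 1/2 (the coin matches the common z, or every grade is 0), and graded validity then preserves that value in all later iterations.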
MPC
Multi-Party Computation with $\ell$-output quality
[Figure: six parties with inputs $x_1, x_2, \dots, x_6$]
$g(x'_1, x'_2, \dots, x'_n)$, where $x'_i = x_i$ if $P_i \in S$, $x'_i = \bot$ otherwise
Adversary chooses $S$ with size at least $\ell$
Agreement on a Common Subset with $\ell$-output quality
[Figure: ACS with inputs $x_1, x_2, x_3, x_4, \dots, x_n$ and output $S$]
$|S| \ge \ell$ with $\ell - f$ honest inputs
[Figure: $O(\ell)$ BA setups: BA setup, BA setup, …, BA setup]
Communication π β β β β ππππ¦ π β π
ACS setup size: $O(\ell \cdot \mathrm{poly}(\kappa))$
MPC
Threshold Fully Homomorphic Encryption
[Figure: MPC setup, containing ACS setup, $pk$ and $sk_1, \dots, sk_n$ for the parties in a set; encrypted inputs $[x_1], [x_2], [x_3], [x_4], \dots, [x_n]$; ACS; ACS output $[x_1], \bot, [x_3], \bot, \dots, [x_n]$; Eval]
Size: $O((\ell + 1) \cdot \mathrm{poly}(\kappa))$
Decryption
$d_i = \mathrm{DecShare}_{sk_i}(c)$
[Figure: shares $d_1, \dots, d_i, \dots, d_n$]
All parties output $y = \mathrm{Rec}(\{d_i\})$
CC: π β + 1 β β + πͺ β ππππ¦ π β π
MPC for Trusted Dealer
Threshold Fully Homomorphic Encryption
[Figure: MPC setup, containing $pk$ and $sk_1, \dots, sk_n$ for the parties in a set; Eval]
Size: $O(\mathrm{poly}(\kappa))$
Decryption
$d_i = \mathrm{DecShare}_{sk_i}(c)$
[Figure: shares $d_1, \dots, d_i, \dots, d_n$]
All parties output $y = \mathrm{Rec}(\{d_i\})$
CC: $O(\mathrm{poly}(\kappa) \cdot n)$
Impossibility of asynch. $o(n^2)$ BA with $O(n)$ adaptive corruptions and no setup
Other lower bounds:
[DR85, A+19] adversary can perform after-the-fact removal
[R20] similar to our lower bound, but with idealized PKI
[Figure: $P$ and $S'$]
$\forall P_i$ has input 1. $P$ outputs 1.
$\forall P_i \in S'$ has input 0. $\forall P_i \in S'$ outputs 0.
$P$ has input 1; $\forall P_i \in S'$ has input 0. $P$ outputs 1; $\forall P_i \in S'$ outputs 0.
References and Credits
Full version: https://eprint.iacr.org/2020/851
References:
[CR93]: Ran Canetti and Tal Rabin. Fast asynchronous Byzantine agreement with optimal resilience. STOC 1993.
[DR85]: Danny Dolev and Rüdiger Reischuk. Bounds on information exchange for Byzantine agreement. Journal of the ACM 1985.
[KS06]: Valerie King, Jared Saia, Vishal Sanwalani, and Erik Vee. Scalable leader election. SODA 2006.
[KS10]: Valerie King and Jared Saia. Breaking the $O(n^2)$ bit barrier: scalable byzantine agreement with an adaptive adversary. PODC 2010.
[M17]: Silvio Micali. Very simple and efficient byzantine agreement. ITCS 2017.
[A+19]: Ittai Abraham, T.-H. Hubert Chan, Danny Dolev, Kartik Nayak, Rafael Pass, Ling Ren, and Elaine Shi. Communication complexity of byzantine agreement, revisited. PODC 2019.
[CKS20]: Shir Cohen, Idit Keidar, and Alexander Spiegelman. Not a COINcidence: Sub-quadratic asynchronous Byzantine agreement WHP. DISC 2020.
[R20]: Matthieu Rambaud. Lower bounds for authenticated randomized Byzantine consensus under (partial) synchrony: The limits of standalone digital signatures.
Credits: Icons: https://www.flaticon.com/