Abstract
Typically, protocols for Byzantine agreement (BA) are designed to run in either a synchronous network (where all messages are guaranteed to be delivered within some known time \(\varDelta \) from when they are sent) or an asynchronous network (where messages may be arbitrarily delayed). Protocols designed for synchronous networks are generally insecure if the network in which they run does not ensure synchrony; protocols designed for asynchronous networks are (of course) secure in a synchronous setting as well, but in that case tolerate a lower fraction of faults than would have been possible if synchrony had been assumed from the start.
Fix some number of parties n, and \(0< t_a< n/3 \le t_s < n/2\). We ask whether it is possible (given a public-key infrastructure) to design a BA protocol that is resilient to (1) \(t_s\) corruptions when run in a synchronous network and (2) \(t_a\) faults even if the network happens to be asynchronous. We show matching feasibility and infeasibility results demonstrating that this is possible if and only if \(t_a + 2\cdot t_s < n\).
J. Katz—Portions of this work were done while at the University of Maryland.
J. Loss—Work was done while at Ruhr University Bochum.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Byzantine agreement (BA) [24, 35] is a classical problem in distributed computing. Roughly speaking, a BA protocol allows a group of n parties, each holding some initial input value, to agree on their outputs even in the presence of some threshold of corrupted parties. Such protocols are used widely in practice for ensuring consistency among a set of distributed processors [6, 21, 23, 30], and have received renewed interest in the context of blockchain protocols. They also serve as a core building block for more complicated protocols, e.g., for secure multiparty computation. There is an extensive literature on Byzantine agreement, and many different models in which it can be studied. We focus here on the setting in which a public-key infrastructure (PKI) is available.
Typically, protocols for Byzantine agreement are designed and analyzed assuming either a synchronous network, where messages are guaranteed to be delivered within some known time bound \(\varDelta \), or an asynchronous network, where messages can be delayed arbitrarily. Existing results precisely characterize when the problem can be solved in each case [5, 8, 10, 24, 35]: in a synchronous network, it is possible if and only if \(t_s<n/2\) parties are corrupted, while in an asynchronous network it can be achieved only when there are \(t_a<n/3\) corruptions. In each case, protocols tolerating the optimal threshold and running in expected constant rounds are known [5, 20].
In real-world deployments of Byzantine agreement, the network conditions in which a protocol are run may be unclear; for example, the network may generally be synchronous but intermittently experience congestion that prevents messages from being delivered in a timely fashion. This results in the following dilemma when deciding what protocol to use:
-
Protocols designed for a synchronous network are, in general, insecure if the assumption of network synchrony fails.
-
Protocols designed for an asynchronous network will (of course) be secure when the network is synchronous. But in this case the fraction of faults that can be tolerated is lower than what could have been tolerated if the protocol were designed for the synchronous setting.
Fix some thresholds \(t_a, t_s\) with \(0< t_a< n/3 \le t_s < n/2\). We ask the following question: is it possible to design a BA protocol that is (1) resilient to any \(t_s\) (adaptive) corruptions when run in a synchronous network and also (2) resilient to \(t_a\) (adaptive) corruptions even if the network happens to be asynchronous? We completely resolve this question by showing matching feasibility and infeasibility results demonstrating that this is possible if and only if \(t_a + 2\cdot t_s < n\).
Positive Result. The protocol achieving our positive result is constructed by combining two sub-protocols \(\varPi _{\mathsf {SBA}}, \varPi _{\mathsf {ABA}}\) for Byzantine agreement, where \(\varPi _{\mathsf {SBA}}\) is secure in a synchronous network and \(\varPi _{\mathsf {ABA}}\) is secure in an asynchronous network. The key to our analysis is to separately analyze the validity, consistency, and liveness guarantees of these sub-protocols. Specifically, we design \(\varPi _{\mathsf {SBA}}\) so that it also satisfies a certain validity guarantee even when run in an asynchronous network. We also design \(\varPi _{\mathsf {ABA}}\) so that it achieves validity (in an asynchronous network) even beyond n/3 corruptions. We then use these properties to prove security of our main protocol, for different thresholds, when run in either a synchronous or asynchronous network.
Impossibility Result. We also show that our positive result is tight, namely, that if \(t_a + 2\cdot t_s \ge n\) then there is no protocol that is simultaneously resilient to \(t_s\) corruptions when run in a synchronous network and also resilient to \(t_a\) faults in an asynchronous network. In fact, we show a result that is slightly stronger: it is not possible to achieve validity for \(t_s\) static faults in the synchronous setting while also achieving a weak notion of consistency for \(t_a\) static faults in an asynchronous network.
1.1 Related Work
The question of designing protocols that remain secure when run in various network conditions is natural, and so it is somewhat surprising that it has only recently begun to draw attention in the literature. Recent work by Malkhi et al. [28] is most closely related to our own. Among other things, they consider protocols with certain guarantees when run in synchronous or partially synchronous networks. In contrast, we consider the case of synchronous or fully asynchronous networks. Liu et al. [25] design a protocol that is resilient to a minority of malicious corruptions in a synchronous network, and a minority of fail-stop faults in an asynchronous network. Our work can be viewed as extending theirs to consider malicious corruptions in both settings. Guo, Pass, and Shi [16] consider a model motivated by eclipse attacks [18] on blockchain protocols, whereby an attacker temporarily disconnects some subset S of honest parties from the rest of the network \(S'\), e.g., by delaying or dropping messages between S and \(S'\). Parties in S may not be able to reach agreement with honest parties in \(S'\); nevertheless, as observed by Guo et al., it may be possible to provide certain guarantees for the parties in \(S'\) if their network is well-behaved (i.e., synchrony continues to hold for messages sent between parties in \(S'\)). Guo et al. gave BA protocols tolerating the optimal corruption threshold in this model, and Abraham et al. [2] extended their work to achieve similar guarantees for state-machine replication. The main difference between these works and ours is that they continue to assume synchrony in part of the network, and their protocols fail completely if the all communication channels in the network may be asynchronous.
Kursawe [22] shows a protocol for asynchronous BA that reaches agreement more quickly in case the network is synchronous. In contrast to our work, that protocol does not achieve better fault tolerance (and, in particular, cannot tolerate n/3 or more faults) in the synchronous case.
Other recent work has looked at designing protocols for synchronous BA that achieve good responsiveness when the network latency is low. That is, these protocols ensure that if the actual message-delivery time is \(\delta < \varDelta \) then the time to reach agreement is proportional to \(\delta \) rather than the upper bound \(\varDelta \). This problem was considered by Pass and Shi [31, 32], who gave protocols that rely on a leader and are therefore not adaptively secure, as well as by Loss and Moran [27], who avoid the use of a leader. The work of Loss and Moran was extended by Liu-Zhang et al. [26] to the case of general secure computation. None of these works provides security in case the synchrony assumption fails altogether.
Several prior works [3, 7, 12, 34] consider a model in which synchrony is assumed to be available for some (known) limited period of time, and asynchronous afterward. Fitzi et al. [11] and Loss and Moran [27] study trade-offs between the validity, consistency, and liveness properties of BA that inspired our asynchronous BA protocol in Sect. 4 and our lower bound in Sect. 6.
1.2 Paper Organization
We introduce our model as well as definitions for Byzantine agreement and related tasks in Sect. 2. In Sects. 3 and 4 we describe two protocols for Byzantine agreement and prove various properties about them. Those protocols are used, in turn, as sub-protocols of our main protocol in Sect. 5 that achieves security (for different thresholds) in both synchronous and asynchronous networks. Finally, in Sect. 6 we show that the bounds we achieve are tight.
2 Model and Definitions
Throughout, we consider a network of n parties \(P_1, \ldots , P_n\) who may communicate over point-to-point authenticated channels. We also assume that the parties have established a public-key infrastructure in advance of the protocol execution. This means that all parties hold the same vector \((pk_1, \ldots , pk_n)\) of public keys for a digital signature scheme, where each honest party \(P_i\) holds the honestly generated secret key \(sk_i\) associated with \(pk_i\). (Malicious parties may choose their keys arbitrarily.) A valid signature \(\sigma \) on m from \(P_i\) is one for which \(\mathsf {Verify}_{pk_i}(m, \sigma )=1\). We make the standard convention of treating signatures as idealized objects; i.e., throughout our analysis, signatures are assumed to be perfectly unforgeable. When the signature scheme used is existentially unforgeable under chosen-message attacks we thus obtain security against computationally bounded adversaries, with a negligible probability of failure. We implicitly assume that parties use domain separation when signing (e.g., via unique session IDs) to ensure that signatures generated for one purpose will be considered invalid if used in another context.
When we say a protocol tolerates t corrupted parties we always mean that it is secure against an adversary who may adaptively corrupt up to t parties during execution of the protocol and coordinate the actions of those parties as they deviate from the protocol in an arbitrary manner. An honest party is one who is not corrupted by the end of the protocol. We stress that our claims about adaptive security are only with respect to the “property-based” definitions we give here; we do not consider adaptive security with respect to a simulation-based definition [13, 19].
We are interested in protocols running in one of two possible settings. When a protocol is run in a synchronous network, we assume all messages are delivered within a known time bound \(\varDelta \) after they are sent. We allow the adversary to arbitrarily schedule delivery of messages subject to this bound, which implies in particular that we consider a rushing adversary who may obtain messages sent to it before sending messages of its own. In the synchronous case, we also assume all parties begin running the protocol at the same time, and all parties have local clocks that progress at the same rate. When we refer to a protocol running in an asynchronous network, we allow the adversary to arbitrarily schedule delivery of messages without any upper bound on their delivery time. We do, however, require that all messages that are sent are eventually delivered. Importantly, honest parties do not know a priori which type of network the protocol is running in.
We may view executions in a synchronous network as proceeding in a series of rounds, where execution begins at time 0 and the rth round refers to the period of time from \((r-1)\cdot \varDelta \) to \(r\cdot \varDelta \). When we say a party receives a message in round r we mean that it receives a message in that time interval; when we say it sends a message in round r we means it sends that message at the beginning of that round, i.e., at time \((r-1)\cdot \varDelta \). Thus, in a synchronous network all messages sent in round r are received in round r (but in an asynchronous network this need not be the case).
We assume a coin-flip mechanism \(\mathsf{CoinFlip}\) available as an atomic primitive. This can be viewed as an ideal functionality, parameterized by a value t, that upon receiving input k from \(t + 1\) parties generates an unbiased coin \(\mathsf {Coin}_k \in \{0,1\}\) and sends \((k, \mathsf {Coin}_k)\) to all parties. (When run in an asynchronous network, messages to and from \(\mathsf{CoinFlip}\) can be arbitrarily delayed.) The key property this ensures is that, if at most t parties are corrupted, at least one honest party must send k to \(\mathsf{CoinFlip}\) before the adversary can learn \(\mathsf {Coin}_k\). Several protocols for realizing such a coin flipFootnote 1 in an asynchronous network, based on general assumptions, are known [1, 5, 29, 33]. For our purposes, we need a protocol that is secure for \(t<n/3\) faults, and that terminates for \(t'<n/2\) faults. Such protocols can be constructed using a threshold unique signature scheme [4, 14, 17, 27].
2.1 Definitions
We are ultimately interested in Byzantine agreement, but we find it useful to define the related notions of broadcast and graded consensus. Relevant definitions follow.
Byzantine Agreement. Byzantine agreement allows a set of parties who each hold some initial input to agree on their output. We consider several security properties that may hold for such protocols. For simplicity, we consider the case of agreement on a bit; this is without loss of generality as one can run any such protocol \(\ell \) times to agree on a string of length \(\ell \).
We consider Byzantine agreement protocols where, in some cases, parties may not terminate immediately upon generating output, or may never terminate. For that reason, we treat termination separately in the definition that follows. By convention, any party that terminates generates output before doing so; however, we allow parties to output the special symbol \(\perp \).
Definition 1 (Byzantine agreement)
Let \(\varPi \) be a protocol executed by parties \(P_1, \ldots , P_n\), where each party \(P_i\) begins holding input \(v_i \in \{0,1\}\).
-
Weak validity: \(\varPi \) is t -weakly valid if the following holds whenever at most t of the parties are corrupted: if every honest party’s input is equal to the same value v, then every honest party outputs either v or \(\perp \).
-
Validity: \(\varPi \) is t -valid if the following holds whenever at most t of the parties are corrupted: if every honest party’s input is equal to the same value v, then every honest party outputs v.
-
Validity with termination: \(\varPi \) is t -valid with termination if the following holds whenever at most t of the parties are corrupted: if every honest party’s input is equal to the same value v, then every honest party outputs v and terminates.
-
Weak consistency: \(\varPi \) is t -weakly consistent if the following holds whenever at most t of the parties are corrupted: there is a \(v \in \{0,1\}\) such that every honest party outputs either v or \(\perp \).
-
Consistency: \(\varPi \) is t -consistent if the following holds whenever at most t of the parties are corrupted: there is a \(v \in \{0, 1,\bot \}\) such that every honest party outputs v. (In the terminology of Goldwasser and Lindell [15], weak consistency might be called “consistency with abort” and consistency might be called “consistency with unanimous abort.”)
-
Liveness: \(\varPi \) is t -live if whenever at most t of the parties are corrupted, every honest party outputs a value in \(\{0,1\}\).
-
Termination: \(\varPi \) is t -terminating if whenever at most t of the parties are corrupted, every honest party terminates. \(\varPi \) has guaranteed termination if it is n-terminating.
If \(\varPi \) is t-valid, t-consistent, t-live, and t-terminating, then we say \(\varPi \) is t -secure.
While several of the above definitions are not entirely standard, our notion of security matches the standard one. In particular, t-liveness and t-consistency imply that whenever at most t parties are corrupted, there is a \(v \in \{0, 1\}\) such that every honest party outputs v. Note that t-validity with termination is weaker than t-validity plus t-termination, as the former does not require termination in case the inputs of the honest parties do not agree.
Broadcast. Protocols for broadcast allow a set of parties to agree on a value chosen by a designated sender. We only consider broadcast protocols with guaranteed termination, and so do not mention termination explicitly when defining the various properties.
Definition 2 (Broadcast)
Let \(\varPi \) be a protocol executed by parties \(P_1\), ..., \(P_n\), where a sender \(P^* \in \{P_1, \ldots , P_n\}\) begins holding input \(v^* \in \{0,1\}\) and all parties are guaranteed to terminate.
-
Weak validity: \(\varPi \) is t -weakly valid if the following holds whenever at most t of the parties are corrupted: if \(P^*\) is honest, then every honest party outputs either \(v^*\) or \(\perp \).
-
Validity: \(\varPi \) is t -valid if the following holds whenever at most t of the parties are corrupted: if \(P^*\) is honest, then every honest party outputs \(v^*\).
-
Weak consistency: \(\varPi \) is t -weakly consistent if the following holds whenever at most t of the parties are corrupted: there is a \(v \in \{0,1\}\) such that every honest party outputs either v or \(\perp \).
-
Consistency: \(\varPi \) is t -consistent if the following holds whenever at most t of the parties are corrupted: there is a \(v \in \{0, 1, \perp \}\) such that every honest party outputs v.
-
Liveness: \(\varPi \) is t -live if whenever at most t of the parties are corrupted, every honest party outputs a value in \(\{0,1\}\).
If \(\varPi \) is t-valid, t-consistent, and t-live, then we say \(\varPi \) is t -secure.
Graded consensus. As a stepping stone to Byzantine agreement, it is also useful to define graded consensus [9]. Here, each party outputs both a value \(v \in \{0,1,\perp \}\) as well as a grade \(g \in \{0,1,2\}\). As in the case of Byzantine agreement, we consider protocols that may not terminate; however, parties terminate upon generating output.
Definition 3 (Graded consensus)
Let \(\varPi \) be a protocol executed by parties \(P_1,\ldots ,P_n\), where each party \(P_i\) begins holding input \(v_i \in \{0,1\}\) and each party terminates upon generating output.
-
Graded validity: \(\varPi \) achieves t -graded validity if the following holds whenever at most t of the parties are corrupted: if every honest party’s input is equal to the same value v, then all honest parties output (v, 2).
-
Graded consistency: \(\varPi \) achieves t -graded consistency if the following hold whenever at most t of the parties are corrupted: (1) If two honest parties output grades \(g, g'\), then \(|g-g'|\le 1\). (2) If two honest parties output (v, g) and \((v',g')\) with \(g, g' \ge 1\), then \(v=v'\).
-
Liveness: \(\varPi \) is t -live if whenever at most t of the parties are corrupted, every honest party outputs (v, g) with either \(v \in \{0,1\}\) and \(g \ge 1\), or \(v=\perp \) and \(g=0\).
If \(\varPi \) achieves t-graded validity, t-graded consistency, and t-liveness then we say \(\varPi \) is t -secure.
3 Synchronous BA with Fallback (Weak) Validity
In this section we show a protocol that is secure for some threshold \(t_s\) of corrupted parties when run in a synchronous network, and achieves weak validity (though liveness and weak consistency may not hold) for a lower threshold \(t_a\) even when run in an asynchronous network.
Our protocol relies on a variant of the Dolev-Strong broadcast protocol [8] as a subroutine. Since we use a slightly non-standard version of that protocol, we describe it in Fig. 1 for completeness. In the protocol, we say that \((v, \mathsf{SET})\) is an r-correct message (from the point of view of a party \(P_i\)) if \(\mathsf{SET}\) contains valid signatures on v from \(P^*\) and \(r-1\) additional, distinct parties other than \(P_i\).
Lemma 1
Broadcast protocol \(\varPi _\mathsf {DS}\) satisfies the following properties:
-
1.
When run in a synchronous network, it is n-consistent and n-valid.
-
2.
When run in an asynchronous network, it is n-weakly valid.
Proof
The standard analysis of the Dolev-Strong protocol shows that, when run in a synchronous network with any number of corrupted parties, \(\mathsf{ACC}_i=\mathsf{ACC}_j\) for any honest parties \(P_i, P_j\). This implies n-consistency. Since an honest \(P^*\) sends a 1-correct message to all honest parties, and the attacker cannot forge signatures of the honest sender, n-validity holds.
The second claim follows because an attacker cannot forge the signature of an honest \(P^*\).
We now define a BA protocol using \(\varPi _\mathsf {DS}\) as a sub-routine. This protocol is parameterized by a value \(t_a\) which determines the security thresholds the protocol satisfies.
Theorem 1
For any \(t_a, t_s\) with \(t_a < n/3\) and \(t_a + 2\cdot t_s < n\), Byzantine agreement protocol \(\varPi _{\mathsf {SBA}}^{t_a}\) satisfies the following properties:
-
1.
When the protocol is run in a synchronous network, it is \(t_s\)-secure.
-
2.
When the protocol is run in an asynchronous network, it is \(t_a\)-weakly valid.
Moreover, the protocol has guaranteed termination in both cases, and when run in a synchronous network every honest party terminates in time at most \(n \cdot \varDelta \).
Proof
The claim about termination is immediate.
When run in a synchronous network with \(t_s\) corrupted parties, at least \(n-t_s > 2t_a\) of the executions of \(\varPi _\mathsf {DS}\) result in boolean output for all honest parties (by n-validity of \(\varPi _\mathsf {DS}\)) and so all honest parties generate boolean output in \(\varPi _{\mathsf {SBA}}^{t_a}\); this proves \(t_s\)-liveness. By n-consistency of \(\varPi _\mathsf {DS}\), all honest parties agree on the \(\{v_j\}\) values they obtain and hence \(\varPi _{\mathsf {SBA}}^{t_a}\) is \(t_s\)-consistent (in fact, it is n-consistent). Finally, n-validity of \(\varPi _\mathsf {DS}\) implies that when all honest parties begin holding the same input \(v \in \{0,1\}\), then all honest parties will have v as their majority value. This proves \(t_s\)-validity (in fact, the protocol is t-valid for any \(t<n/2\)).
For the second claim, assume all honest parties begin holding the same input v, and \(t_a\) parties are corrupted. Any honest party \(P_i\) who generates boolean output must have at least \(2t_a+1\) boolean values \(\{v^i_j\}\), of which at most \(t_a\) of these can be equal to \(\bar{v}\). Hence, any honest party who generates boolean output will in fact output v.
4 Validity-Optimized Asynchronous BA
Here we show a protocol that is secure for some threshold when run in an asynchronous network, and achieves validity for a higher threshold. Throughout this section we only consider protocols running in an asynchronous network, and so drop explicit mention of this fact for the remainder of this section.
Theorem 2
For any \(t_a, t_s\) with \(t_a < n/3\) and \(t_a + 2 \cdot t_s < n\), there is an n-party protocol for Byzantine agreement that, when run in an asynchronous network, is \(t_a\)-secure and also achieves \(t_s\)-validity with termination.
Our proof of Theorem 2 proceeds in a number of steps. In Sect. 4.1 we describe a “validity-optimized” protocol \(\varPi ^{t_s}_\mathsf{GC}\) for graded consensus that is \(t_a\)-secure and also achieves \(t_s\)-graded validity. Then, in Sect. 4.2, we show a Byzantine agreement protocol \(\varPi ^{t_s}_\mathsf{ABA}\) using \(\varPi ^{t_s}_\mathsf{GC}\) as a subroutine. This protocol illustrates our main ideas, and achieves all the properties claimed in Theorem 2 except termination. We then discuss how termination can be added using existing techniques.
Our protocol is based on the work of Mostéfaoui et al. [29], but allows for variable thresholds. Also, our description simplifies theirs by presenting the protocol in a modular fashion.
4.1 Validity-Optimized Graded Consensus
Our graded consensus protocol relies on a sub-protocol \(\varPi ^{t_s}_\mathsf{prop}\) for proposing values, shown in Fig. 3. This protocol is parameterized by a value \(t_s\) that determines its security thresholds. We begin by proving some properties of \(\varPi ^{t_s}_\mathsf{prop}\). Throughout, we let n denote the number of parties.
Lemma 2
Assume \(t_a<n-2\cdot t_s\) parties are corrupted in an execution of \(\varPi ^{t_s}_\mathsf{prop}\). If two honest parties \(P_i, P_j\) output \(\{b\}\), \(\{b'\}\), respectively, then \(b=b'\).
Proof
Since \(P_i\) outputs \(\{b\}\), it must have received at least \(n-t_s\) messages \((\mathsf {propose},b)\), of which at least \(n-t_s-t_a\) of those were sent by honest parties. Similarly, \(P_j\) must have received at least \(n-t_s-t_a\) messages \((\mathsf {propose}, b')\) that were sent by honest parties. If \(b\ne b'\), then because \(2 \cdot (n-t_s-t_a)\) is strictly greater than the number of honest parties \(n-t_a\), this would mean that some honest party sent \(\mathsf {propose}\) messages on two different values, which is impossible.
Lemma 3
Assume \(t_a\le t_s\) parties are corrupted in an execution of \(\varPi ^{t_s}_\mathsf{prop}\). If no honest party has input v, then no honest party outputs \(\mathsf{prop}\) containing v.
Proof
If v was not input by any honest party, then at most \(t_a\le t_s\) messages \((\mathsf {prepare}, v)\) are sent in step 2. Thus, no honest party ever sends a message \((\mathsf {prepare}, v)\), and consequently no honest party ever sends a message \((\mathsf {propose}, v)\). It follows that no honest party ever adds v to \(\mathsf {vals}\), and so no honest party outputs \(\mathsf{prop}\) containing v.
Lemma 4
Assume \(t_a\) parties are corrupted in an execution of \(\varPi ^{t_s}_\mathsf{prop}\), where \(t_a <n-2\cdot t_s\) and \(t_a \le t_s\). If an honest party sends a message \((\mathsf {propose}, b)\), all honest parties add b to \(\mathsf {vals}\).
Proof
Suppose some honest party \(P_i\) sends \((\mathsf {propose}, b)\). Then \(P_i\) must have received at least \(n-t_s\) messages \((\mathsf {prepare}, b)\). At least \(n-t_s-t_a > t_s\) of these must have been sent by honest parties, and so eventually all other honest parties also receive strictly more than \(t_s\) messages \((\mathsf {prepare}, b)\). We thus see that every honest party will eventually send \((\mathsf {prepare}, b)\). Therefore, every honest party will eventually receive at least \(n-t_a\ge n-t_s\) messages \((\mathsf {prepare}, b)\), and consequently every honest party will add b to \(\mathsf {vals}\).
Note that whenever parties in \(\varPi ^{t_s}_\mathsf{prop}\) generate output, they terminate. While honest parties do not necessarily terminate (for example, if honest parties are split evenly among 0, 1, and \(\lambda \)), we show they do terminate as long as honest parties hold at most two different input values.
Lemma 5
Assume \(t_a\) parties are corrupted in an execution of \(\varPi ^{t_s}_\mathsf{prop}\), where \(t_a <n-2\cdot t_s\) and \(t_a \le t_s\). If all honest parties hold one of two different inputs, then all honest parties terminate.
Proof
We first argue that every honest party sends a \(\mathsf {propose}\) message. Indeed, there are \(n-t_a\) honest parties, so at least \(\frac{1}{2}(n-t_a)>t_s\) honest parties must have the same input v. Therefore, all honest parties receive strictly more than \(t_s\) messages \((\mathsf {prepare}, v)\). Consequently, all honest parties will eventually send \((\mathsf {prepare}, v)\). Thus, every honest party receives \(n-t_a\ge n-t_s\) messages \((\mathsf {prepare}, v)\) and adds v to \(\mathsf {vals}\). In particular, \(\mathsf {vals}\) is nonempty and so every honest party sends a \(\mathsf {propose}\) message.
Each honest party thus receives at least \(n-t_a\ge n-t_s\) \(\mathsf {propose}\) messages sent by honest parties. By Lemma 4, for any b proposed by an honest party, all honest parties eventually have \(b\in \mathsf {vals}\). Thus, every honest party eventually receives at least \(n-t_s\) propose messages for values in their set \(\mathsf {vals}\), and therefore all honest parties terminate.
\(\varPi _\mathsf{prop}^{t_s}\) satisfies a notion of validity even for \(t_s\) corrupted parties.
Lemma 6
Assume \(t_s<n/2\) parties are corrupted in an execution of \(\varPi ^{t_s}_\mathsf{prop}\). If all honest parties hold the same input v, then all honest parties output \(\mathsf{prop}=\{v\}\).
Proof
Suppose \(t_s\) parties are corrupted, and all honest parties hold the same input v. In step 2, all \(n-t_s\) honest parties send \((\mathsf {prepare}, v)\), and so all honest parties add v to \(\mathsf {vals}\). Any \(\mathsf {prepare}\) messages on other values in step 2 are sent by the \(t_s<n-t_s\) corrupted parties, and so no honest party ever adds a value other than v to \(\mathsf {vals}\). Thus, all \(n-t_s\) honest parties send their (single) \(\mathsf {propose}\) message \((\mathsf {propose}, v)\) in step 5. It follows that every honest party outputs \(\mathsf{prop}=\{v\}\) in step 6.
In Fig. 4 we show a graded consensus protocol \(\varPi ^{t_s}_\mathsf{GC}\) that relies on \(\varPi ^{t_s}_\mathsf{prop}\) as a subroutine. Note that parties terminate upon generating output. We now analyze the protocol.
Lemma 7
If \(t_s < n/2\), then \(\varPi ^{t_s}_\mathsf{GC}\) achieves \(t_s\)-graded validity.
Proof
Suppose \(t_s\) parties are corrupted, and every honest party’s input is equal to the same value v. By Lemma 6, all honest parties have \(\mathsf{prop}_{1}=\{v\}\) following the first execution of \(\varPi ^{t_s}_\mathsf{prop}\), and so use v as the input for the second execution of \(\varPi ^{t_s}_\mathsf{prop}\). By the same reasoning, all honest parties have \(\mathsf{prop}_{2}=\{v\}\) after the second execution of \(\varPi ^{t_s}_\mathsf{prop}\). Thus, all honest parties output (v, 2).
Lemma 8
Assume \(t_a \le t_s\) and \(t_a + 2\cdot t_s < n\). Then \(\varPi ^{t_s}_\mathsf{GC}\) achieves \(t_a\)-graded consistency.
Proof
Suppose \(t_a\) parties are corrupted. First, we show that the grades output by two honest parties \(P_i, P_j\) differ by at most 1. The only way this can possibly fail is if one of the parties (say, \(P_i\)) outputs a grade of 2. \(P_i\) must then have received \(\mathsf{prop}_2=\{b\}\), for some \(b \in \{0,1\}\), as its output from the second execution of \(\varPi ^{t_s}_\mathsf{prop}\). It follows from Lemma 2 that \(P_j\) could not have received \(\mathsf{prop}_2=\{\lambda \}\). Therefore, it is not possible for \(P_j\) to output grade 0.
Next, we show that any two honest parties that output nonzero grades must output the same value. Observe first that there is a bit b such that the inputs of all the honest parties to the second execution of \(\varPi ^{t_s}_\mathsf{prop}\) lie in \(\{b, \lambda \}\). (Indeed, if all honest parties set \(b_2:=\lambda \) this claim is immediate. On the other hand, if some honest party sets \(b_2:=b\in \{0,1\}\) then they must have \(\mathsf{prop}_1=\{b\}\); but then Lemma 2 implies that any other honest party who sets \(b_2\) to anything other than \(\lambda \) will set it equal to b as well.) Lemma 3 thus implies that no honest party outputs a set \(\mathsf{prop}_2\) after the second execution of \(\varPi ^{t_s}_\mathsf{prop}\) that contains a value other than b or \(\lambda \). Thus, any two honest parties that output a nonzero grade must output the same value b.
Lemma 9
Assume \(t_a \le t_s\) and \(t_a + 2\cdot t_s < n\). Then \(\varPi ^{t_s}_\mathsf{GC}\) achieves \(t_a\)-liveness.
Proof
All honest parties hold input in \(\{0,1\}\) in the first execution of \(\varPi ^{t_s}_\mathsf{prop}\), so Lemma 5 shows that all honest parties terminate that execution. As in the proof of the previous lemma, there is a bit b such that the inputs of all the honest parties to the second execution of \(\varPi ^{t_s}_\mathsf{prop}\) lie in \(\{b, \lambda \}\); so, using Lemma 5 again, that execution also terminates. Moreover, by Lemma 3, the set \(\mathsf{prop}_2\) output by any honest party is a nonempty subset of \(\{b,\lambda \}\), i.e., is either \(\{b\}, \{b,\lambda \}\), or \(\{\lambda \}\). Thus, every honest party generates output and terminates in \(\varPi ^{t_s}_\mathsf{GC}\).
4.2 Validity-Optimized Byzantine Agreement
We present a Byzantine agreement protocol \(\varPi ^{t_s}_\mathsf{ABA}\) in Fig. 5. Recall from Sect. 2 that we assume an atomic primitive \(\mathsf{CoinFlip}\) that allows all parties to generate and learn an unbiased value \(\mathsf {Coin}_k\in \{0,1\}\) for \(k=1,\ldots \). We refer there for a discussion as to how it can be realized.
Lemma 10
If \(t_s < n/2\), then protocol \(\varPi ^{t_s}_\mathsf{ABA}\) satisfies \(t_s\)-validity. Moreover, if all honest parties initially hold v, then all honest parties output v at the end of the first iteration of \(\varPi ^{t_s}_\mathsf{ABA}\).
Proof
Suppose there are at most \(t_s\) corrupted parties and all honest parties initially hold \(v\in \{0,1\}\). All honest parties use input v in the first execution of \(\varPi ^{t_s}_\mathsf{GC}\) in the first iteration; \(t_s\)-graded validity of \(\varPi ^{t_s}_\mathsf{GC}\) (cf. Lemma 7) implies they all output (v, 2) from that execution. Thus, all honest parties ignore the result of the coin flip and run a second instance of \(\varPi ^{t_s}_\mathsf{GC}\) using input v, again unanimously obtaining (v, 2) as output. Thus, all honest parties output v in the first iteration.
Lemma 11
Assume \(t_a \le t_s\) and \(t_a + 2\cdot t_s < n\). Then \(\varPi ^{t_s}_\mathsf{ABA}\) satisfies \(t_a\)-liveness and \(t_a\)-consistency. Moreover: (1) if an honest party generates generates output for the first time in iteration k, then every other honest party generates output in iteration k or \(k+1\), and (2) all honest parties generate output in an expected constant number of iterations.
Proof
Assume \(t_a\) parties are corrupted. Consider an iteration k of the protocol by which no honest party has yet generated output. Let Agree be the event that all honest parties use the same input to the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in that iteration. If Agree occurs, then \(t_s\)-graded validity of \(\varPi ^{t_s}_\mathsf{GC}\) implies that all honest parties will obtain a grade of 2 in that execution and hence generate output in iteration k. We show that Agree occurs with probability at least 1/2. We distinguish two cases:
-
Say some honest party outputs (b, 2) in the first execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration k. By \(t_a\)-graded consistency of \(\varPi ^{t_s}_\mathsf{GC}\), all honest parties output either (b, 2) or (b, 1) in that execution of \(\varPi ^{t_s}_\mathsf{GC}\). Since \(\mathsf {Coin}_k\) is not revealed until the first honest party terminates that execution of \(\varPi ^{t_s}_\mathsf{GC}\), this means b is chosen independently of \(\mathsf {Coin}_k\). If \(\mathsf {Coin}_k=b\), which occurs with probability 1/2, then all parties will use the same input in the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration k.
-
If no honest party outputs (b, 2) after the first execution of \(\varPi ^{t_s}_\mathsf{GC}\), then all honest parties will use \(\mathsf {Coin}_k\) as their input in the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration k.
The above implies that in expected constant rounds some honest party generates boolean output. We next show that if some honest party \(P_i\) outputs \(b\in \{0,1\}\) in iteration k, then all other honest parties output b in iteration k or \(k+1\). Since \(P_i\) output b in iteration k, it must have seen (b, 2) as the output of the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration k. By \(t_a\)-graded consistency of \(\varPi ^{t_s}_\mathsf{GC}\), every honest party obtains either (b, 1) or (b, 2) as output from that execution of \(\varPi ^{t_s}_\mathsf{GC}\). Clearly, all honest parties in the second situation output b in iteration k. We argue that all honest parties in the first situation (namely, who obtain output (b, 1)) will output b in iteration \(k+1\). This can be seen as follows. Since all honest parties use input b in the first execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration \(k+1\), all honest parties output (b, 2) in that execution (by \(t_s\)-validity of \(\varPi ^{t_s}_\mathsf{GC}\)). All honest parties then participate in the coin flip but ignore the result, and use input b in the next execution of \(\varPi ^{t_s}_\mathsf{GC}\). Thus, all honest parties obtain output (b, 2) from the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration \(k+1\), and any honest party that did not output b in the previous iteration will output it now.
Corollary 1
For any \(t_a, t_s\) with \(t_a < n/3\) and \(t_a + 2 \cdot t_s < n\), there is an n-party protocol for Byzantine agreement that, when run in an asynchronous network, achieves \(t_s\)-validity, \(t_a\)-consistency, and \(t_a\)-liveness.
Proof
We may assume \(t_s \ge t_a\) since, if not, we can set \(t_s=t_a\) and \(t_a + 2 \cdot t_s < n\) will still hold. Note also that the stated conditions imply \(t_s < n/2\). The corollary thus follows from Lemmas 10 and 11.
Adding Termination. Corollary 1 proves all the claims of Theorem 2 except for termination and, indeed, parties in \(\varPi _\mathsf{ABA}^{t_s}\) participate indefinitely and so the protocol does not terminate. However, we can obtain a terminating protocol \(\varPi _\mathsf{ABA^*}^{t_s}\) (and hence complete the proof of Theorem 2) using existing techniques [29]. We refer to the appendix for further discussion.
5 Main Protocol
Fix \(n, t_a, t_s\) with \(t_a<n/3\) and \(t_a + 2\cdot t_s < n\). As in the proof of Corollary 1 we may assume \(t_a \le t_s\). Our main protocol \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\) is given in Fig. 6. It relies on the following sub-protocols:
-
\(\varPi _{\mathsf {SBA}}^{t_a}\) is an n-party BA protocol that is \(t_s\)-secure when run in a synchronous network, and \(t_a\)-weakly valid when run in an asynchronous network. Moreover, the protocol has guaranteed termination regardless of the network, and when run in a synchronous network all honest parties terminate by time \(n \cdot \varDelta \). The existence of such a protocol is guaranteed by Theorem 1.
-
\(\varPi _\mathsf{ABA^*}^{t_s}\) is an n-party BA protocol that is \(t_a\)-secure and \(t_s\)-valid with termination when run in an asynchronous network. (Of course, these properties also hold if the protocol is run in a synchronous network.) The existence of such a protocol is guaranteed by Theorem 2.
Theorem 3
Let \(n, t_a, t_s\) be as above. Then protocol \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\) satisfies the following properties:
-
1.
When the protocol is run in a synchronous network, it is \(t_s\)-secure.
-
2.
When the protocol is run in an asynchronous network, it is \(t_a\)-secure.
Proof
First consider the case when \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\) is run in a synchronous network, and at most \(t_s\) parties are corrupted. By \(t_s\)-security of \(\varPi _{\mathsf {SBA}}^{t_a}\), after running \(\varPi _{\mathsf {SBA}}^{t_a}\) there is a value \(b \ne \perp \) such that \(b_i=b\) for every honest \(P_i\). Moreover, if every honest party’s input was equal to the same value v, then \(b=v\). Thus, all honest parties set \(v_i^*\) to the same value b and, if every party’s input was the same value v, then \(v_i^*=v\). By \(t_s\)-validity with termination of \(\varPi _\mathsf{ABA^*}^{t_s}\), all honest parties terminate and agree on their output from \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\), proving \(t_s\)-consistency, \(t_s\)-liveness, and \(t_s\)-termination. Moreover, if every honest party’s original input was equal to the same value v, then the output of \(\varPi _\mathsf{ABA^*}^{t_s}\) (and thus of \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\)) is equal to v. This proves \(t_s\)-validity.
Next consider the case when \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\) is run in an asynchronous network, and at most \(t_a\) parties are corrupted. The protocol inherits \(t_a\)-consistency, \(t_a\)-liveness, and \(t_a\)-termination from \(t_a\)-security of \(\varPi _\mathsf{ABA^*}^{t_s}\), and so it only remains to argue \(t_a\)-validity. Assume every honest party’s initial input is equal to the same value v. Then \(t_a\)-weak validity of \(\varPi _{\mathsf {SBA}}^{t_a}\), plus the fact that it always terminates, imply that \(b_i \in \{v, \perp \}\), and hence \(v^*_i=v\), for every honest \(P_i\). It follows from \(t_s\)-validity (note \(t_a \le t_s\)) of \(\varPi _\mathsf{ABA^*}^{t_s}\) that all honest parties output v.
6 Impossibility Result
We show here that our positive result from the previous section is tight. That is:
Theorem 4
For any n, if \(t_a \ge n/3\) or \(t_a + 2 \cdot t_s \ge n\) there is no n-party protocol for Byzantine agreement that is \(t_s\)-secure in a synchronous network and \(t_a\)-secure in an asynchronous network.
The case of \(t_a \ge n/3\) follows from existing impossibility results for asynchronous consensus, so the interesting case is when \(t_a < n/3\) but \(t_a + 2 \cdot t_s \ge n\). Theorem 4 follows from the lemma below.
Lemma 12
Fix \(n, t_a, t_s\) with \(t_a + 2t_s \ge n\). If an n-party Byzantine agreement protocol is \(t_s\)-valid in a synchronous network, then it cannot also be \(t_a\)-weakly consistent in an asynchronous network.
Proof
The proof is similar to that of [36]. Assume \(t_a+2t_s=n\) and fix a BA protocol \(\varPi \). Partition the n parties into sets \(S_0, S_1, S_a\) where \(|S_0|=|S_1|=t_s\) and \(|S_a|=t_a\), and consider the following experiment:
-
Parties in \(S_0\) run \(\varPi \) using input 0, and parties in \(S_1\) run \(\varPi \) using input 1. All communication between parties in \(S_0\) and parties in \(S_1\) is blocked (but all other messages are delivered within time \(\varDelta \)).
-
Create virtual copies of each party in \(S_a\), call them \(S_a^0\) and \(S_a^1\). Parties in \(S_a^0\) run \(\varPi \) using input 0, and communicate only with each other and parties in \(S_0\). Parties in \(S_a^1\) run \(\varPi \) using input 1, and communicate only with each other and parties in \(S_1\).
Consider an execution of \(\varPi \) in a synchronous network where parties in \(S_1\) are corrupted and simply abort, and all remaining (honest) parties use input 0. The views of the honest parties in this execution are distributed identically to the views of \(S_0 \cup S_a^0\) in the above experiment. In particular, \(t_s\)-validity of \(\varPi \) implies that all parties in \(S_0\) output 0. Analogously, all parties in \(S_1\) output 1.
Next consider an execution of \(\varPi \) in an asynchronous network where parties in \(S_a\) are corrupted, and run \(\varPi \) using input 0 when interacting with \(S_0\) while running \(\varPi \) using input 1 when interacting with \(S_1\). Moreover, all communication between the (honest) parties in \(S_0\) and \(S_1\) is delayed indefinitely. The views of the honest parties in this execution are distributed identically to the views of \(S_0 \cup S_1\) in the above experiment, yet the conclusion of the preceding paragraph shows that weak consistency is violated.
Notes
- 1.
Some of these realize a p-weak coin flip, where honest parties agree on the coin only with probability \(p<1\). We can also rely on such protocols, at an increase in the expected round complexity by a factor of O(1/p).
References
Abraham, I., Dolev, D., Halpern, J.Y.: An almost-surely terminating polynomial protocol for asynchronous Byzantine agreement with optimal resilience. In: 27th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 405–414. ACM Press (2008)
Abraham, I., Malkhi, D., Nayak, K., Ren, L., Yin, M.: Sync HotStuff: simple and practical synchronous state machine replication (2019). http://eprint.iacr.org/2019/270
Beerliová-Trubíniová, Z., Hirt, M., Nielsen, J.B.: On the theoretical gap between synchronous and asynchronous MPC protocols. In: 29th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 211–218. ACM Press (2010)
Cachin, C., Kursawe, K., Shoup, V.: Random oracles in Constantinople: practical asynchronous Byzantine agreement using cryptography. J. Cryptology 18(3), 219–246 (2005)
Canetti, R., Rabin, T.: Fast asynchronous Byzantine agreement with optimal resilience. In: 25th Annual ACM Symposium on Theory of Computing (STOC), pp. 42–51. ACM Press (1993)
Castro, M., Liskov, B.: Practical Byzantine fault tolerance and proactive recovery. ACM Trans. Comput. Syst. 20(4), 398–461 (2002)
Damgård, I., Geisler, M., Krøigaard, M., Nielsen, J.B.: Asynchronous multiparty computation: theory and implementation. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 160–179. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_10
Dolev, D., Strong, H.R.: Authenticated algorithms for Byzantine agreement. SIAM J. Comput. 12(4), 656–666 (1983)
Feldman, P., Micali, S.: An optimal probabilistic protocol for synchronous Byzantine agreement. SIAM J. Comput. 26(4), 873–933 (1997)
Fischer, M.J., Lynch, N.A., Paterson, M.: Impossibility of distributed consensus with one faulty process. J. ACM 32(2), 374–382 (1985)
Fitzi, M., Hirt, M., Holenstein, T., Wullschleger, J.: Two-threshold broadcast and detectable multi-party computation. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 51–67. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_4
Fitzi, M., Nielsen, J.B.: On the number of synchronous rounds sufficient for authenticated byzantine agreement. In: Keidar, I. (ed.) DISC 2009. LNCS, vol. 5805, pp. 449–463. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04355-0_46
Garay, J.A., Katz, J., Kumaresan, R., Zhou, H.-S.: Adaptively secure broadcast, revisited. In: 30th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 179–186. ACM Press (2011)
Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: scaling Byzantine agreements for cryptocurrencies (2017). http://eprint.iacr.org/2017/454
Goldwasser, S., Lindell, Y.: Secure multi-party computation without agreement. J. Cryptology 18(3), 247–287 (2005)
Guo, Y., Pass, R., Shi, E.: Synchronous, with a chance of partition tolerance. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 499–529. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_18
Hanke, T., Movahedi, M., Williams, D.: Dfinity technology overview series consensus system, rev. 1 (2018). https://dfinity.org/faq
Heilman, E., Kendler, A., Zohar, A., Goldberg, S.: Eclipse attacks on Bitcoin’s peer-to-peer network. In: 24th USENIX Security Symposium, pp. 129–144. USENIX Association (2015)
Hirt, M., Zikas, V.: Adaptively secure broadcast. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 466–485. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_24
Katz, J., Koo, C.-Y.: On expected constant-round protocols for Byzantine agreement. J. Comput. Syst. Sci. 75(2), 91–112 (2009)
Kotla, R., Alvisi, L., Dahlin, M., Clement, A., Wong, E.L.: Zyzzyva: speculative Byzantine fault tolerance. ACM Trans. Comput. Syst. 27(4), 7:1–7:39 (2009)
Kursawe, K.: Optimistic Byzantine agreement. In: 21st Symposium on Reliable Distributed Systems (SRDS), pp. 262–267. IEEE Computer Society (2002)
Lamport, L.: The part-time parliament. Technical Report 49, DEC Systems Research Center (1989)
Lamport, L., Shostak, R.E., Pease, M.C.: The Byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3), 382–401 (1982)
Liu, S., Viotti, P., Cachin, C., Quéma, V., Vukolic, M.: XFT: practical fault tolerance beyond crashes. In: 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI), pp. 485–500. USENIX Association (2016)
Liu-Zhang, C.-D., Loss, J., Moran, T., Maurer, U., Tschudi, D.: Robust MPC: asynchronous responsiveness yet synchronous security (2019). http://eprint.iacr.org/2019/159
Loss, J., Moran, T.: Combining asynchronous and synchronous Byzantine agreement: the best of both worlds (2018). http://eprint.iacr.org/2018/235
Malkhi, D., Nayak, K., Ren, L.: Flexible Byzantine fault tolerance (2019). https://arxiv.org/abs/1904.10067
Mostéfaoui, A., Moumen, H., Raynal, M.: Signature-free asynchronous binary Byzantine consensus with \(t<n/3\), \(O(n^2)\) messages, and \(O(1)\) expected time. J. ACM 62(4), 31:1–31:21 (2015)
Ongaro, D., Ousterhout, J.K.: In search of an understandable consensus algorithm. In: USENIX Annual Technical Conference, pp. 305–319. USENIX Association (2014)
Pass, R., Shi, E.: Hybrid consensus: efficient consensus in the permissionless model. In: 31st International Symposium on Distributed Computing (DISC), volume 91 of LIPIcs, pp. 39:1–39:16. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik (2017)
Pass, R., Shi, E.: Thunderella: blockchains with optimistic instant confirmation. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 3–33. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_1
Patra, A., Choudhary, A., Pandu Rangan, C.: Simple and efficient asynchronous byzantine agreement with optimal resilience. In: 28th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 92–101. ACM Press (2009)
Patra, A., Ravi, D.: On the power of hybrid networks in multi-party computation. IEEE Trans. Inf. Theory 64(6), 4207–4227 (2018)
Pease, M., Shostak, R.E., Lamport, L.: Reaching agreement in the presence of faults. J. ACM 27(2), 228–234 (1980)
Toueg, S.: Randomized Byzantine agreements. In: 3rd Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 163–178. ACM Press (1984)
Acknowledgments
Julian Loss was supported by ERC Project ERCC (FP7/615074).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix
Appendix
Protocol \(\varPi _\mathsf{ABA}^{t_s}\) has the property that parties never terminate. It is worth noting that the naive way to address this drawback—in which honest parties participate in one more iteration after generating output, and then terminate—is not sufficient to allow the remaining honest parties to terminate. To see why, suppose that some honest party \(P_i\) receives (b, 2) as output from the second instance of \(\varPi _\mathsf{GC}^{t_s}\) in iteration k, and some other honest party \(P_j\) receives (b, 1). Now \(P_i\) will participate in iteration \(k+1\), helping \(P_j\) to output (b, 2) in that iteration. However, \(P_i\) then terminates and does not participate in iteration \(k+2\), while \(P_j\) still needs to complete iteration \(k+2\) in order to terminate. \(P_j\) will not receive messages from \(P_i\) when running \(\varPi _\mathsf{GC}^{t_s}\), and (since the network may be asynchronous) has no way of knowing whether \(P_i\) has terminated or is sending messages that have been delayed. Thus, \(P_j\) may never terminate its execution of \(\varPi _\mathsf{GC}^{t_s}\).
Nevertheless, we can obtain a terminating protocol \(\varPi _\mathsf{ABA^*}^{t_s}\) using existing techniques [29]. The basic idea is that when an honest party generates output, it announces that fact to all other parties and terminates; the remaining honest parties can then simulate its behavior for the rest of their execution. Specifically, we modify \(\varPi _\mathsf{ABA}^{t_s}\) as follows: when an honest party \(P_i\) outputs \(b^*\), it sends \((\mathsf {notify}, b^*)\) to all parties. Upon receiving such a message, the remaining parties each locally simulate the behavior of \(P_i\) in the rest of the protocol, and specifically simulate receiving \((\mathsf {prepare}, b^*)\) and \((\mathsf {propose}, b^*)\) from \(P_i\) in each execution of the \(\varPi ^{t_s}_\mathsf{prop}\) subroutines. The following lemma shows that this is sufficient to simulate the behavior of honest parties who have already terminated.
Lemma 13
Let \(t_a, t_s\) be such that \(t_a \le t_s\) and \(t_a + 2\cdot t_s < n\), and assume at most \(t_a\) parties are corrupted in an execution of \(\varPi _\mathsf{ABA}^{t_s}\). If an honest party outputs \(b^*\), then in every future execution of \(\varPi ^{t_s}_\mathsf{prop}\) within \(\varPi _\mathsf{ABA}^{t_s}\) that party will send exactly the messages \((\mathsf {prepare}, b^*)\) and \((\mathsf {propose}, b^*)\).
Proof
Say honest party \(P_i\) outputs \(b^*\in \{0,1\}\) in some iteration k. Then \(P_i\) must have received \((b^*,2)\) as the output of the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration k. By \(t_a\)-graded consistency of \(\varPi ^{t_s}_\mathsf{GC}\), every honest party obtained \((b^*,1)\) or \((b^*,2)\) as output from the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration k. Therefore, in the first execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration \(k+1\), all honest parties use input \(b^*\). Using the same argument as in the proof of Lemma 3, observe that no value other than \(b^*\) receives enough \(\mathsf {prepare}\) messages to be echoed (and therefore proposed) in this execution of \(\varPi ^{t_s}_\mathsf{prop}\). Therefore every honest party sends \((\mathsf {prepare}, b^*)\) in that execution of \(\varPi ^{t_s}_\mathsf{prop}\), and hence every honest party sends \((\mathsf {propose}, b^*)\) as in the proof of Lemma 5. This establishes that honest parties send exactly the messages \((\mathsf {prepare}, b^*)\) and \((\mathsf {propose}, b^*)\) in the first execution of \(\varPi ^{t_s}_\mathsf{prop}\) (as a subroutine of the first execution of \(\varPi ^{t_s}_\mathsf{GC}\)). Since, by Lemma 6, all honest parties terminate with \(\{b^*\}\) in that execution, they all use input \(b^*\) in the second execution of \(\varPi ^{t_s}_\mathsf{prop}\) (still in the first execution of \(\varPi ^{t_s}_\mathsf{GC}\)), and we can repeat the argument. Moreover, \(t_s\)-graded validity of \(\varPi ^{t_s}_\mathsf{GC}\) ensures that all parties output \((b^*,2)\) from the first execution of \(\varPi ^{t_s}_\mathsf{GC}\). Therefore, all honest parties input \(b^*\) to the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration \(k+1\) and we can apply the same argument to show that during iteration \(k+1\) of \(\varPi _\mathsf{ABA}^{t_s}\), all honest parties send exactly the messages \((\mathsf {prepare}, b^*)\) and \((\mathsf {propose}, b^*)\). Now, \(t_s\)-graded validity of \(\varPi ^{t_s}_\mathsf{GC}\) ensures that all honest parties output \((b^*,2)\) in the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration \(k+1\) as well, and hence set \(b=b^*\) for iteration \(k+2\). We can therefore repeat the same argument inductively for any iteration \(k'>k+1\).
Putting everything together, we have:
Lemma 14
For any \(t_a, t_s\) with \(t_a \le t_s\) and \(t_a + 2\cdot t_s < n\), protocol \(\varPi _\mathsf{ABA^*}^{t_s}\) is \(t_a\)-secure and also achieves \(t_s\)-validity with termination.
Proof
Protocol \(\varPi _\mathsf{ABA^*}^{t_s}\) inherits \(t_a\)-validity, \(t_a\)-consistency, and \(t_a\)-liveness directly from \(\varPi _\mathsf{ABA}^{t_s}\). In addition, \(t_a\)-liveness of \(\varPi _\mathsf{ABA}^{t_s}\) implies \(t_a\)-termination of \(\varPi _\mathsf{ABA^*}^{t_s}\).
It remains only to show that \(\varPi _\mathsf{ABA^*}^{t_s}\) is \(t_s\)-valid with termination. Suppose at most \(t_s\) parties are corrupted during an execution of \(\varPi _\mathsf{ABA^*}^{t_s}\), and all honest parties hold input \(v\in \{0,1\}\). The execution proceeds exactly as described in Lemma 10, and so all honest parties output v in the first iteration and terminate.
Realizing \(\mathsf{CoinFlip}\) within \(\varPi _\mathsf{ABA^*}^{t_s}\). Both Mostéfaoui et al. [29] and the above analysis treat the coin flip as an atomic primitive that outputs the kth coin when the first honest party invokes \(\mathsf {CoinFlip}(k)\), even if some honest parties have terminated. When the coin flip is realized by an interactive protocol, however, this may no longer hold. When realizing the coin flip via a threshold unique signature scheme, however, there is a simple way to fix this issue: When an honest party terminates in iteration k, it appends its share of the signature for iteration \(k+1\) to its \(\mathsf {notify}\) message. Then, all honest parties who have not yet terminated will be able to compute the coin in iteration \(k+1\) as needed. It is crucial here to note that since an honest party terminated in iteration k, the value of the coin in iteration \(k+1\) will be ignored by all honest parties anyway, so it does not matter if the adversary learns it in advance.
Rights and permissions
Copyright information
© 2019 International Association for Cryptologic Research
About this paper
Cite this paper
Blum, E., Katz, J., Loss, J. (2019). Synchronous Consensus with Optimal Asynchronous Fallback Guarantees. In: Hofheinz, D., Rosen, A. (eds) Theory of Cryptography. TCC 2019. Lecture Notes in Computer Science(), vol 11891. Springer, Cham. https://doi.org/10.1007/978-3-030-36030-6_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-36030-6_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-36029-0
Online ISBN: 978-3-030-36030-6
eBook Packages: Computer ScienceComputer Science (R0)