1 Introduction

Byzantine agreement (BA) [24, 35] is a classical problem in distributed computing. Roughly speaking, a BA protocol allows a group of n parties, each holding some initial input value, to agree on their outputs even in the presence of some threshold of corrupted parties. Such protocols are used widely in practice for ensuring consistency among a set of distributed processors [6, 21, 23, 30], and have received renewed interest in the context of blockchain protocols. They also serve as a core building block for more complicated protocols, e.g., for secure multiparty computation. There is an extensive literature on Byzantine agreement, and many different models in which it can be studied. We focus here on the setting in which a public-key infrastructure (PKI) is available.

Typically, protocols for Byzantine agreement are designed and analyzed assuming either a synchronous network, where messages are guaranteed to be delivered within some known time bound \(\varDelta \), or an asynchronous network, where messages can be delayed arbitrarily. Existing results precisely characterize when the problem can be solved in each case [5, 8, 10, 24, 35]: in a synchronous network, it is possible if and only if \(t_s<n/2\) parties are corrupted, while in an asynchronous network it can be achieved only when there are \(t_a<n/3\) corruptions. In each case, protocols tolerating the optimal threshold and running in expected constant rounds are known [5, 20].

In real-world deployments of Byzantine agreement, the network conditions in which a protocol are run may be unclear; for example, the network may generally be synchronous but intermittently experience congestion that prevents messages from being delivered in a timely fashion. This results in the following dilemma when deciding what protocol to use:

  • Protocols designed for a synchronous network are, in general, insecure if the assumption of network synchrony fails.

  • Protocols designed for an asynchronous network will (of course) be secure when the network is synchronous. But in this case the fraction of faults that can be tolerated is lower than what could have been tolerated if the protocol were designed for the synchronous setting.

Fix some thresholds \(t_a, t_s\) with \(0< t_a< n/3 \le t_s < n/2\). We ask the following question: is it possible to design a BA protocol that is (1) resilient to any \(t_s\) (adaptive) corruptions when run in a synchronous network and also (2) resilient to \(t_a\) (adaptive) corruptions even if the network happens to be asynchronous? We completely resolve this question by showing matching feasibility and infeasibility results demonstrating that this is possible if and only if \(t_a + 2\cdot t_s < n\).

Positive Result. The protocol achieving our positive result is constructed by combining two sub-protocols \(\varPi _{\mathsf {SBA}}, \varPi _{\mathsf {ABA}}\) for Byzantine agreement, where \(\varPi _{\mathsf {SBA}}\) is secure in a synchronous network and \(\varPi _{\mathsf {ABA}}\) is secure in an asynchronous network. The key to our analysis is to separately analyze the validity, consistency, and liveness guarantees of these sub-protocols. Specifically, we design \(\varPi _{\mathsf {SBA}}\) so that it also satisfies a certain validity guarantee even when run in an asynchronous network. We also design \(\varPi _{\mathsf {ABA}}\) so that it achieves validity (in an asynchronous network) even beyond n/3 corruptions. We then use these properties to prove security of our main protocol, for different thresholds, when run in either a synchronous or asynchronous network.

Impossibility Result. We also show that our positive result is tight, namely, that if \(t_a + 2\cdot t_s \ge n\) then there is no protocol that is simultaneously resilient to \(t_s\) corruptions when run in a synchronous network and also resilient to \(t_a\) faults in an asynchronous network. In fact, we show a result that is slightly stronger: it is not possible to achieve validity for \(t_s\) static faults in the synchronous setting while also achieving a weak notion of consistency for \(t_a\) static faults in an asynchronous network.

1.1 Related Work

The question of designing protocols that remain secure when run in various network conditions is natural, and so it is somewhat surprising that it has only recently begun to draw attention in the literature. Recent work by Malkhi et al. [28] is most closely related to our own. Among other things, they consider protocols with certain guarantees when run in synchronous or partially synchronous networks. In contrast, we consider the case of synchronous or fully asynchronous networks. Liu et al. [25] design a protocol that is resilient to a minority of malicious corruptions in a synchronous network, and a minority of fail-stop faults in an asynchronous network. Our work can be viewed as extending theirs to consider malicious corruptions in both settings. Guo, Pass, and Shi [16] consider a model motivated by eclipse attacks [18] on blockchain protocols, whereby an attacker temporarily disconnects some subset S of honest parties from the rest of the network \(S'\), e.g., by delaying or dropping messages between S and \(S'\). Parties in S may not be able to reach agreement with honest parties in \(S'\); nevertheless, as observed by Guo et al., it may be possible to provide certain guarantees for the parties in \(S'\) if their network is well-behaved (i.e., synchrony continues to hold for messages sent between parties in \(S'\)). Guo et al. gave BA protocols tolerating the optimal corruption threshold in this model, and Abraham et al. [2] extended their work to achieve similar guarantees for state-machine replication. The main difference between these works and ours is that they continue to assume synchrony in part of the network, and their protocols fail completely if the all communication channels in the network may be asynchronous.

Kursawe [22] shows a protocol for asynchronous BA that reaches agreement more quickly in case the network is synchronous. In contrast to our work, that protocol does not achieve better fault tolerance (and, in particular, cannot tolerate n/3 or more faults) in the synchronous case.

Other recent work has looked at designing protocols for synchronous BA that achieve good responsiveness when the network latency is low. That is, these protocols ensure that if the actual message-delivery time is \(\delta < \varDelta \) then the time to reach agreement is proportional to \(\delta \) rather than the upper bound \(\varDelta \). This problem was considered by Pass and Shi [31, 32], who gave protocols that rely on a leader and are therefore not adaptively secure, as well as by Loss and Moran [27], who avoid the use of a leader. The work of Loss and Moran was extended by Liu-Zhang et al. [26] to the case of general secure computation. None of these works provides security in case the synchrony assumption fails altogether.

Several prior works [3, 7, 12, 34] consider a model in which synchrony is assumed to be available for some (known) limited period of time, and asynchronous afterward. Fitzi et al. [11] and Loss and Moran [27] study trade-offs between the validity, consistency, and liveness properties of BA that inspired our asynchronous BA protocol in Sect. 4 and our lower bound in Sect. 6.

1.2 Paper Organization

We introduce our model as well as definitions for Byzantine agreement and related tasks in Sect. 2. In Sects. 3 and 4 we describe two protocols for Byzantine agreement and prove various properties about them. Those protocols are used, in turn, as sub-protocols of our main protocol in Sect. 5 that achieves security (for different thresholds) in both synchronous and asynchronous networks. Finally, in Sect. 6 we show that the bounds we achieve are tight.

2 Model and Definitions

Throughout, we consider a network of n parties \(P_1, \ldots , P_n\) who may communicate over point-to-point authenticated channels. We also assume that the parties have established a public-key infrastructure in advance of the protocol execution. This means that all parties hold the same vector \((pk_1, \ldots , pk_n)\) of public keys for a digital signature scheme, where each honest party \(P_i\) holds the honestly generated secret key \(sk_i\) associated with \(pk_i\). (Malicious parties may choose their keys arbitrarily.) A valid signature \(\sigma \) on m from \(P_i\) is one for which \(\mathsf {Verify}_{pk_i}(m, \sigma )=1\). We make the standard convention of treating signatures as idealized objects; i.e., throughout our analysis, signatures are assumed to be perfectly unforgeable. When the signature scheme used is existentially unforgeable under chosen-message attacks we thus obtain security against computationally bounded adversaries, with a negligible probability of failure. We implicitly assume that parties use domain separation when signing (e.g., via unique session IDs) to ensure that signatures generated for one purpose will be considered invalid if used in another context.

When we say a protocol tolerates t corrupted parties we always mean that it is secure against an adversary who may adaptively corrupt up to t parties during execution of the protocol and coordinate the actions of those parties as they deviate from the protocol in an arbitrary manner. An honest party is one who is not corrupted by the end of the protocol. We stress that our claims about adaptive security are only with respect to the “property-based” definitions we give here; we do not consider adaptive security with respect to a simulation-based definition [13, 19].

We are interested in protocols running in one of two possible settings. When a protocol is run in a synchronous network, we assume all messages are delivered within a known time bound \(\varDelta \) after they are sent. We allow the adversary to arbitrarily schedule delivery of messages subject to this bound, which implies in particular that we consider a rushing adversary who may obtain messages sent to it before sending messages of its own. In the synchronous case, we also assume all parties begin running the protocol at the same time, and all parties have local clocks that progress at the same rate. When we refer to a protocol running in an asynchronous network, we allow the adversary to arbitrarily schedule delivery of messages without any upper bound on their delivery time. We do, however, require that all messages that are sent are eventually delivered. Importantly, honest parties do not know a priori which type of network the protocol is running in.

We may view executions in a synchronous network as proceeding in a series of rounds, where execution begins at time 0 and the rth round refers to the period of time from \((r-1)\cdot \varDelta \) to \(r\cdot \varDelta \). When we say a party receives a message in round r we mean that it receives a message in that time interval; when we say it sends a message in round r we means it sends that message at the beginning of that round, i.e., at time \((r-1)\cdot \varDelta \). Thus, in a synchronous network all messages sent in round r are received in round r (but in an asynchronous network this need not be the case).

We assume a coin-flip mechanism \(\mathsf{CoinFlip}\) available as an atomic primitive. This can be viewed as an ideal functionality, parameterized by a value t, that upon receiving input k from \(t + 1\) parties generates an unbiased coin \(\mathsf {Coin}_k \in \{0,1\}\) and sends \((k, \mathsf {Coin}_k)\) to all parties. (When run in an asynchronous network, messages to and from \(\mathsf{CoinFlip}\) can be arbitrarily delayed.) The key property this ensures is that, if at most t parties are corrupted, at least one honest party must send k to \(\mathsf{CoinFlip}\) before the adversary can learn \(\mathsf {Coin}_k\). Several protocols for realizing such a coin flipFootnote 1 in an asynchronous network, based on general assumptions, are known [1, 5, 29, 33]. For our purposes, we need a protocol that is secure for \(t<n/3\) faults, and that terminates for \(t'<n/2\) faults. Such protocols can be constructed using a threshold unique signature scheme [4, 14, 17, 27].

2.1 Definitions

We are ultimately interested in Byzantine agreement, but we find it useful to define the related notions of broadcast and graded consensus. Relevant definitions follow.

Byzantine Agreement. Byzantine agreement allows a set of parties who each hold some initial input to agree on their output. We consider several security properties that may hold for such protocols. For simplicity, we consider the case of agreement on a bit; this is without loss of generality as one can run any such protocol \(\ell \) times to agree on a string of length \(\ell \).

We consider Byzantine agreement protocols where, in some cases, parties may not terminate immediately upon generating output, or may never terminate. For that reason, we treat termination separately in the definition that follows. By convention, any party that terminates generates output before doing so; however, we allow parties to output the special symbol \(\perp \).

Definition 1 (Byzantine agreement)

Let \(\varPi \) be a protocol executed by parties \(P_1, \ldots , P_n\), where each party \(P_i\) begins holding input \(v_i \in \{0,1\}\).

  • Weak validity: \(\varPi \) is t -weakly valid if the following holds whenever at most t of the parties are corrupted: if every honest party’s input is equal to the same value v, then every honest party outputs either v or \(\perp \).

  • Validity: \(\varPi \) is t -valid if the following holds whenever at most t of the parties are corrupted: if every honest party’s input is equal to the same value v, then every honest party outputs v.

  • Validity with termination: \(\varPi \) is t -valid with termination if the following holds whenever at most t of the parties are corrupted: if every honest party’s input is equal to the same value v, then every honest party outputs v and terminates.

  • Weak consistency: \(\varPi \) is t -weakly consistent if the following holds whenever at most t of the parties are corrupted: there is a \(v \in \{0,1\}\) such that every honest party outputs either v or \(\perp \).

  • Consistency: \(\varPi \) is t -consistent if the following holds whenever at most t of the parties are corrupted: there is a \(v \in \{0, 1,\bot \}\) such that every honest party outputs v. (In the terminology of Goldwasser and Lindell [15], weak consistency might be called “consistency with abort” and consistency might be called “consistency with unanimous abort.”)

  • Liveness: \(\varPi \) is t -live if whenever at most t of the parties are corrupted, every honest party outputs a value in \(\{0,1\}\).

  • Termination: \(\varPi \) is t -terminating if whenever at most t of the parties are corrupted, every honest party terminates. \(\varPi \) has guaranteed termination if it is n-terminating.

If \(\varPi \) is t-valid, t-consistent, t-live, and t-terminating, then we say \(\varPi \) is t -secure.

While several of the above definitions are not entirely standard, our notion of security matches the standard one. In particular, t-liveness and t-consistency imply that whenever at most t parties are corrupted, there is a \(v \in \{0, 1\}\) such that every honest party outputs v. Note that t-validity with termination is weaker than t-validity plus t-termination, as the former does not require termination in case the inputs of the honest parties do not agree.

Broadcast. Protocols for broadcast allow a set of parties to agree on a value chosen by a designated sender. We only consider broadcast protocols with guaranteed termination, and so do not mention termination explicitly when defining the various properties.

Definition 2 (Broadcast)

Let \(\varPi \) be a protocol executed by parties \(P_1\), ..., \(P_n\), where a sender \(P^* \in \{P_1, \ldots , P_n\}\) begins holding input \(v^* \in \{0,1\}\) and all parties are guaranteed to terminate.

  • Weak validity: \(\varPi \) is t -weakly valid if the following holds whenever at most t of the parties are corrupted: if \(P^*\) is honest, then every honest party outputs either \(v^*\) or \(\perp \).

  • Validity: \(\varPi \) is t -valid if the following holds whenever at most t of the parties are corrupted: if \(P^*\) is honest, then every honest party outputs \(v^*\).

  • Weak consistency: \(\varPi \) is t -weakly consistent if the following holds whenever at most t of the parties are corrupted: there is a \(v \in \{0,1\}\) such that every honest party outputs either v or \(\perp \).

  • Consistency: \(\varPi \) is t -consistent if the following holds whenever at most t of the parties are corrupted: there is a \(v \in \{0, 1, \perp \}\) such that every honest party outputs v.

  • Liveness: \(\varPi \) is t -live if whenever at most t of the parties are corrupted, every honest party outputs a value in \(\{0,1\}\).

If \(\varPi \) is t-valid, t-consistent, and t-live, then we say \(\varPi \) is t -secure.

Graded consensus. As a stepping stone to Byzantine agreement, it is also useful to define graded consensus [9]. Here, each party outputs both a value \(v \in \{0,1,\perp \}\) as well as a grade \(g \in \{0,1,2\}\). As in the case of Byzantine agreement, we consider protocols that may not terminate; however, parties terminate upon generating output.

Definition 3 (Graded consensus)

Let \(\varPi \) be a protocol executed by parties \(P_1,\ldots ,P_n\), where each party \(P_i\) begins holding input \(v_i \in \{0,1\}\) and each party terminates upon generating output.

  • Graded validity: \(\varPi \) achieves t -graded validity if the following holds whenever at most t of the parties are corrupted: if every honest party’s input is equal to the same value v, then all honest parties output (v, 2).

  • Graded consistency: \(\varPi \) achieves t -graded consistency if the following hold whenever at most t of the parties are corrupted: (1) If two honest parties output grades \(g, g'\), then \(|g-g'|\le 1\). (2) If two honest parties output (vg) and \((v',g')\) with \(g, g' \ge 1\), then \(v=v'\).

  • Liveness: \(\varPi \) is t -live if whenever at most t of the parties are corrupted, every honest party outputs (vg) with either \(v \in \{0,1\}\) and \(g \ge 1\), or \(v=\perp \) and \(g=0\).

If \(\varPi \) achieves t-graded validity, t-graded consistency, and t-liveness then we say \(\varPi \) is t -secure.

3 Synchronous BA with Fallback (Weak) Validity

In this section we show a protocol that is secure for some threshold \(t_s\) of corrupted parties when run in a synchronous network, and achieves weak validity (though liveness and weak consistency may not hold) for a lower threshold \(t_a\) even when run in an asynchronous network.

Fig. 1.
figure 1

The Dolev-Strong broadcast protocol \(\varPi _\mathsf {DS}\).

Full size image

Our protocol relies on a variant of the Dolev-Strong broadcast protocol [8] as a subroutine. Since we use a slightly non-standard version of that protocol, we describe it in Fig. 1 for completeness. In the protocol, we say that \((v, \mathsf{SET})\) is an r-correct message (from the point of view of a party \(P_i\)) if \(\mathsf{SET}\) contains valid signatures on v from \(P^*\) and \(r-1\) additional, distinct parties other than \(P_i\).

Lemma 1

Broadcast protocol \(\varPi _\mathsf {DS}\) satisfies the following properties:

  1. 1.

    When run in a synchronous network, it is n-consistent and n-valid.

  2. 2.

    When run in an asynchronous network, it is n-weakly valid.

Proof

The standard analysis of the Dolev-Strong protocol shows that, when run in a synchronous network with any number of corrupted parties, \(\mathsf{ACC}_i=\mathsf{ACC}_j\) for any honest parties \(P_i, P_j\). This implies n-consistency. Since an honest \(P^*\) sends a 1-correct message to all honest parties, and the attacker cannot forge signatures of the honest sender, n-validity holds.

The second claim follows because an attacker cannot forge the signature of an honest \(P^*\).

We now define a BA protocol using \(\varPi _\mathsf {DS}\) as a sub-routine. This protocol is parameterized by a value \(t_a\) which determines the security thresholds the protocol satisfies.

Fig. 2.
figure 2

A Byzantine agreement protocol, parameterized by \(t_a\).

Full size image

Theorem 1

For any \(t_a, t_s\) with \(t_a < n/3\) and \(t_a + 2\cdot t_s < n\), Byzantine agreement protocol \(\varPi _{\mathsf {SBA}}^{t_a}\) satisfies the following properties:

  1. 1.

    When the protocol is run in a synchronous network, it is \(t_s\)-secure.

  2. 2.

    When the protocol is run in an asynchronous network, it is \(t_a\)-weakly valid.

Moreover, the protocol has guaranteed termination in both cases, and when run in a synchronous network every honest party terminates in time at most \(n \cdot \varDelta \).

Proof

The claim about termination is immediate.

When run in a synchronous network with \(t_s\) corrupted parties, at least \(n-t_s > 2t_a\) of the executions of \(\varPi _\mathsf {DS}\) result in boolean output for all honest parties (by n-validity of \(\varPi _\mathsf {DS}\)) and so all honest parties generate boolean output in \(\varPi _{\mathsf {SBA}}^{t_a}\); this proves \(t_s\)-liveness. By n-consistency of \(\varPi _\mathsf {DS}\), all honest parties agree on the \(\{v_j\}\) values they obtain and hence \(\varPi _{\mathsf {SBA}}^{t_a}\) is \(t_s\)-consistent (in fact, it is n-consistent). Finally, n-validity of \(\varPi _\mathsf {DS}\) implies that when all honest parties begin holding the same input \(v \in \{0,1\}\), then all honest parties will have v as their majority value. This proves \(t_s\)-validity (in fact, the protocol is t-valid for any \(t<n/2\)).

For the second claim, assume all honest parties begin holding the same input v, and \(t_a\) parties are corrupted. Any honest party \(P_i\) who generates boolean output must have at least \(2t_a+1\) boolean values \(\{v^i_j\}\), of which at most \(t_a\) of these can be equal to \(\bar{v}\). Hence, any honest party who generates boolean output will in fact output v.

4 Validity-Optimized Asynchronous BA

Here we show a protocol that is secure for some threshold when run in an asynchronous network, and achieves validity for a higher threshold. Throughout this section we only consider protocols running in an asynchronous network, and so drop explicit mention of this fact for the remainder of this section.

Theorem 2

For any \(t_a, t_s\) with \(t_a < n/3\) and \(t_a + 2 \cdot t_s < n\), there is an n-party protocol for Byzantine agreement that, when run in an asynchronous network, is \(t_a\)-secure and also achieves \(t_s\)-validity with termination.

Our proof of Theorem 2 proceeds in a number of steps. In Sect. 4.1 we describe a “validity-optimized” protocol \(\varPi ^{t_s}_\mathsf{GC}\) for graded consensus that is \(t_a\)-secure and also achieves \(t_s\)-graded validity. Then, in Sect. 4.2, we show a Byzantine agreement protocol \(\varPi ^{t_s}_\mathsf{ABA}\) using \(\varPi ^{t_s}_\mathsf{GC}\) as a subroutine. This protocol illustrates our main ideas, and achieves all the properties claimed in Theorem 2 except termination. We then discuss how termination can be added using existing techniques.

Our protocol is based on the work of Mostéfaoui et al. [29], but allows for variable thresholds. Also, our description simplifies theirs by presenting the protocol in a modular fashion.

4.1 Validity-Optimized Graded Consensus

Our graded consensus protocol relies on a sub-protocol \(\varPi ^{t_s}_\mathsf{prop}\) for proposing values, shown in Fig. 3. This protocol is parameterized by a value \(t_s\) that determines its security thresholds. We begin by proving some properties of \(\varPi ^{t_s}_\mathsf{prop}\). Throughout, we let n denote the number of parties.

Fig. 3.
figure 3

A sub-protocol for proposing values, parameterized by \(t_s\).

Full size image

Lemma 2

Assume \(t_a<n-2\cdot t_s\) parties are corrupted in an execution of \(\varPi ^{t_s}_\mathsf{prop}\). If two honest parties \(P_i, P_j\) output \(\{b\}\), \(\{b'\}\), respectively, then \(b=b'\).

Proof

Since \(P_i\) outputs \(\{b\}\), it must have received at least \(n-t_s\) messages \((\mathsf {propose},b)\), of which at least \(n-t_s-t_a\) of those were sent by honest parties. Similarly, \(P_j\) must have received at least \(n-t_s-t_a\) messages \((\mathsf {propose}, b')\) that were sent by honest parties. If \(b\ne b'\), then because \(2 \cdot (n-t_s-t_a)\) is strictly greater than the number of honest parties \(n-t_a\), this would mean that some honest party sent \(\mathsf {propose}\) messages on two different values, which is impossible.

Lemma 3

Assume \(t_a\le t_s\) parties are corrupted in an execution of \(\varPi ^{t_s}_\mathsf{prop}\). If no honest party has input v, then no honest party outputs \(\mathsf{prop}\) containing v.

Proof

If v was not input by any honest party, then at most \(t_a\le t_s\) messages \((\mathsf {prepare}, v)\) are sent in step 2. Thus, no honest party ever sends a message \((\mathsf {prepare}, v)\), and consequently no honest party ever sends a message \((\mathsf {propose}, v)\). It follows that no honest party ever adds v to \(\mathsf {vals}\), and so no honest party outputs \(\mathsf{prop}\) containing v.

Lemma 4

Assume \(t_a\) parties are corrupted in an execution of \(\varPi ^{t_s}_\mathsf{prop}\), where \(t_a <n-2\cdot t_s\) and \(t_a \le t_s\). If an honest party sends a message \((\mathsf {propose}, b)\), all honest parties add b to \(\mathsf {vals}\).

Proof

Suppose some honest party \(P_i\) sends \((\mathsf {propose}, b)\). Then \(P_i\) must have received at least \(n-t_s\) messages \((\mathsf {prepare}, b)\). At least \(n-t_s-t_a > t_s\) of these must have been sent by honest parties, and so eventually all other honest parties also receive strictly more than \(t_s\) messages \((\mathsf {prepare}, b)\). We thus see that every honest party will eventually send \((\mathsf {prepare}, b)\). Therefore, every honest party will eventually receive at least \(n-t_a\ge n-t_s\) messages \((\mathsf {prepare}, b)\), and consequently every honest party will add b to \(\mathsf {vals}\).

Note that whenever parties in \(\varPi ^{t_s}_\mathsf{prop}\) generate output, they terminate. While honest parties do not necessarily terminate (for example, if honest parties are split evenly among 0, 1, and \(\lambda \)), we show they do terminate as long as honest parties hold at most two different input values.

Lemma 5

Assume \(t_a\) parties are corrupted in an execution of \(\varPi ^{t_s}_\mathsf{prop}\), where \(t_a <n-2\cdot t_s\) and \(t_a \le t_s\). If all honest parties hold one of two different inputs, then all honest parties terminate.

Proof

We first argue that every honest party sends a \(\mathsf {propose}\) message. Indeed, there are \(n-t_a\) honest parties, so at least \(\frac{1}{2}(n-t_a)>t_s\) honest parties must have the same input v. Therefore, all honest parties receive strictly more than \(t_s\) messages \((\mathsf {prepare}, v)\). Consequently, all honest parties will eventually send \((\mathsf {prepare}, v)\). Thus, every honest party receives \(n-t_a\ge n-t_s\) messages \((\mathsf {prepare}, v)\) and adds v to \(\mathsf {vals}\). In particular, \(\mathsf {vals}\) is nonempty and so every honest party sends a \(\mathsf {propose}\) message.

Each honest party thus receives at least \(n-t_a\ge n-t_s\) \(\mathsf {propose}\) messages sent by honest parties. By Lemma 4, for any b proposed by an honest party, all honest parties eventually have \(b\in \mathsf {vals}\). Thus, every honest party eventually receives at least \(n-t_s\) propose messages for values in their set \(\mathsf {vals}\), and therefore all honest parties terminate.

\(\varPi _\mathsf{prop}^{t_s}\) satisfies a notion of validity even for \(t_s\) corrupted parties.

Lemma 6

Assume \(t_s<n/2\) parties are corrupted in an execution of \(\varPi ^{t_s}_\mathsf{prop}\). If all honest parties hold the same input v, then all honest parties output \(\mathsf{prop}=\{v\}\).

Proof

Suppose \(t_s\) parties are corrupted, and all honest parties hold the same input v. In step 2, all \(n-t_s\) honest parties send \((\mathsf {prepare}, v)\), and so all honest parties add v to \(\mathsf {vals}\). Any \(\mathsf {prepare}\) messages on other values in step 2 are sent by the \(t_s<n-t_s\) corrupted parties, and so no honest party ever adds a value other than v to \(\mathsf {vals}\). Thus, all \(n-t_s\) honest parties send their (single) \(\mathsf {propose}\) message \((\mathsf {propose}, v)\) in step 5. It follows that every honest party outputs \(\mathsf{prop}=\{v\}\) in step 6.

Fig. 4.
figure 4

A protocol for graded consensus, parameterized by \(t_s\).

Full size image

In Fig. 4 we show a graded consensus protocol \(\varPi ^{t_s}_\mathsf{GC}\) that relies on \(\varPi ^{t_s}_\mathsf{prop}\) as a subroutine. Note that parties terminate upon generating output. We now analyze the protocol.

Lemma 7

If \(t_s < n/2\), then \(\varPi ^{t_s}_\mathsf{GC}\) achieves \(t_s\)-graded validity.

Proof

Suppose \(t_s\) parties are corrupted, and every honest party’s input is equal to the same value v. By Lemma 6, all honest parties have \(\mathsf{prop}_{1}=\{v\}\) following the first execution of \(\varPi ^{t_s}_\mathsf{prop}\), and so use v as the input for the second execution of \(\varPi ^{t_s}_\mathsf{prop}\). By the same reasoning, all honest parties have \(\mathsf{prop}_{2}=\{v\}\) after the second execution of \(\varPi ^{t_s}_\mathsf{prop}\). Thus, all honest parties output (v, 2).

Lemma 8

Assume \(t_a \le t_s\) and \(t_a + 2\cdot t_s < n\). Then \(\varPi ^{t_s}_\mathsf{GC}\) achieves \(t_a\)-graded consistency.

Proof

Suppose \(t_a\) parties are corrupted. First, we show that the grades output by two honest parties \(P_i, P_j\) differ by at most 1. The only way this can possibly fail is if one of the parties (say, \(P_i\)) outputs a grade of 2. \(P_i\) must then have received \(\mathsf{prop}_2=\{b\}\), for some \(b \in \{0,1\}\), as its output from the second execution of \(\varPi ^{t_s}_\mathsf{prop}\). It follows from Lemma 2 that \(P_j\) could not have received \(\mathsf{prop}_2=\{\lambda \}\). Therefore, it is not possible for \(P_j\) to output grade 0.

Next, we show that any two honest parties that output nonzero grades must output the same value. Observe first that there is a bit b such that the inputs of all the honest parties to the second execution of \(\varPi ^{t_s}_\mathsf{prop}\) lie in \(\{b, \lambda \}\). (Indeed, if all honest parties set \(b_2:=\lambda \) this claim is immediate. On the other hand, if some honest party sets \(b_2:=b\in \{0,1\}\) then they must have \(\mathsf{prop}_1=\{b\}\); but then Lemma 2 implies that any other honest party who sets \(b_2\) to anything other than \(\lambda \) will set it equal to b as well.) Lemma 3 thus implies that no honest party outputs a set \(\mathsf{prop}_2\) after the second execution of \(\varPi ^{t_s}_\mathsf{prop}\) that contains a value other than b or \(\lambda \). Thus, any two honest parties that output a nonzero grade must output the same value b.

Lemma 9

Assume \(t_a \le t_s\) and \(t_a + 2\cdot t_s < n\). Then \(\varPi ^{t_s}_\mathsf{GC}\) achieves \(t_a\)-liveness.

Proof

All honest parties hold input in \(\{0,1\}\) in the first execution of \(\varPi ^{t_s}_\mathsf{prop}\), so Lemma 5 shows that all honest parties terminate that execution. As in the proof of the previous lemma, there is a bit b such that the inputs of all the honest parties to the second execution of \(\varPi ^{t_s}_\mathsf{prop}\) lie in \(\{b, \lambda \}\); so, using Lemma 5 again, that execution also terminates. Moreover, by Lemma 3, the set \(\mathsf{prop}_2\) output by any honest party is a nonempty subset of \(\{b,\lambda \}\), i.e., is either \(\{b\}, \{b,\lambda \}\), or \(\{\lambda \}\). Thus, every honest party generates output and terminates in \(\varPi ^{t_s}_\mathsf{GC}\).

4.2 Validity-Optimized Byzantine Agreement

We present a Byzantine agreement protocol \(\varPi ^{t_s}_\mathsf{ABA}\) in Fig. 5. Recall from Sect. 2 that we assume an atomic primitive \(\mathsf{CoinFlip}\) that allows all parties to generate and learn an unbiased value \(\mathsf {Coin}_k\in \{0,1\}\) for \(k=1,\ldots \). We refer there for a discussion as to how it can be realized.

Fig. 5.
figure 5

A Byzantine agreement protocol, parameterized by \(t_s\).

Full size image

Lemma 10

If \(t_s < n/2\), then protocol \(\varPi ^{t_s}_\mathsf{ABA}\) satisfies \(t_s\)-validity. Moreover, if all honest parties initially hold v, then all honest parties output v at the end of the first iteration of \(\varPi ^{t_s}_\mathsf{ABA}\).

Proof

Suppose there are at most \(t_s\) corrupted parties and all honest parties initially hold \(v\in \{0,1\}\). All honest parties use input v in the first execution of \(\varPi ^{t_s}_\mathsf{GC}\) in the first iteration; \(t_s\)-graded validity of \(\varPi ^{t_s}_\mathsf{GC}\) (cf. Lemma 7) implies they all output (v, 2) from that execution. Thus, all honest parties ignore the result of the coin flip and run a second instance of \(\varPi ^{t_s}_\mathsf{GC}\) using input v, again unanimously obtaining (v, 2) as output. Thus, all honest parties output v in the first iteration.

Lemma 11

Assume \(t_a \le t_s\) and \(t_a + 2\cdot t_s < n\). Then \(\varPi ^{t_s}_\mathsf{ABA}\) satisfies \(t_a\)-liveness and \(t_a\)-consistency. Moreover: (1) if an honest party generates generates output for the first time in iteration k, then every other honest party generates output in iteration k or \(k+1\), and (2) all honest parties generate output in an expected constant number of iterations.

Proof

Assume \(t_a\) parties are corrupted. Consider an iteration k of the protocol by which no honest party has yet generated output. Let Agree be the event that all honest parties use the same input to the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in that iteration. If Agree occurs, then \(t_s\)-graded validity of \(\varPi ^{t_s}_\mathsf{GC}\) implies that all honest parties will obtain a grade of 2 in that execution and hence generate output in iteration k. We show that Agree occurs with probability at least 1/2. We distinguish two cases:

  • Say some honest party outputs (b, 2) in the first execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration k. By \(t_a\)-graded consistency of \(\varPi ^{t_s}_\mathsf{GC}\), all honest parties output either (b, 2) or (b, 1) in that execution of \(\varPi ^{t_s}_\mathsf{GC}\). Since \(\mathsf {Coin}_k\) is not revealed until the first honest party terminates that execution of \(\varPi ^{t_s}_\mathsf{GC}\), this means b is chosen independently of \(\mathsf {Coin}_k\). If \(\mathsf {Coin}_k=b\), which occurs with probability 1/2, then all parties will use the same input in the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration k.

  • If no honest party outputs (b, 2) after the first execution of \(\varPi ^{t_s}_\mathsf{GC}\), then all honest parties will use \(\mathsf {Coin}_k\) as their input in the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration k.

The above implies that in expected constant rounds some honest party generates boolean output. We next show that if some honest party \(P_i\) outputs \(b\in \{0,1\}\) in iteration k, then all other honest parties output b in iteration k or \(k+1\). Since \(P_i\) output b in iteration k, it must have seen (b, 2) as the output of the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration k. By \(t_a\)-graded consistency of \(\varPi ^{t_s}_\mathsf{GC}\), every honest party obtains either (b, 1) or (b, 2) as output from that execution of \(\varPi ^{t_s}_\mathsf{GC}\). Clearly, all honest parties in the second situation output b in iteration k. We argue that all honest parties in the first situation (namely, who obtain output (b, 1)) will output b in iteration \(k+1\). This can be seen as follows. Since all honest parties use input b in the first execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration \(k+1\), all honest parties output (b, 2) in that execution (by \(t_s\)-validity of \(\varPi ^{t_s}_\mathsf{GC}\)). All honest parties then participate in the coin flip but ignore the result, and use input b in the next execution of \(\varPi ^{t_s}_\mathsf{GC}\). Thus, all honest parties obtain output (b, 2) from the second execution of \(\varPi ^{t_s}_\mathsf{GC}\) in iteration \(k+1\), and any honest party that did not output b in the previous iteration will output it now.

Corollary 1

For any \(t_a, t_s\) with \(t_a < n/3\) and \(t_a + 2 \cdot t_s < n\), there is an n-party protocol for Byzantine agreement that, when run in an asynchronous network, achieves \(t_s\)-validity, \(t_a\)-consistency, and \(t_a\)-liveness.

Proof

We may assume \(t_s \ge t_a\) since, if not, we can set \(t_s=t_a\) and \(t_a + 2 \cdot t_s < n\) will still hold. Note also that the stated conditions imply \(t_s < n/2\). The corollary thus follows from Lemmas 10 and 11.

Adding Termination. Corollary 1 proves all the claims of Theorem 2 except for termination and, indeed, parties in \(\varPi _\mathsf{ABA}^{t_s}\) participate indefinitely and so the protocol does not terminate. However, we can obtain a terminating protocol \(\varPi _\mathsf{ABA^*}^{t_s}\) (and hence complete the proof of Theorem 2) using existing techniques [29]. We refer to the appendix for further discussion.

5 Main Protocol

Fix \(n, t_a, t_s\) with \(t_a<n/3\) and \(t_a + 2\cdot t_s < n\). As in the proof of Corollary 1 we may assume \(t_a \le t_s\). Our main protocol \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\) is given in Fig. 6. It relies on the following sub-protocols:

  • \(\varPi _{\mathsf {SBA}}^{t_a}\) is an n-party BA protocol that is \(t_s\)-secure when run in a synchronous network, and \(t_a\)-weakly valid when run in an asynchronous network. Moreover, the protocol has guaranteed termination regardless of the network, and when run in a synchronous network all honest parties terminate by time \(n \cdot \varDelta \). The existence of such a protocol is guaranteed by Theorem 1.

  • \(\varPi _\mathsf{ABA^*}^{t_s}\) is an n-party BA protocol that is \(t_a\)-secure and \(t_s\)-valid with termination when run in an asynchronous network. (Of course, these properties also hold if the protocol is run in a synchronous network.) The existence of such a protocol is guaranteed by Theorem 2.

Fig. 6.
figure 6

A Byzantine agreement protocol, parameterized by \(t_a, t_s\).

Full size image

Theorem 3

Let \(n, t_a, t_s\) be as above. Then protocol \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\) satisfies the following properties:

  1. 1.

    When the protocol is run in a synchronous network, it is \(t_s\)-secure.

  2. 2.

    When the protocol is run in an asynchronous network, it is \(t_a\)-secure.

Proof

First consider the case when \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\) is run in a synchronous network, and at most \(t_s\) parties are corrupted. By \(t_s\)-security of \(\varPi _{\mathsf {SBA}}^{t_a}\), after running \(\varPi _{\mathsf {SBA}}^{t_a}\) there is a value \(b \ne \perp \) such that \(b_i=b\) for every honest \(P_i\). Moreover, if every honest party’s input was equal to the same value v, then \(b=v\). Thus, all honest parties set \(v_i^*\) to the same value b and, if every party’s input was the same value v, then \(v_i^*=v\). By \(t_s\)-validity with termination of \(\varPi _\mathsf{ABA^*}^{t_s}\), all honest parties terminate and agree on their output from \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\), proving \(t_s\)-consistency, \(t_s\)-liveness, and \(t_s\)-termination. Moreover, if every honest party’s original input was equal to the same value v, then the output of \(\varPi _\mathsf{ABA^*}^{t_s}\) (and thus of \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\)) is equal to v. This proves \(t_s\)-validity.

Next consider the case when \(\varPi _{\mathsf {HBA}}^{t_a,t_s}\) is run in an asynchronous network, and at most \(t_a\) parties are corrupted. The protocol inherits \(t_a\)-consistency, \(t_a\)-liveness, and \(t_a\)-termination from \(t_a\)-security of \(\varPi _\mathsf{ABA^*}^{t_s}\), and so it only remains to argue \(t_a\)-validity. Assume every honest party’s initial input is equal to the same value v. Then \(t_a\)-weak validity of \(\varPi _{\mathsf {SBA}}^{t_a}\), plus the fact that it always terminates, imply that \(b_i \in \{v, \perp \}\), and hence \(v^*_i=v\), for every honest \(P_i\). It follows from \(t_s\)-validity (note \(t_a \le t_s\)) of \(\varPi _\mathsf{ABA^*}^{t_s}\) that all honest parties output v.

6 Impossibility Result

We show here that our positive result from the previous section is tight. That is:

Theorem 4

For any n, if \(t_a \ge n/3\) or \(t_a + 2 \cdot t_s \ge n\) there is no n-party protocol for Byzantine agreement that is \(t_s\)-secure in a synchronous network and \(t_a\)-secure in an asynchronous network.

The case of \(t_a \ge n/3\) follows from existing impossibility results for asynchronous consensus, so the interesting case is when \(t_a < n/3\) but \(t_a + 2 \cdot t_s \ge n\). Theorem 4 follows from the lemma below.

Lemma 12

Fix \(n, t_a, t_s\) with \(t_a + 2t_s \ge n\). If an n-party Byzantine agreement protocol is \(t_s\)-valid in a synchronous network, then it cannot also be \(t_a\)-weakly consistent in an asynchronous network.

Proof

The proof is similar to that of [36]. Assume \(t_a+2t_s=n\) and fix a BA protocol \(\varPi \). Partition the n parties into sets \(S_0, S_1, S_a\) where \(|S_0|=|S_1|=t_s\) and \(|S_a|=t_a\), and consider the following experiment:

  • Parties in \(S_0\) run \(\varPi \) using input 0, and parties in \(S_1\) run \(\varPi \) using input 1. All communication between parties in \(S_0\) and parties in \(S_1\) is blocked (but all other messages are delivered within time \(\varDelta \)).

  • Create virtual copies of each party in \(S_a\), call them \(S_a^0\) and \(S_a^1\). Parties in \(S_a^0\) run \(\varPi \) using input 0, and communicate only with each other and parties in \(S_0\). Parties in \(S_a^1\) run \(\varPi \) using input 1, and communicate only with each other and parties in \(S_1\).

Consider an execution of \(\varPi \) in a synchronous network where parties in \(S_1\) are corrupted and simply abort, and all remaining (honest) parties use input 0. The views of the honest parties in this execution are distributed identically to the views of \(S_0 \cup S_a^0\) in the above experiment. In particular, \(t_s\)-validity of \(\varPi \) implies that all parties in \(S_0\) output 0. Analogously, all parties in \(S_1\) output 1.

Next consider an execution of \(\varPi \) in an asynchronous network where parties in \(S_a\) are corrupted, and run \(\varPi \) using input 0 when interacting with \(S_0\) while running \(\varPi \) using input 1 when interacting with \(S_1\). Moreover, all communication between the (honest) parties in \(S_0\) and \(S_1\) is delayed indefinitely. The views of the honest parties in this execution are distributed identically to the views of \(S_0 \cup S_1\) in the above experiment, yet the conclusion of the preceding paragraph shows that weak consistency is violated.