1 Introduction

Byzantine Agreement (BA) is one of the most fundamental problems in fault tolerant distributed computing [4, 8, 27] and of increasing interest given recent advances in cryptocurrencies [3, 14, 23]. In this paper, we consider the “broadcast” formulation of Byzantine Agreement, henceforth also called Byzantine Broadcast (BB): imagine that there are n nodes among which there is a designated sender. The sender is given an input bit \(b \in \{0, 1\}\) and wants to send this bit to every other node. Although up to \(f < n-1\) nodes can be corrupted and deviate arbitrarily from the prescribed protocol, we would like to nonetheless ensure two key properties: 1) consistency requires that all honest nodes must output the same bit (even when the sender is corrupt); and 2) validity requires that all honest nodes output the sender’s input bit if the sender is honestFootnote 1.

An important question to understand is the round complexity of Byzantine Broadcast. Dolev and Strong [12] showed that assuming (idealized) digital signatures, there is a deterministic protocol achieving \(f+1\) rounds; and moreover, \(f+1\) rounds is the best one can hope for in any deterministic protocol. It is also widely understood that randomization can help overcome the \((f+1)\)-round barrier in the honest majority setting. Specifically, many elegant works have shown expected constant-round protocols assuming honest majority [2, 15, 16, 26].

For a long while, the community was perplexed about the following natural question: can we achieve sublinear-round Byzantine Broadcast under dishonest majority? The ingenious work by Garay et al. [19] was the first to demonstrate a positive result although their construction achieves sublinear round complexity only under a narrow parameter regime: specifically, they constructed an expected \(\varTheta ((f-n/2)^2)\)-round protocol, and the subsequent work of Fitzi and Nielsen [18] improved it to \(\varTheta (f-n/2)\) rounds. In other words, these constructions achieve sublinear number of rounds only if \(f \le n/2 + o(n)\). This is somewhat unsatisfying since even for \(f = 0.51 n\), their results would be inapplicable.

Very recently, the frontier of our understanding was again pushed forward due to Chan, Pass, and Shi [9]. Assuming trusted setup and standard cryptographic assumptions, their protocol achieves Byzantine Broadcast with probability \(1 - \delta \) for any \(f \le (1 - \epsilon ) \cdot n\) in \(\mathsf{poly} \log (1 / \epsilon , 1 / \delta )\) rounds (both in expectation and worst-case), where \(\epsilon , \delta \in (0, 1)\) are two parameters that the protocol takes as input. Although their work represents exciting progress on a long stagnant front, it fails to match the asymptotic (expected) round complexity of known honest majority protocols—for honest majority, it is long known how to achieve expected constant round complexity [2, 26]. We thus ask the following question: can we achieve Byzantine Broadcast in expected constant rounds in the corrupt majority setting?

1.1 Our Contributions

We present a Byzantine Broadcast protocol that achieves expected \(O((\frac{n}{n-f})^2)\) rounds. This means that for \(f = (1-\epsilon )n\) where \(\epsilon \in (0, 1)\) may be an arbitrarily small constant, our protocol achieves expected constant rounds. Our protocol works even under an adaptive adversary, assuming a trusted setup and standard cryptographic assumptions in an algebraic structure called bilinear groups. In this paper, we assume that when the adaptive adversary corrupts a node v in some round r, it cannot erase the message v has already sent in round r but it can make the now-corrupt v inject additional messages into round r—such a model is also referred to as weakly adaptive in earlier works.

To the best of our knowledge, our work is the first to achieve an expected constant-round BB protocol for any \(f\ge n/2 + \omega (1)\). Previously, no result was known even for the static corruption setting, and even under any setup assumptions. We compare our results with the state-of-art results in Table 1 and summarize our results in Theorem 1.

Table 1. A comparison between our results and previous work under dishonest majority.
Full size table

Theorem 1 (Expected constant round BB under adaptive corruption)

Assume trusted setup and that the decisional linear assumption holds in suitable bilinear groupsFootnote 2 Then, there exists a BB protocol with expected \(O((\frac{n}{n-f})^2)\) round complexity for any non-uniform \({ p.p.t.}\) adversary that can adaptively corrupt \(f < n-1\) nodes.

Throughout the paper, we assume a synchronous network, i.e., honest nodes can deliver messages to each other within a single round. This assumption is necessary since without it, Byzantine Broadcast is long known to be impossible under more than n/3 corruptions [13].

1.2 Interpreting Our Result

Below we situate our result in context to help the reader understand how tight the bound is as well as the assumptions we make.

On the Tightness of the Bound and the Resilience Parameter. Theorem 1 says that if the number of honest nodes is an arbitrarily small constant fraction (e.g., 0.01%), we can achieve expected constant rounds. The restriction on the number of honest nodes is necessary in light of an elegant lower bound proven by Garay et al. [19]: they showed that even randomized protocols cannot achieve BB in less than \(\varTheta (n/(n-f))\) number of rounds, even assuming static corruption and allowing reasonable setup assumptions. Note that their lower bound says that when almost all nodes can be corrupt except O(1) nodes who remain honest, then even randomized protocols must incur linear number of rounds. Comparing their lower bound and our upper bound side by side, one can see that for the (narrow) regime \(n - f = o(n)\), there is still an asymptotical gap between our upper bound and their lower bound. Whether we can construct an upper bound that matches their lower bound in this regime remains open, even under static corruptions and allowing any reasonable setup assumptions.

On the Weakly Adaptive Model. Our result holds in the weakly adaptive model [1, 21, 31]. In this model, the adversary can adaptively corrupt a node; and if some node u becomes newly corrupt in round r, the adversary can inject new messages on behalf of u in the same round r; however, the adversary cannot erase the messages u already sent in round r prior to becoming corrupt. The weakly adaptive model is akin to the atomic message model first introduced by Garay et al. [20] as a way to overcome a lower bound pertaining to a particular adaptive, simulation-based notion of security proven by Hirt and Zikas [25]. The only slight difference is that in the atomic message model, not only is the adversary unable to perform “after-the-fact” message removal, it also must wait for one network delay after a node i becomes corrupt, before it is able to inject messages on behalf of i. In this sense, the weakly adaptive model is a slightly weaker model than the atomic model by Garay et al. (and this makes our upper bound slightly stronger).

In comparison, the classical consensus literature often considered a strongly adaptive model [12, 16, 19]—this was also the widely accepted model in the early distributed systems and multi-party protocols literature (see also Definition 1 in Feldman’s thesis [17] and Fig. 4, page 176 of Canetti’s excellent work [7]). In the strongly adaptive model, the adversary is allowed to perform “after-the-fact” message removal, i.e., if the adversary adaptively corrupts a node u in round r, it can erase all messages u had sent in round r prior to becoming corrupt. Thus, a strongly adaptive adversary has strictly more power than a weakly adaptive one. The weakly adaptive model was inspired by the line of work on blockchains and sublinear-communication, large-scale consensus protocols. Many famous protocols including Nakamoto’s consensus [30, 34], and other subsequent blockchain protocols [1, 10, 11, 32, 33, 35] were proven secure in the weakly adaptive model, and it is widely known that their security fails to hold in the strongly adaptive model. The recent work by Abraham et al. [1] showed that this is not a coincidence—in the strongly adaptive model, no consensus protocol can achieve sublinear communication overhead!

We adopt the weakly adaptive model inspired by the blockchain line of work. The techniques in this paper do not easily extend to the strongly adaptive model; there is an attack that breaks our protocol under the strongly adaptive model.

It remains an open question whether in the strongly adaptive model, expected constant round BB is possible under even 51% corruption. In fact, in the strongly adaptive model under 51% corruption, even sublinear-round protocols were not known. In a companion work [36], we show that assuming trusted setup, the existence of time-lock puzzles and other reasonable cryptographic assumptions, one can construct BB with polylogarithmic round complexity in the strongly adaptive model. It is interesting to note that the techniques used in that work [36] depart completely from the ones in this paper. In light of our companion paper [36], it remains open 1) whether any sublinear-round BB is possible under 51% strongly adaptive corruption, without time lock puzzles; and 2) whether expected constant round BB is possible under 51% strongly adaptive corruption and any reasonable assumptions. New upper- or lower-bounds in these directions would be exciting.

On the Necessity of Trusted Setup. We assume a trusted setup to get our weakly adaptive BB. Due to the famous lower bound by Lamport et al. [28], some setup assumption is necessary to get consensus under at least n/3 (even static) corruptions. We do not understand if our trusted setup can be weakened, and we leave it as another exciting open question. We stress, however, that expected constant-round BB under 51% corruption is an open question whose answer has eluded the community for more than three decades, under any assumption, allowing any (reasonable) setup, and even under static corruption. We therefore believe that despite our trusted setup and weakly adaptive restrictions, our result is an important step forward in this line of work.

2 Technical Overview

2.1 Preliminaries

Problem Definition. The problem of Byzantine Broadcast has been widely explored. Suppose there are n nodes (sometimes also called parties) in a distributed system, indexed from 1 to n, respectively. The communication within the system is modeled by a synchronous network, where a message sent by an honest node in some round r is guaranteed to be delivered to an honest recipient at the beginning of the next round \(r+1\). Among the n nodes in the system, there is a designated sender whose identity is common knowledge. Before the protocol begins, the sender receives an input bit b. All nodes then engage in interactions where the sender aims to send the bit b to everyone. At the end of the protocol, each node u outputs a bit \(b_u\). Henceforth, we assume that the protocol is parameterized with a security parameter \(\lambda \). We say that a protocol achieves Byzantine Broadcast if it satisfies the following guarantees except with negligibly small in \(\lambda \) probability.

  • Consistency: for any two honest nodes u and v, \(b_u = b_v\).

  • Validity: if the designated sender is honest, for any honest node u, \(b_u = b\).

Although our main definition is for agreeing on a single bit, our approach easily extends to multi-valued BB too.

Adversary Model. At any point of time during the protocol’s execution a node can either be honest or corrupt. Honest nodes correctly follow the protocol, while corrupt nodes are controlled by an adversary and can deviate from the prescribed protocol arbitrarily. We allow the adversary to be rushing, i.e., it can observe the messages honest nodes want to send in round r before deciding what messages corrupt nodes send in the same round r.

We consider an adaptive adversary in our paper. In any round r, it can adaptively corrupt honest nodes after observing the messages they want to send in round r, as long as the total number of corrupted nodes does not exceed an upper bound f. If a node \(v \in [n]\) becomes newly corrupt in round r, the adversary can make it inject new messages of its choice in the present round r; however, the adversary cannot perform “after-the-fact removal”, i.e., erase the messages v sent in round r before it became corrupt.

Modeling Setup. We will allow setup assumptions as well as standard cryptography. Our protocol makes use of a public-key infrastructure and digital signatures, and for simplicity in this paper we assume that the signature scheme is ideal. We adopt a standard idealized signature model, i.e., imagine that there is a trusted functionality that keeps track of all messages nodes have signed and answers verification queries by looking up this trusted table. Under such an idealized signature model, no signature forgery is possible. When we replace the ideal signature with a real-world instantiation that satisfies the standard notion of “unforgeability under chosen-message attack”, all of our theorems and lemmas will follow accounting for an additive, negligibly small failure probability due to the failure of the signature scheme—this approach has been commonly adopted in prior works too and is well-known to be cryptographically sound (even against adaptive adversaries).

For other cryptographic primitives we adopt, e.g., verifiable random functions, we do not assume idealized primitives since the computationally sound reasoning for these primitives is known to have subtleties.

2.2 Technical Roadmap

Byzantine Broadcast under dishonest majority is challenging even under static corruption because the standard random committee election technique fails to work. More concretely, in the honest majority setting and assuming static corruption, a well-known random committee election technique can allow us to compile any polynomial-round BB to a poly-logarithmic round BB protocol. However, as already pointed out by Chan et al. [9], this technique is inapplicable to the corrupt majority setting even under a static adversary.Footnote 3 Similarly, we also know of no way to extend the recent techniques of Chan et al. [9] to obtain our result. Instead, we devise novel techniques that redesign the consensus protocol from the ground up.

Trust Graph Maintenance (Section 3). First, we devise a new method for nodes to maintain a trust graph over time. While previous work [5, 22] also used consistency graph in multiparty protocols and secret sharing, our trust graph is of a different nature from prior work. We are the first to tie the round complexity of distributed consensus with the diameter of a trust graph, and upper bound the diameter.

The vertices in the trust graph represent nodes in the BB protocol; and an edge between u and v indicates that u and v mutually trust each other. Initially, every node’s trust graph is the complete graph; however, during the protocol, if some nodes misbehave, they may get removed completely or get disconnected from other nodes in honest nodes’ trust graphs. On the other hand, honest nodes will forever remain direct neighbors to each other in their respective trust graphs.

There are a few challenges we need to cope with in designing the trust graph mechanism. First, if a node v misbehaves in a way that leaves a cryptographic evidence implicating itself (e.g., double-signing equivocating votes), then honest nodes can distribute this evidence and remove v from their trust graphs. Sometimes, however, v may misbehave in a way that does not leave cryptographic evidence: for example, v can fail to send a message it is supposed to send to u, and in this case u cannot produce an evidence to implicate v. In our trust graph mechanism, we allow u to complain about v without providing an evidence, and a receiver of this complaint can be convinced that at least one node among u and v is corrupt (but it may not be able to tell which one is corrupt). In any case, the receiver of this complaint may remove the edge (uv) from its trust graph. We do not allow a node u to express distrust about an edge (vw) that does not involve itself—in this way a corrupt node cannot cause honest nodes to get disconnected in their trust graphs.

A second challenge we are faced with is that honest nodes may not have agreement for their respective trust graphs at any point of time—in fact, reaching agreement on their trust graphs may be as hard as the BB problem we are trying to solve in the first place. However, if honest nodes always share their knowledge to others, we can devise a mechanism that satisfies the following monotonicity condition: any honest node’s trust graph in round \(t > r\) is a subgraph of any honest node’s trust graph in round r. In our protocol we will have to work with this slightly imperfect condition rather than complete agreement.

Finally, although an honest node is convinced that besides their direct neighbors in its own trust graph, no one else can be honest, it still must wait to hear what nodes multiple hops away say during the protocol. This is because their direct neighbors may still trust their own neighbors, and the neighbors’ neighbors may care about their own neighbors, etc. For information to flow from a node v that is r hops away from u in u’s trust graph may take up to r rounds, and this explains why the diameter of the trust graph is critical to the round complexity of our protocol. We will devise algorithms for ensuring that honest nodes’ trust graphs have small diameter. To maintain small diameter, we devise a mechanism for nodes to post-process their trust graphs: for example, although a node u may not have direct evidence against v, if many nodes complain about v, u can be indirectly convinced that v is indeed corrupt and remove v.

The \(\mathsf{TrustCast} \) Building Block (Section 4). A common technique in the consensus literature is to bootstrap full consensus from weaker primitives, often called “reliable broadcast” or “gradecast” depending on the concrete definitions [6, 16, 26]. Typically, these weaker primitives aim to achieve consistency whether the sender is honest or not; but they may not achieve liveness if the sender is corrupt [6, 16, 26]. Based on a weaker primitive such as “reliable broadcast” or “gradecast”, existing works would additionally rely on random leader election to bootstrap full consensus. Roughly speaking, every epoch a random leader is chosen, and if the leader is honest, liveness will ensue. Additionally, relying on the consistency property of this weaker primitive, with enough care we can devise mechanisms for ensuring consistency within the same epoch and across epochs—in other words, honest nodes must make the same decision no matter whether they make decisions in the same epoch or different epochs.

In our work we devise a \(\mathsf{TrustCast}\) building block which is also a weakening of full consensus and we would like to bootstrap consensus from this weaker primitive. Our definition of \(\mathsf{TrustCast}\), however, is tied to the trust graph and departs significantly from prior works. Specifically, \(\mathsf{TrustCast}\) allows a sender \(s \in [n]\) to send a message to everyone: if s wants to continue to remain in an honest node u’s trust graph, u must receive some valid message from s at the end of the protocol, although different honest nodes may receive inconsistent messages from s if s is corrupt. At a high level, the sender s has three choices:

  1. 1.

    it can either send the same valid message to all honest nodes;

  2. 2.

    (*technical challenge) or it can fail to send a valid message to some honest node, say u,—in this case u will remove s from its trust graph immediately and in the next round all honest nodes will remove s from their trust graphs;

  3. 3.

    or u can send equivocating messages to different honest nodes, but in the next round honest nodes will have compared notes and discovered the equivocation, and thus they remove s from their trust graphs.

The first case will directly lead to progress in our protocol. In the second and third cases, s will be removed from honest nodes’ trust graphs; we also make progress in the sense that s can no longer hamper liveness in the future.

An important technical challenge for designing the \(\mathsf{TrustCast}\) protocol lies in the second case above: in this case, u may not have a cryptographic evidence to implicate s and thus u cannot directly convince others to remove s. However, in this case, it turns out that u can be convinced that some of its direct neighbors must be corrupt, and it will instead convince others to remove the edge (uv) for every direct neighbor v that it believes to be corrupt. Once these edges are removed, s will land in a “remote” part of the graph such that honest nodes can be convinced that it is corrupt and remove it altogether.

3 Trust Graph Maintenance

3.1 Overview of Trust Graph Maintenance and Invariants

At a very high level, the novelty of our approach lies in the way parties maintain and make use of an undirected trust graph over time. In a trust graph, the vertices correspond to all or a subset of the parties participating in the consensus protocol. An edge (uv) in the trust graph intuitively means that the nodes \(u \in [n]\) and \(v \in [n]\) mutually trust each other. Since a node in the graph corresponds to a party in the system, to avoid switching between the words “node” and “party”, we will just use the word “node”.

Initially, every honest node’s trust graph is the complete graph over the set [n], i.e., everyone mutually trusts everyone else. However, over the course of the protocol, a node may discover misbehavior of other nodes and remove nodes or edges from its own trust graph accordingly. We will assume that at any point of time, an honest node u’s trust graph must be a single connected component containing u—effectively u would always discard any node disconnected from itself from its own trust graph.

Notations. Throughout the paper, we will use \(G_u^r\) to denote the node u’s updated trust graph in round r (after processing the graph-messages received in round r and updating the trust graph). More precisely, \(G_u^r\) is the trust graph exported by u’s trust graph module to u’s consensus module. Sometimes, if the round we refer to is clear, we may also write \(G_u\) omitting the round r. We also use N(vG) to denote the set of neighbors of v in the graph G. In cases where the graph G we refer to is clear, we just abbreviate it to N(v). For convenience, we always assume that a node is a neighbor of itself. Therefore, \(v\in N(v)\) holds.

Finally, we follow the notations in Sect. 2.1 where n is the number of nodes in the system, f is the upper bound for the number of corrupt nodes and \(h = n - f\) is the lower bound for the number of honest nodes.

Important Invariants of the Trust Graph. A very natural requirement is that corrupt nodes can never cause honest nodes to suspect each other; in fact, we want the following invariant:

  • Honest clique invariant: at any time, in any honest node’s trust graph, all honest nodes form a clique. This implies that all honest nodes must forever remain direct neighbors to each other in their trust graphs.

The round complexity of our protocol is directly related to the diameter of honest nodes’ trust graphs and thus we want to make sure that honest nodes’ trust graphs have small diameter. To understand this more intuitively, we can consider an example in which three nodes, uv, and s execute Byzantine Broadcast with s being the sender. All three nodes behave honestly except that s drops all messages to u. In this case, although u is convinced that s is corrupt and thus removes the edge (us) from its trust graph, it cannot prove s’s misbehavior to v. Since v still has reasons to believe that s might be honest, v will seek to reach agreement with s. Now, if u tries to reach agreement with v, it has to care about what s says. But since s drops all messages to u, any information propagation from s to u must incur 2 rounds with v acting as the relay.

This example can generalize over multiple hops: although an honest node \(u \in [n]\) knows that except for its direct neighbors in its trust graph, everyone else must be corrupt; it must nonetheless wait for information to propagate from nodes multiple hops away in its trust graph. For a node w that is r hops away from u in u’s trust graph, information from w may take r rounds to reach u. Summarizing, for our protocol to be round efficient, we would like to maintain the following invariant:

  • Small diameter invariant: at any point of time, every honest node u’s trust graph must have small diameter.

Finally, we stress that a difficult challenge we are faced with, is the fact that honest nodes may never be in full agreement w.r.t. their trust graphs at any snapshot of time—in fact, attempting to make honest nodes agree on their trust graphs could be as difficult as solving the Byzantine Broadcast problem itself. However, from a technical perspective, what will turn out to be very helpful to us, is the following monotonicity invariant:

  • Monotonicity invariant: an honest node u’s trust graph in round \(t > r\) must be a subset of an honest node v’s trust graph in round r. Here, we say that an undirected graph \(G = (V, E)\) is a subset of another undirected graph \(G' = (V', E')\) iff \(V \subseteq V'\) and \(E \subseteq E'\).

The above trust graph monotonicity invariant can be maintained because of the following intuition: whatever messages an honest node \(v \in [n]\) sees in round r, v can relay them such that all other honest nodes must have seen them by round \(r+1\)—in this way the honest node u would perform the same edge/node removal in round \(r+1\) as what v performed in round r.

3.2 Conventions and Common Assumptions

Throughout our paper, we assume that message echoing among honest nodes is implicit (and our protocol will not repeatedly state the echoing):

  • Implicit echoing assumption: All honest nodes echo every fresh message they have heard from the network, i.e., as soon as an honest node u receives a message m at the beginning of some round r, if this message is well-formed and has not been received before, u relays it to everyone.

Each node has a consensus module (see Sects. 4 and 5) and a trust graph module which will be described in this section. Messages generated by the trust graph module and the consensus module will have different formats. Henceforth, we may call messages generated by the trust graph module graph messages; and we may call all other messages consensus messages. Below, we state some assumptions about the modules and their interfaces. We assume that all messages generated by the consensus module are of the following format:

  • Message format of the consensus module: All protocol messages generated by the consensus module are of the form \((\mathtt{T}, e, \mathsf{payload})\) along with a signature from the sender, where \(\mathtt{T}\) is a string that denotes the type of the message, \(e\in \mathbb {N}\) denotes the epoch number (the meaning of this will be clear later in Sect. 5), and \(\mathsf{payload}\) is a string denoting an arbitrary payload. Each type of message may additionally require its payload to satisfy some wellformedness requirements.

For example, \((\mathtt{vote}, e, b)\) and \((\mathtt{comm}, e, \mathcal {E})\) represent vote messages and commit messages, respectively, in our Byzantine Broadcast protocol (see Sect. 5), where \(\mathtt{vote}\) and \(\mathtt{comm}\) denote the type of the message, e denotes the epoch number, and the remainder of the message is some payload.

In our consensus module, nodes can misbehave in different ways, and some types of misbehaviors can generate cryptographic evidence to implicate the offending node. We define equivocation evidence below.

  • Equivocation evidence. In our consensus module, honest nodes are not supposed to double-sign two different messages with the same type and epoch number—if any node does so, it is said to have equivocated. Any node that has equivocated must be malicious. The collection of two messages signed by the same node \(u \in [n]\), with the same type and epoch but different payloads, is called an equivocation evidence for u.

3.3 Trust Graph Maintenance Mechanism

Note that if the trust graph always remains the complete graph, obviously it would satisfy the aforementioned three invariants. However, keep in mind that the goal for trust graph maintenance is to make sure that corrupt nodes do not hamper liveness. In our protocol, once a node starts to misbehave in certain ways, each honest node would remove them from its trust graph such that they would no longer care about reaching agreement with them. In our scheme, every node maintains its trust graph in the following manner:

figure a

Remark 1

Note that a \((\mathtt{distrust}, (u, v))\) message is only valid if it is signed by u, i.e., the first node in the pair of nodes—this makes sure that corrupt nodes cannot misuse distrust messages to cause an edge between two honest nodes to be removed (in any honest node’s trust graph).

Suppose that an honest node never declares \(\mathsf{Distrust} \) on another honest node—note that this is a condition that our protocol must respect and it will be proved in Theorem 4 of Sect. 4. We first show that the honest clique invariant is satisfied. An edge is removed from the trust graph iff (1) a \(\mathsf{Distrust} \) is declared on the edge or (2) the edge is removed during post processing. Since an honest node never declares \(\mathsf{Distrust} \) on another honest node, we only need to show that we never remove edges between honest nodes during post processing.

Lemma 1

The post processing does not remove any edge between honest nodes.

Proof

We will prove by contradiction. Let us consider post-processing on a node u’s trust graph \(G_u\). Suppose the edge (vw) is removed during post-processing where v and w are both honest nodes. W.l.o.g., we can assume that this is the first time any edge between honest nodes is removed during post processing. This means that before post processing, all honest nodes are fully connected in \(G_u\), i.e., all honest nodes are the neighbors of both v and w. Thus, we have \(|N(v, G_u) \cap N(w, G_u)| \ge h\). This violates our assumption that (vw) is removed during post processing, because (vw) is removed iff \(|N(v, G_u) \cap N(w, G_u)| < h\).

The monotonicity invariant is not as apparent. We need to show that if an honest node u removes an edge during post-processing, another honest node v would remove this edge as well in the next round. The observation is that the post-processing algorithm does not change the subgraph relationship—if G is a subgraph of H and we apply post-processing on both G and H to get \(G'\) and \(H'\), then \(G'\) would still be a subgraph of \(H'\). Since an edge can only be removed by calling \(\mathsf{Distrust}\) and post processing, we can prove the monotonicity invariant using induction. Due to the page limit, we skip the proof for the monotonicity lemma. The detailed proof for Lemma 2 can be found in the online version [37].

Lemma 2

The trust graph maintenance mechanism satisfies the monotonicity invariant, i.e., for any honest node uv and any round number r, \(G_v^{r + 1}\) is a subgraph of \(G_u^{r}\).

Finally, the most challenging part is to prove that the post-processing mechanism will output a graph with diameter at most O(n/h). To prove this, we will show that if the graph’s diameter is larger than 2n/h, there must exist an edge (vw) such that \(|N(v) \cap N(w)| < h\)—henceforth, we call such an edge a fictitious edge. At a very high level, observe that if the graph’s diameter is greater than 2n/h, there must exist a path from some u to some \(u'\) whose length is greater than 2n/h. Now, we can divide nodes into layers based on their distance from u, where \(S_i\) denotes all nodes at distance i from u. Since there must be more than 2n/h layers, we can show that there must exist two adjacent layers \(S_i\) and \(S_{i+1}\) such that the union of the two contains fewer than h nodes. Therefore, any edge between the two layers is a fictitious edge. This is the high level intuition and might be inaccurate in the boundary condition. Through a more involved argument (see our online version [37] for detail), we can provide a tight upper bound and show that after the post-processing, the graph’s diameter is at most \(d = \lceil n/h\rceil + \lfloor n/h\rfloor - 1\).

Lemma 3

The post-processing guarantees that the diameter of the trust graph is upper bounded by \(d = \lceil n/h\rceil + \lfloor n/h\rfloor - 1\).

The following theorem follows directly from Lemma 1, 2 and 3.

Theorem 2

(Efficient trust graph mechanism). Suppose that an honest node never declares \(\mathsf{Distrust} \) on another honest node (which is proven to be true in Sect. 4). Then, the efficient trust graph maintenance mechanism satisfies the honest clique invariant, the monotonicity invariant, and moreover, at any point of time, any honest node’s trust graph has diameter at most \(d = \lceil n/h \rceil + \lfloor n/h \rfloor - 1\).

Finally, observe that the trust graph module’s communication (including implicit echoing of graph messages) is upper bounded by \(\widetilde{O}(n^4)\) (the \(\widetilde{O}\) hides the \(\log n\) terms needed to encode a node’s identifier). This is because there are at most \(O(n^2)\) number of effective \(\mathtt{distrust}\) messages and everyone will echo each such message seen to all nodes.

4 New Building Block: The TrustCast Protocol

Starting from this section, we will be describing the consensus module. In this section, we first describe an important building block called \(\mathsf{TrustCast}\) which will play a critical role in our BB protocol. Before describing the consensus module, we first clarify the order in which the trust module and consensus module are invoked within a single round:

  1. 1.

    At the beginning of the round, a node u receives all incoming messages.

  2. 2.

    Next, u’s trust graph module processes all the graph-messages and updates its local trust graph:

    • Process all the freshly seen \(\mathsf{Distrust}\) messages and remove the corresponding edges from its trust graph.

    • Check for new equivocation evidence: if any equivocation evidence is seen implicating any \(v \in [n]\), remove v and all edges incident to v from the node’s own trust graph.

    Recall also that every time an edge or node is removed from a node’s trust graph, a post-processing procedure is called to make sure that the trust graph still has O(n/h) diameter (see Sect. 3.3).

  3. 3.

    Now, u’s consensus module processes the incoming consensus messages, and computes a set of messages denoted M to send in this round. The rules for computing the next messages M are specified by our Byzantine Broadcast protocol (Sect. 5) which calls the \(\mathsf{TrustCast}\) protocol (this section) as a building block. The protocol is allowed to query the node’s current trust graph (i.e., the state after the update in the previous step).

  4. 4.

    Finally, u sends M to everyone; additionally, for every fresh message first received in this round, u relays it to everyone.

Henceforth, in our consensus module description, whenever we say “at the beginning of round r”, we actually mean in round r after Step (2), i.e., after the trust graph module makes updates and yields control to the consensus module.

4.1 The \(\mathsf{TrustCast}\) Protocol

Motivation and Intuition. We introduce a \(\mathsf{TrustCast}\) protocol that will be used as a building block in our Byzantine Broadcast protocol. In the \(\mathsf{TrustCast}\) protocol, a sender \(s \in [n]\) has a message m and wants to share m with other parties. At the end of the \(\mathsf{TrustCast}\) protocol, any honest node either receives a message from s or removes s from its trust graph. The \(\mathsf{TrustCast}\) protocol does not guarantee consistency: if the sender is corrupt, different honest parties may output different messages from the sender. However, if the sender is indeed honest, then all honest parties will output the message that the sender sends. Very remotely, the \(\mathsf{TrustCast}\) protocol resembles the notion of a “reliable broadcast” [6] or a “gradecast” [16, 26] which is a weakening of Byzantine Broadcast—many existing works in the consensus literature bootstrap full consensus (or broadcast) from either reliable broadcast or gradecast. Similarly, we will bootstrap Byzantine Broadcast from \(\mathsf{TrustCast}\); however, we stress that our definition of the \(\mathsf{TrustCast}\) abstraction is novel, especially in the way the abstraction is tied to the trust graph.

Abstraction and Notations. A \(\mathsf{TrustCast}\) protocol instance must specify a sender denoted \(s \in [n]\); furthermore, it must also specify a verification function \(\mathsf{Vf} \) for receiving nodes to check the validity of the received message. Therefore, we will use the notation \(\mathsf{TrustCast} ^{\mathsf{Vf}, s}\) to specify the verification function and the sender of a \(\mathsf{TrustCast}\) instance. Given a node \(u \in [n]\) and a message m, we also use the following convention

$$\begin{aligned} u.\mathsf{Vf} (m) = \mathsf{true} \text { in round } r \end{aligned}$$

to mean that message m passes the verification of \(\mathsf{Vf} \) w.r.t. node u in round r.

In our Byzantine Broadcast protocol, whenever a sender s calls \(\mathsf{TrustCast} ^{\mathsf{Vf}, s}\) to propagate a message m, the verification function \(\mathsf{Vf}\) and the message m must respect the following two conditions—only if these conditions are satisfied can we guarantee that honest nodes never distrust each other (see Theorem 4).

  • Validity at origin. Assuming that the leader s is honest, it must be that \(s.\mathsf{Vf} (m) = \mathsf{true}\) in round 0, i.e., at the beginning of the \(\mathsf{TrustCast} ^{\mathsf{Vf}, s}\) protocol.

  • Monotonicity condition. We say that \(\mathsf{Vf}\) satisfies the monotonicity condition if and only if the following holds. Let \(r < t\) and suppose that \(u, v \in [n]\) are honest. Then, if \(u.\mathsf{Vf} (m) = \mathsf{true}\) in round r, it must hold that \(v.\mathsf{Vf} (m) = \mathsf{true}\) in round t as well. Note that in the above, u and v could be the same or different parties.

The first condition guarantees that an honest sender always verifies the message it sends. The second condition, i.e., the Monotonicity condition, guarantees that if an honest node successfully verifies a message, then that message would pass verification of all other honest nodes in future rounds. Together, the two conditions imply that the honest sender’s message would pass verification of all honest nodes.

\(\mathsf{TrustCast}\) Protocol. We describe the \(\mathsf{TrustCast} ^{\mathsf{Vf}, s}(m)\) protocol below where a sender \(s \in [n]\) wants to propagate a message of the form \(m = (\mathtt{T}, e, \mathsf{payload})\) whose validity can be ascertained by the verification function \(\mathsf{Vf} \). Recall that by our common assumptions (see Sect. 3.2), honest nodes echo every fresh message seen. Moreover, if an honest node \(u \in [n]\) sees the sender’s signatures on two messages with the same \((\mathtt{T}, e)\) but different payloads, then u removes the sender s from its trust graph. For brevity, these implicit assumptions will not be repeated in the protocol description below.

figure b

To better understand the protocol, consider the example where the sender s is a direct neighbor of an honest node u in u’s trust graph. This means that u “trusts” s, i.e., u thinks that s is an honest node. Therefore, u expects to receive s’s message in the first round of the \(\mathsf{TrustCast}\) protocol. If u has not received from s in the first round, it knows that s must be corrupted. It would thus remove the edge (us) from u’s trust graph.

Similarly, if s is at distance r from u in u’s trust graph, then u should expect to receive a valid message signed by s in at most r rounds. In case it does not, then u can be convinced that all of its direct neighbors that are at distance \(r-1\) or smaller from s in its trust graph must be malicious—therefore u calls \(\mathsf{Distrust} \) to declare distrust in all such neighbors. Note that the distrust messages generated in round r will be processed at the beginning of round \(r + 1\). We now utilize the above intuition to prove that the \(\mathsf{TrustCast}\) protocol satisfies the following properties:

  • At the end of the \(\mathsf{TrustCast}\) protocol, any honest node either receives a message from s or removes s from its trust graph (Theorem 3).

  • In the \(\mathsf{TrustCast}\) protocol, we never remove edges between two honest nodes in any honest node’s trust graph (Theorem 4).

In the rest of the paper, we always use the variable d to represent \(\lceil n/h \rceil + \lfloor n/h \rfloor - 1\).

Theorem 3

Let \(u\in [n]\) be an honest node. At the beginning of round \(d + 1\), either the sender s is removed from u’s trust graph or u must have received a message m signed by s such that \(u.\mathsf{Vf} (m) = \mathsf{true}\) in some round r.

Proof

By the definition of the \(\mathsf{TrustCast} ^{\mathsf{Vf}, s}\) protocol, if in round r, the node u has not received a message m signed by s such that \(u.\mathsf{Vf} (m) = \mathsf{true}\) in round r, then u will call \(\mathsf{Distrust} (v)\) for each of its neighbors v that is within distance \(r - 1\) from s. The \(\mathsf{Distrust} (v)\) operation generates a distrust message that will be processed at the beginning of round \(r + 1\), causing u to remove the edge (uv) from its trust graph. After removing the edge (uv), the trust graph module will also perform some post-processing which may further remove additional edges and nodes. After this procedure, s must be at distance at least \(r+1\) from u or removed from u’s trust graph.

By setting the round number r to d, we can conclude that at the beginning of round \(d + 1\), if u has not received a message m such that \(u.\mathsf{Vf} (m) = \mathsf{true}\), then s must be either at distance at least \(d+1\) from u or removed from u’s trust graph. Yet, u’s trust graph must contain a single connected component containing u, with diameter at most d. So s must be removed from u’s trust graph.

Theorem 4

If the validity at origin and the monotonicity conditions are respected, then an honest node u will never call \(\mathsf{Distrust} (v)\) where v is also honest.

Proof

We can prove by contradiction: suppose that in round \(r \in [1, d]\), an honest node u calls \(\mathsf{Distrust} (v)\) where \(v \in [n]\) is also honest. This means that in round r, u has not received a message m signed by s such that \(u.\mathsf{Vf} (m) = \mathsf{true}\) in round r. Due to the implicit echoing and the monotonicity condition of \(\mathsf{Vf} \), it means that in round \(r-1\), v has not received a message m signed by s such that \(v.\mathsf{Vf} (m) = \mathsf{true}\) in round \(r-1\). We may now consider two cases:

  • Case 1: suppose \(r-1 = 0\). If the validity at origin condition holds, then v cannot be the sender s. In this case u cannot call \(\mathsf{Distrust} (v)\) in round 0 because v is at distance at least 1 from the sender s.

  • Case 2: suppose \(r -1 > 0\). By definition of the \(\mathsf{TrustCast} ^{\mathsf{Vf}, s}\) protocol, in round \(r - 1\), v would send \(\mathsf{Distrust} (w)\) for any w within distance \(r - 2\) from s in \(G_v^{r - 1}\). Suppose v sends distrust messages on \(w_1, \cdots , w_l\) and we denote the graph \(G' \leftarrow G_v^{r - 1} / \{(v, w_1), \cdots , (v, w_l)\}\). Then, in \(G'\), the distance between v and s should be at least r. Let us now consider node u and u’s trust graph. By trust graph monotonicity and Lemma 2, u’s trust graph at the beginning of round r, i.e., \(G_u^{r}\), should be a subset of \(G_v^{r-1}\). Further, u would receive v’s distrust messages on \(w_1, \cdots , w_l\) in round r. Thus,

    $$ G_u^{r} \subseteq G_v^{r - 1} / \{(v, w_1), \cdots , (v, w_l)\}. $$

    This implies that the distance between v and s in \(G_u^r\) should be at least r, contradicting our assumption that the distance between v and s is \(r - 1\).

In either case, we have reached a contradiction.

In this section, we provided a \(\mathsf{TrustCast}\) protocol with nice properties (Theorem 3 and 4) related to the trust graph. In the next section, we will show how to bootstrap full consensus from the \(\mathsf{TrustCast}\) protocol.

Remark 2

Later, when \(\mathsf{TrustCast}\) is invoked by a parent protocol, it could be invoked in an arbitrary round \(r_\mathrm{init}\) of the parent protocol; moreover, at invocation, honest nodes’ trust graphs need not be complete graphs. In this section, our presentation assumed that the initial round is renamed to round 0 (and all the subsequent rounds are renamed correspondingly). We say that a sender s trustcasts message m with verification function \(\mathsf{Vf} \) if s calls \(\mathsf{TrustCast} ^{\mathsf{Vf}, s}\) on message m. If the verification function \(\mathsf{Vf} \) is clear in the context, we just say s trustcasts a message m.

5 Byzantine Broadcast Under an Adaptive Adversary

In this section, we present a Byzantine Broadcast (BB) protocol that achieves security under a weakly adaptive adversary.

Leader Election. One common trick used in existing Byzantine Broadcast protocols is to select a leader in each epoch and let the leader broadcast its proposal. However, ideal leader election is hard to implement under an adaptive adversary. This is because the adaptive adversary will learn the leader’s identity upon receiving the leader’s proposal. It can then corrupt the leader and generate an equivocating proposal. At the high level, we want an honest leader to fulfill its duty before its identity is known to the adversary. To achieve this, we need to use verifiable random functions (VRFs) and a new building block called \(\mathsf{AckCast}\), which is a simple extension of \(\mathsf{TrustCast}\).

Commit Evidence. In our Byzantine Broadcast protocol, each node uses the \(\mathsf{TrustCast}\) protocol to send messages until it becomes confident as to which bit to commit on. Afterwards, it needs to convince other nodes to also commit on this bit using what we call a commit evidence. In other words, once a node generates a valid commit evidence, all other nodes that receive it will commit on the corresponding bit. We want the commit evidence to satisfy that.

  • It is impossible for two nodes to generate valid commit evidences on different bits.

  • If the leader in this epoch is honest, at least one honest node should be able to generate a commit evidence on the leader’s proposed bit.

The first property guarantees consistency while the second property guarantees liveness. We first show what we define to be a commit evidence in our protocol. After we describe our protocol in Sect. 5.3, we will prove that this definition satisfies the two properties above.

Fix an epoch e and a bit \(b \in \{0, 1\}\). We say that a collection \(\mathcal {E} \) containing signed messages of the form \((\mathtt{vote}, e, b)\) is an epoch-e commit evidence for b w.r.t. \(G_u^r\) iff for every \(v \in G_u^r\), \(\mathcal {E} \) contains a signed message \((\mathtt{vote}, e, b)\) from v. Recall that \(G_u^r\) is u’s trust graph at the beginning of round r (after processing graph-messages).

Fix \(u \in [n]\) and the round r. We say that a commit evidence for (eb) w.r.t. \(G_u^r\) is fresher than a commit evidence for \((e', b')\) w.r.t. \(G_u^r\) iff \(e' > e\). Henceforth, we will assume that \(\bot \) is a valid epoch-0 commit evidence for either bit.

Remark 3

In our protocol description, if we say that “node \(u \in [n]\) sees a commit evidence for (eb) in round r”, this means that at the beginning of the round r, after having processed graph-messages, node u has in its view a commit evidence for (eb) w.r.t. \(G_u^r\).

Lemma 4 (Commit evidence monotonicity lemma)

Let \(u, v \in [n]\) be honest nodes. A commit evidence for (eb) w.r.t. \(G_u^r\) must be a commit evidence for (eb) w.r.t. \(G_v^t\) for any \(t > r\). Note that in the above, u and v can be the same or different node(s).

Proof

Due to the trust graph monotonicity lemma, we have \(G_u^t \subseteq G_v^r\) since \(t > r\). The lemma then follows directly.

Protocol Intuition. Our protocol proceeds in incrementing epochs where each epoch consists of three phases, called Propose, Vote, and Commit, respectively. Each phase has O(d) (\(d = \lceil n/h \rceil + \lfloor n/h \rfloor - 1\)) rounds. Intuitively, each phase aims to achieve the following objectives:

  • Propose: the leader uses the \(\mathsf{TrustCast}\) protocol to share the freshest commit evidence it has seen.

  • Vote: each node uses the \(\mathsf{TrustCast}\) protocol to relay the leader’s proposal it receives in the propose phase. At the end of the vote phase, each node checks whether it can construct a commit evidence.

  • Commit: nodes use the \(\mathsf{TrustCast}\) protocol to share their commit evidence.

Besides the three phases, there is also a termination procedure (with the entry point Terminate) that runs in the background and constantly checks whether the node should terminate. Also, to apply the \(\mathsf{TrustCast}\) protocol, we need to define the corresponding verification functions such that the monotonicity condition and the validity at origin condition (defined in Sect. 4.1) are satisfied.

In this section, we first review VRFs [29] in Sect. 5.1. We will apply VRF as a cryptographic primitive in the leader election step. In Sect. 5.2, we introduce our \(\mathsf{AckCast}\) protocol. Finally, in Sect. 5.3, we introduce our Byzantine Broadcast protocol under an adaptive adversary, followed by its proof of correctness.

5.1 Preliminary: Verifiable Random Functions

In this section, we review the definition and notations of VRFs in [29]. A VRF includes the following (possibly randomized) algorithms:

  • \(({ pp}, \{\mathsf {pk} _u, \mathsf {sk} _u\}_{u \in [n]}) \leftarrow \mathsf{Gen} (1^\lambda )\): takes in a security parameter \(\lambda \) and generates public parameters \({ pp} \), and a public and secret key pair \((\mathsf {pk} _u, \mathsf {sk} _u)\) for each node \(u \in [n]\); each \(\mathsf {sk} _u\) is of the form \(\mathsf {sk} _u := (s_u, \rho _u)\) where \(s_u\) is said to be the evaluation key and \(\rho _u\) is said to be the proof key for u.

  • \((y, \pi ) \leftarrow \mathsf{Eval} ({ pp}, \mathsf {sk} _u, x)\): we shall assume that \(\mathsf{Eval}:= (E, P)\) has two sub-routines E and P where \(\mathsf{Eval}.E\) is deterministic and \(\mathsf{Eval}.P\) is possibly randomized. Given the public parameters \({ pp} \), the secret key \(\mathsf {sk} _u = (s_u, \rho _u)\), and input \(x \in \{0, 1\}^{|x|}\), compute \(y := \mathsf{Eval}.E({ pp}, s_u, x)\) and \(\pi := \mathsf{Eval}.P({ pp}, s_u, \rho _u, x)\), and output \((y, \pi )\).

  • \(\{0, 1\}\leftarrow \mathsf{Ver} ({ pp}, \mathsf {pk} _u, x, y, \pi )\): receives the public parameters \({ pp} \), a public key \(\mathsf {pk} _u\), an input x, a purported outcome y, and a proof \(\pi \), outputs either 0 indicating rejection or 1 indicating acceptance.

For a VRF scheme to satisfy correctness, we require that for any \(v \in [n]\) and any input x, the following holds with probability 1: let \(({ pp}, \{\mathsf {pk} _u, \mathsf {sk} _u\}_{u \in [n]}) \leftarrow \mathsf{Gen} (1^\lambda )\), and let \((y, \pi ) \leftarrow \mathsf{Eval} ({ pp}, \mathsf {sk} _v, x)\), then \(\mathsf{Ver} ({ pp}, \mathsf {pk} _v, x, y, \pi ) = 1\).

Suppose the adversary can request to create new VRF instances, query existing instances with specified inputs, selectively corrupt instances and obtain the secret keys of these instances.

  • We say that a VRF scheme satisfies pseudorandomness under selective opening iff the adversary is unable to distinguish the VRF’s evaluation outcomes on any future message from randomly generated values.

  • We say that a VRF scheme satisfies unforgeability, if the adversary cannot forge the VRF outcome and proof on behalf of any honest node on a point that has not been queried.

Due to the page limit, we are unable to review the full definition of VRF. The detailed definition and the cryptographic games are included in the online version [37]. Abraham et al. [1] proved the following theorem where the bilinear group assumptions needed are the same as those adopted by Groth et al. [24].

Theorem 5

(Existence of adaptively secure VRFs [1]). Assuming standard bilinear group assumptions and a trusted setup, we can construct a VRF scheme satisfying pseudorandomness under selective opening and unforgeability.

VRF Technical Lemma. Abraham et al. [1] showed the following theorem regarding VRFs that satisfy pseudorandomness under selective opening attacks. To describe the theorem, we need to first describe the following experiments:

  • Ideal experiment. In the ideal experiment, an adversary \({\mathcal {A}} \) interacts with an idealized oracle \(\mathcal {F} \). The execution continues in epochs. At the beginning of each epoch e, \(\mathcal {F} \) picks a random answer for every query of the form (ue) for \(u \in [n]\), and returns all n answers to \({\mathcal {A}} \). When \({\mathcal {A}} \) calls \(\mathcal {F}.\mathsf{Corrupt}(u)\), \(\mathcal {F} \) records that u has been corrupted.

  • Real experiment. In the real experiment, an adversary \({\mathcal {A}} \) interacts with an oracle \(\mathcal {F} '\). First, \(\mathcal {F} '\) calls \(\mathsf{VRF}.\mathsf{Gen} (1^\lambda )\) and gives the resulting \({ pp}, \mathsf {pk} _1, \ldots , \mathsf {pk} _n\) to \({\mathcal {A}} \), but keeps \(\mathsf {sk} _1, \ldots , \mathsf {sk} _n\) to itself. At the beginning of every epoch e, \(\mathcal {F} '\) computes for every \(u \in [n]\) a tuple \((y_u, \pi _u) := \mathsf{VRF}.\mathsf{Eval} ({ pp}, \mathsf {sk} _u, e)\) and returns \((y_u, \pi _u)\) to \({\mathcal {A}} \). Whenever \({\mathcal {A}} \) calls \(\mathcal {F} '.\mathsf{Corrupt}(u)\), \(\mathcal {F} '\) records that u has been corrupted but also discloses \(\mathsf {sk} _u\) to \({\mathcal {A}}\) as well as all the randomness used by \(\mathsf{Eval} \) earlier pertaining to u.

Now, let \(\mathsf{bad}\) be any polynomial-time computable function defined over the following variables:

Lemma 5

(Technical lemma regarding VRF [1]). Suppose that the VRF satisfies pseudorandomness under selective opening. Then, if there exists a non-uniform \({ p.p.t.}\) adversary \({\mathcal {A}} \) that can cause the bad event \(\mathsf{bad}\) to take place in the real experiment with probability p, there must exist a non-uniform \({ p.p.t.}\) adversary \({\mathcal {A}} '\) that can cause \(\mathsf{bad}\) to happen in the ideal experiment with probability at least \(p - \mathsf{negl} (\lambda )\).

5.2 New Building Block: \(\mathsf{AckCast} \) Protocol

We describe an additional helpful building block called \(\mathsf{AckCast} \) that is a simple extension of the previous \(\mathsf{TrustCast}\). In \(\mathsf{AckCast}\), a sender \(s \in [n]\) trustcasts a message and then every node acknowledges (ACK) the message (also using \(\mathsf{TrustCast}\)). If a node receives ACKs on different messages, which must contain equivocating signatures from the sender, then the sender must be corrupted and can be removed from the trust graph. At the end of the \(\mathsf{AckCast}\) protocol, we guarantee that for any honest node u, either

  • s is no longer in u’s trust graph, or

  • u has received a unique and valid message from s; moreover, u has heard an ACK for the same message from every node in u’s trust graph.

figure c

It can be observed that if \(\mathsf{Vf}\) satisfies the monotonicity condition, then \(\mathsf{Vf} '\) also satisfies the monotonicity condition. Further, \(\mathsf{Vf} '\) also satisfies the validity at origin condition by the property of the first \(\mathsf{TrustCast} ^{\mathsf{Vf}, s}\). We list these observations in Lemmas 6 and fct:validitymulticastack. Due to the page limit, the detailed proof is omitted and can be found in our online version [37].

Lemma 6

If  \(\mathsf{Vf}\) satisfies the monotonicity condition, then \(\mathsf{Vf} '\) also satisfies the monotonicity condition.

Lemma 7

\(\mathsf{Vf} '\) satisfies the validity at origin property, i.e., when an honest node u trustcasts \((\mathtt{ack}, s, m)\) with \(\mathsf{TrustCast} ^{\mathsf{Vf} ', u}\) in some round r during \(\mathsf{AckCast} ^{\mathsf{Vf}, s}\), it must be that \(u.\mathsf{Vf} '(\mathtt{ack}, s, m) = \mathsf{true}\) in round r.

Given Lemmas 6 and 7, we can show that \(\mathsf{AckCast}\) satisfies what we want.

Lemma 8

Assume that \(\mathsf{Vf} \) satisfies the monotonicity condition and that the message m input to s satisfies the validity at origin condition. Then, at the end of the \(\mathsf{AckCast}\) protocol, for any honest node u, either

  1. 1.

    s is no longer in u’s trust graph or

  2. 2.

    u has heard s trustcast a unique message m such that \(u.\mathsf{Vf} (m) = \mathsf{true}\) at the end of the protocol; moreover, u must have received an ACK of the form \((\mathtt{ack}, s, m)\) from every node in its trust graph.

Proof

Since \(\mathsf{Vf} \) satisfies the monotonicity condition and the validity at origin condition, by Lemmas 6 and 7, \(\mathsf{Vf} '\) also satisfies the monotonicity condition and the validity at origin condition. Thus, by Theorem 3, for any two honest nodes u and v, u must have received a valid ACK from v that passes \(\mathsf{Vf} '\) in \(\mathsf{TrustCast} ^{\mathsf{Vf} ', v}\). In other words, by the end of the \(\mathsf{AckCast}\) protocol, any honest node u must have received valid ACKs that passes \(\mathsf{Vf} '\) from all nodes in its trust graph.

Now, we want to show that the ACKs u receives match what s trustcasts. If s is still in u’s trust graph by the end of \(\mathsf{AckCast}\), by Theorem 3, u must have received a valid message from s. By the definition of \(\mathsf{Vf} '\), each ACK message received by u must agree with what s has trustcast. This completes our proof.

5.3 Protocol

Strawman Attempt. We first discuss a strawman attempt using a VRF that achieves security against an adaptive adversary. In every epoch, every node u computes \((y_u, \pi _u) := \mathsf{VRF}({ pp}, \mathsf {sk} _u, e)\). \(y_u\) is said to be u’s charisma and we define the leader to be the node with the maximum charisma. The issue with this approach is that the adversary, upon observing that u has the maximum charisma and is the leader, can immediately corrupt u, and make u send an equivocating proposal. Such an attack will not affect consistency, however, it will hamper liveness due to the following: every honest node, upon seeing u’s equivocating proposal, removes u from its trust graph; and now they would vote for \(\bot \) in the Vote phase. An adversary with a corruption budget of f can continue this attack for f epochs in which an honest node becomes the leader, and thus liveness can take as long as \(\varOmega (f)\) epochs to ensue.

To defeat the aforementioned attack, we are inspired by techniques from the standard Byzantine Broadcast literature [2, 26] but it is not trivial to adapt these techniques to our setting. At a high level, during the Propose phase of each epoch, everyone multicasts a proposal using \(\mathsf{AckCast} \) pretending that they might be the elected leader. Because \(\mathsf{AckCast}\) rather than \(\mathsf{TrustCast}\) is used, effectively everyone would also trustcast an ACK for everyone’s proposal. Note that at this time, the VRF outcomes have not been revealed and the adversary cannot effectively single out and target the leader.

Our key idea is to require that a valid proposal must contain everyone’s ACK message. In this way, when nodes reveal their VRF outcomes (i.e., their charisma), the adversary may immediately corrupt the leader, but it is already too late for the now-corrupt leader to insert a new equivocating proposal, because there is no time for this new equivocating proposal to acquire ACKs from everyone. To integrate this idea into our protocol invovles further technicalities, but with this intuition in mind, we can now present our protocol formally.

Protocol. Our protocol is described below.

figure d

5.4 Consistency, Liveness and Validity Proof

To apply the properties of the \(\mathsf{TrustCast}\) protocol, we must show that our verification functions respect the monotonicity condition and validity at origin. The monotonicity condition follows from the trust graph’s monotonicity invariant and our implicit echoing assumption. The validity at origin property can be verified mechanically. We defer the detailed proofs to the online version [37].

Given that the verification functions respect the monotonicity condition and validity at origin, we first prove that our Byzantine Broadcast protocol achieves consistency, i.e., honest nodes always output the same bit. We divide the proof into two parts. First, we show that within the same epoch, two honest nodes cannot commit on different bits. Secondly, we show that even across different epochs, consistency is still guaranteed.

Lemma 9 (Consistency within the same epoch)

If an honest node \(u \in [n]\) sees an epoch-e commit evidence for the bit \(b \in \{0, 1\}\) in some round r, and an honest node \(v \in [n]\) sees an epoch-e commit evidence for the bit \(b' \in \{0, 1\}\) in some round t, it must be that \(b = b'\).

Proof

Let \(\mathcal {E} \) be the epoch-e commit evidence seen by u in round r and let \(\mathcal {E} '\) be the epoch-e commit evidence seen by v in round t. Due to the honest clique invariant of the trust graph, \(\mathcal {E} \) must contain signatures on \((\mathtt{vote}, e, b)\) from every honest node, and \(\mathcal {E} '\) must contain signatures on \((\mathtt{vote}, e, \widetilde{b})\) from every honest node. However, each honest node will only vote for a single bit in any given epoch e. It holds that \(b = b'\).

Lemma 10 (Consistency across epochs)

If an honest node \(u \in [n]\) outputs the bit b in some epoch e, then in every epoch \(e' > e\), no honest node \(v \in [n]\) can ever see a commit evidence for \((e', 1-b)\).

Proof

We will use induction to show that honest nodes will never receive commit evidence for the bit \(1-b\) in any epoch after e. By the protocol definition, for u to output b in epoch e, it must have seen a commit evidence for (eb) at the beginning of the Commit phase in epoch e. We have already shown in Lemma 9 that any two nodes cannot commit on different bits within the same epoch. Therefore, there cannot exist any commit evidence for \(1 - b\) in epoch e. Thus, we have shown the base case of our induction.

Suppose no honest node has seen any commit evidence for \(1 - b\) between epoch e and \(e'\) (\(e' \ge e\)), we will show that no commit evidence will be seen for \(1 - b\) in epoch \(e' + 1\) as well. Note that in epoch e, u will use \(\mathsf{TrustCast} ^{\mathsf{Vf} _\mathrm{comm}, u}\) to trustcast its commit evidence for (eb), and all honest nodes will receive it by the end of epoch e. Since no commit evidence for \(1 - b\) has been seen afterwards, for any honest node, the freshest commit evidence it has seen is on b. Now, during epoch \(e' + 1\), every honest node will reject \(L_{e'+1}\)’s proposal (where reject means not passing the \(\mathsf{Vf} _\mathrm{prop}\) function) unless it is for the same bit b; and if they do reject \(L_{e'+1}\)’s proposal, they will vote on \(\bot \). Therefore, in epoch \(e' + 1\), no honest node will vote for \(1-b\), and no honest node will ever see a commit evidence for \((e'+1, 1-b)\). This completes our induction proof.

Theorem 6 (Consistency)

If honest nodes u and v output b and \(b'\), respectively, it must be that \(b = b'\).

Proof

For an honest node to output b in epoch e, it must observe a commit evidence for (eb) in epoch e. Consider the earliest epoch e in which an honest node, say, \(u'\), outputs a bit b. By definition, every other honest node will output in epoch e or greater. By Lemma 9, no honest node will output \(1-b\) in epoch e. By Lemma 10, no honest node will output \(1-b\) in epoch \(e' > e\).

Next, we show that our protocol achieves liveness and terminates in expected constant rounds. Observe that if an honest node terminates, then all other honest nodes would terminate in the next round.

Lemma 11

If some honest node terminates in round r, then all honest nodes will have terminated by the end of round \(r + 1\).

Proof

If an honest node terminates in round r, it must have received consistent commit evidence from every node in its trust graph. By the implicit echoing assumption, it would forward those commit evidences to all other honest nodes before round \(r + 1\). By the trust graph monotonicity invariant and the commit evidence monotonicity lemma (Lemma 4), all other honest nodes would gather enough commit evidence in round \(r + 1\) and terminate as well.

During the execution, even before nodes reveal their charisma for some epoch e, we can already define a node u’s epoch-e charisma as the honestly computed VRF outcome \(\mathsf{VRF}.\mathsf{Eval} ({ pp}, \mathsf {sk} _u, e)\). This definition is well-formed no matter whether the node is honest or corrupt.

Definition 1 (Lucky epoch)

Henceforth, we say that epoch e is lucky iff the node with the maximum epoch-e charisma has not been corrupted until it has sent a signed \((\mathtt{elect}, e, \_, \_)\) message.

Lemma 12

Suppose that the VRF satisfies unforgeability. Except with negligible probability, the following holds: if e is a lucky epoch, then one round after the end of epoch e, all honest nodes will terminate.

Proof

By Lemma 11, if any honest node terminates during epoch e, all honest nodes will terminate in the next round. Therefore, it suffices to prove the lemma assuming that no honest node has terminated by the end of epoch e, i.e., we may assume that all honest nodes will participate in all the \(\mathsf{TrustCast}\) protocols till the end of epoch e. Thus, we can safely use the properties of \(\mathsf{TrustCast}\).

Suppose epoch e is a lucky epoch. This means that the node L with the maximum epoch-e charisma has not been corrupted until it has sent the signed elect message \((\mathtt{elect}, e, y, \pi )\). Since the adaptive adversary cannot remove messages already sent, all honest nodes will receive the elect message. Every honest node will then trustcast \((\mathtt{prep}, e, b, L, y, \pi )\) where b is L’s proposed bit in the Propose phase of epoch e. Since L remains honest throughout the propose phase, all nodes have consistent views on L’s proposed bit and they can only Ack b. After the propose phase, honest nodes no longer Ack any new proposal. Thus, even if L becomes corrupt immediately after sending the elect message, it cannot gather Ack messages from honest nodes on the bit \(1 - b\).

By Theorem 3, after the Vote phase, for any two honest nodes u and v, u must have received a vote from v that passes \(\mathsf{Vf} _\mathrm{vote}\). Due to condition (c) of the \(\mathsf{Vf} _\mathrm{vote}\) check, the vote from v must vote for the same bit b that L proposes. Thus, at the end of the Vote phase, any honest node would receive votes on b from every node in its trust graph, which forms a commit evidence for b.

Again, by Theorem 3, after the Commit phase, for any two honest nodes u and v, u must have received a commit message from v that passes \(\mathsf{Vf} _\mathrm{comm}\). Recall that a \(\bot \) commit message passes \(\mathsf{Vf} _\mathrm{comm}\) w.r.t. node u iff there exists a node not in u’s trust graph, whose charisma is greater than all the prepare messages u has received. However, since epoch e is a lucky epoch, all honest nodes generate their prepare message from L, who has the largest charisma in epoch e. Therefore, all the commit messages received must be non-\(\bot \) commit messages. And since all honest nodes vote on b in the Vote phase, the commit message must be on b. In conclusion, unless the adversary can successfully forge a VRF result which happens with negligible probability, any honest node will receive commit messages from every node in its trust graph on b. This satisfies the termination condition and all honest nodes will terminate.

Lemma 13

Suppose that the VRF satisfies pseudorandomness under selective opening. Then, let \(\mathbf{R}_\mathrm{lucky}\) be a random variable denoting the first lucky epoch. It must be that there is a negligible function \(\mathsf{negl} (\cdot )\) such that for every R,

$$ \Pr [\mathbf{R}_\mathrm{lucky} \ge R] \le \Pr [ \mathsf{Geom}(h/n) \ge R] + \mathsf{negl} (\lambda ) $$

where \(\mathsf{Geom}(h/n)\) denotes a geometric random variable with probability h/n.

Proof

We can consider an ideal-world protocol defined just like the real-world protocol except for the following: whenever a node needs to compute \(\mathsf{VRF}.\mathsf{Eval} ({ pp}, \mathsf {pk} _u, e)\), it will instead call an ideal functionality \(\mathcal {F}.\mathsf{Eval} (u, e)\). Upon receiving this call, \(\mathcal {F} \) picks y, at random if this is the first time \(\mathsf{Eval} (u, e)\) is queried, and records the tuple (uey). Now \(\mathcal {F} \) returns the answer y that has been recorded for the query (ue), and the tuple \((y, \bot )\) will be used in place of the outcome of the VRF evaluation. Similarly, whenever a node needs to call \(\mathsf{VRF}.\mathsf{Ver} ({ pp}, \mathsf {pk} _u, e, y, \pi )\), the call is replaced with a call to \(\mathcal {F}.\mathsf{Ver} (u, e, y)\), which simply checks if the tuple (uey) has been recorded—if so, return 1; else return 0.

In this ideal world protocol, since leaders are elected completely randomly, it is not hard to see that \(\Pr [\mathbf{R}_\mathrm{lucky} \ge R] = \Pr [ \mathsf{Geom}(h/n) \ge R]\).

By the VRF technical lemma (Lemma 5), it is impossible to distinguish between the results of VRFs (the real-world protocol) and a uniformly random distribution (the ideal world protocol) for any polynomially bounded adversary. It thus follows that in the real-world protocol,

$$ \Pr [\mathbf{R}_\mathrm{lucky} \ge R] \le \Pr [ \mathsf{Geom}(h/n) \ge R] + \mathsf{negl} (\lambda ) $$

as long as the adversary is polynomially bounded.

Theorem 7 (Liveness)

Assume that the VRF adopted satisfies pseudorandomness under selective opening and unforgeability. Then, the protocol described in Sect. 5.3 achieves liveness in \(O((n/h)^2)\) number of rounds.

Proof

Follows directly from Lemma 12 and Lemma 13.

Finally, we show that the protocol also achieves validity. Note that the definition of validity needs to be slightly adjusted under the adaptive adversary model. Since an adaptive adversary can corrupt arbitrary nodes at any time, the validity requirement only makes sense when the initial sender remains honest throughout the entire protocol.

Theorem 8 (Validity)

Assume that the VRF adopted satisfies unforgeability. For the protocol described in Sect. 5.3, the following holds except with negligible probability: if the designated sender s is (forever) honest, then everyone will output the sender’s input bit.

Proof

Recall that by our construction, s is guaranteed to have the maximum charisma in epoch 1. The proof of Lemma 12 implies that if s is (forever) honest, at most one round after epoch \(e = 1\), all honest nodes will have terminated with an output that agrees with s’s proposal.

5.5 Round Complexity Analysis

Finally, we analyze the round complexity and communication complexity of the protocol, showing that the protocol terminates in expected \(O((n/h)^2)\) rounds and has \(\widetilde{O}(n^4)\) communication complexity.

In Theorem 7, we proved that as soon as some epoch has an honest leader, all honest nodes will terminate at most 1 round after the epoch’s end. Each epoch has \(O(d) = O(n/h)\) number of rounds, and with random leader election, in expectation we need O(n/h) number of rounds till we encounter an honest leader. Thus, the expected round complexity is \(O((n/h)^2)\). We can also show that with probability \(1-\delta \), the round complexity is bounded by \(\log (\frac{1}{\delta }) \cdot \frac{n}{h}/\log (\frac{1}{1 - h/n})\).

The total number of consensus messages generated by honest nodes in each epoch (not counting implicit echoing) is at most O(n). Each message is at most \(\widetilde{O}(n)\) in size (the \(\widetilde{O}\) hides the \(\log n\) terms needed to encode a node’s identifier). Each such consensus message will be delivered to O(n) nodes and each node will echo every fresh message to everyone. Therefore, the total amount of communication pertaining to the consensus module (including implicit echoing of consensus messages) is \(\widetilde{O}(n^4)\).

On top of this, honest nodes also need to echo messages sent by corrupt nodes and there can be (unbounded) polynomially many such messages. However, we can easily make the following optimization: for consensus messages with the same type and same epoch, every honest node echoes at most two messages originating from the same node (note that this is sufficient to form an equivocation evidence to implicate the sender). With this optimization, the per-epoch total communication for sending consensus messages is upper bounded by \(\widetilde{O}(n^4)\). As mentioned earlier in Sect. 3, the total amount of communication for the trust graph module is also upper bounded by \(\widetilde{O}(n^4)\). Thus, the total communication is upper bounded by \(\widetilde{O}(n^4 \cdot E)\) where E denotes the number of epochs till termination. Note that in expectation \(E = n/h\); moreover, with probability \(1-\delta \), E is upper bounded by \(\log (\frac{1}{\delta })/\log (\frac{1}{1-h/n})\).

6 Conclusion and Future Work

Our paper presents a Byzantine Broadcast protocol with amortized O(1) round complexity that works even under dishonest majority. The round complexity is constant and the communication complexity is \(\widetilde{O}(n^4)\) (for the entire system). We believe this is the first protocol that gives constant round complexity for Byzantine Broadcast under dishonest majority.

It has been shown by Garay et al. [19] that no randomized protocols can achieve BB in less than \(O(n/(n-f))\) number of rounds, even assuming static corruption and allowing standard setup assumptions. Therefore, for the (narrow) regime \(n - f = o(n)\), there is still an asymptotical gap between our upper bound and their lower bound. Bridging this gap is an exciting direction for future work.