Asynchronous Byzantine Agreement with Subquadratic ......[CKS20]: Shir Cohen, Idit Keidar, and...

Asynchronous Byzantine Agreement with Subquadratic Communication

Julian Loss

U. Maryland

Chen-Da Liu-Zhang

ETH Zurich

Erica

Blum

U. Maryland

TCC 2020

Jonathan

Katz

U. Maryland

Byzantine Agreement

Byzantine Agreement

𝑥1

𝑥2

𝑥3

𝑥6

𝑥5

𝑥4

Byzantine Agreement

All honest parties agree on the same output

𝑦

𝑦

𝑦

𝑦

𝑦

𝑦

Byzantine Agreement

All honest parties agree on the same output

If honest parties have the same input, they keep the same value as output

𝑥

𝑥

𝑥

𝑥

𝑥

𝑥

Byzantine Agreement

All honest parties agree on the same output

If honest parties have the same input, they keep the same value as output

𝑥

𝑥

𝑥

𝑥

𝑥

𝑥

Byzantine Agreement

All honest parties agree on the same output

If honest parties have the same input, they keep the same value as output

𝑥

𝑥

𝑥

𝑥

Is there an asynchronous BA with 𝑜(𝑛2) communication that tolerates 𝜃(𝑛) adaptive corruptions?

Is there an asynchronous BA with 𝑜(𝑛2) communication that tolerates 𝜃(𝑛) adaptive corruptions?

• Feasibility of asynch. 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 using a trusted dealer(alternately, with amortized 𝑜(𝑛2) and without setup)

Is there an asynchronous BA with 𝑜(𝑛2) communication that tolerates 𝜃(𝑛) adaptive corruptions?

• Feasibility of asynch. 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 using a trusted dealer(alternately, with amortized 𝑜(𝑛2) and without setup)

• Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) corruptions without setup

Related Work

Most previous subquadratic BA are synchronous or partially synchronous [KS06,KS10,M17,A+19,…]

Recent work by Cohen et al. [CKS20] give subquadratic asynchronous BA, but the adversary has restricted scheduling power

Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive

Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝐵𝐴

Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive

CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝐵𝐴

Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅

Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝑀𝑃𝐶

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝐵𝐴

CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅

Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝑀𝑃𝐶

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝐵𝐴

CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅

Initial dealer

Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝑀𝑃𝐶

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝐵𝐴

CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

Initial dealer

Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝑀𝑃𝐶

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝐵𝐴

CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

𝑂 𝑝𝑜𝑙𝑦 𝜅

Initial dealer

Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝑀𝑃𝐶

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝐵𝐴

CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

𝑂 𝑝𝑜𝑙𝑦 𝜅

Initial dealer

𝑀𝑃𝐶𝐵𝐴

…

One-Time BA

𝐺𝐶

𝐶𝑜𝑖𝑛

𝐺𝐶

𝐶𝑜𝑖𝑛

Graded Consensus [CR93]Input 𝑥𝑖; Output (𝑧𝑖 , 𝑔𝑖)

If ∀ honest 𝑃𝑖 𝑥𝑖 = 𝑥, then 𝑧𝑖 , 𝑔𝑖 = (𝑥, 1)If ∃ honest 𝑃𝑖 𝑔𝑖 = 1, then 𝑧𝑗 = 𝑧𝑖

One-Time BA

𝐺𝐶

𝐶𝑜𝑖𝑛

Graded Consensus [CR93]Input 𝑥𝑖; Output (𝑧𝑖 , 𝑔𝑖)

If ∀ honest 𝑃𝑖 𝑥𝑖 = 𝑥, then 𝑧𝑖 , 𝑔𝑖 = (𝑥, 1)If ∃ honest 𝑃𝑖 𝑔𝑖 = 1, then 𝑧𝑗 = 𝑧𝑖

Coin-FlipEach 𝑃𝑖 obtains the same random bit 𝑐𝑖

One-Time BA

𝐺𝐶

𝐶𝑜𝑖𝑛

Graded Consensus [CR93]Input 𝑥𝑖; Output (𝑧𝑖 , 𝑔𝑖)

If ∀ honest 𝑃𝑖 𝑥𝑖 = 𝑥, then 𝑧𝑖 , 𝑔𝑖 = (𝑥, 1)If ∃ honest 𝑃𝑖 𝑔𝑖 = 1, then 𝑧𝑗 = 𝑧𝑖

Coin-FlipEach 𝑃𝑖 obtains the same random bit 𝑐𝑖

≤ 𝑂(𝜅)

If 𝑔𝑖 = 0: 𝑥𝑖 = 𝑐𝑖Else 𝑥𝑖 = 𝑧𝑖

One-Time BA

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝐺𝐶

𝐶𝑜𝑖𝑛

≤ 𝑂(𝜅)

Graded Consensus [CR93]Input 𝑥𝑖; Output (𝑧𝑖 , 𝑔𝑖)

If ∀ honest 𝑃𝑖 𝑥𝑖 = 𝑥, then 𝑧𝑖 , 𝑔𝑖 = (𝑥, 1)If ∃ honest 𝑃𝑖 𝑔𝑖 = 1, then 𝑧𝑗 = 𝑧𝑖

Coin-FlipEach 𝑃𝑖 obtains the same random bit 𝑐𝑖

𝜅 𝜅 𝜅

Each party in set can prove membership

𝜅

Each party in set has a (signed) share of 𝑐𝑖

𝜅 𝜅 𝜅

One-Time BA

If 𝑔𝑖 = 0: 𝑥𝑖 = 𝑐𝑖Else 𝑥𝑖 = 𝑧𝑖

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝐺𝐶

𝐶𝑜𝑖𝑛

≤ 𝑂(𝜅)

Graded Consensus [CR93]Input 𝑥𝑖; Output (𝑧𝑖 , 𝑔𝑖)

If ∀ honest 𝑃𝑖 𝑥𝑖 = 𝑥, then 𝑧𝑖 , 𝑔𝑖 = (𝑥, 1)If ∃ honest 𝑃𝑖 𝑔𝑖 = 1, then 𝑧𝑗 = 𝑧𝑖

Coin-FlipEach 𝑃𝑖 obtains the same random bit 𝑐𝑖

Communication 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

Setup size 𝑂 𝑝𝑜𝑙𝑦 𝜅

𝜅 𝜅 𝜅

Each party in set can prove membership

𝜅

Each party in set has a (signed) share of 𝑐𝑖

𝜅 𝜅 𝜅

One-Time BA

If 𝑔𝑖 = 0: 𝑥𝑖 = 𝑐𝑖Else 𝑥𝑖 = 𝑧𝑖

MPC

MPC

Multi-Party Computation with ℓ-output quality

𝑥1

𝑥2

𝑥3

𝑥6

𝑥5

𝑥4

MPC

Multi-Party Computation with ℓ-output quality

𝑔(𝑥1′ , 𝑥2

′ , … , 𝑥𝑛′ ), where 𝑥𝑖

′ = 𝑥𝑖 if 𝑃𝑖 ∈ 𝑆𝑥𝑖′ =⊥ otherwise

Adversary chooses 𝑆 with size at least ℓ

𝑥1

𝑥2

𝑥3

𝑥6

𝑥5

𝑥4

MPC

Agreement on a Common Subset with ℓ-output quality

𝐴𝐶𝑆

𝑥1𝑥2

𝑥3𝑥4

𝑥𝑛

𝑆 ≥ ℓ with ℓ − 𝑓 honest inputs

𝑆

…

MPC

Agreement on a Common Subset with ℓ-output quality

𝐴𝐶𝑆

𝑥1𝑥2

𝑥3𝑥4

…

𝑥𝑛

𝑆

𝑆 ≥ ℓ with ℓ − 𝑓 honest inputs

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝 𝐵𝐴 𝑆𝑒𝑡𝑢𝑝…

𝐵𝐴 𝑆𝑒𝑡𝑢𝑝

𝑂(ℓ)

Communication 𝑂 ℓ ⋅ ℐ ⋅ 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

Setup size 𝑂 ℓ ⋅ 𝑝𝑜𝑙𝑦 𝜅

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝

MPCThreshold Fully Homomorphic Encryption

MPCThreshold Fully Homomorphic Encryption

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝

MPCThreshold Fully Homomorphic Encryption

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝 𝜅

MPCThreshold Fully Homomorphic Encryption

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

MPCThreshold Fully Homomorphic Encryption

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝 [𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

MPC

𝑦𝑔

Threshold Fully Homomorphic Encryption

𝑥1

𝑥2

𝑥3

𝑥4…

𝑥𝑛

𝑟

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝 [𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

MPCThreshold Fully Homomorphic Encryption

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝 [𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

[𝑥1]

[𝑥2]

[𝑥3]

[𝑥4]

…

[𝑥𝑛]

𝑆𝐴𝐶𝑆

MPC

𝑐𝐸𝑣𝑎𝑙𝑔

Threshold Fully Homomorphic Encryption

𝐴𝐶𝑆

[𝑥1]

[𝑥2]

[𝑥3]

[𝑥4]

…

[𝑥𝑛]

𝑆

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝

[𝑥1]

⊥

[𝑥3]

⊥

[𝑥𝑛]

[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

…

MPC

𝑐𝐸𝑣𝑎𝑙𝑔

Threshold Fully Homomorphic Encryption

𝐴𝐶𝑆

[𝑥1]

[𝑥2]

[𝑥3]

[𝑥4]

…

[𝑥𝑛]

𝑆

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝

[𝑥1]

⊥

[𝑥3]

⊥

[𝑥𝑛]

[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

Decryption

𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)

𝑑𝑗

𝑃1

𝑃𝑛

……

MPC

𝑐𝐸𝑣𝑎𝑙𝑔

Threshold Fully Homomorphic Encryption

𝐴𝐶𝑆

[𝑥1]

[𝑥2]

[𝑥3]

[𝑥4]

…

[𝑥𝑛]

𝑆

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝

[𝑥1]

⊥

[𝑥3]

⊥

[𝑥𝑛]

[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

Decryption

𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)

𝑑𝑗

𝑃1

𝑃𝑛

…

𝑦 = 𝑅𝑒𝑐({𝑑𝑗})

All parties output

…

MPC

𝑐𝐸𝑣𝑎𝑙𝑔

Threshold Fully Homomorphic Encryption

𝐴𝐶𝑆

[𝑥1]

[𝑥2]

[𝑥3]

[𝑥4]

…

[𝑥𝑛]

𝑆

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝

[𝑥1]

⊥

[𝑥3]

⊥

[𝑥𝑛]

[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

Size: 𝑂 (ℓ + 1) ⋅ 𝑝𝑜𝑙𝑦 𝜅

Decryption

𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)

𝑑𝑗

𝑃1

𝑃𝑛

…

𝑦 = 𝑅𝑒𝑐({𝑑𝑗})

All parties output

CC: 𝑂 ℓ + 1 ⋅ ℐ + 𝒪 ⋅ 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

…

MPC for Trusted Dealer

𝑐𝐸𝑣𝑎𝑙𝑔

Threshold Fully Homomorphic Encryption

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

Size: 𝑂 (ℓ + 1) ⋅ 𝑝𝑜𝑙𝑦 𝜅

Decryption

𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)

𝑑𝑗

𝑃1

𝑃𝑛

…

𝑦 = 𝑅𝑒𝑐({𝑑𝑗})

All parties output

CC: 𝑂 ℓ + 1 ⋅ ℐ + 𝒪 ⋅ 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

MPC for Trusted Dealer

𝑐𝐸𝑣𝑎𝑙𝑔

Threshold Fully Homomorphic Encryption

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅

Decryption

𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)

𝑑𝑗

𝑃1

𝑃𝑛

…

𝑦 = 𝑅𝑒𝑐({𝑑𝑗})

All parties output

CC: 𝑂 ℓ + 1 ⋅ ℐ + 𝒪 ⋅ 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

MPC for Trusted Dealer

𝑐𝐸𝑣𝑎𝑙𝑔

Threshold Fully Homomorphic Encryption

𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝

[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in

Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅

Decryption

𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)

𝑑𝑗

𝑃1

𝑃𝑛

…

𝑦 = 𝑅𝑒𝑐({𝑑𝑗})

All parties output

CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

Other lower bounds:

[DR85, A+19] adversary can perform after-the-fact removal

[R20] similar to our lower bound, but with idealized PKI

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

∀𝑃𝑖 has input 1𝑃 outputs 1

𝑃𝑆

𝑆′

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup

𝑃𝑆

𝑆′

∀𝑃𝑖 has input 1𝑃 outputs 1

∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0

𝑆

𝑆′

𝑃𝑆

𝑆′

𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0

References and CreditsFull version: https://eprint.iacr.org/2020/851

References:[BKLL20]: Ran Canetti and Tal Rabin. Fast asynchronous Byzantine agreement with optimal resilience. STOC 1993.[DR85]: Danny Dolev and Rüdiger Reischuk. Bounds on information exchange for Byzantine agreement. Journal of the

ACM 1985.[KS06]: Valerie King, Jared Saia, Vishal Sanwalani, and Erik Vee. Scalable leader election. SODA 2006.[KS10]: Valerie King and Jared Saia. Breaking the 𝑂(𝑛2) bit barrier: scalable byzantine agreement with an adaptive

adversary. PODC 2010.[M17]: Silvio Micali. Very simple and efficient byzantine agreement. ITCS 2017.[A+19]: Ittai Abraham, T.-H. Hubert Chan, Danny Dolev, Kartik Nayak, Rafael Pass, Ling Ren, and Elaine Shi. Communication

complexity of byzantine agreement, revisited. PODC 2019.[CKS20]: Shir Cohen, Idit Keidar, and Alexander Spiegelman. Not a COINcidence: Sub-quadratic asynchronous Byzantine

agreement WHP. DISC 2020.[R20]: Matthieu Rambaud. Lower bounds for authenticated randomized Byzantine consensus under (partial)

synchrony: The limits of standalone digital signatures.

Credits:Icons: https://www.flaticon.com/