Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Asynchronous Byzantine Agreement with Subquadratic Communication
Julian Loss
U. Maryland
Chen-Da Liu-Zhang
ETH Zurich
Erica
Blum
U. Maryland
TCC 2020
Jonathan
Katz
U. Maryland
Byzantine Agreement
Byzantine Agreement
𝑥1
𝑥2
𝑥3
𝑥6
𝑥5
𝑥4
Byzantine Agreement
All honest parties agree on the same output
𝑦
𝑦
𝑦
𝑦
𝑦
𝑦
Byzantine Agreement
All honest parties agree on the same output
If honest parties have the same input, they keep the same value as output
𝑥
𝑥
𝑥
𝑥
𝑥
𝑥
Byzantine Agreement
All honest parties agree on the same output
If honest parties have the same input, they keep the same value as output
𝑥
𝑥
𝑥
𝑥
𝑥
𝑥
Byzantine Agreement
All honest parties agree on the same output
If honest parties have the same input, they keep the same value as output
𝑥
𝑥
𝑥
𝑥
Is there an asynchronous BA with 𝑜(𝑛2) communication that tolerates 𝜃(𝑛) adaptive corruptions?
Is there an asynchronous BA with 𝑜(𝑛2) communication that tolerates 𝜃(𝑛) adaptive corruptions?
• Feasibility of asynch. 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 using a trusted dealer(alternately, with amortized 𝑜(𝑛2) and without setup)
Is there an asynchronous BA with 𝑜(𝑛2) communication that tolerates 𝜃(𝑛) adaptive corruptions?
• Feasibility of asynch. 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 using a trusted dealer(alternately, with amortized 𝑜(𝑛2) and without setup)
• Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) corruptions without setup
Related Work
Most previous subquadratic BA are synchronous or partially synchronous [KS06,KS10,M17,A+19,…]
Recent work by Cohen et al. [CKS20] give subquadratic asynchronous BA, but the adversary has restricted scheduling power
Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive
Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝐵𝐴
Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive
CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝐵𝐴
Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅
Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝑀𝑃𝐶
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝐵𝐴
CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅
Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝑀𝑃𝐶
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝐵𝐴
CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅
Initial dealer
Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝑀𝑃𝐶
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝐵𝐴
CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
Initial dealer
Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝑀𝑃𝐶
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝐵𝐴
CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
𝑂 𝑝𝑜𝑙𝑦 𝜅
Initial dealer
Feasibility of asynchronous 𝑜(𝑛2) BA for 𝑓 < (1 − 𝜖) Τ𝑛 3 adaptive
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝑀𝑃𝐶
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝐵𝐴
CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
𝑂 𝑝𝑜𝑙𝑦 𝜅
Initial dealer
𝑀𝑃𝐶𝐵𝐴
…
One-Time BA
𝐺𝐶
𝐶𝑜𝑖𝑛
𝐺𝐶
𝐶𝑜𝑖𝑛
Graded Consensus [CR93]Input 𝑥𝑖; Output (𝑧𝑖 , 𝑔𝑖)
If ∀ honest 𝑃𝑖 𝑥𝑖 = 𝑥, then 𝑧𝑖 , 𝑔𝑖 = (𝑥, 1)If ∃ honest 𝑃𝑖 𝑔𝑖 = 1, then 𝑧𝑗 = 𝑧𝑖
One-Time BA
𝐺𝐶
𝐶𝑜𝑖𝑛
Graded Consensus [CR93]Input 𝑥𝑖; Output (𝑧𝑖 , 𝑔𝑖)
If ∀ honest 𝑃𝑖 𝑥𝑖 = 𝑥, then 𝑧𝑖 , 𝑔𝑖 = (𝑥, 1)If ∃ honest 𝑃𝑖 𝑔𝑖 = 1, then 𝑧𝑗 = 𝑧𝑖
Coin-FlipEach 𝑃𝑖 obtains the same random bit 𝑐𝑖
One-Time BA
𝐺𝐶
𝐶𝑜𝑖𝑛
Graded Consensus [CR93]Input 𝑥𝑖; Output (𝑧𝑖 , 𝑔𝑖)
If ∀ honest 𝑃𝑖 𝑥𝑖 = 𝑥, then 𝑧𝑖 , 𝑔𝑖 = (𝑥, 1)If ∃ honest 𝑃𝑖 𝑔𝑖 = 1, then 𝑧𝑗 = 𝑧𝑖
Coin-FlipEach 𝑃𝑖 obtains the same random bit 𝑐𝑖
≤ 𝑂(𝜅)
If 𝑔𝑖 = 0: 𝑥𝑖 = 𝑐𝑖Else 𝑥𝑖 = 𝑧𝑖
One-Time BA
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝐺𝐶
𝐶𝑜𝑖𝑛
≤ 𝑂(𝜅)
Graded Consensus [CR93]Input 𝑥𝑖; Output (𝑧𝑖 , 𝑔𝑖)
If ∀ honest 𝑃𝑖 𝑥𝑖 = 𝑥, then 𝑧𝑖 , 𝑔𝑖 = (𝑥, 1)If ∃ honest 𝑃𝑖 𝑔𝑖 = 1, then 𝑧𝑗 = 𝑧𝑖
Coin-FlipEach 𝑃𝑖 obtains the same random bit 𝑐𝑖
𝜅 𝜅 𝜅
Each party in set can prove membership
𝜅
Each party in set has a (signed) share of 𝑐𝑖
𝜅 𝜅 𝜅
One-Time BA
If 𝑔𝑖 = 0: 𝑥𝑖 = 𝑐𝑖Else 𝑥𝑖 = 𝑧𝑖
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝐺𝐶
𝐶𝑜𝑖𝑛
≤ 𝑂(𝜅)
Graded Consensus [CR93]Input 𝑥𝑖; Output (𝑧𝑖 , 𝑔𝑖)
If ∀ honest 𝑃𝑖 𝑥𝑖 = 𝑥, then 𝑧𝑖 , 𝑔𝑖 = (𝑥, 1)If ∃ honest 𝑃𝑖 𝑔𝑖 = 1, then 𝑧𝑗 = 𝑧𝑖
Coin-FlipEach 𝑃𝑖 obtains the same random bit 𝑐𝑖
Communication 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
Setup size 𝑂 𝑝𝑜𝑙𝑦 𝜅
𝜅 𝜅 𝜅
Each party in set can prove membership
𝜅
Each party in set has a (signed) share of 𝑐𝑖
𝜅 𝜅 𝜅
One-Time BA
If 𝑔𝑖 = 0: 𝑥𝑖 = 𝑐𝑖Else 𝑥𝑖 = 𝑧𝑖
MPC
MPC
Multi-Party Computation with ℓ-output quality
𝑥1
𝑥2
𝑥3
𝑥6
𝑥5
𝑥4
MPC
Multi-Party Computation with ℓ-output quality
𝑔(𝑥1′ , 𝑥2
′ , … , 𝑥𝑛′ ), where 𝑥𝑖
′ = 𝑥𝑖 if 𝑃𝑖 ∈ 𝑆𝑥𝑖′ =⊥ otherwise
Adversary chooses 𝑆 with size at least ℓ
𝑥1
𝑥2
𝑥3
𝑥6
𝑥5
𝑥4
MPC
Agreement on a Common Subset with ℓ-output quality
𝐴𝐶𝑆
𝑥1𝑥2
𝑥3𝑥4
𝑥𝑛
𝑆 ≥ ℓ with ℓ − 𝑓 honest inputs
𝑆
…
MPC
Agreement on a Common Subset with ℓ-output quality
𝐴𝐶𝑆
𝑥1𝑥2
𝑥3𝑥4
…
𝑥𝑛
𝑆
𝑆 ≥ ℓ with ℓ − 𝑓 honest inputs
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝 𝐵𝐴 𝑆𝑒𝑡𝑢𝑝…
𝐵𝐴 𝑆𝑒𝑡𝑢𝑝
𝑂(ℓ)
Communication 𝑂 ℓ ⋅ ℐ ⋅ 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
Setup size 𝑂 ℓ ⋅ 𝑝𝑜𝑙𝑦 𝜅
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝
MPCThreshold Fully Homomorphic Encryption
MPCThreshold Fully Homomorphic Encryption
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝
MPCThreshold Fully Homomorphic Encryption
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝 𝜅
MPCThreshold Fully Homomorphic Encryption
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
MPCThreshold Fully Homomorphic Encryption
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝 [𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
MPC
𝑦𝑔
Threshold Fully Homomorphic Encryption
𝑥1
𝑥2
𝑥3
𝑥4…
𝑥𝑛
𝑟
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝 [𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
MPCThreshold Fully Homomorphic Encryption
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝 [𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
[𝑥1]
[𝑥2]
[𝑥3]
[𝑥4]
…
[𝑥𝑛]
𝑆𝐴𝐶𝑆
MPC
𝑐𝐸𝑣𝑎𝑙𝑔
Threshold Fully Homomorphic Encryption
𝐴𝐶𝑆
[𝑥1]
[𝑥2]
[𝑥3]
[𝑥4]
…
[𝑥𝑛]
𝑆
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝
[𝑥1]
⊥
[𝑥3]
⊥
[𝑥𝑛]
[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
…
MPC
𝑐𝐸𝑣𝑎𝑙𝑔
Threshold Fully Homomorphic Encryption
𝐴𝐶𝑆
[𝑥1]
[𝑥2]
[𝑥3]
[𝑥4]
…
[𝑥𝑛]
𝑆
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝
[𝑥1]
⊥
[𝑥3]
⊥
[𝑥𝑛]
[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
Decryption
𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)
𝑑𝑗
𝑃1
𝑃𝑛
……
MPC
𝑐𝐸𝑣𝑎𝑙𝑔
Threshold Fully Homomorphic Encryption
𝐴𝐶𝑆
[𝑥1]
[𝑥2]
[𝑥3]
[𝑥4]
…
[𝑥𝑛]
𝑆
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝
[𝑥1]
⊥
[𝑥3]
⊥
[𝑥𝑛]
[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
Decryption
𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)
𝑑𝑗
𝑃1
𝑃𝑛
…
𝑦 = 𝑅𝑒𝑐({𝑑𝑗})
All parties output
…
MPC
𝑐𝐸𝑣𝑎𝑙𝑔
Threshold Fully Homomorphic Encryption
𝐴𝐶𝑆
[𝑥1]
[𝑥2]
[𝑥3]
[𝑥4]
…
[𝑥𝑛]
𝑆
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
𝐴𝐶𝑆 𝑆𝑒𝑡𝑢𝑝
[𝑥1]
⊥
[𝑥3]
⊥
[𝑥𝑛]
[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
Size: 𝑂 (ℓ + 1) ⋅ 𝑝𝑜𝑙𝑦 𝜅
Decryption
𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)
𝑑𝑗
𝑃1
𝑃𝑛
…
𝑦 = 𝑅𝑒𝑐({𝑑𝑗})
All parties output
CC: 𝑂 ℓ + 1 ⋅ ℐ + 𝒪 ⋅ 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
…
MPC for Trusted Dealer
𝑐𝐸𝑣𝑎𝑙𝑔
Threshold Fully Homomorphic Encryption
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
Size: 𝑂 (ℓ + 1) ⋅ 𝑝𝑜𝑙𝑦 𝜅
Decryption
𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)
𝑑𝑗
𝑃1
𝑃𝑛
…
𝑦 = 𝑅𝑒𝑐({𝑑𝑗})
All parties output
CC: 𝑂 ℓ + 1 ⋅ ℐ + 𝒪 ⋅ 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
MPC for Trusted Dealer
𝑐𝐸𝑣𝑎𝑙𝑔
Threshold Fully Homomorphic Encryption
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅
Decryption
𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)
𝑑𝑗
𝑃1
𝑃𝑛
…
𝑦 = 𝑅𝑒𝑐({𝑑𝑗})
All parties output
CC: 𝑂 ℓ + 1 ⋅ ℐ + 𝒪 ⋅ 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
MPC for Trusted Dealer
𝑐𝐸𝑣𝑎𝑙𝑔
Threshold Fully Homomorphic Encryption
𝑀𝑃𝐶 𝑆𝑒𝑡𝑢𝑝
[𝑟] 𝜅𝑒𝑘 𝑑𝑘1, … , 𝑑𝑘𝜅 for parties in
Size: 𝑂 𝑝𝑜𝑙𝑦 𝜅
Decryption
𝑑𝑗 = 𝐷𝑒𝑐𝑆ℎ𝑎𝑟𝑒𝑑𝑘𝑖(𝑐)
𝑑𝑗
𝑃1
𝑃𝑛
…
𝑦 = 𝑅𝑒𝑐({𝑑𝑗})
All parties output
CC: 𝑂 𝑝𝑜𝑙𝑦 𝜅 ⋅ 𝑛
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
Other lower bounds:
[DR85, A+19] adversary can perform after-the-fact removal
[R20] similar to our lower bound, but with idealized PKI
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
∀𝑃𝑖 has input 1𝑃 outputs 1
𝑃𝑆
𝑆′
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
Impossibility of asynch. 𝑜(𝑛2) BA with 𝜃(𝑛) adaptive corruptions and no setup
𝑃𝑆
𝑆′
∀𝑃𝑖 has input 1𝑃 outputs 1
∀𝑃𝑖 ∈ 𝑆′ has input 0∀𝑃𝑖 ∈ 𝑆′ outputs 0
𝑆
𝑆′
𝑃𝑆
𝑆′
𝑃 has input 1; ∀𝑃𝑖 ∈ 𝑆′ has input 0𝑃 outputs 1; ∀𝑃𝑖 ∈ 𝑆′ outputs 0
References and CreditsFull version: https://eprint.iacr.org/2020/851
References:[BKLL20]: Ran Canetti and Tal Rabin. Fast asynchronous Byzantine agreement with optimal resilience. STOC 1993.[DR85]: Danny Dolev and Rüdiger Reischuk. Bounds on information exchange for Byzantine agreement. Journal of the
ACM 1985.[KS06]: Valerie King, Jared Saia, Vishal Sanwalani, and Erik Vee. Scalable leader election. SODA 2006.[KS10]: Valerie King and Jared Saia. Breaking the 𝑂(𝑛2) bit barrier: scalable byzantine agreement with an adaptive
adversary. PODC 2010.[M17]: Silvio Micali. Very simple and efficient byzantine agreement. ITCS 2017.[A+19]: Ittai Abraham, T.-H. Hubert Chan, Danny Dolev, Kartik Nayak, Rafael Pass, Ling Ren, and Elaine Shi. Communication
complexity of byzantine agreement, revisited. PODC 2019.[CKS20]: Shir Cohen, Idit Keidar, and Alexander Spiegelman. Not a COINcidence: Sub-quadratic asynchronous Byzantine
agreement WHP. DISC 2020.[R20]: Matthieu Rambaud. Lower bounds for authenticated randomized Byzantine consensus under (partial)
synchrony: The limits of standalone digital signatures.
Credits:Icons: https://www.flaticon.com/