Our Results. In this paper, we work towards understanding the possible efficiency guarantees that any CGKA protocol can achieve in the worst-case, i.e., in cases when the conditions are not good. We start by asking the following question: Can we construct a CGKA protocol that does better than the trivial CGKA protocol in the worst-case? We provide a negative answer to the above question. In particular, we show that every CGKA (from PKE) has large Ω(n) worst-case communication cost. Although one can hope that this worst-case will not occur often in practice, until there are better, well-defined assumptions on the structure of operation sequences under which practitioners hope that good efficiency bounds can be proven, there is always a danger of bad efficiency in some cases. As the first step of this lower bound, we show that a natural primitive which we call Compact Key Exchange (CKE) is at the core of CGKA, and in fact tightly captures the worst-case communication cost of CGKA. The heart of our negative result is then a black-box separation showing that PKE are insufficient for efficiently realizing CKE. Finally, using the above equivalence, we translate this result into the aforementioned lower bound on CGKA. Given that no CGKA protocol can be efficient in the worst case, we ask: Can we realize one CGKA protocol that works as well as possible in all cases? Here again, we present negative evidence showing that no such protocol based on black-box use of PKE exists. Specifically, we show two distributions over sequences of group operations such that no single CGKA protocol making only black-box use of PKE obtains optimal communication costs on both sequences. That is, any CGKA protocol which acts well on one distribution of operations must have much worse Ω(n) communication cost on the other distribution; otherwise, it violates our CKE lower bound.
Our Results. We perform an in-depth investigation of boosting from almost-everywhere to full agreement with O˜(1) balanced communication. Motivated by the O˜(1)-locality protocol of Boyle, Goldwasser, and Xxxxxxx [15], we first achieve an intermediate step of certified almost-everywhere agreement, where almost all of the parties reach agreement, and, in addition, hold a certificate for the agreed value. Xxxxx et al. [15] showed how to boost certified almost-everywhere agreement to full agreement in a single round, where every party talks to (and processes messages from) O˜(1) parties. Our initial observation is that the protocol from [15] achieves low communication aside from one expensive piece: the distributed generation of the certificate, which is of size Θ(n), and its dissemination. We thus target this step and explore. Our contributions can be summarized as follows. • SRDS and balanced BA. We identify a minimal ad-hoc cryptographic primitive whose exis- tence implies O˜(1) balanced BA: succinctly reconstructed distributed signatures (SRDS). We define and provide two constructions of SRDS, each based on a different flavor of a public- key infrastructure (PKI): (1) from one-way functions in a “trusted-PKI” model, and (2) from collision-resistant hash functions (CRH) and a strong form of succinct non-interactive argu- ments of knowledge (SNARKs) in a model with a “bulletin-board PKI” and a common random string (CRS). Roughly, trusted-PKI setup assumes that parties’ keys are generated properly, whereas bulletin-board PKI further supports the case where corrupt parties may generate keys maliciously. We elaborate on the difference between the PKI models in Section 1.2. • Necessity of setup for one-shot “boost.” Our SRDS-based BA follows a paradigm of boosting from almost-everywhere to full agreement, and does so in a single communication round. Complementarily, we prove two lower bounds for any such protocol in which every party sends o(n) messages. The first shows that some form of PKI (or stronger setup, such as correlated randomness) is necessary for this task. The second shows that given only PKI setup (as opposed to stronger, correlated-randomness setup), then computational assumptions (namely, at least one-way functions) are additionally required. In contrast to prior lower bounds (e.g., [57, 1]), this holds even against a static adversary, and where parties can exercise dynamic filtering (i.e., without placing limitations on how parties can select to whom to l...
Our Results. We perform an in-depth investigation of boosting from almost-everywhere to full agreement with O˜(1) communication per party. Motivated by the O˜(1)-locality protocol of Boyle, Goldwasser, and Xxxxxxx [17], we first achieve an intermediate step of certified almost-everywhere agreement, where almost all of the parties reach agreement, and, in addition, hold a certificate for the agreed value. Xxxxx et al. [17] showed how to boost certified almost-everywhere agreement to full agreement in a single round, where every party communicates with O˜(1) parties. Our initial observation is that the protocol from [17] achieves low communication aside from one expensive piece: the distributed generation of the certificate, which is of size Θ(n), and its dissemination. We thus target this step and explore. Our contributions can be summarized as follows. • SRDS and balanced BA. We define a minimal cryptographic primitive whose existence implies
Our Results. In this work, we present novel constructions that achieve precisely such guarantees by compiling existing protocols under different synchrony assumptions into a new protocol that boasts the beneficial properties of both synchronous and asynchronous protocols. Best-of-both-worlds compilers Concretely, our generic compiler combines protocols ΠABA and ΠSBA for asynchronous and synchronous byzantine agreement, respectively, and leads to a hybrid protocol ΠHBA for byzantine agreement with the following properties. 1 • For all fAR ≤ 4 , if ΠABA achieves byzantine agreement, given that less than an fAR-fraction of the parties are corrupted, then ΠHBA is responsive in the following sense: If the network is fast and less than an fAR-fraction of the parties are corrupted, then every honest party can produce output in ΠHBA within a time that depends only on the network delay δ. We refer to this property as output responsiveness. • For all fAV ≤ 2 , if ΠABA satisfies validity, given that less than an fAV-fraction of the parties are corrupted, ΠHBA also satisfies validity under the same condition. • If ΠSBA achieves byzantine agreement in time tSBA, given that less than half of the parties are corrupted, then ΠHBA also achieves 1 -consistency. • ΠHBA is guaranteed to terminate by time tout +∆+tSBA, where tout is a time-out parameter that can be chosen arbitrarily in ΠHBA. In particular, if tSBA = tstart + O(∆) (where tstart is the protocol starting time), then choosing tout = O(∆) implies that ΠHBA runs in O(1) synchronous rounds. We present ΠHBA in section 4.1, with an informal analysis. The main properties achieved by ΠHBA are stated in theorem 4.10. In section 4.3, we also give an alternative compiler which leads to a responsive hybrid protocol ΠETHBA in which parties can terminate immediately after outputting and within a time that depends only on the network delay δ. We refer to this property simply as responsiveness. In addition, ΠETHBA satisfies the same security guarantees as ΠHBA, but incurs a worst-case overhead in running time of O(n) synchronous rounds if either the network is slow or too many parties are corrupted. The properties of ΠETHBA are summed up in Theorem 4.24. Security against adaptive adversaries Protocols obtained via our compilers preserve se- curity guarantees against adaptive adversaries offered by the components ΠABA and ΠSBA. In particular, the responsiveness guarantees offered by our hybrid protocols do not degrade under adaptive corrupti...
Our Results. With respect to the results obtained in [10] we design a framework for the contributory group key agreement in mobile ad-hoc groups (TFAN) that achieves optimal trade-off between communication, computation and mem- ory costs. The framework combines the communication ef- ficient µSTR protocol and the computation and memory ef- ficient µTGDH protocol. This combination is possible be- cause of the similarities in the computation process of the group key in both protocols, which relies on the tree-based extension of the well-known elliptic curve Xxxxxx-Xxxxxxx key exchange protocol (ECDH). Additionally to the theo- retical security and complexity analysis the optimum of the trade-off between communication, computation and mem- ory costs for TFAN is substantiated by the experimental re- sults obtained from the implementation and simulation of the framework.
Our Results. We present, for the first time, a definition of Byzantine agreement taking into account rational behavior on the part of the adversary. In our work, we adopt a somewhat different approach than that taken in some other work blending game theory and cryptography (see below): rather than treating all players as rational, we assume that some players are honest and will follow the protocol without question, while other players (those controlled by the adversary) are rational and will attempt to alter the outcome so as to increase their utility. ≥ We study rational broadcast and Byzantine agreement for a natural class of adversarial utility functions defined by the adversary’s preferences over the possi- ble outcomes: agreement on 0, agreement on 1, and disagreement. Interestingly, many of the statements that are considered self-evident in the BA literature break down in the rational setting. Examples include the impossibility of con- sensus for t n/2, the usefulness of setups for statistical (and computational) security, as well as the reduction of consensus to broadcast for t < n/2. We also study of feasibility of RBA for all possible orderings on the adversary’s preferences in the following two cases: (1) the utility function of the adversary is known, and (2) only the adversary’s preference between agreement and dis- agreement is known (but among the possible outcomes for agreement, it is not known which one is more preferred).
Our Results. We perform an in-depth investigation of boosting from almost-everywhere to full agreement with O˜(1) balanced communication. Motivated by the O˜(1)-locality protocol of Boyle, Goldwasser, and Xxxxxxx [15], we first achieve an intermediate step of certified almost-everywhere agreement, where almost all of the parties reach agreement, and, in addition, hold a certificate for the agreed value. Xxxxx et al. [15] showed how to boost certified almost-everywhere agreement to full agreement in a single round, where every party talks to (and processes messages from) O˜(1) parties. Our initial observation is that the protocol from [15] achieves low communication aside from one expensive piece: the distributed generation of the certificate, which is of size Θ(n), and its dissemination. We thus target this step and explore. Our contributions can be summarized as follows. •
Our Results. − This paper describes two algorithms, XXXXXXX and RBSAMPLER that can solve Byzan- tine agreement without all-to-all communication. To the best of our knowledge, this paper presents the first practical algorithms with this property. Xxxxx and Xxxxxxxx [7] showed that any algorithm must send Ω(n2) messages to ensure Byzantine agreement with prob- ability 1. This lower bound still holds even with the assumption of a random beacon. Thus, our algorithms are necessarily Monte Carlo, in the sense that they succeed with probability 1 O(1/nk), for any fixed k. Our main results are given in the following two theorems. For the first theorem, we let B be an upper bound on the total number of messages sent in a round by the bad processors. We note that B is at most θ(n2), but may be much lower, depending on the resources available to the adversary.1 RBQUERY is described in Section 2.1, and the proof of Theorem 1 is given in Section 3.1. −
