Asynchronous Byzantine Agreement. Algorithm 11.21 Asynchronous Byzantine Agreement (Ben-Or, for f < n/10) ∈ { } 1: xu 0, 1 a input bit 2: r = 1 a round 3: decided = false 4: Broadcast propose(xx,x) 5: repeat −
Asynchronous Byzantine Agreement. 33 If the correct nodes have different (binary) input values, the validity condition becomes trivial as any result is fine. − − What about agreement? Let u be the first node to decide on value x (in Line 8). Due to asynchrony another node v received messages from a different subset of the nodes, however, at most f senders may be different. Taking into account that byzantine nodes may lie (send different propose messages to different nodes), f additional propose messages received by v may differ from those received by u. Since node u had at least n 2f propose messages with value x, node v has at least n 4f propose messages with value x. Hence every correct node will propose x in the next round, and then decide on x. So we only need to worry about termination: We have already seen that as soon as one correct node terminates (Line 8) everybody terminates in the next round. So what are the chances that some node u terminates in Line 8? Well, we can hope that all correct nodes randomly propose the same value (in Line 12). Maybe there are some nodes not choosing at random (entering Line 10 instead of 12), but according to Lemma 3.22 they will all propose the same. − Thus, at worst all n f correct nodes need to randomly choose the same bit, which happens with probability 2−(n−f)+1. If so, all correct nodes will send the same propose message, and the algorithm terminates. So the expected running time is exponential in the number of nodes n.
Asynchronous Byzantine Agreement. ABA An ABA protocol allows the set of n parties in P, each having an input binary value, to agree on a consensus value, which is the input value of one of the honest parties, despite the presence of At. Definition 3 (ABA[10]) : Let Π be an asynchronous protocol executed among the set of parties P, with each party having a private binary input. We say that Π is an ABA protocol tolerating At if the following hold, for every possible behavior of At and every possible input:
Asynchronous Byzantine Agreement. De nition 1 Let be an asynchronous protocol for which each one of the n players has binary input. We say that is a (1 )-completing, t-resilient Byzantine Agreement protocol if the following requirements hold, for every t-adversary and every input vector for the players.
Asynchronous Byzantine Agreement. Definition 1 (ABA). Let π be any asynchronous protocol in which each process has a binary input. We say that π is an almost-surely terminating, t-resilient ABA protocol if the following properties hold for every t-adversary and every input:
Asynchronous Byzantine Agreement. ( ABA)). An asynchronous Byzantine agreement protocol among 𝑛 parties is one in which each party receives an input and outputs a value 𝑣 and has the following guarantees: • • •
Asynchronous Byzantine Agreement. The most basic form of asynchronous Byzantine consensus is asynchronous binary agreement (ABA), where each node has a binary value as input and will agree on a binary value. The validity of ABA is defined in an unanimous manner, i.e., if all honest nodes input the same binary value, they will agree on this value. As there are only two candidate values, the validity of ABA implies the so-called strong validity, i.e., the output is always the input of some honest node, which is a very useful property for applications. In the perspective of constructions, Xxxxxxxxxx et al. ’s seminal work [44] presented an ABA protocol with 1 rounds and 𝑛2 communication complexity, not relying on any cryptographic tools beyond the coin. There are follow-up works [22] for improving the concrete performance of [44]. ≫ ≥ + O( ) O( + ) O( + ) O( + ) O( ) O( ) O( ) O( ) O( ) O( ) Multi-valued byzantine agreement (MBA) is a natural extension to ABA for handling multi-bit inputs. There is a straightforward reduction from MBA to ABA, by applying multiple ABA instances to agree on each bit. However, for an ℓ-bit input, the expected running time and the message complexity of ℓ parallel ABA instances will be blown up to log ℓ and ℓ𝑛2 , respectively. Mostefaoui and Xxxxxx [45] presented an optimized MBA with 1 rounds, 𝑛2 messages, and ℓ𝑛2 communication complexity. For large-size inputs, say ℓ 𝜆, Nayak et al. [46] presented a general framework based on MBA for 𝜆 bits. Based on pairing-based cryptography, their framework can give a MBA with 1 rounds, 𝑛2 messages, and ℓ𝑛 𝜆𝑛2 communication complexity. If only using hash functions, the communication complexity of the MBA in [46] will be ℓ𝑛 𝜆𝑛2 log 𝑛 . Alternatively, Xx and Xxxx [40] presented an MBA with communication complexity of ℓ𝑛 𝑛2 log 𝑛 , achieving perfect security without using any cryptographic tools. However, the scheme in [40] requires 𝑛 5𝑓 1. Note that the MBA discussed above focuses on the unanimous style of validity, also called weak validity, which guarantees that when all honest nodes have the same input value, they will agree on that value. But for other cases, there is no guarantee on what value they will agree on; the output could be a default value . ⊥ ⊥ Some works, including [45] considered a slightly stronger validity called non-intrusion validity, which means if the output 𝑣 ≠ , then 𝑣 must be an input of an honest node. The non-intrusion property has been leveraged and explored in consequent works ...
