An Optimal Probabilistic Protocol for Synchronous Byzantine Agreement

Broadcasting guarantees the recipient of a message that everyone else has received the same message. This guarantee no longer exists in a setting in which all communication is person-to-person and some of the people involved are untrustworthy: though he may claim to send the same message to everyone, an untrustworthy sender may send different messages to different people. In such a setting, Byzantine agreement offers the "best alternative" to broadcasting. Thus far, however, reaching Byzantine agreement has required either many rounds of communication (i.e., messages had to be sent back and forth a number of times that grew with the size of the network) or the help of some external trusted party. In this paper, for the standard communication model of synchronous networks in which each pair of processors is connected by a private communication line, we exhibit a protocol that, in probabilistic polynomial time and without relying on any external trusted party, reaches Byzantine agreement in an expected constant number of rounds and in the worst natural fault model. In fact, our protocol successfully tolerates that up to 1/3 of the processors in the network may deviate from their prescribed instructions in an arbitrary way, cooperate with each other, and perform arbitrarily long computations. Our protocol effectively demonstrates the power of randomization and zero-knowledge computation against errors. Indeed, it proves that "privacy" (a fundamental ingredient of one of our primitives), even when is not a desired goal in itself (as for the Byzantine agreement problem), can be a crucial tool for achieving correctness. Our protocol also introduces three new primitives---graded broadcast, graded verifiable secret sharing, and oblivious common coin---that are of independent interest, and may be effectively used in more practical protocols than ours.

[1]  Volker Strassen,et al.  A Fast Monte-Carlo Test for Primality , 1977, SIAM J. Comput..

[2]  Leslie Lamport,et al.  Reaching Agreement in the Presence of Faults , 1980, JACM.

[3]  Nancy A. Lynch,et al.  A Lower Bound for the Time to Assure Interactive Consistency , 1982, Inf. Process. Lett..

[4]  Michael Ben-Or,et al.  Another advantage of free choice (Extended Abstract): Completely asynchronous agreement protocols , 1983, PODC '83.

[5]  Michael J. Fischer,et al.  The Consensus Problem in Unreliable Distributed Systems (A Brief Survey) , 1983, FCT.

[6]  Brian A. Coan,et al.  Extending Binary Byzantine Agreement to Multivalued Byzantine Agreement , 1984, Inf. Process. Lett..

[7]  Silvio Micali,et al.  Byzantine Agreement in Constant Expected Time (and Trusting No One) , 1985, FOCS 1985.

[8]  Joe Kilian,et al.  Almost all primes can be quickly certified , 1986, STOC '86.

[9]  Cynthia Dwork,et al.  Flipping persuasively in constant expected time , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[10]  Moti Yung,et al.  Cryptographic Computation: Secure Faut-Tolerant Protocols and the Public-Key Model , 1987, CRYPTO.

[11]  Leslie Lamport,et al.  The Byzantine generals , 1987 .

[12]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[13]  Silvio Micali,et al.  The Knowledge Complexity of Interactive Proof Systems , 1989, SIAM J. Comput..

[14]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[15]  Silvio Micali,et al.  Collective Coin Tossing Without Assumptions nor Broadcasting , 1990, CRYPTO.

[16]  Oded Goldreich,et al.  The Best of Both Worlds: Guaranteeing Termination in Fast Randomized Byzantine Agreement Protocols , 1990, Inf. Process. Lett..

[17]  Silvio Micali,et al.  The round complexity of secure protocols , 1990, STOC '90.