Efficient Byzantine Agreement with Faulty Minority

Byzantine Agreement (BA) among n players allows the players to agree on a value, even when up to t of the players are faulty. In the broadcast variant of BA, one dedicated player holds a message, and all players shall learn this message. In the consensus variant of BA, every player holds (presumably the same) message, and the players shall agree on this message. BA is probably the most important primitive in distributed protocols, hence its efficiency is of particular importance. BA from scratch, i.e., without a trusted setup, is possible only for t < n/3. In this setting, the known BA protocols are highly efficient (O(n²) bits of communication) and provide information-theoretic security. When a trusted setup is available, BA is possible for t < n/2 (consensus) and for t < n (broadcast), respectively. In this setting, only computationally secure BA protocols are reasonably efficient (O(n³κ) bits). When information-theoretic security is required, the most efficient known BA protocols require O(n¹⁷κ) bits of communication per BA, where κ denotes a security parameter. The main reason for this huge communication cost is that in the information-theoretic world, parts of the setup are consumed with every invocation of BA, and hence the setup must be refreshed. This refresh operation is highly complex and communication-intensive. In this paper we present BA protocols (both broadcast and consensus) with information-theoretic security for t < n/2, communicating O(n⁵κ) bits per BA.
