1. Expected Constant-Round Protocols for Broadcast
Jonathan Katz Chiu-Yuen Koo
University of Maryland

2. Background
When designing cryptographic protocols, it is often convenient to assume a broadcast channel
In a point-to-point network, this broadcast will have to be “emulated” by a broadcast sub-routine
The round complexity of the eventual protocol depends heavily on the round complexity of broadcast!
Much work has focused on reducing this round complexity…

3. Byzantine Agreement
n parties P1, …, Pn, t of whom are malicious; each party has an input vi
If the inputs of all honest parties initially agree, they should all output this common value
(No matter what…) all honest parties should output the same value

4. Broadcast
n parties P1, …, Pn, t of whom are malicious; one party is the dealer who holds a message M
If the dealer is honest, all honest parties should output M
Even if the dealer is dishonest, all honest parties should output the same value
Essentially equivalent to the problem of Byzantine agreement for t < n/2

5. Prior Work (t < n/3)
Broadcast possible in the “plain model” if and only if t < n/3 [PSL80]
At least (t+1) rounds are necessary for any deterministic protocol [FL82]; a poly-time protocol with this round complexity is known [GM98]
Randomized protocols can beat the lower bound [R83, BO83]
[FM87] show an expected O(1)-round protocol

6. Prior Work (t < n)
Given a PKI and signatures, authenticated broadcast is possible for t < n [PSL80, DS83]
The (t+1)-round lower bound still holds
[FG03] show an expected O(1)-round protocol for t < n/2, using specific number-theoretic assumptions
Open since [FM97]: existence of an expected O(1)-round protocol for t < n/2 based on signatures only
Note: Feldman-Micali approach does not extend to this case (at least as far as we know)

7. Our Contributions I
We show an expected O(1)-round broadcast protocol for t < n/2, assuming only a PKI and digital signatures
Along the way, we improve and simplify(?) the Feldman-Micali protocol for t < n/3
Proof is entirely self-contained…
Our approach relies on the new notion of a moderated protocol
Has other applications as well (see next talk)

8. Our Contributions II
We show how to deal with parallel/sequential composition of randomized protocols for t < n/2 (extending [LLR02, BOEY03])
Combined with existing results, this gives expected O(1)-round protocols for MPC tolerating t < n/2 malicious players

9. Protocol Details…
The cases of t < n/3 and t < n/2 will be developed in parallel
The first is in the plain model and gives unconditional security; the second assumes a PKI + signatures (but is otherwise unconditional)
We always assume pairwise authenticated and private channels, and an adaptive, rushing adversary

10. Constant-round protocol for
Overview
Constant-round protocol for
(a variant of) VSS
Constant-round protocol for leader election/coin tossing
Expected constant-round protocol for BA
Constant-round VSS protocol (using broadcast channel)
Constant-round gradecast protocol (in point-to-point model)
Compiler
Moderated VSS

11. Gradecast [FM97] A relaxation of broadcast…
Dealer holds input M; each honest party Pi outputs a message mi and grade gi
If dealer honest, all honest players output (M, 2)
If any honest party outputs (mi, 2), then all other honest parties Pj output mj = mi and gj ≥ 1

12. Theorem
There exist constant-round gradecast protocols (in the point-to-point model) for t < n/3 and t < n/2
(Previously known for t < n/3 [FM97])
For details, see paper…

13. VSS
2-phase protocol (sharing and reconstruction phases); dealer holds input s
If the dealer is honest, then the view of the malicious players is independent of s after the first phase, and all honest parties output s in the second phase
At the end of the sharing phase, the view of the honest parties defines a value s’ that all honest parties will output in the second phase

14. Theorem
There exist constant-round VSS protocols for t < n/3 and t < n/2 that use broadcast during the sharing phase only
(Previously known for t < n/3 [GIKR01]; follows by adapting [CDDHR99] for t < n/2)

15. VSS for t < n/2
Dealer chooses F(x,y) of degree t in each variable, with F(0,0) = s. Let ai,j = bi,j = F(i,j). Dealer sends to Pi the values a1,i, …, an,i and bi,1, …, bi,n (signed).
If insufficient signatures received, Pi broadcasts a complaint. If the values are inconsistent, Pi broadcasts the inconsistent values and their signatures (and the dealer is disqualified)
The dealer broadcasts the values (signed) for any party Pi who broadcast a complaint; Pi uses these values in the rest of the protocol
(Every party now has consistent vectors with correct dealer signatures)

16. VSS for t < n/2 continued…
Pi signs aj,i and sends it to Pj
If ai,j is not equal to bi,j (or no signature received), Pi broadcasts bi,j with the dealer’s signature
If any party broadcast a value bi,j different from ai,j, then broadcast ai,j with dealer’s signature. If dealer’s signature on two different values is broadcast, it is disqualified

17. VSS for t < n/2, continued
Reconstruction: Pi sends bi,j for all j (along with signature of Pj) to all other parties. (Note: if no valid signature obtained, Pi has already broadcast bi,j)
If Pj sent any incorrect signatures, or bj = (bj,1, …, bj,n) inconsistent, disqualify Pj.
For each non-disqualified Pj, interpolate bj to get fj(y). Next, interpolate {fj(y)} to get F(x,y). Output F(0,0).

18. Proof (sketch)
If dealer is honest, the information the malicious parties have about s is exactly {F(i,y), F(x, i)}i malicious
Since there are at most t malicious players, and the degree of F is t in each variable, no information about s is leaked
Say dealer, Pi, Pj honest. Then Pi recovers fj(y)=F(j,y). For any malicious Pk (who is not disqualified by Pi), bk,j was “validated” by Pj and so bk,j = F(k,j). Since this holds for t+1 honest players, Pi recovers Fk(y) = F(k,y). Interpolating these thus yields F(x,y).

19. Proof (sketch)
For the case of dishonest dealer, take the values (bi,1, …, bi,n) of an honest Pi at the end of sharing phase.
These are consistent; let fi(y) be the corresponding polynomial
Since we have t+1 honest players, we can interpolate the {fi(y)} to obtain F(x,y)
Claim: F(0,0) will be the value output in the reconstruction phase
Argument is similar to before…

20. Moderated VSS
2-phase protocol; dealer holds input s; there is also a distinguished moderator
Each party Pi outputs a bit fi at the end of the sharing phase
If the moderator is honest, then fi = 1 for all honest parties
If there exists an honest player with fi = 1, then the protocol achieves VSS

21. Key Result
There exist constant-round protocols for moderated VSS (in the point-to-point model) for t < n/3 and t < n/2
Proof: We construct such a protocol by compiling any VSS protocol (using broadcast in sharing phase only) with gradecast…

22. Compiler Given VSS protocol Π; construct Π’ as follows:
Parties begin with fi = 1
Whenever a party P is supposed to broadcast a message m (as part of Π):
P gradecasts m
The moderator gradecasts the result
Let (m, g) and (m’, g’) be the outputs of some player. Use m’ as the message broadcast by P (in the execution of Π)
Set f = 0 if (g’ ≠ 2) or (m ≠ m’ and g = 2)

23. Proof…
If the moderator is honest, then g’=2. Also, if g=2 then all parties output the same message in the gradecast by P, so m’=m.
So, honest parties output f=1 if moderator is honest
If any honest party outputs f=1, then (1) g’=2 always, and so honest parties use the same message within Π; furthermore, (2) if P is honest (so g=2) then m’=m.
So, the functionality of broadcast was achieved whenever needed throughout Π
Hence, Π’ achieves VSS

24. Oblivious Leader Election (OLE) with Fairness δ
With probability ≥δ, the following holds (i.e., an honest leader is elected): There exists an index j such that (1) each honest party outputs j, and (2) Pj is honest
Theorem: There exist constant round protocols for OLE with fairness 1/2, for t < n/3 and t < n/2

25. Constructing OLE Pi “trusts” Pj Assume moderated VSS…
Pi begins with ti,j = 1 for all j
For all i, j, party Pi chooses random 1 ≤ ci,j ≤ n3 and then runs mVSS using this value and Pj as moderator
If Pk outputs f=0 here, it sets tk,j=0
Reconstruct the above. Pk sets cj = Σ ci,j mod n3.
Pk outputs j with tk,j = 1 that minimizes cj

26. Proof… Define T = {j : exists honest Pi with ti,j = 1}
If Pi honest, then i  T.
If j  T, then all honest parties agree on cj. Furthermore, cj is uniform in {1, …, n3} (since ci,j is uniform for Pi honest). With high probability, all such cj are unique.
So, with probability at least (t+1)/|T| ≥ ½ an honest leader is elected

27. From Leader Election to BANo
Has agreement
been reached?
Yes
Exit
Maybe
Run a leader election protocol.
Each party sends the message it holds to all parties
Each party sets its input to the message sent by the leader

28. Proof (ideas)
If parties hold the same inputs, they do not change their inputs and will terminate the protocol by the end of the next iteration
No (honest) party terminates until agreement has been reached
Once an honest leader is elected, agreement will be reached in the following iteration
Since an honest leader is elected with constant probability, termination occurs in expected O(1) rounds

29. Final Result
There exist expected O(1)-round protocols for broadcast for t < n/3 and t < n/2
Applying some optimizations, we obtain protocols with the following (expected) round complexities:
t < n/3: 24 rounds
t < n/2: 56 rounds

30. Composition

31. Parallel composition
In general, parallel composition of n protocols with expected O(1)-round complexity does not yield an expected O(1)-round protocol
For our particular protocols, known techniques give parallel composition without increasing the expected number of rounds
Run OLE once for all parallel executions…

32. Sequential composition
A different problem may be caused by non-simultaneous termination
Parties terminate one iteration in different rounds, and thus start the next iteration in different rounds
This is inherent for sublinear-round BA protocols
Existing methods for dealing with this are complex [LLR02] or apply only to t < n/3 [BOEY02]

33. Sequential composition
Protocol Π has staggering gap g if honest parties terminate within g rounds
Theorem: Let Π be a b’cast protocol. Then there is a b’cast protocol Π’ such that:
It is secure as long as all parties start within 1 round of each other
Its staggering gap is 1
rc(Π’) = 3 rc(Π) + 1

34. Sequential composition
To sequentially compose Π1, …, Πk, run Π’1, …, Π’k instead
Each Π’i has staggering gap 1
Each Π’i+1 is secure as long as parties start within 1 round of each other
k sequential executions of a protocol with round complexity r requires ≈3kr rounds

35. Recent results (with J. Garay and R. Ostrovsky)

36. Broadcast for t < n? Our results apply only for t < n/2
We use VSS, which is possible only for t < n/2
What about for t < n?
Known: deterministic protocols with round complexity t+1; matching lower bound

37. Negative result
Theorem: Any broadcast protocol tolerating t malicious parties must have expected round complexity at least O(n/(n-t))
In particular, tolerating the optimal threshold t = n-1 is not possible in sub-linear rounds

38. Positive result First consider case t = n/2:
Dealer gradecasts M and then exits
Remaining parties run as follows:
If received (M’, g ≤ 1), run (n/2)-resilient BA with M’ as input and output the result
If received (M’, 2), run (n/2)-resilient BA with M’ as input for K rounds; output M’

39. Analysis
If the dealer is honest, then all honest players enter the BA protocol with the same input
In this case, the protocol terminates in a fixed constant number of rounds
If dealer dishonest
If g=2 for some honest player, then all honest players enter BA with same input (and output the same value in K rounds)
Otherwise, all honest players run BA to completion, with honest majority!

40. General case
Theorem: Let c = t – (n-t) = 2t-n. Then there is a broadcast protocol with resilience t and expected round complexity O(c)
In particular, for t = n/2 + o(n) we get a protocol with sub-linear round complexity

41. Summary
We have shown an expected O(1)-round broadcast protocol for t < n/2
First based on general (minimal) assumptions
We also improve/simplify [FM97] for t < n/3
Sequential composition for t < n/2
Open questions
Sublinear-round broadcast for t < n?
Lower bounds on round complexity?