Byzantine Agreement Given Partial Broadcast

Transcription

1 J. Cryptology (2005) 18: DOI: /s x 2005 Internatonal Assocaton for Cryptologc Research Byzantne Agreement Gven Partal Broadcast Jeffrey Consdne Computer Scence Department, Boston Unversty, Boston, MA 02215, U.S.A. Matthew Frankln Department of Computer Scence, Unversty of Calforna, Davs, CA 95616, U.S.A. Uel Maurer Department of Computer Scence, ETH Zurch, CH-8092 Zurch, Swtzerland Matthas Ftz Department of Computer Scence, Unversty of Århus, 8000 Aarhus C, Denmark Leond A. Levn Computer Scence Department, Boston Unversty, Boston, MA 02215, U.S.A. Davd Metcalf Computer Scence Department, Boston Unversty, Boston, MA 02215, U.S.A. Communcated by Ran Canett Receved 4 March 2003 Onlne publcaton 20 May 2005 Abstract. Ths paper consders uncondtonally secure protocols for relable broadcast among a set of n players, where up to t of the players can be corrupted by a (Byzantne) adversary but the remanng h = n t players reman honest. In the standard model wth a complete, synchronous network of blateral authentcated communcaton channels among the players, broadcast s achevable f and only f 2n/h < 3. We show that, by extendng ths model by the exstence of partal broadcast channels among subsets of b players, global broadcast can be acheved f and only f the number h of honest players satsfes 2n/ h < b+1. Achevablty s demonstrated by protocols wth communcaton and computaton complextes polynomal n the sze of the network,.e., n the number of partal broadcast channels. A respectve characterzaton for the related consensus problem s also gven. Key words. Broadcast, Byzantne agreement, uncondtonal securty. Prelmnary versons of the results presented n ths artcle were reported n [25], [9], [19], [10], and [20]. Leond A. Levn was supported by NSF Grants CCR , , Matthas Ftz was partly supported by the Packard Foundaton, Matthew Frankln was supported by the Packard Foundaton and NSF, and Uel Maurer was partly supported by the Swss Natonal Scence Foundaton. 191

2 192 J. Consdne, M. Ftz, M. Frankln, L. A. Levn, U. Maurer, and D. Metcalf 1. Introducton A fundamental problem n fault-tolerant dstrbuted computng s to acheve consstency of the nvolved partes vews, even f some of the partes (also called players) devate from the protocol n an arbtrary manner. A core prmtve for achevng global consstency s broadcast,.e., a mechansm or protocol allowng one player, the sender, to send a value consstently to all other players such that, even n case of malcous behavor by the sender and/or some of the other players, all honest players receve the same value. The standard model consdered n fault-tolerant dstrbuted computng s that every par of players can communcate over a blateral authentcated channel. In ths model, authentcated channels are smply assumed to exst. In practce, they can be mplemented usng cryptographc technques. Such technques assume an ntal set-up phase such as the establshment of a publc-key nfrastructure, or sharng parwse secret keys. The problem of mplementng broadcast n the standard model [32] s a classcal problem n dstrbuted computng. The semnal result of Lamport et al. [32] s that broadcast can be mplemented f and only f less than a thrd of all the players msbehave Motvaton In ths paper we propose to nvestgate a new research drecton by assumng, as part of the model, more powerful prmtves than authentcated channels,.e., prmtves that guarantee some degree of consstency among the players. The addtonal prmtve we consder s probably the smplest one that can serve as an extenson of the standard model, namely channels that guarantee consstency among b partcpants when one of them sends a value to the others. Our motvaton for consderng such enhanced models s twofold. Frst, the generc reducton of complex tasks to smple ones s a useful tool for provng whether or not a task s achevable under gven condtons, only requrng a constructon for the smple task n order to prove the achevablty of the complex one, and only requrng to show the mpossblty of the complex task n order to prove the smple one to be mpossble. Second, for uncondtonal mult-party computaton 1 among n players, the achevablty of broadcast s a lmtng factor. As 2n/h < 3 s the lower bound for mult-party computaton when broadcast s not avalable, broadcast allows for n/ h < 2. When addtonally assumng oblvous transfer, non-robust mult-party computaton s stll achevable n the presence of any number of corrupted players. As broadcast s typcally the only assumed prmtve that nvolves all n players (n contrast to other commonly assumed prmtves such as parwse channels or oblvous transfer), t s a natural queston to ask whether global broadcast s necessary for mult-party computaton beyond 2n/ h < 3 or, alternatvely, what reslence can be acheved for mult-party computaton when only assumng prmtves of constant sze. 1 Refer to Secton 6.4 for an nformal defnton of mult-party computaton as well as a short overvew of prevous results.

3 Byzantne Agreement Gven Partal Broadcast Models and Defntons Byzantne agreement refers to the general problem of havng a set P ={p 1,...,p n } of n players agree on a value v from some fnte doman D where some of the players may be corrupted. There are two man varatons of Byzantne agreement, broadcast and consensus. The goal of broadcast (or the Byzantne generals problem) s to have some desgnated player p s, called the sender, consstently send an nput value (or message) x s to all other players. The goal of consensus, where every player p starts wth an nput value x of hs own, s to make all honest (non-corrupted) players decde on a common output value such that, f all honest players hold the same nput value v, ths common output value s v Communcaton The players n P are connected va a complete, synchronous network of parwse authentcated channels. A parwse authentcated channel between two players p and p j s a blateral communcaton channel that guarantees that only the two respectve players can send messages on the channel,.e., excludng any thrd party from accessng t n any other way than possbly readng the communcaton between the two players. In partcular, we assume that communcaton va an authentcated channel cannot be blocked by a thrd party. Synchroncty means that all players share common, synchronzed clock cycles. In such a clock cycle, each player frst receves a fnte (possbly empty) set of messages from the other players, followed by a fnte number (possbly zero) of local computaton steps, and fnally sends a fnte (possbly empty) set of messages to the other players. Messages beng sent durng a clock cycle are guaranteed to have arrved at the begnnng of the next cycle. We refer to the communcaton model descrbed so far n ths secton as the classcal model, denoted by M 2. In contrast, we ntroduce the partal-broadcast model, M b, below. Defnton 1 (M b ). Model M b extends the classcal model by perfectly relable synchronous broadcast channels among each b-tuple of players,.e., authentcated broadcast channels (denoted BC b ) from p 1 to players p 2,...,p b, for any selecton of b dstnct players from P. We assume all blateral and BC b -channels to be composable n parallel (or at least sequentally) Composablty It has long been a common technque to construct complex protocols by combnng subprotocols that acheve smpler tasks. When gvng a securty proof of such a constructon, the fact that the subprotocols compose correctly s usually not made explct because t s typcally trval n the context of the protocol tself. On the other hand, composablty can become non-trval when the whole context of the executon of the (sub-)protocols s not known n advance [6], [33]. We note that, n our modular constructon, our subprotocols trvally compose wth each other, and so do the fnal protocols.

4 194 J. Consdne, M. Ftz, M. Frankln, L. A. Levn, U. Maurer, and D. Metcalf Adversary and Corrupton The reslence of a protocol s characterzed by the number t of players that may devate from the protocol. We refer to such a player as beng corrupted whereas a noncorrupted player s called honest. Alternatvely, h = n t denotes the mnmal number of players that are assumed to be honest. It helps to magne a central adversary who can corrupt up to t players and make them cheat n an arbtrary, coordnated manner. We consder an adaptve adversary who can gradually corrupt arbtrary new players durng the protocol, but at most t n total. Note, however, that our mpossblty results are proven even wth respect to the strctly weaker defnton of a non-adaptve (or statc) adversary that s assumed to preselect up to t of the players at the begnnng of the protocol and not corrupt any further players durng any later stage of the protocol Securty We demand our protocols to be uncondtonally secure,.e., we requre that even a computatonally unbounded adversary cannot make the protocol fal except for some neglgble error probablty. Our fnal broadcast protocol wll even be perfectly secure (zero error probablty). On the other hand, our mpossblty result s gven even wth respect to an adversary that s bounded to polynomal-tme computaton Setup Assumptons We assume that all players know the player set, the protocol, and the whole network topology,.e., they know whch players partcpate n the protocol and how they are connected by communcaton channels. Addtonally, we assume that all players agree on a common pont n tme when the protocol s to be started. The achevable reslence of Byzantne agreement depends on whether or not one assumes that a publc-key nfrastructure (PKI) s consstently set up among the players. Such a PKI would allow all messages to be sgned and enable broadcast wth arbtrary reslence and consensus for n/h < 2. In ths paper we consder the case where no such PKI s set up among the players Complextes We characterze the effcency of the protocols n terms of the computatonal complexty,.e., the local computatonal worst-case complexty of the honest players, the bt complexty,.e., the total number of bts communcated by all honest players durng the protocol n the worst case, and the round complexty,.e., the maxmal number of communcaton rounds for any honest player n the worst case. Our round complexty analyses are gven under the assumpton that the underlyng channels are composable n parallel wthout any sde-effects on each other Broadcast, Consensus, and Proxcast Defnton 2 (Broadcast). A protocol for the player set P, where player p s P (the sender) holds an nput value x s D and every player p P computes an output

5 Byzantne Agreement Gven Partal Broadcast 195 value y D, acheves broadcast (or s a broadcast protocol) f t satsfes the followng condtons: Consstency (or agreement): All honest players decde on the same output value,.e., y = y j for all honest players p and p j. Valdty: If the sender p s s honest, then every honest player p decdes on the sender s nput value,.e., y = x s. Defnton 3 (Consensus). A protocol for the player set P, where every player p P holds an nput value x D and computes an output value y D, acheves consensus f t satsfes the followng condtons: Consstency (or agreement): All honest players decde on the same output value,.e., y = y j for all honest players p and p j. Valdty (or persstency): If every honest player p holds the same nput value x = x, then every honest player decdes on t,.e., y = x. Note that, n contrast to broadcast, the consensus defnton only makes sense f less than half of the players are corrupted. In ths case, broadcast can easly be acheved usng consensus and vce versa. Thus, we focus on broadcast n what follows, and generalze our results to consensus only at the very end. Furthermore, we manly focus on bnary broadcast (doman D ={0, 1}) snce broadcast for any fnte doman D can be effcently solved by log 2 D nvocatons of ts bnary varant. A more effcent way to acheve ths was gven n [40] by Turpn and Coan. We now ntroduce the prmtve proxcast whch serves as a fundamental buldng block for our protocol constructons. Proxcast was frst defned n [38]. Pn k s a broadcast-lke prmtve that acheves the valdty property of broadcast. Addtonally, t s guaranteed that the players outputs are proxmate n the sense that they do not devate too strongly from each other. Pn k s best ntroduced pctorally and by means of a bnary nput doman. See Fg. 1. The sender sends a bt x {0, 1}. Each player p receves an output l {0,...,k 1}. If the sender s honest then each honest player gets output x (k 1). If the sender s corrupted then t s stll guaranteed that there s a value m such that all honest players get an output l {m, m + 1}. Alternatvely, the output can be represented as a par (y, g) wth output bt y and grade value g = 0,..., (k 1)/2. If the sender s honest then each honest player gets bt y = x and maxmal grade g = (k 1)/2. Ifthe sender s corrupted then the honest players stll receve adjacent grades g {z, z + 1}. k =4 k =5 ` y g ` y g ? Fg. 1. Pn 4 and P5 n over bnary nput doman.

6 196 J. Consdne, M. Ftz, M. Frankln, L. A. Levn, U. Maurer, and D. Metcalf If any honest player gets a hgh enough grade g then t s guaranteed that all honest players hold the same output bt y as can be verfed, ths s the case for grades g > k mod 2. 2 Accordng to requrements we use the two dfferent representatons nterchangeably. Defnton 4 (Proxcast). Let k > 0 be an nteger. A protocol among player set P where player p s P (the sender) holds an nput value x s D and every player p P fnally decdes on an output value y D and a grade g {0,..., (k 1)/2 } acheves k-proxcast (Pn k, for short) f t satsfes the followng condtons: Valdty: If the sender s honest wth nput x s then every honest player p computes y = x s and g = (k 1)/2. Consstency: There s a value g {1,..., (k 1)/2 } such that every honest player p decdes on ether g = g 1org = g. If some honest player p computes g > k mod 2 then all honest players p j compute the same value y j = y. Alternatvely, f D = {0, 1}, we say that a player wth values y {0, 1} and g {0,..., (k 1)/2 } decdes on level l = y ( (k 1)/2 +g ) + (1 y ) ( (k 1)/2 g ). 3 The valdty and consstency condtons then transform nto Valdty : If the sender s honest wth nput x s then every honest player p computes l = x s (k 1). Consstency : There s a level l {0,...,k 2} such that every honest player p computes l {l, l + 1}. Well known specal cases of proxcast are mult-send (k = 2), crusader agreement [12] (k = 3), and graded broadcast [17] (k = 5). We denote an nvocaton of Pn k wth sender p s and nput x s by Pn k(p, p s, x s ). Note the followng trval fact about proxcast. Proposton 1. Pn k mples Pk n for any k < k. Pn k effcently acheved by bnary Pn k. for any fnte doman D can be Proof. Pn k can be easly acheved by nvokng Pk n and mergng k k + 1 adjacent output values together. Let a protocol for bnary Pn k be gven,.e., x {0, 1} and g {0,..., (b 1)/2 }. Mult-valued Pn k wth a gven doman D, x D, can be acheved by runnng an nstance of bnary Pn k wth respect to every sngle bt n the bnary representaton of x. The recpents then decde on the value y beng composed of all the bts receved durng these nvocatons plus on the mnmal grade ever receved durng the bnary nvocatons. Snce proxcast (broadcast) for any fnte nput doman effcently reduces to bnary proxcast (broadcast, respectvely) we restrct ourself to the bnary case n what follows. 2 For odd k, g = 1 s not suffcent snce the mddle level l = (k 1)/2 cannot be unquely assocated wth a partcular output bt y. 3 Whch maps the possble pars (y, g ) to values l {0,...,k 1} accordng to Fg. 1.

7 Byzantne Agreement Gven Partal Broadcast Protocol Notaton Protocols are understood to be specfed wth respect to a player set S P ={p 1,..., p n }. Each player p S runs the same program, usng as the nput (f there s one) hs own nput, say x. The local varable names ndcate the ndex of the player p performng the nstructon. For nstance, Protocol Broadcast(S, p 1, x 1 ) refers to a protocol for broadcast among the player set S where player p 1 holds nput x 1 and the other players hold no nput. Some of the nstructons are ndcated as beng only for a specfc player, e.g., the sender: f = 1 then SendToAll(v 1 ) f; Receve(w ) means that player p 1 sends the value stored n (hs local) varable v 1 to all players n S and that each player p (ncludng p 1 ) assgns the receved value to hs local varable w. At the end of a protocol, each player outputs a value, usually stored n the local varable y, wrtten return y. The doman of the values s usually specfed mplctly. For smplcty, t s not explctly stated how to handle receved values (from a corrupted player) outsde the doman. Such a value can be assumed to be replaced by some default value, ether an arbtrary value n the doman or a specal extra symbol Prevous Work The Byzantne agreement problem was ntroduced by Lamport et al. [32]. For the standard model M 2 they presented a broadcast protocol among n players that s secure for 2n/h < 3. As proven n [32], [31], and [18], ths bound s tght,.e., no protocol can tolerate 2n/h 3, not even f the adversary s computatonally bounded. The frst effcent (.e., polynomal-tme) broadcast protocol was gven n [15] by Dolev and Strong, followed by a varety of alternatve protocols wth dfferent nterestng propertes [14], [39], [1], [17], [5], [8], [28]. The extenson of the standard communcaton model by partal broadcast was already consdered n [27], [26], and [41] n the context of secure pont-to-pont communcaton over an ncomplete network, a problem ntally studed by Dolev et al. [13] for the standard communcaton model. In [27] Frankln and Yung show how to acheve prvate pont-to-pont communcaton n the presence of a passve adversary, gven partal broadcast but not necessarly parwse communcaton channels among the players. Secure pont-to-pont communcaton over partal-broadcast networks n the presence of an actve adversary was consdered by Frankln and Wrght [26] and Wang and Desmedt [41] Result and Sources Theorem 1. In Model M b, global broadcast among n > b players s achevable f and only f 2n/h < b + 1. If b = O(1) or n b = O(1) then broadcast s achevable wth message and computaton complextes polynomal n n. In all other cases, our protocols are stll polynomal n the sze ( n b) of the network.

8 198 J. Consdne, M. Ftz, M. Frankln, L. A. Levn, U. Maurer, and D. Metcalf The specal case of b = 3 was ntroduced and fully treated n [25]. In [9] 2n/h < b + 1 was shown to be a lower bound for the case of general b. There, a protocol matchng ths bound for ntegers n/ h was gven. That protocol addtonally assures agreement whenever the sender s honest regardless of the number of corrupted recpents; requrng ths extra property, the protocol s optmal even for fractonal n/ h. Protocols matchng the lower bound 2n/ h < b+1 for fractonal n/ h were ndependently developed n [19] and [10]. Protocols that are polynomal n the sze of the network were gven n [20] Outlne We frst gve our proof of the lower bound n Secton 2. The proof s obtaned by usng deas of Fscher et al. who n [18] ntroduced a standard technque n order to prove the mpossblty of Byzantne agreement n standard scenaros. We also use a smulaton argument from [32] for ths purpose. We then descrbe two dfferent protocols wth respect to the optmal bound 2n/h < b + 1. Snce both protocols are bult on b-proxcast, Pn b (as gven n Defnton 4), we frst show how to mplement that prmtve effcently n Secton 3. In Secton 4 we present our frst protocol whch extends the recursve constructon n [32] known under the name nformaton gatherng (IG) [1]. Ths protocol s less complcated than the second one but generally superpolynomal n the sze ( n b) of the network. IG among n players s mplctly based on two-threshold broadcast among less than n players, a generalzaton of broadcast that acheves valdty and consstency wth respect to dfferent thresholds [24]. In Secton 5 we present our second constructon. The resultng protocol s complextes are polynomal n the sze ( n b) of the network. The protocol s obtaned along the lnes of the protocols n [16] and [34] where a PKI s assumed to be set up among the players wth respect to a (pseudo-)sgnature scheme. We demonstrate that k-proxcast (wth suffcently large k) s powerful enough to replace a PKI wth respectve sgnatures n the protocols of [16] and [34], thus yeldng a protocol for our model wthout the need for a PKI or sgnatures. We also show how to transform Pn b nto Pk n effcently for the requred k. Fnal remarks and the extenson of the results to consensus are gven n Secton Lower Bound We prove that, n Model M b, secure global broadcast among n > b players s mpossble f 2n/h b + 1. We frst prove the nexstence of a protocol for n = b + 1 and h = 2 by generalzng the proof dea n [18] for the mpossblty of broadcast among n players n the standard model wth respect to 2n/h < 3. Actually, ths yelds a stronger result, namely that such a protocol cannot exst even for a weaker adversary whose choce of whch players he must leave uncorrupted s restrcted to two consecutve players. The fnal mpossblty result for general n wll then be derved from ths specal case along the lnes of a smlar generalzaton n [32].

9 Byzantne Agreement Gven Partal Broadcast Impossblty for n = b + 1 and h = 2 Our am s to show that, for each possble protocol among b + 1 players, there s an admssble adversary that can make the protocol fal wth some non-neglgble probablty by corruptng at most b 1 of the players. For ths, we assume any potental broadcast protocol to be gven and consder t n two dfferent contexts, dstrbuted systems and (see Fg. 2 for the specal case b = 3). System s the orgnal settng among the b + 1 players where the adversary corrupts b 1 of them. By assumpton, the protocol acheves broadcast n ths system. In system no adversary s present,.e., all players follow the protocol correctly. However, the players are arranged n a dfferent way. In partcular, s a dstrbuted system bult of 2b + 2 players the b + 1 orgnal ones together wth one dentcal copy of each of them. Stll, protocol can be run n ths extended system meanng that all 2b + 2 players run ther respectve local codes and communcate wth the players they are connected to. We show that, for certan pars of players, ther jont vews n protocol are ndstngushable wth respect to the dfferent systems and. That s, such a par of players cannot tell whether they are nvolved n system or. Ths mples that system (.e., the rearrangement of the players) smulates an admssble adversary n the orgnal system wth respect to several pars of players smultaneously. Snce we assume the protocol to be secure n the presence of h = 2 honest players, the valdty and consstency condtons of broadcast must thus be satsfed for each one of these pars even n system. However, we wll be able to conclude that t s mpossble to acheve these condtons smultaneously wth respect to all nvolved pars hence showng that the assumed protocol cannot be secure n the orgnal system. Techncal detals. Let P ={p 0,...,p b } be the n = b + 1 players wth sender p 0 and let be a protocol among the players n P. Protocol specfes a local program ψ for each player p. Let the nteger {0,...,b} be called the type of player p, unquely defnng the program ψ t s supposed to run. Our communcaton model suggests that each player p has ports wth respect to each communcaton channel t shares wth other players. Let p s blateral port of type j denote the port t uses for ts blateral communcaton wth player p j. When necessary, we dstngush p s blateral read port of type j (where t reads the messages receved from player p j ) from ts blateral wrte port of type j (where t wrtes the messages to be sent to player p j ). Fnally, let p s BC b port of type j denote the port t uses for ts communcaton va the BC b channel t shares wth the players n P\{p j }. Reconnecton of Players. The left part of Fg. 2 sketches how the players are connected wth each other n the orgnal settng for the specal case of b = 3 (where the blateral channels are represented by arrows and the BC b channels are represented by shaded trangles). We refer to ths dstrbuted system as the orgnal system. We now descrbe the smulaton system whch s sketched n the rght part of the fgure for the specal case b = 3. For each player p P, let p +n be an dentcal copy of p. System conssts of the 2n = 2(b+1) players P ={p 0,...,p 2b+1 }, all connected

10 200 J. Consdne, M. Ftz, M. Frankln, L. A. Levn, U. Maurer, and D. Metcalf Σ Σ p p p 0 p p p6 1 p 2 p p p p p 4 Fg. 2. Orgnal system and smulaton system for the specal case b = 3. together as descrbed further below. Let Type() = mod n denote the type of player p P. There are hence two players of each of the b + 1 types and, n partcular, two senders p 0 and p n who take bnary nput x 0 and x n, respectvely. In order to defne the system exactly we need to specfy, for each player p ( {0,...,2n 1}), wth whch other players ts communcaton channels are connected. The 2n players p 0,...,p 2n 1 are arranged n a crcular way, wth the channels of each player arranged n a cyclcally dentcal manner. It thus suffces to descrbe the channels of player p 0. Each blateral wrte port of p 0 of type k = 1,...,b 1 s connected to the blateral read port of type 0 of the specfc player p k as orgnally. Player p 0 s blateral wrte port of type b s connected to the blateral read port of type 0 of the specfc player p 2n 1. Each BC b port of p 0 of type k = 1,...,b s connected to the BC b port of type k of the specfc players p 1,...,p k 1 and p k+1+n,...,p 2n 1. Ths way of connectng the players p P satsfes the followng propertes: 1. Exclusve assgnment of ports. Each player p s blateral wrte (read) port of type j s exclusvely connected to the blateral read (wrte) port of type Type() of one player of type j. Furthermore, each player p s BC b port of type j s exclusvely connected to the BC b ports of type j of b 1 players of dstnct types k / {Type(), j}. Exclusve assgnment of the blateral ports mmedately follows by cyclcal symmetry of the constructon. Furthermore, the connecton rule for the BC b channels guarantees that a player p s BC b port of type j s assgned to a player p k s port of type j f and only f player p k s BC b port of type j s assgned to player p s BC b port of type j Mutual assgnment of ports. For each player par {p, p (+1) mod 2n } t holds that p s blateral read (wrte) port of type Type(+1) s connected to the wrte (read) port of the partcular adjacent player p (+1) mod 2n. Furthermore, ther BC b ports of types j / {Type(), Type( + 1)} are all mutually connected. Exclusve and mutual assgnment of ports (n ) now guarantees that any message sent (receved) by player p va ts blateral port of type Type( + 1) s receved (sent) by 4 Note that the rule smply mutually groups together ether all players p l P such that p j < p l < p j+n or all players p l P such that p l < p j or p j+n < p l.

11 Byzantne Agreement Gven Partal Broadcast 201 p s own adjacent player p (+1) mod 2n. The same holds for the mutual BC b ports. Mutual assgnment of ports addtonally guarantees that any message sent on a BC b channel of type j / {Type(), Type( + 1)} s ether receved by both adjacent players p and p (+1) mod 2n or by none of them. Identcal jont vews and contradcton. We now demonstrate that, for any par {p, p (+1) mod 2n } of adjacent players n system, there s an admssble adversary for the orgnal system that acheves that the jont vew of the players p mod n and p (+1) mod n s dentcal to the jont vew of the players p and p (+1) mod 2n. For ths, the adversary corrupts the b 1 players n P\{p mod n, p (+1) mod n }, smulates the vrtual players n P \{p, p (+1) mod 2n } of system, and makes player p ( 1) mod n nteract wth the honest players lke player p ( 1) mod 2n n and player p (+2) mod n nteract wth the honest players lke player p (+2) mod 2n n. 5 Snce any two adjacent players p and p (+1) mod 2n are consstently nterconnected n (see the prevous paragraph), ths adversary strategy now guarantees that that the jont vew of the players p and p (+1) mod 2n s dentcal to the jont vew of the players p mod n and p (+1) mod n n the orgnal system. Lemma 2. In model M b, broadcast among the n = b +1 players P ={p 0,...,p b } s not achevable f, for any one par {p, p (+1) mod n } P, the adversary can corrupt the b 1 remanng players n P\{p, p (+1) mod n }. In partcular, the adversary can make the protocol fal wth probablty at least 1/n = 1/(b + 1). Proof. We assume that, wthout loss of generalty, the sender s program ψ 0 outputs ts own nput value. Now, consder the system beng started wth nput x 0 = 0 for p 0 and nput x n = 1 for p n. Let q, for = 0,...,b, be the probablty (n system ) that players p and p +1 output dfferent values,.e., y y +1. Snce y 0 = 0 and y n = 1, we have b q 1. (1) =0 Snce for any par of adjacent players n system, ther vew s dentcal to ther respectve players vew n the orgnal system, the consstency condton of broadcast demands that y = y +1 holds for every = 1,...,b also n system n contradcton to (1). In partcular, n the orgnal system, the followng adversary strategy makes the protocol fal wth a probablty of at least 1/n. The adversary selects one of the n pars {p, p (+1) mod n } P ( = 0,...,b) unformly at random and corrupts the remanng players (P\{p, p (+1) mod n }) by smulatng the players n {p 0,...,p 1, p +2,...,p 2n 1 } of system towards the players p and p (+1) mod n. Thus, the probablty that the honest players p and p (+1) mod n dsagree on 5 Ths stuaton s depcted n Fg. 2 wth respect to the player par p 0 and p 3. On the left sde, the corrupted players are encrcled. On the rght sde, the players are encrcled who are smulated by the adversary. In, p 1 plays the role of player p 1 n and p 2 plays the role of player p 6 n.

12 202 J. Consdne, M. Ftz, M. Frankln, L. A. Levn, U. Maurer, and D. Metcalf ther outputs s and the lemma follows. P 1 n b =0 q 1 n = 1 b + 1, (2) 2.2. Impossblty for General 2n/h b + 1 We now gve the mpossblty proof for general n. We show that any protocol for general n > b and 2n/h b + 1 could be used n order to acheve broadcast among b + 1 players where the adversary can corrupt at least b 1 consecutve players whch s mpossble by Lemma 2. Lemma 3. Let P =nand 2n/h b + 1. It s possble to partton P nto b + 1 sets P 0 P b = P such that P P (+1) mod(b+1) h holds for each = 0,...,b. Proof. Let k = n mod(b+1) and n = λ(b+1)+k. The set P s parttoned nto b+1 sets P of n/(b + 1) or n/(b + 1) elements n any possble way except for the followng constrant: f k (b+1)/2 then t s addtonally assured that P = n/(b + 1) mples P (+1) mod(b+1) = n/(b + 1). The lemma follows by dstncton of the followng two cases. k < b + 1 P P (+1) mod(b+1) n 2n 2 = h, and 2 b + 1 b + 1 k b + 1 P P (+1) mod(b+1) n n 2n + h. 2 b + 1 b + 1 b + 1 Theorem 2. In model M b, broadcast among n > b players s not achevable f 2n/h b + 1. In partcular, the adversary can make the protocol fal wth probablty at least 1/(b + 1). Proof. Assume any broadcast protocol for n > b players Q ={q 0,...,q n 1 } wth sender q 0, secure for 2n/h b + 1. Wth the help of protocol, the b + 1 players P ={p 0,...,p b } can acheve broadcast secure for any honest par {p, p (+1) mod(b+1) } as follows. The set Q s parttoned nto b + 1 sets Q 0,...,Q b such that q 0 Q 0, and Q Q (+1) mod(b+1) hfor all = 0,...,bwhch s possble by Lemma 3. The players n P can now acheve broadcast by havng each player p smulate all players q j Q n an nstance of protocol. There, the players n Q Q (+1) mod(b+1) for some = 0,...,b are honest snce at least one par {p, p (+1) mod(b+1) } of the smulatng players s. Snce Q Q (+1) mod(b+1) hby constructon, protocol acheves broadcast among the smulatng players n P, as secure as wth respect to the player set Q. Thus, by Lemma 2, protocol must have an error probablty of at least 1/(b + 1). Note that ths mpossblty result holds wth respect to the stronger model where the players are connected by secure blateral channels and where the adversary s statc and lmted to probablstc polynomal computaton.

13 Byzantne Agreement Gven Partal Broadcast Effcent b-proxcast Let Ɣ := (b 1)/2 be the maxmal possble grade n Pn b. Pb n s acheved by havng the sender p s dstrbute hs nput value x s by all ( n 1 b 1) dfferent BCb -channels ncludng the sender (as a sender of the prmtve). Dependng on the consstency among the ( n 2) b 2 dfferent BC b -channels a recpent p s nvolved n, p decdes on a value y and a grade g. Qualtatvely speakng, player p decdes on a hgher grade g as more BC b nvocatons nvolvng p result n the same value y. For example, assume b = 6, and let y sjklm be the output value of the BC 6 nstance among the players p s, p, p j, p k, p l, and p m, where p s acts as the sender. If the sender p s s honest then an honest player p receves the same value x s n all nstances of partal broadcast,.e., y s x s. However, f such a player p sees y s x s then the sender could stll be corrupted, and another honest player p j could have receved the value 1 x s n an nvocaton where p does not partcpate, e.g., y sjcdef j = 1 x s. However, honest player p seeng y s x s mples that, for every honest player p j, t holds that y sj j x s. Furthermore, f p j sees y sj j x s (but no honest player p sees y s x s ) then t holds that every honest player p k sees y skj j x s ; and so on. As a natural approach, the grades of the fnal proxcast drectly relate to the maxmal number of astersks a player can nfer. More precsely, n order to compute hs grade g, a player p computes a mnmal set of players Z (P\{p s, p }) such that all nvocatons of BC b nvolvng the players n {p s, p } Z resulted n output 0. For example, f there are players p j and p k such that y sjk 0 but no p c exsts such that y sc 0 then Z ={j, k}. In step 4 of the protocol, let mn denote any mnmal set that satsfes the gven condton and let : denote the assgnment of any set satsfyng the respectve condton. Protocol 1. P b n (S, p s, x s ) 1. P b 2 P\{p s, p }, P b 2 =b 2: y P b 2 := BC b (P b 2 {p s, p }, p s, x s ) f; 2. f = s then y := x s ; g := Ɣ; l := y (b 1); return (y, g,l ) f; 3. f b = n then y := y P\{p s,p } ; g := Ɣ; l := y (b 1); return (y, g,l ) f; 4. f P b 2 : y P b 2 = 0 then Z := mn(z P\{p s, p } P b 2 Z : y P b 2 = 0) else Z : P\{p s, p } such that Z =b 1f; [0 never receved] 5. f Z < b/2 then y := 0 else y := 1 f; g := (b 1)/2 Z ; l := Z ; 6. return (y, g,l ) Lemma 4. In model M b, Protocol 1 acheves P b n. Proof. If b = n then the lemma trvally holds. Thus we assume that b < n. (Valdty ) If the sender p s s honest then every honest player p computes Z such that l = Z =x s (b 1).

14 204 J. Consdne, M. Ftz, M. Frankln, L. A. Levn, U. Maurer, and D. Metcalf (Consstency ) Consder an honest player p wth a mnmal set Z,.e., such that for all players p j t holds that l j = Z j Z =l.if Z b 2then Z j Z +1 trvally follows. If Z < b 2 then Z = Z {p } satsfes that, for all P b 2 Z, y P b 2 j = 0, and thus, that Z j Z Z +1. Thus, consstency follows. Note that a mnmal set Z can be effcently (polynomal n the sze of the communcaton network) computed n the case where b n/2. However, n the general case, fndng a mnmal set Z calculates the wtness for an NP-complete problem and thus seems nfeasble. Thus, n order to guarantee a computaton complexty polynomal n the sze ( n b) of the communcaton network (and thus polynomal n n for b = O(1) and n b = O(1)), we have the players approxmate such a mnmal set by publc dscusson n the followng way. A player p wth Z = (.e., p receved value 0 n every sngle BC b nvocaton) can effcently detect ths fact. Thus, n a frst round, we have every such player p dstrbute hs set Z = to every other player. A player p j (who has not computed Z j yet) now accepts ths statement f and only f y sj j 0 by calculatng Z j :={p } and dstrbutng Z j n a next round. A player p k (who has not computed Z k yet) now accepts p j s statement f and only f y skj k 0 by calculatng Z k := Z j {p j }, and dstrbutng Z k n a next round; etc. Ths process s contnued for b 2 rounds n total. Although ths process does not guarantee that the honest players p compute a mnmal set Z t stll guarantees that they compute an extremal set ( Z =0fx s = 0, and Z =b 1fx s = 1) when the sender s honest, and, that there s a player p j such that each honest player p k s set satsfes Z k { Z j, Z j +1}. The followng protocol s to replace step 4 n Protocol 1. Note that step 5 below s necessary n order to guarantee that, n round z, p ndeed composes a set Z of exact cardnalty z + 1 (n the textual descrpton above ths s not necessarly the case snce the set obtaned mght contan p hmself). Protocol 2. Approxmate Z 1. f P b 2 : y P b 2 = 1 then Z := else Z := f; 2. for z = 0 to b 3 do 3. f Z Z =z then SendToAll(Z ) f; Receve(Z 1,...,Z n); 4. f Z = ( Z k, Z k =z P b 2 Z k {p k } : y P b 2 = 0) then 5. Z := Z k {p k }; f p Z then pck arbtrary p l / Z {p s, p } and let Z :=(Z \{p }) p l f; 6. od; 7. f Z = then Z : P\{p s, p } such that Z =b 1f; Theorem 3. In model M b, Protocol 1(usng Protocol 2 nstead of step 4) acheves Pn b. The computaton and communcaton complextes of the protocol are polynomal n the sze ( n b) of the network. In partcular, the protocol s polynomal n the number of players f b = O(1) or n b = O(1).

15 Byzantne Agreement Gven Partal Broadcast 205 Proof. If b = n then the lemma trvally holds. Thus we assume that b < n. (Valdty ) Assume the sender p s to be honest. If x s = 0 then every honest player p mmedately computes Z := n step 1 of Protocol 2, and thus l = 0. If x s = 1 then there s no set P b 2 such that player p receved y P b 2 = 0 and p computes l = Z =b 1. (Consstency ) Consder an honest player p wth a mnmal set Z,.e., such that for all players p j t holds that l j = Z j Z =l.if Z b 2then Z j Z +1 trvally follows. If Z < b 2 then p j ether already computed Z j wth Z j = Z or accepts such a set Z by computng Z j accordng to step 5 of Protocol 2 of exact cardnalty Z j = Z +1, and l j = l + 1. (Complextes) Protocol 1 nvolves one communcaton round n step 1 and b 2 communcaton rounds n step 4 and thus R = b 1 rounds n total. The overall number of BC b calls s ( n 1 b 1) and, addtonally, n Protocol 2, each player sends at most one n-bt message to every other player. Thus, the bt complexty of Protocol 1 s B = O(n 3 + ( n b) ). The computatonal complexty s domnated by the test n step 4 of Protocol 2 whch s evdently polynomal n ( n b). 4. The Informaton-Gatherng Protocol We now present our nformaton-gatherng (IG) protocol for global broadcast n model M b secure f 2n/h < b + 1. Its complextes are generally superpolynomal n the sze ( n b) of the network. IG among n players s mplctly based on subprotocols for two-threshold broadcast [24]. Defnton 5 (Two-Threshold Broadcast). A protocol among P where player p s P (called the sender) holds an nput value x s D and every player p P fnally decdes on an output value y D, and acheves two-threshold broadcast (TTBC, for short) wth respect to thresholds t v and t c f t satsfes the followng condtons: Valdty: If the sender p s and at most t v players overall are corrupted then all honest players p decde on the sender s nput value, y = x s. Consstency: If at most t c players are corrupted then all honest players decde on the same output value. TTBC among a player set S P (n = S ) wth sender p s and thresholds t v and t c (t v t c ) recursvely works as follows. Frst, the sender p s dstrbutes hs nput value x s to all players n S va an nstance of Pn b. Then each player p S\{p s } recursvely redstrbutes the receved value wth an nstance of TTBC among the n = n 1 remanng players (S := S\{p s }) wth respect to threshold t c = t c 1. Now, every player holds the same n = n 1 votes (one per remanng player) on what level the respectve player receved n the nvocaton of Pn b. The only dfference between two players vews can now be that ther ntal levels receved durng Pn b dffer by one (consstency of Pn b ). The decson rule fnally manages to reunte respectve adjacent vews whle stll guaranteeng valdty wth respect to an honest sender. Note that the recurson works on reduced n = n 1 and t c = t c 1 but leaves t v unchanged.

16 206 J. Consdne, M. Ftz, M. Frankln, L. A. Levn, U. Maurer, and D. Metcalf In the followng protocol, let h v := n t v and h c := n t c, and for any predcate Q, let 0 k=1 Q := true. Note that the protocol s bnary. Thus the recurson n step 3 does not only branch n order of n (n 1 subcalls) but also n order log b snce l j {0,...,b 1} must be processed btwse. Protocol 3. TTBC(S, p s, x s, t v, t c ) 1. f n = b then y := BC b (S, p s, x s ) else (y, g,l ) := Pn b(p, p s, x s ) f; 2. f = s then y := x s ; return y f f t c = 0 b = n then return y f; 3. p j S\{p s }: l j := TTBC(S\{p s }, p j,l j, t v, t c 1) f; 4. l [0, b 1] : L [l] := {p j S\{p s } l j = l} ; 5. f l k=1 (L [k 1] + L [k] h c ) (L [0] h v 1) then 6. y := 0 else y := 1 7. f; return y Lemma 5. Consder Protocol 3 n model M b. If 2t v +(b 1)t c <(b 1)n and t c t v then the protocol acheves TTBC wth respect to thresholds t v and t c. Proof. The proof proceeds by backward nducton over n. Thus, assume that Protocol 3 acheves TTBC among n = n 1 players whenever 2t v + (b 1)t c <(b 1)n, and hence acheves TTBC for the specal case that n = n 1, t v = t v, and t c = t c 1. (Valdty) Assume that the sender p s s honest and that at most t v players are corrupted. If t c = 0orb = n then valdty s trvally satsfed (step 2) ths case consttutes the nducton base. Thus, assume that t c > 0 and b < n, and, by nducton, that the protocol acheves valdty wth respect to n = n 1, t v = t v, and t c = t c 1. Snce honest p s consstently dstrbutes the same value x s, every honest player p j computes l j = x s (b 1). By nducton assumpton, every honest player consstently receves ths value l j by the at least h v 1 remanng honest players n S\{p s } n step 3. If x s = 0 then every honest player p computes l = 0 and L [0] h v 1, and thus y = 0 = x s.ifx s = 1 then l = b 1 and L [b 1] h v 1. Thus, p computng y = 0 would mply that, addtonally, L [0] h v 1 and L [k] + L [k + 1] h c for k = 0,...,b 2, and thus that at least (2(h v 1) + (b 1)h c )/2 > n 1 = n players partcpated n step 3. Thus p must compute y = 1 = x s. (Consstency) Assume that at most t c players are corrupted. If t c = 0orb = n then consstency s trvally satsfed accordng to step 2. If the sender p s s honest then consstency follows from valdty (proven above) snce t v t c. Thus, assume that t c > 0, n > b, the sender p s s corrupted, and that, by nducton, the protocol acheves TTBC wth respect to n = n 1, t v = t v, and t c = t c 1. Snce the sender s corrupted, only t c = t c 1 corrupted players reman n S\{p s }, and are nvolved n step 3. Hence, by nducton, every nvocaton of the protocol n step 3 acheves consstency. Furthermore, snce t v t c, also valdty s acheved,.e., all nvocatons of the protocol n step 3 acheve broadcast. Ths mples that two honest players p and p j compute exactly the same sets L [0] = L j [0] =: L[0],..., L [b 1] = L j [b 1] =: L[b 1]. Let p be an honest player wth mnmal l-value,.e., such that for all other honest players p j : l l j. By the consstency property of Pn b, t holds that l j {l,l + 1}.

17 Byzantne Agreement Gven Partal Broadcast 207 We now show that all honest players p j compute y j = y.ifl j = l then both players have exactly the same vew and hence decde n the same way, y j = y. Thus, assume that l j = l + 1. If p computes y = 0 then l k=1 (L[k 1] + L[k] h c) (L[0] h v 1), and by the consstency property of Pn b t also holds that L[l ] + L[l + 1] h c. Hence, l +1 k=1 (L k 1 + L k h c ) (L [0] h v 1) and p j computes y j = 0 = y. If p computes y = 1 then ( l k=1 (L[k 1] + L[k] h c) (L[0] h v 1)), and thus ( l +1 k=1 (L[k 1] + L[k] h c) (L[0] h v 1)), and p j computes y j = 1 = y. Protocol 4. Broadcast(P, p s, x s ) 1. y := TTBC(P, p s, x s, n h, n h); 2. return y Theorem 4. In model M b, Protocol 4 acheves broadcast f 2n/h < b + 1. Its round complexty s R = mn(n h, n b) + 1 and ts bt complexty s polynomal n n for n b = O(1). Proof. Protocol 3 s nvoked wth parameters t v = t c = n h. Snce 2n/h < b + 1, t holds that 2t v +(b 1)t c = (b +1)(n h) = (b 1)n +(2n (b +1)h) <(b 1)n and thus that Protocol 3 acheves TTBC. That Protocol 4 acheves broadcast now follows from Defnton 5 and Lemma 5. Furthermore, f Protocol 1 s run wthout the effcent approxmaton technque gven n Protocol 2 then the round complexty s R = mn(n h, n b) + 1. Polynomal bt complexty for n b = O(1) follows from the effcency of Pn b and the fact that R n b + 1 = O(1). 5. The Protocol Along the Lnes of Dolev Strong For any number t of corrupted players, the broadcast protocol of Dolev and Strong [16] can be based on any authentcaton scheme wth transferablty k t +1, e.g., any dgtal sgnature scheme or the uncondtonal pseudo-sgnature scheme n [35]. The protocol then s as secure as the component authentcaton scheme. In ths secton we frst show that even the weaker assumpton of Pn 2(t+1) (or Pn 2(n h+1), respectvely) s suffcent for broadcast, by slghtly adaptng the Dolev Strong protocol to ths dfferent prmtve. We then gve an effcent constructon for Pn 2(n h+1) under the assumpton that 2n/h < b + 1, whch can then be plugged nto that broadcast protocol. The stepwse constructon of the fnal broadcast protocol s depcted n Fg. 3. Frst, BC b s transformed nto Pn b wth arbtrary reslence. How to acheve ths was already shown n Secton 3. Then Pn b s teratvely transformed nto P2(n h+1) n whch s possble f 2n/h < b + 1. Ths step s demonstrated n Secton 5.2. Fnally, Pn 2(n h+1) can be plugged nto our modfed Dolev Strong protocol whch we present n Secton 5.1.

18 208 J. Consdne, M. Ftz, M. Frankln, L. A. Levn, U. Maurer, and D. Metcalf Theorem 3 Secton 3 - BCb Any h Theorem 7 Theorem 5 Secton 5.2 Secton 5.1 Pn b - Pn - 2(n h+1) 2n=h < b +1 h Broadcast Fg. 3. Stepwse constructon of our broadcast protocol along the lnes of Dolev and Strong Pn 2(n h+1) Imples Broadcast We now show that (effcent) proxcast wth parameter k = 2(n h +1) mples (effcent) broadcast secure f 2n/h < b + 1. For ths, the Dolev Strong protocol (wth a small modfcaton n [34]) s executed usng proxcast nstead of sgnatures. Every player p P mantans a set A of accepted values that, at the end, s ether, {0}, {1}, or {0, 1}. Furthermore, every player p mantans two sets S [0] and S [1] that consst of elements n {1,...,n}. For ease of exposton, we parameterze the followng protocol by the number of corrupted players t = n h whereby k = 2(n h + 1) turns nto k = 2t + 2. Protocol 5. Broadcast(P, p s, x s ) The whole protocol proceeds for t + 1 phases. In a frst phase, p s ntates an nstance of Pn 2t+2 (P, p s, x s ) sendng x s, sends {s} to every other player over the parwse channels, computes y s := x s, and halts. Durng phases r = 1,...,t + 1, every player p ( s) performs the followng actons where, ntally, each A = : If any value v {0, 1} has been newly added to the set of accepted values A durng phase r 1 then p ntates an nstance of Pn 2t+2 2r (P, p,v)sendng v, and sends S [v] {} to everybody over the parwse channels. Suppose (v, S) s receved from any player p j such that v {0, 1} and the set S contans at least r dstnct values m ncludng s such that p receved value v wth grade t r + 1 from some nstance of Pn k ntated by p m. Then v s added to A, and S [v] := S. At the end of the protocol, every player p computes output y = 1fA ={1}, and y = 0 otherwse. Lemma 6. If all nstances Pn k (k 2t + 2) execute correctly then, n the standard parwse-channels model, Protocol 5 acheves broadcast for any number t < n of corrupted players. Let R 0, B 0, and C 0 be the round, bt, and computatonal complextes of Pn 2t+2. Then the respectve complextes of Protocol 5 are R (t +1)R 0, B = O(ntB 0 ), and C = Poly(nC 0 ). Proof. (Valdty) Assume that the sender p s s honest. Now, p accepts x s after the frst phase but never accepts the value 1 x s snce p s never ntates any nstance of the form P k n (P, p s, 1 x s ). Hence every honest player p decdes on y = x s. (Consstency) Assume players p and p j to be honest. We show that p and p j decde on the same value y = y j by showng that A = A j at the end of the protocol.

19 Byzantne Agreement Gven Partal Broadcast 209 Consder any value v A.Ifp adds v to A for the frst tme durng phaser [1 t], then there are r dstnct values of m (ncludng s) ns [v] such that p receved v wth grade t r +1 from some nstance of Pn k ntated by p m. Ths mples that p j receved v wth grade t r from the same r nstances of Pn k. Note that p wll ntate an nstance of Pn 2t+2 2(r+1) (P, p,v)n phase r +1, and p j wll receve ths nstance wth maxmum grade t r 1. Also note that p j wll receve (v, S [v] {}) from p n phase r + 1. Ths wll cause p j to accept v n phase r + 1, f he has not already done so. On the other hand, f p accepts v only durng phase t + 1 then some player sent hm (v, S) wth t +1 dstnct values of m (ncludng s)ns such that p receved v wth grade t r + 1 from some nstance of Pn k ntated by p m. One of those t + 1 dstnct values of m corresponds to an honest player who was convnced to accept v n an earler phase, and then sent convncng nformaton to all partes. Thus every honest player accepts v by the end of the protocol. (Complextes) The round complexty of Protocol 5 s R (t + 1)R 0, ts bt complexty s B = O(ntB 0 ), 6 and ts computatonal complexty s evdently polynomal n nc 0. Theorem 5. If 2n/h < b + 1 then P 2(n h+1) n allows for effcent broadcast. Proof. The theorem follows from Lemma Transformaton from P b n to P2(n h+1) n We now present an effcent transformaton from Pn b to P2(n h+1) n for the case that 2n/h < b + 1. The transformaton proceeds n a stepwse manner from Pn k to Pk+1 n. The basc step nvolves one nvocaton of Pn k and n nvocatons of Pb n. Snce the basc step nvolves Pn k only once, the fnal reducton wll be effcent Transformaton Idea In a frst round, an nstance of Pn k s executed wth the same sender as desgnated for the broadcast. In a second round, every player (ncludng the orgnal sender, for smplcty) dstrbutes hs result usng an nstance of Pn b. It s convenent to nterpret the ntal (bnary) Pn k wth respect to the alternatve defnton where each player p receves a level l {0,...,k 1} and the second (non-bnary) nstances Pn b wth respect to the orgnal defnton where each player p receves a value y {0,...,k 1} and a grade g {0,..., (b 1)/2 }. Thus, n the fnal protocol, each player p receves an ntal level l {0,...,k 1} and n further messages (one per player p j ) of the form (l j, g j ) where g j {0,..., (b 1)/2 } expressng that player p j clamed towards p to have receved (as a result of Pn k) level l j, and that p receved ths clam l j from p j wth grade g j. Based on ths nformaton, each player p fnally decdes on a new level L {0,...,k}. 6 We adopt the conventon that not ntatng Pn 2t+2 2r for any value v {0, 1} s done by ntatng Pn 2t+2 2r wth value v =. Thus, every player ntates a proxcast durng every phase.