Optimal Extension Protocols for Byzantine Broadcast and Agreement

Transcription

1 Optmal Extenson Protocols for Byzantne Broadcast and Agreement Chaya Ganesh 1 and Arpta Patra 2 1 Department of Computer Scence, New York Unversty ganesh@cs.nyu.edu 2 Department of Computer Scence & Automaton, Indan Insttute of Scence, Inda arpta@sc.ac.n Abstract The problem of Byzantne Broadcast (BB) and Byzantne Agreement (BA) are of nterest to both dstrbuted computng and cryptography communty. Extenson protocols for these prmtves have been ntroduced to handle long messages effcently at the cost of small number of sngle-bt broadcasts, referred to as seed broadcasts. The communcaton optmalty has remaned the most sought-after property of an extenson protocol n the lterature. In ths paper, we prortze both communcaton and round optmalty. A concrete protocol from an extenson protocol s obtaned by replacng the seed broadcasts wth a BB protocol for sngle bt. Towards buldng concrete protocols effcent both n terms of communcaton and round, we mnmze the seed round complexty of the extenson protocols, where ths measure refers to the number of rounds n whch seed broadcasts are nvoked n an extenson protocol. In a settng wth n partes and an adversary controllng at most t partes n Byzantne fashon, we present BB and BA extenson protocols wth t < n, t < n/2 and t < n/3 that are smultaneously optmal n terms of communcaton and round complexty. The best communcaton that an extenson protocol can acheve n any settng s O(ln) bts for a message of length l bts. The best achevable round complexty s O(n) for the settng t < n and O(1) n the other two settngs t < n/2 and t < n/3. The exstng constructons are ether optmal only n terms of communcaton complexty, or requre more rounds as well as seed rounds than our protocols, or acheve optmal round complexty at the cost of sub-optmal communcaton. Specfcally, we construct communcaton-optmal protocols n the followng three settngs wth the followng round and seed round complextes: t < n/3: Our protocol requres three rounds and a sngle seed round. The best known protocol n ths settng s only communcaton optmal and requres a round complexty and a seed round complexty of Ω(n 3 ). t < n/2: Our protocol provdes a round complexty of 5 and a seed round complexty of one. The best known protocol n ths settng requres a round complexty of 6 and a seed round complexty of 3. t < n: Our protocol has a round as well as a seed round complexty of O(n). The same complextes for the best known protocol n ths doman are O(n 2 ). The results of ths paper appeared n prelmnary form n [GP16] and [Pat11]. 1

2 1 Introducton In the Byzantne Broadcast (BB) problem, a desgnated party (called the sender) holds an nput message m, and the goal s for all partes to learn m and agree on t. In the related Byzantne Agreement (BA) problem, every party P holds a message m, and the goal s for all partes to agree on a common message. BB and BA are mportant prmtves used wdely n Mult-Party Computaton (MPC) and dstrbuted computng protocols n order to reach agreement on some messages. Most often, these hgher level protocols need agreement to be reached on longer messages rather than on sngle bts, whch can be prohbtvely expensve n terms of communcaton and round complexty. For nstance, n a settng wth n partes and an adversary controllng at most t partes n Byzantne fashon such that t < n, the best round complexty and communcaton complexty that can be acheved by a BB protocol for bt s Ω( n n t ) [GKKO07] and Ω(n2 ) [DS83] respectvely. The BB and BA extenson protocols 1 are ntroduced and studed out of the need for communcaton-effcent BB and BA protocols for long messages. The extenson protocols acheve agreement for long messages relyng on pont-to-pont communcatons and a small number of oracle access to a sngle-bt broadcast. Ths s conceptually smlar to Oblvous Transfer (OT) extenson [IKNP03] where a large number of OTs are obtaned at the cost of a small number of seed OTs and cheap symmetrc key operatons. We recall that OT [EGL85] s a fundamental buldng block of MPC t s a protocol between a sender and a recever where the sender wth two nputs (x 0, x 1 ) can transmt x σ to the recever wthout knowng σ, where σ s the choce bt of the recever. Followng the OT extenson lterature, we denote the sngle-bt broadcasts used n the BB and BA extenson protocols as seed broadcasts. Four mportant parameters of extenson protocols are: () communcaton complexty, () round complexty, () seed round complexty and (v) seed communcaton complexty. The communcaton complexty of a protocol [Yao79] s defned to be the number of bts sent/receved by the honest partes durng the protocol executon. Note that, only the bts that should be receved accordng to the protocol specfcaton are counted. The round complexty refers to the number of rounds taken by the protocol to termnate. In any specfc round, both pont-to-pont communcaton as well as seed broadcasts may be nvoked. The latter two complexty measures refer to the number of rounds n whch a seed broadcast s nvoked and to the number of bts sent va seed broadcasts. The seed round and seed communcaton complexty as parameters relate only to an extenson protocol whch uses sngle-bt broadcasts as oracle calls, whle the pror two complexty measures relate to a sngle-bt BB protocol, to an extenson protocol, or to a concrete extenson protocol that s derved from an extenson protocol by replacng the seed broadcasts wth a sngle-bt BB protocol. 1.1 Byzantne Broadcast (BB) and Agreement (BA) BB and BA have been studed n two settngs: wth or wthout a trusted set-up assumpton. In the model where no set-up s assumed, error-free (determnstc) and nformaton-theoretc BA as well as BB s achevable f and only f the number of corrupt partes t s at most t < n/3 where n s the total number of partes [PSL80, CW92, BGP92]. The bound cannot be mproved wth the help of cryptography or randomzaton [KY86]. In the model where there s a set-up among the partes, BA s achevable for t < n/2 and BB s achevable for t < n both cryptographcally [DS83] and nformaton theoretcally [PW96]. The popular set-up assumpton s a publc-key nfrastructure 1 In the lterature, they are known as mult-valued protocols. 2

3 (PKI) set-up among n partes. By a PKI set-up among n partes, we mean the followng: All partes hold a set of n publc keys for a sgnature scheme where the th key corresponds to the th party. Every honest party holds the honestly-generated secret key assocated wth ts own publc key. The corrupted partes may generate ther keys arbtrarly. The PKI set-up has been consdered n two varants- () nformaton-theoretc: a PKI set-up for an nformaton-theoretcally secure pseudo-sgnature scheme [PW96], and () cryptographc or computatonal: a PKI set-up for a cryptographcally secure unforgeable dgtal sgnature scheme [DS83]. The semnal result of [DR85] shows that any BB or BA protocol must communcate Ω(n 2 ) bts. Snce the message s at least a sngle bt, the lower bound on the communcaton complexty for sngle bt s Ω(n 2 ) bts. In many dstrbuted computng applcatons, lke reachng agreement on a large fle n fault-tolerant dstrbuted storage system, dstrbuted votng where ballots contanng ggabytes of data s to be handled [CGS97], MPC [GMW87] where many broadcasts and agreements are nvoked, there s an nherent need for dealng wth long messages for BB and BA protocols. One could, of course, broadcast a long message by ust broadcastng the message bt-by-bt usng a sngle-bt broadcast protocol. Whle ths trval approach requres Ω(ln 2 ) bts of communcaton (followng the lower bound of [DR85]), there are extenson protocols that are specfcally desgned to handle long messages to beat the communcaton complexty of the trval approach. In what follows, we summarze the results on extenson protocols. 1.2 Extenson Protocols Extenson protocols for BB and BA are constructons for long messages, bult from sngle-bt seed broadcasts and pont-to-pont communcatons. Hstorcally, ganng communcaton effcency motvated the study of such protocols. In any BB extenson protocol, snce each honest party must learn the message, a correct protocol wll ncur a communcaton complexty of at least O(ln) where l s the message length. The same lower bound on the communcaton complexty holds for BA extenson [FH06]. It s now well known how to acheve communcaton optmalty n the settng of t < n/3 [LV11], t < n/2 [FH06] and t < n [HR14]. In fact, except the frst extenson protocol of [TC84], the remanng protocols n the lterature [FH06, LV11, PR11, PR, HR14] acheve communcaton optmalty. Whle t s known how to acheve optmal communcaton complexty n all the settngs, the round and the seed round complexty have not been explored much. In some scenaros the latency assocated wth the communcaton rounds can be a huge bottleneck. The round complexty drectly mpacts the round effcency of concrete extenson protocols that are derved from extenson protocols by replacng the seed broadcasts wth sngle-bt BB protocols. Studyng seed round complexty of extenson protocols has more than one motvaton. On one hand, ths measure drectly mpacts the round complexty of concrete extenson protocols. On the other hand, fewer seed rounds help avod any compostonal ssues that arse from many sequental calls to the sngle-bt broadcasts. When an outer protocol uses multple nvocatons of a broadcast oracle where the oracle s nstantated by a probablstc protocol, several ssues related to composton of the sub-protocols arse [KK06]. If an extenson protocol has the best possble seed round complexty of 1, then there s only one nvocaton, and we may thus bypass the composton ssues. The mpact of the seed round complexty on the round complexty of concrete extenson protocols are ustfed by the large round complexty and compostonal ssues of the sngle-bt broadcast protocols as stated next. Any determnstc BB (and BA) protocol necessarly requres (t + 1) rounds [LF82, DR85]. Usng randomzaton, the bound can be made constant n the honest maorty settng [FM97, KK06]. But 3

4 the round complexty s obtaned n expected terms, and mportantly, the constants are rather hgh for many practcal purposes [KK06]. Specfcally, the expected round complexty of the BB protocols of [KK06] n the t < n/3 settng s 23. If there are multple sequental calls to the BB protocol, then, except the frst call whch takes expected 23 rounds, each addtonal call wll cost expected 49 rounds. The correspondng fgures n the honest maorty settng of t < n/2 are 56 and 89. The use of randomzaton does not help much n the dshonest maorty settng whch s consdered to be the most practcal settng. The proven lower bound on the round complexty for a BB protocol for bt s Ω( n n t ) [GKKO07]. The best known upper bound presented n [GKKO07] acheves expected O(k 2 ) round complexty when t n/2 + k. The followng results comprse the state-of-the-art of extenson protocols n terms of round and seed round complexty. The proven lower bound on the round complexty of an extenson protocol s Ω(n) for the settng t < n [HR14] and constant when t < n/2 [FH06]. The communcaton-optmal extenson protocol of [HR14] for t < n has a round complexty of O(n 2 ) whch s non-optmal. The round complexty of the communcaton optmal extenson protocol of [LV11] for t < n/3 s far from optmal. Namely, the round complexty of [LV11] s O( l + n 2 ) and t translates to Ω(n 3 ) as l = Ω(n 6 ). The exstng extenson protocols have more than one round seed rounds. The protocol of [HR14] for t < n has a seed round complexty of O(n 2 ). The protocol of [FH06] for the t < n/2 case has a seed round complexty of 3. The protocol of [LV11] for the t < n/3 case has a seed round complexty of O( l + n 2 ) whch translates to O(n 3 ) when l = Ω(n 6 ). None of the exstng protocols acheve the best possble seed round complexty of one wthout trvally replacng the seed broadcasts wth sngle-bt broadcast protocols. We pont out that whle the naïve protocol of broadcastng btby-bt has a seed round complexty of 0, t does not acheve optmal communcaton complexty. The noton of seed round complexty s nterestng when consdered n conuncton wth optmal communcaton complexty. In summary, whle communcaton-optmal extenson protocols have been well-studed n the lterature, there are few examples of extenson protocols that prortze both communcaton and round optmalty. Snce the round complexty of a concrete protocol depends on the seed round complexty and round complexty of the extenson protocol, the focus of ths paper s to study and construct extenson protocols that are optmal n communcaton and round complextes, along wth mnmal usage of seed rounds. 1.3 Our Results We study BA and BB extenson protocols wth t < n, t < n/2 and t < n/3, and present protocols that are smultaneously communcaton and round optmal. The exstng constructons are ether optmal only n terms of communcaton complexty, or requre more rounds as well as seed rounds than our protocols, or acheve optmal round complexty by gvng up on optmal communcaton. All our constructons acheve O(ln) bts of communcaton, and are thus communcaton optmal (for dfferent bounds on l). Ther round and seed round complextes are as dscussed below. t < n/3: Our protocol provdes a round complexty of 3 and seed round complexty of 1. Both the round and seed round complexty of the best known communcaton-optmal extenson protocol n ths settng [LV11] s O( l+n 2 ). Snce l = Ω(n 6 ) n ther protocol, the complexty translates to Ω(n 3 ). t < n/2: Our protocol provdes a round complexty of 5 and seed round complexty of 1. The best known extenson protocol that s communcaton-optmal, has a round complexty of 6 4

5 and a seed round complexty of 3 [FH06]. t < n: Our protocol has a round complexty and a seed round complexty of O(n). Our protocol beats the communcaton optmal extenson protocol of [HR14] by a factor of Ω(n) n terms of both round as well as seed round complextes. The constructon wth t < n/3 s error-free and nformaton-theoretcally secure. The latter mples that the protocol guarantees hold even n the face of a computatonally unbounded adversary. The protocols n the other two settngs are cryptographcally secure assumng a collson resstant hash functon. Cryptographc securty guarantees that the securty of the protocols hold aganst polynomally bounded adversares. Our contrbutons put n context of other results are summarzed n Table 1. We use κ to denote the cryptographc (statstcal, respectvely) securty parameter for the cryptographc (nformaton-theoretc, respectvely) prmtves..t denotes nformaton-theoretc and crypto denotes cryptographc securty. Let B(l) denote the communcaton complexty of broadcastng an l-bt message. Table 1: BB and BA Extenson Protocols. Threshold Securty Communcaton Round Seed Round Reference Complexty ( Complexty Complexty.t O ln + (n t < n/3 2 ) l + n 4 )B(1) O( l + n 2 ) O( l + n 2 ) [LV11].t O ( ln + n 2 B(1) ) 3 1 Ths paper.t O ( ln + n t < n/2 3 κ + (n 2 + nκ)b(1) ) 6 3 [FH06] crypto O ( ln + n 3 κ + nκb(1) ) 5 1 Ths paper.t O ( ln + (n 4 + n 3 κ)b(1) ) O(n 3 ) O(n 3 ) [HR14] crypto O ( ln + (n t < n 2 + nκ)b(1) ) O(n 2 ) O(n 2 ) [HR14] crypto O ( ln + (nκ + n 3 log n)b(1) ) O(n) O(n) Ths paper A trval constructon to broadcast a long message s to broadcast bt-by-bt usng a snglebt broadcast protocol, ncurrng a communcaton complexty of lb(1) for an l-bt message. In Table 2, we lst the complextes of the sngle-bt broadcast protocols when used to broadcast a l-bt message n varous settngs. Table 2: BB protocols for bt. Threshold Securty Communcaton Round Reference Complexty Complexty.t Ω(ln 2 ) O(n) [BGP92, CW92] t < n/3.t O ( ln 4 + n 6 (κ + log n) ) 23 (expected) for one call [KK06] c (expected) for 1 + c calls crypto /.t O ( ln t < n/2 + n 6 (κ + log n) ) 56 (expected) for one call, [KK06] c (expected) for 1 + c calls.t Ω ( ln t < n + n 6 κ ) O(n) [PW96] crypto Ω ( ln 2 + n 3 κ ) O(n) [DS83] t n/2 + k crypto O ( l(n 2 k 2 + n 3 ) + n 6 (κ + log n) ) O(k 2 )(expected) [GKKO07] The complexty costs of concrete extenson protocols are summarzed and compared wth other protocols n Table 3. A concrete protocol nherts the assumptons from ts underlyng mplementaton of seed broadcasts, for example, a PKI when nstantated wth [DS83]. The concrete protocols 5

6 resultng from our extenson protocol for t < n/3 needs no setup assumpton when nstantated wth sngle-bt broadcasts wth t < n/3. On the other hand, the concrete protocols resulted from the other two extenson protocols requre setup assumpton, namely PKI. The securty of a concrete protocol s the mnmal securty provded by the sngle-bt BB protocol and the extenson protocol. Namely, the concrete protocol wll be nformaton-theoretcally secure f and only f both the snglebt BB and the extenson protocol are nformaton-theoretc. Otherwse, t wll be cryptographcally secure. The round complexty of concrete protocols n Table 3 s gven by O (R + (s r)), where R s the round complexty of the extenson protocol, s s the seed round complexty of the extenson protocol, and r s the round complexty of the sngle-bt broadcast protocol used to nstantate the seed broadcasts. Table 3: Concrete BB and BA protocols for l-bt messages. Threshold Securty Communcaton Total Round Instantaton Complexty Complexty.t O(ln + n 4 l + n 6 ) O(n l + n 3 ) [LV11] wth [BGP92, CW92].t O(ln + n t < n/3 ( 4 ) O(n) Ths paper wth [BGP92, CW92].t O ln + n 6 ( ) l + κ + n 2 ) O( l + n 2 ) [LV11] wth [KK06] t < n/2 t < n t n/2 + k.t O ( ln + n 6 (κ + log n) ) 25(expected) Ths paper wth [KK06].t O ( ln + n 7 κ ) O(n) [FH06] wth [PW96] crypto O ( ln + n 4 (n + κ) ) O(n) [FH06] wth [DS83] crypto /.t O ( ln + n 7 κ(κ + log n) ) 237 (expected) [FH06] wth [KK06] crypto O ( ln + n 4 κ ) O(n) Ths paper wth [DS83] crypto O ( ln + n 7 κ(κ + log n) ) 60 (expected) Ths paper wth [KK06].t O ( ln + n 10 κ ) O(n 4 ) [HR14] wth [PW96] crypto O ( ln + n 5 κ ) O(n 3 ) [HR14] wth [DS83] crypto O ( ln + n 6 κ log n ) O(n 2 ) Ths paper wth [DS83] crypto O ( ln + n 7 κ(κ + log n) ) O(n 2 k 2 )(expected) [HR14] wth [GKKO07] crypto O ( ln + (n 3 k 2 κ + n 9 log n)(κ + log n) ) O(nk 2 )(expected) Ths paper wth [GKKO07] As seen from Table 3, our protocol n t < n/3 settng leads to the the frst nstantaton wthout set-up assumpton that provdes optmal communcaton complexty and constant round complexty after replacng the seed broadcasts wth the sngle-bt broadcast protocol of [KK06]. In the t < n settng, our protocol leads to the frst nstantaton n dshonest maorty settng wth optmal communcaton complexty and round complexty of O(n) after replacng the seed broadcasts wth the protocol of [GKKO07] for some values of k (e.g. when t n/2 + k and k s a constant). Our protocol for t < n could only attan a seed round complexty of O(n). Desgnng protocols for t < n that acheve a seed round complexty of one whle preservng communcaton and round optmalty s left as an nterestng open queston. 1.4 Organzaton In Secton 2, we dscuss the model and defntons of BB and BA protocols. Our results for t < n/3, t < n/2 and t < n appear n Secton 3, Secton 5 and Secton 6 respectvely. We summarze and conclude wth questons for further work n Secton 7. 6

7 2 Models and Defntons We work n the standard pont-to-pont network where the set of partes P = {P 1,..., P n } are connected by parwse authentcated channels and communcate n synchronous rounds. The faultness of the partes s modeled n terms of a monolthc adversary A corruptng t out of the n partes n Byzantne fason. A can make the corrupted partes devate from the protocol n any desred manner. The partes who are not under the control of A are referred to as honest. We dstngush between cryptographc securty and nformaton-theoretc securty. Informaton-theoretc securty guarantees that the securty propertes of the protocol hold even n the presence of a computatonally unbounded adversary. When the adversary s bounded, we wrte PPT to denote a probablstc polynomal-tme algorthm. We now recall some defntons. Defnton 2.1 (Byzantne Broadcast). A protocol for a set of partes P = {P 1,, P n }, where a dstngushed party called the sender, P s P holds an ntal nput m, m = l, s a broadcast protocol toleratng A, f the followng propertes are satsfed: Agreement. All the honest partes output the same value. Valdty. If the sender s honest, all honest partes output the value m. defnton Defnton 2.2 (Byzantne Agreement). A protocol for a set of partes P = {P 1,, P n }, where each party P P holds an ntal nput m ( m = l) s a Byzantne Agreement protocol toleratng A, f the followng propertes are satsfed: Agreement. All the honest partes output the same value. Valdty. If every honest party P hold the same message m = m, then all honest partes output the value m. In t < n settng, only BB s possble and so we desgn a BB extenson protocol. In the honest maorty settngs (that ncludes t < n/2 and t < n/3), a BB protocol can be obtaned by makng one call to a BA protocol plus O(ln) bts of communcaton over pont-to-pont channels, where l s the length of the message. Therefore, we desgn a BA extenson protocol wth varous optmal complexty measures. Ths mples a BB protocol wth the optmal complextes n the honest maorty settngs. Our protocols n settngs t < n and t < n/2 (where set-up assumpton s requred) are cryptographcally secure toleratng any polynomally bounded adversary A. Cryptographc or computatonal securty guarantees that the protocol s secure based on some computatonal assumptons. Our protocols rely on a cryptographc collson-resstant hash functon Hash. Collson resstance property guarantees that t s hard for a polynomally bounded adversary to come up wth two premages of Hash that hash to the same value. Formal defnton of collson-resstant hash functons s provded below. Defnton 2.3 (Collson Resstant Hash Functons). A famly of functons {Hash k } k I s a collson resstant hash functon famly f the followng condtons hold: 1. Effcent Samplng. There exsts a PPT algorthm Gen that outputs an ndex s from the ndex set I gven a securty parameter κ, s Gen(1 κ ). 2. Compresson. The functon Hash s maps nputs of length n to outputs of length m such that m < n. 7

8 3. Easy to compute. There exsts a PPT algorthm that takes an ndex s, an nput x {0, 1} n and computes y = Hash s (x). 4. Collson resstance. For every PPT algorthm B, Pr[Hash s (x) = Hash s (x ), x x x, x B(s), s Gen(1 κ )] = negl(κ). A set-up assumpton s needed n the settng t n/3 for nstantatng the seed broadcasts. Hence, our concrete extenson protocols (after nstantaton of the oracle) are secure assumng PKI and a collson-resstant hash functon. On the other hand, our protocol n the t < n/3 s nformaton-theoretcally secure. The securty analyss of our protocol s for a statc adversary that corrupts partes at the begnnng of the protocol. 3 Extenson Protocols for t < n/3 In ths secton, we present an error-free and nformaton-theoretc BA and BB extenson protocol for the t < n/3 settng wth: () communcaton complexty: O(ln) bts, () round complexty: 3 and () seed round complexty: 1. We descrbe an extenson protocol for BA. A BB extenson protocol wth the same complexty as that of the BA protocol can be acheved by lettng the sender send the message to all the partes and then runnng a BA to reach agreement. Ths s the standard reducton n synchronous settngs from BA to BB [Lyn96]. Our protocol reles on technques from codng theory and graph theory. Specfcally, as techncal tools, the protocol uses lnear error correctng codes (e.g. Reed-Solomon Code) and a graph theoretc algorthm for fndng some specal structure ((n, t)-star) n an undrected graph. Our approach dffers from all exstng constructons n ths settng whch are constructed n playerelmnaton [HMP00] or dspute-control [BH06] framework. We start wth a bref presentaton of the tools that we use: (a) An algorthm for fndng a graphcal structure called (n, t)-star n an undrected graph; (b) Lnear Error Correctng Code. 3.1 Buldng Blocks Fndng (n, t)-star n an Undrected Graph. We now descrbe an exstng soluton for a graph theoretc problem, called fndng (n, t)-star n an undrected graph G = (V, E). Let G be an undrected graph wth the n partes n P as ts vertex set. A par (C, D) of sets wth C D P s an (n, t)-star [Can96, BOCG93] n G, f: () C n 2t; () D n t; () for every P C and every P k D the edge (P, P k ) exsts n G. Followng the dea of [GJ79], n [BOCG93], the authors presented an elegant and effcent algorthm for fndng an (n, t)-star n a graph of n nodes, provded that the graph contans a clque of sze n t. The algorthm, called STAR takes the complementary graph G of G as nput and tres to fnd (n, t)-star n G, where (n, t)-star s a par (C, D) of sets wth C D P, satsfyng the followng condtons: (a) C n 2t; (b) D n t; (c) There are no edges between the nodes n C and nodes n C D n G. Clearly, a par (C, D) representng an (n, t)-star n G, s an (n, t)-star n G. STAR outputs ether an (n, t)-star, or a message nostar. Whenever the nput graph G contans an ndependent set of sze n t, STAR always outputs an (n, t)-star. For smplcty of notaton, we denote G by H. The algorthm STAR s presented n Fgure 1. We nstantate the algorthm for fndng maxmum matchng n a general graph wth a determnstc algorthm (lke [Blu90]) and obtan a determnstc algorthm for fndng star. 8

9 Algorthm STAR Input: An undrected graph H. Algorthm Requred: An algorthm for the maxmum matchng problem on general graphs. 1. Fnd a maxmum matchng M n H. Let N be the set of matched nodes (namely, the endponts of the edges n M), and let N = P \ N. 2. Compute output as follows: (a) Let T = {P N P, P k s.t (P, P k ) M and (P, P ), (P, P k ) E}. T s called the set of trangle-heads. Let C = N \ T. (b) Let B be the set of matched nodes that have neghbors n C. So B = {P N P C s. t. (P, P ) E}. Let D = P \ B. (c) If C n 2t and D n t, output (C, D). Otherwse, output nostar. Fgure 1: Algorthm for Fndng (n, t)-star. Lnear Error Correctng Code. We use Reed-Solomon (RS) codes [RS60] n our protocols. We consder an (n, t + 1) RS code n Galos Feld F = GF (2 c ), where n 2 c. Each element of F s represented by c bts. An (n, t + 1) RS code encodes t + 1 elements of F nto a codeword consstng of n elements from F. We denote the encodng functon as ENC() and the correspondng decodng functon as DEC(). Let m 0, m 1,..., m t be the nput to ENC. Then ENC computes a codeword of length n, (s 1,..., s n ) as follows. It frst constructs a polynomal of degree-t, f(x) = m 0 + m 1 x m t x t and then computes s = f(). We use the followng syntax for ENC: (s 1, s 2,..., s n ) = ENC(m 0, m 1,..., m t ). Each element of the codeword s computed as a lnear combnaton of the t + 1 nput message elements, such that every subset of (t + 1) elements from the codeword unquely determne the nput message elements. Smlarly, knowledge of any t + 1 elements from the codeword suffces to determne the remanng elements of the codeword. The decodng functon DEC can be appled as long as t + 1 elements from a codeword are avalable. A RS code s capable of error correcton and detecton. The task of error correcton s to fnd the error locatons and error values n a receved vector. On the other hand, error detecton means an ndcaton that errors have occurred, wthout attemptng to correct them. We wll be concerned wth Byzantne errors whch are errors that are adversaral n nature. That s, c Byzantne errors means c elements of the codeword are arbtrarly changed. We recall the followng well known result from codng theory [MS78]. DEC can correct up to c Byzantne errors and smultaneously detect up to addtonal d Byzantne errors n a vector of length N (where N n) f and only f N t 1 2c + d. In our protocols, we nvoke DEC on a vector of length N n wth specfc value of c and d. If c, d and N satsfy the above relaton, then DEC returns the correct data elements correspondng to the vector. Otherwse, DEC returns falure. 9

10 3.2 The BA Protocol Wth the above tools, we are ready to present our BA extenson protocol. Each party P wth message m contanng l bts dstrbutes the codeword of ts message among the partes. Each party verfes the part of the codeword receved from other partes aganst ts codeword and announces the outcome n publc. The publc responses are turned nto a consstency graph. Then a specal structure n the graph that mples exstence of an honest maorty set holdng the same message s looked for. Namely, the specal structure s a quadruple (C, D, F, E) such that (C, D) s an (n, t)-star, F 2t + 1 and every party n F has at least t + 1 neghbors n C, E 2t + 1 and every party n E has at least 2t + 1 neghbors n F. The novelty then les n provng that the honest partes n E hold the same message. The partes then rely on the error correcton and detecton of the RS code to compute and agree on the common message of the partes n E. If such a set E does not exst, all honest partes agree on some pre-determned message. The extenson protocol s presented n Fgure 2. The sm n our notaton P sm stands for same message. Lemma 3.1. The honest partes n P sm hold same message of length l. Proof. The set P sm s the E component of a quadruple (C, D, F, E). We start wth provng that the honest partes n C hold the same message of length l. We recall that D contans at least t+1 honest partes and every P C s neghbor of every party n D. Let {P 1,..., P α } be the set of α honest partes n D, where α t + 1. Then for every P n C, s k s same as s k k of all k {1,..., α}. Therefore the codewords correspondng to the messages of the honest partes n C are same at least at t + 1 locatons correspondng to the denttes of the honest partes n D. Snce the codewords belong to (n, t + 1) RS code, the messages of the honest partes n C are same. Let the common message be m, m = l. Let (s 1,..., s n ) = ENC(m 0, m 1,..., m t ), where m = m 0 m 1..., m t. Now we show that every honest party P F holds s. Recall that P has at least t + 1 neghbors n C n whch at least one s honest, say P. Ths mples that s of P s same as s of P. However, s = s, snce P holds m. Hence s = s. Therefore every honest P n F holds s whch s same as s. Fnally, we show that every honest P E holds m. Recall that P has at least 2t + 1 neghbors n F n whch at least t + 1 are honest. Let {P 1,..., P α } be the set of α honest partes n F, where α t + 1. Then s k of P s same as s k k of every honest P k for k {1,..., α}. Now s k k of P k s same as s k. Therefore the codeword correspondng to the message of P E matches wth (s 1,..., s n ) at least at t + 1 locatons correspondng to the denttes of the honest partes n F. Ths mples the codeword of P s dentcal to (s 1,..., s n ), snce they belong to (n, t + 1) RS code. Hence P E holds m. Lemma 3.2. If all honest partes start wth same nput m, then all the partes wll agree on P sm where P sm 2t + 1. Proof. All honest partes start wth the same nput m. Therefore, all honest partes generate the same codeword, (s 1,..., s n ) = ENC(m 0,..., m t ), such that m = m 0 m 1... m t. Ths means that there wll be an edge between every par of honest partes. In other words, the edges n the complementary graph wll be ether (a) between an honest and a corrupted party OR (b) between two corrupted partes. Ths mples that there wll be a clque of sze at least 2t + 1 eventually. Ths guarantees the exstence of (n, t)-star n G for an honest P, and the C component of an (n, t)-star wll contan at least t + 1 honest partes. Subsequently, the F and E components wll be of sze at least 2t + 1. In ths case t s guaranteed that all honest partes fnd the same quadruple (C, D, F, E) (here we rely 10

11 Protocol ( n 3 )-BA Input of every P : An l-bt message m. Oracle: Broadcast oracle for bts. Every party P does the followng: 1. Dvde the l-bt message m nto t + 1 blocks, m 0,..., m t, each contanng l t+1 bts. Compute (s 1,..., s n ) = ENC(m 0,..., m t ). Send s to every party. Send s to P for = [1, n]. 2. Construct a bnary vector v of length n. Assgn v [] = 1, f s = s and s = s where s and s are receved from P. Otherwse assgn v [] = 0. Broadcast v. 3. Construct graph G usng partes n P as the vertces. Add edge (P, P k ) f v [k] = 1 and v k [] = 1. Invoke STAR (G) and contnue as follows. (a) If (C, D) s returned by STAR, then fnd F as the set of partes who have at least t+1 neghbours n C n graph G. Fnd E as the set of partes who have at least 2t+1 neghbours n F n graph G. If F 2t + 1 and E 2t + 1, then set P sm = E. Otherwse, agree on some predefned message m of length l and abort. (b) If nostar s returned, then agree on some predefned message m of length l and abort. 4. Assgn s to be the value s receved from the maorty of the partes n P sm. Send s to every party. 5. Let (s 1,..., s n ) be the vector where s s receved from P. Apply DEC on (s 1,..., s n ) wth c = t and d = 0. Let m 0, m 1,..., m t be the data returned by DEC. Output m = m 0... m t. Fgure 2: Error-free BA extenson protocol n t < n/3 settng. on the determnsm of STAR algorthm), and wll never agree on predefned m. From the same quadruple, all honest partes wll reach agreement on P sm. Lemma 3.3. If P sm s agreed, all honest partes output the common message of the partes n P sm. Proof. By Lemma 3.1, all honest partes n P sm hold the same message, say m. Ths means they hold the same codeword (s 1,..., s n ) = ENC(m 0, m 1,..., m t ), where m = m 0 m 1..., m t. Then every honest P n P sm already holds s, the th element n the codeword. Now every party P wll receve s correctly as maorty of the partes n P sm are honest and they wll send s to P. Once every honest P holds correct s, he sends that to everybody. Therefore a party wll receve n values from n partes n whch at most t can be wrong (sent by Byzantne corrupted party). However, 11

12 DEC of (n, t + 1) RS code wth n = 3t + 1 allows to correct t errors. Therefore DEC wll return m 0,..., m t such that m = m 0... m t. Theorem 3.1. The protocol ( n 3 )-BA satsfes: Agreement: Every honest party wll output the same message. Valdty: If every honest party P holds the same message m = m, then all honest partes output m. Complexty: The protocol has a round complexty of 3, seed round complexty of 1, communcaton complexty of O ( ln + n 2 B(1) ) bts and a seed communcaton complexty of O(n 2 ) bts. Proof. Agreement: If P sm s agreed, then all honest partes output the common message of the partes n P sm (by Lemma 3.3). If P sm s not agreed, then all honest partes agree on predefned m. Hence, agreement s acheved. Valdty: If all the honest partes start wth same m, then by Lemma 3.2, they agree on P sm and output m (by Lemma 3.3). l t+1 bts Complexty: Every P sends two values s and s to every other party P. The values are long each. Therefore n total there are l t+1 O(n2 ) = O(nl) bts of communcaton. Every party P broadcasts n-length bnary vector v. Ths leads to total O(n 2 ) nstances of broadcast for sngle bt. So the communcaton complexty s O(ln + n 2 B(1)) and the seed communcaton complexty s O(n 2 ). The communcaton takes place n steps 1, 2 and 4 of ( n 3 )-BA wth step 2 nvokng bt broadcast protocol. So the round and the seed round complexty of ( n 3 )-BA are 3 and 1 respectvely. 4 Extenson Protocols wth Set-up Assumpton In ths secton, we present two extenson protocols wth set-up assumpton n the settng of dshonest maorty (.e. t < n) and honest maorty (.e. t < n/2) respectvely. 5 Byzantne Agreement Extenson for t < n/2 We present a BA extenson protocol for l bt message n the honest maorty settng wth: () communcaton complexty: O(ln) bts, () round complexty: 5 and () seed round complexty: 1. Gven a protocol for BA, a BB protocol can be constructed usng the same folklore transformaton mentoned n the prevous secton [Lyn96]. At a hgh level, our BA protocol closely follows the protocol of [FH06] (wll be referred as FH protocol from now onwards) wth the man dfference beng the seed round complexty. Whle [FH06] requres three seed rounds, our protocol requres ust one round of seed broadcast. A closer look wll reveal that t s non-trval to reduce the number of seed rounds n [FH06]. The FH protocol proceeds n three phases, where each phase brngs the partes closer to agreement. The protocol may be aborted n the frst two phases when some nconsstency s detected. In that case, the partes wll output. However, f the partes reach the thrd phase, agreement wll be reached wthout any abort. In each of the frst two phases, the partes must agree on whether to abort or 12

13 to contnue to the next phase. Otherwse the BA protocol wll have no agreement property. Ths calls for at least two seed rounds (one n each of the frst two phases). FH protocol requres three seed rounds, one n the frst phase and the other two n the second phase. Thus far, there s no known nformaton-theoretc BA extenson wth optmal communcaton complexty and one seed round n the honest maorty settng. In ths paper, we propose a cryptographcally secure protocol and leave open the desgn of an nformaton-theoretc protocol wth the same complexty. Our protocol proceeds n two phases. The frst phase denoted as the checkng phase s smlar to the frst phase of the FH protocol. The partes check f there are at least n t partes who hold the same message, denoted as P sm (sm stands for same message ). If such a set does not exst, the partes output and termnate the protocol. Ths phase conssts of a sngle round and uses broadcast to reach agreement on P sm f t exsts or on when no such set exsts. The communcaton nvolves broadcastng the hashes of the ndvdual party s messages and so the communcaton complexty remans ndependent of the message sze. The second phase denoted as the agreement phase s ntated when the partes have agreed on P sm. Here, the partes who are not n P sm wll obtan the common message held by the honest partes n P sm. The dea s to come up wth a set P hmsm where the messages held by the honest partes n P hmsm and P sm are the same. Furthermore, P hmsm s guaranteed to have honest maorty (hmsm stands for honest maorty same message ). Now the honest partes n P hmsm can together transfer ther common message to a party wth ust O(l) communcaton complexty usng a smple yet clever technque suggested n [FH06]. Lastly, snce ths phase does not use any broadcast, the honest partes outsde P sm may have dfferent P hmsm sets. But for each such set, the honest maorty wll be guaranteed and thus the technque wll work wthout any problem. The complete detals of the protocol are presented n Fgure 3. We now proceed to the proofs. Lemma 5.1. The checkng phase satsfes the followng three propertes: (a) If all the honest partes P start wth the same message m = m, then the honest partes do not abort and output the same set P sm. Moreover, every honest P wll belong to P sm. (b) All honest partes n P sm hold the same nput message m = m wth very hgh probablty. Proof. (a) If all the honest partes hold the same message m, then all honest partes broadcast h = Hash(m). Snce there are n t honest partes and all of them wll broadcast a common hash value h, there wll be a set of sze at least n t partes whose broadcasted hash values wll be the same. So the set P sm wll exst and the honest partes wll not abort the checkng phase. Snce the hash values are broadcasted, all the honest partes wll output the same and unque P sm. The unqueness of the agreed set P sm s argued as follows. There cannot be two sets of sze n t partes such that one set broadcasts h and the other set broadcast h wth h h. If two such sets exst, t mples that one party has broadcasted both h and h. But snce every party broadcasts one hash value, the set P sm s unque and ncludes all the partes who broadcast h. Clearly the set P sm wll nclude all the honest partes. (b) If two honest partes P and P n P sm hold two dfferent messages m m, then by the collson resstance of the hash functon, Hash(m ) Hash(m ) wth hgh probablty and therefore both P and P cannot belong to P sm. Hence all honest partes n P sm hold the same message. 13

14 ( n 2 )-BA Input of every P : An l-bt message m. Oracle: Broadcast oracle for bts. Cryptographc Assumpton: A collson resstant hash functon Hash. Checkng Phase. Every party P does the followng: 1. Compute a hash of the message m as h = Hash(m ) and broadcast h. 2. Check f at least n t broadcasted hashes are equal. If no n t broadcasted hashes are equal, output o = and termnate. Otherwse, let h denote the common hash value broadcasted by at least n t partes. Then form P sm as the set of partes broadcastng h. Agreement Phase. Every party P does the followng 1. If P P sm, set output message o = m. 2. Form an nectve functon from P \P sm to P sm, by say, mappng the party wth the smallest ndex n P \ P sm to the party wth the smallest ndex n P sm.e. φ : P \ P sm P sm. 3. If P P sm and P = φ(p ), then send o to P. 4. If P P \ P sm and receved a value say, o from P P sm n the prevous round such that P = φ(p ), then check f Hash(o ) = h. If the test passes, set happy = 1 and assgn output message o = o, else set happy = 0. Send happy to all partes n P. 5. If P P \ P sm and happy = 0, then construct a set P conflct consstng of the partes P, φ(p ) such that happy receved from P n the prevous step s 0 and P belongs to P \ P sm. Set P hmsm = P \ P conflct, d = ( P hmsm + 1)/2 and send d to all the partes belongng to P hmsm and nothng to all the others. 6. If d s receved from P P \ P sm, Transform the message o nto a polynomal over GF (2 c ), for c = l + 1/d denoted by f wth degree d 1. Compute the c-bt pece y = f (), H = (Hash(f (1)),, Hash(f (n))) and sends (y, H ) to P. 7. If P P \ P sm and happy = 0, check each pece y receved from each P P hmsm aganst the th entry of every hash value vector H k receved from P k Phmsm. If at least d of the hash values match a pece y, then accept y, otherwse reect t. Interpolate the polynomal f from the d accepted peces y, and compute the message m correspondng to the polynomal f. Set o = m. 8. Output o and termnate. Fgure 3: Honest Maorty BA Lemma 5.2. The agreement phase satsfes the followng propertes: (a) The maorty of the partes n Phmsm are honest for every honest P n P \ P sm. (b) The output messages of the honest partes n P sm and Phmsm are the same for every honest P n P \ P sm. 14

15 (c) Every honest party holds the same output message m. Proof. (a) Now we show that Phmsm has honest maorty for every honest P P \ P sm. Consder the set Pconflct = P \ P hmsm. Ths set conssts of pars of partes (P, φ(p )). It s not possble that both the partes (P, φ(p )) are honest. If φ(p ) s honest, by Lemma 5.1, he holds a message m that matches wth h and he wll send m to P. If P was honest too, ts check Hash(m) = h wll verfy and t wll send happy = 1. Snce the par (P, φ(p )) s ncluded n Pconflct, P had sent happy = 0 to P. Ths mples ether P s corrupt and sent happy = 0, or φ(p ) s corrupt and sent a message not matchng h to P. Therefore, at least half of Pconflct are corrupted partes. Snce we have honest maorty n P, we have that the maorty of the partes n Phmsm are honest. (b) By Lemma 5.1, all the honest partes n P sm hold the same nput message, say m. So o for every honest party P n P sm s equal to m. Now consder an arbtrary honest party P Phmsm. If P P sm, then o = m = m. If P P sm but n Phmsm, then P must have sent happy = 1 to honest P. Ths mples that P had receved some message, say m from φ(p ) P sm and h = Hash(m ) where h s the hash of the common output message m held by the honest partes n P sm. Ths mples m = m wth hgh probablty by collson resstance of the hash functon. Snce P sets o = m, the output messages of all the honest partes n Psm and Phmsm are the same message. (c) We wll show that every honest party P outputs o = m, where m s the common nput message of the honest partes n P sm. Consder an arbtrary honest party P. We have already proved that f P P sm or P Phmsm for an honest P, then o = m. If P nether belongs to P sm or nor to Phmsm for any honest P, then t mples that happy must be 0 and P has receved a message that s not equal to m from φ(p ). We now show that P wll retreve m from the partes n P hmsm. Recall that snce P s honest, P hmsm has honest maorty and all the honest partes n t have o = m. Ths mples that every honest party P s transformed polynomal f are dentcal and correspond to m. We refer to the polynomal as f. If P receves d correct y values on f, then t can reconstruct f that s a d 1 degree polynomal. There are at least d honest partes n P hmsm whose hash vectors wll be the hash values of f(1),..., f(n). So a pece y that s same as f() wll be accepted by P. Whereas y that s not f() wll be reected by P wth hgh probablty. Snce there are at least d honest partes n P hmsm, P wll always receve d y peces and wll reconstruct f and m. Theorem 5.1. The protocol ( n 2 )-BA satsfes the followng propertes. Agreement: All honest partes output the same value. Valdty: If every honest party P hold the same message m = m, then all the honest partes output m. Complexty: The protocol has a round complexty of 5, seed round complexty of 1, a communcaton complexty of O ( ln + n 3 κ + nκb(1) ) bts and seed communcaton complexty of O(nκ) bts. Proof. Agreement: If the protocol aborts n the checkng phase, then all the partes output. Otherwse, all the partes output the same message at the end of agreement phase (Lemma 5.2(c)). 15

16 Valdty: By Lemma 5.1(a), f all honest partes hold the same message, then all honest partes are n P sm and output the same message m. Complexty: The checkng phase communcates nb(κ) bts. In the agreement phase, at most t partes who are outsde P sm receve messages from the partes n P sm as per the mappng φ. Ths requres O(ln) bts of communcaton. After ths step, every party n P \ P sm sends a bt happy to every other party. Ths requres O(n 2 ) bts of communcaton. Next the partes who are n P \ P sm and dd not receve a message that matches wth h yet wll send d to all the partes n P hmsm. Ths step ncurs O(n2 log n) bts of communcaton (every d can be represented by log n bts). Fnally, for a party P, the set of partes n Phmsm makes O(l + n 2 κ) bts of communcaton. Snce there can be at most t partes n P \ P sm, the total communcaton requred s O(ln + n 3 κ) bts. The total communcaton complexty of ( n 2 )-BA protocol s O ( ln + n 3 κ + nκb(1) ) bts. The seed communcaton complexty s O(nκ). The checkng phase requres one round whch s also the sole seed round. The agreement phase requres four rounds of pont-to-pont communcaton. So the round complexty and the seed round complexty of ( n 2 )-BA are 5 and 1 respectvely. 6 Byzantne Broadcast Extenson for t < n We present a BB extenson protocol for l bt message n the dshonest maorty settng wth: () communcaton complexty: O(ln) bts, () round complexty: O(n). The protocol has a seed round complexty of O(n). In the same settng, the only known communcaton optmal BB extenson protocol was gven by [HR14] (wll be referred as HR protocol henceforth). Both the round complexty and seed round complexty of the HR protocol are O(n 2 ). Our protocol s the frst protocol that optmzes two sgnfcant parameters of a BB extenson protocol smultaneously. Lke the HR protocol, our constructon broadcasts the long message block by block sequentally usng dspute control framework [BH06]. Whle overall communcaton complexty s guaranteed to be optmal, broadcastng each block may not be done wth optmal communcaton complexty. Our dspute control framework ensures that a corrupted party gets a sngle chance to msbehave wth an honest party. Once t s detected for wrong behavour by an honest party n some executon of block broadcast, the corrupted party wll be gnored by the honest party for the rest of the protocol. By mantanng a hstory of devatng behavours across block broadcasts, the dspute control framework help save expensve block communcatons between partes n dspute. At the heart of dspute control framework les the art of mantanng hstory and usng t carefully. Such a paradgm calls for sequental executon, and hence, often, the framework trades round complexty for communcaton complexty. When both the round and the communcaton overheads are of concern, the framework may not seem to be a wse choce. However, we ht the optmal communcaton and round complexty at the same tme by mplementng dspute control framework wth overlapped sequental executon. At ths pont, we note a clear dfference between our constructon and HR constructon. Whle the HR block broadcasts run sequentally wthout any overlap, our constructon ntertwnes the block broadcasts cleverly, yet mantanng the optmal communcaton complexty. The result s our constructon runs ust for O(n) rounds beatng the non-optmal O(n 2 ) round complexty of HR protocol. Specfcally, we dvde the nput message nto n blocks. A seed broadcast round s then used to broadcast the hash values of the n blocks. The usage of broadcast ensures all the honest partes hold 16

17 the same copes for the hash values. In an honest block broadcast protocol where everyone behaves honestly, t ust requres n 1 pont-to-pont communcaton of the block n order to propagate t from the sender to the rest of the partes gven that the hash value of the message block s already agreed upon and the underlyng hash functon s collson resstant. But the corrupted partes may behave arbtrarly. Although t may result n requrng more than n 1 pont-to-pont block communcatons, the honest partes wll dentfy the corrupted partes who msbehaved and wll gnore them for the rest of the protocol. Our protocol (n)-bb s gven n Fgure 4 whch consttutes of two phases: () Hash Agreement Phase: It conssts of ust one round where P s broadcasts the hashes h (1),..., h (n) of the n message blocks usng oracle access to broadcast bts so that the partes agree on the hash values of the blocks.; () Block Agreement Phase: In ths phase, the partes try to obtan the blocks from partes who already receved t usng only pont-to-pont communcaton such that the blocks verfy aganst the agreed hash values. We now concentrate on the block agreement phase where the agreement of blocks are done sequentally yet n an overlapped fashon. Specfcally, a party P starts requestng for kth message block only when t has receved the (k 1)th one. Ths reflects the sequental nature. The overlappng comes from the fact that the kth block agreement for P may run n parallel wth the (k 1)th block agreement for P. Ths stems from the fact that a party P proceeds to kth block agreement once t receves the (k 1)th block and wthout watng for others to receve the same. The protocol runs for t + n rounds, where the earlest round to start askng for kth message block and the latest round to reach agreement on kth block are set to k and t + k respectvely. If no block matchng the kth hash s receved by the end of round (t + k) round, then an honest party exts the whle loop and outputs. Our protocol guarantees that ether all or none of the honest partes wll get the message. Every party mantans three knds of sets. A local corrupt set C s used by party P to log the corrupted partes dscovered across the blocks. For the kth block, every party P locally mantans a set of happy partes H (k) and a set of unhappy partes H (k). From P s pont of vew, a party s happy f t declares to hold/receve a message block matchng wth the hash value h (k) and t broadcasts certan proof along wth the declaraton. A party P promotes P to ts happy set only when the proof verfes correctly. Only P s s consdered to be happy ntally for all the blocks. Now let us understand how a partcular block agreement s done. Consder the kth block. A party P who has receved (k 1)th block and s stll unhappy for the kth block checks f there s a party n ts kth happy set H (k) who t can ask for the kth message block. An unhappy (and honest) party P never requests a party for the message block more than once. Smlarly, a happy (and honest) P does not entertan anyone more than once. To prevent the corrupted partes from makng block request from multple honest partes n a round, every party s made to broadcast the dentty of ts chosen party. A happy (and honest) P sends ts message block to P over the pont-to-pont channel f and only f t receves a request from P va broadcast for the frst tme for a block. A matrx T (k) s mantaned by each party to detect repeated message send requests. A party who asks for the message block more than once from the same party s dentfed as corrupted. Next P, on recevng a message block from P can check f t matches wth h (k). As h (k) s generated from a collson-resstant hash functon, a corrupted P cannot trck an honest P by sendng a wrong message block and yet pass the consstency check wth h (k). Once P s happy, t prepares ts proof and broadcasts the same. Intutvely, when P s s corrupted, the proof enables to reach agreement on a block wthn the round lmt fxed for the block. Namely, for the kth round, t s k + t. It ensures that the more the adversary delays the recept of the block by the honest partes, the more 17