Professional Documents
Culture Documents
Abstract 1 Introduction
The Byzantine Agreement problem is one of the most The problem of reaching agreement in the presence of
fundamental problems in the field of distributed comput- faults is one of the most fundamental problems in the
ing. However, despite extensive research, a few important field of distributed computing. A particularly interest-
questions have remained open. ing variant of this problem, introduced by Pease, Shostak
The resilience of a protocol is the maximum number and Lamport [PSL], allows Byzantine faults (namely, the
of faults in the presence of which the protocol meets faulty players may collaborate in any way). A standard
its specification. It is known that no BA protocol for formulation of this problem, called the Byzantine Agree-
n players (either synchronous or asynchronous) can be ment (BA) problem, follows: Design a protocol that al-
[~1-resilient. The only known asynchronous ([~1 - l)- lows the non-faulty players to agree on a common value.
resilient BA protocol runs in expected exponential time! The agreed value should be the input value of one of the
A long standing open question is whether there exists a non-faulty players.
fast asynchronous ([:1 – 1)-resilient BA protocol. The BA problem was investigated in various mod-
We answer this question in the affirmative. We con- els, characterized by several parameters (e.g. synchrony,
sider a completely asynchronous network of n players, in privacy of the communication channels, computational
which every two players are connected via a private chan- power of the players). Of these, a key parameter is the
nel. Furthermore, we let the faulty players have unlim- synchrony of the network. Two important criteria for
ited computational power. In this setting, we describe an evaluating agreement protocols are resilience and time
(“round”) complexity. Informally, an n player protocol
( [~1 - I)-resilient Byzantine Agreement protocol. With
overwhelming probability all the non-faulty players com- is t-resilient if the outputs of the non-faulty players meet
plete the execution of the protocol. Conditioned on the the specifications of the protocol, as long as up tot of the
event that all the non-faulty players have completed the players are faulty.
execution of the protocol, they do so in constant expected A great deal of work concerning BA protocols has been
time. carried out. We refer the int crested reader to the surveys
Our construction employs an ([:1 – I)-resilient Asyn- of Fischer [F] and Chor and Dwork [CD]. However, de-
chronous Verifiable Secret Sharing (AVSS) scheme. No spite extensive research a few important questions have
([:1 – I)-resilient AVSS scheme was previously known. remained open. One of these questions is the subject of
Our AVSS scheme employs new asynchronous tools which this paper.
are of independent interest. State of the art and our result. Bounds on the
resilience of 13A protocols were proven by [PSL]. They
showed that agreement cannot be reached by a deter=
*Supported by the Eshkol Fellowship of the Israel Min-
istry of Education. ministic protocol,
in an n-player synchronous network,
with (%1 Byzantine faults. Karlin and Yao [KYl gener-
Permission to copy without fee all or part of this material is
granted provided that the copies are not made or distributed for
alized this result to randomized protocols. Clearly, these
direct commercial advantage, the ACM copyright notice and the results apply to asynchronous networks as well. Further-
title of the publication and its date appaar, and notice is given more, Fischer, Lynch and Paterson’s [FLP] seminal im-
that copying is by permission of the Association for Computing
possibility result for deterministic protocols implies that
Machinery. To copy otherwise, or to republish, requires a fee
any (randomized) protocol reaching BA must have non-
and/or specific permission.
25th ACM STOC ‘93-51931CA, USA terminating runs. Bracha [Br] describes an ( [*1 – l)-
0 1993 ACM O-89791 -591 -719310005 t0042... $~ .50
reailient asynchronous BA protocol which runs in 2e(nJ
42
expected time. Feldman and Micali [FM] describe a syn- and (2) a reconstruction phase in which the players recon-
chronous ( r~l — I )-resilient BA protocol, which runs in struct the secret from its shares. A player P must be able
constant expected time. Feldman [Fe] generalizes the to complete the execution of the sharing phase even if he
[FM] construction to an asynchronous setting, yielding a has communicated with only n – t of the players. This
constant expected time, ( r~l — 1)-resilient asynchronous means that he has verified the existence of a well defined
13A protocol. These works allow computationally unj secret only with this subset of the players (denoted Cl).
bounded faulty players ([FM, Fe] assume private chan- When P proceeds to carry out the reconstruction phase
nels). he again can wait to communicate with at most n – t of
A long standing open question (cf. [FM,CD]) is the players. Denote this set by C2. The set C’2 might
whether there exists a fast asynchronous BA protocol include players with whom P has not communicated in
which is ( r~l – 1)-resilient. the sharing phase and hence he does not know whether
We answer this question in the affirmative. We con- their shares are in accordance with the secret defined by
sider a completely asynchronous network of n players, in the shares of the players in Cl. (Possibly, the players who
which each two players are connected via a private chan- are not in Cl did not receive shares at all.) Thus, P can
nel. Furthermore, we let the faulty players have unlim- depend only on the players in the intersection, C, of the
ited computational power. In this setting, we describe a two sets. Still, t out of the players in C may be faulty.
13yzantine Agreement protocol that is ( r~l - I )-resilient. As long as n ~ 4t+ 1, it holds that ICI 2 2t+ 1;thus,the
with overwhelmingprobability all the non-faulty players majority of the players in C are honest. However, when
complete the execution of the protocol. Conditioned on n = 3t + 1, it is possible that ICI = t + 1. In this case,
the event that all the non-faulty players have completed there might be only a single honest player in C.
the execution of the protocol, they do so in constant ex- Our solution. We overcome these difficulties by devis-
pected time. The constructions we use in our protocol are ing a tool, called Asynchronous Recoverable Sharing (A-
c)f independent interest. We describe these constructions RS), assuring that, with overwhelming probability, the
below. shares of all the players in the set Cl (defined above)
Previous work. Let us describe the chain of results will be available in the reconstruction phase. The A-
leading to our result, and sketch the techniques used. Ra- RS protocol uses a tool presented in [R2,RB], called In-
bin [RI] describes an ( r~~ – I)-resilient Byzantine Agree- formation Checking Protocol. Using A-RS as a primi-
ment protocol that runs in constant expected time, pro- tive, we construct a secret sharing scheme, called Asyn-
vided that all the players have access to a ‘global coin” chronous Weak Secret Sharing (AWSS). Using AWSS, we
(namely, a common source of randomness with certain construct our AVSS scheme. (Both the AWSS and the
properties). Rabin’s construction can be used in syn- AVSS schemes generalize synchronous constructs intro-
chronous as well as asynchronous networks. Bracha [Br] duced in [R2,RB].)
improved the resilience of Rabin’s protocol in an asyn- Since Feldman’s work wss never published we also
chronous network, given a ‘global coin’, to ( r~l – 1). The present a modified version of Feldman’s construction for
essence of the [FM] synchronous Byzantine Agreement reaching BA given an AVSS scheme. Put together,
protocol is a scheme for generating such a ‘global coin’; these constructions constitute an synchronous ( r%l – l)-
once this global coin is generated, the players proceed resilient BA protocol.
in a conceptually similar manner to Bracha’s protocol. We note that our ( r~l – 1)-resilient AVSS scheme
The protocol for generating this ‘global coin’ relies heav- has applications in other contexts as well (for instance,
i Iy on a Ver-z’’able Secret Sharing (VSS) scheme. (The strengthening the results of [BE]).
notion of VSS was introduced by Chor et al. [CGMA].) Organization. This paper is organized as folIows: In Sec-
Feldman’s asynchronous construction for achieving BA, tion 2 we describe our asynchronous model and give a formal
given an r-resilient Asynchronous VSS (AVSS) scheme, is definition of Byzantine Agreement and Asynchronous Verifi-
~in(r, r;l — I )-resilient. However, up to now, no known able Secret Sharing. In Section 3 we state our main theorems,
AVSS scheme has been more than ( r~l – 1)-resilient. (An and present an overview of our protocols. Section A contains
( [:1 -l)-resilient AVSS scheme is presented in [Fe, BCG].) tools used in our construction. In Sections 5 through 1 we de-
The main difficulty. We offer an intuitive exposi- scribe our A-M, AWSS, and AVSS schemes. Sections 8 and 9
tion of the difficulties encountered in trying to devise contain a short description of our BA protocol given an AVSS
an ( r;l — 1)-resilient AVSS scheme. Generally, in an scheme.
asynchronous network of n players, out of which t may
be faulty, a player can never wait to communicate with
2 Definitions
more than n – t other players, because the faulty players
may not cooperate. An AVSS scheme is composed of two
2.1 The model
phases: (1) a sharing phase, in which a dealer shares a
secret among the players, and each player verifies for him- Consider an asynchronous network of n players, where
self that a unique secret has been defined by the shares, every two players are connected via a reliable and pri-
43
vatecommunication channel. Messages sent on a channel ● Correctness. All the honest players who have ter-
may have arbitrary (however, finite) delays, Furthermore, minated have identical outputs. Furthermore, if all the
there is no need that the order of the messages on the honest players have the same input, denoted U, then all
channel be preserved. the honest players output U.
44
3 Overview of the protocols Global-Coin using AVSS. We implement a Global-
Coin using techniques introduced in [FM,Fe], employing
First, let us state our main results. our AVSS scheme (see Section 8).
AVSS from scratch. Our AVSS scheme is con-
Theorem 1 (AVSS). Let n ~ 3t + 1. Then, for ev- structed in three ‘layers’. Each layer consists of a differ-
ery c > 0 there exists a (1 – c). correct, t-resilient A VSS ent secret sharing scheme (with an allowed-error param-
scheme for n players. Conditioned on the event that the eter, e). The scheme of the lowest layer is called Asyn-
honest players terminate, they do so in constant time. chronous Recoverable Sharing (A-RS). The scheme of the
Furthermore, the computational resources required of each next layer is called Asynchronous Weak Secret Sharing
player are polynomial in n and log $. (AWSS). The top layer is an AVSS scheme (as in Defini-
tion 2). Each layer is a building block for the level above
Theorem 2 (BA). Let n ~ 3t+l. Then, for every e >0 it. All three sharing schemes satisfy the termination and
there ezists a (1 – c)-terminating, t-resilient, asynchronous secrecy requirements of Definition 2. In all three schemes,
Byzantine Agreement protocol for n players. Conditioned if the dealer is honest then the honest players reconstruct
on the event that the honest players terminate, they do the secret shared by the dealer. The correctness property
so in constant expected time. Furthermore, the computa- for the case when the dealer is faulty is upgraded from
tional resources required of each player are polynomial in A-RS to AWSS and finally to AVSS:
n and log:. A-RS- Once the first honest player completes the Re-
construction Phase, there exists a subset, S G F of size
We present an overview of our Byzantine Agreement 2t + 1, such that each honest player will reconstruct a
protocol. Let F be a field of size E)(2n ). All the com- value r ● S U {nu//}.
putations in the sequel are done in F. The BA protocol AWSS- Once the first honest player completes the Shar-
employs the idea of using a ‘global coin’ to reach agree: ing Phase, a value, s, is fixed. Each honest player will
ment. reconstruct s or null.
BA using Global-Coin. This part of our protocol AVSS- Once the first honest player completes the Shar-
follows Bracha’s [B] and Feldman’s [Fe] constructions. ing Phase, a value, s, is fixed. Each honest player will
The protocol proceeds in iterations. In each iteration, reconstruct s.
each player has a ‘modified input’ value; in the first iter- Given that all the honest players complete all AVSS-
ation, the modified input of each player is his local input. reconstruction protocols they invoked, then each iteration
In each iteration the players invoke two protocols, called of the Byzantine Agreement protocol terminates in con-
Vote and Global-Coin, In the Vote protocol, described in stant time.
Section 9, the players ‘vote on an output’; namely, each
player tries to establish whether there exists a distinct
majority for some value amongst the players’ modified
4 Tools
inputs of this iteration. If a player recognizes a distinct
4.1 Information Checking Protocol- ICP
majority for some value, he takes this value to be his mod-
ified input for the next iteration. Otherwise, he sets his The Information Checking Protocol (ICP) is a tool for au-
modified input for the next iteration to be the output of thentication of messages in the presence of computation-
the Global-Coin protocol (outlined below). We show that ally unbounded faulty players. We state the properties
no two honest players can recognize a distinct majority for of this protocol without giving implementation details.
two different values. Furthermore, if all the honest players The ICP was introduced by T. Rabin and T. Rabin and
have the same input value in some iteration, then all the Ben-Or ([R2],[RB]).
honest players will recognize an ‘overwhelming majority’ The protocol is executed by three players: a dealer,
for this value. Once a player recognizes an overwhelming D, an intermediary, INT, and a receiver, R. The three
majority for some value, u, he broadcasts u (using the A* players have an allowed-error parameter, c, The dealer
cast protocol described in Section 4.2), and, subsequently, has a secret value s which he hands over to INT. At a
terminates with output a. later stage, INT is required to hand this value over to R.
A Global-Coin protocol has the following specification. The protocol is carried out in three phases:
Each player has a random input, and outputs a value in Generation(s) is initiated by D. In this phase D hands
{O, 1}. For every value u G {O, 1}, with probability at the secret s to INT and some auxiliary data to both INT
least ~ all the honest players output a. Consequently, if and R.
the coin is used by a subset (or all) of the honest players in Verification is initiated by INT, The receiver, R, is
some iteration, then with probability of at least ~ all the requested to participate. In this phase INT decides
honest players will have the same modified input for the whether to continue or abort the protocol. (INT bases
next iteration. It follows that the BA protocol terminates his decision on the prediction whether, in the Authenti-
within an expected constant number of iterations. cation Phase, R will accept the secret held by INT. We
45
denote continuation (resp. abortion) by Verification= 1 (Sh, Ret) is a (1 — c)-correct, t-resilient A-RS scheme for
(resp. O). n players if the following hold, for every t-adversary.
Authentication is initiated by R. The intermediary, ● Termination. Same as in the definition for AVSS
INT, is requested to participate. In this phase R re- (Definition 2).
ceives s’ from INT, and either accepts or rejects it. ● Correctness. The following holds, with probability 1–
We denote acceptance of a secret s’, (resp. reject) by c.
Authentication= s’ (resp. null). 1. If the dealer is honest, then each honest player, upon
The ICP has the following properties. completing protocol Ret, outputs the shared secret.
1. If D, holding secret s, INT and R are honest, then 2. Once The jirst honest player completes protocol Rec
Verification= 1 and Authentication= s. then a set S ~ F of size 2t + 1 is defined. Each honest
2. If INT and R are honest, and INT haa decided,in the player, upon completing protocol Ret, outputs a value r e
Verification Phase, to continue the protocol, then with s u {null}.
probability (1 – c), R will accept the secret received from ● Secrecy. Same as in the definition for AVSS (Defini-
INT in the Authentication Phase. tion 2].
3. If R and D are honest, and R accepted the secret s in
Our implementation. Sharing protocol. The
the Authentication Phase, then with probability (1 – c),
dealer, having a secret s, chooses values al, .... at c F
s originated with D.
with uniform distribution, and defines the polynomial
4. If D and INT are honest, then as long as INT has not
f(x) = a~zi + . . . + alz +s.(We call this process choosing
started the Authentication Phase, R has no in formatioil
a random polynomial f(x) The technique of using a
fors.
about the secret s.
t degree polynomial was introduced by Shamir [S].) Next,
We note that in the implementation that we use, each
phase involves sending only two messages, and the compu- for each i, the dealer sends /3i ~ f(i) to Pi. We say that
tational resources required of each player are polynomial pi is Pi’s share ofs. In addition, for each share pi and for
in log ~. each player F’j, the dealer executes the ICP-Generation
Phase (described in Section 4.1), with player Pi acting as
the Intermediary, and player Pj acting ss the Receiver.
4.2 A-cast
The ICP protocol will have the appropriate allowed-error
The asynchronous broadcast primitive (denoted A-cast) parameter e’ (we set d = +). We denote this execution
was introduced and elegantly implemented by Bracha of the ICP-Generation Phase by Gen~,i,j [~’] (pi). Next,
[Br]. Bracha’s A-cast protocol is ( (31 - 1)-resilient. each two players Pi and Pj execute the ICP-Verification
Phase, denoted Veri,j [c’], with respect to ~i. Once Pi
Definition 3 Let r be an n-player protocol initiated by successfully (i.e. with output 1) terminates 2t + 1 Ver-
a special player (called the sender), having input m (the ification Phases, he A-ca.sts( “OK” ,Pi ). A player com-
message to be broadcast). Protocol r is a t-resilient A-cast
pletes the sharing protocol upon completing 2t + 1 A-
protocol if the following hold, for every input, and every casts (“OK” ,...), Our protocol, denoted A-RS Share is
t-adversary. presented in Figure 1.
● Termination. Let r ~ t + 1. In the sequel we say that a sequence
1. If the sender is honest and all the honest players of shares, /31, ...1. P,, define a secret s, if there exists a
participate in the protocol, then each honest player will unique polynomial f(z) of degree at most i?, whose con-
eventually complete the protocol. stant term is s, such that ~(i) = /?i, for 1 < i < r.
2. If any honest player completes the protocol, then (We shall interchangeably say that “the shares define the
each honest player will eventually complete the protocol.’ polynomial f(z)”. )
● Correctness. If the honest players complete the pro- Reconstruction protocol. First, each player Pi
tocol, then they do so with a common output m“. Fur- He then executes the ICP-
A-casts his share, /3i.
thermore, if the sender is honest then m* = m. Authentication Phase with each other player, Pj. (We
denote this execution by Authi,j [c’].) For each player
We stress that the Termination property of A-cast is
Pj, whose share is accepted (namely, AUthj,i[~’] = betu; ),
much weaker than the Termination property of BA: for
player Pi A-casts (“Authenticates” ,Pi ,~~ ).
A-cast, we do not require that the honest players complete
Player P considers a share legal, if it is authenticated
the protocol when the sender is faulty.
by at least t+ 1 players, Once P has t+ 1 legal shares, he
computes the secret, If there exists a value which is sug-
5 Asynchronous Recoverable gested by t+ 1 players, then P output this value. Other-
wise, P outputs null. Our protocol denoted A- RS-Recon
Sharing — A-RS is presented in Figure 2.
Definition 4 Let (Sh, Ret) be a pair of protocols in Theorem 3 Let n z 3t + 1. Then for every e >0, the
which a dealer, D, shares a secret s. We say that pair (A-RS-Share[c] ,A-RS-Recon[c]) is a (1 – c)-correct,
46
t-resilient A-RS scheme for n players.
1. Choose a random polynomial, ~(~), for s, property 2, see Section 4.1). Therefore, each honest
player will have 2t + 1 successful verifications for its share.
2. Send /?i ~ f(i) to each player Pi. Thus, each honest player P will A-cast (OK, P) . Con-
sequent y, each honest player will complete 2t + 1 (OK,
Let c’~~. For each two players Pi and Pj
. . .) A-casts, and terminate.
execute GenD,i,j [t’] (Pi).
Termination (2). If an honest player has completed
Code for player Pi, with parameter e: A-RS-Share, then he has completed 2t + 1 (OK, . ..) A-
casts. By the definition of broadcast (Definition 3), each
3. For all j E [n]: Wait until Gen~,i,j [c’] is com- honest player will complete these 2t + 1 (OK, . ..) A-
pleted; then, initiate Veri,j [c’]. casts, and will thus complete A-RS-Share.
Termination (3). Let ,?3 be the event that ‘no er-
4. If Veri,j [/] = 1 for 2t + 1 players Pj, then
rors occur’ in all the invocations of ICP. Namely, for each
A-cast (OK , pi) .
two players Pi and Pj, if both Pi ad Pj are honest and
5. Upon completing 2t + 1 different A-cssts of Veri,j [6’] = 1 then Pi accepts /3j in Step 2 of protocol
the form (OK, . . .) , terminate. A-RS-Share; furthermore, if either the dealer or Pj are
honest, then the values accepted by Pi is the value that
Pj received from the dealer. We have that event E occurs
Figure 1: The A-RS sharing protocol with probability at least 1 – n2c’ = 1 – c.
By the properties of ICP (see Section 4.1), if Pi and
Pj are honest and Ver~,j [e’] = 1 in Step 3 of A-RS-
Share, then, conditioned on the event E, the player pj
will accept Pi’s share in Step 2 of A-RS-Recon. If an
Protocol A-RS-Recon[t] honest player Pi A-tasted (OK, Pi) in Step 3 of A-
RS-Share, then for at least t + 1 honest players, F’j, we
Code for player Pi, with parameter c: have Veri,j [d] = 1. Thus, conditioned on event E, these
t + 1 players will accept Pi’s share, and will broadcast
1. A-cast the share pi. (Pj authent i.cat es pi, ~~) in Step 2 of A-RS-Recon.
Consequently, Pi’s share will be considered legal by every
2. For each player Pj such that the ~j A-c~t is
honest player in Step 3 of A-RS-Recon.
completed, initiate Authj,i[d].
Now, if an honest player, P, haa completed the A-RS-
If Authj,i [/] = @j, then A-cast (Pi
Share protocol, then 2t + 1 players have A-tasted (OK,
authenticates Pj, /3j ) .
., .) in Step 3 of A-RS-Share. Out of these A-casts, at
3. Consider a share, ~j, legal, if at least t + least t + 1 have originated with honest players. Conse-
1 A-casts of the form (Pk authenticates quently, if event E occurs, then every honest player will
Pj, ~j ) have been completed. Create an in- have t + 1 legal shares in Step 3 of A-RS-Recon. In this
terpolation Set, ISi. Add every legal share case, P will have 2t + 1 suggested secrets, and will com-
to Is;. plete protocol A-RS-Recon,
Correctness (1). If the dealer is honest and event
4. Once llSi I = t + 1, compute the secret, E occurs, then for each honest player, Pi, each share Bj
s, defined by the shares in ISi. A-cast in .fSi originated with D (namely, /3j = f(j)). There-
(suggested secret, s) .
fore, the shares in ISi define the secret, s, shared by
the dealer, and Pi will A-cast (suggested secret, s)
5. Wait until completing 2t + 1 (suggested
Consequently, each honest player will complete 2t + 1
secret, . . .) A-casts.
A-casts, out of which at least t + 1 suggest the secret s.
If there is a value, s!, which appears in at
Hence, each honest player will output s.
least t + 1 such A-casts, then output s’.
Correctness (2). If a player, P, haa completed proto-
Otherwise, output null.
col A-RS-Recon, then he has completed 2t + 1 A-casts of
the form (suggested secret. .) Let S denote the
Figure 2: The A-RS reconstruction protocol set of 2t + 1 Suggested secrets in these 2t + 1 A-casts.
Clearly, at least t+ 1 out of the 2t + 1 A-casts completed
by each other honest player, P’, in Step 4 of A-RS-Recon,
,-
are of values in S. Thus, if some secret, r, appears t+ 1 Let ELGi be Pi’s dynamic set of players Pj whose
times in the A-casts completed by P’, then it must be ACCj A-cast hm been completed, and ACCj ~ COMi.
that r E S. We define the set ISj as the first 2t + 1 players in l?LGi.
Secrecy. If the dealer is honest and no honest player Once lELGil z 2t + 1, player Pi A-casts ISi. (This eli-
has initiated protocol A-RS-Recon, then any set of b < t gibility set, is the set of players whose share will
ELGi,
players have only b shares of the secret, along with the be later considered either legal or null. The interpolation
data received during the ICP generation and verification set, lSi, is the set of players whose shares will later define
protocols with respect to the other players’ shares of the the secret associated with Pi.)
secret. By the Secrecy properties of ICP and Shamir’s Let FINALi be Pi ‘S set of players Pj whose ISj
secret sharing scheme, this data is independent of the A-cast has been completed, and lSj ~ ELGi. Once
shared secret. 0 I.FINALil = 2t + 1 complete the sharing protocol. (This
final set, FINALi, is the set of players, with whom Pi
will later associate a secret,)
6 Asynchronous Weak Secret Reconstruction protocol. Remark: it will be seen
Sharing — AWSS that when player P executes the reconstruction protocol,
he essentially doubles up as each other player (namely, he
Definition 5 Let (Sh, Ret) be a pair of protocols in locally executes the protocols of the other players).
which a dealer, D, shares a secret s. We say that Initially, each player Pi reconstructs the values shared
(Sh, Ret) is a (1 – c)-correct, t-resilient A WSS scheme by each player Pj E ELGi, in the following manner. Re-
for n players if the following hold, for every t-adversary. call that each player in ELGi shared, in the sharing pro-
● Termination. Same as the definition of AVSS (Defi- tocol, values he received as an Intermediary of ICP, and
nition ,2). values he received as a Receiver of ICP. Player Pi first
● Correctness. invokes A-RS-Recon for all the values that the players in
1. If the dealer is honest, then with probability l–c each ELGi received as Intermediaries in ICP. Call these in-
honest player, upon completing protocol Ret, outputs the vocations of A-RS-Recon preliminary. For each player
shared secret. Pj E ELGi and for each P1 c ACCj, once all the prelim-
2. Once the first honest player completes protocol Sh, inary A-RS-Recons have been completed, Pi invokes the
then there exists a value s, such that with probability 1– ~ A-RS-Recons of (the rest of) the values shared by Pi. We
each honest player, upon completing protocol Ret, will note that the order in which the A-RS-Recons are invoked
output s or null. is crucial for the proof of the Correctness property of the
● Secrecy. Same as the definition of A W’S (Definition scheme.
dealer executes the Generation Phase of ICP with player (We then say that f?j is legal). Otherwise, he associates
Pi acting as the Intermediary, and player Pj acting as the
the value “null” with Pj.
Receiver. (This part is the same as in A-RS-Share.) Now, for each player l’k 6 FINALi, once the values
Next, each player shares each value received from the associated with all the players in ISk are computed, if all
dealer (including the values received in the Generation the legal shares in lSk define a secret, s, then Pi considers
Phase of ICP), using A-RS-Share (Figure 1). Player Pi s to be the secret suggested by pk. Otherwise, the secret
creates a set, COMi. Once Pi completes all the A-RS- suggested by pk is null.
Shares of Pj’s values, Pj is added to COM~, (Players may Finally, Pi waits until the secrets suggested by all the
be added to COMi as long as the AWSS sharing protocol players in FINALi are computed. If all the players in
is being executed. We call such sets dynamic sets.) FINALi suggest the same secret, s, Pi outputs s. Oth-
For each player Pj c COMi, player Pi initiates the erwise, Pi outputs null.
Verification Phase of ICP for pi with Pj, and with the
appropriate allowed-error parameter, ./. (We denote this
Theorem 4 Let n ~ 3t + 1. Then for every c >0, the
execution by Veri,j [d]).
pair (AWSS-Share[c] ,AWSS-Recon[c]) is a (1 – c)-correct,
Let ACCi be Pi ‘S set of players Pj such that Veri,j [t’] =
t-resilient A WSS scheme for n players.
1. Once lACCil = 2t + 1, player Pi A-c&s ACCi. (This
accept ante set, ACCi, is the set of players who will later
accept /3i.) Proofi See our Technical Report [CR].
48
6.1 Two&Sum Asynchronous WSS holds because of the following reason. For each player
Pj EFINALithere exists at least one honest player, who
In the AVSS scheme we will need the following variation of
has confirmed him. Thus, there exists a t-degree polyno-
an AWSS scheme: A dealer shares three secrets: S1, S2, S3,
mial, h(x), such that rj, together with at least 2t other
such that S3 = S1 +s2. The sharing of these secrets should
values, define the polynomial h(z). We say that h(z) is
have the properties of the AWSS scheme; In addition, the
associated with P1. It can be easily seen that all the poly-
following requirements should hold:
nomials associated with all the players Pj c FINA Li are
1. If we reconstruct either S2 or SI + S2, then the faulty
identical.
players have no information about S1.
Reconstruction protocol. The reconstruction pro-
2. Let ri be the value set once the first honest player
tocol is simple. The shares of all the players are recon-
completes the sharing of Sj. Then, either rl + r2 = r3, or
structed using AWSS-Recon. Once t+ 1 shares in FINALi
at least two of {rl, rz, rs} are null.
are reconstructed, player Pi computes the secret defined
An implementation of this scheme, denoted Two&Sum-
by these shares, and terminates. (Recall that the shares
AWSS, is a straight forward generalization of our AWSS
of all the players in FINALi define a secret. Thus, this
scheme. The scheme is based on the synchronotis
secret can be computed based on any t+ 1 of these shares.)
Two& Sum-WSS presented in [R2]. We present our
scheme in [CR]. Theorem 1 Let n ~ 3t + 1. Then for every c >0, the
pair (AVSS-Share[c] ,AVSS-Recon[c]) is a (1 – e)-correct,
t-resilient AVSS scheme for n players.
7 Asynchronous Verifiable Secret
Proof: See our Technical Report [CR]. We note that
Sharing — AVSS showing that the sharing protocol terminates in constant
time (given that all the honest player complete the pro-
Our implementation. In this extended abstract we tocol) requires subtle arguments.
only sketch our construction. For full details see our Tech-
nical Report [CR].
Sharing protocol. The sharing protocol consists of two 8 Global Coin from AVSS
phases: in the first phase, the dealer sends shares to all
the players. In the second phase, the players verify that Definition 6 Let x be a protocol, where each player has a
their shares define a unique secret. random input, and outputs a value in {O, 1}. We say ihat
The dealer, having a secret s, chooses a random poly- r is a (1 – c)-terminating, t-resilient global coin protocol if
nomial ~(z) for s. Next, for each i, the dealer sends the following hold, for every t-adversary.
. Termination. With probability 1 – e, all the honest
pi fi f(i) to pi. (We say that & is Pi’s share of the
players terminate locally.
secret.) In addition, the dealer chooses an appropriate
● Correctness. For every value u ~ {0, 1}, with proba-
number of random polynomials g(z) of degree t. For
bility at least ~ all the honest players output U.
each such polynomial g(z), and for each i, the dealer
sends g(i) to player Pi. Upon receiving all the expected An implementation. Our construction follows the
values from the dealer, each player shares the values outline of Feldman’s construction. However, several mod-
{~(i), 9(i)1 ?(0+9(0} for each polynomial 9(~), using the ifications have been introduced. In this extended abstract
Two&Sum AWSS sharing protocol with the appropriate we only sketch this construction. For full details see our
allowed-error parameter (see Sect ion 6.1), Technical Report [CR]. Roughly speaking, the protocol,
Next, the dealer proves to each player, using a cut- denoted Global-Coin [c] (with ‘termination parameter’ e),
and-choose method (as in [BGW,CCD,Fe,FM]), that the consists of four stages. First, each player shares n ran-
shares of the players indeed define a secret. Once a player dom secrets, using the AVSS-Share protocol of an AVSS
is convinced that the shares of 2t+l players are acceptable scheme. (These AVSS-Shares are invoked with the appro-
(namely, the Two& Sum-AWSS-Share of these shares are priate ‘allowed error’ parameter, which is a function of c.)
completed, and the values set by the Two& Sum-AWSS- We say that the ith secret shared by each party is assigned
Shares of these shares, define a secret), he confirms these to player Pi. Once a player completes n – t AVSS-Share
players by A-casting their identities. Once a a player, protocols of secrets assigned to him, the player A-casts
Pi, completes 2t + 1 A-casts in which the player P is the identity of the dealers of these secrets. (Later, the
confirmed, he adds P to his final set, FINALi. Once value associated with this player will be computed based
FINALi contains 2t + 1 players, player Pi completes the on these secrets. )
sharing protocol. Once a player is assured that enough players have A-
For each player Pj 6FINALi let rj be the values set casted their set of assigned secrets, he starts reconstruct-
by the AWSS-Share of Pi. Note that the values rj of ing the relevant secrets. C)nce all these secrets are recon–
the players Pj EFINALi define a secret; furthermore, the strutted, each player locally computes his output based
values in all the FINALi’s define the same secret. This on the reconstructed secrets.
49
For the proof of correctness, we show that once some A-casts his re-vote, along with the identities of the n – t
honest player completes the A-cast of the secrets assigned players whose A-tasted votes were used to compute the
with player P, a random value, VP, is fixed. With over- re-vote, and waits to receive n – t other re-votes that are
whelming probability, the value that each honest player consistent with the consistent votes of the second round.)
will later associate with P will be VP. Now, each honest Now, if all the consistent votes received by a player
player Pi computes his output based on the values ZSSG agree on a value, a, then this player outputs (u, 2). Oth-
ciated with the parties in some set, S’i, of size n — t. We erwise, if all the consistent re-votes received by the player
show that once the first honest player starts reconstruct- agree on a value, a, then the player outputs (a, 1). Oth-
ing secrets, a large enough “core” set, C, of players is erwise, the player outputs (O, O).
fixed. Each honest player will have C C Si. We use these
facts to show that for each value a G {O, 1}, with large
9.2 The Byzantine Agreement protocol
enough probability all the players output v.
Proof: See our Technical Report [CR]. 0 1. Set 7’-1. Set ~1 -Zi.
50
Once a player recognizes an ‘overwhelming majority’ [Br] G. Bracha, “An Asynchronous [(n - 1)/3J-resilient
for some value, a, (namely, output (a,2) of protocol Consensus Protocol”, 3rd PODC, pp. 154-162, 1984.
Vote), he A-casts a. Once a player completest+l A- [CR] R. Canetti, and T. Rabin, “Optimal Asynchronous
casts for some value, o, he terminates with output a. Byzantine Agreement”, Technical Report #92-15, CS
The code of the Byzantine Agreement protocol ispre- Department, Hebrew University, 1992.
sented in Figure 3. [CCD] D. Chaum, C. Crepeau and I. Damgard, “Multiparty
Unconditionally Secure Protocols”, 20th STOC, pp.
Theorem 2 Let n ~ 3t + 1. Then, for every E >0 proto- 11-19, 1988.
col BA[c] is a ( 1 —c)-terminating, t-resilient, asynchronous
[CGMA1 B. Chor, S. Goldwasser, S. Micali and B. Awerbuch.
Byzantine Agreement protocol for n players. Given that ‘Verifiable Secret Sharing and Achieving Simultaneity
the players terminate, they do so in constant expected in the Presence of Faults”, 26th FOCS, pp. 383-395,
time. Furthermore, the computational resources required 1985.
of each player are polynomial in n and log ~.
[CD] B. Chor and C. Dwork, “Randomization in Bysantine
Agreement”, Advances in Computing Research, Vol. 5,
The proof of Theorem 2 is presented in [CR]. The follow- pp. 443-497, 1989.
ing claims are the milestones of this proof.
[Fe] P, Feldman, “Asynchronous Byzantine Agreement in
Constant Expected Time”, unpublished manuscript,
Claim 1 Let k ~ O, and assume that all the honest play-
1989.
ers complete the kth invocation of Global-Coin. Then the
[FM] P. Feldman, and S. Micah, “An Optimal Algorithm For
execution of the kth iteration of protocot BA terminates
Synchronous Byzantine Agreement”, 20th STOC, pp.
m constant time.
148-161, 1988.
Claim 3 For each k >0, the probability that all the play- JA CM, Vol. 32, no. 2, pp. 374-382, 1985.
ers have the same vk+l value, given that all he players [KYl A. Karlin and A. Yao, “Probabilistic Lower Bounds for
complete the kth iteration (namely, compute Vk+l)j is d Byzantine Agreement”, unpublished manuscript, 1986.
[Ahf] H. Attiya and hf. Mavronicolas, “Efficiency of Semi- [Sh] A. Shamir, “How to share a secret”, CA CM, VOL 22,
Synchronous versus Asynchronous Networks,” Mathe- No. 11, pp. 612-613, 1979.
matical Systems Theory, to appear. Preliminary ver-
sion in proceedings of the 28th annual Allerton Con-
ference on Communication, Control and Computing,
October 1990, pp. 578-587.
51