Fast Asynchronous Byzantine Agreement

with Optimal Resilience

(Extended Abstract)

Ran Canetti Tal Rabin *

Dept. of Computer Science Dept. of Computer Science
Technion Hebrew University

Abstract 1 Introduction

The Byzantine Agreement problem is one of the most The problem of reaching agreement in the presence of
fundamental problems in the field of distributed comput- faults is one of the most fundamental problems in the
ing. However, despite extensive research, a few important field of distributed computing. A particularly interest-
questions have remained open. ing variant of this problem, introduced by Pease, Shostak
The resilience of a protocol is the maximum number and Lamport [PSL], allows Byzantine faults (namely, the
of faults in the presence of which the protocol meets faulty players may collaborate in any way). A standard
its specification. It is known that no BA protocol for formulation of this problem, called the Byzantine Agree-
n players (either synchronous or asynchronous) can be ment (BA) problem, follows: Design a protocol that al-
[~1-resilient. The only known asynchronous ([~1 - l)- lows the non-faulty players to agree on a common value.
resilient BA protocol runs in expected exponential time! The agreed value should be the input value of one of the
A long standing open question is whether there exists a non-faulty players.
fast asynchronous ([:1 – 1)-resilient BA protocol. The BA problem was investigated in various mod-
We answer this question in the affirmative. We con- els, characterized by several parameters (e.g. synchrony,
sider a completely asynchronous network of n players, in privacy of the communication channels, computational
which every two players are connected via a private chan- power of the players). Of these, a key parameter is the
nel. Furthermore, we let the faulty players have unlim- synchrony of the network. Two important criteria for
ited computational power. In this setting, we describe an evaluating agreement protocols are resilience and time
(“round”) complexity. Informally, an n player protocol
( [~1 - I)-resilient Byzantine Agreement protocol. With
overwhelming probability all the non-faulty players com- is t-resilient if the outputs of the non-faulty players meet
plete the execution of the protocol. Conditioned on the the specifications of the protocol, as long as up tot of the
event that all the non-faulty players have completed the players are faulty.
execution of the protocol, they do so in constant expected A great deal of work concerning BA protocols has been
time. carried out. We refer the int crested reader to the surveys
Our construction employs an ([:1 – I)-resilient Asyn- of Fischer [F] and Chor and Dwork [CD]. However, de-
chronous Verifiable Secret Sharing (AVSS) scheme. No spite extensive research a few important questions have
([:1 – I)-resilient AVSS scheme was previously known. remained open. One of these questions is the subject of
Our AVSS scheme employs new asynchronous tools which this paper.
are of independent interest. State of the art and our result. Bounds on the
resilience of 13A protocols were proven by [PSL]. They
showed that agreement cannot be reached by a deter=
*Supported by the Eshkol Fellowship of the Israel Min-
istry of Education. ministic protocol,
in an n-player synchronous network,
with (%1 Byzantine faults. Karlin and Yao [KYl gener-
Permission to copy without fee all or part of this material is
granted provided that the copies are not made or distributed for
alized this result to randomized protocols. Clearly, these
direct commercial advantage, the ACM copyright notice and the results apply to asynchronous networks as well. Further-
title of the publication and its date appaar, and notice is given more, Fischer, Lynch and Paterson’s [FLP] seminal im-
that copying is by permission of the Association for Computing
possibility result for deterministic protocols implies that
Machinery. To copy otherwise, or to republish, requires a fee
any (randomized) protocol reaching BA must have non-
and/or specific permission.
25th ACM STOC ‘93-51931CA, USA terminating runs. Bracha [Br] describes an ( [*1 – l)-
0 1993 ACM O-89791 -591 -719310005 t0042... $~ .50
reailient asynchronous BA protocol which runs in 2e(nJ

42
expected time. Feldman and Micali [FM] describe a syn- and (2) a reconstruction phase in which the players recon-
chronous ( r~l — I )-resilient BA protocol, which runs in struct the secret from its shares. A player P must be able
constant expected time. Feldman [Fe] generalizes the to complete the execution of the sharing phase even if he
[FM] construction to an asynchronous setting, yielding a has communicated with only n – t of the players. This
constant expected time, ( r~l — 1)-resilient asynchronous means that he has verified the existence of a well defined
13A protocol. These works allow computationally unj secret only with this subset of the players (denoted Cl).
bounded faulty players ([FM, Fe] assume private chan- When P proceeds to carry out the reconstruction phase
nels). he again can wait to communicate with at most n – t of
A long standing open question (cf. [FM,CD]) is the players. Denote this set by C2. The set C’2 might
whether there exists a fast asynchronous BA protocol include players with whom P has not communicated in
which is ( r~l – 1)-resilient. the sharing phase and hence he does not know whether
We answer this question in the affirmative. We con- their shares are in accordance with the secret defined by
sider a completely asynchronous network of n players, in the shares of the players in Cl. (Possibly, the players who
which each two players are connected via a private chan- are not in Cl did not receive shares at all.) Thus, P can
nel. Furthermore, we let the faulty players have unlim- depend only on the players in the intersection, C, of the
ited computational power. In this setting, we describe a two sets. Still, t out of the players in C may be faulty.
13yzantine Agreement protocol that is ( r~l - I )-resilient. As long as n ~ 4t+ 1, it holds that ICI 2 2t+ 1;thus,the
with overwhelmingprobability all the non-faulty players majority of the players in C are honest. However, when
complete the execution of the protocol. Conditioned on n = 3t + 1, it is possible that ICI = t + 1. In this case,
the event that all the non-faulty players have completed there might be only a single honest player in C.
the execution of the protocol, they do so in constant ex- Our solution. We overcome these difficulties by devis-
pected time. The constructions we use in our protocol are ing a tool, called Asynchronous Recoverable Sharing (A-
c)f independent interest. We describe these constructions RS), assuring that, with overwhelming probability, the
below. shares of all the players in the set Cl (defined above)
Previous work. Let us describe the chain of results will be available in the reconstruction phase. The A-
leading to our result, and sketch the techniques used. Ra- RS protocol uses a tool presented in [R2,RB], called In-
bin [RI] describes an ( r~~ – I)-resilient Byzantine Agree- formation Checking Protocol. Using A-RS as a primi-
ment protocol that runs in constant expected time, pro- tive, we construct a secret sharing scheme, called Asyn-
vided that all the players have access to a ‘global coin” chronous Weak Secret Sharing (AWSS). Using AWSS, we
(namely, a common source of randomness with certain construct our AVSS scheme. (Both the AWSS and the
properties). Rabin’s construction can be used in syn- AVSS schemes generalize synchronous constructs intro-
chronous as well as asynchronous networks. Bracha [Br] duced in [R2,RB].)
improved the resilience of Rabin’s protocol in an asyn- Since Feldman’s work wss never published we also
chronous network, given a ‘global coin’, to ( r~l – 1). The present a modified version of Feldman’s construction for
essence of the [FM] synchronous Byzantine Agreement reaching BA given an AVSS scheme. Put together,
protocol is a scheme for generating such a ‘global coin’; these constructions constitute an synchronous ( r%l – l)-
once this global coin is generated, the players proceed resilient BA protocol.
in a conceptually similar manner to Bracha’s protocol. We note that our ( r~l – 1)-resilient AVSS scheme
The protocol for generating this ‘global coin’ relies heav- has applications in other contexts as well (for instance,
i Iy on a Ver-z’’able Secret Sharing (VSS) scheme. (The strengthening the results of [BE]).
notion of VSS was introduced by Chor et al. [CGMA].) Organization. This paper is organized as folIows: In Sec-
Feldman’s asynchronous construction for achieving BA, tion 2 we describe our asynchronous model and give a formal
given an r-resilient Asynchronous VSS (AVSS) scheme, is definition of Byzantine Agreement and Asynchronous Verifi-
~in(r, r;l — I )-resilient. However, up to now, no known able Secret Sharing. In Section 3 we state our main theorems,
AVSS scheme has been more than ( r~l – 1)-resilient. (An and present an overview of our protocols. Section A contains
( [:1 -l)-resilient AVSS scheme is presented in [Fe, BCG].) tools used in our construction. In Sections 5 through 1 we de-
The main difficulty. We offer an intuitive exposi- scribe our A-M, AWSS, and AVSS schemes. Sections 8 and 9
tion of the difficulties encountered in trying to devise contain a short description of our BA protocol given an AVSS
an ( r;l — 1)-resilient AVSS scheme. Generally, in an scheme.
asynchronous network of n players, out of which t may
be faulty, a player can never wait to communicate with
2 Definitions
more than n – t other players, because the faulty players
may not cooperate. An AVSS scheme is composed of two
2.1 The model
phases: (1) a sharing phase, in which a dealer shares a
secret among the players, and each player verifies for him- Consider an asynchronous network of n players, where
self that a unique secret has been defined by the shares, every two players are connected via a reliable and pri-

43
vatecommunication channel. Messages sent on a channel ● Correctness. All the honest players who have ter-
may have arbitrary (however, finite) delays, Furthermore, minated have identical outputs. Furthermore, if all the
there is no need that the order of the messages on the honest players have the same input, denoted U, then all
channel be preserved. the honest players output U.

We regard an execution of an asynchronous protocol as

a sequence of atomic steps. In each atomic step a single 2.3 Asynchronous Verifiable Secret Shar-
player is active. The player is activated by receiving a
ing
message; he then performs an internal computation, and
possibly sends messages on its outgoing channels. We A secret sharing scheme (either synchronous or asyn-
consider the order of the atomic steps as controlled by chronous) consists of two protocols: a sharing protocol,
a scheduler. We ‘enforce’ the privacy of the channels by in which a dealer shares a secret among the players, and a
considering oblivious schedulers only. The only informa- reconstruction protocol, in which the players reconstruct
tion known to these schedulers is the origin and destina- the secret from its shares. An honest dealer should be
tion of each message sent. able to share a secret in a reconstructible way. Further-
In our model, up tot of the players may become faulty more, if the dealer is honest then the shared secret should
at any time during the run of the protocol. We con- remain unknown to the faulty players, as long as no hon-
sider a dynamic, Byzantine adversary. This adversary est player has started the reconstruction protocol. We
may choose, at the beginning of each atomic step, which say that a secret sharing scheme is verifiable if the fol-
additional players to corrupt, without exceeding the limit lowing holds: if one honest player accepts the sharing
of t faulty players. Once a player is corrupted, he hands of a secret, then all the honest players accept this shar-
all his internal data over to the adversary. From now on ing, and a unique secret will be reconstructed (even if the
he follows the instructions of the adversary. We colloqui- dealer is faulty). In the following definition, we formalize
ally call non-fault y players honest. the requirements of a verifiable secret sharing scheme for
For convenience, we unite the adversary controlling the
our asynchronous setting. (In the sequel we define some
faulty players (parametrized by t,the maximum number weaker secret sharing schemes.)
of faulty players) with the scheduler, to one entity. We Definition 2 Let (Sh, Ret) be a pair of protocols in
call this entity a t-adversary, We allow computationally which a dealer, D, shares a secret s. We say that
unbounded adversaries.
(Sh, Ret) is a (1 – c)-correct, t-resilient AVSS scheme for
A time measure. Let us briefly and informally n players if the following hold, for every t-adversary.
present a standard definition of the running time of an ● Termination. With probability 1 – c the following re-
asynchronous protocol. (For a fuller definition of asyn- quirements hold.
chronous time, see, for instance, [AM].) Consider a vir- 1. If the dealer is honest, then each honest player will
tual ‘external clock’ measuring time in the network (of eventually complete protocol Sh.
course, the players cannot read this clock). Let the delay 2. If some honest player has completed protocol Sh,
of a message be the time elapsed from its sending to its then each honest player will eventually complete protocol
receipt. Let the period of a finite execution of a proto- Sh.
col be the longest delay of a message in this execution. 3. If an honest player has completed protocol Sh, and
The of a finite execution is the total time mea-
duration all the honest players invoke protocol Ret, then each hon-
sured by the global clock divided by the period of this est player will complete protocol Rec.
execution. (Infinite executions have infinite duration.) ● Correctness. Once an honest player has completed
The expected running time of a protocol, conditioned on protocol Sh, then there exists a unique value, r, such that
an event, is the maximum over all inputs and applicable with probability 1 – e the following holds.
adversaries, of the average over the random inputs of the 1. If the dealer is honest, then r is the shared secret,
players, of the duration of executions of the protocol in i.e. r=s.
which this event occurs. 2. If all the honest players invoke protocol Ret, then
each honest player outputs r. (Namely, r is the recon-
structed secret.)
2.2 Asynchronous Byzantine Agreement, ● Secrecy. If the dealer is honest and no honest player
has begun executing protocol Ret, then the faulty players
Definition 1 Let T be an asynchronous protocol for
have no information about the shared secret.
whtch each player has binary input. We say that r is
a (1– c)-terminating, t-resilient Byzantine Agreement pro- Remark. We stress that an honest player is not required
tocol if the following hold, for every t-adversary and every to complete protocol Sh in case that the dealer is faulty. (We
input. do not distinguish between the case where an honest player
● Termination. With probability 1 – e all the honest did not complete protocol Sh, and the case where an honest
players complete the protocol (i.e., terminate locally). player has completed Sh unsuccessfully.)

44
3 Overview of the protocols Global-Coin using AVSS. We implement a Global-
Coin using techniques introduced in [FM,Fe], employing
First, let us state our main results. our AVSS scheme (see Section 8).
AVSS from scratch. Our AVSS scheme is con-
Theorem 1 (AVSS). Let n ~ 3t + 1. Then, for ev- structed in three ‘layers’. Each layer consists of a differ-
ery c > 0 there exists a (1 – c). correct, t-resilient A VSS ent secret sharing scheme (with an allowed-error param-
scheme for n players. Conditioned on the event that the eter, e). The scheme of the lowest layer is called Asyn-
honest players terminate, they do so in constant time. chronous Recoverable Sharing (A-RS). The scheme of the
Furthermore, the computational resources required of each next layer is called Asynchronous Weak Secret Sharing
player are polynomial in n and log $. (AWSS). The top layer is an AVSS scheme (as in Defini-
tion 2). Each layer is a building block for the level above
Theorem 2 (BA). Let n ~ 3t+l. Then, for every e >0 it. All three sharing schemes satisfy the termination and
there ezists a (1 – c)-terminating, t-resilient, asynchronous secrecy requirements of Definition 2. In all three schemes,
Byzantine Agreement protocol for n players. Conditioned if the dealer is honest then the honest players reconstruct
on the event that the honest players terminate, they do the secret shared by the dealer. The correctness property
so in constant expected time. Furthermore, the computa- for the case when the dealer is faulty is upgraded from
tional resources required of each player are polynomial in A-RS to AWSS and finally to AVSS:
n and log:. A-RS- Once the first honest player completes the Re-
construction Phase, there exists a subset, S G F of size
We present an overview of our Byzantine Agreement 2t + 1, such that each honest player will reconstruct a
protocol. Let F be a field of size E)(2n ). All the com- value r ● S U {nu//}.

putations in the sequel are done in F. The BA protocol AWSS- Once the first honest player completes the Shar-
employs the idea of using a ‘global coin’ to reach agree: ing Phase, a value, s, is fixed. Each honest player will
ment. reconstruct s or null.
BA using Global-Coin. This part of our protocol AVSS- Once the first honest player completes the Shar-
follows Bracha’s [B] and Feldman’s [Fe] constructions. ing Phase, a value, s, is fixed. Each honest player will
The protocol proceeds in iterations. In each iteration, reconstruct s.
each player has a ‘modified input’ value; in the first iter- Given that all the honest players complete all AVSS-
ation, the modified input of each player is his local input. reconstruction protocols they invoked, then each iteration
In each iteration the players invoke two protocols, called of the Byzantine Agreement protocol terminates in con-
Vote and Global-Coin, In the Vote protocol, described in stant time.
Section 9, the players ‘vote on an output’; namely, each
player tries to establish whether there exists a distinct
majority for some value amongst the players’ modified
4 Tools
inputs of this iteration. If a player recognizes a distinct
4.1 Information Checking Protocol- ICP
majority for some value, he takes this value to be his mod-
ified input for the next iteration. Otherwise, he sets his The Information Checking Protocol (ICP) is a tool for au-
modified input for the next iteration to be the output of thentication of messages in the presence of computation-
the Global-Coin protocol (outlined below). We show that ally unbounded faulty players. We state the properties
no two honest players can recognize a distinct majority for of this protocol without giving implementation details.
two different values. Furthermore, if all the honest players The ICP was introduced by T. Rabin and T. Rabin and
have the same input value in some iteration, then all the Ben-Or ([R2],[RB]).
honest players will recognize an ‘overwhelming majority’ The protocol is executed by three players: a dealer,
for this value. Once a player recognizes an overwhelming D, an intermediary, INT, and a receiver, R. The three
majority for some value, u, he broadcasts u (using the A* players have an allowed-error parameter, c, The dealer
cast protocol described in Section 4.2), and, subsequently, has a secret value s which he hands over to INT. At a
terminates with output a. later stage, INT is required to hand this value over to R.
A Global-Coin protocol has the following specification. The protocol is carried out in three phases:
Each player has a random input, and outputs a value in Generation(s) is initiated by D. In this phase D hands
{O, 1}. For every value u G {O, 1}, with probability at the secret s to INT and some auxiliary data to both INT
least ~ all the honest players output a. Consequently, if and R.
the coin is used by a subset (or all) of the honest players in Verification is initiated by INT, The receiver, R, is
some iteration, then with probability of at least ~ all the requested to participate. In this phase INT decides
honest players will have the same modified input for the whether to continue or abort the protocol. (INT bases
next iteration. It follows that the BA protocol terminates his decision on the prediction whether, in the Authenti-
within an expected constant number of iterations. cation Phase, R will accept the secret held by INT. We

45
denote continuation (resp. abortion) by Verification= 1 (Sh, Ret) is a (1 — c)-correct, t-resilient A-RS scheme for
(resp. O). n players if the following hold, for every t-adversary.
Authentication is initiated by R. The intermediary, ● Termination. Same as in the definition for AVSS
INT, is requested to participate. In this phase R re- (Definition 2).
ceives s’ from INT, and either accepts or rejects it. ● Correctness. The following holds, with probability 1–
We denote acceptance of a secret s’, (resp. reject) by c.
Authentication= s’ (resp. null). 1. If the dealer is honest, then each honest player, upon
The ICP has the following properties. completing protocol Ret, outputs the shared secret.
1. If D, holding secret s, INT and R are honest, then 2. Once The jirst honest player completes protocol Rec
Verification= 1 and Authentication= s. then a set S ~ F of size 2t + 1 is defined. Each honest
2. If INT and R are honest, and INT haa decided,in the player, upon completing protocol Ret, outputs a value r e
Verification Phase, to continue the protocol, then with s u {null}.
probability (1 – c), R will accept the secret received from ● Secrecy. Same as in the definition for AVSS (Defini-
INT in the Authentication Phase. tion 2].
3. If R and D are honest, and R accepted the secret s in
Our implementation. Sharing protocol. The
the Authentication Phase, then with probability (1 – c),
dealer, having a secret s, chooses values al, .... at c F
s originated with D.
with uniform distribution, and defines the polynomial
4. If D and INT are honest, then as long as INT has not
f(x) = a~zi + . . . + alz +s.(We call this process choosing
started the Authentication Phase, R has no in formatioil
a random polynomial f(x) The technique of using a
fors.
about the secret s.
t degree polynomial was introduced by Shamir [S].) Next,
We note that in the implementation that we use, each
phase involves sending only two messages, and the compu- for each i, the dealer sends /3i ~ f(i) to Pi. We say that
tational resources required of each player are polynomial pi is Pi’s share ofs. In addition, for each share pi and for
in log ~. each player F’j, the dealer executes the ICP-Generation
Phase (described in Section 4.1), with player Pi acting as
the Intermediary, and player Pj acting ss the Receiver.
4.2 A-cast
The ICP protocol will have the appropriate allowed-error
The asynchronous broadcast primitive (denoted A-cast) parameter e’ (we set d = +). We denote this execution
was introduced and elegantly implemented by Bracha of the ICP-Generation Phase by Gen~,i,j [~’] (pi). Next,

[Br]. Bracha’s A-cast protocol is ( (31 - 1)-resilient. each two players Pi and Pj execute the ICP-Verification
Phase, denoted Veri,j [c’], with respect to ~i. Once Pi
Definition 3 Let r be an n-player protocol initiated by successfully (i.e. with output 1) terminates 2t + 1 Ver-
a special player (called the sender), having input m (the ification Phases, he A-ca.sts( “OK” ,Pi ). A player com-
message to be broadcast). Protocol r is a t-resilient A-cast
pletes the sharing protocol upon completing 2t + 1 A-
protocol if the following hold, for every input, and every casts (“OK” ,...), Our protocol, denoted A-RS Share is
t-adversary. presented in Figure 1.
● Termination. Let r ~ t + 1. In the sequel we say that a sequence
1. If the sender is honest and all the honest players of shares, /31, ...1. P,, define a secret s, if there exists a
participate in the protocol, then each honest player will unique polynomial f(z) of degree at most i?, whose con-
eventually complete the protocol. stant term is s, such that ~(i) = /?i, for 1 < i < r.
2. If any honest player completes the protocol, then (We shall interchangeably say that “the shares define the
each honest player will eventually complete the protocol.’ polynomial f(z)”. )
● Correctness. If the honest players complete the pro- Reconstruction protocol. First, each player Pi
tocol, then they do so with a common output m“. Fur- He then executes the ICP-
A-casts his share, /3i.
thermore, if the sender is honest then m* = m. Authentication Phase with each other player, Pj. (We
denote this execution by Authi,j [c’].) For each player
We stress that the Termination property of A-cast is
Pj, whose share is accepted (namely, AUthj,i[~’] = betu; ),
much weaker than the Termination property of BA: for
player Pi A-casts (“Authenticates” ,Pi ,~~ ).
A-cast, we do not require that the honest players complete
Player P considers a share legal, if it is authenticated
the protocol when the sender is faulty.
by at least t+ 1 players, Once P has t+ 1 legal shares, he
computes the secret, If there exists a value which is sug-
5 Asynchronous Recoverable gested by t+ 1 players, then P output this value. Other-
wise, P outputs null. Our protocol denoted A- RS-Recon
Sharing — A-RS is presented in Figure 2.

Definition 4 Let (Sh, Ret) be a pair of protocols in Theorem 3 Let n z 3t + 1. Then for every e >0, the
which a dealer, D, shares a secret s. We say that pair (A-RS-Share[c] ,A-RS-Recon[c]) is a (1 – c)-correct,

46
 t-resilient A-RS scheme for n players.

Protocol A-RS-Share[~] Proof: Fix a t-adversary. Termination (l). When

the dealer is honest, the verification protocol of ICP be-
Code for the dealer, on parameter c and secret s: tween every two honest players will be successful (ICP

1. Choose a random polynomial, ~(~), for s, property 2, see Section 4.1). Therefore, each honest
player will have 2t + 1 successful verifications for its share.
2. Send /?i ~ f(i) to each player Pi. Thus, each honest player P will A-cast (OK, P) . Con-
sequent y, each honest player will complete 2t + 1 (OK,
Let c’~~. For each two players Pi and Pj
. . .) A-casts, and terminate.
execute GenD,i,j [t’] (Pi).
Termination (2). If an honest player has completed
Code for player Pi, with parameter e: A-RS-Share, then he has completed 2t + 1 (OK, . ..) A-
casts. By the definition of broadcast (Definition 3), each
3. For all j E [n]: Wait until Gen~,i,j [c’] is com- honest player will complete these 2t + 1 (OK, . ..) A-
pleted; then, initiate Veri,j [c’]. casts, and will thus complete A-RS-Share.
Termination (3). Let ,?3 be the event that ‘no er-
4. If Veri,j [/] = 1 for 2t + 1 players Pj, then
rors occur’ in all the invocations of ICP. Namely, for each
A-cast (OK , pi) .
two players Pi and Pj, if both Pi ad Pj are honest and
5. Upon completing 2t + 1 different A-cssts of Veri,j [6’] = 1 then Pi accepts /3j in Step 2 of protocol
the form (OK, . . .) , terminate. A-RS-Share; furthermore, if either the dealer or Pj are
honest, then the values accepted by Pi is the value that
Pj received from the dealer. We have that event E occurs
Figure 1: The A-RS sharing protocol with probability at least 1 – n2c’ = 1 – c.
By the properties of ICP (see Section 4.1), if Pi and
Pj are honest and Ver~,j [e’] = 1 in Step 3 of A-RS-
Share, then, conditioned on the event E, the player pj
will accept Pi’s share in Step 2 of A-RS-Recon. If an
Protocol A-RS-Recon[t] honest player Pi A-tasted (OK, Pi) in Step 3 of A-
RS-Share, then for at least t + 1 honest players, F’j, we
Code for player Pi, with parameter c: have Veri,j [d] = 1. Thus, conditioned on event E, these
t + 1 players will accept Pi’s share, and will broadcast
1. A-cast the share pi. (Pj authent i.cat es pi, ~~) in Step 2 of A-RS-Recon.
Consequently, Pi’s share will be considered legal by every
2. For each player Pj such that the ~j A-c~t is
honest player in Step 3 of A-RS-Recon.
completed, initiate Authj,i[d].
Now, if an honest player, P, haa completed the A-RS-
If Authj,i [/] = @j, then A-cast (Pi
Share protocol, then 2t + 1 players have A-tasted (OK,
authenticates Pj, /3j ) .
., .) in Step 3 of A-RS-Share. Out of these A-casts, at
3. Consider a share, ~j, legal, if at least t + least t + 1 have originated with honest players. Conse-
1 A-casts of the form (Pk authenticates quently, if event E occurs, then every honest player will
Pj, ~j ) have been completed. Create an in- have t + 1 legal shares in Step 3 of A-RS-Recon. In this
terpolation Set, ISi. Add every legal share case, P will have 2t + 1 suggested secrets, and will com-
to Is;. plete protocol A-RS-Recon,
Correctness (1). If the dealer is honest and event
4. Once llSi I = t + 1, compute the secret, E occurs, then for each honest player, Pi, each share Bj
s, defined by the shares in ISi. A-cast in .fSi originated with D (namely, /3j = f(j)). There-
(suggested secret, s) .
fore, the shares in ISi define the secret, s, shared by
the dealer, and Pi will A-cast (suggested secret, s)
5. Wait until completing 2t + 1 (suggested
Consequently, each honest player will complete 2t + 1
secret, . . .) A-casts.
A-casts, out of which at least t + 1 suggest the secret s.
If there is a value, s!, which appears in at
Hence, each honest player will output s.
least t + 1 such A-casts, then output s’.
Correctness (2). If a player, P, haa completed proto-
Otherwise, output null.
col A-RS-Recon, then he has completed 2t + 1 A-casts of
the form (suggested secret. .) Let S denote the
Figure 2: The A-RS reconstruction protocol set of 2t + 1 Suggested secrets in these 2t + 1 A-casts.
Clearly, at least t+ 1 out of the 2t + 1 A-casts completed
by each other honest player, P’, in Step 4 of A-RS-Recon,

,-
are of values in S. Thus, if some secret, r, appears t+ 1 Let ELGi be Pi’s dynamic set of players Pj whose
times in the A-casts completed by P’, then it must be ACCj A-cast hm been completed, and ACCj ~ COMi.
that r E S. We define the set ISj as the first 2t + 1 players in l?LGi.
Secrecy. If the dealer is honest and no honest player Once lELGil z 2t + 1, player Pi A-casts ISi. (This eli-
has initiated protocol A-RS-Recon, then any set of b < t gibility set, is the set of players whose share will
ELGi,
players have only b shares of the secret, along with the be later considered either legal or null. The interpolation
data received during the ICP generation and verification set, lSi, is the set of players whose shares will later define
protocols with respect to the other players’ shares of the the secret associated with Pi.)
secret. By the Secrecy properties of ICP and Shamir’s Let FINALi be Pi ‘S set of players Pj whose ISj
secret sharing scheme, this data is independent of the A-cast has been completed, and lSj ~ ELGi. Once
shared secret. 0 I.FINALil = 2t + 1 complete the sharing protocol. (This
final set, FINALi, is the set of players, with whom Pi
will later associate a secret,)
6 Asynchronous Weak Secret Reconstruction protocol. Remark: it will be seen
Sharing — AWSS that when player P executes the reconstruction protocol,
he essentially doubles up as each other player (namely, he
Definition 5 Let (Sh, Ret) be a pair of protocols in locally executes the protocols of the other players).
which a dealer, D, shares a secret s. We say that Initially, each player Pi reconstructs the values shared
(Sh, Ret) is a (1 – c)-correct, t-resilient A WSS scheme by each player Pj E ELGi, in the following manner. Re-
for n players if the following hold, for every t-adversary. call that each player in ELGi shared, in the sharing pro-
● Termination. Same as the definition of AVSS (Defi- tocol, values he received as an Intermediary of ICP, and
nition ,2). values he received as a Receiver of ICP. Player Pi first
● Correctness. invokes A-RS-Recon for all the values that the players in
1. If the dealer is honest, then with probability l–c each ELGi received as Intermediaries in ICP. Call these in-
honest player, upon completing protocol Ret, outputs the vocations of A-RS-Recon preliminary. For each player
shared secret. Pj E ELGi and for each P1 c ACCj, once all the prelim-
2. Once the first honest player completes protocol Sh, inary A-RS-Recons have been completed, Pi invokes the
then there exists a value s, such that with probability 1– ~ A-RS-Recons of (the rest of) the values shared by Pi. We
each honest player, upon completing protocol Ret, will note that the order in which the A-RS-Recons are invoked
output s or null. is crucial for the proof of the Correctness property of the
● Secrecy. Same as the definition of A W’S (Definition scheme.

2). For each player Pj E ELGi and for each player PI c

ACCj, once all the necessary values are reconstructed,
Our implementation. Sharing protocol. The dealer, simulate Authj,f [c’], in order to compute Pr’s result of
having a secret s, chooses a random polynomial ~(x) for Authj,l [c’]. Player Pi associates a value with player Pj in
the following manner: If Pi finds out that t + 1 players
s. Next, for each i, the dealer sends /3i ~ f(i) to Pi. In
addition, for each share @i and for each player Pj, the in ACCj have accepted ~j then he associates fij with Pj.

dealer executes the Generation Phase of ICP with player (We then say that f?j is legal). Otherwise, he associates
Pi acting as the Intermediary, and player Pj acting as the
the value “null” with Pj.

Receiver. (This part is the same as in A-RS-Share.) Now, for each player l’k 6 FINALi, once the values
Next, each player shares each value received from the associated with all the players in ISk are computed, if all
dealer (including the values received in the Generation the legal shares in lSk define a secret, s, then Pi considers
Phase of ICP), using A-RS-Share (Figure 1). Player Pi s to be the secret suggested by pk. Otherwise, the secret
creates a set, COMi. Once Pi completes all the A-RS- suggested by pk is null.

Shares of Pj’s values, Pj is added to COM~, (Players may Finally, Pi waits until the secrets suggested by all the
be added to COMi as long as the AWSS sharing protocol players in FINALi are computed. If all the players in
is being executed. We call such sets dynamic sets.) FINALi suggest the same secret, s, Pi outputs s. Oth-
For each player Pj c COMi, player Pi initiates the erwise, Pi outputs null.
Verification Phase of ICP for pi with Pj, and with the
appropriate allowed-error parameter, ./. (We denote this
Theorem 4 Let n ~ 3t + 1. Then for every c >0, the
execution by Veri,j [d]).
pair (AWSS-Share[c] ,AWSS-Recon[c]) is a (1 – c)-correct,
Let ACCi be Pi ‘S set of players Pj such that Veri,j [t’] =
t-resilient A WSS scheme for n players.
1. Once lACCil = 2t + 1, player Pi A-c&s ACCi. (This
accept ante set, ACCi, is the set of players who will later
accept /3i.) Proofi See our Technical Report [CR].

48
6.1 Two&Sum Asynchronous WSS holds because of the following reason. For each player
Pj EFINALithere exists at least one honest player, who
In the AVSS scheme we will need the following variation of
has confirmed him. Thus, there exists a t-degree polyno-
an AWSS scheme: A dealer shares three secrets: S1, S2, S3,
mial, h(x), such that rj, together with at least 2t other
such that S3 = S1 +s2. The sharing of these secrets should
values, define the polynomial h(z). We say that h(z) is
have the properties of the AWSS scheme; In addition, the
associated with P1. It can be easily seen that all the poly-
following requirements should hold:
nomials associated with all the players Pj c FINA Li are
1. If we reconstruct either S2 or SI + S2, then the faulty
identical.
players have no information about S1.
Reconstruction protocol. The reconstruction pro-
2. Let ri be the value set once the first honest player
tocol is simple. The shares of all the players are recon-
completes the sharing of Sj. Then, either rl + r2 = r3, or
structed using AWSS-Recon. Once t+ 1 shares in FINALi
at least two of {rl, rz, rs} are null.
are reconstructed, player Pi computes the secret defined
An implementation of this scheme, denoted Two&Sum-
by these shares, and terminates. (Recall that the shares
AWSS, is a straight forward generalization of our AWSS
of all the players in FINALi define a secret. Thus, this
scheme. The scheme is based on the synchronotis
secret can be computed based on any t+ 1 of these shares.)
Two& Sum-WSS presented in [R2]. We present our
scheme in [CR]. Theorem 1 Let n ~ 3t + 1. Then for every c >0, the
pair (AVSS-Share[c] ,AVSS-Recon[c]) is a (1 – e)-correct,
t-resilient AVSS scheme for n players.
7 Asynchronous Verifiable Secret
Proof: See our Technical Report [CR]. We note that
Sharing — AVSS showing that the sharing protocol terminates in constant
time (given that all the honest player complete the pro-
Our implementation. In this extended abstract we tocol) requires subtle arguments.
only sketch our construction. For full details see our Tech-
nical Report [CR].
Sharing protocol. The sharing protocol consists of two 8 Global Coin from AVSS
phases: in the first phase, the dealer sends shares to all
the players. In the second phase, the players verify that Definition 6 Let x be a protocol, where each player has a

their shares define a unique secret. random input, and outputs a value in {O, 1}. We say ihat

The dealer, having a secret s, chooses a random poly- r is a (1 – c)-terminating, t-resilient global coin protocol if

nomial ~(z) for s. Next, for each i, the dealer sends the following hold, for every t-adversary.
. Termination. With probability 1 – e, all the honest
pi fi f(i) to pi. (We say that & is Pi’s share of the
players terminate locally.
secret.) In addition, the dealer chooses an appropriate
● Correctness. For every value u ~ {0, 1}, with proba-
number of random polynomials g(z) of degree t. For
bility at least ~ all the honest players output U.
each such polynomial g(z), and for each i, the dealer
sends g(i) to player Pi. Upon receiving all the expected An implementation. Our construction follows the
values from the dealer, each player shares the values outline of Feldman’s construction. However, several mod-
{~(i), 9(i)1 ?(0+9(0} for each polynomial 9(~), using the ifications have been introduced. In this extended abstract
Two&Sum AWSS sharing protocol with the appropriate we only sketch this construction. For full details see our
allowed-error parameter (see Sect ion 6.1), Technical Report [CR]. Roughly speaking, the protocol,
Next, the dealer proves to each player, using a cut- denoted Global-Coin [c] (with ‘termination parameter’ e),
and-choose method (as in [BGW,CCD,Fe,FM]), that the consists of four stages. First, each player shares n ran-
shares of the players indeed define a secret. Once a player dom secrets, using the AVSS-Share protocol of an AVSS
is convinced that the shares of 2t+l players are acceptable scheme. (These AVSS-Shares are invoked with the appro-
(namely, the Two& Sum-AWSS-Share of these shares are priate ‘allowed error’ parameter, which is a function of c.)
completed, and the values set by the Two& Sum-AWSS- We say that the ith secret shared by each party is assigned
Shares of these shares, define a secret), he confirms these to player Pi. Once a player completes n – t AVSS-Share
players by A-casting their identities. Once a a player, protocols of secrets assigned to him, the player A-casts
Pi, completes 2t + 1 A-casts in which the player P is the identity of the dealers of these secrets. (Later, the
confirmed, he adds P to his final set, FINALi. Once value associated with this player will be computed based
FINALi contains 2t + 1 players, player Pi completes the on these secrets. )
sharing protocol. Once a player is assured that enough players have A-
For each player Pj 6FINALi let rj be the values set casted their set of assigned secrets, he starts reconstruct-
by the AWSS-Share of Pi. Note that the values rj of ing the relevant secrets. C)nce all these secrets are recon–
the players Pj EFINALi define a secret; furthermore, the strutted, each player locally computes his output based
values in all the FINALi’s define the same secret. This on the reconstructed secrets.

49
 For the proof of correctness, we show that once some A-casts his re-vote, along with the identities of the n – t
honest player completes the A-cast of the secrets assigned players whose A-tasted votes were used to compute the
with player P, a random value, VP, is fixed. With over- re-vote, and waits to receive n – t other re-votes that are
whelming probability, the value that each honest player consistent with the consistent votes of the second round.)
will later associate with P will be VP. Now, each honest Now, if all the consistent votes received by a player
player Pi computes his output based on the values ZSSG agree on a value, a, then this player outputs (u, 2). Oth-
ciated with the parties in some set, S’i, of size n — t. We erwise, if all the consistent re-votes received by the player
show that once the first honest player starts reconstruct- agree on a value, a, then the player outputs (a, 1). Oth-
ing secrets, a large enough “core” set, C, of players is erwise, the player outputs (O, O).
fixed. Each honest player will have C C Si. We use these
facts to show that for each value a G {O, 1}, with large
9.2 The Byzantine Agreement protocol
enough probability all the players output v.

Theorem 5 Let n > 3t + 1. Then, for every c > 0

Protocol BA[~](~i)
protocol Global-Coin[e] is a (1 – c)-terminating, t-resilient
global coin protocol for n players.
Code for player Pi, on input xi, and parameter c:

Proof: See our Technical Report [CR]. 0 1. Set 7’-1. Set ~1 -Zi.

Repeat until terminating:

9 Byzantine Agreement from
2. Set (~,, m,) =Vote(v,).
Global Coin (Namely, invoke protocol Vote with input v,;
once the protocol is completed, let (y~, mr )
Before describing the Byzantine Agreement protocol, let
be the outputs.)
us describe another protocol used in our construction.
This protocol, denoted Vote, does ‘whatever can be done 3. Wait until (yr, m, ) are computed. Then, set
deterministically to reach agreement’. Cr =Global-Coin[~].

(a) If mr = 2, set V,+l + V. and A-cast

9.1 The voting protocol (Terminate with yr ) .
Participate in only one more Vote protocol
Each player’s input of the Vote protocol is a binary value.
and only one more Global-Coin
Each player tries to find out whether there exists a major-
protocol.
ity for some value among the inputs of the players. More
precisely, each player’s output of the Vote protocol has (b) If m, = 1, set Vr+l + y,.
two fields: the first field is the ‘majority vote’ (i.e., a value (c) Otherwise, set Vr+l t cr.
in {(I, 1}). The second field is the ‘majority parameter’.
A majority parameter 2 stands for ‘overwhelming major- ● Upon receiving t + 1 (Terminate with a)
ity’; majority parameter 1 stands for ‘distinct majority’; A-casts for some value u, output a and ter-
majority parameter O stands for ‘no distinct majority’. It minate.
will be shown that the difference in the majority param-
eter of every two honest players is at most 1, and no two
honest players recognize a distinct majority for different Figure 3: The Byzantine Agreement protocol
values. Furthermore, if all the honest players have the
same input, c, then all the honest players will recognize
an overwhelming majority for u. The Byzantine Agreement protocol proceeds in itera-
The protocol consists of three ‘rounds’. In the first tions. In each iteration, each player has a ‘modified in-
round, each player A-casts his input value, waits to re- put’ value; in the first iteration, the modified input of
ceive n — t other inputs, and sets his vote to the majority each player is his local input. In each iteration the play-
value among these inputs. In the second round, each ers invoke two protocols: Vote and Global-Coin. Protocol
player A-casts his vote (along with the identities of the Global-Coin is invoked only after protocol Vote is com-
n – t players whose A-tasted inputs were used to compute pleted. If a player recognizes a ‘distinct majority’ for
the vote), waits to receive n –t other votes that are consis- some value, u, in the output of protocol Vote (namely
tent with the A-tasted inputs of the first round, and sets output (u, 1) or (u, 2)), then he sets his modified input
his re-vote to the majority value among these votes. In the for the next iteration to a. Otherwise, he sets his mod-
third round each player repeats the same procedure with ified input for the next iteration to be the output of the
respect to the A-tasted re-votes. (Namely, each player Global-Coin protocol.

50
 Once a player recognizes an ‘overwhelming majority’ [Br] G. Bracha, “An Asynchronous [(n - 1)/3J-resilient
for some value, a, (namely, output (a,2) of protocol Consensus Protocol”, 3rd PODC, pp. 154-162, 1984.
Vote), he A-casts a. Once a player completest+l A- [CR] R. Canetti, and T. Rabin, “Optimal Asynchronous
casts for some value, o, he terminates with output a. Byzantine Agreement”, Technical Report #92-15, CS
The code of the Byzantine Agreement protocol ispre- Department, Hebrew University, 1992.
sented in Figure 3. [CCD] D. Chaum, C. Crepeau and I. Damgard, “Multiparty
Unconditionally Secure Protocols”, 20th STOC, pp.
Theorem 2 Let n ~ 3t + 1. Then, for every E >0 proto- 11-19, 1988.
col BA[c] is a ( 1 —c)-terminating, t-resilient, asynchronous
[CGMA1 B. Chor, S. Goldwasser, S. Micali and B. Awerbuch.
Byzantine Agreement protocol for n players. Given that ‘Verifiable Secret Sharing and Achieving Simultaneity
the players terminate, they do so in constant expected in the Presence of Faults”, 26th FOCS, pp. 383-395,
time. Furthermore, the computational resources required 1985.
of each player are polynomial in n and log ~.
[CD] B. Chor and C. Dwork, “Randomization in Bysantine
Agreement”, Advances in Computing Research, Vol. 5,
The proof of Theorem 2 is presented in [CR]. The follow- pp. 443-497, 1989.
ing claims are the milestones of this proof.
[Fe] P, Feldman, “Asynchronous Byzantine Agreement in
Constant Expected Time”, unpublished manuscript,
Claim 1 Let k ~ O, and assume that all the honest play-
1989.
ers complete the kth invocation of Global-Coin. Then the
[FM] P. Feldman, and S. Micah, “An Optimal Algorithm For
execution of the kth iteration of protocot BA terminates
Synchronous Byzantine Agreement”, 20th STOC, pp.
m constant time.
148-161, 1988.

[F] M. Fischer, “The Concensus Problem in Unreliable

Claim 2 For each k >0, the probability that all the play-
Distributed System”, Technical Report, Yale Univer-
ers complete the kth iteration (namely, compute vk+l),
sity, 1983.
given that all the players complete all the previous itera-
tions, is at least 1 – ~. [FLP] M. Fischer, N. Lynch and M. Paterson, “Impossibility
of Distributed Consensus with One Faulty Process”,

Claim 3 For each k >0, the probability that all the play- JA CM, Vol. 32, no. 2, pp. 374-382, 1985.

ers have the same vk+l value, given that all he players [KYl A. Karlin and A. Yao, “Probabilistic Lower Bounds for
complete the kth iteration (namely, compute Vk+l)j is d Byzantine Agreement”, unpublished manuscript, 1986.

least ~. [PSL] M. Pease, R. Shostak and L. Lamport, “Reaching

Agreement in the Presence of Faults”, .lA CM, Vol. 27
No. 2, pp. 228-234, 1980.
Acknowledgements
[Rl] M. Rabin, “Randomized Byzantine Generals”, 24th
A special thank is due to Michael Rabin for his patience FOCS, pp. 403-409, 1983.
and wise advice. In addition we thank Oded Goldriech
[R2] T. Rabin , “Robust Sharing Of Secrets When The
and Michael Ben-Or for commenting on our drafts. Fi- Dealer Is Honest Or Faulty”, Masters Thesis, Hebrew
nally, we warmly thank Boaz Kelmer. University, submitted for publication to the JA CM.

[RB] T. Rabin and M. Ben-Or, “Verifiable Secret Sharing

and Multiparty Protocols with Honest Majority”, 21st
References
STOC, pp. 73-85, 1989.

[Ahf] H. Attiya and hf. Mavronicolas, “Efficiency of Semi- [Sh] A. Shamir, “How to share a secret”, CA CM, VOL 22,
Synchronous versus Asynchronous Networks,” Mathe- No. 11, pp. 612-613, 1979.
matical Systems Theory, to appear. Preliminary ver-
sion in proceedings of the 28th annual Allerton Con-
ference on Communication, Control and Computing,
October 1990, pp. 578-587.

[BCG] M. Ben-Or, R. Canetti and O. Goldreich, “Asyn-

chronous Secure Computations”, submitted to these
proceedings.

[BE] M. Ben-Or and R. E1-Yaniv, “Interactive Consistency

in Constant Time”, submitted for publication, 1991

[BGW] M. Ben-Or, S. Goldwasser and A. Wigderson, “

Completeness Theorems for Non-Cryptographic Fault-
Tolerant Distributed Computation”, 20th STOC, pp.
1-10, 1988.

51