 Hello everyone, welcome to this presentation, I'm Czenda from ETH Zurich, and I'm going to talk about a synchronous Byzantine agreement with sub-quadratic communication, and this is joint work with Erika, John and Julian from the University of Maryland. Byzantine agreement is a fundamental primitive in distributed computing. It is used in many contexts, such as multi-party computation, voting, secret sharing, and many other applications. It allows a set of parties, each with an input, to agree on a common value. Moreover, if all honest parties start with the same input x, then they agree on x. And these two properties, called consistency and validity, hold even when some of the parties misbehave during the protocol execution. In large-scale systems and applications where the number of parties is substantial, it is important to understand how the communication complexity grows in terms of the number of parties. In this paper, we investigate whether one can achieve low communication when the network is completely asynchronous, meaning that the adversary has full control over the network, but messages sent by honest parties are eventually delivered. More concretely, we investigate the following question. Is there an asynchronous Byzantine agreement protocol with sub-quadratic communication that tolerates a linear number of adaptive corruptions? And note that in a protocol with sub-quadratic communication, we cannot afford that every party sends a message to every other party, because this would be n-squared already. And we answer this question by showing feasibility and impossibility results. On the one hand, we provide a protocol with sub-quadratic communication that uses a trusted dealer as setup. The protocol assumes security ratios and an adversary that cannot take back messages sent by honest parties. On the other hand, we give an impossibility result that shows that some form of setup is needed if the protocol has sub-quadratic communication. And this holds even assuming secure erasures, secret channels, and the same type of adversary. Most of the previous Byzantine agreement protocols, like the words by King Anzaya, Michali, or Abraham et al., are synchronous or partially synchronous. There is a recent paper by Kohenet Al that gives a sub-quadratic asynchronous VA but where the adversary has restricted scheduling power. In particular, the adversary cannot reorder messages sent by honest parties in the same protocol step. Let me start with the feasibility result. It achieves an almost optimal corruption threshold since we know from traditional results that tolerating n-third corruptions or more is impossible even with setup and even against static corruptions. The protocol relies on two building blocks, each of independent intervests. The first building block is a one-time Byzantine agreement. This is a Byzantine agreement protocol that assumes an initial non-reusable setup. The VA has sub-quadratic communication complexity and small setup size depending on the security parameter kappa. The second building block is an asynchronous NPC protocol that also assumes some setup. Both setups together constitute what the trusted dealer generates initially for the overall protocol. And the task of the NPC protocol is to emulate the trusted dealer functionality and generate the setup for the next protocol invocation. For this particular trusted dealer functionality we achieve an NPC protocol with sub-quadratic communication and with small setup size. This approach gives a protocol that supports an unbounded number of Byzantine agreement invocations where each invocation has sub-quadratic communication. And as a side remark one can generate the initial setup with a setup-free NPC protocol which will be expensive but only use once. This course will be amortized with sufficiently many VA invocations and leads to a setup-free protocol that supports an unbounded number of BAs with amortized sub-quadratic communication. And in the following I will explain how each of the building blocks are instantiated. First comes the one-time Byzantine agreement protocol. Note that a deterministic solution is not possible due to the FLP impossibility result in the asynchronous model. Our protocol is therefore randomized and actually follows the traditional Feldman-Mikali or Kaneti-Rabin approach of iterating an instantiation of graded consensus followed by a Cointos protocol. Graded consensus is a primitive that gives a weak notion of agreement. Each party outputs a value and a grade that can be zero or one that intuitively indicates the confidence that the party has on the output value. And grade zero means that the party is not confident and grade one means that the party is confident and the guarantees of graded consensus are as follows. If all honest parties start with the same bit then all honest parties output this bit with grade one and moreover if there is an honest party that outputs with grade one this means that all honest parties are in agreement. And our graded consensus protocol is a player-replaceable version of Kaneti-Rabin's protocol achieving sub quadratic communication. And after the graded consensus we run a Cointre protocol which essentially gives to all parties the same uniform random bit. Then what the parties do is they iterate invocations of graded consensus and coin flip where each party adopts the value of the coin if the party had grade zero and otherwise they keep the value from graded consensus for the next iteration. In order to achieve sub quadratic communication we use a trusted dealer that generates some setup. The setup for graded consensus consists of a sequence of random subsets of kappa parties, the committees, where each party in a committee has a proof that it was elected for the committee. Then in each step of the protocol a designated committee is in charge of sending messages to all parties. And given that the protocol has a constant number of steps the message complexity is sub quadratic. The setup for the coin flip simply has the trusted dealer compute a random coin value and a random committee. And then it computes shares and gives a share of the uniform random value to each party in the committee. So the coin flip protocol simply consists of each party sending the share to every other party and parties reconstructing the random coin which will be the same if the committee has an honest majority. And since the number of iterations is bounded by kappa then the communication complexity is poly kappa times n and the size of the setup is poly of kappa. The second building block is an npc protocol. This allows the parties to correctly compute a function without revealing their inputs except from what the output. And in an asynchronous network it is known that it is not possible to include all parties inputs into the computation. So we say that an npc has l output quality if the number of inputs included into the computation is at least l. And the set of inputs that are actually included is chosen by the adversary. Our protocol uses an agreement on a common subset primitive sometimes also called asynchronous common subset or core set agreement. And in this primitive each party starts with an input and they jointly agree on the same multi set s of size at least l which is a parameter of the protocol. And also within the set s at least l minus f of the values are inputs from parties that were honest at the start of the execution. And one can think that such a protocol can be implemented using o of l Byzantine agreement protocols. And using the one time pa protocol that we explained before one achieves a setup size of o of l times kappa and a communication complexity of o of l times size of the input times poly kappa n. Now we are ready to explain the npc protocol. The protocol uses threshold fully homomorphic encryption as a tool and follows the grammar Damgar Nielsen approach of letting parties evaluate the function over encrypted inputs and then jointly decrypting the final side project. As mentioned before the npc uses setup as well. And first it has a setup for acs since it is used as a sub protocol. Then it generates a random committee of size kappa. And then the keys for the threshold FHE scheme and all parties receive the public key ek and each party pi in the committee receives the secret key share ek i. Finally the setup also includes an encryption of a random value under the public key ek which I denote as r under the square bracket. Now fix a possibly randomized functionality g that parties want to compute and without generality assume that g uses say kappa random bits it uses more one can always use a prg. So to compute g each party first encrypts its input using the public key ek and invokes the acs protocol with the encrypted input. Protocol outputs the same set s with at least l encrypted inputs. And now parties evaluate the function g under the FHE using the inputs that made it into the set s and the random encryption of the setup. Then the parties in the committee execute a decryption subroutine where each party in the committee simply computes a decryption share of the ciphertext and distributes the share to all parties. And finally each party reconstructs the output upon receiving enough shares. The decryption omitted some details which can be found in the paper like the zero knowledge proofs that parties need to execute to avoid cheating and also the erasure steps to achieve adaptive security. And overall one can see that the setup size is that of acs which is l times poly kappa and a bunch of other elements with size poly kappa. And for the communication complexity in the decryption step kappa parties send the output ciphertext to all parties. So that is all times poly kappa n where all is the size of the output. And then in addition one has the acs sub protocol which is l times size of the input times poly kappa n. For the case of trusted dealer functionalities where the function to evaluate only takes as input random bits actually the acs step is not needed. So the setup for npc is only poly kappa which is the same size as the setup for ba. This means that the output size of the npc is poly kappa as well so the communication complexity is sub quadratic in this case. Now we move to impossibility results. Let me first mention some lower bounds in the literature. The first lower bound in this direction was the dollya pryshuk lower bound which shows that every deterministic protocol needs to send at least a quadratic number of messages. This lower bound was later improved by abraham et al to also consider randomized protocols. Both lower bounds hold even under a synchronous network. However they use the fact that the adversary can perform after the fact removal meaning that even after an honest party sent a message the adversary can adaptively corrupt the party and get back the message. In our lower bound the adversary plays with an asynchronous network and has to eventually deliver the messages sent by honest parties. It cannot take them back. Our lower bound also holds for randomized protocols and even if we assume erasures and secret channels. However it is only stated for protocols that have no setup. In a recent work rambaud showed a slightly stronger lower bound that holds even in the partially synchronous model and where parties have access to an idealized pki. Now I proceed to show our lower bound. The strategy is to assume the existence of a protocol with sub quadratic communication complexity and then to consider different scenarios to reach contradiction. In the first scenario in blue all parties are honest and have input 1. And it will be helpful to divide the parties into two sets s and s prime where the set s contains as many parties as half the corruption budget. Since all honest parties have input 1 validity ensures that all honest parties output 1 as well in particular all parties in s output 1. And we consider the third scenario in green where parties in s are corrupted and crash at the beginning of the execution. We call that the size of the set s is half of the corruption budget. So the adversary can definitely afford to corrupt all parties in s. And again since all honest parties have input 0 validity ensures that all parties in s prime also output 0. Now we consider a middle ground scenario where we will manage to make an honest party in s output 1 and honest parties in s prime output 0. Therefore violating consistency of the protocol. The idea is that since the protocol has sub quadratic complexity and the size of the set s is linear we call half of the corruption budget. Then most parties in s will communicate with a sub linear number of parties. Then the adversary can choose a party in s uniformly at random. We denote p and p will communicate with very few parties. And now the adversary corrupts all other parties in s and will try to fool p to output 1 by emulating towards p the messages as in the blue scenario and will also fool the honest parties in s prime to output 0 by emulating the messages as in the green scenario. So more concretely whenever p intends to send a message to a party in s prime the adversary interrupts this communication and also emulates the blue messages towards p. Note that since the channels are secret at this point the adversary doesn't learn what p sent but what the adversary can do is to delay these messages, delay this message and first corrupt the recipient. Then he delivers the message to the corrupted recipient allowing the adversary to learn the content of the message. And now the corrupted recipient can emulate the blue execution towards p and it also of course emulates the green execution towards all parties all honest parties in s prime. Also whenever an honest party in s prime intends to send a message to p the adversary delays this message, corrupts the sender and instead sends a message according to the blue execution to p. The green message is still in the network and is delivered only after p terminates. Then the the corrupted sender also emulates green messages towards honest parties in s prime. So observe that the adversary can corrupt all parties that communicate in one way or in another with p because p communicates with very few parties. Then from the point of view of p all he gets are blue messages so he will behave as in the blue execution and output one. And similarly all honest parties in s prime get green messages from parties in s prime and their view is the same as in the green execution meaning that they all output zero and therefore consistency is broke. Here you can find the link to the full version of the paper and the references. Thank you very much for listening and I hope to see you all at the online conference.