 Hello everybody, my name is Giovanni Deligios, I'm a PhD student at ETH in Zurich and it's a pleasure for me today to be presenting joint work that was carried out with Martin Hirt and Chandli Uzzang, while at ETH. The title of the work is Round Efficient Synchronous Byzantine Agreement and Multi-Party Computation with A Synchronous Fallback. I'll begin by providing some motivation for our work and then I'll dive into some more detail into the main results. We deal with two prominent problems in distributed computing and cryptography, namely the problem of Byzantine Agreement and the problem of multi-party computation. A quick reminder, in Byzantine Agreement a set of N parties, each holding an input VI in 0 or 1, want to agree on a common output in 0 or 1, despite the fact that a fraction of the parties might be corrupted by an adversary and actively misbehaving and deviating from the protocol. In multi-party computation, which is a more general problem which includes Byzantine Agreement as a special case, a set of N parties, each holding an input in 0 or 1, want to compute a common function of their inputs without revealing anything about their inputs that could not be inferred by looking directly at the output of the computation. When designing protocols to solve these problems, one needs to make assumptions about the network infrastructure that is available to the parties performing these protocols. And typically in the literature, two of the most prominent models that are considered are the synchronous model in which parties are assumed to have synchronized clocks and furthermore it's assumed that each message sent by a party is delivered within a certain and known delay delta which is known to all parties and can be used in the design of protocols or another prominent model that is also assumed is the asynchronous model in which both of these assumptions are dropped and we assume that the adversary has the power of arbitrarily delivering the messages that are sent by honest parties and parties do not have access to synchronized clocks and the only assumption that we keep in this case is that all messages sent by honest parties are eventually delivered by the adversary. It is not uncommon in both of these scenarios to assume that parties have access to authenticated channels and we're gonna keep this assumption as well. The security guarantees that can be achieved in these two different models are different and in the synchronous models both BA and MPC protocols can be achieved which are secure up to n-half score options but the problem is that as soon as the synchrony assumptions on the network are violated then all security guarantees tend to be lost pretty quickly and in the asynchronous model on the other hand the protocols that are designed are robust even in unpredictable networks but on the other hand the security guarantees that can be achieved are significantly weaker for example BA and MPC protocols can only be achieved up to n-third corruptions so when deploying protocols in real-life networks which can be typically fast but experience occasional congestures or failures or delays then one is faced with a dilemma or whether modeling this network as a synchronous network and deploying protocols that are designed in the synchronous model therefore risking catastrophic security failures when the network experiences delays or whether to model this network as an asynchronous network and deploy the more robust protocols that are designed in the asynchronous model and then do not exploit the extra security guarantees that one could achieve by the fact that the network is usually fast so it's quite natural to ask the question of whether one could be able to design BA and MPC protocols that are secure for the maximum threshold corruptions in both the synchronous model and the asynchronous model a recent line of work starting in 2019 with the work of bloom cuts and loss and that was carried on in 2020 by the work of bloom Liu Zhang and loss answered both of these questions affirmatively under some proven to be optimal threshold assumption and that is that the number of corruptions when the network is asynchronous plus two times the number of corruptions when the network is synchronous must be smaller than n and that the number of corruptions when the network is asynchronous must be smaller or equal than the number of corruption when the network is synchronous when the network is asynchronous we refer to around as a time interval of length delta and since parties have access to synchronized clocks then they also have agreement on the current round they're currently in round complexity that is the number of rounds required by a protocol to terminate is often used as a measure of efficiency of protocols and our goal in this project is to improve on the round efficiency of known BA and MPC protocols known in the hybrid realm so super quick I would like to give an overview of where the room for improvement in these protocols is let's start talking about Byzantine agreement protocols so purely synchronous Byzantine protocols achieving constant rounds are divided into two main categories there are Monte Carlo type protocols which run in a fixed number of rounds and achieve security up to a small error probability so this type of protocol as a round complexity which is constant in a security parameter and then there's Las Vegas type protocols and these are protocols that whenever they terminate they achieve security but they only terminate with probability one and in this case they run with an expected constant number of rounds on the contrast protocols for BA that function in this hybrid realm that we've introduced they have a round complexity which is linear in the number of party participating in the protocol so this is one of the places where there's room for improvement and now if we have a look at MPC protocols whose round complexity is typically calculated in terms of all to all broadcast rounds in the literature purely synchronous MPC protocols typically require a constant number of all 12 broadcast rounds while the known MPC protocols in the hybrid realm require a number of broadcast rounds that is linear in the depth multiplicative depth of the circuit to evaluate so this is the second place where there is room for improvement and in both cases we provide positive results meaning that we show the first known BA protocol which is secure when run over a synchronous network and is also secure when run over an asynchronous network and that requires a constant number of rounds when the network is a synchronous and we provide both flavor of these BA protocols that is a version with probabilistic termination and a version running in a fixed number of rounds and for MPC we provide the first known MPC protocol which is secure when run over a synchronous network and remain secure when run over an asynchronous network and at the same time as a number of all to all broadcast rounds which is not depend on the depth of the circuit to evaluate I will now dive into a little bit more depth in our constructions for Byzantine agreement protocols but before I do that I think it's useful if we briefly recall the main properties that are desirable from a Byzantine agreement protocol as you recall a Byzantine agreement protocol is run between n parties of which each party holds an input in zero one and each party produces an output upon terminating the protocol and that output is going to be either a bit zero one and we allow for an extra symbol called top that is going to have the function of basically signaling when parties detect then the network they are running the protocol in is indeed asynchronous typically there are two main properties we require the validity property and the consistency property the validity property guarantees that if parties honest parties at least have pre-agreement on a certain bit before executing a BA protocol then they're going to preserve this agreement and they're all going to output this bit at the end of the protocol while the consistency property guarantees that even if parties are not in agreement before executing a protocol they will be upon terminating the protocol so it guarantees that each honest party outputs the same bit and in our case also we allow for parties to all output the same top symbol since we're going to allow in our protocols for this unusual output behavior we introduce the liveness property which guarantees that under certain conditions parties do not output this extra symbol top and that is they really output a bit in zero one and we're going to see that we require protocols to have this liveness property only when the network is synchronous so that when the network is synchronous in the in the BA protocols achieve the same guarantees that are usually achieved by synchronous protocols in the literature another kind of validity property that we can require from BA protocols is a weak validity and that means that if parties do have agreement on a bit before executing a protocol then they either output this bit or they output this top symbol and we're going to see that we require this weaker form of validity from protocols when the network is asynchronous to achieve a BA protocol that is secure up to TS corruption when the network is synchronous and that is also secure up to TA corruption when the network is asynchronous and I recall that by security mean that it achieves the validity and consistency guarantees the main idea is to run two BA protocols in succession and this idea is due to bloom cuts and loss and it was first published in 2019 and from the synchronous BA protocol we require security when the network is synchronous up to TS corruptions and from the asynchronous protocol we require security when the network is asynchronous up to TA corruptions but also from these two protocols we require some extra security guarantees that protocols would not typically achieve and that is that from the synchronous protocol we require that when the network is asynchronous it also achieves this form of weak validity that we discussed before and from the asynchronous protocol we require that when the network is synchronous it achieves validity and termination up to TS corruptions and please recall that TS is generally larger than TA so this is not a trivial property to achieve for an asynchronous protocol if indeed we have protocols with these extra properties then we can do a quick analysis to show that indeed this construction actually achieves security so if parties do have pre-agreement on a bit and the network is synchronous then this pre-agreement is going to be maintained so the parties will all output a bit and then we'll run the asynchronous protocol again with pre-agreement and thanks to the validity plus termination property they're going to output the same bit on the other hand if the network is synchronous and parties do not have agreement on a bit then they will have agreement on a bit by the end of the synchronous protocol because his protocol is secure and then this agreement is going to be preserved by the asynchronous protocol and its validity property when the network is asynchronous on the other hand basically all the security guarantees fall on the asynchronous protocol and the only thing that the synchronous protocol guarantees is that indeed if parties do have pre-agreement on a bit then this agreement is not broken by running the synchronous protocol because this protocol achieves weak validity in an asynchronous network that means that if parties output the symbol top from this protocol then they're going to go back and use their previous input vi as input to the second asynchronous protocol so they're still going to have pre-agreement upon entering the asynchronous protocol and then the security of the asynchronous protocol is going to guarantee that indeed the security is achieved for the whole construction and now that we have introduced this high level idea we're going to observe that in the original construction by bloom cuts and loss these two ba protocols with extra properties were actually instantiated through some construction and the synchronous one in particular was achieved by a slight modification of the original Dulev strong protocol which requires a linear number of rounds in the number of parties participating in the protocol on the other hand the asynchronous protocol that they use already achieves a constant number of rounds when the network is synchronous so the focus of our work is going to be of actually providing a construction for the synchronous portion of this compiler that runs in constant rounds and we're going to have to show a ba protocol that is securing asynchronous networks up to ts corruptions and that achieves ta weak validity also when the network is asynchronous so this is what i'm going to do next but to discuss our construction I first have to introduce a different type of agreement primitive which is sometimes known in the literature as crusaders agreement but that has mostly been called lately weak consensus and weak consensus primitives they are very similar to Byzantine agreement primitives but they have a relaxed consistency property so instead of asking for all honest parties to output the same the same output at the end of the protocol we're going to relax this property and we're only going to require that parties do not output contradicting bits at the end of the protocol now if the output set was only zero and one this would be the same as asking the traditional consistency property but if we enlarge the output set to include other values and in particular we allow the top value from before and now also a new value bottom then this property is a strictly weaker than requiring normal consistency I now introduce our construction which is an adaptation of an idea originally due to Feldman and Michali in the purely synchronous setting the idea is the following parties run in succession many iterations each iteration consists of an execution of a weak consensus protocol followed by a common coin toss in vocation a common coin toss is simply a functionality that outputs a uniformly common random bit and that can only invoke if at least one honest party wishes to do so this kind of functionalities can easily be implemented through distributed protocols but in our paper we assume an ideal functionality with these properties in the purely synchronous setting the idea behind this construction is that if parties output a bit from the weak consensus protocol then they keep this bit as output of the whole iteration on the other hand if parties output the bottom symbol as output of the weak consensus protocol then they're gonna take the common coin value as output of the whole iteration instead now since weak consensus preserves pre-agreement if parties do have pre-agreement on a common bit then this pre-agreement is never gonna be broken because they will just ignore the value of the common coin on the other hand if parties do not have pre-agreement on a bit then in each iterations they will reach agreement with probability at least one half that is the probability that the common coin value matches the output of the parties that did output a bit from the weak consensus protocol and remember that parties never output contradicting bits from a weak consensus protocol so all parties output the same bit or the bottom symbol so the problem is that when trying to transport this construction in the setting where you don't know what the network conditions are before executing the protocol you have no way of knowing whether if you don't receive a message you didn't receive this message because the network is asynchronous and the adversary drops this message or if the network is synchronous and simply the party sending the message was corrupted and he never sent the message in the first place so the way we circumvent this problem is as follows instead of just allowing parties to have one abort behavior in the weak consensus protocol that is by outputting the bottom symbol we allow honest parties to have two different abort behaviors in the weak consensus protocol that is either output the bottom symbol or outputting a top symbol and the difference is that we're able to throw some kind of detection in the protocol to make sure that when the network is synchronous parties never output the top symbol and when the network is asynchronous parties never output the bottom symbol so now the way we can recover the previous construction is as follows when parties output the bottom symbol they will take as output of the whole iteration simply the value of the common coin and when the parties output the top symbol they will simply take their original input as output of the whole iteration now remember that when the network is asynchronous we only care for weak validity so this makes sure that if parties have pre-agreement they will all output either the pre-agreed upon bit or the top symbol and in either case they will take their original input as output of the iteration and preserve the pre-agreement through successive iterations so next i'm gonna present our construction one of our constructions for such a weak consensus protocol try to go into some details and also argue informally about the security of such a protocol but i hope that the way this protocol fits into the bigger picture is now clear the protocol is actually quite short and simple in this we assume that parties have access to a public key infrastructure which allows them to sign messages but most importantly allows to forward cryptographic evidence that a certain message was received by another party in a previous round one of the big challenges in designing these protocols is that if the network condition is not known when parties begin the protocol then if a message is not received that that was supposed to be received by a party this party has no way to know whether the message was dropped by the adversary because the network is asynchronous for example or if the party sending the message is corrupted by the adversary and did not send the message in the first place so the high level idea of how to deal with these is to carefully consider the thresholds of messages that a party needs to receive in order to decide that the network is synchronous in this protocol at the beginning each party signs their bit using their private key and send this signed bit to all other parties and then the parties collect the messages they receive and divide them into two sets the messages that were received with bit one and the messages that were received with bit zero so the first thing parties do is to look at the total number of messages they received and if the total number of messages they received is below a cut off which is set to n minus ts and remember ta and ts in this case are parameters for the protocol then they simply set their intended output to top and they don't do any of the following steps if instead they received enough messages that is at least n minus ts then they check if they received a bit enough times and enough times we mean at least n minus ts minus ta times if this is the case they set their intended output to this bit and they collect all the signatures they received on this bit and they send the set of signatures to all other parties then if they receive no collection of signatures on the opposite bit of the one they receive they simply output the bits they decided and otherwise if they do receive a collection of signatures on the opposite bit to the one they decided then they set their intended output to the bottom symbol and they output the bottom symbol so why does this construction work when we argue about the security of protocols that are run alternatively in synchronous and asynchronous networks we always need to consider both cases separately decide which properties we require from our protocols in the synchronous case and in the asynchronous case and then indeed prove that if this assumption holds then the desired properties are achieved when we argue in asynchronous networks we're going to assume that at most ta parties are corrupted in execution of the protocol and when we argue in synchronous networks we're going to assume that at most ts parties are corrupted in an execution of the protocol and we're also going to keep the assumption that I'm going to discuss later that ta plus 2 ts is smaller than n and that ta is smaller or equal than ts and under these assumptions now I'm going to argue about the security of the protocol let's start by considering the synchronous case so let's first assume the network is a synchronous the properties we want to prove is validity of this protocol and weak consistency of this protocol and also we require them when the network is a synchronous parties do not output the symbol top so let's first check that when the network is a synchronous parties do not output the symbol top if the network is a synchronous then in step two each party is going to send a validly signed message which means that in step three the amount of messages each party receives it's going to be at least n minus ts which means that parties are going to set the intent output to bottom and since there's no other part in the protocol after these where parties might set their input to top then this property holds let's check now that if parties have pre-agreement on a certain bit and the network is a synchronous then indeed they will output this bit so if parties have pre-agreement let's say on bit one without loss of generality then in step two each part is going to send a validly signed bit one to other parties which means that in step three not only will parties receive enough values one that is n minus ts but they will also receive enough values so that they set their intended output to one because n minus ts is greater or equal than n minus ts minus ta and please notice that there is no way that corrupted parties can generate enough signatures on the opposite bit to convince honest parties to output the symbol bottom in step four because this would mean that ts is actually greater or equal than n minus ts minus ta and the assumption we have on our thresholds actually guaranteed that this is not true so indeed when the network is asynchronous validity holds up to ts corruptions let's now check that when the network is synchronous and at most ts parties are corrupted then the weak consistency property holds remember that weak consistency means that if a certain party outputs a bit then no party will output the opposite bit this property holds because let's assume a party outputs one without loss of generality this means that they received at least n minus ts messages minus ta with bit one in step three which means they collect the signatures on these messages and they send them to all other parties in the following step so even if a party had decided on the opposite bit in step three then in step four they're gonna set their output to bottom because indeed these are valid signatures on bit one and these guarantees that no honest parties output contradicting bits this concludes the security when the network is asynchronous now when network is asynchronous we still care about the weak validity property and let's assume the network is asynchronous that at most ta parties are corrupted in an execution of this protocol then we can easily check that if all parties have pre-agreement on a certain bit then they're gonna set their output to top and the only way they set their output to something other than top if it's in step three they receive at least n minus ts messages since of these messages at least n minus ts minus ta are gonna come from honest parties since there are only ta corrupted parties then if indeed they do set their output to something other than bottom then they're gonna set this output to the to the grid upon bit and also these honest parties do not have the power to generate enough signatures on the opposite bit to convince honest parties in step four to output the bottom symbol because this would mean then ta is greater or equal than n minus ts minus ta and this is false thanks to the assumptions we made under thresholds plugging this construction for weak consensus into the high level construction we described before these already yields a ba protocol which is secure both in synchronous and asynchronous networks and that can run alternatively in fixed rounds or in expected constant rounds even though i'm not gonna go into detail of any other construction we provide in the paper we did investigate some other problems for example we investigated the optimality of the threshold assumptions we've just described when instead of asking full security in both synchronous and asynchronous networks for example we weaken the validity guarantees we require in asynchronous networks and indeed we prove that in this case these threshold assumptions are too strong and that one can actually achieve protocols with weaker threshold assumptions and this is interesting because sometimes these protocols with only weak validity can be used in bigger construction such as for example mpc or protocols that try to achieve different security guarantees in both synchronous and asynchronous networks we also provided some insight into the equivalents of the broadcast problem and the Byzantine agreement protocol which indeed holds when the networks are synchronous and which is known not to hold when the networks are asynchronous and we show how to achieve respectively Byzantine and broadcast protocols with this weak validity guarantees in asynchronous networks from one another does solving this equivalents problem to finish we also worked in the mpc setting where we improved on on previous results by providing the first mpc protocol which is a secure both in synchronous and asynchronous networks and that only requires a number of broadcast rounds all to all broadcast rounds which is independent of the multiplicative depth of the circuit to evaluate to achieve these we used previous known results due to bloom the uzang and loss and also some known results about garbling circuits in the multi-party setting and indeed if we implement the broadcast channels in this protocol using our construction for broadcast which is secure in both synchronous and asynchronous networks then these broadcast channels can be implemented in such a way that the number of rounds required is constant in the number of parties participating in the protocol so this is it for this presentation thank you for listening so far it was a pleasure for me to be able to present this work here at tcc and please refer to the full version of these papers for all details and feel free to email me about questions and discussions about this work thank you very much