 I'm excited to virtually be here. I'd like to talk about some new results regarding the round complexity of Basington Agreement. This is joint work with Hilbert Chan and Raphael Paz. Let me first define the problem of Basington broadcast. Suppose that during the COVID-19 pandemic, a group of cryptographers would like to decide whether the next year's PKC should be held virtually or in person. The cryptographers communicate over the internet by sending emails back and forth to each other. Since everyone's sheltering at home and relaxing, my email sent today will be received tomorrow morning. We will also call one day a round, since the players in our protocol act round by round. Typically, a Basington broadcast protocol works as follows. Let's say this year's PKC Chair Aguilos makes a suggestion. In this case, the suggestion is to hold the next conference virtually online. Now everyone engages in some protocol to discuss a decision. At the end of the protocol, everyone outputs a decision. If everyone faithfully followed the protocol, in this case, everyone's decision would agree with what Aguilos had suggested. Unfortunately, some of these cryptographers are unhappy, maybe because their papers got rejected from PKC. Now, the unhappy people can arbitrarily deviate from the prescribed protocol, aiming to disrupt the agreement and prevent the next conference from happening. Even in the presence of such unhappy people, we still would like to guarantee that all the happy cryptographers should nonetheless satisfy consistency and validity. Consistency requires that they all reach the same decision, and validity requires that if Aguilos is happy, then every happy person should output Aguilos' rejection. From now on, we often call happy players honest, and the unhappy players are often called corrupt. As I mentioned, this problem is commonly referred to as basing in broadcast. It was first proposed by Lampot and others back in the 1980s. This is arguably one of the most important abstractions in distributed systems and multi-party protocols. In this talk, whenever I mention the word consensus, I almost always mean basing in broadcast. An important performance metric for basing in broadcast is the protocol's round complexity. Lolev and Strong showed that in the presence of F corruption, we can have a deterministic protocol making use of ideal signatures that achieves basing in broadcasts in F plus one round. The protocol works for any size of F, and it works even when a majority of the players are corrupt. Unfortunately, let's say when a constant fraction of the players are corrupt, the protocol has linear round complexity, which is rather expensive. It turns out that if we restricted only to deterministic protocols, F plus one round is in fact necessary. This law bound was proven in the same work by Lolev and Strong. Therefore, to hope for better round complexity, the community turned its attention to randomized protocols. Assuming the majority of the players are honest, in this case, life is good, and it has been known for decades that expected constant round protocols exist. This was first shown by Feldman and McCally, and later improved by several others. Given the state of the affairs, a very natural question is whether we can achieve sublinear round-baking in broadcasts in a corrupt majority setting, too. Obviously, due to the F plus one deterministic law bound, to hope for such a result, we must rely on a randomness. Unfortunately, our understanding of this question is surprisingly little, even after so many years. The only relevant results are by Gore-Adal and the subsequent improvement by Fizziadal, where they showed that it's possible to achieve expected two F minus N rounds. For almost all parameter regimes, their result is in linear land rather than in sublinear land. For example, even when only 51% of the players are corrupt, their protocol would still suffer from linear round complexity. Only in the very narrow regime, when the number of corrupt players F is just a tiny little more than a half that's there without sublinear round complexity, but this is quite unsatisfied. To summarize, for the question we care about, basically nothing is known, even under only 51% corruption, despite decades of work on distributed circumstances. So when we first started working on this problem, this was somewhat surprising. Let me add that the problem is open, even for static corruption, and even when allowing any reasonable setup and could probably be consumption. Before I talk about our protocol, I want to briefly discuss the naive, popular idea of committee election and clarify why it doesn't work in the corrupt majority settings. So what is committee election? Essentially, suppose that we have N players involved in the consensus protocol, and let's say N is large. Now we randomly select a small committee of polylogic size. Instead of having everyone around the consensus, we instead have the committee of representatives around the consensus protocol. And now the committee will reach a decision on everyone else's to have. Since the committee is only polylogic making size, the consensus protocol will terminate in polylogically many rounds. Due to the channel bound, the fraction of the honest players in the committee should be roughly equal to the fraction of the honest players in the overall population, you know, with all but negligible public ability. Okay, for example, if overall, 51% of the players are honest, then the committee will have honest majority with all but negligible public ability. One technicality that arises is the following. The consensus among the committee indeed lets the committee reach a common agreement. But how does the committee relate the decision to those outside the committee? Now, if the committee is honest majority, there is a simple solution. Basically, a player outside the committee can ask every committee member what the decision is, and then take majority votes. Therefore, with the committee election technique, we can achieve consensus in a small number of rounds in the honest majority setting. Note that this technique works only under static corruption because if the corruption is adaptive, then the adversary can simply corrupt the entire committee. Okay, so what about the corrupt majority setting? Unfortunately, here the majority voting technique doesn't work anymore. And therefore, it's unclear how committee members can securely convey their decisions to those outside the committee. Therefore, in the corrupt majority setting, the folklore committee election technique fails to work. In other words, even with static corruption, it seems like very much non-trivial to achieve consensus in a small number of rounds in the corrupt majority setting. To summarize, the problem we talk about has been open since the 1980s, and quite surprisingly, nothing is known even for the 21% corrupt and even under static corruption and allowing any reasonable setup and cryptocurrency consumption. Okay, now let me summarize our results. We showed that under trusted setup and assuming standard cryptocurrency partners, there is a Byzantine broadcast protocol with polylogically many rounds, even when 99% of the players can be adaptively corrupt. Technically, we assume a weakly adaptive corruption model. In other words, the adversary can corrupt players in a round after having observed the messages they sent in the round. Once corrupt, this newly corrupt player can inject new messages, but the adversary cannot retroactively erase the messages it had already sent before it became corrupt in the same round. In this talk, for simplicity, I'm going to assume that up to 99% of the players can be corrupt, but in our paper, we have a more general form of adherence statement for a broader range of candidates. So how can we achieve a result like this? Our idea is inspired by the committee election idea, but to make it work, there are two challenges we have to overcome. First, we need to figure out a way for the committee to convey its decision to non-committee members. Second, we need to find a way to elect the committee secretly such that the adversary cannot simply adaptively corrupt the entire committee and disrupt the consensus. I will first focus on solving the first challenge that is how to convey the committee's decision to non-committee members, and then I'll talk about the second. For the time being, let's assume that the corruption is static and we can randomly elect the committee with the hash function after the adversary decides to do the corrupt. To understand our idea, I will first explain the classical Dolef-Strong protocol and how to leverage Dolef-Strong to allow the committee to reach agreement. Then I will explain how to let non-committee members also participate in Dolef-Strong as non-voters, and this will let the non-committee members reach the same decision as the committee members. Okay. So to understand Dolef-Strong, I will first introduce the notation B stamp R. This is pronounced as an R batch of votes on the bid B. It means a bid B bundled together with R signatures from distinct players. And moreover, one of the designers must be the chair himself, right? In this case, Aguilo is the chair. Also, I'm going to assume that a random committee of size C is elected and C is roughly polylogged in the security parameter lambda. Assume that at most 99% of the players are corrupt, we can guarantee that with all but negligible probability, the committee has at least one honest member. Okay, so here's how the Dolef-Strong protocol works. Keep in mind this is run inside the committee. In the first round, round zero, essentially we do the most natural thing, right? So we are going to assume that the chair Aguilo is always in the committee. And in round zero, Aguilo basically signs his bid and sends the sign bid to everyone. Note that here the notation one batch of both zombie means that the bid B is attached with a single signature and in this case, the signature must be Aguilo C. Now every player maintains what's called an extracted set and player J's extracted set is denoted E sub J. The extracted set maintains the set of bits. The player believes Aguilo's to have sent. In the next C round where C is the committee size, the committee members perform the following. In the arts round, if player J observes an R batch of votes on some bid B and B is not in the player's extracted set E sub J, it will add B to its extracted set. It will sign a signature on B and propagate an R plus one batch of votes on B to everyone else. Again here, the R plus one batch of votes is created by taking the R batch of votes bid at C and then adding its own signature. Finally, at the very end of the protocol, if a player's extracted set contains a single bid, it simply outputs that bid at the decision. Otherwise, if the set contains either zero bits or two bits, the player outputs a canonical bid zero. This is essentially the Dola Strom protocol. And again, at this moment, we are running it inside the committee and this allows the committee to reach an agreement internally. To see why the protocol works, we can first show that for any R, that is not the final round. If some honest player adds B to its extracted setting round R, then all honest players will have added B in the immediate next round. This is because in the protocol, let's say whenever an honest player adds a bid to its extracted set, say in some round T less than R, it will send a T plus one batch of votes on B. So in the immediate next round, all of the honest players will also add B if they haven't done so already. Okay, so basically the first lemma says, if I have the bidding round R, you'll have it in the immediate next round R plus one. But to finish the consistency proof, it helps to observe that in the last round, something magical happens. If some honest player adds B to its extracted setting the final round, then C people must have signed it. And among them, one player must be honest. So now this honest player must have added B to its extracted setting some earlier round R. And by the first lemma, now everyone must have added B two by round R plus one, which is less than or equal to C. Okay, again, so far we are running the left strong among the committee. And that's in the lemmas here, player means a committee member. Okay, so now we show how to augment the protocol to allow non-committee members to participate as non-voters and yet reach the same decision as committee members. Recall that earlier, there are C rounds of voting, but now we break each voting round into two little rounds. We will use the new terminology phase to describe when iteration of voting and except for the initial phase in which Aguilo's sent a signed bit, all other phases now have two rounds. The key idea is to make sure that the guarantees of the earlier lemma one is now generalized to all players and not just the committee members. To make sure this is indeed the case, before the committee members start to vote in each phase, we introduce a relay round. During the relay round of phase R, a non-committee member who has observed an R batch of votes at B to its extracted set. But we wanna make sure that if it does that, then in the next round, all honest players go at B too. So make sure this happens instead of having the non-committee member vote on B, which it's not allowed to do, this non-committee member instead just relays the R batch of signature testing to everyone else. This makes sure that some honest committee member will definitely receive it too. And it will add its votes during the voting round. And then an R plus one batch of votes will be sent to everyone else. Okay, so next is the voting round where committee members pass new votes. And this works the same way as before. Essentially every committee member who observes an R batch of signatures adds B to its extracted set. And they will create a new vote for B by signing it. And then it will send an R plus one batch of votes to everyone. Okay, so keep in mind that only signatures from the committee count as valid votes. So it turns out this simple change gives us a polylog round protocol for the static corruption study. Okay, so we've solved the first challenge and now it's time to look at the second challenge. And here the issue is we want to extend the protocol to achieve adaptive security. And the challenge is that the adaptive adversary can observe foods in the committee and then adaptively corrupt the entire committee. It can afford to do so because the committee is pretty smart. To defend against such an adaptive corruption attack we will rely on a secret committee election technique such that the adversary has no idea who's in the committee until the player casts a vote. At this point, however, it'll be too late to corrupt the voter because the votes that has been distributed cannot be erased anymore. To achieve this, we will use a verifiable random function or VRF to determine committee membership. Recall that the VRF is a pseudo random function such that one can evaluate the function using a secret key but the outcome can be verified with a corresponding public key. Importantly, without the secret key the evaluation outcome cannot be predicted in advance and is basically indistinguishable from a random string. Now a player can use its secret key, SKJ, to determine if it's a member of the B committee. And the B committee defines the set of players who are allowed to vote on the big B. If the VRF outcome on the input big B is less than some difficulty parameter B then the player is a member of the B committee. Note that the adversary does not have the honest player's secret keys and therefore it cannot predict in advance who's in the B committee. When player J evaluates its own VRF besides the evaluation outcome role, it also obtains a proof denoted pi and the proof basically attests to the correctness of the evaluation outcome. Everyone else now can use player J's public key and the proof pi to check if the purported evaluation outcome role is correct. Therefore everyone can check if player J is indeed a member of the B committee. What's important here is that the two committees, the committee that vote on zero and the committee that vote on one are decided independently by invoking the VRF price. Therefore whether a player is in the zero committee is independent of whether she is in the one committee. Had it not been the case, say the committee that vote on zero is the same as the committee that vote on one. This is problematic because the adversary can simply make the committee vote on zero first. At this point, the committee members will disclose their identities and then the adversary can adaptively corrupt all of them. And once corrupt, the adversary can perform an attack on the other big one. Essentially it can make some honest players include one in their extracted sets and others not. Okay, so we can now put all these ideas together in comparison with the earlier protocol with static security. Here the main difference is that the adversary doesn't know a priori who's in the committee, who's in which committee in fact. And when players vote, they attach a VRF proof that they have eligibility to vote for the corresponding bid. Since the committee is elected with the VRF, we don't know the exact committee sizes, but we can run the protocol for sufficiently many faces such that the number of faces is an upper bound on the committee sizes, but without the negligible probability. This allows us to solve a longstanding open problem. Given that the problem is widely known and has been open for so long, you know, it might be somewhat surprising in hindsight that our techniques are really not too complicated. Nonetheless, it was non-trivial to come up with the right techniques and put them together. And by the way, we also really like the simplicity of the solution and we view it as an advantage. Finally, to conclude, we mentioned some exciting directions and our ongoing efforts. The first natural question is whether we can improve the round complexity to expected and constant round. This was known to be possible for the honest majority setting. You know, note that our protocol has polylogismically many rounds, both on average and in the worst case. Okay, so joined with Jean-Wen and the group at MIT, we actually have an upcoming work, which is on e-print. And in this work, we can achieve expected constant round and turns out to achieve this, we need to design completely novel techniques from the ground up. Okay, so now the second natural question is whether we can achieve a similar round complexity result, but now under the strongly adaptive corruption model. In this model, once the adversary adaptively corrupts a player in a round, it can even erase the message the player had sent in the same round prior to becoming corrupt. So we are also working on the second open question. Thank you very much.