 Hi, my name is Dream1 and today I want to introduce a Byzantine broadcast protocol that works under a strongly adapted adversary and majority corruptions. This is joint work with Hanschen, Srinni, and Yilin. Byzantine broadcast is proposed by Lampere et al. in 1982. We have a set of users aiming to achieve consensus. One of the users is the sender, who has an input bit which is either 0 or 1. Byzantine broadcast needs to satisfy consistency and validity. Consistency requires all honest users to always output the same bit. Validity requires that if the sender is honest, then all honest users follow the sender's decision and just output the sender's input bit. Under the synchronous model, Dolop and Strong showed that no deterministic protocol can achieve Byzantine broadcast in less than F++ rounds. Rf is the number of corrupted users, therefore we're just going to focus on randomized protocols. If we consider randomized protocol, then there were some beautiful results. Under honest majority, Kaz and Ku, and later Abraham et al. showed that there exists expected constant-runs protocol even under a strongly adapted adversary. Under dishonest majority, Chen et al. first proposed solution with polylog run complexity – this is later improved by one et al. to expected constant-runs. However, the solutions for dishonest majority only work under a weakly adapted adversary. Before we move on to the details, let's first clarify the adversary model we're talking about. Usually, in consensus, we consider three adversary models. The first one is the static adversary, which is the weakest adversary model. In the static adversary, an adversary needs to decide who to corrupt before the protocol begins. Once the protocol starts, the adversary cannot corrupt any other honest users or any incoming new users. The second adversary model is the weakly adapted adversary model. A weakly adapted adversary can corrupt any user at any time of the protocol. However, after it corrupts a user, it cannot erase any message already sent by that user in the run of corruption. So this is why we can deal with a weakly adapted adversary by keeping the identity of the leader or the community secret. If we can't elect a leader and the leader's only job is to send a message once, then it doesn't matter whether the adversary corrupts the user after the message has been sent. At this point, the leader's job is fulfilled, and the adversary can do whatever he wants to the leader. The third adversary model is the strongest of all. A strongly rushing adapted adversary can perform what we call after-the-fact removal. This means when it corrupts an honest user, it can even erase all the message this node has sent in this run. So suppose we elect a leader and the leader sends a message. As soon as we detect it, we can control the leader and erase the message that this leader has already sent. It has been a long-standing open problem whether it is possible to achieve sub-linear run complexity under dishonest majority and a strongly rushing adapted adversary. In this paper, we show that the answer is yes, assuming the existence of a trusted setup and the existence of some hard time-locked puzzle, then there exists a protocol that achieved by the hidden broadcast in n divided by the number of honest user square times polylock lambda number of rounds. Here lambda is the security parameter. Our solution is to combine time-locked puzzle with Chen et al's construction. So let's first review their protocol. So in their construction, they define two committees called the zero committee and the one committee. This is constructed using a verifiable random function. Basically the zero committee just contains all nodes whose VR app evaluation outcome on zero is smaller than a certain parameter. This parameter is chosen such that each committee's size is polylock rhythmic in expectation. Each committee will basically engage in a polylock rhythmic number of rounds of voting based on certain voting rules. Let's not go into the details of these voting rules here. It's just enough to know that this is very similar to doing Dolov and Strunk's protocol just under the committee, but in the same time, committee members and non-committees member will keep relaying all the votes they have seen. So this protocol works for weekly adaptive because a committee member only needs to send message once. Their identity will be hidden before they send a message. After they send a message, this message will be guaranteed to be received by all honest users under weekly adaptive adversaries. At this point, their drop is fulfilled and they're done. However, this does not work for a strongly adaptive adversary as the strongly adaptive adversary can just detect the committee's members whenever it sends a message, it then just corrupt it and also erase the message sent. So if only the adversary cannot corrupt any users before those messages are delivered. So with this in mind, our first idea is to how about we encrypt the votes or we encrypt the message such that the adversary will need at least one round of time to decrypt this message by the end of which this message will already be delivered to every other honest users. This is the part where we use a time lock puzzle. As the name implies, a time lock puzzle basically take a message and lock it in a puzzle for some time t. No one can solve it before this time. Specifically, the time lock puzzle or at least the version we consider has two functions. It has a generating function, which is a probabilistic algorithm that takes a security parameter, a time parameter, and a solution as inputs and then the outputs of the puzzle. They also have a solve function, which is a deterministic algorithm that taking the puzzle and provides the solution. A time lock puzzle needs to satisfy three properties. First of all, solving the puzzle will always return the correct solution. Secondly, it should be efficient, meaning that the generated the puzzle will take a polylock time regarding t, the time parameter, and solving the problem or solving the puzzle will take at most t steps. Notice that both of this time complexity should happen on a sequential random assets machine. So without needing parallel computing or anything like this, they should still be able to achieve this time complexity. Finally, the most important properties of a time lock puzzle is that there exists a parameter or a constant, epsilon, such that every epsilon times t bounded, non-uniform, parallel machines cannot solve the puzzle. They can only succeed with negligible probability. Given the time lock puzzle, here are our basic intuitions. Voters will lock the votes in a time lock puzzle and send the votes rather than the clear text message. Adversaries have to solve the puzzle to figure out what's the message. So if non-voters also send dummy message of the same length, the adversary cannot figure out who is in the committee until they have solved the puzzle. And if we set a parameter such that it takes the time of a round to solve the puzzle, and by the time the adversary realize who are in the committee, those message or those votes will already have been delivered. This is true even if the adversary have unbounded parallelism, because time lock puzzle is safe even under parallel machine. In essence, what we want is a delayed exposure message distribution system. It should have only polylock rhythmic number of rounds, and it should allow all honest users to each distribute a time lock puzzle embedding a message that they want to send. The adversary should not be able to learn any information about honest users message within one round of time. However, there are several challenges here. The first challenge is that while adversaries have unbounded parallel machines, honest users don't. So if we have n time lock puzzles, and honest users need to solve them one by one, then that would take n times the time to solve each puzzle, which is at least one round of time. So overall honest user will need n rounds to solve the puzzles, which is just too much. So in some sense, we want honest users to distribute the job of solving puzzles fairly among all honest users, so that they expect the time for each individual user is constant or only logarithmic. However, this is really hard as well, as honest users do not have a consistent view of the puzzle being distributed. We present a high level description here. Basically in the first round, every user computes and send a time lock puzzle. And then for login iterations, we'll try to pick up each unsolved puzzle with some probability independently and solve this puzzle. Notice that one thing the adversary can do in this case is to flushing a lot of puzzles at the very end. So to avoid this, we want to make sure that if a puzzle remains unsolved for a long time, then there is a higher chance we attack this puzzle first. We do it by first defining some probability p, which is ignoring all this detail, it's just approximately 1 divided by n. And the probability of solving a puzzle is 2 to the alpha times p. Here alpha is basically the age of the puzzle. This means how many rounds has this puzzle remained unsolved. Finally after we solve the puzzles, we are going to send it to all other users. The idea behind this is that we want to make sure at the end of each round or at the end of each iteration, we are going to solve at least half of the unsolved puzzles. Recall that we're dealing with a strongly adapted adversary here. So if we're not careful, the adversary can just observe what kind of puzzle each user is solving and then just selectively corrupt the honest user such that those left behind only solve a small portion of the unsolved puzzles. We want to make sure that no matter who the adversary corrupts, that worst case scenario is not going to happen. So in fact, we can bond the failure probability for the IAP iteration using these equations below. That's not going to do the details here. It's just enough to know that this is a combination of probability analysis and then doing union bound over all the set of possible honest user and all the set of unsolved puzzles. So in the end, we can show that this is negligible, it is exponential to linear of n. So this protocol will satisfy likeness and secrecy. So overall, the distributed protocol, we have run complexity, which is equal to the number of epoch, which is theta log n, times the number of puzzles we need to solve per iteration. This we can bond by polylog of n by Chernoff bound and then times the time to solve each of the puzzle divided by the time per round by the definition of time lock puzzle. If the time lock puzzle is epsilon hard, then time of solving divided by the time of a round is upper bounded by one divided by epsilon. So overall, this just reduced to polylog of n and lambda. So lastly, all we need to do is combine it with the technique proposed in Chen Intel, where there are a lot of details that we need to change, but the most important intuition is just replace the normal message relay with the distributed protocol we proposed. Like changing the algorithm isn't exactly a challenge. The most challenging aspect of this part is how to prove the security or how to rigorously argue the failure probability. Because at this point, we're using verifiable random function. We're using time lock puzzle. There's a lot of potential events in Chen Intel's protocol. We need to use a really complicated hybrid argument to provide a rigorous analysis. Feel free to check out our paper online. I will not bother you with the details here. In fact, our distributed protocol can be combined with a lot of other protocols to make them tolerate strongly adapted adversaries. It will be interesting to check out and try out different algorithms later. So in conclusion, we propose a Byzantine broadcast protocol that works under dishonest majority and a strongly rushing adapted adversary. The round complexity is polylogarithmic. However, it remains an open problem whether it is possible to achieve Byzantine broadcast under a strongly adapted adversary in just expected constant number of rounds. Of course, under dishonest majority. I personally find it very challenging because if you need expected constant rounds, then you can't use the distributed protocol or time lock puzzle we just talked about. And it will be also very interesting to see if you can prove any impossibility results on this area. We would like to thank the anonymous TCC reviewers and our awesome shepherd, Ren, for helping us by improving this paper. We also like to thank everyone who has discussed time lock puzzle with us and providing help for feedbacks and suggestions. Of course, finally, we would like to thank you for listening to this talk and being interested in our work.