Paper 2021/810

Efficient Asynchronous Byzantine Agreement without Private Setups

Yingzi Gao and Yuan Lu and Zhenliang Lu and Qiang Tang and Jing Xu and Zhenfeng Zhang

Abstract

Though recent breakthroughs have greatly improved the efficiency of asynchronous Byzantine agreement protocols, they mainly focused on the setting with private setups, e.g., assuming a trusted dealer to establish non-interactive threshold cryptosystems. Challenges remain to reduce the large communication complexities in the absence of private setups, for example: (i) for asynchronous binary agreement ($\ABA$) with optimal resilience, prior private-setup free protocols (Cachin et al., CCS' 2002; Kokoris-Kogias et al., CCS' 2020) have to incur $\mathcal{O}(\lambda n^4)$ bits and $\mathcal{O}(n^3)$ messages; (ii) for asynchronous multi-valued agreement with external validity ($\VBA$), Abraham et al. [2] very recently gave the first elegant construction with $\mathcal{O}(n^3)$ messages, relying on only public key infrastructure (PKI), but the design still costs $\mathcal{O}(\lambda n^3 \log n)$ bits. Here $n$ is the number of participating parties and $\lambda$ is the cryptographic security parameter. We for the first time close the remaining efficiency gap between the communication complexity and the message complexity of private-setup free asynchronous Byzantine agreements, i.e., reducing their communication cost to only $\mathcal{O}(\lambda n^3)$ bits on average. At the core of our design, we give a systematic treatment of reasonably fair common randomness, and proceed as follows: - We construct a reasonably fair common coin (Canetti and Rabin, STOC' 1993) in the asynchronous setting with PKI instead of private setup, using only $\mathcal{O}(\lambda n^3)$ bit and constant asynchronous rounds. The common coin protocol ensures that with at least $1/3$ probability, all honest parties can output a common bit that is as if uniformly sampled, rendering a more efficient private-setup free $\ABA$ with expected $\mathcal{O}(\lambda n^3)$ bit communication and constant running time. -More interestingly, we lift our reasonably fair common coin protocol to attain perfect agreement without incurring any extra factor in the asymptotic complexities, resulting in an efficient reasonably fair leader election primitive pluggable in all existing $\VBA$ protocols (including Cachin et al., CRYPTO' 2001; Abraham et al., PODC' 2019; Lu et al., PODC' 2020), thus reducing the communication of private-setup free $\VBA$ to expected $\mathcal{O}(\lambda n^3)$ bits while preserving expected constant running time. This leader election primitive and its construction might be of independent interest. - Along the way, we also improve an important building block, asynchronous verifiable secret sharing (Canetti and Rabin, STOC' 1993) by presenting a private-setup free implementation costing only $\mathcal{O}(\lambda n^2)$ bits in the PKI setting. By contrast, prior art having the same communication complexity (Backes et al., CT-RSA' 2013) has to rely on a private setup.