Paper 2023/1757

Adaptively Secure Consensus with Linear Complexity and Constant Round under Honest Majority in the Bare PKI Model, and Separation Bounds from the Idealized Message-Authentication Model

Abstract

We consider the mainstream model in secure computation known as the bare PKI setup, also as the {bulletin-board PKI}. It allows players to broadcast once and non-interactively before they receive their inputs and start the execution. A bulletin-board PKI is essentially the minimum setup known so far to implement the model known as {messages-authentication}, i.e., when $P$ is forwarded a signed message, it considers it to be issued by $R$ if and only if $R$ signed it. It is known since [Lamport et al, 82] that BA under honest majority (let alone secure computation) would not be possible without messages-authentication. But as further highlighted by [Borcherding, 96], messages-authentication cannot not simply be implemented with digital signatures, without a bulletin-board of public keys. So the bulletin-board PKI setup and the messages-authentication model seem very close: this raizes the question whether there is a separation between them. In the bulletin-board PKI setup, the most communication-efficient synchronous BA is the one of [Boyle-Cohen-Goel, Podc'21 \& J. Cryptol.'24], which has $O(n.\text{polylog}(n))$ bit complexity, $f<n(1/3-\epsilon)$ resilience and tolerates an adversary which cannot adaptively corrupt after the setup. Our main upper-bound is a BA (and also a VBA) in this same model with strictly better parameters: {quasi-optimal} resilience $f<n(1/2-\epsilon)$, with an expected bit complexity of communications which is {linear} in $n$, and tolerance to an {adaptive} rushing adversary (but which unavoidably cannot remove messages sent). As [BCG'21], they have constant expected latency. All previous BAs or VBAs achieving the same metrics as our upper bound, are either in the static adversary model: Sleepy [Pass-Shi, Asiacrypt'17], Snow White [Daian-Pass-Shi, FC'19], or assume more than a bare PKI setup: (i) The model of Thunderella [Pass-Shi, EC'17], Algorand [Gilad et al, SOSP'17], Praos [David et al, EC'18], [Goyal et al, FC'21] and [Momose et al, CCS'22 and CCS'23] assumes a public random seed which is unpredictable until strictly after all players published on the bulletin board; (ii) [Abraham et al, Podc'19] assume a trusted entity which honestly samples the keys of all players; (iii) All known implementations of the setups (i) and (ii), as well as the setup of [Blum et al, TCC'20], require interactions, furthermore in the form of BAs. (iv) [Garay-Kiayas-Shen '23] assume that honest players work more than the adversary, or, [Eckey-Faust-Loss et al '17 '22] at least as fast. Of independent interest, our tool is a very simple non-interactive mechanism which {sets-up a self-sortition function from non-interactive publications on the bulletin board}, and still, guarantees an honest majority in every committee up to probability exponentially small in both $\epsilon$ and in the multicast complexity. We provide the following further results: {- Optimality.} We show that resilience up to a tight honest majority $f<n/2$ is impossible for any multicast-based adaptively secure BA with subquadratic communication, whatever the setup. {- Separation.} We show impossibility of subquadratic multicast-based BA in the messages-authentication model. Our model for this lower bound is even stronger, since it onboards other assumptions at least as strong as all popular implications of a bulletin-board PKI setup: {secure channels}, {a (possibly structured) random string}, {NIZK}. {- Partial synchrony.} Given that the multicast lower-bound holds a fortiori, and that the upper-bound adapts seamlessly (for $f<n(1/3-\epsilon)$), the separation also holds. We show a second separation, which holds for general BAs, non-necessarily multicast-based: any partially-synchronous BA in the messages-authentication model, if it has linear message complexity, then it has latency at least {logarithmic in $f$}. {- Extension to VBA.} We extend to VBA the logarithmic latency lower bound. This is the first communication lower bound for randomized VBA to our knowledge. It shows that the separation under partial synchrony also holds for VBA. Along the way, we close the characterization of [Civit et al, Podc'23] of validity conditions in authenticated consensus, by apparently new results on VBA: both BA and VBA are infeasible under partial synchrony beyond $f<n/3$, whatever the setup; whereas synchronous VBA is feasible up to $f=n-1$ (contrary to BA).

Note: Minor clarifications