The problem of Byzantine Agreement (BA) is of interest to both the distributed computing and cryptography communities. Following well-known results from distributed computing literature, the BA problem in the asynchronous network setting encounters inevitable non-termination issues. The impasse is overcome via randomization that allows construction of BA protocols in two flavors of termination guarantee—with overwhelming probability and with probability one. The latter type, termed as almost-surely terminating BA, is the main focus of this article. An eluding problem in the domain of almost-surely terminating BA is achieving a constant expected running time. Our primary contribution in this work makes significant progress in this direction. In a setting with n parties and an adversary with unbounded computing power controlling at most t parties in a Byzantine fashion, we present two almost-surely terminating BA protocols in the asynchronous setting: ○ With the optimal resilience of t < n /3, our first protocol runs for an expected O ( n ) time. The existing protocols in the same setting either run for an expected O ( n 2 ) time (Abraham et al., PODC 2008) or require exponential computing power from the honest parties (Wang, CoRR 2015). In terms of communication complexity, our construction outperforms all the known constructions with t < n /3 that offer almost-surely terminating feature. ○ With the resilience of t < n /3 + ϵ for any ϵ > 0, our second protocol runs for an expected O (1/ϵ) time. The expected running time of our protocol turns constant when ϵ is a constant fraction. The known constructions with a constant expected running time either require ϵ to be at least 1 (Feldman-Micali, STOC 1988 and Patra-Pandu Rangan, PODC 2010), implying t < n /4, or call for exponential computing power from the parties (Wang, CoRR 2015). We follow the traditional route of building BA via common coin protocol that in turn reduces to Asynchronous Verifiable Secret-Sharing (AVSS). Our constructions are built on a variant of AVSS that is termed as shunning . A shunning AVSS fails to offer the properties of AVSS when the corrupt parties strike, but allows the honest parties to locally detect and shun a set of corrupt parties for any future communication. Our shunning AVSS with t < n /3 and t < n /3 + ϵ guarantee Ω( n ) and, respectively, Ω(ϵ t 2 ) conflicts to be revealed when failure occurs. Turning this shunning AVSS to a common coin protocol efficiently constitutes yet another contribution of this work. As a secondary contribution, we show the power of the shunning technique and present a highly efficient cryptographically secure shunning AVSS, which is used further to design an asynchronous BA protocol with the optimal resilience of t < n /3 in the cryptographic setting. Our construct achieves an amortized expected communication complexity of O ( n 2 ) bits for reaching agreement on a single bit while consuming a constant expected running time. This property has been achieved for the first time in the cryptographic setting and that, too, with standard cryptographic assumptions. The best-known existing construction (Cachin et al., CCS 2002), while still needing more communication complexity than ours, is proven secure only in the Random-Oracle Model (ROM).

中文翻译：

---

回避的力量

拜占庭协议（BA）的问题对分布式计算和密码学社区都很感兴趣。继分布式计算文献的著名结果之后，BA 问题在异步网络设置遇到不可避免的不终止问题。僵局是通过随机化来克服的，它允许以两种终止保证方式构建 BA 协议——具有压倒性的概率和概率一。后一种类型，称为几乎肯定会终止BA，是本文的重点。在几乎肯定会终止 BA 的领域中，一个难以解决的问题是实现恒定的预期运行时间。我们在这项工作中的主要贡献在这个方向上取得了重大进展。在与n当事人和对手无界算力控制最多吨以拜占庭式的方式，我们在异步设置中提出了两个几乎可以肯定终止的 BA 协议：最佳弹性的吨<n/3，我们的第一个协议运行预期○(n） 时间。相同设置中的现有协议要么按预期运行○(n 2) 时间（Abraham 等人，PODC 2008）或需要诚实方的指数计算能力（Wang，CoRR 2015）。在通信复杂性方面，我们的构造优于所有已知构造吨<n/3 几乎可以肯定地提供终止功能。○ 具有弹性吨<n/3 + ε 对于任何ϵ > 0，我们的第二个协议运行预期○(1/ε) 时间。当 ε 是一个常数分数时，我们协议的预期运行时间变为常数。具有恒定预期运行时间的已知结构要么要求 ϵ 至少为 1（Feldman-Micali，STOC 1988 和 Patra-Pandu Rangan，PODC 2010），这意味着吨<n/4，或要求各方提供指数计算能力（Wang, CoRR 2015）。我们遵循通过通用硬币协议构建 BA 的传统路线，这反过来又减少到异步可验证秘密共享（AVSS）。我们的结构建立在 AVSS 的变体之上，称为回避. 回避的 AVSS 在腐败方罢工时无法提供 AVSS 的属性，但允许诚实方本地检测并避开一组腐败方，以便将来进行任何通信。我们回避的 AVSS吨<n/3 和吨<n/3 + ε 保证 Ω(n) 和 Ω(ϵ吨 2) 发生故障时要显示的冲突。有效地将这种回避的 AVSS 转换为通用硬币协议构成了这项工作的另一个贡献。作为次要贡献，我们展示了回避技术的力量，并提出了一种高效的密码安全回避 AVSS，它被进一步用于设计具有最佳弹性的异步 BA 协议吨<n/3 在加密设置中。我们的构造实现了摊销的预期通信复杂度○(n 2) 位用于在单个位上达成一致，同时消耗恒定的预期运行时间。该属性是第一次在密码设置中实现，并且在标准密码假设下也是如此。最著名的现有结构（Cachin 等人，CCS 2002）虽然仍需要比我们的更复杂的通信，但仅在随机 Oracle 模型 (ROM) 中被证明是安全的。