Breaking the \(O(\sqrt{n})\)-Bit Barrier: Byzantine Agreement with Polylog Bits Per Party
Journal of Cryptology (IF 3), Pub Date: 2023-10-27, DOI: 10.1007/s00145-023-09484-0
Elette Boyle, Ran Cohen, Aarushi Goel

Byzantine agreement (BA), the task of n parties to agree on one of their input bits in the face of malicious agents, is a powerful primitive that lies at the core of a vast range of distributed protocols. Interestingly, in BA protocols with the best overall communication, the demands of the parties are highly unbalanced: the amortized cost is \({\tilde{O}}(1)\) bits per party, but some parties must send \(\Omega (n)\) bits. In the best known balanced protocols, the overall communication is sub-optimal, with each party communicating \({\tilde{O}}(\sqrt{n})\). In this work, we ask whether asymmetry is inherent for optimizing total communication. In particular, is BA possible where each party communicates only \({\tilde{O}}(1)\) bits? Our contributions in this line are as follows:

  • We define a cryptographic primitive—succinctly reconstructed distributed signatures (SRDS)—that suffices for constructing \({\tilde{O}}(1)\) balanced BA. We provide two constructions of SRDS from different cryptographic and public-key infrastructure (PKI) assumptions.

  • The SRDS-based BA follows a paradigm of boosting from “almost-everywhere” agreement to full agreement, and does so in a single round. Complementarily, we prove that PKI setup and cryptographic assumptions are necessary for such protocols in which every party sends o(n) messages.

  • We further explore connections between a natural approach toward attaining SRDS and average-case succinct non-interactive argument systems (SNARGs) for a particular type of NP-Complete problems (generalizing Subset-Sum and Subset-Product).

Our results provide new approaches forward, as well as limitations and barriers, toward minimizing per-party communication of BA. In particular, we construct the first two BA protocols with \({\tilde{O}}(1)\) balanced communication, offering a trade-off between setup and cryptographic assumptions and answering an open question presented by King and Saia (DISC’09).

Updated: 2023-10-28