Skip to main content
SpringerLink
Log in

Reaching consensus for asynchronous distributed key generation

  • Published:
Distributed Computing Aims and scope Submit manuscript

Abstract

We give a protocol for Asynchronous Distributed Key Generation (A-DKG) that is optimally resilient (can withstand \({{\varvec{f}}}<\frac{{{\varvec{n}}}}{{{\varvec{3}}}}\) faulty parties), has a constant expected number of rounds, has \({{\varvec{O}}}({\varvec{\lambda }} {{\varvec{n}}}^{{\varvec{3}}})\) expected communication complexity, and assumes only the existence of a PKI. Prior to our work, the best A-DKG protocols required \({\varvec{\Omega }}({{\varvec{n}}})\) expected number of rounds, and \({\varvec{\Omega }}({{\varvec{n}}}^4)\) expected communication. Our A-DKG protocol relies on several building blocks that are of independent interest. We define and design a Proposal Election (PE) protocol that allows parties to retrospectively agree on a valid proposal after enough proposals have been sent from different parties. With constant probability the elected proposal was proposed by a nonfaulty party. In building our PE protocol, we design a Verifiable Gather protocol which allows parties to communicate which proposals they have and have not seen in a verifiable manner. The final building block to our A-DKG is a Validated Asynchronous Byzantine Agreement (VABA) protocol. We use our PE protocol to construct a VABA protocol that does not require leaders or an asynchronous DKG setup. Our VABA protocol can be used more generally when it is not possible to use threshold signatures.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1

Similar content being viewed by others

References

  1. Kokoris Kogias, E., Malkhi, D., Spiegelman, A.: Asynchronous distributed key generation for computationally-secure randomness, consensus, and threshold signatures. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. CCS’20, pp. 1751–1767. Association for Computing Machinery, New York, NY, USA (2020). https://doi.org/10.1145/3372297.3423364

  2. Syta, E., Jovanovic, P., Kokoris-Kogias, E., Gailly, N., Gasser, L., Khoffi, I., Fischer, M.J., Ford, B.: Scalable bias-resistant distributed randomness. In: 38th IEEE Symposium on Security and Privacy (2017)

  3. Abraham, I., Malkhi, D., Spiegelman, A.: Asymptotically optimal validated asynchronous byzantine agreement. In: Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing, pp. 337–346. ACM, New York, NY, USA (2019). https://doi.org/10.1145/3293611.3331612

  4. Kokoris-Kogias, E., Alp, E.C., Gasser, L., Jovanovic, P., Syta, E., Ford, B.: CALYPSO: Private Data Management for Decentralized Ledgers. Cryptology ePrint Archive, Report 2018/209. To appear in VLDB 2021 (2018)

  5. Kate, A., Huang, Y., Goldberg, I.: Distributed Key Generation in the Wild. Cryptology ePrint Archive, Report 2012/377. https://eprint.iacr.org/2012/377 (2012)

  6. Feldman, P.N.: Optimal algorithms for byzantine agreement. Ph.D. thesis, Massachusetts Institute of Technology (1988)

  7. Canetti, R., Rabin, T.: Fast asynchronous byzantine agreement with optimal resilience. In: Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing. STOC ’93, pp. 42–51. Association for Computing Machinery, New York, NY, USA (1993). https://doi.org/10.1145/167088.167105

  8. Abraham, I., Amit, Y., Dolev, D.: Optimal resilience asynchronous approximate agreement. In: Proceedings of the 8th International Conference on Principles of Distributed Systems. OPODIS’04, pp. 229–239. Springer, Berlin (2004). https://doi.org/10.1007/11516798_17

  9. Gurkan, K., Jovanovic, P., Maller, M., Meiklejohn, S., Stern, G., Tomescu, A.: Aggregatable Distributed Key Generation. Cryptology ePrint Archive, Report 2021/005. https://eprint.iacr.org/2021/005 (2021)

  10. Cachin, C., Kursawe, K., Petzold, F., Shoup, V.: Secure and efficient asynchronous broadcast protocols. In: Kilian, J. (ed.) Advances in Cryptology—CRYPTO 2001, pp. 524–541. Springer, Berlin (2001)

    Chapter  Google Scholar 

  11. Feldman, P., Micali, S.: An optimal probabilistic protocol for synchronous byzantine agreement. SIAM J. Comput. 26(4), 873–933 (1997)

    Article  MathSciNet  MATH  Google Scholar 

  12. Backes, M., Datta, A., Kate, A.: Asynchronous computational VSS with reduced communication complexity. In: Dawson, E. (ed.) Topics in Cryptology—CT-RSA 2013, pp. 259–276. Springer, Berlin (2013)

    Chapter  Google Scholar 

  13. Dolev, D., Reischuk, R.: Bounds on information exchange for Byzantine Agreement. In: Proceedings of the First ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing - PODC ’82, pp. 132–140. ACM Press, New York, NY, USA (1982). https://doi.org/10.1145/800220.806690

  14. Bracha, G.: An asynchronous [(n - 1)/3]-resilient consensus protocol. In: Proceedings of the Third Annual ACM Symposium on Principles of Distributed Computing, pp. 154–162. Association for Computing Machinery, New York, NY, USA (1984). https://doi.org/10.1145/800222.806743

  15. Cachin, C., Tessaro, S.: Asynchronous verifiable information dispersal. In: Distributed Computing. 19th International Conference, DISC 2005, Cracow, Poland, September 26–29, 2005, Proceedings, pp. 503–504. Springer, Berlin (2005)

  16. Bracha, G.: Asynchronous byzantine agreement protocols. Inf. Comput. 75(2), 130–143 (1987)

    Article  MathSciNet  MATH  Google Scholar 

  17. Cachin, C., Kursawe, K., Shoup, V.: Random oracles in constantinople: practical asynchronous Byzantine agreement using cryptography. J. Cryptol. 18(3), 219–246 (2005). https://doi.org/10.1007/s00145-005-0318-0

    Article  MathSciNet  MATH  Google Scholar 

  18. Cachin, C., Kursawe, K., Lysyanskaya, A., Strobl, R.: Asynchronous verifiable secret sharing and proactive cryptosystems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security. CCS ’02, pp. 88–97. Association for Computing Machinery, New York, NY, USA (2002). https://doi.org/10.1145/586110.586124

  19. Zhou, L., Schneider, F.B., Van Renesse, R.: APSS: proactive secret sharing in asynchronous systems. ACM Trans. Inf. Syst. Secur. 8(3), 259–286 (2005). https://doi.org/10.1145/1085126.1085127

    Article  Google Scholar 

  20. Yin, M., Malkhi, D., Reiter, M.K., Gueta, G.G., Abraham, I.: Hotstuff: Bft consensus with linearity and responsiveness. In: Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing. PODC ’19, pp. 347–356. Association for Computing Machinery, New York, NY, USA (2019). https://doi.org/10.1145/3293611.3331591

  21. Lu, Y., Lu, Z., Tang, Q., Wang, G.: Dumbo-mvba: Optimal multi-valued validated asynchronous byzantine agreement, revisited. In: Proceedings of the 39th Symposium on Principles of Distributed Computing. PODC ’20, pp. 129–138. Association for Computing Machinery, New York, NY, USA (2020). https://doi.org/10.1145/3382734.3405707

  22. Abraham, I., Stern, G.: Information theoretic hotstuff. In: OPODIS. LIPIcs, vol. 184, pp. 11–11116. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Dagstuhl, Germany (2020)

  23. Fischer, M.J., Lynch, N.A., Paterson, M.S.: Impossibility of distributed consensus with one faulty process. J. ACM 32(2), 374–382 (1985). https://doi.org/10.1145/3149.214121

    Article  MathSciNet  MATH  Google Scholar 

  24. Ben-Or, M.: Another advantage of free choice (extended abstract): completely asynchronous agreement protocols. In: Proceedings of the Second Annual ACM Symposium on Principles of Distributed Computing. PODC ’83, pp. 27–30. Association for Computing Machinery, New York, NY, USA (1983). https://doi.org/10.1145/800221.806707

  25. Patra, A., Choudhary, A., Pandu Rangan, C.: Simple and efficient asynchronous byzantine agreement with optimal resilience. In: Proceedings of the 28th ACM Symposium on Principles of Distributed Computing. PODC ’09, pp. 92–101. Association for Computing Machinery, New York, NY, USA (2009). https://doi.org/10.1145/1582716.1582736

  26. Abraham, I., Dolev, D., Halpern, J.Y.: An almost-surely terminating polynomial protocol for asynchronous byzantine agreement with optimal resilience. In: Proceedings of the Twenty-Seventh ACM Symposium on Principles of Distributed Computing. PODC ’08, pp. 405–414. Association for Computing Machinery, New York, NY, USA (2008). https://doi.org/10.1145/1400751.1400804

  27. Bangalore, L., Choudhury, A., Patra, A.: Almost-surely terminating asynchronous byzantine agreement revisited. In: Proceedings of the 2018 ACM Symposium on Principles of Distributed Computing. PODC ’18, pp. 295–304. Association for Computing Machinery, New York, NY, USA (2018). https://doi.org/10.1145/3212734.3212735

  28. Katz, J., Koo, C.: On expected constant-round protocols for byzantine agreement. Electron. Colloquium Comput. Complex. 13(028) (2006)

  29. Ben-Or, M., Canetti, R., Goldreich, O.: Asynchronous secure computation. In: Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing. STOC ’93, pp. 52–61. Association for Computing Machinery, New York, NY, USA (1993). https://doi.org/10.1145/167088.167109

  30. Ben-Or, M., Kelmer, B., Rabin, T.: Asynchronous secure computations with optimal resilience (extended abstract). In: Proceedings of the Thirteenth Annual ACM Symposium on Principles of Distributed Computing. PODC ’94, pp. 183–192. Association for Computing Machinery, New York, NY, USA (1994). https://doi.org/10.1145/197917.198088

  31. Beerliová-Trubíniová, Z., Hirt, M.: Simple and efficient perfectly-secure asynchronous mpc. In: Proceedings of the Advances in Crypotology 13th International Conference on Theory and Application of Cryptology and Information Security. ASIACRYPT’07, pp. 376–392. Springer, Berlin (2007)

  32. Hirt, M., Nielsen, J.B., Przydatek, B.: Asynchronous multi-party computation with quadratic communication. In: Aceto, L., Halldorsson, M.M., Ingolfsdottir, A. (eds.) Automata, Languages and Programming—ICALP 2008. Lecture Notes in Computer Science, vol. 5126, pp. 473–485. Springer, Berlin (2008)

    Google Scholar 

  33. Choudhury, A., Patra, A.: Optimally resilient asynchronous mpc with linear communication complexity. In: Proceedings of the 2015 International Conference on Distributed Computing and Networking. ICDCN ’15. Association for Computing Machinery, New York, NY, USA (2015). https://doi.org/10.1145/2684464.2684470

  34. Gagol, A., Lesniak, D., Straszak, D., Swietek, M.: Aleph: Efficient Atomic Broadcast in Asynchronous Networks with Byzantine Nodes (2019)

  35. Das, S., Xiang, Z., Ren, L.: Asynchronous data dissemination and its applications. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 2705–2721 (2021)

  36. Gao, Y., Lu, Y., Lu, Z., Tang, Q., Xu, J., Zhang, Z.: Efficient Asynchronous Byzantine Agreement without Private Setups (2021). arXiv:2106.07831

  37. Das, S., Yurek, T., Xiang, Z., Miller, A., Kokoris-Kogias, L., Ren, L.: Practical Asynchronous Distributed Key Generation. Cryptology ePrint Archive, Paper 2021/1591. https://eprint.iacr.org/2021/1591 (2021)

Download references

Author information

Authors and Affiliations

  1. VMware Research, Herzliya, Israel

    Ittai Abraham

  2. University College London, London, UK

    Philipp Jovanovic & Sarah Meiklejohn

  3. Ethereum Foundation, London, UK

    Mary Maller

  4. Google, London, UK

    Sarah Meiklejohn

  5. The Hebrew University in Jerusalem, Jerusalem, Israel

    Gilad Stern

  6. VMware Research, Palo Alto, CA, USA

    Alin Tomescu

Authors
  1. Ittai Abraham
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Philipp Jovanovic
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mary Maller
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Sarah Meiklejohn
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Gilad Stern
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Alin Tomescu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Gilad Stern.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Background: reliable broadcast for asynchronous systems

Background: reliable broadcast for asynchronous systems

Throughout our agreement protocol we shall use a reliable broadcast protocol. It is possible to use the recent reliable broadcast protocol of Das et al. [35] to achieve an efficiency of \({\mathcal {O}}(\lambda n^2+\left| M\right| n)\), where \(\left| M\right| \) is the number of words in the broadcasted messages and \(\lambda \) is a security parameter. For completeness, we also provide a slight adaptation of the reliable broadcast of Cachin and Tessaro [15] which applies error correcting codes to Bracha broadcast [16]. The broadcast protocol has communication complexity \({\mathcal {O}}(n^2 \log (n) + |M| n)\). It can tolerate up to \(f<\frac{n}{3}\) Byzantine adversaries and works in the asynchronous setting.

1.1 Construction

The protocol is extremely similar to Bracha’s famous reliable broadcast protocol [16]. In Bracha’s protocol, the dealer first sends a message \(\langle value,m\rangle \) to all parties. After receiving the first message from the dealer, every nonfaulty party responds with an \(\langle echo,m\rangle \) message. Then, after receiving \(n-f\) \(\langle echo,m\rangle \) messages, the parties respond with a \(\langle ready,m\rangle \) message. In addition, if some party receives \(f+1\) \(\langle ready,m\rangle \) messages and it did not send a ready message yet, it also sends a \(\langle ready, m\rangle \) message. Finally, after receiving \(n-f\) \(\langle ready,m\rangle \) messages, every party outputs m and terminates.

Unfortunately, when sending a large message M, every message sent by the parties contains all of M, yielding large communication costs. Cachin et al.’s clever approach to reducing the communication costs was employing error correction codes in the form of Reed-Solomon encoding. Instead of just sending the message \(M=(m_0,\ldots ,m_\ell )\), the dealer treats the message as coefficients of a polynomial \(p(x)=\sum _{k=0}^\ell m_k\cdot x^k\). Then for every nonfaulty party j the dealer computes a set \(P^j\) of \(\lceil \frac{\ell +1}{f+1}\rceil \) values on the polynomial p(x). Then the dealer commits to to the vector \(P=(P^i,\ldots ,P^n)\), and sends each party j the commitment com, the set \(P^j\), and a proof \(\pi ^j\) that the j’th element in the committed vector is \(P^j\) . Then, similarly to Bracha’s protocol, after receiving a message and checking that the proof is correct, every party sends an echo message with the same information. Now, after receiving \(n-f\) echo messages with the same commitment and correct proofs, every nonfaulty party j should send a ready message with the same commitment, with a set \(P^j\) values and with a proof \(\pi ^j\). However, j might not have received the set \(P^j\) and the proof \(\pi ^j\), so in order to be able to compute those values, it interpolates the points in \(f+1\) of the sets it received \((k,y_k)\) to a polynomial p of degree \(\ell \) or less, checks that the commitment is indeed a commitment to a vector \(P=(P^1,\ldots ,P^n)\) such that each \(P^k\) is a set of \(\lceil \frac{\ell +1}{f+1}\rceil \) points on the polynomial p(x), and then computes the set of points \(P^j\) that it should have received, as well as a proof \(\pi ^j\) that the j’th element in the committed vector is \(P^j\) for each one of its points. After doing that, j sends a ready message with all of that information to all parties. The exact same procedure takes place when sending a ready message after receiving \(f+1\) ready messages (except at this point it is not necessary to check that the commitment is correct). Finally, after receiving \(n-f\) ready messages, every nonfaulty party interpolates the corresponding points to a polynomial p, computes its coefficients \(m_0,\ldots ,m_\ell \), and outputs the message \(M'=(m_0,\ldots ,m_\ell )\).

figure q

Lemma 11

When a nonfaulty party tries to interpolate \(\ell +1\) pairs in either the set echoes[com] or readies[com], there are indeed \(\ell +1\) pairs in those sets. Furthermore, for any nonfaulty party, if \((x,y),(x',y')\in echoes[com]\) or \((x,y),(x',y')\in readies[com]\), then either \(x\ne x'\) or \((x,y)=(x',y')\).

Proof

The proof only deals with the set echoes[com]. The exact same arguments can be made for readies[com]. A nonfaulty party tries to interpolate \(\ell +1\) pairs in the set echoes[com] when it finds that \(\left| echoes[com]\right| \ge (n-f)\cdot c\ge (f+1)\cdot c\), for \(c=\lceil \frac{\ell +1}{f+1}\rceil \). Substituting c: \(\left| echoes[com]\right| \ge (f+1)\cdot \lceil \frac{\ell +1}{f+1}\rceil \ge (f+1)\cdot \frac{\ell +1}{f+1}=\ell +1\). For the second part of the lemma, a nonfaulty party only adds elements of the form \(((j-1)\cdot c+k,p_{j,k})\) to echoes[com] such that \(k\in [c]\) after receiving an echo message from party j. However, for any pair \(j,j'\in {\mathbb {N}}\) such that \(j\ne j'\) and \(k,k'\in [c]\), it cannot be the case that \((j-1)\cdot c+k=(j'-1)\cdot c+k'\) because the distance between \((j-1)\cdot c\) and \((j'-1)\cdot c\) is at least c. \(\square \)

Lemma 12

If two nonfaulty parties ij send the messages \(\langle ready, com, P_i,\pi _i\rangle \) and \(\langle ready, com', P_j,\pi _j\rangle \), then \(com=com'\).

Proof

Let \(i',j'\) be the first nonfaulty parties that sent messages with the values \(com,com'\) respectively. Since \(i'\) is the first nonfaulty party to send such a message, it couldn’t have received a \(\langle ready, com, P^k, \pi ^k\rangle \) message from any party other than the f faulty parties before sending such a message. The only other way for \(i'\) to send such a message is after finding that \(\left| echoes[com]\right| \ge (n-f)\cdot c\). Since \(i'\) adds c elements to echoes[com] after receiving an \(\langle echo, com, P_k,\pi _k\rangle \) from party k, this means it received such echo messages from \(n-f\) parties. Similarly, \(j'\) received an \(\langle echo, com', P_k,\pi _k\rangle \) message from \(n-f\) parties. Since \(2(n-f)=n+(n-2f)\ge n+f+1\), \(i'\) and \(j'\) received those ready messages from at least \(f+1\) common parties, and at least one of those parties is nonfaulty. Note that if some nonfaulty party sends an echo message it sends the same one to all parties, and thus \(com=com'\). \(\square \)

Lemma 13

Let \(c=\lceil \frac{\ell +1}{f+1} \rceil \) be defined as it is in the protocol. If a nonfaulty party i sends the message \(\langle ready, com, P_i,\pi _i\rangle \), then \(\left| P_i\right| =c\) and \(\mathsf {Open}\mathsf {Verify}(com,P_i,i,\pi _i)=1\).

Proof

Party i only sends the message \(\langle ready, com, P_i,\pi _i\rangle \) if it finds that \(\left| echoes[com]\right| \ge (n-f)\cdot c\) or if it finds that \(\left| readies[com]\right| \ge (f+1)\cdot c\). This can only happen as a result of receiving messages of the form \(\langle echo, com, P_j,\pi _j\rangle \) from \(n-f\) parties, or messages of the form \(\langle ready, com, P_j,\pi _j\rangle \) from \(f+1\) parties which pass verification tests. This is because whenever i updates either of its echoes or readies sets, it adds exactly c elements to them. If i sent the message after receiving \(n-f\) echo messages, then i first interpolates \(\ell +1\) of the points \((k,y_k)\in echoes[com]\) to a polynomial \(p'\), for every \(j\in [n]\) computes \(P'_j=(p((j-1)\cdot c+1),\ldots , p(j\cdot c))\), sets \(P'=(P'_1,\ldots ,P'_n)\), and then checks that \(\mathsf {Commit}(P')=com\). It then computes \(\pi _i =\mathsf {Open}\mathsf {Prove}(P',i)\) and sends the message \(\langle ready, com, P'_i,\pi _i\rangle \). Note that in that case, com is indeed a commitment to \(P'\), so \(\mathsf {Open}\mathsf {Verify}(com,P'_i,i,\pi _i)=1\). On the other hand, if i sent the message after receiving \(f+1\) ready messages, then at least one of those messages was received from a nonfaulty party. Observe the first nonfaulty party j that sent a \(\langle ready, com, P_j, \pi _j\rangle \) message. No nonfaulty party has sent a ready message with the value com at the time j sent the message, so it could have only received ready messages with the value com from the f faulty parties, and thus \(\left| readies[com]\right| \le f\cdot c\). This means that before sending the message, it received \(n-f\) messages of the form \(\langle echo,com,P_k,\pi _k\rangle \), interpolated \(\ell +1\) of the values in its echoes[com] set to a polynomial \(p'\), for every \(l\in [n]\) computed \(P'_l=(p'((l-1)\cdot c+1),\ldots p'(l\cdot c))\) and found that \(\mathsf {Commit}((P'_1,\ldots ,P'_n))=com\). Since interpolating \(\ell +1\) points always yields a polynomial of degree \(\ell \) or less, this means that com is a commitment to n sets of c points on the polynomial \(p'\), which is of degree \(\ell \) or less. Now, before sending the ready message, i receives \(f+1\) messages of the form \(\langle ready, com, P_j, \pi _j\rangle \) such that \(\forall \mathsf {Open}\mathsf {Verify}(com, P_j, j, \pi _j)=1\), and thus each such \(P_j\) is a set of c points on the polynomial \(p'\). More precisely, \(P_j=(p'((j-1)\cdot c+1),\ldots ,p'(j\cdot c))\). Party i then interpolates \(\ell +1\) of the pairs \((k,p'(k))\in readies[com]\) to a polynomial, and since \(p'\) is of degree \(\ell \) or less, that polynomial must be \(p'\). Finally, i computes \(P'_j=(p'((j-1)\cdot c+1),\ldots ,p'(j\cdot c))\) for every \(j\in [n]\), \(P'=(P'_1,\ldots ,P'_n)\) and \(\pi _i=(\mathsf {Open}\mathsf {Prove}(P',i))\). After computing those values, i sends \(\langle ready,com,P'_i,\pi _i\rangle \) to all parties. Clearly, in this case \(\left| P'_i\right| =c\). In addition, since com is a commitment to \(P'\), it is also the case that \(\mathsf {Open}\mathsf {Verify}(com, P'_i,i,\pi _i)=1\). \(\square \)

Theorem 10

Protocol RB is a reliable broadcast protocol resilient to \(f<\frac{n}{3}\) Byzantine parties.

Proof

We will prove each property separately. In the proof, let \(c=\lceil \frac{\ell +1}{f+1}\rceil \), as defined in the protocol.

Validity If the dealer is nonfaulty, it computes \(p(x)=\sum _{k=0}^\ell m_k\cdot x^k\), computes \(P_j=(p((j-1)\cdot c+1),\ldots p(j\cdot c))\) for every \(j\in [n]\) and sets \(P=(P_1,\ldots P_n)\). Afterwards, the dealer computes \(com=\mathsf {Commit}(P)\) and then for every party j it computes \(\pi _j=\mathsf {Open}\mathsf {Prove}(P,j)\), and sends j the message \(\langle value, com, P_j, \pi _j\rangle \). Every nonfaulty party j that sends an echo message does so after receiving the previous message and sends the message \(\langle echo, com, P_j, \pi _j\rangle \). The nonfaulty parties send only one echo message, so every nonfaulty party receives no more than f messages of the form \(\langle echo, com', P_k, \pi _k\rangle \) with \(com'\ne com\). Assume by way of contradiction some nonfaulty party sends a ready message \(\langle ready, com', P', \pi '\rangle \) with \(com'\ne com\), and let j be the first nonfaulty party that doe so. Since j is the first nonfaulty party to send such a message, at the time it sent the message it could have only received \(\langle ready, com', P_k, \pi _k\rangle \) message with \(com'\ne com\) from the f faulty parties. Note that i can either add exactly c elements to \(echoes[com']\) or no elements at all after receiving each of those messages, and thus at that time \(\left| echoes[com']\right| \le f\cdot c<(n-f)\cdot c\). This means j must have sent the message as a result of finding that \(\left| echoes[com]\right| \ge (n-f)\cdot c\), which could only happen after receiving \(\langle echo, com', P_j, \pi _j\rangle \) messages from \(n-f\) parties. However, \(n-f\ge f+1\), so at least one of those parties is nonfaulty. As discussed above, every nonfaulty party that sends an echo message sends one with the value \(com\ne com'\), reaching a contradiction. Now observe some nonfaulty party i that completes the protocol. Before doing so, it found that for some \(com'\) \(\left| readies[com']\right| \ge (n-f)\cdot c\). Party i adds exactly c elements to \(readies[com']\) after receiving \(\langle ready,com',P_j,\pi _j\rangle \) from some party j that passes some verification tests. As shown above, no more than f such messages could have been sent for any \(com'\ne com\), in which case \(\left| readies[com']\right| \le c\cdot f<(n-f)\cdot c\), so \(com'=com\). Any pair \(((j-1)\cdot c+k,p_{j,k})\) that i added to readies[com] was added after finding that \(\mathsf {Open}\mathsf {Verify}(com,P_j,j,\pi _j)=1\) and parsing \(P_j\) as \((p_{j,1},\ldots ,p_{j,c})\). Seeing as com is a commitment to \((P_i,\ldots ,P_n)\), it must be the case that \(p_{j,k}=p((j-1)\cdot c+k)\). Now, before completing the protocol i interpolates \(\ell +1\) points (mp(m)) on the polynomial p of degree \(\ell \) or less, and thus it computes p, then computes its coefficients \(m_0,\ldots ,m_\ell \), and finally outputs \(M=(m_0,\ldots ,m_\ell )\).

Agreement Let i, j be two nonfaulty parties that output the messages \(M,M'\) respectively. Before outputting those messages, i found that for some value com \(\left| readies[com]\right| \ge (n-f)\cdot c\). This means that i received a message of the form \(\langle ready, com, P_k, \pi _k\rangle \) from \(n-f\) parties such that for each one \(\mathsf {Open}\mathsf {Verify}(com,P_k,k,\pi _k)=1\). The same can be said about j having received similar messages with some value \(com'\). Since \(2(n-f)=n+(n-2f)\ge n+f+1\), i and j received the aforementioned messages from at least \(f+1\) common parties, at least one of which is nonfaulty. Note that every nonfaulty party sends only one ready message to all parties throughout the protocol (with the same content), so \(com=com'\).

Observe the first nonfaulty party \(i^*\) that sent a ready message with the commitment com. At that time, \(i^*\) could have received no more than f ready messages with the commitment com, and as discussed in the proof of the Validity property, this means that \(\left| readies[com]\right| \le f\cdot c<(f+1)\cdot c\). This means that \(i^*\) decided to send the message after finding that \(\left| echoes[com]\right| \ge (n-f)\cdot c\), interpolated \(\ell +1\) of the values \((k,y_k)\in echoes[com]\) to a polynomial \(p'\), computed \(P'_k=(p'((k-1)\cdot c+1),\ldots ,p'(k\cdot c))\) for every \(k\in [n]\). It then set \(P'=(P'_1,\ldots ,P'_k)\) and found that \(\mathsf {Commit}(P')=com\). Since interpolating \(\ell +1\) points always yields a polynomial of degree \(\ell \) or less, this means that com is a commitment to n sets of c points on a polynomial of degree \(\ell \) or less. Now, before outputting M and \(M'\), i and j found that \(\left| readies[com]\right| \ge (n-f)\cdot c\). Again, as discussed above, this could only happen after receiving \(n-f\) messages of the form \(\langle ready, com, P_k, \pi _k\rangle \) such that \(\left| P_k\right| ==c\) and \(\mathsf {Open}\mathsf {Verify}(com,P_k,k,\pi _k)=1\). \(P_k\) is a commitment to a vector of c points on \(p'\), and thus \(P_k=(p'((j-1)\cdot c+1),\ldots ,p'(j\cdot c))\). Therefore, after receiving those messages, both i and j add \(((k-1)\cdot c+l,p'((k-1)\cdot c+l))\) to readies[com] for every \(l\in [c]\). Those are the only values added to the set readies, so for every \((k,y_k)\in readies[com]\), \(y_k=p'(k)\). Choosing any \(\ell +1\) points \((k,y_k)\in readies[com]\), both i and j then compute the same polynomial \(p'(x)=\sum _{i=0}^\ell m'_i\cdot x^i\), and output the same message \((m'_0,\ldots ,m'_\ell )\).

Termination If the dealer is nonfaulty, it computes \(p(x)=\sum _{k=0}^\ell m_k\cdot x^k\) and computes \(P_j=(p((j-1)\cdot c+1),\ldots ,p(j\cdot c))\) for every party \(j\in [n]\). The dealer then sets \(P=(P_1,\ldots ,P_n)\), computes \(com=\mathsf {Commit}(P)\) and then for every party j it computes \(\pi _j=\mathsf {Open}\mathsf {Prove}(P,j)\) and sends j the message \(\langle value, com, P_j, \pi _j\rangle \). Every nonfaulty party then receives that message, finds that \(\left| P^j\right| =c\) and \(\mathsf {Open}\mathsf {Verify}(com,P_j,j,\pi _j)=1\) and sends an \(\langle echo, com, P_j, \pi _j\rangle \) message to all parties. Every nonfaulty eventually receives an \(\langle echo, com, P_j,\pi _j\rangle \) message from every nonfaulty party, finds that the same conditions hold, parses \(P_j\) as \((p_{j,1},\ldots ,p_{j,c})\) and adds \(((j-1)\cdot c+k,p_{j,k})\) to echoes[com] for every \(k\in [c]\). After doing that, every nonfaulty party j finds that \(\left| echoes[com]\right| \ge (n-f)\cdot c\), and if it hasn’t sent a ready message yet, it interpolates \(\ell +1\) points in echoes[com] to a polynomial \(p'\) and sends a ready message. From Lemma 12, all of the ready messages sent by nonfaulty parties have the same value com, and from Lemma 13, if a nonfaulty party sends a message \(\langle ready, com, P_j, \pi _j\rangle \) then \(\mathsf {Open}\mathsf {Verify}(com,P_j,j,\pi _j)=1\) and \(\left| P_j\right| =c\) for every one of those messages. Therefore, after receiving each of those messages, every nonfaulty party updates its readies[com] set and adds c elements to it. After adding c such elements for every nonfaulty j, every nonfaulty party finds that \(\left| readies[com]\right| \ge (n-f)\cdot c\), performs some local computations, and completes the protocol.

For the second part of the property, if some nonfaulty party completes the protocol it received \(n-f\) messages of the form \(\langle ready,com,P_j,\pi _j\rangle \) with the same value com such that \(\mathsf {Open}\mathsf {Verify}(com,P_j,j,\pi _j)=1\) and \(\left| P^j\right| =c\). Out of those \(n-f\) messages, at least \(n-2f\ge f+1\) were sent by nonfaulty parties. Every nonfaulty party eventually receives those \(f+1\) messages, finds the same conditions hold, and adds c elements to readies[com]. After adding c elements for every one of those \(f+1\) parties, every nonfaulty i sees that \(\left| readies[com]\right| \ge (f+1)\cdot c\), performs some local computations and sends a message \(\langle ready, com, P_i,\pi -i\rangle \) itself, if it hasn’t done so earlier. From Lemma 12, every nonfaulty party that sent a ready message previously also sent one with the same value com. From Lemma 13, \(\mathsf {Open}\mathsf {Verify}(com,P_i,i,\pi _i)=1\) and \(\left| P^i\right| =c\), so after receiving those messages, every nonfaulty party adds c elements to readies[com]. Finally, after adding c elements to readies[com] for every nonfaulty party, every nonfaulty party finds that \(\left| readies[com]\right| \ge (n-f)\cdot c\), performs some local computations, and completes the protocol. \(\square \)

1.2 Proof of Theorem 5

Proof

Let the number of words in the message be \(\ell +1\). Throughout the protocol, the dealer starts by sending a single message to every party containing a commitment and \(O(\frac{\ell }{n})\) words and proofs. Then, every party sends at most one echo message and one ready message containing a commitment, a proof and a set containing \(O(\frac{\ell }{n})\) words. Overall, there are \(O(n^2)\) messages, each containing c words for the commitment, p words for the proof and \(O(\frac{\ell }{n})\) additional words. This yields a total of \(O(n^2\cdot (c+p)+\frac{\ell }{n}\cdot n^2)=O(n^2\cdot (c+p)+\ell \cdot n)\) words. \(\square \)

The protocol can trivially be turned into a Validated Reliable Broadcast protocol, VRB, by only having parties output \(m'\) in line 45 after checking that \(\mathsf {validate}(m')=1\). This clearly makes the additional part of the Validity property hold, and doesn’t change the rest of the proof for the Validity and Correctness properties. In the proof of the Termination property, first we can note that if some nonfaulty party were to output a message \(M'\) when the dealer is nonfaulty, then from the Validity property it must be the case that \(M'=M\). This means that if the dealer does have an input M such that \(\mathsf {validate}(M)=1\), all nonfaulty parties would reach that point in the protocol, see that \(\mathsf {validate}(M)=1\), and terminate. In addition, if some nonfaulty party completes the protocol, it must have output some value some \(M'\) such that \(\mathsf {validate}(M')=1\). Using the exact same arguments as the one in the proof of the Termination property, all nonfaulty parties eventually reach the end of the protocol. From the Correctness property, they reach the end of the protocol with the same message \(M'\), and thus when checking if \(\mathsf {validate}(M')=1\) they all see that the condition holds and output \(M'\).

Rights and permissions

Springer Nature or its licensor holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Abraham, I., Jovanovic, P., Maller, M. et al. Reaching consensus for asynchronous distributed key generation. Distrib. Comput. 36, 219–252 (2023). https://doi.org/10.1007/s00446-022-00436-8

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00446-022-00436-8

Keywords

Search

Navigation