Reaching Consensus for Asynchronous Distributed Key Generation

Abstract: We give a protocol for Asynchronous Distributed Key Generation (A-DKG) that is optimally resilient (can withstand < 3 faulty parties), has a constant expected number of rounds, has ˜ ( 3 ) expected communication complexity, and assumes only the existence of a PKI. Prior to our work, the best A-DKG protocols required Ω ( ) expected number of rounds, and Ω ( 4 ) expected communication.Our A-DKG protocol relies on several building blocks that are of independent interest. We define and design a Proposal Election (… Show more

“…As illustrated in Table 1, it closes the O(n) gap between the message and the communication complexities in the earlier private-setup free ABA protocols such as CKLS02 [11], while preserving other benefits such as the maximal n/3 resilience and the optimal expected constant running time. Even comparing with a very recent work due to Abraham et al [2] that presents a more efficient VBA construction and improves ABA as a by-product, 2 our approach still realizes a log n factor improvement. The crux of our design is a novel efficient construction for the reasonably fair common coin in the bulletin PKI setting (conditioned on the random oracle model), with using the more efficient AVSS protocol and verifiable random function.…”

“…The idea is simple: every party signs and multicasts its input bit, then each one solicits a vector of n − f input-signature pairs from distinct parties, and feeds the vector into VBA, such that VBA would return to everyone the common vector of n − f signed bits, the majority of which becomes the ABA output. Therefore, the very recent VBA protocol in [2] also improves ABA in the setting with only public key infrastructure. O(1) KMS20 [25] O(λn 4 )…”

“…O(1) † Note that AJM+21 [2] did not present any explicit constructions for the reasonably fair common coin and leader election. Nevertheless, this very recent work gave an asynchronous distributed key generation protocol with O(λn 3 log n) bits and expected constant running time, which can potentially bootstrap threshold verifiable random function and can faithfully set up common coin and leader election schemes.…”

“…Noticeably, the design requires a strengthened AVSS notion with high-threshold secrecy, which specifies that the adversary shall not learn the secret "committed" during the sharing phase, unless n − 2f honest parties tried to reconstruct the secret (where f is the number of probably corrupted parties). 1 In a very recent breakthrough, Abraham et al [2] presented an elegant (validated) agreement protocol that avoids private setups to tolerate asynchronous network and maximal n/3 Byzantine corruptions in the presence of a bulletin PKI that only aids in the registration and broadcast of public keys. For λn-bit input, it spends O(λn 3 log n) bits, O(n 3 ) messages, and expected constant running time.…”

“…

Though recent breakthroughs have greatly improved the efficiency of asynchronous Byzantine agreement protocols, they mainly focused on the setting with private setups, e.g., assuming a trusted dealer to establish non-interactive threshold cryptosystems. Challenges remain to reduce the large communication complexities in the absence of private setups, for example: (i) for asynchronous binary agreement (ABA) with optimal resilience, prior private-setup free protocols (Cachin et al, CCS' 2002; Kokoris-Kogias et al, CCS' 2020) have to incur O(λn 4 ) bits and O(n 3 ) messages; (ii) for asynchronous multi-valued agreement with external validity (VBA), Abraham et al [2] very recently gave the first elegant construction with O(n 3 ) messages, relying on only public key infrastructure (PKI), but the design still costs O(λn 3 log n) bits. Here n is the number of participating parties and λ is the cryptographic security parameter.

…”

Efficient Asynchronous Byzantine Agreement without Private Setups

“…As illustrated in Table 1, it closes the O(n) gap between the message and the communication complexities in the earlier private-setup free ABA protocols such as CKLS02 [11], while preserving other benefits such as the maximal n/3 resilience and the optimal expected constant running time. Even comparing with a very recent work due to Abraham et al [2] that presents a more efficient VBA construction and improves ABA as a by-product, 2 our approach still realizes a log n factor improvement. The crux of our design is a novel efficient construction for the reasonably fair common coin in the bulletin PKI setting (conditioned on the random oracle model), with using the more efficient AVSS protocol and verifiable random function.…”

“…The idea is simple: every party signs and multicasts its input bit, then each one solicits a vector of n − f input-signature pairs from distinct parties, and feeds the vector into VBA, such that VBA would return to everyone the common vector of n − f signed bits, the majority of which becomes the ABA output. Therefore, the very recent VBA protocol in [2] also improves ABA in the setting with only public key infrastructure. O(1) KMS20 [25] O(λn 4 )…”

“…O(1) † Note that AJM+21 [2] did not present any explicit constructions for the reasonably fair common coin and leader election. Nevertheless, this very recent work gave an asynchronous distributed key generation protocol with O(λn 3 log n) bits and expected constant running time, which can potentially bootstrap threshold verifiable random function and can faithfully set up common coin and leader election schemes.…”

“…Noticeably, the design requires a strengthened AVSS notion with high-threshold secrecy, which specifies that the adversary shall not learn the secret "committed" during the sharing phase, unless n − 2f honest parties tried to reconstruct the secret (where f is the number of probably corrupted parties). 1 In a very recent breakthrough, Abraham et al [2] presented an elegant (validated) agreement protocol that avoids private setups to tolerate asynchronous network and maximal n/3 Byzantine corruptions in the presence of a bulletin PKI that only aids in the registration and broadcast of public keys. For λn-bit input, it spends O(λn 3 log n) bits, O(n 3 ) messages, and expected constant running time.…”

“…

Though recent breakthroughs have greatly improved the efficiency of asynchronous Byzantine agreement protocols, they mainly focused on the setting with private setups, e.g., assuming a trusted dealer to establish non-interactive threshold cryptosystems. Challenges remain to reduce the large communication complexities in the absence of private setups, for example: (i) for asynchronous binary agreement (ABA) with optimal resilience, prior private-setup free protocols (Cachin et al, CCS' 2002; Kokoris-Kogias et al, CCS' 2020) have to incur O(λn 4 ) bits and O(n 3 ) messages; (ii) for asynchronous multi-valued agreement with external validity (VBA), Abraham et al [2] very recently gave the first elegant construction with O(n 3 ) messages, relying on only public key infrastructure (PKI), but the design still costs O(λn 3 log n) bits. Here n is the number of participating parties and λ is the cryptographic security parameter.

…”

Efficient Asynchronous Byzantine Agreement without Private Setups