Communication Complexity. The most expensive steps in the protocol are the run of BA(κ) in Step 1 (which itself consists of κ parallel runs of BA(1)) and the distribution of the long blocks in Step 2. The costs for Step 1 are bounded as $O(\kappa^6 \cdot n)$ since every run of BA(1) costs $O(\kappa^5 \cdot n)$. The costs for Step 2 are bounded by $O(l \cdot n)$. Overall, we obtain a complexity of $O(n \cdot l + \kappa^6 \cdot n)$.
Communication Complexity. Our protocol incurs a communication complexity of $O(n^4(\kappa + r \log(r)))$ bits, where κ is the size of a signature and r is the number of rounds. Using threshold signatures for the (conditional) graded broadcast primitive, we can save a linear factor n. It remains open to explore solutions with improved communication.
Communication Complexity. We briefly explain the notions from communication complexity we use. For formal definitions, background and more details, see the textbook [44].

For a function $f$ and a distribution $\mu$ on its inputs, define $D_\mu(f)$ as the minimum communication complexity of a protocol that correctly computes $f$ with error 1/3 over the inputs from $\mu$. Define $D^\times(f) = \max\{D_\mu(f) : \mu \text{ is a product distribution}\}$. Define the unbounded error communication complexity $U(f)$ of $f$ as the minimum communication complexity of a randomized private-coin (see footnote 8) protocol that correctly computes $f$ with probability strictly larger than 1/2 on every input.

The two works [64] and [63] showed that there are functions with small distributional communication complexity under product distributions, and large unbounded error communication complexity. In [64] the separation is as strong as possible but it is not for an explicit function, and the separation in [63] is not as strong but the underlying function is explicit.

Footnote 6: Interestingly, their motivation for considering sign rank comes from image processing.

Footnote 7: The paper [49] considered a different type of combinatorial description from [14] and [18], and therefore considered a different formulation of the stretchability problem. However, it is possible to transform between these descriptions in polynomial time.

Footnote 8: In the public-coin model every boolean function has unbounded communication complexity at most two.

The matrix $A$ with $d = 2$ and $n \ge 3$ in our example from § 2.2 corresponds to the following communication problem: Alice gets a point $p \in P$, Bob gets a line $\ell \in L$, and they wish to decide whether $p \in \ell$ or not. Let $f : P \times L \to \{0, 1\}$ be the corresponding function and let $m = \lceil \log_2(N) \rceil$. A trivial protocol would be that Alice sends Bob the name of her point using $m$ bits, Bob checks whether it is incident to the line and outputs accordingly.

Theorem 7 implies the following consequences. Even if we consider protocols that use randomness and are allowed to err with probability less than but arbitrarily close to 1/2, then still one cannot do considerably better than the above trivial protocol. However, if the input $(p, \ell) \in P \times L$ is distributed according to a product distribution then there exists an $O(1)$ protocol that errs with probability at most 1/3.
Communication Complexity. It is the total number of bits communicated by the honest parties in the protocol; (c)
Communication Complexity. The most expensive steps in the protocol are the run of BA(κ) in Step 1 (which itself consists of κ parallel runs of BA(1)) and the distribution of the long blocks in Step 2. The costs for Step 1 are bounded as $O(\kappa^3 \cdot n)$ since every run of BA(1) costs $O(\kappa^2 \cdot n)$. The costs for Step 2 are bounded by $O(l \cdot n)$. Overall, we obtain a complexity of $O(n \cdot l + \kappa^3 \cdot n)$.

5 Adaptively Secure Asynchronous Communication-Efficient Protocol for Long Messages

We briefly recall the asynchronous adaptively-secure BA protocol of Blum et al. [3]. As for the previous protocol, the step of each round i is performed by a randomly chosen committee $C_i$, who reveals itself only when it is their turn to speak in the protocol. Again, we assume that parties are endowed (via some trusted setup) with efficient routines ComProve and ComVer that allow them to prove and verify committee membership. The remaining accumulator setup is as for ΠsprABA and we also reuse the routines Encode and Rec introduced in the previous section. Again, we run two versions of the protocol: the first is for κ-valued messages and denoted as ABA(κ), the other is for binary-valued messages and denoted as ABA(1). Since the protocol in [3] is binary, we simply run it κ many times in parallel to agree on a κ-bit message. As before, we choose the committees with expected size cκ.

Protocol ΠsprABA

Let tκ = |(1 + ε) · κ ∫. The protocol is described from the point of view of party $P_i$ who holds an l-bit input message $m_i$.
Communication Complexity. The leader nomination phase consists of n concurrent proposal promotion instances, each of which incurs O(n) communication complexity due to the linear communication complexity of ( n + 1)-Provable-Broadcast (Theorem 3). Then, prior to the leader election phase, each party sends a constant number of constant-sized messages to each of the other parties. The elect function incurs $O(n^2)$ communication complexity. In the view-change phase, each party sends a constant number of constant-sized messages to each of the other parties. Lastly, the protocol requires constant rounds in expectation (Lemma 7).
Communication Complexity. In the off-chain part of our protocol, r can be generated in 3 rounds (see Appendix A), of which the last round can be used to send Ksamp. Then, one more round is required to transfer descx, which makes 4 rounds in total. The protocol continues with the on-chain part, which can be executed in 3 rounds, where messages are exchanged with the blockchain.
Communication Complexity. To avoid the use of n different instances of binary agreement, we adapt the approach of external validity to the information-theoretic setting. External validity [12] is a very successful framework in the authenticated setting for multi-valued agreement. To adapt it to the information-theoretic setting, we define the notion of an asynchronous validity predicate, which is an information-theoretic asynchronous alternative to external validity functions. Such predicates act “like functions”, but the results are delivered asynchronously. That is, if a value is valid, all parties will eventually see that it is, but otherwise they might not receive any output from the predicate. We then construct an agreement protocol with an asynchronous validity predicate. To adopt this approach of using an asynchronous validity predicate, we first extend the use of information-theoretic protocols [5] from partial synchrony to asynchrony. This requires using asynchronous verifiable secret sharing to randomly choose leaders. Since we do not have a perfect leader election mechanism, we use the techniques of [3] that build a weaker notion of proposer election and adapt them to the information-theoretic setting. Among other things, this requires re-formulating the gather primitive to support non-cryptographic primitives and changing the HotStuff variant to support a non-cryptographic asynchronous view change protocol.
Communication Complexity: $n+1$ rounds, $2n-1$ messages (2 per member $U_i$, $i \notin \{n-1, n\}$; 1 message + 1 broadcast for $U_{n-1}$, 1 broadcast for $U_n$), $O(\log_2 \max(g))$ msg. size

SECURITY: Passive (DDH/GDH assumption)

PUBLIC DOMAIN PARAMETERS: $g$ of prime order $q$ such that $G = \langle g \rangle$

Every member $U_i$ chooses a random $x_i$ and executes the following:

ROUND i; $i \in [1, n-1]$:
Communication Complexity. As shown in Figure 4, the join protocol of DACGKA uses two messages (one unicast and one broadcast) on new member join.

Figure 3. Comparative analysis on computation of ECDLP-based protocols for member join group key.

Figure 4. Comparative analysis on communication of ECDLP-based protocols for member join group key.

Figure 5. Comparative analysis on computation of ECDLP-based protocols for member leave group key.

Figure 6. Comparative analysis on communication of ECDLP-based protocols for member leave group key.