Communication Complexity. The most expensive steps in the protocol are the run of BA(κ) in Step 1 (which itself consists of κ parallel runs of BA(1)) and the distribution of the long blocks in Step 2. The costs for Step 1 are bounded as O(κ6 · n) since every run of BA(1) costs O(κ5 · n). The costs for Step 2 are bounded by O(l · n). Overall, we obtain a complexity of O(n · l + κ6 · n).
Communication Complexity. Our protocol incurs a communication com- plexity of O(n4(κ + r log(r))) bits, where κ is the size of a signature and r is the number of rounds. Using threshold signatures for the (conditional) graded broadcast primitive, we can save a linear factor n. It remains open to explore solutions with improved communication.
Communication Complexity. Let |S| be a bound on the encoding of the union of the input sets, |r| a bound on the encoding of the round number and λH a bound on the output of a collision-resistant hash. Denote BCost(L) the cost of 5-graded gossip for an L-bit message. Let TCost(L) denote the communication cost of 5-graded f -threshold gossiping a set with encoding size L, and GCost(L) the communication cost of gradecasting an L-bit message.
Communication Complexity. It is the total number of bits communicated by the honest parties in the protocol; (c)
Communication Complexity. We briefly explain the notions from commu- nication complexity we use. For formal definitions, background and more details, see the textbook [44]. For a function f and a distribution µ on its inputs, define Dµ(f ) as the minimum communication complexity of a protocol that correctly computes f with error 1/3 over the inputs from µ. Define D×(f ) = max Dµ(f ): µ is a product distribution . Define the unbounded error communication complexity U (f ) of f as the minimum communication complexity of a randomized private-coin8 protocol that correctly computes f with probability strictly larger than 1/2 on every input. The two works [64] and [63] showed that there are functions with small distribu- tional communication complexity under product distributions, and large unbounded error communication complexity. In [64] the separation is as strong as possible but it is not for an explicit function, and the separation in [63] is not as strong but the underlying function is explicit. 6Interestingly, their motivation for considering sign rank comes from image processing. 7The paper [49] considered a different type of combinatorial description from [14] and [18], and therefore considered a different formulation of the stretchability problem. However, it is possible to transform between these descriptions in polynomial time. 8In the public-coin model every boolean function has unbounded communication complexity at most two. The matrix A with d = 2 and n ≥ 3 in our example from § 2.2 corresponds to the following communication problem: Xxxxx gets a point p ∈ P , Bob gets a line ℓ ∈ L, and they wish to decide whether p ∈ ℓ or not. Let f : P × L → {0, 1} be the corresponding function and let m = log2(N ) . A trivial protocol would be that Xxxxx sends Bob the name of her point using m bits, Bob checks whether it is incident to the line and outputs accordingly. Theorem 7 implies the following consequences. Even if we consider protocols that use randomness and are allowed to err with probability less than but arbitrarily close to 1/2, then still one cannot do considerably better than the above trivial protocol. However, if the input (p, ℓ) P L is distributed according to a product distribution then there exists an O(1) protocol that errs with probability at most 1/3.
Communication Complexity. The leader nomination phase consists of n concurrent proposal promotion instances, each of which incurs O(n) communication complexity due to the linear communication complexity of ( n + 1)-Provable-Broadcast (Theorem 3). Then, prior to the leader election phase, each party sends a constant number of constant-sized messages to each of the other parties. The elect function incurs O(n2) communication complexity. In the view-change phase, each party sends a constant number of constant-sized messages to each of the other parties. Lastly, the protocol requires constant rounds in expectation (Lemma 7).
Communication Complexity. In the off-chain part of our protocol, r can be generated in 3 rounds (see Appendix A) of which, the last round can be used to send Ksamp. Then, one more round is required to transfer descx, so that it makes 4 rounds in total. The protocol continues with the on-chain part, which can be executed in 3 rounds, where messages are exchanged with the blockchain.
Communication Complexity. The most expensive steps in the protocol are the run of BA(κ) in Step 1 (which itself consists of κ parallel runs of BA(1)) and the distribution of the long blocks in Step 2. The costs for Step 1 are bounded as O(κ3 · n) since every run of BA(1) costs O(κ2 · n). The costs for Step 2 are bounded by O(l · n). Overall, we obtain a complexity of O(n · l + κ3 · n). 5 Adaptively Secure Asynchronous Communication-Efficient Protocol for Long Messages We briefly recall the asynchronous adaptively-secure BA protocol of Blum et al. [3]. As for the previous protocol, the step of each round i is performed by a randomly chosen committee Ci, who reveals itself only when it is their turn to speak in the protocol. Again, we assume that parties are endowed (via some trusted setup) with efficient routines ComProve and ComVer that allow to prove and verify committee membership. The remaining accumulator setup is as for ΠsprABA and we also reuse the routines Encode and Rec introduced in the previous section. Again, we run two versions of the protocol, the first is for κ-valued messages and denoted as ABA(κ), the other for binary-valued messages, and denoted as ABA(1). Since the protocol in [3] is binary, we simply run it κ many times in parallel to agree on a κ bit message. As before, we choose the committees with expected size cκ. Protocol ΠsprABA Let tκ = |(1 + ε) · κ ∫. The protocol is described from the point of view of party Pi who holds an l-bit input message mi.
Communication Complexity n+1 rounds, 2n− 1 messages (2 per mem- ber Ui, i ƒ= {n− 1, n}; 1 message + 1 broadcast for Un−1, 1 broadcast for Un), O(log2 max(g) ) msg. size SECURITY: Passive (DDH/GDH assumption) PUBLIC DOMAIN PARAMETERS: g of prime order q such that G = (g) Every member Xx chooses a random xi and executes the following: ROUND i; i ∈ [1, n − 1]:
Communication Complexity. Let |S| be a bound on the encoding of the union of the input sets, |r| a bound on the encoding of the round number and λH a bound on the output of a collision-resistant hash. Denote BCost(L) the cost of 5-graded gossip for an L-bit message. Let TCost(L) denote the communication cost of 5-graded f -threshold gossiping a set with encoding size L, and GCost(L) the communication cost of gradecasting an L-bit message. Theorem 4.12. Let n be an upper bound on the number of participating public keys with non-zero grades (i.e., those eligible to generate messages in the protocol), n′ an upper bound on the number of participating propose-round keys and p a lower bound on the probability that an iteration elects an honest leader. The communication complexity of the BA protocol, such that the probability of choosing an honest leader in each iteration is at least p, is at most n · TCost(|S|) + (1 + 1/p) · 2n · TCost(λH) + n′ · GCost(|S|) .
