Lemma 4. If there is a time t after which a correct proposer pi in state proposing cannot execute Line 31, then xx eventually decides.
Lemma 4. 3.1 Let O be an imaginary quadratic order and let m be an odd prime number. Then O = Z[σ] for some σ ∈ O of norm coprime to m. Proof. Let τ ∈ O be a generator of O, suppose of norm divisible by m. Then for any k ∈ Z, N (τ + k) = N (τ ) + k(tr(τ ) + k) ≡ k(tr(τ ) + k) mod m. Since m ≥ 3 we can thus always find k ∈ Z such that m ∤ N (τ + k).
Lemma 4. 1 of Section 4) For all r > 0, every process p, and every correct process q, if p executes round r until the end, then q executes round r until the end. Proof (sketch): This follows from a simple induction on r. We only proof the inductive step: assume that the lemma holds for r − 1, and that p executes round r > 1 until the end; we show that every correct process executes round r until the end. From the inductive hypothesis, all cor- rect processes execute round r− 1 until the end, and so, execute W-ABroadcast(r, −) in round r. From validity of the ordering oracles, all correct processes eventually execute W-ADeliver(r, −). It also follows that since there are n − f correct processes that execute send(first, r, −) at line 12, no correct process remains blocked forever at the wait statement at line 13, and executes round r until the end, concluding the proof. Q Lemma C.2 (Lemma 4.2 of Section 4) For all r > 0, every process p that executes round r p until the end, and every process q that executes round r +1 until the end, deliveredr is a prefix q of deliveredr+1. Proof (sketch): Assume p executed round r until the end. Then, p received at line 13 p n − f messages of the type (first, r, v), and from lines 16 and 19, allSeqp and deliveredr are prefixes of v. Since there are n − f processes that execute send(first, r, v), and f < n/3, for p every process u that executes lines 14–15, we have that allSeqp and deliveredr are prefixes of estimater , where estimater is the value of estimateu right after process u executes line 14–15. u u Let q be a process that executes line 13 of round r + 1. Then q receives n − f messages of the type (first,r + 1, vj), where vj = estimater , and so, allSeqp and deliveredr are prefixes of u p
Lemma 4. .8. Suppose that less than an fAV-fraction of the parties is dishonest and all honest parties input v to ΠHBA. Further, suppose that no honest party outputs in ΠHBA at time tj < tout. Then every honest party outputs v in ΠHBA at time tout + ∆ + tSBA.
Lemma 4. 22. Suppose that less than nfAV parties are dishonest and all honest parties input v to ΠETHBA. Further, suppose that no honest party outputs in ΠETHBA at time tr < tout. Then every honest party outputs v in ΠETHBA at time tout + tSBC + tSBA + ∆.
Lemma 4. 10. For all θ ∈ R, Ique(θ) = − lim log Pξ(X = [θt♩) (4.62) t→∞ t 0 t exists, is finite and is constant ξ-a.s.
Lemma 4. 1.11. Let M be an A-module equipped with two discrete filtra- tions GiM ⊂ FiM. Equip each gri (M ) with the filtration induced by G and suppose that each gri (grj (M )) is A-projective of finite constant rank. Then
Lemma 4. 1. If D 1 commutes with T we have that: 1 T T = U Λ 2 U (10) 1 T−1 = U Λ− 2 UT (11) 1 1 D− MD− = U ΛUT (12) 1 1 where U ΛUT is the eigenvalue decomposition of D− 2 MD− 2 (i.e. U is some orthogonal matrix and Λ is a diagonal positive definite matrix). A detailed discussion of when the commutativity as- sumption is satisfied is included in Appendix B. The proof of the previous Lemma can be find in Appendix C.1. ^ ^ ^ ^T = U Λ U Note that we could use Lemma 4.1 to estimate T as fol- lows: where U^ Λ^M U^ T is the eigenvalue decomposition of M 2 T (13) a homogeneous, i.e. they have the same noise transition ma- trix T , and to build the final dataset we decide to randomly select the label of one of the annotators we have that Γ = T . D− 1 M^D− 1 . However such estimate can result in matri- ces that are not doubly stochastic, or diagonally dominant due to estimation errors. A more accurate estimate of T could be obtained as T = π(U ΛM U ) where π is a projec- With probability at least 1 − δ: ^ ^ ^ 2 ^ T ||T − T||2 ≤ ln 2n
Lemma 4. 2 If all honest parties start with same input m, then all the parties will agree on CORE, |CORE| ≥ 2t+l.
Lemma 4. 5. Let β < 1/3 and assume the existence of PRF and βn-secure SRDS in the bare- PKI model (resp., trusted-PKI model). Then, protocol πba is a βn-resilient BA protocol in the (ƒae-comm, ƒba, ƒct, ƒaggr-sig)-hybrid model such that: • The round complexity and the locality of the protocol are polylog(n); the number of bits commu- nicated by each party is polylog(n) · poly(n). { } • The adversary can adaptively corrupt the parties based on the public setup of the SRDS, i.e., pp and vk1,1, . . . , vkn,z before the onset of the protocol. For bare PKI, the adversary can additionally replace the corrupted parties’ public keys. The proof of Lemma 4.5 can be found in Appendix B.1.
