
On the Round Complexity of Randomized Byzantine Agreement

  • Research Article
  • Journal of Cryptology

Abstract

We prove lower bounds on the round complexity of randomized Byzantine agreement (BA) protocols, bounding the halting probability of such protocols after one and two rounds. In particular, we prove that:

  1. BA protocols resilient against n/3 [resp., n/4] corruptions terminate (under attack) at the end of the first round with probability at most o(1) [resp., \(1/2+ o(1)\)].

  2. BA protocols resilient against a fraction of corruptions greater than 1/4 terminate at the end of the second round with probability at most \(1-\Theta (1)\).

  3. For a large class of protocols (including all BA protocols used in practice) and under a plausible combinatorial conjecture, BA protocols resilient against a fraction of corruptions greater than 1/3 [resp., 1/4] terminate at the end of the second round with probability at most o(1) [resp., \(1/2 + o(1)\)].

The above bounds hold even when the parties use a trusted setup phase, e.g., a public-key infrastructure (PKI). The third bound essentially matches the recent protocol of Micali (ITCS’17) that tolerates up to n/3 corruptions and terminates at the end of the third round with constant probability.


Notes

  1. A pseudorandom function that provides a non-interactively verifiable proof for the correctness of its output.

  2. Unlike the aforementioned protocols that use “simple” preprocess and “light-weight” cryptographic tools, the protocol of Rabin [66] uses a heavy, per execution, setup phase (consisting of Shamir sharing of a random coin for every potential round) that we do not know how to cast as a public-randomness protocol.

  3. When considering locally consistent adversaries, the impossibility of BA for \(t\ge n/3\) does not apply.

  4. The attack holds even without assuming Conjecture 1.5 when considering strongly adaptive corruptions [40], in which an adversary sees all messages sent by honest parties in any given round and, based on the messages’ content, decides whether to corrupt a party (and alter its message or sabotage its delivery) or not. Similarly, the conjecture is not required if each party is limited to tossing a single unbiased coin. These extensions are not formally proved in this paper.

  5. We remark that it is rather easy to show that \(\delta \ge 2^{-n}\), which is not good enough for our purposes.

  6. The alphabet \(\Sigma \) is not necessarily Boolean, and there are a couple of subtleties in defining balls.

  7. In the above, we have chosen to ignore a crucial subtlety. In an execution of the protocol, it may be the case that there is a suitable message (according to \({ \varvec{v}}_0\) or \({ \varvec{v}}_1\)) to prevent halting, yet the adversary cannot determine which one to send. In further sections, we address this issue by taking a random partition of \({\overline{{\mathcal {C}}}}\) (rather than an arbitrary one). By doing so, we introduce an error-term of \(1/2^{n-t}\) when we upper bound the halting probability \(\gamma \).

  8. In Sect. 2.2, halting was close to 1 and thus the randomness was necessarily ambiguous regarding the output.

  9. In the jargon of Boolean functions analysis, since every large set has a o(n)-size index-set of influence almost one, it follows that some projection on a constant fraction of indices is almost full.

  10. A more general definition would allow the parameter \(\alpha \) (and the parameters \(\beta ,\gamma \) below) to depend on the protocol’s security parameter. But in this paper we focus on the case that \(\alpha \) is a fixed value.

References

  1. I. Abraham, T.H. Chan, D. Dolev, K. Nayak, R. Pass, L. Ren, E. Shi, Communication complexity of Byzantine agreement, revisited, in Proceedings of the 38th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 317–326 (2019)

  2. I. Abraham, S. Devadas, D. Dolev, K. Nayak, L. Ren, Synchronous Byzantine agreement with expected O(1) rounds, expected \(O(n^2)\) communication, and optimal resilience, in Financial Cryptography and Data Security (2019)

  3. H. Attiya, K. Censor, Tight bounds for asynchronous randomized consensus. J. ACM, 55(5):20:1–20:26 (2008)

  4. H. Attiya, K. Censor-Hillel, Lower bounds for randomized consensus under a weak adversary. SIAM J. Comput. 39(8):3885–3904 (2010)


  5. Z. Bar-Joseph, M. Ben-Or, A tight lower bound for randomized synchronous consensus, in Proceedings of the 17th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 193–199 (1998)

  6. M. Ben-Or, Another advantage of free choice: completely asynchronous agreement protocols (extended abstract), in Proceedings of the 2nd Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 27–30 (1983)

  7. M. Ben-Or, N. Linial, Collective coin flipping, robust voting schemes and minima of Banzhaf values, in Proceedings of the 26th Annual Symposium on Foundations of Computer Science (FOCS), pp. 408–416 (1985)

  8. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), pp. 1–10 (1988)

  9. M. Ben-Or, E. Pavlov, V. Vaikuntanathan, Byzantine agreement in the full-information model in O(log n) rounds, in Proceedings of the 38th Annual ACM Symposium on Theory of Computing (STOC), pp. 179–186 (2006)

  10. E. Ben-Sasson, A. Chiesa, M. Green, E. Tromer, M. Virza, Secure sampling of public parameters for succinct zero knowledge proofs, in IEEE Symposium on Security and Privacy, pp. 287–304 (2015)

  11. M. Blum, P. Feldman, S. Micali, Non-interactive zero-knowledge and its applications (extended abstract), in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), pp. 103–112 (1988)

  12. J. Bourgain, J. Kahn, G. Kalai, Influential coalitions for Boolean functions, in CoRR, 2014. arXiv:1409.3033

  13. S. Bowe, A. Gabizon, M.D. Green, A multi-party protocol for constructing the public parameters of the Pinocchio zk-SNARK, in Financial Cryptography and Data Security (FC), pp. 64–77 (2018)

  14. E. Boyle, R. Cohen, A. Goel, Breaking the \(O(\sqrt{n})\)-bit barrier: Byzantine agreement with polylog bits per party, in Proceedings of the 40th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 319–330 (2021)

  15. G. Bracha, An asynchronous \(\lfloor (n-1)/3\rfloor \)-resilient consensus protocol, in Proceedings of the 3rd Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 154–162 (1984)

  16. M. Castro, B. Liskov, Practical Byzantine fault tolerance, in Proceedings of the Third USENIX Symposium on Operating Systems Design and Implementation (OSDI), pp. 173–186 (1999)

  17. D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), pp. 11–19 (1988)

  18. J. Chen, S. Micali, Algorand, in CoRR, 2016. arXiv:1607.01341

  19. B. Chor, B.A. Coan, A simple and efficient randomized Byzantine agreement algorithm, in Fourth Symposium on Reliability in Distributed Software and Database Systems, SRDS, pp. 98–106 (1984)

  20. B. Chor, M. Merritt, D.B. Shmoys, Simple constant-time consensus protocols in realistic failure models. J. ACM, 36(3):591–614 (1989)


  21. R. Cohen, S. Coretti, J.A. Garay, V. Zikas, Probabilistic termination and composability of cryptographic protocols, in Advances in Cryptology – CRYPTO 2016, part III, pp. 240–269 (2016)

  22. R. Cohen, S. Coretti, J. Garay, V. Zikas, Round-preserving parallel composition of probabilistic-termination cryptographic protocols, in Proceedings of the 44th International Colloquium on Automata, Languages, and Programming (ICALP), pp. 37:1–37:15 (2017)

  23. R. Cohen, I. Haitner, N. Makriyannis, M. Orland, A. Samorodnitsky, On the round complexity of randomized Byzantine agreement, in Proceedings of the 33rd International Symposium on Distributed Computing (DISC), pp. 12:1–12:17 (2019)

  24. D. Dolev, R. Strong, Authenticated algorithms for Byzantine agreement. SIAM J. Comput. 12(4):656–666 (1983)


  25. D. Dolev, R. Reischuk, H.R. Strong, Early stopping in Byzantine agreement. J. ACM, 37(4):720–741 (1990)


  26. P. Feldman, S. Micali, An optimal probabilistic protocol for synchronous Byzantine agreement. SIAM J. Comput. 26(4):873–933 (1997)


  27. M.J. Fischer, N.A. Lynch, A lower bound for the time to assure interactive consistency. Inf. Process. Lett. 14(4):183–186 (1982)


  28. M.J. Fischer, N.A. Lynch, M. Merritt, Easy impossibility proofs for distributed consensus problems, in Proceedings of the 23rd Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 59–70 (1985)

  29. M. Fitzi, J.A. Garay, Efficient player-optimal protocols for strong and differential consensus, in Proceedings of the 22nd Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 211–220 (2003)

  30. M. Fitzi, J.B. Nielsen, On the number of synchronous rounds sufficient for authenticated Byzantine agreement, in Proceedings of the 23rd International Symposium on Distributed Computing (DISC), pp. 449–463 (2009)

  31. E. Friedgut, Boolean functions with low average sensitivity depend on few coordinates. Combinatorica 18(1):27–35 (1998)


  32. J.A. Garay, Y. Moses, Fully polynomial Byzantine agreement in t+1 rounds, in Proceedings of the 25th Annual ACM Symposium on Theory of Computing (STOC), pp. 31–41 (1993)

  33. J.A. Garay, J. Katz, C. Koo, R. Ostrovsky, Round complexity of authenticated broadcast with a dishonest majority, in Proceedings of the 48th Annual Symposium on Foundations of Computer Science (FOCS), pp. 658–668 (2007)

  34. R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Secure distributed key generation for discrete-log based cryptosystems, in Advances in Cryptology – EUROCRYPT ’99, pp. 295–310 (1999)

  35. Y. Gilad, R. Hemo, S. Micali, G. Vlachos, N. Zeldovich, Algorand: Scaling Byzantine agreements for cryptocurrencies, in Proceedings of the 26th Symposium on Operating Systems Principles (SOSP), pp. 51–68 (2017)

  36. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC), pp. 218–229 (1987)

  37. O. Goldreich, S. Goldwasser, N. Linial, Fault-tolerant computation in the full information model. SIAM J. Comput. 27(2):506–544 (1998)


  38. S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2):281–308 (1988)


  39. S. Goldwasser, E. Pavlov, V. Vaikuntanathan, Fault-tolerant distributed computing in full-information networks, in Proceedings of the 47th Annual Symposium on Foundations of Computer Science (FOCS), pp. 15–26 (2006)

  40. S. Goldwasser, Y.T. Kalai, S. Park, Adaptively secure coin-flipping, revisited, in Proceedings of the 42nd International Colloquium on Automata, Languages, and Programming (ICALP), part II, pp. 663–674 (2015)

  41. J. Groth, R. Ostrovsky, A. Sahai, New techniques for noninteractive zero-knowledge. J. ACM 59(3):11:1–11:35 (2012)

  42. V. Hadzilacos, Connectivity requirements for Byzantine agreement under restricted types of failures. Distrib. Comput. 2(2):95–103 (1987)


  43. D. Hofheinz, T. Jager, Verifiable random functions from standard assumptions, in Proceedings of the 13th Theory of Cryptography Conference, TCC 2016-A, part I, pp. 336–362 (2016)

  44. J. Kahn, G. Kalai, N. Linial, The influence of variables on Boolean functions (extended abstract), in Proceedings of the 29th Annual Symposium on Foundations of Computer Science (FOCS), pp. 68–80 (1988)

  45. B.M. Kapron, D. Kempe, V. King, J. Saia, V. Sanwalani, Fast asynchronous Byzantine agreement and leader election with full information, in Proceedings of the Nineteenth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA, pp. 1038–1047 (2008)

  46. A.R. Karlin, A.C. Yao, Probabilistic lower bounds for Byzantine agreement and clock synchronization. Unpublished manuscript (1984)

  47. J. Katz, C. Koo, On expected constant-round protocols for Byzantine agreement, in Advances in Cryptology – CRYPTO 2006, pp. 445–462 (2006)


  48. V. King, J. Saia, Byzantine agreement in polynomial expected time: [extended abstract], in Proceedings of the 45th Annual ACM Symposium on Theory of Computing (STOC), pp. 401–410 (2013)

  49. J. Kubiatowicz, D. Bindel, Y. Chen, S.E. Czerwinski, P.R. Eaton, D. Geels, R. Gummadi, S.C. Rhea, H. Weatherspoon, W. Weimer, C. Wells, B.Y. Zhao, OceanStore: An architecture for global-scale persistent storage, in ASPLOS-IX Proceedings of the 9th International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 190–201 (2000)

  50. L. Lamport, R.E. Shostak, M.C. Pease, The Byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3):382–401 (1982)


  51. A.B. Lewko, The contest between simplicity and efficiency in asynchronous Byzantine agreement, in Proceedings of the 25th International Symposium on Distributed Computing (DISC), pp. 348–362 (2011)

  52. A.B. Lewko, M. Lewko, On the complexity of asynchronous agreement against powerful adversaries, in Proceedings of the 32nd Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 280–289 (2013)

  53. Y. Lindell, A. Lysyanskaya, T. Rabin, On the composition of authenticated Byzantine agreement. J. ACM, 53(6):881–917 (2006)


  54. S. Micali, Very simple and efficient Byzantine agreement, in Proceedings of the 8th Annual Innovations in Theoretical Computer Science (ITCS) conference, pp. 6:1–6:1 (2017)

  55. S. Micali, V. Vaikuntanathan, Optimal and player-replaceable consensus with an honest majority. Unpublished manuscript (2017)

  56. S. Micali, M.O. Rabin, S.P. Vadhan, Verifiable random functions, in Proceedings of the 40th Annual Symposium on Foundations of Computer Science (FOCS), pp. 120–130 (1999)

  57. E. Mossel, R. O’Donnell, O. Regev, J.E. Steif, B. Sudakov, Non-interactive correlation distillation, inhomogeneous Markov chains, and the reverse Bonami–Beckner inequality. Israel J. Math. 154(1):299–336 (2006)


  58. E. Mossel, K. Oleszkiewicz, A. Sen, On reverse hypercontractivity. Geom. Funct. Anal. 23(3):1062–1097 (2013)


  59. G. Neiger, S. Toueg, Automatically increasing the fault-tolerance of distributed algorithms. J. Algorithms 11(3):374–419 (1990)


  60. R. O’Donnell, Analysis of Boolean Functions (Cambridge University Press, Cambridge, 2014)


  61. R. Pass, E. Shi, Hybrid consensus: Efficient consensus in the permissionless model, in Proceedings of the 31st International Symposium on Distributed Computing (DISC), pp. 39:1–39:16 (2017)

  62. R. Pass, E. Shi, Thunderella: Blockchains with optimistic instant confirmation, in Advances in Cryptology – EUROCRYPT 2018, part II, pp. 3–33 (2018)

  63. M.C. Pease, R.E. Shostak, L. Lamport, Reaching agreement in the presence of faults. J. ACM 27(2):228–234 (1980)


  64. T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in Advances in Cryptology – CRYPTO ’91, pp. 129–140 (1991)

  65. B. Pfitzmann, M. Waidner, Unconditional Byzantine agreement for any number of faulty processors, in Proceedings of the 9th Annual Symposium on Theoretical Aspects of Computer Science (STACS), pp. 339–350 (1992)

  66. M.O. Rabin, Randomized Byzantine generals, in Proceedings of the 24th Annual Symposium on Foundations of Computer Science (FOCS), pp. 403–409 (1983)

  67. M. Santha, U.V. Vazirani, Generating quasi-random sequences from slightly-random sources (extended abstract), in Proceedings of the 25th Annual Symposium on Foundations of Computer Science (FOCS), pp. 434–440 (1984)

  68. R. Turpin, B.A. Coan, Extending binary Byzantine agreement to multivalued Byzantine agreement. Inf. Process. Lett. 18(2):73–76 (1984)


  69. A.C. Yao, Protocols for secure computations (extended abstract), in Proceedings of the 23rd Annual Symposium on Foundations of Computer Science (FOCS), pp. 160–164 (1982)


Acknowledgements

We would like to thank Rotem Oshman, Juan Garay, Ehud Friedgut, and Elchanan Mossel for very helpful discussions.

Corresponding author

Correspondence to Ran Cohen.

Additional information

Communicated by Alon Rosen.


A preliminary version of this work appeared in DISC’19 [23].

Ran Cohen: Research supported in part by NSF Grant No. 2055568. Some of this work was done while the author was a post-doc at Tel Aviv University, supported by ERC starting Grant 638121.

Iftach Haitner: Member of the Check Point Institute for Information Security. Research supported by Israel Science Foundation Grant 666/19. Research supported by ERC starting Grant 638121.

Nikolaos Makriyannis: This work was done while the author was a post-doc at Technion, supported by ERC advanced Grant 742754. Research supported by ERC starting Grant 638121.

Matan Orland: Research supported by ERC starting Grant 638121.

Alex Samorodnitsky: Research partially supported by ISF Grant 1724/15.

Appendix A: Locally Consistent Security to Malicious Security

In this section, we formally state and prove Theorem 1.6 and show how to compile any BA protocol that is secure against locally consistent adversaries into a protocol that is secure against malicious adversaries. That is, we prove the following theorem:

Theorem A.1

(Theorem 1.6, restated) Let \(\Pi \) be a \((t,\alpha ,\beta ,q,\gamma )\)-\(\mathsf {BA}\) against locally consistent adversaries for \(q=O(\log {n})\) and assume the existence of verifiable random functions and existentially unforgeable digital signatures under an adaptive chosen-message attack. Then,

  1. Assuming in addition the existence of non-interactive zero-knowledge proofs, there exists a ppt protocol-compiler \(\mathsf {Comp}(\cdot )\) such that \(\Pi '=\mathsf {Comp}(\Pi )\) is a \((t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa ))\)-\(\mathsf {BA}\) in the PKI model, resilient to malicious adversaries.

  2. There exists a ppt protocol-compiler \(\mathsf {Comp}_\mathsf {PR}(\cdot )\) such that if \(\Pi \) is a public-randomness protocol, then \(\Pi '=\mathsf {Comp}_\mathsf {PR}(\Pi )\) is a \((t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa ))\)-\(\mathsf {BA}\) in the PKI model, resilient to malicious adversaries.

In Sect. A.1, we define the cryptographic primitives used in the compiler, and in Sect. A.2, we construct the compiler and prove its security.

A.1 Preliminaries

The compiler makes use of verifiable random functions (VRF) [56], digital signatures, and non-interactive zero-knowledge proofs, as defined below.

A.1.1 Verifiable Random Functions

We follow the definition of VRF from [43].

Definition A.2

(VRF) A verifiable random function is a tuple of polynomial-time algorithms \(\Pi =(\mathsf {VRF.Gen},\mathsf {VRF.Eval},\mathsf {VRF.Verify})\) of the following form.

  • \(\mathsf {VRF.Gen}(1^\kappa )\rightarrow ( sk , vk )\). On input the security parameter, the key-generation algorithm outputs a secret key \( sk \) and a public verification key \( vk \).

  • \(\mathsf {VRF.Eval}( sk ,x)\rightarrow (y,\pi )\). On input the secret key and an input \(x\in \{0,1\}^\kappa \), the evaluation algorithm outputs a value \(y\in {\mathcal {S}}\) (for a finite set \({\mathcal {S}}\)) and a proof \(\pi \).

  • \(\mathsf {VRF.Verify}( vk ,x,y,\pi )\rightarrow b\). On input the verification key, an input \(x\in \{0,1\}^\kappa \), an output \(y\in {\mathcal {S}}\), and a proof \(\pi \), the deterministic verification algorithm outputs a bit \(b\in \{0,1\}\).

We require the following properties:

  • Correctness. For \(( sk , vk )\leftarrow \mathsf {VRF.Gen}(1^\kappa )\) and \(x\in \{0,1\}^\kappa \) it holds that if \((y,\pi )\leftarrow \mathsf {VRF.Eval}( sk ,x)\) then \(\mathsf {VRF.Verify}( vk ,x,y,\pi )=1\).

  • Unique provability. For all strings \(( sk , vk )\) (not necessarily generated by \(\mathsf {VRF.Gen}\)) and all \(x\in \{0,1\}^\kappa \), there exists no \((y_0,\pi _0,y_1,\pi _1)\) such that \(y_0\ne y_1\) and \(\mathsf {VRF.Verify}( vk ,x,y_0,\pi _0)=\mathsf {VRF.Verify}( vk ,x,y_1,\pi _1)=1\).

  • Pseudorandomness. For any ppt adversary \(\mathsf {A} =(\mathsf {A} _1,\mathsf {A} _2)\) it holds that

    $$\begin{aligned} \left| \Pr _{}\left[ \mathsf {Expt} ^\mathsf {VRF} _{\Pi ,\mathsf {A}}(\kappa )=1\right] -\frac{1}{2}\right| \le {\text {neg}}(\kappa ), \end{aligned}$$

    for the experiment \(\mathsf {Expt} ^\mathsf {VRF} \) defined below:

\(\mathsf {Expt} ^\mathsf {VRF} _{\Pi ,\mathsf {A}}(\kappa )\):

  1. \(( sk , vk )\leftarrow \mathsf {VRF.Gen}(1^\kappa )\).

  2. \((x^*,\mathsf{state})\leftarrow \mathsf {A} _1^{{\mathcal {O}}_\mathsf {eval} (\cdot )}( vk )\).

  3. \((y_0,\pi )\leftarrow \mathsf {VRF.Eval}( sk ,x^*)\).

  4. \(y_1\leftarrow _R {\mathcal {S}}\).

  5. \(b\leftarrow _R \{0,1\}\).

  6. \(b'\leftarrow \mathsf {A} _2^{{\mathcal {O}}_\mathsf {eval} (\cdot )}(\mathsf{state},y_b)\).

  7. Return 1 if and only if \(b=b'\) and \(\mathsf {A} \) didn’t query \(x^*\).

The oracle \({\mathcal {O}}_\mathsf {eval} (x)\) computes \((y,\pi )\leftarrow \mathsf {VRF.Eval}( sk ,x)\) and returns \((y,\pi )\).

A.1.2 Digital Signatures

We consider the standard notion of existentially unforgeable signatures under an adaptive chosen-message attack [38].

Definition A.3

(Digital signatures) A digital signature scheme is a tuple of polynomial-time algorithms \(\Pi =(\mathsf {DS.Gen},\mathsf {DS.Sign},\mathsf {DS.Verify})\) of the following form.

  • \(\mathsf {DS.Gen}(1^\kappa )\rightarrow ( sk , vk )\). On input the security parameter, the key-generation algorithm outputs a secret signing key \( sk \) and a public verification key \( vk \).

  • \(\mathsf {DS.Sign}( sk ,m)\rightarrow \sigma \). On input the signing key and a message m, the signing algorithm outputs a signature \(\sigma \).

  • \(\mathsf {DS.Verify}( vk ,m,\sigma )\rightarrow b\). On input the verification key, a message m, and a signature \(\sigma \), the deterministic verification algorithm outputs a bit \(b\in \{0,1\}\).

We require the following properties:

  • Correctness. For \(( sk , vk )\leftarrow \mathsf {DS.Gen}(1^\kappa )\) and a message m it holds that if \(\sigma \leftarrow \mathsf {DS.Sign}( sk ,m)\) then \(\mathsf {DS.Verify}( vk ,m,\sigma )=1\).

  • Existentially unforgeable under an adaptive chosen-message attack. For any ppt adversary \(\mathsf {A} \) it holds that

    $$\begin{aligned} \left| \Pr _{}\left[ \mathsf {Expt} ^\mathsf {Sig} _{\Pi ,\mathsf {A}}(\kappa )=1\right] \right| \le {\text {neg}}(\kappa ), \end{aligned}$$

    for the experiment \(\mathsf {Expt} ^\mathsf {Sig} \) defined below:

\(\mathsf {Expt} ^\mathsf {Sig} _{\Pi ,\mathsf {A}}(\kappa )\):

  1. \(( sk , vk )\leftarrow \mathsf {DS.Gen}(1^\kappa )\).

  2. \((m,\sigma )\leftarrow \mathsf {A} ^{{\mathcal {O}}_\mathsf {sign} (\cdot )}( vk )\).

  3. Return 1 if and only if \(\mathsf {DS.Verify}( vk ,m,\sigma )=1\) and \(\mathsf {A} \) didn’t query m.

The oracle \({\mathcal {O}}_\mathsf {sign} (m)\) computes \(\sigma \leftarrow \mathsf {DS.Sign}( sk ,m)\) and returns \(\sigma \).
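The two experiments above, \(\mathsf {Expt} ^\mathsf {VRF} \) with its \({\mathcal {O}}_\mathsf {eval} \) oracle and \(\mathsf {Expt} ^\mathsf {Sig} \) with its \({\mathcal {O}}_\mathsf {sign} \) oracle, as runnable games in Python. This is an added example, not code from the paper, which fixes no instantiation: both primitives are instantiated with a toy RSA full-domain-hash construction (an RSA-FDH-VRF in the style of RFC 9381, and RSA-FDH signatures) over constructed 48-bit primes, far too small for real use, so that the games execute offline. All names (rsa_gen, vrf_eval, expt_vrf, expt_sig, replay_vrf_a1, ...) are mine. What the definitions hide in the clause "\(\mathsf {A} \) didn’t query \(x^*\)" / "didn’t query m" is bookkeeping: the oracle records every query, and an adversary that merely replays an oracle answer scores 0.

```python
import hashlib
import secrets

# Toy RSA-FDH instantiation with constructed, insecure 48-bit primes; it exists only so the
# experiments below can run (the paper fixes no instantiation).
_E = 65537

def _is_probable_prime(n, rounds=24):
    # Miller-Rabin for odd n; adequate for toy key generation
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, exactly `bits` long
        if c % _E != 1 and _is_probable_prime(c):            # keeps gcd(e, p - 1) = 1
            return c

def rsa_gen(bits=48):
    # returns (sk, vk) = ((n, d), (n, e))
    p, q = _rand_prime(bits), _rand_prime(bits)
    while q == p:
        q = _rand_prime(bits)
    n = p * q
    return (n, pow(_E, -1, (p - 1) * (q - 1))), (n, _E)

def _fdh(tag, data, n):
    # full-domain hash into Z_n, domain-separated by tag
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % n

def _vrf_out(pi):
    return hashlib.sha256(b"vrf-out" + pi.to_bytes(16, "big")).digest()  # y in S = {0,1}^256

# VRF = (Gen, Eval, Verify): pi is the e-th root of H(x), which is unique for an honestly
# generated n, and y is derived from pi.  DS = (Gen, Sign, Verify): RSA-FDH signatures.
vrf_gen = ds_gen = rsa_gen

def vrf_eval(sk, x):
    n, d = sk
    pi = pow(_fdh(b"vrf", x, n), d, n)
    return _vrf_out(pi), pi

def vrf_verify(vk, x, y, pi):
    n, e = vk
    return int(0 <= pi < n and pow(pi, e, n) == _fdh(b"vrf", x, n) and y == _vrf_out(pi))

def ds_sign(sk, m):
    n, d = sk
    return pow(_fdh(b"sig", m, n), d, n)

def ds_verify(vk, m, sigma):
    n, e = vk
    return int(0 <= sigma < n and pow(sigma, e, n) == _fdh(b"sig", m, n))

def expt_vrf(a1, a2, bits=48):
    """Expt^VRF: A_1 gets vk and the Eval oracle and names x*; A_2 must tell the real
    y_0 = Eval(sk, x*) from a uniform y_1. Output 1 only if b' = b and x* was never queried."""
    sk, vk = vrf_gen(bits)
    queried = set()
    def o_eval(x):
        queried.add(x)           # the bookkeeping behind "A didn't query x*"
        return vrf_eval(sk, x)
    x_star, state = a1(vk, o_eval)
    y0, _ = vrf_eval(sk, x_star)
    b = secrets.randbelow(2)
    b_prime = a2(state, (y0, secrets.token_bytes(32))[b], o_eval)
    return int(b == b_prime and x_star not in queried)

def expt_sig(adversary, bits=48):
    """Expt^Sig: A gets vk and the Sign oracle; output 1 only for a valid (m, sigma) on a
    message m that was never queried."""
    sk, vk = ds_gen(bits)
    queried = set()
    def o_sign(m):
        queried.add(m)
        return ds_sign(sk, m)
    m, sigma = adversary(vk, o_sign)
    return int(ds_verify(vk, m, sigma) == 1 and m not in queried)

# Adversaries that only replay oracle answers; the query rule scores them 0.
def replay_vrf_a1(vk, o_eval):
    y, _ = o_eval(b"target")    # querying x* itself disqualifies the adversary
    return b"target", y
def replay_vrf_a2(state, y_b, o_eval):
    return 0 if y_b == state else 1
def replay_sig_adversary(vk, o_sign):
    return b"pay 100", o_sign(b"pay 100")   # valid signature, but on a queried message
```

The range checks `0 <= pi < n` and `0 <= sigma < n` in the verifiers are what makes unique provability hold for this toy: without them, `pi + n` would be a second accepting proof for the same input.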

A.1.3 Non-interactive Zero-Knowledge Proofs

A non-interactive zero-knowledge proof [11] is a single-message protocol that allows a prover to convince a verifier that a certain common statement belongs to a language, without disclosing any additional information. We follow the definition from [41].

Definition A.4

(NIZK) Let \({\mathcal {R}} \) be an \(\text {NP}\)-relation and let \({\mathcal {L}} _{\mathcal {R}} \) be the language consisting of the statements in \({\mathcal {R}} \). A non-interactive zero-knowledge proof system for \({\mathcal {R}} \) is a tuple of polynomial-time algorithms \(\Pi =(\mathsf {NIZK.Gen},\mathsf {NIZK.Prover},\mathsf {NIZK.Verifier})\) of the following form:

  • \(\mathsf {NIZK.Gen}(1^\kappa )\rightarrow \mathsf {crs} \). On input the security parameter, the setup-generation algorithm outputs a common reference string \(\mathsf {crs} \).

  • \(\mathsf {NIZK.Prover}(\mathsf {crs},x,w)\rightarrow \varphi \). On input the \(\mathsf {crs} \), a statement x, and a witness w such that \((x,w)\in {\mathcal {R}} \), the prover algorithm outputs a proof string \(\varphi \).

  • \(\mathsf {NIZK.Verifier}(\mathsf {crs},x,\varphi )\rightarrow b\). On input the \(\mathsf {crs} \), a statement x, and a proof \(\varphi \), the verification algorithm outputs a bit \(b\in \{0,1\}\).

We require the following properties:

  • Correctness. A proof system is complete if an honest prover with a valid witness can convince an honest verifier. For \((x,w)\in {\mathcal {R}} \) it holds that

    $$\begin{aligned} \Pr _{}\left[ \mathsf {NIZK.Verifier}(\mathsf {crs},x,\varphi )=1 \mid \mathsf {crs} \leftarrow \mathsf {NIZK.Gen}(1^\kappa ), \varphi \leftarrow \mathsf {NIZK.Prover}(\mathsf {crs},x,w)\right] =1. \end{aligned}$$
  • Statistical soundness. A proof system is sound if it is infeasible to convince an honest verifier when the statement is false. For all polynomial-size families \(\{x_\kappa \}\) of statements \(x_\kappa \notin {\mathcal {L}} _{\mathcal {R}} \) and all adversaries \(\mathsf {A} \) it holds that

    $$\begin{aligned} \Pr _{}\left[ \mathsf {NIZK.Verifier}(\mathsf {crs},x_\kappa ,\varphi )=1 \mid \mathsf {crs} \leftarrow \mathsf {NIZK.Gen}(1^\kappa ),\ \varphi \leftarrow \mathsf {A} (\mathsf {crs},x_\kappa )\right] \le {\text {neg}}(\kappa ). \end{aligned}$$
  • Computational (adaptive, multi-theorem) zero knowledge. A proof system is zero-knowledge if the proofs do not reveal any information about the witnesses. There exists a polynomial-time simulator \(\mathsf {S} _{\mathsf {nizk}}=(\mathsf {S} _{\mathsf {nizk}}^1, \mathsf {S} _{\mathsf {nizk}}^2)\), where \(\mathsf {S} _{\mathsf {nizk}}^1\) returns a simulated \(\mathsf {crs}\) together with a simulation trapdoor \(\tau \) that enables \(\mathsf {S} _{\mathsf {nizk}}^2\) to simulate proofs without having access to the witness. That is, for every non-uniform polynomial-time adversary \(\mathsf {A} \) it holds that

    $$\begin{aligned}&\bigg |\Pr _{}\left[ \mathsf {A} ^{{\mathsf {P}}_\mathsf {crs} (\cdot ,\cdot )}(\mathsf {crs})=1 \mid \mathsf {crs} \leftarrow \mathsf {NIZK.Gen}(1^\kappa )\right] \\&\qquad -\Pr _{}\left[ \mathsf {A} ^{\mathsf {S} _{\mathsf {crs},\tau }(\cdot ,\cdot )}(\mathsf {crs})= 1 \mid (\mathsf {crs},\tau )\leftarrow \mathsf {S} _{\mathsf {nizk}}^1(1^\kappa )\right] \bigg |\\&\quad \le {\text {neg}}(\kappa ), \end{aligned}$$

    where \(\mathsf {S} _{\mathsf {crs},\tau }(x,w)=\mathsf {S} _{\mathsf {nizk}}^2(\mathsf {crs},\tau ,x)\) for \((x,w)\in {\mathcal {R}} \) and \({\mathsf {P}}_\mathsf {crs} (x,w)=\mathsf {NIZK.Prover}(\mathsf {crs},x,w)\).

A.1.4 Next-Message Functions

An n-party protocol is represented by a set \(\{\mathsf {next-msg}_{i\rightarrow j}\}_{i,j\in [n]}\) of next-message functions, a set \(\{\mathsf {output}_i\}_{i\in [n]}\) of output functions, and a distribution D for generating setup information. Initially, the setup information is sampled as \((\mathsf {setup}_1,\ldots ,\mathsf {setup}_n)\leftarrow D\) and every party \(\mathsf {P} _i\) receives \(\mathsf {setup}_i\) before the protocol begins. The view of a party \(\mathsf {P} _i\) in the \(r\)’th round, denoted \(\textsf {view}_i^r\), consists of: its input bit \(x_i\), its setup information \(\mathsf {setup}_i\), its random coin tosses \(\rho _i=(\rho _i^1,\ldots ,\rho _i^r)\) (where \(\rho _i^{r'}\) are the coins tossed for round \(r'\)) and the incoming messages \((m^{r'}_{1\rightarrow i}, \ldots , m^{r'}_{n\rightarrow i})\) for every \(r'<r\), where \(m^{r'}_{j\rightarrow i}\) is the message received from \(\mathsf {P} _j\) in round \(r'\). Given \(\mathsf {P} _i\)’s view in the \(r\)’th round, the function \(\mathsf {next-msg}_{i\rightarrow j}(\textsf {view}_i^r)\) outputs the message \(m^r_{i\rightarrow j}\) to be sent by \(\mathsf {P} _i\) to \(\mathsf {P} _j\), except for the last round, where it outputs \(\bot \); in that case the output function \(\mathsf {output}_i(\textsf {view}_i^r)\) produces the output value y. Without loss of generality we assume that a message \(m^r_{i\rightarrow j}\) is of the form \((r,i,j,m)\); looking ahead, this will ensure that two messages in the protocol will not have the same signature.

A.1.5 The PKI Model

The compiled protocol is designed to work in the public-key infrastructure (PKI) model, where a trusted third party generates private/public keys for the parties before the protocol begins. In our setting, we will require a PKI for VRF, digital signatures, and \({{\textsf {NIZK}}}\), meaning that the trusted party operates as follows:

  1. For every \(i\in [n]\), compute VRF keys \((\mathsf {sk}^{\mathsf {vrf}}_i,\mathsf {vk}^{\mathsf {vrf}}_i)\leftarrow \mathsf {VRF.Gen}(1^\kappa )\).

  2. For every \(i\in [n]\), compute signature keys \((\mathsf {sk}^{\mathsf {ds}}_i,\mathsf {vk}^{\mathsf {ds}}_i)\leftarrow \mathsf {DS.Gen}(1^\kappa )\).

  3. Compute \(\mathsf {crs} \leftarrow \mathsf {NIZK.Gen}(1^\kappa )\).

  4. Send to every party \(\mathsf {P} _i\) the secret keys \((\mathsf {sk}^{\mathsf {vrf}}_i,\mathsf {sk}^{\mathsf {ds}}_i)\) as well as all the public keys \(\mathsf {crs} \), \((\mathsf {vk}^{\mathsf {vrf}}_1,\ldots ,\mathsf {vk}^{\mathsf {vrf}}_n)\) and \((\mathsf {vk}^{\mathsf {ds}}_1,\ldots ,\mathsf {vk}^{\mathsf {ds}}_n)\).

A.2 The Compiler

Given a protocol that is secure against locally consistent adversaries, the main idea of the compiler is to limit the capabilities of a malicious adversary attacking the compiled protocol to those of a locally consistent one. This is achieved by proving an honest behavior via the cryptographic tools described above (VRF, digital signatures, and NIZK proofs) in a similar way to the GMW compiler [36]. Unlike GMW, where all consistency proofs are carried out over a broadcast channel to ensure a consistent view between the honest parties, in our case the consistency proofs are done over pairwise channels, so they only guarantee local consistency.

We start by defining the NP relations that will be used for the zero-knowledge proofs. Each instance consists of a message between a pair of parties (say from \(\mathsf {P} _i'\) to \(\mathsf {P} _j'\)) and the witness is the internal state of \(\mathsf {P} _i'\) used to generate the message (the input, the random coins, and all incoming messages) along with a “proof of correctness,” i.e., that the random coins were properly generated using the VRF, that the incoming messages that \(\mathsf {P} _i'\) received from every \(\mathsf {P} _k'\) were signed by \(\mathsf {P} _k'\), and in turn were proven to be generated correctly (i.e., that each \(\mathsf {P} _k'\) used the correct random coins generated by the VRF and its incoming messages were signed by the senders). Note that this recursive step in the verification is required for proving locally consistent behaviour, since if both \(\mathsf {P} _i'\) and \(\mathsf {P} _k'\) are corrupt, then \(\mathsf {P} _k'\) can send an arbitrary message to \(\mathsf {P} _i'\) and sign it (in this case the NIZK proof from \(\mathsf {P} _k'\) to \(\mathsf {P} _i'\) will not verify). When \(\mathsf {P} _i'\) sends its message to an honest \(\mathsf {P} _j'\), it is not enough that \(\mathsf {P} _i'\) proves that the messages from \(\mathsf {P} _k'\) are properly signed, but \(\mathsf {P} _i'\) must also prove that \(\mathsf {P} _k'\) provided a NIZK proof asserting that its messages were generated by consistent random coins and correct incoming messages according to the next-message function. For this reason we consider \(q=O(\log {n})\)

The Relation \({\mathcal {R}} ^r_{i\rightarrow j}\). We will consider the following set of NP relations, where for \(i,j\in [n]\) and an integer r, the relation \({\mathcal {R}} ^r_{i\rightarrow j}\) is parametrized by an n-party protocol \(\Pi \) (represented by \(\{\mathsf {next-msg}_{i\rightarrow j}\}_{i,j\in [n]}\) and \(\{\mathsf {output}_i\}_{i\in [n]}\)), a \({{\textsf {VRF}}} \) scheme, a \({{\textsf {DS}}} \) scheme, and a \({{\textsf {NIZK}}}\) scheme, as well as:

  • A vector of VRF verification keys \((\mathsf {vk}^{\mathsf {vrf}}_1,\ldots ,\mathsf {vk}^{\mathsf {vrf}}_n)\).

  • A vector of signature verification keys \((\mathsf {vk}^{\mathsf {ds}}_1,\ldots ,\mathsf {vk}^{\mathsf {ds}}_n)\).

  • A \({{\textsf {NIZK}}}\) common reference string \(\mathsf {crs} \).

The instance consists of a message \((m_{i\rightarrow j}^r,\sigma _{i\rightarrow j}^r,\pi _i^r)\) (the message from \(\mathsf {P} _i\) to \(\mathsf {P} _j\)). The witness consists of:

  • A bit \(x_i\in \{0,1\}\) and a string \(\mathsf {setup}_i\).

  • A vector of random coins \((\rho _i^1,\ldots ,\rho _i^r)\).

  • For \(r'\in [r-1]\) and \(k\in [n]\), a message \({ \varvec{m}}^{r'}_{k\rightarrow i}=(m^{r'}_{k\rightarrow i},\sigma ^{r'}_{k\rightarrow i},\pi ^{r'}_k,\varphi _{k\rightarrow i}^{r'})\) (\(\mathsf {P} _i\)’s incoming messages).

The instance/witness pair is in the relation \({\mathcal {R}} ^r_{i\rightarrow j}\) if the following holds:

  1. For every \(r'\in [r]\) it holds that \(\mathsf {VRF.Verify}(\mathsf {vk}^{\mathsf {vrf}}_i,(i,r'),\rho _i^{r'},\pi _i^{r'})=1\).

  2. \(\mathsf {DS.Verify}(\mathsf {vk}^{\mathsf {ds}}_i,m^r_{i\rightarrow j},\sigma ^r_{i\rightarrow j})=1\).

  3. For \(r'\in [r-1]\) and \(k\in [n]\) it holds that \(\mathsf {NIZK.Verifier}(\mathsf {crs},(m^{r'}_{k\rightarrow i},\sigma ^{r'}_{k\rightarrow i},\pi _k^{r'}),\varphi _{k\rightarrow i}^{r'})=1\) with respect to the relation \({\mathcal {R}} ^{r'}_{k\rightarrow i}\).

  4. Set \(\textsf {view}_i^1=(x_i,\mathsf {setup}_i,\rho _i^1)\) and for \(1<r'\le r\) set \(\textsf {view}_i^{r'}=(\textsf {view}_i^{r'-1},m_{1\rightarrow i}^{r'-1},\ldots ,m_{n\rightarrow i}^{r'-1},\rho _i^{r'})\). Then, it holds that \(m_{i\rightarrow j}^r=\mathsf {next-msg}_{i\rightarrow j}(\textsf {view}_i^r)\).

The compiled protocol. Having defined the relations \(\{{\mathcal {R}} ^r_{i\rightarrow j}\}\), we are ready to present the compiler that transforms a protocol \(\Pi \) secure against locally consistent adversaries into a maliciously secure one. Initially, in the setup phase, each party receives its setup information for \(\Pi \) in addition to the PKI keys for \({{\textsf {VRF}}} \), digital signatures, and NIZK (as described above). To generate its coins for the \(r\)’th round (along with a proof), party \(\mathsf {P} _i\) evaluates the \({{\textsf {VRF}}} \) over the pair \((i,r)\); next, \(\mathsf {P} _i\) computes the \(r\)’th round messages for \(\Pi \), signs each message, and sends to every other \(\mathsf {P} _j\) the corresponding message, the signature, and the \({{\textsf {VRF}}} \) proof. In addition, \(\mathsf {P} _i\) sends to \(\mathsf {P} _j\) a \({{\textsf {NIZK}}} \) proof for \({\mathcal {R}} ^r_{i\rightarrow j}\), proving that \(\mathsf {P} _i\) behaves consistently towards \(\mathsf {P} _j\).

Let \(\Pi =(\mathsf {P} _1,\ldots ,\mathsf {P} _n)\) be an n-party protocol represented by the set of next-message functions \(\{\mathsf {next-msg}_{i\rightarrow j}\}_{i,j\in [n]}\), the set of output functions \(\{\mathsf {output}_i\}_{i\in [n]}\), and a distribution D for generating setup information. Let \({{\textsf {VRF}}} \) be a verifiable random function, let \({{\textsf {DS}}} \) be a digital signatures scheme, and let \({{\textsf {NIZK}}} \) be a non-interactive zero-knowledge proof scheme. Later on, we will simplify the compiler for the case of public-randomness protocols by removing the need for \({{\textsf {NIZK}}} \).

[Figure: Protocol A.5, the compiled protocol \(\Pi '=\mathsf {Comp}(\Pi )\); image not reproduced]

1.2.1 Security Proof

We prove the security of Protocol A.5 using a sequence of arguments. Given a protocol \(\Pi \) secure against locally consistent adversaries, we first adjust it to use pseudorandom coins computed using a VRF. The new protocol, denoted \(\Pi _1\), remains secure against slightly weaker locally consistent adversaries by the pseudorandomness property of the VRF. Next, we show how to convert any malicious adversary against the compiled protocol \(\Pi '=\mathsf {Comp}(\Pi )\) into a “weak” locally consistent attack against \(\Pi _1\). The proof of the second part of the theorem, concerning public-randomness protocols, follows in similar lines.

Proof of Theorem A.1

We start by proving the first part of the theorem, considering generic protocols, and later focus on public-randomness protocols.

Proof of Item 1 (generic protocols). We prove Item 1 in two steps. Initially, as an intermediate step, we consider a variant of \(\Pi \), denoted \(\Pi _1\), where the parties behave exactly as in \(\Pi \) except that they use a \({{\textsf {VRF}}} \) to compute their random coins for each round. Formally, \(\Pi _1\) is defined in the PKI model, where, in addition to the setup information for \(\Pi \), every party \(\mathsf {P} _i\) receives \(\mathsf {sk}^{\mathsf {vrf}}_i\) and \((\mathsf {vk}^{\mathsf {vrf}}_1,\ldots ,\mathsf {vk}^{\mathsf {vrf}}_n)\) for \((\mathsf {sk}^{\mathsf {vrf}}_i,\mathsf {vk}^{\mathsf {vrf}}_i)\leftarrow \mathsf {VRF.Gen}(1^\kappa )\). During the execution of the protocol, each party \(\mathsf {P} _i\) evaluates \((\rho _i^r,\pi _i^r)\leftarrow \mathsf {VRF.Eval}(\mathsf {sk}^{\mathsf {vrf}}_i,(i,r))\), sets its coins for the \(r\)’th round to \(\rho _i^r\) (instead of a uniformly distributed string), and appends \(\pi _i^r\) to its \(r\)’th round messages. Note that the strings \(\rho _i^r\) are deterministic, so a locally consistent adversary has the power to use arbitrary values instead. To enable a reduction to the security of \(\Pi \), we will explicitly assume that corrupted parties indeed use the honestly generated pseudorandom values \(\rho _i^r\) by evaluating the \({{\textsf {VRF}}}\) on \((i,r)\); we call such a locally consistent adversary \({{\textsf {VRF}}}\)-compliant.

Claim A.6

If \(\Pi \) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent adversaries, then \(\Pi _1\) is a \(\left( t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa )\right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries.

Proof

By assumption, a corrupted \(\mathsf {P} _i\) uses the value \(\rho _i^r\) as its random coins for the \(r\)’th round. Therefore, the only difference between \(\Pi _1\) and \(\Pi \) is the use of pseudorandom strings instead of uniformly distributed strings. The proof follows by the pseudorandomness of the \({{\textsf {VRF}}} \) scheme using a standard hybrid argument. \(\square \)

Next, let \(\mathsf {A} '\) be an adversary attacking \(\Pi '=(\mathsf {P} '_1,\ldots ,\mathsf {P} '_n)\). We will construct an adversary \(\mathsf {A} \) for the protocol \(\Pi _1=(\mathsf {P} _1,\ldots ,\mathsf {P} _n)\). Let \(\mathsf {S} _{\mathsf {nizk}}=(\mathsf {S} _{\mathsf {nizk}}^1,\mathsf {S} _{\mathsf {nizk}}^2)\) be the simulator that is guaranteed for the NIZK scheme. The adversary \(\mathsf {A} \) runs internally a copy of \(\mathsf {A} '\) and proceeds as follows:

  • In the setup phase of \(\Pi _1\), \(\mathsf {A} \) receives the setup string \(\left( \mathsf {setup}_i, \mathsf {sk}^{\mathsf {vrf}}_i,\mathsf {vk}^{\mathsf {vrf}}_1,\ldots ,\mathsf {vk}^{\mathsf {vrf}}_n\right) \) (consisting of the setup for \(\Pi \) and the \({{\textsf {VRF}}}\) keys). Next, \(\mathsf {A}\) samples \((\mathsf {crs},\tau )\leftarrow \mathsf {S} _{\mathsf {nizk}}^1(1^\kappa )\) and \((\mathsf {sk}^{\mathsf {ds}}_i,\mathsf {vk}^{\mathsf {ds}}_i)\leftarrow \mathsf {DS.Gen}(1^\kappa )\) for every \(i\in [n]\), and provides the setup string \(\mathsf {setup}'_i=\Big (\mathsf {setup}_i, \mathsf {sk}^{\mathsf {vrf}}_i,\mathsf {sk}^{\mathsf {ds}}_i, \mathsf {crs},\mathsf {vk}^{\mathsf {vrf}}_1,\ldots ,\mathsf {vk}^{\mathsf {vrf}}_n, \mathsf {vk}^{\mathsf {ds}}_1,\ldots ,\mathsf {vk}^{\mathsf {ds}}_n\Big )\) for every corrupted \(\mathsf {P} '_i\).

  • Upon receiving a message \((m^r_{i \rightarrow j},\pi _i^r)\) from an honest \(\mathsf {P} _i\) to a corrupted \(\mathsf {P} _j\) in the execution of \(\Pi _1\), \(\mathsf {A}\) sends \((m^r_{i \rightarrow j},\sigma ^r_{i \rightarrow j},\pi _i^r, \varphi _{i\rightarrow j}^r)\) to \(\mathsf {A} '\) with \(\sigma _{i\rightarrow j}^r\leftarrow \mathsf {DS.Sign}(\mathsf {sk}^{\mathsf {ds}}_i,m^r_{i \rightarrow j})\) and \(\varphi _{i\rightarrow j}^r\leftarrow \mathsf {S} _{\mathsf {nizk}}^2(\mathsf {crs},\tau ,(m^r_{i \rightarrow j},\sigma ^r_{i \rightarrow j}, \pi _i^r))\).

  • When \(\mathsf {A} \) receives \((m^r_{i \rightarrow j},\sigma ^r_{i \rightarrow j},\pi _i^r,\varphi _{i\rightarrow j}^r)\) from \(\mathsf {A} '\) on behalf of a corrupted \(\mathsf {P} _i'\) to an honest \(\mathsf {P} _j'\) (in the simulated execution of \(\Pi '\)), \(\mathsf {A}\) first verifies that \(\mathsf {NIZK.Verifier}(\mathsf {crs},(m^r_{i \rightarrow j},\sigma ^r_{i \rightarrow j},\pi _i^r),\varphi _{i\rightarrow j}^r)=1\). If the proof is verified, \(\mathsf {A}\) sends the message \((m^r_{i \rightarrow j},\pi _i^r)\) to \(\mathsf {P} _j\) in the protocol \(\Pi _1\); otherwise, \(\mathsf {A}\) considers \(\mathsf {P} _i\) as an aborting party towards \(\mathsf {P} _j\).

We complete the proof in a series of steps, analyzing the attack under increasingly strong power of the adversary \(\mathsf {A} '\), starting from a locally consistent \({{\textsf {VRF}}}\)-compliant attack until reaching a full-blown malicious attack. Initially, we will assume perfect security of the NIZK, and remove this restriction later on.

Claim A.7

Consider a perfect NIZK scheme. If \(\Pi _1\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries, then \(\Pi '\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries.

Proof

If \(\mathsf {A} '\) is a locally consistent \({{\textsf {VRF}}}\)-compliant adversary, then in particular whenever \(\mathsf {A} '\) sends a message on behalf of a corrupted \(\mathsf {P} _i'\), it knows a witness for the \({{\textsf {NIZK}}}\) proof. Therefore, without loss of generality we can assume that either a corrupted \(\mathsf {P} _i'\) does not send a message (i.e., aborts) to an honest \(\mathsf {P} _j'\) or that \(\mathsf {P} _i'\) correctly generates the \({{\textsf {NIZK}}}\) proof. In that case every locally consistent \({{\textsf {VRF}}}\)-compliant attack by \(\mathsf {A} '\) translates to a locally consistent \({{\textsf {VRF}}}\)-compliant attack by \(\mathsf {A} \). \(\square \)

The next claim considers stronger adversaries that are allowed to use arbitrary random coins for computing the next-message function. We will use the following notations: A message sent in \(\Pi '\) is of the form \((m,\sigma ,\pi ,\varphi )\); we call m the content of the message. For a party \(\mathsf {P} _i'\), let \({\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\) denote the set of incoming messages’ contents received from party \(\mathsf {P} _k'\) in round \(r'\) (as this is a locally consistent attack, there could be multiple incoming messages from each corrupted party, but at most one message from each honest party). Let \({\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\) be the set of possible messages’ contents that \(\mathsf {P} _i'\) can send to \(\mathsf {P} _j'\) at round r under a \({{\textsf {VRF}}}\)-compliant locally consistent attack when using a subset of the incoming messages’ contents \(\{{\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\}_{r'<r, k\in [n]}\) and randomness \(\{\rho _i^{r'}\}_{r'\in [r]}\) computed as \((\rho _i^{r'},\pi _i^{r'})\leftarrow \mathsf {VRF.Eval}(\mathsf {sk}^{\mathsf {vrf}}_i,(i,r'))\).

Claim A.8

Consider a perfect NIZK scheme. If \(\Pi _1\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries, then \(\Pi '\) is a \(\left( t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa )\right) \)-\(\mathsf {BA}\) against locally consistent adversaries.

Proof

We prove the claim by showing that the additional power of the adversary only allows for a negligible cheating advantage. Consider a locally consistent adversary \(\mathsf {A} '\) and assume that a corrupted party \(\mathsf {P} _i'\) used arbitrary random coins to generate the message content for party \(\mathsf {P} _j'\) in round r, denoted \({\tilde{m}}_{i\rightarrow j}^r\). There are two possible cases:

Case 1: If \({\tilde{m}}_{i\rightarrow j}^r\in {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), then the adversary can compute a witness for the relation \({\mathcal {R}} ^r_{i\rightarrow j}\). That is, even if the actual coins used to generate \({\tilde{m}}_{i\rightarrow j}^r\) are different from \(\{\rho _i^{r'}\}_{r'\in [r]}\), the message \({\tilde{m}}_{i\rightarrow j}^r\) can be explained as if generated using \(\{\rho _i^{r'}\}_{r'\in [r]}\) consistently with a subset of the incoming messages in \(\{{\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\}_{r'<r, k\in [n]}\). Therefore, without loss of generality this can be cast as a locally consistent \({{\textsf {VRF}}}\)-compliant attack.

Case 2: If \({\tilde{m}}_{i\rightarrow j}^r\notin {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), let \(\{{\tilde{\rho }}_i^{r'}\}_{r'\in [r]}\) be the coins used by \(\mathsf {A} '\) to generate \({\tilde{m}}_{i\rightarrow j}^r\). Then, \({\tilde{\rho }}_i^{r'}\ne \rho _i^{r'}\) for at least one \(r'\). To provide a witness for the relation \({\mathcal {R}} ^r_{i\rightarrow j}\), \(\mathsf {A} '\) must generate \({\tilde{\pi }}_i^{r'}\) such that \(\mathsf {VRF.Verify}(\mathsf {vk}^{\mathsf {vrf}}_i,(i,r'),{\tilde{\rho }}_i^{r'},{\tilde{\pi }}_i^{r'})=1\). By the unique provability property of the VRF, such an attack can only succeed with negligible probability.

\(\square \)

The next claim considers stronger adversaries that are allowed to use arbitrary incoming messages for their next-message function.

Claim A.9

Consider a perfect NIZK scheme. If \(\Pi _1\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries, then \(\Pi '\) is a \(\left( t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa )\right) \)-\(\mathsf {BA}\) against locally consistent adversaries that are allowed to use arbitrary messages’ contents when computing the next-message function.

Proof

Consider an adversary \(\mathsf {A} '\) that behaves in a locally consistent manner but can use arbitrary values as incoming messages. Assume that \(\mathsf {A} '\) is \({{\textsf {VRF}}}\)-compliant and let r be the first round in which \(\mathsf {A} '\) deviates from the protocol with respect to incoming messages. Let \(\mathsf {P} _i'\) be a corrupted party that uses \(\{\tilde{{\mathcal {M}}}_\mathsf {in} ^{r',k\rightarrow i}\}_{r'<r, k\in [n]}\) as its set of incoming messages to generate the message content for party \(\mathsf {P} _j'\) in round r, denoted \({\tilde{m}}_{i\rightarrow j}^r\), and assume that \(\bigcup \tilde{{\mathcal {M}}}_\mathsf {in} ^{r',k\rightarrow i} \nsubseteq \bigcup {\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\). There are two possible cases:

  • Case 1: If \({\tilde{m}}_{i\rightarrow j}^r\in {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), then the adversary can compute a witness for the relation \({\mathcal {R}} ^r_{i\rightarrow j}\). That is, even if \(\bigcup \tilde{{\mathcal {M}}}_\mathsf {in} ^{r',k\rightarrow i} \nsubseteq \bigcup {\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\), the message \({\tilde{m}}_{i\rightarrow j}^r\) can be explained as if generated using a subset of \(\bigcup {\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\). Therefore, without loss of generality this can be cast as a locally consistent attack.

  • Case 2: If \({\tilde{m}}_{i\rightarrow j}^r\notin {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), then to find a witness for the relation \({\mathcal {R}} ^r_{i\rightarrow j}\), \(\mathsf {A} '\) must produce for every message \({\tilde{m}}_{k\rightarrow i}^{r'}\in \bigcup \tilde{{\mathcal {M}}}_\mathsf {in} ^{r',k\rightarrow i} \setminus \bigcup {\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\) a signature \({\tilde{\sigma }}_{k\rightarrow i}^{r'}\), a VRF proof \(\pi _k^{r'}\) and a NIZK proof \({\tilde{\varphi }}_{k\rightarrow i}^{r'}\).

      • If \(\mathsf {P} _k\) is honest, \(\mathsf {A} '\) can find an accepting signature \({\tilde{\sigma }}_{k\rightarrow i}^{r'}\) for \({\tilde{m}}_{k\rightarrow i}^{r'}\) under \(\mathsf {vk}^{\mathsf {ds}}_k\) only with negligible probability (recall that every message \({\tilde{m}}_{k\rightarrow i}^{r'}\) encodes the values \(k,i,r'\); hence, \(\mathsf {A} '\) cannot reuse messages that were signed by \(\mathsf {P} _k\) in other rounds).

      • If \(\mathsf {P} _k\) is corrupted, then in turn it must have provided a valid witness for the relation \({\mathcal {R}} _{k\rightarrow i}^{r'}\). By the minimality of r, it is guaranteed that \({\tilde{m}}_{k\rightarrow i}^{r'-1}\) was honestly generated with respect to the incoming messages of \(\mathsf {P} _k'\) until round \(r'-1\), \(\{\bigcup {\mathcal {M}}_\mathsf {in} ^{r'',k'\rightarrow k}\}_{r''\in [r'-1], k'\in [n]}\). In this case, without loss of generality, the message \({\tilde{m}}_{k\rightarrow i}^{r'}\) could have been sent by the corrupted \(\mathsf {P} _k'\) to the corrupted \(\mathsf {P} _i'\), i.e., be included in the set \({\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\).

The proof of the claim now reduces to considering non-\({{\textsf {VRF}}}\)-compliant adversaries, which follows from Claim A.8. \(\square \)

The next claim considers stronger adversaries that are not required to compute their outgoing messages by the next-message function, but can send arbitrary messages instead.

Claim A.10

Consider a perfect NIZK scheme. If \(\Pi _1\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries, then \(\Pi '\) is a \(\left( t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa )\right) \)-\(\mathsf {BA}\) against malicious adversaries.

Proof

Consider a malicious adversary \(\mathsf {A} '\) and assume that \(\mathsf {A} '\) behaves in a locally consistent and \({{\textsf {VRF}}}\)-compliant manner until round r, i.e., round r is the first round in which \(\mathsf {A} '\) does not compute a message according to the next-message function. Let \(\mathsf {P} _i'\) be a corrupted party that generates the message content for party \(\mathsf {P} _j'\) in round r, denoted \({\tilde{m}}_{i\rightarrow j}^r\), arbitrarily. There are two possible cases:

  • Case 1: If \({\tilde{m}}_{i\rightarrow j}^r\in {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), then the adversary can compute a witness for the relation \({\mathcal {R}} ^r_{i\rightarrow j}\). That is, the message \({\tilde{m}}_{i\rightarrow j}^r\) can be explained as if generated using \(\{\rho _i^{r'}\}_{r'\in [r]}\) consistently with a subset of the incoming messages in \(\{{\mathcal {M}}_\mathsf {in} ^{r',k\rightarrow i}\}_{r'<r, k\in [n]}\) according to the next-message function. Therefore, without loss of generality this can be cast as a locally consistent \({{\textsf {VRF}}}\)-compliant attack.

  • Case 2: If \({\tilde{m}}_{i\rightarrow j}^r\notin {\mathcal {M}}_\mathsf {out} ^{r,i\rightarrow j}\), then \(\mathsf {A} '\) must provide \({\tilde{\sigma }}_{i\rightarrow j}^r\) and \(\pi _i^r\) along with a witness \(\mathsf {wit}_{i\rightarrow j}^r\) consisting of:

      • An input bit \(x_i\) and a string \(\mathsf {setup}_i\).

      • For every \(r'\in [r]\), random coins \(\rho _i^{r'}\).

      • For every \(r'\in [r-1]\) and \(k\in [n]\), a message \({\tilde{{ \varvec{m}}}}_{k\rightarrow i}^{r'}=({\tilde{m}}_{k\rightarrow i}^{r'},{\tilde{\sigma }}_{k\rightarrow i}^{r'},\pi _k^{r'},{\tilde{\varphi }}_{k\rightarrow i}^{r'})\).

    In addition it holds that \((({\tilde{m}}_{i\rightarrow j}^r,{\tilde{\sigma }}_{i\rightarrow j}^r,\pi _i^r),\mathsf {wit}_{i\rightarrow j}^r)\in {\mathcal {R}} ^r_{i\rightarrow j}\). As before, with all but negligible probability it is guaranteed that \(\mathsf {VRF.Verify}(\mathsf {vk}^{\mathsf {vrf}}_i,(i,r),\rho _i^r,\pi _i^r)=1\) and for every honest party \(\mathsf {P} _k'\), \((({\tilde{m}}_{k\rightarrow i}^{r'},{\tilde{\sigma }}_{k\rightarrow i}^{r'},\pi _k^{r'}),{\tilde{\varphi }}_{k\rightarrow i}^{r'})\in {\mathcal {R}} _{k\rightarrow i}^{r'}\). For a corrupted \(\mathsf {P} _k'\), if \((({\tilde{m}}_{k\rightarrow i}^{r'},{\tilde{\sigma }}_{k\rightarrow i}^{r'},\pi _k^{r'}),{\tilde{\varphi }}_{k\rightarrow i}^{r'})\in {\mathcal {R}} _{k\rightarrow i}^{r'}\) then without loss of generality the message could have been sent by \(\mathsf {P} _k'\) to \(\mathsf {P} _i'\). We conclude that with all but negligible probability, the message \({\tilde{m}}_{i\rightarrow j}^r\) can be explained by a locally consistent \({{\textsf {VRF}}}\)-compliant attack.

The proof of the claim now follows from Claim A.9. \(\square \)

Finally, we remove the assumption of a perfect NIZK scheme and consider a NIZK scheme that allows for negligible adversarial advantage, and obtain the following claim.

Claim A.11

If \(\Pi _1\) is a \(\left( t,\alpha ,\beta ,q,\gamma \right) \)-\(\mathsf {BA}\) against locally consistent \({{\textsf {VRF}}}\)-compliant adversaries, then \(\Pi '\) is a \(\left( t,\alpha -{\text {neg}}(\kappa ),\beta -{\text {neg}}(\kappa ),q,\gamma -{\text {neg}}(\kappa )\right) \)-\(\mathsf {BA}\) against malicious adversaries.

This concludes the proof of the first part of the theorem.

Proof of Item 2 (public-randomness protocols). We prove Item 2 of Theorem A.1 by adjusting the compiler \(\mathsf {Comp}\) and removing the use of NIZK proofs. The new compiler \(\mathsf {Comp}_\mathsf {PR}\) is defined like \(\mathsf {Comp}\) except that instead of computing a NIZK proof \(\varphi _{i\rightarrow j}^r\leftarrow \mathsf {NIZK.Prover}(\mathsf {crs}, \mathsf {stat}_{i\rightarrow j}^r, \mathsf {wit}_{i\rightarrow j}^r)\) for the relation \({\mathcal {R}} _{i\rightarrow j}^r\) and sending \(\varphi _{i\rightarrow j}^r\), the sender \(\mathsf {P} _i'\) simply sends the witness \(\mathsf {wit}_{i\rightarrow j}^r\). The receiver \(\mathsf {P} _j'\) can now directly verify that \(\mathsf {wit}_{i\rightarrow j}^r\) is a valid witness. The proof follows immediately from Item 1 of Theorem A.1. \(\square \)
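The relation check (items 1 to 4 of \({\mathcal {R}} ^r_{i\rightarrow j}\)) and the \(\mathsf {Comp}_\mathsf {PR}\) variant just described, where the receiver verifies the witness directly, as an added example that is not the paper's code: a toy Python model in which HMAC under a per-party secret stands in for the VRF and the signature scheme (an assumption, so this checker holds the secrets), with an assumed toy next-message function and constructed keys. It runs two honest rounds among three parties and then shows the checker rejecting the two deviations analysed in Claims A.8 and A.9 (self-chosen coins, and a forged incoming message attributed to an honest party).

```python
import hashlib
import hmac
from dataclasses import dataclass
from itertools import permutations

# Added example, not the paper's code. ASSUMPTION: HMAC under a per-party secret stands in
# for the VRF and the signature scheme, so this checker holds the secrets; a real deployment
# uses public-key VRF/DS with verification keys only. Keys and setups are constructed values.
SK = {i: f"constructed-secret-{i}".encode() for i in (1, 2, 3)}

def vrf_eval(i, r):
    rho = hmac.new(SK[i], f"vrf|{i}|{r}".encode(), hashlib.sha256).digest()
    return rho, rho   # (rho_i^r, pi_i^r) <- VRF.Eval(sk_i, (i, r)); here the proof is the tag itself

def vrf_verify(i, r, rho, pi):
    return hmac.compare_digest(vrf_eval(i, r)[0], rho) and hmac.compare_digest(rho, pi)

def ds_sign(i, m):
    return hmac.new(SK[i], b"sig|" + m, hashlib.sha256).digest()

def ds_verify(i, m, sigma):
    return hmac.compare_digest(ds_sign(i, m), sigma)

@dataclass
class Wit:            # witness of R^r_{i->j}, sent in the clear under Comp_PR
    x: int            # input bit x_i
    setup: bytes      # setup_i
    coins: list       # [(rho_i^1, pi_i^1), ..., (rho_i^r, pi_i^r)]
    incoming: dict    # {(r', k): Msg} for r' in [r-1], k != i

@dataclass
class Msg:            # what P_i sends P_j: content, signature, VRF proof, witness
    m: bytes
    sigma: bytes
    pi: bytes
    wit: Wit

def next_msg(i, j, r, x, setup, rho_r, prev):
    """Toy next-message function (assumption): the content encodes (i, j, r) and digests the view."""
    view = b"|".join([setup, bytes([x]), rho_r] + sorted(prev))
    return f"{i}->{j}@{r}:".encode() + hashlib.sha256(view).hexdigest()[:16].encode()

def verify_relation(i, j, r, msg):
    """Receiver-side check of R^r_{i->j}; item 3 recurses into P_i's incoming messages."""
    w = msg.wit
    if len(w.coins) != r or not all(vrf_verify(i, rp, *w.coins[rp - 1]) for rp in range(1, r + 1)):
        return False                                  # item 1: every round's coins come from the VRF
    if msg.pi != w.coins[r - 1][1] or not ds_verify(i, msg.m, msg.sigma):
        return False                                  # item 2: content signed by P_i
    for rp, k in ((rp, k) for rp in range(1, r) for k in SK if k != i):
        inc = w.incoming.get((rp, k))
        if inc is None or not inc.m.startswith(f"{k}->{i}@{rp}:".encode()):
            return False                              # incoming message missing or misaddressed
        if not verify_relation(k, i, rp, inc):        # item 3: the proof for m_{k->i}^{r'} verifies
            return False
    prev = [w.incoming[(r - 1, k)].m for k in SK if k != i] if r > 1 else []
    return msg.m == next_msg(i, j, r, w.x, w.setup, w.coins[r - 1][0], prev)   # item 4

def honest_msg(i, j, r, x, setup, inbox):
    """P_i's honest round-r message to P_j; inbox maps (round, sender, receiver) -> Msg."""
    coins = [vrf_eval(i, rp) for rp in range(1, r + 1)]
    incoming = {(rp, k): inbox[(rp, k, i)] for rp in range(1, r) for k in SK if k != i}
    prev = [incoming[(r - 1, k)].m for k in SK if k != i] if r > 1 else []
    m = next_msg(i, j, r, x, setup, coins[r - 1][0], prev)
    return Msg(m, ds_sign(i, m), coins[r - 1][1], Wit(x, setup, coins, incoming))

def demo():
    """Two honest rounds, then two deviations by P_2: (honest_ok, coins_rejected, forgery_rejected)."""
    x, setup, inbox = {1: 1, 2: 0, 3: 1}, {i: f"constructed-setup-{i}".encode() for i in (1, 2, 3)}, {}
    for r in (1, 2):
        for i, j in permutations(x, 2):
            inbox[(r, i, j)] = honest_msg(i, j, r, x[i], setup[i], inbox)
    honest_ok = all(verify_relation(i, j, r, msg) for (r, i, j), msg in inbox.items())
    # Claim A.8, case 2: P_2 builds its round-2 message from coins it chose itself.
    fake = hashlib.sha256(b"self-chosen coins").digest()
    inc2 = {(1, k): inbox[(1, k, 2)] for k in (1, 3)}
    m = next_msg(2, 1, 2, x[2], setup[2], fake, [v.m for v in inc2.values()])
    bad_coins = Msg(m, ds_sign(2, m), fake, Wit(x[2], setup[2], [vrf_eval(2, 1), (fake, fake)], inc2))
    # Claim A.9, case 2: P_2 feeds a forged round-1 message "from" honest P_1 into its view.
    forged = Msg(b"1->2@1:forged", ds_sign(2, b"1->2@1:forged"), inbox[(1, 1, 2)].pi, inbox[(1, 1, 2)].wit)
    bad_view = honest_msg(2, 1, 2, x[2], setup[2], {**inbox, (1, 1, 2): forged})
    return honest_ok, not verify_relation(2, 1, 2, bad_coins), not verify_relation(2, 1, 2, bad_view)
```

In the first deviation item 1 fails (the declared coins are not the VRF output for \((2,2)\)); in the second, the recursive check of the forged round-1 message fails item 2, since it is not signed under \(\mathsf {P} _1\)'s key.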


Cohen, R., Haitner, I., Makriyannis, N. et al. On the Round Complexity of Randomized Byzantine Agreement. J Cryptol 35, 10 (2022). https://doi.org/10.1007/s00145-022-09421-7
