Optimal extension protocols for byzantine broadcast and agreement


The problems of Byzantine Broadcast (BB) and Byzantine Agreement (BA) are of interest to both the distributed computing and cryptography communities. Extension protocols for these primitives have been introduced to handle long messages efficiently at the cost of small number of single-bit broadcasts, referred to as seed broadcasts. While the communication optimality has remained the most sought-after property of an extension protocol in the literature, we prioritize both communication and round optimality in this work. In a setting with n parties and a static adversary controlling at most t parties in Byzantine fashion, we present BB and BA extension protocols with \(t<n\), \(t < n/2\) and \(t<n/3\) that are simultaneously optimal in terms of communication and round complexity. The best communication that an extension protocol can achieve in any setting is \(\mathcal {O}(\ell n)\) bits for a message of length \(\ell \) bits. The best achievable round complexity is \(\mathcal {O}(n)\) for the setting \(t< n\) and \(\mathcal {O}(1)\) in the other two settings \(t < n/2\) and \(t<n/3\). The existing constructions are either optimal only in terms of communication complexity, or require more rounds than our protocols, or achieve optimal round complexity at the cost of sub-optimal communication. Specifically, we construct communication-optimal protocols in the three corruption scenarios with the following round complexities:


3 rounds, improving over \(\mathcal {O}(\sqrt{\ell } + n^2)\)


5 rounds, improving over 6


\(\mathcal {O}(n)\) rounds, improving over \(\mathcal {O}(n^2)\)

A concrete protocol from an extension protocol is obtained by replacing the seed broadcasts with a BB protocol for a single bit. Our extension protocols minimize the seed-round complexity and seed-communication complexity. The former refers to the number of rounds in an extension protocol in which seed broadcasts are invoked and impacts the round complexity of a concrete protocol due to a number of sequential calls to bit broadcast. The latter refers to the number of bits communicated through the seed broadcasts and impacts the round and communication complexity due to parallel instances of single-bit broadcast. In the settings of \(t<n/3\), \(t<n/2\) and \(t<n\), our protocols improve the seed-round complexity from \(\mathcal {O}(\sqrt{\ell } + n^2)\) to 1, from 3 to 2 and from \(\mathcal {O}(n^2)\) to \(\mathcal {O}(n)\) respectively. Our protocols keep the seed-communication complexity independent of the message length \(\ell \) and, either improve or keep the complexity almost in the same order compared to the existing protocols.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4


  1. 1.

    In the literature, they are known as multi-valued protocols.


  1. 1.

    Beerliová-Trubíniová, Z., Hirt, M.: Efficient multi-party computation with dispute control. In: Halevi, S., Rabin, T. (eds.) Theory of Cryptography, pp. 305–328. Springer, Berlin (2006)

  2. 2.

    Ben-Or, M., Canetti, R., Goldreich, O.: Asynchronous secure computation. In: Proceedings of the 25th Annual ACM Symposium on Theory of computing, pp. 52–61. ACM (1993)

  3. 3.

    Ben-Or, M., El-Yaniv, R.: Resilient-optimal interactive consistency in constant time. Distrib. Comput. 16(4), 249–262 (2003)

    Article  Google Scholar 

  4. 4.

    Blum, N.: A new approach to maximum matching in general graphs. In: Automata, Languages and Programming, 17th International Colloquium, ICALP90, Warwick University, England, July 16-20, 1990, Proceedings, pp. 586–597 (1990)

  5. 5.

    Braud-Santoni, N., Guerraoui, R., Huc, F.: Fast byzantine agreement. In: Proceedings of the 2013 ACM Symposium on Principles of Distributed Computing, pp. 57–64. ACM (2013)

  6. 6.

    Canetti, R.: Studies in secure multiparty computation and applications. Ph.D. thesis, The Weizmann Institute of Science (1996)

  7. 7.

    Chongchitmate, W., Ostrovsky, R.: Information-theoretic broadcast with dishonest majority for long messages. Cryptology ePrint Archive, Report 2018/829 (2018). https://eprint.iacr.org/2018/829

  8. 8.

    Coan, B.A., Welch, J.L.: Modular construction of a byzantine agreement protocol with optimal message bit complexity. Inform. Comput. 97(1), 61–85 (1992)

    MathSciNet  Article  Google Scholar 

  9. 9.

    Cohen, R., Coretti, S., Garay, J., Zikas, V.: Probabilistic termination and composability of cryptographic protocols. Proceedings. Part III, of the 36th Annual International Cryptology Conference on Advances in Cryptology–CRYPTO 2016-Volume 9816, pp. 240–269. Springer, New York, Inc (2016)

  10. 10.

    Cohen, R., Coretti, S., Garay, J., Zikas, V.: Round-Preserving Parallel Composition of Probabilistic-Termination Cryptographic Protocols. In: 44th International Colloquium on Automata, Languages, and Programming (ICALP 2017), Leibniz International Proceedings in Informatics (LIPIcs), vol. 80, pp. 37:1–37:15 (2017)

  11. 11.

    Cramer, R., Gennaro, R., Schoenmakers, B.: A secure and optimally efficient multi-authority election scheme. In: Fumy, W. (ed.) Advances in Cryptology - EUROCRYPT 1997, pp. 103–118. Springer, Berlin (1997)

    Google Scholar 

  12. 12.

    Dolev, D., Reischuk, R.: Bounds on information exchange for byzantine agreement. J. ACM 32(1), 191–204 (1985)

    MathSciNet  Article  Google Scholar 

  13. 13.

    Dolev, D., Strong, H.R.: Authenticated algorithms for byzantine agreement. SIAM J. Comput. 12(4), 656–666 (1983)

    MathSciNet  Article  Google Scholar 

  14. 14.

    Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)

    MathSciNet  Article  Google Scholar 

  15. 15.

    Feldman, P., Micali, S.: An optimal probabilistic protocol for synchronous byzantine agreement. SIAM J. Comput. 26(4), 873–933 (1997)

    MathSciNet  Article  Google Scholar 

  16. 16.

    Fitzi, M., Hirt, M.: Optimally efficient multi-valued byzantine agreement. In: Proceedings of the 25th Annual ACM Symposium on Principles of Distributed Computing, pp. 163–168. ACM (2006)

  17. 17.

    Ganesh, C., Patra, A.: Broadcast extensions with optimal communication and round complexity. In: Proceedings of the 2016 ACM Symposium on Principles of Distributed Computing, pp. 371–380. ACM (2016)

  18. 18.

    Garay, J., Givens, C., Ostrovsky, R., Raykov, P.: Broadcast (and round) efficient verifiable secret sharing. In: International Conference on Information Theoretic Security, pp. 200–219. Springer (2013)

  19. 19.

    Garay, J., Katz, J., Koo, C.Y., Ostrovsky, R.: Round complexity of authenticated broadcast with a dishonest majority. In: Foundations of Computer Science, 2007. FOCS’07, pp. 658–668. IEEE (2007)

  20. 20.

    Garey, M.R., Johnson, D.S.: Computers and intractability: a guide to the theory of np-completeness, W. H. Freeman & Co, USA (1990)

  21. 21.

    Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computing, pp. 218–229. ACM (1987)

  22. 22.

    Hirt, M., Maurer, U.M., Przydatek, B.: Efficient secure multi-party computation. In: Okamoto, T. (ed.) Advances in Cryptology - ASIACRYPT 2000, 6th International Conference on the Theory and Application of Cryptology and Information Security, Kyoto, Japan, December 3–7, 2000, Proceedings, Lecture Notes in Computer Science, vol. 1976, pp. 143–161. Springer (2000)

  23. 23.

    Hirt, M., Raykov, P.: Multi-valued byzantine broadcast: The \(t<n\) case. In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology–ASIACRYPT 2014, pp. 448–465. Springer (2014)

  24. 24.

    Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) Advances in Cryptology-CRYPTO 2003, pp. 145–161. Springer (2003)

  25. 25.

    Karlin, A., Yao, A.C.C.: Probabilistic lower bounds for byzantine agreement. Tech. rep, Manuscript (1986)

  26. 26.

    Katz, J., Koo, C.: On expected constant-round protocols for byzantine agreement. Adv. Cryptol - CRYPTO 2006, 445–462 (2006)

    MathSciNet  MATH  Google Scholar 

  27. 27.

    Katz, J., Koo, C.Y.: Round-efficient secure computation in point-to-point networks. Adv Cryptolo-EUROCRYPT 2007, 311–328 (2007)

    MathSciNet  MATH  Google Scholar 

  28. 28.

    Katz, J., Koo, C.Y., Kumaresan, R.: Improving the round complexity of vss in point-to-point networks. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) International Colloquium on Automata, Languages, and Programming, pp. 499–510. Springer (2008)

  29. 29.

    King, V., Lonargan, S., Saia, J., Trehan, A.: Load balanced scalable byzantine agreement through quorum building, with full information. In: Distributed Computing and Networking - 12th International Conference, ICDCN 2011, Bangalore, India, January 2–5, 2011. Proceedings, pp. 203–214 (2011)

  30. 30.

    King, V., Saia, J.: From almost everywhere to everywhere: Byzantine agreement with \(\tilde{O}(n^{3/2})\) bits. In: International Symposium on Distributed Computing, pp. 464–478. Springer (2009)

  31. 31.

    King, V., Saia, J.: Breaking the \(o(n^2)\) bit barrier: scalable byzantine agreement with an adaptive adversary. J. ACM (JACM) 58(4), 18 (2011)

    Article  Google Scholar 

  32. 32.

    King, V., Saia, J., Sanwalani, V., Vee, E.: Scalable leader election. In: Proceedings of the 17th Annual ACM-SIAM Symposium on Discrete Algorithm, pp. 990–999. Society for Industrial and Applied Mathematics (2006)

  33. 33.

    Lamport, L., Fischer, M.: Byzantine generals and transaction commit protocols. Tech. rep., Technical Report 62, SRI International (1982). https://lamport.azurewebsites.net/pubs/trans.pdf

  34. 34.

    Liang, G., Vaidya, N.: Error-free multi-valued consensus with byzantine failures. In: Proceedings of the 30th Annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, pp. 11–20. ACM (2011)

  35. 35.

    Lindell, Y., Lysyanskaya, A., Rabin, T.: Sequential composition of protocols without simultaneous termination. In: Proceedings of the Twenty-First Annual ACM Symposium on Principles of Distributed Computing, PODC 2002, Monterey, California, USA, July 21–24, 2002, pp. 203–212 (2002)

  36. 36.

    Lindell, Y., Lysyanskaya, A., Rabin, T.: On the composition of authenticated byzantine agreement. J. ACM (JACM) 53(6), 881–917 (2006)

    MathSciNet  Article  Google Scholar 

  37. 37.

    Lynch, N.A.: Distributed Algorithms. Morgan Kaufmann, Burlington (1996)

    Google Scholar 

  38. 38.

    MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error Correcting Codes. North-Holland Publishing Company, Amsterdam (1978)

    Google Scholar 

  39. 39.

    Micali, S.: Very simple and efficient byzantine agreement. In: 8th Innovations in Theoretical Computer Science Conference, ITCS 2017, January 9–11, 2017, Berkeley, CA, USA, pp. 6:1–6:1 (2017)

  40. 40.

    Patra, A.: Error-free multi-valued broadcast and byzantine agreement with optimal communication complexity. In: Proceedings of Principles of Distributed Systems - 15th International Conference, OPODIS 2011, pp. 34–49 (2011)

  41. 41.

    Patra, A., Rangan, C.P.: Communication optimal multi-valued asynchronous broadcast protocol. In: Abdalla, M., Barreto, P.S.L.M. (eds.) Progress in Cryptology - LATINCRYPT 2010 LATINCRYPT 2010. Lecture Notes in Computer Science, vol. 6212, pp. 162–177. Springer, Berlin, Heidelberg (2010)

    Google Scholar 

  42. 42.

    Patra, A., Rangan, C.P.: Communication optimal multi-valued asynchronous byzantine agreement with optimal resilience. In: Proceedings of the 5th International Conference on Information Theoretic Security, pp. 206–226. Springer-Verlag (2011)

  43. 43.

    Pease, M., Shostak, R., Lamport, L.: Reaching agreement in the presence of faults. J ACM (JACM) 27(2), 228–234 (1980)

    MathSciNet  Article  Google Scholar 

  44. 44.

    Pfitzmann, B., Waidner, M.: Information-theoretic pseudosignatures and byzantine agreement for t \(\ge \) n/3. Technical Report RZ 2882 (#90830), IBM Research (1996). https://www.csa.iisc.ac.in/~arpita/BroadcastBAReadingGroup/PW96.pdf

  45. 45.

    Reed, I.S., Solomon, G.: Polynomial codes over certain finite fields. J. Soc. Ind. Appl. Math. 8(2), 300–304 (1960)

    MathSciNet  Article  Google Scholar 

  46. 46.

    Turpin, R., Coan, B.A.: Extending binary byzantine agreement to multivalued byzantine agreement. Inform. Process. Lett. 18(2), 73–76 (1984)

    Article  Google Scholar 

  47. 47.

    Yao, A.C.C.: Some complexity questions related to distributive computing(preliminary report). In: Proceedings of the 11th Annual ACM Symposium on Theory of Computing, STOC ’79, pp. 209–213. ACM (1979)

Download references


Arpita Patra would like to acknowledge financial support from SERB MATRICS (Theoretical Sciences) Grant 2020. The authors would like to thank Ling Ren and Zhuolun Xiang for pointing out a minor bug in the BA protocol with \(t < n/2\) presented in the conference version [17]. The bug allowed the adversary to make the honest parties communicate more than \(\mathcal {O}(n\ell )\) bits, and has been fixed in this version.

Author information



Corresponding author

Correspondence to Arpita Patra.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

The results of this paper appeared in preliminary form in [17] and [40].

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Ganesh, C., Patra, A. Optimal extension protocols for byzantine broadcast and agreement. Distrib. Comput. 34, 59–77 (2021). https://doi.org/10.1007/s00446-020-00384-1

Download citation


  • Byzantine Agreement
  • Byzantine Broadcast
  • Extension Protocols
  • Round Complexity
  • Communication Complexity