A broadcast protocol allows a sender to distribute a message through a point-to-point network to a set of parties, such that (i) all parties receive the same message, even if the sender is corrupted, and (ii) this is the sender’s message, if he is honest. Broadcast protocols satisfying these properties are known to exist if and only if t < n/3, where n denotes the total number of parties, and t denotes the maximal number of corruptions. When a setup allowing signatures is available to the parties, then such protocols exist even for t < n.

Since its invention in [LSP82], broadcast has been used as a primitive in numerous multi-party protocols making it one of the fundamental primitives in the distributed-protocols literature. The security of these protocols is analyzed in a model where a broadcast primitive which behaves in an ideal way is assumed. Clearly, a definition of broadcast should allow for secure composition, namely, it should be secure to replace an assumed broadcast primitive by a protocol satisfying this definition. Following recent cryptographic reasoning, to allow secure composition the ideal behavior of broadcast can be described as an ideal functionality, and a simulation-based definition can be used.

In this work, we show that the property-based definition of broadcast does not imply the simulation-based definition for the natural broadcast functionality. In fact, most broadcast protocols in the literature do not securely realize this functionality, which raises a composability issue for these broadcast protocols. In particular, we do not know of any broadcast protocol which could be securely invoked in a multi-party computation protocol in the secure-channels model. The problem is that existing protocols for broadcast do not preserve the secrecy of the message while being broadcasted, and in particular allow the adversary to corrupt the sender (and change the message), depending on the message being broadcasted. For example, when every party should broadcast a random bit, the adversary could corrupt those parties who intend to broadcast 0, and make them broadcast 1.

More concretely, we show that simulatable broadcast in a model with secure channels is possible if and only if t < n/3, respectively t ≤ n/2 when a signature setup is available. The positive results are proven by constructing secure broadcast protocols.


Ideal Functionality Consensus Protocol Broadcast Protocol Computational Security Byzantine Agreement 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [BCG93]
    Ben-Or, M., Canetti, R., Goldreich, O.: Asynchronous secure computation. In: STOC 1993, pp. 52–61 (1993)Google Scholar
  2. [BDDS92]
    Bar-Noy, A., Dolev, D., Dwork, C., Strong, H.R.: Shifting gears: Changing algorithms on the fly to expedite Byzantine agreement. Information and Computation 97(2), 205–233 (1992)zbMATHCrossRefMathSciNetGoogle Scholar
  3. [BGP89]
    Berman, P.J., Garray, J., Perry, J.: Towards optimal distributed consensus. In: FOCS 1989, pp. 410–415 (1989); Full version in Computer Science Research (1992)Google Scholar
  4. [BGW88]
    Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: STOC 1988, pp. 1–10 (1988)Google Scholar
  5. [BHR07]
    Beerliova-Trubiniova, Z., Hirt, M., Riser, M.: Efficient Byzantine agreement with faulty minority. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 393–409. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. [BKR94]
    Ben-Or, M., Kelmer, B., Rabin, T.: Asynchronous secure computations with optimal resilience (extended abstract). In: PODC 1994, pp. 183–192. ACM, New York (1994)CrossRefGoogle Scholar
  7. [BPW91]
    Baum-Waidner, B., Pfitzmann, B., Waidner, M.: Unconditional Byzantine agreement with good majority. In: Jantzen, M., Choffrut, C. (eds.) STACS 1991. LNCS, vol. 480, pp. 285–295. Springer, Heidelberg (1991)CrossRefGoogle Scholar
  8. [Bra84]
    Bracha, G.: An asynchronou [(n-1)/3]-resilient consensus protocol. In: PODC 1984, pp. 154–162 (1984)Google Scholar
  9. [Can00]
    Canetti, R.: Security and composition of multiparty cryptographic protocols. Journal of Cryptology 13(1), 143–202 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  10. [Can01]
    Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: FOCS 2001, pp. 136–145 (2001)Google Scholar
  11. [Can03]
    Canetti, R.: Universally composable signatures, certification and authentication. Cryptology ePrint Archive, Report 2003/239 (2003),
  12. [CCD88]
    Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (extended abstract). In: STOC 1988, pp. 11–19 (1988)Google Scholar
  13. [CDD+99]
    Cramer, R., Damgård, I., Dziembowski, S., Hirt, M., Rabin, T.: Efficient multiparty computations secure against an adaptive adversary. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 311–326. Springer, Heidelberg (1999)Google Scholar
  14. [CGMA85]
    Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable secret sharing and achieving simultaneity in the presence of faults. In: FOCS 1985, pp. 383–395 (1985)Google Scholar
  15. [CR87]
    Chor, B., Rabin, M.O.: Achieving independence in logarithmic number of rounds. In: PODC 1987, pp. 260–268 (1987)Google Scholar
  16. [CW89]
    Coan, B.A., Welch, J.L.: Modular construction of nearly optimal Byzantine agreement protocols. In: PODC 1989, pp. 295–305 (1989); Full version in Information and Computation (1992)Google Scholar
  17. [DFF+82]
    Dolev, D., Fischer, M.J., Fowler, R., Lynch, N.A., Strong, H.R.: An efficient algorithm for Byzantine agreement without authentication. Information and Control 52(3), 257–274 (1982)zbMATHCrossRefMathSciNetGoogle Scholar
  18. [DS82]
    Dolev, D., Strong, H.R.: Polynomial algorithms for multiple processor agreement. In: STOC 1982, pp. 401–407 (1982); Full version in SIAM Journal on Computing 12(4), 656–666 (1983)Google Scholar
  19. [Fit03]
    Fitzi, M.: Generalized Communication and Security Models in Byzantine Agreement. PhD thesis, ETH Zurich (2003)Google Scholar
  20. [FLM86]
    Fischer, M.J., Lynch, N.A., Merritt, M.: Easy impossibility proofs for distributed consensus problems. Distributed Computing 1, 26–39 (1986)zbMATHCrossRefGoogle Scholar
  21. [FM88]
    Feldman, P., Micali, S.: Optimal algorithms for Byzantine agreement. In: STOC 1988, pp. 148–161 (1988)Google Scholar
  22. [Gen95]
    Gennaro, R.: Achieving independence efficiently and securely. In: PODC 1995, pp. 130–136 (1995)Google Scholar
  23. [Gen00]
    Gennaro, R.: A protocol to achieve independence in constant rounds. IEEE Trans. Parallel Distrib. Syst. 11(7), 636–647 (2000)CrossRefGoogle Scholar
  24. [GL02]
    Goldwasser, S., Lindell, Y.: Secure computation without agreement. In: Malkhi, D. (ed.) DISC 2002. LNCS, vol. 2508, pp. 17–32. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  25. [GM93]
    Garay, J.A., Moses, Y.: Fully polynomial Byzantine agreement in t+1 rounds. In: STOC 1993, pp. 31–41 (1993)Google Scholar
  26. [Hev06]
    Hevia, A.: Universally composable simultaneous broadcast. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 18–33. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  27. [HM05]
    Hevia, A., Micciancio, D.: Simultaneous broadcast revisited. In: PODC 2005, pp. 324–333 (2005)Google Scholar
  28. [KY84]
    Karlin, A., Yao, A.C.: Manuscript (1984)Google Scholar
  29. [LLR02]
    Lindell, Y., Lysyanskaya, A., Rabin, T.: On the composition of authenticated Byzantine agreement. In: STOC 2002, pp. 514–523 (2002)Google Scholar
  30. [LSP82]
    Lamport, L., Shostak, R., Pease, M.: The Byzantine generals problem. ACM Transactions on Programming Languages and Systems 4(3), 382–401 (1982)zbMATHCrossRefGoogle Scholar
  31. [Nie03]
    Nielsen, J.B.: On Protocol Security in the Cryptographic Model. PhD thesis, BRICS (2003)Google Scholar
  32. [PW92]
    Pfitzmann, B., Waidner, M.: Unconditional Byzantine agreement for any number of faulty processors. In: STACS 1992. LNCS, vol. 577, pp. 339–350 (1992)Google Scholar
  33. [RB89]
    Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: STOC 1989, pp. 73–85 (1989)Google Scholar
  34. [TPS87]
    Toueg, S., Perry, K.J., Srikanth, T.K.: Fast distributed agreement. SIAM J. Comput. 16(3), 445–457 (1987)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Martin Hirt
    • 1
  • Vassilis Zikas
    • 1
  1. 1.Department of Computer ScienceETH Zurich 

Personalised recommendations