Appendix
A Broadcast Construction
We show how to construct the broadcast resource specification introduced in Sect. 6.2, using the so-called king-phase paradigm [5]. The construction consists of several steps, each providing stronger consistency guarantees.
1.1 A.1 Weak-Consensus
Let Z be a set of parties. The primitive weak-consensus provides two guarantees:
-
Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value.
-
Weak Consistency: If some party \(i \in \overline{Z}\) decides on an output \(y_i \in \{0,1\}\), then every other party \(j \in \overline{Z}\) decides on a value \(y_j \in \{y_i, \bot \}\).
A specification \(\mathcal {WC}_{k,l, Z, t}\) capturing the guarantees of a weak-consensus primitive (up to t dishonest parties, and where parties input at round k and output at round l) can be naturally defined as the set of all resources satisfying validity and weak consistency. More concretely, for \(|Z| \le t\), \(\mathcal {WC}_{k, l, Z, t}\), is the set of all resources which output a value at round l.b that satisfy the validity and weak consistency properties, according to the inputs from round k.a. That is:
And when \(|Z| > t\), \(\mathcal {WC}_{k,l,Z, t} = \varPhi \).
Protocol \(\varPi _{\mathtt {wc}}^k = (\pi _1^{\mathtt {wc}},\dots ,\pi _n^{\mathtt {wc}})\) constructs specification \(\mathcal {WC}_{k,k,Z, t}\) from \(\mathcal {N}_{Z}\). The protocol is quite simple: At round k each party sends its input message to every other party via each channel. Then, if there is a bit b that is received at least \(n-t\) times, the output is b. Otherwise, the output is \(\bot \). At a very high level, the protocol meets the specification because, if a party i outputs a bit b, it received b from at least \(n-t\) parties, and hence it received b from at least \(n-2t\) honest parties. This implies that every other party received the bit \(1-b\) at most \(2t < n-t\) times (since \(t < \frac{n}{3}\)). Hence, no honest party outputs \(1-b\).
Theorem 2
Let \(t < \frac{n}{3}\). \(\varPi _{\mathtt {wc}}^k\) constructs \(\mathcal {WC}_{k,k,Z,t}\) from \(\mathcal {N}_{Z}\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
Proof
Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We want to prove that the system specification \(\mathcal {R}_Z := (\varPi _{\mathtt {wc}}^k)_{\overline{Z}} \mathcal {N}_{Z} \subseteq \mathcal {WC}_{k,k,Z,t}\).
For that, all we need to prove is that at round \(k.b\), the outputs from the honest parties satisfy both the weak-consistency and the validity property, where the inputs to be taken into account are those at round \(k.a\). We divide two cases:
-
If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): In the system specification \(\mathcal {WC}_{k,k,Z,t}\), the parties output the bit b by definition. In the system specification \(\mathcal {R}_Z\), each party \(i \in \overline{Z}\) receives the bit b at least \(n-t\) times. Hence, each party \(i \in \overline{Z}\) also outputs b.
-
Otherwise, in \(\mathcal {R}_Z\), either every party \(i \in \overline{Z}\) outputs \(\bot \) (in which case the parties meet the specification \(\mathcal {WC}_{k,k,Z,t}\)), or some party i outputs a bit b. In this case, we observe that it received b from at least \(n-t\) parties, and hence it received b from at least \(n-2t\) honest parties. This implies that every other party received the bit \(1-b\) at most \(2t < n-t\) times (since \(t < \frac{n}{3}\)). In conclusion, no honest party outputs \(1-b\), and the parties output a value \(v_i \in \{\bot , b\}\).
\(\square \)
1.2 A.2 Graded-Consensus
We define graded-consensus with respect to a set of parties Z. In this protocol, each party inputs a bit \(x_i \in \{0,1\}\) and outputs a pair value-grade \((y_i,g_i) \in \{0,1\}^2\). The primitive provides two guarantees:
-
Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value with grade 1.
-
Graded Consistency: If some party \(i \in \overline{Z}\) decides on a value \(y_i \in \{0,1\}\) with grade \(g_i = 1\), then every other party \(j \in \overline{Z}\) decides on the same value \(y_j = y_i\).
Specification \(\mathcal {GC}_{k,l, Z, t}\) captures the guarantees of a graded-consensus primitive secure up to t dishonest parties, and where parties give input at round k and output at round l. If \(|Z| \le t\):
And when \(|Z| > t\), \(\mathcal {GC}_{k,l, Z, t} = \varPhi \).
We show a protocol \(\varPi _{\mathtt {gc}}^k = (\pi _1^{\mathtt {gc}},\dots ,\pi _n^{\mathtt {gc}})\) that constructs specification \(\mathcal {GC}_{k,k+1,Z,t}\) from the assumed specification \([\mathcal {WC}_{k,k,Z,t}, \mathcal {N}_{Z}]\): At round k, each party i invokes the weak consensus protocol on its input \(x_i\). Then, at round \(k + 1\), each party sends the output from the weak consensus protocol to every other party via the network. After that, each party i sets the output value \(y_i\) to be the most received bit, and the grade \(g_i = 1\) if and only if the value was received at least \(n-t\) times.
If any party i decides on an output \(y_i\) with \(g_i = 1\), it means that the party received \(y_i\) from at least \(n-t\) parties, where at least \(n-2t\) are honest parties. Hence, every other honest party received the value \(y_i\) at least \(n-2t\) times. Given that \(n-2t > t\), at least one honest party obtained \(y_i\) as output of \(\mathcal {WC}_{k,k,Z,t}\). Therefore, by weak consistency, no honest party obtained \(1 - y_i\) as output from \(\mathcal {WC}_{k,k,Z,t}\), from which it follows that each honest party j received it at most \(t < n - 2t\) times and therefore outputs \(y_j = y_i\).
Theorem 3
Let \(t < \frac{n}{3}\). \(\varPi _{\mathtt {gc}}^k\) constructs \(\mathcal {GC}_{k,k+1, Z, t}\) from \([\mathcal {WC}_{k,k,Z,t},\mathcal {N}_{Z}]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
Proof
Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We want to prove that the system specification \(\mathcal {R}_Z := (\varPi _{\mathtt {gc}}^k)_{\overline{Z}} [\mathcal {WC}_{k,k,Z,t},\mathcal {N}_{Z}] \subseteq \mathcal {GC}_{k,k+1, Z, t}\).
For that, all we need to prove is that at round \((k+1).b\), the outputs from the honest parties satisfy both the graded-consistency and the validity property, where the inputs to be taken into account are those at round \(k.a\).
At round \(k.a\), each party \(i \in \overline{Z}\) inputs the message \(x_i\) to \(\mathcal {WC}_{k,k,Z,t}\). Then, it is guaranteed that at round \(k.b\), honest parties obtain an output that satisfies validity and weak-consistency. At round \((k+1).b\), we divide two cases:
-
If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): In \(\mathcal {GC}_{k,k+1, Z, t}\), the parties output the bit (b, 1) by definition. In \(\mathcal {R}_Z\), each party \(i \in \overline{Z}\) outputs the bit b as \(z_j\) because of the validity of \(\mathcal {WC}_{k,k,Z,t}\). Then, party i receives at least \(n-t\) times the bit b. Hence, each party \(i \in \overline{Z}\) also outputs b.
-
If an honest party i decides on an output \(y_i\) with \(g_i = 1\), then it means that the party received \(y_i\) from at least \(n-t\) parties, where at least \(n-2t\) are honest parties. This implies that every other honest party received the value \(y_i\) at least \(n-2t\) times. Given that \(n-2t > t\), at least one honest party obtained \(y_i\) as output of \(\mathcal {WC}_{k,k,Z,t}\) at round \((k+1).b\). Therefore, by weak consistency, no honest party obtained \(1 - y_i\) as output from \(\mathcal {WC}_{k,k,Z,t}\), from which it follows that each honest party j received at most \(t < n - 2t\) times and therefore outputs \(y_j = y_i\).
\(\square \)
1.3 A.3 King-Consensus
We first define a specification that achieves king-consensus with respect to a set of parties Z. In the king-consensus primitive, there is a party K, the king, which plays a special role. The primitive provides two guarantees:
-
Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value.
-
King Consistency: If party \(K \in \overline{Z}\), then there is a value y such that every party \(j \in \overline{Z}\) decides on the value \(y_j = y\).
We describe a specification \(\mathcal {KC}_{k,l, Z, t, K}\) that models a king-consensus primitive where K has the role of king, and is secure up to t dishonest parties, which starts at round k and ends at round l. If \(|Z| \le t\):
And when \(|Z| > t\), \(\mathcal {KC}_{k,l, Z, t, K} = \varPhi \).
Protocol \(\varPi _{\mathtt {kc}}^k = (\pi _1^{\mathtt {kc}},\dots ,\pi _n^{\mathtt {kc}})\) constructs specification \(\mathcal {KC}_{k,k+2, Z, t, K}\) from the assumed specification \([\mathcal {GC}_{k,k+1,Z,t}, \mathcal {N}_{Z}]\): At round k, each party i invokes the graded consensus protocol on its input \(x_i\). Then, at round \(k + 2\), the king K sends the output \(z_K\) from the graded consensus protocol to every other party. Finally, each party i sets the value \(y_i = z_i\) to the output of graded consensus if the grade was \(g_i = 1\), and otherwise to the value of the king \(y_i = z_K\). Note that consistency is guaranteed to hold only in the case the king is honest: if every honest party i has grade \(g_i = 0\), they all adopt the king’s value. Otherwise, there is a party j with grade \(g_j = 1\), and graded consistency ensures that all honest parties (in particular the king) have the same output.
Theorem 4
Let \(t < \frac{n}{3}\). \(\varPi _{\mathtt {kc}}^k\) constructs \(\mathcal {KC}_{k,k+2, Z, t, K}\) from \([\mathcal {GC}_{k,k+1,Z,t},\mathcal {N}_{Z}]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
Proof
Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We want to prove that the system specification \(\mathcal {R}_Z := (\varPi _{\mathtt {kc}}^k)_{\overline{Z}} [\mathcal {GC}_{k,k+1,Z,t},\mathcal {N}_{Z}] \subseteq \mathcal {KC}_{k,k+2, Z, t, K}\).
At round \(k.a\), each party \(i \in \overline{Z}\) inputs the message \(x_i\) to \(\mathcal {GC}_{k,k+1,Z,t}\). Then, it is guaranteed that at round \((k+1).b\), honest parties obtain an output that satisfies validity and graded-consistency. We divide two cases:
-
If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): In \(\mathcal {KC}_{k,k+2, Z, t, K}\), the parties output the bit b at round \(k+2\) by definition. In the system specification \(\mathcal {R}_Z\), each party \(i \in \overline{Z}\) receives the bit (b, 1) at round \(k+1\), because of the validity of \(\mathcal {GC}_{k,k+1,Z,t}\). Hence, each party \(i \in \overline{Z}\) also outputs b at round \(k+2\).
-
Otherwise, assume the king is honest. If every honest party i obtains an output \((z_i,0)\), then at round \((k + 2).b\), every party takes the value of the king \(z_K\). Otherwise, there is a party j that obtained an output \((z_j,1)\) at round \((k + 1).b\). In this case, graded consistency implies that all honest parties have the same output. In particular, this holds for the honest king. Thus, all parties decide on the same output. \(\square \)
1.4 A.4 Consensus
We define a specification that achieves consensus with respect to a set of parties Z. The primitive provides two guarantees:
-
Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value.
-
Consistency: There is a value y such that every party \(j \in \overline{Z}\) decides on the value \(y_j = y\).
We describe a specification \(\mathcal {C}_{k,l, Z, t}\) that models consensus, secure up to t dishonest parties, which starts at round k and ends at round l. If \(|Z| \le t\):
And when \(|Z| > t\), \(\mathcal {C}_{k,l, Z, t} = \varPhi \).
Protocol \(\varPi _{\mathtt {cons}}^k = (\pi _1^{\mathtt {cons}},\dots ,\pi _n^{\mathtt {cons}})\) constructs specification \(\mathcal {C}_{k,k+3(t+1)-1, Z, t}\) from the assumed specification \([\mathcal {KC}_{k,k+2,Z,t,1},\dots ,\mathcal {KC}_{k+3t,k+3(t+1)-1,Z,t, {t+1}}]\). The idea is simply to execute the king consensus protocol sequentially \(t+1\) times with different kings. More concretely, at round \(k + 3j\), \(j \in [0,t]\), parties execute the king consensus protocol, where the king is \({j+1}\). If parties start with the same input bit, validity of king consensus guarantees that this bit is kept until the end. Otherwise, since the number of dishonest parties is at most t, one of the executions has an honest king. After the execution with the honest king, consistency is reached, and validity ensures that consistency is maintained until the end of the execution.
Theorem 5
Let \(t < n\). \(\varPi _{\mathtt {cons}}^k\) constructs \(\mathcal {C}_{k,k+3t+2, Z, t}\) from \([\mathcal {KC}_{k,k+2,Z,t,1}, \dots ,\) \(\mathcal {KC}_{k+3t,k+3t+2,Z,t, {t+1}}]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
Proof
Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We divide two cases:
-
If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): After each input to \(\mathcal {KC}_{k+3j,k+3j+2, Z, t, {j+1}}\), the parties obtain the bit b because of validity. This is the same in \(\mathcal {C}_{k,k+3t+2, Z, t}\) by definition.
-
Otherwise, given that there are up to t dishonest parties and there are \(t+1\) different kings, there is an honest king K. The output of any system in the specification \(\mathcal {KC}_{k+3(K-1),k+3K-1,Z,t, {K}}\) is the same value v for all honest parties because of the king consistency. All the following invocations to king consensus keep the value v as the output because of the validity property. Thus, all parties decide on the same output.
\(\square \)
1.5 A.5 Broadcast
In Sect. 6.2 we introduced a broadcast resource specification. We show how to achieve such a specification from \(\mathcal {C}_{k,l, Z, t}\), as long as \(|Z| \le t\), for any \(t \le \frac{n}{3}\).
We recall the broadcast specification resource secure up to t dishonest parties, which starts at round k and ends at round l. If \(|Z| \le t\):
And when \(|Z| > t\), \(\mathcal {BC}_{k,l, Z, t} = \varPhi \).
Protocol \(\varPi _{\mathtt {bc}}^k = (\pi _1^{\mathtt {bc}},\dots ,\pi _n^{\mathtt {bc}})\) constructs specification \(\mathcal {BC}_{k,k+3t+3,Z,t}\) from the assumed specification \([\mathcal {C}_{k+1,k+3t+3,Z,t},\mathcal {N}_Z]\). The sender simply sends its input value x to every party, and then parties execute the consensus protocol on the received value from the sender.
Theorem 6
Let \(t < \frac{n}{2}\). \(\varPi _{\mathtt {bc}}^k\) constructs \(\mathcal {BC}_{k,k+3t+3,Z,t}\) from \([\mathcal {C}_{k+1,k+3t+3,Z,t},\) \(\mathcal {N}_Z]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
Proof
Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We divide two cases:
-
If the sender is honest, every honest party receives the sender’s input \(x_s\) and inputs this value into the consensus resource. Because of the validity of consensus, every honest party obtains \(x_s\) from the consensus resource and outputs it. This is the same in \(\mathcal {BC}_{k,k+3t+3, Z, t}\) by definition.
-
Otherwise, the consistency of the consensus resource guarantees that every honest party receives the same value from the consensus resource, and hence every honest party outputs the same value. \(\square \)
As a corollary of composing all the previous protocols, we obtain that there is a protocol which constructs broadcast from a network of bilateral channels.
Corollary 1
Let \(t < \frac{n}{3}\). There is a protocol that constructs \(\mathcal {BC}_{k,k+3t+3,Z,t}\) from \(\mathcal {N}_Z\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.