Zombies and Ghosts: Optimal Byzantine Agreement in the Presence of Omission Faults

Abstract

Studying the feasibility of Byzantine Agreement (BA) in realistic fault models is an important question in the area of distributed computing and cryptography. In this work, we revisit the mixed fault model with Byzantine (malicious) faults and omission faults put forth by Hauser, Maurer, and Zikas (TCC 2009), who showed that BA (and MPC) is possible with t Byzantine faults, s send faults (whose outgoing messages may be dropped) and r receive faults (whose incoming messages may be lost) if \(n>3t+r+s\). We generalize their techniques and results by showing that BA is possible if \(n>2t+r+s\), given the availability of a cryptographic setup. Our protocol is the first to match the recent lower bound of Eldefrawy, Loss, and Terner (ACNS 2022) for this setting.

Appendices

A Security Proofs

This section includes security proofs not included in the body of the paper.

1.1 A.1 Undead Weak Multicast

Theorem 1. The protocol described in Fig. 1 is a (t, s, r)-secure undead weak multicast protocol if \(n>2t+s+r\).

Proof

Validity. If \(i^*\) is nonfaulty or is receive faulty and alive in the beginning of the protocol, it sends \(m,\sigma \) to every party and all nonfaulty parties receive it and forward it. Every party that isn’t receive faulty receives those messages. Since \(i^*\) is non-Byzantine, it only sends one verifying signature and thus this is the only received value, which will then be output. In addition, if a receive faulty party j receives fewer than \(n-t-s\) messages, it becomes a zombie. Otherwise, it receives at least \(n-t-s\ge 2t+s+r+1-t-s=t+r+1\) messages, and at least one of those messages was sent by a party that is neither Byzantine nor receive faulty. Those parties receive the message \(m,\sigma \) from \(i^*\) and forward it, and thus every \(j\ne i^*\) outputs m. In addition, if \(i^*\) isn’t a zombie by the end of the protocol, it outputs \((m,\textsf{Z}_{i^*},\textsf{G}_{i^*})\) as well. Finally, if \(i^*\) is send faulty, it only signs the message m. This means that no nonfaulty party receives any other signed message from \(i^*\), and thus output either m or \(\bot \).

Detection. If \(i^*\) did not become a ghost, then it received “no output” from fewer than \(t+1\) parties. It receives all messages from all \(t+1\) nonfaulty parties, so at least one of those parties did not send “no output”, and has thus output \(m,\textsf{Z},\textsf{G}\).

Termination. All parties terminate after exactly 3 rounds.

No Living Undead. Any party that isn’t receive faulty receives messages from at least \(n-t-s\) parties in round 2. Therefore, only receive faulty parties become zombies. If \(i^*\) is nonfaulty or receive faulty, then all nonfaulty parties receive \(m,\sigma \) in round 1 and forward it. Every non-Byzantine party that hasn’t become a zombie received \(n-t-s\) messages, i.e. at least \(t+r+1\). Therefore, at least one of those messages was from a nonfaulty or send faulty party. As stated above, it received \(m,\sigma \) and thus did not send “no output”. This means that \(i^*\) receives at most t messages of the form “no output” from Byzantine parties and does not become a ghost.

1.2 A.2 Undead Graded Multicast

Theorem 2. The protocol described in Fig.  2 is a (t, s, r)-secure undead graded multicast protocol if \(n>2t+s+r\).

Proof

Validity. If \(i^*\) is nonfaulty or is receive faulty and alive in the beginning of the protocol, it sends \(m,\sigma \) using an undead weak multicast protocol. The protocol has no living undead, and thus \(i^*\) does not become a ghost, and sends the same message again in the second round. From the Validity property of that protocol, every non-Byzantine party either outputs \((m,\sigma ),\textsf{Z},\textsf{G}\) in both rounds, or becomes a zombie. Therefore, every party that didn’t become a zombie received both messages and output \(m,2,\textsf{Z},\textsf{G}\). In addition, if \(i^*\) is send faulty, it only signs m and thus no party receives a message \(m'\ne m\) with a verifying signature. Therefore, every party outputs \(x,y,\textsf{Z},\textsf{G}\) such that \(x=m\) or \(x=\bot \).

Detection. If \(i^*\) is send faulty and alive at the end of the protocol, it did not become a ghost after sending \((m,\sigma )\) for the first time. From the Detection property of the undead weak multicast protocol, at least one nonfaulty party j received that message and forwarded it using the undead weak multicast protocol in the second round. From the Validity property of the protocol, every party that doesn’t become a zombie in the protocol receives \((m,\sigma )\) from j and outputs \(m,1,\textsf{Z},\textsf{G}\) if it hasn’t received \((m,\sigma )\) from \(i^*\) and output \(m,2,\textsf{Z},\textsf{G}\) instead.

Consistency. Assume \(i^*\) is not Byzantine and that some party j output \(m,2,\textsf{Z},\textsf{G}\) with \(\textsf{Z}=\textsf{false}\). This means that j received the same message \((m,\sigma )\) from \(i^*\) in both calls to the undead weak multicast protocol. From the Validity property, \(i^*\) must have sent those messages, and a non-Byzantine party only sends the second message if it does not become a ghost during the first call to the protocol. As argued above, at least one nonfaulty party receives that message and forwards it to all parties, either because of the Validity property if \(i^*\) is nonfaulty or receive faulty, or from the Detection property if it is send faulty. Every party either becomes a zombie or receives the message, and thus outputs \(m,1,\textsf{Z},\textsf{G}\) if it hasn’t also received \((m,\sigma )\) from \(i^*\) in the second round, causing it to output \(m,2,\textsf{Z},\textsf{G}\) instead. This means that for every nonfaulty j, k that don’t become zombies, \(y_j,y_k\in \{1,2\}\) and thus \(\left| y_j-y_k\right| \le 1\). Note that if no nonfaulty party outputs the grade \(y=2\), then for every j, k the grades \(y_j,y_k\) are either 0 or 1 and thus \(\left| y_j-y_k\right| \le 1\) also holds. Finally, note that if \(y_j\ne 0\), then j output \(m',y_j,\textsf{Z},\textsf{G}\) after receiving a pair \(m',\sigma '\) such that \(\textsf{Verify}(\textsf{pk}_{i^*},m',\sigma ')=1\). As stated above, \(i^*\) only signs m, so \(m'=m\).

Termination. All parties terminate after exactly 2 rounds.

No Living Undead. Parties only become ghosts or zombies after doing so in the undead weak multicast protocol, and thus are either send or receive omission respectively since that protocol has no living undead as well.

1.3 A.3 Undead Weak Consensus

Theorem 3. The protocol described in Fig. 3 is a (t, s, r)-secure undead weak consensus protocol if \(n>2t+s+r\).

Proof

Validity. Assume all parties that are alive in the beginning of the protocol have the same input x. Each alive i sends \(x,\sigma _i\) to all other parties. Each nonfaulty party receives at least \(t+1\) such messages from all nonfaulty parties, and no non-Byzantine party receives more than t messages \(x',\sigma '\) such that \(x'\ne x\). Every nonfaulty party then calls the undead graded multicast protocol with the set of values it received. From the Validity property of the protocol every non-Byzantine party that isn’t a zombie at this time receives the \(S_j\) set sent by every nonfaulty party. Therefore, every party i that isn’t a zombie by that time received at least \(t+1\) certificates \(S_j\) for the input x sent by the nonfaulty parties, and no set contains more than t signatures on \(1-v\). Therefore every party i that isn’t a zombie at that time outputs \(x,\textsf{Z}_i,\textsf{G}_i\).

Consistency. Assume some non-Byzantine party outputs \(v,\textsf{Z},\textsf{G}\) such that \(v\ne \bot \). By construction, this means that this party is not a zombie at that time. Since it output \(v\ne \bot \), there are \(t+1\) parties j from which it received a certificate \(S_{j,i}\) for v with \(y_{j,i}=2\). At least one of these parties is non-Byzantine, and let that party be j. From the Validity and Consistency properties of the undead graded multicast protocol, all parties that aren’t zombies received the same set \(S_{j,i}\) with either grade 1 or 2. This set is a certificate for v and thus every party that isn’t a zombie won’t output \(1-v\). In addition, parties that do become zombies output \(\bot \). Therefore, no non-Byzantine party outputs \(1-v\) from the protocol.

Termination. All parties complete the protocol after exactly 2 rounds.

No Living Undead. Parties only become zombies or ghosts in the protocol after seeing they do so in the undead graded multicast protocol. The protocol has no living undead, so parties only do so if they are indeed send or receive faulty respectively.

1.4 A.4 Undead Consensus

Theorem 4. The protocol described in Fig. 4 is a (t, s, r)-secure undead consensus protocol if \(n>2t+s+r\).

Proof

Validity. Assume all parties that are alive in the beginning of the protocol have the same input v. All parties set \(v_i=v\) and start the first iteration of the protocol. We will now prove inductively that every party i that hasn’t terminated has \(v_i=u_i=v\) in all iterations of the protocol. From the Validity property of the undead weak consensus protocol, every party that isn’t a zombie by the end of the protocol outputs \(u_i=v\) and sets \(v_i=v\). Any party that is a zombie by the end of the protocol outputs \(\bot ,\textsf{Z},\textsf{G}\). Following that, all parties that are not zombies start the next iteration with \(v_i=v\). Note that parties only send messages of the form \(x,\sigma \) with \(x=v_i\) and thus at most t parties sign any value other than v in the protocol. This means that at all times, there are signatures from at most t different parties in \(D_{1-v}\) and thus no nonfaulty party outputs \(1-v\). In order to complete the proof, it is required to show that all parties eventually terminate, which will be shown in the Termination property of the protocol.

Consistency. Assume some nonfaulty party output some value. It does so after seeing that there are signatures from at least \(t+1\) parties in either \(D_0\) or \(D_1\). Let i be the first non-Byzantine party to send a \(v,\sigma \) message for any value v. If it does so, it is alive at that time, and both output \(u_i=v\) from the undead weak consensus protocol and saw that \(b=v\) in the same iteration. In that case, every party j that is alive at that point in the protocol outputs either \(u_j=v\) or \(u_j=\bot \) because of the Consistency property of the undead weak consensus protocol and outputs \(b=v\) from \(\textsf{CoinFlip}\) in that iteration. Then, every alive j either updates \(v_j\) to \(u_j\) if \(u_j\ne \bot \) (and thus \(u_j=v_j=v\)), or updates \(v_j\) to \(b=v\). Following the same arguments as the ones in the Validity property, no non-Byzantine party ever sends a signature on \(1-v\), and thus every party that completes the protocol and isn’t a zombie outputs v.

Termination. First note that if some nonfaulty party completes the protocol after outputting v, it sends \(v,D_v\) to all parties. Every party that isn’t receive faulty receives that message and terminates in a finite number of rounds, and every party that is receive faulty will become a zombie after all other parties stop participating and don’t send it messages, causing it to become a zombie if it hasn’t terminated earlier. This means that it is enough to show that some nonfaulty party completes the protocol in a finite amount of time. We will show that this even takes place with probability 1 and that the expected number of rounds until this happens is constant.

Observe a single iteration of the protocol in which no nonfaulty party terminated, and assume without loss of generality that all parties that are alive at the end of the call to the undead weak consensus protocol either output v or \(\bot \) for some \(v\in \{0,1\}\). With probability \(\frac{1}{2}\), all parties output \(b=v\) from the \(\textsf{CoinFlip}\) protocol as well in that iteration. Therefore, every party i that is alive in the next iteration has \(v_i=v\). As shown in the proof of the Validity property, from this point on, all parties have \(v_i=u_i=v\) in all subsequent iterations of the protocol. From the consistency property of the undead weak consensus protocol, all nonfaulty parties output v from the protocol in each iteration from this point on. In each one of those iterations, with probability \(\frac{1}{2}\), every nonfaulty party also outputs \(b=v\) from the \(\textsf{CoinFlip}\) protocol. At that point, each nonfaulty party sends a \(v,\sigma \) message to all other parties. Every nonfaulty party receives those messages, adds the a tuple \((j,\sigma )\) to \(D_v\) for every nonfaulty j and outputs v in the end of the iteration. From the above discussion, all parties complete the protocol in a constant number of rounds after that.

Note that the number of iterations required for each of the above events is a geometric random variable with probability \(\frac{1}{2}\) of succeeding in each iteration, and thus the expected number of rounds is bounded by 4. In addition, for any \(\ell \), the probability that it takes more than \(\ell \) iterations for each of the events to take place is no greater than \(\frac{1}{2^\ell }\), and thus the probability that some party does not terminate in at most \(2\ell \) iterations is no greater than \(\frac{2}{2^{\ell }}=\frac{1}{2^{\ell -1}}\), which decreases exponentially as \(\ell \) grows with a 0 probability of an infinite run.

No Living Undead. Parties only become zombies or ghosts in the protocol if they do so in the undead weak consensus and \(\textsf{CoinFlip}\) protocols. Both of these protocols have no living undead, so parties do so if they are receive or send faulty respectively. Note that if a party is alive and it completes the protocol after outputting v, it sends its \(D_v\) set to all parties and continues participating in another iteration of the loop. This means that any party that is alive at the time the first nonfaulty party completes the protocol either receives the message or is receive faulty. It then outputs \(v,\textsf{Z},\textsf{G}\) in the next iteration of the loop. Since all parties are still participating in the protocol, the undead weak consensus protocol has no living undead at that point in time. Any receive-omission party that hasn’t terminated by that point in time will either become a zombie because it receives no messages or eventually output v. In addition, note that if parties become zombies, all parties are informed and act as if the zombies sent messages consistent with receiving no messages in all protocols, which is a possible behaviour of theirs in a regular run of the protocols, and thus the protocols still have no living undead.

B Original Protocol Definitions

As stated in Sect. 2.4, the definitions used in this paper are variations on well-known protocols, which also add the notion of undead parties. Below are the original definitions, which do not use undead parties. Note that in the undead versions of the protocols, parties also output the flags \(\textsf{Z}\) and \(\textsf{G}\), which are not part of the output in the original setting. This means that the undead versions technically do not solve the original tasks, but can be easily adjusted to solve them by simply omitting these flags from the output. Note that in the below protocols we actually consider uniform versions of the protocols. In these versions, even omission faulty parties are required to output the correct values or \(\bot \) if they can’t (specifically, if they are receive faulty). This reflects the above constructions of the undead versions of the protocols, which also have these guarantees for faulty outputs. Weaker versions of such protocols also exist in which no restrictions are made on the output of faulty parties, but we do not define such protocols below.

Multicast. This notion is usually not defined separately, and is often just used as a simple instruction to send a message to all parties. One could define a multicast task in which a known sender has a message to send to all parties, and all parties output a message or \(\bot \).

Definition 6

Let \(\varPi \) be a protocol executed by parties \(1,\ldots ,n\), with a designated sender \(i^*\) starting with an input \(m\ne \bot \). Every party outputs a value x such that x is either a possible message or \(\bot \).

• Validity. \(\varPi \) is (t, s, r)-valid if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: if \(i^*\) is nonfaulty or receive faulty, every party that is neither Byzantine nor receive faulty outputs m. In addition, if \(i^*\) is send faulty, no non-Byzantine party outputs x such that \(x\notin \{m,\bot \}\).

• Termination. \(\varPi \) is (t, s, r)-terminating if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: all parties complete the protocol and output a value.

If \(\varPi \) is (t, s, r)-valid and (t, s, r)-terminating we say that it is a (t, s, r)-secure multicast protocol.

Graded Multicast. A graded multicast protocol also has a designated sender that attempts to send its message to all parties. In addition to outputting a message x, parties also output a grade y, indicating how confident they are that the protocol succeeded.

Definition 7

Let \(\varPi \) be a protocol executed by parties \(1,\ldots ,n\), with a designated sender \(i^*\) starting with an input \(m\ne \bot \). Every party outputs a pair of values (x, y) such that x is either a possible message or \(\bot \) and \(y\in \{0,1,2\}\).

• Validity. \(\varPi \) is (t, s, r)-valid if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: if \(i^*\) is nonfaulty or receive faulty, every party that is neither Byzantine nor receive faulty outputs x, y such that \(x=m,y=2\). In addition, if \(i^*\) is send faulty, no non-Byzantine party outputs x, y such that \(x\notin \{m,\bot \}\).

• Consistency. \(\varPi \) is (t, s, r)-consistent if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: if \(i^*\) is non-Byzantine and j, k are neither Byzantine nor receive faulty, and j, k output \(x_j,y_j\) and \(x_k,y_k\) respectively, then \(\left| y_j-y_k\right| \le 1\). In addition, if j is non-Byzantine (but is possibly receive faulty) then either \(x_j=\bot \) and \(y_j= 0\) or \(x_j=m\).

• Termination. \(\varPi \) is (t, s, r)-terminating if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: all parties complete the protocol and output a value.

If \(\varPi \) is (t, s, r)-valid, (t, s, r)-consistent and (t, s, r)-terminating we say that it is a (t, s, r)-(secure) graded multicast protocol.

Weak Consensus. In a weak consensus protocol, every party has a binary input, 0 or 1. The goal of the protocol is for there to be some value y such that every party either outputs y or \(\bot \).

Definition 8

Let \(\varPi \) be a protocol executed by parties \(1,\ldots ,n\), in which every party i starts with an input \(v_i\ne \bot \). Every party outputs a value x such that x is either a possible input message or \(\bot \).

• Validity. \(\varPi \) is (t, s, r)-valid if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: if all nonfaulty parties have the same input v, every party that is neither Byzantine nor receive faulty outputs v.

• Consistency. \(\varPi \) is (t, s, r)-consistent if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: if two non-Byzantine parties output x and \(x'\) respectively, then either \(x=x'\), \(x=\bot \) or \(x'=\bot \).

• Termination. \(\varPi \) is (t, s, r)-terminating if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: all parties complete the protocol and output a value.

If \(\varPi \) is (t, s, r)-valid, (t, s, r)-consistent and (t, s, r)-terminating we say that it is a (t, s, r)-secure weak consensus protocol.

Consensus. In a consensus protocol, all parties output the same value. In addition, if all parties have the same input, they must output that value.

Definition 9

Let \(\varPi \) be a protocol executed by parties \(1,\ldots ,n\), in which every party i starts with an input \(v_i\ne \bot \). Every party outputs a possible output value x or possibly \(\bot \) if it is faulty.

• Validity. \(\varPi \) is (t, s, r)-valid if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: if all nonfaulty parties have the same input v, every party that is neither Byzantine nor receive faulty outputs v. In addition, receive faulty parties either output v or \(\bot \).

• Consistency. \(\varPi \) is (t, s, r)-consistent if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: if two parties non-Byzantine and they output \(x,x'\), then either \(x=x'\) or one of them is receive faulty and it outputs \(\bot \).

• Termination. \(\varPi \) is (t, s, r)-terminating if the following holds whenever at most t parties are Byzantine, s parties are send faulty and r parties are receive faulty: all parties complete the protocol and output a value.

If \(\varPi \) is (t, s, r)-valid, (t, s, r)-consistent and (t, s, r)-terminating we say that it is a (t, s, r)-secure consensus protocol.