Good-case Latency of Byzantine Broadcast: a Complete Categorization
GGood-case Latency of Byzantine Broadcast: a Complete Categorization
ITTAI ABRAHAM,
VMware Research, Israel
KARTIK NAYAK,
Duke University, USA
LING REN,
University of Illinois at Urbana-Champaign, USA
ZHUOLUN XIANG β , University of Illinois at Urbana-Champaign, USA
This paper explores the problem good-case latency of Byzantine fault-tolerant broadcast, motivated by the real-world latency andperformance of practical state machine replication protocols. The good-case latency measures the time it takes for all non-faulty partiesto commit when the designated broadcaster is non-faulty. We provide a complete characterization of tight bounds on good-case latency,in the authenticated setting under synchrony, partial synchrony and asynchrony. Some of our new results may be surprising, e.g.,2-round PBFT-style partially synchronous Byzantine broadcast is possible if and only if π β₯ π β
1, and a tight bound for good-caselatency under π / < π < π / Byzantine fault-tolerant broadcast is a fundamental problem in distributed computing. In Byzantine broadcast (BB) orByzantine reliable broadcast (BRB), there is a designated broadcaster that sends its input value to all parties, and allnon-faulty parties must deliver the same value. Moreover, if the broadcaster is non-faulty, then the delivered valuemust be broadcasterβs input. BB requires all non-faulty parties to eventually terminate, while BRB relaxes the conditionto only require termination when the broadcaster is honest or if a non-faulty party terminates.One of the most important practical applications of broadcast is to implement
Byzantine fault-tolerant state machinereplication (BFT SMR), which ensures all non-faulty replicas agree on the same sequence of client inputs to providethe client with the illusion of a single non-faulty server. Most of the practical solutions for BFT SMR are based on thePrimary-Backup paradigm. In this approach, in each view , one replica is designated to be the leader, and is in chargeof a view to drive decisions, until replaced by the leader of the next view due to malicious behavior or bad networkconnection. The Primary-Backup approach for SMR exposes deep connections to broadcast. Each view in BFT SMRis similar to an instance of broadcast where with the leader taking on a similar role as the broadcaster , and hencean efficient broadcast protocol can be converted to an SMR protocol with similar efficiency guarantees. Due to theimportance of BFT SMR and the recent interest in permissioned blockchains, improving the latency of the BFT SMRand understanding its fundamental latency limit have been a research focus for several decades [2, 4, 11, 20, 23, 26].However, there exists a mismatch between theoretical studies on broadcast latency and practical SMR systems.Most of the theoretical studies focused on the worst-case latency of broadcast. For Byzantine broadcast, the worst-casenumber of rounds required is π + π faults [18]. As π is typically assumed to be linear in π , any BB protocolwill inevitably have a poor worst-case latency as π increases. However, in contrast, practical BFT SMR systems caremore about the good-case , in which a stable non-faulty leader stays in charge and drives consensus on many decisions.Another relatively minor disconnect lies in the βlife cycleβ of the protocol. Broadcast and reliable broadcast require allparties to halt or terminate after agreeing on a single value, while practical SMR protocols are intended to run forever;replicas commit or decide on an ever-growing sequence of values. Hence, in contrast to the worst-case latency to halt,we argue the importance of good-case latency to commit for broadcast protocols defined as follows. β Lead author Each view of BFT SMR does not require committing an honest leaderβs proposed value, and thus, is weaker than BB and BRB.1 a r X i v : . [ c s . D C ] F e b ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang Problem Timing Model Resilience Lower Bound Upper Bound
BRB Aynchrony π β₯ π + π β₯ π β rounds π + β€ π β€ π β rounds < π < π / πΏ πΉ π = π / π« + πΉ π« + πΉ π / < π < π / sync start π« + πΉ unsync start π« + . πΉ sync start π« + πΉ unsync start π« + . πΉ π / β€ π < π (β ππ β π β β ) π« π ( ππ β π ) Ξ [33] Table 1. Upper and lower bounds for good-case latency of Byzantine fault-tolerant broadcast.
Our new (and nontrivial) resultsare marked bold.
Under asynchrony, all lower and upper bounds are for BRB. Under partial synchrony, all lower and upper boundare for a new broadcast formulation named partially synchronous Byzantine broadcast we propose (Definition 5). To strengthen allresults under synchrony, all lower bounds are for BRB and synchronized start, and all upper bounds are for BB and unsynchronizedstart, unless otherwise specified.
Definition 1 (Informal; Good-case Latency).
The good-case latency of a broadcast protocol is the time for all honestparties to commit (over all executions and adversarial strategies), given the designated broadcaster is honest.
In fact, practical systems often implicitly talk about the good-case latency without formally defining it as such. In atalk from 2000 [25], Barbara Liskov commented that she did not know whether 3 rounds are optimal for PBFT [11]. It isclear that Liskov was implicitly referring to the number of rounds needed to reach agreement in the good case that theprimary is non-faulty.Our workβs main contribution is a formal theoretical framework to address exactly this question and be able toprove the minimum number of phases in the good-case where the primary is non-faulty. In fact, our work gives acomplete and tight categorization on good-case latency, for any threshold adversary size, both for the synchronousmodel, partially synchronous model and for the asynchronous model in the authenticated setting (i.e., with signatures).Another contribution of our work is a new broadcast formulation, named partially synchronous Byzantine broadcast(psync-BB), for the partially synchronous model to better abstract a single shot of BFT SMR such as PBFT, since noexisting broadcast formulation captures the properties of partially synchronous BFT SMR protocols such as PBFT.For instance, most existing BFT SMR solutions are leader-based and will replace an honest leader during asynchrony,while Byzantine broadcast and Byzantine reliable broadcast force parties to commit an honest broadcasterβs value. Wesummarize our findings in Table 1 and some of them may be quite surprising.
Complete categorization for good-case latency in asynchrony.
The results for BRB under asynchrony turn outto be strightforward. Although by definition BRB can always be solved with good-case latency of 2 rounds, the resultsare not useful for solving BFT SMR, since the parties in BRB are allowed to never commit when the broadcaster isByzantine.Theorem 1 (Informal; tight bounds on good-case latency in asynchrony).
For Byzantine Reliable Broadcastwith π Byzantine parties in the asynchronous and authenticated setting, in the good-case, 2 rounds are necessary andsufficient iff π β₯ π + (Section 3). Complete categorization for good-case latency in partial synchrony.
PBFT [11] shows that in the good case, 3rounds are sufficient with π β₯ π + π β₯ π +
1. Somewhatsurprisingly, we show that these results are not tight in the authenticated model (which PBFT and all follow-up work ood-case Latency of Byzantine Broadcast: a Complete Categorization assume), and the boundary between 2 and 3 rounds is at π β₯ π β
1. We propose a new broadcast formulation namedpartially synchronous Byzantine broadcast (psync-BB) that abstracts a single-shot of BFT SMR under partial synchrony,and show the following results.Theorem 2 (Informal; tight bounds on good-case latency in partial synchrony).
For Partially SynchronousByzantine Broadcast with π Byzantine parties in the partially synchronous and authenticated setting, in the good-case:(1) 2 rounds are necessary and sufficient if π β₯ π β (Section 4.1), and(2) 3 rounds are necessary and sufficient if π + β€ π < π β (Section 4.2). The new 2-round good-case psync-BB protocol solves a single shot of BFT SMR within 2 rounds in the good case.We extend the protocol to obtain a practical BFT SMR in our complementary paper [5]. Observe one interesting andimportant special case here: when π =
1, we have π = = π + = π β
1, and 3-round PBFT is not optimal, as 2 roundsare sufficient.
Complete categorization for good-case latency in synchrony.
We give a complete categorization for good-caselatency in the synchronous model, where message delays are bounded by a known upper bound Ξ . There turns out tobe a surprisingly rich spectrum here.We adopt the separation between the conservative worst-case bound Ξ and the actual (unknown) bound πΏ β€ Ξ as suggested in [3, 4, 21, 27, 31]. Moreover, our categorization highlights the importance of the assumption on thesynchronization of when the protocol starts at each party. We distinguish two models: the synchronized start modelassumes all parties start the protocol at the exact same time; the unsynchronized start model assumes all parties startthe protocol within a known time interval bounded by the clock skew (see Section 2). Whenever applicable, we provelower bounds in the synchronized start model (hence they also apply to unsynchronized start), and upper bounds inthe unsynchronized start model (hence they also apply to synchronized start). The case of π / < π < π / π / < π < π / Ξ + . πΏ , which is not an integermultiple of the message delay.Theorem 3 (Informal; bounds on good-case latency in synchrony). For Byzantine Broadcast and ByzantineReliable Broadcast with π Byzantine parties in the synchronous and authenticated setting, in the good-case:(1) if < π < π / , then πΏ is necessary and sufficient (Section 5.1);(2) if π = π / , then Ξ + πΏ is necessary and sufficient (Section 5.2);(3) if π / < π < π / then Ξ + πΏ is necessary and sufficient in the synchronized start model (Section 5.3), and Ξ + . πΏ isnecessary and sufficient in the unsynchronized start model (Section 5.4);(4) if π / β€ π < π then (β ππ β π β β ) Ξ is necessary, and π ( ππ β π ) Ξ is sufficient (Section 5.5). We define a protocol for a set of π parties, among which at most π are Byzantine faulty and canbehave arbitrarily. If a party remains non-faulty for the entire protocol execution, we call the party honest. Duringan execution πΈ of a protocol, parties perform sequences of events, including send, receive/deliver, local computation .The local history at some party π during an execution πΈ refers to the initial state and the sequence of events performedby party π in πΈ , denoted as πΈ | π . An honest party π cannot distinguish two executions πΈ and πΈ if its local history ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang is identical in both executions, i.e., πΈ | π = πΈ | π . If the protocol is deterministic, for any two executions, if an honestparty has the same initial state and receives the same set of messages at the same corresponding time points (by itslocal clock), the honest party will have the same local history and thus cannot distinguish two executions. We willuse the standard indistinguishability argument to prove our lower bounds. In this paper, we investigate results fordeterministic authenticated protocols. We use (perfect) digital signatures and public-key infrastructure (PKI), assumeideal unforgeability, and use β¨ π β© π to denote a message π signed by party π . We call any message valid, if the message isin the correct format and properly signed by the corresponding party (sender). We say a party detects equivocation if itreceives messages containing different values signed by the broadcaster. Synchrony, partial synchrony, and asynchrony.
We consider three standard network models, synchrony, partialsynchrony and asynchrony. Under asynchrony , the adversary can control the message delay of any message to be anarbitrary non-negative value. Under partial synchrony , the adversary can control the message delay of any message tobe an arbitrary non-negative value until a Global Stable Time (GST), after which the message delays are bounded by Ξ .For a more accurate latency characterization under synchrony , we follow the literature [2, 21, 27] to separate the actual bound πΏ , and the conservative bound Ξ on the network delay: β’ For one execution, πΏ is the upper bound for message delays between any pair of honest parties, but the value of πΏ is unknown to the protocol designer or any party. Different executions may have different πΏ values. β’ For all executions, Ξ is the upper bound for message delays between any pair of honest parties, and the value of Ξ is known to the protocol designer and all parties.In other words, Ξ is the maximum network delay bound assumed by the synchronous model, and by definition πΏ β€ Ξ .In practice, the parameter Ξ is usually chosen conservative, and thus πΏ βͺ Ξ . In this model, for any execution with anactual message delay bound πΏ , the adversary can control the delay of any message between two honest parties to beany value in [ , πΏ ] . Between a pair of parties where at least one is Byzantine, the adversary can control the messagedelay to be any non-negative value or even infinity. This can be easily achieved by having Byzantine parties postponesending or reading the message to simulate an arbitrary delay. A simulated delay of β means that a message is neversent or is discarded without being read. Clock synchronization.
For synchronous protocols, each party is equipped with a local clock that starts countingat the beginning of the protocol execution. We assume the clock skew is at most π , i.e., they start protocol at most π apart from each other. We assume parties have no clock drift for convenience. There exist clock synchronizationprotocols [1, 12] that guarantee a bounded clock skew of π β€ πΏ . At the same time, there is a negative result that showsclocks cannot be synchronized within ( β / π ) πΏ [6], hence the clock skew must β₯ ( β / π ) πΏ β₯ . πΏ in the nontrivialcase of π β₯ π =
0, all parties start their local clock at the same time, and we refer such model asthe synchronized start model. Otherwise, it is called the unsynchronized start model. To strengthen our results for thesynchronous case, all lower bound results assume the synchronized start model and all upper bound results assume theunsynchronized start model, unless otherwise specified . Since the value of πΏ is unknown to the protocol designer or anyparty, we will assume π = Ξ for our upper bounds under synchrony. For the lower bound under unsynchronized start,we assume the smallest achievable clock skew π = . πΏ to strengthen the bound. Partially synchronous protocols uselocal blocks with no clock drift and arbitrary clock skew , for timeout and view-change. Asynchronous protocols do notuse clocks and make no assumption on clocks. Byzantine broadcast variants.
We investigate two standard variants of Byzantine broadcast problem for synchronyand asynchrony, and define a new variants of Byzantine broadcast problem for partial synchrony (Definition 5). ood-case Latency of Byzantine Broadcast: a Complete Categorization Definition 2 (Byzantine Broadcast (BB)).
A Byzantine broadcast protocol must satisfy the following properties. β’ Agreement. If two honest parties commit values π£ and π£ β² respectively, then π£ = π£ β² . β’ Validity. If the designated broadcaster is honest, then all honest parties commit the broadcasterβs value and terminate. β’ Termination. All honest parties commit and terminate.
Definition 3 (Byzantine Reliable Broadcast (BRB)).
A Byzantine reliable broadcast protocol must satisfy thefollowing properties. β’ Agreement. Same as above. β’ Validity. Same as above. β’ Termination. If an honest party commits a value and terminates, then all honest parties commit a value and terminate.
For partial synchrony, we define partially synchronous Byzantine broadcast below, which abstracts the single-shot ofexisting partially synchronous BFT SMR protocols such as PBFT [11].Definition 4 (partially synchronous Byzantine broadcast (psync-BB)).
A partially synchronous Byzantinebroadcast protocol provides the following properties. β’ Agreement. Same as above. β’ Validity. If the designated broadcaster is honest and
πΊππ = , then all honest replicas commit the broadcasterβs value. β’ Termination. All honest replicas commit and terminate after
πΊππ . In comparison, BB is a harder than both psync-BB and BRB, as BRB relaxes the termination property of BB to alloweither all honest parties commit or no honest party commits, and psync-BB relaxes both termination and validity. Alsonote that under synchrony, psync-BB is the same as BB, and BB can only be solved under synchrony. As a result, undersynchrony, any protocol that solves BB (same as psync-BB) also solves BRB, and thus any upper bound result (includinggood-case latency) for BB also implies the same upper bound result for BRB . Moreover, any lower bound result for BRB alsoimplies the same lower bound result for BB . BRB is not comparable to psync-BB, as the validity of BRB is stronger (honestparties must commit the honest broadcasterβs value in BRB but not in psync-BB), while the termination of psync-BB isstronger (all honest parties commits after GST in psync-BB but not in BRB).In this paper, we present all the upper and lower bounds in the strongest possible form for synchrony and asynchronyas follows. We present upper bounds (i.e., construct protocols) for BB under synchrony (which equal psync-BB and alsosolve BRB), BRB under asynchrony as BB is impossible to solve even with a single fault under asynchrony. We presentall lower bound results for BRB for both synchrony and asynchrony (which also apply to BB).For partial synchrony, we present all lower bounds for psync-BB, and upper bounds for a slightly stronger formulationthat additionally requires the committed values to be externally valid for some external predicate F : { , } π β{ π‘ππ’π, π πππ π } , to better capture the partially synchronus BFT SMR like PBFT in practice.Definition 5 (partially synchronous validated Byzantine broadcast (psync-VBB)). A partially synchronousvalidated Byzantine broadcast protocol provides the following properties. β’ Agreement. Same as above. β’ Validity. If the designated broadcaster is honest and
πΊππ = , then all honest replicas commit the broadcasterβs value;otherwise the value π£ committed by any honest replica satisfies F ( π£ ) = π‘ππ’π ( π£ is externally valid). β’ Termination. Same as above. ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang A psync-VBB protocol solves psync-BB protocol by definition, and directly solves a single-shot of BFT SMR. Hence,we will present upper bounds for psync-VBB, and the extension to a practical BFT SMR protocol can be found in ourcomplementary paper [5].We will also use
Byzantine agreement as a primitive to simplify the construction of our BB protocols under synchrony.The Byzantine agreement gives each party an input, and its validity requires that if all honest parties have the sameinput value, then all honest parties commit that value. In addition, due to clock skew, in our synchronous BB protocols,the honest parties may invoke the BA at times at most π apart from each other. Therefore, we need the BA primitive totolerate up to π clock skew. For instance, any synchronous lock-step BA can do so by using a clock synchronizationalgorithm [1, 12] to ensure at most Ξ clock skew, and setting each round duration to be 2 Ξ to enforce the abstraction oflock-step rounds. Our synchronous BB protocols in Figure 5, 6 and 9, 10 will use such a BA primitive. Good-case latency of broadcast.
As explained in Section 1, improving the latency performance of BFT SMR protocolsmotivates our investigation on the good-case latency of the family of Byzantine fault-tolerant broadcast protocols.Depending on the network model, the measurement of latency is different.Definition 6 (Good-case Latency under Synchrony).
A Byzantine broadcast (or Byzantine reliable broadcast)protocol has good-case latency of π under synchrony, if all honest parties commit within time π since the broadcasterstarts the protocol (over all executions and adversarial strategies), given the designated broadcaster is honest. To measure the latency of a partially synchronous protocol, we use the natural notion of synchronous rounds , followingpartially synchronous protocols like PBFT [11].Definition 7 (Good-case Latency under Partial Synchrony).
A partially synchronous Byzantine broadcastprotocol has good-case latency of π rounds under partial synchrony, if all honest parties commit within π synchronousround (over all executions and adversarial strategies), given the designated broadcaster is honest and after πΊππ . To measure the latency of an asynchronous protocol, we adopt the standard and natural notion of asynchronousrounds from the literature [10]. We defer the formal definitions to Appendix A.Definition 8 (Good-case Latency under Asynchrony).
A Byzantine reliable broadcast protocol has good-caselatency of π rounds under asynchrony, if all honest parties commit within asynchronous round π (over all executions andadversarial strategies), given the designated broadcaster is honest. The standard broadcast formulation for asynchrony is Byzantine reliable broadcast, which is solvable if and only if π β₯ π +
1. We show the tight lower and upper bound on the good-case latency of asynchronous BRB is 2 rounds.
BRB lower bound rounds under π > . This bound is almost trivial. The intuition is that if any BRB can guaranteea good-case latency of 1 round, then parties must commit after receiving from the broadcaster. In an execution wherethe broadcaster is Byzantine and equivocates, this will lead to safety violations.Theorem 4.
Any Byzantine reliable broadcast protocol that is resilient to π > faults must have a good-case latency ofat least rounds under asynchrony. Proof of Theorem 4. Suppose there exists a BRB protocol Ξ that has a good-case latency of 1 round, which meansthe honest parties can always commit after receiving all round-0 messages but before receiving any round-1 messages, ood-case Latency of Byzantine Broadcast: a Complete Categorization (1) Propose.
The designated broadcaster πΏ with input π£ sends β¨ propose , π£ β© to all parties.(2) Vote.
When receiving the first proposal β¨ propose , π£ β© from the broadcaster, send a vote message for π£ toall parties in the form of β¨ vote , π£ β© π .(3) Commit.
When receiving π β π signed vote messages for π£ , forward these vote messages to all otherparties, commit π£ and terminate. Fig. 1. -round-BRB Protocol with π β₯ π + if the designated broadcaster is honest. Let party π be the broadcaster, and divide the remaining π β π΄, π΅ each with β₯ π΄ ( π΅ ) to refer all the parties in π΄ ( π΅ ). Consider the followingthree executions of Ξ .(1) Execution 1. The broadcaster π is honest, and sends 0 to all parties in round 0. Since the broadcaster is honest,by validity and good-case latency, parties in π΄, π΅ will commit 0 after receiving all round-0 messages but beforereceiving any round-1 messages.(2) Execution 2. The broadcaster π is honest, and sends 1 to all parties in round 0. Since the broadcaster is honest,by validity and good-case latency, parties in π΄, π΅ will commit 1 after receiving all round-0 messages but beforereceiving any round-1 messages.(3) Execution 3. The broadcaster π is Byzantine, it sends 0 to parties in π΄ and 1 to parties in π΅ in round 0. Contradiction.
The set of round-0 messages received by π΄ from π΅ is identical in Execution 1 and 3 since the round-0messages only depend on the initial states. Therefore, the parties in π΄ cannot distinguish Execution 1 and 3 beforereceiving any round-1 message, and thus will commit 0 in Execution 3. Similarly, the parties in π΅ cannot distinguishExecution 2 and 3 before receiving any round-1 message, and will commit 1 in Execution 3. However, this violates theagreement property of BRB, and therefore no such protocol Ξ exists. β‘ The same proof also applies to an even weaker broadcast formulation named Byzantine consistent broadcast (BCB),where termination of all honest parties is required only when the broadcaster is honest.
BRB upper bound rounds under π β₯ π + . We show the tightness of the bound by presenting a trivial authenticatedprotocol 2-round-BRB, which has good-case latency of 2 rounds with π β₯ π + vote for the first valid proposal, each party waits for π β π vote messages for the same value to commit.Theorem 5. The -round-BRB protocol solves Byzantine reliable broadcast with π β₯ π + in the asynchronousauthenticated setting, and has optimal good-case latency of rounds. Proof.
Agreement.
If any two honest parties commit different values at Step 3, then by standard quorum intersectionargument, two sets of π β π vote messages must intersect at β₯ ( π β π ) β π β₯ π + vote for different values, a contradiction. Validity and Good-case Latency.
If the broadcaster is honest, it sends the same proposal of value π£ to all parties.Then all π β π honest parties will multicast the vote message for π£ . The Byzantine parties cannot make any honestparty to commit a different value since π < π β π . All honest parties will eventually commit π£ after receiving π β π vote messages at Step 3 and terminate. The commit latency is 2 rounds if the broadcaster is honest. Termination.
Suppose an honest party β commits π£ and terminates, its forwarded π β π vote messages for π£ willeventually lead all honest parties to commit and terminate. β‘ ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang In this section, we will present tight lower and upper bound results on the good-case latency of partially synchronouspartially synchronous Byzantine broadcast under different resilience guarantees. All the lower bound results are forauthenticated partially synchronous Byzantine broadcast, and all the upper bound results are for authenticated partiallysynchronous validated Byzantine broadcast. π β₯ π β , Matching Lower and Upper Bounds of Roundspsync-BB lower bound rounds under π > . Similar to the 2-round lower bound for asynchronous BRB, thisbound is also trivial and can be implied by a similar proof of Theorem 4, which we will omit for brevity.Theorem 6.
Any partially synchronous Byzantine broadcast protocol that is resilient to π > faults must have agood-case latency of at least rounds under partial synchrony. psync-VBB upper bound rounds under π β₯ π β . In this section, we present an authenticated partially synchro-nous validated Byzantine broadcast protocol with good-case latency of 2 rounds and only requires π β₯ π β ( π β ) -psync-VBB protocol is leader-based and follows the standard PBFT framework [11]. Asmentioned, it directly solves 2-round single-shot BFT, and an extension to BFT SMR can be found in our complementarypaper [5]. Our protocol is also optimal in terms of resilience, as we can show that any psync-BB protocol with π β€ π β Relation to the previous work [26].
The authors of FaB [26] propose a 2-round PBFT with π β₯ π + π β€ π cannot always commit within 2 round. However, Byzantine agreement with weak validity turns out to be aharder problem than a PBFT-style protocol that requires only external validity. Thus, we propose a new broadcastformulation named psync-VBB that abstracts a single-shot of BFT, and an authenticated protocol ( π β ) -psync-VBBthat solves psync-VBB with good-case latency of 2 rounds and optimal resilience π β₯ π β
1, which also directly solvessingle-shot of BFT. Our protocol refutes the optimality claim made in FaB [26].
Intuition.
Before presenting our protocol, it is helpful to briefly explain how FaB achieves 2-round commit with π = π + π£ is safe to be committed if it is voted by π β π = π + π + π + ( π + ) + ( π + ) β π = π + π£ . Since2 π + π +
1, the next leader can re-propose the majority value to ensure safety across different views.If we reduce the number of parties, i.e., π = π , then the set of 4 π view-change messages may contain two disjoint setsof 2 π messages supporting two different values respectively, and the next leader is unable to break the tie. Main observation: detecting leader equivocation with authentication.
Our protocol has good-case latency of 2 rounds,consisting 1 round of proposing and 1 round of voting. The main observation is that parties can detect the maliciousbehavior of the leader with authentication and thus further reduce the number of parties to π = π β
1. More specifically,leader equivocation can be detected by honest parties when they receive more than one value signed by the leader.Then, if any honest party detects that the leader is Byzantine, it can wait for one more view-change message from partiesother than the broadcaster . Therefore, the set of π β π = π β π β π messages from the honest parties. When any ood-case Latency of Byzantine Broadcast: a Complete Categorization The ( π β ) -psync-VBB protocol uses the following rule for certificate check. πΏ π€ is the leader for view π€ . Certificate Check. C is a valid certificate of view π€ iff it contains β₯ π β π is either β¨β₯ , π€ β© π , or β¨ π£, π€ β© πΏ π€ ,π where F ( π£ ) = π‘ππ’π . Moreover, C locks a value π£ β β₯ iff (1) it contains β₯ π β β¨ π£, π€ β© πΏ π€ ,π for any π β [ π ] , and no β¨ π£ β² , π€ β© πΏ π€ ,π for any π£ β² β π£, π β [ π ] , or(2) it contains β₯ π β¨ π£, π€ β© πΏ π€ ,π where π β πΏ π€ .For initialization, β is also a valid certificate of view 0, locking any externally valid value π£ β β₯ . Note that bydefinition, if C locks π£ β β₯ , it does not lock on any π£ β² β π£ . C ranks higher with a higher view number. Fig. 2. Certificate Check for ( π β ) -psync-VBB The protocol proceeds in view π€ = , , ... each with a leader πΏ π€ , and the first leader πΏ being the designatedbroadcaster. Each party keeps the highest certificate C β received, initialized as β . The parties will ignore anymessage for value π£ β β₯ that is not externally valid.(1) Propose.
The leader πΏ π€ sends β¨ propose , β¨ π£, π€ β© πΏ π€ , Sβ© πΏ π€ to all parties. If π€ =
1, then π£ is the input of theleader and S = β₯ ; otherwise π£, S are specified in the Status step.(2)
Vote.
Upon receiving the first proposal in the form of β¨ propose , β¨ π£, π€ β© πΏ π€ , Sβ© πΏ π€ from the leader πΏ π€ , if β’ π€ =
1, or β’ S is a valid certificate of view π€ β π£ , or β’ S contains 4 π β status messages of view π€ β β€ π€ β β₯ value, and the highest certificate in S locks π£ ,multicast a vote message in the form of β¨ vote , β¨ π£, π€ β© πΏ π€ ,π β© π .(3) Commit.
When receiving 4 π β vote messages of view π€ for the same value π£ , forwardthese 4 π β vote messages to all other parties, and commit π£ .(4) Timeout.
If not committed within 4 Ξ after entering view π€ , timeout view π€ , which means (1) if timeoutbefore voting, stop voting for view π€ and multicast β¨ timeout , β¨β₯ , π€ β© π β© π ; (2) if timeout after voting forvalue π£ , multicast β¨ timeout , β¨ π£, π€ β© πΏ π€ ,π β© π .(5) New View.
Upon receiving 4 π β timeout messages of view π€ β β₯ value signed by πΏ π€ β and the party, or receiving 4 π β timeout messages fromparties other than πΏ π€ β , perform the following.Forward these timeout messages, update C β if 4 π β π€ β π£ β β₯ , timeout view π€ β π€ . Send a status message in theform of β¨ status , π€ β , C β β© π to the leader πΏ π€ .(6) Status.
After entering view π€ and receiving 4 π β status messages of view π€ β C of view β€ π€ β β₯ value, the leader πΏ π€ sets a proof S and a proposalvalue π£ as follows: β’ If the status messages contain a valid certificate C of view π€ β
1, set S = C and the proposal to thevalue π£ that C locks. β’ Otherwise, set S to be the set of 4 π β status messages of view π€ β π£ that the highest valid certificate in S locks. Fig. 3. ( π β ) -psync-VBB Protocol with good-case latency of rounds honest party commits π£ by receiving π β π = π β π£ , at least 3 π β π£ . Duringview-change, honest party either receives 4 π β β₯ ( π β ) β π β π = π β π£ and no message for other values, or detect leader equivocation. For the latter case, the set of view-change messagesmust contain at least 3 π + ( π β ) β ( π β ) = π messages from the honest parties who voted for π£ , which is themajority and any honest party can thus lock on π£ during view change. ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang Certificate check.
The observation above partly explains the intuition of the certificate check in Figure 2, whichdefines a valid certificate that locks a value for view-change. When a value π£ is committed at any honest party, to ensureagreement, we want all honest parties to lock π£ after receiving a valid certificate and only vote for π£ in any futureviews. A valid certificate C of view π€ consists of at least 4 π β β₯ ) and a viewnumber π€ , from different parties. For brevity, we will just call them signed values. The signed values are from the vote messages (Step 2) or timeout messages (Step 4) of the ( π β ) -psync-VBB protocol. A valid certificate C locks a value π£ β β₯ when there may be some honest party that already commits π£ , and thus any honest party that receives such C should lock on value π£ for agreement. Similar to the earlier argument, if any value π£ is committed, there must be β₯ π β π£ and signed π£ . If C contains only one value signed by the leader πΏ π€ of view π€ ,then C must contain at least 2 π β β¨ π£, π€ β© . Otherwise, if C contains more than one value signed by the leader πΏ π€ , then πΏ π€ is Byzantine as it equivocated, and C should contain 4 π β πΏ π€ , andthus at least 2 π signed β¨ π£, π€ β© , which is the majority. Therefore, any honest party will lock on π£ when receiving a validcertificate C that locks π£ , since π£ may have been committed by some honest parties. Protocol description.
The protocol proceeds in views starting from 1, each view has a designated leader (by round-robin for instance), and the first leader is the designated broadcaster. Each party locally keeps the highest certificate C it has ever seen, which is β initially. Except for view 1, each party enters a new view π€ in Step 5 by gathering4 π β timeout messages of view π€ β timeout messages is to ensure that all honest parties will lock on the value π£ if any honest party hascommitted π£ . Thus, if detect equivocation of the previous leader, the party will wait for one more timeout messagefrom other parties. Then, if the received 4 π β timeout messages form a valid certificate that locks any value π£ β β₯ ,the party updates its highest certificate C . The party also timeouts the old view (as defined in Step 4), enters the newview and sends a status message with C . The broadcaster, who is also the leader of view 1, can just propose its inputas the proposal. For any other leader of view β₯
2, it can propose a value and a proof based on the set of 4 π β status messages received. If its highest certificate C is updated in Step 5, meaning possibly some honest party has committeda value in the previous view, the leader proposes the same value and its C to ensure agreement. Otherwise, the leadersets the proposal to be the value locked by the highest certificate among the status messages received, and attachesall these status messages as a proof. After receiving the proposal, each party will check if the proposed value andthe proof are produced according to the above steps, and multicast a vote message for the value in Step 2 if the checkpasses. When receiving 4 π β π£ , the party forwards these votes and commit π£ . Otherwise, ifthe party does not commit within 4 Ξ time after entering view π€ , which means either the network is bad or the leaderis Byzantine, it will timeout the current view by sending a timeout message. If the party timeouts after voting forsome value π£ , it sends timeout message with the value π£ , otherwise it sends timeout message with β₯ . When enough timeout messages are collected, the party enters the new view π€ +
1, as in Step 5.
Proof of Correctness.
The correctness proof can be found in Appendix B.1. π + β€ π β€ π β , Matching Lower and Upper Bounds of Rounds
Recall that psync-BB solves a single-shot of BFT SMR under partial synchrony, hence psync-BB is solvable if and only if π β₯ π + π β₯ π + π + β€ π β€ π β
2, we show a lower bound of 3 rounds on its good-case latency using standard indistinguishabilityarguments. This is tight given the PBFT protocol [11] solves psync-VBB with good-case latency of 3 rounds and π β₯ π + ood-case Latency of Byzantine Broadcast: a Complete Categorization Theorem 7.
Any authenticated partially synchronous Byzantine broadcast that is resilient to π β₯ ( π + )/ faults musthave a good-case latency of at least rounds under partial synchrony. Proof. The proof is illustrated in Figure 4. Suppose there exists a psync-BB protocol Ξ that has good-case latency of2 rounds under π β€ π β
2. By definition, when the broadcaster is honest and the network is synchronous ( πΊππ = ) , Ξ ensures all honest parties commit after delivering all round-0 and round-1 messages, even if any round-2 message is notdelivered yet. Divide π β€ π β π , and five disjoint groups π΄, π΅, πΆ, π·, πΈ where
π΄, πΆ, π· havesize β€ π β π΅, πΈ have size π . For brevity, we will often use a group to refer to all the parties in that group. We willconstruct the following 5 executions. In all constructed executions, all messages are delivered by the recipient after Ξ time by default, and we will explicitly specify the messages that are delayed by the adversary due to asynchrony. Also,we focus on the messages between different groups, and assume by default the party sends and delivers any messagewithin its group as well.(1) Execution 1. The network is synchronous ( πΊππ = π parties in πΈ are Byzantine that only send round-0 messages faithfully to π΅, πΆ, π· and no message to π΄ . Since thebroadcaster is honest, by the good-case latency guarantee and validity, π΄, π΅, πΆ, π· commit 0 within 2 rounds afterdelivering all round-0 and round-1 messages.(2) Execution 5. Symmetric to Execution 1, the network is synchronous (
πΊππ = π parties in π΅ are Byzantine that only send round-0 messages faithfully to πΆ, π·, πΈ and no message to π΄ . By the good-case latency guarantee and validity, π΄, πΆ, π·, πΈ commit 1 within 2 rounds afterdelivering all round-0 and round-1 messages.(3) Execution 3. The network is synchronous (
πΊππ = π΅, πΆ , and 1 to
π·, πΈ .Then the broadcaster behaves to
π΅, πΆ the same way as the broadcaster to
π΅, πΆ in Execution 1, and behaves to
π·, πΈ the same way as the broadcaster to
π·, πΈ in Execution 5. The π β π΄ are Byzantine and only send round-0messages faithfully to π΅, πΆ, π·, πΈ . By termination,
π΅, πΆ, π·, πΈ eventually commit some value.(4) Execution 2. The network is asynchronous before
π΅, πΈ commit (
πΊππ comes after
π΅, πΈ commit). The broadcaster isByzantine; it sends 0 to
π΄, π΅, πΆ , and 1 to πΈ . Then the broadcaster behaves to π΄, π΅, πΆ the same way as the broadcasterto
π΄, π΅, πΆ in Execution 1, and behaves to πΈ the same way as the broadcaster to πΈ in Execution 5. The π β π· are Byzantine; they behave to π΄ the same way as π· to π΄ in Execution 1, and behave to the others the same wayas π· to the others in Execution 3. Any message other than round-0 messages from π΄ to the rest of the parties isdelayed indefinitely until πΊππ . Any message from πΈ to π΄ is delayed indefinitely until πΊππ .(5) Execution 4. Symmetric to Execution 2, the network is asynchronous before
π΅, πΈ commit (
πΊππ comes after
π΅, πΈ commit); the broadcaster is Byzantine; it sends 0 to π΅ , and 1 to π΄, π·, πΈ . Then the broadcaster behaves to
π΄, π·, πΈ thesame way as the broadcaster to
π΄, π·, πΈ in Execution 5, and behaves to π΅ the same way as the broadcaster to π΅ inExecution 1. The π β πΆ are Byzantine; they behave to π΄ the same way as πΆ to π΄ in Execution 5, and tothe others the same way as πΆ to the others in Execution 3. Any message other than round-0 messages from π΄ torest of the parties is delayed indefinitely until πΊππ . Any message from π΅ to π΄ is delayed indefinitely until πΊππ .We show the following indistinguishability and contradiction. β’ π΄ cannot distinguish Execution 1 and 2 after delivering all round-0 and round-1 messages but before delivering anyround-2 message. β First we show that any round-0 or round-1 message from
π΅, πΆ is identical in both executions. Any round-0 messageonly depends on the partyβs initial state, thus is identical since
π΅, πΆ are honest. Any round-1 message depends ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang B C A D EB,C,A,D commit 0 in 2 roundsExecution 1f f-1 f-1 f-1 fs send 0 to allB C A D EExecution 2f f-1 f-1 f-1 fs 1000A cannot distinguish B C A D EExecution 3f f-1 f-1 f-1 fs 1100 B C A D EExecution 4f f-1 f-1 f-1 fs 11 10A cannot distinguishB, E cannot distinguish Execution 2,3,4 B C,A,D,E commit 1 in 2 roundsExecution 5f f-1 f-1 f-1 fs send 1 to allA commit 0 in 2 rounds and B,E commit 0 A commit 1 in 2 rounds and B,E commit 1send round-r message to allsend round-r message to all except P r P r0 A send round-r message to all, butmessage to P is delayed indefinitely r P A A A A C A D E A P honest parties in group PP Byzantine parties in group P
Fig. 4. psync-BB Lower Bound: rounds with π = π β . Dotted circles denote Byzantine parties. In Execution 1 (5), the network issynchronous ( πΊππ = ), πΈ ( π΅ ) are Byzantine and only send round- messages faithfully to rest of the parties except π΄ . In Execution 3,the network is synchronous ( πΊππ = ), π΄ are Byzantine and only send round- messages faithfully to rest of the parties. In Execution2 (4), the network is asynchronous before π΅, πΈ commits, messages from π΄ after round 0 are delayed indefinitely until πΊππ , andmessages from πΈ ( π΅ ) to π΄ are delayed indefinitely until πΊππ . on the round-0 messages the party delivers. In the two executions, the broadcaster sends the same value of 0 to π΅, πΆ , and
π΄, π·, πΈ all follow the protocol to send the same round-0 messages to
π΅, πΆ , so
π΅, πΆ send the same round-1messages to π΄ . β For π· and the broadcaster, in Execution 2, the Byzantine parties in π· and the broadcaster behave identically to π΄ as in Execution 1. For πΈ , no message from πΈ is delivered by π΄ in both executions.Since π΄ is honest and delivers identical round-0 and round-1 messages in Execution 1 and 2, π΄ cannot distinguishExecution 1 and 2 before delivering any round-2 message. Since π΄ commits 0 in Execution 1, π΄ also commits 0 inExecution 2. Then by agreement and termination, π΅, πΆ, πΈ also commit 0 in Execution 2. β’ Similar to the argument above, π΄ cannot distinguish Execution 4 and 5 after delivering all round-0 and round-1messages but before delivering any round-2 message. Therefore, π΄, π΅, π·, πΈ also commit 1 in Execution 4. β’ π΅, πΈ cannot distinguish Execution 2 and 3. For π΄ , in both executions any party not in π΄ only delivers the same round-0messages from π΄ . For π· and broadcaster, in Execution 2, they behave identically as in Execution 3. Since π΅, πΆ, πΈ arehonest, they will behave identically in both executions. Therefore,
π΅, πΈ cannot distinguish Execution 2 and 3, andwill eventually commit both executions to satisfy termination. Since π΄ commit 0 in Execution 2, π΅, πΈ will eventuallycommit 0 in Execution 2 by agreement, and thus commit 0 in Execution 3 as well. β’ Similar to the argument above,
π΅, πΈ cannot distinguish Execution 4 and 3, and will eventually commit 1 in Execution3.We proved that
π΅, πΈ commit both 0 and 1 in Execution 3, contradiction. Hence such a protocol Ξ cannot exist. β‘ ood-case Latency of Byzantine Broadcast: a Complete Categorization In this section, we present lower and upper bound results for broadcast under synchrony. To strengthen the results,we prove all the lower bounds for Byzantine reliable broadcast (thus also apply to Byzantine broadcast), and all theupper bounds for Byzantine broadcast (thus also apply to Byzantine reliable broadcast). Furthermore, all lower boundresults assume synchronized start, and all upper bound results assume unsynchronized start, except for the case of π / < π < π / π < π / π = π / π / < π < π / < π < π / , Matching Lower and Upper Bounds of πΏ Theorem 8.
Any Byzantine reliable broadcast protocol that is resilient to π > faults must have a good-case latency atleast πΏ , even with synchronized start. For the lower bound, early-stopping result [13] implies any BB protocol must have good-case latency of 2 πΏ , and herewe slightly strengthen the result for BRB. Intuitively, it takes at least πΏ to receive from the broadcaster and another πΏ for parties to exchange the proposal received from the broadcaster, otherwise parties may commit in different valuesunder a Byzantine broadcaster if the good-case latency is < πΏ .For a matching upper bound, the protocol relies on the standard quorum intersection technique. The parties vote forthe first proposal they received, and commit within 2 πΏ time if they receive π β π votes on the same value. By quorumintersection, there cannot be π β π votes on different values. Otherwise, a BA is used to guarantee agreement when thebroadcaster is Byzantine. Details can be found in Appendix C.1. π = π / , Matching Lower and Upper Bounds of Ξ + πΏ BRB lower bound Ξ + πΏ under synchronized start and π β₯ π / . Based on the Ξ lower bound proof for BB in [2], weshow a more accurate lower bound of Ξ + πΏ on the good-case latency for BRB using similar proof techniques. Intuitively,since π β₯ π /
3, the adversary can split the honest parties into two disjoint groups, each with a different proposed valuefrom the Byzantine broadcaster. If a protocol can commit before Ξ + πΏ , the two groups will commit conflicting valuesbefore Ξ + πΏ , which is before they communicate any information about the broadcasterβs proposed value. Details can befound in Appendix C.2.Theorem 9. Any Byzantine reliable broadcast protocol that is resilient to π β₯ π / faults must have a good-case latencyat least Ξ + πΏ , even with synchronized start. BB upper bound Ξ + πΏ under unsynchronized start and π = π / . To show that Ξ + πΏ is the tight good-case latencybound for the case of π = π /
3, we show such a BB protocol in Figure 5, with correctness proof in Appendix C.2.Each party starts the protocol at most π = Ξ time part with a local clock starting at 0. The broadcaster first multicastsits proposed value, and any party that receives the first valid proposal will vote for the proposal. Meanwhile, the partyalso starts a timer to wait for Ξ time for equivocation detection. If the party detects no different value signed by thebroadcaster during the above Ξ waiting period, it may commit earlier as follows. When the party receives π β π votes forthe same value π£ , it forwards these votes, and if the local time is β€ Ξ + π when receiving the votes, the party commitsand locks the value, and multicasts a commit message. At time 3 Ξ + π , each party checks the set of votes it received. ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang Initially, every party π starts the protocol at most π = Ξ time apart with a local clock and sets lock = β₯ .(1) Propose.
The designated broadcaster πΏ with input π£ sends β¨ propose , π£ β© πΏ to all parties.(2) Vote.
When receiving the first valid proposal β¨ propose , π£ β© πΏ from the broadcaster, send a vote to all partiesin the form of β¨ vote , β¨ propose , π£ β© πΏ β© π where π£ is the value of the proposal. Set vote-timer to Ξ and startcounting down.(3) Commit.
When vote-timer reaches 0, if the party detects no equivocation, it does the following: Whenreceiving π β π signed votes for π£ , forward these π β π votes to all other parties. If the π β π votes for π£ are received before local time 2 Ξ + π , commit π£ , set lock = π£ and send β¨ commit , π£ β© π to all parties.(4) Lock and Byzantine agreement.
At local time 3 Ξ + π , if the party receives π β π signed votes for onlyone value π£ , it sets lock = π£ . Otherwise, if two sets of π β π signed votes for different values are received,let F be the set of parties in the intersection of these two vote sets. If the party receives β¨ commit , π£ β© π fromany party that is not in F , it commits π£ and set lock = π£ .Then, invoke an instance of Byzantine agreement with lock as the input. If not committed, commit onthe output of the Byzantine agreement. Terminate. Fig. 5. ( Ξ + πΏ ) - π / -BB Protocol with π β€ π / If the party receives π β π votes for one value, it locks that value. Otherwise, if there exist two sets of π β π votes ondifferent values, the parties in the intersection of the two sets must be all Byzantine since they voted for two values.Hence, an honest party can identify all the Byzantine parties and commit and lock the same value from honest parties.Then, all the parties participate in an instance of BA with input lock , and commit the output if they havenβt committed.Observe that π = π / π Byzantine parties will expose themselves if they try to double voteand make different honest parties lock on different values. As we will show next in Section 5.3 and 5.4, if the number offaults exceeds π /
3, the tight bound of good-case latency becomes dependent on the clock synchronization assumption. π / < π < π / and Synchronized Start, Matching Lower and Upper Bounds of Ξ + πΏ For π / < π < π /
2, the tight bound of good-case latency depends on the assumption on clock synchronization. If allhonest parties start the protocol at the same time and have synchronized clocks ( π = Ξ + πΏ by Theorem 9 from the previous section and Theorem 18 in this section. Otherwise, if there exists a clock skew of π β₯ . πΏ , the tight bound becomes Ξ + . πΏ by Theorem 10 and 11 later in Section 5.4. BRB lower bound Ξ + πΏ under synchronized start and π β₯ π / . See Theorem 9.
BB upper bound Ξ + πΏ under synchronized start and π < π / . Now we present a protocol ( Ξ + πΏ ) -BB that worksunder π < π / Ξ + πΏ . The protocol is presented inFigure 6. Every party locally sets its lock to be some default value β₯ and its rank = Ξ +
1, and starts the protocolsimultaneously at time 0. The broadcaster first multicasts its proposal, and any party that receives the first valid proposalat time π β€ Ξ will multicast a vote for the proposal containing the time π . When receiving π + π£ , if there exists a π‘ β [ , Ξ ] such that the party detects no equivocation within time π‘ + Ξ and all π + π β€ π‘ , the party can commit π£ and forward these votes. Otherwise, the party updates its lock if receiving π + Ξ with input lock , and committhe output of the BA if have not committed. The correctness proof can be found in Appendix C.3. ood-case Latency of Byzantine Broadcast: a Complete Categorization Initially, every party π starts the protocol at the same time from 0, sets lock = β₯ and rank = Ξ + Propose.
The designated broadcaster πΏ with input π£ sends β¨ propose , π£ β© πΏ to all parties.(2) Vote.
When receiving the first valid proposal β¨ propose , π£ β© πΏ from the broadcaster at time π where π β€ Ξ ,send a vote in the form of β¨ vote , π, β¨ propose , π£ β© πΏ β© π to all parties.(3) Commit and Lock.
For any π‘ β [ , Ξ ] , if party π detects no equivocation within time π‘ + Ξ , and receives π + vote messages for the same value π£ each with π β€ π‘ , party π commits π£ and forward these π + vote messages.For any π‘ β [ , Ξ ] , within time 2 Ξ + π‘ , if receive π + vote messages for the same value π£ eachwith π β€ π‘ , and rank > π‘ , update lock = π£ and rank = π‘ .(4) Byzantine agreement.
At time 4 Ξ , invoke an instance of Byzantine agreement with lock as the input.If not committed, commit on the output of the Byzantine agreement. Terminate. Fig. 6. ( Ξ + πΏ ) -BB Protocol with π < π / and synchronized start π / < π < π / and Unsynchronized Start, Matching Lower and Upper Bounds of Ξ + . πΏ Interestingly, when the clocks at each party are not perfectly synchronized and the parties therefore do not start theprotocol at the same time, the tight bound for good-case latency increases when the number of faults is π / < π < π / Ξ + . πΏ under unsynchronized start, which consists a 1 . πΏ term which is not ainteger multiple of πΏ . This is perhaps the most interesting and surprising result of this paper, as it involves a protocolthat is very different from conventional ones whose latency have always been an integer multiple of the message delay. BRB lower bound Ξ + . πΏ under unsynchronized start and π > π / . We first present the lower bound result thatshows no BRB protocol can have good-case latency less than Ξ + . πΏ under unsynchronized start and π > π / Any Byzantine reliable broadcast protocol with unsynchronized start and is resilient to π > π / faultsmust have a good-case latency at least Ξ + . πΏ . Proof Sketch. Illustrated in Figure 7, and the complete proof can be found in Appendix C.4. Suppose there exists aBRB protocol that has good-case latency < Ξ + . πΏ under π < π . As mentioned in Section 2, we assume the clock skew π = . πΏ due to the lower bound for clock skew [6]. We can construct 4 executions as follows, and use the standardindistinguishability argument to derive contradictions. We divide the parties into 5 groups π΄, π΅, πΆ of size β€ π β π, β of size 1 each. The Byzantine parties are denoted by the dotted circles in the figure. The broadcaster is someparty in π΅ .In execution E1 with actual message delay bound πΏ , the broadcaster is honest and sends 0 at global time 0, which isreceived by all parties at global time πΏ . By assumption, honest parties in π, π΄, π΅ commit 0 before global time Ξ + . πΏ .Byzantine parties in πΆ pretends that it starts the protocol 0 . πΏ time later.In execution E2 with actual message delay bound Ξ , the broadcaster is Byzantine, and sends 0 to π, π΄ and 1 to πΆ . Thehonest parties in πΆ start the protocol 0 . πΏ time later due to the clock skew, and receive 1 from the broadcaster at localtime πΏ and global time 1 . πΏ . Moreover, any message from πΆ to π has delay Ξ . Therefore, before global time Ξ + . πΏ , π cannot learn the fact that πΆ receive from the broadcaster . We can carefully construct the executions such that π cannotdistinguish E1 and E2 before global time Ξ + . πΏ , and will commit 0 in E2 as well. ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang g1 Af-1 Bf-1 Cf-1 hf-1 g, A, B commit 0 at < β + 1.5πΏ E1: honest broadcaster sends 0 β0.5πΏπΏ g1 Af-1 Bf-1 Cf-1 h1 h, B, C commit 1 at < β + 1.5πΏ
E4: honest broadcaster sends 1 β0.5πΏπΏ late lateg1 Af-1 Bf-1 Cf-1 h1 g commit 0 at < β + 1.5πΏ , A,C commit 0E2: Byz broadcaster β0.5πΏπΏ late0 0 10 1 g1 Af-1 Bf-1 Cf-1 h1 h commit 1 at < β + 1.5πΏ , B,C commit 1E3: Byz broadcaster β0.5πΏπΏ late 1 10 10 indistinguishable to g at < β + 1.5πΏ indistinguishable to h at < β + 1.5πΏ indistinguishable to A,C
Fig. 7. Illustration of the proof sketch for the Ξ + . πΏ lower bound. Executions E3 and E4 are the symmetric case of executions E2 and E1, respectively. In E4, broadcaster is honest andsends 1, and β, π΅, πΆ commits 1 before global time Ξ + . πΏ . In E3, broadcaster is Byzantine, but β cannot learn that beforecommit since the equivocating message from π΄ reaches β at global time Ξ + . πΏ , as π΄ starts the protocol 0 . πΏ time laterdue to clock skew. Similarly, β cannot distinguish E3 and E4 before global time Ξ + . πΏ , and will commit 1 in E3 as well.The last step to complete the proof is to show that π΄, πΆ cannot distinguish E2 and E3. The intuition is that, with the π β π΅ equivocating to π΄ and πΆ , the honest parties in π΄, πΆ cannot decide between π and β whichis the honest party that actually commits. Also, the message delays between π΄, πΆ , and all pairs of honest parties arecontrolled by the adversary, such that the honest parties in
π΄, πΆ cannot tell which of them start the protocol 0 . πΏ timelater than the rest. For instance, the adversary can make the delay from πΆ to π΄ to be Ξ β πΏ in E2 and Ξ in E3. Then, thedifferences in the delays compensate the differences in when π΄, πΆ start their protocol. Once we proved that
π΄, πΆ cannotdistinguish E2 and E3, the contradiction is obvious, as they have to commit 0 in E2 and commit 1 in E3. β‘ Ξ + . πΏ is a tight lower bound due to the matching (and surprising) upper bound. But we also provide some intuitionbelow on why Ξ + . πΏ is the best lower bound we can prove using the above approach. Suppose we try to use theabove construction to prove a lower bound of Ξ + . πΏ , then in E1 and E2, πΆ have to start the protocol 0 . πΏ time late;otherwise π is able to distinguish E1 and E2 before its commit at time Ξ + . πΏ . Similarly in E4 and E3, π΄ have to startthe protocol 0 . πΏ time late. Then, in order to have E2 and E3 indistinguishable to π΄ and πΆ , the message delays between π΄, πΆ must compensate for the 0 . πΏ clock skew. Since the message delay π from πΆ to π΄ must be β€ Ξ in E3, the messagedelay π from πΆ to π΄ in E2 must be π = π β Γ ( . πΏ ) β€ Ξ β . πΏ . The message delay from π΄ to π in E2 is β€ πΏ in bothE1 and E2. Then, π in E2 can learn that πΆ received 1 from the broadcaster via the forwarded messages from π΄ , beforetime 1 . πΏ + π + πΏ β€ Ξ + . πΏ . Thus, E1 and E2 are no longer indistinguishable to π . ood-case Latency of Byzantine Broadcast: a Complete Categorization π‘ π‘ + Ξ β . π π‘ + Ξ + . π π‘ β² π‘ + Ξ β . π β² ΞΞ π‘ + Ξ π‘ π‘ β² + Ξ π‘ β² Ξ forward π£ β² vote π£ forward π£ Ξ will not vote π£ β² forward π£ forward π£ β² vote π£ will not vote π£ β² ( Ξ + πΏ ) -BB [4] ( Ξ + . πΏ ) -BB Fig. 8. Intuition of the ( Ξ + . πΏ ) -BB Protocol. BB upper bound Ξ + . πΏ under unsynchronized start and π < π / . Now, we show the bound Ξ + . πΏ is tightunder unsynchronized start, by presenting the protocol ( Ξ + . πΏ ) -BB in Figure 9. Intuition.
Before presenting the details of our protocol, we would like to provide the intuition of the state-of-the-artBB protocol with good-case latency Ξ + πΏ from [4], and how our protocol improves the result to the optimal Ξ + . πΏ , asillustrated in Figure 8. The key insight of the ( Ξ + πΏ ) -BB is to use a Ξ time waiting window for equivocation detectionbefore voting, so that no two honest parties will vote for different values. More specifically, when receiving the proposedvalue from the broadcaster, the party forwards the proposal and waits for a time of Ξ . If no conflicting value is receivedduring the Ξ period, the party votes for the value. As shown in Figure 8, the forwarded value π£ from the first honestparty will reach all other honest parties within their Ξ period and thus prevents them from voting for a different value π£ β² . Since no two honest parties vote for different values, there can be at most one value with a certificate ( π + Ξ period ends, there may be honest parties voting fordifferent values before they detect equivocation. Then certificates for different values will be formed since π Byzantineparties can double vote, and honest parties cannot tell which is the value that has been actually committed.One novelty of our ( Ξ + . π ) -BB is to break such indistinguishability, by allowing parties to βearly voteβ with aparameter π that βguessesβ the value of πΏ , and ranking the certificates by the value of π (a smaller π ranks higher).So in our protocol, though honest parties may vote for different values, only the one with the highest rank will win,and we will guarantee that the certificate for any committed value always has the highest rank. More specifically, forany value π β [ , Ξ ] , after Ξ β . π time since receiving the proposed value π£ , parties send a vote containing π and π£ , if no equivocation has been detected so far. Then, if π + π and the same value π£ are received, and no equivocation is detected for Ξ + . π time since receiving π£ , a party can commit π£ . Our protocolguarantees that no honest party can vote for any other value π£ β² β π£ with a parameter π β² β€ π (Lemma 1). The intuitionis that, as shown in Figure 8, if the second honest party receives the proposal π£ β² no later than some time threshold, itsforwarded proposal will stop the first honest party from committing π£ . But if the second honest party receives π£ β² laterthan the time threshold, the forwarded proposal of π£ from the first honest party will stop it from sending any voteswith parameter π β² β€ π due to detecting equivocation. Our construction guarantees a good-case latency of Ξ + . πΏ .When the broadcaster is honest, all honest parties receive the value within time πΏ , send vote with π = πΏ within time πΏ + Ξ β . πΏ , and receive π + πΏ + Ξ β . πΏ + πΏ = Ξ + . πΏ . For voteswith π > πΏ , parties can only commit at time πΏ + Ξ + . π by our protocol, which leads to a latency > Ξ + . πΏ . For voteswith π < πΏ , π + Ξ β . π may not be received by all honest parties at time Ξ + . π , as themessage delay πΏ > π . It should be noted even if parties βguessβ the value of πΏ wrong, the protocol always guaranteesagreement, termination, validity, and the optimal good-case latency of Ξ + . πΏ . ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang Initially, every party π starts the protocol at most π = Ξ time apart with a local clock from 0, sets direct-rcv = π πππ π , lock = β₯ and rank = Ξ + Propose.
The designated broadcaster πΏ with input π£ sends β¨ propose , π£ β© πΏ to all parties.(2) Forward.
When receiving the first valid proposal β¨ propose , π£ β© πΏ from party π at local time π‘ ππππ , forwardthe proposal to all parties. If π = πΏ and π‘ ππππ β€ Ξ + π , set direct-rcv = π‘ππ’π .(3) Vote.
For every π β [ , Ξ ] a , at local time π‘ ππππ + Ξ β . π , if the party detects no equivocation, it sends a vote in the form of β¨ vote , π, β¨ propose , π£ β© πΏ β© π to all parties.(4) Commit and Lock.
When receiving π + vote messages of the same π and π£ at local time π‘ π£ππ‘ππ ,forwards these π + vote messages and performs the following:(a) If π‘ π£ππ‘ππ β π‘ ππππ β€ Ξ + . π , detect no equivocation until local time π‘ ππππ + Ξ + . π , and direct-rcv = π‘ππ’π ,commit π£ .(b) If π‘ π£ππ‘ππ β π‘ ππππ β€ . Ξ and rank > π , update lock = π£ and rank = π .(5) Byzantine agreement.
At local time 6 . Ξ + π , invoke an instance of Byzantine agreement with lock as the input. If not committed, commit on the output of the Byzantine agreement. Terminate. a The protocol is purely theoretical as the message complexity is unbounded. Its purpose is just to show the tightness of the Ξ + . πΏ bound. Fig. 9. ( Ξ + . πΏ ) -BB Protocol with π / β€ π < π / and unsynchronized start. Protocol description.
Initially, each party sets lock = β₯ , rank = Ξ +
1, a flag direct-rcv = π πππ π , and starts theprotocol at time at most π = Ξ apart with its local clock starting from 0. The broadcaster first multicasts its proposedvalue, and all parties forward the first valid proposal received. If the party receives the first valid proposal from thebroadcaster at local time π‘ ππππ and π‘ ππππ β€ Ξ + π , it sets the flag direct-rcv = π‘ππ’π . For every π β [ , Ξ ] , after Ξ β . π time since the proposal is received, the party multicasts a vote with parameter π if no equivocation is detected sofar. When receiving π + vote with the same value of π and the same value π£ at time π‘ π£ππ‘ππ , the party forwards these vote messages and checks the following to commit or lock. If the time between receiving the votes and the proposal is β€ Ξ + . π , and no equivocation is detected until local time π‘ ππππ + Ξ + . π , and the party receives the proposal fromthe broadcaster ( direct-rcv = π‘ππ’π ), the party commits π£ . If the time between receiving the votes and the proposal is β€ . Ξ , and its rank > π , the party updates its lock and rank. Finally, at local time 6 . Ξ + π , the parties participate inan instance of BA with input lock , and commit the output if have not committed. Correctness of the ( Ξ + . πΏ ) -BB Protocol. In the proof, we use local time to refer the time indicated by the localclock at each party, and global time to refer the time indicated by some global clock.Lemma 1.
If an honest party commits some value π£ at Step 4a by receiving π + vote messages of the same value of π β [ , Ξ ] and π£ , then (1) no honest party sends vote with π β² β€ π for any π£ β² β π£ , (2) no honest party commits π£ β² β π£ atStep 4, and (3) all honest parties have lock = π£ when invoking the BA at Step 5. Proof.
Part (1).
Suppose on the contrary that an honest party β receives π + vote messages of the same π, π£ andthen commits π£ at Step 4a at global time π‘ , and some honest party β β² sends vote with π β² β€ π for some value π£ β² β π£ . If β β² receives the proposal of π£ β² at global time β€ π‘ β Ξ , then its forwarded proposal reaches β at global time β€ π‘ , and willstop β from committing π£ due to detecting equivocation. Hence β β² receives the proposal of π£ β² at global time > π‘ β Ξ .Since β commits π£ at local time β₯ π‘ ππππ + Ξ + . π and at global time π‘ , it receives the proposal of π£ and forwards itto all parties at local time π‘ ππππ and at global time β€ π‘ β Ξ β . π . Thus, the forwarded proposal of π£ will reach β β² at global time β€ π‘ β Ξ β . π + Ξ = π‘ β . π . Since β β² receives the proposal of π£ β² at global time > π‘ β Ξ and localtime π‘ β² ππππ , when β β² receives the forwarded proposal of π£ from β at global time β€ π‘ β . π , its local time should be ood-case Latency of Byzantine Broadcast: a Complete Categorization < π‘ β² ππππ + ( π‘ β . π ) β ( π‘ β Ξ ) = π‘ β² ππππ + Ξ β . π β€ π‘ β² ππππ + Ξ β . π β² where π β² β€ π . Therefore, β β² will not send any vote with π β² β€ π for any value π£ β² β π£ , since it detects equivocation within local time π‘ β² ππππ + Ξ β . π β² . This is a contradictionand thus no honest party sends vote with π β² β€ π for any π£ β² β π£ . Part (2).
Suppose on the contrary that an honest party β commits π£ at Step 4a at global time π‘ , and some honestparty β β² commits π£ β² β π£ at Step 4a. Similar to Part (1), β β² must receive the proposal of π£ β² at global time > π‘ β Ξ ,otherwise β will receive the proposal of π£ β² and not commit π£ . Also, the forwarded proposal of π£ from β will reach β β² at global time β€ π‘ β Ξ β . π + Ξ = π‘ β . π , thus the local time at β β² when receiving the proposal of π£ is < π‘ β² ππππ + ( π‘ β . π ) β ( π‘ β Ξ ) = π‘ β² ππππ + Ξ β . π β€ π‘ β² ππππ + Ξ + . π β² for any π β² β [ , Ξ ] . Hence, β β² will not commit π£ β² atStep 4 due to the detection of equivocation. This is a contradiction and thus no honest party commits π£ β² β π£ at Step 4. Part (3).
Any two honest parties receive the first valid proposal at most Ξ time apart, since the first honest partythat receives the proposal will forward it to all other parties, and the forwarded proposal will arrive within time Ξ .After the honest party β commits some value π£ at Step 4a when π‘ π£ππ‘ππ β π‘ ππππ β€ Ξ + . π , all honest parties receives the π + vote with π messages forwarded by this honest party within Ξ time. Therefore, when receiving the π + vote messages with π , any party has π‘ π£ππ‘ππ β π‘ ππππ β€ Ξ + . π + Ξ β€ . Ξ .Since an honest party β commits π£ at Step 4a, it has direct-rcv = π‘ππ’π and receives the proposal from the broadcasterat local time β€ Ξ + π . Then, its forwarded proposal reaches all other parties at their local time β€ Ξ + π , since themessage delay is bounded by Ξ and local clocks at any two parties have skew β€ π . Since π‘ ππππ β€ Ξ + π at any party,any party has π‘ π£ππ‘ππ β€ π‘ ππππ + . Ξ β€ . Ξ + π , and thus will not invoke the BA at Step 5 before setting the lock .Moreover, by Part (1), no honest party sends any vote with π β² β€ π for any π£ β² β π£ , there exists no π + vote with π β² β€ π for any π£ β² β π£ . Hence all honest parties set lock = π£ at Step 4b and will not change the lock . β‘ Theorem 11. ( Ξ + . πΏ ) -BB protocol solves Byzantine broadcast under π / < π < π / faults in the synchronousauthenticated setting, and has optimal good-case latency of Ξ + . πΏ . Proof.
Agreement.
If all honest parties commit at Step 5, all honest parties commit on the same value due to theagreement property of the BA. Otherwise, there must be some honest party that commits at Step 4. By Lemma 1, nohonest party commits π£ β² β π£ at Step 4 and all honest parties set lock = π£ at Step 5. Since all honest parties input π£ tothe BA, by the validity of BA, the output of BA is π£ , so any honest party that has not committed will commit π£ . Termination.
According to the protocol, honest parties invoke a BA instance at local time 6 . Ξ + π , and terminateat Step 5. The parties commit a value before termination at Step 5 or 4. Validity.
If the broadcaster is honest, it sends the same proposal of value π£ to all parties, and all honest partiesreceive the proposal at local time β€ Ξ + π and set direct-rcv = π‘ππ’π . All π β π β₯ π + vote with π for the proposal at Step 3, and there exists no vote with π for any π£ β² β π£ . Then at Step 4, all honest parties detectno equivocation and receive π + vote with π for π£ from honest parties, thus commit π£ . Good-case latency.
In the good case, the broadcaster is honest and sends the same proposal of value π£ at globaltime 0. The proposal reaches all parties by global time πΏ and all honest parties set direct-rcv = π‘ππ’π . Then, by globaltime πΏ + ( Ξ β . πΏ ) all π β π β₯ π + vote with πΏ for π£ , and the above π β π β₯ π + vote with πΏ reach all honest parties at global time β€ πΏ + ( Ξ β . πΏ ) + πΏ = Ξ + . πΏ . Since any honest party receives the proposal atglobal time β₯
0, we have π‘ π£ππ‘ππ β π‘ ππππ β€ Ξ + . πΏ at all honest parties. Moreover, honest parties detect no equivocationand have direct-rcv = π‘ππ’π . Thus, they all commit on π£ at Step 4a within time Ξ + . πΏ after the broadcaster sendsthe proposal. Therefore, the good-case latency of the protocol is Ξ + . πΏ . β‘ ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang π / < π < π , Lower Bound of (β ππ β π β β ) Ξ and Upper Bound of π ( ππ β π ) Ξ For the dishonest majority case, we prove a lower bound of (β ππ β π β β ) Ξ on the good-case latency, and an upper boundof π ( ππ β π ) Ξ can be implied by the BB protocol in [33]. We defer the results to Appendix C.5 for brevity. Byzantine fault tolerant broadcast, first proposed byLamport et al. [24], have received a significant amount of attention for several decades. For synchronous protocols,the deterministic Dolev-Strong protocol [14] solves BB in worst-case π + π β² + π β² < π actual faults. The classicasynchronous Byzantine reliable broadcast by Bracha [8] has a worst-case latency of 3 rounds. A sequence of effort hasbeen made on reducing the round complexity to expected constant through randomization [1, 7, 17, 22, 29]. Improving good-case latency for BFT protocols.
Decades of research on BFT state machine replication protocolsfocus on improving the performance of the protocol when an honest leader is in charge, which is what we formallydefined as the good-case latency. Under synchrony, Sync HotStuff [2] is a recent synchronous BFT SMR protocolthat has a good-case latency of 2 Ξ . Later work [3, 4] improves the good-case latency to Ξ + πΏ with a lower boundof Ξ for the π / < π < π / π < π / Optimistic BFT protocols.
Another line of research aims at developing BFT protocols with small latencies whencertain optimistic conditions are met [2, 15, 23, 28, 32]. Common examples of such optimistic conditions include: morethan 3 π / π parties vote under partial synchrony [20, 23]. Note thatthese conditions are much more demanding than our definition of good-case, which only requires an honest leader. We provide a complete categorization of the good-case latency of Byzantine fault-tolerant broadcast in the authenticatedsetting under synchrony, partial synchrony and asynchrony. Our results reveal the structure in the latencies of Byzantinefault-tolerant broadcast with an honest broadcaster under various resilience assumptions, from which latency efficientstate machine replication protocols can be derived.The first open problem is the tight bound of the good-case latency for the π / β€ π < π case under synchrony.Currently our result still leaves a gap of a constant factor (factor of 2). It would be interesting to complete the picture.Another interesting open problem is to derive results for the unauthenticated case. Some of the lower bound resultsin our paper still apply, but it is intriguing to find out if they are still tight. Under synchrony, unauthenticated BB issolvable if and only if π < π /
3, and there exists a gap between the 2 πΏ lower bound and a 3 πΏ upper bound implied byBrachaβs broadcast [8]. Under partial synchrony, we believe one can prove the tight resilience for unauthenticated ood-case Latency of Byzantine Broadcast: a Complete Categorization psync-BB with good-case latency of 2 rounds is back to π β₯ π + Acknowledgement.
We would like to thank Jun Wan for helpful discussions.
REFERENCES [1] Ittai Abraham, Srinivas Devadas, Danny Dolev, Kartik Nayak, and Ling Ren. 2019. Synchronous Byzantine Agreement with Expected π ( ) Rounds,Expected π ( π ) Communication, and Optimal Resilience. In
International Conference on Financial Cryptography and Data Security (FC) . Springer,320β334.[2] Ittai Abraham, Dahlia Malkhi, Kartik Nayak, Ling Ren, and Maofan Yin. 2020. Sync HotStuff: Simple and Practical Synchronous State MachineReplication.
IEEE Symposium on Security and Privacy (SP) (2020).[3] Ittai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang. 2020. Brief Announcement: Byzantine Agreement, Broadcast and State MachineReplication with Optimal Good-Case Latency. In . Schloss Dagstuhl-Leibniz-ZentrumfΓΌr Informatik.[4] Ittai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang. 2020. Byzantine Agreement, Broadcast and State Machine Replication with Near-optimalGood-Case Latency. arXiv preprint arXiv:2003.13155 (2020).[5] Ittai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang. 2021. Fast Validated Byzantine Broadcast. arXiv preprint arXiv:2102.07932 (2021).[6] Hagit Attiya and Jennifer Welch. 2004.
Distributed computing: fundamentals, simulations, and advanced topics . Vol. 19. John Wiley & Sons.[7] Michael Ben-Or. 1983. Another advantage of free choice: completely asynchronous agreement protocols. In
Proceedings of the second ACM Symposiumon Principles of Distributed Computing (PODC) . 27β30.[8] Gabriel Bracha. 1987. Asynchronous Byzantine agreement protocols.
Information and Computation
75, 2 (1987), 130β143.[9] Ethan Buchman. 2016.
Tendermint: Byzantine fault tolerance in the age of blockchains . Ph.D. Dissertation.[10] Ran Canetti and Tal Rabin. 1993. Fast asynchronous Byzantine agreement with optimal resilience. In
Proceedings of the twenty-fifth annual ACMsymposium on Theory of computing (STOC) . 42β51.[11] Miguel Castro and Barbara Liskov. 1999. Practical Byzantine fault tolerance. In
Proceedings of the third Symposium on Operating Systems Design andImplementation (OSDI) . USENIX Association, 173β186.[12] Danny Dolev, Joseph Y Halpern, Barbara Simons, and Ray Strong. 1995. Dynamic fault-tolerant clock synchronization.
Journal of the ACM (JACM)
42, 1 (1995), 143β185.[13] Danny Dolev, Ruediger Reischuk, and H Raymond Strong. 1990. Early stopping in Byzantine agreement.
Journal of the ACM (JACM)
37, 4 (1990),720β741.[14] Danny Dolev and H. Raymond Strong. 1983. Authenticated algorithms for Byzantine agreement.
SIAM J. Comput.
12, 4 (1983), 656β666.[15] Partha Dutta, Rachid Guerraoui, and Marko Vukolic. 2005.
Best-case complexity of asynchronous Byzantine consensus . Technical Report.[16] Cynthia Dwork, Nancy Lynch, and Larry Stockmeyer. 1988. Consensus in the presence of partial synchrony.
Journal of the ACM (JACM)
35, 2(1988), 288β323.[17] Paul Feldman and Silvio Micali. 1988. Optimal algorithms for Byzantine agreement. In
Proceedings of the twentieth ACM Symposium on Theory ofComputing . 148β161.[18] Michael J Fischer and Nancy A Lynch. 1982. A lower bound for the time to assure interactive consistency.
Inform. Process. Lett.
14, 4 (1982), 183β186.[19] Juan A Garay, Jonathan Katz, Chiu-Yuen Koo, and Rafail Ostrovsky. 2007. Round complexity of authenticated broadcast with a dishonest majority.In . IEEE, 658β668.[20] Guy Golan Gueta, Ittai Abraham, Shelly Grossman, Dahlia Malkhi, Benny Pinkas, Michael Reiter, Dragos-Adrian Seredinschi, Orr Tamir, and AlinTomescu. 2019. SBFT: a scalable and decentralized trust infrastructure. In . IEEE, 568β580.[21] A Ierzberg and S Kutten. 1989. Efficient detection of message forwarding faults. In
Proceeding of the 8th ACM Symposium on Principles of DistributedComputing (PODC) . 339β353.[22] Jonathan Katz and Chiu-Yuen Koo. 2006. On expected constant-round protocols for Byzantine agreement. In
Annual International CryptologyConference . Springer, 445β462.[23] Ramakrishna Kotla, Lorenzo Alvisi, Mike Dahlin, Allen Clement, and Edmund Wong. 2007. Zyzzyva: speculative byzantine fault tolerance. In
Proceedings of twenty-first ACM Symposium on Operating Systems Principles (SOSP) . 45β58.[24] Leslie Lamport, Robert Shostak, and Marshall Pease. 1982. The Byzantine Generals Problem.
ACM Transactions on Programming Languages andSystems
4, 3 (1982), 382β401.[25] Barbara Liskov. 2001. EECS Colloquium on Practical Byzantine Fault Tolerance, https://youtu.be/Uj638eFIWg8?t=800.[26] J-P Martin and Lorenzo Alvisi. 2006. Fast byzantine consensus.
IEEE Transactions on Dependable and Secure Computing
3, 3 (2006), 202β215.[27] Rafael Pass and Elaine Shi. 2017. Hybrid consensus: Efficient consensus in the permissionless model. In . Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik.21 ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang [28] Rafael Pass and Elaine Shi. 2018. Thunderella: Blockchains with optimistic instant confirmation. In
Annual International Conference on the Theoryand Applications of Cryptographic Techniques . Springer, 3β33.[29] Michael O Rabin. 1983. Randomized byzantine generals. In . IEEE, 403β409.[30] Matthieu Rambaud. 2020. The latency costs of Optimistically fast output and of Strong unanimity, in authenticated leader-based Byzantine consensusunder partial synchrony. (2020).[31] Nibesh Shrestha, Ittai Abraham, Ling Ren, and Kartik Nayak. 2020. On the Optimality of Optimistic Responsiveness. In
Proceedings of the 2020 ACMSIGSAC Conference on Computer and Communications Security (CCS) . 839β857.[32] Yee Jiun Song and Robbert van Renesse. 2008. Bosco: One-step byzantine asynchronous consensus. In
International Symposium on DistributedComputing (DISC) . Springer, 438β450.[33] Jun Wan, Hanshen Xiao, Elaine Shi, and Srinivas Devadas. 2020. Expected constant round byzantine broadcast under dishonest majority. In
Theoryof Cryptography Conference (TCC) . Springer, 381β411.[34] Maofan Yin, Dahlia Malkhi, Michael K Reiter, Guy Golan Gueta, and Ittai Abraham. 2019. Hotstuff: Bft consensus with linearity and responsiveness.In
Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing (PODC) . ACM, 347β356.22 ood-case Latency of Byzantine Broadcast: a Complete Categorization
A ASYNCHRONOUS MODEL [10]
To measure the latency of an asynchronous protocol, we adopt the standard asynchronous round definitions from theliterature [10].Definition 9 (Asynchronous Atomic Step).
The execution of the protocol proceeds in consecutive atomic steps, wherefor each atomic step the adversary can choose a single party π to perform the following actions: β’ Read a subset M of messages in its buffer chosen by the adversary. Messages in M are called delivered. β’ Perform local computations. β’ Send messages to other parties, and each message is buffered at the corresponding recipient until delivered.
Definition 10 (Asynchronous Round).
Each atomic step in an execution is assigned a round number as follows. β’ Round only consists a single atomic step at each party, where each party receives a special start message to startthe protocol. By definition, the message sent at this atomic step has round number . β’ For any π β₯ , let π π be the last atomic step where a message of round π β is delivered. All the steps after step π π β until (and including) step π π are in round π . As an example, a Byzantine broadcast protocol that runs in 2 asynchronous rounds can do the following. In round0, the broadcaster multicasts its proposal to all other parties. In round 1, all parties receive the proposal from thebroadcaster, and multicast vote messages to all other parties. In round 2, all parties receive enough vote messages andcommit. Note that only 2 asynchronous rounds of message exchanges are needed for the protocol to commit, thereforethe protocol has a commit latency of 2 rounds.
B MISSING RESULTS AND PROOFS FOR PARTIAL SYNCHRONYB.1 Correctness of the ( π β ) -psync-BB Protocol For brevity, any value π£ in the proof is assumed to be π£ β β₯ , unless specified.Lemma 2. If π β honest replicas vote for the same value π£ in Step 2 of view π€ , then there exists no valid certificate C of view π€ that locks any value π£ β² β π£ , and any honest replica that enters view π€ + has a valid certificate of view π€ thatlocks π£ . Proof. Suppose on the contrary that there exists a valid certificate C of view π€ that locks value π£ β² β π£ . By definition, C contains β₯ π β β¨β , π€ β© , and (a) it contains β₯ π β β¨ π£ β² , π€ β© signed by πΏ π€ and the replica, and no other valuesigned by πΏ π€ , or (b) it contains β₯ π β¨ π£ β² , π€ β© signed by πΏ π€ and replicas other than πΏ π€ . Condition (a) cannot be true:Since 3 π β β¨ π£, π€ β© signed by the leader πΏ π€ and the corresponding replica in the timeout messages, C cannot include these messages, which implies there need to be at least 3 π β + π β = π β > π replicas, contradiction. Condition (b) also cannot be true: If πΏ π€ is honest, then it will not propose and sign two differentvalues, contradiction. If πΏ π€ is Byzantine, then C contains at most π β π messages from the honest replicas. Since 3 π β β¨ π£, π€ β© signed by πΏ π€ and thecorresponding replica, at least 2 π messages must be for π£ , which implies that at most 4 π β β π = π β π£ β² , contradiction. Therefore, there exist no valid certificate C of view π€ that locks any value π£ β² β π£ .According to the protocol, any honest replica that enters view π€ + π β timeout messages ofview π€ that contains only one value signed by πΏ π€ , or 4 π β timeout messages from replicas other than πΏ π€ . Forthe first case, since 3 π β β¨ π£, π€ β© , the 4 π β timeout messages can contain ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang at most 2 π signed β¨β₯ , π€ β© , and thus can form a valid certificate that locks π£ . For the second case: (i) If πΏ π€ is honest, thenonly one value can be signed by πΏ π€ and the claim follows from the first case; (ii) If πΏ π€ is Byzantine, then 4 π β timeout messages contains at most π β π signatures from thehonest replicas. Since 3 π β β¨ π£, π€ β© , at least 2 π signatures must be on π£ , and thuscan form a valid certificate that locks π£ . β‘ Lemma 3.
If an honest replica commits π£ in view π€ , for any π€ β² β₯ π€ , there exists no valid certificate of any view π€ β² thatlocks any other value π£ β² β π£ , and no honest replica vote for any π£ β² β π£ in any view π€ β² + . Proof. Suppose β is the honest replica that commits π£ in view π€ . We prove the lemma by induction on the viewnumbers. Base case of view π€ . According to the protocol, β receives 4 π β vote messages for π£ in view π€ , among whichat least 3 π β vote messages are sent by the honest replicas. Since at least 3 π β π£ , by Lemma 2,there exists no valid certificate C of view π€ that locks any value π£ β² β π£ , and any honest replica that enters view π€ + π€ that locks π£ . According to Step 2, to have any honest replica vote for π£ β² β π£ , πΏ π€ + needsto send the proposal π£ β² with either (a) a valid certificate of view π€ that locks π£ β² , which is impossible since there existno valid certificate of view π€ that locks any value π£ β² β π£ ; (b) or 4 π β status message of view π€ each with avalid certificate and among which the highest certificate locks π£ β² , which is also impossible since any honest replica thatenters view π€ + π€ that locks π£ , and there exists no valid certificate of view π€ that locks π£ β² β π£ . Hence, no honest replica vote for any π£ β² β π£ in view π€ +
1, and the lemma is true for the base case.
Induction step.
Assume the induction hypothesis that the lemma is true for view π€, π€ + , ..., π β
1. We only needto prove that the lemma is also true for view π . Since all honest replicas can only vote for π£ in view π by inductionhypothesis, according to Lemma 2, there exist no valid certificate of view π that locks any value π£ β² β π£ . The highestvalid certificate at any honest replica locks on π£ , since any honest replica that enters view π€ + π€ that locks π£ and there exists no valid certificate of view β₯ π€ that locks π£ β² β π£ that can update the certificate inStep 5 at any honest replica. Then, according to Step 2, no honest replica will vote for any π£ β² β π£ in view π + π that locks π£ β² , or 4 π β status message of view π that contains ahighest certificate that locks π£ β² . Hence the lemma is true by induction. β‘ Theorem 12 (Agreement).
If an honest replica commits π£ , no honest commits any π£ β² β π£ . Proof. Let β be the first honest replica that commits, and β commits π£ in view π€ . Suppose on the contrary thatanother honest β β² commits a different value π£ β² β π£ in view β₯ π€ . If β β² commits in view π€ , according to Step 3, at least3 π β π£ β² . Since at least 3 π β π£ for β to commit and the totalnumber of honest replicas is only 4 π β
1, at least ( π β ) + ( π β ) β ( π β ) = π β > β β² commits in view π€ β² β₯ π€ +
1, according to Step 3, at least3 π β π£ β² . However, by Lemma 3, no honest replica vote for any π£ β² β π£ in any view β₯ π€ +
1, andtherefore no honest can commit π£ β² β π£ . β‘ Theorem 13 (Termination).
After GST, every replica eventually commits and terminates.
Proof. Let view π€ be the first view after GST that has an honest leader. If no honest replica ever enters the view π€ , there exist no 4 π β timeout messages from the honest replicas, and thus at least one honest replica must ood-case Latency of Byzantine Broadcast: a Complete Categorization have committed before view π€ and its forwarded 4 π β vote will lead other honest replicas to commit aswell. Otherwise, all honest replicas eventually receive 4 π β timeout messages to enter view π€ . Then, any honestreplica sends a status message with C to the leader πΏ π€ in Step 5. The leader πΏ π€ can receive 4 π β status messages of view π€ β C that locks some value since there are 4 π β timeout messages form a valid certificate of view π€ β π£ , the leader proposes π£ withthe certificate, otherwise it proposes value π£ that is locked by the highest valid certificate from 4 π β status messages. By definition of the certificate check, the proposed value is externally valid, and according to Step 2, anyhonest replica will vote for the proposal of the leader. Then, in Step 3 all honest replicas can receive 4 π β vote messages of view π€ for the same value π£ , and thus commit π£ . Also, 4 Ξ time is sufficient for an honest leader tocommit a value at all honest replicas before any honest replica timeout, since any two honest replicas enter the newview within Ξ time of each other, and the sending of status , propose and vote message each takes at most Ξ time.Thus, no honest replica will timeout before voting in the view with an honest leader. β‘ Theorem 14 (Validity).
If the designated broadcaster is honest and
πΊππ = , then all honest parties commit thebroadcasterβs value. Proof. If the broadcaster is honest and the network is synchronous, all 4 π β π β β‘ Theorem 15 (Good-case Latency).
When the network is synchronous and the leader is honest, the proposal of theleader will be committed within rounds. Proof. By the proof of Theorem 14. β‘ C MISSING RESULTS AND PROOFS FOR SYNCHRONYC.1 < π < π / , Matching Lower and Upper Bounds of πΏ BRB lower bound πΏ under synchronized start and π > . The proof is very similar to that of Theorem 4.Proof of Theorem 8. Suppose there exists a protocol Ξ with synchronized start that has good-case latency < πΏ ,which means the honest parties can always commit before time 2 πΏ if the designated broadcaster is honest. Let party π bethe broadcaster, and divide the remaining π β π΄, π΅ each with β₯ π΄ ( π΅ ) to refer all the parties in π΄ ( π΅ ). Consider the following three executions of Ξ . All the executions constructedbelow have message delays equal to πΏ .(1) Execution 1. The broadcaster π is honest, and sends 0 to all parties. Since the broadcaster is honest, by validity,parties in π΄, π΅ will commit 0 before time 2 πΏ .(2) Execution 2. The broadcaster π is honest, and sends 1 to all parties. Since the broadcaster is honest, by validity,parties in π΄, π΅ will commit 1 before time 2 πΏ .(3) Execution 3. The broadcaster π is Byzantine, it sends 0 to parties in π΄ and 1 to parties in π΅ . Contradiction.
Recall that the message delays are πΏ in all executions. The set of messages received by π΄ from π΅ beforetime 2 πΏ are sent by π΅ before time πΏ , and thus is identical in Execution 1 and 3 since the local history of π΅ is identical ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang before receiving from the broadcaster in these two executions. Therefore, the parties in π΄ cannot distinguish Execution1 and 3 before time 2 πΏ , and thus will commit 0 in Execution 3. Similarly, the parties in π΅ cannot distinguish Execution 2and 3 before time 2 πΏ , and will commit 1 in Execution 3. However, this violates the agreement property of BRB, andtherefore no such protocol Ξ exists. β‘ The same proof also applies to an even weaker broadcast formulation named Byzantine consistent broadcast (BCB),where termination of all honest parties is required only when the broadcaster is honest.
BB upper bound πΏ under unsynchronized start and π < π / . We show a matching upper bound of 2 πΏ on thegood-case latency for BB with the 2 πΏ -BB Protocol presented in Figure 5. Here we give a brief description. Initially eachparty has its lock set to some default value β₯ , and starts the protocol at most π = Ξ time part with a local clock startingat 0. First, the broadcaster multicasts its proposed value π£ , and each party will vote for the first valid proposal (in thecorrect format and signed by the broadcaster) and multicast a vote. When a party receives π β π votes on the samevalue π£ , it forwards these votes and sets its lock to be π£ . The party also commits π£ if this happens before time 2 Ξ + πΏ . Atlocal time 3 Ξ + πΏ , all parties participate in an instance of BA with lock as the input, and commit the output (if theyhavenβt committed already).Note that synchrony and a known Ξ are crucial to the correctness of the protocol; otherwise under partial synchrony,the resilience bound would be different (see Theorem 7).Initially, every party π starts the protocol at most π = Ξ time apart with a local clock and sets lock = β₯ .(1) Propose.
The designated broadcaster πΏ with input π£ sends β¨ propose , π£ β© πΏ to all parties.(2) Vote.
When receiving the first valid proposal from the broadcaster, send a vote to all parties in the formof β¨ vote , π£ β© π where π£ is the value of the proposal.(3) Commit.
When receiving π β π signed votes for some value π£ at local time π‘ , forward these π β π votesto all parties and set lock = π£ . If π‘ β€ Ξ + π , commit π£ .(4) Byzantine agreement.
At local time 3 Ξ + π , invoke an instance of Byzantine agreement with lock asthe input. If not committed, commit on the output of the Byzantine agreement. Terminate. Fig. 10. πΏ -BB Protocol with π < π / Correctness of the πΏ -BB Protocol. Theorem 16. 2 πΏ -BB protocol solves Byzantine broadcast under π < π / faults in the synchronous authenticated setting,and has optimal good-case latency of πΏ . Proof.
Agreement.
If all honest parties commit at Step 4, all honest parties commit on the same value due to theagreement property of the BA. Otherwise, there must be some honest party that commits at Step 3. First, no two honestparties can commit different values at Step 3. Otherwise, since they both receive π β π signed votes, the two sets ofvotes intersect at at least ( π β π ) + ( π β π ) β π = π β π β₯ π + β denote the first honest party that commits at Step 3,and let π£ denote the committed value. Since β commits and forwards π β π votes at local time π‘ β€ Ξ + π , all honestparties set lock = π at their local time β€ Ξ + π before invoking the Byzantine agreement primitive at Step 4, sincethe clock skew is π and message delay is bounded by Ξ . Therefore, at Step 4, all honest parties have the same input to ood-case Latency of Byzantine Broadcast: a Complete Categorization the BA. Then by the validity condition of the BA primitive, the output of the agreement is also π . Any honest party thatdoes not commit at Step 3 will commit on value π at Step 4. Termination.
According to the protocol, honest parties terminate at Step 4, and they commit a value beforetermination.
Validity.
If the broadcaster is honest, it sends the same proposal of value π£ to all parties, and all honest parties willvote for π£ before local time Ξ + π . Then at Step 3, all honest parties receive π β π signed messages of π£ before local time2 Ξ + π , and commits π£ . Good-case latency.
In the good case, the broadcaster is honest, its value π£ reaches all parties at time β€ πΏ and allhonest parties will vote for π£ . Next, the above votes reach all honest parties after πΏ time, and all honest parties commiton the senderβs proposal within time β€ πΏ . β‘ C.2 π = π / , Matching Lower and Upper Bounds of Ξ + πΏ BRB lower bound Ξ + πΏ under synchronized start and π β₯ π / . Proof of Theorem 9. Suppose there exists a protocol Ξ with synchronized start that has good-case latency < Ξ + πΏ ,which means the honest parties can always commit before time Ξ + πΏ if the designated broadcaster is honest. Divide π β€ π parties into three groups π΄, π΅, πΆ of size β€ π each. For brevity, we often use π΄ ( π΅, πΆ ) to refer all the parties in π΄ ( π΅, πΆ ). Let one party π in group πΆ to be the broadcaster. Consider the following three executions of Ξ .(1) Execution 1. The message delay bound is πΏ , and the message delay is πΏ between all pairs of honest parties. Thebroadcaster π is honest, and sends 0 to all parties with message delay πΏ . The parties in π΅ are Byzantine, but behaveas honest except that they pretend the message delays between π΅, π΄ and
π΅, πΆ are both Ξ . All other messagedelays are πΏ . Since the broadcaster is honest, by validity, parties in π΄, πΆ will commit 0 before time Ξ + πΏ .(2) Execution 2. The message delay bound is πΏ , and the message delay is πΏ between all pairs of honest parties. Thebroadcaster π is honest, and sends 1 to all parties with message delay πΏ . The parties in π΄ are Byzantine, but behaveas honest except that they pretend the message delays between π΄, π΅ and
π΄, πΆ are both Ξ . All other messagedelays are πΏ . Since the broadcaster is honest, by validity, parties in π΅, πΆ will commit 1 before time Ξ + πΏ .(3) Execution 3. The message delay bound is Ξ , and thus the adversary can control the message delay to be anyvalue in [ , Ξ ] between any pair of honest parties. The broadcaster π is Byzantine, it sends 0 to parties in π΄ and 1to parties in π΅ both with message delay πΏ . The parties in πΆ are also Byzantine, they behave the same as πΆ to π΄ from Execution 1, and the same as πΆ to π΅ from Execution 2. The message delay between π΄, π΅ is Ξ , and all othermessage delays are πΏ . Contradiction.
Notice that in Execution 1 and 3, the message delay is πΏ between the broadcaster and π΅ , and is Ξ between π΄ and π΅ . The set of messages received by π΄ from π΅ before time Ξ + πΏ are sent by π΅ before time πΏ , and thus isidentical in Execution 1 and 3 since the state of π΅ is identical before receiving from the broadcaster in two executions.Moreover, πΆ behaves identically to π΄ in both executions. Therefore, the parties in π΄ cannot distinguish Execution 1 and3 before time Ξ + πΏ , and thus will commit 0 in Execution 3. Similarly, the parties in π΅ cannot distinguish Execution 2and 3 before time Ξ + πΏ , since they receive the identical set of messages from the parties in π΄ , and thus will commit 1 inExecution 3. However, this violates the agreement property of BRB, and therefore no such protocol Ξ exists. β‘ BB upper bound Ξ + πΏ under unsynchronized start and π = π / ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang Theorem 17. ( Ξ + πΏ ) - π / -BB protocol solves Byzantine broadcast under π β€ π / faults in the synchronous authenticatedsetting, and has optimal good-case latency of Ξ + πΏ . Proof.
Agreement.
Honest parties may commit at Step 3 or 4.First we prove that no two honest parties commit different values in Step 3. Suppose two honest β, β β² commit value π£, π£ β² respectively in Step 3. Without loss of generality, suppose that β receives the proposal of π£ from the broadcaster nolater than β β² . Then party β β² should receive the vote for π£ from party β during its Ξ waiting period, and will not commitat Step 3 due to the detection of conflicting votes. Thus any honest commit the same value in Step 3.Now consider any honest party β that commits in Step 4 before invoking the BA. Then β receives two sets of π β π conflicting votes, and the parties in the intersection of the two sets are Byzantine since they voted for different values.The set F contains at least ( π β π ) + ( π β π ) β π = π β π β₯ π parties, which means β detects all π Byzantine parties.Therefore, any commit message from any party not in F must be from an honest party, and β commits the same valueas any honest party committed at Step 3.If all honest parties commit at Step 4 after the BA, all honest parties commit the same value due to the agreementproperty of the BA. Otherwise, there must be some honest party that commits some value π£ at Step 3. Since this honestparty receives and forwards π β π votes at local time β€ Ξ + π , all honest parties receive these votes at local time β€ Ξ + π . If any honest party receives π β π votes for only one value π£ , it sets lock = π£ . Otherwise, the honest partydetects all Byzantine parties, commits the same value π£ and sets lock = π£ as argued previously. Therefore, at Step 4, allhonest parties have the same input to the BA. Then by the validity condition of the BA primitive, the output of theagreement is also π£ . Any honest party that does not commit at Step 3 will commit on value π£ at Step 4. Termination.
According to the protocol, honest parties terminate at Step 4, and they commit a value beforetermination.
Validity.
If the broadcaster is honest, it sends the same proposal of value π£ to all parties, and all π β π honest partieswill vote for the proposal within Ξ time. Moreover, there exists no vote for any other proposal. Then at Step 3, allhonest parties detect no conflicting vote and receive π β π signed votes for π£ from honest parties before time 2 Ξ + π ,and commits π£ . Good-case latency.
In the good case, the broadcaster is honest, its proposal of value π£ reaches all parties withintime β€ πΏ and all honest parties will vote for π£ and start the Ξ waiting period. The above π β π votes reach all honestparties after πΏ time, and meanwhile the honest parties detect no conflicting vote during the Ξ waiting period, thus theywill commit on the senderβs proposal at time β€ Ξ + πΏ in Step 3. β‘ C.3 π / < π < π / and Synchronized Start, Matching Lower and Upper Bounds of Ξ + πΏ Correctness of the ( Ξ + πΏ ) -BB Protocol. Since the protocol assumes synchronized start, local clocks at all honestparties have the same time.Lemma 4.
If an honest party commits some value π£ at Step 3, then (1) no honest party commits π£ β² β π£ at Step 3, and (2)all honest parties have lock = π£ at Step 4. Proof.
Part (1).
Suppose an honest party β commits some value π£ at Step 3 at time Ξ + π‘ . According to the protocol, β detects no equivocation within time Ξ + π‘ and receives π + vote messages for the same value π£ each with π β€ π‘ . Then, at least one vote is from an honest party π , who receives the proposal of π£ and multicasts the vote at time π π where π π β€ π‘ . Now suppose some honest party β β² commits a different value π£ β² β π£ at Step 3 at time Ξ + π‘ β² . Similarly, ood-case Latency of Byzantine Broadcast: a Complete Categorization at least one honest party π receives the proposal of π£ β² and multicasts the vote at time π π where π π β€ π‘ β² . Without lossof generality, assume π π β€ π π . Then the vote from party π will reach party π within time π π + Ξ β€ π π + Ξ β€ π‘ β² + Ξ , andprevents β β² from committing due to equivocation detection. This is a contradiction, and thus no honest party commits π£ β² β π£ at Step 3. Part (2).
Suppose an honest party β commits some value π£ at Step 3 at time Ξ + π‘ . Since β forwards the π + vote messages at time Ξ + π‘ , all honest parties will receive these vote messages within time 2 Ξ + π‘ . According to the protocol,all honest parties will update their lock = π£ , unless they are locked on some value π£ β² β π£ with rank β€ π‘ . Hence, it issufficient to show that there exists no π + vote messages for any π£ β² β π£ each has π β€ π‘ . First we show that thereis no vote with π β€ π‘ for any π£ β² β π£ sent by an honest party. Otherwise, this vote will reach party β within time π + Ξ β€ π‘ + Ξ and prevent β from committing β due to equivocation detection. Since there are at most π Byzantineparties, there exists no π + vote messages for any π£ β² β π£ each has π β€ π‘ . β‘ Theorem 18. ( Ξ + πΏ ) -BB protocol solves Byzantine broadcast tolerating π / < π < π / faults under synchronized startin the synchronous authenticated setting, and has optimal good-case latency of Ξ + πΏ . Proof.
Agreement.
If all honest parties commit at Step 4, all honest parties commit on the same value due to theagreement property of the BA. Otherwise, there must be some honest party that commits at Step 3. By Lemma 4, nohonest party commits π£ β² β π£ at Step 3 and all honest party have lock = π£ at Step 4. Since all honest parties have thesame input π£ for the BA, according to the validity condition of the BA, the output of the agreement is π£ . Then anyhonest party that has not committed will commit π£ . Termination.
According to the protocol, honest parties invoke a BA instance at time 4 Ξ , and terminate after theBA at Step 4. The parties commit a value before termination at Step 4 or 3. Validity and good-case latency.
If the broadcaster is honest, it sends the same proposal of value π£ to all parties,and all honest parties receive the proposal within time πΏ . All π β π β₯ π + vote with π β€ πΏ forthe proposal at Step 2, and there exists no valid vote for any π£ β² β π£ . Then at Step 3, within time Ξ + πΏ , all honest partiesdetect no equivocation and receive π + vote messages for π£ with π β€ πΏ from the honest parties, and commit π£ .Thus the good-case latency of the protocol is Ξ + πΏ . β‘ C.4 π / < π < π / and Unsynchronized Start, Matching Lower and Upper Bounds of Ξ + . πΏ BRB lower bound Ξ + . πΏ under unsynchronized start and π > π / Ξ that has good-caselatency < Ξ + . πΏ , under clock skew π and π > π / π = . πΏ due to the lower bound for clock skew [6]. We divide π parties into 5 disjoint groups π΄, π΅, πΆ, π, β , where π, β each contain a single party, and
π΄, π΅, πΆ each evenly contains the remaining π β < π β π΄, π΅, πΆ contains β€ π β πΏ , and the message delay is πΏ between all pairs of honest parties. Thebroadcaster is honest and sends value 0 to all parties. All parties start the protocol at time 0, and receive thebroadcasterβs proposal at time πΏ . ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang g A B C h β β 0.5πΏβ β 0.5πΏβ + 0.5πΏ g, A, B commit 0 at < β + 1.5πΏ Execution 1g A B C h πΏ πΏπΏ β β 0.5πΏβ β πΏβ
Execution 20 0 0 0 00 0 0/1 1 1 g cannot distinguish Execution 4Execution 3A,C cannot distinguish h cannot distinguish
C start at receive 1 at β β 0.5πΏβ β + 0.5πΏ h C B A g β β 0.5πΏβ β 0.5πΏβ + 0.5πΏ β β 0.5πΏβ β + 0.5πΏ h C B A g πΏ πΏ πΏβ β 0.5πΏβ β πΏβ
A start at receive 0 at g commit 0 at < β + 1.5πΏ and A ,C commit 0 h commit 1 at < β + 1.5πΏ and A ,C commit 1h, C, B commit 1 at < β + 1.5πΏ
Fig. 11. BRB good-case latency lower bound: Ξ + . πΏ with unsynchronized start. Dotted circles denote Byzantine parties. β’ π, π΄, π΅ are honest. β’ Parties in πΆ are Byzantine. They behave honestly except that they control the message delays to be Ξ + . πΏ from πΆ to π , Ξ β . πΏ from πΆ to π΄ , and Ξ β . πΏ from π, π΄ to πΆ . β’ β is Byzantine, it behaves honestly except that it controls the message delay to be Ξ β . πΏ from β to π΄ , Ξ + . πΏ from π΄ to β , and β between β and π .Since the broadcaster is honest, the honest parties in π, π΄, π΅ will commit 0 at time < Ξ + . πΏ by assumption.(2) Execution 4. This Execution is a symmetry of Execution 1. The message delay is πΏ between all pairs of honest parties.The broadcaster is honest and sends value 1 to all parties. All parties start the protocol at time 0, and receive thebroadcasterβs proposal at time πΏ . β’ β, πΆ, π΅ are honest. β’ Parties in π΄ are Byzantine. They behave honestly except that they control the message delays to be Ξ + . πΏ from π΄ to β , Ξ β . πΏ from π΄ to πΆ , and Ξ β . πΏ from β, πΆ to π΄ . ood-case Latency of Byzantine Broadcast: a Complete Categorization β’ π is Byzantine, it behaves honestly except that it controls the message delay to be Ξ β . πΏ from π to πΆ , Ξ + . πΏ from πΆ to π , and β between π and β .Since the broadcaster is honest, the honest parties in π΅, πΆ, β will commit 1 within time Ξ + . πΏ by assumption.(3) Execution 2. The message delay bound is Ξ , and thus the adversary can control the message delay to be any valuein [ , Ξ ] between any pair of honest parties. The broadcaster is Byzantine, it sends 0 to π, π΄, π΅ , and 1 to π΅, πΆ, β . Let πΏ denote the message delay bound in Execution 1 and 4. All parties start the protocol at time 0 except that the partiesin πΆ start at time 0 . πΏ . All parties receive the broadcasterβs proposal at time πΏ , except that πΆ receive at time 1 . πΏ . β’ π, π΄, πΆ are honest. The message delay is πΏ between π, π΄ , and Ξ between π, πΆ . The message delay is Ξ β πΏ from πΆ to π΄ , and Ξ from π΄ to πΆ . β’ The parties in π΅ are Byzantine, they behave to π, π΄ the same as that in Execution 1, and to πΆ, β the same as that inExecution 4, but they control the message delay to be 1 . πΏ from π΅ to πΆ and 0 . πΏ from πΆ to π΅ . β’ β is Byzantine, it behaves honestly except it controls the message delays as follows: β between π, β , πΏ between π΅, β , 0 . πΏ from πΆ to β , 1 . πΏ from β to πΆ , Ξ + . πΏ from π΄ to β , and Ξ β . πΏ from β to π΄ .(4) Execution 3. This Execution is the symmetry of Execution 2. The message delay bound is Ξ and let πΏ denote themessage delay bound in Execution 1 and 4. The broadcaster is Byzantine, it sends 0 to π, π΄, π΅ , and 1 to π΅, πΆ, β . Allparties start the protocol at time 0 except that the parties in π΄ start at time 0 . πΏ . All parties receive the broadcasterβsproposal at time πΏ , except that π΄ receive at time 1 . πΏ . β’ β, π΄, πΆ are honest. The message delay is πΏ between β, πΆ , and Ξ between β, π΄ . The message delay is Ξ β πΏ from π΄ to πΆ , and Ξ from πΆ to π΄ . β’ The parties in π΅ are Byzantine, they behave to π, π΄ the same as that in Execution 1 but control the message delayto be 1 . πΏ from π΅ to π΄ and 0 . πΏ from π΄ to π΅ , and to πΆ, β the same as that in Execution 4. β’ π is Byzantine, it behaves honestly except it controls the messages delays as follows: β between π, β , πΏ between π΅, π , 0 . πΏ from π΄ to π , 1 . πΏ from π to π΄ , Ξ + . πΏ from πΆ to π , and Ξ β . πΏ from π to πΆ . Claim 1: The party in π cannot distinguish Execution 1 and 2 before time Ξ + . πΏ , and thus it commits in both executions. Similarly, β cannot distinguish Execution 3 and 4 before time Ξ + . πΏ , and it commits in both executions. We need to show that before Ξ + . πΏ , the party in π receives the same set of messages at the same correspondingtime points by its local clock in both Execution 1 and 2. According to the construction of the executions, we have thefollowing observation. β’ By construction,
π΅, β behave to π the same in both Execution 1 and 2. β’ For π΄ , we show that the local history of π΄ before time Ξ + . πΏ is identical in both Execution 1 and 2. Then, anymessage from π΄ to π before time Ξ + . πΏ is identical in both executions since the message delay between π, π΄ is πΏ inboth executions. β π΄ start the protocol at time 0 with the same initial state, and receive proposal of value 0 at time πΏ from the senderin both executions. β By construction, π΅ behave the same to π΄ in both Execution 1 and 2. β The messages from πΆ to π΄ before time Ξ + . πΏ are identical in Execution 1 and 2. In Execution 1, πΆ start at time0, receive from the broadcaster at time πΏ , and behave honestly but simulate a message delay of Ξ β . πΏ to π΄ . InExecution 2, πΆ start at time 0 . πΏ , receive from the broadcaster at time 1 . πΏ , and behave honestly. Since the messagedelay from πΆ to π΄ is Ξ β . πΏ in Execution 1 and Ξ β πΏ in Execution 2 (0 . πΏ faster than Execution 1), and the local ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang history at πΆ in Execution 2 from time 0 . πΏ to 1 . πΏ is identical to that in Execution 1 from time 0 to πΏ , the set ofmessages π received from πΆ before time Ξ + . πΏ is the same in both executions. β The message delay from β to π΄ is Ξ β . πΏ in both executions, and β has the same local history before time πΏ . Henceany message from β to π΄ received before time Ξ + . πΏ is the same in both executions. β π is honest in both executions, and will behave identically to π΄ before time Ξ + . πΏ unless different messages arereceived. β’ For πΆ , we show that the messages π received from πΆ before Ξ + . πΏ are identical in both Execution 1 and 2. The localhistory of πΆ from time 0 to time < πΏ in Execution 1 is identical to that from time 0 . πΏ to time < . πΏ in Execution 2,since πΆ receive from the broadcaster at time πΏ in Execution 1, and at time 1 . πΏ in Execution 2. Moreover, the messagedelay from πΆ to π is Ξ + . πΏ in Execution 1, and Ξ in Execution 2, which implies the claim.By the argument above, the party in π cannot distinguish Execution 1 and 2 before time Ξ + . πΏ , and thus it commits 0in both executions. Similarly, β cannot distinguish Execution 3 and 4 before time Ξ + . πΏ , and thus it commits 1 in bothexecutions. Claim 2: The parties in
π΄, πΆ cannot distinguish Execution 2 and 3.
We will prove that the local histories at
π΄, πΆ are identical in both Execution 2 and 3. By construction, πΆ in Execution2 start the protocol and receive from the broadcaster 0 . πΏ time later than πΆ in Execution 3, and π΄ in Execution 3 startthe protocol and receive from the broadcaster 0 . πΏ time later than π΄ in Execution 2. As for the message delays between π΄, πΆ , the delay from π΄ to πΆ is Ξ in Execution 2 and Ξ β πΏ in Execution 3, and the delay from πΆ to π΄ is Ξ in Execution 3and Ξ β πΏ in Execution 2. The differences in the message delays between π΄, πΆ compensate the delays of when
π΄, πΆ starttheir protocol, and therefore, if any other receiving events at
π΄, πΆ are identical from their local view, then
π΄, πΆ willhave the same local histories. For other message delays, for πΆ in Execution 2 and π΄ in Execution 3 that start 0 . πΏ timelater, all incoming message delays are 0 . πΏ larger and outgoing message delays are 0 . πΏ smaller, which also compensatethe delays of when π΄, πΆ start their protocol. Rest of the message delays are identical in both executions. The receivingevents at π, π΄, πΆ, β from π΅ are identical in both executions, since π΅ behave to π, π΄ the same as that in Execution 1, and to β, πΆ the same as that in Execution 2. The receiving events at π΄, πΆ from π, β are also identical in both executions, since π, β behave honestly except that they control delays to compensate the delay of when
π΄, πΆ start their protocol. Hencethe local histories at
π΄, πΆ are identical, and thus
π΄, πΆ cannot distinguish Execution 2,3.
Contradiction.
By Claim 1, π commits 0 in Execution 2 and β commits 1 in Execution 3. To satisfy safety, π΄ mustcommit 0 in Execution 2 and πΆ must commit 1 in Execution 3. However, by Claim 2, π΄, πΆ cannot distinguish Execution2 and 3, and they may commit different values in the same execution, violating safety. Therefore, such a BRB protocol Ξ that has good-case latency < Ξ + . πΏ cannot exist. β‘ C.5 π / < π < π , Lower Bound of (β ππ β π β β ) Ξ and Upper Bound of π ( ππ β π ) Ξ For the dishonest majority case, we prove a lower bound of (β ππ β π β β ) Ξ on the good-case latency, and an upper boundof π ( ππ β π ) Ξ can be implied by the BB protocol in [33]. BRB lower bound (β ππ β π β β ) Ξ under synchronized start and π β₯ π / . We first show that no BRB protocol can have good-case latency less than (β ππ β π β β ) Ξ under π β₯ π /
2. The proof isinspired by the round complexity lower bound proof of Byzantine broadcast in [19], where the authors show that evenrandomized BB protocols require at least 2 π /( π β π ) β ood-case Latency of Byzantine Broadcast: a Complete Categorization Theorem 19.
Any Byzantine reliable broadcast protocol that is resilient to π β₯ π / faults must have a good-case latencyat least (β ππ β π β β ) Ξ , even with synchronized start. Proof. The proof is illustrated in Figure 12. Let β = π β π denote the number of honest parties. Let π = β πβ β β π + = β πβ β disjoint groups πΊ , ..., πΊ π , where | πΊ π | = π = , , ..., π β | πΊ π | = β β π = , , ..., π β | πΊ π | β₯ β β
1. Suppose there exists a BRB protocol Ξ that can tolerate π Byzantinefaults and commit before time (β ππ β π β β ) Ξ = ( π β ) Ξ / πΊ π to refer all the parties in πΊ π .Considering the following executions with the party in πΊ being the broadcaster. In all the executions below, anyByzantine party in group πΊ π behaves as honest except that it only communicates with parties in groups πΊ π , πΊ π β and πΊ π + . For the broadcaster in πΊ , when it is Byzantine, it only communicates with πΊ and πΊ π after sending the proposal. β’ Execution 0. Only the broadcaster πΊ and πΊ are honest, and πΊ sends 0 to all parties. All Byzantine partiesin πΊ , ..., πΊ π pretends their message delay is Ξ . Since the broadcaster is honest, πΊ , πΊ commit 0 before time ( π β ) Ξ / β’ Execution π . Only the broadcaster πΊ and πΊ π are honest, and πΊ sends 1 to all parties. All Byzantine partiesin πΊ , ..., πΊ π β pretends their message delay is Ξ . Since the broadcaster is honest, πΊ , πΊ π commit 1 before time ( π β ) Ξ / β’ Execution π , where π = , , ..., π β
1. Only πΊ π , πΊ π + are honest. The broadcaster in πΊ is Byzantine, it sends 0 to πΊ π for 1 β€ π β€ ( π + )/
2, and sends 1 to πΊ π for ( π + )/ β€ π β€ π + πΊ behaves to πΊ the same as πΊ to πΊ inExecution 0, and behaves to πΊ π the same as πΊ to πΊ π in Execution π . All other message delays are Ξ . β’ In the executions above, we argue the following indistinguishability: β πΊ cannot distinguish Execution 0 and 1 before time ( π β ) Ξ /
2. Any message sent by πΊ ( π + )/ takes time ( π β ) Ξ / πΊ . Before that the set of messages received by πΊ is identical in both executions, since πΊ , πΊ , ..., πΊ ( π β )/ all receive 0 from the broadcaster, and any different message takes ( π β ) Ξ / πΊ .Thus, πΊ also commits 0 in Execution 1 before time ( π β ) Ξ /
2. Similarly, πΊ π cannot distinguish Execution π and π β
1, and commits 1 in Execution π β ( π β ) Ξ / β πΊ π cannot distinguish Execution π β π for 2 β€ π β€ π β
1, since two executions look identical to πΊ π . The only difference between Execution π β π is that the set of honest parties changes from πΊ π β , πΊ π to πΊ π , πΊ π + , but since the Byzantine parties behaves as honest except that they only communicatewith neighboring parties, πΊ π cannot distinguish the two executions. Contradiction.
Since πΊ π cannot distinguish Execution π β π for 2 β€ π β€ π β
1, by the terminationproperty of BRB, we can infer that πΊ ( π + )/ commit 0 in Execution ( π β )/ ( π + )/
2. However, πΊ ( π + )/ cannot distinguish these two executions, and thus will violate agreement propertyof Byzantine broadcast. Hence, any BRB protocol with good case latency < ( π β ) Ξ / = (β ππ β π β β ) Ξ cannotexist. β‘ BB upper bound π ( ππ β π ) Ξ under unsynchronized start and π β₯ π / . By the recent progress [33] on the Byzantine broadcast protocol with expected constant round under π β₯ π /
2, wecan directly obtain an upper bound on the good-case latency of π ( ππ β π ) Ξ for BB. For brevity we will omit the floor orceiling on the accurate latency for the discussion below, as we donβt have a tight bound for the π β₯ π / TrustCast , which takes about ππ β π rounds and can guarantee ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang h-1clique πΊ ! πΊ " h-1clique πΊ h-1clique πΊ $%" πΊ $%! β₯ h-1clique πΊ $ πΊ & Fig. 12. BRB Lower Bound: ( β ππ β π β β ) Ξ when π β₯ π / that each honest party either receives a message from the sender or knows the sender is Byzantine. The BB protocol isleader-based, and each epoch with the corresponding leader invokes 3 instances of TrustCast, for the leader to send theproposal, the parties to vote for the proposal, and the parties to send commit certificate, respectively. When an honestleader is in charge, the protocol guarantees that all honest parties can commit after the voting (thus after the secondTrustCast), and hence has good-case latency about ππ β π Ξ . More details of the expected constant round BB protocol canbe found in [33].Here we briefly describe how to further improve the upper bound of good-case latency to about ππ β π Ξ under π β₯ π / ππ β π rounds, and then every party use TrustCast tosend its vote, which takes about ππ β π rounds. Rest of the protocol such as the commit rule or the commit certificateremains the same. If the broadcaster is honest, all honest parties can commit within about ππ β π Ξ time, and thus thegood-case latency of the protocol is about ππ β π Ξ . Note that there is still a factor of 2 gap between the lower bound andthe upper bound for the π β₯ π /2 case, which is an interesting open question for future work.