Communication Complexity of Byzantine Agreement, Revisited

TL;DR

This paper establishes the necessity of disallowing after-the-fact removal for subquadratic Byzantine Agreement protocols and introduces new protocols that achieve this efficiency under standard assumptions in various network models.

Contribution

It proves the necessity of disallowing after-the-fact removal for subquadratic BA and presents new protocols that achieve near-optimal resilience and constant rounds without strong assumptions.

Findings

Disallowing after-the-fact removal is necessary for subquadratic BA.

New subquadratic BA protocols achieve near-optimal resilience and constant rounds.

Setup assumptions are necessary for subquadratic multicast-based BA.

Abstract

As Byzantine Agreement (BA) protocols find application in large-scale decentralized cryptocurrencies, an increasingly important problem is to design BA protocols with improved communication complexity. A few existing works have shown how to achieve subquadratic BA under an {\it adaptive} adversary. Intriguingly, they all make a common relaxation about the adaptivity of the attacker, that is, if an honest node sends a message and then gets corrupted in some round, the adversary {\it cannot erase the message that was already sent} --- henceforth we say that such an adversary cannot perform "after-the-fact removal". By contrast, many (super-)quadratic BA protocols in the literature can tolerate after-the-fact removal. In this paper, we first prove that disallowing after-the-fact removal is necessary for achieving subquadratic-communication BA. Next, we show new subquadratic binary BA constructions (of course, assuming no after-the-fact removal) that achieves near-optimal resilience and expected constant rounds under standard cryptographic assumptions and a public-key infrastructure (PKI) in both synchronous and partially synchronous settings. In comparison, all known subquadratic protocols make additional strong assumptions such as random oracles or the ability of honest nodes to erase secrets from memory, and even with these strong assumptions, no prior work can achieve the above properties. Lastly, we show that some setup assumption is necessary for achieving subquadratic multicast-based BA.