Quit-Resistant Reliable Broadcast and Efficient Terminating Gather

Mizrahi Erbes, Mose; Wattenhofer, Roger

doi:10.4230/LIPIcs.OPODIS.2024.15

Quit-Resistant Reliable Broadcast and Efficient Terminating Gather

Mose Mizrahi Erbes

ETH Zurich, Switzerland Roger Wattenhofer

ETH Zurich, Switzerland

Abstract

Termination is a central property in distributed computing. A party terminates a protocol once it stops accepting and sending messages. We discover that byzantine reliable broadcast is sometimes used in a manner which leads to non-terminating protocols. We consider an asynchronous network of $n$ parties up to $t$ of which are byzantine, and show that if each party is to broadcast its value and terminate upon obtaining $n-t$ values, then composing $n$ parallel reliable broadcast instances leads to non-termination. The issue is that a party must quit $t$ broadcast instances early in order to terminate, a behaviour not supported by ordinary reliable broadcast. So, we modify Bracha’s protocol into a quit-resistant reliable broadcast (QBRB) protocol which lets the parties quit early. This protocol retains its termination guarantees as long as no party quits before some party terminates.

Then, we turn our attention to Gather, an all-to-all broadcast primitive which guarantees that the parties obtain $n-t$ common values. Existing error-free deterministic Gather protocols either run forever, or fail to terminate since the parties quit reliable broadcast instances. We design an error-free, deterministic, terminating (and binding) Gather protocol for $\ell$ -bit inputs with the communication complexity $\mathcal{O}(\ell n^{2}+n^{3}\log n)$ . This matches the state-of-the-art for non-terminating Gather.

Finally, inspired by our QBRB protocol, we design a reliable broadcast protocol which retains its termination guarantees no matter when any party quits. To achieve this, we give each party the option to output $\bot$ if more than $q$ parties quit before some party terminates. The protocol requires $4t+q<n$ , which is optimal, and it lets parties quit after they have suffered transient crash failures so that they can help the remaining parties terminate.

Keywords and phrases:

Asynchronous networks, byzantine fault tolerance, protocol termination, reliable broadcast, all-to-all broadcast, gather

Copyright and License:

2012 ACM Subject Classification:

Theory of computation

\rightarrow

Distributed algorithms

DOI:

10.4230/LIPIcs.OPODIS.2024.15

Event:

28th International Conference on Principles of Distributed Systems (OPODIS 2024)

Editors:

Silvia Bonomi, Letterio Galletta, Etienne Rivière, and Valerio Schiavoni

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

Byzantine reliable broadcast (BRB) is a fundamental asynchronous communication primitive. Traditionally, a BRB protocol is run by $n$ parties $P_{1},P_{2},\dots,P_{n}$ , where up to $t$ of the parties may deviate arbitrarily from the protocol while the rest remain honest. Given a fixed sender party $P^{*}$ who eventually acquires an input $v^{*}$ , a BRB protocol ensures the following:

$\blacksquare$

Validity: If $P^{*}$ is honest, and an honest $P_{i}$ outputs $y_{i}$ , then $P^{*}$ has acquired $v^{*}=y_{i}$ .
$\blacksquare$

Consistency: If honest parties $P_{i}$ and $P_{j}$ output $y_{i}$ and $y_{j}$ , then $y_{i}=y_{j}$ .
$\blacksquare$

Local Termination: If $P^{*}$ is honest, then some honest party terminates.
$\blacksquare$

Global Termination: If some honest party terminates, then all honest parties terminate.

Notice that we split the output correctness properties from the termination properties. Since we focus on termination in this work, the breakdown above will be useful.

When we say that a protocol terminates, what do we mean? In their seminal work on asynchronous byzantine agreement [12], Canetti and Rabin say that a protocol terminates if all the honest parties “complete the protocol (i.e. terminate locally).” The way we understand this is that they do not let parties keep sending messages after they locally terminate, and thus define termination as we will. In [4], Abraham et al. define termination as Canetti and Rabin do, but they also separately define “termination of output” to be the property that every honest party eventually outputs.

Following the definitions in [9], we distinguish between liveness and termination. A live protocol guarantees that if the honest parties all eventually acquire inputs and run forever, then they all output. Liveness is the property called “termination of output” in [4]. Termination is stronger. A terminating protocol guarantees that if the honest parties all eventually acquire inputs and run until they terminate, then they all terminate. A party can terminate once it has output, and after terminating it can no longer accept or send messages.

Termination as opposed to liveness is useful in that it allows the parties to go offline and forget about a protocol once they terminate. When the parties run an asynchronous protocol that is live but not terminating, they must forever remain alert for further messages, even if the network happens to be fast and they decide on their outputs almost instantly. In contrast, if the parties run a terminating asynchronous protocol, then they can go offline once they terminate. Even in networks where the parties are always active, termination lets a party free the resources it has allocated for a protocol, while liveness does not.

It is common in distributed computing to compose $n$ (or more) instances of BRB to implement all-to-all broadcast. In all-to-all broadcast, each party $P_{i}$ has an input $v_{i}$ which it broadcasts to the other parties, and each party $P_{i}$ outputs a set $X_{i}$ of value-sender pairs $(m,P)$ with at most one value per sender. Typically, one requires at least the following:

$\blacksquare$

For some constant $z\leq n-t$ , the honest output sets contain at least $z$ value-sender pairs.
$\blacksquare$

If there exists some $(m_{j},P_{j})\in X_{i}$ for any honest $P_{i}$ and $P_{j}$ , then $m_{j}=v_{j}$ .
$\blacksquare$

If there exist some $(m,P)\in X_{i}$ and $(m^{\prime},P)\in X_{j}$ for any honest $P_{i}$ and $P_{j}$ , then $m=m^{\prime}$ .

One simple all-to-all broadcast protocol which we name $\Pi_{\mathsf{All}}$ achieves precisely the guarantees above, with $z$ maximally set to $n-t$ . It consists of $n$ parallel BRB instances, one for each party to broadcast its input. The idea is that since there exist $n-t$ honest parties, every honest party eventually terminates $n-t$ instances of BRB and thus terminates $\Pi_{\mathsf{All}}$ . In the wild, $\Pi_{\mathsf{All}}$ and its variants are commonly used in agreement protocols. For instance, Canetti and Rabin [12] use $\Pi_{\mathsf{All}}$ (with $z=2t+1$ ) for secret sharing/reconstruction in their seminal work on byzantine agreement [12], and Abraham, Amit and Dolev use a strengthened variant of $\Pi_{\mathsf{All}}$ as a core primitive in their seminal work on approximate agreement [2].

The problem the literature sometimes overlooks is that $\Pi_{\mathsf{All}}$ achieves liveness, but not termination. Observe that if a party $P_{i}$ terminates $\Pi_{\mathsf{All}}$ upon terminating $n-t$ instances of BRB and obtaining $|X_{i}|=n-t$ , then it stops running the $t$ instances of BRB it has not yet terminated. However, unless the BRB protocol lets honest parties quit before they terminate, honest parties quitting BRB instances early leads to $\Pi_{\mathsf{All}}$ losing its liveness. We show this in Section 3 with an attack when $\Pi_{\mathsf{All}}$ uses Bracha’s reliable broadcast protocol $\Pi_{\mathsf{Bracha}}$ [10].

One consequence of this issue is that the byzantine agreement protocol in [12] by Canetti and Rabin, whose termination mechanism is an $\Pi_{\mathsf{All}}$ variant which a party terminates after terminating $t+1$ broadcasts with identical outputs, does not achieve termination. The protocol does achieve liveness, but it would also do so if one were to remove its termination mechanism entirely. The approximate agreement protocol against $t<\frac{n}{3}$ corruptions in [2] by Abraham et al. is similarly impacted. Contrary to how their protocol is written, a party can never halt. More recent approximate agreement protocols such as [15, 20, 21, 24, 27] based on the witness technique of [2] are impacted as well.

The question we thus ask is if we can redefine reliable broadcast to ensure the termination of protocols like $\Pi_{\mathsf{All}}$ where a party has to quit reliable broadcast instances to terminate. We answer this affirmatively in Section 4 with quit-resistant reliable broadcast (QBRB), our new BRB variant where the parties can quit (and inform the other parties of their quitting) before they terminate, with precisely the guarantees to prevent attacks of the sort against $\Pi_{\mathsf{All}}$ . A QBRB protocol retains validity and consistency no matter when any honest party quits, and retains global termination as long as no honest party quits before some honest party terminates. It turns out that one can easily modify $\Pi_{\mathsf{Bracha}}$ into a QBRB protocol resilient against $t<\frac{n}{3}$ corruptions. This is fortunate, as the aforementioned protocols which do not terminate due to BRB not supporting quits become terminating if one replaces the standard BRB invocations in them with QBRB invocations.

Note that a party informing the others when it quits (or wishes to quit) a protocol and this playing a role in termination is an idea that has appeared in the literature before. In [5], the authors design a protocol for byzantine agreement in partial synchrony where upon running a view (i.e. a tagged protocol instance) for too long, a party sends everyone an abort message, and these abort messages play a role in the parties switching to the next view.

We would also be remiss not to mention some of the techniques the literature uses to terminate live agreement protocols. One can upgrade a live byzantine agreement protocol into a terminating one with reliable consensus [13], a constant-round termination procedure based on Bracha’s protocol with $\mathcal{O}(n^{2})$ messages carrying protocol outputs. More generally, one can upgrade a live agreement protocol where the parties obtain at most $\omega$ distinct outputs (e.g. for approximate agreement in a graph [24]) into a terminating one with the constant-round termination procedure in [22] that builds on reliable consensus, if $t<\frac{n}{\max(3,\omega+1)}$ .

However, for approximate agreement in $\mathbb{R}^{d}$ , we do not know of any prior termination procedure. So, we offer two approaches to terminate approximate agreement in $\mathbb{R}^{d}$ . One of them is QBRB, our general solution which by itself suffices to upgrade the protocols in [21, 27] into terminating ones. Our second solution that allows the efficient bundling of many approximate agreement instances (as in [18]) is a terminating Gather protocol. Gather is an $\Pi_{\mathsf{All}}$ variant which requires $|\bigcap_{P_{i}\text{ is honest}}X_{i}|\geq n-t$ . It is especially useful for approximate agreement¹¹1For approximate agreement, the typical requirement is that $|X_{i}\cap X_{j}|\geq n-t$ for all honest $P_{i}$ and $P_{j}$ , which is implied by the stronger $|\bigcap_{P_{i}\text{ is honest}}X_{i}|\geq n-t$ . [2, 15, 19, 20, 21, 24, 27], though its variants (with additional properties such as binding and verifiability, which we will discuss later) have been used for distributed key generation [4], common coin tossing [14, 18] and asynchronous core set agreement [3, 16].

In Section 5, we design $\Pi_{\mathsf{Gthr}}$ , an error-free deterministic Gather protocol optimally secure against $t<\frac{n}{3}$ corruptions, usable as a termination procedure for any approximate agreement protocol based on Gather iterations since it guarantees that if some honest party terminates, then all of them do. As far as we are aware, no other error-free²²2We call a protocol error-free if it achieves the properties required of it in every possible execution. deterministic³³3Gather is weakening of asynchronous core set agreement (ACS) [8], which requires $X_{i}=X_{j}$ for any honest $P_{i}$ and $P_{j}$ . Though there exist terminating ACS protocols [8], ACS implies byzantine agreement, and error-free deterministic asynchronous byzantine agreement is impossible against one crash fault [17]. Gather protocol in the literature achieves termination. The communication complexity of $\Pi_{\mathsf{Gthr}}$ for $\ell$ -bit inputs is $\mathcal{O}(\ell n^{2}+n^{3}\log n)$ bits. This is the complexity of the most efficient live Gather protocol ( $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ ) we are aware of [15], when it is instantiated with a state-of-the-art standard BRB protocol with the complexity $\mathcal{O}(\ell n+n^{2}\log n)$ [6]. Our $\Pi_{\mathsf{Gthr}}$ protocol additionaly lets one extract a core set of $n-t$ parties whose values are obtained by every honest party from the view of any honest party who outputs; hence, it is binding. Binding Gather was developed in [4], and there are cases involving secret shares which require the binding property [18].

In section 6, we return to QBRB, and design a QBRB variant $\Pi_{\mathsf{Any}}$ which retains local and global termination even if any honest party quits whenever it wishes. The standard output guarantees of reliable broadcast cannot be achieved with such lax participation, and for this reason we introduce the extra outputs $\bot$ and $\top$ . If at most $q$ honest parties quit before some honest party terminates, then $\Pi_{\mathsf{Any}}$ is just a QBRB protocol, albeit one with an extra output $\top$ to indicate that the sender quit before it acquired an input. If more than $q$ honest parties quit before some honest party terminates, then we give each party the individual option to output $\bot$ . The protocol $\Pi_{\mathsf{Any}}$ optimally requires $4t+q<n$ for this.

From a practical view, $\Pi_{\mathsf{Any}}$ is of interest in that it lets parties quit after they recover from transient crashes to help the remaining parties terminate. For example, a party can quit when it reconnects after a network disconnection, or when it restarts after a power loss. This ensures that as long as the honest parties that transiently crash (no matter how many) eventually come back online, all parties terminate $\Pi_{\mathsf{Any}}$ . We remark that reliable broadcast with recoverable transient crashes has been studied before. In [7], one can find a live BRB protocol against a polynomially bounded adversary for when $3t+2f<n$ and at most $f$ honest parties suffer transient crashes for a polynomially bounded number of times.

2 Model

We consider an asynchronous network of $n$ message-sending parties $\mathcal{P}=\{P_{1},\dots,P_{n}\}$ who are connected pairwise via reliable authenticated channels. The party set $\mathcal{P}$ is publicly known. The parties do not have access to synchronized clocks.

Our basic adversary, which we name the $t$ -adversary, corrupts up to $t$ parties. The corrupt parties are byzantine; they deviate arbitrarily from the protocol. The rest of the parties are honest. The adversary schedules messages as it wishes, and it is only required to eventually deliver all messages from honest senders. The adversary can also adaptively corrupt parties during the execution of a protocol depending on the sent messages and the parties’ internal states, and drop messages from parties by corrupting them. So, we call a party honest if it is never corrupted. Unless stated otherwise, our protocols are designed against the $t$ -adversary.

By default, a party must run a protocol until it is instructed to terminate. However, a QBRB protocol lets each party quit whenever it wishes by invoking the procedure $\mathsf{Quit}()$ , in which the party might send some final messages to help the remaining parties terminate. The adversary can influence if and when a party invokes $\mathsf{Quit}()$ . The invocation of $\mathsf{Quit}()$ is an event which a party handles like any other. A QBRB protocol keeps validity and consistency no matter when any honest party invokes $\mathsf{Quit}()$ , but potentially loses global termination if an honest party invokes $\mathsf{Quit}()$ before some honest party terminates.

In Section 6, we design the broadcast protocol $\Pi_{\mathsf{Any}}$ against an adversary which can cause a single transient crash for any honest party. This adversary can arbitrarily choose when any crash occurs and how long it lasts. At the end of a crash, the recovering party immediately invokes $\mathsf{Quit}()$ , having retained the information that $\mathsf{Quit}()$ needs (the kinds of messages the party has sent in $\Pi_{\mathsf{Any}}$ ). We define the $(t,\mathsf{crash})$ -adversary to be the $t$ -adversary with the power to cause transient crashes as described above. Against the $(t,\mathsf{crash})$ -adversary, $\Pi_{\mathsf{Any}}$ achieves local and global termination no matter when any honest party quits, though with weaker output guarantees if more than $q$ honest parties quit before some honest termination.

When a party “multicasts” a message $m$ , it sends $m$ to all parties. To keep things simple, we assume that the honest parties do not transiently crash while multicasting, though note that we could remove this assumption by requiring any party that crashes while multicasting any $m$ to remember $m$ so that it can multicast $m$ again when it recovers from the crash.

For composability, the parties do not begin protocols “having” inputs. Instead, they “acquire” inputs while they are running. This matters since we consider protocols where some parties might quit before they acquire inputs, or terminate despite never acquiring inputs.

3 Insufficiency of Standard BRB for Terminating All-to-All Broadcast

Below, we present the classical BRB protocol $\Pi_{\mathsf{Bracha}}$ [10]. Note that a party $P_{i}$ only accepts a single ECHO message and a single READY message from any party $P_{j}$ . We do not require a party to multicast $\langle{\texttt{ECHO}},{v}\rangle$ upon receiving $t+1$ $\langle{\texttt{READY}},{v}\rangle$ messages; this rule is absent in modern renditions of the protocol [1, 11]. The protocol $\Pi_{\mathsf{Bracha}}$ is proven secure in [1, 10, 11].

And now, we present a version of $\Pi_{\mathsf{All}}$ which fails to terminate because it uses $\Pi_{\mathsf{Bracha}}$ .

Let us informally argue that $\Pi_{\mathsf{All}}$ terminates against the $t$ -adversary when $t<\frac{n}{3}$ . Since there exist at least $n-t$ honest parties and since $\Pi_{\mathsf{Bracha}}$ guarantees termination for all honest parties when the sender is honest, eventually, some first honest $P_{i}$ terminates $n-t$ instances of $\Pi_{\mathsf{Bracha}}$ and thus terminates $\Pi_{\mathsf{All}}$ . Then, since $\Pi_{\mathsf{Bracha}}$ guarantees termination for all honest parties when some honest party terminates, every honest party can eventually terminate $\Pi_{\mathsf{All}}$ by terminating the $n-t$ instances of $\Pi_{\mathsf{Bracha}}$ terminated by $P_{i}$ .

As Theorem 1 below indicates, this argument fails. The intuitive reason why is that an honest party must stop participating in every $\Pi_{\mathsf{Bracha}}$ instance to terminate $\Pi_{\mathsf{All}}$ , which means that the party must prematurely quit $t$ instances of $\Pi_{\mathsf{Bracha}}$ before terminating them. Though some honest party eventually terminates $n-t$ $\Pi_{\mathsf{Bracha}}$ instances, these instances lose global termination if other honest parties quit them before terminating them.

Theorem 1.

When $n=7$ , the $2$ -adversary can prevent a particular party from terminating $\Pi_{\mathsf{All}}$ by making two parties omit sending messages to the party.

Proof.

The adversary corrupts $P_{2}$ and $P_{3}$ . The party $P_{1}$ will be precluded from terminating.

The adversary lets every honest $P_{i}$ acquire its input $v_{i}$ , and assigns arbitrary inputs to the corrupt parties $P_{2}$ and $P_{3}$ . These corrupt parties do not send $P_{1}$ any messages, but otherwise they behave honestly. The adversary begins with the following message scheduling:

$\blacksquare$

The communication between $P_{1}$ and the rest of the parties is indefinitely blocked.
$\blacksquare$

For $k\in\{4,\dots,7\}$ , the communication for $\Pi_{\mathsf{Bracha}}^{k}$ is indefinitely blocked for the party $P_{\mathsf{next}(k)}$ , where $\mathsf{next}(k)=k+1$ if $k<7$ and $\mathsf{next}(7)=4$ .
$\blacksquare$

Initially, all ECHO and READY messages are blocked.

First, each party $P_{i}$ sends the INIT messages of its broadcast instance $\Pi_{\mathsf{Bracha}}^{i}$ . The INIT messages in $\Pi_{\mathsf{Bracha}}^{1}$ are received by only $P_{1}$ . The INIT messages in $\Pi_{\mathsf{Bracha}}^{2}$ and $\Pi_{\mathsf{Bracha}}^{3}$ are received by all parties except $P_{1}$ . For all $k\geq 4$ , the INIT messages in $\Pi_{\mathsf{Bracha}}^{k}$ are received by all parties except $P_{1}$ and $P_{\mathsf{next}(k)}$ .

Then, the adversary unblocks the ECHO messages. The ECHO messages in $\Pi_{\mathsf{Bracha}}^{1}$ are sent and received by only $P_{1}$ . The ECHO messages in $\Pi_{\mathsf{Bracha}}^{2}$ and $\Pi_{\mathsf{Bracha}}^{3}$ are sent and received by all parties except $P_{1}$ ; so, all parties except $P_{1}$ send READY messages in $\Pi_{\mathsf{Bracha}}^{2}$ and $\Pi_{\mathsf{Bracha}}^{3}$ . For all $k\geq 4$ , the ECHO messages in $\Pi_{\mathsf{Bracha}}^{k}$ are sent and received by all parties except $P_{1}$ and $P_{\mathsf{next}(k)}$ ; so, all parties except $P_{1}$ and $P_{\mathsf{next}(k)}$ send READY messages in $\Pi_{\mathsf{Bracha}}^{k}$ .

Afterwards, the adversary unblocks the READY messages. No party sends READY messages in $\Pi_{\mathsf{Bracha}}^{1}$ . The READY messages in $\Pi_{\mathsf{Bracha}}^{2}$ and $\Pi_{\mathsf{Bracha}}^{3}$ are sent and received by all parties except $P_{1}$ . For all $k\geq 4$ , the READY messages in $\Pi_{\mathsf{Bracha}}^{k}$ are sent and received by all parties except $P_{1}$ and $P_{\mathsf{next}(k)}$ . So, for all $k\geq 4$ , the party $P_{\mathsf{next}(k)}$ terminates $\Pi_{\mathsf{All}}$ by receiving at least $n-2$ READY messages in all $\Pi_{\mathsf{Bracha}}$ instances except $\Pi_{\mathsf{Bracha}}^{1}$ and $\Pi_{\mathsf{Bracha}}^{k}$ . Since $\mathsf{next}$ is a permutation of $\{4,\dots,7\}$ , we get that the parties $P_{4},\dots,P_{7}$ all terminate $\Pi_{\mathsf{All}}$ .

Finally, the adversary unblocks all communication. No party sends READY messages in $\Pi_{\mathsf{Bracha}}^{1}$ , and so $P_{1}$ does not terminate $\Pi_{\mathsf{Bracha}}^{1}$ . In any broadcast instance $\Pi_{\mathsf{Bracha}}^{k}$ where $k\geq 4$ , the party $P_{1}$ receives READY messages from the $3$ parties in $\{P_{4},\dots,P_{7}\}\setminus\{P_{\mathsf{next}(k)}\}$ . This suffices for $P_{1}$ to send itself a READY message in $\Pi_{\mathsf{Bracha}}^{k}$ . Even then, $P_{i}$ only receives $4$ READY messages in $\Pi_{\mathsf{Bracha}}^{k}$ , which is insufficient for termination. Since $P_{1}$ cannot terminate any $\Pi_{\mathsf{Bracha}}$ instance except $\Pi_{\mathsf{Bracha}}^{2}$ and $\Pi_{\mathsf{Bracha}}^{3}$ , it cannot terminate $\Pi_{\mathsf{All}}$ . $\hfill\blacktriangleleft$

4 Quit-Resistant BRB

One could thwart the attack with a termination procedure based on reliable consensus [13] by exploiting the fact that if an honest party terminates a $\Pi_{\mathsf{Bracha}}$ instance, then every party learns the instance’s output by receiving $n-2t$ READY messages on the output. However, it is hard to come up with a termination procedure that works with any BRB protocol instead of just $\Pi_{\mathsf{Bracha}}$ , and our view is not that $\Pi_{\mathsf{All}}$ is lacking a termination procedure but that the termination properties of standard BRB are lacking for protocols like $\Pi_{\mathsf{All}}$ where a party must quit remaining BRB instances to terminate. Hence, we define quit-resistant BRB (QBRB). A QBRB protocol lets any party quit by invoking $\mathsf{Quit}()$ . Given a fixed sender party $P^{*}$ who might (or might not) eventually acquire an input $v^{*}$ , a QBRB protocol ensures the following:

$\blacksquare$

Validity: If $P^{*}$ is honest, and an honest $P_{i}$ outputs $y_{i}$ , then $P^{*}$ has acquired $v^{*}=y_{i}$ .
$\blacksquare$

Consistency: If honest parties $P_{i}$ and $P_{j}$ output $y_{i}$ and $y_{j}$ , then $y_{i}=y_{j}$ .
$\blacksquare$

Local Termination: If $P^{*}$ is honest, and it acquires an input, then either some honest party terminates, or some honest party quits.
$\blacksquare$

Global Termination: If some honest party terminates before any honest party quits, then every honest party either terminates or quits.

We keep the definitions of validity and consistency from standard BRB. However, while a standard BRB protocol requires the parties to run until instructed to terminate, a QBRB protocol lets each party quit whenever it wishes by invoking $\mathsf{Quit}()$ , and retains a meaningful global termination guarantee if no honest party quits before some honest party terminates.

QBRB is what $\Pi_{\mathsf{All}}$ needs to terminate. If in $\Pi_{\mathsf{All}}$ one replaces $\Pi_{\mathsf{Bracha}}$ with any QBRB protocol, then the QBRB instances terminated by the first honest party who terminates $\Pi_{\mathsf{All}}$ retain global termination, and thus $\Pi_{\mathsf{All}}$ terminates.

Below, we modify $\Pi_{\mathsf{Bracha}}$ into a QBRB protocol $\Pi_{\mathsf{Quit}}$ , optimally secure when $t<\frac{n}{3}$ . We do so with the QUIT message which a party multicasts when it invokes $\mathsf{Quit}()$ , making it easier for the remaining parties to terminate. The QUIT messages do not compromise the safety guarantees since $t+1$ READY messages are required to obtain output, and global termination relies on the fact that if the honest parties do not multicast QUIT before some honest party terminates, then the first honest termination occurs after $t+1$ honest parties multicast $\langle{\texttt{READY}},{v}\rangle$ for some $v$ , which means that every honest party will multicast $\langle{\texttt{READY}},{v}\rangle$ or QUIT.

Theorem 2.

$\Pi_{\mathsf{Quit}}$ is a secure QBRB protocol when $t<\frac{n}{3}$ .

Proof.

Consistency and Validity.

For any $v$ , let $P_{i}$ be the first honest party who multicasts $\langle{\texttt{READY}},{v}\rangle$ . The party $P_{i}$ cannot have done this after having received $\langle{\texttt{READY}},{v}\rangle$ from $t+1$ parties, because then there would need to exist a prior honest party who multicast $\langle{\texttt{READY}},{v}\rangle$ . Therefore, $P_{i}$ must have received $\langle{\texttt{ECHO}},{v}\rangle$ from $\lfloor\frac{n+t}{2}\rfloor+1$ parties.

For contradiction, suppose that for some distinct $v$ and $v^{\prime}$ , some honest parties multicast $\langle{\texttt{READY}},{v}\rangle$ and some honest parties multicast $\langle{\texttt{READY}},{v^{\prime}}\rangle$ . Let $P$ and $P^{\prime}$ be the first honest parties who respectively multicast $\langle{\texttt{READY}},{v}\rangle$ and $\langle{\texttt{READY}},{v^{\prime}}\rangle$ . Then, $P$ must have received $\langle{\texttt{ECHO}},{v}\rangle$ from $\lfloor\frac{n+t}{2}\rfloor+1$ parties, and $P^{\prime}$ must have received $\langle{\texttt{ECHO}},{v^{\prime}}\rangle$ from $\lfloor\frac{n+t}{2}\rfloor+1$ parties. These quorums have an intersection of at least $t+1$ parties, and hence we get the contradiction that an honest party must have sent $\langle{\texttt{ECHO}},{v}\rangle$ to $P$ and $\langle{\texttt{ECHO}},{v^{\prime}}\rangle$ to $P^{\prime}$ .

Suppose some honest $P_{i}$ outputs $v$ . Then, $P_{i}$ must have received $\langle{\texttt{READY}},{v}\rangle$ from at least $t+1$ parties, at least one of which is honest. Since honest parties cannot multicast $\langle{\texttt{READY}},{v^{\prime}}\rangle$ for any $v^{\prime}\neq v$ , no honest party outputs any $v^{\prime}\neq v$ . That is, we have consistency.

Furthermore, if $P^{*}$ is honest, then the only message on which a party may receive ECHO messages from $\lfloor\frac{n+t}{2}\rfloor+1>t$ parties is the input $v^{*}$ of $P^{*}$ , after $P^{*}$ has acquired $v^{*}$ and multicast $\langle{\texttt{INIT}},{v^{*}}\rangle$ . This implies validity since an honest party can output any $v$ only after some honest party receives $\langle{\texttt{ECHO}},{v}\rangle$ from $\lfloor\frac{n+t}{2}\rfloor+1$ parties and multicasts $\langle{\texttt{READY}},{v}\rangle$ .

Local Termination.

For contradiction, consider a counterexample execution of $\Pi_{\mathsf{Quit}}$ where $P^{*}$ is honest, and it acquires an input, but no honest party terminates or quits. Then, the honest parties participate forever in the execution. Every honest party receives $\langle{\texttt{INIT}},{v^{*}}\rangle$ from $P^{*}$ and thus multicasts $\langle{\texttt{ECHO}},{v^{*}}\rangle$ . Then, every honest party receives $\langle{\texttt{ECHO}},{v^{*}}\rangle$ from $n-t\geq\lfloor\frac{n+t}{2}\rfloor+1$ parties and thus multicasts $\langle{\texttt{READY}},{v^{*}}\rangle$ if it has not multicast a READY message (which would have to be $\langle{\texttt{READY}},{v^{*}}\rangle$ ) already. Finally, since all honest parties multicast $\langle{\texttt{READY}},{v^{*}}\rangle$ , some honest party terminates after receiving the message QUIT from $f$ byzantine parties (where $f\leq t$ ) and receiving $\langle{\texttt{READY}},{v^{*}}\rangle$ from $2t+1-f\leq n-t$ parties. This contradicts the assumption that no honest party terminates.

Global Termination.

Suppose some honest $P_{i}$ terminates with the output $v$ , with no honest parties terminating or quitting earlier. Then, $P_{i}$ must have received $\langle{\texttt{READY}},{v}\rangle$ from $2t+1-f$ parties, where $f$ is the number of QUIT messages $P_{i}$ received. These $f$ messages must have corrupt senders because honest parties do not quit before $P_{i}$ terminates. Since $P_{i}$ does not accept both a QUIT message and a READY message from the same party, at least $2t+1-f-(t-f)=t+1$ of the parties from whom $P_{i}$ accepted the message $\langle{\texttt{READY}},{v}\rangle$ must be honest. So, every honest party either multicasts QUIT, or receives $\langle{\texttt{READY}},{v}\rangle$ from $t+1$ parties, which makes it set its output to $v$ and multicast $\langle{\texttt{READY}},{v}\rangle$ if it has not multicast a READY message (which would have to be $\langle{\texttt{READY}},{v}\rangle$ ) already. Finally, every honest party either quits, or terminates after receiving from $2t+1$ parties the messages QUIT or $\langle{\texttt{READY}},{v}\rangle$ . $\hfill\blacktriangleleft$

We remark that we purposefully defined global termination so that it guarantees nothing if some honest party quits before any honest party terminates. In [23], the authors construct a signature-based reliable broadcast protocol which a party terminates upon receiving/constructing a certificate (that consists of the output $y$ and signatures on $y$ from $t+1$ parties), after multicasting the certificate so that everyone can terminate by receiving it. This protocol is (with the addition of an empty $\mathsf{Quit}()$ procedure) a QBRB protocol which guarantees that if some honest party terminates, then every honest party who does not quit eventually terminates, no matter when any honest party quits. Our $\Pi_{\mathsf{Quit}}$ does not achieve this stronger global termination property, and we do not know whether any error-free QBRB protocol can.

5 Efficient Terminating Gather

In Gather, each party $P_{i}$ may eventually acquire an $\ell$ -bit input $v_{i}$ (where $\ell$ is publicly known), and each party $P_{i}$ outputs a set of value-sender pairs $X_{i}$ (with at most one value per sender). Against the $t$ -adversary, a Gather protocol must achieve the following correctness properties:

$\blacksquare$

Common Core: There exists a common core set $\mathcal{C}\subseteq\mathcal{P}$ of size at least $n-t$ such that every honest output set $X_{i}$ contains some $(m_{j},P_{j})$ for all $P_{j}\in\mathcal{C}$ .
$\blacksquare$

Validity: If there exists some $(m_{j},P_{j})\in X_{i}$ for any honest $P_{i}$ and $P_{j}$ , then $m_{j}=v_{j}$ .
$\blacksquare$

Consistency: If there exist some $(m,P)\in X_{i}$ and $(m^{\prime},P)\in X_{j}$ for any honest $P_{i}$ and $P_{j}$ , then $m=m^{\prime}$ .

If the protocol is binding, then the following stronger version of common core must hold:

$\blacksquare$

Binding Common Core: At the moment when some honest party outputs for the first time, one can extract a common core set $\mathcal{C}$ from the views of the honest parties.

Finally, the protocol should have one of the following termination-related properties:

$\blacksquare$

Liveness: Suppose the honest parties all eventually acquire inputs. If the honest parties all run the protocol forever, then they all obtain outputs from it.
$\blacksquare$

Termination: Suppose the honest parties all eventually acquire inputs. If the honest parties all run the protocol until they terminate it, then they all terminate the protocol.
$\blacksquare$

Strong Termination: If all honest parties eventually acquire inputs, then some honest party terminates; and if some honest party terminates, all honest parties terminate.

Strong termination is typically the termination property a termination procedure (e.g. reliable consensus [13]) achieves. To see why it matters, let $\Pi_{L}$ and $\Pi_{T}$ be Gather protocols, the former with liveness only. Let the parties run $\Pi_{L}$ on their inputs, transform their $\Pi_{L}$ outputs into $\Pi_{T}$ inputs, obtain final outputs from $\Pi_{T}$ , and terminate when they output. When a party terminates the composed protocol, it necessarily stops running $\Pi_{L}$ . Hence, the remaining parties might not output from $\Pi_{L}$ , and thus not acquire $\Pi_{T}$ inputs. Now, if $\Pi_{T}$ strongly terminates, then the composed protocol does so as well since no party quits $\Pi_{L}$ before some party terminates $\Pi_{T}$ . However, if $\Pi_{T}$ is just terminating, then the composed protocol might not terminate since some honest parties might never obtain $\Pi_{T}$ inputs. Approximate agreement protocols often consist of Gather iterations composed like this, and the strong termination of the last iteration suffices for the composed protocol to (strongly) terminate.

With $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ we denote the most efficient live Gather protocol we know of [15]. Instantiated with a state-of-the-art standard BRB protocol which requires $\mathcal{O}(\ell n+n^{2}\log n)$ bits of communication [6], it achieves the bit complexity $\mathcal{O}(\ell n^{2}+n^{3}\log n)$ . The protocol $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ is presented in [15], though for completeness we restate it and its security proof in the appendix. Note that $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ is not binding, but our strongly terminating Gather protocol $\Pi_{\mathsf{Gthr}}$ will be.

The protocol $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ involves $n$ standard BRB broadcasts of $\ell$ -bit inputs, $n$ standard BRB broadcasts of $n$ -bit inputs and $n$ multicasts of $n$ -bit inputs. To make $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ (strongly) terminate, it suffices to replace its standard BRB broadcasts and multicasts with QBRB broadcasts. The issue is that against $t<\frac{n}{3}$ corruptions we do not know of a more efficient error-free QBRB protocol than $\Pi_{\mathsf{Quit}}$ , and replacing all standard BRB broadcasts and multicasts in $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ with $\Pi_{\mathsf{Quit}}$ instances results in the bit complexity $\mathcal{O}(\ell n^{3}+n^{4})$ . Our $\Pi_{\mathsf{Gthr}}$ protocol instead achieves strong termination while preserving the complexity $\mathcal{O}(\ell n^{2}+n^{3}\log n)$ .

5.1 k-slot Consensus

To construct $\Pi_{\mathsf{Gthr}}$ , we need a 5-slot consensus⁴⁴4In the literature 5-slot consensus is better known as (binary) graded consensus, with the possible outputs $(0,2),(0,1),(\bot,0),(1,1),(1,2)$ . We use the mapping $[(0,2),(0,1),(\bot,0),(1,1),(1,2)]\leftrightarrow[0,\frac{1}{4},\frac{2}{4},% \frac{3}{4},1]$ . We define k-slot consensus so that we can compare k-slot consensus outputs with numbers.protocol with strong termination. In a k-slot consensus protocol, each party $P_{i}$ may eventually acquire an input $v_{i}\in\{0,1\}$ and obtain an output $y_{i}\in\{0,\frac{1}{k-1},\dots,\frac{k-2}{k-1},1\}$ . The following output correctness properties must hold:

$\blacksquare$

Validity: If for some $b$ every honest input is $b$ , then every honest output is $b$ .
$\blacksquare$

k-Consistency: There exists some $z$ such that every honest output is in $\{z,z+\frac{1}{k-1}\}$ .

Of course, a k-slot consensus protocol must also have some termination guarantee. This may be liveness, termination or strong termination, which are defined as they were for Gather.

In [22], the authors present a constant-round quorum-based termination procedure which when $t<\frac{n}{\max(3,\omega+1)}$ turns any live protocol $\Pi$ where the honest parties obtain at most $\omega$ distinct outputs into a strongly terminating⁵⁵5In [22], the authors do not consider strong termination, and only prove that their procedure upgrades live protocols into terminating ones. However, upon inspection one can observe that their procedure results in strong termination. This is also the case for the reliable consensus termination procedure [13]. protocol where each honest party runs $\Pi$ with its input and terminates with the $\Pi$ output of some honest party. The procedure has an overhead of $3$ additional rounds and $\mathcal{O}(\omega n^{2})$ additional messages carrying $\Pi$ outputs.

Since from k-slot consensus the honest parties obtain at most 2 distinct outputs and since k-slot consensus remains secure if the honest parties exchange their outputs, the procedure is perfectly suited to upgrade a live k-slot consensus protocol into a strongly terminating one when $t<\frac{n}{3}$ . In the appendix, we present the strongly terminating k-slot consensus protocol $\Pi_{\mathsf{k\textsf{-}slot}}$ where we use the procedure on a live k-slot consensus protocol $\Pi_{\mathsf{k\textsf{-}slot}}$ , alongside a proof since strong termination is not formally considered in [22].

In the rest of this section, we denote by $\Pi_{\mathsf{5\textsf{-}slot}}$ the protocol $\Pi_{\mathsf{k\textsf{-}slot}}$ instantiated with the constant-round error-free deterministic live 5-slot consensus protocol in [9] which we call $\Pi_{\mathsf{5\textsf{-}live}}$ . Against $t<\frac{n}{3}$ corruptions, $\Pi_{\mathsf{5\textsf{-}live}}$ achieves 5-slot consensus with $\mathcal{O}(n^{2})$ bits/messages. The 5-slot consensus protocol $\Pi_{\mathsf{5\textsf{-}slot}}$ has the same corruption tolerance $t<\frac{n}{3}$ and the same asymptotic complexity as $\Pi_{\mathsf{5\textsf{-}live}}$ , and it is error-free and deterministic like $\Pi_{\mathsf{5\textsf{-}live}}$ .

5.2 Online Error Correction

We use online error correction [8] based on Reed-Solomon error correcting codes [25] in order to obtain a communication complexity of the form $\mathcal{O}(\ell n^{2}+\dots)$ for $\Pi_{\mathsf{Gthr}}$ . For some $a>\log_{2}(n)$ , we use the following two functions:

$\blacksquare$

$\mathsf{Encode}(m)$ : This function takes a message $m$ of length $a\cdot(n-2t)$ , and outputs a codeword $(s_{1},\dots,s_{n})$ of $n$ symbols in the Galois Field $GF(2^{a})$ , each of which are $a$ bits long.
$\blacksquare$

$\mathsf{TryDecode}(s_{1},\dots,s_{n})$ : This function takes as input $n$ symbols $s_{1},\dots,s_{n}\in GF(2^{a})\cup\{\bot\}$ . With respect to a message $m$ with $\mathsf{Encode}(m)=(s_{1}^{\prime},\dots,s_{n}^{\prime})$ ; we call a symbol $s_{j}$ correct if $s_{j}=s_{j}^{\prime}$ , missing if $s_{j}=\bot$ , and incorrect otherwise. When used with at most $t$ missing symbols and at most $t$ incorrect symbols with respect to some $m$ , $\mathsf{TryDecode}(s_{1},\dots,s_{n})$ outputs $m$ if at least $n-t$ of the symbols are correct with respect to $m$ , and $\bot$ otherwise.

To use error correction on messages of any arbitrary length $\ell$ , we pad the messages to the length $a\cdot(n-2t)$ for some $a>\log_{2}(n)$ . This gives us the symbol bit length $a=\max(\lceil\frac{\ell}{n-2t}\rceil,\linebreak\lfloor\log_{2}(n)\rfloor+1)=% \mathcal{O}(\frac{\ell}{n}+\log n)$ . For readability, we omit explicit padding/unpadding operations.

Online error correction is useful when there is a message $m$ with $\mathsf{Encode}(m)=(s_{1},\dots,s_{n})$ such that each honest $P_{j}$ multicasts $s_{j}$ . Then, each honest $P_{i}$ can keep track of the symbols it receives, and upon receiving $n-t+r$ symbols for each $r\in\{0,\dots,t\}$ run $\mathsf{TryDecode}$ in an attempt to obtain $m$ . The output will be $m$ or $\bot$ in each trial as in each trial there will be at most $t$ missing symbols and at most $t$ incorrect symbols with respect to $m$ . Furthermore, since $P_{i}$ can eventually receive the symbol $s_{j}$ from each honest $P_{j}$ , in some $\mathsf{TryDecode}$ trial there will be $n-t$ correct symbols and $m$ will be the output.

The most efficient standard BRB protocol we are aware of [6] uses the online error correction approach above to achieve the bit complexity $\mathcal{O}(\ell n+n^{2}\log n)$ . The approach falters for QBRB because an honest party may quit a QBRB instance without ever sending any message related to the sender’s input. This prevents us from designing a QBRB protocol against $t<\frac{n}{3}$ corruptions (and not just $t\leq\frac{(1-\varepsilon)n}{3}$ for a positive constant $\varepsilon$ ) with the bit complexity $\mathcal{O}(\ell n+n^{2}\log n)$ . Nevertheless, we are able to use online error correction in $\Pi_{\mathsf{Gthr}}$ .

5.3 The Gather Protocol

The Gather protocol $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ is similar to $\Pi_{\mathsf{All}}$ in that the parties broadcast their inputs with standard BRB instances, and each honest $P_{i}$ inserts a value-sender pair to its output set $X_{i}$ when it terminates a BRB instance. In $\Pi_{\mathsf{Gthr}}$ we use $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ , but with external access to the output set $X_{i}$ which each honest $P_{i}$ builds in $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ . Hence, we denote the $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ output of each honest $P_{i}$ with $Z_{i}$ . The set $Z_{i}$ is a snapshot of $X_{i}$ made when $P_{i}$ outputs from $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ .

Inspired by the classical ACS protocol in [8] which involves one byzantine agreement instance per party to decide whether the party’s input gets into the core set, we run $n$ instances of $\Pi_{\mathsf{5\textsf{-}slot}}$ , named $\Pi_{\mathsf{5\textsf{-}slot}}^{1},\dots,\Pi_{\mathsf{5\textsf{-}slot}}^{n}$ . Upon obtaining $Z_{i}$ from $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ , the party $P_{i}$ provides an input to each $\Pi_{\mathsf{5\textsf{-}slot}}$ instance; the input is $1$ if there exists a pair $(m_{j},P_{j})\in Z_{i}$ .

We call an honest $P_{i}$ happy if it has terminated every $\Pi_{\mathsf{5\textsf{-}slot}}$ instance, and has inserted some $(m_{j},P_{j})$ to $X_{i}$ whenever $g_{i}^{j}\geq\frac{1}{4}$ . Note that $g_{i}^{j}>\frac{1}{4}$ indicates by the validity of $\Pi_{\mathsf{5\textsf{-}slot}}$ that some honest $P_{k}$ has $(m_{j},P_{j})\in Z_{k}$ . So, unless some honest party stops running $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ , eventually $P_{i}$ can terminate the standard BRB terminated by $P_{k}$ and insert $(m_{j},P_{j})$ to $X_{i}$ . Upon becoming happy, the party $P_{i}$ lets $(S_{j,1},\dots S_{j,n})=\mathsf{Encode}(m_{j})$ if $g_{i}^{j}\geq\frac{1}{4}$ , and lets $(S_{j,1},\dots S_{j,n})=\linebreak(\bot,\dots,\bot)$ otherwise. Then, $P_{i}$ sends each $P_{j}$ the message $\langle{\texttt{YOURS}},{(S_{1,j},\dots,S_{n,j})}\rangle$ .

Suppose that a party $P_{i}$ terminates $\Pi_{\mathsf{5\textsf{-}slot}}^{j}$ with $g_{i}^{j}\geq\frac{2}{4}$ , and that there are at least $t+1$ happy parties. Then, by the 5-consistency of $\Pi_{\mathsf{5\textsf{-}slot}}^{j}$ , every happy party $P_{k}$ has $g_{k}^{j}\geq\frac{1}{4}$ , and thus the happy parties send YOURS vectors to $P_{i}$ with a common non- $\bot$ $j^{\text{th}}$ symbol. So, every party $P_{i}$ can (and must, before it terminates $\Pi_{\mathsf{Gthr}}$ ) eventually multicast $\langle{\texttt{MINE}},{(s_{1},\dots,s_{n})}\rangle$ , where for all $j$ , if $g_{i}^{j}\leq\frac{1}{4}$ then $s_{j}=\bot$ , and otherwise $s_{j}$ is the common non- $\bot$ $j^{\text{th}}$ symbol in $t+1$ YOURS vectors which $P_{i}$ receives. Note that if $s_{j}\neq\bot$ , then $s_{j}$ is the $i^{\text{th}}$ symbol of $\mathsf{Encode}(m_{j})$ , where $m_{j}$ is the unique message such that some honest $P_{k}$ has $(m_{j},P_{j})\in X_{k}$ .

Finally, a party $P_{i}$ could terminate $\Pi_{\mathsf{5\textsf{-}slot}}^{j}$ with $g_{i}^{j}\geq\frac{3}{4}$ . Then, to ensure the binding common core property, $P_{i}$ must insert some $(m_{j},P_{j})$ to its $\Pi_{\mathsf{Gthr}}$ output set $Q_{i}$ . By the 5-consistency of $\Pi_{\mathsf{5\textsf{-}slot}}^{j}$ , every honest $P_{k}$ has $g_{k}^{j}\geq\frac{2}{4}$ , which means that $P_{k}$ multicasts a MINE vector whose $j^{\text{th}}$ symbol is the $k^{\text{th}}$ symbol of $\mathsf{Encode}(m_{j})$ , where $m_{j}$ is the unique message such that some honest $P_{q}$ has $(m_{j},P_{j})\in X_{q}$ . So, $P_{i}$ can obtain $m_{j}$ via online error correction.

In $\Pi_{\mathsf{Gthr}}$ , we use READY quorums of size $t+1$ and $2t+1$ in the manner of Bracha’s protocol to ensure without impacting liveness that no honest party terminates before $t+1$ parties become happy. Since a party must terminate every $\Pi_{\mathsf{5\textsf{-}slot}}$ instance to become happy, the strong termination of $\Pi_{\mathsf{5\textsf{-}slot}}$ ensures that every honest party terminates every $\Pi_{\mathsf{5\textsf{-}slot}}$ instance. Furthermore, the YOURS vectors multicast by at least $t+1$ happy parties ensure that the parties all multicast MINE vectors, and thus that they all construct the messages they need.

When a party $P_{i}$ terminates $\Pi_{\mathsf{Gthr}}$ , one can use its view to compute the binding common core $\mathcal{C}_{i}=\{P_{j}\in\mathcal{P}:g_{i}^{j}=1\}$ . The common core property of $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ and the validity of $\Pi_{\mathsf{5\textsf{-}slot}}$ ensure that $\mathcal{C}_{i}\supseteq\mathcal{C}^{\prime}$ where $\mathcal{C}^{\prime}$ is any common core of $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ , and therefore that $|\mathcal{C}_{i}|\geq n-t$ . Moreover, $\mathcal{C}_{i}$ is a common core since the 5-consistency of $\Pi_{\mathsf{5\textsf{-}slot}}$ ensures that for all $P_{k}\in\mathcal{C}_{i}$ , every honest $P_{j}$ obtains $g_{j}^{k}\geq\frac{3}{4}$ , and therefore inserts some $(m_{k},P_{k})$ to $Q_{j}$ .

In $\Pi_{\mathsf{Gthr}}$ , the parties send $\mathcal{O}(\ell n^{2}+n^{3}\log n)$ bits/ $\mathcal{O}(n^{3})$ messages in $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ , $\mathcal{O}(n^{3}\log n)$ bits/ $\mathcal{O}(n^{3})$ messages in the $n$ instances of $\Pi_{\mathsf{5\textsf{-}slot}}$ (the $\log n$ factor is from $\lceil\log_{2}(n)\rceil$ -bit message tags which are necessary to distinguish the $\Pi_{\mathsf{5\textsf{-}slot}}$ instances), $\mathcal{O}(n^{2})$ bits/messages for the READY notifications, and finally $\mathcal{O}(ln^{2}+n^{3}\log n)$ bits/ $\mathcal{O}(n^{2})$ messages for the YOURS and MINE vectors. Hence, the complexity of $\Pi_{\mathsf{Gthr}}$ is $\mathcal{O}(\ell n^{2}+n^{3}\log n)$ bits and $\mathcal{O}(n^{3})$ messages.

Theorem 3.

$\Pi_{\mathsf{Gthr}}$ is a secure binding Gather protocol with strong termination when $t<\frac{n}{3}$ .

Due to a lack of space, we formally prove Theorem 3 in the appendix.

Some Gather variants also achieve the property verifiability [3, 4, 26]. Essentially (as defined in [26]), each honest $P_{i}$ has a function $\mathsf{Verify}_{i}$ which outputs a bit given $P_{i}$ ’s current view and any party set $\mathcal{P}^{\prime}$ . $\mathsf{Verify}_{i}(\mathcal{P}^{\prime})$ outputs $0$ if $\mathcal{P}^{\prime}$ does not contain the binding common core, and eventually outputs $1$ if $\mathcal{P}^{\prime}$ is the set of the senders in $Q_{j}$ for some honest $P_{j}$ . Also, if $\mathsf{Verify}_{i}(\mathcal{P}^{\prime})=1$ at any time, then $\mathsf{Verify}_{i}(\mathcal{P}^{\prime})=1$ at any later time. To achieve verifiability, we can replace 5-slot consensus in $\Pi_{\mathsf{Gthr}}$ with 6-slot consensus, and require each $P_{i}$ to include some $(m_{j},P_{j})$ in its output set $Q_{i}$ when $g_{i}^{j}\geq\frac{3}{5}$ . Then, from $P_{i}$ we can extract the binding common core $\{P_{j}\in\mathcal{P}:g_{i}^{j}=1\}$ , and for each $P_{j}$ let $\mathsf{Verify}_{j}(\mathcal{P}^{\prime})$ output $1$ after $P_{j}$ terminates iff $\mathcal{P}^{\prime}\supseteq\{P_{k}\in\mathcal{P}:g_{j}^{k}\geq\frac{4}{5}\}$ . However, this is insufficient for the “agreement on verification” in [3, 4], which requires for all $\mathcal{P}^{\prime}$ that if $\mathsf{Verify}_{i}(\mathcal{P}^{\prime})$ outputs $1$ for some $P_{i}$ , then eventually $\mathsf{Verify}_{j}(\mathcal{P}^{\prime})$ outputs $1$ for all $P_{j}$ . We do not see a way to achieve termination and “agreement on verification” together without switching from Gather to asynchronous core set agreement.

6 QBRB Against Arbitrary Quits

The QBRB protocol $\Pi_{\mathsf{Quit}}$ in Section 4 loses its termination guarantees if any honest party quits before some honest party terminates. Now, we design an error-free deterministic QBRB variant $\Pi_{\mathsf{Any}}$ which keeps its termination guarantees no matter when any honest party quits.

Of course, such lax participation from the honest parties makes the standard output guarantees impossible. Hence, we introduce the extra outputs $\bot$ and $\top$ . For some publicly known $q$ , if at most $q$ honest parties quit before some honest party terminates, then $\Pi_{\mathsf{Any}}$ is just a QBRB protocol, albeit one with an extra output $\top$ to indicate that the sender quit before it acquired an input. If more than $q$ honest parties quit before some honest party terminates, then we relax the output guarantees and give each party the individual option to output $\bot$ . The protocol $\Pi_{\mathsf{Any}}$ optimally requires $4t+q<n$ for this, which means that if $t\ll n$ , then almost every honest party can quit without the output $\bot$ becoming permitted.

Formally, let $\mathcal{M}$ be the input domain of $\Pi_{\mathsf{Any}}$ , with $\mathcal{M}\cap\{\bot,\top\}=\varnothing$ . The protocol $\Pi_{\mathsf{Any}}$ has the output domain $\mathcal{M}\cup\{\bot,\top\}$ , and given a fixed sender party $P^{*}$ who may eventually acquire an input $v^{*}\in\mathcal{M}$ , it guarantees the following against the $(t,\mathsf{crash})$ -adversary:

$\blacksquare$

Validity: Suppose $P^{*}$ is honest. If an honest $P_{i}$ outputs $y_{i}\in\mathcal{M}$ , then $P^{*}$ has acquired $v^{*}=y_{i}$ , and if an honest $P_{i}$ outputs $\top$ , then $P^{*}$ has quit before acquiring an input.
$\blacksquare$

Consistency: If honest parties $P_{i}$ and $P_{j}$ output $y_{i}\neq\bot$ and $y_{j}\neq\bot$ , then $y_{i}=y_{j}$ .
$\blacksquare$

Robustness: If at most $q$ honest parties quit before some honest party terminates, then no honest party outputs $\bot$ .
$\blacksquare$

Local Termination: If $P^{*}$ is honest, and it either acquires an input or quits before doing so, then either some honest party terminates, or all honest parties quit.
$\blacksquare$

Global Termination: If some honest party terminates, then every honest party either terminates or quits.

As per the definition of the $(t,\mathsf{crash})$ -adversary in Section 2, the protocol $\Pi_{\mathsf{Any}}$ achieves security even if the reason a party quits is that it has suffered a transient crash. This makes $\Pi_{\mathsf{Any}}$ of practical interest when the parties are prone to such crashes. For example, a party could get disconnected from the network or run out of battery while running $\Pi_{\mathsf{Any}}$ . Then, upon recovering, the party would invoke $\mathsf{Quit}()$ to help the remaining parties terminate.

In $\Pi_{\mathsf{Any}}$ , transient crash tolerance follows from quit tolerance. If a party invokes $\mathsf{Quit}()$ upon recovering from a crash, then the protocol proceeds almost as if the party never crashed, but just invoked $\mathsf{Quit}()$ while running normally. From before crashing a party must retain only the information that $\mathsf{Quit}()$ needs. In $\Pi_{\mathsf{Any}}$ , a party must remember the kinds of messages (among INIT, ECHO, READY) that it multicast before crashing.

Theorem 4.

$\Pi_{\mathsf{Any}}$ is secure when $4t+q<n$ .

Due to a lack of space, we formally prove Theorem 4 in the appendix. Note that $4t+q<n$ is optimal (by Theorem 5) even if the honest parties cannot transiently crash.

The main innovation in $\Pi_{\mathsf{Any}}$ is the flexible ECHO quorum threshold, which allows the honest parties to form ECHO quorums on the INIT value $v^{*}$ of an honest sender $P^{*}$ (the input of $P^{*}$ , or $\top$ if $P^{*}$ quits before acquiring an input) as long as at most $t+q$ honest parties quit. If $P^{*}$ is honest, it multicasts $\langle{\texttt{INIT}},{v^{*}}\rangle$ , and at most $t+q$ honest parties quit, then for some $f\leq t+q$ there exist at least $n-t-f$ honest parties who multicast $\langle{\texttt{ECHO}},{v^{*}}\rangle$ and at least $f$ honest parties who multicast $\langle{\texttt{ECHO}},{\bot}\rangle$ . Since $n-t-f>\max(t,\frac{n+t-f}{2})$ , this suffices for the honest parties to be able to form quorums on $v^{*}$ .

As usual, conflicting ECHO quorums do not occur because each honest party multicasts at most one ECHO message. Intuitively, if the adversary can create conflicting quorums on $v$ and $v^{\prime}$ with $\langle{\texttt{ECHO}},{\bot}\rangle$ messages, then it can also do so with just $\langle{\texttt{ECHO}},{v}\rangle$ and $\langle{\texttt{ECHO}},{v^{\prime}}\rangle$ messages. So, consider the case where the corrupt parties never send $\langle{\texttt{ECHO}},{\bot}\rangle$ . If $f\leq n$ honest parties multicast $\langle{\texttt{ECHO}},{\bot}\rangle$ , then a party must receive $\langle{\texttt{ECHO}},{v}\rangle$ from more than $\frac{n+t-f}{2}$ parties to form an ECHO quorum on $v$ . Conflicting quorums on $v\neq v^{\prime}$ do not occur since at most $n-f$ parties send either $\langle{\texttt{ECHO}},{v}\rangle$ or $\langle{\texttt{ECHO}},{v^{\prime}}\rangle$ . Lastly, an invalid quorum on $v$ (formed without $P^{*}$ sending $\langle{\texttt{INIT}},{v}\rangle$ ) is prevented by a quorum on $v$ requiring at least $t+1$ $\langle{\texttt{ECHO}},{v}\rangle$ messages.

If an honest party quits, then it multicasts both QUIT and some READY message. If $t+q+1$ honest parties quit, then the $t+q+1$ QUIT messages they multicast suffice for every honest party to multicast a READY message. Hence, every honest party can receive READY messages from $n-t$ parties and terminate. On the other hand, if at most $t+q$ honest parties quit, then we get local termination by the fact that after the honest sender $P^{*}$ multicasts $\langle{\texttt{INIT}},{v^{*}}\rangle$ , every honest party receives sufficiently many ECHO messages to multicast $\langle{\texttt{READY}},{v^{*}}\rangle$ .

If some honest party terminates, then there are at least $n-2t\geq 2t+q+1$ honest parties who multicast READY messages. Since for some $v\neq\bot$ every honest READY message is either $\langle{\texttt{READY}},{v}\rangle$ or $\langle{\texttt{READY}},{\bot}\rangle$ , either there are at least $t+1$ honest parties who multicast $\langle{\texttt{READY}},{v}\rangle$ , or there are at least $t+q+1$ honest parties who multicast $\langle{\texttt{READY}},{\bot}\rangle$ . Either way, every honest party multicasts a READY message, and so every honest party can terminate.

Finally, if at most $q$ honest parties quit before some honest $P_{i}$ terminates, then $P_{i}$ terminates with at most $q$ honest copies of $\langle{\texttt{READY}},{\bot}\rangle$ . Hence, $P_{i}$ terminates with at least $n-2t-q$ honest copies of $\langle{\texttt{READY}},{v}\rangle$ for some $v\neq\bot$ . The senders of these copies do not send READY messages on any $v^{\prime}\neq v$ ; so, any honest $P_{j}$ who terminates (including $P_{i}$ ) does so after receiving $n-3t-q\geq t+1$ honest copies of $\langle{\texttt{READY}},{v}\rangle$ and setting its output to $v$ .

Theorem 5.

If $|\mathcal{M}|\geq 2$ , $n\geq 3$ , $t\geq 1$ and $4t+q\geq n$ , then no broadcast protocol achieves against the $t$ -adversary the properties validity, consistency, robustness, local termination and global termination (all as defined for $\Pi_{\mathsf{Any}}$ ).

Proof.

Suppose $\mathcal{M}\supseteq\{m,m^{\prime}\}$ for some $m\neq m^{\prime}$ , $n\geq 3$ , $t\geq 1$ and $4t+q\geq n$ . We partition $\mathcal{P}$ into five sets $S_{1},S_{2},S_{3},Q_{C},Q_{H}$ , where $1\leq|S_{1}|,|S_{2}|,|S_{3}|\leq t$ , $|Q_{C}|\leq t$ and $|Q_{H}|\leq q$ . Let us consider a broadcast instance where $P^{*}\in S_{2}$ .

In the five scenarios below, the parties in $Q_{H}$ are honest, and they quit immediately. The parties in $Q_{C}$ also quit immediately, but they may be corrupt parties only pretending to quit. Note that the sender’s input does not influence the behavior of a non-sender who immediately quits. Finally, the parties in $S_{1}$ , $S_{2}$ and $S_{3}$ never quit or pretend to quit. In the first two scenarios, the parties in $S_{1}$ and $S_{2}$ are honest, and $P^{*}$ has the input $m$ .

$\blacksquare$

Scenario 1: In this scenario, $S_{3}$ is the set of corrupt parties, and the parties in $S_{3}$ immediately crash. The parties in $S_{1}$ must terminate despite never hearing from $S_{3}$ .
$\blacksquare$

Scenario 2: In this scenario, $Q_{C}$ is the set of corrupt parties, and the messages from $S_{3}$ are delayed. The parties in $S_{1}$ cannot afford to wait for messages from $S_{3}$ , because for them this scenario is indistinguishable from Scenario 1. Hence, they must all terminate. Furthermore, they must output $m$ because at most $q$ honest parties quit before some honest party terminates and because the honest sender $P^{*}$ never quits.

In the next two scenarios, the parties in $S_{2}$ and $S_{3}$ are honest, and $P^{*}$ has the input $m^{\prime}$ .

$\blacksquare$

Scenario 3: In this scenario, $S_{1}$ is the set of corrupt parties, and the parties in $S_{1}$ immediately crash. The parties in $S_{3}$ must terminate despite never hearing from $S_{1}$ .
$\blacksquare$

Scenario 4: In this scenario, $Q_{C}$ is the set of corrupt parties, and the messages from $S_{1}$ are delayed. Being in the same predicament as the parties in $S_{1}$ in Scenario 2, the parties in $S_{3}$ must all terminate with the output $m^{\prime}$ without waiting for messages from $S_{1}$ .

Finally, consider Scenario 5, where the adversary successfully executes a split-brain attack.

$\blacksquare$

Scenario 5: In this scenario, $S_{2}$ is the set of corrupt parties. The parties in $S_{2}$ act towards $S_{1}$ as if $P^{*}$ has the input $m$ and the messages from $S_{3}$ are delayed, and act towards $S_{2}$ as if $P^{*}$ has the input $m^{\prime}$ and the messages from $S_{1}$ are delayed. Moreover, the communication between $S_{1}$ and $S_{3}$ is indefinitely delayed. The parties in $S_{1}$ output $m$ as they cannot distinguish this scenario from Scenario 2. Likewise, the parties in $S_{3}$ output $m^{\prime}$ as they cannot distinguish this scenario from Scenario 4. This violates consistency.

$\hfill\blacktriangleleft$

References

[1] Ittai Abraham. Living with asynchrony: Bracha’s reliable broadcast. Decentralized Thoughts, 2020. URL: https://decentralizedthoughts.github.io/2020-09-19-living-with-asynchrony-brachas-reliable-broadcast/.
[2] Ittai Abraham, Yonatan Amit, and Danny Dolev. Optimal resilience asynchronous approximate agreement. In Proceedings of the 8th International Conference on Principles of Distributed Systems, OPODIS ’04, pages 229–239, Berlin, Heidelberg, 2004. Springer-Verlag. doi:10.1007/11516798_17.
[3] Ittai Abraham, Gilad Asharov, Arpita Patra, and Gilad Stern. Perfectly secure asynchronous agreement on a core set in constant expected time. Cryptology ePrint Archive, Paper 2023/1130, 2023. URL: https://eprint.iacr.org/2023/1130.
[4] Ittai Abraham, Philipp Jovanovic, Mary Maller, Sarah Meiklejohn, Gilad Stern, and Alin Tomescu. Reaching consensus for asynchronous distributed key generation. In Proceedings of the 2021 ACM Symposium on Principles of Distributed Computing, PODC ’21, pages 363–373, New York, NY, USA, 2021. Association for Computing Machinery. doi:10.1145/3465084.3467914.
[5] Ittai Abraham and Gilad Stern. Information Theoretic HotStuff. In Quentin Bramas, Rotem Oshman, and Paolo Romano, editors, 24th International Conference on Principles of Distributed Systems (OPODIS 2020), volume 184 of Leibniz International Proceedings in Informatics (LIPIcs), pages 11:1–11:16, Dagstuhl, Germany, 2021. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.OPODIS.2020.11.
[6] Nicolas Alhaddad, Sourav Das, Sisi Duan, Ling Ren, Mayank Varia, Zhuolun Xiang, and Haibin Zhang. Balanced byzantine reliable broadcast with near-optimal communication and improved computation. In Proceedings of the 2022 ACM Symposium on Principles of Distributed Computing, PODC ’22, pages 399–417, New York, NY, USA, 2022. Association for Computing Machinery. doi:10.1145/3519270.3538475.
[7] Michael Backes and Christian Cachin. Reliable broadcast in a computational hybrid model with byzantine faults, crashes, and recoveries. In 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings., pages 37–46, 2003. doi:10.1109/DSN.2003.1209914.
[8] Michael Ben-Or, Ran Canetti, and Oded Goldreich. Asynchronous secure computation. In Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, STOC ’93, pages 52–61, New York, NY, USA, 1993. Association for Computing Machinery. doi:10.1145/167088.167109.
[9] Erica Blum, Jonathan Katz, and Julian Loss. Synchronous consensus with optimal asynchronous fallback guarantees. In Theory of Cryptography, pages 131–150, Cham, Switzerland, 2019. Springer International Publishing. doi:10.1007/978-3-030-36030-6_6.
[10] Gabriel Bracha. Asynchronous byzantine agreement protocols. Information and Computation, 75(2):130–143, 1987. doi:10.1016/0890-5401(87)90054-X.
[11] Christian Cachin. Secure distributed computing. École Polytechnique Fédérale de Lausanne, 2009. URL: https://dcl.epfl.ch/site/_media/education/sdc_byzconsensus.pdf.
[12] Ran Canetti and Tal Rabin. Fast asynchronous byzantine agreement with optimal resilience. In Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, STOC ’93, pages 42–51, New York, NY, USA, 1993. Association for Computing Machinery. doi:10.1145/167088.167105.
[13] Annick Chopard, Martin Hirt, and Chen-Da Liu-Zhang. On communication-efficient asynchronous mpc with adaptive security. In Theory of Cryptography: 19th International Conference, TCC’21, pages 35–65, Berlin, Heidelberg, 2021. Springer-Verlag. doi:10.1007/978-3-030-90453-1_2.
[14] Ran Cohen, Pouyan Forghani, Juan Garay, Rutvik Patel, and Vassilis Zikas. Concurrent asynchronous byzantine agreement in expected-constant rounds, revisited. In Theory of Cryptography, pages 422–451, Cham, Switzerland, 2023. Springer Nature Switzerland. doi:10.1007/978-3-031-48624-1_16.
[15] Andrei Constantinescu, Diana Ghinea, Roger Wattenhofer, and Floris Westermann. Convex Consensus with Asynchronous Fallback. In Dan Alistarh, editor, 38th International Symposium on Distributed Computing (DISC 2024), volume 319 of Leibniz International Proceedings in Informatics (LIPIcs), pages 15:1–15:23, Dagstuhl, Germany, 2024. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.DISC.2024.15.
[16] Sourav Das, Sisi Duan, Shengqi Liu, Atsuki Momose, Ling Ren, and Victor Shoup. Asynchronous consensus without trusted setup or public-key cryptography. Cryptology ePrint Archive, Paper 2024/677, 2024. Appeared in ACM CCS ’24. doi:10.1145/3658644.3670327.
[17] Michael J. Fischer, Nancy A. Lynch, and Michael S. Paterson. Impossibility of distributed consensus with one faulty process. In Proceedings of the 2nd ACM SIGACT-SIGMOD Symposium on Principles of Database Systems, PODS ’83, pages 1–7, New York, NY, USA, 1983. Association for Computing Machinery. doi:10.1145/588058.588060.
[18] Luciano Freitas, Petr Kuznetsov, and Andrei Tonkikh. Distributed Randomness from Approximate Agreement. In Christian Scheideler, editor, 36th International Symposium on Distributed Computing (DISC 2022), volume 246 of Leibniz International Proceedings in Informatics (LIPIcs), pages 24:1–24:21, Dagstuhl, Germany, 2022. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.DISC.2022.24.
[19] Diana Ghinea, Chen-Da Liu-Zhang, and Roger Wattenhofer. Optimal synchronous approximate agreement with asynchronous fallback. In Proceedings of the 2022 ACM Symposium on Principles of Distributed Computing, PODC ’22, pages 70–80, New York, NY, USA, 2022. Association for Computing Machinery. doi:10.1145/3519270.3538442.
[20] Diana Ghinea, Chen-Da Liu-Zhang, and Roger Wattenhofer. Multidimensional approximate agreement with asynchronous fallback. In Proceedings of the 35th ACM Symposium on Parallelism in Algorithms and Architectures, SPAA ’23, pages 141–151, New York, NY, USA, 2023. Association for Computing Machinery. doi:10.1145/3558481.3591105.
[21] Hammurabi Mendes and Maurice Herlihy. Multidimensional approximate agreement in byzantine asynchronous systems. In Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, STOC ’13, pages 391–400, New York, NY, USA, 2013. Association for Computing Machinery. doi:10.1145/2488608.2488657.
[22] Mose Mizrahi Erbes and Roger Wattenhofer. Asynchronous approximate agreement with quadratic communication, 2024. arXiv:2408.05495, doi:10.48550/arXiv.2408.05495.
[23] Atsuki Momose and Ling Ren. Multi-threshold byzantine fault tolerance. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS ’21, pages 1686–1699, New York, NY, USA, 2021. Association for Computing Machinery. doi:10.1145/3460120.3484554.
[24] Thomas Nowak and Joel Rybicki. Byzantine Approximate Agreement on Graphs. In Jukka Suomela, editor, 33rd International Symposium on Distributed Computing (DISC 2019), volume 146 of Leibniz International Proceedings in Informatics (LIPIcs), pages 29:1–29:17, Dagstuhl, Germany, 2019. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.DISC.2019.29.
[25] I. S. Reed and G. Solomon. Polynomial codes over certain finite fields. Journal of the Society for Industrial and Applied Mathematics, 8(2):300–304, 1960. doi:10.1137/0108018.
[26] Gilad Stern and Ittai Abraham. Gather with binding and verifiability. Decentralized Thoughts, 2024. URL: https://decentralizedthoughts.github.io/2024-01-09-gather-with-binding-and-verifiability/.
[27] Nitin H. Vaidya and Vijay K. Garg. Byzantine vector consensus in complete graphs. In Proceedings of the 2013 ACM Symposium on Principles of Distributed Computing, PODC ’13, pages 65–73, New York, NY, USA, 2013. Association for Computing Machinery. doi:10.1145/2484239.2484256.

Appendix A Strongly Terminating k-slot Consensus

In the protocol $\Pi_{\mathsf{k\textsf{-}slot}}$ below, we use the termination procedure from [22] to upgrade any live k-slot consensus protocol $\Pi_{\mathsf{k\textsf{-}live}}$ into a strongly terminating one. Strong termination is the combination of local termination (some honest party terminates) and global termination (if some honest party terminates, every honest party terminates), and $\Pi_{\mathsf{k\textsf{-}slot}}$ ensures global termination with READY quorums. If some honest party terminates, then it has received $2t+1$ READY messages, at least $t+1$ of which are honest, and so every honest party receives $t+1$ honest READY messages, multicasts READY, and receives $2t+1$ READY messages. Furthermore, the first honest party who multicasts READY does so upon receiving some $\Pi_{\mathsf{k\textsf{-}live}}$ output $z$ from $2t+1$ parties, which means that every honest party can set $z$ as its output upon receiving $z$ from $t+1$ honest parties.

Theorem 6.

Suppose $\Pi_{\mathsf{k\textsf{-}live}}$ achieves validity, k-consistency and liveness when $t<\frac{n}{3}$ . Then, $\Pi_{\mathsf{k\textsf{-}slot}}$ achieves validity, k-consistency and strong termination when $t<\frac{n}{3}$ .

Proof.

k-Consistency and Validity.

An honest party must receive $z$ from $t+1$ parties (at least one of which is honest) to output $z$ , and for any $z$ , the first honest party who multicasts $z$ must have output $z$ from $\Pi_{\mathsf{k\textsf{-}live}}$ . Hence, every honest $\Pi_{\mathsf{k\textsf{-}slot}}$ output is the $\Pi_{\mathsf{k\textsf{-}live}}$ output of some honest party. The $k$ -consistency and validity of $\Pi_{\mathsf{k\textsf{-}slot}}$ thus follow from the $k$ -consistency and validity of $\Pi_{\mathsf{k\textsf{-}live}}$ .

Strong Termination.

To prove strong termination, we prove local termination and global termination. Local termination guarantees that if the honest parties all eventually acquire inputs, then some honest party terminates. Global termination guarantees that if some honest party terminates, then all honest parties terminate.

For the sake of contradiction, consider an execution of $\Pi_{\mathsf{k\textsf{-}slot}}$ where local termination fails. Every honest party provides an input to $\Pi_{\mathsf{k\textsf{-}live}}$ , and hence every honest party obtains a $\Pi_{\mathsf{k\textsf{-}live}}$ output. By the $k$ -consistency of $\Pi_{\mathsf{k\textsf{-}live}}$ there exists some $z$ such that every honest $\Pi_{\mathsf{k\textsf{-}live}}$ output is either $z$ or $z+\frac{1}{k-1}$ . By the pigeonhole principle there exists some $z^{\prime}\in\{z,z+\frac{1}{k-1}\}$ such that at least $\lceil\frac{n-t}{2}\rceil\geq t+1$ honest parties output $z^{\prime}$ from $\Pi_{\mathsf{k\textsf{-}live}}$ . At least $t+1$ honest parties multicast $z^{\prime}$ , and this suffices for every honest $P_{i}$ to receive $z^{\prime}$ from $t+1$ parties, set $y_{i}\leftarrow z^{\prime}$ if $y_{i}=\bot$ and multicast $z^{\prime}$ . Since all honest parties multicast $z^{\prime}$ , all honest parties can receive $z^{\prime}$ from $2t+1$ parties and thus multicast READY. Finally, since all honest parties multicast READY, all honest parties can receive READY from $2t+1$ parties and thus terminate.

Now, let us show global termination. If some honest party terminates, then it must have received READY from $2t+1$ parties, at least $t+1$ of which are honest. Hence, every honest party multicasts READY, at the latest upon receiving READY from $t+1$ parties, and so any honest $P_{i}$ who sets $y_{i}\neq\bot$ becomes able to terminate by receiving READY from $2t+1$ parties. Furthermore, the first honest party who multicasts READY does so when it has received some $z$ from $2t+1$ parties, at least $t+1$ of which are honest. Since $t+1$ honest parties multicast $z$ , every honest $P_{j}$ can receive $z$ from $t+1$ parties and set $y_{j}\leftarrow z$ . $\hfill\blacktriangleleft$

Appendix B The Live Gather Protocol

Below, we present $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ , the most efficient live Gather protocol we are aware of [15]. It achieves the bit complexity $\mathcal{O}(\ell n^{2}+n^{3}\log n)$ when instantiated with the state-of-the-art standard BRB protocol $\Pi_{\mathsf{LBRB}}$ with the bit complexity $\mathcal{O}(\ell n+n^{2}\log n)$ [6].

Theorem 7.

$\Pi_{\mathsf{Gthr}}$ is a secure Gather protocol with liveness when $t<\frac{n}{3}$ .

Proof.

Consistency and Validity.

The consistency and validity of $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ follow from the consistency and validity of $\Pi_{\mathsf{LBRB}}^{0,1},\dots,\Pi_{\mathsf{LBRB}}^{0,n}$ .

Liveness.

Since all honest parties broadcast their inputs, every honest $P_{i}$ terminates $n-t$ input broadcasts, and thus broadcasts $W_{0}^{i}$ . All honest parties terminate all honest $W_{0}$ set broadcasts, and if some honest $P_{i}$ broadcasts $W_{0}^{i}$ , then, by the global termination of $\Pi_{\mathsf{LBRB}}$ , every honest $P_{j}$ terminates all input broadcasts terminated by $P_{i}$ , obtains $W_{0}^{j}\supseteq W_{0}^{i}$ , and adds $P_{i}$ to $W_{1}^{j}$ . This means that every honest $P_{i}$ adds every honest $P_{j}$ to $W_{1}^{i}$ , and therefore that eventually $|W_{1}^{i}|\geq n-t$ holds and $P_{i}$ multicasts $W_{1}^{i}$ . Afterwards, every honest $P_{j}$ adds $P_{i}$ to $W_{2}^{j}$ after receiving $W_{1}^{i}$ from $P_{i}$ because eventually $W_{1}^{j}\supseteq W_{1}^{i}$ holds, due to the fact that whenever $P_{i}$ adds any $P_{k}$ to $W_{1}^{i}$ , eventually $P_{j}$ adds $P_{k}$ to $W_{1}^{j}$ as well since eventually $W_{0}^{j}\supseteq W_{0}^{i}$ holds and since $P_{j}$ terminates $P_{k}$ ’s $W_{0}$ set broadcast with the same $W_{0}$ set as $P_{i}$ . So, since every honest party adds every honest party to its $W_{2}$ set, eventually $|W_{2}^{i}|\geq n-t$ holds for every honest $P_{i}$ . Finally, we conclude that every honest $P_{i}$ obtains $|W_{0}^{i}|\geq n-t$ , $|W_{1}^{i}|\geq n-t$ and $|W_{2}^{i}|\geq n-t$ , which leads to $P_{i}$ outputting $X_{i}$ .

Common Core.

Let $\mathcal{H}$ be the set of the first $n-t$ honest parties $P_{i}$ who obtain $|W_{1}^{i}|=n-t$ . For each $P_{i}\in\mathcal{H}$ , the set $W_{1}^{i}$ which $P_{i}$ multicasts contains $n-t$ parties, at least $n-2t$ of which are in $\mathcal{H}$ . Hence, $\sum_{P_{i}\in\mathcal{H}}|W_{1}^{i}\cap\mathcal{H}|\geq(n-2t)(n-t)$ .

There exists some $P_{k}\in\mathcal{H}$ included in the multicast $W_{1}$ sets of at least $n-2t$ parties in $\mathcal{H}$ . For contradiction, suppose otherwise. Then, for each $P_{j}\in\mathcal{H}$ , less than $n-2t$ parties in $\mathcal{H}$ have $W_{1}$ sets which include $P_{j}$ . This implies $\sum_{P_{j}\in\mathcal{H}}|\{P_{i}\in\mathcal{H}:P_{j}\in W_{1}^{i}\}|<(n-2t)(% n-t)$ , which contradicts $\sum_{P_{j}\in\mathcal{H}}|\{P_{i}\in\mathcal{H}:P_{j}\in W_{1}^{i}\}|=\sum_{P% _{i}\in\mathcal{H}}|W_{1}^{i}\cap\mathcal{H}|\geq(n-2t)(n-t)$ .

Suppose some honest $P_{i}$ outputs from $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ . Consider the set $W_{0}^{k}$ at the instant when $P_{k}$ broadcasts it. Since at least $n-2t\geq t+1$ honest parties include $P_{k}$ in the $W_{1}$ sets which they multicast, $P_{i}$ must have added some honest $P_{j}$ to $W_{2}^{i}$ from whom $P_{i}$ received some $W_{1}^{j}\supseteq\{P_{k}\}$ . This implies $W_{1}^{i}\supseteq\{P_{k}\}$ , and $W_{1}^{i}\supseteq\{P_{k}\}$ implies $W_{0}^{k}\subseteq W_{0}^{i}=\{P_{j}\in\mathcal{P}:\exists(m,P_{j})\in X_{i}\}$ . So, $W_{0}^{k}$ is a common core. $\hfill\blacktriangleleft$

Appendix C Skipped Proofs

Theorem 3.

$\Pi_{\mathsf{Gthr}}$ is a secure binding Gather protocol with strong termination when $t<\frac{n}{3}$ .

Proof.

As we did for $\Pi_{\mathsf{k\textsf{-}slot}}$ , we split strong termination into local and global termination.

Consistency and Validity.

Suppose some honest $P_{i}$ includes some $(m_{j},P_{j})$ in its output set $Q_{i}$ . This requires $g_{i}^{j}\geq\frac{3}{4}$ ; hence, by the validity of $\Pi_{\mathsf{5\textsf{-}slot}}$ , there exists some (unique, by the consistency of $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ ) $m_{j}^{\prime}$ such that some honest parties have $(m_{j}^{\prime},P_{j})$ in their $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ output sets. We show below that $m_{j}=m_{j}^{\prime}$ . Note that this gives us consistency because if some $P_{k}$ has some $(m_{j}^{\prime\prime},P_{j})\in Q_{k}$ , then we have $m_{j}^{\prime}=m_{j}=m_{j}^{\prime\prime}$ . We also get validity: If $P_{j}$ is honest, then $m_{j}^{\prime}=m_{j}$ must be the input of $P_{j}$ by the validity of $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ .

Let $(s_{1},\dots,s_{n})\leftarrow\mathsf{Encode}(m_{j}^{\prime})$ . The party $P_{i}$ obtains $m_{j}$ via $\mathsf{TryDecode}(M_{j,1},\dots,M_{j,n})$ , where $M_{j,k}$ is either $\bot$ , or the non- $\bot$ $j^{\text{th}}$ symbol in the MINE vector $P_{k}$ sends to $P_{i}$ . Assume now that if the latter is the case and $P_{k}$ is honest, then $M_{j,k}=s_{k}$ . This implies that in any $\mathsf{TryDecode}$ attempt the vector $(M_{j,1},\dots,M_{j,n})$ contains with respect to $m_{j}^{\prime}$ at most $t$ incorrect symbols (from corrupt parties) and at most $t$ missing symbols. Thus, the correctness of $\mathsf{TryDecode}$ ensures that $\mathsf{TryDecode}(M_{j,1},\dots,M_{j,n})\in\{m_{j}^{\prime},\bot\}$ always holds.

It remains to prove the assumption that if $M_{j,k}\neq\bot$ and $P_{k}$ is honest, then $M_{j,k}=s_{k}$ . If $M_{j,k}\neq\bot$ and $P_{k}$ is honest, then $M_{j,k}$ is a non- $\bot$ symbol repeated at least $t+1$ times in the $j^{\text{th}}$ column of the $Y$ matrix of $P_{k}$ . Hence, some honest $P_{q}$ must have sent $P_{k}$ a message $\langle{\texttt{YOURS}},{(S_{1,k},\dots,S_{n,k})}\rangle$ with $S_{j,k}=M_{j,k}$ . The party $P_{q}$ must have had $(m_{j}^{\prime},P_{j})\in X_{q}$ and computed $(S_{j,1},\dots,S_{j,n})\leftarrow\mathsf{Encode}(m_{j}^{\prime})$ . Therefore, we conclude that $M_{j,k}=S_{j,k}=s_{k}$ .

Global Termination.

If some honest party terminates, then it has received READY from $2t+1$ parties. We show below that for all honest parties to terminate, it suffices for some honest party to receive READY from $2t+1$ parties.

If an honest party has received READY from $2t+1$ parties, then at least $t+1$ honest parties have multicast READY. Every honest party becomes able to multicast READY by receiving READY from $t+1$ parties, and so every honest party receives READY from $2t+1$ parties.

The first honest party who multicasts READY must have done so because it has received YOURS vectors from $2t+1$ parties. Hence, there must exist at least $t+1$ happy parties $P_{i}$ such that $P_{i}$ has terminated all $\Pi_{\mathsf{5\textsf{-}slot}}$ instances and there exists some $(m_{j},P_{j})\in X_{i}$ whenever $g_{i}^{j}\geq\frac{1}{4}$ . Furthermore, because the happy parties have terminated all $\Pi_{\mathsf{5\textsf{-}slot}}$ instances, the strong termination of $\Pi_{\mathsf{5\textsf{-}slot}}$ implies that every honest party terminates every $\Pi_{\mathsf{5\textsf{-}slot}}$ instance.

Suppose some honest $P_{i}$ has $g_{i}^{j}\geq\frac{2}{4}$ for some $j$ . Then, every happy $P_{k}$ has $g_{k}^{j}\geq\frac{1}{4}$ and thus has some $(m_{j},P_{j})\in X_{k}$ . This $m_{j}$ is the same for all happy parties by the consistency of standard BRB. Hence, every happy $P_{k}$ computes $(s_{1},\dots,s_{n})\leftarrow\mathsf{Encode}(m_{j})$ and sends $P_{i}$ a YOURS vector with the $j^{\text{th}}$ symbol $s_{i}$ . The party $P_{i}$ can thus find $s_{i}$ to be the non- $\bot$ symbol repeated at least $t+1$ times in the $j^{\text{th}}$ column of its matrix $Y$ . This happens eventually for any $j$ where $g_{i}^{j}\geq\frac{2}{4}$ ; hence, every honest party eventually multicasts some MINE vector.

Finally, suppose some honest $P_{i}$ has $g_{i}^{j}\geq\frac{3}{4}$ for some $j$ . Then, every honest $P_{k}$ has $g_{k}^{j}\geq\frac{2}{4}$ , which means that the $j^{\text{th}}$ symbol of the MINE vector which $P_{k}$ multicasts is the non- $\bot$ symbol $s_{k}$ , which (as we showed while proving consistency) is such that $(s_{1},\dots,s_{n})=\mathsf{Encode}(m_{j})$ for some $m_{j}$ that is consistent for all honest parties. Since $P_{i}$ can eventually store $s_{k}$ as $M_{j,k}$ , eventually $P_{i}$ ’s vector $(M_{j,1},\dots,M_{j,n})$ contains $n-t$ correct symbols with respect to $m_{j}$ , $\mathsf{TryDecode}(M_{k,1},\dots,M_{k,n})$ outputs $m_{j}$ , and $P_{i}$ inserts $(m_{j},P_{j})$ to $Q_{i}$ .

In the end, every honest $P_{i}$ terminates $\Pi_{\mathsf{Gthr}}$ after terminating every $\Pi_{\mathsf{5\textsf{-}slot}}$ instance, multicasting READY and receiving READY from $2t+1$ parties, multicasting some MINE vector and inserting some $(m_{j},P_{j})$ to $Q_{i}$ whenever $g_{i}^{j}\geq\frac{3}{4}$ . This gives us global termination.

Local Termination.

For contradiction, suppose no honest party terminates. Then, every honest $P_{i}$ eventually outputs some $Z_{i}$ from $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ and thus provides inputs to all $\Pi_{\mathsf{5\textsf{-}slot}}$ instances. Hence, the honest parties terminate all $\Pi_{\mathsf{5\textsf{-}slot}}$ instances. For any honest $P_{i}$ , if for some $j$ it is the case that $g_{i}^{j}\geq\frac{1}{4}$ , then by the validity of $\Pi_{\mathsf{5\textsf{-}slot}}$ some honest party must have terminated the standard BRB instance in $\Pi_{\mathsf{Gthr}}^{\mathsf{Live}}$ with which $P_{j}$ broadcasts its input, and hence $P_{i}$ terminates this BRB instance and inserts some $(m_{j},P_{j})$ to $X_{i}$ as well. So, every honest $P_{i}$ eventually becomes happy and sends out YOURS vectors. Consequently, every honest party receives YOURS vectors from $2t+1$ parties and multicasts READY, and then every honest party receives READY from $2t+1$ parties. As we showed to prove global termination, for all honest parties to terminate it suffices for some honest party to receive READY from $2t+1$ parties. So, we reach the contradictory conclusion that all honest parties terminate. $\hfill\blacktriangleleft$

Theorem 4.

$\Pi_{\mathsf{Any}}$ is secure when $4t+q<n$ .

Proof.

Consistency.

We show that there exist no distinct $v\neq\bot$ and $v^{\prime}\neq\bot$ such that some honest parties multicast $\langle{\texttt{READY}},{v}\rangle$ while others multicast $\langle{\texttt{READY}},{v^{\prime}}\rangle$ . As in $\Pi_{\mathsf{Bracha}}$ and $\Pi_{\mathsf{Quit}}$ , the first honest party who multicasts $\langle{\texttt{READY}},{v}\rangle$ for any particular $v\neq\bot$ must have done so upon receiving enough ECHO messages to form an ECHO quorum on $v$ . For the sake of contradiction, let $P_{i}$ and $P_{j}$ be the first honest parties who respectively multicast $\langle{\texttt{READY}},{v_{i}}\rangle$ and $\langle{\texttt{READY}},{v_{j}}\rangle$ for some distinct $v_{i}\neq\bot$ and $v_{j}\neq\bot$ , let $\mathcal{H}$ be a set of $n-t$ honest parties, and let $f$ be the number of parties in $\mathcal{H}$ who multicast $\langle{\texttt{ECHO}},{\bot}\rangle$ . For each $k\in\{i,j\}$ , let

$\blacksquare$

$b_{k}$ be the number of $\langle{\texttt{ECHO}},{v_{k}}\rangle$ messages from parties in $\mathcal{H}$ counted in $P_{k}$ ’s quorum,
$\blacksquare$

$c_{k}$ be the number of $\langle{\texttt{ECHO}},{v_{k}}\rangle$ messages from parties outside $\mathcal{H}$ counted in $P_{k}$ ’s quorum,
$\blacksquare$

$d_{k}$ be the number of $\langle{\texttt{ECHO}},{\bot}\rangle$ messages from parties in $\mathcal{H}$ counted in $P_{k}$ ’s quorum,
$\blacksquare$

$e_{k}$ be the number of $\langle{\texttt{ECHO}},{\bot}\rangle$ messages from parties outside $\mathcal{H}$ counted in $P_{k}$ ’s quorum.

For each $k\in\{i,j\}$ , we have $d_{k}\leq f$ and $c_{k}+e_{k}\leq t$ . For the quorum of $P_{k}$ to be of sufficient size, we must have $b_{k}+c_{k}>\max(t,\frac{n+t-d_{k}-e_{k}}{2})$ , which implies $b_{k}>\frac{n+t-d_{k}-e_{k}}{2}-c_{k}\geq\frac{n+t-d_{k}-2(c_{k}+e_{k})}{2}% \geq\frac{n-t-f}{2}$ . However, $\mathcal{H}$ consists of $f$ honest parties who multicast $\langle{\texttt{ECHO}},{\bot}\rangle$ and thus contribute to neither $b_{i}$ nor $b_{j}$ , and $n-t-f$ honest parties who contribute to at most one of $b_{i}$ and $b_{j}$ since an honest party cannot send $\langle{\texttt{ECHO}},{v_{i}}\rangle$ to $P_{i}$ and $\langle{\texttt{ECHO}},{v_{j}}\rangle$ to $P_{j}$ . This gives us $b_{i}+b_{j}\leq n-t-f$ , which contradicts $b_{i}>\frac{n-t-f}{2}\land b_{j}>\frac{n-t-f}{2}$ . Finally, consistency follows because in order to output $v\neq\bot$ , an honest party must receive $\langle{\texttt{READY}},{v}\rangle$ from $t+1$ parties, at least one of which is honest.

Validity.

For some honest party to output $v\neq\bot$ , there must exist a first honest $P_{i}$ who multicasts $\langle{\texttt{READY}},{v}\rangle$ . To do so, $P_{i}$ must receive $\langle{\texttt{ECHO}},{v}\rangle$ from at least $t+1$ parties, at least one of which is honest. This can happen only after the sender $P^{*}$ sends $\langle{\texttt{INIT}},{v}\rangle$ to some honest party. Now suppose $P^{*}$ is honest. If $P^{*}$ acquires an input $v^{*}$ , then it multicasts $\langle{\texttt{INIT}},{v^{*}}\rangle$ , and this makes $v^{*}$ the unique possible non- $\bot$ output. If $P^{*}$ quits before acquiring an input, then it multicasts $\langle{\texttt{INIT}},{\top}\rangle$ , and thus $\top$ becomes the unique possible non- $\bot$ output.

Local Termination.

For contradiction, suppose that the sender $P^{*}$ is honest, that it either acquires an input or quits before doing so, that not all honest parties quit, and that despite all the preceding no honest party terminates. We separately consider the case where at least $t+q+1$ honest parties quit, and the case where at most $t+q$ honest parties quit. Note that an honest party does not quit without multicasting a READY message.

$\blacksquare$

Suppose at least $t+q+1$ honest parties quit. Because an honest party multicasts QUIT when it quits, every honest party either quits, or eventually receives QUIT from $t+q+1$ parties and thus becomes able to multicast a READY message.
$\blacksquare$

Suppose $f\leq t+q$ honest parties quit. The sender $P^{*}$ eventually multicasts $\langle{\texttt{INIT}},{v^{*}}\rangle$ , where $v^{*}$ is either its input or $\top$ . Then, at least $n-t-f$ honest parties multicast $\langle{\texttt{ECHO}},{v^{*}}\rangle$ . Since we have $n-t-f>(\frac{n}{2}+\frac{4t+q}{2})-t-(\frac{f}{2}+\frac{t+q}{2})=\frac{n+t-f}{% 2}\geq\frac{n-q}{2}>2t$ , every honest party either quits, or eventually receives $\langle{\texttt{ECHO}},{v^{*}}\rangle$ from sufficiently many parties to multicast a READY message.

In both cases, every honest party multicasts a READY message, which means that every honest party either quits, or terminates after receiving READY messages from $n-t$ parties.

Global Termination.

If an honest party terminates, then it has received READY messages from $n-t$ parties, at least $n-2t\geq 2t+q+1$ of which are honest. Since there is some $v\neq\bot$ such that every honest READY message is on either $v$ or $\bot$ , either there are at least $t+1$ honest parties who multicast $\langle{\texttt{READY}},{v}\rangle$ , or there are at least $t+q+1$ honest parties who multicast $\langle{\texttt{READY}},{\bot}\rangle$ . In either case, every honest party can multicast a READY message either before quitting, or after receiving sufficiently many honest READY messages. So, every honest party either quits, or terminates after receiving READY messages from $n-t$ parties.

Robustness.

Suppose at most $q$ honest parties have quit when some honest $P_{i}$ terminates for the first time. Then, an honest $P_{j}$ can multicast $\langle{\texttt{READY}},{\bot}\rangle$ before $P_{i}$ terminates only if it quits, as $P_{j}$ cannot receive QUIT or $\langle{\texttt{READY}},{\bot}\rangle$ from $t+q+1$ parties before $P_{i}$ terminates. So, $P_{i}$ terminates with at most $t$ corrupt READY messages, at most $q$ honest $\langle{\texttt{READY}},{\bot}\rangle$ messages, and at least $n-2t-q$ honest READY messages not on $\bot$ . Since for some $v\neq\bot$ every honest READY message is on either $v$ or $\bot$ , there are at least $n-2t-q$ honest parties who multicast $\langle{\texttt{READY}},{v}\rangle$ for some $v$ . Hence, any honest $P_{j}$ (including $P_{i}$ ) can terminate only after receiving at least $n-3t-q\geq t+1$ honest $\langle{\texttt{READY}},{v}\rangle$ messages and setting $y_{j}\leftarrow v$ . $\hfill\blacktriangleleft$

[bib.bib1] [1] Ittai Abraham. Living with asynchrony: Bracha’s reliable broadcast. Decentralized Thoughts, 2020. URL: https://decentralizedthoughts.github.io/2020-09-19-living-with-asynchrony-brachas-reliable-broadcast/.

[bib.bib2] [2] Ittai Abraham, Yonatan Amit, and Danny Dolev. Optimal resilience asynchronous approximate agreement. In Proceedings of the 8th International Conference on Principles of Distributed Systems, OPODIS ’04, pages 229–239, Berlin, Heidelberg, 2004. Springer-Verlag. doi:10.1007/11516798_17.

[bib.bib3] [3] Ittai Abraham, Gilad Asharov, Arpita Patra, and Gilad Stern. Perfectly secure asynchronous agreement on a core set in constant expected time. Cryptology ePrint Archive, Paper 2023/1130, 2023. URL: https://eprint.iacr.org/2023/1130.

[bib.bib4] [4] Ittai Abraham, Philipp Jovanovic, Mary Maller, Sarah Meiklejohn, Gilad Stern, and Alin Tomescu. Reaching consensus for asynchronous distributed key generation. In Proceedings of the 2021 ACM Symposium on Principles of Distributed Computing, PODC ’21, pages 363–373, New York, NY, USA, 2021. Association for Computing Machinery. doi:10.1145/3465084.3467914.

[bib.bib5] [5] Ittai Abraham and Gilad Stern. Information Theoretic HotStuff. In Quentin Bramas, Rotem Oshman, and Paolo Romano, editors, 24th International Conference on Principles of Distributed Systems (OPODIS 2020), volume 184 of Leibniz International Proceedings in Informatics (LIPIcs), pages 11:1–11:16, Dagstuhl, Germany, 2021. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.OPODIS.2020.11.

[bib.bib6] [6] Nicolas Alhaddad, Sourav Das, Sisi Duan, Ling Ren, Mayank Varia, Zhuolun Xiang, and Haibin Zhang. Balanced byzantine reliable broadcast with near-optimal communication and improved computation. In Proceedings of the 2022 ACM Symposium on Principles of Distributed Computing, PODC ’22, pages 399–417, New York, NY, USA, 2022. Association for Computing Machinery. doi:10.1145/3519270.3538475.

[bib.bib7] [7] Michael Backes and Christian Cachin. Reliable broadcast in a computational hybrid model with byzantine faults, crashes, and recoveries. In 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings., pages 37–46, 2003. doi:10.1109/DSN.2003.1209914.

[bib.bib8] [8] Michael Ben-Or, Ran Canetti, and Oded Goldreich. Asynchronous secure computation. In Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, STOC ’93, pages 52–61, New York, NY, USA, 1993. Association for Computing Machinery. doi:10.1145/167088.167109.

[bib.bib9] [9] Erica Blum, Jonathan Katz, and Julian Loss. Synchronous consensus with optimal asynchronous fallback guarantees. In Theory of Cryptography, pages 131–150, Cham, Switzerland, 2019. Springer International Publishing. doi:10.1007/978-3-030-36030-6_6.

[bib.bib10] [10] Gabriel Bracha. Asynchronous byzantine agreement protocols. Information and Computation, 75(2):130–143, 1987. doi:10.1016/0890-5401(87)90054-X.

[bib.bib11] [11] Christian Cachin. Secure distributed computing. École Polytechnique Fédérale de Lausanne, 2009. URL: https://dcl.epfl.ch/site/_media/education/sdc_byzconsensus.pdf.

[bib.bib12] [12] Ran Canetti and Tal Rabin. Fast asynchronous byzantine agreement with optimal resilience. In Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, STOC ’93, pages 42–51, New York, NY, USA, 1993. Association for Computing Machinery. doi:10.1145/167088.167105.

[bib.bib13] [13] Annick Chopard, Martin Hirt, and Chen-Da Liu-Zhang. On communication-efficient asynchronous mpc with adaptive security. In Theory of Cryptography: 19th International Conference, TCC’21, pages 35–65, Berlin, Heidelberg, 2021. Springer-Verlag. doi:10.1007/978-3-030-90453-1_2.

[bib.bib14] [14] Ran Cohen, Pouyan Forghani, Juan Garay, Rutvik Patel, and Vassilis Zikas. Concurrent asynchronous byzantine agreement in expected-constant rounds, revisited. In Theory of Cryptography, pages 422–451, Cham, Switzerland, 2023. Springer Nature Switzerland. doi:10.1007/978-3-031-48624-1_16.

[bib.bib15] [15] Andrei Constantinescu, Diana Ghinea, Roger Wattenhofer, and Floris Westermann. Convex Consensus with Asynchronous Fallback. In Dan Alistarh, editor, 38th International Symposium on Distributed Computing (DISC 2024), volume 319 of Leibniz International Proceedings in Informatics (LIPIcs), pages 15:1–15:23, Dagstuhl, Germany, 2024. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.DISC.2024.15.

[bib.bib16] [16] Sourav Das, Sisi Duan, Shengqi Liu, Atsuki Momose, Ling Ren, and Victor Shoup. Asynchronous consensus without trusted setup or public-key cryptography. Cryptology ePrint Archive, Paper 2024/677, 2024. Appeared in ACM CCS ’24. doi:10.1145/3658644.3670327.

[bib.bib17] [17] Michael J. Fischer, Nancy A. Lynch, and Michael S. Paterson. Impossibility of distributed consensus with one faulty process. In Proceedings of the 2nd ACM SIGACT-SIGMOD Symposium on Principles of Database Systems, PODS ’83, pages 1–7, New York, NY, USA, 1983. Association for Computing Machinery. doi:10.1145/588058.588060.

[bib.bib18] [18] Luciano Freitas, Petr Kuznetsov, and Andrei Tonkikh. Distributed Randomness from Approximate Agreement. In Christian Scheideler, editor, 36th International Symposium on Distributed Computing (DISC 2022), volume 246 of Leibniz International Proceedings in Informatics (LIPIcs), pages 24:1–24:21, Dagstuhl, Germany, 2022. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.DISC.2022.24.

[bib.bib19] [19] Diana Ghinea, Chen-Da Liu-Zhang, and Roger Wattenhofer. Optimal synchronous approximate agreement with asynchronous fallback. In Proceedings of the 2022 ACM Symposium on Principles of Distributed Computing, PODC ’22, pages 70–80, New York, NY, USA, 2022. Association for Computing Machinery. doi:10.1145/3519270.3538442.

[bib.bib20] [20] Diana Ghinea, Chen-Da Liu-Zhang, and Roger Wattenhofer. Multidimensional approximate agreement with asynchronous fallback. In Proceedings of the 35th ACM Symposium on Parallelism in Algorithms and Architectures, SPAA ’23, pages 141–151, New York, NY, USA, 2023. Association for Computing Machinery. doi:10.1145/3558481.3591105.

[bib.bib21] [21] Hammurabi Mendes and Maurice Herlihy. Multidimensional approximate agreement in byzantine asynchronous systems. In Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, STOC ’13, pages 391–400, New York, NY, USA, 2013. Association for Computing Machinery. doi:10.1145/2488608.2488657.

[bib.bib22] [22] Mose Mizrahi Erbes and Roger Wattenhofer. Asynchronous approximate agreement with quadratic communication, 2024. arXiv:2408.05495, doi:10.48550/arXiv.2408.05495.

[bib.bib23] [23] Atsuki Momose and Ling Ren. Multi-threshold byzantine fault tolerance. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS ’21, pages 1686–1699, New York, NY, USA, 2021. Association for Computing Machinery. doi:10.1145/3460120.3484554.

[bib.bib24] [24] Thomas Nowak and Joel Rybicki. Byzantine Approximate Agreement on Graphs. In Jukka Suomela, editor, 33rd International Symposium on Distributed Computing (DISC 2019), volume 146 of Leibniz International Proceedings in Informatics (LIPIcs), pages 29:1–29:17, Dagstuhl, Germany, 2019. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.DISC.2019.29.

[bib.bib25] [25] I. S. Reed and G. Solomon. Polynomial codes over certain finite fields. Journal of the Society for Industrial and Applied Mathematics, 8(2):300–304, 1960. doi:10.1137/0108018.

[bib.bib26] [26] Gilad Stern and Ittai Abraham. Gather with binding and verifiability. Decentralized Thoughts, 2024. URL: https://decentralizedthoughts.github.io/2024-01-09-gather-with-binding-and-verifiability/.

[bib.bib27] [27] Nitin H. Vaidya and Vijay K. Garg. Byzantine vector consensus in complete graphs. In Proceedings of the 2013 ACM Symposium on Principles of Distributed Computing, PODC ’13, pages 65–73, New York, NY, USA, 2013. Association for Computing Machinery. doi:10.1145/2484239.2484256.