How Much Public Randomness Do Modern Consensus Protocols Need?

Bonneau, Joseph; Bünz, Benedikt; Christ, Miranda; Efron, Yuval

doi:10.4230/LIPIcs.AFT.2025.12

How Much Public Randomness Do Modern Consensus Protocols Need?

Joseph Bonneau

New York University, NY, USA Benedikt Bünz

New York University, NY, USA Miranda Christ

Columbia University, New York, NY, USA Yuval Efron

Columbia University, New York, NY, USA

Abstract

Modern blockchain-based consensus protocols aim for efficiency (i.e., low communication and round complexity) while maintaining security against adaptive adversaries. These goals are usually achieved using a public randomness beacon to select roles for each participant. We examine to what extent this randomness is necessary. Specifically, we provide tight bounds on the amount of entropy a Byzantine Agreement protocol must consume from a beacon in order to enjoy efficiency and adaptive security. We first establish that no consensus protocol can simultaneously be efficient, be adaptively secure, and use $O(\log n)$ bits of beacon entropy. We then show this bound is tight and, in fact, a trilemma by presenting three consensus protocols that achieve any two of these three properties.

Keywords and phrases:

Consensus, Randomness Beacon

Copyright and License:

2012 ACM Subject Classification:

Theory of computation

\rightarrow

Distributed algorithms

DOI:

10.4230/LIPIcs.AFT.2025.12

Event:

7th Conference on Advances in Financial Technologies (AFT 2025)

Editors:

Zeta Avarikioti and Nicolas Christin

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

Consensus is a cornerstone of distributed computing, with research spanning over four decades [33, 28]. In the consensus problem, $n$ players (or nodes) with respective inputs must engage in communication in order to reach agreement on a value. The challenge stems from the presence of at most $f$ corrupted (eq. Byzantine) players, which may deviate from any given protocol in arbitrary ways.

The consensus problem has been considered under a myriad of constraints and allowances across various axes, including network synchrony, setup assumptions, the use of randomness by honest players, and the capabilities of the adversary (Garay and Kiayias [20] provide a detailed survey). With the renewed interest in this problem due to its foundational role in blockchains, two properties of particular importance from a practical point of view have been efficiency and adaptive security.

1.

Efficiency. We consider an efficiency notion motivated by modern blockchain-related consensus protocols. We say that a protocol has low communication (or in other words, is laconic) if in every round few of the players (i.e., $o(n)<<n$ ) send messages. A protocol has low latency if it requires at most $o(n)$ rounds. We refer to a protocol as efficient if it has both low communication and low latency. Our efficiency notion is essential for consensus protocols to scale to thousands of players and finalize transactions quickly. Indeed, most modern blockchain systems (e.g., Bitcoin and Ethereum) are efficient in this sense.
2.

Adaptive Security. We say that a consensus protocol is secure against an adaptive adversary if it solves consensus even when the adversary may choose to corrupt players “on the fly,” based on its observations thus far. We consider both a basic adaptive adversary which can corrupt up to $f$ players at any point based on the current transcript of the protocol, but cannot un-corrupt them, and a mobile blocking adversary which can choose potentially new players to target in each round but can only block their messages, and not cause arbitrary behavior.

Observe that either of these properties is straightforward to achieve without the other: if efficiency is not important, classical Byzantine fault-tolerant consensus protocols [10] are adaptively secure. On the other hand, Nakamoto-style consensus [32] with round-robin leader election is efficient against a non-adaptive adversary, but has linear latency against an adaptive adversary.

In practice, the vast majority of blockchains, including Ethereum and Bitcoin, aim to achieve both of the above properties. They do so by relying on a source of shared randomness for the players, for tasks such as leader election and committee sampling [5, 32, 14]. Such a primitive that provides access to fresh randomness at every point in time is referred to in the literature as a randomness beacon [34]. Implementing such a beacon, however, is an expensive task, with current constructions either employing delay functions [29, 7], requiring many rounds or much communication [37, 12, 35, 24], or achieving a sub-optimal version of the ideal functionality subject to manipulation [22, 5].

On the other hand, it turns out, that the use of unpredictable randomness is essential to the design of efficient consensus protocols [17, 6, 1]. Dolev and Reischuk [17] show that any deterministic protocol must have $\Omega(n^{2})$ communication complexity. Bar-Joseph and Ben-Or [6] show that against a computationally unbounded adaptive adversary that can view the local state of all players, any (even randomized) synchronous $\mathsf{BA}$ protocol requires $\tilde{\Omega}(\sqrt{n})$ rounds. Abraham et al. [1] show that without unpredictable randomness, any consensus protocol must use $\Omega(n^{2})$ communication.

1.1 Our Setting

The goal of this paper is to quantify the precise amount of randomness that must be drawn from such a beacon to allow for efficient and adaptively secure consensus protocols. We make minimal auxiliary assumptions, focusing on the information-theoretic (i.e., a computationally unbounded¹¹1Under computational assumptions, e.g., using a delay function, a beacon can be constructed. The unbounded adversary setting enables us to isolate the utility of the beacon. adversary and no PKI), synchronous setting. Specifically, we consider the following ideal functionality for a beacon: At each round $t$ , a fresh, uniformly random string is revealed to all players.

Such an assumption, referred to as an idealized common coin or randomness beacon is a common assumption in the $\mathsf{BA}$ protocols for asynchronous networks [15, 31]. We say that a protocol has low beacon entropy if it can be implemented using a randomness beacon that generates $O(\log n)$ bits in total during the protocol. We stress that it is important that the random string revealed to all players at round $t$ is not only uniform, but also is unpredictable prior to round $t$ . In other words, no adversary can predict the contents of the string of round $t$ prior to round $t$ . Abraham et al. [1] show that any protocol secure against an adversary that can predict the content of the beacon ahead of time, must use $\Omega(n^{2})$ communication. We emphasize that our lower bound applies even when the protocol has access to our beacon with stronger unpredictability.

1.2 Our Results

We provide a complete and tight characterization of efficiency, adaptive security, and low beacon randomness:

Impossibility (Section 4, Theorems 7 and 8):: We show that no consensus protocol can simultaneously achieve all three properties. That is, any efficient, adaptively secure consensus protocol must use a randomness beacon that outputs $\omega(\log n)$ bits. Our impossibility result holds against a computationally unbounded adversary in a broadcast communication model.
Possibility (Section 5, Lemmas 9, 15, and 17):: We show that the above impossibility is tight by presenting three consensus protocols, each realizing exactly two of the above three properties. Our protocols work against a computationally unbounded adversary in a peer-to-peer communication model. Together, they demonstrate a trilemma: consensus protocols can achieve any two of efficiency, adaptive security and low-entropy, but not all three.

2 Related Work

A long line of work considers a computationally bounded adversary [13, 2, 18, 21]. Protocols in this setting employ cryptographic tools to enable adaptive secure consensus protocols with as few as $O(1)$ rounds (in expectation). This research culminates in the work of Ghinea, Goyal and Liu-Zhang [21], which matches the decades-old lower bound Chor, Merritt, and Shmoys [13] which states that any $r$ round consensus protocol has error probability at least $\Omega(\frac{1}{r^{r}}$ ).

Coming back to an unbounded adversary, other works [26, 36, 8, 1, 16] consider relaxed versions of the adaptive adversary, and design consensus protocols that circumvent the aforementioned round and communication lower bounds of [1, 6].

Adaptively secure consensus.

By Abraham et al. [1], any protocol that is secure against a strongly adaptive adversary must use $\Omega(n^{2})$ bits of communication. This bound is known to be tight in the setting of a computationally bounded adversary by the work of Abraham et al. [2]. The protocol of this work also achieves optimal $O(1)$ round complexity, in expectation.

Adversary Relaxations.

On the road to circumventing the lower bounds of [1, 6], various relaxations to the strongly rushing adversary have been considered.

$\blacksquare$

A typical relaxation is that if the adversary chooses to corrupt a player $p$ at round $r$ , player $p$ still performs the honest behaviour of round $r$ prior to the adversary taking control of $p$ (at which point the adversary can send additional messages, still in round $r$ ). Protocols achieving $o(n^{2})$ communication complexity under this assumption include the work of King and Saia [26], and the follow up work by King, Lonargan, Saia and Trehan [25] in which they show protocols with $O(n^{1.5})$ communication complexity. Additional cryptographic assumptions allow the design of protocols with nearly linear communication complexity [8, 11, 2, 9]. Another class of protocol circumventing the communication lower bound of [1] are motivated by blockchain applications, and make use of proof-of-work or proof-of-stake assumptions [16, 32].
$\blacksquare$

Another line of work considers a late adaptive adversary. Roughly, this is an adaptive adversary with an outdated view of the state of the protocol. At each round the adversary may choose players to corrupt based on all information available so far, however the actual corruption occurs several rounds later. Most of these works consider relaxed variants of the consensus problem, e.g., almost-everywhere consensus [36, 4, 3, 27].
$\blacksquare$

A mobile blocking adversary has been considered previously in [36], and is generally related to the well studied model of omission failures [30, 23].

Randomness beacon entropy.

As mentioned, the idealized randomness beacon assumption, also known as a common coin, is extensively used in consensus protocol design in asynchronous networks (See [31] and references within). A recent work [23] studies a similar question to ours. Specifically, they consider protocols secure against an adaptive omission failure adversary, and characterize the trade-off between the required number of oracle calls to a random beacon and the round complexity.

3 Preliminaries

Notation.

We let $\lambda$ denote the security parameter. If a function $f(\lambda)$ is $O(1/\mathsf{poly}\left(\lambda\right))$ for every polynomial in $\lambda$ , we say $f$ is negligible in $\lambda$ . We write $f=\mathsf{negl}\left(\lambda\right)$ . We let $\log(x)$ denote the logarithm base 2 of $x$ . If $X$ is a random variable over domain $\Omega$ , and $\operatorname{Supp}\left(X\right)=\left\{x\in\Omega\mid\Pr[X=x]>0\right\}$ , we denote the min-entropy of $X$ by $H_{\infty}(X)=\min_{x\in\operatorname{Supp}\left(X\right)}\frac{1}{\Pr[X=x]}$ .

Model.

We consider a network of $n$ players (eq. nodes or participants). We focus here on the permissioned setting, in which the set of $n$ players is fixed and known to all players in advance. At most $f$ players can be corrupt. We further assume that communication takes place over a synchronous network with maximum message delay of $\Delta$ , i.e. a player $p$ at round $t$ has received all messages sent to it up to round $t-\Delta$ . For simplicity of exposition, we assume that $\Delta=1$ , but all our results extend naturally to the general case of delay parameter $\Delta$ . Throughout the paper we consider two models for a communication network. In the peer-to-peer model, players may send different messages to different players during each round. In the broadcast model, players (including corrupted players) may only broadcast a message, which is received by all other players.

Specifically, the latter model does not allow corrupt players to equivocate. Our lower bound holds even in the more generous broadcast model, and our upper bounds hold even in the more general peer-to-peer model of communication.

Adversary model.

All of the adversaries considered in the paper are computationally unbounded, and in particular we assume no PKI (though we do assume authenticated channels between participants). Specifically, we consider three types of adversaries, static, adaptive, and mobile blocking. Let $f$ be the adversary’s corruption budget. It is useful for us to consider an adversary as a pair of algorithms $\mathcal{A}=(\mathcal{A}_{0},\mathcal{A}_{1})$ , where $\mathcal{A}_{0}$ is responsible for choosing the identities of up to $f$ corrupted players at every round $t$ , and $\mathcal{A}_{1}$ is the adversary participating in the protocol. A bit more formally, at each round $t$ , $\mathcal{A}_{0}$ may observe $(\Pi,t,\mathrm{Tr}_{t})$ and output a set $\mathcal{F}_{t}$ of at most $f$ players. Here, $\Pi$ is a description a protocol and $\mathrm{Tr}_{t}$ refers to the transcript of a protocol up to round $t$ (see Definition 2). Each adversary type we consider imposes different restrictions on either $\mathcal{A}_{0}$ or $\mathcal{A}_{1}$ .²²2One might ask about the possibility of a mobile adversary capable of corruption, but this is tricky to reason about as it requires a notion of “un-corrupting” players.

$\blacksquare$

Static. The static adversary chooses the identities of $f$ corrupt players at round $t=0$ , and this choice is fixed throughout the execution of the protocol. The adversary has complete control over the behaviour of the corrupted players. In other words $\mathcal{F}_{t}=\mathcal{F}_{0}$ for all $t$ . There are no restrictions on $\mathcal{A}_{1}$ .
$\blacksquare$

Adaptive. At the beginning of each round $t$ , the adversary chooses the identities of $f_{t}<f$ players to corrupt in that round, based on its observations of the transcript of the protocol and the players it has corrupted thus far. These players stay corrupted for the rest of the execution. In other words, $\mathcal{F}_{t}\subseteq\mathcal{F}_{t+1}$ for all $t$ . There are no restrictions on $\mathcal{A}_{1}$ .
$\blacksquare$

Mobile blocking. A mobile blocking adversary can, at every round, observe $(\Pi,t,\mathrm{Tr}_{t})$ , where $t$ is a round, and $\mathrm{Tr}_{t}$ is the transcript of $\Pi$ up to round $t$ , and output a set $\mathcal{F}_{t}$ of at most $f$ players that are prohibited from sending messages at round $t$ . We emphasize that unlike the adaptive adversary which is constrained by the total number of corruptions, the mobile adversary may corrupt up to $f$ players in each round regardless of how many players it has corrupted in the past. A mobile blocking adversary is also captured by the $(\mathcal{A}_{0},\mathcal{A}_{1})$ notation via $\mathcal{A}_{0}(\Pi,t,\mathrm{Tr}_{t})=S$ , and $\mathcal{A}_{1}$ be an adversary behaviour in which corrupted players send no messages.

In any adversary variant, we say that an adversary corrupting at most $f=\rho n$ players is $\rho$ -bounded.

Randomness.

The protocols we consider in this work have two main sources of randomness. For both of them, we assume an ideal functionality as our goal is to reason about the nature and amount of randomness required to design consensus protocols.

1.

Common Random String (CRS). We assume that at round $t=0$ , an arbitrarily long (as per the protocol’s specification) uniformly random string $\mathsf{CRS}$ is revealed to all players. A static adversary must choose the identities of corrupt players prior to the CRS being revealed. An adaptive or mobile adversary can choose the identities of corrupt players after $\mathsf{CRS}$ is revealed.
2.

Randomness Beacon. A randomness beacon is an oracle that at every round $t$ , produces a fresh uniformly random string $\mathsf{seed}_{t}$ of an arbitrary length (as per the protocol’s specification). In particular, for each round $t$ , an adaptive or a mobile adversary must choose the identities of corrupted players prior to the revelation of $\mathsf{seed}_{t}$ .

Clearly, in the presence of an adaptive adversary the latter source of randomness is significantly more powerful than the former. It is precisely the latter source of randomness that is the main focus of this paper.

Authenticated Channels.

Similarly to prior work [26, 8], we assume that communication channels in our network are authenticated. Intuitively, this means that each player knows the identity of the sender for any message received. This can be formalized by instantiating communication channels with a map that maps a message $m$ to the tuple $(m,p)$ , where $p$ is the sender of $m$ . This mapping is fixed and can not be tampered with by the adversary.

Executions.

An execution is a tuple $E=(\Pi,\mathcal{A},r)$ where $\Pi$ is the protocol run by honest players. $\mathcal{A}$ is a particular adversary, i.e. $\mathcal{A}$ is an algorithm that chooses corrupt players (only at $t=0$ if static, otherwise $\mathcal{A}_{0}$ chooses at every round $t$ ) based on the transcript of the protocol and internal state of corrupt players, and instructions for the behaviour of the environment. $r$ denotes the random coins of all players. Given a protocol $\Pi$ we say that $E$ is an execution of $\Pi$ if the first component of $E$ is $\Pi$ .

We say that an execution is admissible in the adaptive model if for all rounds $t\geq 0$ it holds that $f_{t}<\frac{1}{3}n$ . In the static model we further demand that the identities of corrupt players remain fixed throughout the execution of the protocol. At times we abuse notation and refer to an execution also as the random variable $(\Pi,\mathcal{A})$ which is a distribution over executions in which $\Pi$ is the protocol run by honest players, and $\mathcal{A}$ is the adversary (corrupt players in each round, and actions taken by them). We denote this random variable by $E_{\mathcal{A}}$ .

The specification of the consensus problem we consider takes the form of the well known Byzantine Agreement problem [33, 28].

Byzantine Agreement ( $\mathsf{BA}$ ).

In the $\mathsf{BA}$ task, $n$ players must come to an agreement on a bit under some constraints. Each player $P_{i}$ has an input $b_{i}\in\left\{0,1\right\}$ , and produces an output $o_{i}\in\left\{0,1\right\}$ . We say that a protocol $\Pi$ solves the $\mathsf{BA}$ task if the following three properties are guaranteed by $\Pi$ , except for with $\mathsf{negl}\left(\lambda\right)$ probability.

1.

Termination. There exists $t$ such that all honest players have produced an output by round $t$ .
2.

Agreement. For any pair of honest players $P_{i},P_{j}$ , the probability (over the randomness of the adversary and the protocol) that these players output different values is at most $\mathsf{negl}\left(\lambda\right)$ .
3.

Validity. If all honest players have the same input bit $b$ , then all honest players always output $b$ .

An additional critical notion relating to a $\mathsf{BA}$ protocol is latency, which is defined as follows. Intuitively, latency captures the expected number of rounds it takes for $\Pi$ to terminate.

Definition 1 (Latency).

Let $\Pi$ be a protocol solving BA, and let $T_{i,\mathcal{A}}$ denote the random variable indicating the round in which player $i$ terminates given an adversary $\mathcal{A}$ corrupting some subset of the players. Given an execution $E=(\Pi,\mathcal{A},r)$ , let $H_{E}$ denote the set of players that remain honest throughout the entire execution. $\Pi$ has expected latency $\ell$ given $f$ corruptions if for all adversaries $\mathcal{A}$ corrupting at most $f$ players,

\max_{\begin{subarray}{c}(\Pi,\mathcal{A})\\ \mathcal{A}\text{ corrupts at most }f\text{ players}\end{subarray}}\mathop{% \mathbb{E}}_{E=(\Pi,\mathcal{A},r)}\left[\max\limits_{p\in H_{E}}T_{p,\mathcal% {A}}\right]\leq\ell.

Randomness beacon.

In this paper, we consider an $\ell$ -bit randomness beacon to be an $n$ -party protocol $\Pi^{\mathcal{O}}$ with access to a random oracle $\mathcal{O}$ that satisfies termination and agreement and, on input $1^{\lambda}$ , outputs a string $s$ of length $\ell(\lambda)$ . Furthermore, the value output by the honest parties must be computationally indistinguishable from random, in the random oracle model. In other words, the adversary responsible with distinguishing between the uniform distribution and the output of the beacon is only bounded in its number of queries to the random oracle, but not in any other manner. In particular, it can perform arbitrary computation. More precisely, let $\mathcal{A}$ be any (computationally unbounded) adversary corrupting $f$ out of $n$ players. Let $\mathcal{B}^{\mathcal{O}}$ by any computationally bounded distinguisher, making $poly(\lambda)$ queries to the random oracle $\mathcal{O}$ . Denote by $v\leftarrow\Pi_{\mathcal{A}}^{\mathcal{O}}$ the output of the honest parties from an execution of $\Pi$ with the adversary $\mathcal{A}$ . For any such $\mathcal{A},\mathcal{B}^{\mathcal{O}}$ it must hold that:

\left|\Pr[\mathcal{B}^{\mathcal{O}}(1^{\lambda},v)=1:\ v\leftarrow\Pi_{% \mathcal{A}}^{\mathcal{O}}]-\Pr[\mathcal{B}^{\mathcal{O}}(1^{\lambda},r)=0:\ r% \leftarrow\{0,1\}^{\ell(\lambda)}\ ]\right|\leq\mathsf{negl}\left(\lambda% \right).

We say that $\Pi^{\mathcal{O}}$ is secure against a static/adaptive/mobile blocking adversary if the above holds and $\mathcal{A}$ is a static/adaptive/mobile blocking adversary respectively. We note that the definition of a randomness beacon varies throughout the literature; here, we consider a weak notion where the adversary corrupting parties during the protocol execution is different from the adversary attempting to distinguish the beacon output from random. This notion is still nontrivial.

4 Impossibility Result

In the following, we define formal notions in order to rigorously discuss the amount of common randomness consumed by a $\mathsf{BA}$ protocol with adaptive security and low communication. Recall that in this section, we assume to be in the broadcast model of communication. We begin with defining the transcript of a protocol.

Definition 2 (Transcript).

Consider a $\mathsf{BA}$ protocol $\Pi$ for a network of $n$ players, and let $\mathcal{A}=(\mathcal{A}_{0},\mathcal{A}_{1})$ denote some adversary. Denote by $E_{\mathcal{A}}$ the random variable of executions under $(\Pi,\mathcal{A})$ . We define the transcript $Tr_{E_{\mathcal{A}}}$ to be the random variable that indicates the identities and contents of the players speaking in each round. Formally, we have

$\blacksquare$

$\mathrm{Tr}_{E_{\mathcal{A}}}=\left\{\mathrm{Tr}_{E_{\mathcal{A}}}^{t}\right\}% _{t\in\mathbb{N}}$
$\blacksquare$

$\mathrm{Tr}_{E_{\mathcal{A}}}^{t}=(I_{E_{\mathcal{A}}}^{t},C_{E_{\mathcal{A}_{% 1}}}^{t},A^{t}_{\mathcal{A}},\mathsf{seed}_{t},\mathsf{CRS})$ , where $I_{E_{\mathcal{A}_{0}}}^{t}\subseteq[n]$ is a subset of honest players at round $t$ , and $C_{E_{\mathcal{A}}}^{t}\in\left(\left\{0,1\right\}^{*}\right)^{I_{E_{\mathcal{% A}}}^{t}}$ denotes the messages of those players. Furthermore, an honest player $p_{i}$ speaks in round $t$ iff $i\in I_{E_{\mathcal{A}}}^{t}$ , and the message it sends is consistent with $C_{E_{\mathcal{A}}}^{t}$ . $A^{t}_{\mathcal{A}}$ contains the identities of the adversarial parties speaking at round $t$ and the contents of their messages

We consider the following notion of unpredictability, that intuitively says that the probability that an adaptive adversary can guess correctly the set of speaking parties in every round, given the transcript of the protocol up to that round is negligible.

Definition 3 (Adversary’s guess of speaking parties).

Let $\Pi$ be a consensus protocol, and let $\mathcal{A}=(\mathcal{A}_{0},\mathcal{A}_{1})$ be an adversary. We define the adversary’s guess to be a series $(\hat{I_{\mathcal{A}}^{0}},\hat{I_{\mathcal{A}}^{1}},\hat{I_{\mathcal{A}}^{2}}% ,...)$ given by an algorithm $\mathcal{A}_{2}$ of the adversary’s choice where for each $t\in\mathbb{N}$ ,

\hat{I}_{\mathcal{A},\mathcal{A}_{2}}^{t}\leftarrow\mathcal{A}_{2}(\Pi,\left\{% \mathrm{Tr}_{E_{\mathcal{A}}}^{i}\mid 0\leq i\leq t-1\right\},t)

Given the above definition, we can now define global leader unpredictability:

Definition 4 (Global leader unpredictability).

Let $\Pi$ be a $\mathsf{BA}$ protocol. We say that $\Pi$ has global leader unpredictability if for any adversaries $\mathcal{A}=(\mathcal{A}_{0},\mathcal{A}_{1})$ and $\mathcal{A}_{2}$ ,

\Pr\left[\forall t,\hat{I}_{\mathcal{A},\mathcal{A}_{2}}^{t}=I_{E_{\mathcal{A}% _{0}}}^{t}\mid\mathsf{CRS}\right]=\prod\limits_{t=0}^{\infty}\Pr\left[\hat{I}_% {\mathcal{A},\mathcal{A}_{2}}^{t}=I_{E_{\mathcal{A}_{0}}}^{t}\mid\left\{I_{E_{% \mathcal{A}_{0}}}^{i}\mid 0\leq i<t\right\},\mathsf{CRS}\right]\leq\mathsf{% negl}\left(\lambda\right)

We now prove that if a protocol $\Pi$ satisfies global leader unpredictability, then its transcript contains a significant amount of min-entropy.

Lemma 5.

Let $\Pi$ be a $\mathsf{BA}$ protocol that satisfies global leader unpredictability. Then for any constant $c>0$ and any adversary $\mathcal{A}=(\mathcal{A}_{0},\mathcal{A}_{1})$ ,

\sum\limits_{t=0}^{\infty}H_{\infty}(\mathrm{Tr}_{E_{\mathcal{A}}}^{t}\mid% \left\{\mathrm{Tr}_{E_{\mathcal{A}}}^{i}\mid 0\leq i<t\right\},\mathsf{CRS})% \geq c\log n.

Proof.

Assume towards a contradiction that there exist a constant $c>0$ and an adversary $\mathcal{A}=(\mathcal{A}_{0},\mathcal{A}_{1})$ such that

\sum\limits_{t=0}^{\infty}H_{\infty}(\mathrm{Tr}_{E_{\mathcal{A}}}^{t}\mid% \left\{\mathrm{Tr}_{E_{\mathcal{A}}}^{i}\mid 0\leq i<t\right\},\mathsf{CRS})<c% \log n.

Now for each $t\in\mathbb{N}$ , denote by $k_{t}$ the value $H_{\infty}(\mathrm{Tr}_{E_{\mathcal{A}}}^{t}\mid\left\{\mathrm{Tr}_{E_{% \mathcal{A}}}^{i}\mid 0\leq i<t\right\},\mathsf{CRS})$ . Applying $f(x)=\frac{1}{2^{x}}$ to both sides of the inequality above, we get that

\frac{1}{2^{\sum\limits_{t=0}^{\infty}k_{t}}}>\frac{1}{n^{c}}

Thus, by definition of min-entropy, we have that there exist strings $S_{t},t\in\mathbb{N}$ s.t.

\frac{1}{2^{k_{t}}}=\Pr[\mathrm{Tr}_{E_{\mathcal{A}}}^{t}=S_{t}\mid\left\{% \mathrm{Tr}_{E_{\mathcal{A}}}^{i}\mid 0\leq i<t\right\},\mathsf{CRS}]

We thus have that

\Pr[\forall t\in\mathbb{N},\mathrm{Tr}_{E_{\mathcal{A}}}^{t}=S_{t}\mid\mathsf{% CRS}]=\prod\limits_{t=0}^{\infty}\Pr[\mathrm{Tr}_{E_{\mathcal{A}}}^{t}=S_{t}% \mid\left\{\mathrm{Tr}_{E_{\mathcal{A}}}^{i}\mid 0\leq i<t\right\},\mathsf{CRS% }]>\frac{1}{n^{c}}

where the first transition is by definition of the probability of event intersection. Since $I_{E_{\mathcal{A}}}^{t}$ is a part of $\mathrm{Tr}_{E_{\mathcal{A}}}^{t}$ , we thus get that there exists set $\hat{I}_{t},t\in\mathbb{N}$ s.t.

\Pr[\forall t\in\mathbb{N},I_{E_{\mathcal{A}}}^{t}=\hat{I}_{t}\mid\mathsf{CRS}% ]>\frac{1}{n^{c}}

Now note that an adversary $\mathcal{A}_{2}$ that predicts at round $t$ the set $\hat{I}_{t}$ can realize this success probability, thus violating the global leader unpredictability condition, as required. Such an adversary is realizable both in the adaptive and mobile blocking models since the adversary at round $t$ has definitive knowledge of the transcript up to and including round $t-1$ , including $\mathsf{CRS}$ . $\hfill\blacktriangleleft$

We would now like to prove that the lack of the global unpredictability condition, combined with low communication, implies susceptibility to attacks by adaptive adversaries. With the notion of a transcript in hand, we can also now formally define the relevant notion for this paper of low communication.

Definition 6.

Let $\Pi$ be a consensus protocol, and let $\mathcal{A}=(\mathcal{A}_{0},\mathcal{A}_{1})$ be an adversary. We define the communication complexity of $\Pi$ to be the random variable $C=\sum\limits_{t\in\mathbb{N}}|I_{E_{\mathcal{A}}}^{t}|$ . We say that the communication is uniform if there exists $T$ such that except for with $\mathsf{negl}\left(\lambda\right)$ probability it holds that $|I_{E_{\mathcal{A}}}^{t}|=O(\frac{C}{T})$ for all $t\leq T$ and $|I_{E_{\mathcal{A}}}^{t}|=0$ for all $t>T$ . We refer to $\frac{C}{T}$ as the uniform communication complexity of $\Pi$ . We say that a protocol has low communication if it has uniform communication of $o(n)$ .

The goal of defining uniform communication, as opposed to just considering the general number of bits exchanged between players in the protocol, is to speak rigorously about protocols in which only a few players speak in each round. We now aim to prove the following theorem, which says that any $\mathsf{BA}$ protocol in which few players speak in every round, uses low beacon entropy, and is adaptively secure, requires many rounds. In other words, no $\mathsf{BA}$ protocol can simultaneously be efficient, adaptively secure, and use low beacon entropy.

Theorem 7.

Let $\Pi$ be a protocol that has the following properties:

$\blacksquare$

$\Pi$ does not satisfy global leader unpredictability.
$\blacksquare$

Except for $O(1)$ initial rounds, $\Pi$ has uniform communication complexity $k$

Then w.p. $\frac{1}{p(n)}$ for some polynomial $p$ , $\Pi$ requires $\Omega(\frac{\rho n}{k})$ rounds in the presence of a $\rho$ -bounded adaptive adversary, for any $\rho\geq\frac{k}{n}$ . Furthermore, if a mobile blocking adversary is considered, then $\Pi$ does not exist for any $\rho\geq\frac{k}{n}$ .

Proof.

By the assumption that $\Pi$ does not satisfy global leader unpredictability, we deduce that there exist a polynomial $p(n)$ and adversaries $\mathcal{A}=(\mathcal{A}_{0},\mathcal{A}_{1})$ and $\mathcal{A}_{2}$ such that

\Pr[\forall t,\hat{I}_{\mathcal{A},\mathcal{A}_{2}}^{t}=I_{E_{\mathcal{A}_{0}}% }^{t}\mid\mathsf{CRS}]\geq\frac{1}{p(n)}.

Now consider the following adversary $\mathcal{B}=(\mathcal{B}_{0},\mathcal{B}_{1})$ , acting as follows. Let $r=O(1)$ be the number of initial rounds which may have high communication complexity. In the following, we employ a well-known result [13], which states that any $\mathsf{BA}$ protocol with $r$ rounds has error probability of at least $\Omega(\frac{1}{n^{r}})$ , with the adversary needing to corrupt at most $r$ players [13]. In our case, $\Omega(\frac{1}{n^{r}})=1/n^{O(1)}$ .

1.

For the first $r$ rounds, employ the adversary strategy [13], corrupting at most $r$ players in the process.
2.

$\mathcal{B}_{0}$ acts as follows: At the beginning of any round $t>r$ , use $\mathcal{A}_{2}(\Pi,\left\{\mathrm{Tr}_{E_{\mathcal{A}}}^{i}\mid 0\leq i<t% \right\})$ to obtain $\hat{I}_{\mathcal{A},\mathcal{A}_{2}}^{t}$ . In the case of the adaptive adversary, corrupt all the players in $\hat{I}_{\mathcal{A},\mathcal{A}_{2}}^{t}$ until the total number of corrupted parties has reached the corruption budget $\rho n$ . In the case of a mobile blocking adversary, corrupt them for round $t$ .
3.

$\mathcal{B}_{1}$ sends no messages by the corrupted players; that is, the players in $\hat{I}_{\mathcal{A},\mathcal{A}_{2}}^{t}$ . Note that this is compatible behaviour with the mobile blocking adversary, in addition to the adaptive adversary.

From here on in, the analysis is conditioned on the event that $\mathcal{A}_{2}$ has guessed correctly the identity of speakers at all rounds, which occurs w.p. at least $\frac{1}{p(n)}$ , by assumption. Due to the strategy of [13], we have that with at least inverse polynomial probability, $\Pi$ does not solve $\mathsf{BA}$ up to round $r$ of the execution. For the following $\Omega(\frac{\rho n}{k})$ rounds, no progress is made since the adversary corrupts all parties participating in the protocol for those rounds. Thus at least with inverse polynomial probability, $\Pi$ requires $\Omega(\frac{\rho n}{k})$ rounds, as required. In the case of a mobile blocking adversary, no progress is made at all, indefinitely, and so in particular the protocol either has no termination, or has error probability at least $\Omega(\frac{1}{n^{r}\cdot p(n)})$ , which is a contradiction. $\hfill\blacktriangleleft$

We now show that global leader unpredictability implies a randomness beacon. This randomness beacon simply runs $\Pi$ and computes the hash(i.e. queries the random oracle) of the identities that spoke in each round. Since these identities are unpredictable, given enough parties there is sufficient randomness to construct a beacon.

Corollary 8.

Let $\Pi$ be an $n$ -party protocol satisfying global leader unpredictability. If $n\geq\lambda$ , there exists a randomness beacon $\Pi^{\prime\mathcal{O}}$ such that:

$\blacksquare$

$\Pi^{\prime\mathcal{O}}$ has the same communication complexity and latency as $\Pi$ .
$\blacksquare$

$\Pi^{\prime\mathcal{O}}$ outputs $\lambda$ bits that are indistinguishable from random by any efficient $(poly(\lambda)$ query) adversary in the random oracle model.

Proof.

Let $\mathcal{O}:\{0,1\}^{*}\to\{0,1\}^{\lambda}$ be a hash function which we model as a random oracle. Let $\Pi^{\prime\mathcal{O}}$ be the protocol obtained by running $\Pi$ and outputting the hash(i.e. querying the oracle $\mathcal{O}$ ) of the identities of the parties that speak in each round of $\Pi$ . Observe now that $\Pi^{\prime\mathcal{O}}$ trivially satisfies the first bullet point, since it involves only running $\Pi$ and applying a function to its transcript. Since we operate in the broadcast setting with authenticated channels, all parties know these identities of speaking parties. Recall that global leader unpredictability states that this tuple of speaking parties has at least $c\log n$ min-entropy for any constant $c$ . Therefore, for any fixed string $s$ , the probability that this tuple of identities equals $s$ is at most $1/\lambda^{c}$ for any constant $c$ . Let $\mathcal{B}^{\mathcal{O}}$ be a computationally bounded adversary making a polynomial number of queries to the random oracle $\mathcal{O}$ . The probability that $\mathcal{B}$ queried the tuple of speaking parties to $\mathcal{O}$ is smaller than the inverse of any polynomial, which is negligible. Therefore, except with negligible probability the hash of the tuple of speaking parties is a freshly random value from the perspective of $\mathcal{B}^{\mathcal{O}}$ . $\hfill\blacktriangleleft$

5 Possibility Results

Having established the above trade-off, we turn to showing that it exactly captures the role of randomness in efficient and adaptively secure $\mathsf{BA}$ . Specifically, we present three protocols solving $\mathsf{BA}$ , all simplified versions of known protocols from the literature, and prove that each of them satisfies two of the three properties we described above. To make our results as strong as possible, throughout this section, we consider a model where players are deterministic and all players are given access to an ideal randomness beacon and a $\mathsf{CRS}$ . Recall (see Section 3) that an adaptive adversary must make corruption choices for round $r$ prior to seeing the beacon output of round $r$ . While for the lower bound result we assumed a broadcast model of communication, we assume a peer-to-peer network for the upper bounds, to make our results as strong as possible. In particular, corrupt players can equivocate. We formally describe our framework and general $\mathsf{BA}$ protocol in the following section, and then showcase how this framework is instantiated in three ways to obtain protocols:

1.

Efficiency and adaptive security. We show that when entropy from a beacon is not limited, there exists a protocol that is adaptively secure and efficient. The details, along with our general framework, are in Section 5.1.
2.

Low beacon entropy and adaptive security. If one is willing to forgo low communication, we show that there is an adaptively secure, low beacon entropy protocol that also has $O(1)$ expected round complexity. The details are in Section 5.2.
3.

Low beacon entropy and efficiency. If one wishes to forgo adaptive security, then there exists an efficient protocol that uses low beacon entropy that is secure against a static adversary. The details are in Section 5.3.

Mobile blocking adversary.

All the proofs relating to security against an adaptive adversary in this section can easily be modified to work for a mobile blocking adversary, with the same protocols. The main observation is that against an adversary that can only silence players, none of our proofs use the property that the same parties are corrupted between rounds, and also that in our protocols, the actions of an honest player depend only on the messages received from the previous round, and not any other round in the past.

5.1 Efficiency and Adaptive Security

In this section we describe our general framework for $\mathsf{BA}$ protocol design, along with one instantiation of it to obtain a $\mathsf{BA}$ protocol that has low communication(i.e. $O(\lambda)$ parties talk in each round) and is secure against an adaptive adversary, as long as $3f_{t}+1<(1-\epsilon)n$ for all $t\in\mathbb{N}$ and constants $\epsilon$ . Formally, we prove the following in this section:

Lemma 9.

For all $\epsilon>0$ , assuming a randomness beacon, there exists a protocol $\Pi$ that except for with $exp(-\lambda)$ probability, solves the $\mathsf{BA}$ task in the presence of an adaptive adversary that satisfies $3f_{t}+1<(1-\epsilon)n$ for all $t\in\mathbb{N}$ .
Furthermore, the protocol has $O(1)$ expected latency, and the protocol has uniform $O(\lambda)$ communication complexity, in expectation.

Our general framework, with which all three of our protocols are designed, resembles that of Gafni and Losa [19] of interlacing executions of the commit-adopt task and leader election. The main differences are the use of the randomness beacon to ensure both low communication and security against an adaptive adversary for some of our considered settings, and the consideration of a stronger adversary (Losa and Gafni assume a non equivocating adversary). With this in mind, we describe in this section the general framework and its concrete implementation to obtain Lemma 9. The following sections explain how to modify the implementation to obtain the other two protocols.

In all our protocols, the set of parties tasked with speaking in each round is denoted by $com_{t}$ for round $t$ . We refer to $com_{t}$ as the committee of round $t$ . Furthermore, each round $t$ has a designated leader, denoted by $\ell_{t}$ . Despite the fact that every round has a leader, in most rounds the leader does not have any special role. The identity of $com_{t}$ and $\ell_{t}$ in each of our considered settings is derived both from the beacon and the given $\mathsf{CRS}$ in different ways, as follows.

1.

Efficiency and adaptive security. To achieve Lemma 9, we use the randomness beacon as follows. Denote the string distributed at round $t$ to the players by the randomness beacon by $\mathsf{seed}_{t}$ . We choose $|\mathsf{seed}_{t}|=O(\lambda\log n)$ , where $\lambda$ is the security parameter, and we treat $\mathsf{seed}_{t}$ as $\mathsf{seed}_{t}=(\ell_{t},com_{t})$ where $\ell_{t}\in[n]$ is the identity of a player, which is referred to as the leader of round $t$ , and $com_{t}\subseteq[n]$ is a subset of size $O(\lambda)$ of players, indicating the committee of round $t$ . The protocol presented in this section makes no use of the given $\mathsf{CRS}$ .
2.

Adaptive security and low beacon entropy. This protocol also makes no use of the $\mathsf{CRS}$ . In this protocol, $com_{t}=[n]$ for all $t$ , and the leader $\ell_{t}$ is elected via the randomness beacon string $\mathsf{seed}_{t}$ as above. See Section 5.2 for further details.
3.

Efficiency and low beacon entropy. This protocol is the only protocol that makes use of the $\mathsf{CRS}$ . We interpret the $\mathsf{CRS}$ as $(\mathsf{seed}_{1},\mathsf{seed}_{2},\ldots)$ where $\mathsf{seed}_{t}=(\ell_{t},com_{t})$ with $\ell_{t}\in[n]$ and $com_{t}\subseteq[n]$ of size $O(\lambda)$ . See Section 5.3 for further details.

Our framework is comprised from the interlacing of two components.

$\blacksquare$

Commit-Adopt ( $\mathsf{CA}$ ). The $\mathsf{CA}$ protocol consists of 2-rounds. In each of these rounds, only the committee $com_{t}$ speaks. If the $\mathsf{CA}$ step fails to achieve consensus, players proceed to the second phase of the protocol.
$\blacksquare$

Conciliator ( $\mathsf{CO}$ ). Intuitively, the goal of the Conciliator task is to bring back the honest players into a consistent view after the previous $\mathsf{CA}$ failed. This is done by running an additional $\mathsf{CA}$ and a leader election, and then outputting a value to continue with for the subsequent $\mathsf{CA}$ .

We now formally define the two procedures $\mathsf{CA}$ , and $\mathsf{CO}$ .

Definition 10 (Commit-Adopt).

In the commit-adopt task ( $\mathsf{CA}$ ), each player receives an input value $z$ , and must produce an output of the form $commit(z^{\prime})$ or $adopt(z^{\prime})$ for some value $z^{\prime}$ , with the following guarantees.

1.

Agreement. If an honest player outputs $commit(z)$ for some value $z$ , then all honest players must output either $commit(z)$ or $adopt(z)$ .
2.

Validity. If all honest players input the same value $z$ , then all honest players must output $commit(z)$ .
3.

Termination. There exists a round $r\in\mathbb{N}$ such that by round $r$ , all awake honest players have submitted an output.

Definition 11 (Conciliator).

In the conciliator task ( $\mathsf{CO}$ ), each player has an input value $z$ and must produce an output with the following guarantees.

1.

Validity. If all honest players input the same value $z$ , then all honest players output $z$ .
2.

Termination. There is a round $r\in\mathbb{N}$ such that all honest players output by round $r$ .
3.

Probabilistic Agreement. With probability at least $\frac{2}{3}$ , all players output the same value $z$ inputted by some honest player.

Figure 1: Illustration of the structure of all three of our protocols.

\mathsf{CA}

and

\mathsf{CO}

procedures are interlaced, with each

\mathsf{CO}

procedure ensuring safety on a potentially locked value, followed by letting a leader propose a value to the decision

\mathsf{CA}

. In each round

t

, only the players in

com_{t}

or

\ell_{t}

send messages.

Our generic protocol alternates between executions of $\mathsf{CO}$ and $\mathsf{CA}$ until $\mathsf{BA}$ is solved. See Figure 1 for an illustration. We denote the $i$ -th execution of $\mathsf{CA}$ and $\mathsf{CO}$ by $\mathsf{CA}[i]$ and $\mathsf{CO}[i]$ , respectively. We now provide formal descriptions of the protocols for $\mathsf{CA}$ and $\mathsf{CO}$ using $\ell_{t},com_{t}$ as explained above to obtain Lemma 9. The following sections explain how these implementations are modified to obtain our other protocols.

Algorithm 1

\mathsf{CA}

.

We employ the following adopt-commit protocol executed by all honest players $p$ with input $z_{p}$ .

1.

At round $t=0$ , if $p\in com_{0}$ , $p$ broadcasts its input $z_{p}$ . Otherwise, do nothing.
2.

At round $t=1$ , if $p\not\in com_{1}$ , do nothing. Otherwise, if there exists a value $z$ that $p$ has received $z$ from more than $\frac{2|com_{0}|}{3}$ of the players in $com_{0}$ ³³3Here we use our authenticated channels assumption, $p$ broadcasts $vote(z)$ . Otherwise, do nothing.
3.
At round $t\geq 2$ , $p$ decides on its output as follows.
1. (a)
  
  If there exists value $z$ such that $p$ has received $vote(z)$ from at least $\frac{2|com_{1}|}{3}$ of the players in $com_{1}$ , output $commit(z)$ .
2. (b)
  
  Else if there exists a value $z$ for which $p$ received more $vote(z)$ from players in $com_{1}$ than for any other value, output $adopt(z)$ .
3. (c)
  
  Else, output $adopt(z_{p})$ .

We now prove that the above procedure solves the $\mathsf{CA}$ problem in the presence of an adaptive adversary, as long as there is a constant $\epsilon>0$ s.t. $3f_{t}+1<(1-\epsilon)n$ for all $t\in\mathbb{N}$ . In general, the above procedure solves the $\mathsf{CA}$ problem as long as $com_{t}$ contains a greater than $\frac{2}{3}$ -majority of honest players for all rounds $t$ . In the context of Lemma 9, we make the following observation, which is used liberally throughout the section. We denote the above protocol by $\Pi$ .

Observation 12.

Let $\mathcal{A}=(\mathcal{A}_{0},\mathcal{A}_{1})$ be an adaptive adversary. Then for all $t$ it holds that

\Pr\left[|\mathcal{A}_{0}(\Pi,t,\mathrm{Tr}_{t})\cap com_{t}|\geq\frac{|com_{t% }|}{3}\right]=\mathsf{negl}\left(\lambda\right)

Proof.

The proof follows from standard concentration bounds. Specifically we get that the expected number of corrupted players in $com_{t}$ is upper bounded by $\frac{|com_{t}|}{3}(1-\epsilon)$ , and thus by a Hoeffding bound we get the probability that the number of corrupted players in $com_{t}$ exceeds $\frac{|com_{t}|}{3}$ is at most $e^{-\Omega(\epsilon^{2}|com_{t}|)}=e^{-\Omega(\epsilon^{2}\lambda)}$ . For this we use the facts that $|com_{t}|=\Omega(\lambda)$ , $\epsilon$ is a constant, the choice of each player in $com_{t}$ being independent, and the independence of $\mathcal{A}_{0}(\Pi,t,\mathrm{Tr}_{t})$ on $com_{t}$ . $\hfill\blacktriangleleft$

We thus assume from here on in for the remainder of the analysis that an honest super-majority assumption holds at all rounds amongst the committee members, i.e. $|\mathcal{A}_{0}(\Pi,t,\mathrm{Tr}_{t})\cap com_{t}|<\frac{|com_{t}|}{3}$ holds for all $t$ . With that in mind all that is left is to prove that the above protocol solves the $\mathsf{CA}$ problem.

Lemma 13.

For any constant $\epsilon>0$ , except for with $\mathsf{negl}\left(\lambda\right)$ probability, Algorithm 1 solves the $\mathsf{CA}$ task whenever $3f_{t}+1<(1-\epsilon)n$ .

Proof.

Termination is clear from the behavior of the protocol. We move on to Validity, assume that all honest parties start the protocol with input $z$ , and let $com_{0},com_{1}$ be as in the protocol. Then in particular, all honest players in $com_{0}$ broadcast $z$ . The above observation implies that any honest player in $com_{1}$ observes the value $z$ from more than $\frac{2}{3}$ of the players in $com_{0}$ . Thus all honest players in $com_{1}$ broadcast $vote(z)$ message at round 1. Which in turn causes all honest players to output $commit(z)$ at $t=2$ , as required. For Agreement, let $commit(z)$ be the value output by some honest player $p$ . Which means that $p$ observed $vote(z)$ from more than $\frac{2}{3}$ of the members of $com_{1}$ . Note first that no other honest member of $com_{1}$ sends $vote(z^{\prime})$ for a different value, as this implies that that two honest players $q_{1},q_{2}$ in $com_{1}$ , respectively received multicasts of $z,z^{\prime}$ from more than $\frac{2}{3}$ of the members of $com_{0}$ , and a quorum intersection argument implies the existence of an honest player in $com_{0}$ that broadcast two different inputs, which can not occur. Thus for any other value $z^{\prime}$ an honest player can only observe strictly less than $\frac{|com_{1}|}{3}$ $vote(z^{\prime})$ messages from players in $com_{1}$ . On the other hand, if $p$ observed $vote(z)$ from more than $\frac{2}{3}$ of the members of $com_{1}$ , this implies, together with Observation 12, that more than $\frac{1}{3}$ of the honest members of $com_{1}$ broadcast $vote(z)$ , which means all honest players have seen $vote(z)$ messages from more than $\frac{1}{3}$ of the members of $com_{1}$ . Combined, this means that all honest players have observed more $vote(z)$ messages from players in $com_{1}$ than for any other value, and thus output either $adopt(z)$ or $commit(z)$ , as required. $\hfill\blacktriangleleft$

We now proceed to designing a protocol for the $\mathsf{CO}$ task.

Algorithm 2

\mathsf{CO}

.

We employ the following conciliator protocol executed by all honest players $p$ with input $z_{p}$ .

1.

If $t\in[0,2]$ , run according to $\mathsf{CA}$ protocol with input value $z$ .
2.

If $r=3$ , if $p=\ell_{3}$ or $p\in com_{3}$ , broadcast $\mathsf{CA}$ output.
3.
if $r\geq 4$ , then:
1. (a)
  
  If $p$ received $commit(z)$ from more than $\frac{1}{3}$ of the players in $com_{3}$ for some value $z$ , then $p$ outputs $z$ .
2. (b)
  
  Else, if $p$ received $adopt(z)$ or $commit(z)$ for some value $z$ from $\ell_{3}$ , then output $z$
3. (c)
  
  Else, output $z_{p}$ .

We now proceed to prove the correctness of the above procedure.

Lemma 14.

For any constant $\epsilon>0$ , except for with $\mathsf{negl}\left(\lambda\right)$ probability, Algorithm 2 solves the $\mathsf{CO}$ task whenever $3f_{t}+1<(1-\epsilon)n$ .

Proof.

Termination is clear from the behavior of the protocol. For Validity, if $z$ is the input of all honest players, then by the Validity of $\mathsf{CA}$ , we get that by round $3$ , all honest players output $commit(z)$ . For probabilistic agreement, note that if no honest player outputs according to item (a), then the property holds as the leader is honest w.p. at least $\frac{2}{3}$ . Otherwise, Let $p$ be an honest player that output according to item (a), which implies that $p$ observed more than $\frac{1}{3}$ fraction of $commit(z)$ messages for the same value $z$ from the players in $com_{3}$ . In particular this implies that at least one of those players is honest. Thus by the Agreement property $\mathsf{CA}$ , we have that all honest players output either $commit(z)$ or $adopt(z)$ . Thus no player in $com_{3}$ sends $commit(z^{\prime})$ for any value $z\neq z^{\prime}$ . In particular this means that no honest player views more than a $\frac{1}{3}$ fraction of $commit(z^{\prime})$ for any $z^{\prime}=z$ . Thus, all honest players that output according to item (a) agree. Denote that value by $z$ . Now note that w.p. at least $\frac{2}{3}$ , $\ell_{3}$ is honest, and if this is the case, then $\ell_{3}$ also output either $commit(z)$ or $adopt(z)$ , by the agreement property of $\mathsf{CA}$ , and all other honest players output $z$ according to item $b$ in that case. Thus, w.p. at least $\frac{2}{3}$ , all honest players agree on the output, as required. $\hfill\blacktriangleleft$

We denote by $L_{c},L_{ca}$ the number of rounds required to run the $\mathsf{CO},\mathsf{CA}$ tasks, respectively. We can now describe the generic $\mathsf{BA}$ protocol we employ. The following protocol is executed by every honest player $p$ with input $z$ .

Algorithm 3

\mathsf{BA}

protocol framework.

1.
For $i=0,...,D$ :
1. (a)
  
  If $t\in[(L_{c}+L_{ca})i,(L_{c}+L_{ca})i+L_{c}]$ , run as in $\mathsf{CO}[i]$ with input being the output of $\mathsf{CA}[i-1]$ or $z$ if $i=0$ .
2. (b)
  
  If $r\in[(L_{c}+L_{ca})i+(L_{c}+1),(L_{c}+L_{ca}+1)i]$ run as in $\mathsf{CA}[i]$ with input being $p$ ’s output in $\mathsf{CO}[i]$ .
3. (c)
  let $o$ be the output of $\mathsf{CA}[i]$ .
  1. i.
    
    If $o=commit(v)$ for some value, then output $v$ as $\mathsf{BA}$ decision. Participate in the protocol for one more iteration with inputs to all subroutines being fixed to $v$ .
  2. ii.
    
    Else, move on to $i+1$ .

With the above instantiations of $\mathsf{CA}$ and $\mathsf{CO}$ in mind, we now prove that the above protocol proves Lemma 9.

Proof.

For Termination, consider an iteration $i$ of the protocol above. By probabilistic agreement of $\mathsf{CO}$ , we have that w.p. at least $\frac{2}{3}$ , all honest players agree on the output of $\mathsf{CO}[i]$ . Denote it by $z$ . Conditioned on agreement, Validity of $\mathsf{CA}$ guarantees that all honest players output $commit(z)$ , and thus they all terminate at the end of $\mathsf{CA}[i]$ . Thus for every iteration $i$ , w.p. at least $\frac{2}{3}$ , all honest players terminate at the end of iteration $i+1$ . Thus, w.h.p. all honest players terminate after $O(\log n)$ iterations. For Validity, consider the case where all players have the same input $z$ . The Validity properties of both $\mathsf{CO}$ and $\mathsf{CA}$ imply that at end of iteration 1, all honest players output $commit(z)$ from $\mathsf{CA}[1]$ and output $z$ , as required. For Agreement, Let $p$ be the first honest player to output, with output $z$ . I.e. there exists an $i$ such that $p$ output $commit(z)$ from $\mathsf{CA}[z]$ , and no honest player has output $commit(z^{\prime})$ for any $z$ at any iteration $i^{*}<i$ . In particular, this implies, by the consistency of $\mathsf{CA}$ , that all other honest players output either $commit(z)$ or $adopt(z)$ from $\mathsf{CA}[i]$ . Which implies that all honest players enter iteration $i+1$ with input $z$ . The Validity of an iteration, proven above, implies thus that by the end of iteration $i+1$ , all honest players output $z$ .

Combining the fact that for every iteration $i$ , w.p. at least $\frac{2}{3}$ , all honest players terminate at the end of iteration $i+1$ with the small size of $com_{t}$ for all $t$ , we obtain that the protocol halts in $O(1)$ rounds in expectation, and has $O(\lambda)$ uniform communication complexity, in expectation, as required. $\hfill\blacktriangleleft$

Note that we have essentially proved that Algorithm 3 solves $\mathsf{BA}$ whenever the number of honest participants in each round exceeds a $\frac{2}{3}$ fraction. Furthermore, it has expected latency of $O(1)$ .

Nakamoto Consensus.

Note that Nakamoto consensus [32], also gives an efficient protocol with adaptive security. In each round, a leader is elected from a beacon. The leader adds a block to a chain, and consensus is reached on a prefix of the current longest chain, i.e. on blocks that are $k$ -deep in the longest chain. This implies that in order to agree on a single block with $1-exp(-\lambda)$ confidence, it must be $k=O(\lambda)$ deep in the longest chain. Thus, the beacon needs to emit $k\cdot\log(n)$ random bits to reach consensus. We note that the classic implementation of Nakamoto does not satisfy the validity condition of BA. This is easily remedied with a single invocation of $\mathsf{CA}$ prior to the initiation of the Nakamoto protocol. While $\mathsf{CA}$ requires $\Omega(n^{2})$ communication, note that our lower bound (Theorem 7) applies even when the protocol has $O(1)$ initial rounds of high communication.

5.2 Adaptive security and low beacon entropy

Next, we showcase a protocol that is secure against an adaptive adversary and does not satisfy Definition 4 (i.e., has low beacon entropy). This, of course, as per Theorem 7, implies that this protocol has to have high communication. Specifically, all $n$ parties send messages in every round. Specifically, we prove the following lemma.

Lemma 15.

For every $\rho<\frac{1}{3}$ , and assuming a randomness beacon there exists a $\rho$ -secure consensus protocol against an adaptive adversary, with $O(1)$ expected latency. Furthermore, the protocol does not satisfy Definition 4.

We once again in this protocol make no use of $\mathsf{CRS}$ , as we aim to be secure against an adaptive adversary. The protocol $\Pi$ is going to follow the same structure of Algorithm 3, with the following modifications.

$\blacksquare$

All players participate in every round of Algorithm 3. In other words, $com_{t}=[n]$ for all rounds $t$ . In particular, the randomness beacon is not used for committee sampling.
$\blacksquare$

The random beacon is still being used to sample a uniformly random leader during the $\mathsf{CO}$ task. That is the only use of the randomness beacon. In other words, the output of the randomness beacon at round $t$ , denoted by $\mathsf{seed}_{t}$ , contains only the identity of a single player $\ell_{t}$ which is the chosen leader for round $t$ .

Correctness of the protocol and its security against an adaptive adversary are immediate from the proof of correctness for Algorithm 3, and the adversary being $\rho$ -bounded for $\rho<\frac{1}{3}$ . The last item to prove is the following.

Claim 16.

Algorithm 3 when implemented without committees, satisfies that there exists a constant $c>0$ such that

\sum\limits_{t=0}^{\infty}H_{\infty}(\mathrm{Tr}_{E_{\mathcal{A}}}^{t}\mid% \left\{\mathrm{Tr}_{E_{\mathcal{A}}}^{i}\mid 0\leq i<t\right\})\leq c\log n

Proof.

Note that the only source of entropy in the modified protocol is the leader election in the $\mathsf{CO}$ subroutine. Besides that, all content of all messages is a deterministic function of the inputs of the players. Furthermore, we have that for each iteration $i$ , w.p. at least $\frac{2}{3}$ , all honest players terminate by the end of iteration $i+1$ . Thus, We get that for any adversary $\mathcal{A}$ and any execution $E$ , and for every iteration $i>0$ w.p. at least $1-\frac{1}{3^{i-1}}$ , $I^{t}_{E_{\mathcal{A}}}=\emptyset$ where $t$ is any round during iteration $i$ . In particular we then get that the total min entropy of the transcript of the protocol $\Pi$ during iteration $i$ , for all $i>1$ is upper bounded by $\log(\frac{3^{i-1}}{3^{i-1}-1})$ . For $i=0,1$ , the transcript is determined by the identity of the random leader, hence both of these iterations provide $\log n$ min entropy each. In total, we get that

\sum\limits_{t=0}^{\infty}H_{\infty}(I_{E_{\mathcal{A}}}^{t}|\left\{Tr^{i}_{E_% {\mathcal{A}}}\mid 0\leq i<t\right\},\mathsf{CRS})<2\log n+\sum\limits_{t=2}^{% \infty}\log(\frac{3^{t-1}}{3^{t-1}-1})<2\log n+1

as required. $\hfill\vartriangleleft$

5.3 Efficiency and low beacon entropy

In this section, we showcase a protocol achieving both low communication and low Randomness beacon entropy usage, which in particular implies that it doesn’t have global leader unpredictability (see Definition 4). This is the only protocol in which we make use of the $\mathsf{CRS}$ . Specifically, we run Algorithm 3 but instead of using $\mathsf{seed}_{t}$ to select committees and a leader for $\mathsf{CO}[i]$ , all the information about the committees and leaders for each iteration are taken from $\mathsf{CRS}$ . I.e. the $\mathsf{CRS}$ is interpreted as $(\mathsf{seed}_{1},\mathsf{seed}_{2},\ldots)$ , where $\mathsf{seed}_{t}=(com_{t},\ell_{t})$ with $\ell_{t}\in[n]$ and $com_{t}\subseteq[n]$ being a subset of players of size $O(\lambda)$ . We assume that $\mathsf{CRS}$ is sufficiently long to encode such information. We recall that a static adversary makes its choice of corruption before observing the CRS. Formally, we prove the following.

Lemma 17.

For every $\epsilon>0$ and $\rho<\frac{1-\epsilon}{3}$ , and assuming a $\mathsf{CRS}$ , there exists a $\rho$ -secure consensus protocol against a static adversary with $O(1)$ expected latency and $O(\lambda)$ uniform communication complexity, in expectation.

For simplicity, we abuse notation and refer to $\ell_{t},com_{t}$ for the purposes of this lemma also as the leader and the committee of round $t$ as described in the $\mathsf{CRS}$ .

Observation 18.

Let $\mathcal{A}=(\mathcal{A}_{0},\mathcal{A}_{1})$ be a static adversary. Then for all $t$ it holds that

\Pr\left[|\mathcal{A}_{0}(\Pi,t)\cap com_{t}|\geq\frac{|com_{t}|}{3}\right]=% \mathsf{negl}\left(\lambda\right)

when $com_{t}$ is taken from the $\mathsf{CRS}$ .

The observation follows from the same arguments as Observation 12.

Proof.

The proof of the lemma follows from the correctness of Algorithm 3 whenever the honest fraction of participating parties in every round exceeds $\frac{2}{3}$ . Algorithm 3 was shown to have $O(1)$ expected latency and by the size of $com_{t}$ for all $t$ we get that the communication complexity of the protocol is uniform $O(\lambda)$ in expectation, as required. $\hfill\blacktriangleleft$

6 Conclusion

Our motivation in this paper was to characterize the space of what is possible in modern consensus protocols. Although prior work has examined many desirable properties of consensus, the relationship between randomness, communication efficiency, and adaptive security lacked a rigorous understanding. These properties have become especially desirable in modern-day consensus protocols, yet their theoretical foundations have lagged behind. We further our understanding of the consensus landscape by showing a trilemma: Efficient consensus with adaptive security requires $\Omega(\log n)$ bits of beacon entropy. On the positive side, we provide protocols that achieve any pair of these properties.

Implications for practice.

In modern blockchains, adaptive security is especially desirable to prevent bribery attacks or other attacks where nodes are temporarily compromised. In practice, modern blockchains often use randomness beacons to unpredictably elect leaders or committees. However, these randomness beacons come at a cost and add design and implementation complexity. Our work shows that efficient and adaptively secure protocols require beacons; this cost is in some sense unavoidable.

A natural next question is exactly how much randomness is needed from the beacon. Our possibility results show that the amount of entropy required is relatively low, growing only logarithmically in the number of parties. Therefore, using a beacon is unavoidable, yet this beacon can be relatively lightweight.

Extensions to other settings.

In this work, we have considered a computationally unbounded adversary and an information-theoretic setting. This choice mainly served to maintain the simplicity and clarity of the exposition. A natural alternative model is the PKI setting, with computationally bounded adversaries. Our positive results trivially extend to this setting, as information-theoretic security implies security against a computationally bounded adversary. Extending our lower bound is slightly more subtle, though we expect it to hold for a notion of pseudorandomness rather than statistical beacon entropy. We leave formalizing this analogous bound as an interesting direction for future work.

In this work, we restricted our attention to a special variety of low-communication protocols, specifically ones where the set of parties speaking in each round is small. This notion of communication efficiency is desirable in practice, and several protocols use a committee subsampling approach to this end (e.g., Algorand, Ethereum). However, one might also be interested in other notions of communication efficiency, for example the setting where communication is simply measured by the total number of bits exchanged by honest parties. An open question is whether our results stand in this alternate setting.

References

[1] Ittai Abraham, T.-H. Hubert Chan, Danny Dolev, Kartik Nayak, Rafael Pass, Ling Ren, and Elaine Shi. Communication complexity of byzantine agreement, revisited. Distributed Comput., 36(1):3–28, 2023. doi:10.1007/S00446-022-00428-8.
[2] Ittai Abraham, Srinivas Devadas, Danny Dolev, Kartik Nayak, and Ling Ren. Synchronous Byzantine Agreement with Expected O(1) Rounds, Expected O( $n^{2}$ ) Communication, and Optimal Resilience. In Financial Crypto, 2019.
[3] Mohamad Ahmadi, Abdolhamid Ghodselahi, Fabian Kuhn, and Anisur Rahaman Molla. The cost of global broadcast in dynamic radio networks. Theor. Comput. Sci., 806:363–387, 2020. doi:10.1016/J.TCS.2019.07.013.
[4] Mohamad Ahmadi and Fabian Kuhn. Multi-message broadcast in dynamic radio networks. In ALGOSENSORS, 2016.
[5] Kaya Alpturer and S. Matthew Weinberg. Optimal RANDAO manipulation in ethereum. In AFT, 2024. doi:10.4230/LIPIcs.AFT.2024.10.
[6] Ziv Bar-Joseph and Michael Ben-Or. A tight lower bound for randomized synchronous consensus. In PODC. ACM, 1998. doi:10.1145/277697.277733.
[7] Dan Boneh, Joseph Bonneau, Benedikt Bünz, and Ben Fisch. Verifiable Delay Functions. In CRYPTO, 2018.
[8] Elette Boyle, Ran Cohen, and Aarushi Goel. Breaking the O(n)-bit Barrier: Byzantine Agreement with Polylog Bits Per Party. In PODC. ACM, 2021. doi:10.1145/3465084.3467897.
[9] Nicolas Braud-Santoni, Rachid Guerraoui, and Florian Huc. Fast byzantine agreement. In PODC. ACM, 2013. doi:10.1145/2484239.2484243.
[10] Miguel Castro, Barbara Liskov, et al. Practical Byzantine Fault Tolerance. In OSDI, 1999.
[11] Jing Chen and Silvio Micali. Algorand: A secure and efficient distributed ledger. Theor. Comput. Sci., 777:155–183, 2019. doi:10.1016/J.TCS.2019.02.001.
[12] Kevin Choi, Aathira Manoj, and Joseph Bonneau. Sok: Distributed randomness beacons. In IEEE Security & Privacy, 2023.
[13] Benny Chor, Michael Merritt, and David B. Shmoys. Simple constant-time consensus protocols in realistic failure models. J. ACM, 36(3):591–614, 1989. doi:10.1145/65950.65956.
[14] Francesco D’Amato and Luca Zanolini. A simple single slot finality protocol for ethereum. In ESORICS, 2023.
[15] Sourav Das, Sisi Duan, Shengqi Liu, Atsuki Momose, Ling Ren, and Victor Shoup. Asynchronous Consensus without Trusted Setup or Public-Key Cryptography. In ACM CCS, 2024.
[16] Bernardo David, Peter Gazi, Aggelos Kiayias, and Alexander Russell. Ouroboros Praos: An Adaptively-Secure, Semi-synchronous Proof-of-Stake Blockchain. In Eurocrypt, 2018.
[17] Danny Dolev and Rüdiger Reischuk. Bounds on information exchange for byzantine agreement. J. ACM, 32(1):191–204, 1985. doi:10.1145/2455.214112.
[18] Matthias Fitzi, Chen-Da Liu-Zhang, and Julian Loss. A new way to achieve round-efficient byzantine agreement. In PODC. ACM, 2021. doi:10.1145/3465084.3467907.
[19] Eli Gafni and Giuliano Losa. Brief Announcement: Byzantine Consensus Under Dynamic Participation with a Well-Behaved Majority. In DISC, 2023. doi:10.4230/LIPIcs.DISC.2023.41.
[20] Juan A. Garay and Aggelos Kiayias. SoK: A Consensus Taxonomy in the Blockchain Era. In CT-RSA, 2020.
[21] Diana Ghinea, Vipul Goyal, and Chen-Da Liu-Zhang. Round-optimal byzantine agreement. In Eurocrypt, 2022.
[22] Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scaling byzantine agreements for cryptocurrencies. In SOSP, 2017.
[23] Mohammad Hajiaghayi, Dariusz R. Kowalski, and Jan Olkowski. Nearly-optimal consensus tolerating adaptive omissions: Why a lot of randomness is needed? In PODC. ACM, 2024. doi:10.1145/3662158.3662826.
[24] Alireza Kavousi, Zhipeng Wang, and Philipp Jovanovic. SoK: Public Randomness. In Euro S&P, 2024.
[25] Valerie King, Steven Lonargan, Jared Saia, and Amitabh Trehan. Load balanced scalable byzantine agreement through quorum building, with full information. In ICDCN, 2011.
[26] Valerie King and Jared Saia. Breaking the O(n ${}^{\mbox{2}}$ ) bit barrier: Scalable byzantine agreement with an adaptive adversary. J. ACM, 58(4):18:1–18:24, 2011. doi:10.1145/1989727.1989732.
[27] Marek Klonowski, Dariusz R. Kowalski, and Jaroslaw Mirek. Ordered and delayed adversaries and how to work against them on a shared channel. Distributed Comput., 32(5):379–403, 2019. doi:10.1007/S00446-018-0341-7.
[28] Leslie Lamport, Robert E. Shostak, and Marshall C. Pease. The Byzantine Generals Problem. ACM Trans. Program. Lang. Syst., 4(3):382–401, 1982. doi:10.1145/357172.357176.
[29] Arjen K. Lenstra and Benjamin Wesolowski. A random zoo: sloth, unicorn, and trx. Cryptology ePrint Archive, Paper 2015/366, 2015. URL: https://eprint.iacr.org/2015/366.
[30] Julian Loss and Gilad Stern. Zombies and ghosts: Optimal byzantine agreement in the presence of omission faults. In TCC (4), volume 14372 of Lecture Notes in Computer Science, pages 395–421. Springer, 2023. doi:10.1007/978-3-031-48624-1_15.
[31] Achour Mostéfaoui, Hamouma Moumen, and Michel Raynal. Signature-free asynchronous binary byzantine consensus with t < n/3, o(n2) messages, and O(1) expected time. J. ACM, 62(4):31:1–31:21, 2015. doi:10.1145/2785953.
[32] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. https://bitcoin.org/bitcoin.pdf, 2008.
[33] Marshall C. Pease, Robert E. Shostak, and Leslie Lamport. Reaching agreement in the presence of faults. J. ACM, 27(2):228–234, 1980. doi:10.1145/322186.322188.
[34] Michael O. Rabin. Transaction protection by beacons. Journal of Computer and System Sciences, 1983.
[35] Mayank Raikwar and Danilo Gligoroski. SoK: Decentralized randomness beacon protocols. In Australasian Conference on Information Security and Privacy, 2022.
[36] Peter Robinson, Christian Scheideler, and Alexander Setzer. Breaking the $\tilde{\Omega}(\sqrt{n})$ barrier: Fast consensus under a late adversary. In SPAA. ACM, 2018.
[37] Ewa Syta, Philipp Jovanovic, Eleftherios Kokoris Kogias, Nicolas Gailly, Linus Gasser, Ismail Khoffi, Michael J Fischer, and Bryan Ford. Scalable bias-resistant distributed randomness. In IEEE Security & Privacy, 2017.

[bib.bib1] [1] Ittai Abraham, T.-H. Hubert Chan, Danny Dolev, Kartik Nayak, Rafael Pass, Ling Ren, and Elaine Shi. Communication complexity of byzantine agreement, revisited. Distributed Comput., 36(1):3–28, 2023. doi:10.1007/S00446-022-00428-8.

[bib.bib2] [2] Ittai Abraham, Srinivas Devadas, Danny Dolev, Kartik Nayak, and Ling Ren. Synchronous Byzantine Agreement with Expected O(1) Rounds, Expected O( $n^{2}$ ) Communication, and Optimal Resilience. In Financial Crypto, 2019.

[bib.bib3] [3] Mohamad Ahmadi, Abdolhamid Ghodselahi, Fabian Kuhn, and Anisur Rahaman Molla. The cost of global broadcast in dynamic radio networks. Theor. Comput. Sci., 806:363–387, 2020. doi:10.1016/J.TCS.2019.07.013.

[bib.bib4] [4] Mohamad Ahmadi and Fabian Kuhn. Multi-message broadcast in dynamic radio networks. In ALGOSENSORS, 2016.

[bib.bib5] [5] Kaya Alpturer and S. Matthew Weinberg. Optimal RANDAO manipulation in ethereum. In AFT, 2024. doi:10.4230/LIPIcs.AFT.2024.10.

[bib.bib6] [6] Ziv Bar-Joseph and Michael Ben-Or. A tight lower bound for randomized synchronous consensus. In PODC. ACM, 1998. doi:10.1145/277697.277733.

[bib.bib7] [7] Dan Boneh, Joseph Bonneau, Benedikt Bünz, and Ben Fisch. Verifiable Delay Functions. In CRYPTO, 2018.

[bib.bib8] [8] Elette Boyle, Ran Cohen, and Aarushi Goel. Breaking the O(n)-bit Barrier: Byzantine Agreement with Polylog Bits Per Party. In PODC. ACM, 2021. doi:10.1145/3465084.3467897.

[bib.bib9] [9] Nicolas Braud-Santoni, Rachid Guerraoui, and Florian Huc. Fast byzantine agreement. In PODC. ACM, 2013. doi:10.1145/2484239.2484243.

[bib.bib10] [10] Miguel Castro, Barbara Liskov, et al. Practical Byzantine Fault Tolerance. In OSDI, 1999.

[bib.bib11] [11] Jing Chen and Silvio Micali. Algorand: A secure and efficient distributed ledger. Theor. Comput. Sci., 777:155–183, 2019. doi:10.1016/J.TCS.2019.02.001.

[bib.bib12] [12] Kevin Choi, Aathira Manoj, and Joseph Bonneau. Sok: Distributed randomness beacons. In IEEE Security & Privacy, 2023.

[bib.bib13] [13] Benny Chor, Michael Merritt, and David B. Shmoys. Simple constant-time consensus protocols in realistic failure models. J. ACM, 36(3):591–614, 1989. doi:10.1145/65950.65956.

[bib.bib14] [14] Francesco D’Amato and Luca Zanolini. A simple single slot finality protocol for ethereum. In ESORICS, 2023.

[bib.bib15] [15] Sourav Das, Sisi Duan, Shengqi Liu, Atsuki Momose, Ling Ren, and Victor Shoup. Asynchronous Consensus without Trusted Setup or Public-Key Cryptography. In ACM CCS, 2024.

[bib.bib16] [16] Bernardo David, Peter Gazi, Aggelos Kiayias, and Alexander Russell. Ouroboros Praos: An Adaptively-Secure, Semi-synchronous Proof-of-Stake Blockchain. In Eurocrypt, 2018.

[bib.bib17] [17] Danny Dolev and Rüdiger Reischuk. Bounds on information exchange for byzantine agreement. J. ACM, 32(1):191–204, 1985. doi:10.1145/2455.214112.

[bib.bib18] [18] Matthias Fitzi, Chen-Da Liu-Zhang, and Julian Loss. A new way to achieve round-efficient byzantine agreement. In PODC. ACM, 2021. doi:10.1145/3465084.3467907.

[bib.bib19] [19] Eli Gafni and Giuliano Losa. Brief Announcement: Byzantine Consensus Under Dynamic Participation with a Well-Behaved Majority. In DISC, 2023. doi:10.4230/LIPIcs.DISC.2023.41.

[bib.bib20] [20] Juan A. Garay and Aggelos Kiayias. SoK: A Consensus Taxonomy in the Blockchain Era. In CT-RSA, 2020.

[bib.bib21] [21] Diana Ghinea, Vipul Goyal, and Chen-Da Liu-Zhang. Round-optimal byzantine agreement. In Eurocrypt, 2022.

[bib.bib22] [22] Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scaling byzantine agreements for cryptocurrencies. In SOSP, 2017.

[bib.bib23] [23] Mohammad Hajiaghayi, Dariusz R. Kowalski, and Jan Olkowski. Nearly-optimal consensus tolerating adaptive omissions: Why a lot of randomness is needed? In PODC. ACM, 2024. doi:10.1145/3662158.3662826.

[bib.bib24] [24] Alireza Kavousi, Zhipeng Wang, and Philipp Jovanovic. SoK: Public Randomness. In Euro S&P, 2024.

[bib.bib25] [25] Valerie King, Steven Lonargan, Jared Saia, and Amitabh Trehan. Load balanced scalable byzantine agreement through quorum building, with full information. In ICDCN, 2011.

[bib.bib26] [26] Valerie King and Jared Saia. Breaking the O(n ${}^{\mbox{2}}$ ) bit barrier: Scalable byzantine agreement with an adaptive adversary. J. ACM, 58(4):18:1–18:24, 2011. doi:10.1145/1989727.1989732.

[bib.bib27] [27] Marek Klonowski, Dariusz R. Kowalski, and Jaroslaw Mirek. Ordered and delayed adversaries and how to work against them on a shared channel. Distributed Comput., 32(5):379–403, 2019. doi:10.1007/S00446-018-0341-7.

[bib.bib28] [28] Leslie Lamport, Robert E. Shostak, and Marshall C. Pease. The Byzantine Generals Problem. ACM Trans. Program. Lang. Syst., 4(3):382–401, 1982. doi:10.1145/357172.357176.

[bib.bib29] [29] Arjen K. Lenstra and Benjamin Wesolowski. A random zoo: sloth, unicorn, and trx. Cryptology ePrint Archive, Paper 2015/366, 2015. URL: https://eprint.iacr.org/2015/366.

[bib.bib30] [30] Julian Loss and Gilad Stern. Zombies and ghosts: Optimal byzantine agreement in the presence of omission faults. In TCC (4), volume 14372 of Lecture Notes in Computer Science, pages 395–421. Springer, 2023. doi:10.1007/978-3-031-48624-1_15.

[bib.bib31] [31] Achour Mostéfaoui, Hamouma Moumen, and Michel Raynal. Signature-free asynchronous binary byzantine consensus with t < n/3, o(n2) messages, and O(1) expected time. J. ACM, 62(4):31:1–31:21, 2015. doi:10.1145/2785953.

[bib.bib32] [32] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. https://bitcoin.org/bitcoin.pdf, 2008.

[bib.bib33] [33] Marshall C. Pease, Robert E. Shostak, and Leslie Lamport. Reaching agreement in the presence of faults. J. ACM, 27(2):228–234, 1980. doi:10.1145/322186.322188.

[bib.bib34] [34] Michael O. Rabin. Transaction protection by beacons. Journal of Computer and System Sciences, 1983.

[bib.bib35] [35] Mayank Raikwar and Danilo Gligoroski. SoK: Decentralized randomness beacon protocols. In Australasian Conference on Information Security and Privacy, 2022.

[bib.bib36] [36] Peter Robinson, Christian Scheideler, and Alexander Setzer. Breaking the $\tilde{\Omega}(\sqrt{n})$ barrier: Fast consensus under a late adversary. In SPAA. ACM, 2018.

[bib.bib37] [37] Ewa Syta, Philipp Jovanovic, Eleftherios Kokoris Kogias, Nicolas Gailly, Linus Gasser, Ismail Khoffi, Michael J Fischer, and Bryan Ford. Scalable bias-resistant distributed randomness. In IEEE Security & Privacy, 2017.

How Much Public Randomness Do Modern Consensus Protocols Need?

Abstract

Keywords and phrases:

Copyright and License:

2012 ACM Subject Classification:

DOI:

Event:

Editors:

Series and Publisher:

1 Introduction

1.1 Our Setting

1.2 Our Results

2 Related Work

Adaptively secure consensus.

Adversary Relaxations.

Randomness beacon entropy.

3 Preliminaries

Notation.

Model.

Adversary model.

Randomness.

Authenticated Channels.

Executions.

Byzantine Agreement (𝗕𝗔).

Definition 1 (Latency).

Randomness beacon.

4 Impossibility Result

Definition 2 (Transcript).

Definition 3 (Adversary’s guess of speaking parties).

Definition 4 (Global leader unpredictability).

Lemma 5.

Proof.

Definition 6.

Theorem 7.

Proof.

Corollary 8.

Proof.

5 Possibility Results

Mobile blocking adversary.

5.1 Efficiency and Adaptive Security

Lemma 9.

Definition 10 (Commit-Adopt).

Definition 11 (Conciliator).

Observation 12.

Proof.

Lemma 13.

Proof.

Lemma 14.

Proof.

Proof.

Nakamoto Consensus.

5.2 Adaptive security and low beacon entropy

Lemma 15.

Claim 16.

Proof.

5.3 Efficiency and low beacon entropy

Lemma 17.

Observation 18.

Proof.

6 Conclusion

Implications for practice.

Extensions to other settings.

References

Byzantine Agreement ( $\mathsf{BA}$ ).