Abstract 1 Introduction 2 Model and Preliminaries 3 Warmup: PushPullFlood 4 OptimisticFlood 5 Conclusion References

Optimistic Message Dissemination

Chen-Da Liu-Zhang ORCID Lucerne University of Applied Sciences and Arts, Rotkreuz, Switzerland
Web3 Foundation, Zug, Switzerland
Christian Matt ORCID Primev, Steinhausen, Switzerland Søren Eller Thomsen ORCID Partisia, Aarhus, Denmark
Abstract

Message dissemination is a fundamental building block in distributed systems and guarantees that any message sent eventually reaches all parties. State of the art provably secure protocols for disseminating messages have a per-party communication complexity that is linear in the inverse of the fraction of parties that are guaranteed to be honest in the worst case. Unfortunately, this per-party communication complexity arises even in cases where the actual fraction of parties that behave honestly is close to 1. In this paper, we propose an optimistic message dissemination protocol that adopts to the actual conditions in which it is deployed, with optimal worst-case per-party communication complexity. Our protocol cuts the complexity of prior provably secure protocols for 49% worst-case corruption almost in half under optimistic conditions and allows practitioners to combine efficient heuristics with secure fallback mechanisms.

Keywords and phrases:
flooding, message dissemination, optimistic
Funding:
Søren Eller Thomsen: The work was partly done at The Alexandra Institute, Aarhus, Denmark.
Copyright and License:
[Uncaptioned image] © Chen-Da Liu-Zhang, Christian Matt, and Søren Eller Thomsen; licensed under Creative Commons License CC-BY 4.0
2012 ACM Subject Classification:
Networks Peer-to-peer protocols
Related Version:
Full Version: https://ia.cr/2025/1404 [26]
Funding:
This work was supported by the Ethereum Foundation, grant number FY24-1527.
Editors:
Zeta Avarikioti and Nicolas Christin

1 Introduction

1.1 Motivation

A basic task in distributed systems is to disseminate a message to all parties in the system. This is often done using a flooding protocol where a party sends the message to all its neighbors, and the neighbors in turn send the message to all their neighbors, and so on. Due to the inherent redundancy in this process, flooding protocols are robust to message loss and random failures of parties. Practical implementations of flooding protocols often optimize the dissemination latency using several heuristics, e.g., preferring to send messages to parties that are geographically closer and have lower latency [22, 35]. Such heuristic protocols, however, cannot be secure in the presence of Byzantine corruptions: For example, it is possible that all parties geographically close to some honest party are corrupted and eclipse the honest party from the network, even though the corruption fraction in the total network is small.

On the other hand, there are provably secure flooding protocols that guarantee the delivery of messages to all honest parties after a bounded number of steps as long as the overall corruption fraction is below a predetermined threshold [28, 24, 25]. The inherent downside of these protocols is that they have a higher per-party communication complexity and do not allow for heuristic optimizations. Furthermore, the per-party communication complexity of these protocols is linear in the inverse of the fraction of parties guaranteed to be honest (which was shown to be optimal in [25]), where the threshold of honest parties needs to be set a priori. This communication complexity arises even when the actual fraction of parties that behave honestly is close to 1. When deploying this type of protocols, the engineers setting the parameters are thus left choosing between a protocol that always is secure but most of the time has an excessive bandwidth usage, or choosing a protocol that is secure most of time and always has a low bandwidth.

1.2 Contributions

Consider two thresholds γbcγwc. We ask whether there is a protocol which is secure as long as at least a γwc fraction of parties behave honestly, and achieves a strictly better per-party communication complexity when the actual number of honest parties is at least γbc:

Is there flooding protocol that has optimal worst-case per-party communication complexity with at least γwc honesty-fraction, and a strictly better complexity in the optimistic case with γbc honesty-fraction?

We answer this question affirmatively by proposing a flooding protocol with two distinct features: First, our protocol has an optimistic path that is efficient when the actual fraction of honest parties is high. If the actual corruption fraction is high, our protocol employs a fall-back mechanism that guarantees the delivery of messages to all honest parties in this worst-case scenario. Secondly, the optimistic path of our protocol can be instantiated with an arbitrary flooding protocol, including those that are optimized for practical deployment. This allows practitioners to use their favorite flooding protocol together with a secure fallback mechanism. That way, we achieve the best of both worlds: Protocols that take into account practical peculiarities such as physical distance, and provably secure protocols that ensure reliable message delivery even against a Byzantine worst-case adversary.

Applicability of results.

Our constructions are built in a black-box manner from existing flooding protocols, and impose no additional assumptions on the fraction of honest parties beyond what these underlying protocols require. Additionally, we assume that all parties have access to a PKI infrastructure and access to a randomness beacon, both of which are readily available in most blockchain systems. As our protocols rely on splitting messages into multiple shares and on cryptographic techniques to guarantee the validity of these shares, our constructions are not suitable for disseminating very short messages. Hence, the protocols are better suited for disseminating blocks than individual transactions.

We assume a synchronous network with point-to-point channels between all parties. The protocol as we describe it requires this synchrony (i.e., knowledge of an upper bound on the delivery time of the point-to-point channels) to guarantee that all honest parties receive all messages in the worst case. The protocol can be slightly modified to guarantee delivery to all honest parties in all cases without synchrony, and only require synchrony to achieve better efficiency in the optimistic case at the expense of slightly more communication in the optimistic case. The protocol can thus be adapted to best suit the synchrony assumption and delivery requirements of the application it is used in.

Warm-up: Asymptotically optimal flooding.

As a first step, we present a simple protocol PushPullFlood that achieves asymptotically optimal per-party communication (but is not optimistic). Instead of only “pushing” messages to all parties, it additionally allows parties to “pull” messages from other parties that have already received the message. We will use this mechanism also in our optimistic protocol.

Theorem 1 (PushPullFlood (informal)).

Let ΠFlood be a flooding protocol and let ΠFracFlood be a flooding protocol that delivers to only a constant fraction of the honest parties. Then, PushPullFlood(ΠFlood,ΠFracFlood) makes black-box use of both protocols and is a secure flooding protocol with a per-party communication complexity for sending an l-bit message with security parameter κ proportional to that of ΠFracFlood distributing l-bit messages plus ΠFlood distributing κ-bit messages.

By instantiating ΠFlood and ΠFracFlood with appropriate protocols from [24] and [25] respectively, it follows that PushPullFlood can provide flooding with asymptotically optimal per-party communication.

Asymptotically optimal optimistic flooding.

We then strengthen the result above and present the first flooding protocol OptimisticFlood that is asymptotically-optimal in the worst-case, but also has improved efficiency in the optimistic case.

Below we use γActual to quantify the actual fraction of parties behaving honestly and state an informal version of the theorem we show for OptimisticFlood.

Theorem 2 (OptimisticFlood (informal)).

Let γbcγwc0. Further let ΠBC be a flooding protocol secure for the optimistic case γActualγbc and let ΠWC be a flooding protocol secure for the worst-case γActualγwc. Then OptimisticFlood(Πbc,Πwc) is a secure flooding protocol assuming a γwc fraction of honesty, with per-party communication complexity and delivery guarantees roughly equal to that of ΠBC in the optimistic case, and the sum of both Πbc and Πwc with small overhead in the worst-case.

A natural choice is to let both ΠBC and Πwc be instantiated with asymptotically optimal flooding protocols with a per-party communication complexity of O(lγ1) such as the one from [25] (where it was also shown that this is a lower bound). By instantiating the corresponding honesty-fraction parameters for the best case to be close to 1, e.g., γbc=0.95, our protocol shaves off almost a factor of γwc1 from the communication complexity in the optimistic case. In particular, if γwc=0.5, it cuts the per-party communication complexity almost in half in the optimistic case compared to using only the worst-case protocol.

Further note that one can also instantiate the optimistic good-case protocol with protocols that do not provide any guarantees for the safety of the overall protocol to be guaranteed. In particular, this means that algorithms not designed for Byzantine adversaries aiming to build for example minimum spanning trees such as the Plumtree algorithm [22] (as used in Ethereum [35]) may be used optimistically while still having provable worst-case fallback guarantees if the network is under attack.

1.3 Technical Overview

Overview of PushPullFlood.

At a high level, the protocol PushPullFlood works by first “pushing” a message to a large fraction of the parties and then allowing the remaining parties that may not have received the message to “pull” the message from those that have received it, similarly to the seminal work of [10]. The protocol is build modularly by being parametric in two sub protocols: 1) a flooding protocol that must ensure to push a small notification to all parties and 2) a fractional flooding protocol that must guarantee to push the message to at least a constant fraction of the honest parties. Combining these, our construction relies on three key techniques to ensure the efficiency of the pull phase:

  1. 1.

    We use a verifiable random function (VRF) to let a party prove that they are allowed to pull the message from another party, similar to [7]. That is, the pulling party will evaluate the VRF to obtain a seed and use this seed to select whom they will pull from. A party receiving such pull requests will then verify that this seed indeed was the output of the VRF to confirm the validity of the pull request. Thereby, we ensure that honest parties do not need to answer an excessive amount of malicious pull requests while still ensuring that all honest pull requests will be answered. To prevent malicious parties from choosing their VRF keys in such a way that many of them can pull from the same honest party, the VRF is evaluated on an unpredictable value obtained from a randomness beacon, which is assumed to be available to all parties.

  2. 2.

    We split the message into multiple shares using erasure correcting codes while ensuring that a constant fraction of these is sufficient to reconstruct the message, similar to [25]. By letting the answer to a pull request be such individual share, we ensure that honest parties can send sufficiently many pull requests to be certain to talk to a fraction of parties answering such pull request honestly, without allowing an adversary to exploit this to induce excessive communication.

  3. 3.

    We accompany such shares with membership proofs for a cryptographic accumulator similar to [25]. This ensures that honest parties are able to recognize which shares belong together, allowing honest parties to reconstruct efficiently.

Together, these techniques ensure that the per-party communication complexity of the pulling phase is asymptotically optimal and thereby improves the efficiency of previous protocols with a similar design. Note that while a certain message length is required for the protocol to be asymptotically optimal, the usage of erasure correcting codes and cryptographic accumulators was demonstrated to be concretely advantageous in terms of per-party communication complexity for a push-based protocol with messages of a length as small as 2 kilobytes in [25]. In addition to the cryptographic overhead, it must make sense to first send a small notification instead of the full message, so messages should be substantially larger than such a notification. Overall, the protocol is well suited for disseminating blocks in a blockchain system, where each block contains many transactions.

 Remark 3.

The use of the VRF and the randomness beacon prevent denial-of-service attacks. Often, they are dealt with on the network level by rate-limiting, blocking IP addresses, etc. There are two reasons why such methods are less effective in our setting: First, an adversary may control a large number of nodes, so even a single pull request from every malicious node could overwhelm an honest party. Secondly, a malicious pull request not only incurs incoming traffic to the targeted party, but also forces the party to actively answer the request, leading to additional outgoing communication. Therefore, such attacks are more damaging to our protocols than, e.g., in pure push-based flooding protocol. Nevertheless, if denial-of-service attacks are not a concern, e.g., in a permissioned setting with a limited number of nodes, our protocols can be simplified by omitting the usage of VRFs.

While the idea of using a push-pull based approach is not new [10, 22], to the best of the authors knowledge, this is the first time a provably secure construction with a formal security proof is presented. Additionally, it is the first time erasure correcting codes are used to obtain asymptotically optimal communication complexity in a protocol utilizing pulling.

Overview of OptimisticFlood.

We present the first optimistic flooding protocol OptimisticFlood. The protocol is also build modularly and takes two protocols as parameters: 1) A flooding protocol used for the optimistic case and 2) a flooding protocol guaranteed to work even in the worst-case. Using these two, the protocol runs in three phases:

Phase 1:

The message is sent using the optimistic case flooding protocol.

Phase 2:

The sender estimates whether the message has been received by sufficiently many honest parties by asking a committee of parties whether they have received it.

Phase 3:

Depending on the conclusion of Phase 2, one of the following steps is taken:

  • If it is concluded that sufficiently many honest parties have received the message, any party that did not receive it is allowed to pull the message from some random peers.

  • Otherwise, the sender defaults back to sending the message using the worst-case protocol.

If the protocol is executed in a setting fulfilling the optimistic conditions, then the optimistic case protocol ensures delivery to all honest parties and we set the parameters such that the adversary cannot force defaulting back to the worst-case protocol. Hence, the adversary can only induce additional complexity by pulling, which is ensured to be minimal using the same techniques as for the pull-phase of PushPullFlood.

On the other hand, if the protocol is executed in a setting not fulfilling the optimistic conditions, we do not obtain any guarantees from the optimistic case flooding protocol about how many parties receive the message. This is not a problem if the sender in Phase 3 defaults back to the worst-case protocol. However, an adversary may try to convince the sender that the optimistic protocol succeeded even though it did not. We solve this by carefully tweaking the parameters of the protocol to ensure that if the sender concludes that the protocol succeeded, then it is guaranteed that at least a fraction of the honest parties have received the message. By setting the parameters of the erasure correcting codes correspondingly, we ensure that the remaining honest parties receive the message when pulling.

1.4 Related Work

There is an extensive line of work on message dissemination and flooding protocols. While classic epidemic algorithms and gossip protocols [10, 17, 20, 21, 11] focused mainly on the crash failure setting, a recent line of work [28, 24, 25, 7] introduced flooding protocols that are resilient against byzantine adversaries. Such protocols follow graph-theoretic techniques such as [21], relying on the fact that the graph induced by the neighbor selection procedure among honest parties remains connected. Most recently [25] showed that worst-case per-party communication complexity of a flooding protocol is lower-bounded by Ω(lγActual1) where l denotes the length of the message and γActual denotes the fraction of parties remaining honest. The same work presents a protocol achieving O(lγwc1) worst-case per-party communication complexity where γwc denotes the worst-case fraction of parties remaining honest and thereby almost matches the lower-bound.

When the protocol PushPullFlood, presented in this paper, is instantiated with suitable parameters, it matches that worst-case bound. Further, the protocol OptimisticFlood instantiated with suitable parameters has a per-party communication complexity of only O(lγbc1) when γActualγbc while asymptotically matching the protocol of [25] in the worst-case (i.e., if γbc>γActualγwc). Thereby, we improve upon the state of the art for provably secure protocols when the actual fraction of honest parties is higher than in the worst-case.

In contrast to this, other lines of work that target efficiency by following heuristic approaches to minimize per-party communication complexity and latency [16, 34, 37]. A detailed overview of existing protocols can be found in [25].

To the best of our knowledge, current flooding protocols secure under Byzantine corruptions focus on the worst-case performance and do not explicitly attempt to improve the efficiency under optimistic conditions. Nevertheless, there is an extensive literature on optimistic protocols for agreement primitives.

Optimistic latency.

The work of Abraham, Nayak, Ren and Xiang [2] considers Byzantine fault-tolerant broadcast and optimizes the good-case latency, measured as the number of rounds for all honest parties to commit when the designated broadcaster is honest.

Another traditional line of work investigates protocols that have a number of rounds proportional to the actual number of corruptions f, rather than a known upper bound on the number of corruptions t. In this case, it is known that deterministic broadcast solutions have min{f+2,t+1} rounds of communication [14, 13]. A long line of works focused on feasibility results, including protocols without setup [12, 33, 36, 3, 13, 5, 18, 1], or protocols with a setup for cryptographic (pseudo-)signatures [31, 27, 9]. A different line of work optimizes the delay of each round (rather than the number of rounds), by making progress as fast as the actual network delay in an optimistic case when the number of corruptions is small [30, 23].

Optimistic communication.

The work [6] considered protocols with optimistic communication O(nf) for byzantine agreement, improving upon traditional protocols that achieved O(nt) communication.

2 Model and Preliminaries

2.1 Model

We assume a synchronous network, i.e., that all parties are connected via point-to-point channels which guarantee delivery within a known time ΔChannel. We additionally assume that the actual fraction of honest parties γActual is at least some worst-case bound on the number of honest parties γwc(0,1]. We assume that all parties have access to a PKI (public-key infrastructure). That is, all parties pi have a public key 𝚙𝚔i and a secret key 𝚜𝚔i where the former is known by all other parties. Additionally, we assume that all parties have access to a randomness beacon, which periodically generates unpredictable random values. These values are updated at regular intervals, referred to as epochs, and are accessible to all parties for both the current and past epochs. Such randomness beacons are used in many blockchain protocols, e.g., for leader election in proof-of-stake protocols [8, 15].

 Remark 4.

When one of our protocols is used to disseminate messages in a blockchain network, the functioning of the blockchain and consequently the randomness beacon and progressing epochs rely on message delivery of the flooding protocol. Since our protocols assume such a randomness beacon with access to epochs, we need to avoid circular dependencies. One way to achieve this is to upgrade an already functioning blockchain with a traditional flooding protocol to use our optimistic flooding protocol: In that case, the randomness beacon is already working and the current epoch is known. Our protocols can thus be used and are guaranteed to reliably deliver messages in the current epoch. This in turn guarantees the blockchain to progress until the next epoch, and so on.

Notation.

Let 𝙷:{0,1}{0,1}κ denote a collision-resistant hash-function and let {{a,a,b}} denote a multiset containing the elements a,a, and b. In Table 1, we summarize the notation used in this paper. Note that several symbols are used in the context of our protocols and their meaning will become clear later.

Table 1: Overview of commonly used symbols.
Symbol Meaning Symbol Meaning
𝒫 Set of all parties. γbc, γwc Best/worst case honest parties fraction.
n Number of parties, n=|𝒫|. c, T Committee size and complaint threshold.
κ Security parameter. k Number of received complaints.
l Message length in bits. η Bound on the number of pulling parties.
Δ Delivery time upper bound. ζ Erasure coding scheme.
ψ Randomness beacon value. μ, τ Number of shares and tolerated erasures.
𝚙𝚔, 𝚜𝚔 Public and secret key. s Share of erasure coding scheme.
r, π𝗏𝗋𝖿 Output and proof of VRF. α Cryptographic accumulation scheme.
γActual Actual honesty fraction. z, π𝖺𝖼𝖼 Accumulated value and proof.

2.2 Primitives

Below we define properties of flooding protocols and introduce basic primitives our protocols will use and briefly discuss how they can be instantiated.

Flooding.

We use a property-based definition of flooding as it was shown in [25] that security w.r.t. this definition implies a secure implementation of the flooding functionality in the UC framework [4]. However, unlike previous property based definitions, we include the fraction of parties that must remain honest for the delivery guarantee to apply in the definition. This allows us to capture optimistic protocols that perform better when the actual fraction of honest parties is high.

Definition 5 (Flooding).

A flooding protocol is a protocol Π executed by parties 𝒫, where each party p𝒫 can input a message at any time, and as a consequence, parties may get a message as output.

Definition 6 ((γ,Δ)-delivery).

We say that a flooding protocol Π has (γ,Δ)-delivery for γ[0,1] and Δ>0 if the following holds: When an honest party inputs a message m at time t and γActualγ, then all other honest parties output m by time t+Δ, except with probability negligible in the security parameter κ.

Additionally, we define the key metric for flooding networks most relevant for this paper namely per-party communication complexity.

Definition 7 (Per-Party Communication Complexity).

Let Π be a flooding protocol and let l be the bit-length of a message m. We say that the per-party communication complexity of the protocol Π to send a message of length l is bounded by X if for any adversary, the probability that there is an honest party sending more than X bits as a consequence of an honest sender having input m is negligible in the security parameter κ. We write 𝙿𝙿𝙲𝙲(Π,l)X to denote this.

Note that the delivery time parameter Δ is a crucial metric for flooding protocols. To keep the per-party communication asymptotically optimal and in particular independent of the number of parties n, the delivery time must grow at least logarithmically with n. Our protocols, however, introduce only a small constant overhead beyond the latency of the underlying protocols we use in a black-box manner.

Verifiable Random Function (VRF).

In our constructions, we will use a VRF to prevent corrupt parties creating excess network traffic. Below, we define an abstraction of VRF as a pair of two algorithms with the standard properties defined in [19].

Definition 8 (Verifiable Random Function).

A pair 𝚟𝚛𝚏 is a VRF if it consists of the following two algorithms:

  • 𝚟𝚛𝚏.Eval: An evaluation algorithm that takes an input i{0,1} and a secret key 𝚜𝚔 as parameters and outputs an output r and proof π𝗏𝗋𝖿.

  • 𝚟𝚛𝚏.Verify: A verification algorithm that takes an input i, an output r, a proof π𝗏𝗋𝖿, and a public key 𝚙𝚔 as parameters and outputs a boolean value b{,}.

With the following properties:

Full uniqueness:

An adversary cannot find a public key 𝚙𝚔, an input i, two different outputs r1r2, and proofs π1𝗏𝗋𝖿, π2𝗏𝗋𝖿 s.t. 𝚟𝚛𝚏.Verify(i,r1,π1𝗏𝗋𝖿)= and 𝚟𝚛𝚏.Verify(i,r2,π2𝗏𝗋𝖿)=.

Full pseudorandomness:

An adversary not knowing a secret key 𝚜𝚔 cannot distinguish the output value r of 𝚟𝚛𝚏.Eval(i,𝚜𝚔) (for any input i chosen by the adversary) from a value drawn uniformly at random without the proof π𝗏𝗋𝖿.

For simplicity, we will assume all these properties to hold throughout all our executions and disregard the negligible probability that they do not hold. Note that there exist several simple implementation of such a VRF [19].

Erasure correcting code scheme.

Our protocols will make use of erasure correcting codes. Below, we recap the definition given in [25].

Definition 9 (Erasure Correcting Code Scheme).

Let μ be the number of shares, and let τ be the number of erasures that are to be tolerated. A pair of algorithms ζ is a (μ,τ)-erasure-correcting-code-scheme (abbreviated (μ,τ)-ECCS) if it consists of two deterministic algorithms:

  • ζ.Enc: An encoding algorithm that takes a message m{0,1} and produces a sequence of shares s1,,sμ.

  • ζ.Dec: A decoding algorithm that if a sequence of shares s1,,sμ s.t. it holds for at least μτ of them that si=si and for the remaining si= is input, then the original message m is returned.

We will use the notation ζ.𝚂𝚑𝚊𝚛𝚎𝚂𝚒𝚣𝚎(l) for a function that bounds the size of each share when a message of length l is encoded.

Note that we here assume the algorithms to be deterministic, which we will exploit in our constructions. While this is not the case for all erasure correcting codes, e.g., Reed-Solomon codes [32] are deterministic. Using Reed-Solomon codes with the same encoding of messages as in [25], we obtain ζ.𝚂𝚑𝚊𝚛𝚎𝚂𝚒𝚣𝚎(l)=O(lμτ).

Weak cryptographic accumulator.

In our protocols, we will make use of a weak form of cryptographic accumulators. Below we recap the definition from [25].

Definition 10 (Weak Static Cryptographic Accumulation Scheme).

A pair of algorithms α is a weak static cryptographic accumulation scheme (abbreviated WSCAS) if it consists of two deterministic algorithms:

  • α.Accumulate({m1,,mλ}): An algorithm for accumulating a set of values {m1,,mλ}. It returns an accumulated value z and a sequence of proofs π1𝖺𝖼𝖼,,πλ𝖺𝖼𝖼 where πi𝖺𝖼𝖼 can be used to prove that mi is in the accumulated value z where each mi{0,1}.

  • α.Verify(m,π𝖺𝖼𝖼,z): A function that checks if a proof π𝖺𝖼𝖼 proves that a message m was in the set of elements used to create the accumulated value z.

With the following properties:

Completeness:

All honestly generated proofs are accepted by α.Verify.

Collision-freeness:

No polynomial-time adversary can find a set of values M{m1,,mλ}, a value mM, and a proof π𝖺𝖼𝖼 such that α.Verify(m,π𝖺𝖼𝖼,z)= for zα.Accumulate(M).

We use the notation α.𝙰𝚌𝚌𝚂𝚒𝚣𝚎 for a bound on the size of the accumulated value and α.𝙿𝚛𝚘𝚘𝚏𝚂𝚒𝚣𝚎(λ) for a function that bounds the size of each proof as a function of the number of messages accumulated λ.

Note that we here assume deterministic accumulators. Similarly to erasure correcting codes, this is needed for our constructions. One can use Merkle trees [29] to instantiate such a WSCAS, where the accumulated value is the root of the Merkle tree and the proofs are the Merkle proofs for each message. This yields an efficient deterministic scheme with

α.𝙰𝚌𝚌𝚂𝚒𝚣𝚎=O(κ)andα.𝙿𝚛𝚘𝚘𝚏𝚂𝚒𝚣𝚎(λ)=O(log(λ)κ). (1)

3 Warmup: PushPullFlood

We design a new flooding protocol based upon the push-pull paradigm from [10], by first pushing a message to a fraction of the parties and then letting the remaining parties pull the message from those that have received it. The original push-pull protocol proposed in [10] relied on periodic pulling but is unfortunately not practical in the Byzantine setting because of two issues:

  1. 1.

    The time period between pull requests must be set. If it is too low, it takes a long time before a message reaches everybody. If it is too high, a lot of excess traffic is created.

  2. 2.

    Byzantine parties may issue an excessive amount of pull request and because honest parties cannot determine whether these request are malicious, they have to answer the requests. Thereby, the bandwidth of honest parties may be exhausted.

We address Item 1 by letting our new protocol take an existing flooding protocol as a parameter and use this to notify parties that a message is being flooded. Thereby parties can simply issue pull requests when they receive such notification but no message. At first it may seem paradoxical to design a flooding protocol that is parameterized by an existing flooding protocol. However, note that the existing flooding protocol is only used to flood notifications showing that a message has been flooded, and such notifications are therefore significantly shorter than the actual message being flooded. Therefore, previous provably secure flooding protocols [28, 24] for short messages can be used to instantiate this protocol without blowing up the communication complexity of this new protocol.

A naive way to limit the number of pull requests that honest parties must answer is to have each honest party enforce a local (possibly statistical) cap on the number of requests they respond to. However, to prevent dishonest parties from exhausting this response budget – thereby blocking genuine pull requests – such limits would need to be enforced per sending party. Unfortunately, even if an honest party answers just one pull request from each other party, it would still induce a per-party communication cost of Ω(n(1γwc)), which is already too high. Instead, a partial solution to Item 2 is to use a VRF to enforce from which neighbors a party is allowed to pull a message from, similar to how connections are established in [7]. In more detail, each party uses a VRF to obtain a random seed, which is then used to deterministically sample the set of parties from which it pulls. Parties receiving pull requests can thus verify the VRF proof and ignore illegitimate pull requests. To further prevent malicious parties from biasing their VRF keys to skew the sampling, parties evaluate the VRF on an unpredictable value from the randomness beacon, which is updated every epoch.

To ensure that an honest party pulls from at least one honest party, they must be allowed to pull from at least Ω(κ) neighbors. Thus, if parties are allowed to pull the entire message from all their neighbors, adversaries can induce a communication of least Ω(κl(1γActual)n) by letting all corrupt parties pull for a message of length l from all their neighbors. To overcome this, we adapt the techniques from [25] to work for pulling instead of pushing. That is, to reduce the communication complexity of the pull phase, we let parties pull only an erasure correcting share of the original message from each neighbor. As a final ingredient and similarly to [25], we use a weak cryptographic accumulator to let honest parties recognize which shares belong together and thereby ensure that they can reconstruct the message.

We next describe our push-pull protocol for the Byzantine setting. We describe the pull step in a modular fashion, as we will reuse this step for our optimistic flooding protocol in later sections. We therefore first introduce the protocol Pull and analyze its communication complexity before presenting the protocol PushPullFlood.

3.1 Pulling

The pull-phase of the protocol has the purpose of ensuring that if a constant fraction of the parties already knows a message, then if the remaining parties begin pulling, they are all able to obtain the message with a per-communication complexity of just O(nlγwc1).

The protocol makes use of a VRF and the randomness beacon we assume to be available to all parties (see Section 2.1). We assume that the VRF keys of all parties participating in the protocol are generated independently of the current (and future) values of the randomness beacon. This means in practice, users have to register their VRF keys at least one epoch before participating in the protocol. This prevents malicious parties from repeatedly generating VRF keys to skew the probabilities in their favor.

Protocol Pull(ζ,α)

  The protocol takes the following parameters:

ζ:

An (μ,τ)-ECCS.

α:

A WSCAS.

Each party pi𝒫 keeps track of a set of shares received for a particular accumulator z, 𝚁𝚎𝚌𝚎𝚒𝚟𝚎𝚍𝚂𝚑𝚊𝚛𝚎𝚜i[z] and a set of received messages 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i.

Each party accepts the following three commands:

Pull message:

When a party pi𝒫 gets the input (Pull,h) they do the following:

  1. 1.

    Obtain random value ψ from randomness beacon for the current epoch.111We here assume for simplicity that all parties agree on what the current epoch is. In practice, this can be achieved by letting the sender of message include the epoch number ν in the message and propagate this epoch number to protocol calls, i.e., the party would in this case get the input (Pull,ν,h) instead of (Pull,h) etc.

  2. 2.

    Use 𝚟𝚛𝚏.Eval((ψ,h),𝚜𝚔i)=(r,π𝗏𝗋𝖿) to obtain a random seed r and a proof π𝗏𝗋𝖿. Use the seed to deterministically sample with replacement a multiset S={{p1,,pμ}} from 𝒫 s.t. |S|=μ, and S is distributed uniformly for uniform r.

  3. 3.

    Now, the parties in S are deterministically enumerated S={{p1,,pμ}}. For each party pjS they send (Pull,r,h,π𝗏𝗋𝖿,j) to this party.

  4. 4.

    Whenever a party pjS responds with the requested share and a proof of which accumulator it belongs to (Share,sj,π𝖺𝖼𝖼,z), pi first check that the proof π𝖺𝖼𝖼 verifies that the share si belongs to the accumulator z. If both checks pass, then pi adds si to 𝚁𝚎𝚌𝚎𝚒𝚟𝚎𝚍𝚂𝚑𝚊𝚛𝚎𝚜i[z].

  5. 5.

    When a party has received sufficiently many shares they will reconstruct the shares to get a message m which they will add to 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i.

Accept pull:

When a party pi𝒫 gets the input (AcceptPull,m) they first share the message m into shares ζ.Enc(m)=s1,,sμ. Furthermore, they obtain an accumulated value and proofs for each share and its share number z,π1𝖺𝖼𝖼,,πμ𝖺𝖼𝖼=α.Accumulate({(sj,j)1jμ}).

Afterwards, whenever, a message (Pull,r,h,π𝗏𝗋𝖿,j) is received from a party pj for the first time, then party pi checks that pj should send this message to pi. This is done by obtaining the random value ψ from randomness beacon for the current epoch, checking that 𝚟𝚛𝚏.Verify((ψ,h),r,π𝗏𝗋𝖿,𝚙𝚔j)=, and checking that pj was indeed sampled as the j’th party using the seed r. If this check passes, the party sends the accumulator and share values (Share,sj,π𝖺𝖼𝖼,z) that belong to the hash value h to party pj.

Get messages:

On input (GetMessages) to pi the party returns the set of messages they have received 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i.

We now state and prove the necessary property of this protocol.

Lemma 11.

Let δ(0,1], let ζ be an (μ,τ)-ECCS and let α be a WSCAS. For any β(0,1] and any message m, if

  1. 1.

    at least βn of the parties are honest and have input (AcceptPull,m),

  2. 2.

    the last honest party inputs (Pull,𝙷(m)) to the protocol Pull(ζ,α) at time t,

  3. 3.

    and τμ(1(1δ)β),

then the probability that some party has not received the message m by time t+2ΔChannel is less than γActualneδ2μβ2.

Proof.

Consider an honest party p that has not received (AcceptPull,m) as input. We introduce indicator random variables X1,,Xμ where Xj indicates whether the j’th party from which p requests a share is honest and has already received (AcceptPull,m) before time t. Since we assume both the erasure correcting code as well as the weak cryptographic accumulator to be deterministic, that party will in this case have generated the same shares and accumulator proofs as other parties. Therefore, p will in this case have received share j and a valid proof by time t+2ΔChannel. Further, note that if p has received at least μτ valid shares by time t+2ΔChannel, then p is able to reconstruct the original message timely by the correctness property of the ECCS and the unforgeability of the WSCAS. Therefore, by the assumption that

τμ(1(1δ)β)μτ(1δ)μβ, (2)

we have

Pr[p has not received message m by time t+2ΔChannel]Pr[j=1μXjμτ]Pr[j=1μXj(1δ)μβ]. (3)

Parties sample the μ neighbors with replacement using a random seed r obtained from the VRF given the message hash and a fresh value from the randomness beacon. Since we assume the randomness beacon produces unpredictable values, independent from the VRF keys, the Xj are computationally indistinguishable from independent and identically distributed values. We further note that, up to some negligible distinguishing advantage, the expected value of any Xj is given by E[Xj]=β, and there Chernoff implies

Pr[j=1μXj(1δ)μβ]eδ2μβ2. (4)

Noting that there are at most γActualn such parties and using a union-bound together with Equation 3, we get the desired bound

Pr[some honest party has not received message m by time t+2ΔChannel]γActualneδ2μβ2. (5)

Communication complexity of pulling.

Let us now analyze the communication complexity of the pulling protocol. We first concentrate on the communication complexity induced for a party to pull a message. For each party pulling, there will be μ pulling requests. The pulling requests will each consist of:

  1. 1.

    A tag Pull of size O(1),

  2. 2.

    the random seed from the VRF to determine whom to pull from of size O(κ),

  3. 3.

    the proof that this seed has been correctly calculated of size O(κ),

  4. 4.

    the hash of the message of size O(κ),

  5. 5.

    and the index of the requested share of size O(log(μ)).

Therefore, each such pull request will have size

O(1)+O(κ)+O(κ)+O(κ)+O(log(μ))=O(κ+log(μ)), (6)

and the total communication complexity for such pulling party will be

μO(κ+log(μ))=O(μ(κ+log(μ))). (7)

Next, let us analyze the communication complexity of responding to such valid222That is, a pull request where the attached VRF-proof proofs that the share should actually be requested from this specific party. pull requests. A response to such pulling request will consist of:

  1. 1.

    A tag Share of size O(1),

  2. 2.

    a share of size ζ.𝚂𝚑𝚊𝚛𝚎𝚂𝚒𝚣𝚎(l),

  3. 3.

    the accumulated value of all shares and indexes with size α.𝙰𝚌𝚌𝚂𝚒𝚣𝚎,

  4. 4.

    and the proof that the share is a part of the accumulator with size α.𝙿𝚛𝚘𝚘𝚏𝚂𝚒𝚣𝚎(μ).

Therefore, each such response will have size

O(1)+ζ.𝚂𝚑𝚊𝚛𝚎𝚂𝚒𝚣𝚎(l)+α.𝙰𝚌𝚌𝚂𝚒𝚣𝚎+α.𝙿𝚛𝚘𝚘𝚏𝚂𝚒𝚣𝚎(μ). (8)

The total communication complexity for a party having accepted pulls, will therefore be what is given in Equation 8 multiplied with the number of such valid pull requests the party receives.

By the pseudorandomness property of the VRF, a verifying pull requests can only be established by letting the party knowing their secret key evaluate the VRF.333To see that this follows from the pseudorandomness, consider for the sake of contradiction an adversary with a non-negligible probability of evaluating a VRF without knowing a corresponding secret key. This can be used to distinguish an output of the VRF from a uniformly random value non-negligibly by using the adversary capable of evaluating such VRF with a non-negligible probability and if the output matches the challenge, guess that it was produced by the VRF. To upper bound the per-party communication complexity let η be an upper bound on the number of secret keys that are used to evaluate the VRF for a particular message. Each VRF evaluation gives rise to μ pull requests. The outputs of each such evaluation from a secret key is guaranteed to be unique by the full uniqueness property which ensures that there are therefore at most ημ valid pull requests in total for a particular message.

For a particular party p, we introduce an indicator random variable Xi for each of the pull requests i{1,ημ} where Xi=1 if and only if the i’th of these potential pull requests targets p as a valid receiver of the pull request. As the target of a valid pull request is drawn uniformly at random among all parties (up to some negligible distance by the pseudorandomness property of the VRF and the definition of the protocol), we have for any Xi that the expected value is E[Xi]=n1 and therefore E[i=1ηnμXi]=ημn1. Further, because the sampling is done with replacement, we have as in the proof of Lemma 11 that the values Xi are indistinguishable from independent and identically distributed random variables. We can thus apply the Chernoff bound to obtain (up to negligible distance) for any δ[0,1]

Pr[i=1ηnμXi(1+δ)ημn1]eδ2ημ3n. (9)

Further, using the union bound, we can bound the probability that any party receives more pull requests than what we used in the bound above:

Pr[p receiving more than (1+δ)ημn1 pull requests]neδ2ημ3n. (10)

Letting δ be constant, we note that the probability that any party receives more than O(ημn1) valid pull requests is negligible in κ when μ3n(log(n)+κ)(δ2η)1. Hence, the per-party communication complexity for a party accepting pull requests with these parameters will be

O(ημn1(ζ.𝚂𝚑𝚊𝚛𝚎𝚂𝚒𝚣𝚎(l)+α.𝙰𝚌𝚌𝚂𝚒𝚣𝚎+α.𝙿𝚛𝚘𝚘𝚏𝚂𝚒𝚣𝚎(μ))). (11)

3.2 Push-Pull Flooding

We now present the full protocol that combines the push and pull phases. Before presenting the actual protocol, we introduce a weakened delivery guarantee, that will be used for the push-phase of the protocol.

Fractional delivery.

We here introduce a weakened version of the (γ,Δ)-delivery guarantee, namely a version where it is not required that a message is delivered to all parties, but rather only to a fraction of the parties. The idea is that we will use a protocol with this weaker delivery guarantee to spread out messages to a large fraction of the parties before the pulling phase is initiated. We dub this weakened property fractional delivery and define it formally below.

Definition 12 ((β,γ,Δ)-fractional delivery).

We say that a flooding protocol Π has (β,γ,Δ)-fractional delivery for β,γ[0,1] and Δ>0 if the following holds: When a message m is input to an honest party at time t and γActualγ, then at least a β fraction of honest parties output m by time t+Δ, except with probability negligible in the security parameter κ.

Sometimes, we will refer to a flooding protocol with this property as a fractional flooding protocol.

The idea of not delivering messages to all parties was also considered in [7].444In particular, the Fsync functionality of [7, p. 7] allows a fraction of the parties to be eclipsed in which case the delivery guarantees will not apply. However, their work builds a custom consensus protocol on top of the weaker message dissemination functionality. In contrast, our work uses the weaker property as a step towards building a flooding protocol that ensures message delivery to all parties.

Push and then pull flooding protocol.

We now present our flooding protocol that works by first making the parties push out a notification for that a message is about to arrive (the hash of the message) and push out the actual message using a fractional flooding protocol. Afterwards, all parties are allowed to pull for the message if they did not receive the message that they were notified about.

Protocol PushPullFlood(ΠFlood,ΠFracFlood,ζ,α)

  The protocol takes the following parameters:

ΠFlood:

a flooding protocol with (γwc,ΔFlood)-delivery.

ΠFracFlood:

a flooding protocol with (β,γwc,ΔFracFlood)-fractional delivery.

ζ:

A ECCS.

α:

A WSCAS.

Each party pi keeps track of a set of received messages 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i that initially is empty, and runs an instance of the protocols Pull(ζ,α), ΠFlood, and ΠFracFlood.

Each party accepts the following two commands:

Send:

When party pi receives input (Send,m) they:

  1. 1.

    Send a hash of the message (Hash,𝙷(m)) to all parties using ΠFlood.

  2. 2.

    Send the message using ΠFracFlood.

  3. 3.

    Add m to 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i

  4. 4.

    Input (AcceptPull,m) to Pull(ζ,α).

Get messages:

On input (GetMessages) to pi the party returns the set of messages they have received 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i.

Additionally, at all times the parties do the following:

  1. 1.

    Whenever a party pi receives message h in the protocol ΠFlood, the party notes down the time t. If there is no message m𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i s.t. 𝙷(m)=h at time t+ΔFracFlood, then they issue (Pull,h) to Pull(ζ,α).

  2. 2.

    Whenever a party pi receives a message m in the protocol ΠFracFlood, they add m to 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i and input (AcceptPull,m) to Pull(ζ,α).

  3. 3.

    Whenever a party pi receives a message m in Pull(ζ,α), they add m to 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i.

Below, we state and prove the security of PushPullFlood.

Theorem 13.

Let μ,τ,ΔFlood,ΔFracFlood, let β,δ(0,1], and let α be a WSCAS. If

  1. 1.

    ΠFlood ensures (γwc,ΔFlood)-delivery,

  2. 2.

    ΠFracFlood ensures (β,γwc,ΔFracFlood)-fractional delivery,

  3. 3.

    and ζ is a (μ,τ)-ECCS with

    1. (a)

      μ2(log(n)+κ)(βγwcδ2)1 and

    2. (b)

      τμ(1(1δ)βγwc),

then PushPullFlood(ΠFlood,ΠFracFlood,ζ,α) ensures (γwc,ΔFlood+ΔFracFlood+2ΔChannel)-delivery.

Proof.

Assume there are at least γwcn honest parties and let m be a message input to some honest party at time t. We let

  • A be the event that all honest parties have received m by time ΔFlood+ΔFracFlood+2ΔChannel,

  • B be the event that all honest parties have received 𝙷(m) by time t+ΔFlood,

  • and let C be the event that at least a β fraction of the honest parties have received m by time t+ΔFracFlood.

By the law of total probability and the assumptions on ΠFlood and ΠFracFlood, we have that

Pr[A]Pr[ABC]Pr[BC]Pr[ABC](1negl(κ)). (12)

Further, as Pr[ABC]=1Pr[¬ABC], it is sufficient to prove that Pr[¬ABC]negl(κ). Note that C ensures that a β fraction of the honest parties, i.e., at least a fraction ββγwc, has received m in the protocol ΠFracFlood by time t+ΔFracFlood, and thus has input (AcceptPull,m) to Pull(ζ,α) by then. Further note that B ensures that by time t+ΔFlood+ΔFracFlood, all honest parties either have received m or have input (Pull,𝙷(m)) to Pull(ζ,α). Finally note that we have τμ(1(1δ)β) by assumption. Hence, the preconditions for Lemma 11 are fulfilled, which gives us that:

Pr[¬ABC]γActualneδ2μβγwc2nelog(n)+κ2negl(κ). (13)

Communication complexity of pushing and pulling.

In the full version [26], we show that the per-party communication complexity of PushPullFlood is bounded by

𝙿𝙿𝙲𝙲(PushPullFlood(ΠFlood,ΠFracFlood,ζ,α),l)𝙿𝙿𝙲𝙲(ΠFlood,κ)+𝙿𝙿𝙲𝙲(ΠFracFlood,l)+O~(l(βγwc)1+κ2(βγwc)1). (14)

This implies that the protocol is asymptotically optimal for messages of length l=Ω~(κ2(βγwc)1) for appropriate instantiations of the underlying protocols.

4 OptimisticFlood

In this section, we present our optimistic flooding protocol OptimisticFlood that has an optimistic path such that under certain conditions it is guaranteed to have a communication complexity that is much lower than in worst-case scenarios.

4.1 Protocol

Protocol intuition.

Our protocol is parameterized by two flooding protocols: 1) a best-case flooding protocol that only works if some best-case conditions are fulfilled, 2) a worst-case flooding protocol that is ensured to work in all remaining cases. The best-case conditions will be that at least a fraction γbc of the parties remain honest throughout the execution.

A first skeleton of an optimistic flooding protocol relying on two such existing flooding protocols could look like the following:

  1. 1.

    Run a best-case protocol to disseminate the actual message.

  2. 2.

    Check if the best-case protocol succeeds. If not, default to sending the entire message using the worst-case protocol.

While the skeleton reads fairly straightforward, it is easier said than done to reliably detect if the best-case protocol fails while still tolerating a small fraction of corrupted parties. Because flooding protocols only ensure the delivery of the message when the initial sender is honest, a first step towards this could be to let the initial sender ask all parties if they have received the message. We refer to a party reporting that they have not received the message as a complaint. Based on the answers given by the parties, a decision must be taken on whether we default back to use the worst-case flooding protocol and use this to send the entire message. The decision procedure and the following actions should account for the following two cases depending on the actual fraction of parties being honest γActual:

γbcγActual:

In this case, the best-case protocol is guaranteed to deliver the message to all honest parties and therefore the worst-case protocol should not be executed, independently of the actions of the malicious parties. In particular, these up to n(1γbc) malicious parties may complain about not having received the message even though they have.

γwcγActual<γbc:

In this case, we have no guarantees from the best-case flooding protocol about how many parties have received the message and the adversary can choose this arbitrarily (by delivering the message to specific parties). In particular, it may be that the adversary does not deliver the message to n(1γbc) parties.

Note that from the sender’s point of view, it will be impossible to distinguish which of the two above cases they are in as an adversary can make the views appear exactly the same for the sender. So how do we ensure that n(1γbc) parties cannot force the execution of the worst-case protocol in the first case while ensuring that all honest parties receive the message in the second case?

To balance this we introduce a subsequent pull-phase in case we decide that the best-case protocol “succeeded” allowing parties not having received the message to pull similar to the pull-phase from the protocol PushPullFlood presented in Section 3. That is, instead of requiring that no honest party complains to conclude a success, we only require that not more than a fraction of the parties complain in order to conclude that the best-case protocol succeeded. Concretely, we introduce a threshold T for how many complaints we will accept and still conclude that the best-case protocol “succeeded”. We will set this threshold such that (1γbc)n parties cannot produce enough complaints to conclude that the protocol failed if it did not, but still it should ensure that a sufficient fraction of the honest parties have received the message to ensure that pull requests will be responded to appropriately. Thereby, we can use the protocol Pull without prohibitively high communication.

What is left is only to combat the impracticality of letting the sender ask all parties. We do this by letting the sender sample a subset of the parties and ask this subset of parties about whether or not they have received the message. This allows the sender to statistically conclude whether or not the best-case protocol succeeded.

Protocol description.

Below, we present our protocol for optimistic flooding.

Protocol OptimisticFlood(Πbc,Πwc,c,T,ζ,α)

  The protocol has the following parameters:

Πbc:

A flooding protocol that should work in the best-case ensuring delivery within ΔBC time when at least a γbc fraction of the parties remains honest.

Πwc:

A flooding protocol that should work in the worst-case ensuring delivery within ΔWC time when at least a γwc fraction of the parties remains honest.

c:

The size of the subset the sender should ask for complaints.

T:

A threshold that decides how many complaints are acceptable.

ζ:

A ECCS.

α:

A WSCAS.

Each party pi keeps track of a set of received messages 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i that initially is empty, and runs an instance of the protocols Pull(ζ,α), ΠFlood, and ΠFracFlood.

Send:

When a party s receives input (Send,m) they do the following:

  1. 1.

    The sender s sends (Message,m) to all parties using Πbc. We let the time that this happens be denoted tInit.

  2. 2.

    At time tInit+ΔBC555This timing ensures that the best-case protocol have had sufficient time to deliver the message. the sender uniformly at random (with repetition) samples a committee of parties C={p1,,pc}𝒫. For each party pC the sender sends a direct message using an authenticated channel (Received?,𝙷(m),tInit+ΔBC).

  3. 3.

    At time tInit+ΔBC+2ΔChannel666At this time it is ensured that all honest parties’ complaints have reached the sender., the sender counts how many unique complaints they have received from valid committee members for 𝙷(m). We let the count be denoted by k, and based on this the sender does one of following two things:

    1. (a)

      If k>T, then the sender sends the original message (Message,m) to all parties using Πwc.

    2. (b)

      Otherwise if kT, the sender initializes a pull-phase by signing and sending (PullPhaseBegun,𝙷(m)) to all parties using Πwc.

Get messages:

On input (GetMessages) to pi, the party returns the set of messages they have received 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i.

Additionally, at all times the parties do the following:

  • When party pi receives a message (Received?,h,t) over an authenticated channel from a party s, the party checks if there is any message m𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i s.t. 𝙷(m)=h which has been received before time t.777Note that it is necessary to require that the message have been received before time t to ensure that the number of complaints from the set of parties sampled accurately reflects the share of parties that have actually received the message. If this condition was not enforced, an adversary could choose to deliver the message to all the parties part of the committee once the sender sends the Received?-message to them. If no such message exists, then they send (Complaint,h) to s over the authenticated channel.

  • When a party pi receives (PullPhaseBegun,h) over Πwc at time t they do the following:

    1. 1.

      If there is any message m𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i s.t. 𝙷(m)=h, then they input (AcceptPull,m) to Pull(ζ,α).

    2. 2.

      Otherwise, if no such message exists, then they input (Pull,h) to Pull(ζ,α) at time t+ΔWC.888The reason that the party does not immediately input the message to the pull protocol, is that it must be ensured that sufficiently many parties have already input an accept of the message to the pulling protocol.

  • When party pi receives a message m in either the best-case protocol, the worst-case protocol or the pulling protocol, they add it to 𝙼𝚎𝚜𝚜𝚊𝚐𝚎𝚜i and store the time they received it together with the message.

Note that for the provably secure protocols, we often have ΔBC,ΔWC=O(log(n)ΔChannel). Hence, the direct communication steps that happen using a channel are comparatively “cheap” time-wise.

It is also worth noting that instead of using just two different flooding protocols, one could consider using three different protocols. A natural example of this would be to use one worst-case protocol for short messages (notifications), one worst-case protocol for long-messages, and one best-case protocol for long messages.

The described version of the protocol requires a synchrony assumption on the channels for safety (i.e., guaranteeing message delivery) in the worst case to ensure that sufficiently many complaints reach the sender in time. In the optimistic case, it does not require synchrony. However, if we instead changed the protocol to require a certain number of “confirmations” from parties having received the message instead of complaints, the protocol would achieve safety without relying on synchrony. On the other, it would still only achieve the best-case communication complexity under synchronous conditions and require slightly more communication in the optimistic case to send the confirmations. This allows fine-tuning the protocol for the specific settings it is deployed in.

4.2 Correctness and Communication Complexity

In this section, we prove the correctness of the protocol OptimisticFlood under relevant conditions and analyze its communication complexity. We start out by stating that if the actual fraction honest parties γActual is bigger than the best-case threshold γbc, then for certain parameters, we achieve the delivery guarantees of the best-case protocol.

Lemma 14 (Best-case correctness).

Let c be the size of the committee, T be the complaint threshold, Πwc a protocol, ζ a ECCS, α be a WSCAS, and δ(0,1]. If

  1. 1.

    Πbc has (γbc,ΔBC)-delivery

  2. 2.

    and T(1+δ)(1γbc)c

then OptimisticFlood(Πbc,Πwc,c,T,ζ,α) has (γbc,ΔBC)-delivery and if γActualγbc and the sender is honest, then the probability that Item 3a is activated is less than eδ2(1γbc)c3.

The intuition for Item 2 is that it corresponds to requiring that under best-case conditions, the threshold for the number of complaints is set sufficiently large such that only dishonest parties in the committee cannot make the sender default back to using the worst-case protocol. We now proceed with the proof.

Proof.

We note that because the entire message is immediately input to Πbc, the delivery guarantees for Πbc directly apply and hence OptimisticFlood(Πbc,Πwc,c,T,ζ,α) has (γbc,ΔBC)-delivery.

We now bound the probability that Item 3a is activated for an honest sender. Let the time that the honest sender sends a message m be denoted tInit and note that by the above, all honest parties have received the message at time tInit+ΔBC. Hence, no honest party will send back (Complaint,𝙷(m)) to the sender. It is therefore sufficient to show that the number of corrupted parties in the committee is at most T with overwhelming probability.

To do so, we let X1,,Xc denote indicator variables s.t. Xi=1 if and only if party pi of the committee C in Item 2 is corrupted and note that for the actual number of complaints k, it holds that i=1cXik. Further, note that

E[i=1cXi]=(1γActual)c(1γbc)c, (15)

and that the variables are identically and independently distributed as the honest sender samples the committee at random with repetition. Hence, using the Chernoff bound, we conclude that

Pr[i=1cXi(1+δ)(1γbc)c]eδ2(1γbc)c3. (16)

Therefore, by Item 2, we have Pr[k>T]eδ2(1γbc)c3.

Next, we state that when the parameters of the protocol are instantiated carefully, then the protocol also ensures delivery assuming just the worst-case bound on the number of honest parties. It is worth noting that the theorem only makes assumptions about the worst-case protocol. Hence, message delivery is ensured independently of which best-case protocol is deployed. In particular, this allows to use protocols that based on for example heuristics about practice.

Lemma 15 (Worst-case correctness).

Let τ,μ,T,c, let Πbc be a protocol, let α be a WSCAS, and let δ1,δ2,β(0,1]. If

  1. 1.

    Πwc has (γwc,ΔWC)-delivery,

  2. 2.

    T(1δ1)(γwcβ)c,

  3. 3.

    μ2(log(n)+κ)(βδ22)1,

  4. 4.

    cκδ12(γwcβ),

  5. 5.

    τμ(1(1δ2)β),

  6. 6.

    and ζ is a (μ,τ)-ECCS,

then OptimisticFlood(Πbc,Πwc,c,T,ζ,α) has (γwc,ΔBC+4ΔChannel+2ΔWC)-delivery. Further, if the sender is honest, then the probability that there are less than βn honest parties that have received the message and Item 3b is activated is negligible in κ.

The intuition for β is that it corresponds to a threshold for the fraction of parties that are honest and must have had the message delivered in case the sender does not receive sufficiently many complaints to default back to the worst-case protocol.

Proof.

Let s be an honest sender that sends a message m at time tInit. Further, let θ[0,γActual] be the fraction of parties that are honest and have received the message m at time tInit+ΔBC. Because we have no guarantees about how the best-case protocol performs assuming only γActualγwc, we have no guarantees about the value of θ. Instead, we make a case distinction whether θ>β or not:

𝜽>𝜷:

For this case, we again make a case distinction based upon whether or not the actual number of complaints collected by the sender k is above the threshold T:

𝒌>𝑻:

In this case the sender will enter Item 3a at time tInit+ΔBC+2ΔChannel and flood the entire message using the worst-case protocol Πwc. Hence, by Item 1, it is guaranteed that with overwhelming probability, all parties have learned the message at the latest at time tInit+ΔBC+2ΔChannel+ΔWC.

𝒌𝑻:

In this case the sender enters Item 3b at time tInit+ΔBC+2ΔChannel. Hence, the delivery guarantees of the worst-case flooding protocol Πwc ensures that with overwhelming probability, all parties will have received (PullPhaseBegun,𝙷(m)) before time tInit+ΔBC+2ΔChannel+ΔWC. Now, this implies that more than βn parties are honest and have input (AcceptPull,𝙷(m)) to Pull(ζ,α) by this time. Furthermore, it is guaranteed that all remaining honest parties will have input (Pull,𝙷(m)) before time tInit+ΔBC+2ΔChannel+2ΔWC. Additionally, Items 5 and 6 ensure that the final precondition for Lemma 11 is fulfilled. Hence, using Item 3, the probability that at time tInit+ΔBC+4ΔChannel+2ΔWC, there is some party who has not received the message is less than

γActualneδ22μβ2neδ22μβ2nelog(n)+κ2negl(κ). (17)
𝜽𝜷:

First, note (similarly to the previous case) that if for the actual number of complaints k it holds that k>T, then the sender enters Item 3a in which case the probability that all parties have received the message at time tInit+ΔBC+2ΔChannel+ΔWC is overwhelming in the security parameter (by Item 1). Therefore, it is sufficient to show that the probability that kT is negligible in the security parameter. To show this, let X1,,Xc be indicator variables s.t. Xi indicates if the committee member i is honest and has not received the message by time tInit+ΔBC. Now, note that any honest party that is part of the committee and has not received the message by time tInit+ΔBC will send (Complaint,𝙷(m)) at latest at time tInit+ΔBC+ΔChannel, which means that the sender will receive it at most ΔChannel time later. Hence, we have that i=1cXik. By Item 2, it is therefore to sufficient to show that

Pr[i=1cXi(1δ1)(γwcβ)c]negl(κ). (18)

Now note that for any i

Pr[Xi=1]=γActualθγwcθγwcβ. (19)

Hence, we have E[i=1cXi](γwcβ)c. Further, because the sampling of the committee is done with replacement, we can apply the Chernoff bound, which when using cκδ12(γwcβ) (Item 4) gives us:

Pr[i=1cXi(1δ1)(γwcβ)c]eδ12(γwcβ)c2eκ2negl(κ). (20)

Hence, the total failure probability will be bounded by the three negligible probabilities from above. Therefore, with overwhelming probability all parties will have received the message before time tInit+ΔBC+4ΔChannel+2ΔWC. Finally, combining Lemmas 14 and 15, we can conclude that for suitable parameters the protocol OptimisticFlood performs well in both the best-case and the worst-case.

Corollary 16.

Let τ,T,c be the size of the committee, let T be the complaint threshold, let α be a WSCAS, and let δ1,δ2,β,δ(0,1]. If

  1. 1.

    Πbc has (γbc,ΔBC)-delivery,

  2. 2.

    Πwc has (γwc,ΔWC)-delivery,

  3. 3.

    T(1+δ)(1γbc)c

  4. 4.

    T(1δ1)(γwcβ)c,

  5. 5.

    μ2(log(n)+κ)(βδ22)1,

  6. 6.

    cκδ12(γwcβ)

  7. 7.

    τμ(1(1δ2)β),

  8. 8.

    and ζ is a (μ,τ)-ECCS,

then OptimisticFlood(Πbc,Πwc,c,T,ζ,α) has both (γbc,ΔBC)-delivery and (γwc,ΔBC+4ΔChannel+2ΔWC)-delivery. Additionally, when γActualγbc, then the probability that Item 3a is activated for an honest sender is less than eδ2(1γbc)c3.

Finally, we state the per-party communication of OptimisticFlood. Due to space constraints we postpone the analysis to the full version [26].

Theorem 17.

Let OptimisticFlood(Πbc,Πwc,c,T,ζ,α) be instantiated with variables as stated in Corollary 16 while minimizing the communication complexity, let α be a implemented by a merkle tree, and let ζ be a (μ,τ)-ECCS be implemented with Reed-Solomon codes.

If γActualγbc, then

𝙿𝙿𝙲𝙲(OptimisticFlood(Πbc,Πwc,c,T,ζ,α),l)𝙿𝙿𝙲𝙲(Πbc,l)+𝙿𝙿𝙲𝙲(Πwc,κ)+O~(l+κ2γwc1), (21)

Further, if γActualγwc, then

𝙿𝙿𝙲𝙲(OptimisticFlood(Πbc,Πwc,c,T,ζ,α),l)𝙿𝙿𝙲𝙲(Πbc,l)+𝙿𝙿𝙲𝙲(Πwc,l)+O~(lγwc1+κ2γwc1). (22)

For the best-case, we emphasize that there is only an asymptotic overhead compared to running only the best-case protocol that is directly linear in the message length for messages of length l=Ω~(κ2γwc1). Hence, as noticed in Section 1.2, this allows the protocol to shave off a factor of γwc when instantiated with asymptotically optimal flooding protocols.

Finally, we note that this protocol is also optimistically responsive in the network delay if the best case protocol is optimistically responsive. I.e. if there is a high fraction of honest parties, then OptimisticFlood propagates the message with the actual delivery time of the best-case protocol.

5 Conclusion

In this work, we presented two new protocols for message dissemination based on a push-pull mechanism. Both are asymptotically optimal in terms of per-party communication complexity. The protocol OptimisticFlood has an even better communication complexity in the best-case, where the fraction of honest parties is high. Furthermore, OptimisticFlood is designed modularly such that it remains provably secure when instantiated with a heuristically optimized best-case protocol with high practical efficiency. This improves the state of the art in theoretical research on message dissemination protocols and at the same time provides a protocol with practical efficiency gains.

References

  • [1] Ittai Abraham and Danny Dolev. Byzantine agreement with optimal early stopping, optimal resilience and polynomial complexity. In Rocco A. Servedio and Ronitt Rubinfeld, editors, 47th ACM STOC, pages 605–614. ACM Press, June 2015. doi:10.1145/2746539.2746581.
  • [2] Ittai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang. Good-case latency of byzantine broadcast: a complete categorization. In Avery Miller, Keren Censor-Hillel, and Janne H. Korhonen, editors, 40th ACM PODC, pages 331–341. ACM, July 2021. doi:10.1145/3465084.3467899.
  • [3] Piotr Berman, Juan A Garay, and Kenneth J Perry. Optimal early stopping in distributed consensus. In Distributed Algorithms: 6th International Workshop, WDAG’92 Haifa, Israel, November 2–4, 1992 Proceedings 6, pages 221–237. Springer, 1992.
  • [4] Ran Canetti. Universally composable security. J. ACM, 67(5):28:1–28:94, 2020. doi:10.1145/3402457.
  • [5] Brian A Coan. Efficient agreement using fault diagnosis. Distributed computing, 7:87–98, 1993. doi:10.1007/BF02280838.
  • [6] Shir Cohen, Idit Keidar, and Alexander Spiegelman. Make Every Word Count: Adaptive Byzantine Agreement with Fewer Words. In Eshcar Hillel, Roberto Palmieri, and Etienne Rivière, editors, 26th International Conference on Principles of Distributed Systems (OPODIS 2022), volume 253 of Leibniz International Proceedings in Informatics (LIPIcs), pages 18:1–18:21, Dagstuhl, Germany, 2023. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.OPODIS.2022.18.
  • [7] Sandro Coretti, Aggelos Kiayias, Cristopher Moore, and Alexander Russell. The generals’ scuttlebutt: Byzantine-resilient gossip protocols. In Heng Yin, Angelos Stavrou, Cas Cremers, and Elaine Shi, editors, ACM CCS 2022, pages 595–608. ACM Press, November 2022. doi:10.1145/3548606.3560638.
  • [8] Bernardo David, Peter Gazi, Aggelos Kiayias, and Alexander Russell. Ouroboros praos: An adaptively-secure, semi-synchronous proof-of-stake blockchain. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS, pages 66–98. Springer, Cham, April / May 2018. doi:10.1007/978-3-319-78375-8_3.
  • [9] Giovanni Deligios, Ivana Klasovita, and Chen-Da Liu-Zhang. Optimal early termination for dishonest majority broadcast. Cryptology ePrint Archive, Report 2024/1656, 2024. URL: https://eprint.iacr.org/2024/1656.
  • [10] Alan J. Demers, Daniel H. Greene, Carl Hauser, Wes Irish, John Larson, Scott Shenker, Howard E. Sturgis, Daniel C. Swinehart, and Douglas B. Terry. Epidemic algorithms for replicated database maintenance. In Fred B. Schneider, editor, 6th ACM PODC, pages 1–12. ACM, August 1987. doi:10.1145/41840.41841.
  • [11] Benjamin Doerr and Mahmoud Fouz. Asymptotically optimal randomized rumor spreading. In Luca Aceto, Monika Henzinger, and Jiri Sgall, editors, ICALP 2011, Part II, volume 6756 of LNCS, pages 502–513. Springer, Berlin, Heidelberg, July 2011. doi:10.1007/978-3-642-22012-8_40.
  • [12] Danny Dolev, Rüdiger Reischuk, and H. Raymond Strong. ‘Eventual’ is earlier than ‘Immediate’. In 23rd FOCS, pages 196–203. IEEE Computer Society Press, November 1982. doi:10.1109/SFCS.1982.51.
  • [13] Danny Dolev, Ruediger Reischuk, and H Raymond Strong. Early stopping in byzantine agreement. Journal of the ACM (JACM), 37(4):720–741, 1990. doi:10.1145/96559.96565.
  • [14] Danny Dolev and H. Raymond Strong. Authenticated algorithms for byzantine agreement. SIAM Journal on Computing, 12(4):656–666, 1983. doi:10.1137/0212045.
  • [15] Ben Edgington. Upgrading ethereum: 2.9.2 randomness, 2025. URL: https://eth2book.info/capella/part2/building_blocks/randomness/.
  • [16] Muntadher Fadhil, Gareth Owenson, and Mo Adda. A bitcoin model for evaluation of clustering to improve propagation delay in bitcoin network. In 2016 IEEE Intl Conference on Computational Science and Engineering (CSE) and IEEE Intl Conference on Embedded and Ubiquitous Computing (EUC) and 15th Intl Symposium on Distributed Computing and Applications for Business Engineering (DCABES), pages 468–475, 2016. doi:10.1109/CSE-EUC-DCABES.2016.226.
  • [17] Uriel Feige, David Peleg, Prabhakar Raghavan, and Eli Upfal. Randomized broadcast in networks. Random Structures & Algorithms, 1(4):447–460, 1990. doi:10.1002/RSA.3240010406.
  • [18] Juan A Garay and Yoram Moses. Fully polynomial byzantine agreement for n> 3 t processors in t+ 1 rounds. SIAM Journal on Computing, 27(1):247–290, 1998. doi:10.1137/S0097539794265232.
  • [19] Sharon Goldberg, Leonid Reyzin, Dimitrios Papadopoulos, and Jan Včelák. Verifiable Random Functions (VRFs). RFC 9381, August 2023. doi:10.17487/RFC9381.
  • [20] Richard M. Karp, Christian Schindelhauer, Scott Shenker, and Berthold Vöcking. Randomized rumor spreading. In 41st FOCS, pages 565–574. IEEE Computer Society Press, November 2000. doi:10.1109/SFCS.2000.892324.
  • [21] Anne-Marie Kermarrec, Laurent Massoulié, and Ayalvadi J. Ganesh. Probabilistic reliable dissemination in large-scale systems. IEEE Trans. Parallel Distributed Syst., 14(3):248–258, 2003. doi:10.1109/TPDS.2003.1189583.
  • [22] João Leitão, José Pereira, and LuÍs Rodrigues. Gossip-Based Broadcast, pages 831–860. Springer US, Boston, MA, 2010. doi:10.1007/978-0-387-09751-0_29.
  • [23] Chen-Da Liu-Zhang, Julian Loss, Ueli Maurer, Tal Moran, and Daniel Tschudi. MPC with synchronous security and asynchronous responsiveness. In Shiho Moriai and Huaxiong Wang, editors, ASIACRYPT 2020, Part III, volume 12493 of LNCS, pages 92–119. Springer, Cham, December 2020. doi:10.1007/978-3-030-64840-4_4.
  • [24] Chen-Da Liu-Zhang, Christian Matt, Ueli Maurer, Guilherme Rito, and Søren Eller Thomsen. Practical provably secure flooding for blockchains. In Shweta Agrawal and Dongdai Lin, editors, ASIACRYPT 2022, Part I, volume 13791 of LNCS, pages 774–805. Springer, Cham, December 2022. doi:10.1007/978-3-031-22963-3_26.
  • [25] Chen-Da Liu-Zhang, Christian Matt, and Søren Eller Thomsen. Asymptotically optimal message dissemination with applications to blockchains. In Marc Joye and Gregor Leander, editors, EUROCRYPT 2024, Part III, volume 14653 of LNCS, pages 64–95. Springer, Cham, May 2024. doi:10.1007/978-3-031-58734-4_3.
  • [26] Chen-Da Liu-Zhang, Christian Matt, and Søren Eller Thomsen. Optimistic message dissemination. Cryptology ePrint Archive, Paper 2025/1404, 2025. URL: https://eprint.iacr.org/2025/1404.
  • [27] Julian Loss and Jesper Buus Nielsen. Early stopping for any number of corruptions. In Marc Joye and Gregor Leander, editors, EUROCRYPT 2024, Part III, volume 14653 of LNCS, pages 457–488. Springer, Cham, May 2024. doi:10.1007/978-3-031-58734-4_16.
  • [28] Christian Matt, Jesper Buus Nielsen, and Søren Eller Thomsen. Formalizing delayed adaptive corruptions and the security of flooding networks. In Yevgeniy Dodis and Thomas Shrimpton, editors, CRYPTO 2022, Part II, volume 13508 of LNCS, pages 400–430. Springer, Cham, August 2022. doi:10.1007/978-3-031-15979-4_14.
  • [29] Ralph C. Merkle. A certified digital signature. In Gilles Brassard, editor, CRYPTO’89, volume 435 of LNCS, pages 218–238. Springer, New York, August 1990. doi:10.1007/0-387-34805-0_21.
  • [30] Rafael Pass and Elaine Shi. Thunderella: Blockchains with optimistic instant confirmation. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS, pages 3–33. Springer, Cham, April / May 2018. doi:10.1007/978-3-319-78375-8_1.
  • [31] Kenneth J Perry and Sam Toueg. An authenticated byzantine generals algorithm with early stopping. Technical report, Cornell University, 1984.
  • [32] I. S. Reed and G. Solomon. Polynomial codes over certain finite fields. Journal of the Society for Industrial and Applied Mathematics, 8(2):300–304, 1960. doi:10.1137/0108018.
  • [33] Rüdiger Reischuk. A new solution for the byzantine generals problem. Information and Control, 64(1-3):23–42, 1985. doi:10.1016/S0019-9958(85)80042-5.
  • [34] Elias Rohrer and Florian Tschorsch. Kadcast: A structured approach to broadcast in blockchain networks. In AFT, pages 199–213. ACM, 2019. doi:10.1145/3318041.3355469.
  • [35] Louis Thibault and Dan Marzec. The hitchhiker’s guide to p2p overlays in ethereum, 2023. Accessed: 2024-10-18. URL: https://hackmd.io/@dmarz/ethereum_overlays.
  • [36] Sam Toueg, Kenneth J Perry, and TK Srikanth. Fast distributed agreement. SIAM Journal on Computing, 16(3):445–457, 1987. doi:10.1137/0216031.
  • [37] Huy Vu and Hitesh Tewari. An efficient peer-to-peer bitcoin protocol with probabilistic flooding. In Mahdi H. Miraz, Peter S. Excell, Andrew Ware, Safeeullah Soomro, and Maaruf Ali, editors, Emerging Technologies in Computing, pages 29–45, Cham, 2019. Springer International Publishing.