Open Questions. Our results leave open several interesting questions for follow-up work.

Our constructions of SRDS offer a trade-off between cryptographic assumptions and setup assumptions (indeed, our lower bound indicates that some form of private-coin setup is needed). Is it possible to get the best of both, i.e., construct SRDS with bulletin-board PKI under standard, falsifiable assumptions? This in turn would imply Õ(1)-balanced BA from the corresponding computational assumption and setup. Alternatively, does SRDS in a weak setup model require strong computational assumptions: For example, do SRDS with bulletin-board PKI imply some kind of succinct non-interactive arguments (SNARGs)?

Taking a step back: Is it possible to achieve Õ(1)-balanced BA unconditionally? While our SRDS-based approach inherently makes use of computational assumptions (and our lower bound implies this necessity for a one-shot boost from almost-everywhere to everywhere agreement in the PKI model), this leaves open the possibility of removing cryptography via an alternative approach.

Can one further extend the lower bound in this work, identifying a minimal required round complexity for generically converting from almost-everywhere to everywhere agreement within various setup models?

In the Õ(1)-amortized BA setting, known constructions consider stronger security models. Namely, the protocol in ▇▇▇▇▇-▇▇▇▇▇▇▇ et al. [19] is secure against static corruptions (similarly to our protocols); however, no trusted setup assumptions are required. The protocol of ▇▇▇▇▇▇▇ et al. [1] guarantees security against adaptive corruptions; however, it requires a trusted PKI assumption. On the contrary, the protocol of King and Saia [64] does not require setup assumptions and is resilient to adaptive corruptions, but it provides suboptimal total communication Õ(n√n). It is very interesting to explore if Õ(1)-balanced BA can be achieved without setup or in the adaptive setting.

Regarding the communication model, the vast majority of sub-quadratic BA protocols are defined in the synchronous model. In the asynchronous setting, unbalanced sub-quadratic BA in the trusted PKI model was recently proposed [35]. We note that balanced sub-quadratic BA is not known even in the partially synchronous model. An interesting question is to expand our techniques beyond the synchronous realm.

Finally, all known BA protocols with o(n²) total communication follow either the approach of ▇▇▇▇ et al. [65] or of ▇▇▇▇ and ▇▇▇▇▇▇ [29], both of which are based on electing a polylog-size committee. As such, these protocols only support a non-optimal constant fraction of corruptions. Is it possible to achieve o(n²) total communication while tolerating the optimal number of corruptions t < n/2?

In Section 2, we provide basic definitions. SRDS are defined in Section 3. Our BA protocol and the lower bounds appear in Section 4. Section 5 presents two constructions of SRDS, and in Section 6, we explore the connection of SRDS based on multi-signatures to succinct non-interactive arguments. Some of the definitions and proofs are deferred to the appendix.
Appears in 1 contract
Sources: Byzantine Agreement