Common use of Technical Overview Clause in Contracts

Technical Overview. We now proceed to present our results in greater detail. The primitive—succinctly reconstructed distributed signatures (SRDS)—is a new type of distributed signature scheme, with a natural motivation: allowing a set of parties to jointly produce a signature on some message m, which can serve as a succinct certificate for proving that a majority of the parties agree on m. Interestingly, this task does not seem to be attained by existing distributed signature notions, such as multi-signatures [60], aggregate signatures [12], or threshold signatures [43]. For example, while multi-signatures (and, similarly, aggregate signatures) can succinctly combine signatures of many parties, to verify the signature, the (length-Θ(n)!) vector of contributing parties’ identities must also be communicated.⁴ As discussed in the related-work section (Section 1.3), threshold signatures are implied by SRDS but also do not suffice: while identities of the signers are no longer needed to verify a combined signature, this information is necessary to reconstruct the combined signature in the first place (even within specific existing schemes, e.g., [50, 10]). We provide a more detailed comparison to different signature notions in Section 1.3.

An SRDS scheme is based on a PKI for signatures, where every party is set up with a secret signing key and a public verification key.⁵ The parties may receive additional setup information that may contain, for example, public parameters for the signature scheme or a common random string (CRS), depending on the actual construction. Given a message m, every party can locally generate a signature on m, and signatures on the same message can be succinctly aggregated into a new signature. The new aspect is that, given a combined signature and a message m, it is possible to verify whether it was aggregated from a “large” number of “base” signatures on m, and both aggregation and verification can be done succinctly.

Three properties are required from an SRDS scheme: robustness means that the adversary cannot prevent the honest parties from generating an accepting signature on a message; unforgeability prevents an adversary controlling a minority from forging a signature; and succinctness requires that the “final” signature (including all information needed for verification) is short (of size Õ(1)) and can be incrementally reconstructed from “base” signatures in small batches of size polylog(n).⁶ An SRDS scheme is t-secure if it satisfies the above properties even facing t colluding parties.

Appears in 1 contract

Sources: Byzantine Agreement

Balanced BA from SRDS. We demonstrate how to attain Õ(1)-balanced BA against βn corruptions (for β < 1/3) given black-box access to any βn-secure SRDS scheme. We begin by presenting a distilled version of the “certified almost-everywhere agreement” approach from [15] that we tailor for Byzantine agreement, where only correctness matters and privacy is not required.⁷

1. The parties execute the almost-everywhere agreement protocol of King et al. [65]; this establishes a polylog(n)-size supreme committee with a 2/3 honest majority and a polylog(n)-degree communication tree connecting almost all of the parties to the supreme committee.

2. The supreme committee executes a BA protocol on their inputs to agree on the output y, and, in addition, runs a coin-tossing protocol to agree on a random seed s. Next, the supreme committee propagates the pair (y, s) to almost all of the parties.

3. Once a party receives the pair (y, s), the party signs it (in [15], using a multi-signature scheme), and sends the signature back to the supreme committee, which aggregates all the signatures. The aggregated signature attesting to (y, s) is then distributed to almost all of the parties.

Once this form of certified almost-everywhere agreement on (y, s) is reached, full agreement can be obtained in one round. Every party Pi that receives the signed pair (y, s) uses the seed s and its identity i to determine a set of (sufficiently random) polylog(n) parties it will talk to in that round (e.g., by evaluating a PRF on s and i), and sends the signed (y, s) to every party in that set. A party that receives such a signed pair can verify that a majority of the parties agree on (y, s) (by the guarantees of multi-signatures) and that it was supposed to receive a message from the sender (by evaluating the PRF on s and the sender’s identity). In this case, it can output y and halt. The protocol from [15] achieves Õ(1) locality.

However, recall that even though the size of a multi-signature might itself be “small,” the verification algorithm additionally requires a list of contributing parties, where the description size of this list will need to be proportional to n. Hence, the effective size of the aggregated signature, and thus per-party communication, is Θ(n).

At this point the new notion of SRDS comes into the picture. We use the succinctness property of SRDS combined with the communication tree established by the protocol from [65] to bound the size of the aggregated signatures by Õ(1). In essence, the parties aggregate the signatures in a recursive manner up the communication tree such that in each step at most polylog(n) signatures are aggregated. This technique introduces additional subtleties that must be addressed. For example, since the partially aggregated signature can no longer afford to describe the set of contributing parties, it is essential to make sure that the same “base” signature is not aggregated multiple times (this may allow the adversary to achieve more influence on the final aggregated signature than its proportional fraction of “base” signatures). To ensure that the fraction of signatures that are generated by corrupted parties is equal to the corruption threshold, every party is assigned polylog(n) (virtual) identities—one identity for each path from that party to the supreme committee in the communication tree.

Theorem 1.1 (balanced BA, informal). Let β < 1/3 be a constant. Assuming the existence of βn-secure SRDS, there exists an n-party, βn-resilient BA protocol that terminates after polylog(n) rounds, and where every party sends/processes polylog(n) · poly(κ) bits.

We note that our BA protocol is the first to establish a polylog(n)-degree communication graph where every party has an “honest path” to a 2/3-honest committee, such that the communication per party required for establishing it is Õ(1). Thus, we can obtain the following corollaries.

Corollary 1.2 (informal). Let β < 1/3 be a constant. Assuming the existence of βn-secure SRDS:

Footnotes

⁴ Indeed, the verification algorithm of multi-signatures (and aggregate signatures) must receive the set of parties who signed the message. This is precisely the culprit for the large Θ̃(n) per-party communication within the low-locality protocol of [15].

⁵ We will distinguish between a bulletin-board PKI, where every party locally chooses its keys and corrupted parties can set their keys as a function of all verification keys (and any additional public information), and a trusted PKI, which is honestly generated (either locally or by a trusted party) and where corrupted parties cannot change their verification keys. See further discussion below.

⁶ polylog(n) denotes log^c(n) for some constant c > 1.

⁷ The focus of [15] was on MPC and required stronger assumptions and additional rounds; in particular, a naïve use of their MPC protocol cannot lead to balanced BA as it requires all parties to send information to the supreme committee.
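The one-round step from certified almost-everywhere agreement to full agreement (each party evaluates a PRF on the seed s and its identity i to choose polylog(n) recipients, and a recipient re-evaluates the PRF on s and the sender's identity before accepting) as an added Python example; this is not the paper's code. HMAC-SHA256 stands in for the PRF, the SRDS majority check is abstracted as a `verify` callback, and the parties and certificates in `demo()` are constructed.

```python
import hashlib
import hmac

def prf_targets(seed: bytes, party_id: int, n: int, k: int) -> set:
    """k distinct recipients (excluding itself) for party i, derived from PRF(s, i)."""
    if k >= n:
        raise ValueError("need k < n")
    targets, ctr = set(), 0
    while len(targets) < k:  # counter-mode expansion of HMAC-SHA256 (stand-in PRF)
        msg = party_id.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        block = hmac.new(seed, msg, hashlib.sha256).digest()
        for off in range(0, 32, 4):
            j = int.from_bytes(block[off:off + 4], "big") % n  # slight modulo bias, fine here
            if j != party_id:
                targets.add(j)
            if len(targets) == k:
                break
        ctr += 1
    return targets

def expected_from(seed: bytes, receiver: int, sender: int, n: int, k: int) -> bool:
    """Receiver-side check: is `receiver` among the targets that PRF(s, sender) selects?"""
    return receiver in prf_targets(seed, sender, n, k)

def final_round(seed, n, k, holders, verify):
    """One round: each party in `holders` (party -> (y, cert)) sends its certified pair to
    its PRF-chosen targets; a receiver outputs y only if `verify(y, cert)` (the SRDS
    majority check) passes AND the sender was expected. Returns (outputs, max inbox size)."""
    inbox = {j: [] for j in range(n)}
    for i, (y, cert) in holders.items():
        for j in prf_targets(seed, i, n, k):
            inbox[j].append((i, y, cert))
    outputs = {}
    for j, msgs in inbox.items():
        for i, y, cert in msgs:
            if verify(y, cert) and expected_from(seed, j, i, n, k):
                outputs[j] = y  # output y and halt
                break
    return outputs, max(len(m) for m in inbox.values())

def demo():
    """Constructed scenario: n = 64, k = 8; parties 0..47 hold a certificate for
    y = "agree"; corrupted party 63 pushes a forged certificate for "bogus"."""
    seed = b"constructed-committee-seed"
    n, k = 64, 8
    verify = lambda y, cert: cert == ("srds-cert", y)  # stand-in for SRDS verification
    holders = {i: ("agree", ("srds-cert", "agree")) for i in range(48)}
    holders[63] = ("bogus", ("forged", "bogus"))
    return final_round(seed, n, k, holders, verify)
```

Per-party work stays bounded by the number of senders whose PRF output named the receiver, which is what the Õ(1) locality of this round relies on.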
