@inproceedings{18071, abstract = {Recent advancements on DAG-based consensus protocols allow for blockchains with improved metrics and properties, such as throughput and censorship-resistance. Variants of the Bullshark [18] consensus protocol are adopted for practical use by the Sui blockchain, for improved latency. However, the protocol is leader-based, and is strongly affected by crashed leaders that can lead to various performance issues, for example, decreased transaction throughput. In this paper, we propose HammerHead, a DAG-based consensus protocol, that is inspired by Carousel [8] and provides Leader-Utilization. Our proposal differs from Carousel, which is built for a chained consensus protocol; in HammerHead chain quality is inherited by the DAG. HammerHead needs to preserve safety and liveness, despite validators committing leader vertices asynchronously. The key idea is to update leader schedules dynamically, based on the validators' scores during the previous schedule. We implement HammerHead and show a minor improvement in performance for cases without faults. The major improvements in comparison to Bullshark appear in faulty settings. Specifically, we show a drastic, 2x-latency improvement and up to 40% increased throughput when crash faults occur (100 validators, 33 faults).}, author = {Tsimos, Giorgos and Kichidis, Anastasios and Sonnino, Alberto and Kokoris Kogias, Eleftherios}, booktitle = {Proceedings - International Conference on Distributed Computing Systems}, isbn = {9798350386059}, issn = {2575-8411}, location = {Jersey City, NJ, United States}, pages = {1377--1387}, publisher = {IEEE}, title = {{HammerHead: Leader reputation for dynamic scheduling}}, doi = {10.1109/ICDCS60910.2024.00129}, year = {2024}, } @inproceedings{18913, abstract = {With the proliferation of blockchain technology in high-value sectors, consensus protocols are becoming critical infrastructures. The rapid innovation cycle in Byzantine fault tolerant (BFT) consensus protocols has culminated in HotStuff, which provides linear message complexity in the partially synchronous setting. To achieve this, HotStuff leverages a leader that collects, aggregates, and broadcasts the messages of other validators. This paper analyzes the security implications of such approaches in practice, from the perspective of liveness and availability. By implementing attacks in a globally-distributed testbed, we show that state-of-the-art leader-based protocols are vulnerable to denial-of-service (DoS) attacks on the leader. Our attacks, demonstrated on committees of up to 64 validators, manage to disrupt liveness within seconds, using only a few tens of Mbps of attack bandwidth per validator. Crucially, the cost and effectiveness of the attacks are independent of the committee size. Based on the outcome of these experiments, we then propose and test effective mitigations. Our findings show that advancements in both protocol design and network-layer defenses can greatly improve the practical resilience of BFT consensus protocols.}, author = {Giuliari, Giacomo and Sonnino, Alberto and Frei, Marc and Streun, Fabio and Kokoris Kogias, Eleftherios and Perrig, Adrian}, booktitle = {Proceedings of the 19th ACM Asia Conference on Computer and Communications Security}, isbn = {9798400704826}, location = {Singapore, Singapore}, pages = {1345--1360}, publisher = {ACM}, title = {{An empirical study of consensus protocols’ DoS resilience}}, doi = {10.1145/3634737.3656997}, year = {2024}, } @inproceedings{18957, abstract = {Sui Lutris is the first smart-contract platform to sustainably achieve sub-second finality. It achieves this significant decrease by employing consensusless agreement not only for simple payments but for a large variety of transactions. Unlike prior work, Sui Lutris neither compromises expressiveness nor throughput and can run perpetually without restarts. Sui Lutris achieves this by safely integrating consensuless agreement with a high-throughput consensus protocol that is invoked out of the critical finality path but ensures that when a transaction is at risk of inconsistent concurrent accesses, its settlement is delayed until the total ordering is resolved. Building such a hybrid architecture is especially delicate during reconfiguration events, where the system needs to preserve the safety of the consensusless path without compromising the long-term liveness of potentially misconfigured clients. We thus develop a novel reconfiguration protocol, the first to provably show the safe and efficient reconfiguration of a consensusless blockchain. Sui Lutris is currently running in production and underpins the Sui smart-contract platform. Combined with the use of Objects instead of accounts it enables the safe execution of smart contracts that expose objects as a first-class resource. In our experiments Sui Lutris achieves latency lower than 0.5 seconds for throughput up to 5,000 certificates per second (150k ops/s with transaction blocks), compared to the state-of-the-art real-world consensus latencies of 3 seconds. Furthermore, it gracefully handles validators crash-recovery and does not suffer visible performance degradation during reconfiguration.}, author = {Blackshear, Sam and Chursin, Andrey and Danezis, George and Kichidis, Anastasios and Kokoris Kogias, Eleftherios and Li, Xun and Logan, Mark and Menon, Ashok and Nowacki, Todd and Sonnino, Alberto and Williams, Brandon and Zhang, Lu}, booktitle = {Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security}, isbn = {9798400706363}, location = {Salt Lake City, UT, United States}, pages = {2606--2620}, publisher = {ACM}, title = {{Sui Lutris: A blockchain combining broadcast and consensus}}, doi = {10.1145/3658644.3670286}, year = {2024}, } @article{13988, abstract = {Most permissionless blockchains inherently suffer from throughput limitations. Layer-2 systems, such as side-chains or Rollups, have been proposed as a possible strategy to overcome this limitation. Layer-2 systems interact with the main-chain in two ways. First, users can move funds from/to the main-chain to/from the layer-2. Second, layer-2 systems periodically synchronize with the main-chain to keep some form of log of their activity on the main-chain - this log is key for security. Due to this interaction with the main-chain, which is necessary and recurrent, layer-2 systems impose some load on the main-chain. The impact of such load on the main-chain has been, so far, poorly understood. In addition to that, layer-2 approaches typically sacrifice decentralization and security in favor of higher throughput. This paper presents an experimental study that analyzes the current state of Ethereum layer-2 projects. Our goal is to assess the load they impose on Ethereum and to understand their scalability potential in the long-run. Our analysis shows that the impact of any given layer-2 on the main-chain is the result of both technical aspects (how state is logged on the main-chain) and user behavior (how often users decide to transfer funds between the layer-2 and the main-chain). Based on our observations, we infer that without efficient mechanisms that allow users to transfer funds in a secure and fast manner directly from one layer-2 project to another, current layer-2 systems will not be able to scale Ethereum effectively, regardless of their technical solutions. Furthermore, from our results, we conclude that the layer-2 systems that offer similar security guarantees as Ethereum have limited scalability potential, while approaches that offer better performance, sacrifice security and lead to an increase in centralization which runs against the end-goals of permissionless blockchains.}, author = {Neiheiser, Ray and Inacio, Gustavo and Rech, Luciana and Montez, Carlos and Matos, Miguel and Rodrigues, Luis}, issn = {2169-3536}, journal = {IEEE Access}, keywords = {General Engineering, General Materials Science, General Computer Science, Electrical and Electronic Engineering}, pages = {8651--8662}, publisher = {Institute of Electrical and Electronics Engineers}, title = {{Practical limitations of Ethereum’s layer-2}}, doi = {10.1109/access.2023.3237897}, volume = {11}, year = {2023}, } @inproceedings{14516, abstract = {We revisit decentralized random beacons with a focus on practical distributed applications. Decentralized random beacons (Beaver and So, Eurocrypt'93) provide the functionality for n parties to generate an unpredictable sequence of bits in a way that cannot be biased, which is useful for any decentralized protocol requiring trusted randomness. Existing beacon constructions are highly inefficient in practical settings where protocol parties need to rejoin after crashes or disconnections, and more significantly where smart contracts may rely on arbitrary index points in high-volume streams. For this, we introduce a new notion of history-generating decentralized random beacons (HGDRBs). Roughly, the history-generation property of HGDRBs allows for previous beacon outputs to be efficiently generated knowing only the current value and the public key. At application layers, history-generation supports registering a sparser set of on-chain values if desired, so that apps like lotteries can utilize on-chain values without incurring high-frequency costs, enjoying all the benefits of DRBs implemented off-chain or with decoupled, special-purpose chains. Unlike rollups, HG is tailored specifically to recovering and verifying pseudorandom bit sequences and thus enjoys unique optimizations investigated in this work. We introduce STROBE: an efficient HGDRB construction which generalizes the original squaring-based RSA approach of Beaver and So. STROBE enjoys several useful properties that make it suited for practical applications that use beacons: 1) history-generating: it can regenerate and verify high-throughput beacon streams, supporting sparse (thus cost-effective) ledger entries; 2) concisely self-verifying: NIZK-free, with state and validation employing a single ring element; 3) eco-friendly: stake-based rather than work based; 4) unbounded: refresh-free, addressing limitations of Beaver and So; 5) delay-free: results are immediately available. 6) storage-efficient: the last beacon suffices to derive all past outputs, thus O(1) storage requirements for nodes serving the whole history.}, author = {Beaver, Donald and Kelkar, Mahimna and Lewi, Kevin and Nikolaenko, Valeria and Sonnino, Alberto and Chalkias, Konstantinos and Kokoris Kogias, Eleftherios and Naurois, Ladi De and Roy, Arnab}, booktitle = {5th Conference on Advances in Financial Technologies}, isbn = {9783959773034}, issn = {1868-8969}, location = {Princeton, NJ, United States}, publisher = {Schloss Dagstuhl - Leibniz-Zentrum für Informatik}, title = {{STROBE: Streaming Threshold Random Beacons}}, doi = {10.4230/LIPIcs.AFT.2023.7}, volume = {282}, year = {2023}, } @inproceedings{14609, abstract = {Distributed Key Generation (DKG) is a technique to bootstrap threshold cryptosystems without a trusted party. DKG is an essential building block to many decentralized protocols such as randomness beacons, threshold signatures, Byzantine consensus, and multiparty computation. While significant progress has been made recently, existing asynchronous DKG constructions are inefficient when the reconstruction threshold is larger than one-third of the total nodes. In this paper, we present a simple and concretely efficient asynchronous DKG (ADKG) protocol among n = 3t + 1 nodes that can tolerate up to t malicious nodes and support any reconstruction threshold ℓ ≥ t. Our protocol has an expected O(κn3) communication cost, where κ is the security parameter, and only assumes the hardness of the Discrete Logarithm. The core ingredient of our ADKG protocol is an asynchronous protocol to secret share a random polynomial of degree ℓ ≥ t, which has other applications, such as asynchronous proactive secret sharing and asynchronous multiparty computation. We implement our high-threshold ADKG protocol and evaluate it using a network of up to 128 geographically distributed nodes. Our evaluation shows that our high-threshold ADKG protocol reduces the running time by 90% and bandwidth usage by 80% over the state-of-the-art.}, author = {Das, Sourav and Xiang, Zhuolun and Kokoris Kogias, Eleftherios and Ren, Ling}, booktitle = {32nd USENIX Security Symposium}, isbn = {9781713879497}, location = {Anaheim, CA, United States}, pages = {5359--5376}, publisher = {Usenix}, title = {{Practical asynchronous high-threshold distributed key generation and distributed polynomial sampling}}, volume = {8}, year = {2023}, } @inproceedings{14735, abstract = {Scaling blockchain protocols to perform on par with the expected needs of Web3.0 has been proven to be a challenging task with almost a decade of research. In the forefront of the current solution is the idea of separating the execution of the updates encoded in a block from the ordering of blocks. In order to achieve this, a new class of protocols called rollups has emerged. Rollups have as input a total ordering of valid and invalid transactions and as output a new valid state-transition. If we study rollups from a distributed computing perspective, we uncover that rollups take as input the output of a Byzantine Atomic Broadcast (BAB) protocol and convert it to a State Machine Replication (SMR) protocol. BAB and SMR, however, are considered equivalent as far as distributed computing is concerned and a solution to one can easily be retrofitted to solve the other simply by adding/removing an execution step before the validation of the input. This “easy” step of retrofitting an atomic broadcast solution to implement an SMR has, however, been overlooked in practice. In this paper, we formalize the problem and show that after BAB is solved, traditional impossibility results for consensus no longer apply towards an SMR. Leveraging this we propose a distributed execution protocol that allows reduced execution and storage cost per executor (O(log2n/n)) without relaxing the network assumptions of the underlying BAB protocol and providing censorship-resistance. Finally, we propose efficient non-interactive light client constructions that leverage our efficient execution protocols and do not require any synchrony assumptions or expensive ZK-proofs.}, author = {Stefo, Christos and Xiang, Zhuolun and Kokoris Kogias, Eleftherios}, booktitle = {27th International Conference on Financial Cryptography and Data Security}, isbn = {9783031477539}, issn = {0302-9743}, location = {Bol, Brac, Croatia}, pages = {3--20}, publisher = {Springer Nature}, title = {{Executing and proving over dirty ledgers}}, doi = {10.1007/978-3-031-47754-6_1}, volume = {13950}, year = {2023}, } @inproceedings{14743, abstract = {Leader-based consensus algorithms are fast and efficient under normal conditions, but lack robustness to adverse conditions due to their reliance on timeouts for liveness. We present QuePaxa, the first protocol offering state-of-the-art normal-case efficiency without depending on timeouts. QuePaxa uses a novel randomized asynchronous consensus core to tolerate adverse conditions such as denial-of-service (DoS) attacks, while a one-round-trip fast path preserves the normal-case efficiency of Multi-Paxos or Raft. By allowing simultaneous proposers without destructive interference, and using short hedging delays instead of conservative timeouts to limit redundant effort, QuePaxa permits rapid recovery after leader failure without risking costly view changes due to false timeouts. By treating leader choice and hedging delay as a multi-armed-bandit optimization, QuePaxa achieves responsiveness to prevalent conditions, and can choose the best leader even if the current one has not failed. Experiments with a prototype confirm that QuePaxa achieves normal-case LAN and WAN performance of 584k and 250k cmd/sec in throughput, respectively, comparable to Multi-Paxos. Under conditions such as DoS attacks, misconfigurations, or slow leaders that severely impact existing protocols, we find that QuePaxa remains live with median latency under 380ms in WAN experiments.}, author = {Tennage, Pasindu and Basescu, Cristina and Kokoris Kogias, Eleftherios and Syta, Ewa and Jovanovic, Philipp and Estrada-Galinanes, Vero and Ford, Bryan}, booktitle = {Proceedings of the 29th Symposium on Operating Systems Principles}, isbn = {9798400702297}, location = {Koblenz, Germany}, pages = {281--297}, publisher = {Association for Computing Machinery}, title = {{QuePaxa: Escaping the tyranny of timeouts in consensus}}, doi = {10.1145/3600006.3613150}, year = {2023}, } @inproceedings{14744, abstract = {Sharding distributed ledgers is a promising on-chain solution for scaling blockchains but lacks formal grounds, nurturing skepticism on whether such complex systems can scale blockchains securely. We fill this gap by introducing the first formal framework as well as a roadmap to robust sharding. In particular, we first define the properties sharded distributed ledgers should fulfill. We build upon and extend the Bitcoin backbone protocol by defining consistency and scalability. Consistency encompasses the need for atomic execution of cross-shard transactions to preserve safety, whereas scalability encapsulates the speedup a sharded system can gain in comparison to a non-sharded system. Using our model, we explore the limitations of sharding. We show that a sharded ledger with n participants cannot scale under a fully adaptive adversary, but it can scale up to m shards where n=c'm log m, under an epoch-adaptive adversary; the constant c' encompasses the trade-off between security and scalability. This is possible only if the sharded ledgers create succinct proofs of the valid state updates at every epoch. We leverage our results to identify the sufficient components for robust sharding, which we incorporate in a protocol abstraction termed Divide & Scale. To demonstrate the power of our framework, we analyze the most prominent sharded blockchains (Elastico, Monoxide, OmniLedger, RapidChain) and pinpoint where they fail to meet the desired properties.}, author = {Avarikioti, Zeta and Desjardins, Antoine and Kokoris Kogias, Eleftherios and Wattenhofer, Roger}, booktitle = {30th International Colloquium on Structural Information and Communication Complexity}, isbn = {9783031327322}, issn = {1611-3349}, location = {Alcalá de Henares, Spain}, pages = {199--245}, publisher = {Springer Nature}, title = {{Divide & Scale: Formalization and roadmap to robust sharding}}, doi = {10.1007/978-3-031-32733-9_10}, volume = {13892}, year = {2023}, } @inproceedings{14829, abstract = {This paper explores a modular design architecture aimed at helping blockchains (and other SMR implementation) to scale to a very large number of processes. This comes in contrast to existing monolithic architectures that interleave transaction dissemination, ordering, and execution in a single functionality. To achieve this we first split the monolith to multiple layers which can use existing distributed computing primitives. The exact specifications of the data dissemination part are formally defined by the Proof of Availability & Retrieval (PoA &R) abstraction. Solutions to the PoA &R problem contain two related sub-protocols: one that “pushes” information into the network and another that “pulls” this information. Regarding the latter, there is a dearth of research literature which is rectified in this paper. We present a family of pulling sub-protocols and rigorously analyze them. Extensive simulations support the theoretical claims of efficiency and robustness in case of a very large number of players. Finally, actual implementation and deployment on a small number of machines (roughly the size of several industrial systems) demonstrates the viability of the architecture’s paradigm.}, author = {Cohen, Shir and Goren, Guy and Kokoris Kogias, Eleftherios and Sonnino, Alberto and Spiegelman, Alexander}, booktitle = {27th International Conference on Financial Cryptography and Data Security}, isbn = {9783031477508}, issn = {1611-3349}, location = {Bol, Brac, Croatia}, pages = {36--53}, publisher = {Springer Nature}, title = {{Proof of availability and retrieval in a modular blockchain architecture}}, doi = {10.1007/978-3-031-47751-5_3}, volume = {13951}, year = {2023}, } @inproceedings{14989, abstract = {Encryption alone is not enough for secure end-to end encrypted messaging: a server must also honestly serve public keys to users. Key transparency has been presented as an efficient solution for detecting (and hence deterring) a server that attempts to dishonestly serve keys. Key transparency involves two major components: (1) a username to public key mapping, stored and cryptographically committed to by the server, and, (2) an outof-band consistency protocol for serving short commitments to users. In the setting of real-world deployments and supporting production scale, new challenges must be considered for both of these components. We enumerate these challenges and provide solutions to address them. In particular, we design and implement a memory-optimized and privacy-preserving verifiable data structure for committing to the username to public key store. To make this implementation viable for production, we also integrate support for persistent and distributed storage. We also propose a future-facing solution, termed “compaction”, as a mechanism for mitigating practical issues that arise from dealing with infinitely growing server data structures. Finally, we implement a consensusless solution that achieves the minimum requirements for a service that consistently distributes commitments for a transparency application, providing a much more efficient protocol for distributing small and consistent commitments to users. This culminates in our production-grade implementation of a key transparency system (Parakeet) which we have open-sourced, along with a demonstration of feasibility through our benchmarks.}, author = {Malvai, Harjasleen and Kokoris Kogias, Eleftherios and Sonnino, Alberto and Ghosh, Esha and Oztürk, Ercan and Lewi, Kevin and Lawlor, Sean}, booktitle = {Proceedings of the 2023 Network and Distributed System Security Symposium}, isbn = {1891562835}, location = {San Diego, CA, United States}, publisher = {Internet Society}, title = {{Parakeet: Practical key transparency for end-to-end eEncrypted messaging}}, doi = {10.14722/ndss.2023.24545}, year = {2023}, } @inproceedings{12160, abstract = {We present the Filecoin Hierarchical Consensus framework, which aims to overcome the throughput challenges of blockchain consensus by horizontally scaling the network. Unlike traditional sharding designs, based on partitioning the state of the network, our solution centers on the concept of subnets -which are organized hierarchically- and can be spawned on-demand to manage new state. Child sub nets are firewalled from parent subnets, have their own specific policies, and run a different consensus algorithm, increasing the network capacity and enabling new applications. Moreover, they benefit from the security of parent subnets by periodically checkpointing state. In this paper, we introduce the overall system architecture, our detailed designs for cross-net transaction handling, and the open questions that we are still exploring.}, author = {De la Rocha, Alfonso and Kokoris Kogias, Eleftherios and Soares, Jorge M. and Vukolic, Marko}, booktitle = {42nd International Conference on Distributed Computing Systems Workshops}, issn = {2332-5666}, location = {Bologna, Italy}, pages = {45--52}, publisher = {Institute of Electrical and Electronics Engineers}, title = {{Hierarchical consensus: A horizontal scaling framework for blockchains}}, doi = {10.1109/icdcsw56584.2022.00018}, volume = {2022}, year = {2022}, } @inproceedings{12168, abstract = {Advances in blockchains have influenced the State-Machine-Replication (SMR) world and many state-of-the-art blockchain-SMR solutions are based on two pillars: Chaining and Leader-rotation. A predetermined round-robin mechanism used for Leader-rotation, however, has an undesirable behavior: crashed parties become designated leaders infinitely often, slowing down overall system performance. In this paper, we provide a new Leader-Aware SMR framework that, among other desirable properties, formalizes a Leader-utilization requirement that bounds the number of rounds whose leaders are faulty in crash-only executions. We introduce Carousel, a novel, reputation-based Leader-rotation solution to achieve Leader-Aware SMR. The challenge in adaptive Leader-rotation is that it cannot rely on consensus to determine a leader, since consensus itself needs a leader. Carousel uses the available on-chain information to determine a leader locally and achieves Liveness despite this difficulty. A HotStuff implementation fitted with Carousel demonstrates drastic performance improvements: it increases throughput over 2x in faultless settings and provided a 20x throughput increase and 5x latency reduction in the presence of faults.}, author = {Cohen, Shir and Gelashvili, Rati and Kokoris Kogias, Eleftherios and Li, Zekun and Malkhi, Dahlia and Sonnino, Alberto and Spiegelman, Alexander}, booktitle = {International Conference on Financial Cryptography and Data Security}, isbn = {9783031182822}, issn = {1611-3349}, location = {Grenada}, pages = {279--295}, publisher = {Springer Nature}, title = {{Be aware of your leaders}}, doi = {10.1007/978-3-031-18283-9_13}, volume = {13411}, year = {2022}, } @inproceedings{12229, abstract = {We present Bullshark, the first directed acyclic graph (DAG) based asynchronous Byzantine Atomic Broadcast protocol that is optimized for the common synchronous case. Like previous DAG-based BFT protocols [19, 25], Bullshark requires no extra communication to achieve consensus on top of building the DAG. That is, parties can totally order the vertices of the DAG by interpreting their local view of the DAG edges. Unlike other asynchronous DAG-based protocols, Bullshark provides a practical low latency fast-path that exploits synchronous periods and deprecates the need for notoriously complex view-change and view-synchronization mechanisms. Bullshark achieves this while maintaining all the desired properties of its predecessor DAG-Rider [25]. Namely, it has optimal amortized communication complexity, it provides fairness and asynchronous liveness, and safety is guaranteed even under a quantum adversary. In order to show the practicality and simplicity of our approach, we also introduce a standalone partially synchronous version of Bullshark, which we evaluate against the state of the art. The implemented protocol is embarrassingly simple (200 LOC on top of an existing DAG-based mempool implementation). It is highly efficient, achieving for example, 125,000 transactions per second with a 2 seconds latency for a deployment of 50 parties. In the same setting, the state of the art pays a steep 50% latency increase as it optimizes for asynchrony.}, author = {Spiegelman, Alexander and Giridharan, Neil and Sonnino, Alberto and Kokoris Kogias, Eleftherios}, booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security}, isbn = {9781450394505}, location = {Los Angeles, CA, United States}, pages = {2705–2718}, publisher = {Association for Computing Machinery}, title = {{Bullshark: DAG BFT protocols made practical}}, doi = {10.1145/3548606.3559361}, year = {2022}, } @inproceedings{12298, abstract = {Existing committee-based Byzantine state machine replication (SMR) protocols, typically deployed in production blockchains, face a clear trade-off: (1) they either achieve linear communication cost in the steady state, but sacrifice liveness during periods of asynchrony, or (2) they are robust (progress with probability one) but pay quadratic communication cost. We believe this trade-off is unwarranted since existing linear protocols still have asymptotic quadratic cost in the worst case. We design Ditto, a Byzantine SMR protocol that enjoys the best of both worlds: optimal communication on and off the steady state (linear and quadratic, respectively) and progress guarantee under asynchrony and DDoS attacks. We achieve this by replacing the view-synchronization of partially synchronous protocols with an asynchronous fallback mechanism at no extra asymptotic cost. Specifically, we start from HotStuff, a state-of-the-art linear protocol, and gradually build Ditto. As a separate contribution and an intermediate step, we design a 2-chain version of HotStuff, Jolteon, which leverages a quadratic view-change mechanism to reduce the latency of the standard 3-chain HotStuff. We implement and experimentally evaluate all our systems to prove that breaking the robustness-efficiency trade-off is in the realm of practicality.}, author = {Gelashvili, Rati and Kokoris Kogias, Eleftherios and Sonnino, Alberto and Spiegelman, Alexander and Xiang, Zhuolun}, booktitle = {Financial Cryptography and Data Security}, isbn = {9783031182822}, issn = {1611-3349}, location = {Radisson Grenada Beach Resort, Grenada}, pages = {296--315}, publisher = {Springer Nature}, title = {{Jolteon and ditto: Network-adaptive efficient consensus with asynchronous fallback}}, doi = {10.1007/978-3-031-18283-9_14}, volume = {13411}, year = {2022}, } @inproceedings{12300, abstract = {Distributed Key Generation (DKG) is a technique to bootstrap threshold cryptosystems without a trusted third party and is a building block to decentralized protocols such as randomness beacons, threshold signatures, and general multiparty computation. Until recently, DKG protocols have assumed the synchronous model and thus are vulnerable when their underlying network assumptions do not hold. The recent advancements in asynchronous DKG protocols are insufficient as they either have poor efficiency or limited functionality, resulting in a lack of concrete implementations. In this paper, we present a simple and concretely efficient asynchronous DKG (ADKG) protocol. In a network of n nodes, our ADKG protocol can tolerate up to t