We consider an asynchronous network of $n$ parties connected to each other via secure channels, up to $t$ of which are byzantine. We study common coin tossing, a task where the parties try to agree on an unpredictable random value, with some chance of failure due to the byzantine parties' influence. Coin tossing is a well-known and often-studied task due to its use in byzantine agreement. In this work, we present an adaptively secure committee-based method to, roughly speaking, turn strong but costly common coins into cheaper but lower-quality ones. For all $k > 2$ and $\varepsilon > 0$, we show how to use a strong (very rarely failing) coin that costs $\widetilde{O}(n^k)$ bits of communication to get a cheaper coin that costs $\widetilde{O}(\varepsilon^{-2k}n^{3 - 2/k})$ bits of communication. This latter coin tolerates $\varepsilon n$ fewer byzantine parties than the former, and it fails with an arbitrarily small constant probability. For any $\varepsilon > 0$, our method allows us to get a perfectly secure binary coin that tolerates $t \leq (\frac{1}{4} - \varepsilon)n$ faults with $O(n^{2.5}(\varepsilon^{-8} + \log n))$ messages of size $O(\log n)$, as well as a setup-free cryptographically secure binary coin that tolerates $t \leq (\frac{1}{3} - \varepsilon)n$ faults with $O(n^{7/3}\varepsilon^{-6}\kappa\log n)$ bits of communication (where $\kappa = \Omega(\log n)$ is a cryptographic security parameter). These coins both have $O(\log n)$ latency. They are, to our knowledge, the first setup-free coins that cost $o(n^3)$ bits of communication but still succeed with at least constant probability against $t = \Theta(n)$ adaptive byzantine faults. As such, they enable, for the first time, setup-free (and even perfectly secure) asynchronous byzantine agreement with $o(n^3)$ communication against $\Theta(n)$ adaptive byzantine faults.