
Advances in Cryptology – ASIACRYPT 2019: 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8–12, 2019, Proceedings, Part I. Steven D. Galbraith
Steven D. Galbraith
Shiho Moriai (Eds.)
LNCS 11921

Advances in Cryptology –
ASIACRYPT 2019
25th International Conference on the Theory
and Application of Cryptology and Information Security
Kobe, Japan, December 8–12, 2019
Proceedings, Part I
Lecture Notes in Computer Science 11921

Founding Editors
Gerhard Goos
Karlsruhe Institute of Technology, Karlsruhe, Germany
Juris Hartmanis
Cornell University, Ithaca, NY, USA

Editorial Board Members


Elisa Bertino
Purdue University, West Lafayette, IN, USA
Wen Gao
Peking University, Beijing, China
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Gerhard Woeginger
RWTH Aachen, Aachen, Germany
Moti Yung
Columbia University, New York, NY, USA
More information about this series at http://www.springer.com/series/7410
Editors
Steven D. Galbraith, University of Auckland, Auckland, New Zealand
Shiho Moriai, Security Fundamentals Lab, NICT, Tokyo, Japan

ISSN 0302-9743 ISSN 1611-3349 (electronic)


Lecture Notes in Computer Science
ISBN 978-3-030-34577-8 ISBN 978-3-030-34578-5 (eBook)
https://doi.org/10.1007/978-3-030-34578-5
LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2019


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

ASIACRYPT 2019, the 25th Annual International Conference on Theory and
Application of Cryptology and Information Security, was held in Kobe, Japan, during
December 8–12, 2019.
The conference focused on all technical aspects of cryptology, and was sponsored
by the International Association for Cryptologic Research (IACR).
We received a total of 307 submissions from all over the world. This was a
significantly higher number of submissions than recent Asiacrypt conferences, which
necessitated a larger Program Committee (PC) than we had originally planned. We
thank the seven additional PC members who accepted our invitation at extremely short
notice. They are Gorjan Alagic, Giorgia Azzurra Marson, Zhenzhen Bao, Olivier
Blazy, Romain Gay, Takanori Isobe, and Daniel Masny.
The PC selected 71 papers for publication in the proceedings of the conference. The
two program chairs were supported by a PC consisting of 55 leading experts in aspects
of cryptology. Each submission was reviewed by at least three Program Committee
members (or their sub-reviewers) and five PC members were assigned to submissions
co-authored by PC members. The strong conflict of interest rules imposed by the IACR
ensure that papers are not handled by PC members with a close working relationship
with authors. There were approximately 380 external reviewers, whose input was
critical to the selection of papers.
The review process was conducted using double-blind peer review. The conference
operated a two-round review system with a rebuttal phase. After the reviews and
first-round discussions the PC selected 193 submissions to proceed to the second
round. The authors of those 193 papers were then invited to provide a short rebuttal in
response to the referee reports. The second round involved extensive discussions by the
PC members. Indeed, the total number of text items in the online discussion (including
reviews, rebuttals, questions to authors, and PC member comments) exceeded 3,000.
The three volumes of the conference proceedings contain the revised versions of the
71 papers that were selected, together with 1 invited paper. The final revised versions
of papers were not reviewed again and the authors are responsible for their contents.
The program of Asiacrypt 2019 featured excellent invited talks by Krzysztof
Pietrzak and Elaine Shi. The conference also featured a rump session which contained
short presentations on the latest research results of the field.
The PC selected the work “Wave: A New Family of Trapdoor One-Way Preimage
Sampleable Functions Based on Codes” by Thomas Debris-Alazard, Nicolas Sendrier,
and Jean-Pierre Tillich for the Best Paper Award of Asiacrypt 2019. Two more papers
were solicited to submit a full version to the Journal of Cryptology. They are “An LLL
Algorithm for Module Lattices” by Changmin Lee, Alice Pellet-Mary, Damien Stehlé,
and Alexandre Wallet, and “Numerical Method for Comparison on Homomorphically
Encrypted Numbers” by Jung Hee Cheon, Dongwoo Kim, Duhyeong Kim, Hun Hee
Lee, and Keewoo Lee.

The Program Chairs are delighted to recognize the outstanding work by Mark
Zhandry and Shweta Agrawal, by awarding them jointly the Best PC Member Award.
Many people have contributed to the success of Asiacrypt 2019. We would like to
thank the authors for submitting their research results to the conference. We are very
grateful to the PC members and external reviewers for contributing their knowledge
and expertise, and for the tremendous amount of work that was done with reading
papers and contributing to the discussions.
We are greatly indebted to Mitsuru Matsui, the general chair, for his efforts and
overall organization.
We thank Mehdi Tibouchi for expertly organizing and chairing the rump session.
We are extremely grateful to Lukas Zobernig for checking all the LaTeX files and for
assembling the files for submission to Springer.
Finally we thank Shai Halevi and the IACR for setting up and maintaining the Web
Submission and Review software, used by IACR conferences for the paper submission
and review process. We also thank Alfred Hofmann, Anna Kramer, Ingrid Haas,
Anja Sebold, Xavier Mathew, and their colleagues at Springer for handling the
publication of these conference proceedings.

December 2019
Steven Galbraith
Shiho Moriai

ASIACRYPT 2019

The 25th Annual International Conference on Theory
and Application of Cryptology and Information Security

Sponsored by the International Association for Cryptologic Research (IACR)

Kobe, Japan, December 8–12, 2019

General Chair
Mitsuru Matsui Mitsubishi Electric Corporation, Japan

Program Co-chairs
Steven Galbraith University of Auckland, New Zealand
Shiho Moriai NICT, Japan

Program Committee
Shweta Agrawal IIT Madras, India
Gorjan Alagic University of Maryland, USA
Shi Bai Florida Atlantic University, USA
Zhenzhen Bao Nanyang Technological University, Singapore
Paulo S. L. M. Barreto UW Tacoma, USA
Lejla Batina Radboud University, The Netherlands
Sonia Belaïd CryptoExperts, France
Olivier Blazy University of Limoges, France
Colin Boyd NTNU, Norway
Xavier Boyen Queensland University of Technology, Australia
Nishanth Chandran Microsoft Research, India
Melissa Chase Microsoft Research, USA
Yilei Chen Visa Research, USA
Chen-Mou Cheng Osaka University, Japan
Nils Fleischhacker Ruhr-University Bochum, Germany
Jun Furukawa NEC Israel Research Center, Israel
David Galindo University of Birmingham and Fetch AI, UK
Romain Gay UC Berkeley, USA
Jian Guo Nanyang Technological University, Singapore
Seokhie Hong Korea University, South Korea
Andreas Hülsing Eindhoven University of Technology, The Netherlands
Takanori Isobe University of Hyogo, Japan
David Jao University of Waterloo and evolutionQ, Inc., Canada

Jérémy Jean ANSSI, France


Elena Kirshanova ENS Lyon, France
Virginie Lallemand CNRS, France
Jooyoung Lee KAIST, South Korea
Helger Lipmaa Simula UiB, Norway
Feng-Hao Liu Florida Atlantic University, USA
Atul Luykx Swirlds Inc., USA
Hemanta K. Maji Purdue, USA
Giorgia Azzurra Marson NEC Laboratories Europe, Germany
Daniel Masny Visa Research, USA
Takahiro Matsuda AIST, Japan
Brice Minaud Inria and ENS, France
David Naccache ENS, France
Kartik Nayak Duke University and VMware Research, USA
Khoa Nguyen Nanyang Technological University, Singapore
Svetla Nikova KU Leuven, Belgium
Carles Padró UPC, Spain
Jiaxin Pan NTNU, Norway, and KIT, Germany
Arpita Patra Indian Institute of Science, India
Thomas Peters UCL, Belgium
Duong Hieu Phan University of Limoges, France
Raphael C.-W. Phan Monash University, Malaysia
Carla Ràfols Universitat Pompeu Fabra, Spain
Ling Ren VMware Research and University of Illinois,
Urbana-Champaign, USA
Yu Sasaki NTT laboratories, Japan
Junji Shikata Yokohama National University, Japan
Ron Steinfeld Monash University, Australia
Qiang Tang New Jersey Institute of Technology, USA
Mehdi Tibouchi NTT Laboratories, Japan
Hoeteck Wee CNRS and ENS, France
Mark Zhandry Princeton University, USA
Fangguo Zhang Sun Yat-sen University, China

Local Organizing Committee


General Chair
Mitsuru Matsui Mitsubishi Electric Corporation, Japan

Honorary Advisor
Tsutomu Matsumoto Yokohama National University, Japan

External Reviewers

Masayuki Abe Megha Byali Oriol Farràs


Parhat Abla Eleonora Cagli Sebastian Faust
Victor Arribas Abril Ignacio Cascudo Prastudy Fauzi
Divesh Aggarwal Pyrros Chaidos Hanwen Feng
Martin Albrecht Avik Chakraborti Samuele Ferracin
Bar Alon Donghoon Chang Dario Fiore
Prabhanjan Ananth Hao Chen Georg Fuchsbauer
Elena Andreeva Jie Chen Thomas Fuhr
Yoshinori Aono Long Chen Eiichiro Fujisaki
Daniel Apon Ming-Shing Chen Philippe Gaborit
Toshinori Araki Qian Chen Tatiana Galibus
Seiko Arita Jung Hee Cheon Chaya Ganesh
Tomer Ashur Céline Chevalier Daniel Gardham
Nuttapong Attrapadung Ilaria Chillotti Luke Garratt
Man Ho Allen Au Wonhee Cho Pierrick Gaudry
Benedikt Auerbach Wonseok Choi Nicholas Genise
Saikrishna Wutichai Chongchitmate Esha Ghosh
Badrinarayanan Jérémy Chotard Satrajit Ghosh
Vivek Bagaria Arka Rai Choudhuri Kristian Gjøsteen
Josep Balasch Sherman Chow Aarushi Goel
Gustavo Banegas Michele Ciampi Huijing Gong
Laasya Bangalore Michael Clear Junqing Gong
Subhadeep Banik Thomas De Cnudde Alonso González
Achiya Bar-On Benoît Cogliati Dahmun Goudarzi
Manuel Barbosa Sandro Coretti-Drayton Rishabh Goyal
James Bartusek Edouard Cuvelier Jiaxin Guan
Carsten Baum Jan Czajkowski Aurore Guillevic
Arthur Beckers Dana Dachman-Soled Chun Guo
Rouzbeh Behnia Joan Daemen Kaiwen Guo
Francesco Berti Nilanjan Datta Qian Guo
Alexandre Berzati Gareth T. Davies Mohammad Hajiabadi
Ward Beullens Patrick Derbez Carmit Hazay
Shivam Bhasin Apporva Deshpande Jingnan He
Nina Bindel Siemen Dhooghe Brett Hemenway
Nicolas Bordes Christoph Dobraunig Nadia Heninger
Jannis Bossert Rafael Dowsley Javier Herranz
Katharina Boudgoust Yfke Dulek Shoichi Hirose
Christina Boura Avijit Dutta Harunaga Hiwatari
Florian Bourse Sébastien Duval Viet Tung Hoang
Zvika Brakerski Keita Emura Justin Holmgren
Anne Broadbent Thomas Espitau Akinori Hosoyamada
Olivier Bronchain Xiong Fan Kexin Hu
Leon Groot Bruinderink Antonio Faonio Senyang Huang

Yan Huang Jason LeGrow Kirill Morozov


Phi Hun ByeongHak Lee Fabrice Mouhartem
Aaron Hutchinson Changmin Lee Pratyay Mukherjee
Chloé Hébant Keewoo Lee Pierrick Méaux
Kathrin Hövelmanns Kwangsu Lee Yusuke Naito
Ilia Iliashenko Youngkyung Lee Mridul Nandi
Mitsugu Iwamoto Dominik Leichtle Peter Naty
Tetsu Iwata Christopher Leonardi María Naya-Plasencia
Zahra Jafargholi Tancrède Lepoint Anca Niculescu
Christian Janson Gaëtan Leurent Ventzi Nikov
Ashwin Jha Itamar Levi Takashi Nishide
Dingding Jia Baiyu Li Ryo Nishimaki
Sunghyun Jin Yanan Li Anca Nitulescu
Charanjit S. Jutla Zhe Li Ariel Nof
Mustafa Kairallah Xiao Liang Sai Lakshmi Bhavana
Saqib A. Kakvi Benoît Libert Obbattu
Marc Kaplan Fuchun Lin Kazuma Ohara
Emrah Karagoz Rachel Lin Emmanuela Orsini
Ghassan Karame Wei-Kai Lin Elena Pagnin
Shuichi Katsumata Eik List Wenlun Pan
Craig Kenney Fukang Liu Omer Paneth
Mojtaba Khalili Guozhen Liu Bo Pang
Dakshita Khurana Meicheng Liu Lorenz Panny
Duhyeong Kim Qipeng Liu Jacques Patarin
Hyoseung Kim Shengli Liu Sikhar Patranabis
Sam Kim Zhen Liu Alice Pellet-Mary
Seongkwang Kim Alex Lombardi Chun-Yo Peng
Taechan Kim Julian Loss Geovandro Pereira
Agnes Kiss Jiqiang Lu Olivier Pereira
Fuyuki Kitagawa Xianhui Lu Léo Perrin
Michael Kloob Yuan Lu Naty Peter
François Koeune Lin Lyu Cécile Pierrot
Lisa Kohl Fermi Ma Jeroen Pijnenburg
Stefan Kölbl Gilles Macario-Rat Federico Pintore
Yashvanth Kondi Urmila Mahadev Bertram Poettering
Toomas Krips Monosij Maitra David Pointcheval
Veronika Kuchta Christian Majenz Yuriy Polyakov
Nishant Kumar Nikolaos Makriyannis Eamonn Postlethwaite
Noboru Kunihiro Giulio Malavolta Emmanuel Prouff
Po-Chun Kuo Sogol Mazaheri Pille Pullonen
Kaoru Kurosawa Bart Mennink Daniel Puzzuoli
Ben Kuykendall Peihan Miao Chen Qian
Albert Kwon Shaun Miller Tian Qiu
Qiqi Lai Kazuhiko Minematsu Willy Quach
Baptiste Lambin Takaaki Mizuki Håvard Raddum
Roman Langrehr Amir Moradi Ananth Raghunathan

Somindu Ramanna Boris Skoric Alexandre Wallet


Kim Ramchen Maciej Skórski Michael Walter
Shahram Rasoolzadeh Yongsoo Song Han Wang
Mayank Rathee Pratik Soni Haoyang Wang
Divya Ravi Claudio Soriente Junwei Wang
Joost Renes Florian Speelman Mingyuan Wang
Angela Robinson Akshayaram Srinivasan Ping Wang
Thomas Roche François-Xavier Standaert Yuyu Wang
Miruna Rosca Douglas Stebila Zhedong Wang
Mélissa Rossi Damien Stehlé Yohei Watanabe
Mike Rosulek Patrick Struck Gaven Watson
Yann Rotella Valentin Suder Weiqiang Wen
Arnab Roy Bing Sun Yunhua Wen
Luis Ruiz-Lopez Shifeng Sun Benjamin Wesolowski
Ajith Suresh Siwei Sun Keita Xagawa
Markku-Juhani Jaechul Sung Zejun Xiang
O. Saarinen Daisuke Suzuki Hanshen Xiao
Yusuke Sakai Katsuyuki Takashima Shota Yamada
Kazuo Sakiyama Benjamin Hong Meng Takashi Yamakawa
Amin Sakzad Tan Kyosuke Yamashita
Louis Salvail Stefano Tessaro Avishay Yanai
Simona Samardjiska Adrian Thillard Guomin Yang
Pratik Sarkar Yan Bo Ti Kan Yasuda
Christian Schaffner Jean-Pierre Tillich Masaya Yasuda
John Schanck Radu Ţiţiu Aaram Yun
Berry Schoenmakers Yosuke Todo Alexandros Zacharakis
Peter Scholl Junichi Tomida Michal Zajac
André Schrottenloher Viet Cuong Trinh Bin Zhang
Jacob Schuldt Rotem Tsabary Cong Zhang
Sven Schäge Hikaru Tsuchida En Zhang
Sruthi Sekar Yi Tu Huang Zhang
Srinath Setty Nirvan Tyagi Xiao Zhang
Yannick Seurin Bogdan Ursu Zheng Zhang
Barak Shani Damien Vergnaud Chang-An Zhao
Yaobin Shen Jorge Luis Villar Raymond K. Zhao
Sina Shiehian Srinivas Vivek Yongjun Zhao
Kazumasa Shinagawa Christine van Vredendaal Yuanyuan Zhou
Janno Siim Satyanarayana Vusirikala Jiamin Zhu
Javier Silva Sameer Wagh Yihong Zhu
Mark Simkin Hendrik Waldner Lukas Zobernig
Contents – Part I

Invited Talk

Streamlined Blockchains: A Simple and Elegant Approach (A Tutorial and Survey)
Elaine Shi

Best Paper

Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes
Thomas Debris-Alazard, Nicolas Sendrier, and Jean-Pierre Tillich

Lattices (1)

Middle-Product Learning with Rounding Problem and Its Applications
Shi Bai, Katharina Boudgoust, Dipayan Das, Adeline Roux-Langlois, Weiqiang Wen, and Zhenfei Zhang

A Novel CCA Attack Using Decryption Errors Against LAC
Qian Guo, Thomas Johansson, and Jing Yang

Towards Attribute-Based Encryption for RAMs from LWE: Sub-linear Decryption, and More
Prabhanjan Ananth, Xiong Fan, and Elaine Shi

Symmetric Cryptography

4-Round Luby-Rackoff Construction is a qPRP
Akinori Hosoyamada and Tetsu Iwata

Indifferentiability of Truncated Random Permutations
Wonseok Choi, Byeonghak Lee, and Jooyoung Lee

Anomalies and Vector Space Search: Tools for S-Box Analysis
Xavier Bonnetain, Léo Perrin, and Shizhu Tian

Isogenies (1)

CSI-FiSh: Efficient Isogeny Based Signatures Through Class Group Computations
Ward Beullens, Thorsten Kleinjung, and Frederik Vercauteren

Verifiable Delay Functions from Supersingular Isogenies and Pairings
Luca De Feo, Simon Masson, Christophe Petit, and Antonio Sanso

Strongly Secure Authenticated Key Exchange from Supersingular Isogenies
Xiu Xu, Haiyang Xue, Kunpeng Wang, Man Ho Au, and Song Tian

Obfuscation

Dual-Mode NIZKs from Obfuscation
Dennis Hofheinz and Bogdan Ursu

Output Compression, MPC, and iO for Turing Machines
Saikrishna Badrinarayanan, Rex Fernando, Venkata Koppula, Amit Sahai, and Brent Waters

Collusion Resistant Watermarking Schemes for Cryptographic Functionalities
Rupeng Yang, Man Ho Au, Junzuo Lai, Qiuliang Xu, and Zuoxia Yu

Multiparty Computation (1)

Valiant’s Universal Circuits Revisited: An Overall Improvement and a Lower Bound
Shuoyao Zhao, Yu Yu, Jiang Zhang, and Hanlin Liu

The Broadcast Message Complexity of Secure Multiparty Computation
Sanjam Garg, Aarushi Goel, and Abhishek Jain

Beyond Honest Majority: The Round Complexity of Fair and Robust Multi-party Computation
Arpita Patra and Divya Ravi

Card-Based Cryptography Meets Formal Verification
Alexander Koch, Michael Schrempp, and Michael Kirsten

Quantum

Quantum Algorithms for the Approximate k-List Problem and Their Application to Lattice Sieving
Elena Kirshanova, Erik Mårtensson, Eamonn W. Postlethwaite, and Subhayan Roy Moulik

Quantum Attacks Without Superposition Queries: The Offline Simon’s Algorithm
Xavier Bonnetain, Akinori Hosoyamada, María Naya-Plasencia, Yu Sasaki, and André Schrottenloher

Quantum Random Oracle Model with Auxiliary Input
Minki Hhan, Keita Xagawa, and Takashi Yamakawa

QFactory: Classically-Instructed Remote Secret Qubits Preparation
Alexandru Cojocaru, Léo Colisson, Elham Kashefi, and Petros Wallden

E-cash and Blockchain

Quisquis: A New Design for Anonymous Cryptocurrencies
Prastudy Fauzi, Sarah Meiklejohn, Rebekah Mercer, and Claudio Orlandi

Divisible E-Cash from Constrained Pseudo-Random Functions
Florian Bourse, David Pointcheval, and Olivier Sanders

Author Index

Invited Talk

Streamlined Blockchains: A Simple and Elegant Approach (A Tutorial and Survey)

Elaine Shi
Cornell University, Ithaca, USA
runting@gmail.com

Abstract. A blockchain protocol (also called state machine replication)
allows a set of nodes to agree on an ever-growing, linearly ordered log of
transactions. The classical consensus literature suggests two approaches for
constructing a blockchain protocol: (1) through composition of single-shot
consensus instances often called Byzantine Agreement; and (2) through
direct construction of a blockchain where there is no clear-cut boundary
between single-shot consensus instances. While conceptually simple,
the former approach precludes cross-instance optimizations in a practical
implementation. This perhaps explains why the latter approach has gained
more traction in practice: specifically, well-known protocols such as Paxos
and PBFT all follow the direct-construction approach.
In this tutorial, we present a new paradigm called “streamlined
blockchains” for directly constructing blockchain protocols. This paradigm
enables a new family of protocols that are extremely simple and natural:
every epoch, a proposer proposes a block extending from a notarized parent
chain, and nodes vote if the proposal’s parent chain is not too old. Whenever
a block gains enough votes, it becomes notarized. Whenever a node
observes a notarized chain with several blocks of consecutive epochs at the
end, then the entire chain chopping off a few blocks at the end is final.
By varying the parameters highlighted in blue, we illustrate two variants
for the partially synchronous and synchronous settings respectively.
We present very simple proofs of consistency and liveness. We hope that
this tutorial provides a compelling argument why this new family of protocols
should be used in lieu of classical candidates (e.g., PBFT, Paxos,
and their variants), both in practical implementation and for pedagogical
purposes.

1 Introduction
In a blockchain protocol, a set of nodes seek to reach agreement on an
ever-growing, linearly ordered log. It is helpful to think of this log as an ordered chain
of blocks where each block may contain application-specific payload as well as
metadata pertaining to the consensus protocol, and hence the name blockchain.
In this tutorial, we consider how to construct a blockchain protocol in a
“permissioned” setting, assuming the existence of a public-key infrastructure
and that the public key of every consensus node is common knowledge. This is
also the classical setting under which consensus has been studied for more
than three decades. Classically, this problem was often called “State Machine
Replication” [12,13,15] or “Byzantine Fault Tolerance” [3,9]. In this work, we
also refer to it as “consensus” for short.

© International Association for Cryptologic Research 2019
S. D. Galbraith and S. Moriai (Eds.): ASIACRYPT 2019, LNCS 11921, pp. 3–17, 2019.
https://doi.org/10.1007/978-3-030-34578-5_1

Such permissioned blockchains can serve as the cornerstone not only for a
private, consortium blockchain, but also for building open-access “proof-of-stake”
systems. In a proof-of-stake setting, a set of nodes (called a committee) are
elected based on their stake in the system to vote in the consensus protocol. The
election is typically repeated over time, using the blockchain protocol itself to
agree on the next committee (and assuming the existence of an initial committee
that is common knowledge).
The goal of this tutorial is to illustrate a new paradigm called “streamlined
blockchains” that enables extremely simple and natural blockchain constructions.
This new paradigm emerged as a result of the community’s joint push at
building better consensus protocols in the past few years, motivated by
large-scale cryptocurrency applications. Elements of this idea were developed and
improved in a sequence of works, including Casper-FFG [16], Dfinity [8],
Hotstuff [1], Pili [5] and Pala [4], but understanding of this line of work still appears
somewhat “scattered”.
In this tutorial, we hope to describe the simplest possible embodiments of
this idea, with concise and clean proofs that are suitable for pedagogy. We hope
that this tutorial helps to illustrate the most compelling advantage of this new
paradigm, i.e., its conceptual simplicity, making the resulting protocols desirable
for practical implementation. We also contrast this new paradigm with classical
blockchain constructions represented by Paxos [9], PBFT [3], and their variants.
We hope that this will shed light on how the community’s push in the past few
years has enabled a leap: we now have practical blockchain constructions that
are significantly simpler and fundamentally better than classical approaches.

1.1 Problem Statement

Slightly informally, we would like to construct a blockchain protocol satisfying
two properties for all but a negligible fraction of executions:

• Consistency: if two blockchains chain and chain′ are ever considered final by
two honest nodes, it must be that chain ⪯ chain′ or chain′ ⪯ chain, where ⪯
means “is a prefix of or equal to”.
• Liveness: if an honest node receives a transaction, the transaction will appear
in every honest node’s finalized blockchain in a bounded amount of time.

In a cryptocurrency application, all transactions contained in a final chain are
considered confirmed and the merchant may ship the product. If all nodes are
honest and always correctly follow the prescribed protocol, then designing a
blockchain protocol is trivial. We consider a setting where a subset of the nodes
can be corrupt; corrupt nodes are controlled by a single adversary and they can
deviate from the protocol arbitrarily—such a fault model is commonly referred
to as Byzantine Faults in the classical distributed consensus literature.
In general, we can construct a blockchain protocol in two ways: (1) through
composition of single-shot consensus instances; and (2) direct construction of a
blockchain protocol where there is no clearly defined boundary between
consensus instances. From a historical perspective, the study of distributed consensus
in fact originated from the study of one-shot consensus protocols, often called
Byzantine Agreement [10]. While composing single-shot instances is a
conceptually clean approach towards building a blockchain, cross-instance performance
optimizations are often challenging. This is arguably why later approaches such
as Paxos and PBFT and their variants—also coinciding with most deployed
systems—adopt the direct-construction approach. In this tutorial we will also
focus on the direct-construction approach.

1.2 Classical Blockchain Protocols: A Bi-modal Approach

Most approaches in the classical consensus literature adopt a bi-model approach.


We illustrate the idea assuming that fewer than n/3 nodes are corrupt where n
denotes the total number of nodes1 .

1.2.1 Normal Mode: A Natural Voting Protocol


The normal mode is simple and natural and works by super-majority voting. We
shall explain the idea semi-formally, since this is the nice part of the protocol we
would like to preserve in our new paradigm. Recall that every block is part of a
blockchain and henceforth its index within the blockchain is called its position.
We assume that every block encodes its own position.
Imagine that a designated proposer proposes blocks, and nodes vote on the
proposed blocks by signing the block’s hash. Whenever a block gains votes from
at least 2n/3 distinct nodes, it becomes final. If in a blockchain every block is
final, then the chain is considered final too.
An important invariant is that an honest node never votes for two distinct
blocks at the same position (even if the proposer is corrupt and proposes multiple
blocks at the same position). This enforces consistency at every position, i.e., at
each position, there cannot be two different blocks both gaining at least 2n/3
votes. The proof of consistency is extremely simple: suppose that two different
blocks at the same position both gain at least 2n/3 votes. It must be that a
set of at least 2n/3 distinct nodes denoted S1 have voted for one, and a set
of at least 2n/3 distinct nodes denoted S2 have voted for the other. Obviously
|S1 ∩ S2 | ≥ 2n/3 + 2n/3 − n = n/3. Since fewer than n/3 nodes are corrupt, it
must be that an honest node lives in the intersection S1 ∩ S2 and has voted for
both blocks at the same position—but this is ruled out by the aforementioned
invariant.

Footnote 1: Our exposition in spirit illustrates the ideas behind most classical
blockchain constructions although our exposition is not necessarily faithful to
any particular protocol. In fact, we give a simplified exposition of the technical
ideas to maximally aid understanding.

Such a normal-mode protocol is extremely simple and natural, and it gives
consistency as long as fewer than n/3 nodes are corrupt; and moreover, consis-
tency does not rely on the proposer being honest. However, if the proposer is
corrupt, e.g., if it stops making proposals or makes different proposals to dif-
ferent nodes, then liveness can be stalled and the blockchain can stop growing.
We note also that here, consistency is guaranteed without having to make any
network timing assumptions such as synchrony assumptions.

1.2.2 Recovery Mode: Ensuring Liveness


Given the aforementioned normal-mode protocol, the only remaining problem
is how to achieve liveness when the proposer is corrupt. We informally explain
how classical protocols deal with this problem without going into details, since
this is the complicated part of classical approaches that we would ideally like to
get rid of.
Most classical protocols such as Paxos, PBFT and their variants solve this
problem by falling back to a recovery mode (often called “view change”) when-
ever liveness is stalled. Typically the view change implements a mechanism to
rotate to the next proposer such that progress can be resumed. Thus a view can
be regarded as a phase of the protocol in which a specific node acts as the pro-
poser. Without going into details, and perhaps unsurprisingly, from a technical
standpoint the view change protocol must be a full-fledged consensus protocol
offering both consistency and liveness (c.f. the normal mode guarantees only
consistency assuming fewer than n/3 corrupt).
At an intuitive level, this perhaps explains why in most classical consensus
approaches, the view change is often much more complicated to understand
and subtle to implement correctly than the normal mode. In fact, the need for
such a recovery mode often imposes more requirements on the normal mode
too—and this is why most actual instantiations of this bi-modal idea such as
Paxos and PBFT introduce more iterations of voting in the normal mode (unlike
our earlier description that has only one iteration of voting). Very roughly, the
additional iterations of voting in the normal mode give amplified properties that
the recovery mode can make use of.

1.3 Streamlined Blockchains: A New Paradigm

Classical approaches are somewhat undesirable because most of the time we
expect that the protocol should operate in the normal mode (since faults should
not happen very often); however, the conceptual complications and the
heavy-lifting in implementation stem from the complicated recovery path. Ideally, we
would like to achieve the following holy grail:

Can we have a blockchain protocol that is (almost) as simple as the normal
mode?

Amazingly, it turns out that this is in fact possible! All the protocols we
describe in this tutorial, for different settings, can be obtained by making
small tweaks to the aforementioned normal-path voting protocol. Through these
tweaks we now offer not just consistency but also liveness and thus there is no
need for a separate recovery mode! Specifically, the entire protocol always follows
a unified propose-vote paradigm as described below:
• Every epoch, a proposer proposes a block extending from a parent chain.
Every block encodes its own epoch.
• Nodes vote on the proposed block if they have seen the parent chain’s nota-
rization and if the parent chain is not too old (where “old” means that the
block contains a small epoch number, and we will specify the concrete param-
eter in the later sections).
• Whenever a block gains sufficiently many votes, it becomes notarized.
• Notarized does not mean final. Finality is determined as follows: if all blocks
in a blockchain are notarized and the chain ends at several blocks of consecutive
epochs, then the entire chain, with the trailing few blocks chopped off, is
considered final.
We show how to use this simple paradigm to obtain protocols under various
network assumptions, by modifying the parameters highlighted in blue, and by
slightly varying a couple other details such as how epochs are determined for
different settings.

So What Became of the View Change? As mentioned earlier, in classical
approaches the view change was necessary to attain liveness under a corrupt
proposer. So technically, how can we achieve both consistency and liveness without
the view change? In the streamlined blockchain paradigm described in this tuto-
rial, basically every epoch embeds a proposer-rotation opportunity, and thus
an implicit view change mechanism is already inherently baked in the proto-
col everywhere. This is arguably the coolest feature of this new paradigm: we
show that the traditionally complicated view change can be embedded into an
extremely simple paradigm by small tweaks to the normal-path voting protocol.
For this reason, another advantage of our streamlined blockchain protocols is
that they readily support two distinct proposer-rotation policies: the democracy-
favoring policy where one wishes to rotate proposer every block; and the classi-
cal stability-favoring policy (adopted by classical approaches such as Paxos and
PBFT) where we stick to the same proposer until it starts to misbehave. In new
cryptocurrency applications, the democracy-favoring policy may be more desired
due to better decentralization; however, a stability-favoring policy is likely more
friendly towards performance optimizations.
Throughout this paper, we use the democracy-favoring policy for exposition.
Some recent works [4,5] have shown how minor tweaks to the protocol can
support a stability-favoring policy (see footnote 2).

Footnote 2: Author’s note: even if the syntactical changes to the protocol are minor,
it is important that they be done correctly since some additional subtleties arise in
the liveness proof for a stability-favoring policy. See the recent works [4, 5] for
more explanation.

2 A Blockchain Tolerating <1/3 Corruptions


Recall that we consider a network consisting of n nodes numbered 0, 1, . . . , n − 1
respectively. We assume that there is a public-key infrastructure such that all
nodes’ public keys are common knowledge. In this section we shall assume that
fewer than n/3 nodes are corrupt. In our protocol, whenever a node multicasts
a message to everyone, it means it sends this message to every node.

Delay Parameter Δ. The protocol is parametrized with a parameter Δ which
captures our a-priori guess of the maximum message delay. We will prove that
consistency holds even if our guess of Δ is wrong and network delays
are arbitrary. However, liveness only holds during “periods of synchrony”, i.e.,
periods in which honest messages are delivered in at most Δ rounds.
Remark 1. Although we assume that time progresses in discrete rounds in this
tutorial, all the results still hold if the round is infinitesimally small, i.e., if time
is continuous. We assume that all nodes have local clocks that increment per
round. Since clock offsets can be absorbed by the network delay, our consistency
proof holds even if clock offsets between nodes are arbitrarily large. However,
unsynchronized clocks may stall liveness by preventing a period of synchrony
from happening.

2.1 Valid Blockchain and Freshness


Our protocol will progress in epochs where each epoch contains 2Δ rounds, i.e.,
long enough for honest nodes to make a round trip during a period of synchrony.

Valid Blockchain. A blockchain, often denoted chain, is an ordered sequence
of blocks. Each block chain[] where  ≥ 0 is of the format (e, TXs, h−1 ), where
e encodes the epoch number, TXs is application-specific payload (e.g., a set of
transactions to confirm), and h−1 is the parent block’s hash. In a valid blockchain
chain, the 0-th block must be a special genesis block of the form (0, ⊥, ⊥).
When we define a chain’s length denoted |chain|, it does not count the genesis
block. This way, the chain’s length is the same as the index of the last block.
Henceforth for  ≥ 0, we use the notation chain[: ] to denote the prefix of the
blockchain up to the -th block and chain[: −] is an alias for chain[: m − ] where
m := |chain| denotes the length of the blockchain. Similarly, chain[−] is an alias
for chain[m − ].
For a blockchain chain to be valid, all the blocks must have strictly increasing
epoch numbers, and moreover for every  ≥ 0, the block chain[].h−1 must be
equal to H(chain[:  − 1]). In our protocol, all protocol messages containing ill-
formed blockchains are immediately discarded.

Freshness. For a blockchain chain, the larger chain[−1].e is the fresher chain is.
Formally, we say that chain is fresher than chain if chain[−1].e > chain [−1].e.
For a blockchain chain, chain[−1].e is also said to be the blockchain chain’s epoch
number.

2.2 Protocol
Now, imagine that the protocol proceeds in epochs numbered 1, 2, . . .. Each epoch
is 2Δ rounds, i.e., the maximum round-trip delay during a period of synchrony. In
each epoch e ∈ {1, 2, . . .}, we use a hash function H∗ (i.e., a random oracle) to
select a random node (H∗(e) mod n) to be the designated proposer—note that
here we are using a democracy-favoring proposer-rotation policy as an example.
The protocol proceeds as follows where we assume that a node always signs
every message it wants to send, and that every valid message must be tagged with
the purported sender; further, nodes discard messages with invalid signatures.
The notation “ ” denotes a wildcard field.
Notarization: A valid vote for chain from node i is a valid signature from
node i on H(chain) where H is a global hash function chosen at random from a
collision-resistant hash family upfront. A collection of at least 2n/3 votes from
distinct nodes on some chain is said to be a notarization for chain.

For each epoch e = 1, 2, . . .:

• Propose: At the beginning of the epoch, node (H∗(e) mod n) proposes
a new block B := (e, TXs, h−1 ) extending the freshest notarized chain in
its view denoted chain. Here TXs denotes a set of outstanding transactions
to confirm and h−1 = H(chain). The proposal, containing chain||B and a
notarization for chain, is signed and multicast to everyone—here chain is
referred to as the parent chain of B.
• Vote: Every node performs the following: when the first valid proposal of
the form chain||(e, , ) is received from node (H∗(e) mod n) with a valid
notarization on chain, vote on the proposal iff chain is at least as fresh as
the freshest notarized chain the node has observed at the beginning of the
previous epoch or if the current epoch e = 1.
To vote on chain||B, simply multicast a signature on the value H(chain||B)
to everyone.

Finalization: At any time, if a notarized chain has been observed ending at
three consecutive epochs, then chain[: −2] is considered final.

Remark 2 (Block and chain as aliases of each other). Suppose that there are no
hash collisions, then due to the structure of the blockchain where every block must
refer to its parent’s hash, in fact a block chain[] and the chain chain[: ] can be used
interchangeably, since the block chain[] uniquely defines the entire prefix chain[: ].
Therefore, henceforth whenever convenient, we use “a vote or a notarization for
chain[]” and “a vote or notarization for chain[: ]” interchangeably.
Remark 3 (Practical considerations). The above protocol is described in a way
that maximizes conceptual simplicity. In practice, a couple of obvious optimiza-
tions can be made. First, the hash H can be computed incrementally by hashing
the parent block’s hash and the current block’s contents. Second, the proposer
need not include the entire parent chain in the proposal, it suffices to include
the hash h−1 = H(chain). When a proposal is received, if the recipient has not
received a parent chain consistent with h−1 , it buffers this proposal until it has
received a consistent parent chain.
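
The propose-vote-finalize rules of Sect. 2.2, as an added Python sketch (not code from the tutorial or from the Pala project). Assumptions: signatures are taken as already verified, SHA-256 stands in for both H and the random oracle H∗, a notarization is checked against votes the node has already received rather than carried in the proposal, and the names `Node`, `leader`, `run` and the `silent` parameter are hypothetical.

```python
import hashlib

GENESIS = (0, None, None)        # (e, TXs, h_-1); None stands in for ⊥

def H(chain):
    # The last block carries its parent's hash, so hashing it commits to the
    # whole chain (the incremental hashing mentioned in Remark 3).
    return hashlib.sha256(repr(chain[-1]).encode()).hexdigest()

def leader(e, n):
    # Stand-in for H*(e) mod n; SHA-256 replaces the random oracle (assumption).
    return int.from_bytes(hashlib.sha256(b"leader%d" % e).digest(), "big") % n

def extend(chain, e, txs):
    return chain + [(e, txs, H(chain))]

def is_valid(chain):
    # Genesis first, strictly increasing epochs, correct parent hashes.
    if not chain or chain[0] != GENESIS:
        return False
    return all(chain[i][0] > chain[i - 1][0] and chain[i][2] == H(chain[:i])
               for i in range(1, len(chain)))

class Node:
    def __init__(self, ident, n):
        self.id, self.n = ident, n
        self.votes = {}          # H(chain) -> ids of nodes that voted for it
        self.known = {}          # H(chain) -> chain, for every valid proposal seen
        self.handled = set()     # epochs whose first valid proposal was processed
        self.seen_at_start = {}  # epoch -> epoch of freshest notarized chain then

    def notarized(self, chain):
        # Every non-genesis prefix needs votes from at least 2n/3 distinct nodes.
        return all(3 * len(self.votes.get(H(chain[:i + 1]), ())) >= 2 * self.n
                   for i in range(1, len(chain)))

    def freshest(self):
        best = [GENESIS]
        for c in self.known.values():
            if self.notarized(c) and c[-1][0] > best[-1][0]:
                best = c
        return best

    def start_epoch(self, e):
        self.seen_at_start[e] = self.freshest()[-1][0]

    def on_proposal(self, sender, chain, e):
        """Return True iff this node votes for the proposed chain||B."""
        if (sender != leader(e, self.n) or len(chain) < 2
                or not is_valid(chain) or chain[-1][0] != e):
            return False
        self.known[H(chain)] = chain
        parent = chain[:-1]
        if e in self.handled or not self.notarized(parent):
            return False
        self.handled.add(e)      # one vote decision per epoch, on the first proposal
        return e == 1 or parent[-1][0] >= self.seen_at_start.get(e - 1, 0)

    def on_vote(self, voter, chain_hash):
        self.votes.setdefault(chain_hash, set()).add(voter)

    def finalized(self):
        # Longest chain[:-2] over notarized chains ending at 3 consecutive epochs.
        best = [GENESIS]
        for c in self.known.values():
            if (len(c) >= 3 and self.notarized(c)
                    and c[-1][0] == c[-2][0] + 1 == c[-3][0] + 2
                    and len(c) - 2 > len(best)):
                best = c[:-2]
        return best

def run(n, epochs, silent=()):
    """Instant delivery to all nodes; in `silent` epochs the proposer sends nothing."""
    nodes = [Node(i, n) for i in range(n)]
    for e in range(1, epochs + 1):
        for nd in nodes:
            nd.start_epoch(e)
        if e in silent:
            continue
        p = leader(e, n)
        proposal = extend(nodes[p].freshest(), e, ("tx%d" % e,))
        voters = [nd.id for nd in nodes if nd.on_proposal(p, proposal, e)]
        for nd in nodes:
            for v in voters:
                nd.on_vote(v, H(proposal))
    return nodes

if __name__ == "__main__":
    for label, nodes in (("all proposers active", run(4, 6)),
                         ("epoch-3 proposer silent", run(4, 6, silent={3}))):
        print(label, "notarized epochs:", [b[0] for b in nodes[0].freshest()],
              "final epochs:", [b[0] for b in nodes[0].finalized()])
```

A silent proposer in epoch 3 leaves a gap in the epoch sequence, so nothing beyond genesis is final until three consecutive epochs (4, 5, 6) are notarized; no view change is run at any point.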

2.3 Consistency Proof


We now present a very simple consistency proof. Recall that the adversary con-
trols strictly fewer than n/3 nodes. Throughout, we assume that the signature
and hash schemes are ideal, i.e., the adversary cannot forge honest nodes’ signa-
tures or find hash collisions. Technically we are removing from our consideration
the negligible fraction of bad executions in which an honest node’s signature is
forged or hash collisions are found—all the lemmas and theorems below hold for
all but the negligible fraction of such bad executions.
We say that some string is in honest view iff some honest node observes it at
some point during the execution. The following simple lemma is in fact already
proven in Sect. 1, but we restate it for completeness.
A simple fact is the following: if there is a notarization for chain in honest
view, there must be a notarization for chain[: −1] in honest view since if not, no
honest node would have voted for chain and chain cannot gain notarization in
honest view. Applying this argument inductively, if there is a notarization of
chain in honest view then there must be a notarization of every prefix of chain
in honest view.

Lemma 2.1 (Uniqueness per epoch). There cannot be two different blocks of
epoch e both notarized in honest view.

Proof. Suppose that two different blocks B1 and B2 of epoch e both gained
notarization in honest view. Let S1 be the set of at least 2n/3 nodes who have
signed B1 and let S2 be the set of at least 2n/3 nodes who have signed B2 . It
must be that |S1 ∩ S2 | ≥ 2n/3 + 2n/3 − n = n/3. This means that at least one
honest node is in S1 ∩ S2 , and this honest node must have signed both B1 and B2
in epoch e. By our protocol definition, every honest node signs only one epoch-e
block in each epoch e. Thus we have reached a contradiction. 


Theorem 2.2 (Consistency). Suppose that chain and chain are notarized chains
in honest view both ending at three consecutive epochs, it must be that chain[:
−2]  chain [: −2] or chain [: −2]  chain[: −2].

Proof. Suppose that chain ends with three blocks of epochs e − 2, e − 1, and
e, and chain ends with three blocks of epochs e − 2, e − 1, and e . Without
loss of generality, assume that e ≥ e. For the sake of reaching a contradiction,
suppose that chain[: −2] and chain [: −2] are not prefixes of each other. Due
to Lemma 2.1, chain cannot have a block at epochs e − 2, e − 1, or e; since
otherwise chain [: −2] must contain the prefix chain[: −2] which ends at a block
of epoch e − 2. Therefore, there is some block in chain with an epoch number
greater than e. Let e > e be the smallest epoch number greater than e in chain ,
and let chain [] be the block in chain with epoch number e . It must be that
chain [ − 1] has epoch smaller than e − 2.
Since (every prefix of) chain gained notarization in honest view, it must be
that at least 2n/3 distinct nodes have signed the block chain[−1] of epoch e − 1,
meaning that more than n/3 honest nodes have signed this block. Moreover,
honest nodes can only sign this block in epoch e − 1. This means that more than
n/3 honest nodes have observed a notarization for chain[: −2] of epoch e − 2 in
epoch e − 1, i.e., before the beginning of epoch e—let S denote this set of more
than n/3 honest nodes. The set S therefore will not vote for chain [] in epoch
e > e which extends from a parent chain of epoch less than e − 2; and thus
chain [] cannot have gained notarization in honest view. 


2.4 Liveness Proof

Message Delivery Assumption During Periods of Synchrony. As mentioned
earlier, a period of synchrony is a period with good network conditions
such that all messages sent by honest nodes are delivered to the recipients within
at most Δ rounds.
Without loss of generality, we shall assume that every honest node always
echoes (i.e., multicasts) every fresh message as soon as it is observed. Thus, during
a period of synchrony, the following holds:

If an honest node has observed a message m in round t, then all honest nodes
must have observed m by the beginning of round t + Δ if not earlier.

Liveness Proof. Suppose a period of synchrony eventually takes place. We
now prove liveness during such a period of synchrony. Specifically, we prove
that during a period of synchrony, honest nodes’ finalized blockchains will grow
whenever there are 3 consecutive epochs with honest proposers (note that under
random proposer election, this takes O(1) number of epochs in expectation).
To see this, it suffices to show that every honest node will vote on the pro-
posal of an honest proposer—since an honest proposer makes a proposal at the
beginning of the epoch e, as long as every honest node votes on it, the honest
votes will have been received by all honest nodes by the beginning of epoch e+1;
and thus epoch (e + 1)’s proposer, if honest, will propose to extend a notarized
chain ending at epoch e + 1. We now prove this.
If an honest node i rejects a proposal from an honest proposer j, it must
be that the proposed block extends from a parent chain that is less fresh than
the freshest notarized chain (denoted chain∗ ) observed at the beginning of the
previous epoch. However, if i has observed chain∗ at the beginning of the previous
epoch, then due to the message delivery assumption during a period of synchrony,
by the beginning of this epoch, node j must have observed it and thus j cannot
have proposed to extend from a less fresh parent chain.

Remark 4. Alternatively, we can modify the proposer rotation policy for the
same node to serve as a proposer for three consecutive epochs. In this case,
progress will be made whenever an honest proposer makes proposals for 3 con-
secutive epochs.

3 A Synchronous Blockchain Tolerating Minority Corruptions

In the previous section, we presented a streamlined blockchain protocol whose
consistency guarantee holds with arbitrary network delays, but whose liveness
guarantee may hold only during periods of synchrony—such protocols are said
to be secure in a “partially synchronous” network [6]. Due to a well-known lower
bound by Dwork et al. [6], no partially synchronous protocol can tolerate n/3
or more corruptions, and therefore the protocol in the previous section is in fact
optimal in resilience.
In this section we illustrate another streamlined blockchain protocol that
tolerates up to minority corruptions. To achieve this, however, we must make
a synchrony assumption even for the consistency proof. Recall that earlier in
Sect. 2.4 we made the following synchrony assumption for proving liveness:

If an honest node has observed a message m in round t, then all honest nodes
must have observed m by the beginning of round t + Δ if not earlier.

In this section, we shall make this assumption for proving both consistency and
liveness.

Remark 5. The consensus problem would be trivial if all honest nodes must
observe every message m in the same round. In fact, in the synchronous setting,
the crux of the consensus problem is essentially to overcome the Δ difference in
the timing at which honest nodes observe the same message m.

3.1 Protocol

The protocol is almost identical to the one in Sect. 2 except for two modifications:
(1) the parameters for forming a notarization and for finalizations are chosen
differently; and (2) the finalization rule makes an additional check for conflicting
proposals. The protocol is described below and the difference from the earlier
protocol in Sect. 2 is highlighted in blue.

Notarization: A valid vote for chain from node i is a valid signature from node
i on H(chain) where H is a hash function chosen at random from a collision-
resistant hash family. A collection of at least n/2 votes from distinct nodes on
some chain is said to be a notarization for chain.

For each epoch e = 1, 2, . . .:

• Propose: At the beginning of the epoch, node (H∗(e) mod n) proposes
a new block B := (e, TXs, h−1 ) extending the freshest notarized chain in
its view denoted chain. Here TXs denotes a set of outstanding transactions
to confirm and h−1 = H(chain). The proposal, containing chain||B and a
notarization for chain, is signed and multicast to everyone—here chain is
referred to as the parent chain of B.
• Vote: Every node performs the following: when the first valid proposal of
the form chain||(e, , ) is received from node (H∗(e) mod n) with a valid
notarization on chain, vote on the proposal iff chain is at least as fresh as
the freshest notarized chain the node has observed at the beginning of the
previous epoch or if the current epoch e = 1.
To vote on chain||B, simply multicast a signature on the value H(chain||B)
to everyone.

Finalization: At any time, if a notarized chain has been observed ending at 6
blocks with consecutive epoch numbers, and moreover for each of these 6 epoch
numbers, no conflicting proposal (from an eligible proposer) for a different
block has been seen, then the prefix chain[: −5] is final.

3.2 Consistency Proof


In comparison with Sect. 2.3, under minority corruption, the “uniqueness per
epoch” lemma (Lemma 2.1) no longer holds. Consistency now crucially relies on
the new finalization rule which additionally checks for conflicting proposals. We
thus present a different but nonetheless simple consistency proof. Henceforth we
use the notation chain e to denote the block at epoch e in chain, and we use
chain : e to denote the prefix of chain up to and including the block of epoch e.
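
Why Lemma 2.1 survives a 2n/3 threshold with fewer than n/3 corruptions but fails with an n/2 threshold under minority corruption, as an added Python example (not part of the tutorial). It builds the two vote sets explicitly; the function names are hypothetical, and the model assumes corrupt nodes vote for both blocks while each honest node votes for at most one block per epoch.

```python
def quorum(n, num, den):
    """Smallest number of votes that is at least (num/den) * n."""
    return -(-num * n // den)

def equivocation_witness(n, f, num, den):
    """Try to notarize two distinct blocks of the same epoch.

    Nodes 0..f-1 are corrupt and sign both blocks; honest nodes f..n-1 sign at
    most one. Returns the two voter sets (S1, S2), or None when no split of the
    honest votes lets both blocks reach the notarization threshold.
    """
    if f == 0:
        return None              # an honest proposer never proposes two blocks
    q = quorum(n, num, den)
    honest = list(range(f, n))
    need = max(0, q - f)         # honest votes each block still needs
    if 2 * need > len(honest):
        return None              # some honest node would have to vote twice
    corrupt = set(range(f))
    return corrupt | set(honest[:need]), corrupt | set(honest[need:2 * need])

def sweep(num, den, bound, n_max=60):
    """All (n, f) with 1 <= f < n/bound for which a witness exists."""
    return [(n, f)
            for n in range(3, n_max + 1)
            for f in range(1, n)
            if bound * f < n and equivocation_witness(n, f, num, den)]

if __name__ == "__main__":
    print("2n/3 votes, f < n/3:", sweep(2, 3, 3))            # no witness at all
    print("n/2 votes, n=5, f=2:", equivocation_witness(5, 2, 1, 2))
    print("2n/3 votes, f = n/3:", equivocation_witness(6, 2, 2, 3))
```

With an n/2 threshold every setting with at least one corrupt node admits two notarized blocks in the same epoch, which is why the finalization rule of this section has to look for conflicting proposals instead of relying on uniqueness per epoch.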
Lemma 3.1 (No contiguous skipping). Suppose that a notarized chain with two
consecutive epoch numbers e and e + 1 appears in honest view. Then, no notarized
chain in honest view whose ending epoch is at least e can skip all of the epochs
e, e + 1, e + 2, e + 3 (i.e., one of these epochs must be contained in the notarized
chain).
Proof. Let chain be the notarized chain in honest view with two consecutive
epochs e and e + 1. It must be that at least one honest node i has voted for
chain : e + 1 during epoch e + 1, and thus i has observed a notarization for
chain : e in epoch e + 1. Therefore all honest nodes must have observed a
notarization for chain : e in epoch e + 2, i.e., by the beginning of epoch e + 3.
Thus in any epoch e > e + 3 no honest node will vote to extend a parent chain
whose epoch is smaller than e.
Suppose chain is a notarized chain in honest view whose ending epoch is at
least e + 4 and moreover chain does not contain the epochs e, e + 1, e + 2, e + 3.
Let e be the smallest epoch in chain that is greater than e + 3. It must be
that at least one honest node voted on chain : e during epoch e but this is
impossible because chain : e ’s parent has epoch smaller than e. 


Theorem 3.2 (Consistency). Suppose that an honest node i triggered the final-
ization rule on chain and an honest node j triggered the finalization rule on
chain , then it must be that either chain[: −5]  chain [: −5] or chain [: −5] 
chain[: −5].

Note that i and j can be the same or different node in the above theorem.

Proof. Suppose that chain ends at 6 consecutive epochs e − 5, e − 4, . . . , e and
chain ends at 6 consecutive epochs e −5, e −4, . . . , e . Without loss of generality,
assume that e ≥ e.
Since chain contains two consecutive epochs e−5 and e−4, due to Lemma 3.1,
chain cannot skip all of epochs e − 5, e − 4, e − 3, e − 2. Therefore there must
be a block in chain at epoch e ∈ {e − 5, e − 4, e − 3, e − 2}. Thus, at least one
honest node must have voted for chain e in epoch e, and this honest node must
have observed a proposal for chain e from an eligible proposer in epoch e. This
means that all honest nodes must have observed a proposal for chain e from
an eligible proposer by the beginning of e + 2 ≤ e.
Notice that a notarization for chain cannot appear in honest view before
epoch e since honest nodes will only vote for chain in epoch e. Thus the final-
ization rule for chain must be triggered after epoch e starts, but by this time
all honest nodes have observed a proposal for chain : e . Therefore it must be
that chain : e = chain : e since otherwise the finalization rule cannot trigger
on chain due to seeing a conflicting proposal for e. 


3.3 Liveness Proof


We can show that honest nodes’ finalized chains must grow whenever there
are 6 consecutive epochs all with honest proposers. The proof follows almost
identically as in Sect. 2.4, where we can prove that an honest proposer’s proposal
never gets rejected by honest recipients. The liveness claim therefore follows by
observing that an honest proposer does not propose two blocks of the same
epoch.

4 Additional Improvements and References


Optimistic Responsiveness. The protocols described earlier are preconfigured
with an anticipated delay parameter Δ, and a new block can only be confirmed
per Θ(Δ) rounds (also called an epoch earlier). In practice, if and whenever
the actual network delay δ is much smaller than Δ, it would be desirable to
confirm transactions as fast as the network makes progress, i.e., the confirmation
time should be dependent only on the actual delay δ and not on the a-priori
upper bound Δ. Protocols that achieve this property are said to be optimistically
responsive [14].
In Pala [4] and Pili [5], the authors show that with very minor tweaks to
protocols described in this tutorial, one can achieve optimistic responsiveness in
the partial synchronous and synchronous settings respectively. Later versions of
the Hotstuff [1] paper and subsequently Sync Hotstuff [2] also achieved optimistic
responsiveness.

Synchronous and Yet Partition Tolerant. The synchronous, honest-majority
protocol described in Sect. 3 makes a strong network synchrony assumption
for its consistency proof. Specifically, every honest node’s messages must be
delivered within Δ delay. In other words, if an honest node ever temporarily
drops offline and violates the Δ bound, it is treated as corrupt by the model
and the consensus protocol is no longer required to provide consistency and live-
ness guarantees for this node. In practice, typically no one can deliver 100%
uptime—since blockchains are long running, every node may become offline at
some point, and thus at the end time, the classical synchronous model will treat
everyone as corrupt! This means that protocols proven secure in the classical syn-
chronous model do not necessarily offer strong enough robustness for practical
deployment. A symptom of this is that almost all known synchronous consensus
protocols appear under-specified and unimplementable: typically these protocols
do not fully specify what a node should do if it receives messages out of sync,
e.g., after coming back online after a short outage (and it is dangerous to leave
this decision entirely to an ordinary implementer).
Recently, Guo, Pass, and Shi [7] propose a new model that allows one to cap-
ture a notion of “best-possible partition tolerance” while making mild network
timing assumptions. Specifically, in their model, a secure consensus protocol
must provide both consistency and liveness to all honest nodes, even those who
might have suffered from temporary outages but have come back online, as long
as at any point of time, there exists a set of honest and online nodes that are
majority in size. Moreover, this honest and online set may even churn rapidly over
time. Given Guo et al.’s model, a recent work called Pili showed how to achieve
this notion of best-possible partition tolerance through very minor tweaks to the
protocol described in Sect. 3 (and at the same time offering optimistic respon-
siveness too).

Reference Implementation. We refer the reader to an open-source implementation
of Pala (https://github.com/thundercore/pala). This implementation
adopted a doubly-streamlined, and optimistically responsive variant of the pro-
tocol described in Sect. 2. We briefly explain the “doubly-streamlined” idea: in
the protocol in Sect. 2, a node must have received the parent chain’s notariza-
tion to vote on the next block—this can lead to pipeline stalls in settings with
the Pope’s order to the Senate of Venice for an immediate and private
interview with their prisoner.
A bright sunbeam shone through the window of Sebastian’s chamber, on
the face of old Sampayo, as he entered where Sebastian and Kara Aziek sat
expecting him; a brighter beam, for it emanated from a comforted heart,
was there also.
Sebastian run forward to welcome him; Sampayo whispered a
benediction, and dropt a joyful tear over the hand of Kara Aziek, as he
feebly grasped it within his. “This is a happy or a sad hour to me, as my
Liege shall chuse to make it!” said Sampayo, slowly seating his exhausted
frame. “I come back charged with an important mission: the fate of this dear
lady, your own fate, honored Sire! the lives and comforts of millions are
now in your hands, a single word will destroy or save all.”
Kara Aziek looked on him with an anxiety which suspended her breath
and her pulsation: Sebastian already guessed the mission of Sampayo. “Say
on!” he cried, with a steady voice, “I am prepared to hear you with attention
and singleness of heart.—It is of God and our conscience, that we are about
to speak.”
There was something so impressive in the tone of his last words, and so
much of truth and dignity on his brow, that father Sampayo’s looks took an
impression of still deeper interest, and dropping on his knees, the old man
raised his hoary head and withered hands towards him, while earnestly
repeating.
“Ere I begin my mission, let me, Sire! charge you on my knees, to put
from you all obstinate prejudice, all proud presumption—all vain desire of
men’s praises for a seeming contempt of temporal things! avow conviction
and repentance if they touch your heart, and be content to suffer a short
odium from heretics, for the sake of your eternal salvation, and for the
worldly prosperity of Portugal. Let the example of the pious Henry of
France sustain your courage. I am come to invite you back to the arms of
our indulgent father; he empowers me to exhort and to instruct you. If my
humble endeavours may avail, he promises to command every catholic
Prince to concur in demanding the restitution of Portugal: so must Philip
yield up the crown, and your sceptre pass into your royal hand in peace. No
sword will be drawn, no blood shed, no families divided by civil dispute, no
fortunes ruined. Europe will behold the long-exiled Sebastian calmly retake
his seat amongst her monarchs, and universal gladness will follow.”
Sampayo stopt, and Sebastian raised him kindly from the ground; but the
lofty smile with which he did so, answered the fearful inquiry of Kara
Aziek’s eyes: that smile spoke to her of a heavenly crown, not a temporal
one, and half-raised, half-sunk her trembling spirit. She seated herself near
her husband, while he placed himself in an attitude of attention, requesting
the venerable priest to continue his discourse.
All that zeal, and affection, and ability, can inspire in support of a weak
cause, was urged by father Sampayo: sincerely professing the doctrines of
Rome, he understood and explained them better than any other man, but his
explanations were unsatisfactory, his reasonings barred by mysteries; he
talked eloquently, but he talked in vain, for he convinced not his hearers.
After frequent pauses, and as frequent renewals of the important theme,
his powers were exhausted, and he awaited the reply of Sebastian. The
latter gave him a long look, full of gratitude and esteem, and pressing the
hand of Kara Aziek as it rested trembling on his, he thus addressed him.
“It is not my aim to change or to disturb the opinions of one who stands
on the brink of time, and whose holy life, and sincerity, though in error,
may redeem his creed: I have but to assure you father, on the solemn word
of an accountable man, that my heart has not yet been shaken, nor my
understanding momentarily enlightened by a single argument adduced in
support of papal Christianity. I feel and I believe that the reformed religion
of Luther approaches much nearer to the pure doctrines of our blessed
Redeemer, and as such I will profess it unto death.
“If the recovery of my rights is to depend upon my abjuration of my
principles, I may say at once, “My kingdom is not of this world.” Father! I
fear not the censure of men, I court not their applause; but the voice of God
and of my conscience resounds from the depths of this heart, warning me
not to betray my everlasting soul for a perishable honour.”
He now turned his softened eyes upon his wife, and went on. “I presume
not to read the decrees of Providence; whatever be the cup presented me by
the divine hand, shall we not drink it my Aziek? aye, drink it together!—
Does not thy virtuous spirit make the same covenant with that of him who
has known no joy on earth without thee, and almost fears there would be
none for him in heaven if he had not thee to share it.”
Aziek replied in whispered sighs upon her bosom, where she threw
herself, oppressed to agony: she exulted in the magnanimity of her
Sebastian; she shared his ardours, but she foresaw the price that must be
paid for the immortal crown he preferred to that of earth, and some human
weakness enfeebled without subduing her.
Sebastian knew her thoughts, and prized her heroism the more, from
seeing the tenderness with which it had to struggle. Father Sampayo was
plunged in sorrow; his arguments were now succeeded by lamentations and
entreaties; he wept, he prayed, but his tears only served to make Sebastian
regret without altering his resolution.
Day passed unheeded in this painful contest, till at length the confessor
was obliged to quit the prison. “This hope then is over,” he said, preparing
to withdraw, “your obstinacy, sire, is to be the signal for our great superior’s
pronouncing you once more an impostor, and excommunicating all who
appear in your defence. He persists in declaring that the true Don Sebastian
was the elect of God, and could not fall into such accursed heresy. I have
now no further hopes; all rests on the good offices of your protestant allies.
May the blessed virgin and the saints intercede for your darkened soul! may
a miracle restore you! perhaps these aged eyes will never more behold you
till we wake together in—another world.”—The good man’s voice faltered
as he uttered the last words, for he dared not say in Paradise, since he
addressed a heretic.
Sebastian bent his knee to receive his benediction, and Kara Aziek
partook in the affecting farewel. Sampayo embraced and blessed them
together, then hastened out of the apartment.
The past scene would have dwelt long on their hearts, had not the father,
as he departed, drawn a packet from his vest, and put it into the hand of
Aziek; the writing was unknown to her, but opening it, she glanced over
these words: “A confidential servant of the Duchess Medina Sidonia has
ventured to entrust the enclosed to father Sampayo; he has been long in
Venice anxiously seeking some safe method of transmitting it according to
his instructions.”
Every shew of composure and self-command vanished at this moment
from the countenances of Kara Aziek and Sebastian; they tore open the
letter, they ran over it together with swelling hearts and frequent
exclamations of joy; its contents were indeed balm to their tortured minds.
The Duchess wrote to assure them of her inviolable fidelity to the secret
of their daughter’s birth, and to promise her continued protection to the
amiable girl through any change of fortune; she told them that Blanche’s
real parents had never yet been guessed at even by Paula, the wife of
Gaspar, for whose infant son the Duke of Braganza had sent into Sicily,
proclaiming his intention of repaying to the child the timely service of his
father.
Renewed vows of friendship, repeated exhortations to hope and patience,
and trust in Providence, concluded the letter of the Duchess; that of
Blanche, though filled with expressions of filial sorrow and love, happily
convinced her parents that she knew not the worst of their destiny, but was
encouraged to hope beyond probability or present prospect.
Sweet were the tears that now stole down the cheeks of these illustrious
sufferers! they beheld the writing of their child, they believed her out of the
reach of their misfortunes, and their misfortunes ceased to afflict or to
affright them.
The consolation afforded by this unforeseen blessing, together with the
inward satisfaction of having sacrificed interest to principle, spread a
cheering light through their hitherto dreary prison, they were comforted and
revived; and patient in joy as in sorrow, they cheerfully resigned themselves
to await the good time of heaven.
While all within the prison was peace, all without was confusion and
indecision; every day messages and noble persons arrived from different
states, to know the fate of the extraordinary man whom the Portuguese
called their King. The friends of Sebastian zealously disseminated their
belief of his identity; the partizans of Philip and of Rome as hotly
proclaimed his falsehood. Venice herself knew not how to act; she began to
tremble for the consequences of her rash union with Spain, and to listen
with troubled attention to the remonstrances of France, England, and the
States-General. The city was now crowded with foreigners of various ranks
and ages, daily besieging the Senate with alternate reproach and
solicitation.
In the midst of this tumult, Don Christopher of Crato, arrived from the
court of London with a threatening letter from the English Queen. She
demanded a public trial of the pretended impostor, menacing Venice and
Spain with immediate destruction if they refused compliance. The terror of
a British fleet decided the irresolution of the Venetians, and summoning a
full senate, they consented to hear their royal prisoner.
It was in vain that the Portuguese lords prayed permission to be present
at this examination, in order to compare him with their own recollection of
the unfortunate Sebastian. The Seigniory alleged that the Portuguese were
all too desirous of believing the impostor to give an impartial testimony,
and that by questioning him on the events of his life, they were more certain
to detect him in contradictions.
Venice yet feared and hoped much from Philip, whose ambassador
alternately threatened and caressed her; and armed with assertions which
Morosini’s communications enabled him to fulminate, he now made one of
the assembly, proudly pronouncing himself the umpire, since he had
frequently seen the real Don Sebastian in his palace of Ribera.
It was midnight, and cold December, when Valdorno came to conduct
Sebastian into the presence of the senators: Sebastian wished never more to
lose sight of Kara Aziek, and with an air of high authority that would not be
denied, he persisted in making her his companion.
A solemn expectancy sat on the faces of the numerous senators who with
the Doge, habited in their most imposing habits, formed a semi-circle in the
grand hall of the senate-house. One massy branch of lights threw a sullen
gleam over the more sullen crowd: no sound was heard amongst them, as
the great doors were opened, and Don Sebastian appeared, advancing
between Kara Aziek and Signor Valdorno. He paused when he had passed
the threshold, and cast an undaunted look around the hall.
The King of Portugal was now at that period of life, when manly beauty
assumes a character of majesty, and awes rather than wins: the bright
colours of youth were no longer on his cheek, nor its luxuriant fulness on
his limbs, but his countenance was splendid still, for the fire of his eyes was
unextinguished. He looked
“Not less
Than archangel ruined.”

By his side stood the gentle Aziek, with loveliness faded, not obliterated;
graces so lightly touched by the hand of time, and so interestingly mixed
with looks of unresisting sweetness, that she appeared born to contrast the
severe dignity of Sebastian. But there was a modest nobleness in her air that
seemed as if love had copied the object beloved, and made her worthy of it.
At the first sight of these august sufferers, murmurs of shame and
admiration ran through the assembly. Sebastian advanced to the Castilian
ambassador, whom his eagle glance had singled out, and stopping before
him, said in a high voice, “Here is one that should know me. Sir! whom say
you I am?”
The Spaniard who had half-discredited, half-believed the existence of
Don Sebastian, now amazed into perfect conviction, turned pale, and the
acknowledgment was bursting from his lips, when recollecting himself, he
turned aside, and said coldly, “I know you not.”
“We have sent for you, Stranger!” interrupted the Doge, as he saw
Sebastian hastening to speak, “not to question others, but to answer for
yourself, we are met here, without prejudice or partiality, to decide between
you and the most Christian King Philip III. of Spain, Portugal, and the
Indies. I charge you answer truly to the questions that shall be put to you.”
“As an honest man desirous to have his truth apparent to all the world, I
am ready to answer you,” replied Sebastian, “I will forget awhile that I am a
King—aye Lords! a King: (he added, seeing them look strangely at each
other,) there are some amongst you that know I am so. Woe unto them, sons
of Judas! have they not betrayed me with the kiss of friendship?”
Signor Morosini drew back at this expression, and averted his head; the
Doge proceeded to speak.
“How comes it, that you have thus long suffered the kingdom of
Portugal to be enjoyed by the sovereigns of Spain, if confident that you
were its lawful possessor?”
“Because I had not any direct promise of support from other Princes, and
abhorred the thought of plunging my people into war.”
“Where have you passed the long period of twenty years which has
elapsed since the battle of Alcazar? and how comes it that you are the
husband of a Moorish woman?”
“Part of that period has been spent in Barbary, part in Persia, the
remainder in Brazil. You ask me how it comes that I am the husband of a
Moorish woman, I answer, because I loved her, I owed her eternal gratitude,
and she deserved both sentiments.”
“What say you to the well-known fact of Don Sebastian’s body having
been found in a suit of green armour on the field of Alcazar?”
“I reply, that it was the body of some other person. Near the cave of
Abensallah, a Moorish hermit, who dwelt among the mountains of
Benzeroel, my armour will be found buried under a plane tree; the royal
insignia are on it; since Spain and Morocco are at peace, I challenge you to
have it sought for.”
“How comes it, that having passed this long period, first in Mahometan
countries, and lastly in a Catholic one, that you should profess doctrines
known only to a few miserable European states?”
“I was instructed in them by the Moorish proselyte of an English slave; I
heard, and examined, and believed.”
“Enough!” exclaimed the Doge, “now hear what you are said to be. A
Calabrian impostor: we have inquired, and heard of a strange person
bearing the name of Marco Tullo Cattizone, who abode some time at
Messina, and him thou art. This woman is—I know not what;—thy lawful
wife is the servant of the Duchess Medina Sidonia, and is now in this city
ready to swear to thee as her husband.”
“Peace!” exclaimed Sebastian, with a voice of thunder, and throwing his
arm round Kara Aziek with a look of protection. At that moment his eye
caught Morosini’s, and the tide of resentment turned: it was evident that he
was the informer, since after their first meeting, Sebastian had directed
Giuseppe to address his letters to Cattizone at Messina, and doubtless
having supposed that he bore that name, they had confounded him with
Gaspar, and discovering his wife, who concluding him to be her husband,
without intending to abet falsehood, was beguiled into doing so.
Sebastian briefly stated these circumstances, adding, “of his evidence I
am deprived by the most cruel misfortune; my faithful follower is no more;
but his dying words attest my truth, and the noble Braganza is prepared to
repeat them. Let this woman you speak of, be brought hither; she will
quickly acknowledge that I am not her husband. If I am a Calabrian, bring
forward those who know my birth and lineage.—You have state papers
signed by Don Sebastian’s name, compare these signatures with my hand
writing now. Question me on the secret articles of our various negociations;
if you find me falter in my answers, then brand me with imposture. Let my
person be compared with the description of Don Sebastian’s: shew me to
my Portuguese, they will know the voice and the features of their King,
though time and sorrow have marked me with their heaviest print: if my
own people deny me, then let disgrace and death light on me and mine.”
Sebastian concluded, and seeing that his last words had taken the colour
from Kara Aziek’s cheek, he gave her such a smile as might in calmer times
have transported her to fall upon his neck in an ecstacy of delight: but now,
it redoubled her anguish, by heightening her love, and she remained wildly
gazing on the men who had the fate of her husband in their hands.
A sharp debate ensued amongst the Venetians. Some, moved by the
interesting softness of Kara Aziek, were forward to espouse the cause of her
husband, insisting on the equity of complying with his demands. Some,
awed into admiration of Sebastian, feared to maintain the assertion of his
imposture, but excused their conduct on the plea of his apostacy: others,
denounced him in the same breath as an impostor, an apostate, a magician,
calling for his instant delivery into the hands of Rome, or of the Inquisition.
All questioned him with perplexing varieties of inquiries, which he
compelled himself to satisfy.
The Castillian grew clamorous; and at each convincing explanation,
called out, “He is an impious sorcerer!”
But the senate, though far from unanimously believing this superstitious
assertion of their ally’s envoy, were too much afraid of papal power, and of
protestant indignation, to take a decisive part on either side: they deemed it
best to steer the middle course, and getting rid of Sebastian without
providing for his protection, leave him to his fate in the midst of Philip’s
adherents.
They commanded their prisoner to withdraw, and leave them to
deliberate on the nature of the decision they were about to pronounce.
Sebastian retired with Kara Aziek.
In a vacant anti-chamber, attended only by Signor Valdorno, whom
respectful pity kept silent, they sat awaiting the moment of their recal. The
tumult of sharp debate still reached them from the senate hall: at each noisy
burst, the blood retreated yet further into the heart of Kara Aziek; her lips,
her cheeks, her very eyes were pale: violent tremblings alone gave to her
death-like figure any semblance of life. She sat with one hand closely
grasping that of Sebastian, who continued in low and tender tones to chide
such apprehension.
He felt the King in his breast, and he could not conceive the possibility
of being doomed to leave the world denied and reviled.
At length a person appeared at the door, Sebastian arose, but Kara Aziek
hung on his arm unable to raise her sinking frame. That moment was come
in which their fate was to be pronounced! Scarcely could Valdorno support
her on his stronger arm, as they followed Sebastian into the council room.
The Doge was standing.—“Stranger!” he said, “he to whom you applied
for acknowledgment of your bold pretensions, the ambassador of our noble
ally, Philip of Spain, solemnly assures us, that your features are unknown to
him: we may not therefore, examine you further: to do so, would be to
insult the honour of a great sovereign, in the person of his representative.
We leave you at liberty to seek other investigation: and as we acknowledge
no other King of Portugal, besides Philip III. of Spain, we command him
who usurps that title, to depart this city within three days, on pain of
perpetual imprisonment.”
The Doge reseated himself, and with a shriek of joy, Kara Aziek fell
lifeless at the feet of her husband. Signor Valdorno hastened to raise her in
his arms: Sebastian cast on her a look of sad tenderness, but attempted not
to remove her from Valdorno. He turned to the assembly, and viewing them
with an undaunted and indignant air, that struck conviction of his royal
dignity to every soul, he said aloud, “Once more I tell you, I am Sebastian
King of Portugal. I go, with God’s help, to prove this assertion on the war-
fields of my country, since thus he wills it.”
He vouchsafed no glance to Morosini, but passing his arm round Kara
Aziek, with Valdorno’s aid, carried her forth. A gondola was provided for
their conveyance to the lodgings of Don Juan De Castro: Kara Aziek
recovered her senses at the movement of the boat, and then so many
powerful emotions (joy relapsing into fear, gratitude suddenly checked by
remembrance of former evils, love for her husband, and indignation at his
false friends) shook her frame, that she evidently trembled on the verge of
death and madness.
Sebastian succeeded in beseeching her to let this agitation subside, ere
she mixed in a scene likely to increase it still more; it was long past
midnight, and as they entered De Castro’s house, he resigned her into the
care of a female domestic, whom they encountered in the hall, desiring her
to conduct the exhausted lady to a place where she might take rest.
Having disposed of her who demanded all his care, Sebastian preceded
the courteous Valdorno into a saloon filled with a numerous concourse of
friends and strangers, and glaringly lighted. He advanced with his usual
kingly port into the centre of them, and stopped there without speaking:
Don Juan De Castro fell back amazed at the figure he saw before him.
De Castro retained the vivid image of a young and smiling warrior,
gallantly attired, bright with health, and happiness, and conscious power; he
now saw a man in the autumn of life, negligently habited, darkened by
foreign suns, wasted with many cares, dimmed by long experience of this
world’s uncertainty and emptiness. He scarcely knew how to trust his sight:
but as Sebastian, observing his trouble, and conjecturing its cause,
mournfully smiled, Juan precipitated himself at his feet, exclaiming, “My
King, my King!”
That well-remembered smile was decisive: at the same instant, several
other persons cast themselves on the ground, proclaiming the person they
beheld, to be their King.
Eyes, that had never wept before, now flowed in sympathy with the
Portuguese and their persecuted sovereign: Sebastian’s full heart
overflowed at every side; and calling each friend by their name, he turned
from one to the other, alternately embracing and raising them to his bosom.
When they were standing around him, he cast a look over the circle, and
seeing them variously habited, most of them in disguises, which were
assumed for the purpose of dispatch on their different missions, some in the
fashion of France, some in that of England, some in that of Holland, others
as pilgrims, a few as mendicants; he smiled pensively again, and said with a
heavy sigh, “So many sorts!”—
The sad grace with which he spoke, once more touched every heart, and
renewing their exclamations, the Portuguese crowded about him to kiss his
hands and his garments.
Amongst this groupe he distinguished the Fathers Texere and Sampayo,
De Brito, who had last seen him on the field of Alcazar, when they fought
together in defence of the royal standard, Mascaranhas, his favorite
attendant, and a tall fair young man, whose countenance was peculiar from
its expression.
Sebastian fixed his eyes on this last, with extreme earnestness; the colour
fluctuated on the young man’s cheek; “Is it not a kinsman I behold in you,
young sir!” he said kindly, “Don Christopher of Crato, I think.”
Don Christopher answered by a painful blush; Sebastian resumed, and
his heart yearned towards him as he spoke, “You resemble your father in
complexion; God grant you grace to resemble your grandfather in deeds!”
“The infant Don Louis is the only parent I wish to remember,” replied
Don Christopher, dropping his eyes, while a deeper dye covered his face.
Sebastian’s eyes were still rivetted on him; for now he recalled that
dreadful hour, when he had seen this young man a child in the cradle at
Xabregas, and remembered anguish seized him with a transient pang.
“Where is his father!” he whispered to Don Juan. “He is dead, my liege, at
Florence.” Sebastian gave a sigh to their former attachment, then turning
with animation to those around, said—
“Which of you will compare this wreck of Sebastian, with what the
proud vessel was, in her day of brave appointment? Care may have
furrowed this once smooth brow, but nothing could obliterate these well
known marks.” As he spoke, he lifted aside his hair, and shewed a deep scar
above the right eyebrow, which had been caused in his earliest youth, by an
accident in hunting.
“Here De Brito! is the memorial of a wound you saw me receive, on the
most fatal of days,” and bending his head, he displayed another large cut
above the forehead itself. “This body is flesh, not iron, on which a man may
grave what he pleases, yet these marks are accidental; what I am about to
shew, were imprinted on me by the hand of nature.”
He now pushed down his cloak, and baring one shoulder, discovered on
the exceedingly white skin, a singular mole resembling a dark seal or coin:
at the same time he extricated his left foot from its sandal, and shewed
another curious mark, well remembered by all his familiar associates.
At these convincing evidences, those who secretly wavered between
doubt and belief, uttered a cry of gladness, and again the tumultuous
murmurs of joy and sorrow (for how could such recognition be made
otherwise?) ran through the crowd.
While the King was answering the many questions which followed this
complete conviction, and thanking the surrounding strangers for their
generous sympathy, Father Texere came forward, leading in his hand a
monk in the vigour of life, tall and commanding, on whose acute brow were
stamped energy and ability: “Sire!” he said, “suffer me to claim your notice
for this excellent person, who of all men present, has sacrificed the most for
your sake: it is now some months since he added his powerful support to
our party.”
“What is he, good Texere? to whom stand I indebted for the zeal you
will find me warm to acknowledge?”
“To Father Chrysostom, the most distinguished follower of our holy
Faith. He lately filled the office of almoner and confessor to the Viceroy of
Portugal, but struck by the recital of your story by Gaspar Ribeiro, and
indignant at that atrocious act which brought Ribeiro to the grave, he
abandoned his high situation, resigned the revenues and honours granted
him by the Marquis Castel Rodrigo, and having travelled through these
countries at the peril of his life, boldly declaring your existence wherever he
went, and rousing the people to demand their King, he has reached Venice,
and become the most zealous for your Majesty’s enlargement.
“On his eloquence we depend for reconciling his holiness to your
espousal of the new doctrines. Father Chrysostom is unimpeachable in his
own profession, and what he sanctions, no devout catholic may venture to
question. Sampayo and myself fail of surmounting the religious prejudice
which opposes you, Sire! for they accuse me of being a Lutheran in my
heart, and Sampayo of being too little careful for the salvation of others.
“Deign then to accept the services of Father Chrysostom, and to admit
him into the number of your chosen servants.”
Sebastian extended his hand towards the lofty-looking Chrysostom, who
received it with respect, and the calm aspect of a man that is actuated rather
by reflection and principle, than by any enthusiastic impulse. His thoughtful
looks, his temperate words, his unimpassioned manner, when connected
with the knowledge of his ardent actions, made Sebastian muse on the
contrast between this sacrificing friend and the selfish Morosini.
How different, thought he, look truth and falsehood; or rather, how
different does a steady and an unstable character express the same feelings!
When Sebastian had urged many inquiries to Chrysostom respecting the
Braganza family, and the situation of Portugal, some of the Portuguese
would have learned from him the particulars of his own exile, but sadness
shaded his countenance, and praying them to forbear awhile, since the
relation of his adventures must painfully revive the memory of early error,
he proceeded to learn the state of his affairs at foreign courts, fixing on fit
operations for the future.
The unsettled posture of Holland forbade him to seek that asylum there,
which he purposed seeking somewhere; (an asylum was necessary to rest in
till Portugal should proclaim him, and his allies fulfil their engagements of
furnishing him with men and money.) England was beginning to dread a
change, for Essex was fallen into disgrace, Elizabeth, grown so capricious
with age and jealousy, that she changed her humour every hour, and no
longer listened to the solicitations for Don Sebastian, since her favourite
was not nigh to urge them. France was the only country that opened her
arms to the fugitive.
The King, deeply interested in depressing the house of Austria, and
convinced of Sebastian’s identity, from the representations of others, had
empowered Don Christopher to offer the persecuted monarch an honourable
asylum. It was to his court that Sebastian resolved to direct his steps: while
he hastened thither to join the army which Henry offered to raise, [if
swelled by succours from any other Prince;] Sampayo and his companions
were to return into Portugal, and proclaim their sovereign; Braganza was to
seize on the national fleet and the treasury: two acts less difficult than they
appeared, owing to the devotion of the sailors to Don Sebastian’s memory,
and the extreme weakness of the Spanish garrisons.
Sebastian reckoned not on Castillian assistance; he did not even permit
himself to name his friends of Medina Sidonia; for he justly concluded, that
although he might trust implicitly where his own safety alone was
implicated, he should rigidly abstain from all imprudence when it might
endanger another.
He found that the Duke of Medina Sidonia had been suspected of having
favoured his cause, and had been strictly sifted by the minister of Philip; but
as no proof appeared of his knowing the stranger in any other character than
that of a Portuguese from Brazil, to whom his wife had shewn attention out
of regard to her brother’s memory, he was dismissed with nothing more
than a severe warning.
Upon this information Sebastian remarked in such terms that no one
present guessed him at all in correspondence with Medina; and restraining
his anxiety to learn, if possible, whether his daughter had been alarmingly
noticed, he returned to the subject of his departure from Venice. No doubts
could be entertained of the republic’s willingness to further in secret,
Philip’s aim of getting his rival into his power, and this conviction rendered
extreme precaution indispensible. By the influence of Philip’s ambassadors,
all the passages into France and Germany were closed against them;
wherever Sebastian went openly, he must expect to be seized as a subject of
Spain, being pronounced a Calabrian. (Calabria now forming part of its
Italian possessions.) Father Chrysostom therefore proposed that their
numerous party should separate, and by different parcels, and different
ways, seek their different places of destination. He offered to risk himself
through Italy, with Don Sebastian alone, provided he would assume the
disguise of a monk, and travel under that character to a free port, where
they might embark for France.
This advice, after some consideration, met with general concurrence; it
was agreed that the King, with Aziek and their prudent guide, should pass
first to Chiozzi; from thence through Ferrara to Florence, so to Leghorn,
and finally take ship for Marseilles. Such of his Portuguese as chose to join
him on his route might rendezvous at Florence, where they were not likely
to be known or stayed, and they might then proceed all together to
Marseilles.
Upon this arrangement the consultation ended, and leaving their well-
beloved monarch to the care of Juan De Castro and of Don Christopher; the
several Portuguese repaired to their respective lodgings, wishing the
morning soon to appear, since they were permitted to return at noon, in
order to be introduced to their Queen.
The next day re-assembled the friends of Sebastian. Kara Aziek entered
the apartment where they met, with extreme emotion, so much had she to
look back upon with horror, so much to look forward to with anxiety! yet
gratitude and joy were in her bosom, and on her countenance.
She presented herself to the Portuguese with a timid grace, (as if
beseeching them to love her for their sovereign’s sake) her gentle demeanor
won all their hearts, and when the separate nobles repeated their oaths of
fidelity to Sebastian, thanks, mixed with tears and smiles, heightened the
interest excited by her beauty.
Juan De Castro had undertaken the task of conveying letters to his
cousin Medina Sidonia, and to Blanche; this prospect gladdened the
mother’s spirit, and she now entered into discourse of their momentous
departure with cheerful courage.
The assembly separated before dusk, and at night-fall, attired as
pilgrims, with Father Chrysostom in his monk’s habit, Kara Aziek and
Sebastian took their eventful departure from Venice.
The speed with which they journeyed induced them to hope that they
should reach Florence (where Don Christopher and De Castro were gone to
await them) ere suspicion of their route could arise. The Venetians
concluded that Sebastian’s escape would, if possible be made to England,
and of course the Castillian ambassador’s search after him would be
directed to the shores of the Adriatic; this idea was what determined
Chrysostom to take the route of Tuscany.
CHAP. VI.
Day was just breaking when the travellers reached the gates of Florence.
“We are now safe!” exclaimed Father Chrysostom, “here ends our toil.”
“Not absolutely,” replied Sebastian, looking gladly around him, “till I
rest these weary limbs in Portugal, my fatigues cannot be said to cease.”
“But we are almost safe,” whispered Aziek, “beyond the Venetian
territory we may breathe and dismiss apprehension.”
Chrysostom turned on her as she spoke, and his dark grey eyes assumed
an expression that made her recoil; ere she recovered from the strange
alarm they struck into her, he had seized a hand of each, and bringing them
through the gates which were just opening, stopped before a party of
military.
“Here ends our toil!” he repeated, in an altered, triumphant, and
ferocious tone, “Soldiers seize this Calabrian! my duty is done!”
Sebastian was instantly surrounded by a band of armed men, who
drawing their swords at the same moment with a horrid noise, which drew
forth a shriek from Kara Aziek, flashed them before him with menacing
attitudes.
Sebastian stood root-bound in their circle, his eyes fixed with
amazement on the perfidious Chrysostom: stunned by so atrocious a
perfidy, his faculties were for awhile overpowered: at length bursting into
such a tempest of rage as had been long unknown to him, he called out,
“Traitor! fear you not that heaven’s bolt will fall and strike you?”
“Bridle this madness, impostor or apostate!” (whichever name you affect
most) replied the stern friar, “I fear no bolts; I look rather for the mantle of
Elisha! Chrysostom might indeed have dreaded divine judgment, had he
acted with the inconsistency of his reprobate brethren. Your damnable creed
is my abhorrence: whoever you are, for that creed I would burn you at the
stake, did I rule in Spain. My stratagem has succeeded; I have secured to
myself the gratitude of the whole church; and may every pernicious heretic
thus run into the snare of destruction!”
“And may every—— but no, I will not curse,” exclaimed Sebastian,
interrupting his own fierce transport. “God will avenge.”
“Thy ways are hard to understand, O Father all-powerful! teach me to
adore and to submit.”
His head fell on his breast at the last words, and he remained so awefully
wrapt in meditation that he saw not Kara Aziek fall at the feet of
Chrysostom, and wildly embrace his knees. Her supplicating voice first
awakened him: he recovered himself with a smile almost divine, and
tenderly raising her, said calmly, “kneel not there, my beloved! forget not
that we are in the hands of God as well as man; if he commands to spare,
who shall destroy?”
Aziek answered but with low and grievous groans, while she continued
to hang upon him; and he, motioning for the soldiers to take him where they
would, prepared to follow them.
More confounded by this majestic acquiescence, than by the fiercest
violence, Chrysostom stood with a troubled look: “Is this hypocrisy! or
what is it?” he exclaimed.
“It is Christian submission,” returned Sebastian, not deigning to turn his
eyes on him. The friar made an effort to resume himself: “Rather say,
coward consciousness of base desert! cease to profane the name of our
Redeemer, by uniting it with the accursed doctrines you profess: your
miserable imposture is over: you also, madam, may queen it no longer, or if
you will still appeal to some tribunal, prepare yourselves for answering at
the great judgment-seat of Heaven.”
Chrysostom’s withering eyes were levelled at both his victims; he stood
with his arm extended in the attitude of denunciation, and every lineament
of his gigantic figure seemed to grow in power and malignity. Kara Aziek
shuddered, turned deathly pale, and closing her eyes, suffered her head to
fall back upon the shoulder of her Lord.
Sebastian earnestly gazed on the man before him: “Of what stuff art thou
formed?” he said, “art thou man, or devil? is it avarice, or ambition, or
hellish bigotry, that has prompted thee to a deed like this? O! blind to the
merciful and faithful character of him thou professest to follow! thinkest
thou that he will reward thee for perjury and lies? study his doctrines
better.”
“Away with him!” cried Chrysostom, “the revilings of reprobate souls,
are the testimonies of the saints—my glory is his opprobrium.”
The soldiers now hurried their prisoner forward, who (suffered to hold
her in his arms from whom he trusted nothing but death would hereafter
divide him) still retained a gleam of comfort to illuminate future days of
darkest misery.
The loathsomeness of the dungeon into which they were thrust, was a
melancholy earnest of their intended treatment: but Sebastian complained
not; and all devoted to the hard task of detaining the flitting soul of his
Aziek, in its feeble tenement, he passed a weary day without learning to
what fate he was doomed.
His thoughts were less employed upon personal sufferings, than with
amazed consideration of the black treachery of him whom the Portuguese
had so incautiously trusted; and many were the censures he passed on them
for their credulity.
But in truth Sebastian blamed them unjustly: hypocrisy is the only evil
that walks unseen “by man and angels;” and father Chrysostom was a
hypocrite even to himself: he could cajole and cheat his own soul.
While his thoughts were in reality fixed upon earthly distinctions, he
believed they were solely turned towards heavenly ones. He fasted, he
prayed, he mortified his affections and his senses; he distributed alms, he
visited sufferers, he arrayed his body in “sackcloth and ashes,” and he
persuaded himself that he did all this from love and zeal for our divine
master. But it was the praise of men he coveted, rather than the approbation
of conscience; and having early fixed his eyes on the triple crown, he
placed not his foot except where the step promised to lead towards that
envied object.
His advancement had been gradual and sure: now it was likely to prove
more rapid. In his quality of confessor to the Portuguese viceroy, he
speedily heard of Sebastian’s re-appearance, and of the alarm which the
success of his various agents spread through the Spanish court. Rodrigo
acknowledged that it was Philip’s earnest wish to have the pretender at his
mercy; and upon this acknowledgment Chrysostom suddenly conceived the
bold plan of affecting zeal for the Portuguese monarch, insinuating himself
into his confidence, learning who were his secret abettors, and in case the
