International Association
for Cryptologic Research

Minimizing both the round and communication complexity of Byzantine agreement (BA) is fundamental question in distributed computing. A long line of works has focused on early-stopping deterministic protocols that can terminate within a number of synchronous rounds that is proportional to $f$, where $f$ is the \emph{actual number} of corruptions in an execution, as opposed to an upper bound $t$. This can lead to major benefits when $f\ll t$. A very different style of randomized protocol has focused on \emph{player replaceable} BA protocols with communication complexity linear in the number of parties $n$ and adaptive security, which rely on only a small and rotating subcommittee of parties to ever speak in the protocol. One downside of existing player-replaceable protocols is that they require $O(r)$ rounds to terminate with overwhelming probability $1-2^r$. For applications demanding high security guarantees, this can easily become the bottleneck of a player replaceable protocol. Motivated by this gap in the literature, we give the first protocol that is simultaneously player-replaceable \emph{and} early stopping (with overwhelming probability). Let $1>\alpha>0$ and $1>\epsilon>0$ be constants and let $\lambda$ and $\kappa$ denote suitable security parameters. Our protocol is secure against up to $t<(1-\alpha)\cdot n/2$ adaptive Byzantine corruptions and terminates in $(1+\epsilon)\cdot f$ many rounds with probability $1-2^\lambda$, given $f\leq t$ corruptions. Moreover, our protocol has constant expected round complexity and communication bounded by $O(n\cdot \lambda^3 \cdot \kappa ).$