Download Byzantine Agreement (BA) protocol

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
Document related concepts

Arrow's impossibility theorem wikipedia , lookup

Rational choice theory wikipedia , lookup

Choice modelling wikipedia , lookup

Preference (economics) wikipedia , lookup

Transcript 
Achieving Byzantine Agreement
and Broadcast against Rational
Adversaries
Adam Groce
Aishwarya Thiruvengadam
Ateeq Sharfuddin
CMSC 858F: Algorithmic Game Theory
University of Maryland, College Park
Overview
 Byzantine agreement and broadcast
are central primitives in distributed
computing and cryptography.
 The original paper proves (LPS1982)
that successful protocols can only be
achieved if the number of adversaries
is 1/3rd the number of players.
Our Work
 We take a game-theoretic approach to this problem
 We analyze rational adversaries with preferences on
outputs of the honest players.
 We define utilities rational adversaries might have.
 We then show that with these utilities, Byzantine
agreement is possible with less than half the players
being adversaries
 We also show that broadcast is possible for any
number of adversaries with these utilities.
The Byzantine Generals
Problem
 Introduced in 1980/1982 by Leslie Lamport,
Robert Shostak, and Marshall Pease.
 Originally used to describe distributed
computation among fallible processors in an
abstract manner.
 Has been applied to fields requiring fault
tolerance or with adversaries.
General Idea
 The n generals of the Byzantine empire
have encircled an enemy city.
 The generals are far away from each
other necessitating messengers to be
used for communication.
 The generals must agree upon a
common plan (to attack or to retreat).
General Idea (cont.)
 Up to t generals may be traitors.
 If all good generals agree upon the
same plan, the plan will succeed.
 The traitors may mislead the generals
into disagreement.
 The generals do not know who the
traitors are.
General Idea (cont.)
 A protocol is a Byzantine Agreement
(BA) protocol tolerating t traitors if
the following conditions hold for any
adversary controlling at most t
traitors:
A. All loyal generals act upon the same plan
of action.
B. If all loyal generals favor the same plan,
that plan is adopted.
General Idea (broadcast)
 Assume general i acting as the
commanding general, and sending his order
to the remaining n-1 lieutenant generals.
 A protocol is a broadcast protocol tolerating
t traitors if these two conditions hold:
1. All loyal lieutenants obey the same order.
2. If the commanding general is loyal, then every
loyal lieutenant general obeys the order he
sends.
Impossibility
 Shown impossible for t ≥ n/3
 Consider n = 3, t = 1; Sender is malicious;
all initialized with 1; from A’s perspective:
A1
1
I’m Spartacus!
Sender1
0
A does not know
if Sender or B is
honest.
0
B1
I’m Spartacus!
Equivalence of BA and
Broadcast
 Given a protocol for broadcast, we
can construct a protocol for
Byzantine agreement.
1. All players use the broadcast protocol
to send their input to every other
player.
2. All players output the value they
receive from a majority of the other
players.
Equivalence of BA and
Broadcast
 Given a protocol for Byzantine agreement,
we can construct a protocol for broadcast.
1. The sender sends his message to all other
players.
2. All players use the message they received
in step 1 as input in a Byzantine
agreement protocol.
3. Players output whatever output is given by
the Byzantine agreement protocol.
Previous Works
 It was shown in PSL1980 that algorithms
can be devised to guarantee
broadcast/Byzantine agreement if and only
if n ≥ 3t+1.
 If traitors cannot falsely report messages
(for example, if a digital signature scheme
exists), it can be achieved for n ≥ t ≥ 0.
 PSL1980 and LSP1982 demonstrated an
exponential communication algorithm for
reaching BA in t+1 rounds for t < n/3.
Previous Works
 Dolev, et al. presented a 2t+3 round BA
with polynomially bounded communication
for any t < n/3.
 Probabilistic BA protocols tolerating t < n/3
have been shown running in expected time
O (t / log n); though running time is high in
worst case.
 Faster algorithms tolerating (n - 1)/3 faults
have been shown if both cryptography and
trusted parties are used to initialize the
network.
Rational adversaries
 All results stated so far assume general,
malicious adversaries.
 Several cryptographic problems have been
studied with rational adversaries
 Have known preferences on protocol output
 Will only break the protocol if it benefits them
 In MPC and secret sharing, rational
adversaries allow stronger results
 We apply rational adversaries to Byzantine
agreement and broadcast
Definition: Security against rational
adversaries
A protocol for BA or broadcast is secure
against rational adversaries with a particular
utility function if for any adversary A1 against
which the protocol does not satisfy the
security conditions there is another adversary
A2 such that:
 When the protocol is run with A2 as the
adversary, all security conditions are satisfied.
 The utility achieved by A2 is greater than that
achieved by A1.
Definition: Security against rational
adversaries (cont.)
 This definition requires that, for the
adversary, following the protocol
strictly dominates all strategies
resulting in security violations.
 Guarantees that there is an incentive
not to break the security.
 We do not require honest execution
to strictly dominate other strategies.
Utility Definitions
 Meaning of “secure against rational
adversaries” is dependent on preferences
that adversaries have.
 Some utility functions make adversarycontrolled players similar to honest players, with
incentives to break protocol only in specific
circumstances.
 Other utility functions define adversaries as
strictly malicious.
 We present several utility definitions that
are natural and reasonable.
Utility Definitions (cont.)
 We limit to protocols that attempt to
broadcast or agree in a single bit.
 The output can be one of the
following:
 All honest players output 1.
 All honest players output 0.
 Honest players disagree on output.
Utility Definitions (cont.)
 We assume that the adversary knows
the inputs of the honest players.
 Therefore, the adversary can choose
a strategy to maximize utility for that
particular input set.
Utility Definitions (cont.)
 Both protocol and adversary can act
probabilistically.
 So, an adversary’s choice of strategy
results not in a single outcome but in
a probability distribution over possible
outcomes.
 We establish a preference ordering on
probability distributions.
Strict Preferences
 An adversary with “strict preferences” is
one that will maximize the likelihood of its
first-choice outcome.
 For a particular strategy, let a1 be the
probability of the adversary achieving its firstchoice outcome and a2 be the probability of
achieving the second choice outcome.
 Let b1 and b2 be the same probabilities for a
second potential strategy.
 We say that the first strategy is preferred if and
only if a1 > b1 or a1=b1 and a2 > b2.
Strict Preferences (cont.)
 Not a “utility” function in the classic
sense
 Provides a good model for a very
single-minded adversary.
Strict Preferences (cont.)
 We will use shorthand to refer to the
ordering of outcomes:
 For example: 0s > disagreement > 1s.
 Denotes an adversary who prefers that
all honest players output 0, whose
second choice is disagreement, and last
choice is all honest players output 1.
Linear Utility
 An adversary with “linear utilities” has
its utilities defined by:
Utility =
u1 Pr[players output 0] +
u2 Pr[players output 1] +
u3 Pr [players disagree]
Where u1 + u2 + u3 = 1.
Definition (0-preferring)
 A 0-preferring adversary is one for
which
Utility = E[number of honest players
outputting 0].
 Not a refinement of the strict ordering
adversary with a preference list of 0s >
disagree > 1.
Other possible utility definitions
 The utility definitions do not cover all
preference orderings.
 With n players, there is 2n output
combinations.
 There are an infinite number of probability
distributions on those outcomes.
 Any well-ordering on these probability
distributions is a valid set of preferences
against which security could be guaranteed.
Other possible utility definitions
 Our utility definitions preserve symmetry of
players, but this is not necessary.
 It is also possible that the adversary’s
output preferences are a function of the
input.
 The adversary could be risk-averse
 Adversarial players might not all be
centrally controlled.
 Could have conflicting preferences
Equivalence of Broadcast to BA,
revisited
 Reductions with malicious adversaries
don’t always apply
 Building BA from broadcast fails
 Building broadcast from BA succeeds
Strict preferences case
 Assume a preference ordering of
0 > 1 > disagree.
 t < n/2
 Protocol:
 Each player sends his input to everyone.
 Each player outputs the majority of all
inputs he has received. If there is no
strict majority, output 0.
Strict preferences case (cont.)
 Proof:
 If all honest players held the same input,
the protocol terminates with the honest
players agreeing despite what the
adversary says.
 If the honest players do not form a
majority, it is in adversarial interest to
send 0’s.
Generalizing the proof
 Same protocol:
 Each player sends his input to everyone.
 Each player outputs the majority of all
inputs he has received. If there is no
strict majority, output 0.
 Assume any preference set with allzero output as first choice.
 Proof works as before.
A General Solution
 Task: To define another protocol that
will work for strict preferences with
disagree > 0s > 1s.
 We have not found a simple efficient
solution for this case.
 Instead, we define a protocol based
on Fitzi et al.’s work on detectable
broadcast.
 Solves for a wide variety of preferences
Definition: Detectable Broadcast
 A protocol for detectable broadcast must
satisfy the following three conditions:
 Correctness: All honest players either abort or
accept and output 0 or 1. If any honest player
aborts, so does every other honest player. If no
honest players abort then the output satisfies
the security conditions of broadcast.
 Completeness: If all players are honest, all
players accept (and therefore, achieve broadcast
without error).
 Fairness: If any honest player aborts then the
adversary receives no information about the
sender’s bit (not relevant to us).
Detectable broadcast (cont.)
 Fitzi’s protocol requires t + 5 rounds and O(n8 (log n +
k)3 ) total bits of communication, where k is a security
parameter.
 Assumes computationally bounded adversary.
 This compares to one round and n2 bits for the previous
protocol.
 Using detectable broadcast is much less efficient.
 However, this is not as bad when compared to protocals
that achieve broadcast against malicious adversaries.
General protocol
1. Run the detectable broadcast protocol
2. - If an abort occurs, output adversary’s
least-preferred outcome
- Otherwise, output the result of the
detectable broadcast protocol
 Works any time the adversary has a known
least-favorite outcome
 Works for t<n
Conclusion
 Rational adversaries do allow
improved results on BA/broadcast.
 For many adversary preferences, we
have matching possibility and
impossibility results.
 More complicated adversary
preferences remain to be analyzed.
Related documents
Overview flyer with flags for 8 leaders
Overview flyer with flags for 8 leaders
download
download
Document
Document
Casual and Social Games
Casual and Social Games
Popular Culture - IHMC Public Cmaps (3)
Popular Culture - IHMC Public Cmaps (3)
Student Handbook THEATRE
Student Handbook THEATRE
Slide 1
Slide 1
Definition of `civil resistance`
Definition of `civil resistance`
Name two characteristics of life.
Name two characteristics of life.
Study of United States Institute on U
Study of United States Institute on U