Download Byzantine Agreement (BA) protocol

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Arrow's impossibility theorem wikipedia , lookup

Rational choice theory wikipedia , lookup

Choice modelling wikipedia , lookup

Preference (economics) wikipedia , lookup

Transcript
Achieving Byzantine Agreement
and Broadcast against Rational
Adversaries
Adam Groce
Aishwarya Thiruvengadam
Ateeq Sharfuddin
CMSC 858F: Algorithmic Game Theory
University of Maryland, College Park
Overview
 Byzantine agreement and broadcast
are central primitives in distributed
computing and cryptography.
 The original paper proves (LPS1982)
that successful protocols can only be
achieved if the number of adversaries
is 1/3rd the number of players.
Our Work
 We take a game-theoretic approach to this problem
 We analyze rational adversaries with preferences on
outputs of the honest players.
 We define utilities rational adversaries might have.
 We then show that with these utilities, Byzantine
agreement is possible with less than half the players
being adversaries
 We also show that broadcast is possible for any
number of adversaries with these utilities.
The Byzantine Generals
Problem
 Introduced in 1980/1982 by Leslie Lamport,
Robert Shostak, and Marshall Pease.
 Originally used to describe distributed
computation among fallible processors in an
abstract manner.
 Has been applied to fields requiring fault
tolerance or with adversaries.
General Idea
 The n generals of the Byzantine empire
have encircled an enemy city.
 The generals are far away from each
other necessitating messengers to be
used for communication.
 The generals must agree upon a
common plan (to attack or to retreat).
General Idea (cont.)
 Up to t generals may be traitors.
 If all good generals agree upon the
same plan, the plan will succeed.
 The traitors may mislead the generals
into disagreement.
 The generals do not know who the
traitors are.
General Idea (cont.)
 A protocol is a Byzantine Agreement
(BA) protocol tolerating t traitors if
the following conditions hold for any
adversary controlling at most t
traitors:
A. All loyal generals act upon the same plan
of action.
B. If all loyal generals favor the same plan,
that plan is adopted.
General Idea (broadcast)
 Assume general i acting as the
commanding general, and sending his order
to the remaining n-1 lieutenant generals.
 A protocol is a broadcast protocol tolerating
t traitors if these two conditions hold:
1. All loyal lieutenants obey the same order.
2. If the commanding general is loyal, then every
loyal lieutenant general obeys the order he
sends.
Impossibility
 Shown impossible for t ≥ n/3
 Consider n = 3, t = 1; Sender is malicious;
all initialized with 1; from A’s perspective:
A1
1
I’m Spartacus!
Sender1
0
A does not know
if Sender or B is
honest.
0
B1
I’m Spartacus!
Equivalence of BA and
Broadcast
 Given a protocol for broadcast, we
can construct a protocol for
Byzantine agreement.
1. All players use the broadcast protocol
to send their input to every other
player.
2. All players output the value they
receive from a majority of the other
players.
Equivalence of BA and
Broadcast
 Given a protocol for Byzantine agreement,
we can construct a protocol for broadcast.
1. The sender sends his message to all other
players.
2. All players use the message they received
in step 1 as input in a Byzantine
agreement protocol.
3. Players output whatever output is given by
the Byzantine agreement protocol.
Previous Works
 It was shown in PSL1980 that algorithms
can be devised to guarantee
broadcast/Byzantine agreement if and only
if n ≥ 3t+1.
 If traitors cannot falsely report messages
(for example, if a digital signature scheme
exists), it can be achieved for n ≥ t ≥ 0.
 PSL1980 and LSP1982 demonstrated an
exponential communication algorithm for
reaching BA in t+1 rounds for t < n/3.
Previous Works
 Dolev, et al. presented a 2t+3 round BA
with polynomially bounded communication
for any t < n/3.
 Probabilistic BA protocols tolerating t < n/3
have been shown running in expected time
O (t / log n); though running time is high in
worst case.
 Faster algorithms tolerating (n - 1)/3 faults
have been shown if both cryptography and
trusted parties are used to initialize the
network.
Rational adversaries
 All results stated so far assume general,
malicious adversaries.
 Several cryptographic problems have been
studied with rational adversaries
 Have known preferences on protocol output
 Will only break the protocol if it benefits them
 In MPC and secret sharing, rational
adversaries allow stronger results
 We apply rational adversaries to Byzantine
agreement and broadcast
Definition: Security against rational
adversaries
A protocol for BA or broadcast is secure
against rational adversaries with a particular
utility function if for any adversary A1 against
which the protocol does not satisfy the
security conditions there is another adversary
A2 such that:
 When the protocol is run with A2 as the
adversary, all security conditions are satisfied.
 The utility achieved by A2 is greater than that
achieved by A1.
Definition: Security against rational
adversaries (cont.)
 This definition requires that, for the
adversary, following the protocol
strictly dominates all strategies
resulting in security violations.
 Guarantees that there is an incentive
not to break the security.
 We do not require honest execution
to strictly dominate other strategies.
Utility Definitions
 Meaning of “secure against rational
adversaries” is dependent on preferences
that adversaries have.
 Some utility functions make adversarycontrolled players similar to honest players, with
incentives to break protocol only in specific
circumstances.
 Other utility functions define adversaries as
strictly malicious.
 We present several utility definitions that
are natural and reasonable.
Utility Definitions (cont.)
 We limit to protocols that attempt to
broadcast or agree in a single bit.
 The output can be one of the
following:
 All honest players output 1.
 All honest players output 0.
 Honest players disagree on output.
Utility Definitions (cont.)
 We assume that the adversary knows
the inputs of the honest players.
 Therefore, the adversary can choose
a strategy to maximize utility for that
particular input set.
Utility Definitions (cont.)
 Both protocol and adversary can act
probabilistically.
 So, an adversary’s choice of strategy
results not in a single outcome but in
a probability distribution over possible
outcomes.
 We establish a preference ordering on
probability distributions.
Strict Preferences
 An adversary with “strict preferences” is
one that will maximize the likelihood of its
first-choice outcome.
 For a particular strategy, let a1 be the
probability of the adversary achieving its firstchoice outcome and a2 be the probability of
achieving the second choice outcome.
 Let b1 and b2 be the same probabilities for a
second potential strategy.
 We say that the first strategy is preferred if and
only if a1 > b1 or a1=b1 and a2 > b2.
Strict Preferences (cont.)
 Not a “utility” function in the classic
sense
 Provides a good model for a very
single-minded adversary.
Strict Preferences (cont.)
 We will use shorthand to refer to the
ordering of outcomes:
 For example: 0s > disagreement > 1s.
 Denotes an adversary who prefers that
all honest players output 0, whose
second choice is disagreement, and last
choice is all honest players output 1.
Linear Utility
 An adversary with “linear utilities” has
its utilities defined by:
Utility =
u1 Pr[players output 0] +
u2 Pr[players output 1] +
u3 Pr [players disagree]
Where u1 + u2 + u3 = 1.
Definition (0-preferring)
 A 0-preferring adversary is one for
which
Utility = E[number of honest players
outputting 0].
 Not a refinement of the strict ordering
adversary with a preference list of 0s >
disagree > 1.
Other possible utility definitions
 The utility definitions do not cover all
preference orderings.
 With n players, there is 2n output
combinations.
 There are an infinite number of probability
distributions on those outcomes.
 Any well-ordering on these probability
distributions is a valid set of preferences
against which security could be guaranteed.
Other possible utility definitions
 Our utility definitions preserve symmetry of
players, but this is not necessary.
 It is also possible that the adversary’s
output preferences are a function of the
input.
 The adversary could be risk-averse
 Adversarial players might not all be
centrally controlled.
 Could have conflicting preferences
Equivalence of Broadcast to BA,
revisited
 Reductions with malicious adversaries
don’t always apply
 Building BA from broadcast fails
 Building broadcast from BA succeeds
Strict preferences case
 Assume a preference ordering of
0 > 1 > disagree.
 t < n/2
 Protocol:
 Each player sends his input to everyone.
 Each player outputs the majority of all
inputs he has received. If there is no
strict majority, output 0.
Strict preferences case (cont.)
 Proof:
 If all honest players held the same input,
the protocol terminates with the honest
players agreeing despite what the
adversary says.
 If the honest players do not form a
majority, it is in adversarial interest to
send 0’s.
Generalizing the proof
 Same protocol:
 Each player sends his input to everyone.
 Each player outputs the majority of all
inputs he has received. If there is no
strict majority, output 0.
 Assume any preference set with allzero output as first choice.
 Proof works as before.
A General Solution
 Task: To define another protocol that
will work for strict preferences with
disagree > 0s > 1s.
 We have not found a simple efficient
solution for this case.
 Instead, we define a protocol based
on Fitzi et al.’s work on detectable
broadcast.
 Solves for a wide variety of preferences
Definition: Detectable Broadcast
 A protocol for detectable broadcast must
satisfy the following three conditions:
 Correctness: All honest players either abort or
accept and output 0 or 1. If any honest player
aborts, so does every other honest player. If no
honest players abort then the output satisfies
the security conditions of broadcast.
 Completeness: If all players are honest, all
players accept (and therefore, achieve broadcast
without error).
 Fairness: If any honest player aborts then the
adversary receives no information about the
sender’s bit (not relevant to us).
Detectable broadcast (cont.)
 Fitzi’s protocol requires t + 5 rounds and O(n8 (log n +
k)3 ) total bits of communication, where k is a security
parameter.
 Assumes computationally bounded adversary.
 This compares to one round and n2 bits for the previous
protocol.
 Using detectable broadcast is much less efficient.
 However, this is not as bad when compared to protocals
that achieve broadcast against malicious adversaries.
General protocol
1. Run the detectable broadcast protocol
2. - If an abort occurs, output adversary’s
least-preferred outcome
- Otherwise, output the result of the
detectable broadcast protocol
 Works any time the adversary has a known
least-favorite outcome
 Works for t<n
Conclusion
 Rational adversaries do allow
improved results on BA/broadcast.
 For many adversary preferences, we
have matching possibility and
impossibility results.
 More complicated adversary
preferences remain to be analyzed.