Detectable Byzantine Agreement Secure Against Faulty Majorities

Similar documents
CMSC 858F: Algorithmic Game Theory Fall 2010 Achieving Byzantine Agreement and Broadcast against Rational Adversaries

Secure Multi-Party Computation Without Agreement

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

Adaptively Secure Broadcast, Revisited

Adaptively Secure Broadcast, Revisited

Adaptively Secure Broadcast

On the Composition of Authenticated Byzantine Agreement

Byzantine Agreement with a Rational Adversary

Byzantine Failures. Nikola Knezevic. knl

Asynchronous Proactive Cryptosystems without Agreement

Practical Byzantine Fault Tolerance. Miguel Castro and Barbara Liskov

Parsimonious Asynchronous Byzantine-Fault-Tolerant Atomic Broadcast

Yuval Ishai Technion

Universally Composable Synchronous Computation

Byzantine Techniques

Consensus Problem. Pradipta De

Optimal Resilience for Erasure-Coded Byzantine Distributed Storage

Dfinity Consensus, Explored

SCALABLE MPC WITH STATIC ADVERSARY. Mahnush Movahedi, Jared Saia, Valerie King, Varsha Dani University of New Mexico University of Victoria

ROUND COMPLEXITY LOWER BOUND OF ISC PROTOCOL IN THE PARALLELIZABLE MODEL. Huijing Gong CMSC 858F

Secure Multiparty Computation

Reaching Consensus. Lecture The Problem

On Complete Primitives for Fairness

Failures, Elections, and Raft

Fault Tolerance. Distributed Software Systems. Definitions

SoK: A Consensus Taxonomy in the Blockchain Era

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Consensus in Distributed Systems. Jeff Chase Duke University

Distributed Deadlock

CS5412: CONSENSUS AND THE FLP IMPOSSIBILITY RESULT

Reliable Broadcast in Radio Networks: The Bounded Collision Case

Simple and Efficient Perfectly-Secure Asynchronous MPC

Fair exchange and non-repudiation protocols

Asynchronous Secure Multiparty Computation in Constant Time

Secure Multi-Party Computation. Lecture 13

On Composability of Reliable Unicast and Broadcast

Yale University Department of Computer Science

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Fault-Tolerant Distributed Consensus

Fairness versus Guaranteed Output Delivery in Secure Multiparty Computation

BYZANTINE AGREEMENT CH / $ IEEE. by H. R. Strong and D. Dolev. IBM Research Laboratory, K55/281 San Jose, CA 95193

The Long March of BFT. Weird Things Happen in Distributed Systems. A specter is haunting the system s community... A hierarchy of failure models

Consensus in the Presence of Partial Synchrony

Distributed Systems 11. Consensus. Paul Krzyzanowski

arxiv: v2 [cs.dc] 12 Sep 2017

Probabilistic Termination and Composability of Cryptographic Protocols [Crypto 16]

Proseminar Distributed Systems Summer Semester Paxos algorithm. Stefan Resmerita

Secure Message Transmission with Small Public Discussion. Juan Garay (AT&T Labs Research) Clint Givens (UCLA) Rafail Ostrovsky (UCLA)

Protocols for Multiparty Coin Toss With Dishonest Majority

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Consensus and related problems

Secure and Efficient Asynchronous Broadcast Protocols

Today: Fault Tolerance

Secure Multi-Party Computation

Hybrid-Secure MPC: Trading Information-Theoretic Robustness for Computational Privacy

Specification of Dependable Trusted Third Parties

Fairness Versus Guaranteed Output Delivery in Secure Multiparty Computation

Fast Asynchronous Consensus with Optimal Resilience

Introduction to Distributed Systems Seif Haridi

Practical Byzantine Fault

Practice: Large Systems Part 2, Chapter 2

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

On Complete Primitives for Fairness

Broadcast and Consensus in Cryptographic Protocols

21. Distributed Algorithms

Bounded-Concurrent Secure Two-Party Computation Without Setup Assumptions

MTAT Research Seminar in Cryptography Building a secure aggregation database

1/p-Secure Multiparty Computation without Honest Majority and the Best of Both Worlds

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Today: Fault Tolerance. Fault Tolerance

To do. Consensus and related problems. q Failure. q Raft

Distributed Algorithms Reliable Broadcast

Practical Byzantine Fault Tolerance and Proactive Recovery

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

Two-Phase Atomic Commitment Protocol in Asynchronous Distributed Systems with Crash Failure

Data Consistency and Blockchain. Bei Chun Zhou (BlockChainZ)

Optimistic Asynchronous Atomic Broadcast

Consensus and agreement algorithms

Asynchronous Verifiable Secret Sharing and Proactive Cryptosystems

Resilient-Optimal Interactive Consistency in Constant Time

Edge Fault Tolerance on Sparse Networks

6.897: Selected Topics in Cryptography Lectures 13 and 14. Lecturer: Ran Canetti

Today: Fault Tolerance. Replica Management

An Overview of Secure Multiparty Computation

Practical Byzantine Fault Tolerance

Solution to Problem Set 8

Cryptocurrency and Blockchain Research

Byzantine Fault Tolerant Raft

Basic vs. Reliable Multicast

RZ 3202 (# 93248) 01/17/00 Computer Science/Mathematics 9 pages Research Report Optimistic Asynchronous Byzantine Agreement Klaus Kursawe IBM Research

Introduction to Secure Multi-Party Computation

Hash Proof Systems and Password Protocols

Self-Stabilizing Byzantine Digital Clock Synchronization

Defining Multi-Party Computation

Self Stabilization. CS553 Distributed Algorithms Prof. Ajay Kshemkalyani. by Islam Ismailov & Mohamed M. Ali

Almost-everywhere Secure Computation

A definition. Byzantine Generals Problem. Synchronous, Byzantine world

BYZANTINE GENERALS BYZANTINE GENERALS (1) A fable: Michał Szychowiak, 2002 Dependability of Distributed Systems (Byzantine agreement)

Middleware and Distributed Systems. System Models. Dr. Martin v. Löwis

The Design and Implementation of a Fault-Tolerant Media Ingest System

Transcription:

Detectable Byzantine Agreement Secure Against Faulty Majorities Matthias Fitzi, ETH Zürich Daniel Gottesman, UC Berkeley Martin Hirt, ETH Zürich Thomas Holenstein, ETH Zürich Adam Smith, MIT (currently at Microsoft Research) 1

Detectable Byzantine Agreement Secure Against Faulty Majorities Broadcast = Single-source Byzantine Agreement = Sender S wants to send value v to all other players In a synchronous network with no previous setup, broadcast requires t < n/3 [PSL,KY,DD] Detectable Broadcast [FGM]: Allow abort. Either all honest players abort, or broadcast is achieved This work: Randomized DB protocols for all t < n 2

Outline What is Detectable Broadcast? Protocols for an arbitrary number of cheaters Extensions Conclusions, Open questions 3

Outline What is Detectable Broadcast? Review: Standard Synchronous Model Detectable Broadcast Our Results Protocols for all t < n Extensions Conclusions, Open questions 4

Review: Standard Synchronous Model Synchronous network of n players (= randomized TM s) Pairwise authenticated, unblockable channels Know identity of all other players Common start time Will be removed Adversary corrupts up to t players Malicious coordination of corrupted players Choice of corruptions is adaptive (= on the fly) Messages may be rushed (= cheaters get to see honest players round i messages before sending their own) 5

Review: Computational Power Results for two models Computational security Adversary runs in polynomial time Assume secure cryptographic primitives (e.g. signatures) Unconditional security Adversary has unbounded computational power Assume secure channels between honest players Theorem ([CFGN 96], non-committing encryption ): Unconditional security Computational security 6

Broadcast (Single-source Byzantine Agreement) Designated sender S with input v {0,1} m Each player P i outputs v (i) {0,1} m Consistency P i, P j honest v (i) = v (j) = v Validity S honest v = v Completeness All players honest v = v 7

Detectable Broadcast Designated sender S with input v {0,1} m Each player P i outputs v (i) {0,1} m { } Consistency P i, P j honest v (i) = v (j) = v Validity S honest v {v, } Completeness All players honest v = v Either broadcast is achieved or all players abort 8

Detectable Broadcast Motivation: Reduce setup assumptions to a minimum Applications: settings in which In case of faults there is recourse to some other system Adversary already has power to disrupt (secure function evaluation) Introduced by [Fitzi, Gisin, Maurer 2001] in context of quantum cryptography Stronger than Weak Broadcast [Lamport 83] 9

Previous Work on (Strong) Broadcast With no previous setup (other than identities + start time) t n/3 is impossible (even randomized or computational) [LSP,PSL] [KY,DD] Other models (additional setup) Signature PKI (pre-distributed verification keys) Computational security for any t < n Preprocessing phase with broadcast Unconditional security for any t < n [DS83] [PW92] 10

Previous Work on Detectable Broadcast [Lamport 83] Impossible for deterministic protocols when t n/3 Mistaken Folklore Impossible even for randomized or computational protocols [FGMR 02] Randomized protocol for t < n/2 (unconditionally secure, very complex) 11

This Work Simple transformation Broadcast protocol which requires previous setup no previous setup, but possibility of aborting Similar idea used in [Goldwasser-Lindell 2002] in context of multi-party computing 12

Contributions Protocols for Detectable Broadcast for any t < n Computational security (signature schemes) t + 3 rounds, O( n 3 k ) message bits per player Unconditional security t + 5 rounds, O( n 6 (log n + k) 3 ) message bits per player Extensions: Detectable Clock Synchronization Secure Function Evaluation (Multi-party Computing) 13

Outline What is Detectable Broadcast? Protocols for all t < n Extensions Conclusions, Open questions 14

Outline What is Detectable Broadcast? Protocols for all t < n General methodology Illustration: Computationally secure protocol Unconditionally secure protocol (in the paper) Extensions Conclusions, Open questions 15

Methodology Start from preprocessing-based protocol Initial Setup phase assumes secure broadcast Subsequent Broadcast phase uses only pair-wise channels Modify preprocessing to remove broadcast: Replace with simple Send-Echo protocol Use agreement phase to decide whether or not the preprocessing was successful 16

Basic Step: Send-Echo (1) Sender S sends value v to all other players (2) Each player echoes received value v (i) to all other players Player P i outputs - Value v (i) received from S - Bit b (i) = 1 if all echoed values agree 0 otherwise S S Round 1 Round 2 17

Basic Step: Send-Echo (1) Sender S sends value v to all other players (2) Each player echoes received value v (i) to all other players Player P i outputs - Value v (i) received from S - Bit b (i) = 1 if all echoed values agree 0 otherwise S honest All honest players output v (i) = v If any honest player has b (i) =1 All honest players output same value v i.e. Broadcast was achieved 18

Computationally Secure Protocol Starting point: Dolev-Strong authenticated broadcast 1. Setup Phase (DSSetup) P i picks (VK i,sk i ) P i broadcasts VK i 2. Agreement Phase (DSBroadcast) Achieves broadcast in t+1 rounds 19

For each i = 1,2,...,n : Each P i picks (VK i,sk i ) (1) Run n copies of Send-Echo (for each i: S=P i and v = VK i ) Set b i = 1 if all n Send-Echo protocols succeed 0 otherwise VK (i) j = Key received from P j (2) Run n copies of DSBroadcast (for each i: S = P i, v = b i ) using keys VK 1 (i),...,vk n (i) Accept VK 1 (i),...,vk n (i) as valid if all received b j =1 (3) If valid, run DSBroadcast with real message and sender Else abort If any honest player has b i =1 all honest players have consistent keys DSBroadcast achieves broadcast 20

For each i = 1,2,...,n : Each P i picks (VK i,sk i ) (1) Run n copies of Send-Echo (for each i: S=P i and v = VK i ) Set b i = 1 if all n Send-Echo protocols succeed 0 otherwise VK (i) j = Key received from P j (2) Run n copies of DSBroadcast (for each i: S = P i, v = b i ) using keys VK 1 (i),...,vk n (i) Accept VK 1 (i),...,vk n (i) as valid if all received b j =1 (3) If valid, run DSBroadcast with real message and sender Else abort If all honest players have b i = 0 All honest players reject at end of phase (2) 21

Outline What is Detectable Broadcast? Protocols for all t < n Extensions Desynchronized clocks Secure Function Evaluation a.k.a. Multi-party Computing (in the paper) Conclusions, Open questions 22

Desynchronized clocks What if Players don t start at the same time? Some player wants to initiate a broadcast? (Idea: minimize assumptions about system) 23

Classic Problem: Firing Squad Synchronous system but not all clocks start at same time Goal: Synchronize clocks Impossible for t n/3 even with previous setup [CDDS 85] What weaker tasks are achievable for all t < n? 24

Detectable Firing Squad Synchronous system but not all clocks start at same time Each P i outputs v (i) {FIRE, FAIL} eventually Consistency Synchrony P i, P j honest v (i) = v (j) = v In case of FAIL, no synchronization v = FIREall honest P i terminate simultaneously Termination Any execution terminates within T steps Theorem [this work]: Can tolerate any t < n without previous setup 25

Outline What is Detectable Broadcast? Protocols for all t < n Extensions Conclusions, Open questions 26

Conclusions Motivation: Reduce assumptions to a minimum (identities) Quite a lot can be done, if you re willing to give up correction of faults in favor of detection by allowing cheaters to force abort Detectable broadcast protocols exist for t < n 27

Open Questions Reduce expected rounds below t (solved for t < n/3) In Broadcast with Preprocessing? In Detectable Broadcast? Asynchronous Settings Does preprocessing allow any improvements? [partial answers known: Cachin et al.] Could such protocols be modified to allow abort and remove preprocessing? 28

Secure Function Evaluation Also called Multi-Party Computing Network of n players Each has input x i Want to compute f(x 1,,x n ) for some known function f E.g. electronic voting x 1 x x 3 2 x n Protocol f(x 1,,x n ) 29

Secure Function Evaluation Even if t out of n players try to cheat: x 1 x x 3 2 x n Protocol 1. Cheaters learn nothing (except output) 2. Cheaters cannot affect output f(x 1,,x n ) 30

Secure Function Evaluation Theorem [folklore]: With a faulty majority, adversary can always force SFE to abort (reduction to 2 player setting) Theorem [BG,BMG,CR,FS,KO]: Using broadcast channel, there is a O(log n) round protocol for Secure Function Evaluation with abort tolerating any t < n. Corollary [this work]: With pairwise authentic channels, we get O(n log n)-round protocols for SFE with abort. 31

Broadcast with Non-Unison Start Designated sender S with input v {0,1} m Each player P i outputs v (i) {0,1} m eventually Consistency P i, P j honest v (i) = v (j) = v Validity S honest v = v Completeness All players honest v = v Bound on interval between outputs 32

Detectable Broadcast, Non-Unison Start Designated sender S with input v {0,1} m Each player P i outputs v (i) {0,1} m { } eventually Consistency P i, P j honest v (i) = v (j) = v Validity S honest v {v, } Completeness All players honest v = v Bound on interval between outputs 33

Results Firing Squad Possible if and only if t < n/3 Broadcast with Non-Unison Start No Preprocessing: Possible if and only if t < n/3 Pre-Agreed Signature Keys: Can tolerate any t < n Detectable Broadcast with Non-Unison Start Possible for any t < n Bonus: Protocol accepts outputs are synchronized 34

Detectable Byzantine Agreement Secure Against Faulty Majorities or How (Well) You Can Agree When You ve Never Agreed Before 35

Agreement is difficult... Alice Sally Yes Yes Yes No Bob 36

Agreement is difficult... 37? Alice No Yes No Yes Sally Yes Bob

Review: Broadcast (Byzantine Agreement) Designated sender S with input v {0,1} m Each player P i outputs v (i) {0,1} m Consistency P i, P j honest v (i) = v (j) = v Validity S honest v = v 38

Previous Work on (Strong) Broadcast With no previous setup (other than identities + start time) t < n/3: Unconditionally secure protocols [LSP80] t n/3: Impossible (even computational or randomized) With preprocessing (broadcast available) Signature PKI (pre-distributed verification keys) Computational security for any t < n Preprocessing phase with broadcast Unconditional security for any t < n [DS83] [PW92] 39

Previous Work on Detectable Broadcast [Lamport 83] Impossible for deterministic protocols when t n/3 Mistaken Folklore Impossible even for randomized or computational protocols [FGMR 02] Randomized protocol for t < n/2 (unconditionally secure, very complex) 40

Feasibility No Setup Broadcast [LSP] Detectable Broadcast [FGMR] Detectable Broadcast [This work] With Previous Setup Broadcast [DS, PW] 0 n/3 n/2 t = number of cheaters n 41

Unconditionally Secure Protocol Start from Pfitzmann-Waidner protocol for broadcast from preprocessing Step 1: Modify Pfitzmann-Waidner for efficiency Step 2: Get rid of preprocessing as before 42

Starting point: Pfitzmann-Waidner 1. Setup Phase (PWSetup) Broadcast available O(n 2 ) rounds 2. Agreement Phase (PWBroadcast) Always succeeds (with high prob.) Achieves broadcast in t+1 rounds One setup allows poly(n,k) broadcasts 43

Step 1: Modified PW protocol 1. Simplified Setup Phase (SPWSetup) Broadcast available O(n 2 ) rounds 3 rounds 2. Agreement Phase (PWBroadcast) Either succeeds or all honest players abort Achieves broadcast in t+1 rounds if setup phase succeeded One setup allows poly(n,k) broadcasts 44

For each i = 1,2,...,n : Run SPWSetup using Send-Echo instead of broadcasts Set b i = 1 if all Send-Echo protocols succeed 0 otherwise V (i) = Values received during SPWSetup Run PWBroadcast with S = P i, v = b i and parameters V (i) Accept V (i) as valid if all received b j =1 If valid, run PWBroadcast with real message and sender Else abort Any honest player has b i =1 Setup completed successfully PWBroadcast achieves broadcast 45

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback