Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico Canada USA
Byzantine Agreement Each proc. starts with a bit; Goal: All procs. decide the same bit, which must match at least one of their initial bits. t= # of bad procs. controlled by malicious Adversary
Byzantine agreement for large scale networks If you could do it practically, you would! Why? Protecting against malicious attacks Organizing large communities of users Mediation in game theory Fundamental building block
Our Model Procs={1,2,…,n} Message passing: – A knows if it receives from B Synchronous Private random bits Private channels Adaptive adversary Resilience: t < n(1/3- ) Limit on # bits sent by good procs.: Bad procs can send any #.
Our Model Procs={1,2,…,n} Message passing: – A knows if it receives from B Synchronous Private random bits Private channels Adaptive adversary Resilience: t < n(1/3- ) Limit on # bits sent by good procs.: Bad procs can send any #.
Our Model Procs={1,2,…,n} Message passing: – A knows if it receives from B Synchronous w/ rushing adv. Private random bits Private channels Adaptive adversary Resilience: t < n(1/3- ) Limit on # bits sent by good procs.: Bad procs can send any #.
Our Model Procs={1,2,…,n} Message passing: – A knows if it receives from B Synchronous Private random bits Private channels Adaptive adversary Resilience: t < n(1/3- ) Limit on # bits sent by good procs.: Bad procs can send any #.
Our Model Procs={1,2,…,n} Message passing: – A knows if it receives from B Synchronous Private random bits Private channels Adaptive adversary Resilience: t < n(1/3- ) Limit on # bits sent by good procs.: Bad procs can send any #.
Our Model Procs={1,2,…,n} Message passing: – A knows if it receives from B Synchronous Private random bits Private channels Adaptive adversary Resilience: t < n(1/3- ) Limit on # bits sent by good procs.: Bad procs can send any #.
Our Model Procs={1,2,…,n} Message passing: – A knows if it receives from B Synchronous Private random bits Private channels Adaptive adversary Resilience: t < n(1/3- ) Limit on # bits sent by good procs.: Bad procs can send any #.
Our Model Procs={1,2,…,n} Message passing: – A knows if it receives from B Synchronous Private random bits Private channels Adaptive adversary Resilience: t < n(1/3- ) Limit on # bits sent by good procs.: Bad procs can send any #.
scalable Goal: Towards practical scalable BA Polylog bits sent per processor Polylog rounds
Impossibility Any BA (randomized) protocol which always uses o(n 2 ) messages in this model has Pr(failure) >0 (Implication of Dolev Reischuk)
Our results Theorem 1: (BA) For any consts. c, , there is a const. d and a (1/3- )n resilient protocol which solves BA with prob. 1-1/n c using Õ(n 1/2 ) bits per processor in O(log d n) rounds
Also Theorem 2: (a.e.BA) For any consts. c, , there is a const. d and a (1/3- )- resilient protocol which brings 1-O(1/log n) fraction of good procs to agreemt with prob. 1-1/n c using Õ(1) bits per proc. in O(log d n) rounds
Previous work An expected constant number of rounds suffice. ( Feldman and Micali 1988) All previously known protocols use all-to-all communication
KEY IDEA: The power of a short somewhat random stream S S= s 1 s 2 … s k be short stream of numbers. –Some a.e. global random numbers, some numbers fixed by an adversary which can see the preceding stream when choosing. - S can be generated w.h.p.
Talk outline I: Using S to get a.e. BA II Using S to go from a.e. BA to BA III Generating S
Rabin’s BA with Global Coin GC t<n/3 Set vote <-input bit. REPEAT clog n rounds Send-->all procs. Maj <- majority bit from others Fract <-fraction of votes for Maj If Fract > 2/3 agree on bit –then vote <-Maj Else if GC =1 – set vote <- 1; else set vote <- 0
Scalable a.e.BA with a.e.Global Coin GC t< n/3 - Use averaging sampler to assign neighbors to procs =A deterministic way to have mostly good samples. Almost all neighbor sets contain a representative fraction of good procs Almost all good procs compute correct Maj for Fract> 2/3+ /2 -->
using S instead of GC -->a.e.BA whp For i=1,…,k, generate bit s i and run a.e. BA using s i for a.e.global coin It suffices that clog n bits of S are known a.e. and random
II: Using S to go from a.e. BA to BA Idea: Query random set of procs to ask bit. Since almost all good procs agree, majority should give correct answer. –Works if bad procs have communication bound But in our model, the adversary can flood all procs with queries!! Use s to decide which queries to answer.
II: Using S to go from a.e. BA to BA Labels= {1,..,n 1/2 } FOR each number s of S=Labels k : Each proc. p picks Õ(n 1/2 ) random queries and sends label to proc. q answers only if label= s (and not overloaded) if 2/3 majority of p’s queries with the same label are returned and agree on v, then p decides v. IT SUFFICES TO HAVE AN a.e. AGREED upon S with a RANDOM subsequence!
III Generating S
Sparse network Tree of robust supernodes of increasing size with links: procs in child ----> procs in parent node procs in parent node-->leaves of subtrees All procs. Supernodes and links generated using averaging samplers
Arrays of rand. #’s Each proc p i generates array A i of rand #’s and secret shares it with its leaf node. #’s in arrays are revealed as needed to elect which remaining parts of arrays will be passed on to parent node. A1A1 A2A2
Feige’s alg carried out in each node Each candidate picks a bin; winners=lightest bin’s contents >>> Requires agreement on all bin choices.
Elections of arrays in node We use scalable a.e. BA; bin numbers and S given by numbers from sequence of winning arrays of children. s1s1 s2s2
As array moves up, secret shares are split up among more procs on higher levels and erased from children so that adversary cannot learn a large fraction of arrays promoted to a higher level by taking over a small sets of processors on lower level.
Secrets are revealed as needed: by reversing and duplicating communication down every path, reassembling shares at every leaf of subtree. so that adversary cannot prevent secret from being exposed by blocking a single path.
Leaves are sampled (det.) by procs in subtree root to learn secret value
Generation of a short S Only a polylog number of arrays are left at each of the polylog children of the root. These form S When agreement on all of S is needed, a.e. BA can be run using supplemental bits.
Conclusions Uses of S: Easier to generate than a single random coinflip: –S can also be generated w.h.p scalably in the full information nonadaptive adversary model (whereas a single random coinflip can’t) A polylog size S has sufficient randomness to specify a set of n small quorums which are all good w.h.p (submitted to ICDCN) Useful in the asynch alg w/nonadaptive adv (SODA08)
Future work (cont’d) Asynchronous? Towards more practical scalable BA? Bounds on the communication of the bad procs makes the a.e. BA to BA easy. Likely this would simplify the a.e. BA protocol Other problems (SMPC, handling churn and larger name spaces) Other user models (selfish)
Questions?