Byzantine Agreement and Multi-Party Computation (MPC)
Aris Tentes

What is Byzantine Agreement/General?
• History of the name (Byzantium 1453)
• Simulation of broadcasting:
  i) P sends a value to n players and they must decide on the same value (B. General)
  ii) Every player has a value and all players must decide on the majority (B. Agreement)

Conditions: t of the players may be dishonest. Therefore we achieve broadcasting iff the following are satisfied:
1. Termination
2. Agreement: all correct players decide on the same value
3. Validity: if P is correct, all correct players decide on his value (B. Generals); if all correct players have the same value, then all correct players decide on this value (B. Agreement)

B. General => B. Agreement: Every player broadcasts his value and then decides on the majority of the values received.
B. Agreement => B. General: Player P sends his value to all players and then all players decide on the same value using a B. Agreement protocol.

Perfect BA
• Unconditional BA: A protocol with non-zero probability of error
• Cryptographic BA: The adversary has bounded computational power.

Impossibility Proof
Theorem: We cannot have a secure BA if t ≥ n/3.
Proof: Simple case n = 3 and t = 1, by contradiction.
Intuitively:

The protocol of BGP89
• Perfect security for t<n/3.
• Bit complexity O(tn^2)
• Round complexity O(t)
• Includes three subprotocols: I) Weak Agreement II) Graded Agreement III) King Agreement

Weak Agreement
Goal: If $P_i$ is correct with output $y_i \in \{0,1\}$, then all correct players have output in $\{y_i, \bot\}$.
1) $P_i$ sends $x_i$ to every $P_j$
2) Every $P_i$ sets
$$y_i = \begin{cases} 0, & \#0 > 2t \\ 1, & \#1 > 2t \\ \bot, & \text{else} \end{cases}$$

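Graded Agreement
Goal: If $P_i$ is correct with $y_i \in \{0,1\}$ and $g_i = 1$, then every correct $P_j$ has $y_j = y_i$.
1) Run the WeakAgreement protocol with output $z_i$.
2) $P_i$ sends $z_i$ to every $P_j$.
3) Every $P_i$ sets
$$y_i = \begin{cases} 0, & \#0 > \#1 \\ 1, & \#1 > \#0 \end{cases} \qquad g_i = \begin{cases} 1, & \text{if } \#y_i > 2t \\ 0, & \text{else} \end{cases}$$
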
King Agreement
Goal: A player $P_k$ is selected to be the king. If the king is correct, then all correct players have the same output.
1) Run the GradedAgreement protocol
2) $P_k$ sends $z_k$ to every $P_j$
3) Every $P_j$ sets
$$y_j = \begin{cases} z_j, & \text{if } g_j = 1 \\ z_k, & \text{else} \end{cases}$$

Agreement and Broadcast
• Termination and Validity: Always preserved
• Agreement: We run the KingAgreement t+1 times. There is at least one correct king. (B. Agreement)
The general sends his value to all players and then they run the Agreement protocol above. (Broadcast)

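
An added example (not from the slides): a small Python simulation of the three subprotocols and the t+1 king rounds, with the thresholds used as stated above. It assumes n = 3t + 1 players, synchronous rounds, a constructed adversary whose corrupted players send random values, and a tie-break of 1 in Graded Agreement; all function names are chosen here.

```python
import random

BOT = None  # the "⊥" output of Weak Agreement

def exchange(vals, faulty, rng):
    """One synchronous round; row j lists what P_j receives from P_0..P_{n-1}.
    Faulty senders (constructed adversary) send each receiver a random value."""
    n = len(vals)
    return [[rng.choice([0, 1, BOT]) if i in faulty else vals[i]
             for i in range(n)] for _ in range(n)]

def weak_agreement(x, t, faulty, rng):
    # y_i = 0 if #0 > 2t, 1 if #1 > 2t, otherwise ⊥
    return [0 if r.count(0) > 2 * t else 1 if r.count(1) > 2 * t else BOT
            for r in exchange(x, faulty, rng)]

def graded_agreement(x, t, faulty, rng):
    z = weak_agreement(x, t, faulty, rng)
    y, g = [], []
    for r in exchange(z, faulty, rng):
        # The tie #0 == #1 is not specified on the slide; 1 is chosen here (assumption).
        yi = 0 if r.count(0) > r.count(1) else 1
        y.append(yi)
        g.append(1 if r.count(yi) > 2 * t else 0)
    return y, g

def king_agreement(x, k, t, faulty, rng):
    z, g = graded_agreement(x, t, faulty, rng)
    # A faulty king may send a different bit to every player.
    from_king = [rng.choice([0, 1]) if k in faulty else z[k] for _ in x]
    return [z[j] if g[j] == 1 else from_king[j] for j in range(len(x))]

def byzantine_agreement(x, t, faulty, seed=0):
    """Run King Agreement with kings P_0..P_t; return the correct players' outputs."""
    rng = random.Random(seed)
    for k in range(t + 1):
        x = king_agreement(x, k, t, faulty, rng)
    return [x[i] for i in range(len(x)) if i not in faulty]

if __name__ == "__main__":
    # Constructed run: n = 4, t = 1, and P_0 (the first king) is Byzantine.
    print(byzantine_agreement([0, 1, 0, 1], t=1, faulty={0}))
```

The entries of x at faulty indices are ignored, because a faulty player's messages are always replaced by the adversary's choices.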
Lower bounds
A perfectly secure BA protocol cannot have less than:
1) t+1 rounds
2) O(nt) bit complexity
3) t≥n/3
Open problem: It is not known if a protocol exists satisfying these lower bounds.

Other protocols
It is not known if a protocol with both t+1 rounds and O(n^2) bit complexity exists.

What is Multi Party Computation?
Secure function evaluation: There are N parties who want to compute a function of their inputs but do not trust each other.
Examples:
1) Dating problem
2) Yao's millionaires' problem.

What is Multi Party Computation?
The obvious solution is that each party gives his input to a trusted party (TP) who does the computation for them.
MPC: An MPC protocol simulates this trusted party.

Three Adversary types
• Passive Adversary: The adversary can see the results of $t_p$ parties.
• Fail-stop Adversary: The adversary can make $t_f$ parties stop sending messages.
• Active Adversary: The adversary has full control of $t_a$ parties and can make them misbehave randomly.

Perfect secure MPC
• Unconditional secure MPC: A protocol with non-zero probability of error
• Cryptographic secure MPC: The adversary has bounded computational power.

Mixed Model
For the mixed model (passive + active + fail-stop adversary) there exists a perfect secure MPC protocol iff $3t_a + 2t_p + t_f < n$

The protocol of BGW88 (passive model)
• Perfect security for t<n/2
• Bit complexity O(mn^2) field elements
• Round complexity O(d)

Shamir's secret sharing
The dealer P who wants to share a secret s selects a random polynomial of degree t:
$$f_s(x) = s + r_1 x + \dots + r_t x^t$$
and sends to processor $P_i$ his share $s_i = f_s(\alpha_i)$.
Up to t players cannot reveal the secret.

Linear functions
• a, b are shared with $f_a$, $f_b$
• We define $h(x) = f_a(x) + f_b(x)$
• We observe $h(0) = f_a(0) + f_b(0) = a + b$
• Hence $c_i = a_i + b_i$ defines $P_i$'s share of a + b

Multiplication (1/2)
• a, b are shared with $f_a$, $f_b$
• The products $a_i b_i$ are shares of a polynomial of degree 2t ($f_{ab}(x) = f_a(x) f_b(x)$, with $f_{ab}(0) = ab$)
• We must reduce the degree of the sharing to t

Multiplication (2/2)
• So: Every processor $P_i$ shares his share $a_i b_i$ with a polynomial $h_i(x)$ of degree t with $h_i(0) = f_a(\alpha_i) f_b(\alpha_i) = f_{ab}(\alpha_i)$
• Every processor $P_i$ now has the values $h_1(\alpha_i), \ldots, h_n(\alpha_i)$
• Hence t+1 processors can compute $h_i(0) = f_{ab}(\alpha_i)$, $i = 1, \ldots, n$
• Finally every processor from above can compute $f_{ab}(0)$

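
An added example (not from the slides) of the sharing, addition and multiplication steps above, in Python. The field modulus, the evaluation points 1..n and the function names are assumptions, and the last step is written in the usual form where each player combines the sub-shares it received with Lagrange coefficients, so the product ends up shared with degree t.

```python
import random

P = 2**61 - 1  # prime field modulus (assumed; the slides fix no field)

def share(secret, t, n, rng):
    """Shamir: f(x) = secret + r_1 x + ... + r_t x^t; player i gets f(i), i = 1..n."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)]

def lagrange_at_zero(points):
    """Coefficients l_i with f(0) = sum_i l_i * f(x_i) whenever deg f < len(points)."""
    out = []
    for xi in points:
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        out.append(num * pow(den, -1, P) % P)
    return out

def reconstruct(shares, points):
    """Interpolate f(0) from the shares held at the given evaluation points."""
    return sum(l * s for l, s in zip(lagrange_at_zero(points), shares)) % P

def add(a_sh, b_sh):
    # Linear functions are local: c_i = a_i + b_i is a degree-t share of a + b.
    return [(a + b) % P for a, b in zip(a_sh, b_sh)]

def multiply(a_sh, b_sh, t, rng):
    n = len(a_sh)
    # Each P_i reshares a_i * b_i = f_ab(i) with a fresh degree-t polynomial h_i;
    # sub[i][j] is h_i evaluated at P_j's point, i.e. what P_i sends to P_j.
    sub = [share(a * b % P, t, n, rng) for a, b in zip(a_sh, b_sh)]
    lam = lagrange_at_zero(list(range(1, n + 1)))  # valid because n >= 2t + 1
    # P_j combines its column locally and obtains a degree-t share of f_ab(0) = ab.
    return [sum(lam[i] * sub[i][j] for i in range(n)) % P for j in range(n)]

if __name__ == "__main__":
    rng = random.Random(1)  # constructed inputs: a = 7, b = 6, n = 5, t = 2
    a_sh, b_sh = share(7, 2, 5, rng), share(6, 2, 5, rng)
    c_sh = multiply(a_sh, b_sh, 2, rng)
    print(reconstruct(add(a_sh, b_sh)[:3], [1, 2, 3]), reconstruct(c_sh[:3], [1, 2, 3]))
```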
Active Model generally
• Use of Byzantine Generals protocols
• Every player is committed to the value he shares
• Every player is committed to the value he receives