breaking the o(n 2 ) bit barrier: scalable byzantine agreement with an adaptive adversary valerie...
Post on 20-Dec-2015
215 views
TRANSCRIPT
![Page 1: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/1.jpg)
Breaking the O(n2) Bit Barrier:
Scalable Byzantine Agreement with an Adaptive Adversary
Valerie King Jared Saia
Univ. of Victoria Univ. of New Mexico
Canada USA
![Page 2: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/2.jpg)
Byzantine Agreement Byzantine Agreement Each proc. starts with a bit; Goal: All procs. decide the same bit,
which must match at least one of their initial bits.
t= # of bad procs. controlled by malicious Adversary
![Page 3: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/3.jpg)
Byzantine agreement for large scale networks
If you could do it practically, you would!Why?• Protecting against malicious attacks • Organizing large communities of users• Mediation in game theory
Fundamental building block
![Page 4: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/4.jpg)
Our Model
• Procs={1,2,…,n}• Message passing:
– A knows if it receives from B
• Synchronous• Private random bits• Private channels• Adaptive adversary• Resilience: t < n(1/3-)• Limit on # bits sent by good procs.:
Bad procs can send any #.
![Page 5: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/5.jpg)
Our Model
• Procs={1,2,…,n}
• Message passing:– A knows if it receives from B
• Synchronous• Private random bits• Private channels• Adaptive adversary• Resilience: t < n(1/3-)• Limit on # bits sent by good procs.:
Bad procs can send any #.
![Page 6: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/6.jpg)
Our Model
• Procs={1,2,…,n}• Message passing:
– A knows if it receives from B
•Synchronous w/ rushing adv.• Private random bits• Private channels• Adaptive adversary• Resilience: t < n(1/3-)• Limit on # bits sent by good procs.:
Bad procs can send any #.
![Page 7: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/7.jpg)
Our Model
• Procs={1,2,…,n}• Message passing:
– A knows if it receives from B• Synchronous
• Private random bits• Private channels• Adaptive adversary• Resilience: t < n(1/3-)• Limit on # bits sent by good procs.:
Bad procs can send any #.
![Page 8: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/8.jpg)
Our Model
• Procs={1,2,…,n}• Message passing:
– A knows if it receives from B• Synchronous• Private random bits
• Private channels• Adaptive adversary• Resilience: t < n(1/3-)• Limit on # bits sent by good procs.:
Bad procs can send any #.
![Page 9: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/9.jpg)
Our Model
• Procs={1,2,…,n}• Message passing:
– A knows if it receives from B• Synchronous• Private random bits• Private channels
• Adaptive adversary• Resilience: t < n(1/3-)• Limit on # bits sent by good procs.:
Bad procs can send any #.
![Page 10: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/10.jpg)
Our Model
• Procs={1,2,…,n}• Message passing:
– A knows if it receives from B• Synchronous• Private random bits• Private channels• Adaptive adversary
• Resilience: t < n(1/3-)• Limit on # bits sent by good procs.:
Bad procs can send any #.
![Page 11: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/11.jpg)
Our Model
• Procs={1,2,…,n}• Message passing:
– A knows if it receives from B• Synchronous• Private random bits• Private channels• Adaptive adversary• Resilience: t < n(1/3-)
• Limit on # bits sent by good procs.:Bad procs can send any #.
![Page 12: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/12.jpg)
Goal: Towards practical scalablescalable BA
• Polylog bits sent per processor• Polylog rounds
![Page 13: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/13.jpg)
Impossibility
• Any BA (randomized) protocol which always uses o(n2) messages in this model has Pr(failure) >0
(Implication of Dolev Reischuk)
![Page 14: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/14.jpg)
Our results
Theorem 1: (BA) For any consts. c, , there is a const. d and a (1/3- )n resilient protocol which solves BA with prob. 1-1/nc using
Õ(n1/2) bits per processor in O(logd n) rounds
![Page 15: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/15.jpg)
Also
Theorem 2: (a.e.BA) For any consts. c, , there is a const. d and a (1/3- )-resilient protocol which brings
1-O(1/log n) fraction of good procs to agreemt with prob. 1-1/nc using
Õ(1) bits per proc. in O(logd n) rounds
![Page 16: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/16.jpg)
Previous work
• An expected constant number of rounds suffice. (Feldman and Micali 1988)
• All previously known protocols use all-to-all communication
![Page 17: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/17.jpg)
KEY IDEA: The power of a short
somewhat random stream S
• S= s1 s2 … sk be short stream of numbers. – Some a.e. global random
numbers, some numbers fixed by an adversary which can see the preceding stream when choosing.
- S can be generated w.h.p.
![Page 18: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/18.jpg)
Talk outlineI: Using S to get a.e. BA
II Using S to go from a.e. BA to BA
III Generating S
![Page 19: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/19.jpg)
Rabin’s BA with Global Coin GCt<n/3
Set vote <-input bit. REPEAT clog n rounds• Send-->all procs.
• Maj <- majority bit from others• Fract <-fraction of votes for Maj
• If Fract > 2/3 agree on bit – then vote <-Maj
• Else if GC =1 – set vote <- 1; else set vote <- 0
![Page 20: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/20.jpg)
Scalable a.e.BA with a.e.Global Coin GC
t< n/3 - Use averaging sampler to assign neighbors to procs=A deterministic way to have mostly
good samples.
Almost all neighbor setscontain a representative fraction of
good procsAlmost all good procs compute
correct Maj for Fract> 2/3+ /2
-->
![Page 21: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/21.jpg)
using S instead of GC-->a.e.BA whp
For i=1,…,k, generate bit si
and run a.e. BA using si for a.e.global coin
It suffices that clog n bits of S are known a.e. and random
![Page 22: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/22.jpg)
II: Using S to go from a.e. BA to BA
• Idea: Query random set of procs to ask bit. Since almost all good procs agree, majority should give correct answer.– Works if bad procs have communication
bound
• But in our model, the adversary can flood all procs with queries!!
• Use s to decide which queries to answer.
![Page 23: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/23.jpg)
II: Using S to go from a.e. BA to BA
Labels= {1,..,n1/2 }FOR each number s of S=Labelsk :• Each proc. p picks Õ(n1/2) random queries
<proc,label> and sends label to proc. • q answers only if label= s (and not
overloaded)• if 2/3 majority of p’s queries with the
same label are returned and agree on v, then p decides v.
IT SUFFICES TO HAVE AN a.e. AGREED upon S with a RANDOM subsequence!
![Page 24: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/24.jpg)
III Generating S
![Page 25: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/25.jpg)
Sparse network Tree of robust supernodes of increasing size with links: procs in child ----> procs in parent node procs in parent node-->leaves of subtrees
All procs.
Supernodes and links generated usingaveraging samplers
![Page 26: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/26.jpg)
Arrays of rand. #’sEach proc pi generates array Ai of rand #’s and secret shares it with its leaf node.#’s in arrays are revealed as needed to elect which remaining parts of arrays will be passed on to parent node.
A1 A2
![Page 27: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/27.jpg)
Feige’s alg carried out in each node Each candidate picks a bin;
winners=lightest bin’s contents
1 2 3 4 5 6
-->>> Requires agreement on all bin choices.
![Page 28: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/28.jpg)
Elections of arrays in node
• We use scalable a.e. BA;bin numbers and S given by numbers
from sequence of winning arrays of children.
s1
s2
![Page 29: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/29.jpg)
As array moves up, secret shares are split up among more procs on higher levels
and erased from children
so that adversary cannot learn a large fraction of arrays promoted to a higher level by taking over a small sets of processors on lower level.
![Page 30: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/30.jpg)
Secrets are revealed as needed: by reversing and duplicating communication down every path, reassembling shares at every leaf of subtree.
so that adversary cannot prevent secret from being exposed by blocking a single path.
![Page 31: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/31.jpg)
Leaves are sampled (det.) by procs in subtree root to learn secret value
![Page 32: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/32.jpg)
Generation of a short S
Only a polylog number of arrays are left at each of the polylog children of the
root. These form S
When agreement on all of S is needed, a.e. BA can be run using supplemental
bits.
![Page 33: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/33.jpg)
Conclusions
Uses of S:• Easier to generate than a single random
coinflip:– S can also be generated w.h.p scalably in the full
information nonadaptive adversary model
(whereas a single random coinflip can’t)• A polylog size S has sufficient randomness to
specify a set of n small quorums which are all good w.h.p (submitted to ICDCN)
• Useful in the asynch alg w/nonadaptive adv (SODA08)
![Page 34: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/34.jpg)
Future work (cont’d)
Asynchronous? Towards more practical scalable BA?Bounds on the communication of the bad
procs makes the a.e. BA to BA easy. Likely this would simplify the a.e. BA
protocol
Other problems (SMPC, handling churn and larger name spaces)
Other user models (selfish)
![Page 35: Breaking the O(n 2 ) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary Valerie King Jared Saia Univ. of VictoriaUniv. of New Mexico](https://reader038.vdocuments.us/reader038/viewer/2022103022/56649d4d5503460f94a2bb36/html5/thumbnails/35.jpg)
Questions?