The Contest between Simplicity and Efficiency
in Asynchronous Byzantine Agreement
Allison Lewko
The University of Texas at Austin
Byzantine Agreement
• n parties
• each has an input bit
• t corrupt parties
0
0
0
1
0
0
Goal:
agree on a bit equal to input of some ``good” party
Byzantine Agreement
• Simple problem, worst case adversary
History
Impossibility Constraints:
• >= 1/3 corrupted processors
• deterministic algorithm, 1 crash failure [FLP]
Algorithms:
[Ben-Or, Bracha]
• termination with prob =1
• adaptive adversary
• exponential expected running time
[KKKSS]
• termination/correctness with prob 1 – o(1)
• non-adaptive adversary
• polylogarithmic running time
Landscape of possible algorithms?
Las Vegas polytime
L
algorithm?
[Ben-Or, Bracha]
Adaptive adversary
L
polytime algorithm?
???
[KKKSS]
Our Result
[Ben-Or, Bracha]
Simple Algorithm Recipe
One Round:
broadcast b
Repeat
validate set
of responses = S
bit b
b’
Compute b’ = N(S)
Randomized function
Ben-Or, Bracha Algorithms
S = Set of bits
• overwhelming majority
• strong majority
• mixed
Decide
Fix b’ to majority
Define b’ randomly
Why Exponential Time?
S: mostly 0 . . . . . . . . mixed . . . . . . . . . mostly 1
Decide 0
Fix 0
Random
Fix 1
Decide 1
Exponential Loop!
𝑛 ∶ 𝑛𝑢𝑚𝑏𝑒𝑟 𝑜𝑓 𝑝𝑟𝑜𝑐𝑒𝑠𝑠𝑜𝑟𝑠
𝑡 = Ω 𝑛 ∶ 𝑛𝑢𝑚𝑏𝑒𝑟 𝑜𝑓 𝑐𝑜𝑟𝑟𝑢𝑝𝑡𝑖𝑜𝑛𝑠
𝑛
2
± O( 𝑛 ) ∶ 𝑒𝑥𝑝𝑒𝑐𝑡𝑒𝑑 𝑛𝑢𝑚𝑏𝑒𝑟 𝑜𝑓 0′ 𝑠, 1′ 𝑠
Generalizing the Algorithm Recipe
Round i:
broadcast vb
validate set of responses = S
i
bit b v
value
S1 , S2 , …, Si
Compute
= N(S)
Compute
v’ =b’N(S
1, S2, … ,Si )
Randomized function with
Randomized
constantfunction
size range
Key Restrictions
• S1, . . . , Si are considered as sets
- messages divorced from senders
• N(S1 , . . . , Si) chooses randomly from
a constant number of possible values
- values themselves can vary
How to Prove Exponential Time?
Classic strategy:
Chain of executions, each execution of exponential length
Not deciding!
Execution
deciding 0
Indistinguishable
to some uncorrupted
processor
Execution
deciding 1
Challenge for Randomized Algorithms
Any single execution may be unlikely
Takes a class of executions to add up to constant probability
Execution Classes
Divide processors into groups
S
S
S
Class defined by sets per
group per round
Source of Adversary’s Control
Suppose Ω(n) processors receive the same sets:
S1, S2, . . . , Si
S1, S2, . . . , Si
S1, S2, . . . , Si
...
N(S1 , . . . , Si)
N(S1 , . . . , Si)
...
N(S1 , . . . , Si)
Independent samples from same distribution
Chernoff Bound
R - a constant
D - a distribution on R values
X 1 ; : : : ; X k - independent samples from D
\ k balls in R bins" :
...
p1
p2
p3
pR
bin i \ far" from pi k with probabability exponentially small in k
Adversary Can Match Expectations
S1, S2, . . . , Si
Output = Expectation [N(S1, … , Si)]
Chain of Execution Classes
• Each group kept in sync
• Output sets match expectations
Execution
class
deciding 0
Execution
class
Indistinguishable
to some group
…
Execution
class
Execution
class
deciding 1
One of these must
be non-deciding
Generating the Chain of Execution Classes
Change group inputs one
group at a time:
1
0
1
0
01
E rounds
Adversary Strategy
• adversary divides processors into groups of t
• corrupts constant fraction per group
• all group members see same message sets
• tries to stay in the non-deciding execution class
Adversary’s Success Probability
S1, S2, … , Si
Output = Expectation
With Prob = 1 – 1/exp
Z1, Z2, … , Zi
Output = Expectation
With Prob = 1 – 1/exp
V1, V2, …,Vi
Output = Expectation
With Prob = 1 – 1/exp
By Union bound over groups and rounds,
# of rounds = Exp with constant probability
Observations
• Adversary Strategy :
- Only leverages message scheduling
and random coins of bad processors
- No hope to detect bad behavior without risk
• Impossibility proof crucially leverages:
-
Received messages treated as sets
Random Variables have bounded support
Open Problems
[Ben-Or, Bracha]
Las Vegas polytime
L
algorithm?
Adaptive adversary
L
polytime algorithm?
???
[KKKSS]
• Still simple structure, unbounded randomness?
• Weaken symmetry in processing received messages?
Thank you!
Questions?