Breaking the O(n^2) Bit Barrier: Scalable Byzantine Agreement with an Adaptive Adversary

Valerie King, Univ. of Victoria, Canada
Jared Saia, Univ. of New Mexico, USA
Byzantine Agreement
Each proc. starts with a bit;
Goal: All procs. decide the same bit,
which must match at least one of their
initial bits.
t= # of bad procs. controlled by malicious
Adversary
Byzantine agreement for
large scale networks
If you could do it practically, you would!
Why?
• Protecting against malicious attacks
• Organizing large communities of users
• Mediation in game theory
Fundamental building block
Our Model
• Procs={1,2,…,n}
• Message passing:
– A knows if it receives from B
• Synchronous w/ rushing adv.
• Private random bits
• Private channels
• Adaptive adversary
• Resilience: t < n(1/3-)
• Limit on # bits sent by good procs.:
Bad procs can send any #.
Goal: Towards practical
scalable BA
• Polylog bits sent per processor
• Polylog rounds
Impossibility
• Any BA (randomized) protocol which
always uses o(n^2) messages in this
model has Pr(failure) > 0
(Implication of Dolev Reischuk)
Our results
Theorem 1: (BA) For any consts. c, ,
there is a const. d and a (1/3- )n
resilient protocol which solves BA
with prob. 1-1/n^c using
Õ(n^{1/2}) bits per processor in O(log^d n)
rounds
Also
Theorem 2: (a.e.BA) For any consts. c,
, there is a const. d and a (1/3- )resilient protocol which brings
1-O(1/log n) fraction of good procs to
agreement with prob. 1-1/n^c using
Õ(1) bits per proc. in O(log^d n) rounds
Previous work
• An expected constant number of
rounds suffice. (Feldman and Micali 1988)
• All previously known protocols use
all-to-all communication
KEY IDEA:
The power of a short
somewhat random stream S
• Let S = s_1 s_2 … s_k be a short stream of
numbers.
– Some a.e. global random numbers,
some numbers fixed by an
adversary which can see the
preceding stream when choosing.
- S can be generated w.h.p.
Talk outline
I: Using S to get a.e. BA
II: Using S to go from a.e. BA to BA
III: Generating S
Rabin’s BA with Global Coin GC
t < n/3
Set vote <- input bit. REPEAT c log n rounds:
• Send vote --> all procs.
• Maj <- majority bit from others
• Fract <- fraction of votes for Maj
• If Fract > 2/3 agree on bit
– then vote <- Maj
• Else if GC = 1
– set vote <- 1; else set vote <- 0
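Added example, not from the slides: a Python simulation of the global-coin loop above, showing agreement and validity with t < n/3 equivocating procs. The function names, the fixed adversary strategy and the sample inputs are constructed assumptions; each proc counts all n votes, its own included.

```python
import math
import random

def rabin_ba(inputs, bad, coin, c=8):
    """Simulate the loop above; returns {good proc id: final vote}."""
    n = len(inputs)
    if 3 * len(bad) >= n:
        raise ValueError("protocol requires t < n/3")
    good = [p for p in range(n) if p not in bad]
    vote = {p: inputs[p] for p in good}
    for r in range(c * math.ceil(math.log2(n))):    # c log n rounds
        good_ones = sum(vote.values())              # votes are sent before GC is revealed
        gc = coin(r)
        nxt = {}
        for p in good:
            # Constructed adversary: every bad proc equivocates, sending
            # bit (p mod 2) to recipient p to keep the good procs split.
            ones = good_ones + len(bad) * (p % 2)
            maj = 1 if 2 * ones > n else 0
            count = ones if maj else n - ones       # votes seen for Maj
            nxt[p] = maj if 3 * count > 2 * n else gc   # Fract > 2/3 ?
        vote = nxt
    return vote

def demo(seed=1):
    """Constructed run: n=31, procs 0..9 bad, good inputs split 11 vs 10."""
    rng = random.Random(seed)
    inputs = [p % 2 for p in range(31)]
    return rabin_ba(inputs, set(range(10)), coin=lambda r: rng.getrandbits(1))

if __name__ == "__main__":
    print(sorted(set(demo().values())))
```

In each round where the good procs are still split, the coin matches the bit held by those that passed the 2/3 threshold with probability 1/2, after which every good proc sees Fract > 2/3 and the vote no longer changes.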
Scalable a.e.BA with a.e.Global Coin GC
t< n/3 - 
Use averaging sampler to assign neighbors to procs
= a deterministic way to have mostly good samples.
Almost all neighbor sets contain a representative fraction of good procs
--> Almost all good procs compute correct Maj for Fract> 2/3+ /2
using S instead of GC
--> a.e.BA whp
For i=1,…,k, generate bit s_i
and run a.e. BA using s_i for a.e. global coin
It suffices that c log n bits of S are known
a.e. and random
II: Using S to go from a.e.
BA to BA
• Idea: Query random set of procs to ask
bit. Since almost all good procs agree,
majority should give correct answer.
– Works if bad procs have communication bound
• But in our model, the adversary can flood
all procs with queries!!
• Use s to decide which queries to answer.
II: Using S to go from a.e. BA to BA
Labels = {1,..,n^{1/2}}
FOR each number s of S = Labels^k:
• Each proc. p picks Õ(n^{1/2}) random queries
<proc,label> and sends label to proc.
• q answers only if label = s (and not overloaded)
• if 2/3 majority of p’s queries with the same
label are returned and agree on v, then p
decides v.
IT SUFFICES TO HAVE AN a.e. AGREED upon
S with a RANDOM subsequence!
III Generating S
Sparse network
Tree of robust supernodes of increasing size with
links: procs in child ----> procs in parent node
procs in parent node-->leaves of subtrees
All procs.
Supernodes and links generated using
averaging samplers
Arrays of rand. #’s
Each proc p_i generates array A_i of rand. #’s and
secret shares it with its leaf node.
#’s in arrays are revealed as needed to elect which
remaining parts of arrays will be passed on to parent
node.
[Figure: arrays A1, A2]
Feige’s alg carried out in each node
Each candidate picks a bin;
winners=lightest bin’s contents
[Figure: bins numbered 1 to 6]
-->>> Requires agreement on all bin choices.
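Added example, not from the slides: a Python simulation of the lightest-bin election, showing that stuffing one bin cannot give bad candidates more than floor(n/bins) minus the smallest good bin count among the winners. It assumes a single agreed view of all bin choices; the function name and the adversary strategy (placing bad candidates after seeing the good choices) are constructed for illustration.

```python
import random

def lightest_bin_election(n_good, n_bad, bins, rng):
    """Return (winners, min_good); winners is a list of 'G'/'B' tags
    for the contents of the lightest bin. Requires bins >= 2."""
    good = [0] * bins
    for _ in range(n_good):              # good candidates pick uniformly at random
        good[rng.randrange(bins)] += 1
    load = good[:]
    bad = [0] * bins
    # Constructed adversary: aims for the bin holding the fewest good candidates.
    target = min(range(bins), key=lambda b: good[b])
    others = [b for b in range(bins) if b != target]
    for _ in range(n_bad):
        rival = min(others, key=lambda b: load[b])
        # Stuff the target only while it stays strictly lightest;
        # otherwise pad the lightest rival so the target can take more later.
        b = target if load[target] + 1 < load[rival] else rival
        bad[b] += 1
        load[b] += 1
    win = min(range(bins), key=lambda b: (load[b], b))   # ties: lowest bin number
    return ["G"] * good[win] + ["B"] * bad[win], min(good)

def bad_fraction(winners):
    """Fraction of bad candidates among the winners (0.0 if the bin is empty)."""
    return winners.count("B") / len(winners) if winners else 0.0

if __name__ == "__main__":
    w, mg = lightest_bin_election(140, 60, 8, random.Random(7))
    print(len(w), mg, round(bad_fraction(w), 2))
```

The lightest bin can never hold more than the average load, so the adversary's share of the winners is capped by how unevenly the good candidates happened to spread.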
Elections of arrays in node
[Figure: s1, s2]
• We use scalable a.e. BA;
bin numbers and S given by numbers from
sequence of winning arrays of children.
As array moves up, secret shares are split up
among more procs on higher levels and erased
from children
so that adversary cannot learn a large fraction of
arrays promoted to a higher level by taking over a
small set of processors on lower level.
Secrets are revealed as needed:
by reversing and duplicating
communication down every path,
reassembling shares at every leaf of
subtree,
so that adversary cannot prevent
secret from being exposed by
blocking a single path.
Leaves are sampled (det.) by procs in
subtree root to learn secret value
Generation of a short S
Only a polylog number of arrays are left at
each of the polylog children of the root.
These form S.
When agreement on all of S is needed,
a.e. BA can be run using supplemental bits.
Conclusions
Uses of S:
• Easier to generate than a single random
coinflip:
– S can also be generated w.h.p scalably in the
full information nonadaptive adversary model
(whereas a single random coinflip can’t)
• A polylog size S has sufficient randomness
to specify a set of n small quorums which
are all good w.h.p (submitted to ICDCN)
• Useful in the asynch alg w/nonadaptive adv
(SODA08)
Future work (cont’d)
Asynchronous?
Towards more practical scalable BA?
Bounds on the communication of the bad
procs make the a.e. BA to BA easy.
Likely this would simplify the a.e. BA
protocol
Other problems (SMPC, handling churn and
larger name spaces)
Other user models (selfish)
Questions?