Flipping coins in many pockets
(Byzantine agreement on uniformly random values)
Andrei Z. Broder
Danny Dolev
IBM Research Center
San Jose, California
Preliminary version
Abstract. It was recently shown by Michael Rabin that a sequence of random 0-1 values,
prepared and distributed by a trusted “dealer,” can be used to achieve Byzantine agreement
in constant expected time in a network of processors. A natural question is whether it is
possible to generate these values uniformly at random within the network. In this paper
we present a cryptography based protocol for agreement on a 0-1 random value, if less
than half of the processors are faulty. In fact the protocol allows uniform sampling from
any finite set, and thus solves the problem of choosing a network leader uniformly at
random. The protocol is usable both when all the communication is via “broadcast,” in
which case it needs three rounds of information exchange, and when each pair of processors
communicate on a private line, in which case it needs $3t + 3$ rounds, where t is the number
of faulty processors. The protocol remains valid even if passive eavesdropping is allowed.
On the other hand we show that no (probabilistic) protocol can achieve agreement on a fair
coin in fewer phases than necessary for Byzantine agreement, and hence the “pre-dealt”
nature of the random sequence required for Rabin’s algorithm is crucial.
1. Introduction
Reaching agreement in the presence of malfunctioning processors is the central issue of
fault tolerant distributed computing. A recent comprehensive survey by Michael Fischer
([Fischer83]) lists over 30 papers on this subject.
0272-5428/84/0000/0157$01.00 © 1984 IEEE
Here we consider the related problem of agreeing on a uniformly distributed random
bit, i.e. “a fair coin.” (More generally we look at uniform sampling from a finite set.) This
is quite different from simply reaching agreement. For example, if we assume that the only
possible type of communication is reliable broadcast (i.e. any message sent by a certain
processor is “heard” by all the other processors), it is easy to reach agreement on a bit,
simply by taking a majority vote. But if there are faulty processors in the network this
bit will be heavily biased. The parity vote is also inadequate because a faulty processor
might wait till it knows all the other votes before it casts its own vote, thus fixing the
outcome. Another tempting solution is a trivial generalization of the “telephone coin
flipping” protocol [Blum82]; it fails for a subtler reason: a faulty processor might abandon
the protocol if it perceives that the outcome will be unfavorable. The correct processors
can restart the protocol, but the final outcome will be biased.
Two immediate applications for such a distributed coin flipping protocol are the problem of choosing a leader at random and the fair allocation of resources in a network, where
some of the processors might be faulty.
The protocol described in this paper works both for broadcast communication networks, such as ETHERNET,
and private communication networks. No secrecy assumption
is made based on the privacy of communication, and hence the protocol is not vulnerable
to passive eavesdropping.
The model we use is a fully interconnected network of synchronous processors. Each
pair of processors is connected via a private line. (We do not assume reliable broadcast,
unless otherwise specified.) Some processors might be faulty and they can behave in a
malicious and collusive manner, but the communication between processors is perfectly
reliable. These conditions allow us to assume that the computation proceeds in rounds
(or phases). During a round, each processor first sends a set of messages and then receives
messages addressed to it by other processors. Thus, for correct processors, messages received during a phase do not affect messages sent during the same phase. Of course faulty
processors might not abide by this rule.
A computational primitive in such a network is Byzantine agreement (BA), defined as
follows: All the n processors in the network receive an initial value from a certain processor
called the sender. Byzantine agreement is reached iff
1. All correct processors agree on the same value y.
2. If the sender sent the same value y’ to every correct processor then y = y’.
A protocol for BA is called t-resilient if it is valid for any number of faulty processors
not exceeding t, and it is called authenticated if it assumes that messages are signed with
unforgeable signatures.
The following are known results [PSL80, LSP82] (for additional references see
[Fischer83]).
1. There is a t-resilient, authenticated, synchronous protocol that achieves BA for $t \le n - 1$ in $t + 1$ rounds.
2. There is a t-resilient, non-authenticated, synchronous protocol that achieves BA for $t < n/3$ in $t + 1$ rounds.
All the above bounds are tight in the worst case. A theoretical motivation for our
paper is the following expected time result:
3. There is a t-resilient, non-authenticated, synchronous protocol that achieves BA for
$t < n/4$, in constant expected time (4 rounds), provided that at each round all processors have access to a common random bit, not known in advance [Rabin83].
Rabin’s elegant solution to generate the common random bit is to have a dealer prepare a sequence of secret random bits. Before the start of the protocol, each processor
receives a tape containing a share of each secret. (The shares are created using Shamir’s
method for dividing a secret; see Section 4.2.) Whenever a new random bit is needed, the
corresponding secret can be reconstructed, even if the faulty processors do not collaborate.
The question we address in this paper is how, and at what cost, this common random
bit can be generated within the network.
2. Randomized agreement protocols
In this section we introduce the formalism required to describe randomized agreement
protocols, where each processor, i, has access to an unbiased and independent coin, $C_i$.
The sequence of all the coin flips done by processor i (the “flip-vector”) is denoted $\bar C_i$.
For any protocol, the behaviour of processor i during round r can be fully described
by a transition function $\delta_i(S_{r,i}, M_{r-1,i}, \bar C_i)$, where $S_{r,i}$ is the current state of processor i,
and $M_{r-1,i}$ is the set of messages received by it during the previous round. The value of
$\delta_i(S_{r,i}, M_{r-1,i}, \bar C_i)$ is a pair $(S_{r+1,i}, m_{r,i})$, where $S_{r+1,i}$ is the next state of processor i and
$m_{r,i}$ is the set of messages that processor i sends during round r. (Different processors can
be sent different messages.)
Every state $S_i$ has an associated value $v(S_i)$. A state is called a decision state if no
sequence of transitions from this state leads to a state with a different associated value. If
processor i enters the decision state $S_i$, then i is said to have decided on $v(S_i)$. The vector
of the states of the processors in round r is denoted $\vec S_r$, that is $\vec S_r = (S_{r,1}, S_{r,2}, \ldots, S_{r,n})$.
An agreement protocol must specify, for every processor i, the transition function $\delta_i$,
the value associated to each state, and what are the legal values of $\vec S_0$. A t-resilient protocol
must achieve its stated goal even if up to t processors behave according to a different and
arbitrary transition function, $\delta_i^*$.
A legal initial configuration for a certain protocol consists of a legal vector of initial
states, $\vec S_0$, and a fixed choice for the transition functions for the faulty processors. What
that means is that the faulty processors are allowed to use any strategy whatsoever, as
long as it is based only on the information available to them. For instance the behaviour
of a faulty processor can not assume knowledge of the flip-vector of a correct processor.
We say that a protocol runs in d rounds if for any set of flip-vectors and for any legal
initial configuration every correct processor is in a decision state after d rounds.
Remark that once an initial configuration is chosen, if we fix the flip-vectors then the
results of the protocol are entirely deterministic.
3. Distributed lottery agreements (DLA)
A binary distributed lottery agreement (2-DLA) is achieved iff
1. Starting from any legal initial configuration, all correct processors decide on the same
value $L \in \{0, 1\}$.
2. For every legal initial configuration
$\Pr(L = 0) = \Pr(L = 1) = 1/2$,
where the probability space is the probability distribution on the flip-vectors $\bar C_i$ for
the correct processors. (In other words, whenever a new agreement protocol is started
in any legal initial state, for any strategy of the faulty processors, the agreement
value is equally likely to be 0 or 1.) We allow each $\bar C_i$ to have a different probability
distribution, but they must be independent random variables.
Rabin’s algorithm shows that if the number of faulty processors is less than $n/4$,
Byzantine agreement can be achieved at the expected expense of flipping a common coin
four times, that is
$E(\mathrm{Time}(BA)) \le 4\,\mathrm{Time}(\text{2-DLA}).$ (1)
Note though, that Rabin’s method to recreate an unbiased coin from shared secrets prepared by a dealer is not a 2-DLA because condition 2 is not satisfied. (If we look at the
shared secrets as part of the state of each processor then the coin is predetermined before
the agreement starts; on the other hand if we look at the shared secrets as part of the
flip-vectors, then the flip-vectors are not independent.)
The binary DLA generalizes to an m-valued distributed lottery agreement (m-DLA)
defined by:
1. All correct processors decide on the same value $L \in \{0, 1, \ldots, m-1\}$.
2. For every legal initial configuration
$\Pr(L = i) = 1/m, \quad 0 \le i < m.$
This is a potentially important limitation (but which, of course, can be removed by cryptographic protocols) because although the usual model for Byzantine agreement problems
is a fully interconnected network, the underlying structure in real networks is much sparser
(see [BDFS84] for an example). Also this requirement means that Yao's method is not
applicable when all communication is via broadcast.
In Section 5 we present an easy to implement protocol that achieves m-DLA if less than
half of the processors are faulty, at the expense of three consecutive Byzantine agreements.
The number of messages is polynomial and the protocol works also when all communication
is via broadcast. That means that for $t < n/2$
$\mathrm{Time}(\text{m-DLA}) \le 3\,\mathrm{Time}(BA).$ (2)
On the other hand we also prove that any protocol (including randomized and/or cryptographic) that achieves 2-DLA in the private communication model satisfies
$t + 1 \le \mathrm{Time}(DLA).$ (3)
(Compare with equation 1.)
4. Preliminaries
Our protocol uses two well known cryptographic devices that are described below.
4.1. Public key cryptosystems
A public key cryptosystem [DH76] consists of two functions on a certain message space:
an encryption function E, that is public, and a decryption function $D = E^{-1}$, that is
private. It is assumed that knowing only E and $E(x)$, it is not feasible to compute x in
polynomial time with more than an exponentially small probability of success. A successful
computation of this type will be called a cryptosystem break.
For our purposes we need a family of cryptosystems that have certain extra properties:
1. A processor in the network can generate a cryptosystem in the family in polynomial time, and there is a rule that ensures that each processor generates a different
cryptosystem.
2. Every cryptosystem in the family is such that the encryption function is one to one.
3. Given an encryption function E produced by a certain processor, it is possible to check
in polynomial time that: (a) the rule prescribed by property 1 was obeyed and (b)
the implied cryptosystem belongs to the family (hence E is one to one).
4. We assume that determining the value $x \bmod m$, for any m, from the knowledge of
the encryption function E, of the value $E(x)$, and of the fact that $0 \le x < p$, is as
hard as breaking the cryptosystem if p is suitably large (say greater than some fixed
fraction of the size of the domain of E).
In practice such a family of cryptosystems can be based on the RSA scheme [RSA78]
with a proper choice of parameters. (The RSA scheme encrypts a message M into the
message $M^k \bmod N$, where N is a large composite. The numbers k and N are public, but
the factorization of N is kept private and is used for decoding. If k is a prime larger than
N then the encryption function is 1-1 on the set of numbers less than N and relatively
prime to N. It is easy to ensure that each processor generates a different cryptosystem.)
4.2. Sharing a secret
We want to divide a secret in such a way that from the knowledge of any subset of $k + 1$
shares we can retrieve the secret, but the knowledge of only k shares offers no information
about the secret. The following solution is due to Adi Shamir [Shamir79]:
1. Agree on a prime number p (public).
2. Choose a random polynomial P over $GF[p]$ of degree k, $P = a_k x^k + \cdots + a_1 x + a_0$.
Let $a_0$ be the secret.
3. A share of the secret is a pair $(x_i, P(x_i))$, with $x_i \ne 0$.
The shares of the secret are pairs of the form $(x, P(x))$. For any set of $k + 1$ pairs
$(x_i, P(x_i))$, there is a unique interpolating polynomial, but for a set of k pairs, there are
p interpolating polynomials, and therefore $a_0$ is completely undetermined.
5. A protocol for m-valued distributed lottery agreement
We make the following assumptions:
1. The number of faulty processors is less or equal t, and there are at least $2t + 1$
processors participating in the protocol.
2. Before the start of the protocol, $t + 1$ processors, $A_1, A_2, \ldots, A_{t+1}$, are designated as
“players” and $2t + 1$ processors, $B_1, B_2, \ldots, B_{2t+1}$, are designated as “trustees.” There
is general agreement which processors are players and which processors are trustees.
It is possible for a processor to be both a player and a trustee. (In fact this condition
can be relaxed, at the expense of extra messages: all processors can be designated to
be both players and trustees.)
3. Each trustee $B_j$ can compute a different public key cryptosystem $(E_j, D_j)$ as described
in Section 4.1.
4. Before the start of the protocol there is general agreement on a large prime p such
that property 4 in Section 4.1 holds for all the cryptosystems $(E_j, D_j)$.
The protocol is composed of 3 parts described below; during each part Byzantine
agreements on certain values are run concurrently. When we say that a processor G makes
public a value v, we mean that a Byzantine agreement is run on the value with the
participation of all the processors (i.e. not only the players and the trustees). If the result
of this Byzantine agreement is v = faulty, then we say that G is known to be faulty after the
Byzantine agreement. The protocol describes what correct processors should do. Faulty
processors might of course not abide by it.
Protocol PFLIP
Part 1. Each trustee $B_j$, $1 \le j \le 2t + 1$, computes a public key cryptosystem $(E_j, D_j)$
with $E_j$ being one to one, and makes public $E_j$. A trustee not known to be faulty after
this point and who made public a one to one encryption function is called a participant
trustee. The set of all the participant trustees is denoted PB.
Part 2. Each player $A_i$, $1 \le i \le t + 1$, chooses uniformly at random a value $C_i \in
\{0, 1, \ldots, m - 1\}$, and then chooses uniformly at random a polynomial $P_i$ of degree t over the
field $GF[p]$, subject to the condition that its free term, $a_{0,i}$, satisfies $a_{0,i} \equiv C_i \pmod p$.
For all $j \in PB$ the player $A_i$ makes public a pair $(j, X_{i,j})$ with $X_{i,j} = E_j(P_i(j))$. A player
not known to be faulty after this point is called a participant player. The set of all the
participant players is denoted PA.
Part 3. Each trustee $B_j$ makes public its decryption key $D_j$.
At the end of the protocol each processor $G_k$ uses the following procedure to decide
the lottery value L.
Procedure DFLIP
1. Choose among the participant trustees that made public a correct decryption key
during part 3 of PFLIP, a set $C_k$ of cardinality $t + 1$. A decryption key $D_j$ is deemed
to be correct if for every pair $(j, X_{i,j})$ that was made public by a participant player i,
$D_j$ satisfies $E_j(D_j(X_{i,j})) = X_{i,j}$. (Note that because $E_j^{-1}(X_{i,j})$ is unique, this means
that indeed $D_j(X_{i,j}) = E_j^{-1}(X_{i,j})$.) It is always possible to find such a set because
there are at least $t + 1$ correct trustees.
2. For each $i \in PA$ (i.e. for each participant player) determine the unique polynomial of
degree t over $GF[p]$, $\hat P_{i,k}$, that satisfies the system of $t + 1$ linear equations
$\hat P_{i,k}(j) = D_j(X_{i,j}), \quad j \in C_k.$
3. For each $i \in PA$ and for each $j \in PB$, check whether $E_j(\hat P_{i,k}(j)) = X_{i,j}$. If all the
equations are satisfied then decide $\hat C_i = \hat a_{0,i,k} \bmod m$, where $\hat a_{0,i,k}$ is the free term of
$\hat P_{i,k}$; otherwise decide $\hat C_i = 0$. The final lottery value is
$L = \Big(\sum_{i \in PA} \hat C_i\Big) \bmod m.$
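As an added example (not code from the paper), the following is a toy single-process simulation of PFLIP and DFLIP for t = 2 (three players, five trustees), built on Shamir sharing over GF[p] as in Section 4.2, with textbook RSA on small constructed primes standing in for the one-to-one cryptosystems $(E_j, D_j)$ of Section 4.1. It shows a faulty trustee's bogus $D_j$ being rejected in step 1 and a faulty player's inconsistent shares forcing $\hat C_i = 0$ in step 3; the parameters m = 6, p = 131 and the prime pairs are constructed, and the RSA keys are far too small for any real use.

```python
"""Toy simulation of PFLIP / DFLIP with Shamir sharing over GF[p] and textbook RSA
standing in for the one-to-one cryptosystems (E_j, D_j). All parameters are constructed."""
import random
from math import gcd

M = 6     # lottery values {0, ..., m-1}
T = 2     # fault bound: t+1 players, 2t+1 trustees
P = 131   # prime for GF[p]: larger than m, smaller than every trustee modulus N_j
# one constructed (p, q) pair per trustee; each N_j exceeds P and gcd(7, phi(N_j)) == 1
TRUSTEE_PRIMES = [(11, 13), (11, 17), (13, 17), (13, 19), (11, 23)]


# ---- Shamir sharing over GF[p] (Section 4.2) ----
def poly_eval(coeffs, x, p):
    """Evaluate a_0 + a_1 x + ... + a_k x^k in GF[p]."""
    return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p


def interpolate(points, x, p):
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) through the (x_i, y_i) pairs; x = 0 returns the free term a_0."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (x - xk) % p
                den = den * (xj - xk) % p
        total = (total + yj * num * pow(den, -1, p)) % p
    return total


# ---- Toy RSA in place of the cryptosystem family of Section 4.1 ----
def rsa_keys(p1, q1, e=7):
    n, phi = p1 * q1, (p1 - 1) * (q1 - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi so that E is one-to-one"
    return (e, n), (pow(e, -1, phi), n)       # (E_j, D_j)


def encrypt(pub, x):
    return pow(x, pub[0], pub[1])


def decrypt(priv, y):
    return pow(y, priv[0], priv[1])


# ---- Protocol PFLIP: parts 1-3 yield the public transcript (E_j, X_ij, D_j) ----
def pflip(polys, faulty_trustees=(), faulty_players=()):
    """polys[i] holds player A_{i+1}'s degree-t coefficients, free term C_i < m.
    A faulty player publishes one inconsistent share; a faulty trustee a bogus D_j."""
    keys = {j: rsa_keys(*pq) for j, pq in enumerate(TRUSTEE_PRIMES, 1)}
    pub = {j: k[0] for j, k in keys.items()}                # part 1: E_j made public
    X = {}
    for i, poly in enumerate(polys, 1):                     # part 2: X_ij = E_j(P_i(j))
        for j in pub:
            share = poly_eval(poly, j, P)
            if i in faulty_players and j == 1:
                share = (share + 1) % P      # now no degree-t polynomial fits all shares
            X[i, j] = encrypt(pub[j], share)
    D = {j: k[1] for j, k in keys.items()}                  # part 3: D_j made public
    for j in faulty_trustees:
        D[j] = (D[j][0] + 1, D[j][1])                       # wrong decryption exponent
    return pub, X, D


# ---- Procedure DFLIP: every processor G_k derives the same lottery value L ----
def dflip(pub, X, D, chosen=None):
    players = sorted({i for i, _ in X})
    # step 1: D_j is correct iff E_j(D_j(X_ij)) == X_ij for every published pair
    correct = [j for j in pub
               if all(encrypt(pub[j], decrypt(D[j], X[i, j])) == X[i, j] for i in players)]
    chosen = list(chosen) if chosen else correct[:T + 1]    # any t+1 correct trustees
    assert len(chosen) == T + 1 and set(chosen) <= set(correct)
    C_hat = {}
    for i in players:
        pts = [(j, decrypt(D[j], X[i, j])) for j in chosen]  # step 2: recover P_i
        # step 3: accept only if the recovered polynomial explains every X_ij
        consistent = all(encrypt(pub[j], interpolate(pts, j, P)) == X[i, j] for j in pub)
        C_hat[i] = interpolate(pts, 0, P) % M if consistent else 0
    return C_hat, sum(C_hat.values()) % M


def random_poly(rng):
    """Part 2 choice: C_i uniform in {0..m-1} as free term, t more coefficients uniform in GF[p]."""
    return [rng.randrange(M)] + [rng.randrange(P) for _ in range(T)]


if __name__ == "__main__":
    rng = random.Random(2024)
    polys = [random_poly(rng) for _ in range(T + 1)]
    C_hat, L = dflip(*pflip(polys, faulty_trustees={3}, faulty_players={2}))
    print("per-player values", C_hat, "lottery value L =", L)
```

Passing different `chosen` sets to `dflip` reproduces Lemma 1: every choice of $t + 1$ correct trustees yields the same $\hat C_i$ and the same L. The modular inverse `pow(den, -1, p)` needs Python 3.8 or later.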
Lemma 1. After the protocol PFLIP and the decision procedure DFLIP, for each $i \in PA$,
all correct processors agree on $\hat C_i$. Furthermore, if i is a correct processor then $\hat C_i = C_i$.
Proof: First note that by the definition of the protocol all correct processors agree on
the sets PA and PB, and for every $i \in PA$ and every $j \in PB$ they agree on $X_{i,j}$ and
$D_j$. For each $i \in PA$, either there exists a polynomial $P_i$ such that for every $j \in PB$,
$X_{i,j} = E_j(P_i(j))$, or there is no such polynomial. In the former case, for every k, $\hat P_{i,k} = P_i$
(because for every $j \in C_k$ the decryption key $D_j$ is correct and $E_j$ is 1-1) and all correct
processors agree on $\hat C_i$; in the latter case, for every k there exists a j that depends on k
such that $X_{i,j} \ne E_j(\hat P_{i,k}(j))$ and all correct processors agree on $\hat C_i = 0$. It is obvious that
for every $i \in PA$, if i is correct then $\hat C_i = C_i$. □
Lemma 2. After the end of part 2 of the protocol PFLIP no participant player $A_i$ can
change the value $\hat C_i$ on which all correct processors will agree.
Proof: Obvious from the definition of the protocol.
Lemma 3. After the end of part 2 of the protocol PFLIP if $A_i$ is a correct processor then
no faulty processor knows $C_i$, except for the probability of breaking a cryptosystem.
Proof: To determine $C_i$ the faulty processors must find $a_{0,i} \bmod m$, where $a_{0,i}$ is the free
term of the polynomial $P_i$, that has degree t. In the worst case the faulty processors know
t interpolating pairs, corresponding to t faulty participant trustees. Knowing the other
interpolating pairs made public by player i means knowing, for each correct trustee j,
the value $E_j(x\,a_{0,i} + y)$, where x and y are some known values depending on i and j.
By assumption 4 in Section 4.1, inferring from this information the value $a_{0,i} \bmod m$ is
tantamount to breaking the cryptosystem.
Lemma 4. Let $X_1, X_2, \ldots, X_s \in \{0, 1, \ldots, m - 1\}$ be random variables. If there exists
an i such that $X_i$ is uniformly distributed over the set $\{0, 1, \ldots, m - 1\}$ and for all $j \ne i$,
$1 \le j \le s$, $X_i$ and $X_j$ are independent, then the random variable $Y = \big(\sum_{j=1}^{s} X_j\big) \bmod m$ is
uniformly distributed over the set $\{0, 1, \ldots, m - 1\}$.
Proof: Elementary, using conditional probabilities.
Theorem 5. The protocol PFLIP and the decision procedure DFLIP ensure that all
correct processors agree on a lottery value L that is uniformly distributed over the set
$\{0, 1, \ldots, m - 1\}$, except for the probability of breaking a cryptosystem.
Proof: From Lemma 1 and the definition of DFLIP it follows that all correct processors
agree on the value $L = \big(\sum_{i \in PA} \hat C_i\big) \bmod m$. Because there are $t + 1$ players, there
exists at least one correct participant player, $A_{i_0}$. Therefore $i_0 \in PA$, and $C_{i_0}$ is uniformly
distributed over the set $\{0, 1, \ldots, m - 1\}$. Furthermore, by Lemma 2 and Lemma 3, $C_{i_0}$ is
independent of the random variables $\hat C_i$, for $i \ne i_0$, except for the probability of breaking
a cryptosystem. Hence all the conditions of Lemma 4 are satisfied and the result follows.
The protocol PFLIP has several properties that might be useful in certain implementations and generalizations:
• If several DLAs are run in a network, part 1 of the second DLA can be superposed
on part 3 of the first DLA and so on. Also during part 1 of a given DLA it is possible
to agree for each trustee on several encryption keys to be used in subsequent DLAs.
• During the protocol, the only usage for Byzantine agreement is to simulate reliable
broadcast, and therefore if reliable broadcast is “built-in,” then each Byzantine agreement reduces to one communication round. For similar reasons, passive eavesdropping
by the faulty processors is irrelevant.
• One can use any subprotocol for Byzantine agreement, including randomized protocols, as long as the subprotocol ensures agreement on the termination of each part.
6. Lower bounds
Our lower bound proof generalizes the proof of [DS83] to include randomized algorithms,
a more restrictive type of failures, and a weaker type of agreement.
The type of agreement we consider is the probabilistic non-trivial consensus defined
by:
1. All correct processors agree on the same value $L \in \{0, 1\}$.
2. For every legal initial configuration
$0 < \Pr(L = 0) < 1$,
where the probability space is the probability distribution on the flip-vectors $\bar C_i$ for
the correct processors.
For the sake of completeness we review below the main definitions of [DS83]. A round
in a protocol is represented by a labelled directed graph on n nodes, with each node
corresponding to a processor. The label of the node i is $S_{r,i}$, that is the state of processor
i in round r. If processor i sends a message to processor j during round r then the
corresponding graph contains an edge from i to j labelled by the message sent by i. We
assume that when no message is sent there is no edge, and we also allow self-loop edges,
to denote the information a processor sends to itself.
An n processor history H is a finite sequence of n node rounds, together with a
fictional round, round 0, in which every processor i has a single incoming edge labeled
by its flip-vector $\bar C_i$, and no communication occurs among processors. (This round is not
counted as a round of the protocol in the lower bound proof.) From the remark at the end
of Section 2, it follows that, for any protocol, if we fix the initial configuration and the set
of flip-vectors, the processors' history is uniquely defined.
A subhistory of a history H is a copy of H with some edges removed. For each history
H and processor i there is a unique subhistory $H[i]$, called the subhistory according to i,
consisting of only the edges with target i. Note that by the definition of round 0, fixing
$H[i]$ implies fixing $\bar C_i$.
Define the value of a history, $v(H)$, to be the value of the states of all the correct
processors in the last round of H; $v(H)$ is undefined if any two correct processors are in
states of different values. A history H is t-faulty with respect to a given protocol if at most
t of the transition functions $\delta_i$ are not the transition functions specified by the protocol,
but are replaced by some other functions, $\delta_i^*$.
Consider an arbitrary consensus protocol and two histories associated to it, H and H'.
If processor i is not faulty, and $H[i] = H'[i]$, then at the end of both histories, processor i
will be in the same state, and therefore if both $v(H)$ and $v(H')$ are defined, they must be
the same. This observation is the main tool used in the proof of the lower bound.
In the proof of the lower bound we assume that the only type of faulty behaviour is
fail-stop (cf. [FL82]), that is, within the round when a certain processor behaves incorrectly
for the first time it may only omit sending some messages but not send incorrect messages,
and from that round on, it does not send any more messages. It should be noted that this
mode of failure can be described precisely within our formalism by imposing appropriate
restrictions on the transition functions $\delta_i^*$.
We will show that even under this very limited model of failure $t + 1$ rounds are
required in order to reach a probabilistic non-trivial consensus.
Theorem 6. Any probabilistic algorithm that achieves non-trivial consensus with probability 1 in the presence of t fail-stop faults requires at least $t + 1$ rounds.
Proof: Assume to the contrary that there is a nontrivial consensus protocol that satisfies
the conditions of the theorem and runs in d rounds, where $d \le t$. Let $H_0$ and $H_1$ be two
histories with values 0 and 1 respectively, in which every processor is correct and starts
from the same state in both histories, but with possibly different flip-vectors. (At least one
of the processors must have a different flip-vector.) Such histories do exist by the definition
of a nontrivial consensus protocol. Let U be the class of n processor, d round, t fault
histories in which all processors have initial states identical to their respective initial states
in $H_0$ and $H_1$, and which satisfy: if $f_1, f_2, \ldots, f_l$ are the faulty processors for H in U, then
1. Processor $f_k$ becomes faulty at some round $k' \ge k$.
2. At round $k'$, all the edges emerging from $f_k$ are correctly labelled (i.e. according to
$\delta_{f_k}$) but some edges might be missing.
3. In every round $k'' > k'$, the history H does not contain any edge emerging from $f_k$.
Clearly, if the protocol is correct then $v(H)$ is well defined for all histories $H \in U$ and
therefore we can construct an equivalence relation on histories in U by the rule $H \equiv H'$ iff
$v(H) = v(H')$. On the other hand U contains both $H_0$ and $H_1$ and $v(H_0) \ne v(H_1)$. What
we shall prove is that the assumption $d \le t$ implies $H_0 \equiv H_1$, which is a contradiction.
We say that a processor or a node is hidden at round k if it has no outedges (sends no
messages) in round k and in any later round. We will show by induction on k that, if i is
a node representing a processor at round k of a history H in U, then
a. If i becomes incorrect at round k, then there is a history H' in U that satisfies the
following four conditions:
1. $H' \equiv H$.
2. H' is identical to H through round k except for the outedges of i.
3. Processor i is correct for H'.
4. No processor becomes incorrect in H' after round k.
b. If no processor, other than i, becomes incorrect at round k, then there is a history H'
in U that satisfies the following four conditions:
1. $H' \equiv H$.
2. H' is identical to H through round k except for the outedges of i.
3. Processor i becomes hidden at round k of H'.
4. No processor becomes incorrect in H' after round k.
In other words we shall show that we can correct a faulty processor without changing
the decision value, and that we are able to hide a correct processor (if there aren't already
too many faulty ones) also without changing the decision value.
The proof of (a) and (b) is carried together by induction on k; here we shall present
just the inductive step of the proof. Let's assume that the induction holds for all rounds
$k' > k$ and let's prove it for k.
Proof of (a):
Let i be a node that became incorrect at round k of a history $H \in U$. The following steps
will preserve membership in U and equivalence to H.
1. Correct all processors that become incorrect at any round later than k (one at the
time, backwards from d to k). By the induction hypothesis (a) this can be done while
preserving equivalence and membership in U. Let H'' be the resulting history.
2. Let $f_1, f_2, \ldots, f_l$ be the faulty processors in H'', besides i, which is also faulty. By
assumption $l \le k - 1 \le t - 1$. The faultiness of i at round k means that it is missing
some outedges it should have had according to the transition function $\delta_i$. We correct
it, while preserving equivalence and membership in U, by using the following algorithm.
While there are missing outedges of i at round k do:
i. Choose a missing edge (i, j) and hide the target j of the missing edge at round
$k + 1$ (induction hypothesis (b)).
ii. Add the missing edge (the edge (i, j) at round k) with a correct label. Because
the partial history according to any correct processor remains the same, the
equivalence of histories is preserved.
iii. Correct j at round $k + 1$ (induction hypothesis (a)).
End of while.
3. At the end of step 2, processor i becomes faulty only at round $k + 1$ and by the induction
hypothesis (a) we can correct it in the resulting history while preserving equivalence
and membership in U. This completes the proof of (a).
Proof of (b):
Assume that no processor, other than i, becomes incorrect at round k. The following steps
will preserve membership in U and equivalence to H.
1. Correct all processors that become faulty at rounds later than k (induction hypothesis
(a)).
2. Hide i at round $k + 1$ (induction hypothesis (b)).
3. While outedges of i remain do:
i. Hide at round $k + 1$ the target j of an outedge of i (induction hypothesis (b)).
ii. Remove the edge (i, j) (no correct processor “sees” the difference).
iii. Correct j at round $k + 1$ (induction hypothesis (a)).
End of while.
At the end of step 3 we obtain a history H' that satisfies the four conditions of
induction hypothesis (b).
We shall apply (a) and (b) to prove that $H_0$ is equivalent to $H_1$. In $H_0$ all processors
are correct. The only difference between $H_0$ and $H_1$ resides in the flip-vectors, because
both histories start with the same initial configuration (vector of initial states plus strategy
for faulty processors). By assumption the protocol must work for any set of flip-vectors.
We take one processor at a time and
1. Hide it at round 1 (property (b));
2. Change its flip-vector from that in $H_0$ to that in $H_1$;
3. Correct it at round 1 (property (a)).
The above transformations take us to another history that is equivalent to $H_0$, and
has the same initial configuration, that is all processors are correct. When we finish with
all the processors we obtain history $H_1$, and thus conclude that $H_0$ is equivalent to $H_1$.
Corollary 7. Any probabilistic algorithm that achieves m-DLA with probability 1 in the
presence of t faults requires at least $t + 1$ rounds.
Throughout this section the only assumptions made about the set of flip-vectors $\{\bar C_i\}$
are that there are at least two such sets implying different consensus values, and that the
vectors $\bar C_i$ are independent. This means that our proof can be immediately applied to all
the traditional Byzantine problems, such as having a single sender, having several senders,
and various other deterministic agreements on 0 or 1, and it is also clear that the theorem
holds for more restrictive models of agreement and less restrictive modes of failures.
As an example consider the single sender case. Let processor i be the sender. We can
interpret the first bit of i’s flip-vector, $\bar C_i(1)$, as the sender’s value, and hence the goal of
the protocol is to reach consensus on this bit. Assuming $0 < \Pr(\bar C_i(1) = 0) < 1$, any BA
consensus protocol on this bit requires at least $t + 1$ rounds in the worst case.
The results in this section are relevant to the worst case performance analysis; there
are probabilistic algorithms that achieve non-trivial consensus in less than $t + 1$ expected
number of rounds ([Bracha84], [CC84]).
7. Conclusions and open problems
We have constructed a cryptographic protocol that achieves distributed lottery agreement
if the number of faulty processors, t, does not exceed half the total number of processors,
n. It is not known whether the following protocols are possible:
• Any DLA protocol for $t \ge n/2$?
• A faster DLA protocol for $n/3 \le t < n/2$?
• A non-cryptographic DLA for $t \ge n/3$?
• A non-cryptographic DLA that allows eavesdropping? (conjecture: no such protocol
exists)
The lower bound that we obtained is valid for any non-trivial consensus protocol. It
is open whether this bound can be improved for DLA protocols for $t \ge n/3$. (For $t < n/3$
Yao’s algorithm implies that the bound is tight.)
A trivial extension of the results of [FLP83] and [DDS83] shows that deterministic
DLA is impossible in the asynchronous case. However BA can be achieved with high probability in constant expected time either via Rabin’s algorithm or via what are essentially
variants of Rabin’s algorithm [BenOr83, BT83] using the majority vote as an internal
coin. Unfortunately when a majority coin is used, the constant is exponentially large if
$\sqrt{n} = o(t)$, and hence an efficient asynchronous DLA protocol would be of much interest.
Acknowledgement
We wish to thank Amotz Bar-Noy, Silvio Micali, Michael Rabin, and Andy Yao, for their
relevant observations and comments on this paper.
References
[BDFS84] A. Z. Broder, D. Dolev, M. J. Fischer, and B. Simons, “Efficient fault tolerant routings in networks,” Proceedings of the 16-th Annual ACM Symposium on the Theory of Computing, 1984, 536-541.
[BenOr83] M. Ben-Or, “Another advantage of free choice: completely asynchronous agreement protocols,” Proceedings of the 2-nd Annual ACM Symposium on Principles of Distributed Computing, Montreal, 1983, 27-30.
[Blum82] M. Blum, “Coin flipping by telephone - a protocol for solving impossible problems,” Spring COMPCON conference, 1982, 133-137.
[Bracha84] G. Bracha, “A randomized Byzantine agreement with an O(log n) expected rounds,” manuscript, 1984.
[BT83] G. Bracha and S. Toueg, “Resilient consensus protocols,” Proceedings of the 2-nd Annual ACM Symposium on Principles of Distributed Computing, Montreal, 1983, 12-26.
[CC84] B. Chor and B. Coan, “A simple and efficient Byzantine agreement algorithm,” manuscript, 1984.
[DDS83] D. Dolev, C. Dwork, and L. Stockmeyer, “On the minimal synchronism needed for distributed consensus,” Proceedings of the 24-th Annual Symposium on Foundations of Computer Science, 1983, 393-402.
[DH76] W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Trans. Inf. Theory, IT-22 (1976), 644-655.
[DS83] D. Dolev and H. R. Strong, “Authenticated algorithms for Byzantine agreement,” SIAM J. Comput., 12 (1983), 656-666.
[Fischer83] M. J. Fischer, “The consensus problem in unreliable distributed systems (A brief survey),” Technical Report, Department of Computer Science, Yale University, 1983.
[FL82] M. J. Fischer and N. A. Lynch, “A lower bound for the time to assure interactive consistency,” Information Processing Letters, 14 (1982), 183-186.
[FLP83] M. J. Fischer, N. A. Lynch, and M. S. Paterson, “Impossibility of distributed consensus with one faulty process,” Proceedings of the 2-nd Annual ACM Symposium on the Principles of Database Systems, 1983, 1-7.
[LSP82] L. Lamport, R. Shostak, and M. Pease, “The Byzantine generals problem,” ACM TOPLAS, 4 (1982), 382-401.
[PSL80] M. Pease, R. Shostak, and L. Lamport, “Reaching agreement in the presence of faults,” J. ACM, 27 (1980), 228-234.
[Rabin83] M. O. Rabin, “Randomized Byzantine generals,” Proc. of the 24-th Annual Symposium on Foundations of Computer Science, 1983, 403-409.
[RSA78] R. L. Rivest, A. Shamir, and L. M. Adleman, “A method for obtaining digital signatures and public key cryptosystems,” Comm. ACM, 21 (1978), 120-126.
[Shamir79] A. Shamir, “How to share a secret,” Comm. ACM, 22 (1979), 612-613.
[Yao83] A. C. Yao, “On the succession problem for Byzantine generals,” Technical report, Computer Science Department, Stanford University, to appear.