Expected Constant-Round Protocols for Broadcast

Jonathan Katz and Chiu-Yuen Koo, University of Maryland

Presentation Transcript


  1. Expected Constant-Round Protocols for Broadcast Jonathan Katz Chiu-Yuen Koo University of Maryland

  2. Background • When designing cryptographic protocols, it is often convenient to assume a broadcast channel • In a point-to-point network, this broadcast will have to be “emulated” by a broadcast sub-routine • The round complexity of the eventual protocol depends heavily on the round complexity of broadcast! • Much work has focused on reducing this round complexity…

  3. Byzantine Agreement • n parties P1, …, Pn, t of whom are malicious; each party has an input vi • If the inputs of all honest parties initially agree, they should all output this common value • (No matter what…) all honest parties should output the same value

  4. Broadcast • n parties P1, …, Pn, t of whom are malicious; one party is the dealer who holds a message M • If the dealer is honest, all honest parties should output M • Even if the dealer is dishonest, all honest parties should output the same value • Essentially equivalent to the problem of Byzantine agreement for t < n/2

  5. Prior Work (t < n/3) • Broadcast possible in the “plain model” if and only if t < n/3 [PSL80] • At least (t+1) rounds are necessary for any deterministic protocol [FL82]; a poly-time protocol with this round complexity is known [GM98] • Randomized protocols can beat the lower bound [R83, BO83] • [FM87] show an expected O(1)-round protocol

  6. Prior Work (t < n) • Given a PKI and signatures, authenticated broadcast is possible for t < n [PSL80, DS83] • The (t+1)-round lower bound still holds • [FG03] show an expected O(1)-round protocol for t < n/2, using specific number-theoretic assumptions • Open since [FM97]: existence of an expected O(1)-round protocol for t < n/2 based on signatures only • Note: Feldman-Micali approach does not extend to this case (at least as far as we know)

  7. Our Contributions I • We show an expected O(1)-round broadcast protocol for t < n/2, assuming only a PKI and digital signatures • Along the way, we improve and simplify(?) the Feldman-Micali protocol for t < n/3 • Proof is entirely self-contained… • Our approach relies on the new notion of a moderated protocol • Has other applications as well (see next talk)

  8. Our Contributions II • We show how to deal with parallel/sequential composition of randomized protocols for t < n/2 (extending [LLR02, BOEY03]) • Combined with existing results, this gives expected O(1)-round protocols for MPC tolerating t < n/2 malicious players

  9. Protocol Details… • The cases of t < n/3 and t < n/2 will be developed in parallel • The first is in the plain model and gives unconditional security; the second assumes a PKI + signatures (but is otherwise unconditional) • We always assume pairwise authenticated and private channels, and an adaptive, rushing adversary

  10. Overview • Constant-round gradecast protocol (in point-to-point model) + constant-round VSS protocol (using broadcast channel) → Compiler → Moderated VSS (a constant-round protocol for a variant of VSS) • Moderated VSS → constant-round protocol for leader election/coin tossing → expected constant-round protocol for BA

  11. Gradecast [FM97] • A relaxation of broadcast… • Dealer holds input M; each honest party Pi outputs a message mi and grade gi • If dealer honest, all honest players output (M, 2) • If any honest party outputs (mi, 2), then all other honest parties Pj output mj = mi and gj≥ 1

  12. Theorem There exist constant-round gradecast protocols (in the point-to-point model) for t < n/3 and t < n/2 (Previously known for t < n/3 [FM97]) For details, see paper…

  13. VSS • 2-phase protocol (sharing and reconstruction phases); dealer holds input s • If the dealer is honest, then the view of the malicious players is independent of s after the first phase, and all honest parties output s in the second phase • At the end of the sharing phase, the view of the honest parties defines a value s’ that all honest parties will output in the second phase

  14. Theorem There exist constant-round VSS protocols for t < n/3 and t < n/2 that use broadcast during the sharing phase only (Previously known for t < n/3 [GIKR01]; follows by adapting [CDDHR99] for t < n/2)

  15. VSS for t < n/2 • Dealer chooses F(x,y) of degree t in each variable, with F(0,0) = s. Let ai,j = bi,j = F(i,j). Dealer sends to Pi the values a1,i, …, an,i and bi,1, …, bi,n (signed). • If insufficient signatures received, Pi broadcasts a complaint. If the values are inconsistent, Pi broadcasts the inconsistent values and their signatures (and the dealer is disqualified) • The dealer broadcasts the values (signed) for any party Pi who broadcast a complaint; Pi uses these values in the rest of the protocol (Every party now has consistent vectors with correct dealer signatures)

  16. VSS for t < n/2 continued… • Pi signs aj,i and sends it to Pj • If ai,j is not equal to bi,j (or no signature received), Pi broadcasts bi,j with the dealer’s signature • If any party broadcast a value bi,j different from ai,j, then broadcast ai,j with dealer’s signature. If dealer’s signature on two different values is broadcast, it is disqualified

  17. VSS for t < n/2, continued • Reconstruction: Pi sends bi,j for all j (along with signature of Pj) to all other parties. (Note: if no valid signature obtained, Pi has already broadcast bi,j) • If Pj sent any incorrect signatures, or bj = (bj,1, …, bj,n) inconsistent, disqualify Pj. • For each non-disqualified Pj, interpolate bj to get fj(y). Next, interpolate {fj(y)} to get F(x,y). Output F(0,0).

  18. Proof (sketch) • If dealer is honest, the information the malicious parties have about s is exactly {F(i,y), F(x,i)}i malicious • Since there are at most t malicious players, and the degree of F is t in each variable, no information about s is leaked • Say dealer, Pi, Pj honest. Then Pi recovers fj(y) = F(j,y). For any malicious Pk (who is not disqualified by Pi), bk,j was “validated” by Pj and so bk,j = F(k,j). Since this holds for t+1 honest players, Pi recovers fk(y) = F(k,y). Interpolating these thus yields F(x,y).
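The sharing, cross-checking and reconstruction steps of slides 15 to 18, worked through in code. This is an added example written for this transcript, not the authors' implementation: it uses a constructed prime field, models Pj's signature on bk,j by the rule that an honest Pj only ever signed F(k,j) while a dishonest signer will sign anything, and lets the t malicious parties misbehave in reconstruction in the two ways the proof sketch rules out (a forged value at an honest index, and a forged value covered by a colluding party's signature). The party count, threshold and secret are constructed inputs.

```python
import random

P = (1 << 61) - 1  # constructed: a prime modulus; all arithmetic is in GF(P)


def lagrange_at(points, x0):
    """Evaluate, at x0, the unique polynomial of degree <= len(points)-1 through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def is_degree_at_most(points, t):
    """A vector of values is 'consistent' (slide 17) iff it lies on one polynomial of degree <= t."""
    base = points[: t + 1]
    return all(lagrange_at(base, x) == y for x, y in points[t + 1:])


def deal(secret, n, t, rng):
    """Sharing phase with an honest dealer (slide 15): F(x,y) has degree t in each variable, F(0,0) = s.
    rows[i] = {j: b_{i,j} = F(i,j)} and cols[i] = {j: a_{j,i} = F(j,i)} are what P_i receives (signed)."""
    coef = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]  # coef[a][b] multiplies x^a y^b
    coef[0][0] = secret % P

    def F(x, y):
        return sum(coef[a][b] * pow(x, a, P) * pow(y, b, P)
                   for a in range(t + 1) for b in range(t + 1)) % P

    rows = {i: {j: F(i, j) for j in range(1, n + 1)} for i in range(1, n + 1)}
    cols = {i: {j: F(j, i) for j in range(1, n + 1)} for i in range(1, n + 1)}
    return rows, cols


def cross_check(rows, cols, n):
    """Slide 16: P_j signs its column value a_{i,j} = F(i,j) and sends it to P_i, who compares it with b_{i,j}."""
    return all(rows[i][j] == cols[j][i] for i in range(1, n + 1) for j in range(1, n + 1))


def reconstruct(published, cols, honest, n, t):
    """Reconstruction (slide 17): each P_k publishes its row b_{k,*}, each entry carrying P_j's signature.
    Signature model (assumption of this example): an honest P_j only signed F(k,j) = cols[j][k]; a dishonest
    P_j signs anything. Rows with a bad signature or not of degree <= t are disqualified; the surviving
    f_k(0) = F(k,0) values are interpolated in k to give F(0,0)."""
    qualified = []
    for k, row in published.items():
        sig_ok = all(j not in honest or cols[j][k] == v for j, v in row.items())
        pts = sorted(row.items())
        if sig_ok and is_degree_at_most(pts, t):
            qualified.append((k, lagrange_at(pts, 0)))  # f_k(0)
    assert len(qualified) >= t + 1, "fewer than t+1 consistent rows"
    return lagrange_at(qualified[: t + 1], 0)  # F(0,0)


def demo(n=7, t=3, secret=12345, seed=1):
    """Honest dealer; parties n-t+1..n are malicious (needs t >= 3 for the three behaviours below)."""
    rng = random.Random(seed)
    honest = set(range(1, n - t + 1))
    rows, cols = deal(secret, n, t, rng)
    assert cross_check(rows, cols, n)            # nobody complains when the dealer is honest
    published = {k: dict(rows[k]) for k in range(1, n + 1)}
    m1, m2, m3 = sorted(set(range(1, n + 1)) - honest)[:3]
    published[m1][1] = (published[m1][1] + 1) % P     # forged at an honest index: no valid signature
    published[m2][m3] = (published[m2][m3] + 1) % P   # forged under a colluder's signature: row inconsistent
    # m3 publishes its correct row and is therefore used in the interpolation
    return reconstruct(published, cols, honest, n, t)
```

Running `demo()` disqualifies the two tampered rows and still recovers the secret from the remaining rows, which is exactly the t+1-honest-points argument of slide 18: a malicious row either matches F(k,y) at every honest index (and is then forced to be F(k,y) by the degree bound) or fails a check.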

  19. Proof (sketch) • For the case of dishonest dealer, take the values (bi,1, …, bi,n) of an honest Pi at the end of sharing phase. • These are consistent; let fi(y) be the corresponding polynomial • Since we have t+1 honest players, we can interpolate the {fi(y)} to obtain F(x,y) • Claim: F(0,0) will be the value output in the reconstruction phase • Argument is similar to before…

  20. Moderated VSS • 2-phase protocol; dealer holds input s; there is also a distinguished moderator • Each party Pi outputs a bit fi at the end of the sharing phase • If the moderator is honest, then fi = 1 for all honest parties • If there exists an honest player with fi = 1, then the protocol achieves VSS

  21. Key Result • There exist constant-round protocols for moderated VSS (in the point-to-point model) for t < n/3 and t < n/2 • Proof: We construct such a protocol by compiling any VSS protocol (using broadcast in sharing phase only) with gradecast…

  22. Compiler • Given VSS protocol Π; construct Π’ as follows: • Parties begin with fi = 1 • Whenever a party P is supposed to broadcast a message m (as part of Π): • P gradecasts m • The moderator gradecasts the result • Let (m, g) and (m’, g’) be the outputs of some player. Use m’ as the message broadcast by P (in the execution of Π) • Set f = 0 if (g’ ≠ 2) or (m ≠ m’ and g = 2)

  23. Proof… • If the moderator is honest, then g’=2. Also, if g=2 then all parties output the same message in the gradecast by P, so m’=m. • So, honest parties output f=1 if moderator is honest • If any honest party outputs f=1, then (1) g’=2 always, and so honest parties use the same message within Π; furthermore, (2) if P is honest (so g=2) then m’=m. • So, the functionality of broadcast was achieved whenever needed throughout Π • Hence, Π’ achieves VSS
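The compiler rule of slide 22 and the two claims of slide 23, checked exhaustively for a small number of honest parties. This is an added example for this transcript, not the authors' code: gradecast is not implemented but replaced by its guarantees from slide 11, so the adversary's power is exactly "any outcome vector those guarantees allow", and the message alphabet, grade set and party count are constructed.

```python
from itertools import product

GRADES = (0, 1, 2)
MSGS = ("A", "B")


def valid_gradecast_outcome(outputs, dealer_honest, M=None):
    """Gradecast guarantees (slide 11) on the honest parties' (m_i, g_i) outputs: an honest dealer makes
    everyone output (M, 2); if any honest party outputs (m, 2), every honest party outputs m with grade >= 1."""
    if dealer_honest:
        return all(o == (M, 2) for o in outputs)
    for m, g in outputs:
        if g == 2 and any(m2 != m or g2 < 1 for m2, g2 in outputs):
            return False
    return True


def gradecast_outcomes(k, dealer_honest, M=None):
    """Every outcome vector for k honest parties that the adversary can cause."""
    return [o for o in product(product(MSGS, GRADES), repeat=k)
            if valid_gradecast_outcome(o, dealer_honest, M)]


def compile_step(p_outputs, mod_outputs):
    """Slide 22, one emulated broadcast by P: party i saw (m, g) in P's gradecast and (m', g') in the
    moderator's. It uses m' as P's message and sets f = 0 if g' != 2 or (m != m' and g == 2)."""
    used, flags = [], []
    for (m, g), (m2, g2) in zip(p_outputs, mod_outputs):
        used.append(m2)
        flags.append(0 if g2 != 2 or (m != m2 and g == 2) else 1)
    return used, flags


def check_all(k=3):
    """Slide 23 by exhaustion over k honest parties: (i) an honest moderator leaves every honest party with
    f = 1; (ii) if some honest party keeps f = 1 then all honest parties used the same message, and when P
    was honest that message is P's own. Returns True iff both hold for every adversarial choice."""
    combos = 0
    for p_honest in (True, False):
        for M in MSGS:
            for po in gradecast_outcomes(k, p_honest, M):
                # honest moderator = some honest party `mod`; it gradecasts the result it holds, honestly
                for mod in range(k):
                    mo = [(po[mod][0], 2)] * k
                    used, flags = compile_step(po, mo)
                    combos += 1
                    if flags != [1] * k or len(set(used)) != 1:
                        return False
                # dishonest moderator: any outcome the gradecast guarantees allow it to cause
                for mo in gradecast_outcomes(k, False):
                    used, flags = compile_step(po, mo)
                    combos += 1
                    if 1 in flags and (len(set(used)) != 1 or (p_honest and used[0] != M)):
                        return False
    return combos > 0
```

`check_all(3)` returns True: the only way a dishonest moderator can make honest parties use different messages is to hand some of them a grade below 2, and that is precisely the case in which the rule sets f = 0, so no honest party with f = 1 ever saw a disagreement within Π.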

  24. Oblivious Leader Election (OLE) with Fairness δ • With probability ≥ δ, the following holds (i.e., an honest leader is elected): there exists an index j such that (1) each honest party outputs j, and (2) Pj is honest • Theorem: there exist constant-round protocols for OLE with fairness 1/2, for t < n/3 and t < n/2

  25. Constructing OLE • Assume moderated VSS… • Pi begins with ti,j = 1 for all j (ti,j = 1 means Pi “trusts” Pj) • For all i, j, party Pi chooses random 1 ≤ ci,j ≤ n3 and then runs mVSS using this value and Pj as moderator • If Pk outputs f=0 here, it sets tk,j=0 • Reconstruct the above. Pk sets cj = Σ ci,j mod n3. • Pk outputs j with tk,j = 1 that minimizes cj

  26. Proof… • Define T = {j : exists honest Pi with ti,j = 1} • If Pi honest, then i ∈ T. • If j ∈ T, then all honest parties agree on cj. Furthermore, cj is uniform in {1, …, n3} (since ci,j is uniform for Pi honest). With high probability, all such cj are unique. • So, with probability at least (t+1)/|T| ≥ ½ an honest leader is elected
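A simulation of the OLE construction of slide 25 and the bound of slide 26. This is an added example for this transcript, not the authors' code: moderated VSS is replaced by its ideal guarantees from slide 20 (an honest moderator gives every honest party f = 1; for a malicious moderator the adversary decides which honest parties get f = 0, and once any honest party holds f = 1 the shared value is fixed), and the adversary's choices of contributions and flags are constructed strategies, chosen before the honest values are revealed as VSS hiding requires.

```python
import random


def run_ole(n, honest, rng, adv_flag):
    """One OLE execution. honest: set of honest indices. adv_flag(j, k) is the bit f_k the adversary lets
    honest P_k finish the sharing phase with when the moderator P_j is malicious (modelling assumption).
    Returns (outputs, c, trust): each honest party's chosen leader, the c_j values, and t_{k,j}."""
    N3 = n ** 3
    trust = {k: {j: 1 for j in range(1, n + 1)} for k in honest}   # t_{k,j}, starts at 1
    contrib = {}                                                    # c_{i,j}, fixed by the sharing phase
    for i in range(1, n + 1):
        for j in range(1, n + 1):
            # honest dealer: uniform in 1..n^3; malicious dealer: always 1 (constructed strategy)
            contrib[(i, j)] = rng.randrange(1, N3 + 1) if i in honest else 1
    for j in range(1, n + 1):
        if j not in honest:                       # malicious moderator may push some honest f_k to 0
            for k in honest:
                if adv_flag(j, k) == 0:
                    trust[k][j] = 0
    c = {j: sum(contrib[(i, j)] for i in range(1, n + 1)) % N3 for j in range(1, n + 1)}
    # P_k outputs the trusted j with the smallest c_j (ties broken by index)
    outputs = {k: min((c[j], j) for j in range(1, n + 1) if trust[k][j])[1] for k in honest}
    return outputs, c, trust


def honest_leader_elected(outputs, honest):
    leaders = set(outputs.values())
    return len(leaders) == 1 and leaders.pop() in honest


def estimate_fairness(n, t, adv_flag, trials=4000, seed=7):
    """Fraction of runs in which an honest leader is elected, with parties n-t+1..n malicious.
    Also checks the slide-26 argument on every run: if the minimiser over T is honest, all honest agree on it."""
    rng = random.Random(seed)
    honest = set(range(1, n - t + 1))
    wins = 0
    for _ in range(trials):
        outputs, c, trust = run_ole(n, honest, rng, adv_flag)
        T = {j for j in range(1, n + 1) if any(trust[k][j] for k in honest)}
        assert honest <= T                                   # honest moderators are always trusted
        jstar = min((c[j], j) for j in T)[1]
        if jstar in honest:
            assert set(outputs.values()) == {jstar}
        wins += honest_leader_elected(outputs, honest)
    return wins / trials


keep_everyone_in = lambda j, k: 1   # adversary keeps |T| = n, the worst case for the (t+1)/|T| bound
drop_own_moderators = lambda j, k: 0   # adversary forces f = 0 for all its moderators, so T = honest parties
```

With n = 7 and t = 3, `estimate_fairness(7, 3, keep_everyone_in)` comes out near (t+1)/n = 4/7, and the adversary gains nothing by withdrawing its own indices from T: `estimate_fairness(7, 3, drop_own_moderators)` is exactly 1, because then every trusted candidate is honest and all honest parties agree on every c_j.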

  27. From Leader Election to BA • Loop: each party sends the message it holds to all parties • Has agreement been reached? • Yes: exit • Maybe: repeat the loop • No: run a leader election protocol; each party sets its input to the message sent by the leader, then repeat the loop

  28. Proof (ideas) • If parties hold the same inputs, they do not change their inputs and will terminate the protocol by the end of the next iteration • No (honest) party terminates until agreement has been reached • Once an honest leader is elected, agreement will be reached in the following iteration • Since an honest leader is elected with constant probability, termination occurs in expected O(1) rounds

  29. Final Result • There exist expected O(1)-round protocols for broadcast for t < n/3 and t < n/2 • Applying some optimizations, we obtain protocols with the following (expected) round complexities: • t < n/3: 24 rounds • t < n/2: 56 rounds

  30. Composition

  31. Parallel composition • In general, parallel composition of n protocols with expected O(1)-round complexity does not yield an expected O(1)-round protocol • For our particular protocols, known techniques give parallel composition without increasing the expected number of rounds • Run OLE once for all parallel executions…

  32. Sequential composition • A different problem may be caused by non-simultaneous termination • Parties terminate one iteration in different rounds, and thus start the next iteration in different rounds • This is inherent for sublinear-round BA protocols • Existing methods for dealing with this are complex [LLR02] or apply only to t < n/3 [BOEY02]

  33. Sequential composition • Protocol Π has staggering gap g if honest parties terminate within g rounds of each other • Theorem: Let Π be a broadcast protocol. Then there is a broadcast protocol Π’ such that: • It is secure as long as all parties start within 1 round of each other • Its staggering gap is 1 • rc(Π’) = 3 rc(Π) + 1

  34. Sequential composition • To sequentially compose Π1, …, Πk, run Π’1, …, Π’k instead • Each Π’i has staggering gap 1 • Each Π’i+1 is secure as long as parties start within 1 round of each other • k sequential executions of a protocol with round complexity r require ≈3kr rounds

  35. Recent results (with J. Garay and R. Ostrovsky)

  36. Broadcast for t < n? • Our results apply only for t < n/2 • We use VSS, which is possible only for t < n/2 • What about for t < n? • Known: deterministic protocols with round complexity t+1; matching lower bound

  37. Negative result • Theorem: Any broadcast protocol tolerating t malicious parties must have expected round complexity at least O(n/(n-t)) • In particular, tolerating the optimal threshold t = n-1 is not possible in sub-linear rounds

  38. Positive result • First consider case t = n/2: • Dealer gradecasts M and then exits • Remaining parties run as follows: • If received (M’, g ≤ 1), run (n/2)-resilient BA with M’ as input and output the result • If received (M’, 2), run (n/2)-resilient BA with M’ as input for K rounds; output M’

  39. Analysis • If the dealer is honest, then all honest players enter the BA protocol with the same input • In this case, the protocol terminates in a fixed constant number of rounds • If dealer dishonest • If g=2 for some honest player, then all honest players enter BA with same input (and output the same value in K rounds) • Otherwise, all honest players run BA to completion, with honest majority!

  40. General case • Theorem: Let c = t – (n-t) = 2t-n. Then there is a broadcast protocol with resilience t and expected round complexity O(c) • In particular, for t = n/2 + o(n) we get a protocol with sub-linear round complexity

  41. Summary • We have shown an expected O(1)-round broadcast protocol for t < n/2 • First based on general (minimal) assumptions • We also improve/simplify [FM97] for t < n/3 • Sequential composition for t < n/2 • Open questions • Sublinear-round broadcast for t < n? • Lower bounds on round complexity?
