Byzantine Agreement and Multi-Party Computation (MPC)


### Byzantine Agreement and Multi-Party Computation (MPC)

Aris Tentes

What is Byzantine Agreement/General?
• History of the name (Byzantium 1453)

Simulation of broadcasting:

i) P sends a value to n players and they must decide on the same value (B. General)

ii) Every player has a value and all players must decide on the majority (B. Agreement)

Conditions:

t of the players may be dishonest. Therefore we achieve broadcasting iff the following are satisfied:

1. Termination

2. Agreement: all correct players decide on the same value

3. Validity: if P is correct, all correct players decide on his value (B. Generals); if all correct players have the same value, then all correct players decide on this value (B. Agreement).

B. General => B. Agreement:

Every player broadcasts his value and then decides on the majority of the values received.

B. Agreement => B. General:

Player P sends his value to all players and then all players decide on the same value using a B. Agreement protocol.

Perfect BA
• Unconditional BA: A protocol with nonzero probability of error
• Cryptographic BA: The adversary has bounded computational power.
Impossibility Proof

Theorem: We cannot have a secure BA if t ≥ n/3.

Proof:

Simple case n = 3 and t = 1, by contradiction.

Intuitively:

The protocol of BGP89
• Perfect security for t<n/3.
• Bit complexity O(tn^2)
• Round complexity O(t)
• Includes three subprotocols

I) Weak Agreement

III) King Agreement

Weak Agreement

Goal: If Pi is correct with output yi ∈ {0,1}, then all correct players have output in {yi, ┴}.

1) Pi sends xi to every Pj

2) Every Pi sets
   yi = 0, if #0 > 2t
   yi = 1, if #1 > 2t
   yi = ┴, else

Goal: If Pi is correct with yi ∈ {0,1} and gi = 1, then every correct Pj has yj = yi.

1) Run the WeakAgreement protocol with output zi.

2) Pi sends zi to every Pj.

3) Every Pi sets
   yi = 0, if #0 > #1
   yi = 1, if #1 > #0
   gi = 1, if #yi > 2t
   gi = 0, else

King Agreement

Goal: A player Pk is selected to be the king. If the king is correct, then all correct players have the same output.

2) Pk sends zk to every Pj

3) Every Pi sets
   yi = zi, if gi = 1
   yi = zk, else

• Termination and Validity: always remain satisfied
• Agreement: We run the KingAgreement t+1 times. There is at least one correct king. (B. Agreement)

The general sends his value to all players and then they run the Agreement protocol above. (Broadcast)
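
The three subprotocols above simulated in Python, as an added example that is not part of the original slides. Assumptions: n = 4 and t = 1, a constructed adversary that sends different bits to different receivers, ties in the second subprotocol resolved to 1, and King Agreement starting from the outputs zi, gi of the second subprotocol (its step 1 is missing from the transcript; the name `graded_agreement` is ours).

```python
BOT = None  # the slides' "┴" (no decision)

def exchange(vals, bad, rnd):
    """All-to-all round; recv[j][i] is what Pj receives from Pi.
    Constructed adversary: a corrupted Pi sends (i + j + rnd) % 2,
    so different receivers see different bits from it."""
    n = len(vals)
    return [[(i + j + rnd) % 2 if i in bad else vals[i] for i in range(n)]
            for j in range(n)]

def weak_agreement(x, bad, t, rnd):
    out = []
    for r in exchange(x, bad, rnd):
        if r.count(0) > 2 * t:
            out.append(0)
        elif r.count(1) > 2 * t:
            out.append(1)
        else:
            out.append(BOT)
    return out

def graded_agreement(x, bad, t, rnd):
    z = weak_agreement(x, bad, t, rnd)
    y, g = [], []
    for r in exchange(z, bad, rnd + 1):
        yi = 0 if r.count(0) > r.count(1) else 1  # tie -> 1 (assumption)
        y.append(yi)
        g.append(1 if r.count(yi) > 2 * t else 0)  # grade: is yi well supported?
    return y, g

def king_agreement(x, bad, t, king, rnd):
    z, g = graded_agreement(x, bad, t, rnd)
    recv = exchange(z, bad, rnd + 2)  # only the king's column is read
    return [z[i] if g[i] == 1 else recv[i][king] for i in range(len(x))]

def byzantine_agreement(x, bad, t):
    for k in range(t + 1):  # t+1 kings, so at least one is correct
        x = king_agreement(x, bad, t, king=k, rnd=3 * k)
    return x

if __name__ == "__main__":
    x = [0, 0, 0, 1]  # constructed inputs; P0 is corrupted and is the first king
    print("after corrupted king:", king_agreement(x, {0}, 1, king=0, rnd=0)[1:])
    print("after t+1 kings:     ", byzantine_agreement(x, {0}, 1)[1:])
```

With these inputs the corrupted first king leaves the correct players split, and the second (correct) king brings them to a common value.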

Lower bounds

A perfectly secure BA protocol cannot have less than:

1) t+1 rounds

2) O(nt) bit complexity

3) t≥n/3

Open problem: It is not known if a protocol exists satisfying these lower bounds.

Other protocols

It is not known if a protocol with both t+1 rounds and O(n^2) bit complexity exists.

What is Multi Party Computation?

Secure function evaluation:

There are N parties who want to compute a function of their inputs but do not trust each other.

Examples:

1) Dating problem

2) Yao's millionaires' problem.

What is Multi Party Computation?

The obvious solution is that each party gives his input to a trusted party (TP) who does the computation for them.

MPC: An MPC protocol simulates this trusted party.

• Active Adversary: The adversary has full control of ta parties and makes them misbehave randomly.
Perfectly secure MPC
• Unconditionally secure MPC: A protocol with nonzero probability of error
• Cryptographically secure MPC: The adversary has bounded computational power.
Mixed Model

For the mixed model (passive + active + fail-stop adversary) there exists a perfectly secure MPC protocol iff

3ta + 2tp + tf < n

The protocol of BGW88 (passive model)
• Perfect security for t<n/2
• Bit complexity O(mn^2) field elements
• Round complexity O(d)
Shamir's secret sharing

The dealer P who wants to share a secret s selects a random polynomial of degree t:

fs(x) = s + r1 x + ... + rt x^t

and sends to processor Pi his share si = fs(ai).

Up to t players cannot reveal the secret.

Linear functions
• a, b are shared with fa, fb
• We define h(x) = fa(x) + fb(x)
• We observe h(0) = fa(0) + fb(0) = a + b
• Hence ci = ai + bi defines the share of a + b of Pi
Multiplication (1/2)
• a, b are shared with fa, fb
• The products aibi are shares of a polynomial of degree 2t (fab(x) = fa(x)fb(x), with fab(0) = ab)
• We must reduce the degree of the sharing to t
Multiplication (2/2)
• So: Every processor Pi shares his share aibi with a polynomial hi(x) of degree t with hi(0) = fa(ai)fb(ai) = fab(ai)
• Every processor now has the values h1(ai), …, hn(ai)
• Hence t+1 processors can compute hi(0) = fab(ai), i = 1, …, n
• Finally every processor from above can compute fab(0)
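
Shamir sharing, share-wise addition and multiplication with degree reduction over a prime field, as an added example that is not from the original slides. Assumptions: the field modulus `P`, evaluation points ai = i, and the final recombination applied locally to the sub-shares (each Pj computes Σ λi·hi(aj)), so that no fab(ai) is opened.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumption; the slides fix no field)

def share(s, t, n):
    """Shares fs(1), ..., fs(n) of a random degree-t polynomial with fs(0) = s."""
    coeffs = [s] + [secrets.randbelow(P) for _ in range(t)]
    return [sum(c * pow(a, k, P) for k, c in enumerate(coeffs)) % P
            for a in range(1, n + 1)]

def lagrange_at_zero(points):
    """Coefficients lam_i with f(0) = sum_i lam_i * f(a_i) over the given a_i."""
    lams = []
    for ai in points:
        num = den = 1
        for aj in points:
            if aj != ai:
                num = num * (-aj) % P
                den = den * (ai - aj) % P
        lams.append(num * pow(den, -1, P) % P)
    return lams

def reconstruct(shares, points):
    return sum(l * s for l, s in zip(lagrange_at_zero(points), shares)) % P

def add(sa, sb):
    """ci = ai + bi: no interaction, the degree stays t."""
    return [(x + y) % P for x, y in zip(sa, sb)]

def multiply(sa, sb, t):
    n = len(sa)                                        # requires n >= 2t + 1
    prods = [x * y % P for x, y in zip(sa, sb)]        # points on degree-2t fab
    sub = [share(d, t, n) for d in prods]              # sub[i][j] = hi(aj)
    lam = lagrange_at_zero(list(range(1, n + 1)))      # interpolates fab at 0
    return [sum(lam[i] * sub[i][j] for i in range(n)) % P for j in range(n)]

if __name__ == "__main__":
    t, n = 2, 5
    sa, sb = share(12, t, n), share(34, t, n)
    print(reconstruct(add(sa, sb)[:t + 1], [1, 2, 3]))          # a + b
    print(reconstruct(multiply(sa, sb, t)[:t + 1], [1, 2, 3]))  # a * b
```

After `multiply`, any t+1 of the new shares reconstruct ab, whereas the raw products aibi lie on a degree-2t polynomial and need 2t+1 points.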
Active Model generally
• Use of Byzantine Generals protocols
• Every player is committed to the value he shares
• Every player is committed to the value he receives