- 92 Views
- Uploaded on
- Presentation posted in: General

Byzantine Agreement and Multi-Party Computation (MPC)

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Byzantine Agreementand Multi-Party Computation (MPC)

Aris Tentes

- History of the name (Byzantium 1453)
- Simulation of broadcasting:
i)P sends a value to n players and they must decide on the same value (B General)

ii)Every player has a value and all players

must decide on the majority(B Agreement)

t of the players may be dishonest.Therefore we achieve broadcasting iff the following are satisfied:

1.Termination

2.Agreement: all correct players decide on

the same value

3.Validity:if P is correct all correct players

decide on his value.(B.Generals)

if all correct players have the same value

the all correct players decide on this value.(B.Agreement)

B.General => B. Agreement:

Every player broadcasts his value and then decides on the majority of the values received

B. Agreement => B.General:

Player P sends his value to all players and then all players decide on the same value using a B. Agreement protocol.

- Perfect BA
- Unconditional BA: A protocol with non zero probability of error
- Cryptographic BA: The adversary has a bounded computational power.

Theorem: We cannot have a secure BA if t >=n/3.

Proof:

Simple case n=3 and t=1 and using contradiction

Intuitively:

- Perfect security for t<n/3.
- Bit complexity O(tn^2)
- Round complexity O(t)
- Includes three subprotocols
I) Weak Agreement

II) Graded Agreement

III) King Agreement

Goal:If Pi is correct with output yi {0,1} then all correct players have output {yi , ┴}.

1) Pi sends xi to every Pj

0 , #0>2t

2) Every Pi yi = 1 , #1>2t

┴, else

Goal:If Pi is correct with yi {0,1} and gi=1then every Pj correct has yj = yi.

1)Run the WeakAgreement protocol with output zi.

2) Pi sends zi to every Pj.

0 , #0>#1

3) Every Pi yi =

1 , #1>#0

1 , if #yi >2t

3) Every Pi gi =

0 , else

Goal:A player Pk is selected to be the king.If the king is correct then all correct players have the same output.

1)Run the GradedAgreement protocol

2) Pk sends zk to every Pj

zj , if gj=1

3) Every Pi yi =

zk , else

- Termination and Validity: Remain always
- Agreement: We run the KingAgreement t+1 times.There is at least one correct king.(B.Agreement)
The general sends his value to all players and then they run the Agreement protocol above.(Broadcast)

A perfectly secure BA protocol cannot have less than:

1) t+1 rounds

2) O(nt) bit complexity

3) t≥n/3

Open problem:It is not known if a protocol exists satisfying these lower bounds.

It is not known if a protocol with both t+1 rounds and O(n^2) bit complexity exists.

Secure function evaluation:

There are N parties who want to compute a function of their inputs but do not trust each other.

Examlpes:

1)Dating problem

2)Yao’s millionair ‘s problem.

The obvious solution is that each party gives his input to a trusted (TP) who does the computation for them.

MPC: A MPC protocol simulates this trusted party.

- Passive Adversary:The adversary can see the results of tp parties.
- Fail-stop Adversary:The adversary can make tf parties stop sending messages.
- Active Adversary: The advarsary has full control of ta parties and make them misbehave randomly.

- Perfect secure MPC
- Unconditional secure MPC: A protocol with non zero probability of error
- Cryptographic secure MPC: The adversary has a bounded computational power.

For the mixed model (passive+active+fail-stop adversary) there exists a perfect secure MPC protocol

iff

3ta + 2tp + tf < n

- Perfect security for t<n/2
- Bit complexity O(mn^2) field elements
- Round complexity O(d)

The dealer P who wants to share a secret s selects a random polynomial of degree t:

fs(x)= s + r1x + . . . . . + rt x^t

and sends to processor Pi his share si = f(ai).

Up to t players cannot reveal the secret.

- a , b are shared with fa ,fb
- We define h(x) = fa(x) + fb(x)
- We observe h(0) = fa(0) + fb(0) = a + b
- Hence ci = ai + bi defines the share of a + b of Pi

- a , b are shared with fa ,fb
- aibi secret share a polynomial of degree 2t ( fab(x)= fa(x)fb(x) , with h(0)=ab )
- We must reduce the share to t

- So: Every processor Pi shares his share aibi with a polynomial hi(x) of degree t with hi(0)= fa(ai)fb(ai) = fab(ai)
- Every processor has now the values h1(ai),……, hn(ai)
- Hence t+1 processors can compute hi(0)= fab(ai), i=1,..,n
- Finally every processor from above can compute fab(0)

- Use of Byzantine Generals protocols
- Every player is commited to the value he shares
- Every player is commited to the value he receives