Byzantine agreement and multi party computation mpc
Download
1 / 25

Byzantine Agreement and Multi-Party Computation (MPC) - PowerPoint PPT Presentation


  • 117 Views
  • Uploaded on

Byzantine Agreement and Multi-Party Computation (MPC). Aris Tentes. What is Byzantine Agreement/General?. History of the name (Byzantium 1453) Simulation of broadcasting: i) P sends a value to n players and they must decide on the same value (B General)

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Byzantine Agreement and Multi-Party Computation (MPC)' - luann


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Byzantine agreement and multi party computation mpc

Byzantine Agreementand Multi-Party Computation (MPC)

Aris Tentes


What is byzantine agreement general
What is Byzantine Agreement/General?

  • History of the name (Byzantium 1453)

  • Simulation of broadcasting:

    i)P sends a value to n players and they must decide on the same value (B General)

    ii)Every player has a value and all players

    must decide on the majority(B Agreement)


Conditions
Conditions:

t of the players may be dishonest.Therefore we achieve broadcasting iff the following are satisfied:

1.Termination

2.Agreement: all correct players decide on

the same value

3.Validity:if P is correct all correct players

decide on his value.(B.Generals)

if all correct players have the same value

the all correct players decide on this value.(B.Agreement)


B.General => B. Agreement:

Every player broadcasts his value and then decides on the majority of the values received

B. Agreement => B.General:

Player P sends his value to all players and then all players decide on the same value using a B. Agreement protocol.


  • Perfect BA

  • Unconditional BA: A protocol with non zero probability of error

  • Cryptographic BA: The adversary has a bounded computational power.


Impossibility proof
Impossibility Proof

Theorem: We cannot have a secure BA if t >=n/3.

Proof:

Simple case n=3 and t=1 and using contradiction

Intuitively:


The protocol of bgp89
The protocol of BGP89

  • Perfect security for t<n/3.

  • Bit complexity O(tn^2)

  • Round complexity O(t)

  • Includes three subprotocols

    I) Weak Agreement

    II) Graded Agreement

    III) King Agreement


Weak agreement
Weak Agreement

Goal:If Pi is correct with output yi {0,1} then all correct players have output {yi , ┴}.

1) Pi sends xi to every Pj

0 , #0>2t

2) Every Pi yi = 1 , #1>2t

┴, else


Graded agreement
Graded Agreement

Goal:If Pi is correct with yi {0,1} and gi=1then every Pj correct has yj = yi.

1)Run the WeakAgreement protocol with output zi.

2) Pi sends zi to every Pj.

0 , #0>#1

3) Every Pi yi =

1 , #1>#0

1 , if #yi >2t

3) Every Pi gi =

0 , else


King agreement
King Agreement

Goal:A player Pk is selected to be the king.If the king is correct then all correct players have the same output.

1)Run the GradedAgreement protocol

2) Pk sends zk to every Pj

zj , if gj=1

3) Every Pi yi =

zk , else


Agreement and broadcast
Agreement and Broadcast

  • Termination and Validity: Remain always

  • Agreement: We run the KingAgreement t+1 times.There is at least one correct king.(B.Agreement)

    The general sends his value to all players and then they run the Agreement protocol above.(Broadcast)


Lower bounds
Lower bounds

A perfectly secure BA protocol cannot have less than:

1) t+1 rounds

2) O(nt) bit complexity

3) t≥n/3

Open problem:It is not known if a protocol exists satisfying these lower bounds.


Other protocols
Other protocols

It is not known if a protocol with both t+1 rounds and O(n^2) bit complexity exists.


What is multi party computation
What is Multi Party Computation?

Secure function evaluation:

There are N parties who want to compute a function of their inputs but do not trust each other.

Examlpes:

1)Dating problem

2)Yao’s millionair ‘s problem.


What is multi party computation1
What is Multi Party Computation?

The obvious solution is that each party gives his input to a trusted (TP) who does the computation for them.

MPC: A MPC protocol simulates this trusted party.


Three adversary types
Three Adversary types

  • Passive Adversary:The adversary can see the results of tp parties.

  • Fail-stop Adversary:The adversary can make tf parties stop sending messages.

  • Active Adversary: The advarsary has full control of ta parties and make them misbehave randomly.


  • Perfect secure MPC

  • Unconditional secure MPC: A protocol with non zero probability of error

  • Cryptographic secure MPC: The adversary has a bounded computational power.


Mixed model
Mixed Model

For the mixed model (passive+active+fail-stop adversary) there exists a perfect secure MPC protocol

iff

3ta + 2tp + tf < n


The protocol of bgw88 passive model
The protocol of BGW88 (passive model)

  • Perfect security for t<n/2

  • Bit complexity O(mn^2) field elements

  • Round complexity O(d)


Shamir s secret sharing
Shamir ’s secret sharing

The dealer P who wants to share a secret s selects a random polynomial of degree t:

fs(x)= s + r1x + . . . . . + rt x^t

and sends to processor Pi his share si = f(ai).

Up to t players cannot reveal the secret.


Linear functions
Linear functions

  • a , b are shared with fa ,fb

  • We define h(x) = fa(x) + fb(x)

  • We observe h(0) = fa(0) + fb(0) = a + b

  • Hence ci = ai + bi defines the share of a + b of Pi


Multiplication 1 2
Multiplication(1/2)

  • a , b are shared with fa ,fb

  • aibi secret share a polynomial of degree 2t ( fab(x)= fa(x)fb(x) , with h(0)=ab )

  • We must reduce the share to t


Multiplication 2 2
Multiplication(2/2)

  • So: Every processor Pi shares his share aibi with a polynomial hi(x) of degree t with hi(0)= fa(ai)fb(ai) = fab(ai)

  • Every processor has now the values h1(ai),……, hn(ai)

  • Hence t+1 processors can compute hi(0)= fab(ai), i=1,..,n

  • Finally every processor from above can compute fab(0)


Active model generaly
Active Model generaly

  • Use of Byzantine Generals protocols

  • Every player is commited to the value he shares

  • Every player is commited to the value he receives



ad