Byzantine agreement and multi party computation mpc
This presentation is the property of its rightful owner.
Sponsored Links
1 / 25

Byzantine Agreement and Multi-Party Computation (MPC) PowerPoint PPT Presentation


  • 79 Views
  • Uploaded on
  • Presentation posted in: General

Byzantine Agreement and Multi-Party Computation (MPC). Aris Tentes. What is Byzantine Agreement/General?. History of the name (Byzantium 1453) Simulation of broadcasting: i) P sends a value to n players and they must decide on the same value (B General)

Download Presentation

Byzantine Agreement and Multi-Party Computation (MPC)

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Byzantine agreement and multi party computation mpc

Byzantine Agreementand Multi-Party Computation (MPC)

Aris Tentes


What is byzantine agreement general

What is Byzantine Agreement/General?

  • History of the name (Byzantium 1453)

  • Simulation of broadcasting:

    i)P sends a value to n players and they must decide on the same value (B General)

    ii)Every player has a value and all players

    must decide on the majority(B Agreement)


Conditions

Conditions:

t of the players may be dishonest.Therefore we achieve broadcasting iff the following are satisfied:

1.Termination

2.Agreement: all correct players decide on

the same value

3.Validity:if P is correct all correct players

decide on his value.(B.Generals)

if all correct players have the same value

the all correct players decide on this value.(B.Agreement)


Byzantine agreement and multi party computation mpc

B.General => B. Agreement:

Every player broadcasts his value and then decides on the majority of the values received

B. Agreement => B.General:

Player P sends his value to all players and then all players decide on the same value using a B. Agreement protocol.


Byzantine agreement and multi party computation mpc

  • Perfect BA

  • Unconditional BA: A protocol with non zero probability of error

  • Cryptographic BA: The adversary has a bounded computational power.


Impossibility proof

Impossibility Proof

Theorem: We cannot have a secure BA if t >=n/3.

Proof:

Simple case n=3 and t=1 and using contradiction

Intuitively:


The protocol of bgp89

The protocol of BGP89

  • Perfect security for t<n/3.

  • Bit complexity O(tn^2)

  • Round complexity O(t)

  • Includes three subprotocols

    I) Weak Agreement

    II) Graded Agreement

    III) King Agreement


Weak agreement

Weak Agreement

Goal:If Pi is correct with output yi {0,1} then all correct players have output {yi , ┴}.

1) Pi sends xi to every Pj

0 , #0>2t

2) Every Pi yi = 1 , #1>2t

┴, else


Graded agreement

Graded Agreement

Goal:If Pi is correct with yi {0,1} and gi=1then every Pj correct has yj = yi.

1)Run the WeakAgreement protocol with output zi.

2) Pi sends zi to every Pj.

0 , #0>#1

3) Every Pi yi =

1 , #1>#0

1 , if #yi >2t

3) Every Pi gi =

0 , else


King agreement

King Agreement

Goal:A player Pk is selected to be the king.If the king is correct then all correct players have the same output.

1)Run the GradedAgreement protocol

2) Pk sends zk to every Pj

zj , if gj=1

3) Every Pi yi =

zk , else


Agreement and broadcast

Agreement and Broadcast

  • Termination and Validity: Remain always

  • Agreement: We run the KingAgreement t+1 times.There is at least one correct king.(B.Agreement)

    The general sends his value to all players and then they run the Agreement protocol above.(Broadcast)


Lower bounds

Lower bounds

A perfectly secure BA protocol cannot have less than:

1) t+1 rounds

2) O(nt) bit complexity

3) t≥n/3

Open problem:It is not known if a protocol exists satisfying these lower bounds.


Other protocols

Other protocols

It is not known if a protocol with both t+1 rounds and O(n^2) bit complexity exists.


What is multi party computation

What is Multi Party Computation?

Secure function evaluation:

There are N parties who want to compute a function of their inputs but do not trust each other.

Examlpes:

1)Dating problem

2)Yao’s millionair ‘s problem.


What is multi party computation1

What is Multi Party Computation?

The obvious solution is that each party gives his input to a trusted (TP) who does the computation for them.

MPC: A MPC protocol simulates this trusted party.


Three adversary types

Three Adversary types

  • Passive Adversary:The adversary can see the results of tp parties.

  • Fail-stop Adversary:The adversary can make tf parties stop sending messages.

  • Active Adversary: The advarsary has full control of ta parties and make them misbehave randomly.


Byzantine agreement and multi party computation mpc

  • Perfect secure MPC

  • Unconditional secure MPC: A protocol with non zero probability of error

  • Cryptographic secure MPC: The adversary has a bounded computational power.


Mixed model

Mixed Model

For the mixed model (passive+active+fail-stop adversary) there exists a perfect secure MPC protocol

iff

3ta + 2tp + tf < n


The protocol of bgw88 passive model

The protocol of BGW88 (passive model)

  • Perfect security for t<n/2

  • Bit complexity O(mn^2) field elements

  • Round complexity O(d)


Shamir s secret sharing

Shamir ’s secret sharing

The dealer P who wants to share a secret s selects a random polynomial of degree t:

fs(x)= s + r1x + . . . . . + rt x^t

and sends to processor Pi his share si = f(ai).

Up to t players cannot reveal the secret.


Linear functions

Linear functions

  • a , b are shared with fa ,fb

  • We define h(x) = fa(x) + fb(x)

  • We observe h(0) = fa(0) + fb(0) = a + b

  • Hence ci = ai + bi defines the share of a + b of Pi


Multiplication 1 2

Multiplication(1/2)

  • a , b are shared with fa ,fb

  • aibi secret share a polynomial of degree 2t ( fab(x)= fa(x)fb(x) , with h(0)=ab )

  • We must reduce the share to t


Multiplication 2 2

Multiplication(2/2)

  • So: Every processor Pi shares his share aibi with a polynomial hi(x) of degree t with hi(0)= fa(ai)fb(ai) = fab(ai)

  • Every processor has now the values h1(ai),……, hn(ai)

  • Hence t+1 processors can compute hi(0)= fab(ai), i=1,..,n

  • Finally every processor from above can compute fab(0)


Active model generaly

Active Model generaly

  • Use of Byzantine Generals protocols

  • Every player is commited to the value he shares

  • Every player is commited to the value he receives


Known protocols

Known Protocols


  • Login