# Byzantine Agreement and Multi-Party Computation (MPC)


## Byzantine Agreement and Multi-Party Computation (MPC)

Aris Tentes

### What is Byzantine Agreement/General?

• History of the name (Byzantium 1453)

• Simulation of broadcasting:

i) P sends a value to n players and they must decide on the same value (B. General)

ii) Every player has a value and all players must decide on the majority (B. Agreement)

### Conditions:

t of the players may be dishonest. Therefore we achieve broadcasting iff the following are satisfied:

1. Termination

2. Agreement: all correct players decide on the same value

3. Validity: if P is correct, all correct players decide on his value (B. Generals);

if all correct players have the same value, then all correct players decide on this value (B. Agreement)

B. General => B. Agreement:

Every player broadcasts his value and then decides on the majority of the values received.

B. Agreement => B. General:

Player P sends his value to all players and then all players decide on the same value using a B. Agreement protocol.

• Perfect BA

• Unconditional BA: A protocol with non zero probability of error

• Cryptographic BA: The adversary has a bounded computational power.

### Impossibility Proof

Theorem: We cannot have a secure BA if t ≥ n/3.

Proof:

Simple case n = 3 and t = 1, by contradiction.

Intuitively:

### The protocol of BGP89

• Perfect security for t<n/3.

• Bit complexity O(tn^2)

• Round complexity O(t)

• Includes three subprotocols

I) Weak Agreement

III) King Agreement

### Weak Agreement

Goal: If Pi is correct with output yi ∈ {0,1}, then all correct players have output in {yi, ┴}.

1) Pi sends xi to every Pj

2) Every Pi sets:

yi = 0, if #0 > 2t

yi = 1, if #1 > 2t

yi = ┴, else

Goal: If Pi is correct with yi ∈ {0,1} and gi = 1, then every correct Pj has yj = yi.

1) Run the WeakAgreement protocol with output zi.

2) Pi sends zi to every Pj.

3) Every Pi sets:

yi = 0, if #0 > #1

yi = 1, if #1 > #0

gi = 1, if #yi > 2t

gi = 0, else

### King Agreement

Goal: A player Pk is selected to be the king. If the king is correct then all correct players have the same output.

2) Pk sends zk to every Pj

3) Every Pi sets:

yi = zj, if gj = 1

yi = zk, else

• Termination and Validity: always preserved

• Agreement: We run the KingAgreement t+1 times. There is at least one correct king. (B. Agreement)

The general sends his value to all players and then they run the Agreement protocol above. (Broadcast)
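A simulation of the three sub-protocols above for n = 3t + 1, as an added example that is not part of the original slides. It shows a dishonest first king leaving the correct players split and the next, correct king repairing it. Assumptions: the second sub-protocol is step 1 of the king round, ties in its step 3 resolve to 1, a dishonest player sends j mod 2 to Pj, and all function names are hypothetical.

```python
BOT = None  # stands for ┴

def exchange(vals, bad, n):
    """inbox[j][i] = value Pj receives from Pi.
    Assumption: a dishonest Pi equivocates by sending j % 2 to Pj."""
    return [[j % 2 if i in bad else vals[i] for i in range(n)] for j in range(n)]

def weak(x, bad, n, t):
    out = []
    for row in exchange(x, bad, n):
        if row.count(0) > 2 * t:
            out.append(0)
        elif row.count(1) > 2 * t:
            out.append(1)
        else:
            out.append(BOT)
    return out

def graded(x, bad, n, t):
    """Second sub-protocol: value y plus grade g for every player."""
    y, g = [], []
    for row in exchange(weak(x, bad, n, t), bad, n):
        yi = 0 if row.count(0) > row.count(1) else 1  # tie -> 1 is an assumption
        y.append(yi)
        g.append(1 if row.count(yi) > 2 * t else 0)
    return y, g

def king(x, k, bad, n, t):
    # Assumption: step 1 (absent from the slide) runs the graded round.
    z, g = graded(x, bad, n, t)
    from_king = [row[k] for row in exchange(z, bad, n)]
    return [z[j] if g[j] == 1 else from_king[j] for j in range(n)]

def agree(x, bad, n, t):
    """t+1 king rounds with kings P0..Pt, so at least one king is correct."""
    for k in range(t + 1):
        x = king(x, k, bad, n, t)
    return x

def honest(vals, bad):
    return [v for i, v in enumerate(vals) if i not in bad]

if __name__ == "__main__":
    n, t, bad = 4, 1, {0}  # constructed run: P0 is dishonest
    x = [0, 0, 1, 1]
    print(honest(king(x, 0, bad, n, t), bad))  # after the dishonest king alone
    print(honest(agree(x, bad, n, t), bad))    # after t+1 kings
```

The thresholds `> 2t` are the slide's own; the run keeps n = 3t + 1, where they coincide with the usual n − t.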

### Lower bounds

A perfectly secure BA protocol cannot have less than:

1) t+1 rounds

2) O(nt) bit complexity

3) t≥n/3

Open problem: It is not known if a protocol exists satisfying these lower bounds.

### Other protocols

It is not known if a protocol with both t+1 rounds and O(n^2) bit complexity exists.

### What is Multi Party Computation?

Secure function evaluation:

There are N parties who want to compute a function of their inputs but do not trust each other.

Examples:

1) Dating problem

2) Yao's millionaires' problem

### What is Multi Party Computation?

The obvious solution is that each party gives his input to a trusted party (TP) who does the computation for them.

MPC: An MPC protocol simulates this trusted party.

• Active Adversary: The adversary has full control of ta parties and makes them misbehave randomly.

• Perfectly secure MPC

• Unconditionally secure MPC: A protocol with non zero probability of error

• Cryptographically secure MPC: The adversary has a bounded computational power.

### Mixed Model

For the mixed model (passive + active + fail-stop adversary) there exists a perfectly secure MPC protocol

iff

3ta + 2tp + tf < n

### The protocol of BGW88 (passive model)

• Perfect security for t<n/2

• Bit complexity O(mn^2) field elements

• Round complexity O(d)

### Shamir's secret sharing

The dealer P who wants to share a secret s selects a random polynomial of degree t:

fs(x) = s + r1 x + ... + rt x^t

and sends to processor Pi his share si = fs(ai).

Up to t players cannot reveal the secret.

### Linear functions

• a, b are shared with fa, fb

• We define h(x) = fa(x) + fb(x)

• We observe h(0) = fa(0) + fb(0) = a + b

• Hence ci = ai + bi defines the share of a + b of Pi

### Multiplication(1/2)

• a, b are shared with fa, fb

• The products aibi are shares of a polynomial of degree 2t (fab(x) = fa(x)fb(x), with fab(0) = ab)

• We must reduce the degree to t

### Multiplication(2/2)

• So: Every processor Pi shares his share aibi with a polynomial hi(x) of degree t with hi(0) = fa(ai)fb(ai) = fab(ai)

• Every processor now has the values h1(ai), ..., hn(ai)

• Hence t+1 processors can compute hi(0) = fab(ai), i = 1, ..., n

• Finally every processor from above can compute fab(0)
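Shamir sharing, addition and multiplication with degree reduction over a prime field, as an added example that is not from the original slides. Assumptions: the field is GF(2^61 − 1), the evaluation points are ai = i, the function names are hypothetical, and the reduction recombines the sub-shares hi(aj) locally with Lagrange coefficients so that no hi(0) is opened.

```python
import secrets

P = 2**61 - 1  # prime modulus (assumption; the slides do not fix a field)

def share(s, t, n):
    """Random degree-t polynomial f with f(0) = s; share of Pi is f(i), i = 1..n."""
    coeffs = [s % P] + [secrets.randbelow(P) for _ in range(t)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)]

def lagrange_at_zero(xs):
    """Coefficients l_i with f(0) = sum(l_i * f(x_i)) for any f of degree < len(xs)."""
    out = []
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        out.append(num * pow(den, -1, P) % P)
    return out

def reconstruct(shares, xs):
    """Interpolate f(0) from the shares held at evaluation points xs."""
    return sum(l * s for l, s in zip(lagrange_at_zero(xs), shares)) % P

def add(sa, sb):
    """Linear gate: each Pi adds its two shares locally."""
    return [(x + y) % P for x, y in zip(sa, sb)]

def multiply(sa, sb, t):
    """Each Pi reshares ai*bi with a degree-t h_i; Pj then combines the h_i(j)."""
    n = len(sa)
    if n < 2 * t + 1:
        raise ValueError("degree-2t product needs at least 2t+1 shares")
    sub = [share(x * y % P, t, n) for x, y in zip(sa, sb)]  # sub[i][j] = h_i(a_j)
    lam = lagrange_at_zero(range(1, n + 1))
    return [sum(lam[i] * sub[i][j] for i in range(n)) % P for j in range(n)]
```

The output of `multiply` lies on the degree-t polynomial Σ λi hi(x), whose value at 0 is Σ λi fab(ai) = fab(0) = ab, so any t+1 of the new shares reconstruct the product.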

### Active Model generally

• Use of Byzantine Generals protocols

• Every player is committed to the value he shares

• Every player is committed to the value he receives