1991, Lecture Notes in Computer Science
We present a protocol which achieves Byzantine Agreement (BA) if less than half of the processors are faulty and which does not rely on unproved computational assumptions such as the unforgeability of digital signatures. This is the first protocol which achieves this level of security.
1989
Under the assumption that each participant can broadcast a message to all other participants and that each pair of participants can communicate secretly, we present a verifiable secret sharing protocol, and show that any multiparty protocol, or game with incomplete information, can be achieved if a majority of the players are honest. The secrecy achieved is unconditional and does not rely on any assumption about computational intractability. Applications of these results to Byzantine Agreement are also presented.
Proceedings of the 54th Annual ACM SIGACT Symposium on Theory of Computing
It has been known since the early 1980s that Byzantine Agreement in the full-information, asynchronous model is impossible to solve deterministically against even one crash fault [FLP 1985], but that it can be solved with probability 1 [Ben-Or 1983], even against an adversary that controls the scheduling of all messages and corrupts up to t < n/3 players [Bracha 1987]. The main downside of [Ben-Or 1983, Bracha 1987] is that they terminate with 2^Θ(n) latency in expectation whenever t = Θ(n). King and Saia [KS 2016, KS 2018] developed a polynomial protocol (polynomial latency, polynomial local computation) that is resilient to t < (1.14 × 10^−9) n Byzantine faults. The new idea in their protocol is to detect, and blacklist, coalitions of likely-bad players by analyzing the deviations of random variables generated by those players over many rounds. In this work we design a simple collective coin-flipping protocol such that if any coalition of faulty players repeatedly does not follow the protocol, then they will eventually be detected by one of two simple statistical tests. Using this coin-flipping protocol, we solve Byzantine Agreement in polynomial latency, even in the presence of up to t < n/4 Byzantine faults. This comes close to the t < n/3 upper bound on the maximum number of faults [LSP 1982, BT 1985, FLM 1986].
International Conference on Cryptology, 2008
In this paper, we propose a round-efficient unconditionally secure multiparty computation (UMPC) protocol in the information-theoretic model with n > 2t players, in the absence of any physical broadcast channel. Our protocol communicates \({\cal O}(n^4)\) field elements per multiplication and requires \({\cal O}(n \log(n) + {\cal D})\) rounds, even if up to t players are under the control of an active adversary having unbounded computing power, where \({\cal D}\) denotes the multiplicative depth of the circuit representing the function to be computed securely. In the absence of a physical broadcast channel and with n > 2t players, the best known UMPC protocol with the minimum number of rounds requires \({\cal O}(n^2{\cal D})\) rounds and communicates \({\cal O}(n^6)\) field elements per multiplication. On the other hand, the best known UMPC protocol with minimum communication complexity requires a communication overhead of \({\cal O}(n^2)\) field elements per multiplication, but has a round complexity of \({\cal O}(n^3 +{\cal D})\) rounds. Hence our UMPC protocol is the most round-efficient protocol so far and ranks second according to communication complexity.
The Computer Journal, 2006
This paper proposes a stack of three Byzantine-resistant protocols aimed to be used in practical distributed systems: multi-valued consensus, vector consensus and atomic broadcast. These protocols are designed as successive transformations from one to another. The first protocol, multi-valued consensus, is implemented on top of a randomized binary consensus and a reliable broadcast protocol. The protocols share a set of important structural properties. First, they do not use digital signatures constructed with public-key cryptography, a well-known performance bottleneck in this kind of protocol. Second, they are time-free, i.e. they make no synchrony assumptions, since these assumptions are often vulnerable to subtle but effective attacks. Third, they are completely decentralized, thus avoiding the cost of detecting corrupt leaders. Fourth, they have optimal resilience, i.e. they tolerate the failure of f = (n − 1)/3 out of a total of n processes. In terms of time complexity, the multi-valued consensus protocol terminates in a constant expected number of rounds, while the vector consensus and atomic broadcast protocols have O(f) complexity. The paper also proves the equivalence between multi-valued consensus and atomic broadcast in the Byzantine failure model without signatures. A similar proof is given for the equivalence between multi-valued consensus and vector consensus. These two results have theoretical relevance since they show once more that consensus is a fundamental problem in distributed systems.
2009
Many advancements in the area of Secure Multi-Party Computation (SMC) protocols use improvements in communication complexity as a justification. We conducted an experimental study of a specific protocol for a real-world sized problem under realistic conditions and it suggests that the practical performance of the protocol is almost independent of the network performance. We argue that our result can be generalized to a whole class of SMC protocols.
Lecture Notes in Computer Science, 2015
Motivated by the goal of improving the concrete efficiency of secure multiparty computation (MPC), we revisit the question of MPC with only two rounds of interaction. We consider a minimal setting in which parties can communicate over secure point-to-point channels and where no broadcast channel or other form of setup is available. Katz and Ostrovsky (Crypto 2004) obtained negative results for such protocols with n = 2 parties. Ishai et al. (Crypto 2010) showed that if only one party may be corrupted, then n ≥ 5 parties can securely compute any function in this setting, with guaranteed output delivery, assuming one-way functions exist. In this work, we complement the above results by presenting positive and negative results for the cases where n = 3 or n = 4 and where there is a single malicious party. When n = 3, we show a 2-round protocol which is secure with "selective abort" against a single malicious party. The protocol makes a black-box use of a pseudorandom generator or alternatively can offer unconditional security for functionalities in NC1. The concrete efficiency of this protocol is comparable to the efficiency of secure two-party computation protocols for semi-honest parties based on garbled circuits. When n = 4 in the setting described above, we show the following:
- A statistical VSS protocol that has a 1-round sharing phase and a 1-round reconstruction phase. This improves over the state-of-the-art result of Patra et al. (Crypto 2009), whose VSS protocol required 2 rounds in the reconstruction phase.
- A 2-round statistically secure protocol for linear functionalities with guaranteed output delivery. This implies a 2-round 4-party fair coin-tossing protocol. We complement this by a negative result, showing that there is a (nonlinear) function for which there is no 2-round statistically secure protocol.
Progress in Cryptology – LATINCRYPT 2019, 2019
In ACM CCS'17, Choudhuri et al. designed two fair public-ledger-based multi-party protocols (in the malicious model with dishonest majority) for computing an arbitrary function f. One of their protocols is based on a trusted hardware enclave G (which can be implemented using Intel SGX hardware) and a public ledger (which can be implemented using a blockchain platform, such as Ethereum). Subsequently, in NDSS'19, a stateless version of the protocol was published. This is the first time that (a certain definition of) fairness, which guarantees that either all parties learn the final output or nobody does, is achieved without any monetary or computational penalties. However, these protocols are fair only if the underlying core MPC component guarantees both privacy and correctness. While privacy is easy to achieve (using a secret sharing scheme), correctness requires expensive operations (such as ZK proofs and commitment schemes). We improve on this work in three different directions: attack, design and performance. Our first major contribution is building practical attacks that demonstrate that if correctness is not satisfied, then the fairness property of the aforementioned protocols collapses. Next, we design two new protocols, stateful and stateless, based on a public ledger and trusted hardware that are resistant against the aforementioned attacks, and are several orders of magnitude more efficient (in both time and memory) than the existing ones, by eliminating ZK proofs and commitment schemes from the design. Last but not least, we implemented the core MPC part of our protocols using the SPDZ-2 framework to demonstrate the feasibility of its practical implementation.
Proceedings of the 2018 ACM Symposium on Principles of Distributed Computing, 2018
The problem of Byzantine Agreement (BA) is of interest to both the distributed computing and the cryptography community. Following well-known results from the distributed computing literature, the BA problem in the asynchronous network setting encounters inevitable non-termination issues. The impasse is overcome via randomization, which allows the construction of BA protocols with two flavours of termination guarantee: with overwhelming probability and with probability one. The latter type, termed almost-surely terminating BAs, are the focus of this paper. An eluding problem in the domain of almost-surely terminating BAs is achieving a constant expected running time. Our work makes progress in this direction. In a setting with n parties and an adversary with unbounded computing power controlling at most t parties in Byzantine fashion, we present two almost-surely terminating BA protocols in the asynchronous setting:
• With the optimal resilience of t < n/3, our first protocol runs for expected O(n) time. The existing protocols in the same setting either run for expected O(n^2) time (Abraham et al, PODC 2008) or require exponential computing power from the honest parties (Wang, CoRR 2015). In terms of communication complexity, our construction outperforms all the known constructions that offer the almost-surely terminating feature.
• With the resilience of t < n/(3+ε) for any ε > 0, our second protocol runs for expected O(1/ε) time. The expected running time of our protocol turns constant when ε is a constant fraction. The known constructions with constant expected running time either require ε to be at least 1 (Feldman-Micali, STOC 1988), implying t < n/4, or call for exponential computing power from the honest parties (Wang, CoRR 2015).
2008
Consider an asynchronous system with private channels and n processes, up to t of which may be faulty. We settle a longstanding open question by providing a Byzantine agreement protocol that simultaneously achieves three properties:
2010
We revisit the question of secure multiparty computation (MPC) with two rounds of interaction. It was previously shown by Gennaro et al. (Crypto 2002) that 3 or more communication rounds are necessary for general MPC protocols with guaranteed output delivery, assuming that there may be t ≥ 2 corrupted parties. This negative result holds regardless of the total number of parties, even if broadcast is allowed in each round, and even if only fairness is required. We complement this negative result by presenting matching positive results. Our first main result is that if only one party may be corrupted, then n ≥ 5 parties can securely compute any function of their inputs using only two rounds of interaction over secure point-to-point channels (without broadcast or any additional setup). The protocol makes a black-box use of a pseudorandom generator, or alternatively can offer unconditional security for functionalities in NC1. We also prove a similar result in a client-server setting, where there are m ≥ 2 clients who hold inputs and should receive outputs, and n additional servers with no inputs and outputs. For this setting, we obtain a general MPC protocol which requires a single message from each client to each server, followed by a single message from each server to each client. The protocol is secure against a single corrupted client and against coalitions of t < n/3 corrupted servers. The above protocols guarantee output delivery and fairness. Our second main result shows that under a relaxed notion of security, allowing the adversary to selectively decide (after learning its own outputs) which honest parties will receive their (correct) output, there is a general 2-round MPC protocol which tolerates t < n/3 corrupted parties. This protocol relies on the existence of a pseudorandom generator in NC1 (which is implied by standard cryptographic assumptions), or alternatively can offer unconditional security for functionalities in NC1.
The main aim of cryptography is to provide the frameworks and solutions for information security.
Lecture Notes in Computer Science, 1992
We present the first Byzantine agreement protocol which tolerates any number of maliciously faulty processors without relying on computational assumptions (such as the unforgeability of digital signatures).
Byzantine agreement means achieving reliable broadcast on a point-to-point network of n processors, of which up to t may be maliciously faulty. A well-known result by Pease, Shostak, and Lamport says that perfect Byzantine agreement is only possible if t < n/3. In contrast, so-called authenticated protocols achieve Byzantine agreement for any t based on computational assumptions, typically the existence of a digital signature scheme, an assumption equivalent to the existence of one-way functions. The "folklore" belief based on these two results is that computational assumptions are necessary to achieve Byzantine agreement for t ≥ n/3.
Lecture Notes in Computer Science, 2011
Three decades ago, Pease et al. introduced the problem of Byzantine Agreement [PSL80], where nodes need to maintain a consistent view of the world in spite of the challenge posed by Byzantine faults. Subsequently, it became well known that Byzantine agreement over a completely connected synchronous graph of n nodes tolerating up to t faults is (efficiently) possible if and only if t < n/3. Pease et al. further empowered the nodes with the ability to authenticate themselves and their messages and proved that agreement in this new model (popularly known as authenticated Byzantine agreement (ABA)) is possible if and only if t < n (which is a huge improvement over the bound of t < n/3 in the absence of authentication for the same functionality). To understand the utility, potential and limitations of using authentication in distributed protocols for agreement, Gupta et al. [GGBS10] studied ABA in a new light. They generalize the existing models and thus attempt to give a unified theory of agreement over the authenticated and non-authenticated domains. In this paper we extend their results to synchronous (undirected) arbitrary graphs and give a complete characterization of agreement protocols in the aforementioned family of graphs. As a corollary, we show that agreement can be strictly easier than all-pair point-to-point communication. It is well known that in a synchronous graph over n nodes of which up to any t are corrupted by a Byzantine adversary, BA is possible only if all-pair point-to-point reliable communication is possible [Dol82, DDWY93]. Specifically, in the standard unauthenticated model, (2t+1)-connectivity is necessary whereas in the authenticated setting (t+1)-connectivity is sufficient. Thus, a folklore in the area is that maintaining global consistency (Agreement) is at least as hard as the problem of all-pair point-to-point communication.
Equivalently, it is widely believed that protocols for BA over incomplete graphs exist only if it is possible to simulate an overlaid complete graph. Surprisingly, we show that the folklore is not always true. Thus, it seems that agreement protocols may be more fundamental to distributed computing than reliable communication.
arXiv (Cornell University), 2022
Byzantine Reliable Broadcast (BRB) is a fundamental distributed computing primitive, with applications ranging from notifications to asynchronous payment systems. Motivated by practical considerations, we study Client-Server Byzantine Reliable Broadcast (CSB), a multi-shot variant of BRB whose interface is split between broadcasting clients and delivering servers. We present Draft, an optimally resilient implementation of CSB. Like most implementations of BRB, Draft guarantees both liveness and safety in an asynchronous environment. Under good conditions, however, Draft achieves unparalleled efficiency. In a moment of synchrony, free from Byzantine misbehaviour, and at the limit of infinitely many broadcasting clients, a Draft server delivers a b-bit payload at an asymptotic amortized cost of 0 signature verifications and (log2(c) + b) bits exchanged, where c is the number of clients in the system. This is the information-theoretical minimum number of bits required to convey the payload (b bits, assuming it is compressed), along with an identifier for its sender (log2(c) bits, necessary to enumerate any set of c elements, and optimal if broadcasting frequencies are uniform or unknown). These two achievements have profound practical implications. Real-world BRB implementations are often bottlenecked either by expensive signature verifications or by communication overhead. For Draft, instead, the network is the limit: a server can deliver payloads as quickly as it would receive them from an infallible oracle.
Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019
To appear, 2004
We study the problem of constructing secure multi-party computation (MPC) protocols that are completely fair, meaning that either all the parties learn the output of the function, or nobody does, even when a majority of the parties are corrupted. We first propose a framework for fair multi-party computation, within which we formulate a definition of secure and fair protocols. The definition follows the standard simulation paradigm, but is modified to allow the protocol to depend on the running time of the adversary. In this way, we avoid a well-known impossibility result for fair MPC with corrupted majority; in particular, our definition admits constructions that tolerate up to (n − 1) corruptions, where n is the total number of parties. Next, we define a "commit-prove-fair-open" functionality and construct an efficient protocol that realizes it, using a new variant of a cryptographic primitive known as "time-lines." With this functionality, we show that some of the existing secure MPC protocols can be easily transformed into fair protocols while preserving their security. Putting these results together, we construct efficient, secure MPC protocols that are completely fair even in the presence of corrupted majorities. Furthermore, these protocols remain secure when arbitrarily composed with any protocols, which means, in particular, that they are concurrently composable and non-malleable. Finally, as an example of our results, we show a very efficient protocol that fairly and securely solves the socialist millionaires' problem.
Advances in Cryptology – ASIACRYPT 2020, 2020
Secure computation protocols enable mutually distrusting parties to compute a function of their private inputs while revealing nothing but the output. Protocols with full security (also known as guaranteed output delivery) in particular protect against denial-of-service attacks, guaranteeing that honest parties receive a correct output. This feature can be realized in the presence of an honest majority, and significant research effort has gone toward attaining full security with good asymptotic and concrete efficiency. We present an efficient protocol for any constant number of parties n, with full security against t < n/2 corrupted parties, that makes a black-box use of a pseudorandom generator. Our protocol evaluates an arithmetic circuit C over a finite ring R (either a finite field or R = Z_{2^k}) with communication complexity of (3t/(2t+1))·S + o(S) R-elements per party, where S is the number of multiplication gates in C (namely, < 1.5 elements per party per gate). This matches the best known protocols for the semi-honest model up to the sublinear additive term. For a small number of parties n, this improves over a recent protocol of Goyal et al. (Crypto 2020) by a constant factor for circuits over large fields, and by at least an Ω(log n) factor for Boolean circuits or circuits over rings. Our protocol provides new methods for applying the sublinear-communication distributed zero-knowledge proofs of Boneh et al. (Crypto 2019) for compiling semi-honest protocols into fully secure ones, in the more challenging case of t > 1 corrupted parties. Our protocol relies on replicated secret sharing to minimize communication and simplify the mechanism for achieving full security. This results in computational cost that scales exponentially with n. Our main fully secure protocol builds on a new intermediate honest-majority protocol for verifying the correctness of multiplication triples by making a general use of distributed zero-knowledge proofs.
While this intermediate protocol only achieves the weaker notion of security with abort, it applies to any linear secret-sharing scheme and provides a conceptually simpler, more general, and more efficient alternative to previous protocols from the literature. In particular, it can be combined with the Fiat-Shamir heuristic to simultaneously achieve logarithmic communication complexity and constant round complexity. * This is a full version of [BGIN20].