2020, IACR Cryptol. ePrint Arch.
Collective coin-tossing allows n processors with private randomness sources to agree on a common public coin. Without loss of generality, one can assume that the output is in the set {0, 1}, and the expected output of a coin-tossing protocol is X. The objective of a coin-tossing protocol is to be robust to adversarial interventions. In this paper, we study Byzantine adversaries who can arbitrarily set the messages of the corrupted processors. Historically, the study of coin-tossing protocols, with the introduction of even the mildest of variations in its setting, tends to yield surprising and exciting outcomes. We know several optimal or asymptotically optimal protocols like tribes, baton passing, and threshold protocols. Incidentally, there are several variants of coin-tossing where the majority protocol (or, more generally, the threshold protocols) turn out to be asymptotically optimal. In this work, we consider coin-tossing protocols in two security models and study the susceptib...
Cornell University - arXiv, 2022
Since the mid-1980s it has been known that Byzantine Agreement can be solved with probability 1 asynchronously, even against an omniscient, computationally unbounded adversary that can adaptively corrupt up to f < n/3 parties. Moreover, the problem is insoluble with f ≥ n/3 corruptions. However, Bracha's [Bra87] 1984 protocol (see also Ben-Or [Ben83]) achieved f < n/3 resilience at the cost of exponential expected latency 2^Θ(n), a bound that has never been improved in this model with f = ⌊(n − 1)/3⌋ corruptions. In this paper we prove that Byzantine Agreement in the asynchronous, full information model can be solved with probability 1 against an adaptive adversary that can corrupt f < n/3 parties, while incurring only polynomial latency with high probability. Our protocol follows earlier polynomial latency protocols of King and Saia [KS16, KS18] and Huang, Pettie, and Zhu [HPZ22], which had suboptimal resilience, namely f ≈ n/10^9 [KS16, KS18] and f < n/4 [HPZ22], respectively. Resilience f = (n−1)/3 is uniquely difficult as this is the point at which the influence of the Byzantine and honest players are of roughly equal strength. The core technical problem we solve is to design a collective coin-flipping protocol that eventually lets us flip a coin with an unambiguous outcome. In the beginning the influence of the Byzantine players is too powerful to overcome and they can essentially fix the coin's behavior at will. We guarantee that after just a polynomial number of executions of the coin-flipping protocol, either (a) the Byzantine players fail to fix the behavior of the coin (thereby ending the game) or (b) we can "blacklist" players such that the blacklisting rate for Byzantine players is at least as large as the blacklisting rate for good players. The blacklisting criterion is based on a simple statistical test of fraud detection.
if any corrupt player initiates a broadcast, then either all good players accept the same value v, and only v, or all good players accept nothing. See [Bra87] for details of this primitive.

Validation. The Reliable-Broadcast primitive allows us to assume that all relevant communication is public, via broadcasts. Fix any protocol P based on broadcasts. Informally, a player p validates a message m originating from q if p has already accepted and validated a set of broadcasts that, were they to be received by q, would have caused q to make a suitable state transition according to P and broadcast m. See [Bra87] for details of validation.

The reliable broadcast primitive prevents the adversary from sending conflicting messages to different players, or convincing one player to accept a broadcast and another not to. The validation mechanism prevents it from making state transitions logically inconsistent with the protocol P. Note, however, that in general P is probabilistic and validation permits a series of transitions that are logically possible but statistically unlikely.

In summary, the adversary is characterized by the following powers.

Full Information & Scheduling. The adversary knows the internal state of all players and controls the order in which messages are delivered. It may delay messages arbitrarily.

Corruption & Coin Flipping. The adversary may adaptively corrupt up to f players as the execution of the protocol progresses. Once corrupted, a player continues to follow protocol, except the adversary now chooses the outcomes of all of its coin flips.

Algorithm 1 Bracha-Agreement() from the perspective of player p
Require: v_p ∈ {−1, 1}.
1: loop
2:   Reliable-Broadcast v_p and wait until n − f messages are validated from some set of players S_p. Set v_p ← sgn(Σ_{q∈S_p} v_q). ⊲ sgn(x) = 1 if x ≥ 0 and −1 otherwise.
3:   Reliable-Broadcast v_p and wait until n − f messages are validated. If more than n/2 messages have some value v*, then set v_p ← v*; otherwise set v_p ← ⊥.
Proceedings of the 54th Annual ACM SIGACT Symposium on Theory of Computing
It has been known since the early 1980s that Byzantine Agreement in the full information, asynchronous model is impossible to solve deterministically against even one crash fault [FLP 1985], but that it can be solved with probability 1 [Ben-Or 1983], even against an adversary that controls the scheduling of all messages and corrupts up to < /3 players [Bracha 1987]. The main downside of [Ben-Or 1983, Bracha 1987] is that they terminate with 2 Θ() latency in expectation whenever = Θ(). King and Saia [KS 2016, KS 2018] developed a polynomial protocol (polynomial latency, polynomial local computation) that is resilient to < (1.14 × 10^−9) Byzantine faults. The new idea in their protocol is to detect, and blacklist, coalitions of likely-bad players by analyzing the deviations of random variables generated by those players over many rounds. In this work we design a simple collective coin-flipping protocol such that if any coalition of faulty players repeatedly does not follow protocol, then they will eventually be detected by one of two simple statistical tests. Using this coin-flipping protocol, we solve Byzantine Agreement in polynomial latency, even in the presence of up to < /4 Byzantine faults. This comes close to the < /3 upper bound on the maximum number of faults [LSP 1982, BT 1985, FLM 1986].
Lecture Notes in Computer Science, 1991
We present a protocol which achieves Byzantine Agreement (BA) if less than half of the processors are faulty and which does not rely on unproved computational assumptions such as the unforgeability of digital signatures. This is the first protocol which achieves this level of security.
2018
A popular technique for tolerating malicious faults in open distributed systems is to establish small groups of participants, each of which has a non-faulty majority. These groups are used as building blocks to design attack-resistant algorithms. Despite over a decade of active research, current constructions require group sizes of O(log n), where n is the number of participants in the system. This group size is important since communication and state costs scale polynomially with this parameter. Given the stubbornness of this logarithmic barrier, a natural question is whether better bounds are possible. Here, we consider an attacker that controls a constant fraction of the total computational resources in the system. By leveraging proof-of-work (PoW), we demonstrate how to reduce the group size exponentially to O(log log n) while maintaining strong security guarantees. This reduction in group size yields a significant improvement in communication and state costs.
IEICE Transactions on Information and Systems, 2014
We propose a fast and resource-efficient agreement protocol on a request set, which is used to realize Byzantine fault tolerant server replication. Although most existing randomized protocols for Byzantine agreement exploit a modular approach, that is, a combination of agreement on a bit value and a reduction of request set values to the bit values, our protocol directly solves the multi-valued agreement problem for request sets. We introduce a novel coin tossing scheme to select a candidate of an agreed request set randomly. This coin toss allows our protocol to reduce resource consumption and to attain faster response time than the existing representative protocols.
Lecture Notes in Computer Science, 2011
A fair two-party coin tossing protocol is one in which both parties output the same bit that is almost uniformly distributed (i.e., it equals 0 and 1 with probability that is at most negligibly far from one half). It is well known that it is impossible to achieve fair coin tossing even in the presence of fail-stop adversaries (Cleve, FOCS 1986). In fact, Cleve showed that for every coin tossing protocol running for r rounds, an efficient fail-stop adversary can bias the output by Ω(1/r). Since this is the best possible, a protocol that limits the bias of any adversary to O(1/r) is called optimally-fair. The only optimally-fair protocol that is known to exist relies on the existence of oblivious transfer, because it uses general secure computation (Moran, Naor and Segev, TCC 2009). However, it is possible to achieve a bias of O(1/√r) in r rounds relying only on the assumption that there exist one-way functions. In this paper we show that it is impossible to achieve optimally-fair coin tossing via a black-box construction from one-way functions for r that is less than O(n/log n), where n is the input/output length of the one-way function used. An important corollary of this is that it is impossible to construct an optimally-fair coin tossing protocol via a black-box construction from one-way functions whose round complexity is independent of the security parameter n determining the security of the one-way function being used. Informally speaking, the main ingredient of our proof is to eliminate the random-oracle from "secure" protocols with "low round-complexity" and simulate the protocol securely against semi-honest adversaries in the plain model. We believe our simulation lemma to be of broader interest.
Journal of Parallel and Distributed Computing, 2006
A Boolean value of given a priori probability distribution is transmitted to a deciding agent by several processes. Each process fails independently with given probability, and faulty processes behave in a Byzantine way. A deciding agent has to make a decision concerning the transmitted value on the basis of messages obtained by processes. We construct a deterministic decision strategy which has the provably highest probability of correctness. It computes the decision in time linear in the number of processes. Decision optimality may be alternatively approached from a local, rather than global, point of view. Instead of maximizing the total probability of correctness of a decision strategy, we may try to find, for every set of values conveyed by processes, the conditionally most probable original value that could yield this set. We call such a strategy locally optimal, as it locally optimizes the probability of a decision, given a set of relayed values, disregarding the impact of such a choice on the overall probability of correctness. We construct a locally optimal decision strategy which again computes the decision value in time linear in the number of processes. We establish the surprising fact that, in general, local probability maximization may lead to a decision strategy which does not have the highest probability of correctness. However, if the probability distribution of the Boolean value to be conveyed is uniform, and all processes have the same failure probability smaller than 1/2, this anomaly does not occur. We first design and analyze our strategies in the synchronous setting and then show how they should be modified to work in asynchronous systems.
2020
There is a significant interest in securely computing functionalities with guaranteed output delivery, a.k.a., fair computation. For example, consider a 2-party n-round coin-tossing protocol in the information-theoretic setting. Even if one party aborts during the protocol execution, the other party has to receive her outcome. Towards this objective, every round, the sender of that round's message preemptively prepares a defense coin, which is her output if the other party aborts prematurely. Cleve and Impagliazzo (1993), Beimel, Haitner, Makriyannis, and Omri (2018), and Khorasgani, Maji, and Mukherjee (2019) show that a fail-stop adversary can alter the distribution of the outcome by Ω(1/√n). This hardness of computation result for the representative coin-tossing functionality (using a partition argument) extends to the fair evaluation of any functionality whose output is not a priori fixed and honest parties are not in the majority. However, there are natural scenarios in the d...
The Computer Journal, 2006
This paper proposes a stack of three Byzantine-resistant protocols aimed to be used in practical distributed systems: multi-valued consensus, vector consensus and atomic broadcast. These protocols are designed as successive transformations from one to another. The first protocol, multi-valued consensus, is implemented on top of a randomized binary consensus and a reliable broadcast protocol. The protocols share a set of important structural properties. First, they do not use digital signatures constructed with public-key cryptography, a well-known performance bottleneck in this kind of protocol. Second, they are time-free, i.e. they make no synchrony assumptions, since these assumptions are often vulnerable to subtle but effective attacks. Third, they are completely decentralized, thus avoiding the cost of detecting corrupt leaders. Fourth, they have optimal resilience, i.e. they tolerate the failure of f = (n − 1)/3 out of a total of n processes. In terms of time complexity, the multi-valued consensus protocol terminates in a constant expected number of rounds, while the vector consensus and atomic broadcast protocols have O(f) complexity. The paper also proves the equivalence between multi-valued consensus and atomic broadcast in the Byzantine failure model without signatures. A similar proof is given for the equivalence between multi-valued consensus and vector consensus. These two results have theoretical relevance since they show once more that consensus is a fundamental problem in distributed systems.
Distributed Computing, 2005
The application of the tolerance paradigm to security, intrusion tolerance, has been raising a reasonable amount of attention in the dependability and security communities. In this paper we present a novel approach to intrusion tolerance. The idea is to use privileged components, generically designated by wormholes, to support the execution of intrusion-tolerant protocols, often called Byzantine-resilient in the literature.
ArXiv, 2016
Are there Byzantine Animals? A Fooling Behavior is exhibited by the Cuckoo bird. It sneakily replaces some of the eggs of other species with its own. Lest the Cuckoo extinct itself by destroying its host, it self-limits its power: It does not replace too large a fraction of the eggs. Here, we show that any Byzantine Behavior that does not destroy the system it attacks, i.e. allows the system to solve an easy task like epsilon-agreement, then its maliciousness can be confined to be the exact replica of the Cuckoo bird behavior: Undetectably replace an input of a processor and let the processor behave correctly thereafter with respect to the new input. In doing so we reduce the study of Byzantine behavior to fail-stop (benign) behavior with the Cuckoo caveat of a fraction of the inputs replaced. We establish a complete correspondence between the Byzantine and the Benign, modulo different thresholds, and replaced inputs. This work is yet another step in a line of work unifying seemingl...
Randomized Byzantine Consensus can be an interesting building block in the implementation of asynchronous distributed systems. Despite its exponential worst-case complexity, which would make it less appealing in practice, a few experimental works have argued quite the opposite. To bridge the gap between theory and practice, we analyze a well-known state-of-the-art algorithm in normal system conditions, in which crash failures may occur but no malicious attacks, proving that it is fast on average.
Proceedings of the 2012 ACM symposium on Principles of distributed computing, 2012
In the Byzantine agreement problem, a set of n processors, any f of whom may be arbitrarily faulty, must reach agreement on a value proposed by one of the correct processors. It is a celebrated result that unless n > 3f, Byzantine agreement is impossible in a variety of computation and communication models. This is due to the fact that faulty processors can equivocate, that is, say different things to different processors. If this ability is mitigated, for example by assuming a global broadcast channel, then n > 2f is sufficient. With very few exceptions, the literature on Byzantine agreement has been confined to the n > 2f and n > 3f paradigms. We bridge the gap between these two paradigms by assuming partial broadcast channels among sets of three processors, observing that equivocation is fundamentally an act involving three parties: a faulty processor that lies (inconsistently) to two correct processors. We characterize the conditions under which Byzantine agreement is possible for all n = 2f + h, h an integer in [1..f], by giving asymptotically tight bounds on the number of necessary and sufficient partial broadcast channels. We prove these bounds by a reduction to a problem in extremal combinatorics, which itself is a natural generalization of a well-studied hypergraph coloring problem. Algorithmically, we show that deciding whether a given set of broadcast channels enables Byzantine agreement is co-NP-complete. Although partial broadcast channels have been studied in prior work, the bounds obtained on the number of required channels were sub-optimal by up to a factor of Θ(n^2). Moreover, this work has been confined to the synchronous model. In contrast, we apply our results to several distinct models and provide stronger motivation for using partial broadcast channels in practice, drawing from recent work in the systems community.
Distributed Computing, 2013
We present an efficient, optimally-resilient Asynchronous Byzantine Agreement (ABA) protocol involving n = 3t + 1 parties over a completely asynchronous network, tolerating a computationally unbounded Byzantine adversary, capable of corrupting at most t out of the n parties. In comparison with the best known optimally-resilient ABA protocols of Canetti and Rabin (STOC 1993) and Abraham, Dolev and Halpern (PODC 2008), our protocol is significantly more efficient in terms of the communication complexity. Our ABA protocol is built on a new statistical asynchronous verifiable secret sharing (AVSS) protocol with optimal resilience. Our AVSS protocol significantly improves the communication complexity of the only known statistical and optimally-resilient AVSS protocol of Canetti et al. Our AVSS protocol is further built on an asynchronous primitive called asynchronous weak commitment (AWC), while the AVSS of Canetti et al. is built on the primitive called asynchronous weak secret sharing (AWSS). We observe that AWC has weaker requirements than AWSS and hence it can be designed more efficiently than AWSS.
Journal of Cryptology, 2000
We investigate the relations between two major properties of multiparty protocols: fault tolerance (or resilience) and randomness. Fault-tolerance is measured in terms of the maximum number of colluding faulty parties, t, that a protocol can withstand and still maintain the privacy of the inputs and the correctness of the outputs (of the honest parties). Randomness is measured in terms of the total number of random bits needed by the parties in order to execute the protocol.
2012
In this work, we consider two types of adversarial attacks on a network of nodes seeking to reach consensus. The first type involves an adversary that is capable of breaking a specific number of links at each time instant. In the second attack, the adversary is capable of corrupting the values of the nodes by adding a noise signal. In this latter case, we assume that the adversary is constrained by a power budget. We consider the optimization problem of the adversary and fully characterize its optimum strategy for each scenario.
Proceedings of the 2018 ACM Symposium on Principles of Distributed Computing, 2018
The problem of Byzantine Agreement (BA) is of interest to both the distributed computing and cryptography communities. Following well-known results from the distributed computing literature, the BA problem in the asynchronous network setting encounters inevitable non-termination issues. The impasse is overcome via randomization, which allows construction of BA protocols with two flavours of termination guarantee: with overwhelming probability and with probability one. The latter type, termed almost-surely terminating BAs, are the focus of this paper. An eluding problem in the domain of almost-surely terminating BAs is achieving a constant expected running time. Our work makes progress in this direction. In a setting with n parties and an adversary with unbounded computing power controlling at most t parties in Byzantine fashion, we present two almost-surely terminating BA protocols in the asynchronous setting:

• With the optimal resilience of t < n/3, our first protocol runs for expected O(n) time. The existing protocols in the same setting either run for expected O(n^2) time (Abraham et al, PODC 2008) or require exponential computing power from the honest parties (Wang, CoRR 2015). In terms of communication complexity, our construction outperforms all the known constructions that offer the almost-surely terminating feature.

• With the resilience of t < n 3+ for any > 0, our second protocol runs for expected O(1) time. The expected running time of our protocol turns constant when is a constant fraction. The known constructions with constant expected running time either require to be at least 1 (Feldman-Micali, STOC 1988), implying t < n/4, or call for exponential computing power from the honest parties (Wang, CoRR 2015).
Lecture Notes in Computer Science, 2001
Security analysis of multiparty cryptographic protocols distinguishes between two types of adversarial settings: In the non-adaptive setting, the set of corrupted parties is chosen in advance, before the interaction begins. In the adaptive setting, the adversary chooses who to corrupt during the course of the computation. We study the relations between adaptive security (i.e., security in the adaptive setting) and non-adaptive security, according to two definitions and in several models of computation. While affirming some prevailing beliefs, we also obtain some unexpected results. Some highlights of our results are:
The problem of Byzantine (malicious sensors) threats in a distributed detection framework for inference networks is addressed. Impact of Byzantines is mitigated by suitably adding Stochastic Resonance (SR) noise. Previously, Independent Malicious Byzantine Attack (IMBA), where each Byzantine decides to attack the network independently relying on its own observation was considered. In this paper, we present further results for Cooperative Malicious Byzantine Attack (CMBA), where Byzantines collaborate to make the decision and use this information for the attack. In order to analyze the network performance, we consider KL-Divergence (KLD)
2011 IEEE International Parallel & Distributed Processing Symposium, 2011