Download presentation

Presentation is loading. Please wait.

Published byKade Lindon Modified over 2 years ago

1
The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA

2
Byzantine Agreement n parties each has an input bit t corrupt parties Goal: agree on a bit equal to input of some ``good party

3
Byzantine Agreement Simple problem, worst case adversary

4
History Impossibility Constraints: >= 1/3 corrupted processors deterministic algorithm, 1 crash failure [FLP] Algorithms: termination with prob =1 adaptive adversary exponential expected running time [Ben-Or, Bracha] [KKKSS] termination/correctness with prob 1 – o(1) non-adaptive adversary polylogarithmic running time

5
Landscape of possible algorithms? [Ben-Or, Bracha] [KKKSS] ??? L Las Vegas polytime algorithm? L Adaptive adversary polytime algorithm?

6
Our Result [Ben-Or, Bracha]

7
Simple Algorithm Recipe One Round: bit b broadcast b validate set of responses = S Compute b = N(S) b Repeat Randomized function

8
Ben-Or, Bracha Algorithms S = Set of bits overwhelming majority strong majority mixed Decide Fix b to majority Define b randomly

9
Why Exponential Time? Decide 0 Fix 0 Random Decide 1 Fix 1 S: mostly mixed mostly 1 Exponential Loop!

10
Generalizing the Algorithm Recipe Round i: bit b broadcast b validate set of responses = S Compute b = N(S) Randomized function value v broadcast v i S 1, S 2, …, S i Compute v = N(S 1, S 2, …, S i ) Randomized function with constant size range

11
Key Restrictions S 1,..., S i are considered as sets N(S 1,..., S i ) chooses randomly from a constant number of possible values - messages divorced from senders - values themselves can vary

12
How to Prove Exponential Time? Classic strategy: Execution deciding 0 Execution deciding 1 Indistinguishable to some uncorrupted processor Chain of executions, each execution of exponential length Not deciding!

13
Challenge for Randomized Algorithms Any single execution may be unlikely Takes a class of executions to add up to constant probability

14
Execution Classes Divide processors into groups S S S Class defined by sets per group per round

15
Source of Adversarys Control Suppose Ω(n) processors receive the same sets: S 1, S 2,..., S i... N(S 1,..., S i )... Independent samples from same distribution

16
Chernoff Bound...

17
Adversary Can Match Expectations S 1, S 2,..., S i Output = Expectation [ N(S 1, …, S i )]

18
Chain of Execution Classes Each group kept in sync Output sets match expectations Execution class deciding 0 Execution class deciding 1 Execution class Execution class … Indistinguishable to some group One of these must be non-deciding

19
Generating the Chain of Execution Classes E rounds … Change group inputs one group at a time:

20
Adversary Strategy adversary divides processors into groups of t corrupts constant fraction per group all group members see same message sets tries to stay in the non-deciding execution class

21
Adversarys Success Probability S 1, S 2, …, S i Z 1, Z 2, …, Z i V 1, V 2, …, V i Output = Expectation With Prob = 1 – 1/exp Output = Expectation With Prob = 1 – 1/exp Output = Expectation With Prob = 1 – 1/exp By Union bound over groups and rounds, # of rounds = Exp with constant probability

22
Observations Adversary Strategy : -Only leverages message scheduling and random coins of bad processors -No hope to detect bad behavior without risk Impossibility proof crucially leverages: -Received messages treated as sets -Random Variables have bounded support

23
Open Problems [KKKSS] ??? L Las Vegas polytime algorithm? L Adaptive adversary polytime algorithm? Still simple structure, unbounded randomness? Weaken symmetry in processing received messages? [Ben-Or, Bracha]

24
Thank you! Questions?

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google