Presentation on theme: "The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in."— Presentation transcript:
The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA
Byzantine Agreement n parties each has an input bit t corrupt parties Goal: agree on a bit equal to input of some ``good party 0 000 0 1
Byzantine Agreement Simple problem, worst case adversary
History Impossibility Constraints: >= 1/3 corrupted processors deterministic algorithm, 1 crash failure [FLP] Algorithms: termination with prob =1 adaptive adversary exponential expected running time [Ben-Or, Bracha] [KKKSS] termination/correctness with prob 1 – o(1) non-adaptive adversary polylogarithmic running time
Landscape of possible algorithms? [Ben-Or, Bracha] [KKKSS] ??? L Las Vegas polytime algorithm? L Adaptive adversary polytime algorithm?
Generalizing the Algorithm Recipe Round i: bit b broadcast b validate set of responses = S Compute b = N(S) Randomized function value v broadcast v i S 1, S 2, …, S i Compute v = N(S 1, S 2, …, S i ) Randomized function with constant size range
Key Restrictions S 1,..., S i are considered as sets N(S 1,..., S i ) chooses randomly from a constant number of possible values - messages divorced from senders - values themselves can vary
How to Prove Exponential Time? Classic strategy: Execution deciding 0 Execution deciding 1 Indistinguishable to some uncorrupted processor Chain of executions, each execution of exponential length Not deciding!
Challenge for Randomized Algorithms Any single execution may be unlikely Takes a class of executions to add up to constant probability
Execution Classes Divide processors into groups S S S Class defined by sets per group per round
Source of Adversarys Control Suppose Ω(n) processors receive the same sets: S 1, S 2,..., S i... N(S 1,..., S i )... Independent samples from same distribution
Adversary Can Match Expectations S 1, S 2,..., S i Output = Expectation [ N(S 1, …, S i )]
Chain of Execution Classes Each group kept in sync Output sets match expectations Execution class deciding 0 Execution class deciding 1 Execution class Execution class … Indistinguishable to some group One of these must be non-deciding
Generating the Chain of Execution Classes E rounds … 0 0 0 1 1 1 Change group inputs one group at a time:
Adversary Strategy adversary divides processors into groups of t corrupts constant fraction per group all group members see same message sets tries to stay in the non-deciding execution class
Adversarys Success Probability S 1, S 2, …, S i Z 1, Z 2, …, Z i V 1, V 2, …, V i Output = Expectation With Prob = 1 – 1/exp Output = Expectation With Prob = 1 – 1/exp Output = Expectation With Prob = 1 – 1/exp By Union bound over groups and rounds, # of rounds = Exp with constant probability
Observations Adversary Strategy : -Only leverages message scheduling and random coins of bad processors -No hope to detect bad behavior without risk Impossibility proof crucially leverages: -Received messages treated as sets -Random Variables have bounded support
Open Problems [KKKSS] ??? L Las Vegas polytime algorithm? L Adaptive adversary polytime algorithm? Still simple structure, unbounded randomness? Weaken symmetry in processing received messages? [Ben-Or, Bracha]
Your consent to our cookies if you continue to use this website.