Expected Constant-Round Protocols for Broadcast

Jonathan Katz and Chiu-Yuen Koo (University of Maryland)

Background
- When designing cryptographic protocols, it is often convenient to assume a broadcast channel.
- In a point-to-point network, this broadcast has to be "emulated" by a broadcast sub-routine.
- The round complexity of the resulting protocol depends heavily on the round complexity of broadcast!
- Much work has focused on reducing this round complexity.

Byzantine Agreement
- n parties P_1, ..., P_n, t of whom are malicious; each party P_i has an input v_i.
- If the inputs of all honest parties initially agree, they should all output this common value.
- No matter what, all honest parties should output the same value.

Broadcast
- n parties P_1, ..., P_n, t of whom are malicious; one party is the dealer, who holds a message M.
- If the dealer is honest, all honest parties should output M.
- Even if the dealer is dishonest, all honest parties should output the same value.
- Essentially equivalent to the problem of Byzantine agreement for t < n/2.

Prior Work (t < n/3)
- Broadcast is possible in the "plain model" if and only if t < n/3 [PSL80].
- At least t+1 rounds are necessary for any deterministic protocol [FL82]; a poly-time protocol with this round complexity is known [GM98].
- Randomized protocols can beat the lower bound [R83, BO83]; [FM87] give an expected O(1)-round protocol.

Prior Work (t < n)
- Given a PKI and signatures, authenticated broadcast is possible for t < n [PSL80, DS83].
- The (t+1)-round lower bound still holds.
- [FG03] give an expected O(1)-round protocol for t < n/2, using specific number-theoretic assumptions.
- Open since [FM97]: existence of an expected O(1)-round protocol for t < n/2 based on signatures only.
- Note: the Feldman-Micali approach does not extend to this case (at least as far as we know).

Our Contributions I
- We show an expected O(1)-round broadcast protocol for t < n/2, assuming only a PKI and digital signatures.
- Along the way, we improve and simplify(?) the Feldman-Micali protocol for t < n/3.
- The proof is entirely self-contained.
- Our approach relies on the new notion of a moderated protocol, which has other applications as well (see next talk).

Our Contributions II
- We show how to deal with parallel/sequential composition of randomized protocols for t < n/2 (extending [LLR02, BOEY03]).
- Combined with existing results, this gives expected O(1)-round protocols for MPC tolerating t < n/2 malicious players.

Protocol Details
- The cases t < n/3 and t < n/2 are developed in parallel.
- The first is in the plain model and gives unconditional security; the second assumes a PKI + signatures (but is otherwise unconditional).
- We always assume pairwise authenticated and private channels, and an adaptive, rushing adversary.

Overview
- Constant-round VSS protocol (using a broadcast channel) + constant-round gradecast protocol (in the point-to-point model)
- Compiler: yields a constant-round protocol for moderated VSS (a variant of VSS)
- Constant-round protocol for leader election / coin tossing
- Expected constant-round protocol for BA

Gradecast [FM97]
- A relaxation of broadcast.
- The dealer holds input M; each honest party P_i outputs a message m_i and a grade g_i.
- If the dealer is honest, all honest players output (M, 2).
- If any honest party outputs (m_i, 2), then every other honest party P_j outputs m_j = m_i and g_j ≥ 1.

Theorem
- There exist constant-round gradecast protocols (in the point-to-point model) for t < n/3 and t < n/2.
- (Previously known for t < n/3 [FM97].)
- For details, see the paper.

VSS
- 2-phase protocol (sharing and reconstruction phases); the dealer holds input s.
- If the dealer is honest, then the view of the malicious players is independent of s after the first phase, and all honest parties output s in the second phase.
- At the end of the sharing phase, the view of the honest parties defines a value s' that all honest parties will output in the second phase.

Theorem
- There exist constant-round VSS protocols for t < n/3 and t < n/2 that use broadcast during the sharing phase only.
- (Previously known for t < n/3 [GIKR01]; follows by adapting [CDDHR99] for t < n/2.)

VSS for t < n/2
- The dealer chooses F(x,y) of degree t in each variable, with F(0,0) = s. Let a_{i,j} = b_{i,j} = F(i,j).
- The dealer sends to P_i the values a_{1,i}, ..., a_{n,i} and b_{i,1}, ..., b_{i,n} (signed).
- If insufficient signatures are received, P_i broadcasts a complaint. If the values are inconsistent, P_i broadcasts the inconsistent values and their signatures (and the dealer is disqualified).
- The dealer broadcasts the values (signed) for any party P_i who broadcast a complaint; P_i uses these values in the rest of the protocol.
- (Every party now has consistent vectors with correct dealer signatures.)

VSS for t < n/2, continued
- P_i signs a_{j,i} and sends it to P_j.
- If a_{i,j} is not equal to b_{i,j} (or no signature is received), P_i broadcasts b_{i,j} with the dealer's signature.
- If any party broadcast a value b_{i,j} different from a_{i,j}, then broadcast a_{i,j} with the dealer's signature.
- If the dealer's signature on two different values is broadcast, the dealer is disqualified.

VSS for t < n/2, continued
- Reconstruction: P_i sends b_{i,j} for all j (along with the signature of P_j) to all other parties. (Note: if no valid signature was obtained, P_i has already broadcast b_{i,j}.)
- If P_j sent any incorrect signatures, or b_j = (b_{j,1}, ..., b_{j,n}) is inconsistent, disqualify P_j.
- For each non-disqualified P_j, interpolate b_j to get f_j(y). Next, interpolate {f_j(y)} to get F(x,y). Output F(0,0).

Proof (sketch)
- If the dealer is honest, the information the malicious parties have about s is exactly {F(i,y), F(x,i)} for i malicious.
- Since there are at most t malicious players, and the degree of F is t in each variable, no information about s is leaked.
- Say the dealer, P_i and P_j are honest. Then P_i recovers f_j(y) = F(j,y).
- For any malicious P_k (who is not disqualified by P_i), b_{k,j} was "validated" by P_j and so b_{k,j} = F(k,j). Since this holds for t+1 honest players, P_i recovers f_k(y) = F(k,y).
- Interpolating these thus yields F(x,y).

Proof (sketch)
- For the case of a dishonest dealer, take the values (b_{i,1}, ..., b_{i,n}) of an honest P_i at the end of the sharing phase. These are consistent; let f_i(y) be the corresponding polynomial.
- Since we have t+1 honest players, we can interpolate the {f_i(y)} to obtain F(x,y).
- Claim: F(0,0) will be the value output in the reconstruction phase.
- The argument is similar to before.
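The following is an added worked example (not code from the paper or the authors) of the bivariate-polynomial VSS above, covering the dealer's sharing step, the pairwise a_{i,j} = b_{i,j} cross-check, and the reconstruction rule with its signature and consistency checks, for the honest-dealer case the proof sketch discusses. Assumptions made here: the field is GF(P) for the constructed prime P = 2^31 - 1; signatures are modelled by a `signed_ok` predicate that passes a value only if the signing party would actually have signed it (an honest P_k signs only the true F(j,k), a corrupt colluder signs anything); the broadcast-based complaint handling of the sharing phase is omitted since the dealer is honest in the scenario; and the scenario (n = 7, t = 3, corrupt parties {5, 6, 7}, one corrupt party altering colluder-signed positions and another forging an honest party's position) is constructed. Reconstruction interpolates each surviving row at y = 0 and then the resulting points on F(x,0) at x = 0, which yields the same F(0,0) as the full bivariate interpolation in the slide.

```python
import random

# Constructed field size for this toy example: the Mersenne prime 2^31 - 1.
P = 2_147_483_647


def eval_bivariate(coeffs, x, y):
    """Evaluate F(x, y) = sum_{k,l} coeffs[k][l] * x^k * y^l over GF(P)."""
    total = 0
    for k, row in enumerate(coeffs):
        for l, c in enumerate(row):
            total = (total + c * pow(x, k, P) * pow(y, l, P)) % P
    return total


def deal(secret, n, t, rng):
    """Dealer's step: choose F of degree t in each variable with F(0,0) = secret.
    Returns coeffs plus, for each i in 1..n, the row b_i = (F(i,1), ..., F(i,n))
    and the column a_i = (F(1,i), ..., F(n,i)) that the dealer sends to P_i."""
    coeffs = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    coeffs[0][0] = secret % P
    rows = {i: [eval_bivariate(coeffs, i, j) for j in range(1, n + 1)] for i in range(1, n + 1)}
    cols = {i: [eval_bivariate(coeffs, j, i) for j in range(1, n + 1)] for i in range(1, n + 1)}
    return coeffs, rows, cols


def lagrange_eval(points, x):
    """Value at x of the unique polynomial of degree < len(points) through the (x_i, y_i) pairs, over GF(P)."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        result = (result + yi * num * pow(den, P - 2, P)) % P
    return result


def is_degree_at_most(points, t):
    """Consistency check: do all points lie on one polynomial of degree <= t?"""
    base = points[: t + 1]
    return all(lagrange_eval(base, x) == y for x, y in points[t + 1:])


def pairwise_check(rows, cols, i, j):
    """Sharing-phase cross-check between P_i and P_j: P_j's a_{i,j} must equal P_i's b_{i,j}."""
    return cols[j][i - 1] == rows[i][j - 1]


def reconstruct(presented_rows, signed_ok, n, t):
    """Reconstruction as run by one honest party.
    presented_rows: {j: [b_{j,1}, ..., b_{j,n}]} as sent by each P_j.
    signed_ok(j, k, v): stands in for verifying P_k's signature on value v at position (j, k)."""
    surviving = {}
    disqualified = []
    for j, row in presented_rows.items():
        points = list(zip(range(1, n + 1), row))
        if not all(signed_ok(j, k, v) for k, v in points) or not is_degree_at_most(points, t):
            disqualified.append(j)  # bad signature or inconsistent row: disqualify P_j
            continue
        surviving[j] = lagrange_eval(points, 0)  # f_j(0) = F(j, 0)
    # F(x, 0) has degree t and at least t+1 honest rows survive, so F(0, 0) is determined.
    secret = lagrange_eval(sorted(surviving.items()), 0)
    return secret, sorted(disqualified)


def run_demo(seed=7):
    """Constructed scenario: n = 7, t = 3, corrupt parties {5, 6, 7}, honest dealer."""
    n, t, corrupt = 7, 3, {5, 6, 7}
    rng = random.Random(seed)
    secret = 123456789
    coeffs, rows, cols = deal(secret, n, t, rng)
    honest = [i for i in range(1, n + 1) if i not in corrupt]
    checks_pass = all(pairwise_check(rows, cols, i, j) for i in honest for j in honest)

    # Honest P_k signed only the true value F(j, k); a corrupt P_k will sign anything.
    def signed_ok(j, k, v):
        return k in corrupt or v == eval_bivariate(coeffs, j, k)

    presented = {j: list(rows[j]) for j in range(1, n + 1)}
    presented[5][5] = (presented[5][5] + 1) % P  # P_5 alters b_{5,6} and b_{5,7}: colluders sign anything,
    presented[5][6] = (presented[5][6] + 1) % P  # but the row no longer has degree <= t
    presented[7][2] = (presented[7][2] + 1) % P  # P_7 alters b_{7,3}: honest P_3 never signed that value
    recovered, disqualified = reconstruct(presented, signed_ok, n, t)
    return {"checks_pass": checks_pass, "secret": secret, "recovered": recovered, "disqualified": disqualified}


if __name__ == "__main__":
    print(run_demo())
```

The two corrupt rows fail for the two different reasons the slide lists: P_7's forged position fails the signature check, and P_5's altered positions make its row inconsistent with the t+1 honest-signed positions that pin down F(5,y). P_6, which behaved, survives, and the secret is recovered from the remaining rows.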

Moderated VSS
- 2-phase protocol; the dealer holds input s; there is also a distinguished moderator.
- Each party P_i outputs a bit f_i at the end of the sharing phase.
- If the moderator is honest, then f_i = 1 for all honest parties.
- If there exists an honest player with f_i = 1, then the protocol achieves VSS.

Key Result
- There exist constant-round protocols for moderated VSS (in the point-to-point model) for t < n/3 and t < n/2.
- Proof: we construct such a protocol by compiling any VSS protocol (using broadcast in the sharing phase only) with gradecast.

Compiler
Given a VSS protocol Π, construct Π' as follows:
- Parties begin with f_i = 1.
- Whenever a party P is supposed to broadcast a message m (as part of Π):
  - P gradecasts m.
  - The moderator gradecasts the result.
  - Let (m, g) and (m', g') be the outputs of some player from these two gradecasts. Use m' as the message broadcast by P (in the execution of Π).
  - Set f = 0 if (g' ≠ 2) or (m ≠ m' and g = 2).

Proof
- If the moderator is honest, then g' = 2. Also, if g = 2 then all parties output the same message in the gradecast by P, so m' = m. So honest parties output f = 1 if the moderator is honest.
- If any honest party outputs f = 1, then (1) g' = 2 always, and so honest parties use the same message within Π; furthermore, (2) if P is honest (so g = 2) then m' = m. So the functionality of broadcast was achieved whenever needed throughout Π.
- Hence, Π' achieves VSS.

Oblivious Leader Election (OLE) with Fairness δ
- With probability ≥ δ, the following holds (i.e., an honest leader is elected): there exists an index j such that (1) each honest party outputs j, and (2) P_j is honest.
- Theorem: there exist constant-round protocols for OLE with fairness 1/2, for t < n/3 and t < n/2.

Constructing OLE
Assume moderated VSS. (t_{i,j} = 1 means P_i "trusts" P_j.)
- P_i begins with t_{i,j} = 1 for all j.
- For all i, j, party P_i chooses random 1 ≤ c_{i,j} ≤ n^3 and then runs mVSS using this value and P_j as moderator. If P_k outputs f = 0 here, it sets t_{k,j} = 0.
- Reconstruct the above. P_k sets c_j = Σ_i c_{i,j} mod n^3.
- P_k outputs the j with t_{k,j} = 1 that minimizes c_j.

Proof
- Define T = {j : there exists an honest P_i with t_{i,j} = 1}.
- If P_i is honest, then i ∈ T. If j ∈ T, then all honest parties agree on c_j.
- Furthermore, c_j is uniform in {1, ..., n^3} (since c_{i,j} is uniform for P_i honest). With high probability, all such c_j are unique.
- So, with probability at least (t+1)/|T| ≥ 1/2, an honest leader is elected.

From Leader Election to BA
Repeat:
- Has agreement been reached? If yes, exit.
- If no (or maybe): run a leader election protocol.
- Each party sends the message it holds to all parties.
- Each party sets its input to the message sent by the leader.

Proof (ideas)
- If parties hold the same inputs, they do not change their inputs and will terminate the protocol by the end of the next iteration.
- No (honest) party terminates until agreement has been reached.
- Once an honest leader is elected, agreement will be reached in the following iteration.
- Since an honest leader is elected with constant probability, termination occurs in expected O(1) rounds.
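As an added example (not code from the paper or the authors) of the OLE construction and the leader-election-to-BA loop above, the simulation below runs the combination rule c_j = Σ_i c_{i,j} mod n^3 with the trust bits t_{i,j}, checks the success event from the fairness proof (all honest parties output the same j and P_j is honest), and then drives the BA loop with it. Assumptions of this example: the moderated-VSS sub-protocol is replaced by an idealised model in which an honest moderator leaves every honest party with f = 1 and the same reconstructed c_j, while a corrupt moderator may drive any subset of honest parties to f = 0 (modelled as a coin flip per honest party); all c_{i,j} are fixed before reconstruction, so the honest contributions already make c_j uniform; the "has agreement been reached?" check in the BA loop is idealised as a direct test of whether all honest inputs agree; and a corrupt leader may send a different message to each honest party. The parameters (n = 7, corrupt {5, 6, 7}, seeds) are constructed.

```python
import random


def ole_round(n, corrupt, rng):
    """One run of the OLE combination rule against an idealised moderated VSS
    (assumption of this example):
      - honest moderator P_j: every honest party keeps t_{k,j} = 1 and all
        honest parties reconstruct the same c_j;
      - corrupt moderator P_j: the adversary may make any subset of honest
        parties set t_{k,j} = 0 (a coin flip per honest party here); if some
        honest party keeps t_{k,j} = 1, the VSS property holds and c_j is the
        committed sum.
    Returns {honest k: index j output by P_k}."""
    modulus = n ** 3
    honest = [i for i in range(1, n + 1) if i not in corrupt]
    # Committed contributions c_{i,j} in {1, ..., n^3}; fixed before any reconstruction.
    contrib = {(i, j): rng.randrange(1, modulus + 1) for i in range(1, n + 1) for j in range(1, n + 1)}
    c = {j: sum(contrib[(i, j)] for i in range(1, n + 1)) % modulus for j in range(1, n + 1)}
    trust = {k: {j: (1 if j not in corrupt else rng.randrange(2)) for j in range(1, n + 1)} for k in honest}
    # P_k outputs the trusted j with the smallest c_j (ties by index; the same rule for everyone).
    return {k: min((j for j in range(1, n + 1) if trust[k][j]), key=lambda j: (c[j], j)) for k in honest}


def honest_leader_elected(choice, corrupt):
    """The OLE success event: all honest parties output the same j, and P_j is honest."""
    chosen = set(choice.values())
    return len(chosen) == 1 and next(iter(chosen)) not in corrupt


def estimate_fairness(n, corrupt, trials, seed):
    """Fraction of runs in which an honest leader is elected (the proof bounds this by >= 1/2)."""
    rng = random.Random(seed)
    hits = sum(honest_leader_elected(ole_round(n, corrupt, rng), corrupt) for _ in range(trials))
    return hits / trials


def ba_from_ole(inputs, corrupt, seed, max_iters=1000):
    """The leader-election-to-BA loop. The agreement check is idealised
    (assumption): the loop exits once all honest inputs agree. A corrupt
    leader may send a different message to each honest party.
    inputs: {party index: value}. Returns (agreed value, iterations used)."""
    rng = random.Random(seed)
    n = len(inputs)
    honest = [i for i in range(1, n + 1) if i not in corrupt]
    held = dict(inputs)
    for iteration in range(1, max_iters + 1):
        if len({held[i] for i in honest}) == 1:
            return held[honest[0]], iteration  # agreement reached: exit
        choice = ole_round(n, corrupt, rng)
        snapshot = dict(held)  # messages are sent before anyone updates
        for k in honest:
            leader = choice[k]
            held[k] = snapshot[leader] if leader not in corrupt else rng.choice(list(inputs.values()))
    raise RuntimeError("no agreement within max_iters")


if __name__ == "__main__":
    print("fairness estimate:", estimate_fairness(7, {5, 6, 7}, 3000, 1))
    print("BA result:", ba_from_ole({1: "a", 2: "b", 3: "a", 4: "b", 5: "x", 6: "x", 7: "x"}, {5, 6, 7}, 3))
```

With n = 7 and three corrupt parties the honest leader rate sits near 4/|T| ≥ 4/7, above the 1/2 bound from the proof, and the BA loop stops one iteration after the first honest leader; when the honest inputs already agree it exits in the first check without changing them, which is the validity property the proof ideas rely on.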

Final Result
- There exist expected O(1)-round protocols for broadcast for t < n/3 and t < n/2.
- Applying some optimizations, we obtain protocols with the following expected round complexities: t < n/3: 24 rounds; t < n/2: 56 rounds.

Composition

Parallel composition
- In general, parallel composition of n protocols with expected O(1)-round complexity does not yield an expected O(1)-round protocol.
- For our particular protocols, known techniques give parallel composition without increasing the expected number of rounds: run OLE once for all parallel executions.

Sequential composition
- A different problem may be caused by non-simultaneous termination: parties terminate one iteration in different rounds, and thus start the next iteration in different rounds.
- This is inherent for sublinear-round BA protocols.
- Existing methods for dealing with this are complex [LLR02] or apply only to t < n/3 [BOEY02].

Sequential composition
- Protocol Π has staggering gap g if honest parties terminate within g rounds of each other.
- Theorem: let Π be a broadcast protocol. Then there is a broadcast protocol Π' such that: it is secure as long as all parties start within 1 round of each other; its staggering gap is 1; and rc(Π') = 3 rc(Π) + 1.

Sequential composition
- To sequentially compose Π_1, ..., Π_k, run Π'_1, ..., Π'_k instead.
- Each Π'_i has staggering gap 1, and each Π'_{i+1} is secure as long as parties start within 1 round of each other.
- k sequential executions of a protocol with round complexity r require ≈ 3kr rounds.

Recent results (with J. Garay and R. Ostrovsky)

Broadcast for t < n?
- Our results apply only for t < n/2: we use VSS, which is possible only for t < n/2.
- What about t < n? Known: deterministic protocols with round complexity t+1, and a matching lower bound.

Negative result
- Theorem: any broadcast protocol tolerating t malicious parties must have expected round complexity at least on the order of n/(n-t).
- In particular, tolerating the optimal threshold t = n-1 is not possible in sub-linear rounds.

Positive result
First consider the case t = n/2:
- The dealer gradecasts M and then exits.
- The remaining parties run as follows:
  - If (M', g ≤ 1) was received, run (n/2)-resilient BA with M' as input and output the result.
  - If (M', 2) was received, run (n/2)-resilient BA with M' as input for K rounds; output M'.

Analysis
- If the dealer is honest, then all honest players enter the BA protocol with the same input. In this case, the protocol terminates in a fixed constant number of rounds.
- If the dealer is dishonest: if g = 2 for some honest player, then all honest players enter BA with the same input (and output the same value in K rounds). Otherwise, all honest players run BA to completion, with an honest majority!

General case
- Theorem: let c = t - (n-t) = 2t - n. Then there is a broadcast protocol with resilience t and expected round complexity O(c).
- In particular, for t = n/2 + o(n) we get a protocol with sub-linear round complexity.

Summary
- We have shown an expected O(1)-round broadcast protocol for t < n/2, the first based on general (minimal) assumptions.
- We also improve/simplify [FM97] for t < n/3.
- Sequential composition for t < n/2.
- Open questions: sublinear-round broadcast for t < n? Lower bounds on round complexity?