1. 1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU

2. 2 Content  Overview  Broadcast Protocols  Cryptographic Primitives  Basic System Model  Previous Work  Multi-Party Protocols  Basic Broadcast Protocol  Byzantine Agreement  Future Work  Reference

3. 3 Overview  Broadcast protocols  Fundamental building block for implementing replication in fault–tolerant distributed systems  Secure service replication in an asynchronous environment with a static set of servers.  Assuming malicious adversary may corrupt up to a threshold of servers and controls the network  A party send to a message to all other parties

4. 4 Cryptographic Primitives  Digital signatures  Key generation algorithm  Signing algorithm  Verification algorithm  Non-interactive threshold signatures  N- parties, up to t of which corrupted  Each Party hold shares of the secret key of a signature scheme  Generate shares of signatures on individual message  K valid signature shares  construct a signature (t < k <= n-t )

5. 5 Cryptographic Primitives(continue)  Threshold Coin-Tossing Scheme  Basic idea – n parties, up to t of which may be corrupted.  Unpredictable function F Mapping the name C of a coin to its value F( C ) ∈ {0,1}  Parties generate shares of a coin- k coin shares (  construct the value of the particular coin)……. t < k <= n-t

6. 6 Basic System Model  Arbitrary multi-party protocol  A number of parties communicate over an insecure, asynchronous network  Adversary may corrupt some of the parties  Trusted dealer generates the initial state for all n parties

7. 7 Previous Work  Multi-Party Protocols  N – party protocol  p 1,…..,p n  Initialization algorithm  Additional party  dealer  Input k,n,t (n <= k)  Generate state information  Party p i activated repeatedly  Update its state  Generate some output message  Wait for the next activation

8. 8 Previous Work  Multi-Party Protocols (continue)  Adversary choose n,t  Protocol restriction t < n/3  Model (PKI for digital signature)  Generate key pair for a digital signature scheme S for each party  Initialize a fixed number of threshold cryptosystem(as required by the implemented protocols)  Generate public output for information associated with n-party protocol

9. 9 Previous Work  Basic broadcast protocol  Reliable broadcast protocol  Provide agreement on a delivered message  Atomic broadcast protocol  Guarantees a total order on messages  Secure casual broadcast protocol  Extends atomic broadcast by encryption to guarantee a casual order among the delivered message

10. 10 Previous Work  Protocol for Byzantine Agreement  Any two honest parties that decide a value for a particular TID must decide the same value.  It is computationally infeasible for an adversary to make two honest parties decide on different values

11. 11 Previous Work  Protocol for Byzantine agreement  Byzantine agreement  N-communicating parties  At most t of N are corrupted  It withstands the maximum number of corrupted parties : t < n/3  Using threshold signatures, coin-tossing protocols  Use a trusted dealer only in a setup phase

12. 12  Asynchronous Byzantine Agreement  N parties : p 1 ….p n  TID : given transaction identifier  Each party p i has an initial value V i ∈ {0,1}  The protocol proceeds in round r = 1,2,….  Pre-processing step  Generate S-signature share on the message (TID,pre-process, V i )  Send message (pre-process,V i,signature share) to all parties  On receiving 2t+1 such votes, each party get a threshold signature of S 0 (at least t+1 votes)

13. 13  Asynchronous Byzantine Agreement  Each round (four step)  After Pre-vote, Main-vote (1,2 step)  Check for decision Collect n-t properly justified main votes of rou nd r. If these are all main-votes for b ∈ {0,1} Decide the value b for TID, continue step 2  Common coin Generate coin share of the coin (TID, r) Send to all parties (coin, r, coin share) Collect n-t shares of the coin (TID,r) Combine these shares to get the value F(TID, r) ∈ {0,1}

14. 14 Future Work  Approach  Integration of both cryptography methods and methods used in distributed methods desirable for developing secure distributed protocols.  Focus on how fault-tolerant broadcasts can benefit from threshold-cryptographic protocols  Future work  Construction or Modification of Asynchronous Broadcast Protocols

15. 15 Reference  C.Cachin, K.Kursawe, F.Petzlod, and V.Shoup, “ Secure and efficient asynchronous broadcast protocols.” Cryptology ePrint Archive, Report 2001/006, Mar2001. http://eprint.iacr.orghttp://eprint.iacr.org  T.Rabin, “A simplified approach to threshold and proactive RSA.” In Advances in Cryptology-Crypto ’98, 1998  C.Cachin, K.Kursawe, and V.Shoup. “Random oracles in Constantinople : practical asynchronous Byzantine agreement using cryptography.”  V.Shoup, “Practical threshold signatures “, Advances in Cryptology: EUROCRYPT 2000(B. Preneel,ed.), Lecture Notes in Computer Science, Springer, 2000  M.Naor, B.Pinkas, and O.Reingold, “Distributed pseudo-random functions and KDSs.” In Advances in Cryptology: EUROCRYPT ‘99(J. Stern, ed.), vol.1592 of Lecture Notes in Computer Science, Springer, 1999.  M.K. Reiter and K.P.Birman,” How to securely replicate services,” ACM Transactions on Programming Languages and Systems, vol.16, pp.986- 1009, May 1994.  S. Goldwasser, “Multi-Party Computations : Past and Present “ (Invited Talk)