The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.

The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement

Allison Lewko

The University of Texas at Austin

Byzantine Agreement• n parties• each has an input bit• t corrupt parties

Goal: agree on a bit equal to input of some ``good” party

0 0 0 0 0

1

Byzantine Agreement• Simple problem, worst case adversary

HistoryImpossibility Constraints:

• >= 1/3 corrupted processors• deterministic algorithm, 1 crash failure [FLP]

Algorithms:

• termination with prob =1• adaptive adversary• exponential expected running time

[Ben-Or, Bracha]

[KKKSS]• termination/correctness with prob 1 – o(1)• non-adaptive adversary• polylogarithmic running time

Landscape of possible algorithms?

[Ben-Or, Bracha]

[KKKSS]

???

LLas Vegas polytime algorithm?

LAdaptive adversary polytime algorithm?

Our Result

𝐸𝑥𝑝𝑜𝑛𝑒𝑛𝑡𝑖𝑎𝑙

𝑇𝑖𝑚𝑒[Ben-Or, Bracha]

Simple Algorithm Recipe

One Round:

bit b

broadcast b

validate set of responses = S

Compute b’ = N(S)b’

Repeat

Randomized function

Ben-Or, Bracha AlgorithmsS = Set of bits

• overwhelming majority

• strong majority

• mixed

Decide

Fix b’ to majority

Define b’ randomly

N = b

Why Exponential Time?

Decide 0 Fix 0 Random Decide 1Fix 1

S: mostly 0 . . . . . . . . mixed . . . . . . . . . mostly 1

N:= number of processorsN := number of participantsT = eg= t

𝑛 :𝑛𝑢𝑚𝑏𝑒𝑟 𝑜𝑓 𝑝𝑟𝑜𝑐𝑒𝑠𝑠𝑜𝑟𝑠𝑡=Ω (𝑛) :𝑛𝑢𝑚𝑏𝑒𝑟 𝑜𝑓 𝑐𝑜𝑟𝑟𝑢𝑝𝑡𝑖𝑜𝑛𝑠

± O(

Exponential Loop!

Generalizing the Algorithm Recipe

t = gg= tx = yg= x

Round i:

bit b

broadcast b

validate set of responses = S

Compute b’ = N(S)

Randomized function

value v

broadcast v

i

S1 , S2 , …, Si

Compute v’ = N(S1, S2, … ,Si )

Randomized function with constant size range

Key Restrictions

• S1, . . . , Si are considered as sets

• N(S1 , . . . , Si) chooses randomly from a constant number of possible values

- messages divorced from senders

- values themselves can vary

How to Prove Exponential Time?Classic strategy:

Executiondeciding 0

Executiondeciding 1Indistinguishable

to some uncorruptedprocessor

Chain of executions, each execution of exponential length

Not deciding!

Challenge for Randomized Algorithms

Any single execution may be unlikely

Takes a class of executions to add up to constant probability

Execution ClassesDivide processors into groups

S

S

SClass defined by sets pergroup per round

Source of Adversary’s ControlSuppose Ω(n) processors receive the same sets:

S1, S2, . . . , Si S1, S2, . . . , Si S1, S2, . . . , Si

. . . N(S1 , . . . , Si) N(S1 , . . . , Si) N(S1 , . . . , Si). . .

Independent samples from same distribution

Chernoff Bound

D - a distribution on R values

R - a constant

X 1; : : : ;X k - independent samples from D

\ k balls in R bins":

. . . p1 p2 p3 pR

bin i \ far" from pik with probabability exponentially small in k

Adversary Can Match Expectations

S1, S2, . . . , Si

Output = Expectation [N(S1, … , Si)]

Chain of Execution Classes• Each group kept in sync• Output sets match expectations

Execution classdeciding 0

Execution classdeciding 1

Execution class

Execution class…

Indistinguishableto some group One of these must

be non-deciding

Generating the Chain of Execution ClassesE rounds

…

0

0

0

1

1

1

Change group inputs onegroup at a time:

Adversary Strategy

• adversary divides processors into groups of t

• corrupts constant fraction per group

• all group members see same message sets

• tries to stay in the non-deciding execution class

Adversary’s Success ProbabilityS1, S2, … , Si Z1, Z2, … , Zi

V1, V2, …,Vi

Output = ExpectationWith Prob = 1 – 1/exp

Output = ExpectationWith Prob = 1 – 1/exp

Output = ExpectationWith Prob = 1 – 1/exp

By Union bound over groups and rounds, # of rounds = Exp with constant probability

Observations

• Adversary Strategy :

- Only leverages message schedulingand random coins of bad processors- No hope to detect bad behavior without risk

• Impossibility proof crucially leverages:

- Received messages treated as sets- Random Variables have bounded support

Open Problems

[KKKSS]

???

LLas Vegas polytime algorithm?

LAdaptive adversary polytime algorithm?

𝐸𝑥𝑝𝑜𝑛𝑒𝑛𝑡𝑖𝑎𝑙

𝑇𝑖𝑚𝑒

• Still simple structure, unbounded randomness?• Weaken symmetry in processing received messages?

[Ben-Or, Bracha]

Thank you!

Questions?