The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.
Post on 30-Mar-2015
218 Views
Preview:
Transcript
The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement
Allison Lewko
The University of Texas at Austin
Byzantine Agreement• n parties• each has an input bit• t corrupt parties
Goal: agree on a bit equal to input of some ``good” party
0 0 0 0 0
1
Byzantine Agreement• Simple problem, worst case adversary
HistoryImpossibility Constraints:
• >= 1/3 corrupted processors• deterministic algorithm, 1 crash failure [FLP]
Algorithms:
• termination with prob =1• adaptive adversary• exponential expected running time
[Ben-Or, Bracha]
[KKKSS]• termination/correctness with prob 1 – o(1)• non-adaptive adversary• polylogarithmic running time
Landscape of possible algorithms?
[Ben-Or, Bracha]
[KKKSS]
???
LLas Vegas polytime algorithm?
LAdaptive adversary polytime algorithm?
Our Result
𝐸𝑥𝑝𝑜𝑛𝑒𝑛𝑡𝑖𝑎𝑙
𝑇𝑖𝑚𝑒[Ben-Or, Bracha]
Simple Algorithm Recipe
One Round:
bit b
broadcast b
validate set of responses = S
Compute b’ = N(S)b’
Repeat
Randomized function
Ben-Or, Bracha AlgorithmsS = Set of bits
• overwhelming majority
• strong majority
• mixed
Decide
Fix b’ to majority
Define b’ randomly
N = b
Why Exponential Time?
Decide 0 Fix 0 Random Decide 1Fix 1
S: mostly 0 . . . . . . . . mixed . . . . . . . . . mostly 1
N:= number of processorsN := number of participantsT = eg= t
𝑛 :𝑛𝑢𝑚𝑏𝑒𝑟 𝑜𝑓 𝑝𝑟𝑜𝑐𝑒𝑠𝑠𝑜𝑟𝑠𝑡=Ω (𝑛) :𝑛𝑢𝑚𝑏𝑒𝑟 𝑜𝑓 𝑐𝑜𝑟𝑟𝑢𝑝𝑡𝑖𝑜𝑛𝑠
± O(
Exponential Loop!
Generalizing the Algorithm Recipe
t = gg= tx = yg= x
Round i:
bit b
broadcast b
validate set of responses = S
Compute b’ = N(S)
Randomized function
value v
broadcast v
i
S1 , S2 , …, Si
Compute v’ = N(S1, S2, … ,Si )
Randomized function with constant size range
Key Restrictions
• S1, . . . , Si are considered as sets
• N(S1 , . . . , Si) chooses randomly from a constant number of possible values
- messages divorced from senders
- values themselves can vary
How to Prove Exponential Time?Classic strategy:
Executiondeciding 0
Executiondeciding 1Indistinguishable
to some uncorruptedprocessor
Chain of executions, each execution of exponential length
Not deciding!
Challenge for Randomized Algorithms
Any single execution may be unlikely
Takes a class of executions to add up to constant probability
Execution ClassesDivide processors into groups
S
S
SClass defined by sets pergroup per round
Source of Adversary’s ControlSuppose Ω(n) processors receive the same sets:
S1, S2, . . . , Si S1, S2, . . . , Si S1, S2, . . . , Si
. . . N(S1 , . . . , Si) N(S1 , . . . , Si) N(S1 , . . . , Si). . .
Independent samples from same distribution
Chernoff Bound
D - a distribution on R values
R - a constant
X 1; : : : ;X k - independent samples from D
\ k balls in R bins":
. . . p1 p2 p3 pR
bin i \ far" from pik with probabability exponentially small in k
Adversary Can Match Expectations
S1, S2, . . . , Si
Output = Expectation [N(S1, … , Si)]
Chain of Execution Classes• Each group kept in sync• Output sets match expectations
Execution classdeciding 0
Execution classdeciding 1
Execution class
Execution class…
Indistinguishableto some group One of these must
be non-deciding
Generating the Chain of Execution ClassesE rounds
…
0
0
0
1
1
1
Change group inputs onegroup at a time:
Adversary Strategy
• adversary divides processors into groups of t
• corrupts constant fraction per group
• all group members see same message sets
• tries to stay in the non-deciding execution class
Adversary’s Success ProbabilityS1, S2, … , Si Z1, Z2, … , Zi
V1, V2, …,Vi
Output = ExpectationWith Prob = 1 – 1/exp
Output = ExpectationWith Prob = 1 – 1/exp
Output = ExpectationWith Prob = 1 – 1/exp
By Union bound over groups and rounds, # of rounds = Exp with constant probability
Observations
• Adversary Strategy :
- Only leverages message schedulingand random coins of bad processors- No hope to detect bad behavior without risk
• Impossibility proof crucially leverages:
- Received messages treated as sets- Random Variables have bounded support
Open Problems
[KKKSS]
???
LLas Vegas polytime algorithm?
LAdaptive adversary polytime algorithm?
𝐸𝑥𝑝𝑜𝑛𝑒𝑛𝑡𝑖𝑎𝑙
𝑇𝑖𝑚𝑒
• Still simple structure, unbounded randomness?• Weaken symmetry in processing received messages?
[Ben-Or, Bracha]
Thank you!
Questions?
top related