Title: Distributed Computing with Malicious Processors w/o Crypto or Private Channels
1 Distributed Computing with Malicious Processors w/o Crypto or Private Channels
Jared Saia, University of New Mexico
2 25 Byzantine Agreement in the full information model
Byzantine Agreement Silver Anniversary
We imagine that several divisions of the
Byzantine army are camped outside an enemy
city, each division commanded by its own
general. The generals can communicate with
one another only by messenger. After observing
the enemy, they must decide upon a common plan
of action. However, some of the generals may be
traitors, trying to prevent the loyal generals
from reaching agreement...
--Lamport, Shostak and Pease, 1982
3 Byzantine Agreement
- Each proc. starts with a bit
- Goal: All procs. output the same bit, which must match at least one of their initial bits.
- t: number of corrupt procs. controlled by malicious Adversary
- Resiliency: max t
4 Why Hard?
- Note: Majority Filtering Fails.
[Figure: two sets of processor bit values compared ("VS"), with some values marked "?"]
5 Celebrated Impossibility Result
- 1982: Fischer, Lynch and Paterson show that one fail-stop fault makes (deterministic) agreement impossible in the asynchronous model.
- 2007: Nancy Lynch wins the Knuth Prize with this result called fundamental in all of computer science.
6 1200 Cites Later
- Synchronous, Asynchronous
- Fail-stop, Byzantine, fault detectors
- Private channels, full information
- Adaptive, non-adaptive adversary
- Message passing, shared memory
- Complete, sparse network
- Resiliency, Time and Bit complexity
- Deterministic, Randomized, Quantum
- Byzantine Agreement, Leader Election and Global
Coin Tossing
8 First Results for Asynch with Randomness
- Ben-Or's Algorithm (1983): Full Information Model, Exponential Time
- Bracha's Algorithm (1985): Private Channels, Expected Constant Time
- Rabin's Algorithm (1985): Assumes Global coin toss
9 Ben-Or's Algorithm
- k = 1; REPEAT until decided:
- Send (x_i, R, k) to all procs.
- Wait for messages from n-t procs
- If > (n-t)/2 + t (majority of good) values b received, send (b, P, k) to all processors; else send (?, P, k) to all procs
- Wait for messages from n-t procs
- If > 3t (b, P, k) (> 2t good) received, decide b
- Else if > t (b, P, k) (1 good) received, set x_i = b
- Else flip coin to pick x_i
- k <- k+1
10 Why this works
- 1) In a given round, only one bit value b can be Proposed by any good proc
- Why? Since for a value to be Proposed, a majority of good procs must have Reported that value
- 2) If one good proc Decides on the value b, then all remaining good procs will set their values to b in that round (next slide)
- 3) Eventually all good procs will report the same value
11 Why this works
[Figure: scale of "Proposals Received for b" with the deciding point at > 3t, a mark at 2t, and the setting point at > t]
If one proc. decides b --> > 2t good procs Proposed b to the other procs --> > t Propose b msgs were received by every proc --> All procs set their value to b in this round
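The Report/Proposal rounds and the deciding/setting thresholds above, as an added simulation (not code from the talk). Assumptions: `ben_or` and `deliver` are hypothetical names, ids 0..t-1 are the corrupt procs and tell each receiver an independent random bit, the scheduler hands each good proc a random n-t of the n messages, and n > 5t so that n-2t good messages clear both thresholds.

```python
import random

def ben_or(inputs, t, seed=0, max_rounds=1000):
    """Simulate the rounds above; ids 0..t-1 are Byzantine (assumption).
    Returns {good proc id: (decided bit, round k)}."""
    n = len(inputs)
    assert n > 5 * t, "simulation assumes n > 5t"
    rng = random.Random(seed)
    good = range(t, n)
    x = {i: inputs[i] for i in good}
    decided = {}

    def deliver(sent):
        # Scheduler picks which n-t senders a receiver hears from;
        # Byzantine senders tell each receiver an independent random bit.
        heard = rng.sample(range(n), n - t)
        return [sent[s] if s >= t else rng.choice((0, 1)) for s in heard]

    for k in range(1, max_rounds + 1):
        # Report step: propose b only if > (n-t)/2 + t reports carry b.
        proposal = {}
        for i in good:
            got = deliver(x)
            proposal[i] = next(
                (b for b in (0, 1) if got.count(b) > (n - t) / 2 + t), "?")
        # Proposal step: decide, adopt, or flip a local coin.
        for i in good:
            got = deliver(proposal)
            b = max((0, 1), key=got.count)
            if got.count(b) > 3 * t:
                x[i] = b
                decided.setdefault(i, (b, k))
            elif got.count(b) > t:
                x[i] = b
            else:
                x[i] = rng.choice((0, 1))
        if len(decided) == len(x):
            break
    return decided
```

With unanimous good inputs every good proc decides in round 1; with mixed inputs the decision rounds of any two good procs differ by at most one, which is point 2) of the argument above.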
12.
Bracha's Algorithm cuts time with private channels and committees (dispersers, samplers, extractors)
All but square root of total committees are good. Good committees of size log n output independent random bits using secret sharing --> Then O(1) time to complete
13 Rabin's Algorithm uses Global Cointoss
Use global cointoss to choose threshold
[Figure: High threshold and Low threshold, with t marked between them]
14 Two directions
- Atomic Broadcast, Full information non-adaptive adversary: Global coin toss and Leader election
- Message passing, Private channels, or Crypto primitives, Bounded adaptive adversary: Byzantine agreement, O(1) expected time, O(n^2) messages
- Feige's O(log n) time, constant Probability of success
15 Feige's method for leader election in the synchronous broadcast model
Each candidate randomly picks a bin; new committee: lightest bin's contents
[Figure: candidates 1-6 placed into bins]
Even if corrupt ones see the choices first, lightest bin will have roughly same fraction of noncorrupt candidates as whole population. Repeat until 1 candidate is left.
16 Our results: A little from each side
- Atomic Broadcast, Full information non-adaptive adversary: Global coin toss and Leader election
- Message passing, Private channels, or Crypto primitives, w/bounded adversary to Byzantine agreement, O(1) expected time, O(n^2) messages
17 Previous results for Byzantine agreement in full information model
- Synchronous full information model: det. time O(n), randomized expected time O(t/log n), t < n/3, weakly dynamic adversary (Chor, Coan 1984)
- Asynchronous full information model: exponential expected time, t < n/3, strong dynamic adversary (Ben-Or, improved by Bracha 1983-4)
18 Our protocol constructs a good sample w.h.p
19 Specific results
- (SODA 2006) King, S, Sanwalani, Vee
- Synchronous SCALABLE (polylog bits per proc) protocol to construct polylog size committee with prob > 1-1/n^c in time polylog n, for t < n/3
- --> Byzantine agreement (w.h.p) in polylog time (previous bound n/log n)
- --> Leader election (w. constant probability) in polylog time
- Both are scalable for almost everywhere (1-1/log n fraction) agreement.
- Related work
- (STOC 2006, FOCS 2006) Byzantine agreement in O(log n) time for t < n/4, t < n/3 -- Ben-Or, Goldwasser, Sudan, Vaikuntanathan
20 More results
- Can be implemented on a sparse network
- (FOCS 2006: King, S, Sanwalani, Vee)
- Adapted to ASYNCHRONOUS model for
- O(log log n) size committee, 1-1/log n prob.
- Polylog time Asynchronous protocols for Byzantine election and leader election in the full information nonadaptive adversary model, for t < n/6.
- (Kempe, Kapron, King, S, Sanwalani)
21 And a lower bound
- Holtby, Kapron, King PODC 06
- Any synchronous protocol which produces agreement with probability at least 1/2 + 1/log n
- with t = cn
- in which each proc sends log n messages and specifies log n messages to receive in each round (defence against flooding -- true of our scalable protocol)
- Leaves out at least > n^(1/3)/r uncorrupted peers from the agreement
- Even if the channels are private.
22 Main idea: reduce eligible candidates then use known protocol at the top
23.
For each level: An averaging sampler ?
Extractor, Disperser, Bracha Committee
Almost all committees have fraction of no more than t/n + 1/ln n of corrupted processors
24 High level view
25 Remainder of talk
- Overcoming the Asynchronous adversary
- Implementing the protocol on a sparse network
26 How to reduce a committee
- Use Feige's lightest bin method to reduce size of committee, designed for synchronous broadcast model
27 Feige's subcommittee election technique
Each candidate randomly picks a bin; subcommittee: lightest bin's contents
[Figure: candidates 1-6 placed into bins]
Even if corrupt ones see the choices first, lightest bin will have roughly same fraction b of noncorrupt candidates as whole population
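The lightest-bin election described here and on the earlier leader-election slide, as an added simulation (not code from the talk). Assumptions: `lightest_bin_round` and `reduce_committee` are hypothetical names, and the corrupt candidates follow one greedy "see the choices first" strategy (stuff the bin that is lightest among the good choices and top up every other bin so it stays lightest), which is not claimed to be optimal.

```python
import random
from collections import Counter

def lightest_bin_round(n_good, n_bad, bins, rng):
    """One round: returns (good, bad) counts in the winning (lightest) bin."""
    # Good candidates pick bins uniformly at random.
    picks = Counter(rng.randrange(bins) for _ in range(n_good))
    loads = [picks[b] for b in range(bins)]
    # Corrupt candidates see those picks and aim at the lightest bin.
    target = min(range(bins), key=lambda b: (loads[b], b))

    def cost(k):
        # Corrupt candidates needed to put k of them in `target` and top up
        # every other bin until it is strictly heavier than `target`.
        level = loads[target] + k
        return k + sum(max(0, level + 1 - loads[b])
                       for b in range(bins) if b != target)

    k = 0
    while cost(k + 1) <= n_bad:
        k += 1
    # Leftover corrupt candidates sit in heavier bins and are eliminated.
    return loads[target], k

def reduce_committee(n_good, n_bad, bins, stop, seed=0):
    """Repeat rounds until at most `stop` candidates remain; returns the
    (good, bad) counts after every round, starting with the population."""
    rng = random.Random(seed)
    history = [(n_good, n_bad)]
    while sum(history[-1]) > stop:
        history.append(lightest_bin_round(*history[-1], bins, rng))
    return history
```

The winning bin can never hold more than a 1/bins share of the candidates, so the corrupt candidates can only pack it up to that size while the good count in it stays near the average good load per bin.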
28 BUT BIG PROBLEMS
29 Problem 1: No broadcast
- In a committee of size k with t corrupt proc, each proc waits to hear bin choices from k-t procs.
- FIX: Use parallel single source Byzantine agreement to agree on each proc's choice.
30 Problem 2: More bad than good
- Processors can't wait to hear from everyone so some bin choices remain unknown ()
- Since different processors hear from different subsets, reduced constant fraction of good processors' choices are known by > 2/3 good procs, rest are
- BAD processors can outnumber good processors known to have chosen bin!
31 Problem 3: Adversary can delay all good processors who choose a particular bin
- --> NO good processors in the lightest bin!
32 FIX to problem 3
- K = number of procs in committee
- Do bin selection k times and with each choice, send out previous choices
- There must be a round j such that the entire set of procs whose choices were known at round j have their choices known for round j+1. (Then these are almost random)
- Use the choices of round j+1 to determine the lightest bin
33 Bin choice table
35 Choosing the lightest bin
36 Fix to Problem 2: Only a small fraction of good procs in bin
- processors in the lightest bin each pick random bits
- string <--> subset of sampler
- Almost all subsets (strings) are good.
37 Putting it together
Each processor has a VIEW of the procs still participating. Large overlap of views for almost all nodes. Wait until enough predecessors are known before starting election.
38 To speed up
- Recurse twice when running Byzantine agreement inside the protocol.
- This reduces the probability of correctness down to 1-1/log n but
- The running time becomes polylog.
39 How to implement virtual network with a fixed sparse network
Procs in the same committee need to find each other
[Figure: labels "hi", "hi"]
40 Overlay Network: election node --> overlay node
41 Overlay Network
- Size of overlay nodes increases with layer: polylog in bottom; top node has all the procs.
- Parent-child connected via a sampler
Mapping of procs to overlay nodes ensures almost all nodes have > 1-b1/log n good procs
42 A single election
43 Problem: DOS Attack
- Corrupt peers can wait until near end of election, see who is about to win and then flood them with messages
- We assume each proc can only process polylog messages, so must handle this type of denial of service attack
44 Solution: Permissible Paths
Proc can only send messages through nodes it has won at. Procs at nodes keep lists of permissible paths.
- Left: Without Permissible Paths, d is overloaded
- Right: With Permissible Paths, d is protected
45 Open Problems
- Is asynch B.A. or coinflipping with an adaptive adv. in the full information model possible in o(2^n) time? sqrt n is best lower bound (Ben-Or)
- Is scalable computing possible for everywhere Byzantine agreement, even in synch., with crypto or private channels? Can procs use received messages which are not expected?
- Improve resilience for asynchronous to n/3
- Improve results for expected time, rather than worst case time.
46 More discussion
- Uses of the good sample (collecting data, policing system (Walfish))
- Efficient constructions for some extractors known (Shaltiel)
- When is the full information model useful?
- Can use weaker sources of randomness (Goldwasser, Vaikuntanathan 05)
- What about the need for entity authentication?
- With weaker source of randomness can have authentication but not privacy (Dodis et al 04). What can be done with only signature schemes?
47 Rabin's with global coin toss
- Low <-- n/2 + t + 1
- High <-- n/2 + 2t + 1
- Repeat
  - Broadcast vote
  - Tally <-- count of majority value
  - Toss coin to pick T = Low or High threshold
  - If tally > T, vote <-- majority value
  - Else vote 0
  - If tally > n-t then decide majority value
49 Rabin's with global coin toss: O(1) expected time
Global coinflip sets threshold
[Figure: "Size of majority" scale with High threshold and Low threshold, t marked between them]