Distributed Computing with Malicious Processors wo Crypto or Private Channels Jared Saia University

1
Distributed Computing with Malicious Processors
w/o Crypto or Private Channels
Jared SaiaUniversity of New Mexico

2
25 Byzantine Agreementin the full information
model
Byzantine Agreement Silver Anniversary
We imagine that several divisions of the
Byzantine army are camped outside an enemy
city, each division commanded by its own
general. The generals can communicate with
one another only by messenger. After observing
the enemy, they must decide upon a common plan
of action. However, some of the generals may be
traitors, trying to prevent the loyal generals
from reaching agreement...
--Lamport, Shostak and Pease, 1982

3
Byzantine Agreement

• Each proc. starts with a bit
• Goal All procs. output the same bit, which must
  match at least one of their initial bits.
• t number of corrupt procs. controlled by
  malicious Adversary
• Resiliency max t

4
Why Hard?

• Note Majority Filtering Fails.

0
0
0
0
VS
1
1
0 ?
1 ?
1
1
0
1
5
Celebrated Impossibility Result

• 1982 Fischer Lynch and Patterson show that one
  fail-stop fault makes (deterministic) agreement
  impossible in the asynchronous model.
• 2007 Nancy Lynch wins the Knuth Prize with this
  result called fundamental in all of computer
  science.

6
1200 Cites Later

• Synchronous, Asynchronous
• Fail-stop, Byzantine, fault detectors
• Private channels, full information
• Adaptive, non-adaptive adversary
• Message passing, shared memory
• Complete, sparse network
• Resiliency, Time and Bit complexity
• Deterministic, Randomized, Quantum
• Byzantine Agreement, Leader Election and Global
  Coin Tossing

7
1200 Cites Later

• Synchronous, Asynchronous
• Fail-stop, Byzantine, fault detectors
• Private channels, full information
• Adaptive, non-adaptive adversary
• Message passing, shared memory
• Complete, sparse network
• Resiliency, Time and Bit complexity
• Deterministic, Randomized, Quantum
• Byzantine Agreement, Leader Election and Global
  Coin Tossing

8
First Results for Asynch with Randomness

• Ben-Ors Algorithm (1983) Full Information
  Model, Exponential Time
• Brachas Algorithm (1985) Private Channels,
  Expected Constant Time,
• Rabins Algorithm (1985) Assumes Global coin toss

9
Ben-Ors Algorithm

• k1 REPEAT until decided.
• Send (xi,R,k) to all procs.
• Wait for messages from n-t procs
• If gt (n-t)/2 t (majority of good) values b
  received, send (b,P,k) to all processors else
  send (?,P,k) to all procs
• Wait for messages from n-t procs
• If gt3t (b,P,k) (gt2t good) received, decide b
• Else if gtt (b,P,k) (1 good) received, set xib
• Else flip coin to pick xi klt-k1.

10
Why this works

• 1) In a given round, only one bit value b can be
  Proposed by any good proc
• Why? Since for a value to be Proposed, a majority
  of good procs must have Reported that value
• 2) If one good proc Decides on the value b, then
  all remaining good procs will set their values to
  b in that round (next slide)
• 3) Eventually all good procs will report the same
  value

11
Why this works
gt 3t

Deciding point
Proposals Received for b
2t
gtt
Setting point
If one proc. decides b --gt gt2t good procs
Proposed b to the other procs--gt gtt Propose b
msgs were received by every proc---gt All procs
set their value to b in this round
12
.
Brachas Algorithm cuts time with private
channels and committees (dispersers,
samplers,extractors)

All but squareroot of total committees are good.
Good committees of size log n output independent
random bits using secret sharing --gt Then O(1)
time to complete

13
Rabins Algorithm uses Global Cointoss
Use global cointoss to choose threshold
High threshold
t
Low threshold
14
Two directions
Atomic Broadcast, Full information non-adaptive
adversary Global coin toss and Leader election
Message passing, Private channels, or Crypto
primitives, Bounded adaptive adversary Byzantine
agreement O(1) expected time, O(n2) messages

Feiges O(logn) time, constant Probability of
success
15
Feiges method for leader election in the
synchronous broadcast modelEach candidate
randomly picks a binnew committeelightest
bins contents
5
6
1
3
4
2
Even if corrupt ones see the choices first
lightest bin will have roughly same fraction of
noncorrupt candidates as whole population. Repeat
until 1 candidate is left.
16
Our results A little from each side
Atomic Broadcast, Full information non-adaptive
adversary Global coin toss and Leader election
Message passing, Private channels, or Crypto
primitives, w/bounded adversary to Byzantine
agreement O(1) expected time, O(n2) messages
17
Previous results for Byzantine agreement in full
information model

• Synchronous full information model, det. Time
  O(n), randomized expected time O(t/log n) , tlt
  n/3, weakly dynamic adversary (Chor, Coan 1984)
• Asynchronous full information model exponential
  expected time, tlt n/3, strong dynamic adversary
  (Ben-Or, improved by Bracha 1983-4)

18
Our protocol constructs a good sample w.h.p











19
Specific results

• (SODA 2006) King, S, Sanwalani, Vee
• Synchronous SCALABLE (polylog bits per proc)
  protocol to construct polylog size committee with
  prob gt1-1/nc in time polylog n, for tlt n/3
• ---gtByzantine agreement (w.h.p) in polylog time
  (previous bound n/log n)
• ---gtLeader election (w. constant probability) in
  polylog time
• Both are scalable for almost everywhere (1-1/log
  n fraction) agreement.
• Related work
• (STOC 2006,FOCS 2006) Byzantine agreement in
  O(log n) time for tltn/4, tltn/3--Ben-Or,Goldwasser,
  Sudan, Vaikuntanathan

20
More results

• Can be implemented on a sparse network
• (FOCS 2006 King,S, Sanwalani, Vee)
• Adapted to ASYNCHRONOUS model for
• O(log log n) size committee, 1-1/logn prob.
• Polylog time Asychnronous protocols for Byzantine
  election and leader election in the full
  information nonadaptive adversary model, for t
  ltn/6.
• (Kempe, Kapron, King, S, Sanwalani)

21
And a lower bound

• Holtby, Kapron, King PODC 06
• Any synchronous protocol which produces agreement
  with probability at least 1/21/log n
• with tcn
• in which each proc sends log n messages and
  specifies log n messages to receive in each round
  (defence against flooding -- true of our scalable
  protocol)
• Leaves out at least gt n1/3/r uncorrupted peers
  from the agreement
• Even if the channels are private.

22
Main ideareduce eligible candidates then use
known protocol at the top
23
.
For each level An averaging sampler ?
ExtractorDisperserBracha Committee

Almost all committees have fraction of no more
than t/n 1/ln n of corrupted processors

24
High level view
25
Remainder of talk

• Overcoming the Asynchronous adversary
• Implementing the protocol on a sparse network

26
How to reduce a committee

• Use Feiges lightest bin method to reduce size of
  committee, designed for synchronous broadcast
  model

27
Feiges subcommittee election techniqueEach
candidate randomly picks a binsubcommitteelight
est bins contents
5
6
1
3
4
2
Even if corrupt ones see the choices first
lightest bin will have roughly same fraction b
of noncorrupt candidates as whole population
28
BUT BIG PROBLEMS
29
Problem 1 No broadcast

• In a committee of size k with t corrupt proc,
  each proc waits to hear bin choices from k-t
  procs.
• FIX Use parallel single source Byzantine
  agreement to agree on each procs choice.

30
Problem 2 More bad than good

• Processors cant wait to hear from everyone so
  some bin choices remain unknown ()
• Since different processors hear from different
  subsets, reduced constant fraction of good
  processors choices are known by gt2/3 good procs,
  rest are
• BAD processors can outnumber good processors
  known to have chosen bin!

31
Problem 3 Adversary can delay all good
processors who choose a particular bin

• ---gt NO good processors in the lightest bin!

32
FIX to problem 3

• Knumber of procs in committee
• Do bin selection k times and with each choice,
  send out previous choices
• There must be a round j such that the entire set
  of procs whose choices were known at round j
  have their choices known for round j1. (Then
  these are almost random)
• Use the choices of round j1 to determine the
  lightest bin

33
Bin choice table
34
(No Transcript)
35
Choosing the lightest bin
36
Fix to Problem 2Only a small fraction of good
procs in bin

• processors in the lightest bin each pick random
  bits
• string lt---gt
• subset of sampler
• Almost all subsets (strings) are good.

• Sampler

37
Putting it together
Each processor has a VIEW of the procs still
participating. Large overlap of views for
almost all nodes Wait until enough predecessors
are known before starting election
38
To speed up

• Recurse twice when running Byzantine agreement
  inside the protocol.
• This reduces the probability of correctness down
  to 1-1/log n but
• The running time becomes polylog.

39
How to implement virtual network with a fixed
sparse network
Procs in the same committee need to find each
other
hi
hi
40
Overlay Networkelection node --gt overlay node
41
Overlay Network

• Size of overlay nodes increases with layer
  polylog in bottom top node has all the procs.
• Parent-child connected via a sampler

Mapping of procs to overlay nodes ensures
almost all nodes have gt1-b1/log n good procs
42
A single election
43
Problem DOS Attack

• Corrupt peers can wait until near end of
  election, see who is about to win and then flood
  them with messages
• We assume each proc can only process polylog
  messages, so must handle this type of denial of
  service attack

44
Solution Permissible Paths
Proc can only send messages through nodes it has
won at. Procs at nodes keep lists of permissible
paths.

• Left Without Permissible Paths d is overloaded
• Right With Permissible Paths d is protected

45
Open Problems

• Is asynch B.A. or coinflipping with an adaptive
  adv. in the full information model possible in
  o(2n) time? sqrt n is best lower bound
  (Ben-Or)
• Is scalable computing possible for everywhere
  Byzantine agreement, even in synch., with crypto
  or private channels? Can procs use received
  messages which are not expected?
• Improve resilience for asynchronous to n/3
• Improve results for expected time, rather than
  worst case time.

46
More discussion

• Uses of the good sample (collecting data,policing
  system (Walfish))
• Efficient constructions for some extractors known
  (Shaltiel)
• When is the full information model useful?
• Can use weaker sources of randomness (Goldwasser,
  Vaikutanathan 05)
• What about the need for entity authentication?
• With weaker source of randomness can have
  authentication but not privacy (Dodis et al 04).
  What can be done with only signature schemes?

47
Rabins with global coin toss

• Low lt-- n/2 t1
• High lt--n/2 2t 1
• Repeat
• Broadcast vote
• Tally lt--count of majority value
• - Toss coin to pick TLow or High threshold
• - If tally gt T, vote lt-majority value
• Else vote 0
• - If tally gt n-t then decide majority value

48
(No Transcript)
49
Rabins with global coin tossO(1) expected time
Global coinflip sets threshold
High threshold
t
Low threshold
Size of majority