Randomized byzantine generals

Rabin, M.

Luis Manuel Román García

Proceedings of Twenty - Fourth IEEE Annual Symposium on Foundations of Computer Science, pp. 403 - 409, 1983.

Definitions & Background

Notation

  • Let                               be processes  and lets assume that every        can communicate with every        via messages

\quad G_i, 1 \leq i\leq n
Gi,1in\quad G_i, 1 \leq i\leq n
G_i
GiG_i
G_j
GjG_j

  • Every       has a message       , called           's initial message and they have to agree on a common value for the message.

G_i
GiG_i
G_i
GiG_i
M_i
MiM_i

Notation

  • To this end, each         executes a program         called the Agreement Protocol.
G_i
GiG_i
P_i
PiP_i

  • As long as a        computes according to        it is called proper. Once a process        deviates from         it is faulty.

G_i
GiG_i
G_i
GiG_i
P_i
PiP_i
P_i
PiP_i

Def 1: Agreement

The processes in a set                           are said to  reach an agreement about the value of the message if each       ,             does stop, and at the end of the execution of their protocols, message(i) = message(j)

\{G_i: i\in P\}
{Gi:iP}\{G_i: i\in P\}
\forall i,j\in P
i,jP\forall i,j\in P
G_i
GiG_i
i\in P
iPi\in P

Def 2: Byzantine Agreement

We say that the proper processes have reached Byzantine Agreement if:

 

  1. All the proper processes reach agreement.
  2. If all proper         have same initial message                      then the proper processes agree on M as the value of the message.
G_i
GiG_i
M_i = M
Mi=MM_i = M

Def 3: Byzantine Agreement Protocol (BAP)

Let n and t < n be integers. A set of protocols       for the processes                         , is a solution for the Byzantine Generals problem for (n, t) if the following holds:

Let S be a system of processes       computing according to      and assume that no more than t processes become faulty. Then, whenever the processes have initial messages, the proper       will reach Byzantine Agreement.

P_i
PiP_i
G_i, 1\leq i \leq n
Gi,1inG_i, 1\leq i \leq n
G_i
GiG_i
P_i
PiP_i
G_i
GiG_i

Def 4: Phase

A phase in the computation of a proper      , is the time interval between     's request for information from k other processes, and receipt of at least k-t replies. The computation time required by      , once the information is received, is also included in the phase.

 

We assume that each process       has a local phase-clock

      , and that       assigns                              at the end of each phase.

G_i
GiG_i
G_i
GiG_i
G_i
GiG_i
G_i
GiG_i
p(i)
p(i)p(i)
P_i
PiP_i
p(i):=p(i) + 1
p(i):=p(i)+1p(i):=p(i) + 1

Authentication

Authentication

One implementation is to have a public directory holding for each participant B  a public key        . When the participant needs to authenticate a message M, he employs a secret key       to compute another message                       .

K_B
KBK_B
D_B
DBD_B
\sigma_B(M)=N
σB(M)=N\sigma_B(M)=N

Authentication

Every user can recover M from N by using

K_B
KBK_B
\sigma_i(M, p(i))=N
σi(M,p(i))=N\sigma_i(M, p(i))=N

To avoid fraudulent message passing, every process      incorporates its current reading        . Therefore sending a message:

p(i)
p(i)p(i)
G_i
GiG_i

Authentication

The public key directory is part of the data in each      and must be incorporated by a non-faulty "dealer" at the creation of the processes

P_i
PiP_i
G_i
GiG_i

Lottery

How to share a secret?

Eleven scientists are working on a secret project. They wish to lock up the documents in a cabinet so that the cabinet can be opened only if more than half (at least six) of the scientists are present. What is the smallest number of locks needed? What is the smallest number of keys to the locks each scientist must carry?

How to share a secret?

It is not hard to see....

456 locks

252 keys per scientist

How to share a secret?

More general problem:

The secret is some data D, our goal is to divide D into pieces                       in such a way that:

  1. knowledge of any k or more      pieces makes D easily computable.
  2. knowledge of any k-1 or fewer      pieces leaves  D completely undetermined.
D_1, ..., D_n
D1,...,DnD_1, ..., D_n
D_i
DiD_i
D_i
DiD_i

How to share a secret?

Idea:

Pick a random polynomial q(x) of degree k-1. in which

q(x)=a_0 + a_1x + ...+a_{k-1}x^{k-1}
q(x)=a0+a1x+...+ak1xk1q(x)=a_0 + a_1x + ...+a_{k-1}x^{k-1}

Evaluate

D_1 = q(1), ...,D_i = q(i), ...,D_n=q(n)
D1=q(1),...,Di=q(i),...,Dn=q(n)D_1 = q(1), ...,D_i = q(i), ...,D_n=q(n)
D=a_0
D=a0D=a_0

Back to lottery

We are going to suppose a dealer that is a non-faulty process D which prepares in advance the programs for the individual      's. The dealer D takes k = t+1 to be the bound on the number of faulty processes.

G_i
GiG_i

It randomly and independently generates a sequence

                 where each                or

S_1,..., S_N
S1,...,SNS_1,..., S_N
S_m = 0
Sm=0S_m = 0
S_m = 1
Sm=1S_m = 1

Back to lottery

Then the dealer computes

E_i^{(m)}=(I_i(s_m),m) \quad 1\leq i\leq n, \quad1\leq m\leq N
Ei(m)=(Ii(sm),m)1in,1mNE_i^{(m)}=(I_i(s_m),m) \quad 1\leq i\leq n, \quad1\leq m\leq N

And sends to every process        the  sequence:

G_i
GiG_i
\sigma_D(E_i^{(1)}),...,\sigma_D(E_i^{(N)})
σD(Ei(1)),...,σD(Ei(N))\sigma_D(E_i^{(1)}),...,\sigma_D(E_i^{(N)})

Back to lottery

When playing lottery(m),       requests from 2t other processes their

G_i
GiG_i
\sigma_D(E_j^{(m)})
σD(Ej(m))\sigma_D(E_j^{(m)})

Algorithms

Procedure BAP; {for     }

G_i
GiG_i
begin
message(i) :=Mi; {Gi's initial message}
For k = I to k = R
 do {k local to Pi}
begin
Polling; {k is a parameter of Polling}
Lottery; {k is a parameter of Lottery}
Decision
end {For}
end; {BAP}

Procedure Polling

begin
  send sigma_i(message(i),k) to all; 
  request the k-th version of message(j) from all;
  collect incoming sigma_j(message(j),k), until n - t values received;
  temp (i)  := that M which occurred most often among the received 
               (message(j) ,k);
  count (i) := |{j : (message (j) ,k) = (temp(i) ,k) }|
end;

Procedure Lottery

begin
ask for E_j_k from all;
send E_i_k to all;
wait until t different values of E_j_k have arrived;
compute s_k from E_i_k and the available E_j_k;
end;

Procedure Decision

begin
  s:=s_k; {s_k is the current secret for G_i}
  if (s = 0 and n/2 <= count(i)) or (s = 1 and n-2t <= count(i)) then
     message(i):=temp(i)
  else
     message(i):="system faulty"
end;

Correctness

Correctness

Let             . All the proper processes will end their execution of BAP. If the system is proper and the initial message of every proper process is M, then at the end of BAP we shall have message(i) = M for all proper      .

t \leq \frac{n}{10}
tn10t \leq \frac{n}{10}
G_i
GiG_i

If the system is faulty then at the end of BAP, with probability at least             all proper processes       will have the same value for message(i).

G_i
GiG_i
1-2^R
12R1-2^R

Correctness

Key observation, if the proper processes enter the k-th iteration of the For statement of BAP in a state where all have the same value V, then they will end that iteration with the value message(i)=V.

Correctness

Key observation, if the proper processes enter the k-th iteration of the For statement of BAP in a state where all have the same value V, then they will end that iteration with the value message(i)=V.

begin
  send sigma_i(message(i),k) to all; 
  request the k-th version of message(j) from all;
  collect incoming sigma_j(message(j),k), until n - t values received;
  temp (i)  := that M which occurred most often among the received 
               (message(j) ,k);
  count (i) := |{j : (message (j) ,k) = (temp(i) ,k) }|
end;

Correctness

In particular, if the system is proper and its initial message is M for all proper processes, then all proper         will have message(i)=M at the end of BAP.

G_i
GiG_i

Correctness

H=\{G_1, ...,G_{n-2t}\}
H={G1,...,Gn2t}H=\{G_1, ...,G_{n-2t}\}

Consider the first proper process        to have finished its k-th iteration of Polling. Let (w.l.o.g)

G_i
GiG_i

Be the set of proper processes of whom       received a response

G_i
GiG_i
\sigma_j(message(j),k)
σj(message(j),k)\sigma_j(message(j),k)

And let         be any proper process.

G_m
GmG_m

Correctness

Suppose now that not all  proper processes in H have the same initial message.

Suppose there exists a V such that for at least n-4t proper processes                   message(j) = V.

G_j\in H
GjHG_j\in H

CASE 1:

Correctness

Hence at the end of it's polling phase,        would have received at least n - 5t messages from               of the form message(j) = V.

 

Therefore:

 

temp(m) = V and

G_m
GmG_m
G_j\in H
GjHG_j\in H
\frac{n}{2}< n - 5t \leq count(m)
n2<n5tcount(m)\frac{n}{2}< n - 5t \leq count(m)

Correctness

With probability        we have that             independently of the condition on H.

 

Therefore:

 

With probability       we have that message(m) = V

 

Since       is an arbitrary proper process, this is true for every proper process. Hence we reach an agreement.

s_k=0
sk=0s_k=0
G_m
GmG_m
\frac{1}{2}
12\frac{1}{2}
\frac{1}{2}
12\frac{1}{2}

Correctness

Suppose

|\{j:G_j\in H, V=\sigma_j(message_j,k)\}| < n-4t
{j:GjH,V=σj(messagej,k)}<n4t|\{j:G_j\in H, V=\sigma_j(message_j,k)\}| < n-4t

CASE 2

There are at least n-3t responses that        receives from H. Therefore at most 2t responses from outside.

G_m
GmG_m

Correctness

CASE 2

Even if all these responses are of the form               , we have that:

count(m) < n-4t + 2t = n - 2t
count(m)<n4t+2t=n2tcount(m) < n-4t + 2t = n - 2t
\sigma_l(V,k)
σl(V,k)\sigma_l(V,k)

If now              then at the end of the k-th invocation message(m)="system faulty"

s_k = 1
sk=1s_k = 1

Correctness

CASE 2

In both cases the probability of not reaching and agreement is of        hence after R independent lotteries, the probability of not reaching an agreement is         . Hence the probability of reaching an agreement after R lotteries is

\frac{1}{2}
12\frac{1}{2}
\frac{1}{2}^R
12R\frac{1}{2}^R
1-\frac{1}{2}^R
112R1-\frac{1}{2}^R

Bounded expected time, error-less solution

Procedure Decisionproof

Key observation:

 

If some process        finds that                                    then necessarily every other proper        will have

                                       . Hence message(j) = temp(j) at the end of Decision.

G_i
GiG_i
\frac{n}{2} < n -4t \leq count(j)
n2<n4tcount(j)\frac{n}{2} < n -4t \leq count(j)
n-2t \leq count(i)
n2tcount(i)n-2t \leq count(i)
G_j
GjG_j

Procedure Decisionproof

begin
s:= s_k_i; 
if(s = 0 and n/2 <= count(i)) or (s = 1 and n-2t <= count(i)) then
message(i):= temp(i)
else
message(i):="system faulty";
if(s = 0 and n-2t <= count(i)) then 
send sigma_i ("agreement reached on V") to all Gj;
k(i) := k(i) + 1  {update the index of the secret to be shared}
end;

Procedure ETBAP

begin
inround(i) := true;
k(i):=1;
message(i) := Mi {the initial message for Gi}
repeat
  begin
    Polling;
    Lottery;
    Decisionproof {increase k(i) by 1 each time}
  end
end;{ETBAP}

Procedure Closefinish

begin
  repeat
    If received new sigma_j("agreement reached on V") {Gi's own
    comunication of this form is included. V may differ for faulty
    Gi}
    then send sigma_j("agreement reached V")
        to all
   until t + 1 communications with the same V are counted;
   message(i):=V;
   inround(i):=false;
end;{Closefinish}

Lemma

Within an expected number of four rounds of iterations of the loop ETBAP, every proper       will send

    ("agreement reached on V") for some V

G_j
GjG_j
\sigma_j
σj\sigma_j

Conclusion

Conclusion

  • This algorithm covers fully the asynchronous case of BGP.

  • The solution as written here requires a total of             messages. This can be readily reduced to

O(n^2)
O(n2)O(n^2)
O(nt)
O(nt)O(nt)

  • Under appropriate assumptions the solution is resilient. Transient failures of processes in agreement round do not affect subsequent rounds.

Thanks

Made with Slides.com