Byzantine Agreement and Multi-Party Computation (MPC)


Aris Tentes

What is Byzantine Agreement/General?

History of the name (Byzantium 1453)

Simulation of broadcasting:

i) P sends a value to n players and they must decide on the same value (B. General)

ii) Every player has a value and all players must decide on the majority (B. Agreement)

t of the players may be dishonest. Therefore we achieve broadcasting iff the following are satisfied:

1. Termination
2. Agreement: all correct players decide on the same value
3. Validity: if P is correct, all correct players decide on his value (B. Generals); if all correct players have the same value, then all correct players decide on this value (B. Agreement)

Conditions:

B. General => B. Agreement: Every player broadcasts his value and then decides on the majority of the values received.

B. Agreement => B. General: Player P sends his value to all players and then all players decide on the same value using a B. Agreement protocol.

Perfect BA

Unconditional BA: A protocol with non zero probability of error

Cryptographic BA: The adversary has a bounded computational power.

Impossibility Proof

Theorem: We cannot have a secure BA if t >= n/3.

Proof: Simple case n=3 and t=1, using contradiction.

Intuitively:

The protocol of BGP89

• Perfect security for t<n/3.
• Bit complexity O(tn^2)
• Round complexity O(t)
• Includes three subprotocols

I) Weak Agreement
II) Graded Agreement
III) King Agreement

Weak Agreement

Goal: If $P_i$ is correct with output $y_i \in \{0,1\}$ then all correct players have output in $\{y_i, \perp\}$.

1) $P_i$ sends $x_i$ to every $P_j$

2) Every $P_i$:

$$y_i = \begin{cases} 0, & \#0 > 2t \\ 1, & \#1 > 2t \\ \perp, & \text{else} \end{cases}$$

Graded Agreement

Goal: If $P_i$ is correct with $y_i \in \{0,1\}$ and $g_i = 1$ then every correct $P_j$ has $y_j = y_i$.

1) Run the WeakAgreement protocol with output $z_i$.

2) $P_i$ sends $z_i$ to every $P_j$.

3) Every $P_i$:

$$y_i = \begin{cases} 0, & \#0 > \#1 \\ 1, & \#1 > \#0 \end{cases} \qquad g_i = \begin{cases} 1, & \text{if } \#y_i > 2t \\ 0, & \text{else} \end{cases}$$

King Agreement

Goal: A player $P_k$ is selected to be the king. If the king is correct then all correct players have the same output.

1) Run the GradedAgreement protocol

2) $P_k$ sends $z_k$ to every $P_j$

3) Every $P_j$:

$$y_j = \begin{cases} z_j, & \text{if } g_j = 1 \\ z_k, & \text{else} \end{cases}$$

Agreement and Broadcast

Termination and Validity: Remain always

Agreement: We run the KingAgreement t+1 times. There is at least one correct king. (B. Agreement)

The general sends his value to all players and then they run the Agreement protocol above. (Broadcast)
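The three subprotocols and the t+1 king rounds above, simulated in Python as an added example (not code from the slides or from BGP89). The function names, the `equivocate` adversary (a faulty sender tells P_j the bit j mod 2) and sending a #0 = #1 tie to 0 are assumptions made here.

```python
from collections import Counter

BOT = None  # the "no value" symbol ⊥

def exchange(vals, faulty, adv):
    """All-to-all round: row j lists what P_j receives from P_0..P_{n-1}."""
    n = len(vals)
    return [[adv(i, j) if i in faulty else vals[i] for i in range(n)]
            for j in range(n)]

def weak(x, t, faulty, adv):
    out = []
    for row in exchange(x, faulty, adv):
        c = Counter(row)
        out.append(0 if c[0] > 2 * t else 1 if c[1] > 2 * t else BOT)
    return out

def graded(x, t, faulty, adv):
    z = weak(x, t, faulty, adv)
    y, g = [], []
    for row in exchange(z, faulty, adv):
        c = Counter(row)
        v = 1 if c[1] > c[0] else 0          # tie goes to 0 (assumption)
        y.append(v)
        g.append(1 if c[v] > 2 * t else 0)   # grade 1 only with > 2t support
    return y, g

def king(x, k, t, faulty, adv):
    z, g = graded(x, t, faulty, adv)
    n = len(x)
    sent = [adv(k, j) if k in faulty else z[k] for j in range(n)]
    return [z[j] if g[j] == 1 else sent[j] for j in range(n)]

def agreement(x, t, faulty, adv):
    """Run KingAgreement with kings P_0..P_t; return the correct players' outputs."""
    for k in range(t + 1):
        x = king(x, k, t, faulty, adv)
    return [x[j] for j in range(len(x)) if j not in faulty]

def equivocate(i, j):
    """Constructed adversary: a faulty sender tells P_j the bit j mod 2."""
    return j % 2

if __name__ == "__main__":
    # Constructed inputs; P_0 is faulty and is also the first king.
    print(agreement([0, 0, 1, 1], 1, {0}, equivocate))  # n=4, t=1: agreement
    print(agreement([0, 1, 1, 1], 1, {0}, equivocate))  # n=4, t=1: validity
    print(agreement([0, 0, 0], 1, {0}, equivocate))     # n=3, t=1: t >= n/3
```

In the last call both correct players start with 0 and still decide 1, so validity fails once t >= n/3, in line with the impossibility theorem.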

Lower bounds

A perfectly secure BA protocol cannot have less than:

1) t+1 rounds
2) O(nt) bit complexity
3) t≥n/3

Open problem: It is not known if a protocol exists satisfying these lower bounds.

Other protocols

It is not known if a protocol with both t+1 rounds and O(n^2) bit complexity exists.

What is Multi Party Computation?

Secure function evaluation:

There are N parties who want to compute a function of their inputs but do not trust each other.

Examples:

1) Dating problem

2) Yao's millionaires' problem.

What is Multi Party Computation?

The obvious solution is that each party gives his input to a trusted party (TP) who does the computation for them.

MPC: An MPC protocol simulates this trusted party.

Three Adversary types

Passive Adversary: The adversary can see the results of $t_p$ parties.

Fail-stop Adversary: The adversary can make $t_f$ parties stop sending messages.

Active Adversary: The adversary has full control of $t_a$ parties and can make them misbehave randomly.

Perfect secure MPC

Unconditional secure MPC: A protocol with non zero probability of error

Cryptographic secure MPC: The adversary has a bounded computational power.

Mixed Model

For the mixed model (passive + active + fail-stop adversary) there exists a perfect secure MPC protocol iff

$$3t_a + 2t_p + t_f < n$$

The protocol of BGW88 (passive model)

Perfect security for t<n/2

Bit complexity O(mn^2) field elements

Round complexity O(d)

Shamir's secret sharing

The dealer P who wants to share a secret s selects a random polynomial of degree t:

$$f_s(x) = s + r_1 x + \dots + r_t x^t$$

and sends to processor $P_i$ his share $s_i = f_s(a_i)$.

Up to t players cannot reveal the secret.

Linear functions

a, b are shared with $f_a$, $f_b$

We define $h(x) = f_a(x) + f_b(x)$

We observe $h(0) = f_a(0) + f_b(0) = a + b$

Hence $c_i = a_i + b_i$ defines the share of $a + b$ of $P_i$

Multiplication (1/2)

a, b are shared with $f_a$, $f_b$

The products $a_i b_i$ are shares of a polynomial of degree 2t ($f_{ab}(x) = f_a(x) f_b(x)$, with $f_{ab}(0) = ab$)

We must reduce the degree of the sharing to t

Multiplication (2/2)

So: Every processor $P_i$ shares his share $a_i b_i$ with a polynomial $h_i(x)$ of degree t with $h_i(0) = f_a(a_i) f_b(a_i) = f_{ab}(a_i)$

Every processor has now the values $h_1(a_i), \dots, h_n(a_i)$

Hence t+1 processors can compute $h_i(0) = f_{ab}(a_i)$, $i = 1, \dots, n$

Finally every processor from above can compute $f_{ab}(0)$
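Shamir sharing, the local addition step and the multiplication step from the slides above, as an added Python example (not code from the slides or from BGW88). It assumes the field of integers mod the prime 2^31 - 1 and evaluation points a_i = i, and it carries out the degree reduction in the standard form where P_j's new share is the Lagrange combination of the values h_1(a_j), ..., h_n(a_j) it holds; all function names are chosen here.

```python
import secrets

P = 2**31 - 1  # prime modulus of the field (assumption: the slides fix no field)

def share(s, t, n):
    """Dealer: f_s(x) = s + r_1 x + ... + r_t x^t; P_i gets f_s(i), i = 1..n."""
    coef = [s % P] + [secrets.randbelow(P) for _ in range(t)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(coef)) % P
            for i in range(1, n + 1)]

def lagrange_at_zero(xs):
    """Coefficients l_i with f(0) = sum_i l_i f(x_i) for every f of degree < len(xs)."""
    lam = []
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        lam.append(num * pow(den, -1, P) % P)
    return lam

def reconstruct(shares, ids):
    """Recover the secret from the shares of the players listed in ids (1-based)."""
    lam = lagrange_at_zero(ids)
    return sum(l * shares[i - 1] for l, i in zip(lam, ids)) % P

def add(a_sh, b_sh):
    """Linear step: c_i = a_i + b_i, computed locally with no communication."""
    return [(a + b) % P for a, b in zip(a_sh, b_sh)]

def multiply(a_sh, b_sh, t):
    """Degree reduction: reshare a_i*b_i with degree t, then recombine."""
    n = len(a_sh)
    if n < 2 * t + 1:
        raise ValueError("need n > 2t to interpolate the degree-2t product")
    h = [share(a * b % P, t, n) for a, b in zip(a_sh, b_sh)]  # h[i][j] = h_i(j+1)
    lam = lagrange_at_zero(list(range(1, n + 1)))
    # P_j's new share is sum_i lam_i * h_i(j), a degree-t sharing of f_ab(0) = ab
    return [sum(lam[i] * h[i][j] for i in range(n)) % P for j in range(n)]

if __name__ == "__main__":
    n, t = 5, 2  # constructed parameters with t < n/2
    a_sh, b_sh = share(12, t, n), share(30, t, n)
    print(reconstruct(add(a_sh, b_sh), [1, 3, 4]))          # any t+1 shares
    print(reconstruct(multiply(a_sh, b_sh, t), [2, 4, 5]))  # any t+1 shares
```

The raw products a_i*b_i also encode ab, but only on a degree-2t polynomial that needs 2t+1 shares to open, which is why the resharing step is required before the next multiplication.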

Active Model generally

Use of Byzantine Generals protocols

Every player is committed to the value he shares

Every player is committed to the value he receives

Known Protocols

| Protocol | Security | Bit complexity (BC) | Round complexity (RC) |
|----------|---------------|---------|------------|
| [Hirt01] | Perfect | O(mn^3) | O(d + n^2) |
| [BGW88] | Perfect | O(mn^6) | O(dn) |
| [CCD88] | Unconditional | O(mn^7) | O(dn^2) |
| [Bea91] | Unconditional | O(mn^6) | O(d) |
