
Expected Constant-Round Protocols for Broadcast
Jonathan Katz
Chiu-Yuen Koo
University of Maryland
Background
- When designing cryptographic protocols, it is often convenient to assume a broadcast channel
- In a point-to-point network, this broadcast will have to be “emulated” by a broadcast sub-routine
- The round complexity of the eventual protocol depends heavily on the round complexity of broadcast!
- Much work has focused on reducing this round complexity…
Byzantine Agreement
- n parties P1, …, Pn, t of whom are malicious; each party has an input vi
- If the inputs of all honest parties initially agree, they should all output this common value
- (No matter what…) all honest parties should output the same value
Broadcast
- n parties P1, …, Pn, t of whom are malicious; one party is the dealer who holds a message M
- If the dealer is honest, all honest parties should output M
- Even if the dealer is dishonest, all honest parties should output the same value
- Essentially equivalent to the problem of Byzantine agreement for t < n/2
Prior Work (t < n/3)
- Broadcast possible in the “plain model” if and only if t < n/3 [PSL80]
- At least (t+1) rounds are necessary for any deterministic protocol [FL82]; a poly-time protocol with this round complexity is known [GM98]
- Randomized protocols can beat the lower bound [R83, BO83]
- [FM97] show an expected O(1)-round protocol
Prior Work (t < n)
- Given a PKI and signatures, authenticated broadcast is possible for t < n [PSL80, DS83]
- The (t+1)-round lower bound still holds
- [FG03] show an expected O(1)-round protocol for t < n/2, using specific number-theoretic assumptions
- Open since [FM97]: existence of an expected O(1)-round protocol for t < n/2 based on signatures only
  - Note: the Feldman-Micali approach does not extend to this case (at least as far as we know)
Our Contributions I
- We show an expected O(1)-round broadcast protocol for t < n/2, assuming only a PKI and digital signatures
  - Along the way, we improve and simplify(?) the Feldman-Micali protocol for t < n/3
  - Proof is entirely self-contained…
- Our approach relies on the new notion of a moderated protocol
  - Has other applications as well (see next talk)
Our Contributions II
- We show how to deal with parallel/sequential composition of randomized protocols for t < n/2 (extending [LLR02, BOEY03])
- Combined with existing results, this gives expected O(1)-round protocols for MPC tolerating t < n/2 malicious players
Protocol Details…
- The cases of t < n/3 and t < n/2 will be developed in parallel
  - The first is in the plain model and gives unconditional security; the second assumes a PKI + signatures (but is otherwise unconditional)
- We always assume pairwise authenticated and private channels, and an adaptive, rushing adversary
Overview
(Diagram) How the building blocks combine:
  constant-round gradecast protocol (in the point-to-point model)
  + constant-round (variant of) VSS protocol (using a broadcast channel)
  --compiler--> constant-round moderated VSS protocol (in the point-to-point model)
  --> constant-round protocol for leader election/coin tossing
  --> expected constant-round protocol for BA
Gradecast [FM97]
- A relaxation of broadcast…
- Dealer holds input M; each honest party Pi outputs a message mi and a grade gi
  - If the dealer is honest, all honest players output (M, 2)
  - If any honest party outputs (mi, 2), then all other honest parties Pj output mj = mi and gj ≥ 1
Theorem
There exist constant-round gradecast protocols (in the point-to-point model) for t < n/3 and t < n/2
(Previously known for t < n/3 [FM97])
For details, see paper…
VSS
- 2-phase protocol (sharing and reconstruction phases); dealer holds input s
  - If the dealer is honest, then the view of the malicious players is independent of s after the first phase, and all honest parties output s in the second phase
  - At the end of the sharing phase, the view of the honest parties defines a value s’ that all honest parties will output in the second phase
Theorem
There exist constant-round VSS protocols for t < n/3 and t < n/2 that use broadcast during the sharing phase only
(Previously known for t < n/3 [GIKR01]; follows by adapting [CDDHR99] for t < n/2)
VSS for t < n/2
1. Dealer chooses F(x,y) of degree t in each variable, with F(0,0) = s. Let a_{i,j} = b_{i,j} = F(i,j). Dealer sends to Pi the values a_{1,i}, …, a_{n,i} and b_{i,1}, …, b_{i,n} (signed).
2. If insufficient signatures are received, Pi broadcasts a complaint. If the values are inconsistent, Pi broadcasts the inconsistent values and their signatures (and the dealer is disqualified)
3. The dealer broadcasts the values (signed) for any party Pi who broadcast a complaint; Pi uses these values in the rest of the protocol
(Every party now has consistent vectors with correct dealer signatures)
VSS for t < n/2 continued…
1. Pi signs a_{j,i} and sends it to Pj
2. If a_{i,j} is not equal to b_{i,j} (or no signature was received), Pi broadcasts b_{i,j} with the dealer’s signature
3. If any party broadcast a value b_{i,j} different from a_{i,j}, then Pj broadcasts a_{i,j} with the dealer’s signature. If the dealer’s signature on two different values is broadcast, the dealer is disqualified
VSS for t < n/2, continued
1. Reconstruction: Pi sends b_{i,j} for all j (along with the signature of Pj) to all other parties. (Note: if no valid signature was obtained, Pi has already broadcast b_{i,j})
2. If Pj sent any incorrect signatures, or b_j = (b_{j,1}, …, b_{j,n}) is inconsistent, disqualify Pj.
3. For each non-disqualified Pj, interpolate b_j to get f_j(y). Next, interpolate {f_j(y)} to get F(x,y). Output F(0,0).
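The sharing-phase steps and the reconstruction steps above are one procedure; the following is an added example for this page, not code from the paper, that runs that procedure over a prime field. Party signatures are stood in for by a vouch table mapping (signer i, row owner k) to the value Pi signed for Pk, so a real implementation would replace the table lookup with signature verification; the dealer's own signatures, complaints and the broadcast fallback of step 2 are left out because the dealer in the demonstration is honest. The field prime, the parameters n = 7 and t = 3, the secret 42 and the two cheating rows are constructed for the example.

```python
"""Bivariate-polynomial VSS for t < n/2: share, cross-check, reconstruct.

Added example (not the paper's code).  Party signatures are modelled by a
'vouch' table (signer i, row owner k) -> the value P_i signed for P_k; a real
implementation verifies digital signatures instead.  The dealer's own
signatures, complaints and the broadcast fallback are omitted: the dealer in
run_demo is honest.  Parameters and the cheating rows are constructed.
"""
import random
from typing import Dict, List, Set, Tuple

P = (1 << 61) - 1                  # prime field; party indices 1..n must be < P
Point = Tuple[int, int]

def poly_eval(coeffs: List[int], x: int) -> int:
    """Horner evaluation of sum_k coeffs[k] * x^k (mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def bivariate_eval(C: List[List[int]], x: int, y: int) -> int:
    """F(x, y) = sum_{a,b} C[a][b] x^a y^b; C is (t+1) x (t+1)."""
    return poly_eval([poly_eval([row[b] for row in C], x) for b in range(len(C))], y)

def lagrange_eval(points: List[Point], x: int) -> int:
    """Value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def consistent(points: List[Point], t: int) -> bool:
    """True iff all points lie on a single polynomial of degree <= t."""
    base = points[: t + 1]
    return all(lagrange_eval(base, x) == y for x, y in points[t + 1:])

def deal(s: int, n: int, t: int, rng: random.Random):
    """Dealer picks F with F(0,0) = s.  rows[i][j-1] = b_{i,j} = F(i,j) is P_i's row,
    cols[i][j-1] = a_{j,i} = F(j,i) is P_i's column."""
    C = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    C[0][0] = s % P
    rows = {i: [bivariate_eval(C, i, j) for j in range(1, n + 1)] for i in range(1, n + 1)}
    cols = {i: [bivariate_eval(C, j, i) for j in range(1, n + 1)] for i in range(1, n + 1)}
    return rows, cols

def cross_check(rows, cols, n: int) -> List[Tuple[int, int]]:
    """Sharing phase: P_i sends a_{j,i} to P_j, who compares it with its own b_{j,i}.
    Returns the (j, i) pairs P_j would complain about."""
    return [(j, i) for i in range(1, n + 1) for j in range(1, n + 1)
            if cols[i][j - 1] != rows[j][i - 1]]

def reconstruct(claimed: Dict[int, List[int]], vouch: Dict[Tuple[int, int], int],
                n: int, t: int) -> Tuple[int, Set[int]]:
    """Reconstruction: P_k's published row is accepted only if every P_i signed b_{k,i}
    and the row is a degree-t polynomial; f_k(0) = F(k,0) over accepted rows gives F(0,0)."""
    accepted, disqualified = [], set()
    for k, row in claimed.items():
        pts = [(j, row[j - 1]) for j in range(1, n + 1)]
        if any(vouch.get((i, k)) != row[i - 1] for i in range(1, n + 1)) or not consistent(pts, t):
            disqualified.add(k)
            continue
        accepted.append((k, lagrange_eval(pts, 0)))
    if len(accepted) < t + 1:
        raise ValueError("fewer than t+1 valid rows; the sharing phase should have prevented this")
    return lagrange_eval(accepted, 0), disqualified

def run_demo(seed: int = 7, s: int = 42) -> Tuple[int, Set[int]]:
    """Honest dealer, n = 7, t = 3; P5..P7 are malicious and P6, P7 cheat at reconstruction."""
    n, t = 7, 3
    rng = random.Random(seed)
    rows, cols = deal(s, n, t, rng)
    assert cross_check(rows, cols, n) == []            # honest dealer: nobody complains
    # During the sharing phase P_i signed a_{k,i} = F(k,i) for every k.
    vouch = {(i, k): cols[i][k - 1] for i in range(1, n + 1) for k in range(1, n + 1)}
    claimed = {k: list(rows[k]) for k in range(1, n + 1)}
    malicious = {5, 6, 7}
    # P7 publishes a fresh degree-t row r(y) != F(7,y): its colluders sign it, but the
    # honest P_i signed F(7,i), so at least one entry carries no valid signature.
    r = [rng.randrange(P) for _ in range(t + 1)]
    claimed[7] = [poly_eval(r, j) for j in range(1, n + 1)]
    # P6 keeps the honestly signed entries and alters only the colluder-signed ones:
    # every entry is "signed", but the row is no longer a degree-t polynomial.
    for i in malicious:
        claimed[6][i - 1] = (claimed[6][i - 1] + 1) % P
        for k in (6, 7):
            vouch[(i, k)] = claimed[k][i - 1]
    return reconstruct(claimed, vouch, n, t)

if __name__ == "__main__":
    print(run_demo())   # (42, {6, 7})
```

P7's row fails the signature check because the honest parties only ever signed F(7,i), and P6's row passes that check but fails the degree check; the five remaining rows interpolate to F(0,0). The two rejections are exactly the two conditions in reconstruction step 2, and the reason a cheating row cannot pass both is the argument of the proof sketch: a degree-t row that agrees with the t+1 or more honestly signed positions is already F(k,y).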
Proof (sketch)
- If the dealer is honest, the information the malicious parties have about s is exactly {F(i,y), F(x,i)} for the malicious Pi
  - Since there are at most t malicious players, and the degree of F is t in each variable, no information about s is leaked
- Say the dealer, Pi and Pj are honest. Then Pi recovers f_j(y) = F(j,y). For any malicious Pk (who is not disqualified by Pi), b_{k,j} was “validated” by Pj and so b_{k,j} = F(k,j). Since this holds for the t+1 (or more) honest players Pj, Pi recovers f_k(y) = F(k,y). Interpolating these thus yields F(x,y).
Proof (sketch)
- For the case of a dishonest dealer, take the values (b_{i,1}, …, b_{i,n}) of an honest Pi at the end of the sharing phase. These are consistent; let f_i(y) be the corresponding polynomial
- Since we have t+1 honest players, we can interpolate the {f_i(y)} to obtain F(x,y)
- Claim: F(0,0) will be the value output in the reconstruction phase
  - Argument is similar to before…
Moderated VSS
- 2-phase protocol; dealer holds input s; there is also a distinguished moderator
- Each party Pi outputs a bit fi at the end of the sharing phase
  - If the moderator is honest, then fi = 1 for all honest parties
  - If there exists an honest player with fi = 1, then the protocol achieves VSS
Key Result
- There exist constant-round protocols for moderated VSS (in the point-to-point model) for t < n/3 and t < n/2
- Proof: We construct such a protocol by compiling any VSS protocol (using broadcast in the sharing phase only) with gradecast…
Compiler
- Given VSS protocol Π; construct Π’ as follows:
  - Parties begin with fi = 1
  - Whenever a party P is supposed to broadcast a message m (as part of Π):
     P gradecasts m
     The moderator gradecasts the result
     Let (m, g) and (m’, g’) be the outputs of some player. Use m’ as the message broadcast by P (in the execution of Π)
     Set f = 0 if (g’ ≠ 2) or (m ≠ m’ and g = 2)
Proof…
- If the moderator is honest, then g’ = 2. Also, if g = 2 then all parties output the same message in the gradecast by P, so m’ = m.
  - So, honest parties output f = 1 if the moderator is honest
- If any honest party outputs f = 1, then (1) g’ = 2 always, and so honest parties use the same message within Π; furthermore, (2) if P is honest (so g = 2) then m’ = m.
  - So, the functionality of broadcast was achieved whenever needed throughout Π
  - Hence, Π’ achieves VSS
Oblivious Leader Election (OLE) with Fairness δ
- With probability ≥ δ, the following holds (i.e., an honest leader is elected): there exists an index j such that (1) each honest party outputs j, and (2) Pj is honest
- Theorem: There exist constant-round protocols for OLE with fairness 1/2, for t < n/3 and t < n/2
Constructing OLE
- Assume moderated VSS…
- Pi begins with t_{i,j} = 1 for all j (“Pi trusts Pj”)
- For all i, j, party Pi chooses a random 1 ≤ c_{i,j} ≤ n^3 and then runs mVSS using this value and Pj as moderator
  - If Pk outputs f = 0 here, it sets t_{k,j} = 0
- Reconstruct the above. Pk sets c_j = Σ_i c_{i,j} mod n^3.
- Pk outputs the j with t_{k,j} = 1 that minimizes c_j
Proof…
- Define T = {j : there exists an honest Pi with t_{i,j} = 1}
  - If Pi is honest, then i ∈ T.
- If j ∈ T, then all honest parties agree on c_j. Furthermore, c_j is uniform (mod n^3), since c_{i,j} is uniform for honest Pi and is hidden until reconstruction. With high probability, all such c_j are unique.
- So, with probability at least (t+1)/|T| ≥ ½, the minimum c_j over T is attained at an honest j. Every honest Pk trusts that j (honest moderator) and only considers indices in T, so all honest parties output the same honest j: an honest leader is elected
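A simulation of the OLE construction and of the fairness argument on the two slides above, added here as an example and not taken from the paper. Moderated VSS is not implemented; the example keeps only its guarantee, that whenever some honest party trusts moderator Pj all honest parties reconstruct the same c_{i,j}, and so works directly with the trust bits t_{k,j} and the contributions c_{i,j}. The adversary strategy (which malicious moderators are trusted by whom, and the adversary's fixed contributions), n = 7, t = 3, the trial count and the tie-break by index are constructed assumptions; the reported bound is (number of honest parties)/|T|, which is at least the slide's (t+1)/|T|.

```python
"""Oblivious leader election (OLE) from moderated VSS, simulated.

Added example, not the paper's code.  mVSS is abstracted away: for a moderator
P_j trusted by at least one honest party, all honest parties reconstruct the
same c_{i,j}, so only the trust bits t_{k,j} and the contributions are modelled.
The adversary strategy, n, t and the trial count are constructed.
"""
import random
from typing import Dict, List, Tuple

def elect(n: int, honest: List[int], trust: Dict[int, Dict[int, int]],
          contrib: Dict[Tuple[int, int], int], modulus: int) -> Dict[int, int]:
    """One OLE execution after the mVSS reconstructions.

    trust[k][j]   = t_{k,j}: 1 if P_k trusts P_j as moderator (mVSS output f = 1)
    contrib[i, j] = c_{i,j}: the value P_i shared with moderator P_j
    Returns, for each honest P_k, the index j with t_{k,j} = 1 minimising c_j."""
    c = {j: sum(contrib[(i, j)] for i in range(1, n + 1)) % modulus for j in range(1, n + 1)}
    out = {}
    for k in honest:
        trusted = [j for j in range(1, n + 1) if trust[k][j] == 1]
        out[k] = min(trusted, key=lambda j: (c[j], j))   # index breaks the (rare) ties
    return out

def simulate(n: int, t: int, trials: int, seed: int) -> Dict[str, float]:
    """Run `trials` elections against a fixed adversary strategy and tabulate outcomes."""
    rng = random.Random(seed)
    modulus = n ** 3
    malicious = set(range(n - t + 1, n + 1))
    honest = [i for i in range(1, n + 1) if i not in malicious]
    # Constructed adversary: as moderator, P_{n-t+1} behaves (trusted by all honest parties),
    # P_{n-t+2} makes mVSS fail for every honest party except the first one, and the other
    # malicious moderators make it fail for everybody (so they are not in T).
    trust = {k: {j: 1 for j in range(1, n + 1)} for k in honest}
    for k in honest:
        for j in malicious:
            if j == n - t + 1:
                continue
            trust[k][j] = 1 if (j == n - t + 2 and k == honest[0]) else 0
    T = {j for j in range(1, n + 1) if any(trust[k][j] for k in honest)}
    counts = {"honest_leader": 0, "malicious_leader": 0, "disagree": 0}
    for _ in range(trials):
        # Honest dealers pick c_{i,j} uniformly and VSS hides them until reconstruction,
        # so the adversary's own contributions (fixed to 1 here) cannot bias the sums.
        contrib = {(i, j): (rng.randrange(1, modulus + 1) if i not in malicious else 1)
                   for i in range(1, n + 1) for j in range(1, n + 1)}
        leaders = set(elect(n, honest, trust, contrib, modulus).values())
        if len(leaders) > 1:
            counts["disagree"] += 1            # a malicious moderator won but not everyone trusts it
        elif leaders.pop() in malicious:
            counts["malicious_leader"] += 1
        else:
            counts["honest_leader"] += 1
    return {
        "p_honest_leader": counts["honest_leader"] / trials,
        "p_malicious_leader": counts["malicious_leader"] / trials,
        "p_disagree": counts["disagree"] / trials,
        "bound": len(honest) / len(T),         # the slide's (#honest)/|T| >= (t+1)/|T| >= 1/2
    }

if __name__ == "__main__":
    print(simulate(7, 3, 3000, 1))
```

With this strategy |T| = 6, so an honest leader is elected in about two thirds of the runs; the remaining runs split between a malicious but agreed leader (P5 has the minimum) and disagreement (P6 has the minimum and only P1 trusts it), which is why the BA loop that follows only makes progress once an honest leader is elected.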
From Leader Election to BA
(Flowchart) Loop:
  Has agreement been reached?
    Yes → Exit
    No / Maybe → Run a leader election protocol. Each party sends the message it holds to all parties. Each party sets its input to the message sent by the leader. Return to the top.
Proof (ideas)
- If parties hold the same inputs, they do not change their inputs and will terminate the protocol by the end of the next iteration
- No (honest) party terminates until agreement has been reached
- Once an honest leader is elected, agreement will be reached in the following iteration
- Since an honest leader is elected with constant probability, termination occurs in expected O(1) rounds
Final Result
- There exist expected O(1)-round protocols for broadcast for t < n/3 and t < n/2
- Applying some optimizations, we obtain protocols with the following (expected) round complexities:
  - t < n/3: 24 rounds
  - t < n/2: 56 rounds
Composition
Parallel composition
- In general, parallel composition of n protocols with expected O(1)-round complexity does not yield an expected O(1)-round protocol (the expected maximum of n independent running times grows with n)
- For our particular protocols, known techniques give parallel composition without increasing the expected number of rounds
  - Run OLE once for all parallel executions…
Sequential composition
- A different problem may be caused by non-simultaneous termination
  - Parties terminate one iteration in different rounds, and thus start the next iteration in different rounds
  - This is inherent for sublinear-round BA protocols
- Existing methods for dealing with this are complex [LLR02] or apply only to t < n/3 [BOEY03]
Sequential composition
- Protocol Π has staggering gap g if honest parties terminate within g rounds of each other
- Theorem: Let Π be a b’cast protocol. Then there is a b’cast protocol Π’ such that:
  - It is secure as long as all parties start within 1 round of each other
  - Its staggering gap is 1
  - rc(Π’) = 3·rc(Π) + 1
Sequential composition
- To sequentially compose Π1, …, Πk, run Π’1, …, Π’k instead
  - Each Π’i has staggering gap 1
  - Each Π’i+1 is secure as long as parties start within 1 round of each other
- k sequential executions of a protocol with round complexity r require ≈ 3kr rounds
Recent results (with J. Garay and R. Ostrovsky)
Broadcast for t < n?
- Our results apply only for t < n/2
  - We use VSS, which is possible only for t < n/2
- What about for t < n?
  - Known: deterministic protocols with round complexity t+1; matching lower bound
Negative result
- Theorem: Any broadcast protocol tolerating t malicious parties must have expected round complexity Ω(n/(n-t))
  - In particular, tolerating the optimal threshold t = n-1 is not possible in sub-linear rounds
Positive result
- First consider the case t = n/2:
  1. Dealer gradecasts M and then exits
  2. Remaining parties run as follows:
     1. If (M’, g ≤ 1) was received, run (n/2)-resilient BA with M’ as input and output the result
     2. If (M’, 2) was received, run (n/2)-resilient BA with M’ as input for K rounds; output M’
Analysis
- If the dealer is honest, then all honest players enter the BA protocol with the same input
  - In this case, the protocol terminates in a fixed constant number of rounds
- If the dealer is dishonest:
  - If g = 2 for some honest player, then all honest players enter BA with the same input (and output the same value within K rounds)
  - Otherwise, all honest players run BA to completion, with an honest majority!
General case
- Theorem: Let c = t – (n-t) = 2t-n. Then there is a broadcast protocol with resilience t and expected round complexity O(c)
  - In particular, for t = n/2 + o(n) we get a protocol with sub-linear round complexity
Summary
- We have shown an expected O(1)-round broadcast protocol for t < n/2
  - First based on general (minimal) assumptions
- We also improve/simplify [FM97] for t < n/3
- Sequential composition for t < n/2
- Open questions
  - Sublinear-round broadcast for t < n?
  - Lower bounds on round complexity?