randomized algorithms for reliable broadcast
DESCRIPTION
Randomized Algorithms for Reliable Broadcast. Vinod Vaikuntanathan. (IBM T.J. Watson). Michael Ben-Or. Shafi Goldwasser. Elan Pavlov. P 1. P 3. S. P 2. P 4. Reliable Broadcast Channel. The Internet. m. P 1. Physical Device. Sender. P 2. S. Guarantee: - PowerPoint PPT PresentationTRANSCRIPT
Randomized Algorithmsfor Reliable Broadcast
(IBM T.J. Watson)Vinod Vaikuntanathan
Michael Ben-Or
Shafi Goldwasser
Elan Pavlov
Reliable Broadcast Channel
S
Useful: Multiparty protocols
Unavailable:
P1
P2
P3
P4
• Guarantee: “All players receive the same message”
m
Sender
[BL’85, GMW’87, BGW’88, RB’89, GGL’91, RZ’98, F’99, GVZ’01]
• Physical Device
P3P1
P2 P4
SPoint-to-point Networks
The Internet
S
x
y
Reliable Broadcast Channel
S
Useful: Multiparty protocols
Unavailable:
P1
P2
P3
P4
• Guarantee: “All players receive the same message”
m
Sender
[BL’85, GMW’87, BGW’88, RB’89, GGL’91, RZ’98, F’99, GVZ’01]
• Physical Device
Point-to-point Networks
Wireless/Radio Networks
m
mm
S
P Q??
M
“Simulate a reliable broadcast channel over traditional networks”
S
P1
P2
P3
P4
m
Sender
P3P1
P2 P4
S
≡IN THIS WORK: Point-to-point network
[PSL’80]
Reliable Broadcast Problem
Reliable Broadcast Problem
Validity (completeness):
Agreement (soundness):
If S is honest, all players receive m.
All players receive the same message
(even if S is dishonest)
S
P1
P2
P3
P4
m
Sender
P3P1
P2 P4
S
≡
[PSL’80]
Reliable Broadcast =
Byzantine Agreement
The Model
The Network• Completely connected
• Reliable and authenticated links
P3S
P2 P4• Synchronous (“rounds”)
The Adversary• Corrupts t players (t = constant fraction of n)• Computationally unbounded
• Full-information
P3
Previous Work
DETERMINISTIC:
Best Known: t+1 roundsBest Possible: t+1 rounds
Best Known: Expected O(t/log n) rounds
+ Private Channels: O(1) rounds
[PSL’80, DFFLS’82, DRS’86, BDDS’87, BGP’89, CW’90, BG’91, GM’93]
[PSL’80, GM’93]
[FL’82]
RANDOMIZED (probabilistic termination):
[CC’85]
[B’83, R’83, CC’85, DSS’86]
[FM’88]
Why Private Channels?
“Is privacy necessary for reliability”?
P3P1
P2 P4
• Leaks Nothing
• Perfectly private physical devices
• the message sent
• Implemented using “strong encryption”
[FM’88]
Our Results
Theorem: There exists a reliable broadcast protocol in the full-information model:
Remarks:
• tolerates t < (1/3-ε)n faults (for any ε>0).
• runs in O(log n/ε2) rounds, in expectation.
• Near-best fault-tolerance
[PSL’80, KY’86]
• Near-best communication complexity n2·logO(1)
(n)
Optimal: t < n/3
[KKKSS’08]Best known: O(n2)
Classical Approach [B’83,R’83]
δ-Leader Election:
Collectively elect a player P such that Pr[P is honest] ≥ δ
Lemma [B’83, R’83]: Reduction from reliable broadcast protocol to leader election
• δ-leader election• r rounds• fault-tolerance t
• Reliable broadcast • expected O(r/δ) rounds• fault-tolerance t
Our Approach
(c,δ)-Committee Election:
Collectively elect a set of players S such that
Lemma: Reduction from reliable broadcast protocol to committee election
• (c,δ)-committee election• r rounds• fault-tolerance t
• Reliable broadcast • expected O((r+c)/δ) rounds• fault-tolerance t
• S has at most c players• Pr[S has at least one honest player] ≥δ
Lemma [Russell and Zuckerman’01]: Committee-election protocol among n players with (1-ε)n faults
Our Work: Committee-election protocol without built-in reliable broadcast!
• runs in 1 round!
• elects a committee of size O(log n/ε2)
RZ Committee-Election
(assuming built-in reliable broadcast channels!)
RZ Committee-Election
IDEA: “Election by Elimination”
NOT BUT
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P9
P5
P6
C4
P8
P4
P2
P1
0
Cm
P7
…
(a) m = poly(n) committees(b) each committee is “small”
(c) number of bad committees is “very very small”
P7P6P5 P5
P6
P7
C3 C4
RZ Committee-Election
Step 1:
Fix a collection of prospective committees such that:
(a) m = n2+1 committees(b) each committee has O(log n) players
(c) number of bad committees is at most 3n
Lemma: There is a collection of committees s.t.
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P9
P5
P6
C4
P8
P4
P2
P1
0
Cm
P7
…
Proof: Probabilistic method (existential), or
Extractors (explicit) [TZS’01]
Step 1:
Fix a collection of prospective committees such that:
RZ Committee-Election
Step 1:
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P9
P5
P6
C4
P8
P4
P2
P1
0
Cm
P7
…
Step 2:
Vote out n committees “at random”
Fix a collection of prospective committees
P1 P2 Pn…
n
Step 3:
Output (any) committee that is not voted out.
RZ Committee-Election
Broadcast the identity of these committees
Step 1:
Fix a collection of prospective committees
(a) Each bad committee is voted out by a good player
Lemma [RZ’01]: With probability 1-1/n (over the coin-tosses of the honest players),
“Intuition:” The number of bad committees is “very very small”(b) At least one committee is not voted out
Proof: Total number of committees voted out ≤ n·n < n2+1 = m
RZ Committee-Election
Step 2:
Step 3:
Output (any) committee that is not voted out.
Vote out n committees “at random”Broadcast the identity of these committees
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player P’s View
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player Q’s View
BAD NEWS: No Agreement!
GOOD NEWS:
Pf: (Each bad committee voted out by a good player)
Both P and Q eliminate all bad committees.
RZ with no broadcast?
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player P’s View
AN OLD IDEA
“Limit cheating”
“Detect disagreement”
“Self-destruct”
[FM’88]
Our Solution
TWO NEW IDEAS
Use graded broadcast
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player Q’s View
Graded Broadcast
Motivating Example: Radio Networks
[FM’88]
m
mm
S
P Q??
Limit Cheating: P and Q do not get different messages
Graded Broadcast
Motivating Example: Radio Networks
[FM’88]
m
m
S
P Q??
Graded Broadcast: Each player P gets a pair (m, grade)grade=2:
“P accepts m, and knows that everyone else has seen m”grade=
1:“P sees m, and knows that noone else sees m’ ≠ m”grade=
0:
“P sees nothing”
Graded Broadcast
Motivating Example: Radio Networks
[FM’88]
m
m
S
P Q??
Graded Broadcast: Each player P gets a pair (m, grade)• Completeness: If S is honest, everyone gets (m,2)• Soundness:(a) If an honest player P gets (m,2), everyone gets (m,≥1)(b) If P gets (m,≥1) and Q gets (m’,≥1), m=m’
Graded Broadcast
Motivating Example: Radio Networks
[FM’88]
Lemma [FM’88]: Deterministic graded broadcast among n players• tolerating t < n/3 faults.
• runs in 3 rounds
m
m
S
P Q??
Our Committee-Election Protocol
grade=2
grade ≥ 1
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player P
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player Q
Step 1:
Fix a collection of prospective committeesStep
2:Vote out n committees “at random”Graded-broadcast the identity of these committeesStep
3:Each committee runs disagreement detection
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player P
Our Committee-Election Protocol
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player Q
Step 1:
Fix a collection of prospective committeesStep
2:Vote out n committees “at random”Graded-broadcast the identity of these committees
C1-Disagreement Detection and Self-Destruct:Participants: All players in C1
Goal: Decide if the honest players disagree about C1
Our Committee-Election Protocol
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player P
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player Q
Step 1:
Fix a collection of prospective committees
Step 2:
Vote out n committees “at random”Graded-broadcast the identity of these committees
(1) Local detection: If a player in C1 sees C1 voted out with grade ≥ 1, set C1-self-destruct = true
C1-Disagreement Detection and Self-Destruct:
(2) Consensus in C1: Agree on the majority decision about C1-self-destruct• Each player reliable-broadcasts C1-self-destruct to all players in C1• Each player computes majority of received values.
(3) Self-destruct: If majority decide to self-destruct, send “C1-self-destruct” msg to all players in the network
Our Committee-Election Protocol
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player P
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player Q
Step 1:
Fix a collection of prospective committeesStep
2:Vote out n committees “at random”Graded-broadcast the identity of these committeesStep
3:Each committee runs disagreement detectionStep
4:Eliminate C if (a) C is voted out with grade = 2 OR (b) C self-destructs
Our Committee-Election Protocol
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player P
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player Q
Step 1:
Fix a collection of prospective committeesStep
2:Vote out n committees “at random”Graded-broadcast the identity of these committeesStep
3:Each committee runs disagreement detectionStep
4:Eliminate C if (a) C is voted out with grade ≥ 2 OR (b) C self-destructs
The RZ ProtocolStep 1:Step 2:
Each player graded broadcasts n random committees
Fix a collection of prospective committees
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player P
P1
P2
P4
C1
P10
P1
P3
P5
C2
P8
P6
P3
P7
C3
P9
P1
Honest Player Q
Step 3:
Correct potential disagreement.Step
4:Eliminate Ci if Ci
• Ci is bad: All players see Ci
Agreement (“win-win” argument)
• Ci is good: Say an honest player P sets Ci • Because Ci self-destructed: All other
honest players get the self-destruct notification• Because P sees Ci after graded broadcast: All honest players in Ci decide to self-destruct Ci
Extensions and Open Questions
Fault-tolerance ≈ 1/3 (optimal)
TODAY:
THESIS:
With PKI and one-way functions, fault-tolerance ≈ 1/2
Complete NetworkTODAY:
THESIS:
Simulate complete network over an incomplete network (overhead ≈ diameter)
OPEN: Asynchronous Networks [FLP’85]
Best known: quasi-polynomial rounds [KKKSS’08]
Thank you!