The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement

The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement

Allison Lewko

The University of Texas at Austin

Byzantine Agreement• n parties• each has an input bit• t corrupt parties

Goal: agree on a bit equal to input of some ``good” party

0 0 0 0 0

1

Byzantine Agreement• Simple problem, worst case adversary

HistoryImpossibility Constraints:

• >= 1/3 corrupted processors• deterministic algorithm, 1 crash failure [FLP]

Algorithms:

• termination with prob =1• adaptive adversary• exponential expected running time

[Ben-Or, Bracha]

[KKKSS]• termination/correctness with prob 1 – o(1)• non-adaptive adversary• polylogarithmic running time

Landscape of possible algorithms?

[Ben-Or, Bracha]

[KKKSS]

???

LLas Vegas polytime algorithm?

LAdaptive adversary polytime algorithm?

Our Result

𝐸𝑥𝑝𝑜𝑛𝑒𝑛𝑡𝑖𝑎𝑙 𝑇𝑖𝑚

𝑒[Ben-Or, Bracha]

Simple Algorithm Recipe

One Round:

bit b

broadcast b

validate set of responses = S

Compute b’ = N(S)b’

Repeat

Randomized function

Ben-Or, Bracha AlgorithmsS = Set of bits

• overwhelming majority

• strong majority

• mixed

Decide

Fix b’ to majority

Define b’ randomly

N = b

Why Exponential Time?

Decide 0 Fix 0 Random Decide 1Fix 1

S: mostly 0 . . . . . . . . mixed . . . . . . . . . mostly 1

N := number of processorsN := number of participantsT = eg= t

𝑛 :𝑛𝑢𝑚𝑏𝑒𝑟 𝑜𝑓 𝑝𝑟𝑜𝑐𝑒𝑠𝑠𝑜𝑟𝑠𝑡=Ω (𝑛) :𝑛𝑢𝑚𝑏𝑒𝑟 𝑜𝑓 𝑐𝑜𝑟𝑟𝑢𝑝𝑡𝑖𝑜𝑛𝑠

± O(

Exponential Loop!

Generalizing the Algorithm Recipe

t = gg= tx = yg= x

Round i:

bit b

broadcast b

validate set of responses = S

Compute b’ = N(S)

Randomized function

value v

broadcast v

i

S1 , S2 , …, Si

Compute v’ = N(S1, S2, … ,Si )

Randomized function with constant size range

Key Restrictions

• S1, . . . , Si are considered as sets

• N(S1 , . . . , Si) chooses randomly from a constant number of possible values

- messages divorced from senders

- values themselves can vary

How to Prove Exponential Time?Classic strategy:

Executiondeciding 0

Executiondeciding 1Indistinguishable

to some uncorruptedprocessor

Chain of executions, each execution of exponential length

Not deciding!

Challenge for Randomized Algorithms

Any single execution may be unlikely

Takes a class of executions to add up to constant probability

Execution ClassesDivide processors into groups

S

S

SClass defined by sets pergroup per round

Source of Adversary’s ControlSuppose Ω(n) processors receive the same sets:

S1, S2, . . . , Si S1, S2, . . . , Si S1, S2, . . . , Si

. . . N(S1 , . . . , Si) N(S1 , . . . , Si) N(S1 , . . . , Si). . .

Independent samples from same distribution

Chernoff Bound

D - a distribution on R valuesR - a constant

X 1; : : : ;X k - independent samples from D

\ k balls in R bins":

. . . p1 p2 p3 pR

bin i \ far" from pik with probabability exponentially small in k

Adversary Can Match Expectations

S1, S2, . . . , Si

Output = Expectation [N(S1, … , Si)]

Chain of Execution Classes• Each group kept in sync• Output sets match expectations

Execution classdeciding 0

Execution classdeciding 1

Execution class

Execution class…

Indistinguishableto some group One of these must

be non-deciding

Generating the Chain of Execution ClassesE rounds

…

0

0

0

1

1

1

Change group inputs onegroup at a time:

Adversary Strategy

• adversary divides processors into groups of t

• corrupts constant fraction per group

• all group members see same message sets

• tries to stay in the non-deciding execution class

Adversary’s Success ProbabilityS1, S2, … , Si Z1, Z2, … , Zi

V1, V2, …,Vi

Output = ExpectationWith Prob = 1 – 1/exp

Output = ExpectationWith Prob = 1 – 1/exp

Output = ExpectationWith Prob = 1 – 1/exp

By Union bound over groups and rounds, # of rounds = Exp with constant probability

Observations

• Adversary Strategy :

- Only leverages message schedulingand random coins of bad processors- No hope to detect bad behavior without risk

• Impossibility proof crucially leverages:

- Received messages treated as sets- Random Variables have bounded support

Open Problems

[KKKSS]

???

LLas Vegas polytime algorithm?

LAdaptive adversary polytime algorithm?

𝐸𝑥𝑝𝑜𝑛𝑒𝑛𝑡𝑖𝑎𝑙𝑇𝑖𝑚

𝑒

• Still simple structure, unbounded randomness?• Weaken symmetry in processing received messages?

[Ben-Or, Bracha]

Thank you!

Questions?