Randomized Algorithms for Reliable Broadcast Vinod Vaikuntanathan IBM

Randomized Algorithms for Reliable Broadcast Vinod Vaikuntanathan (IBM T. J. Watson) Michael Ben-Or Shafi Goldwasser Elan Pavlov

Reliable Broadcast Channel • Physical Device m P 1 Sender P 2 P 3 The Internet • Guarantee: “All players receive the same message” S P 4 Useful: Multiparty protocols [BL’ 85, GMW’ 87, BGW’ 88, RB’ 89, GGL’ 91, RZ’ 98, F’ 99, GVZ’ 01] Unavailable: Point-to-point Networks x P 1 P 3 P 2 P 4 S y

Reliable Broadcast Channel • Physical Device • Guarantee: “All players receive the same message” m P 1 Sender P 2 P 3 S P 4 Useful: Multiparty protocols [BL’ 85, GMW’ 87, BGW’ 88, RB’ 89, GGL’ 91, RZ’ 98, F’ 99, GVZ’ 01] S Unavailable: m Point-to-point Networks Wireless/Radio Networks M m P Q ? ? m

Reliable Broadcast Problem [PSL’ 80] m P 1 Sender P 2 P 3 S “Simulate a reliable broadcast channel over traditional networks” ≡ IN THIS WORK: Point-to-point network P 4 P 1 P 3 P 2 P 4 S

Reliable Broadcast Problem [PSL’ 80] Validity (completeness): If S is honest, all players receive m. m P 1 Sender P 2 P 3 S Agreement (soundness): All players receive the same message (even if S is dishonest) Reliable Broadcast = Byzantine Agreement ≡ P 4 P 1 P 3 P 2 P 4 S

The Model The Network S P P 33 P 2 P 4 • Completely connected • Reliable and authenticated links • Synchronous (“rounds”) The Adversary • Corrupts t players (t = constant fraction of n) • Computationally unbounded • Full-information

Previous Work DETERMINISTIC: [PSL’ 80, DFFLS’ 82, DRS’ 86, BDDS’ 87, BGP’ 89, CW’ 90, BG’ 91, GM’ 93] Best Known: t+1 rounds [PSL’ 80, GM’ 93] Best Possible: t+1 rounds [FL’ 82] RANDOMIZED (probabilistic termination): [B’ 83, R’ 83, CC’ 85, DSS’ 86] Best Known: Expected O(t/log n) rounds [CC’ 85] + Private Channels: O(1) rounds [FM’ 88]

Why Private Channels? • Perfectly private physical devices P 1 P 3 P 2 P 4 • Leaks Nothing • the message sent • Implemented using “strong encryption” [FM’ 88] “Is privacy necessary for

Our Results Theorem: There exists a reliable broadcast protocol in the full-information model: • tolerates t < (1/3 -ε)n faults (for any ε>0). • runs in O(log n/ε 2) rounds, in expectation. Remarks: • Near-best fault-tolerance Optimal: t < n/3 [PSL’ 80, KY’ 86] • Near-best communication complexity n 2·log. O(1)(n) Best known: O(n 2) [KKKSS’ 08]

Classical Approach [B’ 83, R’ 83] Lemma [B’ 83, R’ 83]: Reduction from reliable broadcast protocol to leader election • δ-leader election • r rounds • fault-tolerance t • Reliable broadcast • expected O(r/δ) rounds • fault-tolerance t δ-Leader Election: Collectively elect a player P such that Pr[P is honest] ≥ δ

Our Approach Lemma: Reduction from reliable broadcast protocol to committee election • (c, δ)-committee election • r rounds • fault-tolerance t • Reliable broadcast • expected O((r+c)/δ) rounds • fault-tolerance t (c, δ)-Committee Election: Collectively elect a set of players S such that • S has at most c players • Pr[S has at least one honest player] ≥δ

RZ Committee-Election Lemma [Russell and Zuckerman’ 01]: Committeeelection protocol among n players with (1 -ε)n faults • elects a committee of size O(log n/ε 2) • runs in 1 round! (assuming built-in reliable broadcast channels!) Our Work: Committee-election protocol without built-in reliable broadcast!

RZ Committee-Election IDEA: “Election by Elimination” NOT BUT

RZ Committee-Election Step 1: Fix a collection of prospective committees such that: (a) m = poly(n) committees (b) each committee is “small” (c) number of bad committees is “very small” C 1 C 2 C 3 C 4 Cm P 1 P P 2 P 4 P 1 P P 3 P 5 P 6 P P 3 P 7 P 9 P P 5 P 6 P 4 P P 2 P 10 10 8 9 8 … 7

RZ Committee-Election Step 1: Fix a collection of prospective committees such that: Lemma: There is a collection of committees s. t. (a) m = n 2+1 committees (b) each committee has O(log n) players (c) number of bad committees is at most 3 n Proof: Probabilistic method (existential), or Extractors (explicit) [TZS’ 01] C 1 C 2 C 3 C 4 Cm P 1 P P 2 P 4 P 1 P P 3 P 5 P 6 P P 3 P 7 P 9 P P 5 P 6 P 4 P P 2 P 10 10 8 9 8 … 7

RZ Committee-Election Step 1: Fix a collection of prospective committees Step 2: Vote out n committees “at random” Broadcast the identity of these committees Step 3: Output (any) committee that is not voted out. P 1 P 2 … Pn n C 1 C 2 C 3 C 4 Cm P 1 P P 2 P 4 P 1 P P 3 P 5 P 6 P P 3 P 7 P 9 P P 5 P 6 P 4 P P 2 P 10 10 8 9 8 … 7

RZ Committee-Election Step 1: Fix a collection of prospective committees Step 2: Vote out n committees “at random” Broadcast the identity of these committees Step 3: Output (any) committee that is not voted out. Lemma [RZ’ 01]: With probability 1 -1/n (over the coin -tosses of the honest players), (a) Each bad committee is voted out by a good player “Intuition: ” (b) At least. The onenumber committee of badiscommittees not votedisout “very small” Proof: Total number of committees voted out ≤ n·n < n 2+1 = m

RZ with no broadcast? BAD NEWS: GOOD NEWS: No Agreement! Both P and Q eliminate all bad committees. Pf: (Each bad committee voted out by a good player) Honest Player P’s View Honest Player Q’s View P 1 C 1 C 2 C 3 C 1 P P 2 P 4 P 1 P P 3 P 5 P 6 P P 3 P 7 P 1 P P 2 P 4 10 8 9 10 C 2 C 3 P 1 P P 3 P 5 8 P 6 P P 3 P 7 9

Our Solution AN OLD IDEA “Limit cheating” Use graded broadcast [FM’ 88] TWO NEW IDEAS “Detect disagreement” “Self-destruct” Honest Player P’s View Honest Player Q’s View P 1 C 1 C 2 C 3 C 1 P 4 P 2 P 10 P 1 P P 3 P 5 P 6 P 7 P 3 P P 1 P 4 P 2 P 10 8 9 C 2 C 3 P 1 P 5 P 3 P 8 P 6 P 7 P 3 P 9

Graded Broadcast [FM’ 88] Motivating Example: Radio Networks S m P m Q ? ? m Limit Cheating: P and Q do not get different messages

Graded Broadcast [FM’ 88] Motivating Example: Radio Networks S m P m Q ? ? Graded Broadcast: Each player P gets a pair (m, grade) grade=2: grade=1: grade=0: “P accepts m, and knows that everyone else has seen “P sees m, and knows that m” noone else sees m’ ≠ m” “P sees nothing”

Graded Broadcast [FM’ 88] Motivating Example: Radio Networks S m P m Q ? ? Graded Broadcast: Each player P gets a pair (m, grade) • Completeness: If S is honest, everyone gets (m, 2) • Soundness: (a) If an honest player P gets (m, 2), everyone gets (m, ≥ 1) (b) If P gets (m, ≥ 1) and Q gets (m’, ≥ 1), m=m’

Graded Broadcast [FM’ 88] Motivating Example: Radio Networks m S m P Q ? ? Lemma [FM’ 88]: Deterministic graded broadcast among n players • tolerating t < n/3 faults. • runs in 3 rounds

Our Committee-Election Protocol Step 1: Fix a collection of prospective committees Step 2: Vote out n committees “at random” Graded-broadcast the identity of these committees Step 3: Each committee runs disagreement detection grade ≥ 1 grade=2 Honest Player P Honest Player Q P 1 C 1 C 2 C 3 C 1 P 4 P 2 P 10 P 1 P P 3 P 5 P 6 P 7 P 3 P P 1 P 4 P 2 P 10 8 9 C 2 C 3 P 1 P 5 P 3 P 8 P 6 P 7 P 3 P 9

Our Committee-Election Protocol C -Disagreement Detection and Self-Destruct: 1 Step 1: Fix a collection of prospective committees Participants: All players in C 1 Step 2: Vote out n committees “at random” Goal: Decide if the honest players disagree about C 1 Graded-broadcast the identity of these committees Honest Player P Honest Player Q P 1 C 1 C 2 C 3 C 1 P 4 P 2 P 10 P 1 P P 3 P 5 P 6 P 7 P 3 P P 1 P 4 P 2 P 10 8 9 C 2 C 3 P 1 P 5 P 3 P 8 P 6 P 7 P 3 P 9

Our Committee-Election Protocol C -Disagreement Detection and Self-Destruct: 1 (1) Local If prospective a player in Ccommittees 1 sees C 1 voted Step 1: Fix adetection: collection of out with grade ≥ 1, set C 1 -self-destruct = true Step 2: Vote out nin committees random” (2) Consensus C 1: Agree “at on the majority decision the identity of these committees about CGraded-broadcast 1 -self-destruct • Each player reliable-broadcasts C 1 -self-destruct to all (3) Self-destruct: If majority decide to self-destruct, players in C 1 send “C 1 -self-destruct” msg to all players in the network • Each player computes majority of received values. Honest Player P Honest Player Q P 1 C 1 C 2 C 3 C 1 P 4 P 2 P 10 P 1 P P 3 P 5 P 6 P 7 P 3 P P 1 P 4 P 2 P 10 8 9 C 2 C 3 P 1 P 5 P 3 P 8 P 6 P 7 P 3 P 9

Our Committee-Election Protocol Step 1: Fix a collection of prospective committees Step 2: Vote out n committees “at random” Graded-broadcast the identity of these committees Step 3: Each committee runs disagreement detection Step 4: Eliminate C if (a) C is voted out with grade = 2 OR (b) C self-destructs Honest Player P Honest Player Q P 1 C 1 C 2 C 3 C 1 P 4 P 2 P 10 P 1 P P 3 P 5 P 6 P 7 P 3 P P 1 P 4 P 2 P 10 8 9 C 2 C 3 P 1 P 5 P 3 P 8 P 6 P 7 P 3 P 9

Our Committee-Election Protocol Step 1: Fix a collection of prospective committees Step 2: Vote out n committees “at random” Graded-broadcast the identity of these committees Step 3: Each committee runs disagreement detection Step 4: Eliminate C if (a) C is voted out with grade ≥ 2 OR (b) C self-destructs Honest Player P Honest Player Q P 1 C 1 C 2 C 3 C 1 P 4 P 2 P 10 P 1 P P 3 P 5 P 6 P 7 P 3 P P 1 P 4 P 2 P 10 8 9 C 2 C 3 P 1 P 5 P 3 P 8 P 6 P 7 P 3 P 9

The RZ Protocol Agreement (“win-win” argument) Step • 1: CFix a collection of prospective committees is bad: All players see C i i Step 2: Each player graded broadcasts n random • Ccommittees Ci i is good: Say an honest player P sets Step 3: • Correct Becausepotential Ci self-destructed: All other honest disagreement. get the self-destruct notification Step 4: players Eliminate Ci if Ci • Because P sees Ci after graded broadcast: All honest players in Ci decide to self-destruct Ci Honest Player P Honest Player Q P 1 C 1 C 2 C 3 C 1 P 4 P 2 P 10 P 1 P P 3 P 5 P 6 P 7 P 3 P P 1 P 4 P 2 P 10 8 9 C 2 C 3 P 1 P 5 P 3 P 8 P 6 P 7 P 3 P 9

Extensions and Open Questions TODAY: Fault-tolerance ≈ 1/3 (optimal) THESIS: With PKI and one-way functions, fault-tolerance ≈ 1/2 TODAY: Complete Network THESIS: Simulate complete network over an incomplete network (overhead ≈ diameter) OPEN: Asynchronous Networks [FLP’ 85] Best known: quasi-polynomial rounds [KKKSS’ 08]

Thank you!