Lecture 6. Relaxing PKI: the hexagon argument.

HW:

Problem 1 (15 points) Recall the impossibility result from this lecture (for BB with f≥n/3 and no PKI). In lecture we proved only the special case of n = 3 and f = 1. Extend this impossibility result to all n and f with f≥n/3. [Hint: try to avoid redoing the proof from scratch, and come up with a reduction.]

Problem 4 (35 points) Consider again the impossibility result from this lecture. Recall that a protocol instructs a node what messages it should send in a given round, as a function of everything the node knows—its private input (if any) and the messages it has received thus far. In a randomized protocol, the outgoing messages in a given time step can additionally depend on coin flips performed locally at the node. Coin flips are private, meaning that the result of a coin flip is seen only by the node who flipped it.

(a) (15 points) Suppose n = 3 and f = 1. Prove that there is a randomized Byzantine broadcast (BB) protocol for which, no matter what the input and adversary strategy, the probability that at least one of validity or agreement is violated is at most 1/3. (The probability is over the random coin flips of all the nodes. Note that an adversary strategy cannot depend directly on the outcomes of these (private) coin flips.) [Don’t worry about bit complexity issues. E.g., if you find it convenient to have a node sample a real number uniformly from [0, 1], that’s fine. You may also assume that a node can communicate a real number using a single message.] [Hint: It may help to do (b) first, and then reverse engineer a protocol for which your argument is tight.]

(b) (13 points) Suppose n = 3 and f = 1. Prove that the failure probability of 1/3 in part (a) cannot be improved upon by any randomized BB protocol. [Hint: Study carefully the proof from lecture.]

(c) (7 points) Can you generalize (b) to f ≥ n/3, analogously to your solution of Problem 1? Explain why or why not.

Problem 3 (30 points) Consider the impossibility result from Problem 1 (for BB without PKI). (We’re back to considering only deterministic protocols.)

(a) (10 points) Suppose we restrict our attention to protocols that can be implemented in polynomial time (meaning there is a fixed polynomial function p such that, in each round, the amount of computation that an honest node must perform is bounded above by p(n), where n is the number of nodes). Suppose we restrict the adversary to run in time polynomial in n. Does the impossibility result still hold? Either way, prove your answer.

(b) (10 points) Suppose we give all n nodes access to a digital signature scheme, with its key generation, signing, and verification algorithms. A protocol can in particular instruct a node to invoke any of these algorithms at some point during its execution. We also impose assumption from (a), and in addition we assume that a polynomially-bounded adversary cannot break cryptography (e.g., forge signatures). Does the impossibility result still hold? Either way, prove your answer.

(c) (10 points) In light of (a) and (b), why doesn’t the Dolev-Strong protocol contradict the impossibility result from Lecture 3?

Recollection from last lecture

Assumptions: (1) Permissioned setting (2) PKI (3) Synchronous setting (4) ≤f Byzantine nodes
State Machine Replication (SMR) • Clients submit txs to nodes • Each node maintains local history

Goal is a protocol satisfying - consistency (honest nodes agree) - liveness (valid txs are added to honest nodes’ histories)

Byzantine Broadcast (BB) • One node is a sender, others are non-senders • Sender has a private input vVv^* \in V

Goal is a protocol satisfying: - termination (honest nodes halt) - agreement (honest nodes output the same message) - validity (if the sender is honest, honest nodes output the correct value v*)

An Impossibility result

Theorem. [Pease-Shostak-Lamport 80’, Fischer-Lynch-Merritt 95’] Suppose we are in permissioned synchronous setting of a Byzantine Broadcast problem. Then, if the number of Byzantine nodes is larger than a third fn/3f≥n/3, no deterministic (without probabilistic instructions) protocol cab satisfy termination+agreement+validity.

Rmk. This doesn’t contradict Dolev-Strong, since the PKI assumption is removed.

Will show: special case of n=3 and f=1 (general case reduces is analogous, see HW).

Some vague intuition

image
  • A could be Byzantine and tell B and C conflicting things
  • B & C can compare notes, but C may be Byzantine and trying to fake that A is dishonest
  • Honest node B can’t distinguish which of A & C are responsible for conflicting messages

FLM’s Beautiful Proof: A Hexagon Thought Experiment

(key themes: simulation and indistinguishibility)

Let π\pi be a deterministic BB protocol satisfying termination+validity+agreement.

Inputs of π\pi, which are needed to run on a node ii: (i) names and IP addresses of two other nodes; (ii) which node is a sender; (iii) private input vv^*, if node ii is a sender.

Now, the inventor of π\pi surely had in mind that all three nodes have the same informations (i) and (ii). But to run the protocol, it doesn’t have to be the case. Let’s run this protocol on 6 nodes with the following inputs:

image

This setup is well-defined, and all nodes eventually halt with a certain output (why do they halt? See below). We now proceed to the simulation part of the proof.

Simulation 1

We setup a three-node experiment with a Byzantine sender X that simulates all four machines (A, 0)–(C)–(B’)–(A’, 1).

image
  • Because π\pi satisfies agreement, in the thought experiment with X nodes B and C’ need to halt with the same message.
  • Because X simulated the four nodes on the right, we conclude that nodes B and C’ halt with the same message in our hexagon thought experiment.

Simulation 2

We now setup a three-node experiment with a Byzantine non-sender X that simulates all four machines (C)–(B’)–(A’, 1)–(C’).

image
  • Because π\pi satisfies validity, in the thought experiment on the left with X node B halts with the same message as A, namely “0”.
  • Because X simulated the four nodes on the right, we conclude that node B halts with the same message as A, namely “0”, in our hexagon thought experiment.

Simulation 3

We now setup a three-node experiment with a Byzantine non-sender X that simulates all four machines (B)–(A, 0)–(C)–(B’).

image
  • Because π\pi satisfies validity, in the thought experiment on the left with X node C’ halts with the same message as A’, namely “1”.
  • Because X simulated the four nodes on the right, we conclude that node C’ halts with the same message as A’, namely “1”, in our hexagon thought experiment.
In conclusion, because the three simulations above contradict each other, π\pi cannot exist.

Discussion

Question: why Doesn’t the Dolev-Strong protocol contradict this impossibility result?

Answer: because Dolev-Strong assumed PKI!

The proof above breaks down with PKI, in the following ways:

  • How to define the hexagon thought experiment? Well, under PKI the the messages inside the protocol need to be signed only with three private keys. We could try to satisfy this, by demanding that A and A’ have the same pub/priv keys, B and B’ have the same pub/priv keys, and C and C’ have the same pub/priv keys.
  • But then the simulation is impossible, since (say in Simulation 1) X would need to simulate signatures of B and C’…