byzantine agreement

Typically, protocols for Byzantine agreement (BA) are designed to run in either a synchronous network (where all messages are guaranteed to be delivered within some known time ∆ from when they are sent) or an asynchronous network (where messages may be arbitrarily delayed). Protocols designed for synchronous networks are generally insecure if the network in which they run does not ensure synchrony; protocols designed for asynchronous networks are (of course) secure in a synchronous setting as well, but in that case tolerate a lower fraction of faults than would have been possible if synchrony had been assumed from the start. Fix some number of parties n, and 0 < ta < n/3 ≤ ts < n/2. We ask whether it is possible (given a public-key infrastructure) to design a BA protocol that is resilient to (1) ts corruptions when run in a synchronous network and (2) ta faults even if the network happens to be asynchronous. We show matching feasibility and infeasibility results demonstrating that this is possible if and only if ta + 2 • ts < n.

Essentially all work studying the round complexity of secure computation assume broadcast as an atomic primitive. Protocols constructed under this assumption tend to have very poor round complexity when compiled for a point-to-point network due to the high overhead of emulating each invocation of broadcast. This problem is compounded when broadcast is used in more than one round of the original protocol due to the complexity of handling sequential composition (when using round-efficient emulation of broadcast). We argue that if the goal is to optimize round complexity in point-topoint networks, then it is preferable to design protocols -assuming a broadcast channel -minimizing the number of rounds in which broadcast is used rather than minimizing the total number of rounds. With this in mind, we present protocols for secure computation in a number of settings that use only a single round of broadcast. In all cases, we achieve optimal security threshold for adaptive adversaries, and obtain protocols whose round complexity (in a point-to-point network) improves on prior work.

In a seminal paper, Feldman and Micali show an n-party Byzantine agreement protocol in the plain model that tolerates t < n/3 malicious parties and runs in expected constant rounds. Here, resolving a question that had been open since their work, we show an expected constant-round protocol for authenticated Byzantine agreement assuming honest majority (i.e., t < n/2), and relying only on the existence of signature schemes and a public-key infrastructure. Combined with existing results, this gives the first expected constant-round protocol for secure computation with honest majority in a point-to-point network under the same assumptions. Our key technical tool -a new primitive we introduce called moderated VSS -also yields a simpler proof of the Feldman-Micali result. In addition, we show a simple technique for sequential composition of Byzantine agreement protocols that do not achieve simultaneous termination, something that is inherent for protocols using o(t) rounds.

We revisit the following question: what is the optimal round complexity of verifiable secret sharing (VSS)? We focus here on the case of perfect VSS where the number of corrupted parties t satisfies t < n/3, with n the total number of parties. Work of Gennaro et al. (STOC 2001) and Fitzi et al. (TCC 2006) shows that, assuming a broadcast channel, 3 rounds are necessary and sufficient for efficient VSS. Existing protocols, however, treat the broadcast channel as being available "for free" and do not attempt to minimize its usage. This approach leads to relatively poor round complexity when such protocols are compiled to run over a point-to-point network. We show here a VSS protocol that is simultaneously optimal in terms of both the number of rounds and the number of invocations of broadcast. Our protocol also satisfies a certain "2-level sharing" property that makes it useful for constructing protocols for general secure computation.

In a recent article, Chang et al. proposed a quantum secure direct communication protocol using single photons (Chinese Sci Bull, 58: 4571-4576). The protocol is equipped with auhtentication. In this article we present a novel attack on the protocol that can determine the secret key which is already shared between Alice and Bob.

In the Byzantine agreement problem, a set of n processors, any f of whom may be arbitrarily faulty, must reach agreement on a value proposed by one of the correct processors. It is a celebrated result that unless n > 3 f , Byzantine agreement is impossible in a variety of computation and communication models. This is due to the fact that faulty processors can equivocate, that is, say different things to different processors. If this ability is mitigated, for example by assuming a global broadcast channel, then n > 2 f is sufficient. With very few exceptions, the literature on Byzantine agreement has been confined to the n > 2 f and n > 3 f paradigms. We bridge the gap between these two paradigms by assuming partial broadcast channels among sets of three processors, observing that equivocation is fundamentally an act involving three parties: a faulty processor that lies (inconsistently) to two correct processors. We characterize the conditions under which Byzantine agreement is possible for all n = 2 f + h, h an integer in [1.. f ], by giving asymptotically tight bounds on the number of necessary and sufficient partial broadcast channels. We prove these bounds by a reduction to a problem in extremal combinatorics, which itself is a natural generalization of a well-studied hypergraph coloring problem. Algorithmically, we show that deciding whether a given set of broadcast channels enables Byzantine agreement is co-NPcomplete. Although partial broadcast channels have been studied in prior work, the bounds obtained on the number of required channels were sub-optimal by up to a factor of Θ(n 2 ). Moreover, this work has been confined to the synchronous model. In contrast, we apply our results to several distinct models and provide stronger motivation for using partial broadcast channels in practice, drawing from recent work in the systems community.

In this paper, a class of interactive consistency algo- rithms is described, based on authentication and error-cor- recting codes. These algorithms require considerably less data communication than existing algorithms, whereas the required number of modules and communication rounds meet the minimum bounds. The algorithms based on authen- tication and error-correcting codes are defined and proved on basis of a class

In order to make a dependable distributed computer system resilient to arbitrary failures of its processors, deterministic Byzantine agreement protocols (BAPs) can be applied. Many BAPs found in literature require that communication takes place in synchronized rounds of information exchange and require that all correct processors know the start ofthe BAP and start the protocol simultaneously. It is hard to satisfi either or both requirements in a distributed system. As a consequence, it is hard to implement the above BAPs in a distributed system. Authenticated self-synchronizing BAPs evade this problem by guaranteeing Byzantine Agreement while allowing arbitrary clock skew between the clocks of the processors and not requiring correct processors to know the start of the BAP Howevel; authenticated self-synchronizing BAPs require much communication overhead. Therefore, in this papes we introduce so-culled optimized authenticated selfsynchronizing BAPs, that require fewer messages than the existing authenticated self-synchronizing BAPs.

In order to make a dependable distributed computer system resilient to arbitrary failures of its processors, deterministic interactive consistency algorithms (ICAs) are required. Thus far, in order to guarantee interactive con- sistency, all ICAs found in the literature require that all correct processors in the system start the algorithm simul- taneously. In a distributed system, it is hard to satisfy

Verifiable secret sharing (VSS) is a fundamental cryptographic primitive, lying at the core of secure multi-party computation (MPC) and, as the distributed analogue of a commitment functionality, used in numerous applications. In this paper we focus on unconditionally secure VSS protocols with honest majority. In this setting it is typically assumed that parties are connected pairwise by authenticated, private channels, and that in addition they have access to a "broadcast" channel. Because broadcast cannot be simulated on a point-to-point network when a third or more of the parties are corrupt, it is impossible to construct VSS (and more generally, MPC) protocols in this setting without using a broadcast channel (or some equivalent addition to the model). A great deal of research has focused on increasing the efficiency of VSS, primarily in terms of round complexity. In this work we consider a refinement of the round complexity of VSS, by adding a measure we term broadcast complexity. We view the broadcast channel as an expensive resource and seek to minimize the number of rounds in which it is invoked as well. We construct a (linear) VSS protocol which uses the broadcast channel only twice in the sharing phase, while running in an overall constant number of rounds.

The consensus problem is concerned with the agreement on a system status by the fault-free segment of a processor population in spite of the possible inadvertent or even malicious spread of disinformation by the faulty segment of that population. The resulting protocols are useful throughout fault-tolerant parallel and distributed systems and will impact the design of decision systems to come. This paper surveys research on the consensus problem, compares approaches, outlines applications, and suggests directions for future work.

Two different kinds of Byzantine Agreement for distributed systems with processor faults are defined and compared. The first is required when coordinated actions may be performed by each participant at different times. This kind is called Simultaneous Byzantine Agreement (SBA).This paper deals with the number of rounds of message exchange required to reach Byzantine Agreement of either kind (BA). If an algorithm allows its participants to reach Byzantine agreement in every execution in which at mosttparticipants are faulty, then the algorithm is said to toleratetfaults. It is well known that any BA algorithm that toleratestfaults (witht

The standard Byzantine Agreement (BA) problem requires non-faulty processes to agree on a common value. In many real-world applications, it is important that the processes agree on the correct value rather than any value. In this paper, we present a problem called Accurate Byzantine Agreement (ABA) in which all processes get a common feedback (or payoff) from the environment indicating if the value they agreed upon was correct or not. The solution to this problem, referred to as the ABA algorithm, requires the non-faulty processes to incorporate the feedback so that their chance of choosing the correct value improves over subsequent iterations of the algorithm. We present an algorithm that solves the ABA problem based on two key ingredients: a standard solution to the BA problem and a multiplicative method to maintain and update process weights indicative of how often they are correct. We give guarantees on the accuracy of the algorithm based on assumptions on the accuracy of the processes and the proportion of faulty and non-faulty processes in the system. For each iteration, if the weight of accurate processes is at least 3/4 th the weight of the non-faulty processes, the algorithm always decides on the correct value. When the non-faulty processes are accurate with probability greater than 1/2, the algorithm decides on the correct value with very high probability after some initial number of mistakes. In fact, among n processes, if there exists even one process which is accurate for all iterations, the algorithm is wrong only O(log n) times for any large number of iterations of the algorithm.

Byzantine agreement algorithms typically assume implicit initial state consistency and synchronization among the correct nodes and then operate in coordinated rounds of information exchange to reach agreement based on the input values. The implicit initial assumptions enable correct nodes to infer about the progression of the algorithm at other nodes from their local state. This paper considers a more severe fault model than permanent Byzantine failures, one in which the system can in addition be subject to severe transient failures that can temporarily throw the system out of its assumption boundaries. When the system eventually returns to behave according to the presumed assumptions it may be in an arbitrary state in which any synchronization among the nodes might be lost, and each node may be at an arbitrary state. We present a self-stabilizing Byzantine agreement algorithm that reaches agreement among the correct nodes in optimal time, by using only the assumption of bounded message transmission delay. In the process of solving the problem, two additional important and challenging building blocks were developed: a unique self-stabilizing protocol for assigning consistent relative times to protocol initialization and a Reliable Broadcast primitive that progresses at the speed of actual message delivery time.

the reported research in literature for message transformation by a third party does not provide the necessary efficiency and security against different attacks. The data transmitted through the computer network must be confidential and authenticated in advance. In this paper, we develop and improve security of the braided single stage quantum cryptography. This improvement is based on a novel authentication algorithm by using signature verification without using the three stages protocol to share the secret key between the sender and receiver. This approach will work against attacks such as replay and man-in-the-middle by increasing the security as well as the over efficiency, reducing the overhead through using three stages and increasing the speed of the communication between two parties.

Byzantine-Fault-Tolerant (BFT) state machine replication is an appealing technique to tolerate arbitrary failures. However, Byzantine agreement incurs a fundamental trade-off between being fast (i.e. optimal latency) and achieving optimal resilience (i.e. 2f + b + 1 replicas, where f is the bound on failures and b the bound on Byzantine failures [10]). Achieving fast Byzantine replication despite f failures requires at least f + b − 2 additional replicas [11, 7, 9]. In this paper we show, maybe surprisingly, that fast Byzantine agreement despite f failures is practically attainable using only b − 1 additional replicas, which is independent of the number of crashes tolerated. This makes our approach particularly appealing for systems that must tolerate many crashes (large f) and few Byzantine faults (small b). The core principle underlying our approach is to have the correct replicas agree on a quorum of responsive replicas before agreeing on requests. This is key to circumventing the resilience lower bound of fast Byzantine agreement [7].

In this paper, we formulate a new theoretical problem, namely the reliable broadcast problem in unknown fixedidentity networks. This problem arises in the context of developing decentralized security mechanisms in a specificclass of distributed systems: Consider an undirected graph G connecting n nodes where each node is aware of only its neighbors but not of the entire graph. Additionally, each node has a unique identity and cannot fake its identity to its neighbors. Assume that k among the n nodes act in an adversarial manner and the remaining n−k are good nodes. Under what constraints does there exist a distributed algorithm Γ that enables every good node v to reliably broadcast a message m(v) to all other good nodes in G? While good nodes follow the algorithm Γ, an adversary can additionally discard messages, generate spurious messages or collude with other adversaries. In this paper, we prove two results on this problem. First, we provide a distributed algorithm Γ that can achieve reliable broadcast in an unknown fixed-identity network in the presence of k adversaries if G is 2k +1 vertex connected. Additionally, a minimum vertex connectivity of 2k + 1 is a necessary condition for achieving reliable broadcast. Next, we study the problem of reliable broadcast in sparse networks (1−connected and 2-connected) in the presence of a single adversary i.e., k = 1. In sparse networks, we show that a single adversary can partition the good nodes into groups such that nodes within a group can reliably broadcast to each other but nodes across groups cannot. For 1−connected and 2−connected graphs, we prove lower bounds on the number of such groups and provide a distributed algorithm to achieve these lower bounds. We also show that in a powerlaw random graph G(n, α), a single adversary can partition

The popularity of wide-area computer services has generated a compelling need for efficient algorithms that provide high reliability. Byzantine fault-tolerant (BFT) algorithms can be used with this purpose because they allow replicated systems to continue to provide a correct service even when some of their replicas fail arbitrarily, either accidentally or due to malicious faults. Current BFT algorithms perform well on LANs but when the replicas are distributed geographically their performance is affected by the lower bandwidth and the higher and more heterogeneous network latencies. This paper proposes and evaluates a novel BFT algorithm for WANs that requires fewer communication steps, fewer replicas and has better throughput and latency than others in the literature. The paper presents an extensive evaluation of the algorithm's performance in several settings and conditions: in a LAN; in real and emulated WANs; with clients close to servers and dispersed geographically; with similar and different communication latencies between clients and servers.

Secure Multi-Party Computation (MPC) providing information theoretic security allows a set of n parties to securely compute an agreed function F over a finite field F, even if t parties are under the control of a computationally unbounded active adversary. Asynchronous MPC (AMPC) is an important variant of MPC, which works over an asynchronous network. It is well known that perfect AMPC is possible if and only if n ≥ 4t + 1, while statistical AMPC is possible if and only if n ≥ 3t + 1. In this paper, we study the communication complexity of AMPC protocols (both statistical and perfect) designed with exactly n = 4t + 1 parties. Our major contributions in this paper are as follows:

We illustrate in this paper a compositional and stepwise method for designing programs that o er a potentially unique tolerance to each of their fault-classes. More speci cally, our illustration is a design of a repetitive agreement program that o ers two tolerances: (a) it masks the e ects of Byzantine failures and (b) it is stabilizing in the presence of transient and Byzantine failures.

This paper investigates the problem of Byzantine Agreement in a synchronous system where malicious agents can move from process to process, corrupting their host. Earlier works on the problem are based on biased models which, as we argue in the paper, give an unfair advantage either to the correct processes or to the adversary controlling the malicious agents. Indeed, the earlier studies of the problem assume that, after a malicious agent has left a process, that process, said to be cured, is able to instantly and accurately detect the fact that it was corrupted in earlier rounds, and thus can take local actions to recover a valid state (Garay's model). We found no justification for that assumption which clearly favors correct processes. Under that model, an algorithm is known for n > 4t, where n is the number of processes and t the maximum number of malicious agents. The tightness of the bound is unknown. In contrast, more recent work on the problem remove the assumption on detection and assume instead that a malicious agent may have left corrupted messages in the send queue of a cured process. As a result, the adversary controlling the malicious agents can corrupt the messages sent by cured processes, as well as those sent by the newly corrupted ones, thus doubling the number of effective faults. Under that model, which favors the malicious agents, the problem can be solved if and only if n > 6t. In this paper, we refine the latter model to avoid the above biases. While a cured process may send messages (based on a state corrupted by the malicious agent), it will behave correctly in the way it sends those messages: i.e., send messages according to the algorithm. Surprisingly, in this model we could derive a new non-trivial tight bound for Byzantine Agreement. We prove that at least 5t + 1 processors are needed in order to tolerate t mobile Byzantine agents and provide a time optimal algorithm that matches this lower bound, altogether with a formal specification of the problem. This models the situation where, as soon as a faulty node is repaired (e.g., by software rejuvenation), another one becomes compromised. For more than two decades, the main case study problem in this context was Byzantine Agreement. Briefly stated, it requires processors, some of which malicious, that start the computation with an initial value to decide on the same value. When faults are mobile the problem is known as Mobile Byzantine Agreement and requires special attention for preserving agreement once it has been reached. Related work. Byzantine Agreement, introduced by Lamport et al. [12, 16], has been studied for decades in static distributed systems under different aspects (e.g., possibility, complexity, cost) in various models (from synchronous [12,16,17] to asynchronous [5,13], from authenticated [8] to anonymous [14]) with different methodologies (deterministic [12, 16], probabilistic [3, 9]). In all these works, faults are stationary. That is, they do not change their original location during the computation. Santoro et al. [19, 20], and later Schmid et al. [22], investigate the agreement problem in dynamic transmission failure models for both complete and arbitrary networks. These models assume that different communication links may randomly fail at different times. Santoro and Widmayer [19] study the kagreement problem, where the system reaches a k-agreement if, in finite time, k processes choose the same value, either 0 or 1, with k > n/2 , 1 where n is the total number of processes. Based on the bivalent argument of Fischer et al. [10], they state that (n/2 + 1)-agreement is impossible in a synchronous system if at each time there is one processor whose messages may be corrupted. Although not explicitly stated, the impossibility applies to the mobile Byzantine model. Thus, work on Mobile Byzantine Agreement typically rely on the assumption that at least one process remains uncorrupted for Ω(n) rounds of communication. Mobile Byzantine Agreement, introduced by Reischuk [18], has regained much attention recently. Research on the problem, in synchronous systems, follows two main directions: constrained or unconstrained mobility. Constrained mobility. This direction, studied by Buhrman et al. [4], considers that malicious agents move from one node to another only when protocol messages are sent (similar to how viruses would propagate). In that model, they prove a tight bound for Mobile Byzantine Agreement (n > 3t, where t is the maximal number of simultaneously faulty processes) and propose a time optimal protocol that matches this bound. Unconstrained mobility. In this direction, which includes the work in this paper, the mobility of malicious agents is not constrained by message exchanges [1, 11, 15, 18, 21]. Reischuk [18] proposed a first sub-optimal solution under an additional hypothesis on the stability/stationarity of malicious agents for a given period of time. Later, Ostrovsky and Yung [15] introduced the notion of an adversary that can inject and distribute faults in the system at a constant rate in every round

In fault-tolerant multiprocessor systems, different non-faulty processes may arrive at different values for a given system parameter. To resolve this disagreement, processes must exchange and vote upon their respective local values. During voting, faulty processes may attempt to inhibit agreement by acting in a malicious or &quot;Byzantine&quot; manner. Approximate Agreement defines one form of agreement in which the voted values obtained by the non-faulty processes need not be identical. Rather, they need only agree to within a predefined tolerance. Approximate Agreement can be achieved by a sequence of convergent voting rounds, in which the range of values held by non-faulty processes is reduced in each round. Existing convergent voting algorithms assume complete connectivity between processes. Where the physical connectivity is incomplete, messages are relayed between processors to simulate complete connectivity. For large, sparsely connected systems, the message traffic associat...

List of Tables 2.1 (a) Acceptors required to solve asynchronous consensus under various failure models. c is the maximum number of crash failures and b is the maximum number of Byzantine failures tolerated while ensuring the system is both safe and live. u is the maximum number of failures tolerated while ensuring the system is up. r is the maximum number of commission failures tolerated while ensuring the system is right. (b) Acceptors required to solve asynchronous consensus under the crash (Byzantine) failure model for various values of f = b = c. (c) Acceptors required to solve asynchronous consensus under a hybrid failure model with varying values of b and c. (d) Acceptors required to solve asynchronous consensus under the UpRight model with varying values of u and r. Values representing equivalent configurations across tables are marked with emphasis (italicized for BFT configurations, bolded for CFT configurations, or underlined for HFT configurations). 3.1 Observed peak throughput of BFT systems in a fault-free case and when a single faulty client submits a carefully crafted series of requests. We detail our measurements in Section 3.6.2. † The result reported for Q/U is for correct clients issuing conflicting requests. ‡ The HQ prototype demonstrates fault-free performance and does not implement many of the error-handling steps required to resolve

We provide new and tight lower bounds on the ability of players to implement equilibria using cheap talk, that is, just allowing communication among the players. One of our main results is that, in general, it is impossible to implement three-player Nash equilibria in a bounded number of rounds. We also give the first rigorous connection between Byzantine agreement lower bounds and lower bounds on implementation. To this end we consider a number of variants of Byzantine agreement and introduce reduction arguments. We also give lower bounds on the running time of two player implementations. All our results extended to lower bounds on (k, t)-robust equilibria, a solution concept that tolerates deviations by coalitions of size up to k and deviations by up to t players with unknown utilities (who may be malicious).

In a distributed system, it is often necessary for nodes to agree on a particular event or to coordinate their activities. Applications of distributed agreement are many, such as Commit Protocols in distributed database systems, selection of a monitor node in a distributed system, detecting an intruder, or agreeing on the malicious behavior of a node. Among many forms of Distributed Agreement, one form is called Approximate Agreement (AA), in which the nodes, by exchanging their local values with other nodes, need to agree on values which are approximately equal to each other. Research on AA for fully connected networks is relatively mature. In contrast, the study of AA in partially connected networks has been very limited. More specifically, no general solution to the AA problem exists for such networks. This research solves the AA problem for a specific, scalable, partially connected network with limited relays. The research considers the worst failure mode of nodes, called Byzant...

The research in reaching Approximate Agreement (AA) for fully connected networks is relatively mature. In contrast, the literature survey of the AA problem for partially connected networks is evident of considerably less work. This is due to the fact that a node may not have a complete view of the global network, which makes it difficult to attain the convergence properties. The complexity of the problem is compounded in the presence of message dropouts, faults, and orchestrated attacks. This study investigates the AA problem for partially connected networks without node failures. The properties of Markov Chains are exploited to show the approximate convergence of the values of the nodes in the network. The results show that the number of rounds of messageexchange to reach a network-convergence depends on the distribution of values held by the nodes and is bound by ! " 2 / m , where m is the network diameter. The intension of this research is to potentially use the approach as a stepping-stone for future investigation of the AA problem in the presence of faults.

We focus on the problem of synthesizing failsafe fault-tolerance where fault-tolerance is added to an existing (faultintolerant) program. A failsafe fault-tolerant program satisfies its specification (including safety and liveness) in the absence of faults. However, in the presence of faults, it satisfies its safety specification. We present a somewhat unexpected result that, in general, the problem of synthesizing failsafe fault-tolerant distributed programs from their fault-intolerant version is NP-complete in the state space of the program. We also identify a class of specifications, monotonic specifications, and a class of programs, monotonic programs, for which the synthesis of failsafe fault-tolerance can be done in polynomial time (in program state space). As an illustration, we show that the monotonicity restrictions are met for commonly encountered problems, such as Byzantine agreement, distributed consensus, and atomic commitment. Furthermore, we evaluate the role of these restrictions in the complexity of synthesizing failsafe fault-tolerance. Specifically, we prove that if only one of these conditions is satisfied, the synthesis of failsafe fault-tolerance is still NP-complete. Finally, we demonstrate the application of monotonicity property in enhancing the fault-tolerance of (distributed) nonmasking faulttolerant programs to masking.

In this paper we focus on sender-anonymous channels (a.k.a. Dining Cryptographers networks) and present a construction requiring a very low (constant) number of rounds of interaction while tolerating actively malicious behavior by some of the participants (up to less than half of them). Our construction is unconditionally secure (meaning that no bounds are placed on the computational power of the adversary), makes black-box use of a verifiable secret sharing (VSS) protocol, and is based on a special-purpose secure multiparty computation protocol implementing the method of "throwing darts;" its round complexity is essentially equal to that of the VSS protocol. In addition, since broadcast cannot be simulated in a pointto-point network when a third or more of the participants are corrupt, it is impossible to construct VSS (and, more generally, any other basic multiparty protocol) in this setting without using a "physical broadcast channel," and a recent line of research has sought to minimize the use of this expensive resource. Our anonymous channel protocol's reduction to VSS is broadcast-round-preserving, thus making

In the problem of almost-everywhere agreement (denoted a.e. agreement), introduced by Dwork, Peleg, Pippenger, and Upfal [STOC '86], n parties want to reach agreement on an initially held value, despite the possible disruptive and malicious behavior of up to t of them. So far this is reminiscent of the classical Byzantine agreement problem, except that in the alternative formulation the underlying connectivity graph is sparse-i.e., not all parties share point-to-point reliable channels-thus modeling the actual connectivity of real communication networks. In this setting, one may not be able to guarantee agreement amongst all honest parties, and some of them, say x, must be given up. Thus, in this line of work the goal is to be able to tolerate a high value for t (a constant fraction of n is the best possible) while minimizing x. As shown in the original paper, the dependency on d, the degree of the network, to achieve this goal is paramount. Indeed, the best polynomial-time a.e. agreement protocol tolerating a constant fraction of corruptions t = αn, for some constant α > 0 (presented in the original paper, over two decades ago) has parameters, d = n for constant > 0 and x = µt for some constant µ > 1. In this work, we significantly improve on the above parameters obtaining a protocol with t = αn, d = O(log q n), for constant q > 0 and x = O(t log n). Our approach follows that of Dwork et al. of reducing the a.e. agreement problem to constructing a reliable transmission scheme between pairs of nodes for a large fraction of them; however, given our setting's more stringent conditions-poly-logarithmic degree and a linear number of corruptions, such a task is significantly harder. We also consider the problem of secure computation on partially connected networks, as formulated by Garay and Ostrovsky [Eurocrypt '08], and as a corollary to our main result obtain an almost-everywhere secure multi-party computation protocol with the same parameters as above, again significantly improving on the bound on the number of left-out parties-x = O(t log n) for t ≤ αn corruptions, as opposed to x = O(t) in the original work.

The correctness of most randomized distributed algorithms is expressed by a statement of the form \some predicate of the executions holds with high probability, regardless of the order in which actions are scheduled". In this paper, we present a general methodology to prove correctness statements of such randomized algorithms. Speci cally, we show how to prove such statements by a series of re nements, which terminate in a statement independent of the schedule. To demonstrate the subtlety of the issues involved in this type of analysis, we focus on Rabin's randomized distributed algorithm for mutual exclusion 6]. Surprisingly, it turns out that the algorithm does not maintain one of the requirements of the problem under a certain schedule. In particular, we give a schedule under which a set of processes can su er lockout for arbitrary long periods.

In the replacement scheduling problem, a system is composed of n processors drawn from a pool of p. The processors can become faulty while in operation and faulty processors never recover. A report is issued whenever a fault occurs. This report states only the existence of a fault, but does not indicate its location. Based on this report, the scheduler can reconfigure the system and choose another set of n processors. The system operates satisfactorily as long as, upon report of a fault, the scheduler chooses n non-faulty processors. We provide a randomized protocol maximizing the expected number of faults the system can sustain before the occurrence of a crash. The optimality of the protocol is established by considering a closely related dual optimization problem. The game-theoretic technical difficulties that we solve in this paper are very general and encountered whenever proving the optimality of a randomized algorithm in parallel and distributed computation. * One of the first difficulties encountered in randomized computing is that, in most situations, the executions of a randomized algorithm are not solely characterized by random flips; they also depend on nondeterministic choices. (In contrast, the dynamic of a mathematical random walk is purely probabilist.) The choice of the initial input is one of the simplest sources of non-determinism. (See fya791.) Other classical examples are the scheduling order in distributed computing and the pattern of faults in resilient computing. Without loss of generality, when analyzing the worst case behavior of a randomized protocol ', one can assign the non-deterministic "decisions" to a fictitious entity called adversary. We assume that the performance of a given randomized protocol ?r, used in conjunction with an adversary d, is measured by the quantity f(?r, A). Examples of typical performances f(?r, d) are the expected

We present a new proof methodology that uses dynamic process creation to capture the structure of recutsive distributed algorithms&gt; Each recursive invocation of a distributed algorithm is modeled as a separate process, encouraging local reasoning about the individual recursive invocations and making explicit the communicatino that takes place among the concurrently executing invocations. Our methodology involves the construction of hierarchical correctness proofs in which the state of each individual call in a refined algorithm is mapped to the state of a corresponding call in a simpler or more abstract algorithm. Algorithm optimizations that result in the creation of fewer... Read complete abstract on page 2.

In this paper we consider a model where malicious agents can corrupt hosts and move around in a network of processors. We consider a family of mobilefault models MF( t n-1 , ρ). In MF( t n-1 , ρ) there are a total of n processors, the maximum number of mobile faults is t, and their roaming pace is ρ (for example, ρ = 3 means that it takes an agent at least 3 rounds to "hop" to the next host). We study in these models the classical testbed problem for fault-tolerant distributed computing: Byzantine agreement. It has been shown that if ρ = 1, then agreement cannot be reached in the presence of even one fault, unless one of the processors remains uncorrupted for a certain amount of time. Subject to this proviso, we present a protocol for MF( 1 3 , 1), which is optimal. The running time of the protocol is O(n) rounds, also optimal for these models.

In a Distributed Consensus protocol all processors (of which t may be faulty) are given (binary) initial values; after exchanging messages all correct processors must agree on one of them. We measure the quality of a protocol using the following parameters: total number of processors n , number of rounds of message exchange r and maximal message length m . Their optima are respectively 3t+l, t + l and 1. While no known protocol is optimal in all these three aspects simultaneously, the protocols presented in this paper take further steps in this direction. The first protocol, with n 4t, r = t+1 and polynomial message size, improves on the breakthrough result of Moses and Waarts [12]. The second protocol, with n > 3 t , r =3t+3 and m =2, improves on [3] and [13]. Notably, it is asymptotically optimal in all three quality parameters while using the optimal number of processors. Using these protocols as building blocks, we obtain families of protocols with intermediate quality parameters, that offer better tradeoffs than the ones of . All our protocols work in polynomial time and have succint descriptions .

This paper investigates the problem of Byzantine Agreement in a synchronous system where malicious agents can move from process to process, corrupting their host. Earlier works on the problem are based on biased models which, as we argue in the paper, give an unfair advantage either to the correct processes or to the adversary controlling the malicious agents. Indeed, the earlier studies of the problem assume that, after a malicious agent has left a process, that process, said to be cured, is able to instantly and accurately detect the fact that it was corrupted in earlier rounds, and thus can take local actions to recover a valid state (Garay's model). We found no justification for that assumption which clearly favors correct processes. Under that model, an algorithm is known for n > 4t, where n is the number of processes and t the maximum number of malicious agents. The tightness of the bound is unknown. In contrast, more recent work on the problem remove the assumption on detection and assume instead that a malicious agent may have left corrupted messages in the send queue of a cured process. As a result, the adversary controlling the malicious agents can corrupt the messages sent by cured processes, as well as those sent by the newly corrupted ones, thus doubling the number of effective faults. Under that model, which favors the malicious agents, the problem can be solved if and only if n > 6t. In this paper, we refine the latter model to avoid the above biases. While a cured process may send messages (based on a state corrupted by the malicious agent), it will behave correctly in the way it sends those messages: i.e., send messages according to the algorithm. Surprisingly, in this model we could derive a new non-trivial tight bound for Byzantine Agreement. We prove that at least 5t + 1 processors are needed in order to tolerate t mobile Byzantine agents and provide a time optimal algorithm that matches this lower bound, altogether with a formal specification of the problem. This models the situation where, as soon as a faulty node is repaired (e.g., by software rejuvenation), another one becomes compromised. For more than two decades, the main case study problem in this context was Byzantine Agreement. Briefly stated, it requires processors, some of which malicious, that start the computation with an initial value to decide on the same value. When faults are mobile the problem is known as Mobile Byzantine Agreement and requires special attention for preserving agreement once it has been reached. Related work. Byzantine Agreement, introduced by Lamport et al. [12, 16], has been studied for decades in static distributed systems under different aspects (e.g., possibility, complexity, cost) in various models (from synchronous [12,16,17] to asynchronous [5,13], from authenticated [8] to anonymous [14]) with different methodologies (deterministic [12, 16], probabilistic [3, 9]). In all these works, faults are stationary. That is, they do not change their original location during the computation. Santoro et al. [19, 20], and later Schmid et al. [22], investigate the agreement problem in dynamic transmission failure models for both complete and arbitrary networks. These models assume that different communication links may randomly fail at different times. Santoro and Widmayer [19] study the kagreement problem, where the system reaches a k-agreement if, in finite time, k processes choose the same value, either 0 or 1, with k > n/2 , 1 where n is the total number of processes. Based on the bivalent argument of Fischer et al. [10], they state that (n/2 + 1)-agreement is impossible in a synchronous system if at each time there is one processor whose messages may be corrupted. Although not explicitly stated, the impossibility applies to the mobile Byzantine model. Thus, work on Mobile Byzantine Agreement typically rely on the assumption that at least one process remains uncorrupted for Ω(n) rounds of communication. Mobile Byzantine Agreement, introduced by Reischuk [18], has regained much attention recently. Research on the problem, in synchronous systems, follows two main directions: constrained or unconstrained mobility. Constrained mobility. This direction, studied by Buhrman et al. [4], considers that malicious agents move from one node to another only when protocol messages are sent (similar to how viruses would propagate). In that model, they prove a tight bound for Mobile Byzantine Agreement (n > 3t, where t is the maximal number of simultaneously faulty processes) and propose a time optimal protocol that matches this bound. Unconstrained mobility. In this direction, which includes the work in this paper, the mobility of malicious agents is not constrained by message exchanges [1, 11, 15, 18, 21]. Reischuk [18] proposed a first sub-optimal solution under an additional hypothesis on the stability/stationarity of malicious agents for a given period of time. Later, Ostrovsky and Yung [15] introduced the notion of an adversary that can inject and distribute faults in the system at a constant rate in every round

The correctness of most randomized distributed algorithms is expressed by a statement of the form ``some predicate of the executions holds with high probability, regardless of the order in which actions are scheduled&#39;&#39;. In this paper, we present a general methodology to prove correctness statements of such randomized algorithms. Specifically, we show how to prove such statements by a series of refinements, which terminate in a statement independent of the schedule. To demonstrate the subtlety of the issues involved in this type of analysis, we focus on Rabin&#39;s randomized distributed algorithm for mutual exclusion [Rabin 82]. Surprisingly, it turns out that the algorithm does not maintain one of the requirements of the problem under a certain schedule. In particular, we give a schedule under which a set of processes can suffer lockout for arbitrary long periods.

The correctness of most randomized distributed algorithms is expressed by a statement of the form \some predicate of the executions holds with high probability, regardless of the order in which actions are scheduled". In this paper, we present a general methodology to prove correctness statements of such randomized algorithms. Speci cally, we show how to prove such statements by a series of re nements, which terminate in a statement independent of the schedule. To demonstrate the subtlety of the issues involved in this type of analysis, we focus on Rabin's randomized distributed algorithm for mutual exclusion 6]. Surprisingly, it turns out that the algorithm does not maintain one of the requirements of the problem under a certain schedule. In particular, we give a schedule under which a set of processes can su er lockout for arbitrary long periods.

Global consistency or Byzantine Agreement (BA) and reliable point-to-point communication are two of the most important and well-studied problems in distributed computing. Informally, BA is about maintaining a consistent view of the world among all the non-faulty players in the presence of faults. In a synchronous network over n nodes of which up to any t are corrupted by a Byzantine adversary, BA is possible only if all pair point-to-point reliable communication is possible [Dol82, DDWY93]. Specifically, in the standard unauthenticated model, (2t + 1)-connectivity is necessary whereas in the authenticated setting (t + 1)connectivity is required. Thus, a folklore is that maintaining global consistency is at least as hard as the problem of all pair point-to-point communication. Equivalently, it is widely believed that protocols for BA over incomplete graphs exist only if it is possible to simulate an overlay-ed complete graph. Surprisingly, we show that the folklore is far from true -achieving global consistency can be strictly easier than all-pair point-to-point communication. In the authenticated model, it is assumed that the adversary can forge the signatures of only those nodes under its control. In contrast, the unauthenticated model assumes that the adversary can forge the signatures of all the nodes (that is, secure signatures are not used). We initiate a study on the entire gamut of BA's in between, viz., the adversary can forge the signatures of up to any k nodes apart from the up to t nodes that it can actively corrupt. We completely characterize the possibility of BA across the spectrum. Thus, our work attempts to unify the extant literature on agreement. It is, however, more than a mere attempt towards unification as it provides insights into the field. Specifically, apart from the extremes (of k = 0 and k = nt where aforementioned folklore is known to hold), for every intermediate k, there are several networks over which BA is possible but all-pair point-to-point communication is not.

Quantum mechanics provides several methods to generate and securely distribute private lists of numbers suitably correlated to solve the Three Byzantine Generals Problem. So far, these methods are based on three-qutrit singlet states, four-qubit entangled states, and three or two pairwise quantum key distribution channels. Here we show that the problem can be solved using a single qutrit. This scheme presents some advantages over previous schemes, and emphasizes the specific role of qutrits in basic quantum information processing.

We resolve two long-standing open problems in distributed computation by showing that both Byzantine agreement and Leader Election can be solved in sub-exponential time in the asynchronous full information model. Surprisingly, our protocols for both problems run in only polylogarithmic time. We thus achieve a better than exponential speedup over previous results for asynchronous Byzantine agreement. In addition, to the best of our knowledge, ours is the first protocol for asynchronous full-information leader election. Our protocols work in the full information model with a non-adaptive adversary: the adversary is assumed to control up to a constant fraction of the processors, have unlimited computational power as well as access to all communications, but no access to processors ’ private random bits. The adversary is non-adaptive only in the sense that the corrupted processors must be chosen at the outset. Our protocols run in time that is polylogarithmic in the number of processors...

In a heterogeneous ubiquitous peer-to-peer network, different peers may provide different qualities of service, and hence it is very important and helpful to identify those peers that can provide better services than others. In this paper, we use a reputation value to represent the quality of service offered by a peer. We design a novel reputation model which enables any peer to calculate the reputation value of any other peer, so as to differentiate peers that provide good quality of service from peers that provide poor or even faulty service. In order to speed up the convergence of reputation calculation, a peer collects recommendations from its neighbor peers. On the other hand, in order to overcome the problem of malicious recommendations, we propose an auxiliary trust mechanism which calculates a trust value for each peer. Our experimental results show that the reputation model achieves a fast convergence speed, and it is robust against a large portion of malicious peers that provide fraud recommendations.

Abstract. This paper considers a variant of the Byzantine Generals problem, in which processes start with arbitrary real values rather than Boolean values or values from some bounded range, and in which approximate, rather than exact, agreement is the desired goal. Algorithms are presented to reach approximate agreement in asynchronous, as well as synchronous systems. The asynchronous agreement algorithm is an interesting contrast to a result of Fischer et al, who show that exact agreement with guaranteed termination is not attainable in an asynchronous system with as few as one faulty process. The algorithms work by successive approximation, with a provable convergence rate that depends on the ratio between the number of faulty processes and the total number of processes. Lower bounds on the convergence rate for algorithms of this form are proved, and the algorithms presented are shown to

The Scalable Processor-Independent Design for Electromagnetic Resilience (SPIDER) is a new family of fault-tolerant architectures under development at NASA Langley Research Center (LaRC). The SPIDER is a general-purpose computational platform ...

This paper presents a intrusion tolerant architecture for distributed services, especially COTS servers. It is motivated by two observations: First, no security precautions can guarantee that a system will not be penetrated; Second, mission critical applications need to provide minimal level of services even under active attacks or partially compromised. The emphasis of proposed architecture is on the continuity of operation. In this context, effects are more important than causes because a system will have to deal with and survive an adverse effect long before a determination is made as to whether the cause was an malicious attack, or a accidental failure. We utilize the techniques of both redundancy and diversity as our building blocks. Five critical components are defined in this proposed architecture: (1) Proxy Servers enforce the service policy specified by current intrusion tolerant strategy and policies determine which COTS servers the request should be "forwarded" to and how the final result be presented. (2) Acceptance Monitors apply validity checks to the response, optionally forward them to Ballot monitors along with indication of checking results. Acceptance monitors also detect signs of compromise on the COTS servers and generate intrusion triggers. (3) Ballot Monitors serve as "representatives" for the respective COTS servers to solve conflicts, and decide a final response through either a majority voting or Byzantine agreement process. The actual process taken will depend on the current level of detected security threat. (4) Adaptive Reconfiguration module receives intrusion trigger information from other modules (including Acceptance Monitors), evaluates threats, the tolerance objectives, cost/performance impact, and generate new configurations for the system. (5) Audit Control verifies the audit records and identifies abnormal behaviors in components by conducting periodic diagnosis tests.

Abstract—The popularity of wide-area computer services has generated a compelling need for efficient algorithms that provide high reliability. Byzantine fault-tolerant (BFT) algorithms can be used with this purpose because they allow replicated systems to continue to provide a correct service even when some of their replicas fail arbitrarily, either accidentally or due to malicious faults. Current BFT algorithms perform well on LANs but when the replicas are distributed geographically their performance is affected by the lower bandwidth and the ...

We consider the round complexity of a basic cryptographic task: verifiable secret sharing (VSS). This well-studied primitive provides a good "test case" for our understanding of round complexity in general; moreover, VSS is important in its own right as a central building block for, e.g., Byzantine agreement and secure multi-party computation. The round complexity of perfect VSS was settled by Gennaro et al. (STOC 2001) and Fitzi et al. (TCC 2006). In a surprising result, Patra et al. (Crypto 2009) recently showed that if a negligible probability of error is allowed, the previous bounds no longer apply. We settle the key questions left open by their work, and in particular determine the exact round complexity of statistical VSS with optimal threshold. Let n denote the number of parties, at most t of whom are malicious. Their work showed that 2-round statistical VSS is impossible for t ≥ n/3. We show that 3-round statistical VSS is possible iff t < n/2. We also give an efficient 4-round protocol for t < n/2. 1 Following the accepted convention, the round complexity of VSS refers to that of the sharing phase.

Quantum mechanics is the current best description of the world as we know it. Experiments have shown that quantum predictions are accurate up ten places of decimal. In quantum cryptography much work has been devoted to the study of Quantum Key Distribution (QKD). The purpose of QKD is to securely distribute secret keys between the users in a network. As a result, several quantum cryptographic protocols have been implemented and tested after the advent of quantum computing. In this paper, we have given a brief overview of QKD, and some practical networks that integrate QKD in the current Internet security architecture. We have also discussed some aspects of quantum network security with particular attention to Byzantine Agreement Protocol.

This paper describes the Multicomputer Architecture for Fault-Tolerance (MAFT), a distributed system designed to provide extremely reliable computation in real-time control systems. MAFT is based on the physical and functional partitioning of executive functions from application functions. The implementation of the executive functions in a special-purpose hardware processor allows the fault-tolerance functions to be transparent to the application programs and minimizes overhead. Byzantine Agreement and Approximate Agreement algorithms are employed for critical system parameters. MAFT supports the use of multiversion hardware and software to tolerate built-in or generic faults. Graceful degradation and restoration of the application workload is permitted in response to the exclusion and readmission of nodes, respectively.