Results 1 - 10 of 27
Secure and efficient asynchronous broadcast protocols (Extended Abstract)
Advances in Cryptology: CRYPTO 2001, 2001
Cited by 67 (19 self)
Broadcast protocols are a fundamental building block for implementing replication in fault-tolerant distributed systems. This paper addresses secure service replication in an asynchronous environment with a static set of servers, where a malicious adversary may corrupt up to a threshold of servers and controls the network. We develop a formal model using concepts from modern cryptography, give modular definitions for several broadcast problems, including reliable, atomic, and secure causal broadcast, and present protocols implementing them. Reliable broadcast is a basic primitive, also known as the Byzantine generals problem, providing agreement on a delivered message. Atomic broadcast imposes additionally a total order on all delivered messages. We present a randomized atomic broadcast protocol based on a new, efficient multivalued asynchronous Byzantine agreement primitive with an external validity condition. Apparently, no such efficient asynchronous atomic broadcast protocol maintaining liveness and safety in the Byzantine model has appeared previously in the literature. Secure causal broadcast extends atomic broadcast by encryption to guarantee a causal order among the delivered messages. Our protocols use threshold cryptography for signatures, encryption, and coin-tossing.
From consensus to atomic broadcast: Time-free Byzantine-resistant protocols without signatures
Computer Journal, 2006
Cited by 31 (14 self)
This paper proposes a stack of three Byzantine-resistant protocols aimed to be used in practical distributed systems: multivalued consensus, vector consensus and atomic broadcast. These protocols are designed as successive transformations from one to another. The first protocol, multivalued consensus, is implemented on top of a randomized binary consensus and a reliable broadcast protocol. The protocols share a set of important structural properties. First, they do not use digital signatures constructed with public-key cryptography, a well-known performance bottleneck in this kind of protocols. Second, they are time-free, i.e. they make no synchrony assumptions, since these assumptions are often vulnerable to subtle but effective attacks. Third, they are completely decentralized, thus avoiding the cost of detecting corrupt leaders. Fourth, they have optimal resilience, i.e. they tolerate the failure of f = ⌊(n − 1)/3⌋ out of a total of n processes. In terms of time complexity, the multivalued consensus protocol terminates in a constant expected number of rounds, while the vector consensus and atomic broadcast protocols have O(f) complexity. The paper also proves the equivalence between multivalued consensus and atomic broadcast in the Byzantine failure model without signatures. A similar proof is given for the equivalence between multivalued consensus and vector consensus. These two results have theoretical relevance since they show once more that consensus is a fundamental problem in distributed systems.
On expected constant-round protocols for Byzantine agreement
In Advances in Cryptology — Crypto ’06, 2006
Cited by 21 (5 self)
In a seminal paper, Feldman and Micali show an n-party Byzantine agreement protocol in the plain model that tolerates t < n/3 malicious parties and runs in expected constant rounds. Here, resolving a question that had been open since their work, we show an expected constant-round protocol for authenticated Byzantine agreement assuming honest majority (i.e., t < n/2), and relying only on the existence of signature schemes and a public-key infrastructure. Combined with existing results, this gives the first expected constant-round protocol for secure computation with honest majority in a point-to-point network under the same assumptions. Our key technical tool — a new primitive we introduce called moderated VSS — also yields a simpler proof of the Feldman-Micali result. In addition, we show a simple technique for sequential composition of Byzantine agreement protocols that do not achieve simultaneous termination, something that is inherent for protocols using o(t) rounds.
Optimistic Asynchronous Atomic Broadcast
In the Proceedings of International Colloquium on Automata, Languages and Programming (ICALP05) (L. Caires, G.F. Italiano, L. Monteiro, Eds.) LNCS 3580, 2001
Cited by 17 (2 self)
This paper presents a new protocol for atomic broadcast in an asynchronous network with a maximal number of Byzantine failures. It guarantees both safety and liveness without making any timing assumptions or using any type of "failure detector." Under normal circumstances, the protocol runs in an "optimistic mode," with extremely low message and computational complexity - essentially, just performing a Bracha broadcast for each request. In particular, no potentially expensive public-key cryptographic operations are used. In rare circumstances, the protocol may briefly switch to a "pessimistic mode," where both the message and computational complexity are significantly higher than in the "optimistic mode," but are still reasonable.
Unconditional Byzantine Agreement and Multi-Party Computation Secure Against Dishonest Minorities from Scratch
In Advances in Cryptology - EUROCRYPT 2002, Lecture Notes in Computer Science, 2002
Cited by 16 (6 self)
Abstract. It is well-known that n players, connected only by pairwise secure channels, can achieve unconditional broadcast if and only if the number t of cheaters satisfies t < n/3. In this paper, we show that this bound can be improved — at the sole price that the adversary can prevent successful completion of the protocol, but in which case all players will have agreement about this fact. Moreover, a first time slot during which the adversary forgets to cheat can be reliably detected and exploited in order to allow for future broadcasts with t < n/2. This even allows for secure multiparty computation with t < n/2 after the first detection of such a time slot.
Two-threshold broadcast and detectable multiparty computation
In Advances in Cryptology — EUROCRYPT ’03, 2003
Cited by 12 (4 self)
Abstract. Classical distributed protocols like broadcast or multiparty computation provide security as long as the number of malicious players f is bounded by some given threshold t, i.e., f ≤ t. If f exceeds t then these protocols are completely insecure. We relax this binary concept to the notion of two-threshold security: Such protocols guarantee full security as long as f ≤ t for some small threshold t, and still provide some degraded security when t < f ≤ T for a larger threshold T. In particular, we propose the following problems.
◦ Broadcast with Extended Validity: Standard broadcast is achieved when f ≤ t. When t < f ≤ T, then either broadcast is achieved, or every player learns that there are too many faults. Furthermore, when the sender is honest, then broadcast is always achieved.
◦ Broadcast with Extended Consistency: Standard broadcast is achieved when f ≤ t. When t < f ≤ T, then either broadcast is achieved, or every player learns that there are too many faults. Furthermore, the players agree on whether or not broadcast is achieved.
◦ Detectable Multi-Party Computation: Secure computation is achieved when f ≤ t. When t < f ≤ T, then either the computation is secure, or all players detect that there are too many faults and abort.
The above protocols for n players exist if and only if t = 0 or t + 2T < n.
The best of both worlds: guaranteeing termination in fast randomized byzantine agreement protocols
Information Processing Letters, 1990
The Byzantine Firing Squad Problem
1987
Cited by 10 (3 self)
A new problem, the Byzantine firing squad problem, is defined and solved in two versions, permissive and strict. Both problems provide for synchronization of n initially unsynchronized processors in a synchronous network, in the absence of a common clock and in the presence of a limited number of faulty processors. Solutions are given which take the same number of rounds as Byzantine agreement but transmit at most r times as many bits, where r is the number of rounds. Additional solutions are provided which use one (permissive) or two (strict) additional rounds and send only a constant times the number of bits used by a chosen Byzantine agreement algorithm.
Fast self-stabilizing byzantine tolerant digital clock synchronization
2008
Cited by 10 (2 self)
Consider a distributed network in which up to a third of the nodes may be Byzantine, and in which the non-faulty nodes may be subject to transient faults that alter their memory in an arbitrary fashion. Within the context of this model, we are interested in the digital clock synchronization problem; which consists of agreeing on bounded integer counters, and increasing these counters regularly. It has been postulated in the past that synchronization cannot be solved in a Byzantine tolerant and self-stabilizing manner. The first solution to this problem had an expected exponential convergence time. Later, a deterministic solution was published with linear convergence time, which is optimal for deterministic solutions. In the current paper we achieve an expected constant convergence time. We thus obtain the optimal probabilistic solution, both in terms of convergence time and in terms of resilience to Byzantine adversaries.
On Protocol Security in the Cryptographic Model
Concurrency, CONCUR 93 (E. Best, Ed.), LNCS 715, Springer-Verlag, 2003
Cited by 10 (2 self)
It seems to be a generally acknowledged fact that you should never trust a computer and that you should trust the person operating the computer even less. This in particular becomes a problem when the party that you do not trust is one which is separated from you and is one on which you depend, e.g. because that party is the holder of some data or some capability that you need in order to operate correctly. How do you perform a given task involving interaction with other parties while allowing these parties a minimal influence on you and, if privacy is an issue, allowing them to learn as little about you as possible? This is the general problem of secure multiparty computation. The usual way of formalizing the problem is to say that a number of parties who do not trust each other wish to compute some function of their local inputs, while keeping their inputs as secret as possible and guaranteeing the correctness of the output. Both goals should be obtained even if some parties stop participating or some malevolent coalition of the parties start deviating arbitrarily from the agreed protocol. The task is further complicated by the fact that besides their mutual distrust, nor do the parties trust the channels by which they communicate. A general solution to the secure multiparty computation problem is a compiler which given any feasible function describes an efficient protocol which allows the parties to compute the function securely on their local inputs over an open network.