Adaptively Secure Broadcast

A broadcast protocol allows a sender to distribute a message through a point-to-point network to a set of parties, such that (i) all parties receive the same message, even if the sender is corrupted, and (ii) the received message is the sender's message if the sender is honest. Broadcast protocols satisfying these properties are known to exist if and only if t < n/3, where n denotes the total number of parties and t denotes the maximal number of corruptions. When a setup allowing signatures is available to the parties, such protocols exist even for t < n. Since its introduction in [LSP82], broadcast has been used as a primitive in numerous multi-party protocols, making it one of the fundamental primitives in the distributed-protocols literature. The security of these protocols is analyzed in a model that assumes an ideally behaving broadcast primitive. Clearly, a definition of broadcast should allow for secure composition: it should be secure to replace an assumed broadcast primitive by any protocol satisfying this definition. Following recent cryptographic reasoning, the ideal behavior of broadcast can be described as an ideal functionality, and a simulation-based definition can be used to guarantee secure composition.

In this work, we show that the property-based definition of broadcast does not imply the simulation-based definition for the natural broadcast functionality. In fact, most broadcast protocols in the literature do not securely realize this functionality, which raises a composability issue for these protocols. In particular, we do not know of any broadcast protocol which could be securely invoked in a multi-party computation protocol in the secure-channels model. The problem is that existing broadcast protocols do not preserve the secrecy of the message while it is being broadcast, and in particular allow the adversary to corrupt the sender (and change the message) depending on the message being broadcast. For example, when every party should broadcast a random bit, the adversary could corrupt those parties who intend to broadcast 0 and make them broadcast 1 instead.

More concretely, we show that simulatable broadcast in a model with secure channels is possible if and only if t < n/3, and if and only if t ≤ n/2 when a signature setup is available. The positive results are proven by constructing secure broadcast protocols.
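The random-bit example above can be made quantitative. The following is an added illustration, not code from the paper: it contrasts the ideal world, where the broadcast functionality delivers each bit atomically and so any adaptive corruption must be chosen before the bit is known, with a real-world protocol that first sends the message over point-to-point channels and therefore leaks it to an already corrupted receiver. It assumes n senders each broadcasting a fair coin, an adversary that may corrupt at most t senders, and (hypothetical simplification) that a corrupted sender's bit can be replaced by the adversary. The expected number of 1s in the real world exceeds what any ideal-world adversary can achieve, which is exactly the distinguishing gap that rules out a simulator.

```python
"""Added illustration (not from the paper): message-dependent adaptive
corruption biases a parallel random-bit broadcast beyond what the ideal
functionality allows.  Assumptions: n senders, fair coins, at most t
corruptions, and a corrupted sender's bit may be replaced (simplification)."""
import random
from math import comb


def ideal_world_expected_ones(n: int, t: int) -> float:
    # Ideal world: the functionality delivers bits atomically, so the adversary
    # corrupts t senders blindly and sets them to 1; the other n-t are fair coins.
    return t + (n - t) / 2


def real_world_expected_ones(n: int, t: int) -> float:
    # Real world: round-1 messages leak to a corrupted receiver, so the adversary
    # learns Z = #senders intending 0 (Z ~ Bin(n, 1/2)) and flips min(Z, t) of them.
    total = 0.0
    for z in range(n + 1):
        p = comb(n, z) / 2 ** n
        total += p * ((n - z) + min(z, t))
    return total


def attack_on_leaky_broadcast(intended: list, t: int) -> list:
    # One real-world execution: corrupt up to t senders whose bit is 0 and
    # change their broadcast to 1.  Returns the bits the honest parties output.
    out = list(intended)
    zero_senders = [i for i, b in enumerate(intended) if b == 0]
    for i in zero_senders[:t]:
        out[i] = 1
    return out


def ideal_world_execution(intended: list, t: int, rng=None) -> list:
    # One ideal-world execution: the corruption set is chosen without seeing
    # any bit, so some of the t corruptions land on senders already sending 1.
    rng = rng or random.Random(0)
    out = list(intended)
    for i in rng.sample(range(len(intended)), t):
        out[i] = 1
    return out


if __name__ == "__main__":
    n, t = 10, 3
    print("ideal E[#ones] =", ideal_world_expected_ones(n, t))
    print("real  E[#ones] =", real_world_expected_ones(n, t))
```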
