Generalized communication and security models in Byzantine agreement

Byzantine agreement (BA) is a primitive of fundamental importance for fault-tolerant distributed computing and cryptographic protocols. BA among a set of n players allows them to reach agreement about a value even if some of the players are malicious and try to prevent agreement among the non-faulty players by distributing false information. Since the initial statement of the BA problem, a small number of widely accepted standard models have been established, distinguishing between aspects such as what means of communication are given among the players or how powerful the faulty players are. Both in research on Byzantine agreement and its applications, these standard models are obstinately followed. Besides a selective overview on some standard models in Byzantine agreement, this thesis gives a broader view on the problem by considering natural generalizations of these models and generalizations of the problem definition itself. Thereby the main focus is on synchronous networks and active adversaries. It turns out that some of these generalizations, without restricting the adversarial power, allow for BA protocols that achieve a level of security that is provably unachievable in their corresponding standard models. The main contributions are described in the following paragraphs whereby n denotes the number of players and t the number of cheaters among the players.

Security. Standard BA provides either unconditional or computational security. Unconditionally secure protocols for BA are provably secure but can only tolerate a relatively small number of cheaters, typically t < n/3. Computationally secure ones often tolerate any number of cheaters, t < n, but their security is based on unproven intractability assumptions. So far, every previous computationally secure protocol from the literature has the property that, in case its underlying intractability assumption is false, it does not withstand one single cheater, t = 0. In contrast, we show that computational and unconditional security can be combined by presenting protocols computationally secure against some large number t_1 of cheaters but, at the same time, still unconditionally secure against some smaller number t_0 > 0 of cheaters. It is shown that BA of this flavor is achievable if and only if 2t_0 + t_1 to

Communication. Standard communication models assume either pairwise authenticated or pairwise secure channels among the players. In these models, unconditional BA is achievable if and only if t < n/3. A natural generalization of these models is to assume partial broadcast among the players to be possible, i.e., that for some number b > 2, broadcast is achievable among each set of b players. It is shown that for any b, 2 < b < n, BA is achievable if and only if t < f^n.

New threshold paradigm. The security of standard BA is defined with respect to one threshold t, meaning that BA is achieved in the presence of up to f < t cheaters but that no security is guaranteed at all if f > t. In particular, unconditionally secure protocols are completely insecure in the presence of f > n/3 > t cheaters. However, in reality, nothing would really guarantee that f < t and thus the usefulness of non-fully resilient protocols is questionable. Preferably, a non-fully resilient protocol should guarantee BA for some threshold t, but in case that more than t players are cheating, f > t, and BA cannot be achieved, it should be guaranteed that all players safely abort the protocol in unison. We show that this is possible if and only if t = 0. More generally, we introduce the notion of two-threshold BA, involving two different thresholds t_v and t_c: if at most t_v players cheat then the "validity condition" of BA is achieved and, if at most t_c players cheat then the "consistency condition" of BA is achieved. We show that two-threshold BA is achievable if and only if both t_v + 2t_c < n and 2t_v + t_c