Strong Separations Between Broadcast and Authenticated Channels

LIPICS - Leibniz International Proceedings in Informatics, Sep 2018

In the theory of distributed systems and cryptography one considers a setting with n parties, (often) connected via authenticated bilateral channels, who want to achieve a certain goal even if some fraction of the parties is dishonest. A classical goal of this type is to construct a broadcast channel. A broadcast channel guarantees that all honest recipients get the same value v (consistency) and, if the sender is honest, that v is the sender's input (validity). Lamport et al. showed that it is possible to construct broadcast if and only if the fraction of cheaters is less than a third. A natural question, first raised by Lamport, is whether there are weaker, still useful primitives achievable from authenticated channels. He proposed weak broadcast, where the validity condition must hold only if all parties are honest, and showed that it can be achieved with an unbounded number of protocol rounds, while broadcast cannot, suggesting that weak broadcast is in a certain sense weaker than broadcast. The purpose of this paper is to deepen the investigation of the separation between broadcast and authenticated channels. This is achieved by proving the following results. First, we prove a stronger impossibility result for 3-party broadcast: even if two of the parties can broadcast, one cannot achieve broadcast for the third party. Second, we prove a strong separation between authenticated channels and broadcast by exhibiting a new primitive, called XOR-cast, which satisfies two conditions: (1) XOR-cast is strongly unachievable (even with small error probability) from authenticated channels (which is not true for weak broadcast), and (2) broadcast is strongly unachievable from XOR-cast (and authenticated channels). This demonstrates that the hierarchy of primitives has a more complex structure than previously known. Third, we prove a strong separation between weak broadcast and broadcast which is not implied by Lamport's results. The proofs of these results require the generalization of known techniques for impossibility proofs.

http://drops.dagstuhl.de/opus/volltexte/2018/9825/pdf/LIPIcs-DISC-2018-36.pdf

DISC

Strong Separations Between Broadcast and Authenticated Channels

Julian Loss, Ruhr University Bochum, Germany, https://orcid.org/0000-0002-7979-3810
Ueli Maurer, ETH Zurich, Switzerland
Daniel Tschudi, ETH Zurich, Switzerland [1]

2012 ACM Subject Classification: Theory of computation → Cryptographic protocols

Keywords and phrases: cryptography; multi-party computation; broadcast; impossibility

[1] Author was supported by advanced ERC grant MPCPRO.

1 Introduction

1.1 Broadcast and Weaker Consistency Guarantees

In the theory of distributed systems and in cryptography one often considers a set of n parties which must securely perform a certain computation, even if some of the parties are dishonest. Broadcast, one of the most fundamental and widely used such primitives, allows one (possibly cheating) party to distribute a value m consistently to the other parties, in a context where only bilateral (authenticated) channels between parties are available. More formally, a broadcast protocol allows a sender to distribute a value $v_s$ such that:

Consistency: Every honest party outputs the same value v.
Validity: If the sender is honest, the honest parties output the sender's value $v = v_s$.

The seminal result of [12] and [10] states that given authenticated channels, broadcast can be achieved if and only if strictly less than n/3 of the involved parties behave dishonestly, even if an error probability of less than 1/3 were tolerated. In this work, consistency guarantees of a primitive, e.g. a broadcast channel, to which (potentially) each party has an input and receives an output, are modelled in a very general and natural manner, using so-called consistency specifications [14]. Such a specification captures, for every set H of (assumed) honest parties and for every tuple of input values of these honest parties, which tuples of output values are possible, no matter what the other parties do.
In other words, a specification guarantees that no adversarial behavior can result in the honest parties' output values lying outside the specified set of tuples. Note that while this concept captures consistency guarantees in the most general form, it does (intentionally) not capture secrecy guarantees.

Broadcast guarantees a very strong form of consistency. The study of primitives with a weaker form of consistency guarantee is well-motivated for two different reasons described below.

First, as argued by Lamport in [11], there are settings of practical relevance where a weaker form of broadcast is sufficient. Specifically, in the transaction commit problem, a database transaction is coordinated by some (not necessarily honest) party $P_1$ who decides whether a transaction should be committed or aborted. A single dishonest party $P_i$ may be enough to cause the transaction to be aborted, but in this case, the honest parties must agree on whether to abort the transaction or to commit to it. To formalize this setting, [11] introduced a weaker form of broadcast, which we will henceforth refer to as a weak broadcast channel. This channel behaves like a regular broadcast channel if all parties are honest, but requires the validity condition to hold only if every party is honest. Such a guarantee may be achievable even if broadcast is not achievable.

Second, such a weaker primitive P might be assumed to be available, and one can ask whether a stronger primitive (e.g. a broadcast channel) can be achieved by a protocol that not only can use authenticated channels, but also has access to P. A result of this type, proved in [4], is that broadcast is achievable up to n/2 cheaters, assuming that each party can broadcast to any two other parties. The ultimate goal of a theory in this field is a characterization of various levels of consistency guarantees as well as the hierarchy between them.
1.2 Contribution and Outline

In this work, we are concerned with refining the hierarchy between different types of consistency guarantees and placing weak broadcast in such a hierarchy. As is common for impossibility results in distributed computing, we first prove all of our results in the setting of three parties and then generalize them to the n-party setting.

In order to strengthen the known impossibility result of [12] one can investigate whether it still holds even if certain primitives are available to the parties, in addition to bilateral authenticated communication. We prove (see Section 4.1) that even if two of the three parties can broadcast values, there is no protocol that would allow the third party to broadcast a value. The proof of this result requires the generalization of known techniques for impossibility proofs to a setting where additional primitives are given. This contribution, which is used throughout the paper, is of independent interest beyond the specific results of this paper.

In order to investigate the hierarchy of consistency primitives between authenticated channels and broadcast, we propose an intermediate level which we call XOR-cast (see Section 4.2). This channel takes a bit $b_1$ from $P_1$ and a bit $b_2$ from $P_2$ as input. If all parties behave correctly, the value of $b_1 \oplus b_2$ should be output by all parties. If one of the parties $P_1$ or $P_2$ is dishonest, the honest parties must output the same value. If $P_3$ is dishonest, the remaining parties must output $b_1 \oplus b_2$. We demonstrate a strong separation between authenticated channels and broadcast by proving two strong impossibility results, where we call an impossibility strong if it holds even if a constant error probability is tolerated and even if an arbitrary number of communication rounds is allowed. First, it is strongly impossible to achieve XOR-cast from authenticated communication. Second, it is strongly impossible to achieve broadcast from XOR-cast and authenticated communication.
This demonstrates that the hierarchy of primitives has a more complex structure than previously known.

The outline of our paper is as follows. In Section 2.1, we introduce the notion of consistency specifications and protocols. We also give some motivating examples of consistency specifications that will be used throughout our work. Here, we extend the work of [14] to the case of probabilistic protocols. In Section 3, we introduce the impossibility proof technique used in this work. In Section 4, we prove our main results, as explained above. Finally, in Section 5 we show how to generalize the results to the n-party case.

1.3 Related Work

Results on the possibility and impossibility of achieving broadcast when other primitives (stronger than authenticated communication) are available were proved in [4, 1, 6, 16, 13]. In a related line of work, [9, 15] derive combinatorial lower bounds on the number of partial broadcast channels among a set of parties needed in order to still be able to achieve broadcast. The general problem of constructing consistency primitives from assumed such primitives was proposed and formalized in [14]. In [11, 2] it is shown that there exists no perfectly secure protocol which constructs weak broadcast from authenticated channels in a finite number of rounds if n/3 or more of the parties behave dishonestly. On the other hand, Lamport provides a protocol which achieves weak broadcast, but requires an infinite amount of runtime. This suggests that weak broadcast is in some sense weaker than broadcast; namely, the result in [12] implies that there exists no such approximation protocol for broadcast. However, in distributed computing or MPC one is mostly interested in protocols which run for a fixed number of rounds (or at least terminate eventually). Here, Lamport's results show that both weak broadcast and broadcast cannot be achieved with zero error probability given authenticated channels.
If one allows protocols with an error probability negligible in the number of rounds, the impossibility for broadcast still holds. On the other hand, it was shown in [3] that weak broadcast can be achieved from authenticated channels with arbitrarily small error probability. Moreover, [12, 11, 3] do not consider the relation between weak broadcast and broadcast. In particular, it is not shown whether broadcast can be achieved given weak broadcast. Upper bounds for probabilistic broadcast and Byzantine agreement were also studied in [10, 5]. [10] gives an upper bound of 2/3 (for the success probability) for the fully synchronous, round-based setting. Somewhat surprisingly, [5] consider a synchronous model with a rushing adversary that can observe the inputs of all other parties in each round before deciding on its own input for the round. In this setting, [5] show the stronger bound of $(\sqrt{5} - 1)/2$ and also give protocols that match this bound. Such a stronger bound is possible only because the guarantee is stronger and includes a secrecy guarantee: the adversary must not learn the output too early.

2 Preliminaries and Notation

Let $\mathcal{P} = \{P_1, \ldots, P_n\}$ be a set of n parties (also known as players or processors). For convenience, we will sometimes use i instead of $P_i$. We distinguish between the subset of honest parties, $H \subseteq \mathcal{P}$, and the dishonest parties in the complement, $\mathcal{P} \setminus H$. Honest parties will execute protocol instructions whereas dishonest parties can deviate arbitrarily from the protocol. For a set M and a subset $S \subseteq \mathcal{P}$, we denote by $M^S$ the Cartesian product $\prod_{i \in S} M$. Moreover we write [n] for the set $\{1, \ldots, n\}$.

2.1 Consistency Specifications

Primitives, such as a broadcast channel, provide the honest parties with consistency guarantees. That is, for every set H of honest parties and every possible choice $\vec{x}_H$ of inputs, the consistency guarantees restrict the set of possible outputs of the honest parties.
In this manner, consistency guarantees limit the influence of dishonest parties on the possible outputs of honest parties. We thus model such primitives as functions called consistency specifications that map a set of honest parties along with their inputs to a non-empty set of possible outputs. A smaller set of possible outputs implies stronger guarantees offered by the consistency specification, as the uncertainty over the actual output is smaller. More formally, a consistency specification (introduced in [14]) with input domain D and output domain R is defined as follows.

Definition 1. A consistency specification with input domain D and output domain R is a function which assigns to every non-empty subset $H \subseteq \mathcal{P}$ and every input tuple $\vec{x}_H \in D^H$ a non-empty set $C(H, \vec{x}_H) \subseteq R^H$ of output tuples and satisfies the following monotonicity constraint: for any non-empty subset $H' \subseteq H \subseteq \mathcal{P}$,

$$C(H, \vec{x}_H)|_{H'} \subseteq C(H', \vec{x}_H|_{H'}). \qquad (1)$$

The monotonicity constraint ensures that larger sets of honest parties do not have weaker consistency guarantees. It is therefore natural to require that $C(H, \vec{x}_H)$ is non-empty for any choice of H and $\vec{x}_H$, as having no output is as good as having an arbitrary output.

Important Consistency Specifications. We consider two important examples of consistency specifications that we will use throughout this work.

Definition 2. A bit broadcast channel $BC_i$ for sender $P_i$ can be defined as the following consistency specification:

$$BC_i(H, \vec{x}_H) = \left\{ \vec{y}_H \in \{0,1\}^H \;\middle|\; \exists v\; \big(\forall j \in H : \vec{y}_H|_{\{j\}} = v\big) \wedge \big(i \in H \Rightarrow v = \vec{x}_H|_{\{i\}}\big) \right\}.$$

The first condition ensures consistency (all honest parties output the same bit) and the second condition ensures validity (if the sender is honest, the output bit is its input bit).

Definition 3. An authenticated bit-channel $Auth_{i,j}$ from $P_i$ to $P_j$ can be defined as the following consistency specification:

$$Auth_{i,j}(H, \vec{x}_H) = \left\{ \vec{y}_H \in \{0,1\}^H \;\middle|\; i, j \in H \Rightarrow \vec{y}_H|_{\{j\}} = \vec{x}_H|_{\{i\}} \right\}.$$
It guarantees that $P_j$'s output is equal to the input of $P_i$ if both of them are honest.

In the above examples, the inputs of all (honest) parties except $P_i$ have no influence on the consistency guarantee. Similarly for $Auth_{i,j}$, the outputs of all (honest) parties except $P_j$ provide no information (they are arbitrary). We say that such parties have no input, respectively no output. Formally, we define empty inputs and outputs as follows.

Definition 4. Let C be a consistency specification with input domain D and output domain R. A party $P_i$ has no input if for every H with $P_i \in H$ and all $\vec{a}_H, \vec{b}_H \in D^H$ with $\vec{a}_H|_{H \setminus \{i\}} = \vec{b}_H|_{H \setminus \{i\}}$ it holds that $C(H, \vec{a}_H) = C(H, \vec{b}_H)$. A party $P_i$ has no output if for every H with $P_i \in H$ and all $\vec{x}_H$ it holds that $C(H, \vec{x}_H)|_{\{i\}} = R$.

Finally, we note that the parallel composition of several consistency specifications once again forms a consistency specification. More formally, consider consistency specifications $C^{(1)}, \ldots, C^{(\ell)}$ where $C^{(j)}$ has input domain $D_j$ and output domain $R_j$ for $j \in [\ell]$. The parallel composition of $C^{(1)}, \ldots, C^{(\ell)}$ is defined as follows.

Definition 5. The parallel composition of $C^{(1)}, \ldots, C^{(\ell)}$ is the (D, R)-consistency specification $[C^{(1)}, \ldots, C^{(\ell)}]$ where $D = \prod_{j \in [\ell]} D_j$, $R = \prod_{j \in [\ell]} R_j$, and for every $H \subseteq \mathcal{P}$ and all $\vec{x}_H = (x_i^j)_{j \in [\ell],\, i \in H} \in D^H$ it holds that

$$[C^{(1)}, \ldots, C^{(\ell)}](H, \vec{x}_H) = \left\{ \vec{y}_H \in R^H \;\middle|\; \vec{y}_H = (y_i^j)_{j \in [\ell],\, i \in H} \wedge \forall j\; (y_i^j)_{i \in H} \in C^{(j)}\big(H, (x_i^j)_{i \in H}\big) \right\}.$$

The complete network of authenticated channels can be seen as the parallel composition of authenticated channels.

Definition 6. The complete network Auth of authenticated bit-channels for parties $\mathcal{P}$ is the parallel composition of the set $\{Auth_{i,j} \mid P_i, P_j \in \mathcal{P}\}$ of all authenticated bit-channels.

2.2 Protocols and Constructions

Protocols are means to construct new consistency specifications from given consistency specifications. A protocol execution is round-based and proceeds as follows.
In each round, a party computes an input to the consistency specification used in this round. This input may depend on its protocol input and on outputs from previously invoked consistency specifications. At the end of the protocol execution, each party computes its protocol output as a function of its protocol input and all the outputs it received from invoked specifications over the course of the protocol.

Deterministic Protocols. A deterministic protocol runs for $\ell \geq 0$ rounds. In each round r, party $P_i$ uses the deterministic round function $f_i^{(r)}$ to compute its input for the round specification $C^{(r)}$, which has input domain $D_r$ and output domain $R_r$. At the end of the last round, party $P_i$ uses its output function $g_i$ to compute its protocol output. Denote by $\vec{C} = (C^{(r)})_{r \in \{1, \ldots, \ell\}}$ the tuple of invoked specifications. Then we can define a deterministic protocol as follows.

Definition 7 ([14]). A deterministic $\ell$-round protocol $\pi$ for tuple $\vec{C}$ with input domain D and output domain R consists of round functions

$$f_i^{(r)} : D \times R_1 \times \cdots \times R_{r-1} \to D_r \qquad \forall i \in \mathcal{P},\ \forall r \in [\ell]$$

and output functions

$$g_i : D \times R_1 \times \cdots \times R_\ell \to R \qquad \forall i \in \mathcal{P}.$$

We explicitly allow zero-round protocols where no consistency specifications are invoked. By executing the protocol $\pi$ using tuple $\vec{C}$, the parties achieve a new consistency specification denoted by $\pi^{\vec{C}}$. The following definition formally defines how the output of $\pi^{\vec{C}}$ is computed by iteratively applying the round functions of $\pi$ to the input tuple $\vec{x}_H$.

Definition 8. For a protocol $\pi$ and the corresponding tuple $\vec{C}$ the protocol specification $\pi^{\vec{C}}$ is the following consistency specification, such that for every $H \subseteq \mathcal{P}$ and $\vec{x}_H = (x_i)_{i \in H} \in D^H$, we have:

$$\pi^{\vec{C}}(H, \vec{x}_H) = \left\{ (y_i)_{i \in H} \in R^H \;\middle|\; \begin{array}{l} \forall r \in [\ell]\ \exists (x_i^r)_{i \in H} \in D_r^H\ \exists (y_i^r)_{i \in H} \in R_r^H \text{ such that } \forall i \in H: \\ x_i^r = f_i^{(r)}(x_i, y_i^1, \ldots, y_i^{r-1}),\quad (y_i^r)_{i \in H} \in C^{(r)}\big(H, (x_i^r)_{i \in H}\big),\quad y_i = g_i(x_i, y_i^1, \ldots, y_i^{\ell}) \end{array} \right\}.$$
The goal of a protocol execution is to achieve a consistency specification whose guarantees are at least as strong as the guarantees of some target specification C. As already argued, the consistency guarantee becomes stronger as the set of possible outputs becomes smaller. Therefore, we say that a protocol $\pi$ constructs a consistency specification C from the tuple $\vec{C}$ if the set of possible outputs $\pi^{\vec{C}}(H, \vec{x}_H)$ of the protocol specification, for arbitrary inputs $H, \vec{x}_H$, is a subset of the corresponding set of possible outputs $C(H, \vec{x}_H)$ of the target specification C. Formally:

Definition 9. A protocol $\pi$ constructs a specification C from the tuple $\vec{C}$ if for all $H \subseteq \mathcal{P}$ and all $\vec{x}_H$ we have

$$\pi^{\vec{C}}(H, \vec{x}_H) \subseteq C(H, \vec{x}_H).$$

Often, one is interested in a broader notion of construction where specifications from a set $\mathcal{C}$ may be invoked arbitrarily often during a protocol execution.

Definition 10. A specification C can be constructed from a set of specifications $\mathcal{C}$, denoted by $\mathcal{C} \Longrightarrow C$, if there exists a tuple $\vec{C}$ of specifications from $\mathcal{C}$ (including parallel compositions) which allows to construct C.

The above definition naturally extends to a construction notion among sets of consistency specifications: a set of consistency specifications $\mathcal{C}'$ is constructible from $\mathcal{C}$, denoted by $\mathcal{C} \Longrightarrow \mathcal{C}'$, if all $C \in \mathcal{C}'$ can be constructed from $\mathcal{C}$.

Probabilistic Protocols. In a probabilistic protocol, the parties may additionally use local randomness during the protocol execution. Formally, probabilistic protocols are modeled as distributions over deterministic protocols.

Definition 11. A probabilistic $\ell$-round protocol $\pi$ for tuple $\vec{C}$ with input domain D and output domain R is a random variable (for some distribution) over a set of deterministic protocols of at most $\ell$ rounds for tuple $\vec{C}$ with input domain D and output domain R.

Note that our definition allows for protocols where parties have access to correlated randomness. We denote by $\pi^{\vec{C}}$
the random variable over the protocol specifications for $\pi$ and $\vec{C}$. A protocol constructs a target specification C within $\varepsilon$ if, with probability strictly larger than $1 - \varepsilon$, $\pi^{\vec{C}}$ provides better consistency guarantees than C. Formally:

Definition 12. A probabilistic protocol $\pi$ for tuple $\vec{C}$ constructs C within $\varepsilon$ if

$$\min_{H, \vec{x}_H} P\!\left(\pi^{\vec{C}}(H, \vec{x}_H) \subseteq C(H, \vec{x}_H)\right) > 1 - \varepsilon.$$

A construction is called perfect if $\varepsilon = 0$. A specification C can be constructed within $\varepsilon$ from a set $\mathcal{C}$, denoted by $\mathcal{C} \Longrightarrow_{\varepsilon} C$, if there exists a tuple $\vec{C}$ from $\mathcal{C}$ which allows to construct C within $\varepsilon$. Note that any deterministic construction is a perfect construction.

3 Impossibility Proofs

In this section, we consider a generalized version of so-called "scenario"-proofs (see e.g., [2]). This proof technique, a special type of proof by contradiction, is normally used to prove that a specification, e.g., broadcast, cannot be constructed from authenticated channels within some $\varepsilon$. Here, we extend "scenario"-proofs to the setting where parties are given additional setup. This means that we want to prove statements of the form "There is no construction of a specification C from given specifications $\mathcal{C}$ within $\varepsilon$", where $\mathcal{C}$ is an arbitrary set of specifications which contains the complete network of authenticated channels. More formally, the technique allows to prove a claim of the form: "C cannot be constructed from $\mathcal{C}$ within $\varepsilon = 1/k$, where $Auth \in \mathcal{C}$."

The corresponding "scenario"-proof goes as follows (for a simple example of such a proof, see the proof of Lemma 14). Towards a contradiction, assume that there exists a protocol $\pi$ which allows to construct C from $\mathcal{C}$ within $1/k$. This implies that for each party $P_i$ and for each input $x_i$, there exists a corresponding (probabilistic) protocol system $\pi_i^{x_i}$ which executes the protocol part of $P_i$ for input $x_i$ [2]. For every other party $P_j$, the protocol system of a party $P_i$ has an interface where one can connect it to $P_j$'s protocol system.
This models the assumption that parties are pair-wise connected via authenticated channels. If the parties are given additional specifications in $\mathcal{C}$ (e.g., broadcast channels for some parties) or some setup (e.g. shared randomness) during the protocol execution, this is modeled via a system R that provides the functionality of these specifications. In this case, all protocol systems have an additional interface where they expect to be connected to R. The creative part of the proof is to build a configuration of connected protocol systems and R which has impossible output guarantees. This implies that there is no construction of C from $\mathcal{C}$ within $1/k$. More formally, we consider a configuration S and the output vector of selected protocol systems, which we denote by the random variable Y. To show that S has impossible output guarantees, we use the following technical lemma.

Lemma 13. Let $A_1, \ldots, A_k$ be sets with non-empty union $A = \bigcup_{i=1}^k A_i$ and let Y be a random variable over some set $U \supseteq A$ such that $P(Y \in \bigcap_{i=1}^k A_i) = 0$. Then

$$\min_i P(Y \in A_i) \leq 1 - \frac{1}{k}.$$

Proof. For convenience we denote for any set B by P(B) the probability $P(Y \in B)$. We denote by $\bar{B}$ the complement of B in U. Using elementary set operations and the union bound we get

$$P\Big(\bigcap_{i=1}^k A_i\Big) = 1 - P\Big(\bigcup_{i=1}^k \bar{A}_i\Big) \geq 1 - \sum_{i=1}^k P(\bar{A}_i) = 1 - \sum_{i=1}^k \big(1 - P(A_i)\big) = 1 - k + \sum_{i=1}^k P(A_i).$$

As the minimum over all $P(Y \in A_i)$ is at most their average, we finally get

$$\min_i P(Y \in A_i) \leq \frac{1}{k} \sum_{i=1}^k P(A_i) \leq \frac{1}{k}\Big(k - 1 + P\Big(\bigcap_{i=1}^k A_i\Big)\Big) = 1 - \frac{1}{k}. \qquad ◀$$

[2] Such a system can be instantiated, for example, as an interactive Turing machine.

To get to a contradiction, we thus need to show that there are k sets (of outputs) $A_1, \ldots, A_k$ with empty intersection, where $Y \in A_i$ with probability strictly greater than $1 - 1/k$ for any i. To do so, we use k so-called scenarios. Each scenario describes S as a protocol execution among three parties where exactly one of them is dishonest.
With the exception of two systems (for the two honest parties), all parts of S are considered to be the "attack strategy" of the dishonest party. The initial assumption implies that the outputs of the two honest parties in this scenario must satisfy some consistency guarantee with probability strictly greater than $1 - 1/k$. This directly translates into a condition on Y. Namely, for the i-th scenario, there must exist a set of outputs $A_i$ such that $P(Y \in A_i) > 1 - 1/k$. To arrive at the desired contradiction, the k scenarios are chosen such that the intersection of all $A_i$'s is empty and therefore $P(Y \in \bigcap_{i=1}^k A_i) = 0$. In this case, the above lemma implies that for at least one $A_i$ it must hold that $P(Y \in A_i) \leq 1 - 1/k$, thus contradicting the fact that for all i, $P(Y \in A_i) > 1 - 1/k$ (as required by the assumption of a construction within $\varepsilon = 1/k$).

4 Results

In this section we consider specifications for party set $\mathcal{P} = \{P_1, P_2, P_3\}$ where all inputs and outputs are bit-strings.

4.1 Strong Broadcast Impossibility

Here, we prove a strong impossibility for the construction of broadcast. That is, we show that a broadcast channel, e.g. $BC_1$, cannot be constructed within 1/3 even if all other broadcast channels are available. This implies the well-known result by Karlin and Yao [10] that broadcast cannot be constructed from authenticated channels within 1/3. As a warm-up, we first prove the statement of [10] using the impossibility techniques from above.

Lemma 14 ([10]). $Auth \not\Longrightarrow_{1/3} BC_1$.

Proof. Towards a contradiction, let us assume that there exists a protocol $\pi$ such that $Auth \Longrightarrow_{\pi, 1/3} BC_1$. Then there exist protocol systems $\pi_1^0, \pi_1^1, \pi_2, \pi_3$. Note that only the system of $P_1$ has an input. Each of these systems has two interfaces where it expects to be connected to the systems of the other two parties. We consider the configuration S in Figure 1a where all four systems are arranged in a circle.

[Figure 1: (a) Configuration S, the four systems $\pi_1^0, \pi_1^1, \pi_2, \pi_3$ arranged in a circle; (b)–(d) the three scenarios. Diagram not reproduced in this extraction.]
The random variable Y describes the output behavior of systems $\pi_2$ and $\pi_3$. This means that Y maps to bit-tuples where the first component represents the output of $\pi_2$. We examine the distribution of Y using different protocol execution scenarios.

First, we consider the scenario where $P_2$ and $P_3$ are honest while $P_1$ is dishonest, i.e., $H = \{P_2, P_3\}$. In this scenario, consistency of broadcast ensures that the outputs of $P_2$ and $P_3$ are the same with probability strictly larger than $1 - 1/3$ (independently of the behavior of $P_1$). In the configuration S, this corresponds to the scenario where the system of $P_1$ consists of the two left-most systems (cf. Figure 1b). This implies that Y is in $A_1 = \{(0,0), (1,1)\}$ with probability strictly larger than $1 - 1/3$.

Next, we consider the scenario where $P_1$ and $P_3$ are honest ($H = \{P_1, P_3\}$) and $P_1$ has input 1. In our configuration S, we can perceive the two systems on the top as the system of the dishonest $P_2$ (cf. Figure 1c). This implies (validity of broadcast) that $P(Y \in A_2) > 1 - 1/3$ for $A_2 = \{(0,1), (1,1)\}$.

Finally, we consider the case $H = \{P_1, P_2\}$ where $P_1$ has input 0. In our configuration S, we can perceive the two systems at the bottom as the system of the dishonest $P_3$ (cf. Figure 1d). This implies (validity of broadcast) that $P(Y \in A_3) > 1 - 1/3$ for $A_3 = \{(0,0), (0,1)\}$.

We observe that $A_1 \cap A_2 \cap A_3 = \emptyset$ and thus $P(Y \in \bigcap_{i=1}^3 A_i) = 0$. This implies with Lemma 13 that for at least one $A_i$, $P(Y \in A_i) \leq 1 - 1/3$. This is a contradiction to the fact that $P(Y \in A_i) > 1 - 1/3$ for all $A_i$, as required by the definition of a construction within $\varepsilon = 1/3$. Thus, there exists no $\varepsilon$-construction of broadcast for $\varepsilon \leq 1/3$. ◀

Theorem 15. $\{Auth, BC_2, BC_3\} \not\Longrightarrow_{1/3} BC_1$.

Proof. To prove this result we use the "scenario"-proof technique from Section 3. Assume therefore that there exists a probabilistic protocol $\pi$ which allows to construct $BC_1$ from $\{Auth, BC_2, BC_3\}$ within $\varepsilon = 1/3$.
Thus, there exist protocol systems $\pi_1^0, \pi_1^1, \pi_2, \pi_3$ where the bit on top of $\pi_1$ denotes the input of sender $P_1$. Additionally there exists a system $[BC_2, BC_3]$ which corresponds to the given broadcast channels for $P_2$ and $P_3$.

We first show how to construct a system BC from the system $[BC_2, BC_3]$. This system BC will be used to build the configuration S, rather than $[BC_2, BC_3]$ directly. Thus, BC corresponds to the system R in our informal description from Section 3. System BC is essentially the same as $[BC_2, BC_3]$ except that the interface of $P_1$ is cloned. More precisely, BC has four interfaces. The two interfaces for parties $P_2$ and $P_3$ have the same input/output behavior as in $[BC_2, BC_3]$. However, the interface for $P_1$ appears twice in BC, where both copies deliver the same output. Note that this completely describes the behaviour of BC, since $P_1$'s interface does not take input in $[BC_2, BC_3]$ (and thus, it also does not take an input in BC).

System BC can be built from $[BC_2, BC_3]$ in three different ways. First, one can build it by adding a system $e_1$ to the $P_1$-interface of $[BC_2, BC_3]$ which relays the outputs of this interface to the two $P_1$-interfaces of BC. Second, one can build BC from $[BC_2, BC_3]$ by adding a system $e_2$ to the $P_2$-interface of $[BC_2, BC_3]$. System $e_2$ relays any input at the BC $P_2$-interface to $[BC_2, BC_3]$. Any output at the $P_2$-interface of $[BC_2, BC_3]$ is relayed to the BC $P_1$-interface and the BC $P_2$-interface of $e_2$, respectively. Note that adding system $e_2$ in this way achieves the same as adding $e_1$. This is true because in $[BC_2, BC_3]$ the outputs at any interface are always identical, due to the consistency guarantees of $BC_2$ and $BC_3$. Analogously, one can build BC from $[BC_2, BC_3]$ by adding a system $e_3$ to the $P_3$-interface of $[BC_2, BC_3]$. In summary we have that the systems BC, $e_1[BC_2, BC_3]$, $e_2[BC_2, BC_3]$, and $e_3[BC_2, BC_3]$ have the same input/output behavior.

We now consider the configuration S in Figure 2a and the output Y of systems $\pi_2$ and $\pi_3$.
It follows from the above argumentation that the configurations seen in Figures 2b–2d have the same output behavior Y as S. We examine the distribution of Y using different protocol execution scenarios.

First, we consider the scenario where $P_1$ is dishonest, i.e., $H = \{P_2, P_3\}$. The consistency of $BC_1$ implies that with probability strictly larger than $1 - 1/3$, the outputs of $P_2$ and $P_3$ are the same. In this scenario, the adversarial $P_1$ could control a system consisting of the three left-most systems in Figure 2b. The consistency of broadcast thus implies for S that $P(Y \in A_1) > 1 - 1/3$, where $A_1 = \{(0,0), (1,1)\}$.

Next, we consider the scenario $H = \{P_1, P_3\}$ where $P_1$ has input 1. Here, dishonest $P_2$ could run the top three systems in Figure 2c. The validity condition of $BC_1$ implies that $P(Y \in A_2) > 1 - 1/3$ for $A_2 = \{(0,1), (1,1)\}$.

Finally, we consider the scenario $H = \{P_1, P_2\}$ where $P_1$ has input 0. Here, dishonest $P_3$ could run the bottom three systems in Figure 2d. The validity condition of $BC_1$ implies that $P(Y \in A_3) > 1 - 1/3$ for $A_3 = \{(0,0), (0,1)\}$.

The intersection $A_1 \cap A_2 \cap A_3$ is empty and hence $P(Y \in A_1 \cap A_2 \cap A_3) = 0$. Now, Lemma 13 implies that for at least one $A_i$, $P(Y \in A_i) \leq 1 - 1/3$. This is a contradiction to the fact that $P(Y \in A_i) > 1 - 1/3$ for all $A_i$ as required by the definition of a construction within $\varepsilon = 1/3$. Thus no construction of broadcast $BC_1$ from $\{Auth, BC_2, BC_3\}$ exists within $\varepsilon = 1/3$. ◀

Corollary 16. In particular, for every protocol $\pi$ which constructs broadcast $BC_1$ from $\{Auth, BC_2, BC_3\}$, there exists $H \subseteq \mathcal{P}$ of size two such that

[Figure 2: (a) Configuration S, built from $\pi_1^0, \pi_1^1, \pi_2, \pi_3$ and the system BC; (b)–(d) the equivalent configurations with $e_1[BC_2, BC_3]$, $e_2[BC_2, BC_3]$ and $e_3[BC_2, BC_3]$ in place of BC. Diagram not reproduced in this extraction.]

4.2 Strong Separation of Broadcast and Authenticated Channels

In this section, we prove a strong separation between broadcast and authenticated channels. That is, we present a specification, called XOR-cast, which neither can be constructed from authenticated channels within a constant $\varepsilon$, nor is sufficient to construct broadcast within a constant $\varepsilon$.
XOR-cast takes a bit $b_i$ from $P_i$ and a bit $b_j$ from $P_j$ as input. If all parties behave correctly, the value of $b_i \oplus b_j$ should be output by all parties. If one of the parties $P_i, P_j$ is dishonest, the honest parties should output the same value. If the third party $P_k$ is dishonest, the remaining parties should output $b_i \oplus b_j$.

▶ Definition 17. Let $P_i, P_j \in \mathcal{P}$ be distinct parties. The XOR-cast $\mathrm{XC}_{i,j}$ for $P_i$ and $P_j$ is defined as follows.
$$\mathrm{XC}_{i,j}(H, \vec{x}_H) = \Big\{ \vec{y} \in \{0,1\}^H \;\Big|\; \exists v \; \begin{aligned} &(\forall \ell \in H : \vec{y}_H|_{\{\ell\}} = v) \\ \wedge\; &(i, j \in H \Rightarrow v = \vec{x}_H|_{\{i\}} \oplus \vec{x}_H|_{\{j\}}) \end{aligned} \Big\}.$$
The top right line in the equation ensures that all honest parties output the same value. The bottom right line ensures for honest $P_i$ and $P_j$ that the output is the XOR of their input bits.

We first prove that XOR-cast, e.g., XC1,2, cannot be constructed from the network of authenticated channels.

▶ Lemma 18. $\{\mathrm{Auth}\} \overset{1/4}{\not\longrightarrow} \mathrm{XC}_{1,2}$.

Proof. We again use the "scenario" proof technique. Towards a contradiction, assume that there exists a protocol allowing to construct XC1,2 from {Auth} within $\varepsilon = \tfrac{1}{4}$. Then there exist protocol systems $\pi_1^{x_1}, \pi_2^{x_2}, \pi_3$ for parties P1, P2, P3, where $x_1$ denotes the input bit of P1 and $x_2$ denotes the input bit of P2. Consider the pentagon configuration S in Figure 3. Let Y be the random variable over the output $(a, b, c)$ of the three left-most systems, i.e., where $a$ is the output of $\pi_2^0$ (top left), $b$ the output of $\pi_3$ (middle left), and $c$ the output of $\pi_1^0$ (bottom left). We examine the distribution of Y using four different protocol execution scenarios.

First, we consider the scenario where P2 and P3 are honest (H = {P2, P3}) and P2 has input 0. In this scenario, the dishonest P1 could run the three systems in the bottom left in Figure 3a. The outputs of P2 and P3 must be the same. This implies $P(Y \in A_1) > 1 - \tfrac{1}{4}$ for $A_1 = \{(0,0,0), (0,0,1), (1,1,0), (1,1,1)\}$.

[Figure 3: Pentagon configuration S; $a$, $b$, $c$ are the outputs of $\pi_2^0$, $\pi_3$, $\pi_1^0$. (a) P1 dishonest: $Y \in \{(0,0,0), (0,0,1), (1,1,0), (1,1,1)\}$. (b) P2 dishonest: $Y \in \{(0,0,0), (0,1,1), (1,0,0), (1,1,1)\}$. (c) P3 dishonest, first strategy: $Y \in \{(0,0,0), (0,1,0), (1,0,0), (1,1,0)\}$. (d) P3 dishonest, second strategy: $Y \in \{(1,0,0), (1,0,1), (1,1,0), (1,1,1)\}$.]

Next, we consider the scenario H = {P1, P3} where P1 has input 0 (cf. Figure 3b). Here, the outputs of P1 and P3 must be the same. This implies that $P(Y \in A_2) > 1 - \tfrac{1}{4}$ for $A_2 = \{(0,0,0), (0,1,1), (1,0,0), (1,1,1)\}$.

Next, we consider the scenario H = {P1, P2} where both P1 and P2 have input 0 (cf. Figure 3c). Here, the output of P1 must be $0 = 0 \oplus 0$. This implies that $P(Y \in A_3) > 1 - \tfrac{1}{4}$ for $A_3 = \{(0,0,0), (0,1,0), (1,0,0), (1,1,0)\}$.

Finally, we consider the scenario H = {P1, P2} where P1 has input 1 and P2 has input 0 (cf. Figure 3d). Here, the output of P2 must be $1 = 1 \oplus 0$. This implies that $P(Y \in A_4) > 1 - \tfrac{1}{4}$ for $A_4 = \{(1,0,0), (1,0,1), (1,1,0), (1,1,1)\}$.

We observe that the intersection $A_1 \cap A_2 \cap A_3 \cap A_4$ is empty and hence $P(Y \in \bigcap_{i=1}^{4} A_i) = 0$. This implies with Lemma 13 that for at least one $A_i$, $P(Y \in A_i) \le 1 - \tfrac{1}{4}$. This is a contradiction to the fact that $P(Y \in A_i) > 1 - \tfrac{1}{4}$ for all $A_i$, as required by the definition of a construction within $\varepsilon = \tfrac{1}{4}$. Thus no construction of XC1,2 from Auth exists within $\varepsilon = \tfrac{1}{4}$. ◀

▶ Corollary 19. In particular, for every protocol $\pi$, there exists $H \subseteq \mathcal{P}$, $|H| = 2$, such that
$$P\big[\pi(\mathrm{Auth})(H, \vec{x}_H) \in \mathrm{XC}_{1,2}(H, \vec{x}_H)\big] \le 1 - \tfrac{1}{4}.$$

Next, we show that one can perfectly construct XCi,j given the complete network of authenticated channels and a broadcast channel for $P_i$ or $P_j$.

▶ Lemma 20. For all $i \ne j \in \{1, 2, 3\}$: $\{\mathrm{Auth}, \mathrm{BC}_i\} \longrightarrow \mathrm{XC}_{i,j}$.

Proof. Let $b_i$ be the input of $P_i$ and let $b_j$ be the input of $P_j$, and denote by $P_k$ the third party. Consider the following protocol.
1. $P_j$ sends $b_j$ to $P_i$. Denote by $\hat{b}_j$ the bit received by $P_i$.
2. $P_i$ broadcasts $b_k := b_i \oplus \hat{b}_j$ using $\mathrm{BC}_i$. Denote by $\hat{b}_k$ the bit received by $P_j$ and $P_k$.
3. $P_i$ outputs $b_k$; $P_j$ and $P_k$ both output $\hat{b}_k$.
If at least $P_i$ and $P_j$ are honest we have $\hat{b}_j = b_j$ and $\hat{b}_k = b_k$.
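The case analysis of this protocol over the honest sets of size two and three is small enough to run exhaustively. The Python model below is an added example, not code from the paper: it encodes Definition 17 as the set of allowed honest output vectors, executes the three protocol steps for every honest set, every pair of inputs and every bit a dishonest party could choose (the only adversarial influence on honest outputs is the bit a dishonest $P_j$ sends in step 1 and the bit a dishonest $P_i$ broadcasts in step 2, since $\mathrm{BC}_i$ delivers one common bit to $P_j$ and $P_k$ even when $P_i$ is dishonest), and reports the first violation, if any. As a hypothetical contrast that is not in the paper, the flag `use_broadcast=False` replaces $\mathrm{BC}_i$ in step 2 by plain authenticated channels, so a dishonest $P_i$ may send different bits to $P_j$ and $P_k$; the check then finds the resulting consistency violation.

```python
"""Exhaustive check of the XOR-cast-from-broadcast protocol in the proof of Lemma 20.
Added example, not the paper's code. Parties are 1, 2, 3; i broadcasts, j supplies the
second input bit, k is the third party."""
from itertools import combinations, product

PARTIES = (1, 2, 3)


def xc_spec(i, j, honest, inputs):
    """XC_{i,j}(H, x_H) from Definition 17 as the set of allowed honest output vectors:
    every honest party outputs one common bit v, and v = b_i xor b_j if P_i and P_j are honest."""
    allowed = set()
    for v in (0, 1):
        if i in honest and j in honest and v != inputs[i] ^ inputs[j]:
            continue
        allowed.add(tuple((p, v) for p in sorted(honest)))
    return allowed


def run_protocol(i, j, honest, inputs, adv, use_broadcast=True):
    """One execution of the three-step protocol. adv fixes every bit a dishonest party may
    choose: 'msg' (step 1), 'bc' (step 2 over BC_i), and 'to_j'/'to_k' (step 2 in the
    hypothetical variant that sends over authenticated channels instead of BC_i)."""
    k = next(p for p in PARTIES if p not in (i, j))
    # Step 1: P_j sends b_j to P_i over an authenticated channel.
    b_hat_j = inputs[j] if j in honest else adv["msg"]
    # Step 2: P_i broadcasts b_k := b_i xor b_hat_j.
    if i in honest:
        b_k = inputs[i] ^ b_hat_j
        received = {j: b_k, k: b_k}
    elif use_broadcast:
        # Consistency of BC_i: P_j and P_k receive the same (adversarially chosen) bit.
        b_k = None
        received = {j: adv["bc"], k: adv["bc"]}
    else:
        # Hypothetical variant without broadcast: a dishonest P_i can equivocate.
        b_k = None
        received = {j: adv["to_j"], k: adv["to_k"]}
    # Step 3: P_i outputs b_k; P_j and P_k output what they received.
    out = {i: b_k, j: received[j], k: received[k]}
    return tuple((p, out[p]) for p in sorted(honest))


def constructs_xc(i, j, use_broadcast=True):
    """Check every honest set of size >= 2, every input and every adversary choice.
    Returns None if all honest outputs lie in XC_{i,j}(H, x_H), else the first violation
    as (honest set, inputs, adversary choices, honest outputs)."""
    for size in (2, 3):
        for honest in combinations(PARTIES, size):
            honest = frozenset(honest)
            for b_i, b_j in product((0, 1), repeat=2):
                inputs = {i: b_i, j: b_j}
                for msg, bc, to_j, to_k in product((0, 1), repeat=4):
                    adv = {"msg": msg, "bc": bc, "to_j": to_j, "to_k": to_k}
                    y = run_protocol(i, j, honest, inputs, adv, use_broadcast)
                    if y not in xc_spec(i, j, honest, inputs):
                        return (tuple(sorted(honest)), inputs, adv, y)
    return None


if __name__ == "__main__":
    for i, j in [(a, b) for a in PARTIES for b in PARTIES if a != b]:
        assert constructs_xc(i, j) is None
    print("with BC_i: the protocol constructs XC_{i,j} for every ordered pair (i, j)")
    print("without broadcast, first violation:", constructs_xc(1, 2, use_broadcast=False))
```

The first violation found for the variant without broadcast has H = {P2, P3}: dishonest P1 sends 0 to P2 and 1 to P3, so the honest outputs differ, which is exactly the consistency failure that $\mathrm{BC}_i$ rules out in step 2 of the real protocol.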
All honest parties will output $b_k = b_i \oplus b_j$ as required by XCi,j. On the other hand, if H = {Pj, Pk}, both honest parties will output $\hat{b}_k$ as required by XCi,j. If H = {Pi, Pk} we have $\hat{b}_k = b_k$. Both honest parties will output $b_k$ as required by XCi,j. If at most one party is honest any output is fine, thus the protocol achieves the construction also in those cases. ◀

▶ Lemma 21. $\{\mathrm{XC}_{1,2}, \mathrm{XC}_{1,3}, \mathrm{XC}_{2,3}, \mathrm{Auth}\} \overset{1/3}{\not\longrightarrow} \mathrm{BC}_1$.

Proof. Towards a contradiction, let us assume that one can construct BC1 given the XOR-casts, i.e., $\{\mathrm{XC}_{1,2}, \mathrm{XC}_{1,3}, \mathrm{XC}_{2,3}, \mathrm{Auth}\} \longrightarrow \mathrm{BC}_1$ within $\varepsilon = \tfrac{1}{3}$. Lemma 20 implies that one can perfectly construct all XOR-casts given broadcast channels BC2, BC3. This implies that one can construct BC1 from {BC2, BC3, Auth} within $\varepsilon = \tfrac{1}{3}$, a contradiction to Lemma 15. ◀

The above lemmas directly imply the following theorem.

▶ Theorem 22. Authenticated channels and broadcast are strongly separated by XOR-cast.

4.3 Weak Broadcast

For comparison, we consider weak broadcast, which was introduced in [11]. This specification provides the same consistency guarantees as broadcast except that validity only holds if all parties are honest.

▶ Definition 23. Let $P_s \in \mathcal{P}$. A weak broadcast channel $\mathrm{wBC}_s$ for sender $P_s$ is defined to be a $(\{0,1\}, \{0,1\})$-consistency specification where for every $H \subseteq \mathcal{P}$ and all $\vec{x}_H \in \{0,1\}^H$ it holds that
$$\mathrm{wBC}_s(H, \vec{x}_H) = \Big\{ \vec{y}_H \in \{0,1\}^H \;\Big|\; \exists v \; \big( (\forall j \in H : \vec{y}_H|_{\{j\}} = v) \wedge (H = \mathcal{P} \Rightarrow v = \vec{x}_H|_{\{s\}}) \big) \Big\}.$$

It was shown in [11] that weak broadcast cannot be constructed from authenticated channels using a deterministic protocol.

▶ Lemma 24 ([11]). There exists no deterministic r-round protocol $\pi$ which allows for $\{\mathrm{Auth}\} \longrightarrow \mathrm{wBC}_i$.

Proof. Without loss of generality, let P1 be the sender. Suppose there exists a deterministic r-round protocol $\pi$ which allows to construct wBC1 from Auth. Then, there exist protocol systems $\pi_1^x, \pi_2, \pi_3$ for parties P1, P2, P3, where $x$ denotes the input of P1.
Choose $k > r + 1$ as a multiple of 3 and arrange $4k$ such systems in a ring as follows: Start with a system $\pi_1^0$ and continue with systems $\pi_2, \pi_3$; each system is connected via authenticated channels to its predecessor and successor. Now repeat this pattern going clockwise, until $2k$ systems have been connected in this manner. Because $k$ is a multiple of three, the last system in this arrangement will be a system $\pi_3$. Now, restart the pattern from the end of this arrangement, but instead of $\pi_1^0$, use $\pi_1^1$. Arrange another $2k$ nodes in this manner, thereby closing the ring.

Consider the system $\pi_1^0$ at "the top" of the ring. As all systems in the ring are deterministic, the view of $\pi_1^0$ after $r$ rounds is the same as if the system were run in a triangular configuration (where the triangle consists of $\pi_1^0, \pi_2, \pi_3$). The validity of weak broadcast implies that the system $\pi_1^0$ must output 0. Similarly, the system $\pi_1^1$ at "the bottom" of the ring must output 1. Now, consider any two adjacent systems in the ring. One can view the rest of the ring as an attack strategy of a corrupted party. Thus, by consistency of weak broadcast, any two adjacent systems must output the same value. We thus arrive at a contradiction. ◀

On the other hand, the results of [3] imply that weak broadcast can be achieved from authenticated channels for any $\varepsilon > 0$.

▶ Lemma 25 ([3]). For any $\varepsilon > 0$: $\{\mathrm{Auth}\} \overset{\varepsilon}{\longrightarrow} \mathrm{wBC}_i$.

Finally, we show that weak broadcast is separated from broadcast. More precisely, we show that broadcast allows to construct weak broadcast while, on the other hand, broadcast cannot be constructed from weak broadcast within $\varepsilon = \tfrac{1}{3}$.

▶ Theorem 26. Weak broadcast and broadcast are strongly separated.

The theorem follows from the following two lemmata.

▶ Lemma 27. For all $i \in \{1, 2, 3\}$: $\{\mathrm{BC}_i\} \longrightarrow \mathrm{wBC}_i$.

Proof. For all $H$ and all $\vec{x}_H$ it holds that $\mathrm{BC}_i(H, \vec{x}_H) \subseteq \mathrm{wBC}_i(H, \vec{x}_H)$. This directly implies $\{\mathrm{BC}_i\} \longrightarrow \mathrm{wBC}_i$. ◀

▶ Lemma 28. For all $i \in \{1, 2, 3\}$: $\{\mathrm{wBC}_i, \mathrm{Auth}\} \overset{1/3}{\not\longrightarrow} \mathrm{BC}_i$.

Proof.
We first show that XCi,j for $j \ne i$ is enough to construct wBCi. The following protocol $\pi$ allows $P_i$ to weak-broadcast its bit $b$ using XCi,j.
1. XCi,j is invoked, where $P_i$ inputs $b$ and $P_j$ inputs 0. Denote by $b_i, b_j, b_k$ the bits the parties $P_i, P_j, P_k$ receive as output from XCi,j.
2. $P_i$ outputs $b_i$, $P_j$ outputs $b_j$ and $P_k$ outputs $b_k$.
The properties of XCi,j ensure that honest parties will always output the same bit, as required by the consistency of wBCi. If at least $P_i$ and $P_j$ are honest, the output of XCi,j is $b = b \oplus 0$. The protocol thus achieves the validity condition required by wBCi.

From Lemma 21, we know that $\{\mathrm{XC}_{i,j}, \mathrm{Auth}\} \overset{1/3}{\not\longrightarrow} \mathrm{BC}_i$. This implies that BCi cannot be constructed from {wBCi, Auth} within $\varepsilon = \tfrac{1}{3}$. ◀

In summary, considering constructions for $\varepsilon > 0$, weak broadcast is not stronger than authenticated channels. It is only when considering perfect constructions that weak broadcast provides strictly stronger guarantees. This is in contrast to XOR-cast, which is stronger than authenticated channels for any $\varepsilon \ge 0$.

5 Extension to the n-Party Case

In this section, we show how our theorems can be generalized to the n-party case. Note that our formal definition of XOR-cast can be used without modification for the setting with n parties. An informal explanation of the resulting specification is as follows. Again, parties $P_i$ and $P_j$ each input bits $b_i$ and $b_j$. As in the three-party setting, if all parties behave correctly, the value of $b_i \oplus b_j$ should be output by all parties. If one or both of the parties $P_i, P_j$ is dishonest, the honest parties should output the same value. In any other case, the remaining honest parties should output $b_i \oplus b_j$.

We begin by proving an n-party analogue of Lemma 15. Informally, we prove that, given any set of at most $\tfrac{2n}{3}$ distinct broadcast channels, no further broadcast channels can be achieved.

▶ Theorem 29. Let $B = \{\mathrm{BC}_{n/3+1}, \ldots, \mathrm{BC}_n\}$. Then $\{\mathrm{Auth}\} \cup B \overset{1/3}{\not\longrightarrow} \mathrm{BC}_1$.

Proof.
We show that the existence of such a protocol would contradict Corollary 16. Thus, assume that there exists a protocol $\pi$ which allows to construct BC1 from $\{\mathrm{Auth}\} \cup B$ within $\varepsilon = \tfrac{1}{3}$. In particular, for all $H' \subseteq \mathcal{P}$ of size $\tfrac{2n}{3}$ we have that
$$P\big[\pi(\mathrm{Auth}, B)(H', \vec{x}_{H'}) \in \mathrm{BC}_1(H', \vec{x}_{H'})\big] > 1 - \varepsilon. \qquad (2)$$
We now show that this implies the existence of a protocol $\pi'$ which allows to construct BC1 within $\varepsilon = \tfrac{1}{3}$ in the three-party setting. In particular, for protocol $\pi'$ it will hold for all $H \subseteq \{P_1, P_2, P_3\}$ of size two that
$$P\big[\pi'(\mathrm{Auth}, \mathrm{BC}_2, \mathrm{BC}_3)(H, \vec{x}_H) \in \mathrm{BC}_1(H, \vec{x}_H)\big] > 1 - \varepsilon,$$
which is a direct contradiction of Corollary 16.

The idea of $\pi'$ is to execute protocol $\pi$ where each of the three parties P1, P2, P3 emulates $\tfrac{n}{3}$ of the n parties. Concretely, party P1 emulates virtual parties $P_1, \ldots, P_{n/3}$, party P2 emulates virtual parties $P_{n/3+1}, \ldots, P_{2n/3}$, and party P3 emulates $P_{2n/3+1}, \ldots, P_n$. Clearly, all communication between virtual parties that occurs over authenticated channels can easily be emulated. Similarly, if a party $P_i$, $i \in \{n/3 + 1, \ldots, n\}$, broadcasts in $\pi$, then the party P2 or P3 emulating $P_i$ can use BC2 or BC3, respectively, to carry out $P_i$'s virtual broadcast over $\mathrm{BC}_i$. We can now map the set of real honest parties to sets of virtual honest parties. For instance, for H = {P1, P2}, the virtual parties in $H'_1 = \{P_1, \ldots, P_{2n/3}\}$ are honest. Similarly, for H = {P1, P3} and H = {P2, P3} we have virtual honest sets $H'_2$ and $H'_3$, respectively. By the initial assumptions, in particular the one in Equation (2), it thus follows that
$$P\big[\pi'(\mathrm{Auth}, \mathrm{BC}_2, \mathrm{BC}_3)(H, \vec{x}_H) \in \mathrm{BC}_1(H, \vec{x}_H)\big] > 1 - \varepsilon$$
for any $H$ of size two. But this contradicts Corollary 16. ◀

In a similar fashion, one can prove the following statement for the n-party case.

▶ Lemma 30. $\{\mathrm{Auth}\} \overset{1/4}{\not\longrightarrow} \mathrm{XC}_{1,2}$.

Also, using almost the same arguments, we can prove the analogue of Lemma 20.

▶ Lemma 31. For all $i \ne j \in [n]$: $\{\mathrm{Auth}, \mathrm{BC}_i\} \longrightarrow \mathrm{XC}_{i,j}$.

Finally, we can also restate Lemma 21 for the n-party case.
Like the previous two lemmata, the proof proceeds in a similar fashion as the proof for the three-party case.

▶ Lemma 32. $\{\mathrm{XC}_{1,2}, \mathrm{XC}_{1,3}, \mathrm{XC}_{2,3}, \mathrm{Auth}\} \overset{1/3}{\not\longrightarrow} \mathrm{BC}_1$.

6 Conclusion and Outlook

In this work, we showed strong separation results between broadcast and authenticated channels. In particular, we showed that weak broadcast admits a strong separation from broadcast. In order to derive these separations, we generalized known techniques for proving impossibility to cover also probabilistic constructions. We believe that the formal techniques and the framework that we introduced here will prove useful to future efforts in proving similar results.

We also initiated the natural study of asymmetric consistency primitives, in which a (strict) subset of the parties has input and every party receives output. Although both broadcast and weak broadcast are examples of such primitives, our work is the first to consider primitives in which the subset of parties with input is not a singleton set. We show that for the example of the XOR-cast, this type of consistency primitive falls into a previously undiscovered intermediate layer between authenticated channels and broadcast.

As such, we believe that our work opens up several interesting lines of future research. With regard to further extending the scope of impossibility results, it would be interesting to see whether our techniques for probabilistic constructions can also be used to derive stronger bounds in settings with more complicated setup such as [4, 1]. Another interesting direction for future research would be a closer study of asymmetric consistency primitives in the above sense. A first question in this area would be to see if the hierarchy of three-party specifications considered in this work has an even deeper structure than outlined here, or, more generally, to classify all such specifications.
A second immediate question would be to investigate how the picture changes when we consider primitives with more than three parties or when switching to stronger models of corruption, such as the general adversary model [7, 8, 16] (as opposed to the threshold setting we considered here). Conceptually, it would also be worthwhile to derive connections between such results and the field of information-theoretic MPC.

References

[1] Jeffrey Considine, Matthias Fitzi, Matthew K. Franklin, Leonid A. Levin, Ueli M. Maurer, and David Metcalf. Byzantine agreement given partial broadcast. Journal of Cryptology, 18(3):191-217, July 2005.
[2] Michael J. Fischer, Nancy A. Lynch, and Michael Merritt. Easy impossibility proofs for distributed consensus problems. In Michael A. Malcolm and H. Raymond Strong, editors, 4th Annual ACM Symposium on Principles of Distributed Computing, pages 59-70, Minaki, Ontario, Canada, August 5-7, 1985. Association for Computing Machinery.
[3] Detectable Byzantine agreement secure against faulty majorities. In Aleta Ricciardi, editor, 21st Annual ACM Symposium on Principles of Distributed Computing, pages 118-126, Monterey, California, USA, July 21-24, 2002. Association for Computing Machinery.
[4] Matthias Fitzi and Ueli M. Maurer. From partial consistency to global broadcast. In 32nd Annual ACM Symposium on Theory of Computing, pages 494-503, Portland, Oregon, USA, May 21-23, 2000. ACM Press.
[5] Ronald L. Graham and Andrew Chi-Chih Yao. On the improbability of reaching Byzantine agreements (preliminary version). In 21st Annual ACM Symposium on Theory of Computing, pages 467-478, Seattle, Washington, USA, May 15-17, 1989. ACM Press.
[6] Martin Hirt, Ueli Maurer, and Pavel Raykov. Broadcast amplification. In Yehuda Lindell, editor, TCC 2014: 11th Theory of Cryptography Conference, volume 8349 of Lecture Notes in Computer Science, pages 419-439, San Diego, CA, USA, February 24-26, 2014. Springer, Berlin, Germany. doi:10.1007/978-3-642-54242-8_18.
[7] Martin Hirt and Ueli M. Maurer. Player simulation and general adversary structures in perfect multiparty computation. Journal of Cryptology, 13(1):31-60, 2000. Extended abstract in Proc. 16th ACM PODC '97.
[8] Martin Hirt and Daniel Tschudi. Efficient general-adversary multi-party computation. In Kazue Sako and Palash Sarkar, editors, Advances in Cryptology - ASIACRYPT 2013, Part II, volume 8270 of Lecture Notes in Computer Science, pages 181-200, Bangalore, India, December 1-5, 2013. Springer, Berlin, Germany. doi:10.1007/978-3-642-42045-0_10.
[9] Alexander Jaffe, Thomas Moscibroda, and Siddhartha Sen. On the price of equivocation in Byzantine agreement. In Darek Kowalski and Alessandro Panconesi, editors, 31st Annual ACM Symposium on Principles of Distributed Computing, pages 309-318, Funchal, Madeira, Portugal, July 16-18, 2012. Association for Computing Machinery.
[10] Anna Rochelle Karlin and Andrew Chi-Chih Yao. Probabilistic lower bounds for the Byzantine generals problem. Unpublished manuscript, 1984.
[11] Leslie Lamport. The weak Byzantine generals problem. Journal of the ACM, 30(3):668-676, July 1983.
[12] ACM Transactions on Programming Languages and Systems (TOPLAS), 4(3):382-401, July 1982.
[13] Julian Loss, Ueli Maurer, and Daniel Tschudi. Hierarchy of three-party consistency specifications. In 2016 IEEE International Symposium on Information Theory (ISIT), pages 3048-3052. IEEE, 2016.
[14] Ueli Maurer. Towards a theory of consistency primitives. In Rachid Guerraoui, editor, International Symposium on Distributed Computing - DISC 2004, volume 3274 of Lecture Notes in Computer Science, pages 379-389. Springer, Berlin, Germany, 2004.
[15] D. V. S. Ravikant, Venkitasubramaniam Muthuramakrishnan, V. Srikanth, K. Srinathan, and C. Pandu Rangan. On Byzantine agreement over (2,3)-uniform hypergraphs. In Rachid Guerraoui, editor, International Symposium on Distributed Computing - DISC 2004, volume 3274 of Lecture Notes in Computer Science, pages 450-464. Springer, Berlin, Germany, October 2004.
[16] Halldórsson, Kazuo Iwama, Naoki Kobayashi, and Bettina Speckmann, editors, ICALP 2015: 42nd International Colloquium on Automata, Languages and Programming, Part II, volume 9135 of Lecture Notes in Computer Science, pages 701-712, Kyoto, Japan, July 6-10, 2015. Springer, Berlin, Germany. doi:10.1007/978-3-662-47666-6_56.



Julian Loss, Ueli Maurer, Daniel Tschudi. Strong Separations Between Broadcast and Authenticated Channels, LIPICS - Leibniz International Proceedings in Informatics, 2018, 36:1-36:17, DOI: 10.4230/LIPIcs.DISC.2018.36