Byzantine Generals Problem & FLP Impossibility Addendum Sep. - PowerPoint PPT Presentation

Byzantine Generals Problem & FLP Impossibility Addendum Sep. 4th, 2019

Byzantine Fault Tolerance • Given 6 Generals: 4 Loyal General, 2 Traitor • Why is a solution for this impossible? 1 1 G Each loyal general receives 3 0 correct values and 2 wrong 0 0 values => No problem 0 1 1 0 0

Byzantine Fault Tolerance • Given 6 Generals: 4 Loyal General, 2 Traitor • Problem occurs when a traitor needs to send messages • Other traitors can mirror the general G 0 0 Two of the loyal generals 0 0 0 receive 3 times the value 0 0 0 - - 0

Byzantine Fault Tolerance • Given 6 Generals: 4 Loyal General, 2 Traitor • Problem occurs when a traitor needs to send messages • Other traitors can mirror the general G G 1 1 1 1 0 1 Two of the loyal generals 1 1 receive 3 times the value 0 1 1 Two of the loyal generals - 0 1 receive 3 times the value 1 - 1

Byzantine Fault Tolerance • Given 6 Generals: 4 Loyal General, 2 Traitor • Problem occurs when a traitor needs to send messages • Other traitors can mirror the general G G 1 1 1 1 1 1 0 0 0 0 0 1 0 Two of the loyal generals 0 0 1 1 0 1 0 1 receive 3 times the value 0 1 1 0 1 Two of the loyal generals 1 0 0 1 receive 3 times the value 1 1 0 Not all loyal generals use the same value 0 1 v(i) for a traitorous general

Take away “FLP Result” Fault tolerance pick 2 Consensus termination (also called “safety”, or “agreement”, (also called liveness, aka. “we all do the same”) aka “we make progress”)

Take away “FLP Result” Fault tolerance Basic blockchains where Blockchains that switch participants simply build to the longest chain trade on top of the existing consensus for block do not care about probabilistic finality contenders pick 2 Consensus termination (also called “safety”, or “agreement”, (also called liveness, aka. “we all do the same”) aka “we make progress”)

Cryptography Essentials and Data Structures Sep 4, 2019

Today’s goal • At the end of the next lecture, we will present the first homework: • Build a simple blockchain • Verify ownership • Verify inclusion of data • For this, we need certain cryptographic tool and • Hash function • Cryptographic Signatures • Merkle-Trees • Block chains

Hash • Any arbitrary data (text, images, videos, etc.) can be represented as a {0,1} n sequence of 0 and 1, written as � ℋ : {0,1} n → {0,1} m • A hash is a function � that maps arbitrary input to a certain value of � bits m • Can be used to verify data integrity or as data structure • A [ ℋ ( dataElement ) ] = dataElement “San Jose is a large city surrounded by rolling hills in Silicon Valley, a major technology hub in California's Bay Area.”

Hash • Examples: ℋ : {0,1} n → {0,1} m • Modulo � (amount of 1’s mod n) • MD5 • MD5("The quick brown fox jumps over the lazy dog") = 0x 9e107d9d372bb6826bd81d3542a419d6

Cryptographic Hash • Requirements: • � easy to compute ℋ ( x ) • finding � (pre-image) so that � impossible* x ℋ ( x ) = y • Such functions are called • One-way functions • trapdoor functions *in a reasonable amount of time

Cryptographic Hash • Examples Name Year Output size considered safe? MD2 1989 128 bits no MD5 1992 128 bits no RadioGatún 2006 unlimited first 304 bits SHA3 2015 224/256/384/512 yes

Cryptographic Hash • Output value shall be as unpredictable as possible • changing the input by 1 bit should change each output bit with a probability of 50% • Hash("The quick brown fox jumps over the lazy dog") • 0x 730e109bd7a8a32b1cb9d9a09aa2325d2430587ddbc0c38bad911525 • Hash("The quick brown fox jumps over the lazy dog . ") • 0x 619cba8e8e05826e9b8c519c0a5c68f4fb653e8a3d8aa04bb2c8cd4c

Sponge-based Hash approaches • State of the art, e.g. SHA3 • Absorb data, Squeeze out result • One pass over the data is needed, usable for data streams

Hashes as building blocks • Use the one-way property of hash functions • Encryption (later) • Proof of list membership • Show that an element was part of a record

List Membership Proof • Proof that a record was part of a collection • How to put stu ff on the blockchain • Prove existence by pointing to the item within the record If an item does not occur in our records, it doesn’t exist

List Membership Proof • Proof that a record was part of a collection • How to put stu ff on the blockchain • Examples • Assume we store every day list of every person born. • How this be used as birth certificate? • A set of transactions happened in a block • How can I proof a specific transaction? • I published a great idea (as a patent/on the internet, etc.) • How can I prove that it was published

Naive Membership Proof • Proof that a record was part of a collection • Approach: • Assemble the (ordered) list of all entries • store for every day the hash of that list. Date Hash of list 1 April 1990 0x A4356DE2… 2 April 1990 0x 5BB823A… 3 April 1990 0x 40A03C1… 4 April 1990 0x 563FE22… …

Naive Membership Proof • Proof of Membership: • publish list of all entries • Point to entry in question … … 1 April 1990 2 April 1990

Naive Membership Proof • Proof of Membership: • publish list of all entries • Point to entry in question • Serves the purpose • Everybody can verify that • The record in question is in the list • The hash of the entire list corresponds to the publicly known value • Not very e ffi cient • The space needed to store/transmit a proof is the size of all entries together • Computation complexity is one Hash of a (large) list

List Membership Proof Can we do better?

Merkle-Tree � h 1234,5678 = ℋ ( h 12,34 | h 56,78 ) � h 12,34 = ℋ ( h 1,2 | h 3,4 ) � h 56,78 = ℋ ( h 5,6 h � h 1,2 = ℋ ( h 1 | h 2 ) � h 3,4 = ℋ ( h 3 | h 4 ) � h 5,6 = ℋ ( h 5 | h 6 ) ABC DEF GHI JKL MNO PQR � h 1 = ℋ ( ) � h 2 = ℋ ( ) � h 3 = ℋ ( ) � h 4 = ℋ ( ) � h 5 = ℋ ( ) � h 6 = ℋ ( ) ABC DEF GHI JKL MNO PQR

Merkle Tree • Compute the binary hash tree • Start with hashing all entries (as leafs) • Build the tree from the leafs to the root • The value of each node is the hash of the 2 children def buildMerkleTree(listOfElement, posLeft, posRight): # if we are at a leaf if (posLeft == posRight): return HASH(listOfElement[posLeft]) centerElement = (posLeft+posRight)/2 leftHash = buildMerkleTree(listOfElement, posLeft, centerElement) rightHash = buildMerkleTree(listOfElement, centerElement+1, posRight) return HASH(leftHash + rightHash)

Merkle Tree 0b768f11c4302d1354 9241c2f596b7bf2d2 8bfe92e5f8ac627777 956878910d85 822d73d3f596 ec0e9d8e9448 80e3665aeab5 902fbdd 822dd49 81fe8a9 c0abbff 9500c76 cda131d ec62361 697821b ABC DEF GHI JKL MNO PQR STU VWX

Merkle Tree • Consider the paths in the tree from the root to a leaf 0b768f11c4302d1354 9241c2f596b7bf2d2 8bfe92e5f8ac627777 956878910d85 822d73d3f596 ec0e9d8e9448 80e3665aeab5 902fbdd 822dd49 81fe8a9 c0abbff 9500c76 cda131d ec62361 697821b ABC DEF GHI JKL MNO PQR STU VWX

Merkle Tree • Prover publishes the following proof: • Consider the Merkle Tree with root “ 0b768f11c4302d1354 ” • The root can be constructed via 0b768f11c4302d1354 = h( 9241c2f596b7bf2 + 8bfe92e5f8ac627777) • The left child can be constructed via 9241c2f596b7bf2d2d = h(956878910d853ef + 822d73d3f596c05538 ) • The right child can be constructed via 822d73d3f596c05538 = h( 81fe8a9f162d7d7 + c0abbff7cfaca6720f) • The left child can be constructed via 81fe8a9f162d7d7 = h( “ GHI ” )

Merkle Tree • Given a good hash function, nobody can find a pre-image of a hash • A statement such as can be constructed via 9241c2f596b7bf2d2d = h(956878910d853ef + 822d73d3f596c05538 ) can only be recorded during the creation process, but not inferred at a later point. • Correct paths (proofs of membership) cannot be faked • Invalid paths can easily be detected • E ffi ciency: • Proof size is 2*sizeOf(Hash) at each node, path length is log(n) • � much better than � naive way O (log n ) O ( n )

Merkle Tree Proof Security • Merkle Trees are computationally as secure as the hash function • for older hash functions (e.g. MD5) it is possible to find collisions • I can publish an valid proof that my data is in the record, even though it is not • modern hash functions (e.g. SHA3) are still fine

Block chain

Blockchain • A block chain build upon the idea that b36beccadac2a246a the preimage of a hash cannot be computed. caea329c95c8fe288a • A data-holding blockchain needs at 0f66b118113fde0d5 least 2 entries f7cfaca6720f66b1ad • History in a blockchain can be traced backward through a link to f4a6abaef7e8c06038 the hash of the previous block 4b3e14a82aa76bd45 • Data can be “put on the blockchain” by saving the root hash 66b18113fde0d5245 of a Merkle-Tree d2b1df0c4f7b4a5d23

� � Cryptographic Signatures Alice sk pk secret key, data public key, data that sk pk that only Alice knows everybody knows

Cryptographic Signatures Alice Bob share public key pk sk pk

Cryptographic Signatures Alice Bob pk message m sk s =sign( m , sk ) signature s 0xA43B3E87…