Publication


Featured research published by Matthias Fitzi.


Theory of Cryptography Conference | 2007

Towards optimal and efficient perfectly secure message transmission

Matthias Fitzi; Matthew K. Franklin; Juan A. Garay; S. Harsha Vardhan

Perfectly secure message transmission (PSMT), a problem formulated by Dolev, Dwork, Waarts and Yung, involves a sender S and a recipient R who are connected by n synchronous channels of which up to t may be corrupted by an active adversary. The goal is to transmit, with perfect security, a message from S to R. PSMT is achievable if and only if n > 2t. For the case n > 2t, the lower bound on the number of communication rounds between S and R required for PSMT is 2, and the only known efficient (i.e., polynomial in n) two-round protocol involves a communication complexity of O(n^3 l) bits, where l is the length of the message. A recent solution by Agarwal, Cramer and de Haan is provably communication-optimal by achieving an asymptotic communication complexity of O(nl) bits; however, it requires the messages to be exponentially large, i.e., l = ω(2^n). In this paper we present an efficient communication-optimal two-round PSMT protocol for messages of length polynomial in n that is almost optimally resilient in that it requires a number of channels n ≥ (2 + ɛ)t, for any arbitrarily small constant ɛ > 0. In this case, optimal communication complexity is O(l) bits.


Physical Review Letters | 2001

Quantum Solution to the Byzantine Agreement Problem

Matthias Fitzi; Nicolas Gisin; Ueli Maurer

We present a solution to an old problem in distributed computing. In its simplest form, a sender has to broadcast some information to two receivers, but they have access only to pairwise communication channels. Unlike quantum key distribution, here the goal is not secrecy but agreement, and the adversary (one of the receivers or the sender himself) is not outside but inside the game. Using only classical channels this problem is provably impossible. The solution uses pairwise quantum channels and entangled qutrits.


International Symposium on Distributed Computing | 1998

Efficient Byzantine Agreement Secure Against General Adversaries

Matthias Fitzi; Ueli Maurer

This paper presents protocols for Byzantine agreement, i.e. for reliable broadcast, among a set of n players, some of which may be controlled by an adversary. It is well-known that Byzantine agreement is possible if and only if the number of cheaters is less than n/3. In this paper we consider a general adversary that is specified by a set of subsets of the player set (the adversary structure), and any one of these subsets may be corrupted by the adversary. The only condition we need is that no three of these subsets cover the full player set. A result of Hirt and Maurer implies that this condition is necessary and sufficient for the existence of a Byzantine agreement protocol, but the complexity of their protocols is generally exponential in the number of players. The purpose of this paper is to present the first protocol with polynomial message and computation complexity for any (even exponentially large) specification of the adversary structure. This closes a gap in a recent result of Cramer, Damgård and Maurer on applying span programs to secure multi-party computation.


Symposium on the Theory of Computing | 2000

From partial consistency to global broadcast

Matthias Fitzi; Ueli Maurer

This paper considers unconditionally secure protocols for reliable broadcast among a set of players, some of which may be corrupted by an active (Byzantine) adversary. In the standard model with a complete, synchronous network of pairwise authentic communication channels among the players, broadcast is achievable if and only if the number of corrupted players is less than . We show that, by extending this model only by the existence of a broadcast channel among three players, global broadcast is achievable if and only if the number of corrupted players is less than . Moreover, for this an even weaker primitive than broadcast among three players is sufficient. All protocols are efficient.


Theory of Cryptography Conference | 2006

Round-Optimal and Efficient Verifiable Secret Sharing

Matthias Fitzi; Juan A. Garay; Shyamnath Gollakota; C. Pandu Rangan; Kannan Srinathan

We consider perfect verifiable secret sharing (VSS) in a synchronous network of n processors (players) where a designated player called the dealer wishes to distribute a secret s among the players in a way that no t of them obtain any information, but any t + 1 players obtain full information about the secret. The round complexity of a VSS protocol is defined as the number of rounds performed in the sharing phase. Gennaro, Ishai, Kushilevitz and Rabin showed that three rounds are necessary and sufficient when n > 3t. Sufficiency, however, was only demonstrated by means of an inefficient (i.e., exponential-time) protocol, and the construction of an efficient three-round protocol was left as an open problem. In this paper, we present an efficient three-round protocol for VSS. The solution is based on a three-round solution of so-called weak verifiable secret sharing (WSS), for which we also prove that three rounds is a lower bound. Furthermore, we also demonstrate that one round is sufficient for WSS when n > 4t, and that VSS can be achieved in 1 + ε amortized rounds (for any ε > 0) when n > 3t.


Principles of Distributed Computing | 2006

Optimally efficient multi-valued byzantine agreement

Matthias Fitzi; Martin Hirt

All known protocols for Byzantine agreement (BA) among n players require the message to be communicated at least Ω(n^2) times, which results in an overall communication complexity of at least Ω(l n^2) bits for an l-bit message. We present the first BA protocol in which the message is communicated only O(n) times (the hidden factor is less than 2). More concretely, for a given synchronous broadcast protocol which communicates B(b) bits for reaching agreement on a b-bit message with security parameter κ, our construction yields a synchronous BA protocol with communication complexity O(ln + nB(n + κ)) bits. Our reduction is information theoretically secure and tolerates up to t < n/2 corrupted players, which is optimal for the consensus variant of BA. Although this resilience is not optimal for the broadcast (Byzantine generals) variant, it is sufficient for most distributed applications that involve BA protocols since they typically require t < n/2.


International Cryptology Conference | 2002

Unconditional Byzantine Agreement and Multi-party Computation Secure against Dishonest Minorities from Scratch

Matthias Fitzi; Nicolas Gisin; Ueli Maurer; Oliver von Rotz

It is well-known that n players, connected only by pairwise secure channels, can achieve unconditional broadcast if and only if the number t of cheaters satisfies t < n/3. In this paper, we show that this bound can be improved - at the sole price that the adversary can prevent successful completion of the protocol, but in which case all players will have agreement about this fact. Moreover, a first time slot during which the adversary forgets to cheat can be reliably detected and exploited in order to allow for future broadcasts with t < n/2. This even allows for secure multi-party computation with t < n/2 after the first detection of such a time slot.


Journal of Cryptology | 2005

Minimal Complete Primitives for Secure Multi-Party Computation

Matthias Fitzi; Juan A. Garay; Ueli Maurer; Rafail Ostrovsky

The study of minimal cryptographic primitives needed to implement secure computation among two or more players is a fundamental question in cryptography. The issue of complete primitives for the case of two players has been thoroughly studied. However, in the multi-party setting, when there are n > 2 players and t of them are corrupted, the question of what are the simplest complete primitives remained open for t ≥ n/3. (A primitive is called complete if any computation can be carried out by the players having access only to the primitive and local computation.) In this paper we consider this question, and introduce complete primitives of minimal cardinality for secure multi-party computation. The cardinality issue (number of players accessing the primitive) is essential in settings where primitives are implemented by some other means, and the simpler the primitive the easier it is to realize. We show that our primitives are complete and of minimal cardinality possible for most cases.


Journal of Cryptology | 2005

Byzantine Agreement Given Partial Broadcast

Jeffrey Considine; Matthias Fitzi; Matthew K. Franklin; Leonid A. Levin; Ueli Maurer; David Metcalf

This paper considers unconditionally secure protocols for reliable broadcast among a set of n players, where up to t of the players can be corrupted by a (Byzantine) adversary but the remaining h = n - t players remain honest. In the standard model with a complete, synchronous network of bilateral authenticated communication channels among the players, broadcast is achievable if and only if 2n/h < 3. We show that, by extending this model by the existence of partial broadcast channels among subsets of b players, global broadcast can be achieved if and only if the number h of honest players satisfies 2n/h < b + 1. Achievability is demonstrated by protocols with communication and computation complexities polynomial in the size of the network, i.e., in the number of partial broadcast channels. A respective characterization for the related consensus problem is also given.


International Symposium on Distributed Computing | 1999

Byzantine Agreement Secure against General Adversaries in the Dual Failure Model

Bernd Altmann; Matthias Fitzi; Ueli Maurer

This paper introduces a new adversary model for Byzantine agreement and broadcast among a set P of players in which the adversary may perform two different types of player corruption: active (Byzantine) corruption and fail-corruption (crash). As a strict generalization of the results of Garay and Perry, who proved tight bounds on the maximal number of actively and fail-corrupted players, the adversary's capability is characterized by a set Z of pairs (A, F) of subsets of P where the adversary may select an arbitrary such pair (A_i, F_i) from Z and corrupt the players in A_i actively and fail-corrupt the players in F_i. For this model we prove that the exact condition on Z for which perfectly secure agreement and broadcast are achievable is that for no three pairs (A_i, F_i), (A_j, F_j), and (A_k, F_k) in Z we have A_i ∪ A_j ∪ A_k ∪ (F_i ∩ F_j ∩ F_k) = P. Achievability is demonstrated by efficient protocols. Moreover, for a slightly stronger condition on Z, which covers the previous mixed (active and fail-corruption) threshold condition and the previous purely-active non-threshold condition, we demonstrate agreement and broadcast protocols that are substantially more efficient than all previous protocols for these two settings.
