13 research outputs found

    Dynamic Probabilistic Input Output Automata

    We present probabilistic dynamic I/O automata, a framework to model dynamic probabilistic systems. Our work extends the dynamic I/O Automata formalism of Attie & Lynch [Paul C. Attie and Nancy A. Lynch, 2016] to the probabilistic setting. The original dynamic I/O Automata formalism included operators for parallel composition, action hiding, action renaming, automaton creation, and behavioral sub-typing by means of trace inclusion. They can model mobility by using signature modification. They are also hierarchical: a dynamically changing system of interacting automata is itself modeled as a single automaton. Our work extends all these features to the probabilistic setting. Furthermore, we prove necessary and sufficient conditions to obtain the monotonicity of automata creation/destruction with implementation preorder. Our construction uses a novel proof technique based on homomorphism that can be of independent interest. Our work lays down the foundations for extending the composable secure-emulation of Canetti et al. [Ran Canetti et al., 2007] to dynamic settings, an important tool towards the formal verification of protocols combining probabilistic distributed systems and cryptography in dynamic settings (e.g. blockchains, secure distributed computation, cybersecure distributed protocols, etc.).

    Brief Announcement: Polygraph: Accountable Byzantine Agreement

    Composable Dynamic Secure Emulation

    This work extends the composable secure-emulation of Canetti et al. to dynamic settings. Our work builds on top of dynamic probabilistic I/O automata, a recent framework introduced to model dynamic probabilistic systems. Our extension is an important tool towards the formal verification of protocols combining probabilistic distributed systems and cryptography in dynamic settings (e.g. blockchains, secure distributed computation, cybersecure distributed protocols, etc.).

    Polygraph: Accountable Byzantine Agreement

    In this paper, we introduce Polygraph, the first accountable Byzantine consensus algorithm. If among $n$ users $t < n/3$ are malicious then it ensures consensus; otherwise (if $t \geq n/3$), it eventually detects malicious users that cause disagreement. Polygraph is appealing for blockchain applications as it allows them to totally order blocks in a chain whenever possible, hence avoiding forks and double spending and, otherwise, to punish (e.g., via slashing) at least $n/3$ malicious users when a fork occurs. This problem is more difficult than perhaps it first appears. One could try identifying malicious senders by extending classic Byzantine consensus algorithms to piggyback signed messages. We show however that to achieve accountability the resulting algorithms would then need to exchange $\Omega(\kappa \cdot n^2)$ more bits, where $\kappa$ is the security parameter of the signature scheme. By contrast, Polygraph has communication complexity $O(\kappa \cdot n^4)$. Finally, we implement Polygraph in a blockchain committing more than 10,000 TPS when deployed on 80 geodistributed machines.

    All Byzantine Agreement Problems are Expensive

    Byzantine agreement, arguably the most fundamental problem in distributed computing, operates among $n$ processes, out of which $t < n$ can exhibit arbitrary failures. The problem states that all correct (non-faulty) processes must eventually decide (termination) the same value (agreement) from a set of admissible values defined by the proposals of the processes (validity). Depending on the exact version of the validity property, Byzantine agreement comes in different forms, from Byzantine broadcast to strong and weak consensus, to modern variants of the problem introduced in today's blockchain systems. Regardless of the specific flavor of the agreement problem, its communication cost is a fundamental metric whose improvement has been the focus of decades of research. The Dolev-Reischuk bound, one of the most celebrated results in distributed computing, proved 40 years ago that, at least for Byzantine broadcast, no deterministic solution can do better than $\Omega(t^2)$ exchanged messages in the worst case. Since then, it remained unknown whether the quadratic lower bound extends to seemingly weaker variants of Byzantine agreement. This paper answers the question in the affirmative, closing this long-standing open problem. Namely, we prove that any non-trivial agreement problem requires $\Omega(t^2)$ messages to be exchanged in the worst case. To prove the general lower bound, we determine the weakest Byzantine agreement problem and show, via a novel indistinguishability argument, that it incurs $\Omega(t^2)$ exchanged messages.

    Every Bit Counts in Consensus

    Consensus enables $n$ processes to agree on a common valid $L$-bit value, despite $t < n/3$ processes being faulty and acting arbitrarily. A long line of work has been dedicated to improving the worst-case communication complexity of consensus in partial synchrony. This has recently culminated in the worst-case word complexity of $O(n^2)$. However, the worst-case bit complexity of the best solution is still $O(n^2 L + n^2 \kappa)$ (where $\kappa$ is the security parameter), far from the $\Omega(n L + n^2)$ lower bound. The gap is significant given the practical use of consensus primitives, where values typically consist of batches of large size ($L > n$). This paper shows how to narrow the aforementioned gap while achieving optimal linear latency. Namely, we present a new algorithm, DARE (Disperse, Agree, REtrieve), that improves upon the $O(n^2 L)$ term via a novel dispersal primitive. DARE achieves $O(n^{1.5} L + n^{2.5} \kappa)$ bit complexity, an effective $\sqrt{n}$-factor improvement over the state-of-the-art (when $L > n \kappa$). Moreover, we show that employing heavier cryptographic primitives, namely STARK proofs, allows us to devise DARE-Stark, a version of DARE which achieves the near-optimal bit complexity of $O(n L + n^2 \mathrm{poly}(\kappa))$. Both DARE and DARE-Stark achieve optimal $O(n)$ latency.

    Crime and Punishment in Distributed Byzantine Decision Tasks (Extended Version)

    A decision task is a distributed input-output problem in which each process starts with its input value and eventually produces its output value. Examples of such decision tasks are broad and range from consensus to reliable broadcast to lattice agreement. A distributed protocol solves a decision task if it enables processes to produce admissible output values despite arbitrary (Byzantine) failures. Unfortunately, it has been known for decades that many decision tasks cannot be solved if the system is overly corrupted, i.e., safety of distributed protocols solving such tasks can be violated in unlucky scenarios. By contrast, only recently did the community discover that some of these distributed protocols can be made accountable by ensuring that correct processes irrevocably detect some faulty processes responsible for any safety violation. This realization is particularly surprising (and positive) given that accountability is a powerful tool to mitigate safety violations in distributed protocols. Indeed, exposing crimes and introducing punishments naturally incentivize exemplarity. In this paper, we propose a generic transformation of any non-synchronous distributed protocol solving a decision task into its accountable version. Our transformation is built upon the well-studied simulation of crash failures on top of Byzantine failures and increases the communication complexity by a quadratic multiplicative factor in the worst case

    Specification of Dynamic Probabilistic Secure Distributed Systems

    This thesis proposes a natural hierarchical model for dynamic probabilistic distributed systems. The model extends in an intuitive way the labeled transition systems that best capture the intuition of an object moving from one state to another. The model consists of 3 essential ingredients: (1) a parallel composition operation, denoted ||, which represents a new object A||B resulting from the interaction between two objects A and B, (2) a pre-order relation <=, where A <= B means that the object A implements the object B in the sense of an observational semantics, (3) the composability property for <=, that is, A <= B implies C||A <= C||B, (4) a hierarchical structure, i.e. a system X, composed of objects interacting with each other and able to join and leave the system dynamically, is also an object of the model. Furthermore, the thesis discusses the conditions to obtain (5) the monotonicity (with <=) of dynamic creation/destruction of objects, i.e., if (i) A <= B and (ii) X_A and X_B differ only by the fact that X_A dynamically creates and destroys the object A instead of dynamically creating and destroying the object B as X_B does, then (iii) X_A <= X_B. The model comes in several variants (asynchronous, timed, bounded) and allows a modular design and a refinement methodology based only on the notion of externally observable behavior.

    Spécification des systèmes distribués dynamiques probabilistes sécurisés

    This thesis proposes a natural hierarchical model for dynamic probabilistic distributed systems. The model extends in an intuitive way the labeled transition systems that best capture the intuition of an object moving from one state to another. The model consists of 3 essential ingredients: (1) a parallel composition operation, denoted ||, which represents a new object A||B resulting from the interaction between two objects A and B, (2) a pre-order relation <=, where A <= B means that the object A implements the object B in the sense of an observational semantics, (3) the composability property for <=, that is, A <= B implies C||A <= C||B, (4) a hierarchical structure, i.e. a system X, composed of objects interacting with each other and able to join and leave the system dynamically, is also an object of the model. Furthermore, the thesis discusses the conditions to obtain (5) the monotonicity (with <=) of dynamic creation/destruction of objects, i.e., if (i) A <= B and (ii) X_A and X_B differ only by the fact that X_A dynamically creates and destroys the object A instead of dynamically creating and destroying the object B as X_B does, then (iii) X_A <= X_B. The model comes in several variants (asynchronous, timed, bounded) and allows a modular design and a refinement methodology based only on the notion of externally observable behavior.

    As easy as ABC: Optimal (A)ccountable (B)yzantine (C)onsensus is easy!

    It is known that the agreement property of the Byzantine consensus problem among $n$ processes can be violated in a non-synchronous system if the number of faulty processes exceeds $t_0 = n / 3 - 1$. In this paper, we investigate the accountable Byzantine consensus problem in non-synchronous systems: the problem of solving Byzantine consensus whenever possible (e.g., when the number of faulty processes does not exceed $t_0$) and allowing correct processes to obtain proof of culpability of (at least) $t_0 + 1$ faulty processes whenever correct processes disagree. We present four complementary contributions: 1) We introduce $ABC$: a simple yet efficient transformation of any Byzantine consensus protocol to an accountable one. $ABC$ introduces an overhead of (1) only two all-to-all communication rounds and $O(n^2)$ additional bits in executions with up to $t_0$ faults (i.e., in the common case). 2) We define the accountability complexity, a complexity metric representing the number of accountability-specific messages that correct processes must send. Furthermore, we prove a tight lower bound. In particular, we show that any accountable Byzantine consensus algorithm incurs cubic accountability complexity. Moreover, we illustrate that the bound is tight by applying the $ABC$ transformation to any Byzantine consensus protocol. 3) We demonstrate that, when applied to an optimal Byzantine consensus protocol, $ABC$ constructs an accountable Byzantine consensus protocol that is (1) optimal in solving consensus whenever consensus is solvable with respect to the communication complexity, and (2) optimal in obtaining accountability whenever disagreement occurs with respect to the accountability complexity. 4) We generalize $ABC$ to other distributed computing problems besides the classic consensus problem. We characterize a class of agreement tasks, including reliable and consistent broadcast, that $ABC$ renders accountable.