Byzantine Generals Problem & FLP Impossibility Addendum Sep. - - PowerPoint PPT Presentation

Byzantine Generals Problem & FLP Impossibility

Addendum

• Sep. 4th, 2019

Byzantine Fault Tolerance

• Given 6 Generals: 4 Loyal General, 2 Traitor
• Why is a solution for this impossible?

G

Each loyal general receives 3 correct values and 2 wrong values => No problem 1 1 1 1

Byzantine Fault Tolerance

• Given 6 Generals: 4 Loyal General, 2 Traitor
• Problem occurs when a traitor needs to send messages
• Other traitors can mirror the general

G

Two of the loyal generals receive 3 times the value 0

Byzantine Fault Tolerance

• Given 6 Generals: 4 Loyal General, 2 Traitor
• Problem occurs when a traitor needs to send messages
• Other traitors can mirror the general

G 1 1

Two of the loyal generals receive 3 times the value 0 1 1 1 1 1 1 Two of the loyal generals receive 3 times the value 1

G

1 1

• 1

Byzantine Fault Tolerance

• Given 6 Generals: 4 Loyal General, 2 Traitor
• Problem occurs when a traitor needs to send messages
• Other traitors can mirror the general

G 1 1

Two of the loyal generals receive 3 times the value 0 1 1 1 1 1 1 Two of the loyal generals receive 3 times the value 1

G

0 0 Not all loyal generals use the same value v(i) for a traitorous general 1 1 1 1 1 1 1 1 1 1

Take away “FLP Result”

Fault tolerance termination (also called liveness, aka “we make progress”) Consensus (also called “safety”, or “agreement”,

• aka. “we all do the same”)

pick 2

Take away “FLP Result”

Fault tolerance termination (also called liveness, aka “we make progress”) Consensus (also called “safety”, or “agreement”,

• aka. “we all do the same”)

pick 2

Blockchains that switch to the longest chain trade consensus for probabilistic finality Basic blockchains where participants simply build

• n top of the existing

block do not care about contenders

Cryptography Essentials and Data Structures

Sep 4, 2019

Today’s goal

• At the end of the next lecture, we will present the first homework:
• Build a simple blockchain
• Verify ownership
• Verify inclusion of data
• For this, we need certain cryptographic tool and
• Hash function
• Cryptographic Signatures
• Merkle-Trees
• Block chains

Hash

• Any arbitrary data (text, images, videos, etc.) can be represented as a

sequence of 0 and 1, written as

• A hash is a function

that maps arbitrary input to a certain value of bits

• Can be used to verify data integrity or as data structure
• A

= dataElement

{0,1}n ℋ : {0,1}n → {0,1}m m [ℋ(dataElement)]

“San Jose is a large city surrounded by rolling hills in Silicon Valley, a major technology hub in California's Bay Area.”

Hash

• Examples:
• Modulo

(amount of 1’s mod n)

• MD5
• MD5("The quick brown fox jumps over the lazy dog")

= 0x9e107d9d372bb6826bd81d3542a419d6

ℋ : {0,1}n → {0,1}m

Cryptographic Hash

• Requirements:

easy to compute

• finding (pre-image) so that

impossible*

• Such functions are called
• One-way functions
• trapdoor functions

ℋ(x) x ℋ(x) = y

*in a reasonable amount of time

Cryptographic Hash

• Examples

Name Year Output size considered safe? MD2 1989 128 bits no MD5 1992 128 bits no RadioGatún 2006 unlimited first 304 bits SHA3 2015 224/256/384/512 yes

• Output value shall be as unpredictable as possible
• changing the input by 1 bit should change each output

bit with a probability of 50%

• Hash("The quick brown fox jumps over the lazy dog")
• 0x 730e109bd7a8a32b1cb9d9a09aa2325d2430587ddbc0c38bad911525
• Hash("The quick brown fox jumps over the lazy dog.")
• 0x 619cba8e8e05826e9b8c519c0a5c68f4fb653e8a3d8aa04bb2c8cd4c

Cryptographic Hash

Sponge-based Hash approaches

• State of the art, e.g. SHA3
• Absorb data, Squeeze out result
• One pass over the data is needed, usable for data streams

Hashes as building blocks

• Use the one-way property of hash functions
• Encryption (later)
• Proof of list membership
• Show that an element was part of a record

List Membership Proof

• Proof that a record was part of a collection
• How to put stuff on the blockchain
• Prove existence by pointing to the item within the record

If an item does not

• ccur in our records, it doesn’t

exist

List Membership Proof

• Proof that a record was part of a collection
• How to put stuff on the blockchain
• Examples
• Assume we store every day list of every person born.
• How this be used as birth certificate?
• A set of transactions happened in a block
• How can I proof a specific transaction?
• I published a great idea (as a patent/on the internet, etc.)
• How can I prove that it was published

Naive Membership Proof

• Proof that a record was part of a collection
• Approach:
• Assemble the (ordered) list of all entries
• store for every day the hash of that list.

Date Hash of list 1 April 1990 0x A4356DE2… 2 April 1990 0x 5BB823A… 3 April 1990 0x 40A03C1… 4 April 1990 0x 563FE22…

…

Naive Membership Proof

• Proof of Membership:
• publish list of all entries
• Point to entry in question

1 April 1990 2 April 1990 … …

Naive Membership Proof

• Proof of Membership:
• publish list of all entries
• Point to entry in question
• Serves the purpose
• Everybody can verify that
• The record in question is in the list
• The hash of the entire list corresponds to the publicly

known value

• Not very efficient
• The space needed to store/transmit a proof is the size of all

entries together

• Computation complexity is one Hash of a (large) list

List Membership Proof

Can we do better?

Merkle-Tree

ABC DEF GHI JKL MNO PQR

h1 = ℋ(

)

ABC h2 = ℋ(

)

DEF h3 = ℋ(

)

GHI h4 = ℋ(

)

JKL h5 = ℋ(

)

MNO h6 = ℋ(

)

PQR

h1,2 = ℋ(h1|h2) h3,4 = ℋ(h3|h4) h5,6 = ℋ(h5|h6)

h12,34 = ℋ(h1,2|h3,4) h56,78 = ℋ(h5,6 h

h1234,5678 = ℋ(h12,34|h56,78)

Merkle Tree

• Compute the binary hash tree
• Start with hashing all entries (as leafs)
• Build the tree from the leafs to the root
• The value of each node is the hash of the 2 children

def buildMerkleTree(listOfElement, posLeft, posRight): # if we are at a leaf if (posLeft == posRight): return HASH(listOfElement[posLeft]) centerElement = (posLeft+posRight)/2 leftHash = buildMerkleTree(listOfElement, posLeft, centerElement) rightHash = buildMerkleTree(listOfElement, centerElement+1, posRight) return HASH(leftHash + rightHash)

Merkle Tree

ABC DEF GHI JKL MNO PQR STU VWX 902fbdd 822dd49 81fe8a9 c0abbff 9500c76 cda131d ec62361 697821b 956878910d85 822d73d3f596 ec0e9d8e9448 80e3665aeab5 9241c2f596b7bf2d2 8bfe92e5f8ac627777 0b768f11c4302d1354

Merkle Tree

• Consider the paths in the tree from the root to a leaf

ABC DEF GHI JKL MNO PQR STU VWX 902fbdd 822dd49 81fe8a9 c0abbff 9500c76 cda131d ec62361 697821b 956878910d85 822d73d3f596 ec0e9d8e9448 80e3665aeab5 9241c2f596b7bf2d2 8bfe92e5f8ac627777 0b768f11c4302d1354

Merkle Tree

• Prover publishes the following proof:
• Consider the Merkle Tree with root “0b768f11c4302d1354”
• The root can be constructed via

0b768f11c4302d1354 = h(9241c2f596b7bf2 + 8bfe92e5f8ac627777)

• The left child can be constructed via

9241c2f596b7bf2d2d = h(956878910d853ef + 822d73d3f596c05538)

• The right child can be constructed via

822d73d3f596c05538 = h(81fe8a9f162d7d7 + c0abbff7cfaca6720f)

• The left child can be constructed via

81fe8a9f162d7d7 = h(“GHI”)

Merkle Tree

• Given a good hash function, nobody can find a pre-image of a hash
• A statement such as can be constructed via

9241c2f596b7bf2d2d = h(956878910d853ef + 822d73d3f596c05538)

can only be recorded during the creation process, but not inferred at a later point.

• Correct paths (proofs of membership) cannot be faked
• Invalid paths can easily be detected
• Efficiency:
• Proof size is 2*sizeOf(Hash) at each node, path length is log(n)

much better than naive way

O(log n) O(n)

Merkle Tree Proof Security

• Merkle Trees are computationally as secure as the hash

function

• for older hash functions (e.g. MD5) it is possible to find

collisions

• I can publish an valid proof that my data is in the

record, even though it is not

• modern hash functions (e.g. SHA3) are still fine

Block chain

Blockchain

• A block chain build upon the idea that

the preimage of a hash cannot be computed.

• A data-holding blockchain needs at

least 2 entries

• History in a blockchain can be

traced backward through a link to the hash of the previous block

• Data can be “put on the

blockchain” by saving the root hash

• f a Merkle-Tree

4b3e14a82aa76bd45 f4a6abaef7e8c06038 f7cfaca6720f66b1ad 0f66b118113fde0d5 caea329c95c8fe288a b36beccadac2a246a d2b1df0c4f7b4a5d23 66b18113fde0d5245

Cryptographic Signatures

Alice pk sk

• secret key, data

that only Alice knows

sk

• public key, data that

everybody knows

pk

Cryptographic Signatures

Alice pk sk Bob

share public key

pk

Cryptographic Signatures

Alice Bob

sk 0xA43B3E87… s=sign(m,sk) message m pk signature s

Cryptographic Signatures

Alice Bob

sk 0xA43B3E87… s=sign(m,sk) message m send message send signature signature s

Cryptographic Signatures

Alice Bob

sk 0xA43B3E87… s=sign(m,sk) message m pk send message send signature verify(m,s,pk) signature s

Use of signature

• Python

from Crypto.Hash import SHA256 from Crypto.PublicKey import RSA from Crypto import Random plaintext = "This is a text by me" rng = Random.new().read RSAkey = RSA.generate(1024, rng) # This may take a while... hash = SHA256.new(plaintext).digest() signature = RSAkey.sign(hash, rng) #RSAkey.verify(hash, signature) # This sig will check out #RSAkey.verify(hash[:-1], signature) # This sig will fail

Python Cryptography Toolkit, https://www.dlitz.net/software/pycrypto/doc/

Summary

• Background for the homework:
• Build a simple blockchain
• Verify ownership
• Verify inclusion of data
• Cryptographic tools
• Hash function
• Cryptographic Signatures
• Merkle-Trees
• Block chains