The classic Fischer, Lynch, and Paterson impossibility proof demonstrates that any deterministic protocol for consensus in either a message-passing or shared-memory system must violate at least one of termination, validity, or agreement in some execution. But it does not provide an efficient procedure to find such a bad execution. We show that for wait-free shared-memory consensus, given a protocol in which each process performs at most $s$ steps computed with total time complexity at most $t$, there exists an adversary algorithm that takes the processes' programs as input and computes within $O(st)$ time a schedule that violates agreement. We argue that this bound is tight assuming the random oracle hypothesis: there exists a deterministic obfuscated consensus protocol that forces the adversary to spend $\Omega(st)$ time to find a bad execution despite having full access to all information available to the protocol. This bound is based on a general algorithm that reduces constructing an obfuscated consensus protocol to constructing an obfuscated threshold function that provably costs $\Omega(t)$ time to evaluate on a single input, where $t$ is a tunable parameter, and for which an adversary with access to the threshold function implementation cannot extract the threshold any faster than by doing binary search. We give a particular implementation of such an obfuscated threshold function that is not very efficient but that is provably secure assuming the random oracle hypothesis. Since our obfuscated consensus protocol does not depend on the specific details of this construction, it may be possible to replace it with one that is more efficient or requires weaker cryptographic assumptions, a task we leave for future work.