Consensus for Byzantine failures Advanced Network Security

14-05-18

1

Jaap-Henk Hoepman

Digital Security (DS)Radboud University Nijmegen, the Netherlands

@xotoxot // * [email protected] // 8 www.cs.ru.nl/~jhh

Advanced Network Security5. Agreement and consensus II:

Byzantine failures

Jaap-Henk Hoepman // Radboud University Nijmegen //

Consensus for Byzantine failures

n Remember: Byzantine processors may lie…

n What goes wrong in the protocol for crash failures?● If ! = # + 1 then there is a non faulty processor & with ! = '; &; ).

Then at round ' + 1 processor & sent * = *+, to - as well (as the first processor in )). By construction *+, = *./ (as the processors in )forward this value to each other to finally deliver it to 0). Again * ∈ 23

29-2-2016 // Fault Tolerance - Byzantine Generals 2


Byzantine failures: ! < #/% is necessary

n Suppose & = 3 and ) = 1

29-2-2016 // Fault Tolerance - Byzantine Generals3

1

1 ?

a

b c

a and b must decide 1

+,-,+-, +,/,+/,

+-/,+/-

0

? 0

a

b c

a and c must decide 0

+′′,-,+′′-, +′,/,+′/,

+-/,+/-

?

1 0b c

+,-,+-, +′,/,+′/,

+-/,+/-

b decides 1, as it sees the same messages, yet c decides 0as it sees the same messages

a


A protocol tolerating ! < #/% byzantine failures

n Again each processor & builds the following tree '(


)*+,*-,..,*/( means: 01told &,

that 0123told 01,….that 03’s value is )

Initially all ⊥)5( = 7 & . 89

)5(

)3( )*( ):(

):,3( ):,:23()3,;( )3,:(

Level 0

Level 1

Level 2

Level <

Level = + 1

)@(

Level < + 1 )@;B( for all C ∉ E, i.e. 9 − E = 9 − < children

14-05-18

2


Byzantine failures: decision more complex

n Associate a decision value !"# to each node in the tree● After tree is filled with values top down, it is filled with decision

values bottom up

● !$# is the value for % & . !()*+*,- that & decides on

n Define ./0,1*23 4 be the value that occurs most in a set 4, using some constant ⊥ to break ties

29-2-2016 // Fault Tolerance - Byzantine Generals 5 Jaap-Henk Hoepman // Radboud University Nijmegen //

Lamport’s OM protocol for building the tree

n We write !"#$(&, () to make clear processor * executes this to

propagate ( and to keep track of ‘stack trace’ +● !"#

$ &, ( is executed by * for all + s.t. |+| = . − & and * ∉ +● It sends ( = (#$ to all nodes 1 (as message &#;$

3 , stored by 1 as (#;$3 ), and instructs them to propagate the value through recursion

● It essentially builds *’s part of the subtrees rooted at + for all processors; together with the other !"#

3() the whole subtrees rooted at + are built.

● The protocol starts with !"4$(., 5 * . 78) for all *



m-1 rounds

Lamport’s OM protocol

n !"#$ 0, ' :

● Send v#$ as *#;$, to all -

● All processors - that receive it set '#;$, = *#;$, ; set ⊥ if no value received ; and set 0#;$, = '#;$,

● Set 0#$ = "1234567( 0#;,$ |- ∉ ; )n !"#

$ *, ' for 0 < * ≤ ?● Send ' as *#;$

, to all -● All processors - that receive it set '#;$, = *#;$

, = '; set ⊥ if no value received

● Trigger !"#;$, (* − 1, '#;$, ) for all - ∉ ;; B

« Or rather: when receiving *#;,$ execute !"#;,

$ (* − 1,*#;,$ ) if B ∉ ;; -

● Set 0#$ = "1234567( 0#;,$ |- ∉ ; )n Start as !"C

$(?, D B . 5F) for all B in round 0● Storing D B . 5F as 'C$


Here ;; B = ? + 1


A protocol tolerating ! < #/% byzantine failures

n Again each processor & builds the following tree '(


)*+,*-,..,*/( means: 01told &,

that 0123told 01,….that 03’s value is )

Initially all ⊥)5( = 7 & . 89

)5(

)3( )*

( ):(

):,3( ):,:23

()3,;( )3,:

(

Level 0

Level 1

Level 2

Level <

Level = + 1

)@(

Level < + 1 )@;B( for all C ∉ E, i.e. 9 − E = 9 − < children

GH5(

GH3,:(

GH3(

14-05-18

3


One step in detail


!",$%&'",$%

Level 0

Level 1

Level 2

Level 3

&'"$!"$)",$

% )",$$*"

!",$,%+

&',"

!,"

)",$,%+


So building the tree is the same protocol as for crash failures.

n Before round 1● Initialise tree. Set all !"# =⊥ and !&# = ' ( . *+

n Round ,, 1 ≤ , ≤ 0 + 1● For all 2 with 2 = , − 1 ∧ ( ∉ 2, send !"# to all processors 6 (including ()

«Call this message 7";#9

● Receive all 7";:# addressed to ( and store in !";:#

«By the protocol ; ∉ 2 so ( receives + − (, − 1) such messages from each ;


!9>,9?,..,9@# means: 6Atold (,

that 6ABCtold 6A,….that 6C’s value is !

Initially all ⊥!&# = ' ( . *+


Deciding on a value

n Work from the leaves upwards● !"# = %"# for * = + + 1● !"# = ./012345( !";8# |: ∉ * ) otherwise

● Node = decides on !>#


Correctness

n Lemma 1: If !, #, $ are non faulty, then for all % we have &';)* = &';),● If $ is non faulty, it sends the same value to ! and #. If ! and # are non

faulty the record this value correctly.

n Set -'* = &'* for all leaves, ie % = . + 1


We reason over all trees

14-05-18

4


Correctness

n Lemma 1: If !, #, $ are non faulty, then for all % we have &';)* = &';),n Lemma 2: Let % be arbitrary and let $ be non faulty. Then there is a

value & such that for all non faulty p we have .';)* = &';)* = &.● By induction on the length of %; $ starting with the leaves (length / + 1)● The base case follows from lemma 1 and the fact that for %; $ = / + 1 we

have .';)* = &';)* .● Now suppose 0 ≤ %; $ < / + 1. By lemma 1 all non faulty processors have the

same value &';)* = &. Then all non-faulty processors ! ∉ %; $ send & as 6';);*, to

all other processors #. If non faulty, # sets &';);*, = &.

● By the induction hypothesis we have .';);*, = &';);*, = & for all non faulty #.● The number of children of a node with label %; $ is 7 − %; $ ≥ 7 − / > 2/● Hence the majority of children is non-faulty, and so .';), = <=>?$@AB(D

E.';);*, |! ∉

% ) = & as required


Lemma 2

n ! arbitrary and " be non faulty.

n Base case !; " = % + 1 n Induction !; " = ( + 1 < % + 1


*+, = **+;,- = * *+;,. = *

Level %Level % + 1

/+;,- = * /+;,. = *

Level (Level ( + 1

Decision values equal thereceived values for theleaves in the tree

*+, = **+;,- = * *+;,. = *

*+;,;-. = * *+;,;0. = *

1 − !; " ≥ 1 − % > 2%children.All non faulty (the majority) have *+6. = *

/+;,. = *


Validity

n Theorem: If all non faulty processors have input ! they decide on !● If all non faulty processors have input !, they send ! to all other

nodes in the first round. As a result !"# = ! for all correct % and &.

● By lemma 2 '"# = ! for all correct % and & and hence '(# =)*+,-./0 '"# 1,- *22 & = !


Agreement

n Definition 1. ! is common if "#$ = "#& for all pairs of non faulty ', ).

n Definition 2. A subset * of nodes in a tree + is a path cover of + if all paths from the leaves to the root visit at least one node in *.

n Definition 3. A path cover * is common if all nodes in * are common. (Note: this does not require "#$ = "#,& for different !, !′.


cover

14-05-18

5


Agreement

n Lemma 3. There exists a common path covering of the tree constructed by the consensus algorithm● All paths from the root to a leaf correspond to a label ! with length " + 1.

● Then ! = !'; ); !'' for some non faulty )● By lemma 2 *+’;-. = *+’;-/ for all non faulty 0, 2 and so !’; ) is common

and on the path


Agreement

n Lemma 4. Let ! be a node. If there is a common path covering of the subtree rooted at !, then ! is common itself.● By induction on the length of !● For ! = # + 1 the lemma trivially follows

● Let 0 ≤ ! < # + 1 and assume there is a common path covering ) of the subtree rooted at !. If ! ∈ ) we are done. If not, then the trees rooted in all children have a common path covering and by the induction hypothesis then all children !; , of ! are common.

● Hence -.;/0 = -.;/1 for all pairs of non faulty 2, 4. Hence -.0 = 5678,9:;<=

>?

-.;/0 |, ∉! = 5678,9:; -/1|, ∉ ! = -.1 and hence ! is common as well.

n Theorem: All non faulty nodes decide on the same value● Follows from lemma 3 and 4.


Using authentication


Signing messages

n Every processor ! has a private signing key. The corresponding signature verification key is known to all processors.

n Let us write " # for a message " signed by !. Write " $ for … " #. . ' with ( = !;… ; +

n Processors reject any messages with incorrect signatures.● Byzantine nodes cannot forge values pretending they heard another

value from a correct processor

● But they can send conflicting initial values in the first round!

n Now consider the weak broadcast protocol

14-05-18

6


(Binary) Broadcast (aka agreement)

n Sender ! in round 1● If " ! . $% = 1 then send 1 ( to all, otherwise stay silent

● Decide on " ! . $%n Other nodes )

● For each round * ∈ {1, … , / + 1}«If you receive a valid 1 2 message (note 3 = *)with 3 = !; 3′ then send

1 2 ( = 1 2;7 to all, decide on 1 and terminate

● Decide on 0 and terminate


Correctness

n Agreement● Suppose a correct node decides on 1 in round ". This means it received a

valid 1 # message. If " < % + 1 then ' sends a valid 1 # ( = 1 #;+ message to

all correct , who therefore decide on 1 too. If " = % + 1 then - = % + 1 hence

- = -.; ,; -′′ for some correct , that sent a valid 1 #0;+ message to all correct

nodes that therefore decided on 1 in round -. + 1.

n Validity● Suppose ' is correct. Either it sends 1 ( to all, and all correct nodes decide 1

in round 1. Or it does not send anything. As a result no correct node receivesa valid 1 # message, so all correct nodes decide 0 in round % + 1



Reaching consensus

n Each node uses the broadcast algorithm to send its input valueto all other nodes

n All other nodes obtain (by the agreement property of thebroadcast) the same vector of input values

n All nodes decide on the majority of values in this vector (breaking ties in a deterministic way)

n If ! < #/2 then if all nodes have the same input value, all nodesdecide on this value.


Documents

Consensus for Byzantine failures Advanced Network Security