The Byzantine Generals Problem(M. Pease, R. Shostak, and L. Lamport)

236357 - January 2011Presentation by Avishay Tal

Problem Definition• Neglible Delay• Full Graph• n independent processors

▫ Each has its own private value• m “faulty” (or corrupted) processors

▫ May lie / act against the rules of the protocol▫ May be inconsistent – tell different processors inconsistent

information▫ However, the message sender is known to the recipient

and can’t be forged.• Goal: achieve agreement (consistency) among the

nonfaulty processors• What does this mean?

Goal•Each nonfaulty processor (NFP) will know

the right private value of each other non-faulty processor

•Each two NFPs p, p’ will think each faulty processor q has the same consistent value (though it may be not true).

Interactive Consistency•We’ll use the following formulation:

▫Each processor p has a private value Vp

▫Each processor p computes during the algorithm a vector Fp of n values - one for each processor.

▫Interactive consistency is achieved if: For each two NFPs p and q, Fp(q)=Vq

The NFPs computes exactly the same vector

Protocol Guidelines•An NFP sends its own private value•An NFP relays messages sent to them•A faulty processor may mistake / lie / deny

transfer of messages.

Results•Denote (m, n) to be a setting with n

processors and at most m faulty ones.

•Single Fault - (1,4) protocol•Multiple Fault - (m,3m+1) protocol•Lower bound - (m,3m) impossibility result

Dealing with a single Fault

Message

Buffer

12

34

First Round

12: v1

13: v1

14: v1

1 send

s

2

3

4

First Round

21:v223:v224:v2

1

2 send

s

3

4

First Round

31:v332:v334:v3

1

2

3 send

s

4

First Round

41:v442:v4’43:v4’’

1

2

3

4 send

s

Second Round - Relaying

21p:v231p:v341p:v4

1 send

s

2

3

4

Second Round - Relaying

12p:v132p:v342p:v4’

1

2 send

s

3

4

The Protocol•First Round:

▫In the first round every NFP sends its private value to every other processor

•Second Round:▫For each three different processors p, q, r, if

q is an NFP, then q sends r the value he got from p (we will use the notation: pqr)

•In both rounds, if an NFP doesn’t receive a message after some timeout, it assume that message was NIL.

Decision•For each NFP p, and other processor q, p

performs a majority vote over the 3 observations of q’s value to determine Fp(q):▫qp▫qp1p▫qp2p

•If there is no majority, then Fp(q)=NIL.

• Proof of interactive consistency:

1. For each two NFPs p,q: Fp(q)=Vq. Since at least two of the observations were true.

2. There exist a value v, s.t. for each NFP, p, Fp(4)=v. If F1(4)=F2(4)=F3(4)=NIL then we’re done. Assume some p has a non-NIL value Fp(4)=v.

Let p1 and p2 denote the two other NFPs.Three possible cases: P got 4p1p:v and 4p2p:v P got 4p:v, and 4p2p:v P got 4p:v, and 4p1p:v

In either case, both p1 and p2 will receive at least two messages indicating that 4’s value is v, hence Fp(4)=Fp1(4)=Fp2(4)=v.

For each nonfaulty processor p, and other processor q, p performs a majority vote over the 3 observations of q’s value to determine Fp(q):

qpqp1pqp2p

If there is no majority, then Fp(q)=NIL.

Protocol For (m,3m+1)• m+1 rounds:1. First round: every NFP, p, will send its value to every other

processor:▫ pq:vp

2. In the next m rounds every NFP, p, will relay every message he got on the previous rounds.

▫ If he got prpr-1…p2p1p:v▫ He’ll send prpr-1…p2p1pq:v

to every other processor q.▫ prpr-1…p2p1pq:v is short to:

p2 told p1 that P3 told p2 that

▫ P4 told p3 that …▫ that pr told pr-1 that its value is v.

• As before, if p was supposed to send a message to q and didn’t, q assume that p sent NIL.

Decision – Determining Fp(q) – Post Mortem

1. If there exist a subset of processors Qp of size >(n+m)/2 and a value v such that for any path:

▫ qp1 p2… pr p starting from q going through in p1, …, pr in Qp and ending in p, the message qp1 p2 … pr p:v was sent to p.

▫ In this case Fp(q)=v.2. If there isn’t any such subset, then q is faulty.

▫ Consider only messages said to be originated from q but not passing in it again:qp1 p2 … pr p:v, pi ≠ q

▫ Replace it with the message p1 p2… pr p:v as if it was sent from p1.▫ Perform the decision by recursion with the new set of messages -

denote the resulting vector (Fq)p. ▫ Fp(q) = majority((Fq)p), if there’s no majority then Fp(q)=NIL

Qp

q p

Correctness• Claim 1:

Let pr be an NFP, then a processor p got the message qp1 p2… pr-1pr p:v iff pr got the message qp1 p2… pr-1pr:v and r<m+1.

• Claim 2: A faulty processor can’t convince an NFP that a path of NFPs sent him some (made-up) message.▫This relies on the assumption that the message

sender is known (even if he is faulty)

Protocol without q• In the decision we perform recursion using all the

messages originated from q which doesn’t pass it.• We need to show that such a protocol exists with m-1

faulty out of n-1 processors.• Sketch proof:

▫Every NFP will send the value he got from q as its own▫Every NFP will relay messages.▫Faulty processor, q’ ≠ q, will look at the run of the original

protocol and will send a message iff the message qp1p2p3…prq’p’:v was sent in original protocol (and all pi s are different from q).

▫This will result in the message set we created during step 2 (in each NFP).

Correctness• Induction on m.• Basis: m=0.

▫There’s no faulty processors▫Only the first round is performed where each

processors sends its value and record the other processors true value.

▫So we achieve interactive consistency• Step: m>0

▫We will show two things: for each NFPs p and p’ , Fp(p’)=Vp’ . for each NFPs p and p’ and a faulty processors q

Fp(q)=Fp’(q).

For each NFPs p and p’, Fp(p’)=Vp’

• We will show that p will determine p’ value in step 1 of the protocol

• Consider the set of NFP as N• By the assumption |N|>2m, so |N|>(n+m)/2.• So, for every NFP path:

p’ p1p2p3…prp the message p’ p1p2p3…prp:Vp’ was sent to p.

• By claim 2, a faulty processor can’t forge a message passing only through NFPs.

• There can’t be another set B which will make p choose a different value v’. Because this set will have to be disjoint with N. And thus, |N|+|B|>n. in contradiction.

For each NFPs p and p’, and a faulty processor q:Fp(q)=Fp’(q)•We will consider 3 termination cases:

▫Case 1:Both p,p’ calculation of q terminates in step 1.

▫Case 2:The calculation of Fp(q) terminates in step 1, while Fp’(q) is going through recursion.

▫Case 3:Both calculations are going through recursion.

Case 1:Both p,p’ calculation of q terminates in step 1.

Qp Qp’• Since the size of Qp and Qp’ >(n+m)/2, there are more than

(n+m)-n=m processors in their intersection.• One of them is an NFP, let p’’ denote it.• p’’ got some message from q about q’s value:

• qp’’:v• Since p’’ is an NFP, and m>0, p’’ delivers the messages:

• qp’’p:v (to p)• qp’’p’:v (to p’)

• Hence, p and p’ record of q must be the same.

Case 2:The calculation of Fp(q) terminates in step 1, while Fp’(q) is going through recursion.

Qp

q p

• p has a set Qp of size > (n+m)/2 on which for each path from q to p through Qp, p gets a message with value v.

• p‘ founds that q is a liar, doing step 2, but have to be consistent with p.

• We will show that (Fq)p’(x)=v for every x in Qp-{q}. Thus, by majority (Fq)p’(x)=v• |Qp-{q}| > (n+m)/2 – 1 ≥(n-1)/2

Case 2 (continued):The calculation of Fp(q) terminates in step 1, while Fp’(q) is going through recursion. Q

pq p

•We consider our protocol over the set of processors P-{q} with m-1 faults• The secret value of each processor is the value that q told him in the original

round.•Using the induction hypothesis, (Fq)p(x)= (Fq) p’(x) for every x in P-{q}•We will show that (Fq)p(x)=v to complete the proof of this case.•For every path xp1p2…prp with pi in Qp-{q}• The message qx p1p2…pr p :v was sent in the original protocol• Hence, the message x p1p2…pr p :v was “sent” in the modified protocol.

•Every message x p1p2…pr p:w in the modified protocol corresponds to a message q xp1p2…pr p:w in the original protocol.• hence, w=v.

•|Q-{p}|>(n+m)/2 -1 = ((n-1)+(m-1))/2, hence p will decide on step 1 that (Fq)p(x)=v.

Case 3:Both p and p’ are going through recursion.

•Using the induction hypothesis, (Fq)p and (Fq)p’ vectors are equal.

•Hence, any function (in particular majority) on them must agree.

Complexity•In the i'th round ni+1 messages are sent•The total message complexity is:

▫n2 +n3+… + nm+2 =Θ(nm+2)

Impossibility result for (m,3m)• Assumptions:

▫ Suppose NFPs can only send their original values, or relay other messages sent to them.

• We will show 3 scenarios, such that if all 3 scenarios reach interactive consistency then we’ll get a contradiction.

• Divide the processors to 3 disjoint sets of size m:A,B,C• Each set will be faulty in one of the three scenarios.• The faulty processors will only lie about the C’s values.• And only for the first time it reaches the processor they are

lying to.• Liars won’t lie about the path of the message, only on the

value.• Two values: 0,1.

Scenarios

α• A,C are

NFPs• B is faulty• All

processors with value 0.

β• B,C are

NFPs• A is faulty• A, B’s values

are 0.• C’s values

are 1.

σ• A,B are

NFPs• C is faulty• All

processors with value 0.

Scenario alpha

A(0)

B (0)• Tells A that

v(C)=1, for messages which haven’t yet been in A.

C(0)

Scenario beta A(0)• Tells B that

v(C)=0, for messages which haven’t yet been in B

B (0)C(1)

Scenario sigma A(0)

B (0)

C(0)•Tells A that v(C)=0 (only if the message wasn’t previously in A)

•Tells B that v(C)=1 (only if the message wasn’t previously in B)

A(0)

B (0)• Tells A that v(C)=1, for messages which haven’t yet been in A.

C(0)

A(0)•Tells B that v(C)=0, for messages which haven’t yet been in B

B (0)C(1)

A(0)

B (0)

C(0)• Tells A that v(C)=0 (only if

the message wasn’t previously in A)

• Tells B that v(C)=1 (only if the message wasn’t previously in B)

alpha beta

sigma

Reaching a contradiction• For any a in A, b in B and c in C:• a receives the same messages in scenario alpha

and sigma, and from i.c. of alpha computes 0 as c’s value.▫0=Falpha

a(c)=Fsigmaa(c)

• b receives the same messages in scenario beta and sigma, and from i.c. of beta computes 1 as c’s value.▫1=Fbeta

b(c)=Fsigmab(c)

• From i.c. of sigma▫Fsigma

a(c)=Fsigmab(c), in contradiction.