
The Byzantine Generals Strike Again

Danny Dolev

Introduction

• We’ll build on the LSP presentation.

• Prove a necessary and sufficient condition on the network graph in order for the problem to be solvable.

• The model becomes more specified.

• The problem definition changes.

• Two new concepts – Crusader agreement and explicitly faulty processors.

New Agreement

• IC1 and IC2 are called here “Byzantine Agreement”.

• We change the requirements, postulating the “Crusader Agreement”. (z is the processor which sends the message, previously known as the “commander”.)

– Cru1. All reliable receivers that do not explicitly know z is faulty agree on the same message.

– Cru2. If z is reliable, then all the reliable receivers agree on its message.

Upper Bound on Faulty Processors

• We aim at finding t, the upper bound on the number of faulty processors a system can tolerate and still reach the crusader agreement.

• Trivially, t exists – Obviously if t=n then no agreement can be reached and if t=0 both agreements can be reached.

• Intuitively, t depends on the system’s topology (consider a tree graph).

Intermission – Graph Connectivity

• Given a graph G:

– G is not connected if there exist two vertices u and v s.t. there’s no path from u to v.

– A cut is a set of vertices whose removal renders G not connected.

– Connectivity of G (denoted k) is the size of the smallest cut. G is said to be k-connected.

– If G is k-connected, there exist at least k disjoint paths between every pair of vertices (Menger’s Theorem).

Result – We’ll Show That

• t is independent of the type of agreements (Byzantine or crusader).

• t depends only on the number of processors and the connectivity of the network.

• Both agreements can be achieved in a network G if and only if:

– 1. t is less than half of the connectivity of G, AND

– 2. t is less than one third of the total number of processors in G.

Explicitly Knowing z is Faulty

• Note that if z is faulty, the processors are split into 3 separate groups:

– Faulty processors.

– Reliable processors who know z is faulty.

– Reliable processors who don’t know z is faulty.

• Only the third group is required to agree on a single message of z.

• Intuitively, a processor can know z is faulty if it receives enough conflicting versions of its message.

Extra Assumptions (1)

• We add these assumptions about routing:

• A message contains its full routing information. This implies the entire communication graph is known to every processor. Remember a faulty processor can alter any information a message contains, including its routing path.

Extra Assumptions (2)

• A reliable processor relays a message to its neighbor only if the neighbor appears after itself in the message’s route.

• A reliable processor relays a message only if the processor from which it received the message appears immediately before itself in the message’s route.

• A reliable processor relays messages without altering them and without eavesdropping on their values.

Purified Value (1)

• We’ll define an algorithm to choose a “purified value” out of all the values a receiver received.

• Intuitively, the purified value is a value that is possible to be the correct value.

• The default is 0 – Either if the receiver received no values, or if the purified value doesn’t exist.

Suspicious Processors

• Let {a1, …, ar} be the set of messages x received.

• Let Ux be a set of processors that does not contain x.

• Ux is a set of suspicious processors determined by x if every message ai that did not pass through processors in Ux carries the same value.

Purified Value (2)

• Algorithm Purify (t; a1,… ar; x):

• 1. If a set Ux of up to t suspicious processors exists then the purified value is the value of the message that did not pass through Ux. If no message is left, the value is 0.

• 2. If there’s no such Ux, purified value is 0.

Purified Value - Note

• If more than one set of suspicious processors exists, then there may be many purified values.

• This will not pose a problem for us.

Purified Values - Example

• Assume t=2.

• Assume receiver x got these values from v through these paths (value – path):

– 1. a – v;x

– 2. a – v;1;x

– 3. a – v;2;x

– 4. b – v;7;4;x

– 5. b – v;8;5;x

• The purified value is a, by choosing {7,8} as the suspicious processors.

Sufficiency – Under Reliable Transmitter

• Let G be a network of processors which contains at most t faulty processors and the connectivity of which is at least 2t+1. If a reliable transmitter transmits 2t+1 copies of its message to every receiver, through disjoint paths, then, by the use of the purifying algorithm, every reliable receiver can obtain the transmitter value.

Proof of Sufficiency (Reliable Transmitter)

• Let {a1, …, ar} be the set of all the messages the receiver x received.

• There are at most t faulty processors.

• Therefore, at least t+1 messages were relayed through reliable processors.

• Therefore, no more than t messages that were sent to x may be lost.

• Therefore, r>t.

• Also, at least t+1 received messages are equal to the original transmitted messages.

• By our assumptions, any message that passed through at least one faulty processor contains at least one faulty processor in its routing path – the last faulty processor it passed through.

• x applies the purifying algorithm.

• Since there are at most t faulty processors and the transmitter is not one of them, Ux exists.

• The purifying algorithm cannot eliminate the original value, since there are at least t+1 copies of it, and Ux can eliminate no more than t independent values.

• QED.

Evidence Set and Explicitly Faulty Transmitters

• Evidence set is the set of messages a receiver received.

• We say that a receiver explicitly knows that the transmitter is faulty if the receiver can’t find a set of t suspicious processors given its evidence set.

• In other words, ignoring messages of every subset of t processors leaves conflicting values.
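The Purify algorithm, the suspicious-set search from the worked example slide (t=2, five routed copies) and the explicitly-faulty test defined above, as an added Python example that is not part of the original slides. It assumes every route lists the transmitter as its first hop and that neither the transmitter nor the receiver may be placed in Ux (as the crusader algorithm slide requires); the input values and processor names are constructed from the slide.

```python
from itertools import combinations

# Constructed input reproducing the slide's example: receiver x, t = 2, each
# message given as (value, route), where the route starts at the transmitter v
# and ends at x. Processor names are the ones used on the slide.
EXAMPLE_T = 2
EXAMPLE_MESSAGES = [
    ("a", ["v", "x"]),
    ("a", ["v", "1", "x"]),
    ("a", ["v", "2", "x"]),
    ("b", ["v", "7", "4", "x"]),
    ("b", ["v", "8", "5", "x"]),
]

def relays(route, receiver):
    """Processors a message passed through: its route minus the transmitter
    (first hop) and the receiver, neither of which may be suspected."""
    return {p for p in route[1:] if p != receiver}

def suspicious_sets(t, messages, receiver):
    """Yield every set Ux of at most t processors such that all messages that
    did not pass through Ux carry the same value, paired with that value set
    (empty when Ux eliminates every message)."""
    candidates = sorted(set().union(*(relays(r, receiver) for _, r in messages)))
    for size in range(t + 1):
        for ux in combinations(candidates, size):
            ux = frozenset(ux)
            values = {v for v, r in messages if not (relays(r, receiver) & ux)}
            if len(values) <= 1:
                yield ux, values

def purify(t, messages, receiver, default="0"):
    """Algorithm Purify(t; a1..ar; x). Returns (purified value, Ux); the value
    is 0 when nothing was received, no Ux exists, or every Ux eliminates all
    messages. Since several Ux may exist, one that leaves a value is preferred."""
    fallback = None
    for ux, values in suspicious_sets(t, messages, receiver):
        if values:
            return next(iter(values)), ux
        fallback = fallback or (default, ux)
    return fallback or (default, None)

def explicitly_faulty(t, messages, receiver):
    """x explicitly knows the transmitter is faulty iff ignoring the messages
    of every subset of at most t processors still leaves conflicting values."""
    return next(suspicious_sets(t, messages, receiver), None) is None
```

On the slide's input the search finds {4,5} before {7,8}; both are valid suspicious sets and both leave the value a, which is the point of the note that several purified values may exist.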

Explicitly Faulty Transmitters - Correctness

• If the number of faulty processors is at most t, then receiver x explicitly knows that the transmitter z is faulty only if z is a faulty processor.

• We prove by contradiction: Assume z is not faulty.

• Let T be the set of faulty processors.

• Consider G\T: G after removing T from it.

• In G\T there are no faults, and if x received anything, it is the correct value.

• T is a candidate for Ux that x should check.

• When it does so, the purified value is the correct value.

• Contradiction, QED.

Explicitly Faulty Transmitter - Implications

• The above proof implies that a faulty transmitter may be identified as faulty by receivers.

• This is because it has sent too many conflicting values.

• Even if some receivers found out that the transmitter is faulty, others might still consider it reliable (or at least, not explicitly faulty).

• We need to make sure those who don’t know explicitly that the transmitter is faulty will agree on the same value.

Necessity

• Theorem : No crusader agreement can be achieved in a network of n processors if the number of faulty processors is not less than half of the connectivity of the network.

• Intuition – Faulty processors form a bottleneck, filtering the messages that pass through them. Messages passing from “right” to “left” are altered systematically so that processors on the “left” can’t know what the right message is.

Necessity - Proof

• Let G be a network with connectivity k, and let {v1,…,vk} be a set of processors which disconnect the network into two non empty parts G1 and G2.

• Assume the subset {v1,…,vt} is the set of faulty processors (t ≥ ½k).

• Divide into cases, according to where z can be:

z is in G1

• The faulty processors follow:

• Denote by a the original transmitted value.

• A message passing from G1 to G2 via the faulty processors changes its value to b.

• A message passing from G2 to G1 via the faulty processors changes its value back to a (if it was changed to b).

• All receivers in G1 consider z to be reliable, and choose a as its value.

• But receivers in G2 obtained conflicting values.

• They can choose either {v1,…,vt} or {vt+1,…,vk} as the set of suspicious processors.

• Since t ≥ ½k, they have to choose {vt+1,…,vk}.

• Thus their purified value is b.

• Contradiction to Cru2. This also proves the case where z is in G2, by symmetry.

z is in {v1,…,vt}

• If z is reliable, the faulty processors can use the same method in order to fail the crusader agreement.

• If z is faulty, it can send a to G1 and b to G2, thus failing the crusader agreement.

• QED necessity.

Sufficiency – The Crusader Alg

• We’ll now show how the crusader agreement can be achieved if the conditions we’ve required are met.

• Scheme:

– The transmitter will send its value.

– Every receiver will send this value again to all receivers.

The Crusader Alg

• z sends its value to every receiver through 2t+1 disjoint paths.

• Each receiver u obtains a purified value au.

• Receiver u sends au to all other receivers through 2t+1 disjoint paths.

• Each receiver u tries to find a set Uu of t processors (u, z ∉ Uu) s.t. all values that didn’t pass through Uu are identical. If no such Uu exists, u decides “faulty transmitter”.

Proof of Cru1

• Receiver x didn’t find out that z is faulty, so it did find a set Ux of t suspicious processors (by definition).

• Let x and y be such receivers, denote their values by ax and ay, respectively.

• Let T be the set of faulty processors, Ux and Uy the set of suspicious processors chosen by x and y, respectively.

• Each of these sets is not larger than t.

• The network contains 3t+1 processors.

• Thus, there exists a processor w which is not in T ∪ Ux ∪ Uy.

• Denote by aw the value w determines in step 2. w is reliable, thus it transmits aw faithfully to all other processors.

• The network is at least 2t+1 connected, so the network minus T and Ux is at least 1-connected.

• Therefore there exists a reliable path from w to x. Along such a path x receives aw.

• Recall w is not determined to be a suspicious processor by x.

• Thus, aw = ax. Symmetrically, aw = ay. QED Cru1.

Crusader Alg - Correctness

• We’re left with proving Cru2 holds.

• Assume z is reliable.

• We’ve already proved that if the transmitter is reliable, every reliable receiver receives the transmitted value.

• No processor could decide faulty transmitter, because it can receive no more than t wrong values (from the faulty processors). QED.