Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Causal Atomic Broadcast, Revisited

Published byLee Griffith Modified over 6 years ago

Similar presentations

Presentation on theme: "Secure Causal Atomic Broadcast, Revisited"— Presentation transcript:

1 Secure Causal Atomic Broadcast, Revisited
Sisi Duan Michael K. Reiter Haibin Zhang Oak Ridge National Lab UNC Chapel Hill University of Connecticut

2 Single Server Architecture
State Machine Replication Single Server Architecture

3 Single Server Architecture
State Machine Replication Single Server Architecture A single point of failure!

4 State Machine Replication
Interactive protocol among servers State machine replication gives safety and liveness.

5 State Machine Replication (SMR)
Replicas maintain the same state Replicas start in the same state Operations are deterministic Replicas execute operations in the same order (i.e., total order) Replicas send replies to clients Clients vote on replica replies

6 State Machine Replication (SMR)
Total order $100 $100 $100

7 State Machine Replication (SMR)
Total order $100 $100 $100

8 State Machine Replication (SMR)
Total order Client 1: “Deposit $100” $100 $200 Client 1: “Deposit $100” $100 $200 $100

9 State Machine Replication (SMR)
Total order Client 1: “Deposit $100” Chase: “Charge 10%” $100 $200 $180 Client 1: “Deposit $100” Chase: “Charge 10%” $100 $200 $180 $100

10 State Machine Replication (SMR)
Total order Client 1: “Deposit $100” Chase: “Charge 10%” $100 $200 $180 Client 1: “Deposit $100” Chase: “Charge 10%” $100 $200 $180 $100

11 State Machine Replication (SMR)
Total order Chase: “Charge 10%” Client 1: “Deposit $100” $100 $90 $190 Chase: “Charge 10%” Client 1: “Deposit $100” $100 $90 $190 $100

12 State Machine Replication (SMR)
Total order Chase: “Charge 10%” Client 1: “Deposit $100” $100 $90 $190 Client 1: “Deposit $100” Chase: “Charge 10%” $100 $200 $180 $100

13 Crash Fault-Tolerant SMR
State Machine Replication Crash Fault-Tolerant SMR 2f+1 replicas to tolerate f failures Example: Paxos: SMR for crash failures The “most” important backbone architecture Each major service BigTable, Chubby, Spanner, Azure, Amazon Web Services, Ceph, IBM SAN, VMware NSX, … [Lamport, ACM TOCS 1998]; going back to 1989

14 State Machine Replication
Paxos [Lamport, ACM TOCS 1998]; going back to 1989 [Lamport. Paxos made simple. ACM SIGACT News 2001] “For fundamental contributions to the theory and practice of distributed and concurrent systems, notably the invention of concepts such as causality and logical clocks, safety and liveness, replicated state machines, and sequential consistency.” Turing Award 2013

15 Byzantine Fault-Tolerant SMR (BFT Protocols)
State Machine Replication Byzantine Fault-Tolerant SMR (BFT Protocols) Traditionally important Powerful: Byzantine/arbitrary failures & attacks Systems, distributed systems, theory, crypto, security, … Recently gain prominence Real threats to real systems Cryptocurrencies/Blockchains Mission-critical systems

16 PBFT 3f+1 replicas to tolerate f Byzantine failures Turing Award 2008
State Machine Replication PBFT 3f+1 replicas to tolerate f Byzantine failures [Castro and Liskov, OSDI 1999] “For contributions to practical and theoretical foundations of programming language and system design, especially related to data abstraction, fault tolerance, and distributed computing.” Turing Award 2008

17 One Blockchain Project Using PBFT
State Machine Replication One Blockchain Project Using PBFT

18 Atomic Broadcast Atomic broadcast
Secure Causal BFT Atomic Broadcast Atomic broadcast State machine replication (Crash failures) BFT (Byzantine failures)

19 This Talk Secure causal atomic broadcast (BFT)
[Duan, Reiter, and Zhang, DSN 2017] Secure causal atomic broadcast (BFT) Atomic broadcast (BFT) + Causal Order

20 Secure Causal BFT Secure Causal BFT The “strongest” consensus protocol in distributed systems literature Hard problem No practical solution for more than 30 years [Reiter and Birman, TOPLAS 94]

21 Secure Causal BFT Overview
Definition Examples (DNS, Transaction, Cloud) CP0 (The existing protocols) CP1 (Byzantine clients + Byzantine servers) CP2 + CP3 (Semi-honest clients + Byzantine servers) Evaluation (Latency, throughput, scalability, and performance under failures)

22 Causal Order Causal order
Secure Causal BFT Causal Order Causal order If the broadcast of message m1 "happens before" or "causally precedes" the broadcast of message m2, then no correct process delivers m2 before it delivers m1. [Lamport, Comm. ACM 1978] [Lamport, Distrib. Comput. 1986] m2 “That is outrageous!” m1 “Chase charges 10%!”

23 ✓ Causal Order Causal order $100 $90 $100 $90 $100 Chase: “Charge 10%”
State Machine Replication Causal Order Causal order Chase: “Charge 10%” Outrageous! $100 $90 Chase: “Charge 10%” Outrageous! $100 $90 $100

24 ✘ Causal Order Causal order $100 $100 $90 $100 $90 $90 $100 Chase:
State Machine Replication Causal Order Causal order Chase: “Charge 10%” Outrageous! $100 $100 $90 Chase: “Charge 10%” Outrageous! $100 $90 $90 $100

25 Causal Order Total Order
State Machine Replication Causal Order Total Order Causal order Total order Chase: “Charge 10%” Client 1: “Deposit $100” Outrageous! $100 $90 $190 Client 1: “Deposit $100” Chase: “Charge 10%” Outrageous! $100 $200 $180 $100

26 Total Order Causal Order
State Machine Replication Total Order Causal Order Total order Causal order Chase: “Charge 10%” Outrageous! $100 $100 $90 Chase: “Charge 10%” Outrageous! $100 $100 $90 $100

27 Total Order + Causal Order
State Machine Replication Total Order Causal Order Total order Causal Order Chase: “Charge 10%” Client 1: “Deposit $100” Outrageous! $100 $90 $190 Chase: “Charge 10%” Client 1: “Deposit $100” Outrageous! $100 $90 $190 $100

28 Secure Causal BFT Crash Failure Model ZooKeeper

29 Byzantine Failure Model
Secure Causal BFT Byzantine Failure Model [Lamport, Shostak, and Pease, TOPLAS 82] a.k.a. BFT protocols [Not formally studied] [Reiter and Birman, TOPLAS 94] Basically satisfying everything; strongest

30 Secure Causal BFT Name Registration

31 Secure Causal BFT Name Registration

32 Secure Causal BFT Name Registration

33 Secure Causal BFT Name Registration

34 Secure Causal BFT Name Registration

35 Secure Causal BFT Name Registration

36 Secure Causal BFT Name Registration

37 Secure Causal BFT Name Registration

38 Secure Causal BFT Name Registration

39 Another Example—Trading Service
Secure Causal BFT Another Example—Trading Service Consider a trading service that trades stocks A client issues a request to purchase stock shares. A corrupt replica could collude with a corrupt client to issue a request for the same stock. If the new request is processed earlier than the original request, this may adjust the demand for the stock.

40 Secure Causal BFT Existing Constructions Use threshold encryption.
Schedule the ciphertext before revealing decryption shares. [Reiter and Birman, TOPLAS 94] [Cachin, Kursawe, Petzold, and Shoup, CRYPTO 2001] [Cachin and Portiz, DSN 2002]

41 CP0—Using Threshold Encryption
Secure Causal BFT CP0—Using Threshold Encryption A public key is associated with the system and a decryption key is shared among all the servers.

42 CP0—Using Threshold Encryption
Secure Causal BFT CP0—Using Threshold Encryption

43 CP0—Using Threshold Encryption
Secure Causal BFT CP0—Using Threshold Encryption M M M Any BFT protocol R M Assign a sequence number N to M R R R C C = ThresEnc(pk, M) C C Any BFT protocol C Assign a sequence number N to C

44 CP0—Using Threshold Encryption
Secure Causal BFT CP0—Using Threshold Encryption Use tagged threshold encryption To distinguish instances of the protocol. Drawbacks Threshold encryption is really expensive Only from a handful of number-theoretical assumptions Trusted setup (or expensive interactive setup)

45 A New Look Key observation A novel framework Benefits
Secure Causal BFT A New Look Key observation Unnecessarily coupled with threshold encryption A novel framework Non-malleable commitment with associated-data Fair BFT Benefits General constructions Efficient instantiations

46 Our Protocol Uses Commitment Scheme
Secure Causal BFT Our Protocol Uses Commitment Scheme Hiding: M is hidden given C. Binding: C can be only opened to M. M Commit Phase C = M Sender Receiver Reveal Phase Sender M Receiver

47 Non-malleable commitment with associated-data (NM-CAD)
Secure Causal BFT Non-malleable commitment with associated-data (NM-CAD) Syntax Associated-data as an additional input Security Additionally ask for non-malleability w.r.t. opening and associated-data (NM-OAD) M tag 2M tag M tag M tag’

48 Non-malleable commitment with associated-data (NM-CAD)
Secure Causal BFT Non-malleable commitment with associated-data (NM-CAD) Generality Any (adaptive) one-way function Efficiency (tag, C) =(tag, H(tag, r, M)), where M is the message, C is the commitment, r is a random coin.

49 Our First Protocol CP1 First schedule the commitment
Secure Causal BFT Our First Protocol CP1 First schedule the commitment Then schedule the opening M Phase 1 M tag Phase 2

50 Secure Causal BFT Our First Protocol CP1 Phase 1

51 Secure Causal BFT Our First Protocol CP1 Phase 1 M

52 Our First Protocol CP1 Phase 1
Secure Causal BFT Our First Protocol CP1 Phase 1 M M = client request, e.g., “Register UConn” Tag = a unique identifier of the message

53 Our First Protocol CP1 Phase 1 Agree on a sequence number to
Secure Causal BFT Our First Protocol CP1 Phase 1 Agree on a sequence number to M

54 Secure Causal BFT Our First Protocol CP1 Phase 1 M

55 Secure Causal BFT Our First Protocol CP1 Phase 2 M

56 Our First Protocol CP1 Phase 2
Secure Causal BFT Our First Protocol CP1 Phase 2 Assign the same sequence number to the opening

57 Secure Causal BFT Our First Protocol CP1 Phase 2

58 Our First Protocol CP1 Above, Gracious Execution!
Secure Causal BFT Our First Protocol CP1 Above, Gracious Execution! Without failures and attacks

59 What Could Go Wrong Under Attacks?
Secure Causal BFT What Could Go Wrong Under Attacks? Malicious clients May fail to send opening to replicas. Malicious replicas May delay/drop opening.

60 1) Malicious clients Malicious clients fail to send opening?
Secure Causal BFT 1) Malicious clients Malicious clients fail to send opening?

61 ☛ Cleaning Committed but Unopened Requests
Secure Causal BFT ☛ Cleaning Committed but Unopened Requests Agree on which requests should be cleaned

62 2) Malicious Replicas Drop/Delay openings from correct clients
Secure Causal BFT 2) Malicious Replicas Drop/Delay openings from correct clients s.t. the requests from correct clients from being incorrectly cleaned.

63 Secure Causal BFT ☛ Fair BFT Fair BFT prevents the BFT service from unfairly delaying or dropping some clients’ requests but not others. [Clement, Wong, Alvisi, Dahlin, and Marchetti, NSDI 2009] [Duan, Levitt, Meling, Sean, and Zhang, SRDS 2014]

64 Secure Causal BFT Another Framework Handling the case of semi-honest clients and Byzantine replicas (as in many BFT protocols) Novel asynchronous robust secret sharing (ARSS) Two instantiations Any commitment scheme and secret sharing (CP2) Information secure (CP3)

65 Implementation and Evaluation
Secure Causal BFT Implementation and Evaluation Using 15 virtual nodes (5 of which are client nodes) LAN: 100 MB bandwidth, 0.1 ms latency WAN: 1 MB bandwidth, 120 ms latency

66 Evaluation Latency in LAN (in ms) Latency in WAN (in ms)
Secure Causal BFT Evaluation Latency in LAN (in ms) Latency in WAN (in ms)

67 Secure Causal BFT Evaluation Throughput LAN WAN

68 Secure Causal BFT Evaluation Scalability (in LAN)

69 Improving Failures Scenarios
Secure Causal BFT Improving Failures Scenarios Free amplification Ordering tentative requests

70 Improving Failures Scenarios
Secure Causal BFT Improving Failures Scenarios Free amplification Ordering tentative requests

71 Improving Failures Scenarios
Secure Causal BFT Improving Failures Scenarios Free amplification Ordering tentative requests

72 Improving Failures Scenarios
Secure Causal BFT Improving Failures Scenarios Free amplification Ordering tentative requests

73 Thank you! Secure causal atomic broadcast paper:

Download ppt "Secure Causal Atomic Broadcast, Revisited"

Similar presentations

Distributed Systems Overview Ali Ghodsi

Distributed Systems Overview Ali Ghodsi
CSE 486/586, Spring 2013 CSE 486/586 Distributed Systems Byzantine Fault Tolerance --- 2 Steve Ko Computer Sciences and Engineering University at Buffalo.

CSE 486/586, Spring 2013 CSE 486/586 Distributed Systems Byzantine Fault Tolerance Steve Ko Computer Sciences and Engineering University at Buffalo.
Virtual Synchrony Jared Cantwell. Review Multicast Causal and total ordering Consistent Cuts Synchronized clocks Impossibility of consensus Distributed.

Virtual Synchrony Jared Cantwell. Review Multicast Causal and total ordering Consistent Cuts Synchronized clocks Impossibility of consensus Distributed.
Yee Jiun Song Cornell University. CS5410 Fall 2008.

Yee Jiun Song Cornell University. CS5410 Fall 2008.
CS 582 / CMPE 481 Distributed Systems Fault Tolerance.

CS 582 / CMPE 481 Distributed Systems Fault Tolerance.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 15 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 15 Wenbing Zhao Department of Electrical and Computer Engineering.
Byzantine fault tolerance

Byzantine fault tolerance
Byzantine Fault Tolerance CS 425: Distributed Systems Fall 2011 1 Material drived from slides by I. Gupta and N.Vaidya.

Byzantine Fault Tolerance CS 425: Distributed Systems Fall Material drived from slides by I. Gupta and N.Vaidya.
BFTCloud: A Byzantine Fault Tolerance Framework for Voluntary-Resource Cloud Computing Yilei Zhang, Zibin Zheng, and Michael R. Lyu

BFTCloud: A Byzantine Fault Tolerance Framework for Voluntary-Resource Cloud Computing Yilei Zhang, Zibin Zheng, and Michael R. Lyu
Practical Byzantine Fault Tolerance

Practical Byzantine Fault Tolerance
Byzantine fault-tolerance COMP 413 Fall 2002. Overview Models –Synchronous vs. asynchronous systems –Byzantine failure model Secure storage with self-certifying.

Byzantine fault-tolerance COMP 413 Fall Overview Models –Synchronous vs. asynchronous systems –Byzantine failure model Secure storage with self-certifying.
From Viewstamped Replication to BFT Barbara Liskov MIT CSAIL November 2007.

From Viewstamped Replication to BFT Barbara Liskov MIT CSAIL November 2007.
1 ZYZZYVA: SPECULATIVE BYZANTINE FAULT TOLERANCE R.Kotla, L. Alvisi, M. Dahlin, A. Clement and E. Wong U. T. Austin Best Paper Award at SOSP 2007.

1 ZYZZYVA: SPECULATIVE BYZANTINE FAULT TOLERANCE R.Kotla, L. Alvisi, M. Dahlin, A. Clement and E. Wong U. T. Austin Best Paper Award at SOSP 2007.
Byzantine fault tolerance

Byzantine fault tolerance
Byzantine Fault Tolerance CS 425: Distributed Systems Fall 2012 Lecture 26 November 29, 2012 Presented By: Imranul Hoque 1.

Byzantine Fault Tolerance CS 425: Distributed Systems Fall 2012 Lecture 26 November 29, 2012 Presented By: Imranul Hoque 1.
CSE 60641: Operating Systems Implementing Fault-Tolerant Services Using the State Machine Approach: a tutorial Fred B. Schneider, ACM Computing Surveys.

CSE 60641: Operating Systems Implementing Fault-Tolerant Services Using the State Machine Approach: a tutorial Fred B. Schneider, ACM Computing Surveys.
D u k e S y s t e m s Asynchronous Replicated State Machines (Causal Multicast and All That) Jeff Chase Duke University.

D u k e S y s t e m s Asynchronous Replicated State Machines (Causal Multicast and All That) Jeff Chase Duke University.
Systems Research Barbara Liskov October 2007. Replication Goal: provide reliability and availability by storing information at several nodes.

Systems Research Barbara Liskov October Replication Goal: provide reliability and availability by storing information at several nodes.
Robustness in the Salus scalable block store Yang Wang, Manos Kapritsos, Zuocheng Ren, Prince Mahajan, Jeevitha Kirubanandam, Lorenzo Alvisi, and Mike.

Robustness in the Salus scalable block store Yang Wang, Manos Kapritsos, Zuocheng Ren, Prince Mahajan, Jeevitha Kirubanandam, Lorenzo Alvisi, and Mike.
CSE 486/586 Distributed Systems Byzantine Fault Tolerance

CSE 486/586 Distributed Systems Byzantine Fault Tolerance

Similar presentations

Ads by Google