Download presentation
Presentation is loading. Please wait.
1
Byzantine Fault-Tolerance
CS1952 L Spring 2019 Maurice Herlihy Brown University
2
Permissionless (or Public) Blockchains
Anyone can participate Rewards & punishments up-front No central authority Partly a myth: Blocksize fork Version 0.7/0.8 fork $54M DAO theft Alice’s Cryptocoupons are permissionless
3
Permissioned (or private) Blockchains
Participants vetted Can penalize after-the-fact Governance easier because authority Alice’s temperature sensors are permissioned
4
Consensus: Each Party has a Private Input
5
They Communicate
6
They Agree on One Party’s Input
7
Crash Failures
8
Crash Failures
9
Byzantine Failures
10
He said, She said … ???
11
He said, She said … ???
12
Identifying Input Values
sorry f
13
Identifying Input Values
! f+1
14
Byzantine Model There are n validators
15
As many as f may be dishonest,
Byzantine Model As many as f may be dishonest, where f < n/3 (or f < n/2 with sigs)
16
Synchronous Model known
In synchronous models, processes take steps at the same rate. After the red process takes a step, it knows the blue process has also taken a step. Synchronous comes from Greek: syn = together, chronos = time. known
17
Asynchronous Model In asynchronous models, processes take steps at any rate. Asynchronous comes from Greek: a (not) + synchronous (at the same time). Synchronous comes from Greek: syn = together, chronos = time.
18
Semi-Synchronous known
In asynchronous models, processes take steps at any rate. Asynchronous comes from Greek: a (not) + synchronous (at the same time). Synchronous comes from Greek: syn = together, chronos = time. known
19
Semi-Synchronous Global Stabilization Time (exactly when unknown)
In asynchronous models, processes take steps at any rate. Asynchronous comes from Greek: a (not) + synchronous (at the same time). Synchronous comes from Greek: syn = together, chronos = time.
20
Adaptive Adversary Adaptively decides which f to corrupt and when to corrupt them Example: DoS attack There are many kinds of adaptive adversaries …
21
Adaptive Adversary How quickly can the adversary corrupt?
Same round, next round, polylog rounds .. Rushing adversary can corrupt honest party in round r but cannot suppress honest round-r messages Strongly rushing adversary can suppress honest round-r messages Example: DoS attack
22
Static Adversary Corrupts validators at start of protocol
Like a “mole” in a spy story Leader-based protocols assume static adversary (or adaptive with slow corruption time)
23
Practical Byzantine Fault-Tolerance
First practical Byzantine agreement protocol Many improvements, optimizations Precedes blockchain Semi-Synchronous model
24
Before PBFT Mainstream Distributed Computing Systems Research
Byzantine fault-tolerance will be super-important! You Theory losers disgust me, wasting your lives on BFT! Mainstream Systems Research Distributed Computing
25
Distributed Computing
After PBFT You theory losers disgust me: we just invented this super-important BFT thing! Why didn’t you do that? Um, blockchains? Mainstream Systems Research Distributed Computing
26
HotStuff “Best of breed” improvement on PBFT Less communication
Semi-Synchronous model
27
BFT vs PoW Well-understood Many protocols, research papers
Proofs and open-source implementations Way faster than PoW Decisions are final
28
Requires node identities
BFT vs PoW Requires node identities Because Sybil attacks
29
Hello, I’m an honest validator
Structure Hello, I’m your leader Hello, I’m honest Hello, I’m an honest validator I’m evil, LOL
30
Jargon Watch Different papers, different terms, same thing
“proposer” == “leader” “replica” == “validator” HotStuff sometimes inconsistent But these mean the exact same thing
31
All messages signed by senders
All signatures checked by receivers Omitted from protocols for brevity
32
PoW vs BFT PoW BFT Identity Don’t care Care Finality No Yes
Node scalability Excellent Limited Power Bad Good Adversary ~25% 33% Synchrony Synchronous Semi-Synchronous Correctness Proof
33
Block Party Each block eventually: Committed, or Rejected
Goal is agreement on … A growing chain of committed blocks
34
Parent Pointers block block block block block
Transitive closure forms ancestors
35
Parent Pointers block block block block height k height k+1
36
Parent Pointers Same branch block block block block height k height
37
Parent Pointers conflicting (different branches) block block block
height k height k+1
38
Validators Hello, I’m an honest validator
I only vote only once per height … Always at increasing heights If I vote on B, then I have seen B’s ancestors
39
Form a quorum certificate (QC) for B If 2f+1 votes collected,
Quorum Certificates I vote for B! whatever Form a quorum certificate (QC) for B If 2f+1 votes collected,
40
Each block’s QC is for ancestor
Quorum Certificates QC | B QC | B’ QC | W QC | W’ QC | W’’ Each block’s QC is for ancestor
41
2f+1 correct validators voted for B at B.height
QC Chains 1-chain: 2f+1 correct validators voted for B at B.height QC | B QC | B’
42
QC Chains 2-chain: 2f+1 correct validators voted for B’’ and received 1-chain B B’ 1-chain: 2f+1 correct validators voted for B at B.height QC | B QC | B’ QC | B QC | B’ QC | B’’
43
QC Chains 2-chain: 2f+1 correct validators voted for B’’ and received 1-chain B B’ 1-chain: 2f+1 correct validators voted for B at B.height 3-chain: 2f+1 correct validators voted for B’’’ and received 2-chain B B’ B’’ QC | B QC | B’ QC | B QC | B’ QC | B’’ QC | B QC | B’ QC | B’’ QC | B’’’
44
Committed Block B is committed if there is a 3-chain
QC | B QC | B’ QC | B’’ QC | B’’’ height k height k+1 height k+2 height ? B is committed if there is a 3-chain B B’ B’’ B’’, where B parent of B’ parent of B’’
45
Hello, I’m an honest validator
Validators Hello, I’m an honest validator
46
And these are my blocks …
Validators And these are my blocks … QC | B QC | B’ QC | B’’
47
B’ B’’ is the highest 1-chain I’ve seen
Validators B’ B’’ is the highest 1-chain I’ve seen QC | B QC | B’ QC | B’’
48
So B is my preferred block
Validators So B is my preferred block QC | B QC | B’ QC | B’’
49
I will vote for Bnew only if it has my preferred block as ancestor
Validators I will vote for Bnew only if it has my preferred block as ancestor QC | B QC | B’ QC | B’’ QC | Bnew
50
Only Two Kinds of Message
propose vote
51
Only Two Kinds of Message
propose: B, Bhqc vote: B, Bhqc Highest QC seen by sender
52
Hello, I’m an honest validator and this is my state
Propose Message Bhqc: tail of highest 1-chain vheight: height of last voted block Hello, I’m an honest validator and this is my state
53
Validators Hello, I’m the leader Bhqc: tail of highest 1-chain
vheight: height of last voted block
54
Is my preferred block an ancestor of Bnew?
Propose Message Bhqc: tail of highest 1-chain vheight: height of last voted block propose: Bnew, Bhqc Is my preferred block an ancestor of Bnew? Update Bhqc? Have I voted at ≥ Bnew.height?
55
Vote Message vote: Bnew, Bhqc Bhqc: tail of highest 1-chain
vheight: height of last voted block vote: Bnew, Bhqc Send current Bhqc Update my vheight If new blocks now committed, execute their smart contracts in block order
56
Vote Message vote: Bnew, Bhqc vote: Bnew, Bhqc vote: Bnew, Bhqc
Collect votes for Bnew until I can form a QC
57
Get QCs from 2f+1 replicas
Pacemaker Picking a leader Round-robin What to propose? Get QCs from 2f+1 replicas Extend from latest QC
58
See Paper for Full Spec
59
Proof of Safety
60
Conflicting blocks with the same height cannot both have valid QCs.
Lemma 1 Conflicting blocks with the same height cannot both have valid QCs.
61
Proof Suppose B and W with the same height both have valid QCs.
Both received 2f+1 votes
62
Proof Quorum for B Quorum for W Quorum: 2f+1
63
Proof Quorum for B Quorum for W Intersection: f+1
64
Intersection has at least 1 correct validator
Proof Quorum for B Quorum for W Intersection has at least 1 correct validator
65
Proof I, a correct validator, must have voted for both, a contradiction! Quorum for B Quorum for W Intersection has at least 1 correct validator
66
Conflicting blocks cannot become committed by honest replicas
Lemma 2 Conflicting blocks cannot become committed by honest replicas
67
Let B,W conflicting blocks, different heights
Proof Let B,W conflicting blocks, different heights
68
B commits at honest replica that sees:
Proof B commits at honest replica that sees: QC | B QC | B’ QC | B’’ QC | B’’’
69
W commits at honest replica that sees:
Proof W commits at honest replica that sees: QC | W QC | W’ QC | W’’ QC | W’’’
70
Without loss of generality ….
Proof Without loss of generality …. B B’ B’’ W W’ W’’
71
Proof By quorum intersection ….
W W’ W’’ I, a correct validator, voted for B’’ and W’’
72
By quorum intersection ….
Proof By quorum intersection …. B B’ B’’ W W’ W’’ I voted for W’ first
73
Proof By quorum intersection …. W was my preferred block B B’ B’’ W W’
74
Proof By quorum intersection ….
W W’ W’’ To vote for B’’, my preference must have changed branches
75
W’’.height < Bs.height ≤ B’.height
Proof There exists Bs B B’ B’’ Bs W W’ W’’ W’’.height < Bs.height ≤ B’.height
76
W’’.height < Bs.height ≤ B’.height
Proof There exists Bs B B’ B’’ Bs W W’ W’’ W’’.height < Bs.height ≤ B’.height Bs has QC from a block
77
Proof There exists Bs B B’ B’’ Bs W W’ W’’
W’’.height < Bs.height ≤ B’.height Bs has QC from a block Bs has QC to block conflicting with W
78
Proof There exists Bs B B’ B’’ Bs W W’ W’’
W’’.height < Bs.height ≤ B’.height Bs height is minimal Bs has QC from a block Bs has QC to block conflicting with W
79
Proof There exists Bs B B’ B’’ Bs W W’ W’’
W’’.height < Bs.height ≤ B’.height Bs height is minimal Bs has QC from a block Bs could be B’ so Bs exists Bs has QC to block conflicting with W
80
Proof B B’ B’’ Bs W W’ W’’ I voted for W’’ then Bs
81
Proof B B’ B’’ Bs W W’ W’’ I prefer W, which conflicts with pred Bs, so I can’t vote for Bs, contradiction
82
Theorem 3 If C1 and C2 are block smart contracts, where some honest replica executes C1 before C2, then every honest replica that executes C2 first executes C1
83
Proof Let blocks be B1, B2 From Lemma 1, different heights There exist
From Lemma 2, B1‘, B2‘ do not conflict B1, B2 do not conflict B2 Each replica executes in order
84
Proof of Liveness
85
Lemma 4 After GST, if any correct replica has B as its preferred block then there exists at least f+1 correct replicas that have a QC for B in a block B’.
86
Proof If a correct replica has B as preferred block,
Then It has a 2-chain … B B’ B’’ The QC for B’ in B’’ contains 2f+1 votes At least f+1 votes from correct replicas Each correct replica that voted B’ saw B B’
87
Theorem 5 A correct proposer that asks replicas for latest blocks, and waits for n−f responses, can propose a block that will make progress after GST
88
Proof Let B be the preferred block in the highest 1-chain by any correct replica. From Lemma 4, any n−f responses intersect the f+1 correct replicas with the highest 1-chain: B B’
89
Proof From Lemma 4, any n−f responses intersect the f+1 correct replicas with the highest 1-chain: B B’ Hence the correct proposer will follow the branch led by B and extend B’ with a new B’’ All correct replicas make B preferred if not already preferred
90
All correct replicas will vote for B’’
Proof All correct replicas make B preferred if not already preferred All correct replicas will vote for B’’
91
Consensus in Byzantine models
Ideas we covered in this lecture Consensus in Byzantine models Semi-Synchronous models HotStuff Protocol Safety proof Liveness Proof
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.