Byzantine Fault-Tolerance


1 Byzantine Fault-Tolerance
CS1952 L Spring 2019 Maurice Herlihy Brown University

2 Permissionless (or Public) Blockchains
Anyone can participate
Rewards & punishments up-front
No central authority
Partly a myth: Blocksize fork; Version 0.7/0.8 fork; $54M DAO theft
Alice’s Cryptocoupons are permissionless

3 Permissioned (or private) Blockchains
Participants vetted
Can penalize after-the-fact
Governance easier because there is an authority
Alice’s temperature sensors are permissioned

4 Consensus: Each Party has a Private Input

5 They Communicate

6 They Agree on One Party’s Input

7 Crash Failures

8 Crash Failures

9 Byzantine Failures

10 He said, She said … ???

11 He said, She said … ???

12 Identifying Input Values
sorry f

13 Identifying Input Values
! f+1

14 Byzantine Model There are n validators

15 Byzantine Model
As many as f may be dishonest, where f < n/3 (or f < n/2 with sigs)

16 Synchronous Model
In synchronous models, processes take steps at the same rate. After the red process takes a step, it knows the blue process has also taken a step. Synchronous comes from Greek: syn = together, chronos = time.

17 Asynchronous Model
In asynchronous models, processes take steps at any rate. Asynchronous comes from Greek: a (not) + synchronous (at the same time). Synchronous comes from Greek: syn = together, chronos = time.

18 Semi-Synchronous

19 Semi-Synchronous
Global Stabilization Time (exactly when is unknown)

20 Adaptive Adversary
Adaptively decides which f to corrupt and when to corrupt them
Example: DoS attack
There are many kinds of adaptive adversaries …

21 Adaptive Adversary
How quickly can the adversary corrupt? Same round, next round, polylog rounds …
Rushing adversary can corrupt an honest party in round r but cannot suppress honest round-r messages
Strongly rushing adversary can suppress honest round-r messages
Example: DoS attack

22 Static Adversary
Corrupts validators at start of protocol
Like a “mole” in a spy story
Leader-based protocols assume a static adversary (or adaptive with slow corruption time)

23 Practical Byzantine Fault-Tolerance
First practical Byzantine agreement protocol
Many improvements, optimizations
Precedes blockchain
Semi-Synchronous model

24 Before PBFT Mainstream Distributed Computing Systems Research
Byzantine fault-tolerance will be super-important! You Theory losers disgust me, wasting your lives on BFT! Mainstream Systems Research Distributed Computing

25 Distributed Computing
After PBFT You theory losers disgust me: we just invented this super-important BFT thing! Why didn’t you do that? Um, blockchains? Mainstream Systems Research Distributed Computing

26 HotStuff “Best of breed” improvement on PBFT Less communication
Semi-Synchronous model

27 BFT vs PoW
Well-understood
Many protocols, research papers
Proofs and open-source implementations
Way faster than PoW
Decisions are final

28 BFT vs PoW
Requires node identities, because of Sybil attacks

29 Hello, I’m an honest validator
Structure Hello, I’m your leader Hello, I’m honest Hello, I’m an honest validator I’m evil, LOL

30 Jargon Watch
Different papers, different terms, same thing
“proposer” == “leader”
“replica” == “validator”
HotStuff sometimes inconsistent, but these mean the exact same thing

31 Signatures
All messages signed by senders
All signatures checked by receivers
Omitted from protocols for brevity

32 PoW vs BFT
                   PoW           BFT
Identity           Don’t care    Care
Finality           No            Yes
Node scalability   Excellent     Limited
Power              Bad           Good
Adversary          ~25%          33%
Synchrony          Synchronous   Semi-Synchronous
Correctness        (not stated)  Proof

33 Block Party
Each block eventually: Committed, or Rejected
Goal is agreement on … a growing chain of committed blocks

34 Parent Pointers
(figure: a chain of blocks linked by parent pointers)
Transitive closure forms ancestors

35 Parent Pointers
(figure: blocks at height k and height k+1)

36 Parent Pointers
(figure: blocks on the same branch, at height k and height k+1)

37 Parent Pointers
(figure: conflicting blocks on different branches, at height k and height k+1)

38 Validators
Hello, I’m an honest validator
I vote only once per height … always at increasing heights
If I vote on B, then I have seen B’s ancestors

39 Quorum Certificates
I vote for B! (whatever)
If 2f+1 votes are collected, they form a quorum certificate (QC) for B

40 Quorum Certificates
(figure: blocks QC|B, QC|B’, QC|W, QC|W’, QC|W’’)
Each block’s QC is for an ancestor

41 QC Chains
1-chain: 2f+1 correct validators voted for B at B.height (figure: QC|B, QC|B’)

42 QC Chains
1-chain: 2f+1 correct validators voted for B at B.height
2-chain: 2f+1 correct validators voted for B’’ and received 1-chain B → B’

43 QC Chains
1-chain: 2f+1 correct validators voted for B at B.height
2-chain: 2f+1 correct validators voted for B’’ and received 1-chain B → B’
3-chain: 2f+1 correct validators voted for B’’’ and received 2-chain B → B’ → B’’

44 Committed Block
(figure: QC|B at height k, QC|B’ at height k+1, QC|B’’ at height k+2, QC|B’’’ at height ?)
B is committed if there is a 3-chain B → B’ → B’’ → B’’’, where B is the parent of B’ and B’ is the parent of B’’

45 Validators
Hello, I’m an honest validator

46 Validators
And these are my blocks … (figure: QC|B, QC|B’, QC|B’’)

47 Validators
B’ → B’’ is the highest 1-chain I’ve seen

48 Validators
So B is my preferred block

49 Validators
I will vote for Bnew only if it has my preferred block as an ancestor (figure: QC|B, QC|B’, QC|B’’, QC|Bnew)

50 Only Two Kinds of Message
propose
vote

51 Only Two Kinds of Message
propose: B, Bhqc
vote: B, Bhqc
Bhqc is the highest QC seen by the sender

52 Propose Message
Hello, I’m an honest validator and this is my state:
Bhqc: tail of highest 1-chain
vheight: height of last voted block

53 Validators
Hello, I’m the leader
Bhqc: tail of highest 1-chain
vheight: height of last voted block

54 Propose Message
propose: Bnew, Bhqc
On receiving a proposal, I ask:
Is my preferred block an ancestor of Bnew?
Should I update Bhqc?
Have I voted at ≥ Bnew.height?

55 Vote Message
vote: Bnew, Bhqc
Send current Bhqc
Update my vheight
If new blocks are now committed, execute their smart contracts in block order

56 Vote Message
vote: Bnew, Bhqc (from each validator)
Collect votes for Bnew until I can form a QC

57 Pacemaker
Picking a leader: round-robin
What to propose? Get QCs from 2f+1 replicas, extend from the latest QC
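The validator rules of slides 38 through 57 fit in a short simulation. The following is an added example written for these notes, not code from the lecture or from the HotStuff authors: it models parent pointers and ancestors, quorum certificates, a validator's state (Bhqc, vheight, preferred block), the two voting checks, and the 3-chain commit rule of slide 44. All names (`Block`, `QC`, `Validator`, `run_example`) and the n = 4, f = 1 run are this example's own assumptions.

```python
# Added example: chained-HotStuff voting and commit rules as described in the
# lecture slides. Constructed simulation, not the HotStuff reference code.
from dataclasses import dataclass
from typing import Optional


@dataclass(eq=False)
class Block:
    name: str
    parent: Optional["Block"]      # parent pointer; None for genesis
    justify: Optional["QC"]        # QC for an ancestor, carried in the block

    @property
    def height(self) -> int:
        return 0 if self.parent is None else self.parent.height + 1


@dataclass(frozen=True)
class QC:
    block: Block                   # block that collected 2f+1 votes
    voters: frozenset              # ids of the validators that voted


def is_ancestor(a: Block, b: Block) -> bool:
    """True if a is b or lies on b's parent chain (transitive closure of parent pointers)."""
    while b is not None:
        if b is a:
            return True
        b = b.parent
    return False


def conflict(a: Block, b: Block) -> bool:
    """Different branches: neither block is an ancestor of the other."""
    return not is_ancestor(a, b) and not is_ancestor(b, a)


def form_qc(block: Block, votes, f: int) -> Optional[QC]:
    """2f+1 votes form a quorum certificate; fewer votes form nothing."""
    return QC(block, frozenset(votes)) if len(votes) >= 2 * f + 1 else None


class Validator:
    def __init__(self, vid: int, genesis: Block):
        self.vid = vid
        self.vheight = 0                # height of the last block I voted for
        self.hqc: Optional[QC] = None   # highest QC I have seen (Bhqc)
        self.committed = [genesis]      # committed blocks, in execution order

    def preferred(self) -> Optional[Block]:
        """Head B of my highest 2-chain B -> B' -> B'': hqc certifies B', and B' carries a QC for B."""
        if self.hqc is None or self.hqc.block.justify is None:
            return None
        return self.hqc.block.justify.block

    def on_propose(self, bnew: Block) -> Optional[int]:
        """The checks of slide 54; returns my vote (my id) or None if I refuse."""
        qc = bnew.justify
        if qc is not None and (self.hqc is None or qc.block.height > self.hqc.block.height):
            self.hqc = qc                                  # update Bhqc
        pref = self.preferred()
        if pref is not None and not is_ancestor(pref, bnew):
            return None      # bnew is on a branch conflicting with my preferred block
        if bnew.height <= self.vheight:
            return None      # I vote once per height, always at increasing heights
        self.vheight = bnew.height
        self._try_commit(bnew)
        return self.vid

    def _try_commit(self, b3: Block) -> None:
        """Slide 44: B commits on a 3-chain B -> B' -> B'' -> B''' with B parent of B' parent of B''."""
        b2 = b3.justify.block if b3.justify else None
        b1 = b2.justify.block if b2 is not None and b2.justify else None
        b0 = b1.justify.block if b1 is not None and b1.justify else None
        if b0 is None or b1.parent is not b0 or b2.parent is not b1:
            return
        pending, b = [], b0
        while b is not None and b not in self.committed:
            pending.append(b)
            b = b.parent
        self.committed.extend(reversed(pending))   # B and its uncommitted ancestors, in block order


def run_example(n: int = 4, f: int = 1) -> dict:
    """Constructed run: a correct leader extends the chain, then a faulty leader misbehaves."""
    genesis = Block("G", None, None)
    validators = [Validator(i, genesis) for i in range(n)]

    def propose(name, parent, justify):
        b = Block(name, parent, justify)
        votes = [v for v in (val.on_propose(b) for val in validators) if v is not None]
        return b, form_qc(b, votes, f)

    b1, qc1 = propose("B1", genesis, None)
    b2, qc2 = propose("B2", b1, qc1)
    b3, qc3 = propose("B3", b2, qc2)
    b4, qc4 = propose("B4", b3, qc3)        # carries QC for B3: 3-chain B1 -> B2 -> B3 -> B4 commits B1
    _, qc_dup = propose("B4x", b3, qc3)     # a second block at height 4: refused, vote once per height
    w, qc_w = propose("W", b1, qc1)         # fork off B1, conflicting with preferred block B2: refused
    return {
        "committed": [b.name for b in validators[0].committed],
        "preferred": validators[0].preferred().name,
        "qc_for_B4": qc4 is not None,
        "qc_for_B4x": qc_dup is not None,
        "qc_for_W": qc_w is not None,
        "W_conflicts_B3": conflict(w, b3),
    }


if __name__ == "__main__":
    print(run_example())
```

In the run, the QC for B3 carried by B4 completes the 3-chain B1 → B2 → B3 → B4, so every validator commits B1 (after genesis) at that point; the duplicate proposal at height 4 and the fork off B1 both collect zero votes, so neither gets a QC.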

58 See Paper for Full Spec

59 Proof of Safety

60 Lemma 1
Conflicting blocks with the same height cannot both have valid QCs.

61 Proof
Suppose B and W with the same height both have valid QCs.
Both received 2f+1 votes.

62 Proof
(figure: Quorum for B, Quorum for W; each quorum has 2f+1 validators)

63 Proof
(figure: Quorum for B, Quorum for W; intersection has f+1 validators)

64 Proof
The intersection has at least 1 correct validator

65 Proof
I, a correct validator, must have voted for both, a contradiction!
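The proof of Lemma 1 is a counting argument: correct validators vote at most once per height, so two conflicting blocks at the same height split the correct votes between them, while the f faulty validators may vote for both. The following is an added example, not part of the lecture, that enumerates every way the correct votes can split and checks whether both blocks can still reach a quorum; it also goes beyond the slide's setting by showing that the bound f < n/3 is tight. The function names (`min_quorum_overlap`, `can_double_certify`, `lemma1_holds`) are this example's own.

```python
# Added example: the quorum-intersection count behind Lemma 1.
# Constructed for these notes, not from the lecture or the HotStuff paper.

def min_quorum_overlap(n: int, quorum: int) -> int:
    """Any two quorums of size `quorum` among n validators share at least this many members."""
    return max(0, 2 * quorum - n)


def can_double_certify(n: int, f: int, quorum: int) -> bool:
    """True if some split of the n-f correct votes lets two conflicting same-height
    blocks B and W both collect `quorum` votes, with all f faulty validators
    voting for both. Correct validators vote at most once per height."""
    correct = n - f
    for for_b in range(correct + 1):       # correct votes for B; the rest go to W (or nobody)
        votes_b = for_b + f
        votes_w = (correct - for_b) + f
        if votes_b >= quorum and votes_w >= quorum:
            return True
    return False


def lemma1_holds(f: int) -> bool:
    """The lecture's setting: n = 3f+1 validators, quorum 2f+1."""
    return not can_double_certify(3 * f + 1, f, 2 * f + 1)


if __name__ == "__main__":
    for f in range(1, 6):
        n, q = 3 * f + 1, 2 * f + 1
        print(f"f={f} n={n}: quorums overlap in >= {min_quorum_overlap(n, q)} "
              f"(f+1 = {f + 1}), lemma holds: {lemma1_holds(f)}")
    # The bound is tight: with n = 3f (f = n/3) and the same quorum, both blocks can certify.
    print("n=3, f=1, quorum=2 can double-certify:", can_double_certify(3, 1, 2))
```

With n = 3f+1 the two quorums overlap in 2(2f+1) − (3f+1) = f+1 validators, one more than the adversary controls, which is exactly the correct validator the slide's "I must have voted for both" step relies on.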

66 Lemma 2
Conflicting blocks cannot become committed by honest replicas

67 Proof
Let B, W be conflicting blocks at different heights

68 B commits at honest replica that sees:
Proof B commits at honest replica that sees: QC | B QC | B’ QC | B’’ QC | B’’’

69 W commits at honest replica that sees:
Proof W commits at honest replica that sees: QC | W QC | W’ QC | W’’ QC | W’’’

70 Proof
Without loss of generality … (figure: B, B’, B’’ on one branch; W, W’, W’’ on the other)

71 Proof
By quorum intersection … I, a correct validator, voted for B’’ and W’’

72 Proof
By quorum intersection … I voted for W’ first

73 Proof
By quorum intersection … W was my preferred block

74 Proof
By quorum intersection … to vote for B’’, my preference must have changed branches

75 Proof
There exists Bs with W’’.height < Bs.height ≤ B’.height

76 Proof
There exists Bs with W’’.height < Bs.height ≤ B’.height
Bs has a QC from a block

77 Proof
There exists Bs with W’’.height < Bs.height ≤ B’.height
Bs has a QC from a block
Bs has a QC to a block conflicting with W

78 Proof
There exists Bs with W’’.height < Bs.height ≤ B’.height
Bs height is minimal
Bs has a QC from a block
Bs has a QC to a block conflicting with W

79 Proof
There exists Bs with W’’.height < Bs.height ≤ B’.height
Bs height is minimal
Bs has a QC from a block
Bs could be B’, so Bs exists
Bs has a QC to a block conflicting with W

80 Proof
I voted for W’’ then Bs

81 Proof
I prefer W, which conflicts with the predecessor of Bs, so I can’t vote for Bs: a contradiction

82 Theorem 3
If C1 and C2 are block smart contracts, where some honest replica executes C1 before C2, then every honest replica that executes C2 first executes C1.

83 Proof
Let the blocks be B1, B2
From Lemma 1, different heights
There exist
From Lemma 2, B1’, B2’ do not conflict
B1, B2 do not conflict
Each replica executes in order

84 Proof of Liveness

85 Lemma 4 After GST, if any correct replica has B as its preferred block then there exists at least f+1 correct replicas that have a QC for B in a block B’.

86 Proof
If a correct replica has B as its preferred block, then it has a 2-chain B → B’ → B’’
The QC for B’ in B’’ contains 2f+1 votes
At least f+1 votes are from correct replicas
Each correct replica that voted for B’ saw B → B’

87 Theorem 5 A correct proposer that asks replicas for latest blocks, and waits for n−f responses, can propose a block that will make progress after GST

88 Proof
Let B be the preferred block in the highest 1-chain held by any correct replica.
From Lemma 4, any n−f responses intersect the f+1 correct replicas that have the highest 1-chain B → B’

89 Proof
Hence the correct proposer will follow the branch led by B and extend B’ with a new B’’
All correct replicas make B preferred if it is not already preferred

90 Proof
All correct replicas will vote for B’’

91 Ideas we covered in this lecture
Consensus in Byzantine models
Semi-Synchronous models
HotStuff protocol
Safety proof
Liveness proof

