1. The Byzantine Generals Problem L. Lamport R. Shostak M. Pease Presented by: Emmanuel Grumbach Raphael Unglik January 2004

2. Basics Reliable system must cope with computer failures. Failure does not mean that the component stopped. An often overlooked type of failure: sending conflicting information to different parts of the system Coping with this type of failure is expressed abstractly as the Byzantine Generals Problem…

3. Presentation Plan 1. Introduction 2. Impossibility Results 3. A Solution with Oral Messages 4. A Solution with Signed Messages 5. Missing Communication Paths 6. Reliable Systems 7. Conclusion

4. 1. Introduction

5. Introduction - Abstract Problem

6. Introduction - Requirements The generals must decide upon a common plan of action. The generals communicate by sending messengers. BUT: Some generals may be traitors. Traitors try to prevent loyal generals from reaching agreement by sending wrong messages or by non-sending messages. The generals must have an algorithm to guarantee that : – Condition A. All loyal generals decide upon the same plan of action.  all the generals use the same decision function. – Condition B. A small number of traitors cannot cause the loyal generals to adopt a bad plan.  the function is robust.

7. Introduction - Formalization Let v(i) be the information communicated by the ith general. Condition A’: Any two loyal generals use the same value of v(i). Condition B’: If the ith general is loyal, then the value that he sends must be used by every loyal general as the value of v(i). Conditions A’ and B’ are both conditions on the single value sent by the ith general. We can therefore restrict our consideration to the problem of how a single general sends his value to the others.

8. The Byzantine Generals Problem A commanding general must send an order to his n – 1 lieutenants such that: IC1. All loyal lieutenant obey the same order. IC2. If the commanding general is loyal, then every loyal lieutenant obeys the order he sends. To solve our original problem, the ith general sends his value of v(i) by using a solution to the BGP to send the order “use v(i) as my value”, with the other generals acting as lieutenants.

9. 2. Impossibility Results

10. Our army Traitor Loyal General

11. Impossibility Results Definition: An oral message is one whose contents are completely under the control of the sender, so a traitorous sender can transmit any possible message. We make the following assumptions: A1. Every message that is sent is delivered correctly. A2. The receiver of a message knows who sent it. A3. The absence of a message can be detected. Such a message corresponds to the type of message that computers normally send to one another.

12. Impossibility Results (cont) Claim: If the generals send only oral messages, then with only three generals, no solution can work in the presence of a single traitor. (Assuming maximal information exchange)

13. Proof Attack ! Retreat ! Attack ! 2 Retreat ! Attack ! 211

14. Proof (cont.) In the first case, the loyal lieutenant (2) receives two messages: 1. Attack from the general. 2. Retreat from another lieutenant. Since the general is loyal, he must attack in order to fulfill IC2. In the second case, the loyal lieutenant (2) receives the same two messages than in the previous case, so he has to attack. But by symmetry, lieutenant (1) has to retreat  IC1

15. Impossibility Results Claim: If the generals send only oral messages, then no solution will work unless more than two-thirds of the generals are loyal. Proof: By a (not so) simple reduction. Assume there exist a solution for 3m generals to cope with m traitors. We can build from this assumption a solution for 3 generals to cope with a single traitor.

16. The reduction We want to build a solution for 3 Byzantine generals (say A, B and C) in the presence of a single traitor. Each one of A, B and C subdivides in m generals, according to his loyalty. Since one of them is a traitor, there will be m traitors in the new problem (each one of A, B and C knows if he is a traitor or not). We get 3m generals, including m traitors. From reduction’s assumption, there is a solution to this new problem. A, B and C run this solution and take the same decision that all their “sub-generals” take (if there is such a decision). Since IC1, IC2 hold in the extended problem, they also hold in the starting problem (to prove)  we get a solution to an unsolvable problem.

17. 3. A solution with Oral Messages

18. Oral Messages - Definition Definition: An oral message is one whose contents are completely under the control of the sender, so a traitorous sender can transmit any possible message. We make the following assumptions: A1. Every message that is sent is delivered correctly. A2. The receiver of a message knows who sent it. A3. The absence of a message can be detected. Assumption: The communication graph of the generals is a complete graph.

19. Algorithm OM - Intuition Solution without traitors: any ideas ?  Believe what the general tells you… Solution with one traitor…  If the traitor is a lieutenant, no need to change the algorithm  If the traitor is the general our algorithm fails… In this case, we have to satisfy IC1 only. If each lieutenant knows all the values that the general sent, the problem is solved (majority). This solution holds also for the case above.

20. Example: n = 4 and m = 1 Attack ! Retreat ! Attack ! Retreat ! 1 23 Lieutenant 1 received: Attack from the general and 2 Retreat from the Lieutenant 3 He chooses Attack Lieutenant 2 received: Attack from the general and 1 Retreat from a Lieutenant 3 He chooses Attack IC1 IC2

21. Example: n = 4 and m = 1 Attack ! Retreat ! Suicide ! Attack !Retreat ! Suicide ! Attack ! Suicide ! 1 23 Lieutenant 1 chooses maj (Attack, Retreat, Suicide) IC1 IC2 - vacuous Lieutenant 2 chooses maj (Attack, Retreat, Suicide) Lieutenant 3 chooses maj (Attack, Retreat, Suicide)

22. OM - Intuition two traitors If the two traitors are lieutenants the aforementioned algorithm works: take the majority of what all the lieutenants received. If the general and a lieutenant are traitors, not so easy…  Each loyal lieutenant computes a different majority.  In order to satisfy IC1, the loyal lieutenants have to 1. agree on the value the traitor lieutenant sent. 2. compute the majority with the value computed in 1.

23. OM(m) - The algorithm Let m be the number of traitors. OM(0) 1. The general sends his value to every lieutenant. 2. Each lieutenant uses the value he received from the general or the default value if no message is received. OM(m), m > 0 1. The general sends his value to every lieutenant. 2. For each i let v i be the value lieutenant i got from the general j, i acts as a general and runs OM(m-1) sending v i. 3. Let v k be the value i got for general j in OM(m-1) performed by k. i computes v j = majority(v i, v k1,…,v kl ).

24. OM(m) - Remarks Since each lieutenant sends many separate messages to each other lieutenant, there must be some way to distinguish among these different messages  each lieutenant i prefixes the number i to the value v i he sends in step 2. In step 2 lieutenant i runs OM(m-1) to send v i to each lieutenant that does not appear in the list of senders of v i.

25. Messages received by the lieutenant 2 In OM(2), OM(1), OM(0). 1 2 22222 22222222222222222222 11111111111111111111 11111 3 3333 4 44445555 56 66667777 7 44455566363377774536 OM(2) OM(1) OM(0)

26. OM(m) - Message complexity OM(m) invokes n – 1 separates execution of OM(m – 1). Each execution of OM(m – 1) invokes n – 2 separate executions of OM(m – 2) etc…  (n – 1)*(n – 2)*(n – 3)*…*(n – m) = O(n m ) messages are sent. For n = 3m + 1, the algorithm is exponential in n.

27. OM(m) - Proof of Correctness Lemma 1. For any m and k, algorithm OM(m) satisfies IC2 if there are more than 2k + m generals and at most k traitors. Note. If the general is a traitor, lemma 1 is true (why ?), so we will only prove the case in which the general is loyal. Proof: By induction on m. m = 0: Trivial. hypothesis: Lemma 1 holds for m – 1, m > 0. We will prove it for m.

28. OM(m) - Proof of Correctness Proof (cont). In step 1, the loyal general sends a value v to all n – 1 lieutenants. In step 2, each loyal lieutenant j applies OM(m – 1) with n – 2 other lieutenants acting as its lieutenants. 1. n > 2k + m, thus (n – 1) > 2k + (m – 1). 2. Each running of OM(m – 1) includes at most k traitors. From hypothesis, each loyal lieutenant l gets v from each j. Since there is a majority of loyal lieutenants, the majority computation will give the same result - v - for all l.

29. OM(m) - Proof of Correctness Theorem 1. For any m, algorithm OM(m) satisfies conditions IC1 and IC2 if there are more than 3m generals and at most m traitors. Proof: By induction on m. m = 0: Trivial. hypothesis: Theorem 1 holds for m – 1, m > 0. We will prove it for m.

30. OM(m) - Proof of Correctness Note. If the general is loyal, Theorem 1 holds from Lemma 1 (k = m) so we will focus on the case in which the general is a traitor. Proof (cont). In step 2, each loyal lieutenant j applies OM(m – 1) with n – 2 other lieutenants acting as its lieutenants. 1. n > 3m, thus (n – 1) > 3(m – 1). 2. Each running of OM(m – 1) includes at most m traitors.

31. OM(m) - Proof of Correctness Proof (cont). From hypothesis (IC1 holds for each running of OM(m – 1)), we get that each loyal lieutenant gets the same value for each lieutenant, and therefore obtain the same value in the majority computation of step 3, proving IC1.

32. 4. A Solution with Signed Messages

33. Signed messages - Definition It is the traitor’s ability to lie that makes the BGP so difficult. One way to restrict that ability is to allow the generals to send unforgeable signed messages. When the messages are signed, we add the following assumption to A1, A2 and A3 : A4. (a) A loyal general’s signature cannot be forged, and any alteration of the contents of his signed messages can be detected. (b) Anyone can verify the authenticity of a general’s signature.

34. Signed messages - Definition Note that we made no assumption about a traitorous general’s signature  we permit collusion among the traitors. There exist a solution to cope with m traitors for any number of generals (the problem is vacuous for n < m + 2). We assume the existence of a common choice function which maps sets of orders to an order: 1. V = { v }  choice(V) = v 2. choice(  ) = RETREAT

35. Algorithm SM Let x:i be the value x signed by i, v:i:j is the value v signed by i, and then the value v:i signed by j. Each lieutenant i maintains a set V i, containing the set of properly signed orders he has received so far.

36. Algorithm SM(m) Initially, V i = . 1. The general signs and sends his value to every lieutenant. 2. For each i: a. If lieutenant i receives a message of the form v:0 from the general and he has not yet received any order, then i. He lets V i equal {v}; ii. He sends the message v:0:i to every other lieutenant. b. If lieutenant i receives a message of the form v:0:j 1 :…:j k and v is not in the set V i then i. He adds v to V i ; ii. If k < m then he sends the message v:0:j 1 :…:j k :i to every lieutenant other than j 1,…,j k. 3. For each i: When lieutenant i will receive no more messages, he obeys the order choice(V i ).

37. SM(m) - Proof of Correctness Theorem 2. For any m, algorithm SM(m) satisfies conditions IC1 and IC2 if there are at most m traitors. Proof. 1. Loyal general a. He sends his signed order v:0 to every lieutenant in 1. b. Every loyal lieutenant receives the order v in 2. a. c. The signature is unforgeable, so no additional order can be received by a loyal lieutenant in 2. b. Hence, for each loyal lieutenant i, V i = {v}, and we are done.

38. SM(m) - Proof of Correctness Proof (cont). 2. Traitorous general a. Let i and j be two loyal lieutenants. b. If i receives the order v in 2. a. then he sends it to j in 2. a. ii. and j receives it (by A1 ). c. If i receives the order v in 2. b. then he received a message of the form v:0:j 1 :…:j k. i. If j is one of the j r then he received v (by A4 ). ii. If k < m then i sends v:0:j 1 :…:j k :i to j so j receives v. iii. If k = m then one of the j r is loyal (there are m traitors, including the general), and he sent v to j. We got V i = V j so that IC1 holds.

39. 5. Missing Communication Paths

40. p-regular graph Definition: A set of nodes {i 1, i 2, …, i p } is said to be a regular set of neighbors of a node i if: – Each i j is a neighbor of i – For any k different from i there exist paths γ j,k from i j to k not passing through i such that any two different paths γ j,k for different j have no node in common other that k. Definition: A graph G is said to be p-regular if every node has a regular set of neighbors consisting of p distinct nodes.

41. Definition: p-regular graph (cont.) i k All the paths from the neighbors of i to k have no common nodes. Therefore, i has a regular set of neighbors whose size is 4.

42. Example: a 3-regular graph This graph is 3-regular This one is not 3-regular…

43. What happens if we remove a node n from a p-regular graph ? n is the neighbor of r : n is not the neighbor of r : Properties of a p-regular graph In the worst case, n is one of the nodes in the regular set of r, after its removal there remain p -1 nodes in the regular set of r.  G is (p-1)-regular. n r r n In the worst case, n is one of the nodes on a path from a node in the regular set of r, after its removal there remain p -1 nodes in the regular set of r.  G is (p-1)-regular.

44. Extension of OM(m) The extension of OM(m) solves the BGP when the graph of the generals is 3m-regular. For all positive integers m and p, we define the algorithm OM(m,p) when the graph of the generals is p-regular. OM(m,p) is not defined if the graph is not p-regular.

45. Algorithm OM(m,p) (0) Choose a regular set N of neighbors of the general consisting of p lieutenants. (1) The general sends his value to every lieutenant in N. (2) For each i in N, let v i be the value Lieutenant i received from the general, or else RETREAT if he receives no value. Lieutenant i sends v i to every other lieutenant k as follows: (A) If m = 1, then by sending the value along the path γ i,k.. (B) If m > 1, then by acting as a general in the algorithm OM(m-1,p-1) with the graph obtained by removing the original general. (3) For each k and each i in N with i ≠ k, let v i be the value Lieutenant k received from Lieutenant i in step (2) or RETREAT if he received no value. Lieutenant k uses the value majority(v i1,v i2,…,v ip ) where N = {i 1,…,i p }.

46. OM(m,p) - Proof of Correctness Lemma 2. For any m > 0, and any p ≥ 2k + m, algorithm OM(m,p) satisfies IC2 if there are at most k traitors. Note. If the general is a traitor, lemma 2 is trivial so we will only prove the case in which the general is loyal. Proof: By induction on m. m = 1: p ≥ 2k + m  more than half of the paths from the general to any lieutenant are composed entirely of loyal lieutenants. hypothesis: Lemma 2 holds for m – 1, m > 1. We will prove it for m.

47. OM(m,p) - Proof of Correctness Proof (cont). m > 1: – If the general is loyal, then all the p lieutenants in N get the correct value. – p > 2k a majority of them are loyal – By induction hypothesis, each of them send the correct value to every loyal lieutenant.  Each loyal lieutenant gets a majority of correct values.

48. OM(m,p) - Proof of Correctness Theorem 3. For any m > 0 and any p ≥ 3m, algorithm OM(m,p) solves the BGP, if there are at most m traitors. Proof. If k = m then by Lemma 2, IC2 holds. If the general is loyal then IC1 follows from IC2.  We need to prove that IC1 holds when the general is a traitor.

49. OM(m,p) - Proof of Correctness Proof (cont). By induction on m: m = 1: The general is the only traitor. All the loyal lieutenants will get the same value for each i in N. The loyal lieutenants will compute the same majority. hypothesis: Theorem 3 holds for m – 1, m > 1. We will prove it for m.

50. OM(m,p) - Proof of Correctness Proof (cont). m > 1: p ≥ 3m  p - 1 ≥ 3(m - 1). OM(m - 1,p - 1) satisfies Theorem 3. Each loyal lieutenant gets the value each lieutenant in N sent. Every loyal lieutenant will have the same input for the same decision function. Every lieutenant arrive the same decision. QED  OM(m,3m) solves the BGP for a 3m-regular general graph.

51. Connectivity We require 3m-regularity which is a strong connectivity hypothesis. If there are 3m+1 generals, it is equivalent to a complete graph. The weakest connectivity hypothesis for which BGP is solvable is that the sub graph formed by the loyal generals is connected (the traitor may simply block the message). Under this assumption SM(n - 2) is a solution where n is the number of general - regardless of the number of traitors.

52. Diameter and SM(m) Definition: The diameter of a graph is the smallest number d such that any two nodes are connected by a path containing at most d arcs. If the graph is not connected, the diameter can be defined to be ∞. Theorem 4: For any m and d, if there are at most m traitors and the sub graph of loyal generals has diameter d, then SM(m + d -1) solves the BGP. (The SM(m) is slightly modified: a general sends a message to his neighbors only).

53. SM(m+d-1) - Proof of Correctness Proof IC2. By hypothesis there is a path from the loyal general to any lieutenant i going through d - 1 or fewer loyal lieutenants. Those lieutenants will relay the order to i (the message cannot be modified). Proof IC1. We assume that the general is a traitor. We must show that an order received by a loyal lieutenant i is received by a loyal lieutenant j also. i received v:0:j 1 :j 2 :…:j k not signed by j (meaning that j has not received it yet

54. SM(m+d-1) - Proof of Correctness Proof IC1 (cont). If k < m, i will send it to every neighbor that has not received the order yet and it will be relayed to j within d - 1 more steps. If k ≥ m, then one of the first m signers must be loyal and must have sent it to all of his neighbors, again it will reach j within d - 1 steps. Corollary. If the graph of the loyal generals is connected, the SM(n - 2) solves the BGP for n generals.

55. Corollary - Proof d – the diameter of the graph of the loyal generals G(V,E). d ≤ |V|. There must be at least d loyal generals. There must be fewer than n - d traitors.  m = n - d - 1  n = m + d +1  n - 2 = m + d - 1  According to Theorem 4 QED

56. Lack of connectivity What if the loyal lieutenants graph is not connected ? SM(m + d – 1) has the following properties: 1. Any two loyal lieutenants connected by a path of length at most d passing through only loyal lieutenants will obey the same order. 2. If the general is loyal, then any loyal lieutenant connected to him by path of length m + d passing only through loyal lieutenants will obey the same order.

57. 6. Reliable Systems

58. How to reach reliability ? The only known way to reach reliability nowadays is redundancy. This is true at all scales: from a single chip that might fail until the runway of an airport that might be destroyed by the enemy. This means that the “processor” is replicated and the final result is the majority of the result of all the replications. This assumes that all the nonfaulty processors will produce the same output, which is true as long as they use the same input.

59. The input issue Input comes from a single component (a chip, a radar)  a malfunctioning component can give different values to different processors. Lack of synchronization: reading while the value is written. The solution is semaphore usage. In order for majority voting to yield a reliable system, the following two conditions should be satisfied: – All non faulty processors must use the same input value (so they produce the same value). – If the input unit is nonfaulty, then all the nonfaulty processes use the value it provides as input (so they produce the correct output).

60. BGP as a solution to reliability The aforementioned conditions are IC1 and IC2 with – “traitors” = “faulty” – “general” = “input” – “processors” = “lieutenant” The issue of the input is still unsolved: – The general may say something meaningless to all the lieutenants. – In the case the input is important and might be faulty, it may be replicated (several radars). – Redundant inputs cannot achieve reliability (we still need an algorithm as BGP).

61. Synchronization We want that nonfaulty processors obtain a reasonable input value even if they read it while it changes. In case choice or majority are taken to be median functions, the taken value belongs to the domain of the values of the input unit.  the nonfaulty processors will get a reasonable value if the range of values given by the input unit is reasonable.

62. From BGP to reliable systems A1 We have to check if the assumptions A1-A4 (for SM only) are satisfied by a message passing system: A1: every message sent by a nonfaulty processor is delivered correctly. For OM(m) and OM(m,p) a communication failure is equivalent to a processor failure. A failure cannot forge a signed message (A4)  SM(m) is insensitive to communication failure. A failed communication line is equivalent to its removal.

63. From BGP to reliable systems A2 A2: A processor can determine the originator of any message that is received.  A faulty processor must not be able to impersonate a nonfaulty one (IP Spoofing).  The processors communicate over fixed lines and not a message switching network. If A4 holds (signed messages cannot be forged) and all the messages are signed, then A2 is satisfied.

64. From BGP to reliable systems A3 A3: The absence of messages can be detected. A solution: time-out. It must satisfy two conditions: – There is a fixed maximum time for the generation and transmission of a message. – The sender and receiver have clocks that are synchronized to within some maximum error.

65. Why to we need a synchronizer ? Suppose an algorithm in which the generals take action only: –A–At some fixed initial time (the same for all the generals). –U–Upon the receipt of a message. –W–When a randomly chosen length of time has elapsed. (I.e., a general can set a time to a random value and act when the timer goes off). It can be shown that there is no solution to the BGP even if the delay in the network is bounded No solution even if the traitor does not send “false messages” but rather do not send any messages. This will not be proved here

66. Timeout implementation μ: the maximum message generation and transmission delay. τ: the maximal difference between the clocks of two nonfaulty processors.  A message generated at T on the sender’s clock, should arrive at T + μ + τ. If no message is sent until that time, no message has been sent. If the input processor sends its value at a specific time, every processor can calculate at what time it will arrive at the latest. For example in SM(m), a message having k signatures should arrive before T 0 + k*(μ + τ).

67. From BGP to reliable systems A4 A4: The processors should be able to sign their messages in such a way that a nonfaulty processor’s signature cannot be forged. S i (M) is the signature generated by process i from data item M. (M, S i (M)) is a message sent and signed by i. Requirements on S i (M): 1. If processor is nonfaulty, then no faulty processor can generate S i (M). 2. Given M and X, any process can determine if X equals S i (M).

68. Strength of Cryptography A faulty processor will always be able to forge a signature. We can make the probability of violation as small as we wish. How small the probability should be ? This depends on the faults we expect to encounter. What faults do we expect to encounter ?

69. Random Malfunction We try to insert probability in the signature computation – The message is M ≤ P = 2 n. – S i (M) = M*K i mod P (K i <P is random odd why ?) – K i -1 *K i = 1 mod P – A process can check that X = S i (M) by testing that M = X*K i -1 mod P – If a processor does not have K i in memory, the probability of its generating a correct signature is 1/P.

70. Malicious Intelligence The faulty processor is being guided by a malicious intelligence (spy…). S i has to be very strong, and this becomes a cryptographic problem. Several solutions: – RSA – Private key cryptography It is easy to forge S i (M) if the faulty process has already seen that signature.  One should not sign twice on the same message.  A sequence number should be added to each message to guarantee uniqueness.

71. 7. Conclusion

72. BGP is hard to solve… The solution that were presented are expensive in both, time and messages. OM(m) and SM(m) require messages paths of length up to m + 1. Each Lieutenant for messages that originated at the general and were then relayed through m other lieutenants. Fischer and Lynch showed that this solution is optimal. When the connectivity is not complete, message paths of length up to m + d are required. (d is the diameter of the “loyal graph”). This result is suspected to be optimal also.