
Advanced Network Security 6. Agreement and consensus II: Byzantine failures (PowerPoint PPT Presentation)



  1. Advanced Network Security. 6. Agreement and consensus II: Byzantine failures. Jaap-Henk Hoepman, Digital Security (DS), Radboud University Nijmegen, the Netherlands. @xotoxot // jhh@cs.ru.nl // www.cs.ru.nl/~jhh

  2. Byzantine failures are real. (Jaap-Henk Hoepman // Radboud University Nijmegen // 29-2-2016 // Fault Tolerance - Byzantine Generals)

  3. The consensus problem (again)
  - All processes have a binary input value (0 or 1)
    - So it is different from a broadcast
  - Consistency condition
    - All correct processes decide on the same value (Agreement)
    - If all processors have the same input value $v$, then all correct processors must decide $v$ (Validity)
  - Termination condition
    - Deterministic
  - Now tolerating $f < n/3$ Byzantine failures
    - Instead of an arbitrary number of crash failures

  4. Consensus for Byzantine failures
  - Remember: Byzantine processors may lie...
  - So: what goes wrong in the protocol for crash failures?

  5. Correctness proof of the protocol for crash failures
  - Lemma: suppose both processors $p$ and $q$ are correct (i.e. do not fail). Then if $v \in V_p$, then $v \in V_q$.
  - Proof: if $v \in V_p$, then $v = v^p_\sigma$ for some node $\sigma$ of $p$'s tree.
    - If $p \in \sigma$, i.e. $\sigma = \tau;p;\rho$, then (crashed processors do not lie) $v = v^p_\tau$, which $p$ sent to $q$ as $m^q_{\tau;p}$. Hence $v^q_{\tau;p} = v$, and so $v \in V_q$.
    - If $p \notin \sigma$ and $|\sigma| < f+1$, then $p$ sends $m^q_{\sigma;p} = v^p_\sigma = v$ in the next round, so $v^q_{\sigma;p} = v$ and $v \in V_q$.
    - If $p \notin \sigma$ and $|\sigma| = f+1$, then $\sigma$ names $f+1$ distinct processors, of which at most $f$ are faulty, so there is a non-faulty processor $r$ with $\sigma = \tau;r;\rho$. At round $|\tau|+1$ processor $r$ sent $v^r_\tau = v$ to $q$ as well (as message $m^q_{\tau;r} = v$). Hence $v^q_{\tau;r} = v$, and again $v \in V_q$.

  6. Byzantine failures: $f < n/3$ is necessary
  - Suppose $n = 3$ and $f = 1$ (and two rounds)
  - [figure: the three-processor scenarios. The Byzantine processor tells the two correct processors different values and relays different values about the third; a correct processor sees the same messages in the run where it must decide 0 as in the run where it must decide 1, so it cannot satisfy both validity and agreement.]

  7. A protocol tolerating $f < n/3$ Byzantine failures
  - Again each processor $p$ builds the following tree
    - Level 0: $v^p_\varepsilon$
    - Level 1: $v^p_1, v^p_2, \ldots, v^p_n$
    - Level 2: $v^p_{1,2}, v^p_{1,3}, \ldots, v^p_{2,1}, \ldots$
    - ...
    - Level $f+1$
  - $v^p_{q_1;q_2;\ldots;q_k}$ means: $q_k$ told $p$ that $q_{k-1}$ told $q_k$ ... that $q_1$'s value is $v$
  - Initially all nodes are $\bot$, except $v^p_\varepsilon = p.in$
  - A node $v^p_\sigma$ at level $k$ has the children $v^p_{\sigma;r}$ for all $r \notin \sigma$ at level $k+1$, i.e. $n - |\sigma| = n - k$ children

  8. Byzantine failures: decision more complex
  - Associate a decision value $w^p_\sigma$ to each node in the tree
    - After the tree is filled with values top down, it is filled with decision values bottom up
    - $w^p_\varepsilon$ is the value for $p.decision$ that $p$ decides on
  - Define $majority(S)$ to be the value that occurs most in a set $S$, using some constant $\bot$ to break ties

  9. Lamport's OM protocol for building the tree
  - We write $OM^p_\sigma(k, v)$ to make clear that processor $p$ executes this to propagate $v$, and to keep track of the 'stack trace' $\sigma$
    - $k$ is the recursion parameter (starts at $f$ and ends at 0) (Lamport uses $m$ in the paper)
    - $OM^p_\sigma(k, v)$ is executed by $p$ for all $\sigma$ s.t. $|\sigma| = f - k$ and $p \notin \sigma$
    - It sends $v = v^p_\sigma$ to all nodes $q$ (as message $m^q_{\sigma;p}$, stored by $q$ as $v^q_{\sigma;p}$), and instructs them to propagate the value through recursion
    - It essentially builds $p$'s part of the subtrees rooted at $\sigma$; together with the other $OM^q_\sigma$ (executed by the other processors $q$) the whole subtrees rooted at $\sigma$ are built
    - The protocol starts with $OM^p_\varepsilon(f, p.in)$ for all $p$

  10. Lamport's OM protocol
  - $OM^p_\sigma(0, v)$ (here $|\sigma;p| = f+1$):
    - Send $v^p_\sigma$ to all $q$ as $m^q_{\sigma;p}$
    - All processors $q$ that receive it set $v^q_{\sigma;p} = m^q_{\sigma;p}$; set $\bot$ if no value is received; and set $w^q_{\sigma;p} = v^q_{\sigma;p}$
    - Set $w^p_\sigma = majority(w^p_{\sigma;q} \mid q \notin \sigma)$
  - $OM^p_\sigma(k, v)$ for $0 < k \le f$:
    - Send $v$ as $m^q_{\sigma;p}$ to all $q$
    - All processors $q$ that receive it set $v^q_{\sigma;p} = m^q_{\sigma;p} = v$; set $\bot$ if no value is received
    - Trigger $OM^q_{\sigma;p}(k-1, v^q_{\sigma;p})$ for all $q \notin \sigma;p$ (the recursive calls take $k-1$ further rounds)
      - Or rather: when receiving $m^p_{\sigma;q}$, execute $OM^p_{\sigma;q}(k-1, m^p_{\sigma;q})$ if $p \notin \sigma;q$
    - Set $w^p_\sigma = majority(w^p_{\sigma;q} \mid q \notin \sigma)$
  - Start as $OM^p_\varepsilon(f, p.in)$ for all $p$ in round 0
    - Storing $p.in$ as $v^p_\varepsilon$

  11. A protocol tolerating $f < n/3$ Byzantine failures
  - The same tree as before, now annotated with the OM call that fills the level below each node: $OM^p_\varepsilon$ at $v^p_\varepsilon$ (level 0), $OM^p_1$ at $v^p_1$ (level 1), $OM^p_{1,2}$ at $v^p_{1,2}$ (level 2), and so on down to level $f+1$
  - $v^p_{q_1;q_2;\ldots;q_k}$ means: $q_k$ told $p$ that $q_{k-1}$ told $q_k$ ... that $q_1$'s value is $v$
  - Initially all nodes are $\bot$, except $v^p_\varepsilon = p.in$
  - A node $v^p_\sigma$ at level $k$ has the children $v^p_{\sigma;r}$ for all $r \notin \sigma$ at level $k+1$, i.e. $n - |\sigma| = n - k$ children

  12. One step in detail
  - Level 0: processor 1 runs $OM^1_\varepsilon$ on $v^1_\varepsilon$ and sends it to processor 2 as $m^2_1$
  - Level 1: processor 2 stores it as $v^2_1$, runs $OM^2_1$ and sends it to $p$ as $m^p_{1,2}$
  - Level 2: $p$ stores it as $v^p_{1,2}$, runs $OM^p_{1,2}$ and sends it to $q$ as $m^q_{1,2,p}$
  - Level 3: $q$ stores it as $v^q_{1,2,p}$

  13. So building the tree is the same protocol as for crash failures.
  - $v^p_{q_1;q_2;\ldots;q_k}$ means: $q_k$ told $p$ that $q_{k-1}$ told $q_k$ ... that $q_1$'s value is $v$
  - Before round 1
    - Initialise the tree. Set all $v^p_\sigma = \bot$ and $v^p_\varepsilon = p.in$
  - Round $k$, $1 \le k \le f+1$
    - For all $\sigma$ with $|\sigma| = k-1 \wedge p \notin \sigma$, send $v^p_\sigma$ to all processors $q$ (including $p$)
      - Call this message $m^q_{\sigma;p}$
    - Receive all $m^p_{\sigma;r}$ addressed to $p$ and store them in $v^p_{\sigma;r}$
      - By the protocol $r \notin \sigma$, so for each such $\sigma$ processor $p$ receives $n - (k-1)$ messages, one from each $r \notin \sigma$

  14. Deciding on a value
  - Work from the leaves upwards
    - $w^p_\sigma = v^p_\sigma$ for $|\sigma| = f+1$
    - $w^p_\sigma = majority(w^p_{\sigma;q} \mid q \notin \sigma)$ otherwise
    - Node $p$ decides on $w^p_\varepsilon$
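The tree-building rounds and the bottom-up majority decision of the two slides above, as an added, runnable example; this is not code from the slides or from Lamport's paper. It simulates the synchronous protocol for all processors at once in the deck's notation ($v^p_\sigma$ as `v[p][sigma]`, $w^p_\sigma$ as `w[sigma]`, $\bot$ as `None`), checks Lemma 1 and Lemma 2 on the resulting trees, and uses a constructed Byzantine strategy `split_liar` (an assumption made for illustration) to show that with $n = 4$, $f = 1$ the correct processors agree, while the same adversary with $n = 3$, $f = 1$ (the situation of slide 6) makes them disagree.

```python
"""Lamport's OM protocol (EIG tree + bottom-up majority), simulated for all
processors at once in a synchronous round model.

Added example in the notation of the slides: v[p][sigma] is the value processor p
stores at node sigma (a tuple of processor ids, () is the root epsilon), w holds
the decision values filled bottom-up, BOTTOM (None) plays the role of ⊥.
`split_liar` is a constructed Byzantine strategy used for illustration only.
"""
from collections import Counter

BOTTOM = None  # ⊥: stored when no message arrives; also the tie-breaker for majority


def majority(values):
    """The value occurring most often; a tie (or an empty input) gives ⊥."""
    counts = Counter(values).most_common()
    if not counts or (len(counts) > 1 and counts[0][1] == counts[1][1]):
        return BOTTOM
    return counts[0][0]


def build_trees(n, f, inputs, faulty, liar):
    """Rounds 1..f+1: in round k each p sends v[p][sigma] for every sigma with
    |sigma| = k-1 and p not in sigma to every q (itself included); q stores it as
    v[q][sigma;p], or ⊥ if nothing arrived. A faulty p sends liar(p, q, sigma, v)."""
    v = {p: {(): inputs[p]} for p in range(n)}           # level 0: own input
    for k in range(1, f + 2):
        inbox = {q: {} for q in range(n)}
        for p in range(n):
            for sigma, value in list(v[p].items()):
                if len(sigma) == k - 1 and p not in sigma:
                    for q in range(n):
                        inbox[q][sigma + (p,)] = liar(p, q, sigma, value) if p in faulty else value
        for q in range(n):                                # fill level k of q's tree
            for sigma in [s for s in v[q] if len(s) == k - 1]:
                for r in range(n):
                    if r not in sigma:
                        v[q][sigma + (r,)] = inbox[q].get(sigma + (r,), BOTTOM)
    return v


def decision_values(tree, n, f):
    """w[sigma]: leaves keep their value, inner nodes take the majority of their
    children sigma;r (r not in sigma). w[()] is what the owner of the tree decides."""
    w = {}
    for sigma in sorted(tree, key=len, reverse=True):   # longest labels first
        if len(sigma) == f + 1:
            w[sigma] = tree[sigma]
        else:
            w[sigma] = majority(w[sigma + (r,)] for r in range(n) if r not in sigma)
    return w


def run(n, f, inputs, faulty, liar):
    """Decisions of the correct processors (faulty ones may decide anything)."""
    trees = build_trees(n, f, inputs, faulty, liar)
    return {p: decision_values(trees[p], n, f)[()] for p in range(n) if p not in faulty}


def lemmas_hold(n, f, inputs, faulty, liar):
    """(Lemma 1, Lemma 2) of the slides, checked on every node sigma;r with r correct.
    Lemma 1: correct p, q store the same value at sigma;r.
    Lemma 2: every correct p also has w[sigma;r] == v[sigma;r], the same for all p."""
    trees = build_trees(n, f, inputs, faulty, liar)
    correct = [p for p in range(n) if p not in faulty]
    w = {p: decision_values(trees[p], n, f) for p in correct}
    nodes = [s for s in trees[correct[0]] if s and s[-1] not in faulty]
    lemma1 = all(trees[p][s] == trees[q][s] for p in correct for q in correct for s in nodes)
    lemma2 = lemma1 and all(w[p][s] == trees[p][s] for p in correct for s in nodes)
    return lemma1, lemma2


def split_liar(sender, receiver, sigma, value):
    """Constructed adversary: claim input 0 in round 1, then relay 0 to even-numbered
    and 1 to odd-numbered receivers, so correct processors see different histories."""
    return 0 if sigma == () else receiver % 2


if __name__ == "__main__":
    # n = 4, f = 1 (n > 3f): agreement and validity, as the theorem promises
    print(run(4, 1, [1, 1, 1, 1], {3}, split_liar))      # {0: 1, 1: 1, 2: 1}
    # n = 3, f = 1 (n = 3f, the case of slide 6): the same adversary makes 0 and 1 disagree
    print(run(3, 1, [1, 1, 1], {2}, split_liar))         # {0: None, 1: 1}
```

Two details matter for the proof on the later slides. First, $\bot$ is a first-class value in `majority`: a node whose children are split evenly gets $\bot$, and a root with enough $\bot$ children decides $\bot$, which is allowed by agreement but not by validity. Second, with $n = 3$ the root's level-1 nodes have only two children, one of which the liar controls, so Lemma 1 still holds there (correct senders are still stored consistently) but Lemma 2 fails: `lemmas_hold(3, 1, ...)` returns `(True, False)`, which is exactly the counting step $n - |\sigma;r| > 2f$ breaking down.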

  15. Correctness
  - We reason over all trees
  - Lemma 1: If $p, q, r$ are non-faulty, then for all $\sigma$ we have $v^p_{\sigma;r} = v^q_{\sigma;r}$
    - Proof: the non-faulty $r$ sends the same value $v^r_\sigma$ to both $p$ and $q$, and both store it
  - Set $w^p_\sigma = v^p_\sigma$ for all leaves, i.e. $|\sigma| = f+1$

  16. Correctness
  - Lemma 1: If $p, q, r$ are non-faulty, then for all $\sigma$ we have $v^p_{\sigma;r} = v^q_{\sigma;r}$
  - Lemma 2: Let $\sigma$ be arbitrary and let $r$ be non-faulty. Then there is a value $v$ such that for all non-faulty $p$ we have $w^p_{\sigma;r} = v^p_{\sigma;r} = v$.
    - Proof by induction over the levels of the tree, with the leaves at level $f+1$ as base case (worked out on the next slide)

  17. Correctness
  - Lemma 1: If $p, q, r$ are non-faulty, then for all $\sigma$ we have $v^p_{\sigma;r} = v^q_{\sigma;r}$
  - Lemma 2: Let $\sigma$ be arbitrary and let $r$ be non-faulty. Then there is a value $v$ such that for all non-faulty $p$ we have $w^p_{\sigma;r} = v^p_{\sigma;r} = v$.
    - By induction on the length of $\sigma;r$, starting with the leaves (length $f+1$)
    - The base case follows from Lemma 1 and the fact that for $|\sigma;r| = f+1$ we have $w^p_{\sigma;r} = v^p_{\sigma;r}$
    - Now suppose $0 \le |\sigma;r| < f+1$. By Lemma 1 all non-faulty processors have the same value $v^p_{\sigma;r} = v$. Then all non-faulty processors $p \notin \sigma;r$ send $v$ as $m^q_{\sigma;r;p}$ to all other processors $q$. If non-faulty, $q$ sets $v^q_{\sigma;r;p} = v$
    - By the induction hypothesis we have $w^q_{\sigma;r;p} = v^q_{\sigma;r;p} = v$ for all non-faulty $q$ (and non-faulty $p$)
    - The number of children of a node with label $\sigma;r$ is $n - |\sigma;r| \ge n - f > 2f$
    - Hence the majority of the children is non-faulty, and so $w^q_{\sigma;r} = majority(w^q_{\sigma;r;p} \mid p \notin \sigma;r) = v$, as required

  18. Validity
  - Theorem: If all non-faulty processors have input $v$, they decide on $v$
    - Proof: in the first round every non-faulty $p$ sends $v^p_\varepsilon = v$ to every $q$, so every non-faulty $q$ has $v^q_p = v$ for all non-faulty $p$. By Lemma 2 (with $\sigma = \varepsilon$) also $w^q_p = v$ for all non-faulty $p$. The root has $n > 2f$ children $w^q_p$, of which at most $f$ belong to faulty $p$, so $w^q_\varepsilon = majority(w^q_p \mid p) = v$.
