AAll You Need is DAG
IDIT KEIDAR,
Technion
ELEFTHERIOS KOKORIS-KOGIAS,
IST Austria and Novi Research
ODED NAOR,
Technion โ ALEXANDER SPIEGELMAN,
Novi Research
We present
DAG-Rider , the first asynchronous Byzantine Atomic Broadcast protocol that achieves optimal resilience, optimal amortizedcommunication complexity, and optimal time complexity. DAG-Rider is post-quantum safe and ensures that all messages proposed bycorrect processes eventually get decided. We construct DAG-Rider in two layers: In the first layer, processes reliably broadcast theirproposals and build a structured Directed Acyclic Graph (DAG) of the communication among them. In the second layer, processeslocally observe their DAGs and totally order all proposals with no extra communication.
The amplified need in scalable geo-replicated Byzantine fault-tolerant reliability systems has motivated an enormousamount of study on the Byzantine State Machine Replication (SMR) problem [17, 31]. Many variants of the problemwere defined in recent years [28, 32, 43] to capture the needs of blockchain systems. To address the fairness issues thatnaturally arise in interorganizational deployments, we focus on the classic long-lived Byzantine Atomic Broadcast(BAB) problem [13, 19], which in addition to total order, progress, and validity, guarantees eventual fairness . That is, all proposals by correct processes are eventually included.Up until recently, asynchronous protocols for the Byzantine consensus problem [13, 16, 26] have been consideredtoo costly or complicated to be used in practical SMR solutions. However, two recent single-shot Byzantine consensuspapers, VABA [1] and later Dumbo [35], presented asynchronous solutions with (1) optimal resilience, (2) expectedconstant time complexity, and (3) optimal quadratic communication and optimal amortized linear communicationcomplexity (for the latter). In this paper, we follow this recent line of work and present
DAG-Rider : the first asynchronousBAB protocol with optimal resilience, optimal round complexity, and optimal amortized communication complexity. Inaddition, given a perfect shared coin abstraction, our protocol does not use signatures and does not rely on asymmetriccryptographic assumptions. Therefore, when using a deterministic threshold-based coin implementation with aninformation theoretical agreement guarantee [14, 34], the safety properties of our BAB protocol are post-quantumsecure.
Overview.
We construct
DAG-Rider in two layers: a communication layer and a zero-overhead ordering layer. In thecommunication layer, processes reliably broadcast their proposals with some meta-data that help them form a
DirectedAcyclic Graph (DAG) of the messages they deliver. That is, the DAG consists of rounds s.t. every process broadcasts atmost one message in every round and every message has ๐ ( ๐ ) references to messages in previous rounds, where ๐ isthe total number of processes. The ordering layer does not require any extra communication. Instead, processes observetheir local DAGs and with the help of a little randomization (one coin flip per ๐ ( ๐ ) decisions on values proposed bydifferent processes) locally order all the delivered messages in their local DAGs.A nice feature of DAG-Rider is that the propose operation is simply a single reliable broadcast. The agreementproperty of the reliable broadcast ensures that all correct processes eventually see the same DAG. Moreover, the Validity โ Part of the work done while at Novi Research. 1 a r X i v : . [ c s . D C ] F e b dit Keidar, Eleftherios Kokoris-Kogias, Oded Naor, and Alexander Spiegelman Communication Expected time Post-Quantum EventualComplexity Complexity Safety FairnessVABA SMR ๐ ( ๐ ) ๐ ( log ( ๐ )) no noDumbo SMR amortized ๐ ( ๐ ) ๐ ( log ( ๐ )) no noDAG-Rider + [11] amortized ๐ ( ๐ ) ๐ ( ) yes yesDAG-Rider + [25] amortized ๐ ( ๐ log ( ๐ )) ๐ (cid:16) log ( ๐ ) log ( log ( ๐ )) (cid:17) yes (1- ๐ )-fairDAG-Rider + [15] amortized O(n) ๐ ( ) yes yes Table 1. A comparison between our protocol with different reliable broadcast instantiations and VABA and Dumbo based SMRprotocols. property of the reliable broadcast guarantees that all broadcast messages by correct processes are eventually included inthe DAG. As a result, in contrast to the VABA and Dumbo protocols that retroactively ignore half the protocol messagesand commit one value out of ๐ ( ๐ ) proposals, DAG-Rider does not waste any of the messages and all proposed valuesby correct processes are eventually ordered (i.e., there is no need to re-propose). Complexity.
We measure time complexity as the asynchronous time [16] required to commit ๐ ( ๐ ) values proposedby different correct processes, and we measure communication complexity by the number of bits processes send tocommit a single value. To compare DAG-Rider to the state-of-the-art asynchronous Byzantine agreement protocols, weconsider SMR implementations that run an unbounded sequence of the VABA or Dumbo protocols to independentlyagree on every slot. To compare apples to apples in respect to our time complexity definition, we allow VABA andDumbo based SMRs to run up to ๐ slots concurrently. Note, however, that to satisfy external validity (e.g., no doublespend) processes must output the slot decisions in a sequential order (no gaps). Therefore, based on the proof in [6], thetime complexity of VABA and Dumbo based SMRs is ๐ ( log ( ๐ )) . Table 1 compares DAG-Rider to VABA and Dumbobased SMRs.Since our protocol uses a reliable broadcast abstraction as a basic building block, different instantiations yield differentcomplexity. For example, if we use the classic Bracha broadcast [11] to propose a single value in each message, we get acommunication complexity of ๐ ( ๐ ) per decision. This is because the Bracha broadcast complexity is ๐ ( ๐ ) , and inorder to form a DAG each message has to include an ๐ ( ๐ ) references to previous messages. If we are willing to allow aprobability ๐ to violate progress, then we can use Guerraoui et al.โs broadcast protocol [25] and reduce the complexityto ๐ ( ๐ log ( ๐ )) per decision.Now, just as Dumbo amortizes VABAโs communication complexity from quadratic to linear by using batchingand adding a phase of erasure coding to more economically distribute the data, we can amortize our communicationcomplexity to be linear per decision as well. First, since we are anyway including a vector of ๐ ( ๐ ) references in everybroadcast, batching ๐ ( ๐ ) proposals in each message shaves a factor of ๐ of the total communication complexity evenwith Bracha broadcast. To arrive at the optimal linear complexity, we can replace the reliable broadcast with theasynchronous verifiable information dispersal of Cachin and Tessaro [15]. The communication complexity of thatprotocol is ๐ ( ๐ log ( ๐ ) + ๐ | ๐ |) , where | ๐ | is the message size, which allows us to batch ๐ ( ๐ log ( ๐ )) proposals to achieveoptimal amortized communication complexity.A final feature of our protocol, which is sometimes underestimated and cannot be presented in a table, is elegance: (1)DAG-Riderโs modularity clearly separates the communication layer from the ordering logic; (2) the reliable broadcast ll You Need is DAG abstractionโs different instantiations yield protocols with different trade-offs, and; (3) the entire detailed pseudocode ofthe ordering logic spans less than 30 lines.The rest of this paper is structured as follows: ยง2 describes the model and the building blocks used for DAG-Rider; ยง3formally defines the BAB problem; ยง4 describes the DAG construction layer; ยง5 specifies the DAG-Rider protocol on topof the DAG layer; ยง6 proves the correctness of the protocol and analyzes its performance; ยง7 describes related work;and lastly, ยง8 concludes the paper. The system consists of a set ฮ = { ๐ , . . . , ๐ ๐ } of ๐ processes, up to ๐ < ๐ / of which can act arbitrarily, i.e., be Byzantine .For simplicity, we consider a total of ๐ = ๐ + processes. The link between every two correct processes is reliable.Namely, when a correct process sends a message to another correct process, the message eventually arrives and therecipient can verify the senderโs identity. The communication is asynchronous, i.e., there is no bound on the messagedelivery time.We consider an adaptive adversary that can dynamically corrupt up to ๐ processes during the run. Once the adversarycorrupts a process, it can drop undelivered messages previously sent from that process to others. The adversary controlsthe arrival times of messages.As part of the construction, we use two building blocks: a reliable broadcast layer and a delayed global perfect coin,which we describe next. Reliable broadcast.
We use a reliable broadcast [12] abstraction: Each sender process ๐ ๐ can send messages by calling r_bcast ๐ ( ๐, ๐ ) , where ๐ is a message, ๐ โ N is a round number. Every process ๐ ๐ has an output deliver ๐ ( ๐, ๐, ๐ ๐ ) , where ๐ is a message, ๐ is a round number, and ๐ ๐ is the process that called the corresponding r_bcast ๐ ( ๐, ๐ ) . The reliablebroadcast abstraction guarantees the following properties: Agreement
If a correct processes ๐ ๐ outputs deliver ๐ ( ๐, ๐, ๐ ๐ ) , then every other correct process ๐ ๐ eventually outputs deliver ๐ ( ๐, ๐, ๐ ๐ ) . Integrity
For each round ๐ โ N and process ๐ ๐ โ ฮ , a correct process ๐ ๐ outputs deliver ๐ ( ๐, ๐, ๐ ๐ ) at most once. Validity
If a correct process ๐ ๐ calls r_bcast ๐ ( ๐, ๐ ) , then every correct processes ๐ ๐ eventually outputs deliver ๐ ( ๐, ๐, ๐ ) .There are known algorithms such as Bracha broadcast [11] to realize the reliable broadcast abstraction in theasynchronous network model. There are also efficient gossip protocols [9, 10, 25, 27] that provide reliable broadcast whpat a sub-quadratic communication cost in the number of processes, and asynchronous verifiable information dispersalprotocols [15, 35] that use erasure codes to efficiently batch the broadcast values. Global perfect coin.
We use a global perfect coin , which is unpredictable by the adversary. An instance ๐ค , ๐ค โ N ,of the coin is invoked by process ๐ ๐ โ ฮ by calling choose_leader ๐ ( ๐ค ) . This call returns a process ๐ ๐ โ ฮ , which isthe chosen leader for instance ๐ค . Let ๐ ๐ค be the random variable that represents the probability that the coin returnsprocess ๐ ๐ as the return value of the call choose_leader ๐ ( ๐ค ) . The global perfect coin has the following guarantees: Agreement
If two correct processes call choose_leader ๐ ( ๐ค ) and choose_leader ๐ ( ๐ค ) with respective return values ๐ and ๐ , then ๐ = ๐ . Termination
If at least ๐ + processes call choose_leader ( ๐ค ) , then every choose_leader ( ๐ค ) call eventually returns. dit Keidar, Eleftherios Kokoris-Kogias, Oded Naor, and Alexander Spiegelman Unpredictability
As long as less than ๐ + processes call choose_leader ( ๐ค ) , the return value is indistinguishablefrom a random value except with negligible probability ๐ . Namely, the probability ๐๐ that the adversary can guessthe returned process ๐ ๐ of the call choose_leader ( ๐ค ) is ๐๐ โค Pr [ ๐ ๐ค = ๐ ๐ ] + ๐ . Fairness
The coin is fair, i.e., โ ๐ค โ N , โ ๐ ๐ โ ฮ : Pr [ ๐ ๐ค = ๐ ๐ ] = / ๐ .Such coins were used as part of previous Byzantine Agreement protocols such as [1, 7, 14, 35]. Implementationexamples can be found in [14, 34]. One way to implement a global perfect coin is by using PKI and a threshold signaturescheme [8, 33, 42] with a threshold of ( ๐ + ) -of- ๐ . When a process invokes an instance ๐ค of the coin, it signs ๐ค withits private key and sends the share to all the processes. Once a process receives ๐ + shares, it can combine them to getthe threshold signature and hash it to get a random process. Since the threshold signature value is deterministicallydetermined by the instance name ๐ค such that any ๐ + shares reveal it (e.g., the schema in [42] is based on Shamirโssecret sharing [41]), the coin is perfect (all process agree on the leader) and its agreement property has informationtheoretical guarantee. However, to ensure unpredictability, the PKI must be trusted to ensure that the adversary cannotgenerate enough shares to reveal the randomness before a correct process produces them. Usually, one assumes thata trusted dealer is used to set up the random keys for all processes. However, this assumption can be relaxed byexecuting an ๐ ( ๐ ) message complexity Asynchronous Distributed Key Generation protocol [30]. Either way, thisscheme remains unpredictable only if the adversary is computationally bounded. However, since DAG-Rider relies onthe unpredictability property of the coin only for liveness, its safety properties are post-quantum secure. The problem we solve is
Byzantine Atomic Broadcast (BAB) , which allows processes to agree on a sequence of messagesas needed for State Machine Replication (SMR). To capture the practical settings of a system, we require externalvalidity [13], whereby a well-known predicate validate ( ๐ก๐ฅ ) โ { True , False } returns true if and only if a transaction ๐ก๐ฅ is eligible to be included in the SMR. For instance, in a blockchain system that is used to log payments betweenusers, a transaction is valid if there is no double-spending and the signature is correct. We say that a value ๐ฃ is valid if validate ( ๐ฃ ) returns true.Due to the FLP result [23], BAB cannot be solved deterministically in the asynchronous setting, and therefore we usethe global perfect coin to provide randomness that ensures liveness with probability 1.Atomic broadcast is usually defined in terms of broadcast and deliver events. To avoid confusion with the events ofthe underlying reliable broadcast abstraction, we rename those actions propose and decide . Definition 3.1 (Byzantine Atomic Broadcast) . Each correct process ๐ ๐ โ ฮ can call propose ๐ ( ๐ฃ ) and output decide ๐ ( โ, ๐ฃ ) , โ โ N . We say that ๐ ๐ proposes a value ๐ฃ when propose ๐ ( ๐ฃ ) is called, and decides ๐ฃ in slot โ when decide ๐ ( โ, ๐ฃ ) is output.An Atomic Broadcast protocol provides the following guarantees: Eventual Fairness
If a correct process proposes a valid value ๐ฃ , then all correct processes eventually decide ๐ฃ withprobability 1. External validity
If a correct process decides ๐ฃ , then validate ( ๐ฃ ) = True . Termination
If a correct process decides in slot โ , then all correct processes eventually decide in slot โ withprobability 1. Agreement
If two correct processes ๐ ๐ , ๐ ๐ decide values ๐ฃ , ๐ฃ , respectively in the same slot โ , then ๐ฃ = ๐ฃ . Integrity
For a single slot number โ , a correct process ๐ ๐ decides at most one value ๐ฃ . ll You Need is DAG v round 6 7Source:1234 5 v Fig. 1.
Illustration of the DAG structure at process 1.
Strong edges are illustrated as solid black arrows, the weak edge is illustratedas the dotted arrow.
Note that the Eventual Fairness property requires that if a correct process proposes a valid value ๐ฃ , then eventually ๐ฃ gets decided. In contrast, many Byzantine State Machine Replication (SMR) protocols [17, 37, 43] require that in aninfinite run, an infinite number of decisions are made, but not every proposed valid value has to be decided. Communication measurement.
For the communication analysis, we say that a value ๐ฃ is ordered when all honestparties decide ๐ฃ . We measure communication complexity as the total number of bits sent by honest processes to order asingle proposal. To be able to measure the asynchronous running time we follow [16] and define a time unit for everyexecution ๐ to be the maximum time delay of all messages among correct processes in ๐ . We measure time complexity as the expected number of time units it takes for a correct party to decide on ๐ ( ๐ ) values proposed by different correctprocesses starting from any point in the execution. Our BAB protocol, DAG-Rider, is based on a Directed Acyclic Graph (DAG) abstraction, which represents the commu-nication layer of the processes. In a nutshell, each vertex in the DAG represents a message from a process, and eachmessage contains, among other data, references to previously broadcast vertices. Those references are the edges ofthe DAG. All messages are reliably broadcast and each correct process maintains a copy of the DAG as it perceives it.Different correct processes might observe different states of the DAG during different times of the run, but the reliablebroadcast prevents equivocation and guarantees that all correct processes eventually deliver the same messages, sotheir views of the DAG eventually converge.For each process ๐ ๐ , denote ๐ ๐ โs local view of the DAG as ๐ท๐ด๐บ ๐ , which is stored as an array ๐ท๐ด๐บ ๐ [] . As we shortlyexplain, each vertex in the DAG is associated with a unique round number and a source (its generating process). At anygiven time, ๐ท๐ด๐บ ๐ [ ๐ ] for ๐ โ N is the set of all the vertices associated with round ๐ that ๐ ๐ is aware of. Each round hasat most ๐ vertices, each with a different source. Due to the reliable broadcast, no process can generate two vertices inthe same round.Each vertex ๐ฃ in a round ๐ has two sets of outgoing edges: a set of at least ๐ + strong edges and a set of up to ๐ weak edges . Strong edges point to vertices in round ๐ โ and weak edges point to vertices in rounds ๐ โฒ < ๐ โ such dit Keidar, Eleftherios Kokoris-Kogias, Oded Naor, and Alexander Spiegelman Algorithm 1
Data structures and basic utilities for process ๐ ๐ Local variables: struct vertex ๐ฃ : โฒ The struct of a vertex in the DAG ๐ฃ. round - the round of ๐ฃ in the DAG ๐ฃ. source - the process that broadcast ๐ฃ๐ฃ. block - a block of transactions ๐ฃ. strongEdges - a set of vertices in ๐ฃ. round โ that represent strong edges ๐ฃ. weakEdges - a set of vertices in rounds < ๐ฃ. round โ that represent weak edges ๐ท๐ด๐บ [] - An array of sets of vertices, initially: ๐ท๐ด๐บ ๐ [ ] โ predefined hardcoded set of ๐ + vertices โ ๐ โฅ ๐ท๐ด๐บ ๐ [ ๐ ] โ {} blocksToPropose - A queue, initially empty, ๐ ๐ enqueues valid blocks of transactions from clients procedure path ( ๐ฃ,๐ข ) โฒ Check if exists a path consisting of strong and weak edges in the DAG return exists a sequence of ๐ โ N , vertices ๐ฃ , ๐ฃ , . . . , ๐ฃ ๐ s.t. ๐ฃ = ๐ฃ , ๐ฃ ๐ = ๐ข , and โ ๐ โ [ ..๐ ] : ๐ฃ ๐ โ (cid:208) ๐ โฅ ๐ท๐ด๐บ ๐ [ ๐ ] โง ( ๐ฃ ๐ โ ๐ฃ ๐ โ . weakEdges โช ๐ฃ ๐ โ . strongEdges ) procedure strong_path ( ๐ฃ,๐ข ) โฒ Check if exists a path consisting of only strong edges in the DAG return exists a sequence of ๐ โ N , vertices ๐ฃ , ๐ฃ , . . . , ๐ฃ ๐ s.t. ๐ฃ = ๐ฃ , ๐ฃ ๐ = ๐ข , and โ ๐ โ [ ..๐ ] : ๐ฃ ๐ โ (cid:208) ๐ โฅ ๐ท๐ด๐บ ๐ [ ๐ ] โง ๐ฃ ๐ โ ๐ฃ ๐ โ . strongEdges that otherwise there is no path from ๐ฃ to them. As explained in detail in ยง5, strong edges are used for agreement andweak edges make sure we eventually include all vertices in the decision, to satisfy the Eventual Fairness property of theBAB problem.The data types and variables for process ๐ ๐ are specified in Algorithm 1 and the DAG construction is specified inAlgorithm 2. A vertex ๐ฃ is a struct that holds a round number ๐ , a source which is the process that created ๐ฃ , a block ofvalid transactions that were previously proposed by the upper BAB protocol, strong edges to at least ๐ + vertices inround ๐ โ , and weak edges to vertices in rounds ๐ โฒ < ๐ โ . Vertices in the DAG are reliably broadcast (Line 14), andwhen the reliable broadcast layer delivers a vertex ๐ฃ (Line 20), it uses the round number ๐ and the source process whichare available from the reliable broadcast and adds them to ๐ฃ , and then calls the is_valid_vertex procedure (Line 25) toverify that the transactions that ๐ฃ holds are externally valid and that ๐ฃ has strong edges to at least ๐ + vertices fromround ๐ โ . If ๐ฃ passes the check, it is added to a buffer.The process ๐ ๐ continuously goes through the buffer to check if there is a vertex ๐ฃ in it that can be added to its ๐ท๐ด๐บ ๐ (Line 6). A vertex ๐ฃ can be added to the DAG once the DAG contains all the vertices that ๐ฃ has a strong or weak edgeto (Line 7). When ๐ ๐ has at least ๐ + vertices in the current round ๐ , it moves to the next round ๐ + (Line 9) bycreating and reliably broadcasting a new vertex ๐ฃ โฒ . The new vertex ๐ฃ โฒ includes a block of transactions for which ๐ ๐ previously invoked propose (can be empty), strong edges to the vertices in ๐ท๐ด๐บ ๐ [ ๐ ] (Line 15), and weak edges to anyvertices with no path from ๐ฃ โฒ to them (Line 27). Note that a vertex might be delivered at ๐ ๐ โs DAG after ๐ ๐ has moved toa later round. In this case, the vertex is still added to the DAG, but ๐ ๐ โs vertices do not include strong edges to it. Weakedges are possible. As noted, the weak edges are used to ensure the eventual fairness property of the BAB problem.An example of our DAG construction is illustrated in Fig. 1. The DAG in the example represents ๐ท๐ด๐บ , i.e., theDAG at process 1, out of a total of four processes, numbered 1 to 4. On each horizontal dotted line are the verticesfrom a single source, e.g., the bottom line shows the vertices delivered from process 4. Each vertical column of verticesis a single round. Each completed round has at least ๐ + = vertices. Each vertex in the DAG has at least ๐ + strong edges to vertices from the previous round shown as black solid arrows. Each vertex can also have weak edges to ll You Need is DAG Algorithm 2 DAG Construction , pseudocode for process ๐ ๐ Local variables: ๐ โ โฒ round number buffer โ {} while True do for ๐ฃ โ buffer : ๐ฃ. round โค ๐ do if โ ๐ฃ โฒ โ ๐ฃ. strongEdges โช ๐ฃ. weakEdges : ๐ฃ โฒ โ (cid:208) ๐ โฅ ๐ท๐ด๐บ [ ๐ ] then โฒ We have ๐ฃ โs predecessors ๐ท๐ด๐บ [ ๐ฃ. round ] โ ๐ท๐ด๐บ [ ๐ฃ. round ] โช { ๐ฃ } if | ๐ท๐ด๐บ [ ๐ ] | โฅ ๐ + then โฒ Start a new round if ๐ mod 4 = then โฒ If a new wave is complete wave_ready ( ๐ / ) โฒ Signal to Algorithm 3 that a new wave is complete ๐ โ ๐ + ๐ฃ โ create_new_vertex ( ๐ ) r_bcast ๐ ( ๐ฃ, ๐ ) procedure create_new_vertex (round) ๐ฃ. block โ blocksToPropose . dequeue () โฒ Returns โฅ if the queue is empty. Proposed blocks are enqueued (Line 32) ๐ฃ. strongEdges โ ๐ท๐ด๐บ [ round โ ] set_weak_edges ( ๐ฃ, round ) return ๐ฃ upon deliver ๐ ( ๐ฃ, round , ๐ ๐ ) do โฒ The deliver output from the reliable broadcast ๐ฃ. source โ ๐ ๐ ๐ฃ. round โ round if is_valid_vertex ( ๐ฃ ) then buffer โ buffer โช { ๐ฃ } procedure is_valid_vertex ( ๐ฃ ) return | ๐ฃ. strongEdges | โฅ ๐ + โง โ ๐ก๐ฅ โ ๐ฃ. block : validate ( ๐ก๐ฅ ) โฒ validate ( ๐ก๐ฅ ) checks external validity procedure set_weak_edges ( ๐ฃ, round ) โฒ Add weak edges to orphan vertices ๐ฃ. weakEdges โ {} for ๐ = round โ down to 1 do for every ๐ข โ ๐ท๐ด๐บ ๐ [ ๐ ] s.t. ยฌ path ( ๐ฃ,๐ข ) do ๐ฃ. weakEdges โ ๐ฃ. weakEdges โช { ๐ข } vertices in case there is no other path in the DAG to the vertex. E.g., ๐ฃ in the illustration has a weak edge to ๐ฃ , shownas a dotted arrow to ๐ฃ . In this section, we describe the DAG-Rider protocol, by equipping the DAG from the previous section with a globalperfect coin and show how the DAG and the coin can be used to construct a locally-computed protocol for the BABproblem. That is, given our DAG and a perfect coin, DAG-Rider does not require any extra communication amongthe processes. Instead, each process ๐ ๐ observes its local ๐ท๐ด๐บ ๐ and deduces which blocks of transactions to decideand in what order. The protocol is detailed in Algorithm 3. Below we give a high-level intuition as well as a detaileddescription of the protocol and in ยง6 we analyze complexity and prove the correctness of the full protocol.When a propose ๐ ( ๐ฃ ) is invoked, ๐ ๐ simply pushes ๐ฃ to the DAG layer (line 33), which in turn includes it in a vertex itreliably broadcasts. To interpret the DAG, each process ๐ ๐ divides its local ๐ท๐ด๐บ ๐ into waves, where each wave consists A possible implementation of the coin using threshold signatures is described in ยง2. The coin can be easily implemented as part of the DAG itself byhaving each process send its share of the threshold signature when reliably broadcasting a vertex.7 dit Keidar, Eleftherios Kokoris-Kogias, Oded Naor, and Alexander Spiegelman
Algorithm 3 DAG-Rider: Byzantine Atomic Broadcast based on DAG.
Pseudocode for process ๐ ๐ Local Variables: slot โ decidedWave โ decidedVertices โ {} leadersStack โ initialize empty stack with isEmpty(), push(), and pop() functions upon propose ๐ ( ๐ ) do โฒ The propose call of the BAB problem blocksToPropose . enqueue ( ๐ ) โฒ pushes a block of transactions to Alg 2 upon wave_ready ( ๐ค ) do โฒ Signal from the DAG layer that a new wave is completed (Line 11) ๐ฃ โ get_wave_vertex_leader ( ๐ค ) if ๐ฃ = โฅ โจ |{ ๐ฃ โฒ โ ๐ท๐ด๐บ ๐ [ round ( ๐ค, ) ] : strong_path ( ๐ฃ โฒ , ๐ฃ ) }| < ๐ + then โฒ No commit return leadersStack . push ( ๐ฃ ) for wave ๐ค โฒ from ๐ค โ down to decidedWave + do ๐ฃ โฒ โ get_wave_vertex_leader ( ๐ค โฒ ) if ๐ฃ โฒ โ โฅ โง strong_path ( ๐ฃ, ๐ฃ โฒ ) then leadersStack . push ( ๐ฃ โฒ ) ๐ฃ โ ๐ฃ โฒ decidedWave โ ๐ค order_vertices ( leadersStack ) procedure get_wave_vertex_leader ( ๐ค ) ๐ ๐ โ choose_leader ๐ ( ๐ค ) if โ ๐ฃ โ ๐ท๐ด๐บ [ round ( ๐ค, ) ] s.t. ๐ฃ.๐ ๐๐ข๐๐๐ = ๐ ๐ then return ๐ฃ โฒ There can only be one such vertex return โฅ procedure order_vertices ( leadersStack ) while ยฌ leadersStack . isEmpty () do ๐ฃ โ leadersStack . pop () verticesToDecide โ { ๐ฃ โฒ โ (cid:208) ๐ > ๐ท๐ด๐บ ๐ [ ๐ ] | ๐๐๐กโ ( ๐ฃ, ๐ฃ โฒ ) โง ๐ฃ โฒ โ decidedVertices } for every ๐ฃ โฒ โ verticesToDecide in some deterministic order do decide ๐ ( slot , ๐ฃ โฒ . block ) slot โ slot + decidedVertices โ decidedVertices โช { ๐ฃ โฒ } of 4 consecutive rounds. For example, ๐ ๐ โs first wave consists of ๐ท๐ด๐บ ๐ [ ] , ๐ท๐ด๐บ ๐ [ ] , ๐ท๐ด๐บ ๐ [ ] , and ๐ท๐ด๐บ ๐ [ ] . Formally,the ๐ -th round of wave ๐ค , where ๐ โ [ .. ] , ๐ค โ N , is defined as round ( ๐ค, ๐ ) โ ( ๐ค โ ) + ๐ . We also say that aprocess ๐ ๐ completes round ๐ once ๐ท๐ด๐บ ๐ [ ๐ ] has at least ๐ + vertices, and a process completes wave ๐ค once the processcompletes round ( ๐ค, ) .In a nutshell, the idea is to interpret the DAG as a wave-by-wave protocol and try to commit a randomly chosensingle leader vertex in every wave. Once the sequence of leaders is determined, processes decide on all the blocksincluded in their causal histories. While reading the high-level description below, bear in mind that due to the reliablebroadcast, Byzantine processes cannot equivocate, so two correct processes cannot have different vertices with thesame source in the same round, leading to eventually consistent DAGs among all correct processes.When wave ๐ค completes (Line 34), we use the global perfect coin to retrospectively elect some process and considerits vertex in the waveโs first round as the leader of wave ๐ค (Line 35). The goal of the protocol is to commit this leader,provided that it has been observed by sufficiently many processes in the wave. Note that since we advance rounds assoon as we deliver ๐ + of the ๐ + potential vertices, a process ๐ ๐ might not have ๐ค โs leader in its local ๐ท๐ด๐บ ๐ when ll You Need is DAG round 7 8Source:1234 6 95 wave 2 v
10 11 12 wave 3 v Fig. 2.
Illustration of
DAG i . The highlighted vertices ๐ฃ and ๐ฃ are the leaders of waves 2 and 3, respectively. The commit rule isnot met in wave 2 since there are less than ๐ + vertices in round 8 with a strong path to ๐ฃ . However, the commit rule is met inwave 3 since there are ๐ + vertices in round 12 with a strong path to ๐ฃ . Since there is a strong path from ๐ฃ to ๐ฃ (highlighted), ๐ ๐ commits ๐ฃ before ๐ฃ in wave 3. it completes ๐ค . In this case, ๐ ๐ completes ๐ค without committing any vertex and simply proceeds to the next wave. Note,however, that some other correct process might have ๐ค โs leader in its local DAG and commit it in the same wave. Thus,we need to make sure that if one correct process commits the wave vertex leader ๐ฃ , then all the other correct processeswill commit ๐ฃ later. To this end, we use standard quorum intersection. Process ๐ ๐ commits the wave ๐ค vertex leader ๐ฃ if: (cid:12)(cid:12)(cid:8) ๐ฃ โฒ โ ๐ท๐ด๐บ ๐ [ round ( ๐ค, )] : strong_path ( ๐ฃ โฒ , ๐ฃ ) (cid:9)(cid:12)(cid:12) โฅ ๐ + (Line 36) . In addition, if ๐ ๐ commits vertex ๐ฃ in wave ๐ค and there is a strong path from ๐ฃ to ๐ฃ โฒ such that ๐ฃ โฒ is an uncommittedleader vertex in a wave ๐ค โฒ < ๐ค , then ๐ ๐ commits ๐ฃ โฒ in ๐ค as well. The leaders committed in the same wave are orderedby their round numbers, so that leaders of earlier waves are ordered before those of later ones, meaning ๐ฃ โฒ is orderedbefore ๐ฃ (Lines 39-43).The next lemma, which we formally prove in ยง6, shows that our commit rule guarantees that if a correct processcommits a wave leader vertex ๐ฃ in some wave, then all wave vertex leaders in later waves in the local DAGs of allcorrect processes have a strong path to ๐ฃ , ensuring the agreement property. Lemma 1.
If some process ๐ ๐ commits the leader vertex ๐ฃ of a wave ๐ค , then for every leader vertex ๐ข of a wave ๐ค โฒ > ๐ค and for every process ๐ ๐ , if ๐ข โ ๐ท๐ด๐บ ๐ [ round ( ๐ค โฒ , )] , then strong_path ( ๐ข, ๐ฃ ) returns true in wave ๐ค โฒ . We show below how we leverage the above lemma to satisfy the agreement property, but first, we give an intuitionfor liveness, i.e., the Eventual Fairness and Termination properties. Our protocol achieves progress in a constant numberof waves, in expectation, by guaranteeing that for every wave, the probability for every correct process to committhe wave leader is at least / . To ensure this, we borrow the technique from the common-core abstraction [2], whichguarantees that after three rounds of all-to-all sending and collecting accumulated sets of values, all correct processeshave at least ๐ + common values. The set of these values is referred to as the common-core. In respect to our DAG,we prove in ยง6 the following lemma: dit Keidar, Eleftherios Kokoris-Kogias, Oded Naor, and Alexander Spiegelman Lemma 2.
Let ๐ ๐ be a correct process that completes wave ๐ค . Then there is a set ๐ โ ๐ท๐ด๐บ ๐ [ round ( ๐ค, )] and a set ๐ โ ๐ท๐ด๐บ ๐ [ round ( ๐ค, )] s.t. | ๐ | โฅ ๐ + , | ๐ | โฅ ๐ + and โ ๐ฃ โ ๐ , โ ๐ข โ ๐ : strong_path ( ๐ข, ๐ฃ ) . Note that by the commit rule, if the leader of a wave ๐ค belongs to the set ๐ (from the lemma statement), then ๐ ๐ commits the leader once it completes ๐ค . So to deal with an adversary that totally controls the network, parties flip theglobal coin only after they complete ๐ค (Line 35). Therefore, by the coinโs unpredictability property, the probability ofthe adversary to guess the waveโs leader before the point after which it cannot manipulate the set ๐ is less than ๐ + ๐ .Thus, with a probability of at least / โ ๐ , ๐ค โs leader is in the set ๐ and ๐ ๐ commits it. Thus, in expectation, correctprocesses commit every / waves.To satisfy agreement, we leverage the property proven in Lemma 1 to make sure all processes commit the samewavesโ leaders. Once we find a leader to commit in a wave ๐ค we check if it is possible that some process committed awave in between ๐ค and the previous wave we committed, let it be ๐ค โฒ . We do this iteratively in Lines 39-43, we firstcheck if it is possible that some process committed the leader of ๐ค โ . We do it by checking if there is a strong pathfrom the leader of wave ๐ค to the leader of wave ๐ค โ in our local DAG (Line 41). If no such path exists, by Lemma 1,no correct process will ever commit ๐ค โ . Otherwise, we choose to commit ๐ค โ before ๐ค . Now, if such a path indeedexists, we recursively check if it is possible that some process committed a wave in between ๐ค โ and ๐ค โฒ . Otherwise, ifno such path exists, we check if there is a path from the leader of wave ๐ค to the leader of wave ๐ค โ and continuein the same way. The recursion ends once we reach a wave that we previously committed, ๐ค โฒ in our example. Anillustration of this process is given in Fig. 2.Since vertices are reliably broadcast and since we never add a vertex ๐ฃ to the DAG before we add all the vertices ๐ฃ points to with strong or weak edges, two correct processes always have the same causal history for any vertexthey both have in their DAGs. Therefore, once we agree on a sequence of leaders, all that is left to do is to order thecausal histories of the leaders in some deterministic order. To this end, we go through the wavesโ committed leadersone-by-one and decide, in some deterministic order, on all the transaction blocks in their causal histories that we didnot previously decide on (Procedure order_vertices in Line 51). The causal history of a wave leader vertex ๐ฃ in ๐ท๐ด๐บ ๐ isthe set { ๐ข โ ๐ท๐ด๐บ ๐ | path ( ๐ฃ, ๐ข )} .The purpose of the weak edges is to satisfy the Eventual Fairness property. Recall that strong edges might not pointto all vertices from the previous round in the DAG because we might advance the round before we deliver all thebroadcasts of that round (we advance the round once at least ๐ + vertices are added to the DAG). Therefore, withoutthe weak edges, slow processes may not be able to get vertices from higher rounds to point to theirs. So to satisfyEventual Fairness, each correct process, when creating a new vertex, adds weak edges to all vertices in its local DAG towhich it otherwise does not point. In ยง6.1 we prove the correctness of DAG-Rider, and in ยง6.2 we analyze the communication the time complexity.
We show that DAG-Rider achieves the properties of the BAB problem, as defined in ยง3.
Lemma 3.
DAG-Rider achieves the integrity property of the BAB problem. ll You Need is DAG Proof. When a correct process ๐ ๐ decides on a block in a slot number โ (Line 56) it increases by one the slot variablein the next line, so that next time ๐ ๐ decides on a block, it will be in slot number โ + , ensuring that ๐ ๐ does not decideon more than one block in a single slot number. โก Lemma 4.
DAG-Rider achieves the external validity property of the BAB problem.
Proof. A vertex ๐ฃ is added to the ๐ท๐ด๐บ ๐ of process ๐ ๐ only after ๐ ๐ checks if all transactions in ๐ฃ. block pass theexternal validity predicate (Line 25). Since ๐ ๐ decides only on blocks in vertices that are in its DAG, then any decisionmade is on an externally valid block of transactions. โก Claim 1.
When a correct process ๐ ๐ adds a vertex ๐ฃ to its ๐ท๐ด๐บ ๐ (Line 8), all of ๐ฃ โs causal history is already in ๐ท๐ด๐บ ๐ . Proof. We prove this claim by induction on the execution of every correct process ๐ ๐ . Denote by ๐ฃ ๐ the ๐ -th vertexthat ๐ ๐ adds to ๐ท๐ด๐บ ๐ . We show that for every ๐ โ N , after ๐ฃ ๐ is added to the DAG, the causal histories of all the verticesin the set { ๐ฃ , . . . , ๐ฃ ๐ } , and in particular ๐ฃ ๐ , are in ๐ท๐ด๐บ ๐ .In the base step of the induction, there are no vertices in the DAG, and the property vacuously holds. Next, assumethat after ๐ฃ ๐ is added to the DAG at process ๐ ๐ , all the causal histories of all the vertices in the set ๐ = { ๐ฃ , . . . , ๐ฃ ๐ } arealready in ๐ท๐ด๐บ ๐ .For ๐ฃ ๐ + to be added to the DAG at process ๐ ๐ , its strong and weak edges must reference vertices that are already in ๐ท๐ด๐บ ๐ (Line 7), i.e., ๐ฃ ๐ + โs edges are only to vertices in ๐ . Since all the vertices in ๐ already have their causal historiesin the DAG, when ๐ฃ ๐ + is added to the DAG, its causal history is in the DAG as well, and we are done. โก Claim 2.
If a correct process ๐ ๐ adds a vertex ๐ฃ to its ๐ท๐ด๐บ ๐ , then eventually all correct processes add ๐ฃ to their DAG. Proof. By induction on rounds, for process ๐ ๐ to add a vertex ๐ฃ in round ๐ to its ๐ท๐ด๐บ ๐ , first ๐ฃ needs to be deliveredto ๐ ๐ by the reliable broadcast layer (Line 20), and by the agreement of the reliable broadcast, ๐ฃ will be eventuallydelivered to all other correct processes.Next, ๐ฃ has to be added to the buffer variable at ๐ ๐ , and this is done if the process who broadcast ๐ฃ added the correct ๐ฃ. source and ๐ฃ. round which are verified through the guarantees of the reliable broadcast layer (Line 23). Therefore thesechecks will also pass at any other correct process when ๐ฃ is delivered to it. Vertex ๐ฃ also has to pass the isValidVertex procedure (Line 25), which ensures that the proposed block of transactions passes the external validity condition, aswell as that the block references at least ๐ + vertices from round ๐ฃ. round โ . If ๐ฃ passes the two checks in ๐ ๐ then itwill pass these two checks at any other correct process, since these checks are computed locally based on ๐ฃ โs fields( ๐ฃ. block and ๐ฃ. strongEdges ).Lastly, after ๐ฃ is added to the buffer , for ๐ ๐ to add ๐ฃ to its ๐ท๐ด๐บ ๐ , ๐ ๐ also checks that it has all the vertices that ๐ฃ is referencing to (in ๐ = ๐ฃ. strongEdges โช ๐ฃ. weakEdges ) in its ๐ท๐ด๐บ ๐ as well (Line 7). By the induction assumption, allcorrect processesโ DAGs contain the same vertices in rounds < ๐ .Thus, this ensures that any vertex ๐ฃ that appears in any round at ๐ท๐ด๐บ ๐ of some correct process, will eventually alsoappear in ๐ท๐ด๐บ ๐ of every other correct process ๐ ๐ . โก Claim 3.
If for some correct process ๐ ๐ there is a round ๐ with a set ๐ of at least ๐ + vertices in ๐ท๐ด๐บ ๐ [ ๐ ] s.t. โ ๐ฃ โ ๐ : strong_path ( ๐ฃ, ๐ข ) to some vertex ๐ข โ ๐ท๐ด๐บ ๐ , then every other process ๐ ๐ that completes round ๐ has a set ๐ โฒ โ ๐ท๐ด๐บ ๐ [ ๐ ] s.t. | ๐ โฒ | โฅ ๐ + and โ ๐ฃ โฒ โ ๐ โฒ : strong_path ( ๐ฃ โฒ , ๐ข ) . Proof. Let ๐ โฒ = ๐ โฉ ๐ท๐ด๐บ ๐ [ ๐ ] . Round ๐ is complete for ๐ ๐ and ๐ ๐ when their DAGs have at least ๐ + vertices.Therefore, when ๐ ๐ and ๐ ๐ complete round ๐ , | ๐ โฒ | โฅ ๐ + by a standard quorum intersection of ๐ + out of ๐ + dit Keidar, Eleftherios Kokoris-Kogias, Oded Naor, and Alexander Spiegelman possible vertices of round ๐ (due to the reliable broadcast, Byzantine processes cannot equivocate). Since every ๐ฃ โฒ โ ๐ โฒ is already in ๐ท๐ด๐บ ๐ when ๐ ๐ completes round ๐ , then ๐ข is in ๐ท๐ด๐บ ๐ by ๐ก as well (by Claim 1), and there is a strong pathbetween every ๐ฃ โฒ โ ๐ โฒ to ๐ข in ๐ท๐ด๐บ ๐ . โก For the next part, we say a process commits a wave leader vertex ๐ฃ when ๐ฃ is popped from the stack in Line 53. Claim 4.
In every wave, at most one vertex ๐ฃ can be a wave leader vertex for all correct processes. Proof. For a vertex ๐ฃ to be a wave leader vertex in wave ๐ค it has to be the return value from the get_wave_vertex_leader procedure (Line 46). The procedure gets the waveโs chosen process ๐ ๐ by the global coin,and checks if the ๐ท๐ด๐บ ๐ at process ๐ ๐ has the vertex ๐ฃ from ๐ ๐ in the first round of wave ๐ค . Due to the agreementproperty of the global perfect coin, the same process ๐ ๐ is chosen for all correct processes, and because of the agreementproperty of the reliable broadcast, Byzantine processes cannot equivocate. โก Claim 5.
If a correct process ๐ ๐ commits wave leader vertex ๐ฃ in wave ๐ค and after that ๐ ๐ commits vertex ๐ฃ in wave ๐ค , then ๐ค < ๐ค . Proof. A vertex is committed when it is popped from the stack (Line 53). Vertices are pushed to the stack in Lines 38and 42, which only happens in waves which vertices were not committed before, since the for loop goes down only to decidedWave + (Line 39), where decidedWave is updated each time vertices are pushed to the stack to be the maximumwave in which vertices were committed (Line 44). This means that vertices are pushed to the stack in decreasing wavenumbers.Lastly, all the vertices in the stack are popped out and committed, and this is done in reverse order to the order thatthey were pushed to the stack, therefore, the wave numbers of committed waves are in an increasing order. โก Lemma 5.
If some process ๐ ๐ commits the leader vertex ๐ฃ of a wave ๐ค , then for every leader vertex ๐ข of a wave ๐ค โฒ > ๐ค and for every process ๐ ๐ , if ๐ข โ ๐ท๐ด๐บ ๐ [ round ( ๐ค โฒ , )] , then strong_path ( ๐ข, ๐ฃ ) returns true in wave ๐ค โฒ . Proof. Since vertex ๐ฃ is committed by process ๐ ๐ in wave ๐ค , the commit rule is met, i.e., at the end of wave ๐ค thereare at least ๐ + vertices in ๐ท๐ด๐บ ๐ [ round ( ๐ค, )] with a strong path to ๐ฃ . By Claim 3, every correct process ๐ ๐ (whetherit committs ๐ฃ in ๐ค or not) has a set ๐ of at least ๐ + vertices in ๐ท๐ด๐บ ๐ [ round ( ๐ค, )] with a strong path to ๐ฃ . Any futurevertex ๐ฃ โฒ from waves ๐ค โฒ > ๐ค , including ๐ข , will have a strong path to at least one vertex in ๐ , resulting in a strong pathbetween ๐ข and ๐ฃ . This does not matter if vertex ๐ฃ โฒ is created by a Byzantine process or not, since Byzantine processescannot equivocate due to the reliable broadcast guarantees. โก Lemma 6.
Algorithm 3 satisfies the agreement property of the BAB problem.
Proof. By Claim 4, each wave has only one vertex that can be committed. By Claim 5 every correct process commitsvertices in an increasing wave number. By Lemma 1, if a correct process ๐ ๐ commits a vertex ๐ฃ , then there is a strongpath to ๐ฃ from any vertex ๐ข in future waves that might be committed. By combining all the claims, if two correctprocesses commit the same wave leader vertices, they do so in the same order.Once a correct process commits a wave vertex leader ๐ฃ , it decides on all of ๐ฃ โs causal history in some deterministicorder, which is identical for all other correct processes. By Claim 1, when ๐ฃ is committed, all of ๐ฃ โs causal history isalready in the DAG. Thus, since all correct processes commit the same wave leader vertices in the same order, and sincethose vertices have the same causal histories, all correct processes that decide in some slot, decide the same value. โก ll You Need is DAG Lemma 7.
Let ๐ ๐ be a correct process that completes wave ๐ค . Then there is a set ๐ โ ๐ท๐ด๐บ ๐ [ round ( ๐ค, )] and a set ๐ โ ๐ท๐ด๐บ ๐ [ round ( ๐ค, )] s.t. | ๐ | โฅ ๐ + , | ๐ | โฅ ๐ + and โ ๐ฃ โ ๐ , โ ๐ข โ ๐ : strong_path ( ๐ข, ๐ฃ ) . Proof. First, we show that there is a set ๐ , | ๐ | โฅ ๐ + s.t. when ๐ ๐ completes round ( ๐ค, ) and broadcasts a newvertex ๐ฃ in round ( ๐ค, ) , then ๐ฃ has a strong path to all the vertices in ๐ .To this end, we use the common-core abstraction, that first appeared in [2], and was adapted (and proven) for theByzantine case in [20]. The model for this abstraction is identical to our model. Each correct process ๐ ๐ has some inputvalue ๐ฃ ๐ , and it returns a set ๐ ๐ of input values from different processes. The guarantee of the common-core abstractionis that there is a subset ๐ of at least ๐ + values, s.t. for each correct process ๐ โ ๐ ๐ , i.e., there is a common core of atleast ๐ + input values that appear in the returned sets of all the correct processes that complete the common-coreabstraction.The algorithm to realize the common-core abstraction consists of three rounds of communication: in the first round,each process sends its input value ๐ฃ ๐ , and then waits for ๐ + input values from other processes (including itself).Denote this first set at process ๐ ๐ as ๐น ๐ .In the second stage, each process sends its ๐น ๐ set and waits until it receives ๐ + ๐น ๐ sets from other processes(including itself). When this stage ends, process ๐ ๐ creates the union of all the ๐น ๐ sets it received. Denote this set of setsfor process ๐ ๐ as ๐ ๐ . In the third and last stage, process ๐ ๐ sends the set ๐ ๐ it created and again waits to receive ๐ + ๐ ๐ sets from other processes (including itself). When this stage ends, process ๐ ๐ returns the union of all the ๐ ๐ sets,denoted ๐ ๐ , as the output of the common-core abstraction.We show that the first three rounds of a wave ๐ค can be mapped exactly to the three stages of the common-core algorithm. Denote ๐ , ๐ , ๐ , ๐ as round ( ๐ค, ) , round ( ๐ค, ) , round ( ๐ค, ) , round ( ๐ค, ) , respectively. When a correctprocess ๐ ๐ adds the vertex ๐ฃ created in ๐ to ๐ท๐ด๐บ ๐ [ ๐ ] , by Claim 2, eventually all other correct processes add ๐ฃ to theirDAG, which can be mapped to ๐ ๐ sending its input value to all other processes in the common-core algorithm. Next, ๐ ๐ moves to round ๐ once it has at least ๐ + vertices in ๐ , which is mapped to ๐ ๐ waiting for ๐ + input valuesfrom different processes in the common-core algorithm. When ๐ ๐ enters ๐ it broadcasts a vertex ๐ฃ that references allthe vertices it has in ๐ , which is equivalent to ๐ ๐ sending ๐น ๐ at the beginning of the second stage of the common-corealgorithm. In a similar way, when ๐ ๐ completes ๐ and enters ๐ , it broadcasts ๐ฃ which references all the vertices it hasin ๐ , which is equivalent to sending ๐ ๐ (by Claim 1, when ๐ฃ is added to ๐ท๐ด๐บ ๐ [ ๐ ] of some correct process ๐ ๐ , then allthe vertices ๐ ๐ has in ๐ท๐ด๐บ ๐ [ ๐ ] with a strong path from ๐ฃ are in the ๐ท๐ด๐บ ๐ [ ๐ ] as well). To complete the mapping,when ๐ ๐ completes ๐ and broadcasts ๐ฃ in round ๐ , then ๐ฃ has in its causal history the same values that would havebeen in ๐ ๐ in the equivalent common-core algorithm.Note that since Byzantine processes cannot equivocate, and since every round in the DAG has at least ๐ + vertices,any vertex that ๐ ๐ adds to ๐ท๐ด๐บ ๐ [ ๐ ] has to reference at least ๐ + vertices that ๐ฃ also references, even vertices sentfrom Byzantine processes. Thus, based on the common-core guarantee, there is a set ๐ โ ๐ท๐ด๐บ ๐ [ ๐ ] s.t. | ๐ | โฅ ๐ + and โ ๐ฃ โ ๐ : strong_path ( ๐ฃ , ๐ฃ ) , and also this set ๐ appears in the DAG of any other correct process ๐ ๐ that completesround ๐ . Next, when ๐ ๐ completes wave ๐ค , i.e., when it completes round ๐ , it has in ๐ท๐ด๐บ ๐ [ ๐ ] at least ๐ + vertices,and each of those vertices has a path to each of the vertices in ๐ , which concludes the proof. โก Claim 6.
For every correct process ๐ ๐ and for every wave ๐ค , the expected number of waves, starting from ๐ค , until thecommit rule is met is equal to or smaller than / + ๐ . dit Keidar, Eleftherios Kokoris-Kogias, Oded Naor, and Alexander Spiegelman Proof. By Lemma 2, in each wave ๐ค , the probability that for a correct process ๐ ๐ the commit rule is met is at least ๐๐ = ( ๐ + )/( ๐ + ) โ ๐ . The number of waves until the commit rule is met is geometrically distributed with asuccess probability of ๐๐ . Thus, the expected number of waves is bounded by / + ๐ waves. โก Lemma 8.
DAG-Rider guarantees the termination property of the BAB problem.
Proof. If a correct process ๐ ๐ decides a value in slot โ it means there is some value in the block of some vertex ๐ข that is in the causal history of some wave ๐ค leader vertex ๐ฃ that is decided in that slot. By Claim 6, every other correctprocess ๐ ๐ that has not committed ๐ฃ yet will eventually, with probability 1, have a wave ๐ค โฒ > ๐ค in which the commitrule is met. When ๐ ๐ commits ๐ค โฒ , by the proved agreement property, it will also commit ๐ฃ , and thus decide on all of ๐ฃ โscausal history in the same slots, including vertex ๐ข in slot โ . โก Claim 7.
Every vertex that is broadcast by a correct process is eventually added to the DAG of all correct processes.
Proof. We prove this by showing that for every correct process ๐ ๐ that broadcasts a vertex ๐ฃ , ๐ฃ is eventually addedto ๐ท๐ด๐บ ๐ , and by Claim 2, ๐ฃ is eventually added to the DAG of all other correct processes.When a correct process ๐ ๐ broadcasts a vertex ๐ฃ (Line 14) it broadcasts a valid vertex, i.e., a vertex that passes theexternal validity check, and that references vertices that are already in ๐ท๐ด๐บ ๐ . Because of the validity property of thereliable broadcast, ๐ ๐ eventually delivers ๐ฃ to itself, and when it does so, it adds ๐ฃ to its own ๐ท๐ด๐บ ๐ . Thus, as explained,by Claim 2, ๐ฃ is eventually added to the DAGs of all other correct processes. โก Lemma 9.
DAG-Rider guarantees the eventual fairness property of the BAB problem.
Proof. When a correct process ๐ ๐ proposes a value, it is inserted into a queue (Line 33), and eventually will beincluded in a vertex ๐ฃ created by ๐ ๐ (Line 16). Vertex ๐ฃ is eventually delivered to all the correct processes and added totheir DAGs (Claim 7).When a correct process broadcasts a new vertex ๐ฃ in round ๐ it also makes sure that it has a path (either a strong pathor path that includes weak edges) to all the vertices in rounds ๐ โฒ < ๐ , and if not, it adds weak edges to ๐ฃ that guaranteethis (Line 27), therefore ๐ฃ will eventually be included in the causal history of all correct processes. By Lemma 7, withprobability 1, eventually ๐ฃ will be in the causal history of a committed wave vertex leader, and therefore decided. โก We proved that DAG-Rider achieves all the properties of the BAB problem as described in ยง3.
We analyze DAG-Rider in terms of expected communication complexity and expected time complexity.
Communication complexity.
We analyze the communication complexity of DAG-Rider when instantiated with Cachinand Teseroโs [15] information dispersal protocol. A similar analysis can be made for other broadcast implementationsas well. For clarity, in ยง4, we say that strongEdges and weakEdges are sets of vertices. However, in order to refer to avertex it is enough to only store its source and round number. We assume that any round number during an executioncan be expressed in a constant number of bits, that is, the DAG never reaches round number (note that roundnumbers grow slower than slot numbers).We count the number of bits sent by correct processes in every round of the DAG and divide it by the total numberof ordered values therein. The complexity of [15] is ๐ ( ๐ log ( ๐ ) + ๐๐ ) , where ๐ is the message (vertex) size. Each It is also possible to store vertices hashes. 14 ll You Need is DAG message includes a set of proposed values and ๐ references, and each reference includes a process id of size log ( ๐ ) .Thus, if we batch ๐ log ( ๐ ) values in every message, the bit complexity is ๐ ( ๐ log ( ๐ ) + ๐ log ( ๐ )) = ๐ ( ๐ log ( ๐ )) fora broadcast.Since each process is allowed to broadcast a single message in each round, a correct process will not participate inmore than ๐ reliable broadcasts in a round, and thus the total bit complexity of correct processes in a round is boundedby ๐ ( ๐ log ( ๐ )) . On the other hand, at least ๐ + = ๐ ( ๐ ) vertices are ordered in every round. Thus, ๐ ( ๐ log ( ๐ )) values are ordered in every round, which means that the amortized communication complexity of DAG-Rider is ๐ ( ๐ ) . Time complexity.
By Claim 6, the number of waves, in expectation, between two waves that satisfy the commit rulein
๐ท๐ด๐บ ๐ for a correct process ๐ ๐ is expected constant. Since each wave consists of constant size chains of messages, bythe definition of time units, the number of time units, in expectation, between two ๐ ๐ โs commits is constant. Every time ๐ ๐ commits a wave, it commits the waveโs leader causal history, which contains at least ๐ ( ๐ ) proposals from differentcorrect processes. Therefore, DAG-Riderโs time complexity is ๐ ( ) in expectation. The first asynchronous Byzantine Agreement protocols [5, 39] showed that the FLP [23] impossibility result canbe circumvented with randomization. Their communication and time complexity was exponential and a significantamount of work has been done since then in attempt to achieve optimal complexity under different assumptions.Some works consider the information theoretical settings and present protocols with polylogarithmic complexitythat tolerate adversaries with unbounded computational power [4, 26, 38]. Others follow a more practical approachand consider a computationally bounded adversary in order to be able to use cryptographic primitives to improvecomplexity [1, 13, 14, 35]. The pioneering crypto-based protocols [13, 14] were later realized in HoneyBadgerBFT, thefirst asynchronous Byzantine SMR system [36]. However, while the state-of-the-art asynchronous Byzantine Agreementprotocols VABA [1] and Dumbo [35] rely on cryptographic assumptions for both safety and liveness, DAG-Rideruses a hybrid alternative by providing safety with information theoretical guarantees and relying on cryptographicassumptions only for liveness.Many other works also presented protocols for the BAB problem in the asynchronous setting. Some works like [29, 40]use cryptographic schemes for safety, and others like [19] do not use signatures. Other works like [22] encapsulatetiming assumptions by relying on a failure detector. All these works have higher expected communication complexity.The idea of building a communication DAG and locally interpreting total order was considered before [18, 21]. To thebest of our knowledge, the only algorithms that realize this idea in the Byzantine settings are HashGraph [3] and laterAleph [24]. In contrast to DAG-Rider, HashGraph builds an unstructured DAG in which processes (unreliably) sendmessages with 2 references to previous vertices and on top of it run an inefficient binary agreement protocol, whichleads to expected exponential time complexity. Their communication complexity is not straightforward to analyzesince they did not clearly describe the mechanism that ensures that eventually all DAG information is propagated to allprocesses, and no analysis is provided. Aleph improves HashGraphโs complexity by building a round-based DAG andusing a more efficient binary agreement protocol [14]. They use an expected constant time binary agreement instanceto agree on whether to commit every vertex in a round. However, similarly to VABA and Dumbo based SMR, since theyneed all instances to terminate before they can totally order all vertices in a round, their time complexity is ๐ ( log ( ๐ )) .They do not amortize complexity and have ๐ ( ๐ ) per decision. In contrast to DAG-Rider, both HashGraph and Aleph(1) do not satisfy eventual fairness; and (2) rely on signatures for safety and thus are not post-quantum safe. dit Keidar, Eleftherios Kokoris-Kogias, Oded Naor, and Alexander Spiegelman We presented DAG-Rider: an asynchronous Byzantine Atomic Broadcast protocol with optimal resilience, optimalamortized communication complexity, and optimal time complexity. DAG-Rider does not rely on cryptographicassumptions for safety. Instead, it rules out Byzantine equivocation by relying on the reliable broadcast to guaranteethat all correct processes eventually see the same DAG. Finally, we believe that DAG-Riderโs elegant design, perfectload balancing, and modular separation of concerns make it an adequate candidate for future Byzantine SMR systems.
REFERENCES [1] Ittai Abraham, Dahlia Malkhi, and Alexander Spiegelman. 2019. Asymptotically Optimal Validated Asynchronous Byzantine Agreement. In
Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing (Toronto ON, Canada) (PODC โ19) . ACM, New York, NY, USA,337โ346. https://doi.org/10.1145/3293611.3331612[2] Hagit Attiya and Jennifer Welch. 2004.
Distributed computing: fundamentals, simulations, and advanced topics . Vol. 19. John Wiley & Sons.[3] Leemon Baird. 2016. The swirlds hashgraph consensus algorithm: Fair, fast, Byzantine fault tolerance.
Swirlds Tech Reports SWIRLDS-TR-2016-01,Tech. Rep (2016).[4] Laasya Bangalore, Ashish Choudhury, and Arpita Patra. 2018. Almost-surely terminating asynchronous Byzantine agreement revisited. In
Proceedingsof the 2018 ACM Symposium on Principles of Distributed Computing . 295โ304.[5] Shai Ben-David, Allan Borodin, Richard Karp, Gabor Tardos, and Avi Wigderson. 1994. On the power of randomization in on-line algorithms.
Algorithmica
11, 1 (1994), 2โ14.[6] Michael Ben-Or and Ran El-Yaniv. 2003. Resilient-optimal interactive consistency in constant time.
Distributed Computing
16, 4 (2003), 249โ262.[7] Erica Blum, Jonathan Katz, Chen-Da Liu-Zhang, and Julian Loss. 2020. Asynchronous Byzantine Agreement with Subquadratic Communication. In
Theory of Cryptography Conference . Springer, 353โ380.[8] Dan Boneh, Ben Lynn, and Hovav Shacham. 2001. Short signatures from the Weil pairing. In
International conference on the theory and application ofcryptology and information security . Springer, 514โ532.[9] Edward Bortnikov, Maxim Gurevich, Idit Keidar, Gabriel Kliot, and Alexander Shraer. 2009. Brahms: Byzantine resilient random membershipsampling.
Computer Networks
53, 13 (2009), 2340โ2359.[10] Stephen Boyd, Arpita Ghosh, Balaji Prabhakar, and Devavrat Shah. 2006. Randomized gossip algorithms.
IEEE/ACM Transactions on Networking(TON)
14, SI (2006), 2508โ2530.[11] Gabriel Bracha. 1987. Asynchronous Byzantine agreement protocols.
Information and Computation
75, 2 (1987), 130โ143.[12] Christian Cachin, Rachid Guerraoui, and Luรญs Rodrigues. 2011.
Introduction to reliable and secure distributed programming . Springer Science &Business Media.[13] Christian Cachin, Klaus Kursawe, Frank Petzold, and Victor Shoup. 2001. Secure and efficient asynchronous broadcast protocols. In
AnnualInternational Cryptology Conference . Springer, 524โ541.[14] Christian Cachin, Klaus Kursawe, and Victor Shoup. 2005. Random oracles in Constantinople: Practical asynchronous Byzantine agreement usingcryptography.
Journal of Cryptology
18, 3 (2005), 219โ246.[15] Christian Cachin and Stefano Tessaro. 2005. Asynchronous verifiable information dispersal. In . IEEE, 191โ201.[16] Ran Canetti and Tal Rabin. 1993. Fast asynchronous Byzantine agreement with optimal resilience. In
Proceedings of the twenty-fifth annual ACMsymposium on Theory of computing . 42โ51.[17] Miguel Castro, Barbara Liskov, et al. 1999. Practical Byzantine fault tolerance. In
OSDI , Vol. 99. 173โ186.[18] Gregory V Chockler, Nabil Huleihel, and Danny Dolev. 1998. An adaptive totally ordered multicast protocol that tolerates partitions. In
Proceedingsof the seventeenth annual ACM symposium on Principles of distributed computing . 237โ246.[19] Miguel Correia, Nuno Ferreira Neves, and Paulo Verรญssimo. 2006. From consensus to atomic broadcast: Time-free Byzantine-resistant protocolswithout signatures.
Comput. J.
49, 1 (2006), 82โ96.[20] Danny Dolev and Eli Gafni. 2016. Some garbage in-some garbage out: Asynchronous t-Byzantine as asynchronous benign t-resilient system withfixed t-trojan-horse inputs. arXiv preprint arXiv:1607.01210 (2016).[21] Danny Dolev, Shlomo Kramer, and Dalia Malki. 1993. Early delivery totally ordered multicast in asynchronous environments. In
FTCS-23 TheTwenty-Third International Symposium on Fault-Tolerant Computing . IEEE, 544โ553.[22] Assia Doudou, Benoit Garbinato, and Rachid Guerraoui. 2000. Abstractions for devising Byzantine-resilient state machine replication. In
Proceedings19th IEEE Symposium on Reliable Distributed Systems SRDS-2000 . IEEE, 144โ153.[23] Michael J Fischer, Nancy A Lynch, and Michael S Paterson. 1985. Impossibility of distributed consensus with one faulty process.
Journal of the ACM(JACM)
32, 2 (1985), 374โ382.[24] Adam Gkagol, Damian Lesniak, Damian Straszak, and Michal Swiketek. 2019. Aleph: Efficient atomic broadcast in asynchronous networks withByzantine nodes. In
Proceedings of the 1st ACM Conference on Advances in Financial Technologies . 214โ228.16 ll You Need is DAG [25] Rachid Guerraoui, Petr Kuznetsov, Matteo Monti, Matej Pavlovic, and Dragos-Adrian Seredinschi. 2019. Scalable Byzantine Reliable Broadcast. In . Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik.[26] Bruce M Kapron, David Kempe, Valerie King, Jared Saia, and Vishal Sanwalani. 2010. Fast asynchronous Byzantine agreement and leader electionwith full information.
ACM Transactions on Algorithms (TALG)
6, 4 (2010), 1โ28.[27] Richard Karp, Christian Schindelhauer, Scott Shenker, and Berthold Vocking. 2000. Randomized rumor spreading. In
Proceedings 41st AnnualSymposium on Foundations of Computer Science . IEEE, 565โ574.[28] Mahimna Kelkar, Fan Zhang, Steven Goldfeder, and Ari Juels. 2020. Order-fairness for Byzantine consensus. In
Annual International CryptologyConference . Springer, 451โ480.[29] Kim Potter Kihlstrom, Louise E Moser, and P Michael Melliar-Smith. 2001. The SecureRing group communication system.
ACM Transactions onInformation and System Security (TISSEC)
4, 4 (2001), 371โ406.[30] Eleftherios Kokoris Kogias, Dahlia Malkhi, and Alexander Spiegelman. 2020. Asynchronous Distributed Key Generation for Computationally-SecureRandomness, Consensus, and Threshold Signatures.. In
Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security .1751โ1767.[31] Ramakrishna Kotla, Lorenzo Alvisi, Mike Dahlin, Allen Clement, and Edmund Wong. 2007. Zyzzyva: speculative Byzantine fault tolerance. In
ACMSIGOPS Operating Systems Review , Vol. 41. ACM, 45โ58.[32] Kfir Lev-Ari, Alexander Spiegelman, Idit Keidar, and Dahlia Malkhi. 2020. FairLedger: A Fair Blockchain Protocol for Financial Institutions. In . Schloss Dagstuhl-Leibniz-Zentrum fรผr Informatik.[33] Benoรฎt Libert, Marc Joye, and Moti Yung. 2016. Born and raised distributively: Fully distributed non-interactive adaptively-secure thresholdsignatures with short shares.
Theoretical Computer Science
645 (2016), 1โ24.[34] Julian Loss and Tal Moran. 2018. Combining Asynchronous and Synchronous Byzantine Agreement: The Best of Both Worlds.
IACR Cryptol. ePrintArch.
Proceedings of the 39th Symposium on Principles of Distributed Computing . 129โ138.[36] Andrew Miller, Yu Xia, Kyle Croman, Elaine Shi, and Dawn Song. 2016. The honey badger of BFT protocols. In
Proceedings of the 2016 ACM SIGSACConference on Computer and Communications Security . 31โ42.[37] Satoshi Nakamoto. 2008.
Bitcoin: A peer-to-peer electronic cash system . Technical Report.[38] Arpita Patra, Ashish Choudhury, and C Pandu Rangan. 2014. Asynchronous Byzantine agreement with optimal resilience.
Distributed computing . IEEE, 403โ409.[40] Michael K Reiter. 1994. Secure agreement protocols: Reliable and atomic group multicast in Rampart. In
Proceedings of the 2nd ACM Conference onComputer and Communications Security . 68โ80.[41] Adi Shamir. 1979. How to share a secret.
Commun. ACM
22, 11 (1979), 612โ613.[42] Victor Shoup. 2000. Practical threshold signatures. In
International Conference on the Theory and Applications of Cryptographic Techniques . Springer,207โ220.[43] Maofan Yin, Dahlia Malkhi, MK Reiter and, Guy Golan Gueta, and Ittai Abraham. 2019. HotStuff: BFT consensus with linearity and responsiveness.In38th ACM symposium on Principles of Distributed Computing (PODCโ19)