Brief Note: Fast Authenticated Byzantine Consensus
BBrief Note: Fast Authenticated Byzantine Consensus β ITTAI ABRAHAM,
VMware Research, Israel
KARTIK NAYAK,
Duke University, USA
LING REN,
University of Illinois at Urbana-Champaign, USA
ZHUOLUN XIANG,
University of Illinois at Urbana-Champaign, USA
Byzantine fault-tolerant (BFT) state machine replication (SMR) has been studied for over 30 years. Recently it has received moreattention due to its application in permissioned blockchain systems. A sequence of research efforts focuses on improving the commitlatency of the SMR protocol in the common good case, including PBFT [5] with 3-round latency and π β₯ π + π β₯ π +
1. In this paper, we propose an authenticated protocol that solves 2-round BFT SMR with only π β₯ π β π β₯ π + π =
1, our protocol needs only 4 replicas, and strictly improves PBFT by reducing the latency by one round (evenwhen one backup is faulty).
Byzantine fault-tolerant (BFT) state machine replication (SMR), which ensures all non-faulty replicas agree on the samesequence of client inputs to provide the client with the illusion of a single non-faulty server, is an important practicalproblem for building resilient distributed systems such as permissioned blockchain. Most of the existing solutions toBFT SMR are leader-based, where a designated leader will drive consensus decisions for each view in the steady state,until it is replaced by the next leader via view-change due to malicious behavior or network partitions. The design ofBFT SMR usually focuses on optimizing the performance of the protocol under the common good case, when an honestleader is in charge and the network is synchronous . In particular, a sequence of research efforts aim at improving thelatency of the good case [1, 2, 5, 6, 8β11] for BFT SMR protocols.This work also focuses on improving the good-case latency of the BFT SMR protocol under partial synchrony. Themost well-known BFT SMR protocol for partial synchrony is PBFT [5], which requires 3 rounds of message exchange(1 round of proposing and 2 rounds of voting) to commit a value in the good case, and has the optimal resilienceof π β₯ π + the leader is honest but other replicas may be faulty and the network issynchronous, FaB [11] improves the latency to 2 rounds (1 round of proposing and 1 rounds of voting) with π β₯ π + π = π + Summary of results.
In this paper, we refute the above claim made in FaB [11] by showing an authenticated BFT SMRprotocol with 2-round good-case latency that only requires π β₯ π β
1. The BFT SMR protocol is an extension of ourprevious result for partially synchronous validated Byzantine broadcast [3]. A special case of our SMR protocol is that,perhaps surprisingly, for the canonical example with π = π = π β = π + Other Related Works.
For the optimistic case when all replicas are honest and the network is synchronous, Zyzzyva [10]and SBFT [8] adds an optimistic commit path of 2-round latency to PBFT with π β₯ π + β This is a complementary note of our previous paper [3] on the good-case latency of Byzantine broadcast. Quote from Section 4 of FaB [11], βAdding signatures would reduce neither the number of communication steps nor the number of servers since FaB isalready optimal in these two measures.β 1 a r X i v : . [ c s . D C ] F e b ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang conditions for achieving the good case is much weaker than the optimistic case, since the good case requires only theleader, instead of all replicas, to be honest. For example, with π = π =
1, our protocol has a 2-round latency evenif one backup replica is malicious, while Zyzzyva or SBFT still requires 3-round latency in this case.
The systems consists π replicas numbered 1 , , ..., π . There exists at most π Byzantine replicas with arbitrary behaviorscontrolled by an adversary. Rest of the replicas are called honest. For simplicity of the presentation, we assume π = π β π β₯ π β
1. The network model is the standard partial synchrony model [7], wherethe message delays are unbounded before an unknown Global Stable Time (GST). After GST, all messages betweenhonest replicas will arrive within time Ξ . The network channels are point-to-point, authenticated and reliable. UnlikePBFT that can be implemented with Message Authentication Code (MAC) instead of digital signatures [5], our protocolrelies on the PKI and digital signatures to detect equivocation. We assume standard digital signatures and public-keyinfrastructure (PKI), and use β¨ π β© π to denote a signed message π by replica π . In the paper, a message π is valid if andonly if π is in the correct format and properly signed. For simplicity, we assume the cryptographic primitives are ideal,to avoid the analysis of security parameters and negligible error probabilities.In the problem of BFT SMR, clients send values to replicas, and the replicas provide the clients with the illusion of asingle honest replica, by ensuring that all honest replicas agree on the same sequence of values.Definition 1 (Byzantine Fault Tolerant State Machine Replication). A Byzantine fault tolerant state machinereplication protocol commits clientsβ values as a linearizable log akin to a single non-faulty server, and provides the followingtwo guarantees. β’ Safety. Honest replicas do not commit different values at the same log position. β’ Liveness. Each client value is eventually committed by all honest replicas. β’ External Validity. If an honest replica commits a value π£ , then π£ is externally valid. Any client can send its value to at least π + π + The good-case latency of a BFT SMR protocol is the number of rounds needed forall honest replicas to commit, when the leader is honest and the network is synchronous.
For instance, the classic PBFT [5] has good-case latency of 3 rounds with π β₯ π + π β₯ π + π β₯ π β -ROUND BFT REPLICATION In this section, we propose an authenticated protocol with good-case latency of 2 rounds that only needs π β₯ π β Block format, block extension and conflicting blocks.
Clientsβ transactions (values) are batched into blocks, andthe protocol outputs a chain of blocks π΅ , π΅ , ..., π΅ π , ... where π΅ π is the block at height π . Each block π΅ π has the following rief Note: Fast Authenticated Byzantine Consensus format π΅ π = ( β π β , π, π‘π₯π ) where π‘π₯π is a batch of new client transactions and β π β = π» ( π΅ π β ) is the hash digest of theprevious block at height π β
1. We say that a block π΅ π extends another block π΅ π , if π΅ π is an ancestor of π΅ π accordingto the hash chaining where π β₯ π . We define two blocks π΅ π and π΅ β² π β² to be conflicting , if they are not equal and do notextend on another. The block chaining simplifies the protocol in the sense that once a block is committed, its ancestorscan also be committed.Since the clientsβ transactions are batched into blocks, the BFT SMR protocol achieves safety if honest replicas alwayscommit the same block π΅ π for each height π , liveness if all honest replicas keep committing new blocks, and externalvalidity if all the committed blocks are externally valid. Quorum certificate, timeout certificate, certificate ranking. C π€ is a valid quorum certificate (QC) of view π€ that certifies an externally valid block π΅ iff it consists of β₯ π β π = π β vote messages for block π΅ inthe form of β¨ vote , β¨ π΅, π€ β© πΏ π€ β© where πΏ π€ is the leader of view π€ . QCs and certified blocks are ranked first by the viewnumbers and then by the heights of the blocks, that is, QCs/blocks with higher views have higher ranks, and QCs/blockswith higher height have higher ranks if the view numbers are equal. T π€ is a valid timeout certificate (TC) of view π€ that locks an externally valid block π΅ iff it consists of β₯ π β timeout messages in the form of β¨ timeout , β¨β , π€ β© πΏ π€ β© where β is β₯ or some externally valid block, and (1) it contains β₯ π β β¨ π΅ β² , π€ β© πΏ π€ where π΅ β² equals or directly extends π΅ , and contains no block that conflicts π΅ , or (2) it contains β₯ π β¨ π΅ β² , π€ β© πΏ π€ where π΅ β² equals or directly extends π΅ , and no timeout message from πΏ π€ . Note that by definition, if T π€ locksa block π΅ , it does not lock on any π΅ β² that conflicts π΅ .To bootstrap, we assume there is a certified genesis block π΅ of height 0 that all honest replicas agree on when theprotocol starts. The first leader of view 1 will propose a block extending π΅ , and every replica will vote for the block.For view-change, all honest replicas are assumed to have voted for π΅ , and have the QC for π΅ . ( π β ) -SMRProtocol Description. Now, we present the protocol in Figure 1, and briefly describe the protocol below. Each leadercan keep proposing blocks until it is replaced by the next leader. All committed blocks form a chain linked by hashdigest and QC, where QC consists π β π = π β π β status messages. If the status messages contain a valid TC of the previous view,the leader proposes the block locked by this TC; otherwise, the leader proposes the block locked by the highest TCamong status messages. Once the first block is voted by π β π = π β π blocks committed within ( π + ) Ξ time), the replica stops voting for the currentview and multicast a timeout message for the current view. The timeout message contains the highest block voted bythe replica in the current view (if not voted then contains β₯ ). The timeout messages serve a similar purpose of the timeout messages in the protocol ( π β ) -psync-VBB of our previous paper [3], that is to form a TC that can lock ablock for the next leader to propose. The guarantee is that, if a block π΅ is committed at any honest replica, then anyhonest replica will have a TC that locks π΅ during the view-change, and no valid TC can lock on other conflicting blocks.The replicas will enter the next view after receiving π β π = π β timeout messages, and send a status messageto the new leader containing its highest TC. Sending the highest TC ensures that even if the previous view has noprogress, the highest TC in the status messages will lock the highest block committed in the earlier views. ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang The protocol proceeds in view π€ = , , ... , each with a leader πΏ π€ . Each replica locally maintains the highest timeout certificate T βππβ . The honest replicas will ignore any message for a block that is not externally valid. Steady State Protocol for Replica π Let π€ be the current view number and replica πΏ π€ be the current leader.(1) Propose.
The leader πΏ π€ multicasts β¨ propose , β¨ π΅ π , π€ β© πΏ π€ , C , Sβ© πΏ π€ . If π΅ π is not the first block proposed inview π€ , then π΅ π is a new externally valid block extending the last block π΅ π β proposed by πΏ π€ , C is theQC that certifies π΅ π β , and S = β ; Otherwise π΅ π , C , S are specified in the Status step.(2)
Vote.
Upon receiving a signed proposal β¨ propose , β¨ π΅ π , π€ β© πΏ π€ , C , Sβ© πΏ π€ from the leader πΏ π€ , β’ if π΅ π is the first proposed block in view π€ , check if (1) S is a valid TC of view π€ β π΅ π and C is a valid QC of the parent block of π΅ π , or (2) S contains 4 π β status messages of view π€ β π΅ π is locked by the highest TC in S , and C is a valid QC of the parent block of π΅ π ; β’ otherwise, check if π΅ π extends the highest certified block known to the replica.If one of the above condition is true, and the replica hasnβt voted for any other height- π block, multicast a vote message in the form of β¨ vote , β¨ π΅ π , π€ β© πΏ π€ β© π .(3) Commit.
When receiving 4 π β vote messages of view π€ for the same block π΅ , form a QC,forward the QC to all other replicas, and commit π΅ with all its ancestors blocks. View-change Protocol for Replica π (1) Timeout.
If less than π valid blocks are committed within ( π + ) Ξ time after entering view π€ , timeoutview π€ and stop voting for view π€ , and multicast β¨ timeout , β¨ π΅, π€ β© πΏ π€ β© π where π΅ is the highest block votedin view π€ ( π΅ = β₯ if not voted for any).(2) New View.
Upon receiving 4 π β timeout messages of view π€ β πΏ π€ β , or 4 π β timeout messages from replicas other than πΏ π€ β , perform thefollowing: Forward these timeout messages. If the timeout messages can form a timeout certificate T π€ β that locks a block, then update T βππβ = T π€ β . Timeout view π€ β π€ . Senda status message in the form of β¨ status , π€ β , C , T βππβ β© π to the leader πΏ π€ , where C is the QC of theparent block of the block that T βππβ locks.(3) Status.
After entering view π€ and receiving 4 π β status messages of view π€ β
1, the leader πΏ π€ sets the first new proposal block π΅ , QC of the parent block C , and a proof S as follows. β’ If any valid TC T of view π€ β π΅ β² , set S = T , π΅ = π΅ β² and C to be the QC of the parentblock of π΅ β² . β’ Otherwise, set S to be the set of 4 π β status messages of view π€ β π΅ to be theblock locked by the highest T in S , and set C to be the QC of the parent block of π΅ . Fig. 1. ( π β ) -SMR Protocol with good-case latency of rounds Lemma 1.
If an honest replica directly commits a block π΅ π in view π€ , then any certified block π΅ π β² of view π€ and height π β² β₯ π must equal or extend π΅ π . Proof. Suppose π β² = π . Since any committed or certified block need 4 π β π are both certified, then by quorum intersection, there should exist at least ( π β ) + ( π β ) β ( π β ) = π β > π Byzantine parties, which is a contradiction. Now suppose π β² > π . Since π΅ π β² does not extend π΅ π , there must exist acertified block π΅ β² π that π΅ π β² extends since honest parties only vote for blocks that extend certified blocks, and π΅ β² π and π΅ π conflicts each other. However, such certified π΅ β² π cannot exist by earlier argument, and thus any certified block π΅ π β² ofview π€ and height π β² β₯ π must equal or extend π΅ π . β‘ rief Note: Fast Authenticated Byzantine Consensus Lemma 2.
If block π΅ π is the highest block certified in view π€ , then no valid TC of view π€ can lock any block that conflicts π΅ π , and any honest replica that enters view π€ + has a valid TC of view π€ that locks π΅ π . Proof. By default, any message discussed below is of view π€ . Since π΅ π is certified in view π€ , at least 3 π β π΅ π . Since π΅ π is the highest certified block in view π€ , no honest replica voted for any block π΅ π + (butthey may vote for some π΅ π + that extends π΅ π ). Hence, at least 3 π β π΅ π or some π΅ π + thatextends π΅ π in their timeout messages, but not any π΅ β² that conflicts π΅ π .By definition, a valid TC T that locks π΅ iff it consists of β₯ π β β¨ timeout , β¨β , π€ β© πΏ π€ β© from different replicas,and (1) it contains β₯ π β β¨ π΅ β² , π€ β© where π΅ β² equals or directly extends π΅ , and no block conflicts π΅ , or (2) it contains β₯ π β¨ π΅ β² , π€ β© where π΅ β² equals or directly extends π΅ , and no signature from πΏ π€ .First we prove that no valid TC of view π€ can lock a block π΅ β² that conflicts π΅ π . Suppose that there exists a valid TC T of view π€ that locks a block π΅ β² that conflicts π΅ π . Condition (1) cannot be true: Since 3 π β π΅ β² in their timeout messages, T cannot include these signatures, which implies there need to be atleast 3 π β + π β = π β > π replicas and is impossible. Condition (2) also cannot be true: If πΏ π€ is honest, then noconflicting block can be signed by πΏ π€ . If πΏ π€ is Byzantine, then T contains at most π β πΏ π€ is excluded. Since at most ( π β ) β ( π β ) = π honest replicas include π΅ β² in timeout , atmost π + π β = π β π΅ β² . Therefore, there exists no valid TC T of view π€ that locks any block π΅ β² that conflicts π΅ π .Now we prove that any honest replica that enters view π€ + π€ that locks π΅ π . Consider anyhonest replica that enters view π€ +
1. According to Step 2 of view-change, the replica receives either 4 π β timeout messages of view π€ that contain no conflicting blocks signed by πΏ π€ , or 4 π β timeout messages from replicasother than πΏ π€ . There are two cases. If the received 4 π β timeout messages contain no conflicting blocks signed by πΏ π€ , since at least 4 π β β π = π β π΅ π or some π΅ π + extending π΅ π , condition (1) for locking π΅ issatisfied. If the received 4 π β timeout messages are from replicas other than πΏ π€ , if πΏ π€ is honest then condition (1) alsoholds; Otherwise, if πΏ π€ is Byzantine, then the set of 4 π β timeout messages contains at most π β timeout messagesfrom Byzantine replicas since the leader πΏ π€ is excluded. Since at most ( π β ) β ( π β ) = π honest replicas mayinclude conflicting blocks in timeout , the set of 4 π β timeout messages includes at least ( π β ) β π β ( π β ) = π timeout that contain π΅ π or some π΅ π + extending π΅ π . Then condition also holds. Hence, any honest replica that entersview π€ + π€ that locks π΅ π . β‘ Lemma 3.
If an honest replica directly commits a block π΅ , then any certified block that ranks no lower than π΅ must equalor extend π΅ . Proof. Suppose an honest party β directly commits a block π΅ in view π€ .First, for any certified block of view π€ , the lemma is true by Lemma 1.Now we prove the lemma for view > π€ by first proving that in view > π€ (1) the honest replicas only vote for blocksthat equal or extend π΅ , and (2) any valid TC of view β₯ π€ only locks blocks that equal or extend π΅ . We prove by inductionon the view number. Consider the base case of view π€ +
1. By Lemma 1 and 2, any valid TC of view π€ can only lock ablock that equals or extends π΅ , and any honest replica that enters view π€ + π€ that locks π΅ .Therefore, any set of 4 π β status messages of view π€ must contain a valid TC of view π€ that locks a block thatequals or extends π΅ , and honest replicas will only for blocks that equal or extends π΅ according to Step 2 of the steadystate protocol. Assume the induction hypothesis that any honest replica only votes for a block that equals or extends π΅ in view π€ + , ..., π β
1, and any valid TC of view π€, ..., π β π΅ . Then, any valid ttai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang TC of view π β π΅ by a proof similar to that of Lemma 2. Since any validTC of view π€, ..., π β π΅ , and any honest replica that enters view π€ + π€ that locks π΅ , any honest replica in view π will only vote for blocks that equal or extends π΅ according to Step 2 of the steady state protocol. Therefore, the claim is true by induction, which also implies that anycertified block that ranks no lower than π΅ must equal or extend π΅ . β‘ Theorem 1 (Safety).
Honest replicas always commit the same block π΅ π for each height π . Proof. Suppose two blocks π΅ π and π΅ β² π are committed at height π at any two honest replicas. Suppose π΅ π is committeddue to π΅ π being directly committed in view π£ , and π΅ β² π is committed due to π΅ β² π β² being directly committed in view π£ β² .Without loss of generality, suppose π£ β€ π£ β² , and for π£ = π£ β² , further assume that π β€ π β² . Since π΅ π is directly committed and π΅ π β² is certified and ranks no lower than C π£ ( π΅ π ) , by Lemma 3, π΅ π β² must equal or extend π΅ π . Thus, π΅ β² π = π΅ π . β‘ Theorem 2 (Liveness).
All honest replicas keep committing new blocks.
Proof. After GST, when the leader is honest, all honest replicas will keep committing new blocks and no honestreplica will send timeout message. Since the leader is honest, it will set the first proposal block according to Step 3 ofview-change, and all honest replicas will vote for the block according to Step 2 of the steady state protocol. For laterblocks, since the leader will extend the last proposed block, all honest replicas will vote according to Step 2 of the steadystate protocol. The time window ( π + ) Ξ is sufficient for an honest replica to commit π blocks, since the leader mayenter the view at most Ξ time later, then wait for Ξ to receive the status messages. After that, each proposed blocktakes 2 Ξ to be committed, since after Ξ time the block is received at all honest replicas, and after another Ξ time, all thevotes are received by all honest replicas, leading to the commit. Hence, no honest replica will send timeout message,and the leader will not be replaced.Otherwise, if the network is asynchronous or the leader is Byzantine, the honest replicas may not commit enoughblocks and thus send timeout messages. When π + timeout messages and thus stop votingfor any block in this view, no new blocks can be certified and all 4 π β timeout messages and enter the next view. Eventually, after GST and an honest leader is elected, all honest replicas will keepcommitting new blocks. β‘ Theorem 3 (External Validity).
The block committed by any honest replicas is externally valid.
Proof. Since any honest replica only votes for blocks that are externally valid, the claim is trivially true. β‘ Theorem 4 (Good-case Latency).
When the network is synchronous and the leader is honest, the proposal of theleader will be committed within rounds. Proof. Since the leader is honest, it proposes the same block to all honest replicas. Then all honest replicas will votefor the block as proved in Theorem 2, and therefore commit within 2 rounds of message exchanges after receiving allvotes from the honest replicas. β‘ In this paper, we extend the result for partially synchronous validated Byzantine broadcast from our previous paper [3],to obtain a chain-based BFT SMR protocol with π β₯ π β rief Note: Fast Authenticated Byzantine Consensus REFERENCES [1] Ittai Abraham, Dahlia Malkhi, Kartik Nayak, Ling Ren, and Maofan Yin. 2020. Sync HotStuff: Simple and Practical Synchronous State MachineReplication.
IEEE Symposium on Security and Privacy (SP) (2020).[2] Ittai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang. 2020. Brief Announcement: Byzantine Agreement, Broadcast and State MachineReplication with Optimal Good-Case Latency. In . Schloss Dagstuhl-Leibniz-Zentrum für Informatik.[3] Ittai Abraham, Kartik Nayak, Ling Ren, and Zhuolun Xiang. 2021. Good-case Latency of Byzantine Broadcast: a Complete Categorization. arXivpreprint arXiv:2102.07240 (2021).[4] Mathieu Baudet, Avery Ching, Andrey Chursin, George Danezis, François Garillot, Zekun Li, Dahlia Malkhi, Oded Naor, Dmitri Perelman, andAlberto Sonnino. [n.d.]. State machine replication in the Libra Blockchain.[5] Miguel Castro and Barbara Liskov. 1999. Practical Byzantine fault tolerance. In
Proceedings of the third symposium on Operating systems design andimplementation . USENIX Association, 173β186.[6] T-H Hubert Chan, Rafael Pass, and Elaine Shi. 2018. PiLi: An Extremely Simple Synchronous Blockchain. (2018).[7] Cynthia Dwork, Nancy Lynch, and Larry Stockmeyer. 1988. Consensus in the presence of partial synchrony.
Journal of the ACM (JACM)
35, 2(1988), 288β323.[8] Guy Golan Gueta, Ittai Abraham, Shelly Grossman, Dahlia Malkhi, Benny Pinkas, Michael Reiter, Dragos-Adrian Seredinschi, Orr Tamir, and AlinTomescu. 2019. SBFT: a scalable and decentralized trust infrastructure. In . IEEE, 568β580.[9] Timo Hanke, Mahnush Movahedi, and Dominic Williams. 2018. Dfinity technology overview series, consensus system. arXiv preprint arXiv:1805.04548 (2018).[10] Ramakrishna Kotla, Lorenzo Alvisi, Mike Dahlin, Allen Clement, and Edmund Wong. 2007. Zyzzyva: speculative byzantine fault tolerance. In
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles . 45β58.[11] J-P Martin and Lorenzo Alvisi. 2006. Fast byzantine consensus.
IEEE Transactions on Dependable and Secure Computing
3, 3 (2006), 202β215.[12] Nibesh Shrestha, Ittai Abraham, Ling Ren, and Kartik Nayak. 2020. On the Optimality of Optimistic Responsiveness. In
Proceedings of the 2020 ACMSIGSAC Conference on Computer and Communications Security . 839β857.[13] Maofan Yin, Dahlia Malkhi, Michael K Reiter, Guy Golan Gueta, and Ittai Abraham. 2019. Hotstuff: Bft consensus with linearity and responsiveness.In