Abstract
The increasing popularity of blockchain-based cryptocurrencies has revitalized the search for efficient Byzantine fault-tolerant (BFT) protocols. Many existing BFT protocols can achieve good performance in fault-free cases but suffer severe performance degradation when faults occur. This is also a problem with DiemBFT. To mitigate performance attacks in DiemBFT, we present an improved BFT protocol with optimal liveness called the Golden Snitch. The core idea is to introduce unbiased randomness in leader selection and improve the voting mechanism to protect honest leaders from being dragged down by the previous leader. The performance of the Golden Snitch is evaluated through experiments, turning out it outperforms DiemBFT in the presence of faults.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The Golden Snitch was originally created by writer J.K. Rowling in “Harry Potter”. The Golden Snitch, often simply called the Snitch, is the third and smallest ball used in Quidditch. It appears randomly on the court and moves very fast.
References
Abraham, I., Malkhi, D., Nayak, K., Ren, L., Spiegelman, A.: Solida: a blockchain protocol based on reconfigurable byzantine consensus. arXiv preprint arXiv:1612.02916 (2016)
Aublin, P.L., Mokhtar, S.B., Quéma, V.: Rbft: redundant byzantine fault tolerance. In: 2013 IEEE 33rd International Conference on Distributed Computing Systems, pp. 297–306. IEEE (2013)
Bano, S., et al.: State machine replication in the libra blockchain (2020). https://developers.libra.org/docs/state-machine-replication-paper, Accessed 19 Dec 2020
Baudet, M., et al.: State machine replication in the libra blockchain. The Libra Assn., Technical Report (2019)
Bentov, I., Pass, R., Shi, E.: Snow white: provably secure proofs of stake. IACR Cryptol. ePrint Arch. 2016, 919 (2016)
Bessani, A., Sousa, J., Alchieri, E.E.: State machine replication for the masses with bft-smart. In: 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 355–362. IEEE (2014)
Buterin, V., Griffith, V.: Casper the friendly finality gadget. arXiv preprint arXiv:1710.09437 (2017)
Canetti, R., Rabin, T.: Fast asynchronous byzantine agreement with optimal resilience. In: Proceedings of the twenty-fifth annual ACM symposium on Theory of computing, pp. 42–51 (1993)
Cascudo, I., David, B.: SCRAPE: scalable randomness attested by public entities. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 537–556. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_27
Castro, M., Liskov, B., et al.: Practical byzantine fault tolerance. In: OSDI, vol. 99, pp. 173–186 (1999)
Cowling, J., Myers, D., Liskov, B., Rodrigues, R., Shrira, L.: Hq replication: A hybrid quorum protocol for byzantine fault tolerance. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation, pp. 177–190 (2006)
Dolev, D., Strong, H.R.: Polynomial algorithms for multiple processor agreement. In: Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, pp. 401–407 (1982)
Dwork, C., Lynch, N., Stockmeyer, L.: Consensus in the presence of partial synchrony. J. ACM (JACM) 35(2), 288–323 (1988)
Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: scaling byzantine agreements for cryptocurrencies. In: Proceedings of the 26th Symposium on Operating Systems Principles, pp. 51–68 (2017)
Hanke, T., Movahedi, M., Williams, D.: Dfinity technology overview series, consensus system. arXiv preprint arXiv:1805.04548 (2018)
Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12
Kogias, E.K., Jovanovic, P., Gailly, N., Khoffi, I., Gasser, L., Ford, B.: Enhancing bitcoin security and performance with strong consistency via collective signing. In: 25th \(\{\)usenix\(\}\) Security Symposium (\(\{\)usenix\(\}\) Security 16), pp. 279–296 (2016)
Kotla, R., Alvisi, L., Dahlin, M., Clement, A., Wong, E.: Zyzzyva: speculative byzantine fault tolerance. In: Proceedings of Twenty-First ACM SIGOPS Symposium on Operating Systems Principles, pp. 45–58 (2007)
Lamport, L., Shostak, R., Pease, M.: The byzantine generals problem. In: Concurrency: The Works of Leslie Lamport, pp. 203–226 (2019)
Micali, S., Rabin, M., Vadhan, S.: Verifiable random functions. In: 40th Annual Symposium on Foundations of Computer cience (cat. No. 99CB37039), pp. 120–130. IEEE (1999)
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008). https://bitcoin.org/bitcoin.pdf
Pass, R., Shi, E.: Hybrid consensus: efficient consensus in the permissionless model. In: 31st International Symposium on Distributed Computing (DISC 2017). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2017)
Pease, M., Shostak, R., Lamport, L.: Reaching agreement in the presence of faults. J. ACM (JACM) 27(2), 228–234 (1980)
Schindler, P., Judmayer, A., Stifter, N., Weippl, E.R.: Hydrand: efficient continuous distributed randomness. In: 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, 18–21 May 2020 pp. 73–89. IEEE (2020). https://doi.org/10.1109/SP40000.2020.00003
Veronese, G.S., Correia, M., Bessani, A.N., Lung, L.C., Verissimo, P.: Efficient byzantine fault-tolerance. IEEE Trans. Comput. 62(1), 16–30 (2011)
Yin, M., Malkhi, D., Reiter, M.K., Gueta, G.G., Abraham, I.: Hotstuff: bft consensus with linearity and responsiveness. In: Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing, pp. 347–356 (2019)
Acknowledgment
This work is supported by National Key R&D Program of China (2017YFB0802500), Beijing Municipal Science and Technology Project (No Z191100007119007) and Shandong province major science and technology innovation project (2019JZZY020129).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Analysis of Correctness
A Analysis of Correctness
The correctness of BFT protocols is usually defined by two properties: safety and liveness. This section surveys that the Snitch can guarantee safety and liveness under some reasonable assumptions mentioned previously.
1.1 A.1 Safety
The safety of the Snitch is proved to be provided regardless of the network status.
Definition 1
(safety). The protocol provides safety if it satisfies agreement and validity simultaneously.
Lemma 1
(validity). Any block containing invalid data can not be confirmed.
Proof
Because a valid CC can be formed only with \(n-f=2f+1\) votes for it, there must be a correct replica who voted it. In other words, Malicious replicas cannot generate a certificate without the cooperation of a correct node. As a correct replica, it is impossible to send a positive vote for a block with invalid data. Trivially ensures that only valid blocks can be confirmed.
Lemma 2
(agreement). In BFT model, for round r, the replica \(P_i\) maintains a block \(B_r\) with its confirmation certificate \(CC_r\). If there exits any other replica \(P_j\) that maintains a block \(B_r'\) with its confirmation certificate \(CC_r'\) in the same round, it must be \(B_r=B_r'\) and \(CC_r=CC_r'\).
Proof
We prove Lemma 2 by contradiction. It is assumed that there exists a round r, where two conflicting blocks \(B_r\) and \(B_r'\) are both confirmed, each by a correct replica. As defined before, \(2f+1\) positive votes would be required to form a CC. Hence, \(CC_r\) and \(CC_r'\) need \(2(2f+1)=n+f+1\) votes simultaneously. It implies that at least \(f+1\) replicas vote twice with the original setting of n. It then goes against the assumption that at most f malicious replicas exist. Consequently, there is at most one valid block in a round.
Theorem 1
(safety). Two conflicting blocks can not be committed according to the commit rule.
Proof
It is assumed that there are three certified blocks chained in consecutive rounds, as shown in the example in Fig. 1(a):
Here, \(n-f\) votes were cast for \(CC_2\) to commit \(B_r\), out of which at least \(f+1\) were from correct replicas. These correct replicas that contributed to the generation of \(CC_2\) remember r as their locked round \(r_l\), and would not vote for block B if it is not a descendant of block \(B_r\), according to the vote rules. Hence, if there exist another three certified blocks chained in consecutive rounds as:
Then \(B_r'\) must be a descendant of \(B_r\).
1.2 A.2 Liveness
Liveness can be provided after GST. Next, we set the timer for \(\varDelta \) to denote the maximum round duration and use \(\delta \) to denote the network delay.
Definition 2
(Liveness). Whenever the network becomes synchronous, the algorithm provides liveness as to commits will be produced in a timely manner.
Lemma 3
(Round Sync). For two consecutive rounds, round \(r-1\) is led by a correct leader and round r is a timeout round. If a correct replica first switches to a new maximum round \(r+1\) at time t, then others will move to round \(r+1\) at time \(t+2\delta \).
Proof
It is assumed that leader \(l_{r-1}\) published \(B_{r-1}\) at time \(t'\). Replicas can be divided into three parts and discussed as follows:
-
Replica A receives \(B_{r-1}\) at time \(t'\):A moves to round r and and starts the timer at time \(t'\). Then the timer expired at time \(t'+\varDelta \).
-
Replica B receives \(B_{r-1}\) at time \(t'+\delta \): Similarly, B sends starts its timer at time \(t'+\delta \) and then broadcasts a timeout message at time \(t'+\delta +\varDelta \).
-
Replica C receives \(B_{r-1}\) at time \(t'+\delta \): C starts its timer at time \(t'+\delta \). While replica C received more than \(f+1\) timeout messages leading to its broadcast for timeout message before the timer expired.
In consequence, replicas broadcast respective timeout messages before time \(t'+\delta +\varDelta \). Then replicas complete the recovery within \(\delta \). Finally, we came to the conclusion that replicas would be synchronized to the same round within \(2\delta \).
Lemma 4
In the situation of all leaders in three consecutive rounds, \(l_r, \dots , l_{r+3}\) are correct, \(B_r\) can be committed within \(4*2\delta \) after it is proposed.
Proof
According to the commit rule, three consecutive confirmation certificates are required to commit a block. For these rounds that generate certificates, each round duration is at most \(2\delta \). Taking round synchronization into consideration, no more than \(3*2\delta +2\delta \) is required to commit a block.
Lemma 5
Malicious nodes cannot impede progress infinitely.
Proof
The recover threshold is \(f+1\), ensuring that malicious nodes can not reveal others’ secrets without at least one correct replica. It is inevitable that a malicious leader can block the process temporarily by means of no response or publishing an invalid block. While these behaviors cannot affect the next-round leader at all. Thanks to the punishment, in the worst case, the process will be made after \(f+1\) rounds.
Theorem 2
(Liveness). The request issued by a correct client eventually completes.
Proof
By Lemma 3, it can be concluded that all replicas enter the same round in time. Besides, owing to Lemma 4 combined with Lemma 5, transaction finality is guaranteed when a succession of three consecutive leaders behave correctly one after another. Hence, correct clients will receive replies to their requests eventually. It means liveness is guaranteed.
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Liao, H., Xu, H., Li, P. (2021). The Golden Snitch: A Byzantine Fault Tolerant Protocol with Activity. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science(), vol 12918. Springer, Cham. https://doi.org/10.1007/978-3-030-86890-1_1
Download citation
DOI: https://doi.org/10.1007/978-3-030-86890-1_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-86889-5
Online ISBN: 978-3-030-86890-1
eBook Packages: Computer ScienceComputer Science (R0)