Asynchronous Reconfiguration with Byzantine Failures - arXiv
-
Upload
khangminh22 -
Category
Documents
-
view
1 -
download
0
Transcript of Asynchronous Reconfiguration with Byzantine Failures - arXiv
Asynchronous Reconfiguration with Byzantine FailuresPetr Kuznetsov
[email protected], TΓ©lΓ©com Paris, Institut Polytechnique de Paris
France
Andrei [email protected]
HSE UniversityRussia
ABSTRACT
Replicated services are inherently vulnerable to failures and securitybreaches. In a long-running system, it is, therefore, indispensableto maintain a reconfiguration mechanism that would replace faultyreplicas with correct ones. An important challenge is to enablereconfiguration without affecting the availability and consistencyof the replicated data: the clients should be able to get correctservice even when the set of service replicas is being updated.
In this paper, we address the problem of reconfiguration in thepresence of Byzantine failures: faulty replicas or clients may arbi-trarily deviate from their expected behavior. We describe a generictechnique for building asynchronous and Byzantine fault-tolerant
reconfigurable objects: clients can manipulate the object data and is-sue reconfiguration calls without reaching consensus on the currentconfiguration. With the help of forward-secure digital signatures,our solution makes sure that superseded and possibly compromisedconfigurations are harmless, that slow clients cannot be fooledinto reading stale data, and that Byzantine clients cannot causea denial of service by flooding the system with reconfigurationrequests. Our approach is modular and based on dynamic Byzantine
lattice agreement abstraction, and we discuss how to extend it toenable Byzantine fault-tolerant implementations of a large class ofreconfigurable replicated services.
KEYWORDS
Reconfiguration, Asynchronous system, Byzantine faults
1 INTRODUCTION
Replication and quorums. Replication is a natural way to ensureavailability of shared data in the presence of failures. A collectionof replicas, each holding a version of the data, ensure that the clientsget a desired service, even when some replicas become unavailableor hacked by a malicious adversary. Consistency of the providedservice requires the replicas to synchronize: intuitively, every clientshould be able to operate on the most βup-to-dateβ data, regardlessof the set of replicas it can reach.
It always makes sense to assume as little as possible about theenvironment in which a system we design is expected to run. Forexample, asynchronous distributed systems do not rely on timingassumptions, which makes them extremely robust with respect tocommunication disruptions and computational delays. It is, how-ever, notoriously difficult and sometimes even impossible to makesuch systems fault-tolerant. The folklore CAP theorem [12, 22]states that no replicated service can combine consistency, avail-ability, and partition-tolerance. In particular, no consistent andavailable read-write storage can be implemented in the presence ofpartitions: clients in one partition are unable to keep track of theupdates taking place in another one.
Therefore, fault-tolerant storage systems tend to assume thatpartitions are excluded, e.g., by requiring a majority of replicas tobe correct [6]. More generally, one can assume a quorum system,e.g., a set of subsets of replicas satisfying the intersection and avail-ability properties [21]. Every (read or write) request from a clientshould be accepted by a quorum of replicas. As every two quorumshave at least one replica in common, intuitively, no client can misspreviously written data.
Of course, failures of replicas may jeopardize the underlyingquorum system. In particular, we may find ourselves in a system inwhich no quorum is available and, thus, no operation may be ableto terminate. Even worse, if the replicas are subject to Byzantinefailures, we may not be able to guarantee the very correctness ofread values.
Asynchronous reconfiguration. To anticipate such scenarios in along run, we must maintain a reconfiguration mechanism that en-ables replacing compromised replicas with correct ones and updatethe corresponding quorum assumptions. A challenge here is to findan asynchronous implementation of reconfiguration in a systemwhere both clients and replicas are subject to Byzantine failuresthat can be manifested by arbitrary and even malicious behavior.In the world of selfishly driven blockchain users, a reconfigurationmechanism must be prepared for this.
Recently, a number of reconfigurable systems were proposed forasynchronous crash-fault environments [2, 3, 20, 24, 27, 35] thatwere first applied to (read-write) storage systems [2, 3, 20], andthen extended to max-registers [24, 35] and more general latticedata type [27].
These proposals tend to ensure that the clients reach a form ofβlooseβ agreement on the currently active configurations, whichcan be naturally expressed via the lattice agreement abstraction [8,17]. We allow clients to (temporarily) live in different worlds, aslong as these worlds are properly ordered. For example, we mayrepresent a configuration as a set of updates (additions and removalsof replicas) and require that all installed configurations should berelated by containment. A configuration becomes stale as soon asa new configuration representing a proper superset of updates isinstalled.
Challenges of Byzantine fault-tolerant reconfiguration. In thispaper, we focus on Byzantine fault-tolerant reconfiguration. Wehave to address here several challenges, specific to dynamic systemswith Byzantine faults, which does not allow to simply employ theexisting crash fault-tolerant solutions.
First, when we build a system out of lower-level components,we need to make sure that the outputs provided by these compo-nents are βauthenticβ. Whenever a (potentially Byzantine) processclaims to have obtained a value π£ (e.g., a new configuration esti-mate) from an underlying object (e.g., Lattice Agreement), it should
arX
iv:2
005.
1349
9v3
[cs
.DC
] 1
9 O
ct 2
021
Petr Kuznetsov and Andrei Tonkikh
also provide a proof π that can be independently verified by everycorrect process. The proof typically consists of digital signaturesprovided by a quorum of replicas of some configuration. We ab-stract this requirement out by equipping the object with a functionVerifyOutputValue that returns a boolean value, provided π£ andπ . When invoked by a correct process, the function returns true ifand only if π£ has indeed been produced by the object. When βchain-ingβ the objects, i.e., adopting the output π£ provided by an object π΄as an input for another object π΅, which is the typical scenario inour system, a correct process invokesπ΄.VerifyOutputValue(π£, π),where π is the proof associated with π£ by the implementation of π΄.This way, only values actually produced by π΄ can be used as inputsto π΅.
Second, we face the βI still work hereβ attack [1]. It is possiblethat a client that did not log into the system for a long time triesto access a stale configuration in which some quorum is entirelycompromised by the Byzantine adversary. The client can thereforebe provided with an inconsistent view on the shared data. Thus,before accepting a new configuration, we need to make sure thatthe stale ones are no longer capable of processing data requestsfrom the clients. We address this issue via the use of a forward-
secure signature scheme [10]. Intuitively, every replica is providedwith a distinct private key associated to each configuration. Beforea configuration is replaced with a newer one, at least a quorum ofits replicas are asked to destroy their private keys. Therefore, evenif the replicas are to become Byzantine in the future, they will notbe able to provide slow clients with inconsistent values. The staleconfiguration simply becomes non-responsive, as in crash-fault-tolerant reconfigurable systems.
Unfortunately, in an asynchronous system it is impossible tomake sure that replicas of all stale configurations remove theirprivate keys as it would require solving consensus [18]. However,as we show in this paper, it is possible to make sure that the con-figurations in which replicas do not remove their keys are neveraccessed by correct clients and are incapable of creating βproofsβfor output values.
Finally, there is a subtle, and quite interesting βslow readerβ
attack. Suppose that a client hears from almost all replicas in aquorum of the current configuration each holding a stale state,and not yet from the only correct replica in the quorum that hasthe up-to-date state. The client then falls asleep. Meanwhile, theconfiguration is superseded by a new one. As we do not make anyassumptions about the correctness of replicas in stale configura-tions, the replica that has not yet responded can be compromised.Moreover, due to asynchrony, this replica can still retain its orig-inal private key. The replica can then pretend to be unaware ofthe current state. Therefore, the slow client might still be able tocomplete its request in the superseded configuration and return astale state, which would violate the safety properties of the system.In Section 4, we give a detailed example of this attack and showthat it can be addressed by an additional, βconfirmingβ round-tripexecuted by the client.
Our contribution: Byzantine fault-tolerant reconfigurable services.
We provide a systematic solution to each of the challenges describedabove and present a set of techniques for building reconfigurable ser-vices in asynchronous model with Byzantine faults of both clients
and replicas. We consider a very strong adversary: any numberof clients can be Byzantine and, as soon as some configuration isinstalled, no assumptions are made about the correctness of replicasin any of the prior configurations.
Moreover, in our quest for a simple solution for the Byzantinemodel, we devised a new approach to building asynchronous re-configurable services by further exploring the connection betweenreconfiguration and lattice agreement [24, 27]. We believe that thisapproach can be effectively applied to crash fault-tolerant systemsas well. As we discuss in Section 5.2, the proposed protocol hasthe time complexity that is optimal even for crash fault-tolerantsystems.
Instead of trying to build a complex graph of configurations βonthe flyβ while simultaneously transferring the state between theseconfigurations, we start by simply assuming that we are alreadygiven a linear history (i.e., a sequence of configurations). We intro-duce the notion of a dynamic object β an object that can transfer itsown state between the configurations of a given finite linear his-tory and serve meaningful user requests. We then provide dynamicimplementations of several important object types, such as LatticeAgreement and Max-Register. We expect that other asynchronousstatic algorithms can be translated to the dynamic model usingsimilar techniques.
Finally, we present a general transformation that allows us tocombine any dynamic object with two Dynamic Byzantine Lattice
Agreement objects in such a way that together they constitutea single reconfigurable object, which exports a general-purposereconfiguration interface and supports all the operations of theoriginal dynamic object.
This paper is a revised and extended version of a conferencearticle [28].
Roadmap. The rest of the paper is organized as follows. Weoverview the model assumptions in Section 2 and define our prin-cipal abstractions in Section 3. In Section 4, we describe our imple-mentation of Dynamic Byzantine Lattice Agreement. In Section 5,we show how to use it to implement reconfigurable objects out ofdynamic ones. In Section 6, several possible implementations ofaccess control are discussed. We discuss related work in Section 7and conclude in Section 8.
The proof of correctness for our Dynamic Byzantine LatticeAgreement abstraction is delegated to Appendix A. Finally, as anapplication of our constructions, we provide an implementation ofa dynamic Max-Register in Appendix B.
2 SYSTEM MODEL
Processes and channels. We consider a system of processes. Aprocess can be a replica or a client. Let Ξ¦ and Ξ denote the (possiblyinfinite) sets of replicas and clients, resp., that potentially can takepart in the computation. At any point in a given execution, a processcan be in one of the four states: idle, correct, halted, or Byzantine.Initially, each process is idle. An idle process does not participatein the protocol. Once a process starts executing the protocol andas long as it does not execute the βhaltβ command and does notdeviate from the prescribed protocol, it is considered correct. Aprocess is halted if it executed the special βhaltβ command andstopped taking further steps. Finally, a process is Byzantine if it
Asynchronous Reconfiguration with Byzantine Failures
prematurely stops taking steps of the algorithm or takes stepsthat are not prescribed by it. A correct process can later halt orbecome Byzantine. However, the reverse is impossible: a halted orByzantine process cannot become correct. We assume that a processthat remains correct forever (we call such processes forever-correct)does not prematurely stop taking steps of its algorithm.
We assume asynchronous reliable authenticated point-to-pointlinks between each pair of processes [13]. If a forever-correct pro-cess π sends a message π to a forever-correct process π, then π
eventually deliversπ. Moreover, if a correct process π receives amessageπ from a process π at time π‘ , and π is correct at time π‘ ,then π has indeed sentπ to π before π‘ .
We assume that the adversary is computationally bounded sothat it is unable to break the cryptographic techniques, such asdigital signatures, forward security schemes [10] and one-way hashfunctions.
Configuration lattice. A join semi-lattice (or simply a lattice) isa tuple (L, β), where L is a set partially ordered by the binaryrelation β such that for all elements π₯,π¦ β L, there exists the leastupper bound for the set {π₯,π¦}, i.e., the element π§ β L such thatπ₯,π¦ β π§ and β π€ β L : if π₯,π¦ β π€ , then π§ β π€ . The least upperbound for the set {π₯,π¦} is denoted by π₯ β π¦. β is called the joinoperator. It is an associative, commutative, and idempotent binaryoperator on L. We write π₯ β π¦ whenever π₯ β π¦ and π₯ β π¦. We saythat π₯,π¦ β L are comparable iff either π₯ β π¦ or π¦ β π₯ .
For any (potentially infinite) set π΄, (2π΄, β) is a join semi-lattice,called the powerset lattice of π΄. For all π1, π2 β 2π΄ , π1 β π2 β π1 βπ2 and π1 β π2 β π1 βͺ π2.
A configuration is an element of a join semi-lattice (C, β). Weassume that every configuration is associated with a finite set ofreplicas via amap replicas : C β 2Ξ¦ , and a quorum system via amapquorums : C β 22
Ξ¦
, such that βπΆ β C : quorums(πΆ) β 2replicas (πΆ) .Additionally we assume that there is a map height : C β Z, suchthat βπΆ β C : height (πΆ) β₯ 0 and βπΆ1,πΆ2 β C : if πΆ1 β πΆ2, thenheight (πΆ1) < height (πΆ2). We say that a configuration πΆ is higher(resp., lower) than a configuration π· iff π· β πΆ (resp, πΆ β π·). Notethat βπΆ is higher than π·β implies βheight (πΆ) > height (π·)β, but notvice versa.
We say that quorums(πΆ) is a dissemination quorum system attime π‘ iff every two sets (also called quorums) in quorums(πΆ) haveat least one replica in common that is correct at time π‘ , and at leastone quorum is available (all its replicas are correct) at time π‘ .
A natural (but not the only possible) way to define the lattice Cis as follows: let Updates be {+,β} Γ Ξ¦, where tuple (+, π) meansβadd replica πβ and tuple (β, π) means βremove replica πβ. Then C isthe powerset lattice (2Updates, β). The mappings replicas, quorums,and height are defined as follows: replicas(πΆ) β {π β Ξ¦ | (+, π ) βπΆ β§ (β, π ) β πΆ}, It is straightforward to verify that quorums(πΆ) isa dissemination quorum system when strictly less than one thirdof replicas in replicas(πΆ) are faulty. Note that, when this lattice isused for configurations, once a replica is removed from the system,it cannot be added again with the same identifier. In order to addsuch a replica back to the system, a new identifier must be used.
Forward-secure digital signatures. In a forward-secure digital sig-nature scheme [10, 11, 16, 31], the public key of a process is fixed
while the secret key can evolve. Each signature is associated witha timestamp. To generate a signature with timestamp π‘ , the signeruses secret key skπ‘ . The signer can update its secret key and get skπ‘2from skπ‘1 if π‘1 < π‘2 β€ π .1 However βdowngradingβ the key to alower timestamp is computationally infeasible. Thus, if the signerupdates their secret key to some timestamp π‘ and then removes theoriginal secret key, it will not be able to sign new messages with atimestamp lower than π‘ , even if it later turns Byzantine.
For simplicity, we model a forward-secure signature scheme asan oracle which associates every process π with a timestamp stπ
(initially, stπ = 0). The oracle provides π with three operations:(1) UpdateFSKey(π‘) sets stπ to π‘ β₯ stπ ; (2) FSSign(π, π‘) returns asignature for messageπ and timestamp π‘ if π‘ β₯ stπ , otherwise it re-turns β₯; and (3) FSVerify(π, π, π , π‘) returns true iff π was generatedby invoking FSSign(π, π‘) by process π .2
In our protocols, we use the height of the configuration as thetimestamp. When a replica answers requests in configuration πΆ , itsigns messages with timestamp height (πΆ). When a higher configu-ration π· is installed, the replica invokes UpdateFSKey(height (π·)).This prevents the βI still work hereβ attack described in the intro-duction.
3 ABSTRACTIONS AND DEFINITIONS
In this section, we introduce principal abstractions of this paper(the access-control interface, Byzantine Lattice Agreement, Recon-figurable and Dynamic objects), state our quorum assumptions, andrecall the definitions of broadcast primitives used in our algorithms.
3.1 Access control and object composition
In our implementations and definitions, we parameterizesome abstractions by boolean functions VerifyInputValue(π£, π)and VerifyInputConfig(πΆ, π), where π is called a certifi-
cate. Moreover, some objects also export a boolean functionVerifyOutputValue(π£, π), which lets anyone to verify that thevalue π£ was indeed produced by the object. This helps us to dealwith Byzantine clients. In particular, it achieves three importantgoals.
First, the parameter VerifyInputConfig allows us to preventByzantine clients from reconfiguring the system in an undesirableway or flooding the system with excessively frequent reconfigura-tion requests. In Section 6, we propose three simple implementa-tions of this functionality: each reconfiguration request must besigned by a quorum of replicas of some configuration3 or by aquorum of preconfigured administrators.
Second, the parameter VerifyInputValue(π£, π) allows us to for-mally capture the application-specific notions of well-formed clientrequests and access control. For example, in a key-value storagesystem, each client can be permitted to modify only the key-valuepairs that were created by this client. In this case, the certificate πis just a digital signature of the client.
1π is a parameter of the scheme and can be set arbitrarily large (with a modest over-head). We believe thatπ = 232 orπ = 264 should be sufficient for most applications.2We assume that anyone who knows the id of a process also knows its public key. Forexample, the public key can be directly embedded into the identifier.3Additional care is needed to prevent the βslow readerβ attack. See Section 6 for moredetails.
Petr Kuznetsov and Andrei Tonkikh
Finally, the exported function VerifyOutputValue allows usto compose several distributed objects in such a way that theoutput of one object is passed as input for another one. Forexample, in Section 5, one object (HistLA) operates exclusivelyon outputs of another object (ConfLA). We use the parameterfunction VerifyInputValue of HistLA and the exported functionVerifyOutputValue of ConfLA to guarantee that a Byzantineclient cannot send to HistLA a value that was not produced byConfLA.
3.2 Byzantine Lattice Agreement abstraction
In this section we formally define Byzantine Lattice Agreement
abstraction (BLA for short), which serves as one of themain buildingblocks for constructing reconfigurable objects. Byzantine LatticeAgreement is an adaptation of Lattice Agreement [17] that cantolerate Byzantine failures of processes (both clients and replicas).It is parameterized by a join semi-lattice L, called the object lattice,and a boolean function VerifyInputValue : LΓΞ£β {true, false},where Ξ£ is a set of possible certificates. We say that π is a valid
certificate for input value π£ iff VerifyInputValue(π£, π) = true.We say that π£ β L is a verifiable input value in a given run iff
at some point in time in that run, some process knows a certificateπ that is valid for π£ , i.e., it maintains π£ and a valid certificate π
in its local memory. We require that the adversary is unable toinvert VerifyInputValue by computing a valid certificate for agiven value. This is the case, for example, when π must contain aset of unforgeable digital signatures.
The Byzantine Lattice Agreement abstraction exports one oper-ation and one function.4
β’ Operation Propose(π£, π) returns a response of the formβ¨π€, πβ©, where π£,π€ β L, π is a valid certificate for inputvalue π£ , and π is a certificate for output valueπ€ ;β’ Function VerifyOutputValue(π£, π) returns a booleanvalue.
Similarly to input values, we say that π is a valid certificate for outputvalue π€ iff VerifyOutputValue(π€, π) = true. We say that π€ is averifiable output value in a given run iff at some point in that run,some process knows π that is valid forπ€ .
Implementations of Byzantine Lattice Agreement must satisfythe following properties:β’ BLA-Validity: Every verifiable output value π€ is a join ofsome set of verifiable input values;β’ BLA-Verifiability: If Propose(. . .) returns β¨π€, πβ© to a correctprocess, then VerifyOutputValue(π€, π) = true;β’ BLA-Inclusion: If Propose(π£, π) returns β¨π€, πβ© to a correctprocess, then π£ β π€ ;β’ BLA-Comparability: All verifiable output values are compa-rable;β’ BLA-Liveness: If the total number of verifiable input valuesis finite, every call to Propose(π£, π) by a forever-correctprocess eventually returns.
For the sake of simplicity, we only guarantee liveness when thereare finitely many verifiable input values. This is sufficient for the
4Recall that, unlike an operation, a function can be computed locally, without commu-nicating with other processes, and the result only depends on the functionβs input.
purposes of reconfiguration, as it only guarantees liveness underthe assumption that only finitely many valid reconfiguration callsare issued. In practice, this assumption boils down to providingliveness when not βtoo manyβ conflicting values are concurrentlyproposed. The abstraction that provides unconditional liveness iscalled Generalized Lattice Agreement [17].
3.3 Reconfigurable objects
It is possible to define a reconfigurable version of every static dis-tributed object by enriching its interface and imposing some addi-tional properties. In this section, we define the notion of a reconfig-urable object in a very abstract way. By combining this definitionwith the definition of a Byzantine Lattice Agreement from Sec-tion 3.2, we obtain a formal definition of a Reconfigurable ByzantineLattice Agreement. Similar combination can be performed with thedefinition of any static distributed object (e.g., with the definitionof a Max-Register from Appendix B).
A reconfigurable object exports an operationUpdateConfig(πΆ, π), which can be used to reconfigure thesystem, and must be parameterized by a boolean functionVerifyInputConfig : C Γ Ξ£ β {true, false}, where Ξ£ is a setof possible certificates. Similarly to verifiable input values, wesay that πΆ β C is a verifiable input configuration in a given runiff at some point in that run, some process knows π such thatVerifyInputConfig(πΆ, π) = true.
We require the total number of verifiable input configurations tobe finite in any given infinite execution of the protocol. In practice,this boils down to assuming sufficiently long periods of stabilitywhen no new verifiable input configurations appear. This require-ment is imposed by all asynchronous reconfigurable storage sys-tems [1, 3, 27, 35] we are aware of, and, in fact, can be shown to benecessary [34].
When a correct replica π is ready to serve user requests in aconfiguration πΆ , it triggers upcall InstalledConfig(πΆ). We thensay that π installs configuration πΆ . At any given moment in time, aconfiguration is called installed if some correct replica has installedit and it is called superseded if some higher configuration is installed.
Each reconfigurable object must satisfy the following properties:β’ Reconfiguration Validity: Every installed configurationπΆ is ajoin of some set of verifiable input configurations. Moreover,all installed configurations are comparable;β’ Reconfiguration Liveness: Every call to UpdateConfig(πΆ, π)by a forever-correct client eventually returns. Moreover, πΆor a higher configuration will eventually be installed.β’ Installation Liveness: If some configuration πΆ is installed bysome correct replica, then πΆ or a higher configuration willeventually be installed by all correct replicas.
3.4 Dynamic objects
Reconfigurable objects are hard to build because they need to solvetwo problems at once. First, they need to order and combine con-current reconfiguration requests. Second, the state of the objectneeds to be transferred across installed configurations. We decouplethese two problems by introducing the notion of a dynamic object.Dynamic objects solve the second problem while βoutsourcingβ thefirst one.
Asynchronous Reconfiguration with Byzantine Failures
Before we formally define dynamic objects, let us first define thenotion of a history. In Section 2, we introduced the configurationlattice C. A finite set β β C is called a history iff all elementsof β are comparable (in other words, if they form a sequence).Let HighestConf(β) be πΆ β β such that β πΆ β² β β : πΆ β² β πΆ .HighestConf(β) is well-defined, as the configurations in β aretotally ordered.
Dynamic objects must export an operationUpdateHistory(β, π) and must be parameterized by a booleanfunction VerifyHistory : H Γ Ξ£β {true, false}, whereH is theset of all histories and Ξ£ is the set of all possible certificates. We saythat β is a verifiable history in a given run iff at some point in thatrun, some process knows π such that VerifyHistory(β, π) = true.A configurationπΆ is called candidate iff it belongs to some verifiablehistory. Also, a candidate configuration πΆ is called active iff it isnot superseded by a higher configuration.
As with verifiable input configurations, the total number of ver-ifiable histories is required to be finite. Additionally, we requireall verifiable histories to be related by containment (i.e., compa-rable w.r.t. β). Recall that a history is a totally ordered (w.r.t. β)set of configurations. Formally, if VerifyHistory(β1, π1) = true
and VerifyHistory(β2, π2) = true, then β1 β β2 or β2 β β1. Wediscuss how to build such histories in Section 5.
Similarly to reconfigurable objects, a dynamic object must havethe InstalledConfig(πΆ) upcall. The object must satisfy the fol-lowing properties:β’ Dynamic Validity: Only a candidate configuration can beinstalled by a correct replica;β’ Dynamic Liveness: Every call to UpdateHistory(β, π)by a forever-correct client eventually returns. Moreover,HighestConf(β) or a higher configuration will eventuallybe installed;β’ Installation Liveness (the same as for reconfigurable objects):If some configuration πΆ is installed by some correct replica,then πΆ or a higher configuration will eventually be installedby all correct replicas.
Note that Dynamic Validity implies that all installed configurationsare comparable, since all verifiable histories are related by contain-ment and all configurations within one history are comparable.
While reconfigurable objects provide general-purpose reconfig-uration interface, dynamic objects are weaker, as they require anexternal service to build comparable verifiable histories. As themain contribution of this paper, we show how to build dynamic ob-jects in a Byzantine environment and how to create reconfigurableobjects using dynamic objects as building blocks. We argue thatthis technique is applicable to a large class of objects.
3.5 Quorum system assumptions
Most fault-tolerant implementations of distributed objects imposesome requirements on the subsets of processes that can be faulty.We say that a configuration πΆ is correct at time π‘ iff replicas(πΆ) isa dissemination quorum system at time π‘ (as defined in Section 2).Correctness of our implementations of dynamic objects relies onthe assumption that active candidate configurations are correct.Once a configuration is superseded by a higher configuration, wemake no further assumptions about it.
For reconfigurable objects we impose a slightlymore conservativerequirement: every combination of verifiable input configurationsthat is not yet superseded must be correct. Formally, we require:
Quorum availability: Let πΆ1, . . . ,πΆπ be verifiable input con-figurations such that πΆ = πΆ1 β Β· Β· Β· βπΆπ is not superseded attime π‘ . Then we require quorums(πΆ) to be a disseminationquorum system at time π‘ .
Correctness of our reconfigurable objects relies solely on correct-ness of the dynamic building blocks. Formally, when π configura-tions are concurrently proposed, we require all possible combina-tions, i.e., 2π β 1 configurations, to be correct. However, in practice,at most π of them will be chosen to be put in verifiable histories,and only those configurations will be accessed by correct processes.We impose a more conservative requirement because we do notknow these configurations a priori.
3.6 Broadcast primitives
To make sure that no process is βleft behindβ, we assume that avariant of reliable broadcast primitive [13] is available. The primitivemust ensure two properties:
(1) If a forever-correct process π broadcasts a messageπ, thenπ eventually deliversπ;
(2) If some messageπ is delivered by a forever-correct process,every forever-correct process eventually deliversπ.
Note that we do not make any assumptions involving any processesthat are not forever-correct. In practice such a primitive can beimplemented by a gossip protocol [25]. This primitive is βglobalβin a sense that it is not bound to any particular configuration. Inpseudocode we use βRB-Broadcast β¨. . . β©β to denote a call to theβglobalβ reliable broadcast.
Additionally, we assume a βlocalβ uniform reliable broadcast prim-itive [13]. It has a stronger totality property: if some correct processπ delivered some messageπ, then every forever-correct processwill eventually deliverπ, even if π later turns Byzantine. This prim-itive can be implemented in a static system, provided a quorumsystem. As we deal with dynamic systems, we associate every broad-cast message with a fixed configuration and only guarantee theseproperties if the configuration is never superseded. Note that anystatic implementation of uniform reliable broadcast trivially guar-antees this property. In pseudocode we use βURB-Broadcast β¨. . . β©in πΆβ to denote a call to the βlocalβ uniform reliable broadcast inconfiguration πΆ .
4 DYNAMIC BYZANTINE LATTICE
AGREEMENT
Dynamic Byzantine Lattice Agreement abstraction (DBLA for short)is the main building block in our construction of reconfigurableobjects. Its specification is a combination of the specification ofByzantine Lattice Agreement (Section 3.2) and the specification ofa dynamic object (Section 3.4). It is summarized in Algorithm 1. Inthis section, we provide the implementation of DBLA and analyzethe time complexity of the solution. The proof of correctness isdelegated to Appendix A.
As we mentioned earlier, we use forward-secure digital signa-tures to guarantee that superseded configurations cannot affect
Petr Kuznetsov and Andrei Tonkikh
Algorithm 1 DBLA object specificationParameters:
1: Lattice of configurations C and the initial configuration Cinit β C2: The object lattice L and the initial value Vinit β L3: Boolean functions VerifyHistory(β, π) and VerifyInputValue(π£, π)
Interface:
4: operation Propose(π£ , π)5: operation UpdateHistory(β, π)6: function VerifyOutputValue(π£ , π)7: upcall InstalledConfig(πΆ)
Properties: BLA-Validity, BLA-Verifiability, BLA-Inclusion, BLA-Comparability, BLA-Liveness,8: Dynamic Validity, Dynamic Liveness, Installation Liveness
correct clients or forge certificates for output values. Ideally, beforea new configuration πΆ is installed (i.e., before a correct replica trig-gers InstalledConfig(πΆ) upcall), we would like to make sure thatthe replicas of all candidate configurations lower than πΆ invokeUpdateFSKey(height (πΆ)). However, this would require the replicato know the set of all candidate configurations lower than πΆ . Un-ambiguously agreeing on this set would require solving consensus,which is known to be impossible in a fault-prone asynchronoussystem [18].
Instead, we classify all candidate configurations in two categories:pivotal and tentative. A candidate configuration is called pivotal ifit is the highest configuration in some verifiable history. Otherwiseit is called tentative. A nice property of pivotal configurations isthat it is impossible to βskipβ one in a verifiable history. Indeed,if πΆ1 = HighestConf(β1) and πΆ2 = HighestConf(β2) and πΆ1 βπΆ2, then, since all verifiable histories are related by containment,β1 β β2 and πΆ1 β β2. This allows us to make sure that, before aconfigurationπΆ is installed, the replicas in all pivotal (and, possibly,some tentative) configurations lower than πΆ update their keys.
In order to reconfigure a DBLA object, a correct client mustuse reliable broadcast to distribute the new verifiable history.Each correct process π maintains, locally, the largest (with re-spect to β) verifiable history it delivered so far through reli-able broadcast. It is called the local history of process π andis denoted by historyπ . We use Chighestπ to denote the mostrecent configuration in πβs local history (i.e., Chighestπ =
HighestConf(historyπ )). Whenever a replica π updates historyπ ,it invokes UpdateFSKey(height (Chighestπ )). Recall that if at leastone forever-correct process delivers a message via reliable broad-cast, every other forever-correct process will eventually deliver itas well.
Similarly, each process π keeps track of all verifiable input valuesit has seen curValsπ β L Γ Ξ£, where L is the object lattice and Ξ£ isthe set of all possible certificates. Sometimes, during the executionof the protocol, processes exchange these sets. Whenever a processπ receives a message that contains a set of values with certificatesvs β L Γ Ξ£, it checks that the certificates are valid (i.e., β (π£, π) βvs : VerifyInputValue(π£, π) = true) and adds these values andcertificates to curValsπ .
4.1 Client implementation
The clientβs protocol is simple. The pseudocode for it is presentedin Algorithms 2 and 3. Note that we omit the subscript π in thepseudocode because each process can access only its own variablesdirectly.
As we mentioned earlier, the operation UpdateHistory(β, π) isimplemented as RB-Broadcast β¨NewHistory, β, πβ© (line 30). Therest of the reconfiguration process is handled by the replicas. Theprotocol for the operation Propose(π£, π) (lines 24β29) consists oftwo stages: proposing a value and confirming the result.
The first stage (proposing) mostly follows the implementationof lattice agreement by Faleiro et al. [17]. Client π repeatedlysends message β¨Propose, curValsπ , seqNumπ , πΆβ© to all replicasin replicas(πΆ), where Propose is the message descriptor, πΆ =
Chighestπ , and seqNumπ is a sequence number used by the clientto match sent messages with replies.
After sending these messages to replicas(πΆ), the client waitsfor responses of the form β¨ProposeResp, vs, sig, snβ©, whereProposeResp is the message descriptor, vs is the set of all ver-ifiable input values known to the replica with valid certificates(including those sent by the client), sig is a forward-secure signa-ture with timestamp height (πΆ), and sn is the same sequence numberas in the message from the client.
During the first stage, one of the following cases can take place:(1) the client learns about some new verifiable input values fromone of the ProposeResp messages; (2) the client updates its localhistory (by delivering it through reliable broadcast); and (3) theclient receives a quorum of valid replies with the same set of verifi-able input values. In the latter case, the client proceeds to the secondstage. In the first two cases, the client simply restarts the operation.Recall that, according to the BLA-Liveness property, terminationof client requests is only guaranteed when the number of verifi-able input values is finite. Additionally, the number of verifiablehistories is assumed to be finite. Hence, the number of restarts willalso be finite. This is the main intuition behind the liveness of theclientβs protocol.
The example in Figure 1 illustrates how the first stage of thealgorithm ensures the comparability of the results when no recon-figuration is involved. In this example, clients π and π concurrentlypropose values {1} and {2}, respectively, from the lattice L = 2N.
Asynchronous Reconfiguration with Byzantine Failures
Algorithm 2 DBLA: code for client π (part 1)Parameters:
9: Lattice of configurations C and the initial configuration Cinit
10: The object lattice L and the initial value Vinit
11: Boolean functions VerifyHistory(β, π) and VerifyInputValue(π£, π)Global variables:
12: history β C, initially {Cinit} β² local history of this process13: π
historyβ Ξ£, initially β₯ β² proof for the local history
14: curVals β L Γ Ξ£, initially {β¨Vinit,β₯β©} β² known verifiable input values with proofs15: status β {inactive, proposing, confirming}, initially inactive
16: seqNum β Z, initially 0 β² used to match requests with responses17: acks1, initially β β² a set of pairs of form β¨processId, sigβ©18: acks2, initially β β² a set of pairs of form β¨processId, sigβ©
Auxiliary functions:
19: HighestConf(β) β² returns the highest configuration in history β20: ContainsQuorum(acks,πΆ) β² returns true iff βπ β quorums(πΆ) such that βπ β π : β¨π, ββ© β acks
21: JoinAll(vs) β² returns the lattice join of all elements in vs
22: VerifyInputValues(vs) β² returns true iff ββ¨π£, πβ© β vs : VerifyInputValue(π£, π)23: FSVerify(π, π, π , π‘) β² verifies forward-secure signature (see Section 2)
24: operation Propose(π£ , π)25: Refine({β¨π£, πβ©})26: wait for ContainsQuorum(acks2,HighestConf(history))27: statusβ inactive
28: let π = β¨curVals, history, πhistory
, acks1, acks2β©29: return β¨JoinAll(curVals), πβ©
30: operation UpdateHistory(β, π)31: RB-Broadcast β¨NewHistory, β, πβ©
32: function VerifyOutputValue(π£ , π)33: if π = β₯ then return π£ = Vinit
34: let β¨vs, β, πβ, proposeAcks, confirmAcksβ© = π
35: let πΆ = HighestConf(β)36: return JoinAll(vs) = π£ β§ VerifyHistory(β, πβ)37: β§ ContainsQuorum(proposeAcks,πΆ) β§ ContainsQuorum(confirmAcks,πΆ)38: β§ β β¨π, π β© β proposeAcks : FSVerify(β¨ProposeResp, vsβ©, π , π , height (πΆ))39: β§ β β¨π, π β© β confirmAcks : FSVerify(β¨ConfirmResp, proposeAcksβ©, π , π , height (πΆ))
Client π successfully returns the proposed value {1} while clientπ is forced to refine its proposal and return the combined value{1, 2}. The quorum intersection prevents the clients from returningincomparable values (e.g., x{1} and {2}).
In the second (confirming) stage of the protocol, the client simplysends the acknowledgments it has collected in the first stage tothe replicas of the same configuration. The client then waits for aquorum of replicas to reply with a forward-secure signature withtimestamp height (πΆ).
The example in Figure 2 illustrates how reconfiguration can in-terfere with an ongoing Propose operation in what we call theβslow readerβ attack, and how the second stage of the protocolprevents a safety violation. Imagine that a correct client completedthe Propose operation and received value {2} before client π startedthe execution. As a result, all correct replicas in quorum {π1, π3, π4}store value {2}. Then client π executes Propose({1}, π), where π isa valid certificate for input value {1}. Due to the BLA-Comparability,
BLA-Inclusion, and BLA-Validity properties of Byzantine LatticeAgreement, the only valid output value for client π is {1, 2} (as-suming that there are no other verifiable input values). The clientsuccessfully reaches replicas π2 and π3 before the reconfiguration.Neither π1 nor π2 tells the client about the input value {2}: π2 isoutdated and π3 is Byzantine. The message from π to π1 is delayed.Meanwhile, a new configuration is installed, and all replicas of theoriginal configuration become Byzantine. When the message fromπ finally reaches π1, the replica is already Byzantine and it can pre-tend that it has not seen any verifiable input values other than {1}.The client then finishes the first stage of the protocol with value{1}. Returning this value from from the Propose operation wouldviolate BLA-Comparability.
Luckily, the second stage of the protocol prevents the safety vio-lation. Since replicas π2 and π4 updated their private keys during thereconfiguration, they are unable to send the signed confirmationswith timestamp height (πΆ) to the client. Hence, the client will not
Petr Kuznetsov and Andrei Tonkikh
Algorithm 3 DBLA: code for client π (part 2)
40: procedure Refine(vs)41: acks1 β β ; acks2 β β 42: curValsβ curVals βͺ vs
43: seqNumβ seqNum + 144: statusβ proposing
45: let πΆ = HighestConf(history)46: send β¨Propose, curVals, seqNum, πΆβ© to replicas(πΆ)
47: upon ContainsQuorum(acks1,HighestConf(history))48: statusβ confirming
49: let πΆ = HighestConf(history)50: send β¨Confirm, acks1, seqNum, πΆβ© to replicas(πΆ)
51: upon receive β¨ProposeResp, vs, sig, snβ© from replica π52: let sigValid = FSVerify(β¨ProposeResp, vsβ©, π , sig, height (HighestConf(history)))53: if status = proposing β§ sn = seqNum β§ sigValid then
54: if vs β curVals β§ VerifyInputValues(vs \ curVals) then Refine(vs)55: else if vs = curVals then acks1 β acks1 βͺ {β¨π, sigβ©}
56: upon receive β¨ConfirmResp, sig, snβ© from replica π57: let sigValid = FSVerify(β¨ConfirmResp, acks1β©, π , sig, height (HighestConf(history)))58: if status = confirming β§ sn = seqNum β§ sigValid then acks2 β acks2 βͺ {β¨π, sigβ©}
59: upon RB-deliver β¨NewHistory, β, πβ© from any sender60: if VerifyHistory(β, π) β§ history β β then
61: history β β; πhistory
β π
62: if status β {proposing, confirming} then Refine(β )
π
π4
π1
π2
π3
π
{1}
{}
{}
{}
{2}
{1}
{1}
{1}
{}
{2} {1,2}
{2}
{1,2}
{1,2}
{2}
{1,2}
{1} {1,2}
"
"
Figure 1: An example execution of two concurrent Propose
operations. Solid black arrows and dashed blue arrows rep-
resent the messages exchanged in the first and the second
stages of theProposeprotocol respectively. The sets of num-
bers represent the sets of verifiable input values known to
the processes. Replica π3 is Byzantine and always responds
to Propose messages with the same set of verifiable input
values as in the incoming itself.
be able to complete the operation in configuration πΆ and will waituntil it receives a new verifiable history via reliable broadcast andwill restart the operation in a higher configuration.
The certificate for the output value π£ β L produced by thePropose protocol in a configuration πΆ consists of: (1) the set of
π
π4
π1
π2
π3
{1}
{2}
{2}
{1}
"
{1} restart
{} {1}
new replicas
{1, 2}
Figure 2: An example execution of a Propose operation con-
current with a reconfiguration. The notation follows the
convention from Figure 1. Additionally, dotted red lines rep-
resent the messages exchanged during reconfiguration, the
symbol means that the replica has updated its private key
and can no longer serve client requests in this configuration,
and the symbol means that the replica has become Byzan-
tine.
verifiable input values (with certificates for them) from the firststage of the algorithm (the join of all these values must be equal toπ£); (2) a verifiable history (with a certificate for it) that confirms that
Asynchronous Reconfiguration with Byzantine Failures
πΆ is pivotal (i.e., for which πΆ is the highest configuration); (3) thequorum of signatures from the first stage of the algorithm; and(4) the quorum of signatures from the second stage of the algorithm.Intuitively, the only way for a Byzantine client to obtain such acertificate is to benignly follow the Propose protocol.
It is important that only pivotal configurations can producevalid certificates because non-pivotal (tentative) configurationsmay contain fully compromised quorums with non-updated privatekeys for the forward-secure digital signature scheme.
4.2 Replica implementation
The pseudocode for the replicas is presented in Algorithms 4 and 5.Each replica π maintains, locally, its current configuration (de-
noted by Ccurrπ ) and the last configuration installed by this replica
(denoted by Cinstπ ). Cinstπ β Ccurrπ β Chighestπ . Intuitively,Ccurrπ = πΆ means that replica π knows that there is no need to trans-fer state from configurations lower thanπΆ , either because π alreadyperformed the state transfer from those configurations, or becauseit knows that sufficiently many other replicas did. Cinstπ = πΆ meansthat the replica knows that sufficiently many replicas in πΆ haveup-to-date states, and that configuration πΆ is ready to serve userrequests.
As we saw earlier, each client message is associated with someconfiguration πΆ . The replica only processes the message when πΆ =
Cinstπ = Ccurrπ = Chighestπ . If πΆ β Chighestπ , the replica simplyignores the message. Due to the properties of reliable broadcast,the client will eventually learn about Chighestπ and will repeat itsrequest there (or in an even higher configuration). If Cinstπ β πΆ
and Chighestπ β πΆ , the replica waits until πΆ is installed beforeprocessing the message. Finally, if πΆ is incomparable with Cinstπ
or Chighestπ , then, since all candidate configurations are requiredto be comparable, the message is sent by a Byzantine client and thereplica should ignore it.
When a correct replica π receives a Proposemessage (line 72), itadds the newly learned verifiable input values to curValsπ and sendscurValsπ back to the client with a forward-secure signature withtimestamp height (πΆ). When a correct replica receives a Confirmmessage (line 79), it simply signs the set of acknowledgments init with a forward-secure signature with timestamp height (πΆ) andsends the signature to the client.
A very important part of the replicaβs implementation is the statetransfer protocol. The pseudocode for it is presented in Algorithm 5.Let Cnextπ be the highest configuration in historyπ such that π βreplicas(Cnextπ ). Whenever Ccurrπ β Cnextπ , the replica tries toβmoveβ toCnextπ by reading the current state from all configurationsbetween Ccurrπ and Cnextπ one by one in ascending order (line 90).In order to read the current state from configuration πΆ β Cnextπ ,replica π sends message β¨UpdateRead, seqNumπ , πΆβ© to all replicasin replicas(πΆ). In response, each replica π1 β replicas(πΆ) sendscurValsπ1 to π in anUpdateReadRespmessage (line 103). However,π1 replies only after its private key is updated to a timestamp largerthan height (πΆ) (line 102). We maintain the invariant (line 100) thatfor every correct replica π, the timestamp stπ is always equal toheight (Chighestπ).
If π receives a quorum of replies from the replicas ofπΆ , there aretwo distinct cases:
β’ πΆ is still active at the moment when π receives the last ac-knowledgment. In this case, the quorum intersection prop-erty still holds for πΆ , and replica π can be sure that (1) ifsome Propose operation has completed in configurationπΆ or reached the second stage with some set of verifiableinput values vs, then π£π β curValsπ ; and (2) if some Proposeoperation has not yet reached the second stage, it will notbe able to complete in configuration πΆ (it will have to retryin a higher configuration, see the example in Figure 2).β’ πΆ is already superseded by the time π receives the last ac-knowledgment. This means that some configuration higherthan πΆ is installed, and the state from configuration πΆ wasalready transferred to that higher configuration. We refer toAppendix A for more formal proofs.
If a configuration πΆ is superseded before π receives enoughreplies, it may happen that π will never be able to collect a quorumof replies from πΆ . However, in this case, π will eventually discoverthat some higher configuration is installed, and it will updateCcurrπ
(line 109). The waiting on line 92 will terminate due to the first partof the condition (πΆ β Ccurr).
When a correct replica completes transferring the state to someconfiguration πΆ , it notifies other replicas about it by broadcastingmessage UpdateComplete in configuration πΆ (line 95). A correctreplica installs a configuration πΆ if it receives such messages froma quorum of replicas in πΆ (line 106). Because we want our protocolto satisfy the Installation Liveness property (if one correct replicainstalls a configuration, every forever-correct replica must eventu-ally install this or a higher configuration), the UpdateComplete
messages are distributed through the uniform reliable broadcastprimitive that we introduced in Section 3.6.
4.3 Time complexity
In our analysis we assume that the time complexity of the reli-able broadcast primitive, which we use to disseminate verifiablehistories, is constant. With this assumption, it is easy to see thatthe worst-case time complexity of our DBLA implementation isπ (π +π), whereπ is the number of verifiable input values and π isthe size of the largest verifiable history. Indeed, the time complexityis proportional to the number of calls to Refine. There are onlytwo reasons why a client may call Refine: either it learns abouta new verifiable input value (line 54), which may happen at mostπ times or it learns about a new verifiable history (line 62), whichmay happen at most π times.
As for the complexity of the state transfer protocol, it is linearin the size of the largest verifiable history π . Because a replicaadvances the Ccurr variable at the end of state transfer (line 94),each of the π candidate configurations is accessed at most once byeach replica, and in each configuration, our state transfer protocolmakes a constant number of steps.
4.4 Implementing other dynamic objects
While we do not provide any general approach for building dynamicobjects, we expect that most asynchronous Byzantine fault-tolerantstatic algorithms can be adapted to the dynamic case by applyingthe same set of techniques. These techniques include our statetransfer protocol (relying on forward-secure signatures), the use of
Petr Kuznetsov and Andrei Tonkikh
Algorithm 4 DBLA: code for replica π (part 1)
Parameters: C, L, Cinit, Vinit, VerifyHistory(β, π), and VerifyInputValue(π£, π) (see Algorithm 2)Global variables:
63: history β C, initially {Cinit} β² local history of this process64: curVals β L Γ Ξ£, initially {β¨Vinit,β₯β©} β² known verifiable input values with proofs65: Ccurr β C, initially Cinit β² current configuration66: Cinst β C, initially Cinit β² installed configuration67: seqNum β Z, initially 0 β² used to match requests with responses68: inStateTransfer β {true, false}, initially false
Auxiliary functions:
69: HighestConf, ContainsQuorum, JoinAll, VerifyInputValues (see Algorithm 2).70: FSSign(message, timestamp) β² produces a forward-secure signature (see Section 2)71: UpdateFSKey(π‘) β² updates the signing timestamp (see Section 2)
72: upon receive β¨Propose, vs, sn, πΆβ© from client π73: wait for πΆ = Cinst β¨ HighestConf(history) @ πΆ
74: if πΆ = HighestConf(history) β§ VerifyInputValues(vs \ curVals) then75: curValsβ curVals βͺ vs
76: let sig = FSSign(β¨ProposeResp, curValsβ©, height (πΆ))77: send β¨ProposeResp, curVals, sig, snβ© to π
78: else ignore the message
79: upon receive β¨Confirm, proposeAcks, sn, πΆβ© from client π80: wait for πΆ = Cinst β¨ HighestConf(history) @ πΆ
81: if πΆ = HighestConf(history) then82: let sig = FSSign(β¨ConfirmResp, proposeAcksβ©, height (πΆ))83: send β¨ConfirmResp, sig, snβ© to π
84: else ignore the message
VerifyInputValue
ConfLA HistLA
VerifyHistory
VerifyInputValue
external parameter
VerifyInputConfig DObj
Figure 3: The structure of dependencies in our implemen-
tation of a reconfigurable object. The arrow from object π΄
to object π΅ represents a dependency of object π΄ on object π΅.
The label next to the arrow reflects the nature of this depen-
dency.
an additional round-trip to prevent the βslow readerβ attack, andthe structure of our cryptographic proofs ensuring that tentativeconfigurations cannot create valid certificates for output values.To illustrate this, in Appendix B, we present the dynamic versionof Max-Register [5]. We also discuss the dynamic version of theAccess Control abstraction in Section 6.
5 IMPLEMENTING RECONFIGURABLE
OBJECTS
While dynamic objects are important building blocks, they are notparticularly useful by themselves because they require an exter-nal source of comparable verifiable histories. In this section, weshow how to combine several dynamic objects to obtain a singlereconfigurable object. Similar to dynamic objects, the specificationof a reconfigurable object can be obtained as a combination of thespecification of a static object with the specification of an abstractreconfigurable object from Section 3.3. In particular, compared tostatic objects, reconfigurable objects have one more operation βUpdateConfig(πΆ, π), must be parameterized by a boolean func-tion VerifyInputConfig(πΆ, π), and must satisfy ReconfigurationValidity, Reconfiguration Liveness, and Installation Liveness.
We build a reconfigurable object by combining three dynamic
ones. The first one is the dynamic object that executes clientsβoperations (let us call it DObj). For example, in order to implementa reconfigurable version of Byzantine Lattice Agreement, one needsto take a dynamic version of Byzantine Lattice Agreement as DObj.Similarly, in order to implement a reconfigurable version of Max-Register [5], one needs to take a dynamic version of Max-Registeras DObj (see Appendix B). The two remaining objects are usedto build verifiable histories: ConfLA is a DBLA operating on theconfiguration lattice C, and HistLA is a DBLA operating on thepowerset lattice 2C . The relationships between the three dynamicobjects are depicted in Figure 3.
Asynchronous Reconfiguration with Byzantine Failures
Algorithm 5 DBLA: code for replica π (part 2)β² State transfer
85: upon Ccurr β HighestConf({πΆ β history | π β replicas(πΆ)}) β§ not inStateTransfer
86: let Cnext = HighestConf({πΆ β history | π β replicas(πΆ)})87: let π = {πΆ β history | Ccurr β πΆ β Cnext}88: inStateTransfer β true
89: seqNumβ seqNum + 190: for each πΆ β π in ascending order do91: send β¨UpdateRead, seqNum, πΆβ© to replicas(πΆ)92: wait for (πΆ β Ccurr) β¨ (responses from any π β quorums(πΆ) with s.n. seqNum)93: if Ccurr β Cnext then
94: Ccurr β Cnext
95: URB-Broadcast β¨UpdateCompleteβ© in Cnext
96: inStateTransfer β false
97: upon RB-deliver β¨NewHistory, β, πβ© from any sender98: if VerifyHistory(β, π) β§ history β β then
99: history β β
100: UpdateFSKey(height (HighestConf(history)))
101: upon receive β¨UpdateRead, sn, πΆβ© from replica π β²102: wait for πΆ β HighestConf(history) β² only reply after UpdateFSKey103: send β¨UpdateReadResp, curVals, snβ© to π β²
104: upon receive β¨UpdateReadResp, vs, snβ© from replica π β²105: if VerifyInputValues(vs \ curVals) then curValsβ curVals βͺ vs
106: upon URB-deliver β¨UpdateCompleteβ© in πΆ from quorum π β quorums(πΆ)107: wait for πΆ β history
108: if Cinst β πΆ then
109: if Ccurr β πΆ then Ccurr β πΆ
110: Cinst β πΆ
111: trigger upcall InstalledConfig(πΆ)112: if π β replicas(πΆ) then halt
The pseudocode is presented in Algorithm 6. All data operationsare performed directly on DObj. To update a configuration, theclient first submits its proposal to ConfLA and then submits theresult as a singleton set to HistLA. Due to the BLA-Comparabilityproperty, all verifiable output values produced by ConfLA are com-parable, and any combination of them would create a well-formedhistory as defined in Section 3.4. Moreover, the verifiable outputvalues of HistLA are related by containment, and, therefore, canbe used as verifiable histories in dynamic objects. We use them toreconfigure all three dynamic objects (lines 123β125).
Cryptographic keys. In Algorithm 6, we use several dynamic ob-jects. We assume that correct replicas have separate public/privatekey pairs for each dynamic object. This prevents replay attacksacross objects and allows each dynamic object to manage its keysseparately. We discuss how to avoid this assumption later in thissection.
5.1 Proof of correctness
In the following two lemmas we show that we use the dynamicobjects (ConfLA, HistLA, and DObj) correctly, i.e., all requirementsimposed on verifiable histories are satisfied.
Lemma 5.1. All histories passed to the dynamic objects by correct
processes (lines 123β125) are verifiable with VerifyHistory (line 133).
Proof. Follows from the BLA-Verifiability property of HistLA.β‘
Lemma 5.2. All histories verifiable with VerifyHistory (line 133)
are (1) well-formed (that is, consist of comparable configurations)
and (2) related by containment. Moreover, (3) in any given infinite
execution, there is only a finite number of histories verifiable with
VerifyHistory.
Proof. (1) follows from the BLA-Comparability property ofConfLA, the BLA-Validity property of HistLA, and the definition ofHistLA.VerifyInputValue (line 129).
(2) follows directly from the BLA-Comparability property ofHistLA.
(3) follows from the requirement of finite number of verifiableinput configurations and the BLA-Validity property of ConfLA andHistLA. Only a finite number of configurations can be formed byConfLA out of a finite number of verifiable input configurations,and only a finite number of histories can be formed by HistLA outof the configurations produced by ConfLA. β‘
Petr Kuznetsov and Andrei Tonkikh
Algorithm 6 Reconfigurable objectβ² Common codeParameters:
113: Lattice of configurations C and the initial configuration Cinit
114: Boolean function VerifyInputConfig(πΆ, π)115: Dynamic object DObj, which we want to make reconfigurable
Shared objects:
116: DObj β² the dynamic object being transformed117: ConfLA β² DBLA on lattice C118: HistLA β² DBLA on lattice 2C
β² Code for client π119: Data operations are performed directly on DObj.
120: operation UpdateConfig(πΆ , π)121: let β¨π·, ππ· β© = ConfLA.Propose(πΆ, π)122: let β¨β, πββ© = HistLA.Propose({π·}, ππ· )123: DObj.UpdateHistory(β, πβ)124: ConfLA.UpdateHistory(β, πβ)125: HistLA.UpdateHistory(β, πβ)
β² Code for replica π126: upon receive upcall InstalledConfig(πΆ) from all DObj, ConfLA, and HistLA
127: trigger upcall InstalledConfig(πΆ)
β² Parameters specification128: function ConfLA.VerifyInputValue(π£ , π) = VerifyInputConfig(π£, π)129: function HistLA.VerifyInputValue(π£ , π)130: if π£ is not a set of 1 element then return false
131: let {πΆ} = π£
132: return ConfLA.VerifyOutputValue(πΆ, π)β² All dynamic objects are parameterized with the same VerifyHistory function.
133: function VerifyHistory(β, π) = HistLA.VerifyOutputValue(β, π)
Theorem 5.3 (Transformation safety). Our implementation
satisfies the Reconfiguration Validity property of a reconfigurable
object. That is, (1) every installed configurationπΆ is a join of some set
of verifiable input configurations; and (2) all installed configurations
are comparable.
Proof. (1) follows from the BLA-Validity property of ConfLA
and HistLA and the Dynamic Validity property of the underlyingdynamic objects. (2) follows directly from the Dynamic Validityproperty of the underlying dynamic objects. β‘
Theorem 5.4 (Transformation liveness). Our implementation
satisfies the liveness properties of a reconfigurable object: Reconfigu-
ration Liveness and Installation Liveness.
Proof. Reconfiguration Liveness follows from the BLA-Livenessproperty of ConfLA and HistLA and the Dynamic Liveness propertyof the underlying dynamic objects. Installation Liveness followsfrom line 126 of the implementation and the Installation Livenessof the underlying dynamic objects. β‘
5.2 Discussion
Time complexity. By accessing ConfLA and then HistLA, we min-imize the number of configurations that should be accessed for
a consistent configuration shift. Indeed, due to the BLA-Validityproperty of ConfLA and HistLA, when π reconfiguration requestsare executed concurrently, at most π new verifiable histories will becreated and the total number of candidate configurations will notexceed π + 1 (including the initial configuration). As a result, onlyπ (π) configurations are accessed for state transfer, similar to [20]and [35]. In contrast, in DynaStore [2], a client might have to accessup to Ξ©(min{ππ, 2π }) configurations, whereπ is the number ofconcurrent data operations.
Additionally, every reconfiguration request involves two invo-cations of DBLA.Propose. The worst-case latency of our DBLAPropose implementation is π (π +π), whereπ is the number ofverifiable input values. In this case,π = π . Hence, the worst-caselatency of a reconfiguration request is linear with respect to thenumber of verifiable input configurations, which is known to beoptimal even for crash fault-tolerant systems [35].5
Bootstrapping. The relationship between lattice agreement andreconfiguration has been studied before [24, 27]. In particular, as
5The analogy for the number of verifiable input configurations in crash fault-tolerantsystems is the number of reconfiguration requests. In the context of Byzantine fault-tolerant systems, we have to talk about the number of verifiable input configurationsinstead because a single Byzantine client can simulate an infinite sequence of requests.
Asynchronous Reconfiguration with Byzantine Failures
shown in [24], lattice agreement can be used to build compara-ble configurations. We take a step further and use two separateinstances of lattice agreement: one to build comparable configura-tions (ConfLA) and the other to build histories out of them (HistLA).These two LA objects can then be used to reconfigure a singledynamic object (DObj).
However, this raises a question: how to reconfigure the latticeagreement objects themselves? We found the answer in the ideathat is sometimes referred to as βbootstrappingβ. We use the latticeagreement objects to reconfigure themselves and at least one other
object. This implies that the lattice agreement objects share theconfigurations with DObj. The most natural implementation is thatthe code for all three dynamic objects (ConfLA, HistLA, and DObj)will be executed by the same set of replicas.
Bootstrapping is a dangerous technique because, if applied badly,it can lead to infinite recursion. However, we structured our solutionin such a way that there is no recursion at all: the client first makesnormal requests to ConfLA and HistLA and then uses the resultinghistory to reconfigure all dynamic objects, as if this history wasobtained by the client from the outside of the system. It is importantto note that liveness of the call HistLA.VerifyOutputValue(β, π)is not affected by reconfiguration: the function simply checks somedigital signatures and is guaranteed to always terminate givenenough processing time.
Shared parts. All implementations of dynamic objects presentedin this paper have a similar structure. For example, they all sharethe same state transfer implementation (see Algorithm 5). However,we do not deny the possibility that other implementations of otherdynamic objects might have very different implementations. There-fore, in our transformation we use DObj as a βblack boxβ and donot make any assumptions about its implementation. Moreover, forsimplicity, we use the two DBLA objects as βblack boxesβ as well.In fact, ConfLA and HistLA may have different implementationsand the transformation will still work as long as they satisfy thespecification from Section 3. However, this comes at a cost.
In particular, if implemented naively, a single reconfigurableobject will run several independent state transfer protocols, anda single correct replica will have several private/public key pairs(as mentioned earlier in this section). But if, as in this paper, alldynamic objects have similar implementations of their state trans-fer protocols, this can be done more efficiently by combining allstate transfer protocols into one, which would need to transfer thestates of all dynamic objects and make sure that the supersededconfigurations are harmless.
6 ACCESS CONTROL
Our implementation of reconfigurable objects relies on the pa-rameter function VerifyInputConfig. Moreover, if we apply ourtransformation from Section 5 to our implementation of DBLA fromSection 4, the resulting reconfigurable object will rely on the pa-rameter function VerifyInputValue. The implementation of theseparameters is highly application-specific. For example, in a storagesystem, it is reasonable to only allow requests that modify somedata if they are accompanied by a digital signature of the owner ofthe data. For the sake of completeness, in this section, we presentthree generic implementations for these parameter functions. We
believe that each of these implementations is suitable for someapplications.
In order to do this, we introduce the Access Control object. Itexports one operation and one function:
β’ Operation ReqestCert(π£) returns a certificate π , whichcan be verified with VerifyCert(π£, π), or the special valueβ₯, indicating that the permission was denied;β’ Function VerifyCert(π£, π) returns a boolean value.
The implementation of Access Control must satisfy the followingproperty:
β’ Certificate Verifiability: If ReqestCert(π£) returned π to acorrect process, then VerifyCert(π£, π) = true.
In Sections 6.1β6.3, we present three different implementationsof the dynamic version of the Access Control object, and in Sec-tion 6.4, we show how to use it in order to implement the parameterfunctions VerifyInputValue and VerifyInputConfig.
6.1 Trusted administrators
A naive yet common approach to dynamic systems is to have apre-configured trusted administrator, who signs the reconfigura-tion requests. However, if the administratorβs private key is lost,the system might lose liveness, and if it is compromised, the sys-tem might lose even safety. A more viable approach is to have πadministrators and to require π + 1 of them to sign every certificate,for some π and π such that 0 β€ π < π. In this case, the system willβsurviveβ up to π keys being compromised and up to πβ (π +1) keysbeing lost.
6.2 Sanity-check approach
One of the simplest implementations of access control in a staticsystem is to require at least π + 1 replicas to sign each certificate,where π is the maximal possible number of Byzantine replicas,sometimes called the resilience threshold. The correct replicas canperform some application-specific sanity checks before approvingrequests.
The key property of this approach is that it guarantees thateach valid certificate is signed by at least one correct replica. Inmany cases, this is sufficient to guarantee resilience both againstthe Sybil attacks [15] and against attempts to flood the systemwith reconfiguration requests. The correct replicas can check theidentities of the new participants and refuse to sign excessivelyfrequent requests.
In dynamic asynchronous systems, just providingπ+1 signaturesis not sufficient. Despite the use of forward-secure signatures, ina superseded pivotal configuration there might be significantlymore than π Byzantine replicas with their private keys not removed(in fact, at least 2π). The straightforward way to implement thispolicy in a dynamic system is to add the confirming phase, as inour implementation of Dynamic Byzantine Lattice Agreement (seeSection 4), after collecting π + 1 signed approvals. The confirmingphase guarantees that, during the execution of the first phase, theconfiguration was active. The state transfer protocol should be thesame as for DBLA with the exception that no actual state is beingtransferred. The only goal of the state transfer protocol in this case
Petr Kuznetsov and Andrei Tonkikh
Algorithm 7 Vote-Based Dynamic Access Controlβ² Code for client π
134: operation ReqestCert(π£)135: let πΆ = HighestConf(history)136: seqNumβ seqNum + 1 β² used to match requests with responses
β² Phase one: request137: send β¨Request, π£ , seqNum, πΆβ© to replicas(πΆ)138: β² βenoughβ means π + 1 (Section 6.2) or a quorum (Section 6.3).139: wait for (HighestConf(history) β πΆ) β¨ (received enough Yes-votes with valid signatures)140: β¨ (received a quorum of votes in total)141: if HighestConf(history) β πΆ then restart the operation (goto line 135)142: if received not enough valid Yes-votes then return β₯ β² access denied143: let acks1 = {Yes-votes received on line 140}
β² Phase two: confirm144: send β¨Confirm, acks1, seqNum, πΆβ© to replicas(πΆ)145: wait for (HighestConf(history) β πΆ) β¨ (a quorum of replies with valid signatures)146: if HighestConf(history) β πΆ then restart the operation (goto line 135)147: let acks2 = {acknowledgments received on line 145}
β² Return certificate148: return β¨history, π
history, acks1, acks2β©
β² Code for replica π149: upon receive β¨Request, π£ , sn, πΆβ© from client π150: wait for πΆ = Cinst β¨πΆ β HighestConf(history)151: if πΆ = HighestConf(history) then152: if VoteYes(π£) then send β¨Yes, FSSign(β¨Yes, π£, πβ©, height (πΆ)), snβ© to π
153: else send β¨No, snβ© to π
154: upon receive β¨Confirm, acks, sn, πΆβ© from client π155: wait for πΆ β history
156: if πΆ = HighestConf(history) then157: let sig = FSSign(β¨ConfirmResp, acksβ©, height (πΆ))158: send β¨ConfirmResp, sig, snβ© to π
is to make sure that the replicas update their private keys before anew configuration is installed.
This and the following approach can be generally describedas βvote-basedβ access control policies. The pseudocode for theirdynamic implementation is presented in Algorithm 7.
6.3 Quorum-based approach (βon-chain
governanceβ)
A more powerful strategy in a static system is to require a quorumof replicas to sign each certificate. An important property of thisimplementation is that it can detect and prevent conflicting requests.More formally, suppose that there are values π£1 and π£2, for whichthe following two properties should hold:
β’ Both are acceptable: ReqestCert(π£π ) should not return β₯unless ReqestCert(π£ π ) was invoked in the same execution,where π β π .β’ At most one may be accepted: if some process knows ππsuch that VerifyCert(π£π , ππ ) then no process should knowπ π such that VerifyCert(π£ π , π π ).
Note that it is possible that neither π£1 nor π£2 is accepted by theAccess Control if the requests are made concurrently. To guaranteethat exactly one certificate is issued, we would need to implementconsensus, which is impossible in asynchronous model [18]. If acorrect replica has signed a certificate for value π£π , it should storethis fact in persistent memory and refuse signing π£ π if requested.Due to the quorum intersection property, this guarantees the βatmost oneβ semantic in a static system.
This approach can be implemented in a dynamic system usingthe pseudocode from Algorithm 7 and the state transfer protocolfrom our DBLA implementation (see Algorithm 5).
Using the dynamic version of this approach to certifying re-configuration requests allows us to capture the notion of what issometimes called βon-chain governanceβ. The idea is that the partic-ipants of the system (in our case, the owners of the replicas) decidewhich actions or updates to allow by the means of voting. Everydecision needs a quorum of signed votes to be considered valid andno two conflicting decisions can be made.
Asynchronous Reconfiguration with Byzantine Failures
VIVConfLA HistLA
VIVVH
VH
VIV
DObj
ConfDAC
ObjDAC
(a) Dynamic Access Control inside a reconfigurable object.
RObj
VIVObjRAC
VICConfRAC
VIC
(b) Reconfigurable Access Control in combination with another re-
configurable object.
Figure 4: Two possible ways to integrate the Access Con-
trol abstraction with other types of objects. An arrow
from an object π΄ to another object π΅ marked with VIV,
(resp., VIC or VH) indicates that π΄.VerifyInputValue
(resp., π΄.VerifyInputConfig or π΄.VerifyHistory) is im-
plemented using π΅.VerifyOutputValue or π΅.VerifyCert.
6.4 Combining Access Control with other
objects
There are at least two possible ways to combine the Access Controlabstraction with a reconfigurable object in a practical system.
The simplest, and, perhaps, the most practical approach is toembed two instances of Dynamic Access Control directly into thestructure of a reconfigurable object, as shown in Figure 4a. In thiscase, the replicas that execute the code for the Access Control are thesame replicas as the replicas that execute the code of other dynamicobjects in the implementation of this reconfigurable object.
Alternatively, one can apply the transformation from Section 5to the dynamic Access Control implementation described in thissection to obtain a reconfigurable version of the Access Controlabstraction. It then can be combined with any other reconfigurableobject in a structure depicted in Figure 4b. In this case, the replicasof ConfRAC produce verifiable input configurations for themselvesand for two other objects.
7 RELATEDWORK
Dynamic replicated systems with passive reconfiguration [7, 9, 26]do not explicitly regulate arrivals and departures of replicas. Theirconsistency properties are ensured under strong assumptions onthe churn rate. Except for the recent work [26], churn-tolerantstorage systems do not tolerate Byzantine failures. In contrast, activereconfiguration allows the clients to explicitly propose configurationupdates, e.g., sets of new replica arrivals and departures.
Early proposals of (actively) reconfigurable storage systems tol-erating process crashes, such as RAMBO [23] and reconfigurablePaxos [29], used consensus (and, thus, assumed certain level ofsynchrony) to ensure that the clients agree on the evolution ofconfigurations. DynaStore [2] was the first asynchronous reconfig-urable storage: clients propose incremental additions or removals tothe system configuration. As the proposals commute, the processescan resolve their disagreements without involving consensus.
The parsimonious speculative snapshot task [20] resolves conflictsbetween concurrent configuration updates in a storage system us-ing instances of commit-adopt [19]. Theworst-case time complexity,in the number of message delays, of reconfiguration was later re-duced from π (ππ) [20] to π (π +π) [35], where π is the numberof concurrently proposed configuration updates andπ is the num-ber of concurrent data operations. This coincides with the timecomplexity of our solution.
SmartMerge [24] made an important step forward by treatingreconfiguration as an instance of abstract lattice agreement [17].However, the algorithm assumes an external (reliable) lattice agree-ment service which makes the system not fully reconfigurable.
FreeStore [3] describes an algorithm for reconfigurable storagethat can be seen as a composition of a reconfiguration protocoland a read-write protocol. Reconfiguration is based on the viewgenerator abstraction, which encapsulates the form of agreementrequired to reconcile concurrently proposed reconfiguration re-quests (essentially, very similar to lattice agreement). The use ofview generators helps in optimizing latency, similar to our use ofdynamic lattice agreement objects.
The recently proposed reconfigurable lattice-agreement abstrac-tion [27] enables reconfigurable versions of a large class of ob-jects and constructions, including state-based CRDTs [33], atomic-snapshot, max-register, conflict detector and commit-adopt. Config-urations are treated here in an abstract way, as elements of a config-uration lattice, encapsulating replica sets and quorum assumptions.We believe that the reconfiguration service we introduced in thispaper can be used to derive Byzantine fault-tolerant reconfigurableimplementations of objects in the class.
Byzantine quorum systems [30] introduce abstractions for en-suring availability and consistency of shared data in asynchronoussystems with Byzantine faults. In particular, a dissemination quo-rum system ensures that every two quorums have a correct processin common and that at least one quorum only contains correctprocesses.
Dynamic Byzantine quorum systems [4] appear to be the first at-tempt to implement a form of active reconfiguration in a Byzantinefault-tolerant data service running on a static set of replicas, whereclients can raise or lower the resilience threshold. Dynamic Byzan-tine storage [32] allows a trusted administrator to issue orderedreconfiguration calls that might also change the set of replicas. Theadministrator is also responsible for generating new private keysfor the replicas in each new configuration to anticipate the βI stillwork hereβ attack [1]. In this paper, we propose an implementationof a Byzantine fault-tolerant reconfiguration service that does notrely on this assumption.
Forward-secure signature schemes [10, 11, 14, 16, 31] were origi-nally designed to mitigate the consequences of key exposure: if theprivate key of an agent is compromised, signatures made prior to
Petr Kuznetsov and Andrei Tonkikh
the exposure (i.e., with smaller timestamps) can still be trusted. Inthis paper, a novel application of forward-secure digital signaturesis proposed: timestamps are associated with configurations. Beforea new configuration is installed, the protocol ensures that suffi-ciently many correct processes update their private keys in priorconfigurations. This approach prevents the βI still work hereβ andβslow readerβ attacks. Unlike previously proposed solutions [32], itdoes not rely on a global agreement on the configuration sequenceor a trusted administrator.
8 DISCUSSION
8.1 Possible optimizations
In this paper, our goal was to provide the minimal implementationfor the minimal set of abstractions to demonstrate the ideas and thegeneral techniques for defining and building reconfigurable servicesin the harsh world of asynchrony and Byzantine failures. Therefore,our implementations leave plenty of space for optimizations. Herewe would like to mention a few possible directions. Most of themare dedicated to reducing the communication cost of the protocol.
First, the proofs in our protocol include the full local history ofa process. Moreover, this history comes with its own proof, whichalso usually contains a history, and so on. If implemented naively,the size of one proof in bytes will be at least quadratic with respectto the number of distinct candidate configurations, which is notnecessary. The first observation is that these histories will be relatedby containment. So, in fact, they can be compressed just to the sizeof the largest one, which is linear. But we can go further and saythat, in fact, in a practical implementation, the processes almostnever should actually send full histories to each other because everyprocess maintains its local history and all histories with proofs arealready disseminated via the reliable broadcast primitive. When oneprocess wants to send some history to some other process, it canjust send a cryptographic hash of this history. The other processcan check if it already has this history and, if not, ask the sender toonly send the missing parts, instead of the whole history.
Second, a naive implementation of our DBLA protocol wouldsend ever-growing sets of verifiable input values, which is also notnecessary. The processes should just limit themselves to sendingdiffs between what they know and what they think the recipientknows.
Third, almost every proof in our systems contains signaturesfrom a quorum of replicas. This adds another linear factor to thecommunication cost. However, it can be significantly reduced bythe use of forward-securemulti-signatures, such as Pixel [16], whichwas designed for similar applications.
Finally, we use a suboptimal implementation of lattice agreementas the foundation for our DBLA protocol. Perhaps, we could benefitfrom adapting a more efficient crash fault-tolerant asynchronoussolution [36].
Open questions. We would like to mention two relevant direc-tions for further research.
First, with regard to active reconfiguration, it would be inter-esting to devise algorithms that efficiently adapt to βsmallβ config-uration changes, while still supporting the option of completelychanging the set of replicas in a single reconfiguration request. In
this paper, we allow each reconfiguration request to completelychange the set of replicas, which leads to an expensive quorum-to-quorum communication pattern. This seems unnecessary forreconfiguration requests involving only slight changes to the set ofreplicas.
Second, with regard to Byzantine faults, it would be interestingto consider models with a βweakerβ adversary. In this paper, weassumed a very strong model of the adversary: no assumptionsare made about correctness of replicas in superseded configura-tions. This βpessimisticβ approach leads to more complicated andexpensive protocols.
ACKNOWLEDGMENTS
This work was supported in part by TrustShare Innovation Chair.We would also like to thank the anonymous reviewers from theDISC program committee and the Distributed Computing Journalboard for their constructive comments and suggestions.
REFERENCES
[1] Marcos K Aguilera, Idit Keidar, Dahlia Malkhi, Jean-Philippe Martin, AlexanderShraer, et al. 2010. Reconfiguring replicated atomic storage: A tutorial. Bulletinof the EATCS 102 (2010), 84β108.
[2] Marcos Kawazoe Aguilera, Idit Keidar, Dahlia Malkhi, and Alexander Shraer.2011. Dynamic atomic storage without consensus. J. ACM 58, 2 (2011), 7:1β7:32.
[3] Eduardo Alchieri, Alysson Bessani, FabΓola Greve, and Joni da Silva Fraga. 2017.Efficient andModular Consensus-Free Reconfiguration for Fault-Tolerant Storage.In OPODIS. 26:1β26:17.
[4] Lorenzo Alvisi, Dahlia Malkhi, Evelyn Pierce, Michael K Reiter, and Rebecca NWright. 2000. Dynamic Byzantine quorum systems. In Proceeding International
Conference on Dependable Systems and Networks. DSN 2000. IEEE, 283β292.[5] James Aspnes, Hagit Attiya, and Keren Censor. 2009. Max Registers, Counters,
and Monotone Circuits. In PODC (Calgary, AB, Canada). 36β45.[6] Hagit Attiya, Amotz Bar-Noy, and Danny Dolev. 1995. Sharing memory robustly
in message-passing systems. Journal of the ACM (JACM) 42, 1 (1995), 124β142.[7] Hagit Attiya, Hyun Chul Chung, Faith Ellen, Saptaparni Kumar, and Jennifer L.
Welch. 2019. Emulating a Shared Register in a System That Never Stops Changing.IEEE Trans. Parallel Distrib. Syst. 30, 3 (2019), 544β559.
[8] Hagit Attiya, Maurice Herlihy, and Ophir Rachman. 1995. Atomic SnapshotsUsing Lattice Agreement. Distributed Computing 8, 3 (1995), 121β132.
[9] Roberto Baldoni, Silvia Bonomi, Anne-Marie Kermarrec, and Michel Raynal. 2009.Implementing a Register in a Dynamic Distributed System. In ICDCS. 639β647.
[10] Mihir Bellare and Sara K Miner. 1999. A forward-secure digital signature scheme.In Annual International Cryptology Conference. Springer, 431β448.
[11] Xavier Boyen, Hovav Shacham, Emily Shen, and Brent Waters. 2006. Forward-secure signatures with untrusted update. In Proceedings of the 13th ACM conference
on Computer and communications security. 191β200.[12] Eric A. Brewer. 2000. Towards Robust Distributed Systems (Abstract). In PODC.
7β.[13] Christian Cachin, Rachid Guerraoui, and LuΓs Rodrigues. 2011. Introduction to
reliable and secure distributed programming. Springer Science & Business Media.[14] Ran Canetti, Shai Halevi, and Jonathan Katz. 2007. A forward-secure public-key
encryption scheme. Journal of Cryptology 20, 3 (2007), 265β294.[15] John R Douceur. 2002. The sybil attack. In International workshop on peer-to-peer
systems. Springer, 251β260.[16] Manu Drijvers, Sergey Gorbunov, Gregory Neven, and Hoeteck Wee. 2020. Pixel:
Multi-signatures for Consensus. In 29th USENIX Security Symposium (USENIX
Security 20).[17] Jose Faleiro, Sriram Rajamani, Kaushik Rajan, Ganesan Ramalingam, and Kapil
Vaswani. 2012. Generalized lattice agreement. In PODC. 125β134.[18] Michael J Fischer, Nancy A Lynch, and Michael S Paterson. 1985. Impossibility
of distributed consensus with one faulty process. Journal of the ACM (JACM) 32,2 (1985), 374β382.
[19] Eli Gafni. 1998. Round-by-round fault detectors: Unifying synchrony and asyn-chrony. In PODC. 143β152.
[20] Eli Gafni and Dahlia Malkhi. 2015. Elastic Configuration Maintenance via aParsimonious Speculating Snapshot Solution. In DISC. 140β153.
[21] David K. Gifford. 1979. Weighted Voting for Replicated Data. In SOSP. 150β162.[22] Seth Gilbert and Nancy Lynch. 2002. Brewerβs Conjecture and the Feasibility of
Consistent, Available, Partition-tolerant Web Services. SIGACT News 33, 2 (June2002), 51β59.
Asynchronous Reconfiguration with Byzantine Failures
[23] Seth Gilbert, Nancy A Lynch, and Alexander A Shvartsman. 2010. Rambo: arobust, reconfigurable atomic memory service for dynamic networks. DistributedComputing 23, 4 (2010), 225β272.
[24] Leander Jehl, Roman Vitenberg, and Hein Meling. 2015. SmartMerge: A NewApproach to Reconfiguration for Atomic Storage. In DISC. 154β169.
[25] Anne-Marie Kermarrec and Maarten Van Steen. 2007. Gossiping in distributedsystems. ACM SIGOPS operating systems review 41, 5 (2007), 2β7.
[26] Saptaparni Kumar and Jennifer L Welch. 2019. Byzantine-tolerant register in asystem with continuous churn. arXiv preprint arXiv:1910.06716 (2019).
[27] Petr Kuznetsov, Thibault Rieutord, and Sara Tucci-Piergiovanni. 2019. Reconfig-urable Lattice Agreement and Applications. In OPODIS.
[28] Petr Kuznetsov and Andrei Tonkikh. 2020. Asynchronous Reconfiguration withByzantine Failures. In 34th International Symposium on Distributed Computing,
DISC 2020, October 12-16, 2020, Virtual Conference (LIPIcs, Vol. 179). 27:1β27:17.[29] Leslie Lamport, Dahlia Malkhi, and Lidong Zhou. 2010. Reconfiguring a state
machine. SIGACT News 41, 1 (2010), 63β73.[30] Dahlia Malkhi and Michael Reiter. 1998. Byzantine quorum systems. Distributed
Computing 11, 4 (1998), 203β213.[31] Tal Malkin, Daniele Micciancio, and Sara Miner. 2002. Efficient generic forward-
secure signatures with an unbounded number of time periods. In International
Conference on the Theory and Applications of Cryptographic Techniques. Springer,400β417.
[32] J-P Martin and Lorenzo Alvisi. 2004. A framework for dynamic byzantine storage.In International Conference on Dependable Systems and Networks, 2004. IEEE,325β334.
[33] Marc Shapiro, Nuno M. PreguiΓ§a, Carlos Baquero, and Marek Zawirski. 2011.Conflict-Free Replicated Data Types. In SSS. 386β400.
[34] Alexander Spiegelman and Idit Keidar. 2017. On Liveness of Dynamic Storage.In Structural Information and Communication Complexity - 24th International
Colloquium, SIROCCO 2017, Porquerolles, France, June 19-22, 2017, Revised Selected
Papers. 356β376.[35] Alexander Spiegelman, Idit Keidar, and Dahlia Malkhi. 2017. Dynamic Reconfig-
uration: Abstraction and Optimal Asynchronous Solution. In DISC. 40:1β40:15.[36] Xiong Zheng, Changyong Hu, and Vijay K. Garg. 2018. Lattice Agreement in
Message Passing Systems. In DISC. 41:1β41:17.
Petr Kuznetsov and Andrei Tonkikh
A PROOF OF CORRECTNESS OF DBLA
A.1 Safety
Recall that a configuration is called candidate iff it appears in someverifiable history. The following lemma gathers some obvious yetvery useful statements about candidate configurations.
Lemma A.1 (Candidate configurations).(1) There is a finite number of candidate configurations.
(2) All candidate configurations are comparable with βββ.
Proof. The total number of verifiable histories is required to befinite, and each history is finite, hence (1). All verifiable historiesare required to be related by containment and all configurationswithin one history are required to be comparable, hence (2). β‘
Recall that a configuration is called pivotal if it is the last con-figuration in some verifiable history. Non-pivotal candidate con-figurations are called tentative. Intuitively, the next lemma statesthat in the rest of the proofs we can almost always consider onlypivotal configurations. Tentative configurations are both harmlessand useless.
Lemma A.2 (Tentative configurations).(1) No correct client will ever make a request to a tentative config-
uration.
(2) Tentative configurations cannot be installed.(3) A correct process will never invoke FSVerify with timestamp
height (πΆ) for any tentative configuration πΆ .
(4) A correct replica will never broadcast any message via the uni-
form reliable broadcast primitive in a tentative configuration.
Proof. Follows directly from the algorithm. Both clients andreplicas only operate on configurations that were obtained by in-voking the function HighestConf(β) on some verifiable configu-ration. β‘
The next lemma states that correct processes cannot βmissβ anypivotal configurations in their local histories. This is crucial for thecorrectness of the state transfer protocol.
Lemma A.3. IfπΆ β HighestConf(β), whereπΆ is a pivotal config-
uration and β is the local history of a correct process, then πΆ β β.
Proof. Follows directly from the definition of a pivotal configu-ration and the requirement that all verifiable histories are relatedby containment (see Section 3.4). β‘
Recall that a configuration is called superseded iff some higherconfiguration is installed (see Section 3.3). A configuration is in-stalled iff some correct replica has triggered the InstalledConfigupcall (line 111). For this, the correct replica must receive a quorumof UpdateComplete messages via the uniform reliable broadcastprimitive (line 106).
TheoremA.4 (Dynamic Validity). Our implementation of DBLA
satisfies Dynamic Validity. I.e., only a candidate configuration can be
installed.
Proof. Follows directly from the implementation. A correctreplica will not install a configuration until it is in the replicaβs localhistory (line 107). β‘
In our algorithm, it is possible for a configuration to be installedafter it was superseded. Imagine that a quorum of replicas broad-cast UpdateComplete messages in some configuration πΆ whichis not yet installed. After that, before any replica delivers thosemessages, a higher configuration is installed, makingπΆ superseded.It is possible that some correct replica π β replicas(πΆ) that does notyet know that a higher configuration is installed, will deliver thebroadcast messages and trigger the upcall InstalledConfig(πΆ)(line 111).
Let us call the configurations that were installed while beingactive (i.e., not superseded) βproperly installedβ. We will use thisdefinition to prove next few lemmas.
Lemma A.5. The lowest properly installed configuration higher
than configurationπΆ is the first installed configuration higher thanπΆ
in the real-time order.
Proof. Let π be the lowest properly installed configurationhigher than πΆ . If some configuration higher than π were installedearlier, then π would not be properly installed (by the definition ofa properly installed configuration). If some configuration betweenπΆ and π were installed earlier, then π would not be the lowest. β‘
The following lemma stipulates that our state transfer protocolmakes the superseded pivotal configurations βharmlessβ by lever-aging a forward-secure signature scheme.
Lemma A.6 (Key update). If a pivotal configuration πΆ is su-
perseded, then no quorum of replicas in that configuration is ca-
pable of signing messages with timestamp height (πΆ), i.e., οΏ½π βquorums(πΆ) s.t. βπ β π : stπ β€ height (πΆ).
Proof. Let π be the lowest properly installed configurationhigher than πΆ . Let us consider the moment when π was in-stalled. By the algorithm, all correct replicas in some quorumππ β quorums(π ) had to broadcast UpdateComplete messagesbefore π was installed (line 106). Since π was not yet supersededat that moment, there was at least one correct replica ππ β ππ .
By LemmaA.3,πΆ was in ππ βs local historywhenever it performedstate transfer to any configuration higher than πΆ . By the protocol,a correct replica only advances its Ccurr variable after executingthe state transfer protocol (line 94) or right before installing aconfiguration (line 109). Since no configurations between πΆ and π
were yet installed, ππ had to pass through πΆ in its state transferprotocol and to receive UpdateReadResp messages from somequorum ππΆ β quorums(πΆ) (line 92).
Recall that correct replicas update their private keys wheneverthey learn about a higher configuration (line 100) and that theywill only reply to message β¨UpdateRead, sn,πΆβ© once πΆ is not thehighest configuration in their local histories (line 102). This meansthat all correct replicas in ππΆ actually had to update their privatekeys before π was installed, and, hence, before πΆ was superseded.By the quorum intersection property, this means that in each quo-rum inπΆ at least one replica updated its private key to a timestamphigher than height (πΆ) and will not be capable of signing messageswith timestamp height (πΆ) even if it becomes Byzantine. β‘
Note that in a tentative configuration there might be arbitrarilymany Byzantine replicas that have not updated their private keys.
Asynchronous Reconfiguration with Byzantine Failures
This is inevitable in asynchronous system: forcing the replicas intentative configurations to update their private keys would requiresolving consensus. This does not affect correct processes because,as shown in Lemma A.2, tentative configurations are harmless.However, it is important to remember this when designing newdynamic protocols.
The following lemma implies that the state is correctly trans-ferred between configurations.
Lemma A.7 (State transfer correctness).If π = β¨vs, β, πβ, proposeAcks, confirmAcksβ© is a valid proof
for π£ , then for each active installed configuration π· such that
HighestConf(β) β π· , there is a quorum ππ· β quorums(π·) suchthat for each correct replica π β ππ· : vs β curValsπ .
Proof. Let πΆ = HighestConf(β). We proceed by induction onthe sequence of all properly installed configurations higher than πΆ .Let us denote this sequence by CΜ. By the definition of a properlyinstalled configuration, these are precisely the configurations thatwe consider in the statement of the lemma.
Let π be the lowest configuration in CΜ. LetππΆ β quorums(πΆ) bea quorum of replicas whose signatures are in proposeAcks. Con-sider the moment of installation of π . There must be a quo-rum ππ β quorums(π ) in which all correct replicas broadcastβ¨UpdateComplete, π β© before the moment of installation. For eachcorrect replica ππ β ππ , ππ passed with its state transfer protocolthrough configurationπΆ and receivedUpdateReadRespmessagesfrom some quorum of replicas in πΆ . Note that at that moment con-figuration πΆ was not yet superseded. By the quorum intersectionproperty, there is at least one correct replica ππΆ β ππΆ that sent anUpdateReadResp message to ππ (line 103). Since ππΆ will send theUpdateReadResp message only after updating its private keys(line 102), it had to sign β¨ProposeResp, vsβ© (line 76) before send-ing reply to ππ , which means that the UpdateReadResp messagefrom ππΆ to ππ must have contained a set of values that includes allvalues from vs. This proves the base case of the induction.
Let us consider any configuration π· β CΜ such that π β π· . Letπ be the highest configuration in CΜ such that π β π β π· (inother words, the closest to π· in CΜ). Assume that the statementholds for π , i.e., while π was active, there were a quorum ππ βquorums(π) such that for each correct replica ππ β ππ : vs βcurValsππ . Similarly to the base case, let us consider a quorumππ· β quorums(π·) such that every correct replica in ππ· reliablybroadcast β¨UpdateComplete, π·β© before π· was installed. For eachcorrect replica ππ· β ππ· , by the quorum intersection property, thereis at least one correct replica inππ that sent anUpdateReadRespmessage to ππ· . This replica attached its curVals to the message,which contained vs. This proves the induction step and completesthe proof. β‘
The next lemma states that if two output values were producedin the same configuration, they are comparable. In a static systemit could be proven by simply referring to the quorum intersectionproperty. In a dynamic Byzantine system, however, to use the quo-rum intersection, we need to prove that the configuration was activeduring the whole period when the clients were exchanging datawith the replicas. In other words, we need to prove that the βslow
readerβ attack is impossible. Luckily, we have the second stage ofour algorithm designed for this sole purpose.
Lemma A.8 (BLA-Comparability in one configuration).If π1 = β¨vs1, β1, πβ1, proposeAcks1, confirmAcks1β© is a valid proof foroutput value π£1,and π2 = β¨vs2, β2, πβ2, proposeAcks2, confirmAcks2β© is a valid prooffor output value π£2,andHighestConf(β1) = HighestConf(β2), then π£1 and π£2 are com-
parable.
Proof. Let πΆ = HighestConf(β1) = HighestConf(β2). Bydefinition, the fact that π is a valid proof for π£ implies thatVerifyOutputValue(π£, π) = true (line 32). By the implementa-tion, β1 and β2 are verifiable histories (line 36). Therefore, πΆ is apivotal configuration.
The set confirmAcks1 contains signatures from a quorum ofreplicas of configuration πΆ , with timestamp height (πΆ). Eachof these signatures had to be produced after each of thesignatures in proposeAcks1 because they sign the messageβ¨ConfirmResp, proposeAcks1β© (line 82). Combining this with thestatement of Lemma A.6 (Key Update), it follows that at the momentwhen the last signature in the set proposeAcks1 was created, theconfiguration πΆ was active (otherwise it would be impossible togather confirmAcks1). We can apply the same argument to the setsproposeAcks2 and confirmAcks2.
It follows that there are quorums π1, π2 β quorums(πΆ) and amoment in time π‘ such that: (1)πΆ is not superseded at time π‘ , (2) allcorrect replicas inπ1 signed message β¨ProposeResp, vs1β© before π‘ ,and (3) all correct replica inπ2 signed message β¨ProposeResp, vs2β©before π‘ . SinceπΆ is not superseded at time π‘ , there must be a correctreplica in π1 β© π2 (due to quorum intersection), which signedboth β¨ProposeResp, vs1β© and β¨ProposeResp, vs2β© (line 76). Sincecorrect replicas only sign ProposeRespmessages with comparablesets of values6, vs1 and vs2 are comparable, i.e., either vs1 β vs2or vs2 β vs1. Hence, π£1 = JoinAll(vs1) and π£2 = JoinAll(vs2) arecomparable. β‘
Finally, let us combine the two previous lemmas to prove theBLA-Comparability property of our DBLA implementation.
Theorem A.9 (BLA-Comparability). Our implementation of
DBLA satisfies the BLA-Comparability property. That is, all verifiable
output values are comparable.
Proof. Let π1 = β¨vs1, β1, πβ1, proposeAcks1, confirmAcks1β©be a valid proof for output value π£1, and π2 =
β¨vs2, β2, πβ2, proposeAcks2, confirmAcks2β© be a valid prooffor output value π£2. Also, let πΆ1 = HighestConf(β1) andπΆ2 = HighestConf(β2). Since β1 and β2 are verifiable histories(line 36), both πΆ1 and πΆ2 are pivotal by definition.
If πΆ1 = πΆ2, π£1 and π£2 are comparable by Lemma A.8.Consider the case when πΆ1 β πΆ2. Without loss of generality, as-
sume that πΆ1 β πΆ2. Let π1 β quorums(πΆ2) be a quorum of replicaswhose signatures are in proposeAcks2. Let π‘ be the moment whenfirst correct replica signed β¨ProposeResp, vs2β©. Correct replicasonly start processing user requests in a configuration when this6Indeed, set curVals at each correct replica can only grow, and the replicas only signmessages with the same set of verifiable input values as curVals (see lines 75β76).
Petr Kuznetsov and Andrei Tonkikh
configuration is installed (line 73). Therefore, by Lemma A.7, attime π‘ there was a quorum of replicas π2 β quorums(πΆ2) suchthat for every correct replica in π2: vs1 β curVals. By the quorumintersection property, there must be at least one correct replica inπ1 β©π2. Hence, vs1 β vs2 and JoinAll(vs1) β JoinAll(vs2). β‘
Theorem A.10 (DBLA safety). Our implementation satisfies
the safety properties of DBLA: BLA-Validity, BLA-Verifiability, BLA-
Inclusion, BLA-Comparability, and Dynamic Validity.
Proof.β’ BLA-Validity follows directly from the implementation: acorrect client collects verifiable input values and joins thembefore returning from Propose (line 29);β’ BLA-Verifiability follows directly from how correct replicasform and check the proofs for output values (lines 28 and 34β39);β’ BLA-Inclusion follows from the fact that the set curVals of acorrect client only grows (line 42);β’ BLA-Comparability follows from Theorem A.9;β’ Finally, Dynamic Validity follows from Theorem A.4.
β‘
A.2 Liveness
Lemma A.11 (History Convergence). Local histories of all cor-rect processes will eventually become identical.
Proof. Let π and π be any two forever-correct processes7. Sup-pose, for contradiction, that the local histories of π and π havediverged at some point and will never converge again. Recall thatcorrect processes only adopt verifiable histories, and that we requirethe total number of verifiable histories to be finite. Therefore, thereis some history βπ , which is the the largest history ever adoptedby π , and some history βπ which is the the largest history everadopted by π. Since all verifiable histories are required to be relatedby containment, and we assume that βπ β βπ , one of them mustbe a subset of the other. Without loss of generality, suppose thatβπ β βπ . Since π had to deliver βπ through reliable broadcast (un-less βπ is the initial history) and π remains correct forever, π willeventually deliver βπ as well, and will adopt it. Hence, βπ is not thelargest history ever adopted by π . A contradiction. β‘
Next, we introduce an important definition, which we will usethroughout the rest of the proofs.
Definition A.12 (Maximal installed configuration). In a
given infinite execution, a maximal installed configuration is a con-
figuration that eventually becomes installed and never becomes su-
perseded.
Lemma A.13 (Cmax existence). In any infinite execution there
is a unique maximal installed configuration.
Proof. By Lemma A.1 (Candidate configurations) and Theo-rem A.4 (Dynamic Validity), the total number of installed config-urations is finite and they are comparable. Hence, we can choose
7If either π or π eventually halts or becomes Byzantine, their local histories are notrequired to converge.
a unique maximum among them, which is never superseded bydefinition. β‘
Let us denote the (unique) maximal installed configuration byCmax.
Lemma A.14 (Cmax installation). The maximal installed con-
figuration will eventually be installed by all correct replicas.
Proof. Since Cmax is installed, by definition, at some pointsome correct replica has triggered upcall InstalledConfig(Cmax)(line 111). This, in turn, means that this replica delivered a quorumof UpdateComplete messages via the uniform reliable broadcast
in Cmax when it was correct. Therefore, even if this replica laterbecomes Byzantine, by definition of the uniform reliable broad-cast, either Cmax will become superseded (which is impossible),or every correct replica will eventually deliver the same set ofUpdateComplete messages and install Cmax. β‘
LemmaA.15 (State transfer progress). State transfer (lines 85β96) executed by a forever-correct replica always terminates.
Proof. Let π be a correct replica executing state transfer. ByLemma A.1, the total number of candidate configurations is finite.Therefore, it is enough to prove that there is no such configurationthat π will wait for replies from a quorum of that configurationindefinitely (line 92). Suppose, for contradiction, that there is suchconfiguration πΆ .
If πΆ β Cmax, then, by Lemma A.14, π will eventually installCmax, and Ccurr will become not lower than Cmax (line 109).Hence, π will terminate from waiting through the first condition(πΆ β Ccurr). A contradiction.
Otherwise, if Cmax β πΆ , then, by the definition of Cmax,πΆ will never be superseded. Since π remains correct forever, byLemma A.11 (History Convergence), every correct replica willeventually have πΆ in its local history. Since we assume reliablelinks between processes (see Section 2), every correct replica inreplicas(πΆ) will eventually receive π βs UpdateRead message andwill send a reply, which π will receive (line 103). Hence, the waitingon line 92 will eventually terminate through the second condition (πwill receive responses from someπ β quorums(πΆ) with the correctsequence number). A contradiction. β‘
Intuitively, the following lemma states that Cmax is, in somesense, the βfinalβ configuration. After some point every correctprocess will operate exclusively on Cmax. No correct process willknow about any configuration higher than Cmax or βcareβ aboutany configuration lower than Cmax.
Lemma A.16. Cmax will eventually become the highest configu-
ration in the local history of each correct process.
Proof. By Lemma A.11 (History Convergence), the local histo-ries of all correct processes will eventually converge to the samehistory β. Let π· = HighestConf(β). Since Cmax is installed andnever superseded, it cannot be higher than π· (at least one correctreplica will always have Cmax in its local history).
Suppose, for contradiction, that Cmax β π· . In this case, π·is never superseded, which means that there is a quorum ππ· βquorums(π·) that consists entirely of forever-correct processes. By
Asynchronous Reconfiguration with Byzantine Failures
Lemma A.11 (History Convergence), all replicas in ππ· will even-tually have π· in their local histories and will try to perform statetransfer to it. By Lemma A.15, they will eventually succeed andinstall π·βa contradiction with the definition of Cmax. β‘
Theorem A.17 (BLA-Liveness). Our implementation of DBLA
satisfies the BLA-Liveness property: if the total number of verifiable
input values is finite, every call to Propose(π£, π) by a forever-correct
process eventually returns.
Proof. Let π be a forever-correct client that invokedPropose(π£, π). By Lemma A.16, Cmax will eventually become thehighest configuration in the local history of π . If the clientβs requestwill not terminate by the time it learns about Cmax, the clientwill call Refine(β ) after it (line 62). By Lemma A.14, Cmax willeventually be installed by all correct replicas. Since it will neverbe superseded, there will be a quorum of forever-correct replicas.Thus, every round of messages from the client will eventually beresponded to by a quorum of correct replicas.
Since the total number of verifiable input values is finite, theclient will call Refine only a finite number of times (line 54). Afterthe last call to Refine, the client will inevitably receive acknowl-edgments from a quorum of replicas, and will proceed to sendingConfirm messages (line 50). Again, since there is an availablequorum of correct replicas that installed Cmax, the client will even-tually receive enough acknowledgments and will complete theoperation (line 27). β‘
Theorem A.18 (DBLA liveness). Our implementation satisfies
the liveness properties of DBLA: BLA-Liveness, Dynamic Liveness,
and Installation Liveness.
Proof. BLA-Liveness follows from Theorem A.17. DynamicLiveness and Installation Liveness follow directly from Lem-mas A.16 and A.14 respectively. β‘
B MAX REGISTER
Our methodology of constructing dynamic and reconfigurable ob-jects is not limited to lattice agreement. In this section, we showhow to create an atomic Byzantine fault-tolerant Max-Register indynamic setting.
is a distributed object that has two operations: Read() andWrite(π£, π) and must be parametrized by a boolean functionVerifyInputValue(π£, π). As before, we say that π is a valid certifi-cate for input value π£ iff VerifyInputValue(π£, π) = true and thatvalue π£ is a verifiable input value iff some process knows π such thatVerifyInputValue(π£, π) = true. We assume that correct clientsinvokeWrite(π£, π) only if VerifyInputValue(π£, π) = true. We donot make any assumptions on the number of verifiable input valuesfor this abstraction (i.e., it can be infinite).
The Max-Register object satisfies the following three properties:β’ MR-Validity: if Read() returns value π£ to a correct process,then π£ is verifiable input value;β’ MR-Atomicity: if some correct process π completedWrite(π£, π) or received π£ from Read() strictly before somecorrect process π invoked Read(), then the value returnedto π must be greater than or equal to π£ ;
β’ MR-Liveness: every call to Read() and Write(π£, π) by aforever-correct process eventually returns.
For simplicity, unlike Byzantine Lattice Agreement, our Max-Register does not provide the VerifyOutputValue(π£, π) function.
B.1 Dynamic Max-Register implementation
In this section we present our implementation of the dynamic ver-sion of the Max-Register abstraction (Dynamic Max-Register orDMR for short). Overall, the βapplicationβ part of the implemen-tation is very similar to the classical ABD algorithm [6], and theβdynamicβ part of the implementation is almost the same as inDBLA.
Client implementation. From the clientβs perspective, the twomain procedures are Get() and Set(π£, π) (not to be confused withthe Read and Write operations). Set(π£, π) (lines 175β180) is usedto store the value on a quorum of replicas of the most recent con-figuration. It returns true iff it manages to receive signed acknowl-edgments from a quorum of some configuration. Forward-securesignatures are used to prevent the βI still work hereβ attack. SinceSet does not try to read any information from the replicas, it isnot susceptible to the βslow readerβ attack. Get() (lines 181β187)is very similar to Set(. . .) and is used to request information froma quorum of replicas of the most recent configuration. Since wedo not provide the VerifyOutputValue(. . .) function, the repliesfrom replicas are not signed (line 199). Therefore, Get() is suscepti-ble to both the βI still work hereβ and βslow readerβ attack whenused alone. Later in this section we discuss how the invocation ofSet(. . .) right after Get() (line 167) allows us to avoid these issues.
Operation Write(π£, π) (lines 170β172) is used by correct clientsto store values in the register. It simply performs repeated calls toSet(π£, π) until some call succeeds to reach a quorum of replicas.Retries are safe because, as in lattice agreement, write requests toa max-register are idempotent. Since we assume the total numberof verifiable histories to be finite, only a finite number of retries ispossible.
Operation Read() (lines 164β169) is used to request the currentvalue from the register, and it consists of repeated calls to bothGet() and Set(. . .). The call to Get() is simply used to queryinformation from the replicas. The call to Set(. . .) is usually calledβthe write-back phaseβ and serves two purposes here:β’ It is used instead of the βconfirmingβ phase to prevent the βIstill work hereβ and the βslow-readerβ attacks. Indeed, if theconfiguration was superseded during the execution ofGet(),Set(. . .) will not succeed because it will not be able to gathera quorum of signed replies in the same configuration;β’ Also, it is used to order the calls to Read() and to guaranteethe MR-Atomicity property. Intuitively, if some correct pro-cess successfully completed Set(π£, π) strictly before someother correct process invoked Get(), the later process willreceive a value that is not smaller than π£ (unless the βslowreaderβ attack happens).
Replica implementation. The replica implementation (Algo-rithm 9) essentially follows the DBLA guidelines (Algorithms 4and 5), except that the replica handles client requests specific toMax-Register (lines 196β206). The only other difference is that
Petr Kuznetsov and Andrei Tonkikh
Algorithm 8 Dynamic Max-Register: code for client πParameters:
159: Lattice of configurations C and the initial configuration Cinit β C160: Set of values V and the initial value Vinit β V161: Boolean functions VerifyHistory(β, π) and VerifyInputValue(π£, π)
Global variables:
162: history β C, initially {Cinit} β² local history of this process163: seqNum β Z, initially 0 β² used to match requests with responses
Auxiliary functions: HighestConf(β), FSVerify (see Section 2)
164: operation Read()165: repeat
166: let β¨readOk, β¨π£, πβ©β© = Get()167: let success = if readOk then Set(π£, π) else false
168: until success
169: return π£
170: operation Write(π£ , π)171: repeat let success = Set(π£, π)172: until success
173: operation UpdateHistory(β, π)174: RB-Broadcast β¨NewHistory, β, πβ©
175: procedure Set(π£ , π)176: seqNumβ seqNum + 1177: let πΆ = HighestConf(history)178: send β¨Set, π£ , seqNum, πΆβ© to replicas(πΆ)179: wait for (HighestConf(history) β πΆ) β¨ (replies from π β quorums(πΆ) with valid signatures)180: return HighestConf(history) β πΆ
181: procedure Get()182: seqNumβ seqNum + 1183: let πΆ = HighestConf(history)184: send β¨Get, seqNum, πΆβ© to replicas(πΆ)185: wait for (HighestConf(history) β πΆ) β¨ (replies from π β quorums(πΆ))186: if HighestConf(history) β πΆ then return β¨false,β₯β©187: else return β¨true,maximal verifiable input value among receivedβ©
188: upon RB-deliver β¨NewHistory, β, πβ© from any sender189: if VerifyHistory(β, π) β§ history β β then history β β
in handling the UpdateRead and UpdateReadResp messages(lines 209β214), the replicas exchange π£ππ’ππ and πππ’ππ instead ofcurVals, as in DBLA.
B.2 Proof of correctness
Since our Dynamic Max-Register implementation uses the samestate transfer protocol as DBLA, most proofs from Section A thatapply to DBLA, also apply to DMR (with some minor adaptations).Here we provide only the statements of such theorems, withoutrepeating the proofs. Then we introduce several theorems specificto DMR and sketch the proofs.
Safety.
Lemma B.1 (Candidate configurations).(1) Each candidate configuration is present in some verifiable his-
tory.
(2) There is a finite number of candidate configurations.
(3) All candidate configurations are comparable with βββ.
Lemma B.2 (Tentative configurations).(1) No correct client will ever make a request to a tentative config-
uration.
(2) Tentative configurations cannot be installed.(3) A correct process will never invoke FSVerify with timestamp
height (πΆ) for any tentative configuration πΆ .
(4) A correct replica will never broadcast any message via the uni-
form reliable broadcast primitive in a tentative configuration.
Lemma B.3. If πΆ β HighestConf(β), where πΆ is a pivotal config-
uration and β is the local history of a correct process, then πΆ β β.
Theorem B.4 (Dynamic Validity). Our implementation of DMR
satisfies Dynamic Validity. I.e., only a candidate configuration can be
installed.
Asynchronous Reconfiguration with Byzantine Failures
Algorithm 9 Dynamic Max-Register: code for replica πParameters: same as in Algorithm 8.
Global variables:
190: history β C, initially {Cinit} β² local history of this process191: π£ππ’ππ β V, initially Vinit
192: πππ’ππ β Ξ£, initially πππππ‘193: Ccurr β C, initially Cinit β² current configuration194: Cinst β C, initially Cinit β² installed configuration195: inStateTransfer β {true, false}, initially false
Auxiliary functions: HighestConf(β), FSSign(π, π‘), UpdateFSKey(π‘) (see Section 2)
196: upon receive β¨Get, sn, πΆβ© from client π197: wait for πΆ = Cinst β¨ HighestConf(history) @ πΆ
198: if πΆ = HighestConf(history) then199: send β¨GetResp, π£ππ’ππ , πππ’ππ , snβ© to π
200: else ignore the message
201: upon receive β¨Set, π£ , π , sn, πΆβ© from client π202: wait for πΆ = Cinst β¨ HighestConf(history) @ πΆ
203: if πΆ = HighestConf(history) β§ VerifyInputValue(π£, π) then204: if π£ > π£ππ’ππ then β¨π£ππ’ππ , πππ’ππ β© β β¨π£, πβ©205: send β¨SetResp, FSSign(β¨π, snβ©, height (πΆ)), snβ© to π
206: else ignore the message
β² State transfer207: upon Ccurr β HighestConf({πΆ β history | π β replicas(πΆ)}) β§ not inStateTransfer
208: Same as for DBLA (lines 85β96)
209: upon receive β¨UpdateRead, πΆ , snβ© from replica π β²210: wait for πΆ β HighestConf(history)211: send β¨UpdateReadResp, π£ππ’ππ , πππ’ππ , snβ© to π β²
212: upon receive β¨UpdateReadResp, π£ , π , snβ© from replica π β²213: if VerifyInputValue(π£, π) β§ π£ > π£ππ’ππ then
214: β¨π£ππ’ππ , πππ’ππ β© β β¨π£, πβ©
215: upon RB-deliver β¨NewHistory, β, πβ© from any sender216: Same as for DBLA (lines 97β100)
217: upon URB-deliver β¨UpdateCompleteβ© in πΆ from quorum π β quorums(πΆ)218: Same as for DBLA (lines 106β112)
Lemma B.5 (Key update). If a pivotal configuration πΆ is su-
perseded, then there is no quorum of replicas in that configura-
tion capable of signing messages with timestamp height (πΆ), i.e.,οΏ½π β quorums(πΆ) s.t. βπ β π : stπ β€ height (πΆ).
We say that a correct client completes its operation in configuration
πΆ iff at the moment when the client completes its operation, thehighest configuration in its local history is πΆ .
Lemma B.6 (State transfer correctness).If some correct process completedWrite(π£, π) inπΆ or received π£ from
Read() operation completed in πΆ , then for each active installed con-
figuration π· such that πΆ β π· , there is a quorum ππ· β quorums(π·)such that for each correct replica in ππ· : π£ππ’ππ β₯ π£ .
The following lemma is the first lemma specific to DMR.
Lemma B.7 (MR-Atomicity in one configuration).If some correct process π completed Write(π£, π) in πΆ or received π£
from Read() operation completed in πΆ strictly before some correct
process π invoked Read() and π completed its operation inπΆ , then the
value returned to π is greater than or equal to π£ .
Proof. Recall that Read() operation consists of repeated callsto two procedures: Get() and Set(. . .). If process π successfullycompleted Set(. . .) in configurationπΆ , then, by the use of forward-secure signatures, configuration πΆ was active during the executionof Get() that preceded the call to Set. This also means that config-uration πΆ was active during the execution of Set(π£, π) by processπ , since it was before process π started executing its request. By thequorum intersection property, process π must have received π£ or agreater value from at least one correct replica. β‘
Petr Kuznetsov and Andrei Tonkikh
Theorem B.8 (MR-Atomicity). Our implementation of DMR sat-
isfies the MR-Atomicity property. If some correct process π completed
Write(π£, π) or received π£ from Read() strictly before some correct
process π invoked Read(), then the value returned to π must be greater
than or equal to π£
Proof. LetπΆ (resp., π·) be the highest configuration in πβs (resp.,πβs) local history when it completed its request. Also, let π£ (resp., π’)be the value that π (resp., π) passed to the last call to Set(. . .) (notethat both Read() andWrite(. . .) call Set(. . .)).
If πΆ = π· , then π’ β₯ π£ by Lemma B.7.Suppose, for contradiction, that π· β πΆ . Since correct replicas do
not reply to user requests in a configuration until this configurationis installed (line 197), configuration πΆ had to be installed before πcompleted its request. By Lemma B.5 (Key Update), this would meanthat π would not be able to complete Set(. . .) in π·βa contradiction.
The remaining case is when πΆ β π· . In this case, by Lemma B.6,the quorum intersection property, and the use of forward-securesignatures in Set(. . .), π received π£ or a greater value from at leastone correct replica during the execution of Get(). Therefore, inthis case π’ is also greater than or equal to π£ . β‘
Theorem B.9 (DMR safety). Our implementation satisfies the
safety properties of DMR: MR-Validity, MR-Atomicity, and Dynamic
Validity.
Proof. MR-Validity follows directly from the implementation:correct clients only return verifiable input values from Get()(line 187). MR-Atomicity follows directly from Theorem B.8. Dy-namic Validity follows from Theorem B.4. β‘
Liveness.
Lemma B.10 (History Convergence). Local histories of all cor-rect processes will eventually become identical.
Recall that the maximal installed configuration is the highestinstalled configuration and is denoted by Cmax (see Definition A.12and Lemma A.13 in Section A).
Lemma B.11 (Cmax installation). The maximal installed con-
figuration will eventually be installed by all correct replicas.
Lemma B.12 (State transfer progress). State transfer executedby a forever-correct replica always terminates.
Lemma B.13. Cmax will eventually become the highest configura-
tion in the local history of each correct process.
Theorem B.14 (MR-Liveness). Our implementation of DMR sat-
isfies the MR-Liveness property: every call to Read() andWrite(π£, π)by a forever-correct process eventually returns.
Proof. Let π be a forever-correct client that invoked Read()or Write(. . .). By Lemma A.16, Cmax will eventually become thehighest configuration in the local history of π . If the clientβs requestdoes not terminate by the time the client learns about Cmax, theclient will restart the request in Cmax. Since Cmax will eventuallybe installed by all correct replicas and will never be superseded,there will be a quorum of forever-correct replicas, and π will beable to complete its request there. β‘
Theorem B.15 (DMR liveness). Our implementation satisfies
the liveness properties of DMR: MR-Liveness, Dynamic Liveness, and
Installation Liveness.
Proof. MR-Liveness follows from Theorem B.14. Dynamic Live-ness and Installation Liveness follow directly from Lemmas B.13and B.11 respectively. β‘