Abstract
The problem of Byzantine Fault Tolerance (BFT) has received a lot of attention in the last 30 years. The seminal work by Fisher, Lynch, and Paterson (FLP) shows that there does not exist a deterministic BFT protocol in complete asynchronous networks against a single failure. In order to address this challenge, researchers have designed randomized BFT protocols in asynchronous networks and deterministic BFT protocols in partial synchronous networks. For both kinds of protocols, a basic assumption is that there is an adversary that controls at most a threshold number of participating nodes and that has a full control of the message delivery order in the network. Due to the popularity of Proof of Stake (PoS) blockchains in recent years, several BFT protocols have been deployed in the large scale of Internet environment. We analyze several popular BFT protocols such as Capser FFG/CBC-FBC for Ethereum 2.0 and GRANDPA for Polkadot. Our analysis shows that the security models for these BFT protocols are slightly different from the models commonly accepted in the academic literature. For example, we show that, if the adversary has a full control of the message delivery order in the underlying network, then none of the BFT protocols for Ethereum blockchain 2.0 and Polkadot blockchain could achieve liveness even in a synchronized network. Though it is not clear whether a practical adversary could actually control and re-order the underlying message delivery system (at Internet scale) to mount these attacks, it raises an interesting question on security model gaps between academic BFT protocols and deployed BFT protocols in the Internet scale. With these analysis, this paper proposes a Casper CBC-FBC style binary BFT protocol and shows its security in the traditional academic security model with complete asynchronous networks. Finally, we propose a multi-value BFT protocol XP for complete asynchronous networks and show its security in the traditional academic BFT security model.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Ali, M., Nelson, J., Blankstein, A.: Peer review: CBC Casper. https://medium.com/@muneeb/peer-review-cbc-casper-30840a98c89a. Accessed 6 Dec 2018
Ben-Or, M.: Another advantage of free choice: Completely asynchronous agreement protocols (extended abstract). In: Proceedings of 2nd ACM PODC, pp. 27–30 (1983)
Bracha, G.: An asynchronous \([(n-1)/3]\)-resilient consensus protocol. In: Proceedings of 3rd ACM PODC, pp. 154–162. ACM (1984)
Buterin, V., Griffith, V.: Casper the friendly finality gadget (2019)
Cachin, C., Kursawe, K., Shoup, V.: Random oracles in constantinople: practical asynchronous byzantine agreement using cryptography. J. Cryptol. 18(3), 219–246 (2005)
Dolev, D., Strong, H.R.: Polynomial algorithms for multiple processor agreement. In: Proceedings of 14th ACM STOC, pp. 401–407. ACM (1982)
Dwork, C., Lynch, N., Stockmeyer, L.: Consensus in the presence of partial synchrony. JACM 35(2), 288–323 (1988)
Fischer, M.J., Lynch, N.A., Paterson, M.S.: Impossibility of distributed consensus with one faulty process. JACM 32(2), 374–382 (1985)
Katz, J., Koo, C.Y.: On expected constant-round protocols for byzantine agreement. J. Comput. Syst. Sci. 75(2), 91–112 (2009)
Lamport, L.: The part-time parliament. ACM Trans. Comput. Syst. (TOCS) 16(2), 133–169 (1998)
Lamport, L., Shostak, R., Pease, M.: The Byzantine generals problem. ACM Trans. Program. Lang. Syst. (TOPLAS) 4(3), 382–401 (1982)
Ongaro, D., Ousterhout, J.: In search of an understandable consensus algorithm. In: 2014 USENIX Annual Technical Conference, pp. 305–319
Pease, M., Shostak, R., Lamport, L.: Reaching agreement in the presence of faults. JACM 27(2), 228–234 (1980)
Rabin, M.O.: Randomized byzantine generals. In: 24th IEEE FOCS, pp. 403–409. IEEE (1983)
Research, E.: CBC Casper FAQ. https://github.com/ethereum/cbc-casper/wiki/FAQ. Acceesed 27 Nov 2018
Stewart, A., Kokoris-Kogia, E.: GRANDPA: a byzantine finality gadge. https://github.com/w3f/consensus/blob/master/pdf/grandpa.pdf. Accessed 19 June 2020
Zamfir, V.: Casper the friendly ghost: a correct by construction blockchain consensus protocol, https://github.com/ethereum/research/tree/master/papers. Accessed 18 Dec 2017
Zamfir, V., Rush, N., Asgaonkar, A., Piliouras, G.: Introducing the minimal CBC Casper family of consensus protocols. https://github.com/cbc-casper/. Accessed 5 Feb 2019
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Bracha’s Strongly Reliable Broadcast Primitive
A Bracha’s Strongly Reliable Broadcast Primitive
Assume \(n>3t\). Bracha [3] designed a broadcast protocol for asynchronous networks with the following properties:
-
If an honest participant broadcasts a message, then all honest participants accept the message.
-
If a dishonest participant \(P_i\) broadcasts a message, then either all honest participants accept the same message or no honest participant accepts any value from \(P_i\).
Bracha’s broadcast primitive runs as follows:
-
1.
The transmitter \(P_i\) sends the value \(\langle P_i, initial, v\rangle \) to all participants.
-
2.
If a participant \(P_j\) receives a value v with one of the following messages
-
\(\langle P_i, \mathtt{initial}, v\rangle \)
-
\(\frac{n+t}{2}\) messages of the type \(\langle \mathtt{echo}, P_i, v\rangle \)
-
\(t+1\) message of the type \(\langle \mathtt{ready}, P_i, v\rangle \)
then \(P_j\) sends the message \(\langle \mathtt{echo}, P_i, v\rangle \) to all participants.
-
-
3.
If a participant \(P_j\) receives a value v with one of the following messages
-
\(\frac{n+t}{2}\) messages of the type \(\langle \mathtt{echo}, P_i, v\rangle \)
-
\(t+1\) message of the type \(\langle \mathtt{ready}, P_i, v\rangle \)
then \(P_j\) sends the message \(\langle \mathtt{ready}, P_i, v\rangle \) to all participants.
-
-
4.
If a participant \(P_j\) receives \(2t+1\) messages of the type \(\langle \mathtt{ready}, P_i, v\rangle \), then \(P_j\) accepts the message v from \(P_i\).
Assume that \(n\,=\,3t\,+\,1\). The intuition for the security of Bracha’s broadcast primitive is as follows. First, if an honest participant \(P_i\) sends the value \(\langle P_i, initial, v\rangle \), then all honest participant will receive this message and echo the message v. Then all honest participants send the ready message for v and all honest participants accept the message v.
Secondly, if honest participants \(P_{j_1}\) and \(P_{j_2}\) send ready messages for u and v respectively, then we must have \(u=v\). This is due to the following fact. A participant \(P_j\) sends a \(\langle \mathtt{ready}, P_j, u\rangle \) message only if it receives \(t+1\) ready messages or \(2t+1\) echo messages. That is, there must be an honest participant who received \(2t+1\) echo messages for u. Since an honest participant can only send one message of each type, this means that all honest participants will only sends ready message for the value u.
In order for an honest participant \(P_j\) to accept a message u, it must receive \(2t+1\) ready messages. Among these messages, at least \(t+1\) ready messages are from honest participants. An honest participant can only send one message of each type. Thus if honest participants \(P_{j_1}\) and \(P_{j_2}\) accept messages u and v respectively, then we must have \(u=v\). Furthermore, if a participant \(P_j\) accepts a message u, we just showed that at least \(t+1\) honest participants have sent the ready message for u. In other words, all honest participants will receive and send at least \(t+1\) ready message for u. By the argument from the preceding paragraph, each honest participant sends one ready message for u. That is, all honest participants will accept the message u.
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Wang, Y. (2021). The Adversary Capabilities in Practical Byzantine Fault Tolerance. In: Roman, R., Zhou, J. (eds) Security and Trust Management. STM 2021. Lecture Notes in Computer Science(), vol 13075. Springer, Cham. https://doi.org/10.1007/978-3-030-91859-0_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-91859-0_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91858-3
Online ISBN: 978-3-030-91859-0
eBook Packages: Computer ScienceComputer Science (R0)