Time-Free and Timer-Based Assumptions Can Be Combined to Solve Authenticated Byzantine Consensus HamoumaMoumen De´partementd’informatique, 5 LMA,Universite´ deBejaia, 06000Bejaia ,Algeria 1 0 [email protected] 2 n a Abstract J 1 TocircumventtheFLPimpossibilityresultinadeterministicwayseveralprotocolshavebeenpro- 3 posedontopofanasynchronousdistributedsystemenrichedwithadditionalassumptions.Inthecontext of Byzantine failures for systems where at most t processes may exhibit a Byzantine behavior, two ] C approaches have been investigated to solve the consensus problem.The first, relies on the addition of D synchrony, called Timer-Based, but the second is based on the pattern of the messages that are ex- changed,calledTime-Free.Thispapershowsthatbothtypesofassumptionsarenotantagonistandcan . s becombinedtosolveauthenticatedByzantineconsensus.Thiscombinedassumptionconsidersacorrect c [ processpi,called⋄2t-BW,andasetX of2tprocessessuchthat,eventually,foreachquerybroadcasted 1 byacorrectprocesspj ofX,pj receivesaresponsefrompi ∈ X amongthe(n−t)firstresponsesto thatqueryorbothlinksconnectingp andp aretimely. Basedonthiscombination,asimplehybridau- v i j 0 thenticatedByzantineconsensusprotocol,benefitingfromthebestofbothworlds,isproposed.Whereas 5 manyhybridprotocolshavebeendesignedfortheconsensusprobleminthecrashmodel,thisis,toour 0 knowledge,thefirsthybriddeterministicsolutiontotheByzantineconsensusproblem. 0 0 . 2 Keywords: Asynchronous distributed system, Byzantine process, Consensus, Distributed algorithm, 0 hybridprotocol,time-freeassumption,timer-basedassumption,Faulttolerance. 5 1 : v 1 Introduction i X r 1.1 Context ofthe Study and Motivation a The Consensus problem is one of the most attractive problems in the the field of asynchronous distributed systems. Itmaybeused asbuilding block todesign ortoimplement several applications on ontopoffault prone asynchronous distributed systems, since it abstracts several basic agreement problems. Solving the Consensus problem in an asynchronous distributed system where processes (even only one) may crash is impossible[12]. This impossibility result comes from the fact that it is impossible to distinguish a crashed process from a process that is slow or with which communication is slow. Toovercome this impossibility, asynchronousdistributedsystemshavetobeenrichedwithadditionalpowersuchasSynchronyassumptions [11],Commoncoins[30],randomization[5,21],unreliablefailuredetectors[7],andinputvectorrestrictions [27]. When considering the Consensus problem in a setting where some processes can behave arbitrarily (Byzantine behavior), solving this problem becomes more beneficial for designers or for developers of applications on top of Byzantine fault prone asynchronous distributed system, but the capacity of a such 1 behavior, makethistaskmorecomplexandmoredifficultcomparatively withcrashfailures. Thisdifficulty comes from the fact that a Byzantine process propose a wrong value and it tries to impose it on correct processes. 1.2 Related Works To solve the consensus with deterministic way , in the context of crash failures, synchrony assumptions must be added [11] or information about failures must be provided by a failures detectors associated with theprocesses ofthesystem [7]. Afailure detector canbeseenasablackboxthatgives(possibly incorrect) informationaboutprocessfailures. Threeapproacheshavebeeninvestigatedtoimplementfailuresdetectors. The first, called Timer-Based, considers the partially synchronous system model [7], which is generalizes themodelof[?],wherethereareboundsontherelativespeedofprocessesandmessagetransferdelays,but these bounds are not known and hold only after some finite but unknown time, called Global Stabilization Time(GST). The second approach, introduced in [22], does not assume timing assumptions about process speeds and communication delays. Thisapproach, called ”Time-Free”, isbased onthepattern ofmessages that are exchanged. It considers the query-response-based winning messages proposed in [22, 28] and the teta-model proposed in [34]. In the third approach,called hybrid , assumptions of both approaches cited abovearecombinedtoimplementfailuredetectors [26],[23]. InthecontextofByzantinefailure,themostofsolutionsfortheconsensusproblemconsiderthepartially synchronous system model where all links are eventually timely [3, 6, 9, 10, 17, 16, 18, 19]. In a such context, the notion of failure detector, originally designed for crash failures, is extended to mute failures [9,17]. Amutenessfailuredetectorprovidesinformationaboutprocessesthataresilent(didnotsendsome consensus protocol messages). Thiscategoryisuseddirectly in[13,14]tosolveByzantine consensus. For the classical partially synchronous models [7, 11] composed of n partially synchronous processes [11]amongwhereatmosttmaycrash,manymodels,thatrequireonlysomelinkswhichhavetobetimely, havebeenproposed[2,15,25]incontrastoftherelatedworkscitedabovewhichassumethatthewholesys- tem is eventually synchronous. The system model considered in [2] assumes at least an eventual t-source. An eventual t-source is a correct process with t outgoing eventually timely links (processes communicate usingpoint-to-point communicationprimitives). Ontheotherhand,thesystemmodelconsideredin[25]as- sumesabroadcastcommunicationprimitiveandatleastonecorrectprocesswithtbidirectional butmoving eventually timely links. These two models are not comparable [15]. In such a context, [2] proved that an t-source(eventualt-source)isnecessaryandsufficienttosolveconsensuswhichmeansthatitisnotpossible tosolveconsensusifthenumberofeventuallytimelylinksissmallerthantoriftheyarenotoutgoinglinks ofasamecorrectprocess. For the second approach [22], used to implement the failure detectors defined in [7], where the are no eventual bounds on process speeds and communication delays (Message Pattern), [23] proposed a leader protocol with very weak assumption on the patten of messages that are exchanged. This protocol assumes a correct process p and a set Q, possibly contains crashed processes, of t processes (with p ∋ Q) such i that, each time aprocess p ∈ Q broadcasts aquery, it receives aresponse from p among the first(n−t) j i corresponding responses (such aresponse iscalled awinning response). Thetwoprevious approaches (⋄t- source and Message Pattern) are combined , in [28], to obtain an eventual leader protocol. This combined assumptionconsiders astarcommunication structureinvolving (t+1)processes (theset+1processes can differ from a run of the system to another run) and is such that each of its t links can satisfy a property independently oftheproperty satisfiedbythet−1otherlinks. In the context of Byzantine consensus where t processes can exhibit an arbitrary behavior, Aguilera et al. [2]propose asystem modelwithweaksynchrony properties thatallowssolving theconsensus problem. 2 The model assumes at least an ⋄bisource (eventual bisource). An ⋄bisource is a correct process with all its outgoing and incoming links eventually timely. This means that the number of eventually timely links could be as low as 2(n−1) links. Their protocol does not need authentication and consists of a series of 3 rounds each made up of 12 communication steps and Ω(n ) messages. In [24] Moumen et al. proposed a system model that considers an eventual bisource with a scope of 2t. The eventual bisource assumed by [2] has the maximal scope (x = n.1). An eventual 2t-bisource (⋄2t-bisource) is a correct process wherethe number ofprivileged neighbors is2t wheret isthemaximum number offaulty processes. Their protocol needs authentication and consists of a series of rounds each made up of 5 communication steps 2 andΩ(n )messages. In[20],MoumenandMostefaoui propose aweaksystem modelthatdoesnotrelyon physicaltimebutonthepatternofmessagesthatareexchanged. Thismodelisbasedonthequery-response mechanism and assumes at least an ⋄2t-winning process (eventual 2twinning process). An ⋄2t-winning is is a correct process where the number of privileged neighbors is 2t , such that eventually, for each query broadcasted byanyofitsprivilegedneighbors ,anyofitsprivileged neighbors receivesaresponse fromthe ⋄2t-winning process among the (n −t) first responses to that query. Their protocol needs authentication 2 and consists of a series of rounds each made up of 5 communication steps and Ω(n ) messages. Note that this assumption does not prevent message delays from always increasing without bound. Hence, it is incomparable withthetimer-based ⋄2t-bisource assumption. 1.3 Contribution ofthe Paper The two previous approaches (Timer-Based and Time-free) have been considered both in the case of crash failures and Byzantine failures , but they have never been combined in the case of Byzantine faults. This paper shows that timer-based and Time-Free assumptions can be combined and proposes a system model where processes are partially synchronous and the communication model satisfies the requirements of the combined assumption. This combined assumption consider a correct processes p , called ⋄2t-BW (B for i Bisource and W for Winning), and a set X of 2t processes (some processes may be Byzantine), such that ,eventually, for each query broadcasted by a correct process p of X, p receives a response from p ∈/ X j j i amongthe(n−t)firstresponsestothatqueryorbothlinksconnectingp andp aretimely. Inthecaseone i j all links that connect p withprocesses of X then the p isa⋄2t-bisource, but in the case one all processes i i of X receives the response ofp among the(n−t)response for each query that have broadcasted, then p i i is⋄2t-winning process. For the assumed model, a simple hybrid authenticated Byzantine consensus protocol, benefiting from the best of both worlds, is proposed. To our knowledge, this is the first protocol that combines between Timer-BasedandTime-FreeAssumptionstosolveauthenticated Byzantine consensus. 1.4 OrganizationofthePaper The paper is made up of six sections. Section 2 presents the basic computation model and the Consensus problem. Then,Section3presentstheconsensusprotocol,witha⋄2t-BW,weproposeandSection4proves itscorrectness.Finally, Section5concludes thepaper. 3 2 Basic Computation Model and Consensus Problem 2.1 Asynchronous Distributed System with Byzantine Process We consider a message-passing system consisting of a finite set Π of n (n > 1) processes, namely, Π = {p1,...,pn}. A process executes steps (send a message, receive a message or execute local computation). Value t denotes the maximum number of processes that can exhibit a Byzantine behavior. A Byzantine process may behave in an arbitrary manner. It can crash, fail to send or receive messages, send arbitrary messages, start in an arbitrary state, send different values to different processes, perform arbitrary state transitions, etc. A correct process is one that does not Byzantine. A faulty process is the one that is not correct. Processes communicate and synchronize with each other by sending and receiving messages over a network. The link from process p to process q is denoted p → q. Every pair of process is connected by two links p → q and q → p. Links are assumed to be reliable: they do not create, alter, duplicate or lose messages. Thereisnoassumption abouttherelativespeedofprocesses ormessagetransferdelays. 2.2 Anauthentication mechanism In order to deal with the power of Byzantine processes, We assume that an authentication mechanism is available. ApublickeycryptographysuchasRSAsignatures[31]isusedbyaprocesstoverifytheoriginal sender of the message and to force a process to relay the original message received. In our authenticated Byzantine model, weassume thatByzantine processes arenotable tosubvert thecryptographic primitives. To prevent a Byzantine process to send different values to different processes, each message has to carry a value and the set of (n−t) values received by a process during the previous step. The included signed valuescanbeusedbyareceiving processtocheckwhetherthevaluesentbyanyprocesscomplieswiththe values received atthe previous step. Thisset ofsigned values iscalled certificate and its role istoprove to thereceiverthatthevalueislegal. To ensure the message validity, each process has an underlying daemon that filters the messages it receives. Forexample, the daemon will discard all duplicate messages (necessarily sent by Byzantine pro- cessesasweassumereliablesendandreceiveoperationsbetweencorrectprocesses). Thedaemon,willalso discardallmessagesthatarenotsyntactically correct, orthatdonotcomplywiththetextoftheprotocol. 2.3 A Time-Free Assumption Query-Response Mechanism In this paper, we consider that each process is provided with a query- response mechanism. More specifically, any process p can broadcast a QUERY () message and then wait for corresponding RESPONSE() messages from (n−t) processes. Each of this RESPONSE() messages isawinning response forthat query, and the corresponding sender processes are thewinning processes for thatquery. Theothersresponsesreceivedafterthe(n−t)RESPONSE()messagesarethelosingresponses for that query, and automatically discarded. A process issues a new query only when the previous one has terminated (the first (n−t)responses received). Finally, the response from aprocess to its ownqueries is assumedtoalwaysarriveamongthefirst(n−t)responses thatiswaitingfor. Henceforth, wereusethedefinitionof[22,26,23,28]todefineformallyawinninglink,anx-winning. Definition1 Letpandq betwoprocesses. Thelinkp → q iseventually winning(denoted ⋄WL)ifthereis atimeτ suchthattheresponsefromptoeachqueryissuedbyqafterτ isawinningresponse(τ isfinitebut unknown). 4 Definition2 A process p is an x-winning at time τ if p is correct and there exists a set X of processes of size x, such that: for any process q in X, the link p → q is winning. The processes of X are said to be privileged neighbors ofp. ′ Definition3 Aprocesspisan⋄x-winningifthereisatimeτ suchthat,forallτ ≥ τ,pisanx-winningat ′ τ . 2.4 A Timer-Based Assumption Hereafter, werephrasethedefinitionof[15]todefineformallyatimelylinkandanx-bisource. Definition4 A link from a process p to any process p is timely at time τ if (1) no message sent by p at i j i timeτ isreceived atp aftertime(τ +δ)or(2)process p isnotcorrect. j j Definition5 Aprocessp isanx-bisourceattimeτ if: i -(1)p iscorrect i -(2)Thereexists asetX ofprocesses ofsizex,suchthat: foranyprocess p inX,bothlinksfromp top j i j andfromp top aretimelyattimeτ. Theprocesses ofX aresaidtobeprivileged neighbors ofp . j i i ′ Definition6 Aprocessp isan⋄x-bisource ifthereisatimeτ suchthat,forallτ ≥ τ,p isanx-bisource i i ′ atτ . 2.5 Combining Time-Free andTimer-Based Assumptions Definition7 Aprocessp isan⋄x-BWattimeτ if: i -(1)ThereexistsasetY ofprocesses ofsizey andasetZ ofprocesses ofsizez suchthat, Y ∩Z = ∅and y+z = x ′ ′ -(2)Thereisatimeτ suchthat,forallτ ≥ τ,p isany-bisourceandanz-winning atthesametimeτ . If i y = 0thenp isanx-winningandifIfz = 0thenp isanx-bisource. i i For the rest of the paper, we consider an asynchronous distributed system where the only additional assumptions arethoseneededbythe⋄x-BW. 2.6 The Consensus Problem We consider the multivalued consensus problem, where there is no bound on the cardinality of the set of proposablevalues. Inthemultivaluedconsensusproblem,everyprocessp proposesavaluevandallcorrect i processes havetoeventually decideonasinglevalueamongthevaluesproposed bytheprocesses. Formally,theconsensus problem isdefinedbythefollowingthreeproperties: Letusobservethat,inaByzantinefailurecontext,theconsensusdefinitionshouldnotbetoostrong. For example,itisnotpossibletoforceafaultyprocesstodecidethesamevalueasthecorrectprocesses, sincea Byzantineprocesscandecidewhateveritwants. Similarly,itisnotreasonabletodecideanyproposedvalue sinceafaultyprocesscaninitiallyproposedifferentvaluestodistinctprocessesandconsequently thenotion of “proposed value” may not be defined for Byzantine processes. Thus, in such a context, the consensus problem isdefinedbythefollowingthreeproperties: • Termination: Everycorrect processeventually decides. 5 • Agreement: Notwocorrect processes decidedifferentvalues. • Validity: Ifallthecorrectprocesses propose thesamevaluev,thenonlythevaluev canbedecided. 3 An Authenticated Byzantine Consensus Protocol With ⋄2t-BW Figure1presents anauthenticated Byzantine consensus protocol inasynchronous distributed system where the only additional assumptions are those needed by the ⋄x-BW. The principle of the proposed protocol is similar to those that have been proposed in[20, 24]except the coordination phase atthe beginning ofeach round. Each process p executes the code of the protocol given by Figure 1. This protocol is composed of i threetasks: amaintask(T1),acoordination task(T2),andadecisiontask(T3). beforeexecutingthefirstround(r = 1),eachprocessp keepsitsestimateofthedecisionvalueinalocal i variableest andstartsbytheinitphaseinordertoguaranteethevalidityproperty.Inthisphase,eachprocess i pi sends INIT(vi)message,thatcontaining itsestimate,toallprocesses.If pi receivesatleast(n−2t) INIT messages forv thenitchange itsestimatetov,elseitkeeps itsownestimate. Afterthisphase, theprotocol proceeds in consecutive asynchronous rounds. Each round r is composed of four communication phases andiscoordinated byapredetermined processp (line4). c Firstphaseofaroundr(lines5-8). Eachprocessthatstartsaround((includingthecoordinatoroftheround) firstsends itsownestimate (withthe associated certificate) tothe coordinator (p )ofthe current round and c setsatimerto(∆ [c]). i In a separate task T2[r](line 21), Each time a process receives a valid QUERY message (perhaps from itself)containinganestimateest,itsendsaRESPONSEmessagetothesender. Iftheprocessthatrespondsto aquerymessageisthecoordinator oftheroundtowhichisassociated thequerymessage,thevalueitsends inthe RESPONSEmessage isthecoordination value. Ifthe process that responds isnot thecoordinator, it responds withanyvalueastheroleofsuchamessageisonlytodefinewinninglinks. asthereadercanfind itinlines 22-23,the valuesent bythe coordinator isthevalue contained inthefirstvalid query message of therounditcoordinates. In the main task at line 6, a process p waits for the response from p (the coordinator of the round) or i c forexpiration ofthetimerofp (∆ [c])andfor(n−t)responses fromothers processes. Inthelattercase, c i process p issure that p isnot the⋄2t-BW asitsresponse isnot winning and itslink withp isnot timely. i c i Ifaprocess p receivesaresponse fromthecoordinator thenitkeepsthevalueinavariableaux otherwise i i it sets aux to a default value ⊥(this value cannot be proposed). If the timer times out while waiting for i the response from p , ∆ [c] is incremented and p considers that its link with p is not eventually timely c i i c or p is Byzantine or the value ∆ [j] is not set to the right value. As ∆ [c] is incremented each time p ’s c i i c responses misses thedeadline, itwilleventually reach the bound ontheround trip between p and p ifthe i c linkbetweenbetweenthemistimely. Ifthe current coordinator isa⋄2t-BW then atleast (t+1)correct processes willgetthe value v ofthe coordinator and thus set their variable aux to v (6= ⊥). The next phases will serve to propagate this value fromthe(t+1)correctprocessestoallcorrectprocesses. Indeed,amongthe2tprivilegedneighborsofthe currentcoordinator atleasttarecorrectprocesses andallofthemwillreceivethevalueofthecoordinator . Ifthecurrentcoordinator isByzantine, itcansendnothing tosomeprocesses and/or perhaps senddifferent certified values to different processes . If the current coordinator is not a ⋄2t-BW or if it is Byzantine, the three next phases allow correct processes to behave in a consistent way. Either none of them decides or if some of them decides a value v despite the Byzantine behavior of the coordinator, then the only certified value for the next round will be v preventing Byzantine processes from introducing other values. The aim 6 ofthefirstphase isthat ifthe coordinator isan⋄2t-BW thenatleast (t+1) correct process willgetitsvalue attheendofline7. Secondphaseofaroundr(lines9-11). Duringthesecondphase,allcorrectprocessesrelay,atline9,either the value they received from the coordinator (with its certificate) or the default value ⊥ if they timed out andtheyreceived(n−t)RESPONSEmessagesfromothersprocesses. Eachprocesscollects (n−t)valid messages and stores the values in a set V (line 9). Atline 9, if the coordinator is correct only one value is i validandcanberelayed. Moreover,ifthecurrentcoordinatorisa⋄2t-BWthenanycorrectprocessp willgetinitssetV atleast i i one copy of the value of the coordinator as among the (t+1) copies sent by the (t+1) correct processes that got the value of the coordinator a correct process cannot miss more than t copies (recall that a correct process collect (n − t) valid messages). If the coordinator is not a ⋄2t-BW or if it is Byzantine, some processescanreceiveonly⊥values,othersmayreceivemorethanonevalue(thecoordinator isnecessarily Byzantine in this case) and some others can receive a unique value. This phase has no particular effect in such a case. The condition (V −{⊥} = {v}) of line 11 means that if there is only one non-⊥ value v in i V then this value is kept in aux otherwise, aux is set to ⊥. The aim of this second phase is that if the i i i coordinator isan⋄2t-BWthenallthecorrectprocesses willgetitsvalue. Thirdphaseofaroundr (lines 12-14).Thisphase isafilter; itensures thatatthe end ofthis phase, atmost one non ⊥ value can be kept in the aux variables in the situations where the coordinator is Byzantine. If the coordinator is correct, this is already the case. When the coordinator is Byzantine twodifferent correct processes mayhavesettheiraux variables todifferent values. Thisphaseconsists ofanall-to-all message i exchange. Each process collects (n −t) valid messages the values of which are stored in a set V . If all i received messages contain the same value v (V = {v}) then v is kept in aux otherwise aux is set to the i i i defaultvalue⊥. Attheendofthisphase, thereisatmostone(ornone)certifiedvaluev (=6 ⊥). Fourthphaseofaroundr(lines15-19). This phase ensures that the Agreement property will never be violated. This prevention is done in the followingway. Ifacorrectprocessp decidesvduringthisroundthenifsomeprocessesprogresstothenext i round, thenv istheonlycertifiedvalue. Inthisdecision phase,aprocessp collects(n−t)validmessages i andstorethevaluesinV . IfthesetV ofaprocessp containsauniquenon ⊥valuev,p decidesv. Indeed i i i i among the (n−t) same values v received by p , at least n−2t have been sent by correct processes. As i (n−t)+(n−2t) > n any set of (n−t) valid signed messages of this phase includes at least one value v. Hence, allprocesses receiveatleast onevaluev (theothervalues couldbev or⊥)andtheonlycertified valueforthenextroundsisv. Thismeansthatduringthenextround(ifany)nocoordinator(whethercorrect orByzantine) cansendavalidvaluedifferent fromv. If during the fourth phase, a process p receives only ⊥ values, it is sure that no process can decide i duringthisroundandthusitcankeepthevalueithasalreadystoredinest (thecertificatecomposedofthe i (n−t)validsignedmessagesreceivedduringphasefourcontaining ⊥values,allowp tokeepitsprevious i valuesest ). i Beforedeciding(line17),aprocessfirstsendstoallotherprocessesasignedmessageDECthatcontains the decision value (and the associated certificate). This will prevent the processes that progress to the next round from blocking because some correct processes have already decided and stopped sending messages. When a process pi receives a valid DEC message at line 24, it first relays is to all other processes and then decides. Indeed,taskT3isusedtoimplementareliablebroadcasttodisseminatetheeventualdecisionvalue 7 preventing somecorrectprocesses fromblocking whileothersdecide. 4 Correctness of the protocol ′ ′ Lemma1 Iftowcorrectsprocesses p andp decidev andv ,respectively, thenv = v . i j ′ ′ Proof Theproofisbycontradiction. Supposethatp andp decidev andv ,respectively, suchthatv 6= v . i j ′ Thismeansthatv appearsatleast(n−t)timesinV andv alsoappears atleast(n−t)timesinV atline i j 16. This means that |V |+ |V | ≥ 2(n − t). Since, the (n − t) correct processes send (according to the i j protocol) thesamemessagetobothprocesses andthetByzantineprocesses cansenddifferent messagesto them, we have |V |+ |V | ≤ (n − t)+ 2t = (n + t). This leads to (n + t) ≥ 2(n − t) i.e. n ≤ 3t a i j contradiction asweassumen > 3t. ✷ Lemma1 Lemma2 Ifacorrectprocess p decidesv 6= ⊥during aroundr,thenallcorrectprocesses startthenext i roundwiththesameestimatev iftheyhavenotdeciding. Proof Letusfirstnotethatifanycorrectprocessdecidesonthevaluev 6= ⊥attheroundrthenallcorrect processes, thathavenotdecided, settheirestimates tov because eachofthese processes receives atline22 at a least one FILT2(ri,aux) message carrying the value v. Moreover, all correct processes start a round r+1withthesameestimatev. The proof is by contradiction. Suppose that a correct process p decides v at a round r (line 17) and a i ′ correct process p hasnotdecided atthisroundandsetsownestimatetov 6= v. ThismeansthatthesetV j j of p contains only values different to v. By assumption, the value v, appears in V at least (n−t) times j i because ithasdecided. Asthere are tByzantine processes, v isreceived byp atleast (n−2t)timesfrom i correctprocesses. Fromthese(n−2t)messagesforp atmosttareloosedbyp ,becauseitwaitfor(n−t) i j messages at (line 16). From this, we can conclude that V contains at least (n− 3t) ≥ times the value v j (n > 3t). Moreover,p setsitsestimatetov . Acontradiction. ✷ j Lemma2 Corollary 1 Ifacorrectprocessp decidesacertifiedvaluev duringaroundr,thenonlyv canbedecided i inthesameorinsubsequent rounds. Proof Letusconsider thataprocessp decidesavaluev inaroundr. Ifacorrectprocessp decides atthe i j sameround r then, bylemma1,itdecides the samevalue v decided byp . Ifacorrect process p does not i j decide at the same round r then, by lemma 2, all correct processes start the next round r +1 by the same estimate value v decided by p at a round r.Indeed, in the latter case, v will be the only certified value as i even⊥isnotcertifiedasacertificateforthevaluethatwillbeusedduringthenextroundiscomposedbya set of(n−t)messages aswesaid above that anysuch set includes atleast one value v. From nowon, the onlyvaluethatcanbeexchanged isv andonlyv canbedecided ✷ Corollary 1 Theorem1(agreement) Notwocorrectprocesses decidedifferently. Proof Ifacorrect process decidesatline24,itdecidesacertifiedvaluedecided byanother process. Letus consider the firstround where aprocess decides atline 17. ByCorollary ??,ifaprocess decides acertified 8 FunctionConsensus(v) i Init:ri←0;∆i[1..n]←1; TaskT1: %basictask% ——————————————————-initphase———————————————————– (1) sendINIT(vi)toall; (2) waituntil(cid:0)INITmessagesreceivedfromatleast(n−t)distinctprocesses(cid:1); (3) if(cid:0)∃v:receivedatleast(n−2t)times(cid:1)thenesti←velseesti←viendif; repeatforever (4) c←(ri mod n)+1;ri ←ri+1; —————————————————-roundr ———————————————————– i (5) sendQUERY(ri,esti)toall;settimer(∆i[c]); (6) waituntil(cid:0)RESPONSE(ri,est)receivedfrompc(cid:1) or(cid:0)time-outand(RESPONSE(ri,est)receivedfrom(n−t)distinctprocesses(cid:1); (7) ifRESPONSE(ri,est)receivedfrompcthenauxi←estelseauxi←⊥; (8) if(timertimesout))then∆i[c]←∆i[c]+1elsedisabletimerendif; (9) sendRELAY(ri,auxi)toall; (10) waituntil(cid:0)RELAY(ri,∗)receivedfromatleast(n−t)distinctprocesses)storevaluesinVi; (11) if(Vi−{⊥}={v})thenauxi←velseauxi←⊥endif; (12) sendFILT1(ri,auxi)toall; (13) waituntil(cid:0)FILT1(ri,∗)receivedfromatleast(n−t)distinctprocesses)storevaluesinVi; (14) if(Vi ={v}) thenauxi←velseauxi←⊥endif; (15) sendFILT2(ri,auxi)toall; (16) waituntil(cid:0)FILT2(ri,∗)receivedfromatleast(n−t)distinctprocesses)storevaluesinVi; (17) case(Vi ={v}) thensendDEC(v)toall;return(v); (18) (Vi ={v,⊥}) thenesti←v; (19) endcase; ————————————————————————————————————————– endrepeat TaskT2[r]: %Query-responsecoordinationtask-Thereisonesuchtaskperroundr% (20) c esti←⊥ (21) uponreceiptofQUERY(r,est)frompj; (22) ifpiisthecoordinatoroftheroundrandc esti←⊥thenc esti←est; (23)sendRESPONSE(ri,c esti)topj TaskT3: (24) uponreceiptofDEC(est):sendDEC(est)toall;return(est); Figure1: AnAuthenticated ByzantineConsensus ProtocolWith⋄2t-BW 9 value during thesameround, itdecides the samevalue. Ifaprocess decides after receiving a DEC message at line 24 it decides the same value. Any process that starts the next round with its local variable est 6= v i willseeitsmessagesrejected(novaluedifferent fromv canbecertified). ✷ Theorem1 ′ Lemma3 Ifnoprocess decidesduringaroundr ≤ r,thenallcorrectprocesses startroundr+1. Proof Letusfirstnotethatacorrectprocesscannotbeblockedforeverintheinitphase. Moreover,itcannot beblockedatline6becauseofthetime-outandatleast(n−t)processes respond toQUERYmessages. ′ Suppose that no process has decided a value v during a round r ≤ r, where r is the smallest round numberinwhichacorrectprocessp blocksforever. Theproofisbycontradiction. i Byassumption, p isblockedatlines10,13or16. i Let us first examine the case where p blocks at line 10, which is the first statement of round r where i a process can block forever. This means that at least (n −t) correct processes eventually execute line 9, because processes are partially synchronous. Consequently as communication is reliable between correct processes the messages sent by correct processes will eventually arrive at p that blocks forever at line 10. i Thecases wherep blocks atline 13or 16are similar to this firstcase. It follows that ifp does not decide, i i itwillproceed tothenextround. Acontradiction. ✷ Lemma3 Theorem2(termination) Ifthereisa⋄2t-BWinthesystem,thenallcorrectprocesses eventually decide. Proof Astheprotocolusesauthentication, ifsomeprocessreceivesavalidDECmessage,itcandecideeven if the message has been sent by a faulty process. Recall that a Byzantine process cannot forge a signature. If a correct process decides at line 17 or at line 24 then, due to the sending of DEC messages at line 17 or line 24, respectively, prior to the decision, any correct process will receive such a message and decide accordingly (line24). So,supposethatnocorrectprocessdecides. Theproofisbycontradiction. Byhypothesis,thereisatime τ afterwhichthereisaprocessp thatisa⋄2t-BW.Letp beacorrectprocessandoneofthe2tprivileged x j neighbors ofp . Letr bethe firstround thatstarts after τ andthat iscoordinated byp . Asbyassumption x x noprocessdecides, duetoLemma3. Allcorrectprocessesp (andpossiblysomeByzantineprocesses)startroundrandsendavalidQUERY i message to p (line 5). This QUERY message contains a value est which is the estimate of process p . x i Whenthecoordinator p ofroundrreceivesthefirstQUERYmessage(line21)possibly fromitself,itsets x a local variable c est to the valid value contained in the message. Then each time process p receives a x x QUERY message related to this round (r), it sends a RESPONSE message to the sending process. If we consideranycorrectprocessp privilegedneighborofp ,theRESPONSEmessagefromp thecoordinator i x x totheQUERYmessageofp willbereceivedbyp amongthefirstn−tresponsesbecausethelinkbetween i i p andp iswinning ortheRESPONSEmessagefrom p willbereceived byp before expiration of∆ [x] i x x i i ,because thelinkbetweenp andp istimely(line21). i x In the worst case, there are t Byzantine processes among the 2t + 1 privileged neighbors of p . A x Byzantine process can either relay the value of p (t Byzantine processes, t correct processes and itself). x Duringthenextphase,aByzantineprocesscaneitherrelaythevalueofp orrelay⊥arguingthat∆ [x]has x i expiredanditdidnotreceivetheresponseofp amongthefirst(n−t)RESPONSEmessages(thevalueof x p and ⊥ are the only twovalid values for this round). This allows to conclude that the value v sent by p x x 10