Fail-Arbitrary Algorithm: Byzantine Masking Quorum

Distributed implementations of shared storage in the fail-arbitrary model can be separated into two classes: algorithms that use cryptographic digital signatures and algorithms that do not need them. In this section, we introduce a signature-free algorithm that relies on Byzantine masking quorums. An example of a so-called authenticated-dataalgorithm that uses signatures is given in Sect.4.7.2.

The principal difficulty with extending the “Majority Voting” algorithm (Algorithm4.2) to tolerate Byzantine faults lies in filtering out wrong timestamps and return values forged by faulty processes. Algorithm 4.14, called “Byzantine Masking Quorum,” works only for N > 4f. Its write operation proceeds as before:

the writer increments a timestamp, sends a timestamp/value pair to all processes, and expects N − f of them to reply with an acknowledgment. But the read opera-tion is different because a Byzantine process may send an arbitrary timestamp and a value that was never written.

In order to eliminate such faulty data, the reader receives timestamp/value pairs from more than (N + 2f)/2 processes; such a set of processes is also called a Byzantine masking quorum(Sect.2.7.3). From these values, the reader first elim-inates all pairs that occur only f or fewer times and then selects the value from the pair with the highest timestamp. If no pair remains after the elimination, the reader selects a default value v0 from the domain of the register. This filtering and selec-tion operaselec-tion, starting from a list of timestamp/value pairs, is encapsulated in a functionbyzhighestval(·). The algorithm implements only safe semantics because v0may never have been written to the register.

The other changes from Algorithm 4.2 to 4.14 are to use authenticated links for communication and to explicitly restrict the write operation to the given writer process. Note that all processes know the identity of the writer w and the write operation can only be invoked by process w.

Correctness. Assuming that N > 4f, Algorithm4.14implements a(1, N) Byzan-tine safe register. The termination property is obvious from the algorithm, because there are N − f correct processes and the algorithm only waits for more than (N + 2f)/2 messages of a given type. Because N −f > (N + 2f)/2, every correct process eventually stops waiting and returns from an operation.

The validity property follows from the use of Byzantine masking quorums. We show that a read operation that is not concurrent with any write returns the last value written. Suppose, process q executes the read and the last written value was v, written by process p with associated timestamp wts. During the write, process p has received ACKmessages from more than(N + 2f)/2 processes; suppose messages

Algorithm 4.14: Byzantine Masking Quorum Implements:

(1, N )-ByzantineSafeRegister, instance bonsr, with writerw. Uses:

AuthPerfectPointToPointLinks, instance al.

upon event⟨bonsr,Init⟩do (ts, val):=(0,⊥); wts:=0;

acklist:=_[⊥]^N; rid:=0;

readlist:=[⊥]^N;

upon event_⟨bonsr,Write_{| v ⟩}do // only processw

wts:=wts + 1; acklist:=_[⊥]^N; forallq∈ Πdo

trigger_⟨al,Send _{| q},[WRITE,wts, v]⟩;

upon event_⟨al,Deliver| p,[WRITE,ts^′, v^′]⟩such thatp = wdo ifts^′> tsthen

(ts, val):=(ts^′, v^′);

trigger_⟨al,Send_{| p},[ACK,ts^′]⟩;

upon event_⟨al,Deliver_{| q},[ACK,ts^′]⟩such thatts^′= wtsdo acklist[q]:= ACK;

if#(acklist) > (N + 2f )/2then acklist:=_[⊥]^N;

trigger_⟨bonsr,WriteReturn⟩; upon event_⟨bonsr,Read _⟩do

rid:= rid+ 1; readlist:=_[⊥]^N; forallq∈ Πdo

trigger_⟨al,Send _{| q},[READ, rid]⟩; upon event_⟨al,Deliver| p,[READ,r]⟩do

trigger_⟨al,Send_{| p},[VALUE,r, ts, val]⟩;

upon event_⟨al,Deliver_{| q},[VALUE,r, ts^′, v^′]⟩such thatr =riddo readlist[q]:=(ts^′, v^′);

if#(readlist) > ^N+2f₂ then v:=byzhighestval(readlist); readlist:=[⊥]^N;

trigger_⟨bonsr,ReadReturn_{| v ⟩};

from all f faulty processes are included. Thus, after the completion of the write, more than

N + 2f

2 − f

correct and informed processes store the pair(wts, v) in their variables ts and val, and the remaining up to (but less than)

N − N + 2f 2 correct processes are uninformed.

During the read, process q receives more than (N + 2f)/2 V^ALUE messages containing timestamp/value pairs, of which up to f may be from faulty processes and contain arbitrary data, and less than

N − N + 2f 2

may be from uninformed processes. Subtracting the latter from the former, there are still more than f messages from informed processes and contain the pair (wts, v). Consequently, the function byzhighestval(·) does not filter out this pair and wts is the largest timestamp received from any correct process; larger time-stamps received from faulty processes occur at most f times and are eliminated.

Hence,byzhighestval(·) returns v.

Performance. The algorithm uses the same number of messages as Algorithm4.2 for regular registers in the fail-silent model, from which it is derived. In total, it uses one communication roundtrip and O(N) messages for every operation.

4.7 (1, N) Byzantine Regular Register

When a write operation updates the stored data concurrently to a read operation in Algorithm4.14, the read may return the default value v0. Although permitted by safe semantics, this violates regular semantics. The problem is that the reader cannot distinguish old timestamp/value pairs and newly written ones from the ones that may have been forged by the faulty processes, and returns v0in case of doubt.

For extending Algorithm4.14 to implement a (1, N) regular register abstraction, however, the algorithm would need to return either the last written value or the concurrently written one. We define the(1, N) Byzantine regular register abstrac-tion in this secabstrac-tion and consider two algorithms to implement it. The first algorithm (Sect.4.7.2) uses data authentication through digital signatures, where as the second one (Sect.4.7.3) does not.

4.7.1 Specification

The(1, N) Byzantine regular register abstraction is basically the same as a (1, N) regular register, but with an explicit identification of the writer w and the restriction

Module 4.6: Interface and properties of a (1, N) Byzantine regular register Module:

Name: (1, N)-ByzantineRegularRegister, instance bonrr, with writer w.

Events:

Request: ⟨ bonrr, Read ⟩: Invokes a read operation on the register.

Request: ⟨ bonrr, Write | v ⟩: Invokes a write operation with value v on the register.

Executed only by process w.

Indication: ⟨ bonrr, ReadReturn | v ⟩: Completes a read operation on the register with return value v.

Indication: ⟨ bonrr, WriteReturn ⟩: Completes a write operation on the register.

Occurs only at process w.

Properties:

BONRR1–BONRR2: Same as properties ONRR1–ONRR2 in a (1, N) regular register (Module4.1).

of readers and writers to crash faults, as for Byzantine safe registers. The details of the abstraction are given in Module4.6.

4.7.2 Fail-Arbitrary Algorithm: Authenticated-Data Byzantine Quorum With the help of digital signatures one can easily circumvent the problem in Algorithm 4.14 mentioned earlier and obtain an implementation of a (1, N) Byzantine regular register. This solution has even better resilience (requiring only N > 3f ) than Algorithm4.14(whose resilience is N > 4f).

The idea behind the following “Authenticated-Data Byzantine Quorum” algo-rithm, shown in Algorithm 4.15, is for the writer to sign the timestamp/value pair and to store it together with the signature at the processes. The writer auth-enticates the data with its signature. The reader verifies the signature on each timestamp/value pair received in a VALUEmessage and ignores those with invalid signatures. A Byzantine process is thus prevented from returning an arbitrary time-stamp and value in the VALUEmessage, although it may include a signed value with an outdated timestamp. Algorithm4.15is now obtained from the “Majority Voting”

algorithm in the fail-silent model by adding data authentication and by employing Byzantine (majority) quorums (Sect.2.7.3) instead of ordinary (majority) quorums.

Note that only the clients, i.e., the reader and the writer, need to perform crypto-graphic digital signature operations; the server processes simply store the signatures and may ignore their meaning.

Correctness. Under the assumption that N > 3f, the termination property is stra-ightforward to verify: as there are N − f correct processes, the reader and the

Algorithm 4.15: Authenticated-Data Byzantine Quorum Implements:

(1, N )-ByzantineRegularRegister, instance bonrr, with writerw. Uses:

AuthPerfectPointToPointLinks, instance al.

upon event⟨bonrr,Init⟩do (ts, val, σ):=(0,⊥, ⊥); wts:=0;

acklist:=_[⊥]^N; rid:=0;

readlist:=[⊥]^N;

upon event_⟨bonrr,Write_{| v ⟩}do // only processw

wts:=wts + 1; acklist:=_[⊥]^N;

σ:=sign(self,bonrr_∥self_∥WRITE∥wts∥v); forallq∈ Πdo

trigger_⟨al,Send | q,[WRITE,wts, v, σ]⟩;

upon event_⟨al,Deliver_{| p},[WRITE,ts^′, v^′, σ^′]⟩such thatp = wdo ifts^′> tsthen

(ts, val, σ):=(ts^′, v^′, σ^′); trigger_⟨al,Send| p,[ACK,ts^′]⟩;

upon event_⟨al,Deliver_{| q},[ACK,ts^′]⟩such thatts^′= wtsdo acklist[q]:= ACK;

if#(acklist) > (N + f )/2then acklist:=_[⊥]^N;

trigger_⟨bonrr,WriteReturn_⟩; upon event_⟨bonrr,Read _⟩do

rid:= rid+ 1; readlist:=[⊥]^N; forallq∈ Πdo

trigger_⟨al,Send | q,[READ, rid]⟩; upon event_⟨al,Deliver_{| p},[READ,r]⟩do

trigger_⟨al,Send_{| p},[VALUE,r, ts, val, σ]⟩;

upon event_⟨al,Deliver| q,[VALUE,r, ts^′, v^′, σ^′]⟩such thatr =riddo if verifysig(q,bonrr_∥w∥WRITE∥ts^′∥v^′, σ^′)then

readlist[q]:=(ts^′, v^′); if#(readlist) > ^N+f₂ then

v:=highestval(readlist); readlist:=[⊥]^N;

trigger_⟨bonrr,ReadReturn| v ⟩;

writer receive

N− f > N + f 2 replies and complete their operations.

To see the validity property, consider a read operation by process q that is not concurrent with any write. Assume that some process p executed the last write, and that p has written value v with associated timestamp wts. When the read is invoked, more than(N + f)/2 processes have acknowledged to p that they would store wts and v in their local state. The writer has not signed any pair with a larger timestamp than wts. When the reader obtains V^ALUE messages from more than (N + f)/2 processes, at least one of these message originates from a correct process and contains wts, v, and a valid signature from p. This holds because every two sets of more than(N + f)/2 processes overlap in at least one correct process, as they form Byzantine quorums. The reader hence returns v, the last written value, because no pair with a timestamp larger than wts passes the signature verification step.

Consider now the case where the read is concurrent with some write of value v with associated timestamp wts, and the previous write was for value v^′ and time-stamp wts − 1. If any process returns wts to the reader q then q returns v, which is a valid reply. Otherwise, the reader receives at least one message containing v^′and associated timestamp wts − 1 from a correct process and returns v^′, which ensures regular semantics.

Performance. The algorithm uses the same communication pattern as Algorithm4.2 for regular registers in the fail-silent model and incurs two communication round-trips and O(N) messages for every operation. The algorithm adds the cryptographic operations for creating and verifying digital signatures by the clients.

The same approach can also be used to transform Algorithm4.6–4.7for a(1, N) atomic register in the fail-silent model into a (1, N) Byzantine atomic register, defined analogously in the fail-arbitrary model.

4.7.3 Fail-Arbitrary Algorithm: Double-Write Byzantine Quorum

In this section, we describe an algorithm with resilience N > 3f that implements a(1, N) Byzantine regular register abstraction and does not use digital signatures.

As we have seen with the previous algorithm, digital signatures greatly simplify the design of fail-arbitrary algorithms.

Tolerating less than N/3 arbitrary-faulty processes is optimal in this context.

For instance, no algorithm for implementing even a safe register on N = 3 pro-cesses without data authentication tolerates only one Byzantine process. Consider how such an algorithm would operate. Even without concurrency, the read operation should be wait-free, that is, not block after receiving a reply from only N − f = 2 processes. Hence, the reader should choose a return value from only two replies. But it may be that the third process is correct and only slow, and one of the replies was forged by the Byzantine process. As the two responses look equally plausible, the reader might return the forged value and violate the validity property of the register in this case.