Blockchains: Principles and Applications
Wenbing Zhao
Department of Electrical Engineering and Computer Science
Cleveland State University
w.zhao1@csuohio.edu
12/14/2021

Background Knowledge
- Introduction to cryptography
- Symmetric-key algorithms
- Public-key algorithms
- Digital signatures, message digest, message authentication code
- Public key management
- Distributed consensus
- Paxos
- Byzantine fault tolerance

Cryptography Terminology
- Encryption is the process of encoding a message so that its meaning is not obvious
  - Equivalent terms: encode, encipher
- Decryption is the reverse process, transforming an encrypted message back into its normal, original form
  - Equivalent terms: decode, decipher
- Plaintext: message to be encrypted
- Ciphertext: encrypted message

Cryptography Terminology
- The cryptosystem involves a set of rules for how to encrypt the plaintext and how to decrypt the ciphertext
- Why encryption?
  - It addresses the need for confidentiality of data, also helps to ensure integrity
  - It forms the basis of protocols that enable us to provide security while accomplishing system or network tasks

Cryptography Terminology
- The encryption and decryption rules are called encryption and decryption algorithms
- Encryption/decryption algorithms often use a device called a key, denoted by K, so that the resulting ciphertext depends on the original plaintext message, the algorithm, and the key value
- An encryption scheme that does not require the use of a key is called a keyless cipher

Symmetric Encryption
- The encryption and decryption keys are the same, so P = D(K, E(K, P))
- D and E are closely related. They are mirror-image processes
- The symmetric systems provide a two-way channel to their users
- The symmetry of this situation is a major advantage of this type of encryption, but it also leads to a problem: key distribution

Symmetric Encryption
- D_K(E_K(P)) = P

Asymmetric Encryption
- Encryption and decryption keys come in pairs. The decryption key, K_D, inverts the encryption of key K_E, so that P = D(K_D, E(K_E, P))
- Asymmetric encryption systems excel at key management

Cryptology
- Cryptology is the research into and study of encryption and decryption; it includes both cryptography and cryptanalysis
- Cryptography – art of devising ciphers
  - Comes from Greek words for “secret writing”. It refers to the practice of using encryption to conceal text
- Cryptanalysis – art of breaking ciphers
  - Study of encryption and encrypted messages, hoping to find the hidden meanings

Cryptanalysis
- Attempt to break a single message
- Attempt to recognize patterns in encrypted messages, to be able to break subsequent ones
- Attempt to deduce the key, in order to break subsequent messages easily
- Attempt to find weaknesses in the implementation or environment of use of encryption
- Attempt to find general weaknesses in an encryption algorithm

Cryptanalysis
- Traffic analysis: attempt to infer some meaning without even breaking the encryption, e.g.,
  - Noticing an unusual frequency of communication
  - Determining something by whether the communication was short or long

Cryptanalysis – Breaking Encryption Schemes
- Ciphertext-only: cryptanalyst has a quantity of ciphertext and no plaintext
- Known plaintext: cryptanalyst has some matched ciphertext and plaintext
- Chosen plaintext: cryptanalyst has the ability to encrypt pieces of plaintext of his own choosing

Basic Encryption Methods
- Substitution ciphers: one letter is exchanged for another
- Transposition ciphers: order of letters is rearranged

Substitution Ciphers
- Idea: each letter or group of letters is replaced by another letter or group of letters
- Caesar cipher – circularly shift by 3 letters
  - a -> D, b -> E, … z -> C
  - More generally, shift by k letters, k is the key
- Monoalphabetic cipher – map each letter to some other letter
  - a b c d e f … w x y z
  - Q W E R T Y … V B N M  <= the key

Cryptanalysis of Substitution Ciphers
- Brute force cryptanalysis would have to try 26! permutations of a particular ciphertext message
- Smarter way: use frequencies of letters, pairs of letters etc., or guess a probable word or phrase. Most frequently occurring:
  - Letters: e, t, o, a, n, …
  - Digrams: th, in, er, re, an, …
  - Trigrams: the, ing, and, ion, ent
  - Words: the, of, and, to, a, in, that, …
- When messages are long enough, the frequency distribution analysis quickly betrays many of the letters of the plaintext

Transposition Ciphers
- Substitution cipher – preserves order of plaintext symbols but disguises them
- Transposition cipher – reorders (rearranges) symbols but does not disguise them. It is also called permutation
- With transposition, the cryptography aims for
  - Widely spreading the information from the message or the key across the ciphertext
  - Transpositions try to break established patterns

Columnar Transposition
- Plaintext written in rows, number of columns = key length
- Key is used to number the columns
- Ciphertext read out by columns, starting with column whose key letter is lowest

Columnar Transposition
- A transposition cipher example
[Figure: a transposition cipher example]

One-Time Pads
- One-time pad: construct an unbreakable cipher
  - Choose a random bit string as the key
  - Convert the plaintext into a bit string
  - Compute the XOR of these two strings, bit by bit
  - The resulting ciphertext cannot be broken, because in a sufficiently large sample of ciphertext, each letter will occur equally often, as will every digram, every trigram, and so on => There is simply no information in the message because all possible plaintexts of the given length are equally likely

One-Time Pads
- Disadvantages
  - The key cannot be memorized, both sender and receiver must carry a written copy with them
  - Total amount of data that can be transmitted is limited by the amount of key available
  - Sensitive to lost or inserted characters

Symmetric-Key Algorithms
- DES – The Data Encryption Standard
- AES – The Advanced Encryption Standard
- Other Ciphers
- Cipher Modes

Data Encryption Standard
- Developed by IBM. US standard for unclassified info (1977)
- Same key for encryption as for decryption
- Encrypts in 64-bit blocks
- Uses 56-bit key
- Has 19 stages, 16 parameterized by different functions of the key

Triple DES
- Triple DES – effectively increases the key length. It uses two keys and three stages
  - In first stage, the plaintext is encrypted using DES in the usual way with K_1
  - In second stage, DES is run in decryption mode, using K_2 as the key
  - In third stage, another DES encryption is done with K_1
[Figure: Triple DES encryption; Triple DES decryption]

AES – The Advanced Encryption Standard
- AES is a result of a cryptographic contest
  - Organized by NIST in 1997
- Rules for AES proposals
  1. The algorithm must be a symmetric block cipher
  2. The full design must be public
  3. Key lengths of 128, 192, and 256 bits supported
  4. Both software and hardware implementations required
  5. The algorithm must be public or licensed on nondiscriminatory terms
- Winner: Rijndael (from two Belgian cryptographers: Joan Daemen and Vincent Rijmen)

Other Symmetric-Key Ciphers

Cipher Modes
- A block cipher (e.g., AES & DES) is basically a monoalphabetic substitution cipher using big characters
  - Whenever the same plaintext block goes in the front end, the same ciphertext block comes out the back end
  - If you encrypt the plaintext abcdefgh 100 times with same DES key, you get the same ciphertext 100 times
  - An intruder can exploit this property to help subvert the cipher

Electronic Code Book Mode
- In ECB mode, each plaintext block is encrypted independently with the block cipher
- ECB allows easy parallelization to yield higher performance. However, no processing is possible before a block is seen

Electronic Code Book Mode - Problems
- In ECB, plaintext patterns are not concealed
  - Each identical block of plaintext gives an identical block of ciphertext. The plaintext can be easily manipulated by removing, repeating, or interchanging blocks
- Example
[Figure: ECB example]

Cipher Block Chaining Mode
- To avoid the ECB mode problem: replacing a block will cause the plaintext decrypted starting at the replaced block to become garbage
- Exclusive OR the encrypted text with the next block of plaintext before encryption:
  - C_0 = E(P_0 XOR IV), C_1 = E(P_1 XOR C_0), etc.
- Need an initialization vector (IV) to bootstrap
- Drawback: must wait until full 64-bit (128-bit) block to arrive to decrypt

Cipher Block Chaining Mode
- Exclusive OR the encrypted text with the next block of plaintext before encryption: C_0 = E(P_0 XOR IV), C_1 = E(P_1 XOR C_0), etc.
[Figure: initialization vector; (a) Encryption, (b) Decryption]
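
Added example (not part of the original slides): the ECB problems and the CBC chaining rule above, run side by side. The block cipher E/D is a toy 4-round Feistel network built from HMAC-SHA256, used only because Python's standard library ships no AES or DES; the key, IV and payment records are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # toy block size in bytes (assumption of this example)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function (toy construction, not DES or AES)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, xor(left, round_f(key, rnd, right))
    return left + right

def D(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_f(key, rnd, left)), left
    return left + right

def split(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(E(key, p) for p in split(pt))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(D(key, c) for c in split(ct))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in split(pt):
        prev = E(key, xor(p, prev))        # C_i = E(P_i XOR C_{i-1}), with IV first
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(D(key, c), prev))   # P_i = D(C_i) XOR C_{i-1}
        prev = c
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split(ct)
    return len(blocks) - len(set(blocks))

def swap_blocks(ct: bytes, i: int, j: int) -> bytes:
    blocks = split(ct)
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)

# Constructed sample data: three 16-byte records, the first and third identical.
KEY = b"k" * 16
IV = bytes(range(16))
PT = b"PAY ALICE 000100" + b"PAY BOB   999999" + b"PAY ALICE 000100"

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, PT)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, PT)))
    # Interchanging ECB blocks yields a clean, reordered plaintext.
    print(ecb_decrypt(KEY, swap_blocks(ecb_encrypt(KEY, PT), 0, 1)))
    # The same interchange under CBC decrypts to garbage.
    print(cbc_decrypt(KEY, IV, swap_blocks(cbc_encrypt(KEY, IV, PT), 0, 1)))
```

The garbling under CBC is a side effect of chaining, not an integrity check; detecting modification is the job of the message authentication codes covered later in these slides.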

Cipher Feedback Mode
- Basic operation (P_i and C_i are blocks):
  - C_i = E(C_{i-1}) XOR P_i, P_i = E(C_{i-1}) XOR C_i, C_0 = IV
[Figure: cipher feedback chain over C_1, C_2 and P_1, P_2]

Cipher Feedback Mode
- To enable byte-by-byte encryption
  - When plaintext byte n (P_n) arrives, DES algorithm operates on a 64-bit register to generate a 64-bit ciphertext
  - Leftmost byte of that ciphertext is extracted and XORed with P_n
  - That byte is transmitted on the transmission line
  - The shift register is shifted left 8 bits, causing C_{n-8} to fall off the left end, and C_n is inserted in the position just vacated at the right end by C_9

Cipher Feedback Mode
[Figure: (a) Encryption, (b) Decryption]

Stream Cipher Mode
- To be insensitive to transmission error, an arbitrarily large sequence of output blocks, called the keystream, is treated like a one-time pad and XORed with the plaintext to get the ciphertext
  - It works by encrypting an IV, using a key to get an output block
  - The output block is then encrypted, using the key to get a second output block
  - This block is then encrypted to get a third block, and so on
- The keystream is independent of the data, so
  (1) It can be computed in advance
  (2) It is completely insensitive to transmission errors

Stream Cipher Mode
[Figure: (a) Encryption, (b) Decryption]

Stream Cipher Mode
- It is essential never to use the same (key, IV) pair twice with a stream cipher because doing so will generate the same keystream each time
- Using the same keystream twice exposes the ciphertext to a keystream reuse attack
- Stream cipher mode is also called output feedback mode

Keystream Reuse Attack
- Plaintext block, P_0, is encrypted with the keystream to get P_0 XOR K_0
- Later, a second plaintext block, Q_0, is encrypted with the same keystream to get Q_0 XOR K_0
- An intruder who captures both ciphertext blocks can simply XOR them together to get P_0 XOR Q_0, which eliminates the key
- The intruder now has the XOR of the two plaintext blocks
- If one of them is known or can be guessed, the other can also be found
- In any event, the XOR of two plaintext streams can be attacked by using statistical properties of the message
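
Added example (not part of the original slides): the keystream cancellation described above, followed by the two things a defender does about it, namely a fresh IV per message and an audit that flags any (key, IV) pair used twice. The block function E is stood in for by truncated HMAC-SHA256 (output feedback only ever runs E forwards); keys, IVs, messages and the `key_id` field are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # bytes per keystream block (assumption of this example)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """K_0 = E(IV), K_1 = E(K_0), ... as on the stream cipher mode slide."""
    out, block = b"", iv
    while len(out) < nbytes:
        block = hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]
        out += block
    return out[:nbytes]

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same operation.
    return xor(data, keystream(key, iv, len(data)))

def reused_pairs(records) -> set:
    """records: iterable of (key_id, iv, ciphertext).
    Returns every (key_id, iv) pair that protects more than one message."""
    counts = Counter((key_id, iv) for key_id, iv, _ in records)
    return {pair for pair, n in counts.items() if n > 1}

def demo() -> dict:
    key = b"\x01" * 16                      # constructed key
    iv = b"\x00" * 16                       # constructed IV, wrongly used twice
    p = b"wire 100 to account 12345"        # constructed messages, equal length
    q = b"meet at the usual place.."
    c1 = ofb(key, iv, p)
    c2 = ofb(key, iv, q)                    # same (key, IV): same keystream
    leaked = xor(c1, c2)                    # keystream cancels out
    fresh_iv = bytes(range(16))             # in practice: random or a counter that never repeats
    c3 = ofb(key, fresh_iv, q)
    log = [("k1", iv, c1), ("k1", iv, c2), ("k1", fresh_iv, c3)]
    return {
        "xor_of_ciphertexts_is_xor_of_plaintexts": leaked == xor(p, q),
        "recovered_q": xor(leaked, p),      # knowing P_0 reveals Q_0
        "fresh_iv_leaks": xor(c1, c3) == xor(p, q),
        "reused": reused_pairs(log),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```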

Counter Mode
- To allow random access to encrypted data
  - The IV plus a constant is encrypted, and the resulting ciphertext XORed with the plaintext
  - By stepping the IV by 1 for each new block, it is easy to decrypt a block anywhere in the file without first having to decrypt all of its predecessors

Public-Key Algorithms
- Distributing keys => the weakest link in most cryptosystems
  - No matter how strong a cryptosystem was, if an intruder could steal the key, the system was worthless
  - Cryptologists always took for granted that the encryption key and decryption key were the same
- Diffie and Hellman (1976) proposed a radically new kind of cryptosystem: encryption and decryption keys were different
  - D(E(P)) = P
  - It is exceedingly difficult to deduce D from E
  - E cannot be broken by a chosen plaintext attack

Public-Key Algorithms
- Public-key cryptography:
  - Encryption algorithm and the encryption key can be made public
- How to establish a secure channel
  - Alice and Bob have never had previous contact
  - Alice sends Bob E_B(P) (message P encrypted using Bob’s public encryption key E_B)
  - Bob receives the encrypted message and retrieves the plaintext by using his private key P = D_B(E_B(P))
  - Bob then sends a reply E_A(R) to Alice

RSA
- Rivest, Shamir, Adleman, 1978: a good method for public-key cryptography
- RSA method:
  - Choose two large primes, p and q (typically 1024 bits)
  - Compute n = p × q and z = (p-1) × (q-1)
  - Choose a number relatively prime to z and call it d
  - Find e such that e × d = 1 mod z
- To encrypt a message, P, compute C = P^e (mod n)
- To decrypt C, compute P = C^d (mod n)
- The public key consists of the pair (e, n)
- The private key consists of the pair (d, n)

RSA
- An example of the RSA algorithm
  - p = 3, q = 11 => n = 33 and z = 20
  - A suitable value for d = 7
  - e can be found by solving the eq. 7e = 1 (mod 20) => e = 3
  - C = P^3 (mod 33), P = C^7 (mod 33)

Digital Signatures
- Requirement on digital signatures: one party can send a signed message to another party in such a way that the following conditions hold:
  - The receiver can verify the claimed identity of the sender
  - The sender cannot later repudiate the contents of the message
  - The receiver cannot possibly have fabricated the message himself

Public-Key Signatures
- Digital signatures using public-key cryptography
  - Requires E(D(P)) = P (in addition to D(E(P)) = P)
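
Added example (not part of the original slides): the RSA steps and the slide's numbers (p = 3, q = 11, d = 7) carried through in code, together with the signature property E(D(P)) = P from the Public-Key Signatures slide. The function names and the sample word BANANA are this example's own; the letter-by-letter encoding (A=1 ... Z=26) is an assumption used to show that unpadded RSA on small blocks behaves like the monoalphabetic substitution discussed under Cipher Modes.

```python
from math import gcd

def make_keys(p: int, q: int, d: int):
    """Follow the slide: n = p*q, z = (p-1)(q-1), d coprime to z, e*d = 1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)              # modular inverse (Python 3.8+)
    return (e, n), (d, n)          # public key, private key

def encrypt(P: int, public) -> int:
    e, n = public
    return pow(P, e, n)            # C = P^e mod n

def decrypt(C: int, private) -> int:
    d, n = private
    return pow(C, d, n)            # P = C^d mod n

def sign(P: int, private) -> int:
    return decrypt(P, private)     # S = D(P)

def verify(P: int, S: int, public) -> bool:
    return encrypt(S, public) == P # E(D(P)) = P

def encrypt_letters(text: str, public) -> list:
    # Assumed encoding for this example: A=1 ... Z=26, one letter per block.
    return [encrypt(ord(ch) - ord("A") + 1, public) for ch in text]

def decrypt_letters(blocks: list, private) -> str:
    return "".join(chr(decrypt(c, private) + ord("A") - 1) for c in blocks)

PUBLIC, PRIVATE = make_keys(3, 11, 7)      # the slide's numbers

if __name__ == "__main__":
    print("public key (e, n):", PUBLIC, " private key (d, n):", PRIVATE)
    c = encrypt(4, PUBLIC)
    print("P=4 -> C =", c, "-> P =", decrypt(c, PRIVATE))
    s = sign(4, PRIVATE)
    print("signature on 4:", s, "valid:", verify(4, s, PUBLIC),
          "valid for 5:", verify(5, s, PUBLIC))
    # Equal letters give equal ciphertext values: the letter pattern survives.
    blocks = encrypt_letters("BANANA", PUBLIC)
    print(blocks, decrypt_letters(blocks, PRIVATE))
```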

Message Digests
- Message digest (MD): using a one-way hash function that takes an arbitrarily long piece of plaintext and from it computes a fixed-length bit string
- Requirement on the hash function:
  - Given P, it is easy to compute MD(P)
  - Given MD(P), it is effectively impossible to find P
  - No collision: given P no one can find P’ such that MD(P’) = MD(P)
  - A change to the input of even 1 bit produces a very different output

Digital Signatures Using Message Digests

MD5
- One of the most widely used hash functions
- MD5 is the fifth in a series of message digests designed by Ronald Rivest (1992)
- It operates by mangling bits in a sufficiently complicated way that every output bit is affected by every input bit
- MD5 generates a 128-bit fixed value

SHA-1
- SHA-1: Secure Hash Algorithm 1, developed by National Security Agency (NSA) and blessed by NIST. It generates 160-bit message digest
  - SHA-2: a set of secure hash algorithms
    - SHA-224, SHA-256, SHA-384, SHA-512
- Use of SHA-1 and RSA for signing nonsecret messages
[Figure: use of SHA-1 and RSA for signing nonsecret messages]

Message Authentication Code
- MACs are used between two parties that share a secret key in order to validate information transmitted between these parties
- The MAC mechanism that is based on cryptographic hash functions is called HMAC:
  - Append the key to the plaintext and generate a digest using a hash function
  - Ship the plaintext together with the digest

Management of Public Keys
- Problem statement
- Certificates
- X.509
- Public key infrastructure

Problems with Public-Key Management
- If Alice and Bob do not know each other, how do they get each other’s public keys to start the communication process?
  - It is essential Alice gets Bob’s public key, not someone else’s
- A way for Trudy to subvert public-key encryption
[Figure: a way for Trudy to subvert public-key encryption]

Certificates
- Certification Authority (CA): an organization that certifies public keys
  - It certifies the public keys belonging to people, companies, or even attributes
  - CA does not need to be on-line all the time (in ideal scenarios)
- A possible certificate and its signed hash
[Figure: a possible certificate and its signed hash]

X.509
- Devised and approved by ITU
- The basic fields of an X.509 certificate
[Table: the basic fields of an X.509 certificate]

Public-Key Infrastructures
- A Public-Key Infrastructure (PKI) is needed for reasons of
  - Availability, Scalability, Ease of management
- A PKI has multiple components
  - Users, CAs, Certificates, RAs (Registration Authorities)
- A PKI provides a way of structuring these components and defines standards for the various documents and protocols
  - A simple form of PKI is hierarchical CAs

Public-Key Infrastructures
- Hierarchical PKI
- A chain of trust/certification path: a chain of certificates going back to the root

Public-Key Infrastructures
- Revocation: sometimes certificates can be revoked, due to a number of reasons
- Reinstatement: a revoked certificate could conceivably be reinstated
- Each CA periodically issues a CRL (Certificate Revocation List) giving the serial numbers of all certificates that it has revoked
  - A user who is about to use a certificate must now acquire the CRL to see if the certificate has been revoked
- Having to deal with revocation (and possibly reinstatement) eliminates one of the best properties of certificates, namely, that they can be used without having to contact a CA

Distributed Consensus
- Distributed consensus is a fundamental problem in distributed computing
  - Ensure replica consistency
- Asynchronous distributed system
  - No upper bound on processing time
  - No upper bound on clock drift rate
  - No upper bound on networking delay
- In an asynchronous distributed system, you cannot tell a crashed process from a slow one, even if you can assume that messages are sequenced and retransmitted (arbitrary numbers of times), so they eventually get through

FLP Impossibility Results
- FLP (Fischer, Lynch and Paterson) impossibility result
  - A single faulty process can prevent consensus
  - Because a slow process is indistinguishable from a crashed one
- Chandra/Toueg showed that FLP impossibility applies to many problems, not just consensus
  - In particular, they show that FLP applies to group membership, reliable multicast
  - So these practical problems are impossible to solve in asynchronous systems
  - They also look at the weakest condition under which consensus can be solved
- Ways to bypass the impossibility result
  - Use unreliable failure detector
  - Use a randomized consensus algorithm

Distributed Consensus
- Older generation of consensus algorithms rely on the use of an unreliable failure detector to exclude failed processes from the consensus consideration
  - Difficult to understand, harder to prove for correctness
- The Paxos algorithm introduced by Lamport
  - Separate safety and liveness properties
  - “Paxos is among the simplest and most obvious of distributed algorithms” by Lamport
  - Consensus can be reached during periods of synchrony
  - No consensus is possible if system very asynchronous, but guarantees no disagreement

Consensus Problem
- Safety:
  - Only a value that has been proposed may be chosen
  - If a value is chosen by a process, then the same value must be chosen by any other process that has chosen a value
  - If a process learns a value, then the value must have been chosen by some process
- Liveness:
  - Some proposed value is eventually chosen and, if a value has been chosen, then a process can eventually learn the value

The Paxos Algorithm – Consensus for Asynchronous Distributed Systems
- Contribution: separately consider safety and liveness issues. Safety can be guaranteed and liveness is ensured during period of synchrony
- Participants of the algorithm are divided into three categories
  - Proposers: those who propose values
  - Acceptors: those who decide which value to choose
  - Learners: those who are interested in learning the value chosen

The Paxos Algorithm
- How to choose a value
  - Use a single acceptor: straightforward but not fault tolerant
  - Use a number of acceptors: a value is chosen if the majority of the acceptors have accepted it
- Accepted does not mean chosen. However, if a value has been chosen, it must have been accepted first

The Paxos Algorithm
- Requirements for choosing a value
  - P1. An acceptor must accept the first proposal that it receives
  - P2. If a proposal with value v is chosen, then every higher-numbered proposal that is chosen has value v
- The proposal numbers are totally ordered
- P2 guarantees the safety property

The Paxos Algorithm
- How to guarantee P2?
  - P2a: If a proposal with value v is chosen, then every higher-numbered proposal accepted by any acceptor has value v
- But what if an acceptor that has never accepted v accepted a proposal with v’?
  - P2b: If a proposal with value v is chosen, then every higher-numbered proposal issued by any proposer has value v
- P2b implies P2a, which implies P2
[Diagram: v is chosen by some acceptor -> newer proposal must propose v -> (P2a) only v could have been accepted -> (P2) only v could have been chosen by other acceptors]

The Paxos Algorithm
- How to ensure P2b?
- P2c: For any v and n, if a proposal with value v and number n is issued, then there is a set S consisting of a majority of acceptors such that either
  - (a) no acceptor in S has accepted any proposal numbered less than n, or
  - (b) v is the value of the highest-numbered proposal among all proposals numbered less than n accepted by the acceptors in S

The Paxos Algorithm
- To ensure P2c, an acceptor must promise:
  - It will not accept any more proposals numbered less than n, once it has accepted a proposal n
- Rules on both acceptors and proposers

The Paxos Algorithm
- Phase 1.
  - (a) A proposer selects a proposal number n and sends a prepare request with number n to a majority of acceptors.
  - (b) If an acceptor receives a prepare request with number n greater than that of any prepare request to which it has already responded, then it responds to the request with a promise not to accept any more proposals numbered less than n and with the highest-numbered proposal (if any) that it has accepted.

The Paxos Algorithm
- Phase 2.
  - (a) If the proposer receives a response to its prepare requests (numbered n) from a majority of acceptors, then it sends an accept request to each of those acceptors for a proposal numbered n with a value v, where v is
    - the value of the highest-numbered proposal among the responses, or
    - any value if the responses reported no proposals.
  - (b) If an acceptor receives an accept request for a proposal numbered n, it accepts the proposal unless it has already responded to a prepare request having a number greater than n.

The Paxos Algorithm

Importance of Keeping Promises (for not accepting older proposal)
- Not a problem if a value has been chosen

Importance of Keeping Promises (for not accepting older proposal)
- Safety violated without promise with competing proposers

Importance of Keeping Promises (for not accepting older proposal)
- Safety is ensured by the promise with competing proposers
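
Added example (not part of the original slides): Phase 1 and Phase 2 as a small single-decree simulation with three acceptors and two competing proposers, run once with acceptors that keep their promise and once with acceptors that ignore it. The interleaving, the proposal numbers 1 to 3 and the values "x" and "y" are constructed for the example; message passing is replaced by direct method calls.

```python
class Acceptor:
    def __init__(self, name, keep_promise=True):
        self.name = name
        self.keep_promise = keep_promise  # False models an acceptor that breaks its promise
        self.promised = 0                 # highest prepare number it has responded to
        self.accepted = None              # (n, v) of the proposal it last accepted

    def on_prepare(self, n):
        # Phase 1(b): respond only to a prepare numbered higher than any seen so far.
        if n > self.promised:
            self.promised = n
            return self.name, self.accepted
        return None

    def on_accept(self, n, v):
        # Phase 2(b): accept unless a higher-numbered prepare has been answered.
        if self.keep_promise and n < self.promised:
            return False
        self.accepted = (n, v)
        return True


class Learner:
    def __init__(self, n_acceptors):
        self.majority = n_acceptors // 2 + 1
        self.votes = {}                   # (n, v) -> names of acceptors that accepted it

    def record(self, name, n, v):
        self.votes.setdefault((n, v), set()).add(name)

    def chosen(self):
        # A value is chosen once a majority has accepted the same proposal.
        return {v for (n, v), names in self.votes.items() if len(names) >= self.majority}


def phase1(n, quorum, majority):
    replies = [r for r in (a.on_prepare(n) for a in quorum) if r is not None]
    return replies if len(replies) >= majority else None


def choose_value(replies, own_value):
    # Phase 2(a): adopt the value of the highest-numbered accepted proposal, if any.
    accepted = [acc for _, acc in replies if acc is not None]
    return max(accepted, key=lambda nv: nv[0])[1] if accepted else own_value


def phase2(n, v, quorum, learner):
    for a in quorum:
        if a.on_accept(n, v):
            learner.record(a.name, n, v)


def competing_proposers(keep_promise):
    a1, a2, a3 = (Acceptor(f"A{i}", keep_promise) for i in (1, 2, 3))
    learner = Learner(3)
    rx = phase1(1, [a1, a2], 2)                          # proposer X prepares n=1
    ry = phase1(2, [a2, a3], 2)                          # proposer Y prepares n=2
    phase2(2, choose_value(ry, "y"), [a2, a3], learner)  # Y gets "y" chosen
    phase2(1, choose_value(rx, "x"), [a1, a2], learner)  # X's delayed accept arrives
    r3 = phase1(3, [a1, a2], 2)                          # X retries with n=3
    retry_value = choose_value(r3, "x")
    phase2(3, retry_value, [a1, a2], learner)
    return learner.chosen(), retry_value


if __name__ == "__main__":
    print("promise kept:   ", competing_proposers(True))
    print("promise ignored:", competing_proposers(False))
```

With the promise kept, acceptor A2 rejects X's stale proposal 1 and X's retry adopts "y"; with the promise ignored, both "x" and "y" end up accepted by a majority, which is the safety violation the slides refer to.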

The Byzantine Generals Problem
- Abstract model of a computer system that may have faulty components
- Faulty components may send conflicting information to different parts of the system
  - Example: clock synchronization, processes i, j, k; k is faulty
  - When process i queries k for the current time at local time 2:40 pm, process k reports 2:50 pm
  - Concurrently process j queries k at local time 2:30 pm, process k reports 2:20 pm
- Scenario where Byzantine Generals must reach agreement in the presence of traitors: Byzantine agreement

Byzantine Generals Problem
- A group of generals of the Byzantine army encircles an enemy city and decides whether to attack the city together or withdraw
- One or more generals may be traitors
- The only way for the Byzantine army to win the battle and conquer the enemy city is for all the loyal generals and their troops to attack the enemy city together
- The generals communicate with each other by using messengers
- The messengers are trustworthy in that they will deliver a command issued by a general in a timely manner and without any alteration

Byzantine Generals Problem
- In a computer system, each general is modeled as a process, and the processes communicate via plain messages that satisfy the following requirements:
  - A message sent is delivered reliably and promptly
  - The message carries the identifier of its sender and the identifier cannot be forged or altered by the network or any other processes
  - A process can detect the missing of a message that is supposed to be sent by another process
- To make the problem and its solution more general, we expand the scope of the command issued by the commander process to contain an arbitrary value proposed by the commander

Byzantine Generals Problem
- A solution of the Byzantine generals problem should ensure the following interactive consistency requirements:
- IC1: All non-faulty processes (i.e., loyal generals) agree on the same value (i.e., decision)
- IC2: If the commander process is not faulty, then the value proposed by the commander must be the value that has been agreed upon by non-faulty processes

Basic Ideas for Solving Byzantine Generals Problems
- The commander issues a command to all its lieutenants
- The lieutenants exchange the commands they have received with each other
- Each lieutenant applies a deterministic function, such as the majority function, on the commands it has collected to derive a final decision
- Main concern:
  - The commander may send different commands to different lieutenants
  - A traitorous general might lie about the command it has received from the commander

Why do we need 3f+1 generals to tolerate f traitors?

Introduction to BFT Paper
- The growing reliance of industry and government on online information services
- Malicious attacks become more serious and successful
- More software errors due to increased size and complexity of software
- This paper presents “practical” algorithm for state machine replication that works in asynchronous systems like the Internet

Assumptions
- Asynchronous distributed system
- The network may fail to deliver messages, delay them, duplicate them, or deliver them out of order
- Faulty nodes may behave arbitrarily
- Independent node failures
- The adversary cannot delay correct nodes indefinitely
- All messages are cryptographically signed by their sender and these signatures cannot be subverted by the adversary

Service Properties
- A (deterministic) service is replicated among ≥ 3f+1 processors. Resilient to ≤ f failures
- Safety: All non-faulty replicas guaranteed to process the same requests in the same order
- Liveness: Clients eventually receive replies to their requests

Optimal Resiliency
- Imagine non-faulty processors trying to agree upon a piece of data by telling each other what they believe the data to be
- A non-faulty processor must be sure about a piece of data before it can proceed
- f replicas may refuse to send messages, so each processor must be ready to proceed after having received (n-1)-f messages
  - Total of n-1 other replicas

Optimal Resiliency
- But what if f of the (n-1)-f messages come from faulty replicas?
- To avoid confusion, the majority of messages must come from non-faulty nodes, i.e., (n-f-1)/2 ≥ f => Need a total of ≥ 3f+1 replicas

BFT Algorithm in a Nutshell
[Figure labels: Client, Primary, Backup, Backup; f + 1 Match (OK)]

Replicas and Views
- Set of replicas (R): |R| ≥ 3f + 1
- For view v: primary p is assigned such that p = v mod |R|
[Figure: replicas R_0, R_1, R_2, ..., R_{|R|-1}; View 0, View 1]

Safeguards
- If the client does not receive replies soon enough, it broadcasts the request to all replicas
- If the request has already been processed, the replicas simply re-send the reply (replicas remember the last reply message they sent to each client)
- If the primary does not multicast the request to the group, it will eventually be suspected to be faulty by enough replicas to cause a view change

Normal Case Operation
- Client -> Primary: {REQUEST, o, t, c}
  - o – Operation
  - t – Timestamp
  - c – Client
- Timestamps are totally ordered such that later requests have higher timestamps than earlier ones

Normal Case Operation
- When primary p receives a client request m, it starts a three-phase protocol
- Three phases are: pre-prepare, prepare, commit

Pre-Prepare Phase
- Primary -> Backups: <<PRE-PREPARE, v, n, d>, m>
  - v – view number
  - n – sequence number
  - d – digest of the message D(m)
  - m – message

Prepare Phase
- A backup accepts the PRE-PREPARE message only if:
  - The signatures are valid and the digest matches m
  - It is in view v
  - It has not accepted a PRE-PREPARE for the same v and n
  - Sequence number is within accepted bounds

Prepare Phase
- If backup i accepts the pre-prepare message it enters prepare phase by multicasting <PREPARE, v, n, d, i> to all other replicas and adds both messages to its log
- Otherwise does nothing
- Replica (including primary) accepts prepare messages and adds them to its log, provided that
  - Signatures are correct
  - View numbers match the current view
  - Sequence number is within accepted bounds

Prepare Phase
- At replica i, prepared(m, v, n, i) = true, iff it has 2f PREPARE messages from different backups that match the pre-prepare
- When prepared = true, replica i multicasts <COMMIT, v, n, d, i> to other replicas

Agreement Achieved
- If primary is non-faulty then all 2f+1 non-faulty replicas agree on the sequence number
- If primary is faulty
  - Either ≥f+1 non-faulty replicas (majority) agree on some other sequence and the rest realize that the primary is faulty
  - Or, all non-faulty replicas will suspect the primary is faulty
- When a faulty primary is replaced, the minority of confused non-faulty replicas are brought up to date by the majority

Commit Phase
- Replicas accept commit messages and insert them in their log provided signatures are same
- Define committed and committed-local predicates as
  - Committed(m, v, n) = true, iff prepared(m, v, n, i) is true for all i in some set of f+1 non-faulty replicas
  - Committed-local(m, v, n, i) = true iff the replica has accepted 2f+1 commit messages from different replicas that match the pre-prepare for m
- If Committed-local(m, v, n, i) is true for some non-faulty replica i, then committed(m, v, n) is true

Commit Phase
- Replica i executes the operation requested by m after committed-local(m, v, n, i) = true and i’s state reflects the sequential execution of all requests with lower sequence numbers
- The PRE-PREPARE and PREPARE phases of the protocol ensure agreement on the total order of requests within a view
- The PREPARE and COMMIT phases ensure total ordering across views

Normal Operation Reply
- All replicas send the reply <REPLY, v, t, c, i, r> directly to the client
  - v = current view number
  - t = timestamp of the corresponding request
  - i = replica number
  - r = result of executing the requested operation
  - c = client id
- Client waits for f+1 replies with valid signatures from different replicas, and with same t and r, before accepting the result r
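
Added example (not part of the original slides or of the BFT paper's code): one replica's message log with the acceptance checks, the prepared and committed-local predicates (2f and 2f+1 matching messages) and the client's f+1 matching-reply rule, exercised with n = 4 replicas where replica 3 is faulty. Signature checking is assumed to have happened before these methods are called; the sequence-number bounds `low`/`high`, the request bytes and all names are constructed for the example.

```python
import hashlib
from collections import defaultdict

def digest(m: bytes) -> str:
    return hashlib.sha256(m).hexdigest()

class ReplicaLog:
    def __init__(self, replica_id, n_replicas, low=0, high=100):
        self.i = replica_id
        self.n_replicas = n_replicas
        self.f = (n_replicas - 1) // 3         # |R| >= 3f + 1
        self.view = 0
        self.low, self.high = low, high        # accepted sequence-number bounds (constructed)
        self.pre_prepares = {}                 # (v, n) -> digest
        self.prepares = defaultdict(set)       # (v, n, d) -> backup ids
        self.commits = defaultdict(set)        # (v, n, d) -> replica ids

    def primary(self, v):
        return v % self.n_replicas             # p = v mod |R|

    def _in_bounds(self, v, n):
        return v == self.view and self.low < n <= self.high

    def on_pre_prepare(self, v, n, d, m):
        if not self._in_bounds(v, n) or digest(m) != d:
            return False
        if (v, n) in self.pre_prepares and self.pre_prepares[(v, n)] != d:
            return False                       # conflicting PRE-PREPARE for the same v and n
        self.pre_prepares[(v, n)] = d
        return True

    def on_prepare(self, v, n, d, sender):
        if not self._in_bounds(v, n) or sender == self.primary(v):
            return False                       # PREPAREs come from backups only
        self.prepares[(v, n, d)].add(sender)
        return True

    def on_commit(self, v, n, d, sender):
        if not self._in_bounds(v, n):
            return False
        self.commits[(v, n, d)].add(sender)
        return True

    def prepared(self, v, n):
        d = self.pre_prepares.get((v, n))
        return d is not None and len(self.prepares[(v, n, d)]) >= 2 * self.f

    def committed_local(self, v, n):
        d = self.pre_prepares.get((v, n))
        return self.prepared(v, n) and len(self.commits[(v, n, d)]) >= 2 * self.f + 1

def client_result(replies, f):
    """replies: (replica_id, t, r) tuples. Accept r once f+1 different replicas agree on (t, r)."""
    voters = defaultdict(set)
    for replica_id, t, r in replies:
        voters[(t, r)].add(replica_id)
    for (t, r), ids in voters.items():
        if len(ids) >= f + 1:
            return r
    return None

def normal_case_with_faulty_replica_3():
    m = b"transfer 10 from A to B"             # constructed request
    d, bad = digest(m), digest(b"forged")
    r1 = ReplicaLog(replica_id=1, n_replicas=4)   # f = 1, primary of view 0 is replica 0
    steps = []
    r1.on_pre_prepare(0, 1, d, m)
    r1.on_prepare(0, 1, d, sender=1)           # its own PREPARE
    r1.on_prepare(0, 1, bad, sender=3)         # faulty replica: digest does not match
    steps.append(r1.prepared(0, 1))            # only 1 matching PREPARE so far
    r1.on_prepare(0, 1, d, sender=2)
    steps.append(r1.prepared(0, 1))            # 2f = 2 matching PREPAREs
    for s in (0, 1):
        r1.on_commit(0, 1, d, s)
    r1.on_commit(0, 1, bad, 3)
    steps.append(r1.committed_local(0, 1))     # 2 matching COMMITs < 2f + 1
    r1.on_commit(0, 1, d, 2)
    steps.append(r1.committed_local(0, 1))     # 2f + 1 = 3 matching COMMITs
    return steps

if __name__ == "__main__":
    print(normal_case_with_faulty_replica_3())
    print(client_result([(0, 7, "ok"), (3, 7, "forged"), (1, 7, "ok")], f=1))
```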

Normal Case Operation: Summary
[Figure: message flow through the Request, Pre-prepare, Prepare, Commit and Reply phases; participants C, Primary: 0, 1, 2, Faulty: 3 (X)]

View Changes
- Triggered by timeouts that prevent backups from waiting indefinitely for requests to execute
- If the timer of a backup expires in view v, the backup starts a view change to move to view v+1 by
  - Not accepting messages (other than checkpoint, view-change, and new-view messages)
  - Multicasting a VIEW-CHANGE message

View Changes
- VIEW-CHANGE message is defined as <VIEW-CHANGE, v+1, n, C, P, i> where
  - C = 2f + 1 checkpoint messages
  - P = set of sets P_m
  - P_m = a PRE-PREPARE msg + all PREPARE messages for all messages with committed = false

View Change - Primary
- Primary p of view v+1 receives 2f valid VIEW-CHANGE messages
- Multicasts a <NEW-VIEW, v+1, V, O> message to all other replicas where
  - V = set of 2f valid VIEW-CHANGE messages
  - O = set of reissued PRE-PREPARE messages
- Moves to view v+1

View Changes - Backups
- Accepts NEW-VIEW by checking V and O
- Sends PREPARE messages for everything in O
  - These PREPARE messages carry view v+1
- Moves to view v+1

Events Before the View Change
- Before the view change we have two groups of non-faulty replicas: the Confused minority and the Agreed majority
- A non-faulty replica becomes Confused when it is kept by the faulty replicas from agreeing on a sequence number for a request
- It can't process this request and so it will time out, causing the replica to vote for a new view

Events Before the View Change
- The minority Confused replicas send a VIEW-CHANGE message and drop off the network
- The majority Agreed replicas continue working as long as the faulty replicas help with agreement
- The two groups can go out of synch but the majority keeps working until the faulty replicas cease helping with agreement

System State: Faulty Primary
Is an erroneous view change possible?
[Figure labels: Confused Minority (≤f non-faulty replicas); Agreed Majority (≥f+1 non-faulty replicas); Adversary (f faulty replicas); P. ≤ 2f replicas: NOT enough to change views]

Events Before the View Change
- Given ≥f+1 non-faulty replicas that are trying to agree, the faulty replicas can either help that or hinder that
  - If they help, then agreement on request ordering is achieved and the clients get ≥f+1 matching replies for all requests with the faulty replicas' help
  - If they hinder, then the ≥f+1 non-faulty replicas will time out and demand a new view
- When the new majority is in favor of a view change, we can proceed to the new view

System State: Faulty Primary
Is it possible to continue processing requests?
[Figure labels: Confused Minority (≤f non-faulty replicas); Agreed Majority (≥f+1 non-faulty replicas); Adversary (f faulty replicas); P. YES: ≥ 2f+1 replicas, enough for agreement]

System State: Faulty Primary
Majority now large enough to independently move to a new view
[Figure labels: Confused Minority (≤f non-faulty replicas); Confused Majority (2f+1 non-faulty replicas), enough to agree to change views; Agreed Majority (≥f+1 non-faulty replicas); Adversary (f faulty replicas); P. YES: ≥ 2f+1 replicas, enough for agreement. Faulty replicas cease helping with agreement]

Liveness
- Replicas must move to a new view if they are unable to execute a request
- To avoid starting a view change too soon, a replica that multicasts a view-change message for view v+1 waits for 2f+1 view-change messages and then starts the timer T
- If the timer T expires before receiving a new-view message, it starts the view change for view v+2
- The timer will wait 2T before starting a view-change from v+2 to v+3

Liveness
- If a replica receives f+1 valid view-change messages from other replicas for views greater than its current view, it sends a view-change message for the smallest view in the set, even if T has not expired
- Faulty replicas cannot cause a view-change by sending a view-change message since a view-change will happen only if at least f+1 replicas send a view-change message
- The above techniques guarantee liveness, unless message delays grow faster than the timeout period indefinitely