Byzantine Generals

Outline
- Byzantine generals problem
Introduction
- Coping with failures in computer systems.
- A failed component may send conflicting information to different parts of the system.
- The goal is agreement in the presence of faults.
- P2P networks? Good nodes have to "agree to do the same thing".
  - Faulty nodes generate corrupted and misleading messages.
  - Non-malicious causes: software bugs, hardware failures, power failures.
  - Malicious cause: the machine has been compromised.
Problem Definition
- Generals = computer components.
- The abstract problem:
  - Each division of the Byzantine army is directed by its own general.
  - There are n generals, some of whom are traitors.
  - All divisions are camped outside the enemy castle, observing the enemy.
  - The generals communicate with each other only by messenger.
- Requirements:
  - G1: All loyal generals decide upon the same plan of action.
  - G2: A small number of traitors cannot cause the loyal generals to adopt a bad plan.
- Note: we do not have to identify the traitors.
Reduction of the General Problem
- Byzantine Generals Problem (BGP):
  - A commanding general (commander) must send an order to his n-1 lieutenants.
  - The general problem reduces to this one: every general in turn acts as commander for its own value, and each general combines the n values it obtains that way.
- Interactive Consistency conditions:
  - IC1: All loyal lieutenants obey the same order.
  - IC2: If the commanding general is loyal, then every loyal lieutenant obeys the order he sends.
- Note: if the commander is loyal, IC2 implies IC1.
3-General Impossibility Example
- 3 generals, 1 traitor among them.
- Two possible orders: Attack (A) or Retreat (R).
- Shaded: the traitor.
- L1 sees (A, R): A directly from the commander, R relayed by L2. Who is the traitor, C or L2?
- Fig 1: C is loyal and sent A; the traitor L2 relays R. L1 has to attack to satisfy IC2.
- Fig 2: C is the traitor and sends A to L1 and R to L2; the loyal L2 honestly relays R. L1 sees exactly the same (A, R) as in Fig 1, so it attacks; by the symmetric argument L2 must retreat. IC1 is violated.
- Since L1 cannot distinguish the two cases, no algorithm satisfies both IC1 and IC2 with 3 generals and 1 traitor.
General Impossibility
- In general, no solution with fewer than 3m+1 generals can cope with m traitors.
- Proof by contradiction. Assume there is a solution for 3m generals with m traitors.
  - Reduce to the 3-general problem: partition the 3m generals into three groups of at most m each, one of them containing the commander, and let each of the three generals in the 3-general problem simulate one group. The traitor general simulates the group that contains all m traitors.
  - The simulated solution would then solve the 3-general problem with 1 traitor, which was shown to be impossible.
Solution I – Oral Messages
- If there are 3m+1 generals, the solution tolerates up to m traitors.
- Oral messages: the content of a message is entirely under the control of the sender, so a traitor can say anything, including different things to different recipients.
- Assumptions on oral messages:
  - A1: Each message that is sent is delivered correctly.
  - A2: The receiver of a message knows who sent it.
  - A3: The absence of a message can be detected.
- What the assumptions rule out:
  - A1: Traitors cannot interfere with communication between two other generals as a third party.
  - A2: Traitors cannot send fake messages in another general's name.
  - A3: Traitors cannot interfere by staying silent.
- A silent traitor is handled by a default order: "retreat".
Oral Messages (Cont)
- Algorithm OM(0):
  - The commander sends his value to every lieutenant.
  - Each lieutenant uses the value received from the commander, or RETREAT if no value is received.
- Algorithm OM(m), m > 0:
  1. The commander sends his value to every lieutenant.
  2. For each i, let v_i be the value lieutenant i receives from the commander (or RETREAT if none). Lieutenant i acts as commander in OM(m-1) and sends v_i to each of the other n-2 lieutenants.
  3. For each i and each j ≠ i, let v_j be the value lieutenant i received from lieutenant j in step 2 using OM(m-1) (or RETREAT if none). Lieutenant i uses majority(v_1, ..., v_{n-1}).
- Why j ≠ i? "I trust myself more than what others said I said." Lieutenant i uses the v_i it got from the commander directly rather than what the others report about it.
Restate Algorithm
- OM(m):
  - The commander sends out the command.
  - Each lieutenant acts as commander in OM(m-1) and sends the command it received to the other lieutenants.
  - Each lieutenant takes the majority of its own value and the values reported by the other lieutenants in OM(m-1).
- Revisit the Interactive Consistency goals:
  - IC1: All loyal lieutenants obey the same command.
  - IC2: If the commanding general is loyal, then every loyal lieutenant obeys the command he sends.
Example (n=4, m=1, L3 is traitor)
- In OM(1), the commander (C) sends command v to L1, L2, L3.
- In OM(0), L1 sends v to L2, L3.
- In OM(0), L2 sends v to L1, L3.
- In OM(0), L3 (the traitor) may send anything: v to one lieutenant and a bogus x to the other.
- L1 receives:
  - "v" from the commander
  - "v" from L2
  - "v" or "x" from L3 (the traitor chooses)
  - majority(v, v, ·) is v either way
- L2 receives:
  - "v" from the commander
  - "v" from L1
  - "x" from L3
  - majority(v, v, x) is v
- Both loyal lieutenants obey v, so IC1 and IC2 are satisfied.
Example (n=4, m=1, C is traitor)
- In OM(1), the commander (C) sends conflicting commands: x to L1, y to L2, z to L3.
- In OM(0), L1 sends x to L2, L3.
- In OM(0), L2 sends y to L1, L3.
- In OM(0), L3 sends z to L1, L2.
- L1 receives:
  - "x" from the commander
  - "y" from L2
  - "z" from L3
  - majority(x, y, z): no value has a majority, so L1 uses the default value (RETREAT)
- L2 receives:
  - "y" from the commander
  - "x" from L1
  - "z" from L3
  - majority(x, y, z): default value
- L3 likewise receives (z, x, y) and uses the default value.
- L1, L2, L3 all use the same value, so IC1 is satisfied.
- IC2 is irrelevant since the commander is a traitor.
Expensive Communication
- OM(m) invokes n-1 instances of OM(m-1).
- OM(m-1) invokes n-2 instances of OM(m-2).
- OM(m-2) invokes n-3 instances of OM(m-3).
- ...
- OM(m-k) is invoked (n-1)(n-2)...(n-k) times.
- O(n^m) messages: expensive!
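To make OM(m) concrete, here is a simulation of the algorithm from the "Oral Messages" slides under assumptions A1-A3. It reproduces both n=4, m=1 examples above, shows IC2 failing in the 3-general case (n=3 < 3m+1), checks IC1/IC2 for n=7, m=2, and counts messages to confirm the cost recursion on this slide. This is an added example, not code from the original slides or from Lamport's paper; the general numbering (commander is general 0), the traitor strategies split_lie, distinct_lies and lie_to_even, and the message_count helper are constructed here for illustration.

```python
"""Simulation of Algorithm OM(m) (oral messages, assumptions A1-A3).
Added example, not part of the original slides."""
from collections import Counter

ATTACK, RETREAT = "A", "R"
DEFAULT = RETREAT                # A3: an absent message counts as RETREAT


def majority(votes):
    """Lamport's majority(): the strict-majority value, else the default."""
    value, count = Counter(votes).most_common(1)[0]
    return value if 2 * count > len(votes) else DEFAULT


# Constructed traitor strategies (hypothetical): each decides what a traitor
# `sender` actually says to `receiver` instead of the honest `value`.
def split_lie(sender, receiver, value, depth):
    """Tell even-numbered receivers ATTACK and odd-numbered ones RETREAT."""
    return ATTACK if receiver % 2 == 0 else RETREAT


def distinct_lies(sender, receiver, value, depth):
    """Send every receiver a different order (the x, y, z case on the slides)."""
    return f"order-{receiver}"


def lie_to_even(sender, receiver, value, depth):
    """Relay honestly to odd receivers, send a bogus 'x' to even ones."""
    return "x" if receiver % 2 == 0 else value


class OralMessages:
    def __init__(self, traitors, strategy):
        self.traitors = set(traitors)
        self.strategy = strategy
        self.messages = 0            # every oral message sent is counted here

    def send(self, sender, receiver, value, depth):
        """A1/A2: delivered unaltered and the receiver knows the sender.
        A traitor chooses the content freely; None models staying silent."""
        self.messages += 1
        if sender in self.traitors:
            return self.strategy(sender, receiver, value, depth)
        return value

    def om(self, m, commander, value, lieutenants):
        """Run OM(m): `commander` sends `value`; return {lieutenant: value used}."""
        # Step 1 (and the whole of OM(0)): the commander sends to every lieutenant.
        received = {}
        for i in lieutenants:
            v = self.send(commander, i, value, m)
            received[i] = DEFAULT if v is None else v
        if m == 0:
            return received
        # Step 2: lieutenant j relays v_j as commander of OM(m-1) to the other n-2.
        heard = {i: {} for i in lieutenants}     # heard[i][j]: what i got from j
        for j in lieutenants:
            others = [k for k in lieutenants if k != j]
            for i, vj in self.om(m - 1, j, received[j], others).items():
                heard[i][j] = vj
        # Step 3: majority of own v_i and the v_j heard from every j != i.
        return {i: majority([received[i]] + [heard[i][j] for j in lieutenants if j != i])
                for i in lieutenants}


def message_count(n, m):
    """Messages sent by OM(m) with n generals: n-1 now, plus n-1 copies of OM(m-1)."""
    return (n - 1) + (0 if m == 0 else (n - 1) * message_count(n - 1, m - 1))


def run(n, m, traitors, value, strategy, commander=0):
    """Generals are 0..n-1. Returns (loyal lieutenants' decisions, IC1, IC2, messages)."""
    sim = OralMessages(traitors, strategy)
    decided = sim.om(m, commander, value, [g for g in range(n) if g != commander])
    loyal = {i: v for i, v in decided.items() if i not in sim.traitors}
    ic1 = len(set(loyal.values())) == 1
    ic2 = commander in sim.traitors or all(v == value for v in loyal.values())
    return loyal, ic1, ic2, sim.messages


if __name__ == "__main__":
    print("n=4 m=1, L3 traitor:", run(4, 1, {3}, "v", lie_to_even))
    print("n=4 m=1, C traitor: ", run(4, 1, {0}, "v", distinct_lies))
    print("n=3 m=1, L2 traitor:", run(3, 1, {2}, ATTACK, split_lie))   # IC2 fails
    print("n=7 m=2, L5/L6 traitors:", run(7, 2, {5, 6}, ATTACK, split_lie))
    print("messages for OM(2), n=7:", message_count(7, 2))
```

The traitor strategies are deliberately deterministic so the runs are reproducible; swapping in a strategy that returns None for some receivers exercises the A3 default. The n=3 run is the 3-general impossibility in action: the loyal lieutenant sees one A and one R, has no majority, and falls back to RETREAT against a loyal commander who ordered ATTACK.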
Problem
- Lots of messages are required to handle even 1 faulty process.
- Need a minimum of 4 processes to handle 1 fault, 7 to handle 2 faults, etc.
  - But as the system gets larger, the probability of a fault also increases.
- If we use signed messages instead of oral messages, a traitor can no longer lie about what the commander said, and f faults can be handled with 2f+1 processes.
  - Simple majority requirement.
  - Still lots of messages sent, plus the cost of signing.
Summary
- BGP solutions are expensive (communication overheads and signatures).
- Use of redundancy and voting to achieve reliability.
- What if more than 1/3 of the nodes (processors) are faulty?
- 3m+1 replicas for m failures. Is that expensive?
- Tradeoffs between reliability and performance (e.g. OceanStore's primary and secondary replicas).
- How would you determine m in a practical system?