From 5336423799ab2b03335b856532df1ca0af83cdd2 Mon Sep 17 00:00:00 2001 From: "Peter J. Keleher" <keleher@cs.umd.edu> Date: Tue, 7 Nov 2023 16:43:00 -0500 Subject: [PATCH] auto --- notes/pbft.md | 44 ++++++++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/notes/pbft.md b/notes/pbft.md index 08f3d9e..81a9355 100644 --- a/notes/pbft.md +++ b/notes/pbft.md @@ -7,9 +7,9 @@ ## Differences from fail-stop consensus - 3*f*+1 replicas instead of 2*f*+1 (non-byzantine consensus): - - must be possible to make progress w/ only *n - f* replicas (because *f* might be faulty and choose not to respond) - - however, the *f* not responding might be correct but slow (asynchrony), so there might be *f* bad responses out of the *n - f* - - implies *(n - f - f) > f*, or *n >= 3f + 1* + - must be possible to make progress w/ only *n - f* replicas (because *f* might be faulty and respond) + - however, the *f* not responding might be correct but slow (asynchrony), so there might be *f* bad responses in the *n - f* responses + - implies *(n - f - f) > f*, or *n >= 3f + 1* in order to guarantee majority - 3 phases instead of two - cryptographic signatures @@ -17,7 +17,7 @@ - safety, liveness (*n >= 3f+1*) - can't prove both in async environment - safety guaranteed through protocol - - liveness "guaranteed" with reasonable assumption on msg delays + - so liveness must be "guaranteed" by limits on asynchrony (e.g., reasonable assumption on msg delays) - performance - one round trip for reads - 2 round trips for read/write @@ -26,16 +26,14 @@ - different security provisions (root passwd etc) - different implementations !! - -**byzantine faults** -- adversary(s) can +## Definitions +- a **view** is a configuration of the system w/ one replica the *primary* and the others *backups*. +- **byzantine faults**: adversary(s) can - coordinate faulty nodes - delay communication of non-faulty nodes (but not indefinitely) -- equivocation - - saying "yes" to Larry, "no" to "Moe" -- lying about received messages -- guarantees: - - safety and liveness (assuming only *floor(n-1/3)* faulty, *delay(t)* does not grow faster than *t* indefinitely + - equivocation + - say "yes" to Larry, "no" to "Moe" + - lie about received messages **cool things** - much more robust/secure than paxos @@ -43,23 +41,33 @@ - little other cost - authenticators +## Rough outline +1. client sends request to invoke an operation to the primary +1. Primary multicasts request to backups +1. Replicas execute the request and send replies to the client +1. Client waits for $f+1$ replies from different reqplicas w/ same result +- guarantees: + - safety and liveness (assuming only $\lfloor{\frac{n-1}{3}}\rfloor$ faulty, *delay(t)* does not grow faster than *t* indefinitely  ## Phases -- *pre-prepare* and *prepare* phases order request even if primary lying +- *pre-prepare* and *prepare* phases order request even if primary faulty - replica tells all others what the primary told it +- *prepare* and *commit* phases ensure commits are totally ordered across views + + - a replica is *prepared* when: - has received a proper pre-prepare from primary, signature, current *view* - 2*f* "prepares" from other replicas that match it - Such a replica then: - multicasts "commit" to other replicas - - a replica is committed-local iff: - - *committed*, and - - has accepted 2*f*+1 commit msgs (possibly including it's own) - - system is *committed* iff *prepared* true for *f*+1 replicas - - *committed* true iff *committed-local* true for some non-faulty replica +- a replica is committed-local iff: + - *committed*, and + - has accepted 2*f*+1 commit msgs (possibly including it's own) +- system is *committed* iff *prepared* true for *f*+1 replicas + - *committed* true iff *committed-local* true for some non-faulty replica ## Optimizations -- GitLab