Practical Byzantine fault tolerance and proactive recovery

Our growing reliance on online services accessible on the Internet demands highly available systems that provide correct service without interruptions. Software bugs, operator mistakes, and malicious attacks are a major cause of service interruptions and they can cause arbitrary behavior, that is, Byzantine faults. This article describes a new replication algorithm, BFT, that can be used to build highly available systems that tolerate Byzantine faults. BFT can be used in practice to implement real services: it performs well, it is safe in asynchronous environments such as the Internet, it incorporates mechanisms to defend against Byzantine-faulty clients, and it recovers replicas proactively. The recovery mechanism allows the algorithm to tolerate any number of faults over the lifetime of the system provided fewer than 1/3 of the replicas become faulty within a small window of vulnerability. BFT has been implemented as a generic program library with a simple interface. We used the library to implement the first Byzantine-fault-tolerant NFS file system, BFS. The BFT library and BFS perform well because the library incorporates several important optimizations, the most important of which is the use of symmetric cryptography to authenticate messages. The performance results show that BFS performs 2% faster to 24% slower than production implementations of the NFS protocol that are not replicated. This supports our claim that the BFT library can be used to build practical systems that tolerate Byzantine faults.
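The resilience condition stated above (fewer than 1/3 of the replicas faulty within any window of vulnerability) can be checked against a fault timeline, as in this added example, which is not code from the BFT library or the article. It assumes a replica counts as faulty from compromise until its recovery completes and takes the window length as a parameter; the function names and the timeline are constructed for illustration.

```python
from collections import defaultdict

def max_faulty_in_window(fault_intervals, window):
    """Largest number of distinct replicas that are faulty at some point
    inside any time window of length `window`.

    fault_intervals: iterable of (replica_id, start, end); faulty on [start, end).
    """
    # A replica counts for the window [t, t + window] when one of its faulty
    # intervals intersects it, i.e. when start - window <= t < end.
    per_replica = defaultdict(list)
    for rid, start, end in fault_intervals:
        per_replica[rid].append((start - window, end))

    events = []
    for spans in per_replica.values():
        spans.sort()
        cur_lo, cur_hi = spans[0]
        for lo, hi in spans[1:]:
            if lo <= cur_hi:  # same replica, overlapping spans: count it once
                cur_hi = max(cur_hi, hi)
            else:
                events += [(cur_lo, 1), (cur_hi, -1)]
                cur_lo, cur_hi = lo, hi
        events += [(cur_lo, 1), (cur_hi, -1)]

    # Sweep over window start times; at equal times the -1 sorts first
    # because the spans are half-open.
    events.sort()
    worst = active = 0
    for _, delta in events:
        active += delta
        worst = max(worst, active)
    return worst

def within_bound(n_replicas, fault_intervals, window):
    """True when fewer than 1/3 of the replicas are faulty in every window."""
    return 3 * max_faulty_in_window(fault_intervals, window) < n_replicas

# Constructed timeline (arbitrary time units): three different replicas are
# compromised over the system lifetime, each recovered 10 units later.
TIMELINE = [(0, 0, 10), (1, 50, 60), (2, 100, 110)]

if __name__ == "__main__":
    for w in (30, 45):
        print(w, max_faulty_in_window(TIMELINE, w), within_bound(4, TIMELINE, w))
```

With four replicas the constructed timeline stays within the bound for a window of 30 even though three replicas fail in total; lengthening the window to 45 makes two faults fall in one window and the bound is violated.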
