304 lines
11 KiB
TeX
304 lines
11 KiB
TeX
\documentclass[11pt]{article}
|
|
|
|
\usepackage[margin=1in]{geometry}
|
|
\usepackage[T1]{fontenc}
|
|
\usepackage[utf8]{inputenc}
|
|
\usepackage{lmodern}
|
|
\usepackage{microtype}
|
|
\usepackage{amsmath,amssymb,amsthm,mathtools}
|
|
\usepackage{thmtools}
|
|
\usepackage{enumitem}
|
|
\usepackage{csquotes}
|
|
\usepackage[hidelinks]{hyperref}
|
|
\usepackage[nameinlink,noabbrev]{cleveref}
|
|
\usepackage[ruled, vlined, linesnumbered, algonl, titlenumbered]{algorithm2e}
|
|
\usepackage{graphicx}
|
|
|
|
\SetKwProg{Fn}{Function}{}{EndFunction}
|
|
\SetKwFunction{Wait}{Wait Until}
|
|
\SetKwProg{Upon}{Upon}{}{EndUpon}
|
|
\SetKwComment{Comment}{}{}
|
|
|
|
\usepackage{tikz}
|
|
\graphicspath{{diagrams/out}}
|
|
\usepackage{xspace}
|
|
% \usepackage{plantuml}
|
|
|
|
\usepackage[fr-FR]{datetime2}
|
|
|
|
\usepackage{fancyhdr}
|
|
\pagestyle{fancy}
|
|
\fancyhf{}
|
|
\fancyfoot[L]{Compilé le \DTMnow}
|
|
\fancyfoot[C]{\thepage}
|
|
\renewcommand{\headrulewidth}{0pt}
|
|
\renewcommand{\footrulewidth}{0pt}
|
|
|
|
\theoremstyle{plain}
|
|
\newtheorem{theorem}{Theorem}
|
|
\newtheorem{lemma}[theorem]{Lemma}
|
|
\newtheorem{corollary}[theorem]{Corollary}
|
|
\theoremstyle{definition}
|
|
\newtheorem{definition}{Definition}
|
|
\theoremstyle{remark}
|
|
\newtheorem{remark}{Remark}
|
|
|
|
\newcommand{\RB}{\textsf{RB}\xspace}
|
|
\newcommand{\res}{\mathsf{res}}
|
|
\newcommand{\ARB}{\textsf{ARB}\xspace}
|
|
\newcommand{\DL}{\textsf{DL}}
|
|
\newcommand{\APPEND}{\textsf{APPEND}}
|
|
\newcommand{\PROVE}{\textsf{PROVE}}
|
|
\newcommand{\PROVEtrace}{\textsf{prove}}
|
|
\newcommand{\READ}{\textsf{READ}}
|
|
|
|
\newcommand{\BFTAPPEND}{\textsf{BFT\text{-}APPEND}}
|
|
\newcommand{\BFTPROVE}{\textsf{BFT\text{-}PROVE}}
|
|
\newcommand{\BFTREAD}{\textsf{BFT\text{-}READ}}
|
|
|
|
|
|
\newcommand{\ABbroadcast}{\textsf{ABroadcast}}
|
|
\newcommand{\ABdeliver}{\textsf{ADeliver}}
|
|
\newcommand{\RBcast}{\textsf{RBroadcast}}
|
|
\newcommand{\RBreceived}{\textsf{RReceived}}
|
|
\newcommand{\ordered}{\textsf{order}}
|
|
\newcommand{\Winners}{\mathsf{Winners}}
|
|
\newcommand{\Messages}{\mathsf{Messages}}
|
|
\newcommand{\ABlisten}{\textsf{AB-listen}}
|
|
|
|
\newcommand{\CANDIDATE}{\textsf{VOTE}}
|
|
\newcommand{\CLOSE}{\textsf{COMMIT}}
|
|
\newcommand{\READGE}{\textsf{RESULT}}
|
|
|
|
\newcommand{\SHARE}{\mathsf{SHARE}}
|
|
\newcommand{\COMBINE}{\mathsf{COMBINE}}
|
|
\newcommand{\VERIFY}{\mathsf{VERIFY}}
|
|
|
|
\newcommand{\RETRIEVE}{\mathsf{RETRIEVE}}
|
|
\newcommand{\SUBMIT}{\mathsf{SUBMIT}}
|
|
|
|
\newcommand{\delivered}{\mathsf{delivered}}
|
|
\newcommand{\received}{\mathsf{received}}
|
|
\newcommand{\prop}{\mathsf{prop}}
|
|
\newcommand{\resolved}{\mathsf{resolved}}
|
|
\newcommand{\current}{\mathsf{current}}
|
|
|
|
\newcommand{\Seq}{\mathsf{Seq}}
|
|
\newcommand{\GE}{\mathsf{GE}}
|
|
\newcommand{\BFTDL}{\textsf{BFT\text{-}DL}}
|
|
|
|
\newcommand{\BFTGE}{\textsf{BFT\text{-}GE}}
|
|
\newcommand{\BFTVOTE}{\textsf{BFT\text{-}VOTE}}
|
|
\newcommand{\BFTCOMMIT}{\textsf{BFT\text{-}COMMIT}}
|
|
\newcommand{\BFTRESULT}{\textsf{BFT\text{-}RESULT}}
|
|
|
|
|
|
\crefname{theorem}{Theorem}{Theorems}
|
|
\crefname{lemma}{Lemma}{Lemmas}
|
|
\crefname{definition}{Definition}{Definitions}
|
|
\crefname{algorithm}{Algorithm}{Algorithms}
|
|
|
|
% Pour pouvoir referencer des lignes dans le pseudocode
|
|
% \crefname{ALC@Line}{Lignes}{Lignes}
|
|
% \Crefname{ALC@Line}{Ligne}{Lignes}
|
|
\crefname{AlgoLine}{ligne}{lignes}
|
|
\Crefname{AlgoLine}{Ligne}{Lignes}
|
|
% Code exécuté par tout processus p_i
|
|
|
|
\begin{document}
|
|
|
|
\section{Model 1: Crash}
|
|
We consider a static set $\Pi$ of $n$ processes with known identities, communicating by reliable point-to-point channels, in a complete graph. Messages are uniquely identifiable. At most $f$ processes can crash, with $n \geq f$.
|
|
|
|
\paragraph{Synchrony.} The network is asynchronous.
|
|
|
|
\paragraph{Communication.} Processes can exchange through a Reliable Broadcast ($\RB$) primitive (defined below) which is invoked with the functions $\RBcast(m)$ and $m = \RBreceived()$. There exists a shared object called DenyList ($\DL$) (defined below) that is interfaced with a set $O$ of operations. There exist three types of these operations: $\APPEND(x)$, $\PROVE(x)$ and $\READ()$.
|
|
|
|
\paragraph{Notation.} For any indice $x$ we defined by $\Pi_x$ a subset of $\Pi$. We consider two subsets $\Pi_M$ and $\Pi_V$ two authorization subsets. Indices $i \in \Pi$ refer to processes, and $p_i$ denotes the process with identifier $i$. Let $\mathcal{M}$ denote the universe of uniquely identifiable messages, with $m \in \mathcal{M}$. Let $\mathcal{R} \subseteq \mathbb{N}$ be the set of round identifiers; we write $r \in \mathcal{R}$ for a round. We use the precedence relation $\prec$ for the \DL{} linearization: $x \prec y$ means that operation $x$ appears strictly before $y$ in the linearized history of \DL. For any finite set $A \subseteq \mathcal{M}$, \ordered$(A)$ returns a deterministic total order over $A$ (e.g., lexicographic order on $(\textit{senderId},\textit{messageId})$ or on message hashes).
|
|
For any operation $F \in O$,$F_i(...)$ denotes that the operation $F$ is invoked by process $p_i$.
|
|
%For any round $r \in \mathcal{R}$, define $\Winners_r \triangleq \{\, j \in \Pi \mid (j,\PROVEtrace(r)) \prec \APPEND(r) \,\}$, i.e., the set of processes whose $\PROVE(r)$ appears before the first $\APPEND(r)$ in the \DL{} linearization.
|
|
%We denoted by $\PROVE^{(j)}(r)$ or $\APPEND^{(j)}(r)$ the operation $\PROVE(r)$ or $\APPEND(r)$ invoked by process $j$.
|
|
|
|
\section{Primitives}
|
|
|
|
\input{2_Primitives/index.tex}
|
|
|
|
\section{Atomic Reliable Broadcast (ARB)}
|
|
|
|
\input{3_ARB_Def/index.tex}
|
|
|
|
\section{ARB over RB and DL}
|
|
|
|
\input{4_ARB_with_RB_DL/index.tex}
|
|
|
|
\section{BFT-ARB over RB and DL}
|
|
|
|
\input{5_BFT_ARB/index.tex}
|
|
|
|
|
|
|
|
|
|
\section{Implementation of BFT-DenyList and Threshold Cryptography}
|
|
|
|
\subsection{DenyList}
|
|
|
|
\paragraph{BFT-DenyList}
|
|
In our algorithm we use multiple DenyList as follows:
|
|
|
|
\begin{itemize}
|
|
\item Let $\mathcal{DL} = \{DL_1, \dots, DL_k\}$ be the set of DenyList used by the algorithm.
|
|
\item We set $k = \binom{n}{f}$.
|
|
\item For each $i \in \{1,\dots,k\}$, let $M_i$ be the set of moderators associated with $DL_i$ according to the DenyList definition, so that $|M_i| = n-f$.
|
|
\item Let $\mathcal{M} = \{M_1, \dots, M_k\}$. We require that the $M_i$ are pairwise distinct:
|
|
\[
|
|
\forall i,j \in \{1,\dots,k\},\ i \neq j \implies M_i \neq M_j.
|
|
\]
|
|
\end{itemize}
|
|
|
|
|
|
\begin{lemma}
|
|
$\exists M_i \in M : \forall p \in M_i$ $p$ is correct.
|
|
\end{lemma}
|
|
|
|
\begin{proof}
|
|
Let consider the set $F$ of faulty processes, with $|F| = f$. We can construct the set $M_i = \Pi \setminus F$ such that $|M_i| = n - |F| = n - f$. By construction, $\forall p \in M_i$ $p$ is correct.
|
|
\end{proof}
|
|
|
|
\begin{lemma}
|
|
$\forall M_i \in M, \exists p \in M_i$ such that $p$ is correct.
|
|
\end{lemma}
|
|
|
|
\begin{proof}
|
|
$\forall i \in \{1, \dots, k\}, |M_i| = n-f$ with $n \geq 2f+1$. We can say that $|M_i| \geq 2f+1-f = f+1 > f$
|
|
\end{proof}
|
|
|
|
Each process can invoke the following functions :
|
|
|
|
\begin{itemize}
|
|
\item $\READ' : () \rightarrow \mathcal{L}(\mathbb{R} \times \PROVEtrace(\mathbb{R}))$
|
|
\item $\APPEND' : \mathbb{R} \rightarrow ()$
|
|
\item $\PROVE' : \mathbb{R} \rightarrow \{0, 1\}$
|
|
\end{itemize}
|
|
|
|
Such that :
|
|
|
|
% \begin{algorithm}[H]
|
|
% \caption{$\READ'() \rightarrow \mathcal{L}(\mathbb{R} \times \PROVEtrace(\mathbb{R}))$}
|
|
% \begin{algorithmic}
|
|
% \Function{READ'}{}
|
|
% \State $j \gets$ the process invoking $\READ'()$
|
|
% \State $res \gets \emptyset$
|
|
% \ForAll{$i \in \{1, \dots, k\}$}
|
|
% \State $res \gets res \cup DL_i.\READ()$
|
|
% \EndFor
|
|
% \State \Return $res$
|
|
% \EndFunction
|
|
% \end{algorithmic}
|
|
% \end{algorithm}
|
|
|
|
% \begin{algorithm}[H]
|
|
% \caption{$\APPEND'(\sigma) \rightarrow ()$}
|
|
% \begin{algorithmic}
|
|
% \Function{APPEND'}{$\sigma$}
|
|
% \State $j \gets$ the process invoking $\APPEND'(\sigma)$
|
|
% \ForAll{$M_i \in \{M_k \in M : j \in M_k\}$}
|
|
% \State $DL_i.\APPEND(\sigma)$
|
|
% \EndFor
|
|
% \EndFunction
|
|
% \end{algorithmic}
|
|
% \end{algorithm}
|
|
|
|
% \begin{algorithm}[H]
|
|
% \caption{$\PROVE'(\sigma) \rightarrow \{0, 1\}$}
|
|
% \begin{algorithmic}
|
|
% \Function{PROVE'}{$\sigma$}
|
|
% \State $j \gets$ the process invoking $\PROVE'(\sigma)$
|
|
% \State $flag \gets false$
|
|
% \ForAll{$i \in \{1, \dots, k\}$}
|
|
% \State $flag \gets flag$ OR $DL_i.\PROVE(\sigma)$
|
|
% \EndFor
|
|
% \State \Return $flag$
|
|
% \EndFunction
|
|
% \end{algorithmic}
|
|
% \end{algorithm}
|
|
|
|
\begin{algorithm}[H]
|
|
\caption{$\READ'() \rightarrow \mathcal{L}(\mathbb{R} \times \PROVEtrace(\mathbb{R}))$}
|
|
$j \gets$ the process invoking $\READ'()$\;
|
|
$res \gets \emptyset$\;
|
|
\ForAll{$i \in \{1, \dots, k\}$}{
|
|
$res \gets res \cup DL_i.\READ()$\;
|
|
}
|
|
\Return{$res$}\;
|
|
\end{algorithm}
|
|
|
|
\begin{algorithm}[H]
|
|
\caption{$\APPEND'(\sigma) \rightarrow ()$}
|
|
$j \gets$ the process invoking $\APPEND'(\sigma)$\;
|
|
\ForAll{$M_i \in \{M_k \in M : j \in M_k\}$}{
|
|
$DL_i.\APPEND(\sigma)$\;
|
|
}
|
|
\end{algorithm}
|
|
|
|
\begin{algorithm}[H]
|
|
\caption{$\PROVE'(\sigma) \rightarrow \{0, 1\}$}
|
|
$j \gets$ the process invoking $\PROVE'(\sigma)$\;
|
|
$flag \gets false$\;
|
|
\ForAll{$i \in \{1, \dots, k\}$}{
|
|
$flag \gets flag$ OR $DL_i.\PROVE(\sigma)$\;
|
|
}
|
|
\Return{$flag$}\;
|
|
\end{algorithm}
|
|
|
|
\subsection{Threshold Cryptography}
|
|
|
|
We are using the Boneh-Lynn-Shacham scheme as cryptography primitive to our threshold signature scheme.
|
|
With :
|
|
|
|
\begin{itemize}
|
|
\item $G : \mathbb{R} \rightarrow \mathbb{R} \times \mathbb{R} $
|
|
\item $S : \mathbb{R} \times \mathcal{R} \rightarrow \mathbb{R} $
|
|
\item $V : \mathbb{R} \times \mathcal{R} \times \mathbb{R} \rightarrow \{0, 1\} $
|
|
\end{itemize}
|
|
|
|
Such that :
|
|
|
|
\begin{itemize}
|
|
\item $G(x) \rightarrow (pk, sk)$ : where $x$ is a random value such that $\nexists x_1, x_2: x_1 \neq x_2, G(x_1) = G(x_2)$
|
|
\item $S(sk, m) \rightarrow \sigma_m$
|
|
\item $V(pk, m_1, \sigma_{m_2}) \rightarrow k$ : with $k = 1$ iff $m_1 == m_2$ and $\exists x \in \mathbb{R}$ such that $G(x) \rightarrow (pk, sk)$; otherwise $k = 0$
|
|
\end{itemize}
|
|
|
|
\paragraph{threshold Scheme}
|
|
|
|
In our algorithm we are only using the following functions :
|
|
|
|
\begin{itemize}
|
|
\item $G' : \mathbb{R} \times \mathbb{N} \times \mathbb{N} \rightarrow \mathbb{R} \times (\mathbb{R} \times \mathbb{R})^n$ : with $n \triangleq |\Pi|$
|
|
\item $S' : \mathbb{R} \times \mathcal{R} \rightarrow \mathbb{R}$
|
|
\item $C' : \mathbb{R}^n \times \mathcal{R} \times \mathbb{R} \times \mathbb{R}^t \rightarrow \{\mathbb{R}, \bot\}$ : with $t \leq n$
|
|
\item $V' : \mathbb{R} \times \mathcal{R} \times \mathbb{R} \rightarrow \{0, 1\}$
|
|
\end{itemize}
|
|
|
|
Such that :
|
|
|
|
\begin{itemize}
|
|
\item $G'(x, n, t) \rightarrow (pk, pk_1, sk_1, \dots, pk_n, sk_n)$ : let define $pkc = {pk_1, \dots, pk_n}$
|
|
\item $S'(sk_i, m) \rightarrow \sigma_m^i$
|
|
\item $C'(pkc, m_1, J, \{\sigma_{m_2}^j\}_{j \in J}) \rightarrow \sigma$ : with $J \subseteq \Pi$; and $\sigma = \sigma_{m_1}$ iff $|J| \geq t, \forall j \in J: V(pk_j, m_1, \sigma_{m_2}^j) == 1$; otherwise $\sigma = \bot$.
|
|
\item $V'(pk, m_1, \sigma_{m_2}) \rightarrow V(pk, m_1, \sigma_{m_2})$
|
|
\end{itemize}
|
|
|
|
|
|
\bibliographystyle{plain}
|
|
\begin{thebibliography}{9}
|
|
% (left intentionally blank)
|
|
\bibitem{Schneider90}
|
|
Fred B.~Schneider.
|
|
\newblock Implementing fault-tolerant services using the state machine
|
|
approach: a tutorial.
|
|
\newblock {\em ACM Computing Surveys}, 22(4):299--319, 1990.
|
|
\end{thebibliography}
|
|
|
|
\end{document}
|