Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No fraudproofs generated for equivocations #383

Open
ranchalp opened this issue Apr 5, 2023 · 4 comments · May be fixed by #505
Open

No fraudproofs generated for equivocations #383

ranchalp opened this issue Apr 5, 2023 · 4 comments · May be fixed by #505
Labels
ADR Issue that should lead to an ADR

Comments

@ranchalp
Copy link
Contributor

ranchalp commented Apr 5, 2023
edited
Loading

At the moment, availability certificates must contain a majority of signatures, while the Orderers module has no signatures in the PBFT good case (only for the view change). This means that if the adversary controls n/3 or more replicas, it can cause a disagreement (double-spend, triple-spend, ..., n/3-fold-spend even) at the cost of not finding any replica guilty of a disagreement (and the disagreement will not even be detected necessarily).

Also, the availability certificate is generated just by checking the validity of its metadata and including the multisigcollector ID (mscid), so no fraudproof can be generated (multiple certificates can be generated with the same mscid, both in the current implementation that generates multiple certificates for one slot and in the previous one as the mscid was the same for all slots of the same ISS segment.

This is not an issue for the Orderers code under the assumption of f<t, but it is an issue when applied to subnets with collateral and with slashing to deter disagreements (as the rational adversary will never be deterred from causing a disagreement).

The solution would imply one of the following:

a) Improving accountability of the availability certificate by:
1- Having each availability certificate include a new certificateID that is monotonically increasing for all certificates sharing the same mscid,
2- Explicitly requiring a specific number of certificates per slot (suboptimal)
3- Verifying that proposals match their intended slot with mscid and ceritificateIDs before sending a prepare message.
b) Adding signatures to PBFT , and adding a broadcast of a vector of signatures to support fraudproofs. Not sure that view change should not need to suffer certain changes too to ensure fraudproofs there as well.
c) Adding an extra round at the end of orderers, as an optional pluggable module that adds 2 reliable broadcasts at the end of ISS. In the first broadcast, all replicas broadcast a signature of their local decision and second they broadcast a strongQuorum() number of signatures they heard from. (O(n^3) bit complexity). This can be reduced to O(n^2) bit complexity (same as consensus) in the common case with a fallback to O(n^3) in the case of a disagreement with threshold signatures. (see follow-up comment for more details).

I would go with c), as a) only works if adding a synchronization step between availability and ordering modules (which we do not want for performance), and b) requires modifying the orderers code to add signatures (which we may not always want in all applications). Going with c) allows adding detecting disagreements and generating fraudproofs as a module that can be easily plugged in to support accountability/ BFT forensics in any consensus protocol (and thus add support for collateral/slashing in subnets if wanted).

The other nice thing about c) is that it is optimal in communication complexity, resilient-optimal for f<strongQuorum() (not assuming anything on clients-code, otherwise f<n can be achieved), and that it can be plugged in any other consensus protocol module to provide accountability and fraudproofs on it. The drawback is that it can increase latency compared to b), but nothing that we cannot later improve specifically on b) if need be.
@ranchalp
Copy link
Contributor Author

ranchalp commented Apr 6, 2023
edited
Loading

In Trantor, solution c) could be run one per iteration of PBFT or one per iteration of ISS. In the former, we optimize finding disagreements as soon as they happen, in the latter, we optimize throughput. Given that extra communication does not meaningfully takes place in the common case (see next comment), probably the former is the way to go.

If there has been a disagreement, then this extra accountability module receives a certificate that contains equivocating messages. If that occurs, then the accountability module should immediately notify the application layer, and run a reconfiguration followed by a recovery that finds and resolves possible disagreements, at the end of the current ISS iteration. The application layer should not deliver any received output since it is notified of the found disagreement and until it receives the new configuration and the recovery data.

@ranchalp ranchalp added the ADR Issue that should lead to an ADR label Apr 10, 2023
@ranchalp
Copy link
Contributor Author

ranchalp commented Apr 10, 2023
edited
Loading

Implementing solution c) -> Added accountability module
The critique of the general solution c) (which can be applied to all cases and ensure accountability) is (i) that a set of deviants (malicious replicas, either Byzantines or rational) that caused a disagreement in the consensus module can decide to give up in the accountability module; and that (ii) the known optimal solution requires implementing threshold signatures.

(i) is not a huge drawback, because if that occurs then the protocol terminates deciding no disagreements, which is not that bad really. As for (ii), a solution that does not require of threshold signatures consists of a pull approach in the following manner:

Step1- replicas broadcast to all their decision from the consensus module (signed)
Step2- if a replica $p_a$ receives a signed decision $v'$ from replica $p_b$ different from its local decision $v$, then $p_a$ sends to $p_b$ the certificate $cert_v$ containing a strong quorum of signed messages it receives from other replicas alleging deciding $v$.
As a result, $p_b$ either:

  • Never really outputs $v'$ (does not receive a strong quorum for $v'$), or it can create fraudproofs once it receives $cert_v$ from $p_a$ (by finding equivocating messages from replicas in $cert_v$ and $cert_v'$.

Assuming pairwise channels between replicas, this provides the same optimal bit complexity per channel as regular consensus in the common case (t<n/3 deviants, malicious replicas) in all channels involving 2 correct replicas, though deviants can increase the number of bits sent to them (channels from correct to deviants). This can be solved with threshold signatures only in the general module. Below I detail how to reduce this requirement a notch if we specify the solution for Trantor.

Implementing solution c) specifically for Trantor
For Trantor's implementation of PBFT, the above solution works like a charm if slightly more coupled to the orderers module (without threshold signatures). This is because if we just require the leader to sign its preprepare and require that replicas share in Step1, along with its signed decision, the signed preprepare from the leader, then this means that if somebody sends a certificate in Step2 at least the leader will be found guilty of this disagreement attempt. The fact that someone in the deviating coalition will suffer the effects of the extra communication overhead is enough of a deterrent (once we have slashing of collateral in place).

Implementing solution b)
However, if we decided to not implement c), then we could still get accountability specific for the Orderers module in the following way:

  • Require preprepare and prepare messages to be signed
  • Require replicas to attach to their commit messages the signed preprepare from the leader
  • If a replica ready to send a commit for proposal $v'$ receives a commit message from $p_b$ with a matching and correctly signed preprepare from the leader for proposal $v$ (i.e. $cert_v$), then send to $p_b$ its local strong quorum of signed prepare messages signing for $v'$ (i.e. $cert_v'$), and broadcast to all the fraudproof of the leader. Otherwise, ignore. (only added complexity if at least a fraudproof for the leader is generated).

@ranchalp
Copy link
Contributor Author

ranchalp commented Apr 12, 2023
edited
Loading

Also, if any sort of fraudproof were to be generated, we should consider changing many checks on a weak quorum to checks on a strong quorum (for cases where safety can leak from these checks in weird ways not previously considered). Consider this a placeholder for a potential future issue to resolve should we implement fraudproofs/accountability.

@ranchalp
Copy link
Contributor Author

ranchalp commented May 25, 2023
edited
Loading

Following sync, we settled on implementing b) (solution specifically for Trantor):

  • Proposer signatures on preprepare messages (detects at least proposer deviations if safety violation attempted by proposer)
  • (Tentative) voter signatures on prepare messages (detects at least n-StrongQuorum() if safety violated)

Room for ideas on how to detect conflicting signatures and generate so-called Proofs-of-Misbehavior (PoMs) (i.e. how nodes collaborate to efficiently exchange signatures). But common agreement towards:

1- Good case (no misbehaviors) should not be affected beyond local signature verification, (same communication complexity)

2- If more messages than good case, then at least proposer is provably faulty (deterrent from adversary causing spam as someone will be slashed)

For block proposer, all replicas must attach the signature of the proposer's preprepare message to their commit message.

For voters, there are still multiple proposals on how to efficiently check for conflicting messages:

1 - Use threshold signatures attached to commit messages. Though optimal push-based approach, mostly discarded for now due to the complexity of the implementation.
2 - Above-described type of approach, (release locally gathered signed prepares upon generating a PoMs for the proposer at least). An honest node $p_i$ must thus send to the node $p_j$ from which the conflicting signature of the proposer was received a list of signed prepares. This way, $p_j$ can create and broadcast PoMs. Alternatively, $p_i$ can broadcast (though unnecessary and extra comm).
3- Other proposals have been put forward that optimistically accuse nodes, (if for example a decision is made on a value different than what a node signed for in their prepare), but these cannot rule out false positives AFAWK, so mainly discarded.

Implementations of general accountability module also discussed (option c) above), but:

  • Increases critical path by at least an extra round of communication
  • Only by making it a bit specific for Trantor, can it be taken out of the critical path.

This was referenced Jul 23, 2023
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ADR Issue that should lead to an ADR
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Accountability module ranchalp/mir
1 participant
@ranchalp