Download - Order-Fairness for Byzantine Consensus
![Page 1: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/1.jpg)
Mahimna KelkarCornell University and Cornell Tech
CRYPTO 2020
Joint work with Fan Zhang, Steven Goldfeder, and Ari Juels
Order-Fairness for
Byzantine Consensus
![Page 2: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/2.jpg)
State Machine Replication (SMR)also Byzantine consensus, linearly-ordered log
1
Transactions from clients
Agree on a consistent ordered
transaction log
Consensus Nodes
Byzantine
![Page 3: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/3.jpg)
State Machine Replication (SMR)also Byzantine consensus, linearly-ordered log
Consistency or SafetyHonest nodes output the same log
LivenessNew TXs are incorporated soon
2
![Page 4: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/4.jpg)
State Machine Replication (SMR)also Byzantine consensus, linearly-ordered log
Consistency or SafetyHonest nodes output the same log
LivenessNew TXs are incorporated soon
3
• No restriction on the actual ordering
• Often easy to manipulate
![Page 5: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/5.jpg)
• Almost all classical consensus protocols are leader-based• E.g., PBFT, Paxos, Hotstuff etc.
• Leader node can propose any ordering• Adversarial leader can arbitrarily manipulate ordering
• No previous protocol guarantees fair ordering.
4
![Page 6: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/6.jpg)
Why is fair ordering important?
5
![Page 7: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/7.jpg)
Why is fair ordering important?
• 2014 exposé on high-frequency trading on wall street.
• HFT characteristics• Front-running
• Arbitrage
• Investigation and fines after Lewis’ book (FBI, SEC, etc.)
6
![Page 8: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/8.jpg)
Why is fair ordering important?
• HFT back in a new form on decentralized exchanges
• Wild west without much regulation
7
Daian et al. (IEEE S&P 2020)
![Page 9: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/9.jpg)
Why is fair ordering important?
Independent Theoretical Motivation• Natural Analog of Validity condition in Byzantine Agreement (BA)• Validity forgotten when BA generalized to SMR
If all honest nodes are input value 𝑣,
then all honest nodes will agree on 𝑣.
If all honest nodes are input 𝑚# before 𝑚$,
then all honest nodes will agree on 𝑚# before 𝑚$.
Agreement Validity Order-Fairness8
![Page 10: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/10.jpg)
Comparison to current techniques
• Censorship Resistance [HoneybadgerBFT, Omniledger etc]
• Reordering and insertion still possible
• Random leader election [Algorand, Ouroborous etc]
• Adversarial leader can still order unfairly
• Threshold Encryption [HoneybadgerBFT]
• Transactions ordered before content is revealed• Can still reorder transactions from colluding client first• Possible to blindly reorder
9
Order-Fairness is strictly stronger than
previous notions
![Page 11: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/11.jpg)
Defining Fair Ordering
10
![Page 12: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/12.jpg)
Model
• Permissioned system with 𝒏 nodes, 𝒇 of which may be adversarial
• Clients can collude with protocol nodes
11
![Page 13: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/13.jpg)
Model
• External Network• Communication between clients and protocol nodes
• Clients send transactions to all nodes
• Adversary 𝒜 not in charge of message delivery
• Internal Network• Communication amongst protocol nodes
• Adversary 𝒜 handles all message delivery12
![Page 14: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/14.jpg)
Model: Synchrony Definitions
13
If a transaction is input to some node in round 𝑟,
then all honest nodes will receive it as input by round 𝑟 + Δ*+,.
Δ*+, -External Synchrony
If a message is sent by an honest node in round 𝑟,
then all recipient(s) will receive it by round 𝑟 + Δ-.,.
Δ-., -Internal Synchrony
![Page 15: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/15.jpg)
So how do we define the fair ordering?
14
Definition (informal): 𝜸-Receive-Order-Fairness
If 𝛾𝑛 nodes are input 𝑚# before 𝑚$,then all honest nodes will deliver 𝑚# before 𝑚$.
12 < 𝛾 ≤ 1
![Page 16: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/16.jpg)
Condorcet Paradox
15
• Global ordering can be non-transitive even when individual orderings are transitive
Alice Bob Carol
𝑥1.
2.
3.
𝑦
𝑧
𝑦1.
2.
3.
𝑧
𝑥
𝑧1.
2.
3.
𝑥
𝑦
![Page 17: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/17.jpg)
Condorcet Paradox
16
• Global ordering can be non-transitive even when individual orderings are transitive
Alice Bob Carol
𝑥1.
2.
3.
𝑦
𝑧
𝑦1.
2.
3.
𝑧
𝑥
𝑧1.
2.
3.
𝑥
𝑦
𝒙 ≪ 𝒚
![Page 18: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/18.jpg)
Condorcet Paradox
17
• Global ordering can be non-transitive even when individual orderings are transitive
Alice Bob Carol
𝑥1.
2.
3.
𝑦
𝑧
𝑦1.
2.
3.
𝑧
𝑥
𝑧1.
2.
3.
𝑥
𝑦
𝒙 ≪ 𝒚
𝒚 ≪ 𝒛
![Page 19: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/19.jpg)
Condorcet Paradox
18
• Global ordering can be non-transitive even when individual orderings are transitive
Alice Bob Carol
𝑥1.
2.
3.
𝑦
𝑧
𝑦1.
2.
3.
𝑧
𝑥
𝑧1.
2.
3.
𝑥
𝑦
𝒙 ≪ 𝒚
𝒚 ≪ 𝒛
𝒛 ≪ 𝒙
![Page 20: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/20.jpg)
Condorcet Paradox
19
• Global ordering can be non-transitive even when individual orderings are transitive
Alice Bob Carol
𝑥1.
2.
3.
𝑦
𝑧
𝑦1.
2.
3.
𝑧
𝑥
𝑧1.
2.
3.
𝑥
𝑦
𝒙 ≪ 𝒚
𝒚 ≪ 𝒛
𝒛 ≪ 𝒙
Cyclic Ordering!
![Page 21: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/21.jpg)
20
Theorem (informal): Impossibility of Receive-Fairness
For any 𝑛, 𝑓 ≥ 1 and 𝛾, no protocol can achieve all of consistency, liveness and 𝛾-receive-order-fairnesswhen Δ*+, ≥ 𝑛.
![Page 22: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/22.jpg)
Block-Order-Fairness
21
Definition (informal): 𝜸-Block-Order-Fairness
If 𝛾𝑛 nodes are input 𝑚# before 𝑚$,then all honest nodes will deliver 𝑚# no later than 𝑚$.
![Page 23: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/23.jpg)
Block-Order-Fairness
22
Definition (informal): 𝜸-Block-Order-Fairness
If 𝛾𝑛 nodes are input 𝑚# before 𝑚$,then all honest nodes will deliver 𝑚# no later than 𝑚$.
• Key Idea: Deliver transactions with non-transitive ordering in the same block
![Page 24: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/24.jpg)
Why can’t we just order based on median timestamp?
• A single adversarial node can cause unfair ordering
23
A B C D E1 𝑡𝑥# 𝑡𝑥#2 𝑡𝑥$ 𝑡𝑥$ 𝑡𝑥#3 𝑡𝑥$4 𝑡𝑥# 𝑡𝑥#5 𝑡𝑥$ 𝑡𝑥$
Round Number
![Page 25: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/25.jpg)
Why can’t we just order based on median timestamp?
• A single adversarial node can cause unfair ordering
24
A B C D E1 𝑡𝑥# 𝑡𝑥#2 𝑡𝑥$ 𝑡𝑥$ 𝑡𝑥#3 𝑡𝑥$4 𝑡𝑥# 𝑡𝑥#5 𝑡𝑥$ 𝑡𝑥$
Round Number
2 = 𝒎𝒆𝒅 𝒕𝒙𝟏≤
𝒎𝒆𝒅 𝒕𝒙𝟐 = 3
![Page 26: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/26.jpg)
Why can’t we just order based on median timestamp?
• A single adversarial node can cause unfair ordering
25
A B C D E1 𝑡𝑥# 𝑡𝑥#2 𝑡𝑥$ 𝑡𝑥$ 𝑡𝑥$3 𝑡𝑥#4 𝑡𝑥# 𝑡𝑥#5 𝑡𝑥$ 𝑡𝑥$
Round Number
3 = 𝒎𝒆𝒅 𝒕𝒙𝟏≰
𝒎𝒆𝒅 𝒕𝒙𝟐 = 2
![Page 27: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/27.jpg)
Fair Ordering Protocols
26
![Page 28: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/28.jpg)
Aequitas: A Fair-Ordering Protocol
27
Gossip Stage
Agreement Stage
Finalization Stage
𝑡𝑥#
Inputs
Output
𝑡𝑥%
𝑡𝑥$
𝐵&
𝐵#
⋮
𝐵'
![Page 29: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/29.jpg)
The Gossip Stage
(1) Honest nodes broadcast transactions they to all nodes as they are received
(2) Honest nodes store broadcasts received from other nodes
in local logs 𝑙𝑜𝑐𝑎𝑙𝑙𝑜𝑔-I contains 𝑖’s view of broadcasts by 𝑗
28
Guarantees that honest nodes have consistent local logs
![Page 30: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/30.jpg)
The Gossip Stage
• FiFo (First-In-First-Out) Broadcast• Messages broadcast by an honest sender are delivered in the
same order as they were broadcast
• Messages broadcast by an adversarial sender are delivered in a consistent order by all honest nodes
• Can be realized from standard reliable broadcast [HDvR 07]
29
![Page 31: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/31.jpg)
Agreement Stage
• Agree on which local logs to use to order a transaction
• Can be done using standard Byzantine agreement
30
Guarantees that honest nodes use the same local logs to finalize a transaction
![Page 32: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/32.jpg)
Finalization Stage
• The finalization stage orders the transaction in the final output log
• Leaderless• No extra communication
31
![Page 33: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/33.jpg)
Finalization Stage
Ordering two transactions
• If many (e.g., 𝛾𝑛 − 𝑓) local logs contain 𝑡𝑥′ before 𝑡𝑥, then 𝑡𝑥is said to wait for 𝑡𝑥′
• Relations between transactions are viewed in a dependency or waiting graph.
• Vertices represent transactions
• Edge (𝑎,𝑏) represents 𝑏 waiting for 𝑎
32
![Page 34: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/34.jpg)
Leaderless Finalization
What if there is no clear winner in the two transactions?
Two problems to solve
1. Graph may not be complete or even connected. • Some transactions may not be comparable
2. Graph may not be acyclic.
33
![Page 35: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/35.jpg)
Leaderless Finalization
Key Idea
• Wait for common descendant for transactions without an edge in the graph
• Order using maximum number of dependents
34
𝑡𝑥#
𝑡𝑥%
𝑡𝑥$
𝑡𝑥(
𝑡𝑥)
![Page 36: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/36.jpg)
Leaderless Finalization
• Graph can still have cycles
• To get a total ordering, compute the condensation graph by collapsing the strongly-connected components
• Deliver transactions in the same component into the same block.
35
𝑡𝑥#
𝑡𝑥%
𝑡𝑥$
𝑡𝑥(
𝑡𝑥)
![Page 37: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/37.jpg)
• Synchronous protocol requires 𝒏 > 𝟐𝒇𝟐𝜸Q𝟏
• i.e., 𝑛 > 2𝑓 even when 𝛾 = 1
• Asynchronous protocol requires 𝒏 > 𝟒𝒇𝟐𝜸Q𝟏
36
![Page 38: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/38.jpg)
Some Caveats
• Only Achieves Weak-Liveness• New transactions must be input sufficiently late in order to deliver
current transactions
• Conventional Liveness achieved when external network has small synchrony bound
37
![Page 39: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/39.jpg)
Some Caveats
• Adversary can unfairly order if it controls the entire Internet, i.e. if it can also control a client’s connection to the consensus protocol nodes
• In our modeling, this is handled by assuming adversary does not control the external network
38
![Page 40: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/40.jpg)
A general order-fairness compiler
• FiFo-broadcast and Byzantine Agreement are weak primitives
• They can be realized from any consensus protocol
• General compiler that takes any consensus protocol and transforms it into one that also provides order-fairness
39
![Page 41: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/41.jpg)
Final Thoughts
• Our work is the first to formalize order-fairness and provide protocols that realize it
• Order-Fairness is important for many blockchain applications• Decentralized exchanges (2.4 billion USD market)
• ICO token sales (12 billion USD market)
• Decentralized Finance in general
40
![Page 42: Order-Fairness for Byzantine Consensus](https://reader036.vdocument.in/reader036/viewer/2022062502/62afb5d668fc6d5af0586b16/html5/thumbnails/42.jpg)
Thank you
mahimna @ cs.cornell.edu
ia.cr/2020/269
41