Lecture 6. Relaxing PKI: the hexagon argument.

Resources:
HW:

Recollection from last lecture

Assumptions: (1) Permissioned setting (2) PKI (3) Synchronous setting (4) ≤f Byzantine nodes
State Machine Replication (SMR) • Clients submit txs to nodes • Each node maintains local history

Goal is a protocol satisfying - consistency (honest nodes agree) - liveness (valid txs are added to honest nodes’ histories)

Byzantine Broadcast (BB) • One node is a sender, others are non-senders • Sender has a private input v* ∈ V

Goal is a protocol satisfying: - termination (honest nodes halt) - agreement (honest nodes output the same message) - validity (if the sender is honest, honest nodes output the correct value v*)

An Impossibility result

Theorem. [Pease-Shostak-Lamport 80’, Fischer-Lynch-Merritt 86’] Consider the Byzantine Broadcast problem in the permissioned synchronous setting without PKI (no signatures). If the number of Byzantine nodes is at least a third of all nodes, f ≥ n/3, then no deterministic protocol (one without probabilistic instructions) can satisfy termination+agreement+validity.

Rmk. This doesn’t contradict Dolev-Strong, which tolerates any f < n: Dolev-Strong assumes PKI, and here the PKI assumption is removed.

Will show: the special case n=3 and f=1 (the general case reduces to this one and is analogous, see HW).

Some vague intuition

image
  • A could be Byzantine and tell B and C conflicting things
  • B & C can compare notes, but C may be Byzantine and trying to fake that A is dishonest
  • Honest node B can’t distinguish which of A and C is responsible for the conflicting messages

FLM’s Beautiful Proof: A Hexagon Thought Experiment

(key themes: simulation and indistinguishability)

Let π be a deterministic BB protocol for n=3, f=1 satisfying termination+validity+agreement.

Inputs needed to run π on a node i: (i) the names and IP addresses of the two other nodes; (ii) which node is the sender; (iii) the private input v*, if node i is the sender. Since π is deterministic, everything node i does is a function of these inputs and of the messages it receives.

Now, the inventor of π surely had in mind that all three nodes hold consistent information in (i) and (ii). But nothing forces this: each copy of π only ever talks to the two addresses it was given. So let’s run π on 6 nodes A, B, C, A’, B’, C’, each believing it is in a 3-node system, with the following inputs:

image

The six nodes sit on a hexagon A – C – B’ – A’ – C’ – B – A. Each node runs π with its two hexagon neighbours as “the two other nodes”: A runs as sender with input 0 and neighbours B, C; A’ runs as sender with input 1 and neighbours B’, C’; B and B’ run the code of node B, C and C’ run the code of node C, each told that its neighbour A or A’ is the sender and that its other neighbour is the third node (so B talks to A and C’, taking C’ for “C”; C talks to A and B’, taking B’ for “B”; and so on around the hexagon).

This setup is well-defined, and all nodes eventually halt with a certain output (why do they halt? Because, as the simulations below show, each node’s view of this run is identical to its view of a legitimate 3-node run with one Byzantine node, and there termination guarantees halting). We now proceed to the simulation part of the proof.

Simulation 1

We set up a three-node experiment with honest nodes B and C’ and a Byzantine sender X, where X internally simulates the four hexagon machines (A, 0)–(C)–(B’)–(A’, 1): X delivers to B exactly what the simulated A sends to B, and to C’ exactly what the simulated A’ sends to C’.

image
  • Because π satisfies agreement, in the thought experiment with X the honest nodes B and C’ must halt with the same output.
  • B and C’ receive exactly the same messages in this experiment as in the hexagon (X runs the four simulated nodes faithfully), and π is deterministic, so they behave identically in both. Hence B and C’ halt with the same output in our hexagon thought experiment.

Simulation 2

We now set up a three-node experiment with honest nodes A (sender, input 0) and B and a Byzantine non-sender X, where X internally simulates the four hexagon machines (C)–(B’)–(A’, 1)–(C’).

image
  • Because π satisfies validity, in the thought experiment on the left with X the honest node B halts with the honest sender’s input, namely “0”.
  • B receives exactly the same messages in this experiment as in the hexagon, and π is deterministic, so B halts with “0” in our hexagon thought experiment as well.

Simulation 3

We now set up a three-node experiment with honest nodes A’ (sender, input 1) and C’ and a Byzantine non-sender X, where X internally simulates the four hexagon machines (B)–(A, 0)–(C)–(B’).

image
  • Because π satisfies validity, in the thought experiment on the left with X the honest node C’ halts with the honest sender’s input, namely “1”.
  • C’ receives exactly the same messages in this experiment as in the hexagon, and π is deterministic, so C’ halts with “1” in our hexagon thought experiment as well.
In conclusion: in the hexagon, B outputs “0” (Simulation 2) and C’ outputs “1” (Simulation 3), yet B and C’ must output the same value (Simulation 1). The three conclusions contradict each other, so π cannot exist.
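The hexagon and the three simulations, run concretely. This is an added example, not part of the lecture notes: the toy protocol `Node` (the sender sends its input, non-senders relay it and trust the sender) is an assumed stand-in for an arbitrary deterministic π, and `Simulator` is the Byzantine X that runs four hexagon machines internally. The names `HEXAGON`, `SPEC`, `fresh`, `run` and `three_node_experiment` are mine. What the code shows is the indistinguishability step: the transcript an honest node records in the hexagon is exactly the transcript it records in the three-node experiment where X simulates the rest.

```python
"""Hexagon thought experiment (FLM) for Byzantine Broadcast, n=3, f=1, no PKI.

Added example. `Node` is an assumed toy protocol standing in for any
deterministic pi; `Simulator` is the Byzantine X of Simulations 1-3.
"""
from typing import Optional

ROUNDS = 3  # round 1: sender sends; round 2: non-senders relay; round 3: relays arrive

# Hexagon A - C - B' - A' - C' - B - A.  Per physical node: the local name (A/B/C)
# it runs pi under, and its sender input (None for non-senders).
SPEC = {"A": ("A", 0), "A'": ("A", 1), "B": ("B", None),
        "B'": ("B", None), "C": ("C", None), "C'": ("C", None)}
# Per physical node: which physical neighbour it takes for each local name.
HEXAGON = {"A":  {"B": "B",  "C": "C"},   "C":  {"A": "A",  "B": "B'"},
           "B'": {"A": "A'", "C": "C"},   "A'": {"B": "B'", "C": "C'"},
           "C'": {"A": "A'", "B": "B"},   "B":  {"A": "A",  "C": "C'"}}


class Node:
    """One copy of the toy pi. Local names are always A, B, C; A is the sender."""

    def __init__(self, name: str, value: Optional[int] = None):
        self.name, self.value = name, value
        self.log = []                      # transcript: (round, messages received)
        self.from_sender: Optional[int] = None
        self.relayed: Optional[int] = None

    def step(self, rnd: int, inbox: dict) -> dict:
        """Consume this round's inbox {local_sender: msg}; return {local_dest: msg}."""
        self.log.append((rnd, dict(sorted(inbox.items()))))
        peer = "C" if self.name == "B" else "B"          # the other non-sender
        if rnd == 1 and self.name == "A":
            return {"B": self.value, "C": self.value}
        if rnd == 2 and self.name != "A" and "A" in inbox:
            self.from_sender = inbox["A"]
            return {peer: inbox["A"]}                     # relay the sender's value
        if rnd == 3 and self.name != "A":
            self.relayed = inbox.get(peer)
        return {}

    def output(self) -> int:
        if self.name == "A":
            return self.value
        if self.from_sender is not None:                  # naive: trust the sender
            return self.from_sender
        return self.relayed if self.relayed is not None else 0


def fresh(pid: str) -> Node:
    return Node(*SPEC[pid])


def local_name(wiring: dict, dst: str, src: str) -> str:
    """The local name under which physical node dst knows physical node src."""
    return next(ln for ln, tgt in wiring[dst].items() if tgt == src)


class Simulator:
    """Byzantine X: runs the hexagon machines `inner` internally. Its local names
    for the real nodes are their physical ids (a Byzantine node may know them)."""

    def __init__(self, inner):
        self.inner = {pid: fresh(pid) for pid in inner}
        self.pending = {pid: {} for pid in inner}

    def step(self, rnd: int, inbox: dict) -> dict:
        for real_src, msg in inbox.items():   # hand to the inner machine wired to real_src
            for pid in self.inner:
                for ln, tgt in HEXAGON[pid].items():
                    if tgt == real_src:
                        self.pending[pid][ln] = msg
        out, nxt = {}, {pid: {} for pid in self.inner}
        for pid, node in self.inner.items():
            for ln, msg in node.step(rnd, self.pending[pid]).items():
                dst = HEXAGON[pid][ln]
                if dst in self.inner:
                    nxt[dst][local_name(HEXAGON, dst, pid)] = msg
                else:
                    out[dst] = msg                        # leaves the simulation
        self.pending = nxt
        return out


def run(machines: dict, wiring: dict):
    """Synchronous execution: messages sent in round r arrive at the start of r+1."""
    pending = {pid: {} for pid in machines}
    for rnd in range(1, ROUNDS + 1):
        nxt = {pid: {} for pid in machines}
        for pid, m in machines.items():
            for ln, msg in m.step(rnd, pending[pid]).items():
                dst = wiring[pid][ln]
                nxt[dst][local_name(wiring, dst, pid)] = msg
        pending = nxt
    honest = {pid: m for pid, m in machines.items() if isinstance(m, Node)}
    return ({pid: m.output() for pid, m in honest.items()},
            {pid: m.log for pid, m in honest.items()})


def hexagon():
    return run({pid: fresh(pid) for pid in HEXAGON}, HEXAGON)


def three_node_experiment(honest):
    """Real machines: the honest hexagon nodes in `honest`; X simulates the other four."""
    machines = {pid: fresh(pid) for pid in honest}
    machines["X"] = Simulator([pid for pid in HEXAGON if pid not in honest])
    wiring = {pid: {ln: (t if t in honest else "X") for ln, t in HEXAGON[pid].items()}
              for pid in honest}
    wiring["X"] = {pid: pid for pid in honest}
    return run(machines, wiring)


if __name__ == "__main__":
    out, tr = hexagon()
    print("hexagon outputs:", out)
    for honest in ({"B", "C'"}, {"A", "B"}, {"A'", "C'"}):
        s_out, s_tr = three_node_experiment(honest)
        same = all(s_tr[p] == tr[p] for p in honest)
        print(sorted(honest), "transcripts identical:", same, "outputs:", s_out)
```

Running it gives B → 0 and C’ → 1 on the hexagon, and for each of the three honest pairs the honest transcripts coincide with the hexagon ones. For this toy π, Simulation 1 therefore already exhibits an agreement violation; for a π that did satisfy agreement, the same equality of transcripts is what forces the contradiction of the proof.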

Discussion

Question: why doesn’t the Dolev-Strong protocol contradict this impossibility result?

Answer: because Dolev-Strong assumed PKI!

The proof above breaks down with PKI, in the following ways:

  • How to define the hexagon thought experiment? Under PKI the messages inside the protocol are signed, and a 3-node run of π knows only three key pairs. We could try to respect this by demanding that A and A’ share the same pub/priv key pair, B and B’ share the same pair, and C and C’ share the same pair.
  • But then the simulation is impossible: in Simulation 1, X would have to produce the messages of the simulated B’ and C, i.e., signatures under the private keys of B and C’. Those keys belong to honest nodes and are never revealed to X, so X cannot make its run look like the hexagon to B and C’, and the indistinguishability argument collapses.