Transcription

1 FromDependableComputingforCriticalApplications{5,Champaign,IL,September1995,pp.139{157;Volume10of theseriesindependablecomputingandfaulttolerantsystemspublishedbyieeecomputersocietypress. ByzantineAgreementwithAuthentication:Observationsand ApplicationsinToleratingHybridandLinkFaults LiGongy,PatrickLincoln,andJohnRushby ComputerScienceLaboratory SRIInternational MenloPark,California94025,USA Abstract WeshowthattheassumptionsrequiredoftheauthenticationmechanisminByzantineagreementprotocolsthatuse\signedmessages"arestrongerthan generallyrealized,andrequiremorethansimpledigitalsignatures.theprotocolsmayfailiftheseassumptionsareviolated.wethenpresentnewprotocolsfor Byzantineagreementthataddauthenticationto\oral message"protocolssothatadditionalresilienceisobtainedwithauthentication,butwithnoassumptions requiredaboutthesecurityofauthenticationwhenthe numberandkindoffaultspresentarewithintheresilienceoftheunauthenticatedprotocol. Ouranalysisisperformedundera\hybrid"fault modelthatadmitsmanifest(e.g.,crash)andsymmetricfaultsaswellasarbitrary(i.e.,byzantine)faults. Wealsoextendtheclassicalsignedmessagesprotocol tothisfaultmodel,andshowthatitsfaulttoleranceis matchedbyoneofournewprotocols.wethenexplore thebehaviorofthesevariousprotocolsunderthecombinationofhybridprocessorfaultsandcommunicationslinkfaults.usingformalstate-explorationtechniques,weexaminecasesbeyondthoseguaranteedby simpleworst-caseboundsandndthattheresilience ofoneofthenewprotocolsexceedsthatoftheothers intheseregions. Thenewprotocolsaresuperiortootherknownprotocolsinpropertiesandmeasuresofpracticalinterest,andwerecommendthemforgeneraluse.They areparticularlyattractiveinsecurity-criticalsystems whereauthenticationmaybesubjectedtosophisticated cryptographicattack,andinsafety-criticalembedded ThisworkwassupportedinpartbytheNationalAeronauticsandSpaceAdministration,LangleyResearchCenter,under contractnas ,bytheairforceoceofscienticresearch,airforcematerielcommand,usaf,undercontract F C0044,andbytheNationalScienceFoundationundercontractCCR yligongisnowwithjavasoftandcanbereachedat systemswhereitmaybenecessarytouseveryshort signatures,butwheremaximumresilienceisrequired. 1Introduction Afundamentalrequirementinfault-tolerantsystemsbasedonthe\statemachine"approach[27]is forreplicatedprocessorstoreachagreementonthe valuesofsingle-sourcedata,suchassensorsamples. Initsabstractform,thisistheproblemofByzantineAgreement(anditsvariant,theproblemof\InteractiveConsistency,"alsoknownas\sourcecongruence,"\distributedconsensus,"and\reliablemulticast")[16,23].TherearetwobroadclassesofprotocolsforachievingByzantineagreement.Thosebased on\oralmessage"assumptionsplacenorestrictions onwhatafaultyprocessormaydo;thosebasedon \writtenmessage"assumptionsdisallowfaultyprocessesmakingundetectablemodicationstomessages astheyarerelayedfromoneprocessortoanother,and alsodisallowprocessorsmanufacturingmessagesthat purporttocomefromanotherprocessor.itisgenerallystatedthatthewrittenmessagesassumptionscan besatisedusingcryptographicauthenticationmethods(i.e.,\digitalsignatures"),andprotocolsbasedon theseassumptionsarethereforeoftencalled\signed messages"or\authenticated"protocols[5,11,16]. Bothoralandwrittenmessageprotocolsproceedin \rounds"andtheparametersofinterestinclude:how manyfaultscanbetoleratedbyagivennumberof processors,andhowmanyroundsandhowmanymessagesarerequired?theoreticalstudiesalsoconsider thesizeofthemessages,orthetotalnumberofbits transmitted.theadvantageofwrittenmessagesprotocolsisthattheycangenerallywithstandmorefaults thanoralmessageprotocols,andoftenrequirefewer messages.forexample,oralmessageprotocolsrequire 3t+1processorstowithstandtfaults,whilewritten messagesprotocolsrequireonlyt+2(theproblemis vacuousunlessthereareatleasttwononfaultypro- 1

2 cessors).however,bothclassesofprotocolsprovably requiret+1roundsintheworstcase[5,11],though \earlystopping"protocols(whicharemosteasilyconstructedunderthewrittenmessagesassumptions)use fewerroundswhentheactualnumberoffaultsisless thant[2,7,8,10,12]. Itwouldseemthatthewrittenmessagesprotocols havesignicantadvantagesovertheiroralmessage counterparts(e.g.,asymptotically,athree-foldadvantageinnumberoffaultstolerated).however,these advantagesmaynotbesosignicantinpractice.in embeddedapplications,themostseverepracticalconstraintontheseprotocolsisthenumberofrounds:a givenapplicationwillgenerallyxthenumberrof roundsitcanaord(generallytwo).this,inturn, xesthenumberoffaultsthatcanbetoleratedatr?1, independentlyoftheclassofprotocolschosen.1the classofprotocolsdoesaectthenumberofprocessors required:e.g.,two-roundwrittenmessageprotocols requirethreeprocessorstotolerateasinglefault,while oralmessageprotocolsrequirefour.butifotherpurposes(e.g.,clocksynchronization)alreadyrequirefour ormoreprocessors,thereseemsnocompellingreason tousewrittenmessageprotocols.infact,thereisan argumentagainsttheseprotocolswhichchriswalter,oneofthedevelopersofthemaftarchitecture forfault-tolerantightcontrol[15]expressedtousas follows:\youhavetoassumethatdigitalsignatures satisfytherequirementsforwrittenmessages,andin life-criticalsystemsweprefertomakeasfewassumptionsaspossible."itturnsoutthatthiscautionis justied. Intherestofthepaper,werstdescribethevariousassumptionsthatsuchprotocols(wewillcall them\authenticatedprotocols")dependon,highlightingtherisksinplacingthecorrectnessofbyzantine agreementontheeectivenessofcryptographicprotocolsforwhichcurrentlythereisnomethodofassurancethatisdenitiveandgenerallyaccepted.we note,however,thatauthenticatedprotocolscantoleratemorefaultsthanoralmessageprotocols,andwe showthatthisadvantageisretainedwhentheanalysis isextendedtoahybridfaultmodelthatcountsfaults morecarefullythanthepurelybyzantinefaultmodel. Wethenconsidertheadditionofauthenticationto variantsoftheoralmessagesprotocolandshowthat thisincreasesthenumberoffaultstheycantolerateif theassumptionsontheauthenticationmechanismare warranted,withoutcompromisingtheirinnatefault 1Thesmallnumberofroundsandthedeterministicprocessor andcommunicationsschedulingusedinembeddedapplications alsoobviatethebenetsofearlystopping. toleranceifthoseassumptionsareviolated.assuming authentication,weshowthatoneofthesenewprotocolscantolerateasmanyhybridfaultsastheclassical SignedMessagesprotocol. Wethenexaminethetwo-roundversionsofthe variousprotocolsunderanenlargedfaultmodelthat includescommunicationslinkfaults.formanyapplications,thisisthemostrealisticclassofprotocolandfault-model,andweprovideevidence,derived fromformalstate-explorationtechniques,thatoneof theauthenticatedoralmessageprotocolsprovidesthe greatestfaulttolerance. 2Byzantineagreement,faultmodels, andmessageassumptions IntheclassicalByzantineGeneralsproblem,there areanumberofparticipants,whichwecall\processors."adistinguishedprocessor,whichwecallthe transmitter,possessesavaluetobecommunicatedto alltheotherprocessors,whichwecallthereceivers. (Thesecorrespondtothe\CommandingGeneral"and \LieutenantGenerals,"respectively,intheterminologyofLamport,Shostak,andPease[16].)Itisassumedthattherearepoint-to-pointcommunications pathsbetweeneachpairofprocessors.thebyzantine Agreementproblemcanbestudiedunderseveraldifferentsetsofassumptions.Weconsiderboth\Oral" and\written"messageassumptions,anda\hybrid" faultmodel.theoralmessagesassumptionsarethe following[16,p.387]. A1:Everymessagethatissentbetweennonfaulty processorsiscorrectlydelivered. A2:Thereceiverofamessageknowswhosentit (assumptionofprivatechannels). A3:Theabsenceofamessagecanbedetected (assumptionofsynchrony). WrittenMessagesassumptionsaddthefollowingto thoseoforalmessages[16,p.391]. A4(a):Messagessentbyanonfaultyprocessor(underthehybridfaultmodel seelater thisbecomesanon-arbitrary-faultyprocessor)cannotbe alteredormanufacturedbyotherprocessors. A4(b):Anynonfaultyreceivercanidentifytheprocessorthatoriginatedamessage,ifthatprocessorisnonfaulty(again,underthehybridfault modelthisbecomesanon-arbitrary-faultyprocessor).notethata2concernsthecaseofadirectpathfromsendertoreceiver,whereasa4(b) concernsamessagefroman\originatingsender" 2

3 thatispossiblyrelayedbyotherprocessorsbefore reachingthereceiver. Therearenprocessorsintotal,ofwhichsome(possiblyincludingthetransmitter)maybefaulty.Inthe classicalbyzantinegeneralsproblem,thereareno constraintsotherthanthosegivenaboveonthebehavioroffaultyprocessors.thisleadstopessimistic estimatesofthenumberoffaultsthatcanbetolerated becauseallfaultsareregardedastheworstpossible. Wethereforeconsidera\hybrid"faultmodel(originallyduetoThambiduraiandPark[29]andalsoinvestigatedbyWalter,Suri,andHugue[30])thatdistinguishescertainsimplerkindsoffaultaswellasthose thatareunconstrained.thefaultmodeswedistinguishforprocessorsarearbitrary-faulty,symmetricfaulty,andmanifest-faulty.amanifestfaultisone thatcanbedetectedbymechanismspresentinall nonfaultyprocessors(e.g.,missingorimproperlyformattedmessages).theothertwofaultmodesyield behaviorsthatarenotdetectablybad:asymmetricfaultpresentsthesamefaultybehaviortoevery nonfaultyprocessor;anarbitraryfaultiscompletely unconstrained(i.e.,byzantine)andmaypresent(possibly)dierentaberrantbehaviorstosomenonfaulty processors,andgoodbehaviortoothers. Theabovecharacterizationofthehybridfault modelisagenericone;forbyzantineagreement,the characterizationoffaultmodeshastoberenedin termsoftheprocessorbehaviorsrelevanttothisproblem(see[26]foradierentcharacterizationinterms relevanttoclocksynchronization).thebasicstepin anagreementprotocolisforaprocessortotransmit avaluevtoseveralotherprocessors.theinterpretationofamanifestfaultinthiscontextisonethat producesdetectablymissingvalues(e.g.,timing,omission,orcrashfaults),orthatproducesavaluethatall nonfaultyrecipientscandetectasbad(e.g.,itfails checksumorformattests).symmetricfaultsdeliver wrong,ratherthanmissingormanifestlycorrupted values butdosoconsistently,sothatallreceivers ofagiventransmissionobtainthesamewrongvalue v06=v.arbitraryfaultsareunconstrained,andcan delivercorrect,wrong,ormanifestlyfaultyvaluesin anycombination. Undertheseassumptions,theByzantineAgreementproblemistodeviseaprotocolthatwillallow eachreceiverptocomputeanestimatepofthetransmitter'svaluesatisfyingthefollowingconditions: Agreement:Ifreceiverspandqarenonfaulty, thentheyagreeonthevalueascribedtothe transmitter thatis,forallnonfaultypandq, p=q. Validity:Ifreceiverpisnonfaulty,thevalueascribed tothetransmitterbypis Thevalueactuallysent,ifthetransmitteris nonfaultyorsymmetric-faulty, ThedistinguishedvalueE,ifthetransmitter ismanifest-faulty. AlltheByzantineagreementprotocolsweconsider proceedinrounds:intherstround,thetransmitter sendsavaluetoalltheotherprocessors;insubsequent rounds,theseprocessorsexchangethevaluesreceived amongthemselvesinordertodetectinconsistencies; eachreceiverthendecidesononevalueamongthose receivedandexchanged.howthisdecisionismade, andhowtheexchangesaredone,dependsontheprotocolconsidered. Noticethattheadditionalassumptionsforwrittenmessagesessentiallyconstrainthebehaviorof symmetric-andarbitrary-faultyreceivers:underoral messageassumptions,suchreceiverscanalterormanufacturemessagespurportingtocomefromotherprocessorsinthelaterrounds thisisprohibitedunder writtenmessagesassumptions.authenticatedprotocolsattempttosatisfythewrittenmessagesassumptionsusingdigitalsignatures:eachprocessorsigns themessagesthatitsends.anyreceivercancheck theauthenticityofamessageandconrmtheidentity ofitsclaimedoriginatorbycheckingthesignature. Thereareseveraldigitalsignatureschemesthatprovidethesebasicproperties[4,9,22,25].However,in thefollowingsectionweshowthattheseschemesmust beusedverycarefully. 3 Authenticationissues Themessagesthatarepassedamongtheprocessorsinauthenticatedprotocolshavetheform ff:::fvgp:::gqgrwhichsymbolizesthevaluevin amessagesignedandsentbyprocessorp,received signedandforwardedbyprocessors:::;qandnally received,signedandforwardedbyprocessorr.ifprocessorpisnonfaulty,thenatnostageintheprotocol shouldthereexistff:::fv0gp:::gqgrinwhichv6=v0. (Thisfollowsbecauseifpisnonfaulty,itwouldnot sendouttwodierentvaluesvandv0,andauthenticationpreventsanyotherprocessormanufacturing suchavalue.)itisgenerallyassumedthatthisrequirementissatisedifdigitalsignaturesaresimply computedonandattachedtothemessagesbeingrelayed.thiswouldbetrueifavalidmessageofthe formff:::fvgp:::gqgrcouldonlyariseonceinthe lifetimeoftheprotocol.theoreticalexaminationsof theseprotocolsnormallyconsideronlyasingle\run," 3

4 butinpracticetheywillbecalledrepeatedly(e.g., todistributesensorsamplesatthebeginningofevery processcontrolcycle).itfollowsthatprocessorrcould saveavalidmessagef:::fv0gp:::gqfromonerunof theprotocolandcouldtheninjectthecorrectlysigned messageff:::fv0gp:::gqgrintoalaterrun,whichwill causeanynonfaultyreceivertoconcludethattheoriginalsenderpmustbefaulty,andtherebydefeatthe protocol. Wedonotneedtopostulateactive,intelligentattackstobeconcernedaboutthiskindofproblem:a hardware\obyone"faultthatcausesamessageto bepickedupfromthewrongbuerwhentwoagreementprotocolsareinoperationsimultaneously(as whenallprocessorsareexchangingsensordata)could producethisbehavior.asolutiontothisparticular problemistoincludeadditionalinformationunderthe digitalsignaturesthatwillidentifymessagesas\fresh" (Lamport,Shostak,andPeasesuggestsequencenumbers[16,page400]),butthisneedstobedonecarefully inordertodistinguishthisrunoftheprotocolfrom othersthatmaybeactivesimultaneously. Intherestofthissection,wediscussthisanda numberofotherissuesrequiringcareintheimplementationofauthenticatedbyzantineagreementprotocols. Signaturepermutation.Thesignaturesystemmustnotbecommutative. Otherwise, 8p;q;v;ffvgpgq=ffvgqgpand,ifthesessioninitiator isfaulty,anotherfaultyprocessorcanfalselyaccuse athird,butcorrect,processorofbeingfaultyina several-roundprotocol. Verifyingsignaturesequences.Verifyingasequenceoftsignaturesisnottrivial.Arecipientcan tryallpossiblesequencesoftoutofnsignatures,but thisrequiresanexponentialamountofcomputation. Orthemessagecanincludeahint,suchastheidentityofthesigner,ineachstageofthesigning,sothe messagemaylooklikefq;fp;vgpgq.wecanalternativelyrequirethatalistofhintsisattachedtoeach messageoutsidethesignatures.however,suchhints willaddo(nlogn)bitstothemessagelength(inannroundprotocol),thusexceedingthetightlowerbound onmessagebitsbysrikanthandtoueg[28,theorem 1]byafactorofn.(Intoday'spractice,asecuredigitalsignatureusesabout512to1024bits.)Notethat hintsarenecessarywhetherthesignaturesystemused iscommutativeornot.athirdapproachistogloballyorderthemessagessothatarecipientcandeduce fromthecontextwhichsignaturesequenceshouldbe usedforverication. Processorsareassumedtoknoweachothers'signaturekeys.Borcherding[3]investigatesthecasewhere thereisnocentralauthoritytodistributethesekeys, andproposesthenotionof\localauthentication"to achieveaweakerversionofbyzantineagreement. Distinguishingconcurrentsessions.When multiplesessionscanexecuteatthesametime,itis vitaltodeterminetowhichrunamessagebelongs. Otherwise,supposeeachprocessormaintainsadierentsensorandallprocessorsaretryingtoagreeon thevaluesofallsensors,thenafaultyprocessormay \borrow"asignedmessagefromonerunanduseitin another.evenabenignprocessorcanpossiblymake suchamistake,aswedescribedpreviously.onesolutionistoattachasessionidentier,possiblythe identityofthesessioninitiator,tothesensorvalue. Thissolutionwillincreasethesizeofeachmessageby O(logn)bits.Thisdoesnotexceedthelowerbound bysrikanthandtoueg[28]becausetheyalreadyallocateo(logn)bitsforsignatures. Detectingreplayattacks.Besidedistinguishing concurrentsessionsinitiatedbydierentprocessors, itisequallyimportanttodetectanyattempttoreuse pastmessages(fromthesameinitiator)inanewrun. Theinitiatormustsecurelyattachafreshnessidenti- ertothesignedvalue.forexample,theinitiatorcan signboththefreshnessidentierandthevalueinthe samesignature. Therearethreetypesoffreshnessidentiers,each ofwhichcanbeusedinmorethanoneway[13].the rstisatimestamp,ifprocessorshavesynchronized clocks.inthiscase,theinitiatorattachesthereading fromthelocalclocktothevaluebeforesigningthem. Arecipientrejectsanymessagewithatimestampthat isoutsideanagreedtimewindowrelativetotherecipient'slocalclock.asignicantriskexistswhena faultyprocessorcanalsohaveafaultyclocksothat theprocessorsendsoutvaluessignedwithtimestamps inthefuture.evenifthisprocessorweretorecover, anotherfaultyprocessorcouldplaybacksuchamessagewhenthecorrecttimecomes.thesignicanceof thisattackliesinthefactthatthereisnoguarantee thatanycorrectprocessorwillknowtheexistenceof previouslysignedmessages(withfuturetimestamps). Toinvalidatesuchmessages,arepairedprocessorcan changeitssignaturekeyduringreintegration. Thesecondtypeofafreshnessidentierisarandom number,alsoknownasa\nonce."sincethenonce mustbegeneratedbytheprocessorthatischecking forfreshness,processorsmustexchangenonceswith eachother(thusaddingoneroundtotheprotocol), 4

5 andthevaluemustbesignedwithallo(n)nonces, thusincreasingthemessagelengthsignicantly. Thethirdtypeisacountervalue.Eachprocessormaintainsamonotoniccounter,incrementsthe countervaluebeforeinitiatingasession,andthen signsthevaluetogetherwiththecurrentcounter value.eachprocessoralsomaintainsavectortimestamp,notingthelastseencountervaluefromevery otherprocessor,andrejectsanyvaluesignedwitha pastcountervalue.similartotimestamps,afaulty processormaysign\future"countervalues,soitis prudenttochangetoanewsignaturekeyafterrepair. Repairandrestart.Whenaprocessorfails,it mayloseallitsstateinformation,includingthecur- rentsessionandroundnumbersandfreshnessidenti- ers.ifthefailureisarbitrary,thenthesurvivingstate informationmaybewrong.forexample,itsclockor countersmaybeturnedbackorforward.moreover, simplyaskingeveryprocessortoresettheircounters tozeroisvulnerabletoreplayattacks.therefore,to restorethesynchronybetweenprocessorsafterrepair, arepairedprocessormustusechallenge-response(with nonces)toobtainfromotherprocessorsfreshreplies containingthecurrentstateinformation.giventhe additionalneedofassigninganewsignaturekeyto therestartingprocessorandnotifyingallotherprocessorsofthecorrespondingpublickey,restartcanbe costly. Messageredundancy.Amessagecontainingthe valuetobesignedmustcontainsucientredundancy toprotectagainstforgery.forexample,afaultyprocessorpmaychoosearandomnumberxandbroadcast itasfvgpforsomevaluev.becauseitisquitepossible thatthereisavaluev0suchthatx=ffv0gqgp,pmay eectivelyforgeasignatureofvaluev0signedbyq. Orthefaultyprocessorpcansimplycopyfv0gqfrom apreviousprotocolrunandbroadcastffv0gqgp.any processorrwhofurthersignsffv0gqgpisalsospoofed. Therearemanywaystointroduceredundancyinto themessages.oneistoattachachecksumofasuf- cientlengthtotheoriginalvalue.thesizeofthe messagewillthusincrease,perhapsby128bits(the sizeofatypicalone-wayhashfunctionoutput)orat leasto(logn)bits.notethatincludingauniqueidentierofthecurrentrundoesnotprovidesucientredundancybecausearandomlyselectedvaluexcanbe oftheformfid;vgq,andifidisforafuturerun,an attackcanstillhappeninthefuture. 3.1Practicalimplications Wehaveshownthatauthenticationusingdigital signaturesneedstobemanagedverycarefullyifitis tobesecureagainstattack.howsignicantarethese threats?therearetwomainclassesofapplications forauthenticatedbyzantineagreementprotocols:securesystemsthatmustmaintaincoordinationinthe faceofcaptureandactivesubversionofsystemcomponents(e.g.,theat&t\rampart"architecture[24]), andsafety-criticalembeddedcontrolsystems(e.g.,the MAFTarchitectureforaircraftightcontrol[15]). Sophisticatedcryptographicandotherattacksarea givenintherstclassofapplications,soourconcern aboutthesecurityofauthenticationneedsnofurther justicationhere(theliteratureisrepletewithbroken cryptographicprotocols[1,21]). Intelligentmaliciousattackisnotconsideredaseriouspossibilityinembeddedsystems,andtheargumentinthesecasesisalittledierent.Byzantineresilientarchitecturesareattractiveinthesecontexts becausetheysimplifythecaseforassuranceandcertication:insteadofacollectionoffault-tolerance mechanismstocounterspecicfailuremodes,andfor whichitisnecessarytoprovideevidenceofcoverage andnoninterference,wehaveasinglemechanismthat canwithstandanykindoffault,uptosomenumber,anditisonlynecessarytoprovideevidencefor correctnessandfortheestimatedoverallfaultarrival rate.writtenmessageprotocolscompromisethepurityofthisposition:faultyprocessorscannolonger doabsolutelyanything,butareconstrainedbycertainassumptions.realprocessorscandoabsolutely anythingwhenfaulty,andinimplementationsusing signedmessages,itistheauthenticationmechanism thatconstrainsthemwithintheassumedfaultmode. Forcertication,itisthereforenecessarytoprovide strongevidencethattheauthenticationmechanism doesaccomplishthis:brokenauthenticationisnotjust anotherfaulttobetolerated,itisaviolationofthe assumptionsunderwhichcorrectnessoftheprotocol andhenceoftheentirearchitecture isestablished. Wehaveseenthatcryptographicallystrongauthenticatedprotocolsrequireevensmalldatamessagestobeencapsulatedinlargesignatureand freshness-indicatingwrappers,andtocarryvarious key-managementindicators.hence,embeddedsystemsmayprefertodispensewithtrulysecureauthenticatedprotocolsandtouseshortkeyedchecksums(lamport,pease,andshostaksuggestasuitablechecksumalgorithm[16,page400]),withxed keysandsimplesequence-numberstoindicatefreshness.theauthenticationassumptionsmaysometimes failtoholdinthisarrangement.inthefollowingsectionswepresentandstudyprotocolsthattakeadvantageofauthenticationifitispresent,butthatretainbyzantineresilienceevenwhensignaturesmaybe 5

6 forged.sincechecksumswillonlyrarelybe\forged" byrandommalfunctions,theseprotocolsareverywell suitedtotheneedsofembeddedsystems. Thediscussionhassofarfocussedonauthentication failureinonedirection:failuretoadequatelyconstrain thebehaviorofafaultyprocessor.authenticationcan alsofailintheotherdirection:causinggoodmessages toberejectedasbad.therearetwowaysthiscan comeabout:theauthenticationmechanismmaybe algorithmicallyincorrectornonrobust(e.g.,vulnerabletolossofcrypto-synch),orahardwarefaultmight damageakey.theissuesenumeratedearlierinthis sectionareintendedtohelpdesignersavoidtherst ofthesedangers;thesecondismorelikely,butless serious,becauseitisjustanotherfault,andwillbe toleratedtothesameextentasotherfaults. 4Signedmessageswithhybridfaults Wehavearguedthatgreatcareinimplementationisnecessaryinordertosatisfytheassumptions oftheauthenticatedprotocols.thiscarewouldbe justiediftheauthenticatedprotocolshadsignicant advantagesoveroralmessageprotocols.however,for thecaseofpracticalimportance thatis,two-round protocols thereappearslittletochoosebetweenthe twoclassesofprotocols:thesignedmessageprotocolsm(1)andtheoralmessagesprotocolom(1)of Lamport,Pease,andShostak[16]bothrequiretwo rounds2,andbothtolerateonlyasinglearbitrary fault.thedierenceisthatom(1)requiresfourprocessors,whilesm(1)requiresbutthree.however,a variationonom(1)calledomh(1)[19]thatoperatesunderthehybridfaultmodelcantolerateaarbitrary,ssymmetric,andmmanifestfaultssimultaneously,providedn,thenumberofprocessors,satises n>2a+2s+m+1anda1.thus,omh(1)appears totoleratemorefaultsthansm(1)undercertaincircumstances.ofcourse,thiscomparisonisunfairbecausetheanalysisforomh(1)considersthehybrid faultmodel,whereasthatforsm(1)treatsallfaults asarbitrary.sooneitemthatwarrantsexamination isthebehaviorofsm(1)underthehybridfaultmodel. Theclassicalsignedmessagesprotocol,SM(r)proceedsasfollows[16,p.391]: SM(r) Thetransmittersendsasignedmessageto eachreceiver.eachreceiveraddsitssignaturetothemessageandsendsittothe otherreceiverswhoaddtheirsignaturesand 2Theparameterrtotheseprotocolsstartsatzero,sothat thenumberofroundsisr+1. sendittotheothers,andsoonforrrounds. Whenalltheexchangesarecompleted,each receiverdiscardsanyimproperlysignedmessages,extractsthevaluessentbythetransmitterfromthosethatremainandappliesa deterministicchoicefunctiontothosevalues. Notethatifthetransmitterisnotarbitrarily-faulty, thesetofvaluesconsideredinthechoicewillbeasingleton.lamport,peaseandshostakshow[16,theorem2]thatsm(r)cantolerateuptorfaultyprocessors,theoptimalresult[6,11]. ToextendSM(r)anditsanalysistothehybridfault modelisstraightforward:thehybridprotocolsmh(r) simplyrecognizesanddiscardsmanifest-faultyvalues.authenticationpreventssymmetric-faultyreceiversfrominjectingcorrectlysignednewvalues,so thesereceiverseitherduplicateothermessages(which isharmless),ortheyintroduceincorrectlysignedmessages,whichwillbediscarded.thus,messagesfrom bothmanifest-andsymmetric-faultyreceiverseither duplicateexistingvaluesorareignored;hencethey playnopartintheprotocolanditisasiftheseprocessorswereabsent.itfollowsthatonlyarbitrary-faulty processorsneedbecountedinthefault-tolerancecalculation.thus,bydirectanalogywiththecorrespondingresult(theorem2,page393)in[16],wehavethe followingresult. Theorem1Foranyr,ProtocolSMH(r)satisesValidityandAgreementprovidedra,whereaisthe numberofarbitrary-faultyprocessors. Theresultissomewhatvacuousunlessthereareat leasttwononfaultyprocessors,sowealsohaven> a+s+m+1,andra.thismaybecompared withomh(r),wherewehaven>2a+2s+m+rand ra. ItcanbeseenthatOMH(r)andSMH(r)havethe samefaulttolerancewithregardtorounds,butthat SMH(r)requiresconsiderablyfewerprocessorsthan OMH(r)(or,equivalently,cantoleratemorefaultsfor agivennumberofprocessors).however,thisincreased faulttoleranceisobtainedatthecostofdependingon authentication:iftheauthenticationassumptionsfail foranyreason,thensmh(r)mayfailaltogether. 5Combiningauthenticationandoral messages TheideaofexaminingSM(r)underthehybridfault modelsuggeststhedualinquiry:examiningoralmessageprotocolsinthepresenceofauthentication.it turnsoutthatthisyieldsprotocolsthatcombinethe advantagesofthetwoclassesofprotocolswithfew 6

7 oftheirdisadvantages.asnotedinthediscussion ofsmh(r),authenticationturnssymmetric-faultyreceiversintomanifest-faultyones:theycanonlygeneratemessagesthatareimproperlysigned.inorder toexploitthisinanoralmessagesprotocol,weneed aprotocolthathasthecapabilitytodiscardbadmessages.theclassicalprotocolom(r)doesnotdothis, butourhybridprotocolomh(r)does.ittherefore seemsthemostpromisingplacetostart. TheprotocolOMH(r)[19]isourmodiedandformallyveried[17]versionofThambiduraiandPark's protocolz(r)[29],whichisinturnamodicationof ther+1-roundoralmessagesprotocolom(r)oflamport,shostak,andpease[16].thekeyideainboth Z(r)andOMH(r)istointroduceadistinguishedvalue Etorecordreceiptofmanifest-faultymessages.E valuesareignoredinthemajorityvotethateachprocessorusestodecideitsnalvalue.inz(r),eis usedtorecordbothmanifest-faultymessagesandthe reportofsuchmessagesrelayedbyanotherprocessor. Thisleadstoconfusionwhenthereisamanifest-faulty transmitterandanarbitrary-orsymmetrically-faulty receiver;z(1)canfailinthiscircumstance,andthis leadstomorecomplexfailuresinther>1cases. OMH(r)repairsthisproblembytreatingthereport ofmanifest-faultyvaluesdierentlythanthosevalues themselves:r(e)indicatesthereportofe,r(r(e)) thereportofareport,andsoon.aninversefunction UnRisusedto\stripo"theseRsatalaterstage intheprotocol.onlye(notr(e),r(r(e)),etc.)is ignoredinthemajorityvote. Asnotedintheprevioussection,OMH(r)isable totolerateaarbitrary,ssymmetric,andmmanifest faultssimultaneously,providedn,thenumberofprocessors,satisesn>2a+2s+m+randra.this isoptimalwhenonlyarbitraryfaultsarepresent(we havea=r,s=m=0,sothatn>3a,satisfyingthe lowerboundestablishedbypease,shostak,andlamport[23]).separateanalysisshowsthattheprotocol isalsooptimalwhenonlymanifestfaultsarepresent, andtheobtainedboundisn>m[18].whenonly symmetricfaultsarepresent,however,theprotocolis denitelysuboptimal,inthatadditionalroundscan reduceitsresilience.forexample,inomh(0)(where receiverssimplyacceptwhatevervaluetheyobtain fromthetransmitter),thenumberofsymmetric-faulty receiversisirrelevant.inomh(1),however,wherereceiversrelayinformationtoeachotherandtakethe majorityofthevaluesobtained,onesymmetric-faulty receivercandefeattheprotocolunlessn4. Supposenowthatweusedigitalsignaturestoadd authenticationtoomh(r),therebycreatingaprotocolwecancallomha(r).first,aslamport,shostak, andpeaseobserve[16,p.393],thereisnopointauthenticatingthenalstepintheprotocol(i.e.,the OMH(0)round),becausewehavepoint-to-pointcommunicationsandthecommunicationportonwhicha messagearrivesservestoauthenticateit(thisisassumptiona2);thusomha(0)isthesameasomh(0). Forthegeneralcase,wesimplymodifyOMH(r)so thatprocessorssignallmessagesthattheysend,and improperlysignedmessagesaretreatedbytheirreceiversase. Noticethataslongasauthenticationdoesnotintroducefaults(i.e.,aslongasaproperlysignedmessage cannotbemistakenlyconsideredimproperlysigned), thenomha(r)musthaveatleastthefaulttolerance ofomh(r),andthisisindependentofthecryptographicstrengthofthesignaturescheme.however,if wemaketheusualassumptionsaboutthestrengthof thesignaturescheme,thenauthenticationreducesthe severityoffaultsthatcanbeintroducedbyreceivers. Inparticular,asymmetric-faultyreceivercannotinjectacompletelyfalsevalueintotheexchanges:at worst,itcaninjectaneorr(e)value;similarly, anarbitrary-faultyreceivercanselectivelyinjecte andr(e),orcanpassonthetruevaluethatitreceived.(faultyprocessorscannotinjectr(r(e))etc., becausethiswouldrequireanr(e)correctlysignedby anotherprocessor.)unfortunately,theresidualabilitytoinjectr(e)issucienttolimitthenumber andcombinationoffaultsthatcanbetoleratedby OMHA(r)tobenobetter,intheworstcase,thanfor OMH(r). Thisdisappointingresultsuggestsconsideration ofaprotocolza(r),derivedfromthambiduraiand Park'sprotocolZ(r)inthesamewaythatOMHA(r) isderivedfromomh(r).sincez(r)andza(r)lack thee,r(e)distinctionsofomh(r)andomha(r),it followsthatsymmetric-faultyreceiversarereducedto manifest-faultyinza(r).similarly,arbitrary-faulty receiversarereducedtomanifest-faultyor\nonfaulty withcommunicationslinkfaults,"whichisacaseconsideredinsection6.furthermore,authentication overcomesthebuginz(r);thisbugarisesinz(1)when anarbitrary-orsymmetric-faultyreceiverinjectsspuriousvaluesintotheexchangesunderamanifest-faulty transmitter:theevaluesfromthetransmitter,and thoserelayedbygoodreceivers,areignoredinthemajorityvotes,whicharethereforewonbythespurious valuesinjectedbythefaultyreceiver.za(r)eliminatesthisbugbecauseitpreventsthefaultyreceivers manufacturingthespuriousvaluesthatotherproces- 7

8 sorswillincorporateintheirmajorityvotes.protocol ZA(r)isdenedasfollows. ZA(0) 1.Thetransmittersendsitsvaluetoeveryreceiver. 2.Eachreceiverusesthevaluereceivedfromthe transmitter,orusesthevalueeifamissingor manifestlyerroneousvalueisreceived. ZA(r),r>0 1.Thetransmittersignsandsendsitsvaluetoevery receiver. 2.Foreachp,letvpbethevaluereceiverpobtains fromthetransmitter,oreifnovalue,oramanifestlybadvalue,orincorrectlysignedvalueis received. EachreceiverpactsasthetransmitterinProtocol ZA(r?1)tocommunicatethevaluevptothe othern?2receivers. 3.Foreachpandq,letvqbethevaluereceiverp receivedfromreceiverqinstep(2)(usingprotocolza(r?1)),orelseeifnosuchvalue,ora manifestlybadvalue,orincorrectlysignedvalue wasreceived.eachreceiverpcalculatesthemajorityvalueamongallnon-evaluesvqreceived; ifnosuchmajorityexists,thereceiverusessome arbitrary,butfunctionallydeterminedvalue. Wehavethefollowingresults,wherea,s,andmare thenumbersofarbitrary-,symmetric-,andmanifestfaultyprocessors,respectively,andnisthetotalnumberofprocessors. Lemma1Ifsignaturesaresecure,thenforanya,s, mandr,protocolza(r)satisesvalidity. Proof:Intherstround,thetransmittersignsand sendsitsvaluetoallreceivers.validityassumesa nonfaultytransmitter,soallnonfaultyreceiverswill obtainthecorrectvalueinthisround.thereceivers exchangevaluesinsubsequentrounds,andfaultyreceiversmayinjectfaultyvaluesintothisprocess.however,authenticationpreventstheinjectionofanycorrectlysignedvalueotherthanthatsentbytheoriginal transmitter.thustheonlyvaluesenteringthemajorityvotewillbethisvalueand,possibly,e.sinceall goodreceiversobtainedatleastonecopyofthevalue vdirectlyfromthetransmitter,andsomecombination ofvsandesfromotherreceivers,thehybridmajority willalwaysbev.2 Theorem2Ifsignaturesaresecure,thenforanyr, ProtocolZA(r)satisesconditionsValidityandAgreementifra. Proof:Theproofisbyinductiononr.Inthebase caser=0therecanbenoarbitrary-faultyprocessors, sincera.iftherearenoarbitrary-faultyprocessors thenthepreviouslemmaensuresthatza(0)satises Agreement,andValidityfollows.Wethereforeassume thatthetheoremistrueforza(r?1)andproveitfor ZA(r),r>0. Firstconsiderthecaseinwhichthetransmitter isnotarbitrary-faulty.thenvalidityisensuredby Lemma1,andAgreementfollowsfromValidity.Now considerthecasewherethetransmitterisarbitraryfaulty.thereareatmostaarbitrary-faultyprocessors,andthetransmitterisoneofthem,soatmost a?1ofthereceiversarearbitrary-faulty.atthenext stage,wehaveonelessroundtoperform,andoneless arbitraryfaulttotolerate.sinceweassumera,we alsoknowr?1a?1,andwemaythereforeapplythe inductionhypothesistoconcludethatza(r?1)satisesconditionsagreementandvalidity.hence,for eachq,anytwononfaultyreceiversgetthesamevalue forvqinstep(3).(thisfollowsfromvalidityifoneof thetworeceiversisprocessorq,andfromagreement otherwise).hence,anytwononfaultyreceiversgetthe samevectorofvaluesv1;:::;vn?1,andthereforeobtainthesamevaluehybrid-majority(v1;:::;vn?1)in step(3)(sincethisvalueisfunctionallydetermined), therebyensuringagreement.2 Theorem2showsthatZA(r)hasthesame(optimal)faulttoleranceasSMH(r)whensignaturesare secure;however,za(r)hasthesignicantadvantage thatitisnottotallybrokenifauthenticationfails. Inthepresenceofauthenticationfailure,ZA(r)revertsto,atworst,thefaulttoleranceofZ(r).To besure,z(r)isvulnerabletocertaincongurations oftwofaultsnomatterhowmanyroundsandreceiversareused(thatiswhywedevelopedomh(r)), butintheimportantcaser=1,itsfailuremodeis verypreciselycharacterized(manifest-faultyreceiver andatleastonesymmetric-faultorarbitrary-faulty receiver thelatterisrequiredtobreakagreement). AnalternativeistousetheprotocolOMHA(r),whose fallback,omh(r)isfullyrobustagainstarbitraryand manifestfaults,butwhoseresilienceinthepresence ofworkingauthenticationisinferiortothatofza(r). Table1comparesthevariousprotocolswehavediscussedintermsofworst-casebounds. 8

9 Protocol SM(r) SMH(r) ViolatedAuthenticationAssumptions OM(r) a=s=0,n>m+1 n>a+s+m+1, Sound OMH(r) n>2a+2s+2m+r,ra n>2a+2s+2m+r,ra(same) OMHA(r)n>2a+2s+m+r,ra n>2a+2s+m+r,ra(same) ra Z(r) ZA(r) yz(1)alsofailswithamanifest-faultytransmitterandonesymmetricorarbitrary-faultyreceiver;z(r),r>1,failsinadditionalcases. n>2a+2s+m+r,rayn>a+s+m+1, n>2a+2s+m+r,rayn>2a+2s+m+r,ray(same) ra 6Linkfaults Table1:ComparisonofByzantineAgreementProtocols classoffaults;wecallthemlinkfaults,withthecharacterizationthatwhenanonfaultyprocessorsendsits valuevtoanonfaultyrecipientoverafaultylink,the valuereceivedmaybeeithervore. Communicationsfailuresrepresentanimportant 7Examiningfaulttoleranceusing alinkfaultisnotattributedtoaprocessor;thus,a processoratthereceivingendofafaultylinkmaybe sirabletotoleratelinkfaultseciently.noticethat connectorsarepronetonoiseandbreakage),itisde- Becausetheyarisefrequentlyinpractice(wiresand rathercrudewaysofcountingfaults:therearemany Theworst-caseboundsgivenabovearebasedon state-explorationtechniques asymmetryandarethereforeasexpensivetotolerate faultsisduetothefactthatthesefaultsdointroduce theagreementandvalidityconditions.thediculty inextendingbyzantineagreementprotocolstolink nonfaultyandtheprotocolmustensurethatitsatises theprotocolsperformundermorene-grainedanalysis scenariosforthebehaviorofasystemwith,say,one twolinkfaults,buttheworst-caseanalysestreatthem allalike.itisthereforeinterestingtoenquirehowwell arbitrary-faultyandonemanifest-faultyprocessorand thosecharacterizedbythesimpleworst-casebounds. and,inparticular,howtheyperforminregionsbeyond presenceoflinkfaultsandhybridprocessorfaults,providedthatthereispathoflengthr+1linksorless fromthetransmittertoeachnonfaultyreceiverthat passesthroughonlynonfaultyprocessorsandgood WecanobservethatZA(r)achievesValidityinthe Theideaistomodelthesystemasthecomposition oftheprotocols,butamoreattractivealternativeis behaviorinspeciccongurationsunderallscenarios. Simulationcouldbeusedtosamplethebehavior asarbitraryfailuresintheworstcase. oftwoconcurrentprocesses:onethatinjectsfaults touseaformalstate-explorationtooltoexaminetheir andonethattoleratesordiagnosesthem.astateexplorationtoolwillthensystematicallyexploreall tocharacterize.wecanalsoobservethatforagreement,alinkfaultisasdisruptive,intheworstcase,as links.smh(r)hasthesameboundsonvalidityas possiblescenariosfortheirinteraction. systemfromdaviddill'sgroupatstanford[20]for ZA(r),whilethatofOMHA(r)isworseanddicult anarbitraryfaultateitherthesenderorreceiveron thelink.thus,iflinkfaultsareattributedtoeither fortheomh(1),omha(1),z(1),za(1),andsmh(1) ofprocessorsneededtoaccountforallsuchfaults,then theirsenderorreceiver,andlistheminimumnumber protocolsinthen=5case,andcausedmurtonondeterministicallyperformasymbolic\faultinjection" thispurpose.essentially,weprovidedmurprograms WehaveusedtheMur(pronounced\Murphy") ZA(r)willachieveAgreementprovidedra+l.SimilarworstcaseboundsapplyforAgreementinSMH(r), thenruntheprotocols.byexploringalldierentruns (ofbothlinkfaultsandhybridprocessorfaults)and whileomha(r)requiresn>2a+2s+m+r+2land (thereareover20,000ofthem),muressentiallyundertakesexhaustivefaultinjectionontheseprotocols (theprocesstakesacoupleofminutesonasparc ra+l. 10).Ofcourse,itwouldbestraightforwardtowritea 9programtodothis,butweconsidertheuseofformal state-explorationtoolsaverypromisingandgeneral

10 techniquefortheexaminationofalgorithmsforfault inthecasen=5andr=1,andrediscoveredthe onfaulttoleranceclaimedforthevariousprotocols toleranceanddiagnosis. knownvulnerabilityofz(1)tomanifest-faultytransmitters[19].thatistosay,exhaustivesearchofall Ourexperimentsconrmedtheworst-casebounds faultcongurationssatisfyingtheboundsclaimedin Table1forthecaseofn=5andr=1foundnoviolationsofValiditynorofAgreement,exceptforthe knowncasesinz(1). tainedwhenweallowedfault-injectiontocontinuebe- yondthesimplecharacterizationsofworst-casefault tolerancefortheprotocolsconcerned.forexample, However,muchmoreinterestingresultswereob- althoughnove-processor,two-roundprotocolcan ZA(1)doestoleratetwosuchfaultsinmostcases. WethereforeusedourMurfault-injectionsystemto withstandtwolinkfaultsintheworstcase,wefound counthowmanyscenarioscausedeachprotocoltofail withandwithouttheassumptionofsecureauthentication Ṗrotocol OMH(1) OMHA(1) AuthenticationAssumptions Z(1) Violated 25 Sound ZA(1) 25 SMH(1) whereeachprotocolfails Table2:Percentageoffaultcongurationsina5-plex cussed,usingexhaustivestateexplorationtocalculate thepercentageoffaultcongurationsthatcausedthe mostresilientoftheseprotocolsunderthecombination protocolstofail.overall,itseemsthatza(1)isthe Table2comparesthevariousprotocolswehavedis- ofhybridandlinkfaults,thoughmoreexperimentsare neededtoconrmthis. faultclass(good,manifest,symmetric,orarbitrary) toeachprocessor,andanassignmentofuptothree faultylinksbetweenprocessors.weexcludedcongurationswithlinkfaultsemanatingfromarbitraryor Faultcongurationsconsistofanassignmentof behavior).foreachconguration,wetestedwhether causegoodreceiverstodisagreeorcauseagoodreceivers(suchlinkfaultshavenorealimpactonsystem manifestlyfaultytransmitters,orarrivingatfaultyre- anyscenarioofmessagesbythefaultyprocessorscould10 congurationsforwhichsuchfailurewaspossible. ceivertofailtoagreewiththetransmitter.foreach protocol,wethencalculatedthepercentageofallfault writtenspecications,reducingthesearchspacedramatically.forexample,thecongurationwhereall processorsaregoodexceptthatthethirdreceiveris ThenewestreleaseoftheMursystemautomaticallydetectsandexploitssymmetryinappropriately intheassignmentofbehaviorstoprocessors.be- areusedintheassignmentoffaultylinksaswellas onlyexploresoneofthesealternatives.symmetries cessorsaregoodexceptthesecondreceiver,andmur manifest-faultyisisomorphictothecasewhenallprosolute,performance.wefurtherreducedthesetof Table2shouldbetakentoindicaterelative,notabcauseofthesesymmetryreductions,notallcongurationsarecountedindividually,sothenumbersin sendingmanifestlybad(e)values,sincethiswould satised.weexcludedsymmetric-faultyprocessors congurationstorequireatleastonegoodreceiver, amounttothesamethingasamanifestfault,andwe sinceotherwisevalidityandagreementaretrivially andthatwhenthetransmitterisgood.however,we tersincethereisverylittledierencebetweenthiscase anyway,includingthepossibilityofbehavingasgood, alsoexcludedthecaseofasymmetric-faultytransmit- didallowanarbitrary-faultytransmittertobehavein iouscombinationsofgood,wrong,andevalues. symmetric-ormanifest-faulty,aswellassendingvar- manifestlybad(e)valuesorthecorrectvalue.inalgorithmomha(1),arbitrary-faultyreceiversalsohave thatauthenticationneverleadstogoodprocessorsdisativenumbersofcongurationswherethevariousalgorithmsbehaveacceptably. signicantlyreducethetotalnumberofcongurations thatneedtobeconsidered,butdonoteecttherelcardinggoodmessages.thesefactors,takentogether, receivedfromthetransmitter.thusforalgorithm ZA(1)arbitrary-faultyreceiversareonlyabletosend werenotallowedtosenddatavaluesotherthanthat Fortheauthenticatedprotocols,faultyreceivers lier,thisisthemainsourceofbrittlenessofomha(1). Wefurthermaketheassumptionintheseexperiments theopportunitytosendr(e)and,asdiscussedear- ornotsignaturesaresecure(dramaticallysoifsignaturesareinsecure).za(1)isalsosuperiorinoverall ZA(1)wringsthemaximumfaulttolerancefroma formstheclassicalsignedmessagesprotocolwhether givenamountofredundanthardware,andoutper- Thetableshowsthattheauthenticatedprotocol resiliencetoomha(1).thisisnottosaythatza(1) isuniformlysuperiortoomha(1).consideragood

11 transmitterwithlinkfaultstoallreceiversexceptp, andphasalinkfaulttoreceiverq.underza(1),q decidesoneandalltheotherreceiversdecideonthe valuesentbythetransmittertop,therebyviolating Agreement.UnderOMHA(1)allreceiverssettleon E.Notethatwearetestingthefaulttoleranceofthese protocolswellbeyondtheirusuallyclaimedfaulttolerance:onlyapproximatelyvepercentofallfault congurationswestudiedfallwithintheworst-case boundsoftheprotocols.thus,alltheseprotocolsare farmoretolerantoffaultsthantheirsimpleworst-case boundswouldsuggest. 8Conclusion Theassumptionsrequiredoftheauthentication mechanisminbyzantineagreementprotocolsthatuse \signedmessages"arestrongerthangenerallyrealized,andrequirethatdigitalsignaturesareusedwith greatcare.violationoftheseassumptionscancause theprotocolstofail.wehavepresentednewprotocolsthatcombineauthenticationwith\oralmessages" protocolssothatadditionalresilienceisobtainedwhen theauthenticationassumptionsaresound,buttheresilienceoftheunauthenticatedprotocolisretained whenauthenticationassumptionsareviolated. Whentheauthenticationassumptionsaresound, oneofthesenewprotocols,calledza(r),matchesthe faulttoleranceoftheclassicalsignedmessagesprotocolunderahybridfaultmodel,andsurpassesitwhen communicationslinkfaultsareconsidered.za(r)also performswelloverallwhenauthenticationassumptionsareviolated,buthasanunfortunate\hole"inits worst-casebound(itisvulnerablewhenthetransmitterismanifest-faulty).anotherofthenewprotocols, OMHA(r)maybepreferredifthiscaseisconsidered important,thoughitislessresilienttolinkfaultsthan ZA(r). Thesenewprotocolsaresuperiortootherknown protocolsinpropertiesandmeasuresofpracticalinterest,andwerecommendthemforgeneraluse.they areparticularlyattractiveinsecurity-criticalsystems whereauthenticationmaybesubjectedtosophisticatedcryptographicattack,andinsafety-criticalembeddedsystemswheremaximumresilienceisrequired butwhereonlyshortorcryptographicallyweaksignatures(e.g.,checksums)maybefeasible.selectionof themostsuitableprotocolforagivensystemmustobviouslydependontheexpectedmodesandfrequencies offaults,andtheconsequencesofsystemfailure. Ouruseofthestate-explorationsystemMurto performsymbolic\faultinjection"is,webelieve, novel.itsuggestsaverypromisingnewapplication areaforthisclassofformalmethodstools,andone thatweintendtopursueinfuturework. Acknowledgments OurunderstandingofthesetopicshasbenettedgreatlyfromdiscussionswithChrisWalterand MicheleHugue(boththenwithAlliedSignal).Commentsbytheanonymousreviewerswerealsovery helpful.malteborcherdingoftheuniversityofkarlsruhepointedoutsomeerrorsintheoriginalpaper. References PapersbySRIauthorscangenerallyberetrieved fromhttp:// [1]MartnAbadiandRogerNeedham.Prudentengineeringpracticeforcryptographicprotocols.InProceedingsoftheSymposiumonResearchinSecurity andprivacy,pages122{136,oakland,ca,may1994. IEEEComputerSociety. [2]BirgitBaum-Waidner.Byzantineagreementwitha minimumnumberofmessagesbothinthefaultless andworstcase.infaulttolerantcomputingsymposium23[14],pages554{563. [3]MalteBorcherding.Ecientfailurediscoverywith limitedauthentication.in15thinternationalconferenceondistributedcomputingsystems,pages78{82, Vancouver,Canada,May1995.IEEEComputerSociety. [4]W.DieandM.E.Hellman.Newdirectionsincryptography.IEEETransactionsonInformationTheory, IT-22(6):644{650,November1976. [5]D.DolevandH.R.Strong.Authenticatedalgorithms forbyzantineagreement.siamjournaloncomputing,12(4):656{666,november1983. [6]DannyDolevandRudigerReischuk.BoundsoninformationexchangeforByzantineagreement.Journal oftheacm,32(1):191{204,january1985. [7]DannyDolev,RudigerReischuk,andH.Raymond Strong.EarlystoppinginByzantineagreement.JournaloftheACM,37(4):720{741,October1990. [8]KlausEchtle.Faultmaskingwithreducedredundant communication.infaulttolerantcomputingsymposium16,pages178{183,vienna,austria,july1986. IEEEComputerSociety. [9]T.ElGamal.Apublickeycryptosystemandasignatureschemebasedondiscretelogarithms.IEEE TransactionsonInformationTheory,IT-31(4):469{ 472,July1985. [10]PaulD.Ezhilchelvan.Earlystoppingalgorithmsfor distributedagreementunderfail-stop,omission,and timingfaulttypes.in6thsymposiumonreliability indistributedsoftwareanddatabasesystems,pages 201{212,Williamsburg,VA,March1987.IEEEComputerSociety. 11

12 [11]M.FischerandN.Lynch.Alowerboundforthe timetoassureinteractiveconsistency.information ProcessingLetters,14:183{186,1982. [12]F.DiGiandomenico,M.L.Guidotti,F.Grandoni, andl.simoncini.agracefuldependablealgorithm forbyzantineagreement.in6thsymposiumonreliabilityindistributedsoftwareanddatabasesystems, pages188{200,williamsburg,va,march1987.ieee ComputerSociety. [13]L.Gong.Variationsonthethemesofmessagefreshnessandreplay.InProceedingsoftheComputerSecurityFoundationsWorkshopVII,pages131{136,Franconia,NH,June1993.IEEEComputerSociety. [14]FaultTolerantComputingSymposium23,Toulouse, France,June1993.IEEEComputerSociety. [15]R.M.Kieckhafer,C.J.Walter,A.M.Finn,andP.M. Thambidurai.TheMAFTarchitecturefordistributed faulttolerance.ieeetransactionsoncomputers, 37(4):398{405,April1988. [16]LeslieLamport,RobertShostak,andMarshallPease. TheByzantineGeneralsproblem.ACMTransactions onprogramminglanguagesandsystems,4(3):382{ 401,July1982. [17]PatrickLincolnandJohnRushby.Formalverication ofanalgorithmforinteractiveconsistencyundera hybridfaultmodel.incostascourcoubetis,editor, Computer-AidedVerication,CAV'93,volume697 oflecturenotesincomputerscience,pages292{304, Elounda,Greece,June/July1993.Springer-Verlag. [18]PatrickLincolnandJohnRushby.Formalverication ofanalgorithmforinteractiveconsistencyundera hybridfaultmodel.technicalreportsri-csl-93-2,computersciencelaboratory,sriinternational, MenloPark,CA,March1993.AlsoavailableasNASA ContractorReport4527,July1993. [19]PatrickLincolnandJohnRushby.Aformallyveried algorithmforinteractiveconsistencyunderahybrid faultmodel.infaulttolerantcomputingsymposium 23[14],pages402{411. [20]RalphMeltonandDavidL.Dill.MurAnnotated ReferenceManual.ComputerScienceDepartment, StanfordUniversity,Stanford,CA,March1993. [21]JudyH.Moore.Protocolfailuresincryptosystems. ProceedingsoftheIEEE,76(5):594{602,May1988. [22]NationalInstituteofStandardsandTechnology.The digitalsignaturestandard.communicationsofthe ACM,37(7):36{40,July1992. [23]M.Pease,R.Shostak,andL.Lamport.Reaching agreementinthepresenceoffaults.journalofthe ACM,27(2):228{234,April1980. [24]MichaelReiter.Asecuregroupmembershipprotocol.InProceedingsoftheSymposiumonResearchin SecurityandPrivacy,pages176{189,Oakland,CA, May1994.IEEEComputerSociety. [25]R.L.Rivest,A.Shamir,andL.Adleman.Amethod forobtainingdigitalsignaturesandpublic-keycryptosystems.communicationsoftheacm,21(2):120{ 126,February1978. [26]JohnRushby.Aformallyveriedalgorithmforclock synchronizationunderahybridfaultmodel.inthirteenthacmsymposiumonprinciplesofdistributed Computing,pages304{313,LosAngeles,CA,August 1994.AssociationforComputingMachinery. [27]FredB.Schneider.Implementingfault-tolerantservicesusingthestatemachineapproach:Atutorial. ACMComputingSurveys,22(4):299{319,December [28]T.K.SrikanthandS.Toueg.Simulatingauthenticated broadcaststoderivesimplefault-tolerantalgorithms. DistributedComputing,2(2):80{94,1987. [29]PhilipThambiduraiandYou-KeunPark.Interactive consistencywithmultiplefailuremodes.in7thsymposiumonreliabledistributedsystems,pages93{ 100,Columbus,OH,October1988.IEEEComputer Society. [30]C.J.Walter,N.Suri,andM.M.Hugue.Continualonlinediagnosisofhybridfaults.InF.Cristian,G.Le Lann,andT.Lunt,editors,DependableComputing forcriticalapplications 4,volume9ofDependable ComputingandFault-TolerantSystems,pages233{ 249.Springer-Verlag,Vienna,Austria,January1994. Theviewsandconclusionscontainedhereinarethoseoftheauthors andshouldnotbeinterpretedasnecessarilyrepresentingtheocial policiesorendorsements,eitherexpressedorimplied,oftheair ForceOceofScienticResearchortheU.S.Government. 12