
From Dependable Computing for Critical Applications-5, Champaign, IL, September 1995, pp. 139-157; Volume 10 of the series Dependable Computing and Fault Tolerant Systems published by IEEE Computer Society Press.

Byzantine Agreement with Authentication: Observations and Applications in Tolerating Hybrid and Link Faults

Li Gong†, Patrick Lincoln, and John Rushby
Computer Science Laboratory, SRI International, Menlo Park, California 94025, USA

Abstract

We show that the assumptions required of the authentication mechanism in Byzantine agreement protocols that use "signed messages" are stronger than generally realized, and require more than simple digital signatures. The protocols may fail if these assumptions are violated. We then present new protocols for Byzantine agreement that add authentication to "oral message" protocols so that additional resilience is obtained with authentication, but with no assumptions required about the security of authentication when the number and kind of faults present are within the resilience of the unauthenticated protocol.

Our analysis is performed under a "hybrid" fault model that admits manifest (e.g., crash) and symmetric faults as well as arbitrary (i.e., Byzantine) faults. We also extend the classical signed messages protocol to this fault model, and show that its fault tolerance is matched by one of our new protocols. We then explore the behavior of these various protocols under the combination of hybrid processor faults and communications link faults. Using formal state-exploration techniques, we examine cases beyond those guaranteed by simple worst-case bounds and find that the resilience of one of the new protocols exceeds that of the others in these regions.
The new protocols are superior to other known protocols in properties and measures of practical interest, and we recommend them for general use. They are particularly attractive in security-critical systems where authentication may be subjected to sophisticated cryptographic attack, and in safety-critical embedded systems where it may be necessary to use very short signatures, but where maximum resilience is required.

This work was supported in part by the National Aeronautics and Space Administration, Langley Research Center, under contract NAS1-20334, by the Air Force Office of Scientific Research, Air Force Materiel Command, USAF, under contract F49620-95-C0044, and by the National Science Foundation under contract CCR-9509931.

† Li Gong is now with JavaSoft and can be reached at gong@eng.sun.com

1 Introduction

A fundamental requirement in fault-tolerant systems based on the "state machine" approach [27] is for replicated processors to reach agreement on the values of single-source data, such as sensor samples. In its abstract form, this is the problem of Byzantine Agreement (and its variant, the problem of "Interactive Consistency," also known as "source congruence," "distributed consensus," and "reliable multicast") [16, 23]. There are two broad classes of protocols for achieving Byzantine agreement. Those based on "oral message" assumptions place no restrictions on what a faulty processor may do; those based on "written message" assumptions disallow faulty processes making undetectable modifications to messages as they are relayed from one processor to another, and also disallow processors manufacturing messages that purport to come from another processor. It is generally stated that the written messages assumptions can be satisfied using cryptographic authentication methods (i.e., "digital signatures"), and protocols based on these assumptions are therefore often called "signed messages" or "authenticated" protocols [5, 11, 16].
Both oral and written message protocols proceed in "rounds" and the parameters of interest include: how many faults can be tolerated by a given number of processors, and how many rounds and how many messages are required? Theoretical studies also consider the size of the messages, or the total number of bits transmitted. The advantage of written messages protocols is that they can generally withstand more faults than oral message protocols, and often require fewer messages. For example, oral message protocols require 3t+1 processors to withstand t faults, while written messages protocols require only t+2 (the problem is vacuous unless there are at least two nonfaulty processors). However, both classes of protocols provably require t+1 rounds in the worst case [5, 11], though "early stopping" protocols (which are most easily constructed under the written messages assumptions) use fewer rounds when the actual number of faults is less than t [2, 7, 8, 10, 12].

It would seem that the written messages protocols have significant advantages over their oral message counterparts (e.g., asymptotically, a three-fold advantage in number of faults tolerated). However, these advantages may not be so significant in practice. In embedded applications, the most severe practical constraint on these protocols is the number of rounds: a given application will generally fix the number r of rounds it can afford (generally two). This, in turn, fixes the number of faults that can be tolerated at $r-1$, independently of the class of protocols chosen.¹ The class of protocols does affect the number of processors required: e.g., two-round written message protocols require three processors to tolerate a single fault, while oral message protocols require four. But if other purposes (e.g., clock synchronization) already require four or more processors, there seems no compelling reason to use written message protocols. In fact, there is an argument against these protocols which Chris Walter, one of the developers of the MAFT architecture for fault-tolerant flight control [15] expressed to us as follows: "you have to assume that digital signatures satisfy the requirements for written messages, and in life-critical systems we prefer to make as few assumptions as possible." It turns out that this caution is justified.

In the rest of the paper, we first describe the various assumptions that such protocols (we will call them "authenticated protocols") depend on, highlighting the risks in placing the correctness of Byzantine agreement on the effectiveness of cryptographic protocols for which currently there is no method of assurance that is definitive and generally accepted. We note, however, that authenticated protocols can tolerate more faults than oral message protocols, and we show that this advantage is retained when the analysis is extended to a hybrid fault model that counts faults more carefully than the purely Byzantine fault model.
We then consider the addition of authentication to variants of the oral messages protocol and show that this increases the number of faults they can tolerate if the assumptions on the authentication mechanism are warranted, without compromising their innate fault tolerance if those assumptions are violated. Assuming authentication, we show that one of these new protocols can tolerate as many hybrid faults as the classical Signed Messages protocol.

We then examine the two-round versions of the various protocols under an enlarged fault model that includes communications link faults. For many applications, this is the most realistic class of protocol and fault-model, and we provide evidence, derived from formal state-exploration techniques, that one of the authenticated oral message protocols provides the greatest fault tolerance.

¹ The small number of rounds and the deterministic processor and communications scheduling used in embedded applications also obviate the benefits of early stopping.

2 Byzantine agreement, fault models, and message assumptions

In the classical Byzantine Generals problem, there are a number of participants, which we call "processors." A distinguished processor, which we call the transmitter, possesses a value to be communicated to all the other processors, which we call the receivers. (These correspond to the "Commanding General" and "Lieutenant Generals," respectively, in the terminology of Lamport, Shostak, and Pease [16].) It is assumed that there are point-to-point communications paths between each pair of processors. The Byzantine Agreement problem can be studied under several different sets of assumptions. We consider both "Oral" and "Written" message assumptions, and a "hybrid" fault model. The Oral Messages assumptions are the following [16, p. 387].

A1: Every message that is sent between nonfaulty processors is correctly delivered.

A2: The receiver of a message knows who sent it (assumption of private channels).

A3: The absence of a message can be detected (assumption of synchrony).

Written Messages assumptions add the following to those of Oral Messages [16, p. 391].

A4(a): Messages sent by a nonfaulty processor (under the hybrid fault model, see later, this becomes a non-arbitrary-faulty processor) cannot be altered or manufactured by other processors.

A4(b): Any nonfaulty receiver can identify the processor that originated a message, if that processor is nonfaulty (again, under the hybrid fault model this becomes a non-arbitrary-faulty processor). Note that A2 concerns the case of a direct path from sender to receiver, whereas A4(b) concerns a message from an "originating sender" that is possibly relayed by other processors before reaching the receiver.

There are n processors in total, of which some (possibly including the transmitter) may be faulty. In the classical Byzantine Generals problem, there are no constraints other than those given above on the behavior of faulty processors. This leads to pessimistic estimates of the number of faults that can be tolerated because all faults are regarded as the worst possible. We therefore consider a "hybrid" fault model (originally due to Thambidurai and Park [29] and also investigated by Walter, Suri, and Hugue [30]) that distinguishes certain simpler kinds of fault as well as those that are unconstrained. The fault modes we distinguish for processors are arbitrary-faulty, symmetric-faulty, and manifest-faulty. A manifest fault is one that can be detected by mechanisms present in all nonfaulty processors (e.g., missing or improperly formatted messages). The other two fault modes yield behaviors that are not detectably bad: a symmetric fault presents the same faulty behavior to every nonfaulty processor; an arbitrary fault is completely unconstrained (i.e., Byzantine) and may present (possibly) different aberrant behaviors to some nonfaulty processors, and good behavior to others.

The above characterization of the hybrid fault model is a generic one; for Byzantine agreement, the characterization of fault modes has to be refined in terms of the processor behaviors relevant to this problem (see [26] for a different characterization in terms relevant to clock synchronization). The basic step in an agreement protocol is for a processor to transmit a value v to several other processors. The interpretation of a manifest fault in this context is one that produces detectably missing values (e.g., timing, omission, or crash faults), or that produces a value that all nonfaulty recipients can detect as bad (e.g., it fails checksum or format tests). Symmetric faults deliver wrong, rather than missing or manifestly corrupted values, but do so consistently, so that all receivers of a given transmission obtain the same wrong value $v' \neq v$. Arbitrary faults are unconstrained, and can deliver correct, wrong, or manifestly faulty values in any combination.

Under these assumptions, the Byzantine Agreement problem is to devise a protocol that will allow each receiver p to compute an estimate of the transmitter's value satisfying the following conditions:

Agreement: If receivers p and q are nonfaulty, then they agree on the value ascribed to the transmitter; that is, for all nonfaulty p and q, the estimates computed by p and q are equal.

Validity: If receiver p is nonfaulty, the value ascribed to the transmitter by p is
    the value actually sent, if the transmitter is nonfaulty or symmetric-faulty,
    the distinguished value E, if the transmitter is manifest-faulty.

All the Byzantine agreement protocols we consider proceed in rounds: in the first round, the transmitter sends a value to all the other processors; in subsequent rounds, these processors exchange the values received among themselves in order to detect inconsistencies; each receiver then decides on one value among those received and exchanged. How this decision is made, and how the exchanges are done, depends on the protocol considered.

Notice that the additional assumptions for written messages essentially constrain the behavior of symmetric- and arbitrary-faulty receivers: under oral message assumptions, such receivers can alter or manufacture messages purporting to come from other processors in the later rounds; this is prohibited under written messages assumptions. Authenticated protocols attempt to satisfy the written messages assumptions using digital signatures: each processor signs the messages that it sends. Any receiver can check the authenticity of a message and confirm the identity of its claimed originator by checking the signature. There are several digital signature schemes that provide these basic properties [4, 9, 22, 25]. However, in the following section we show that these schemes must be used very carefully.

3 Authentication issues

The messages that are passed among the processors in authenticated protocols have the form $\{\{\ldots\{v\}_p\ldots\}_q\}_r$ which symbolizes the value v in a message signed and sent by processor p, received, signed and forwarded by processors ..., q and finally received, signed and forwarded by processor r. If processor p is nonfaulty, then at no stage in the protocol should there exist $\{\{\ldots\{v'\}_p\ldots\}_q\}_r$ in which $v \neq v'$.
(This follows because if p is nonfaulty, it would not send out two different values v and v', and authentication prevents any other processor manufacturing such a value.) It is generally assumed that this requirement is satisfied if digital signatures are simply computed on and attached to the messages being relayed. This would be true if a valid message of the form $\{\{\ldots\{v\}_p\ldots\}_q\}_r$ could only arise once in the lifetime of the protocol. Theoretical examinations of these protocols normally consider only a single "run," but in practice they will be called repeatedly (e.g., to distribute sensor samples at the beginning of every process control cycle). It follows that processor r could save a valid message $\{\ldots\{v'\}_p\ldots\}_q$ from one run of the protocol and could then inject the correctly signed message $\{\{\ldots\{v'\}_p\ldots\}_q\}_r$ into a later run, which will cause any nonfaulty receiver to conclude that the original sender p must be faulty, and thereby defeat the protocol.

We do not need to postulate active, intelligent attacks to be concerned about this kind of problem: a hardware "off by one" fault that causes a message to be picked up from the wrong buffer when two agreement protocols are in operation simultaneously (as when all processors are exchanging sensor data) could produce this behavior. A solution to this particular problem is to include additional information under the digital signatures that will identify messages as "fresh" (Lamport, Shostak, and Pease suggest sequence numbers [16, page 400]), but this needs to be done carefully in order to distinguish this run of the protocol from others that may be active simultaneously.

In the rest of this section, we discuss this and a number of other issues requiring care in the implementation of authenticated Byzantine agreement protocols.

Signature permutation. The signature system must not be commutative. Otherwise, $\forall p, q, v,\ \{\{v\}_p\}_q = \{\{v\}_q\}_p$ and, if the session initiator is faulty, another faulty processor can falsely accuse a third, but correct, processor of being faulty in a several-round protocol.

Verifying signature sequences. Verifying a sequence of t signatures is not trivial. A recipient can try all possible sequences of t out of n signatures, but this requires an exponential amount of computation.
Or the message can include a hint, such as the identity of the signer, in each stage of the signing, so the message may look like $\{q, \{p, v\}_p\}_q$. We can alternatively require that a list of hints is attached to each message outside the signatures. However, such hints will add O(n log n) bits to the message length (in an n-round protocol), thus exceeding the tight lower bound on message bits by Srikanth and Toueg [28, Theorem 1] by a factor of n. (In today's practice, a secure digital signature uses about 512 to 1024 bits.) Note that hints are necessary whether the signature system used is commutative or not. A third approach is to globally order the messages so that a recipient can deduce from the context which signature sequence should be used for verification.

Processors are assumed to know each others' signature keys. Borcherding [3] investigates the case where there is no central authority to distribute these keys, and proposes the notion of "local authentication" to achieve a weaker version of Byzantine agreement.

Distinguishing concurrent sessions. When multiple sessions can execute at the same time, it is vital to determine to which run a message belongs. Otherwise, suppose each processor maintains a different sensor and all processors are trying to agree on the values of all sensors, then a faulty processor may "borrow" a signed message from one run and use it in another. Even a benign processor can possibly make such a mistake, as we described previously. One solution is to attach a session identifier, possibly the identity of the session initiator, to the sensor value. This solution will increase the size of each message by O(log n) bits. This does not exceed the lower bound by Srikanth and Toueg [28] because they already allocate O(log n) bits for signatures.

Detecting replay attacks. Besides distinguishing concurrent sessions initiated by different processors, it is equally important to detect any attempt to reuse past messages (from the same initiator) in a new run. The initiator must securely attach a freshness identifier to the signed value. For example, the initiator can sign both the freshness identifier and the value in the same signature.
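
The signing rules discussed above (a signer hint inside each layer, a session identifier, and a freshness identifier under the initiator's signature), as an added example that is not part of the original paper. HMAC with constructed per-processor keys stands in for a digital signature, the freshness identifier is a per-initiator counter, and the names sign, unwrap and Receiver are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed keys for processors p, q and r. HMAC stands in for a digital
# signature here; a real deployment needs an asymmetric scheme, because with
# a shared key every verifier could also sign.
KEYS = {"p": b"demo-key-p", "q": b"demo-key-q", "r": b"demo-key-r"}


def _tag(signer, inner):
    body = json.dumps([signer, inner], sort_keys=True).encode()
    return hmac.new(KEYS[signer], body, hashlib.sha256).hexdigest()


def sign(signer, inner):
    """Add one layer {signer, inner}_signer; the signer hint is under the tag."""
    return {"signer": signer, "inner": inner, "sig": _tag(signer, inner)}


def unwrap(msg):
    """Verify every layer, outermost first. Returns (chain, payload) with the
    originator first in chain, or None if any layer is invalid."""
    chain = []
    while isinstance(msg, dict) and "sig" in msg:
        signer = msg.get("signer")
        if not isinstance(signer, str) or signer not in KEYS or signer in chain:
            return None
        expected = _tag(signer, msg.get("inner"))
        if not hmac.compare_digest(str(msg["sig"]).encode(), expected.encode()):
            return None
        chain.append(signer)
        msg = msg.get("inner")
    return chain[::-1], msg


class Receiver:
    """Keeps the last counter value seen from each initiator and rejects any
    value signed with an older one."""

    def __init__(self):
        self.last_seen = {}

    def accept(self, msg):
        checked = unwrap(msg)
        if checked is None or not checked[0]:
            return None
        chain, payload = checked
        if not isinstance(payload, dict):
            return None
        initiator, counter = payload.get("initiator"), payload.get("counter")
        # Session identifier and counter sit under the originator's signature,
        # so the innermost signer must be the claimed initiator.
        if initiator != chain[0] or not isinstance(counter, int):
            return None
        if counter < self.last_seen.get(initiator, 0):
            return None  # message from an earlier run
        self.last_seen[initiator] = counter
        return initiator, counter, payload.get("value")


def demo():
    # Value-only signing: faulty r keeps a relayed message from run 1 and, in
    # run 2 (where p signs 20), forwards it under its own signature.
    saved = sign("q", sign("p", {"value": 10}))
    run2 = [sign("p", {"value": 20}), sign("r", saved)]
    naive = {unwrap(m)[1]["value"] for m in run2}  # values attributed to p

    # Same scenario with initiator and counter under p's signature.
    rx = Receiver()
    saved = sign("q", sign("p", {"initiator": "p", "counter": 1, "value": 10}))
    rx.accept(saved)  # run 1
    fresh = sign("p", {"initiator": "p", "counter": 2, "value": 20})
    hardened = [rx.accept(fresh), rx.accept(sign("r", saved))]

    # Layers do not commute: relabelling {{v}_p}_q as {{v}_q}_p fails.
    m = sign("q", sign("p", {"value": 10}))
    swapped = {"signer": "p", "sig": m["sig"],
               "inner": {"signer": "q", "sig": m["inner"]["sig"],
                         "inner": {"value": 10}}}
    return {"naive": naive, "hardened": hardened, "swapped": unwrap(swapped)}


if __name__ == "__main__":
    print(demo())
```

With value-only signatures the receiver ends run 2 holding two different values validly signed by p, so it wrongly concludes p is faulty; with the counter under p's signature the stale message is rejected.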

There are three types of freshness identifiers, each of which can be used in more than one way [13]. The first is a timestamp, if processors have synchronized clocks. In this case, the initiator attaches the reading from the local clock to the value before signing them. A recipient rejects any message with a timestamp that is outside an agreed time window relative to the recipient's local clock. A significant risk exists when a faulty processor can also have a faulty clock so that the processor sends out values signed with timestamps in the future. Even if this processor were to recover, another faulty processor could play back such a message when the correct time comes. The significance of this attack lies in the fact that there is no guarantee that any correct processor will know the existence of previously signed messages (with future timestamps). To invalidate such messages, a repaired processor can change its signature key during reintegration.

The second type of a freshness identifier is a random number, also known as a "nonce." Since the nonce must be generated by the processor that is checking for freshness, processors must exchange nonces with each other (thus adding one round to the protocol), and the value must be signed with all O(n) nonces, thus increasing the message length significantly.

The third type is a counter value. Each processor maintains a monotonic counter, increments the counter value before initiating a session, and then signs the value together with the current counter value. Each processor also maintains a vector timestamp, noting the last seen counter value from every other processor, and rejects any value signed with a past counter value. Similar to timestamps, a faulty processor may sign "future" counter values, so it is prudent to change to a new signature key after repair.

Repair and restart. When a processor fails, it may lose all its state information, including the current session and round numbers and freshness identifiers. If the failure is arbitrary, then the surviving state information may be wrong. For example, its clock or counters may be turned back or forward. Moreover, simply asking every processor to reset their counters to zero is vulnerable to replay attacks. Therefore, to restore the synchrony between processors after repair, a repaired processor must use challenge-response (with nonces) to obtain from other processors fresh replies containing the current state information. Given the additional need of assigning a new signature key to the restarting processor and notifying all other processors of the corresponding public key, restart can be costly.

Message redundancy. A message containing the value to be signed must contain sufficient redundancy to protect against forgery. For example, a faulty processor p may choose a random number x and broadcast it as $\{v\}_p$ for some value v. Because it is quite possible that there is a value v' such that $x = \{\{v'\}_q\}_p$, p may effectively forge a signature of value v' signed by q. Or the faulty processor p can simply copy $\{v'\}_q$ from a previous protocol run and broadcast $\{\{v'\}_q\}_p$. Any processor r who further signs $\{\{v'\}_q\}_p$ is also spoofed.
There are many ways to introduce redundancy into the messages. One is to attach a checksum of a sufficient length to the original value. The size of the message will thus increase, perhaps by 128 bits (the size of a typical one-way hash function output) or at least O(log n) bits. Note that including a unique identifier of the current run does not provide sufficient redundancy because a randomly selected value x can be of the form $\{id, v\}_q$, and if id is for a future run, an attack can still happen in the future.

3.1 Practical implications

We have shown that authentication using digital signatures needs to be managed very carefully if it is to be secure against attack. How significant are these threats? There are two main classes of applications for authenticated Byzantine agreement protocols: secure systems that must maintain coordination in the face of capture and active subversion of system components (e.g., the AT&T "Rampart" architecture [24]), and safety-critical embedded control systems (e.g., the MAFT architecture for aircraft flight control [15]). Sophisticated cryptographic and other attacks are a given in the first class of applications, so our concern about the security of authentication needs no further justification here (the literature is replete with broken cryptographic protocols [1, 21]).

Intelligent malicious attack is not considered a serious possibility in embedded systems, and the argument in these cases is a little different. Byzantine resilient architectures are attractive in these contexts because they simplify the case for assurance and certification: instead of a collection of fault-tolerance mechanisms to counter specific failure modes, and for which it is necessary to provide evidence of coverage and noninterference, we have a single mechanism that can withstand any kind of fault, up to some number, and it is only necessary to provide evidence for correctness and for the estimated overall fault arrival rate. Written message protocols compromise the purity of this position: faulty processors can no longer do absolutely anything, but are constrained by certain assumptions. Real processors can do absolutely anything when faulty, and in implementations using signed messages, it is the authentication mechanism that constrains them within the assumed fault mode.
For certification, it is therefore necessary to provide strong evidence that the authentication mechanism does accomplish this: broken authentication is not just another fault to be tolerated, it is a violation of the assumptions under which correctness of the protocol, and hence of the entire architecture, is established.

We have seen that cryptographically strong authenticated protocols require even small data messages to be encapsulated in large signature and freshness-indicating wrappers, and to carry various key-management indicators. Hence, embedded systems may prefer to dispense with truly secure authenticated protocols and to use short keyed checksums (Lamport, Pease, and Shostak suggest a suitable checksum algorithm [16, page 400]), with fixed keys and simple sequence-numbers to indicate freshness. The authentication assumptions may sometimes fail to hold in this arrangement. In the following sections we present and study protocols that take advantage of authentication if it is present, but that retain Byzantine resilience even when signatures may be forged. Since checksums will only rarely be "forged" by random malfunctions, these protocols are very well suited to the needs of embedded systems.

The discussion has so far focussed on authentication failure in one direction: failure to adequately constrain the behavior of a faulty processor. Authentication can also fail in the other direction: causing good messages to be rejected as bad. There are two ways this can come about: the authentication mechanism may be algorithmically incorrect or nonrobust (e.g., vulnerable to loss of crypto-synch), or a hardware fault might damage a key. The issues enumerated earlier in this section are intended to help designers avoid the first of these dangers; the second is more likely, but less serious, because it is just another fault, and will be tolerated to the same extent as other faults.

4 Signed messages with hybrid faults

We have argued that great care in implementation is necessary in order to satisfy the assumptions of the authenticated protocols. This care would be justified if the authenticated protocols had significant advantages over oral message protocols. However, for the case of practical importance, that is, two-round protocols, there appears little to choose between the two classes of protocols: the signed message protocol SM(1) and the oral messages protocol OM(1) of Lamport, Pease, and Shostak [16] both require two rounds², and both tolerate only a single arbitrary fault. The difference is that OM(1) requires four processors, while SM(1) requires but three. However, a variation on OM(1) called OMH(1) [19] that operates under the hybrid fault model can tolerate a arbitrary, s symmetric, and m manifest faults simultaneously, provided n, the number of processors, satisfies $n > 2a + 2s + m + 1$ and $a \leq 1$. Thus, OMH(1) appears to tolerate more faults than SM(1) under certain circumstances. Of course, this comparison is unfair because the analysis for OMH(1) considers the hybrid fault model, whereas that for SM(1) treats all faults as arbitrary. So one item that warrants examination is the behavior of SM(1) under the hybrid fault model.

² The parameter r to these protocols starts at zero, so that the number of rounds is r+1.

The classical signed messages protocol, SM(r) proceeds as follows [16, p. 391]:

SM(r)
The transmitter sends a signed message to each receiver. Each receiver adds its signature to the message and sends it to the other receivers who add their signatures and send it to the others, and so on for r rounds. When all the exchanges are completed, each receiver discards any improperly signed messages, extracts the values sent by the transmitter from those that remain and applies a deterministic choice function to those values.

Note that if the transmitter is not arbitrarily-faulty, the set of values considered in the choice will be a singleton. Lamport, Pease and Shostak show [16, Theorem 2] that SM(r) can tolerate up to r faulty processors, the optimal result [6, 11].

To extend SM(r) and its analysis to the hybrid fault model is straightforward: the hybrid protocol SMH(r) simply recognizes and discards manifest-faulty values. Authentication prevents symmetric-faulty receivers from injecting correctly signed new values, so these receivers either duplicate other messages (which is harmless), or they introduce incorrectly signed messages, which will be discarded. Thus, messages from both manifest- and symmetric-faulty receivers either duplicate existing values or are ignored; hence they play no part in the protocol and it is as if these processors were absent. It follows that only arbitrary-faulty processors need be counted in the fault-tolerance calculation. Thus, by direct analogy with the corresponding result (Theorem 2, page 393) in [16], we have the following result.

Theorem 1 For any r, Protocol SMH(r) satisfies Validity and Agreement provided $r \geq a$, where a is the number of arbitrary-faulty processors.

The result is somewhat vacuous unless there are at least two nonfaulty processors, so we also have $n > a + s + m + 1$, and $r \geq a$. This may be compared with OMH(r), where we have $n > 2a + 2s + m + r$ and $r \geq a$.

It can be seen that OMH(r) and SMH(r) have the same fault tolerance with regard to rounds, but that SMH(r) requires considerably fewer processors than OMH(r) (or, equivalently, can tolerate more faults for a given number of processors). However, this increased fault tolerance is obtained at the cost of depending on authentication: if the authentication assumptions fail for any reason, then SMH(r) may fail altogether.

5 Combining authentication and oral messages

The idea of examining SM(r) under the hybrid fault model suggests the dual inquiry: examining oral message protocols in the presence of authentication. It turns out that this yields protocols that combine the advantages of the two classes of protocols with few of their disadvantages. As noted in the discussion of SMH(r), authentication turns symmetric-faulty receivers into manifest-faulty ones: they can only generate messages that are improperly signed. In order to exploit this in an oral messages protocol, we need a protocol that has the capability to discard bad messages. The classical protocol OM(r) does not do this, but our hybrid protocol OMH(r) does. It therefore seems the most promising place to start.

The protocol OMH(r) [19] is our modified and formally verified [17] version of Thambidurai and Park's protocol Z(r) [29], which is in turn a modification of the r+1-round oral messages protocol OM(r) of Lamport, Shostak, and Pease [16]. The key idea in both Z(r) and OMH(r) is to introduce a distinguished value E to record receipt of manifest-faulty messages. E values are ignored in the majority vote that each processor uses to decide its final value. In Z(r), E is used to record both manifest-faulty messages and the report of such messages relayed by another processor. This leads to confusion when there is a manifest-faulty transmitter and an arbitrary- or symmetrically-faulty receiver; Z(1) can fail in this circumstance, and this leads to more complex failures in the r > 1 cases. OMH(r) repairs this problem by treating the report of manifest-faulty values differently than those values themselves: R(E) indicates the report of E, R(R(E)) the report of a report, and so on. An inverse function UnR is used to "strip off" these Rs at a later stage in the protocol. Only E (not R(E), R(R(E)), etc.) is ignored in the majority vote.

As noted in the previous section, OMH(r) is able to tolerate a arbitrary, s symmetric, and m manifest faults simultaneously, provided n, the number of processors, satisfies $n > 2a + 2s + m + r$ and $r \geq a$. This is optimal when only arbitrary faults are present (we have a = r, s = m = 0, so that n > 3a, satisfying the lower bound established by Pease, Shostak, and Lamport [23]). Separate analysis shows that the protocol is also optimal when only manifest faults are present, and the obtained bound is n > m [18]. When only symmetric faults are present, however, the protocol is definitely suboptimal, in that additional rounds can reduce its resilience. For example, in OMH(0) (where receivers simply accept whatever value they obtain from the transmitter), the number of symmetric-faulty receivers is irrelevant. In OMH(1), however, where receivers relay information to each other and take the majority of the values obtained, one symmetric-faulty receiver can defeat the protocol unless $n \geq 4$.

Suppose now that we use digital signatures to add authentication to OMH(r), thereby creating a protocol we can call OMHA(r). First, as Lamport, Shostak, and Pease observe [16, p. 393], there is no point authenticating the final step in the protocol (i.e., the OMH(0) round), because we have point-to-point communications and the communication port on which a message arrives serves to authenticate it (this is assumption A2); thus OMHA(0) is the same as OMH(0). For the general case, we simply modify OMH(r) so that processors sign all messages that they send, and improperly signed messages are treated by their receivers as E.

Notice that as long as authentication does not introduce faults (i.e., as long as a properly signed message cannot be mistakenly considered improperly signed), then OMHA(r) must have at least the fault tolerance of OMH(r), and this is independent of the cryptographic strength of the signature scheme. However, if we make the usual assumptions about the strength of the signature scheme, then authentication reduces the severity of faults that can be introduced by receivers.
In particular, a symmetric-faulty receiver cannot inject a completely false value into the exchanges: at worst, it can inject an E or R(E) value; similarly, an arbitrary-faulty receiver can selectively inject E and R(E), or can pass on the true value that it received. (Faulty processors cannot inject R(R(E)) etc., because this would require an R(E) correctly signed by another processor.) Unfortunately, the residual ability to inject R(E) is sufficient to limit the number and combination of faults that can be tolerated by OMHA(r) to be no better, in the worst case, than for OMH(r).

This disappointing result suggests consideration of a protocol ZA(r), derived from Thambidurai and Park's protocol Z(r) in the same way that OMHA(r) is derived from OMH(r). Since Z(r) and ZA(r) lack the E, R(E) distinctions of OMH(r) and OMHA(r), it follows that symmetric-faulty receivers are reduced to manifest-faulty in ZA(r). Similarly, arbitrary-faulty receivers are reduced to manifest-faulty or "nonfaulty with communications link faults," which is a case considered in Section 6. Furthermore, authentication overcomes the bug in Z(r); this bug arises in Z(1) when an arbitrary- or symmetric-faulty receiver injects spurious values into the exchanges under a manifest-faulty transmitter: the E values from the transmitter, and those relayed by good receivers, are ignored in the majority votes, which are therefore won by the spurious values injected by the faulty receiver. ZA(r) eliminates this bug because it prevents the faulty receivers manufacturing the spurious values that other processors will incorporate in their majority votes. Protocol ZA(r) is defined as follows.

ZA(0)

1. The transmitter sends its value to every receiver.
2. Each receiver uses the value received from the transmitter, or uses the value E if a missing or manifestly erroneous value is received.

ZA(r), r > 0

1. The transmitter signs and sends its value to every receiver.
2. For each p, let v_p be the value receiver p obtains from the transmitter, or E if no value, or a manifestly bad value, or incorrectly signed value is received. Each receiver p acts as the transmitter in Protocol ZA(r−1) to communicate the value v_p to the other n−2 receivers.
3. For each p and q, let v_q be the value receiver p received from receiver q in step (2) (using protocol ZA(r−1)), or else E if no such value, or a manifestly bad value, or incorrectly signed value was received. Each receiver p calculates the majority value among all non-E values v_q received; if no such majority exists, the receiver uses some arbitrary, but functionally determined value.

We have the following results, where a, s, and m are the numbers of arbitrary-, symmetric-, and manifest-faulty processors, respectively, and n is the total number of processors.

Lemma 1 If signatures are secure, then for any a, s, m and r, protocol ZA(r) satisfies Validity.

Proof: In the first round, the transmitter signs and sends its value to all receivers. Validity assumes a nonfaulty transmitter, so all nonfaulty receivers will obtain the correct value in this round. The receivers exchange values in subsequent rounds, and faulty receivers may inject faulty values into this process. However, authentication prevents the injection of any correctly signed value other than that sent by the original transmitter. Thus the only values entering the majority vote will be this value and, possibly, E. Since all good receivers obtained at least one copy of the value v directly from the transmitter, and some combination of vs and Es from other receivers, the hybrid majority will always be v. □

Theorem 2 If signatures are secure, then for any r, Protocol ZA(r) satisfies conditions Validity and Agreement if r ≥ a.
Proof: The proof is by induction on r. In the base case r = 0 there can be no arbitrary-faulty processors, since r ≥ a. If there are no arbitrary-faulty processors then the previous lemma ensures that ZA(0) satisfies Agreement, and Validity follows. We therefore assume that the theorem is true for ZA(r−1) and prove it for ZA(r), r > 0.

First consider the case in which the transmitter is not arbitrary-faulty. Then Validity is ensured by Lemma 1, and Agreement follows from Validity. Now consider the case where the transmitter is arbitrary-faulty. There are at most a arbitrary-faulty processors, and the transmitter is one of them, so at most a−1 of the receivers are arbitrary-faulty. At the next stage, we have one less round to perform, and one less arbitrary fault to tolerate. Since we assume r ≥ a, we also know r−1 ≥ a−1, and we may therefore apply the induction hypothesis to conclude that ZA(r−1) satisfies conditions Agreement and Validity. Hence, for each q, any two nonfaulty receivers get the same value for v_q in step (3). (This follows from Validity if one of the two receivers is processor q, and from Agreement otherwise). Hence, any two nonfaulty receivers get the same vector of values v_1, ..., v_{n−1}, and therefore obtain the same value hybrid-majority(v_1, ..., v_{n−1}) in step (3) (since this value is functionally determined), thereby ensuring Agreement. □

Theorem 2 shows that ZA(r) has the same (optimal) fault tolerance as SMH(r) when signatures are secure; however, ZA(r) has the significant advantage that it is not totally broken if authentication fails. In the presence of authentication failure, ZA(r) reverts to, at worst, the fault tolerance of Z(r). To be sure, Z(r) is vulnerable to certain configurations of two faults no matter how many rounds and receivers are used (that is why we developed OMH(r)), but in the important case r = 1, its failure mode is very precisely characterized (manifest-faulty receiver and at least one symmetric-fault or arbitrary-faulty receiver; the latter is required to break agreement). An alternative is to use the protocol OMHA(r), whose fallback, OMH(r) is fully robust against arbitrary and manifest faults, but whose resilience in the presence of working authentication is inferior to that of ZA(r).

Table 1 compares the various protocols we have discussed in terms of worst-case bounds.
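The Z(1) bug and its repair by ZA(1), as an added Python example that is not code from the paper: it runs the r = 1 exchange for n = 5 and counts, over every behaviour of one arbitrary-faulty receiver under a manifest-faulty transmitter, how often the good receivers disagree, then checks Validity with two faulty receivers. Assumptions of the example: an HMAC stands in for a digital signature, `authenticated=False` models Z(1) (or ZA(1) once forged signatures are accepted), E is chosen as the "functionally determined" fallback, and the key, the values and all function names are constructed.

```python
import hashlib
import hmac
import itertools
from collections import Counter

E = "E"  # distinguished value: missing, manifestly bad, or improperly signed
KEY = b"constructed-demo-key"  # stand-in for the transmitter's signing key

def sign(value):
    # HMAC stands in for a digital signature; the faulty receivers never use KEY.
    return value, hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()

def accept(msg, authenticated):
    """Value carried by msg, or E if it is missing or fails verification."""
    if msg is None:
        return E
    value, tag = msg
    if authenticated and not hmac.compare_digest(tag, sign(value)[1]):
        return E
    return value

def hybrid_majority(values):
    """Strict majority among the non-E values; E is this example's fallback."""
    counts = Counter(v for v in values if v != E)
    if counts:
        top, hits = counts.most_common(1)[0]
        if 2 * hits > sum(counts.values()):
            return top
    return E

def run(n, transmit, faulty, authenticated):
    """One run with r = 1: processor 0 transmits, processors 1..n-1 receive.
    transmit(p)      message sent to receiver p, or None if manifestly bad
    faulty[q](p, m)  message faulty receiver q relays to p (m is what q received)
    Returns {receiver: decision} for the nonfaulty receivers.
    """
    receivers = range(1, n)
    got = {p: transmit(p) for p in receivers}
    decided = {}
    for p in receivers:
        if p in faulty:
            continue
        votes = []
        for q in receivers:
            msg = faulty[q](p, got[q]) if q in faulty else got[q]
            votes.append(accept(msg, authenticated))
        decided[p] = hybrid_majority(votes)
    return decided

def agreement_failures(authenticated, n=5, bad=4):
    """Manifest-faulty transmitter, one arbitrary-faulty receiver: count the
    receiver's behaviours that make the good receivers disagree."""
    good = [p for p in range(1, n) if p != bad]
    options = [None, ("x", "forged-tag"), ("y", "forged-tag")]
    failures = 0
    for choice in itertools.product(options, repeat=len(good)):
        plan = dict(zip(good, choice))
        out = run(n, lambda p: None, {bad: lambda p, _m: plan[p]}, authenticated)
        failures += len(set(out.values())) > 1
    return failures

def validity_case(authenticated):
    """Good transmitter, two arbitrary-faulty receivers injecting the same value."""
    inject = lambda p, _m: ("x", "forged-tag")
    return run(5, lambda p: sign("v"), {3: inject, 4: inject}, authenticated)

if __name__ == "__main__":
    for auth in (False, True):
        print(auth, agreement_failures(auth), validity_case(auth))
```

With signature checking off, 24 of the 27 enumerated behaviours split the good receivers and the two injectors block the majority for v; with checking on, every forged relay collapses to E, so Agreement and Validity both hold.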

Protocol  SM(r)  SMH(r)  Violated  Authentication Assumptions  OM(r)  a = s = 0, n > m + 1  n > a + s + m + 1,  Sound  OMH(r)  n > 2a + 2s + 2m + r, r ≥ a  n > 2a + 2s + 2m + r, r ≥ a (same)  OMHA(r)  n > 2a + 2s + m + r, r ≥ a  n > 2a + 2s + m + r, r ≥ a (same)  r ≥ a  Z(r)  ZA(r)  n > 2a + 2s + m + r, r ≥ a †  n > a + s + m + 1,  n > 2a + 2s + m + r, r ≥ a †  n > 2a + 2s + m + r, r ≥ a † (same)  r ≥ a

† Z(1) also fails with a manifest-faulty transmitter and one symmetric or arbitrary-faulty receiver; Z(r), r > 1, fails in additional cases.

Table 1: Comparison of Byzantine Agreement Protocols

6 Link faults

Communications failures represent an important class of faults; we call them link faults, with the characterization that when a nonfaulty processor sends its value v to a nonfaulty recipient over a faulty link, the value received may be either v or E. Because they arise frequently in practice (wires and connectors are prone to noise and breakage), it is desirable to tolerate link faults efficiently. Notice that a link fault is not attributed to a processor; thus, a processor at the receiving end of a faulty link may be nonfaulty and the protocol must ensure that it satisfies the Agreement and Validity conditions. The difficulty in extending Byzantine agreement protocols to link faults is due to the fact that these faults do introduce asymmetry and are therefore as expensive to tolerate as arbitrary failures in the worst case.

We can observe that ZA(r) achieves Validity in the presence of link faults and hybrid processor faults, provided that there is a path of length r+1 links or less from the transmitter to each nonfaulty receiver that passes through only nonfaulty processors and good links. SMH(r) has the same bounds on Validity as ZA(r), while that of OMHA(r) is worse and difficult to characterize. We can also observe that for Agreement, a link fault is as disruptive, in the worst case, as an arbitrary fault at either the sender or receiver on the link. Thus, if link faults are attributed to either their sender or receiver, and l is the minimum number of processors needed to account for all such faults, then ZA(r) will achieve Agreement provided r ≥ a + l. Similar worst case bounds apply for Agreement in SMH(r), while OMHA(r) requires n > 2a + 2s + m + r + 2l and r ≥ a + l.

7 Examining fault tolerance using state-exploration techniques

The worst-case bounds given above are based on rather crude ways of counting faults: there are many scenarios for the behavior of a system with, say, one arbitrary-faulty and one manifest-faulty processor and two link faults, but the worst-case analyses treat them all alike. It is therefore interesting to enquire how well the protocols perform under more fine-grained analysis and, in particular, how they perform in regions beyond those characterized by the simple worst-case bounds.

Simulation could be used to sample the behavior of the protocols, but a more attractive alternative is to use a formal state-exploration tool to examine their behavior in specific configurations under all scenarios. The idea is to model the system as the composition of two concurrent processes: one that injects faults and one that tolerates or diagnoses them. A state exploration tool will then systematically explore all possible scenarios for their interaction.

We have used the Murφ (pronounced "Murphy") system from David Dill's group at Stanford [20] for this purpose. Essentially, we provided Murφ programs for the OMH(1), OMHA(1), Z(1), ZA(1), and SMH(1) protocols in the n = 5 case, and caused Murφ to nondeterministically perform a symbolic "fault injection" (of both link faults and hybrid processor faults) and then run the protocols. By exploring all different runs (there are over 20,000 of them), Murφ essentially undertakes exhaustive fault injection on these protocols (the process takes a couple of minutes on a Sparc 10). Of course, it would be straightforward to write a program to do this, but we consider the use of formal state-exploration tools a very promising and general technique for the examination of algorithms for fault tolerance and diagnosis.

Our experiments confirmed the worst-case bounds on fault tolerance claimed for the various protocols in the case n = 5 and r = 1, and rediscovered the known vulnerability of Z(1) to manifest-faulty transmitters [19]. That is to say, exhaustive search of all fault configurations satisfying the bounds claimed in Table 1 for the case of n = 5 and r = 1 found no violations of Validity nor of Agreement, except for the known cases in Z(1).

However, much more interesting results were obtained when we allowed fault-injection to continue beyond the simple characterizations of worst-case fault tolerance for the protocols concerned. For example, although no five-processor, two-round protocol can withstand two link faults in the worst case, we found ZA(1) does tolerate two such faults in most cases. We therefore used our Murφ fault-injection system to count how many scenarios caused each protocol to fail with and without the assumption of secure authentication.

Protocol  OMH(1)  OMHA(1)  Authentication Assumptions  Z(1)  Violated  25  Sound  ZA(1)  25  SMH(1)  24  43  24  12  13  23

Table 2: Percentage of fault configurations in a 5-plex where each protocol fails

Table 2 compares the various protocols we have discussed, using exhaustive state exploration to calculate the percentage of fault configurations that caused the protocols to fail. Overall, it seems that ZA(1) is the most resilient of these protocols under the combination of hybrid and link faults, though more experiments are needed to confirm this.

Fault configurations consist of an assignment of fault class (good, manifest, symmetric, or arbitrary) to each processor, and an assignment of up to three faulty links between processors. We excluded configurations with link faults emanating from arbitrary or manifestly faulty transmitters, or arriving at faulty receivers (such link faults have no real impact on system behavior). For each configuration, we tested whether any scenario of messages by the faulty processors could cause good receivers to disagree or cause a good receiver to fail to agree with the transmitter. For each protocol, we then calculated the percentage of all fault configurations for which such failure was possible.

The newest release of the Murφ system automatically detects and exploits symmetry in appropriately written specifications, reducing the search space dramatically. For example, the configuration where all processors are good except that the third receiver is manifest-faulty is isomorphic to the case when all processors are good except the second receiver, and Murφ only explores one of these alternatives. Symmetries are used in the assignment of faulty links as well as in the assignment of behaviors to processors. Because of these symmetry reductions, not all configurations are counted individually, so the numbers in Table 2 should be taken to indicate relative, not absolute, performance. We further reduced the set of configurations to require at least one good receiver, since otherwise Validity and Agreement are trivially satisfied. We excluded symmetric-faulty processors sending manifestly bad (E) values, since this would amount to the same thing as a manifest fault, and we also excluded the case of a symmetric-faulty transmitter since there is very little difference between this case and that when the transmitter is good. However, we did allow an arbitrary-faulty transmitter to behave in any way, including the possibility of behaving as good, symmetric- or manifest-faulty, as well as sending various combinations of good, wrong, and E values.

For the authenticated protocols, faulty receivers were not allowed to send data values other than that received from the transmitter. Thus for algorithm ZA(1) arbitrary-faulty receivers are only able to send manifestly bad (E) values or the correct value. In algorithm OMHA(1), arbitrary-faulty receivers also have the opportunity to send R(E) and, as discussed earlier, this is the main source of brittleness of OMHA(1). We further make the assumption in these experiments that authentication never leads to good processors discarding good messages. These factors, taken together, significantly reduce the total number of configurations that need to be considered, but do not affect the relative numbers of configurations where the various algorithms behave acceptably.

The table shows that the authenticated protocol ZA(1) wrings the maximum fault tolerance from a given amount of redundant hardware, and outperforms the classical signed messages protocol whether or not signatures are secure (dramatically so if signatures are insecure). ZA(1) is also superior in overall resilience to OMHA(1). This is not to say that ZA(1) is uniformly superior to OMHA(1). Consider a good transmitter with link faults to all receivers except p, and p has a link fault to receiver q. Under ZA(1), q decides on E and all the other receivers decide on the value sent by the transmitter to p, thereby violating Agreement. Under OMHA(1) all receivers settle on E.

Note that we are testing the fault tolerance of these protocols well beyond their usually claimed fault tolerance: only approximately five percent of all fault configurations we studied fall within the worst-case bounds of the protocols. Thus, all these protocols are far more tolerant of faults than their simple worst-case bounds would suggest.

8 Conclusion

The assumptions required of the authentication mechanism in Byzantine agreement protocols that use "signed messages" are stronger than generally realized, and require that digital signatures are used with great care. Violation of these assumptions can cause the protocols to fail. We have presented new protocols that combine authentication with "oral messages" protocols so that additional resilience is obtained when the authentication assumptions are sound, but the resilience of the unauthenticated protocol is retained when authentication assumptions are violated.

When the authentication assumptions are sound, one of these new protocols, called ZA(r), matches the fault tolerance of the classical signed messages protocol under a hybrid fault model, and surpasses it when communications link faults are considered. ZA(r) also performs well overall when authentication assumptions are violated, but has an unfortunate "hole" in its worst-case bound (it is vulnerable when the transmitter is manifest-faulty). Another of the new protocols, OMHA(r) may be preferred if this case is considered important, though it is less resilient to link faults than ZA(r).
These new protocols are superior to other known protocols in properties and measures of practical interest, and we recommend them for general use. They are particularly attractive in security-critical systems where authentication may be subjected to sophisticated cryptographic attack, and in safety-critical embedded systems where maximum resilience is required but where only short or cryptographically weak signatures (e.g., checksums) may be feasible. Selection of the most suitable protocol for a given system must obviously depend on the expected modes and frequencies of faults, and the consequences of system failure.

Our use of the state-exploration system Murφ to perform symbolic "fault injection" is, we believe, novel. It suggests a very promising new application area for this class of formal methods tools, and one that we intend to pursue in future work.

Acknowledgments

Our understanding of these topics has benefitted greatly from discussions with Chris Walter and Michele Hugue (both then with AlliedSignal). Comments by the anonymous reviewers were also very helpful. Malte Borcherding of the University of Karlsruhe pointed out some errors in the original paper.

References

Papers by SRI authors can generally be retrieved from http://www.csl.sri.com/fm.html.

[1] Martín Abadi and Roger Needham. Prudent engineering practice for cryptographic protocols. In Proceedings of the Symposium on Research in Security and Privacy, pages 122–136, Oakland, CA, May 1994. IEEE Computer Society.
[2] Birgit Baum-Waidner. Byzantine agreement with a minimum number of messages both in the faultless and worst case. In Fault Tolerant Computing Symposium 23 [14], pages 554–563.
[3] Malte Borcherding. Efficient failure discovery with limited authentication. In 15th International Conference on Distributed Computing Systems, pages 78–82, Vancouver, Canada, May 1995. IEEE Computer Society.
[4] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–650, November 1976.
[5] D. Dolev and H. R. Strong. Authenticated algorithms for Byzantine agreement. SIAM Journal on Computing, 12(4):656–666, November 1983.
[6] Danny Dolev and Rüdiger Reischuk. Bounds on information exchange for Byzantine agreement. Journal of the ACM, 32(1):191–204, January 1985.
[7] Danny Dolev, Rüdiger Reischuk, and H. Raymond Strong. Early stopping in Byzantine agreement. Journal of the ACM, 37(4):720–741, October 1990.
[8] Klaus Echtle. Fault masking with reduced redundant communication. In Fault Tolerant Computing Symposium 16, pages 178–183, Vienna, Austria, July 1986. IEEE Computer Society.
[9] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, IT-31(4):469–472, July 1985.
[10] Paul D. Ezhilchelvan. Early stopping algorithms for distributed agreement under fail-stop, omission, and timing fault types. In 6th Symposium on Reliability in Distributed Software and Database Systems, pages 201–212, Williamsburg, VA, March 1987. IEEE Computer Society.

[11] M. Fischer and N. Lynch. A lower bound for the time to assure interactive consistency. Information Processing Letters, 14:183–186, 1982.
[12] F. Di Giandomenico, M. L. Guidotti, F. Grandoni, and L. Simoncini. A graceful dependable algorithm for Byzantine agreement. In 6th Symposium on Reliability in Distributed Software and Database Systems, pages 188–200, Williamsburg, VA, March 1987. IEEE Computer Society.
[13] L. Gong. Variations on the themes of message freshness and replay. In Proceedings of the Computer Security Foundations Workshop VII, pages 131–136, Franconia, NH, June 1993. IEEE Computer Society.
[14] Fault Tolerant Computing Symposium 23, Toulouse, France, June 1993. IEEE Computer Society.
[15] R. M. Kieckhafer, C. J. Walter, A. M. Finn, and P. M. Thambidurai. The MAFT architecture for distributed fault tolerance. IEEE Transactions on Computers, 37(4):398–405, April 1988.
[16] Leslie Lamport, Robert Shostak, and Marshall Pease. The Byzantine Generals problem. ACM Transactions on Programming Languages and Systems, 4(3):382–401, July 1982.
[17] Patrick Lincoln and John Rushby. Formal verification of an algorithm for interactive consistency under a hybrid fault model. In Costas Courcoubetis, editor, Computer-Aided Verification, CAV '93, volume 697 of Lecture Notes in Computer Science, pages 292–304, Elounda, Greece, June/July 1993. Springer-Verlag.
[18] Patrick Lincoln and John Rushby. Formal verification of an algorithm for interactive consistency under a hybrid fault model. Technical Report SRI-CSL-93-2, Computer Science Laboratory, SRI International, Menlo Park, CA, March 1993. Also available as NASA Contractor Report 4527, July 1993.
[19] Patrick Lincoln and John Rushby. A formally verified algorithm for interactive consistency under a hybrid fault model. In Fault Tolerant Computing Symposium 23 [14], pages 402–411.
[20] Ralph Melton and David L. Dill. Murφ Annotated Reference Manual. Computer Science Department, Stanford University, Stanford, CA, March 1993.
[21] Judy H. Moore. Protocol failures in cryptosystems. Proceedings of the IEEE, 76(5):594–602, May 1988.
[22] National Institute of Standards and Technology. The digital signature standard. Communications of the ACM, 37(7):36–40, July 1992.
[23] M. Pease, R. Shostak, and L. Lamport. Reaching agreement in the presence of faults. Journal of the ACM, 27(2):228–234, April 1980.
[24] Michael Reiter. A secure group membership protocol. In Proceedings of the Symposium on Research in Security and Privacy, pages 176–189, Oakland, CA, May 1994. IEEE Computer Society.
[25] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
[26] John Rushby. A formally verified algorithm for clock synchronization under a hybrid fault model. In Thirteenth ACM Symposium on Principles of Distributed Computing, pages 304–313, Los Angeles, CA, August 1994. Association for Computing Machinery.
[27] Fred B. Schneider. Implementing fault-tolerant services using the state machine approach: A tutorial. ACM Computing Surveys, 22(4):299–319, December 1990.
[28] T. K. Srikanth and S. Toueg. Simulating authenticated broadcasts to derive simple fault-tolerant algorithms. Distributed Computing, 2(2):80–94, 1987.
[29] Philip Thambidurai and You-Keun Park. Interactive consistency with multiple failure modes. In 7th Symposium on Reliable Distributed Systems, pages 93–100, Columbus, OH, October 1988. IEEE Computer Society.
[30] C. J. Walter, N. Suri, and M. M. Hugue. Continual on-line diagnosis of hybrid faults. In F. Cristian, G. Le Lann, and T. Lunt, editors, Dependable Computing for Critical Applications 4, volume 9 of Dependable Computing and Fault-Tolerant Systems, pages 233–249. Springer-Verlag, Vienna, Austria, January 1994.

The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force Office of Scientific Research or the U.S. Government.