TWO-ROUND BYZANTINE FAULT TOLERANT (BFT) STATE MACHINE REPLICATION (SMR) PROTOCOL WITH LINEAR AUTHENTICATOR COMPLEXITY AND OPTIMISTIC RESPONSIVENESS

20220391410

17/339068

June 04, 2021

The present disclosure is directed to a leader-based partially synchronous BFT SMR protocol that improves upon existing protocols by exhibiting two rounds of communication latency, linear authenticator complexity, and optimistic responsiveness. This is achieved through the novel use of an aggregate signature scheme as part of the protocol's view-change procedure.

1. A method for implementing a Byzantine fault tolerant (BFT) state machine replication (SMR) protocol running on a computing system comprising n replicas, the method comprising: receiving, by a leader replica in the n replicas for a current view number of the BFT SMR protocol, n-f NEW-VIEW messages from other replicas in the n replicas, wherein f is a maximum number of replicas in the n replicas that may be faulty, and wherein each NEW-VIEW message in the n-f NEW-VIEW messages includes a null or non-null quorum certificate, a view delta value, and a signature share; selecting, by the leader replica, a high quorum certificate from among the non-null quorum certificates in the n-f NEW-VIEW messages, the high quorum certificate being a quorum certificate associated with a highest view number; converting, by the leader replica, the view delta value in each NEW-VIEW message into a bit vector, resulting in n-f bit vectors; combining, by the leader replica, the n-f bit vectors into a bit vector set; computing, by the leader replica, an aggregate signature by multiplying together the signatures shares in the n-f NEW-VIEW messages; creating a PREPARE message that includes the current view number, the high quorum certificate, the bit vector set, and the aggregate signature; and broadcasting, by the leader replica, the PREPARE message to the n replicas.

2. The method of claim 1 wherein, for each NEW-VIEW message in the n-f NEW-VIEW messages received from a replica i in the n replicas, the signature share included in the NEW-VIEW message is computed by: calculating a hash of the current view number; and raising the hash by an exponent that is computed as Πj=1, . . . , tbj·ski,j, wherein t is a number of bits used to represent the view delta value included in the NEW-VIEW message in binary form, wherein bj is a jth bit of the view delta value in binary form, and wherein ski,j for j=1, . . . , t correspond to a set of secret keys of replica i.

3. The method of claim 1 wherein, for each NEW-VIEW message in the n-f NEW-VIEW messages including a non-null quorum certificate, the view delta value included in the NEW-VIEW message is a delta between the current view number and a view number associated with the non-null quorum certificate.

4. The method of claim 1 wherein upon receiving the PREPARE message, a replica r in the n replicas is configured to: determine that replica r is locked on a quorum certificate that is associated with a higher view number than the high quorum certificate included in the PREPARE message; and verify the aggregate signature included in the PREPARE message using the current view number, the bit vector set, and a plurality of public keys associated with replicas that originally transmitted in the n-f NEW-VIEW messages.

5. The method of claim 4 wherein upon determining that the verification of the aggregate signature is successful, replica r is further configured to: accept the PREPARE message; and send a PREPARE vote message to the leader replica that includes a proposal associated with the high quorum certificate included in the PREPARE message.

6. The method of claim 4 wherein upon determining that the verification of the aggregate signature is unsuccessful, replica r is further configured to: take no action on the PREPARE message.

7. The method of claim 1 wherein the BFT SMR protocol exhibits two rounds of communication latency, linear authenticator complexity, and optimistic responsiveness.

8. A non-transitory computer readable storage medium having stored thereon program code executable by a leader replica in a computing system comprising n replicas, the method implementing a Byzantine fault tolerant (BFT) state machine replication (SMR) protocol running on the computing system and comprising: receiving, for a current view number of the BFT SMR protocol, n-f NEW-VIEW messages from other replicas in the n replicas, wherein f is a maximum number of replicas in the n replicas that may be faulty, and wherein each NEW-VIEW message in the n-f NEW-VIEW messages includes a null or non-null quorum certificate, a view delta value, and a signature share; selecting a high quorum certificate from among the non-null quorum certificates in the n−f NEW-VIEW messages, the high quorum certificate being a quorum certificate associated with a highest view number; converting the view delta value in each NEW-VIEW message into a bit vector, resulting in n-f bit vectors; combining the n-f bit vectors into a bit vector set; computing an aggregate signature by multiplying together the signatures shares in the n−f NEW-VIEW messages; creating a PREPARE message that includes the current view number, the high quorum certificate, the bit vector set, and the aggregate signature; and broadcasting the PREPARE message to the n replicas.

9. The non-transitory computer readable storage medium of claim 8 wherein, for each NEW-VIEW message in the n-f NEW-VIEW messages received from a replica i in the n replicas, the signature share included in the NEW-VIEW message is computed by: calculating a hash of the current view number; and raising the hash by an exponent that is computed as Πj=1, . . . , tbj·ski,j, wherein t is a number of bits used to represent the view delta value included in the NEW-VIEW message in binary form, wherein bj is a jth bit of the view delta value in binary form, and wherein ski,j for j=1, . . . , t correspond to a set of secret keys of replica i.

10. The non-transitory computer readable storage medium of claim 8 wherein, for each NEW-VIEW message in the n-f NEW-VIEW messages including a non-null quorum certificate, the view delta value included in the NEW-VIEW message is a delta between the current view number and a view number associated with the non-null quorum certificate.

11. The non-transitory computer readable storage medium of claim 8 wherein upon receiving the PREPARE message, a replica r in the n replicas is configured to: determine that replica r is locked on a quorum certificate that is associated with a higher view number than the high quorum certificate included in the PREPARE message; and verify the aggregate signature included in the PREPARE message using the current view number, the bit vector set, and a plurality of public keys associated with replicas that originally transmitted in the n-f NEW-VIEW messages.

12. The non-transitory computer readable storage medium of claim 11 wherein upon determining that the verification of the aggregate signature is successful, replica r is further configured to: accept the PREPARE message; and send a PREPARE vote message to the leader replica that includes a proposal associated with the high quorum certificate included in the PREPARE message.

13. The non-transitory computer readable storage medium of claim 11 wherein upon determining that the verification of the aggregate signature is unsuccessful, replica r is further configured to: take no action on the PREPARE message.

14. The non-transitory computer readable storage medium of claim 8 wherein the BFT SMR protocol exhibits two rounds of communication latency, linear authenticator complexity, and optimistic responsiveness.

15. A computer system acting as a leader replica in a distributed computing system comprising n replicas, the computer system comprising: a processor; and a non-transitory computer readable medium having stored thereon program code that, when executed, causes the processor to: receive, for a current view number of a Byzantine fault tolerant (BFT) state machine replication (SMR) protocol running on the distributed computing system, n-f NEW-VIEW messages from other replicas in the n replicas, wherein f is a maximum number of replicas in the n replicas that may be faulty, and wherein each NEW-VIEW message in the n-f NEW-VIEW messages includes a null or non-null quorum certificate, a view delta value, and a signature share; select a high quorum certificate from among the non-null quorum certificates in the n-f NEW-VIEW messages, the high quorum certificate being a quorum certificate associated with a highest view number; convert the view delta value in each NEW-VIEW message into a bit vector, resulting in n-f bit vectors; combine the n-f bit vectors into a bit vector set; compute an aggregate signature by multiplying together the signatures shares in the n-f NEW-VIEW messages; create a PREPARE message that includes the current view number, the high quorum certificate, the bit vector set, and the aggregate signature; and broadcast the PREPARE message to the n replicas.

16. The computer system of claim 15 wherein, for each NEW-VIEW message in the n-f NEW-VIEW messages received from a replica i in the n replicas, the signature share included in the NEW-VIEW message is computed by: calculating a hash of the current view number; and raising the hash by an exponent that is computed as Πj=1, . . . , tbj·ski,j, wherein t is a number of bits used to represent the view delta value included in the NEW-VIEW message in binary form, wherein b1 is a jth bit of the view delta value in binary form, and wherein ski,j for j=1, . . . , t correspond to a set of secret keys of replica i.

17. The computer system of claim 15 wherein, for each NEW-VIEW message in the n-f NEW-VIEW messages including a non-null quorum certificate, the view delta value included in the NEW-VIEW message is a delta between the current view number and a view number associated with the non-null quorum certificate.

18. The computer system of claim 15 wherein upon receiving the PREPARE message, a replica r in the n replicas is configured to: determine that replica r is locked on a quorum certificate that is associated with a higher view number than the high quorum certificate included in the PREPARE message; and verify the aggregate signature included in the PREPARE message using the current view number, the bit vector set, and a plurality of public keys associated with replicas that originally transmitted in the n-f NEW-VIEW messages.

19. The computer system of claim 18 wherein upon determining that the verification of the aggregate signature is successful, replica r is further configured to: accept the PREPARE message; and send a PREPARE vote message to the leader replica that includes a proposal associated with the high quorum certificate included in the PREPARE message.

20. The computer system of claim 18 wherein upon determining that the verification of the aggregate signature is unsuccessful, replica r is further configured to: take no action on the PREPARE message.

21. The computer system of claim 15 wherein the BFT SMR protocol exhibits two rounds of communication latency, linear authenticator complexity, and optimistic responsiveness.

06; 06

edspap.20220391410