HyperledgerFabric:ADistributedOperatingSystemforPermissionedBlockchains

需积分: 12 30 浏览量 2020-12-23 17:02:45 上传评论收藏 680KB PDF 举报

### Hyperledger Fabric: 分布式操作系统在许可型区块链的应用 #### 概述 Hyperledger Fabric是一种模块化且可扩展的开源系统，专为部署和运行许可型区块链而设计。该平台目前已被应用于超过400个分布式账本技术的原型和概念验证项目，以及多个行业的实际生产系统中。 #### 核心特性与设计理念 Hyperledger Fabric的设计基于一个前提：不存在适用于所有场景的一刀切解决方案。因此，Fabric成为了首个真正可扩展的区块链系统，用于运行分布式应用。它支持可插拔的共识协议，使得系统可以根据特定的用例和信任模型进行定制。此外，Fabric也是首个能够运行使用通用编程语言编写的分布式应用的区块链系统，无需依赖任何原生加密货币。这一点与现有的区块链平台形成了鲜明对比，后者通常要求代码使用特定领域的语言编写或依赖某种加密货币。为了实现这种灵活性，Fabric采用了一种便携式的成员资格概念来实现许可型模型，并可以与行业标准的身份管理方案集成。为了支持这些特性，Fabric对许可型区块链的设计采取了新颖的方法，并重新定义了区块链如何应对非确定性、资源耗尽以及性能攻击等问题。 #### 架构与设计决策 Hyperledger Fabric的架构设计充分考虑了模块化和可扩展性，允许开发者根据不同的需求选择合适的组件。其核心组成部分包括： - **链码（Chaincode）**：用于执行智能合约逻辑，支持多种编程语言。 - **节点（Nodes）**：分为不同类型，如订单节点（Orderer Nodes）、背书节点（Endorser Nodes）和提交节点（Committing Nodes），各自负责处理交易的不同方面。 - **通道（Channels）**：为不同参与者之间提供私密通信途径。 - **成员服务（Membership Service）**：管理网络成员的权限和身份验证。 - **共识机制**：可配置的共识算法，如Kafka、Solo等，以适应不同应用场景的需求。 #### 安全模型与保障安全是Hyperledger Fabric的核心关注之一。其安全模型包括但不限于： - **加密通信**：通过TLS等协议确保数据传输的安全性。 - **身份验证**：利用成员服务实现对参与者的身份验证。 - **访问控制**：细粒度的权限管理确保只有授权用户才能访问特定资源。 - **数据隐私**：通过通道实现数据隔离，保护敏感信息不被未经授权的参与者访问。 #### 应用程序编程模型 Hyperledger Fabric提供了丰富的API接口，支持开发者构建复杂的应用程序。这些API涵盖了从创建链码到处理交易的所有方面。开发人员可以选择使用Go、Java等多种主流编程语言进行开发，这极大地降低了进入门槛并增强了系统的灵活性。 #### 性能评估为了评估Hyperledger Fabric的实际表现，研究人员实现了一个受比特币启发的数字货币系统，并对其进行了基准测试。测试结果表明，Fabric在处理速度、吞吐量和延迟等方面均表现出色，特别是在支持高并发事务处理时。 #### 结论 Hyperledger Fabric作为一种先进的分布式操作系统，为许可型区块链的部署和运行提供了强大的支持。它的模块化架构、灵活的共识机制以及广泛的编程语言支持使其成为企业级应用的理想选择。随着更多企业和组织采用该平台，Hyperledger Fabric有望在推动区块链技术的普及和发展方面发挥关键作用。

资源推荐

资源详情

资源评论

Hyperledger Fabric: A Distributed Operating System

for Permissioned Blockchains

Elli Androulaki Artem Barger Vita Bortnikov Christian Cachin Konstantinos

Christidis Angelo De Caro David Enyeart Christopher Ferris Gennady Laventman

Yacov Manevich Srinivasan Muralidharan

∗

Chet Murthy

†

Binh Nguyen

∗

Manish

Sethi Gari Singh Keith Smith Alessandro Sorniotti Chrysoula Stathakopoulou

Marko Vukoli

c Sharon Weed Cocco Jason Yellick

I B M

Abstract

Hyperledger Fabric is a modular and extensible open-source

system for deploying and operating permissioned block-

chains. Fabric is currently used in more than 400 prototypes

and proofs-of-concept of distributed ledger technology, as

well as several production systems, across different indus-

tries and use cases.

Starting from the premise that there are no “one-size-

ﬁts-all” solutions, Fabric is the ﬁrst truly extensible block-

chain system for running distributed applications. It supports

modular consensus protocols, which allows the system to

be tailored to particular use cases and trust models. Fab-

ric is also the ﬁrst blockchain system that runs distributed

applications written in general-purpose programming lan-

guages, without systemic dependency on a native cryptocur-

rency. This stands in sharp contrast to existing blockchain

platforms for running smart contracts that require code to

be written in domain-speciﬁc languages or rely on a cryp-

tocurrency. Furthermore, it uses a portable notion of mem-

bership for realizing the permissioned model, which may be

integrated with industry-standard identity management. To

support such ﬂexibility, Fabric takes a novel approach to the

design of a permissioned blockchain and revamps the way

blockchains cope with non-determinism, resource exhaus-

tion, and performance attacks.

This paper describes Fabric, its architecture, the ratio-

nale behind various design decisions, its security model and

guarantees, its most prominent implementation aspects, as

∗

Work done at IBM, now with State Street Corp.

†

Work done at IBM.

[Copyright notice will appear here once ’preprint’ option is removed.]

well as its distributed application programming model. We

further evaluate Fabric by implementing and benchmark-

ing a Bitcoin-inspired digital currency. We show that Fabric

achieves end-to-end throughput of more than 3500 transac-

tions per second in certain popular deployment conﬁgura-

tions, with sub-second latency.

1. Introduction

A blockchain can be deﬁned as an immutable ledger for

recording transactions, maintained within a distributed net-

work of mutually untrusting peers. Every peer maintains

a copy of the ledger. The peers execute a consensus pro-

tocol to validate transactions, group them into blocks, and

build a hash chain over the blocks. This process forms the

ledger by ordering the transactions, as is necessary for con-

sistency. Blockchains have emerged with Bitcoin (http:

//bitcoin.org/) and are widely regarded as a promising

technology to run trusted exchanges in the digital world.

In a public or permissionless blockchain anyone can par-

ticipate without a speciﬁc identity. Public blockchains typi-

cally involve a native cryptocurrency and often use consen-

sus based on “proof of work” (PoW) and economic incen-

tives. Permissioned blockchains, on the other hand, run a

blockchain among a set of known, identiﬁed participants. A

permissioned blockchain provides a way to secure the inter-

actions among a group of entities that have a common goal

but which do not fully trust each other, such as businesses

that exchange funds, goods, or information. By relying on

the identities of the peers, a permissioned blockchain can

use traditional Byzantine-fault tolerant (BFT) consensus.

Blockchains may execute arbitrary, programmable trans-

action logic in the form of smart contracts, as exempliﬁed

by Ethereum (http://ethereum.org/). The scripts in Bit-

coin were a predecessor of the concept. A smart contract

functions as a trusted distributed application and gains its

security from the blockchain and the underlying consensus

among the peers. This closely resembles the well-known ap-

proach of building resilient applications with state-machine

replication (SMR) [31]. However, blockchains depart from

traditional SMR with Byzantine faults in important ways: (1)

arXiv:1801.10228v1 [cs.DC] 30 Jan 2018

not only one, but many distributed applications run concur-

rently; (2) applications may be deployed dynamically and by

anyone; and (3) the application code is untrusted, potentially

even malicious. These differences necessitate new designs.

Many existing smart-contract blockchains follow the

blueprint of SMR [31] and implement so-called active repli-

cation [13]: a protocol for consensus or atomic broadcast

ﬁrst orders the transactions and propagates them to all peers;

and second, each peer executes the transactions sequentially.

We call this the order-execute architecture; it requires all

peers to execute every transaction and all transactions to be

deterministic. The order-execute architecture can be found

in virtually all existing blockchain systems, ranging from

public ones such as Ethereum (with PoW-based consensus)

to permissioned ones (with BFT-type consensus) such as

Tendermint (http://tendermint.com/), Chain (http:

//chain.com/), and Quorum (http://www.jpmorgan.

com/global/Quorum). Although the order-execute design

is not immediately apparent in all systems, because the addi-

tional transaction validation step may blur it, the limitations

of order-execute are inherent in all: every peer executes ev-

ery transaction and transactions must be deterministic.

Prior permissioned blockchains suffer from many limita-

tions, which often stem from their permissionless relatives

or from using the order-execute architecture. In particular:

•

Consensus is hard-coded within the platform, which con-

tradicts the well-established understanding that there is

no “one-size-ﬁts-all” (BFT) consensus protocol [33];

•

The trust model of transaction validation is determined

by the consensus protocol and cannot be adapted to the

requirements of the smart contract;

•

Smart contracts must be written in a ﬁxed, non-standard,

or domain-speciﬁc language, which hinders wide-spread

adoption and may lead to programming errors;

•

The sequential execution of all transactions by all peers

limits performance, and complex measures are needed

to prevent denial-of-service attacks against the platform

originating from untrusted contracts (such as accounting

for runtime with “gas” in Ethereum);

•

Transactions must be deterministic, which can be difﬁcult

to ensure programmatically;

•

Every smart contract runs on all peers, which is at odds

with conﬁdentiality, and prohibits the dissemination of

contract code and state to a subset of peers.

In this paper we describe Hyperledger Fabric or simply

Fabric, an open-source (http://github.com/hyperledger/

fabric) blockchain platform that overcomes these limita-

tions. Fabric is one of the projects of Hyperledger (http:

//www.hyperledger.org) under the auspices of the Linux

Foundation (http://www.linuxfoundation.org). Fab-

ric is used in more than 400 prototypes, proofs-of-concept,

and in production distributed-ledger systems, across differ-

ent industries and use cases. These use cases include but are

not limited to areas such as dispute resolution, trade logis-

tics, FX netting, food safety, contract management, diamond

provenance, rewards point management, low liquidity se-

curities trading and settlement, identity management, and

settlement through digital currency.

Fabric introduces a new blockchain architecture aiming

at resiliency, ﬂexibility, scalability, and conﬁdentiality. De-

signed as a modular and extensible general-purpose per-

missioned blockchain, Fabric supports the execution of dis-

tributed applications written in standard programming lan-

guages. This makes Fabric the ﬁrst distributed operating sys-

tem for permissioned blockchains.

The architecture of Fabric follows a novel execute-order-

validate paradigm for distributed execution of untrusted

code in an untrusted environment. It separates the trans-

action ﬂow into three steps, which may be run on different

entities in the system: (1) executing a transaction and check-

ing its correctness, thereby endorsing it (corresponding to

“transaction validation” in other blockchains); (2) order-

ing through a consensus protocol, irrespective of transaction

semantics; and (3) transaction validation per application-

speciﬁc trust assumptions, which also prevents race condi-

tions due to concurrency.

This design departs radically from the order-execute

paradigm in that Fabric typically executes transactions be-

fore reaching ﬁnal agreement on their order. It combines

the two well-known approaches to replication, passive and

active, as follows.

First, Fabric uses passive or primary-backup replica-

tion [6, 13] as often found in distributed databases, but with

middleware-based asymmetric update processing [24, 25]

and ported to untrusted environments with Byzantine faults.

In Fabric, every transaction is executed (endorsed) only by a

subset of the peers, which allows for parallel execution and

addresses potential non-determinism, drawing on “execute-

verify” BFT replication [21]. A ﬂexible endorsement policy

speciﬁes which peers, or how many of them, need to vouch

for the correct execution of a given smart contract.

Second, Fabric incorporates active replication in the

sense that the transaction’s effects on the ledger state are

only written after reaching consensus on a total order among

them, in the deterministic validation step executed by each

peer individually. This allows Fabric to respect application-

speciﬁc trust assumptions according to the transaction en-

dorsement. Moreover, the ordering of state updates is del-

egated to a modular component for consensus (i.e., atomic

broadcast), which is stateless and logically decoupled from

the peers that execute transactions and maintain the ledger.

Since consensus is modular, its implementation can be tai-

lored to the trust assumption of a particular deployment. Al-

though it is readily possible to use the blockchain peers also

for implementing consensus, the separation of the two roles

adds ﬂexibility and allows one to rely on well-established

toolkits for CFT (crash fault-tolerant) or BFT ordering.

2 2018/2/1

Overall, this hybrid replication design, which mixes pas-

sive and active replication in the Byzantine model, and the

execute-order-validate paradigm, represent the main inno-

vation in Fabric architecture. They resolve the issues men-

tioned before and make Fabric a scalable system for permis-

sioned blockchains supporting ﬂexible trust assumptions.

To implement this architecture, Fabric contains modular

building blocks for each of the following components:

Ordering service: An ordering service atomically broad-

casts state updates to peers and establishes consensus on

the order of transactions. It has been implemented with

Apache Kafka/ZooKeeper (http://kafka.apache.

org/) and with BFT-SMaRt [3].

Identity and membership: A membership service provider

is responsible for associating peers with cryptographic

identities. It maintains the permissioned nature of Fabric.

Scalable dissemination: An optional peer-to-peer gossip

service disseminates the blocks output by ordering ser-

vice to all peers.

Smart-contract execution: Smart contracts in Fabric run

within a container environment for isolation. They can

be written in standard programming languages but do not

have direct access to the ledger state.

Ledger maintenance: Each peer locally maintains the ledger

in the form of the append-only blockchain and as a snap-

shot of the most recent state in a key-value store (KVS).

The KVS can be implemented by standard libraries, such

as LevelDB or Apache CouchDB.

The remainder of this paper describes the architecture

of Fabric and our experience with it. Section 2 summa-

rizes the state of the art and explains the rationale behind

various design decisions. Section 3 introduces the architec-

ture and the execute-order-validate approach of Fabric in de-

tail, illustrating the transaction execution ﬂow. In Section 4,

the key components of Fabric are deﬁned, in particular, the

ordering service, membership service, peer-to-peer gossip,

ledger database, and smart-contract API. Results and in-

sights gained in a performance evaluation of Fabric with a

Bitcoin-inspired cryptocurrency, deployed in a cluster en-

vironment on commodity public cloud VMs, are given in

Section 5. They show that Fabric achieves, in popular de-

ployment conﬁgurations, throughput of more than 3500 tps,

achieving ﬁnality [36] with latency of a few hundred ms. Fi-

nally, Section 6 discusses related work.

2. Background

2.1 Order-Execute Architecture for Blockchains

All previous blockchain systems, permissioned or not, fol-

low the order-execute architecture. This means that the

blockchain network orders transactions ﬁrst, using a con-

Update stateOrder Execute

●

Deterministic (!)

execution

●

Persist state on

all peers

●

Consensus or

atomic broadcast

Figure 1. Order-execute architecture in replicated services.

sensus protocol, and then executes them in the same order

on all peers sequentially.

For instance, a PoW-based permissionless blockchain

such as Ethereum combines consensus and execution of

transactions as follows: (1) every peer (i.e., a node that par-

ticipates in consensus) assembles a block containing valid

transactions (to establish validity, this peer already pre-

executes those transactions); (2) the peer tries to solve a PoW

puzzle [28]; (3) if the peer is lucky and solves the puzzle, it

disseminates the block to the network via a gossip protocol;

and (4) every peer receiving the block validates the solution

to the puzzle and all transactions in the block. Effectively,

every peer thereby repeats the execution of the lucky peer

from its ﬁrst step. Moreover, all peers execute the transac-

tions sequentially (within one block and across blocks). The

order-execute architecture is illustrated by Fig. 1.

Existing permissioned blockchains such as Tendermint,

Chain, or Quorum typically use BFT consensus [9], pro-

vided by PBFT [11] or other protocols for atomic broad-

cast. Nevertheless, they all follow the same order-execute

approach and implement classical active SMR [13, 31].

2.2 Limitations of Order-Execute

The order-execute architecture is conceptually simple and

therefore also widely used. However, it has several draw-

backs when used in a general-purpose permissioned block-

chain. We discuss the three most signiﬁcant ones next.

Sequential execution. Executing the transactions sequen-

tially on all peers limits the effective throughput that can be

achieved by the blockchain. In particular, since the through-

put is inversely proportional to the execution latency, this

may become a performance bottleneck for all but the sim-

plest smart contracts. Moreover, recall that in contrast to tra-

ditional SMR, the blockchain forms a universal computing

engine and its payload applications might be deployed by an

adversary. A denial-of-service (DoS) attack, which severely

reduces the performance of such a blockchain, could simply

introduce smart contracts that take a very long time to exe-

cute. For example, a smart contract that executes an inﬁnite

loop has a fatal effect, but cannot be detected automatically

because the halting problem is unsolvable.

To cope with this issue, public programmable block-

chains with a cryptocurrency account for the execution cost.

Ethereum, for example, introduces the concept of gas con-

In many blockchains with a hard-coded primary application, such as

Bitcoin, this transaction execution is called “transaction validation.” Here

we call this step transaction execution to harmonize the terminology.

3 2018/2/1

剩余14页未读，继续阅读

评论收藏

内容反馈

github_33716821

粉丝: 1
资源: 5

Hyperledger Fabric: A Distributed Operating System for Permissio...

最新资源