没有合适的资源?快使用搜索试试~ 我知道了~
SBFT一种面向区块链的可扩展去中心化信任基础架构_en1
需积分: 0 1 下载量 36 浏览量
2022-08-04
00:09:24
上传
评论
收藏 443KB PDF 举报
温馨提示
试读
23页
SBFT: a Scalable Decentralized Trust Infrastructure forGuy Golan Gueta (VMware R
资源详情
资源评论
资源推荐
SBFT: a Scalable Decentralized Trust Infrastructure for
Blockchains
Guy Golan Gueta (VMware Research) Ittai Abraham (VMware Research)
Shelly Grossman (TAU) Dahlia Malkhi (VMware Research) Benny Pinkas (BIU)
Michael K. Reiter (UNC-Chapel Hill) Dragos-Adrian Seredinschi (EPFL)
Orr Tamir (TAU) Alin Tomescu (MIT)
Abstract
We present SBFT: a scalable decentralized trust infrastructure for Blockchains. SBFT implements a new Byzan-
tine fault tolerant algorithm that addresses the challenges of scalability and decentralization. Unlike many previous
BFT systems that performed well only when centralized around less than 20 replicas, SBFT is optimized for decentral-
ization and can easily handle more than 100 active replicas. SBFT provides a smart contract execution environment
based on Ethereum’s EVM byte-code.
We tested SBFT by running 1 million EVM smart contract transactions taken from a 4-month real-world Ethereum
workload. In a geo-replicated deployment that has about 100 replicas and can withstand f = 32 Byzantine faults our
system shows speedups both in throughput and in latency. SBFT completed this execution at a rate of 50 transactions
per second. This is a 10× speedup compared to Ethereum current limit of 5 transactions per second. SBFT latency
to commit a smart contract execution and make it final is sub-second, this is more than 10× speedup compared to
Ethereum current > 15 second block generation for registering a smart contract execution and several orders of
magnitude speedup relative to Proof-of-Work best-practice finality latency of one-hour.
1 Introduction
There are two trends that we see no current end to. The first is that malicious attacks are becoming increasingly
common. The second is that more and more critical infrastructure, information and businesses are being digitized and
moved on-line. The solution we see to help these two trends better co-exist is to use a scalable decentralized trust
infrastructure.
Why decentralized trust? Centralized solutions often provide very good performance, but centralization comes
with major security and social welfare concerns. From a security perspective, a centralized service (trusted party)
tends to become a single point of failure [Sza01]. From an economic preservative, a centralized service tends towards
a monopoly, which often creates monopoly rents and hampers innovation [Dix18]. The success of Bitcoin [Nak09]
and more recently Ethereum [Woo14] have spurred the imagination of many as to the potential benefits and significant
potential value to society of a scalable decentralized trust infrastructure.
How do Bitcoin and Ethereum decentralize trust? A core innovation of Bitcoin is a method to provide state
machine replication against a malicious adversary that heavily uses the concept of proof-of-work. Decentralizing trust
means that a system should be trustworthy even if some components are malicious. Systems like Bitcoin and Ethereum
use proof-of-work to decentralize trust in a permissionless manner. In Bitcoin and in Ethereum, anyone can join the
system, maintain the replicated state and participate in creating new blocks in a process called mining.
How decentralized are proof-of-work systems? While fundamentally permissionless, the economic friction of
buying and then running a Bitcoin or Ethereum mining rig has inherent economies of scale and unfair advantages to
certain geographical and political regions. This means that miners are strongly incentivized to join a small set of large
mining coalitions.
In a 2018 study, Gencer et al. [GBE
+
18] show that contrary to popular belief, Bitcoin and Ethereum are less
decentralized than previously thought. Their study concludes that for both Bitcoin and Ethereum, the top < 20 mining
1
arXiv:1804.01626v1 [cs.DC] 4 Apr 2018
coalitions control over 90% of the mining power. The authors comment “These results show that a Byzantine quorum
system of size 20 could achieve better decentralization than Proof-of-Work mining at a much lower resource cost”.
This comment leads us to the main research question of this paper: can we provide a decentralized BFT based solution
for blockchain that can scale to large deployments?
How to decentralize trust in a permissioned Blockchain? In a permissioned setting, Byzantine fault tolerant
(BFT) replication systems play a major role in providing a scalable trust infrastructure. In the Consortium model for
blockchain, a group of participants (say a group of financial institutions) collaborates to build a shared trust infrastruc-
ture. This infrastructure allows executing smart contracts on top of a BFT engine. A smart contract layer like EVM
provides a Turing complete abstraction that uses resource limits (like gas) to provide fairness and prevent denial of
service attacks.
Does BFT matter for permissionless blockchains? In addition to being a key ingredient in consortium blockchains,
large scale BFT deployments are becoming an important component of public blockchains [CV17]. There is a grow-
ing interest in replacing or combining the current Proof-of-Work mechanisms with Byzantine fault tolerant replica-
tion [Vuk15, HL, EEA, But17b, SBV17]. Several recent proposals [KJG
+
16, Mic16, PS16, AMN
+
16, GHM
+
17]
explore the idea of building distributed ledgers that elect a committee (potentially of a few tens or hundreds of nodes)
from a large pool of nodes (potentially thousands or more) and have the smaller committee run a Byzantine fault toler-
ant replication protocol. In all these protocols, it seems that to get a high security guarantee the size of the committee
needs to be such that it can tolerate at least tens if not hundreds of malicious nodes.
Why a new BFT system? By now there exists a solid foundation for practical Byzantine fault tolerant replication
systems. There also exists multiple systems that implemented a practical Byzantine Fault Tolerant replication library.
Our goal is to take the best system designs, foundations, past experiences and carefully optimize and engineer a
solution that is optimized to work over a group of hundreds of replicas and supports the execution of modern EVM
smart contract executions.
Our starting point is PBFT [CL99], a major landmark in designing practical Byzantine BFT. PBFT was initially
targeted for high performance when tuned to tolerate a few failures and replicas communicate over a LAN. PBFT
led to a whole line of research in BFT replication systems [CL99, RCL01, CL02, YMV
+
03, ADK
+
06, KAD
+
07,
KAD
+
10, CKL
+
09, CWA
+
09, ACKL11, CGR11, ABQ13, BSA14, MXC
+
16, LVC
+
16].
These papers provided many algorithmic and system design improvements, for example better execution abstrac-
tion [RCL01], exploiting optimism [KAD
+
10], WAN optimizations [ADK
+
06], better fault tolerance [CWA
+
09,
ACKL11, ABQ13, MXC
+
16], durability [BSF
+
13], new timing models [LVC
+
16] and more [POT
+
16].
The PBFT approach has the important guarantee that safety is maintained even during periods of timing violations,
whereas only progress depends on the leader. Furthermore, PBFT is optimized for the common case of a healthy leader.
A leader-based protocol works very well in practice. A stable leader can pipeline efficiently. In the (rare) case a leader
is faulty, it is promptly removed from the system, and does not continue to burden the protocol in any manner. A
similar consideration causes the entire industry to employ Paxos for benign settings. Obviously, even a stable leader
need not reign forever, it may be rotated regularly.
However, most of the PBFT-based systems cited above are either focused on small clusters, or use aggressive
batching (tens of thousands of requests per consensus decision), or both. Engineering a solution that can withstand
tens of malicious nodes with hundreds of replicas, while ensuring sub second latencies and high throughput, required
careful integration of several ingredients.
SBFT: a Scalable Decentralized Trust Infrastructure for Blockchains
The main contribution of this paper is BFT system that is optimized to work over a group of hundreds of replicas
and supports the execution of modern EVM smart contract executions. SBFT can execute a workload of real-world
EVM contracts at a rate of over 70 transactions per second while being replicated by over 200 replicas and able to
withstand up to f = 64 malicious replicas. In a geo-replicated WAN experiment, SBFT can execute real-world EVM
transactions at over 50 transactions per second while being replicated by over 100 replicas and able to withstand up to
f = 32 malicious replicas.
SBFT uses a combination of methods and designs in order to successfully scale to 200 replicas. Some have a novel
aspect or a new variation on previous works. We highlight these methods and designs here.
2
Using a collector to reduce all-to-all communication. Many previous algorithms, including PBFT [CL99], use
an all-to-all message pattern to commit a decision block.
A trivial way to reduce an all-to-all communication pattern to a linear communication pattern is to use a collector.
Instead of sending to everyone, each replica sends to the collector and the collector broadcasts to everyone. When
messages are cryptographically signed, then using threshold signatures [Sho00, CKS00] one can reduce the outgoing
collector message size from linear to constant.
Zyzzyva [KAD
+
10] used this pattern to reduce all-to-all communication by pushing the collector duty to the
clients. SBFT pushes the collector duty to the replicas in a round-robin manner. We believe that moving the coor-
dination burden to the replicas is more suited to a blockchain setting where there are many light weight clients with
limited connectivity. In addition, SBFT uses threshold signatures to reduce the collector message size and the total
computational overhead of verifying signatures. SBFT also uses a round-robin revolving collector to reduce the load
and also uses c + 1 collectors (instead of one) to improve fault tolerance and handle c slow or faulty collectors.
Using threshold signatures to reduce client communication from O(n) to O(1). Once threshold signatures
are used then an obvious next step is to use them to reduce the number of messages a client needs to receive. In
all previous solutions, including [CL99, KAD
+
10, BSA14], each client needs to receive at least f + 1 = O(n)
messages, each requiring a different signature verification for request acknowledgement (where f is the number of
faulty replicas in a system with n = 3f + 1 replicas). When there are many replicas and many clients, this may add
significant overhead. In SBFT, in the common case, each client needs only one message, containing a single public-
key signature for request acknowledgement. This single message improvement means that SBFT can scale to support
many extremely thin clients.
SBFT reduces the per-client linear cost to just one message cost by adding a phase that uses a single collector
to aggregate the threshold signatures and send each client a single message carrying one signature. Just like public
blockchains (Bitcoin and Ethereum) SBFT uses a Merkle tree to efficiently authenticate information that is read from
just one replica.
Exploiting optimism with a correct view change protocol. As in Zyzzyva [KAD
+
10], SBFT allows for a faster
agreement path in optimistic executions: where all replicas are non-faulty and synchronous. No deployed system we
are aware of incorporates optimism correctly; and getting an optimistic protocol to do the right thing, especially the
view-change protocol, proved trickier than one thinks [AGM
+
17, AGMM18]. We note that refined-Quorum-Systems
[GV10], a fast single shot Byzantine consensus, and Azyzzyva [AGK
+
15], a fast State-Machine-Replication, are
protocols that do exploit optimism correctly. However their view change requires replicas to maintain/send information
from all past views while SBFT requires replicas to maintain/send information just from the most recent view.
Furthermore, to make optimism the common case, SBFT allows the fast track to tolerate up to a small number c
(parameter) of crashed or straggler nodes out of n = 3f + 2c + 1 replicas, an approach that has been suggested before
in the context of single-shot consensus algorithms [MA06].
SBFT takes advantage of modern cryptographic advances. SBFT uses Boneh–Lynn–Shacham (BLS) signa-
tures [BLS04] with security that is comparable to 2048-bit RSA signatures but are just 33 bytes long. Threshold
signatures [Bol02] are much faster when implemented over BLS (see Section 2.1).
1.1 Evaluating SBFT’s scalability.
We implemented SBFT as a scalable BFT engine and a blockchain that executes EVM smart contracts [Woo14] (see
Section 7).
We first conduct micro-benchmarks that test the performance of SBFT’s BFT engine in isolation. We conduct
standard micro-benchmark experiments with synthetic workloads for SBFT that compare our replicated library im-
plementation with previous implementations (PBFT) and with variations of SBFT where we turn on only some of its
scalability features (for example we compare to a correct version of Zyzzva where the coordination work is transfered
from the client to a revolving replica collector). Our experiments show that for deployments tailored to withstand
f=8, 32, 64 failures, our implementation exhibits significantly better performance relative to PBFT.
While standard micro-benchmark experiments with synthetic workloads are a good way to compare the BFT engine
internals, we realize that real world blockchains like Ethereum have a very different type of execution workload based
on smart contracts.
3
We conduct experiments on real world workloads for our blockchain that compare its throughput relative to the
current throughput of Ethereum. Our goal is not to do a comparison of a permissioned BFT system against a proof-
of-work system, this is clearly not a fair comparison. Rather, motivated by [GBE
+
18] our goal is just to show that
a scalable BFT system can be much more decentralized than a proof-of-work system and still obtain comparable
(and even significantly better) throughput, finality and latency while running the same real world work-load of smart
contracts.
We take 1 million smart contract executions that were processed by Ethereum during a 4 months period Our
experiments show that this smart contract execution workload takes less than 6 hours to complete when running
on a geo-replicated deployment that can withstand f = 32 failures and uses about 100 replicas. This is about 50
transactions per second which is a 10× speedup over Ethereum’s bound of 5 transactions per second [eth17, But17a].
When running on a single region, an SBFT deployment that can withstand f = 64 failures and uses about 200 replicas
completes these 1 Million transactions in 20 minutes, or about 833 transactions per second.
We conclude that SBFT more scalable and decentralized relative to previous BFT solutions. Relative to state-of-
art proof-of-work systems like Ethereum, SBFT can run the same smart contracts at a higher throughput, much better
finality and latency, and with much better decentralization. Clearly, Ethereum and other proof-of-work systems benefit
from being an open permissionless system while SBFT is a permissioned blockchain system. We leave the integration
of SBFT in a permissionless system for future work.
2 System Model
We assume a standard asynchronous BFT system model where an adversary can control up to f Byzantine nodes and
can delay any message in the network by any finite amount. To obtain liveness and our improved results we also
distinguish two special conditions. We say that the system is in the synchronous mode, when the adversary can control
up to f Byzantine nodes, but messages between any two non-faulty nodes have a bounded delay. Finally we say that
the system is in the common mode, when the adversary can control up to c ≤ f nodes that can only crash or act
slow, and messages between any two non-faulty nodes have a bounded delay. This three-mode model follows that for
Parameterized FaB Paxos [MA06].
2.1 Cryptography
We make extensive use of threshold signatures, where for a threshold parameter k, any subset of k from a total of
n signers can collaborate to produce a valid signature on any given message, but no subset of less than k can do so.
Threshold signatures have proved useful in previous BFT algorithms and systems e.g., [Sho00, CKS00, ADK
+
06,
ADD
+
10]). Each signer holds a distinct private signing key that it can use to generate a signature share. For a Greek
letter α, we denote by α
i
(d) the signature share on digest d by signer i. Any k valid signature shares {α
j
(d) | j ∈
J, |J| = k} on the same digest d can be combined into a single signature α(d) using a public function, yielding a
digital signature α(d). A verifier can verify this signature using a single public key. Some threshold signature schemes
are robust, meaning signers can efficiently filter out invalid signature shares from malicious participants.
Our implementation specifically uses a robust threshold signature scheme based on Boneh–Lynn–Shacham (BLS)
signatures [BLS04]. BLS signatures resemble RSA signatures. However, while RSA is built in a group of hidden
order, BLS is built using pairings [Jou00] over elliptic curve groups of known order. BLS signatures have three major
advantages over RSA that make them particularly attractive for large scale BFT deployments. (1) Compared to RSA
signatures with the same security level, BLS signatures are substantially shorter. BLS requires 33 bytes compared
to 256 bytes for 2048-bit RSA. (2) Because in RSA threshold signatures the group order must remain hidden even
from the parties contributing to a signature, creating and combining signature shares via interpolation in the exponent
requires several expensive operations [Sho00]. In contrast, BLS threshold signatures [Bol02] allow straightforward
interpolation in the exponent with no additional overhead. (3) Unlike RSA, BLS signature shares support batch
verification, allowing multiple signature shares (even of different messages) to be validated at nearly the same cost of
validating only one signature [Bol02].
In our algorithm we use three different threshold signatures: σ, with threshold of 3f + c + 1, for signing messages
in the common mode; τ , with threshold of 2f + c + 1, for the synchronous mode and for the view change protocol
4
剩余22页未读,继续阅读
萌新小白爱学习
- 粉丝: 16
- 资源: 311
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功
评论0