4.8 Improving the Model: Availability and Bigger Networks
4.8.2 Example: Byzantine Generals
As an example, we will use the presented methodology to model a popular example from the literature: the Byzantine Generals problem. We will then restate a popular result concerning this problem by giving a proof in our framework.
The Byzantine Generals Problem
The Byzantine Generals problem was first introduced by Lamport, Shostak, and Pease [81]. The motivation is as follows: suppose that a commanding general wants to give orders (for the sake of simplicity he will only use “attack” or “retreat”) to his lieutenants but he does not know which of them are trustworthy. Also, the lieutenants do not know whether the general himself is trustworthy. Now suppose that each of the participants can communicate with each other participant via “oral” messages. The Byzantine Generals problem is to find an algorithm that, given a number of parties n (one of them is the general), ensures that:
1. All loyal lieutenants obey the same order and
2. If the general is loyal, then every loyal lieutenant obeys the order he sends.
Note that a disloyal (corrupted) lieutenant can arbitrarily lie about messages he received and try to deceive other lieutenants. He can also refuse to send any messages. However, it is assumed that loyal parties will notice when messages are missing. Lamport et al. [81] show that there cannot be a generic solution to the problem for three parties, but there is a solution for four parties. We will now model the Byzantine Generals problem with four parties according to our methodology and give a formal security proof for a specific solution to the problem.
Modeling the Byzantine Generals Problem
The network in this example is fully connected. Every party can transmit messages to every other party. There is a maximum latency of 2δ until a packet is output by one of the parties: a possible delay of δ from the general to the lieutenants and another possible delay of δ for a packet from one lieutenant to reach the others.
The Byzantine Generals problem statement implies that a party notices if it will not receive messages from another party anymore, so that it will not wait indefinitely. In reality this is usually realized by timeouts—we will use the same mechanism here.
Figure 4.15 shows the protocol which implements a solution to the generals problem. Figure 4.16 shows the corresponding ideal functionality. This functionality fulfills the requirements for a solution to the Generals problem given earlier.
We will now show that this protocol realizes the ideal functionality.
Theorem 26. πbyz realizes Fbyz-ideal in the Fnetbyz,δ-hybrid model.
Proof. We prove the theorem by giving a stepwise transformation from the real model to the ideal model. We argue that the individual transformation steps are indistinguishable for the environment, and thus, by the transitivity of indistinguishability, the real model is indistinguishable from the ideal model. Start with the real protocol.
Regroup all parties into a new machine S. The adversary simulator S will simulate the real network in all transformation steps. Introduce dummy parties DG, DL1, DL2, DL3 for all protocol parties and relay messages from and to Z appropriately. Introduce a new machine Fbyz-ideal. Route all communication from the dummies to S and vice versa through Fbyz-ideal. The regrouping of parties is indistinguishable for the environment. In the upcoming transformation steps, we will gradually expand Fbyz-ideal’s functionality:
1. Initialize variables mL1, mL2, and mL3. When receiving a message m from dummy party G, set mL1 := m, mL2 := m and mL3 := m. Also initialize and save a round counter d := 2δ. This modification is indistinguishable, since it only stores information and does not alter the communication.
2. If G is corrupted, accept a message (set, m1, m2, m3) from S. Check if there are i ≠ j such that mi = mj. If so, set mL1, mL2, mL3 to mi. Else set mL1 = m1, mL2 = m2, mL3 = m3. This modification again only stores information.

A solution to the Byzantine Generals problem with four parties πbyz
Each party maintains a local round counter r.
• Party G:
  – “Input”: Upon first activation this round and input m by Z, save m and ignore further inputs.
  – “Send”: Upon third activation, call Fnetbyz(send, (L1, m), (L2, m), (L3, m)) if m was saved.
  – “RoundOK”: Upon fifth activation, send (RoundOK) to Fclock.
• Party Ln:
  – “Fetch”: Upon second activation,
    ∗ call Fnetbyz(fetch, {G, Lk, Lj}) for k ≠ j ≠ n. If the call was successful, save the messages for the corresponding parties.
  – “Send”: Upon third activation,
    ∗ if there is a message m by party G which has not been broadcast yet, broadcast it: call Fnetbyz(send, (Lk, m), (Lj, m)) with k, j ≠ n.
  – “Output”: Upon fourth activation,
    ∗ if r < 2δ and there are two identical messages m from two different parties (other than G), output m. If there are three different messages from the different parties, output the message from party 1;
    ∗ if r = 2δ output retreat.
  – “RoundOK”: Upon fifth activation, send (RoundOK) to Fclock.
Figure 4.15: The protocol for the Byzantine Generals problem with four parties. The ideal network functionality allows for a maximum delay of δ for each message and messages have to be sent from the general first and from the lieutenants afterwards. Thus a party will assume a timeout after 2δ rounds.

The ideal functionality of the Byzantine Generals problem with four parties Fbyz-idealδ.
Upon initialization store a delay value d := (2δ) and initialize three variables mL1 := ⊥, mL2 := ⊥, mL3 := ⊥.
• Upon receiving message (input, m, G) from Fwrap and if G is honest: store mLp := m for p ∈ {1, 2, 3} and send (input, m, G) to the adversary.
• Upon receiving message (set, m1, m2, m3) from the adversary and if G is corrupted: if mL1 = ⊥, mL2 = ⊥, mL3 = ⊥, and there are two identical messages mi, mj with i ≠ j, set mL1, mL2, mL3 := mi, else set mL1, mL2, mL3 := mj where j is the smallest index for which mj ≠ ⊥.
• Upon receiving message (output, p1, p2, p3) from the adversary: mark messages mp1, mp2, mp3 as ready for output.
• Upon receiving message (output, p) from Fwrap:
  – If d = 0: output retreat to p.
  – If d ≠ 0 and if mp is marked as ready for output, output mp to p.
• Upon receiving message (RoundComplete) from Fwrap, decrease d by 1 and send (RoundComplete) to the adversary.
Figure 4.16: The ideal functionality of the three generals problem. If the general is honest, all honest parties will obey his order. If he is corrupted, all parties will obey the same order. As in the real protocol the adversary cannot delay the output for more than 2δ rounds.

3. When S attempts to pass output m from an uncorrupted party p in the simulation back to the dummy party, only allow it to pass through Fbyz-ideal if either
(a) m has been stored as mp in Fbyz-ideal, or
(b) the message is retreat.
We have to argue the indistinguishability of this modification. A real protocol party will only output a message other than retreat when it has received two identical messages. This will only happen if
(a) G is honest—then, m will have been provided by Z through dummy party G and thus saved for every party in the ideal functionality, or
(b) G is corrupted and sent two identical messages. In this case, S will have used the set-message to provide these messages and they will also have been saved for every party.
4. Introduce Fwrap as a wrapper around Fbyz-ideal. For each notification that a round is complete from Fwrap decrease the delay value d and notify S that the round is complete. Fwrap will not notify S about activations in phase 4 (“output”), but Fbyz-ideal instead. The simulator is thus not able to accurately simulate the exact order of outputs. However, the simulator is still able to determine the set of messages to output for each party in each round: he still is notified about the input to the protocol, when a party sends a message, and when a round is complete. We alter the strategy of S to make the modification indistinguishable: in each round, observe which parties will output a message and notify the ideal functionality that these parties are ready for output. Now, when Z activates a party and expects output, the ideal functionality will output possible messages for that specific party. This allows for all messages other than retreat to be output correctly. So, if d = 0 after the fourth activation of a party, Fbyz-ideal just outputs retreat, mimicking the behaviour in the real model. Fbyz-ideal and S now behave as specified in the ideal model, perfectly emulating the real model.
This concludes the proof.
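
The following is an added example, not part of the original text: it exhaustively checks the “Output” rule of Figure 4.15 against conditions 1 and 2 for every behaviour of a single corrupted party. It abstracts away the clock, the activations and the delay δ (a message either arrives or is missing), assumes that a lieutenant counts the general's direct message as its own vote next to the two relayed ones, and uses a constructed third order "hold" to reach the three-different-messages case; all function names are illustrative.

```python
from itertools import product

ORDERS = ("attack", "retreat", "hold")  # "hold" is a constructed third value
MISSING = None                          # a message that never arrives
LIEUTENANTS = (1, 2, 3)

def decide(votes):
    """Output rule of a loyal lieutenant; votes maps lieutenant index -> value
    (own entry = what G sent directly, other entries = relayed values)."""
    present = [v for v in votes.values() if v is not MISSING]
    for v in present:
        if present.count(v) >= 2:       # two identical messages
            return v
    if len(present) == 3:               # three different messages
        return votes[1]                 # "the message from party 1"
    return "retreat"                    # timeout at r = 2δ

def run(general_sends, corrupt=None, lies=None):
    """Outputs of the loyal lieutenants. general_sends[n] is what G sends to Ln;
    lies[n] is what the corrupted lieutenant `corrupt` relays to Ln."""
    outputs = {}
    for n in LIEUTENANTS:
        if n == corrupt:
            continue
        votes = {k: general_sends[k] for k in LIEUTENANTS}  # honest relays
        if corrupt is not None:
            votes[corrupt] = lies[n]    # the corrupted party may tell each peer something else
        outputs[n] = decide(votes)
    return outputs

def violations():
    """Enumerate every single-corruption behaviour; return (cases, failures)."""
    values, cases, bad = ORDERS + (MISSING,), 0, []
    # Corrupted general, loyal lieutenants: condition 1 (agreement) must hold.
    for sends in product(values, repeat=3):
        out = run(dict(zip(LIEUTENANTS, sends)))
        cases += 1
        if len(set(out.values())) != 1:
            bad.append(("G", sends, out))
    # Loyal general, one corrupted lieutenant: conditions 1 and 2 must hold.
    for order, corrupt in product(ORDERS, LIEUTENANTS):
        loyal = [n for n in LIEUTENANTS if n != corrupt]
        for lie in product(values, repeat=2):
            out = run({n: order for n in LIEUTENANTS}, corrupt, dict(zip(loyal, lie)))
            cases += 1
            if set(out.values()) != {order}:
                bad.append((corrupt, lie, out))
    return cases, bad

if __name__ == "__main__":
    print(violations())
```
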