The shortest permutation sequence

Mauw, Radomirovi´c and Dashti (MRD) [51] proved that the optimal number of messages of totally-ordered fair contract signing schemes18falls between + n − 1 and  + 2n − 3. Later, Mauw and Radomirovi´c (MR) [53] generalized the result of MRD to DAG-ordered fair contract signing schemes19. Both [51] and [53] considered fair contract signing as fair exchange of 17_{The main difference is that contract signing outputs a proof which binds a contract agreed in advance while}

computation usually does not require such binding.

18_{In a totally-ordered contract signing scheme, signers execute totally-ordered communication steps; i.e., at any}

point in time, only one signer has sufficient messages to calculate and send the next message.

digital signatures. They use a model different from PSW, and fall within the coverage of our Theorem 9. Neither MRD’s result nor MR’s result implies our Theorem 9. Neither allows arbitrarily interleaved messages as our Theorem 9; instead, they assume that communication steps are either totally ordered or ordered following a directed acyclic graph (DAG). In addition, both results [51, 53] propose a range of the optimal efficiency for fair exchange, instead of a concrete lower bound for fair computation in general (as does our Theorem 9).

It is important to note that our Theorem 9 is not a generalization of MRD’s result nor of MR’s result. What MRD or MR count are the messages sent from some signer. This makes the proof difficult to extend: after a message m leaves its source s, due to the asynchronous network, m does not help s’s knowledge about other parties’ possible states. Thus m should not help s reach an agreement if s wants to stop after sending m, unless the messages after m are defined and ordered in advance. On the contrary, what we count throughout our proof are the messages received (or not) at a destination d , which affects d ’s stop event. This is the key in our case for not requiring any ordering.

Another crucial concept used by MRD is the idea of an idealized protocol. An idealized protocol is informally defined as a totally-ordered fair exchange protocol of which the number of messages in an optimistic execution is optimal [51]. (Here a protocol is equivalent as a Compute protocol in our Definition 20. The communication with a third party T is not considered as part of the protocol.) At the end phase of the idealized protocol, each of the n signers is supposed to send exactly one message [51]. It is not clear yet whether the assumption can be justified or not: the main theorem in [51] relates the end of an idealized protocol with part of the shortest permutation sequence; however, (the form of the end of ) the shortest permutation sequence is still open for a large n [129]. This also leads to a non- optimal fair exchange protocol in [51] and a non-optimal protocol compiler in [52] which generates a protocol specification of an optimistic fair contract signing scheme given a shortest permutation sequence.20 Compared with MRD’s idealized protocol, our proof of Theorem 9 shows that, at the end of an optimal protocol, each of the n parties may receive exactly one message, and moreover, the end of an optimal protocol is not related to the shortest permutation sequence. We believe that this has further implications on the design of correct and efficient fair computation protocols.

20_{Although [52] proved that the resulting protocol needs at least + 2n − 3 messages in an optimistic execution,}

the number of messages exchanged during every optimistic execution is actually strictly larger than + 2n − 3 for

In this dissertation, we study the complexity and propose optimal protocols of decentralized solutions for reliable and secure distributed transactions. Here a decentralized solution refers to the one which does not use a distinguished coordinator or use the coordinator as little as possible. To this end, we perform two analyses on atomicity and causal consistency in reliable distributed transactions and one study on optimistic fair computation in secure distributed transactions. We now summarize our complexity results and outline a few open issues and research directions for future work.

5.1 Summary

5.1.1 Distributed transaction commit

We present the first systematic study of the complexity of atomic commit. We study the best- case complexity, i.e., the time and message complexity of any nice execution of a commit protocol. To have a better understanding of the tradeoff between atomicity and efficiency, we have a more fine-grained view of atomicity, compared with previous work [16, 1, 25, 26]. We consider two types of failures, crash and network failures and we study the complexity of a commit protocol by its robustness, i.e., which property (of the classical non-blocking atomic commit) is required in which executions (including less likely executions with failures). Our systematic study exhaustively goes through 27 variants of of non-blocking atomic commit (NBAC) defined by robustness.

Interestingly, our complexity results show that

• The time complexity and the message complexity reach the maximum (among the 27 variants) respectively when NBAC is solved in the face of crash failures and agreement is satisfied despite both types of failures;

• The message complexity increases (from zero to non-zero, and from n− 1 + f messages to 2n− 2 messages for at most f crashes among n processes) when validity needs to be

additionally satisfied;

These complexity results also highlight a tradeoff between time and message complexity in 18 out of the 27 variants. By the complexity results, we answer the open question on the time and message complexity of synchronous NBAC (which solves NBAC only in the face of crash failures) since Dwork and Skeen’s lower bound (on the number of messages) [1].

We propose the INBAC protocol which solves indulgent atomic commit, the most robust form among atomic commit problems we study. INBAC performs almost as efficiently as the widely-used two-phase commit (2PC) [22]: in some special case (for example, where among n processes, at most one can crash), INBAC induces two communication rounds, the same as 2PC, and needs additionally two messages, compared with 2PC. Previous protocols, PaxosCommit, and faster PaxosCommit [73], solve indulgent atomic commit as well. Our INBAC protocol is the most efficient among these protocols in that

• INBAC is delay-optimal: same as faster PaxosCommit and better than PaxosCommit; • INBAC is message-optimal among the delay-optimal protocols.

The comparison between PaxosCommit and our INBAC protocol also illustrates a tradeoff between time and message complexity.

5.1.2 Causal transactions

We present the formal complexity analysis of causal transactions. We study the complexity of read-only transactions, considered the most frequent in practice, and obtain two impossibility results regarding fast read-only transactions:

• In an asynchronous system, if a causally consistent transactional storage system sup- ports every transaction to read and write multiple objects, then even read-only transac- tions alone cannot be fast.

• In an asynchronous system where only servers have access to a global accurate clock (while client requests are oblivious to their local clocks), if a causally consistent transac- tional storage system supports fast read-only transactions and single-write transactions only, then read-only transactions cannot be invisible, where (in)visibility refers to the complexity that a read-only transaction incurs some write to servers (or not).

Our impossibilities apply to causal consistency and hence to stronger consistency criteria. They hold without assuming any message or node failures and hence hold for failure-prone systems. Our impossibility results hold only assuming that no server stores all objects, inde- pendent from any particular partial replication scheme.

To complement our second impossibility result, we propose a protocol that implements visible fast read-only transactions. Compared with COPS-SNOW, the previous protocol that provides fast read-only transactions [44], our protocol also provides fast single-object write transactions while COPS-SNOW does not. We show that under different system assumptions, the impossibility results can break, by proposing two protocols. The first protocol supports generic transactions (that breaks the first impossibility) in a synchronous system where there is a known upper bound on the time spent on the communication and local computation and a global accurate clock is accessible to all servers and clients. The second protocol provides invisible read-only transactions (that breaks the second impossibility) in an asynchronous system where a global accurate clock is accessible to all servers and clients. Both protocols are based on timestamps thanks to the accurate clock.

5.1.3 Optimistic secure transactions

We present, for the first time, a tight lower bound on the message complexity of optimistic secure transactions. We study optimistic secure transaction in the model of optimistic fair computation. Here fairness ensures a property similar to atomicity: either all participants may output the result of the transaction or none can, and also preserves privacy: no participant may know information of others’ private inputs beyond the result of the transaction. We consider the worst adversarial setting: a maximum number (n− 1 out of n) of malicious participants (or Byzantine failures), and study the message complexity of any optimistic execution. Interestingly, our main result shows that in every optimistic execution, if we order all messages according to when they are received and construct a sequence of the destinations of all messages based on this order, then the sequence must contain all permutations of the n participants. This relates the message complexity in our study to the permutation sequence in combinatorics. Although the length of the shortest permutation sequence in combinatorics is still open for large n, by relating our problem to the shortest permutation sequence, we prove that+2n−3 lower bounds the number of messages exchanged; we propose a matching scheme of fair exchange of exact + 2n − 3 messages so that the lower bound is tight. This fair exchange scheme can be applied to exchange digital signature (such as Schnorr signatures [134], DSS signatures [135], Fiat-Shamir signatures [136], Ong-Schnorr signatures [137], GQ signatures [138]), and hence can implement message-optimal electronic contract signing. Clearly, an application of the scheme is to trade items in a secure and transactional way. Compared with previous proposals of secure transactions that involve trusted third parties in every execution, the time complexity of the scheme is+2n −3, which is θ(n) according to the current progress in combinatorics [58, 59, 60, 130], while previous proposals finish in constant time complexity. This highlights a tradeoff between the introduction of trust assumptions to a protocol and the complexity of the protocol.

5.2 Future Directions