Mandator and Sporades: Robust Wide-Area Consensus with Efficient Request Dissemination

Consensus algorithms are deployed in the wide area to achieve high availability for geographically replicated applications. Wide-area consensus is challenging due to two main reasons: (1) low throughput due to the high latency overhead of client request dissemination and (2) network asynchrony that causes consensus protocols to lose liveness. In this paper, we propose Mandator and Sporades, a modular state machine replication algorithm that enables high performance and resiliency in the wide-area setting. To address the high client request dissemination overhead challenge, we propose Mandator, a novel consensus-agnostic asynchronous dissemination layer. Mandator separates client request dissemination from the critical path of consensus to obtain high performance. Composing Mandator with Multi-Paxos (Mandator-Paxos) delivers significantly high throughput under synchronous networks. However, under asynchronous network conditions, Mandator-Paxos loses liveness which results in high latency. To achieve low latency and robustness under asynchrony, we propose Sporades, a novel omission fault-tolerant consensus algorithm. Sporades consists of two modes of operations -- synchronous and asynchronous -- that always ensure liveness. The combination of Mandator and Sporades (Mandator-Sporades) provides a robust and high-performing state machine replication system. We implement and evaluate Mandator-Sporades in a wide-area deployment running on Amazon EC2. Our evaluation shows that in the synchronous execution, Mandator-Sporades achieves 300k tx/sec throughput in less than 900ms latency, outperforming Multi-Paxos, EPaxos and Rabia by 650\% in throughput, at a modest expense of latency. Furthermore, we show that Mandator-Sporades outperforms Mandator-Paxos, Multi-Paxos, and EPaxos in the face of targeted distributed denial-of-service attacks

The Bedrock of Byzantine Fault Tolerance: A Unified Platform for BFT Protocol Design and Implementation

Byzantine Fault-Tolerant (BFT) protocols have recently been extensively used by decentralized data management systems with non-trustworthy infrastructures, e.g., permissioned blockchains. BFT protocols cover a broad spectrum of design dimensions from infrastructure settings such as the communication topology, to more technical features such as commitment strategy and even fundamental social choice properties like order-fairness. The proliferation of different BFT protocols has rendered it difficult to navigate the BFT landscape, let alone determine the protocol that best meets application needs. This paper presents Bedrock, a unified platform for BFT protocols design, analysis, implementation, and experiments. Bedrock proposes a design space consisting of a set of design choices capturing the trade-offs between different design space dimensions and providing fundamentally new insights into the strengths and weaknesses of BFT protocols. Bedrock enables users to analyze and experiment with BFT protocols within the space of plausible choices, evolve current protocols to design new ones, and even uncover previously unknown protocols. Our experimental results demonstrate the capability of Bedrock to uniformly evaluate BFT protocols in new ways that were not possible before due to the diverse assumptions made by these protocols. The results validate Bedrock's ability to analyze and derive BFT protocols

Compressed Sigma-Protocols for bilinear circuits and applications to logarithmic-sized transparent Threshold Signature Schemes

Recently, there has been a great development in communication-efficient zero-knowledge (ZK) protocols for arithmetic circuit relations. Since any relation can be translated into an arithmetic circuit relation, these primitives are extremely powerful and widely applied. However, this translation often comes at the cost of losing conceptual simplicity and modularity in cryptographic protocol design.For this reason, Lai et al. (CCS 2019), show how Bulletproof’s communication-efficient circuit zero-knowledge protocol (Bootle et al., EUROCRYPT 2016 and Bünz et al., S&P 2018) can be generalized to work for bilinear group arithmetic circuits directly, without requiring these circuits to be translated into arithmetic circuits. For many natural relations their approach is actually more efficient than the indirect circuit ZK approach. We take a different approach and show that the arithmetic circuit model can be generalized to any circuit model in which (a) all wires take values in (possibly different) Zq-modules and (b) all gates have fan-in2and are either linear or bilinear mappings. We follow a straightforward generalization of Compressed Σ-Protocol Theory (CRYPTO 2020). We compress the communication complexity of a basic Σ-protocol for proving linear statements down to logarithmic. Then, we describe a linearization strategy to handle non-linearities. Besides its conceptual simplicity our approach also has practical advantages; we reduce the constant of the logarithmic component in the communication complexity of the CCS 2019 approach from 16 down to 6 and that of the linear component from 3 down to 1. Moreover, the generalized commitment scheme required for bilinear circuit relations is also advantageous to standard arithmetic circuit ZK protocols, since its application immediately results in a square root reduction of public parameters size. The implications of this improvement can be significant, because many application scenarios result in very large sets of public parameters. As an application of our compressed protocol for proving linear statements we construct the first k-out-of-n threshold signature scheme (TSS) with both transparent setup and threshold signatures of size O(κlog(n)) bits for security parameter κ. Each individual signature is of a so-called BLS type, the threshold signature hides the identities of the k signers and the threshold k can be dynamically chose n at aggregation time. Prior TSSs either result in sub-linear size signatures at the cost of requiring a trusted setup or the cost of the transparent setup amounts to linear (ink) size signatures.</p