This paper describes a new replication algorithm that is able to tolerate Byzantine faults. We believe that Byzantinefault-tolerant algorithms will be increasingly important in the future because malicious attacks and software errors are increasingly common and can cause faulty nodes to exhibit arbitrary behavior. Whereas previous algorithms assumed a synchronous system or were too slow to be used in practice, the algorithm described in this paper is practical: it works in asynchronous environments like the Internet and incorporates several important optimizations that improve the response time of previous algorithms by more than an order of magnitude. We implemented a Byzantine-fault-tolerant NFS service using our algorithm and measured its performance. The results show that our service is only 3 % slower than a standard unreplicated NFS.

In this paper we present two protocols for asynchronous Byzantine Quorum Systems (BQS) built on top of reliable channels---one for self-verifying data and the other for any data. Our protocols tolerate Byzantine failures with fewer servers than existing solutions by eliminating nonessential work in the write protocol and by using read and write quorums of different sizes. Since engineering a reliable network layer on an unreliable network is difficult, two other possibilities must be explored. The first is to strengthen the model by allowing synchronous networks that use time-outs to identify failed links or machines. We consider running synchronous and asynchronous Byzantine Quorum protocols over synchronous networks and conclude that, surprisingly, "self-timing" asynchronous Byzantine protocols may offer significant advantages for many synchronous networks when network time-outs are long. We show how to extend an existing Byzantine Quorum protocol to eliminate its dependency on reliable networking and to handle message loss and retransmission explicitly.

Group communication systems that provide consistent group membership and reliable, ordered multicast properties in the presence of faults resulting from malicious intrusions have not been analyzed extensively to quantify the cost of tolerating these intrusions. This paper attempts to quantify this cost by presenting results from an experimental evaluation of three new intrusion-tolerant microprotocols that have been added to an existing crash-fault-tolerant group communication system. The results are analyzed to identify the parts that contribute the most overhead during provision of intrusion tolerance at the group communication system level.

This paper presents an erasure-coded Byzantine fault-tolerant block storage protocol that is nearly as efficient as protocols that tolerate only crashes. Previous Byzantine fault-tolerant block storage protocols have either relied upon replication, which is inefficient for large blocks of data when tolerating multiple faults, or a combination of additional servers, extra computation, and versioned storage. To avoid these expensive techniques, our protocol employs novel mechanisms to optimize for the common case when faults and concurrency are rare. In the common case, a write operation completes in two rounds of communication and a read completes in one round. The protocol requires a short checksum comprised of cryptographic hashes and homomorphic fingerprints. It achieves throughput within 10 % of the crash-tolerant protocol for writes and reads in failure-free runs when configured to tolerate up to 6 faulty servers and any number of faulty clients.

This paper presents a new protocol for atomic broadcast in an asynchronous network with a maximal number of Byzantine failures. It guarantees both safety and liveness without making any timing assumptions or using any type of "failure detector." Under normal circumstances, the protocol runs in an "optimistic mode," with extremely low message and computational complexity -- essentially, just performing a Bracha broadcast for each request. In particular, no potentially expensive public-key cryptographic operations are used. In rare circumstances, the protocol may briey switch to a "pessimistic mode," where both the message and computational complexity are significantly higher than in the "optimistic mode," but are still reasonable.

permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of Network Associates Laboratories's products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by sending a blank email message to pubs-permissions@ieee.org. By choosing to view this document, you agree to all provisions of the copyright laws protecting it.

Abstract. This paper establishes the first theorem relating resilience, time complexity and authentication in distributed computing. We study consensus algorithms that tolerate Byzantine failures and arbitrary long periods of asynchrony. We measure the ability of processes to reach a consensus decision in a minimal number of rounds of information exchange, as a function of (a) their ability to use authentication and (b) the number of actual process failures in those rounds, as well as of (c) the total number of failures tolerated and (d) the system constellation. The constellations considered distinguish different roles of processes, such that we can directly derive a meaningful bound on the time complexity of implementing robust general services using several replicas coordinated through consensus. To prove our theorem, we establish certain lower bounds and we give algorithms that match these bounds. The algorithms are all variants of the same generic asynchronous Byzantine consensus algorithm, which is interesting in its own right.

Group Communication Systems have been developed to address the problem of maintaining consistency of replicated information. This thesis describes the research work that resulted in the design, development, and informal validation of a group membership protocol for an intrusion-tolerance group communication system (ITUA GCS). This group membership protocol provides consistent group membership to process groups in the presence of malicious faults resulting from intrusions. We describe the properties guaranteed by this group membership protocol, the assumptions under which the protocol functions, a detailed algorithmic description of the protocol, and an informal proof that the protocol satisfies the stated properties. The group membership protocol has been implemented as a layer in the ITUA GCS, which is a layered protocol stack. We also describe the protocol implementation details, the framework in which this layer was implemented, and the changes made to this framework in order to add the protocol. We then present performance results for the group membership protocol. The protocol was instrumented to provide detailed information about the cost incurred during fault-free operation and while tolerating both single and multiple correlated intrusions. The results are useful in that they provide new insights into the cost of providing intrusion-tolerant group communication, and suggest ways that this cost could be reduced in the future.

We consider the problem of disseminating an update known to a set of servers to other servers in the system via a gossip protocol. Some of the servers can exhibit malicious behavior.

r always being there for me. The research described in this thesis was funded by DARPA grant F30602-00-C-0172. I am grateful to Dr. Jaynarayan Lala and DARPA for providing direction to the ITUA project. iv Tab l e o f Contents ListofFigures ....................................... vi ListofAbbreviations.................................... viii Chapter1 Introduction.................................. 1 1.1 Motivation..................................... 1 1.2 PreviousGCSResearch.............................. 2 1.2.1 Ensemble ................................. 3 1.2.2 PracticalByzantineFaultTolerance................... 3 1.2.3 SecureRing ................................ 3 1.2.4 Rampart.................................. 4 1.3 PreviousStateTransferResearch ........................ 4 1.3.1 Eternal................................... 5 1.3.2 Maestro .................................. 5 1.4 ResearchContributionsandThesisOrganization................ 6 Chapter2 Intrusion-TolerantArc