owned this note
owned this note
Published
Linked with GitHub
---
slideOptions:
transition: fade
theme: white
---
<style>
.reveal {
font-size: 20px;
}
.reveal pre {
border: none;
box-shadow: none;
}
.reveal .slides {
text-align: left;
}
.reveal .slides section>* {
margin-left: 0;
margin-right: 0;
}
</style>
# Hotstuff
## BFT Consensus in the Lens of Blockchain
By Maofan Yin, Dahlia Malkhi, Michael K. Reiter, Guy Golan Gueta, and Ittai Abraham.
---
### Hotstuff
> A **leader-based** **Byzantine fault-tolerant** replication protocol for the **partially synchronous model**.
- _leader based_ - with leader selection out of scope of the paper.
- _byzantine fault-tolerant_ - in regards to the _Byzantine Generals Problem_.
- _partially synchronous model_
- Safety at all times even in asynchronous networks.
- Liveness once network becomes synchronous.
---
### Constributions
- **Linear communication and view change** with O(#replicas).
Difference to PBFT.
- **Optimistic Responsiveness**: Consensus at the pace of actual (vs. maximum)
network delay.
Difference to Tendermint and Casper.
---
### Related work
#### Classics
- Leslie Lamport, Robert E. Shostak, and Marshall C. Pease. "The byzantine
generals problem." ACM Trans. Program. Lang. Syst., 4(3):382–401, 1982.
- Fischer, Michael J., Nancy A. Lynch, and Michael S. Paterson. "Impossibility
of distributed consensus with one faulty process." Journal of the ACM (JACM)
32.2 (1985): 374-382.
- Dwork, Cynthia, Nancy Lynch, and Larry Stockmeyer. "Consensus in the presence
of partial synchrony." Journal of the ACM (JACM) 35.2 (1988): 288-323.
- Castro, Miguel, and Barbara Liskov. "Practical Byzantine fault tolerance."
OSDI. Vol. 99. No. 1999. 1999.
---
### Related work
#### Blockchain
- Nakamoto, Satoshi, and A. Bitcoin. "A peer-to-peer electronic cash system."
Bitcoin.–URL: https://bitcoin.org/bitcoin.pdf (2008).
- Buchman, Ethan. Tendermint: Byzantine fault tolerance in the age of
blockchains. Diss. 2016.
- Buterin, Vitalik, and Virgil Griffith. "Casper the friendly finality gadget."
arXiv preprint arXiv:1710.09437 (2017).
---
### Basic Hotstuff
( ) New View messages
(1) **Prepare Phase**: Ensure a leader does not send different proposals to
different replicase (Equivocation).
(2) **Pre-Commit Phase**: Solve _hidden lock problem_ and thus achieve linear
view changes.
(3) **Commit Phase**: Ensure that a commit proposal stays commited.
( ) Decide message
---
### Quorum Certificate (QC)
Collection of
- n - f signatures
- for a leader proposal (prepare, pre-commit, commit)
- for a specific view number.
---
### 1. Prepare Phase
4 nodes with one leader and 3 replicas out of which one might be byzantine
(safety in async networks with n = 3k + 1).
```mermaid
sequenceDiagram
participant Leader
participant Replica A
participant Replica B
participant Replica C
Note over Leader,Replica C: Transition into new view.
Replica A->>Leader: prepareQC
Replica B->>Leader: prepareQC
Replica C->>Leader: prepareQC
Leader->>Replica C: Broadcast MSG(PREPARE, current Proposal, highest QC)
Note over Replica A,Replica C: SafeNode predicate either:<br/>(a) proposal extends from current lockedQC<br/>(b) highestQC.viewNumber > lockedQC.viewNumber
Replica A->>Leader: VOTEMSG(PREPARE, m.node)
Replica B->>Leader: VOTEMSG(PREPARE, m.node)
Replica C->>Leader: VOTEMSG(PREPARE, m.node)
```
---
### SafeNode Predicate
Either one has to be true:
(a) proposal extends from current lockedQC
```mermaid
graph LR
Genesis --> ... --> lockedQC.node --> newQC.node
```
(b) newQC.viewNumber > lockedQC.viewNumber
Given that newQC with view number 11 exists, conflicting proposal for lockedQC with view number 10 can not possibly been decided as otherwise honest replicas would not have signed newQC.
```mermaid
graph LR
Genesis --> ... -->|view 9| decidedValue -->|view10| lockedQC10.node --> someFailure
decidedValue -->|view12| newQC11.node
style someFailure fill:#FF0000
```
---
### 2. Pre-Commit Phase
```mermaid
sequenceDiagram
participant Leader
participant Replica A
participant Replica B
participant Replica C
Note over Leader: Wait for n - f PREPARE votes.
Leader->>Replica C: Broadcast MSG(PRE-COMMIT, _, prepareQC)
Note over Replica A,Replica C: prepareQC <- prepareQC
Replica A->>Leader: VOTEMSG(PRE-COMMIT, m.node)
Replica B->>Leader: VOTEMSG(PRE-COMMIT, m.node)
Replica C->>Leader: VOTEMSG(PRE-COMMIT, m.node)
```
---
### 3. Commit Phase
```mermaid
sequenceDiagram
participant Leader
participant Replica A
participant Replica B
participant Replica C
Note over Leader: Wait for n - f PRE-COMMIT votes.
Leader->>Replica C: Broadcast MSG(COMMIT, _, precommitQC)
Note over Replica A,Replica C: lockedQC <- precommitQC.
Replica A->>Leader: VOTEMSG(COMMIT, m.node)
Replica B->>Leader: VOTEMSG(COMMIT, m.node)
Replica C->>Leader: VOTEMSG(COMMIT, m.node)
```
---
### Hidden Lock Problem
Violates liveness even in synchronous (bounded by Δ) networks. Solved through either:
- 2nd (pre-commit) phase in Hotstuff (_Optimistic Responsiveness_).
- By waiting Δ amount of times before leader changes in Tendermint and Casper.
```mermaid
graph LR
Genesis --> ... --> b' --> b
b' --> b''
```
What happens when we do **two**-phase (prepare & commit) Hotstuff with _Optimistic Responsiveness_?
```mermaid
sequenceDiagram
participant Leader 1
participant Leader 2
participant Replicas ...
participant Replica Y
participant Replica Z
Note over Leader 2,Replicas ...: Network Partition
Leader 1->>Replica Z: Broadcast MSG(COMMIT, _, precommitQC(b))
Note over Replica Y: lockedQC <- precommitQC(b).
Replica Y->>Leader 1: VOTEMSG(COMMIT, b)
Note over Leader 1,Replica Z: Transition into new view with Leader 2
Leader 2->>Replica Z: Broadcast MSG(PREPARE, b'', prepareQC(b')
Replicas ...->>Leader 2: Some VOTEMSG(PREPARE, b'')
Replica Z->>Leader 2: VOTEMSG(PREPARE, b'')
Replica Y->>Leader 2: VOTEMSG(REJECT, b'')
Note over Leader 2: No majority yet
Note over Replicas ...: 2f transition into new view
Replicas ...->>Leader 2: Single missing VOTEMSG(PREPARE, b'') from malicious replica
Leader 2->>Replica Z: Broadcast MSG(COMMIT, _, prepareQC(b'')
Note over Replica Z: lockedQC <- prepareQC(b'')
Replica Z->>Leader 2: Honest replica VOTEMSG(COMMIT, b'')
Note over Leader 1,Replica Z: Repeat
```
---
### Chained Hotstuff
- 3 phases are structurally the same.
- Have each leader only do _PREPARE_ phase. Driving block of previous leader along the way.
---
### Comparison
| | Best Case Latency | Normal Case Communication | View Change Communication | View Change Responsiveness |
| -------- | -------- | -------- | ---|---|
| Bitcoin | 1 | O(n) | - | - |
| PBFT | 2 | O(n²) | O(n²) | **Yes** |
| Tendermint / Casper | 2 | **O(n)** | **O(n)** | No |
| Hotstuff | 3 | **O(n)** | **O (n)** | **Yes** |
---
### Additional Sources
- [ZK-TLV 0x09 - Ittai Abraham - The Bitcoin Breakthrough in the less of
Distributed Computing (Part 1)](https://youtu.be/IUwsxssViqc)
- [ZK-TLV 0x09 - Ittai Abraham - State Machine Replication from traditional to
modern (Part 2)](https://youtu.be/-RcYagFNyLU)
- [ZK-TLV 0x09 - Ittai Abraham - The HotStuff approach to BFT (Part
3)](https://youtu.be/ONobI3X70Rc)
- [ZKPodcast: Consensus Algorithms & HotStuff with Ittai Abraham](https://www.zeroknowledge.fm/127)
- [Murat Buffalo: Hotstuff Blog Post](https://muratbuffalo.blogspot.com/2019/12/hotstuff-bft-consensus-in-lens-of.html)
Sign in with Wallet
