IA-CCF: Individual accountability for permissioned ledgers
File(s)
nsdi22-paper-shamis.pdf (1.39 MB)
Published version
Author(s)
Type
Conference Paper
Abstract
Permissioned ledger systems allow a consortium of members that do not trust one another to execute transactions safely on a set of replicas. Such systems typically use Byzantine fault tolerance (BFT) protocols to distribute trust, which only ensures safety when fewer than 1/3 of the replicas misbehave. Providing guarantees beyond this threshold is a challenge: current systems assume that the ledger is corrupt and fail to identify misbehaving replicas or hold the members that operate them accountable—instead all members share the blame.
We describe IA-CCF, a new permissioned ledger system that provides individual accountability. It can assign blame to the individual members that operate misbehaving replicas regardless of the number of misbehaving replicas or members. IA-CCF achieves this by signing and logging BFT protocol messages in the ledger, and by using Merkle trees to provide clients with succinct, universally-verifiable receipts as evidence of successful transaction execution. Anyone can audit the ledger against a set of receipts to discover inconsistencies and identify replicas that signed contradictory statements. IA-CCF also supports changes to consortium membership and replicas by tracking signing keys using a sub-ledger of governance transactions. IA-CCF provides strong disincentives to misbehavior with low overhead: it executes 47,000 tx/s while providing clients with receipts in two network round trips.
Date Issued
2022-04-04
Date Acceptance
2023-04-01
Citation
2022, pp.467-491
Start Page
467
End Page
491
Copyright Statement
© 2022 The Author(s)
Identifier
https://www.usenix.org/conference/nsdi22/presentation/shamis
Source
19th USENIX Symposium on Networked Systems Design and Implementation (NSDI)
Publication Status
Published
Start Date
2022-04-04
Finish Date
2022-04-06
Coverage Spatial
Renton, WA, USA
Date Publish Online
2022-04-04