Patent Grant
11546145
The invention relates to Scalable Byzantine Fault-Tolerant (BFT) algorithms and also to permissioned blockchains.
Byzantine fault-tolerant (BFT) protocols solve the state machine replication problem of a distributed system by reaching consensus on the order of operations requested to the system. In other words, as long as the operations are deterministic, the system state on the majority of the honest nodes are consistent as they execute the series of operations in the same order. Although the correctness and liveness of the BFT protocols have previously been proven, such protocols have not yet seen significant real-world deployment, due to their poor efficiency and scalability. In a system with n servers (nodes), such protocols need to exchange O(n2) messages to reach consensus on a single operation. Consequently, existing commercial systems, such as those used by Google and Amazon, rely on weaker crash fault-tolerant variants (e.g., Paxos and Raft).
Recent interest in blockchain technology has given fresh impetus for developing and improving BFT protocols. A blockchain is a key enabler for distributed consensus, serving as a public ledger for digital currencies (e.g., Bitcoin) and other applications. Bitcoin's blockchain relies on the well-known proof-of-work (PoW) mechanism to ensure probabilistic consistency guarantees on the order and correctness of transactions. It is a great success to have PoW regulate the transaction order agreement among thousands of nodes, which cannot be achieved by conventional BFT protocols due to the limitation of the communication complexity. However, Bitcoin's PoW has been severely criticized for its considerable waste of energy and meagre transaction throughput (˜7 transactions per second).
To remedy these limitations, there are several proposals to make the traditional BFT protocols, which are excellent in terms of transaction throughput with dozens of nodes, more scalable to handle consensus for thousands of participating nodes. MinBFT (described in G. S. Veronese, M. Correia, A. Neves Bessani, L. C. Lung and P. Verissimo, “Efficient byzantine fault-tolerance,” in IEEE Transactions on Computers, 2013) and CheapBFT, (described in R. Kapitza, S. Johannes Behl, C. Cachin, T. Distler, S. Kuhnle, S. V. Mohammadi, W. Schroder-Preikschat and K. Stengel, “CheapBFT: resource-efficient byzantine fault tolerance,” in Proceedings of the 7th ACM european conference on Computer Systems, 2012) first propose to use TEE (Trusted Execution Environment) to reduce the total number of peers from 3f+1 to 2f+1, where f is the number of tolerated nodes. However, the communication complexity still remains to be O(n2), which prevents the network from scaling up to hundreds of nodes. Cosi (described in E. Syta, I. Tamas, D. Visher, D. Isaac Wolinsky, P. Jovanovic, L. Gasser, N. Gailly, I. Khoffi and B. Ford, “Keeping authorities” honest or bust “with decentralized witness cosigning,” in Security and Privacy, 2016) leverages tree structure and signature aggregation to reduce the communication complexity to O(n), but using public signature on each node is expensive and the system still requires 3f+1 nodes. FastBFT (described in J. Liu, W. Li, G. O. Karame and N. Asokan, Scalable Byzantine Consensus via Hardware-assisted Secret Sharing, arXiv preprint arXiv:1612.04997, 2016) combines TEE with an efficient message aggregation technique based on secret-sharing to achieve a more efficient protocol using only 2f+1 nodes.
In an embodiment, the present invention provides a method for preparing a plurality of distributed nodes connected via a data communication network to perform a protocol to establish a consensus on an order of received requests. The plurality of distributed nodes includes a plurality of active nodes, the plurality of active nodes including a primary node, each of the plurality of distributed nodes including a processor and computer readable media. The method includes preparing a set of random numbers, wherein each of the random numbers is a share of an initial secret. Each share of the initial secret corresponds to one of the plurality of active nodes. The method further includes encrypting, in order to generate encrypted shares of the initial secret, each respective share of the initial secret, binding the initial secret to a last counter value to provide a commitment and a signature for the last counter value, and generating shares of a second and of a plurality of subsequent additional secrets by iteratively applying a hash function to shares of each preceding secret. The method additionally includes binding the second secret to a second-to-last counter value and each subsequent secret to a preceding counter value to provide a commitment and a signature for the second-to-last counter value and for each preceding counter value; and transmitting, to each of the plurality of active nodes, the commitments and signatures for each of the counter values along with the encrypted shares of the initial secret and a set of hash values produced by applying the hash function to the shares of the last secret. Each of the plurality of active nodes is configured to decrypt a corresponding encrypted share of the initial secret and to generate shares of the remaining secrets by applying the hash function to the decrypted share of the initial secret.
The present invention will be described in even greater detail below based on the exemplary figures. The invention is not limited to the exemplary embodiments. All features described and/or illustrated herein can be used alone or combined in different combinations in embodiments of the invention. The features and advantages of various embodiments of the present invention will become apparent by reading the following detailed description with reference to the attached drawing which illustrates the following:
BFT protocols that reduce the total number of nodes necessary to establish consensus, e.g. MinBFT, CheapBFT, and FastBFT, require that all such nodes be equipped with secure hardware. Requiring all participating nodes to be equipped with secure hardware is especially challenging for a large network with hundreds of nodes. Furthermore, such BFT protocols require considerable processing resources of participating nodes, e.g. processing resources required for performing encryption and decryption of a large number of messages. For example, for a network with n nodes and m committed secrets in a batch, the pre-processing phase in FastBFT involves n*m symmetric encryption operations on secret shares.
Embodiments of the present invention provide scalable BFT protocols that require only a selection of nodes to have secure hardware. Specifically, scalable BFT protocols are described herein that require only f+1 nodes to be equipped with secure hardware in order to establish consensus despite the Byzantine failure off nodes. Therefore, use of the scalable BFT protocols described herein can broaden the scope of potential networks in which BFT protocols can be implemented. Furthermore, by relaxing the requirements for secure hardware relative to prior art BFT protocols, the scalable BFT protocols described herein can reduce the costs of providing a network capable of executing BFT protocols or alternatively, the costs of modifying an existing network in order to render it capable of executing BFT protocols.
Embodiments of the invention provide scalable BFT protocols that improve the computational efficiency of nodes that participate in carrying out a BFT consensus protocol and thereby improve the overall computational efficiency of a distributed system for maintaining consensus. Scalable BFT protocols are described herein in which the number of encryptions and decryptions performed by various nodes can be significantly reduced relative to the number required to be performed by prior art BFT protocols. Specifically, scalable BFT protocols are described herein that include a novel pre-processing phase during which a primary node generates n shares of an initial secret bound to a last of m counters in a batch, encrypts only the n shares of the initial secret, and then generates shares of secrets bound to each of the preceding m−1 counters by applying a hash function to the shares of the initial secret. During such pre-processing phase, only n encryptions are needed (instead m×n encryptions as required by prior art BFT protocols). Furthermore, each of the n nodes that receive a share of the secret need only perform a single decryption followed by m−1 hash computations in order to derive shares used to vote for m subsequent messages (as compared to performing m decryptions as required by prior art BFT protocols). As a result of the improved computational efficiency, scalable BFT protocols according to embodiments of the invention enable systems for maintaining consensus to handle greater numbers of transactions in a given period of time while requiring fewer computational resources and utilizing less energy. As a result, the scalable BFT protocols according to embodiments of the invention improve the performance of systems for maintaining consensus among a plurality of distributed nodes, e.g. blockchain systems.
Embodiments of the present invention provide BFT protocols in which a hash chain is used to generate shares of a secret generated according to a secret-sharing, or secret-splitting, scheme. The secret is bound and committed to a counter value in the trusted execution environment (TEE) of a primary node during the preprocessing phase. The shares of the secret are then distributed to the active nodes that participate in carrying out the BFT consensus protocol to improve the efficiency for a batch of committed counter values. Embodiments of the invention also leverage collective remote attestation on a trusted execution environments (TEE) for primary election to avoid using a faulty primary and therefore avoid unnecessary view changes to faulty nodes.
Embodiments of the present invention provide systems, methods, and non-transitory computer readable media for BFT replication of data at a plurality of nodes, e.g. servers. Assuming f nodes are byzantine faulty, BFT protocols according to embodiments of the present invention require at least n=3f+1 nodes in the network, wherein 2f+1 of the nodes are active and f of the nodes are passive. The active nodes are connected in a tree structure or a star structure (a tree structure with height=1 is a star structure). The active nodes respond to messages and update the state, while passive nodes only listen to messages and update a local state. The node at the root position of the tree (or star) is referred to as the primary node and serves as an entry point for client requests. BFT protocols according to embodiments of the present invention require f+1 nodes in the network be equipped with secure hardware and that the endorsement key of the secure hardware of each such node can be verified by all of the other f+1 nodes. In this manner, if the primary node is faulty, e.g. due to a crash, and a view change is required, there are f remaining nodes having secure hardware such that at least one correct node can replace the faulty primary and the system can tolerate f nodes that are byzantine faulty.
Embodiments of the present invention provide BFT protocols that include both offline operations and online operations. The offline operations are performed in an initialization stage and a preprocessing stage. The online operations are performed in the phases of normal-case and view-change. The online operations are triggered by requests from the clients who will then wait for the completion of the phases to obtain the response, while the offline operations are performed in the background when they are required.
According to an embodiment, the present invention provides a method for establishing consensus between a plurality of distributed nodes connected via a data communication network, the plurality of distributed nodes including a primary node and a plurality of active nodes, each of the plurality of distributed nodes including a processor and computer readable media. The method includes preparing a set of random numbers, wherein each of the random numbers is a share of an initial secret, wherein each share of the initial secret corresponds to one of the plurality of nodes; encrypting each respective share of the initial secret with a shared key corresponding to respective one of the plurality of nodes to which the respective share corresponds to generate encrypted shares of the initial secret; applying a bitwise xor function to the set of random numbers to provide the initial secret; and binding the initial secret to a last counter value to provide a commitment and a signature for the last counter. The method further includes generating shares of a second and of a plurality of subsequent additional secrets by iteratively applying a hash function to shares of each preceding secret; binding the second secret to a second-to-last counter and each subsequent secret to a preceding counter to provide a commitment and a signature for the second-to-last counter and for each preceding counter; and broadcasting, to each of the plurality of active nodes, the commitments and signatures for each of the counters along with the encrypted shares of the initial secret and a set of hash values produced by applying the hash function to the shares of the last secret. Each of the plurality of active nodes is configured to decrypt a corresponding encrypted share of the initial secret and to generate shares of the remaining secrets by applying the hash function to the decrypted share of the initial secret.
According to an embodiment, the present invention provides a computer readable medium having stored thereon instructions for carrying out such a method for establishing consensus between a plurality of distributed nodes connected via a data communication network. Furthermore, according to an embodiment, the present invention provides a system including a plurality of distributed nodes connected via a data communication network and configured to establish a consensus.
According to embodiments of the invention, the primary node can organize the plurality of active nodes into a tree structure. The tree structure can be a star structure.
According to embodiments of the invention, the primary node can receive, from a plurality of active nodes, an attestation request including a challenge. The primary node can compute a signature over the challenge in the attestation request and a hash of an application loaded in a trusted execution environment (TEE) of the primary node as a remote attestation proof of integrity of the TEE application.
According to embodiments of the invention, the primary node can receive, from the plurality of active nodes, a plurality of shares of the last secret and reconstruct the last secret based on the plurality of received shares of the last secret.
According to embodiments of the invention, preparing a set of random numbers, wherein each of the random numbers is a share of an initial secret, wherein each share of the initial secret corresponds to one of the plurality of nodes can include preparing n random numbers r1, . . . , rn for each active node Pi, where the ith share of the initial secret hi0=ri. Encrypting each respective share of the initial secret with a shared key corresponding to a respective one of the plurality of nodes to which the respective share corresponds to generate encrypted shares of the initial secret can include encrypting, using a shared key ki corresponding to each active node Pi, the random numbers r1, . . . , rn to provide the encrypted shares of the initial secret Ci=Enc(ki,ri). Applying a bitwise xor function to the set of random numbers to provide the initial secret can include applying a bit-wise xor to all h° to provide the initial secret s0=h10⊕h20 . . . hn0. Binding the initial secret to a last counter value to provide a commitment and a signature for the last counter can include binding the initial secret s0 with the last counter cm to provide the commitment cmtm=H(s0,cm) and the signature Sm=Sign(cmtm,cm) for the last counter, wherein H( ) is a cryptographic hash function. Generating shares of a second and of a plurality of subsequent additional secrets by iteratively applying a hash function to shares of each preceding secret can include generating shares and the plurality of subsequent secrets hij=H(hij-1) for j=1, . . . , m−1. Binding the second secret to a second-to-last counter and each subsequent secret to a preceding counter to provide a commitment and a signature for the second-to-last counter and for each preceding counter can include binding the secrets sj with the counters cm-j to provide the commitments cmtm-j=H(sj,cm-j) and the signatures Sm-j=Sign(cmtm-j,cm-j) for j=m−1.
According to embodiments of the invention, the primary node can receive a request from a client and transmit a reply to the client including the reconstructed last secret. The primary node can further broadcasting the reply to a plurality of passive nodes.
At 200, the nodes connect with each other according to a tree structure. Various algorithms can be utilized for organizing the nodes into the tree structure. For example, a randomization function can be utilized that takes in all the node ids and their current indexes and outputs their new indexes in the tree. The only requirement of the tree-structure is that the root of the tree, i.e. the primary node, must have TEE support.
At 210, the primary node receives a plurality of attestation requests including a challenge from the other active nodes. At 220, the primary node computes a signature over the challenge in the attestation request and a hash of a consensus-establishing application loaded in the TEE and then broadcasts the signature over the challenge and the hash as a remote attestation proof of the integrity of its TEE application. Thereafter, at 230, all nodes verify the proof with the endorsement public key of the primary's secure hardware and reset the local copy of a counter of the primary node. The challenge used to compute the remote attestation proof should be a random number that is unpredictable and verifiable by all nodes. It can be third-party random source that is trusted by all nodes such as the current block hash of Bitcoin. Alternatively, the random number can be generated collectively by all nodes, e.g., through a secret-shared random number, a Bloom filter, or an accumulator that has integrated all random inputs from the nodes to the challenge.
At 310, the TEE application of the primary node randomly generates n=2f+1 random numbers r1, r2, . . . , rn that serve as n initial shares hi0 (i=1, . . . , n) for nactive nodes P1, . . . , Pn, one of which is the primary node. Note that there are N=3f+1 total nodes in the system. At 320, the TEE application of the primary node encrypts each of the initial shares h° (i=1, . . . , n) with a corresponding key ki shared with a corresponding active node Pi to provide Ci=Enc(ki,hi0) for i=1, . . . , n. At 330, the TEE application of the primary node applies bit-wise xor to all shares hi0 to provide initial secret s0=h10⊕h20 . . . ⊕hn0. As a result, only when all active nodes reveal their shares hi0 can they reconstruct the secret s0. At 340, the TEE application of the primary node binds secret s0 with counter value c+m, where c is the offset of the counter value, and m is the batch size for the preprocessing operation. The binding is achieved by generating the commitment cmtm over the secret s0 and the counter value c+m along with a digital signature Sm. A possible commitment scheme utilizes a cryptographic hash function: cmtm=H(s0, c+m) and signature is computed as Sm=Sign(sk1, cmt0, c+m), where sk1 is the private key of the primary node P1 secured by its TEE application. The signed commitment cmtm, Sm
allows all nodes to verify the revealed secret s0, and be able to conclude whether enough votes have been cast to reach consensus on the message which is assigned with counter value c+m.
At 345, an index j is initialized as j=1. At 350, the TEE application of the primary node generates the shares hij=H(hij-1) for the next counter value c+m−j. The shares for counter c+m−j are computed as the hash value of the previous shares: hij=H(hij-1) for i=1, . . . , n. At 360, the TEE application of the primary node applies bit-wise xor to all shares hij to provide secret sj=h1j⊕h2j . . . ⊕hnj. At 370, the TEE application of the primary node binds secret sj with counter value c+m−j. The binding is achieved by generating the commitment cmtm-j over the secret sj and the counter value c+m−j along with a digital signature Sm-j. If the commitment scheme utilizes the cryptographic hash function described above, cmtm-j=H(sj, c+m−j) and signature is computed as Sm-j=Sign(sk1, cmtm-j,c+m−j), where sk1 is the private key of the primary node P1 secured by its TEE application. The signed commitment cmtm-j, Sm-j
allows all nodes to verify the revealed secret sj, and be able to conclude whether enough votes have been casted to reach consensus on the message which is assigned with counter value c+m−j. At 370, the index j is incremented, and at 380, the process compares j with the value m. If j<m, the process returns to 350. If j≥m, the process proceeds to 390.
At 390, the TEE application of the primary node generates the shares him=H(him-1) and then reveals the preprocess result Ci, {h1m, . . . , hn′m}, {
cmt1,S1
, . . . ,
(cmtm,Sm)
}
to the primary node, which then broadcasts it to each active node Pi. Upon receipt of the preprocess result, each active node Pi can first decrypt Ci using the corresponding key ki shared with the primary node to obtain the initial share h0j. Each active node Pi can then derive the remaining shares (hi1, . . . , him-1) by iteratively applying the cryptographic hash function H. Meanwhile, the committed counter values cmtj are accepted once signature Sj is verified.
In the normal-case operations, after node Pi successfully verifies a PREPARE message which assigns (by the primary node) counter value c+1 to a request message M, Pi acknowledges the assigned order of the request by revealing his corresponding share him-1; his parent node Pk in the tree structure verifies the integrity with him and aggregates the votes by computing him-1⊕hkm-1. When all nodes reveal their shares, secret ŝm-1 is reconstructed on the primary node (the root of the tree) with all the aggregated shares ŝm-1=hm-1⊕ . . . ⊕hnm-1. The primary node then reveals the reconstructed secret ŝm-1 to all the other nodes. Each active node can then check whether the revealed secret ŝm-1 is indeed reconstructed correctly by verifying if cmt1=H(ŝm-1,c+1)
Note that {h1m, . . . , hnm} is broadcast to all active nodes, therefore any node is able to verify (through one or more hash functions) the integrity of a revealed share hij. If the integrity check of a share hij revealed by a child node fails, the parent node can broadcast his suspicion with the corresponding evidence and thus the network can replace a misbehaving child node with a passive node in the pool of passive nodes. If multiple nodes are corrupted and the reconstructed secret is wrong, the primary can ask the active nodes to resend the shares directly to him without aggregation, thus enabling the primary to identify and replace the misbehaving nodes. If the secret is constructed wrongly or is not revealed after certain timeout (i.e., the network fails to reach consensus) and the primary takes no further actions, then the active nodes suspect the primary is malicious and thus trigger a view-change process to replace the primary.
The protocol loosens the requirement of the TEE support by requiring more nodes (2f+1 instead of f+1) to be actively involved in the consensus process. But the protocol does not require the secondary nodes to perform any computation in the TEE application thus only the minimum number of nodes are required to have TEE support.
During the preprocessing procedure of
Following the preprocessing procedure illustrated in
At 510, a prepare phase is performed. In the prepare phase, the primary node verifies the signature of the request message and multicasts a PREPARE message (PREPARE, M, v, H(M), c+j
σp
by to its children nodes, and the children nodes forward the prepare message along the tree. Note that H(M) is the message digest of the request message M, v is the view number that increases whenever a view-change happens (after a view-change, the primary node is replaced and the view number increases by 1), and σp is the signature of the PREPARE message by the TEE application of the primary node of the current view. The primary node obtains
H(M), c+j
by submitting the hash of the request H(M) to its TEE application. c+j is the current counter value returned by the advanced monotonic counter inside the primary's TEE application. The result is also signed by the primary's TEE as signature σp. Each peer node Pi verifies the signature σp of the PREPARE message and compares the received counter value c+j with the last recorded primary counter value cp if c+j=cp+1. If the received counter is too advanced as it leaves ‘holes’ in counter sequence, the PREPARE message will be pended until those with succeeding counters are processed. This is to guarantee that the messages M can be executed as soon as they are accepted, for the same reason as in work MinBFT. Once the PREPARE message is validated, the leaf nodes reveal their shares to the parent nodes with reveal responses
REVEAL, c+j,him-j,ϕ
, while non-leaf nodes await responses from their children and then verify their children's responses with the last recorded hash hk if hk=H(hkm-j) for child node Pk. Then the shares are aggregated on Pi as sim-j=⊕khkm-j⊕kŝkm-j before sending the response
REVEAL, c+j,him-j,ŝim-j
to its parent. If the check on the revealed share of a child node fails, a node can broadcast a faulty suspicion on his child node, which can trigger further process to replace the faulty node with a passive node.
At 520 a commit phase is performed. During the commit phase, after receiving the aggregated shares, the primary node reconstructs the secret sm-k and verifies with the commitment cmtj generated by the primary's TEE during the preprocessing stage. If valid, the primary node executes the request and multicasts a COMMIT message with the execution result res: COMMIT, sm-j, res,
H(res), c+j+1
σp
. Each peer node verifies the revealed secret sm-j with the commitment received during the preprocessing phase
cmtj, Sj
. If valid, the peers execute the request M and compare the result res. Then they reveal the shares for counter c+j+1 similarly to the Prepare phase.
At 530, a reply phase is performed. During the reply phase (and similar to the Commit phase), the primary node reconstructs the secret for counter c+j+1 and multicasts a reply message to the other nodes, e.g. the passive nodes: REPLY, c+j+1, sm-j-1
. Additional details of the normal-case operation of the process for establishing consensus between a plurality of distributed nodes can be found in PCT/EP 2016/078883, which is incorporated by reference herein.
According to embodiments of the invention, a view-change procedure similar to the protocol MinBFT can be performed under certain circumstances. For example, when peers receive a request but no REPLY message after a certain timeout, they request a view-change to replace the primary node along with a fresh challenge for the TEE remote attestation of the primary candidate, which is known by all nodes through a pre-defined algorithm.
All nodes send REQ-VIEW-CHANGE requests providing the current counter and the last opened secret along with a history of executed operations in the last view to the next primary candidate. The primary candidate determines the latest counter and the history through the latest opened secret. A NEW-VIEW along with the history of the last view is then broadcast by the primary candidate to all nodes to execute the missing operations and switch to the new view. Meanwhile, the new view also includes the remote attestation proof of the new primary node, as well as the structure of the new tree. Once each node verifies the NEW-VIEW request, they broadcasts VIEW-CHANGE message to acknowledge changing to this new view. Once a node receives at least f consistent VIEW-CHANGE message from other nodes, they migrate to the new view by executing the missing operations and reconstructing the new tree. Then the new primary proceeds with the pre-process stage to generate committed counters for the new view used for online operations to handle incoming requests.
While the invention has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive. It will be understood that changes and modifications may be made by those of ordinary skill within the scope of the following claims. In particular, the present invention covers further embodiments with any combination of features from different embodiments described above and below.
The terms used in the claims should be construed to have the broadest reasonable interpretation consistent with the foregoing description. For example, the use of the article “a” or “the” in introducing an element should not be interpreted as being exclusive of a plurality of elements. Likewise, the recitation of “or” should be interpreted as being inclusive, such that the recitation of “A or B” is not exclusive of “A and B,” unless it is clear from the context or the foregoing description that only one of A and B is intended. Further, the recitation of “at least one of A, B and C” should be interpreted as one or more of a group of elements consisting of A, B and C, and should not be interpreted as requiring at least one of each of the listed elements A, B and C, regardless of whether A, B and C are related as categories or otherwise. Moreover, the recitation of “A, B and/or C” or “at least one of A, B or C” should be interpreted as including any singular entity from the listed elements, e.g., A, any subset from the listed elements, e.g., A and B, or the entire list of elements A, B and C.
This application is a continuation of U.S. patent application Ser. No. 15/950,185, filed on Apr. 11, 2018, which claims priority to U.S. Provisional Patent Application No. 62/561,726, filed on Sep. 22, 2017. The entire disclosures of which are hereby incorporated by reference herein.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5377270 | Koopman et al. | Dec 1994 | A |
| 6067621 | Yu et al. | May 2000 | A |
| 6104810 | DeBellis | Aug 2000 | A |
| 7043581 | Gulick | May 2006 | B1 |
| 7242766 | Lyle | Jul 2007 | B1 |
| 7249108 | Walmsley | Jul 2007 | B1 |
| 8316237 | Felsher | Nov 2012 | B1 |
| 9430655 | Stockton et al. | Aug 2016 | B1 |
| 9558359 | El Defrawy et al. | Jan 2017 | B1 |
| 9692757 | Mikulski | Jun 2017 | B1 |
| 10608824 | Praus | Mar 2020 | B1 |
| 11182782 | Wright | Nov 2021 | B2 |
| 11223470 | Shea | Jan 2022 | B1 |
| 11232439 | Westland | Jan 2022 | B2 |
| 11310060 | Poelstra | Apr 2022 | B1 |
| 11373152 | Wright | Jun 2022 | B2 |
| 11374753 | Lampkins | Jun 2022 | B2 |
| 20010036275 | Murakami et al. | Nov 2001 | A1 |
| 20020016913 | Wheeler | Feb 2002 | A1 |
| 20020048364 | Gligor et al. | Apr 2002 | A1 |
| 20030204732 | Audebert et al. | Oct 2003 | A1 |
| 20050223230 | Zick | Oct 2005 | A1 |
| 20060136725 | Walmsley | Jun 2006 | A1 |
| 20060153372 | Kim et al. | Jul 2006 | A1 |
| 20070005966 | Aissi et al. | Jan 2007 | A1 |
| 20070101138 | Camenisch | May 2007 | A1 |
| 20070160197 | Kagaya et al. | Jul 2007 | A1 |
| 20070244951 | Gressel | Oct 2007 | A1 |
| 20080095360 | Vuillaume | Apr 2008 | A1 |
| 20090187766 | Vuillaume et al. | Jul 2009 | A1 |
| 20100037056 | Follis et al. | Feb 2010 | A1 |
| 20110010552 | Hoornaert | Jan 2011 | A1 |
| 20110202755 | Orsini et al. | Aug 2011 | A1 |
| 20120255030 | Matsuo | Oct 2012 | A1 |
| 20120297198 | Danezis et al. | Nov 2012 | A1 |
| 20140189359 | Marien | Jul 2014 | A1 |
| 20140245020 | Buldas | Aug 2014 | A1 |
| 20140298027 | Roberts | Oct 2014 | A1 |
| 20150023498 | Asim et al. | Jan 2015 | A1 |
| 20150082399 | Wu | Mar 2015 | A1 |
| 20150113275 | Kim | Apr 2015 | A1 |
| 20150295720 | Buldas | Oct 2015 | A1 |
| 20160065370 | Le Saint | Mar 2016 | A1 |
| 20160119146 | Anderson | Apr 2016 | A1 |
| 20170063559 | Wallrabenstein | Mar 2017 | A1 |
| 20170085380 | Pandrangi et al. | Mar 2017 | A1 |
| 20170099151 | Kim | Apr 2017 | A1 |
| 20170236120 | Herlihy et al. | Aug 2017 | A1 |
| 20170250801 | Chen et al. | Aug 2017 | A1 |
| 20170347264 | Holland | Nov 2017 | A1 |
| 20180025435 | Karame et al. | Jan 2018 | A1 |
| 20180075262 | Auh | Mar 2018 | A1 |
| 20180088814 | Namiki | Mar 2018 | A1 |
| 20180101560 | Christidis et al. | Apr 2018 | A1 |
| 20180157558 | Karame et al. | Jun 2018 | A1 |
| 20180183601 | Campagna | Jun 2018 | A1 |
| 20180183771 | Campagna | Jun 2018 | A1 |
| 20180183774 | Campagna | Jun 2018 | A1 |
| 20180212779 | Bergmann | Jul 2018 | A1 |
| 20180241548 | Dolev et al. | Aug 2018 | A1 |
| 20180248845 | Irwan et al. | Aug 2018 | A1 |
| 20180308091 | Malkhi et al. | Oct 2018 | A1 |
| 20180336552 | Bohli et al. | Nov 2018 | A1 |
| 20180337771 | Baker et al. | Nov 2018 | A1 |
| 20190007218 | Kahoul | Jan 2019 | A1 |
| 20190014124 | Reddy et al. | Jan 2019 | A1 |
| 20190147438 | Micali et al. | May 2019 | A1 |
| 20190245856 | Irwan et al. | Aug 2019 | A1 |
| 20190386829 | Karame et al. | Dec 2019 | A1 |
| 20210312078 | Jayachandran | Oct 2021 | A1 |
| 20210314139 | Zhang | Oct 2021 | A1 |
| 20210336771 | Mukherjee | Oct 2021 | A1 |
| 20210342894 | Pestana | Nov 2021 | A1 |
| 20210344493 | Diehl | Nov 2021 | A1 |
| 20210365943 | Buldas | Nov 2021 | A1 |
| 20220004539 | De Caro | Jan 2022 | A1 |
| 20220014502 | Gauthier | Jan 2022 | A1 |
| 20220027348 | Manevich | Jan 2022 | A1 |
| 20220038285 | Youssef | Feb 2022 | A1 |
| 20220085989 | Yadlin | Mar 2022 | A1 |
| 20220092588 | Jain | Mar 2022 | A1 |
| 20220094560 | Gaur | Mar 2022 | A1 |
| 20220114584 | Conley | Apr 2022 | A1 |
| 20220131698 | Badrinarayanan | Apr 2022 | A1 |
| 20220200789 | Lalande | Jun 2022 | A1 |
| 20220209960 | Zuckerman | Jun 2022 | A1 |
| Entry |
|---|
| Rüdiger Kapitza et al., “CheapBFT: Resource-efficient Byzantine Fault Tolerance”, EuroSys'12, Apr. 10-13, 2012, pp. 1-14. |
| Giuliana Veronese et al., “Efficient Byzantine Fault-Tolerance”, IEEE Transactions on Computers, Jan. 2013, pp. 1-16. |
| Ewa Syta, et al., “Keeping Authorities “Honest or Bust” with Decentralized Witness Cosigning”, 2016 IEEE Symposium on Security and Privacy, Dec. 2016, pp. 1-20. |
| Jian Liu, et al., “Scalable Byzantine Consensus via Hardware-assisted Secret Sharing”, arXiv:1612.04997v1, Dec. 15, 2016, pp. 1-11. |
| Giuliana Santos Veronese et al: “Efficient Byzantine Fault Tolerance”, IEEE Transactions on Computers, IEEE, USA, vol. 62, No. 1, Jan. 1, 2013 (Jan. 1, 2013), pp. 16-30, XP011475447. |
| Leslie Lamport: “Password authentication with insecure communication”, Communications of the ACM, Association for Computing Machinery, Inc, United States, vol. 24, No. 1a, Nov. 1, 1981 (Nov. 1, 1981), pp. 770-772, XP058263014. |
| U.S. Appl. No. 15/950,185, filed Apr. 11, 2018. |
| Number | Date | Country | |
|---|---|---|---|
| 20210075598 A1 | Mar 2021 | US |
| Number | Date | Country | |
|---|---|---|---|
| 62561726 | Sep 2017 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 15950185 | Apr 2018 | US |
| Child | 16952218 | US |
