CFT-Forensics: High-Performance Byzantine Accountability for Crash Fault Tolerant Protocols
Weizhao Tang, Peiyao Sheng, Ronghao Ni, Pronoy Roy, Xuechao Wang, Giulia Fanti, Pramod Viswanath
TL;DR
This work addresses a known weakness of crash fault tolerant (CFT) consensus: a single Byzantine (corrupt) node can break safety, and the protocol leaves no proof of who did it. CFT-Forensics adds accountability without replacing the core CFT protocol. It defines a family of forensics-compliant protocols (including Raft and multi-Paxos) and augments them with Commitment Certificates (CC) and Leader Certificates (LC), so that when safety is violated an auditor can identify the culprits from the nodes' stored states with cryptographic integrity. The authors give theoretical overhead analyses and empirical measurements showing substantially lower storage and communication overhead than the protocol-agnostic PeerReview approach, which records a signed transcript of every message. They instantiate the framework as Raft-Forensics, implemented as an extension to the nuRaft library, and report peak throughput of 87.8% of vanilla Raft at 46% higher latency with 256-byte messages; integrated into the OpenCBDC central bank digital currency, it reaches 97.8% of Raft's throughput in wide-area experiments with 14.5% higher latency. The takeaway is that accountability is a complementary security property for critical infrastructure that can be obtained with lightweight protocol augmentations, enabling fault attribution and governance in distributed systems.
Abstract
Crash fault tolerant (CFT) consensus algorithms are commonly used in scenarios where system components are trusted, e.g., enterprise settings and government infrastructure. However, CFT consensus can be broken by even a single corrupt node. A desirable property in the face of such potential Byzantine faults is accountability: if a corrupt node breaks protocol and affects consensus safety, it should be possible to identify the culpable components with cryptographic integrity from the node states. Today, the best-known protocol for providing accountability to CFT protocols is called PeerReview; it essentially records a signed transcript of all messages sent during the CFT protocol. Because PeerReview is agnostic to the underlying CFT protocol, it incurs high communication and storage overhead. We propose CFT-Forensics, an accountability framework for CFT protocols. We show that for a special family of forensics-compliant CFT protocols (which includes widely-used CFT protocols like Raft and multi-Paxos), CFT-Forensics gives provable accountability guarantees. Under realistic deployment settings, we show theoretically that CFT-Forensics operates at a fraction of the cost of PeerReview. We subsequently instantiate CFT-Forensics for Raft, and implement Raft-Forensics as an extension to the popular nuRaft library. In extensive experiments, we demonstrate that Raft-Forensics adds low overhead to vanilla Raft. With 256 byte messages, Raft-Forensics achieves a peak throughput 87.8% of vanilla Raft at 46% higher latency (+44 ms). We finally integrate Raft-Forensics into the open-source central bank digital currency OpenCBDC, and show that in wide-area network experiments, Raft-Forensics achieves 97.8% of the throughput of Raft, with 14.5% higher latency (+326 ms).
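The accountability property described above, that a safety violation must leave cryptographically attributable evidence in the nodes' own states, is easiest to see in a minimal auditor. The following Go program is an added illustration and is not code from the paper, from nuRaft or from OpenCBDC; the paper's CC and LC formats are not reproduced here. It assumes a simplified leader-signed log entry (the types `Entry`, `Culprit`, the functions `Audit`, `Scenario` and the field layout are all assumptions) and two checks that hold for any correct Raft leader: it signs exactly one entry per (term, index), and within one term its log is append-only, so each entry must link by hash to its own previous entry. Keys and log entries are generated and constructed inline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Entry is a leader-signed log entry (illustrative layout, an assumption).
type Entry struct {
	Leader   string   // id of the leader that proposed the entry
	Term     uint64   // Raft term of the proposal
	Index    uint64   // log index
	PrevHash [32]byte // hash of the leader's entry at Index-1 (zero at Index 1)
	Payload  []byte   // client command
	Sig      []byte   // ed25519 signature by Leader over Preimage()
}

// Preimage is the canonical byte string that is hashed and signed.
func (e *Entry) Preimage() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint32(len(e.Leader)))
	b.WriteString(e.Leader)
	binary.Write(&b, binary.BigEndian, e.Term)
	binary.Write(&b, binary.BigEndian, e.Index)
	b.Write(e.PrevHash[:])
	b.Write(e.Payload) // last field, so it needs no length prefix
	return b.Bytes()
}

// Hash identifies the entry's content.
func (e *Entry) Hash() [32]byte { return sha256.Sum256(e.Preimage()) }

// Sign returns a copy of e carrying the leader's signature.
func Sign(priv ed25519.PrivateKey, e Entry) Entry {
	e.Sig = ed25519.Sign(priv, e.Preimage())
	return e
}

// Culprit is a verdict backed by two leader-signed entries that no correct
// Raft leader could both have produced.
type Culprit struct {
	Node     string
	Reason   string
	Evidence [2]Entry
}

type slot struct {
	leader      string
	term, index uint64
}

// Audit takes entries gathered from any nodes' states and returns provable
// culprits. Only entries whose signature verifies count as evidence, so a
// forged or tampered entry is discarded rather than framing an honest node.
func Audit(entries []Entry, keys map[string]ed25519.PublicKey) []Culprit {
	valid := map[slot][]Entry{}
	for _, e := range entries {
		pub, ok := keys[e.Leader]
		if !ok || !ed25519.Verify(pub, e.Preimage(), e.Sig) {
			continue
		}
		s := slot{e.Leader, e.Term, e.Index}
		valid[s] = append(valid[s], e)
	}
	var out []Culprit
	for s, es := range valid {
		// Equivocation: two different signed entries for one (leader, term, index).
		for i := 1; i < len(es); i++ {
			if es[i].Hash() != es[0].Hash() {
				out = append(out, Culprit{s.leader, "equivocation", [2]Entry{es[0], es[i]}})
			}
		}
		// Broken chain: the entry must link to the same leader's entry at Index-1
		// in the same term. Entries from other terms are not evidence: a newly
		// elected leader may legitimately overwrite uncommitted entries.
		if s.index <= 1 {
			continue
		}
		prevs := valid[slot{s.leader, s.term, s.index - 1}]
		for _, e := range es {
			linked := len(prevs) == 0 // nothing to check against
			for _, p := range prevs {
				if p.Hash() == e.PrevHash {
					linked = true
				}
			}
			if !linked {
				out = append(out, Culprit{s.leader, "broken chain", [2]Entry{prevs[0], e}})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Node+out[i].Reason < out[j].Node+out[j].Reason
	})
	return out
}

// Scenario builds constructed evidence: leader A equivocates at (term 1, index 2),
// a copy of A's entry is relabelled as B's (forgery), and C legitimately
// overwrites index 2 after winning term 2.
func Scenario() ([]Entry, map[string]ed25519.PublicKey) {
	keys, privs := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, id := range []string{"A", "B", "C"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		keys[id], privs[id] = pub, priv
	}
	e1 := Sign(privs["A"], Entry{Leader: "A", Term: 1, Index: 1, Payload: []byte("x=1")})
	e2 := Sign(privs["A"], Entry{Leader: "A", Term: 1, Index: 2, PrevHash: e1.Hash(), Payload: []byte("x=2")})
	e2b := Sign(privs["A"], Entry{Leader: "A", Term: 1, Index: 2, PrevHash: e1.Hash(), Payload: []byte("x=99")})
	forged := e2
	forged.Leader = "B" // signature no longer verifies under B's key
	c2 := Sign(privs["C"], Entry{Leader: "C", Term: 2, Index: 2, PrevHash: e1.Hash(), Payload: []byte("x=3")})
	return []Entry{e1, e2, e2b, forged, c2}, keys
}

func main() {
	entries, keys := Scenario()
	for _, c := range Audit(entries, keys) {
		fmt.Printf("culprit %s: %s at term %d index %d\n", c.Node, c.Reason, c.Evidence[0].Term, c.Evidence[0].Index)
	}
}
```

Running it reports exactly one culprit, A, for equivocation: C's term-2 overwrite is ordinary Raft behaviour and the forged entry never enters the evidence set. The point the paper's framework builds on is visible here: because every entry a node acts on is signed by its proposer, the auditor needs only the stored entries, not a transcript of every message, to pin a safety violation on a specific key holder.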
