Table of Contents
Fetching ...

ERA: Epoch-Resolved Arbitration for Duelling Admins in Group Management CRDTs

Kegan Dougal

TL;DR

This work tackles the Duelling Admins problem in group-management CRDTs by introducing finality nodes that arbitrate event order through epoch-based evidence, enabling a bounded total order within epochs while preserving availability. It formalizes finality and causal stability, distinguishing them from backdating risks, and analyzes how traditional user-based or event-based ordering strategies fail under Byzantine exploitation. The proposed epoch-based arbitration aims to guarantee that certain events become final and cannot be rolled back, addressing safety at the potential cost of reliance on a trusted finality node. The approach presents practical trade-offs between security and liveness, suggesting encryption and reputation mechanisms to curb misbehavior and outlining future directions for expanding finality concepts to broader CRDT use cases.

Abstract

Conflict-Free Replicated Data Types (CRDTs) are used in a range of fields for their coordination-free replication with strong eventual consistency. By prioritising availability over consistency under partition, nodes accumulate events in different orders, and rely on an associative, commutative and idempotent merge function to present a materialised view of the CRDT. Under some circumstances, the state of the materialised view over time can appear to ''roll back'' previously applied events. When the materialised view is used to manage group permissions such as ones found in instant messaging applications, this can lead to surprising behaviour. This can occur when there are multiple concurrent events, such as in the Duelling Admins problem where two equally permissioned admins concurrently revoke each other's permissions. Who wins? This article argues that a Byzantine admin can exploit concurrency to win the duel. As a result, an external arbiter is required to arbitrate an immutable happens-before relation between concurrent events. Arbitration occurs asynchronously in batches via optional ''epoch events'', preserving availability. This introduces a bounded total order within epochs, and the resulting ''finality'' improves on the level of consistency CRDTs can provide.

ERA: Epoch-Resolved Arbitration for Duelling Admins in Group Management CRDTs

TL;DR

This work tackles the Duelling Admins problem in group-management CRDTs by introducing finality nodes that arbitrate event order through epoch-based evidence, enabling a bounded total order within epochs while preserving availability. It formalizes finality and causal stability, distinguishing them from backdating risks, and analyzes how traditional user-based or event-based ordering strategies fail under Byzantine exploitation. The proposed epoch-based arbitration aims to guarantee that certain events become final and cannot be rolled back, addressing safety at the potential cost of reliance on a trusted finality node. The approach presents practical trade-offs between security and liveness, suggesting encryption and reputation mechanisms to curb misbehavior and outlining future directions for expanding finality concepts to broader CRDT use cases.

Abstract

Conflict-Free Replicated Data Types (CRDTs) are used in a range of fields for their coordination-free replication with strong eventual consistency. By prioritising availability over consistency under partition, nodes accumulate events in different orders, and rely on an associative, commutative and idempotent merge function to present a materialised view of the CRDT. Under some circumstances, the state of the materialised view over time can appear to ''roll back'' previously applied events. When the materialised view is used to manage group permissions such as ones found in instant messaging applications, this can lead to surprising behaviour. This can occur when there are multiple concurrent events, such as in the Duelling Admins problem where two equally permissioned admins concurrently revoke each other's permissions. Who wins? This article argues that a Byzantine admin can exploit concurrency to win the duel. As a result, an external arbiter is required to arbitrate an immutable happens-before relation between concurrent events. Arbitration occurs asynchronously in batches via optional ''epoch events'', preserving availability. This introduces a bounded total order within epochs, and the resulting ''finality'' improves on the level of consistency CRDTs can provide.
Paper Structure (15 sections, 5 equations, 8 figures)

This paper contains 15 sections, 5 equations, 8 figures.

Figures (8)

  • Figure 1: DAGs of causal histories demonstrating detectable vs undetectable backdating. Each event points to their causal predecessor. The highlighted event is an attempt to backdate.
  • Figure 2: The duelling admins problem. Which user remains an Admin depends on how $\mathsf{demote}$ events are sorted. Sorting by user centralises authority. Sorting by event ID causes repeated rollbacks.
  • Figure 3: Even if equal-permissioned roles are forbidden from demoting each other, backdating can subvert this. $\mathsf{demote}(a, a, \mathsf{Writer})$ executes first, meaning $a$ is no longer authorised to $\mathsf{promote}(a, b, \mathsf{Admin})$.
  • Figure 4: Admin operations are ordered before Writer operations. As a result, $\mathsf{write}(b)$ is not authorised because $b$ is now a Reader.
  • Figure 5: User $a$ backdated event $\mathsf{demote}(a, b, \mathsf{Reader})$ despite not being authorised to demote anymore. Whether it executes before or after $\mathsf{demote}(a, a, \mathsf{Reader})$ depends solely on attacker-controlled data. This breaks safety property \ref{['prop:safety']}.
  • ...and 3 more figures

Theorems & Definitions (1)

  • definition 1: Causal Stability almeida2024approaches