Proteus: Append-Only Ledgers for (Mostly) Trusted Execution Environments
Shubham Mishra, João Gonçalves, Chawinphat Tankuranand, Neil Giridharan, Natacha Crooks, Heidi Howard, Chris Jensen
TL;DR
Proteus addresses the risk of rare but catastrophic TEE compromises by introducing Platform-Fault-Tolerance (PFT), a model that separates platforms from individual nodes and decouples safety from liveness. It embeds a Byzantine fault-tolerant audit inside a crash-fault-tolerant commit protocol, enabling continuous progress while auditing for misbehavior in the background with no extra on-path messages. The protocol uses hash chaining, pipelining, and a novel view-stabilization view-change to ensure that committed transactions stay safe and audited transactions remain durable under platform compromises, with a tightly bounded audit window. Empirical evaluation across multiple TEEs and deployments shows Proteus achieving common-case performance on par with existing TEE-based ledgers, while providing stronger integrity guarantees and practical applicability through receipts and a code-transparent workflow. The work advances practical, scalable, and auditable distributed ledgers that tolerate correlated hardware failures without sacrificing throughput.
Abstract
Distributed ledgers are increasingly relied upon by industry to provide trustworthy accountability, strong integrity protection, and high availability for critical data without centralizing trust. Recently, distributed append-only logs have been opting for a layered approach, combining crash-fault-tolerant (CFT) consensus with hardware-based Trusted Execution Environments (TEEs) for greater resiliency. Unfortunately, hardware TEEs can be subject to (rare) attacks, undermining the very guarantees that distributed ledgers are carefully designed to achieve. In response, we present Proteus, a new distributed consensus protocol that cautiously trusts the guarantees of TEEs. Proteus carefully embeds a Byzantine fault-tolerant (BFT) protocol inside a CFT protocol with no additional messages. This is made possible through careful refactoring of both the CFT and BFT protocols such that their structure aligns. Proteus achieves performance in line with regular TEE-enabled consensus protocols, while guaranteeing integrity in the face of TEE platform compromises.
