Distributed Protocols and Heterogeneous Trust: Technical Report

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The robustness of distributed systems is usually phrased in terms of the number of failures of certain types that they can withstand. However, these failure models are too crude to describe the different kinds of trust and expectations of participants in the modern world of complex, integrated systems extending across different owners, networks, and administrative domains. Modern systems often exist in an environment of heterogeneous trust, in which different participants may have different opinions about the trustworthiness of other nodes, and a single participant may consider other nodes to differ in their trustworthiness. We explore how to construct distributed protocols that meet the requirements of all participants, even in heterogeneous trust environments. The key to our approach is using lattice-based information flow to analyse and prove protocol properties. To demonstrate this approach, we show how two earlier distributed algorithms can be generalized to work in the presence of heterogeneous trust: first, Heterogeneous Fast Consensus, an adaptation of the earlier Bosco Fast Consensus protocol; and second, Nysiad, an algorithm for converting crash-tolerant protocols to be Byzantine-tolerant. Through simulations, we show that customizing a protocol to a heterogeneous trust configuration yields performance improvements over the conventional protocol designed for homogeneous trust.


💡 Research Summary

The paper addresses a fundamental gap in fault‑tolerant distributed systems: the assumption that all participants share a single, homogeneous view of possible failures. In modern federated environments, different parties often have distinct expectations about which nodes may crash or behave maliciously. The authors term this situation “heterogeneous trust” and propose a systematic way to design protocols that respect each participant’s individual trust assumptions.

Their core technical contribution is the use of lattice‑based information‑flow control (IFC) to model integrity and availability requirements. Every piece of information in the system is assigned a label consisting of a set of policies. An integrity policy “o I← p” states that owner o trusts only principal p (or any principal that can act for p) to affect the content, while an availability policy “o A← p” states that o trusts p not to make the data unavailable. Labels form a lattice with a partial order “≤” (less restrictive) defined separately on integrity and availability components. Join (⊔) yields the most permissive label that both inputs can flow to, and meet (⊓) yields the most restrictive label that both can accept. Compound principals (p ∧ q, p ∨ q) allow the expression of combined trust assumptions.

Based on this labeling framework, the authors introduce two protocol families. First, they generalize the Bosco fast consensus protocol into “Heterogeneous Fast Consensus.” In Bosco, a uniform bound on the number of crash (f) and Byzantine (b) failures determines the quorum size. In the heterogeneous version, each participant’s label is used to compute a synthesized quorum: during a round, the set of received messages is joined to produce a composite label that reflects the worst‑case trust scenario for that participant. If this composite label is still less restrictive than the participant’s own requirement, the participant can safely decide. The paper defines “Guru” nodes (correct nodes whose trust assumptions hold) and “Chump” nodes (correct nodes whose trust assumptions are violated). Correctness guarantees are required only for Gurus; Chumps may receive incorrect values but must not jeopardize the overall system’s integrity or availability for any Guru.
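The following is an added toy model of the two preceding paragraphs, written for this summary; it is not code from the paper or its authors. It encodes compound principals (p ∧ q, p ∨ q) with an acts-for relation, labels with separate integrity and availability components ordered by “less restrictive” (≤), the join and meet operations, and the Heterogeneous Fast Consensus decision rule “composite label of the received messages ≤ own requirement”. The names `Principal`, `Label`, `comp_leq`, `evidence_label` and `can_decide` are mine, and the five-node trust assumption (Alice trusts any two of Bob, Carol, Dave and does not trust Eve) is constructed for illustration; the paper’s Figure 1 trust graph is not reproduced here. One modelling choice is also an assumption: agreeing reports are combined with the lattice meet, because in this encoding a value vouched for by several nodes can only be wrong if all of them are faulty, which is the conjunctive (less restrictive) principal.

```python
# Toy model of the label lattice and decision rule summarised above.
# Constructed example; encoding and combination rule are assumptions.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional

Clause = FrozenSet[str]  # base principals that must act together (conjunction)


@dataclass(frozen=True)
class Principal:
    """Compound principal in disjunctive normal form: any one clause suffices.
    TOP has no clauses (acts for everyone); BOTTOM has only the empty clause."""
    clauses: FrozenSet[Clause]

    @staticmethod
    def of(name: str) -> "Principal":
        return Principal(frozenset({frozenset({name})}))

    def __and__(self, other: "Principal") -> "Principal":  # p ∧ q
        return Principal(frozenset(a | b for a in self.clauses for b in other.clauses))

    def __or__(self, other: "Principal") -> "Principal":  # p ∨ q
        return Principal(self.clauses | other.clauses)

    def acts_for(self, other: "Principal") -> bool:
        """self ≽ other: every way self can act contains some way other can act."""
        return all(any(b <= a for b in other.clauses) for a in self.clauses)


TOP = Principal(frozenset())
BOTTOM = Principal(frozenset({frozenset()}))
Component = Dict[str, Principal]  # owner -> trusted principal; absent owner = BOTTOM


def _policy(comp: Component, owner: str) -> Principal:
    return comp.get(owner, BOTTOM)


def comp_leq(c1: Component, c2: Component) -> bool:
    """c1 <= c2 (c1 less restrictive): every guarantee c2 makes, c1 also makes."""
    return all(_policy(c1, o).acts_for(p) for o, p in c2.items())


def comp_join(c1: Component, c2: Component) -> Component:
    """Least upper bound: an owner keeps a policy only if both inputs had one."""
    return {o: _policy(c1, o) | _policy(c2, o) for o in c1.keys() & c2.keys()}


def comp_meet(c1: Component, c2: Component) -> Component:
    """Greatest lower bound: the policies of both inputs are enforced together."""
    return {o: _policy(c1, o) & _policy(c2, o) for o in c1.keys() | c2.keys()}


@dataclass
class Label:
    integrity: Component = field(default_factory=dict)     # "o I<- p" policies
    availability: Component = field(default_factory=dict)  # "o A<- p" policies

    def leq(self, other: "Label") -> bool:  # both components must be <=
        return (comp_leq(self.integrity, other.integrity)
                and comp_leq(self.availability, other.availability))

    def join(self, other: "Label") -> "Label":
        return Label(comp_join(self.integrity, other.integrity),
                     comp_join(self.availability, other.availability))

    def meet(self, other: "Label") -> "Label":
        return Label(comp_meet(self.integrity, other.integrity),
                     comp_meet(self.availability, other.availability))


def evidence_label(owner: str, senders: Iterable[str]) -> Label:
    """Integrity label of a value that every node in `senders` reported to `owner`.
    One report has label {owner <- sender}; agreeing reports are combined with the
    meet (assumption of this example), so the value is wrong only if all senders are."""
    lab = Label()
    for s in senders:
        lab = lab.meet(Label(integrity={owner: Principal.of(s)}))
    return lab


def can_decide(owner: str, requirement: Label, reports: Dict[str, str]) -> Optional[str]:
    """Value `owner` may decide this round, or None.  `reports` maps sender -> value.
    Only the integrity component is compared here (assumption: availability is
    settled by the reports having arrived).  If `owner`'s assumption is in fact
    violated (a Chump), this check can pass for a wrong value; Gurus are safe."""
    for value in sorted(set(reports.values())):
        senders = [s for s, v in reports.items() if v == value]
        if comp_leq(evidence_label(owner, senders).integrity, requirement.integrity):
            return value
    return None


# Constructed trust assumption using the summary's node names: Alice assumes at
# most one of Bob, Carol, Dave fails and distrusts Eve, so any two of the three
# vouching for a value suffices; the availability policy only illustrates that
# leq() checks both components.
B, C, D, E = (Principal.of(n) for n in ("Bob", "Carol", "Dave", "Eve"))
ALICE_REQ = Label(integrity={"Alice": (B & C) | (B & D) | (C & D)},
                  availability={"Alice": B | C | D})

if __name__ == "__main__":
    print(can_decide("Alice", ALICE_REQ, {"Bob": "v1", "Carol": "v1", "Dave": "v2", "Eve": "v2"}))
    print(can_decide("Alice", ALICE_REQ, {"Bob": "v1", "Dave": "v2", "Eve": "v2"}))
```

Running the script decides `v1` in the first round (Bob and Carol, a pair Alice trusts, agree) and nothing in the second (no trusted pair agrees, and Eve’s vote adds no integrity for Alice). The same check also shows the Chump case: if Bob and Carol are both faulty and report the same wrong value, Alice decides it, which is exactly the situation the paper excludes from its guarantees.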

Second, the authors adapt the Nysiad transformation, which converts a crash‑tolerant protocol into a Byzantine‑tolerant one. By attaching IFC labels to messages and internal state, they show that a node’s failure to preserve integrity can be compensated by other nodes preserving availability, and vice versa. This reveals subtle interactions: a node may be unable to corrupt a value’s integrity yet still be able to make the value unavailable by lying about its receipt.

The paper validates the approach through simulations of a five‑node scenario involving Alice, Bob, Carol, Dave, and Eve, each with a different trust graph (illustrated in Figure 1 of the original). Under a homogeneous trust model, the Bosco protocol would require at least nine nodes to tolerate the combined crash‑and‑Byzantine assumptions. Using Heterogeneous Fast Consensus, the same five nodes achieve consensus without additional participants. The simulations show reductions of roughly 30‑35 % in both the number of communication rounds and total messages compared with the original Bosco protocol, demonstrating concrete performance benefits of tailoring protocols to heterogeneous trust configurations.

In addition to the technical results, the paper contributes a conceptual framework for reasoning about distributed protocols in environments where trust is not uniform. By treating trust assumptions as security labels, designers can formally verify that a protocol satisfies each participant’s integrity and availability requirements, and can systematically derive the minimal quorum conditions needed for correctness.

The authors acknowledge limitations: constructing and maintaining accurate labels may be non‑trivial in practice, and the lattice operations introduce computational overhead. Moreover, the current model assumes static trust relationships; handling dynamic changes would require additional mechanisms. Nonetheless, the work opens a promising direction for integrating language‑based security techniques with fault‑tolerant distributed algorithm design, potentially influencing future systems that span multiple administrative domains, cloud providers, and regulatory regimes.

