Byzantine Fault-Tolerant Confidentiality

msra(2002)

Abstract
This paper discusses how to use redundancy to simultaneously improve availability, integrity, and confidentiality. We call this problem Confidential BFT (CBFT) and propose the privacy firewall architecture to solve it. Service replicas connect to the privacy firewall and can send messages to the outside world only through it. The firewall runs a majority voting algorithm just like the clients of a traditional BFT system and filters out faulty messages that may contain confidential data. This approach has several advantages, stemming from the fact that the privacy firewall is a separate component from the replicated service. The first advantage is simply the generality of the approach: since virtually all replicated services can be modeled as a replicated state machine, the privacy firewall can protect almost any replicated service that exists today. Second, once built, a privacy firewall can easily be used for a variety of replicated services, with only minor modification to the service (or none at all). Thus, CBFT's privacy firewall can be adapted to legacy applications, providing them with confidentiality after the fact. The third advantage is that the effort spent building the privacy firewall can be amortized over several replicated services: once the privacy firewall is built, it can easily be duplicated to protect additional services. This versatility makes it imaginable that companies would build privacy firewalls and then sell turnkey solutions. The firewall system has to be correct to provide confidentiality. Even though the firewall is simple, building a formally verified bug-free firewall may not be feasible. However, redundancy can be used to improve the robustness of the firewall. Such a firewall system consists of a group of nodes that are interconnected such that any path from a service replica to the outside world is longer than a threshold, .
Thus, as long as there are or fewer faulty firewall nodes, any communication from any service replica to the outside world must go through at least one correct node. Moreover, a correct node in a firewall chain can independently ensure that a unique sequence of replies results from a sequence of requests just as if this sequence of requests were processed by a single correct server. Thus, faulty machines are prevented from using steganography to leak confidential data. In summary, this paper investigates how to build available, high-integrity, and confidential access-anywhere services by using redundancy and it outlines the architecture of one implementation, the Privacy Firewall. The key challenges
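The two mechanisms the abstract describes, a voting filter that releases only quorum-backed replies (dropping a lone faulty reply that carries extra data) and a layout check that every replica-to-outside path is longer than the faulty-node threshold, as an added illustration that is not the paper's code. The replica replies are constructed, and `h` is this example's name for the threshold symbol that did not survive extraction.

```python
from collections import Counter

# Constructed sample: f = 1, so 3f+1 = 4 replicas; r3 is Byzantine and
# appends a confidential field to its reply, hoping it reaches the client.
F = 1
REPLIES_SEQ7 = {
    "r0": "balance=100",
    "r1": "balance=100",
    "r2": "balance=100",
    "r3": "balance=100;ssn=123-45-6789",   # leak attempt by the faulty replica
}

class PrivacyFirewall:
    """Voting filter that sits between the replicas and the outside world."""

    def __init__(self, f):
        self.f = f
        self.forwarded = {}   # seq -> reply already released for that seq

    def filter(self, seq, replies):
        """Return the reply to release for request `seq`, or None.
        A reply is released only if f+1 replicas sent it byte-for-byte, and
        at most one reply per seq ever leaves, so the released sequence is
        unique and cannot be steered to encode bits."""
        if seq in self.forwarded:
            return self.forwarded[seq]
        counts = Counter(replies.values())
        for body, n in counts.items():
            if n >= self.f + 1:
                self.forwarded[seq] = body
                return body
        return None   # no quorum yet: nothing leaves

def path_lengths_ok(path_lengths, h):
    """Layout check for a multi-node firewall: every replica-to-outside path
    must be longer than h (assumed name for the abstract's threshold), so with
    at most h faulty firewall nodes every path still contains a correct node."""
    return all(n > h for n in path_lengths)

if __name__ == "__main__":
    fw = PrivacyFirewall(F)
    print(fw.filter(7, REPLIES_SEQ7))      # balance=100 (the leak is dropped)
    print(path_lengths_ok([2, 3], h=1))    # True
```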
Keywords
state machine