zolfa
/
tendermint

# Interview Transcript with Tendermint core researcher, Zarko Milosevic, by Chjango

**ZM**: Regarding leader election, it's round robin, but a weighted one. Youtake into account the amount of bonded tokens. Depending on how much weightthey have of voting power, they would be elected more frequently. So we dorotate, but just the guys who are having more voting power would be electedmore frequently. We are having 4 validators, and 1 of them have 2 times morevoting power, they have 2 times more elected as a leader.
**CC**: 2x more absolute voting power or probabilistic voting power?
**ZM**: It's actually very deterministic. It's not probabilistic at all. See[Tendermint proposal election specification][1]. In Tendermint, there is nopseudorandom leader election. It's a deterministic protocol. So leader electionis a built-in function in the code, so you know exactly—depending on the votingpower in the validator set, you'd know who exactly would be the leader in roundx, x + 1, and so on. There is nothing random there; we are not trying to hidewho would be the leader. It's really well known. It's just that there is afunction, it's a mathematical function, and it's just basically—it's kind of animplementation detail—it starts from the voting power, and when you areelected, you get decreased some number, and in each round you keep increasingdepending on your voting power, so that you are elected after k rounds again.But knowing the validator set and the voting power, it's very simple function,you can calculate yourself to know exactly who would be next. For each round,this function will return you the leader for that round. In every round, we dothis computation. It's all part of the same flow. It enforces the propertieswhich are: proportional to your voting power, you will be elected, and we keepchanging the leaders. So it can't happen to have one guy being more electedthan other guys, if they have the same voting power. So one time it will be guyB, and next time it will be guy B1. So it's not random.
**CC**: Assuming the validator set remains unchanged for a month, then if yourun this function, are you able to know exactly who is going to go for thatentire month?
**ZM**: Yes.
**CC**: What're the attack scenarios for this?
**ZM**: This is something which is easily attacked by people who argue thatTendermint is not decentralized enough. They say that by knowing the leader,you can DDoS the leader. And by DDoSing the leader, you are able to stop theprogress. Because it's true. If you would be able to DDoS the leader, theleader would not be able to propose and then effectively will not be makingprogress. How we are addressing this thing is Sentry Architecture. So thevalidator—or at least a proper validator—will never be available. You don'tknow the ip address of the validator. You are never able to open the connectionto the validator. So validator is spawning sentry nodes and this is the singleadministration domain and there is only connection from validator in the senseof sentry nodes. And ip address of validator is not shared in the p2p network.It’s completely private. This is our answer to DDoS attack. By playing cleverat this sentry node architecture and spawning additional sentry nodes in case,for ex your sentry nodes are being DDoS’d, bc your sentry nodes are public,then you will be able to connect to sentry nodes. this is where we will expectthe validator to be clever enough that so that in case they are DDoS’d at thesentry level, they will spawn a different sentry node and then you communicatethrough them. We are in a sense pushing the responsibility on the validator.
**CC**: So if I understand this correctly, the public identity of the validatordoesn’t even matter because that entity can obfuscate where their real fullnodes reside via a proxy through this sentry architecture.
**ZM**: Exactly. So you do know what is the address or identity of the validatorbut you don’t know the network address of it; you’re not able to attack itbecause you don’t know where they are. They are completely obfuscated by thesentry nodes. There is now, if you really want to figure out….There is theTendermint protocol, the structure of the protocol is not fully decentralizedin the sense that the flow of information is going from the round proposer, orthe round coordinator, to other nodes, and then after they receive this it’sbasically like [inaudible: “O to 1”]. So by tracking where this information iscoming from, you might be able to identify who are the sentry nodes behind it.So if you are doing some network analysis, you might be able to deducesomething. If the thing would be completely stuck, where the validator wouldnever change their sentry nodes or ip addresses of sentry nodes, it could bepossible to deduce something. This is where economic game comes into play. Weare doing an economics game there. We say that it’s a validator business. Ifthey are not able to hide themselves well enough, they’ll be DDoS’d and theywill be kicked out of the active validator set. So it’s in their interest.
[Proposer Selection Procedure in Tendermint][1]. This is how it should work nomatter what implementation.
**CC**: Going back to the proposer, lets say the validator does get DDoS’d, thenthe proposer goes down. What happens?
**ZM**: How the proposal mechanism works—there’s nothing special there—it goesthrough a sequence of rounds. Normal execution of Tendermint is that for eachheight, we are going through a sequence of rounds, starting from round 0, andthen we are incrementing through the rounds. The nodes are moving through therounds as part of normal procedure until they decide to commit. In case youhave one proposer—the proposer of a single round—being DDoS’d, we will probablynot decide in that round, because he will not be able to send his proposal. Sowe will go to the next round, and hopefully the next proposer will be able tocommunicate with the validators and then we’ll decide in the next round.
**CC**: Are there timeouts between one round to another, if a round getsskipped?
**ZM**: There are timeouts. It’s a bit more complex. I think we have 5 timeouts.We may be able to simplify this a bit. What is important to understand is: Theonly condition which needs to be satisfied so we can go to the next round isthat your validator is able to communicate with more than 2/3rds of votingpower. To be able to move to the next round, you need to receive more than2/3rd of voting power equivalent of pre-commit messages.
We have two kinds of messages: 1) Proposal: Where the current round proposer issuggesting how the next block should look like. This is first one. Every roundstarts with proposer sending a proposal. And then there are two more rounds ofvoting, where the validator is trying to agree whether they will commit theproposal or not. And the first of such vote messages is called `pre-vote` andthe second one is `pre-commit`. Now, to be able to move between steps, betweena `pre-vote` and `pre-commit` step, you need to receive enough number ofmessages where if message is sent by validator A, then also this message has aweight, or voting power which is equal to the voting power of the validator whosent this message. Before you receive more than 2/3 of voting power messages, you are notable to move to the higher round. Only when you receive more than 2/3 ofmessages, you actually start the timeout. The timeout is happening only afteryou receive enough messages. And it happens because of the asynchrony of themessage communication so you give more time to guys with this timeout toreceive some messages which are maybe delayed.
**CC**: In this way that you just described via the whole network gossipingbefore we commit a block, that is what makes Tendermint BFT deterministic in apartially synchronous setting vs Bitcoin which has synchrony assumptionswhereby blocks are first mined and then gossiped to the network.
**ZM**: It's true that in Bitcoin, this is where the synchrony assumption comesto play because if they're not able to communicate timely, they are not able toconverge to a single longest chain. Why are they not able to decrease timeoutin Bitcoin? Because if they would decrease, there would be so many forks thatthey won't be able to converge to a single chain. By increasing thiscomplexity and the block time, they're able to have not so many forks. This iseffectively the timing assumption—the block duration in a sense because it'senough time so that the decided block is propagated through the network beforesomeone else start deciding on the same block and creating forks. It's verydifferent from the consensus algorithms in a distributed computing setup whereTendermint fits. In Tendermint, where we talk about the timing dependency, theyare really part of this 3-communication step protocol I just explained. We havethe following assumption: If the good guys are not able to communicate timelyand reliably without having message loss within a round, the Tendermint willnot make progress—it will not be making blocks. So if you are in a completelyasynchronous network where messages get lost or delayed unpredictably,Tendermint will not make progress, it will not create forks, but it will notdecide, it will not tell you what is the next block. For termination, it's aliveness property of consensus. It's a guarantee to decide. We do need timingassumptions. Within a round, correct validators are able to communicate to eachother the consensus messages, not the transactions, but consensus messages.They need to communicate in a timely and reliable fashion. But this doesn'tneed to hold forever. It's just that what we are assuming when we say it's apartially synchronous system, we assume that the system will be going through aperiod of asynchrony, where we don't have this guarantee; the messages will bedelayed or some will be lost and then will not make progress for some period oftime, or we're not guaranteed to make progress. And the period of synchronywhere these guarantees hold. And if we think about internet, internet is bestdescribed using such a model. Sometimes when we send a message to SF toBelgrade, it takes 100 ms, sometimes it takes 300 ms, sometimes it takes 1 s.But in most cases, it takes 100 ms or less than this.
There is one thing which would be really nice if you understand it. In a globalwide area network, we can't make assumption on the communication unless we arevery conservative about this. If you want to be very fast, then we can't makeassumption and say we'll be for sure communicating with 1 ms communicationdelay. Because of the complexity and various congestion issues on the network,it might happen that during a short period of time, this doesn't hold. If thisdoesn't hold and you depend on this for correctness of your protocol, you willhave a fork. So the partially synchronous protocol, most of them likeTendermint, they don't depend on the timing assumption from the internet forcorrectness. This is where we state: safety always. So we never make a fork nomatter how bad our estimates about the internet communication delays are. We'llnever make a fork, but we do make some assumptions, and these assumptions arebuilt-in our timeouts in our protocol which are actually adaptive. So we areadapting to the current condition and this is where we're saying...We do assumesome properties, or some communication delays, to eventually hold on thenetwork. During this period, we guarantee that we will be deciding andcommitting blocks. And we will be doing this very fast. We will be basically onthe speed of the current network.
**CC**: We make liveness assumptions based on the integrity of the validatorbusinesses, assuming they're up and running fine.
**ZM**: This is where we are saying, the protocol will be live if we have atmost 1/3, or a bit less than 1/3, of faulty validators. Which means that allother guys should be online and available. This is also for liveness. This isrelated to the condition that we are not able to make progress in rounds if wedon't receive enough messages. If half of our voting power, or half of ourvalidators are down, we don't have enough messages, so the protocol iscompletely blocked. It doesn't make progress in a round, which means it's notable to be signed. So it's completely critical for Tendermint that we makeprogress in rounds. It's like breathing. Tendermint is breathing. If there isno progress, it's dead; it's blocked, we're not able to breathe, that's whywe're not able to make progress.
**CC**: How does Tendermint compare to other consensus algos?
**ZM**: Tendermint is a very interesting protocol. From an academic point ofview, I'm convinced that there is value there. Hopefully, we prove it bypublishing it on some good conference. What is novel is, if we compare firstTendermint to this existing BFT problem, it's a continuation of academicresearch on BFT consensus. What is novel in Tendermint is that it somehowmerges consensus protocol with gossip. This is completely novel idea.Originally, in BFT, people were assuming the single administration domain,small number of nodes, local area network, 4-7 nodes max. If you look at theresearch paper, 99% of them have this kind of setup. Wide area was studied butthere is significantly less work in wide area networks. No one studied how toscale those protocols to hundreds or thousands of nodes before blockchain. Itwas always a single administration domain. So in Tendermint now, you are ableto reach consensus among different administration domains which are potentiallyhundreds of them in wide area network. The system model is potentially harderbecause we have more nodes and wide area network. The second thing is that:normally, in bft protocols, the protocol itself are normally designed in a waythat has two phases, or two parts. The one which is called normal case, whichis normally quite simple, in this normal case. In spite of some failures, whichare part of the normal execution of the protocol, like for example leadercrashes or leader being DDoS'd, they need to go through a quite complexprotocol, which is like being called view change or leader election orwhatever. These two parts of the same protocol are having quite differentcomplexity. And most of the people only understand this normal case. InTendermint, there is no this difference. We have only one protocol, there arenot two protocols. It's always the same steps and they are much closer to thenormal case than this complex view change protocol.
_This is a bit too technical but this is on a high level things to remember,that: The system it addresses it's harder than the others and the algorithmcomplexity in Tendermint is simpler._ The initial goal of Jae and Bucky whichis inspired by Raft, is that it's simpler so normal engineers could understand.
**CC**: Can you expand on the termination requirement?
> **Important point about Liveness in Tendermint**

**ZM**: In Tendermint, we are saying, for termination, we are making assumptionthat the system is partially synchronous. And in a partially synchronous systemmodel, we are able to mathematically prove that the protocol will makedecisions; it will decide.
**CC**: What is a persistent peer?
**ZM**: It's a list of peer identities, which you will try to establishconnection to them, in case connection is broken, Tendermint will automaticallytry to reestablish connection. These are important peers, you will really trypersistently to establish connection to them. For other peers, you just drop itand try from your address book to connect to someone else. The address book is alist of peers which you discover that they exist, because we are talking about avery dynamic network—so the nodes are coming and going away—and the gossipingprotocol is discovering new nodes and gossiping them around. So every node willkeep the list of new nodes it discovers, and when you need to establishconnection to a peer, you'll look to address book and get some addresses fromthere. There's categorization/ranking of nodes there.
[1]: https://docs.tendermint.com/master/spec/reactors/consensus/proposer-selection.html