You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

639 lines
22 KiB

  1. <!-- markdown-link-check-disable -->
  2. # Draft of Light Client Supervisor for discussion
  3. ## TODOs
  4. This specification in done in parallel with updates on the
  5. verification specification. So some hyperlinks have to be placed to
  6. the correct files eventually.
  7. # Light Client Sequential Supervisor
  8. The light client implements a read operation of a
  9. [header](TMBC-HEADER-link) from the [blockchain](TMBC-SEQ-link), by
  10. communicating with full nodes, a so-called primary and several
  11. so-called witnesses. As some full nodes may be faulty, this
  12. functionality must be implemented in a fault-tolerant way.
  13. In the Tendermint blockchain, the validator set may change with every
  14. new block. The staking and unbonding mechanism induces a [security
  15. model](TMBC-FM-2THIRDS-link): starting at time *Time* of the
  16. [header](TMBC-HEADER-link),
  17. more than two-thirds of the next validators of a new block are correct
  18. for the duration of *TrustedPeriod*.
  19. [Light Client Verification](https://informal.systems) implements the fault-tolerant read
  20. operation designed for this security model. That is, it is safe if the
  21. model assumptions are satisfied and makes progress if it communicates
  22. to a correct primary.
  23. However, if the [security model](TMBC-FM-2THIRDS-link) is violated,
  24. faulty peers (that have been validators at some point in the past) may
  25. launch attacks on the Tendermint network, and on the light
  26. client. These attacks as well as an axiomatization of blocks in
  27. general are defined in [a document that contains the definitions that
  28. are currently in detection.md](https://informal.systems).
  29. If there is a light client attack (but no
  30. successful attack on the network), the safety of the verification step
  31. may be violated (as we operate outside its basic assumption).
  32. The light client also
  33. contains a defense mechanism against light clients attacks, called detection.
  34. [Light Client Detection](https://informal.systems) implements a cross check of the result
  35. of the verification step. If there is a light client attack, and the
  36. light client is connected to a correct peer, the light client as a
  37. whole is safe, that is, it will not operate on invalid
  38. blocks. However, in this case it cannot successfully read, as
  39. inconsistent blocks are in the system. However, in this case the
  40. detection performs a distributed computation that results in so-called
  41. evidence. Evidence can be used to prove
  42. to a correct full node that there has been a
  43. light client attack.
  44. [Light Client Evidence Accountability](https://informal.systems) is a protocol run on a
  45. full node to check whether submitted evidence indeed proves the
  46. existence of a light client attack. Further, from the evidence and its
  47. own knowledge about the blockchain, the full node computes a set of
  48. bonded full nodes (that at some point had more than one third of the
  49. voting power) that participated in the attack that will be reported
  50. via ABCI to the application.
  51. In this document we specify
  52. - Initialization of the Light Client
  53. - The interaction of [verification](https://informal.systems) and [detection](https://informal.systems)
  54. The details of these two protocols are captured in their own
  55. documents, as is the [accountability](https://informal.systems) protocol.
  56. > Another related line is IBC attack detection and submission at the
  57. > relayer, as well as attack verification at the IBC handler. This
  58. > will call for yet another spec.
  59. # Status
  60. This document is work in progress. In order to develop the
  61. specification step-by-step,
  62. it assumes certain details of [verification](https://informal.systems) and
  63. [detection](https://informal.systems) that are not specified in the respective current
  64. versions yet. This inconsistencies will be addresses over several
  65. upcoming PRs.
  66. # Part I - Tendermint Blockchain
  67. See [verification spec](addLinksWhenDone)
  68. # Part II - Sequential Problem Definition
  69. #### **[LC-SEQ-INIT-LIVE.1]**
  70. Upon initialization, the light client gets as input a header of the
  71. blockchain, or the genesis file of the blockchain, and eventually
  72. stores a header of the blockchain.
  73. #### **[LC-SEQ-LIVE.1]**
  74. The light client gets a sequence of heights as inputs. For each input
  75. height *targetHeight*, it eventually stores the header of height
  76. *targetHeight*.
  77. #### **[LC-SEQ-SAFE.1]**
  78. The light client never stores a header which is not in the blockchain.
  79. # Part III - Light Client as Distributed System
  80. ## Computational Model
  81. The light client communicates with remote processes only via the
  82. [verification](TODO) and the [detection](TODO) protocols. The
  83. respective assumptions are given there.
  84. ## Distributed Problem Statement
  85. ### Two Kinds of Liveness
  86. In case of light client attacks, the sequential problem statement
  87. cannot always be satisfied. The lightclient cannot decide which block
  88. is from the chain and which is not. As a result, the light client just
  89. creates evidence, submits it, and terminates.
  90. For the liveness property, we thus add the
  91. possibility that instead of adding a lightblock, we also might terminate
  92. in case there is an attack.
  93. #### **[LC-DIST-TERM.1]**
  94. The light client either runs forever or it *terminates on attack*.
  95. ### Design choices
  96. #### [LC-DIST-STORE.1]
  97. The light client has a local data structure called LightStore
  98. that contains light blocks (that contain a header).
  99. > The light store exposes functions to query and update it. They are
  100. > specified [here](TODO:onceVerificationIsMerged).
  101. **TODO:** reference light store invariant [LCV-INV-LS-ROOT.2] once
  102. verification is merged
  103. #### **[LC-DIST-SAFE.1]**
  104. It is always the case that every header in *LightStore* was
  105. generated by an instance of Tendermint consensus.
  106. #### **[LC-DIST-LIVE.1]**
  107. Whenever the light client gets a new height *h* as input,
  108. - and there is
  109. no light client attack up to height *h*, then the lightclient
  110. eventually puts the lightblock of height *h* in the lightstore and
  111. wait for another input.
  112. - otherwise, that is, if there
  113. is a light client attack on height *h*, then the light client
  114. must perform one of the following:
  115. - it terminates on attack.
  116. - it eventually puts the lightblock of height *h* in the lightstore and
  117. wait for another input.
  118. > Observe that the "existence of a lightclient attack" just means that some node has generated a conflicting block. It does not necessarily mean that a (faulty) peer sends such a block to "our" lightclient. Thus, even if there is an attack somewhere in the system, our lightclient might still continue to operate normally.
  119. ### Solving the sequential specification
  120. [LC-DIST-SAFE.1] is guaranteed by the detector; in particular it
  121. follows from
  122. [[LCD-DIST-INV-STORE.1]](TODO)
  123. [[LCD-DIST-LIVE.1]](TODO)
  124. # Part IV - Light Client Supervisor Protocol
  125. We provide a specification for a sequential Light Client Supervisor.
  126. The local code for verification is presented by a sequential function
  127. `Sequential-Supervisor` to highlight the control flow of this
  128. functionality. Each lightblock is first verified with a primary, and then
  129. cross-checked with secondaries, and if all goes well, the lightblock
  130. is
  131. added (with the attribute "trusted") to the
  132. lightstore. Intermiate lightblocks that were used to verify the target
  133. block but were not cross-checked are stored as "verified"
  134. > We note that if a different concurrency model is considered
  135. > for an implementation, the semantics of the lightstore might change:
  136. > In a concurrent implementation, we might do verification for some
  137. > height *h*, add the
  138. > lightblock to the lightstore, and start concurrent threads that
  139. >
  140. > - do verification for the next height *h' != h*
  141. > - do cross-checking for height *h*. If we find an attack, we remove
  142. > *h* from the lightstore.
  143. > - the user might already start to use *h*
  144. >
  145. > Thus, this concurrency model changes the semantics of the
  146. > lightstore (not all lightblocks that are read by the user are
  147. > trusted; they may be removed if
  148. > we find a problem). Whether this is desirable, and whether the gain in
  149. > performance is worth it, we keep for future versions/discussion of
  150. > lightclient protocols.
  151. ## Definitions
  152. ### Peers
  153. #### **[LC-DATA-PEERS.1]:**
  154. A fixed set of full nodes is provided in the configuration upon
  155. initialization. Initially this set is partitioned into
  156. - one full node that is the *primary* (singleton set),
  157. - a set *Secondaries* (of fixed size, e.g., 3),
  158. - a set *FullNodes*; it excludes *primary* and *Secondaries* nodes.
  159. - A set *FaultyNodes* of nodes that the light client suspects of
  160. being faulty; it is initially empty
  161. #### **[LC-INV-NODES.1]:**
  162. The detector shall maintain the following invariants:
  163. - *FullNodes \intersect Secondaries = {}*
  164. - *FullNodes \intersect FaultyNodes = {}*
  165. - *Secondaries \intersect FaultyNodes = {}*
  166. and the following transition invariant
  167. - *FullNodes' \union Secondaries' \union FaultyNodes' = FullNodes
  168. \union Secondaries \union FaultyNodes*
  169. #### **[LC-FUNC-REPLACE-PRIMARY.1]:**
  170. ```go
  171. Replace_Primary(root-of-trust LightBlock)
  172. ```
  173. - Implementation remark
  174. - the primary is replaced by a secondary
  175. - to maintain a constant size of secondaries, need to
  176. - pick a new secondary *nsec* while ensuring [LC-INV-ROOT-AGREED.1]
  177. - that is, we need to ensure that root-of-trust = FetchLightBlock(nsec, root-of-trust.Header.Height)
  178. - Expected precondition
  179. - *FullNodes* is nonempty
  180. - Expected postcondition
  181. - *primary* is moved to *FaultyNodes*
  182. - a secondary *s* is moved from *Secondaries* to primary
  183. - Error condition
  184. - if precondition is violated
  185. #### **[LC-FUNC-REPLACE-SECONDARY.1]:**
  186. ```go
  187. Replace_Secondary(addr Address, root-of-trust LightBlock)
  188. ```
  189. - Implementation remark
  190. - maintain [LC-INV-ROOT-AGREED.1], that is,
  191. ensure root-of-trust = FetchLightBlock(nsec, root-of-trust.Header.Height)
  192. - Expected precondition
  193. - *FullNodes* is nonempty
  194. - Expected postcondition
  195. - addr is moved from *Secondaries* to *FaultyNodes*
  196. - an address *nsec* is moved from *FullNodes* to *Secondaries*
  197. - Error condition
  198. - if precondition is violated
  199. ### Data Types
  200. The core data structure of the protocol is the LightBlock.
  201. #### **[LC-DATA-LIGHTBLOCK.1]**
  202. ```go
  203. type LightBlock struct {
  204. Header Header
  205. Commit Commit
  206. Validators ValidatorSet
  207. NextValidators ValidatorSet
  208. Provider PeerID
  209. }
  210. ```
  211. #### **[LC-DATA-LIGHTSTORE.1]**
  212. LightBlocks are stored in a structure which stores all LightBlock from
  213. initialization or received from peers.
  214. ```go
  215. type LightStore struct {
  216. ...
  217. }
  218. ```
  219. We use the functions that the LightStore exposes, which
  220. are defined in the [verification specification](TODO).
  221. ### Inputs
  222. The lightclient is initialized with LCInitData
  223. #### **[LC-DATA-INIT.1]**
  224. ```go
  225. type LCInitData struct {
  226. lightBlock LightBlock
  227. genesisDoc GenesisDoc
  228. }
  229. ```
  230. where only one of the components must be provided. `GenesisDoc` is
  231. defined in the [Tendermint
  232. Types](https://github.com/tendermint/tendermint/blob/master/types/genesis.go).
  233. #### **[LC-DATA-GENESIS.1]**
  234. ```go
  235. type GenesisDoc struct {
  236. GenesisTime time.Time `json:"genesis_time"`
  237. ChainID string `json:"chain_id"`
  238. InitialHeight int64 `json:"initial_height"`
  239. ConsensusParams *tmproto.ConsensusParams `json:"consensus_params,omitempty"`
  240. Validators []GenesisValidator `json:"validators,omitempty"`
  241. AppHash tmbytes.HexBytes `json:"app_hash"`
  242. AppState json.RawMessage `json:"app_state,omitempty"`
  243. }
  244. ```
  245. We use the following function
  246. `makeblock` so that we create a lightblock from the genesis
  247. file in order to do verification based on the data from the genesis
  248. file using the same verification function we use in normal operation.
  249. #### **[LC-FUNC-MAKEBLOCK.1]**
  250. ```go
  251. func makeblock (genesisDoc GenesisDoc) (lightBlock LightBlock))
  252. ```
  253. - Implementation remark
  254. - none
  255. - Expected precondition
  256. - none
  257. - Expected postcondition
  258. - lightBlock.Header.Height = genesisDoc.InitialHeight
  259. - lightBlock.Header.Time = genesisDoc.GenesisTime
  260. - lightBlock.Header.LastBlockID = nil
  261. - lightBlock.Header.LastCommit = nil
  262. - lightBlock.Header.Validators = genesisDoc.Validators
  263. - lightBlock.Header.NextValidators = genesisDoc.Validators
  264. - lightBlock.Header.Data = nil
  265. - lightBlock.Header.AppState = genesisDoc.AppState
  266. - lightBlock.Header.LastResult = nil
  267. - lightBlock.Commit = nil
  268. - lightBlock.Validators = genesisDoc.Validators
  269. - lightBlock.NextValidators = genesisDoc.Validators
  270. - lightBlock.Provider = nil
  271. - Error condition
  272. - none
  273. ----
  274. ### Configuration Parameters
  275. #### **[LC-INV-ROOT-AGREED.1]**
  276. In the Sequential-Supervisor, it is always the case that the primary
  277. and all secondaries agree on lightStore.Latest().
  278. ### Assumptions
  279. We have to assume that the initialization data (the lightblock or the
  280. genesis file) are consistent with the blockchain. This is subjective
  281. initialization and it cannot be checked locally.
  282. ### Invariants
  283. #### **[LC-INV-PEERLIST.1]:**
  284. The peer list contains a primary and a secondary.
  285. > If the invariant is violated, the light client does not have enough
  286. > peers to download headers from. As a result, the light client
  287. > needs to terminate in case this invariant is violated.
  288. ## Supervisor
  289. ### Outline
  290. The supervisor implements the functionality of the lightclient. It is
  291. initialized with a genesis file or with a lightblock the user
  292. trusts. This initialization is subjective, that is, the security of
  293. the lightclient is based on the validity of the input. If the genesis
  294. file or the lightblock deviate from the actual ones on the blockchain,
  295. the lightclient provides no guarantees.
  296. After initialization, the supervisor awaits an input, that is, the
  297. height of the next lightblock that should be obtained. Then it
  298. downloads, verifies, and cross-checks a lightblock, and if all tests
  299. go through, the light block (and possibly other lightblocks) are added
  300. to the lightstore, which is returned in an output event to the user.
  301. The following main loop does the interaction with the user (input,
  302. output) and calls the following two functions:
  303. - `InitLightClient`: it initializes the lightstore either with the
  304. provided lightblock or with the lightblock that corresponds to the
  305. first block generated by the blockchain (by the validators defined
  306. by the genesis file)
  307. - `VerifyAndDetect`: takes as input a lightstore and a height and
  308. returns the updated lightstore.
  309. #### **[LC-FUNC-SUPERVISOR.1]:**
  310. ```go
  311. func Sequential-Supervisor (initdata LCInitData) (Error) {
  312. lightStore,result := InitLightClient(initData);
  313. if result != OK {
  314. return result;
  315. }
  316. loop {
  317. // get the next height
  318. nextHeight := input();
  319. lightStore,result := VerifyAndDetect(lightStore, nextHeight);
  320. if result == OK {
  321. output(LightStore.Get(targetHeight));
  322. // we only output a trusted lightblock
  323. }
  324. else {
  325. return result
  326. }
  327. // QUESTION: is it OK to generate output event in normal case,
  328. // and terminate with failure in the (light client) attack case?
  329. }
  330. }
  331. ```
  332. - Implementation remark
  333. - infinite loop unless a light client attack is detected
  334. - In typical implementations (e.g., the one in Rust),
  335. there are mutliple input actions:
  336. `VerifytoLatest`, `LatestTrusted`, and `GetStatus`. The
  337. information can be easily obtained from the lightstore, so that
  338. we do not treat these requests explicitly here but just consider
  339. the request for a block of a given height which requires more
  340. involved computation and communication.
  341. - Expected precondition
  342. - *LCInitData* contains a genesis file or a lightblock.
  343. - Expected postcondition
  344. - if a light client attack is detected: it stops and submits
  345. evidence (in `InitLightClient` or `VerifyAndDetect`)
  346. - otherwise: non. It runs forever.
  347. - Invariant: *lightStore* contains trusted lightblocks only.
  348. - Error condition
  349. - if `InitLightClient` or `VerifyAndDetect` fails (if a attack is
  350. detected, or if [LCV-INV-TP.1] is violated)
  351. ----
  352. ### Details of the Functions
  353. #### Initialization
  354. The light client is based on subjective initialization. It has to
  355. trust the initial data given to it by the user. It cannot do any
  356. detection of attack. So either upon initialization we obtain a
  357. lightblock and just initialize the lightstore with it. Or in case of a
  358. genesis file, we download, verify, and cross-check the first block, to
  359. initialize the lightstore with this first block. The reason is that
  360. we want to maintain [LCV-INV-TP.1] from the beginning.
  361. > If the lightclient is initialized with a lightblock, one might think
  362. > it may increase trust, when one cross-checks the initial light
  363. > block. However, if a peer provides a conflicting
  364. > lightblock, the question is to distinguish the case of a
  365. > [bogus](https://informal.systems) block (upon which operation should proceed) from a
  366. > [light client attack](https://informal.systems) (upon which operation should stop). In
  367. > case of a bogus block, the lightclient might be forced to do
  368. > backwards verification until the blocks are out of the trusting
  369. > period, to make sure no previous validator set could have generated
  370. > the bogus block, which effectively opens up a DoS attack on the lightclient
  371. > without adding effective robustness.
  372. #### **[LC-FUNC-INIT.1]:**
  373. ```go
  374. func InitLightClient (initData LCInitData) (LightStore, Error) {
  375. if LCInitData.LightBlock != nil {
  376. // we trust the provided initial block.
  377. newblock := LCInitData.LightBlock
  378. }
  379. else {
  380. genesisBlock := makeblock(initData.genesisDoc);
  381. result := NoResult;
  382. while result != ResultSuccess {
  383. current = FetchLightBlock(PeerList.primary(), genesisBlock.Header.Height + 1)
  384. // QUESTION: is the height with "+1" OK?
  385. if CANNOT_VERIFY = ValidAndVerify(genesisBlock, current) {
  386. Replace_Primary();
  387. }
  388. else {
  389. result = ResultSuccess
  390. }
  391. }
  392. // cross-check
  393. auxLS := new LightStore
  394. auxLS.Add(current)
  395. Evidences := AttackDetector(genesisBlock, auxLS)
  396. if Evidences.Empty {
  397. newBlock := current
  398. }
  399. else {
  400. // [LC-SUMBIT-EVIDENCE.1]
  401. submitEvidence(Evidences);
  402. return(nil, ErrorAttack);
  403. }
  404. }
  405. lightStore := new LightStore;
  406. lightStore.Add(newBlock);
  407. return (lightStore, OK);
  408. }
  409. ```
  410. - Implementation remark
  411. - none
  412. - Expected precondition
  413. - *LCInitData* contains either a genesis file of a lightblock
  414. - if genesis it passes `ValidateAndComplete()` see [Tendermint](https://informal.systems)
  415. - Expected postcondition
  416. - *lightStore* initialized with trusted lightblock. It has either been
  417. cross-checked (from genesis) or it has initial trust from the
  418. user.
  419. - Error condition
  420. - if precondition is violated
  421. - empty peerList
  422. ----
  423. #### Main verification and detection logic
  424. #### **[LC-FUNC-MAIN-VERIF-DETECT.1]:**
  425. ```go
  426. func VerifyAndDetect (lightStore LightStore, targetHeight Height)
  427. (LightStore, Result) {
  428. b1, r1 = lightStore.Get(targetHeight)
  429. if r1 == true {
  430. if b1.State == StateTrusted {
  431. // block already there and trusted
  432. return (lightStore, ResultSuccess)
  433. }
  434. else {
  435. // We have a lightblock in the store, but it has not been
  436. // cross-checked by now. We do that now.
  437. root_of_trust, auxLS := lightstore.TraceTo(b1);
  438. // Cross-check
  439. Evidences := AttackDetector(root_of_trust, auxLS);
  440. if Evidences.Empty {
  441. // no attack detected, we trust the new lightblock
  442. lightStore.Update(auxLS.Latest(),
  443. StateTrusted,
  444. verfiedLS.Latest().verification-root);
  445. return (lightStore, OK);
  446. }
  447. else {
  448. // there is an attack, we exit
  449. submitEvidence(Evidences);
  450. return(lightStore, ErrorAttack);
  451. }
  452. }
  453. }
  454. // get the lightblock with maximum height smaller than targetHeight
  455. // would typically be the heighest, if we always move forward
  456. root_of_trust, r2 = lightStore.LatestPrevious(targetHeight);
  457. if r2 = false {
  458. // there is no lightblock from which we can do forward
  459. // (skipping) verification. Thus we have to go backwards.
  460. // No cross-check needed. We trust hashes. Therefore, we
  461. // directly return the result
  462. return Backwards(primary, lightStore.Lowest(), targetHeight)
  463. }
  464. else {
  465. // Forward verification + detection
  466. result := NoResult;
  467. while result != ResultSuccess {
  468. verifiedLS,result := VerifyToTarget(primary,
  469. root_of_trust,
  470. nextHeight);
  471. if result == ResultFailure {
  472. // pick new primary (promote a secondary to primary)
  473. Replace_Primary(root_of_trust);
  474. }
  475. else if result == ResultExpired {
  476. return (lightStore, result)
  477. }
  478. }
  479. // Cross-check
  480. Evidences := AttackDetector(root_of_trust, verifiedLS);
  481. if Evidences.Empty {
  482. // no attack detected, we trust the new lightblock
  483. verifiedLS.Update(verfiedLS.Latest(),
  484. StateTrusted,
  485. verfiedLS.Latest().verification-root);
  486. lightStore.store_chain(verifidLS);
  487. return (lightStore, OK);
  488. }
  489. else {
  490. // there is an attack, we exit
  491. return(lightStore, ErrorAttack);
  492. }
  493. }
  494. }
  495. ```
  496. - Implementation remark
  497. - none
  498. - Expected precondition
  499. - none
  500. - Expected postcondition
  501. - lightblock of height *targetHeight* (and possibly additional blocks) added to *lightStore*
  502. - Error condition
  503. - an attack is detected
  504. - [LC-DATA-PEERLIST-INV.1] is violated
  505. ----