You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

577 lines
26 KiB

  1. ---
  2. order: 1
  3. parent:
  4. title: Verification
  5. order: 2
  6. ---
  7. # Core Verification
  8. ## Problem statement
  9. We assume that the light client knows a (base) header `inithead` it trusts (by social consensus or because
  10. the light client has decided to trust the header before). The goal is to check whether another header
  11. `newhead` can be trusted based on the data in `inithead`.
  12. The correctness of the protocol is based on the assumption that `inithead` was generated by an instance of
  13. Tendermint consensus.
  14. ### Failure Model
  15. For the purpose of the following definitions we assume that there exists a function
  16. `validators` that returns the corresponding validator set for the given hash.
  17. The light client protocol is defined with respect to the following failure model:
  18. Given a known bound `TRUSTED_PERIOD`, and a block `b` with header `h` generated at time `Time`
  19. (i.e. `h.Time = Time`), a set of validators that hold more than 2/3 of the voting power
  20. in `validators(b.Header.NextValidatorsHash)` is correct until time `b.Header.Time + TRUSTED_PERIOD`.
  21. *Assumption*: "correct" is defined w.r.t. realtime (some Newtonian global notion of time, i.e., wall time),
  22. while `Header.Time` corresponds to the [BFT time](../consensus/bft-time.md). In this note, we assume that clocks of correct processes
  23. are synchronized (for example using NTP), and therefore there is bounded clock drift (`CLOCK_DRIFT`) between local clocks and
  24. BFT time. More precisely, for every correct light client process and every `header.Time` (i.e. BFT Time, for a header correctly
  25. generated by the Tendermint consensus), the following inequality holds: `Header.Time < now + CLOCK_DRIFT`,
  26. where `now` corresponds to the system clock at the light client process.
  27. Furthermore, we assume that `TRUSTED_PERIOD` is (several) order of magnitude bigger than `CLOCK_DRIFT` (`TRUSTED_PERIOD >> CLOCK_DRIFT`),
  28. as `CLOCK_DRIFT` (using NTP) is in the order of milliseconds and `TRUSTED_PERIOD` is in the order of weeks.
  29. We expect a light client process defined in this document to be used in the context in which there is some
  30. larger period during which misbehaving validators can be detected and punished (we normally refer to it as `UNBONDING_PERIOD`
  31. due to the "bonding" mechanism in modern proof of stake systems). Furthermore, we assume that
  32. `TRUSTED_PERIOD < UNBONDING_PERIOD` and that they are normally of the same order of magnitude, for example
  33. `TRUSTED_PERIOD = UNBONDING_PERIOD / 2`.
  34. The specification in this document considers an implementation of the light client under the Failure Model defined above.
  35. Mechanisms like `fork accountability` and `evidence submission` are defined in the context of `UNBONDING_PERIOD` and
  36. they incentivize validators to follow the protocol specification defined in this document. If they don't,
  37. and we have 1/3 (or more) faulty validators, safety may be violated. Our approach then is
  38. to *detect* these cases (after the fact), and take suitable repair actions (automatic and social).
  39. This is discussed in document on [Fork accountability](./accountability.md).
  40. The term "trusted" above indicates that the correctness of the protocol depends on
  41. this assumption. It is in the responsibility of the user that runs the light client to make sure that the risk
  42. of trusting a corrupted/forged `inithead` is negligible.
  43. *Remark*: This failure model might change to a hybrid version that takes heights into account in the future.
  44. ### High Level Solution
  45. Upon initialization, the light client is given a header `inithead` it trusts (by
  46. social consensus). When a light clients sees a new signed header `snh`, it has to decide whether to trust the new
  47. header. Trust can be obtained by (possibly) the combination of three methods.
  48. 1. **Uninterrupted sequence of headers.** Given a trusted header `h` and an untrusted header `h1`,
  49. the light client trusts a header `h1` if it trusts all headers in between `h` and `h1`.
  50. 2. **Trusted period.** Given a trusted header `h`, an untrusted header `h1 > h` and `TRUSTED_PERIOD` during which
  51. the failure model holds, we can check whether at least one validator, that has been continuously correct
  52. from `h.Time` until now, has signed `h1`. If this is the case, we can trust `h1`.
  53. 3. **Bisection.** If a check according to 2. (trusted period) fails, the light client can try to
  54. obtain a header `hp` whose height lies between `h` and `h1` in order to check whether `h` can be used to
  55. get trust for `hp`, and `hp` can be used to get trust for `snh`. If this is the case we can trust `h1`;
  56. if not, we continue recursively until either we found set of headers that can build (transitively) trust relation
  57. between `h` and `h1`, or we failed as two consecutive headers don't verify against each other.
  58. ## Definitions
  59. ### Data structures
  60. In the following, only the details of the data structures needed for this specification are given.
  61. ```go
  62. type Header struct {
  63. Height int64
  64. Time Time // the chain time when the header (block) was generated
  65. LastBlockID BlockID // prev block info
  66. ValidatorsHash []byte // hash of the validators for the current block
  67. NextValidatorsHash []byte // hash of the validators for the next block
  68. }
  69. type SignedHeader struct {
  70. Header Header
  71. Commit Commit // commit for the given header
  72. }
  73. type ValidatorSet struct {
  74. Validators []Validator
  75. TotalVotingPower int64
  76. }
  77. type Validator struct {
  78. Address Address // validator address (we assume validator's addresses are unique)
  79. VotingPower int64 // validator's voting power
  80. }
  81. type TrustedState {
  82. SignedHeader SignedHeader
  83. ValidatorSet ValidatorSet
  84. }
  85. ```
  86. ### Functions
  87. For the purpose of this light client specification, we assume that the Tendermint Full Node
  88. exposes the following functions over Tendermint RPC:
  89. ```go
  90. // returns signed header: Header with Commit, for the given height
  91. func Commit(height int64) (SignedHeader, error)
  92. // returns validator set for the given height
  93. func Validators(height int64) (ValidatorSet, error)
  94. ```
  95. Furthermore, we assume the following auxiliary functions:
  96. ```go
  97. // returns true if the commit is for the header, ie. if it contains
  98. // the correct hash of the header; otherwise false
  99. func matchingCommit(header Header, commit Commit) bool
  100. // returns the set of validators from the given validator set that
  101. // committed the block (that correctly signed the block)
  102. // it assumes signature verification so it can be computationally expensive
  103. func signers(commit Commit, validatorSet ValidatorSet) []Validator
  104. // returns the voting power the validators in v1 have according to their voting power in set v2
  105. // it does not assume signature verification
  106. func votingPowerIn(v1 []Validator, v2 ValidatorSet) int64
  107. // returns hash of the given validator set
  108. func hash(v2 ValidatorSet) []byte
  109. ```
  110. In the functions below we will be using `trustThreshold` as a parameter. For simplicity
  111. we assume that `trustThreshold` is a float between `1/3` and `2/3` and we will not be checking it
  112. in the pseudo-code.
  113. **VerifySingle.** The function `VerifySingle` attempts to validate given untrusted header and the corresponding validator sets
  114. based on a given trusted state. It ensures that the trusted state is still within its trusted period,
  115. and that the untrusted header is within assumed `clockDrift` bound of the passed time `now`.
  116. Note that this function is not making external (RPC) calls to the full node; the whole logic is
  117. based on the local (given) state. This function is supposed to be used by the IBC handlers.
  118. ```go
  119. func VerifySingle(untrustedSh SignedHeader,
  120. untrustedVs ValidatorSet,
  121. untrustedNextVs ValidatorSet,
  122. trustedState TrustedState,
  123. trustThreshold float,
  124. trustingPeriod Duration,
  125. clockDrift Duration,
  126. now Time) (TrustedState, error) {
  127. if untrustedSh.Header.Time > now + clockDrift {
  128. return (trustedState, ErrInvalidHeaderTime)
  129. }
  130. trustedHeader = trustedState.SignedHeader.Header
  131. if !isWithinTrustedPeriod(trustedHeader, trustingPeriod, now) {
  132. return (state, ErrHeaderNotWithinTrustedPeriod)
  133. }
  134. // we assume that time it takes to execute verifySingle function
  135. // is several order of magnitudes smaller than trustingPeriod
  136. error = verifySingle(
  137. trustedState,
  138. untrustedSh,
  139. untrustedVs,
  140. untrustedNextVs,
  141. trustThreshold)
  142. if error != nil return (state, error)
  143. // the untrusted header is now trusted
  144. newTrustedState = TrustedState(untrustedSh, untrustedNextVs)
  145. return (newTrustedState, nil)
  146. }
  147. // return true if header is within its light client trusted period; otherwise returns false
  148. func isWithinTrustedPeriod(header Header,
  149. trustingPeriod Duration,
  150. now Time) bool {
  151. return header.Time + trustedPeriod > now
  152. }
  153. ```
  154. Note that in case `VerifySingle` returns without an error (untrusted header
  155. is successfully verified) then we have a guarantee that the transition of the trust
  156. from `trustedState` to `newTrustedState` happened during the trusted period of
  157. `trustedState.SignedHeader.Header`.
  158. TODO: Explain what happens in case `VerifySingle` returns with an error.
  159. **verifySingle.** The function `verifySingle` verifies a single untrusted header
  160. against a given trusted state. It includes all validations and signature verification.
  161. It is not publicly exposed since it does not check for header expiry (time constraints)
  162. and hence it's possible to use it incorrectly.
  163. ```go
  164. func verifySingle(trustedState TrustedState,
  165. untrustedSh SignedHeader,
  166. untrustedVs ValidatorSet,
  167. untrustedNextVs ValidatorSet,
  168. trustThreshold float) error {
  169. untrustedHeader = untrustedSh.Header
  170. untrustedCommit = untrustedSh.Commit
  171. trustedHeader = trustedState.SignedHeader.Header
  172. trustedVs = trustedState.ValidatorSet
  173. if trustedHeader.Height >= untrustedHeader.Height return ErrNonIncreasingHeight
  174. if trustedHeader.Time >= untrustedHeader.Time return ErrNonIncreasingTime
  175. // validate the untrusted header against its commit, vals, and next_vals
  176. error = validateSignedHeaderAndVals(untrustedSh, untrustedVs, untrustedNextVs)
  177. if error != nil return error
  178. // check for adjacent headers
  179. if untrustedHeader.Height == trustedHeader.Height + 1 {
  180. if trustedHeader.NextValidatorsHash != untrustedHeader.ValidatorsHash {
  181. return ErrInvalidAdjacentHeaders
  182. }
  183. } else {
  184. error = verifyCommitTrusting(trustedVs, untrustedCommit, untrustedVs, trustThreshold)
  185. if error != nil return error
  186. }
  187. // verify the untrusted commit
  188. return verifyCommitFull(untrustedVs, untrustedCommit)
  189. }
  190. // returns nil if header and validator sets are consistent; otherwise returns error
  191. func validateSignedHeaderAndVals(signedHeader SignedHeader, vs ValidatorSet, nextVs ValidatorSet) error {
  192. header = signedHeader.Header
  193. if hash(vs) != header.ValidatorsHash return ErrInvalidValidatorSet
  194. if hash(nextVs) != header.NextValidatorsHash return ErrInvalidNextValidatorSet
  195. if !matchingCommit(header, signedHeader.Commit) return ErrInvalidCommitValue
  196. return nil
  197. }
  198. // returns nil if at least single correst signer signed the commit; otherwise returns error
  199. func verifyCommitTrusting(trustedVs ValidatorSet,
  200. commit Commit,
  201. untrustedVs ValidatorSet,
  202. trustLevel float) error {
  203. totalPower := trustedVs.TotalVotingPower
  204. signedPower := votingPowerIn(signers(commit, untrustedVs), trustedVs)
  205. // check that the signers account for more than max(1/3, trustLevel) of the voting power
  206. // this ensures that there is at least single correct validator in the set of signers
  207. if signedPower < max(1/3, trustLevel) * totalPower return ErrInsufficientVotingPower
  208. return nil
  209. }
  210. // returns nil if commit is signed by more than 2/3 of voting power of the given validator set
  211. // return error otherwise
  212. func verifyCommitFull(vs ValidatorSet, commit Commit) error {
  213. totalPower := vs.TotalVotingPower;
  214. signedPower := votingPowerIn(signers(commit, vs), vs)
  215. // check the signers account for +2/3 of the voting power
  216. if signedPower * 3 <= totalPower * 2 return ErrInvalidCommit
  217. return nil
  218. }
  219. ```
  220. **VerifyHeaderAtHeight.** The function `VerifyHeaderAtHeight` captures high level
  221. logic, i.e., application call to the light client module to download and verify header
  222. for some height.
  223. ```go
  224. func VerifyHeaderAtHeight(untrustedHeight int64,
  225. trustedState TrustedState,
  226. trustThreshold float,
  227. trustingPeriod Duration,
  228. clockDrift Duration) (TrustedState, error)) {
  229. trustedHeader := trustedState.SignedHeader.Header
  230. now := System.Time()
  231. if !isWithinTrustedPeriod(trustedHeader, trustingPeriod, now) {
  232. return (trustedState, ErrHeaderNotWithinTrustedPeriod)
  233. }
  234. newTrustedState, err := VerifyBisection(untrustedHeight,
  235. trustedState,
  236. trustThreshold,
  237. trustingPeriod,
  238. clockDrift,
  239. now)
  240. if err != nil return (trustedState, err)
  241. now = System.Time()
  242. if !isWithinTrustedPeriod(trustedHeader, trustingPeriod, now) {
  243. return (trustedState, ErrHeaderNotWithinTrustedPeriod)
  244. }
  245. return (newTrustedState, err)
  246. }
  247. ```
  248. Note that in case `VerifyHeaderAtHeight` returns without an error (untrusted header
  249. is successfully verified) then we have a guarantee that the transition of the trust
  250. from `trustedState` to `newTrustedState` happened during the trusted period of
  251. `trustedState.SignedHeader.Header`.
  252. In case `VerifyHeaderAtHeight` returns with an error, then either (i) the full node we are talking to is faulty
  253. or (ii) the trusted header has expired (it is outside its trusted period). In case (i) the full node is faulty so
  254. light client should disconnect and reinitialise with new peer. In the case (ii) as the trusted header has expired,
  255. we need to reinitialise light client with a new trusted header (that is within its trusted period),
  256. but we don't necessarily need to disconnect from the full node we are talking to (as we haven't observed full node misbehavior in this case).
  257. **VerifyBisection.** The function `VerifyBisection` implements
  258. recursive logic for checking if it is possible building trust
  259. relationship between `trustedState` and untrusted header at the given height over
  260. finite set of (downloaded and verified) headers.
  261. ```go
  262. func VerifyBisection(untrustedHeight int64,
  263. trustedState TrustedState,
  264. trustThreshold float,
  265. trustingPeriod Duration,
  266. clockDrift Duration,
  267. now Time) (TrustedState, error) {
  268. untrustedSh, error := Commit(untrustedHeight)
  269. if error != nil return (trustedState, ErrRequestFailed)
  270. untrustedHeader = untrustedSh.Header
  271. // note that we pass now during the recursive calls. This is fine as
  272. // all other untrusted headers we download during recursion will be
  273. // for a smaller heights, and therefore should happen before.
  274. if untrustedHeader.Time > now + clockDrift {
  275. return (trustedState, ErrInvalidHeaderTime)
  276. }
  277. untrustedVs, error := Validators(untrustedHeight)
  278. if error != nil return (trustedState, ErrRequestFailed)
  279. untrustedNextVs, error := Validators(untrustedHeight + 1)
  280. if error != nil return (trustedState, ErrRequestFailed)
  281. error = verifySingle(
  282. trustedState,
  283. untrustedSh,
  284. untrustedVs,
  285. untrustedNextVs,
  286. trustThreshold)
  287. if fatalError(error) return (trustedState, error)
  288. if error == nil {
  289. // the untrusted header is now trusted.
  290. newTrustedState = TrustedState(untrustedSh, untrustedNextVs)
  291. return (newTrustedState, nil)
  292. }
  293. // at this point in time we need to do bisection
  294. pivotHeight := ceil((trustedHeader.Height + untrustedHeight) / 2)
  295. error, newTrustedState = VerifyBisection(pivotHeight,
  296. trustedState,
  297. trustThreshold,
  298. trustingPeriod,
  299. clockDrift,
  300. now)
  301. if error != nil return (newTrustedState, error)
  302. return VerifyBisection(untrustedHeight,
  303. newTrustedState,
  304. trustThreshold,
  305. trustingPeriod,
  306. clockDrift,
  307. now)
  308. }
  309. func fatalError(err) bool {
  310. return err == ErrHeaderNotWithinTrustedPeriod OR
  311. err == ErrInvalidAdjacentHeaders OR
  312. err == ErrNonIncreasingHeight OR
  313. err == ErrNonIncreasingTime OR
  314. err == ErrInvalidValidatorSet OR
  315. err == ErrInvalidNextValidatorSet OR
  316. err == ErrInvalidCommitValue OR
  317. err == ErrInvalidCommit
  318. }
  319. ```
  320. ### The case `untrustedHeader.Height < trustedHeader.Height`
  321. In the use case where someone tells the light client that application data that is relevant for it
  322. can be read in the block of height `k` and the light client trusts a more recent header, we can use the
  323. hashes to verify headers "down the chain." That is, we iterate down the heights and check the hashes in each step.
  324. *Remark.* For the case were the light client trusts two headers `i` and `j` with `i < k < j`, we should
  325. discuss/experiment whether the forward or the backward method is more effective.
  326. ```go
  327. func VerifyHeaderBackwards(trustedHeader Header,
  328. untrustedHeader Header,
  329. trustingPeriod Duration,
  330. clockDrift Duration) error {
  331. if untrustedHeader.Height >= trustedHeader.Height return ErrErrNonDecreasingHeight
  332. if untrustedHeader.Time >= trustedHeader.Time return ErrNonDecreasingTime
  333. now := System.Time()
  334. if !isWithinTrustedPeriod(trustedHeader, trustingPeriod, now) {
  335. return ErrHeaderNotWithinTrustedPeriod
  336. }
  337. old := trustedHeader
  338. for i := trustedHeader.Height - 1; i > untrustedHeader.Height; i-- {
  339. untrustedSh, error := Commit(i)
  340. if error != nil return ErrRequestFailed
  341. if (hash(untrustedSh.Header) != old.LastBlockID.Hash) {
  342. return ErrInvalidAdjacentHeaders
  343. }
  344. old := untrustedSh.Header
  345. }
  346. if hash(untrustedHeader) != old.LastBlockID.Hash {
  347. return ErrInvalidAdjacentHeaders
  348. }
  349. now := System.Time()
  350. if !isWithinTrustedPeriod(trustedHeader, trustingPeriod, now) {
  351. return ErrHeaderNotWithinTrustedPeriod
  352. }
  353. return nil
  354. }
  355. ```
  356. *Assumption*: In the following, we assume that *untrusted_h.Header.height > trusted_h.Header.height*. We will quickly discuss the other case in the next section.
  357. We consider the following set-up:
  358. - the light client communicates with one full node
  359. - the light client locally stores all the headers that has passed basic verification and that are within light client trust period. In the pseudo code below we
  360. write *Store.Add(header)* for this. If a header failed to verify, then
  361. the full node we are talking to is faulty and we should disconnect from it and reinitialise with new peer.
  362. - If `CanTrust` returns *error*, then the light client has seen a forged header or the trusted header has expired (it is outside its trusted period).
  363. - In case of forged header, the full node is faulty so light client should disconnect and reinitialise with new peer. If the trusted header has expired,
  364. we need to reinitialise light client with new trusted header (that is within its trusted period), but we don't necessarily need to disconnect from the full node
  365. we are talking to (as we haven't observed full node misbehavior in this case).
  366. ## Correctness of the Light Client Protocols
  367. ### Definitions
  368. - `TRUSTED_PERIOD`: trusted period
  369. - for realtime `t`, the predicate `correct(v,t)` is true if the validator `v`
  370. follows the protocol until time `t` (we will see about recovery later).
  371. - Validator fields. We will write a validator as a tuple `(v,p)` such that
  372. - `v` is the identifier (i.e., validator address; we assume identifiers are unique in each validator set)
  373. - `p` is its voting power
  374. - For each header `h`, we write `trust(h) = true` if the light client trusts `h`.
  375. ### Failure Model
  376. If a block `b` with a header `h` is generated at time `Time` (i.e. `h.Time = Time`), then a set of validators that
  377. hold more than `2/3` of the voting power in `validators(h.NextValidatorsHash)` is correct until time
  378. `h.Time + TRUSTED_PERIOD`.
  379. Formally,
  380. \[
  381. \sum_{(v,p) \in validators(h.NextValidatorsHash) \wedge correct(v,h.Time + TRUSTED_PERIOD)} p >
  382. 2/3 \sum_{(v,p) \in validators(h.NextValidatorsHash)} p
  383. \]
  384. The light client communicates with a full node and learns new headers. The goal is to locally decide whether to trust a header. Our implementation needs to ensure the following two properties:
  385. - *Light Client Completeness*: If a header `h` was correctly generated by an instance of Tendermint consensus (and its age is less than the trusted period),
  386. then the light client should eventually set `trust(h)` to `true`.
  387. - *Light Client Accuracy*: If a header `h` was *not generated* by an instance of Tendermint consensus, then the light client should never set `trust(h)` to true.
  388. *Remark*: If in the course of the computation, the light client obtains certainty that some headers were forged by adversaries
  389. (that is were not generated by an instance of Tendermint consensus), it may submit (a subset of) the headers it has seen as evidence of misbehavior.
  390. *Remark*: In Completeness we use "eventually", while in practice `trust(h)` should be set to true before `h.Time + TRUSTED_PERIOD`. If not, the header
  391. cannot be trusted because it is too old.
  392. *Remark*: If a header `h` is marked with `trust(h)`, but it is too old at some point in time we denote with `now` (`h.Time + TRUSTED_PERIOD < now`),
  393. then the light client should set `trust(h)` to `false` again at time `now`.
  394. *Assumption*: Initially, the light client has a header `inithead` that it trusts, that is, `inithead` was correctly generated by the Tendermint consensus.
  395. To reason about the correctness, we may prove the following invariant.
  396. *Verification Condition: light Client Invariant.*
  397. For each light client `l` and each header `h`:
  398. if `l` has set `trust(h) = true`,
  399. then validators that are correct until time `h.Time + TRUSTED_PERIOD` have more than two thirds of the voting power in `validators(h.NextValidatorsHash)`.
  400. Formally,
  401. \[
  402. \sum_{(v,p) \in validators(h.NextValidatorsHash) \wedge correct(v,h.Time + TRUSTED_PERIOD)} p >
  403. 2/3 \sum_{(v,p) \in validators(h.NextValidatorsHash)} p
  404. \]
  405. *Remark.* To prove the invariant, we will have to prove that the light client only trusts headers that were correctly generated by Tendermint consensus.
  406. Then the formula above follows from the failure model.
  407. ## Details
  408. **Observation 1.** If `h.Time + TRUSTED_PERIOD > now`, we trust the validator set `validators(h.NextValidatorsHash)`.
  409. When we say we trust `validators(h.NextValidatorsHash)` we do `not` trust that each individual validator in `validators(h.NextValidatorsHash)`
  410. is correct, but we only trust the fact that less than `1/3` of them are faulty (more precisely, the faulty ones have less than `1/3` of the total voting power).
  411. *`VerifySingle` correctness arguments*
  412. Light Client Accuracy:
  413. - Assume by contradiction that `untrustedHeader` was not generated correctly and the light client sets trust to true because `verifySingle` returns without error.
  414. - `trustedState` is trusted and sufficiently new
  415. - by the Failure Model, less than `1/3` of the voting power held by faulty validators => at least one correct validator `v` has signed `untrustedHeader`.
  416. - as `v` is correct up to now, it followed the Tendermint consensus protocol at least up to signing `untrustedHeader` => `untrustedHeader` was correctly generated.
  417. We arrive at the required contradiction.
  418. Light Client Completeness:
  419. - The check is successful if sufficiently many validators of `trustedState` are still validators in the height `untrustedHeader.Height` and signed `untrustedHeader`.
  420. - If `untrustedHeader.Height = trustedHeader.Height + 1`, and both headers were generated correctly, the test passes.
  421. *Verification Condition:* We may need a Tendermint invariant stating that if `untrustedSignedHeader.Header.Height = trustedHeader.Height + 1` then
  422. `signers(untrustedSignedHeader.Commit) \subseteq validators(trustedHeader.NextValidatorsHash)`.
  423. *Remark*: The variable `trustThreshold` can be used if the user believes that relying on one correct validator is not sufficient.
  424. However, in case of (frequent) changes in the validator set, the higher the `trustThreshold` is chosen, the more unlikely it becomes that
  425. `verifySingle` returns with an error for non-adjacent headers.
  426. - `VerifyBisection` correctness arguments (sketch)*
  427. Light Client Accuracy:
  428. - Assume by contradiction that the header at `untrustedHeight` obtained from the full node was not generated correctly and
  429. the light client sets trust to true because `VerifyBisection` returns without an error.
  430. - `VerifyBisection` returns without error only if all calls to `verifySingle` in the recursion return without error (return `nil`).
  431. - Thus we have a sequence of headers that all satisfied the `verifySingle`
  432. - again a contradiction
  433. light Client Completeness:
  434. This is only ensured if upon `Commit(pivot)` the light client is always provided with a correctly generated header.
  435. *Stalling*
  436. With `VerifyBisection`, a faulty full node could stall a light client by creating a long sequence of headers that are queried one-by-one by the light client and look OK,
  437. before the light client eventually detects a problem. There are several ways to address this:
  438. - Each call to `Commit` could be issued to a different full node
  439. - Instead of querying header by header, the light client tells a full node which header it trusts, and the height of the header it needs. The full node responds with
  440. the header along with a proof consisting of intermediate headers that the light client can use to verify. Roughly, `VerifyBisection` would then be executed at the full node.
  441. - We may set a timeout how long `VerifyBisection` may take.