You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

335 lines
15 KiB

  1. # Byzantine Consensus Algorithm
  2. ## Terms
  3. - The network is composed of optionally connected _nodes_. Nodes
  4. directly connected to a particular node are called _peers_.
  5. - The consensus process in deciding the next block (at some _height_
  6. `H`) is composed of one or many _rounds_.
  7. - `NewHeight`, `Propose`, `Prevote`, `Precommit`, and `Commit`
  8. represent state machine states of a round. (aka `RoundStep` or
  9. just "step").
  10. - A node is said to be _at_ a given height, round, and step, or at
  11. `(H,R,S)`, or at `(H,R)` in short to omit the step.
  12. - To _prevote_ or _precommit_ something means to broadcast a [prevote
  13. vote](https://godoc.org/github.com/tendermint/tendermint/types#Vote)
  14. or [first precommit
  15. vote](https://godoc.org/github.com/tendermint/tendermint/types#FirstPrecommit)
  16. for something.
  17. - A vote _at_ `(H,R)` is a vote signed with the bytes for `H` and `R`
  18. included in its [sign-bytes](../blockchain/blockchain.md#vote).
  19. - _+2/3_ is short for "more than 2/3"
  20. - _1/3+_ is short for "1/3 or more"
  21. - A set of +2/3 of prevotes for a particular block or `<nil>` at
  22. `(H,R)` is called a _proof-of-lock-change_ or _PoLC_ for short.
  23. ## State Machine Overview
  24. At each height of the blockchain a round-based protocol is run to
  25. determine the next block. Each round is composed of three _steps_
  26. (`Propose`, `Prevote`, and `Precommit`), along with two special steps
  27. `Commit` and `NewHeight`.
  28. In the optimal scenario, the order of steps is:
  29. ```
  30. NewHeight -> (Propose -> Prevote -> Precommit)+ -> Commit -> NewHeight ->...
  31. ```
  32. The sequence `(Propose -> Prevote -> Precommit)` is called a _round_.
  33. There may be more than one round required to commit a block at a given
  34. height. Examples for why more rounds may be required include:
  35. - The designated proposer was not online.
  36. - The block proposed by the designated proposer was not valid.
  37. - The block proposed by the designated proposer did not propagate
  38. in time.
  39. - The block proposed was valid, but +2/3 of prevotes for the proposed
  40. block were not received in time for enough validator nodes by the
  41. time they reached the `Precommit` step. Even though +2/3 of prevotes
  42. are necessary to progress to the next step, at least one validator
  43. may have voted `<nil>` or maliciously voted for something else.
  44. - The block proposed was valid, and +2/3 of prevotes were received for
  45. enough nodes, but +2/3 of precommits for the proposed block were not
  46. received for enough validator nodes.
  47. Some of these problems are resolved by moving onto the next round &
  48. proposer. Others are resolved by increasing certain round timeout
  49. parameters over each successive round.
  50. ## State Machine Diagram
  51. ```
  52. +-------------------------------------+
  53. v |(Wait til `CommmitTime+timeoutCommit`)
  54. +-----------+ +-----+-----+
  55. +----------> | Propose +--------------+ | NewHeight |
  56. | +-----------+ | +-----------+
  57. | | ^
  58. |(Else, after timeoutPrecommit) v |
  59. +-----+-----+ +-----------+ |
  60. | Precommit | <------------------------+ Prevote | |
  61. +-----+-----+ +-----------+ |
  62. |(When +2/3 Precommits for block found) |
  63. v |
  64. +--------------------------------------------------------------------+
  65. | Commit |
  66. | |
  67. | * Set CommitTime = now; |
  68. | * Wait for block, then stage/save/commit block; |
  69. +--------------------------------------------------------------------+
  70. ```
  71. # Background Gossip
  72. A node may not have a corresponding validator private key, but it
  73. nevertheless plays an active role in the consensus process by relaying
  74. relevant meta-data, proposals, blocks, and votes to its peers. A node
  75. that has the private keys of an active validator and is engaged in
  76. signing votes is called a _validator-node_. All nodes (not just
  77. validator-nodes) have an associated state (the current height, round,
  78. and step) and work to make progress.
  79. Between two nodes there exists a `Connection`, and multiplexed on top of
  80. this connection are fairly throttled `Channel`s of information. An
  81. epidemic gossip protocol is implemented among some of these channels to
  82. bring peers up to speed on the most recent state of consensus. For
  83. example,
  84. - Nodes gossip `PartSet` parts of the current round's proposer's
  85. proposed block. A LibSwift inspired algorithm is used to quickly
  86. broadcast blocks across the gossip network.
  87. - Nodes gossip prevote/precommit votes. A node `NODE_A` that is ahead
  88. of `NODE_B` can send `NODE_B` prevotes or precommits for `NODE_B`'s
  89. current (or future) round to enable it to progress forward.
  90. - Nodes gossip prevotes for the proposed PoLC (proof-of-lock-change)
  91. round if one is proposed.
  92. - Nodes gossip to nodes lagging in blockchain height with block
  93. [commits](https://godoc.org/github.com/tendermint/tendermint/types#Commit)
  94. for older blocks.
  95. - Nodes opportunistically gossip `HasVote` messages to hint peers what
  96. votes it already has.
  97. - Nodes broadcast their current state to all neighboring peers. (but
  98. is not gossiped further)
  99. There's more, but let's not get ahead of ourselves here.
  100. ## Proposals
  101. A proposal is signed and published by the designated proposer at each
  102. round. The proposer is chosen by a deterministic and non-choking round
  103. robin selection algorithm that selects proposers in proportion to their
  104. voting power (see
  105. [implementation](https://github.com/tendermint/tendermint/blob/master/types/validator_set.go)).
  106. A proposal at `(H,R)` is composed of a block and an optional latest
  107. `PoLC-Round < R` which is included iff the proposer knows of one. This
  108. hints the network to allow nodes to unlock (when safe) to ensure the
  109. liveness property.
  110. ## State Machine Spec
  111. ### Propose Step (height:H,round:R)
  112. Upon entering `Propose`:
  113. - The designated proposer proposes a block at `(H,R)`.
  114. The `Propose` step ends:
  115. - After `timeoutProposeR` after entering `Propose`. --> goto
  116. `Prevote(H,R)`
  117. - After receiving proposal block and all prevotes at `PoLC-Round`. -->
  118. goto `Prevote(H,R)`
  119. - After [common exit conditions](#common-exit-conditions)
  120. ### Prevote Step (height:H,round:R)
  121. Upon entering `Prevote`, each validator broadcasts its prevote vote.
  122. - First, if the validator is locked on a block since `LastLockRound`
  123. but now has a PoLC for something else at round `PoLC-Round` where
  124. `LastLockRound < PoLC-Round < R`, then it unlocks.
  125. - If the validator is still locked on a block, it prevotes that.
  126. - Else, if the proposed block from `Propose(H,R)` is good, it
  127. prevotes that.
  128. - Else, if the proposal is invalid or wasn't received on time, it
  129. prevotes `<nil>`.
  130. The `Prevote` step ends:
  131. - After +2/3 prevotes for a particular block or `<nil>`. -->; goto
  132. `Precommit(H,R)`
  133. - After `timeoutPrevote` after receiving any +2/3 prevotes. --> goto
  134. `Precommit(H,R)`
  135. - After [common exit conditions](#common-exit-conditions)
  136. ### Precommit Step (height:H,round:R)
  137. Upon entering `Precommit`, each validator broadcasts its precommit vote.
  138. - If the validator has a PoLC at `(H,R)` for a particular block `B`, it
  139. (re)locks (or changes lock to) and precommits `B` and sets
  140. `LastLockRound = R`.
  141. - Else, if the validator has a PoLC at `(H,R)` for `<nil>`, it unlocks
  142. and precommits `<nil>`.
  143. - Else, it keeps the lock unchanged and precommits `<nil>`.
  144. A precommit for `<nil>` means "I didn’t see a PoLC for this round, but I
  145. did get +2/3 prevotes and waited a bit".
  146. The Precommit step ends:
  147. - After +2/3 precommits for `<nil>`. --> goto `Propose(H,R+1)`
  148. - After `timeoutPrecommit` after receiving any +2/3 precommits. --> goto
  149. `Propose(H,R+1)`
  150. - After [common exit conditions](#common-exit-conditions)
  151. ### Common exit conditions
  152. - After +2/3 precommits for a particular block. --> goto
  153. `Commit(H)`
  154. - After any +2/3 prevotes received at `(H,R+x)`. --> goto
  155. `Prevote(H,R+x)`
  156. - After any +2/3 precommits received at `(H,R+x)`. --> goto
  157. `Precommit(H,R+x)`
  158. ### Commit Step (height:H)
  159. - Set `CommitTime = now()`
  160. - Wait until block is received. --> goto `NewHeight(H+1)`
  161. ### NewHeight Step (height:H)
  162. - Move `Precommits` to `LastCommit` and increment height.
  163. - Set `StartTime = CommitTime+timeoutCommit`
  164. - Wait until `StartTime` to receive straggler commits. --> goto
  165. `Propose(H,0)`
  166. ## Proofs
  167. ### Proof of Safety
  168. Assume that at most -1/3 of the voting power of validators is byzantine.
  169. If a validator commits block `B` at round `R`, it's because it saw +2/3
  170. of precommits at round `R`. This implies that 1/3+ of honest nodes are
  171. still locked at round `R' > R`. These locked validators will remain
  172. locked until they see a PoLC at `R' > R`, but this won't happen because
  173. 1/3+ are locked and honest, so at most -2/3 are available to vote for
  174. anything other than `B`.
  175. ### Proof of Liveness
  176. If 1/3+ honest validators are locked on two different blocks from
  177. different rounds, a proposers' `PoLC-Round` will eventually cause nodes
  178. locked from the earlier round to unlock. Eventually, the designated
  179. proposer will be one that is aware of a PoLC at the later round. Also,
  180. `timeoutProposalR` increments with round `R`, while the size of a
  181. proposal are capped, so eventually the network is able to "fully gossip"
  182. the whole proposal (e.g. the block & PoLC).
  183. ### Proof of Fork Accountability
  184. Define the JSet (justification-vote-set) at height `H` of a validator
  185. `V1` to be all the votes signed by the validator at `H` along with
  186. justification PoLC prevotes for each lock change. For example, if `V1`
  187. signed the following precommits: `Precommit(B1 @ round 0)`,
  188. `Precommit(<nil> @ round 1)`, `Precommit(B2 @ round 4)` (note that no
  189. precommits were signed for rounds 2 and 3, and that's ok),
  190. `Precommit(B1 @ round 0)` must be justified by a PoLC at round 0, and
  191. `Precommit(B2 @ round 4)` must be justified by a PoLC at round 4; but
  192. the precommit for `<nil>` at round 1 is not a lock-change by definition
  193. so the JSet for `V1` need not include any prevotes at round 1, 2, or 3
  194. (unless `V1` happened to have prevoted for those rounds).
  195. Further, define the JSet at height `H` of a set of validators `VSet` to
  196. be the union of the JSets for each validator in `VSet`. For a given
  197. commit by honest validators at round `R` for block `B` we can construct
  198. a JSet to justify the commit for `B` at `R`. We say that a JSet
  199. _justifies_ a commit at `(H,R)` if all the committers (validators in the
  200. commit-set) are each justified in the JSet with no duplicitous vote
  201. signatures (by the committers).
  202. - **Lemma**: When a fork is detected by the existence of two
  203. conflicting [commits](../blockchain/blockchain.md#commit), the
  204. union of the JSets for both commits (if they can be compiled) must
  205. include double-signing by at least 1/3+ of the validator set.
  206. **Proof**: The commit cannot be at the same round, because that
  207. would immediately imply double-signing by 1/3+. Take the union of
  208. the JSets of both commits. If there is no double-signing by at least
  209. 1/3+ of the validator set in the union, then no honest validator
  210. could have precommitted any different block after the first commit.
  211. Yet, +2/3 did. Reductio ad absurdum.
  212. As a corollary, when there is a fork, an external process can determine
  213. the blame by requiring each validator to justify all of its round votes.
  214. Either we will find 1/3+ who cannot justify at least one of their votes,
  215. and/or, we will find 1/3+ who had double-signed.
  216. ### Alternative algorithm
  217. Alternatively, we can take the JSet of a commit to be the "full commit".
  218. That is, if light clients and validators do not consider a block to be
  219. committed unless the JSet of the commit is also known, then we get the
  220. desirable property that if there ever is a fork (e.g. there are two
  221. conflicting "full commits"), then 1/3+ of the validators are immediately
  222. punishable for double-signing.
  223. There are many ways to ensure that the gossip network efficiently share
  224. the JSet of a commit. One solution is to add a new message type that
  225. tells peers that this node has (or does not have) a +2/3 majority for B
  226. (or) at (H,R), and a bitarray of which votes contributed towards that
  227. majority. Peers can react by responding with appropriate votes.
  228. We will implement such an algorithm for the next iteration of the
  229. Tendermint consensus protocol.
  230. Other potential improvements include adding more data in votes such as
  231. the last known PoLC round that caused a lock change, and the last voted
  232. round/step (or, we may require that validators not skip any votes). This
  233. may make JSet verification/gossip logic easier to implement.
  234. ### Censorship Attacks
  235. Due to the definition of a block
  236. [commit](../../tendermint-core/validators.md#commit-a-block), any 1/3+ coalition of
  237. validators can halt the blockchain by not broadcasting their votes. Such
  238. a coalition can also censor particular transactions by rejecting blocks
  239. that include these transactions, though this would result in a
  240. significant proportion of block proposals to be rejected, which would
  241. slow down the rate of block commits of the blockchain, reducing its
  242. utility and value. The malicious coalition might also broadcast votes in
  243. a trickle so as to grind blockchain block commits to a near halt, or
  244. engage in any combination of these attacks.
  245. If a global active adversary were also involved, it can partition the
  246. network in such a way that it may appear that the wrong subset of
  247. validators were responsible for the slowdown. This is not just a
  248. limitation of Tendermint, but rather a limitation of all consensus
  249. protocols whose network is potentially controlled by an active
  250. adversary.
  251. ### Overcoming Forks and Censorship Attacks
  252. For these types of attacks, a subset of the validators through external
  253. means should coordinate to sign a reorg-proposal that chooses a fork
  254. (and any evidence thereof) and the initial subset of validators with
  255. their signatures. Validators who sign such a reorg-proposal forego its
  256. collateral on all other forks. Clients should verify the signatures on
  257. the reorg-proposal, verify any evidence, and make a judgement or prompt
  258. the end-user for a decision. For example, a phone wallet app may prompt
  259. the user with a security warning, while a refrigerator may accept any
  260. reorg-proposal signed by +1/2 of the original validators.
  261. No non-synchronous Byzantine fault-tolerant algorithm can come to
  262. consensus when 1/3+ of validators are dishonest, yet a fork assumes that
  263. 1/3+ of validators have already been dishonest by double-signing or
  264. lock-changing without justification. So, signing the reorg-proposal is a
  265. coordination problem that cannot be solved by any non-synchronous
  266. protocol (i.e. automatically, and without making assumptions about the
  267. reliability of the underlying network). It must be provided by means
  268. external to the weakly-synchronous Tendermint consensus algorithm. For
  269. now, we leave the problem of reorg-proposal coordination to human
  270. coordination via internet media. Validators must take care to ensure
  271. that there are no significant network partitions, to avoid situations
  272. where two conflicting reorg-proposals are signed.
  273. Assuming that the external coordination medium and protocol is robust,
  274. it follows that forks are less of a concern than [censorship
  275. attacks](#censorship-attacks).