You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
Sam Kleinman 048f6a32f9
lint: fix lint errors (#301)
4 years ago
..
output add Ivy proofs (#210) 4 years ago
Dockerfile add Ivy proofs (#210) 4 years ago
README.md lint: fix lint errors (#301) 4 years ago
abstract_tendermint.ivy A few improvements to the Ivy proof (#288) 4 years ago
accountable_safety_1.ivy A few improvements to the Ivy proof (#288) 4 years ago
accountable_safety_2.ivy A few improvements to the Ivy proof (#288) 4 years ago
check_proofs.sh A few improvements to the Ivy proof (#288) 4 years ago
classic_safety.ivy add Ivy proofs (#210) 4 years ago
count_lines.sh A few improvements to the Ivy proof (#288) 4 years ago
docker-compose.yml add Ivy proofs (#210) 4 years ago
domain_model.ivy add Ivy proofs (#210) 4 years ago
network_shim.ivy A few improvements to the Ivy proof (#288) 4 years ago
tendermint.ivy add Ivy proofs (#210) 4 years ago

README.md

Ivy Proofs

Copyright (c) 2020 Galois, Inc.
SPDX-License-Identifier: Apache-2.0

Contents

This folder contains:

  • tendermint.ivy, a specification of Tendermint algorithm as described in The latest gossip on BFT consensus by E. Buchman, J. Kwon, Z. Milosevic.
  • abstract_tendermint.ivy, a more abstract specification of Tendermint that is more verification-friendly.
  • classic_safety.ivy, a proof that Tendermint satisfies the classic safety property of BFT consensus: if every two quorums have a well-behaved node in common, then no two well-behaved nodes ever disagree.
  • accountable_safety_1.ivy, a proof that, assuming every quorum contains at least one well-behaved node, if two well-behaved nodes disagree, then there is evidence demonstrating at least f+1 nodes misbehaved.
  • accountable_safety_2.ivy, a proof that, regardless of any assumption about quorums, well-behaved nodes cannot be framed by malicious nodes. In other words, malicious nodes can never construct evidence that incriminates a well-behaved node.
  • network_shim.ivy, the network model and a convenience shim object to interface with the Tendermint specification.
  • domain_model.ivy, a specification of the domain model underlying the Tendermint specification, i.e. rounds, value, quorums, etc.

All specifications and proofs are written in Ivy.

The license above applies to all files in this folder.

Building and running

The easiest way to check the proofs is to use Docker.

  1. Install Docker and Docker Compose.
  2. Build a Docker image: docker-compose build
  3. Run the proofs inside the Docker container: docker-compose run tendermint-proof. This will check all the proofs with the ivy_check command and write the output of ivy_check to a subdirectory of `./output/'