|
/*
|
|
Package certifiers allows you to securely validate headers
|
|
without a full node.
|
|
|
|
This library pulls together all the crypto and algorithms,
|
|
so given a relatively recent (< unbonding period) known
|
|
validator set, one can get indisputable proof that data is in
|
|
the chain (current state) or detect if the node is lying to
|
|
the client.
|
|
|
|
Tendermint RPC exposes a lot of info, but a malicious node
|
|
could return any data it wants to queries, or even to block
|
|
headers, even making up fake signatures from non-existent
|
|
validators to justify it. This is a lot of logic to get
|
|
right, to be contained in a small, easy to use library,
|
|
that does this for you, so you can just build nice UI.
|
|
|
|
We design for clients who have no strong trust relationship
|
|
with any tendermint node, just the validator set as a whole.
|
|
Beyond building nice mobile or desktop applications, the
|
|
cosmos hub is another important example of a client,
|
|
that needs undeniable proof without syncing the full chain,
|
|
in order to efficiently implement IBC.
|
|
|
|
Commits
|
|
|
|
There are two main data structures that we pass around - Commit
|
|
and FullCommit. Both of them mirror what information is
|
|
exposed in tendermint rpc.
|
|
|
|
Commit is a block header along with enough validator signatures
|
|
to prove its validity (> 2/3 of the voting power). A FullCommit
|
|
is a Commit along with the full validator set. When the
|
|
validator set doesn't change, the Commit is enough, but since
|
|
the block header only has a hash, we need the FullCommit to
|
|
follow any changes to the validator set.
|
|
|
|
Certifiers
|
|
|
|
A Certifier validates a new Commit given the currently known
|
|
state. There are three different types of Certifiers exposed,
|
|
each one building on the last one, with additional complexity.
|
|
|
|
Static - given the validator set upon initialization. Verifies
|
|
all signatures against that set and if the validator set
|
|
changes, it will reject all headers.
|
|
|
|
Dynamic - This wraps Static and has the same Certify
|
|
method. However, it adds an Update method, which can be called
|
|
with a FullCommit when the validator set changes. If it can
|
|
prove this is a valid transition, it will update the validator
|
|
set.
|
|
|
|
Inquiring - this wraps Dynamic and implements an auto-update
|
|
strategy on top of the Dynamic update. If a call to
|
|
Certify fails as the validator set has changed, then it
|
|
attempts to find a FullCommit and Update to that header.
|
|
To get these FullCommits, it makes use of a Provider.
|
|
|
|
Providers
|
|
|
|
A Provider allows us to store and retrieve the FullCommits,
|
|
to provide memory to the Inquiring Certifier.
|
|
|
|
NewMemStoreProvider - in-memory cache.
|
|
|
|
files.NewProvider - disk backed storage.
|
|
|
|
client.NewHTTPProvider - query tendermint rpc.
|
|
|
|
NewCacheProvider - combine multiple providers.
|
|
|
|
The suggested use for local light clients is
|
|
client.NewHTTPProvider for getting new data (Source),
|
|
and NewCacheProvider(NewMemStoreProvider(),
|
|
files.NewProvider()) to store confirmed headers (Trusted)
|
|
|
|
How We Track Validators
|
|
|
|
Unless you want to blindly trust the node you talk with, you
|
|
need to trace every response back to a hash in a block header
|
|
and validate the commit signatures of that block header match
|
|
the proper validator set. If there is a contant validator
|
|
set, you store it locally upon initialization of the client,
|
|
and check against that every time.
|
|
|
|
Once there is a dynamic validator set, the issue of
|
|
verifying a block becomes a bit more tricky. There is
|
|
background information in a
|
|
github issue (https://github.com/tendermint/tendermint/issues/377).
|
|
|
|
In short, if there is a block at height H with a known
|
|
(trusted) validator set V, and another block at height H'
|
|
(H' > H) with validator set V' != V, then we want a way to
|
|
safely update it.
|
|
|
|
First, get the new (unconfirmed) validator set V' and
|
|
verify H' is internally consistent and properly signed by
|
|
this V'. Assuming it is a valid block, we check that at
|
|
least 2/3 of the validators in V also signed it, meaning
|
|
it would also be valid under our old assumptions.
|
|
That should be enough, but we can also check that the
|
|
V counts for at least 2/3 of the total votes in H'
|
|
for extra safety (we can have a discussion if this is
|
|
strictly required). If we can verify all this,
|
|
then we can accept H' and V' as valid and use that to
|
|
validate all blocks X > H'.
|
|
|
|
If we cannot update directly from H -> H' because there was
|
|
too much change to the validator set, then we can look for
|
|
some Hm (H < Hm < H') with a validator set Vm. Then we try
|
|
to update H -> Hm and Hm -> H' in two separate steps.
|
|
If one of these steps doesn't work, then we continue
|
|
bisecting, until we eventually have to externally
|
|
validate the valdiator set changes at every block.
|
|
|
|
Since we never trust any server in this protocol, only the
|
|
signatures themselves, it doesn't matter if the seed comes
|
|
from a (possibly malicious) node or a (possibly malicious) user.
|
|
We can accept it or reject it based only on our trusted
|
|
validator set and cryptographic proofs. This makes it
|
|
extremely important to verify that you have the proper
|
|
validator set when initializing the client, as that is the
|
|
root of all trust.
|
|
|
|
Or course, this assumes that the known block is within the
|
|
unbonding period to avoid the "nothing at stake" problem.
|
|
If you haven't seen the state in a few months, you will need
|
|
to manually verify the new validator set hash using off-chain
|
|
means (the same as getting the initial hash).
|
|
|
|
*/
|
|
package certifiers
|