Difference between revisions of "IC consensus layer"

Revision as of 14:43, 9 November 2022

The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process such requests in the same order. There are many protocols in the literature for this problem. The IC uses a new consensus protocol, which is described here at a high level. For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).

Any secure consensus protocol should guarantee two properties, which (roughly stated) are:

safety: all replicas in fact agree on the same ordering of transaction requests, and
liveness: all replicas should make steady progress.

The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties

The IC consensus protocol is designed to be

extremely simple, and
robust (performance degrades gracefully when some replicas are malicious).

Assumptions

As discussed in the introduction, we assume

a subnet of $n$ replicas, and
at most $f < n / 3$ of the replicas are faulty.

Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.

We assume that communication is asynchronous, with no a priori bound on the delay of messages sent between replicas. In fact, the scheduling of message delivery may be completely under adversarial control. The IC consensus protocol guarantees safety under this very weak communication assumption. However, to guarantee liveness, we need to assume a form of partial synchrony, which (roughly stated) says that the network will be periodically synchronous for short intervals of time. In such intervals of synchrony, all undelivered messages will be delivered in less than time $δ$ , for some fixed bound $δ$ . The bound $δ$ does not have to be known in advance (the protocol is initialized with a reasonable bound, but will dynamically adapt and increase this bound if it is too small). Regardless of whether we are assuming an asynchronous or a partially synchronous network, we assume that every message sent from one honest party to another will eventually be delivered.

Protocol overview

Like a number of consensus protocols, the IC consensus protocol is based on a blockchain. As the protocol progresses, a tree of blocks is grown, starting from a special genesis block that is the root of the tree. Each non-genesis block in the tree contains (among other things) a payload, consisting of a sequence of transaction requests, and a hash of the block's parent in the tree. The honest replicas have a consistent view of this tree: while each replica may have a different, partial view of this tree, all the replicas have a view of the same tree. In addition, as the protocol progresses, there is always a path of finalized blocks in this tree. Again, the honest replicas have a consistent view of this path: while each replica may have a different, partial view of this path, all the parties have a view of the same path. The transaction requests in the payloads of the blocks along this path are the ordered transaction requests will be processed by the execution layer of the Internet Computer.

The protocol proceeds in rounds. In round $h$ of the protocol, one or more blocks of height $h$ are added to the tree. That is, the blocks added in round $h$ are always at a distance of exactly $h$ from the root. In each round, a pseudo-random process is used to assign each replica a unique rank, which is an integer in the range $0, \dots, n - 1$ . This pseudo-random process is implemented using a random beacon (see below). The party of lowest rank is the leader of that round. When the leader is honest and the network is synchronous, the leader will propose a block, which will be added to the tree; moreover, this will be the only block added to the tree in this round and it will extend the finalized path. If the leader is not honest or the network is not synchronous, some other parties of higher rank may also propose blocks, and also have their blocks added to the tree. In any case, the logic of the protocol gives highest priority to the leader's proposed block and some block or blocks will be added to this tree in this round. Even if the protocol proceeds for a few rounds without extending the finalized path, the height of the tree will continue to grow with each round, so that when the finalized path is extended in round $h$ , the finalized path will be of length $h$ . A consequence of this, even if the latency occasionally occasionally increases because of faulty replicas or unexpectedly high network latency, the throughput of the protocol remains essentially constant.

The protocol also enjoys the property known as optimistic responsiveness, which means that so long as the leader is honest, the protocol may proceed at the pace of the actual network delay, rather than some upper bound on the network delay.

Public keys

To implement the protocol, each replica is associated with a public key for the BLS signature scheme, and each replica also holds the corresponding secret signing key. The association of replicas to public keys is maintained by the Network Nervous System (NNS) of the Internet Computer. These BLS signatures will be used to authenticate messages sent by replicas.

The protocol also uses the signature aggregation feature of BLS signatures, which allows many signatures on the same message to be aggregated into a compact multi-signature. The protocol will use these multi-signatures for notarizations and finalizations, which are aggregations of $n - f$ signatures on messages of a certain form.

Random Beacon

In addition to BLS signatures and multi-signatures as discussed above, the protocol makes use of a BLS threshold signature scheme to implement the above-mentioned random beacon. The random beacon for height $h$ is a $(f + 1)$ -threshold signature on a message unique to height $h$ . In each round of the protocol, each replica broadcasts its share of the beacon for the next round, so that when the next round begins, all replicas should have enough shares to reconstruct the beacon for that round. As discussed above, the random beacon at height $h$ is used to assign a pseudo-random rank to each replica that will be used in round $h$ of the protocol. Because of the security properties of the threshold signature, an adversary will not be able to predict the ranking of the replicas more than one round in advance, and these rankings will effectively be as good as random. To set up such a threshold signature scheme, the Internet Computer runs a distributed key generation (DKG) protocol. There are many DKG protocols in the literature. The Internet Computer implements a new non-interactive DKG (NiDKG) protocol.

Block making

Each replica may at different points in time play the role of a block maker. As a block maker in round $h$ , the replica proposes a block $B$ of height $h$ that to be child of a block $B^{'}$ of height $h - 1$ in the tree of blocks. To do this, the block maker first gathers together a payload consisting of all transaction requests it knows about (but not including those already included in payloads in blocks in the path through the tree ending at $B^{'}$ ). The block $B$ consists of

the payload,
the hash of $B^{'}$ ,
the rank of the block maker,
the height $h$ of the block.

After forming the block $B$ , the block maker forms a block proposal, consisting of

the block $B$ ,
the block maker's identity, and
the block maker's signature on $B$ .

A block maker will broadcast its block proposal to all other replicas.

Notarization

A block is effectively added to the tree of blocks when it becomes notarized. For a block to become notarized, $n - f$ distinct replicas must support its notarization.

Given a proposed block $B$ at height $h$ , a replica will determine if the proposal is valid, which means that $B$ has the syntactic form described above. In particular, $B$ should contain the hash of a block $B^{'}$ of height $h^{'}$ that is already in the tree of blocks (i.e., already notarized). In addition, the payload of $B$ must satisfy certain conditions (in particulat, all of the transaction requests in the payload must satisfy various constraints, but these constraints are unrelated to consensus). Also, the rank of the block maker (as recorded in the block $B$ ) must match the rank assigned in round $h$ by the random beacon to the replica that proposed the block (as recorded in the block proposal) .

If the block is valid and certain other constraints hold, the replica will support the notarization of the block by broadcasting a notarization share for $B$ , consisting of

the hash of $B$ ,
the height $h$ of $B$ ,
the identity of the supporting replica, and
the supporting replica's signature on a message comprising the hash of $B$ and the height $h$ .

Any set of $n - f$ notarization shares on $B$ may be aggregated together to form a notarization for $B$ , consisting of

the hash of $B$ ,
the height $h$ of $B$ ,
the set of identities of the $n - f$ supporting replicas,
an aggregation of the $n - f$ signatures on the message comprising the hash of $B$ and the height $h$ .

As soon as a replica obtains a notarized block of height $h$ , it will finish round $h$ , and will subsequently not support the notarization of any other blocks at height $h$ . At this point in time, such a replica will also relay this notarization to all other replicas. Note that this replica may have obtained the notarization either by (1) receiving it from another replica, or (2) aggregating $n - f$ notarization shares that it has received.

The growth invariant states that each honest replica will eventually complete each round, so that the tree of notarized blocks continues to grow (and this holds only assuming asynchronous eventual delivery, and not partial synchrony). We prove the growth invariant below.

Finalization

There may be more than one notarized block at a given height $h$ . However, if a block is finalized, then we can be sure that there is no other notarized block at height $h$ . Let us call this the safety invariant.

For a block to become finalized, $n - f$ distinct replicas must support its finalization. Recall that round $h$ ends for a replica when it obtains a notarized block $B$ of height $h$ . At that point in time, such a replica will check if it supported the notarization of any block at height $h$ other than block $B$ (it may or may not have supported the notarization of $B$ itself). If not, the replica will support the finalization of $B$ by broadcasting a finalization share for $B$ . A finalization share has exactly the same format as a notarization share (but is tagged in such a way notarization shares and finalization shares cannot be confused with one another). Any set of $n - f$ finalization shares on $B$ may be aggregated together to form a finalization for $B$ , which has exactly the same format as a notarization (but again, is appropriately tagged). Any replica that obtains a finalized block will broadcast the finalization to all other replicas.

We prove the safety invariant below. One consequence of the safety invariant is the following. Suppose two blocks $B$ and $B^{'}$ are finalized, where $B$ has height $h$ , $B^{'}$ has height $h^{'} \leq h$ . Then the safety invariant implies that the path in the tree of notarized blocks ending at $B^{'}$ is a prefix of the path ending at $B$ (if not, then there would be two notarized blocks at height $h^{'}$ , contradicting the finalization invariant). Thus, whenever a replica sees a finalized block $B$ , it may view all ancestors of $B$ as being implicitly finalized, and because of the safety invariant, the safety property is guaranteed to hold for these (explicitly and implicitly) finalized blocks.

Delay functions

The protocol makes use of two delay functions, $Δ_{m}$ and $Δ_{n}$ , which control the timing of block making and notarization activity. Both of these functions map the rank $r$ of the proposing replica no a nonnegative delay amount, and it is assumed that each function is monotonely increasing in $r$ , and that $Δ_{m} (r) \leq Δ_{n} (r)$ for all $r = 0, \dots, n - 1$ . The recommended definition of these functions is $Δ_{m} (r) = 2 δ r$ and $Δ_{n} (r) = 2 δ r + ϵ$ , where $δ$ is an upper bound on the time to deliver messages from one honest replica to another, and $ϵ \geq 0$ is a "governor" to keep the protocol from running too fast. With these definitions, liveness will be ensured in those rounds in which (1) the leader is honest, and (2) messages really are delivered between honest parties within time $δ$ . Indeed, if (1) and (2) both hold in a given round, then the block proposed by the leader in that round will be finalized. Let us call this the liveness invariant. We prove this below.

Putting it all together

We now describe in more detail how the protocol works; specifically, we describe more precisely when a replica will propose a block and when a replica will support the notarization of a block. A given replica $P$ will record the time at which it enters a given round $h$ , which happens when it has obtained (1) some notarization for a block of height $h - 1$ , and (2) the random beacon for round $h$ . Since the random beacon for round $h$ has been determined, $P$ can determine its own rank $r_{P}$ , as well as the rank $r_{Q}$ of each other replica $Q$ for round $h$ .

Random beacon details

As soon as a replica enters round $h$ , it will generate and broadcast its share of the random beacon at round $h + 1$ .

Block making details

Replica $P$ will only propose its own block $B_{P}$ provided (1) at least $Δ_{m} (r_{P})$ time units have passed since the beginning of the round, and (2) there is no valid lower ranked block currently seen by $P$ .

Note that since $P$ is guaranteed to have a notarized block of height $h - 1$ when it enters round $h$ , it can make its proposed block a child of this notarized block (or any other notarized block of height $h - 1$ that it may have). Also note that when $p$ broadcasts its proposal for $B_{P}$ , it must also ensure that it also has relayed the notarization of $B_{P}$ 's parent to all replicas.

Suppose a replica $Q$ sees a valid block proposal from a replica $P$ of rank $r_{P} < r_{Q}$ such that (1) at least $Δ_{m} (r_{P})$ time units have passed since the beginning of the round, and (2) there is no block of rank less than $r_{P}$ currently seen by $Q$ . Then at this point in time, if it has not already done so, $Q$ will relay this block proposal (along with the notarization of the proposed block's parent) to all other replicas.

Notarization details

Replica $P$ will support the notarization of a valid block $B_{Q}$ proposed by a replica $Q$ of rank $r_{Q}$ provided (1) at least $Δ_{n} (r_{Q})$ time units have passed since the beginning of the round, and (2) there is no block of rank less than $r_{Q}$ currently seen by $P$ .

Proof of growth invariant

The growth invariant states that each honest replica will eventually complete each round. Assume that all honest replicas have started round $h$ . Let $r^{*}$ be the rank of the lowest ranked honest replica $P^{*}$ in round $h$ . Eventually, $P^{*}$ will either (1) propose its own block, or (2) relay a valid block proposed by a lower ranked replica. In either case, some block must eventually be supported by all honest replicas, which means that some block will become notarized and all honest replicas will finish round $h$ .

Proof of safety invariant

The safety invariant states that if a block is finalized in a given round, then no other block may be notarized in that round. Here is a proof of the safety invariant:

Suppose that the number of corrupt parties is exactly $f^{*} \leq f < n / 3$ .
If a block $B$ is finalized, then its finalization must have been supported by a set $S$ of at least $n - f - f^{*}$ honest replicas (by the security property for aggregate signatures).
Suppose (by way of contradction) that another block $B^{'} \neq B$ were notarized. Then its notarization must have been supported by a set $S^{'}$ of at least $n - f - f^{*}$ honest replicas (again, by the security property for aggregate signatures).
The sets $S$ and $S^{'}$ are disjoint (by the finalization logic).
Therefore, $n - f^{*} \geq | S \cup S^{'} | = | S | + | S^{'} | \geq 2 (n - f - f^{*})$ , which implies $n \leq 3 f$ , a contradiction.

Proof of liveness invariant

We say that the network is $δ$ -synchronous at time $t$ if if all messages that have been sent by honest replicas at or before time $t$ arrive at their destinations before time $t$ .

The liveness invariant may be stated as follows. Suppose that $Δ_{n} (1) \geq Δ_{m} (0) + 2 δ$ . Also suppose that in a given round $h$ , we have

the leader $P$ in round $h$ is honest,
the first honest replica $Q$ to finish round $h - 1$ does so at time $t$ , and
the network is $δ$ -synchronous at times $t$ and $t + δ + Δ_{m} (0)$ .

Then the block proposed by $P$ in round $h$ will be finalized.

Here is a proof of the liveness invariant:

Under partial synchrony at time $t$ , all honest replicas will enter round $h$ before time $t + δ$ (the notarization that ended round $h - 1$ for $Q$ , as well as the necessary round $h$ random beacon shares, will arrive at all honest replicas before this time).
The leader $P$ in round $h$ will propose a block $B$ before time $t + δ + Δ_{m} (0)$ , and again by partial synchrony, this block proposal will be delivered to all other replicas before time $t + 2 δ + Δ_{m} (0)$ .
Since $Δ_{n} (1) \geq Δ_{m} (0) + 2 δ$ , the protocol logic guarantees that each honest replica supports the notarization of block $B$ and no other block, and thus $B$ will become notarized and finalized.

Other issues

Growth latency

Under a partial synchrony assumption, we can also formulate and prove a quantitative version of the growth invariant. For simplicity, assume that the delay functions are defined as recommended above: $Δ_{m} (r) = 2 δ r$ and $Δ_{n} (r) = 2 δ r + ϵ$ , and further assume that $ϵ \leq δ$ . Suppose that at time $t$ , the highest numbered round entered by any honest replica is $h$ . Let $r^{*}$ be the rank of the lowest ranked honest replica $P^{*}$ in round $h$ . Finally, suppose that the network is $δ$ -synchronous at all times in the interval $[t, t + (3 r^{*} + 2) δ]$ . Then all honest replicas will finish round $h$ before time $t + 3 (r^{*} + 1) δ$ .

Locally adjusted delay functions

When a replica does not see any finalized blocks for several rounds, it will start increasing its own delay function $Δ_{n}$ for notarization. Replicas need not agree on these locally adjusted notarization delay functions.

Also, while replicas do not explicitly adjust the delay function $Δ_{n}$ , we can mathematically model local clock drift by locally adjusting both delay functions.

Thus, there are many delay fucntions, parameterized by replica and round. The critical condition $Δ_{n} (1) \geq Δ_{m} (0) + 2 δ$ needed for liveness then becomes $max Δ_{n} (1) \geq min Δ_{m} (0) + 2 δ$ , where the $max$ and $min$ are taken over all the honest replicas in a given round. Thus, if finalization fails for enough rounds, all honest replicas will eventually increase their notarization delay until this holds and finalization will then resume. If some honest replicas increase their notarization latency function more than other replicas, there no penalty in terms of liveness (but there may be in terms of growth latency).

Fairness

Another property that is important in consensus protocols is fairness. Rather than give a general definition, we simply observe that the liveness invariant also implies a useful fairness property. Recall that the liveness invariant basically says that in any round where the leader is honest and the network is synchronous, then the block proposed by the leader will be finalized. In those rounds where this happens, the fact that the leader is honest ensures that it will include in the payload of its block all of the transaction requests it knows about (modulo limits on the payload size). So, very roughly speaking, any transaction request that is disseminated to enough replicas will be included in a finalized block in a reasonable amount of time with high probability.

@@ Line 114: / Line 114: @@
 a compact multi-signature.
 The protocol will use these multi-signatures
-for [[#Notarization|notarizations]] and [[#Finalization|finalization]],
+for [[#Notarization|notarizations]] and [[#Finalization|finalizations]],
 which are aggregations of <math>n-f</math> signatures on messages
 of a certain form.