Difference between revisions of "IC consensus layer"
VictorShoup (talk | contribs) |
VictorShoup (talk | contribs) Tag: mw-manual-revert |
||
| Line 3: | Line 3: | ||
There are many protocols in the literature for this problem. | There are many protocols in the literature for this problem. | ||
The IC uses a new consensus protocol, which is described here at a high level. | The IC uses a new consensus protocol, which is described here at a high level. | ||
| − | For more details, see the paper | + | For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper). |
Any secure consensus protocol should guarantee three properties, which (roughly stated) are: | Any secure consensus protocol should guarantee three properties, which (roughly stated) are: | ||
| Line 9: | Line 9: | ||
* <b>liveness</b>: all replicas should make steady progress, and | * <b>liveness</b>: all replicas should make steady progress, and | ||
* <b>validity</b>: all transaction requests satisfy some (application specific) validity condition. | * <b>validity</b>: all transaction requests satisfy some (application specific) validity condition. | ||
| − | The paper | + | The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies all of these properties |
The IC consensus protocol is design to be | The IC consensus protocol is design to be | ||
Revision as of 13:29, 8 October 2021
The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process transaction requests in the same order. There are many protocols in the literature for this problem. The IC uses a new consensus protocol, which is described here at a high level. For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).
Any secure consensus protocol should guarantee three properties, which (roughly stated) are:
- safety: all replicas in fact agree on the same ordering of transaction requests,
- liveness: all replicas should make steady progress, and
- validity: all transaction requests satisfy some (application specific) validity condition.
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies all of these properties
The IC consensus protocol is design to be
- extremely simple, and
- robust (performance degrades gracefully when some replicas are malicious).
As discussed in the introduction, we assume
- a subnet of [math]\displaystyle{ n }[/math] replicas, and
- at most [math]\displaystyle{ f \lt n/3 }[/math] of the replicas are faulty.
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.
We assume that communication is asynchronous, with no a priori bound on the delay of messages sent between replicas. In fact, the scheduling of message delivery may be completely under adversarial control. The IC consensus protocol guarantees safety under this very weak communication assumption. However, to guarantee liveness, we need to assume a form of partial synchrony, which (roughly stated) says that the network will be timely periodically. Somewhat more precisely, there exists a bound [math]\displaystyle{ \Delta }[/math] such that periodically all undelivered messages will be delivered within time [math]\displaystyle{ \Delta }[/math]. The bound [math]\displaystyle{ \Delta }[/math] does not have to be known in advance (the protocol can adapt itself to an unknown [math]\displaystyle{ \Delta }[/math] value). Regardless of whether we are assuming an asynchronous or partially synchronous network, we assume that every message sent from one honest party to another will eventually be delivered.
Like a number of consensus protocols, the IC consensus protocol is based in a blockchain. As the protocol progresses, a tree of blocks is grown, starting from a special genesis block that is the root of the tree. Each non-genesis block in the tree contains (among other things) a payload, consisting of a sequence of transaction requests, and a hash of the block's parent in the tree. The honest replicas have a consistent view of this tree: while each replica may have a different, partial view of this tree, all the replicas have a view of the same tree. In addition, as the protocol progresses, there is always a path of finalized blocks in this tree. Again, the honest replicas have a consistent view of this path: while each replica may have a different, partial view of this path, all the parties have a view of the same path. The transaction requests in the payloads of the blocks along this path are the ordered transaction requests will be processed by the execution layer of the Internet Computer.
The protocol proceeds in rounds. In round [math]\displaystyle{ h }[/math] of the protocol, one or more blocks of height [math]\displaystyle{ h }[/math] are added to the tree. That is, the blocks added in round [math]\displaystyle{ h }[/math] are always at a distance of exactly [math]\displaystyle{ h }[/math] from the root. In each round, a random beacon is used to generate a random permutation of the [math]\displaystyle{ n }[/math] parties, so as to assign to each party a rank. The party of lowest rank is the leader of that round. When the leader is honest and the network is timely, the leader will propose a block which will be added to the tree. If the leader is not honest or the network is not timely, some other parties of higher rank may also propose blocks, and also have their blocks added to the tree. In any case, the logic of the protocol gives highest priority to the leader's proposed block.
The message complexity per round of the IC consensus protocol is typically [math]\displaystyle{ O(n^2) }[/math]. The protocol also enjoys the property known as optimistic responsiveness, which means that so long as the leader is honest, the protocol will proceed at the pace of the actual network delay, rather than some upper bound on the network delay.
To implement the protocol, each replica is associated with a
public key for the BLS signature scheme, and each replica also holds
the corresponding secret signing key.
The association of replicas to public keys is maintained by the
network nervous system (NNS) of the Internet Computer.
These BLS signatures will be used to authenticate messages, also called artifacts,
sent by replicas.
The protocol also uses the signature aggregation feature of BLS signatures,
which allows many signatures on the same message to be aggregated into
a compact multi-signature.
FIXME: citation, discussion of rogue key attack mitigation.
In addition to BLS signatures and multi-signatures as discussed above, the protocol makes use of a BLS threshold signature scheme to implement the above-mentioned random beacon. To set up such a threshold signature scheme, the Internet Computer runs a distributed key generation (DKG) protocol. There are many DKG protocols in the literature. The Internet Computer implements a new non-interactive DKG (NiDKG) protocol.
Initialization:
- broadcast a share of the height 1 beacon
- [math]\displaystyle{ D \gets \emptyset }[/math] — the set of disqualified parties
For each height [math]\displaystyle{ h=1, 2, 3, \ldots }[/math]
- wait for [math]\displaystyle{ f+1 }[/math] shares of the height-[math]\displaystyle{ h }[/math] random beacon
- combine these shares to obtain the height-[math]\displaystyle{ h }[/math] random beacon
- this defines the rank of each replica for height [math]\displaystyle{ h }[/math]
TBD: finish writing high-level summary of protocol.
Maybe it is better to write it out more in words than dense pseudocode.