FIP-0086: Changes from 1st Audit #985
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Remove redundant clause
masih
reviewed
Apr 11, 2024
anorth
reviewed
Apr 11, 2024
FIPS/fip-0086.md
Outdated
| ValidEvidence(m= <step, value, instance, round, evidence, ticket>): | ||
|
|
||
| if ( step = PREPARE and round = 0) | in the first round, | ||
| AND (evidence = nil) | evidence for PREPARE |
There was a problem hiding this comment.
Thanks, addressed.
FIPS/fip-0086.md
Outdated
| AND ∀ m’ ∈ M: m’.step = PREPARE | of PREPARE messages | ||
| AND ∀ m’ ∈ M: m’.round = round | from the same round | ||
| AND ∀ m’ ∈ M: m’.value = value) | for the same value, or | ||
| OR (value = 丄)) | COMMIT is for 丄 with |
There was a problem hiding this comment.
This case value = bottom already handled at 480, so should be impossible here (or the message has evidence that it shouldn't)
There was a problem hiding this comment.
Thanks, addressed.
|
Resolved conflicts |
ranchalp
requested review from
momack2,
arajasek,
jennijuju,
kaitlin-beegle,
raulk and
jsoares
as code owners
jsoares
approved these changes
Apr 12, 2024
FIPS/fip-0086.md
Outdated
| 7: evidence ← nil \* used to communicate optional evidence for the voted value | ||
| 5: value ← proposal \* used to communicate the voted value to others (proposal or 丄) | ||
| 6: evidence ← nil \* used to communicate optional evidence for the voted value | ||
| 7: C ← {baseChain} | ||
|
|
||
| 8: while (not decideSent) { |
There was a problem hiding this comment.
Suggested change
| 8: while (not decideSent) { | |
| 8: while (NOT decideSent) { |
not and NOT seem to be inconsistently used throughout the pseudocode. Either is fine, I'd probably go with all caps for consistency with other logical operators.
There was a problem hiding this comment.
Fixed in the latest commit, rejected here.
Comment on lines
+477
to
+509
| ValidEvidence(m= <step, value, instance, round, evidence, ticket>): | ||
|
|
||
| if ( step = PREPARE and round = 0) | in the first round, | ||
| AND (evidence = nil) | evidence for PREPARE | ||
| return True | is nil | ||
|
|
||
| if (step = COMMIT and value = 丄) | a COMMIT for 丄 carries no evidence | ||
| AND (evidence = nil) | ||
| return True | ||
|
|
||
| If (evidence.instance != instance) | the instance of the evidence must be the | ||
| return False | same as that of the message | ||
|
|
||
| | valid evidences for | ||
| return (step = CONVERGE OR (step = PREPARE AND round>0) | CONVERGE and PREPARE in | ||
| AND (∃ M: Power(M)>⅔ AND evidence=Aggregate(M) | round>0 is strong quorum | ||
| AND ((∀ m’ ∈ M: m’.step = COMMIT AND m’.value = 丄) | of COMMIT msgs for 丄 | ||
| OR (∀ m’ ∈ M: m’.step = PREPARE AND | or PREPARE msgs for | ||
| m’.value = value)) | CONVERGE value | ||
| AND (∀ m’ ∈ M: m’.round = round-1))) | from previous round | ||
|
|
||
|
|
||
| OR (step=COMMIT | valid COMMIT evidence | ||
| AND (∃ M: Power(M)>⅔ AND evidence=Aggregate(M) | is a strong quorum | ||
| AND ∀ m’ ∈ M: m’.step = PREPARE | of PREPARE messages | ||
| AND ∀ m’ ∈ M: m’.round = round | from the same round | ||
| AND ∀ m’ ∈ M: m’.value = value)) | for the same value, or | ||
|
|
||
| OR (step = DECIDE | valid DECIDE evidence | ||
| AND (∃ M: Power(M)>⅔ AND evidence=Aggregate(M) | is a strong quorum | ||
| AND ∀ m’ ∈ M: m’.step = COMMIT | of COMMIT messages | ||
| AND ∀ m’ ∈ M: m’.round = round | from the same round | ||
| AND ∀ m’ ∈ M: m’.value = value)) | for the same value |
There was a problem hiding this comment.
The alignment is pretty broken when rendered. Likely a consequence of the mix of space- and tab-based indentation; would be best to go all space as in the previous version. Tabs also show elsewhere in the doc, so maybe configure your editor accordingly.
There was a problem hiding this comment.
I think you meant in the previous block of pseudocode? My rendered version looks fine here. The fix for the previous block of pseudocode was a combination of indents and whitespaces (as a result of the font not being monospace, due to special symbols like 丄 taking more width). If that is what it was, fixed.
FIPS/fip-0086.md
Outdated
| @@ -729,7 +754,7 @@ The modifications proposed in this FIP have far-reaching implications for the se | |||
|
|
|||
| * **Censorship.** F3 and GossiPBFT are designed with censorship resistance in mind. The updated fork choice rule means that an adversary controlling at least more than ⅓ QAP can try to perform a censorship attack if honest participants start an instance of GossiPBFT proposing at least two distinct inputs. While this attack is theoretically possible, it is notably hard to perform on F3 given the QUALITY step of GossiPBFT and other mitigation strategies specifically put in place to protect against this. We strongly believe that, even against a majority adversary, the mitigations designed will prevent such an attack. | |||
| * **Liveness.** Implementing F3 introduces the risk that an adversary controlling at least ⅓ QAP prevents termination of a GossiPBFT instance. In that case, the F3 component would halt, not finalizing any tipset anymore. At the same time, EC would still operate, outputting tipsets and considering them final after 900 epochs. The liveness of the system is thus not affected by attacks on the liveness of F3. | |||
| * **Safety.** Implementing F3 ensures the safety of finalized outputs during regular or even congested networks against a Byzantine adversary controlling less than ⅓ QAP. For stronger adversaries, F3 provides mitigations to prevent censorship attacks, as outlined above. If deemed necessary, the punishment and recovery from coalitions in the event of an attempted attack on safety can be explored in future FIPs. Note that safety is already significantly improved by F3 compared to the status quo: F3 provides safety of finalized outputs two orders of magnitude faster than the current estimate of 900 epochs during regular network operation. | |||
| * **Safety.** Implementing F3 ensures the safety of finalized outputs during regular or even congested networks against a Byzantine adversary controlling less than ⅓ QAP. For stronger adversaries, F3 provides mitigations to prevent censorship attacks, as outlined above. If deemed necessary, the punishment and recovery from coalitions in the event of an attempted attack on safety can be explored in future FIPs. Note that (safe) finality time is already significantly improved by F3 compared to the status quo: F3 provides safety of finalized outputs two orders of magnitude faster than the current estimate of 900 epochs during regular network operation. | |||
There was a problem hiding this comment.
Suggested change
| * **Safety.** Implementing F3 ensures the safety of finalized outputs during regular or even congested networks against a Byzantine adversary controlling less than ⅓ QAP. For stronger adversaries, F3 provides mitigations to prevent censorship attacks, as outlined above. If deemed necessary, the punishment and recovery from coalitions in the event of an attempted attack on safety can be explored in future FIPs. Note that (safe) finality time is already significantly improved by F3 compared to the status quo: F3 provides safety of finalized outputs two orders of magnitude faster than the current estimate of 900 epochs during regular network operation. | |
| * **Safety.** Implementing F3 ensures the safety of finalized outputs during regular or even congested networks against a Byzantine adversary controlling less than ⅓ QAP. For stronger adversaries, F3 provides mitigations to prevent censorship attacks, as outlined above. If deemed necessary, the punishment and recovery from coalitions in the event of an attempted attack on safety can be explored in future FIPs. Note that the (safe) finality time is already significantly improved by F3 compared to the status quo: F3 provides safety of finalized outputs two orders of magnitude faster than the current parameter of 900 epochs during regular network operation. |
Not something you changed now, but I think we should refer to the 900 epochs as a parameter/setting rather than an estimate.
There was a problem hiding this comment.
Fixed in the latest commit (in batch with your other comments and suggestions), rejected here.
jennijuju
approved these changes
Apr 13, 2024
|
editorial review ✅ |
anorth
approved these changes
Apr 16, 2024
This was referenced Apr 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Draft for the moment. Track changes here.