Tendermint epoch transitions

[feynmanliang]

Resolves #6046

[parity-cla-bot]

It looks like @feynmanliang hasn'signed our Contributor License Agreement, yet.

The purpose of a CLA is to ensure that the guardian of a project's outputs has the necessary ownership or grants of rights over all contributions to allow them to distribute under the chosen licence.
Wikipedia

You can read and sign our full Contributor License Agreement at the following URL: https://cla.parity.io

Once you've signed, plesae reply to this thread with [clabot:check] to prove it.

Many thanks,

Parity Technologies CLA Bot

[feynmanliang]

[clabot:check]

[parity-cla-bot]

It looks like @feynmanliang signed our Contributor License Agreement. 👍

Many thanks,

Parity Technologies CLA Bot

[gavofyork]

many thanks for the contribution!

[rphmeier]

@feynmanliang Thanks! It's almost there (and sorry for being a bit ambiguous about this), but there are just a couple things missing:

• There should be an EpochVerifier which has a verify_light function that checks a block's seal under the validator set
• The EpochVerifier should also have a check_finality_proof which does the same.
• The validator set proof should be combined with the block header as a finality proof, and in conjunction can be used to produce an EpochVerifier. Look at how this is done in AuthorityRound for guidance.

How to check the seal:
In tendermint blocks have instant finality, so any block which is correctly signed is finalized. as such, only each block can only finalize itself, unlike authority round where any block can finalize an unbounded amount of others.

For checking the seal of a header, take a look at the verify_block_family function of Tendermint. The basic steps are:

• iterate over header.seal.get(2) (fail if None) as UntrustedRlp
• extract the signatures from each Precommit
• The block is sealed if the number of unique signers is a majority of the epoch set, and unsealed otherwise.

[rphmeier]

tendermint blocks do have instant finality, so the "proof" here would just be an encoded header (which we check for seal validity).

the way warp sync for PoA works is by providing a list of validator set changes along with proofs of finality of the change. A change is signalled, and the old validator set approves the signal by finalizing the block where the signal occurred. From this proved list of validator set handoffs we can get to the most recent finalized block with full security. check_finality_proof is the way we check that signals were finalized, so it can't panic.

[feynmanliang]

👍

To clarify, you're referring to https://github.com/paritytech/parity/blob/master/ethcore/src/snapshot/consensus/authority.rs?utf8=%E2%9C%93#L365?

[rphmeier]

yes, and https://github.com/paritytech/parity/blob/master/ethcore/src/snapshot/consensus/authority.rs?utf8=%E2%9C%93#L199

[rphmeier]

this should also ensure that
a) each signature is a valid signature of header.bare_hash()
b) the public key recovered from each signature corresponds to an address in self.subchain_validators

I would recommend making the hashset store only those Addresses as opposed to the signatures themselves.

[feynmanliang]

I am a little bit lost here. Looking at verify_block_family, it pattern matches on first converting the Header into either a Proposal or VoteStep. Then for Proposals it checks if the proposer is an authority in the parent block and is the proposer of the current proposal, and for VoteStep it does the counting of signatures.

Are we to assume here that the Header will always correspond to a VoteStep?

[rphmeier]

should still return Unconfirmed if some block hash is returned by epoch_set, and finality proofs may be checked (but not here). The "proof" passed here may be invalid, so this is also something of a verification function under the consensus logic.

[feynmanliang]

👍 will add the logic for checking finality of the block hash returned by epoch_set.

Does something need to be done wrt checking validity of the "proof" passed here, or is it sufficient to have that happen at https://github.com/paritytech/parity/blob/master/ethcore/src/snapshot/consensus/authority.rs?utf8=%E2%9C%93#L199?

[rphmeier]

it should decode correctly into the two portions (signal proof and finality proof), and each portion should be checked. signal proof is checked if epoch_set returns Ok, and finality_proof will be checked at that point long as we return ConstructedVerifier::Unconfirmed from epoch_verifier

[feynmanliang]

Is the finality proof for tendermint just ::rlp::encode(header)?

[rphmeier]

i don't understand this comment. rlp has type UntrustedRlp

[feynmanliang]

My bad, this was left over from my debugging >.<

[rphmeier]

Some comments I just made are shown as outdated, but they are still relevant

[feynmanliang]

@rphmeier thank you for your comments and helping me through this!

[rphmeier]

could the tendermint module get its own versions of these functions (as the engines will be split into seperate crates in the future)?

[feynmanliang]

👍

[rphmeier]

if these are kept private it gives us more freedom to upgrade their internal behavior

[feynmanliang]

👍

[rphmeier]

LGTM except for combine_proofs/destructure_proofs grumble. I'll also check out the branch and make sure everything's working before merging. Adding tests for the tendermint::EpochVerifier behavior would be good too.

[feynmanliang]

Copied {combine,destructure}_proofs over; I'm happy to do the tests (can you point me to a reference of what these might look like?).

[feynmanliang]

Should this be a majority (i.e. 1/2) or 2/3 (for Byzantine fault tolerance)

[rphmeier]

Tendermint requires 2/3

[feynmanliang]

👍

[feynmanliang]

Does it matter if it's ">" or ">="? I'd imagine in the case of three subchain_validators we'd want verification to pass when we get 2 of them

[rphmeier]

should always be >. In the case of 3 subchain validators you would actually need all 3 to be honest. With an amount of byzantine players f, we have to have at least 3f + 1 players total for safety.

[feynmanliang]

👍

[rphmeier]

One way you could test is by making EpochVerifier generic over a Recover trait (with fn recover(&self, H520) -> Result<Address, Error> -- in the actual engine this would be instantiated with an implementation that actually does the recovery, but in a test you can mock it with some custom mapping. Then you can test behavior of EpochVerifier<MockRecover> to ensure that check_finality_proof and verify_light work correctly.

[feynmanliang]

@rphmeier I added a recover closure parameter to EpochVerifier's constructor so I could stub it out in the tests.

[rphmeier]

Can we make this a generic parameter instead or even one thing in cfg(test) and another in cfg(not(test))? Doing several virtual calls per header verification will probably be a performance hit we don't have to take during ancient block download after warp sync.

[feynmanliang]

I think we might need a virtual here if we want to have the signatures used in the mock recover to be grabbed from the environment. The alternative would be to hard code those addresses (which should remain fairly stable as long as res/tendermint.json isn't modified) and signatures (which will change whenever vote_info.sha3() or tap.sign change). I'll push a commit for this and see what you think

[rphmeier]

@feynmanliang

Try

struct EpochVerifier<F> 
    where F: Fn(&Signature, &Message) -> Result<Address, Error> + Send + Sync 
{
    subchain_validators: SimpleList,
    recover: F,
}

and just don't box the closures when you instantiate EpochVerifier.

[feynmanliang]

👍

[rphmeier]

style: brace on next line, unindented

[rphmeier]

also the where clause should be indented one level, not two

[feynmanliang]

👍

[rphmeier]

style: brace on next line, unindented

[feynmanliang]

👍

[rphmeier]

@feynmanliang

LGTM, just will ask for another quick look-over by @keorn

[gavofyork]

@keorn ?