FIP-0086 updates from implementation #1022
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anorth
commented
Jun 18, 2024
anorth
commented
Jun 21, 2024
anorth
force-pushed
the
anorth/86-alignment
branch
2 times, most recently
from
e5b14c9
to
3cb71d2
Compare
anorth
requested review from
momack2,
arajasek,
jennijuju,
kaitlin-beegle,
raulk,
jsoares and
TippyFlitsUK
as code owners
anorth
force-pushed
the
anorth/86-alignment
branch
from
3cb71d2
to
180e63a
Compare
anorth
commented
Jun 25, 2024
anorth
commented
Jun 25, 2024
| Given an EC chain state at some epoch, the corresponding F3 committee comprises all miner actors with: | ||
| - at least 10TiB of quality-adjusted power; | ||
| - zero fee debt; and | ||
| - no active consensus fault. |
There was a problem hiding this comment.
@Kubuxu could you please check the EC leader election and confirm there are no other relevant checks? I'm aware that in EC these are applied against both lookback state and current state: we can only do one.
There was a problem hiding this comment.
In the code, I'm using the same rules that apply to the EC election but without the Finality lookback.
There was a problem hiding this comment.
That sounds great. Can you please clarify that I have captured those rules here? Are there any more?
There was a problem hiding this comment.
There is a caveat about not having enough miners (if there are fewer miners than X, the minimum power no longer applies). Other than that, it is the 3 checks you mentioned.
There was a problem hiding this comment.
Should we add that line here that the number of miners must be X to reach consensus?
There was a problem hiding this comment.
Should we add that line here that the number of miners must be X to reach consensus?
There's no minimum on the number of participants, except implicitly 1. The protocol would be unable to recover from dropping below any such number.
Kubuxu
reviewed
Jun 25, 2024
* Specify backoff when EC produces empty tipsets Update FIP to backoff when starting a new instance when EC produces empty tipsets. Relates to filecoin-project/go-f3#371 * Document the increment function of start backoff Introduce a function to concretely document the increment of start backoff and explicitly mention that it must be consistent across all participants for a given instance number. Change the start backoff to epochs for a more concrete unit.
|
Thanks for the contributions @masih @Stebalien. This PR is ready for editorial and detailed technical review, and then merging. |
masih
approved these changes
Jul 2, 2024
momack2
reviewed
Jul 9, 2024
momack2
reviewed
Jul 9, 2024
momack2
approved these changes
Jul 9, 2024
jennijuju
reviewed
Jul 15, 2024
jennijuju
reviewed
Jul 15, 2024
| * **Liveness.** Implementing F3 introduces the risk that an adversary controlling at least ⅓ QAP prevents termination of a GossiPBFT instance. In that case, the F3 component would halt, not finalizing any tipset anymore. At the same time, EC would still operate, outputting tipsets and considering them final after 900 epochs. The liveness of the system is thus not affected by attacks on the liveness of F3. | ||
| * **Safety.** Implementing F3 ensures the safety of finalized outputs during regular or even congested networks against a Byzantine adversary controlling less than ⅓ QAP. For stronger adversaries, F3 provides mitigations to prevent censorship attacks, as outlined above. If deemed necessary, the punishment and recovery from coalitions in the event of an attempted attack on safety can be explored in future FIPs. Note that the (safe) finality time is already significantly improved by F3 compared to the status quo: F3 provides safety of finalized outputs two orders of magnitude faster than the current parameter of 900 epochs during regular network operation. | ||
| * **Denial-of-service (DoS).** The implementation of the F3 preserves resistance against DoS attacks currently ensured by Filecoin, thanks to the fully leaderless nature of GossiPBFT and to the use of a VRF to self-assign tickets during the CONVERGE step. | ||
| * **Committees.** This FIP proposes to have all participants run all instances of GossiPBFT. While this ensures optimal resilience against a Byzantine adversary, it can render the system unusable if the number of participants grows too large. While we are still evaluating the maximum practical number of participants in F3, it is expected to be at least one order of magnitude greater than the current number of participants in Filecoin. This introduces an attack vector: if the scalability limit is 100,000 participants, a participant holding as little as 3% of the current QAP can perform a Sybil attack to render the system unusable, with the minimum QAP required per identity. As a result, the implementation should favor the messages of the more powerful participants if the number of participants grows too large. Given that favoring more powerful participants discriminates against the rest, affecting decentralization, amending F3 to use committees in the event of the number of participants exceeding the practical limit will be the topic of a future FIP, as well as the analysis of optimized message aggregation in the presence of self-selected committees. | ||
| * **Committees.** This FIP proposes to have all eligible EC participants run all instances of GossiPBFT. While this ensures optimal resilience against a Byzantine adversary, it can render the system unusable if the number of participants grows too large. This introduces an attack vector: if the scalability limit is 100,000 participants, a participant holding as little as 3% of the current QAP can perform a Sybil attack to render the system unusable, with the minimum QAP required per identity. As a result, the implementation should favor the messages of the more powerful participants if the number of participants grows too large. Given that favoring more powerful participants discriminates against the rest, affecting decentralization, amending F3 to use committees in the event of the number of participants exceeding the practical limit might be the topic of a future FIP, as well as the analysis of optimized message aggregation in the presence of self-selected committees. |
There was a problem hiding this comment.
what's the practical scalability limit today, i.e., if participant # is approaching X, a FIP is necessary to harden the protocol further?
|
editorial ✅ |
jennijuju
approved these changes
Jul 15, 2024
|
I'm hoping to still read through today, assuming it's not merged before. |
jsoares
reviewed
Jul 15, 2024
| @@ -591,32 +656,27 @@ OR (step=COMMIT | valid COMMIT eviden | |||
| OR (step = DECIDE | valid DECIDE evidence | |||
| AND (∃ M: IsStrongQuorum(M) AND evidence=Aggregate(M)| is a strong quorum | |||
| AND ∀ m’ ∈ M: m’.step = COMMIT | of COMMIT messages | |||
| AND ∀ m’,m'' ∈ M: m’.round = m''.round | from the same round | |||
| AND ∀ m’,m’’ ∈ M: m’.round = m’’.round | from the same (any) round as each other | |||
There was a problem hiding this comment.
Not sure the added "any" contributes to clarity.
Co-authored-by: MollyM <momack2@users.noreply.github.com>
Co-authored-by: Jorge M. Soares <547492+jsoares@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Two notable changes feeding back from the implementation, plus some smaller improvements:
mayHaveStrongQuorumfunction is changed to treat boundary conditions "correctly"Tightened up some language and formatting:
//.A potentially clarifying change we could make would be a change in terminology from power table & power (EC concepts) to committee and weight (F3 concepts). These terms are currently a bit ambiguous since the concepts are not 1:1. I refrained for now.