[ADR -44] Lite Client with Weak Subjectivity

[zmanian]

ADR for Lite Client with Weak Subjectivity ADR.

Closes #2133

Implementation in #3577

[codecov-io]

Codecov Report

Merging #3795 into master will decrease coverage by 0.04%.
The diff coverage is n/a.

@@            Coverage Diff            @@
##           master   #3795      +/-   ##
=========================================
- Coverage   65.65%   65.6%   -0.05%     
=========================================
  Files         217     217              
  Lines       18198   18202       +4     
=========================================
- Hits        11948   11942       -6     
- Misses       5382    5389       +7     
- Partials      868     871       +3

Impacted Files	Coverage Δ
privval/signer_server.go	95.65% <0%> (-4.35%)	⬇️
consensus/ticker.go	91.66% <0%> (-4.17%)	⬇️
consensus/metrics.go	15.17% <0%> (-1.83%)	⬇️
lite/dynamic_verifier.go	66.96% <0%> (-1.37%)	⬇️
blockchain/v0/pool.go	80% <0%> (-0.99%)	⬇️
consensus/reactor.go	76.78% <0%> (-0.47%)	⬇️
p2p/pex/pex_reactor.go	83.76% <0%> (+1.73%)	⬆️
privval/signer_listener_endpoint.go	89.13% <0%> (+2.17%)	⬆️
privval/signer_endpoint.go	84% <0%> (+5.33%)	⬆️

[tac0turtle]

Quick run through, will do another tomorrow.

[melekes]

Great post! However, the choice of the concrete data structures (Provider, UpdatingProvider, ConcurrentProvider, DBProvider, MultiProvider) is still not clear to me. Like why there are so many of them? Could not we just expose two? One for linear verification and one for bisecting verification OR even make this an option. Thanks!

[cwgoes]

Nice! Should we combine this / #3796 / #3710?

I think we can offload more work to the full node in the bisection algorithm.

[cwgoes]

Two things to note:

• Light clients are expected to agree with full nodes on the canonical chain
• Tendermint provides a somewhat different (stronger) light client model under eclipse, since the eclipsing node(s) can only fool the light client if they have two-thirds of the private keys from the last root of trust.

[cwgoes]

"largely trusted" is a bit vague. I think both conditions are necessary - only if misbehaviour is punished and validator set changes are infrequent can a light client skip most of the headers. Note also that the state machine can enforce limits on validator set liquidity, which might be useful to provide tighter efficiency/safety bounds.

[cwgoes]

We should explain why one unbonding window (and I think it should be one unbonding window minus delta, where delta is a parameter set according to the expected synchrony bounds for the light client to be able to report evidence)

[cwgoes]

Should we combine https://github.com/tendermint/tendermint/pull/3796/files here?

[cwgoes]

It's a less bandwidth and compute-intensive mechanism, right?

We can bound the number of headers precisely if we make assumptions about validator set liquidity.

[cwgoes]

I would note that it's safe to ask the full node to provide the specific headers that the client needs, given the root of trust height that it has. Should we do that instead? The full node has to track a bit more, but further reduces bandwidth / compute for the light client.

[milosevic]

Note that +2/3 in the new validator set is not sufficient to establish trust of the new validator set as total voting power of new validators and potential adversary set of the old set could be bigger than +1/3 of total voting power. See #3710.

[zmanian]

So it seems like we should say that in order for bisection to take place, the total voting power of the new block must be greater or equal to the total voting power of the last trusted block to prevent this attack correct?

[milosevic]

I think it's more complex than that. Total voting power of new validators together with 1/3 of voting power of old validators that are also present in new validator set must be in total at most 1/3 of voting power in the new val set.

[zmanian]

Okay here is my proposed check.

After current checks for if LatestHeight is valid in it's own terms, if LatestHeight is valid in terms of TrustedHeight.NextValidatorSet we compute the following. Take the sum of the following, for each validator abs((LatestHeightVotingPower/LatestHeightTotalPower)-TrustedHeightVotingPower/TrustedHeightTotalPower)). if this value is greater than 1/3rd, fail for the height.

[zmanian]

I'm still somewhat split if we want to have this check in the presence of counterfactual slashing.

It does confuse the incentive layers a bit, but counterfactual slashing does ensure that any attack using this kind of change of voting powers is still slashable.

[milosevic]

I still have trouble to see link between counterfactual slashing and the checks about validator power change, i.e., how we can get rid of checks in the presence of counterfactual slashing.

[zmanian]

So an attacker who wants to exploit this vulnerability needs signatures from 2/3rd from the TrustedSet. in attack these signatures are either equivocations or counterfactual signatures.

[jaekwon]

Great post! However, the choice of the concrete data structures (Provider, UpdatingProvider, ConcurrentProvider, DBProvider, MultiProvider) is still not clear to me. Like why there are so many of them? Could not we just expose two? One for linear verification and one for bisecting verification OR even make this an option. Thanks!

I think it just needs a bit of documentation, but otherwise that the separation potentially makes things easier to maintain and understand. For example, it isn't necessary to know how a Provider works underneath the hood to understand how ConcurrentProvider works. Similarly, I like to add caching as a layer, as MultiProvider lets you do w/ DBProviders. Each is solving an orthogonal concern, and can get composed. Otherwise we'd eventually end up with two very-complicated struct implementations that would otherwise be hard to tease out (e.g. not-same-but-similar criticism as Tendermint's consensus state not being split out). But not all of these need to be exposed to the user... It would be sufficient to keep the internal unexposed implementation based on these components, but only expose things that external users need to know.

[cwgoes]

A few more minor suggestions, and I think it would be nice to link this to the formal bisection safety spec (once merged, or leave a pointer to be linked in the future).

[melekes]

@cwgoes: thanks for the thorough review 👍