ADR 016: Validator consensus key rotation

[Hyung-bharvest]

ref: #5231

---

• Targeted PR against correct branch (see CONTRIBUTING.md)

• Linked to github-issue with discussion and accepted design OR link to spec that describes this work.

• Wrote tests

• Updated relevant documentation (docs/)

• Added a relevant changelog entry to the Unreleased section in CHANGELOG.md

• Re-reviewed Files changed in the github PR explorer

---

For Admin Use:

• Added appropriate labels to PR (ex. wip, ready-for-review, docs)
• Reviewers Assigned
• Squashed all commits, uses message "Merge pull request #XYZ: [title]" (coding standards)

[alexanderbez]

Thanks @dlguddus. Can you reference the ADR in ## ADR Table of Contents in docs/architecture/README.MD?

[Hyung-bharvest]

Thanks @dlguddus. Can you reference the ADR in ## ADR Table of Contents in docs/architecture/README.MD?

done!

[alexanderbez]

Looks good @dlguddus and @dongsam. Look forward to seeing the changes.

[alexanderbez]

Concept ACK ++

The ADR should also make mention of a new on-chain parameter -- MaxConsKeyRotations. In addition, I would love to see feedback from @zmanian and @tarcieri :)

[fedekunze]

ACK, pending conflicts resolved and suggested default params added to the ADR.

[codecov]

Codecov Report

Merging #5233 into master will increase coverage by 0.05%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #5233      +/-   ##
==========================================
+ Coverage   54.46%   54.51%   +0.05%     
==========================================
  Files         313      311       -2     
  Lines       18892    18740     -152     
==========================================
- Hits        10289    10217      -72     
+ Misses       7812     7743      -69     
+ Partials      791      780      -11

Impacted Files	Coverage Δ
store/types/pruning.go	50% <0%> (-50%)	⬇️
store/types/utils.go	0% <0%> (-19.61%)	⬇️
store/types/validity.go	0% <0%> (-16.67%)	⬇️
types/dec_coin.go	63.21% <0%> (-14.23%)	⬇️
x/upgrade/handler.go	80% <0%> (-5.72%)	⬇️
x/params/proposal_handler.go	73.68% <0%> (-4.1%)	⬇️
crypto/keys/keybase_base.go	64.7% <0%> (-3.72%)	⬇️
x/mock/test_utils.go	60% <0%> (-3.05%)	⬇️
x/auth/types/stdtx.go	58.67% <0%> (-2.87%)	⬇️
client/keys/add.go	39.35% <0%> (-1.79%)	⬇️
... and 101 more

[zmanian]

IMO, this needs some kind of language about costs validator key rotation imposes on light clients and IBC and potentially some solutions to rate limit or charge fees based on that cost.

[Hyung-bharvest]

IMO, this needs some kind of language about costs validator key rotation imposes on light clients and IBC and potentially some solutions to rate limit or charge fees based on that cost.

how about this in Considerations section

• costs related to LCD and IBC
  • LCD and IBC will have traffic/computation burden when there exists frequent power changes
  • In current Tendermint design, consensus key rotations are seen as power changes from LCD or IBC perspective
  • Therefore, to minimize unnecessary frequent key rotation behavior, we limited maximum number of rotation in recent unbonding period and also applied exponentially increasing rotation fee

[AdityaSripal]

Who is the signer of this message?

[Hyung-bharvest]

The validator account key is the signer of MsgRotateConsPubKey

[AdityaSripal]

Will this change the priority of the validator in the RoundRobin proposer selection in Tendermint?

[Hyung-bharvest]

The new rotated key will have the lowest accum because it is seen as a new validator. So it is a slight disadvantage to the key rotated validator

[zmanian]

IMO, this needs some kind of language about costs validator key rotation imposes on light clients and IBC and potentially some solutions to rate limit or charge fees based on that cost.

how about this in Considerations section

• costs related to LCD and IBC

  • LCD and IBC will have traffic/computation burden when there exists frequent power changes
  • In current Tendermint design, consensus key rotations are seen as power changes from LCD or IBC perspective
  • Therefore, to minimize unnecessary frequent key rotation behavior, we limited maximum number of rotation in recent unbonding period and also applied exponentially increasing rotation fee

Sounds good to me.

It just means that we always need to track how many times a validator rotated keys in the period so we can charge them appropriately.

Another point might be to charge more for validators to rotate keys if they have more voting power.

[Hyung-bharvest]

IMO, this needs some kind of language about costs validator key rotation imposes on light clients and IBC and potentially some solutions to rate limit or charge fees based on that cost.

how about this in Considerations section

• costs related to LCD and IBC

  • LCD and IBC will have traffic/computation burden when there exists frequent power changes
  • In current Tendermint design, consensus key rotations are seen as power changes from LCD or IBC perspective
  • Therefore, to minimize unnecessary frequent key rotation behavior, we limited maximum number of rotation in recent unbonding period and also applied exponentially increasing rotation fee

Sounds good to me.

It just means that we always need to track how many times a validator rotated keys in the period so we can charge them appropriately.

Another point might be to charge more for validators to rotate keys if they have more voting power.

your last sentence seems accurately describe the reasoning factor of KeyRotationFee. what I can suggest is as below.

KeyRotationFee = (max(VotingPowerPercentage * 100, 1) * InitialKeyRotationFee) * 2^(number of rotations in ConsPubKeyRotationHistory in recent unbonding period)

Now KeyRotationFee is linearly dependent to the voting power of the validator. The reason why I used max function in the formula is that, we want to charge minimum key rotation fee even though the validator has very small or no voting power.

How do you like the suggestion?

[zmanian]

How do you like the suggestion?

Perfect.

[Hyung-bharvest]

How do you like the suggestion?

Perfect.

done!

[alexanderbez]

@zmanian mind giving an ACK?

[Hyung-bharvest]

How do you like the suggestion?

Perfect.

@zmanian Could you confirm the update? Thank you!

[Hyung-bharvest]

@zmanian please don't block our process if you dont have any further request. It has been too long time.

[ValarDragon]

Missing an important negative of it allows a validator to effectively sell their entity, in a way that before would require hardware assumptions. (They can change their key to give it to new management, without any oversight from their delegators)