Introduce randomness into proposer selection? #7858
Comments
|
I‘d like to add my previous comment: If mempool inclusion depends on the order when a tx is seen first on a node (i.e. checkTx decision), then the proposer rotation needs to be randomized. |
|
Fairly straight forward to create simple lottery based on commit-block hash(-1). Reduce validator public key and block hash to common base, and make a best match. |
|
Block hash can be manipulated and therefore it is not a good entropy source. |
|
Ok good to know. Certainly an immutable source of entropy must exist in the blockheader though. I will keep an eye out. |
|
BTW for clarification, which blockhash can be manipulated? Certainly none stored in the permanent blockchain and used as reference, or is this a seperate blockId?? |
|
Block hash cannot be manipulated after block is confirmed, but it can be manipulated beforehand, for example by adjusting the set of transactions. |
|
Ok. This is why i suggested using the previous block hash. ie. the most recent immutable block in the blockchain. This should be trustable pre-proposal? |
|
The problem is that the current proposer could adjust the block in a way to give himself a higher chance of being selected. |
|
With the hash output being random for any current state, the best any validator could do would be to "brute force" a better result. Would this not mean somehow intentional disruption of proposal process? If every validator tries to brute force it, no transactions get processed, so no point in brute forcing? |
|
As far as I can tell, the only way to exploit it would be as a proposer, and noncing the current block state to try and get a subsequent blockhash which would again make you the proposer. However there is no direct advantage or incentive to this, so it's hard to see much affect of even a hostile actor (you end up where you started, with a deterministic round initiator), while to non-hostile actors there is incentive to honestly participate in the lottery to the extent it does increase the robustness of the network. Am I correct? |
|
I would say that a hostile actor has all incentive to try and brute-force it to become the next proposer again. It would enable him to order transactions on the next block too. Of course, this becomes super obvious if done repeatedly, but if a proposer only does this every 1000 blocks he can use it to manipulate the transaction ordering for the application (example a DEX and the proposer every once in a while can cheat the system for extra profit). |
|
@srmo good point! we're planning to add some kind of priority field so the mempool could sort its txs |
|
Sounds very good. TBH in evangelizing for Tendermint, much technical resistance based on this issue in general for BFT. I suggest a solution would go a long way to broader acceptance of Tendermint. It seems the only problem to solve is whether or not the source of "entropy" in proposer selection is fully known prior to block publishing by consensus round. If this can be prevented, the the "simple lottery" concept could work? |
|
Transaction payload is considered primary source of non-determinism in lottery systems like Bitcoin PoW. Added nonce is controllable (deterministic) aspect. I suppose what is needed is second/unpredictable source of entropy... Interesting aspect of other BFT's (what I understand original Ripple protocol did), is provable consensus on transactions(?) not just blocks(?). AFAIK, Ripple votes on each transaction. If transaction ordering could be "fixed" (ei. added transacition merkle tree) woud this eliminate "transaction ordering manipulation"? Essentially an added proof of "mempool state" among validators. |
|
What do you think of the randomized leader election proposal? The CodeChain team is considering to introduce randomized leader election in Tendermint. |
|
I'm unaware of any deterministic leader election algorithm that maintains some strong notion of fairness in the presence of weight changes at the moment. (Our current one does not) Strongly in favor of randomized proposer election, with the sequence of subsequent proposers known {N} blocks ahead of time! |
|
Does randomized proposer election become easier with epoch-based validator sets (in terms of achieving fairness)? |
|
Hi The solution "randomized proposer election" is implemented in which version of tundermint? |
Nope! Its pretty easy to get fairness without epochs in the randomized case. (What you'd do is define a lagged fairness property. e.g. if I get a stake update in block N, I have a fair probability for this in block N + k, for a fixed k.) This is because using randomness, at block |
"The round-robin algorithm is deterministic for choosing the next leader. So even if there is a timeout, the attacker will know exactly who will be the next proposer and then just direct all his bots to simultaneously attack that proposer and keep doing this in sequence." Joe765 on https://riot.im/app/#/room/#cosmos:matrix.org
The text was updated successfully, but these errors were encountered: