Conway: restrict VRF tiebreaker based on slot distance #1047
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
amesgen
force-pushed
the
amesgen/remove-ord-selectview
branch
from
b090efb
to
879ce60
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
9990017
to
cba44f0
Compare
amesgen
force-pushed
the
amesgen/remove-ord-selectview
branch
from
879ce60
to
193d5ee
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
cba44f0
to
b15f2d0
Compare
amesgen
force-pushed
the
amesgen/remove-ord-selectview
branch
from
193d5ee
to
c18f485
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
2 times, most recently
from
237e0c6
to
cb4b755
Compare
amesgen
force-pushed
the
amesgen/remove-ord-selectview
branch
from
c18f485
to
cd035f7
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
cb4b755
to
943bb25
Compare
amesgen
force-pushed
the
amesgen/remove-ord-selectview
branch
from
cd035f7
to
30c6814
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
943bb25
to
1e16d0f
Compare
amesgen
force-pushed
the
amesgen/remove-ord-selectview
branch
from
30c6814
to
630c9a9
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
1e16d0f
to
41e28be
Compare
amesgen
force-pushed
the
amesgen/remove-ord-selectview
branch
from
630c9a9
to
cbfbb0f
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
41e28be
to
1ff829a
Compare
amesgen
changed the base branch from
amesgen/remove-ord-selectview
to
amesgen/customize-prefer-candidate
amesgen
force-pushed
the
amesgen/customize-prefer-candidate
branch
from
d05e0f7
to
2802b4a
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
1ff829a
to
d05e0f7
Compare
amesgen
force-pushed
the
amesgen/customize-prefer-candidate
branch
from
2802b4a
to
331473c
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
d05e0f7
to
2600839
Compare
amesgen
force-pushed
the
amesgen/customize-prefer-candidate
branch
from
331473c
to
54de587
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
2600839
to
d901502
Compare
amesgen
force-pushed
the
amesgen/customize-prefer-candidate
branch
from
54de587
to
5e2893d
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
d901502
to
df1d571
Compare
nfrisby
reviewed
Apr 23, 2024
ouroboros-consensus-cardano/src/shelley/Ouroboros/Consensus/Shelley/Ledger/Config.hs
Outdated
Show resolved
Hide resolved
ouroboros-consensus-cardano/src/shelley/Ouroboros/Consensus/Shelley/Node/DiffusionPipelining.hs
Outdated
Show resolved
Hide resolved
| data VRFTiebreakerFlavor = | ||
| -- | Always compare the VRF tiebreakers. This is the behavior of all eras | ||
| -- before Conway. Once mainnet has transitioned to Conway, we can remove | ||
| -- this option. |
There was a problem hiding this comment.
Add a parenthetical "(The honest /historical/ Ouroboros chain cannot rely on tiebreakers to win, so /retroactively/ disabling the tiebreaker won't matter)".
There was a problem hiding this comment.
I guess once we do that, then... we could remove the type family, as Joris had asked? #1063 (comment)
There was a problem hiding this comment.
Yes, we could, though the "5 slots" would then be "more hardcoded" than ATM.
| -- number by more than Δ (the maximum message delay from Praos), say | ||
| -- @slot(A) + Δ < slot(B)@, the issuer of B should have been able to mint a | ||
| -- block with a block number higher than A (eg by minting on top of A). | ||
| -- Therefore, we do not want to allow B to win against A by having a better |
There was a problem hiding this comment.
There's also a scenario in which case A was the poorly managed pool. Perhaps B didn't extend A because A was very late sending their block. The tiebreaker still works in that case, since B would (likely) have arrived to the network before A.
There was a problem hiding this comment.
It occurs to me that today's excessively granular tiebreakers mean that short forks resolve themselves ASAP on mainnet. As of this change, the network instead won't resolve until someone creates a sole longest chain again (ie the actual Praos paper). I wonder if the community needs to be "warned" about short forks becoming "relatively long lasting" after this change?
There was a problem hiding this comment.
There's also a scenario in which case A was the poorly managed pool. Perhaps B didn't extend A because A was very late sending their block. The tiebreaker still works in that case, since B would (likely) have arrived to the network before A.
Good point, will expand this to make it clear that both A and B could be the culprit here.
It occurs to me that today's excessively granular tiebreakers mean that short forks resolve themselves ASAP on mainnet. As of this change, the network instead won't resolve until someone creates a sole longest chain again (ie the actual Praos paper). I wonder if the community needs to be "warned" about short forks becoming "relatively long lasting" after this change?
Yeah, that is an advantage of the current "deterministic"1/"consistent"2 tiebreaker. I think it makes sense to mention that in IntersectMBO/ouroboros-network#2913 when the HF approaches 👍
Footnotes
-
That's how it is called in this paper that the researchers referred us to when we talked about this; the high-level summary back then was that you get slightly better settlement bounds with a consistent tiebreaker. The paper only seems to prove a similar asymptotic bound under weaker conditions (Theorem 2 vs Theorem 1); but this is fully consistent that. ↩
...ensus-protocol/src/ouroboros-consensus-protocol/Ouroboros/Consensus/Protocol/Praos/Common.hs
Show resolved
Hide resolved
...ensus-protocol/src/ouroboros-consensus-protocol/Ouroboros/Consensus/Protocol/Praos/Common.hs
Outdated
Show resolved
Hide resolved
...ensus-protocol/src/ouroboros-consensus-protocol/Ouroboros/Consensus/Protocol/Praos/Common.hs
Outdated
Show resolved
Hide resolved
...ensus-protocol/src/ouroboros-consensus-protocol/Ouroboros/Consensus/Protocol/Praos/Common.hs
Outdated
Show resolved
Hide resolved
...ensus-protocol/src/ouroboros-consensus-protocol/Ouroboros/Consensus/Protocol/Praos/Common.hs
Outdated
Show resolved
Hide resolved
amesgen
force-pushed
the
amesgen/customize-prefer-candidate
branch
from
3a5edba
to
ea34993
Compare
amesgen
force-pushed
the
amesgen/customize-prefer-candidate
branch
from
ea34993
to
0796d29
Compare
amesgen
force-pushed
the
amesgen/customize-prefer-candidate
branch
from
c33c03e
to
f28b409
Compare
github-merge-queue bot
pushed a commit
that referenced
this pull request
May 3, 2024
Closes #939 The core idea is to keep a total order (via `Ord`) for `SelectView`, but allowing to customize the logic of `preferCandidate` (previously, it was always defined in terms of `Ord`, i.e. `preferCandidate ours cand = cand > ours`), such that it becomes possible to eg implement the restricted VRF tiebreaker (#524) this way, which is fundamentally intransitive. This is in contrast to #1046 (an alternative to this PR), where `preferCandidate` is not customizable, and we instead live with the fact the ordering might not be transitive, which techically would require replacing our calls to `sortBy` with eg a topological sorting algorithm, or just assume/test that `sortBy` still works "well enough" with non-transitive orders. Also see #1047 as a follow-up PR that leverages the new flexibility offered by this PR. This PR undoes some of the changes of IntersectMBO/ouroboros-network#2743 and IntersectMBO/ouroboros-network#2732 which were back then merged to increase simplicity/ease of exposition in the report, but it now turns out that the flexibility they removed is actually useful for us today.
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
df1d571
to
a1eecef
Compare
nfrisby
approved these changes
May 13, 2024
...ensus-protocol/src/ouroboros-consensus-protocol/Ouroboros/Consensus/Protocol/Praos/Common.hs
Show resolved
Hide resolved
ouroboros-consensus-protocol/test/protocol-test/Test/Consensus/Protocol/Praos/SelectView.hs
Show resolved
Hide resolved
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
a1eecef
to
f759bee
Compare
disassembler
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
f759bee
to
ff3d19d
Compare
disassembler
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
ff3d19d
to
235a96b
Compare
amesgen
force-pushed
the
amesgen/duncan-tiebreaker
branch
from
235a96b
to
55ea208
Compare
github-merge-queue bot
pushed a commit
that referenced
this pull request
May 13, 2024
Closes #1075 Beware that this PR has a fairly small $\dfrac{\text{severity}}{\text{subtlety}}$ ratio. ### Current non-transitivity of the chain order related to issue numbers Before this PR, the `Ord PraosChainSelectView` instance is defined as the lexicographic-ish[^lexicographic-ish] combination of the following comparisons in descending order: - Chain length, preferring longer chains. - If the issuer identity is the same, compare by the issue/opcert number, preferring higher values, otherwise, no preference. - VRF tiebreaker, preferring lower values. To see why it is not transitive, consider the following three `SelectView`s: | | a | b | c | | ------------ | - | - | - | | Chain length | l | l | l | | Issuer | x | y | x | | Issue no | 2 | o | 1 | | VRF | 3 | 2 | 1 | With the current chain order, we have - `a < b` and `b < c` due to the VRF tiebreaker, and - `c < a` due to the issue number tiebreaker (as `a` and `c` have the same issuer). So we have have `a < b < c < a < ...`. Note that due to `VRF a /= VRF c` and `Issuer a == Issuer c`, we must have `Slot a /= Slot c`, even though `ChainLength a == ChainLength b`. This is because VRFs are collision-resistant, and are a deterministic function of the slot, the (cold) issuer identity and the epoch nonce (which is itself determined by the slot for any given chain). However, this case is not important for the motivating scenario of the issue number tiebreaker, namely when an attacker got hold of the hot key (but not the cold key) of issuer `x`, and the attacked SPO, the owner of the cold key of `x`, creates a new hot key with an incremented issue number, where the issue number tiebreaker is now supposed to "establish precedence"[^precedence]. In this scenario, the attacker minted `c`, and the attacked SPO minted `a`; this is however unrealistic as due to `Slot a /= Slot c`, either party could have minted on top of the other block, superseding the tiebreaker due to having a longer chain. ### Restoring transitivity The natural fix is hence to require `Slot x == Slot y` in addition to `Issuer x == Issuer y` as the condition on whether to compare issue numbers when comparing `SelectView`s `x` and `y`. In the example above, we then have - `a < b` and `b < c` due to the VRF tiebreaker (unchanged), and - `a < c` also due to the VRF tiebreaker (new), as the issue number tiebreaker is not armed. Note that as already mentioned above, the condition `Slot x == Slot y && Issuer x == Issuer y` is equivalent to `VRF x == VRF y`. We could therefore use this condition in this PR, and even remove the issuer from `PraosChainSelectView`. As a historical note, a very similar chain order was in place in the past before the current non-transitivity was accidentally introduced as a side effect in IntersectMBO/ouroboros-network#2348. The approach of this PR is slightly different than (but morally the same as) the one suggested in #891; I think it is nice that the issue numbers are still compared "before" the VRFs in this approach as that matches the high-level intuition. --- Based on top of #1047 [^lexicographic-ish]: Usually, one only considers the lexicographic order constructed out of orders that are at least partial. However, the order "compare opcert numbers when the issuers are identical, otherwise, consider equal" on pairs of issuer identities and opcert numbers is not a partial order as it is non-transitive. Still, the same general principle applies. [^precedence]: See ["Design Specification for Delegation and Incentives in Cardano"](https://github.com/IntersectMBO/cardano-ledger/blob/master/README.md), Section 3.7.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #524
This is a revived version of IntersectMBO/ouroboros-network#3721
Based on top of #1063