The Crosslink Construction

We are now ready to give a description of a variant of Snap‑and‑Chat that takes into account the issues described in Notes on Snap‑and‑Chat, and that implements bounded dynamic availability. I call this the “Crosslink” construction. I will try to make the description relatively self-contained, but knowledge of the Snap‑and‑Chat construction from [NTT2020] (arXiv version) is assumed.

Conventions

“ $*$ ” is a metavariable for the name of a protocol. We also use it as a wildcard in protocol names of a particular type, for example “ $*$ bc” for the name of some best‑chain protocol.

Protocols are referred to as $Π_{*}$ for a name “ $*$ ”. Where it is useful to avoid ambiguity, when referring to a concept defined by $Π_{*}$ we prefix it with “ $*$ ‑”.

We do not take synchrony or partial synchrony as an implicit assumption of the communication model; that is, unless otherwise specified, messages between protocol participants can be arbitrarily delayed or dropped. A given message is received at most once, and messages are nonmalleably authenticated as originating from a given sender whenever needed by the applicable protocol. Particular subprotocols may require a stronger model.

Background

For an overview of communication models used to analyse distributed protocols, see this blog post by Ittai Abraham.

Discussion of incorrect applications of the GST formalization of partial synchrony to continuously operating protocols. (You’re doing it wrong!)

The original context for the definition of the partially synchronous model in [DLS1988] was for “one‑shot” Byzantine Agreement — called “the consensus problem” in that paper. The following argument is used to justify assuming that all messages from the Global Stabilization Time onward are delivered within the upper time bound $Δ$ :

Therefore, we impose an additional constraint: For each execution there is a global stabilization time (GST), unknown to the processors, such that the message system respects the upper bound $Δ$ from time GST onward.

This constraint might at first seem too strong: In realistic situations, the upper bound cannot reasonably be expected to hold forever after GST, but perhaps only for a limited time. However, any good solution to the consensus problem in this model would have an upper bound $L$ on the amount of time after GST required for consensus to be reached; in this case it is not really necessary that the bound $Δ$ hold forever after time GST, but only up to time GST $+ L$ . We find it technically convenient to avoid explicit mention of the interval length $L$ in the model, but will instead present the appropriate upper bounds on time for each of our algorithms.

Several subsequent authors applying the partially synchronous model to block chains appear to have forgotten this context. In particular, the argument depends on the protocol completing soon after GST. Obviously a block-chain protocol does not satisfy this assumption; it is not a “one‑shot” consensus problem.

This assumption could be removed, but some authors of papers about block-chain protocols have taken it to be an essential aspect of modelling partial synchrony. I believe this is contrary to the intent of [DLS1988]:

Instead of requiring that the consensus problem be solvable in the GST model, we might think of separating the correctness conditions into safety and termination properties. The safety conditions are that no two correct processors should ever reach disagreement, and that no correct processor should ever make a decision that is contrary to the specified validity conditions. The termination property is just that each correct processor should eventually make a decision. Then we might require an algorithm to satisfy the safety conditions no matter how asynchronously the message system behaves, that is, even if $Δ$ does not hold eventually. On the other hand, we might only require termination in case $Δ$ holds eventually. It is easy to see that these safety and termination conditions are [for the consensus problem] equivalent to our GST condition: If an algorithm solves the consensus problem when $Δ$ holds from time GST onward, then that algorithm cannot possibly violate a safety property even if the message system is completely asynchronous. This is because safety violations must occur at some finite point in time, and there would be some continuation of the violating execution in which $Δ$ eventually holds.

This argument is correct as stated, i.e. for the one-shot consensus problem. Subtly, essentially the same argument can be adapted to protocols with safety properties that need to be satisfied continuously. However, it cannot correctly be applied to liveness properties of non-terminating protocols. The authors (Cynthia Dwork, Nancy Lynch, and Larry Stockmeyer) would certainly have known this: notice how they carefully distinguish “the GST model” from “partial synchrony”. They cannot plausibly have intended this GST formalization to be applied unmodified to analyze liveness in such protocols, which seems to be common in the block-chain literature, including in the Ebb-and-Flow paper [NTT2020] and the Streamlet paper [CS2020]. (The latter does refer to “periods of synchrony” which indicates awareness of the issue, but then it uses the unmodified GST model in the proofs.)

This provides further motivation to avoid taking the GST formalization of partial synchrony as a basic assumption.

For simplicity, we assume that all events occur at global times in a total ordering. This assumption is not realistic in an asynchronous communication model, but it is not essential to the design or analysis and could be removed (essentially: replace times with events and use a partial happens-before ordering on events, in place of a total ordering on times).

A $*$ ‑execution is the complete set of events (message sends/receives and decisions by protocol participants) that occur in a particular run of $Π_{*}$ from its initiation up to a given time. A prefix of a $*$ ‑execution is also a $*$ ‑execution. Since executions always start from protocol initiation, a strict suffix of a $*$ ‑execution is not a $*$ ‑execution.

If $*$ maintains a (single) block chain, $O_{*}$ refers to the genesis block of a $*$ ‑chain.

Let $chain-txns (ch)$ be the sequence of transactions in the given chain $ch$ , starting from genesis.

For convenience we conflate $*$ ‑blocks with $*$ ‑chains; that is, we identify a chain with the block at its tip. This is justified because, assuming that the hash function used for parent links is collision-resistant, there can be only one $*$ ‑chain corresponding to a $*$ ‑block.

If $ch$ is a $*$ ‑chain, $ch ⌈_{*}^{σ}$ means $ch$ with the last $σ$ blocks pruned, except that if $σ \geq len (ch)$ , the result is the $*$ ‑chain consisting only of $O_{*}$ .

The block at depth $k \in N^{+}$ in a $*$ ‑chain $ch$ is defined to be the tip of $ch ⌈_{*}^{k}$ . Thus the block at depth $k$ in a chain is the last one that cannot be affected by a rollback of length $k$ .

Terminology note

Our usage of “depth” is different from [NTT2020], which uses “depth” to refer to what Bitcoin and Zcash call “height”. It also differs by $1$ from the convention for confirmation depths in zcashd, where the tip is considered to be at depth $1$ , rather than $0$ .

For $*$ ‑blocks $B$ and $C$ ,

the notation $B ⪯_{*} C$ means that the $*$ ‑chain with tip $B$ is a prefix of the one with tip $C$ . This includes the case $B = C$ .
the notation $B ⪯ ⪰_{*} C$ means that either $B ⪯_{*} C$ or $C ⪯_{*} B$ . That is, “one of $B$ and $C$ is a prefix of the other”.

We also use $log ⪯ log^{'}$ (without a subscript on $⪯$ ) to mean that the transaction ledger $log$ is a prefix of $log^{'}$ . Similarly to $⪯ ⪰_{*}$ above, $log ⪯ ⪰ log^{'}$ means that either $log ⪯ log^{'}$ or $log^{'} ⪯ log$ ; that is, “one of $log$ and $log^{'}$ is a prefix of the other”.

The notation $[f (X) for X ⪯_{*} Y]$ means the sequence of $f (X)$ for each $*$ ‑block $X$ in chain order from genesis up to and including $Y$ . ( $X$ is a bound variable within this construct.)

Subprotocols

As in Snap‑and‑Chat, we depend on a BFT protocol $Π_{origbft}$ , and a best‑chain protocol $Π_{origbc}$ .

Info

See this terminology note for why we do not call $Π_{origbc}$ a “longest‑chain” protocol.

We modify $Π_{origbft}$ (resp. $Π_{origbc}$ ) to give $Π_{bft}$ (resp. $Π_{bc}$ ) by adding structural elements, changing validity rules, and potentially changing the specified behaviour of honest nodes.

A Crosslink node must participate in both $Π_{bft}$ and $Π_{bc}$ ; that is, it must maintain a view of the state of each protocol. Acting in more specific roles such as bft‑proposer, bft‑validator, or bc‑block‑producer is optional, but we assume that all such actors are Crosslink nodes.

Model for BFT protocols (Π_{{origbft,bft}})

A player’s view in $Π_{* bft}$ includes a set of $*$ bft‑block chains each rooted at a fixed genesis $*$ bft‑block $O_{* bft}$ . There is a $*$ bft‑block‑validity rule (specified below), which depends only on the content of the block and its ancestors. A non‑genesis block can only be $*$ bft‑block‑valid if its parent is $*$ bft‑block‑valid. A $*$ bft‑valid‑chain is a chain of $*$ bft‑block‑valid blocks.

Execution proceeds in a sequence of epochs. In each epoch, an honest proposer for that epoch may make a $*$ bft‑proposal.

A $*$ bft‑proposal refers to a parent $*$ bft‑block, and specifies the proposal’s epoch. The content of a proposal is signed by the proposer using a strongly unforgeable signature scheme. We consider the proposal to include this signature. There is a $*$ bft‑proposal‑validity rule, depending only on the content of the proposal and its parent block, and the validity of the proposer’s signature.

Info

We will shorten “ $*$ bft‑block‑valid $*$ bft‑block” to “ $*$ bft‑valid‑block”, and “ $*$ bft‑proposal‑valid $*$ bft‑proposal” to “ $*$ bft‑valid‑proposal”.

For each epoch, there is a fixed number of voting units distributed between the players, which they use to vote for a $*$ bft‑proposal. We say that a voting unit has been cast for a $*$ bft‑proposal $P$ at a given time in a $*$ bft‑execution, if and only if $P$ is $*$ bft‑proposal‑valid and a ballot for $P$ authenticated by the holder of the voting unit exists at that time.

Using knowledge of ballots cast for a $*$ bft‑proposal $P$ that collectively satisfy a notarization rule at a given time in a $*$ bft‑execution, and only with such knowledge, it is possible to obtain a valid $*$ bft‑notarization‑proof $proof_{P}$ . The notarization rule must require at least a two‑thirds absolute supermajority of voting units in $P$ ’s epoch to have been cast for $P$ . It may also require other conditions.

A voting unit is cast non‑honestly for an epoch’s proposal iff:

it is cast other than by the holder of the unit (due to key compromise or any flaw in the voting protocol, for example); or
it is double‑cast (i.e. there are at least two ballots casting it for distinct proposals); or
the holder of the unit following the conditions for honest voting in $Π_{* bft}$ , according to its view, should not have cast that vote.

Definition: One‑third bound on non‑honest voting

An execution of $Π_{bft}$ has the one‑third bound on non‑honest voting property iff for every epoch, strictly fewer than one third of the total voting units for that epoch are ever cast non‑honestly.

Info

It may be the case that a ballot cast for $P$ is not in honest view when it is used to create a notarisation proof for $P$ . Since we are not assuming synchrony, it may also be the case that such a ballot is in honest view but that any given node has not received it (and perhaps will never receive it).

There may be multiple distinct ballots or distinct ballot messages attempting to cast a given voting unit for the same proposal; this is undesirable for bandwidth usage, but it is not necessary to consider it to be non‑honest behaviour for the purpose of security analysis, as long as such ballots are not double‑counted toward the two‑thirds threshold.

Security caveat

The one‑third bound on non‑honest voting property considers all ballots cast in the entire execution. In particular, it is possible that a validator’s key is compromised and then used to cast its voting units for a proposal of an epoch long finished. If the number of voting units cast non-honestly for any epoch ever reaches one third of the total voting units for that epoch during an execution, then the one‑third bound on non‑honest voting property is violated for that execution.

Therefore, validator keys of honest nodes must remain secret indefinitely. Whenever a key is rotated, the old key must be securely deleted. For further discussion and potential improvements, see tfl-book issue #140.

A $*$ bft‑block consists of $(P, proof_{P})$ re‑signed by the same proposer using a strongly unforgeable signature scheme. It is $*$ bft‑block‑valid iff:

$P$ is $*$ bft‑proposal‑valid; and
$proof_{P}$ is a valid proof that some subset of ballots cast for $P$ are sufficient to satisfy the notarization rule; and
the proposer’s outer signature on $(P, proof_{P})$ is valid.

A $*$ bft‑proposal’s parent reference hashes the entire parent $*$ bft‑block, i.e. proposal, proof, and outer signature.

Info

Neither $proof_{P}$ nor the proposer’s outer signature is unique for a given $P$ . The proposer’s outer signature is however third‑party nonmalleable, by definition of a strongly unforgeable signature scheme. An “honest $*$ bft‑proposal” is a $*$ bft‑proposal made for a given epoch by a proposer who is honest in that epoch. Such a proposer will only create one proposal and only sign at most once for each epoch, and so there will be at most one “honestly submitted” $*$ bft‑block for each epoch.

It is possible for there to be multiple $*$ bft‑valid‑blocks for the same proposal, with different notarization proofs and/or outer signatures, if the proposer is not honest. However, the property that there will be at most one “honestly submitted” $*$ bft‑block for each epoch is important for liveness, even though we cannot guarantee that any particular proposer for an epoch is honest. ==TODO check that we are correctly using this in the liveness analysis.==

There is an efficiently computable function $* bft ‑ last ‑ final :: * bft ‑ block \to * bft ‑ block \cup {⊥}$ . For a $*$ bft‑block‑valid input block $C$ , this function outputs the last ancestor of $C$ that is final in the context of $C$ .

Info

The chain of ancestors is unambiguously determined because a $*$ bft‑proposal’s parent reference hashes the entire parent $*$ bft‑block; each $*$ bft‑block commits to a proposal; and the parent hashes are collision-resistant. This holds despite the caveat mentioned above that there may be multiple $*$ bft‑valid‑blocks for the same proposal.

$* bft ‑ last ‑ final$ must satisfy all of the following:

$* bft-last-final (C) = ⊥ ⟺ C$ is not $*$ bft‑block‑valid.
If $C$ is $*$ bft‑block‑valid, then:
- $* bft-last-final (C) ⪯_{* bft} C$ (and therefore it must also be $*$ bft‑block‑valid);
- for all $*$ bft‑valid‑blocks $D$ such that $C ⪯_{* bft} D$ , $* bft-last-final (C) ⪯_{* bft} * bft-last-final (D)$ .
$* bft-last-final (O_{* bft}) = O_{* bft}$ .

Info

It is correct to talk about the “last final block” of a given chain (that is, each $*$ bft‑valid-block $C$ unambiguously determines a $*$ bft‑valid-block $* bft-last-final (C)$ ), but it is not correct to refer to a given $*$ bft‑block as objectively “ $*$ bft‑final”.

A particular BFT protocol might need adaptations to fit it into this model for $Π_{origbft}$ , before we apply the Crosslink modifications to obtain $Π_{bft}$ . Any such adaptions are necessarily protocol-specific. In particular,

origbft‑proposal‑validity should correspond to the strongest property of an origbft‑proposal that is objectively and feasibly verifiable from the content of the proposal and its parent origbft‑block at the time the proposal is made. It must include verification of the proposer’s signature.
origbft‑block‑validity should correspond to the strongest property of an origbft‑block that is objectively and feasibly verifiable from the content of the block and its ancestors at the time the block is added to an origbft‑chain. It should typically include all of the relevant checks from origbft‑proposal‑validity that apply to the created block (or equivalent checks). It must also include verification of the notarization proof and the proposer’s outer signature.
If a node observes an origbft‑valid block $C$ , then it should be infeasible for an adversary to cause a rollback in that node’s view past $origbft-last-final (C)$ , and the view of the chain up to $origbft-last-final (C)$ should agree with that of all other honest nodes. This is formalized in the next section.

Safety of $Π_{* bft}$

The intuition behind the following safety property is that:

For $Π_{* bft}$ to be safe, it should never be the case that two honest nodes observe (at any time) $*$ bft‑blocks $B$ and $B^{'}$ respectively that they each consider final in some context, but $B ⪯ ⪰_{* bft} B^{'}$ does not hold.
By definition, an honest node observes a $*$ bft‑block to be final in the context of another $*$ bft‑block $C$ , iff $B ⪯_{* bft} * bft-last-final (C)$ .

We say that a $*$ bft‑block is “in honest view” if a party observes it at some time at which that party is honest.

Definition: Final Agreement

An execution of $Π_{* bft}$ has Final Agreement iff for all $*$ bft‑valid blocks $C$ in honest view at time $t$ and $C^{'}$ in honest view at time $t^{'}$ , we have $* bft-last-final (C) ⪯ ⪰_{* bft} * bft-last-final (C^{'})$ .

Note that it is possible for this property to hold for an execution of a BFT protocol in an asynchronous communication model. The following caveat applies: if the one‑third bound on non‑honest voting property is ever broken at any time in an execution, then it may not be possible to maintain Final Agreement from that point on. This is an area of possible improvement in the design and analysis, left for future work.

Adapting the Streamlet BFT protocol.

Streamlet as described in [CS2020] has three possible states of a block in a player’s view:

“valid” (but not notarized or final);
“notarized” (but not final);
“final”.

By “valid” the Streamlet paper means just that it satisfies the structural property of being part of a block chain with parent hashes. The role of $*$ bft‑block‑validity in our model corresponds roughly to Streamlet’s “notarized”. It turns out that with some straightforward changes relative to Streamlet, we can identify “origbft‑block‑valid” with “notarized” and consider an origbft‑valid‑chain to only consist of notarized blocks. This is not obvious, but is a useful simplification.

Here is how the paper defines “notarized”:

When a block gains votes from at least $2 n /3$ distinct players, it becomes notarized. A chain is notarized if its constituent blocks are all notarized.

This implies that blocks can be added to chains independently of notarization. However, the paper also says that a leader always proposes a block extending from a notarized chain. Therefore, only notarized chains really matter in the protocol.

In unmodified Streamlet, the order in which a player sees signatures might cause it to view blocks as notarized out of order. Streamlet’s security analysis is in a synchronous model, and assumes for liveness that any vote will have been received by all players within two epochs.

In Crosslink, however, we need origbft‑block‑validity to be an objectively and feasibly verifiable property. We also would prefer reliable message delivery within bounded time not to be a basic assumption of our communication model. (This does not dictate what assumptions about message delivery are made for particular security analyses.) If we did not make a modification to the protocol to take this into account, then some Crosslink nodes might receive a two‑thirds absolute supermajority of voting messages and consider a BFT block to be notarized, while others might never receive enough of those messages.

Obviously a proposal cannot include signatures on itself — but the block formed from it can include proofs about the proposal and signatures. We can therefore say that when a proposal gains a two‑thirds absolute supermajority of signatures, a block is created from it that contains a proof (such as an aggregate signature) that it had such a supermajority. For example, we can have the proposer itself make this proof once it has enough votes, sign the resulting $(P, proof_{P})$ to create a block, then submit that block in a separate message. (The proposer has most incentive to do this in order to gain whatever reward attaches to a successful proposal; it can outsource the proving task if needed.) Then the origbft‑block‑validity rule can require a valid supermajority proof, which is objectively and feasibly verifiable. Players that see an origbft‑block‑valid block can immediately consider it notarized.

Note that for the liveness analysis to be unaffected, we need to assume that the combined latency of messages, of collecting and aggregating signatures, and of block submission is such that all players will receive a notarized block corresponding to a given proposal (rather than just all of the votes for the proposal) within two epochs. Alternatively we could re‑do the timing analysis.

With this change, “origbft‑block‑valid” and “notarized” do not need to be distinguished.

Streamlet’s finality rule is:

If in any notarized chain, there are three adjacent blocks with consecutive epoch numbers, the prefix of the chain up to the second of the three blocks is considered final. When a block becomes final, all of its prefix must be final too.

We can straightforwardly express this as an $origbft-last-final$ function of a context block $C$ , as required by the model:

For an origbft‑valid block $C$ , $origbft-last-final (C)$ is the last origbft‑valid block $B ⪯_{origbft} C$ such that either $B = O_{origbft}$ or $B$ is the second block of a group of three adjacent blocks with consecutive epoch numbers.

Note that “When a block becomes final, all of its prefix must be final too.” is implicit in the model.

Model for best-chain protocols (Π_{origbc,bc})

A node’s view in $Π_{* bc}$ includes a set of $*$ bc‑block chains each rooted at a fixed genesis $*$ bc‑block $O_{* bc}$ . There is a $*$ bc‑block‑validity rule (often described as a collection of “consensus rules”), depending only on the content of the block and its ancestors. A non‑genesis block can only be $*$ bc‑block‑valid if its parent is $*$ bc‑block‑valid. By “ $*$ bc‑valid‑chain” we mean a chain of $*$ bc‑block‑valid blocks.

The definition of $*$ bc‑block‑validity is such that it is hard for a block producer to extend a $*$ bc‑valid‑chain unless they are selected by a random process that chooses a block producer in proportion to their resources with an approximately known and consistent time distribution, subject to some assumption about the total proportion of resources held by honest nodes.

There is a function $score :: * bc ‑ valid ‑ chain \to Score$ , with $<$ a strict total ordering on $Score$ . An honest node will choose one of the $*$ bc‑valid‑chains with highest score as the $*$ bc‑best‑chain in its view. Any rule can be specified for breaking ties.

The $score$ function is required to satisfy $score (ch ⌈_{* bc}^{1}) < score (ch)$ for any non‑genesis $*$ bc‑valid‑chain $ch$ .

Info

For a Proof‑of‑Work protocol, the score of a $*$ bc‑chain should be its accumulated work.

Unless an adversary is able to censor knowledge of other chains from the node’s view, it should be difficult to cause the node to switch to a chain with a last common ancestor more than $σ$ blocks back from the tip of their previous $*$ bc‑best‑chain.

Following [NTT2020], we use the notation $ch_{i}^{t}$ for node $i$ ’s $*$ bc‑best‑chain at time $t$ .

A $*$ bc‑context allows testing whether a given transaction is contextually valid (“ $*$ bc‑context‑valid”), and adding it to the context if it is. Given a context $ctx$ , the resulting sequence of contextually valid transactions since genesis can be obtained as $context-txns (ctx)$ . It is possible to obtain a $*$ bc‑context corresponding to the state after the genesis $*$ bc‑block.

We assume that the only reasons for a transaction to be contextually invalid are that it double‑spends, or that an input is missing.

Why is this assumption needed?

It is needed for equivalence of the following two ways to construct $LOG_{{fin, bda}}$ :

Concatenate the transactions from each bft‑block snapshot of a bc‑chain, and sanitize the resulting transaction sequence by including each transaction iff it is contextually valid.
Concatenate the bc‑blocks from each bft‑block snapshot of a bc‑chain, remove duplicate blocks, and only then sanitize the resulting transaction sequence by including each transaction iff it is contextually valid.

We want these to be equivalent to enable a crucial optimization. In practice there will be many duplicate blocks from chain prefixes in the input to sanitization, and so a literal implementation of the first variant would have to recheck all duplicate transactions for contextual validity. That would have at least $O (n^{2})$ complexity (more likely $O (n^{2} lo g n)$ ) in the length $n$ of the block chain, because the length of each final snapshot grows with $n$ . But in the second variant, we can just concatenate suffixes of each snapshot omitting any bc‑blocks that are common to a previous snapshot.

Given that the only reasons for a transaction to be contextually invalid are double‑spends and missing inputs, the argument for equivalence is that:

If a transaction is omitted due to a double‑spend, then any subsequent time it is checked, that input will still have been double‑spent.
If a transaction is omitted due to a missing input, this can only be because an earlier transaction in the input to sanitization was omitted. So the structure of omitted transactions forms a DAG in which parent links must be to earlier omitted transactions. The roots of the DAG are at double-spending transactions, which cannot be reinstated (that is, included after they had previously been excluded). A child cannot be reinstated until its parents have been reinstated. Therefore, no transactions are reinstated.

It might be possible to relax this assumption, but it would require additional analysis to ensure that the above equivalence still holds.

A $*$ bc‑block logically contains a sequence of transactions. In addition to other rules, a block is only $*$ bc‑block‑valid if its transactions, taken in order, are all $*$ bc‑context‑valid given previous blocks and previous transactions in the block.

Detail of ‘logically contains’ for Zcash.

In Zcash, a block logically contains its transactions by having the block header commit to a Merkle tree over txids, and another Merkle tree (in the same transaction order) over witness hashes. A txid and witness hash together authenticate all data fields of a transaction.

For v5 transactions, the txid commits to effecting data (that determines the effect of the transaction) and the witness hash commits to witness data (signatures and proofs). For earlier transaction versions, the witness hash is null and the txid commits to all transaction data.

When a block is downloaded, its transactions are parsed and its header is checked against the transaction data. Assuming no bugs or errors in the design, this is effectively equivalent to the block data being directly authenticated by the header.

Is this model of contextual validity sufficient for Zcash?

There are several Zcash consensus rules that mention block height or position within a block, or that depend on other transactions in a block:

Transaction consensus rule:

A coinbase transaction for a non‑genesis block MUST have a script that, as its first item, encodes the block height [in a specified way].

In addition, a coinbase transaction is implicitly able to spend the total amount of fees of other transactions in the block.

Block consensus rule:

The first transaction in a block MUST be a coinbase transaction, and subsequent transactions MUST NOT be coinbase transactions.

Payment of Founders’ Reward:

[Pre‑Canopy] A coinbase transaction at $height \in {1.. FoundersRewardLastBlockHeight}$ MUST include at least one output that pays exactly $FoundersReward (height)$ zatoshi with [details of script omitted].

Payment of Funding Streams:

[Canopy onward] The coinbase transaction at block height $height$ MUST contain at least one output per funding stream $fs$ active at $height$ , that pays $fs.Value (height)$ zatoshi in the prescribed way to the stream’s recipient address [...]

However, none of these need to be treated as contextual validity rules.

The following transaction consensus rule must be modified:

A transaction MUST NOT spend a transparent output of a coinbase transaction from a block less than 100 blocks prior to the spend. Note that transparent outputs of coinbase transactions include Founders’ Reward outputs and transparent funding stream outputs.

To achieve the intent, it is sufficient to change this rule to only allow coinbase outputs to be spent if their coinbase transaction has been finalized.

If we assume that coinbase block subsidies and fees, and the position of coinbase transactions as the first transaction in each block have already been checked as $*$ bc‑block‑validity rules, then the model is sufficient.

A “coinbase transaction” is a $*$ bc‑transaction that only distributes newly issued funds and has no inputs.

Define $is-coinbase-only-block :: * bc-block \to boolean$ so that $is-coinbase-only-block (B) = true$ iff $B$ has exactly one transaction that is a coinbase transaction.

Each $*$ bc‑block is summarized by a $*$ bc‑header that commits to the block. There is a notion of $*$ bc‑header‑validity that is necessary, but not sufficient, for validity of the block. We will only make the distinction between $*$ bc‑headers and $*$ bc‑blocks when it is necessary to avoid ambiguity.

Header validity for Proof‑of‑Work protocols.

In a Proof‑of‑Work protocol, it is normally possible to check the Proof‑of‑Work of a block using only the header. There is a difficulty adjustment function that determines the target difficulty for a block based on its parent chain. So, checking that the correct difficulty target has been used relies on knowing that the header’s parent chain is valid.

Checking header validity before expending further resources on a purported block can be relevant to mitigating denial‑of‑service attacks that attempt to inflate validation cost.

Typically, Bitcoin‑derived best chain protocols do not need much adaptation to fit into this model. The model still omits some details that would be important to implementing Crosslink, but distracting for this level of abstraction.

Safety of $Π_{* bc}$

We make an assumption on executions of $Π_{origbc}$ that we will call Prefix Consistency (introduced in [PSS2016, section 3.3] as just “consistency”):

Definition: Prefix Consistency

An execution of $Π_{* bc}$ has Prefix Consistency at confirmation depth $σ$ , iff for all times $t \leq t^{'}$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $t^{'}$ , we have that $ch_{i}^{t} ⌈_{* bc}^{σ} ⪯_{* bc} ch_{j}^{t^{'}}$ .

Explain the confusion in the literature about what variants of this property are called.

The literature uses the same name, “common‑prefix property”, for two different properties of very different strength.

[PSS2016, section 3.3] introduced the stronger variant. That paper first describes the weaker variant, calling it the “common‑prefix property by Garay et al [GKL2015].” Then it explains what is essentially a bug in that variant, and describes the stronger variant which it just calls “consistency”:

The common‑prefix property by Garay et al [GKL2015], which was already considered and studied by Nakamoto [Nakamoto2008], requires that in any round $r$ , the record chains of any two honest players $i$ , $j$ agree on all, but potentially the last $T$ , records. We note that this property (even in combination with the other two desiderata [of Chain Growth and Chain Quality]) provides quite weak guarantees: even if any two honest parties perfectly agree on the chains, the chain could be completely different on, say, even rounds and odd rounds. We here consider a stronger notion of consistency which additionally stipulates players should be consistent with their “future selves”.

Let $consistent^{T} (view) = 1$ iff for all rounds $r \leq r^{'}$ , and all players $i$ , $j$ (potentially the same) such that $i$ is honest at $view^{r}$ and $j$ is honest at $view^{r^{'}}$ , we have that the prefixes of $C_{i}^{r} (view)$ and $C_{j}^{r^{'}} (view)$ consisting of the first $ℓ = ∣ C_{i}^{r} (view) ∣ - T$ records are identical.

Unfortunately, [GKL2020], which is a revised version of [GKL2015], switches to the stronger variant without changing the name. (The eprint version history may be useful; the change was made in version 20181013:200033, page 17.)

Note that [GKL2020] uses an adaptive‑corruption model, “meaning that the adversary is allowed to take control of parties on the fly”, and so their wording in Definition 3:

... for any pair of honest players $P_{1}$ , $P_{2}$ adopting the chains $C_{1}$ , $C_{2}$ at rounds $r_{1} \leq r_{2}$ in view $_{Π, A, Z}^{t, n}$ respectively, it holds that $C_{1}^{⌈ k} ⪯ C_{2}$ .

is intended to mean the same as our

... for all times $t \leq t^{'}$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $t^{'}$ , we have that $ch_{i}^{t} ⌈_{* bc}^{σ} ⪯_{* bc} ch_{j}^{t^{'}}$ .

(The latter is closer to [PSS2016].)

Incidentally, I cannot find any variant of this property in [Nakamoto2008]. Maybe implicitly, but it’s a stretch.

Discussion of [GKL2020]’s communication model and network partition.

Prefix Consistency implies that, in the relevant executions, the network of honest nodes is never partitioned — unless (roughly speaking) any partition lasts only for a short length of time relative to $σ$ block times. If node $i$ is on one side of a full partition and node $j$ on the other, then after node $i$ ’s best chain has been extended by more than $σ$ blocks, $ch_{i}^{t} ⌈_{* bc}^{σ}$ will contain information that has no way to get to node $j$ . And even if the partition is incomplete, we cannot guarantee that the Prefix Consistency property will hold for any given pair of nodes.

And yet, [GKL2020] claims to prove this property from other assumptions. So we know that those assumptions must also rule out a long partition between honest nodes. In fact the required assumption is implicit in the communication model:

A synchronous network cannot be partitioned.
A partially synchronous network —that is, providing reliable delivery with bounded but unknown delay— cannot be partitioned for longer than the delay.

We might be concerned that these implicit assumptions are stronger than we would like. In practice, the peer‑to‑peer network protocol of Bitcoin and Zcash attempts to flood blocks to all nodes. This protocol might have weaknesses, but it is not intended to (and plausibly does not) depend on all messages being received. (Incidentally, Streamlet also implicitly floods messages to all nodes.)

Also, Streamlet and many other BFT protocols do not assume for safety that the network is not partitioned. That is, BFT protocols can be safe in a fully asynchronous communication model with unreliable messaging. That is why we avoid taking synchrony or partial synchrony as an implicit assumption of the communication model, or else we could end up with a protocol with weaker safety properties than $Π_{origbft}$ alone.

This leaves the question of whether the Prefix Consistency property is still too strong, even if we do not rely on it for the analysis of safety when $Π_{bft}$ has not been subverted. In particular, if a particular node $h$ is not well-connected to the rest of the network, then that will inevitably affect node $h$ ’s security, but should not affect other honest nodes’ security.

Fortunately, it is not the case that disconnecting a single node $h$ from the network causes the security assumption to be voided. The solution is to view $h$ as not honest in that case (even though it would follow the protocol if it could). This achieves the desired effect within the model, because other nodes can no longer rely on $h$ ’s honest input. Although viewing $h$ as potentially adversarial might seem conservative from the point of view of other nodes, bear in mind that an adversary could censor an arbitrary subset of incoming and outgoing messages from the node, and this may be best modelled by considering it to be effectively controlled by the adversary.

Prefix Consistency compares the $σ$ -truncated chain of some node $i$ with the untruncated chain of node $j$ . For our analysis of safety of the derived ledgers, we will also need to make an assumption on executions of $Π_{origbc}$ that at any given time $t$ , any two honest nodes $i$ and $j$ agree on their confirmed prefixes — with only the caveat that one may have observed more of the chain than the other. That is:

Definition: Prefix Agreement

An execution of $Π_{* bc}$ has Prefix Agreement at confirmation depth $σ$ , iff for all times $t$ , $t^{'}$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $t^{'}$ , we have $ch_{i}^{t} ⌈_{* bc}^{σ} ⪯ ⪰_{* bc} ch_{j}^{t^{'}} ⌈_{* bc}^{σ}$ .

Why are this property, and Prefix Consistency above, stated as unconditional properties of protocol executions, rather than as probabilistic assumptions?

Our security arguments that depend on these properties will all be of the form “in an execution where (safety properties) are not violated, (undesirable thing) cannot happen”.

It is not necessary to involve probability in arguments of this form. Any probabilistic reasoning can be done separately.

In particular, if a statement of this form holds, and (safety properties) are violated with probability at most $p$ under certain conditions, then it immediately follows that under those conditions (undesirable thing) happens with probability at most $p$ . Furthermore, (undesirable thing) can only happen after (safety properties) have been violated, because the execution up to that point has been an execution in which (safety properties) are not violated.

With few exceptions, involving probability in a security argument is best done only to account for nondeterministic choices in the protocol itself. This is opinionated advice, but I think a lot of security proofs would be simpler if inherently probabilistic arguments were more distinctly separated from unconditional ones.

In the case of the Prefix Agreement property, an alternative approach would be to prove that Prefix Agreement holds with some probability given Prefix Consistency and some other chain properties. This is what [NTT2020] does in its Theorem 2, which essentially says that under certain conditions Prefix Agreement holds except with probability $e^{- Ω (σ)}$ .

The conclusions that can be obtained from this approach are necessarily probabilistic, and depending on the techniques used, the proof may not be tight; that is, the proof may obtain a bound on the probability of failure that is (either asymptotically or concretely) higher than needed. This is the case for [NTT2020, Theorem 2]; footnote 10 in that paper points out that the expression for the probability can be asymptotically improved:

Using the recursive bootstrapping argument developed in [DKT+2020, Section 4.2], it is possible to bring the error probability $e^{- Ω (σ)}$ as close to an exponential decay as possible. In this context, for any $ϵ > 0$ , it is possible to find constants $A_{ϵ}$ , $a_{ϵ}$ such that $Π_{lc} (p)$ is secure after C $(max (GST, GAT))$ with confirmation time $T_{confirm} = σ$ except with probability $A_{ϵ} e^{- a_{ϵ} σ^{1 - ϵ}}$ .

(Here $p$ is the probability that any given node gets to produce a block in any given time slot.)

In fact none of the proofs of security properties for Snap‑and‑Chat depend on the particular expression $e^{- Ω (σ)}$ ; for example in the proofs of Lemma 5 and Theorem 1, this probability just “passes through” the proof from the premisses to the conclusion, because the argument is not probabilistic. The same will be true of our safety arguments.

Talking about what is possible in particular executions has further advantages:

It sidesteps the issue of how to interpret results in the partially synchronous model, when we do not know what C $(max (GST, GAT))$ is. See also the critique of applying the partially synchronous model to block-chain protocols under “Discussion of [GKL2020]’s communication model and network partition” above.
We do not require $Π_{bc}$ to be a Nakamoto‑style Proof‑of‑Work block chain protocol. Some other kind of protocol could potentially satisfy Prefix Consistency and Prefix Agreement.
It is not clear whether a $e^{- Ω (σ)}$ probability of failure would be concretely adequate. That would depend on the value of $σ$ and the constant hidden by the $Ω$ notation. The asymptotic property using $Ω$ tells us whether a sufficiently large $σ$ could be chosen, but we are more interested in what needs to be assumed for a given concrete choice of $σ$ .
If a violation of a required safety property occurs in a given execution, then the safety argument for Crosslink that depended on the property fails for that execution, regardless of what the probability of that occurrence was. This approach therefore more precisely models the consequences of such violations.

Why, intuitively, should we believe that Prefix Agreement and Prefix Consistency for a large enough confirmation depth hold with high probability for executions of a PoW‑based best‑chain protocol?

Roughly speaking, the intuition behind both properties is as follows:

Honest nodes are collectively able to find blocks faster than an adversary, and communication between honest nodes is sufficiently reliable that they act as a combined network racing against that adversary. Then by the argument in [Nakamoto2008], modified by [GP2020] to correct an error in the concrete analysis, a private mining attack that attempts to cause a $σ$ ‑block rollback will, with high probability, fail for large enough $σ$ . A private mining attack is optimal by the argument in [DKT+2020].

Any further analysis of the conditions under which these properties hold should be done in the context of a particular $Π_{* bc}$ .

Why is the quantification over two different times t and t′?

This strengthens the security property, relative to quantifying over a single time. The question can then be split into several parts:

What does the strengthened property mean, intuitively? Consider the full tree of $*$ bc‑blocks seen by honest nodes at any times during the execution. This property holds iff, when we strip off all branches of length up to and including $σ$ blocks, the resulting tree is linear.
Why is the strengthening needed? Suppose that time were split into periods such that honest nodes agreed on one chain in odd periods, and a completely different chain in even periods. This would obviously not satisfy the intent, but it would satisfy a version of the property that did not quantify over different times $t$ and $t^{'}$ .
Why should we expect the strengthened property to hold? If node $j$ were far ahead, i.e. $t^{'} ≫ t$ , then it is obvious that $ch_{i}^{t} ⌈_{* bc}^{σ} ⪯_{* bc} ch_{j}^{t^{'}} ⌈_{* bc}^{σ}$ should hold. Conversely, if node $i$ were far ahead then it is obvious that $ch_{j}^{t^{'}} ⌈_{* bc}^{σ} ⪯_{* bc} ch_{i}^{t} ⌈_{* bc}^{σ}$ should hold. The case where $t = t^{'}$ is the same as quantifying over a single time. By considering intermediate cases where $t$ and $t^{'}$ converge from the extremes or where they diverge from being equal, you should be able to convince yourself that the property holds for any relative values of $t$ and $t^{'}$ , in executions of a reasonable best‑chain protocol.

Safety Mode

Let $LOG_{fin, i}^{t} :: [bc-transaction]$ be the finalized ledger seen by node $i$ at time $t$ , and let $LOG_{bda, i, μ}^{t} :: [bc-transaction]$ be the more-available ledger at bc‑confirmation‑depth $μ$ seen by node $i$ at time $t$ .

The following definition is rough and only intended to provide intuition.

Consider, at a point in time $t$ , the number of bc‑blocks of transactions that have entered $LOG_{bda, i, 0}^{t}$ but have not (yet) entered $LOG_{fin, i}^{t}$ . We call this the “finality gap” at time $t$ . Under an assumption about the distribution of bc‑block intervals, if this gap stays roughly constant then it corresponds to the approximate time that transactions added to $LOG_{bda, i, 0}$ have taken to enter $LOG_{fin, i}$ (if they do so at all) just prior to time $t$ .

As explained in detail by The Arguments for Bounded Dynamic Availability and Finality Overrides, if this bound exceeds a reasonable threshold then it likely signals an exceptional or emergency condition, in which it is undesirable to keep accepting user transactions that spend funds into $LOG_{bda, i, 0}$ .

The condition that the network enters in such cases will be called “Safety Mode”. For a given higher‑level transaction protocol, we can define a policy for which bc‑blocks will be accepted in Safety Mode. This will be modelled by a predicate $is-safety-block :: bc-block \to boolean$ . A bc‑block for which $is-safety-block$ returns $true$ is called a “safety block”.

Note that a bc‑block producer is only constrained to produce safety blocks while, roughly speaking, its view of the finalization point remains stalled. In particular an adversary that has subverted the BFT protocol in a way that does not keep it in a stalled state can always avoid being constrained by Safety Mode.

The desired properties of safety blocks and a possible Safety Mode policy for Zcash are discussed in the How to block hazards section of The Arguments for Bounded Dynamic Availability and Finality Overrides.

Parameters

Crosslink is parameterized by a bc‑confirmation‑depth $σ \in N^{+}$ (as in Snap‑and‑Chat), and also a finalization gap bound $L \in N^{+}$ with $L$ significantly greater than $σ$ .

Each node $i$ always uses the fixed confirmation depth $σ$ to obtain its view of the finalized ledger $LOG_{fin, i} :: [bc-transaction]$ .

Each node $i$ chooses a potentially different bc‑confirmation‑depth $μ \in N$ to obtain its view of the bounded‑dynamically‑available ledger $LOG_{bda, i, μ} :: [bc-transaction]$ . We will assume that $μ \leq σ$ , since there is no reason to choose $μ > σ$ . Choosing $μ < σ$ is at the node’s own risk and may increase the risk of rollback attacks against $LOG_{bda, i, μ}$ (it does not affect $LOG_{fin, i}$ ). The default should be $μ = σ$ .

Info

The definition of $LOG_{bda, i, μ}$ is also used internally to the protocol with $μ = 0$ .

Structural additions

Each bc‑header has, in addition to origbc‑header fields, a $context_bft$ field that commits to a bft‑block.
Each bft‑proposal has, in addition to origbft‑proposal fields, a $headers_bc$ field containing a sequence of exactly $σ$ bc‑headers (zero‑indexed, deepest first).
Each non‑genesis bft‑block has, in addition to origbft‑block fields, a $headers_bc$ field containing a sequence of exactly $σ$ bc‑headers (zero-indexed, deepest first). The genesis bft‑block has $headers_bc = \emptyset$ .
Each bc‑transaction has, in addition to origbc‑transaction fields, a $block_bc$ field labelling it with the bc‑block that it comes from. (This is not used directly by Crosslink but it may be needed to check $Π_{bc}$ consensus rules.)

For a bft‑block or bft‑proposal $B$ , define $snapshot (B) = {O_{bc}, B .headers_bc [0] ⌈_{bc}^{1}, if B .headers_bc = \emptyset otherwise.$

Use of the headers_bc field, and its relation to the ch field in Snap‑and‑Chat.

For a bft‑proposal or bft‑block $B$ , the role of the bc‑chain snapshot referenced by $B .headers_bc [0] ⌈_{bc}^{1}$ is comparable to the $Π_{lc}$ snapshot referenced by $B .ch$ in the Snap‑and‑Chat construction from [NTT2020]. The motivation for the additional headers is to demonstrate, to any party that sees a bft‑proposal (resp. bft‑block), that the snapshot had been confirmed when the proposal (resp. the block’s proposal) was made.

Typically, a node that is validating an honest bft‑proposal or bft‑block will have seen at least the snapshotted bc‑block (and possibly some of the subsequent bc‑blocks in the $header_bc$ chain) before. For this not to be the case, the validator’s bc‑best‑chain would have to be more than $σ$ bc‑blocks behind the honest proposer’s bc‑best‑chain at a given time, which would violate the Prefix Consistency property of $Π_{bc}$ .

If the headers do not connect to any bc‑valid‑chain known to the validator, then the validator should be suspicious that the proposer might not be honest. It can assign a lower priority to validating the proposal in this case, or simply drop it. The latter option could drop a valid proposal, but this does not in practice cause a problem as long as a sufficient number of validators are properly synced (so that Prefix Consistency holds for them).

If the headers do connect to a known bc‑valid‑chain, it could still be the case that the whole header chain up to and including $B .headers_bc [σ - 1]$ is not a bc‑valid‑chain. Therefore, to limit denial‑of‑service attacks the validator should first check the Proofs‑of‑Work and difficulty adjustment —which it can do locally using only the headers— before attempting to download and validate any bc‑blocks that it has not already seen. This is why we include the full headers rather than just the block hashes.

Why is a distinguished value needed for the headers_bc field in the genesis bft‑block?

It would be conceptually nice for $O_{bft} .headers [0] ⌈_{bc}^{1}$ to refer to $O_{bc}$ , as well as $O_{bc} .context_bft$ being $O_{bft}$ so that $bft-last-final (O_{bc} .context_bft) = O_{bft}$ . That reflects the fact that we know “from the start” that neither genesis block can be rolled back.

This is not literally implementable using block hashes because it would involve a hash cycle, but we achieve the same effect by defining a $snapshot$ function that allows us to “patch” $snapshot (O_{bft})$ to be $O_{bc}$ . We do it this way around rather than “patching” the link from a bc‑block to a bft‑block, because the genesis bft‑block already needs a special case since there are not $σ$ bc‑headers available.

Why is the context_bft field needed? Why not use a final_bft field to refer directly to the last final bft‑block before the context block?

The finality of some bft‑block is only defined in the context of another bft‑block. One possible design would be for a bc‑block to have both $final_bft$ and $context_bft$ fields, so that the finality of $final_bft$ could be checked objectively in the context of $context_bft$ .

However, specifying just the context block is sufficient information to determine its last final ancestor. There would never be any need to give a context block and a final ancestor that is not the last one. The $bft-last-final$ function can be computed efficiently for typical BFT protocols. Therefore, having just the $context_bft$ field is sufficient.

Π_bft changes from Π_origbft

Π_bft proposal and block validity

$O_{bft}$ is bft‑valid.

A bft‑proposal (resp. non‑genesis bft‑block) $B$ is bft‑proposal‑valid (resp. bft‑block‑valid) iff all of the following hold:

Inherited origbft rules: The corresponding origbft‑proposal‑validity (resp. origbft‑block‑validity) rules hold for $B$ .
Increasing Score rule: Either $score (snapshot (B ⌈_{bft}^{1})) < score (snapshot (B))$ or $snapshot (B ⌈_{bft}^{1}) = snapshot (B)$ .
Tail Confirmation rule: $B .headers_bc$ form the $σ$ ‑block tail of a bc‑valid‑chain.

The “corresponding validity rules” are assumed to include the Parent rule that $B$ ’s parent is bft‑valid.

Note: origbft‑block‑validity rules may be different to origbft‑proposal‑validity rules. For example, in adapted Streamlet, a origbft‑block needs evidence that it was voted for by a supermajority, and an origbft‑proposal doesn’t. Such differences also apply to bft‑block‑validity vs bft‑proposal‑validity.

What about making the bc‑block producer the bft‑proposer?

If this were enforced, it could be an alternative way of ensuring that every bft‑proposal snapshots a new bc‑block with a higher score than previous snapshots, potentially making the Increasing Score rule redundant. However, it would require merging bc‑block producers and bft‑proposers, which could have concerning knock‑on effects (such as concentrating security into fewer participants).

For a contrary view, see What about making the bc‑block‑producer the bft‑proposer? in Potential changes to Crosslink.

Why have validity rules been separated from the honest voting condition below?

The reason to separate the validity rules from the honest voting condition, is that the validity rules are objective: they don’t depend on an observer’s view of the bc‑best‑chain. Therefore, they can be checked independently of validator signatures. Even a proposal voted for by 100% of validators will not be considered bft‑proposal‑valid by other nodes unless it satisfies the above rules. If more than two thirds of voting units are cast for an invalid proposal, something is seriously and visibly wrong; in any case, the block will not be accepted as a valid bft‑block. Importantly, a purportedly valid bft‑block will not be recognized as such by any honest Crosslink node even if it includes a valid notarization proof, if it does not meet other bft‑block‑validity rules.

This is essential to making $LOG_{fin}$ safe against a flaw in $Π_{bft}$ or its security assumptions (even, say, a complete break of the validator signature algorithm), as long as $Π_{bc}$ remains safe.

What does the Increasing Score rule do?

This rule ensures that each snapshot in a bft‑valid‑chain is strictly “better” than the last distinct snapshot (and therefore any earlier distinct snapshot), according to the same metric used to choose the bc‑best‑chain.

This rule has several positive effects:

It prevents potential attacks that rely on proposing a bc‑valid‑chain that forks from a much earlier block. This is necessary because the difficulty (or stake threshold) at that point could have been much lower.
It limits the extent of disruption an adversary can feasibly cause to $LOG_{bda, i}$ , even if it has subverted $Π_{bft}$ . In particular, if transactions are inserted into $LOG_{bda, i}$ at the finalization point, this rule ensures that they can only come from a bc‑valid‑chain that has a higher score than the previous snapshot. And since the adversary must prove that its snapshot is confirmed, there must be at least $σ$ blocks’ worth of Proof‑of‑Work on top of that snapshot, at a difficulty close to the current network difficulty. Note that the adversary could take advantage of an “accidental” fork and start its attack from the base of that fork, so that not all of this work is done by it alone. This is also possible in the case of a standard “private mining” attack, and is not so much of a problem in practice because accidental forks are expected to be short. In any case, $σ$ should be chosen to take it into account.
A snapshot with a higher score than any previous snapshot cannot be a prefix of a previous snapshot (because score strictly increases within a bc‑valid‑chain). So, this excludes proposals that would be a no‑op for that reason.

The increase in score is intentionally always relative to the snapshot of the parent bft‑block, even if it is not final in the context of the current bft‑block. This is because the rule needs to hold if and when it becomes final in the context of some descendant bft‑block.

==PoS Desideratum: we want leader selection with good security / performance properties that will be relevant to this rule. (Suggested: PoSAT.)==

Why does the Increasing Score rule allow keeping the same snapshot as the parent?

This is necessary in order to preserve liveness of $Π_{bft}$ relative to $Π_{origbft}$ . Liveness of $Π_{origbft}$ might require honest proposers to make proposals at a minimum rate. That requirement could be consistently violated if it were not always possible to make a valid proposal. But given that it is allowed to repeat the same snapshot as in the parent bft‑block, neither the Increasing Score rule nor the Tail Confirmation rule can prevent making a valid proposal — and all other rules of $Π_{bft}$ affecting the ability to make valid proposals are the same as in $Π_{origbft}$ . (In principle, changes to voting in $Π_{bft}$ could also affect its liveness; we’ll discuss that in the liveness proof later.)

For example, Streamlet requires three notarized blocks in consecutive epochs in order to finalize a block [CS2020, section 1.1]. Its proof of liveness depends on the assumption that in each epoch for which the leader is honest, that leader will make a proposal, and that during a “period of synchrony” this proposal will be received by every node [CS2020, section 3.6]. This argument can also be extended to adapted‑Streamlet.

We could alternatively have allowed to always make a “null” proposal, rather than to always make a proposal with the same snapshot as the parent. We prefer the latter because the former would require specifying the rules for null proposals in $Π_{origbft}$ .

As a clarification, no BFT protocol that uses leader election can require a proposal in each epoch, because the leader might be dishonest. The above issue concerns liveness of the protocol when assumptions about the attacker’s share of bft‑validators or stake are met, so that it can be assumed that sufficiently long periods with enough honest leaders to make progress (5 consecutive epochs in the case of Streamlet), will occur with significant probability.

Why is it not allowed to switch between snapshots with the same score?

Consider the following variant of the Increasing Score rule: $score (snapshot (B ⌈_{bft}^{1})) \leq score (snapshot (B))$ .

This would allow keeping the same snapshot as the parent as discussed in the previous answer. However, it would also allow continually cycling within a given set of snapshots, without making progress and without needing any new Proof‑of‑Work to be performed. This is worse than not making progress due to the same snapshot continually being proposed, because it increases the number of snapshots that need to be considered for sanitization, and therefore it could potentially be used for a denial‑of‑service.

Π_bft block finality in context

The finality rule for bft‑blocks in a given context is unchanged from origbft‑finality. That is, $bft-last-final$ is defined in the same way as $origbft-last-final$ (modulo referring to bft‑block‑validity and $O_{bft}$ ).

Π_bft honest proposal

An honest proposer of a bft‑proposal $P$ chooses $P .headers_bc$ as the $σ$ ‑block tail of its bc‑best‑chain, provided that it is consistent with the Increasing Score rule. If it would not be consistent with that rule, it sets $P .headers_bc$ to the same $headers_bc$ field as $P$ ’s parent bft‑block. It does not make proposals until its bc‑best‑chain is at least $σ + 1$ blocks long.

Why σ + 1?

If the length were less than $σ + 1$ blocks, it would be impossible to construct the $headers_bc$ field of the proposal.

Note that when the length of the proposer’s bc‑best‑chain is exactly $σ + 1$ blocks, the snapshot must be of $O_{bc} .$ But this does not violate the Increasing Score rule, because $O_{bc}$ matches the previous snapshot by $O_{bft}$ .

How is it possible that the Increasing Score rule would not be satisfied by choosing headers from the proposer’s bc‑best‑chain?

Assume for this discussion that $Π_{bc}$ uses PoW.

Depending on the value of $σ$ , the timestamps of bc‑blocks, and the difficulty adjustment rule, it could be the case that the difficulty on the new bc‑best‑chain increases relative to the chain of the previous snapshot. In that case, when there is a fork, the new chain could reach a higher score than the previous chain in less than $σ$ blocks from the fork point, and so its $σ$ ‑confirmed snapshot could be before the previous snapshot.

(For Zcash’s difficulty adjustment algorithm, the difficulty of each block is adjusted based on the median timestamps and difficulty target thresholds over a range of $PoWAveragingWindow = 17$ blocks, where each median is taken over $PoWMedianBlockSpan = 11$ blocks. Other damping factors and clamps are applied in order to prevent instability and to reduce the influence that adversarially chosen timestamps can have on difficulty adjustment. This makes it unlikely that an adversary could gain a significant advantage by manipulating the difficulty adjustment.)

For a variation on the Increasing Score rule that would be automatically satisfied by choosing headers from the proposer’s bc‑best‑chain, see Potential changes to Crosslink.

Π_bft honest voting

An honest validator considering a proposal $P$ , first updates its view of both subprotocols with the bc‑headers given in $P .headers_bc$ , downloading bc‑blocks for these headers and checking their bc‑block‑validity.

For each downloaded bc‑block, the bft‑chain referenced by its $context_bft$ field might need to be validated if it has not been seen before.

Wait what, how much validation is that?

In general the entire referenced bft‑chain needs to be validated, not just the referenced block — and for each bft‑block, the bc‑chain in $headers_bc$ needs to be validated, and so on recursively. If this sounds overwhelming, note that:

We should check the requirement that a bft‑valid‑block must have been voted for by a two‑thirds absolute supermajority of validators, and any other non‑recursive bft‑validity rules, first.
Before validating a bc‑chain referenced by a $headers_bc$ field, we check that it connects to an already-validated bc‑chain and that the Proofs‑of‑Work are valid. This implies that the amount of bc‑block validation is constrained by how fast the network can find valid Proofs‑of‑Work.

In other words, the order of validation is important to avoid denial‑of‑service. But it already is in Bitcoin and Zcash.

After updating its view, the validator will vote for a proposal $P$ only if:

Valid proposal criterion: it is bft‑proposal‑valid, and
Confirmed best‑chain criterion: $snapshot (P)$ is part of the validator’s bc‑best‑chain at a bc‑confirmation‑depth of at least $σ$ .

Blocks in a bc‑best‑chain are by definition bc‑block‑valid. If we’re checking the Confirmed best‑chain criterion, why do we need to have separately checked that the blocks referenced by the headers are bc‑block‑valid?

The Confirmed best‑chain criterion is quite subtle. It ensures that $snapshot (P) = P .headers_bc [0] ⌈_{bc}^{1}$ is bc‑block‑valid and has $σ$ bc‑block‑valid blocks after it in the validator’s bc‑best‑chain. However, it need not be the case that $P .headers_bc [σ - 1]$ is part of the validator’s bc‑best‑chain after it updates its view. That is, the chain could fork after $snapshot (P)$ .

The bft‑proposal‑validity rule must be objective; it can’t depend on what the validator’s bc‑best‑chain is. The validator’s bc‑best‑chain may have been updated to $P .headers_bc [σ - 1]$ (if it has the highest score), but it also may not.

However, if the validator’s bc‑best‑chain was updated, that makes it more likely that it will be able to vote for the proposal.

In any case, if the validator does not check that all of the blocks referenced by the headers are bc‑block‑valid, then its vote may be invalid.

How does this compare to Snap‑and‑Chat?

Snap‑and‑Chat already had the voting condition:

An honest node only votes for a proposed BFT block $B$ if it views $B .ch$ as confirmed.

but it did not give the headers potentially needed to update the validator’s view, and it did not require a proposal to be for an objectively confirmed snapshot as a matter of validity.

If a Crosslink‑like protocol were to require an objectively confirmed snapshot but without including the bc‑headers in the proposal, then validators would not immediately know which bc‑blocks to download to check its validity. This would increase latency, and would be likely to lead proposers to be more conservative and only propose blocks that they think will already be in at least a two‑thirds absolute supermajority of validators’ best chains.

That is, showing $P .headers_bc$ to all of the validators is advantageous to the proposer, because the proposer does not have to guess what blocks the validators might have already seen. It is also advantageous for the protocol goals in general, because it improves the trade‑off between finalization latency and security.

Π_bc changes from Π_origbc

Definitions of LOG^t_fin,i and LOG^t_bda,i,μ

In Snap‑and‑Chat, a node $i$ at time $t$ obtains $LOG_{fin, i}^{t}$ from its latest view of bft‑finality.

In Crosslink, it obtains $LOG_{fin, i}^{t}$ from the view of bft‑finality given by $ch_{i}^{t} ⌈_{bc}^{σ}$ , i.e. the block at depth $σ$ in node $i$ ’s bc‑best‑chain at time $t$ .

Specifically, $san-ctx san-ctx (S) LF (H) fin fin (H) fin-ctx (H) bda-ctx (H, μ) LOG_{fin, i}^{t} LOG_{bda, i, μ}^{t} :: := := :: := := := := := [bc-chain] \to bc-context sanitize (concat ([chain-txns (C) for C in S])) bft-last-final (H .context_bft) bc-block \to [bc-chain] [snapshot (B) for B ⪯_{bft} LF (H ⌈_{bc}^{σ})] san-ctx (fin (H)) san-ctx (fin (H) ∣∣ [H ⌈_{bc}^{μ}]) context-txns (fin-ctx (ch_{i}^{t})) context-txns (bda-ctx (ch_{i}^{t}, μ))$

For the definitions that use it, $μ \in N$ is a confirmation depth.

Security caveat

Using small values of $μ$ is not recommended. $μ = 0$ is an allowed value only because it is used in the definition of contextual validity in the next section.

Sanitization is the same as in Snap‑and‑Chat: it does a left fold over an input sequence of transactions, adding each of them to a running bc‑context if they are bc‑context‑valid. The initial bc‑context for this fold corresponds to the state after the genesis bc‑block. This process can be optimized by immediately discarding duplicate bc‑blocks in the concatenated snapshot chains after their first occurrence.

Implementation advice

Memoize the $san-ctx$ function. If you see an input to $san-ctx$ that extends a previous input (either adding a new snapshot, or adding blocks to the last snapshot), compute the result incrementally from the previous result.

Theorem: Ledger prefix property

For all nodes $i$ , times $t$ , and confirmation depths $μ$ , $LOG_{fin, i} ⪯ LOG_{bda, i, μ}$ .

Proof: By construction of $LOG_{fin, i}$ and $LOG_{bda, i, μ}$ .

Π_bc contextual validity change

In Crosslink or Snap‑and‑Chat, contextual validity is used in three different cases:

a) sanitization of the constructed ledgers $LOG_{fin, i}$ and $LOG_{bda, i, μ}$ ;

b) checking whether a block is bc‑block‑valid in order to append it to a chain;

c) checking whether a transaction in the mempool could be included in a block.

Note that the model we presented earlier considers only adding a transaction to an origbc‑context. It is straightforward to apply this to the sanitization use case a), as described in the previous section. However, the other two use cases raise the question of which starting bc‑context to use.

We resolve this by saying that new blocks and mempool transactions are checked in the bc‑context obtained from $bda-ctx (H^{'}, 0)$ , where $H^{'}$ is the relevant parent bc‑block.

Π_bc block validity

Genesis rule: For the genesis bc‑block we must have $O_{bc} .context_bft = O_{bft}$ , and therefore $bft-last-final (O_{bc} .context_bft) = O_{bft}$ .

A bc‑block $H$ is bc‑block‑valid iff all of the following hold:

Inherited origbc rules: $H$ satisfies the corresponding origbc‑block‑validity rules.
Valid context rule: $H .context_bft$ is bft‑block‑valid.
Extension rule: $LF (H ⌈_{bc}^{1}) ⪯_{bft} LF (H)$ .
Finality depth rule: Define: $tailhead (H) := finality-depth (H) := last-common-ancestor (snapshot (LF (H ⌈_{bc}^{σ})), H) height (H) - height (tailhead (H))$ Then either $finality-depth (H) \leq L$ or $is-safety-block (H)$ .

Explain the definition of finality‑depth.

We need a way to measure how far ahead a given bc‑block is relative to the corresponding finalization point. $LOG_{fin, i}^{t}$ is a sequence of transactions, not blocks, so it is not entirely obvious how to do this.

Let $H = ch_{i}^{t}$ , i.e. the tip of node $i$ ’s bc‑best‑chain at time $t$ .

Then, $LF (H ⌈_{bc}^{σ})$ is the bft‑block providing the last $Π_{bc}$ snapshot that will be used to construct $LOG_{fin, i}^{t}$ . $tailhead (H)$ is the last common ancestor of that snapshot and $H$ .

The idea behind the above definition is that:

If $snapshot (LF (H ⌈_{bc}^{σ}))$ is an ancestor of $H$ , then it is equal to $tailhead (H)$ , and that is the last bc‑block that contributes to $LOG_{fin, i}^{t}$ . If the best chain were to continue from $H$ without a rollback, then the bc‑blocks to be finalized next would be the ones from $tailhead (H)$ to $H$ , and so the number of those blocks gives the finality depth.
Otherwise, $snapshot (LF (H ⌈_{bc}^{σ}))$ must be on a different fork, and the bc‑blocks to be finalized next would resume from the fork point toward $H$ — unless some of those blocks have already been included, as discussed below. $LOG_{fin, i}^{t}$ will definitely contain transactions from blocks up to $tailhead (H)$ , but usually not subsequent transactions on $H$ ’s fork. So it is still reasonable to measure the finality depth from $tailhead (H)$ to $H$ .

Strictly speaking, it is possible that a previous bft‑block took a snapshot $H^{'}$ that is between $tailhead (H)$ and $H$ . This can only happen if there have been at least two rollbacks longer than $σ$ blocks (i.e. we went more than $σ$ blocks down $H$ ’s fork from $tailhead (H)$ , then reorged to more than $σ$ blocks down the fork to $snapshot (LF (H ⌈_{bc}^{σ}))$ , then reorged again to $H$ ’s fork). In that case, the finalized ledger would already have the non‑conflicting transactions from blocks between $tailhead (H)$ and $H^{'}$ — and it could be argued that the correct definition of finality depth in such cases is the number of blocks from $H^{'}$ to $H$ , not from $tailhead (H)$ to $H$ .

However,

The definition above is simpler and easier to compute.
The effect of overestimating the finality depth in such corner cases would only cause us to enforce Safety Mode slightly sooner, which seems fine (and even desirable) in any situation where there have been at least two rollbacks longer than $σ$ blocks.

By the way, the “tailhead” of a tailed animal is the area where the posterior of the tail joins the rump (also called the “dock” in some animals).

Π_bc honest block production

An honest producer of a bc‑block $H$ must follow the consensus rules under $Π_{bc}$ block validity above. In particular, it must produce a safety block if required to do so by the Finality depth rule. It also must only include transactions that are valid in the context specified under $Π_{bc}$ contextual validity change above.

To choose $H .context_bft$ , the producer considers a subset of the tips of bft‑valid‑chains in its view: ${T : T is bft‑block‑valid and LF (H ⌈_{bc}^{1}) ⪯_{bft} bft-last-final (T)}$ It chooses one of the longest of these chains, $C$ , breaking ties by maximizing $score (snapshot (bft-last-final (C)))$ . If there is still a tie then it is broken arbitrarily.

The honest block producer then sets $H .context_bft := C$ .

Why not choose T such that H ⌈¹_bc . context_bft ⪯_bft bft‑last‑final(T )?

The effect of this would be to tend to more often follow the last bft‑block seen by the producer of the parent bc‑block, if there is a choice. It is not always possible to do so, though: the resulting set of candidates for $C$ might be empty.

Also, it is not clear that giving the parent bc‑block‑producer the chance to “guide” what bft‑block should be chosen next is beneficial, since that producer might be adversarial and the resulting incentives are difficult to reason about.

Why choose the longest C, rather than the longest bft‑last‑final(C )?

We could have instead chosen $C$ to maximize the length of $bft-last-final (C)$ . The rule we chose follows Streamlet, which builds on the longest notarized chain, not the longest finalized chain. This may call for more analysis specific to the chosen BFT protocol.

Why this tie‑breaking rule?

Choosing the bft‑chain that has the last final snapshot with the highest score, tends to inhibit an adversary’s ability to finalize its own chain if it has a lesser score. (If it has a greater score, then it has already won a hash race and we cannot stop the adversary chain from being finalized.)

If we switch to using the Increasing Tip Score rule, then it would be more consistent to also change this tie‑breaking rule to use the tip score, i.e. $score (tip (bft-last-final (C)))$ .

At this point we have completed the definition of Crosslink. In Security Analysis of Crosslink, we will prove it secure.

Zcash Trailing Finality Layer - v0.1.0