The Crosslink 2 Construction

We are now ready to give a description of a protocol that takes into account the issues described in Notes on Snap‑and‑Chat, and that implements bounded availability. We call this the “Crosslink” construction; more precisely the version described here is “Crosslink 2”.

This description will attempt to be self-contained, but [NTT2020] (arXiv version) is useful background on the general model of Ebb-and-Flow protocols.

Conventions

“ $*$ ” is a metavariable for the name of a protocol. We also use it as a wildcard in protocol names of a particular type, for example “ $*$ bc” for the name of some best‑chain protocol.

Protocols are referred to as $Π_{*}$ for a name “ $*$ ”. Where it is useful to avoid ambiguity, when referring to a concept defined by $Π_{*}$ we prefix it with “ $*$ ‑”.

We do not take synchrony or partial synchrony as an implicit assumption of the communication model; that is, unless otherwise specified, messages between protocol participants can be arbitrarily delayed or dropped. A given message is received at most once, and messages are nonmalleably authenticated as originating from a given sender whenever needed by the applicable protocol. Particular subprotocols may require a stronger model.

Background

For an overview of communication models used to analyze distributed protocols, see this blog post by Ittai Abraham.

Discussion of incorrect applications of the GST formalization of partial synchrony to continuously operating protocols.

The original context for the definition of the partially synchronous model in [DLS1988] was for “one‑shot” Byzantine Agreement — called “the consensus problem” in that paper. The following argument is used to justify assuming that all messages from the Global Stabilization Time onward are delivered within the upper time bound $Δ$ :

Therefore, we impose an additional constraint: For each execution there is a global stabilization time (GST), unknown to the processors, such that the message system respects the upper bound $Δ$ from time GST onward.

This constraint might at first seem too strong: In realistic situations, the upper bound cannot reasonably be expected to hold forever after GST, but perhaps only for a limited time. However, any good solution to the consensus problem in this model would have an upper bound $L$ on the amount of time after GST required for consensus to be reached; in this case it is not really necessary that the bound $Δ$ hold forever after time GST, but only up to time GST $+ L$ . We find it technically convenient to avoid explicit mention of the interval length $L$ in the model, but will instead present the appropriate upper bounds on time for each of our algorithms.

Several subsequent authors applying the partially synchronous model to block chains appear to have forgotten or neglected this context. In particular, the argument depends on the protocol completing soon after GST. Obviously a block‑chain protocol does not satisfy this assumption; it is not a “one‑shot” consensus problem.

This assumption could be removed, but some authors of papers about block‑chain protocols have taken it to be an essential aspect of modelling partial synchrony. I believe this is contrary to the intent of [DLS1988]:

Instead of requiring that the consensus problem be solvable in the GST model, we might think of separating the correctness conditions into safety and termination properties. The safety conditions are that no two correct processors should ever reach disagreement, and that no correct processor should ever make a decision that is contrary to the specified validity conditions. The termination property is just that each correct processor should eventually make a decision. Then we might require an algorithm to satisfy the safety conditions no matter how asynchronously the message system behaves, that is, even if $Δ$ does not hold eventually. On the other hand, we might only require termination in case $Δ$ holds eventually. It is easy to see that these safety and termination conditions are [for the consensus problem] equivalent to our GST condition: If an algorithm solves the consensus problem when $Δ$ holds from time GST onward, then that algorithm cannot possibly violate a safety property even if the message system is completely asynchronous. This is because safety violations must occur at some finite point in time, and there would be some continuation of the violating execution in which $Δ$ eventually holds.

This argument is correct as stated, i.e. for the one‑shot consensus problem. Subtly, essentially the same argument can be adapted to protocols with safety properties that need to be satisfied continuously. However, it cannot correctly be applied to liveness properties of non‑terminating protocols. The authors (Cynthia Dwork, Nancy Lynch, and Larry Stockmeyer) would certainly have known this: notice how they carefully distinguish “the GST model” from “partial synchrony”. They cannot plausibly have intended this GST formalization to be applied unmodified to analyze liveness in such protocols, which seems to be common in the block‑chain literature, including in the Ebb-and-Flow paper [NTT2020] and the Streamlet paper [CS2020].

The Ebb-and-Flow paper acknowledges the issue by saying “Although in reality, multiple such periods of (a‑)synchrony could alternate, we follow the long‑standing practice in the BFT literature and study only a single such transition.” This is not adequate: “long‑standing practice” notwithstanding, it is not valid in general to infer that properties holding for the first transition to synchrony also apply to subsequent transitions (where the protocol can be in states that would not occur initially), and it is plausible that this inference could fail for real protocols. The Streamlet paper also refers to “periods of synchrony” which indicates awareness of the issue, but then it uses the unmodified GST model in the proofs.

Informally, to solve this issue it is necessary to also prove that existing progress is maintained during periods of asynchrony, and that during such periods the protocol remains in states where it will be able to take advantage of a future period of synchrony to make further progress.

This provides further motivation to avoid taking the GST formalization of partial synchrony as a basic assumption.

Note that the recent result [CGSW2024] does not contradict anything we say here. Although the GST and Unknown Latency models are “equally demanding” in the sense of existence of protocols that satisfy a given goal, this result does not show that the models are equivalent for any specific protocol. In particular the requirements of the “clock‑slowing” technique fail in practice for any protocol involving Proof‑of‑Work.

A $*$ ‑execution is the complete set of events (message sends/receives and decisions by protocol participants) that occur in a particular run of $Π_{*}$ from its initiation up to a given time. A prefix of a $*$ ‑execution is also a $*$ ‑execution. Since executions always start from protocol initiation, a strict suffix of a $*$ ‑execution is not a $*$ ‑execution.

Times are modelled as values of a totally ordered type $Time$ with minimum value $0$ . For convenience, we consider all protocol executions to start at time $0$ .

Remark

Although protocols may be nondeterministic, an execution fixes the events that occur and times at which they occur, for the purpose of modeling.

For simplicity, we assume that all events occur at global times in a total ordering. This assumption is not realistic in an asynchronous communication model, but it is not essential to the design or analysis and could be removed: we could use a partial happens-before ordering on events in place of a total ordering on times.

A “ $*$ ‑node” is a participant in $Π_{*}$ (the protocol may be implicit). A $*$ ‑node is “honest at time $t$ ” in a given execution iff it has followed the protocol up to and including time $t$ in that execution.

A time series on type $U$ is a function $S ⦂ Time \to U$ assigning a value of $U$ to each time in an execution. By convention, we will write the time $t$ as a superscript: $S^{t} = S (t)$ .

A $*$ ‑chain is a nonempty sequence of $*$ ‑blocks, starting at the “genesis block” $O_{*}$ , in which each subsequent block refers to its preceding or “parent block” by a collision‑resistant hash. The “tip” of a $*$ ‑chain is its last element.

For convenience, we conflate $*$ ‑blocks with $*$ ‑chains; that is, we identify a chain with the block at its tip. This is justified because, assuming that the hash function used for parent links is collision‑resistant, there is exactly one $*$ ‑chain corresponding to a $*$ ‑block; and conversely there is exactly one $*$ ‑block at the tip of a $*$ ‑chain.

If $C$ is a $*$ ‑chain, $C ⌈_{*}^{k}$ means $C$ with the last $k$ blocks pruned, except that if $len (C) \leq k$ , the result is the genesis $*$ ‑chain consisting only of $O_{*}$ .

The block at depth $k \in N$ in a $*$ ‑chain $C$ is defined to be the tip of $C ⌈_{*}^{k}$ . Thus the block at depth $k$ in a chain is the last one that cannot be affected by a rollback of length $k$ (this also applies when $len (C) \leq k$ because the genesis $*$ ‑chain cannot roll back).

Terminology

Our usage of “depth” is different from [NTT2020], which uses “depth” to refer to what Bitcoin and Zcash call “height”. It also differs by $1$ from the convention for confirmation depths in zcashd, where the tip is considered to be at depth $1$ , rather than $0$ .

For $*$ ‑blocks $B$ and $C$ :

The notation $B ⪯_{*} C$ means that the $*$ ‑chain with tip $B$ is a prefix of the one with tip $C$ . This includes the case $B = C$ .
The notation $B ⪯ ⪰_{*} C$ means that either $B ⪯_{*} C$ or $C ⪯_{*} B$ . That is, “one of $B$ and $C$ is a prefix of the other”. This also includes the case $B = C$ .
The notation $B / ⪯ ⪰_{*} C$ means that both $B \neq ⪯_{*} C$ and $C \neq ⪯_{*} B$ . That is, “neither of $B$ and $C$ is a prefix of the other”.

A function $S ⦂ I \to * -block$ is $*$ ‑linear iff for every $t, u ⦂ I$ where $t \leq u$ we have $S (t) ⪯_{*} S (u)$ . (This definition can be applied to time series where $I = Time$ , or to sequences of $*$ ‑blocks where values of $I$ are indices.)

Lemma: Linear prefix

If $A ⪯_{*} C$ and $B ⪯_{*} C$ then $A ⪯ ⪰_{*} B$ .

Proof: The chain of ancestors of $C$ is $*$ -linear, and $A$ , $B$ are both on that chain.

The notation $[f (X) for X ⪯_{*} Y]$ means the sequence of $f (X)$ for each $*$ ‑block $X$ in chain order from genesis up to and including $Y$ . ( $X$ is a bound variable within this construct.)

$TODO:$ remove this if not used:

We use $log ⪯ log^{'}$ (without a subscript on $⪯$ ) to mean that the transaction ledger $log$ is a prefix of $log^{'}$ . Similarly to $⪯ ⪰_{*}$ above, $log ⪯ ⪰ log^{'}$ means that either $log ⪯ log^{'}$ or $log^{'} ⪯ log$ ; that is, “one of $log$ and $log^{'}$ is a prefix of the other”.

Views

In the simplest case, a block‑chain protocol $Π_{*}$ provides a single “view” that, for a given $*$ ‑execution, provides each $*$ ‑node with a time series on $*$ ‑chains. More generally a protocol may define several “views” that provide each $*$ ‑node with time series on potentially different chain types.

We model a $*$ ‑view as a function $V ⦂ Node \times Time \to * -chain$ . By convention, we will write the node index $i$ as a subscript and the time $t$ as a superscript: $V_{i}^{t} = V (i, t)$ .

Definition: Agreement on a view

An execution of $Π$ has Agreement on the view $V ⦂ Node \times Time \to * -chain$ iff for all times $t$ , $u$ and all $Π$ nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $u$ , we have $V_{i}^{t} ⪯ ⪰_{*} V_{j}^{u}$ .

Subprotocols

As in Snap‑and‑Chat, we depend on a BFT protocol $Π_{origbft}$ , and a best‑chain protocol $Π_{origbc}$ .

Info

See this terminology note for why we do not call $Π_{origbc}$ a “longest‑chain” protocol.

We modify $Π_{origbft}$ (resp. $Π_{origbc}$ ) to give $Π_{bft}$ (resp. $Π_{bc}$ ) by adding structural elements, changing validity rules, and changing the specified behaviour of honest nodes.

A Crosslink 2 node must participate in both $Π_{bft}$ and $Π_{bc}$ ; that is, it must maintain a view of the state of each protocol. Acting in more specific roles such as bft‑proposer, bft‑validator, or bc‑block‑producer is optional, but we assume that all such actors are Crosslink 2 nodes.

Model for BFT protocols (Π_{{origbft,bft}})

A $*$ bft‑node’s view includes a set of $*$ bft‑block chains each rooted at a fixed genesis $*$ bft‑block $O_{* bft}$ . There is a $*$ bft‑block‑validity rule (specified below), which depends only on the content of the block and its ancestors. A non‑genesis block can only be $*$ bft‑block‑valid if its parent is $*$ bft‑block‑valid. A $*$ bft‑valid‑chain is a chain of $*$ bft‑block‑valid blocks.

Execution proceeds in a sequence of epochs. In each epoch, an honest proposer for that epoch may make a $*$ bft‑proposal.

A $*$ bft‑proposal refers to a parent $*$ bft‑block, and specifies the proposal’s epoch. The content of a proposal is signed by the proposer using a strongly unforgeable signature scheme. We consider the proposal to include this signature. There is a $*$ bft‑proposal‑validity rule, depending only on the content of the proposal and its parent block, and the validity of the proposer’s signature.

We extend the $⌈^{k}$ notation to $*$ bft‑proposals in the obvious way: if $k \geq 1$ , $P$ is a $*$ bft‑proposal and $B$ its parent $*$ bft‑block, then $P ⌈_{* bft}^{k} := B ⌈_{* bft}^{k - 1}$ .

Terminology

We will shorten “ $*$ bft‑block‑valid $*$ bft‑block” to “ $*$ bft‑valid‑block”, and “ $*$ bft‑proposal‑valid $*$ bft‑proposal” to “ $*$ bft‑valid‑proposal”.

For each epoch, there is a fixed number of voting units distributed between the $*$ bft‑nodes, which they use to vote for a $*$ bft‑proposal. We say that a voting unit has been cast for a $*$ bft‑proposal $P$ at a given time in a $*$ bft‑execution, if and only if $P$ is $*$ bft‑proposal‑valid and a ballot for $P$ authenticated by the holder of the voting unit exists at that time.

Using knowledge of ballots cast for a $*$ bft‑proposal $P$ that collectively satisfy a notarization rule at a given time in a $*$ bft‑execution, and only with such knowledge, it is possible to obtain a valid $*$ bft‑notarization‑proof $proof_{P}$ . The notarization rule must require at least a two‑thirds absolute supermajority of voting units in $P$ ’s epoch to have been cast for $P$ . It may also require other conditions.

A voting unit is cast non‑honestly for an epoch’s proposal iff:

it is cast other than by the holder of the unit (due to key compromise or any flaw in the voting protocol, for example); or
it is double‑cast (i.e. there are at least two ballots casting it for distinct proposals); or
the holder of the unit following the conditions for honest voting in $Π_{* bft}$ , according to its view, should not have cast that vote.

Note that a unit should be considered to be cast non-honestly in the case of key compromise, because it is then effectively under the control of an adversary. The key compromise may or may not be attributable to another flaw in the protocol, but such a flaw would not be a break of the consensus mechanism per se.

Definition: One‑third bound on non‑honest voting

An execution of $Π_{bft}$ has the one‑third bound on non‑honest voting property iff for every epoch, strictly fewer than one third of the total voting units for that epoch are ever cast non‑honestly.

Info

It may be the case that a ballot cast for $P$ is not in honest view when it is used to create a notarization proof for $P$ . Since we are not assuming synchrony, it may also be the case that such a ballot is in honest view but that any given node has not received it (and perhaps will never receive it).

There may be multiple distinct ballots or distinct ballot messages attempting to cast a given voting unit for the same proposal; this is undesirable for bandwidth usage, but it is not necessary to consider it to be non‑honest behaviour for the purpose of security analysis, as long as such ballots are not double‑counted toward the two‑thirds threshold.

Security caveat

The one‑third bound on non‑honest voting property considers all ballots cast in the entire execution. In particular, it is possible that a validator’s key is compromised and then used to cast its voting units for a proposal of an epoch long finished. If the number of voting units cast non-honestly for any epoch ever reaches one third of the total voting units for that epoch during an execution, then the one‑third bound on non‑honest voting property is violated for that execution.

Therefore, validator keys of honest nodes must remain secret indefinitely. Whenever a key is rotated, the old key must be securely deleted. For further discussion and potential improvements, see tfl-book issue #140.

A $*$ bft‑block consists of $(P, proof_{P})$ re‑signed by the same proposer using a strongly unforgeable signature scheme. It is $*$ bft‑block‑valid iff:

$P$ is $*$ bft‑proposal‑valid; and
$proof_{P}$ is a valid proof that some subset of ballots cast for $P$ are sufficient to satisfy the notarization rule; and
the proposer’s outer signature on $(P, proof_{P})$ is valid.

A $*$ bft‑proposal’s parent reference hashes the entire parent $*$ bft‑block, i.e. proposal, proof, and outer signature.

Info

Neither $proof_{P}$ nor the proposer’s outer signature is unique for a given $P$ . The proposer’s outer signature is however third‑party nonmalleable, by definition of a strongly unforgeable signature scheme. An “honest $*$ bft‑proposal” is a $*$ bft‑proposal made for a given epoch by a proposer who is honest in that epoch. Such a proposer will only create one proposal and only sign at most once for each epoch, and so there will be at most one “honestly submitted” $*$ bft‑block for each epoch.

It is possible for there to be multiple $*$ bft‑valid‑blocks for the same proposal, with different notarization proofs and/or outer signatures, if the proposer is not honest. However, the property that there will be at most one “honestly submitted” $*$ bft‑block for each epoch is important for liveness, even though we cannot guarantee that any particular proposer for an epoch is honest.

$TODO:$ check that we are correctly using this in the liveness analysis.

There is an efficiently computable function $* bft-last-final ⦂ * bft-block \to * bft-block \cup {⊥}$ . For a $*$ bft‑block‑valid input block $C$ , this function outputs the last ancestor of $C$ that is final in the context of $C$ .

Info

The chain of ancestors is unambiguously determined because a $*$ bft‑proposal’s parent reference hashes the entire parent $*$ bft‑block; each $*$ bft‑block commits to a proposal; and the parent hashes are collision‑resistant. This holds despite the caveat mentioned above that there may be multiple $*$ bft‑valid‑blocks for the same proposal.

$* bft-last-final$ must satisfy all of the following:

$* bft-last-final (C) = ⊥ ⟺ C$ is not $*$ bft‑block‑valid.
If $C$ is $*$ bft‑block‑valid, then:
- $* bft-last-final (C) ⪯_{* bft} C$ (and therefore it must also be $*$ bft‑block‑valid);
- for all $*$ bft‑valid‑blocks $D$ such that $C ⪯_{* bft} D$ , $* bft-last-final (C) ⪯_{* bft} * bft-last-final (D)$ .
$* bft-last-final (O_{* bft}) = O_{* bft}$ .

Info

It is correct to talk about the “last final block” of a given chain (that is, each $*$ bft‑valid-block $C$ unambiguously determines a $*$ bft‑valid-block $* bft-last-final (C)$ ), but it is not correct to refer to a given $*$ bft‑block as objectively “ $*$ bft‑final”.

A particular BFT protocol might need adaptations to fit it into this model for $Π_{origbft}$ , before we apply the Crosslink 2 modifications to obtain $Π_{bft}$ . Any such adaptions are necessarily protocol-specific. In particular:

origbft‑proposal‑validity should correspond to the strongest property of an origbft‑proposal that is objectively and feasibly verifiable from the content of the proposal and its parent origbft‑block at the time the proposal is made. It must include verification of the proposer’s signature.
origbft‑block‑validity should correspond to the strongest property of an origbft‑block that is objectively and feasibly verifiable from the content of the block and its ancestors at the time the block is added to an origbft‑chain. It should typically include all of the relevant checks from origbft‑proposal‑validity that apply to the created block (or equivalent checks). It must also include verification of the notarization proof and the proposer’s outer signature.
If a node observes an origbft‑valid block $C$ , then it should be infeasible for an adversary to cause a rollback in that node’s view past $origbft-last-final (C)$ , and the view of the chain up to $origbft-last-final (C)$ should agree with that of all other honest nodes. This is formalized in the next section.

Safety of $Π_{* bft}$

The intuition behind the following safety property is that:

For $Π_{* bft}$ to be safe, it should never be the case that two honest nodes observe (at any time) $*$ bft‑blocks $B$ and $B^{'}$ respectively that they each consider final in some context, but $B ⪯ ⪰_{* bft} B^{'}$ does not hold.
By definition, an honest node observes a $*$ bft‑block to be final in the context of another $*$ bft‑block $C$ , iff $B ⪯_{* bft} * bft-last-final (C)$ .

We say that a $*$ bft‑block is “in honest view” if a party observes it at some time at which that party is honest.

Definition: Final Agreement

An execution of $Π_{* bft}$ has Final Agreement iff for all $*$ bft‑valid blocks $C$ in honest view at time $t$ and $C^{'}$ in honest view at time $t^{'}$ , we have $* bft-last-final (C) ⪯ ⪰_{* bft} * bft-last-final (C^{'})$ .

Note that it is possible for this property to hold for an execution of a BFT protocol in an asynchronous communication model. As previously mentioned, if the one‑third bound on non‑honest voting property is ever broken at any time in an execution, then it may not be possible to maintain Final Agreement from that point on.

Adapting the Streamlet BFT protocol.

Streamlet as described in [CS2020] has three possible states of a block in a player’s view:

“valid” (but not notarized or final);
“notarized” (but not final);
“final”.

By “valid” the Streamlet paper means just that it satisfies the structural property of being part of a block chain with parent hashes. The role of $*$ bft‑block‑validity in our model corresponds roughly to Streamlet’s “notarized”. It turns out that with some straightforward changes relative to Streamlet, we can identify “origbft‑block‑valid” with “notarized” and consider an origbft‑valid‑chain to only consist of notarized blocks. This is not obvious, but is a useful simplification.

Here is how the paper defines “notarized”:

When a block gains votes from at least $2 n /3$ distinct players, it becomes notarized. A chain is notarized if its constituent blocks are all notarized.

This implies that blocks can be added to chains independently of notarization. However, the paper also says that an honest leader always proposes a block extending from a notarized chain. Therefore, only notarized chains really matter in the protocol.

In unmodified Streamlet, the order in which a player sees signatures might cause it to view blocks as notarized out of order. Streamlet’s security analysis is in a synchronous model, and assumes for liveness that any vote will have been received by all players (Streamlet nodes) within two epochs.

In Crosslink 2, however, we need origbft‑block‑validity to be an objectively and feasibly verifiable property. We also would prefer reliable message delivery within bounded time not to be a basic assumption of our communication model. (This does not dictate what assumptions about message delivery are made for particular security analyses.) If we did not make a modification to the protocol to take this into account, then some Crosslink 2 nodes might receive a two‑thirds absolute supermajority of voting messages and consider a BFT block to be notarized, while others might never receive enough of those messages.

Obviously a proposal cannot include signatures on itself — but the block formed from it can include proofs about the proposal and signatures. We can therefore say that when a proposal gains a two‑thirds absolute supermajority of signatures, a block is created from it that contains a proof (such as an aggregate signature) that it had such a supermajority. For example, we can have the proposer itself make this proof once it has enough votes, sign the resulting $(P, proof_{P})$ to create a block, then submit that block in a separate message. (The proposer has most incentive to do this in order to gain whatever reward attaches to a successful proposal; it can outsource the proving task if needed.) Then the origbft‑block‑validity rule can require a valid supermajority proof, which is objectively and feasibly verifiable. Players that see an origbft‑valid‑block can immediately consider it notarized.

Note that for the liveness analysis to be unaffected, we need to assume that the combined latency of messages, of collecting and aggregating signatures, and of block submission is such that all adapted‑Streamlet nodes will receive a notarized block corresponding to a given proposal (rather than just all of the votes for the proposal) within two epochs. Alternatively we could re‑do the timing analysis.

With this change, “origbft‑block‑valid” and “notarized” do not need to be distinguished.

Streamlet’s finality rule is:

If in any notarized chain, there are three adjacent blocks with consecutive epoch numbers, the prefix of the chain up to the second of the three blocks is considered final. When a block becomes final, all of its prefix must be final too.

We can straightforwardly express this as an $origbft-last-final$ function of a context block $C$ , as required by the model:

For an origbft‑valid‑block $C$ , $origbft-last-final (C)$ is the last origbft‑valid‑block $B ⪯_{origbft} C$ such that either $B = O_{origbft}$ or $B$ is the second block of a group of three adjacent blocks with consecutive epoch numbers.

Note that “When a block becomes final, all of its prefix must be final too.” is implicit in the model.

Model for best-chain protocols (Π_{origbc,bc})

A node’s view in $Π_{* bc}$ includes a set of $*$ bc‑block chains each rooted at a fixed genesis $*$ bc‑block $O_{* bc}$ . There is a $*$ bc‑block‑validity rule (often described as a collection of “consensus rules”), depending only on the content of the block and its ancestors. A non‑genesis block can only be $*$ bc‑block‑valid if its parent is $*$ bc‑block‑valid. By “ $*$ bc‑valid‑chain” we mean a chain of $*$ bc‑block‑valid blocks.

Terminology

The terminology commonly used in the block‑chain community does not distinguish between rules that are part of the consensus protocol proper, and rules required for validity of the economic computation supported by the block chain. Where it is necessary to distinguish, the former can be called “L0” consensus rules, and the latter “L1” consensus rules.

The definition of $*$ bc‑block‑validity is such that it is hard for a block producer to extend a $*$ bc‑valid‑chain unless they are selected by a random process that chooses a block producer in proportion to their resources with an approximately known and consistent time distribution, subject to some assumption about the total proportion of resources held by honest nodes.

There is a function $score ⦂ * bc-valid-chain \to Score$ , with $<$ a strict total ordering on $Score$ . An honest node will choose one of the $*$ bc‑valid‑chains with highest score as the $*$ bc‑best‑chain in its view. Any rule can be specified for breaking ties.

The $score$ function is required to satisfy $score (H ⌈_{* bc}^{1}) < score (H)$ for any non‑genesis $*$ bc‑valid‑chain $H$ .

Info

For a Proof‑of‑Work protocol, the score of a $*$ bc‑chain should be its accumulated work.

Unless an adversary is able to censor knowledge of other chains from a node’s view, it should be difficult to cause the node to switch to a chain with a last common ancestor more than $σ$ blocks back from the tip of its previous $*$ bc‑best‑chain.

Let $ch$ be a view such that $ch_{i}^{t}$ is node $i$ ’s $*$ bc‑best‑chain at time $t$ . (This matches the notation used in [NTT2020].) We define $ch_{i}^{0}$ to be $O_{bc}$ .

A $*$ bc‑valid‑block is assumed to commit to a collection (usually, a sequence) of $*$ bc‑transactions. Unlike in Crosslink 1 or Snap-and-Chat, we do not need to explicitly model $*$ bc‑transaction validity or impose any additional constraints on it. The consensus rules applying to $*$ bc‑transactions are entirely unchanged, including any rules that depend on $*$ bc‑block height or previous $*$ bc‑blocks. This is because Crosslink 2 never reorders or selectively “sanitizes” transactions as Snap-and-Chat does. If a bc‑block is included in a Crosslink 2 block chain then its entire parent bc‑block chain is included just as it would have been in $Π_{origbc}$ (only modified by the structural additions described later), so block heights are also preserved.

A “coinbase transaction” is a $*$ bc‑transaction that only distributes newly issued funds and has no inputs.

Define $is-coinbase-only-block ⦂ * bc-block \to boolean$ so that $is-coinbase-only-block (B) = true$ iff $B$ has exactly one transaction that is a coinbase transaction.

Each $*$ bc‑block is summarized by a $*$ bc‑header that commits to the block. There is a notion of $*$ bc‑header‑validity that is necessary, but not sufficient, for validity of the block. We will only make the distinction between $*$ bc‑headers and $*$ bc‑blocks when it is necessary to avoid ambiguity.

Header validity for Proof‑of‑Work protocols.

In a Proof‑of‑Work protocol, it is normally possible to check the Proof‑of‑Work of a block using only the header. There is a difficulty adjustment function that determines the target difficulty for a block based on its parent chain. So, checking that the correct difficulty target has been used relies on knowing that the header’s parent chain is valid.

Checking header validity before expending further resources on a purported block can be relevant to mitigating denial‑of‑service attacks that attempt to inflate validation cost.

Typically, Bitcoin‑derived best chain protocols do not need much adaptation to fit into this model. The model still omits some details that would be important to implementing Crosslink 2, but distracting for this level of abstraction.

Safety of $Π_{* bc}$

We make an assumption on executions of $Π_{origbc}$ that we will call Prefix Consistency (introduced in [PSS2016, section 3.3] as just “consistency”):

Definition: Prefix Consistency

An execution of $Π_{* bc}$ has Prefix Consistency at confirmation depth $σ$ , iff for all times $t \leq u$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $u$ , we have that $ch_{i}^{t} ⌈_{* bc}^{σ} ⪯_{* bc} ch_{j}^{u}$ .

Explain the confusion in the literature about what variants of this property are called.

The literature uses the same name, “common‑prefix property”, for two different properties of very different strength.

[PSS2016, section 3.3] introduced the stronger variant. That paper first describes the weaker variant, calling it the “common‑prefix property by Garay et al [GKL2015].” Then it explains what is essentially a bug in that variant, and describes the stronger variant which it just calls “consistency”:

The common‑prefix property by Garay et al [GKL2015], which was already considered and studied by Nakamoto [Nakamoto2008], requires that in any round $r$ , the record chains of any two honest players $i$ , $j$ agree on all, but potentially the last $T$ , records. We note that this property (even in combination with the other two desiderata [of Chain Growth and Chain Quality]) provides quite weak guarantees: even if any two honest parties perfectly agree on the chains, the chain could be completely different on, say, even rounds and odd rounds. We here consider a stronger notion of consistency which additionally stipulates players should be consistent with their “future selves”.

Let $consistent^{T} (view) = 1$ iff for all rounds $r \leq r^{'}$ , and all players $i$ , $j$ (potentially the same) such that $i$ is honest at $view^{r}$ and $j$ is honest at $view^{r^{'}}$ , we have that the prefixes of $C_{i}^{r} (view)$ and $C_{j}^{r^{'}} (view)$ consisting of the first $ℓ = ∣ C_{i}^{r} (view) ∣ - T$ records are identical.

Unfortunately, [GKL2020], which is a revised version of [GKL2015], switches to the stronger variant without changing the name.

(The eprint version history may be useful; the change was made in version 20181013:200033, page 17.)

Note that [GKL2020] uses an adaptive‑corruption model, “meaning that the adversary is allowed to take control of parties on the fly”, and so their wording in Definition 3:

... for any pair of honest players $P_{1}$ , $P_{2}$ adopting the chains $C_{1}$ , $C_{2}$ at rounds $r_{1} \leq r_{2}$ in view $_{Π, A, Z}^{t, n}$ respectively, it holds that $C_{1}^{⌈ k} ⪯ C_{2}$ .

is intended to mean the same as our

... for all times $t \leq u$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $u$ , we have that $ch_{i}^{t} ⌈_{* bc}^{σ} ⪯_{* bc} ch_{j}^{u}$ .

The latter is closer to [PSS2016].

Incidentally, this property does not seem to be mentioned in [Nakamoto2008], contrary to the [PSS2016] authors’ assertion. Maybe implicitly, but it’s a stretch.

Discussion of [GKL2020]’s communication model and network partition.

When Prefix Consistency is taken to hold of typical PoW-based block‑chain protocols like Bitcoin (as it often is), this implies that, in the relevant executions, the network of honest nodes is never partitioned — unless any partition lasts only for a short length of time relative to $σ$ block times. If node $i$ is on one side of a full partition and node $j$ on the other, then after node $i$ ’s best chain has been extended by more than $σ$ blocks, $ch_{i}^{t} ⌈_{* bc}^{σ}$ will contain information that has no way to get to node $j$ . And even if the partition is incomplete, we cannot guarantee that the Prefix Consistency property will hold for any given pair of nodes.

It might be possible to maintain Prefix Consistency if the honest nodes on one side of the partition knew that they should not continue building on their chain until the partition has healed, but it is unclear how that would be done in general without resorting to a BFT protocol (as opposed to in specific cases like a single node being unable to connect to the rest of the network). Certainly there is no mechanism to explicitly detect and respond to partitions in protocols derived from Bitcoin.

And yet, [GKL2020] claims to prove Prefix Consistency from other assumptions. So we know that those assumptions must also rule out a long partition between honest nodes. In fact the required assumption is implicit in the communication model:

A synchronous network cannot be partitioned.
A partially synchronous network —that is, providing reliable delivery with bounded but unknown delay— cannot be partitioned for longer than the delay.

We might be concerned that these implicit assumptions are stronger than we would like. In practice, the peer‑to‑peer network protocol of Bitcoin and Zcash attempts to flood blocks to all nodes. This protocol might have weaknesses, but it is not intended to (and plausibly does not) depend on all messages being received. (Incidentally, Streamlet also implicitly floods messages to all nodes.)

Also, Streamlet and many other BFT protocols do not assume for safety that the network is not partitioned. That is, BFT protocols can be safe in a fully asynchronous communication model with unreliable messaging. That is why we avoid taking synchrony or partial synchrony as an implicit assumption of the communication model, or else we could end up with a protocol with weaker safety properties than $Π_{origbft}$ alone.

This leaves the question of whether the Prefix Consistency property is still too strong, even if we do not rely on it for the analysis of safety when $Π_{bft}$ has not been subverted. In particular, if a particular node $h$ is not well-connected to the rest of the network, then that will inevitably affect node $h$ ’s security, but should not affect other honest nodes’ security.

Fortunately, it is not the case that disconnecting a single node $h$ from the network causes the security assumption to be voided. The solution is to view $h$ as not honest in that case (even though it would follow the protocol if it could). This achieves the desired effect within the model, because other nodes can no longer rely on $h$ ’s honest input. Although viewing $h$ as potentially adversarial might seem conservative from the point of view of other nodes, bear in mind that an adversary could censor an arbitrary subset of incoming and outgoing messages from the node, and this may be best modelled by considering it to be effectively controlled by the adversary.

Prefix Consistency compares the $σ$ -truncated chain of some node $i$ with the untruncated chain of node $j$ . For our analysis of safety of the derived ledgers, we will also need to make an assumption on executions of $Π_{origbc}$ that at any given time $t$ , any two honest nodes $i$ and $j$ agree on their confirmed prefixes — with only the caveat that one may have observed more of the chain than the other. That is:

Definition: Prefix Agreement

An execution of $Π_{* bc}$ has Prefix Agreement at confirmation depth $σ$ iff it has Agreement on the view $(i, t) \mapsto ch_{i}^{t} ⌈_{* bc}^{σ}$ .

Why are this property, and Prefix Consistency above, stated as unconditional properties of protocol executions, rather than as probabilistic assumptions?

Our security arguments that depend on these properties will all be of the form “in an execution where ⟨safety properties⟩ are not violated, ⟨undesirable thing⟩ cannot happen”.

It is not necessary to involve probability in arguments of this form. Any probabilistic reasoning can be done separately.

In particular, if a statement of this form holds, and ⟨safety properties⟩ are violated with probability at most $p$ under certain conditions, then it immediately follows that under those conditions ⟨undesirable thing⟩ happens with probability at most $p$ . Furthermore, ⟨undesirable thing⟩ can only happen after ⟨safety properties⟩ have been violated, because the execution up to that point has been an execution in which ⟨safety properties⟩ are not violated.

With few exceptions, involving probability in a security argument is best done only to account for nondeterministic choices in the protocol itself. This is opinionated advice, but a lot of security proofs would likely be simpler if inherently probabilistic arguments were more distinctly separated from unconditional ones.

In the case of the Prefix Agreement property, an alternative approach would be to prove that Prefix Agreement holds with some probability given Prefix Consistency and some other chain properties. This is what [NTT2020] does in its Theorem 2, which essentially says that under certain conditions Prefix Agreement holds except with probability $e^{- Ω (σ)}$ .

The conclusions that can be obtained from this approach are necessarily probabilistic, and depending on the techniques used, the proof may not be tight; that is, the proof may obtain a bound on the probability of failure that is (either asymptotically or concretely) higher than needed. This is the case for [NTT2020, Theorem 2]; footnote 10 in that paper points out that the expression for the probability can be asymptotically improved:

Using the recursive bootstrapping argument developed in [DKT+2020, Section 4.2], it is possible to bring the error probability $e^{- Ω (σ)}$ as close to an exponential decay as possible. In this context, for any $ϵ > 0$ , it is possible to find constants $A_{ϵ}$ , $a_{ϵ}$ such that $Π_{lc} (p)$ is secure after C $(max (GST, GAT))$ with confirmation time $T_{lc} = σ$ except with probability $A_{ϵ} e^{- a_{ϵ} σ^{1 - ϵ}}$ .

(Here $p$ is the probability that any given node gets to produce a block in any given time slot.)

In fact none of the proofs of security properties for Snap‑and‑Chat depend on the particular expression $e^{- Ω (σ)}$ ; for example in the proofs of Lemma 5 and Theorem 1, this probability just “passes through” the proof from the premisses to the conclusion, because the argument is not probabilistic. The same will be true of our safety arguments.

Talking about what is possible in particular executions has further advantages:

It sidesteps the issue of how to interpret results in the GST model of partial synchrony, when we do not know what C $(max (GST, GAT))$ is. See also the critique of applying the GST model to block‑chain protocols under “Discussion of [GKL2020]’s communication model and network partition” above. (This is not an inherent problem with analyzing the protocol in the partially synchronous setting, but only with inappropriate use of the GST model of that setting.)
We do not require $Π_{bc}$ to be a Nakamoto‑style Proof‑of‑Work block chain protocol. Some other kind of protocol could potentially satisfy Prefix Consistency and Prefix Agreement.
It is not clear whether a $e^{- Ω (σ)}$ probability of failure would be concretely adequate. That would depend on the value of $σ$ and the constant hidden by the $Ω$ notation. The asymptotic property using $Ω$ tells us whether a sufficiently large $σ$ could be chosen, but we are more interested in what needs to be assumed for a given concrete choice of $σ$ .
If a violation of a required safety property occurs in a given execution, then the safety argument for Crosslink that depended on the property fails for that execution, regardless of what the probability of that occurrence was. This approach therefore more precisely models the consequences of such violations.

Why, intuitively, should we believe that Prefix Agreement and Prefix Consistency for a large enough confirmation depth hold with high probability for executions of a PoW‑based best‑chain protocol?

Roughly speaking, the intuition behind both properties is as follows:

Honest nodes are collectively able to find blocks faster than an adversary, and communication between honest nodes is sufficiently reliable that they act as a combined network racing against that adversary. Then by the argument in [Nakamoto2008], modified by [GP2020] to correct an error in the concrete analysis, a private mining attack that attempts to cause a $σ$ ‑block rollback will, with high probability, fail for large enough $σ$ . A private mining attack is optimal by the argument in [DKT+2020].

Any further analysis of the conditions under which these properties hold should be done in the context of a particular $Π_{* bc}$ .

Why is the quantification in Prefix Agreement over two different times t and t′?

This strengthens the security property, relative to quantifying over a single time. The question can then be split into several parts:

What does the strengthened property mean, intuitively? Consider the full tree of $*$ bc‑valid-blocks that honest nodes have considered to be part of their $*$ bc‑best-chain at any times during the execution. This property holds iff, when we strip off all branches of length up to and including $σ$ blocks, the resulting tree is $*$ bc‑linear.
Why is the strengthening needed? Suppose that time were split into periods such that honest nodes agreed on one chain in odd periods, and a completely different chain in even periods. This would obviously not satisfy the intent, but it would satisfy a version of the property that did not quantify over different times $t$ and $u$ .
Why should we expect the strengthened property to hold? If node $j$ were far ahead, i.e. $u ≫ t$ , then it is obvious that $ch_{i}^{t} ⌈_{* bc}^{σ} ⪯_{* bc} ch_{j}^{u} ⌈_{* bc}^{σ}$ should hold. Conversely, if node $i$ were far ahead then it is obvious that $ch_{j}^{u} ⌈_{* bc}^{σ} ⪯_{* bc} ch_{i}^{t} ⌈_{* bc}^{σ}$ should hold. The case where $t = u$ is the same as quantifying over a single time. By considering intermediate cases where $t$ and $u$ converge from the extremes or where they diverge from being equal, you should be able to convince yourself that the property holds for any relative values of $t$ and $u$ , in executions of a reasonable best‑chain protocol.

Definition of Crosslink 2

Parameters

Crosslink 2 is parameterized by a bc‑confirmation‑depth $σ \in N^{+}$ (as in Snap‑and‑Chat), and also a finalization gap bound $L \in N^{+}$ with $L$ significantly greater than $σ$ .

Each node $i$ always uses the fixed confirmation depth $σ$ to obtain its view of the finalized chain $fin_{i}^{t} ⦂ bc-valid-chain$ . Unlike in Snap‑and‑Chat or Crosslink 1, this is just a block chain; because we do not need sanitization, there is no need to express it as a log of transactions rather than blocks.

Each node $i$ chooses a potentially different bc‑confirmation‑depth $μ \in N$ where $0 < μ \leq σ$ to obtain its view of the bounded‑available ledger at time $t$ , $(ba_{μ})_{i}^{t} ⦂ bc-valid-chain$ . (We make the restriction $μ \leq σ$ because there is no reason to choose a larger $μ$ .)

Security caveat

Choosing $μ < σ$ is at the node’s own risk and may increase the risk of rollback attacks against $(ba_{μ})_{i}^{t}$ (it does not affect $fin_{i}^{t}$ ). Using small values of $μ$ is not recommended. The default should be $μ = σ$ .

Stalled Mode

Consider, roughly speaking, the number of bc‑blocks that are not yet finalized at time $t$ (a more precise definition will be given in the section on $Π_{bc}$ changes from $Π_{origbc}$ ). We call this the “finality gap” at time $t$ . Under an assumption about the distribution of bc‑block intervals, if this gap stays roughly constant then it corresponds to the approximate time that transactions take to be finalized after being included in a bc‑block (if they are finalized at all) just prior to time $t$ .

As explained in detail by The Arguments for Bounded Availability and Finality Overrides, if this bound exceeds a threshold $L$ , then it likely signals an exceptional or emergency condition, in which it is undesirable to keep accepting user transactions that spend funds into new bc‑blocks. In practice, $L$ should be at least $2 σ$ .

The condition that the network enters in such cases will be called “Stalled Mode”. For a given higher‑level transaction protocol, we can define a policy for which bc‑blocks will be accepted in Stalled Mode. This will be modelled by a predicate $is-stalled-block ⦂ bc-block \to boolean$ . A bc‑block for which $is-stalled-block$ returns $true$ is called a “stalled block”.

Caution

A bc‑block producer is only constrained to produce stalled blocks while, roughly speaking, its view of the finalization point is not advancing. In particular an adversary that has subverted the BFT protocol in a way that does not keep the finalization point from advancing, can always avoid being constrained by Stalled Mode.

The desired properties of stalled blocks and a possible Stalled Mode policy for Zcash are discussed in the How to block hazards section of The Arguments for Bounded Availability and Finality Overrides.

In practice a node's view of the finalized chain, $fin_{i}^{t}$ , is likely to lag only a few blocks behind $ba_{i, σ}^{t}$ (depending on the latency overhead imposed by $Π_{bft}$ ), unless the chain has entered Stalled Mode. So when $μ = σ$ , the main factor influencing the choice of a given application to use $fin_{i}^{t}$ or $(ba_{μ})_{i}^{t}$ is not the average latency, but rather the desired behaviour in the case of a finalization stall: i.e. stall immediately, or keep processing user transactions until $L$ blocks have passed.

Structural additions

Each bc‑header has, in addition to origbc‑header fields, a $context_bft$ field that commits to a bft‑block.
Each bft‑proposal has, in addition to origbft‑proposal fields, a $headers_bc$ field containing a sequence of exactly $σ$ bc‑headers (zero‑indexed, deepest first).
Each non‑genesis bft‑block has, in addition to origbft‑block fields, a $headers_bc$ field containing a sequence of exactly $σ$ bc‑headers (zero-indexed, deepest first). The genesis bft‑block has $headers_bc = \emptyset$ .

For a bft‑block or bft‑proposal $B$ , define $LF (H) snapshot (B) := {O_{bc}, B . headers_bc [0] ⌈_{bc}^{1}, if B . headers_bc = \emptyset otherwise.$ For a bc‑block $H$ , define $snapshot (B) LF (H) candidate (H) := bft-last-final (H . context_bft) := last-common-ancestor (snapshot (LF (H)), H ⌈_{bc}^{σ})$

When $H$ is the tip of a node’s bc‑best‑chain, $candidate (H)$ will give the candidate finalization point, subject to a condition described below that prevents local rollbacks.

Use of the headers_bc field, and its relation to the ch field in Snap‑and‑Chat.

For a bft‑proposal or bft‑block $B$ , the role of the bc‑chain snapshot referenced by $B . headers_bc [0] ⌈_{bc}^{1}$ is comparable to the $Π_{lc}$ snapshot referenced by $B . ch$ in the Snap‑and‑Chat construction from [NTT2020]. The motivation for the additional headers is to demonstrate, to any party that sees a bft‑proposal (resp. bft‑block), that the snapshot had been confirmed when the proposal (resp. the block’s proposal) was made.

Typically, a node that is validating an honest bft‑proposal or bft‑block will have seen at least the snapshotted bc‑block (and possibly some of the subsequent bc‑blocks in the $headers_bc$ chain) before. For this not to be the case, the validator’s bc‑best‑chain would have to be more than $σ$ bc‑blocks behind the honest proposer’s bc‑best‑chain at a given time, which would violate the Prefix Consistency property of $Π_{bc}$ .

If the headers do not connect to any bc‑valid‑chain known to the validator, then the validator should be suspicious that the proposer might not be honest. It can assign a lower priority to validating the proposal in this case, or simply drop it. The latter option could drop a valid proposal, but this does not in practice cause a problem as long as a sufficient number of validators are properly synced (so that Prefix Consistency holds for them).

If the headers do connect to a known bc‑valid‑chain, it could still be the case that the whole header chain up to and including $B . headers_bc [σ - 1]$ is not a bc‑valid‑chain. Therefore, to limit denial‑of‑service attacks the validator should first check the Proofs‑of‑Work and difficulty adjustment —which it can do locally using only the headers— before attempting to download and validate any bc‑blocks that it has not already seen. This is why we include the full headers rather than just the block hashes. Nodes may “trim” (i.e. not explicitly store) headers in a bft‑block that overlap with those referred to by its ancestor bft‑block(s).

Why is a distinguished value needed for the headers_bc field in the genesis bft‑block?

It would be conceptually nice for $O_{bft} . headers [0] ⌈_{bc}^{1}$ to refer to $O_{bc}$ , as well as $O_{bc} . context_bft$ being $O_{bft}$ so that $bft-last-final (O_{bc} . context_bft) = O_{bft}$ . That reflects the fact that we know “from the start” that neither genesis block can be rolled back.

This is not literally implementable using block hashes because it would involve a hash cycle, but we achieve the same effect by defining a $snapshot$ function that allows us to “patch” $snapshot (O_{bft})$ to be $O_{bc}$ . We do it this way around rather than “patching” the link from a bc‑block to a bft‑block, because the genesis bft‑block already needs a special case since there are not $σ$ bc‑headers available.

Why is the context_bft field needed? Why not use a final_bft field to refer directly to the last final bft‑block before the context block?

The finality of some bft‑block is only defined in the context of another bft‑block. One possible design would be for a bc‑block to have both $final_bft$ and $context_bft$ fields, so that the finality of $final_bft$ could be checked objectively in the context of $context_bft$ .

However, specifying just the context block is sufficient information to determine its last final ancestor. There would never be any need to give a context block and a final ancestor that is not the last one. The $bft-last-final$ function can be computed efficiently for typical BFT protocols. Therefore, having just the $context_bft$ field is sufficient.

Locally finalized chain

Each node $i$ keeps track of a “locally finalized” bc‑chain $fin_{i}^{t}$ at time $t$ . Each node’s locally finalized bc‑chain starts at $fin_{i}^{0} = O_{bc}$ . However, this chain state should not be exposed to clients of the node until it has synced.

Definition: Local finalization linearity

Node $i$ has Local finalization linearity up to time $t$ iff the time series of bc‑blocks $fin_{i}^{r \leq t}$ is bc‑linear.

When node $i$ ’s bc‑best‑chain view is updated from $ch_{i}^{s}$ to $ch_{i}^{t}$ , the node’s $fin_{i}^{t}$ will become $candidate (ch_{i}^{t})$ if and only if this is a descendant of $fin_{i}^{s}$ . Otherwise $fin_{i}^{t}$ will stay at $fin_{i}^{s}$ . This guarantees Local finalization linearity by construction.

If when making this update, $candidate (ch_{i}^{t}) / ⪯ ⪰ fin_{i}^{s}$ (i.e. $candidate (ch_{i}^{t})$ and $fin_{i}^{s}$ are on different forks), then the node should record a finalization safety hazard. This can only happen if global safety assumptions are violated. Note that Local finalization linearity on each node is not sufficient for Assured Finality, but it is necessary.

This can be expressed by the following state update algorithm, where $s$ is the time of the last update and $t$ is the time of the current update:

$update-fin (mut fin_{i}, ch_{i}^{t}, s) : let N = candidate (ch_{i}^{t}) if N ⪰ fin_{i}^{s} : fin_{i}^{t} \leftarrow N else: fin_{i}^{t} \leftarrow fin_{i}^{s} if N \neq ⪯ fin_{i}^{s} : record finalization safety hazard$

A safety hazard record should include $ch_{i}^{t}$ and the history of $fin_{i}$ updates including and since the last one that was an ancestor of $N$ .

Lemma: Local fin‑depth

In any execution of Crosslink 2, for any node $i$ that is honest at time $t$ , there exists a time $r \leq t$ such that $fin_{i}^{t} ⪯ ch_{i}^{r} ⌈_{bc}^{σ}$ .

Proof: By the definition of $candidate$ we have $candidate (ch_{i}^{u}) ⪯ ch_{i}^{u} ⌈_{bc}^{σ}$ for all times $u$ . Let $r \leq t$ be the last time at which $fin_{i}^{t}$ changed, or the genesis time $0$ if it has never changed. Then for $r > 0$ we have $fin_{i}^{t} = fin_{i}^{r} = candidate (ch_{i}^{r}) ⪯ ch_{i}^{r} ⌈_{bc}^{σ}$ , and for $r = 0$ we have $fin_{i}^{t} = fin_{i}^{r} = O_{bc} ⪯ ch_{i}^{r} ⌈_{bc}^{σ}$ (because $ch_{i}^{0} = O_{bc}$ , and truncating $O_{bc}$ always yields $O_{bc}$ ).

Why does fin_i need to be maintained using local state?

When a node’s view of the bc‑best‑chain reorgs to a different fork (even if the reorg is shorter than $σ$ blocks), it may be the case that $candidate (ch_{i}^{t})$ rolls back. If Final Agreement of $Π_{bft}$ holds up to time $t$ , the new snapshot should in that case be an ancestor of the old one. If all is well then this snapshot will subsequently roll forward along the same path. However, we do not want applications using the node to see the temporary rollback.

Assured Finality is our main safety goal for Crosslink 2. It is essentially the same goal as Final Agreement but applied to nodes’ locally finalized bc‑chains; intuitively it means that honest nodes never see conflicting locally finalized chains. We intend to prove that this goal holds under reasonable assumptions about either $Π_{origbft}$ or $Π_{origbc}$ .

Definition: Assured Finality

An execution of Crosslink 2 has Assured Finality iff for all times $t$ , $u$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $u$ , we have $fin_{i}^{t} ⪯ ⪰_{bc} fin_{j}^{u}$ .

Note that if an execution of Crosslink 2 has Assured Finality, then all nodes that are honest for that execution have Local finalization linearity. That is because the restriction of Assured Finality to the case $i = j$ is equivalent to Local finalization linearity for node $i$ up to any time at which node $i$ is honest.

Why do we need to use candidate(H) rather than snapshot(LF(H))?

This ensures that the candidate is at least $σ$ ‑confirmed.

In practice $candidate (H)$ will rarely differ from $snapshot (LF (H))$ , but using the former patches over a potential gap in the safety proof. The Last Final Snapshot rule specified later will guarantee that $snapshot (LF (H)) ⪯_{bc} H$ , and this ensures that $snapshot (LF (H)) ⪯ ⪰_{bc} H ⌈_{bc}^{σ}$ . However, the depth of $snapshot (LF (H))$ relative to $H$ is not guaranteed to be $\geq σ$ . For the proof we will need $candidate (H) ⪯_{bc} H ⌈_{bc}^{σ}$ , so that we can use the Local fin‑depth lemma together with Prefix Agreement of $Π_{bc}$ at confirmation depth $σ$ to prove Assured Finality.

An alternative would be to change the Last Final Snapshot rule to directly require $snapshot (LF (H)) ⪯_{bc} H ⌈_{bc}^{σ}$ .

$TODO:$ Choose between these options based on what works well for the security proofs and finalization latency.

Locally bounded‑available chain

Define the locally bounded‑available chain on node $i$ for bc‑confirmation‑depth $μ$ , as $(ba_{μ})_{i}^{t} = {ch_{i}^{t} ⌈_{bc}^{μ}, fin_{i}^{t}, if fin_{i}^{t} ⪯ ch_{i}^{t} ⌈_{bc}^{μ} otherwise.$

Like the locally finalized bc‑chain, this chain state should not be exposed to clients of the node until it has synced.

Theorem: Ledger prefix property

For any node $i$ that is honest at time $t$ , and any confirmation depth $μ$ , $fin_{i}^{t} ⪯ (ba_{μ})_{i}^{t}$ .

Proof: By construction of $(ba_{μ})_{i}^{t}$ .

Lemma: Local ba‑depth

In any execution of Crosslink 2, for any confirmation depth $μ \leq σ$ and any node $i$ that is honest at time $t$ , there exists a time $r \leq t$ such that $(ba_{μ})_{i}^{t} ⪯_{bc} ch_{i}^{r} ⌈_{bc}^{μ}$ .

Proof: Either $(ba_{μ})_{i}^{t} = fin_{i}^{t}$ , in which case the result follows by the Local fin‑depth lemma since $μ \leq σ$ , or $(ba_{μ})_{i}^{t} = ch_{i}^{t} ⌈_{bc}^{μ}$ in which case it follows trivially with $r = t$ .

Our security goal for $ba_{μ}$ will be Agreement on $ba_{μ}$ as already defined.

Why is the ‘otherwise’ case in the definition of (ba_μ)_i^t necessary?

Assume for this discussion that $Π_{bc}$ uses PoW.

Depending on the value of $σ$ , the timestamps of bc‑blocks, and the difficulty adjustment rule, it can be the case that if $fin_{i}$ switches to a different fork, the difficulty on that fork is greater than on the chain of the previous snapshot. Then, the new bc‑chain could reach a higher score than the previous chain in fewer than $σ$ blocks from the fork point, and so $ch_{i}^{t} ⌈_{bc}^{μ}$ might not be a descendant of $fin_{i}^{t}$ (which is more likely if $μ = σ$ ). This can occur even when all safety assumptions are satisfied.

For Zcash’s difficulty adjustment algorithm, the difficulty of each block is adjusted based on the median timestamps and difficulty target thresholds over a range of $PoWAveragingWindow = 17$ blocks, where each median is taken over $PoWMedianBlockSpan = 11$ blocks. Other damping factors and clamps are applied in order to prevent instability and to reduce the influence that adversarially chosen timestamps can have on difficulty adjustment. This makes it unlikely that an adversary could gain a significant advantage by manipulating the difficulty adjustment. So it is safe to use $fin_{i}^{t}$ in this case: even though it does not have $μ$ confirmations relative to $ch_{i}^{t}$ , it does have at least the required amount of work “on top” of it.

Defining $(ba_{μ})_{i}^{t}$ this way also has the advantage of making the proof of the Ledger prefix property trivial.

Syncing and checkpoints

It is recommended that node implementations “bake in” a checkpointed bft‑block $B_{checkpoint}$ to each released version, and that node $i$ should only expose $fin_{i}^{t}$ and $(ba_{μ})_{i}^{t}$ to its clients once it is “synced”, that is:

$B_{checkpoint} ⪯_{bft} LF (ch_{i}^{t})$ ; and
$snapshot (B_{checkpoint}) ⪯_{bc} fin_{i}^{t}$ ; and
the timestamp of $fin_{i}^{t}$ is within some threshold of the current time.

Π_bft changes from Π_origbft

Π_bft proposal and block validity

Genesis bft‑block rule: $O_{bft}$ is bft‑block‑valid.

A bft‑proposal (resp. non‑genesis bft‑block) $B$ is bft‑proposal‑valid (resp. bft‑block‑valid) iff all of the following hold:

Inherited origbft rules: The corresponding origbft‑proposal‑validity (resp. origbft‑block‑validity) rules hold for $B$ .
Linearity rule: $snapshot (B ⌈_{bft}^{1}) ⪯_{bc} snapshot (B)$ .
Tail Confirmation rule: $B . headers_bc$ form the $σ$ ‑block tail of a bc‑valid‑chain.

The “corresponding validity rules” are assumed to include the Parent rule that $B$ ’s parent is bft‑valid.

Note: origbft‑block‑validity rules may be different to origbft‑proposal‑validity rules. For example, in adapted Streamlet, a origbft‑block needs evidence that it was voted for by a supermajority, and an origbft‑proposal doesn’t. Such differences also apply to bft‑block‑validity vs bft‑proposal‑validity.

Why have validity rules been separated from the honest voting condition below?

The reason to separate the validity rules from the honest voting condition, is that the validity rules are objective: they don’t depend on an observer’s view of the bc‑best‑chain. Therefore, they can be checked independently of validator signatures. Even a proposal voted for by 100% of validators will not be considered bft‑proposal‑valid by other nodes unless it satisfies the above rules. If more than two thirds of voting units are cast for an invalid proposal, something is seriously and visibly wrong; in any case, the block will not be accepted as a bft‑valid‑block. Importantly, a purportedly valid bft‑block will not be recognized as such by any honest Crosslink 2 node even if it includes a valid notarization proof, if it does not meet other bft‑block‑validity rules.

This is essential to making the finalized chain safe against a flaw in $Π_{bft}$ or its security assumptions (even, say, a complete break of the validator signature algorithm), as long as $Π_{bc}$ remains safe.

What does the Linearity rule do?

This rule is key to combining simplicity with strong security properties in Crosslink 2. It essentially says that, in a given bft‑valid‑chain, the snapshots pointed to by blocks in that chain cannot roll back.

This allows the informal safety argument for Crosslink 2 to be rather intuitive.

Informally, if $Π_{bft}$ has Final Agreement, then all nodes see only one consistent bft‑linear chain (restricting to bft‑blocks that are final in the context of some bft‑block in honest view). Within such a bft‑chain, the Linearity rule ensures by construction that the sequence of referenced bc‑chain snapshots is bc‑linear. This implies Assured Finality, without needing to assume any safety property of $Π_{bc}$ .

We will also be able to prove safety of the finalized snapshots based only on safety of $Π_{bc}$ (for a confirmation depth of $σ$ ), without needing to assume any safety property of $Π_{bft}$ . Informally, that is because each node sees each candidate final snapshot at a given time as a $σ$ -confirmed prefix of its bc‑best‑chain at that time (this can be proven based on the Last Final Snapshot rule and the fact that a snapshot includes $σ$ subsequent headers), and Prefix Agreement implies that honest nodes agree on this prefix. We will leave a more detailed argument until after we have presented the $Π_{bc}$ changes from $Π_{origbc}$ .

The Linearity rule replaces the “Increasing Score rule” used in Crosslink 1. The Increasing Score rule required that each snapshot in a bft‑valid‑chain either be the same snapshot, or a higher-scoring snapshot to that of its parent block. Since scores strictly increase within a bc‑valid‑chain, the Linearity rule implies the Increasing Score rule. It retains the same or stronger positive effects:

It prevents potential attacks that rely on proposing a bc‑valid‑chain that forks from a much earlier block. This is necessary because the difficulty (or stake threshold) at that point could have been much lower.
It limits the extent of disruption an adversary can feasibly cause to the bounded‑available chain $ch_{i}$ , even if it has subverted $Π_{bft}$ . Informally, because the finalized chain is a $Π_{bc}$ chain, its safety is no worse than $Π_{bc}$ alone for a rollback of any depth.
It ensures that either progress is made (the snapshot advances relative to that of the parent bft‑block), or there is no further validation that needs to be done for the snapshot because it was already validated.

Note that the adversary could take advantage of an “accidental” fork and start its attack from the base of that fork, so that not all of this work is done by it alone. This is also possible in the case of a standard “private mining” attack, and is not so much of a problem in practice because accidental forks are expected to be short. In any case, $σ$ should be chosen to take it into account.

The Linearity rule is also critical to removing the need for one of the most complex elements of Snap‑and‑Chat and Crosslink 1, “sanitization”. In those protocols, because bc‑chain snapshots could be unrelated to each other, it was necessary to sanitize the chain formed from these snapshots to remove transactions that were contextually invalid (e.g. because they double‑spend). The negative consequences of this are described in Notes on Snap‑and‑Chat; avoiding it is much simpler.

The linearity property is intentionally always relative to the snapshot of the parent bft‑block, even if it is not final in the context of the current bft‑block. This is because the rule needs to hold if and when it becomes final in the context of some descendant bft‑block.

$TODO:$ PoS Desideratum: we want leader selection with good security / performance properties that will be relevant to this rule. (Suggested: PoSAT.)

Why does the Linearity rule allow keeping the same snapshot as the parent?

This is necessary in order to preserve liveness of $Π_{bft}$ relative to $Π_{origbft}$ . Liveness of $Π_{origbft}$ might require honest proposers to make proposals at a minimum rate. That requirement could be consistently violated if it were not always possible to make a valid proposal. But given that it is allowed to repeat the same snapshot as in the parent bft‑block, neither the Linearity rule nor the Tail Confirmation rule can prevent making a valid proposal — and all other rules of $Π_{bft}$ affecting the ability to make valid proposals are the same as in $Π_{origbft}$ . (In principle, changes to voting in $Π_{bft}$ could also affect its liveness; we’ll discuss that in the liveness proof later.)

For example, Streamlet requires three notarized blocks in consecutive epochs in order to finalize a block [CS2020, section 1.1]. Its proof of liveness depends on the assumption that in each epoch for which the leader is honest, that leader will make a proposal, and that during a “period of synchrony” this proposal will be received by every node [CS2020, section 3.6]. This argument can also be extended to adapted‑Streamlet.

We could alternatively have allowed to always make a “null” proposal, rather than to always make a proposal with the same snapshot as the parent. We prefer the latter because the former would require specifying the rules for null proposals in $Π_{origbft}$ .

As a clarification, no BFT protocol that uses leader election can require a proposal in each epoch, because the leader might be dishonest. The above issue concerns liveness of the protocol when assumptions about the attacker’s share of bft‑validators or stake are met, so that it can be assumed that sufficiently long periods with enough honest leaders to make progress (5 consecutive epochs in the case of Streamlet), will occur with significant probability.

Π_bft block finality in context

The finality rule for bft‑blocks in a given context is unchanged from origbft‑finality. That is, $bft-last-final$ is defined in the same way as $origbft-last-final$ (modulo referring to bft‑block‑validity and $O_{bft}$ ).

Π_bft honest proposal

An honest proposer of a bft‑proposal $P$ chooses $P . headers_bc$ as the $σ$ ‑block tail of its bc‑best‑chain, provided that it is consistent with the Linearity rule. If it would not be consistent with that rule, it sets $P . headers_bc$ to the same $headers_bc$ field as $P$ ’s parent bft‑block. It does not make proposals until its bc‑best‑chain is at least $σ + 1$ blocks long.

Why σ + 1?

If the length were less than $σ + 1$ blocks, it would be impossible to construct the $headers_bc$ field of the proposal.

Note that when the length of the proposer’s bc‑best‑chain is exactly $σ + 1$ blocks, the snapshot must be of $O_{bc} .$ But this does not violate the Linearity rule, because $O_{bc}$ matches the previous snapshot by $O_{bft}$ .

How is it possible that the Linearity rule would not be satisfied by choosing headers from an honest proposer’s bc‑best‑chain?

As in the answer to Why is the ‘otherwise’ case in the definition of $(ba_{μ})_{i}^{t}$ necessary? above, after a reorg on the bc‑chain, the $σ$ -confirmed block on the new chain might not be a descendant of the $σ$ -confirmed block on the old chain, which could break the Linearity rule.

Π_bft honest voting

An honest validator considering a proposal $P$ , first updates its view of both subprotocols with the bc‑headers given in $P . headers_bc$ , downloading bc‑blocks for these headers and checking their bc‑block‑validity.

For each downloaded bc‑block, the bft‑chain referenced by its $context_bft$ field might need to be validated if it has not been seen before.

Wait what, how much validation is that?

In general the entire referenced bft‑chain needs to be validated, not just the referenced block — and for each bft‑block, the bc‑chain in $headers_bc$ needs to be validated, and so on recursively. If this sounds overwhelming, note that:

We should check the requirement that a bft‑valid‑block must have been voted for by a two‑thirds absolute supermajority of validators, and any other non‑recursive bft‑validity rules, first.
Before validating a bc‑chain referenced by a $headers_bc$ field, we check that it connects to an already-validated bc‑chain and that the Proofs‑of‑Work are valid. This implies that the amount of bc‑block validation is constrained by how fast the network can find valid Proofs‑of‑Work.
The Linearity rule reduces the worst‑case validation effort, by ensuring that only one bc‑chain needs to be validated for any bft‑chain. Assuming safety of $Π_{bft}$ and that the adversary does not have an overwhelming advantage in computing the Proof‑of‑Work, this is effectively only one bc‑chain overall with, at most, short side branches.

In summary, the order of validation is important to avoid denial‑of‑service — but it already is in Bitcoin and Zcash.

After updating its view, the validator will vote for a proposal $P$ only if:

Valid proposal criterion: it is bft‑proposal‑valid, and
Confirmed best‑chain criterion: $snapshot (P)$ is part of the validator’s bc‑best‑chain at a bc‑confirmation‑depth of at least $σ$ .

Blocks in a bc‑best‑chain are by definition bc‑block‑valid. If we’re checking the Confirmed best‑chain criterion, why do we need to have separately checked that the blocks referenced by the headers are bc‑block‑valid?

The Confirmed best‑chain criterion is quite subtle. It ensures that $snapshot (P) = P . headers_bc [0] ⌈_{bc}^{1}$ is bc‑block‑valid and has $σ$ bc‑block‑valid blocks after it in the validator’s bc‑best‑chain. However, it need not be the case that $P . headers_bc [σ - 1]$ is part of the validator’s bc‑best‑chain after it updates its view. That is, the chain could fork after $snapshot (P)$ .

The bft‑proposal‑validity rule must be objective; it can’t depend on what the validator’s bc‑best‑chain is. The validator’s bc‑best‑chain may have been updated to $P . headers_bc [σ - 1]$ (if it has the highest score), but it also may not.

However, if the validator’s bc‑best‑chain was updated, that makes it more likely that it will be able to vote for the proposal.

In any case, if the validator does not check that all of the blocks referenced by the headers are bc‑block‑valid, then its vote may be invalid.

How does this compare to Snap‑and‑Chat?

Snap‑and‑Chat already had the voting condition:

An honest node only votes for a proposed BFT block $B$ if it views $B . ch$ as confirmed.

but it did not give the headers potentially needed to update the validator’s view, and it did not require a proposal to be for an objectively confirmed snapshot as a matter of validity.

If a Crosslink‑like protocol were to require an objectively confirmed snapshot but without including the bc‑headers in the proposal, then validators would not immediately know which bc‑blocks to download to check its validity. This would increase latency, and would be likely to lead proposers to be more conservative and only propose blocks that they think will already be in at least a two‑thirds absolute supermajority of validators’ best chains.

That is, showing $P . headers_bc$ to all of the validators is advantageous to the proposer, because the proposer does not have to guess what blocks the validators might have already seen. It is also advantageous for the protocol goals in general, because it improves the trade‑off between finalization latency and security.

Π_bc changes from Π_origbc

Π_bc block validity

Genesis bc‑block rule: For the genesis bc‑block we must have $O_{bc} . context_bft = O_{bft}$ , and therefore $bft-last-final (O_{bc} . context_bft) = O_{bft}$ .

A bc‑block $H$ is bc‑block‑valid iff all of the following hold:

Inherited origbc rules: $H$ satisfies the corresponding origbc‑block‑validity rules.
Valid context rule: $H . context_bft$ is bft‑block‑valid.
Extension rule: $LF (H ⌈_{bc}^{1}) ⪯_{bft} LF (H)$ .
Last Final Snapshot rule: $snapshot (LF (H)) ⪯_{bc} H$ .
Finality depth rule: Define: $finality-depth (H) := height (H) - height (snapshot (LF (H)))$ Then either $finality-depth (H) \leq L$ or $is-stalled-block (H)$ .

Explain the definition of finality‑depth.

The finality depth must be objectively defined, since it is used in a consensus rule. Therefore it should measure the height of $H$ relative to $snapshot (LF (H))$ , which is an objectively defined function of $H$ , rather than relative to $fin_{i}^{t}$ . (These will only differ for $H = ch_{i}^{t}$ when node $i$ has just reorged, and only then in corner cases.)

Note that the Last Final Snapshot rule ensures that it is meaningful to simply use the difference in heights, since $snapshot (LF (H)) ⪯_{bc} H$ .

Π_bc contextual validity

The consensus rule changes above are all non-contextual. Modulo these changes, contextual validity in $Π_{bc}$ is the same as in $Π_{origbc}$ .

Π_bc honest block production

An honest producer of a bc‑block $H$ must follow the consensus rules under $Π_{bc}$ block validity above. In particular, it must produce a stalled block if required to do so by the Finality depth rule.

To choose $H . context_bft$ , the producer considers a subset of the tips of bft‑valid‑chains in its view: ${T : T is bft‑block‑valid and LF (H ⌈_{bc}^{1}) ⪯_{bft} bft-last-final (T)}$ It chooses one of the longest of these chains, $C$ , breaking ties by maximizing $score (snapshot (bft-last-final (C)))$ , and if there is still a tie then by taking $C$ with the smallest hash.

The honest block producer then sets $H . context_bft$ to $C$ .

Attention

An honest bc‑block‑producer must not use information from the BFT protocol, other than the specified consensus rules, to decide which bc‑valid‑chain to follow. The specified consensus rules that depend on $Π_{bft}$ have been carefully constructed to preserve safety of $Π_{bc}$ relative to $Π_{origbc}$ . Imposing any additional constraints could potentially allow an adversary that is able to subvert $Π_{bft}$ , to influence the evolution of the bc‑best‑chain in ways that are not considered in the safety argument.

Why not choose T such that H ⌈¹_bc . context_bft ⪯_bft bft‑last‑final(T )?

The effect of this would be to tend to more often follow the last bft‑block seen by the producer of the parent bc‑block, if there is a choice. It is not always possible to do so, though: the resulting set of candidates for $C$ might be empty.

Also, it is not clear that giving the parent bc‑block‑producer the chance to “guide” what bft‑block should be chosen next is beneficial, since that producer might be adversarial and the resulting incentives are difficult to reason about.

Why choose the longest C, rather than the longest bft‑last‑final(C )?

We could have instead chosen $C$ to maximize the length of $bft-last-final (C)$ . The rule we chose follows Streamlet, which builds on the longest notarized chain, not the longest finalized chain. This may call for more analysis specific to the chosen BFT protocol.

Why this tie‑breaking rule?

Choosing the bft‑chain that has the last final snapshot with the highest score, tends to inhibit an adversary’s ability to finalize its own chain if it has a lesser score. (If it has a greater score, then it has already won a hash race and we cannot stop the adversary chain from being finalized.)

For discussion of potentially unifying the roles of bc‑block producer and bft‑proposer, see What about making the bc‑block‑producer the bft‑proposer? in Potential changes to Crosslink.

At this point we have completed the definition of Crosslink 2. In Security Analysis of Crosslink 2, we will prove it secure.

Zcash Trailing Finality Layer - v0.1.0