Security Analysis of Crosslink

This document analyses the security of Crosslink in terms of liveness and safety. It assumes that you have read The Crosslink Construction which defines the protocol.

Liveness argument

First note that Crosslink intentionally sacrifices availability if there is a long finalization stall.

Info

This is technically independent of the other changes; you can omit the Finality depth rule and the protocol would still have security advantages over Snap‑and‑Chat, as well as solving its "spending from finalized outputs" issue. In that case the incentives to "pull" the finalization point forward to include new final bft‑blocks would be weaker, but honest bc‑block‑producers would still do it.

It would still be a bug if there were any situation in which $Π_{bc}$ failed to be live, though, because that would allow tail‑thrashing attacks.

Crosslink involves a bidirectional dependence between $Π_{bft}$ and $Π_{bc}$ . The Ebb‑and‑Flow paper [NTT2020] argues in Appendix E ("Bouncing Attack on Casper FFG") that it can be more difficult to reason about liveness given a bidirectional dependence between protocols:

To ensure consistency among the two tiers [of Casper FFG], the fork choice rule of the blockchain is modified to always respect ‘the justified checkpoint of the greatest height [*]’ [22]. There is thus a bidirectional interaction between the block proposal and the finalization layer: blocks proposed by the blockchain are input to finalization, while justified checkpoints constrain future block proposals. This bidirectional interaction is intricate to reason about and a gateway for liveness attacks.

Info

[*] The quotation changes this to "[depth]", but our terminology is consistent with Ethereum here and not with [NTT2020]'s idiosyncratic use of "depth" to mean "block height".

The argument is correct as far as it goes. The main reason why this does not present any great difficulty to proving liveness of Crosslink, is due to a fundamental difference from Casper FFG: in Crosslink the fork‑choice rule of $Π_{bc}$ is not modified.

Let $S$ be the subset of bc‑blocks ${B : is-coinbase-only-block (B) and is-safety-block (B)}$ . Assume that $S$ is such that a bc‑block‑producer can always produce a block in $S$ .

In that case it is straightforward to convince ourselves that the additional bc‑block‑validity rules are never an obstacle to producing a new bc‑block in $S$ :

The changes to the definition of contextual validity do not interfere with liveness, since they do not affect coinbase transactions, and therefore do not affect blocks in $S$ . That is, the bc‑block‑producer can always just omit non‑coinbase transactions that are contextually invalid.
The Genesis rule doesn't apply to new bc‑blocks.
The Valid context rule and Extension rule are always satisfiable by referencing the same context bft‑block as the parent bc‑block.
The Finality depth rule always allows the option of producing a safety block, and therefore does not affect blocks in $S$ .

The instructions to an honest bc‑block‑producer allow it to produce a block in $S$ . Therefore, $Π_{bc}$ remains live under the same conditions as $Π_{origbc}$ .

The additional bft‑proposal‑validity, bft‑block‑validity, bft‑finality, and honest voting rules are also not an obstacle to making, voting for, or finalizing bft‑proposals:

Because $Π_{bc}$ is live, there will always be some point in time at which a fresh valid bc‑header chain that satisfies both the Increasing score rule and the Tail confirmation rule exists for use in the $P . headers_bc$ field.
If no fresh valid bc‑header chain is available, the Increasing score rule and Tail confirmation rule allow an honest bft‑proposer to choose $headers_bc$ to be the same as in the previous bft‑block. So, if liveness of $Π_{origbft}$ depends on an honest proposer always being able to make a proposal (as it does in adapted‑Streamlet for example), then this requirement will not be violated.
The changes to voting are only requiring a vote to be for a proposal that could have been honestly proposed.
The bft‑finality rules are unchanged from origbft‑finality.

Therefore, $Π_{bft}$ remains live under the same conditions as in Snap‑and‑Chat applied to $Π_{origbft}$ .

The only other possibility for a liveness issue relative to Snap‑and‑Chat would be if the change to the construction of $LOG_{fin}$ could cause it to stall, even when $Π_{bft}$ and $Π_{bc}$ are both still live.

However, liveness of $Π_{bft}$ and the Increasing score rule together imply that at each point in time, provided there are sufficient honest bft‑proposers/validators, eventually a new bft‑block with a higher-scoring snapshot will become final in the context of the longest bft‑valid‑chain. ==TODO make that more precise.==

Because of the Extension rule, this new bft‑block must be a descendent of the previous final bft‑block in the context visible to bc‑block‑producers. Therefore, the new finalized chain will extend the old finalized chain. It could be the case that all of the new transactions are sanitized out, but that would only happen if they double‑spend or use outputs that were nonexistent in the context computed by $bda-ctx$ at the point at which they are to be contextually checked.

Finally, we need to show that Safety Mode is only triggered when it should be; that is, when the assumptions needed for liveness of $Π_{bft}$ are violated. Informally, that is the case because, as long as there are sufficient honest bc‑block‑producers and sufficient honest bft‑proposers/validators, the finalization point implied by the $context_bft$ field at the tip of the bc‑best chain in any node's view will advance fast enough for the finalization gap bound $L$ not to be hit. This depends on the value of $L$ relative to $σ$ , the network delay, the hash rate of honest bc‑block‑producers, the number of honest bft‑proposers and the proportion of voting units they hold, and other details of the BFT protocol. ==TODO: more detailed argument needed, especially for the dependence on $L$ .==

Safety argument

Discussion

The Extension rule ensures that, informally, if a given node $i$ 's view of its bc‑best‑chain at a depth of $σ$ blocks does not roll back, then neither does its view of the bft‑final block referenced by its bc‑best‑chain, and therefore neither does its view of $LOG_{fin, i}^{t}$ .

This does not by itself imply that all nodes are seeing the "same" confirmed bc‑best‑chain (up to propagation timing), or the same $LOG_{fin, i}^{t}$ . If the network is partitioned and $Π_{bft}$ is subverted, it could be that the nodes on each side of the partition follow a different fork, and the adversary arranges for each node's view of the last final bft‑block to be consistent with the fork it is on. It can potentially do this if it has more than one third of validators, because if the validators are partitioned in the same way as other nodes, it can vote with an additional one third of them on each side of the fork.

This is, if you think about it, unavoidable. $Π_{bc}$ doesn't include the mechanisms needed to maintain finality under partition; it takes a different position on the CAP trilemma. In order to maintain finality under partition, we need $Π_{bft}$ not to be subverted (and to actually work!)

So what is the strongest security property we can realistically get? It is stronger than what Snap‑and‑Chat provides. Snap‑and‑Chat is unsafe even without a partition if $Π_{bft}$ is subverted. Ideally we would have a protocol with safety that is only limited by attacks "like" the unavoidable attack described above --- which also applies to $Π_{bc}$ used on its own.

Proof of safety for LOG_fin

In order to capture the intuition that it is hard in practice to cause a consistent partition of the kind described in the previous section, we will need to assume that the Prefix Agreement safety property holds for the relevant executions of $Π_{bc}$ . The structural and consensus modifications to $Π_{bc}$ relative to $Π_{origbc}$ seem unlikely to have any significant effect on this property, given that we proved above that they do not affect liveness. ==TODO: that is a handwave; we should be able to do better, as we do for $Π_{bft}$ below.== So, to the extent that it is reasonable to assume that Prefix Agreement holds for executions of $Π_{origbc}$ under some conditions, it should also be reasonable to assume it holds for executions of $Π_{bc}$ under the same conditions.

Recall that $LF (H) := bft-last-final (H .context_bft)$ .

Prefix Lemma

If $H_{1}$ , $H_{2}$ are bc‑valid blocks with $H_{1} ⪯_{bc} H_{2}$ , then $LF (H_{1}) ⪯_{bft} LF (H_{2})$ .

Proof: Using the Extension rule, by induction on the distance between $H_{1}$ and $H_{2}$ .

Using the Prefix Lemma once for each direction, we can transfer the Prefix Agreement property to the referenced bft‑blocks:

Prefix Agreement Lemma

In an execution of $Π_{bc}$ that has Prefix Agreement at confirmation depth $σ$ , for all times $t$ , $t^{'}$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $t^{'}$ , we have $LF (ch_{i}^{t} ⌈_{bc}^{σ}) ⪯ ⪰_{bft} LF (ch_{j}^{t^{'}} ⌈_{bc}^{σ})$ .

(The notation $B ⪯ ⪰_{*} C$ means that either $B ⪯_{*} C$ or $C ⪯_{*} B$ . That is, "one of $B$ and $C$ is a prefix of the other".)

Recall that $san-ctx san-ctx (S) LF (H) fin fin (H) fin-ctx (H) bda-ctx (H, μ) LOG_{fin, i}^{t} LOG_{bda, i, μ}^{t} :: := := :: := := := := := [bc-chain] \to bc-context sanitize (concat ([chain-txns (C) for C in S])) bft-last-final (H .context_bft) bc-block \to [bc-chain] [snapshot (B) for B ⪯_{bft} LF (H ⌈_{bc}^{σ})] san-ctx (fin (H)) san-ctx (fin (H) ∣∣ [H ⌈_{bc}^{μ}]) context-txns (fin-ctx (ch_{i}^{t})) context-txns (bda-ctx (ch_{i}^{t}, μ))$

Because $fin$ takes the form $fin (H) := [f (X) for X ⪯_{bft} g (H)]$ , we have that $g (H) ⪯_{bft} g (H^{'}) ⟹ fin (H) ⪯ fin (H^{'})$ . (This would be true for any well‑typed $f$ and $g$ .)

By this observation and the Prefix Agreement Lemma, we also have that, in an execution of Crosslink where $Π_{bc}$ has the Prefix Agreement safety property at confirmation depth $σ$ , for all times $t$ , $t^{'}$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $t^{'}$ , $fin (ch_{i}^{t}) ⪯ ⪰ fin (ch_{j}^{t^{'}})$ .

Because $sanitize$ only considers previous state, $context-txns$ ∘ $san-ctx$ must be a prefix-preserving map; that is, if $S_{1} ⪯ S_{2}$ then $context-txns (san-ctx (S_{1})) ⪯ context-txns (san-ctx (S_{2}))$ . Therefore:

Theorem: LOG_fin Safety (from Prefix Agreement of Π_bc)

In an execution of Crosslink where $Π_{bc}$ has Prefix Agreement at confirmation depth $σ$ , for all times $t$ , $t^{'}$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $t^{'}$ , $LOG_{fin, i}^{t} ⪯ ⪰ LOG_{fin, j}^{t^{'}}$ .

Notice that this does not depend on any safety property of $Π_{bft}$ , and is an elementary proof. ([NTT2020, Theorem 2] is a much more complicated proof that takes nearly 3 pages, not counting the reliance on results from [PS2017].)

In addition, just as in Snap‑and‑Chat, safety of $LOG_{fin}$ can be inferred from safety of $Π_{bft}$ , which follows from safety of $Π_{origbft}$ . We prove this based on the Final Agreement property for executions of $Π_{origbft}$ :

Definition: Final Agreement

An execution of $Π_{origbft}$ has the Final Agreement safety property iff for all origbft‑valid blocks $C$ in honest view at time $t$ and $C^{'}$ in honest view at time $t^{'}$ , we have $origbft-last-final (C) ⪯ ⪰_{origbft} origbft-last-final (C^{'})$ .

The changes in $Π_{bft}$ relative to $Π_{origbft}$ only add structural components and tighten bft‑block‑validity and bft‑proposal‑validity rules. So for any legal execution of $Π_{bft}$ there is a corresponding legal execution of $Π_{origbft}$ , with the structural additions erased and with the same nodes honest at any given time. A safety property, by definition, only asserts that executions not satisfying the property do not occur. Safety properties of $Π_{origbft}$ necessarily do not refer to the added structural components in $Π_{bft}$ . Therefore, for any safety property of $Π_{origbft}$ , including Final Agreement, the corresponding safety property holds for $Π_{bft}$ .

By the definition of $fin$ as above, in an execution of Crosslink where $Π_{bft}$ has Final Agreement, for all times $t$ , $t^{'}$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $t^{'}$ , $fin (ch_{i}^{t}) ⪯ ⪰ fin (ch_{j}^{t^{'}})$ . Therefore, by an argument similar to the one above using the fact that $context-txns$ ∘ $san-ctx$ is a prefix-preserving map:

Theorem: LOG_fin Safety (from Final Agreement of Π_bft or Π_origbft)

In an execution of Crosslink where $Π_{bft}$ has Final Agreement, for all times $t$ , $t^{'}$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $t^{'}$ , $LOG_{fin, i}^{t} ⪯ ⪰ LOG_{fin, j}^{t^{'}}$ .

Proof of safety for LOG_bda

From the two $LOG_{fin}$ Safety theorems and the Ledger prefix property, we immediately have:

Theorem: LOG_bda does not roll back past the agreed LOG_fin

Let $μ_{i}$ be an arbitrary choice of $LOG_{bda}$ confirmation depth for each node $i$ . Consider an execution of Crosslink where either $Π_{bc}$ has Prefix Agreement at confirmation depth $σ$ or $Π_{bft}$ has Final Agreement.

In such an execution, for all times $t$ , $t^{'}$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $t^{'}$ , either $LOG_{fin, i}^{t} ⪯_{bc} LOG_{fin, j}^{t^{'}} ⪯_{bc} LOG_{bda, j, μ_{j}}^{t^{'}}$ or $LOG_{fin, j}^{t^{'}} ⪯_{bc} LOG_{fin, i}^{t} ⪯_{bc} LOG_{bda, i, μ_{i}}^{t}$ .

Corollary: Under the same conditions, if wlog $LOG_{fin, i}^{t} ⪯_{bc} LOG_{fin, j}^{t^{'}}$ , then $LOG_{fin, i}^{t} ⪯_{bc} {LOG_{bda, i, μ_{i}}^{t}, LOG_{bda, j, μ_{j}}^{t^{'}}}$ .

The above property is not as strong as we would like for practical uses of $LOG_{bda}$ , because it does not say anything about rollbacks up to the finalization point, and such rollbacks may be of unbounded length. (Loosely speaking, the number of non-Safety Mode bc‑blocks after the consensus finalization point is bounded by $L$ , but we have also not proven that so far.)

As documented in the Model for BFT protocols section of The Crosslink Construction):

For each epoch, there is a fixed number of voting units distributed between the players, which they use to vote for a $*$ bft‑proposal. We say that a voting unit has been cast for a $*$ bft‑proposal $P$ at a given time in a $*$ bft‑execution, if and only if $P$ is $*$ bft‑proposal‑valid and a ballot for $P$ authenticated by the holder of the voting unit exists at that time.

Using knowledge of ballots cast for a $*$ bft‑proposal $P$ that collectively satisfy a notarization rule at a given time in a $*$ bft‑execution, and only with such knowledge, it is possible to obtain a valid $*$ bft‑notarization‑proof $proof_{P}$ . The notarization rule must require at least a two‑thirds absolute supermajority of voting units in $P$ ’s epoch to have been cast for $P$ . It may also require other conditions.

A voting unit is cast non‑honestly for an epoch’s proposal iff:

it is cast other than by the holder of the unit (due to key compromise or any flaw in the voting protocol, for example); or

it is double‑cast (i.e. there are two ballots casting it for distinct proposals); or

the holder of the unit following the conditions for honest voting in $Π_{* bft}$ , according to its view, should not have cast that vote.

Definition: One‑third bound on non‑honest voting

An execution of $Π_{bft}$ has the one‑third bound on non‑honest voting property iff for every epoch, strictly fewer than one third of the total voting units for that epoch are ever cast non‑honestly.

Theorem: On bft‑valid blocks for a given epoch in honest view

By a well known argument often used to prove safety of BFT protocols, in an execution of Crosslink where $Π_{bft}$ has the one‑third bound on non‑honest voting property (and assuming soundness of notarization proofs), any bft‑valid block for a given epoch in honest view must commit to the same proposal.

Proof (adapted from [CS2020, Lemma 1]): Suppose there are two bft‑proposals $P$ and $P^{'}$ , both for epoch $e$ , such that $P$ is committed to by some bft‑block‑valid block $B$ , and $P^{'}$ is committed to by some bft‑block‑valid block $B^{'}$ . This implies that $B$ and $B^{'}$ have valid notarization proofs. Let the number of voting units for epoch $e$ be $n_{e}$ . Assuming soundness of the notarization proofs, it must be that at least $2 n_{e} /3$ voting units for epoch $e$ , denoted as the set $S$ , were cast for $P$ , and at least $2 n_{e} /3$ voting units for epoch $e$ , denoted as the set $S^{'}$ , were cast for $P^{'}$ . Since there are $n_{e}$ voting units for epoch $e$ , $S \cap S^{'}$ must have size at least $n_{e} /3$ . In an execution of Crosslink where $Π_{bft}$ has the one‑third bound on non‑honest voting property, $S \cap S^{'}$ must therefore include at least one voting unit that was cast honestly. Since a voting unit for epoch $e$ that is cast honestly is not double-cast, it must be that $P = P^{'}$ .

Info

In the case of a network partition, votes may not be seen on both/all sides of the partition. Therefore, it is not necessarily the case that honest nodes can directly see double‑voting. The above argument does not depend on being able to do so.

Therefore, in an execution of Crosslink for which $Π_{bft}$ has the one‑third bound on non‑honest voting property, for each epoch $e$ there will be at most one bft‑proposal‑valid proposal $P_{e}$ , and at least one third of honestly cast voting units must have been cast for it. Let $I_{e}$ be the (necessarily nonempty) set of nodes that cast these honest votes; then, $snapshot (P_{e}) ⪯_{bc} ch_{i}^{t_{e, i}} ⌈_{bc}^{σ}$ for all $i \in I_{e}$ at the times $t_{e, i}$ of their votes in epoch $e$ . (For simplicity, we assume that for each honest node $i$ there is only one time $t_{e, i}$ at which it obtains a successful check for the voting condition in epoch $e$ , which it uses for any votes that it casts in that epoch.)

Let $B$ be any bft‑block for epoch $e$ such that $B ⪯_{bft} bft-last-final (C)$ , where $C$ is some bft‑block‑valid block. Since $B ⪯_{bft} C$ , $B$ is bft‑block‑valid. So by the argument above, $B$ commits to the only bft‑proposal‑valid proposal $P_{e}$ for epoch $e$ , and $snapshot (B) = snapshot (P_{e})$ was voted for in that epoch by a nonempty subset of honest nodes $I_{e}$ .

Let $H$ be any bc‑valid block. We have by definition: $fin (H) = = [snapshot (B) for B ⪯_{bft} LF (H ⌈_{bc}^{σ})] [snapshot (B) for B ⪯_{bft} bft-last-final (H ⌈_{bc}^{σ} .context_bft)]$ So, taking $C = H ⌈_{bc}^{σ} .context_bft$ , each $snapshot (B)$ for $B$ of epoch $e$ in the result of $fin (H)$ satisfies $snapshot (B) ⪯_{bc} ch_{i}^{t_{e, i}} ⌈_{bc}^{σ}$ for all $i$ in some nonempty honest set of nodes $I_{e}$ .

For an execution of Crosslink in which $Π_{bc}$ has the Prefix Consistency property at confirmation depth $σ$ , for every epoch $e$ , for every such $(i, t_{e, i})$ , for every node $j$ that is honest at any time $t^{'} \geq t_{e, i}$ , we have $ch_{i}^{t_{e, i}} ⌈_{bc}^{σ} ⪯_{bc} ch_{j}^{t^{'}}$ . Let $t_{e} = min {t_{e, i} : i \in I_{e}}$ . Then, by transitivity of $⪯_{bc}$ :

Theorem: On snapshots in LOG_fin

In an execution of Crosslink where $Π_{bft}$ has the one‑third bound on non‑honest voting property and $Π_{bc}$ has the Prefix Consistency property at confirmation depth $σ$ , every bc‑chain $snapshot (B)$ in $fin (ch_{i}^{t})$ (and therefore every snapshot that contributes to $LOG_{fin, i}^{t}$ ) is, at any time $t^{'} \geq t_{e}$ , in the bc‑best‑chain of every node $j$ that is honest at time $t^{'}$ (where $B$ commits to $P_{e}$ at epoch $e$ and $t_{e}$ is the time of the first honest vote for $P_{e}$ ).

A similar (weaker) statement holds if we replace $t^{'} \geq t_{e}$ with $t^{'} \geq t$ , since the time of the first honest vote for $P$ necessarily precedes the time at which the signed $(P, proof_{P})$ is submitted as a bft‑block, which necessarily precedes $t$ . (Whether or not the notarization proof depends on the first honest vote for $B$ 's proposal $P_{e}$ , it must depend on some honest vote for that proposal that was not made earlier than $t_{e}$ .)

Furthermore, we have $bda-ctx (H, μ) LOG_{bda, i, μ}^{t} = = san-ctx (fin (H) ∣∣ [H ⌈_{bc}^{μ}]) context-txns (bda-ctx (ch_{i}^{t}, μ))$

So in an execution of Crosslink where $Π_{bc}$ has the Prefix Consistency property at confirmation depth $μ$ , if node $i$ is honest at time $t$ then $H ⌈_{bc}^{μ}$ is also, at any time $t^{'} \geq t$ , in the bc‑best‑chain of every node $j$ that is honest at time $t^{'}$ .

If an execution of $Π_{bc}$ has the Prefix Consistency property at confirmation depth $μ \leq σ$ , then it necessarily also has it at confirmation depth $σ$ . Therefore we have:

Theorem: On snapshots in LOG_bda

In an execution of Crosslink where $Π_{bft}$ has the one‑third bound on non‑honest voting property and $Π_{bc}$ has the Prefix Consistency property at confirmation depth $μ \leq σ$ , every bc‑chain snapshot in $fin (ch_{i}^{t}) ∣∣ [ch_{i}^{t} ⌈_{bc}^{μ}]$ (and therefore every snapshot that contributes to $LOG_{bda, i, μ}^{t}$ ) is, at any time $t^{'} \geq t$ , in the bc‑best‑chain of every node $j$ that is honest at time $t^{'}$ .

Sketch: we also need the sequence of snapshots output from fin to only be extended in the view of any node. In that case we can infer that the node does not observe a rollback in LOG_bda.

Recall that in the proof of safety for $LOG_{fin}$ , we showed that in an execution of Crosslink where $Π_{bft}$ (or $Π_{origbft}$ ) has Final Agreement, for all times $t$ , $t^{'}$ and all nodes $i$ , $j$ (potentially the same) such that $i$ is honest at time $t$ and $j$ is honest at time $t^{'}$ , $fin (ch_{i}^{t}) ⪯ ⪰ fin (ch_{j}^{t^{'}})$ .

What we want to show is that, under some conditions on executions, ...

Disadvantages of Crosslink

More invasive changes

Unlike Snap‑and‑Chat, Crosslink requires structural and consensus rule changes to both $Π_{bc}$ and $Π_{bft}$ . On the other hand, several of those changes are arguably necessary to fix a showstopper bug in Snap‑and‑Chat (not being able to spend some finalized outputs).

Finalization latency

For a given choice of $σ$ , the finalization latency is higher. The snapshot of the BFT chain used to obtain $LOG_{fin, i, μ}^{t}$ is obtained from the block at depth $μ$ on node $i$ 's best $Π_{bc}$ chain, which will on average lead to a finalized view that is about $μ + 1 + σ$ blocks back (in $Π_{bc}$ ), rather than $σ_{sac}$ blocks in Snap‑and‑Chat. This is essentially the cost of ensuring that safety is given by the stronger of the safety of $Π_{bc}$ (at $μ$ confirmations) and the safety of $Π_{bft}$ .

On the other hand, the relative increase in expected finalization latency is only $\frac{μ + 1 + σ}{σ _{sac}},$ i.e. at most slightly more than a factor of 2 for the case $μ = σ = σ_{sac}$ .

More involved liveness argument

See the Liveness section above.

Every rule in Crosslink is individually necessary

Warning

In order to show that Crosslink is at a local optimum in the security/complexity trade‑off space, for each rule we show attacks on safety and/or liveness that could be performed if that rule were omitted or simplified.

Edit: some rules, e.g. the Increasing Score rule, only contribute heuristically to security in the analysis so far.

Zcash Trailing Finality Layer - v0.1.0