Security Analysis of Crosslink 2
This document analyzes the security of Crosslink 2 in terms of liveness and safety. It assumes that you have read The Crosslink 2 Construction which defines the protocol.
Liveness argument
First note that Crosslink 2 intentionally sacrifices availability if there is a long finalization stall.
This is technically independent of the other changes; you can omit the Finality depth rule and the protocol would still have security advantages over Snap‑and‑Chat, as well as being much simpler and solving its “spending from finalized outputs” issue. In that case the incentives to “pull” the finalization point forward to include new final bft‑blocks would be weaker, but honest bc‑block‑producers would still do it.
It would still be a bug if there were any situation in which failed to be live, though, because that would allow tail‑thrashing attacks.
Crosslink 2 involves a bidirectional dependence between and . The Ebb‑and‑Flow paper [NTT2020] argues in Appendix E ("Bouncing Attack on Casper FFG") that it can be more difficult to reason about liveness given a bidirectional dependence between protocols:
To ensure consistency among the two tiers [of Casper FFG], the fork choice rule of the blockchain is modified to always respect ‘the justified checkpoint of the greatest height [*]’ [22]. There is thus a bidirectional interaction between the block proposal and the finalization layer: blocks proposed by the blockchain are input to finalization, while justified checkpoints constrain future block proposals. This bidirectional interaction is intricate to reason about and a gateway for liveness attacks.
[*] The quotation changes this to “[depth]”, but our terminology is consistent with Ethereum here and not with [NTT2020]’s idiosyncratic use of “depth” to mean “block height”.
The argument is correct as far as it goes. The main reason why this does not present any great difficulty to proving liveness of Crosslink, is due to a fundamental difference from Casper FFG: in Crosslink 2 the fork‑choice rule of is not modified.
Let be the subset of bc‑blocks . Assume that is such that a bc‑block‑producer can always produce a block in .
In that case it is straightforward to convince ourselves that the additional bc‑block‑validity rules are never an obstacle to producing a new bc‑block in :
- The changes to the definition of contextual validity do not interfere with liveness, since they do not affect coinbase transactions, and therefore do not affect blocks in . That is, the bc‑block‑producer can always just omit non‑coinbase transactions that are contextually invalid.
- The Genesis bc‑block rule doesn’t apply to new bc‑blocks.
- The Valid context rule, Extension rule, and Last Final Snapshot rule are always satisfiable by referencing the same context bft‑block as the parent bc‑block.
- The Finality depth rule always allows the option of producing a stalled block, and therefore does not affect blocks in .
The instructions to an honest bc‑block‑producer allow it to produce a block in . Therefore, remains live under the same conditions as .
The additional bft‑proposal‑validity, bft‑block‑validity, bft‑finality, and honest voting rules are also not an obstacle to making, voting for, or finalizing bft‑proposals:
- Because is live, there will always be some point in time at which a fresh valid bc‑header chain that satisfies both the Linearity rule and the Tail confirmation rule exists for use in the field.
- If no fresh valid bc‑header chain is available, the Linearity rule and Tail confirmation rule allow an honest bft‑proposer to choose to be the same as in the previous bft‑block. So, if liveness of depends on an honest proposer always being able to make a proposal (as it does in adapted‑Streamlet for example), then this requirement will not be violated.
- The changes to voting are only requiring a vote to be for a proposal that could have been honestly proposed.
- The bft‑finality rules are unchanged from origbft‑finality.
Therefore, remains live under the same conditions as .
The only other possibility for a liveness issue in Crosslink 2 would be if the change to the constructions of or could cause either of them to stall, even when and are both still live.
However, liveness of and the Linearity rule together imply that at each point in time, provided there are sufficient honest bft‑proposers/validators, eventually a new bft‑block with a higher-scoring snapshot will become final in the context of the longest bft‑valid‑chain. make that more precise.
Because of the Extension rule, this new bft‑block must be a descendent of the previous final bft‑block in the context visible to bc‑block‑producers. Therefore, the new finalized chain will extend the old finalized chain.
Finally, we need to show that Stalled Mode is only triggered when it should be; that is, when the assumptions needed for liveness of are violated. Informally, that is the case because, as long as there are sufficient honest bc‑block‑producers and sufficient honest bft‑proposers/validators, the finalization point implied by the field at the tip of the bc‑best chain in any node’s view will advance fast enough for the finalization gap bound not to be hit. This depends on the value of relative to , the network delay, the hash rate of honest bc‑block‑producers, the number of honest bft‑proposers and the proportion of voting units they hold, and other details of the BFT protocol. more detailed argument needed, especially for the dependence on .
Safety argument
Not updated for Crosslink 2 below this point.
Discussion
Recall the definition of Assured Finality.
An execution of Crosslink 2 has Assured Finality iff for all times , and all nodes , (potentially the same) such that is honest at time and is honest at time , we have .
First we prove that Assured Finality is implied by Prefix Agreement of .
An execution of has Prefix Agreement at confirmation depth , iff for all times , and all nodes , (potentially the same) such that is honest at time and is honest at time , we have .
In an execution of Crosslink 2 for which the subprotocol has Prefix Agreement at confirmation depth , that execution has Assured Finality.
Proof: Suppose that we have times , and nodes , (potentially the same) such that is honest at time and is honest at time . Then, by the Local fin-depth lemma applied to each of node and node , there exist times at which node is honest and at which node is honest, such that and . By Prefix Agreement at confirmation depth , we have . Wlog due to symmetry, suppose . Then (by transitivity of ) and (as above), so by the Linear prefix lemma.
Then we prove that Assured Finality is also implied by Final Agreement of .
An execution of has Final Agreement iff for all bft‑valid blocks in honest view at time and in honest view at time , we have .
In an execution of Crosslink 2 for which the subprotocol has Final Agreement, that execution has Assured Finality.
Proof: Suppose that we have times , and nodes , (potentially the same) such that is honest at time and is honest at time . Then, by the Local fin-depth lemma applied to each of node and node , there exist times at which node is honest and at which node is honest, such that and . By Prefix Agreement at confirmation depth , we have . Wlog due to symmetry, suppose . Then (by transitivity of ) and (as above), so by the Linear prefix lemma.
By the Local ba-depth lemma, we have:
In any execution of Crosslink 2, for any confirmation depth and any node that is honest at time , there exists a time such that .
Renaming to and to in the definition of Prefix Consistency gives:
An execution of has Prefix Consistency at confirmation depth , iff for all times and all nodes , (potentially the same) such that is honest at time and is honest at time , we have that .
Since any node that is honest at time is also honest at time , and by transitivity of , we therefore have:
In any execution of Crosslink 2 that has Prefix Consistency at confirmation depth , for all times and all nodes , (potentially the same) such that is honest at time and is honest at time , we have that .
The Extension rule ensures that, informally, if a given node ’s view of its bc‑best‑chain at a depth of blocks does not roll back, then neither does its view of the bft‑final block referenced by its bc‑best‑chain, and therefore neither does its view of .
This does not by itself imply that all nodes are seeing the “same” confirmed bc‑best‑chain (up to propagation timing), or the same . If the network is partitioned and is subverted, it could be that the nodes on each side of the partition follow a different fork, and the adversary arranges for each node’s view of the last final bft‑block to be consistent with the fork it is on. It can potentially do this if it has more than one third of validators, because if the validators are partitioned in the same way as other nodes, it can vote with an additional one third of them on each side of the fork.
This is, if you think about it, unavoidable. doesn’t include the mechanisms needed to maintain finality under partition; it takes a different position on the CAP trilemma. In order to maintain finality under partition, we need not to be subverted (and to actually work!)
So what is the strongest security property we can realistically get? It is stronger than what Snap‑and‑Chat provides. Snap‑and‑Chat is unsafe even without a partition if is subverted. Ideally we would have a protocol with safety that is only limited by attacks “like” the unavoidable attack described above — which also applies to used on its own.
Proof of safety for LOGfin
In order to capture the intuition that it is hard in practice to cause a consistent partition of the kind described in the previous section, we will need to assume that the Prefix Agreement safety property holds for the relevant executions of . The structural and consensus modifications to relative to seem unlikely to have any significant effect on this property, given that we proved above that they do not affect liveness. ==TODO: that is a handwave; we should be able to do better, as we do for below.== So, to the extent that it is reasonable to assume that Prefix Agreement holds for executions of under some conditions, it should also be reasonable to assume it holds for executions of under the same conditions.
Recall that .
If , are bc‑valid blocks with , then .
Proof: Using the Extension rule, by induction on the distance between and .
Using the Prefix Lemma once for each direction, we can transfer the Prefix Agreement property to the referenced bft‑blocks:
In an execution of that has Prefix Agreement at confirmation depth , for all times , and all nodes , (potentially the same) such that is honest at time and is honest at time , we have .
Let be the sequence of transactions in the given chain , starting from genesis.
Recall that
Because takes the form , we have that . (This would be true for any well‑typed and .)
By this observation and the Prefix Agreement Lemma, we also have that, in an execution of Crosslink 2 where has the Prefix Agreement safety property at confirmation depth , for all times , and all nodes , (potentially the same) such that is honest at time and is honest at time , .
Because only considers previous state, ∘ must be a prefix-preserving map; that is, if then . Therefore:
In an execution of Crosslink 2 where has Prefix Agreement at confirmation depth , for all times , and all nodes , (potentially the same) such that is honest at time and is honest at time , .
Notice that this does not depend on any safety property of , and is an elementary proof. ([NTT2020, Theorem 2] is a much more complicated proof that takes nearly 3 pages, not counting the reliance on results from [PS2017].)
In addition, just as in Snap‑and‑Chat, safety of can be inferred from safety of , which follows from safety of . We prove this based on the Final Agreement property for executions of :
An execution of has the Final Agreement safety property iff for all origbft‑valid blocks in honest view at time and in honest view at time , we have .
The changes in relative to only add structural components and tighten bft‑block‑validity and bft‑proposal‑validity rules. So for any legal execution of there is a corresponding legal execution of , with the structural additions erased and with the same nodes honest at any given time. A safety property, by definition, only asserts that executions not satisfying the property do not occur. Safety properties of necessarily do not refer to the added structural components in . Therefore, for any safety property of , including Final Agreement, the corresponding safety property holds for .
By the definition of as above, in an execution of Crosslink 2 where has Final Agreement, for all times , and all nodes , (potentially the same) such that is honest at time and is honest at time , . Therefore, by an argument similar to the one above using the fact that ∘ is a prefix-preserving map:
In an execution of Crosslink 2 where has Final Agreement, for all times , and all nodes , (potentially the same) such that is honest at time and is honest at time , .
Proof of safety for LOGba
From the two Safety theorems and the Ledger prefix property, we immediately have:
Let be an arbitrary choice of confirmation depth for each node . Consider an execution of Crosslink 2 where either has Prefix Agreement at confirmation depth or has Final Agreement.
In such an execution, for all times , and all nodes , (potentially the same) such that is honest at time and is honest at time , either or .
Corollary: Under the same conditions, if wlog , then .
The above property is not as strong as we would like for practical uses of , because it does not say anything about rollbacks up to the finalization point, and such rollbacks may be of unbounded length. (Loosely speaking, the number of non‑Stalled Mode bc‑blocks after the consensus finalization point is bounded by , but we have also not proven that so far.)
As documented in the Model for BFT protocols section of The Crosslink 2 Construction):
For each epoch, there is a fixed number of voting units distributed between the players, which they use to vote for a bft‑proposal. We say that a voting unit has been cast for a bft‑proposal at a given time in a bft‑execution, if and only if is bft‑proposal‑valid and a ballot for authenticated by the holder of the voting unit exists at that time.
Using knowledge of ballots cast for a bft‑proposal that collectively satisfy a notarization rule at a given time in a bft‑execution, and only with such knowledge, it is possible to obtain a valid bft‑notarization‑proof . The notarization rule must require at least a two‑thirds absolute supermajority of voting units in ’s epoch to have been cast for . It may also require other conditions.
A voting unit is cast non‑honestly for an epoch’s proposal iff:
- it is cast other than by the holder of the unit (due to key compromise or any flaw in the voting protocol, for example); or
- it is double‑cast (i.e. there are two ballots casting it for distinct proposals); or
- the holder of the unit following the conditions for honest voting in , according to its view, should not have cast that vote.
An execution of has the one‑third bound on non‑honest voting property iff for every epoch, strictly fewer than one third of the total voting units for that epoch are ever cast non‑honestly.
By a well known argument often used to prove safety of BFT protocols, in an execution of Crosslink 2 where has the one‑third bound on non‑honest voting property (and assuming soundness of notarization proofs), any bft‑valid block for a given epoch in honest view must commit to the same proposal.
Proof (adapted from [CS2020, Lemma 1]): Suppose there are two bft‑proposals and , both for epoch , such that is committed to by some bft‑block‑valid block , and is committed to by some bft‑block‑valid block . This implies that and have valid notarization proofs. Let the number of voting units for epoch be . Assuming soundness of the notarization proofs, it must be that at least voting units for epoch , denoted as the set , were cast for , and at least voting units for epoch , denoted as the set , were cast for . Since there are voting units for epoch , must have size at least . In an execution of Crosslink 2 where has the one‑third bound on non‑honest voting property, must therefore include at least one voting unit that was cast honestly. Since a voting unit for epoch that is cast honestly is not double-cast, it must be that .
In the case of a network partition, votes may not be seen on both/all sides of the partition. Therefore, it is not necessarily the case that honest nodes can directly see double‑voting. The above argument does not depend on being able to do so.
Therefore, in an execution of Crosslink 2 for which has the one‑third bound on non‑honest voting property, for each epoch there will be at most one bft‑proposal‑valid proposal , and at least one third of honestly cast voting units must have been cast for it. Let be the (necessarily nonempty) set of nodes that cast these honest votes; then, for all at the times of their votes in epoch . (For simplicity, we assume that for each honest node there is only one time at which it obtains a successful check for the voting condition in epoch , which it uses for any votes that it casts in that epoch.)
Let be any bft‑block for epoch such that , where is some bft‑block‑valid block. Since , is bft‑block‑valid. So by the argument above, commits to the only bft‑proposal‑valid proposal for epoch , and was voted for in that epoch by a nonempty subset of honest nodes .
Let be any bc‑valid block. We have by definition: So, taking , each for of epoch in the result of satisfies for all in some nonempty honest set of nodes .
For an execution of Crosslink 2 in which has the Prefix Consistency property at confirmation depth , for every epoch , for every such , for every node that is honest at any time , we have . Let . Then, by transitivity of :
In an execution of Crosslink 2 where has the one‑third bound on non‑honest voting property and has the Prefix Consistency property at confirmation depth , every bc‑chain in (and therefore every snapshot that contributes to ) is, at any time , in the bc‑best‑chain of every node that is honest at time (where commits to at epoch and is the time of the first honest vote for ).
A similar (weaker) statement holds if we replace with , since the time of the first honest vote for necessarily precedes the time at which the signed is submitted as a bft‑block, which necessarily precedes . (Whether or not the notarization proof depends on the first honest vote for ’s proposal , it must depend on some honest vote for that proposal that was not made earlier than .)
Furthermore, we have
So in an execution of Crosslink 2 where has the Prefix Consistency property at confirmation depth , if node is honest at time then is also, at any time , in the bc‑best‑chain of every node that is honest at time .
If an execution of has the Prefix Consistency property at confirmation depth , then it necessarily also has it at confirmation depth . Therefore we have:
In an execution of Crosslink 2 where has the one‑third bound on non‑honest voting property and has the Prefix Consistency property at confirmation depth , every bc‑chain snapshot in (and therefore every snapshot that contributes to ) is, at any time , in the bc‑best‑chain of every node that is honest at time .
Sketch: we also need the sequence of snapshots output from fin to only be extended in the view of any node. In that case we can infer that the node does not observe a rollback in LOG_ba.
Recall that in the proof of safety for , we showed that in an execution of Crosslink 2 where (or ) has Final Agreement, for all times , and all nodes , (potentially the same) such that is honest at time and is honest at time , .
What we want to show is that, under some conditions on executions, ...
Disadvantages of Crosslink
More invasive changes
Unlike Snap‑and‑Chat, Crosslink 2 requires structural and consensus rule changes to both and . On the other hand, several of those changes are arguably necessary to fix a show‑stopping bug in Snap‑and‑Chat (not being able to spend some finalized outputs).
Finalization latency
For a given choice of , the finalization latency is higher. The snapshot of the BFT chain used to obtain is obtained from the block at depth on node ’s best chain, which will on average lead to a finalized view that is about blocks back (in ), rather than \sigma_{\sac}} blocks in Snap‑and‑Chat. This is essentially the cost of ensuring that safety is given by the stronger of the safety of (at confirmations) and the safety of .
On the other hand, the relative increase in expected finalization latency is only \frac{\mu + 1 + \sigma}{\sigma_{\sac}}}, i.e. at most slightly more than a factor of 2 for the case \mu = \sigma = \sigma_{\sac}}.
More involved liveness argument
See the Liveness section above.
Every rule in Crosslink 2 is individually necessary
In order to show that Crosslink 2 is at a local optimum in the security/complexity trade‑off space, for each rule we show attacks on safety and/or liveness that could be performed if that rule were omitted or simplified.
Edit: some rules, e.g. the Linearity rule, only contribute heuristically to security in the analysis so far.