github.com/aakash4dev/cometbft@v0.38.2/spec/consensus/bft-time.md (about)

     1  ---
     2  order: 2
     3  ---
     4  # BFT Time
     5  
     6  CometBFT provides a deterministic, Byzantine fault-tolerant, source of time.
     7  Time in CometBFT is defined with the Time field of the block header.
     8  
     9  It satisfies the following properties:
    10  
    11  - Time Monotonicity: Time is monotonically increasing, i.e., given
    12  a header H1 for height h1 and a header H2 for height `h2 = h1 + 1`, `H1.Time < H2.Time`.
    13  - Time Validity: Given a set of Commit votes that forms the `block.LastCommit` field, a range of
    14  valid values for the Time field of the block header is defined only by  
    15  Precommit messages (from the LastCommit field) sent by correct processes, i.e.,
    16  a faulty process cannot arbitrarily increase the Time value.  
    17  
    18  In the context of CometBFT, time is of type int64 and denotes UNIX time in milliseconds, i.e.,
    19  corresponds to the number of milliseconds since January 1, 1970.
    20  Before defining rules that need to be enforced by Tendermint, the consensus algorithm adopted in CometBFT,
    21  so the properties above holds, we introduce the following definition:
    22  
    23  - median of a Commit is equal to the median of `Vote.Time` fields of the `Vote` messages,
    24  where the value of `Vote.Time` is counted number of times proportional to the process voting power. As
    25  the voting power is not uniform (one process one vote), a vote message is actually an aggregator of the same votes whose
    26  number is equal to the voting power of the process that has casted the corresponding votes message.
    27  
    28  Let's consider the following example:
    29  
    30  - we have four processes p1, p2, p3 and p4, with the following voting power distribution (p1, 23), (p2, 27), (p3, 10)
    31  and (p4, 10). The total voting power is 70 (`N = 3f+1`, where `N` is the total voting power, and `f` is the maximum voting
    32  power of the faulty processes), so we assume that the faulty processes have at most 23 of voting power.
    33  Furthermore, we have the following vote messages in some LastCommit field (we ignore all fields except Time field):
    34      - (p1, 100), (p2, 98), (p3, 1000), (p4, 500). We assume that p3 and p4 are faulty processes. Let's assume that the
    35        `block.LastCommit` message contains votes of processes p2, p3 and p4. Median is then chosen the following way:
    36        the value 98 is counted 27 times, the value 1000 is counted 10 times and the value 500 is counted also 10 times.
    37        So the median value will be the value 98. No matter what set of messages with at least `2f+1` voting power we
    38        choose, the median value will always be between the values sent by correct processes.
    39  
    40  We ensure Time Monotonicity and Time Validity properties by the following rules:
    41    
    42  - let rs denotes `RoundState` (consensus internal state) of some process. Then
    43  `rs.ProposalBlock.Header.Time == median(rs.LastCommit) &&
    44  rs.Proposal.Timestamp == rs.ProposalBlock.Header.Time`.
    45  
    46  - Furthermore, when creating the `vote` message, the following rules for determining `vote.Time` field should hold:
    47  
    48      - if `rs.LockedBlock` is defined then
    49      `vote.Time = max(rs.LockedBlock.Timestamp + time.Millisecond, time.Now())`, where `time.Now()`
    50          denotes local Unix time in milliseconds
    51  
    52      - else if `rs.Proposal` is defined then
    53      `vote.Time = max(rs.Proposal.Timestamp + time.Millisecond,, time.Now())`,
    54  
    55      - otherwise, `vote.Time = time.Now())`. In this case vote is for `nil` so it is not taken into account for
    56      the timestamp of the next block.