github.com/aakash4dev/cometbft@v0.38.2/spec/consensus/bft-time.md (about) 1 --- 2 order: 2 3 --- 4 # BFT Time 5 6 CometBFT provides a deterministic, Byzantine fault-tolerant, source of time. 7 Time in CometBFT is defined with the Time field of the block header. 8 9 It satisfies the following properties: 10 11 - Time Monotonicity: Time is monotonically increasing, i.e., given 12 a header H1 for height h1 and a header H2 for height `h2 = h1 + 1`, `H1.Time < H2.Time`. 13 - Time Validity: Given a set of Commit votes that forms the `block.LastCommit` field, a range of 14 valid values for the Time field of the block header is defined only by 15 Precommit messages (from the LastCommit field) sent by correct processes, i.e., 16 a faulty process cannot arbitrarily increase the Time value. 17 18 In the context of CometBFT, time is of type int64 and denotes UNIX time in milliseconds, i.e., 19 corresponds to the number of milliseconds since January 1, 1970. 20 Before defining rules that need to be enforced by Tendermint, the consensus algorithm adopted in CometBFT, 21 so the properties above holds, we introduce the following definition: 22 23 - median of a Commit is equal to the median of `Vote.Time` fields of the `Vote` messages, 24 where the value of `Vote.Time` is counted number of times proportional to the process voting power. As 25 the voting power is not uniform (one process one vote), a vote message is actually an aggregator of the same votes whose 26 number is equal to the voting power of the process that has casted the corresponding votes message. 27 28 Let's consider the following example: 29 30 - we have four processes p1, p2, p3 and p4, with the following voting power distribution (p1, 23), (p2, 27), (p3, 10) 31 and (p4, 10). The total voting power is 70 (`N = 3f+1`, where `N` is the total voting power, and `f` is the maximum voting 32 power of the faulty processes), so we assume that the faulty processes have at most 23 of voting power. 33 Furthermore, we have the following vote messages in some LastCommit field (we ignore all fields except Time field): 34 - (p1, 100), (p2, 98), (p3, 1000), (p4, 500). We assume that p3 and p4 are faulty processes. Let's assume that the 35 `block.LastCommit` message contains votes of processes p2, p3 and p4. Median is then chosen the following way: 36 the value 98 is counted 27 times, the value 1000 is counted 10 times and the value 500 is counted also 10 times. 37 So the median value will be the value 98. No matter what set of messages with at least `2f+1` voting power we 38 choose, the median value will always be between the values sent by correct processes. 39 40 We ensure Time Monotonicity and Time Validity properties by the following rules: 41 42 - let rs denotes `RoundState` (consensus internal state) of some process. Then 43 `rs.ProposalBlock.Header.Time == median(rs.LastCommit) && 44 rs.Proposal.Timestamp == rs.ProposalBlock.Header.Time`. 45 46 - Furthermore, when creating the `vote` message, the following rules for determining `vote.Time` field should hold: 47 48 - if `rs.LockedBlock` is defined then 49 `vote.Time = max(rs.LockedBlock.Timestamp + time.Millisecond, time.Now())`, where `time.Now()` 50 denotes local Unix time in milliseconds 51 52 - else if `rs.Proposal` is defined then 53 `vote.Time = max(rs.Proposal.Timestamp + time.Millisecond,, time.Now())`, 54 55 - otherwise, `vote.Time = time.Now())`. In this case vote is for `nil` so it is not taken into account for 56 the timestamp of the next block.