github.com/ari-anchor/sei-tendermint@v0.0.0-20230519144642-dc826b7b56bb/spec/consensus/proposer-based-timestamp/README.md (about) 1 # Proposer-Based Timestamps (PBTS) 2 3 This section describes a version of the Tendermint consensus protocol 4 that uses proposer-based timestamps. 5 6 ## Context 7 8 Tendermint provides a deterministic, Byzantine fault-tolerant, source of time, 9 defined by the `Time` field present in the headers of committed blocks. 10 11 In the current consensus implementation, the timestamp of a block is 12 computed by the [`BFTTime`][bfttime] algorithm: 13 14 - Validators include a timestamp in the `Precommit` messages they broadcast. 15 Timestamps are retrieved from the validators' local clocks, 16 with the only restriction that they must be **monotonic**: 17 18 - The timestamp of a `Precommit` message voting for a block 19 cannot be earlier than the `Time` field of that block; 20 21 - The timestamp of a block is deterministically computed from the timestamps of 22 a set of `Precommit` messages that certify the commit of the previous block. 23 This certificate, a set of `Precommit` messages from a round of the previous height, 24 is selected by the block's proposer and stored in the `Commit` field of the block: 25 26 - The block timestamp is the *median* of the timestamps of the `Precommit` messages 27 included in the `Commit` field, weighted by their voting power. 28 Block timestamps are **monotonic** because 29 timestamps of valid `Precommit` messages are monotonic; 30 31 Assuming that the voting power controlled by Byzantine validators is bounded by `f`, 32 the cumulative voting power of any valid `Commit` set must be at least `2f+1`. 33 As a result, the timestamp computed by `BFTTime` is not influenced by Byzantine validators, 34 as the weighted median of `Commit` timestamps comes from the clock of a non-faulty validator. 35 36 Tendermint does not make any assumptions regarding the clocks of (correct) validators, 37 as block timestamps have no impact in the consensus protocol. 38 However, the `Time` field of committed blocks is used by other components of Tendermint, 39 such as IBC, the evidence, staking, and slashing modules. 40 And it is used based on the common belief that block timestamps 41 should bear some resemblance to real time, which is **not guaranteed**. 42 43 A more comprehensive discussion of the limitations of `BFTTime` 44 can be found in the [first draft][main_v1] of this proposal. 45 Of particular interest is to possibility of having validators equipped with "faulty" clocks, 46 not fairly accurate with real time, that control more than `f` voting power, 47 plus the proposer's flexibility when selecting a `Commit` set, 48 and thus determining the timestamp for a block. 49 50 ## Proposal 51 52 In the proposed solution, the timestamp of a block is assigned by its 53 proposer, according with its local clock. 54 In other words, the proposer of a block also *proposes* a timestamp for the block. 55 Validators can accept or reject a proposed block. 56 A block is only accepted if its timestamp is acceptable. 57 A proposed timestamp is acceptable if it is *received* within a certain time window, 58 determined by synchronous parameters. 59 60 PBTS therefore augments the system model considered by Tendermint with *synchronous assumptions*: 61 62 - **Synchronized clocks**: simultaneous clock reads at any two correct validators 63 differ by at most `PRECISION`; 64 65 - **Bounded message delays**: the end-to-end delay for delivering a message to all correct validators 66 is bounded by `MSGDELAY`. 67 This assumption is restricted to `Proposal` messages, broadcast by proposers. 68 69 `PRECISION` and `MSGDELAY` are consensus parameters, shared by all validators, 70 that define whether the timestamp of a block is acceptable. 71 Let `t` be the time, read from its local clock, at which a validator 72 receives, for the first time, a proposal with timestamp `ts`: 73 74 - **[Time-Validity]** The proposed timestamp `ts` received at local time `t` 75 is accepted if it satisfies the **timely** predicate: 76 > `ts - PRECISION <= t <= ts + MSGDELAY + PRECISION` 77 78 The left inequality of the *timely* predicate establishes that proposed timestamps 79 should be in the past, when adjusted by the clocks `PRECISION`. 80 The right inequality of the *timely* predicate establishes that proposed timestamps 81 should not be too much in the past, more precisely, not more than `MSGDELAY` in the past, 82 when adjusted by the clocks `PRECISION`. 83 84 A more detailed and formalized description is available in the 85 [System Model and Properties][sysmodel] document 86 87 ## Implementation 88 89 The implementation of PBTS requires some changes in Tendermint consensus algorithm, 90 summarized below: 91 92 - A proposer timestamps a block with the current time, read from its local clock. 93 The block's timestamp represents the time at which it was assembled 94 (after the `getValue()` call in line 18 of the [arXiv][arXiv] algorithm): 95 96 - Block timestamps are definitive, meaning that the original timestamp 97 is retained when a block is re-proposed (line 16); 98 99 - To preserve monotonicity, a proposer might need to wait until its clock 100 reads a time greater than the timestamp of the previous block; 101 102 - A validator only prevotes for *timely* blocks, 103 that is, blocks whose timestamps are considered *timely* (compared to the original Tendermint consensus, a check is added to line 23). 104 If the block proposed in a round is considered *untimely*, 105 the validator prevotes `nil` (line 26): 106 107 - Validators register the time at which they received `Proposal` messages, 108 in order to evaluate the *timely* predicate; 109 110 - Blocks that are re-proposed because they received `2f+1 Prevotes` 111 in a previous round (line 28) are not subject to the *timely* predicate, 112 as they have already been evaluated as *timely* at a previous round. 113 114 The more complex change proposed regards blocks that can be re-proposed in multiple rounds. 115 The current solution improves the [first version of the specification][algorithm_v1] (that never had been implemented) 116 by simplifying the way this situation is handled, 117 from a recursive reasoning regarding valid blocks that are re-proposed. 118 119 The full solution is detailed and formalized in the [Protocol Specification][algorithm] document. 120 121 ## Further details 122 123 - [System Model and Properties][sysmodel] 124 - [Protocol Specification][algorithm] 125 - [TLA+ Specification][proposertla] (first draft, not updated) 126 127 ### Open issues 128 129 - [PBTS: evidence #355][issue355]: not really clear the context, probably not going to be solved. 130 - [PBTS: should synchrony parameters be adaptive? #371][issue371] 131 - [PBTS: Treat proposal and block parts explicitly in the spec #372][issue372] 132 - [PBTS: margins for proposal times assigned by Byzantine proposers #377][issue377] 133 134 ### Closed issues 135 136 - [Proposer time - fix message filter condition #353][issue353] 137 - [PBTS: association between timely predicate and timeout_commit #370][issue370] 138 139 [main_v1]: ./v1/pbts_001_draft.md 140 141 [algorithm]: ./pbts-algorithm_002_draft.md 142 [algorithm_v1]: ./v1/pbts-algorithm_001_draft.md 143 144 [sysmodel]: ./pbts-sysmodel_002_draft.md 145 [sysmodel_v1]: ./v1/pbts-sysmodel_001_draft.md 146 147 [proposertla]: ./tla/TendermintPBT_001_draft.tla 148 149 [bfttime]: https://github.com/tendermint/tendermint/blob/master/spec/consensus/bft-time.md 150 [arXiv]: https://arxiv.org/pdf/1807.04938.pdf 151 152 [issue353]: https://github.com/tendermint/spec/issues/353 153 [issue355]: https://github.com/tendermint/spec/issues/355 154 [issue370]: https://github.com/tendermint/spec/issues/370 155 [issue371]: https://github.com/tendermint/spec/issues/371 156 [issue372]: https://github.com/tendermint/spec/issues/372 157 [issue377]: https://github.com/tendermint/spec/issues/377