PBTS: should synchrony parameters be adaptive?

[cason]

Original discussion: tendermint/spec#371.

Summary

The issue here is the possibility that the application configures bad (e.g., very conservative) time bounds, resulting in a chain that will halt as proposals will be rejected by all or most of correct nodes. This situation is hard to deal because the synchronous parameters are consensus parameters, which require committing blocks to be updated. Which might become unfeasible if consensus cannot progress due to bad parameters.

There are two synchronous parameters considered by PBTS: PRECISION and MSGDELAY. PRECISION should not be a problem here, as it restricts malicious nodes from proposing timestamps in the future. The MSGDELAY parameter, in its turn, restricts malicious nodes from proposing timestamps "too much in the past". The diagram below can be helpful to understand the use of these parameters to validate proposed timestamps:

By setting a MSGDELAY parameter that is unrealistic (too low), a chain might end up in a situation in which correct validators reject proposals because their timestamps are deemed "too much in the past" because the observed propagation delay for proposals is larger than the configured MSGDELAY parameter.

Adaptive MSGDELAY

The general idea is that we should increase the MSGDELAY parameter adopted by PBTS when we fail to accept proposals in multiple rounds, which may indicate that the value chosen for this parameter was inadequate.

A possible analogy here is timeout_propose, the maximum expected delay for a proposed value (proposal and full block) to reach correct validators. Once a round fails on reaching a decision, the next round considers an increased delay timeout_propose(round - 1) + timeout_propose_delta, which is linearly increased until it represents the actual delay for delivering full proposals to correct validators. The same concept could be adopted for the MSGDELAY parameter.

The original issue several approaches for adaptive synchronous parameters for PBTS. They include a round from which adaptations start being adopted, how we adapt the values (linearly, exponentially) etc. The implemented version (this PR) adopted an exponential increasing of MSGDELAY when more than 10 rounds are needed to decide on a value.

Open questions

1. Do we need adaptive synchrony parameters?
2. If so, how and when we increase the value of MSGDELAY?
3. How we specify/document this approach, making it clear to external components which synchrony parameters were used to validate the timestamp of a given block

Definition of Done

• Mechanism to relax timely verification under certain circumstances is defined
• PBTS: Implement adaptive synchronous parameters for consensus #2432

Documentation:

• docs: document PBTS adaptive delays mechanism #2452
  • ADR 112 describes the implementation of this mechanism
  • PBTS runbook is updated accordingly
  • PBTS documentation is updated accordingly
• PBTS spec: spec: adaptive MSGDELAY parameter included in PBTS spec #2318

[sergio-mena]

This also has to do with discussions we had with the dYdX team last summer. Their argument being that, if PBTS was to be implemented as an ABCI++ application, the PBTS timely predicate, if specified without an adaptive mechanism, would not fulfill PrepareProposal-ProcessProposal's coherence and determinism requirements.
Such discussion led to RFC 105.

[sergio-mena]

This is an attempt to summarize our discussion during today's meeting on this subject (attendees @ancazamfir, @lasarojc, @glnro, @josef-widder):

We have extensively discussed the need for MSGDELAY parameter

• If we remove it, byzantine proposers can set block timestamps arbitrarily in the past up to the timestamp of the previous block
• Assume a relatively big value for MSGDELAY (e.g., 12 seconds for a chain with average block time of 6 seconds)
  • if we have a streak of several byzantine proposers proposing timestamps just 1 ms after the previous block, we may deviate from "real time" by more that 12 seconds at some point (>MSGDELAY).
  • it's true that if $f < n/3$ holds, this detachment of the chain from real time will be temporary (until an honest proposer proposes a block with a timestamp read from its synchronized clock)
• The main problem is that, MSGDELAY allows for simple and elegant formulas and properties to be expressed in the spec, as something can be said about each block
  • However, if we need adaptive MSGDELAY, we can't guarantee strong properties in the spec or implement them in the code

Right toward the end of the meeting, a proposal was made

• @josef-widder said that a compromise would be to still be able to keep the formulas and properties as they are in the spec (i.e., including MSGDELAY), but state that they hold for round 0 only
• If that is done on the spec side, then why not just implementing that (simpler than the solution implemented in 2022):
  • We use the spec's formulas for timely in round 0
  • We remove MSGDELAY from the formulas for timely in any round r > 0

What do folks think about this proposal for the spec/implementation? (@cason)

[josef-widder]

On the spec side, we should then have two sets of properties

• decision in round 0: b.time not too much in the future and not too much in the past
• decision in round >0: b.time not too much in the future

We should also add a paragraph to explain the scenario that

• Byzantine proposers may slow down the progress of b.time: with every block the time in the block could just grow 1ms/6sec (assuming blocktimes of 6 seconds) if the decision is postponed to round 1
• this could accumulate if there are multiple byzantine proposers in successive heights (all going to round 1)
• but with the first correct successful proposer, we are back to having b.time synchronized to NTP time, again

[ancazamfir]

• Byzantine proposers may slow down the progress of b.time: with every block the time in the block could just grow 1ms/6sec (assuming blocktimes of 6 seconds) if the decision is postponed to round 1

same (1ms/6sec) in round 0 if MSGDELAY > blocktime.

In general a byzantine proposer could:

• for round >0 go back in time to: time(h-1) + 1ms
  - for round 0 go back to: ~min( time(h-1) + 1ms, time.now - MSGDELAY)
• for round 0 go back to: ~latest( time(h-1) + 1ms, time.now - MSGDELAY)

It would be nice to have some plots showing worst block times with a network with f pbts-byzantine proposers.

[lasarojc]

Didn't get this piece

for round 0 is ~min( time(h-1) + 1ms, time.now - MSGDELAY)

do you mean that it can go back in time to these values? If so then it should be max instead of min, correct?

[ancazamfir]

Didn't get this piece

for round 0 is ~min( time(h-1) + 1ms, time.now - MSGDELAY)

do you mean that it can go back in time to these values? If so then it should be max instead of min, correct?

yes it is max, good catch

Edit: Just corrected to use latest

[cason]

Just to mention that this discussion has happened here: tendermint/tendermint#7947

It discusses the margins a Byzantine proposer has to produce block times not matching its current time, provided the margins accepted by PBTS.

An important point is that it can go further time.Now() - MSGDELAY, it can "add" (push it to the past) an additional expectation of the actual message delay of the network, or at least its guess of the minimal message delay in the network.

[cason]

* for round 0 go back to: `~latest( time(h-1) + 1ms, time.now - MSGDELAY`)

This is actually wrong, right? As it assumes that the propagation delay will be 0. Namely, if a Byzantine proposer sets ts = time.Now() - MSGDELAY and the Proposal takes D time to get to a given node, we have

ts = time.Now() - MSGDELAY
proposalReceiveTime = time.Now() + D
ts >= proposalReceiveTime - MSGDELAY - PRECISION
time.Now() - MSGDELAY >= time.Now() + D - MSGDELAY - PRECISION
D <= PRECISION

Since we are not considering PRECISION in the first two definitions, this is bet on the best (or maybe worst) case of clock skew.