consensus: proposer-based timestamps

[ebuchman]

Current mechanism for BFT time includes a timestamp in every precommit, and just takes the median.

While simple and live despite arbitrary clock drift, it has some problems:

• can't be used for signature aggregation (since each vote has a unique timestamp component)
• gives +1/3 of the validator set complete control over the timestamp (see Interactions between BFT time & unbonding period #2653)

An alternative, originally proposed in #1615, is to let the proposer use their own local timestamp, and for validators to only vote for the block if the timestamp is within some range of their own clock. This requires all nodes to keep their clocks reasonably closely synced, and was originally rejected/postponed for this reason. But in order to solve the above two issues, we should reconsider this solution. We can also include an option to disable it, so folks that don't want to worry about synced clocks won't have to (but of course it means they might not have accurate timestamps in blocks).

We should write a new ADR for this and do some more analysis before fully moving forward with it.

Note there is also a follow up issue from the last BFT-time PR: #2309

[mdyring]

Slack chatter:

bucky
One important thing to note about #2840 (part of v0.33 milestone) is that it will introduce a clock synchronization assumption into Tendermint - ie. validators will be expected to run NTP or equivalent so that their internal clocks are roughly synchronized, else there will be a liveness failure. This is quite different from Tendermint now, and is the reason we didn’t move forward with this last summer when we introduced BFT time. Currently we just take the median of the timestamps, so there is no clock sync assumption, but the new approach will make it so proposed blocks are only valid if the timestamp is within some delta around each validators local timestamp. If you have concerns with this, please comment in the issue! (edited)

Ethan Frey
As long as delta is reasonably large (like 2 minutes, not 2 seconds), this seems like a reasonable assumption to me.

Tendermint halts with network failures, so there are plenty of assumptions about connectivity already

mdyring
Tried to read up on this, perhaps below was already addressed:

What happens once validators (out of malice or clock drift), starts proposing blocks that are right at the upper boundary (future) of true time+delta? Lets call this timestamp F.

Next proposer in turn might have a more accurate view of time, and won't be able to propose a block with timestamp before F (as time must move forward), resulting in missed block.

Seems this could also be exploited to make it hard/impossible for a next block proposer to choose a time (by deliberately proposing with a time in the future). (edited)

bucky
yep this is the kind of stuff we need to be super careful about and why we need more detailed spec write up first

mdyring
Somehow my intuition is that delta should be < block time for this to work, otherwise a validator can create shenanigans for next proposer. I would also expect NTP sync'd servers to be within a few hundred msec worst case.

[ebuchman]

Take heed of whats in #2309. It may be made irrelevant by the work here though.