In Tendermint blockchains, the proof-of-stake mechanism and the underlying consensus algorithm entail a dynamic fault model: the active validators (nodes that sign blocks) may change over time, and a quorum of these validators is assumed to be correct only for a limited period of time (called the trusting period). Changes to the validator set are under the control of the blockchain application and are committed in every block. To check the state of the blockchain application at some height h, one needs to know the validator set at that height in order to verify the corresponding digital signatures and hashes. A naive way of determining the validator set for height h requires one to: (i) download all blocks before h, (ii) verify the blocks by checking digital signatures and hashes, and (iii) execute the corresponding transactions so that the changes in the validator sets are reproduced. This can potentially be very slow and both computationally and data intensive. In this paper we formalize the dynamic fault model imposed by Tendermint and describe a light client protocol for checking the state of the blockchain application that, in realistic settings, significantly reduces the amount of data that must be downloaded and the number of computationally expensive signature verification operations required. In addition to mathematical proofs, we have formalized the light client protocol in TLA+ and checked safety and liveness with the APALACHE model checker.