TLDR
- This paper assesses the correctness of Tendermint, one of the industry’s most popular consensus protocols for cryptonetworks.
- By reverse engineering the protocol and setting the correctness criteria for evaluation, the authors find that Tendermint is correct under the most adversarial conditions.
Citation
-
Y, Amoussou-Guenou, A. del Pozzo, M. Potop-Butucaru, S. Tucci-Piergiovanni, “Dissecting Tendermint”, in Networked Systems, pp. 166-182, Springer International Publishing, 2019.
Core Research Question
- Is Tendermint consensus correct?
Background
-
Bitcoin and Ethereum, today’s most notable blockchain networks, achieve consensus using proof-of-work (PoW) algorithms; essentially, nodes run in a trustless network, competing among themselves to solve a crypto-puzzle. The node that gets to solve this puzzle first is granted the right to produce the next block of transactions, which is then appended to the blockchain. The winning node, in turn, receives rewards for proposing the next block.
-
PoW-based systems, however, suffer from two major issues: (1) Due to the complexity of solving the PoW puzzle, network throughput is inherently limited; in Ethereum, the theoretical throughput is 30 transactions per second; (2) when two or more nodes solve the PoW puzzle, different chain suffixes exist until the network agrees on what the canonical chain should be. Until then, the blockchain state is not deterministic, but rather defined in terms of a high probability.
-
Byzantine Fault Tolerance (BFT) consensus protocols comprise a family of protocols initially designed to solve state-machine replication (e.g., a database) so that systems can converge on a single, canonical sequence of events in light of inconsistent database replicas.
-
Over three decades of BFT research has led to practical protocols, such as the one in seminal work by Castro and Liskov: Practical Byzantine Fault Tolerance (PBFT). PBFT protocols stand as an alternative to PoW-based consensus.
-
PBFT protocols guarantee consensus even if some participating network nodes display Byzantine behavior, i.e., they have an arbitrary behavior (which may not necessarily be intentional or malicious), provided the following conditions hold:
- The number of nodes is at least 3f + 1, where f denotes the number of nodes with Byzantine behavior (arbitrary behavior, and may or not be intentional/malicious). An explanation proving this requirement can be found here;
- Nodes participating in the consensus must be known. In Tendermint, these are called validators;
- Communication occurs through an eventually synchronous network, i.e., after a finite but unknown time, a sent message is received within a given amount of expected delay. The intuition is as follows: there is a period of time that the network is asynchronous (a message can be delayed indefinitely), after which it is synchronous (there is an upper bound limit for the delay).
-
As an alternative to previous iterations of consensus protocols, Tendermint provides a PBFT-based consensus implementation. As such, the same conditions imposed by PBFT apply to Tendermint. For a lightweight presentation of the internals of Tendermint’s consensus protocol, we refer readers to Tendermint’s official post: What is Tendermint?.
-
When studying Tendermint, the authors make use of a system model outlining their basic assumptions, which entails: the number of nodes currently running in the network (arrival model), which nodes can exhibit Byzantine behavior (failure model), the network communication model, and the execution steps in which the nodes operate (execution model):
- Arrival model:
- The number of nodes in the network is finite at any given time; the amount of nodes in any given point in is not known beforehand;
- The pool of nodes that could potentially join the network is unlimited;
- Validator nodes are a subset of the nodes in any given point in time. Nodes can become validators based on some merit parameter; for instance, based on a bond provided to the network (stake). The validator set can be changed over time, and its size is always known beforehand.
- Failure model: Any number of nodes in the network can have a Bynzatine behavior. Such nodes are denoted as faulty. Non-faulty nodes are deemed as correct. At any given time, the number of nodes (n) in the network is at least three times the number of faulty nodes (3f) plus one: n >= 3f + 1;
- Communication model: nodes communicate in a eventually synchronous network;
- Execution model: Each correct node operates in rounds made of three phases, namely:
- Send: initially, a node broadcasts messages computed in the previous round, or sends a default one if it is the first round. This operation is atomic (either it fully succeeds or fails);
- Delivery: collect messages sent by other nodes. This operation is also atomic;
- Compute: performs based on the messages delivered, the node updates its state.
- Arrival model:
-
The send and delivery phases are taken to be instantaneous operations whereas the delivery phase is not;
-
No global clock exists; nodes rely solely on their local clock.
Summary
- The authors analyze the correctness of the consensus implementation in Tendermint, with respect to:
- Termination: eventually, every correct validator eventually decides on a state;
- Integrity: no correct nodes decided twice;
- Agreement: if a correct validator decides on a given state s, then eventually all correct nodes also decide that its state should also be s;
- Validity: a state is said to be valid if it satisfies a corresponding predicate, abstracted as valid.
- State essentially means which block should be appended to the local copy of the blockchain as kept by each node.
Method
- The authors reverse engineer the properties of the Tendermint consensus protocol
- They then provide mathematical proofs to reason about the protocol’s properties
Results
- In an eventual synchronous system under Byzantine faults, the Tendermint consensus implementation is correct w.r.t. validity, integrity, agreement, and termination.
Implications & Follow-ups
- While Tendermint scales better than its traditional blockchain consensus counterparts, prior to this work it was unknown whether its consensus implementation was correct. This paper sets this milestone.
Applicability
- The paper presentation provides readers with the grounds to better understand the properties of Tendermint’s consensus protocol. This could be particularly useful to researchers willing to study Tendermint (and PBFT in the context of blockchain), as well as developers willing to contribute to the project’s open-source codebase.
- The results of the paper also provide actors (DApp developer, node operators, validators, etc) interfacing with Tendermint with the specific (and verified) guarantees that the network provides.