MD-117: Ximen (Postconfirmations) Standards
- Description: Provides a set of liveness and correctness requirements for Postconfirmations protocols.
- Authors: Liam Monninger
- Approval: :red-cross:
- Etymology: These standards were drafted as a planned later alternative to the Dongmen Standards and so bear the name of a "younger" Taipei neighborhood, Ximen.
Overview
The Dongmen Standards (MD-116) acknowledge the inability of fully-synchronous protocols to satisfy traditional BFT assumptions. These standards accept MD-116.D2 and MD-116.D3 but reject MD-116.D1 (full synchronicity), proposing MD-117.D1 (partial synchronicity) in its place.
As a result, MD-116.D4 (minority awareness) is no longer relevant. However, because partial synchrony only guarantees liveness eventually, a clear consideration of attacks on the indefinite nature of agreement synchronicity is required instead (MD-117.D2).
Definitions
- Partially-synchronous: A model of distributed systems in which the network may behave asynchronously for an unbounded (but finite) period of time, after which it stabilizes and messages are guaranteed to arrive within some fixed delay. This transition point, known as the Global Stabilization Time (GST), is not known to the protocol. Unlike in fully-synchronous models, liveness is not guaranteed at any fixed moment, but is guaranteed eventually.
- Commitment Hostage Attack: An adversarial strategy in which a network or participant delays confirmation of a block (or decision) indefinitely by exploiting asynchrony, forcing the protocol into a state of limbo. These attacks often require post-facto reasoning or off-path resolution to identify and mitigate.
- Synchronicity Attack: A broader class of strategies in which an adversary manipulates message timing or node behavior to degrade the liveness or fairness of a consensus protocol, often without violating safety directly.
Desiderata
D1: Partially-synchronous
User journey: Consumers of Ximen Postconfirmations consensus can rely on agreement being achieved within a bounded delay after the Global Stabilization Time (GST) with respect to the confirming ledger, even though the GST itself is not known in advance.
Justification: Partial synchrony is the weakest timing model under which deterministic consensus remains possible despite the FLP impossibility result. While it does not yield predictable points in time at which consensus will be known, it does rule out permanent asynchrony and therefore permanent unliveness.
D2: Describe attacks on indefinite synchronicity
User journey: Consumers of Ximen Postconfirmations consensus can rely on a well-considered discussion of attacks on the indefinite nature of synchronicity. For a given Ximen Postconfirmation protocol, best efforts should be made to mitigate these attacks.
Justification: The Ximen Standards seek to ensure common synchronicity attacks, such as Commitment Hostage Attacks, are well-considered for an adhering protocol. Owing to the complexity and often off-path nature of these attacks, the Ximen Standards recognize that full and rigorous criteria for protections against these attacks are not practical.
Appendix
A1: Example
We extend the example of MD-116.A6.3 into a simple protocol that satisfies the desiderata above.
We assume the protocol progresses through epochs, which we argue in this example are equivalent to view changes. If the epoch changes, new voters must vote on the oldest undecided height. Voters that were already voters in the previous epoch need not vote again, since their existing votes continue to count.
We change step 2 of the algorithm to be:
- For each undecided height
- If AND , accept the tuple . Continue processing slot .
- Else Return
What can go wrong?
- Liveness may stall for up to an epoch length: if the current committee lacks enough live honest voters to form a quorum, no height can be decided until the epoch boundary. The L1 synchronizes the committee at epoch boundaries, and once enough committee members are honest and live (and the network has passed GST), the protocol becomes live again.
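The following discrete-time simulation is an added illustration of the D1 network model and the A1 epoch rule above; it is not Movement's code, and the class and parameter names (`Network`, `Postconfirmer`, `simulate`, `gst`, `delta`, `withholding`, the sample committees) are assumptions made for the example. The adversarial scheduler may hold a vote until GST, after which delivery is bounded by `delta`; decisions walk undecided heights from the oldest and stop at the first one without a 2f+1 quorum of the current committee; a voter that joins at an epoch boundary votes on every still-undecided height. Scenario (a) shows that nothing decides before GST but everything decides by GST + delta; scenario (c) reproduces the epoch-length stall described above, resolved only when the L1 rotates the committee.

```python
"""Toy model of the MD-117.A1 epoch-based postconfirmation vote under the
partially-synchronous (GST) network of MD-117.D1. Added example, not
Movement's code; all names and parameters are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    voter: str
    height: int
    block_id: str


class Network:
    """Adversarial scheduler for the GST model: a message sent before GST may be
    held for an unbounded but finite time (modelled here as: until GST); every
    message is delivered within `delta` ticks of max(send time, GST)."""

    def __init__(self, gst: int, delta: int) -> None:
        self.gst, self.delta = gst, delta
        self.in_flight = []  # (deliver_at, vote)

    def send(self, vote: Vote, now: int) -> None:
        self.in_flight.append((max(now, self.gst) + self.delta, vote))

    def deliver(self, now: int) -> list:
        ready = [v for t, v in self.in_flight if t <= now]
        self.in_flight = [(t, v) for t, v in self.in_flight if t > now]
        return ready


class Postconfirmer:
    """Step 2 of MD-117.A1: walk undecided heights from the oldest, accept a
    height once 2f+1 members of the *current* committee back one block, and
    stop at the first height that lacks a quorum."""

    def __init__(self, f: int, epoch_len: int, committees: list) -> None:
        self.quorum = 2 * f + 1
        self.epoch_len = epoch_len
        self.committees = committees
        self.votes = defaultdict(lambda: defaultdict(set))  # height -> block -> voters
        self.voted = defaultdict(set)                        # height -> voters (one vote each)
        self.decided = {}                                    # height -> (block_id, tick)

    def committee(self, now: int) -> set:
        epoch = min(now // self.epoch_len, len(self.committees) - 1)
        return self.committees[epoch]

    def receive(self, vote: Vote) -> None:
        if vote.voter in self.voted[vote.height]:
            return  # duplicate or equivocating vote: ignored
        self.voted[vote.height].add(vote.voter)
        self.votes[vote.height][vote.block_id].add(vote.voter)

    def step(self, now: int, max_height: int) -> None:
        members = self.committee(now)
        for h in range(1, max_height + 1):
            if h in self.decided:
                continue
            winners = [b for b, vs in self.votes[h].items()
                       if len(vs & members) >= self.quorum]
            if not winners:
                return  # the oldest undecided height blocks everything above it
            # Two 2f+1 quorums of a 3f+1 committee share f+1 voters and each
            # voter is counted once per height, so at most one block can win.
            assert len(winners) == 1, "safety violated"
            self.decided[h] = (winners[0], now)


def simulate(gst, delta, epoch_len, committees, withholding, heights, ticks, f=1):
    """Returns {height: tick at which it was decided}. Honest voters vote for
    block 'B<h>' once tick h is reached; a voter that joins at an epoch
    boundary votes on every still-undecided height, oldest first (the A1
    epoch rule). `withholding` voters never vote, which covers both a crashed
    node and a commitment-hostage attempt by a Byzantine one."""
    net, pc, sent = Network(gst, delta), Postconfirmer(f, epoch_len, committees), set()
    for now in range(ticks):
        for v in sorted(pc.committee(now) - withholding):
            for h in range(1, heights + 1):
                if h <= now and h not in pc.decided and (v, h) not in sent:
                    sent.add((v, h))
                    net.send(Vote(v, h, f"B{h}"), now)
        for vote in net.deliver(now):
            pc.receive(vote)
        pc.step(now, heights)
    return {h: tick for h, (_, tick) in pc.decided.items()}


if __name__ == "__main__":
    C0, C1 = {"v0", "v1", "v2", "v3"}, {"v0", "v1", "v2", "v4"}
    # (a) asynchrony until GST=15: no decision before GST, all heights by GST+delta
    print(simulate(15, 2, 10, [C0, C1], withholding={"v3"}, heights=3, ticks=40))
    # (b) synchronous from the start: height h decides at tick h + delta
    print(simulate(0, 2, 10, [C0, C1], withholding={"v3"}, heights=3, ticks=40))
    # (c) two silent voters in epoch 0 (beyond f=1): stuck until the L1 rotates
    #     the committee at the epoch boundary, then everything decides at once
    print(simulate(0, 2, 10, [C0, {"v0", "v1", "v4", "v5"}],
                   withholding={"v2", "v3"}, heights=2, ticks=30))
```

Scenario (a) is the commitment-hostage shape: the withholding voter alone cannot stall a 3f+1 committee, but the pre-GST scheduler can, and only the GST bound ends the limbo. Scenario (c) is the D2 caveat in miniature: with more faults than f in one committee the protocol stays stuck for the rest of the epoch regardless of GST, and recovery depends on the L1's committee rotation rather than on the vote itself.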