31 KiB
Lite client
A lite client is a process that connects to Tendermint full node(s) and then tries to verify application data using the Merkle proofs.
Problem statement
We assume that the lite client knows a (base) header inithead it trusts (by social consensus or because the lite client has decided to trust the header before). The goal is to check whether another header newhead can be trusted based on the data in inithead.
The correctness of the protocol is based on the assumption that inithead was generated by an instance of Tendermint consensus.
Definitions
Data structures
In the following, only the details of the data structures needed for this specification are given.
type Header struct {
Height int64
Time Time // the chain time when the header (block) was generated
// hashes from the app output from the prev block
ValidatorsHash []byte // hash of the validators for the current block
NextValidatorsHash []byte // hash of the validators for the next block
// hashes of block data
LastCommitHash []byte // hash of the commit from validators from the last block
}
type SignedHeader struct {
Header Header
Commit Commit // commit for the given header
}
type ValidatorSet struct {
Validators []Validator
TotalVotingPower int64
}
type Validator struct {
Address Address // validator address (we assume validator's addresses are unique)
VotingPower int64 // validator's voting power
}
type TrustedState {
SignedHeader SignedHeader
ValidatorSet ValidatorSet
}
Functions
For the purpose of this lite client specification, we assume that the Tendermint Full Node exposes the following functions over Tendermint RPC:
// returns signed header: Header with Commit
func Commit(height int64) (SignedHeader, error)
// returns validator set for the given height
func Validators(height int64) (ValidatorSet, error)
Furthermore, we assume the following auxiliary functions:
// returns the validator set for the given validator hash
func validators(validatorsHash []byte) ValidatorSet
// returns the set of validators from the given validator set that committed the block
func signers(commit Commit, validatorSet ValidatorSet) []Validator
// return the voting power the validators in v1 have according to their voting power in set V2
func votingPowerIn(v1 []Validator, v2 ValidatorSet) int64
// add this state as trusted to the store
func add(store Store, trustedState TrustedState) error
// retrieve the trusted state at given height if it exists (error = nil)
// return an error if there are no trusted state for the given height
// if height = 0, return the latest trusted state
func get(store Store, height int64) (TrustedState, error)
Tendermint Failure Model
If a block b is generated at time Time (and this time is stored in the block), then a set of validators that
hold more than 2/3 of the voting power in validators(b.Header.NextValidatorsHash) is correct until time
b.Header.Time + TRUSTED_PERIOD.
Assumption: "correct" is defined w.r.t. realtime (some Newtonian global notion of time, i.e., wall time),
while Header.Time corresponds to the BFT time. In this note, we assume that clocks of correct processes
are synchronized (for example using NTP), and therefore there is bounded clock drift between clocks and
BFT time. We can make this more precise eventually (incorporating clock drift, accuracy, precision, etc.). Right now,
we consider this assumption sufficient, as clock synchronization (under NTP) is in the order of milliseconds and
TRUSTED_PERIOD is in the order of weeks.
Remark: This failure model might change to a hybrid version that takes heights into account in the future.
The specification in this document considers an implementation of the lite client under the Tendermint Failure Model. Issues
like counter-factual signing, fork accountability and evidence submission are mechanisms that justify this assumption by
incentivizing validators to follow the protocol. If they don't, and we have 1/3 (or more) faults, safety may be violated.
Our approach then is to detect these cases (after the fact), and take suitable repair actions (automatic and social).
This is discussed in document on Fork accountability.
Functions
VerifyAndUpdateSingle. The function VerifyAndUpdateSingle attempts to update
the (trusted) store with the given untrusted header and the corresponding validator sets.
It ensures that the last trusted header from the store hasn't expired yet (it is still within its trusted period),
and that the untrusted header can be verified using the latest trusted state from the store.
Note that this function is not making external (RPC) calls to the full node; the whole logic is
based on the local (given) state. This function is supposed to be used by the IBC handlers.
func VerifyAndUpdateSingle(untrustedSh SignedHeader,
untrustedVs ValidatorSet,
untrustedNextVs ValidatorSet,
trustThreshold TrustThreshold,
trustingPeriod Duration,
now Time,
store Store) error {
// fetch the latest state and ensure it hasn't expired
trustedState, error = get(store, 0)
if error != nil return error
trustedSh = trustedState.SignedHeader
if !isWithinTrustedPeriod(trustedSh.Header, trustingPeriod, now) {
return ErrHeaderNotWithinTrustedPeriod
}
error = verifySingle(
trustedState,
untrustedSh,
untrustedVs,
untrustedNextVs,
trustThreshold)
if error != nil return error
// the untrusted header is now trusted. update the store
newTrustedState = TrustedState(untrustedSh, untrustedNextVs)
return add(store, newTrustedState)
}
VerifyAndUpdateBisection. The function VerifyAndUpdateBisection captures high level logic, i.e., application call
to the lite client module to (optionally download) and verify header for some height. The core verification logic is
captured by CanTrust function that iteratively try to establish trust in given header by relying on CheckSupport function.
func VerifyAndUpdateBisection(height int64,
trustThreshold TrustThreshold,
trustingPeriod Duration,
now Time,
store Store) error {
// fetch the latest state and ensure it hasn't expired
trustedState, error = get(store, 0)
if error != nil return error
trustedSh = trustedState.SignedHeader
assert trustedSh.Header.Height < height
if !isWithinTrustedPeriod(trustedSh.Header, trustingPeriod, now) {
return ErrHeaderNotWithinTrustedPeriod
}
untrustedSh, error := Commit(height)
if error != nil return error
untrustedH = untrustedSh.Header
untrustedVs, error := Validators(untrustedH.Height)
if error != nil return error
untrustedNextVs, error := Validators(untrustedH.Height + 1)
if error != nil return error
error = verifySingle(
trustedState,
untrustedSh,
untrustedVs,
untrustedNextVs,
trustThreshold)
if fatalCheckSupportError(error) return error
if error == nil {
// the untrusted header is now trusted. update the store
newTrustedState = TrustedState(untrustedSh, untrustedNextVs)
return add(store, newTrustedState)
}
// at this point in time we need to do bisection
pivotHeight := ceil((trustedSh.Header.Height + untrustedH.Height) / 2)
error = VerifyAndUpdateBisection(pivotHeight, trustThreshold, trustingPeriod, now, store)
if error != nil return error
error = VerifyAndUpdateBisection(untrustedH.Height, trustThreshold, trustingPeriod, now, store)
if error != nil return error
return nil
}
func verifySingle(trustedState TrustedState,
untrustedSh SignedHeader,
untrustedVs ValidatorSet,
untrustedNextVs ValidatorSet,
trustThreshold TrustThreshold) error {
// ensure the new height is higher
untrustedHeight = untrustedSh.Header.Height
trustedHeight = trustedState.SignedHeader.Header.Height
assert untrustedHeight > trustedHeight
// validate the untrusted header against its commit, vals, and next_vals
untrustedHeader = untrustedSh.Header
untrustedCommit = untrustedSh.Commit
error = validateHeaderAndVals(untrustedSh, untrustedVs, untrustedNextVs)
if error != nil return error
trustedHeader = trustedState.SignedHeader.Header
trustedVs = trustedState.ValidatorSet
// check for adjacent headers
if untrustedHeight == trustedHeight + 1 {
if trustedHeader.NextValidatorsHash != untrustedHeader.ValidatorsHash {
return ErrInvalidAdjacentHeaders
}
} else {
error = verifyCommitTrusting(trustedVs, untrustedCommit, trustThreshold)
if error != nil return error
}
// verify the untrusted commit
return verifyCommitFull(untrustedVs, untrustedCommit)
}
func validateHeaderAndVals(signedHeader SignedHeader, vs ValidatorSet, nextVs ValidatorSet) error {
if hash(nextVs) != signedHeader.Header.NextValidatorsHash or
hash(vs) != signedHeader.Header.ValidatorsHash or
!matchingCommit(signedHeader) { // commit corresponds to the header
return error
}
}
func verifyCommitFull(vs ValidatorSet, commit Commit) error {
totalPower := vs.TotalVotingPower;
signed_power := votingPowerIn(signers(commit, vs), vs)
// check the signers account for +2/3 of the voting power
if signed_power * 3 <= total_power * 2 return error
return nil
}
func verifyCommitTrusting(vs ValidatorSet, commit Commit, trustLevel TrustThreshold) error {
totalPower := vs.TotalVotingPower;
signed_power := votingPowerIn(signers(commit, vs), vs)
// check the signers account for more than max(1/3, trustLevel) of the voting power
if signed_power <= max(1/3, trustLevel) * totalPower return error
return nil
}
// return true if header is within its lite client trusted period; otherwise it returns false
func isWithinTrustedPeriod(header Header,
trustingPeriod Duration,
now Time) bool {
return header.Time + trustedPeriod > now
}
func fatalCheckSupportError(err) bool {
return err == ErrHeaderNotWithinTrustedPeriod or err == ErrInvalidAdjacentHeaders
}
The function CanTrust checks whether to trust header untrusted_h based on the trusted header trusted_h It does so by (potentially)
building transitive trust relation between trusted_h and untrusted_h, over some intermediate headers. For example, in case we cannot trust
header untrusted_h based on the trusted header trusted_h, the function CanTrust will try to find headers such that we can transition trust
from trusted_h over intermediate headers to untrusted_h. We will give two implementations of CanTrust, the one based
on bisection that is recursive and the other that is non-recursive. We give two implementations as recursive version might be easier
to understand but non-recursive version might be simpler to formally express and verify using TLA+/TLC.
Both implementations of CanTrust function are based on CheckSupport function that implements the skipping conditions under which we can trust a
header untrusted_h given the trust in the header trusted_h as a single step,
i.e., it does not assume ensuring transitive trust relation between headers through some intermediate headers.
// return nil in case we can trust header untrusted_h based on header trusted_h; otherwise return error
// where error captures the nature of the error.
// Note that untrusted_h must have been verified by the caller, i.e. verify(untrusted_h) was successful.
func CanTrust(trusted_h,untrusted_h,trustThreshold) error {
assert trusted_h.Header.Height < untrusted_h.header.Height
th := trusted_h // th is trusted header
// untrustedHeader is a list of (?) verified headers that have not passed CheckSupport()
untrustedHeaders := [untrusted_h]
while true {
for h in untrustedHeaders {
// we assume here that iteration is done in the order of header heights
err = CheckSupport(th,h,trustThreshold)
if err == nil {
if !verify(h) { return ErrInvalidHeader(h) }
th = h
Store.Add(h)
untrustedHeaders.RemoveHeadersSmallerOrEqual(h.Header.Height)
if th == untrusted_h { return nil }
}
if fatalCheckSupportError(err) { return err }
}
endHeight = min(untrustedHeaders)
while true {
pivot := ceil((th.Header.height + endHeight) / 2)
hp := Commit(pivot)
// try to move trusted header forward to hp
err = CheckSupport(th,hp,trustThreshold)
if fatalCheckSupportError(err) return err
if err == nil {
if !verify(hp) { return ErrInvalidHeader(hp) }
th = hp
Store.Add(th)
break
}
untrustedHeaders.add(hp)
endHeight = pivot
}
}
return nil // this line should never be reached
}
func CheckSupport(trusted_h,untrusted_h,trustThreshold) error {
assert trusted_h.Header.Height < untrusted_h.header.Height and
trusted_h.Header.bfttime < untrusted_h.Header.bfttime and
untrusted_h.Header.bfttime < now
if !isWithinTrustedPeriod(trusted_h) return ErrHeaderNotWithinTrustedPeriod(trusted_h)
// Although while executing the rest of CheckSupport function, trusted_h can expire based
// on the lite client trusted period, this is not problem as lite client trusted
// period is smaller than trusted period of the header based on Tendermint Failure
// model, i.e., there is a significant time period (measure in days) during which
// validator set that has signed trusted_h can be trusted. Furthermore, CheckSupport function
// is not doing expensive operation (neither rpc nor signature verification), so it
// should execute fast.
// check for adjacent headers
if untrusted_h.Header.height == trusted_h.Header.height + 1 {
if trusted_h.Header.NextV == untrusted_h.Header.V
return nil
return ErrInvalidAdjacentHeaders
}
// total sum of voting power of validators in trusted_h.NextV
vp_all := totalVotingPower(trusted_h.Header.NextV)
// check for non-adjacent headers
if votingPowerIn(signers(untrusted_h.Commit),trusted_h.Header.NextV) > max(1/3,trustThreshold) * vp_all {
return nil
}
return ErrTooMuchChange
}
func fatalCheckSupportError(err) bool {
return err == ErrHeaderNotWithinTrustedPeriod or err == ErrInvalidAdjacentHeaders
func CanTrustBisection(trusted_h,untrusted_h,trustThreshold) error {
assume trusted_h.Header.Height < untrusted_h.header.Height
err = CheckSupport(trusted_h,untrusted_h,trustThreshold)
if err == nil {
Store.Add(untrusted_h)
return nil
}
if err != ErrTooMuchChange return err
pivot := (trusted_h.Header.height + untrusted_h.Header.height) / 2
hp := Commit(pivot)
if !verify(hp) return ErrInvalidHeader(hp)
err = CanTrustBisection(trusted_h,hp,trustThreshold)
if err == nil {
Store.Add(hp)
err2 = CanTrustBisection(hp,untrusted_h,trustThreshold)
if err2 == nil {
Store.Add(untrusted_h)
return nil
}
return err2
}
return err
}
CheckSupport. The following function defines skipping condition under the Tendermint Failure model, i.e., it defines when we can trust the header untrusted_h based on header trusted_h.
Time validity of a header is captured by the isWithinTrustedPeriod function that depends on lite client trusted period (LITE_CLIENT_TRUSTED_PERIOD) and it returns
true in case the header is within its lite client trusted period.
verify function is capturing basic header verification, i.e., it ensures that the header is signed by more than 2/3 of the voting power of the corresponding validator set.
// Captures skipping condition. trusted_h and untrusted_h have already passed basic validation
// (function `verify`).
// Returns nil in case untrusted_h can be trusted based on trusted_h, otherwise returns error.
// ErrHeaderNotWithinTrustedPeriod is used when trusted_h has expired with respect to lite client trusted period,
// ErrInvalidAdjacentHeaders when that adjacent headers are not consistent and
// ErrTooMuchChange when there is not enough intersection between validator sets to have
// skipping condition true.
func CheckSupport(trusted_h,untrusted_h,trustThreshold) error {
assert trusted_h.Header.Height < untrusted_h.header.Height and
trusted_h.Header.bfttime < untrusted_h.Header.bfttime and
untrusted_h.Header.bfttime < now
if !isWithinTrustedPeriod(trusted_h) return ErrHeaderNotWithinTrustedPeriod(trusted_h)
// Although while executing the rest of CheckSupport function, trusted_h can expire based
// on the lite client trusted period, this is not problem as lite client trusted
// period is smaller than trusted period of the header based on Tendermint Failure
// model, i.e., there is a significant time period (measure in days) during which
// validator set that has signed trusted_h can be trusted. Furthermore, CheckSupport function
// is not doing expensive operation (neither rpc nor signature verification), so it
// should execute fast.
// check for adjacent headers
if untrusted_h.Header.height == trusted_h.Header.height + 1 {
if trusted_h.Header.NextV == untrusted_h.Header.V
return nil
return ErrInvalidAdjacentHeaders
}
// total sum of voting power of validators in trusted_h.NextV
vp_all := totalVotingPower(trusted_h.Header.NextV)
// check for non-adjacent headers
if votingPowerIn(signers(untrusted_h.Commit),trusted_h.Header.NextV) > max(1/3,trustThreshold) * vp_all {
return nil
}
return ErrTooMuchChange
}
The case untrusted_h.Header.height < trusted_h.Header.height
In the use case where someone tells the lite client that application data that is relevant for it
can be read in the block of height k and the lite client trusts a more recent header, we can use the
hashes to verify headers "down the chain." That is, we iterate down the heights and check the hashes in each step.
Remark. For the case were the lite client trusts two headers i and j with i < k < j, we should
discuss/experiment whether the forward or the backward method is more effective.
func Backwards(trusted_h,untrusted_h) error {
assert (untrusted_h.Header.height < trusted_h.Header.height)
if !isWithinTrustedPeriod(trusted_h) return ErrHeaderNotTrusted(trusted_h)
old := trusted_h
for i := trusted_h.Header.height - 1; i > untrusted_h.Header.height; i-- {
new := Commit(i)
if (hash(new) != old.Header.hash) {
return ErrInvalidAdjacentHeaders
}
old := new
if !isWithinTrustedPeriod(trusted_h) return ErrHeaderNotTrusted(trusted_h)
}
if hash(untrusted_h) != old.Header.hash return ErrInvalidAdjacentHeaders
return nil
}
In order to incentivize correct behavior of validators that run Tendermint consensus protocol, fork detection protocol (it will be explained in different document) is executed in case of a fork (conflicting
headers are detected). As detecting conflicting headers, its propagation through the network (by the gossip protocol) and execution of the fork accountability
protocol on the chain takes time, the lite client logic assumes conservative value for trusted period. More precisely, in the context of lite client we always
operate with a smaller trusted period that we call lite client trusted period (LITE_CLIENT_TRUSTED_PERIOD). If we assume that upper bound
for fork detection, propagation and processing on the chain is denoted with fork procession period (FORK_PROCESSING_PERIOD), then the following formula
holds:
LITE_CLIENT_TRUSTED_PERIOD + FORK_PROCESSING_PERIOD < TRUSTED_PERIOD, where TRUSTED_PERIOD comes from the Tendermint Failure Model.
Assumption: In the following, we assume that untrusted_h.Header.height > trusted_h.Header.height. We will quickly discuss the other case in the next section.
We consider the following set-up:
- the lite client communicates with one full node
- the lite client locally stores all the headers that has passed basic verification and that are within lite client trust period. In the pseudo code below we write Store.Add(header) for this. If a header failed to verify, then the full node we are talking to is faulty and we should disconnect from it and reinitialise with new peer.
- If
CanTrustreturns error, then the lite client has seen a forged header or the trusted header has expired (it is outside its trusted period).- In case of forged header, the full node is faulty so lite client should disconnect and reinitialise with new peer. If the trusted header has expired, we need to reinitialise lite client with new trusted header (that is within its trusted period), but we don't necessarily need to disconnect from the full node we are talking to (as we haven't observed full node misbehavior in this case).
Context of this document
In order to make sure that full nodes have the incentive to follow the protocol, we have to address the following three Issues
-
The lite client needs a method to verify headers it obtains from a full node it connects to according to trust assumptions -- this document.
-
The lite client must be able to connect to other full nodes to detect and report on failures in the trust assumptions (i.e., conflicting headers) -- a future document (see #4215).
-
In the event the trust assumption fails (i.e., a lite client is fooled by a conflicting header), the Tendermint fork accountability protocol must account for the evidence -- a future document (see #3840).
The term "trusting" above indicates that the correctness of the protocol depends on this assumption. It is in the responsibility of the user that runs the lite client to make sure that the risk of trusting a corrupted/forged inithead is negligible.
-
For each header h it has locally stored, the lite client stores whether it trusts h. We write trust(h) = true, if this is the case.
-
signed header fields: contains a header and a commit for the current header; a "seen commit". In Tendermint consensus the "canonical commit" is stored in header height + 1.
- Validator fields. We will write a validator as a tuple (v,p) such that
- v is the identifier (we assume identifiers are unique in each validator set)
- p is its voting power
- Validator fields. We will write a validator as a tuple (v,p) such that
Definitions
- TRUSTED_PERIOD: trusting period
- for realtime t, the predicate correct(v,t) is true if the validator v follows the protocol until time t (we will see about recovery later).
Tendermint Failure Model
If a block b is generated at time Time (and this time is stored in the block), then a set of validators that
hold more than 2/3 of the voting power in validators(b.Header.NextValidatorsHash) is correct until time
b.Header.Time + TRUSTED_PERIOD.
Formally, [ \sum_{(v,p) \in h.Header.NextV \wedge correct(v,h.Header.bfttime + TRUSTED_PERIOD)} p > 2/3 \sum_{(v,p) \in h.Header.NextV} p ]
Lite Client Trusting Spec
The lite client communicates with a full node and learns new headers. The goal is to locally decide whether to trust a header. Our implementation needs to ensure the following two properties:
-
Lite Client Completeness: If header h was correctly generated by an instance of Tendermint consensus (and its age is less than the trusting period), then the lite client should eventually set trust(h) to true.
-
Lite Client Accuracy: If header h was not generated by an instance of Tendermint consensus, then the lite client should never set trust(h) to true.
Remark: If in the course of the computation, the lite client obtains certainty that some headers were forged by adversaries (that is were not generated by an instance of Tendermint consensus), it may submit (a subset of) the headers it has seen as evidence of misbehavior.
Remark: In Completeness we use "eventually", while in practice trust(h) should be set to true before h.Header.bfttime + tp. If not, the block cannot be trusted because it is too old.
Remark: If a header h is marked with trust(h), but it is too old (its bfttime is more than tp ago), then the lite client should set trust(h) to false again.
Assumption: Initially, the lite client has a header inithead that it trusts correctly, that is, inithead was correctly generated by the Tendermint consensus.
To reason about the correctness, we may prove the following invariant.
Verification Condition: Lite Client Invariant. For each lite client l and each header h: if l has set trust(h) = true, then validators that are correct until time h.Header.bfttime + tp have more than two thirds of the voting power in h.Header.NextV.
Formally, [ \sum_{(v,p) \in h.Header.NextV \wedge correct(v,h.Header.bfttime + tp)} p > 2/3 \sum_{(v,p) \in h.Header.NextV} p ]
Remark. To prove the invariant, we will have to prove that the lite client only trusts headers that were correctly generated by Tendermint consensus, then the formula above follows from the Tendermint failure model.
High Level Solution
Upon initialization, the lite client is given a header inithead it trusts (by social consensus). It is assumed that inithead satisfies the lite client invariant. (If inithead has been correctly generated by Tendermint consensus, the invariant follows from the Tendermint Failure Model.) Note that the inithead should be within its trusted period during initialization.
When a lite clients sees a signed new header snh, it has to decide whether to trust the new header. Trust can be obtained by (possibly) the combination of three methods.
-
Uninterrupted sequence of proof. If a block is appended to the chain, where the last block is trusted (and properly committed by the old validator set in the next block), and the new block contains a new validator set, the new block is trusted if the lite client knows all headers in the prefix. Intuitively, a trusted validator set is assumed to only chose a new validator set that will obey the Tendermint Failure Model.
-
Trusting period. Based on a trusted block h, and the lite client invariant, which ensures the fault assumption during the trusting period, we can check whether at least one validator, that has been continuously correct from h.Header.bfttime until now, has signed snh. If this is the case, similarly to above, the chosen validator set in snh does not violate the Tendermint Failure Model.
-
Bisection. If a check according to the trusting period fails, the lite client can try to obtain a header hp whose height lies between h and snh in order to check whether h can be used to get trust for hp, and hp can be used to get trust for snh. If this is the case we can trust snh; if not, we may continue recursively.
How to use it
We consider the following use case: the lite client wants to verify a header for some given height k. Thus:
- it requests the signed header for height k from a full node
- it tries to verify this header with the methods described here.
This can be used in several settings:
- someone tells the lite client that application data that is relevant for it can be read in the block of height k.
- the lite clients wants the latest state. It asks a full nude for the current height, and uses the response for k.
- in case of inter-blockchain communication protocol (IBC) the light client runs on a chain and someone feeds it signed headers as input and it computes whether it can trust it.
Details
Observation 1. If h.Header.bfttime + tp > now, we trust the old validator set h.Header.NextV.
When we say we trust h.Header.NextV we do not trust that each individual validator in h.Header.NextV is correct, but we only trust the fact that less than 1/3 of them are faulty (more precisely, the faulty ones have less than 1/3 of the total voting power).
Correctness arguments
Towards Lite Client Accuracy:
- Assume by contradiction that
untrusted_hwas not generated correctly and the lite client sets trust to true becauseCheckSupportreturns true. - trusted_h is trusted and sufficiently new
- by Tendermint Fault Model, less than 1/3 of voting power held by faulty validators => at least one correct validator v has signed
untrusted_h. - as v is correct up to now, it followed the Tendermint consensus protocol at least up to signing
untrusted_h=>untrusted_hwas correctly generated, we arrive at the required contradiction.
Towards Lite Client Completeness:
- The check is successful if sufficiently many validators of
trusted_hare still validators inuntrusted_hand signeduntrusted_h. - If untrusted_h.Header.height = trusted_h.Header.height + 1, and both headers were generated correctly, the test passes
Verification Condition: We may need a Tendermint invariant stating that if untrusted_h.Header.height = trusted_h.Header.height + 1 then signers(untrusted_h.Commit) \subseteq trusted_h.Header.NextV.
Remark: The variable trustThreshold can be used if the user believes that relying on one correct validator is not sufficient. However, in case of (frequent) changes in the validator set, the higher the trustThreshold is chosen, the more unlikely it becomes that CheckSupport returns true for non-adjacent headers.
Correctness arguments (sketch)
Lite Client Accuracy:
- Assume by contradiction that
untrusted_hwas not generated correctly and the lite client sets trust to true because CanTrustBisection returns nil. - CanTrustBisection returns true only if all calls to CheckSupport in the recursion return nil.
- Thus we have a sequence of headers that all satisfied the CheckSupport
- again a contradiction
Lite Client Completeness:
This is only ensured if upon Commit(pivot) the lite client is always provided with a correctly generated header.
Stalling
With CanTrustBisection, a faulty full node could stall a lite client by creating a long sequence of headers that are queried one-by-one by the lite client and look OK, before the lite client eventually detects a problem. There are several ways to address this:
- Each call to
Commitcould be issued to a different full node - Instead of querying header by header, the lite client tells a full node which header it trusts, and the height of the header it needs. The full node responds with the header along with a proof consisting of intermediate headers that the light client can use to verify. Roughly, Bisection would then be executed at the full node.
- We may set a timeout how long bisection may take.