-
-
Published
Linked with GitHub
# Safe head with LMD
Call a block $B$ 1-safe if it cannot currently (before a new round of attestations) be reorged by a chain which includes its parent, i.e. if any reorg would have to be started at an earlier slot, because the subtree rooted at $B$ has sufficient weight to be unreacheable for any competitor subtree (given our assumptions on the adversary, equivocations, boost etc). A 1-safe block is safe iff its parent is, and any block is safe iff its parent is safe and it is 1-safe itself.
The safe-head rule essentially checks 1-safety of a block, given some assumptions, and then 1-safety of all of its ancestors up to a finalized block, which all together is equivalent to safety. Without LMD, this works just fine, because current 1-safety implies future 1-safety under sufficient synchrony. With LMD, this is not the case anymore: a block can be 1-safe at slot $t$ and not safe at slot $t+1$ (meaning after all honest attestations for this slot have been taken into account). We'd like a few things:
1. A persistent notion of 1-safety, meaning some property which is stronger than 1-safety and is guaranteed to keep holding in future slots under synchrony
1. A good way to detect that this stronger notion of 1-safety holds, i.e. a safe-head rule which is compatible with LMD
1. Even if we have these two, it might be that a block which is currently 1-safe-detectable (i.e. it is 1-safe and the new safe-head rule can tell that it is) ceases to be such in the future: we'd know that the block should still be safe if none of our assumptions have broken in the meantime, because 1-safety is persistent, but the safe-head rule does not inform us of this while taking into account only the current view. In other words, we'd like a persistent notion of 1-safe-detectability
## Persistent 1-safety
Let's start by defining a persistent notion of 1-safety. Say block $B$ is from slot $t$, and we are currently at slot $T$. Let $p$ be the fraction of honest committee members of slots $[t,T]$ whose latest message currently supports $B$, meaning it is for $B$ or one of its descendants, *not for an ancestor of $B$*. This is exactly the weight which counts for the subtree rooted at $B$ when the fork-choice rule compares it to competitor subtrees at slot $t$
For example, $p=1/2$ means $B$ is supported by 50% of all current honest latest messages among those which could in principle support it, which are the ones whose corresponding validator has had at least a chance to attest to $B$, by being in some committee in slots $[t, T]$
Now, let $W_l$ be the maximum total weight which could support $B$, if all latest messages by committee members of slots $[t,T]$ were for $B$. This is maybe less than $(T-t+1)W$ because some validators might be in multiple committees in $[t,T]$, and only their latest message counts. Assuming unbiasable randomness (but not unpredictable!) we have $\approx (1-\beta)W_l$ of that potential weight coming from honest attestors, and $\approx \beta W_l$ from adversarial ones. Then $\approx p(1- \beta)W_l$ is the actual honest weight currently supporting $B$. In the following, I'll just assume these are exact (to be further justified, but very reasonable given the very large number of validators)
Claim: if $p(1-\beta) > 1/2$, $B$ is 1-safe
Proof: $B$ is clearly currently 1-safe, because the honest weight supporting it is $> \frac{1}{2}W_l$, so the remaining adversarial and honest weight is not sufficient to win against it in the fork-choice at slot $t$.
Claim: if $p(1-\beta) > 1/2$, $p$ is non-decreasing
Proof: Let $p'$ be the new $p$ after the honest attestations at slot $t+1$ are considered Since $B$ is 1-safe at slot $t$, all honest committee members of slot $t+1$ attest to a descendant of it, which implies $p' \geq p$, because all honest latest messages either stay the same or switch to supporting $B$. We then still have $p'(1-\beta) > \frac{1}{2}$, and we get the claim by induction
Therefore, $p(1-\beta) > 1/2$ implies persistent 1-safety.
## Detecting persistent 1-safety
We are left with giving some conditions which imply $p(1-\beta) > 1/2$. We can make assumptions on $\beta$, but $p$ is unobservable because we don't know which validators are honest. What we can observe is $q = \frac{\text{weight supporting }B}{W_l}$, where the numerator includes all latest messages supporting $B$ in our view, without trying to discriminate between honest and adversarial ones since we can't.
Claim: $\beta < q - 1/2 \implies p(1-\beta) > 1/2$
Proof: $q \leq p(1-\beta) + \beta$, because $p(1- \beta)W_l + \beta W_l$ is the maximum weight which could currently be supporting $B$ (if all adversarial weight was supporting it), which by definition has to be $\geq qW_l$
$\beta < q - 1/2, \ q \leq p(1-\beta) + \beta \implies q \leq p(1-\beta) + \beta < p(1-\beta) + q - 1/2 \implies p(1-\beta) > 1/2$
E.g. q = 0.8 implies persistent 1-safety for $\beta < 0.3$
## With boost
With a boost $W_p$, we need $p(1 - \beta) > 1/2(1 + W_p/W_l)$, and we get it when $\beta < q - 1/2(1 + W_p/W_l)$
Still works because $W_l$ is also increasing, so $\frac{1}{2}(1 + \frac{W_p}{W_l})$ is decreasing, i.e. $p' > \frac{1}{2}(1 + \frac{W_p}{W_{l'}})$