Electric-Coin-Company / tfl-book

A Trailing Finality Layer book for a proposed Zcash protocol change.
MIT License

Analyze Attack Scenario: Compromised Finality Oracle + Miner only finalizes that miner's blocks #39

Open nathan-at-least opened 1 year ago

nathan-at-least commented 1 year ago

Suggested Improvement

Suppose a node learns of a new final block which correctly directly succeeds its previous most recent final block. However, it has not seen this new final block (or perhaps it has but the new final block is not on the longest PoW suffix). What rule is safe for the node's behavior?

A diagram of this scenario for the node's local view:

```
A* -> B* -> C -> D -> E
      |
      +---> C2*
```

Legend: * indicates the node has received a message from a finality oracle that a block is final, and a number indicates an alternative block at the same height as indicated by the letter.

Candidate rule: "The new final block is part of the canonical chain, thus invalidating my current suffix." In this example, this means discard C, D, and E and treat C2* as the current canonical chain tip.

A weakness in this rule is that an attacker controlling the finality oracle plus any miner (of any capacity) can always only finalize blocks from their own miner. In this case, other nodes keep being forced to roll back legitimately PoW-mined blocks each time the malicious miner finds a block. Is this roughly equivalent to the impact of a 51% mining capacity compromise?

OTOH, consider for this rule an attacker scenario where the attacker controls 51% mining capacity but the finality oracle is completely uncompromised: with some probability some portion of the time a legitimately mined block gets finalized before the 51% attacker can roll it back.

Is this the best/safest consensus rule for this scenario in ebb-and-flow?
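
A toy model of the candidate rule applied to the diagram above, added here as an illustration and not part of the original comment or of the tfl-book code. The function names and the `simulate` scenario are hypothetical, and it assumes the node already holds the block data for the newly finalized block.

```python
# Constructed block tree from the issue's diagram: child -> parent.
PARENT = {"A": None, "B": "A", "C": "B", "D": "C", "E": "D", "C2": "B"}

def chain_to(tip, parent):
    """Blocks from genesis up to and including tip."""
    out = []
    while tip is not None:
        out.append(tip)
        tip = parent[tip]
    return out[::-1]

def canonical_chain(parent, last_final):
    """Candidate rule: longest PoW chain that contains the latest final block."""
    has_child = set(parent.values())
    chains = [chain_to(t, parent) for t in parent if t not in has_child]
    return max((c for c in chains if last_final in c), key=len)

def on_finality(parent, current_chain, last_final, new_final):
    """Apply an oracle message; return (new canonical chain, blocks rolled back)."""
    if parent[new_final] != last_final:
        raise ValueError("new final block must directly succeed the last final block")
    new_chain = canonical_chain(parent, new_final)
    rolled_back = [b for b in current_chain if b not in new_chain]
    return new_chain, rolled_back

def simulate(rounds, honest_per_round):
    """Hypothetical repeat of the scenario: each round other miners extend the
    canonical tip, then the oracle finalizes one competing block built on the
    last final block. Returns how many legitimately mined blocks were discarded."""
    parent, final, chain, discarded = {"G": None}, "G", ["G"], 0
    for r in range(rounds):
        for i in range(honest_per_round):
            name = f"h{r}.{i}"
            parent[name] = chain[-1]
            chain = chain + [name]
        rival = f"m{r}"
        parent[rival] = final
        chain, rolled = on_finality(parent, chain, final, rival)
        final = rival
        discarded += len(rolled)
    return discarded

if __name__ == "__main__":
    before = canonical_chain(PARENT, "B")
    after, lost = on_finality(PARENT, before, "B", "C2")
    print(before, "->", after, "rolled back:", lost)
    print("discarded over 3 rounds:", simulate(3, 2))
```

In this model the finalized sequence consists only of the blocks the oracle chose, and every other block mined between finality messages is discarded, which is the behaviour the comment asks about.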

nathan-at-least commented 1 year ago

Does this table seem qualitatively correct about the difference between the two protocols and attacker capabilities?

| Attack Impact | Chain Contents During Attack | Required Pure-PoW Attack Capabilities | Required Ebb-and-Flow Mining Attack Capabilities | Ebb-and-Flow Finality Oracle is Compromised? |
|---|---|---|---|---|
| Chain makes progress, but attacker can roll back legitimate blocks eventually to produce a sequence completely of their choosing | attacker controlled prefix with transient non-attacker suffix | 50+ϵ% capacity | ϵ% mining capacity | Yes |
| Chain makes progress, and attacker can frequently roll back unfinalized blocks, but legitimately mined blocks still have a probability of inclusion[^1] | a mixture of attacker controlled and uncontrolled sequences | Scenario Not Possible | 50+ϵ% capacity | No |

[^1]: This is due to legitimate blocks being occasionally finalized before the attacker can roll them back.