autonomys / subspace

Subspace Network reference implementation
https://subspace.network

A faster timekeeper will outrun its competitors #2141

Closed vanhauser-thc closed 10 months ago

vanhauser-thc commented 1 year ago

[Medium] A faster timekeeper will outrun its competitors

Summary

Due to how the PoT mechanism is designed, if one or several timekeepers are noticeably faster than all the others, all slower ones will be banned by the network over time, resulting in (a) centralized timekeeper(s).

Issue details

The time it takes to create PoT is basically the heartbeat of the chain. If a timekeeper is slower than others, its PoT messages will become too old for the nodes and then will be blocked. If a new CPU or ASIC that is noticeably faster is being used for the chain, all slower timekeepers will be blocked, leaving only the new fast timekeeper(s) active on the network.

Risk

With a new generation of timekeepers all previous timekeepers become obsolete, reducing the motivation to run a timekeeper, especially if there is no incentive to run one. If only one or a few timekeepers are present, the chain is disrupted if a timekeeper goes offline. A node can produce PoT itself, but the speed is very slow and it is unsure if this would actually work.

Mitigation

We are not aware of a mechanism by which this could be mitigated.

nazar-pc commented 1 year ago

> If a timekeeper is slower than others, its PoT messages will become too old for the nodes and then will be blocked.

I do not think this is the case. Timekeepers will start building on top of the newer, longer PoT chain instead of extending their old, already outdated PoT chain. Moreover, we're planning to implement optimistic reorg as described in https://github.com/subspace/subspace/issues/1977 to make sure they start building on top of a potential new longer chain even before it is verified fully.

The only major result from faster (but honest, meaning that they publish checkpoints to everyone as soon as they get them) timekeepers is that work done by slower timekeepers is wasted, but they will not get banned, unless I misunderstand the description here.

nazar-pc commented 1 year ago

I must add that PoT will be parametrized according to the fastest hardware we can find. For mainnet it will mean top of the line overclocked desktop chips that will probably be overclocked beyond 24/7 stable even such that they run as fast as possible (with some redundancy of course).

dariolina commented 1 year ago

Faster evaluation is an inherent issue to VDF-based constructions. I believe we have contained it pretty well. First, the speed gains are not cumulative: there is entropy injection every ~5 min that resets their advantage. Then, a faster timekeeper will not get everyone banned: if they gossip their PoT, other timekeepers will continuously sync up to them. If a faster timekeeper does not gossip their PoT and only uses it to produce blocks, they have some prediction window (depending on how much faster they are), but still they either need significant disk storage anyway or attempt on-demand plotting, which is also hard.
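The three cases argued in this thread (no syncing, gossip with syncing, withholding with entropy injection) can be compared in a toy two-timekeeper model. This is an added example, not Subspace code and not written by any commenter; the function `simulate`, the tick unit, the speeds 12 and 10, the 2-tick gossip delay and the treatment of injection as a full reset of the lead are all assumptions made for illustration.

```rust
use std::collections::VecDeque;

/// Result of one run of the toy model (all names here are hypothetical).
pub struct Outcome {
    pub worst_lead: u64, // largest gap, in PoT iterations, fast keeper over slow keeper
    pub resyncs: u64,    // ticks on which the slow keeper dropped its own work
}

/// Speeds are PoT iterations per tick.
/// gossip_delay: Some(d) = every checkpoint of the fast keeper is published and
/// arrives d ticks later; None = nothing from the fast keeper is ever adopted.
/// inject_every: Some(i) = entropy injection every i ticks (i > 0), modelled
/// (assumption) as both keepers restarting from the same point.
pub fn simulate(fast: u64, slow: u64, gossip_delay: Option<usize>,
                inject_every: Option<u64>, ticks: u64) -> Outcome {
    let (mut f, mut s) = (0u64, 0u64);
    let mut in_flight: VecDeque<u64> = VecDeque::new();
    let mut out = Outcome { worst_lead: 0, resyncs: 0 };
    for t in 1..=ticks {
        f += fast;
        s += slow;
        if let Some(d) = gossip_delay {
            in_flight.push_back(f);
            if in_flight.len() > d {
                let checkpoint = in_flight.pop_front().unwrap();
                if checkpoint > s {
                    s = checkpoint; // build on the longer chain, own work is wasted
                    out.resyncs += 1;
                }
            }
        }
        out.worst_lead = out.worst_lead.max(f.saturating_sub(s));
        if inject_every.map_or(false, |i| t % i == 0) {
            f = s; // the accumulated advantage is reset
            in_flight.clear();
        }
    }
    out
}

fn main() {
    // Constructed parameters: fast keeper is 20% faster, run for 3000 ticks.
    for (name, g, i) in [("no syncing, no injection", None, None),
                         ("gossip, 2-tick delay", Some(2), None),
                         ("withholding, injection every 300", None, Some(300))] {
        let o = simulate(12, 10, g, i, 3000);
        println!("{name}: worst lead {} iterations, {} resyncs", o.worst_lead, o.resyncs);
    }
}
```

In this model the gap grows without bound only when the slow keeper never adopts the faster chain; with gossip it settles at the fast keeper's speed times the gossip delay, and with withholding it is capped by the speed difference times the injection interval.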

nazar-pc commented 10 months ago

@dariolina can we add a "risks" section to subnomicon (if we don't have it) and spec or another document as well? Then we can close this as an inherent part of the protocol design we acknowledge and accept.

dariolina commented 10 months ago

Added to subnomicon https://subnomicon.subspace.network/docs/consensus/pot#security-considerations

nazar-pc commented 10 months ago

I like the description there and am closing this as a non-issue. Feel free to continue discussion if necessary.