2018-10-23 17:22:54 -06:00
|
|
|
# Leader Rotation
|
|
|
|
|
|
2018-12-11 10:24:24 -07:00
|
|
|
At any given moment, a cluster expects only one fullnode to produce ledger
|
|
|
|
|
entries. By having only one leader at a time, all validators are able to replay
|
|
|
|
|
identical copies of the ledger. The drawback of only one leader at a time,
|
|
|
|
|
however, is that a malicious leader is cabable of censoring votes and
|
|
|
|
|
transactions. Since censoring cannot be distinguished from the network dropping
|
|
|
|
|
packets, the cluster cannot simply elect a single node to hold the leader role
|
|
|
|
|
indefinitely. Instead, the cluster minimizes the influence of a malcioius
|
|
|
|
|
leader by rotating which node takes the lead.
|
|
|
|
|
|
|
|
|
|
Each validator selects the expected leader using the same algorithm, described
|
|
|
|
|
below. When the validator receives a new signed ledger entry, it can be certain
|
|
|
|
|
that entry was produced by the expected leader.
|
2018-10-23 17:22:54 -06:00
|
|
|
|
2018-11-30 12:51:40 -08:00
|
|
|
## Leader Schedule Generation
|
2018-10-23 17:22:54 -06:00
|
|
|
|
2018-12-11 10:24:24 -07:00
|
|
|
Leader schedule is generated using a predefined seed. The process is as follows:
|
2018-10-23 17:22:54 -06:00
|
|
|
|
2018-12-11 10:24:24 -07:00
|
|
|
1. Periodically use the PoH tick height (a monotonically increasing counter) to
|
|
|
|
|
seed a stable pseudo-random algorithm.
|
|
|
|
|
2. At that height, sample the bank for all the staked accounts with leader
|
|
|
|
|
identities that have voted within a cluster-configured number of ticks. The
|
|
|
|
|
sample is called the *active set*.
|
|
|
|
|
3. Sort the active set by stake weight.
|
|
|
|
|
4. Use the random seed to select nodes weighted by stake to create a
|
|
|
|
|
stake-weighted ordering.
|
2018-12-10 10:30:05 -07:00
|
|
|
5. This ordering becomes valid after a cluster-configured number of ticks.
|
2018-10-23 17:22:54 -06:00
|
|
|
|
2018-12-11 10:24:24 -07:00
|
|
|
The seed that is selected is predictable but unbiasable. There is no grinding
|
|
|
|
|
attack to influence its outcome. The active set, however, can be biased by a
|
|
|
|
|
leader by censoring validator votes. To reduce the likelihood of censorship,
|
|
|
|
|
the active set is sampled many slots in advance, such that votes will have been
|
|
|
|
|
collected by multiple leaders. If even one node is honest, the malicious
|
|
|
|
|
leaders will not be able to use censorship to influence the leader schedule.
|
2018-10-23 17:22:54 -06:00
|
|
|
|
2018-12-10 10:30:05 -07:00
|
|
|
## Appending Entries
|
2018-10-23 17:22:54 -06:00
|
|
|
|
2018-12-11 10:24:24 -07:00
|
|
|
A leader schedule is split into *slots*, where each slot has a duration of `T`
|
|
|
|
|
PoH ticks.
|
2018-10-23 17:22:54 -06:00
|
|
|
|
2018-12-11 10:24:24 -07:00
|
|
|
A leader transmits entries during its slot. After `T` ticks, all the
|
|
|
|
|
validators switch to the next scheduled leader. Validators must ignore entries
|
|
|
|
|
sent outside a leader's assigned slot.
|
2018-10-23 17:22:54 -06:00
|
|
|
|
2018-12-11 13:54:13 -07:00
|
|
|
All `T` ticks must be observed by the next leader for it to build its own
|
|
|
|
|
entries on. If entries are not observed (leader is down) or entries are invalid
|
2018-12-11 14:00:38 -07:00
|
|
|
(leader is buggy or malicious), the next leader must produce ticks to
|
2018-12-11 13:54:13 -07:00
|
|
|
fill the previous leader's slot. Note that the next leader should do repair
|
2018-12-11 14:00:38 -07:00
|
|
|
requests in parallel, and postpone sending ticks until it is confident other
|
|
|
|
|
validators also failed to observe the previous leader's entries. If a leader
|
|
|
|
|
incorrectly builds on its own ticks, the leader following it must replace all
|
|
|
|
|
its ticks.
|
