Record messages for rebroadcast after signing #474
Assignees
Milestone
Comments
|
Doing this is going to be a bit tricky because gpbft never actually sees the signed messages. It probably needs a way to trigger rebroadcast by calling the host? Honestly, I'm not a huge fan... Another solution is to have the host remember signed messages (e.g., with the WAL). Then, when GPBFT sends a message, the host would:
We might also be able to use strict message ordering to make this simpler. I.e., record the instance/round/phase of the last signed message and only sign strictly "newer" messages. If we had the keys on the participants, this would be simpler: just have participants remember their last instance/round/phase and report them whenever selecting a client. |
|
I am leaning towards a solution where singing is segregated from rebroadcast: However, I am conscious this approach would mean a larger refactor. |
Stebalien
modified the milestones:
Milestone 0: F3 Alpha Code Freeze,
Milestone 2: Harderning and Mainnet Deployment Readiness
|
Once the integration of WAL is completed, this will be solved: #392 |
|
Separated rebroadcast via WAL into #679. My aim is to get this done as part of the same issue. |
masih
added a commit
that referenced
this issue
Oct 3, 2024
Previously, rebroadcast functioned by keeping track of message templates and calling `RequestBroadcast` again to re-broadcast them. This approach can cause erroneous behaviour when messages are re-signed in conjunction with participant churn. To avoid this category of errors treat broadcast final: Every broadcasted message is recorded in WAL and once recorded the same message is used for re-broadcast; no re-signing. A dedicated re-broadcast API is introduced to take instance, round and phase and use it to then look up broadcast messages. Note that as a result of the changes above, failures are also sicky. In that, if signing of a message fails at the time of original broadcast, future requests to rebroadcast it will have no effect. The changes here also include a series of WAL functionality refactors to make it easier to traverse write-ahead log entries. Fixes #474
masih
added a commit
that referenced
this issue
Oct 3, 2024
Previously, rebroadcast functioned by keeping track of message templates and calling `RequestBroadcast` again to re-broadcast them. This approach can cause erroneous behaviour when messages are re-signed in conjunction with participant churn. To avoid this category of errors treat broadcast final: Every broadcasted message is recorded in WAL and once recorded the same message is used for re-broadcast; no re-signing. A dedicated re-broadcast API is introduced to take instance, round and phase and use it to then look up broadcast messages. Note that as a result of the changes above, failures are also sicky. In that, if signing of a message fails at the time of original broadcast, future requests to rebroadcast it will have no effect. The changes here also include a series of WAL functionality refactors to make it easier to traverse write-ahead log entries. Fixes #474
masih
added a commit
that referenced
this issue
Oct 3, 2024
Previously, rebroadcast functioned by keeping track of message templates and calling `RequestBroadcast` again to re-broadcast them. This approach can cause erroneous behaviour when messages are re-signed in conjunction with participant churn. To avoid this category of errors treat broadcast final: Every broadcasted message is recorded in WAL and once recorded the same message is used for re-broadcast; no re-signing. A dedicated re-broadcast API is introduced to take instance, round and phase and use it to then look up broadcast messages. Note that as a result of the changes above, failures are also sicky. In that, if signing of a message fails at the time of original broadcast, future requests to rebroadcast it will have no effect. The changes here also include a series of WAL functionality refactors to make it easier to traverse write-ahead log entries. Fixes #474
masih
added a commit
that referenced
this issue
Oct 3, 2024
Previously, rebroadcast functioned by keeping track of message templates and calling `RequestBroadcast` again to re-broadcast them. This approach can cause erroneous behaviour when messages are re-signed in conjunction with participant churn. To avoid this category of errors treat broadcast final: Every broadcasted message is recorded in WAL and once recorded the same message is used for re-broadcast; no re-signing. A dedicated re-broadcast API is introduced to take instance, round and phase and use it to then look up broadcast messages. Note that as a result of the changes above, failures are also sicky. In that, if signing of a message fails at the time of original broadcast, future requests to rebroadcast it will have no effect. The changes here also include a series of WAL functionality refactors to make it easier to traverse write-ahead log entries. Fixes #474
masih
added a commit
that referenced
this issue
Oct 3, 2024
Previously, rebroadcast functioned by keeping track of message templates and calling `RequestBroadcast` again to re-broadcast them. This approach can cause erroneous behaviour when messages are re-signed in conjunction with participant churn. To avoid this category of errors treat broadcast final: Every broadcasted message is recorded in WAL and once recorded the same message is used for re-broadcast; no re-signing. A dedicated re-broadcast API is introduced to take instance, round and phase and use it to then look up broadcast messages. Note that as a result of the changes above, failures are also sicky. In that, if signing of a message fails at the time of original broadcast, future requests to rebroadcast it will have no effect. The changes here also include a series of WAL functionality refactors to make it easier to traverse write-ahead log entries. Fixes #474
github-merge-queue bot
pushed a commit
that referenced
this issue
Oct 4, 2024
* Rebroadcast already signed messages from WAL Previously, rebroadcast functioned by keeping track of message templates and calling `RequestBroadcast` again to re-broadcast them. This approach can cause erroneous behaviour when messages are re-signed in conjunction with participant churn. To avoid this category of errors treat broadcast final: Every broadcasted message is recorded in WAL and once recorded the same message is used for re-broadcast; no re-signing. A dedicated re-broadcast API is introduced to take instance, round and phase and use it to then look up broadcast messages. Note that as a result of the changes above, failures are also sicky. In that, if signing of a message fails at the time of original broadcast, future requests to rebroadcast it will have no effect. The changes here also include a series of WAL functionality refactors to make it easier to traverse write-ahead log entries. Fixes #474 * Keep wal exactly as dumb as it is and index messages externally
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We currently record them before signing. Unfortunately, this isn't safe it a participant changes from one client to the other. To be clear, changing from one client to another isn't safe in general but... this is extra unsafe.
This will also let us directly use the rebroadcast queue to fix #392.
The text was updated successfully, but these errors were encountered: