ADR 016: Validator consensus key rotation #5233
@@ -0,0 +1,63 @@
# ADR 016: Validator Consensus Key Rotation

## Changelog

- 23-10-2019: initial draft

## Context

Validator consensus key rotation feature has been discussed and requested for a long time, for the sake of safer validator
key management policy (e.g. https://github.com/tendermint/tendermint/issues/1136). So, we suggest one of the simplest form of
validator consensus key rotation implementation mostly onto Cosmos-SDK.

## Decision

### Pseudo procedure for consensus key rotation

- create new random consensus key.
- create and broadcast a transaction(RotateValConsensusKey) that the new consensus key is now coupled with the validator operator with signature from validator wallet key.
- old consensus key becomes unable to participate on consensus immediately after the update of key mapping state on-chain.
- start validating with new consensus key.
- validators using HSM and KMS should update the consensus key in HSM to use the new rotated key for signing votes.
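Review bot: the "immediately after the update of key mapping state on-chain" step in the pseudo procedure does not match how Tendermint applies validator-set changes: a `ValidatorUpdate` returned from EndBlock at height H only takes effect at height H+2, so the old key still has to sign H+1 and the node must not switch its HSM/KMS over before the new key is actually in the set, which is the opposite of the order given by the last two bullets (start validating with the new key, then update the HSM). State the activation height explicitly and reorder the steps: load the new key into the HSM/KMS first, broadcast `RotateValConsensusKey`, keep signing with the old key until the update is live, then switch. The transaction bullet should also say what the handler checks, at minimum that the new key is not already registered to another validator (a duplicate would collide in the validator set) and that the submitter controls the new key, e.g. a signature by the new consensus key over the operator address, since the operator signature alone proves nothing about the key being registered. If the signer's double-sign guard (last signed height/round/step) is kept per key, say that the new key must inherit that watermark, otherwise the guard gives no protection for the first blocks after rotation.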
### Considerations

- consensus key mapping information management strategy
  - store history of each key mapping changes in the kvstore.
  - the state machine can search corresponding consensus key paired with given validator operator for any arbitrary height in a recent unbonding period.
  - the state machine does not need any historical mapping information which is past more than unbonding period.
- limits
  - a validator cannot rotate its consensus key more than N time for any unbonding period, to prevent spam.
  - parameters can be decided by governance and stored in genesis file.
- slash module
  - slash module can search corresponding consensus key for any height so that it can decide which consensus key is supposed to be used for given height.
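Review bot: the mapping history in the Considerations is described in the operator → consensus key direction ("search corresponding consensus key paired with given validator operator for any arbitrary height"), but double-sign evidence comes from Tendermint carrying the consensus address that signed, so the lookup the evidence/slashing path needs is consensus address → operator together with the height range in which that key was valid. Key the history by consensus address with a [start height, end height] interval, and state explicitly that a retired key stays in the history and stays slashable for the full unbonding period, which also means another validator must not be allowed to register that key until the interval has expired. The "N time for any unbonding period" limit should say whether the counter is a sliding window or resets at a fixed boundary, and the parameters bullet should say that governance can change the values at runtime, not only set them in the genesis file.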
the double sign evidence is now handled by the cc: @alexanderbez

thanks for pointing that out! As you said, the evidence module gets the pubkey from the slashing keeper to use for double signing detection. Edited as below:

- evidence module
### Special note on implementation

- tendermint already has ability to change a consensus key by ABCI communication(`ValidatorUpdate`).
- validator consensus key update can be done via creating new + delete old by change the power to zero.
- therefore, we expect we even do not need to change tendermint codebase at all to implement this feature.
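Review bot: "creating new + delete old by change the power to zero" is the right mechanism, but the Special note omits two effects of doing the rotation as a remove-plus-add that the SDK then has to absorb: the update only becomes effective two blocks after the EndBlock that returns it, so the old key must remain accepted until then, and Tendermint treats the new key as a newly added validator and resets its proposer priority (a new entry starts at -1.125 × total voting power), so a validator that rotates loses its accumulated priority and proposes less often for a while. Document both here; the "no change to tendermint codebase" claim holds, but only because the state machine carries those details, and the priority reset is a concrete reason the rotation rate limit matters.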
## Status

Proposed

## Consequences

### Positive

- Validators can immediately or periodically rotate their consensus key to have better security policy
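Review bot: the single Positive bullet should say which threat rotation mitigates and how far. Rotation bounds the damage from a leaked consensus key but does not undo it: the leaked key can still produce double-sign evidence for the heights it was active, and under the Considerations above that evidence stays slashable for the full unbonding period, so the benefit is a shorter exposure window rather than immunity. "immediately" is also limited by the N-rotations-per-unbonding-period parameter and by the two-block lag before a validator-set update takes effect; "on demand, within the rate limit" would be accurate.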
### Negative
Missing an important negative: it allows a validator to effectively sell their entity, in a way that before would require hardware assumptions. (They can change their key to give it to new management, without any oversight from their delegators.)
- Slash module needs more computation because it needs to lookup corresponding consensus key of validators for each height

### Neutral

## References

- on tendermint repo : https://github.com/tendermint/tendermint/issues/1136
- on cosmos-sdk repo : https://github.com/cosmos/cosmos-sdk/issues/5231
- about multiple consensus keys : https://github.com/tendermint/tendermint/issues/1758#issuecomment-545291698
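Review bot: the Negative section still names the "Slash module" as the component doing the per-height key lookup even though the thread above settled that the evidence module obtains the key via the slashing keeper; make the Considerations and Consequences sections agree on which module pays the lookup cost. It also lacks the trust-model cost raised in review: with operator-key-only authorization, a validator can hand its consensus key to a new party with no delegator involvement, which is a governance consequence of this design and belongs in Negative. The Neutral heading is empty, so either drop it or state something, and the third reference (multiple consensus keys) is cited without saying whether this proposal is compatible with, or an alternative to, that approach.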
I know this has been asked a few times already, but it'd be nice if you could add the reasoning of why this feature fits into the SDK instead of Tendermint.

thanks for noting that. I added the sentences below to clarify the reason.

We don't need to make any update on consensus logic in Tendermint because Tendermint does not have any mapping information of consensus key and validator operator key, meaning that from Tendermint's point of view, a consensus key rotation of a validator is simply a replacement of one consensus key with another.