|
9 | 9 |
|
10 | 10 | Validator consensus key rotation feature has been discussed and requested for a long time, for the sake of safer validator key management policy (e.g. https://github.com/tendermint/tendermint/issues/1136). So, we suggest one of the simplest form of validator consensus key rotation implementation mostly onto Cosmos SDK. |
11 | 11 |
|
12 | | -We don't need to make any update on consensus logic in Tendermint because Tendermint does not have any mapping information of consensus key and validator operator key, meaning that from Tendermint point of view, a consensus key rotation of a validator is simply a replacement of a consensus key to another. |
| 12 | +We don't need to make any update on consensus logic in Tendermint because Tendermint does not have any mapping information of consensus key and validator operator key, meaning that from Tendermint's point of view, a consensus key rotation of a validator is simply a replacement of a consensus key to another. |
13 | 13 |
|
14 | | -Also, it should be noted that this ADR includes only the simplest form of consensus key rotation without considering multiple consensus keys concept. Such multiple consensus keys concept shall remain a long term goal of Tendermint and Cosmos SDK. |
| 14 | +Also, it should be noted that this ADR includes only the simplest form of consensus key rotation without considering the multiple consensus keys concept. Such multiple consensus keys concept shall remain a long term goal of Tendermint and Cosmos SDK. |
15 | 15 |
|
16 | 16 | ## Decision |
17 | 17 |
|
18 | 18 | ### Pseudo procedure for consensus key rotation |
19 | 19 |
|
20 | 20 | * create new random consensus key. |
21 | | -* create and broadcast a transaction with a `MsgRotateConsPubKey` that states the new consensus key is now coupled with the validator operator with signature from the validator's operator key. |
| 21 | +* create and broadcast a transaction with a `MsgRotateConsPubKey` that states the new consensus key is now coupled with the validator operator with a signature from the validator's operator key. |
22 | 22 | * old consensus key becomes unable to participate on consensus immediately after the update of key mapping state on-chain. |
23 | 23 | * start validating with new consensus key. |
24 | | -* validators using HSM and KMS should update the consensus key in HSM to use the new rotated key after the height `h` when `MsgRotateConsPubKey` committed to the blockchain. |
| 24 | +* validators using HSM and KMS should update the consensus key in HSM to use the new rotated key after the height `h` when `MsgRotateConsPubKey` is committed to the blockchain. |
25 | 25 |
|
26 | 26 | ### Considerations |
27 | 27 |
|
28 | 28 | * consensus key mapping information management strategy |
29 | 29 | * store history of each key mapping changes in the kvstore. |
30 | | - * the state machine can search corresponding consensus key paired with given validator operator for any arbitrary height in a recent unbonding period. |
| 30 | + * the state machine can search corresponding consensus key paired with the given validator operator for any arbitrary height in a recent unbonding period. |
31 | 31 | * the state machine does not need any historical mapping information which is past more than unbonding period. |
32 | 32 | * key rotation costs related to LCD and IBC |
33 | | - * LCD and IBC will have traffic/computation burden when there exists frequent power changes |
| 33 | + * LCD and IBC will have a traffic/computation burden when there exists frequent power changes |
34 | 34 | * In current Tendermint design, consensus key rotations are seen as power changes from LCD or IBC perspective |
35 | | - * Therefore, to minimize unnecessary frequent key rotation behavior, we limited maximum number of rotation in recent unbonding period and also applied exponentially increasing rotation fee |
| 35 | + * Therefore, to minimize unnecessary frequent key rotation behavior, we limited the maximum number of rotation in recent unbonding period and also applied exponentially increasing rotation fee |
36 | 36 | * limits |
37 | 37 | * a validator cannot rotate its consensus key more than `MaxConsPubKeyRotations` time for any unbonding period, to prevent spam. |
38 | 38 | * parameters can be decided by governance and stored in genesis file. |
39 | 39 | * key rotation fee |
40 | 40 | * a validator should pay `KeyRotationFee` to rotate the consensus key which is calculated as below |
41 | 41 | * `KeyRotationFee` = (max(`VotingPowerPercentage` *100, 1)* `InitialKeyRotationFee`) * 2^(number of rotations in `ConsPubKeyRotationHistory` in recent unbonding period) |
42 | 42 | * evidence module |
43 | | - * evidence module can search corresponding consensus key for any height from slashing keeper so that it can decide which consensus key is supposed to be used for given height. |
| 43 | + * evidence module can search corresponding consensus key for any height from slashing keeper so that it can decide which consensus key is supposed to be used for the given height. |
44 | 44 | * abci.ValidatorUpdate |
45 | 45 | * tendermint already has ability to change a consensus key by ABCI communication(`ValidatorUpdate`). |
46 | 46 | * validator consensus key update can be done via creating new + delete old by change the power to zero. |
47 | | - * therefore, we expect we even do not need to change tendermint codebase at all to implement this feature. |
| 47 | + * therefore, we expect we do not even need to change Tendermint codebase at all to implement this feature. |
48 | 48 | * new genesis parameters in `staking` module |
49 | 49 | * `MaxConsPubKeyRotations` : maximum number of rotation can be executed by a validator in recent unbonding period. default value 10 is suggested(11th key rotation will be rejected) |
50 | 50 | * `InitialKeyRotationFee` : the initial key rotation fee when no key rotation has happened in recent unbonding period. default value 1atom is suggested(1atom fee for the first key rotation in recent unbonding period) |
@@ -108,12 +108,12 @@ Proposed |
108 | 108 |
|
109 | 109 | ### Positive |
110 | 110 |
|
111 | | -* Validators can immediately or periodically rotate their consensus key to have better security policy |
| 111 | +* Validators can immediately or periodically rotate their consensus key to have a better security policy |
112 | 112 | * improved security against Long-Range attacks (https://nearprotocol.com/blog/long-range-attacks-and-a-new-fork-choice-rule) given a validator throws away the old consensus key(s) |
113 | 113 |
|
114 | 114 | ### Negative |
115 | 115 |
|
116 | | -* Slash module needs more computation because it needs to lookup corresponding consensus key of validators for each height |
| 116 | +* Slash module needs more computation because it needs to look up the corresponding consensus key of validators for each height |
117 | 117 | * frequent key rotations will make light client bisection less efficient |
118 | 118 |
|
119 | 119 | ### Neutral |
|
0 commit comments