BFT time: randomize precommit times


#1

In the current implementation of BFT time (to my knowledge), we have it provide the exact time on the local clock at which it was received / about to be broadcast (not sure which it is, but that is irrelevant to the point). Providing the exact time may leak the inter-validator network topology. I’m wondering if there is a good way to solve this.

I.e., proposer and validator A are known to be on the east and west coast respectively, and have exactly a 50ms time difference between proposal time and A’s precommit time. (Suppose 50ms is expected internet latency + signature verification time.) This indicates they have a private relay.

Mitigating this problem isn’t easy. You don’t want to make it easy to figure out who your sentry nodes are either. (That would be worse than figuring out the private relays.) I’m not really sure what the best way to handle this is.

If we add a uniformly random time in a range [-n, +n] to the precommit time, then if a sentry node ever sends a vote with a precommit time similar to or greater than the precommit time, it strongly hints that that node is your sentry.

If we add a uniformly random time in range [-n, 0], that may achieve the desired result better; I’m unsure. I wanted to make a post here to start a discussion on the topic, if it’s interesting to people.

To solve the second problem of identifying your sentry, you have to trick the world into thinking that you and your sentry went through more round trip delays than you actually did.
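
As an added illustration, not part of the original post and not Tendermint code: a Go simulation of the two jitter ranges proposed above, showing what an observer computing precommit time minus proposal time sees over many heights. The 50ms true delay, n = 100ms, the fixed seed and all names are constructed assumptions.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// Constructed values: true proposal-to-precommit delay and jitter bound n.
const (
	trueDelay = 50 * time.Millisecond
	n         = 100 * time.Millisecond
)

// Stats is what an observer sees for (precommit time - proposal time).
type Stats struct{ Min, Max, Mean time.Duration }

// observe simulates `heights` blocks in which the validator adds a uniformly
// random offset in [lo, hi] to its precommit timestamp before signing.
func observe(seed int64, lo, hi time.Duration, heights int) Stats {
	r := rand.New(rand.NewSource(seed)) // fixed seed: reproducible run
	s := Stats{Min: trueDelay + hi, Max: trueDelay + lo}
	var sum time.Duration
	for i := 0; i < heights; i++ {
		jitter := lo + time.Duration(r.Int63n(int64(hi-lo)+1))
		d := trueDelay + jitter
		if d < s.Min {
			s.Min = d
		}
		if d > s.Max {
			s.Max = d
		}
		sum += d
	}
	s.Mean = sum / time.Duration(heights)
	return s
}

func main() {
	fmt.Println("[-n, +n]:", observe(1, -n, n, 10000))
	fmt.Println("[-n,  0]:", observe(1, -n, 0, 10000))
}
```

In this model the mean observed delta stays at the true delay for [-n, +n] and shifts by n/2 for [-n, 0], so a fixed uniform range biases the average rather than hiding it from an observer who samples many heights.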