Commit 934d1a6
hardening(frost/roast): require accuser quorum for exclusion; overflow can only park
The NextAttempt exclusion policy permanently excluded members on
unverifiable observer counters: reject/conflict threshold 1, overflow
4, summed across observers and categories so a single byzantine
observer could fabricate evidence and grind honest members out of the
included set toward ErrAttemptInfeasible -- inverting ROAST's
robustness guarantee.
Bundle evidence entries are observer-signed claims, not
self-incriminating proofs, so the policy now refuses to take
permanent action on any accusation that is not group-established:
- ExclusionAccuserQuorum(groupSize, threshold) = f+1 distinct
accusers, where f = groupSize - threshold is the byzantine
tolerance. At f+1 at least one accuser is honest under the
protocol's own t-of-n assumption. Real faults reach the quorum
naturally because contributions are broadcast and every honest
member observes them; fabricated ones cannot.
- Accusers are counted distinctly (one per observer per accused per
category); claimed count magnitudes are no longer summed into
blame. Reject reasons no longer multiply accusers, and categories
are tallied independently instead of summing into each other.
- Only members of the previous IncludedSet are credible accusers;
accusations against members outside the original signer set are
ignored.
- Established overflow accusations (transport-blamable) now park
transiently instead of excluding permanently: transport pressure
can never be made self-incriminating, so it may cost an attempt of
liveness but not permanence.
- Established reject/conflict accusations still exclude permanently.
- Sub-quorum claims are ignored entirely so a single byzantine
observer cannot even impose parking liveness costs.
RFC-21 Layer B is updated to match, including the verifiability
roadmap: once the wire format carries self-incriminating proof (the
accused's own signed conflicting bytes; a re-checkable invalid
contribution), single-proof exclusion becomes sound and the quorum
gate can be relaxed per category.
New regression coverage: quorum boundary at f vs f+1 for both
permanent categories, fabricated-blame grinding across six attempts,
count-magnitude fabrication, cross-category non-summing, non-credible
accusers, non-original accused, established-overflow park-and-reinstate
cycle, and the production-shape quorum pin (100, 51) = 50.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1 parent b7317f2
commit 934d1a6
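As an added illustration of the policy the message describes, not code from the project itself, here is a Go sketch of the accuser-quorum tally: one vote per observer per accused per category regardless of claimed count, accusers and accused both restricted to the previous IncludedSet, established overflow parking while established reject/conflict excludes, and sub-quorum claims dropped entirely. The name ExclusionAccuserQuorum and the category names come from the message; the Accusation type, NextAttemptVerdicts and the integer member ids are assumptions for this example.

```go
package main

// Evidence categories carried by bundle entries (names assumed for this example).
type Category int

const (
	Reject Category = iota
	Conflict
	Overflow // transport-blamable: may park, never exclude
)

// Accusation is one observer-signed claim; Count is a claimed magnitude that
// is deliberately never summed into blame.
type Accusation struct {
	Observer, Accused, Count int
	Cat                      Category
}
// ExclusionAccuserQuorum is f+1 where f = groupSize - threshold.
func ExclusionAccuserQuorum(groupSize, threshold int) int { return groupSize - threshold + 1 }
// NextAttemptVerdicts returns who is parked for one attempt and who is excluded
// permanently; included is the previous attempt's IncludedSet.
func NextAttemptVerdicts(groupSize, threshold int, included map[int]bool, ev []Accusation) (park, exclude map[int]bool) {
	quorum := ExclusionAccuserQuorum(groupSize, threshold)
	seen := map[[3]int]bool{} // (observer, accused, category): one vote each
	votes := map[[2]int]int{} // (accused, category) -> distinct accusers
	for _, a := range ev {
		if !included[a.Observer] || !included[a.Accused] {
			continue // non-credible accuser or non-original accused: ignored
		}
		if id := [3]int{a.Observer, a.Accused, int(a.Cat)}; !seen[id] {
			seen[id] = true
			votes[[2]int{a.Accused, int(a.Cat)}]++
		}
	}
	park, exclude = map[int]bool{}, map[int]bool{}
	for k, n := range votes {
		if n < quorum {
			continue // sub-quorum claims neither park nor exclude
		}
		if Category(k[1]) == Overflow {
			park[k[0]] = true
		} else {
			exclude[k[0]] = true
		}
	}
	for m := range exclude {
		delete(park, m) // permanent exclusion subsumes transient parking
	}
	return park, exclude
}
```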
5 files changed
Lines changed: 762 additions & 184 deletions
Lines changed: 58 additions & 32 deletions