Praos: use larger nonce stabilization window starting in Conway (#927)

Closes #297, closes
IntersectMBO/cardano-ledger#2478, closes
IntersectMBO/cardano-ledger#1914

See erratum 17.3 (amended in
IntersectMBO/cardano-ledger#4015) in the Shelley
ledger specs for context.

Author: amesgen

docs/website/contents/for-developers/Glossary.md

@@ -137,22 +137,27 @@ In the latest Cardano era, each epoch lasts for 432000 slots (= 5 days).
 
 The ledger rules take snapshots of the nonce and stake distribution at different points of time in the course of an epoch. A snapshot may only be _used_ when it has stabilized, which means that their block has become immutable (being older than `k` blocks). Currently, Cardano `mainnet` uses an epoch length of `10k/f` slots, divided into three parts:
 
-- Part 1, length `4k/f` - At the beginning of this part, which forms the boundary with the previous epoch, the stake distribution snapshot is taken.
+Note that nothing in the implementation happens on the transition from Part 1 to Part 2 (in contrast to "from Part 2 to Part 3"), so there exist no concrete values for the individual length of these two phases. The length of Part 3 is however explicitly recorded in the implementation, so the length of Part 1 and Part 2 combined is `10k/f` minus the length of Part 3.
+
+- Part 1, at least length `3k/f` - At the beginning of this part, which forms the boundary with the previous epoch, the stake distribution snapshot is taken.
   At the end of this part, the stake distribution has stabilized.
 
-- Part 2, length `3k/f` - At the end of this part, the nonce snapshot is taken.
+- Part 2, at least length `k/f` - At the end of this part, the nonce snapshot is taken.
 
   The nonce is snapshotted after the stake distribution to prevent _identity grinding_.
   However, this does not prevent _nonce grinding_.
 
   It must contain at least one honest block (created by an honest party as defined above), so that the nonce cannot be solely influenced by the adversary – otherwise they could identity grind before Part 1, knowing what the nonce would be due to owning all the blocks up to its snapshot.
   This criterion is a minimum requirement and wildly unrealistic not to be satisfied with `mainnet` parameters.
 
-  The nonce snapshot could likely be taken earlier without sacrificing security, like after Part 1.
-  Waiting another `3k/f` is playing it extra safe.
+  The nonce snapshot could likely be taken earlier without sacrificing security, like already after `3k/f` after the start of the epoch.
+  Waiting all the way until the start of Part 3 is playing it extra safe.
+
+- Part 3, length `4k/f` since the Conway era, and `3k/f` for all prior Shelley-based eras - At the end of this part, the nonce snapshot has stabilized and can be used for the leader schedule of the next epoch.
 
-- Part 3, length `3k/f` - At the end of this part, the nonce snapshot has stabilized and can be used for the leader schedule of the next epoch.
+  Most importantly, Part 3 has to be at least `3k/f` slots (one stability window) long for the nonce to stabilize before the start of the next epoch (such that all pools agree on the leader schedule).
 
+  As advised by the IOG researchers, the nonce should be snapshotted even a bit earlier for intricate reasons related to Ouroboros Genesis. See erratum 17.3 in the [Shelley ledger specs](https://github.com/IntersectMBO/cardano-ledger/blob/master/README.md) for context.
 
 ## :Eventual consensus
 

ouroboros-consensus-cardano/changelog.d/20240206_174354_alexander.esgen_change_epoch_structure.md

@@ -0,0 +1,8 @@
+### Non-Breaking
+
+- Change the randomness stabilization window for Conway (and future eras) to
+  `4k/f` instead of `3k/f` (one stability window) that was used for Babbage and
+  TPraos-based eras. See erratum 17.3 in the Shelley ledger specs for context.
+
+  Note that this is a backwards-incompatible change for all existing chains
+  containing (at least one full epoch worth of) Conway blocks.

ouroboros-consensus-cardano/src/ouroboros-consensus-cardano/Ouroboros/Consensus/Cardano/Node.hs

@@ -730,7 +730,13 @@ protocolInfoCardano paramsCardano
         praosMaxMajorPV = maxMajorProtVer,
         praosMaxLovelaceSupply = SL.sgMaxLovelaceSupply genesisShelley,
         praosNetworkId = SL.sgNetworkId genesisShelley,
-        praosSystemStart = SystemStart $ SL.sgSystemStart genesisShelley
+        praosSystemStart = SystemStart $ SL.sgSystemStart genesisShelley,
+        praosRandomnessStabilisationWindow =
+          -- This value is used for all Praos eras /except/ Babbage, see
+          -- 'partialConsensusConfigBabbage'.
+          SL.computeRandomnessStabilisationWindow
+            (SL.sgSecurityParam genesisShelley)
+            (SL.mkActiveSlotCoeff $ SL.sgActiveSlotsCoeff genesisShelley)
       }
 
     PraosParams { praosSlotsPerKESPeriod, praosMaxKESEvo } = praosParams
@@ -827,7 +833,17 @@ protocolInfoCardano paramsCardano
 
     partialConsensusConfigBabbage ::
          PartialConsensusConfig (BlockProtocol (ShelleyBlock (Praos c) (BabbageEra c)))
-    partialConsensusConfigBabbage = praosParams
+    partialConsensusConfigBabbage = praosParams {
+          -- For Praos in Babbage (just as in all TPraos eras) we use the
+          -- smaller (3k/f vs 4k/f slots) stability window here for
+          -- backwards-compatibility. See erratum 17.3 in the Shelley ledger
+          -- specs for context.
+          praosRandomnessStabilisationWindow =
+            SL.computeStabilityWindow
+              (SL.sgSecurityParam genesisShelley)
+              (SL.mkActiveSlotCoeff $ SL.sgActiveSlotsCoeff genesisShelley)
+        }
+
 
     partialLedgerConfigBabbage :: PartialLedgerConfig (ShelleyBlock (Praos c) (BabbageEra c))
     partialLedgerConfigBabbage =

ouroboros-consensus-protocol/changelog.d/20240206_174037_alexander.esgen_change_epoch_structure.md

@@ -0,0 +1,3 @@
+### Breaking
+
+- Remove unused `translateConsensusConfig` from `TranslateProto`.

ouroboros-consensus-protocol/changelog.d/20240206_174209_alexander.esgen_change_epoch_structure.md

@@ -0,0 +1,5 @@
+### Breaking
+
+- Add `praosRandomnessStabilisationWindow` to `PraosParams`, allowing to
+  configure in which slot the epoch nonce is snapshotted (which can now vary
+  between different eras).

ouroboros-consensus-protocol/src/ouroboros-consensus-protocol/Ouroboros/Consensus/Protocol/Praos.hs

@@ -45,7 +45,6 @@ import           Cardano.Ledger.Keys (KeyHash, KeyRole (BlockIssuer),
 import qualified Cardano.Ledger.Keys as SL
 import           Cardano.Ledger.PoolDistr
                      (IndividualPoolStake (IndividualPoolStake))
-import           Cardano.Ledger.Shelley.API (computeStabilityWindow)
 import qualified Cardano.Ledger.Shelley.API as SL
 import           Cardano.Ledger.Slot (Duration (Duration), (+*))
 import           Cardano.Protocol.TPraos.BHeader (BoundedNatural (bvValue),
@@ -183,29 +182,35 @@ forgePraosFields
 -- | Praos parameters that are node independent
 data PraosParams = PraosParams
   { -- | See 'Globals.slotsPerKESPeriod'.
-    praosSlotsPerKESPeriod :: !Word64,
+    praosSlotsPerKESPeriod             :: !Word64,
     -- | Active slots coefficient. This parameter represents the proportion
     -- of slots in which blocks should be issued. This can be interpreted as
     -- the probability that a party holding all the stake will be elected as
     -- leader for a given slot.
-    praosLeaderF           :: !SL.ActiveSlotCoeff,
+    praosLeaderF                       :: !SL.ActiveSlotCoeff,
     -- | See 'Globals.securityParameter'.
-    praosSecurityParam     :: !SecurityParam,
+    praosSecurityParam                 :: !SecurityParam,
     -- | Maximum number of KES iterations, see 'Globals.maxKESEvo'.
-    praosMaxKESEvo         :: !Word64,
+    praosMaxKESEvo                     :: !Word64,
     -- | Quorum for update system votes and MIR certificates, see
     -- 'Globals.quorum'.
-    praosQuorum            :: !Word64,
+    praosQuorum                        :: !Word64,
     -- | All blocks invalid after this protocol version, see
     -- 'Globals.maxMajorPV'.
-    praosMaxMajorPV        :: !MaxMajorProtVer,
+    praosMaxMajorPV                    :: !MaxMajorProtVer,
     -- | Maximum number of lovelace in the system, see
     -- 'Globals.maxLovelaceSupply'.
-    praosMaxLovelaceSupply :: !Word64,
+    praosMaxLovelaceSupply             :: !Word64,
     -- | Testnet or mainnet?
-    praosNetworkId         :: !SL.Network,
+    praosNetworkId                     :: !SL.Network,
     -- | The system start, as projected from the chain's genesis block.
-    praosSystemStart       :: !SystemStart
+    praosSystemStart                   :: !SystemStart,
+    -- | The number of slots before the start of an epoch where the
+    -- corresponding epoch nonce is snapshotted. This has to be at least one
+    -- stability window such that the nonce is stable at the beginning of the
+    -- epoch. Ouroboros Genesis requires this to be even larger, see
+    -- 'SL.computeRandomnessStabilisationWindow'.
+    praosRandomnessStabilisationWindow :: !Word64
   }
   deriving (Generic, NoThunks)
 
@@ -462,7 +467,7 @@ instance PraosCrypto c => ConsensusProtocol (Praos c) where
   -- - Update the operational certificate counter.
   reupdateChainDepState
     _cfg@( PraosConfig
-             PraosParams {praosSecurityParam, praosLeaderF}
+             PraosParams {praosRandomnessStabilisationWindow}
              ei
            )
     b
@@ -473,7 +478,7 @@ instance PraosCrypto c => ConsensusProtocol (Praos c) where
           praosStateLabNonce = prevHashToNonce (Views.hvPrevHash b),
           praosStateEvolvingNonce = newEvolvingNonce,
           praosStateCandidateNonce =
-            if slot +* Duration stabilityWindow < firstSlotNextEpoch
+            if slot +* Duration praosRandomnessStabilisationWindow < firstSlotNextEpoch
               then newEvolvingNonce
               else praosStateCandidateNonce cs,
           praosStateOCertCounters =
@@ -489,8 +494,6 @@ instance PraosCrypto c => ConsensusProtocol (Praos c) where
           let nextEpoch = EpochNo $ currentEpochNo + 1
           epochInfoFirst epochInfoWithErr nextEpoch
         cs = tickedPraosStateChainDepState tcs
-        stabilityWindow =
-          computeStabilityWindow (maxRollbacks praosSecurityParam) praosLeaderF
         eta = vrfNonceValue (Proxy @c) $ Views.hvVrfRes b
         newEvolvingNonce = praosStateEvolvingNonce cs ⭒ eta
         OCert _ n _ _ = Views.hvOCert b

ouroboros-consensus-protocol/src/ouroboros-consensus-protocol/Ouroboros/Consensus/Protocol/Praos/Translate.hs

@@ -18,12 +18,11 @@ import qualified Cardano.Protocol.TPraos.Rules.Prtcl as SL
 import qualified Cardano.Protocol.TPraos.Rules.Tickn as SL
 import           Data.Coerce (coerce)
 import qualified Data.Map.Strict as Map
-import           Ouroboros.Consensus.Protocol.Praos (ConsensusConfig (..),
-                     Praos, PraosParams (..), PraosState (..))
+import           Ouroboros.Consensus.Protocol.Praos (Praos, PraosState (..))
 import           Ouroboros.Consensus.Protocol.Praos.Views
                      (LedgerView (lvMaxBodySize, lvMaxHeaderSize, lvProtocolVersion))
 import qualified Ouroboros.Consensus.Protocol.Praos.Views as Views
-import           Ouroboros.Consensus.Protocol.TPraos (TPraos, TPraosParams (..),
+import           Ouroboros.Consensus.Protocol.TPraos (TPraos,
                      TPraosState (tpraosStateChainDepState, tpraosStateLastSlot))
 import           Ouroboros.Consensus.Protocol.Translate (TranslateProto (..))
 
@@ -45,23 +44,6 @@ instance
   ) =>
   TranslateProto (TPraos c1) (Praos c2)
   where
-  translateConsensusConfig TPraosConfig {tpraosParams, tpraosEpochInfo} =
-    PraosConfig
-      { praosParams =
-          PraosParams
-            { praosSlotsPerKESPeriod = tpraosSlotsPerKESPeriod tpraosParams,
-              praosLeaderF = tpraosLeaderF tpraosParams,
-              praosSecurityParam = tpraosSecurityParam tpraosParams,
-              praosMaxKESEvo = tpraosMaxKESEvo tpraosParams,
-              praosQuorum = tpraosQuorum tpraosParams,
-              praosMaxMajorPV = tpraosMaxMajorPV tpraosParams,
-              praosMaxLovelaceSupply = tpraosMaxLovelaceSupply tpraosParams,
-              praosNetworkId = tpraosNetworkId tpraosParams,
-              praosSystemStart = tpraosSystemStart tpraosParams
-            },
-        praosEpochInfo = tpraosEpochInfo
-      }
-
   translateLedgerView SL.LedgerView {SL.lvPoolDistr, SL.lvChainChecks} =
       Views.LedgerView
         { Views.lvPoolDistr = coercePoolDistr lvPoolDistr,

ouroboros-consensus-protocol/src/ouroboros-consensus-protocol/Ouroboros/Consensus/Protocol/Translate.hs

@@ -9,8 +9,6 @@ import           Ouroboros.Consensus.Protocol.Abstract
 -- | Translate across protocols
 class TranslateProto protoFrom protoTo
   where
-  translateConsensusConfig ::
-    ConsensusConfig protoFrom -> ConsensusConfig protoTo
   -- | Translate the ledger view.
   translateLedgerView ::
     LedgerView protoFrom -> LedgerView protoTo
@@ -20,6 +18,5 @@ class TranslateProto protoFrom protoTo
 -- | Degenerate instance - we may always translate from a protocol to itself.
 instance TranslateProto singleProto singleProto
   where
-  translateConsensusConfig = id
   translateLedgerView = id
   translateChainDepState = id