A TLA⁺ specification of the Crosslink2 protocol and its subprotocols, modeled as a state machine.
This specification is currently a proof of concept. It is not a complete or final specification of the Crosslink2 protocol. It is a work in progress and may change over time.
Feedback and improvements are very welcome!
The goal is to create a simple yet expressive model of the Crosslink2 protocol that allows us to reason about properties such as safety and liveness. The model should be easy to understand, modify, and extend while still capturing some of the protocol’s inherent complexity.
We model the Crosslink2 protocol and its subprotocols as a state machine with the following components:
-
bc_chains,bft_chains, andcrosslink2_chainsare sequences of chains. At any execution timetand for each nodei, we have a local chain for that node. For example,bft_chains[i]represents the BFT chain of nodeiat current timet. Chains are updated as the protocol executes. -
Initialization: At
t = 0, each chain for each node starts with the genesis block of its protocol. For example:bft_chains[i] = <<bft_genesis_block>>. -
State transitions (
t > 0): One or more of the following may occur:-
An honest BC-node updates its
bc_chainto the best chain and appends abc-block. -
An honest BFT-node updates its
bft_chainto the best chain and appends abft-block. -
A byzantine BFT-node may update its
bft_chainto a valid chain and append a faultybft-block. -
An honest Crosslink-node updates its view to a new finalized
finchain. -
The state remains unchanged.
-
The TLA⁺ specification is defined in crosslink2.tla. A generated PDF version is available at crosslink2.pdf.
You can run TLC to check invariants and properties of the specification. This is a non-terminating model, so you might want to stop TLC manually after a while.
Feedback, bug reports, and pull requests are welcome!
This project is released under the MIT License. See LICENSE for details.