|
1 | 1 | # The Zcash P2P Protocol Specification |
2 | 2 |
|
3 | | -A TLA+ model for the zcash p2p network that follows https://zips.z.cash/zip-0204 |
| 3 | +A TLA+ formal specification of the Zcash peer-to-peer network protocol, following [ZIP-0204](https://zips.z.cash/zip-0204). |
4 | 4 |
|
5 | | -- [protocol](protocol.tla) |
| 5 | +## Structure |
| 6 | + |
| 7 | +- [`messages.tla`](messages.tla) — Message constructors for all protocol messages (`version`, `verack`, `ping`, `pong`, `inv`, `getheaders`, `headers`, `getdata`, `block`). |
| 8 | +- [`protocol.tla`](protocol.tla) — Protocol actions, connection state machine, and liveness property. |
| 9 | +- [`protocol.cfg`](protocol.cfg) — TLC model checker configuration. |
| 10 | + |
| 11 | +## What is modeled |
| 12 | + |
| 13 | +The spec covers the connection lifecycle between peers: |
| 14 | + |
| 15 | +1. **Handshake** — `version` / `verack` exchange. |
| 16 | +2. **Keepalive** — `ping` / `pong` with nonce echo, triggered when a connection is idle. |
| 17 | +3. **Block sync** — `inv` → `getheaders` → `headers` → `getdata` → `block`, looping until the lagging peer catches up. |
| 18 | + |
| 19 | +Each connection is modeled as an explicit state machine with states: |
| 20 | +`init` → `version_sent` → `established` → `inv_sent` → `getheaders_sent` → `headers_sent` → `getdata_sent` ⇄ `block_received` → `synced` |
| 21 | + |
| 22 | +The spec verifies the **liveness property** `AllSynced`: eventually all peers reach the same block height (`<> ∀ i, j ∈ InitialPeers : nodes[i].blocks = nodes[j].blocks`). |
| 23 | + |
| 24 | +## Running the model checker |
| 25 | + |
| 26 | +Requires Java and [`tla2tools.jar`](https://github.com/tlaplus/tlaplus/releases/latest). |
| 27 | + |
| 28 | +```bash |
| 29 | +java -jar tla2tools.jar -config protocol.cfg protocol.tla |
| 30 | +``` |
| 31 | + |
| 32 | +## Generated PDFs |
| 33 | + |
| 34 | +Typeset versions of the spec are available in [`documents/`](documents/): |
| 35 | +- [`documents/protocol.pdf`](documents/protocol.pdf) |
| 36 | +- [`documents/messages.pdf`](documents/messages.pdf) |
| 37 | + |
| 38 | +PDFs are automatically regenerated by CI on every push to `main` that modifies `.tla` files. |
| 39 | + |
| 40 | +## Configuration |
| 41 | + |
| 42 | +| Constant | Default | Description | |
| 43 | +|---|---|---| |
| 44 | +| `InitialPeers` | `{"peer1", "peer2"}` | Set of peers in the model. Can be extended to more peers. | |
| 45 | +| `MaxBlock` | `3` | Maximum initial block height per peer | |
6 | 46 |
|
0 commit comments