|
|
|---|
|
|
|
|---|
Check if an
(endorse-possiblep prop endor systate) → yes/no
The
For the event to occur, the network must contain a proposal message that consists of the proposal and the endorser as destination: that is, the proposal must be addressed to the endorser. The message is isomorphic to the event, in fact.
If the endorser is faulty, there is no further condition.
If the faulty validators decided not to endorse the proposal instead,
that would be a non-event, i.e. it would not be represented by this event:
an
If the endorser is correct, the following conditions must hold:
Some of these conditions are the same as in propose-possiblep. This is unsurprising, because (correct) authors and endorsers must perform similar checks.
Note that, as in propose-possiblep, the endorser does not check that the authors of the previous certificates are members of the active committee at the previous round. The reason is that this is an invariant, so it can be safely skipped. Indeed, we use committee-validators-stake to check the quorum the condition.
The same observation about (non-)empty committees applies here, which is made in the documentation of propose-possiblep.
Function:
(defun endorse-possiblep (prop endor systate) (declare (xargs :guard (and (proposalp prop) (addressp endor) (system-statep systate)))) (let ((__function__ 'endorse-possiblep)) (declare (ignorable __function__)) (b* ((msg (make-message-proposal :proposal prop :destination endor)) ((unless (in msg (get-network-state systate))) nil) ((when (not (in (address-fix endor) (correct-addresses systate)))) t) ((proposal prop) prop) ((validator-state vstate) (get-validator-state endor systate)) (commtt (active-committee-at-round prop.round vstate.blockchain)) ((unless commtt) nil) ((unless (in prop.author (committee-members commtt))) nil) ((unless (in (address-fix endor) (committee-members commtt))) nil) ((unless (emptyp (certs-with-author+round prop.author prop.round vstate.dag))) nil) ((unless (emptyp (props-with-author+round prop.author prop.round vstate.endorsed))) nil) ((when (= prop.round 1)) (emptyp prop.previous)) ((when (emptyp prop.previous)) nil) ((unless (subset prop.previous (cert-set->author-set (certs-with-round (1- prop.round) vstate.dag)))) nil) (prev-commtt (active-committee-at-round (1- prop.round) vstate.blockchain)) ((unless (>= (committee-validators-stake prop.previous prev-commtt) (committee-quorum-stake prev-commtt))) nil)) t)))
Theorem:
(defthm booleanp-of-endorse-possiblep (b* ((yes/no (endorse-possiblep prop endor systate))) (booleanp yes/no)) :rule-classes :rewrite)
Theorem:
(defthm endorse-possiblep-of-proposal-fix-prop (equal (endorse-possiblep (proposal-fix prop) endor systate) (endorse-possiblep prop endor systate)))
Theorem:
(defthm endorse-possiblep-proposal-equiv-congruence-on-prop (implies (proposal-equiv prop prop-equiv) (equal (endorse-possiblep prop endor systate) (endorse-possiblep prop-equiv endor systate))) :rule-classes :congruence)
Theorem:
(defthm endorse-possiblep-of-address-fix-endor (equal (endorse-possiblep prop (address-fix endor) systate) (endorse-possiblep prop endor systate)))
Theorem:
(defthm endorse-possiblep-address-equiv-congruence-on-endor (implies (address-equiv endor endor-equiv) (equal (endorse-possiblep prop endor systate) (endorse-possiblep prop endor-equiv systate))) :rule-classes :congruence)
Theorem:
(defthm endorse-possiblep-of-system-state-fix-systate (equal (endorse-possiblep prop endor (system-state-fix systate)) (endorse-possiblep prop endor systate)))
Theorem:
(defthm endorse-possiblep-system-state-equiv-congruence-on-systate (implies (system-state-equiv systate systate-equiv) (equal (endorse-possiblep prop endor systate) (endorse-possiblep prop endor systate-equiv))) :rule-classes :congruence)