formal-models: extend dBFT with additional post-commit phase

Close #111. The additional step is called RMSendAck and allows to send
Ack message once enough Commit messages are received. Block can be
accepted only if BFT number of Ack messages are collected.

Signed-off-by: Anna Shaleva <[email protected]>

formal-models/README.md

@@ -356,6 +356,66 @@ configuration:
 * [TLA⁺ specification](./dbft2.1_centralizedCV/dbftCentralizedCV.tla)
 * [TLC Model Checker configuration](./dbft2.1_centralizedCV/dbftCentralizedCV___AllGoodModel.launch)
 
+## dBFT 3.0 (MEV-resistant) models
+
+The [Neo X chain](https://docs.banelabs.org/) uses dBFT 2.0 algorithm as a consensus engine. As a part of
+the Neo X anti-MEV feature implementation, the dBFT 2.0 extension was designed to
+provide a single-block finality for the encrypted transactions (a.k.a. envelope
+transactions). Compared to the dBFT 2.0, MEV-resistant dBFT algorithm includes an
+additional `post-Commit` phase that is required to be passed through by the consensus
+nodes before the block acceptance. This phase allows consensus nodes to exchange some
+additional data related to the encrypted transactions and to the final state of the
+accepting block using the new type of consensus messages. The improved protocol
+based on the dBFT 2.0 with an additional phase will be referred below as dBFT 3.0.
+
+We've checked dBFT 3.0 model with the TLC Model Checker against the same
+set of launch configurations that was used to reveal the liveness problems of the
+[basic dBFT 2.0 model](#basic-dbft-20-model). The extended 3.0 model brings no extra
+problems to the protocol, but it has been proved that this model has exactly the same
+[liveness bug](https://github.com/neo-project/neo-modules/issues/792) that the
+original dBFT 2.0 model has which is expected.
+
+### Basic dBFT 3.0 (MEV-resistant) model
+
+This specification is an extension of the
+[basic dBFT 2.0 model](#basic-dbft-20-model). Compared to the base model, dBFT 3.0
+specification additionally includes:
+
+1. New message type `Ack` aimed to reflect the additional `Acknowledgement` protocol
+   message that should be sent by resource manager if at least `M` `Commit`
+   messages were collected by the node.
+2. New resource manager state `ackSent` aimed to reflect the `post-Commit` phase of
+   the protocol, i.e. a consensus node state when it has sent the `Acknowledgement`
+   message but has not accepted the block yet.
+3. New specification step `RMSendAck` describing the transition between `Commit` and
+   `post-Commit` phases of the protocol, or, which is the same, the transition from
+   `commitSent` to `ackSent` resource managers state. This step allows the resource
+   manager to send `Ack` message if at least `M` valid `Commit` messages are
+   collected.
+4. Adjusted behaviour of `RMAcceptBlock` step: block acceptance is possible iff the
+   node has sent the `Acknowledgement` message and there are at least `M` `Ack`
+   messages collected by the node.
+5. Adjusted behaviour of "faulty" resource managers: allow malicious nodes to send an
+   `Ack` message via `RMFaultySendAck` step.
+
+It should be noted that, in comparison with the dBFT 2.0 protocol where the node is
+being locked in the `Commit` phase until the block acceptance, the extended dBFT 3.0
+does not allow to accept the block in the `Commit` phase. However, it allows the node
+to move from `Commit` phase further to the `post-Commit` phase and locks the node at
+this state until the block acceptance. No view change may be initiated or accepted by
+a node entered the `post-Commit` phase.
+
+Here's the scheme of transitions between consensus node states for the dBFT 3.0
+algorithm:
+
+![Basic dBFT 3.0 (MEV-resistant) model transitions scheme](./.github/dbft3.0.png)
+
+Here you can find the specification file and the basic dBFT 3.0 TLC Model Checker
+launch configuration for the four "honest" consensus nodes scenario:
+
+* [TLA⁺ specification](./dbft3.0/dbft.tla)
+* [TLC Model Checker configuration](./dbft3.0/dbft___AllGoodModel.launch)
+
 ## How to run/check the TLA⁺ specification
 
 ### Prerequirements