-
Notifications
You must be signed in to change notification settings - Fork 917
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Whisk: fix boostraping induced missed slots - zero proof #3481
base: dev
Are you sure you want to change the base?
Conversation
f6c6516
to
afcd1c2
Compare
afcd1c2
to
e47aa5b
Compare
assert IsValidWhiskOpeningProof(tracker, k_commitment, block.body.whisk_opening_proof) | ||
if block.body.whisk_opening_proof == WhiskTrackerProof(): | ||
# no proof signals tracker is created with insecure initial 'k' | ||
assert tracker.k_r_G == tracker.r_G * get_initial_whisk_k(block.proposer_index, 0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be get_initial_whisk_k()
or get_unique_whisk_k()
? What happens if that validator had to increase her counter in get_unique_whisk_k()
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good point, I think both get_initial_whisk_k(0)
and get_unique_whisk_k
may not return the correct k. get_unique_whisk_k
returns a k that unique among the set of commitments when the validator was onboarded. Now the set of commitments is different. So it may return a different k. An option is for the validator to submit k suffixed to the zero proof
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pushed a fix to allow the proposer to specify the nonce, while still ensuring proof of possession. This whole bootstrapping business is ugly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I'm not used to "nonce" and "proof of possession" being used in the context of Whisk. Can you describe a bit more what the latest changes aim to do? I also see you are digging into the guts of whisk_opening_proof
which is an opaque type.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nonce
in this context refers to the second argument of the get_initial_whisk_k
function. The output of get_unique_whisk_k
is dependent of which specific state it is run on. So we can't just call `get_unique_whisk_k(state) with this block state since it can produce a different result than when the validator was on-boarded into the protocol. I've added an illustrative example here https://hackmd.io/@dapplion/expensive_duty_discovery#Appendix-get_unique_whisk_k-non-determinism
So the proposer must tell protocol participants the specific nonce to use on get_unique_whisk_k()
. A hacky way to add this data without extra block body fields is to insert it into the zero-ed proof field.
- If non-zero: check proof
- If zero (section): read nonce from it
From the POV of the protocol the proof is still an opaque type, a string of bytes to pass to the crypto black box, which if partially zero-ed conveys meaning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whisk on its current spec will induce ~2% missed slot rate on the initial epochs after the fork, and over 12,000 cumulative missed slots during the first year post-fork. I've written this longer form doc that explains the cause of the issue, its likely-hood, and the patch to solve it.
https://hackmd.io/@dapplion/whisk_induced_missed_slots