Whisk: fix boostraping induced missed slots - zero proof #3481
Conversation
dapplion
force-pushed
the
whisk-missed-slots
branch
from
f6c6516
to
afcd1c2
Compare
dapplion
force-pushed
the
whisk-missed-slots
branch
from
afcd1c2
to
e47aa5b
Compare
| assert IsValidWhiskOpeningProof(tracker, k_commitment, block.body.whisk_opening_proof) | ||
| if block.body.whisk_opening_proof == WhiskTrackerProof(): | ||
| # no proof signals tracker is created with insecure initial 'k' | ||
| assert tracker.k_r_G == tracker.r_G * get_initial_whisk_k(block.proposer_index, 0) |
There was a problem hiding this comment.
Should this be get_initial_whisk_k() or get_unique_whisk_k()? What happens if that validator had to increase her counter in get_unique_whisk_k()?
There was a problem hiding this comment.
good point, I think both get_initial_whisk_k(0) and get_unique_whisk_k may not return the correct k. get_unique_whisk_k returns a k that unique among the set of commitments when the validator was onboarded. Now the set of commitments is different. So it may return a different k. An option is for the validator to submit k suffixed to the zero proof
There was a problem hiding this comment.
Pushed a fix to allow the proposer to specify the nonce, while still ensuring proof of possession. This whole bootstrapping business is ugly
There was a problem hiding this comment.
Hmm, I'm not used to "nonce" and "proof of possession" being used in the context of Whisk. Can you describe a bit more what the latest changes aim to do? I also see you are digging into the guts of whisk_opening_proof which is an opaque type.
There was a problem hiding this comment.
nonce in this context refers to the second argument of the get_initial_whisk_k function. The output of get_unique_whisk_k is dependent of which specific state it is run on. So we can't just call `get_unique_whisk_k(state) with this block state since it can produce a different result than when the validator was on-boarded into the protocol. I've added an illustrative example here https://hackmd.io/@dapplion/expensive_duty_discovery#Appendix-get_unique_whisk_k-non-determinism
So the proposer must tell protocol participants the specific nonce to use on get_unique_whisk_k(). A hacky way to add this data without extra block body fields is to insert it into the zero-ed proof field.
- If non-zero: check proof
- If zero (section): read nonce from it
From the POV of the protocol the proof is still an opaque type, a string of bytes to pass to the crypto black box, which if partially zero-ed conveys meaning.
dapplion
changed the title
dapplion
changed the title
Whisk on its current spec will induce ~2% missed slot rate on the initial epochs after the fork, and over 12,000 cumulative missed slots during the first year post-fork. I've written this longer form doc that explains the cause of the issue, its likely-hood, and the patch to solve it.
https://hackmd.io/@dapplion/whisk_induced_missed_slots