Add state representation

[adlerjohn]

Define the state and the validator set.

Rendered:

• https://github.com/LazyLedger/lazyledger-specs/blob/adlerjohn-state_representation/specs/data_structures.md
• https://github.com/LazyLedger/lazyledger-specs/blob/adlerjohn-state_representation/specs/consensus.md
• https://github.com/lazyledger/lazyledger-specs/blob/adlerjohn-state_representation/rationale/distributing_rewards.md

[liamsi]

Why can't accounts delegate to several validators? Also maybe:

Suggested change

	| `delegatedValidator` | [Address](#address) | _Optional._ The validator this is account is delegating to. |
	| `delegatedValidator` | [Address](#address) | _Optional._ The validator this account is delegating to. |

[adlerjohn]

Because that would add complexity (you'd have to hold a variable number of validators and the number of coins each of them is delegated), and if someone wants to delegate their coins to two validators they can just...split up their coins into two accounts.

[adlerjohn]

This scheme (which isn't obvious from the data structures, but will be written in the consensus rules) is: "all the coins in an account are either delegated or not; if they're delegated they must be delegated to a single validator."

[liamsi]

From a user (holding coins) and a UX perspective, splitting up coins into separate accounts whenever you want to delegate to more than one validator also adds complexity, but one the human (not on the software).

Note that in the few delegations based PoS systems that launched, you can usually delegate to one or more validators. This is also true in Cosmos / the cosmos-sdk. Most users I know delegate to several validators to keep the network decentralized (and to hedge their risks).

[adlerjohn]

Hmm. I don't see why this can't be abstracted away at the application layer, rather than having to be pushed to the user layer. Moving a portion of your coins to a new address then delegating them (as well as the reverse) can be done just as seamlessly in a wallet---one button press. Users don't even have to know it's happening! It's basically UTXO management; most Bitcoin wallets don't present to lay users each individual UTXO, just their total balance.

Allowing an arbitrary number of delegations per account means fraud proofs are more complex and expensive.

That being said, given that we're using the accounts data model for now, one downside of essentially emulating UTXOs for delegating stake is that the nonce of empty accounts still needs to be kept around forever (which reminds me, a nonce field needs to be added).

[musalbas]

I feel that it would actually be more intuitive from a UX perspective to require users to split their coins into different accounts to delegate to different validators. It's the logical purpose of accounts - the same way you might have multiple savings accounts for different purposes.

It seems more complicated from a UX perspective to have users enter each validator they want to delegate to and the amount in some kind of table.

[liamsi]

It's the logical purpose of accounts - the same way you might have multiple savings accounts for different purposes.

But here you'd have multiple accounts for one purpose: namely delegating to validators. Having a different account per validator would be like opening a broker account per same type of investment (or one "account" per stock or bond you buy).

[adlerjohn]

Major changes since last review:

1. Changed tables to code snippets for consensus rules.
2. Use state subtrees to store accounts, active validator set, active validator count, and inactive validator set. The latter is used to make all delegation operations on inactive validators quite a bit cheaper (less hashing and guaranteed parallelization of hashing).

[liamsi]

Shouldn't this be part of the validator subtree (e.g the left-most branch in the validator subtree contains the count)? Why do we need this again? Isn't that implicitly given by the number of leaves in the subtree that aren't default values (i.e. no active validators).

[adlerjohn]

It could, but mangling multiple leaf types into a single tree (or subtree) makes things more complicated. E.g. you'd need subtree-specific logic if you want to parallelize updating the validator set and the validator count state. If they're in separate subtrees then you can have a single global whole-SMT-level process that handles updating subtrees in parallel.

The validator count is needed not for light nodes knowing they've downloaded the entire validator set, but for proving with a fraud proof that the number of active validators exceeds the maximum.

See other comment further down for some more on this.

[liamsi]

In tendermint, the header references current and next validators:
https://github.com/tendermint/tendermint/blob/206c814a8e64cb4b9eb2abbb2fdadc6933b28584/types/block.go#L352-L353

Should we have two subtrees for that? Or, further split the validator subtree? The number of validators should easily fit into that tree in any case.

[adlerjohn]

This isn't needed with immediate execution. Regardless, the validator set for the current block is the next validator set of the previous block, so we don't need to maintain two trees. Only the next validator set is needed to be stored in the tree at any given time.

[liamsi]

Only the next validator set is needed to be stored in the tree at any given time.

That makes sense. I'm wondering if there is a reason in tendermint for having both validator sets referenced. Might have to do with deferred execution (related tendermint/tendermint#2483) or maybe it is just for convenience 🤔

[liamsi]

Regardless, the validator set for the current block is the next validator set of the previous block,

How would a light client verify this property efficiently if only the next valset is stored & merkelized? Doesn't it need a commit to the next valst (of the previous block) that can be easyily verified on the current block (e.g. via a root included int the header) without recomputing the cur vals?

[adlerjohn]

Transcluding conversation from Slack:

Under immediate execution, the next validator set is actually committed to in the last intermediate state root's active validator set subtree.

It might be worth it to have a dedicated field in the block header for this, and just making sure it matches up with the last intermediate state root's active validator subtree root.

[liamsi]

@buchmann clarified here why both hashes are part of the header (and not just the state root/tree) in tendermint:
celestiaorg/celestia-core#3 (comment)

[liamsi]

Effectively, this means that the hash used in the subtree returns 31 bytes.

[adlerjohn]

Not the hash function in general, but specifically how the key is calculated, yes.

[liamsi]

If we say it's the hash function, this is easier to formalize. e.g. we can say the key for an account in the set Accs tree is computed as:
key := subtree_id || hash_st(address),
where hash_st could be any cryptographic hash function with 31 byte/248 bit output: hash_st: Accs -> {0,1}^248

[adlerjohn]

Hmm. I'm not really a fan because that would mean we need 1) a different hashing function for each subtree (not great, not terrible) and 2) to slice off the first byte of every single hashing operation. That cost will add up quickly, especially if doing proofs in smart contracts.

I'd much prefer just changing how the keys are calculated, which is a one-time calculation per leaf.

[liamsi]

IMO It's just another way to writing down the same thing though (of course in 2) the slicing off could be done more efficiently by replacing the 1st byte instead; but this is just an implementation detail).

[liamsi]

imo this should be part of validator subtree:
f1cba75#r439773622

[adlerjohn]

Unlike moving the inactive validator set into the accounts subtree, I might be okay with moving the validator count into the active validators subtree because it's guaranteed to be in a fixed location.

[liamsi]

I think it semantically belongs to the validator subtree and also a single value tree seems weird.

[adlerjohn]

Alright, will migrate the count into the active validators subtree.

[adlerjohn]

Fixed in 4d87996.

[liamsi]

If it is clear that we will stick with deferred execution for a while (probably after launch even), should the first version of the spec adhere to this too? (then this would be state after the last block's transactions are applied).

Whenever (if) we decide to drop deferred execution, we can update the spec to another version.

[adlerjohn]

We need immediate execution for fee burning (which IMO is 100% necessary, for testnet at the latest). Minting new coins is a source, and there are two ways to have sinks:

1. state rent
2. fee burning

We can't really do the former for obvious reasons, so we're left with the latter. Sinks create intrinsic demand for the currency, a property that cannot be accomplished any way else (which is why taxes---a sink---are still a thing even if the government can print money---a source). And fee burning requires immediate execution.

[liamsi]

I was under the impression, we will have a first test-net without switching to immediate execution. If we will use deferred execution only in dev-nets, it's probably OK that the spec and the implementation diverge for a while I guess.

We might have to re-discuss this when we are closer to a first dev-net iteration.

[adlerjohn]

By testnet above I guess I meant "testnet with mainnet configuration." We could have more public testnets (e.g. PoA ones) before that, along with non-feature-complete devnets, that don't need immediate execution because there are no incentives and we can just assume the single operator isn't making invalid blocks.

[liamsi]

Are these in relation to the current block or a commitment to the next block (i.e. the next block will be signed by the vals in ACTIVE_VALIDATORS_SUBTREE?

[adlerjohn]

These represent the most current state after each and every transaction. But the state root committed to in the block header is after all transactions in the block have been applied (under immediate execution).

[liamsi]

This is amazing work @adlerjohn 💪