Initial erasure-coding of availability data #56
Conversation
rphmeier
force-pushed
the
rh-erasure-coding
branch
from
f366062
to
e299095
Compare
rphmeier
added
A0-please_review
erasure-coding/Cargo.toml
Outdated
|
|
||
| [dependencies] | ||
| polkadot-primitives = { path = "../primitives" } | ||
| reed-solomon-erasure = { git = "https://github.com/paritytech/reed-solomon-erasure", branch = "rh-usable-gf16" } |
There was a problem hiding this comment.
We will switch to "0.4" when that is published.
|
I don't know why it says the travis build failed; if you go to the site it says it passed. |
|
would be good to get a review from someone familiar with the underlying algorithm (like jeff?). code looks clean enough from my pov. |
|
(erasure-coding logic was reviewed by @drskalman outside of github) |
| impl CodeParams { | ||
| // the shard length needed for a payload with initial size `base_len`. | ||
| fn shard_len(&self, base_len: usize) -> usize { | ||
| (base_len / self.data_shards) + (base_len % self.data_shards) |
There was a problem hiding this comment.
I'd expect (base_len-1) / self.data_shards + 1 here.
There was a problem hiding this comment.
After the confusion below I'd expect (base_len-1+8) / self.data_shards + 1 here. And modify the last shard to state its length at the end. And @drskalman points out that parity codec just ads the length too.
There was a problem hiding this comment.
8 seems very arbitrary?
There was a problem hiding this comment.
base_len / self.data_shards + (base_len % self.data_shards != 0) as usize
| (base_len / self.data_shards) + (base_len % self.data_shards) | ||
| } | ||
|
|
||
| fn make_shards_for(&self, payload: &[u8]) -> Vec<WrappedShard> { |
There was a problem hiding this comment.
According to @drskalman parity codec handled the length so I'd expect very roughly:
pub(crate) struct WrappedShard<B: Borrow<[u8]>> {
inner: B,
}
fn make_shards_for<'a>(&self, payload: &'a [u8]) -> impl Iterator<Item=WrappedShard<Cow<'a,[u8]>>> {
let shard_len = self.shard_len(payload.len());
payload.chunks(shard_len).map(|c| {
if c.len() == shard_len {
WrappedShard { inner: Cow::Borrowed(c) }
} else {
let mut moo = vec![0; shard_len];
let l = c.len();
moo[..l].copy_from_slice(&c[..l]);
WrappedShard { inner: Cow::Owned(moo) }
}
})
}
but I suppose Cows are complete overkill here, so probably just Vec and the else branch for all.
There was a problem hiding this comment.
I suppose the existing code works fine actually. I just expected to need to change this fn after shortening shard_len above.
There was a problem hiding this comment.
Oh I see! You need the total payload length encoded. Sorry I didn't read very carefully.
In any case, your current shard_len function will give a bunch of zero len shards, but the current code works I think.
There was a problem hiding this comment.
So I suggest to use payload.encode() instead of payload and then don't worry about the length as all shards are the same size and we recover the total length using SCALE codec.
There was a problem hiding this comment.
The reason we prepend the length to each shard is explained in the comment above. It's because lists of element of GF(2^16), when treated as byte-slices, always have even length. However, our shard length might be odd. So we need to signal whether there is a trailing zero byte that we should skip when decoding, and prepending the length to each shard has been an easy way to do that (although not the most efficient). I filed #88 to address that.
I don't think prepending the length to the payload actually helps at all.
There was a problem hiding this comment.
What I will do, I think, is round up shard_len to the next even number. Then, the last shards will have (cumulatively) n_validators more zero bytes, but for long payloads this doesn't really matter much. And it's easier to decode anyway, since we don't have to reason about the extra byte at the end.
| return Err(Error::BadPayload); | ||
| } | ||
|
|
||
| let mut shards = params.make_shards_for(&encoded[..]); |
There was a problem hiding this comment.
Ahh okay no reason in Cows here, even if the ones outside my house are cute. ;) And no reason for the complexity of arenas here.
| // make a reed-solomon instance. | ||
| fn make_encoder(&self) -> ReedSolomon { | ||
| ReedSolomon::new(self.data_shards, self.parity_shards) | ||
| .expect("this struct is not created with invalid shard number; qed") |
There was a problem hiding this comment.
double negative in this expect string
| -> Result<(BlockData, Extrinsic), Error> | ||
| where I: IntoIterator<Item=(&'a [u8], usize)> | ||
| { | ||
| let params = code_params(n_validators)?; |
There was a problem hiding this comment.
We might worry about n_validators being the same on both sides here. We also cannot trust the encoded data for n_validators because then an adversary can manipulate it, so I believe this is fine but maybe the comment should emphasize that n_validators must be correct or else we create invalid slashing attacks.
There was a problem hiding this comment.
Also I think you meant more than 256 here
There was a problem hiding this comment.
I think the generator of the erasure code should append n to each shard along side with the Merkle root and sign on it. I'll talk to Al to update the protocol.
There was a problem hiding this comment.
Al says the number of Validators changes in order of once a year. And it is off course retrievable from state root. He also reiterate there is no harm to add this the pieces. Your call then.
| where I: IntoIterator<Item=(&'a [u8], usize)> | ||
| { | ||
| let params = code_params(n_validators)?; | ||
| let mut shards: Vec<Option<WrappedShard>> = vec![None; n_validators]; |
There was a problem hiding this comment.
You could maybe avoid the option by doing map and collect below, but whatever.
There was a problem hiding this comment.
I haven't looked at this code for a while, but I think the Option is necessary because of the API of erasure-coding.
| let params = code_params(n_validators)?; | ||
| let mut shards: Vec<Option<WrappedShard>> = vec![None; n_validators]; | ||
| let mut shard_len = None; | ||
| for (chunk_data, chunk_idx) in chunks.into_iter().take(n_validators) { |
There was a problem hiding this comment.
I'd probably do
let mut chunks = chunks.into_iter();
for (chunk_data, chunk_idx) in chunks.by_ref().take(n_validators) {
...
}
if chunks.next() != None { return Err(...); }
|
Just curious, I take it both Branches and fns like reconstruct get called from another crate, so presumably reconstruct does not quite work as a method on Branches or whatever? Not that this matters much. :) |
|
I'm happy with this modulo wasting 4 bytes per shard and |
| impl CodeParams { | ||
| // the shard length needed for a payload with initial size `base_len`. | ||
| fn shard_len(&self, base_len: usize) -> usize { | ||
| (base_len / self.data_shards) + (base_len % self.data_shards) |
There was a problem hiding this comment.
base_len=19 data_shards = 10 logically shard of length 2 should do but now we end up with 19/10 + 9= 10 shard of length 10? So what @burdges says: (base_len-1) / self.data_shards + 1
There was a problem hiding this comment.
I don't think that's right, though.
base_len = 19 data_shards = 5. We need shard length 4 to fit the whole payload.
18 / 6 = 3.
There was a problem hiding this comment.
the formula is
((base_len -1)/ self.data_shards) + 1
(divison has higher priority than addition) or simpler
(base_len + self.data_shards - 1)/self.data_shards
but as you said we should avoid odd shard length so check if it is odd and add one to it.
| (base_len / self.data_shards) + (base_len % self.data_shards) | ||
| } | ||
|
|
||
| fn make_shards_for(&self, payload: &[u8]) -> Vec<WrappedShard> { |
There was a problem hiding this comment.
So I suggest to use payload.encode() instead of payload and then don't worry about the length as all shards are the same size and we recover the total length using SCALE codec.
| /// The indices of the present chunks must be indicated. If too few chunks | ||
| /// are provided, recovery is not possible. | ||
| /// | ||
| /// Works only up to 256 validators, and `n_validators` must be non-zero. |
There was a problem hiding this comment.
So this needs to be 65536
| -> Result<(BlockData, Extrinsic), Error> | ||
| where I: IntoIterator<Item=(&'a [u8], usize)> | ||
| { | ||
| let params = code_params(n_validators)?; |
There was a problem hiding this comment.
I think the generator of the erasure code should append n to each shard along side with the Merkle root and sign on it. I'll talk to Al to update the protocol.
|
|
||
| /// Obtain erasure-coded chunks, one for each validator. | ||
| /// | ||
| /// Works only up to 256 validators, and `n_validators` must be non-zero. |
There was a problem hiding this comment.
The bound should be 65536
| -> Result<(BlockData, Extrinsic), Error> | ||
| where I: IntoIterator<Item=(&'a [u8], usize)> | ||
| { | ||
| let params = code_params(n_validators)?; |
There was a problem hiding this comment.
Al says the number of Validators changes in order of once a year. And it is off course retrievable from state root. He also reiterate there is no harm to add this the pieces. Your call then.
|
|
||
| assert_eq!(proofs.len(), 10); | ||
|
|
||
| for (i, proof) in proofs.into_iter().enumerate() { |
There was a problem hiding this comment.
I'm not sure, I'm getting this correctly. I think each Merkle proof should contains the hash value of the siblings of all nodes in your branch. So you can compute your hash way up to the root. Am I missing something?
There was a problem hiding this comment.
we are just including all the nodes on the path -- that's how you generally do merkle proofs for 16-radix (which we are using here)
There was a problem hiding this comment.
I verified with @burdges, you need the co-path not the path. On a binary tree it is all the other children of the nodes on the path.
There was a problem hiding this comment.
@burdges why do we need the co-path? the path seems to work (although can be optimized by omitting the hash of the child we are traversing to from branches)
There was a problem hiding this comment.
(have chatted with @burdges in Riot and confirmed that it is correct as-is for the patricia trie)
|
In a Merkle tree, we always use siblings of the actual path, which I've once or twice heard referred to as a copath. I have not yet understood at what point TrieDB, etc. actually hashes the siblings inside https://github.com/paritytech/trie/blob/master/trie-db/src/triedbmut.rs#L850 but maybe it's buried inside this DB crate, except they looked like just hash maps. Just to clarify terminology: If I have a Merkle tree with four elements then I compute the root like so a proof of inclusion for In usual terminology, the "branch" containing Both sequences do end with the root, but the branch provides no inclusion proof. All values in the branch are computed in verifying the inclusion proof, but the two important values in the inclusion proof cannot be computed from the branch. I presume this module should produce the inclusion proofs somewhere? |
|
Rob explained that each level should contain all 16 children, which explains the extra nested |
|
I'm satisfied. It's a strange library design heavily optimized for other things, but whatever. |
|
At present, we verify a proof by inserting a branch into a patricia trie database using Also, we can compress these proofs by a factor of like 8 by using 16 byte hashes and doing the hashing as a binary tree instead of doing 16 fragments at each depth. |
this is not correct. MemoryDB is just a lookup from hash to node data, and in fact is implemented with a HashMap internally -- whose order is non-deterministic. The Check out the definition of the patricia trie -- I'm not sure that the binary tree hashing method you describe is actually more efficient, because we are currently only doing 1 hash for each node we traverse. The only optimization I am aware that you can do is a space optimization where you inline the nodes in the path that you are interested in and transmit everything inline. |
Ok but the point remains: Your adversary can build anything they like here, which appears harmless but sounds less fault tolerant elsewhere.
A (virtual) binary tree for hashing is 8 times more space efficient. As you consume 8 times less data, it'll have similar performance for creation if you optimize the hash function choice, but verification should be much faster my way. If you look into the blake2b analysis, you might find that chacha alone suffices to hash 2 x 16 bytes into 16 bytes, so creation costs 14 chacha runs vs like 16ish now, but verification cost only like 3 chacha vs the same 16ish the current way. You could reduce to 16 bytes without doing binary tree hashing, but verification remains slower. |
|
Yeah, the weakness in this code right now is that someone providing a proof could provide a bunch of extra data that is not in the lookup path. Because we know about the trie structure and the fact that it is a |
related: #51
This is most of step 2 in that issue -- the remaining bit is that the merkle root should be added to the candidate receipt.
This introduces the
polkadot-erasure-codingcrate, which will be used to create erasure-codings of all parachain data which much be kept available. Withnvalidators,fmaximum faulty, we create a coding ofnpieces where anyf+1can be used to recover the data.The crate for now contains utilities for:
row_number -> hash(row_data)Currently this has a limit on the number of supported validators at 65536, due to the fact that the underlying
reed-solomon-erasurecrate only supportsGF(2^16). This limit is unlikely to prove to be an issue for some time.