-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP-0002: draft submission #18
Conversation
Given that in this case the author is the same as the WIP editor (myself), this draft will need someone else to act as a WIP editor replacement for assigning it a WIP number and eventually merge into master. |
Full textWIP: WIP-aesedepece-collaterals Layer: Consensus (hard fork) Title: Collateralization of Witnessing Activity Author: Adán SDPC Discussions-To: `#dev-general` channel on Witnet Comunnity's Discord server Status: Draft Type: Standards Track Created: 2020-03-09 License: BSD-2-Clause AbstractThis proposal introduces an upgrade that strengthens the overall security of the Witnet protocol by means of hindering any chance for an attacker to operate an unbounded number of identities in an attempt to tamper with data requests or abusing any of the protocol shared data structures (e.g. TRS and ARS). This crucial security feature is achieved by requiring witnesses to commit a certain amount of tokens to each of their commitment transactions, alike to a collateral, deposit or bond that they can only recoup if they abide by the protocol and pass the filters of the eventual tally function, in a similar fashion to the existing reputation protocol. Motivation and Rationale"Sybil resistance" refers to the ability of a protocol to endure the situation in which a single participant covertly operates multiple identities. These "Sybil attacks" tend to arise as soon as resources can be devoted to operating identities in a non-exclusive way, i.e. resources can be shared among them trivially. Open block chain protocols have traditionally solved this problem through the adoption of Proof-of-Work (PoW). In a PoW system, for a participant to convince the rest of the network to accept its blocks, a cryptographic proof of having performed a costly computation needs to be provided. Given that the computation is cryptographically bound to their private keys, the CPU / GPU cycles that have been devoted by one identity to "mine" a block cannot be reused for a separate identity. A different approach that has been explored in length by many protocols is Proof-of-Stake (PoS). The assumptions are somehow similar to the ones in PoW: each identity needs to commit a consumptive resource (tokens) for a certain amount of time. As those tokens are locked in escrow and cannot be moved from one identity to another (exclusiveness), the cost of operating multiple identities necessarily grows linearly with the number of identities. The main additional consideration in comparison to PoW is that some protocols may provide a "slashing" mechanism that makes attackers lose their staked tokens may someone provide cryptographic evidence of the attack. One of the fundamental design principles in the Witnet protocol is that barriers to entry need to be kept to a minimum so the network welcomes numerous and diverse node operators, as many of the security assumptions made so far are only expected to strictly hold true in a large scale non-coordinated scenario. As a consequence, the Witnet protocol tries to move away from PoW and rather takes an approach more alike to PoS. However, instead of staking tokens, participants are required to stake their "reputation score", which is a separate digital asset that cannot be traded. Reputation scores for each identity in the Witnet network are tracked through a pair of shared data structures called Total Reputation Set (TRS) and Active Reputation Set (ARS). For the scope of this document, it is worth mentioning that the VRF-powered cryptographic sortition algorithm that is used for selecting block proposers (a.k.a. RaPoE) weights in the size of the ARS for adjusting the "mining difficulty". That is, the more nodes that are considered "active", the more unlikely they need to be to produce a block candidate. Given all of that, it is of utmost importance that the ARS is properly curated so that identities appearing in it do represent actual nodes operated by independent participants. However, the current protocol can theoretically be abused in several ways so as to degrade the "representativeness" of the ARS or try to cope it with identities that are controlled by a single node operator or a coordinated operator cartel. This proposal introduces an upgrade to the Witnet protocol that requires identities to lock some of their tokens when participating in witnessing activities, with a view to hindering hypothetical attacks geared towards tampering with the ARS by means of operating a huge amount of identities in parallel (Sybil attack) so as to force some of them to pass the eligibility requirements, i.e. sneaking themselves into VRF committees so that they can always propose blocks or have a say in the result of a majority of the data requests in the network. SpecificationUnspent Transaction Outputs Set (UTXO Set)Age of an UTXO. Entries of the UTXO set need to be tagged with a reference to the block in which they were created so as to track how "old" are they in terms of how many blocks have been consolidated into the block chain since their creation. Age for existing UTXOs. Entries of the UTXO set that predate the eventual activation of this proposal must be tagged with a reference to the last block as of the last UTC midnight preceding the eventual activation of this proposal. In absence of any other block other than the genesis block in the block chain, the genesis block itself must be referenced. Data Request Transactions
message DataRequestOutput {
RADRequest data_request = 1;
uint64 witness_reward = 2;
uint32 witnesses = 3;
uint32 backup_witnesses = 4;
uint64 commit_fee = 5;
uint64 reveal_fee = 6;
uint64 tally_fee = 7;
uint32 extra_commit_rounds = 8;
uint32 extra_reveal_rounds = 9;
uint32 min_consensus_percentage = 10;
uint64 collateral = 11;
} This new Minimum value. The minimum value for the Optionality and defaults. The No maximum value. There is no need for enforcing a maximum value of the Commitment Transactions
message CommitTransactionBody {
Hash dr_pointer = 1;
Hash commitment = 2;
DataRequestEligibilityClaim proof = 3;
repeated Input inputs = 4;
repeated ValueTransferOutput outputs = 5;
} Age of the inputs. Inputs used in the No value is created. The aggregated value of
Collateral value comes from input. The difference between the total input value and the total output value (net value) needs to be greater than the
Miner-claimable fee. Any remaining value after substracting
The miner-claimable fee needs still to be equal than the Tally transactions
message TallyTransaction {
Hash dr_pointer = 1;
bytes tally = 2;
repeated ValueTransferOutput outputs = 3;
repeated PublicKeyHash slashed_witnesses = 4;
} Rewarded identities. In general terms, identities found in Slashed identities. Conversely, all identities found in Only committers are listed. For an identity to be present in All committers must be listed. All identities that produced commitment transactions for a data request that exist in the block chain prior to the tally transaction itself ("committers") must be present in either one of the No identity repetition. No identity can appear more than once in either the Requests with insufficient commits. Given a data request, may not exist enough commitments for it in the Missing reveals. All committers for which no valid reveal transaction exists in the block chain prior to the tally transaction itself must be listed in the Tally evaluation. The rules for deciding whether committers which have produced valid reveal transactions for the referred request such that they exist prior to the tally transaction itself (revealers) belong to the Change output. Given a request such that (1) it had insufficient commits, or (2) its count of committers outnumbers that of revealers, or (3) its count of slashed identies is not zero, or (4) any combination of 1, 2 and 3, a first
All outputs are equal in value. All the Value of the outputs. The value of every each of the
No value is created or destroyed. The aggregated value of all
The reputation system remains the same. Redistribution of reputation points across identities as a consequence of positive or negative consensus in the tally transactions and the rules and constants that govern such part of the protocol remain unchanged. Backwards Compatibility AssessmentConsensusThis proposal introduces significant changes to existing data structures, validation and consensus rules. Two new consensus constant, Protocol sessions that predate these changes are not valid under the validations put forth in this document. Protocol sessions abiding by the data structures and validation rules put forth in this document are not valid from the perspective of any compliant protocol implementation that predates these changes. On the basis of the above, there is more than enough evidence to assert that the content of this proposal is not backwards compatible from a data structures, peering, validations and consensus perspective, and that no healthy protocol session nor cooperative chain construction would be possible among two nodes from which one adopted these changes while the other did not. As it is considered best practice in such situations, an Adoption Plan is hereby proposed. Examples and DocumentationThe data structures affected by this proposal are internal to the block chain protocol and the peering protocol. Therefore this proposal triggers no update on existing examples or documentation. Libraries and ClientsBreaking changesThe data structures affected by this proposal belong to the Protocol Buffers schema definition, and therefore the changes hereby proposed may break existing libraries and clients. RecommendationsUnder the assumption that the amount of tokens that a single identity can possess is not unbounded, this proposal imposes an implicit rate limitation on the amount of data requests that a single identity can process per unit of time, as tokens devoted to participating in one data request cannot be relocated into a second data request until a certain period of time has passed. It is therefore in the best interest of participants willing to maximize their "witnessing bandwidth" to manage their UTXOs wisely so that they always have some spare UTXOs to devote to new data requests for which they may be eligible. For the convenience of those participants, it is recommended and expected that implementations of the witnessing protocol manage the UTXOs automatically, splitting or merging them when necessary so as to get enough spare UTXOs prepared for eventual data requests that may have collateral requirements of different amounts. Reference ImplementationThis proposal is a draft submitted for evaluation and eventual approval from the Witnet community. No reference implementation exists or is provided. More details on this can be found in the Adoption Plan below. Adoption PlanDue to the undeniable impact on consensus of this proposal, it becomes apparent that these protocol changes need to be introduced through a coordinated upgrade of the whole network. No special provision in this proposal mandates the application of distinct validation rules for transactions and blocks that predate its eventual activation. In consequence, the protocol changes proposed herein are expected to be applied on a newly bootstrapped block chain in which the updated protocol must be applied starting from the genesis block itself. With respect to the age of inputs created in the genesis block, in accordance with the Age for existing UTXOs section above, they will refer the genesis block itself. As provided for by WIP-0001, for this proposal to be moved from the Draft to the Proposed stage, it needs to be updated so as to (1) introduce a reference implementation, (2) propose a value for the AcknowledgementsThis proposal has been cooperatively devised by many individuals from the Witnet development community. |
Ok, I assign you the WIP-0002 |
ACK, I'll update the PR. Thanks @lrubiorod ! |
The PR is updated. As per WIP-0001, immediate next step for the editor (@lrubiorod) would be to review and merge this PR, ensuring that the new WIP document is listed as a Draft in README.md (this change is included in this PR for convenience) Once merged, next step would be moving to Proposed:
|
This change clarifies what happens if there is a remainder when sharing out the slashed collateral value among the rewardable identities.
Hey @lrubiorod take a look at the latest changes and if everything looks OK to you, please approve this so it is publicly listed in the README and we can move forward. |
wip-0002.md
Outdated
change = (reward + commit_fee) * (witnesses - committers_count) + | ||
(reward + reveal_fee) * (witnesses - revealers_count) + | ||
reward * slashed_count |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- (witnesses - revealers_count) = non revealers, this guys are included also in slashed_count so you can not include the reward two times
- non- committers are also non revealers so... same comment
Another possible formula could be:
change = reward * (witnesses - honests_count)
+ reveal_fee * (witnesses - reveals_count)
+ commit_fee * (witnesses - commits_count)
(Where honest_ count are node that produces a reveal that is in consensus with the majority)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about this:
change = (reward + commit_fee) * (witnesses - committers_count) +
reveal_fee * (committers_count - revealers_count) +
reward * slashed_count
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that it is the same as you posted but using slashed_count
instead of witnesses - honests_count
so as not to introduce another variable (honest_count
) and expressed chronologically (commitment first, then reveal, and finally the slashing).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in case of Insufficient commits error reveal_fee has to be returned to the data requester so...
change = (reward + commit_fee + reveal_fee) * (witnesses - committers_count) +
reveal_fee * (committers_count - revealers_count) +
reward * slashed_count
All changes applied. Thanks @lrubiorod for all the catches!!! |
This PR submits
WIP-aesedepece-collaterals
for it to be assigned a BIP number and being considered a formal WIP draft.Collateralization of Witnessing Activity
Abstract
This proposal introduces an upgrade that strengthens the overall security of the Witnet protocol by means of hindering any chance for an attacker to operate an unbounded number of identities in an attempt to tamper with data requests or abusing any of the protocol shared data structures (e.g. TRS and ARS).
This crucial security feature is achieved by requiring witnesses to commit a certain amount of tokens to each of their commitment transactions, alike to a collateral, deposit or bond that they can only recoup if they abide by the protocol and pass the filters of the eventual tally function, in a similar fashion to the existing reputation protocol.
Full text is available in a separate comment below.
WIP stage
As provided for by WIP-0001, for this proposal to be moved from the Draft to the Proposed stage, it needs to be updated so as to (1) introduce a reference implementation, (2) propose a value for the
collateral_age
andcollateral_minimum
consensus constant, and (3) propose a date for activation.