WIP-girazoki-multikey: draft submission #22
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
girazoki
force-pushed
the
multi_key
branch
2 times, most recently
from
0e69ab1
to
e79aea1
Compare
mariocao
suggested changes
Apr 24, 2020
wip-0003.md
Outdated
|
|
||
| This proposal discusses different options to handle both BLS and Secp256K1 keys in the Witnet network. This is a key feature for the connection with Ethereum, in particular to achieve high efficient verifications with subsidized curves by the EVM. | ||
|
|
||
| Nothe that the co-existence of different elliptic curve keys will be crutial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between Secp256k1 and ALTBN-128, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. |
There was a problem hiding this comment.
Suggested change
| Nothe that the co-existence of different elliptic curve keys will be crutial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between Secp256k1 and ALTBN-128, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. | |
| Note that the co-existence of different curve keys will be crucial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between *Secp256k1* and *ALTBN-128*, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. |
wip-0003.md
Outdated
|
|
||
| ## Motivation and Rationale | ||
|
|
||
| Implementing one-way decentralized bridges between two chains becomes a task that higly depends on the consensus protocol implemented by the chain whose transactions need to be verified. We will call this chain the source chain, while the chain in which the transactions are verified will be refered as the target chain. |
There was a problem hiding this comment.
Suggested change
| Implementing one-way decentralized bridges between two chains becomes a task that higly depends on the consensus protocol implemented by the chain whose transactions need to be verified. We will call this chain the source chain, while the chain in which the transactions are verified will be refered as the target chain. | |
| Implementing one-way decentralized bridges between two chains becomes a task that highly depends on the consensus protocol implemented by the chain whose transactions need to be verified. We will call this chain the *source chain* (i.e. the _Witnet chain_), while the chain in which the transactions are verified will be referred as the *target chain*. |
wip-0003.md
Outdated
|
|
||
| Implementing one-way decentralized bridges between two chains becomes a task that higly depends on the consensus protocol implemented by the chain whose transactions need to be verified. We will call this chain the source chain, while the chain in which the transactions are verified will be refered as the target chain. | ||
|
|
||
| Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically transactions are grouped in a merkle tree whose root is appended into the block header. Thus, a prover just needs to provide a valid merkle path to the merkle root to prove a transaction ocurred. |
There was a problem hiding this comment.
Suggested change
| Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically transactions are grouped in a merkle tree whose root is appended into the block header. Thus, a prover just needs to provide a valid merkle path to the merkle root to prove a transaction ocurred. | |
| Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically, transactions are grouped in a merkle tree whose root is appended into the block header. Thus, to prove a transaction you just need to provide a valid merkle path to the merkle root. |
wip-0003.md
Outdated
|
|
||
| Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically transactions are grouped in a merkle tree whose root is appended into the block header. Thus, a prover just needs to provide a valid merkle path to the merkle root to prove a transaction ocurred. | ||
|
|
||
| However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, we need to prove that at least 2/3 of the ARS (active reputation) supports a certain block header in order to consider it valid (or more specifically, final). This can become trully challenging in terms of efficiency. |
There was a problem hiding this comment.
Suggested change
| However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, we need to prove that at least 2/3 of the ARS (active reputation) supports a certain block header in order to consider it valid (or more specifically, final). This can become trully challenging in terms of efficiency. | |
| However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm, the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, we need to prove that at least 2/3 of the ARS (active reputation set) supports a certain block header in order to consider it valid (or more specifically, final). This can become truly challenging in terms of efficiency. |
I would be a little bit more generic with the specific conditions for a block valid (e.g. 2/3 of the ARS). They are not yet fully agreed. :P
wip-0003.md
Outdated
|
|
||
| However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, we need to prove that at least 2/3 of the ARS (active reputation) supports a certain block header in order to consider it valid (or more specifically, final). This can become trully challenging in terms of efficiency. | ||
|
|
||
| BLS signatures allow us to aggregate signatures provided by those members of the ARS. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to intra-chain sign transactions. |
There was a problem hiding this comment.
Suggested change
| BLS signatures allow us to aggregate signatures provided by those members of the ARS. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to intra-chain sign transactions. | |
| BLS signatures allow us to aggregate signatures provided by those members of the ARS. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is approximately 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to sign transactions internally in the _Witnet network_. |
I would rephrase the first sentence, e.g. "BLS curves allows us to aggregate signatures such as those provided by ARS members", or something like that 😄
aesedepece
changed the title
aesedepece
changed the title
|
I have renamed the PR to "WIP-girazoki-multikey" as provided for by WIP-0001:
|
girazoki
force-pushed
the
multi_key
branch
5 times, most recently
from
1bbc595
to
170f735
Compare
aesedepece
requested changes
Apr 27, 2020
wip-0003.md
Outdated
|
|
||
| ## Abstract | ||
|
|
||
| This proposal discusses different options to handle both BLS and Secp256K1 keys in the Witnet network. This is a key feature for the connection with Ethereum, in particular to achieve high efficient verifications with subsidized curves by the EVM. |
There was a problem hiding this comment.
Suggested change
| This proposal discusses different options to handle both BLS and Secp256K1 keys in the Witnet network. This is a key feature for the connection with Ethereum, in particular to achieve high efficient verifications with subsidized curves by the EVM. | |
| This proposal discusses different options to handle both BLS and Secp256K1 keys in the Witnet network. This is a key feature for interoperability with Ethereum, in particular to achieve highly efficient signature verifications by leveraging the curves that the EVM subsidizes. |
wip-0003.md
Outdated
|
|
||
| This proposal discusses different options to handle both BLS and Secp256K1 keys in the Witnet network. This is a key feature for the connection with Ethereum, in particular to achieve high efficient verifications with subsidized curves by the EVM. | ||
|
|
||
| Note that the co-existence of different curve keys will be crucial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between *Secp256k1* and *ALTBN-128*, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. |
There was a problem hiding this comment.
Suggested change
| Note that the co-existence of different curve keys will be crucial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between *Secp256k1* and *ALTBN-128*, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. | |
| The co-existence of different curve keys will be crucial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between *Secp256k1* and *ALTBN-128*, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. |
wip-0003.md
Outdated
|
|
||
| Implementing one-way decentralized bridges between two chains becomes a task that highly depends on the consensus protocol implemented by the chain whose transactions need to be verified. We will call this chain the *source chain* (i.e. the _Witnet chain_), while the chain in which the transactions are verified will be referred as the *target chain*. | ||
|
|
||
| Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically, transactions are grouped in a merkle tree whose root is appended into the block header. Thus, to prove a transaction you just need to provide a valid merkle path to the merkle root to prove a transaction ocurred. |
There was a problem hiding this comment.
Suggested change
| Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically, transactions are grouped in a merkle tree whose root is appended into the block header. Thus, to prove a transaction you just need to provide a valid merkle path to the merkle root to prove a transaction ocurred. | |
| Assuming the availability of the source chain's block headers on the target chain, one can easily verify that a transaction occurred in the source chain. Typically, transactions are grouped in a merkle tree whose root is inserted into the block header. Thus, to prove the existence of a transaction you just need to provide a valid merkle path that evinces that the hash of the transaction was undeniably inserted into the merkle tree at the time the block hash was appended to the source chain. |
wip-0003.md
Outdated
|
|
||
| Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically, transactions are grouped in a merkle tree whose root is appended into the block header. Thus, to prove a transaction you just need to provide a valid merkle path to the merkle root to prove a transaction ocurred. | ||
|
|
||
| However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, it is yet not decided which metric to use, but under BFT assumptions we can expect 2/3s of such metric holders to be honest, and therefore a block header validity will likely depend on the ability to demonstrate that those 2/3s agree on a specific value. This can become trully challenging in terms of efficiency. |
There was a problem hiding this comment.
Suggested change
| However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, it is yet not decided which metric to use, but under BFT assumptions we can expect 2/3s of such metric holders to be honest, and therefore a block header validity will likely depend on the ability to demonstrate that those 2/3s agree on a specific value. This can become trully challenging in terms of efficiency. | |
| However, ensuring the availability of the block headers in the target chain is not that straightforward, specially for non-PoW chains. PoW achieves probabilistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on a BFT algorithm that is based on an intra-chain metric (stake, reputation) the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, it is yet not decided which metric to use, but under BFT assumptions we can expect 2/3 of such metric holders to be honest, and therefore a block header validity will likely depend on the ability to demonstrate that those 2/3 agree on a specific value. This can become truly challenging in terms of efficiency. |
wip-0003.md
Outdated
|
|
||
| However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, it is yet not decided which metric to use, but under BFT assumptions we can expect 2/3s of such metric holders to be honest, and therefore a block header validity will likely depend on the ability to demonstrate that those 2/3s agree on a specific value. This can become trully challenging in terms of efficiency. | ||
|
|
||
| BLS signatures allow us to aggregate signatures provided by a set of group members. In the case of Witnet, those members will be the ARS, as the consensus of the Witnet chain is highly dependant on the reputation of each fo the peers. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is approximately 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to sign transactions internally in the _Witnet network_. |
There was a problem hiding this comment.
Suggested change
| BLS signatures allow us to aggregate signatures provided by a set of group members. In the case of Witnet, those members will be the ARS, as the consensus of the Witnet chain is highly dependant on the reputation of each fo the peers. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is approximately 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to sign transactions internally in the _Witnet network_. | |
| BLS signatures allow us to aggregate signatures provided by a set of group members. In the case of Witnet, those members will be the ARS, as the consensus of the Witnet chain is highly dependant on the reputation of each of the peers. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is approximately 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to sign transactions internally in the _Witnet network_. |
wip-0003.md
Outdated
|
|
||
| However, note that the reputation is today associated to the PKH of the Secp256K1 public key. However, ARS members in the ARS merkle root should be identifiable by their BLS public key, as this will be used to verify their aggregated signature. | ||
|
|
||
| Additionally, UTXOs are also associated with the PKH of the Secp256k1 public key. Given the clear overhead of implementing a BLS verification compared to a ECDSA verification, UTXOs should keep being spendable by secp256k1 private key holders. |
There was a problem hiding this comment.
Suggested change
| Additionally, UTXOs are also associated with the PKH of the Secp256k1 public key. Given the clear overhead of implementing a BLS verification compared to a ECDSA verification, UTXOs should keep being spendable by secp256k1 private key holders. | |
| Additionally, addresses and transaction outputs are also associated with the hash of the Secp256k1 public key. Given the clear overhead of implementing a BLS verification compared to a ECDSA verification, transaction outputs should keep being spendable by secp256k1 private key holders. |
wip-0003.md
Outdated
| ## Requirements | ||
| As already said before, we need to maintain a state about the ARS in the block headers that future blocks can be validated upon. Such information will be stored as a merkle root of all the identities and their position in the ARS. | ||
|
|
||
| However, note that the reputation is today associated to the PKH of the Secp256K1 public key. However, ARS members in the ARS merkle root should be identifiable by their BLS public key, as this will be used to verify their aggregated signature. |
There was a problem hiding this comment.
Suggested change
| However, note that the reputation is today associated to the PKH of the Secp256K1 public key. However, ARS members in the ARS merkle root should be identifiable by their BLS public key, as this will be used to verify their aggregated signature. | |
| Note that reputation score is currently associated to the hash of the Secp256K1 public key. However, ARS members in the ARS merkle root should be identifiable by their BLS public key, as this will be used to verify their aggregated signature. |
wip-0003.md
Outdated
|
|
||
| #### Information storage | ||
|
|
||
| **`secp256k1AltbnMap` mapping.** A new mapping to be stored in memory that is updated every time a new key is proposed. This mapping does not need to be stored on-chain, but can be constructed by information that is on-chain. This can be implemented can be extended to the struct TotalReputationSet: |
There was a problem hiding this comment.
Suggested change
| **`secp256k1AltbnMap` mapping.** A new mapping to be stored in memory that is updated every time a new key is proposed. This mapping does not need to be stored on-chain, but can be constructed by information that is on-chain. This can be implemented can be extended to the struct TotalReputationSet: | |
| **`secp256k1AltbnMap` mapping.** A new mapping to be stored in memory that is updated every time a new key is proposed. This mapping does not need to be stored on-chain, but can be constructed by information that is on-chain. This can be implemented as an extension of the `TotalReputationSet` structure: |
tmpolaczyk
reviewed
Apr 27, 2020
wip-0003.md
Outdated
|
|
||
| ```rust | ||
| // Everything here is pseudo-Rust, it's obviously not guaranteed to compile | ||
| struct TotalReputationSet { |
There was a problem hiding this comment.
Suggested change
| struct TotalReputationSet { | |
| struct ActiveReputationSet { |
The ARS is mentioned earlier, so why do we use the TRS here?
There was a problem hiding this comment.
AFAIK the ARS contains the active identities, but the isnt the information of the reputation hold by each identity stored in totalreputationset? I might be wrong here, it would be good if we can clarify a bit more. Since the key is information associated with each pkh, I thought it should be in the same place where the reputation of each identity is stored
There was a problem hiding this comment.
There is a small problem with storing the public key in the TRS: identities with null reputation aren't stored there. So for example an identity that mines a block is counted as "active", but has no extra reputation.
We can change the behavior of the TRS to include active identities, or we can store this map in a separate structure.
There was a problem hiding this comment.
Interesting, lets use a different structure then. However that means that one should include the BLS key also when proposing a block correct?
There was a problem hiding this comment.
Yes, let's just include the BLS key with the VRF proof, since that's the only way to enter the ARS.
girazoki
force-pushed
the
multi_key
branch
4 times, most recently
from
4b36f40
to
7e7e788
Compare
mariocao
reviewed
May 6, 2020
wip-0003.md
Outdated
| DataRequestEligibilityClaim proof = 3; | ||
| repeated Input inputs = 4; | ||
| repeated ValueTransferOutput outputs = 5; | ||
| Bn256PublicKey bn256_pub_key = 6; |
There was a problem hiding this comment.
I suggest using extended naming as I think we are doing in the rest of witnet-rust code:
Suggested change
| Bn256PublicKey bn256_pub_key = 6; | |
| Bn256PublicKey bn256_public_key = 6; |
mariocao
reviewed
May 6, 2020
wip-0003.md
Outdated
| Extending such functionality to be able to associate a secp256k1 public key to an additional curve key should be as simple as creating declaring an struct with all curves we want to store the public key for. | ||
|
|
||
| ``` rust | ||
| struct BlsKeys { |
There was a problem hiding this comment.
Why only BLS curves?
Maybe in the future we might want have other curve types.
Maybe something like:
Suggested change
| struct BlsKeys { | |
| struct AdditionalKeys { |
mariocao
reviewed
May 6, 2020
wip-0003.md
Outdated
Comment on lines
132
to
133
|
|
||
|
|
mariocao
suggested changes
May 6, 2020
girazoki
force-pushed
the
multi_key
branch
2 times, most recently
from
e447c76
to
74dfc9e
Compare
mariocao
reviewed
May 6, 2020
wip-0003.md
Outdated
| Extending such functionality to be able to associate a secp256k1 public key to an additional curve key should be as simple as creating declaring an struct with all curves we want to store the public key for. | ||
|
|
||
| ``` rust | ||
| struct AltKeys { |
There was a problem hiding this comment.
Suggested change
| struct AltKeys { | |
| struct AltPublicKeys { |
|
Completed. Can I get a WIP number? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Close #24