-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP-girazoki-multikey: draft submission #22
Conversation
0e69ab1
to
e79aea1
Compare
wip-0003.md
Outdated
|
||
This proposal discusses different options to handle both BLS and Secp256K1 keys in the Witnet network. This is a key feature for the connection with Ethereum, in particular to achieve high efficient verifications with subsidized curves by the EVM. | ||
|
||
Nothe that the co-existence of different elliptic curve keys will be crutial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between Secp256k1 and ALTBN-128, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nothe that the co-existence of different elliptic curve keys will be crutial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between Secp256k1 and ALTBN-128, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. | |
Note that the co-existence of different curve keys will be crucial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between *Secp256k1* and *ALTBN-128*, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. |
wip-0003.md
Outdated
|
||
## Motivation and Rationale | ||
|
||
Implementing one-way decentralized bridges between two chains becomes a task that higly depends on the consensus protocol implemented by the chain whose transactions need to be verified. We will call this chain the source chain, while the chain in which the transactions are verified will be refered as the target chain. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementing one-way decentralized bridges between two chains becomes a task that higly depends on the consensus protocol implemented by the chain whose transactions need to be verified. We will call this chain the source chain, while the chain in which the transactions are verified will be refered as the target chain. | |
Implementing one-way decentralized bridges between two chains becomes a task that highly depends on the consensus protocol implemented by the chain whose transactions need to be verified. We will call this chain the *source chain* (i.e. the _Witnet chain_), while the chain in which the transactions are verified will be referred as the *target chain*. |
wip-0003.md
Outdated
|
||
Implementing one-way decentralized bridges between two chains becomes a task that higly depends on the consensus protocol implemented by the chain whose transactions need to be verified. We will call this chain the source chain, while the chain in which the transactions are verified will be refered as the target chain. | ||
|
||
Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically transactions are grouped in a merkle tree whose root is appended into the block header. Thus, a prover just needs to provide a valid merkle path to the merkle root to prove a transaction ocurred. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically transactions are grouped in a merkle tree whose root is appended into the block header. Thus, a prover just needs to provide a valid merkle path to the merkle root to prove a transaction ocurred. | |
Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically, transactions are grouped in a merkle tree whose root is appended into the block header. Thus, to prove a transaction you just need to provide a valid merkle path to the merkle root. |
wip-0003.md
Outdated
|
||
Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically transactions are grouped in a merkle tree whose root is appended into the block header. Thus, a prover just needs to provide a valid merkle path to the merkle root to prove a transaction ocurred. | ||
|
||
However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, we need to prove that at least 2/3 of the ARS (active reputation) supports a certain block header in order to consider it valid (or more specifically, final). This can become trully challenging in terms of efficiency. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, we need to prove that at least 2/3 of the ARS (active reputation) supports a certain block header in order to consider it valid (or more specifically, final). This can become trully challenging in terms of efficiency. | |
However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm, the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, we need to prove that at least 2/3 of the ARS (active reputation set) supports a certain block header in order to consider it valid (or more specifically, final). This can become truly challenging in terms of efficiency. |
I would be a little bit more generic with the specific conditions for a block valid (e.g. 2/3 of the ARS). They are not yet fully agreed. :P
wip-0003.md
Outdated
|
||
However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, we need to prove that at least 2/3 of the ARS (active reputation) supports a certain block header in order to consider it valid (or more specifically, final). This can become trully challenging in terms of efficiency. | ||
|
||
BLS signatures allow us to aggregate signatures provided by those members of the ARS. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to intra-chain sign transactions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BLS signatures allow us to aggregate signatures provided by those members of the ARS. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to intra-chain sign transactions. | |
BLS signatures allow us to aggregate signatures provided by those members of the ARS. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is approximately 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to sign transactions internally in the _Witnet network_. |
I would rephrase the first sentence, e.g. "BLS curves allows us to aggregate signatures such as those provided by ARS members", or something like that 😄
I have renamed the PR to "WIP-girazoki-multikey" as provided for by WIP-0001:
|
1bbc595
to
170f735
Compare
wip-0003.md
Outdated
|
||
## Abstract | ||
|
||
This proposal discusses different options to handle both BLS and Secp256K1 keys in the Witnet network. This is a key feature for the connection with Ethereum, in particular to achieve high efficient verifications with subsidized curves by the EVM. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This proposal discusses different options to handle both BLS and Secp256K1 keys in the Witnet network. This is a key feature for the connection with Ethereum, in particular to achieve high efficient verifications with subsidized curves by the EVM. | |
This proposal discusses different options to handle both BLS and Secp256K1 keys in the Witnet network. This is a key feature for interoperability with Ethereum, in particular to achieve highly efficient signature verifications by leveraging the curves that the EVM subsidizes. |
wip-0003.md
Outdated
|
||
This proposal discusses different options to handle both BLS and Secp256K1 keys in the Witnet network. This is a key feature for the connection with Ethereum, in particular to achieve high efficient verifications with subsidized curves by the EVM. | ||
|
||
Note that the co-existence of different curve keys will be crucial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between *Secp256k1* and *ALTBN-128*, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that the co-existence of different curve keys will be crucial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between *Secp256k1* and *ALTBN-128*, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. | |
The co-existence of different curve keys will be crucial in Witnet in order to develop bridges with other chains. For the purpose of the document, we will only discuss the co-existence between *Secp256k1* and *ALTBN-128*, being the latter subsidized in the EVM. However, this WIP can serve as a proposal for adding new curves to Witnet. |
wip-0003.md
Outdated
|
||
Implementing one-way decentralized bridges between two chains becomes a task that highly depends on the consensus protocol implemented by the chain whose transactions need to be verified. We will call this chain the *source chain* (i.e. the _Witnet chain_), while the chain in which the transactions are verified will be referred as the *target chain*. | ||
|
||
Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically, transactions are grouped in a merkle tree whose root is appended into the block header. Thus, to prove a transaction you just need to provide a valid merkle path to the merkle root to prove a transaction ocurred. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically, transactions are grouped in a merkle tree whose root is appended into the block header. Thus, to prove a transaction you just need to provide a valid merkle path to the merkle root to prove a transaction ocurred. | |
Assuming the availability of the source chain's block headers on the target chain, one can easily verify that a transaction occurred in the source chain. Typically, transactions are grouped in a merkle tree whose root is inserted into the block header. Thus, to prove the existence of a transaction you just need to provide a valid merkle path that evinces that the hash of the transaction was undeniably inserted into the merkle tree at the time the block hash was appended to the source chain. |
wip-0003.md
Outdated
|
||
Assuming the existence of the source chain block headers in the target chain, one can easily verify that a transaction occurred in the source chain. Typically, transactions are grouped in a merkle tree whose root is appended into the block header. Thus, to prove a transaction you just need to provide a valid merkle path to the merkle root to prove a transaction ocurred. | ||
|
||
However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, it is yet not decided which metric to use, but under BFT assumptions we can expect 2/3s of such metric holders to be honest, and therefore a block header validity will likely depend on the ability to demonstrate that those 2/3s agree on a specific value. This can become trully challenging in terms of efficiency. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, it is yet not decided which metric to use, but under BFT assumptions we can expect 2/3s of such metric holders to be honest, and therefore a block header validity will likely depend on the ability to demonstrate that those 2/3s agree on a specific value. This can become trully challenging in terms of efficiency. | |
However, ensuring the availability of the block headers in the target chain is not that straightforward, specially for non-PoW chains. PoW achieves probabilistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on a BFT algorithm that is based on an intra-chain metric (stake, reputation) the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, it is yet not decided which metric to use, but under BFT assumptions we can expect 2/3 of such metric holders to be honest, and therefore a block header validity will likely depend on the ability to demonstrate that those 2/3 agree on a specific value. This can become truly challenging in terms of efficiency. |
wip-0003.md
Outdated
|
||
However, ensuring the availability of the block headers in the target chain is not that straight-forward, specially for non-PoW chains. PoW achieves probabilitistic finality thanks to the difficulty of reverting a chain with sufficient work on it, a difficulty that is publicly verifiable. In order to validate new block headers from chains whose consensus relies on an intra-chain metric (stake, reputation) based BFT algorithm the target chain needs to know the previous state of such metrics in the source chain. In the particular case of Witnet, it is yet not decided which metric to use, but under BFT assumptions we can expect 2/3s of such metric holders to be honest, and therefore a block header validity will likely depend on the ability to demonstrate that those 2/3s agree on a specific value. This can become trully challenging in terms of efficiency. | ||
|
||
BLS signatures allow us to aggregate signatures provided by a set of group members. In the case of Witnet, those members will be the ARS, as the consensus of the Witnet chain is highly dependant on the reputation of each fo the peers. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is approximately 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to sign transactions internally in the _Witnet network_. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BLS signatures allow us to aggregate signatures provided by a set of group members. In the case of Witnet, those members will be the ARS, as the consensus of the Witnet chain is highly dependant on the reputation of each fo the peers. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is approximately 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to sign transactions internally in the _Witnet network_. | |
BLS signatures allow us to aggregate signatures provided by a set of group members. In the case of Witnet, those members will be the ARS, as the consensus of the Witnet chain is highly dependant on the reputation of each of the peers. The overall aggregated signature can be validated in the target chain in a single verification. However, a BLS verification is approximately 10 times more costly than a regular ECDSA verification. Thus, BLS gives us a big advantage for bridging with other chains, but little advantage when using it to sign transactions internally in the _Witnet network_. |
wip-0003.md
Outdated
|
||
However, note that the reputation is today associated to the PKH of the Secp256K1 public key. However, ARS members in the ARS merkle root should be identifiable by their BLS public key, as this will be used to verify their aggregated signature. | ||
|
||
Additionally, UTXOs are also associated with the PKH of the Secp256k1 public key. Given the clear overhead of implementing a BLS verification compared to a ECDSA verification, UTXOs should keep being spendable by secp256k1 private key holders. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Additionally, UTXOs are also associated with the PKH of the Secp256k1 public key. Given the clear overhead of implementing a BLS verification compared to a ECDSA verification, UTXOs should keep being spendable by secp256k1 private key holders. | |
Additionally, addresses and transaction outputs are also associated with the hash of the Secp256k1 public key. Given the clear overhead of implementing a BLS verification compared to a ECDSA verification, transaction outputs should keep being spendable by secp256k1 private key holders. |
wip-0003.md
Outdated
## Requirements | ||
As already said before, we need to maintain a state about the ARS in the block headers that future blocks can be validated upon. Such information will be stored as a merkle root of all the identities and their position in the ARS. | ||
|
||
However, note that the reputation is today associated to the PKH of the Secp256K1 public key. However, ARS members in the ARS merkle root should be identifiable by their BLS public key, as this will be used to verify their aggregated signature. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
However, note that the reputation is today associated to the PKH of the Secp256K1 public key. However, ARS members in the ARS merkle root should be identifiable by their BLS public key, as this will be used to verify their aggregated signature. | |
Note that reputation score is currently associated to the hash of the Secp256K1 public key. However, ARS members in the ARS merkle root should be identifiable by their BLS public key, as this will be used to verify their aggregated signature. |
wip-0003.md
Outdated
|
||
#### Information storage | ||
|
||
**`secp256k1AltbnMap` mapping.** A new mapping to be stored in memory that is updated every time a new key is proposed. This mapping does not need to be stored on-chain, but can be constructed by information that is on-chain. This can be implemented can be extended to the struct TotalReputationSet: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
**`secp256k1AltbnMap` mapping.** A new mapping to be stored in memory that is updated every time a new key is proposed. This mapping does not need to be stored on-chain, but can be constructed by information that is on-chain. This can be implemented can be extended to the struct TotalReputationSet: | |
**`secp256k1AltbnMap` mapping.** A new mapping to be stored in memory that is updated every time a new key is proposed. This mapping does not need to be stored on-chain, but can be constructed by information that is on-chain. This can be implemented as an extension of the `TotalReputationSet` structure: |
wip-0003.md
Outdated
|
||
```rust | ||
// Everything here is pseudo-Rust, it's obviously not guaranteed to compile | ||
struct TotalReputationSet { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
struct TotalReputationSet { | |
struct ActiveReputationSet { |
The ARS is mentioned earlier, so why do we use the TRS here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AFAIK the ARS contains the active identities, but the isnt the information of the reputation hold by each identity stored in totalreputationset? I might be wrong here, it would be good if we can clarify a bit more. Since the key is information associated with each pkh, I thought it should be in the same place where the reputation of each identity is stored
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a small problem with storing the public key in the TRS: identities with null reputation aren't stored there. So for example an identity that mines a block is counted as "active", but has no extra reputation.
We can change the behavior of the TRS to include active identities, or we can store this map in a separate structure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting, lets use a different structure then. However that means that one should include the BLS key also when proposing a block correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, let's just include the BLS key with the VRF proof, since that's the only way to enter the ARS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great, agree
4b36f40
to
7e7e788
Compare
wip-0003.md
Outdated
DataRequestEligibilityClaim proof = 3; | ||
repeated Input inputs = 4; | ||
repeated ValueTransferOutput outputs = 5; | ||
Bn256PublicKey bn256_pub_key = 6; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest using extended naming as I think we are doing in the rest of witnet-rust
code:
Bn256PublicKey bn256_pub_key = 6; | |
Bn256PublicKey bn256_public_key = 6; |
wip-0003.md
Outdated
Extending such functionality to be able to associate a secp256k1 public key to an additional curve key should be as simple as creating declaring an struct with all curves we want to store the public key for. | ||
|
||
``` rust | ||
struct BlsKeys { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why only BLS curves?
Maybe in the future we might want have other curve types.
Maybe something like:
struct BlsKeys { | |
struct AdditionalKeys { |
wip-0003.md
Outdated
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few comments about variable names as they will be implemented in the witnet-rust
code.
e447c76
to
74dfc9e
Compare
wip-0003.md
Outdated
Extending such functionality to be able to associate a secp256k1 public key to an additional curve key should be as simple as creating declaring an struct with all curves we want to store the public key for. | ||
|
||
``` rust | ||
struct AltKeys { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
struct AltKeys { | |
struct AltPublicKeys { |
Completed. Can I get a WIP number? |
Close #24