Second design for a proof network #197
Conversation
| There are a couple of advantages to this design in which we use a consensus | ||
| protocol to sequence transactions. | ||
|
|
||
| A storage provider only needs to send its proofs to a single validator, and |
There was a problem hiding this comment.
but any validator can decide to censor any provider (and especially if the same SPs play both roles, this can very easily happen), so sending to a single validator seems very dangerous to me
There was a problem hiding this comment.
That is correct. I thought about that, but didn't write it down. When the validator doesn't give you an inclusion proof, you can simply switch to another validator.
I'll update the text to include this.
| The marketplace will then verify the correctness of *inputs* for the *slot id* | ||
| and *period*, and checks that the combined signature is representative for > 2/3 | ||
| stake. If these conditions are met, it will then slash the storage provider | ||
| collateral and reward the validator. |
There was a problem hiding this comment.
Is only the validator who sent the 1st MissingProof transaction rewarded?
There was a problem hiding this comment.
Yes, that would be the simplest I think. The Mysticeti design suggests ordering the blocks from the validators based on a round-robin scheme, so every validator is equally capable of being the first to notice a proof as missing.
|
|
||
| ### Faulty proofs ### | ||
|
|
||
| The storage proofs that a storage provider submits can be faulty for a number of |
There was a problem hiding this comment.
Is it possible to assign different penalties to these faulty proofs?
There was a problem hiding this comment.
i don't think that would make sense, a proof is either present and valid, or not. There are no "qualities" of missing/wrong proofs.
A more interesting case when storage providers also aggregate their proofs. Then it can happen that for example they submit a single proof for 100 slots, but only 99 is valid because they actually lost 1.
| [Mysticeti][6] algorithm seems to be particularly suited because it is highly | ||
| performant. | ||
|
|
||
| The consensus algorithm is only used to sequence transactions. Evaluation of the |
There was a problem hiding this comment.
Out of curiosity: why does sequencing transactions matter?
There was a problem hiding this comment.
I guess, maybe to match the right/current period? If a transaction is added too late will it miss the period?
There was a problem hiding this comment.
Sequencing is not strictly necessary for storage proofs, but for anything else it becomes necessary.
See my reply here: https://github.com/codex-storage/codex-research/pull/197/files#r1820368545
| The consensus algorithm is only used to sequence transactions. Evaluation of the | ||
| transactions is done after sequencing. This means that storage proofs can be | ||
| checked in parallel, which allows validators to scale up and support a large | ||
| storage network that produces many proofs. |
There was a problem hiding this comment.
Do validators post onchain any result of these evaluations?
| The marketplace smart contract only slashes a storage provider when there is a | ||
| combined BLS signature that represents > 2/3 stake. | ||
|
|
||
| It can be expensive to calculate the amount of stake associated with a combined |
There was a problem hiding this comment.
If the stake amount is constant, would be possible to confirm that >2/3 threshold by simply counting the number of signatures?
There was a problem hiding this comment.
Yes, that is possible. However, you'd still need to figure out from how many signatures the combined signature was constructed, and that they are valid signatures from staked validators.
| introduce epochs in which some validators are chosen from a larger set of | ||
| potential validators, but that comes at the expense of added complexity. | ||
|
|
||
| The latency is larger than in a [previous iteration][7] of this design, because |
There was a problem hiding this comment.
If SPs are required to post 1 proof/day, validators would have enough time to reach consensus, wouldn't they?
There was a problem hiding this comment.
It is 1 proof per dataset right? Not per SP.
There was a problem hiding this comment.
If SPs are required to post 1 proof/day, validators would have enough time to reach consensus, wouldn't they?
Yes, latency is not really a problem for our use case.
It is 1 proof per dataset right? Not per SP.
Currently yes, but if we succeed in doing local proof aggregation, then it becomes one proof per storage provider.
There was a problem hiding this comment.
Very well written @markspanbroek, very clear and easy to follow.
I see a lot of potential danger going through this route. It seems to me that we are introducing a whole new colossal attack surface by implementing a blockchain. I see very few advantages to this approach in comparison with storing on an L2.
|
|
||
| A storage provider sends a `StorageProof` transaction to a validator to indicate | ||
| to the network that it calculated a storage proof as required by the | ||
| marketplace. This validator includes it in its next block. |
There was a problem hiding this comment.
The proof is sent to only one validator or the entire network of validators? This validator includes it in its next block? Or rather the validator in charge of producing the next block adds the transaction to it?
There was a problem hiding this comment.
The proof is sent to only one validator. In the Mysticeti design, all validators produce a block each round, so the proof is included in the next block of the validator that you sent it to.
If it fails to provide you with proof that it included the transaction, then you're free to go to another validator.
There was a problem hiding this comment.
How are proofs/transactions propagated across validators?
There was a problem hiding this comment.
How are proofs/transactions propagated across validators?
As part of the consensus protocol blocks of transactions are exchanged between validators.
| required for a slot in the current *period*, it gathers public *inputs* for the | ||
| slot, including the random challenge and calculates a zero-knowledge storage | ||
| *proof*. The provider then submits `StorageProof(slot id, period, inputs, | ||
| proof)` to a single validator. |
There was a problem hiding this comment.
Why a single validator? What if this one is malicious?
There was a problem hiding this comment.
Each validator produces a block every round in the Mysticeti design, and the proof only needs to end up in one of them. If the validator is malicious, it won't be able to give an inclusion proof for the transaction, and you can simply go to another validator to get the transaction included.
| storage provider ---------------------------------------> validator | ||
|
|
||
|
|
||
| The validator will include the transaction in the next block that it proposes to |
There was a problem hiding this comment.
How many validators are we talking about? How often do they produce blocks?
There was a problem hiding this comment.
Not sure yet how many. In the Mysticeti paper they measured less than 5 validators to get sub-second latency numbers. But we don't really care about latency so much, so we can go higher than that. But I don't think it's practical to go for more than 100 validators, unless we go for a scheme where we pick a few validators from a larger pool every epoch.
|
|
||
| The validator that sent the first `MissingProof` transaction for a missing proof | ||
| can now request BLS signatures from the other validators to enact on-chain | ||
| slashing of the storage provider for missing a proof. When the validator |
There was a problem hiding this comment.
Do we slash SP for every single proof missed? Even the very first one?
There was a problem hiding this comment.
No, I do not want to change the rules around slashing with this. So I'd keep the way we slash in the Marketplace smart contract the same. Only the way proofs are as marked as missing changes, but the consequences do not.
| [Mysticeti][6] algorithm seems to be particularly suited because it is highly | ||
| performant. | ||
|
|
||
| The consensus algorithm is only used to sequence transactions. Evaluation of the |
There was a problem hiding this comment.
I guess, maybe to match the right/current period? If a transaction is added too late will it miss the period?
| ------- | ||
|
|
||
| The marketplace smart contract only slashes a storage provider when there is a | ||
| combined BLS signature that represents > 2/3 stake. |
There was a problem hiding this comment.
So validators only make money when SPs fail proofs? Isn't this a motivation to attack SPs?
There was a problem hiding this comment.
This is no different from our current implementation.
I also want to add fees for including storage proofs so that slashing isn't the only source of income for validators.
| introduce epochs in which some validators are chosen from a larger set of | ||
| potential validators, but that comes at the expense of added complexity. | ||
|
|
||
| The latency is larger than in a [previous iteration][7] of this design, because |
There was a problem hiding this comment.
It is 1 proof per dataset right? Not per SP.
| sequenced the transactions. That might be mitigated by using the fast path from | ||
| the Mysticeti protocol for `StorageProof` transactions. | ||
|
|
||
| [7]: https://github.com/codex-storage/codex-research/pull/194 |
There was a problem hiding this comment.
I see many other drawbacks to this approach.
- What motivates a node to become a validator? If everything goes well, they do a big part of the work for no reward.
- How do we avoid SPs and validators colluding?
There was a problem hiding this comment.
- What motivates a node to become a validator? If everything goes well, they do a big part of the work for no reward.
I intend to add fees for including transactions.
- How do we avoid SPs and validators colluding?
Through having multiple staked validators. The scheme works as long as >2/3 stake is not byzantine.
| @@ -0,0 +1,257 @@ | |||
| Storage proof network | |||
There was a problem hiding this comment.
I really would like a different name, as the network is most definitely not doing proofs. It's checking proofs.
This name is so misleading that already within the Codex team I've seen it to be referred as a "prover network", while it's the exact opposite of that.
There was a problem hiding this comment.
I wouldn't mind renaming this, do you have a suggestion? Perhaps "proof checking network"?
There was a problem hiding this comment.
I don't have a really good name in my mind. "Proof checking network" is certainly one possibility, "Verification network" or "Validator network" could be some more. From these 3 maybe I prefer the last one. But open to other suggestions
| Notice that validators do not check the correctness of `StorageProof` | ||
| transactions prior to including them in blocks. In this design sequencing and | ||
| evaluation of transactions are separated. First, the validators reach consensus | ||
| on a sequence of blocks of transactions. Then, each of the validators evaluates |
There was a problem hiding this comment.
What is the motivation for this design? (does it come from Mysticeti?)
It looks overly complicated on first sight:
- we don't really need an ordering of events, proofs are independent from each other (ok maybe to select the first validator noticing a missing proof)
- why try to include possible invalid proofs into a "block" when we can easily check if they are valid or not?
Also, what if the sequence ordering is such that a missing proof is first and the actual proof comes later?
There was a problem hiding this comment.
What is the motivation for this design? (does it come from Mysticeti?)
It mimicks what SUI (and Mysticeti) do. It is part of the reason why they are able to scale to a very high number of transactions per second. It minimizes what is done while forming consensus, so that the rest of the work (evaluating transactions, updating state) can be done in parallel.
- we don't really need an ordering of events, proofs are independent from each other (ok maybe to select the first validator noticing a missing proof)
That is correct, for proofs we can just about get away with it, as we argued in the first design.
However, for anything more consensus is necessary. If we don't want validators to race on-chain to mark a proof as missing, if we want to add payments for including a proof, if we want to punish validators for not doing their work properly, then we need consensus of some sort.
- why try to include possible invalid proofs into a "block" when we can easily check if they are valid or not?
At some point, I'd like to introduce fees for including a transaction. This avoids the validators being spammed, and gives them an incentive to do their work. This is analogous to how you can submit an transaction that reverts to an Ethereum network, and even though it doesn't change the state, you still pay for the transaction fee.
Also, what if the sequence ordering is such that a missing proof is first and the actual proof comes later?
Then the proof was submitted too late. And we have consensus that this is so.
That is certainly a valid concern. But I don't think we can deliver on our promises without doing something in this direction. L2's are too expensive; the numbers don't work. L2's are also centralized; they do not provide protection against censorship. Also, this design is not that different from the first design. Just because we're now calling things "transactions" and "blocks" doesn't mean that we introduce the complexity of a whole blockchain. We're just replacing the "light consensus" from the previous design with an actual consensus mechanism. |
Improves on the previous design (#194) by: