Merge pull request #1889 from ethereum/dankrad-custody-0.01bit

0.01 bit proof of custody [depends on 256 bit custody atoms]

configs/mainnet/phase0.yaml

@@ -151,3 +151,9 @@ DOMAIN_DEPOSIT: 0x03000000
 DOMAIN_VOLUNTARY_EXIT: 0x04000000
 DOMAIN_SELECTION_PROOF: 0x05000000
 DOMAIN_AGGREGATE_AND_PROOF: 0x06000000
+<<<<<<< HEAD:configs/mainnet.yaml
+# Phase 1
+DOMAIN_SHARD_PROPOSAL: 0x80000000
+DOMAIN_SHARD_COMMITTEE: 0x81000000
+DOMAIN_LIGHT_CLIENT: 0x82000000
+DOMAIN_CUSTODY_BIT_SLASHING: 0x83000000

configs/mainnet/phase1.yaml

@@ -62,14 +62,26 @@ DOMAIN_CUSTODY_BIT_SLASHING: 0x83000000
 # Time parameters
 # 2**1 (= 2) epochs, 12.8 minutes
 RANDAO_PENALTY_EPOCHS: 2
+# 2**15 (= 32,768) epochs, ~146 days
+EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS: 32768
 # 2**14 (= 16,384) epochs ~73 days
-EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS: 16384
-# 2**11 (= 2,048) epochs, ~9 days
-EPOCHS_PER_CUSTODY_PERIOD: 2048
+EPOCHS_PER_CUSTODY_PERIOD: 16384
 # 2**11 (= 2,048) epochs, ~9 days
 CUSTODY_PERIOD_TO_RANDAO_PADDING: 2048
 # 2**14 (= 16,384) epochs
 CUSTODY_RESPONSE_DEADLINE: 16384
+# 2**15 (= 32,768) epochs, ~146 days
+MAX_CHUNK_CHALLENGE_DELAY: 32768
+
+# Misc parameters
+# 2**256 - 189
+CUSTODY_PRIME: 115792089237316195423570985008687907853269984665640564039457584007913129639747
+# 3
+CUSTODY_SECRETS: 3
+# 2**5 (= 32) bytes
+BYTES_PER_CUSTODY_ATOM: 32
+# 1/1024 chance of custody bit 1
+CUSTODY_PROBABILITY_EXPONENT: 10
 
 # Max operations
 # 2**8 (= 256)

configs/minimal/phase1.yaml

@@ -65,13 +65,27 @@ DOMAIN_CUSTODY_BIT_SLASHING: 0x83000000
 # 2**1 (= 2) epochs
 RANDAO_PENALTY_EPOCHS: 2
 # [customized] quicker for testing
-EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS: 4096
+EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS: 128
 # [customized] quicker for testing
-EPOCHS_PER_CUSTODY_PERIOD: 8
+EPOCHS_PER_CUSTODY_PERIOD: 64
 # [customized] quicker for testing
 CUSTODY_PERIOD_TO_RANDAO_PADDING: 8
 # [customized] quicker for testing
-CUSTODY_RESPONSE_DEADLINE: 32
+CUSTODY_RESPONSE_DEADLINE: 128
+# [customize for faster testing]
+MAX_CHUNK_CHALLENGE_DELAY: 128
+
+
+# Misc parameters
+# 2**256 - 189
+CUSTODY_PRIME: 115792089237316195423570985008687907853269984665640564039457584007913129639747
+# 3
+CUSTODY_SECRETS: 3
+# 2**5 (= 32) bytes
+BYTES_PER_CUSTODY_ATOM: 32
+# 1/4 chance of custody bit 1 [customized for faster testing]
+CUSTODY_PROBABILITY_EXPONENT: 2
+
 
 # Max operations
 # 2**8 (= 256)

specs/phase1/beacon-chain.md

@@ -53,15 +53,12 @@
     - [`get_shard_committee`](#get_shard_committee)
     - [`get_light_client_committee`](#get_light_client_committee)
     - [`get_shard_proposer_index`](#get_shard_proposer_index)
-    - [`get_indexed_attestation`](#get_indexed_attestation)
     - [`get_committee_count_delta`](#get_committee_count_delta)
     - [`get_start_shard`](#get_start_shard)
     - [`get_shard`](#get_shard)
     - [`get_latest_slot_for_shard`](#get_latest_slot_for_shard)
     - [`get_offset_slots`](#get_offset_slots)
   - [Predicates](#predicates)
-    - [`verify_attestation_custody`](#verify_attestation_custody)
-    - [Updated `is_valid_indexed_attestation`](#updated-is_valid_indexed_attestation)
     - [`is_on_time_attestation`](#is_on_time_attestation)
     - [`is_winning_attestation`](#is_winning_attestation)
     - [`optional_aggregate_verify`](#optional_aggregate_verify)
@@ -78,7 +75,6 @@
         - [`verify_empty_shard_transition`](#verify_empty_shard_transition)
         - [`process_shard_transitions`](#process_shard_transitions)
       - [New default validator for deposits](#new-default-validator-for-deposits)
-      - [New Attester slashing processing](#new-attester-slashing-processing)
     - [Light client processing](#light-client-processing)
   - [Epoch transition](#epoch-transition)
     - [Phase 1 final updates](#phase-1-final-updates)
@@ -186,7 +182,6 @@ class AttestationData(Container):
 class Attestation(Container):
     aggregation_bits: Bitlist[MAX_VALIDATORS_PER_COMMITTEE]
     data: AttestationData
-    custody_bits_blocks: List[Bitlist[MAX_VALIDATORS_PER_COMMITTEE], MAX_SHARD_BLOCKS_PER_ATTESTATION]
     signature: BLSSignature
 ```
 
@@ -206,8 +201,9 @@ class PendingAttestation(Container):
 
 ```python
 class IndexedAttestation(Container):
-    committee: List[ValidatorIndex, MAX_VALIDATORS_PER_COMMITTEE]
-    attestation: Attestation
+    attesting_indices: List[ValidatorIndex, MAX_VALIDATORS_PER_COMMITTEE]
+    data: AttestationData
+    signature: BLSSignature
 ```
 
 ### Extended `AttesterSlashing`
@@ -593,17 +589,6 @@ def get_shard_proposer_index(beacon_state: BeaconState, slot: Slot, shard: Shard
     return committee[r % len(committee)]
 ```
 
-#### `get_indexed_attestation`
-
-```python
-def get_indexed_attestation(beacon_state: BeaconState, attestation: Attestation) -> IndexedAttestation:
-    committee = get_beacon_committee(beacon_state, attestation.data.slot, attestation.data.index)
-    return IndexedAttestation(
-        committee=committee,
-        attestation=attestation,
-    )
-```
-
 #### `get_committee_count_delta`
 
 ```python
@@ -673,65 +658,6 @@ def get_offset_slots(state: BeaconState, shard: Shard) -> Sequence[Slot]:
 
 ### Predicates
 
-#### `verify_attestation_custody`
-
-```python
-def verify_attestation_custody(state: BeaconState, indexed_attestation: IndexedAttestation) -> bool:
-    """
-    Check if ``indexed_attestation`` has valid signature against non-empty custody bits.
-    """
-    attestation = indexed_attestation.attestation
-    aggregation_bits = attestation.aggregation_bits
-    domain = get_domain(state, DOMAIN_BEACON_ATTESTER, attestation.data.target.epoch)
-    all_pubkeys = []
-    all_signing_roots = []
-    for block_index, custody_bits in enumerate(attestation.custody_bits_blocks):
-        assert len(custody_bits) == len(indexed_attestation.committee)
-        for participant, aggregation_bit, custody_bit in zip(
-            indexed_attestation.committee, aggregation_bits, custody_bits
-        ):
-            if aggregation_bit:
-                all_pubkeys.append(state.validators[participant].pubkey)
-                # Note: only 2N distinct message hashes
-                attestation_wrapper = AttestationCustodyBitWrapper(
-                    attestation_data_root=hash_tree_root(attestation.data),
-                    block_index=block_index,
-                    bit=custody_bit,
-                )
-                all_signing_roots.append(compute_signing_root(attestation_wrapper, domain))
-            else:
-                assert not custody_bit
-    return bls.AggregateVerify(all_pubkeys, all_signing_roots, signature=attestation.signature)
-```
-
-#### Updated `is_valid_indexed_attestation`
-
-Note that this replaces the Phase 0 `is_valid_indexed_attestation`.
-
-```python
-def is_valid_indexed_attestation(state: BeaconState, indexed_attestation: IndexedAttestation) -> bool:
-    """
-    Check if ``indexed_attestation`` has valid indices and signature.
-    """
-    # Verify aggregate signature
-    attestation = indexed_attestation.attestation
-    aggregation_bits = attestation.aggregation_bits
-    if not any(aggregation_bits) or len(aggregation_bits) != len(indexed_attestation.committee):
-        return False
-
-    if len(attestation.custody_bits_blocks) == 0:
-        # fall back on phase0 behavior if there is no shard data.
-        domain = get_domain(state, DOMAIN_BEACON_ATTESTER, attestation.data.target.epoch)
-        all_pubkeys = []
-        for participant, aggregation_bit in zip(indexed_attestation.committee, aggregation_bits):
-            if aggregation_bit:
-                all_pubkeys.append(state.validators[participant].pubkey)
-        signing_root = compute_signing_root(indexed_attestation.attestation.data, domain)
-        return bls.FastAggregateVerify(all_pubkeys, signing_root, signature=attestation.signature)
-    else:
-        return verify_attestation_custody(state, indexed_attestation)
-```
-
 #### `is_on_time_attestation`
 
 ```python
@@ -849,16 +775,11 @@ def validate_attestation(state: BeaconState, attestation: Attestation) -> None:
     else:
         assert attestation.data.source == state.previous_justified_checkpoint
 
-    # Type 1: on-time attestations, the custody bits should be non-empty.
-    if attestation.custody_bits_blocks != []:
-        # Ensure on-time attestation
-        assert is_on_time_attestation(state, attestation)
-        # Correct data root count
-        shard = get_shard(state, attestation)
-        assert len(attestation.custody_bits_blocks) == len(get_offset_slots(state, shard))
+    # Type 1: on-time attestations
+    if is_on_time_attestation(state, attestation):
         # Correct parent block root
         assert data.beacon_block_root == get_block_root_at_slot(state, compute_previous_slot(state.slot))
-    # Type 2: no shard transition, no custody bits
+    # Type 2: no shard transition
     else:
         # Ensure delayed attestation
         assert data.slot < compute_previous_slot(state.slot)
@@ -1081,46 +1002,6 @@ def get_validator_from_deposit(state: BeaconState, deposit: Deposit) -> Validato
     )
 ```
 
-##### New Attester slashing processing
-
-```python
-def get_indices_from_committee(
-        committee: List[ValidatorIndex, MAX_VALIDATORS_PER_COMMITTEE],
-        bits: Bitlist[MAX_VALIDATORS_PER_COMMITTEE]) -> Sequence[ValidatorIndex]:
-    assert len(bits) == len(committee)
-    return [validator_index for i, validator_index in enumerate(committee) if bits[i]]
-```
-
-```python
-def process_attester_slashing(state: BeaconState, attester_slashing: AttesterSlashing) -> None:
-    indexed_attestation_1 = attester_slashing.attestation_1
-    indexed_attestation_2 = attester_slashing.attestation_2
-
-    assert is_slashable_attestation_data(
-        indexed_attestation_1.attestation.data,
-        indexed_attestation_2.attestation.data,
-    )
-    assert is_valid_indexed_attestation(state, indexed_attestation_1)
-    assert is_valid_indexed_attestation(state, indexed_attestation_2)
-
-    indices_1 = get_indices_from_committee(
-        indexed_attestation_1.committee,
-        indexed_attestation_1.attestation.aggregation_bits,
-    )
-    indices_2 = get_indices_from_committee(
-        indexed_attestation_2.committee,
-        indexed_attestation_2.attestation.aggregation_bits,
-    )
-
-    slashed_any = False
-    indices = set(indices_1).intersection(indices_2)
-    for index in sorted(indices):
-        if is_slashable_validator(state.validators[index], get_current_epoch(state)):
-            slash_validator(state, index)
-            slashed_any = True
-    assert slashed_any
-```
-
 #### Light client processing
 
 ```python

specs/phase1/custody-game.md

@@ -60,6 +60,7 @@ This document details the beacon chain additions and changes in Phase 1 of Ether
 | `CUSTODY_PRIME` | `2 ** 256 - 189` | - |
 | `CUSTODY_SECRETS` | `3` | - |
 | `BYTES_PER_CUSTODY_ATOM` | `32` | bytes |
+| `CUSTODY_PROBABILITY_EXPONENT` | `10` | - |
 
 ## Configuration
 
@@ -68,11 +69,11 @@ This document details the beacon chain additions and changes in Phase 1 of Ether
 | Name | Value | Unit | Duration |
 | - | - | :-: | :-: |
 | `RANDAO_PENALTY_EPOCHS` | `2**1` (= 2) | epochs | 12.8 minutes |
-| `EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS` | `2**14` (= 16,384) | epochs | ~73 days |
-| `EPOCHS_PER_CUSTODY_PERIOD` | `2**11` (= 2,048) | epochs | ~9 days |
+| `EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS` | `2**15` (= 32,768) | epochs | ~146 days |
+| `EPOCHS_PER_CUSTODY_PERIOD` | `2**14` (= 16,384) | epochs | ~73 days |
 | `CUSTODY_PERIOD_TO_RANDAO_PADDING` | `2**11` (= 2,048) | epochs | ~9 days |
-| `MAX_CHUNK_CHALLENGE_DELAY` | `2**11` (= 2,048) | epochs | ~9 days |
-| `CUSTODY_RESPONSE_DEADLINE` | `2**14` (= 16,384) | epochs | ~73 days |
+| `MAX_CHUNK_CHALLENGE_DELAY` | `2**15` (= 32,768) | epochs | ~146 days |
+| `CHUNK_RESPONSE_DEADLINE` | `2**14` (= 16,384) | epochs | ~73 days |
 
 ### Max operations per block
 
@@ -140,7 +141,6 @@ class CustodyChunkResponse(Container):
 
 ```python
 class CustodySlashing(Container):
-    # Attestation.custody_bits_blocks[data_index][committee.index(malefactor_index)] is the target custody bit to check.
     # (Attestation.data.shard_transition_root as ShardTransition).shard_data_roots[data_index] is the root of the data.
     data_index: uint64
     malefactor_index: ValidatorIndex
@@ -276,7 +276,8 @@ def compute_custody_bit(key: BLSSignature, data: ByteList[MAX_SHARD_BLOCK_SIZE])
     custody_atoms = get_custody_atoms(data)
     secrets = get_custody_secrets(key)
     uhf = universal_hash_function(custody_atoms, secrets)
-    return legendre_bit(uhf + secrets[0], CUSTODY_PRIME)
+    legendre_bits = [legendre_bit(uhf + secrets[0] + i, CUSTODY_PRIME) for i in range(CUSTODY_PROBABILITY_EXPONENT)]
+    return all(legendre_bits)
 ```
 
 ### `get_randao_epoch_for_custody_period`
@@ -517,9 +518,6 @@ def process_custody_slashing(state: BeaconState, signed_custody_slashing: Signed
     # Verify the attestation
     assert is_valid_indexed_attestation(state, get_indexed_attestation(state, attestation))
 
-    # TODO: custody_slashing.data is not chunked like shard blocks yet, result is lots of padding.
-    # ??? What does this mean?
-
     # TODO: can do a single combined merkle proof of data being attested.
     # Verify the shard transition is indeed attested by the attestation
     shard_transition = custody_slashing.shard_transition
@@ -544,18 +542,14 @@ def process_custody_slashing(state: BeaconState, signed_custody_slashing: Signed
     signing_root = compute_signing_root(epoch_to_sign, domain)
     assert bls.Verify(malefactor.pubkey, signing_root, custody_slashing.malefactor_secret)
 
-    # Get the custody bit
-    custody_bits = attestation.custody_bits_blocks[custody_slashing.data_index]
-    committee = get_beacon_committee(state, attestation.data.slot, attestation.data.index)
-    claimed_custody_bit = custody_bits[committee.index(custody_slashing.malefactor_index)]
-
     # Compute the custody bit
     computed_custody_bit = compute_custody_bit(custody_slashing.malefactor_secret, custody_slashing.data)
-    
+
     # Verify the claim
-    if claimed_custody_bit != computed_custody_bit:
+    if computed_custody_bit == 1:
         # Slash the malefactor, reward the other committee members
         slash_validator(state, custody_slashing.malefactor_index)
+        committee = get_beacon_committee(state, attestation.data.slot, attestation.data.index)
         others_count = len(committee) - 1
         whistleblower_reward = Gwei(malefactor.effective_balance // WHISTLEBLOWER_REWARD_QUOTIENT // others_count)
         for attester_index in attesters:
@@ -576,15 +570,15 @@ def process_custody_slashing(state: BeaconState, signed_custody_slashing: Signed
 def process_reveal_deadlines(state: BeaconState) -> None:
     epoch = get_current_epoch(state)
     for index, validator in enumerate(state.validators):
-        deadline = validator.next_custody_secret_to_reveal + (CUSTODY_RESPONSE_DEADLINE // EPOCHS_PER_CUSTODY_PERIOD)
+        deadline = validator.next_custody_secret_to_reveal + 1
         if get_custody_period_for_validator(ValidatorIndex(index), epoch) > deadline:
             slash_validator(state, ValidatorIndex(index))
 ```
 
 ```python
 def process_challenge_deadlines(state: BeaconState) -> None:
     for custody_chunk_challenge in state.custody_chunk_challenge_records:
-        if get_current_epoch(state) > custody_chunk_challenge.inclusion_epoch + CUSTODY_RESPONSE_DEADLINE:
+        if get_current_epoch(state) > custody_chunk_challenge.inclusion_epoch + EPOCHS_PER_CUSTODY_PERIOD:
             slash_validator(state, custody_chunk_challenge.responder_index, custody_chunk_challenge.challenger_index)
             index_in_records = state.custody_chunk_challenge_records.index(custody_chunk_challenge)
             state.custody_chunk_challenge_records[index_in_records] = CustodyChunkChallengeRecord()