17/WAKU-RLN-RELAY: Revise spec for its draft version #484
Conversation
content/docs/rfcs/17/README.md
Outdated
| The value of `T` is application-dependent. | ||
| See section [Recommended System Parameters](#recommended-system-parameters) for some recommended ways to set a sensible `T` value. | ||
| Peers subscribed to a spam-protected `pubsubTopic` are only allowed to send one message per `epoch` | ||
| (messaging rate MAY be enforced for `WakuMessages` with a specific `contetTopic` published on a `pubsubTopic`, but that is an implementation choice). |
There was a problem hiding this comment.
| (messaging rate MAY be enforced for `WakuMessages` with a specific `contetTopic` published on a `pubsubTopic`, but that is an implementation choice). | |
| (messaging rate MAY be enforced for `WakuMessages` with a specific `contentTopic` published on a `pubsubTopic`, but that is an implementation choice). |
There was a problem hiding this comment.
thanks, done in e8095c5
content/docs/rfcs/17/README.md
Outdated
|
|
||
|
|
||
| # Flow | ||
| The messaging rate is set to 1 per `epoch`, | ||
| where `epoch` indicates the number of `T` seconds elapsed since the Unix epoch event. |
There was a problem hiding this comment.
Do we need T, or could we consider making T more descriptive? it seems more like a local variable
It seems like we have:
message-rate 1
epoch
There was a problem hiding this comment.
Epoch is a counter for the multiples of T (epoch=current Unix epoch time/ T), so they are not the same. T is the length of each epoch. I guess that the naming is confusing, let me know if you have any suggestions for better naming.
There was a problem hiding this comment.
epoch=current Unix epoch time/ T I find this rather confusing, I keep re-reading it but it doesn't quite seem right to me:
- epoch is being "redefined" inside a definition
- we introduce a generic "T" parameter
Why not do something like:
- unix time epoch is a well understood standard for seconds since 1970
- call T period
Example:
unix_timeis 1644810116speriodis 30sepochislceil(unix_time/period)
Note that epoch refers to epoch in RLN and not Unix epoch. This means a message can only be sent every period, where period is up to the application.
(This assumes we want to keep epoch, but I suppose it is used everywhere so might as well keep using it. We should be explicit about this not being Unix epoch though).
content/docs/rfcs/17/README.md
Outdated
| where `epoch` indicates the number of `T` seconds elapsed since the Unix epoch event. | ||
| The value of `T` is application-dependent. | ||
| See section [Recommended System Parameters](#recommended-system-parameters) for some recommended ways to set a sensible `T` value. | ||
| Peers subscribed to a spam-protected `pubsubTopic` are only allowed to send one message per `epoch` |
There was a problem hiding this comment.
Is one message hardcoded or a variable? Either case should make it explicit
There was a problem hiding this comment.
Messaging rate is always 1 per some unit of time which is defined by T. It is a fixed value and the reason is that
- The current rln lib does not have support for a higher messaging rate (higher degree polynomials)
- In the other library developed by Blagoj, the support for a higher messaging rate is excluded as the same effect can be captured by tweaking the epoch duration. This means probably messaging rate is going to be always 1.
- Changing the messaging rate to higher than 1 will affect the slashing process described in the spec (for which there is no clear definition of internal nullified either), so I'd say let's keep it simple and stick to the messaging rate of 1.
There was a problem hiding this comment.
That makes sense! In that case we can make it explicitly that it is hardcoded to message per epoch per definition.
I'm still not clear the use of T here, seems like this could be clarified. See #484 (comment)
There was a problem hiding this comment.
That makes sense! In that case we can make it explicitly that it is hardcoded to message per epoch per definition.
Sure, I'll update it
I'm still not clear the use of T here, seems like this could be clarified. See #484 (comment)
Please see this comment of mine https://github.com/vacp2p/rfc/pull/484/files#r804929807
content/docs/rfcs/17/README.md
Outdated
| The value of `T` is application-dependent. | ||
| See section [Recommended System Parameters](#recommended-system-parameters) for some recommended ways to set a sensible `T` value. | ||
| Peers subscribed to a spam-protected `pubsubTopic` are only allowed to send one message per `epoch` | ||
| (messaging rate MAY be enforced for `WakuMessages` with a specific `contentTopic` published on a `pubsubTopic`, but that is an implementation choice). |
There was a problem hiding this comment.
What do we mean by an implementation choice?
Perhaps we could add this as a new paragraph, remove () and say "could be" but "not supported right now ~"
There was a problem hiding this comment.
In fact, it is supported in the nim implementation, but it does not affect the specification as nowhere in the specs peers exchange the pubsubTopic or the contetTopic for which the rln-relay is enabled.
There was a problem hiding this comment.
Sounds like it is underspecified right now? Which is ok, we can make it explicit. Implementation choice makes it seem arbitrary, but perhaps it is more that this is deferred to a higher level layer, such a specific chat protocol built on top?
There was a problem hiding this comment.
Right, it is up to the higher-level protocols to dictate such granularity. I'll update the description accordingly.
content/docs/rfcs/17/README.md
Outdated
| ## SetUp and Registration | ||
| A peer willing to publish a message is required to register. | ||
| Peers subscribed to a specific `pubsubTopic` form a [rln group](/spec/32). |
There was a problem hiding this comment.
rln or RLN? I'd say RLN everywhere to be consistent maybe
content/docs/rfcs/17/README.md
Outdated
| See section [Recommended System Parameters](#recommended-system-parameters) for some recommended ways to set a sensible `T` value. | ||
| Peers subscribed to a spam-protected `pubsubTopic` are only allowed to send one message per `epoch` | ||
| (messaging rate MAY be enforced for `WakuMessages` with a specific `contentTopic` published on a `pubsubTopic`, but that is an implementation choice). | ||
|
|
||
| ## SetUp and Registration |
There was a problem hiding this comment.
| ## SetUp and Registration | |
| ## Setup and Registration |
| An overview of routing procedure is depicted in Figure 2. | ||
| Proof generation relies on the knowledge of Merkle tree root `merkle_root` and `authPath` which both require access to the membership Merkle tree. | ||
| Getting access to the Merkle tree can be done in various ways. | ||
| One way is that all the peers construct the tree locally. |
There was a problem hiding this comment.
Below paragraph should be together same
There was a problem hiding this comment.
Can you please clarify this? do you mean to combine the two paragraphs?
content/docs/rfcs/17/README.md
Outdated
|
|
||
| The `merkle_root` is an array of 32 bytes which holds the root of membership group Merkle tree at the time of publishing the message. | ||
| The `merkle_root` is an array of 32 bytes in little-endian order which holds the root of membership group Merkle tree at the time of publishing the message. |
There was a problem hiding this comment.
These data types can we put them in a more clear list, table or ABNF form if protobuf isn't precise enough? E.g. https://rfc.vac.dev/spec/7/#abnf
There was a problem hiding this comment.
I moved them inside a table 5eecaf2
| In the proof of concept implementation of `17/WAKU-RLN-RELAY` protocol which is available in [nim-waku](https://github.com/status-im/nim-waku), the messaging rate is set to 1 per second i.e. `T = 1 second`. | ||
| Nevertheless, this value is also subject to change depending on user experience. | ||
|
|
||
| ## Maximum Epoch Gap |
There was a problem hiding this comment.
Maybe we can add short paragraph with example of possibly sensible value?
There was a problem hiding this comment.
Sure, I'll do a bit of research on this matter, especially the sensible clock drift, and will update the RFC with sensible value in another PR.
oskarth
changed the title
| That is, the peer uses the `share_x` and `share_y` of the new message and the `share'_x` and `share'_y` of the old record to reconstruct the `sk` of the message owner. | ||
| The `sk` then can be used to delete the spammer from the group and withdraw a portion of its staked fund. | ||
| 2. If the `share_x` and `share_y` fields of the previously relayed message are identical to the incoming message, then the message is a duplicate and shall be discarded. | ||
| 3. If none is found, then the message gets relayed. | ||
|
|
There was a problem hiding this comment.
From the description looks like spam detection can be done exclusively by checking the nullifier and thus there is no need to stake. In fact, while 1. economically disincentivize spam, 2. looks more as a replay attack prevention mechanism which in principle can be executed with no group registration against honest users (with the final goal to mark them as spammers). Hence the need for both a nullifier and a stake mechanism.
There was a problem hiding this comment.
From the description looks like spam detection can be done exclusively by checking the
nullifierand thus there is no need to stake. In fact, while 1. economically disincentivize spam, 2. looks more as a replay attack prevention mechanism which in principle can be executed with no group registration against honest users (with the final goal to mark them as spammers). Hence the need for both anullifierand a stake mechanism.
@s1fr0
Right, detection of double signaling i.e., spamming is done by tracking internal nullifiers.
I am not sure about the second point you made about the replay attack, can you please elaborate? In the current design, duplicate messages (or replayed messages) are found using their secret shares i.e., share_x regardless of their nullifier.
There was a problem hiding this comment.
My comment was about stressing the reason of having both a nullifier mechanism and a share detection/stake mechanism. In principle, you can filter redundant/spam messages exclusively by looking at nullifiers and discarding messages which use an already seen one. But marking spammers only based on re-used nullifiers opens to replay attacks, where an attacker simply replays users' messages (i.e., nullifier, proof, etc.) to multiple nodes with the malicious intent of making honest users being tagged as spammers.
There was a problem hiding this comment.
an attacker simply replays users' messages (i.e., nullifier, proof, etc.) to multiple nodes with the malicious intent of making honest users being tagged as spammers.
By replaying old messages it is not possible to make an honest peer look as a spammer, there needs to be a new message published by the same peer in the same epoch for it to be marked as a spammer.
Update: I see what you mean, right, I'd say such motivation should be (and is good to be) included in the RLN-RFC which is going to be soon part of the vac rfcs. The reason I do not recommend including it here is that it directly relates to the RLN construct whereas rln-relay is an application of the RLN construct.
There was a problem hiding this comment.
yes! It was about providing more context on why there are two checks and not only one. In this construction, the two are indeed necessary to detect and disincentivize spammers.
content/docs/rfcs/17/README.md
Outdated
|
|
||
| The `epoch` is an array of 32 bytes that represents the epoch in which the message is published. | ||
| <!-- TODO epoch is going to change to a different type --> | ||
| The `epoch` is an array of 32 bytes in little-endian order that represents the epoch in which the message is published. |
There was a problem hiding this comment.
I expect epoch to be 8 bytes long (Timestamp type) or 16 in case for some reason it will be changed to int128. Is 32 bytes long fields a requirement for public circuit inputs in current implementation? (if so this may make the final circuit more complicated than necessary, i.e., make proof computation slower)
There was a problem hiding this comment.
epoch is not of the timestamp type but is a counter and its type is dictated by the underlying circuit definition.
One important note about the epoch is that it corresponds to the external nullifier in the general rln construct, and conceptually can be any arbitrary value e.g., can represent a voting booth for which only one vote can be cast by each participant. As we are using rln for spam protection in a GossipSub network, we opted for the epoch definition which is smaller than 32 bytes, but in other rln applications, it may not be the case. I imagine the reason for it being 32bytes is to account for arbitrary values.
There was a problem hiding this comment.
A great read! I wonder if the trustless property of the employed Merkle tree accumulator is necessary. Of course, it provides full transparency on accumulated pk, which is great. On the other hand it forces membership proofs to have logarithmic size (rather than constant) and thus the ZK circuit would result inefficient to first users (since the authPath private field length should take into account a possible large number of users). Also a Merkle tree requires membership witness updates on each pk addition/deletion operation which may result inconvenient on users' side and easily make proofs outdated in case of a large number of concurrent registered users.
If Merkle-trees can be replaced by (positive) accumulators managed by a trusted authority, it is then possible to have accumulator values which remain constant on pk additions and change only in case of deletions (ideal in the RLNRELAY setting). Also witnesses are constant-sized and can be updated even after million of pk additions/deletions in few elementary operations (under some assumptions). This might be of interest for future work.
content/docs/rfcs/17/README.md
Outdated
| ## SetUp and Registration | ||
| A peer willing to publish a message is required to register. | ||
| Peers subscribed to a specific `pubsubTopic` form a [rln group](/spec/32). |
content/docs/rfcs/17/README.md
Outdated
| For the registration, a peer creates a transaction that invokes the registration function of the contract via which registers its `pk` in the group. | ||
| The transaction also transfers `v` amount of ether to the contract to be staked. | ||
| `v` is a system parameter. | ||
| The peer who has the "private key" `sk` associated with a registered `pk` would be able to withdraw a portion `p` of the staked fund by providing valid proof. <!-- a secure way to prove the possession of a pk is yet under discussion, maybe via commit and reveal --> |
content/docs/rfcs/17/README.md
Outdated
| The state of the membership contract contains the list of registered members' public identity keys i.e., `pk`s. | ||
| For the registration, a peer creates a transaction that invokes the registration function of the contract via which registers its `pk` in the group. | ||
| The transaction also transfers `v` amount of ether to the contract to be staked. | ||
| `v` is a system parameter. |
There was a problem hiding this comment.
sure, added a table under the "Recommended System Parameters".
content/docs/rfcs/17/README.md
Outdated
|
|
||
|
|
||
| ## Routing | ||
| ## Group Synchronization |
| In the proof of concept implementation of `17/WAKU-RLN-RELAY` protocol which is available in [nim-waku](https://github.com/status-im/nim-waku), the messaging rate is set to 1 per second i.e. `T = 1 second`. | ||
| Nevertheless, this value is also subject to change depending on user experience. | ||
|
|
||
| ## Maximum Epoch Gap |
There was a problem hiding this comment.
Sure, I'll do a bit of research on this matter, especially the sensible clock drift, and will update the RFC with sensible value in another PR.
Thanks for the suggestion @s1fr0, what you proposed directly impacts the rln construct and its circuit. I think it would be good if you open an issue in vac rfc research repo for it and elaborate on your suggested approach (we can also discuss it in our 1:1). In line with your suggestion, there is research on using Verkle trees instead of Merkle tree for efficiency reasons. A quick few points about your suggestion:
|
|
@oskarth please let me know if any further updates are needed. |
Positive accumulators are cryptographic accumulators supporting membership witnesses, i.e. you can prove that an element is accumulated into an accumulator value (in Merkle trees this correspond to "a leaf has a path towards the root"). Negative accumulators are those that support non-membership witnesses, i.e. you can prove that something is not accumulated in the accumulator value. Universal accumulators support both membership and non-membership witnesses.
AFAIK current schemes have some sort of decentralization/efficiency tradeoff, i.e. the more you go decentralized the less efficient the accumulator, and viceversa. Ideally you need a positive accumulator that doesn't change its accumulator value on additions (the most frequent scenario here) in order to avoid users to frequently update their witnesses (note that in case of |
content/docs/rfcs/17/README.md
Outdated
| The messaging rate is hardcoded to `1` message per `epoch` per definition. | ||
| The `epoch` is measured as `epoch` = $\lceil$ current Unix epoch time in seconds / `Epoch_Length` $\rceil$ where `Epoch_Length` indicates the length of the `epoch` in seconds. | ||
| In other words, the `epoch` value gets incremented after every `Epoch_Length` passed from the Unix epoch event. | ||
| The messaging rate `1` is a fixed value whereas the epoch duration `Epoch_Length` is application-dependent. |
There was a problem hiding this comment.
| The messaging rate is hardcoded to `1` message per `epoch` per definition. | |
| The `epoch` is measured as `epoch` = $\lceil$ current Unix epoch time in seconds / `Epoch_Length` $\rceil$ where `Epoch_Length` indicates the length of the `epoch` in seconds. | |
| In other words, the `epoch` value gets incremented after every `Epoch_Length` passed from the Unix epoch event. | |
| The messaging rate `1` is a fixed value whereas the epoch duration `Epoch_Length` is application-dependent. | |
| The messaging rate is hardcoded to `1` message per `epoch` per definition. | |
| The `epoch` is measured as `epoch` = $\lceil$ current Unix epoch time in seconds / `Epoch_Length` $\rceil$ where `Epoch_Length` indicates the length of the `epoch` in seconds. | |
| In other words, the `epoch` value gets incremented after every `Epoch_Length` passed from the Unix epoch event. | |
| The messaging rate `1` is a fixed value whereas the epoch duration `Epoch_Length` is application-dependent. |
The messaging rate is defined by the period which indicates how many messages can be sent in a given period.
We define an epoch as lceil(unix_time / period). For example, if unix_time is 1644810116 and we set period to 30, then epoch is lceil(unix_time/period) = 54827003.
Note that epoch refers to epoch in RLN and not Unix epoch. This means a message can only be sent every period, where period is up to the application.
See see section Recommended System Parameters for some recommended ways to set a sensible period value depending on the application.
There was a problem hiding this comment.
thanks, done 8954039
content/docs/rfcs/17/README.md
Outdated
| The `epoch` is measured as `epoch` = $\lceil$ current Unix epoch time in seconds / `Epoch_Length` $\rceil$ where `Epoch_Length` indicates the length of the `epoch` in seconds. | ||
| In other words, the `epoch` value gets incremented after every `Epoch_Length` passed from the Unix epoch event. | ||
| The messaging rate `1` is a fixed value whereas the epoch duration `Epoch_Length` is application-dependent. | ||
| See section [Recommended System Parameters](#recommended-system-parameters) for some recommended ways to set a sensible `Epoch_Length` value. |
There was a problem hiding this comment.
| See section [Recommended System Parameters](#recommended-system-parameters) for some recommended ways to set a sensible `Epoch_Length` value. |
content/docs/rfcs/17/README.md
Outdated
| editor: Sanaz Taheri <sanaz@status.im> | ||
| --- |
There was a problem hiding this comment.
| editor: Sanaz Taheri <sanaz@status.im> | |
| --- | |
| editor: Sanaz Taheri <sanaz@status.im> | |
| contributors: Oskar Thoren <oskar@status.im> | |
| --- |
Gonna add myself to this one :D
There was a problem hiding this comment.
Sure, done 8954039
content/docs/rfcs/17/README.md
Outdated
| The security objective is to control the number of PubSub messages that each peer can publish per epoch where epoch is a system design parameter, regardless of the published topic. | ||
| The security objective is to contain spam activity in a GossipSub network by enforcing a global messaging rate to all the peers. | ||
| Peers that violate the messaging rate are considered spammers and their message is considered spam. | ||
| Spammers are also financially punished and removed from the system. | ||
|
|
||
|
|
||
| **Protocol identifier***: `/vac/waku/waku-rln-relay/2.0.0-alpha1` |
There was a problem hiding this comment.
Is this still the protocol identifier? Have we ever bumped this? Think calling it beta might be more appropriate if it is a draft
There was a problem hiding this comment.
Good point, In fact, we do not use the waku-rln-relay protocol identifier at all and I am going to delete it from the specs. Rln-relay is a configuration over the relay protocol that applications can switch on-off for specific pubsub topics. More specifically, rln-relay is a topicValidator that can be installed on a pubsub topic if need be.
| To publish at a given `epoch`, the publishing peer proceeds based on the regular [`11/WAKU2-RELAY`](/spec/11) protocol. | ||
| However, to protect against spamming, each `WakuMessage` (which is wrapped inside the `data` field of a PubSub message) MUST carry a [`RateLimitProof`](##RateLimitProof) with the following fields. |
There was a problem hiding this comment.
| To publish at a given `epoch`, the publishing peer proceeds based on the regular [`11/WAKU2-RELAY`](/spec/11) protocol. | |
| However, to protect against spamming, each `WakuMessage` (which is wrapped inside the `data` field of a PubSub message) MUST carry a [`RateLimitProof`](##RateLimitProof) with the following fields. | |
| To publish at a given `epoch`, the publishing peer proceeds based on the regular [`11/WAKU2-RELAY`](/spec/11) protocol. | |
| However, to protect against spamming, each `WakuMessage` (which is wrapped inside the `data` field of a PubSub message) MUST carry a [`RateLimitProof`](##RateLimitProof) with the following fields. |
There was a problem hiding this comment.
Like this, same across document. Makes it hard to read in plain text mode.
There was a problem hiding this comment.
done in 8954039
content/docs/rfcs/17/README.md
Outdated
|
|
||
| <!-- TODO: may shorten or delete the Spam detection and slashing process --> | ||
| **Epoch Validation** | ||
| If the `epoch` attached to the message is more than `Max_Epoch_Gap` apart from the routing peer's current `epoch` then the message is discarded and considered invalid. |
There was a problem hiding this comment.
Nitpick but for constants can we keep them lower_case? E.g. max_epoch_gap (same above)
There was a problem hiding this comment.
sure done in 8954039
* master: RFC16: add version call (#505) fix(noise): update RFC to implementation (#508) fixup: 37/WAKU2-NOISE fix images paths (#506) New RFC: 37/WAKU2-NOISE-SESSIONS (#504) 36/WAKU2-BINDINGS-API (#501) docs(16/WAKU2-RPC): add ENR to waku info (#502) Adding 35/WAKU2-NOISE to menu (#500) add RFC33 to index (#499) feat: 32/RLN raw spec New RFC: 35/WAKU2-NOISE (#496) Update on the rln registration figure to match the current spec (#497) 33/WAKU-DISCV5: Add first raw version (#487) Add pubsubTopic field to index (#492) Fix markdown links (#493) Categorize 22 & 31 (#490) Changed PB Timestamp index to 10 (#491) 13/14/16/21: Change in timestamp format (#483) add: RFC31 copyright statement (#489) 17/WAKU-RLN-RELAY: Revise spec for its draft version (#484)
* master: RFC16: add version call (#505) fix(noise): update RFC to implementation (#508) fixup: 37/WAKU2-NOISE fix images paths (#506) New RFC: 37/WAKU2-NOISE-SESSIONS (#504) 36/WAKU2-BINDINGS-API (#501) docs(16/WAKU2-RPC): add ENR to waku info (#502) Adding 35/WAKU2-NOISE to menu (#500) add RFC33 to index (#499) feat: 32/RLN raw spec New RFC: 35/WAKU2-NOISE (#496) Update on the rln registration figure to match the current spec (#497) 33/WAKU-DISCV5: Add first raw version (#487) Add pubsubTopic field to index (#492) Fix markdown links (#493) Categorize 22 & 31 (#490) Changed PB Timestamp index to 10 (#491) 13/14/16/21: Change in timestamp format (#483) add: RFC31 copyright statement (#489) 17/WAKU-RLN-RELAY: Revise spec for its draft version (#484)
It is the spec counterpart of waku-org/nwaku#714
Closes waku-org/nwaku#714