2019-03-28 22:54:39 +00:00
# Ethereum 2.0 Phase 1 -- Custody Game
2019-05-06 10:30:32 -05:00
**Notice**: This document is a work-in-progress for researchers and implementers.
2019-03-28 22:54:39 +00:00
## Table of contents
<!-- TOC -->
- [Ethereum 2.0 Phase 1 -- Custody Game ](#ethereum-20-phase-1----custody-game )
- [Table of contents ](#table-of-contents )
- [Introduction ](#introduction )
- [Terminology ](#terminology )
- [Constants ](#constants )
- [Misc ](#misc )
2019-08-11 10:05:17 -07:00
- [Custody game parameters ](#custody-game-parameters )
2019-03-28 22:54:39 +00:00
- [Time parameters ](#time-parameters )
2019-03-31 22:54:46 +08:00
- [Max operations per block ](#max-operations-per-block )
2019-05-03 11:30:55 +02:00
- [Reward and penalty quotients ](#reward-and-penalty-quotients )
2019-07-04 20:52:58 +08:00
- [Signature domain types ](#signature-domain-types )
2019-07-01 04:57:42 +08:00
- [TODO PLACEHOLDER ](#todo-placeholder )
2019-03-28 22:54:39 +00:00
- [Data structures ](#data-structures )
- [Custody objects ](#custody-objects )
- [`CustodyChunkChallenge` ](#custodychunkchallenge )
- [`CustodyBitChallenge` ](#custodybitchallenge )
- [`CustodyChunkChallengeRecord` ](#custodychunkchallengerecord )
- [`CustodyBitChallengeRecord` ](#custodybitchallengerecord )
- [`CustodyResponse` ](#custodyresponse )
2019-05-06 10:30:32 -05:00
- [New beacon operations ](#new-beacon-operations )
2019-03-28 22:54:39 +00:00
- [`CustodyKeyReveal` ](#custodykeyreveal )
2019-05-03 11:30:55 +02:00
- [`EarlyDerivedSecretReveal` ](#earlyderivedsecretreveal )
2019-03-28 22:54:39 +00:00
- [Phase 0 container updates ](#phase-0-container-updates )
- [`Validator` ](#validator )
- [`BeaconState` ](#beaconstate )
- [`BeaconBlockBody` ](#beaconblockbody )
- [Helpers ](#helpers )
2019-05-21 12:41:24 +02:00
- [`ceillog2` ](#ceillog2 )
2019-08-11 10:05:17 -07:00
- [`is_valid_merkle_branch_with_mixin` ](#is_valid_merkle_branch_with_mixin )
2019-03-28 22:54:39 +00:00
- [`get_crosslink_chunk_count` ](#get_crosslink_chunk_count )
2019-08-11 10:05:17 -07:00
- [`legendre_bit` ](#legendre_bit )
- [`custody_subchunkify` ](#custody_subchunkify )
2019-03-28 22:54:39 +00:00
- [`get_custody_chunk_bit` ](#get_custody_chunk_bit )
2019-05-09 14:52:56 +08:00
- [`get_chunk_bits_root` ](#get_chunk_bits_root )
2019-05-03 11:30:55 +02:00
- [`get_randao_epoch_for_custody_period` ](#get_randao_epoch_for_custody_period )
2019-08-11 10:05:17 -07:00
- [`get_custody_period_for_validator` ](#get_custody_period_for_validator )
2019-05-24 01:34:39 +08:00
- [`replace_empty_or_append` ](#replace_empty_or_append )
- [Per-block processing ](#per-block-processing )
- [Operations ](#operations )
- [Custody key reveals ](#custody-key-reveals )
- [Early derived secret reveals ](#early-derived-secret-reveals )
- [Chunk challenges ](#chunk-challenges )
- [Bit challenges ](#bit-challenges )
- [Custody responses ](#custody-responses )
- [Per-epoch processing ](#per-epoch-processing )
- [Handling of custody-related deadlines ](#handling-of-custody-related-deadlines )
2019-03-28 22:54:39 +00:00
<!-- /TOC -->
## Introduction
2019-05-06 10:30:32 -05:00
This document details the beacon chain additions and changes in Phase 1 of Ethereum 2.0 to support the shard data custody game, building upon the [Phase 0 ](0_beacon-chain.md ) specification.
2019-03-28 22:54:39 +00:00
## Terminology
2019-06-30 21:25:58 +02:00
- **Custody game**—
- **Custody period**—
- **Custody chunk**—
- **Custody chunk bit**—
- **Custody chunk challenge**—
- **Custody bit**—
- **Custody bit challenge**—
- **Custody key**—
- **Custody key reveal**—
- **Custody key mask**—
- **Custody response**—
- **Custody response deadline**—
2019-03-28 22:54:39 +00:00
## Constants
### Misc
2019-08-11 10:05:17 -07:00
| `BLS12_381_Q` | `4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787` |
| `MINOR_REWARD_QUOTIENT` | `2**8` (= 256) |
### Custody game parameters
2019-03-28 22:54:39 +00:00
| Name | Value |
| - | - |
| `BYTES_PER_SHARD_BLOCK` | `2**14` (= 16,384) |
| `BYTES_PER_CUSTODY_CHUNK` | `2**9` (= 512) |
2019-08-11 10:05:17 -07:00
| `BYTES_PER_CUSTODY_SUBCHUNK` | `48` |
| `CHUNKS_PER_EPOCH` | `2 * BYTES_PER_SHARD_BLOCK * SLOTS_PER_EPOCH // BYTES_PER_CUSTODY_CHUNK` |
| `MAX_CUSTODY_CHUNKS` | `MAX_EPOCHS_PER_CROSSLINK * CHUNKS_PER_EPOCH` |
| `CUSTODY_DATA_DEPTH` | `ceillog2(MAX_CUSTODY_CHUNKS) + 1` |
| `CUSTODY_CHUNK_BIT_DEPTH` | `ceillog2(MAX_EPOCHS_PER_CROSSLINK * CHUNKS_PER_EPOCH // 256) + 2` |
2019-03-28 22:54:39 +00:00
### Time parameters
| Name | Value | Unit | Duration |
| - | - | :-: | :-: |
| `MAX_CHUNK_CHALLENGE_DELAY` | `2**11` (= 2,048) | epochs | ~9 days |
| `CUSTODY_RESPONSE_DEADLINE` | `2**14` (= 16,384) | epochs | ~73 days |
2019-05-03 11:30:55 +02:00
| `RANDAO_PENALTY_EPOCHS` | `2**1` (= 2) | epochs | 12.8 minutes |
| `EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS` | `2**14` | epochs | ~73 days |
| `EPOCHS_PER_CUSTODY_PERIOD` | `2**11` (= 2,048) | epochs | ~9 days |
| `CUSTODY_PERIOD_TO_RANDAO_PADDING` | `2**11` (= 2,048) | epochs | ~9 days |
| `MAX_REVEAL_LATENESS_DECREMENT` | `2**7` (= 128) | epochs | ~14 hours |
2019-03-28 22:54:39 +00:00
2019-03-31 22:54:46 +08:00
### Max operations per block
2019-03-28 22:54:39 +00:00
| Name | Value |
| - | - |
| `MAX_CUSTODY_KEY_REVEALS` | `2**4` (= 16) |
2019-05-03 11:30:55 +02:00
| `MAX_EARLY_DERIVED_SECRET_REVEALS` | `1` |
2019-03-28 22:54:39 +00:00
| `MAX_CUSTODY_CHUNK_CHALLENGES` | `2**2` (= 4) |
| `MAX_CUSTODY_BIT_CHALLENGES` | `2**2` (= 4) |
| `MAX_CUSTODY_RESPONSES` | `2**5` (= 32) |
2019-05-03 11:30:55 +02:00
### Reward and penalty quotients
2019-05-12 13:46:17 -07:00
| Name | Value |
| - | - |
2019-05-03 11:30:55 +02:00
| `EARLY_DERIVED_SECRET_REVEAL_SLOT_REWARD_MULTIPLE` | `2**1` (= 2) |
2019-06-30 22:12:02 +02:00
### Signature domain types
The following types are defined, mapping into `DomainType` (little endian):
2019-03-28 22:54:39 +00:00
| Name | Value |
| - | - |
2019-05-03 11:30:55 +02:00
| `DOMAIN_CUSTODY_BIT_CHALLENGE` | `6` |
2019-03-28 22:54:39 +00:00
2019-06-19 02:14:13 +02:00
### TODO PLACEHOLDER
| Name | Value |
| - | - |
| `PLACEHOLDER` | `2**32` |
2019-03-28 22:54:39 +00:00
## Data structures
### Custody objects
#### `CustodyChunkChallenge`
```python
2019-06-05 15:29:26 +02:00
class CustodyChunkChallenge(Container):
responder_index: ValidatorIndex
attestation: Attestation
chunk_index: uint64
2019-03-28 22:54:39 +00:00
```
#### `CustodyBitChallenge`
```python
2019-06-05 15:29:26 +02:00
class CustodyBitChallenge(Container):
responder_index: ValidatorIndex
attestation: Attestation
challenger_index: ValidatorIndex
2019-06-15 18:25:37 -04:00
responder_key: BLSSignature
2019-08-11 10:05:17 -07:00
chunk_bits: Bitlist[MAX_CUSTODY_CHUNKS]
2019-06-15 18:25:37 -04:00
signature: BLSSignature
2019-03-28 22:54:39 +00:00
```
#### `CustodyChunkChallengeRecord`
```python
2019-06-05 15:29:26 +02:00
class CustodyChunkChallengeRecord(Container):
challenge_index: uint64
challenger_index: ValidatorIndex
responder_index: ValidatorIndex
inclusion_epoch: Epoch
2019-07-04 20:52:58 +08:00
data_root: Hash
2019-06-05 15:29:26 +02:00
depth: uint64
chunk_index: uint64
2019-03-28 22:54:39 +00:00
```
#### `CustodyBitChallengeRecord`
```python
2019-06-05 15:29:26 +02:00
class CustodyBitChallengeRecord(Container):
challenge_index: uint64
challenger_index: ValidatorIndex
responder_index: ValidatorIndex
inclusion_epoch: Epoch
2019-07-04 20:52:58 +08:00
data_root: Hash
2019-06-05 15:29:26 +02:00
chunk_count: uint64
2019-07-04 20:52:58 +08:00
chunk_bits_merkle_root: Hash
2019-06-15 18:25:37 -04:00
responder_key: BLSSignature
2019-03-28 22:54:39 +00:00
```
#### `CustodyResponse`
```python
2019-06-05 15:29:26 +02:00
class CustodyResponse(Container):
challenge_index: uint64
chunk_index: uint64
2019-08-11 10:05:17 -07:00
chunk: BytesN[BYTES_PER_CUSTODY_CHUNK]
data_branch: List[Hash, CUSTODY_DATA_DEPTH]
chunk_bits_branch: List[Hash, CUSTODY_CHUNK_BIT_DEPTH]
chunk_bits_leaf: Bitvector[256]
2019-03-28 22:54:39 +00:00
```
2019-05-06 10:30:32 -05:00
### New beacon operations
2019-05-03 11:30:55 +02:00
2019-03-28 22:54:39 +00:00
#### `CustodyKeyReveal`
```python
2019-06-05 15:29:26 +02:00
class CustodyKeyReveal(Container):
2019-05-03 11:30:55 +02:00
# Index of the validator whose key is being revealed
2019-06-12 20:08:19 -04:00
revealer_index: ValidatorIndex
2019-05-03 11:30:55 +02:00
# Reveal (masked signature)
2019-06-15 18:25:37 -04:00
reveal: BLSSignature
2019-05-03 11:30:55 +02:00
```
#### `EarlyDerivedSecretReveal`
Represents an early (punishable) reveal of one of the derived secrets, where derived secrets are RANDAO reveals and custody reveals (both are part of the same domain).
```python
2019-06-05 15:29:26 +02:00
class EarlyDerivedSecretReveal(Container):
2019-05-03 11:30:55 +02:00
# Index of the validator whose key is being revealed
2019-06-15 18:25:37 -04:00
revealed_index: ValidatorIndex
2019-05-03 11:30:55 +02:00
# RANDAO epoch of the key that is being revealed
2019-06-12 20:08:19 -04:00
epoch: Epoch
2019-05-03 11:30:55 +02:00
# Reveal (masked signature)
2019-06-15 18:25:37 -04:00
reveal: BLSSignature
2019-05-03 11:30:55 +02:00
# Index of the validator who revealed (whistleblower)
2019-06-15 18:25:37 -04:00
masker_index: ValidatorIndex
2019-05-03 11:30:55 +02:00
# Mask used to hide the actual reveal signature (prevent reveal from being stolen)
2019-06-22 16:56:16 +02:00
mask: Hash
2019-03-28 22:54:39 +00:00
```
### Phase 0 container updates
Add the following fields to the end of the specified container objects. Fields with underlying type `uint64` are initialized to `0` and list fields are initialized to `[]` .
#### `Validator`
```python
2019-06-05 15:29:26 +02:00
class Validator(Container):
2019-08-11 10:05:17 -07:00
# next_custody_secret_to_reveal is initialised to the custody period
2019-05-03 11:30:55 +02:00
# (of the particular validator) in which the validator is activated
2019-08-11 10:05:17 -07:00
# = get_custody_period_for_validator(...)
next_custody_secret_to_reveal: uint64
max_reveal_lateness: Epoch
2019-03-28 22:54:39 +00:00
```
#### `BeaconState`
```python
2019-06-05 15:29:26 +02:00
class BeaconState(Container):
2019-06-19 02:14:13 +02:00
custody_chunk_challenge_records: List[CustodyChunkChallengeRecord, PLACEHOLDER]
custody_bit_challenge_records: List[CustodyBitChallengeRecord, PLACEHOLDER]
2019-06-05 15:29:26 +02:00
custody_challenge_index: uint64
2019-05-03 11:30:55 +02:00
# Future derived secrets already exposed; contains the indices of the exposed validator
# at RANDAO reveal period % EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS
2019-06-19 02:14:13 +02:00
exposed_derived_secrets: Vector[List[ValidatorIndex, PLACEHOLDER],
EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS]
2019-03-28 22:54:39 +00:00
```
#### `BeaconBlockBody`
```python
2019-06-05 15:29:26 +02:00
class BeaconBlockBody(Container):
2019-06-19 02:14:13 +02:00
custody_chunk_challenges: List[CustodyChunkChallenge, PLACEHOLDER]
custody_bit_challenges: List[CustodyBitChallenge, PLACEHOLDER]
custody_responses: List[CustodyResponse, PLACEHOLDER]
custody_key_reveals: List[CustodyKeyReveal, PLACEHOLDER]
early_derived_secret_reveals: List[EarlyDerivedSecretReveal, PLACEHOLDER]
2019-03-28 22:54:39 +00:00
```
## Helpers
2019-05-21 12:41:24 +02:00
### `ceillog2`
```python
2019-06-30 13:00:22 -05:00
def ceillog2(x: uint64) -> int:
2019-08-11 10:05:17 -07:00
return (x - 1).bit_length()
```
### `is_valid_merkle_branch_with_mixin`
```python
def is_valid_merkle_branch_with_mixin(leaf: Hash,
branch: Sequence[Hash],
depth: uint64,
index: uint64,
root: Hash,
mixin: uint64) -> bool:
value = leaf
for i in range(depth):
if index // (2**i) % 2:
value = hash(branch[i] + value)
else:
value = hash(value + branch[i])
value = hash(value + mixin.to_bytes(32, "little"))
return value == root
2019-05-21 12:41:24 +02:00
```
2019-03-28 22:54:39 +00:00
### `get_crosslink_chunk_count`
```python
2019-05-20 09:29:09 +01:00
def get_custody_chunk_count(crosslink: Crosslink) -> int:
crosslink_length = min(MAX_EPOCHS_PER_CROSSLINK, crosslink.end_epoch - crosslink.start_epoch)
2019-08-11 10:05:17 -07:00
return crosslink_length * CHUNKS_PER_EPOCH
2019-03-28 22:54:39 +00:00
```
2019-08-11 10:05:17 -07:00
### `legendre_bit`
Returns the Legendre symbol `(a/q)` normalizes as a bit (i.e. `((a/q) + 1) // 2` ). In a production implementation, a well-optimized library (e.g. GMP) should be used for this.
2019-06-27 12:41:22 +01:00
```python
2019-08-11 10:05:17 -07:00
def legendre_bit(a: int, q: int) -> int:
if a >= q:
return legendre_bit(a % q, q)
if a == 0:
return 0
assert(q > a > 0 and q % 2 == 1)
t = 1
n = q
while a != 0:
while a % 2 == 0:
a //= 2
r = n % 8
if r == 3 or r == 5:
t = -t
a, n = n, a
if a % 4 == n % 4 == 3:
t = -t
a %= n
if n == 1:
return (t + 1) // 2
else:
return 0
```
### ```custody_subchunkify```
Given one proof of custody chunk, returns the proof of custody subchunks of the correct sizes.
```python
def custody_subchunkify(bytez: bytes) -> list:
bytez += b'\x00' * (-len(bytez) % BYTES_PER_CUSTODY_SUBCHUNK)
return [bytez[i:i + BYTES_PER_CUSTODY_SUBCHUNK]
for i in range(0, len(bytez), BYTES_PER_CUSTODY_SUBCHUNK)]
2019-06-27 12:41:22 +01:00
```
2019-03-28 22:54:39 +00:00
### `get_custody_chunk_bit`
```python
2019-06-15 18:25:37 -04:00
def get_custody_chunk_bit(key: BLSSignature, chunk: bytes) -> bool:
2019-08-11 10:05:17 -07:00
full_G2_element = bls_signature_to_G2(key)
s = full_G2_element[0].coeffs
bits = [legendre_bit((i + 1) * s[i % 2] + int.from_bytes(subchunk, "little"), BLS12_381_Q)
for i, subchunk in enumerate(custody_subchunkify(chunk))]
return bool(sum(bits) % 2)
2019-03-28 22:54:39 +00:00
```
2019-05-03 17:20:54 +08:00
### `get_chunk_bits_root`
```python
2019-08-11 10:05:17 -07:00
def get_chunk_bits_root(chunk_bits: Bitlist[MAX_CUSTODY_CHUNKS]) -> bit:
aggregated_bits = 0
for i, b in enumerate(chunk_bits):
aggregated_bits += 2**i * b
return legendre_bit(aggregated_bits, BLS12_381_Q)
2019-05-03 17:20:54 +08:00
```
2019-05-03 11:30:55 +02:00
### `get_randao_epoch_for_custody_period`
2019-03-28 22:54:39 +00:00
```python
2019-06-30 13:00:22 -05:00
def get_randao_epoch_for_custody_period(period: uint64, validator_index: ValidatorIndex) -> Epoch:
2019-05-03 11:30:55 +02:00
next_period_start = (period + 1) * EPOCHS_PER_CUSTODY_PERIOD - validator_index % EPOCHS_PER_CUSTODY_PERIOD
2019-06-12 20:08:19 -04:00
return Epoch(next_period_start + CUSTODY_PERIOD_TO_RANDAO_PADDING)
2019-05-03 11:30:55 +02:00
```
2019-08-11 10:05:17 -07:00
### `get_custody_period_for_validator`
2019-05-03 11:30:55 +02:00
2019-05-07 12:13:22 +01:00
```python
2019-08-11 10:05:17 -07:00
def get_custody_period_for_validator(state: BeaconState, validator_index: ValidatorIndex, epoch: Epoch=None) -> int:
2019-05-03 11:30:55 +02:00
'''
2019-06-28 10:19:59 -05:00
Return the reveal period for a given validator.
2019-05-03 11:30:55 +02:00
'''
epoch = get_current_epoch(state) if epoch is None else epoch
return (epoch + validator_index % EPOCHS_PER_CUSTODY_PERIOD) // EPOCHS_PER_CUSTODY_PERIOD
2019-03-28 22:54:39 +00:00
```
2019-03-31 21:20:43 -05:00
### `replace_empty_or_append`
```python
2019-06-25 02:56:49 +02:00
def replace_empty_or_append(list: MutableSequence[Any], new_element: Any) -> int:
2019-03-31 21:20:43 -05:00
for i in range(len(list)):
2019-07-25 17:32:27 +08:00
if is_zero(list[i]):
2019-03-31 21:20:43 -05:00
list[i] = new_element
return i
list.append(new_element)
return len(list) - 1
```
2019-03-28 22:54:39 +00:00
## Per-block processing
2019-03-31 22:54:46 +08:00
### Operations
2019-03-28 22:54:39 +00:00
2019-05-06 10:30:32 -05:00
Add the following operations to the per-block processing, in the order given below and after all other operations in Phase 0.
2019-03-28 22:54:39 +00:00
2019-05-03 11:30:55 +02:00
#### Custody key reveals
2019-03-28 22:54:39 +00:00
Verify that `len(block.body.custody_key_reveals) <= MAX_CUSTODY_KEY_REVEALS` .
For each `reveal` in `block.body.custody_key_reveals` , run the following function:
```python
2019-06-28 10:19:59 -05:00
def process_custody_key_reveal(state: BeaconState, reveal: CustodyKeyReveal) -> None:
2019-05-03 11:30:55 +02:00
"""
Process ``CustodyKeyReveal` ` operation.
Note that this function mutates ``state` `.
"""
2019-06-09 20:41:21 +01:00
revealer = state.validators[reveal.revealer_index]
2019-08-11 10:05:17 -07:00
epoch_to_sign = get_randao_epoch_for_custody_period(revealer.next_custody_secret_to_reveal, reveal.revealer_index)
2019-05-03 11:30:55 +02:00
2019-08-11 10:05:17 -07:00
assert revealer.next_custody_secret_to_reveal < get_custody_period_for_validator ( state , reveal . revealer_index )
2019-05-03 11:30:55 +02:00
# Revealed validator is active or exited, but not withdrawn
assert is_slashable_validator(revealer, get_current_epoch(state))
# Verify signature
assert bls_verify(
pubkey=revealer.pubkey,
message_hash=hash_tree_root(epoch_to_sign),
signature=reveal.reveal,
domain=get_domain(
state=state,
domain_type=DOMAIN_RANDAO,
message_epoch=epoch_to_sign,
),
)
# Decrement max reveal lateness if response is timely
2019-08-11 10:05:17 -07:00
if epoch_to_sign + EPOCHS_PER_CUSTODY_PERIOD >= get_current_epoch(state):
if revealer.max_reveal_lateness >= MAX_REVEAL_LATENESS_DECREMENT:
revealer.max_reveal_lateness -= MAX_REVEAL_LATENESS_DECREMENT
else:
revealer.max_reveal_lateness = 0
else:
revealer.max_reveal_lateness = max(
revealer.max_reveal_lateness,
get_current_epoch(state) - epoch_to_sign - EPOCHS_PER_CUSTODY_PERIOD
)
2019-05-03 11:30:55 +02:00
# Process reveal
2019-08-11 10:05:17 -07:00
revealer.next_custody_secret_to_reveal += 1
2019-05-03 11:30:55 +02:00
# Reward Block Preposer
2019-06-30 12:42:24 -05:00
proposer_index = get_beacon_proposer_index(state)
2019-06-12 20:08:19 -04:00
increase_balance(
state,
proposer_index,
Gwei(get_base_reward(state, reveal.revealer_index) // MINOR_REWARD_QUOTIENT)
)
2019-05-03 11:30:55 +02:00
```
2019-05-24 01:34:39 +08:00
#### Early derived secret reveals
2019-05-03 11:30:55 +02:00
Verify that `len(block.body.early_derived_secret_reveals) <= MAX_EARLY_DERIVED_SECRET_REVEALS` .
For each `reveal` in `block.body.early_derived_secret_reveals` , run the following function:
```python
2019-06-28 10:19:59 -05:00
def process_early_derived_secret_reveal(state: BeaconState, reveal: EarlyDerivedSecretReveal) -> None:
2019-05-03 11:30:55 +02:00
"""
Process ``EarlyDerivedSecretReveal` ` operation.
Note that this function mutates ``state` `.
"""
2019-06-09 20:41:21 +01:00
revealed_validator = state.validators[reveal.revealed_index]
2019-05-20 09:47:44 +02:00
derived_secret_location = reveal.epoch % EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS
2019-05-03 11:30:55 +02:00
assert reveal.epoch >= get_current_epoch(state) + RANDAO_PENALTY_EPOCHS
assert reveal.epoch < get_current_epoch ( state ) + EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS
2019-06-20 23:02:22 +02:00
assert not revealed_validator.slashed
2019-05-20 09:47:44 +02:00
assert reveal.revealed_index not in state.exposed_derived_secrets[derived_secret_location]
2019-05-03 11:30:55 +02:00
# Verify signature correctness
2019-06-09 20:41:21 +01:00
masker = state.validators[reveal.masker_index]
2019-05-03 11:30:55 +02:00
pubkeys = [revealed_validator.pubkey, masker.pubkey]
message_hashes = [
hash_tree_root(reveal.epoch),
reveal.mask,
]
assert bls_verify_multiple(
pubkeys=pubkeys,
message_hashes=message_hashes,
signature=reveal.reveal,
domain=get_domain(
state=state,
domain_type=DOMAIN_RANDAO,
message_epoch=reveal.epoch,
),
)
2019-03-28 22:54:39 +00:00
2019-05-03 11:30:55 +02:00
if reveal.epoch >= get_current_epoch(state) + CUSTODY_PERIOD_TO_RANDAO_PADDING:
# Full slashing when the secret was revealed so early it may be a valid custody
# round key
slash_validator(state, reveal.revealed_index, reveal.masker_index)
2019-03-28 22:54:39 +00:00
else:
2019-05-05 12:10:39 +01:00
# Only a small penalty proportional to proposer slot reward for RANDAO reveal
2019-05-03 11:30:55 +02:00
# that does not interfere with the custody period
2019-05-05 12:10:39 +01:00
# The penalty is proportional to the max proposer reward
2019-05-03 11:30:55 +02:00
# Calculate penalty
max_proposer_slot_reward = (
2019-05-20 09:47:44 +02:00
get_base_reward(state, reveal.revealed_index)
* SLOTS_PER_EPOCH
// len(get_active_validator_indices(state, get_current_epoch(state)))
// PROPOSER_REWARD_QUOTIENT
)
2019-06-12 20:08:19 -04:00
penalty = Gwei(
2019-05-20 09:47:44 +02:00
max_proposer_slot_reward
* EARLY_DERIVED_SECRET_REVEAL_SLOT_REWARD_MULTIPLE
* (len(state.exposed_derived_secrets[derived_secret_location]) + 1)
2019-05-03 11:30:55 +02:00
)
# Apply penalty
2019-06-30 12:42:24 -05:00
proposer_index = get_beacon_proposer_index(state)
2019-05-03 11:30:55 +02:00
whistleblower_index = reveal.masker_index
2019-06-28 21:35:26 +08:00
whistleblowing_reward = Gwei(penalty // WHISTLEBLOWER_REWARD_QUOTIENT)
2019-06-12 20:08:19 -04:00
proposer_reward = Gwei(whistleblowing_reward // PROPOSER_REWARD_QUOTIENT)
2019-05-03 11:30:55 +02:00
increase_balance(state, proposer_index, proposer_reward)
increase_balance(state, whistleblower_index, whistleblowing_reward - proposer_reward)
decrease_balance(state, reveal.revealed_index, penalty)
2019-05-05 12:10:39 +01:00
# Mark this derived secret as exposed so validator cannot be punished repeatedly
2019-05-20 09:47:44 +02:00
state.exposed_derived_secrets[derived_secret_location].append(reveal.revealed_index)
2019-03-28 22:54:39 +00:00
```
#### Chunk challenges
Verify that `len(block.body.custody_chunk_challenges) <= MAX_CUSTODY_CHUNK_CHALLENGES` .
For each `challenge` in `block.body.custody_chunk_challenges` , run the following function:
```python
2019-06-28 10:19:59 -05:00
def process_chunk_challenge(state: BeaconState, challenge: CustodyChunkChallenge) -> None:
2019-03-28 22:54:39 +00:00
# Verify the attestation
2019-07-01 00:10:28 +02:00
assert is_valid_indexed_attestation(state, get_indexed_attestation(state, challenge.attestation))
2019-03-28 22:54:39 +00:00
# Verify it is not too late to challenge
2019-06-30 23:35:07 +02:00
assert (compute_epoch_of_slot(challenge.attestation.data.slot)
>= get_current_epoch(state) - MAX_CHUNK_CHALLENGE_DELAY)
2019-06-09 20:41:21 +01:00
responder = state.validators[challenge.responder_index]
2019-03-28 22:54:39 +00:00
assert responder.exit_epoch >= get_current_epoch(state) - MAX_CHUNK_CHALLENGE_DELAY
# Verify the responder participated in the attestation
2019-06-28 12:23:22 +01:00
attesters = get_attesting_indices(state, challenge.attestation.data, challenge.attestation.aggregation_bits)
2019-03-28 22:54:39 +00:00
assert challenge.responder_index in attesters
# Verify the challenge is not a duplicate
for record in state.custody_chunk_challenge_records:
assert (
2019-05-06 18:26:14 +01:00
record.data_root != challenge.attestation.data.crosslink.data_root or
2019-03-28 22:54:39 +00:00
record.chunk_index != challenge.chunk_index
)
# Verify depth
2019-05-21 12:41:24 +02:00
depth = ceillog2(get_custody_chunk_count(challenge.attestation.data.crosslink))
2019-03-28 22:54:39 +00:00
assert challenge.chunk_index < 2 * * depth
# Add new chunk challenge record
2019-03-31 21:20:43 -05:00
new_record = CustodyChunkChallengeRecord(
2019-03-28 22:54:39 +00:00
challenge_index=state.custody_challenge_index,
2019-06-30 12:42:24 -05:00
challenger_index=get_beacon_proposer_index(state),
2019-05-07 12:13:22 +01:00
responder_index=challenge.responder_index,
2019-05-03 05:07:11 -05:00
inclusion_epoch=get_current_epoch(state),
2019-05-06 18:26:14 +01:00
data_root=challenge.attestation.data.crosslink.data_root,
2019-03-28 22:54:39 +00:00
depth=depth,
chunk_index=challenge.chunk_index,
2019-03-31 21:20:43 -05:00
)
2019-04-09 05:59:00 -05:00
replace_empty_or_append(state.custody_chunk_challenge_records, new_record)
2019-03-31 21:20:43 -05:00
2019-03-28 22:54:39 +00:00
state.custody_challenge_index += 1
# Postpone responder withdrawability
responder.withdrawable_epoch = FAR_FUTURE_EPOCH
```
#### Bit challenges
Verify that `len(block.body.custody_bit_challenges) <= MAX_CUSTODY_BIT_CHALLENGES` .
For each `challenge` in `block.body.custody_bit_challenges` , run the following function:
```python
2019-06-28 10:19:59 -05:00
def process_bit_challenge(state: BeaconState, challenge: CustodyBitChallenge) -> None:
attestation = challenge.attestation
2019-08-11 10:05:17 -07:00
epoch = attestation.data.target.epoch
2019-06-28 10:19:59 -05:00
shard = attestation.data.crosslink.shard
2019-05-03 11:30:55 +02:00
2019-03-28 22:54:39 +00:00
# Verify challenge signature
2019-06-09 20:41:21 +01:00
challenger = state.validators[challenge.challenger_index]
2019-06-28 10:19:59 -05:00
domain = get_domain(state, DOMAIN_CUSTODY_BIT_CHALLENGE, get_current_epoch(state))
assert bls_verify(challenger.pubkey, signing_root(challenge), challenge.signature, domain)
# Verify challenger is slashable
2019-05-03 11:30:55 +02:00
assert is_slashable_validator(challenger, get_current_epoch(state))
2019-06-28 10:19:59 -05:00
# Verify attestation
2019-07-01 00:10:28 +02:00
assert is_valid_indexed_attestation(state, get_indexed_attestation(state, attestation))
2019-06-28 10:19:59 -05:00
# Verify attestation is eligible for challenging
2019-06-09 20:41:21 +01:00
responder = state.validators[challenge.responder_index]
2019-08-11 10:05:17 -07:00
assert get_current_epoch(state) < = get_randao_epoch_for_custody_period(
get_custody_period_for_validator(state, challenge.responder_index, epoch),
challenge.responder_index
) + 2 * EPOCHS_PER_CUSTODY_PERIOD + responder.max_reveal_lateness
2019-05-03 11:30:55 +02:00
2019-03-28 22:54:39 +00:00
# Verify the responder participated in the attestation
2019-06-28 12:23:22 +01:00
attesters = get_attesting_indices(state, attestation.data, attestation.aggregation_bits)
2019-03-28 22:54:39 +00:00
assert challenge.responder_index in attesters
2019-06-28 10:19:59 -05:00
# Verifier challenger is not already challenging
2019-03-28 22:54:39 +00:00
for record in state.custody_bit_challenge_records:
assert record.challenger_index != challenge.challenger_index
2019-06-28 10:19:59 -05:00
# Verify the responder custody key
2019-05-03 11:30:55 +02:00
epoch_to_sign = get_randao_epoch_for_custody_period(
2019-08-11 10:05:17 -07:00
get_custody_period_for_validator(state, challenge.responder_index, epoch),
2019-06-28 10:19:59 -05:00
challenge.responder_index,
2019-05-03 11:30:55 +02:00
)
2019-06-28 10:19:59 -05:00
domain = get_domain(state, DOMAIN_RANDAO, epoch_to_sign)
assert bls_verify(responder.pubkey, hash_tree_root(epoch_to_sign), challenge.responder_key, domain)
2019-03-28 22:54:39 +00:00
# Verify the chunk count
2019-06-06 11:39:22 +02:00
chunk_count = get_custody_chunk_count(attestation.data.crosslink)
2019-08-11 10:05:17 -07:00
assert chunk_count == len(challenge.chunk_bits)
# Verify custody bit is incorrect
2019-06-28 10:19:59 -05:00
committee = get_crosslink_committee(state, epoch, shard)
2019-06-28 18:17:13 +02:00
custody_bit = attestation.custody_bits[committee.index(challenge.responder_index)]
2019-08-11 10:05:17 -07:00
assert custody_bit != get_chunk_bits_root(challenge.chunk_bits)
2019-03-28 22:54:39 +00:00
# Add new bit challenge record
2019-03-31 21:20:43 -05:00
new_record = CustodyBitChallengeRecord(
2019-03-28 22:54:39 +00:00
challenge_index=state.custody_challenge_index,
challenger_index=challenge.challenger_index,
responder_index=challenge.responder_index,
2019-05-03 05:07:11 -05:00
inclusion_epoch=get_current_epoch(state),
2019-06-06 11:39:22 +02:00
data_root=attestation.data.crosslink.data_root,
2019-05-03 17:20:54 +08:00
chunk_count=chunk_count,
2019-05-20 10:50:07 +02:00
chunk_bits_merkle_root=hash_tree_root(challenge.chunk_bits),
2019-03-28 22:54:39 +00:00
responder_key=challenge.responder_key,
2019-03-31 21:20:43 -05:00
)
2019-04-09 05:59:00 -05:00
replace_empty_or_append(state.custody_bit_challenge_records, new_record)
2019-03-28 22:54:39 +00:00
state.custody_challenge_index += 1
# Postpone responder withdrawability
responder.withdrawable_epoch = FAR_FUTURE_EPOCH
```
#### Custody responses
Verify that `len(block.body.custody_responses) <= MAX_CUSTODY_RESPONSES` .
For each `response` in `block.body.custody_responses` , run the following function:
```python
2019-06-28 10:19:59 -05:00
def process_custody_response(state: BeaconState, response: CustodyResponse) -> None:
2019-05-20 09:47:44 +02:00
chunk_challenge = next((record for record in state.custody_chunk_challenge_records
if record.challenge_index == response.challenge_index), None)
2019-03-28 22:54:39 +00:00
if chunk_challenge is not None:
return process_chunk_challenge_response(state, response, chunk_challenge)
2019-05-20 09:47:44 +02:00
bit_challenge = next((record for record in state.custody_bit_challenge_records
if record.challenge_index == response.challenge_index), None)
2019-03-28 22:54:39 +00:00
if bit_challenge is not None:
return process_bit_challenge_response(state, response, bit_challenge)
assert False
```
```python
def process_chunk_challenge_response(state: BeaconState,
response: CustodyResponse,
challenge: CustodyChunkChallengeRecord) -> None:
# Verify chunk index
assert response.chunk_index == challenge.chunk_index
2019-05-03 17:20:54 +08:00
# Verify bit challenge data is null
2019-06-30 16:10:22 +01:00
assert response.chunk_bits_branch == [] and response.chunk_bits_leaf == Hash()
2019-05-03 05:07:11 -05:00
# Verify minimum delay
assert get_current_epoch(state) >= challenge.inclusion_epoch + ACTIVATION_EXIT_DELAY
2019-03-28 22:54:39 +00:00
# Verify the chunk matches the crosslink data root
2019-06-30 10:11:23 +01:00
assert is_valid_merkle_branch(
2019-03-28 22:54:39 +00:00
leaf=hash_tree_root(response.chunk),
2019-06-30 10:02:18 +01:00
branch=response.data_branch,
2019-03-28 22:54:39 +00:00
depth=challenge.depth,
index=response.chunk_index,
2019-05-06 18:26:14 +01:00
root=challenge.data_root,
2019-03-28 22:54:39 +00:00
)
# Clear the challenge
2019-03-31 21:20:43 -05:00
records = state.custody_chunk_challenge_records
records[records.index(challenge)] = CustodyChunkChallengeRecord()
2019-03-28 22:54:39 +00:00
# Reward the proposer
2019-06-30 12:42:24 -05:00
proposer_index = get_beacon_proposer_index(state)
2019-06-12 20:08:19 -04:00
increase_balance(state, proposer_index, Gwei(get_base_reward(state, proposer_index) // MINOR_REWARD_QUOTIENT))
2019-03-28 22:54:39 +00:00
```
```python
def process_bit_challenge_response(state: BeaconState,
response: CustodyResponse,
challenge: CustodyBitChallengeRecord) -> None:
# Verify chunk index
2019-05-03 17:20:54 +08:00
assert response.chunk_index < challenge.chunk_count
2019-05-03 05:07:11 -05:00
# Verify responder has not been slashed
2019-06-09 20:41:21 +01:00
responder = state.validators[challenge.responder_index]
2019-05-03 05:07:11 -05:00
assert not responder.slashed
2019-03-28 22:54:39 +00:00
# Verify the chunk matches the crosslink data root
2019-06-30 10:11:23 +01:00
assert is_valid_merkle_branch(
2019-03-28 22:54:39 +00:00
leaf=hash_tree_root(response.chunk),
2019-06-30 10:02:18 +01:00
branch=response.data_branch,
2019-05-21 12:41:24 +02:00
depth=ceillog2(challenge.chunk_count),
2019-03-28 22:54:39 +00:00
index=response.chunk_index,
2019-05-06 18:26:14 +01:00
root=challenge.data_root,
2019-03-28 22:54:39 +00:00
)
2019-05-03 17:20:54 +08:00
# Verify the chunk bit leaf matches the challenge data
2019-08-11 10:05:17 -07:00
assert is_valid_merkle_branch_with_mixin(
leaf=hash_tree_root(response.chunk_bits_leaf),
2019-06-30 10:02:18 +01:00
branch=response.chunk_bits_branch,
2019-08-11 10:05:17 -07:00
depth=ceillog2(MAX_CUSTODY_CHUNKS // 256),
2019-05-03 17:20:54 +08:00
index=response.chunk_index // 256,
2019-08-11 10:05:17 -07:00
root=challenge.chunk_bits_merkle_root,
mixin=challenge.chunk_count,
2019-05-03 17:20:54 +08:00
)
2019-03-28 22:54:39 +00:00
# Verify the chunk bit does not match the challenge chunk bit
2019-05-20 09:47:44 +02:00
assert (get_custody_chunk_bit(challenge.responder_key, response.chunk)
2019-08-11 10:05:17 -07:00
!= response.chunk_bits_leaf[response.chunk_index % 256])
2019-03-28 22:54:39 +00:00
# Clear the challenge
2019-03-31 21:20:43 -05:00
records = state.custody_bit_challenge_records
records[records.index(challenge)] = CustodyBitChallengeRecord()
2019-03-28 22:54:39 +00:00
# Slash challenger
slash_validator(state, challenge.challenger_index, challenge.responder_index)
```
## Per-epoch processing
2019-05-03 11:30:55 +02:00
### Handling of custody-related deadlines
2019-05-08 23:30:08 +01:00
Run `process_reveal_deadlines(state)` immediately after `process_registry_updates(state)` :
2019-05-03 11:30:55 +02:00
2019-05-07 12:13:22 +01:00
```python
2019-05-24 16:51:21 +02:00
# begin insert @process_reveal_deadlines
process_reveal_deadlines(state)
# end insert @process_reveal_deadlines
2019-05-03 11:30:55 +02:00
def process_reveal_deadlines(state: BeaconState) -> None:
2019-06-09 20:41:21 +01:00
for index, validator in enumerate(state.validators):
2019-08-11 10:05:17 -07:00
deadline = validator.next_custody_secret_to_reveal + (CUSTODY_RESPONSE_DEADLINE // EPOCHS_PER_CUSTODY_PERIOD)
if get_custody_period_for_validator(state, ValidatorIndex(index)) > deadline:
2019-06-12 20:08:19 -04:00
slash_validator(state, ValidatorIndex(index))
2019-05-03 11:30:55 +02:00
```
Run `process_challenge_deadlines(state)` immediately after `process_reveal_deadlines(state)` :
2019-03-28 22:54:39 +00:00
```python
2019-05-24 16:51:21 +02:00
# begin insert @process_challenge_deadlines
process_challenge_deadlines(state)
# end insert @process_challenge_deadlines
2019-03-28 22:54:39 +00:00
def process_challenge_deadlines(state: BeaconState) -> None:
2019-06-12 20:08:19 -04:00
for custody_chunk_challenge in state.custody_chunk_challenge_records:
if get_current_epoch(state) > custody_chunk_challenge.inclusion_epoch + CUSTODY_RESPONSE_DEADLINE:
slash_validator(state, custody_chunk_challenge.responder_index, custody_chunk_challenge.challenger_index)
records = state.custody_chunk_challenge
records[records.index(custody_chunk_challenge)] = CustodyChunkChallengeRecord()
for custody_bit_challenge in state.custody_bit_challenge_records:
if get_current_epoch(state) > custody_bit_challenge.inclusion_epoch + CUSTODY_RESPONSE_DEADLINE:
slash_validator(state, custody_bit_challenge.responder_index, custody_bit_challenge.challenger_index)
2019-03-31 21:20:43 -05:00
records = state.custody_bit_challenge_records
2019-06-12 20:08:19 -04:00
records[records.index(custody_bit_challenge)] = CustodyBitChallengeRecord()
2019-03-28 22:54:39 +00:00
```
2019-05-03 11:30:55 +02:00
Append this to `process_final_updates(state)` :
```python
2019-05-24 16:51:21 +02:00
# begin insert @after_process_final_updates
after_process_final_updates(state)
# end insert @after_process_final_updates
2019-05-07 12:13:22 +01:00
def after_process_final_updates(state: BeaconState) -> None:
2019-05-08 23:30:08 +01:00
current_epoch = get_current_epoch(state)
2019-05-03 11:30:55 +02:00
# Clean up exposed RANDAO key reveals
state.exposed_derived_secrets[current_epoch % EARLY_DERIVED_SECRET_PENALTY_MAX_FUTURE_EPOCHS] = []
2019-05-03 05:07:11 -05:00
# Reset withdrawable epochs if challenge records are empty
2019-05-24 16:51:21 +02:00
records = state.custody_chunk_challenge_records + state.custody_bit_challenge_records
2019-05-09 14:57:36 +08:00
validator_indices_in_records = set(
[record.challenger_index for record in records] + [record.responder_index for record in records]
)
2019-06-09 20:41:21 +01:00
for index, validator in enumerate(state.validators):
2019-05-09 14:57:36 +08:00
if index not in validator_indices_in_records:
2019-05-17 13:52:23 -04:00
if validator.exit_epoch != FAR_FUTURE_EPOCH and validator.withdrawable_epoch == FAR_FUTURE_EPOCH:
2019-06-12 20:08:19 -04:00
validator.withdrawable_epoch = Epoch(validator.exit_epoch + MIN_VALIDATOR_WITHDRAWABILITY_DELAY)
2019-05-03 11:30:55 +02:00
```