-
-
Published
Linked with GitHub
# Ethereum Sharding Implementers Call 0 Notes
### Meeting Date/Time: Thu, Aug 2, 2018 14:00 UTC
### Meeting Duration: ~1 hour
### [GitHub Agenda Page](https://github.com/ethereum/beacon_chain/issues/44)
### [Audio/Video of the meeting](https://www.youtube.com/watch?v=Ynqrka5DQOI&feature=youtu.be)
# Agenda
1. General Introduction of Sharding Meeting
2. Client Updates
3. Research Updates
4. Open Discussion
* [v2.1 spec](https://notes.ethereum.org/SCIg8AH5SA-O4C1G1LYZHQ#)
* [Conforming to p2p messages, prysmatic protocol buffers](https://github.com/ethereum/beacon_chain/issues/44#issuecomment-405298161), and other p2p related discussion
* [BLS signature standard libraries](https://github.com/ethereum/beacon_chain/issues/44#issuecomment-405415540)
* https://github.com/milagro-crypto/amcl/tree/master/version3
* Current state of cross shard communication research
* Actionable items for clients and research
* Format/Timing of future meetings
# Client Updates
* Lighthouse (Paul)
* Waiting for v2.1 spec to finalize
* Have first version of beacon chain implemented
* Working on minimal p2p
* Looking at BLS implementations
* Python beacon_chain (Danny)
* Almost done with v2.1
* Nimbus (Mamy)
* Working on v2.1 from spec
* Exploring BLS options
* Wrapper in NIM for [Milagro Crypto](https://github.com/milagro-crypto/milagro-crypto-c)
* Considering building from scratch
* Prysm (Raul)
* Migrated away from geth -- independent eth2.0
* Local network p2p via gossipsub
* Full beacon node running (v2.1)
* State transition functions
* Shuffling, cutoffs
* Induct incoming validators from pow receipts
* Working on forkchoice and chain sync
* Sharding client (separate process communicates via RPC)
* Simulator tool for simulating incoming blocks
* Pegasys (Ben Edgington)
* Team building -- Olivier and another new hire
* Looking into BLS implementation
* RNG research
* Working on beacon chain implementation
* Harmony (Mikhail)
* Beacon chain
* Deposit contract and induct validators from receipts
* Working on block production, state transition functions, etc
* [Progress and plans](https://github.com/ethereum/ethereumj/wiki/Sharding-Implementation)
* Lodestar Chain (Mikerah)
* Javascript beacon chain implementation
* Looking into BLS options
* Trying to use Milegro crypto primatives to build BLS curve
* Looking into compiling from rust to web assembly
* Beginning to implement v2.1 state transition functions
* Project started at internal hackathon. Steady progress
# Research Updates
* Vitalik
* Recursive Proximity to Justification (RPJ) forkchoice
* [minimal partial spec on ethresearch](https://ethresear.ch/t/beacon-chain-casper-ffg-rpj-mini-spec/2760)
* focuses just on ffg+rpj
* Goal to be analyzed and formally proven
* RPJ design goals
* Maintain safety and liveness of FFG
* Simplicity
* Stability
* Forkchoice is a good prediction of future forkchoice
* hybrid rules are bad at this
* RPJ is good
* Maximize resistance to manipulation of RNG
* resistant up to 80-90% of chain being overtaken by attackers as long as majority of attesters are honest
* 99% fault tolerant article coming soon
* Mamy
* [Collection of research and materials](https://github.com/status-im/athenaeum/blob/master/ethereum_research_records.json) related to sharding
* Please create pull request if anything missing
* Justin
* Randomness Beacon
* how to construct once we have VDF
* Which VDF to use
* Favorite -- [Construction by Benjamin Wesolowski](https://eprint.iacr.org/2018/623)
* True VDF -- exponential gap between compute/verify
* Based on RSA Groups so need to think about setup (how to pick RSA modulus)
* Can use small random numbers as moduli for parallel sub-VDFs
* If at least one modulus cannot be factored, then who construction is safe
* VDF cryptographers meeting in SF to discuss
* Hardware manufacturing
* Build VDF ASIC commodity
* Needs to be close to no-expense-spared attacker ASIC
* Access to these commodity ASICs will counter no-expense-spared attacker
* Full RNG spec likely in 1.5 to 2 months
* WASM execution engine and cross-shard txs (Casey)
* Black box sharding phase 1 in an effort to prototype phase 2 (execution and cross-shard execution)
* black box the ordered data-blobs and links between them
* phase 2 prototype will just process ordered datablobs from json
* Advantages prototyping phase 2 in JS
* libp2p library
* access to native jit engine
* Delayed state execution model
# BeaconChain v2.1
* Vitalik
* Parts of this spec are provisional. Expect to change broadly if RPJ is included
* Dynasty transition
* just have one validator set for now
* Epoch transition
* RNG
* Things worth working on
* BLS aggregate signatures
* General structure
* ActiveState
* CrystallizedState
* bitfield tracking aggregate signatures
* Stub what shard to work on
* each height can just correspond to one particular shard
* If you get to the above and block box the suggested, then try working on p2p
* Rest of protocol details will be filled in likely over next 2 months
* What is v2.1
* Danny: combining block attestations and shard crosslinks also serving as FFG votes
* Vitalik: three things
* ffg voting
* small scale block attestation
* shard crosslinks
* Vitalik
* If num_validators is too small to have one distinct committee at every height, will probably have committees overlap.
# P2P
* p2p message format
* Preston
* Prysmatic currently using [protobufs](https://developers.google.com/protocol-buffers/)
* protobufs have unordered fields which can be a problem with hashing
* Exploring alternatives such as FlatBuffers
* Proposal: Agree early on a schema with wide adoption
* Hsaio-Wei: Is it deterministic serialization?
* Jacek
* Protobuf spec doesn't define the order
* Little extra features that make protobuf difficult to use in a hashing setting
* Stripped down version could work
* Mamy: FlatBuffer and CaptainProto are options
* Hsaio-Wei
* Prysm is using protobufs for messages but which serialization are you using for encoding the data for database?
* If we use different serialization for data and p2p, we might have to do two serializations when syncing
* Raul
* Prysm uses proto for serialization in DB
* protos for all process communication
* Vitalik
* Why crystallizedstate need any special serialization when you can just pack values together
* Raul: because state is communicated between processes
* Signature aggregation wrt network
* Mikhail
* What does this look like? How many messages required to attest?
* Vitalik
* Not much yet
* validators publishing messages that need to be aggregated every ~8 seconds could be a bottleneck and warrant a separate p2p
* If naive is too hard, we can consider hierarchical scheme
* Selected nodes are in charge of aggregation for subset of network
* Justin
* Could use random path strategy
* tag on own signature as attestation is passed around
* Vitalik
* That takes O(N) time
* Need something that takes 2-3 rounds of network communication
* Raul
* Currently setting up pieces of system to be able to test aggregation
* RLP
* Mikhail: what's wrong with RLP
* Hsaio-Wei: Too complicated
* Preston: RLP not very fast
* Jacek
* RLP missing a schema
* Would like a schema
* Further discussion on message format at [ethresearch](https://ethresear.ch/t/discussion-p2p-message-serialization-standard/2781)
* P2P layer (Gossipsub?)
* Paul: Is Prysm using gossipsub?
* Raul: Yes
* Danny: Is the beaconchain and shard chains p2p going to be the same?
* Vitalik: Beacon chain should be on some layer everyone downloads by default
* Raul: Beacon nodes on topic "shard -1" and have network for separate shards
* Kevin
* Beacon chain messages in a global topic
* So everyone in same network but segregated
* Justin
* How many topics per shard?
* could be -- one for headers, one for unsigned blocks and unaggregated signatures, one for fully signed and aggregated blocks
* Mikhail: Does number of channels affect network amplification rate?
* Kevin
* You only broadcast to peers that have subscribed
* If receive message not subscribed to, can band peer
* Mikhail
* More concerned about discovery being impacted by number of channels
* Kevin: worth testing
* Justin
* One strategy is to have common discovery layer for all channels and have gossip on top.
* Kevin
* We currently have a global channel for discovery
* Exploring other discovery protocols
* Danny: gitter channel for testing and discussing [here](https://gitter.im/ethresearch/sharding-p2p-poc)
* Mamy: It's not worth implementing libp2p from scratch because we haven't made a firm decision, right?
* Danny: Yes, we don't have enough testing to say we are going to use it for sure at this point.
# BLS Signatures
* Danny: So it seems that there aren't a ton of standard BLS implementations across the various languages
* Vitalik
* There are standards for BN128 because we put it as [precompile](https://eips.ethereum.org/EIPS/eip-196) in [Byzantium](https://eips.ethereum.org/EIPS/eip-197)
* Not sure how substantial it is to migrate these libraries to BLS12-381
* Danny: What's the benefit of changing the curve?
* Vitalik
* [Higher security margin](https://blog.z.cash/new-snark-curve/) (~100 bits --> 128 bits)
* ZCash and other projects are standardizing so worth going with the flow.
* Justin: Chia too
* Jacek: Chances of community finding another curve?
* Vitalik
* Unlikely due to standardization effort going in
* Unlikely something broken in bls12-381
* One property a new curve could have that would be better:
* if new curve pointed to a pair of curves where one is the modulus of the other, and the other is the curve order of the first. This would be really nice for zkSNARKS
* Danny: What needs to be done to standarize these libraries?
* Vitalik
* I need all the params and a couple hours of hand-holding with a knowledgable cryptographer
* Jacek: Outlook for fully audited reference implementation for this curve?
* Justin
* Rust implementation being spearheaded by ZCash
* Has been audited by security company
* Abstract spec has also been audited another security company
* Rust impl has been worked on for many years
* Paul: Does it have aggregates?
* Justin
* It's for base layer operations
* Aggregation is trivial on top
* Paul
* We hacked together an implementation but probably "as safe as broken glass"
* Vitalik
* Preference for dealing with "rogue key attacks" is [proof of possession](https://rist.tech.cornell.edu/papers/pkreg.pdf) at deposit time.
* Not currently implemented but fairly trivial
* Paul: on PoW chain or separate?
* Vitalik
* Do on beacon chain
* Probably should do as little as possible on PoW chain to facilitate migrating deposits to shard chains
* Paul: Should probably put a note about rogue key attack in reference implementation
* Danny
* It's in the v2.1 spec but still in PoW chain.
* Likely just going to do the burn in the PoW contract and do all the validation of validator init data in beacon chain
* Justin
* As much as possible in beacon chain
* Question remains: how to do the bootstrapping process to onboard initial validators
* Research post coming soon
* Rust BLS implementation is performant but not constant time crypto so possibly vulnerable to timing attacks
* Vitalik
* Pairings do not need anti-side-channel protection because just verification
* Elliptic curve multiplications need it
* There are decades of research on this so no fundamental obstacle here
# Cross-shard communication research
* Mikerah
* v2.1 doesn't really go into cross-shard comms. Does research team have any more formal ideas, writings, etc
* Vitalik
* v2.1 spec doesn't cover state execution at all
* There are various posts on [cross-shard txs](https://github.com/ethereum/wiki/wiki/Sharding-FAQs#how-can-we-facilitate-cross-shard-communication) and [yanking](https://ethresear.ch/t/cross-shard-contract-yanking/1450). That's the extent at this point
* Casey
* In terms of the phase 2 proto type, are phase 1 and 2 sufficiently decoupled for this to work?
* Vitalik
* If they are to be entirely decoupled, execution and data consensus would have to be separate.
* Blocks would not contain state roots
* Casey
* That's delayed state execution?
* Vitalik
* Yes, if we make an agreement that we are doing delayed state execution, then the two are fully decoupled.
* If use eth1.0 model, they are coupled
* Justin
* Considering not shuffling shard proposers often so they don't have to incur the cost of syncing state
* Casey
* In stateless execution, don't have that problem
* In general, execution and cross-shard comm are relatively understudied.
* Hoping to spike more interest in this problem
* Even names phase 1 and phase 2 give impression of not being able to work on phase 2 before phase 1 is built.
* Would like to see more work on phase 2 in parallel
# Last remarks
* Sharding workshop
* Ben Edgington: Any interest in workshop/get-together around devcon?
* Justin: Makes sense to do an event immediately before or after
* Jacek
* Status hosting hack-a-thon before in Prague. Might be able to use venue. Will check with team
* `get_shuffling`
* Paul: Looks like it might have an infinite loop
* Vitalik
* It is the case that there is no upper bound
* But sharp probablistic bounds
* Danny: I remember there being a loop too, will check it out
* Shared repo for testing and contracts
* Raul: Makes sense to open a shared repo for testing and contracts
* Danny: I agree esp on testing. Are we ready for shared testing?
* Raul: No, not yet.
* Danny: Let's get something together in the next couple of weeks.
* [Justin VDF presentation on gitcoin](https://twitter.com/drakefjustin/status/1025040874386939904)
* VDF presentation
* Sharding AMA
# Links shared during meeting
* [Status sharding research records](https://github.com/status-im/athenaeum/blob/master/ethereum_research_records.json)
* [Prysmatic message proto](https://github.com/prysmaticlabs/prysm/blob/master/proto/sharding/p2p/v1/messages.proto)
* [Prysmatic serialization github issue](https://github.com/prysmaticlabs/prysm/issues/150)
* [Cap'n Proto](https://capnproto.org/)
* [Flat Buffers](ttps://google.github.io/flatbuffers/)
* [how protobuf is non-deterministic](https://developers.google.com/protocol-buffers/docs/encoding#order)
* [protobuf notes gist](https://gist.github.com/kchristidis/39c8b310fd9da43d515c4394c3cd9510)
* [Harmony sharding implementation progress](https://github.com/ethereum/ethereumj/wiki/Sharding-Implementation)
* [JS Lodestar Chain](https://github.com/ChainSafeSystems/lodestar_chain)
* [Serialization comparison table](https://notes.ethereum.org/15_FcGc0Rq-GuxaBV5SP2Q)
* [Serialization ethresearch post](https://ethresear.ch/t/discussion-p2p-message-serialization-standard/2781)
* [Milagro crypto](https://github.com/milagro-crypto/milagro-crypto-c)
* [VDF Construction by Benjamin Wesolowski](https://eprint.iacr.org/2018/623)
* [Justin VDF presentation on gitcoin](https://twitter.com/drakefjustin/status/1025040874386939904)
* [VDF Reading list](https://t.co/hDVSNImQ40)
# Attendees
* Justin Drake (EF/Research)
* Danny Ryan (EF/Research)
* Raul Jordan (Prysmatic)
* Nikolay Volf (Parity)
* Mikhail Kalinin (Harmony)
* Dmitry (Harmony)
* Ben Edgington (Pegasys)
* Olivier (Pegasys)
* Preston Van Loon (Prysmatic)
* Jannik Luhn (Brainbot/Research)
* Hsiao-Wei Wang (EF/Research)
* Mamy Ratsimbazafy (Status)
* Ryan (Status)
* Jarrad Hope (Status)
* Jacek Sieka (Status)
* Chris Spannos (EF scaling grant recipient)
* Paul Hauner (Lighthouse/Sigma Prime)
* Adrian Manning (Lighthouse/Sigma Prime)
* Carl Beekhuizen (Decentralized staking pools)
* Chih Cheng Liang (EF/Research)
* Lang Rettig (EF/eWASM)
* Kevin Chia (EF/Research)
* Nicholas Lin (EF/Research)
* Vitalik Buterin (EF/Research)
* Mikerah (Lodestar/ChainSafeSystems)
* Casey Detrio (EF/ethereumJS)
* Alex Beregszaszi (EF/Ewasm)