[draft] MIP-103: Baker Confirmations (ZK-FFS) #103
Conversation
l-monninger
changed the title
l-monninger
changed the title
l-monninger
changed the title
|
|
||
| Baker Coin is a class of unidirectional commitment protocols satisfying the [postconfirmations]() scheme proposed in [MIP-37](https://github.com/movementlabsxyz/MIP/pull/37). It has the following additional constraints: | ||
|
|
||
| 1. **Unidirectional**: A Baker Coin protocol MUST intend ONLY to post a commitment the state of a given Ledger B onto Ledger A, not vice versa. |
There was a problem hiding this comment.
| 1. **Unidirectional**: A Baker Coin protocol MUST intend ONLY to post a commitment the state of a given Ledger B onto Ledger A, not vice versa. | |
| 1. **Unidirectional**: A Baker Coin protocol MUST intend ONLY to post a commitment to the state of a given Ledger B onto Ledger A, not vice versa. |
MIP/mip-103/README.md
Outdated
| - **Observing Attesters** perform the role of observing stake events on Ledger A and relaying them to the Baker Network. They thus *broadcast* the following messages. | ||
| - $TRUSTED\\_STAKE(amount, participant, epoch, signature) \rightarrow \text{Baker Coin Validators}$ which indicates a valid stake event on Ledger A as initiated by a Baker Coin Attester via a $STAKE$ message. | ||
| - **Ledger A Participants** perform the basic operations of a participant on Ledger A, as defined by Protocol A which MUST include the emission $STAKE\\_RECEIVED$ events. They thus *broadcast* the following messages: | ||
| - $STAKE\\_RECEIVED(amount, participant, epoch, signature) \rightarrow \text{Observing Attesters}$ which indicates a valid stake event on Ledger A as initiated by a Baker Coin Attester via a $STAKE$ message. |
There was a problem hiding this comment.
Rename to STAKE_INTENT as we should cover also unstake through this. amount could be negative, thus it can handle stake and unstake type intents
There was a problem hiding this comment.
Yeah, good call.
MIP/mip-103/README.md
Outdated
|
|
||
| We render the following assumptions about knowledge after receiving a given message in the Baker Coin protocol: | ||
|
|
||
| 1. Once an **Observing Attester** has received sufficient and accordingly verified $STAKE\\_RECEIVED$ messages from Ledger A Participants, the effects of the corresponding $STAKE$ messages on Ledger A SHALL remain fixed for the remainder of the epoch. |
There was a problem hiding this comment.
Wdym? Would it not make sense to apply the effects of stake at the start of a new epoch.
There was a problem hiding this comment.
Also why "sufficient"? "Verified" or "sufficiently verified" seems enough
There was a problem hiding this comment.
So, "sufficient" here refers to checking multiple peers or otherwise that protocol finality is indeed reached.
There was a problem hiding this comment.
ok its not very clear. i suggest to rewrite a bit, with mention of threshold many verified responses
MIP/mip-103/README.md
Outdated
| We render the following assumptions about knowledge after receiving a given message in the Baker Coin protocol: | ||
|
|
||
| 1. Once an **Observing Attester** has received sufficient and accordingly verified $STAKE\\_RECEIVED$ messages from Ledger A Participants, the effects of the corresponding $STAKE$ messages on Ledger A SHALL remain fixed for the remainder of the epoch. | ||
| 2. Once a **Baker Coin Validator** has received sufficient and accordingly verified $TRUSTED\\_STAKE$ messages from **Observing Attesters**, it SHALL correctly update its internal representation of stake weights for the remainder of the epoch. |
There was a problem hiding this comment.
There should be sufficient delay in making stake effectice for the voting. The easiest would be to demand that stake becomes effective at the end of the next present_epoch (not this present_epoch). Epoch length could be for example 1 hour. Note that i say 1 hour in the current setting since it should be larger than the finality of A, which for Eth is O(15min)
There was a problem hiding this comment.
Yeah, so you should always stake and unstake into the
There was a problem hiding this comment.
this should be mentioned as well in the file.
|
|
||
| ### Baker Coin | ||
|
|
||
| Baker Coin is a class of unidirectional commitment protocols satisfying the [postconfirmations]() scheme proposed in [MIP-37](https://github.com/movementlabsxyz/MIP/pull/37). It has the following additional constraints: |
There was a problem hiding this comment.
why coin? this information is missing and the reasoning not provided.
There was a problem hiding this comment.
Because at the heart of the protocol is a presumed COIN. The effects/hooks are no more abstract than coin slashing and rewarding.
There was a problem hiding this comment.
ok. can we add a note on this. it would help with reading
MIP/mip-103/README.md
Outdated
| - $STAKE(amount, epoch, signature) \rightarrow \text{Ledger A Participants}$ which attempts to stake an amount of Coin A on Ledger A for a given epoch. | ||
| - **Baker Coin Validators** perform the basic operations of a **Validator** but also receive $TRUSTED\\_STAKE$ messages from **Observing Attesters**. They thus *broadcast* the following messages. | ||
| - $COMMITMENT\\_PROOF(commitment, height, Attesters, proof, signature) \rightarrow \text{Ledger A Participants}$ which attempts to post a commitment to a given Ledger B state at a given Ledger B height on Ledger A. | ||
| - **Observing Attesters** perform the role of observing stake events on Ledger A and relaying them to the Baker Network. They thus *broadcast* the following messages. |
There was a problem hiding this comment.
Observing attesters is rather confusing. as lateron we refer to "attester" without Baker. For clarity Obsering Attester --> Observer or A-Observer or similar
There was a problem hiding this comment.
It has the role of Observing and attesting to Ledger A events. We could also go for Light Observer or something .
|
|
||
| ## Specification | ||
|
|
||
|  |
There was a problem hiding this comment.
Figure is missing the A-Observer
There was a problem hiding this comment.
also if the participants are active on or with Ledger A this should be indicated by having the boxes within (or touching) the Ledger A box on the right.
There was a problem hiding this comment.
Yeah, the figure doesn't show the Baker Coin protocol; it's showing high-level Baker Confirmations which are just a gossip of attestations and a race to submit a proof of consensus.
There was a problem hiding this comment.
can we have both a BakerCoin protol figure and Baker Confirmations? Otherwise this is confusing.
MIP/mip-103/README.md
Outdated
|
|
||
| ##### Human Language Description of Procedure | ||
|
|
||
| $RECEIVE\\_TRUSTED\\_STAKE$ takes a stake amount, participant, and epoch from an A-Observer. It verifies the stake amount and epoch and stores it in a table indexed by participant and epoch, but MUST only modify stake weights for the next epoch. If this constraint is not applied, then the epoch staking constraint is violated. |
There was a problem hiding this comment.
when you say participant do you mean A-participant or some other kind of participant? i think participant is too generic and thus confusing. I suggest to use some more descriptive. I updated Leder A participant to A-participant
There was a problem hiding this comment.
Yeah, the participant is an Attester. I will update for clarity.
| Baker Coin is a class of unidirectional commitment protocols satisfying the [postconfirmations]() scheme proposed in [MIP-37](https://github.com/movementlabsxyz/MIP/pull/37). It has the following additional constraints: | ||
|
|
||
| 1. **Unidirectional**: A Baker Coin protocol MUST intend ONLY to post a commitment the state of a given Ledger B onto Ledger A, not vice versa. | ||
| 2. **Staked**: A Baker Coin protocol MUST rely on weighted votes, known as stake, to determine whether consensus has been reached amongst a set of participants. These stake weights must be represented over the field of integers from 0 to 2^256 - 1, $\mathbb{F}_{2^{256}}$. |
There was a problem hiding this comment.
Here and in the figure you refer to participants as actors in the Baker protocol (off-Ledger A).. However you also refer to A-participants as participants. Are these identical ?
There was a problem hiding this comment.
Lower-case participants is always just participants in the most general sense.
There was a problem hiding this comment.
ok. then it is ever more important to distinguish A-participants
…nto l-monninger/zk-ffs
| This problem persists under Baker Confirmations for a Baker Coin Protocol. However, it is possible to remove gas attacks associated with these solutions: | ||
|
|
||
| 1. **Reward Delay**: One partial solution to the Fork Stake problem is to delay the emission of rewards by some number of epochs. The result is that contributing to a fork which does not survive for the duration of the delay period is not profitable. When tabulating on-chain, this delay is, however, problematic because it may lead to the cost of issuing a reward to an honest Partition A being correlated with the cost of issuing a reward to a malicious Partition B. When the delay is applied off-chain, however, these costs are negligible. | ||
| 2. **Gas Splitting**: Another partial solution to the Fork Stake problem is in fact to split the |
There was a problem hiding this comment.
Yeah, needs to be removed.
MIP/mip-103/README.md
Outdated
|
|
||
| As discussed in [MD-4](https://github.com/movementlabsxyz/MIP/pull/4/files), another issue with on-chain confirmation devices is that it becomes difficult to incentivize liveness because the cost of rolling over a commitment round or epoch is proportional to the size of the Validator set. This means that the last Validator to make a commitment in a round or epoch would need to be properly incentivized in order to cover their costs. | ||
|
|
||
| The Baker Coin Protocol still suffers from this problem, as it is provided that the Validator post a proof containing clear-text rewards and slashes. This means that the Validator posting the proof still runs a transaction proportional to the size of the Validator set. |
There was a problem hiding this comment.
this needs explaining. i do not understand the problem. is the validator not simply providing a proof?
There was a problem hiding this comment.
The Validator will have to submit a message containing the outputs of the ZK program as well as the proof. Under the Baker Coin class of protocols, this output contains slashing and reward commands which are inherently
MIP/mip-103/README.md
Outdated
|
|
||
| ##### Liveness Disincentives | ||
|
|
||
| As discussed in [MD-4](https://github.com/movementlabsxyz/MIP/pull/4/files), another issue with on-chain confirmation devices is that it becomes difficult to incentivize liveness because the cost of rolling over a commitment round or epoch is proportional to the size of the Validator set. This means that the last Validator to make a commitment in a round or epoch would need to be properly incentivized in order to cover their costs. |
There was a problem hiding this comment.
this problem does NOT exist in postconfirmation as described in MIP-37, as this is trivially resolved by separting the role of a) attestation and b) postconfirmation+rollover. This paragraph describes a problem that does not necessarily exist any longer and should be revised to reflect a scenario with and without a separation of the roles.
There was a problem hiding this comment.
Yes, the acceptor concept is one way to take care of this, but it does just shift the liveness problem to the liveness of the acceptor. It doesn't go away entirely.
There was a problem hiding this comment.
ok. this was too specific to MCR in this case. i have rewritten it to be more generic
see f2a8892
|
|
||
| ###### Standoffs | ||
|
|
||
| [MD-4](https://github.com/movementlabsxyz/MIP/pull/4/files) also presents the problem of standoffs wherein a Validator, upon realizing it is the last Validator needed to reach a super-majority, may choose to withhold its commitment in order to maximize its reward. |
There was a problem hiding this comment.
this is resolved by the honest supermajority assumption. 2/3 exist that do not perform such strategy. what you describe falls into the strategy of 1/3.
you could carry the argument about the "last validator" forth: find a solution to fix the "the last validator" problem. Now it becomes a problem of the second-to-last validator.
There was a problem hiding this comment.
this is resolved by the honest supermajority assumption. 2/3 exist that do not perform such strategy. what you describe falls into the strategy of 1/3.
Somewhat. By some definitions, the Validator in the standoff is still being honest; it's just maximizing its reward which is more like the phenomena described herein, some which influenced Goldfish development. You still want unliveness disincentives is the bottom line.
you could carry the argument about the "last validator" forth: find a solution to fix the "the last validator" problem. Now it becomes a problem of the second-to-last validator.
Not exactly. The second-to-last validator doesn't actually know if has the chance to be the second-to-last validator.
For simplicity, imagine there are three validators remaining. Any two of which are know to compute the supermajority vote for this commitment.
Validator A doesn't know that if it holds off on committing, Validators B and C won't commit rendering its standoff meaningless.
You could say there is a probabilistic strategy or that the Validators could collude. I can model this as a information incomplete game if you want to dive deeper.
But, the bottom line is that, in contrast, when a validator absolutely knows that committing to a certain state root by itself would cause a rollover, it is rational for them to maximize rewards from this privilege however possible.
If there is no deterrent for being unlive, we could reach a point in our chain where a previously completely honest and live validator realizes it can hold the network for ransom indefinitely.
There was a problem hiding this comment.
This is also again to say that Validator A, B, and C is inherently different from partitions of such weights consisting of more Validators--nor that it matters if all three know and are working together. But, that same point is just another motivation for the to create liveness constraints.
Yes, you can generalize this to halting the protocol on the whole whenever the expected value of not committing and waiting for ransom is greater than committing--not just the simple last validator. No, that does not change the fact that requiring commitments by a certain point in time greatly lessens the expected value of such behavior.
There was a problem hiding this comment.
Somewhat. By some definitions, the Validator in the standoff is still being honest; it's just maximizing its reward which is more like the phenomena described herein, some which influenced Goldfish development. You still want unliveness disincentives is the bottom line.
this is rational, not honest. See e.g. https://arxiv.org/html/2405.07557v1
- Honest Players: Also called altruistic players, they follow the specified protocol honestly.
- Rational Players: These players follow the strategy which gives the highest payoff based off of some utility structure (which is protocol and agent type specific5). Therefore, such players deviate from following the protocol honestly only if there exists a strategy with a higher payoff.
There was a problem hiding this comment.
validator realizes it can hold the network for ransom indefinitely.
this seems a byzantine behaviour and not even rational (a rational actor would have to commit eventually to not miss out on rewards for next rounds)
There was a problem hiding this comment.
Generally i would like to raise the question if we consider more than 1/3 of validators to act rational, why should we not consider 2/3 or 100% to act rational?
If 100% act rational what is the reason to commit at all. everyone may attempt to get close to the 2/3 threshold. The abbys of rational actors is a deep.
There was a problem hiding this comment.
at the core this is why i am trying to separate the attestation from the validation. avoid timing games. attesters should just be comfortable and submit at their earliest point and have no advantage about the when (as submitting later has no advantage). it is a weak nash equilibrium that removes being rational for attester permitting the required >2/3 honest majority.
|
|
||
| ##### Proofs of Differing Consensus | ||
|
|
||
| In theory, each Validator can receive a different--but intersecting--set of commitments from the Attesters to reach a super-majority. Concerning attester rewards, this simply means that the on-chain contract MUST reward by the union of all accepted proofs of commitment to avoid over-rewarding Attesters. |
There was a problem hiding this comment.
yes. and this introduces a censorship problem on A. Unless multiple validators provide proofs on A -- but then what is the advantage of this solution against the postconfirmations described in MIP-37?
There was a problem hiding this comment.
- Multiple Validators providing proofs is still potentially cheaper.
- The off-chain implementation is more flexible.
There was a problem hiding this comment.
can we add those points as motivation compared to MIP-37 at the beginning.
|
|
||
| In theory, Attesters can submit differing commitments to different Validators and arrive at a consensus on a given commitment at each. In simple cases, this behavior would not satisfy our Byzantine assumptions under FFS, and so does not need to be addressed. | ||
|
|
||
| However, this problem becomes more acute when considering that the Validators may allow for the production of forks. In this case, an Attester could submit different commitments to different Validators to potentially earn rewards on different forks. To Validator $V_1$, Attester $Att$ may make Commitment $C_1$ on Fork $F_1$. Attester $Att$ cannot recommit to Validator $V_1$, but could still commit to Validator $V_1$ on Fork $F_2$. |
There was a problem hiding this comment.
The entire point of using a base settlement layer is to prevent equivocation on this. Hence why this is called anchoring. The settlement layer A provides higher priority consensus and this should be utilized (otherwise what is the point of having a settlement layer) This is simply done by only allowing the first successful proof.
revise to also consider this assumption, e.g. a second scenario
There was a problem hiding this comment.
The entire point of using a base settlement layer is to prevent equivocation on this.
I disagree somewhat. The point of using the base settlement layer is to anchor the security of a supermajority vote to that layer. The exact quorum is secondary.
There was a problem hiding this comment.
if there can be A) multiple supermajority votes (forks) settled to L1, then this B) removes the sybil protection, which in turn C) removes the security of the supermajority vote.
At what point of this sentence would you disagree?
|
|
||
| However, this problem becomes more acute when considering that the Validators may allow for the production of forks. In this case, an Attester could submit different commitments to different Validators to potentially earn rewards on different forks. To Validator $V_1$, Attester $Att$ may make Commitment $C_1$ on Fork $F_1$. Attester $Att$ cannot recommit to Validator $V_1$, but could still commit to Validator $V_1$ on Fork $F_2$. | ||
|
|
||
| Because the on-chain contract must accept multiple commitments, it must also accept multiple proofs of consensus. Thus, Attester $Att$'s commitment to both Validator $V_1$ and Validator $V_2$ could be accepted on-chain. |
There was a problem hiding this comment.
the contract on A does only need to accept the first valid proof to commitment
There was a problem hiding this comment.
If we would accept
$C_2$ as well this would defeat the purpose of an anchoring layer.
- It should not be possible to send two different supermajority commitments under the Byzantine assumption. The broadcasted votes in the Baker Network could not contain supermajorities for two completely different commitments.
- If
$C_1 = C_2$ but$Validators(C_1) \neq Validators(C_2)$ "accepting" both commitments is irrelevant as they are the same. This is simply a matter of rewarding.
There was a problem hiding this comment.
under the Byzantine assumption
if honest Attesters are assume to only cast their votes once, it is not possibe to send different supermajority commitments. any byzantine assumption is fine for safety. consensus comes from L1. For liveness, we require at least 51%.
There was a problem hiding this comment.
If
$C_1 = C_2$ but$Validators(C_1) \neq Validators(C_2)$ "accepting" both commitments is irrelevant as they are the same. This is simply a matter of rewarding.
i am bit lost about the lingo of attesters and validators at this point - do you mean attesters, not validators?
My assumption was Atestters A1,A2,A3... can cast for one commitment, e.g. C1 or C2. I am assuming C1 neq C2.
The proofs in my understanding could be Proof_of(V1) = C1(A1,A2), Proof_of(V2) = C2(A3). if Proof_of(V1) is valid (i.e. contains a supermajority of votes) it should be the one recorded as the new postconfirmed state.
Now if A3 equivocates and also votes for C2, and forwards this to yet another validator V3, creating a valid proof e.g. Proof_of(V3)=C1(A1,A2,A4). Then this proof of course should also be accepted. the contract on A should now have : C1 -> A1,A2,A3,A4 + separate slashing of A3 for equivocating.
There was a problem hiding this comment.
Attesters broadcast their votes for given commitments. Validators summarize supermajority agreement on a commitment and post it on
There was a problem hiding this comment.
Now if A3 equivocates and also votes for C2, and forwards this to yet another validator V3, creating a valid proof e.g. Proof_of(V3)=C1(A1,A2,A4). Then this proof of course should also be accepted. the contract on A should now have : C1 -> A1,A2,A3,A4 + separate slashing of A3 for equivocating.
That is Byzantine behavior from
Our Byzantine assumption is that, given
In other words, for any proven supermajority vote
Because
Now, you might naively argue that a Validator could collaborate with
| > [!NOTE] | ||
| > The above roadmap diagrams features key milestones. For a more complete treatment, see [#key-milestones]. | ||
|
|
||
| This document contains a roadmap for Movement Lab's Fast Finality Settlement (FFS), a proof of stake L2 confirmations system. The roadmap advocates for continual community engagement via Staking Games and sees ultimately delivery of `ffs` to the `movement` mainnet by July 9, 2025. |
There was a problem hiding this comment.
a proof of stake L2 confirmations system.
we should distinguish clearly between a confirmation layer and a finality layer. E.g. Fastconfirmations are a confirmation layer, whereas Postconfirmations are a settlement layer (think finality).
Why is this important ? Because the final say is by the settlement layer (the base truth). Would the settlement layer reorg, so would have to do the confirmation layer (ideally with no consequence on the transaction order, but possibly with impact on e.g. hashes - for example if the confirmation layer intakes finalization data from L1.)
Maybe the following is representive of this
| Confirmation Layer | Who Confirms | Settlement Layer | Who Settles |
|---|---|---|---|
| Espresso | Espresso validators | Ethereum | Ethereum Validators |
| Arbitrum Sequencer | Arbitrum Sequencer | Ethereum | Ethereum Validators |
| Optimism Sequencer | Optimism Sequencer | Ethereum | Ethereum Validators |
| StarkWare | StarkWare Provers | Ethereum | Ethereum Validators |
| Polygon PoS | Polygon PoS Validators | Ethereum | Ethereum Validators |
| Avalanche Subnets | Avalanche Subnet Validators | Avalanche C-Chain | Avalanche C-Chain Validators |
| Polkadot Parachains | Parachain Collators | Polkadot Relay Chain | Polkadot Relay Chain Validators |
| Near Aurora | Aurora Validators | Near Protocol | Near Validators |
| Cosmos Hub Zones | Cosmos Zone Validators | Cosmos Hub | Cosmos Hub Validators |
There was a problem hiding this comment.
so are you referring here to the confirmation system or the finality system?
There was a problem hiding this comment.
So, in the long run because of generalization, I was actually thinking we might benefit from a new term because of confusion this can cause. I've used "Confirmations" as the general term here because every layer involved uses this voting mechanism to confirm that a certain state has been reached, whichever one is the ultimate is finality.
In other words, not all confirmations are finalizations, but a finalization is a confirmation.
| The roadmap is grouped into three non-consecutive stages: | ||
|
|
||
| 1. **Primitive**: development and testing of proof of concept implementations of FFS. | ||
| 2. **General**: development and testing relying on the reference implementation of FFS and which is decoupled from Movement Lab's full node logic or any particular VM. |
There was a problem hiding this comment.
would you class this as the prototype stage? would be more clear than General. it looks like prototype as its decoupled from full node logic
There was a problem hiding this comment.
Prototype isn't quite the ambition. It's more a push to extract FFS as a generalizable software. All of what's leading up to that in development is essentially a prototype.
MIP/mip-103/README.md
Outdated
|
|
||
| - **Description**: Proposes a Zero Knowledge means of confirming commitments between layers aligned with the FFS protocol. | ||
| - **Authors**: [Liam Monninger](mailto:[email protected]) | ||
| - **Desiderata**: [MD-34](https://github.com/movementlabsxyz/MIP/pull/34), [MD-3](https://github.com/movementlabsxyz/MIP/pull/3), [MD-4](https://github.com/movementlabsxyz/MIP/pull/4), [MD-5](https://github.com/movementlabsxyz/MIP/pull/5) |
There was a problem hiding this comment.
does this address MD-37: FFS: Postconfirmations or MD-65: FFS: Fastconfirmations ?
There was a problem hiding this comment.
Yes, it would be good to include those.
| ## Key Deliverables | ||
|
|
||
| ### contract-based `ffs` | ||
| 1. MCR |
There was a problem hiding this comment.
should start to think of a suitable name, rather than Multi-Commit-Rollup.
- PCP ( PostConfirmation Protocol)
- AP (Anchoring Protocol)
- APP (Anchoring Postconfirmation Protocol)
There was a problem hiding this comment.
Yeah, I mean MCR is just what we'll keep for that first contract we share for the games as it is what that implementation was originally called and we're not planning to keep it.
Summary
MIP-103
Roadmap for FFS through to Baker Confirmations