protocol does not define an enumeration of supported sector sizes #318
Conversation
laser
changed the title
how would "the network" verify these keys? |
|
@laser yeah, this doesnt work. Everyone in the network has to have all the verifying keys. Even if you post the keys on the chain so everyone has them, how do you know someone didn't generate their own parameters and keep the secret keys, thus allowing them to craft arbitrary fake proofs and game the market? |
|
All miners on the network will need to agree on the current set of valid verification keys, and everyone will have to have all verification keys. If and only if this is true, proofs can be trusted. We already have a mechanism for publishing the officially trusted set of verification keys: If we want to centralize publication of that blessed verification key set in some place which is neither As long as all verifiers have access to the full set of verification keys and can validate that no rogue keys have been included, nothing further should be required. The |
|
Some thoughts, @whyrusleeping
When new Groth parameters become available (because we create and distribute them), all nodes in the network which process
The parameters.json file in rust-fil-proofs contains an enumeration of the Groth parameters and verifying keys which we have blessed, along with a hash of each parameter and key. Assuming that miners trust the contents of that file, I do not understand how a malicious miner would be able to convince other miners that their (bogus) verifying key was legitimate. If the malicious miner can't convince others to accept their bogus verifying key, their |
|
@whyrusleeping - After the above messages from myself and @porcuquine, do you still believe that my proposal is not acceptable? |
I don't think this is the best approach. It complicates distribution with an implied guarantee that after a certain amount of time, new keys will have been downloaded. I think it makes most sense to distribute parameters and corresponding keys together as soon as they exist. Miners should still probably wait to use new keys until they can reasonably expect verifiers to have them, but I'm not sure the distribution mechanism should take responsibility for managing how long that waiting period 'should' be. I think it's a matter of individual risk, somewhat like reliance on transaction confirmation times. Verifiers should be motivated to have up-to-date keys, since if most other verifiers do and one doesn't, then the one without valid keys will wrongly reject valid proofs and therefore have a technically wrong view of the chain. |
|
@laser @porcuquine the problem I have is that adding (or removing) parameters is a 'hard fork' level network upgrade. It requires everyone to now have (effectively) new software (even if its something that could be automatically downloaded). So the question is, what is the coordination mechanism? Who gets to make the calls? Do these changes happen automatically? Having the allowable parameters hard coded into the chain is much simpler to reason about than this proposal. |
|
A solution that is easier to think about would be having an actor on chain that holds all the available parameters, and we could add new parameters to that actor via message. However, that's an unworkable solution as it puts an unacceptable amount of responsibility and power in the hands of whoever is able to send that message (and this gets into governance). |
What I'm getting at is that when the network launches, there will have been a single trusted setup. As a result, there will be a single initial set of verification keys. At network launch, everyone participating will need to know what these are and to have received them. We don't actually need anything more. Exactly what characteristics we want when making changes in the future is a decision that can be deferred until then. I believe this approach maximizes freedom to make that decision later because it doesn't require that any particular mechanism be in place — simply releasing and (somehow) 'blessing' new parameters/keys is a minimal solution that would work, but we're free to add more mechanism as part of a hard fork if we feel it adds value. |
|
@porcuquine How about, we have a place on chain for the parameters to go, effectively a mapping of sector size to verification key. This is hard coded, and can be changed during a network upgrade (fork). This way, theres no ambiguity around exactly which parameters are being used when, and it also answers the question of 'where do these parameters come from?' better. |
|
Maybe. However, it's not a straightforward mapping of sector-size -> verification key — because (at least as of now), multiple proof sizes are also possible. So any such mapping would need to be of (sector-size, proof-size) pairs to verification keys. I don't completely understand how it would work, but in principle I don't see a problem with allowing the chain to supply the identify of the verification key -- presumably as a Cid. Is that what you had in mind? I think the cheapest way to allow deterministic verification is probably just to have the chain supply a hash so that the explicit set provided in the manifest can be validated. I don't have strong feelings apart from wanting to minimize the development effort beyond what's strictly necessary. So I'd be curious to hear laser's assessment of the relative implementation cost of the options. |
This sounds sane to me.
How's that sound, @whyrusleeping @porcuquine? |
|
With the stipulation that I would prefer that there be no explicit dependency on the format of |
I think I agree with this, but the computer software needs to be able to pull this and parse it and verify it automatically. It shouldnt arbitrarily change. |
Agreed. I think Since what goes on chain will be part of the protocol, I'm saying it shouldn't depend on the exact content and format of the What we don't want is a situation in which — for example — a whitespace change to |
laser
changed the title
laser
changed the title
We would like to roll out support for new sector sizes without requiring a change to the protocol. A Filecoin node can verify seal and PoSt proofs for any sector size which they have verifying keys for. Adding support for a new sector size is as simple as distributing new verifying keys (for PoSt and seal) for that sector size. The Filecoin node (i.e. not the protocol) should specify an enumeration of sector sizes for which Groth parameters and verifying keys are available. The protocol does not prevent an operator from creating a storage miner actor with a sector size for which no Groth parameters have been published - but they won't be able to generate proofs.
laser
force-pushed
the
feat/protocol-does-not-constrain-sector-sizes
branch
from
d128c2d to
a3434e0
Compare
|
Just rebased; conflicts in |
|
@whyrusleeping - Have we successfully convinced you that supported sector sizes will not be something defined by the protocol? If so, is there anything I can do to move this PR along? |
|
Given that we are not sure how exactly adding sector sizes will work I would suggest for now to keep a hard coded list of supported sector sizes in the spec. |
|
I don't think there's any further work to be done on this PR, since the actor method already calls in to some fantasy |
We would like to roll out support for new sector sizes without requiring a change to the protocol.
A Filecoin node can verify seal and PoSt proofs for any sector size which they have verifying keys for. Adding support for a new sector size is as simple as distributing new verifying keys (for PoSt and seal) for that sector size.
The Filecoin node (i.e. not the protocol) should specify an enumeration of sector sizes for which Groth parameters and verifying keys are available. The protocol does not prevent an operator from creating a storage miner actor with a sector size for which no Groth parameters have been published - but they won't be able to generate proofs.