Off-Chain Window PoSt #59
Conversation
|
This would be extremely welcome. |
|
I would say that I am not for this proposal. I prefer what @jbenet proposed with a control plane and data plane,#24 (comment), I feel that is more in line with the type of community we should promote. It was compared to making sure emergency service vehicles are able to get where they are going, people move out of the way not because of what they can gain.
and I don't think that this possiblity is appropriate for our communities goals. |
|
@cwhiggins this proposal is complementary to the "fast lane" proposals, it doesn't conflict with them. I completely agree that "necessary" messages should be prioritized. I'm fielding this proposal because:
That's why I'm proposing this solution now.
The goal is to ensure that miners are correctly storing data, that's it. I'm providing both an altruistic and a selfish reason:
|
|
I'm for this enhancement if the it doesn't slow down the sealing process. |
|
Will this have to happen two days in a row before a miner is penalized? How often in a day can it be requested a miner prove their storage? Will it scale with size of miner, say only one request per day for 10Tib miner, 1000 for 10Pib? |
|
Also, the end points of your response 1,2 you use the term "incorrect window posts", the requestor does not know the state of the Post. It is a fishing expedition. The more resources you have, the more you can go fish. Sorry, I don't like this implementation. |
No. A miner will still be able to "miss" a single window post without paying penalties, but they won't be able to submit a bad proof.
Miners will still need to prove their storage as normal using the normal proof mechanisms. The only change here is that the network won't validate these proofs unless some other miner submits a new message disputing the proof. |
I think you're misunderstanding the proposal. This proposal requires no additional work from miners proving their storage. |
|
Could please clarify what will happen when some one submits a dispute to a proof?Will the miner at that point just be required to submit a saved message from the Post? |
This process is explained in detail in the "Change: SubmitWindowedPoSt" and "New: DisputeWindowedPoSt" sections. Simple summary (but you should still actually read the proposal):
|
|
so only other miners can dispute proofs, as they are then doing the work to verify against chain? It seems to me there still needs to be some sort of engagement with the miner in question at the time of the dispute? I have read the proposal, obvious by my first post, really, had to go there? |
No, the proof is recorded in the on-chain state when the miner first submits it. The disputer just tells the chain to check the proof. Steps:
The only difference is the addition of steps 2 and 3 to make step 4 (the expensive part) optional unless someone notices that the proof is incorrect. |
|
I think it looks like a god idea, but the possibility of large miners spamming bad proofs is somewhat concerning. Obviously you don't want to penalize someone for 1 bad proof, but I think once the number reaches a specific point, the penalty should be stiff. |
|
Does the network power only decrease when the dispute lands on chain? What happens in the intermediate time the miner had unlawful power to his name? Is it just the slashing penalty or are possible block rewards he got from that power deducted as well? (It seems difficult to get right though as it's usually just a fraction of his power that got lost). Also, will the process of continuously validating proofs and filing disputes be automated when running a node? In general I am all for doing as much work off chain as possible. However, I feel it is very weird that miners need to pay each other in order to get paid. Especially considering that WindowPoST is very much expected and also required. As soon as a sealed sector is known the system should make room for the expected PoSTs, but not for more. Maybe a variable block size or a fixed fee set at sector commit? |
That's actually not obvious to me and I'm curious what you're thinking here. At the moment, there are pretty stiff penalties (~5.1 days worth of block rewards) for submitting any bad proofs (note, these aren't just missed proofs, they're actually incorrect). The idea is to check these proofs thoroughly locally before submitting them. Great questions! I'll try to work my answers into the proposal.
Unfortunately, yes. Actually, a bit longer because Filecoin determines the winning miner by looking Finality (900) epochs back in the power table.
They will continue to win blocks as normal.
The penalty scales with the amount of incorrectly proven power which is also proportional to the expected number of blocks won. Specifically, this proposal currently sets the penalty to 5.1 "BR". That's the expected block reward earned by the incorrectly proven sectors over 5.1 days. So in theory, a miner could "get lucky" and win more than it loses. But a miner is significantly more likely to lose more than it wins.
The network is secure as long as someone checks the proofs. I expect the Filecoin Foundation to sponsor one, at least, given that the cost of running one such node is reasonably low. For now, any "disputer" process will likely be a special node but I'd personally love to see a world where all lotus nodes randomly sample and check proofs at some user configurable frequency.
I think I'm missing some context here but I'll answer as best I can. Specifically, could you expand on "miners need to pay each other in order to get paid" and "maybe a variable block size or a fixed fee set at sector commit"? There are a number of reasons to verify posts off-chain, but I they all boil down to: it frees up chain bandwidth. Basically, we don't need to synchronously and deterministically verify all proofs in lockstep, so why do it? We can let nodes verify proofs in whatever manner works for them, and report issues to the chain, This enables:
|
|
@Stebalien I think I confused a couple different sections when reading. I was looking at the Risks section. A large miner could spam bad proofs to try to overwhelm the chain with the subsequent verification cost. I was referring to a large miner spamming bad proofs from that section. So if someone disputes a proof 1 time and its actually a valid proof, does the miner that disputes it get penalized? I was thinking the first time you wouldn't, but if you are spamming to overwhelm the chain, the penalty would get increasingly higher. It looks like you are already looking at this, so my post was a bit redundant. This was the part that kind of stuck out to me as a bit concerning since there are some pretty large miners out there. |
|
Can one proof being disputed multiple times within 1800 epochs by the same challenger or different challengers? |
|
@funktafide The poential of spam is not limited to this - all transactions can be used to spam the network. The attacker would be paying the fees according to the computational load that is required to process the transaction in form of gas usage and simultaneously would drive up the base fee as intended by EIP1559.
...in a senes that they need to pay transaction fees for their sector commits and window PoSTs in order to mine blocks, and when they get elected to mine a block they are rewarded with the block reward plus the fees payed by all other miners. Specifically I dislike that gaining power in the network is coupled to the transaction fee market. The tx fee market is mainly dictated by the capacity and energy consumption of the blockchain. IMO it is essential to open blockchain systems that everyone can gain power in the network regardless of congestion and fee market. In fact, I belive congestion should be an additional incentive for brand new miners to get these sweet transaction fees. Having new miners first pay those high fees to get power results in the opposite effect or even a death spral where existing miners will stop adding new storage due to falling profits.
So how could we solve that? Two ideas that come to my mind.
|
FIPS/fip-0010.md
Outdated
| ### Submitting Invalid Proofs Is Irrational | ||
|
|
||
|
|
||
| ### Disputing Proofs Is Rational |
There was a problem hiding this comment.
I am not fully convinced that "disputing proofs is rational": the arguments used here to support that statement are true but what about miners try do be "free riders"?
That is, a miner can choose to let the others do the verification and disputing work (zero work for him, same "rewards" as before).
cc @sa8
There was a problem hiding this comment.
In terms of "minimizing power", I agree that the argument is very weak and I'm happy to remove it. From my perspective, the only argument that really works is the "altruistic" (ish) one. That is, large enough players will verify proofs because:
- It should be relatively cheap. At the moment, everyone is verifying all proofs. Even if we grow by 10x or 100x, verifying proofs should still be relatively inexpensive compared to the cost of actually mining on Filecoin.
- If a significant fraction of proofs on Filecoin are incorrect and go undisputed, people will lose trust in the Filecoin network devaluing the token.
There was a problem hiding this comment.
Updated. How does the new text read?
|
|
||
| TODO | ||
|
|
||
| ## Security Considerations |
There was a problem hiding this comment.
The security considerations section misses this points:
- Short fork attack may be possible and some invalid proof may not be disputed.
If the challenge for an invalid proof arrives close (ie, < 200 epochs) to the end of the challenge window, the miner (the one who submitted the invalid proof) could fork using selfish mining and create a chain where there is no challenges for his invalid proof. - About "Power & sector extension attacks": Note that after this FIP the power for invalid proofs is removed only when the invalid proof is detected and therefor, from the deadline to this moment, there is some small PT inflation we did not have before.
FIPS/fip-0010.md
Outdated
|
|
||
| Given that proofs are accepted optimistically, an attacker can keep a faulty sector "active" by submitting invalid window PoSts. However: | ||
|
|
||
| 1. If these posts are successfully disputed, the attacker will lose 5.1 times the expected block reward per-day for the incorrectly proven sectors. |
There was a problem hiding this comment.
5.1?
I think it is 5.51 (FF + 2*BR), and for completeness I would add the this value is chosen to give a negative profit for miner who sends invalid proofs when we have that an invalid proof is detected in 12h (after deadline) with probability ≥ 1/3.
who is "paying" for the last step? case 1: the Dispute is not justified --> the proof is valid in addition: what keeps miners from collectively ignoring DisputeWindowedPoSt messages? |
@funktafide the party that disputes it pays the gas cost of checking the proof validity, but earns no reward that might cover that cost if the dispute fails. This is not any more prone to spam than any other method. @Stebalien was worried about the case of a miner submitting many bad proofs, thus kind of obligating the network to process valid disputes for them all. It's a very expensive attack. (I expect future proof batch/aggregation techniques to dramatically reduce the cost of disputing en-masse.)
@jennijuju an invalid proof can be disputed only once. A valid proof can be disputed repeatedly (at cost to the disputer, and will always fail to penalize/reward).
@BrunoZell thanks this is a great perspective. I think there's a lot of support for that vision long term, we'd love your help figuring it out. The control/data plane model might be a good fit, or others. But let's take that discussion elsewhere (#24, #47, or a new issue) – it's complementary to this technique of moving most proof verification off-chain, which we will want anyway. |
|
I was suspecting this would be out of scope for this issue, still finding my way around FIL development. Thanks for the pointers! |
FIPS/fip-0010.md
Outdated
|
|
||
| ### Vesting Fund Extraction | ||
|
|
||
| `DisputeWindowedPost` takes feeds from "vesting funds", but burns any fees taken. Therefor, it cannot be used to "take an advance" on vesting funds. |
There was a problem hiding this comment.
We need to describe the reward above, and then outline its potential for extraction here.
There was a problem hiding this comment.
Mostly done. We still need to pin down the exact reward.
FIPS/fip-0010.md
Outdated
|
|
||
| ## Product Considerations | ||
|
|
||
| This FIP will increase chain bandwidth by moving Window PoSt processing off-chain. This will reduce the per-gigabyte network-wide maintenance cost, removing a scalability constraint on the total amount of storage that can be supported by the network. |
There was a problem hiding this comment.
Address benefits specifically to small miners
|
This change increases the length of chain history that must be accessible at low cost by the VM in order to fetch a challenge seed from |
minor edits
Update fip-0010.md
Yeah, I'll switch it. I've stopped inserting line breaks because I've optimized my editor work around the lack there of... but I agree. |
FIPS/fip-0010.md
Outdated
| ### Vesting Fund Extraction | ||
|
|
||
| `DisputeWindowedPost` takes feeds from "vesting funds", but burns any fees taken. Therefor, it | ||
| cannot be used to "take an advance" on vesting funds. |
There was a problem hiding this comment.
I think this is untrue if there is a non-zero reward. We should note here the maximum fund extraction rate for a self-destructing miner (and that it is lower than that already possible from declaring consensus faults). cc @Kubuxu for details.
There was a problem hiding this comment.
The rate is a bit tricky to calculate. The rate for slashing is one reward per day but the rate here is one reward per partition per 2 days. On top of that, the fine to reward ratio depends on how "full" each partition is.
I'd like to consider setting a minimum fine. That would make it easy to reason about this in terms of a tax. E.g., if the minimum fine is 3x the reward, the "advance" would have a 75% tax.
See #42. WIP.