Endpoints for client state sync

[bobbinth]

Related issues #10, #11, #21, #22, and #32.

When a client wants to sync up with the latest state of the network, the client is interested in the following:

1. Retrieve information about any new notes that have been sent to the client. In the future, this will include full details of public/encrypted notes, but for now we care only about getting the note hash and Merkle inclusion paths so that we can include notes in transactions. There are two Merkle inclusion paths per note:
   a. A path from the note_root in a block header to the note.
   b. A path from an MMR peak to the leaf representing the block header of the block the note was created in.
2. Retrieve information about the notes the client is monitoring. These fall into three categories:
   a. The notes the client has received previously. The information of interest here is whether any of these notes have already been consumed. We also want to update the MMR Merkle path for these notes to match the latest peaks (though, technically, we may get away without this).
   b. The notes the client had previously sent to the network (and which have already been included in the chain). For these notes, we are interested to learn if the notes have already been consumed.
   c. The notes that the client has just recently sent to the network (and which may not have been included in the chain yet). This is also similar to learning whether a given transaction has been included in the chain. Our interest here is to confirm that a transaction has been included, and get Merkle inclusion paths for any newly created notes.
3. Get the latest states (for now just hashes) of all accounts the client is monitoring.
4. Get the block header of the latest block.

In addition to the above requirements, there are additional considerations:

1. The client may want to retrieve the above data while preserving some degree of privacy. That is, the client may request more data than they actually need and then filter out the irrelevant data locally. So, the API must include a way to specify the requested data imprecisely.
2. If the client has been offline for a while (i.e., many months), potentially a lot of data may need to be returned. So, the API must support some sort of pagination capability. We also should specify what size limits we may want to place on requests/responses. For example, we probably may want to avoid responses which are larger than a few hundred KB and requests which are larger than a few dozen KB.
3. If the client is almost synced up (i.e., synced up less than a minute ago), the returned data should be as small as possible so that not to overburden the network.

Specific-object approach

One approach to retrieve the above data could be to ask for specific objects (e.g., notes, accounts, nullifiers).

Note consumption info

Getting info on whether some notes have already been consumes is relatively straightforward in this approach (and this was already implemented in #10). We just send a list of nullifiers we are interested in to the network and get the response back. However, this approach has a drawback: we need to explicitly list all nullifiers we want to get the status of. This means:

• We may need to send a relatively large request. For example, checking the status of 1000 nullifiers will result in sending about 32KB of data.
• It is not clear how to send decoys as the client can't include some existing but irrelevant nullifiers in the list.

The first one is not a huge issue in my mind as clients will likely need to check on a relatively small number of nullifiers at any given time. The second one is a bigger problem as it could leak information about nullifiers for notes a client has sent to the network.

Account status info

We can do something similar to the above for account status checks as well. Specifically, we send a list of accounts we are interested in, and get back a list of their hashes. We could probably combine this request together with request for nullifiers and have a single request which could work as follows:

Request {
    nullifiers: [],
    account_ids: [],
}

Response {
    block_header: <current block header>,
    nullifiers: [list of nullifiers with their inclusion paths],
    accounts: [list of account hashes with their inclusion paths],
}

The benefit of a single request is that Merkle paths for nullifiers and accounts resolve against the same block header.

This request would fulfill items 2 (partially), 3 and 4 in the list at the top of this post. I'm also assuming that for this request we don't need to support pagination as we can put a limit on the number of requested nullifiers/account_ids and that would also limit the response size.

Note info

Fulfilling item 1 and the rest of item 2 is a bit more tricky. There are three ways in which we may want to retrieve note info:

1. By tag (for notes addressed to us).
2. By sender ID (for notes that we send out).
3. By note hash (for notes sent or received out of band).

Here, we could structure the request similarly to how we structured requests for accounts/nullifiers - i.e., list all items we are interested in. Specifically, it could look like so:

Request {
    block_ref: number,
    tags: [],
    sender_ids: [],
    note_hashes: [],
}

Here, we also include the block number (block_ref) of the last block known to the client. This limits the size of the response as the node will need to send matching notes which were created after the specified block.

However, we may still end up with a relatively large response as a lot of notes could match a given tag or sender. So, we need to introduce some sort of pagination. One approach to this was described in #11: we use blocks as a natural pagination mechanism. Specifically, the response could look like this:

Response {
    chain_tip: <number of the latest block in the chain>,
    block_header: <block header of the block with the first note matching the specified criteria>,
    mmr_sync: <data needed to update the partial MMR from `block_ref` to `block_header.block_num`>,
    notes: [a list of all notes together with the Merkle paths from `block_header.note_root`],
}

The user then would make repeated requests until chain_tip = block_header.block_num at which point, the user would have synced up fully to latest state of the chain.

Bloom filter-based approach

One of the downsides of the above approach is that we have to explicitly request every object we are interested in. As mentioned before, this may result in relatively large requests, but more importantly, may leak more info than would be acceptable.

An alternative approach is to use bloom filters to specify the data we are interested in. For example, for the note info request, it would be nice to use something like this:

Request {
    block_ref: number,
    bloom_filter: bytes[],
}

In the above, the bloom filter would include note tags, senders, and note hashes the client is interested in. Then, the node would run all relevant notes through this bloom filter, and send the ones that pass back to the client.

While this is quite convenient, the main concern with the above scheme is how to make it performant.

First consideration is how large to make the bloom filter. Assuming the client wants to request several hundred objects (across tags, senders, and hashes) and be able to vary the false probability rate between 1 in 1K and 1 in 1M, we'd need a bloom filter of 4KB (32768 bits). From the request size standpoint, this is not bad at all. From checking whether a given item is in the bloom filter, this is probably not great.

More importantly, however, it is not clear how to efficiently figure out how we can apply the bloom filter on the node side. As I can see it, there are two options:

1. We can do a linear scan and literally run every note through the filter. This is probably prohibitively expensive (though, I haven't done any benchmarks or any back-of-the envelope computations).
2. We can pre-compute bloom filters for each block and try to do a set disjointness test. Assuming I understood the formula from here currently, for any practical set of parameters, false probability rate will be really high and this will degrade to almost a linear scan.

[bobbinth]

One of the ways to reduce request size and improve privacy when requesting nullifiers is to send prefixes of the nullifiers we are interested in rather than full nullifier digest. For example, if instead of sending a full nullifier we send a 32-bit prefix, a request for 1000 nullifiers will require 4KB (vs. 32KB if we were to send full nullifiers).

We could reduce the prefix size even further - e.g., to 16 bits. The downside is that this could return a large number of nullifiers. For example, if there are 32 billion nullifiers in the system (at 1K TPS this would be generated in about a year), and assuming they are uniformly distributed, a single 16-bit prefix would match almost 500K nullifiers. Even if we strip out Merkle authentication paths (which, it doesn't really makes sense to send when we are requesting nullifiers by prefix), this will be 15MB of data per prefix.

There is, however, an easy way to fix this: the client can send their last known block number, and the node would respond only with the new nullifiers created since then. Assuming the same TPS and if the client has been offline for about a month, a single 16-bit prefix would match about 40K nullifiers (or 1.2MB of data). Obviously, if we send a request for 100 prefixes, we would get 100x of the data back on average. The table below shows how much data a client would need to download for requesting nullifiers for 100 16-bit nullifier prefixes depending on how long the client has been offline for various TPS assumptions:

TPS	1 week	1 month	1 year
100	2.8 MB	12 MB	150 MB
1000	28 MB	120 MB	1.5 GB
10000	280 MB	1.2 GB	15 GB

The values for 100 and 1K TPS seem pretty reasonable to me. For 10K TPS we may need to use a longer prefix, but maybe by the time we get to this throughput downloading this much data won't be an issue.

Based on the above, I think we can modify the endpoint to request nullifier/account data as follows:

Request {
    block_ref: <block number of the last sync>,
    nullifier_prefixes: [list of 16-bit nullifier prefixes],
    account_ids: [list of account Ids]
}

Response {
    block_header: <current block header>,
    nullifiers: [list of nullifiers created after `block_ref`],
    accounts: [list of account hashes with their inclusion paths for accounts modified after `block_ref`],
}

[hackaugusto]

I think we should also have a metric of how much of the response data is useful for the client. The current setting is that additional data is necessary for privacy reasons, this means a ratio smaller than 1 is desirable. The issue is that the current design doesn't have a lower bound to this ratio.

The tables below exemplifies this:

tps	ratio week	size	ratio month	size	ratio year	size
100	1 / 922.85	32B / 28.84KiB	1 / 4021.00	32B / 125.66KiB	1 / 48120.12	32B / 1503.75KiB
1000	1 / 9228.52	32B / 288.39KiB	1 / 40209.96	32B / 1256.56KiB	1 / 481201.17	32B / 15037.54KiB
10000	1 / 92285.16	32B / 2883.91KiB	1 / 402099.61	32B / 12565.61KiB	1 / 4812011.72	32B / 150375.37KiB

The ratio above is also for the best case scenario, it assumes the nullifier the user cares about is included in the request, I left it in as a fraction instead of a decimal because the ratio is too small. Because the nullifiers are produced by a cryptographic hash function, the ratio above would improve only when the user requests more than $2^{16}$ / 65536 nullifiers in a single request, which is too high for the majority of user cases (we are considering 1k nullifiers on the high end for the time being).

The above shows the endpoint is not scaling. The response size increases with the number of transactions to the network, instead of the number of nullifiers the user is interested in and its privacy settings.

An alternative solution is to download nullifiers based on epochs. The user would make a single request to fetch a range of leaves from the nullifier tree of a given epoch. The user would provide an index, e.g. a NodeIndex(depth=8, path=0b0010_1110), and the server would reply with all the nullifiers contained in that subtree. This design has multiple advantages:

• Allows the user to control the response size
• Allows the user to configure its desired privacy settings
• Supports decoy requests which don't leak information
• Allows the server to control the response size, so that it doesn't get DDoS'ed.

code to produce table

bits = 16
TPS = [100, 1000, 10000]
# SIZES = [1, 10, 100, 1000]
SIZES = [1]
secs_in_week = 60 * 60 * 24 * 7  # 604800
secs_in_month = 60 * 60 * 24 * 30.5  # 2635200
secs_in_year = 60 * 60 * 24 * 365  # 31536000
week_to_month = secs_in_month / secs_in_week  # 4.35
week_to_year = secs_in_year / secs_in_week  # 52
bucket_size = 2**bits  # 65536, the number of nullifiers in a 16bit bucket.
nullifier_bytes = (64 / 8) * 4
bytes_to_kib = 2**10

data = []

for tps in TPS:
    for size in SIZES:
        # estimate the count of nullifiers in each bucket
        bucket_per_week = tps * secs_in_week / bucket_size
        bucket_per_month = tps * secs_in_month / bucket_size
        bucket_per_year = tps * secs_in_year / bucket_size
        prefixes = min(size, bucket_size)

        # estimate the number of nullifiers per response
        count_per_week = bucket_per_week * prefixes
        count_per_month = bucket_per_month * prefixes
        count_per_year = bucket_per_year * prefixes

        # size in KB for the response
        size_week = count_per_week * nullifier_bytes / bytes_to_kib
        size_month = count_per_month * nullifier_bytes / bytes_to_kib
        size_year = count_per_year * nullifier_bytes / bytes_to_kib

        data.append(
            [
                str(tps),
                f"{size} / {count_per_week:.2f}",
                f"{size_week:.2f} KiB",
                f"{size} / {count_per_month:.2f}",
                f"{size_month:.2f} KiB",
                f"{size} / {count_per_year:.2f}",
                f"{size_year:.2f} KiB",
            ]
        )


print(
    """\
| tps   | ratio week      | size        | ratio month       | size         | ratio year        | size          |
| --    | --              | --          | --                | --           | --                | --            |
""",
    end="",
)
for columns in data:
    line = " | ".join(columns)
    print(f"| {line} |")