🚧 | B1: Hierarchical consensus PoC

[jsoares]

Description

Consensus, or establishing total order across transactions, poses a major scalability bottleneck in blockchain networks. In short, the main challenge with consensus is that it requires all nodes (often called validators or miners) to process all transactions. Regardless of the specific consensus protocol implementation used, this makes blockchain performance limited to that of a single miner at best.

Borrowing ideas from traditional distributed databases, one possible approach to overcoming this limitation is to resort to the partitioning, or sharding, of state processing and transaction ordering. In a sharded system, the blockchain stack is divided into different groups called shards. Each shard is operated by its own set of miners, keeps a subset of the state, and is responsible for processing a part of the transactions sent to the system. The rationale behind sharding is that by dividing the whole blockchain network into different groups, the load of the system is balanced among them, increasing the overall transaction throughput of the system. Instead of every node having to process all transactions sent to the system, each shard processes and handles the state of a subset of transactions and objects.

Existing sharded designs (e.g. OmniLedger and Shard Scheduler) often follow a similar approach to the one traditionally used in distributed databases, where the system is treated monotonically, and a sharded system acts as a distributed controller which assigns miners to different shards, and attempts to distribute the state evenly across shards to balance the load of the system. Many of these designs use a static hash-based assignment to deterministically select what state needs to be kept and what transactions are to be processed by each shard.

The main challenge with applying traditional sharding to the Byzantine fault-tolerant context of the blockchain lies in the security/performance tradeoff. As miners are assigned to shards, there is a danger of dilution of security compared to the original single-chain (single-shard) solution. For instance, in both Proof-of-Work and Proof-of-Stake blockchains sharding may lead to the ability of the attacker to compromise a single shard with only a fraction of the mining power, potentially leading to compromising the system as a whole. Such attacks are often referred to as 1% attacks. To circumvent such attacks, sharding systems need to re-assign randomly and periodically miners to shards in an unpredictable way to cope with a semi-dynamic adversary. In the following, we refer to this approach as traditional sharding.

We believe that the traditional sharding approach to scaling, which considers the system as a monolith, is not suitable for decentralized blockchains. Instead, in this project, we depart from the traditional sharding approach to build hierarchical consensus. In hierarchical consensus, instead of algorithmically assigning node membership and evenly distributing the state, we follow a ``sharding-like'' approach where users and miners are grouped into subnets and where they can freely choose the subnets they want to belong to. What is more, miners can spawn new child subnets from the one they are operating in at will, according to their needs. Even users can spawn a new child subnet, provided they operate as miners in that subnet.

We refer to the state of a subnet as a chain. Each subnet keeps its state in an independent chain and processes transactions that involve objects that are stored in the chain. Every subnet can run its own independent consensus algorithm and have its own security and performance guarantees.

All subnets in the system are organized hierarchically where each of them will have one parent subnet and can have any number of child subnets, except root subnets which have no parent and are hence called root networks, or rootnets. As a major difference compared to traditional sharding, subnets in hierarchical consensus are firewalled, in the sense that a security violation in a given subnet is limited in effect to that particular subnet and its child subnets, without affecting its ancestor subnets. Moreover, ancestor subnets help secure their descendant subnets --- for instance, checkpointing a Proof-of-Stake subnet into its parent may help alleviate notorious long-range and similar attacks. In addition, rootnets in hierarchical consensus are also able to commit in parallel into other blockchains/rootnets with better or complementary security guarantees. For instance, the rootnet in Filecoin's hierarchical consensus can leverage the very high security of the Bitcoin network by periodically committing a checkpoint of its state (see #5).

At a high level, hierarchical consensus allows for incremental, on-demand scaling and simplifies the deployment of new use cases on a blockchain network. Our design is inspired by the Proof-of-Stake sidechain design, to our knowledge first proposed here. Hierarchical consensus generalizes this approach, minding the specifics of Filecoin, which does not use Proof-of-Stake as a Sybil attack protection on the root chain, but rather copes with sybils in a way specifically tailored to data storage (Proof-of-SpaceTime (PoST) and Proofs-of-Replication (PoRep).

Resources

• Project spec (WIP / living document)
• Implementation

Papers

• A. De Rocha, L. Kokoris-Kogias, J. M. Soares, and M. Vukolić, “Hierarchical consensus : A horizontal scaling framework for blockchains," 2022. (preprint)

Talks

2022-02-03 PL Research Seminar: Filecoin Hierarchical Consensus Specification

2022-02-07 ConsensusLab 22Q2 Team Week: B1 update

Demos

2021-10-14, hierarchical consensus MVP

2021-12-09, new actor architecture

2022-02-10, cross-net transactions

2022-03-10, atomic execution between subnets

[jsoares]

2022-02-21 meeting notes

• Updates
  • AR: Updated spec with atomic execution protocol.
    • Kicked-off the implementation of the MVP
      • Sample actor that locks state to perform atomic execution
      • Atomic package with locking primitives.
      • Next: SCA implementation of atomic execution. Off-chain execution and negotiation.
  • AR: Basic template for the paper
    • Deadline 5th March (call)
  • AR: CEL collaboration (doc)
    • Initial idea for gas model of cross-net transactions
  • AR: Lurk in hierarchical consensus.
    • It would simplify atomic execution protocol.
• Discuss:
  • AR: Outline for the paper?

[jsoares]

2022-02-28

✋ Attendees

• @adlrocha
• @matejpavlovic
• @jsoares
• @LefKok
• @vukolic

📣 Updates

• State locking and off-chain execution figured out with sample actor that support atomic execution (PR).
  • Minor change pending: use a temporary blockstore instead of the state manager to avoid "polluting" the state blockstore with off-chain computations.
• Work in progress: implementation of SCA logic for atomic execution
• B1 Paper ready for a second round of feedback/review
  • Pending Related Work and conclusions.
• itests work in progress.

🧵 Discussion

• Should I take another pass to the paper or is there something high-priority that requires my attention?
  • If not I'll wait for your next round of feedback.
  • Jorge having a go this afternoon
  • Marko tomorrow morning
  • Alfonso tomorrow afternoon
• Is firewall property on state attainable?
  • If you interact with a malicious subnet and it sends you "wrong" state, can you prevent that?
  • For funds, you can manage inflow/outflow consistency (this is the IOHK paper). For state, and if the input is incorrect, you might believe an incorrect output. What does it even mean for the input to be correct in this context?
  • Straightforward to build a fraud proof by inspecting state? Data availability becomes an issue. State view might be transaction-specific; no ground truth.
  • Can an honest subnet identify corrupt state? Probably not; at most, hope for synchrony and hope to receive fraud proof. Plus the state might revert -- what you observe at any time might change. There might not be a solution.
  • Can checkpoints save us? You can identify state reversion as long as two checkpoints have been committed. Needs to have the proper content/format in the snapshot.
  • We need a clear definition of the firewall property in the paper: only applies to fungible tokens.

🎯 Up next

• Merge PR with atomic execution primitives
• Unit test and implementation of atomic execution in SCA
• Atomic execution manager
• Final draft of paper by Wednesday.
  • Lefteris will add note on firewall property

[jsoares]

2022-03-07

✋ Attendees

• @adlrocha
• @dnkolegov
• @jsoares
• @matejpavlovic
• @vukolic

📣 Updates

• Stable draft for B1 paper (thank you everyone for your reviews/comments/feedback 🙌)
  • Sent to proof-reading
• Merged PRs with sample atomic execution actor, primitives for atomic execution, and SCA logic for the protocol
• Working on the flow for demoable e2e implementation of atomic execution between subnets
  • Pending submit/initialization stage.
  • I'm targeting this week's Demo Day. Let's see if we can make it).

🧵 Discussion

• Pending tasks to wrap-up B1?
  • Focus long-running deployment / FVM
  • List issues with technical debt before production.
• Long-running deployment of Eudico (a.k.a pre-testnet or "Eudico Garden")
  • What do we want from the testnet?
    • Insights on when crashes and fails in a long-running deployment.
    • Publicize so others can play with it
  • Number of nodes?
    • Dozen of nodes more than enough.
  • Bootstrapping?
    • Manual. Not dynamic (at least yet)
  • Who can access it? Purpose?
  • Do we need Fil Consensus in rootnet? What consensus in rootnet?
    • Fil consensus not yet integrated in subnet. Shouldn't be a lot of work.
    • Proof-of-work or Tendermint for the rootnet.
    • We can have Fil consensus from the beginning with small sector if it is not a lot of work (devnet approach).
    • Less than week? If yes, let's do it.
  • CI/CD?
    • No. Manual. Pull/push. Do it from time to time.
  • Monitoring?
    • Prometheus integration from scratch?
    • External help would help us a lot.
  • What team is responsible for testnet deployment? (to get additional context on how it is done today)
    • Sentinel team: Data collection and monitoring. PL data warehouse.
    • Fil Indra: Infrastructure deployment.
    • Marcus to set up infra in Canada.
• Eurosys meeting
  • Might do it in Paris instead, tentative 4 April (Alfonso can do 4-8)
  • Alfonso's onboarding to Eudico; could be around some issue that needs implementation. Ramp up Sergey quickly.

🎯 Up next

• Working on demo of atomic execution for demo day
• Wrapping up of B1
• Eudico garden (pre-testnet)
  • Figuring out who can help us?
  • EC2/dedicated infra?
  • Ask Marcus, cc Marko
• Review CEL proposal for crypto-econ model for hierarchical consensus

[jsoares]

2022-03-14

✋ Attendees

• @adlrocha
• @dnkolegov
• @jsoares
• @LefKok
• @matejpavlovic
• @vukolic

📣 Updates

• B1 paper submitted and announced to PL.
• Atomic execution merged and available in main branch.
  • Closing MVP stage (and tracking issue)
• Currenlty collecting issues of things that need to be done before deploying into production (things to review, things to revisit, missing features, improvements, etc.).
  • Tracking everything in new github project

🧵 Discussion

• Itests for hierarchical consensus and CI?
  • More of us are contributing to the code now, it would be good to add certain level of CI to ensure that our PRs don't "break things".
  • Can I get support from Denis here? (if he is into it).
    • Let's keep in mind we're ahead of schedule on both B1 and Y5. It's fine to take time to pay off debt.
    • Matej, Denis, Sergey, and Alfonso to work it out.

🎯 Up next

• Review data availability efforts from CryptoNetLab
  • https://www.notion.so/pl-strflt/Data-Retrievability-Research-effort-for-on-chain-solutions-576cd6bdb48b40b9b7598326e108b505
  • https://www.notion.so/pl-strflt/Data-Retrievability-Consortium-252f52f47b3944e8a54e8d0f553c5cd7
• Collection of issues with things pending and worth revisiting before moving into production.
• Integrate Filecoin consensus natively for Eudico rootnets (no support in subnets) for Eudico garden
• Plan (and ideally deploy M1) Eudico garden.
  • M0: Filecoin consensus natively in Eudico (~ 1 week)
  • M1: Five manual nodes (~ 1/2 days)
  • M2: See what can be automated easily to spawn/regenerate/kill the testnet (optional)
  • Next steps: monitoring / dashboards / etc.
  • Target showing Eudico garden in the next Demo Day?
• Plan hierarchical consensus FVM actors
  • M1: Translate SCA and subnet actors into Rust/WASM actor (~ 4-6 weeks)
    • Include unit test coverage
    • Make them builtin actors (this will probably change once we have support for user-defined actors).
  • M2: Rebase Lotus with FVM integration (~ 1 week)
    • Test that the systems works seamlessly replacing hierarchical Go actors with Rust ones.
  • M3: Atomic primitives and sample actor with support for atomic execution. (~ 3-4 weeks)
  • M4: Make hierarchical actors user-defined (TBD)
    • It may require some re-design. This will depend on when this feature is included in Lotus.
  • References
    • FVM integration in Lotus in progress
    • New Rust built-in actors

[jsoares]

Our work here is done! Hierarchical consensus continues in project B3: #6.