Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PeerDAS fork-choice, validator custody and parameter changes #3779

Open
wants to merge 25 commits into
base: dev
Choose a base branch
from
Open

PeerDAS fork-choice, validator custody and parameter changes #3779

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
2b455c1
create fork-choice.md with availability checks
fradamt May 23, 2024
7c72ec8
validator custody and parameter changes
fradamt May 23, 2024
9159bd0
small fixes
fradamt May 24, 2024
56e9d38
change validator custody to 6, plus two extra per 32 ETH
fradamt May 24, 2024
54157a2
wip
hwwhww Jun 25, 2024
f98241b
simplify is_data_available + small fixes
fradamt Jun 27, 2024
e4e30f3
only run deneb on_block tests with deneb phase
fradamt Jun 27, 2024
6723efd
handle is_chain_available in tests
fradamt Jun 27, 2024
40c55e6
typo fix
fradamt Jun 27, 2024
fcca8fd
fix lint
fradamt Jun 27, 2024
107dda6
deal with the genesis edge case directly in the fork_choice spec
fradamt Jun 27, 2024
e9398f6
move genesis edge case check in is_chain_available
fradamt Jun 27, 2024
22456c8
change validator custody according to Justin's suggestion
fradamt Jun 27, 2024
0f1e471
fix typo
fradamt Jun 27, 2024
ef64924
remove unused helpers
fradamt Jul 9, 2024
82103dd
Apply suggestions from code review
fradamt Jul 10, 2024
4f3c150
apply suggestions from code review
fradamt Jul 11, 2024
908f37d
doctoc
fradamt Jul 11, 2024
1acba8b
Merge branch 'dev' into peerdas-fc
fradamt Jul 11, 2024
a2db18c
remove .history folder
fradamt Jul 11, 2024
19804a3
Apply suggestions from code review
fradamt Jul 11, 2024
1613d2e
Small fix
fradamt Jul 11, 2024
62006c9
doctoc
fradamt Jul 11, 2024
3f5ba2e
typo
fradamt Jul 29, 2024
8dbd874
fix wrong type
fradamt Aug 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions configs/mainnet.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,11 +157,13 @@ WHISK_PROPOSER_SELECTION_GAP: 2
# EIP7594
NUMBER_OF_COLUMNS: 128
MAX_CELLS_IN_EXTENDED_MATRIX: 768
DATA_COLUMN_SIDECAR_SUBNET_COUNT: 32
DATA_COLUMN_SIDECAR_SUBNET_COUNT: 128
MAX_REQUEST_DATA_COLUMN_SIDECARS: 16384
SAMPLES_PER_SLOT: 8
CUSTODY_REQUIREMENT: 1
TARGET_NUMBER_OF_PEERS: 70
SAMPLES_PER_SLOT: 16
CUSTODY_REQUIREMENT: 4
VALIDATOR_CUSTODY_REQUIREMENT: 6
BALANCE_PER_ADDITIONAL_CUSTODY_SUBNET: 16000000000 # 2**4 * 10**9 (= 16,000,000,000)
TARGET_NUMBER_OF_PEERS: 100
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that most clients don't use this config value, so I guess this is more like a reference / recommendation?

#3766 (comment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have created a PR to remove TARGET_NUMBER_OF_PEERS as a config variable


# [New in Electra:EIP7251]
MIN_PER_EPOCH_CHURN_LIMIT_ELECTRA: 128000000000 # 2**7 * 10**9 (= 128,000,000,000)
Expand Down
10 changes: 6 additions & 4 deletions configs/minimal.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,11 +156,13 @@ WHISK_PROPOSER_SELECTION_GAP: 1
# EIP7594
NUMBER_OF_COLUMNS: 128
MAX_CELLS_IN_EXTENDED_MATRIX: 768
DATA_COLUMN_SIDECAR_SUBNET_COUNT: 32
DATA_COLUMN_SIDECAR_SUBNET_COUNT: 128
asn-d6 marked this conversation as resolved.
Show resolved Hide resolved
MAX_REQUEST_DATA_COLUMN_SIDECARS: 16384
SAMPLES_PER_SLOT: 8
CUSTODY_REQUIREMENT: 1
TARGET_NUMBER_OF_PEERS: 70
SAMPLES_PER_SLOT: 16
CUSTODY_REQUIREMENT: 4
VALIDATOR_CUSTODY_REQUIREMENT: 6
BALANCE_PER_ADDITIONAL_CUSTODY_SUBNET: 16000000000 # 2**4 * 10**9 (= 16,000,000,000)
TARGET_NUMBER_OF_PEERS: 100

# [New in Electra:EIP7251]
MIN_PER_EPOCH_CHURN_LIMIT_ELECTRA: 64000000000 # 2**6 * 10**9 (= 64,000,000,000)
Expand Down
21 changes: 16 additions & 5 deletions specs/_features/eip7594/das-core.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,15 +73,18 @@ We define the following Python custom types for type hinting and readability:

| Name | Value | Description |
| - | - | - |
| `DATA_COLUMN_SIDECAR_SUBNET_COUNT` | `32` | The number of data column sidecar subnets used in the gossipsub protocol |
| `DATA_COLUMN_SIDECAR_SUBNET_COUNT` | `128` | The number of data column sidecar subnets used in the gossipsub protocol |

### Custody setting

| Name | Value | Description |
| - | - | - |
| `SAMPLES_PER_SLOT` | `8` | Number of `DataColumn` random samples a node queries per slot |
| `CUSTODY_REQUIREMENT` | `1` | Minimum number of subnets an honest node custodies and serves samples from |
| `TARGET_NUMBER_OF_PEERS` | `70` | Suggested minimum peer count |
| `SAMPLES_PER_SLOT` | `16` | Number of `DataColumn` random samples a node queries per slot |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no such thing as DataColumn

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch!

| `CUSTODY_REQUIREMENT` | `4` | Minimum number of subnets an honest node custodies and serves samples from |
| `VALIDATOR_CUSTODY_REQUIREMENT` | `6` | Minimum number of subnets an honest node with validators attached custodies and serves samples from |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think VALIDATOR_CUSTODY_REQUIREMENT is a little misleading. In practice, this will never be 6.

  • Provided a validator with a balance of 32 ETH, get_validators_custody_requirement will return 8.
  • Provided a validator with a balance of 17 ETH, get_validators_custody_requirement will return 7.
  • Provided a validator with a balance of 16 ETH, get_validators_custody_requirement will return 6.
    • But it will never really get to this value, as the validator is queried for ejection at 16.75 ETH.

Why not just have a single CUSTODY_REQUIREMENT plus additional custodies per validator?

Copy link
Contributor Author

@fradamt fradamt May 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What I would like to preserve is:

  • a full node custodies only 4 subnets (I don't see much reason to go beyond that)
  • validators custody at least 8 subnets (I think it's a good minimum for security reasons)
  • the custody does not grow too fast with validator count (the distribution of number of validator per nodes is quite bimodal, with either just a few or hundreds, and I think it's good to keep the requirements low for the former). Growing it by 4 per validator (per 32 ETH) is too high imo

How do you feel about this, with VALIDATOR_CUSTODY_REQUIREMENT = 8?

def get_validators_custody_requirement(state: BeaconState, validator_indices: List[ValidatorIndex]) -> uint64:
    total_node_balance = sum(state.balances[index] for index in validator_indices)
    validator_custody_requirement = VALIDATOR_CUSTODY_REQUIREMENT 
    if total_node_balance >= MIN_ACTIVATION_BALANCE:
        validator_custody_requirement += (total_node_balance - MIN_ACTIVATION_BALANCE) // BALANCE_PER_ADDITIONAL_CUSTODY_SUBNET
    return validator_custody_requirement

Copy link
Member

@jtraglia jtraglia May 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm I understand the rationale. Your alternative is generally fine, but it does feel a little overly-complex.

How about something like the following?

def get_validators_custody_requirement(state: BeaconState, validator_indices: List[ValidatorIndex]) -> uint64:
    total_node_balance = sum(state.balances[index] for index in validator_indices)
    count = total_node_balance // BALANCE_PER_ADDITIONAL_CUSTODY_SUBNET
    return min(max(count, VALIDATOR_CUSTODY_REQUIREMENT), DATA_COLUMN_SIDECAR_SUBNET_COUNT)

This would provide the following custody requirements:

Validators Custody Requirement
1 8
2 8
3 8
4 8
5 10
6 12
... ...
63 126
64 128
65 128

This makes the computation relatively straight forward:

  • 2 x the number of validators on the node, minimum 8, max 128.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 on using BALANCE_PER_ADDITIONAL_CUSTODY_SUBNET

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Francesco's implementation uses that too. But yes, the constant is a good idea.

Copy link
Member

@jtraglia jtraglia May 29, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah you're right. It was a pseudocode mistake & the declaration/usage of multiplier can be removed. I believe I was thinking that BALANCE_PER_ADDITIONAL_CUSTODY_SUBNET should be defined as:

MAX_EFFECTIVE_BALANCE_ELECTRA // DATA_COLUMN_SIDECAR_SUBNET_COUNT

So that it properly scales if we (1) increase the max EB again or (2) increase the subnet count.

(Also, I fixed the backwards min and max)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this version, because it only starts increasing from 8 after a few validators, which is imo a fairly desirable property in itself. I would even consider setting BALANCE_PER_ADDITIONAL_CUSTODY_SUBNET to 32 ETH, so that it's "1x the number of validators on the node, minimum 8, max 128", and it only starts increasing from the minimum after 8 validators.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am a bit worried on the direction of dynamically increasing the custody count depending on how many validators you do run with. For context, last year we finally moved to a new attestation subnet backbone structure where the responsibility for subscribing to long-lived attestation subnets was equally distributed amongst all nodes rather than those running many validators:
#2749
#3312

The way validator custody is currently specified, you would reintroduce the same downsides by requiring nodes running with many validators to custody all the subnets. Is it necessary to scale the custody count this way ? anyway we can simply have an upper bound rather than all the subnets being custodied if you run more than > 64 validators.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am a bit worried on the direction of dynamically increasing the custody count depending on how many validators you do run with. For context, last year we finally moved to a new attestation subnet backbone structure where the responsibility for subscribing to long-lived attestation subnets was equally distributed amongst all nodes rather than those running many validators:
#2749
#3312
The way validator custody is currently specified, you would reintroduce the same downsides by requiring nodes running with many validators to custody all the subnets. Is it necessary to scale the custody count this way ?

The rationale behind making custody-count depend on something is as follows:

  1. the system performs much better if we have nodes that can repair on-the-fly. This makes "just available" blocks "overwhelmingly available", which improves the amount of blocks that get canonical (because after repair, these blocks will get enough votes), and it also improves the sampling process (because we will have much less false negatives during sampling). We call this availability amplification.
  2. in the 1D erasure coding case, only nodes that have at least half of the columns can repair. (Note that we do not need this in the 2D case, where any node can repair a row or a column).
  3. The most intuitive way to force the system to have such "supernodes" is to make custody depend on validator count. There could be other ways, like
    • random allocation of "supernode role",
    • hoping that there will be supernodes,
    • having nodes doing incrementalDAS and eventual repair,
      but custody based allocation seems to align best with expected resources needed to actually download the data and do the reconstruction. In other words, if someone has many validators, they can pay for the bandwidth and compute.

This goes agains the "hiding" property achieved by equally distributing, but improves system performance. Once we change to 2D encoding, we can go back to equally distributing custody.

anyway we can simply have an upper bound rather than all the subnets being custodied if you run more than > 64 validators.

I'm not sure I interpret this right, but it is important that we can't stop custody requirement at 64. Otherwise, if there would be exactly 64 columns released, we would need a supernode that is by miracle subscribed to the exact same 64 columns. There are too many combinations for that, we would need too many supernodes. If really needed, we could stop before 128, but we need way more than 64.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Echoing the above, and also @dapplion's comment that validator custody means that in practice, given the actual stake distribution, most of the stake will be run on supernodes, which imho is a good thing, because it hugely derisks the whole system. It basically means that the introduction of DAS is essentially irrelevant for 90% of the validator set, other than moving from gossiping few large objects to a lot of smaller objects. And why shouldn't someone that runs hundreds of validators, with millions or even tens of millions of stake, be downloading the whole data and contributing to the security and stability of the network?

This is quite different from the attestation subnets case imho, because there are huge tangible benefits to be had from linearly scaling the load based on stake. Also, validator custody does not change the fact that all nodes still share the responsibility for forming the backbone of long-lived subscriptions, though not equally.

Another point here is that downloading the whole data is by far the best way to ensure that you always correctly fulfil validator duties, including protecting you when proposing.

| `BALANCE_PER_ADDITIONAL_CUSTODY_SUBNET` | `Gwei(16 * 10**9)` | Balance increment corresponding to one additional subnet to custody |
| `TARGET_NUMBER_OF_PEERS` | `100` | Suggested minimum peer count |

fradamt marked this conversation as resolved.
Show resolved Hide resolved

### Containers

Expand Down Expand Up @@ -201,7 +204,15 @@ def get_data_column_sidecars(signed_block: SignedBeaconBlock,

### Custody requirement

Each node downloads and custodies a minimum of `CUSTODY_REQUIREMENT` subnets per slot. The particular subnets that the node is required to custody are selected pseudo-randomly (more on this below).
Each node *without attached validators* downloads and custodies a minimum of `CUSTODY_REQUIREMENT` subnets per slot. A node with validators attached downloads and custodies a higher minimum of subnets per slot, determined by `get_validators_custody_requirement(state, validator_indices)`. Here, `state` is the current `BeaconState` and `validator_indices` is the list of indices corresponding to validators attached to the node. Any node with at least one validator attached downloads and custodies a minimum of `VALIDATOR_CUSTODY_REQUIREMENT` subnets per slot, as well as `total_node_balance // BALANCE_PER_ADDITIONAL_CUSTODY_SUBNET` additional subnets, where `total_node_balance` is the sum of the balances of all validators attached to that node.

```python
def get_validators_custody_requirement(state: BeaconState, validator_indices: List[ValidatorIndex]) -> uint64:
total_node_balance = sum(state.balances[index] for index in validator_indices)
return VALIDATOR_CUSTODY_REQUIREMENT + (total_node_balance // BALANCE_PER_ADDITIONAL_CUSTODY_SUBNET)
```

The particular subnets that the node is required to custody are selected pseudo-randomly (more on this below).

A node *may* choose to custody and serve more than the minimum honesty requirement. Such a node explicitly advertises a number greater than `CUSTODY_REQUIREMENT` via the peer discovery mechanism -- for example, in their ENR (e.g. `custody_subnet_count: 4` if the node custodies `4` subnets each slot) -- up to a `DATA_COLUMN_SIDECAR_SUBNET_COUNT` (i.e. a super-full node).

Expand Down
173 changes: 173 additions & 0 deletions specs/_features/eip7594/fork-choice.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,173 @@
# EIP-7594 -- Fork Choice

## Table of contents
<!-- TOC -->
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

- [Introduction](#introduction)
- [Containers](#containers)
- [Helpers](#helpers)
- [Extended `PayloadAttributes`](#extended-payloadattributes)
- [`is_data_available`](#is_data_available)
- [Updated fork-choice handlers](#updated-fork-choice-handlers)
- [`on_block`](#on_block)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- /TOC -->

## Introduction

This is the modification of the fork choice accompanying EIP-7594
fradamt marked this conversation as resolved.
Show resolved Hide resolved

### Helpers

### `is_data_available`

```python
def is_data_available(beacon_block_root: Root, require_peer_sampling: bool=False) -> bool:
# Unimplemented function which returns the node_id and custody_subnet_count
node_id, custody_subnet_count = get_custody_parameters()
columns_to_retrieve = get_custody_columns(node_id, custody_subnet_count)
if require_peer_sampling:
columns_to_retrieve += get_sampling_columns()
column_sidecars = retrieve_column_sidecars(beacon_block_root, columns_to_retrieve)
return all(
verify_data_column_sidecar_kzg_proofs(column_sidecar)
for column_sidecar in column_sidecars
)
```

### `is_chain_available`

```python
def is_chain_available(store: Store, beacon_block_root: Root) -> bool:
block = store.blocks[beacon_block_root]
block_epoch = compute_epoch_at_slot(block.slot)
current_epoch = get_current_store_epoch(store)
if block_epoch + MIN_EPOCHS_FOR_BLOB_SIDECARS_REQUESTS <= current_epoch:
return True
parent_root = block.parent_root
return (
is_data_available(beacon_block_root, require_peer_sampling=True)
and is_chain_available(store, parent_root)
)

```
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should delete the blank line.


### `get_head`

```python
def get_head(store: Store) -> Root:
# Get filtered block tree that only includes viable branches
blocks = get_filtered_block_tree(store)
# Execute the LMD-GHOST fork choice
head = store.justified_checkpoint.root
while True:
# Get available children for the current slot
children = [
root for (root, block) in blocks.items()
if (
block.parent_root == head
and is_data_available(
root,
require_peer_sampling=is_peer_sampling_required(store, block.slot)
)
)
]
if len(children) == 0:
return head
# Sort by latest attesting balance with ties broken lexicographically
# Ties broken by favoring block with lexicographically higher root
head = max(children, key=lambda root: (get_weight(store, root), root))
```

```python
def is_peer_sampling_required(store, slot):
return compute_epoch_at_slot(slot) + 2 <= get_current_epoch(store)
```

## Updated fork-choice handlers

### `on_block`

*Note*: The blob data availability check is removed and replaced with an availability
check on the on the justified checkpoint in the "pulled up state" of the block, after
applying `process_justification_and_finalization`.

```python
def on_block(store: Store, signed_block: SignedBeaconBlock) -> None:
"""
Run ``on_block`` upon receiving a new block.
"""
block = signed_block.message
# Parent block must be known
assert block.parent_root in store.block_states
# Make a copy of the state to avoid mutability issues
state = copy(store.block_states[block.parent_root])
# Blocks cannot be in the future. If they are, their consideration must be delayed until they are in the past.
assert get_current_slot(store) >= block.slot

# Check that block is later than the finalized epoch slot (optimization to reduce calls to get_ancestor)
finalized_slot = compute_start_slot_at_epoch(store.finalized_checkpoint.epoch)
assert block.slot > finalized_slot
# Check block is a descendant of the finalized block at the checkpoint finalized slot
finalized_checkpoint_block = get_checkpoint_block(
store,
block.parent_root,
store.finalized_checkpoint.epoch,
)
assert store.finalized_checkpoint.root == finalized_checkpoint_block

# Check the block is valid and compute the post-state
block_root = hash_tree_root(block)
state_transition(state, signed_block, True)

# [New in EIP7594] Do not import the block if its unrealized justified checkpoint is not available
pulled_up_state = state.copy()
process_justification_and_finalization(pulled_up_state)
assert is_chain_available(store, pulled_up_state.current_justified_checkpoint.root)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that we shoud also check the current justified checkpoint for the non-pulled-up: is_chain_available(store, state.current_justified_checkpoint.root).
This is because if a block B is from the current epoch and it is chosed as the head, then the voting source corresponds to the current justied checkpoint for then non-pulled-up state, i.e., store.block_states[B].current_justified_checkpoint.


# Add new block to the store
store.blocks[block_root] = block
# Add new state for this block to the store
store.block_states[block_root] = state

# Add block timeliness to the store
time_into_slot = (store.time - store.genesis_time) % SECONDS_PER_SLOT
is_before_attesting_interval = time_into_slot < SECONDS_PER_SLOT // INTERVALS_PER_SLOT
is_timely = get_current_slot(store) == block.slot and is_before_attesting_interval
store.block_timeliness[hash_tree_root(block)] = is_timely

# Add proposer score boost if the block is timely and not conflicting with an existing block
is_first_block = store.proposer_boost_root == Root()
if is_timely and is_first_block:
store.proposer_boost_root = hash_tree_root(block)

# Update checkpoints in store if necessary
update_checkpoints(store, state.current_justified_checkpoint, state.finalized_checkpoint)

# Eagerly compute unrealized justification and finality.
compute_pulled_up_tip(store, block_root, pulled_up_state)
```

#### Pull-up tip helpers

##### `compute_pulled_up_tip`
fradamt marked this conversation as resolved.
Show resolved Hide resolved

Modified to take `pulled_up_state`, the block's state after applying `processing_justification_and_finalization`.
The application of `processing_justification_and_finalization` now happens in `on_block`.

```python
def compute_pulled_up_tip(store: Store, pulled_up_state: BeaconState, block_root: Root) -> None:
Copy link
Contributor

@saltiniroberto saltiniroberto Aug 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Has this function been modified only to avoid executing process_justification_and_finalization twice (as it is already executed at line 146 now) or is there any other reason?
If there is no other reason, I think it is better not to modify this function as the original function is more self-contained and therefore, I think, more readable (e.g. one does not need to track back the value assigned to pulled_up_state)

store.unrealized_justifications[block_root] = pulled_up_state.current_justified_checkpoint
unrealized_justified = pulled_up_state.current_justified_checkpoint
unrealized_finalized = pulled_up_state.finalized_checkpoint
update_unrealized_checkpoints(store, unrealized_justified, unrealized_finalized)

# If the block is from a prior epoch, apply the realized values
block_epoch = compute_epoch_at_slot(store.blocks[block_root].slot)
current_epoch = get_current_store_epoch(store)
if block_epoch < current_epoch:
update_checkpoints(store, unrealized_justified, unrealized_finalized)
```
Loading