RANDAO reveal slashing, custody period staggering and integration of custody and RANDAO reveals

specs/core/0_beacon-chain.md

@@ -37,6 +37,7 @@
         - [Beacon operations](#beacon-operations)
             - [`ProposerSlashing`](#proposerslashing)
             - [`AttesterSlashing`](#attesterslashing)
+            - [`RandaoKeyReveal`](#RandaoKeyReveal)
             - [`Attestation`](#attestation)
             - [`Deposit`](#deposit)
             - [`VoluntaryExit`](#voluntaryexit)
@@ -133,6 +134,7 @@
             - [Operations](#operations)
                 - [Proposer slashings](#proposer-slashings)
                 - [Attester slashings](#attester-slashings)
+                - [Randao reveal slashings](#randao-reveal-slashings)
                 - [Attestations](#attestations)
                 - [Deposits](#deposits)
                 - [Voluntary exits](#voluntary-exits)
@@ -234,6 +236,9 @@ These configurations are updated for releases, but may be out of sync during `de
 | `MIN_VALIDATOR_WITHDRAWABILITY_DELAY` | `2**8` (= 256) | epochs | ~27 hours |
 | `PERSISTENT_COMMITTEE_PERIOD` | `2**11` (= 2,048)  | epochs | 9 days  |
 | `MAX_CROSSLINK_EPOCHS` | `2**6` (= 64) | epochs | ~7 hours |
+| `RANDAO_PENALTY_EPOCHS` | `2` | epochs | 12.8 minutes |
+| `EPOCHS_PER_CUSTODY_PERIOD` | `2**11` (= 2,048) | epochs | ~9 days |
+| `CUSTODY_PERIOD_TO_RANDAO_PADDING` | `2**11` (= 2,048) | epochs | ~9 days |
 
 * `MAX_CROSSLINK_EPOCHS` should be a small constant times `SHARD_COUNT // SLOTS_PER_EPOCH`
 
@@ -254,6 +259,7 @@ These configurations are updated for releases, but may be out of sync during `de
 | `PROPOSER_REWARD_QUOTIENT` | `2**3` (= 8) |
 | `INACTIVITY_PENALTY_QUOTIENT` | `2**24` (= 16,777,216) |
 | `MIN_PENALTY_QUOTIENT` | `2**5` (= 32) |
+| `RANDAO_REVEAL_PENALTY_QUOTIENT` | `2**7` (= 128) |
 
 * The `BASE_REWARD_QUOTIENT` parameter dictates the per-epoch reward. It corresponds to ~2.54% annual interest assuming 10 million participating ETH in every epoch.
 * The `INACTIVITY_PENALTY_QUOTIENT` equals `INVERSE_SQRT_E_DROP_TIME**2` where `INVERSE_SQRT_E_DROP_TIME := 2**12 epochs` (~18 days) is the time it takes the inactivity penalty to reduce the balance of non-participating [validators](#dfn-validator) to about `1/sqrt(e) ~= 60.6%`. Indeed, the balance retained by offline [validators](#dfn-validator) after `n` epochs is about `(1 - 1/INACTIVITY_PENALTY_QUOTIENT)**(n**2/2)` so after `INVERSE_SQRT_E_DROP_TIME` epochs it is roughly `(1 - 1/INACTIVITY_PENALTY_QUOTIENT)**(INACTIVITY_PENALTY_QUOTIENT/2) ~= 1/sqrt(e)`.
@@ -264,6 +270,7 @@ These configurations are updated for releases, but may be out of sync during `de
 | - | - |
 | `MAX_PROPOSER_SLASHINGS` | `2**4` (= 16) |
 | `MAX_ATTESTER_SLASHINGS` | `2**0` (= 1) |
+| `MAX_RANDAO_KEY_REVEALS` | `2**4` (= 16) |
 | `MAX_ATTESTATIONS` | `2**7` (= 128) |
 | `MAX_DEPOSITS` | `2**4` (= 16) |
 | `MAX_VOLUNTARY_EXITS` | `2**4` (= 16) |
@@ -426,7 +433,9 @@ The types are defined topologically to aid in facilitating an executable version
     # Was the validator slashed
     'slashed': 'bool',
     # Rounded balance
-    'high_balance': 'uint64'
+    'high_balance': 'uint64',
+    # Future RANDAO reveals already exposed 
+    'exposed_randao_reveals': ['uint64'],
 }
 ```
 
@@ -482,6 +491,18 @@ The types are defined topologically to aid in facilitating an executable version
 }
 ```
 
+#### `RandaoKeyReveal`
+
+```python
+{
+    'revealer_index': ValidatorIndex,
+    'epoch': 'uint64',
+    'reveal': 'bytes96',
+    'masker_index': ValidatorIndex,
+    'mask': 'bytes32',
+}
+```
+
 #### `Attestation`
 
 ```python
@@ -539,7 +560,7 @@ The types are defined topologically to aid in facilitating an executable version
     'slot': 'uint64',
     # Sender withdrawal pubkey
     'pubkey': 'bytes48',
-    # Sender signature
+    # Sender signaturerandao_key_reveals
     'signature': 'bytes96',
 }
 ```
@@ -554,6 +575,7 @@ The types are defined topologically to aid in facilitating an executable version
     'eth1_data': Eth1Data,
     'proposer_slashings': [ProposerSlashing],
     'attester_slashings': [AttesterSlashing],
+    'randao_key_reveals': [RandaoKeyReveal],
     'attestations': [Attestation],
     'deposits': [Deposit],
     'voluntary_exits': [VoluntaryExit],
@@ -1429,6 +1451,7 @@ def get_empty_block() -> BeaconBlock:
             ),
             proposer_slashings=[],
             attester_slashings=[],
+            randao_key_reveals=[],
             attestations=[],
             deposits=[],
             voluntary_exits=[],
@@ -2021,6 +2044,12 @@ def finish_epoch_update(state: BeaconState) -> None:
     # Rotate current/previous epoch attestations
     state.previous_epoch_attestations = state.current_epoch_attestations
     state.current_epoch_attestations = []
+
+    # Clean up exposed RANDAO reveals
+    for index, validator in enumerate(state.validator_registry):
+        for reveal_index, reveal_epoch in enumerate(validator.exposed_randao_reveals):
+            if reveal_epoch <= current_epoch:
+                del validator.exposed_randao_reveals[reveal_index]
 ```
 
 ### Per-slot processing
@@ -2161,6 +2190,74 @@ def process_attester_slashing(state: BeaconState,
         slash_validator(state, index)
 ```
 
+##### Custody key reveals
+
+Placeholder for phase 1
+
+
+```python
+def process_custody_reveal(state: BeaconState,
+                           reveal: RandaoKeyReveal) -> None:
+    assert False
+```
+
+##### Randao key reveals
+
+Verify that `len(block.body.randao_key_reveals) <= MAX_RANDAO_KEY_REVEALS`.
+
+For each `randao_key_reveal` in `block.body.randao_key_reveal`, run the following function:
+
+```python
+def process_randao_key_reveal(state: BeaconState,
+                              randao_key_reveal: RandaoKeyReveal) -> None:
+    """
+    Process ``RandaoKeyReveal`` operation.
+    Note that this function mutates ``state``.
+    """
+    if randao_key_reveal.mask == ZERO_HASH:
+        process_custody_reveal(state, randao_key_reveal)
+
+    revealer = state.validator_registry[randao_key_reveal.revealer_index]
+    masker = state.validator_registry[randao_key_reveal.masker_index]
+    pubkeys = [revealer.pubkey, masker.pubkey]
+    message_hashes = [
+        hash_tree_root(randao_key_reveal.epoch),
+        randao_key_reveal.mask,
+    ]
+
+    assert randao_key_reveal.epoch >= get_current_epoch(state) + RANDAO_PENALTY_EPOCHS
+    assert revealer.slashed is False
+    assert randao_key_reveal.epoch not in state.validator_registry[randao_key_reveal.revealer_index].exposed_randao_reveals
+
+    assert bls_verify_multiple(
+        pubkeys=pubkeys,
+        message_hashes=message_hashes,
+        signature=randao_key_reveal.reveal,
+        domain=get_domain(
+            fork=state.fork,
+            epoch=randao_key_reveal.epoch,
+            domain_type=DOMAIN_RANDAO,
+        ),
+    )
+
+    if randao_key_reveal.epoch >= get_current_epoch(state) + CUSTODY_PERIOD_TO_RANDAO_PADDING:
+        # Replacement for custody reveal slashing
+        slash_validator(state, randao_key_reveal.revealer_index, randao_key_reveal.masker_index)
+    else:
+        # Only a small penalty for RANDAO reveal that does not interfere with the custody period
+        penalty = get_effective_balance(state, randao_key_reveal.revealer_index) // RANDAO_REVEAL_PENALTY_QUOTIENT
+        proposer_index = get_beacon_proposer_index(state, state.slot)
+        whistleblower_index = randao_key_reveal.masker_index
+        whistleblowing_reward = penalty // WHISTLEBLOWING_REWARD_QUOTIENT
+        proposer_reward = whistleblowing_reward // PROPOSER_REWARD_QUOTIENT
+        increase_balance(state, proposer_index, proposer_reward)
+        increase_balance(state, whistleblower_index, whistleblowing_reward - proposer_reward)
+        decrease_balance(state, randao_key_reveal.revealer_index, penalty)
+        state.validator_registry[randao_key_reveal.revealer_index].exposed_randao_reveals.append(randao_key_reveal.epoch)
+
+
+```
+
 ##### Attestations
 
 Verify that `len(block.body.attestations) <= MAX_ATTESTATIONS`.
@@ -2272,7 +2369,8 @@ def process_deposit(state: BeaconState, deposit: Deposit) -> None:
             exit_epoch=FAR_FUTURE_EPOCH,
             withdrawable_epoch=FAR_FUTURE_EPOCH,
             slashed=False,
-            high_balance=0
+            high_balance=0,
+            exposed_randao_reveals=[],
         )
 
         # Note: In phase 2 registry indices that have been withdrawn for a long time will be recycled.

specs/core/1_custody-game.md

@@ -22,7 +22,6 @@
             - [`CustodyChunkChallengeRecord`](#custodychunkchallengerecord)
             - [`CustodyBitChallengeRecord`](#custodybitchallengerecord)
             - [`CustodyResponse`](#custodyresponse)
-            - [`CustodyKeyReveal`](#custodykeyreveal)
         - [Phase 0 container updates](#phase-0-container-updates)
             - [`Validator`](#validator)
             - [`BeaconState`](#beaconstate)
@@ -76,7 +75,6 @@ This document details the beacon chain additions and changes in Phase 1 of Ether
 | Name | Value | Unit | Duration |
 | - | - | :-: | :-: |
 | `MAX_CHUNK_CHALLENGE_DELAY` | `2**11` (= 2,048) | epochs | ~9 days |
-| `EPOCHS_PER_CUSTODY_PERIOD` | `2**11` (= 2,048) | epochs | ~9 days |
 | `CUSTODY_RESPONSE_DEADLINE` | `2**14` (= 16,384) | epochs | ~73 days |
 
 ### Max operations per block
@@ -92,8 +90,7 @@ This document details the beacon chain additions and changes in Phase 1 of Ether
 
 | Name | Value |
 | - | - |
-| `DOMAIN_CUSTODY_KEY_REVEAL` | `6` |
-| `DOMAIN_CUSTODY_BIT_CHALLENGE` | `7` |
+| `DOMAIN_CUSTODY_BIT_CHALLENGE` | `6` |
 
 ## Data structures
 
@@ -161,18 +158,6 @@ This document details the beacon chain additions and changes in Phase 1 of Ether
 }
 ```
 
-#### `CustodyKeyReveal`
-
-```python
-{
-    'revealer_index': ValidatorIndex,
-    'period': 'uint64',
-    'key': BLSSignature,
-    'masker_index': ValidatorIndex,
-    'mask': Hash,
-}
-```
-
 ### Phase 0 container updates
 
 Add the following fields to the end of the specified container objects. Fields with underlying type `uint64` are initialized to `0` and list fields are initialized to `[]`.
@@ -195,7 +180,6 @@ Add the following fields to the end of the specified container objects. Fields w
 #### `BeaconBlockBody`
 
 ```python
-    'custody_key_reveals': [CustodyKeyReveal],
     'custody_chunk_challenges': [CustodyChunkChallenge],
     'custody_bit_challenges': [CustodyBitChallenge],
     'custody_responses': [CustodyResponse],
@@ -229,30 +213,29 @@ def epoch_to_custody_period(epoch: Epoch) -> int:
     return epoch // EPOCHS_PER_CUSTODY_PERIOD
 ```
 
+### `get_randao_epoch_for_custody_period`
+
+```python
+def get_randao_epoch_for_custody_period(period: int) -> Epoch:
+    return period * EPOCHS_PER_CUSTODY_PERIOD + CUSTODY_PERIOD_TO_RANDAO_PADDING
+```
+
 ### `verify_custody_key`
 
 ```python
-def verify_custody_key(state: BeaconState, reveal: CustodyKeyReveal) -> bool:
-    # Case 1: non-masked non-punitive non-early reveal
+def verify_custody_key(state: BeaconState, reveal: RandaoKeyReveal) -> bool:
+    epoch_to_sign = get_randao_epoch_for_custody_period(reveal.period)
     pubkeys = [state.validator_registry[reveal.revealer_index].pubkey]
-    message_hashes = [hash_tree_root(reveal.period)]
-
-    # Case 2: masked punitive early reveal
-    # Masking prevents proposer stealing the whistleblower reward
-    # Secure under the aggregate extraction infeasibility assumption
-    # See pages 11-12 of https://crypto.stanford.edu/~dabo/pubs/papers/aggreg.pdf
-    if reveal.mask != ZERO_HASH:
-        pubkeys.append(state.validator_registry[reveal.masker_index].pubkey)
-        message_hashes.append(reveal.mask)
+    message_hashes = [hash_tree_root(epoch_to_sign)]
 
     return bls_verify_multiple(
         pubkeys=pubkeys,
         message_hashes=message_hashes,
         signature=reveal.key,
         domain=get_domain(
             fork=state.fork,
-            epoch=reveal.period * EPOCHS_PER_CUSTODY_PERIOD,
-            domain_type=DOMAIN_CUSTODY_KEY_REVEAL,
+            epoch=epoch_to_sign * EPOCHS_PER_CUSTODY_PERIOD,
+            domain_type=DOMAIN_RANDAO,
         ),
     )
 ```
@@ -265,32 +248,22 @@ Add the following operations to the per-block processing, in order the given bel
 
 #### Custody reveals
 
-Verify that `len(block.body.custody_key_reveals) <= MAX_CUSTODY_KEY_REVEALS`.
-
-For each `reveal` in `block.body.custody_key_reveals`, run the following function:
+Replace process_custody_reveal from phase 0 with this function:
 
 ```python
 def process_custody_reveal(state: BeaconState,
-                           reveal: CustodyKeyReveal) -> None:
+                           reveal: RandaoKeyReveal) -> None:
     assert verify_custody_key(state, reveal)
     revealer = state.validator_registry[reveal.revealer_index]
     current_custody_period = epoch_to_custody_period(get_current_epoch(state))
 
-    # Case 1: non-masked non-punitive non-early reveal
-    if reveal.mask == ZERO_HASH:
-        assert reveal.period == epoch_to_custody_period(revealer.activation_epoch) + revealer.custody_reveal_index
-        # Revealer is active or exited
-        assert is_active_validator(revealer, get_current_epoch(state)) or revealer.exit_epoch > get_current_epoch(state)
-        revealer.custody_reveal_index += 1
-        revealer.max_reveal_lateness = max(revealer.max_reveal_lateness, current_custody_period - reveal.period)
-        proposer_index = get_beacon_proposer_index(state, state.slot)
-        increase_balance(state, proposer_index, base_reward(state, index) // MINOR_REWARD_QUOTIENT)
-
-    # Case 2: masked punitive early reveal
-    else:
-        assert reveal.period > current_custody_period
-        assert revealer.slashed is False
-        slash_validator(state, reveal.revealer_index, reveal.masker_index)
+    assert reveal.period == epoch_to_custody_period(revealer.activation_epoch) + revealer.custody_reveal_index
+    # Revealer is active or exited
+    assert is_active_validator(revealer, get_current_epoch(state)) or revealer.exit_epoch > get_current_epoch(state)
+    revealer.custody_reveal_index += 1
+    revealer.max_reveal_lateness = max(revealer.max_reveal_lateness, current_custody_period - reveal.period)
+    proposer_index = get_beacon_proposer_index(state, state.slot)
+    increase_balance(state, proposer_index, base_reward(state, index) // MINOR_REWARD_QUOTIENT)
 ```
 
 #### Chunk challenges
@@ -368,7 +341,7 @@ def process_bit_challenge(state: BeaconState,
         assert record.challenger_index != challenge.challenger_index
         assert record.responder_index != challenge.responder_index
     # Verify the responder key
-    assert verify_custody_key(state, CustodyKeyReveal(
+    assert verify_custody_key(state, RandaoKeyReveal(
         revealer_index=challenge.responder_index,
         period=epoch_to_custody_period(slot_to_epoch(attestation.data.slot)),
         key=challenge.responder_key,