RANDAO reveal slashing, custody period staggering and integration of custody and RANDAO reveals

specs/core/0_beacon-chain.md

@@ -37,6 +37,7 @@
         - [Beacon operations](#beacon-operations)
             - [`ProposerSlashing`](#proposerslashing)
             - [`AttesterSlashing`](#attesterslashing)
+            - [`RandaoRevealSlashing`](#randaorevealslashing)
             - [`Attestation`](#attestation)
             - [`Deposit`](#deposit)
             - [`VoluntaryExit`](#voluntaryexit)
@@ -135,6 +136,7 @@
             - [Operations](#operations)
                 - [Proposer slashings](#proposer-slashings)
                 - [Attester slashings](#attester-slashings)
+                - [Randao reveal slashings](#randao-reveal-slashings)
                 - [Attestations](#attestations)
                 - [Deposits](#deposits)
                 - [Voluntary exits](#voluntary-exits)
@@ -236,6 +238,10 @@ Code snippets appearing in `this style` are to be interpreted as Python code.
 | `MIN_VALIDATOR_WITHDRAWABILITY_DELAY` | `2**8` (= 256) | epochs | ~27 hours |
 | `PERSISTENT_COMMITTEE_PERIOD` | `2**11` (= 2,048)  | epochs | 9 days  |
 | `MAX_CROSSLINK_EPOCHS` | `2**6` (= 64) |
+| `RANDAO_SLASHING_EPOCHS` | `2` | epochs | 12.8 minutes |
+| `EPOCHS_PER_CUSTODY_PERIOD` | `2**11` (= 2,048) | epochs | ~9 days |
+| `CUSTODY_PERIOD_TO_RANDAO_PADDING` | `2**6` (= 64) | epochs | ~6.8 hours |
+
 
 * `MAX_CROSSLINK_EPOCHS` should be a small constant times `SHARD_COUNT // SLOTS_PER_EPOCH`
 
@@ -257,6 +263,7 @@ Code snippets appearing in `this style` are to be interpreted as Python code.
 | `PROPOSER_REWARD_QUOTIENT` | `2**3` (= 8) |
 | `INACTIVITY_PENALTY_QUOTIENT` | `2**24` (= 16,777,216) |
 | `MIN_PENALTY_QUOTIENT` | `2**5` (= 32) |
+| `RANDAO_REVEAL_PENALTY_QUOTIENT` | `2**7` (= 32) |
 
 * The `BASE_REWARD_QUOTIENT` parameter dictates the per-epoch reward. It corresponds to ~2.54% annual interest assuming 10 million participating ETH in every epoch.
 * The `INACTIVITY_PENALTY_QUOTIENT` equals `INVERSE_SQRT_E_DROP_TIME**2` where `INVERSE_SQRT_E_DROP_TIME := 2**12 epochs` (~18 days) is the time it takes the inactivity penalty to reduce the balance of non-participating [validators](#dfn-validator) to about `1/sqrt(e) ~= 60.6%`. Indeed, the balance retained by offline [validators](#dfn-validator) after `n` epochs is about `(1 - 1/INACTIVITY_PENALTY_QUOTIENT)**(n**2/2)` so after `INVERSE_SQRT_E_DROP_TIME` epochs it is roughly `(1 - 1/INACTIVITY_PENALTY_QUOTIENT)**(INACTIVITY_PENALTY_QUOTIENT/2) ~= 1/sqrt(e)`.
@@ -267,6 +274,7 @@ Code snippets appearing in `this style` are to be interpreted as Python code.
 | - | - |
 | `MAX_PROPOSER_SLASHINGS` | `2**4` (= 16) |
 | `MAX_ATTESTER_SLASHINGS` | `2**0` (= 1) |
+| `MAX_RANDAO_REVEAL_SLASHINGS` | `2**0` (= 1) |
 | `MAX_ATTESTATIONS` | `2**7` (= 128) |
 | `MAX_DEPOSITS` | `2**4` (= 16) |
 | `MAX_VOLUNTARY_EXITS` | `2**4` (= 16) |
@@ -429,7 +437,9 @@ The types are defined topologically to aid in facilitating an executable version
     # Was the validator slashed
     'slashed': 'bool',
     # Rounded balance
-    'high_balance': 'uint64'
+    'high_balance': 'uint64',
+    # Future RANDAO reveals already exposed 
+    'exposed_randao_reveals': ['uint64'],
 }
 ```
 
@@ -485,6 +495,18 @@ The types are defined topologically to aid in facilitating an executable version
 }
 ```
 
+#### `RandaoRevealSlashing`
+
+```python
+{
+    'revealer_index': ValidatorIndex,
+    'epoch': 'uint64',
+    'reveal': 'bytes96',
+    'masker_index': ValidatorIndex,
+    'mask': 'bytes32',
+}
+```
+
 #### `Attestation`
 
 ```python
@@ -557,6 +579,7 @@ The types are defined topologically to aid in facilitating an executable version
     'eth1_data': Eth1Data,
     'proposer_slashings': [ProposerSlashing],
     'attester_slashings': [AttesterSlashing],
+    'randao_reveal_slashings': [RandaoRevealSlashing],
     'attestations': [Attestation],
     'deposits': [Deposit],
     'voluntary_exits': [VoluntaryExit],
@@ -1343,7 +1366,8 @@ def process_deposit(state: BeaconState, deposit: Deposit) -> None:
             withdrawable_epoch=FAR_FUTURE_EPOCH,
             initiated_exit=False,
             slashed=False,
-            high_balance=0
+            high_balance=0,
+            exposed_randao_reveals=[],
         )
 
         # Note: In phase 2 registry indices that have been withdrawn for a long time will be recycled.
@@ -1512,6 +1536,7 @@ def get_empty_block() -> BeaconBlock:
             ),
             proposer_slashings=[],
             attester_slashings=[],
+            randao_reveal_slashings=[],
             attestations=[],
             deposits=[],
             voluntary_exits=[],
@@ -2170,6 +2195,12 @@ def finish_epoch_update(state: BeaconState) -> None:
     # Rotate current/previous epoch attestations
     state.previous_epoch_attestations = state.current_epoch_attestations
     state.current_epoch_attestations = []
+
+    # Clean up exposed RANDAO reveals
+    for index, validator in enumerate(state.validator_registry):
+        for reveal_index, reveal_epoch in enumerate(validator.exposed_randao_reveals):
+            if reveal_epoch <= current_epoch:
+                del validator.exposed_randao_reveals[reveal_index]
 ```
 
 ### Per-slot processing
@@ -2310,6 +2341,60 @@ def process_attester_slashing(state: BeaconState,
         slash_validator(state, index)
 ```
 
+##### Randao reveal slashings
+
+Verify that `len(block.body.randao_reveal_slashings) <= MAX_RANDAO_REVEAL_SLASHINGS`.
+
+For each `randao_reveal_slashing` in `block.body.randao_reveal_slashings`, run the following function:
+
+```python
+def process_randao_reveal_slashing(state: BeaconState,
+                                   randao_reveal_slashing: RandaoRevealSlashing) -> None:
+    """
+    Process ``RandaoRevealSlashing`` operation.
+    Note that this function mutates ``state``.
+    """
+    revealer = state.validator_registry[randao_reveal_slashing.revealer_index]
+    masker = state.validator_registry[randao_reveal_slashing.masker_index]
+    pubkeys = [revealer.pubkey, masker.pubkey]
+    message_hashes = [
+        hash_tree_root(randao_reveal_slashing.epoch),
+        randao_reveal_slashing.mask,
+    ]
+
+    assert randao_reveal_slashing.epoch >= get_current_epoch(state) + RANDAO_SLASHING_EPOCHS
+    assert revealer.slashed is False
+    assert randao_reveal_slashing.epoch not in state.validator_registry[randao_reveal_slashing.revealer_index].exposed_randao_reveals
+
+    assert bls_verify_multiple(
+        pubkeys=pubkeys,
+        message_hashes=message_hashes,
+        signature=randao_reveal_slashing.reveal,
+        domain=get_domain(
+            fork=state.fork,
+            epoch=randao_reveal_slashing.epoch,
+            domain_type=DOMAIN_RANDAO,
+        ),
+    )
+
+    if randao_reveal_slashing.epoch >= get_current_epoch(state) + CUSTODY_PERIOD_TO_RANDAO_PADDING:
+        # Replacement for custody reveal slashing
+        slash_validator(state, randao_reveal_slashing.revealer_index, randao_reveal_slashing.masker_index)
+    else:
+        # Only a small penalty for RANDAO reveal that does not interfere with the custody period
+        penalty = get_effective_balance(state, randao_reveal_slashing.revealer_index) // RANDAO_REVEAL_PENALTY_QUOTIENT
+        proposer_index = get_beacon_proposer_index(state, state.slot)
+        whistleblower_index = randao_reveal_slashing.masker_index
+        whistleblowing_reward = penalty // WHISTLEBLOWING_REWARD_QUOTIENT
+        proposer_reward = whistleblowing_reward // PROPOSER_REWARD_QUOTIENT
+        increase_balance(state, proposer_index, proposer_reward)
+        increase_balance(state, whistleblower_index, whistleblowing_reward - proposer_reward)
+        decrease_balance(state, randao_reveal_slashing.revealer_index, penalty)
+        state.validator_registry[randao_reveal_slashing.revealer_index].exposed_randao_reveals.append(randao_reveal_slashing.epoch)
+
+
+```
+
 ##### Attestations
 
 Verify that `len(block.body.attestations) <= MAX_ATTESTATIONS`.

specs/core/1_custody-game.md

@@ -76,7 +76,6 @@ This document details the beacon chain additions and changes in Phase 1 of Ether
 | Name | Value | Unit | Duration |
 | - | - | :-: | :-: |
 | `MAX_CHUNK_CHALLENGE_DELAY` | `2**11` (= 2,048) | epochs | ~9 days |
-| `EPOCHS_PER_CUSTODY_PERIOD` | `2**11` (= 2,048) | epochs | ~9 days |
 | `CUSTODY_RESPONSE_DEADLINE` | `2**14` (= 16,384) | epochs | ~73 days |
 
 ### Max operations per block
@@ -92,8 +91,7 @@ This document details the beacon chain additions and changes in Phase 1 of Ether
 
 | Name | Value |
 | - | - |
-| `DOMAIN_CUSTODY_KEY_REVEAL` | `6` |
-| `DOMAIN_CUSTODY_BIT_CHALLENGE` | `7` |
+| `DOMAIN_CUSTODY_BIT_CHALLENGE` | `6` |
 
 ## Data structures
 
@@ -168,8 +166,6 @@ This document details the beacon chain additions and changes in Phase 1 of Ether
     'revealer_index': ValidatorIndex,
     'period': 'uint64',
     'key': BLSSignature,
-    'masker_index': ValidatorIndex,
-    'mask': Hash,
 }
 ```
 
@@ -229,30 +225,29 @@ def epoch_to_custody_period(epoch: Epoch) -> int:
     return epoch // EPOCHS_PER_CUSTODY_PERIOD
 ```
 
+### `get_randao_epoch_for_custody_period`
+
+```python
+def get_randao_epoch_for_custody_period(period: int) -> Epoch:
+    return period * EPOCHS_PER_CUSTODY_PERIOD + CUSTODY_PERIOD_TO_RANDAO_PADDING
+```
+
 ### `verify_custody_key`
 
 ```python
 def verify_custody_key(state: BeaconState, reveal: CustodyKeyReveal) -> bool:
-    # Case 1: non-masked non-punitive non-early reveal
+    epoch_to_sign = get_randao_epoch_for_custody_period(reveal.period)
     pubkeys = [state.validator_registry[reveal.revealer_index].pubkey]
-    message_hashes = [hash_tree_root(reveal.period)]
-
-    # Case 2: masked punitive early reveal
-    # Masking prevents proposer stealing the whistleblower reward
-    # Secure under the aggregate extraction infeasibility assumption
-    # See pages 11-12 of https://crypto.stanford.edu/~dabo/pubs/papers/aggreg.pdf
-    if reveal.mask != ZERO_HASH:
-        pubkeys.append(state.validator_registry[reveal.masker_index].pubkey)
-        message_hashes.append(reveal.mask)
+    message_hashes = [hash_tree_root(epoch_to_sign)]
 
     return bls_verify_multiple(
         pubkeys=pubkeys,
         message_hashes=message_hashes,
         signature=reveal.key,
         domain=get_domain(
             fork=state.fork,
-            epoch=reveal.period * EPOCHS_PER_CUSTODY_PERIOD,
-            domain_type=DOMAIN_CUSTODY_KEY_REVEAL,
+            epoch=epoch_to_sign * EPOCHS_PER_CUSTODY_PERIOD,
+            domain_type=DOMAIN_RANDAO,
         ),
     )
 ```
@@ -276,21 +271,13 @@ def process_custody_reveal(state: BeaconState,
     revealer = state.validator_registry[reveal.revealer_index]
     current_custody_period = epoch_to_custody_period(get_current_epoch(state))
 
-    # Case 1: non-masked non-punitive non-early reveal
-    if reveal.mask == ZERO_HASH:
-        assert reveal.period == epoch_to_custody_period(revealer.activation_epoch) + revealer.custody_reveal_index
-        # Revealer is active or exited
-        assert is_active_validator(revealer, get_current_epoch(state)) or revealer.exit_epoch > get_current_epoch(state)
-        revealer.custody_reveal_index += 1
-        revealer.max_reveal_lateness = max(revealer.max_reveal_lateness, current_custody_period - reveal.period)
-        proposer_index = get_beacon_proposer_index(state, state.slot)
-        increase_balance(state, proposer_index, base_reward(state, index) // MINOR_REWARD_QUOTIENT)
-
-    # Case 2: masked punitive early reveal
-    else:
-        assert reveal.period > current_custody_period
-        assert revealer.slashed is False
-        slash_validator(state, reveal.revealer_index, reveal.masker_index)
+    assert reveal.period == epoch_to_custody_period(revealer.activation_epoch) + revealer.custody_reveal_index
+    # Revealer is active or exited
+    assert is_active_validator(revealer, get_current_epoch(state)) or revealer.exit_epoch > get_current_epoch(state)
+    revealer.custody_reveal_index += 1
+    revealer.max_reveal_lateness = max(revealer.max_reveal_lateness, current_custody_period - reveal.period)
+    proposer_index = get_beacon_proposer_index(state, state.slot)
+    increase_balance(state, proposer_index, base_reward(state, index) // MINOR_REWARD_QUOTIENT)
 ```
 
 #### Chunk challenges

tests/phase0/block_processing/test_process_randao_reveal_slashing.py

@@ -0,0 +1,101 @@
+from copy import deepcopy
+import pytest
+
+import build.phase0.spec as spec
+from build.phase0.spec import (
+    get_balance,
+    get_current_epoch,
+    process_randao_reveal_slashing,
+    RANDAO_SLASHING_EPOCHS,
+    CUSTODY_PERIOD_TO_RANDAO_PADDING
+)
+from tests.phase0.helpers import (
+    get_valid_randao_reveal_slashing,
+)
+
+# mark entire file as 'randao_reveal_slashings'
+pytestmark = pytest.mark.randao_reveal_slashings
+
+
+def run_randao_reveal_slashing_processing(state, randao_reveal_slashing, valid=True):
+    """
+    Run ``process_randao_reveal_slashing`` returning the pre and post state.
+    If ``valid == False``, run expecting ``AssertionError``
+    """
+    post_state = deepcopy(state)
+
+    if not valid:
+        with pytest.raises(AssertionError):
+            process_randao_reveal_slashing(post_state, randao_reveal_slashing)
+        return state, None
+
+    process_randao_reveal_slashing(post_state, randao_reveal_slashing)
+
+    slashed_validator = post_state.validator_registry[randao_reveal_slashing.revealer_index]
+    assert not slashed_validator.initiated_exit
+    if randao_reveal_slashing.epoch >= get_current_epoch(state) + CUSTODY_PERIOD_TO_RANDAO_PADDING:
+        assert slashed_validator.slashed
+        assert slashed_validator.exit_epoch < spec.FAR_FUTURE_EPOCH
+        assert slashed_validator.withdrawable_epoch < spec.FAR_FUTURE_EPOCH
+    # lost whistleblower reward
+    assert (
+        get_balance(post_state, randao_reveal_slashing.revealer_index) <
+        get_balance(state, randao_reveal_slashing.revealer_index)
+    )
+
+    return state, post_state
+
+
+def test_success(state):
+    randao_reveal_slashing = get_valid_randao_reveal_slashing(state)
+
+    pre_state, post_state = run_randao_reveal_slashing_processing(state, randao_reveal_slashing)
+
+    return pre_state, randao_reveal_slashing, post_state
+
+
+def test_reveal_from_current_epoch(state):
+    randao_reveal_slashing = get_valid_randao_reveal_slashing(state, get_current_epoch(state))
+
+    pre_state, post_state = run_randao_reveal_slashing_processing(state, randao_reveal_slashing, False)
+
+    return pre_state, randao_reveal_slashing, post_state
+
+
+def test_reveal_from_past_epoch(state):
+    randao_reveal_slashing = get_valid_randao_reveal_slashing(state, get_current_epoch(state) - 1)
+
+    pre_state, post_state = run_randao_reveal_slashing_processing(state, randao_reveal_slashing, False)
+
+    return pre_state, randao_reveal_slashing, post_state
+
+def test_reveal_with_custody_padding(state):
+    randao_reveal_slashing = get_valid_randao_reveal_slashing(state, get_current_epoch(state) + CUSTODY_PERIOD_TO_RANDAO_PADDING)
+    pre_state, post_state = run_randao_reveal_slashing_processing(state, randao_reveal_slashing, True)
+
+    return pre_state, randao_reveal_slashing, post_state
+
+def test_reveal_with_custody_padding_minus_one(state):
+    randao_reveal_slashing = get_valid_randao_reveal_slashing(state, get_current_epoch(state) + CUSTODY_PERIOD_TO_RANDAO_PADDING - 1)
+    pre_state, post_state = run_randao_reveal_slashing_processing(state, randao_reveal_slashing, True)
+
+    return pre_state, randao_reveal_slashing, post_state
+
+def test_double_reveal(state):
+
+    randao_reveal_slashing1 = get_valid_randao_reveal_slashing(state, get_current_epoch(state) + RANDAO_SLASHING_EPOCHS + 1)
+    pre_state, intermediate_state = run_randao_reveal_slashing_processing(state, randao_reveal_slashing1)
+
+    randao_reveal_slashing2 = get_valid_randao_reveal_slashing(intermediate_state, get_current_epoch(pre_state) + RANDAO_SLASHING_EPOCHS + 1)
+    intermediate_state_, post_state = run_randao_reveal_slashing_processing(intermediate_state, randao_reveal_slashing2, False)
+
+
+    return pre_state, [randao_reveal_slashing1, randao_reveal_slashing2], post_state
+
+def test_revealer_is_slashed(state):
+    randao_reveal_slashing = get_valid_randao_reveal_slashing(state, get_current_epoch(state))
+    state.validator_registry[randao_reveal_slashing.revealer_index].slashed = True
+
+    pre_state, post_state = run_randao_reveal_slashing_processing(state, randao_reveal_slashing, False)
+
+    return pre_state, randao_reveal_slashing, post_state