Skip to content
This repository has been archived by the owner on Nov 15, 2023. It is now read-only.

Initial guide text for approvals and especially approvals assignments #1518

Merged
merged 30 commits into from
Aug 18, 2020
Merged

Initial guide text for approvals and especially approvals assignments #1518

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
c86c667
Initial guide modifications for approvals
burdges Aug 1, 2020
2b93eeb
Split approval assignments keys and approval votes keys
burdges Aug 4, 2020
f52f440
Update roadmap/implementers-guide/src/runtime/validity.md
burdges Aug 5, 2020
d798afd
Update roadmap/implementers-guide/src/node/validity/assignments.md
burdges Aug 5, 2020
4b7c36b
Update roadmap/implementers-guide/src/node/validity/assignments.md
burdges Aug 5, 2020
9bac5af
Update roadmap/implementers-guide/src/node/validity/assignments.md
burdges Aug 5, 2020
99dbb35
Update roadmap/implementers-guide/src/node/validity/assignments.md
burdges Aug 5, 2020
a613466
Update roadmap/implementers-guide/src/node/validity/assignments.md
burdges Aug 5, 2020
19888c9
Update roadmap/implementers-guide/src/node/validity/assignments.md
burdges Aug 5, 2020
2e5a84c
Update roadmap/implementers-guide/src/node/validity/assignments.md
burdges Aug 5, 2020
5848faf
Update roadmap/implementers-guide/src/node/validity/approvals.md
burdges Aug 5, 2020
e49c707
Update roadmap/implementers-guide/src/node/validity/approvals.md
burdges Aug 5, 2020
f656d83
Update roadmap/implementers-guide/src/runtime/validity.md
burdges Aug 5, 2020
db2a8ee
Not sure where these go..
burdges Aug 6, 2020
7b4527c
Update roadmap/implementers-guide/src/node/validity/approvals.md
burdges Aug 6, 2020
94f65ab
Local clock leniency
burdges Aug 6, 2020
1d4b69b
Explain HSM blabla
burdges Aug 6, 2020
dd1d459
double word
burdges Aug 6, 2020
82babb6
Clarify okasing things on-chain
burdges Aug 6, 2020
3bec017
Assignments integration with relative time
burdges Aug 6, 2020
1e133b4
minor tweaks
burdges Aug 6, 2020
d3413e3
Clarify structure and work savings
burdges Aug 6, 2020
bf0b6fc
Use included more
burdges Aug 6, 2020
2b2e4f9
Cleanup and paramaters
burdges Aug 7, 2020
ae67543
More on GRANDPA
burdges Aug 7, 2020
6bd4758
Explain relay equivocation relevance
burdges Aug 7, 2020
ecfce2b
Address postponement and on-chain verification somewhat
burdges Aug 10, 2020
be4ab74
small bit more explination
burdges Aug 10, 2020
328556e
just use ed25519 here: could -> should
burdges Aug 10, 2020
296025d
spelling
burdges Aug 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions roadmap/implementers-guide/src/node/validity/approvals.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# Approval subsystem
burdges marked this conversation as resolved.
Show resolved Hide resolved

The approval subsystem determines whether a relay chain block can be considered for finality. It does so by running validity checks on the candidates declared available in that relay chain block.

These approval validity checks differ from the backing validity checks performed before starting availability:

- In backing, adversaries could select when they propose invalid candidates based upon when they control the parachain's backing validators who perform the checks.

- In approvals, we randomly assigns individual validators to check specific candidates without giving adversaries foreknowledge about either which honest validators get assigned to which candidates, or even how many check. Availability prevents adversaries from choosing which validators obtain their possibly invalid candidate.
burdges marked this conversation as resolved.
Show resolved Hide resolved

As such, approval checks provide significantly more security than backing checks, so polkadot achieves some fixed security level most efficiently when we perform more approval checks per backing check or per relay chain block.
burdges marked this conversation as resolved.
Show resolved Hide resolved

...

Approval requires two gossiped message types, assignment notices created by its assignments subsystem, and approval votes sent by our approval checks subsystem when authorized by the candidate validity utility subsystem.
burdges marked this conversation as resolved.
Show resolved Hide resolved

Approval has roughly two parts:

- **Assignments** ensures that each candidates receives enough random checkers, while reducing adversaries odds for obtaining enough checkers, and limiting adversaries foreknowledge. It tracks approval votes to identify "no show" approval check takes suspiciously long, perhaps indicating the node being under attack, and assigns more checks in this case. It tracks relay chain equivocations to determine when adversaries possibly gained foreknowledge about assignments, and adds additional checks in this case.
burdges marked this conversation as resolved.
Show resolved Hide resolved

- **Approval checks** listens to the assignments subsystem for outgoing assignment notices that we shall check specific candidates. It then performs these checks by first invoking the reconstruction subsystem to obtain the candidate, second invoking the candidate validity utility subsystem upon the candidate, and finally sending out an approval vote, or perhaps initiating a dispute.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This references an assignments subsystem which hasn't been defined.

What are "outgoing assignment notices"? Are these notifications from some other piece of code that we need to be checking some particular candidate?

Great that this references reconstruction & candidate validity : ) - that's exactly how this will be implemented.


There are rewards computations on-chain too, which runs the assignments code to determine approval, but does so after the fact.

...

### Approval keys

We need two separate keys for the approval subsystem
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, so this implies yet another session key?

not sure if we have yet migrated a Substrate chain to add more session keys, but it should be doable. However, there is a bootstrapping concern here. When migrating the chain nobody will have yet registered the extra key, but we can't just throw out the validator set.

So I think the process would be that we'd have to add the session key, make an announcement that everyone should rotate session keys, and then enable parachains.

Or is there some way that both of these keys can be the same? It would make the practicalities of upgrading the relay-chain much simpler

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could make the approval vote key be the grandpa key. We could always separate them if some distant future super-sentry node iteration would support consensus running on a separate machine from candidate worker nodes or whatever.

We need either the assignments key to be some new key immune to large slashes, or else some validators would ask that assignments by run in a remote signer, which sounds absolutely nightmarish.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, that makes a lot of sense. Expounding on the "risk" these keys have as the reason for the separation would make sense in this section. I'm fine with reusing the GRANDPA key for that, although we will be upgrading that to BLS at some point. Maybe makes most sense to just upgrade and add the extra key type, put out an announcement that every validator should rotate their session keys, and then enable parachains a few weeks later

Copy link
Contributor Author

@burdges burdges Aug 6, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We actually cannot wholly replace Schnorr with BLS because BLS verification seems just too slow. We'll likely add a BLS12-381 G1 point with a Schnorr proof-of-possession as either the only or as a second GRANDPA public key, but we've then two choices:

  1. We could sign GRANDPA messages first with this BLS public key and then sign that signed message with the Ed25519 public key. We could even replace Ed25519 with Rabin-Williams here, which gets shockingly fast. We'll need slashing condition for when something messy happens.

  2. We sign GRANDPA messages with a Schnorr VRF using this BLS public key, so verification runs much slower than Ed25519, but still vastly faster than BLS signatures. At this point the VRF pre-output actually is a BLS signature however, so we can transition smoothly to BLS verification whenever we gain enough signatures for aggregation to help, but doing this avoids any slashing conditions.

I'd wager 1 sounds easiest, so maybe Ed25519 would stick around for quite a while.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just say to use ed25519 for approval vote keys now, which along with previous tweaks seemingly finishes this one. Anything else?


- **Approval assignment keys** are sr25519/schnorrkel keys used only for the assignment criteria VRF. We implicitly sign assignment notices with approval assignment keys by including their relay chain context and additional data in the VRF's extra message, but exclude these from its VRF input.
burdges marked this conversation as resolved.
Show resolved Hide resolved

- **Approval vote keys** would only sign off on candidate parblock validity.
burdges marked this conversation as resolved.
Show resolved Hide resolved

Approval vote keys could easily be handled by some hardened signer tooling, perhaps even HSMs if we select ed25519 for approval vote keys. Approval assignment keys might or might not support hardened signer tooling, but they represent only minimal slashing risk for validator operator.

In future, we shall determine which among the several hardening techniques best benefits the netwrok as a whole. We could provide a multi-process multi-machine architecture for validators, perhaps even reminiscent of GNUNet, or perhaps more resembling smart HSM tooling. We might instead design a system that more resembled full systems, like like Cosmos' sentry nodes. In either case, approval assignments might be handled by a slightly hardened machine, but not necessarily nearly as hardened as approval votes, but approval votes machines must similarly run foreign WASM code, which increases their risk, so assignments being separate sounds helpful.

### Gossip

Any validator could send their assignment notices and/or approval votes too early. We gossip the approval votes because they represent a major commitment by the validator. We delay gossiping the assignment notices until they agree with our local clock.
burdges marked this conversation as resolved.
Show resolved Hide resolved
burdges marked this conversation as resolved.
Show resolved Hide resolved

### Future work

We could consider additional gossip messages with which nodes claims "slow availability" and/or "slow candidate" to fine tune the assignments "no show" system, but long enough "no show" delays suffice probably.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/paritytech/polkadot/issues/1269#issuecomment-667650052


We shall develop more practical experience with UDP once the availability system works using direct UDP connections. In this, we should discover if reconstruction performs adequately with a complete graphs or
benefits from topology restrictions. At this point, an assignment notices could implicitly request pieces from a random 1/3rd, perhaps topology restricted, which saves one gossip round. If this preliminary fast reconstruction fails, then nodes' request alternative pieces directly. There is an interesting design space in how this overlaps with "slow availability" claims.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, that's cool. cc @infinity0


101 changes: 101 additions & 0 deletions roadmap/implementers-guide/src/node/validity/assignments.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
# Approval assignments

Approval assignment determines on which candidate parachain blocks each validator performs approval checks. An approval session consideres only one relay chain block and assigns only those candidates that relay chain block declares available.
burdges marked this conversation as resolved.
Show resolved Hide resolved

Assignment balances several concerns:

- limits adversaries foreknowledge about assignments,
burdges marked this conversation as resolved.
Show resolved Hide resolved
- ensures enough checkers, and
- distributes assignments relatively equitably.

Assignees determine their own assignments to check specific candidates using two or three assignment criteria. Assignees never reveal their assignments until relevant, and gossip delays assignments sent early, which limits others' foreknowledge. Assignees learn their assignment only with the relay chain block.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When do they reveal their assignments?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm afraid this first pass focused primarily upon the assignment module's interface, so I forgot that part presumably, but..

We should clarify that assignment noticed go out only when their delay tranche gets reached. It's more complex actually since they could be delayed further, either by waiting for no shows, or else by legitimately waiting to reduce their workload. I've spent today coding that portion, which became obnoxiously subtle. I'll add some text once I've cleaned up this new code.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/w3f/research-internal/issues/519

Copy link
Contributor Author

@burdges burdges Aug 6, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3bec017


All criteria require the validator evaluate a verifiable random function (VRF) using their VRF secret key. All criteria input specific data called "stories" about the session's relay chain block, and output candidates to check and a precedence called a `DelayTranche`.

We liberate availability cores when their candidate becomes available of course, but one approval assignment criteria continues associating each candidate with the core number it occupied when it became available.

Assignment operates in loosely timed rounds determined by this `DelayTranche`s, which proceed roughly 12 times faster than six second block production assuming half second gossip times. If a candidate `C` needs more approval checkers by the time we reach round `t` then any validators with an assignment to `C` in delay tranche `t` gossip their send assignment notice for `C`. We continue until all candidates have enough approval checkers assigned. We take entire tranches together if we do not yet have enough, so we expect strictly more than enough checkers. We also take later tranches if some checkers return their approval votes too slow (see no shows below).
burdges marked this conversation as resolved.
Show resolved Hide resolved
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another point on delay-tranches. It seems that there is no consensus on which delay-tranches should be used.

For reconstruction and gossip, this seems important. If I receive a reconstruction request, I want it to be legitimized by an assignment proof.

And as I gossip assignments, I will only want to gossip assignments from tranches that I believe should be active. However, how are my peers supposed to know what I accept and what I drop?

The common thread here is to make sure that there is no way for a single validator to create an unbounded amount of assignment proofs that other nodes are forced to circulate or respond to for some reason.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another point on delay-tranches. It seems that there is no consensus on which delay-tranches should be used.

It's one tranche every k seconds after the relay chain block's slot. I've two numbers in the code: delay tranches start from zero with the relay chain block's slot, while AnV slots are 12 * relay_chain_slot + delay_tranche give an absolute close. I'll let someone else figure out which should be more or less exposed in the interface, etc.

For reconstruction and gossip, this seems important. If I receive a reconstruction request, I want it to be legitimized by an assignment proof.

Yes and no, we could let validators reconstruct anything, but prioritize approval assignments.

And as I gossip assignments, I will only want to gossip assignments from tranches that I believe should be active. However, how are my peers supposed to know what I accept and what I drop?

You need not drop anything:

  • Approval votes are a huge deal, so gossip them always.
  • Assignment notices are inherently somewhat limited in number due to being VRFs, so merely save them, and regossip them only when you believe they become viable.

We still need politeness for relay chain block knowledge of course.


Assignment ensures validators check those relay chain blocks for which they have delay tranche zero aka the highest high precedence, so that adversaries always face honest checkers equal to the expected number of assignments with delay tranche zero.
burdges marked this conversation as resolved.
Show resolved Hide resolved

Among these criteria, the BABE VRF output provides the story for two, which reduces how frequently adversaries could position their own checkers. We have one criteria whose story consists of the candidate's block hash plus external knowledge that a relay chain equivocation exists with a conflicting candidate. It provides unforeseeable assignments when adversaries gain foreknowledge about the other two by committing an equivocation in relay chain block production.
burdges marked this conversation as resolved.
Show resolved Hide resolved

## Announcements / Notices

We gossip assignment notices among nodes so that all validators know which validators should check each candidate, and if any candidate requires more checkers.

Assignment notices consist of a relay chain context given by a block hash, an assignment criteria, consisting of the criteria identifier and optionally a criteria specific field, an assignee identifier, and a VRF signature by the assignee, which itself consists of a VRF pre-output and a DLEQ proof. Its VRF input consists of the criteria, usually including a criteria specific field, and a "story" about its relay chain context block.
burdges marked this conversation as resolved.
Show resolved Hide resolved

We never include stories inside the gossip messages containing assignment notices, but require each validator reconstruct them. We never care about assignments in the disputes process, so this does not complicate remote disputes.

In a Schnorr VRF, there is an extra signed message distinct from this input, which we set to the relay chain block hash. As a result, assignment notices are self signing and can be "politely" gossiped without additional signatures, meaning between nodes who can compute the story from the relay chain context. In other words, if we cannot compute the story required by an assignment notice's VRF part then our self signing property fails and we cannot verify its origin. We could fix this with either another signature layer (64 bytes) or by including the VRF input point computed from the story (32 bytes), but doing so appears unhelpful.
burdges marked this conversation as resolved.
Show resolved Hide resolved

Any validator could send their assignment notices and/or approval votes too early. We gossip the approval votes early because they represent a major commitment by the validator. We delay gossiping the assignment notices until they agree with our local clock however. We also impose a politness condition that the recipient knows the relay chain context used by the assignment notice.
burdges marked this conversation as resolved.
Show resolved Hide resolved

## Stories

We based assignment criteria upon two possible "stories" about the relay chain block `R` that declared the candidate available. All stories have an output that attempts to minimize adversarial influence, which then acts as the VRF input for an assignment criteria.

We first have a `RelayVRFStory` that outputs the randomness from another VRF output known only to the relay chain block producer who created `R`, and unknown even to them two epochs previously.
rphmeier marked this conversation as resolved.
Show resolved Hide resolved
burdges marked this conversation as resolved.
Show resolved Hide resolved

In BABE, we create this value calling `schnorrkel::vrf::VRFInOut::make_bytes` with a context "A&V RC-VRF", with the `VRFInOut` coming from either the VRF that authorized block production for primary blocks, or else form the secondary block VRF for the secondary block type.
rphmeier marked this conversation as resolved.
Show resolved Hide resolved
burdges marked this conversation as resolved.
Show resolved Hide resolved
burdges marked this conversation as resolved.
Show resolved Hide resolved

In Sassafras, we shall always use the non-anonymized recycling VRF output, never the anonymized ring VRF that authorizes block production. We do not currently know if Sassafras shall have a separate schnorrkel key, but if it reuses its ring VRF key there is an equivalent `ring_vrf::VRFInOut::make_bytes`.

We like that `RelayVRFStory` admits relatively few choices, but an adversary who equivocates in relay chain block production might assignments that depend upon it too early.
burdges marked this conversation as resolved.
Show resolved Hide resolved

We therefore provide a secondary `RelayEquivocationStory` that outputs the candidate's block hash, but only for candidate equivocations. We say a candidate `C` in `R` is an equivocation when there exists another relay chain block `R1` that equivocates for `R` in the sense that `R` and `R1` have the same `RelayVRFStory`, but `R` contains `C` and `R1` does not contain `C`.

We want checkers for candidate equivocations that lie outside our preferred relay chain as well, which represents a slightly different usage for the assignments module, and might require more information in the gossip messages.

## Assignment criteria

Assignment criteria compute actual assignments using stories and the validators' secret approval assignment key. Assignment criteria output a `Position` consisting of both a `ParaId` to be checked, as well as a precedence `DelayTranche` for when the assignment becomes valid.

Assignment criteria come in three flavors, `RelayVRFModulo`, `RelayVRFDelay` and `RelayEquivocation`. Among these, both `RelayVRFModulo` and `RelayVRFDelay` run a VRF whose input is the output of a `RelayVRFStory`, while `RelayEquivocation` runs a VRF whose input is the output of a `RelayEquivocationStory`.

Among these, we have two distinct VRF output computations:

`RelayVRFModulo` runs several distinct samples whose VRF input is the `RelayVRFStory` and the sample number. It computes the VRF output with `schnorrkel::vrf::VRFInOut::make_bytes` using the context "core", reduces this number modulo the number of availability cores, and outputs the candidate leaving that availability core. We drop any samples that return no candidate because no candiate was leaving the sampled availability core in this relay chain block. We choose three samples initially, but we could make polkadot more secure and efficient by increasing this to four or five, and reducing the backing checks accordingly. All successful `RelayVRFModulo` samples are assigned delay tranche zero.
burdges marked this conversation as resolved.
Show resolved Hide resolved
rphmeier marked this conversation as resolved.
Show resolved Hide resolved

There is no sampling process for `RelayVRFDelay` and `RelayEquivocation`. We instead run them on specific candidates and they compute a delay from their VRF output. `RelayVRFDelay` inputs a `RelayVRFStory` runs for all candidates entering availability, equivalently all candidates leaving some availability core. `RelayEquivocation` run only candidate lock equivocations, and inputs their block hashes via the `RelayEquivocation` story.
burdges marked this conversation as resolved.
Show resolved Hide resolved
burdges marked this conversation as resolved.
Show resolved Hide resolved

`RelayVRFDelay` and `RelayEquivocation` both compute their output with `schnorrkel::vrf::VRFInOut::make_bytes` using the context "tranche" and reduce the result modulo `num_delay_tranches + zeroth_delay_tranche_width`, and consolidate results 0 through `zeroth_delay_tranche_width` to be 0. In this way, they ensure the zeroth delay tranche has `zeroth_delay_tranche_width+1` times as many assignments as any other tranche.

As future work (or TODO?), we should merge assignment notices with the same delay and story using `vrf_merge`. We cannot merge those with the same delay and different stories because `RelayEquivocationStory`s could change but `RelayVRFStory` never changes.

## Announcer and Watcher/Tracker

We track all validators' announced approval assignments for each candidate associated to each relay chain block.

We permit at most one assignment per candidate per story per validator, so one validator could be assigned under both the `RelayVRFDelay` and `RelayEquivocation` criteria, but not under both `RelayVRFModulo` and `RelayVRFDelay` criteria, since those both use the same story. We permit only one approval vote per candidate per validator, which counts for any applicable criteria.

We announce, and start checking for, our own assignments when their delay is reached, but only if the tracker says the assignee candidate requires more approval checkers. We never announce an assignment we believe unnecessary because early announcements gives an adversary information. All delay tranche zero assignments always get announced, which includes all `RelayVRFModulo` assignments.

We have a "no show" timeout longer than one relay chain slot, so at least six seconds, during which we expect approval checks should succeed in reconstructing the candidate block, in redoing its erasure coding to check the candidate receipt, and in rechecking the candidate block itself.

We consider a validator a "no show" if they do not approve or dispute within this "no show" timeout from our receiving their assignment notice. We worry "no shows" represent a validator under denial of service attack, presumably to prevent it from reconstructing the candidate, but perhaps delaying it form gossiping a dispute too. We always replace "no shows" by adding one entire extra delay tranche worth of validators, so such attacks always result in additional checkers.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does replacement mean in this context? This happens off-chain, right. What is the significance of any single validator adding an extra tranche of validators? Does that make its way on-chain somehow?

Copy link
Contributor Author

@burdges burdges Aug 5, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd move any more details discussion about the asymptotics to https://github.com/w3f/research-internal/issues/515

We need the same logic on-chain as off-chain to know if a candidate is approved on-chain, but..

I'd expect no shows would usually resolve themselves fast, so the on-chain logic could abandon the replacements too. We'll discuss incentives for replacements later, but incentives impact this..


As an example, imagine we need 20 checkers, but tranche zero produces only 14, and tranche one only 4, then we take all 5 from tranche two, and thus require 23 checkers for that candidate. If one checker Charlie from tranche one-two does not respond within say 6 seconds, then we add all 7 checkers from tranche three. If one checker Cindy from tranche three does not respond within 6 seconds then we take all 3 checkers from tranche four. We now have 33 checkers working on the candidate, so this escalated quickly.
burdges marked this conversation as resolved.
Show resolved Hide resolved

We escalated so quickly because we worried that Charlie and Cindy might be the only honest checkers assigned to that candidate. If therefore either Charlie or Cindy finally return an approval, then we can conclude approval, and abandon the checkers from tranche four.

We require the "no show" timeout to be longer than a relay chain slot so that we can witness "no shows" on-chain and reward. We avoid slashing for "no shows" per se, although being "no show" could enter into some computation that punishes repeated poor performance, presumably replaces ImOnline, and we could reduce their rewards and further rewards those who filled in.
burdges marked this conversation as resolved.
Show resolved Hide resolved

As future work, we foresee expanding the "no show" scheme to anonymizes the additional checkers, like by using assignment noticed with a new criteria that employs a ring VRF and then all validators providing cover by requesting a couple erasure coded pieces, but such anonymity scheme sound extremely complex and lie far beyond our initial functionality.

## Why VRFs?

We do assignments with VRFs to give "enough" checkers some meaning beyond merely "expected" checkers:

We could specify a protocol that used only system randomness, which works because our strongest defense is the expected number of honest checkers who assign themselves. In this, adversaries could trivially flood their own blocks with their own checkers, so this strong defense becomes our only defense, and delay tranches become useless, so some blocks actually have zero approval checkers and possibly only one checker overall.

VRFs though require adversaries wait far longer between such attacks, which also helps against adversaries with little at stake because they compromised validators. VRFs raise user confidence that no such "drive by" attacks occurred because the delay tranche system ensure at least some minimum number of approval checkers. In this vein, VRFs permit reducing backing checks and increasing approval checks, which makes polkadot more efficient.

## Gossip

Any validator could send their assignment notices and/or approval votes too early. We gossip the approval votes because they represent a major commitment by the validator. We delay gossiping the assignment notices until they agree with our local clock.




Loading