Probabilistic rounding up for miners that are ineligible for a whole slot

Research
1

Background

  • There are T_\text{slots}\approx50\cdot 4032=201600 total slots in an epoch according to the current protocol parameters (2 weeks per epoch, 5 minutes per layer, and \approx\!\!50 ballots per layer).
  • For now we have guaranteed elibility for any miner that has the minimum amount of storage (which will remain 256gb unless there’d be a protocol hardfork):
    • This is done by rounding up the number of slots S_\text{id} that the miner M_\text{id} is eligible for if and only if S_\text{id} is less than 1
  • But this guaranteed eligibility is detrimental and insecure, due to several reasons:
    • (1) It allows an attacker to mount a simple DoS attack by exploiting the rounding up rule
      • We’d obviously be exposed to a simple DoS attack if we set a low minimum weight (say 16gb), where an attacker can just create many ATXs for cheap that need to be stored forever.
      • If the total spacetime in the system grows significantly, it’d be because the minimum weight is too cheap and/or because the system became more popular, and in either case it implies that the attack of flooding the system with cheap minimal-storage ATXs is more severe.
        • If spacetime became cheaper, then it’s less costly to mount this attack.
        • If the system is more popular, then the attacker is able to damage a more valuable system for the same cost as with an attack on the less valuable system.
      • In practice, the severity of such attacks can already be significant even without the rounding up rule, see https://community.spacemesh.io/t/finding-correct-type-for-representing-gas-price-values/291/12
    • (2) The Spacemesh protocol isn’t designed to dynamically increase/decrease the number of ballots per layer after each epoch (acccording to how many miners join/quit).
      • It’s unsustainable if too many miners joins (especially with the rounding up).
      • It entails unpredictable workload for full nodes.
        • In some layer the full node works hard, in next layer the workload is easier, etc.

Why we cannot simply round down?

  • Suppose the all the miners have equal spacetime, and the number of miners is 2\cdot T_\text{slots}, so that each miner is eligible to only half a slot in the epoch.
    • If we round down then all the miners will be ineligible.

Proposal: probabilistic rounding up

  • In epoch 101 the miner M_\text{alice} creates her ATX, if Alice is a newcomer then this means that she initializes her storage and creates a local PoST proof, and then (i.e., either if she’s a newcomer or not) she submits the commitment \text{com}^{101}_\text{alice} to a PoET server.
  • In epoch 102 the miner M_\text{alice} takes the PoET output and creates a PoST proof, and then broadcasts her ATX to the Spacemesh network.
    • Let R_{102} denote the beacon value that’s generated in epoch 102
  • In epoch 103 the miner M_\text{alice} broadcasts her first ballot, in which she declares her view V_\text{alice}=(\text{ATX}_1,\text{ATX}_2,\text{ATX}_3,\ldots,\text{ATX}_\text{max\_alice}) of ATXs that she regards as valid for epoch 102
  • Let D_\text{alice}=\text{weight}(\text{ATX}_{\text{alice}})/\text{weight}(V_\text{alice})
  • Let S_\text{alice} = T_\text{slots} \cdot D_\text{alice} be the number of slots that Alice is eligible for in epoch 103
  • If S_\text{alice} < 1 then we regard H_\text{alice}=\text{hash}(R_{102},\ \text{com}^{101}_\text{alice}) as a number between 0 and 1 inclusive.
    • If H_\text{alice} \leq S_\text{alice} then the protocol dictates that S_\text{alice} gets rounded up to 1 and Alice is eligible for a single slot in epoch 103
    • Otherwise the protocol dicates that S_\text{alice} gets rounded down to 0, meaning that Alice is ineligible to submit any ballots/proposals in epoch 103
  • For example:
    • If D_\text{alice}=1/604800 meaning that Alice’s weight is less than 1/600000 of the total weight, then S_\text{alice} = T_\text{slots} \cdot D_\text{alice}=1/3
      • If for example it turned out that H_\text{alice}=\text{hash}(R_{102},\ \text{com}^{101}_\text{alice})=1/4\ then Alice is eligible for a single ballot.
      • If for example it turned out that H_\text{alice}=\text{hash}(R_{102},\ \text{com}^{101}_\text{alice})=1/2\ then Alice is ineligible for any ballots.

Rationally declaring a smaller view

  • The rational Alice may try to obtain S_\text{alice}\geq 1 by including fewer ATXs in V_\text{alice}
    • or even S_\text{alice} < 1 but still larger than what it’d be otherwise.
  • Still, Alice needs to include all the honest ATXs (i.e., those with the highest grade) in V_\text{alice}, due to a protocol rule that entails that other honest miners will vote against her tortoise proposals if she doesn’t include ATXs with the highest grade.
  • If for example 67% of all ATXs are honest, then the rational Alice cannot ensure S_\text{alice}\geq 1 if her spacetime weight is too little relative to 67% of the total weight
    • Specifically, if \ T_\text{slots} \cdot \text{weight}(\text{ATX}_{\text{alice}})/(\text{total\_weight}\cdot 67/100) < 1
  • Thus, the rational miner Alice may tweak her view V_\text{alice}, but she won’t have that much of a wiggle room.
    • She will need an ATX withl greater spacetime when the total weight in system grows significantly.

Non-participation when the honest miner is ineligible

  • In epoch 101, the miner M_\text{alice} doesn’t know yet the result R_{102} of the beacon of epoch 102, so she cannot grind on H_\text{alice} in order to become eligible for a single ballot with S_\text{alice}<1
    • By contrast, if we took H_\text{alice}=\text{hash}(R_{101},\ \text{com}^{101}_\text{alice}) then the newcomer Alice may try to grind.
  • If Alice is ineligible for a single ballot according to the beacon that she declares in her first ballot, then her first ballot can be pruned (if she’s a newcomer then her ATX must be kept, because the dishonest Alice can always broadcast another first ballot with a different beacon).
  • If the honest Alice sees that R_{102} entails that she will be ineligible, then she just won’t broadcast her first ballot (and maybe not even broadcast her ATX).

Syntactic minimal weight in a permissionless system

  • Due to the permissionless nature of Spacemesh, ATXs that meet the syntactic minimum weight (which is 256gb now) need to be kept.
    • Because there can always be an alternative history in which such ATXs are eligible to produce ballots.
  • Flooding with minimal size ATXs (according to the syntactic minimum) is still possible with this “probabilistic rounding up” proposal, but miners are disincentivized from doing so because they won’t be rewarded.