Vitalik: Eth2 Fragmentation Chain Simplification Proposal

Please note a key detail: now any slot-N+1 block of a slice can know all slot-N blocks of all slices through one path. Therefore, we now have first-class single-slot cross-sliced ​​communication (via Merkle receipts).

Approximate status

New proposal

In this proposal we have changed the structure of the connected object: no longer contains "crosslinks", which include the "data root" of many fragmented blocks represented in a complex serialized form, but only a single The data root of the block, which represents the content within the block (the content is completely determined by the "proposer"). The tiled block will also include the signature from the proposer. In order to promote the stability of the p2p network, the way to calculate the proponent is still based on a persistent-committee-based algorithm. If no proposal is available, members of the Cross-Link Committee may also vote on the “Zero Proposal”.

We still store a map latest_shard_blocks in the state: shard -> (block_hash, slot), the difference is that the storage epoch becomes a time slot. In the "optimistic situation", we hope that this mapping can update each time slot.

The online_validators are defined as a subset of active verifiers, and the active verifier has at least one epoch in the past 8 epochs containing its proof. If 2/3 of the total number of online_validators agree on a new block in a given slice, the mapping will be updated.

Suppose the current time slot is n, but for a given slice i, latest_shard_blocks.slot < n-1 (that is, the slice has a block skip in the previous time slot), we need the proof of the slice Provide the data root of all time slots in the range [latest_shard_blocks.slot + 1….min(latest_shard_blocks.slot + 8, n-1)].

The fragmentation block still needs to point to the "previous fragmentation block", and we still have to enforce consistency, so the protocol requires multi-slot proof to be consistent. We recommend that the committee adopt the following "forking selection rules":

• For each valid and available fragment block B (the ancestor block of the block must also be valid and available), calculate the total weight of the verifier of the descendant of the recent message supporting B or B, and temporarily refer to the weight as the fragmentation area. Fast B's "score". Even a blank tile can have a score.
• Select the highest scored block for slot + 1.
• Select the highest scored block for slot + k(k > 1). Consider the block in the range that needs to point to the last selected block of latest_shard_blocks[i].slot + (k-1).

Overview

The publishing process between the beacon block N and the beacon block N+1 is as follows:

1. Beacon block N is released;
2. For any given slice i, the proposer of slice i proposes a slice block. Execute the block visible beacon block N and the root of the previous block (if necessary, we can reduce the visibility to block N-1 and the old block, which makes it possible to be on the beacon block and the fragment block Make a proposal at the same time);
3. The prover mapped to the slice i performs the proof, including its opinion on the slot N beacon block and the slice block in the slice i (in the special case also includes the previous slice block in the slice i);
4. The beacon block N+1 is released, including these proofs for all shards. The state transition function of block N+1 processes these certificates and updates the "latest state" of all slices.

cost analysis

Please note that participants do not need to actively download the tile data at any time. Conversely, when the proponent issues a proposal, it only needs to upload a data limit of 512 kB in 3 seconds (assuming there are 4 million verifiers, each of which requires an average of 128,000 slots to upload once), and then the committee verifies When proposing, it only needs to download data with an upper limit of 512 kB in 3 seconds (required that each verifier wants to download the data in each epoch because we keep one attribute: the specific time slot in each given epoch Each certifier is assigned to a specific cross-link).

Please note that the requirement for this operation is lower than the current long-term load requirement of each verifier, ie about 2MB per epoch. However, this requires a higher "burst" load: the previous limit of 64KB in 3 seconds, now needs to reach the upper limit of 512KB in 3 seconds.

The beacon chain data for the attestations load is changed as follows.

Each certificate has about 300 bytes of fixed data, plus a bit field, which is 4 million bits per epoch, and 8192 bytes per time slot. Therefore, the maximum load of the current scheme is 128 * 300 + 8192 = 46592, and the load in the average case may be closer to 32 * 300 + 8192 = 17792, even if it can reduce the load by compressing the redundant information in the proof.

In this proposal, we can see two kinds of loads (see the "Compression Certificate" section below for details):

• The proof of slot n will be included in slot n+1. We can allow the inclusion of the two most popular slice/block header combinations, so there are 128 uncompressed certificates.
• The number of compressed versions in slot n after slot n+1 (about 200 bytes per proof) is up to 128

Therefore the maximum load is calculated as 128 * 300 + 128 * 200 + 8192 = 72192 and the average load is approximately 80 * 300 + 10 * 200 + 8192 = 34192.

Also note that the cost of each time slot in each fragment is 65,536 * 300 / 64 = 307,200 bytes. This provides a natural basis for system requirements for running nodes, so there is no point in recompressing block data.

At the computational level, the only significant increase in spending is the need for more pairings (more precisely, more Miller cycles), with the upper limit of each block increasing from 128 to 192, which will make the block The processing time is extended by 200ms.

This allows EEs in different shards to perform ETH transfers immediately, at which point the cost per shard is (32 * log(64) + 48) * 64 = 15360 bytes. Msg_hash can be used to reduce the size of cross-sliced ​​information to be verified with the ETH transfer, so in a highly active system, 15360 bytes of data is essential.

Off topic: data availability root

The operation to prove the usability of a 128 kB data is superfluous and has little value. In contrast, it makes sense to require that a block be able to provide a series root of all the fragmented block data that the block accepts and combines together (perhaps this fragmented block data root exists in a list, where each represents 64 kB data, which makes series connection easier). You can then create a single data availability root based on this data (average 8 MB, worst case 32 MB). Note that creating these roots may take longer than a time slot, so it is best to check the availability of data before an epoch (ie, sampling from these data availability roots will be extra "deterministic" an examination").