Book: Update SPV section to reflect new account state query mechanism

[t-nelson]

As per Discord convo with @aeyakovenko and @rob-solana

[aeyakovenko]

We can’t enforce the slot boundary for this query. I think it’s basically is the query true when it’s executed by the cluster.

[t-nelson]

Hrm. That's a pretty narrow window to hit on a high throughput account, basically the next slot and 🤞, right?

[rob-solana]

to be able to do "slot of interest": would it be terribly expensive to hang onto the account hash vector at the end of every slot for 256 slots? worst case is 256*2.5*sizeof(Hash)*TPS, similar to StatusCache

[aeyakovenko]

@t-nelson why would the slot boundary provide any safety? The state can change immediately on the next slot. It’s up to the contract to have some meaningful terminal state, like “game over”

[t-nelson]

@rob-solana by "hash vector" you mean the "inclusion proof" or "merkle path"? They'd be log(N) and mergable per-slot, so that's certainly something to explore

@aeyakovenko there's no safety at the boundary. I was getting at the race between receiving the "Don't squash this slot" instruction and the slot being squashed, though after review Carl's snapshot work, I realize we have until the bank in question falls out of the locktower. This will require us scanning all bank forks and taking action on an unfinalized transaction, right?

[aeyakovenko]

@t-nelson we can take action on it after that bank is rooted, and provide the result way later, maybe 1024 slots after or something long enough, or at an epoch boundary.

[aeyakovenko]

Cool! This is missing the checkpoint proof generation.

[t-nelson]

Oof. I got to thinking about whether there was potential for a cheap resource exhaustion attack here and forgot to write it up 😆

[aeyakovenko]

@t-nelson so I think this would work on Ethereum.
vote for BankHash N, links to BankHash N -1

Since the BankHash's are connected, the SPV check on ethereum can skip PoH.

@pgarg66 I think this would replace the "Ancestor Verification" section in:
https://solana-labs.github.io/book/vote-signing-to-implement.html#ancestor-verification

[garious]

@t-nelson, what's this PR blocked by?

[t-nelson]

@aeyakovenko Sorry, this fell off my radar with the colo setup stuff. Last two commits address the issues I think. LMK what you think

[t-nelson]

@rob-solana, since @aeyakovenko is travelling, would you mind giving this a once over to see if it jives with your understanding of the proposal?

[rob-solana]

@rob-solana, since @aeyakovenko is travelling, would you mind giving this a once over to see if it jives with your understanding of the proposal?

I think @sakridge has better information about the current plan.

[sakridge]

So we are considering making the accounts hash value as:

expand_fn(hash(account0)) ^ expand_fn(hash(account1)) ^ ...

where expand_fn(hash) -> [u8; 440] is generating 440 bytes of random data from a crypto RNG with the account hash as the seed value. This allows one to add/remove accounts from the state value without re-computing the entire hash value.

[sakridge]

440 bytes comes from this paper, avoiding xor collision with 0 (or thus any other given bit pattern):
https://link.springer.com/content/pdf/10.1007%2F3-540-45708-9_19.pdf

O(k · 2^(n/(1+lg(k)))
k=2^40 accounts
n=440
2^(40) * 2^(448 * 8 / 41) ~= O(2^(128))

[t-nelson]

@sakridge OK thanks! Funny, I was actually typing up some clarifications that your second reply addressed 🙂

I get that it's cheaper to calculate and add/remove entries from this construction, but I don't see how we can build an inclusion proof? Or is that a tangential requirement?

[sakridge]

@t-nelson well, I was mainly after the performance side of it compared to what we are doing now or potentially computing a merkle tree of the accounts. @aeyakovenko had some idea that it would reduce the need to compute a merkle tree with old account states but I can't say I fully grok how that works yet.

[t-nelson]

@sakridge Gotcha! I think you and I are on the same page. We'll have to await input from the big guy 🙃

[rob-solana]

So we are considering making the accounts hash value as:

expand_fn(hash(account0)) ^ expand_fn(hash(account1)) ^ ...

where expand_fn(hash) -> [u8; 440] is generating 440 bytes of random data from a crypto RNG with the account hash as the seed value. This allows one to add/remove accounts from the state value without re-computing the entire hash value.

oh man, this is gonna get messy... have a PR yet?

[sakridge]

@rob-solana #5573 this is the PR. Yea, it's not super clean, but not the worst. Not sure how it combines with what changes you are planning.

[aeyakovenko]

This is no longer necessary. The bank hash is derived from the snapshot image

[aeyakovenko]

But we may want the bank hash to be the hash of the block transaction merkle root, hash of the snapshot image and the previous bank hash

[t-nelson]

What about the accounts XOR? I think I missed some convo on that somewhere (didn't seem to be more in discord/#consensus, anyway). Do we not need inclusion proofs on the account state anymore?

Oh, and if you're on vacation, feel free to tell me to shove off 🙂

[aeyakovenko]

we don’t have an account inclusion proof. So you still need a tx. Shove off :)

[carllin]

Is the purpose of the account state verification to prove that an account has some expected state, at some given point in the past (some block)?

[t-nelson]

Correct

[carllin]

ah ok, I see, the Accounts-Hash only includes accounts that were modified during a slot, which is why a transaction inclusion proof of the transaction that caused the modification is necessary. Thanks!

[carllin]

If we are generating the SPV of a transaction in a block A, for the vector of validator vote entries mentioned below, do we include all future votes for each validator up until MAX_LOCKOUT? If not, what is the locktower depth that we are interested in for confirmation?

[t-nelson]

The confirmation depth should be configurable (with a safe min and default) and would be dependent on the economic value of the transaction. $10 TX, low confirmation, $10M TX, high confirmation.

Note that this is a little WIP ATM as typically an SPV client would be validating block headers on its own and not have to reveal this information to the full node providing the TX proof. On Solana, this would require them to be capable of keeping up with and validating PoH, which is an atypically high standard for such a client.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[garious]

I haven't been following this one. Is there a subset of stuff you guys agree on that we can get merged?

[t-nelson]

This needs updated for #5885. I'll try to sync it up today.

[garious]

@t-nelson, can you wrap this up?

[t-nelson]

Can do

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[stale]

This stale pull request has been automatically closed. Thank you for your contributions.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[stale]

This stale pull request has been automatically closed. Thank you for your contributions.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[garious]

Can you format to 80 char lines?

[t-nelson]

Absolutely

[garious]

@t-nelson, waiting on action from anyone here?