You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: docs/technical-report-1.md
+40-26
Original file line number
Diff line number
Diff line change
@@ -271,36 +271,40 @@ The next subsections contain preliminary analyses of concerns and potential deci
271
271
272
272
Conceptually, a Leios vote contains the following information:
273
273
274
-
- The hash of the EB being voted for
275
-
- The identity of the voter
276
-
- The number of votes cast
277
-
- A proof that the votes cast are valid
278
-
- A signature
274
+
- The hash of the EB being voted for.
275
+
- The identifier for the pipeline.
276
+
- This could be omitted because it can be inferred from the EB.
277
+
- The identity of the voter.
278
+
- The number of votes cast.
279
+
- A proof that the votes cast are valid.
280
+
- A signature.
279
281
280
-
When collecting votes for the same EB, the hash of the EB would only have to be listed once for the whole set. This will save 32 bytes per vote serialized. Note the EB presumably includes information about which pipeline it belongs to, so that information does not also be included in the vote. So, a minimalist vote might only comprise 146 bytes of core information, not counting the hash of the EB.
282
+
When collecting votes for the same EB, the hash of the EB and the identifier for the pipeline would only have to be listed once for the whole set. This will save 64 bytes per vote serialized. So, a minimalist vote might only comprise 209 bytes of core information, not counting the hash of the EB.
281
283
282
284
-*Voter identity:* 32 bytes
283
-
-*Number of votes cast:*2 bytes
284
-
-*Proof of right to vote:* 80 bytes
285
-
-*Signature:*32 bytes
285
+
-*Number of votes cast:*1 bytes
286
+
-*ECVRF signature on pipeline identifier and nonce:* 80 bytes
287
+
-*Compressed BLS12-381 signature:*96 bytes
286
288
287
-
The above assumes that the keys for verifying the signature have already been transmitted. If the signature were a full KES signature, then it would be at least 416 bytes instead of 32 bytes, though the signed time of 32 bytes would be common to all votes of a given pipeline.
289
+
The above assumes that the keys for verifying the signature and the proof of possession have already been transmitted. These would need to be registered on the chain, presumably on the Praos chain.
290
+
291
+
Instead of ephemeral keys, if the signature were a full KES signature, then it would be at least 448 bytes instead of 96 bytes, though the signed time of 32 bytes would be common to all votes of a given pipeline.
So, we have two scenarios for the minimal size of a vote.
302
+
Much of larger size of the KES signature size comes from the Merkle path needed to prove the currently active key. If voting occurs frequently in Leios, that proof would be repeated many times using the 36-hour KES period. Perhaps that proof would only have to be recorded in a certificate during the node's first vote during a KES period. Also, MUSEN is an alternative to KES, but it still suffers from large descriptions of the evolved keys. So, in essence, we have two scenarios for the minimal size of a vote.
299
303
300
-
| Method | Common to all votes for a given EB | Specific to individual vote | Total |
| Ephemeral key| 32 B |209 B |241 B | The ephemeral keys would have to have been registered on-chain. |
307
+
| KES key| 64 B |529 B |593 B | The KES Merkle path for stays constant for one KES period (e.g, 36 hours).|
304
308
305
309
However, it has not been decided what types of keys and signatures will be used for Leios votes. Key considerations are . . .
306
310
@@ -492,20 +496,27 @@ Using the previously mentioned ALBA parameters and setting $n_p / n = 0.9$, we s
492
496
493
497
#### BLS certificate
494
498
499
+
The BLS certificate describe in the Leios paper does not compress votes the way that ALBA does, so votes must be fully stored in the certificate. However, only a quorum of votes, not all of them, need to be stored, which affords a type of compression. Additionally, two aggregate signature must also be stored. A certificate for a quorum of votes attested by ephemeral keys would fit in a Praos block, but a certificate attested by KES keys is about 50% too large.
495
500
496
-
> [!IMPORTANT]
497
-
>
498
-
> -[ ] To be written
501
+
| Method | Common to all votes | Specific to individual vote | Aggregation | Number of votes | Certificate of all votes | Quorum | Certificate of quorum |
| Ephemeral key | 32 B | 209 B | 192 B | 500 | 105 kB | 60% | 63 kB |
504
+
| KES key | 64 B | 529 B | 192 B | 500 | 265 kB | 60% | 159 kB |
499
505
506
+
Also recall that any ephemeral keys would have to be registered on-chain, consuming additional precious space and complicating bookkeeping: that would only provide benefit if the keys were reused for many votes. It might also be possible to only store the Merkle proof for the KES key only at the start of the KES period (e.g., every 36 hours).
500
507
501
-
#### MUSEN certificate
508
+
The construction and verification times below are based on previous experience with Mithril certificates:
502
509
503
-
> [!IMPORTANT]
504
-
>
505
-
> -[ ] To be written
506
-
> -[ ] Include benchmark results
510
+
| Metric | Value |
511
+
| ----------------------------------- | ----- |
512
+
| Proving time (per vote) | 70 ms |
513
+
| Aggregation time (per certificate) | 1.2 s |
514
+
| Verification time (per certificate) | 17 ms |
515
+
516
+
517
+
#### MUSEN certificate
507
518
508
-
[MUSEN](https://iohk.io/en/research/library/papers/musen-aggregatable-key-evolving-verifiable-random-functions-and-applications/) ("MUlti-Stage key-Evolving verifiable random fuNctions.") builds upon the concept of VRFs by introducing a key-evolving feature and allowing for aggregating VRF outputs. The aggregation capability promises to result in small certificates attesting to the Leios votes. However, verification times may be to long for Leios.
519
+
[MUSEN](https://iohk.io/en/research/library/papers/musen-aggregatable-key-evolving-verifiable-random-functions-and-applications/) ("MUlti-Stage key-Evolving verifiable random fuNctions.") builds upon the concept of VRFs by introducing a key-evolving feature and allowing for aggregating VRF outputs. The aggregation capability promises to result in small certificates attesting to the Leios votes, MUSEN suffers from the need to record all of the verification keys (e.g., in a Merkle tree). MUSEN signature are approximately the same size as KES signatures. However, verification times may be too long for Leios. Overall, the benefit of MUSEN's key evolution is minor and its other resource costs may be greater than plain BLS.
509
520
510
521
511
522
### Insights regarding voting and certificates
@@ -519,6 +530,9 @@ Using the previously mentioned ALBA parameters and setting $n_p / n = 0.9$, we s
519
530
1. Each has at least one strength and one drawback related to certificate size, proof time, or verification time.
520
531
2. ALBA is close to being viable if vote size can reduced or if quorum disruption by adversaries with 10% of stake is acceptable.
521
532
3. An ALBA security setting of $\ell_\text{sec} = \ell_\text{rel} = 80$ (i.e., eighty-bit security) seems sufficient for Leios voting.
533
+
4. BLS is viable if ephemeral keys are used, but those would require pre-registration.
534
+
5. BLS with KES keys could work if oversized Praos blocks (~160 kB) are allowed.
535
+
6. ZK variants would result in small certificates but long proving times.
522
536
3. At least 500 votes and a 60% quorum will be needed.
523
537
1. These parameters ensure voting security at least as strong as Praos security over a range of adversary strengths.
0 commit comments