github.com/MetalBlockchain/metalgo@v1.11.9/vms/proposervm/README.md (about)

     1  # Snowman++: congestion control for Snowman VMs
     2  
     3  Snowman++ is a congestion control mechanism available for snowman VMs. Snowman++ can be activated on any snowman VM with no modifications to the VM internals. It is sufficient to wrap the target VM with a wrapper VM called `proposerVM` and to specify an activation time for the congestion-control mechanism. In this document we describe the high level features of Snowman++ and the implementation details of the `proposerVM`.
     4  
     5  ## Congestion control mechanism description
     6  
     7  Snowman++ introduces a **_soft proposer mechanism_** which attempts to select a single proposer with the power to issue a block, but opens up block production to every validator if sufficient time has passed without blocks being generated.
     8  
     9  At a high level, Snowman++ works as follows: for each block a small list of validators is randomly sampled, which will act as "proposers" for the next block. Each proposer is assigned a submission window: a proposer cannot submit its block before its submission window starts (the block would be deemed invalid), but it can submit its block after its submission window expires, competing with next proposers. If no block is produced by the proposers in their submission windows, any validator will be free to propose a block, as happens for ordinary snowman VMs.
    10  
    11  In the following we detail the block extensions, the proposers selection, and the validations introduced for Snowman++.
    12  
    13  ### Snowman++ block extension
    14  
    15  Snowman++ does not modify the blocks produced by the VM it is applied to. It extends these blocks with a header carrying the information needed to control block congestion.
    16  
    17  A standard block header contains the following fields:
    18  
    19  - `ParentID`, the ID of the parent's enriched block (Note: this is different from the inner block ID).
    20  - `Timestamp`, the local time at block production.
    21  - `PChainHeight` the height of the last accepted block on the P-chain at the time the block is produced.
    22  - `Certificate` the TLS certificate of the block producer, to verify the block signature.
    23  - `Signature` the signature attesting this block was proposed by the correct block producer.
    24  
    25  An Option block header contains the field:
    26  
    27  - `ParentID` the ID of the Oracle block to which the Option block is associated.
    28  
    29  Option blocks are not signed, as they are deterministically generated from their Oracle block.
    30  
    31  ### Snowman++ proposers selection mechanism
    32  
    33  For a given block, Snowman++ randomly selects a list of proposers. Block proposers are selected from the subnet's validators. Snowman++ extracts the list of a given subnet's validators from the P-Chain. Let a block have a height `H` and P-Chain height `P` recorded in its header. The proposers list for next block is generated independently but reproducibly by each node as follows:
    34  
    35  - Subnet validators active at block `P` are retrieved from P-chain.
    36  - Validators are canonically sorted by their `nodeID`.
    37  - A seed `S` is generated by xoring `H` and the chainID. The chainID inclusion makes sure that different seeds sequences are generated for different chains.
    38  - Validators are pseudo-randomly sampled without replacement by weight, seeded by `S`.
    39  - `maxWindows` number of subnet validators are retrieved in order from the sampled set. `maxWindows` is currently set to `6`.
    40  - The `maxWindows` validators are the next block's proposer list.
    41  
    42  Each proposer gets assigned a submission window of length `WindowDuration`. currently set at `5 seconds`.
    43  A proposer in position `i` in the proposers list has its submission windows starting `i × WindowDuration` after the parent block's timestamp. Any node can issue a block `maxWindows × WindowDuration` after the parent block's timestamp.
    44  
    45  ### Snowman++ validations
    46  
    47  The following validation rules are enforced:
    48  
    49  - Given a `proposervm.Block` **C** and its parent block **P**, **P**'s inner block must be **C**'s inner block's parent.
    50  - A block must have a `PChainHeight` that is larger or equal to its parent's `PChainHeight` (`PChainHeight` is monotonic).
    51  - A block must have a `PChainHeight` that is less or equal to current P-Chain height.
    52  - A block must have a `Timestamp` larger or equal to its parent's `Timestamp` (`Timestamp` is monotonic)
    53  - A block received by a node at time `t_local` must have a `Timestamp` such that `Timestamp < t_local + maxSkew` (a block too far in the future is invalid). `maxSkew` is currently set to `10 seconds`.
    54  - A block issued by a proposer `p` which has a position `i` in the current proposer list must have its timestamp at least `i × WindowDuration` seconds after its parent block's `Timestamp`. A block issued by a validator not contained in the first `maxWindows` positions in the proposal list must have its timestamp at least `maxWindows × WindowDuration` seconds after its parent block's `Timestamp`.
    55  - A block issued within a time window must have a valid `Signature`, i.e. the signature must be verified to have been by the proposer `Certificate` included in block header.
    56  - A `proposervm.Block`'s inner block must be valid.
    57  
    58  A `proposervm.Block` violating any of these rules will be marked as invalid. Note, however, that a `proposervm.Block` invalidity does not imply its inner block invalidity. Notably the validation rules above enforce the following invariants:
    59  
    60  - Only one verification attempt will be issued to a _valid_ inner block. On the contrary multiple verification calls can be issued to invalid inner blocks.
    61  - Rejection of a `proposervm.Block` does not entail rejection of inner block it wraps. This is necessary since different `proposervm.Blocks` can wrap the same inner block. Without proper handling this could result in an inner block being accepted after being rejected. Therefore, an inner block is only rejected when a sibling block is being accepted.
    62  
    63  ## ProposerVM Implementation Details
    64  
    65  Snowman++ must have an activation time, following which the congestion control mechanism will be enforced.
    66  
    67  ### Block Structure
    68  
    69  Generally speaking the `proposerVM` wraps an inner block generated by the inner VM into a `proposervm.Block`. Once the activation time has past, the `proposervm.Block` will attach a header to inner block, carrying all the fields necessary to implement the congestion mechanism. No changes are performed on the inner block, but the inclusion of the header does change the block ID and the serialized version of the block.
    70  
    71  There are three kinds of `proposervm.Blocks`:
    72  
    73  - `preForkBlock` is a simple wrapper of an inner block. A `preForkBlock` does not change the ID or serialization of an inner block; it's simply an in-memory object allowing correct verification of `preForkBlocks` (see [Execution modes](#execution-modes) section below for further details of why this is required).
    74  - `postForkBlock` adds congestion-control related fields to an inner block, resulting in a different ID and serialization than the inner block. Note that for such blocks, serialization is a two step process: the header is serialized at the `proposerVM` level, while the inner block serialization is deferred to the inner VM.
    75  - `postForkOption` wraps inner blocks that are associated with an Oracle Block. This enables oracle blocks to be issued without enforcing the congestion control mechanism. Similarly to `postForkBlocks`, this changes the block's ID and serialization.
    76  
    77  ### Execution modes
    78  
    79  When creating a `proposerVM`, one must specify an activation time following which the congestion control mechanism will be enforced. Therefore, the `proposerVM` must be able to execute before the mechanism is enforced, after the mechanism is enforced, and during the enabling of the mechanism.
    80  
    81  #### Pre-fork Execution
    82  
    83  Before the congestion control mechanism is enforced, it must hold that the chain's rules are unchanged.
    84  
    85  - `preForkBlocks` are the only blocks that are able to be verified successfully.
    86  
    87  #### Post-fork Execution
    88  
    89  After the congestion control mechanism is enforced, it must hold that the inner VM's rules are still enforced, and that blocks will only be verified if they are signed by the correct validator.
    90  
    91  - If an inner block's `Verify` is called, then it is enforced that the `proposervm.Blocks` additional verification must have already passed. This maintains the invariant that when `Verify` passes, either `Accept` or `Reject` will eventually be called on the block.
    92  - Given a parent block, there must be one deterministic proposer window for every child block. This ensures that modifying the child block doesn't allow conflicting proposal windows.
    93  - The proposal windows should rotate after each block, to avoid a single proposer from dominating the block production.
    94  - `postForkBlocks` are issued only when the local node's ID is currently in their proposal window.
    95  - `postForkOptions` are only allowed after a `postForkBlock` that implements `Options` and do not require signatures.
    96  
    97  #### Fork Transition Execution
    98  
    99  - Each `proposervm.Block` whose timestamp follows the activation time, must have its children made up of `postForkBlocks` or `postForkOptions`.