gitlab.com/SiaPrime/SiaPrime@v1.4.1/doc/Consensus.md (about) 1 Consensus Rules 2 =============== 3 4 This document is meant to provide a good high level overview of the SiaPrime 5 cryptosystem, but does not fully explain all of the small details. The most 6 accurate explanation of the consensus rules is the consensus package (and all 7 dependencies). 8 9 This document will be more understandable if you have a general understanding 10 of proof of work blockchains, and does not try to build up from first 11 principles. 12 13 Cryptographic Algorithms 14 ------------------------ 15 16 SiaPrime uses cryptographic hashing and cryptographic signing, each of which has 17 many potentially secure algorithms that can be used. We acknowledge our 18 inexperience, and that we have chosen these algorithms not because of our own 19 confidence in their properties, but because other people seem confident in 20 their properties. 21 22 For hashing, our primary goal is to use an algorithm that cannot be merge mined 23 with Bitcoin, even partially. A secondary goal is hashing speed on consumer 24 hardware, including phones and other low power devices. 25 26 For signing, our primary goal is verification speed. A secondary goal is an 27 algorithm that supports HD keys. A tertiary goal is an algorithm that supports 28 threshold signatures. 29 30 #### Hashing: blake2b 31 32 [blake2b](http://en.wikipedia.org/wiki/BLAKE_%28hash_function%29#BLAKE2 "Wiki page") has been chosen as a hashing algorithm because it is fast, it has had 33 substantial review, and it has invulnerability to length extension attacks. 34 Another particularly important feature of BLAKE2b is that it is not SHA-2. We 35 wish to avoid merge mining with Bitcoin, because that may result in many 36 apathetic Bitcoin miners mining on our blockchain, which may make soft forks 37 harder to coordinate. 38 39 #### Signatures: variable type signatures 40 41 Each public key will have an specifier (a 16 byte array) and a byte slice 42 containing an encoding of the public key. The specifier will tell the 43 signature verification which signing algorithm to use when verifying a 44 signature. Each signature will be a byte slice, the encoding can be 45 determined by looking at the specifier of the corresponding public key. 46 47 This method allows new signature types to be easily added to the currency in 48 a way that does not invalidate existing outputs and keys. Adding a new 49 signature type requires a soft fork, but allows easy protection against 50 cryptographic breaks, and easy migration to new cryptography if there are any 51 breakthroughs in areas like verification speed, ring signatures, etc. 52 53 Allowed algorithms: 54 55 ed25519: The specifier must match the string "ed25519". The public key 56 must be encoded into 32 bytes. Signatures and public keys will need to 57 follow the ed25519 specification. More information can be found at 58 ed25519.cr.yp.to 59 60 entropy: The specifier must match the string "entropy". The signature will 61 always be invalid. This provides a way to add entropy buffers to 62 SpendCondition objects to protect low entropy information, while being able 63 to prove that the entropy buffers are invalid public keys. 64 65 There are plans to also add ECDSA secp256k1 and Schnorr secp256k1. New 66 signing algorithms can be added to SiaPrime through a soft fork, because 67 unrecognized algorithm types are always considered to have valid signatures. 68 69 Currency 70 -------- 71 72 The SiaPrime cryptosystem has two types of currency. The first is the siaprimecoin. 73 siaprimecoins are generated every block and distributed to the miners. These miners 74 can then use the siaprimecoins to fund file contracts, or can send the siaprimecoins to 75 other parties. The siaprimecoin is represented by an infinite precision unsigned 76 integer. 77 78 The second currency in the SiaPrime cryptosystem is the siaprimefund, which is a special 79 asset limited to 10,000 indivisible units. Each time a file contract payout is 80 made, 3.9% of the payout is put into the siaprimefund pool. The number of siaprimecoins 81 in the siaprimefund pool must always be divisible by 10,000; the number of coins 82 taken from the payout is rounded down to the nearest 10,000. The siaprimefund is 83 also represented by an infinite precision unsigned integer. 84 85 Siaprimefund owners can collect the siaprimecoins in the siaprimefund pool. For every 10,000 86 siaprimecoins added to the siaprimefund pool, a siaprimefund owner can withdraw 1 siaprimecoin. 87 Approx. 8790 siaprimefunds are owned by Nebulous Inc. The remaining siaprimefunds are 88 owned by early backers of the Sia project. 89 90 There are future plans to enable sidechain compatibility with SiaPrime. This would 91 allow other currencies such as Bitcoin to be spent in all the same places that 92 the siaprimecoin can be spent. 93 94 Marshalling 95 ----------- 96 97 Many of the SiaPrime types need to be hashed at some point, which requires having a 98 consistent algorithm for marshalling types into a set of bytes that can be 99 hashed. The following rules are used for hashing: 100 101 - Integers are little-endian, and are always encoded as 8 bytes. 102 - Bools are encoded as one byte, where zero is false and one is true. 103 - Variable length types such as strings are prefaced by 8 bytes containing 104 their length. 105 - Arrays and structs are encoded as their individual elements concatenated 106 together. The ordering of the struct is determined by the struct definition. 107 There is only one way to encode each struct. 108 - The Currency type (an infinite precision integer) is encoded in big endian 109 using as many bytes as necessary to represent the underlying number. As it 110 is a variable length type, it is prefixed by 8 bytes containing the length. 111 112 Block Size 113 ---------- 114 115 The maximum block size is 2e6 bytes. There is no limit on transaction size, 116 though it must fit inside of the block. Most miners enforce a size limit of 117 16e3 bytes per transaction. 118 119 Block Timestamps 120 ---------------- 121 122 Each block has a minimum allowed timestamp. The minimum timestamp is found by 123 taking the median timestamp of the previous 11 blocks. If there are not 11 124 previous blocks, the genesis timestamp is used repeatedly. 125 126 Blocks will be rejected if they are timestamped more than three hours in the 127 future, but can be accepted again once enough time has passed. 128 129 Block ID 130 -------- 131 132 The ID of a block is derived using: 133 Hash(Parent Block ID + 64 bit Nonce + Timestamp + Block Merkle Root) 134 135 The block Merkle root is obtained by creating a Merkle tree whose leaves are 136 the hashes of the miner outputs (one leaf per miner output), and the hashes of 137 the transactions (one leaf per transaction). 138 139 Block Target 140 ------------ 141 142 A running tally is maintained which keeps the total difficulty and total time 143 passed across all blocks. The total difficulty can be divided by the total time 144 to get a hashrate. The total is multiplied by 0.995 each block, to keep 145 exponential preference on recent blocks with a half life of 144 data points. 146 This is about 24 hours. This estimated hashrate is assumed to closely match the 147 actual hashrate on the network. 148 149 There is a target block time. If the difficulty increases or decreases, the 150 total amount of time that has passed will be more or less than the target amount 151 of time passed for the current height. To counteract this, the target block time 152 for each block is adjusted based on how far away from the desired total time 153 passed the current total time passed is. If the total time passed is too low, 154 blocks are targeted to be slightly longer, which helps to correct the network. 155 And if the total time passed is too high, blocks are targeted to be slightly 156 shorter, to help correct the network. 157 158 High variance in block times means that the corrective action should not be very 159 strong if the total time passed has only missed the target time passed by a few 160 hours. But if the total time passed is significantly off, the block time 161 corrections should be much stronger. The square of the total deviation is used 162 to figure out what the adjustment should be. At 10,000 seconds variance (about 3 163 hours), blocks will be adjusted by 10 seconds each. At 20,000 seconds, blocks 164 will be adjusted by 40 seconds each, a 4x adjustment for 2x the error. And at 165 40,000 seconds, blocks will be adjusted by 160 seconds each, and so on. 166 167 The total amount of blocktime adjustment is capped to 1/3 and 3x the target 168 blocktime, to prevent too much disruption on the network. If blocks are actually 169 coming out 3x as fast as intended, there will be a (temporary) significant 170 increase on the amount of strain on nodes to process blocks. And at 1/3 the 171 target blocktime, the total blockchain throughput will decrease dramatically. 172 173 Finally, one extra cap is applied to the difficulty adjustment - the difficulty 174 of finding a block is not allowed to change more than 0.4% every block. This 175 maps to a total possible difficulty change of 55x across 1008 blocks. This clamp 176 helps to prevent wild swings when the hashrate increases or decreases rapidly on 177 the network, and it also limits the amount of damange that a malicious attacker 178 can do if performing a difficulty raising attack. 179 180 It should be noted that the timestamp of a block does not impact the difficulty 181 of the block that follows it, as this can be exploited by selfish miners. 182 Instead, a block does not impact the difficulty adjustment for 2 blocks. This 183 can still be exploited by selfish miners, however the gains they get from 184 exploiting this are massively reduced and make no substantial impact on the 185 overall effectiveness of selfish mining. 186 187 Block Subsidy 188 ------------- 189 190 The coinbase for a block is (300,000 - height) * 10^24, with a minimum of 191 30,000 \* 10^24. Any miner fees get added to the coinbase to create the block 192 subsidy. The block subsidy is then given to multiple outputs, called the miner 193 payouts. The total value of the miner payouts must equal the block subsidy. 194 195 The ids of the outputs created by the miner payouts is determined by taking the 196 block id and concatenating the index of the payout that the output corresponds 197 to. 198 199 The outputs created by the block subsidy cannot be spent for 50 blocks, and are 200 not considered a part of the consensus set until 50 blocks have transpired. 201 This limitation is in place because a simple blockchain reorganization is 202 enough to invalidate the output; double spend attacks and false spend attacks 203 are much easier to execute. 204 205 Transactions 206 ------------ 207 208 A Transaction is composed of the following: 209 210 - siaprimecoin Inputs 211 - siaprimecoin Outputs 212 - File Contracts 213 - File Contract Revisions 214 - Storage Proofs 215 - siaprimefund Inputs 216 - siaprimefund Outputs 217 - Miner Fees 218 - Arbitrary Data 219 - Transaction Signatures 220 221 The sum of all the siaprimecoin inputs must equal the sum of all the miner fees, 222 siaprimecoin outputs, and file contract payouts. There can be no leftovers. The sum 223 of all siaprimefund inputs must equal the sum of all siaprimefund outputs. 224 225 Several objects have unlock hashes. An unlock hash is the Merkle root of the 226 'unlock conditions' object. The unlock conditions contain a timelock, a number 227 of required signatures, and a set of public keys that can be used during 228 signing. 229 230 The Merkle root of the unlock condition objects is formed by taking the Merkle 231 root of a tree whose leaves are the timelock, the public keys (one leaf per 232 key), and the number of signatures. This ordering is chosen specifically 233 because the timelock and the number of signatures are low entropy. By using 234 random data as the first and last public key, you can make it safe to reveal 235 any of the public keys without revealing the low entropy items. 236 237 The unlock conditions cannot be satisfied until enough signatures have 238 provided, and until the height of the blockchain is at least equal to the value 239 of the timelock. 240 241 The unlock conditions contains a set of public keys which can each be used only 242 once when providing signatures. The same public key can be listed twice, which 243 means that it can be used twice. The number of required signatures indicates 244 how many public keys must be used to validate the input. If required signatures 245 is '0', the input is effectively 'anyone can spend'. If the required signature 246 count is greater than the number of public keys, the input is unspendable. 247 There must be exactly enough signatures. For example, if there are 3 public 248 keys and only two required signatures, then only two signatures can be included 249 into the transaction. 250 251 SiaPrimecoin Inputs 252 -------------- 253 254 Each input spends an output. The output being spent must exist in the consensus 255 set. The 'value' field of the output indicates how many siaprimecoins must be used 256 in the outputs of the transaction. Valid outputs are miner fees, siaprimecoin 257 outputs, and contract payouts. 258 259 SiaPrimecoin Outputs 260 --------------- 261 262 Siaprimecoin outputs contain a value and an unlock hash (also called a coin 263 address). The unlock hash is the Merkle root of the spend conditions that must 264 be met to spend the output. 265 266 File Contracts 267 -------------- 268 269 A file contract is an agreement by some party to prove they have a file at a 270 given point in time. The contract contains the Merkle root of the data being 271 stored, and the size in bytes of the data being stored. 272 273 The Merkle root is formed by breaking the file into 64 byte segments and 274 hashing each segment to form the leaves of the Merkle tree. The final segment 275 is not padded out. 276 277 The storage proof must be submitted between the 'WindowStart' and 'WindowEnd' 278 fields of the contract. There is a 'Payout', which indicates how many siaprimecoins 279 are given out when the storage proof is provided. 3.9% of this payout (rounded 280 down to the nearest 10,000) is put aside for the owners of siaprimefunds. If the 281 storage proof is provided and is valid, the remaining payout is put in an 282 output spendable by the 'valid proof spend hash', and if a valid storage proof 283 is not provided to the blockchain by 'end', the remaining payout is put in an 284 output spendable by the 'missed proof spend hash'. 285 286 All contracts must have a non-zero payout, 'start' must be before 'end', and 287 'start' must be greater than the current height of the blockchain. A storage 288 proof is acceptable if it is submitted in the block of height 'end'. 289 290 File contracts are created with a 'Revision Hash', which is the Merkle root of 291 an unlock conditions object. A 'file contract revision' can be submitted which 292 fulfills the unlock conditions object, resulting in the file contract being 293 replaced by a new file contract, as specified in the revision. 294 295 File Contract Revisions 296 ----------------------- 297 298 A file contract revision modifies a contract. File contracts have a revision 299 number, and any revision submitted to the blockchain must have a higher 300 revision number in order to be valid. Any field can be changed except for the 301 payout - siaprimecoins cannot be added to or removed from the file contract during a 302 revision, though the destination upon a successful or unsuccessful storage 303 proof can be changed. 304 305 The greatest application for file contract revisions is file-diff channels - a 306 file contract can be edited many times off-blockchain as a user uploads new or 307 different content to the host. This improves the overall scalability of SiaPrime. 308 309 Storage Proofs 310 -------------- 311 312 A storage proof transaction is any transaction containing a storage proof. 313 Storage proof transactions are not allowed to have siaprimecoin or siaprimefund outputs, 314 and are not allowed to have file contracts. 315 316 When creating a storage proof, you only prove that you have a single 64 byte 317 segment of the file. The piece that you must prove you have is chosen 318 randomly using the contract id and the id of the 'trigger block'. The 319 trigger block is the block at height 'Start' - 1, where 'Start' is the value 320 'Start' in the contract that the storage proof is fulfilling. 321 322 The file is composed of 64 byte segments whose hashes compose the leaves of a 323 Merkle tree. When proving you have the file, you must prove you have one of the 324 leaves. To determine which leaf, take the hash of the contract id concatenated 325 to the trigger block id, then take the numerical value of the result modulus 326 the number of segments: 327 328 Hash(file contract id + trigger block id) % num segments 329 330 The proof is formed by providing the 64 byte segment, and then the missing 331 hashes required to fill out the remaining tree. The total size of the proof 332 will be 64 bytes + 32 bytes * log(num segments), and can be verified by anybody 333 who knows the root hash and the file size. 334 335 Storage proof transactions are not allowed to have siaprimecoin outputs, siaprimefund 336 outputs, or contracts. All outputs created by the storage proofs cannot be 337 spent for 50 blocks. 338 339 These limits are in place because a simple blockchain reorganization can change 340 the trigger block, which will invalidate the storage proof and therefore the 341 entire transaction. This makes double spend attacks and false spend attacks 342 significantly easier to execute. 343 344 Siaprimefund Inputs 345 -------------- 346 347 A siaprimefund input works similar to a siaprimecoin input. It contains the id of a 348 siaprimefund output being spent, and the unlock conditions required to spend the 349 output. 350 351 A special output is created when a siaprimefund output is used as input. All of the 352 siaprimecoins that have accrued in the siaprimefund since its last spend are sent to the 353 'claim spend hash' found in the siaprimefund output, which is a normal siaprimecoin 354 address. The value of the siaprimecoin output is determined by taking the size of 355 the siaprimecoin pool when the output was created and comparing it to the current 356 size of the siaprimecoin pool. The equation is: 357 358 ((Current Pool Size - Previous Pool Size) / 10,000) * siaprimefund quantity 359 360 Like the miner outputs and the storage proof outputs, the siaprimefund output cannot 361 be spent for 50 blocks because the value of the output can change if the 362 blockchain reorganizes. Reorganizations will not however cause the transaction 363 to be invalidated, so the ban on contracts and outputs does not need to be in 364 place. 365 366 Siaprimefund Outputs 367 --------------- 368 369 Like siaprimecoin outputs, siaprimefund outputs contain a value and an unlock hash. The 370 value indicates the number of siaprimefunds that are put into the output, and the 371 unlock hash is the Merkle root of the unlock conditions object which allows the 372 output to be spent. 373 374 Siaprimefund outputs also contain a claim unlock hash field, which indicates the 375 unlock hash of the siaprimecoin output that is created when the siaprimefund output is 376 spent. The value of the output that gets created will depend on the growth of 377 the siaprimecoin pool between the creation and the spending of the output. This 378 growth is measured by storing a 'claim start', which indicates the size of the 379 siaprimefund pool at the moment the siaprimefund output was created. 380 381 Miner Fees 382 ---------- 383 384 A miner fee is a volume of siaprimecoins that get added to the block subsidy. 385 386 Arbitrary Data 387 -------------- 388 389 Arbitrary data is a set of data that is ignored by consensus. In the future, it 390 may be used for soft forks, paired with 'anyone can spend' transactions. In the 391 meantime, it is an easy way for third party applications to make use of the 392 siaprimecoin blockchain. 393 394 Transaction Signatures 395 ---------------------- 396 397 Each signature points to a single public key index in a single unlock 398 conditions object. No two signatures can point to the same public key index for 399 the same set of unlock conditions. 400 401 Each signature also contains a timelock, and is not valid until the blockchain 402 has reached a height equal to the timelock height. 403 404 Signatures also have a 'covered fields' object, which indicates which parts of 405 the transaction get included in the signature. There is a 'whole transaction' 406 flag, which indicates that every part of the transaction except for the 407 signatures gets included, which eliminates any malleability outside of the 408 signatures. The signatures can also be individually included, to enforce that 409 your signature is only valid if certain other signatures are present. 410 411 If the 'whole transaction' is not set, all fields need to be added manually, 412 and additional parties can add new fields, meaning the transaction will be 413 malleable. This does however allow other parties to add additional inputs, 414 fees, etc. after you have signed the transaction without invalidating your 415 signature. If the whole transaction flag is set, all other elements in the 416 covered fields object must be empty except for the signatures field. 417 418 The covered fields object contains a slice of indexes for each element of the 419 transaction (siaprimecoin inputs, miner fees, etc.). The slice must be sorted, and 420 there can be no repeated elements. 421 422 Entirely nonmalleable transactions can be achieved by setting the 'whole 423 transaction' flag and then providing the last signature, including every other 424 signature in your signature. Because no frivolous signatures are allowed, the 425 transaction cannot be changed without your signature being invalidated.