IntersectMBO / cardano-ledger

The ledger implementation and specifications of the Cardano blockchain.
Apache License 2.0

Add missing bnonce prose #2868

Open SebastienGllmt opened 2 years ago

SebastienGllmt commented 2 years ago

We have a prose description of bleader in the Shelley spec, but nowhere is bnonce ever described.

Notably, bleader is described as "indicates a possible leader for this slot", but it's not clear how a similar definition would apply to bnonce and if bnonce is the same thing as the nonce_vrf from the binary spec of previous eras.

JaredCorduan commented 2 years ago

The accessor functions bleader and bnonce are defined in "Figure 53: Block Definitions", right below the definition of BHBody.

The section that you are referring to, "12.9 Verifiable Random Function", is about the VRF checks. The first bullet point in that section describes that both the leader and the nonce VRF values are checked against their proofs in the block header body. The third bullet point describes an additional check involving the leader value, but there is no corresponding check for the nonce value.

The way that the VRF nonce value is used is described in the section "12.5 Update Nonce Transition" and in "Figure 60: Update Nonce rule".

The variable nonce_vrf in the CDDL specification does refer to the VRF nonce value. The accessor function bnonce retrieves the VRF nonce value from the block header body.

Does that clear everything up?

SebastienGllmt commented 2 years ago

Yes, the fact that we have an accessor is fine. The idea that we have some nonce that updates based off some deterministic function is fine. It doesn't explain why we need to run a 2nd VRF on this nonce though. If bleader "indicates a possible leader for this slot", then what is bnonce for?

Notably, I would expect something like this

bnonce is a second invocation of the vrf on the same key(?) and epoch nonce as bleader, but using a different seed(?) as input, which contributes to the epoch nonce for the next epoch. This is required because key missing insight here, which helps avoid stake grinding attacks.

JaredCorduan commented 2 years ago

I see. Section 12.1 (which is where I think this should live) is very sparse on prose; nothing in the block header body is explained.

on the same key(?)

yes

but using a different seed(?)

yes, see mkSeed and vrfChecks in the "VRF helper function" table (which sadly isn't numbered for some reason).

required because key missing insight here, which helps avoid stake grinding attacks.

The epoch nonce, and how it evolves, is the heart and soul of Ouroboros Praos. We could mention this, but without going into all the details. It's where the name "ouroboros" comes from: the snake eating its own tail is a reference to this entropy eating its own previous entropy.
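A simplified model of what the thread describes (two VRF invocations with the same key and epoch nonce but different seeds, and the bnonce output being folded into the nonce for the next epoch), added here as an illustration and not code from cardano-ledger or the Shelley spec. The VRF is replaced by a keyed hash, the seed tags and the hash-concatenation combinator are assumptions, and the epoch-boundary bookkeeping is simplified.

```python
import hashlib
import hmac

# Assumed per-purpose seed tags; the spec's real constants live in mkSeed.
SEED_LEADER = b"\x00"
SEED_NONCE = b"\x01"


def blake2b_256(data: bytes) -> bytes:
    return hashlib.blake2b(data, digest_size=32).digest()


def mk_seed(purpose: bytes, slot: int, epoch_nonce: bytes) -> bytes:
    # Same slot and epoch nonce for both VRF calls; only the purpose tag differs.
    return blake2b_256(purpose + slot.to_bytes(8, "big") + epoch_nonce)


def vrf_output(sk: bytes, seed: bytes) -> bytes:
    # Keyed-hash stand-in for the VRF output (constructed; a real VRF also
    # returns a proof that vrfChecks verifies against the pool's public key).
    return hmac.new(sk, seed, hashlib.blake2b).digest()[:32]


def block_vrf_values(sk: bytes, slot: int, epoch_nonce: bytes) -> tuple[bytes, bytes]:
    # bleader and bnonce: two invocations, same key and epoch nonce, different seeds.
    leader = vrf_output(sk, mk_seed(SEED_LEADER, slot, epoch_nonce))
    nonce = vrf_output(sk, mk_seed(SEED_NONCE, slot, epoch_nonce))
    return leader, nonce


def evolve(eta_v: bytes, block_nonce: bytes) -> bytes:
    # The Update Nonce step, modelled as a hash of the concatenation (assumed).
    return blake2b_256(eta_v + block_nonce)


def next_epoch_nonce(epoch_nonce: bytes, blocks: list[tuple[bytes, int]]) -> bytes:
    # Fold every block's bnonce output into the evolving nonce in slot order.
    # blocks: (pool secret key, slot). Starting from the current epoch nonce is
    # a simplification; the point is that each block's entropy feeds the next.
    eta_v = epoch_nonce
    for sk, slot in sorted(blocks, key=lambda b: b[1]):
        _leader, nonce = block_vrf_values(sk, slot, epoch_nonce)
        eta_v = evolve(eta_v, nonce)
    return eta_v


# Constructed sample: two pools producing three blocks in one epoch.
POOL_A, POOL_B = b"pool-a-secret", b"pool-b-secret"
EPOCH_NONCE = blake2b_256(b"genesis")
BLOCKS = [(POOL_A, 1), (POOL_B, 2), (POOL_A, 3)]
```

Dropping or altering any single block changes the resulting nonce, which is what "entropy eating its own previous entropy" means in practice.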