FIPXXXX: Introducing sealerID #993
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,112 @@ | ||||||||||||||||||||||||
| --- | ||||||||||||||||||||||||
| fip: "xxx" | ||||||||||||||||||||||||
| title: Introducing SealerID | ||||||||||||||||||||||||
| author: nicola (@nicola), irene (@irenegia), luca (@lucaniz), kuba (@Kubuxu) | ||||||||||||||||||||||||
| discussions-to: https://github.com/filecoin-project/FIPs/discussions/890 | ||||||||||||||||||||||||
| status: Draft | ||||||||||||||||||||||||
| type: Technical | ||||||||||||||||||||||||
| category: Core | ||||||||||||||||||||||||
| dependency: FIP0090 | ||||||||||||||||||||||||
| created: 2023-04-18 | ||||||||||||||||||||||||
| --- | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| # FIPXXXX: Introducing sealerID | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Simple Summary | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| This adds the notion of `sealerID`, which is used in the sealing process of NI-PoRep. In particular: | ||||||||||||||||||||||||
| * We add a new actor, the Sealer Actor so that SealerIDs can be registered; | ||||||||||||||||||||||||
| * `sealerID` can be used to create `ReplicaID` by parting running the SDR labeling algorithm; | ||||||||||||||||||||||||
| * `sealerID` is added to the parameters of the method `ProveCommitSectorsNI`. | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Abstract | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| With the current protocol, the party that creates the `ReplicaID` needs to use the same `minerID` that will be used for PoRep verifications. This implies that “pre-sealing” sectors is not a viable option: no sector can be sealed (ie, replica created) ahead of time, before knowing the identity of the miner actor who will own it. To enable this scenario, we introduce the concept of `sealerID` to be used in place of the `minerID` only during sealing. | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Motivation | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| We consider the scenario where Storage Providers want to delegate some of their activities to external parties that offer competitive services at lower costs. | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| In particular, we call **Sealing-as-a-Service (SaaS) Provider** an entity that runs all PoRep operations (labeling the graph, column commitments, MT generation, vanilla proofs and SNARKs generation) needed to get a replica and onboard the sector that contains it. | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| The SaaS then transfers the replica and the proofs to a **SaaS Client.** This is an SP that will onboard the sector with the replica R (ie, call a ProveCommit method) and will be responsible for storing R and proving validity of the corresponding sector (ie, running window- and winning-PoSt), and/or adding data to the committed capacity sector via SnapDeals. | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ### Addressed issues | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| 1. [solved already] With interactive PoRep the SaaS Provider and Client needs coordination and agreement (therefore trust) about the intermediate interaction with the chain (ie, sending commR on chain) and locking down PCD (PreCommitDeposit). This is resolved by using NI-PoRep [FIP0090](https://github.com/filecoin-project/FIPs/blob/master/FIPS/fip-0090.md) that requires no chain interaction and no deposit. | ||||||||||||||||||||||||
| 2. [solved by this FIP] Even with NI-PoRep, some coordination between the SaaS Provider and their client (SP) remains. Indeed during the labelling phase the SaaS Provider creates `ReplicaID` and for this it needs to use the `minerID` and `sectorNumber` from the SaaS Client who will receive the replica to be stored. If these values are not correctly used then the SNARK proof will not be valid. This means that a SaaS Provider needs to “wait” for the request (and info) from a SaaS client to seal sectors. In other words, this prevents a SaaS Provider from sealing sectors in advance using its HW at max capacity (and therefore reducing sealing cost for everyone). | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Specification | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| 1. We add a new type of actor: the Sealer Actor; | ||||||||||||||||||||||||
|
There was a problem hiding this comment.
Suggested change
Suggested change
|
||||||||||||||||||||||||
| - This can be a “disposable” actor, no need for an owner key. If something bad happens, create a new id. This is okay because no tokens are locked for this actor; | ||||||||||||||||||||||||
| - The Sealer Actor is a multiple instance type: Anyone can create a Sealer Actor and `sealerID` will simply be the actor ID. This ensures that the list of sealerIDs is disjoint from the list of minerIDs. | ||||||||||||||||||||||||
| - The new actor needs `sectorNumber` facilities: There is a map `sealerID -> [sealerSectorNumber]` in the state (that is, we have a list of used sector numbers for each sealer); Concretely this sector number list would be a bitfield as is the case of the miner actor. | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| 2. Modify the method `ProveCommitSectorsNI` to accept the sealerID to create `ReplicaID` . | ||||||||||||||||||||||||
| - Add a new field to `SectorNIActivationInfo` for passing the `SealerID`: | ||||||||||||||||||||||||
| - if empty, use the the minerID when creating the `ReplicaID` | ||||||||||||||||||||||||
rvagg marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||||||||||
| - if a value is passed, use this for `ReplicaID` (in the place of `minerID`) | ||||||||||||||||||||||||
| - Add a new field to `SectorNIActivationInfo` for passing `SealerSectorNumber`: | ||||||||||||||||||||||||
| - again, if we are in the case EMPTY_SEALER_ID, then `sealerSectorNumber` could either be ignored or enforced to be 0, otherwis eit is used for `ReplicaID`; | ||||||||||||||||||||||||
rvagg marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||||||||||
| - note that the miner actor identifies sectors internally using a `SectorID` structure with a `{minerID, sectorNumber}` pair. This is replaced by `{minerID, sectorNumber, minerSectorNumber}` where last value can be 0. | ||||||||||||||||||||||||
|
Comment on lines
+53
to
+59
There was a problem hiding this comment.
Suggested change
So does this get us closer to the diff on top of 0090 @irenegia @ZenGround0 ? |
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| 3. [optional/future] ACL (the sealer has control on who can activate their sealed sectors) | ||||||||||||||||||||||||
| - Store in the Sealer Actor another address: this is an address to a proxy contract that can be used to implement ACL. When an SP onboards a sector, then call to the Sealer Actor. If the ACL is enabled, then call the ACL contract. | ||||||||||||||||||||||||
| - TODOs: write the concrete interface to the ACL contract (eg, `check(sectorNumber, minerID) bool`)  | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
There was a problem hiding this comment. An idea from @jennijuju: One design direction to consider is making the SealerActor an Fevm actor. We could do this by writing a user contract that enforces sector numbers are only claimed once. Then when calling sealer id from miner actor we check that we are 1) calling evm actor 2) the bytecode of the evm actor matches the expected contract. Reasons for and against are pretty split so I don't know which to advocate for. Reasons FOR
Reasons AGAINST
@anorth @Kubuxu @Stebalien any thoughts? There was a problem hiding this comment. Moved design question to #890 (comment) so it’s more discoverable and trackable There was a problem hiding this comment. it seems to me that the conclusion here is to go with the original proposed design (sealer id in actor code and all other feature, as for example the ACL, in FEVM) There was a problem hiding this comment. The sketch of this spec looks fine, but it's missing a lot of detail at the moment.
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Rationale | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| The design aims to | ||||||||||||||||||||||||
| * Minimize changes with respect to the status quo, particularly maintaining `ReplicaID` as a unique identifier within the entire Filecoin ecosystem; | ||||||||||||||||||||||||
| * Provide future programmability. In particular, as regards the access control feature we decide to implement it using a proxy contract (instead of implementing it directly in the actor) in order to have the possibility of the final users (ie, SaaS providers) to personalize it. | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Backwards Compatibility | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
There was a problem hiding this comment. I've been looking into the use of prover_id and sector_number by the window post circuit. I think that these values do not need to match the prover_id and sector_number used by sealing as they are used for challenge generation independent of the sealing process. However if these values do need to be the same across sealing and post we will have to change miner actor state to keep around enough information to reconstruct the sealer id and sector number. There was a problem hiding this comment. Are there any other instances where we need the inputs to the ReplicaID (original sector number and prover id) after commiting a sector? Are there any reasons we might want these in the future? If so it is important to identify them so we can make sure we have enough information in the miner actor state. There was a problem hiding this comment.
Correct, they do not need to match. There was a problem hiding this comment.
@lucaniz and I checked for this, we did not find any
Nothing that come to mind to me now :) |
||||||||||||||||||||||||
| TODO | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Test Cases | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| TODO | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Security Considerations | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| * *Front-running Attacks* : | ||||||||||||||||||||||||
| * These are not rational (ie, termination fee will be paid by the front-runner SP); | ||||||||||||||||||||||||
| * If needed, we can implement ACL (see point 3 in the spec) to make this kind of attacks impossible. | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| * *Double spending a Sector*: TODO (add a signature done by sealer to make “double-spending” sectors detectable on chain); | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Incentive Considerations | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| The proposed change (ie, introducing the sealer id to completely decouple computation-heavy tasks for onboarding sector from the sector ownership) allows SaaS providers to seal sectors independently from the current demand and therefore to use their hardware at full capacity. This incentivises the creation of a market for CC sectors and lower the SP cost for onboarding CC sectors, which can later on be upgraded to useful storage via the SnapDeal protocol (`ReplicasUpdate3 `method). | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Product Considerations | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| Having SaaS providers and CC-sector markets lower the entry barrier for SPs to join the Filecoin network. Indeed, with this service in place SPs do not need to have the HW to run the PoRep step in house. Note that the HW for running winning- and window-PoSt is still needed. | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Implementations | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| TODO | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| ## Copyright Waiver | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/). | ||||||||||||||||||||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.