From 1e5f1d5550e5b2efe9d290aa8de8ce4b235eb513 Mon Sep 17 00:00:00 2001 From: Wolfgang Welz Date: Thu, 8 Sep 2022 11:59:59 +0200 Subject: [PATCH] TIP-29 Milestone Payload (Stardust) (#69) * add TIP-30 * Swap TIP number * Introduce new payload type value * Add metadata * Update with milestone options * update receipt TIP * Clarify encapsulating message * Remove PoW Milestone Option The PoW option will be part of the upcoming Dynamic PoW TIP * Changes "Last Milestone ID" to "Previous Milestone ID" * Rename "messages" to "blocks" * Add WIP Protocol Parameteres Milestone Option * Add Protocol Version to Milestone Essence * describe Protocol Parameters Milestone Option validation * add Metadata limit * Fix typo * Remove PoW option comment * remove nonce reference * Update tips/TIP-0029/tip-0029.md Co-authored-by: muXxer * Update tips/TIP-0029/tip-0029.md Co-authored-by: muXxer * remove leagacy IOTA reference Co-authored-by: Levente Pap Co-authored-by: muXxer --- tips/TIP-0029/tip-0029.md | 295 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 295 insertions(+) create mode 100644 tips/TIP-0029/tip-0029.md diff --git a/tips/TIP-0029/tip-0029.md b/tips/TIP-0029/tip-0029.md new file mode 100644 index 000000000..ca217323c --- /dev/null +++ b/tips/TIP-0029/tip-0029.md @@ -0,0 +1,295 @@ +--- +tip: 29 +title: Milestone Payload +description: Coordinator issued milestone payload with Ed25519 authentication +author: Angelo Capossele (@capossele) , Wolfgang Welz (@Wollac) +discussions-to: https://github.com/iotaledger/tips/pull/69 +status: Draft +type: Standards +layer: Core +created: 2022-03-25 +replaces: 8 +--- + +# Abstract + +In IOTA, nodes use the milestones issued by the Coordinator to reach a consensus on which transactions are confirmed. This TIP proposes a milestone payload for the blocks described in the IOTA protocol [TIP-24](../TIP-0024/tip-0024.md). It uses Edwards-curve Digital Signature Algorithm (EdDSA) to authenticate the milestones. + +# Motivation + +In order to integrate the concept of milestones consistently into Tangle blocks, this TIP describes a dedicated payload type for milestones. In this context, the document also describes how Ed25519 signatures are used to assure authenticity of the issued milestones. In order to make the management and security of the used private keys easier, simple multisignature features with support for key rotation have been added. + +# Specification + +The [BLAKE2b-256](https://tools.ietf.org/html/rfc7693) hash of the _Milestone Essence_, consisting of the actual milestone information (like its index number or position in the tangle), is signed using the Ed25519 signature scheme as described in the IRTF [RFC 8032](https://tools.ietf.org/html/rfc8032). + +To increase the security of the design, a milestone can (optionally) be independently signed by multiple keys at once. These keys should be operated by detached signature provider services running on independent infrastructure elements. This assists in mitigating the risk of an attacker having access to all the key material necessary for forging milestones. While the Coordinator takes responsibility for forming Milestone Payload Blocks, it delegates signing in to these providers through an ad-hoc RPC connector. Mutual authentication should be enforced between the Coordinator and the signature providers: a [client-authenticated TLS handshake](https://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake) scheme is advisable. To increase the flexibility of the mechanism, nodes can be configured to require a quorum of valid signatures to consider a milestone as genuine. + +In addition, a key rotation policy can also be enforced by limiting key validity to certain milestone intervals. Accordingly, nodes need to know which public keys are applicable for which milestone index. This can be provided by configuring a list of entries consisting of the following fields: +- _Index Range_ providing the interval of milestone indices for which this entry is valid. The interval must not overlap with any other entry. +- _Applicable Public Keys_ defining the set of valid public keys. +- _Signature Threshold_ specifying the minimum number of valid signatures. Must be at least one and not greater than the number of _Applicable Public Keys_. + +## Milestone ID + +The _Milestone ID_ is the BLAKE2b-256 hash of the serialized _Milestone Essence_. +It is important to note that the signatures do not impact the _Milestone ID_. + +## Structure + +### Serialized Layout + +All values are serialized in little-endian encoding. The serialized form of the milestone is deterministic, meaning the same logical milestone always results in the same serialized byte sequence. + +The following table describes the entirety of a _Milestone Payload_ in its serialized form following the notation from [TIP-21](../TIP-0021/tip-0021.md): + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
Payload Typeuint32Set to value 7 to denote a Milestone Payload.
Essence oneOf +
+ Milestone Essence +
Describes the signed part of a Milestone Payload.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
Index Numberuint32The index number of the milestone.
Timestampuint32The Unix time (seconds since Unix epoch) at which the milestone was issued.
Protocol Versionuint8The protocol version of the Milestone Payload and its block.
Previous Milestone IDByteArray[32]The Milestone ID of the milestone with Index Number - 1.
Parents Countuint8The number of parents referenced by this milestone.
Parents anyOf +
+ Parent +
A block that is directly referenced by this milestone.
+ + + + + + + + + + + +
NameTypeDescription
Block IDByteArray[32]The Block ID of the parent.
+
+
Inclusion Merkle RootByteArray[32]The Merkle tree hash (BLAKE2b-256) of the Block IDs of all blocks included by this milestone.
Applied Merkle RootByteArray[32]The Merkle tree hash (BLAKE2b-256) of the Block IDs of all blocks applied by this milestone that contain a state-mutating transaction (see TIP-4).
Metadata(uint16)ByteArrayBinary data only relevant to the milestone issuer, e.g. internal state. A leading uint16 denotes its length.
Options Countuint8The number of milestone options following.
Options atMostOneOfEach +
+ Receipts Milestone Option +
Defines UTXOs for newly migrated funds.
+
+
+ Protocol Parameters Milestone Option +
Defines dynamic changes to the protocol parameters.
+
+
+
+
Signatures Countuint8The number of signature entries following.
Signatures anyOf +
+ Ed25519 Signature + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
Signature Typeuint8 + Set to value 0 to denote an Ed25519 Signature. +
Public KeyByteArray[32]The Ed25519 public key of the signature.
SignatureByteArray[64]The Ed25519 signature signing the BLAKE2b-256 hash of the serialized Milestone Essence.
+
+
+ +### Milestone options + +The `Options` field holds additional data authenticated by the milestone. + +The following table lists all the `Milestone Option Type` that are currently supported as well as links to the corresponding specification: + +| Payload Name | Type Value | TIP | +|---------------------|------------|-------------------------------------------------------------| +| Receipt | 0 | [TIP-34](../TIP-0034/tip-0034.md#receipt-milestone-option) | +| Protocol Parameters | 1 | [TIP-29](#protocol-parameters-milestone-option) | + +#### Protocol Parameters Milestone Option + +This `Milestone Option` is used to signal to nodes the commencing of new protocol parameters, including new protocol +version or PoW difficulty. + +
+Protocol Parameters Milestone Option +
+ Defines changing protocol parameters. +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
Milestone Option Typeuint8Set to value 1 to denote a Protocol Parameters Milestone Option.
Target Milestone Indexuint32The milestone index at which these protocol parameters become active.
Protocol Versionuint8The to be applied protocol version.
Parameters(uint16)ByteArrayThe protocol parameters in binary, serialized form.
+ +##### Syntactic Validation + - `Target Milestone Index` must be greater than `Index Number` of the milestone it is contained in. + - `Target Milestone Index` must be less than or equal to `Index Number` + 30. (This value is fixed and technically not a protocol parameter as defined in [TIP-22](../TIP-0022/tip-0022.md), as it should not be subject to protocol parameter changes induced by this option.) + - `length(Parameters)` must not exceed `Max Metadata Length`. + +## Milestone Validation + +Similar to transaction validation, milestone validation has been separated into two classes. For a milestone to be valid, both of them need to be true. + +### Syntactic validation + +Syntactic validation can be checked from the _Milestone Essence_ plus the blocks in the past cone referenced by it. + +- Essence: + - `Index Number` must not be smaller than `First Milestone Index`. + - If `Index Number` equals `First Milestone Index`, the following fields must be zeroed out: + - `Previous Milestone ID` + - `Inclusion Merkle Root` + - `Applied Merkle Root` + - If `Index Number` is greater than `First Milestone Index`, the milestone must reference (i.e. one of the `Parents` must contain or reference) another syntactically valid milestone whose _Milestone ID_ matches `Previous Milestone ID`. With respect to that referenced milestone, the following must hold: + - `Index Number` must increment by `1`. + - `Timestamp` must be strictly larger (i.e. at least one second later). + - `Inlcusion Merkle Root` must match the Merkle tree hash of the IDs of all blocks in _White Flag Ordering_ (as described in TIP-2) that are newly referenced. (This always includes at least one valid milestone block with `Previous Milestone ID`.) + - `Applied Merkle Root` must match the Merkle tree hash of the not-ignored state-mutating transactions that are newly referenced (see TIP-2). + - `Parents` must match the `Parents` field of the encapsulating _Block_, i.e. the _Block_ that contains the _Milestone Payload_. + - `length(Metadata)` must not exceed `Max Metadata Length`. + - Options: + - `Milestone Option Type` must match one of the values described under [Milestone Options](#milestone-options). + - The option itself must pass syntactic validation. + - The options must be sorted in ascending order based on their `Milestone Option Type`. +- Signatures: + - `Signatures Count` must be at least the _Signature Threshold_ and at most the number of _Applicable Public Keys_ for the current milestone index. + - For each signature block the following must be true: + - `Signature Type` value must denote an `Ed25519 Signature`. + - `Public Key` must be contained in _Applicable Public Keys_ for the current milestone index. + - `Signature` must contain a valid signature for `Public Key`. + - The signature blocks must be sorted with respect to their `Public Key` in lexicographical order. + - Each `Public Key` must be unique. +- Given the type and length information, the _Milestone Payload_ must consume the entire byte array of the `Payload` field of the _Block_. + +### Semantic validation + +Semantic validation is defined in the context of all available blocks. + +- The milestone chain must not fork, i.e. there must not be two different, syntactically valid milestones with the same `Index Number`. In case of a fork, the correct state of the ledger cannot be derived from the milestones alone and usually the node implementation should alert the user and halt. + +# Rationale + +- Due to the layered design of blocks and payloads, it is practically not possible to prevent reattachments of _Milestone Payloads_. Hence, this payload has been designed in a way to be independent from the block it is contained in. A milestone should be considered as a virtual marker (referencing `Parents`) rather than an actual block in the Tangle. This concept is compatible with reattachments and supports a cleaner separation of the block layers. +- Forcing matching `Parents` in the _Milestone Payload_ and its block makes it impossible to reattach the same payload at different positions in the Tangle. Strictly speaking, this violates the separation of payload and block. However, it simplifies milestone processing as the position of the block will be the same as the position encoded in the Milestone Payload. Having these clear structural properties seems to be more desirable than a strict separation of layers. +- While it is always possible to cryptographically prove that a block was confirmed by a given milestone by supplying all the blocks of a path from the milestone to the block, such a proof can become rather large (depending on the blocks). To simplify such proof-of-inclusions, the `Inclusion Merkle Root` of all the included blocks has been added. + +# Copyright + +Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).