BUIP024: Extension Blocks with Address Sharding

[theZerg]

Proposal for your critical review, I'm not formally submitting this yet. Please respond with any comments you may have.

Part 1:

INTRODUCTION

If a hard fork becomes possible, we need technologies to be ready to take advantage of the opportunity. Today, the network is hobbled because every full node must receive and process every block and transaction. If M is the number of transactions, then every node's bandwidth, CPU and memory requirements are O(M). Since, every node must process all the data flowing through the entire network, the speed of the network is necessarily limited to the speed of the average node. This BUIP proposes a technology that will allow the Bitcoin network to scale to any level of use, by enabling O(log(M)) scaling by splitting (sharding) the network into regions where data does not need to be shared.

Current sharding proposals fail because they conflate the physicality of a node with a single trusted entity, and assume that every node should be capable of mining. In other words, in today's Bitcoin a node trusts only itself. This proposal separates these concepts into a physical machine (a node) with O(log(M)) requirements and a mining "trust entity" with O(M) requirements. The outcome of a breach of trust is not problematic to the network as a whole -- it is just punishing to the trust entity since the effect is that an invalid block is mined with the resulting loss of revenue.

If a node is not mining, there is no need to be part of a larger trust entity. Therefore, this proposal is no worse than Bitcoin today with respect to scalability of the mining trust entity, and much better for individual non-mining nodes and individual mining hardware.

This proposal does not address how trust entities can be formed because the formation mechanism does not affect the proper execution of this algorithm. The simplest mechanism is that a single individual or corporation can run multiple nodes. While some people may feel that this will encourage centralization of the network, this is already the reality of Bitcoin mining and mining pools today. And so it is foolish to limit Bitcoin's growth in an attempt to win a battle that has already been lost. One cannot fail-to-grow your way to success. However, other trust creation mechanisms are possible, such as mining at lower difficulty or block revenue sharing. Exploration and game-theoretic analysis of these organization mechanisms may result in algorithms that help decentralize the transaction validation and mining network by allowing trust entities to form by mutual self-interest.


Finally, arguably the most important aspect of Bitcoin's trustless nature is permissionless partcipitation. The property is preserved. If an individual cannot afford the hardware necessary to validate the entire network and mine blocks he/she can form a group and do so without the permission of the other participants in the network.


ARCHITECTURE

A new block header format is created that contains the SHA-256 hash of up to 8 shard-blocks. Any transaction may be found in the root block, but shard-block 0 may only contain transactions that contain addresses that (in binary) begins with bX000, shard-block 1's transactions' addresses begins with bX001, 2 bX010, and so on, where X is the prefix 1 for normal addresses and 3 for multisig addresses. This is simply a way of sharding the data, so it makes sense to ignore the common prefix in addresses. This proposal covers common address formats, but other address formats would have their own sharding algorithm which would be similar to what is described here.

Shard-blocks may contain shard-shard-blocks (shard-2-block) with a further specialization of address, recursively. Blocks MAY contain no shard-blocks at all, and do not need to contain shard-blocks across the entire address range. If an attacker creates a gigantic tree of shard-chains with few transactions, this will slow down validation so the block risks being orphaned. An option is to require that parent blocks be at least 75% full (say). However, this approach creates a parallelism problem where a machine working on a child shardchain cannot proceed until it knows which transactions the parent shardchain has used to fill its block. With no parent block fill requirement, transactions can be delivered to the machine working on a child shardchain as they come in.

When a transaction contains addresses with the same prefix, the transaction can be located within the shard-block designated for that prefix, or within any parent block.
Therefore paying across address prefixes requires a transaction in the common parent, which could ultimately be the root block for transactions with no common prefix.

Transactions may be sorted in the merkle tree (to implement fraud proofs) and the transaction format may be flex transactions depending on the status of those BUIPs. Anything not covered will default to the root block to ensure that this proposal can handle anything unanticipated in the submitted transactions.

P2P Network

Nodes will need to discover and keep track of where to access data for particular shardchains. This resource discovery problem in a peer-to-peer network is a well known problem solved by distribute hash table protocols like Chord, Tapestry, and Pastry. However, the number of shardchains is anticipated to be so much smaller than that of nodes and node (for the foreseeable future) that a simpler "degenerate" approach of every node simply storing the shardchain metadata of every other node it knows about is possible. A simple flood query protocol can be used to allow a node to request sources for shardchains.

Nodes will only relay transactions only to nodes that track the relevant shardchain, unless the node has no data about that chain. In that case, the node will relay the transaction to all its connected nodes.

 

[theZerg]

Part 2:

CONSEQUENCES

Non-mining Nodes (Individuals and Merchants)

A node could limit itself to storing a particular set of shard blockchains (shardchains) and all parents. It would therefore act as a "full" (fully validating) node for all addresses that fall into a shardchain that it stores. A double spend must exist in that shardchain or a parent so is easily detected by the node. The node would act as an "SPV" wallet for all shardchains that is is not storing. However at any time the node can start requesting blocks of a given shardchain (preferably from most recent to oldest) and thereby build confidence in the correctness of address ranges in that new shardchain. Therefore, the security model is the same as Bitcoin for all blocks that the individual's wallet chooses to download the shard's complete history.

By generating appropriately prefixed addresses just like we generate vanity addreses today, personal wallets can keep their addresses within a few shardchains.

An entity that handles a lot of transactions might have addresses in many shard blocks so that users can pay with addresses convenient for them.

Let us assume 3 main payment models in the world -- P2P, fan-in (high volume low value retail -- a coffee shop, for example), and fan-out (ad networks, for example). Individuals commonly typically engange in P2P use models (pay a friend) and fan-in models (buy things from a store). It is likely that a typical individual's daily P2P payment use is highly localized -- its a network of friends, family, and localized "yard-sale" like transactions. In these cases, if the shard-blocks were more-or-less localized with a specific economic sphere (this may happen naturally, or it may happen with some "help" via human's self-organizing), most of the P2P transactions would occur within a shardchain (remember that a single shardchain can handle the ENTIRE bitcoin economic activity happening today).

Companies with fan-in or fan-out models that could afford higher performance hardware or multiple nodes could keep track of and hold balances in many or all of the shardchains, and in the fan-in case, the QR code (or payment protocol) could be extended to offer several recipient address choices, allowing the sender's wallet to automatically choose a shardchain that he has a balance in. With these strategies, most of the transactions can occur in shardchains. This is not a requirement -- we will allow transactions to cross blocks as described next -- but companies might do this for efficiency reasons.

But there will be times when a transaction must cross blocks. These transactions will be stored in the shardchain that encompasses all address in the transaction. But the transaction's inputs may reference an output in a shardchain that the receiving node does not have. In this case, the receiving node can behave as a SPV wallet or start downloading that shardchain's blocks. If "Fraud Proofs" are deployed, the receiving node has even more validation ability -- it can selectively request blocks in a shardchain to ensure that the transaction exists within it. It would be the individual's choice as to how deeply he wants to validate the coin history in a shard that his client is not tracking. He could rely entirely on miners for validation, he could trace N weeks back in the blockchain, or he could have a trust relationship with a 3rd party service that is doing the tracking, similar to many mobile wallets today.


Miners/Mining Pools

Miners must validate all shardchains within a block or risk mining on an invalid block. However, miners can decompose this task onto multiple nodes that can even be geographically located near the majority of the activity on the shardchain, receive transactions for that shardchain directly from other nodes on the bitcoin P2P network, only forward the hash of the shard block to the "root" mining node, and serve the shard block locally. So as described above, although trust entity scope is O(M), the computing and network resource requirements only that of a portion of the tree of shardchains or O(log(M)).

Miners can delegate the validation of a shardchain to a third party that tracks that shardchain relatively safely (since most blocks will be valid, as an invalid block would cause loss of revenue for the miner of that block).


Fee Market

Competition for space within shardchains will increase as one moves towards the root because blocks closer to the root encompass a larger scope of transactions, and transactions that move coins between shard-chains MUST be placed closer to the root. Also, blocks closer to the root will be generated more often then blocks on the edge, if some miners only validate shardchain blocks or cannot generate a deep shard soon enough. A high transaction fee will encourage a miner to place the transaction in his blocks even if it is not mining the deepest shardchain that that transaction could be placed into.


CONCLUSION

1. Nearly infinite scalability

2. User clients do not require more bandwidth than today. They can be "full nodes" for regional transaction and SPV nodes (or full nodes if they want) for others.

3. Competition for cross block space or faster confirmation creates demand for transaction space closer to the root node, resulting in higher transaction fees -> fee market

4. Encouraging mining pools to start generating blocks in a new shardchain creates higher transaction fees -> fee market

5. Miners (hashers) do not need a higher bandwidth than today

6. Mining pools can distribute the validation work across multiple servers, and move the servers to the regions using different shardchains, rather then the transactions to the servers.

7. User clients with a lot of activity (corporations, exchanges, etc) can validate any/all shardchain "regions" and can delegate this validation to a network of machines.

 

[Peter Tschipper]

This looks really interesting...I'll need more time to read through it in detail.

 

[HelloGuy]

Oct. 10th, 2010, Satoshi said, "Another way they can become more practical is if I implement client-only mode and the number of network nodes consolidates into a smaller number of professional server farms. Whatever size micropayments you need will eventually be practical. "

https://bitcointalk.org/index.php?topic=287.msg7687#msg7687

I don't think Sharding should be a a necessary to be implemented, as it makes the protocol into a hyper complexity. Please don't fall into the trap of the "decentralization" created by some small blockers. If the transaction volume increases, let the block size increase. If the full nodes require more disk spaces, then let the full nodes to consolidate. If we need stronger database, then we develop bitcoin protocol clients that is friendly with server farm.

If we started to waste our intelligent resource and development resource into this idea, it means that we are leaving away the Satoshi vision and fall into the curt church of small blockers.

 

[theZerg]

Its actually pretty simple. Its a tree of blocks, rather than one huge array.

Trees are basic, well understood data structures. Inside the block, we already have a merkle tree of transactions...

The actual technical description took a few paragraphs... the rest of the BUIP is explaining the interesting consequences.

 

[Justus Ranvier]

I think the various ideas for sharding the block chain are examples of deving for the sake of deving, and have the potential to undermine the monetary aspect of Bitcoin.

Finally, arguably the most important aspect of Bitcoin's trustless nature is permissionless partcipitation. The property is preserved. If an individual cannot afford the hardware necessary to validate the entire network and mine blocks he/she can form a group and do so without the permission of the other participants in the network.

This paragraph undermines the rationale for the entire proposal. If it's acceptable for people who wish to validate the entire ledger to pool their resources to buy the necessary hardware, then sharding is neither necessary nor particularly helpful.

It is likely that a typical individual's daily P2P payment use is highly localized

If you build an architecture that locks in this use case by introducing artificial friction for transactions that cross shard boundaries, then you've undermined the monetary aspect of Bitcoin. You'll never see the non-local transactions which would have been possible but which your design made unaffordable.

 

[Justus Ranvier]

To expand a bit:

If the necessary changes are made to the protocol to allow for compact fraud proofs, then it turns out that achieves the what you're really trying to achieve with sharding without undesirable economic side effects.

The reasons a non-miner wants to run a node are:

1) Assurance of the validity of their incoming transactions
2) Assurance of the integrity of the currency supply

At the moment, 2) requires a complete copy of the blockchain because even if somebody else discovers an invalid transaction in a block, they can't provably communicate that fact to you (fraud proof).

If fraud proofs are possible to create, then any entity who knows that a transaction is fraudulent can produce one. Entities producing fraud proofs don't need the entire block chain - they can produce a fraud proof based on as much or as little blockchain knowledge they hold.

This means that validation when fraud proofs can be created is intrinsically sharded, without the introduction of artificial boundaries.

If a mobile phone can store 1% of the block chain, then it can detect 1% of possible double spends and broadcast a fraud proof in the event that it sees one. There's no reason to impose a shard boundary on this phone's verification capability - it can just choose a random 1% of the blockchain to store.

If your home PC can store 25% of the blockchain, then it can store a different random 25%. This difference in capabilities is another reason that sharding along artificial boundaries is counterproductive.

 

[theZerg]

Interesting... and I am very much in favor of fraud proofs.

I'm on my phone right now but my initial concerns are:

How can we be sure that every 1% has a "live" agent watching the network? If no one is watching a shard it won't get mined.

It seems like all txns would still need to be broadcast to every node with fraud proofs since we don't know which node can disprove which tx. Sharding allows you to not broadcast every tx to every node.

 

[Justus Ranvier]

It seems like all txns would still need to be broadcast to every node with fraud proofs since we don't know which node can disprove which tx. Sharding allows you to not broadcast every tx to every node.

The situation we have right now is that every node sees every transaction. It can validate the blockchain for itself, but its validation is entirely unportable. Even if they detect an invalid block (a block which contains an invalid transaction). there is no way they can communicate this knowledge to other users of the network.

Most Bitcoin users do not run their own node. They run clients which depend on the assumption that the majority of hashing power will not mine an invalid chain.

If you add fraud proofs, then suddenly the validation capability of all the existing node becomes portable. This means when they do detect an invalid block they can broadcast a short proof which allows every network user to know they should reject it.

This is an incredible security improvement over the status quo. The network is protected from invalid blocks even if a majority (or all!) of the hash power is mining the invalid chain as long as a minimum of one node is capable of detecting the fraud and broadcasting the proof.

Rebase the sharding proposal onto that scenario and the cost/benefit ratio doesn't look very appealing.

If you have a light client which lacks sufficient storage to store the full blockchain, and which lacks sufficient bandwidth to be a network peer, then we already have a capability in the protocol for allowing that node to receive a subset of broadcast transactions: bloom filters.

If you want to run a partially-validating node once fraud proofs are possible, simply store as much of the blockchain as you can based on the storage you have, and set bloom filters which consume as much bandwidth as you can afford to spare.

That algorithm can obviously be optimized, and it's a lot easier to do so if you aren't locked into being part of a defined shard.

 

[theZerg]

I don't think the bloom filter system works network wide. Bloom filters assume you are talking to a full node not another filtered node. If node A filters 10pct of the txns and I want another random 10pct then there will be a 1pct overlap. So I'd have to connect to many nodes to get what I need.

And we'd have to store and forward these bloom filters to everyone in the net for discovery (routing). These would be large blooms because we fill them with all the addrs we know about not just our own. And I haven't even addressed the false positive issue.

Sharding is an extremely compact and mostly static spec of what addresses a node tracks and actually can be tracked by every other node in the net.

 

[Justus Ranvier]

So I'd have to connect to many nodes to get what I need.

This is already true. It is also the case that existing client nodes that do are not complete (pruned, or SPV only) signal this so that other nodes that require a full node peer don't connect to them.

And we'd have to store and forward these bloom filters to everyone in the net for discovery (routing).

Why do you think discovery is necessary?

Sharding is an extremely compact and mostly static spec of what addresses a node tracks and actually can be tracked by every other node in the net.

Why do you think it's a good idea for a nodes to track what addresses other nodes track?

 

[theZerg]

I am aware of the privacy concerns around communicating to other nodes which address you track. And AFAIK this is why blooms are deprecated in Core. But a properly implemented client that creates a bloom filter that selects for many existing but unnecessary addresses may reduce this privacy issue.

So bloom filters and sharding are both a tradeoff between privacy and scalability. A shard of 1MB or more also dramatically reduces privacy issues -- its carries as much information as the 1MB blockchain is today, and so is likely as private. And a poorly implemented client cannot easily leak which addresses are of particular interest to it.

Discovery is necessary to ensure that transactions propagate through the Bitcoin network. With bloom filters or sharding, the Bitcoin network is essentially comprised of a set of subnetworks that will propagate transaction X. An issue is to ensure that every subnetwork is a connected graph. Otherwise transaction X will not propagate. Solving this problem for every address seems very difficult and space intensive if nodes can individually choose an individual set of addresses to track. And it becomes incredibly difficult, I would hypothesize it may be impossible to solve, if nodes claim to track address Y but actually do not (bloom filter collision).

On the other hand if addresses are sharded into large subsets with universally agreed upon boundaries, the problem becomes much simpler to solve and the data required to solve it much smaller.

With sharding a node doesn't have to connect to many nodes to get the data it needs, it only has to connect to a maximum of one node per shard, to handle all activity within those shards.

Of course, for activity outside of the shards it tracks it must behave like a SPV client today and contact many nodes. However, I believe in the locality of economic activity, essentially that economic activity is not a scaleless graph, and that those companies/services that are big enough to operate in multiple geographical regions are big enough to track multiple shards and therefore provide "local" addresses from the Bitcoin user's perspective.

 

[Justus Ranvier]

However, I believe in the locality of economic activity

Is it a good idea to irrevocably bake this economic hypothesis into the protocol rules?

 

[theZerg]

yes.

If this economic hypothesis is untrue then the sharded system is a bit better than Bitcoin is today because with sharding it is easy to run multiple machines who's combined effort covers the entire Blockchain.

If this hypothesis IS true then massive efficiencies can happen.

The best part is that its not one or the other -- its both simultaneously. Those entities that have economic locality benefit and those that do not simply must pay the presumably higher transaction fees for root block space or incur extra costs in hardware and network to track multiple shards and maintain addresses/balances there.

Other options also take advantage of economic locality although people may not be aware of this. For example, Lightning. It works much more efficiently if a single Lightning provider is connected to both the sender and receiver. Unfortunately, in Lightning's case the structure of the solution encourages centralization -- one Lightning provider that everyone is connected to will be able to offer cheaper transactions than having to route through 2 or more LN nodes. But address sharding encourages decentralization -- it is CHEAPER to place transactions in shard blocks instead of the root block.

Typically, there's no free lunch. If you want to compress data, you need to take advantage of the underlying data's structure and redundancy. If you want to optimize the network, you need to take advantage of data access patterns.

 

[Justus Ranvier]

@theZerg Nowhere in your post did you address the downsides if the hypothesis is false.

 

[HelloGuy]

@theZerg can we do the sharding concept later? Right now the Blockstream blocked the hard fork as a whole. We should push an acceptable hard fork plan, but not involve things that is hard to sell to conservavite hard fork.

 

[theZerg]

@Justus Ranvier did you mean in the BUIP or my recent post? I don't think that there are downsides if the economic locality hypothesis is false, as I said in my recent post. Regardless, you are forcing a false dichotomy. The economic locality hypothesis is clearly in the real world not entirely false or entirely true.

The question is what % of transactions should be able to take advantage of it? And if that number is nearly 0 (which its not, economic locality is well established) then for the majority of the people, the system is reduced to Bitcoin Unlimited as it exists today, except that blocks are divided into 1MB chunks rather than one huge block. And THAT change actually has enough advantages to the network that it is basically worth doing anyway. Jtoomim was working on it, he called it blocktorrent... except it became unnecessary at 1MB block sizes due to Xthin. However to show an extreme example, a 100MB block is going to benefit the network by being broken up into 10 10MB shards and then further XThin-ed down to 10 1MB blocks...

@HelloGuy No, we can't. I am not suggesting/insisting that this change be activated in this first hard fork. But its important to have a roadmap and even completed technologies that show how we can achieve full scalability in the future. And BU as it stands now is fully ready for miners to adopt it and fork larger block sizes. Nothing else needs to be done -- sure some smaller things COULD be done, but the reward of such diminishes.

 

[freetrader]

As the discussion is touching on BU and forks, I thought I'd link to a response I made to /u/HitchSlappy who argued that there is no economic support for a BU fork:


Feel free to add your thoughts, especially on the economic majority topic although my feeling is that it devolves to unverifiable claims on both sides. Which is another reason why I think a non-elective hard fork independent on the co-operation of the existing mining power is needed, to establish the truth of the situation.

 

[theZerg]

@freetrader I think that you are right. If there's an underserved application, Bitcoin can change to serve it, an alt-coin can serve it, or Bitcoin can fork to do so. But let's keep the discussion in this thread to the technical merits of the extension blocks with address sharding scaling proposal

 

[freetrader]

Certainly @theZerg, I didn't know of a better thread to put this notice in, but I don't want to derail the conversation around sharding in here. Rather an opportunity for the more informed BU members to correct me if I'm wrong in my perceptions.