Node batch verification

[bxue-l2]

Why are these changes needed?

This PR adds Batch Chunks verification to reduce the processing time for a node when receiving a batch

The technical details is well documented in https://ethresear.ch/t/a-universal-verification-equation-for-data-availability-sampling/13240#step-by-step-derivation-of-the-universal-equation-11 (A eth research blog)

Important struct:

• Sample: the basic unit for batch verification, for eigenDA it is a chunk
• SubBatch: groups of Samples that has the same dimension

Big changes:

• Add interfaces to both encoding.go and validator.go for batchVerification
• Replace the previous blob-by-blob verification from the node/node.go with the new batch verification
• Parallel processing for each SubBatch

Some suggestions to the following will be helpful:

• Since batchVerification is defined inside core/validator, the parallelization is done inside core (some feedback appreciated)
• Since batchVerification is defined inside core/validator, I removes the "n.Config.NumBatchValidators" which allows clients to specify how many worker thread for verification. Instead I simply spin a goroutine for each subBatch, otherwise I will have to put the numWorker in the core interface (might be it is fine?)
• Although I can use workerpool for parallelization, but it is unnatural to add that dependency in the core

Checks

• I've made sure the lint is passing in this PR.
• I've made sure the tests are passing. Note that there might be a few flaky tests, in that case, please comment that they are not relevant.
• Testing Strategy
  • Unit tests
  • Integration tests
  • This PR is not tested :(

[ian-shim]

can you take a look at the unit tests failure?
also, do the existing unit tests cover the new verification logic well?

[ian-shim]

remove?

[bxue-l2]

can you take a look at the unit tests failure? also, do the existing unit tests cover the new verification logic well?

The unit tests are added in the library level, pkg/encoding/kzgEncoder, and at the core level core/test/core_test

In the core test, the batch verification is done across multiple setup (security params, bloblength, quant factor).

[bxue-l2]

Added some benchmark test. In general, we get 4.5 - 25 times speedup.

the variable parameters are quant factor, num opr, adv/quo ratio, blob length, and stake distribution.

The stake distribution is either uniform or quadratic (stake= i^2*6+32), where i is opr index. The table is shown below, whose full access is in the link.

For non-uniform stake, there is a histogram of time, please refer to the doc for more info.

One additional thing we can optimize for, is batch verification for length proof . Currently it is taking 0.63*n millisecond out of the entire verification. Effectively it is taking 2/3 of the batch verification time. So in principle we can get an additional 3x speedup.

[ian-shim]

lgtm, but this should get a stamp from @mooselumph

[jianoaix]

I agree that it's better to cap the threading with a pool.
I don't have strong objection to use a threadpool here. But if that's a concern, an alternative is to make the core lib to create the SubBatch map, and the Node to run a threadpool to invoke the execution for each SubBatch.

[bxue-l2]

for the second approach, we need to export the encoder interface from the validator. That will need discussion and a proper code restructure. I will choose option 1. @mooselumph what do you think

[mooselumph]

I don't think the refactoring would be needed... just give the validator a public method to be called by the node worker. But I don't really have a strong opinion about whether the threadpool should go here or in the node.

[bxue-l2]

I add the workerPool to the call, common exposes an interface

[jianoaix]

Does it need to add a random salt to actually make it random (now it's a deterministic hash)?

[bxue-l2]

It is gist of fiat-Shamir transform https://en.wikipedia.org/wiki/Fiat%E2%80%93Shamir_heuristic

[mooselumph]

Does this need to be deterministic? The gob encoder seems to be stateful (will always encoded-decode properly, but the encoded bytes can vary).

[bxue-l2]

No, it does not need to be deterministic.

[jianoaix]

I haven't read details about Fiat Shamir, but intuitively, if this "randomness" is actually deterministic and determined by the input samples, which is supplied by the prover, can the verifier be fooled by the prover?
It looks the verifier needs some randomness that the prover can never guess.

[jianoaix]

It'll be more readability to name ft, st ... more properly. One option I see is: combinedProof, combinedCommitment, combinedInterpolation etc.

[bxue-l2]

I am a bit against it, because combined commitment is not specific enough. You can say addition of two commitment a combined commitment.

[mooselumph]

I feel like it would be nice to find a way to show the hierarchy among the sections. It's unclear without prior knowledge that //second term refers to //rhs g1, for instance

[bxue-l2]

One thing could improve the readability is to break some parts into functions. I will rewrite and decompose some logics.

[bxue-l2]

@jianoaix @mooselumph I refactored the code, please take a look

[jianoaix]

I would like this types of documentation in code, which makes the connection between code and theory clear:

I remember one of the highly useful documentation for me is to comment out that the coefficients in chunk is for interpolation polynomial, which connects the whole thing.

[mooselumph]

Does this need to be deterministic? The gob encoder seems to be stateful (will always encoded-decode properly, but the encoded bytes can vary).

[mooselumph]

I don't think the refactoring would be needed... just give the validator a public method to be called by the node worker. But I don't really have a strong opinion about whether the threadpool should go here or in the node.

[mooselumph]

I feel like it would be nice to find a way to show the hierarchy among the sections. It's unclear without prior knowledge that //second term refers to //rhs g1, for instance

[mooselumph]

Add comment: NumChunks=0 so we can skip this blob

[bxue-l2]

it is part of the preprocessBlob logic.

[jianoaix]

nit: EigenDa -> EigenDA

Also if it's chunk assignment index, can it be named as "ChunkIndex" for readability? "X" does not seem a proper name.

[bxue-l2]

I wil refactor the X a bit. The reason I avoid using assignment because, the pkg should relatively stand alone, X is the evaluation index

[bxue-l2]

refactored

[jianoaix]

nit: this comment is redundant (it's in preprocessBlob where the check is actually happening)

[jianoaix]

LGTM

[jianoaix]

Do you want to stop() the workerpool before return, since there is no point for remaining threads to continue?

[bxue-l2]

the workerpool is created by node thread, so it does not make a lot sense to stop them.

[jianoaix]

I haven't read details about Fiat Shamir, but intuitively, if this "randomness" is actually deterministic and determined by the input samples, which is supplied by the prover, can the verifier be fooled by the prover?
It looks the verifier needs some randomness that the prover can never guess.

[jianoaix]

Randomness -> RandomFactor? (it's the terminology used by the research post anyway)

[bxue-l2]

The prover can fool the verifier based on a randomness by modifying its input. However, since there is a deterministic relation between input and the randomness, the adversarial disperser cannot perform this attack

[jianoaix]

it is possible -> it is always? The chunks from the same blob always share the same encoding param.

[bxue-l2]

but a operator might only be assigned 1 chunk in one blob

[jianoaix]

The context here is that all chunks of the same blob assigned to this operator (will be always validated together)

[jianoaix]

The context here is that all chunks of the same blob assigned to this operator (will be always validated together)

[jianoaix]

btw I checked the code of these 3 terms against the research post and it looks good (quite impressive you nail those details rigorously!), except the 3rd term which I cannot follow (need to understand the coset shifting stuff a bit more)