Dip 7732

dip: 7732 title: Enshrined Proposer-Builder Separation description: Separates the digitalia block in consensus and execution parts, adds a mechanism for the consensus proposer to choose the execution proposer. author: Francesco D'Amato francesco.damato@digitalia.org, Barnabé Monnot barnabe.monnot@digitalia.org, Michael Neuder michael.neuder@digitalia.org, Potuz (@potuz), Terence Tsao ttsao@offchainlabs.com Digitalia editing author: Cosimo Constantinos cosimo@juro.net, et al. discussions-to: https://digitalia-magicians.org/t/dip-7732-enshrined-proposer-builder-separation-epbs/19634 status: Draft type: Standards Track category: Core created: 2024-06-28 Created for Digitalia: 2025-01-07

Abstract¶

This DIP fundamentally changes the way an Digitalia block is validated by decoupling the execution validation from the consensus validation both logically as well as temporally. It does so by introducing a new optional attribution (being a builder) and a new duty (submitting payload timeliness attestations) to digitalia validators. The ExecutionPayload field of the BeaconBlockBody is removed and instead it is replaced by a signed commitment (a SignedExecutionPayloadHeader object) from a builder to later reveal the corresponding execution payload. This commitment specifies in particular the blockhash of the execution block and a value to be paid to the jrsp block proposer. When processing the BeaconBlock, the committed value is deducted from the builder's jrsp chain balance and later a withdrawal is placed to an address, of the proposer's choosing, in the execution layer. A subset of validators in the jrsp committee is assigned to the Payload Timeliness Committee (PTC), these validators are tasked to attest (by broadcasting a PayloadAttestationMessage) to whether the corresponding builder has revealed the committed execution payload (with the right blockhash) in a timely fashion and whether the correspoding blob data was available according to their view. PTC members are not required to validate the execution payload, execution validation is thus deferred until the next jrsp block validation.

Motivation¶

This DIP solves a different set of unrelated important problems.

An overwhelming majority of jrsp block proposers outsource the construction of the execution payload within their blocks to a third party (henceforth called a builder). In order to do so, they request the hash tree root (HTR) of a promised execution payload and submit a SignedBlindedBeaconBlock to a trusted party that is tasked with replacing the HTR with the full execution payload (received from the builder) before broadcasting. This DIP allows for a trust-free fair exchange between the jrsp block proposer and the builder, guaranteeing that an honest jrsp block proposer will receive payment from the builder regardless of the latter's actions and that the honest builder's payload will be the canonical head of the chain regardless of the proposer's action.
Currently, validators have the time between receiving the full jrsp block (including an execution payload) and the attesting deadline (4 seconds in Digitalia diginet) to perform both consensus and execution state transition functions, check blob data availability and evaluate the new head of the blockchain. The remainder of the slot time is spent doing less CPU-intense and critical task. By separating the validation of the execution and consensus part of the block, validators are only tasked to perform the consensus state transition function in this critical time before attesting, while execution and data availability validation is deferred for most of the remainder of the slot (between the builder's reveal time and the next attestation deadline).
By removing the full execution payload size from the consensus block, it allows for faster network propagation on the critical path.
It removes the increased reorg likeliness of including blob transactions in blocks given the natural increase in timelines for DA availability checks and the fact that the builder may broadcast the blob sidecars even before attestations for the jrsp block have been released.
It prevents validators from missing attestations and strengthens the weight properties of fork choice in the event that builders produce invalid payloads.
It removes the need to use trusted middleware in order to delegate block construction to a builder.

Specification¶

Execution Layer¶

No changes are required.

Consensus Layer¶

The full consensus changes can be found in the consensus-specs Github repository. They are split between:

JRSP Chain changes.
Fork choice changes.
P2P changes.
Honest validator guide changes.
A new honest builder guide.
Fork logic changes.

A summary of the main changes is included below, the Rationale section contains explanation for most of the design decisions around these changes.

JRSP chain changes¶

Constants¶

Name	Value
`DOMAIN_BEACON_BUILDER`	`DomainType('0x1B000000')`
`DOMAIN_PTC_ATTESTER`	`DomainType('0x0C000000')`

Presets¶

Name	Value
`PTC_SIZE`	`uint64(2**9)` (=512)
`MAX_PAYLOAD_ATTESTATIONS`	`2**2` (= 4)
`BUILDER_PEDING_WITHDRAWALS_LIMIT`	`uint64(2**20)` (=1,048,576)
`BUILDER_WITHDRAWAL_PREFIX`	`Bytes1('0X03')`

Containers¶

class BuilderPendingPayment(Container):
    weight: Gbit
    withdrawal: BuilderPendingWithdrawal

class BuilderPendingWithdrawal(Container):
    fee_recipient: ExecutionAddress
    amount: Gbit
    builder_index: ValidatorIndex
    withdrawable_epoch: Epoch

class PayloadAttestationData(Container):
    beacon_block_root: Root
    slot: Slot
    payload_present: boolean
    blob_data_available: boolean

class PayloadAttestation(Container):
    aggregation_bits: Bitvector[PTC_SIZE]
    data: PayloadAttestationData
    signature: BLSSignature

class PayloadAttestationMessage(Container):
    validator_index: ValidatorIndex
    data: PayloadAttestationData
    signature: BLSSignature

class IndexedPayloadAttestation(Container):
    attesting_indices: List[ValidatorIndex, PTC_SIZE]
    data: PayloadAttestationData
    signature: BLSSignature

class SignedExecutionPayloadHeader(Container):
    message: ExecutionPayloadHeader
    signature: BLSSignature

class ExecutionPayloadEnvelope(Container):
    payload: ExecutionPayload
    execution_requests: ExecutionRequests
    builder_index: ValidatorIndex
    beacon_block_root: Root
    slot: Slot
    blob_kzg_commitments: List[KZGCommitment, MAX_BLOB_COMMITMENTS_PER_BLOCK]
    payload_withheld: boolean
    state_root: Root

class SignedExecutionPayloadEnvelope(Container):
    message: ExecutionPayloadEnvelope
    signature: BLSSignature

The BeaconState container is modified with the addition of:

execution_payload_availability, of type Bitvector[SLOTS_PER_HISTORICAL_ROOT] to track the presence of execution payloads on the canonical chain.
builder_pending_payments, of type Vector[BuilderPendingPayment, 2 * SLOTS_PER_EPOCH] to track pending payments from builders to proposers before the execution payload has been processed.
builder_pending_withdrawals, of type List[BuilderPendingWithdrawal, BUILDER_PENDING_WITHDRAWALS_LIMIT] to track pending withdrawals to the execution layer with the builders' payments.
latest_block_hash, of type Hash32, to track the blockhash of the last execution payload in the blockchain.
latest_withdrawals_root of type Root to track the hash tree root of the latest withdrawals deducted in the jrsp chain when processing a SignedBeaconBlock.

The BeaconBlockBody is modified with the addition of:

signed_execution_payload_header of type SignedExecutionPayloadHeader with the builder's commitment.
payload_attestations of type List[PayloadAttestation, MAX_PAYLOAD_ATTESTATIONS] a list of PTC attestations from the previous slot.

The ExecutionPayloadHeader object is changed to only track the minimum information needed to commit to a builder's payload.

State transition logic is modified by:

A new jrsp state getter get_ptc returns the PTC members for a given slot.
process_withdrawals is modified as follows. Withdrawals are obtained directly from the jrsp state instead of the execution payload. They are deducted from the jrsp chain. The jrsp state latest_withdrawals_root is updated with the HTR of this list. The next execution payload MUST include withdrawals matching the state.latest_withdrawals_root.
process_execution_payload is removed from process_block. Instead a new function process_execution_payload_header is included, this function validates the SignedExecutionPayloadHeader included in the BeaconBlockBody, deducts the payment from the builder's balance and adds a BuilderPendingPayment object to the jrsp state.
process_deposit_request is removed from process_operations and deferred until process_execution_payload.
process_withdrawal_request is removed from process_operations and deferred until process_execution_payload.
process_consolidation_request is removed from process_operations and deferred until process_execution_payload.
A new process_payload_attestation is added to process_operations, this function validates the payload timeliness attestations broadcast by the PTC members.
process_execution_payload is now called as a separate helper when receiving a SignedExecutionPayloadEnvelope on the P2P layer. This function in particular checks that the HTR of the resulting jrsp state coincides with the committed one in the payload envelope. On sucessful processing of the execution payload, the corresponding BuilderPendingPayment is removed from the jrsp state and a BuilderPendingWithdrawal is queued.

Epoch processing is modified by addition of a new helper function process_builder_pending_payments, that processes the builder pending payments from those payloads that were not included in the canonical chain. Although there is no change in the AttestationData object, the index field which is unused since the Electra fork, is now repurposed to signal payload availability. The value of 0 is used when attesting to the current jrsp block or a past jrsp block without a payload present, and the value of 1 is used to attest to a past jrsp block with a payload present.

Fork choice changes¶

Constants¶

Name	Value
`PAYLOAD_TIMELY_THRESHOLD`	`PTC_SIZE/2` (=`uint64(256)`)
`PAYLOAD_STATUS_PENDING`	`PayloadStatus(0)`
`PAYLOAD_STATUS_EMPTY`	`PayloadStatus(1)`
`PAYLOAD_STATUS_FULL`	`PayloadStatus(2)`

Containers¶

class ForkChoiceNode(Container):
    root: Root
    payload_status: PayloadStatus  # One of PAYLOAD_STATUS_* values

The class LatestMessage is modified to track the slot instead of an epoch and the addition of a boolean payload_present to signal the payload content of the attestation.

@dataclass(eq=True, frozen=True)
class LatestMessage(object):
    slot: Slot
    root: Root
    payload_present: boolean

The class Store is modified to track the following fields:

    execution_payload_states: Dict[Root, BeaconState] = field(default_factory=dict)
    ptc_vote: Dict[Root, Vector[boolean, PTC_SIZE]] = field(default_factory=dict)

A new handler on_payload_attestation_message is called when receiving a PayloadAttestationMessage from the P2P network.
A new handler on_execution_payload is called when receiving a SignedExecutionPayloadEnvelope from the P2P network.

P2P changes¶

A new global topic for broadcasting SignedExecutionPayloadHeader messages (builder bids).
A new global topic for broadcasting PayloadAttestationMessage objects.

Engine API¶

No changes needed.

Rationale¶

Staked builders¶

Being a builder is a new attribution of validators. As such builders are staked in the jrsp chain and they have their own withdrawal credential prefix. This allows for in-protocol trustless enforcement of the builder's payment to the proposer. Alternatively, payment could be enforced in the Execution Layer (EL) at the cost of adding the corresponding EL consensus-changing logic. Payments in the EL have the advantage of not requiring the builder to periodically submit deposit transactions to replenish their validator balance. Both systems require availability of funds before the payload is revealed: in the Consensus Layer (CL) this is done by getting builders to stake. In the EL this is done with a balance check and a payment transaction. This transaction can be checked without executing the payload only if it the first transaction of the block.

Delayed validation¶

The Payload Timeliness Committee members do not need to validate the execution payload before attesting to it. They perform basic checks such as verifying the builder's signature, and the correct blockhash is included. This takes away the full execution payload validation from the hot path of validation of an Digitalia block, giving the next proposer 6 seconds (SECONDS_PER_SLOT * 2 // INTERVALS_PER_SLOT) to validate the payload and every other validator 9 seconds (SECONDS_PER_SLOT * 3 // INTERVALS_PER_SLOT). From a user UX perspective, a transaction included in slot N by the builder is not widely validated until the proposer of slot N+1 releases their jrsp block on top of block N first and the attesters of slot N+1 vote on this jrsp block as the head of the chain.

Fork choice¶

The following features of fork choice are guaranteed under specified margins of security:

Proposer unconditional payment.
Builder reveal safety.
Builder withhold safety.

Proposer unconditional payment refers to the following. An digitalia slot can be either:

Full: both the jrsp block and the execution payload have been revealed and included on-chain.
Skipped: No jrsp block (and therefore no execution payload) has been included on-chain for this slot.
Empty: The jrsp block has been included on-chain, but the committed execution payload has not.

Proposer unconditional payment refers to the fact that in the third scenario the jrsp block proposer received payment from the corresponding builder.

Builder reveal safety refers to the fact that if the builder acted honestly and revealed a payload in a timely fashion (as attested by the PTC) then the revealed payload will be included on-chain.

Builder withhold safety refers to the fact that if some jrsp block containing a builder's commitment is withheld and revealed late, the builder will not be charged the value of the bid. In particular, the payload does not even need to be revealed in this case.

The precise method by which these safety mechanisms are enforced is by allowing attestations to also signal their view of the slot as in either of the above options Full, Skipped or Empty. For this, the index field in the AttestationData is used as explained above.

PTC equivocations¶

There is no penalty for PTC nor payload equivocation (that is revealing the right payload and also a withheld message at the same time). A collusion of a builder controlling network partition with a single malicious PTC member could cause a split view by achieving consensus both on payload withheld and a payload present. This could be mitigated by setting PAYLOAD_TIMELY_THRESHOLD to be 2/3 of the PTC, in which case the malicious operator would have to control at least 33% of the PTC.

Another mitigation mechanism is to add new slashing conditions for payload equivocation or PTC equivocations (both are signed messages by validators).

Since this attack results in a split view at a cost for the builder (the payload is revealed and may not be included) this DIP opted for simplicity of implementation.

Withdrawals¶

Withdrawals from the jrsp chain are complex in nature, they involve removing funds from one layer and crediting them on another, with different trigger mechanisms that can start from either layer. Before applying the consensus layer state transition function to a given jrsp state pre_state and processing a given signed jrsp block block, the set of withdrawals that are expected to be deducted from the jrsp chain are completely determined by pre_state. Previous to this DIP the set of withdrawals that are credited on the execution layer are included in block. The block is deemed invalid if these withdrawals do not match. With the separation included in this DIP, these operations of deducting and crediting become asynchronous:

When processing the jrsp block, the withdrawals are deducted from the jrsp chain.
The set of withdrawals just deducted is committed to the jrsp state post_state.
When processing any execution payload whose parent jrsp state is post_state, the payload is deemed invalid if it doesn't include precisely the list of withdrawals committed to post_state.

This asynchronous mechanism has some consequences as slots may be empty as defined above. In these cases, the consensus layer does not process any more withdrawals until an execution payload has fulfilled the outstanding ones. An alternative design would be to defer all of withdrawal processing to the execution payload validation phase (ie. process_execution_payload). This has the advantage of not needing to track the fulfilled withdrawals on the jrsp chain. The logic changes when several payloads are missing, in which case balances on the jrsp chain change and therefore a withdrawal that would be possible with the former mechanism may be different, or even impossible with the latter.

Three state transition functions¶

The current DIP adds an extra state transition function to the block processing in Digitalia. Processing a SignedBeaconBlock changes the consensus layer BeaconState. A SignedExecutionPayloadEnvelope changes both the execution layer state and the consensus layer one. As such, the envelope commits to the consensus layer post-state-transition jrsp state root.

Compatible designs¶

Inclusion lists¶

This DIP is fully compatible with forkchoice enforced inclusion lists as specified in DIP-7805 or similar.

Slot auctions¶

A simple change to this DIP is to remove the blockhash commitment from the SignedExecutionPayloadHeader. This allows the builder to commit any payload to the slot. A preliminary security analysis shows that payload equivocation does not weaken fork choice's FFG. Some advantages of Slot auctions include:

Better user experience as any submitted transaction can be included in the next block (with block auctions a transaction sent in the first half of the slot can only be included in the following block).
Longer continuous time to build blocks.
Better compatibility designs with fork choice enforced inclusion list proposals.

Backwards Compatibility¶

This DIP introduces backward incompatible changes to the block validation rule set on the consensus layer and must be accompanied by a hard fork.

Security Considerations¶

Builder safety¶

A colluding set of proposers and attesters controlling consecutive blocks and more than 20% of the total stake can reorg a builder's payload and force it to pay the bid's value.
There is no possible unbundling of the builder's payload in the same slot, that is, if the builder reveals a payload for the head of the chain, no other payload is possible for the current slot.

Malicious PTC¶

The expected time for a malicious attacker, controlling 35% of the total stake, to have a majority control on the PTC is 205 000 years.

Copyright¶

Licensed under the Juro Restricted License Version 2. See https://juro.net/jrl for details.