|
| 1 | +# Edinburgh Workshop Day 1 Recap |
| 2 | + |
| 3 | +## Ledger Design Solution Space Matrix |
| 4 | + |
| 5 | +| | Labeled UTxOs (Explicit Shards) | Accounts (Implicit Shards) | |
| 6 | +|---------------------|--------------------------------|---------------------------| |
| 7 | +| **Fees** | • Explicit shard labeling<br>• Consumed on every tx<br>• Bootstrap: requires additional transaction<br>• Strong guarantees | • Staking credential defines shard<br>• Requires additional replay protection<br>• No bootstrap transaction needed<br>• Registration costs | |
| 8 | +| **Collateral** | • Only consumed on conflicts<br>• Return address needed<br>• Bootstrap: requires additional transaction| • Only consumed on conflicts<br>• Requires additional replay protection<br>• No bootstrap transaction needed<br>• Registration costs| |
| 9 | +| **Any-Labeled Inputs (Extension)** | • any labeled input gets labeled<br>• Maximum conflict prevention<br>• Higher bootstrapping cost | N/A | |
| 10 | + |
| 11 | +> [!Note] These different options are not either or. They shall just define the solution space. |
| 12 | +
|
| 13 | +### Labeled UTxOs - Fees |
| 14 | +Explicit shard labeling of UTxOs with fees consumed on every transaction. Provides strong guarantees for conflict prevention. Requires one initial bootstrap transaction to transition from Praos to Leios, enabling immediate protocol participation. |
| 15 | + |
| 16 | +### Labeled UTxOs - Collateral |
| 17 | +Collateral consumed only when conflicts occur, requiring a return address. Offers weaker guarantees than the fees approach while maintaining system integrity through explicit shard labeling. |
| 18 | + |
| 19 | +### Labeled UTxOs - All-Labeled Inputs Extension |
| 20 | +Any labeled UTxO can be used as an input as a fee or collateral or an ordinary input. And if it is being in any of them |
| 21 | +it has to be in the matching IB shard. |
| 22 | +The all-labeled inputs extension represents the most comprehensive approach, where every input gets labeled. This provides maximum conflict prevention but comes with higher bootstrapping costs. This approach offers the strongest guarantees but requires significant upfront work for migration. |
| 23 | + |
| 24 | +### Accounts - Fees |
| 25 | +The Accounts approach uses staking credentials to implicitly define shards, eliminating the need for explicit bootstrap transactions. However, it requires additional replay protection ideally by consuming a UTxO and it has registration costs. |
| 26 | + |
| 27 | +### Accounts - Collateral |
| 28 | +In the Accounts approach, collateral is only consumed on conflicts but lacks replay protection. This simpler mechanism avoids double spending but may be less robust against certain types of attacks. The integration with existing staking credentials makes it more user-friendly but potentially less secure. This approach also requires replay protection. |
| 29 | + |
| 30 | +### Accounts - All-Labeled Inputs Extension |
| 31 | +This extension is not applicable to the Accounts approach. |
| 32 | + |
| 33 | +> [!NOTE] |
| 34 | +> Considering any account based solution and making it too powerful could make builders design purely around it, disregarding UTxOs. |
| 35 | +> Simple constraints such as exclusively allowing to withdraw the entire balance from the account could prevent misue of accounts. |
| 36 | +> You likely do not want to present accounts to scripts to further avoid misuse. |
| 37 | +
|
| 38 | +## Key Design Considerations & Insights |
| 39 | + |
| 40 | +### User Bootstrapping Flow |
| 41 | +- Initial transaction requires a UTxO input for replay protection |
| 42 | +- Uses implicit sharding via staking credential |
| 43 | +- Can create labeled outputs in same transaction |
| 44 | +- Provides seamless user experience without separate bootstrap transaction |
| 45 | + |
| 46 | +### Network Transition Considerations |
| 47 | +- Existing Praos UTxOs and reward accounts remain valid |
| 48 | +- Need to consider both: |
| 49 | + 1. Network transition (Praos → Leios) |
| 50 | + 2. Individual user onboarding into Leios |
| 51 | +- Gradual transition possible without hard cutover |
| 52 | + |
| 53 | +### Critical Edge Cases |
| 54 | + |
| 55 | +1. **New User Onboarding** |
| 56 | + - Exchange withdrawals are a critical flow |
| 57 | + - Pure account-based approach problematic: |
| 58 | + - Would require registering staking credential |
| 59 | + - Complex transaction needing receiving wallet signature |
| 60 | + - Impractical for exchange withdrawals |
| 61 | + - shows technically infeasiable |
| 62 | + |
| 63 | +> [!NOTE] |
| 64 | +> You cannot have pure account solutions. We can either have only labeled UTxO or labeled UTxO with accounts. |
| 65 | + |
| 66 | +2. **Self-blocking Account** |
| 67 | + - Risk of users accidentally emptying fee accounts |
| 68 | + - No built-in recovery mechanism for empty reward accounts |
| 69 | + - Requires careful balance management consideration |
| 70 | + |
| 71 | +3. **Fee Payment** |
| 72 | + - Must ensure reward accounts have sufficient funds |
| 73 | + - Need to consider initial distribution and maintenance |
| 74 | + - Balance between user experience and security |
| 75 | + |
| 76 | +### System Properties |
| 77 | + |
| 78 | +1. **Replay Protection** |
| 79 | + - UTxO input requirement prevents transaction replay |
| 80 | + - Critical for system security |
| 81 | + - Must be maintained regardless of sharding approach |
| 82 | + |
| 83 | +2. **Conflict Resolution** |
| 84 | + - Explicit vs implicit sharding tradeoffs |
| 85 | + - Impact on throughput and user experience |
| 86 | + - Balance between complexity and guarantees |
| 87 | + |
| 88 | +3. **Do we need mechanism for protecting from conflicts?** |
| 89 | +The following is an descending, ordered list of ways which transaction can conflict, how likely they all work for non-maliscious or incompetent users to run into: |
| 90 | + - UTxO and reference inputs |
| 91 | + - Votes and proposals |
| 92 | + - Reward account withdrawals |
| 93 | + - Treasury assertions |
| 94 | + - Parameter changes |
| 95 | + - Hardfork events |
| 96 | + |
| 97 | +### Conformance Testing Considerations |
| 98 | + |
| 99 | +Two complementary approaches were discussed for ensuring implementation correctness: |
| 100 | + |
| 101 | +1. **QuickCheck Dynamic Approach** |
| 102 | + - Executable formal specification in Agda |
| 103 | + - Specification converted to Haskell using standard Agda compiler |
| 104 | + - QuickCheck Dynamic test driver for generating test cases |
| 105 | + - Test adapters needed for both Haskell and Rust simulations |
| 106 | + - Challenges: |
| 107 | + - Complex generator development for meaningful test cases |
| 108 | + - Need for adapters to interface with simulations |
| 109 | + - Higher implementation effort but enables adversarial testing |
| 110 | + |
| 111 | +2. **Trace Verification Approach** |
| 112 | + - Uses simulation log files as input |
| 113 | + - Verifies traces against relational specification |
| 114 | + - Lower implementation overhead |
| 115 | + - Requires standardized log format between implementations |
| 116 | + - Limitations: |
| 117 | + - Only tests behaviors that naturally occur in simulations |
| 118 | + - May miss edge cases or adversarial scenarios |
| 119 | + - Cannot directly test invalid behaviors |
| 120 | + |
| 121 | +3. **Coverage Enhancement Strategy** |
| 122 | + - Track which parts of specification are exercised by traces |
| 123 | + - Use Haskell Program Coverage (HPC) on generated code |
| 124 | + - Identify untested branches and conditions |
| 125 | + - Benefits: |
| 126 | + - Clear visibility of test coverage gaps |
| 127 | + - Guide development of targeted test scenarios |
| 128 | + - Help prioritize adversarial test case development |
| 129 | + |
| 130 | +## Next Steps |
| 131 | + |
| 132 | +- start writing a Shelley-like Spec: Rational for Leios Ledger |
| 133 | + - list the options |
| 134 | + - given the constraints give a recommendation |
| 135 | + - marginal benefits/ described trade-offs |
0 commit comments