Description
The Ethereum Sharding Meeting #2 - Berlin
7. Proofs-of-Custody by Vitalik Buterin and Justin Drake (Ethereum Foundation)
Resources: https://notes.ethereum.org/s/B1-7aivmX
---
Video: Anton Tal @antontal
Audio: Matteo Tambussi @matlemad
Producer: Chris Hobcroft @chrishobcroft
Executive Producer: Doug Petkanics @petkanics
For @livepeertv on behalf of @LivepeerOrg
A
Okay, proofs of custody. So just to give a little bit of context: proofs of custody are this quite neat crypto-economic construction, and the way they fit in the context of sharding is basically to do what I call enhanced voting. So sharding, or part of sharding, is about scaling up the data availability problem. So not everyone downloads every piece of data, and one of the main techniques that we have is to basically sample validators at random from a pool.
A
And then we have an honesty assumption at the pool level, which gives us some assumption in terms of the committees, but it'd be nice if we could go beyond just honesty and we could start using rationality, so financial incentives, to make sure that people vote properly. In particular, when they vote on the availability of data, it would be nice if we could have some high level of confidence that they actually have the data that they're voting on, and if they have the data, at the very least it's available for them. And so that's really good.
A
So the setup is that you have a secret which is unique to you as a validator, and you need to keep it secret. Otherwise, if it leaks, there will be a slashing condition which allows whoever reveals the secret to take half your deposit and to slash the other half, on-chain. You have a commitment for that secret, and that commitment is fairly long-lived. It could be something like a week or 30 days.
A
It doesn't have to be recycled very often, and then the question is: given a piece of data that the validator is meant to have (and by the way, that piece of data is identified by its Merkle root; so instead of just taking the data and identifying it with its hash, which for example is what Bitcoin does, we have the data be a power of two, so it means that you can very nicely Merkleize it, where each leaf is a chunk, what we call a chunk, which is 32 bytes).
A
So this Merkle root is what identifies the data, and you want to come up with a scheme where you prove that you have custody of the data. And just in a couple of sentences, what you do is that you take your data, D, for which you want to prove custody, and you split it up into 32-byte chunks, and then for every single chunk.
A
So one of the things we want to prevent, for example, is being able to outsource the computation of this thing to other people, but because of the secret part, and because of the fact that the secret is mixed in at every single piece of data, you can't. And because you can't give away that secret to a third party without risking having your deposit slashed, it means that only you can make this computation, and forevermore.
A
Obviously you need the data to be able to do this computation. So you had the data. So, just to give a bit more context, one of the reasons why it's nice to have this proof of custody scheme is also to prevent what's called copycat voting. So if you're a lazy validator and you don't have much bandwidth to verify the availability of blocks, then one perfectly rational strategy would be to wait some period of time and see what other people are voting on.
A
Any questions so far as to why this scheme kind of proves that you would have the data? So one thing that, sorry, I forgot to mention, which is very important, is that after the 30 days or seven days, you reveal your secret. So once you've revealed your secret, then everyone else can verify the root, the proof of custody that you've submitted. And if it turns out that it is wrong, then you can start engaging in a challenge game, so something similar to TrueBit.
A
All right, so you'd like to be able to reuse the secret just for efficiency, but on the other hand, you don't want to use it for too long a period, and the reason is that the proof of custody becomes verifiable only after you've revealed the secret, which means that if you start cheating, then you might as well cheat as much as you can and basically cheat during the whole 30-day period. So, you know, we want to limit the period during which bad things can happen.
D
You know, like, number one, as far as security goes, hashes are pretty much the gold standard, and you have the most guarantee you'll never have to change it again. Number two, you get much more efficiency. And number three, actually the fact that we're using XOR to mix in the data basically means that you can use the branch challenging scheme also as a way of actually recovering particular pieces of data, because if you have the seed, then you can get the data right back. So, basically, between those three.
D
It withdraws the life, or rather, we know, so here's how it works, right. So basically, there's some point in time at which you basically have to reveal the secret, and as soon as you reveal the secret, then the clock starts ticking, and basically, if you get challenged during that time, then you have to respond to those challenges, but.
D
You know, the other thing that you can do is you can say, so, like, first of all, there is going to be a lot effect, there's two reasons why you might want to start a challenge, right. One of them is that you disagree with the commitment, and the second is that you think the data is unavailable. So for that, what we can do is we can try to work the first use case. We can only target it after the seed is revealed for the second use case.
D
Bit smaller, and number two, it makes the proof smaller, number three, it makes the proof much lighter to verify, and number four, it gets to be pure, kind of like purely hash-based. So there's, like, much less, which just makes it more possible to set the protocol in stone, to not worry about changing it later.
D
Yeah, okay, so, first of all, the outsourcer can submit ahead of time and basically claim your money. Now, if you have a model where we're outsourcing to kind of partially trusted outsourcers that have reputations, and so they won't do that, then we could introduce another kind of game which is basically a kind of deniable challenge.
D
So the idea, basically, is that we allow anyone to kind of gamble on properties of your future reveal, to some extent, and basically to the extent to which anyone has more than 50% certainty about some property of your seed, then they would be able to earn money off of this, and basically in this it would be totally unknown who did this. They could do this with a totally unknown account.
D
Oh right, yes, so one advantage of the proof only being one bit is basically that, for the purpose of BLS aggregation, if you remember BLS signatures, you can do them for multiple messages and multiple users, but for every user you're only adding an elliptic curve addition of overhead, but for every message you're adding an extra elliptic curve pairing of overhead, and so for efficiency you want the number of messages that people are signing over to be extremely small, and also for information-theoretic reasons.
D
You want it to be extremely small because, like, if every single attester includes a separate proof of custody, then we're going from one bit per validator to 256 bits per validator. So with this model, basically, there are only two possible proof of custody claims that any particular validator could use.
D
Reveal to the network? No, because the idea is that the way that you would sign is, basically, like, whatever the signature is, say, of the previous block: if you want to claim a zero, you would just sign over that plus zero, and then if you want to claim a one, you would sign over that hash plus one. Okay, I.