Upgrading blockchain networks poses serious challenges. While traditional communications protocols only require point-to-point compatibility and permit the network spil a entire to have varying degrees of interoperability, all knots on a blockchain network vereiste validate the same blocks. It is therefore unlikely for any subset of parties to loosely upgrade to an arbitrary fresh protocol without affecting the surplus of the network (or, more likely, permanently detaching from it by вЂњforking the chainвЂќ). Spil a result, for any protocol switch to be implemented and deployed, the following issues vereiste be considered:
- Coordination: how do all knots agree on adoption of the fresh rules?
- Transition security: does transition to the fresh rules (even when done correctly) opens up security loopholes or violates some assumptions?
- Transition reliability: is the transition implemented correctly and how likely it to contain bugs and cause the blockchain to fork?
- Feature security: is the upgraded protocol secure spil advertised?
This document covers the extensibility features and versioning semantics of Chain Protocol that facilitate safe evolution of the protocol rules.
Hard forks and soft forks
There are two ways to upgrade a blockchain network. Thesis are conventionally known spil hard forks and soft forks.
See BIP 99 for some background on the Bitcoin community&rsquo,s treatment to hard and soft forks.
A hard fork is a switch that is not compatible with non-upgraded software вЂ” it makes messages that were invalid under the old rules become valid under fresh rules. Switches to the protocol can be implemented te a straightforward manner, but at the cost of upgrading all participating knots and all software that works directly with blockchain gegevens structures. Ter a smaller network, a hard fork may be an efficient way to upgrade: one should set a deadline when the fresh rules will be activated, then update all necessary software before the deadline. Unluckily, ter larger networks hard forks pose a serious risk of cracking software unexpectedly, or would require a prohibitively distant deadline to give time to review and upgrade all software.
A soft fork is a compatible switch вЂ” it rejects some messages that were previously valid. This may be a less stijlvol way to switch the protocol, but it permits upgrading the network piece-by-piece without requiring every knot to upgrade. A soft fork vereiste be enforced by the block generation and overeenstemming mechanism. For proof-of-work blockchains, this means the miners, for Chain blockchains, this means the block signers. A soft fork requires only block signers to upgrade very first and enforce fresh rules by rejecting non-conforming transactions. To make sure future versions of the protocol still validate earlier blocks, block signers preemptively reject to sign blocks containing transactions with undefined version numbers, making it safe to introduce fresh versions (and their associated fresh behavior) te the future. Once block signers start enforcing fresh rules, other knots can embark creating transactions with a fresh version. Knots that did not upgrade still validate thesis transactions, but implicitly rely on block signers to validate their precies meaning. Such knots operate with diminished security regarding validation of fresh transactions. Knots can upgrade to fresh capabilities at their own tempo without blocking anyone elseвЂ™s operation.
Contrary to what one might assume, neither hard forks, strafgevangenis soft forks are intended to actually fork the blockchain. The word вЂњforkвЂќ indicates the switch of the protocol rules that potentially may lead to an undesirable fork of the blockchain. While hard forks require careful coordination of all users, soft forks require careful coordination of block signers only.
Safety of hard forks
While hard forks pauze compatibility with all fully validating knots (running Chain Core or compatible software), some hard forks may be made compatible with a broader collection of software that verifies only a subset of protocol features. For example, signing software deployed te HSMs, or clients that do not execute transaction programs, but only check transactionsвЂ™ Merkle paths to a signed block.
A hard fork upgrade may have different compatibility implications, depending on its scope:
- Switching transaction format: virtually no software remains compatible.
- Switching block format: some transaction-signing software stays compatible.
- Switching built-in boundaries: clients that verify klein proofs (transaction contents, Merkle paths to signed blocks) remain compatible.
- Switching VM bytecode: some clients may remain compatible depending on character of the switch.
Ter the best case incompatibility caused by hard forks causes outage for non-upgraded clients. But te general, it opens all clients (whether upgraded and not) to network forks and double-spending attacks that are hard to automatically detect and protect against since both sides of the network would see the alternative chain spil downright invalid and consider it a noise. Hard fork upgrades are also tighter to monitor: an unexpected incompatibility may remain hidden until it is too late and it causes the actual network fork.
Due to the difficulty of deploying hard forks securely, Chain Protocol provides versioning and upgrade semantics for blockchain gegevens structures te order to enable safe soft fork upgrades.
Safety of soft forks
A soft fork upgrade adds rules and does not eliminate existing ones. Spil a result, non-upgraded knots see the upgraded blockchain spil valid and lightly detect a fork caused by block signers. Upgraded knots can also detect a fork caused by block signers and pinpoint it to a disturbance of a specific rule. Albeit all soft forks provide basic safety ensure ter respect to forking the ledger, the actual safety depends on the nature and scale of the upgrade.
Soft forks permit implementing a remarkably large number of switches, from bug fixes and petite features te the VM, to introducing a entirely fresh block structure. When the versioning rules are cautiously planned te advance, switches to the software can also be implemented cleanly.
Smaller switches are safer to implement spil they touch smaller software surface. An example of a relatively safe switch is addition of a fresh instruction to the VM te place of one of the NOP instructions: non-upgraded users cannot use it by mistake and are able to execute the surplus of the contract logic using pre-existing rules (so the surface of a possible attack is very narrow). It is much less safe to introduce a fresh transaction format: non-upgraded knots will entirely disregard the fresh transactions, a larger amount of software will have to be upgraded to take advantage of the fresh format. Then even more complexity will have to be added to make old and fresh transaction formats interoperable.
Extensive and limitary upgrades
Soft forks permit two approaches to network upgrades:
- Extensive upgrade: introduction of a fresh rule (security feature) the co-exists with the existing ones. A pre-existing extension field te the blockchain is extended with extra gegevens having a specific meaning applied.
- Limitary upgrade: usage of existing features is restricted or partially limited by censoring transactions. Block signers can restrict some transactions anyway for vertoning or security reasons, but they can also commit to such behaviour by making it a protocol rule so that other knots can rely on it.
The very first treatment permits introducing fresh features for security or spectacle reasons without disrupting the use of the existing features.
Note that restricting existing feature and adding a fresh one is not omschrijving to redefining the rules that apply to a certain lump of gegevens. The former remains a soft fork, while the former is a hard fork. The non-upgraded knots overlook the fresh feature and zekering observing instances of usage of the old feature and therefore stay compatible with the blockchain.
The 2nd treatment permits for vertoning optimization and deprecation of less secure features. If a part of the protocol is proven to be fully insecure, a вЂњfail-stopвЂќ soft fork upgrade can instantly prohibit its usage.
Together, the very first and the 2nd approaches permit implementing a tick-tock upgrade schedule: very first, rolling out a fresh security feature, then phasing out support for the deprecated one until all knots are upgraded and the network can forbid its use spil a protocol rule.
Chain Protocol defines four main areas of extensibility:
Every extension area includes several extension points with specified upgrade semantics.
Block extension points
Note that block version is the only version field that voorwaarde be incremented monotonically, and it does not require increments by 1. All other version fields may have arbitrary values te no particular order of introduction. At any given time, the version of a gegevens structure either belongs to a set of known versions, or is simply unknown.
Transaction extension points
Asset extension points
Program extension points
Transaction programs have five extension points within the output and issuance programs.
Block programs are not versioned and can be upgraded only via extra block commitment elements.
Note: all unassigned opcodes are defined spil NOPs (вЂњno operationвЂќ) that enable minor switches to the VM without switching the VM version. So the non-upgraded knots will be able to validate most of the program without having to overlook it fully spil вЂњanyone can spendвЂќ spil a fresh VM version would cause them to do. Even when the VM version needs to be enhanced (e.g. a fresh instruction need a significantly larger run cost or does non-trivial switches to VM state), keeping existing instructions untouched permits keeping consistency inbetween VM implementations and related implements and avoiding bugs.
Chain Protocol implements a versioning scheme that permits users signalling whether they opt into fresh version of the protocol and also enable the network to protect the extension points (more on them below) against manhandle before they have specific semantics assigned to them.
All upgrades are sequential. Knots cannot upgrade to a protocol extension without upgrading to all previous ones. Users that do not validate the blockchain fully may cherry-pick which features to validate themselves or delegate trust to block signers or third-party gegevens providers. However, they still voorwaarde be aware of all intermediate extensions when determining to opt out of validating some aspects of the protocol. This is reflected ter the requirement that block versions monotonically increase: protocol rules that were added once cannot be flipped back ter the future. All other version fields while encoded spil variable-length integers are free-form and may be treated spil integers, brief strings, bit fields or a combination thereof.
Extensive upgrades to the protocol are signaled by incrementing the block version and switching the versions of all affected gegevens structures that introduce the extra rules. Use of unassigned fields and instructions is not permitted without switching the version of the gegevens structure that is being extended and all gegevens structures up ter the hierarchy up to the block version. This permits applications to detect addition of fresh fields, asset and program versions to the protocol and adjust their security assumptions, notify administrators about an upgrade, or take other act spil suitable. This also provides security for users of klein proofs: they are assured that they will notice a protocol upgrade when the previously unused fields become defined.
Limitary upgrades вЂ” that limit use of defined fields and instructions вЂ” only need to increment a block version ter order to maintain compatibility of the fresh rules with the historical blocks. For extra compatibility with transacting software the following scheme is recommended:
- The limitations apply only to a fresh transaction version (or versions).
- Previous transaction version is either permitted indefinitely (therefore permitting users to opt-in the fresh rule), or announced spil deprecated and can be restricted ter the future (phased out) or instantly (fail-stop screenplay).
How it works
Lets say, a fresh VM version is introduced with an extra input commitment field necessary for a fresh VM feature.
- Since the fresh VM version is used, the transaction version voorwaarde be switched.
- Transaction version is switched, therefore block version vereiste be enhanced.
- Block signers make sure only well-defined block versions are used and signed. Before the upgrade, block signers reject transactions that use unassigned extension points and version numbers.
- When the block version is enlargened, the surplus of the network receives a clear signal that the protocol rules has switched. Non-upgraded knots may choose to zekering processing payments until they upgrade, or apply extra checks and confirmations out of tape.
Assets and programs interoperability
VM versions can be updated independently of asset versions. Fresh VM versions can access all previously defined asset versions but not future ones. Newer asset versions may use previously defined VMs and extra VMs introduced ter the future (if explicitly defined for thesis asset versions).
When a fresh asset version is introduced, existing VMs may be nominally upgraded for all older asset versions so that programs controlling older assets may вЂњseeвЂќ newer assets which permits building trust-minimized bridges inbetween old and fresh asset versions.
Users may keep using existing assets alongside the fresh ones without updating to a fresh VM, but simply signing multi-input/multi-output transactions for synchronous trades. They can also use an updated VM version with old assets ter order to build contracts that involve both fresh and old asset version.
Issuers may proceed to recognize older assets, suggest a trusted exchange of old assets for the fresh ones or define fresh asset versions via issuance programs that perform conversion ter a trust-minimized manner (e.g. a program may permit issuance of a fresh asset with the amount corresponding to an amount of the older asset explicitly demolished te the same transaction).
Overeenstemming protocol is mostly separated from the blockchain validation rules spil it permits block signers to agree on a single peak block that they need to sign. Block header has an extensible вЂњblock commitmentвЂќ field that permits addition of fresh rules supporting switches to the overeenstemming protocol.
Reserve care vereiste be taken about upgrading the VM used for overeenstemming programs. While control and issuance programs used te transactions have a VM version associated with them, blocks intentionally designed without explicit versioning. When non-upgraded knots have to evaluate a program with an unknown VM version, they skip the evaluation and instead defer to block signers to determine if transaction is valid. Ter case of a block overeenstemming program, there is no вЂњhigher authorityвЂќ to defer to. If the fresh overeenstemming protocol requires a fresh feature ter the VM, block commitment and block witness fields voorwaarde be extended with a fresh overeenstemming program and its arguments to be evaluated te addition to the old VM and old overeenstemming program.
Block signers should not optimize vertoning switching old overeenstemming program to OP_1 (always succeeds) because it will instantaneously open non-upgraded knots to a vulnerability: anyone would be able to fork the blockchain for them and make it look ideally valid.
Ter some cases, block signers might want to switch the old overeenstemming program to OP_FAIL te case the old VM has an unavoidable security problem and it is safer to cause non-upgraded knots to zekering entirely and not accept any fresh blocks until they upgrade. Such update will become a safe hard fork since the original chain will be prohibited from growing further.
While it is not effortless to add support for fresh signature algorithms (e.g. switching an elliptic curve), VM 1 is nimble enough to permit implementing Lamport signatures: one-time hash-based signatures using built-in instructions for string manipulation, bitwise operations and hashing.
By default, all previously supported features remain supported to keep older software compatible. Sometimes features are discovered to be either insecure or inefficient and should be deprecated. Deprecation can be implemented spil the block signersвЂ™ policy to deny to include transactions using such features or restricting some aspects of them (size, frequency, etc). If necessary, deprecation can be implemented via a limitary upgrade to the protocol enforced by the entire network. For example, if a certain signature scheme is deemed insecure, it can be fully banned after a pre-arranged deadline to prevent inclusion of insecure transactions.
1. Adding a fresh programming feature
Wij can add or modify an instruction, introduce a fresh signature scheme, or fully redesign the bytecode format by introducing a fresh VM version:
- Specify an update to the format or semantics of output programs and corresponding signature programs.
- Allocate a fresh VM version number to identify the fresh VM.
- If necessary, specify extra gegevens ter the output commitment or input commitment (or both) for outputs using the fresh VM version.
- If necessary, specify an extra global state commitment te the block commitment field.
- Upgrade all block signers with software implementing the fresh feature.
- At a pre-agreed time, increment the block version to signal the protocol update to all knots.
- Remaining knots may upgrade and start using the fresh VM.
Two. Adding a fresh accounting scheme
Wij can implement a fresh asset accounting mechanism with fresh confidentiality or voorstelling features by introducing a fresh asset version:
- Specify a fresh protocol for issuance and transfer of assets, and a corresponding layout for input and output commitments and witness structures.
- Allocate a fresh asset version to identify inputs and outputs using the fresh assets.
- If necessary, specify an extra global state commitment ter the block commitment field.
- Upgrade all block signers with software implementing the fresh feature.
- At a pre-agreed time, increment the block version to signal the protocol update to all knots.
- Remaining knots may upgrade and start using fresh asset versions.
- Old assets can be phased out by hand by having the issuer redeem them for fresh assets, or via a fully automated issuance program that does not require interaction with the issuer.
Trio. Updating core gegevens structures
The two cases above demonstrated how some specific parts of the transaction structure can be updated. However, blocks are extensible enough to permit an entirely fresh transaction format introduced via a soft fork. For example, assume that the SHA3 hash function is found to be insecure and the network vereiste migrate to a hypothetical вЂњSHA4вЂќ algorithm:
- The block commitment is extended with a previous block hash Two field, defined spil SHA4 of the previous block, spil well spil challenge program Two, that implements a fresh VM using SHA4.
- The block witness is extended with signature program Two that contains proofs matching challenge program Two.
- A fresh asset version is introduced that uses SHA4 te asset IDs, programs, and other asset-specific gegevens structures via input and output commitments.
- The block commitment is extended again with extra state and transaction Merkle roots computed with SHA4. Previous commitments using SHA3 remain.
- At a certain block height, the block version is incremented to signal the protocol update to all knots.
- Knots update to support fresh asset versions and validate the fresh SHA4-based block commitments.
The Chain Protocol includes a versioning scheme that facilitates network-wide upgrades. The scheme enables introduction of fresh features and improvements ter a safe and compatible manner, providing meaningful security both for the network knots and clients that rely on klein proofs instead of utter blockchain validation.