Anoma

Anoma is a cybernetic consensus system for causal accounting. Using Anoma, agents can create, merge, and verify cryptographically content-addressed histories in a manner which enforces arbitrary logical relations, including directed and undirected identity relationships and a distributed linear resource logic. These logics are used as the substrate for a cryptographic accounting system which provides a quantifiable view of entanglement, a pairwise measure of the degree of a particular kind of relationship between two identities. Different measures of entanglement can be fed back into the system to inform local choices which require trust, such as delegation of data storage and consensus provisioning, allowing for automatic reduction of computational resource expenditure in high-entanglement interactions. These measures can also be input into and output from the system in order to track relations of interdependence in the external world.

Consensus over history in conjunction with user data input allows for the provisioning of causal accounting, in that the system can combine local information about local causal dependence and local agent preferences into a gestalt system model of causal and preference relations, and provide pairwise and relative measures of preference satisfaction as outputs which can be used for resource provisioning decisions in the future.

Anoma's architecture is scale-free, in that the system's fundamental unit of cryptographic identity is closed under composition, so the system can model relational topologies spanning arbitrary levels of individuality. Under the assumption of an inverse-power law with regards to economic distance, the network of real relations viewed from outside will take the form of a fractal, i.e. recurrence of form independent of scale.

Anoma provides computational integrity (correctness) and informational locality (privacy) on the basis of cryptographic assumptions. The protocol architecture abstracts cryptographic primitives by their information-theoretic properties, so implementations of particular primitives can be chosen and updated for availability, maturity, and performance over time.

These documents describe the architecture of the Anoma protocol. They are intended to be complete, in that enough is said to define precisely what a valid implementation of Anoma must do, and minimal, in that no more is said than that.

Anoma is free, in both the senses of "free speech" and "free beer". The source for these documents is on Github, permissively licensed, and they can be forked or edited as you like. At present, this particular repository is stewarded by the Anoma Foundation. Contributions are welcome.

NOTE: These documents are not yet complete. If you're reading this page right now, there's a high chance you might be interested in Namada.

Happy reading!

Angles of approach

Anoma can be viewed through the lens of many different languages.

TODO: Write this section. Readers: skip for now, move on to Architecture.

TODO: Write this section. Readers, skip for now.

Blockchain systems architecture

vis-a-vis cosmos/ibc

rollups: rollups-on-demand
cosmos/ibc: state not tied to instances in the same way, consensus provision separate from application logic, automatic resolution of cross-instance state
fractal scaling - implementation of all n layers
mesh security - scale-free implementation architecture

We unify the privacy-preserving double-spend prevention technique of Zerocash/Zexe/Taiga - nullifiers, uniquely binding to note commitments, unlinkable and calculable with secret information - with the double-spend prevention required of distributed database systems / blockchains (preventing multiple valid conflicting descendents of the same block), recasting the mechanism as a distributed enforcement system for a linear resource logic.

We unify various concepts of state-machine-level cryptographic identity -- public-key-based accounts, smart-contract accounts, BFT light clients, threshold keys -- and network-level cryptographic identity into a singular information-theoretic duality of external identity and internal identity, the fundamental abstraction on top of which the protocol is built.
We unify the concepts of message and state, in that each message commits to its own history, and that there is no state other than can be computed from a set of messages at a particular point in partially-ordered logical time.

TODO: Write this section. Readers, skip for now.

Cybernetics of coordination

Cybernetic systems architecture
That paper by Aurora Apolito

TODO: Write this section. Readers, skip for now.

Anthropology of money

Graeber's "wave theory" of credit-cash money

TODO: Write this section. Readers, skip for now.

Web-of-trust history

Twitter trust graph
Facebook trust graph
Money trust graph

Architecture

TODO: Write this section in a clearer way.

Principle of locality

The central principle in the design of Anoma's protocol architecture is that of locality. For now the term itself will be left without explicit definition, but the sense is closest to that in which physics uses it, except that we are concerned principally with proximity in informational space instead of physical space (where the sense used by physics concerns the relation between the two). Locality takes several forms:

Temporal locality, i.e. local orderings only
Informational locality (privacy), i.e. keep information to smallest group by default
Measurement locality, i.e. rely on local measurements only
Value locality, i.e. local values may differ
Name locality, i.e. local names may differ

Conceptual context

The Anoma architecture operates on the basis of agents. The architecture does not presume any sort of global view or global time. It also does not presume any particular motivations of agents, but rather describes the state of the system as a function of the decisions taken by agents over (partially ordered) time.

Agent is a primary notion in the Anoma protocol that aims to extend/replace the notion of process in the distributed systems literature.
Agents are assumed to have the ability to:
- generate local randomness,
- locally store and retrieve data,
- perform arbitrary classical computations,
- create, send, receive and read messages over an arbitrary, asynchronous physical network.
Agents may have local input (e.g. human user input) and/or local randomness (e.g. from a hardware random number generator).
Agents can join and leave the system at any time.
All actions committed by agents are recorded in the history. To commit an action is to send a message. The state of the system at any point in time is a function of the history of messages sent by agents up to that point in time.

The rest of this specification defines the Anoma protocol, which is specific logic that agents run to read, create, and process messages. For convenience, the Anoma protocol shall be referred to henceforth as just the protocol.

Acceptors need to be aware of the different definitions of learners in order to be able to know what correct behavior is defined as. This set of the agents for learners, might empty or have overlaps, the acceptors have to follow the deifnition regardless.

We briefly describe how the communication for a consensus round works. Suppose we have two learners $l_{x}$ and $l_{y}$ which refer to agents that are interested in blockchain $x$ and blockchain $y$ . Proposers propose a chimera block, by sending $1 a$ messages, each carrying a value and unique ballot number (round identifier), to acceptors. All acceptors in all involved chains ( $S$ ) send $1 b$ messages to each other to communicate that they’ve received a $1 a$ message. When an acceptor receives a $1 b$ message for the highest ballot number it has seen from a learner $l_{x}$ ’s quorum of acceptors, it sends a $2 a$ message labeled with $l_{x}$ and that ballot number. There is one exception: once a safe acceptor sends a $2 a$ message $m$ for a learner $l_{x}$ , it never sends a $2 a$ message with a different value for a learner $l_{y}$ , unless one of the following is true:

It knows that a quorum of acceptors has seen $2 a$ messages with learner $l_{x}$ and ballot number higher than $m$ .
It has seen Byzantine behavior that proves $l_{x}$ and $l_{y}$ do not have to agree.

A learner $l_{x}$ decides on a block when it receives $2 a$ messages with the same proposed block and ballot number from one of its quorums of acceptors.

Preliminaries

Base chains are two or more independent chains between which we would like to carry out atomic transactions. The chains must protocol-wise adhere to some specific set of requirements to be compatible. For example, IBC support.

A chimera chain is a chain that allows atomic transactions to be carried out on objects from the base chains. It carries an additional consensus mechanism, that is dependent on the consensus of the base chains.
A learner is a client that is interested in the value decided by the voting process. Learners might be full nodes, light client nodes, or nodes from other chains.
An acceptor is an agent participating in the voting process of the consensus protocol. Non-byzantine acceptors are called real acceptors.

A quorum is a subset of acceptors sufficient to make a learner decide on a value. For a learner to maintain consistency (avoid deciding on two contradictory values), any two of its quorums must have a common real acceptor. Most chains achieve this practically by making the intersection of the quorums big enough, i.e. the acceptors in the intersection being backed by more than >1/3 stake of each chain under <1/3 Byzantine assumption. For example, suppose:
- Base chain A has a total stake of $60 A s t ak e$ .
- Base chain B has a total stake of $300 B s t ak e$ .
- Any set of acceptors backed by $> 40 A s t ak e$ is a quorum of chain A. This means $> 20 A s t ak e$ would have to back unsafe acceptors for chain A to fork.
- Any set of acceptors backed by $> 200 B s t ak e$ is a quorum of chain B. This means $> 100 B s t ak e$ woudl have to back unsafe acceptors for chain B to fork.
- Suppose that, for every quorum $q_{a}$ of chain A, and every quorum $q_{b}$ of chain B, the acceptors in $q_{a} \cap q_{b}$ are backed by $> 10 A s t ak e$ , and $> 50 B s t ak e$ . This would mean that, in order for atomic batches on the chimera chain to lose atomicity, $> 10 A s t ak e$ and $> 50 B s t ak e$ would have to back unsafe acceptors.
  - When a batch loses atomicity, the transactions on one state machine (say, A) are executed, but not the transactions on the other state machine (say, B). However, each state machine itself remains consistent: neither A nor B forks.
  - This means some chimera chains offer atomicity with lower (yet well-defined) levels of integrity than their base chains' no-fork guarantees.
A proposer is an acceptor that may propose a new block according to the rules of the blockchain. For Typhon, the "blocks" of the consensus protocol are the headers produced by the mempool. A potential proposer would need (a) data availability, (b) the ability to sign messages, ( c) something at stake (to prevent spam) and (d) the ability to communicate with the acceptors. Acceptors that are in the overlaps of quorums may especially well suited to be proposers, but other Acceptors (or even other machines) might be proposers as well. The Heterogeneous Paxos technical report effectively uses weighted voting for select proposer, but perhaps there are interesting tricks with VRFs that would improve efficiency.

Assumptions

Acceptors are staked: An acceptor has a certain amount of stake backing them. This stake is either fully their own stake or is partly delegated to them by other token holders.
Quorums are known: Quorums are defined implicitly by the internal logic of each chain. For most proof-of-stake chains, a quorum is a subset of acceptor that have $> \frac{2}{3}$ of stake backing them.
Large Overlap of Quorums: A practical way to ensure a safe acceptors in the overlap between quorums. To guarantee atomicity with the same integrity as base chains, each quorum overlap must be backed by $> \frac{1}{3}$ of the stake of each base chain.
Connectivity: All acceptors in a chimera chain communicate with each other (even if that means talking to acceptors who are not on the same base chain). This communication can be indirect (i.e. gossiping through other acceptors), so long as all pairs of honest acceptors can always communicate.
Only one learner per main chain: We model the learner graph as one learner per main chain, and then full nodes can instantiate their base chain's learner to make decisions. The reason is that in Heterogeneous Paxos the learner graph is a closed graph with known nodes, while in the blockchain context we have a open network where we don't know who all the learners are.

Chimera Chain

In this section we describe how chimera chains operate.

Upon wanting to include an atomic batch of transactions from the transaction pool into a block, a block proposer either creates a genesis block if there is no existing chimera chain or builds on top of an existing chimera chain.

Genesis block

In order to be safe, the guarantee we want here is that future quorum updates on the main chains are guaranteed to be received before voting happens on chimera chains.

Create a genesis block that claims to be a "chimera chain" and allocate some unique name or index.
Register (in a transaction) that genesis block on all base chains and allocate it some unique name, so they know to involve it in any future quorum updates. The guarantee we want here is that future quorum updates are guaranteed to be received before votes happen.
The first block append on the chimera chain requires IBC messages from all base chains explaining that they have registered this genesis block.

Producing Blocks

The block consists of transactions from both chains or just on of the chains. The transaction can be bundled together to make sure they are carried out atomically.

It is possible that more than one block may be finalized like in Grandpa (from Polkadot project) decoupling block prduction from finalization. In thi scase, Heterogeneous Paxos would serve the roll of a "finality gadget" in Grandpa's terms, but blocks could be produced at any rate.

Moving Objects

Suppose state in each state machine is expressed in terms of objects (think object-oriented programming) with state and methods, and a location (each is located on a chain). Our ideas about "movable objects" should be applicable to any program entities which feature:

a unique identifier
a permanent set of public methods (an API) callable by users, or other methods on other objects in the same state machine, which can compute and return values
a set of private methods callable only by other methods on this object
mutable state (which only methods can mutate)

These are much like "smart contracts," which also carry internal mutable state and public APIs much like methods. An example of an "object" is any sort of account: multisignature account or single user account:

accounts usually have a unique identifier
public methods include "send money," which takes as input some signed authorization and deducts money from the account.
mutable state includes some value representing the amount of money in the account.

One might want to move an object to another state machine. For simplicity, let's suppose it's a state machine with the same quorums (on a different, possibly chimera, chain). This is not so very different from various chains trying to get a lock on an account (objects) and then perform atomic operations on them.

This "move" operation should require an IBC send, and then deleting the original object. Or instead of deleting the original object the original object can be made a pointer to the object which now lives primarily on the destination chain. On the destination state machine, an IBC receive should be followed by creating a new copy of the object. Any "object identifiers" found in pointers from other objects will have to be preserved, which could be tricky.

Permissions for moving Objects

We have to consider who is allowed to move which objects where. One way to do this is to have "move" simply be a "private method" of any object: the programmer has to specifically program in any methods that the transactions or other objects can call to move the object. The most straightforward private method definition would allow anyone (e.g.,owners) who can control the object be able to give permission for moving.

We may want to allow chains to specify limits on what objects can move onto that chain. For example, they may require that objects have a method that can move them back to a base chain.

Epoch Change

If new quorums for each base chain do not overlap on a real acceptor, atomicity cannot be guaranteed. We can no longer meaningfully commit atomic batches to the chimera chain. However, extensions to the chimera chain are consistent from the point of view of each base chain (but different base chains may "perceive" different extensions). This allows us to, for example, move objects to base chains even after the chimera chain loses atomic guarantees.

Kill Chains

Likewise, it's probably useful to kill chimera chains no one is using anymore. If we don't kill them, when quorums change all of chimera chains need to get an update, and that can become infeasible. One possibility is to allow chains with no objects on them (everything has moved out) to execute a special "kill" transaction that prohibits any future transactions, and sends an IBC message to all parent chains. On receipt, parent chains could remove that chimera chain from their registry.

Protocol Description

This section describes how a chimera block is appended to the existing chimera chain assuming all the setup has taken place.

For simplicity, this protocol is written as if we're deciding on one thing: the specific block that belongs on a specific blockchain at a specific height. All state and references are specific to this blockchain / height pair. We do not care about messages before this height. This height may be defined using the last finalized block in the blockchain.

Learner Graph

For each learner $a$ , we call its set of quorums $Q_{a}$ .

For each pair of learners $a$ and $b$ , there are a specific set of conditions under which they require agreement. We enumerate these as $a - b$ , a set of "safe sets" of acceptors: whenever at least one set in $a - b$ is composed entirely of safe (non-byzantine, but possibly crashed) acceptors, $a$ and $b$ must not decide different things.

We designate the set of acceptors who are actually safe $S$ . This is of course determined at runtime, and unknown to anyone.

Messages

The protocol is carried out by sending and receiving messsages. The table below describes the structure of a typical heteregenous paxos message.

Field	Type	Description
chainId	`Id`	Identifies this Chimera Chain
height	`uint64`	Current height of the chimera chain
pktType	`enum PktType {1A, 1B, 2A}`
ballot	`Ballot` = `(Timestamp, Hash)`	This consists of the hash of the proposed block and the timestamp of the initiated ballot. There is a total lexicographical order on `Ballot`.
learner	`Id`
sig	`Sig`	The signature field `sig` unforgeably identifying its sender, e.g., the message is signed, and the sender has a known PK in some PKI.
refs	`Vec<Hash>`	The list of hashes of messages received previously.

In general, acceptor relay all sent or received messages to all learners and other acceptors. This ensures that any message received by a real acceptor is received by all real acceptors and learners.

Definition: Message Signer

$Sig (x : M ess a g e) ≜ the acceptor or proposer that signed x$

Definition: Message Set Signers

We can define $Sig ()$ over sets of messages, to mean the set of signers of those messages: $Sig (s : se t (M ess a g e)) ≜ {Sig (m) m \in s}$

Messages also contain a field refs, which includes chained hashes of every message the sender has sent or received since (and including) the last message it sent. As a result, we can define the transitive references of a message, which should include every message the sender has ever sent or received:

Definition: Transitive References

$Tran (x) ≜ {x} \cup m \in x . refs ⋃ Tran (m)$

To ensure that acceptors and learners fully understand each message they receive, they delay doing any computation on it (sometimes called delivery) until they have received all the messages in refs. As a result, acceptors and learners will always process messages from any given sender in the order they were sent, but also from any messages that sender received, and recursively.

Consensus Round: Ballot

Next, we briefly describe how the communication for a consensus round works. Consensus is reached in four steps: proposing the chimera block, acknowledging receipt of proposals, establishing consensus, and termination.

Suppose we have two learners $l_{1}$ and $l_{2}$ from two different blockchains.

$1 a$ message: proposing blocks

A proposer proposes a new block by sending a $1 a$ message to all acceptors, which includes

a value (the atomic transaction for example)
a unique ballot number (round identifier)
a message containing the hash of the proposed block along with a time stamp of the ballot initiation.

If there is an existing chimera chain, the proposer can built upon that chain and if the proposer is starting a new chimera chain it needs to lock some funds for that.

Also, the acceptor needs to check validity as soon as possible: don't even "receive" an invalid proposal (or at least don't send a "1b" message in response).

$1 b$ message: acknowledging receiving proposals

On receipt of a $1 a$ message, an acceptor sends an ackowledgement of its receipt to all other acceptors and learners in the form of $1 b$ message.

$2 a$ message: establishing consensus

When an acceptor receives a $1 b$ message for the highest ballot number it has seen from a learner $l_{1}$ ’s quorum of acceptors, it sends a $2 a$ message labeled with $l_{1}$ and that ballot number.

There is one exception: once a safe acceptor sends a $2 a$ message $m$ for a learner $l_{1}$ , it never sends a $2 a$ message with a different value for a learner $l_{2}$ , unless one of the following is true:

It knows that a quorum of acceptors has seen $2 a$ messages with learner $l_{1}$ and ballot number higher than $m$ .
It has seen Byzantine behavior that proves $l_{1}$ and $l_{2}$ do not have to agree.

Specifics of establishing Consensus

In order to make a learner decide, we need to show that another, Entangled learner could not already have decided.

Definition: Entangled

In an execution, two learners are entangled if their failure assumptions matched the failures that actually happen: $Entangled (a, b) ≜ S \in a - b$

If some learner $l_{1}$ does not agree with some other learner $l_{3}$ , then learner $l_{2}$ cannot possibly agree with both $l_{1}$ and $l_{3}$ .

Definition: Heterogeneous Agreement

Within an execution, two learners have agreement if all decisions for either learner have the same value.
A heterogeneous consensus protocol has agreement if, for all possible executions of that protocol, all entangled pairs of learners have agreement.

Definition: Accurate Learner

An accurate learner is entangled with itself: $Accurate (a) ≜ Entangled (a, a)$

A learner whose quorums contain too many failures is inaccurate. This is the equivalent of a chain that can fork.

In order to prevent entangled disagreement, we must define the conditions that will ultimately make learners decide:

Definition: Get1a

It is useful to refer to the $1 a$ that started the ballot of a message: the highest ballot number $1 a$ in its transitive references. $Get1a (x) ≜ m : 1a \in Tran (x) arg max m . ba ll o t$

Definition: Ballot Numbers

The ballot number of a $1 a$ is part of the message, and the ballot number of anything else is the highest ballot number among the $1 a$ s it (transitively) references. $b (x) ≜ Get1a (x) . ba ll o t$

Definition: Value of a Message

The value of a $1 a$ is part of the message, and the value of anything else is the value of the highest ballot $1 a$ among the messages it (transitively) references. $V (x) ≜ Get1a (x) . v a l u e$

Terminate: Finalizing blocks

A learner $l_{1}$ decides when it receives $2 a$ messages with the same ballot number from one of its quorums of acceptors.

If no decision can be reached within a certain time, proposers must begin a new round (with a higher timestamp, and thus a higher Ballot). Proposers can start a new round by proposing a new block or by trying to finalize the same block again (in case there was no consensus).

Definition: Decision

A learner decides when it has observed a set of $2 a$ messages with the same ballot, sent by a quorum of acceptors. This will allow the learner to decide on the value of the $2 a$ messages in the set. We call such a set a decision: $Decision_{a} (q_{a}) ≜ Sig (q_{a}) \in Q_{a} \land \forall {x, y} \subseteq q_{a} . ⎝ ⎛ \land \land b (x) = b (y) x . l r n = a x : 2a ⎠ ⎞$

Now we are ready to discuss what makes a Well-Formed $2 a$ message. This requires considering whether two learners might be entangled, and (unless we can prove they are not engangled), whether one of them might have already decided:

Definition: Caught

Some behavior can create proof that an acceptor is Byzantine. Unlike Byzantine Paxos, our acceptors and learners must adapt to Byzantine behavior. We say that an acceptor $p$ is Caught in a message $x$ if the transitive references of the messages include evidence such as two messages, $m$ and $m^{'}$ , both signed by $p$ , in which neither is featured in the other's transitive references (safe acceptors transitively reference all prior messages).

$Caught (x) ≜ ⎩ ⎨ ⎧ Sig (m) \land \land \land {m, m^{'}} \subseteq Tran (x) Sig (m) = Sig (m^{'}) m \neq \in Tran (m^{'}) m^{'} \neq \in Tran (m) ⎭ ⎬ ⎫$

Slashing: Caught proofs can be used for slashing.

Definition: Connected

When some acceptors are proved Byzantine, clearly some learners need not agree, meaning that $S$ isn't in the edge between them in the CLG: at least one acceptor in each safe set in the edge is proven Byzantine. Homogeneous learners are always connected unless there are so many failures no consensus is required. $Con_{a} (x) ≜ {b \land s \in a - b \in CLG s \cap Caught (x) = \emptyset}$

Definition: Buried

A $2 a$ message can become irrelevant if, after a time, an entire quorum of acceptors has seen $2 a$ s with different values, the same learner, and higher ballot numbers. We call such a $2 a$ buried (in the context of some later message $y$ ): $Buried (x : 2a, y) ≜ ⎩ ⎨ ⎧ Sig (m) \land \land \land \land \land m \in Tran (y) z : 2a {x, z} \subseteq Tran (m) V (z) \neq = V (x) b (z) > b (x) z . l r n = x . l r n ⎭ ⎬ ⎫ \in Q_{x . l r n}$

Definition: Connected 2a Messages

Entangled learners must agree, but learners that are not connected are not entangled, so they need not agree. Intuitively, a $1 b$ message references a $2 a$ message to demonstrate that some learner may have decided some value. For learner $a$ , it can be useful to find the set of $2 a$ messages from the same sender as a message $x$ (and sent earlier) which are still unburied and for learners connected to $a$ . The $1 b$ cannot be used to make any new $2 a$ messages for learner $a$ that have values different from these $2 a$ messages. $Con2as_{a} (x) ≜ ⎩ ⎨ ⎧ m \land \land \land \land m : 2a m \in Tran (x) Sig (m) = Sig (x) \neg Buried (m, x) m . l r n \in Con_{a} (x) ⎭ ⎬ ⎫$

Definition: Fresh

Acceptors send a $1 b$ message whenever they receive a $1 a$ message with a ballot number higher than they have yet seen. However, this does not mean that the $1 b$ 's value (which is the same as the $1 a$ 's) agrees with that of $2 a$ messages the acceptor has already sent. We call a $1 b$ message fresh (with respect to a learner) when its value agrees with that of unburied $2 a$ messages the acceptor has sent. $fresh_{a} (x : 1b) ≜ \forall m \in Con2as_{a} (x) . V (x) = V (m)$

Definition: Quorums in Messages

$2 a$ messages reference quorums of messages with the same value and ballot. A $2 a$ 's quorums are formed from fresh $1 b$ messages with the same ballot and value. $q (x : 2a) ≜ ⎩ ⎨ ⎧ m \land \land \land m : 1b fresh_{x . l r n} (m) m \in Tran (x) b (m) = b (x) ⎭ ⎬ ⎫$

Definition: Well-Formed

We define what it means for a message to be well-formed. $W e llF or m e d (u : 1a) ≜ u . refs = \emptyset W e llF or m e d (x : 1b) ≜ x . refs \neq = \emptyset \land \forall y \in Tran (x) . x \neq = y \land y \neq = Get1a (x) \Rightarrow b (y) \neq = b (x) W e llF or m e d (z : 2a) ≜ z . refs \neq = \emptyset \land Sig (q (z)) \in Q_{z . l r n}$

An acceptor who has received a $1 b$ sends a $2 a$ for every learner for which it can produce a Well-formed $2 a$ .

Before processing a received message, acceptors and learners check if the message is well-formed. Non-wellformed messages are rejected.

Incentive Model

Goal:

Incentivizing token holders to put down their stake for security
Disincentivizing byzantine behavior

Rewards:

Participating in consensus based on backing stake: this includes validating and voting
Producing blocks

Slashing: there are a number of offenses

Invalid blocks
Equivocation (caught)

Fees

The first question is once there is no demand for atomic batches of transactions, do we keep the chimera chain alive?

We need to figure out whether killing the chimera chain (and potentially requiring a new genesis later) is not too expensive.

The second question is whether we update the quroum changes whenever they happen or when we have a transaction?

The first option is expensive and can lead to attack if not handled well. We need to figure out whether the latter option is safe.

If the answer is yes for first question and we pick the first option for the second question:

Since all chimera chains need to be updated when the quorums on the base chains change, we need to figure out who pays for these updates. For example, a chimera chain might have had a block produced last week, but since the has been updated 200 times that is 200 blocks that do not have any transactions with transaction fees. If this is not paid by anyone, it becomes a burden for acceptors and an attack vector for the adversary.

We may need to add a "locked" fee for making new chimera chains. In particular, we don't want an attacker to make a lot of chains, forcing base chains to update all of them with each quorum change.

Alternatively, each "chimera chain" could keep an account on each base chain that is funded by a portion of transaction fees, from which a small fee is extracted with each validator update. When the account runs dry, the (parent)base chains are allowed to kill the chimera chain (even if there are still objects on there). We could allow anyone to contribute to these accounts. We could even prohibit anyone who did not contribute from sending IBC messages between chimera and parent chains.

Security Discussion

Note that the chimera cannot guarantee atomicty under the same adversary assumption as the base chains. For example, if we assume the adversary to control less than 1/3 of the stake to assure safety on the base chains, atomicity is not guaranteed for such an adversary but only a weaker one. This is important for users so they can decide whether for their transaction chimera chians would be secure enough.

By setting the quorums of each learner to be the same as the quorums of the corresponding base chain, we ensure that each learner's view is as consistent as the base chain. Specifically, two instantiations of the learner for some base chain $A$ should decide on the same blocks in any chimera chain, unless the adversary is powerful enough to fork chain $A$ .

"Accurate" (or "self-engangled") learners (defined above) correspond to base chains where the adversary is in fact powerful enough to fork the chain. Proving that a learner is accurate is equivalent to proving that its base chain cannot fork.

Two learners $a$ and $b$ corresponding to different base chains will decide on the same blocks (which is what makes atomic batches useful), so long as one of the safe sets in $a - b$ is composed entirely of safe acceptors. The stake backing these safe sets represents the "assurance" that atomic batches remain atomic, as well as the maximum slashing punishment should they lose atomicity.

Loss of atomicity is a bit like a "trusted bridge" that turns out not to be trustworthy: each state machine within the chimera chain has as much integrity as its base chain, but atomicity properties of multi-state-machine atomic batches have a lesser, but still well-defined, guarantee. Loss of atomicty allows double spending on the chimera chain. And while misbehavior has happened in such an attack it is not trivial to slash the misbehaving acceptor since according to each chain everything has been carried out correctly.

Open Challenges

Programming Model

Atomic Batches

We'll need a way to specify that a batch of transactions should be committed together or not at all. Ideally, this should communicate to the programmer how reliably this atomicity is (see "practical considerations" below). On an chimera chain, batches can include transactions from any of their "main chains". If we want to have match-making, transactions will need to be able to say something like "if I'm in an atomic batch that matches these criteria, then do this...".

Each atomic batch should be scheduled within one block.

(We encode transactions with Portobuff and Borsht.) We need define structures such that transactions can be bundled and cannot be carried out separately.

Atomic Communication

Transactions within an atomic batch need to be able to send information to each other (and back). For example, in a market with a fluctuating exchange rate, a market transaction could send a message to an account, which transfers money, and sends a message to another account, which transfers goods. We need a language in which this communication takes place with minimal constraints on the state machines involved, so we should probably adapt the IBC communication language.

We need to figure out inter-chain communication works for transactions communicating with each other within an atomic batch.

Can we have synchronous (in terms of blocks) IBC?

Yes: when the quorums involved in two chains are the same, then we can guarantee that (unless there are sufficient failures to fork the chain) an IBC message sent in one chain will arrive at the other chain (in a transaction) within a specific number (perhaps as few as 1?) of blocks. This is because some of the machines in the quorum that approved the "send" transaction must be in the quorum that decides the next block, so they can refuse to decide on blocks that lack the "receive" transaction.

Note that we may need to rate-limit sends to ensure that all sends can be received in time (availability).

Note also that blinding transactions makes this hard.

Match Making

We can in priciple do cross-chain match-making. If we want an on-chain market, an chimera chain might be a good place to do it. However, full nodes in the gossip layer might be able to gather sets of transactions that match the transactions' "If I'm in an atomic batch ..." criteria, bundle them into atomic batches, and then send those off to be committed.

We may want to incorporate some incentive scheme for good match-making. Matchmakers include nodes who are full nodes on both chains, and in principle could include any node who sees the request transactions.

Changing Quorums?

2 Phase Commit

We could require that any quorum-chainging transaction has to be 2-phase committed. Essentially, the "main chain" announces that it won't progress beyond a certain block until everyone has appended a new block that sets the (same) new quorums, and sends a response by IBC. It can then progress only with IBC responses from all the other chains that use these quorums.

Synchronous IBC

We may be able to leverage our "synchronous" IBC idea above for faster quorum changes. The difficulty is that it allows a finite number of blocks to be appended to the chimera chains before they receive the quorum change method. These chains can be arbitrarily slow, so that could take arbitrarily long.

Need to figure out inter-machine communication for acceptors, since they might run many machines.

Discussion Questions /Practical Considerations

Optimizing messgaing: Pipelining (from Hotstuff), Kauri, BFTree
Replicating state machines
Probems Tendermint has:
- Doesnt allow many validators
- Lightclient design
Optimizing recoveryfrom slow finalization: Separating block prosuction from finalizing, finalzing more than one block
ABCI ++? Another version of it
Look into other papers of Dalia Malkhi / Fast HotStuff?

Execution Engine

Summary

Given a total order (from the consensus) of transactions (from the mempool), the execution engine updates and stores the "current" state of the virtual machine, using as much concurrency as possible. Proofs from the execution engine allow light clients to read the current state. When the execution engine has finished with a transaction, it communicates to the mempool that the transaction can be garbage-collected from storage.

Vocabulary

Shards are processes that store and update state.
- Different shards may be on different machines. Redistributing state between shards is called Re-Sharding.
- Each Shard is specific to 1 learner. However, as an optimization, an implementation could conceivably use 1 process to do the work of 2 shards with different learners so long as those shards are identical, and fork that process if / when the learners diverge.
Executors are processes that actually run the VM and compute updates. Executors should probably be co-located with shards.

Either:

We assume the Mempool is using the Heterogeneous Narwhal setup?
- In which case Consensus picks leaders in the DAG
Mempool is treated as some kind of black-box set of processes that can each transmit transactions to Shards.
- In which case Consensus produces more detailed ordering information Perhaps we should have some general notion of Timestamp on transactions?

The VM is largely a black box: we assume we can give it a set of input key-value pairs and a transaction, and get output key-value pairs.

State

State is stored as mutable Values (unlimited size blobs of binary), each of which is identified with an immutable Key. If you want to mutate a Key associated with a specific Value, that's equivalent to deleting the Value associated with the old Key, and writing it to the new Key. Keys that have never had a Value written to them are mapped to an empty value.

For each Learner, all processes can map Transactions to a set of Shards whose state they read, and a set of shards whose state they write. This makes Re-Sharding challenging.

read(L : Learner, T : Transaction) : Set[Shard]

write(L : Learner, T : Transaction) : Set[Shard]

One way to implement this is to partition the space of Keys across Shards, and Label each Transaction with a Sub-Space of keys it touches. One possible Key-space would be to arrange Keys in some kind of tree configuration.

Mempool Interface

We assume, for each Learner, that each transaction has a unique Executor:

executor(L : Learner, T : Transaction) : Executor

It would be more efficient if executor(L, T) $i sco - l oc a t e d w i t ha s ha r d in$ write(L, T) $or$ read(L, T) $. A s an o pt imi z a t i o n, w ec anha v eo n e p rocess d o t h e w or k o f m u lt i pl e l e a r n er s^{'} e x ec u t ors, so l o n g a s t h ose l e a r n ers a re i d e n t i c a l . W e a ss u m e t ha t e a c h t r an s a c t i o n c a rr i es a t im es t am p : t im es t am p (T : T r an s a c t i o n) : T im es t am p W e a ss u m e t ha tt h ese t im es t am p s ha v e an * u nkn o w n * t o t a l or d er, an d t ha tC o n se n s u s an d t h e M e m p oo l c an u p d a t e S ha r d s^{'} kn o wl e d g eo f t hi s t o t a l or d er . I n p a r t i c u l a r, w e a ss u m e t ha tC o n se n s u s in f or m ss ha r d so f an e v er - g ro w in g p re f i x o f t hi s t o t a l or d er . - O n e w a y t o a cco m pl i s h t hi s i ss im pl y t o ha v ee a c h t im es t am p b e t h e ha s h o f t h e t r an s a c t i o n, an d ha v eco n se n s u ss t re ama t o t a ll yor d ere d l i s t o f a ll ha s h es in c l u d e d in t h ec hain t o a llS ha r d s . T hi s ma y n o t b e v erye ff i c i e n t . - W eco u l d in s t e a d co n s i d ero n e t im es t am pt o b e d e f ini t e l y * a f t er * an o t h er i f i t i s a d esce n d e n t in t h e N a r w ha l D A G . N a r w ha lw or k ersco u l d t r an s mi t D A G in f or ma t i o n t o S ha r d s, an d s ha r d s w o u l d l e a r n so m e p a r t ia l or d er in g in f or ma t i o nb e f ore h e a r in g f ro m C o n se n s u s . C o n se n s u sco u l d t h e n t r an s mi t o n l y t h e N a r w ha l b l oc k s i t d ec i d eso n, an d s ha r d sco u l dd e t er min e a t o t a l or d er in g f ro m t h ere . T h e M e m p oo lt r an s mi t se a c h t r an s a c t i o n t o i t se x ec u t or a ssoo na s p oss ib l e, u s in g n e tw or k p r imi t i v es . T h e f ore a c h t r an s a c t i o n$ T $t ha t re a d sor w r i t ess t a t eo n s ha r d$ S $, t h e M e m p oo l * a l so * t r an s mi t s t os ha r d$ SheardAllWrite(S) > heardAllRead(S) $, b u t I d o n^{'} t kn o wt ha tw ere q u i re t hi s t o b e t r u e . I t s h o u l d u p d a t e t hi s b o u n d ba se d o nin f or ma t i o n f ro m t h e M e m p oo l . F ore x am pl e, i t co u l d main t ain p a r t ia l b o u n d s f ro m e a c hm e m p oo lw or k er (u p d a t e d w h e n e v er t ha t m e m p oo lw or k erse n d s t h e S ha r d am ess a g e), an d im pl e m e n t$ heardAllRead $an d$ heardAllWrite as the greatest lower bound of all the partial bounds.

Consensus Interface

Consensus needs to update each Shard's knowledge of the total order of timestamps. In particular, we assume that Consensus informs shards of an ever-growing prefix of this total order.

One way to accomplish this is simply to have each timestamp be the hash of the transaction, and have consensus stream a totally ordered list of all hashes included in the chain to all Shards. This may not be very efficient.
We could instead consider one timestamp to be definitely after another if it is a descendent in the Narwhal DAG. Narwhal workers could transmit DAG information to Shards, and shards would learn some partial ordering information before hearing from Consensus. Consensus could then transmit only the Narwhal blocks it decides on, and shards could determine a total ordering from there.

Execution

For each learner L $, f ore a c h T r an s a c t i o n$ T $, e x ec u t ors w ai tt orece i v e v a l u es f or a ll k eys in$ read(L, T) $, t h e n co m p u t e t h e t r an s a c t i o n, an d t r an s mi tt oe a c h s ha r d$ S $an y v a l u es t ore d o n$ S $in$ write(L, T).

Generally, transactions do not have side effects outside of state writes. However, we could in principle encode client reads as read-only transactions whose side-effect is sending a message, or allow for VMs with other side effects.

Executors can save themselves some communication if they're co-located with Shards. As an optimization, we can save on communication by combining messages for multiple learners if their content is identical and their shards are co-located. Likewise, we can save on computation by using one process to execute for multiple learners so long as they are identical.

State Updates

For each key in its state, each shard S $n ee d s t oes t ab l i s ha t o t a l or d ero f a llw r i t es b e tw ee n$ heardAllRead(S) $an d$ heardAllWrite(S) $. R e a d s t oe a c hk ey n ee d t o b eor d ere d w i t h res p ec tt o w r i t es t o t ha t k ey . T o a cco m pl i s h t hi s, e a c h S ha r d$ S $main t ain s a * De p e n d e n cy M u lt i - G r a p h * o f a llS ha r d S u mma r i es t h ey ha v erece i v e d, w h ere S u mma ry$ T_1 $* d e p e n d so n * S u mma ry$ T_2 $i f t h e S ha r dd oes n^{'} t kn o wt ha t$ timestamp(T_1) < timestamp(T_2) $, an d$ T_1 $c an re a df ro mak ey t o w hi c h$ T_2 $c an w r i t e . Sp ec i f i c a ll y, i f t h e S ha r dd oes n^{'} t kn o wt ha t$ timestamp(T_1) < timestamp(T_2) $, t h e n f ore a c hk ey$ K $t ha t$ T_2 $c an w r i t e t o an d$ T_1 $c an re a d or w r i t e, cre a t e an e d g e l ab e l e d w i t h$ \langle T_2, K \rangle $. T h erec anb ecyc l es in t h e d e p e n d e n cy m u lt i - g r a p h, b u tt h ese w i ll reso l v e a s t h e S ha r d l e a r n s m ore ab o u tt h e t o t a l or d er f ro m co n se n s u s . C o n c u rre n tl y, f or an y S u mma ry$ T $t ha t n o l o n g er d e p e n d so nan yo t h er S u mma ry, i f$ timestamp(T) < heardAllWrite(S) $: - t r an s mi tt h e v a l u es w r i tt e nm os t rece n tl y b e f ore$ timestamp(T) $f or an y k eyo n$ S $in$ read(learner(S), T) $t o$ executor(learner(S), T) $- u p o n rece i v in g t h e v a l u es f or an y k ey$ K $o n$ S $in$ write(learner(S), T) $f ro m$ executor(learner(S), T) $: - recor d t ha tt ha t v a l u e i s w r i tt e n t o k ey$ K $a t$ timestamp(T) $. - d e l e t ee d g es l ab e l e d$ \langle T, K\rangle $f ro m t h e d e p e n d e n cy g r a p h . - A s an o pt imi z a t i o n, w e ma y w an t a co m p a c t " d o n^{'} t c han g e t hi s v a l u e " m ess a g e . - Wh e n e v ery v a l u e in$ write(learner(S), T) $ha s b ee n u p d a t e d, d e l e t e$ T $f ro m t h e d e p e n d e n cy g r a p h . N o t e t ha t re a d - o n l y t r an s a c t i o n sc ana rr i v e w i t h t im es t am p s b e f ore$ heardAllWrite(S). These need to be added to the dependency graph and processed just like all other transactions.

Garbage Collection

Each Shard can delete all but the most recent value written to each key before heardAllRead(S).

Once all of a transaction's Executors (for all learners) have executed the transaction, we can garbage collect it. We no longer need to store that transaction anywhere.

Client Reads

Read-only transactions can, in principle, bypass Mempool and Consensus altogether: they only need to arrive at each of the relevant shards S $, an d ha v e a t im es t am p g re a t er t han$ heardAllRead(S) $. T h eyco u l d a l so b ee x ec u t e d w i t ha s i d ee ff ec t, l ik ese n d in g am ess a g e t o a c l i e n t . W ec an u se t h esere a d - o n l y t r an s a c t i o n s t oco n s t r u c t c h ec k p o in t s : M er k l eroo t so f p or t i o n so f s t a t e, b u i l d in gu pt o a M er k l eroo t o f t h ee n t i res t a t e . L i g h t c l i e n t re a d so n l y n ee d so m e kin d o f s i g n e d m ess a g e p ro d u ce d b y an e x ec u t or f ro m e a c h o f a w e ak q u or u m o f v a l i d a t ors . T h ey d o n o t, t ec hni c a ll y, n ee d a M er k l eroo t o f t h ee n t i res t a t e a t a ll . Ho w e v er, i t ma y b e m oree ff i c i e n tt o g e t a s in g l es i g n e d m ess a g e w i t ha M er k l eroo t o f s t a t e, an d t h e n o n l yo n e Va l i d a t or n ee d s t o d o t h ere a d - o n l y t r an s a c t i o n . T os u pp or tt hi s kin d o f t hin g, w e ma y w an t$ heardAllRead $t o l a g w e ll b e hin d$ heardAllWrite $, so w ec an d ore a d so n rece n t c h ec k p o in t s .$

Taiga

For now, see anoma/taiga.

Ferveo

For now, see anoma/ferveo.

Compiler stack

For now, see anoma/juvix, anoma/vamp-ir, and anoma/geb.

TODO: Write this up in detail. Readers, ignore for now.

Anomanomics

Consensus provisioning

The XAN stakeholder set acts as a consensus provider:

Liquid delegation cubic proof-of-stake
Free gas per time for stakers (non-transferable)
Continuously better staking yield rates with greater lock time
- Some inverse-quadratic curve approaching an asymptote

Randomness beacon

Randomness for Schelling PPGF
Human-provided input cadence & rewards
Threshold randomness from key shares

Liquid RPGF

Consensus on areas of RPGF
Category-separated liquid (chain-delegated) democracy
Privacy of funding decisions, but rewards for agreement
Advance market commitments?

Schelling-human PPGF

Random graph walks
Density of interconnection
bidirectional "humanity" relation

Glossary

Anoma protocol

The Anoma protocol is the logical framework which agents use to read, create, and process messages.

Agent

An agent is a non-deterministic, stateful entity which can send and receive messages.

The term "agent" is similar to "process" used in distributed systems. However, "agent" is used to highlight the possibility of non-deterministic behaviour, such as random events or choices made by external users. The term also emphasizes the idea of decision-making that can affect the state of the system. This is important for ensuring that the state of the system accurately reflects the state of the world. To achieve this, individual agents must provide data inputs that correspond in local ways, as the system protocol itself does not have direct knowledge of the state of the world.

Read more about agents in the conceptual context.

Canonical serialization

A canonical serialization refers to a standardized way of representing data or functions as a series of bytes that can be transmitted across a network.

Canonical serialization are fully discussed in Prerequisites Primitives

Turing-equivalent

"Turing-equivalent" means that the functions and data being transmitted can be computed by a Turing machine, a well-known theoretical model of computation.

Message

A message is any datum sent between agents.

State

A state may refer to the state of an agent, the state of the world, or the state of the system.

The state of an agent is the set of all data stored by the agent.
The state of the system is a function of the decisions taken by agents over (partially ordered) time.
The state of the world is the set of data related to the "real world" that is observed by and of interest to the agents.

System

A system is a virtual environment which consists of a set of agents interacting with each other.

Read more about the world in the conceptual context.

Anoma Specification