28

It is often the case that Atoms need to wrap the functionality of existing python libraries, or that Atoms that represent abstract syntax trees need to be compiled down to bytecode.

Link Node "edge label" Link Node "from vertex" Node "to vertex"

However, if an atom is added to B that does not exist in A, then it will be in atomspace B only. If later it is added to A, then two independent copies shall exist: one in B and one in A. Its not quite clear if this is the 'right' thing to do; but defacto, this is what happens

When an AtomSpace inherits from multiple contributors, the contents of that AtomSpace is the set-union of the contributing spaces.

The unique ID of a Node is it's string name

One of the keys might hold the truthiness of this statement. Another key might hold its probability.

( Joe , 3 . 5 ) , # T h i s i s n o t v a l i d JSON !

this becomes a column-store

This start-over style of key rotation may well be one of the main reasons that PGP's web-of-trust failed [WOT]. Without a universally verifiable revocation mechanism, then any rotation (revocation and replacement) assertions either explicit or implicit are mutually independent of each other. This lack of universal cryptographic verifiability of a rotation fosters ambiguity at any point in time as to the actual valid mapping between the identifier and its controlling keypair(s). In other words, for a given identifier, any or all assertions made by some set of CAs may be potentially valid

copy, or reference

This enables an extremely beneficial property of TELs; that is, the verifiability of transaction events in the TEL persists in spite of changes to Key States in the sealing KEL. In other words, the verifiability of transaction events persists in spite of changes in the Key State

An Authentication Service (AS) that enables group members to authenticate the credentials presented by other group members.

If a member finds that another member's credential has expired, they may issue a Remove that removes that member.

The Delivery Service cannot guarantee that application messages won't be dropped within the same epoch. To address this, applications can configure the maximum_forward_distance parameter of the SenderRatchetConfiguration. The configuration can be set as the sender_ratchet_configuration parameter of the MlsGroupCreateConfig

The Delivery Service cannot guarantee that application messages will arrive in order within the same epoch. To address this, applications can configure the out_of_order_tolerance parameter of the SenderRatchetConfiguration. The configuration can be set as the sender_ratchet_configuration parameter of the MlsGroupCreateConfig

The Delivery Service cannot guarantee that application messages from one epoch are sent before the beginning of the next epoch. To address this, applications can configure their groups to keep the necessary key material around for past epochs by setting the max_past_epochs field in the MlsGroupCreateConfig to the desired number of epochs

Capabilities per server: Is a given server participating in the room allowed to...

When a client sends a message, the message is delivered to its provider's server using some provider-internal mechanism. If the provider is not the hub, then the server forwards the message to the hub for delivery.

http://example.com/didcomm

Mobile Agents Communicating via UDP

We recommend listening to the Zoom recording of the DUG special meeting

refinement to this approach, which reduces the amount ofinformation exchanged and the size of the tables, is to have the DBMPsexchange only the oldest of the entries in the first table (oftimestamps of last modifications received from other DBMPs).

(T1,D1)>(T2,D2) <=> (T1>T2) or (T1=T2 and D1>D2)

In [2], Berners-Lee and Connolly proposed Delta, an ap-proach in which the RDF-Graphs differences are calculatedon their serialized forms

DAG-based consensus protocol are all the rage

A Grassroots Architecture for the Digital Realm.

virtual blockchains

Given a set of n agents, at most f of which arefaulty and the rest are correct, a fault-resilient supermajority, or supermajorityfor short, is any fraction of agents greater than n+f2 . For example, if f = 0 thena simple majority is a supermajority, and if f < 13 then 23 is a supermajority

The master key may also be used to sign other items such as the backup key

a master key (MSK) that serves as the user’s identity in cross-signing and signs their other cross-signing keys

In addition to connectivity, there are other Matrix-centric problems to be solved. In a world where each device is potentially running its own homeserver, we will need a new approach for handling user identities

Since federation within a Matrix room is effectively full-mesh, you need to be able to exchange data with all servers that are participating in a given room directly

As we discussed in #matrix-spec, since "rooms" are so much more than "chat rooms," and are really a DAG of events

from the perspective of the homeserver which created the event

All API endpoints within the specification are versioned individually. This means that /v3/sync (for example) can get deprecated in favour of /v4/sync without affecting /v3/profile at all. A server supporting /v4/sync would keep serving /v3/profile as it always has

For example, if /test were to be introduced in v1.1 and deprecated in v1.2, then it can be removed in v1.3.

vX.Y

Users may publish arbitrary key/value data associated with their account

Usage of an IS is not required in order for a client application to be part of the Matrix ecosystem. However, without one clients will not be able to look up user IDs using 3PIDs

Each state event updates the value of a given key.

file transfers

Every event graph has a single root event with no parent

Events exchanged in the context of a room are stored in a directed acyclic graph (DAG) called an “event graph”.

type values MUST be uniquely globally namespaced following Java’s package naming conventions, e.g. com.example.myapp.event

In a mobile client, it might be acceptable to reuse the device if a login session expires, provided the user is the same

each device gets its own copy of the decryption keys

each of which would be its own device

signing the message in the context of the graph for integrity

Room data is replicated across all of the homeservers whose users are participating in a given room

and shares data with the wider Matrix ecosystem by synchronising communication history with other homeservers and their clients

Use of 3rd Party IDs (3PIDs) such as email addresses, phone numbers, Facebook accounts to authenticate, identify and discover users on Matrix

Managing user accounts (registration, login, logout)

Extensible user profile management (avatars, display names, etc)

Extensible user management (inviting, joining, leaving, kicking, banning) mediated by a power-level based user privilege system

REST

JSON

The user should know precisely where their data is stored

no single points of control over conversations or the network as a whole

Sending and receiving extensible messages

across a global open network of federated servers and services

Eventually-consistent cryptographically secure synchronisation of room state

causal order does not refer to the actual ‘real’ causality of the messages

Further, we conjecture that the only non-trivial Byzantine-tolerantCRDT design is a grow-only HashDAG as it is done in the Matrix Event Graph

Fig. 2

Equivocation and Omission remain as the only optionsfor an attack on CRDT layer

the MEG builds up a Hash-based DAG (HashDAG) data structure

So this

MERKLE-CLOCKS

ipfs-log24 is, to our knowledge, the first existinginstance of a Merkle-CRDT as described here

This, in turn, requires either having knowledge of thecurrent replica-set or using an external source of truth (i.e. ablockchain), a system constraint that we did not have before

Operations are easy to define, asthey just need to be commutative, so that the resulting state willbe the same in every replica regardless of the order in whichthey have received the operations

wecan sign the broadcast messages, thus leaving signatures outof the Merkle-DAG

Comparing version vectors betweenpayloads is an inclusion check without the need to perform aDAG-walking

It is clear thatthis approach will bring some benefits

Chronofold and co-structures

Figure 9.13. Delegated Establishment Event.

Custodial Key Management

Using seals, the delega-tor’s and delegate’s event streams are cross linked together

applications may benefit from other delegative properties such as the ability to attenuatecontrol authority

A nested set of delegation levels may be used to form a dele-gation chain or a delegation tree

In some critical interactions, however, the trade-off between convenience and security madeby reusing signing keys for multiple interaction events may not be acceptable. In this case, amore secure approach is to combine an interaction event with a rotation event by adding a pay-load data structure to the rotation event.

To elaborate, a successful live exploit must compromise the unexposed next set of private keysfrom the public-keys declared in the latest rotation

Figure 11.5. KERL for a Recovery Rotation Event.

N ≥ 2F + 1

This case is prevented when the inter-section subset of any two agreement sets is large enough to include at least one honest witness

When sufficient agreement may occur on more than one version of an event then a valida-tor may not be able to determine which version is authoritative in order to either to hold the con-troller accountable or to reconcile that event with respect to other validators

but where the witnesses are not under its control such that the a validator or originalcontroller may nonetheless trust that there may be no more that F faulty witnesses

The controller is responsible to promulgate a mutually consistent set of receipts, i.e. a suffi-cient agreement of size M ≥ M C .

Without a threshold a validator may choose to hold a controller ac-countable upon any evidence of duplicity which may make the service fragile in the presence ofany degree of such faulty behavior

Suppose instead that N = 3F + 1 , then a correctagreement is guaranteed as before but the agreement will have 2F + 1 nodes (quorum size) anddespite some F of those 2F + 1nodes becoming unresponsive, the remaining F + 1 honest andresponsive nodes will be able to propagate that correct safe agreement to the next round

But there is no guarantee that the nodes in agreement (quorum) will knowthey came to agreement in a subsequent round because as many as F of the nodes in agreementin a given round may subsequently become unresponsive in the next round

This may be called a multi-controller or collec-

An escrow cache of unverified out-of-order event provides an opportunity for malicious at-tackers to send forged event that may fill up the cache as a type of denial of service attack. Forthis reason escrow caches are typically FIFO (first-in-first-out) where older events are flushed tomake room for newer events.

UTP

Event escrow isan optional implementation specific configurable capability of controllers and witnesses imple-mentations

Each time the controller connects to awitness to send new events and collect the new event receipts, it also sends the receipts it has re-ceived so far from other witnesses

When network bandwidth is less constrained then a gossip proto-col might provide full dissemination with lower latency than a round robin protocol

When a rotation amends the witnesses it includes the new tally, the setof pruned (removed) witnesses and the set of newly grafted (added) witnesses. This is shownbelow.

where K ≤ L

The specific details of this recovery are explained later (see Section 11.6). In gener-al, the witnessing policy is that the first seen version of an event always wins, that is, the firstverified version is witnessed (signed, stored, acknowledged and maybe disseminated) and allother versions are discarded

the message payload inside an IP packet includes aunique identifier provided by the identity system that is exclusive to the sender of the packet

Also more recently theTrusted Computing Group (TCG) uses the term “implicit identity” and “embedded certificateauthority” to describe the process whereby device identifiers are automatically generated by theassociated computing device [143]

Using a DID as an endpoint

An identity is also a topic to subscribe to (i.e. the ledger is based on subscription)

In contrast, a relay is an entity that passes along encrypted messages without understanding or decrypting them. It's focused on network routing only.

Two Dimensions

Therefore, there is no unified absolute ordering of all messages within a thread--but there is an ordering of all messages emitted by a each participant

Again, the discloser can retain the ‘Admit’ message as non-repudiable digital proof that the disclosee has admitted the disclosure of the ACDC

For a given AID, Duplicity refers to the existence of two or more versions of inconsistent instances of a KEL.

Events in the TEL are sealed (anchored) in a Key Event Log (KEL) using seals.

r can provide an API where transaction events or their seal references and their KEL seal references can be looked up by the SAID of the ACDC associated with the transaction event

NOT

When an Edge block does not include a SAID, d field, then the node, n field must appear as the first field in the block.

Notable is the fact that no top-level type fields exist in an ACDC. This is because the Schema, s, field itself is the type field for the ACDC and its parts

where each Edge block is a leaf of a branch

Without the entropy provided the UUID, u, field, an adversary may be able to reconstruct the block contents merely from the SAID of the block and the Schema of the block using a rainbow or dictionary attack on the set of field values allowed by the Schema

It’s just a chain of custody

a little bit about consensus algorithms

but I also have one: a verifiable data tree, not just a chain. So in my view, a verifiable data tree is the solution, not a shared blockchain

blockchains are too expensive, too complex, too hard to scale, and too slow-moving in their governance

Open identity systems should stay agnostic to all silos and blockchains

consensus network called KERI

Any selective disclosure is potentially ineffective unless per-formed within the confines of a contractually protected disclosure that imposes an incentive onthe disclosee (verifier) to protect that disclosure (counter-incentive against the exploitation ofthat discloser).

that a given DID is guarded by M-of-N signature policies, for example

This makes the DID functionally equivalent to a did:key value, and visually similar, except that a peer DID will have the numeric algorithm as a prefix, before the multibase encoded, multicodec-encoded public key

In order to do this, a form of network-wide election takes place, where the node with the numerically highest ed25519 public key will win

Even though the Pinecone address space is considered to be global in scope, it is important to note that there is no true “single” Pinecone network. It is possible for multiple disjoint and disconnected Pinecone network segments to exist

In some cases, source addresses could be sealed/encrypted, although this is not implemented today

implement a better federation routing algorithm than full-mesh routing

Power DAG

yggdrasil

but limiting the conference to 7 or 8 participants given all the duplication of the sent video required. In Element Call Beta 2, end-to-end encryption was enabled; easy, given it’s just a set of 1:1 calls.

instead it’s more of a QoSed incremental sync

So if the network roundtrip time to your server is even 100ms, and Sliding Sync is operating infinitely quickly, you’re still going to end up showing a placeholders for a few frames

Faster Joins (lazy-loading room state when your server joins a room)

The European Union’s Digital Markets Act (DMA) is a huge step in that direction - regulation that mandates that if the large centralised messaging providers are to operate in the EU, they must interoperate

111,873,374 matrix IDs on the public network, spanning 17,289,201 rooms, spread over 64,256 servers

However, certain algo-rithms executed on the MEG do not scale well with thenumber of parent events, i.e., they can become very re-source intensive, especially when old parts of the MEGare referenced as parents [8]. In practice, the maximumnumber of parent events therefore has to be restrictedto a finite value d.

The protocol flow is therefore modified as follows

푏 the first demonstration of 푞 being Byzantine

the blocklace stores notonly valid blocks but also blocks that constitute a proof thattheir creator is Byzantine

Thus only the valid subset of theblocks will be considered as state by the replicated abstrac-tion (the CRDT).

Thus the harm a Byzantine agent may cause is limited to afinite prefix of the computation

On the contrary, sets ofrandomly generated numbers or sets of signed-hashes (inthe case of a blocklace) do not allow such a compact repre-sentation

Virtual chain axiom

Conclusions

For example, in WOOT [ 33]and YATA [ 32 ], an insertion operation must referencethe IDs of the predecessor and successor elements, andthe algorithms depend on the predecessor appearingbefore the successor in the sequence. The order ofthese elements is not apparent from the IDs alone, sothe algorithm must inspect the CRDT state to checkthat the predecessor and successor references are valid

but Byzantine nodes maynot set this metadata correctly

The 3f + 1 assumption meansthese protocols cannot be deployed in open peer-to-peersystems, since they would be vulnerable to Sybil attacks [ 15].

blockchains [ 5 ]

If authentication of updates is desired, i.e. if it is importantto know which node generated which update, then updatescan additionally be cryptographically signed. However, thisis not necessary for achieving Strong Eventual Consistency

When updates are generatedconcurrently and then merged, the next update containsmultiple predecessors

Consequently, if updateu2 depends on update u1, it could happen that somenodes deliver u1 before u2 and hence process bothupdates correctly, but other nodes may try to deliveru2 and fail because they have not yet delivered u1. Thissituation also leads to divergence.

Say a Byzantine node generates twodifferent updates u1 and u2 that create two differentitems with the same ID. If a node has already deliveredu1 and then subsequently delivers u2, the update u2will be rejected, but a node that has not previously de-livered u1 may accept u2. Since one node accepted u2and the other rejected it, those nodes fail to converge,even if we have eventual delivery

Unfortunately, version vectors are not safe in the presenceof Byzantine nodes, as shown in Figure 1. This is because aByzantine node may generate several distinct updates withthe same sequence number, and send them to different nodes(this failure mode is known as equivocation). Subsequently,when correct nodes p and q exchange version vectors, theymay believe that they have delivered the same set of updatesbecause their version vectors are identical, even though theyhave in fact delivered different updates.

This algorithm has the downside thatmany updates may be sent to nodes that have already re-ceived them from another node, wasting network bandwidth

In some cases, a causal de-livery algorithm additionally ensures that when one updatehas a dependency on an earlier update, the earlier update isdelivered before the later update on all replicas

The network is not necessarily com-plete, i.e. it is not required for every node to be able to com-municate with every other node

they must either exer-cise centralised control over which nodes are allowed to jointhe network

Smart Merge is built on a customized adaptation of Myer's diff algorithm and Google's diff-match-patch

Please note that it is impossible to revoke a device

initial

¬∃b′ ∈ blocklace : (b′ ̸ = b ∧ b′.creator = b.creator ∧ observes(b′, b))

received_orders

Once a recipient has received one copy of a message, they MUST ignore subsequent copies that arrive, such that resends are idempotent

When Alice and Bob are both bidding in an auction protocol, each of them marks their first bid with sender_order: 1, their second bid with sender_order: 2, and so forth.

sender_order

We suggest that the messaging standards all erred by treating public-key encryption and digital signatures as if they were fully independent operations

When B receives A's signed & encrypted message, B can't know how many hands it has passed through, even if B trusts A to be careful.

But in reality, when Charlie gets Alice's message via Bob, Charlie very likely will assume that Alice sent it to him directly

In this case, Alice will be blamed conclusively for Bob's exposure of their company's secrets.

Here, Bob has misled Charlie to believe that ``Alice loves Charlie.''

forces the sender to talk “on the record”

centralized servers and certificate authorities perpetuate a power and UX imbalance between servers and clients that doesn’t fit with peer-oriented DIDComm Messaging

web security is provided at the transport level (TLS); it is not an independent attribute of the messages themselves

The Broadcast Channel API allows basic communication between browsing contexts (that is, windows, tabs, frames, or iframes) and workers on the same origin.

withtokens provided by their IdP.

The new device needs to receive the secret s withoutleaking it to any third party

Finally, EL PASSO supports multi-device scenarios. It en-ables users to easily register new devices (e.g., laptop, phone,tablet) and supports easy identity recovery in case of the theftof one device. It natively supports 2FA: An RP may requestand assess that users connect from two different devices inorder to sign on their services (multi-device support).

intra-RP linkability

Commonly, this is accomplished through a pub-licly available list of credential statuses (either listing the revokedor valid credentials).

Trust anchors affirm the provenance of identitiesand public attributes (DIDDocs)

Alternatively, a simple public key canserve as an identifier, eliminating the DID/DIDDoc abstraction2

according to my entire history

Adding time todigital social contracts is an anticipated future extension

If one user marks a word as bold and another user marks the same word as non-bold, thereis no final state that preserves both users’ intentions and also ensures convergence

If the context has changed

Rather than seeing document history as a linear sequence of versions,we could see it as a multitude of projected views on top of a database of granular changes

Another approach is to maintain all operations for a particular document version in anordered log, and to append new operations at the end when they are generated. To mergetwo document versions with logs 𝐿1 and 𝐿2 respectively, we scan over the operations in𝐿1, ignoring any operations that already exist in 𝐿2; any operations that do not exist in 𝐿2are applied to the 𝐿1 document and appended to 𝐿1 in the order they appear in 𝐿2.

Peritext works bycapturing a document’s edit history as a log of operations

but since a given client never uses the same counter value twice, the combination ofcounter and nodeId is globally unique

Another area for future exploration is moving and duplicating text within a document. If twopeople concurrently cut-paste the same text to different places in a document, and then furthermodify the pasted text, what is the most sensible outcome?

span can be deleted once causalstability [2] has ensured that there will be no more concurrent insertions into that span

Fig. 4

For example, a developer mightdecide that colored text marks should be allowed to overlap, with the overlap region rendering ablend of the colors

No

Conflicts occur not only with colors; even simple bold formatting operations canproduce conflicts

Consider assigning colored highlighting to some text

Furthermore, as with plain text CRDTs, this model only preserves low-level syntactic intent,and manual intervention will often be necessary to preserve semantic intent based on a humanunderstanding of the text