Join-Accumulate Machine: A Mostly-Coherent Trustless Supercomputer
Draft 0.8.0 - June 3, 2026

Dr. Gavin Wood
Founder, Polkadot & Ethereum
gavin@parity.io

Abstract.

We present a comprehensive and formal definition of Jam, a protocol combining elements of both Polkadot and Ethereum. In a single coherent model, Jam provides a global singleton permissionless object environment—much like the smart-contract environment pioneered by Ethereum—paired with secure sideband computation parallelized over a scalable node network, a proposition pioneered by Polkadot.

Jam introduces a decentralized hybrid system offering smart-contract functionality structured around a secure and scalable in-core/on-chain dualism. While the smart-contract functionality implies some similarities with Ethereum’s paradigm, the overall model of the service offered is driven largely by underlying architecture of Polkadot.

Jam is permissionless in nature, allowing anyone to deploy code as a service on it for a fee commensurate with the resources this code utilizes and to induce execution of this code through the procurement and allocation of core-time, a metric of resilient and ubiquitous computation, somewhat similar to the purchasing of gas in Ethereum. We already envision a Polkadot-compatible CoreChains service.

1. Introduction

1.1. Nomenclature

In this paper, we introduce a decentralized, crypto-economic protocol to which the Polkadot Network will transition itself in a major revision on the basis of approval by its governance apparatus.

An early, unrefined, version of this protocol was first proposed in Polkadot Fellowship rfc31, known as CoreJam. CoreJam takes its name after the collect/refine/join/accumulate model of computation at the heart of its service proposition. While the CoreJam rfc suggested an incomplete, scope-limited alteration to the Polkadot protocol, Jam refers to a complete and coherent overall blockchain protocol.

1.2. Driving Factors

Within the realm of blockchain and the wider Web3, we are driven by the need first and foremost to deliver resilience. A proper Web3 digital system should honor a declared service profile—and ideally meet even perceived expectations—regardless of the desires, wealth or power of any economic actors including individuals, organizations and, indeed, other Web3 systems. Inevitably this is aspirational, and we must be pragmatic over how perfectly this may really be delivered. Nonetheless, a Web3 system should aim to provide such radically strong guarantees that, for practical purposes, the system may be described as unstoppable.

While Bitcoin is, perhaps, the first example of such a system within the economic domain, it was not general purpose in terms of the nature of the service it offered. A rules-based service is only as useful as the generality of the rules which may be conceived and placed within it. Bitcoin’s rules allowed for an initial use-case, namely a fixed-issuance token, ownership of which is well-approximated and autonomously enforced through knowledge of a secret, as well as some further elaborations on this theme.

Later, Ethereum would provide a categorically more general-purpose rule set, one which was practically Turing complete.¹¹ 1 The gas mechanism did restrict what programs can execute on it by placing an upper bound on the number of steps which may be executed, but some restriction to avoid infinite-computation must surely be introduced in a permissionless setting. In the context of Web3 where we are aiming to deliver a massively multiuser application platform, generality is crucial, and thus we take this as a given.

Beyond resilience and generality, things get more interesting, and we must look a little deeper to understand what our driving factors are. For the present purposes, we identify three additional goals:

(1)

Resilience: highly resistant from being stopped, corrupted and censored.
(2)

Generality: able to perform Turing-complete computation.
(3)

Performance: able to perform computation quickly and at low cost.
(4)

Coherency: the causal relationship possible between different elements of state and thus how well individual applications may be composed.
(5)

Accessibility: negligible barriers to innovation; easy, fast, cheap and permissionless.

As a declared Web3 technology, we make an implicit assumption of the first two items. Interestingly, items 3 and 4 are antagonistic according to an information theoretic principle which we are sure must already exist in some form but are nonetheless unaware of a name for it. For argument’s sake we shall name it size-coherency antagonism.

1.3. Scaling under Size-Coherency Antagonism

Size-coherency antagonism is a simple principle implying that as the state-space of information systems grow, then the system necessarily becomes less coherent. It is a direct implication of principle that causality is limited by speed. The maximum speed allowed by physics is $C$ the speed of light in a vacuum, however other information systems may have lower bounds: In biological system this is largely determined by various chemical processes whereas in electronic systems is it determined by the speed of electrons in various substances. Distributed software systems will tend to have much lower bounds still, being dependent on a substrate of software, hardware and packet-switched networks of varying reliability.

The argument goes:

(1)

The more state a system utilizes for its data-processing, the greater the amount of space this state must occupy.
(2)

The more space used, then the greater the mean and variance of distances between state-components.
(3)

As the mean and variance increase, then time for causal resolution (i.e. all correct implications of an event to be felt) becomes divergent across the system, causing incoherence.

Setting the question of overall security aside for a moment, we can manage incoherence by fragmenting the system into causally-independent subsystems, each of which is small enough to be coherent. In a resource-rich environment, a bacterium may split into two rather than growing to double its size. This pattern is rather a crude means of dealing with incoherency under growth: intra-system processing has low size and total coherence, inter-system processing supports higher overall sizes but without coherence. It is the principle behind meta-networks such as Polkadot, Cosmos and the predominant vision of a scaled Ethereum (all to be discussed in depth shortly). Such systems typically rely on asynchronous and simplistic communication with “settlement areas” which provide a small-scoped coherent state-space to manage specific interactions such as a token transfer.

The present work explores a middle-ground in the antagonism, avoiding the persistent fragmentation of state-space of the system as with existing approaches. We do this by introducing a new model of computation which pipelines a highly scalable, mostly coherent element to a synchronous, fully coherent element. Asynchrony is not avoided, but we bound it to the length of the pipeline and substitute the crude partitioning we see in scalable systems so far with a form of “cache affinity” as it typically seen in multi-cpu systems with a shared ram.

Unlike with snark-based L2-blockchain techniques for scaling, this model draws upon crypto-economic mechanisms and inherits their low-cost and high-performance profiles and averts a bias toward centralization.

1.4. Document Structure

We begin with a brief overview of present scaling approaches in blockchain technology in section 2. In section 3 we define and clarify the notation from which we will draw for our formalisms.

We follow with a broad overview of the protocol in section 4 outlining the major areas including the Polkadot Virtual Machine (pvm), the consensus protocols Safrole and Grandpa, the common clock and build the foundations of the formalism.

We then continue with the full protocol definition split into two parts: firstly the correct on-chain state-transition formula helpful for all nodes wishing to validate the chain state, and secondly, in sections 14 and 19 the honest strategy for the off-chain actions of any actors who wield a validator key.

The main body ends with a discussion over the performance characteristics of the protocol in section 20 and finally conclude in section 21.

The appendix contains various additional material important for the protocol definition including the pvm in appendices A & B, serialization and Merklization in appendices C & D and cryptography in appendices E, G & H. We finish with an index of terms which includes the values of all simple constant terms used in the work in appendix I, and close with the bibliography.

2. Previous Work and Present Trends

In the years since the initial publication of the Ethereum YP, the field of blockchain development has grown immensely. Other than scalability, development has been done around underlying consensus algorithms, smart-contract languages and machines and overall state environments. While interesting, these latter subjects are mostly out scope of the present work since they generally do not impact underlying scalability.

2.1. Polkadot

In order to deliver its service, Jam co-opts much of the same game-theoretic and cryptographic machinery as Polkadot known as Elves and described by [4]. However, major differences exist in the actual service offered with Jam, providing an abstraction much closer to the actual computation model generated by the validator nodes its economy incentivizes.

It was a major point of the original Polkadot proposal, a scalable heterogeneous multichain, to deliver high-performance through partition and distribution of the workload over multiple host machines. In doing so it took an explicit position that composability would be lowered. Polkadot’s constituent components, parachains are, practically speaking, highly isolated in their nature. Though a message passing system (xcmp) exists it is asynchronous, coarse-grained and practically limited by its reliance on a high-level slowly evolving interaction language xcm.

As such, the composability offered by Polkadot between its constituent chains is lower than that of Ethereum-like smart-contract systems offering a single and universal object environment and allowing for the kind of agile and innovative integration which underpins their success. Polkadot, as it stands, is a collection of independent ecosystems with only limited opportunity for collaboration, very similar in ergonomics to bridged blockchains though with a categorically different security profile. A technical proposal known as spree would utilize Polkadot’s unique shared-security and improve composability, though blockchains would still remain isolated.

Implementing and launching a blockchain is hard, time-consuming and costly. By its original design, Polkadot limits the clients able to utilize its service to those who are both able to do this and raise a sufficient deposit to win an auction for a long-term slot, one of around 50 at the present time. While not permissioned per se, accessibility is categorically and substantially lower than for smart-contract systems similar to Ethereum.

Enabling as many innovators to participate and interact, both with each other and each other’s user-base, appears to be an important component of success for a Web3 application platform. Accessibility is therefore crucial.

2.2. Ethereum

The Ethereum protocol was formally defined in this paper’s spiritual predecessor, the Yellow Paper, by [36]. This was derived in large part from the initial concept paper by [8]. In the decade since the YP was published, the de facto Ethereum protocol and public network instance have gone through a number of evolutions, primarily structured around introducing flexibility via the transaction format and the instruction set and “precompiles” (niche, sophisticated bonus instructions) of its scripting core, the Ethereum virtual machine (evm).

Almost one million crypto-economic actors take part in the validation for Ethereum.²² 2 Practical matters do limit the level of real decentralization. Validator software expressly provides functionality to allow a single instance to be configured with multiple key sets, systematically facilitating a much lower level of actual decentralization than the apparent number of actors, both in terms of individual operators and hardware. Using data collated by [10] on Ethereum 2, one can see one major node operator, Lido, has steadily accounted for almost one-third of the almost one million crypto-economic participants. Block extension is done through a randomized leader-rotation method where the physical address of the leader is public in advance of their block production.³³ 3 Ethereum’s developers hope to change this to something more secure, but no timeline is fixed. Ethereum uses Casper-ffg introduced by [7] to determine finality, which with the large validator base finalizes the chain extension around every 13 minutes.

Ethereum’s direct computational performance remains broadly similar to that with which it launched in 2015, with a notable exception that an additional service now allows 1mb of commitment data to be hosted per block (all nodes to store it for a limited period). The data cannot be directly utilized by the main state-transition function, but special functions provide proof that the data (or some subsection thereof) is available. According to [12], the present design direction is to improve on this over the coming years by splitting responsibility for its storage amongst the validator base in a protocol known as Dank-sharding.

According to [11], the scaling strategy of Ethereum would be to couple this data availability with a private market of roll-ups, sideband computation facilities of various design, with zk-snark-based roll-ups being a stated preference. Each vendor’s roll-up design, execution and operation comes with its own implications.

One might reasonably assume that a diversified market-based approach for scaling via multivendor roll-ups will allow well-designed solutions to thrive. However, there are potential issues facing the strategy. A research report by [29] on the level of decentralization in the various roll-ups found a broad pattern of centralization, but notes that work is underway to attempt to mitigate this. It remains to be seen how decentralized they can yet be made.

Heterogeneous communication properties (such as datagram latency and semantic range), security properties (such as the costs for reversion, corruption, stalling and censorship) and economic properties (the cost of accepting and processing some incoming message or transaction) may differ, potentially quite dramatically, between major areas of some grand patchwork of roll-ups by various competing vendors. While the overall Ethereum network may eventually provide some or even most of the underlying machinery needed to do the sideband computation it is far from clear that there would be a “grand consolidation” of the various properties should such a thing happen. We have not found any good discussion of the negative ramifications of such a fragmented approach.⁴⁴ 4 Some initial thoughts on the matter resulted in a proposal by [28] to utilize Polkadot technology as a means of helping create a modicum of compatibility between roll-up ecosystems!

2.2.1. Snark Roll-ups

While the protocol’s foundation makes no great presuppositions on the nature of roll-ups, Ethereum’s strategy for sideband computation does centre around snark-based rollups and as such the protocol is being evolved into a design that makes sense for this. Snarks are the product of an area of exotic cryptography which allow proofs to be constructed to demonstrate to a neutral observer that the purported result of performing some predefined computation is correct. The complexity of the verification of these proofs tends to be sub-linear in their size of computation to be proven and will not give away any of the internals of said computation, nor any dependent witness data on which it may rely.

Zk-snarks come with constraints. There is a trade-off between the proof’s size, verification complexity and the computational complexity of generating it. Non-trivial computation, and especially the sort of general-purpose computation laden with binary manipulation which makes smart-contracts so appealing, is hard to fit into the model of snarks.

To give a practical example, risc-zero (as assessed by [2]) is a leading project and provides a platform for producing snarks of computation done by a risc-v virtual machine, an open-source and succinct risc machine architecture well-supported by tooling. A recent benchmarking report by [26] showed that compared to risc-zero’s own benchmark, proof generation alone takes over 61,000 times as long as simply recompiling and executing even when executing on 32 times as many cores, using 20,000 times as much ram and an additional state-of-the-art gpu. According to hardware rental agents https://cloud-gpus.com/, the cost multiplier of proving using risc-zero is 66,000,000x of the cost⁵⁵ 5 In all likelihood actually substantially more as this was using low-tier “spare” hardware in consumer units, and our recompiler was unoptimized. to execute using the Polkavm recompiler.

Many cryptographic primitives become too expensive to be practical to use and specialized algorithms and structures must be substituted. Often times they are otherwise suboptimal. In expectation of the use of snarks (such as plonk as proposed by [14]), the prevailing design of the Ethereum project’s Dank-sharding availability system uses a form of erasure coding centered around polynomial commitments over a large prime field in order to allow snarks to get acceptably performant access to subsections of data. Compared to alternatives, such as a binary field and Merklization in the present work, it leads to a load on the validator nodes orders of magnitude higher in terms of cpu usage.

In addition to their basic cost, snarks present no great escape from decentralization and the need for redundancy, leading to further cost multiples. While the need for some benefits of staked decentralization is averted through their verifiable nature, the need to incentivize multiple parties to do much the same work is a requirement to ensure that a single party not form a monopoly (or several not form a cartel). Proving an incorrect state-transition should be impossible, however service integrity may be compromised in other ways; a temporary suspension of proof-generation, even if only for minutes, could amount to major economic ramifications for real-time financial applications.

Real-world examples exist of the pit of centralization giving rise to monopolies. One would be the aforementioned snark-based exchange framework; while notionally serving decentralized exchanges, it is in fact centralized with Starkware itself wielding a monopoly over enacting trades through the generation and submission of proofs, leading to a single point of failure—should Starkware’s service become compromised, then the liveness of the system would suffer.

It has yet to be demonstrated that snark-based strategies for eliminating the trust from computation will ever be able to compete on a cost-basis with a multi-party crypto-economic platform. All as-yet proposed snark-based solutions are heavily reliant on crypto-economic systems to frame them and work around their issues. Data availability and sequencing are two areas well understood as requiring a crypto-economic solution.

We would note that snark technology is improving and the cryptographers and engineers behind them do expect improvements in the coming years. In a recent article by [34] we see some credible speculation that with some recent advancements in cryptographic techniques, slowdowns for proof generation could be as little as 50,000x from regular native execution and much of this could be parallelized. This is substantially better than the present situation, but still several orders of magnitude greater than would be required to compete on a cost-basis with established crypto-economic techniques such as Elves.

2.3. Fragmented Meta-Networks

Directions for general-purpose computation scalability taken by other projects broadly centre around one of two approaches; either what might be termed a fragmentation approach or alternatively a centralization approach. We argue that neither approach offers a compelling solution.

The fragmentation approach is heralded by projects such as Cosmos (proposed by [22]) and Avalanche (by [33]). It involves a system fragmented by networks of a homogenous consensus mechanic, yet staffed by separately motivated sets of validators. This is in contrast to Polkadot’s single validator set and Ethereum’s declared strategy of heterogeneous roll-ups secured partially by the same validator set operating under a coherent incentive framework. The homogeneity of said fragmentation approach allows for reasonably consistent messaging mechanics, helping to present a fairly unified interface to the multitude of connected networks.

However, the apparent consistency is superficial. The networks are trustless only by assuming correct operation of their validators, who operate under a crypto-economic security framework ultimately conjured and enforced by economic incentives and punishments. To do twice as much work with the same levels of security and no special coordination between validator sets, then such systems essentially prescribe forming a new network with the same overall levels of incentivization.

Several problems arise. Firstly, there is a similar downside as with Polkadot’s isolated parachains and Ethereum’s isolated roll-up chains: a lack of coherency due to a persistently sharded state preventing synchronous composability.

More problematically, the scaling-by-fragmentation approach, proposed specifically by Cosmos, provides no homogenous security—and therefore trustlessness—guarantees. Validator sets between networks must be assumed to be independently selected and incentivized with no relationship, causal or probabilistic, between the Byzantine actions of a party on one network and potential for appropriate repercussions on another. Essentially, this means that should validators conspire to corrupt or revert the state of one network, the effects may be felt across other networks of the ecosystem.

That this is an issue is broadly accepted, and projects propose for it to be addressed in one of two ways. Firstly, to fix the expected cost-of-attack (and thus level of security) across networks by drawing from the same validator set. The massively redundant way of doing this, as proposed by [9] under the name replicated security, would be to require each validator to validate on all networks and for the same incentives and punishments. This is economically inefficient in the cost of security provision as each network would need to independently provide the same level of incentives and punishment-requirements as the most secure with which it wanted to interoperate. This is to ensure the economic proposition remain unchanged for validators and the security proposition remained equivalent for all networks. At the present time, replicated security is not a readily available permissionless service. We might speculate that these punishing economics have something to do with it.

The more efficient approach, proposed by the OmniLedger team, [21], would be to make the validators non-redundant, partitioning them between different networks and periodically, securely and randomly repartitioning them. A reduction in the cost to attack over having them all validate on a single network is implied since there is a chance of having a single network accidentally have a compromising number of malicious validators even with less than this proportion overall. This aside it presents an effective means of scaling under a basis of weak-coherency.

Alternatively, as in Elves by [4], we may utilize non-redundant partitioning, combine this with a proposal-and-auditing game which validators play to weed out and punish invalid computations, and then require that the finality of one network be contingent on all causally-entangled networks. This is the most secure and economically efficient solution of the three, since there is a mechanism for being highly confident that invalid transitions will be recognized and corrected before their effect is finalized across the ecosystem of networks. However, it requires substantially more sophisticated logic and their causal-entanglement implies some upper limit on the number of networks which may be added.

2.4. High-Performance Fully Synchronous Networks

Another trend in the recent years of blockchain development has been to make “tactical” optimizations over data throughput by limiting the validator set size or diversity, focusing on software optimizations, requiring a higher degree of coherency between validators, onerous requirements on the hardware which validators must have, or limiting data availability.

The Solana blockchain is underpinned by technology introduced by [37] and boasts theoretical figures of over 700,000 transactions per second, though according to [25] the network is only seen processing a small fraction of this. The underlying throughput is still substantially more than most blockchain networks and is owed to various engineering optimizations in favor of maximizing synchronous performance. The result is a highly-coherent smart-contract environment with an api not unlike that of YP Ethereum (albeit using a different underlying vm), but with a near-instant time to inclusion and finality which is taken to be immediate upon inclusion.

Two issues arise with such an approach: firstly, defining the protocol as the outcome of a heavily optimized codebase creates structural centralization and can undermine resilience. [19] writes “since January 2022, 11 significant outages gave rise to 15 days in which major or partial outages were experienced”. This is an outlier within the major blockchains as the vast majority of major chains have no downtime. There are various causes to this downtime, but they are generally due to bugs found in various subsystems.

Ethereum, at least until recently, provided the most contrasting alternative with its well-reviewed specification, clear research over its crypto-economic foundations and multiple clean-room implementations. It is perhaps no surprise that the network very notably continued largely unabated when a flaw in its most deployed implementation was found and maliciously exploited, as described by [16].

The second issue is concerning ultimate scalability of the protocol when it provides no means of distributing workload beyond the hardware of a single machine.

In major usage, both historical transaction data and state would grow impractically. Solana illustrates how much of a problem this can be. Unlike classical blockchains, the Solana protocol offers no solution for the archival and subsequent review of historical data, crucial if the present state is to be proven correct from first principle by a third party. There is little information on how Solana manages this in the literature, but according to [30], nodes simply place the data onto a centralized database hosted by Google.⁶⁶ 6 Earlier node versions utilized Arweave network, a decentralized data store, but this was found to be unreliable for the data throughput which Solana required.

Solana validators are encouraged to install large amounts of ram to help hold its large state in memory (512 gb is the current recommendation according to [31]). Without a divide-and-conquer approach, Solana shows that the level of hardware which validators can reasonably be expected to provide dictates the upper limit on the performance of a totally synchronous, coherent execution model. Hardware requirements represent barriers to entry for the validator set and cannot grow without sacrificing decentralization and, ultimately, transparency.

3. Notational Conventions

Much as in the Ethereum Yellow Paper, a number of notational conventions are used throughout the present work. We define them here for clarity. The Ethereum Yellow Paper itself may be referred to henceforth as the YP.

3.1. Typography

We use a number of different typefaces to denote different kinds of terms. Where a term is used to refer to a value only relevant within some localized section of the document, we use a lower-case roman letter e.g. $x$ , $y$ (typically used for an item of a set or sequence) or e.g. $i$ , $j$ (typically used for numerical indices). Where we refer to a Boolean term or a function in a local context, we tend to use a capitalized roman alphabet letter such as $A$ , $F$ . If particular emphasis is needed on the fact a term is sophisticated or multidimensional, then we may use a bold typeface, especially in the case of sequences and sets.

For items which retain their definition throughout the present work, we use other typographic conventions. Sets are usually referred to with a blackboard typeface, e.g. $\mathbb{N}$ refers to all natural numbers including zero. Sets which may be parameterized may be subscripted or be followed by parenthesized arguments. Imported functions, used by the present work but not specifically introduced by it, are written in calligraphic typeface, e.g. $\mathcal{H}$ the Blake2 cryptographic hashing function. For other non-context dependent functions introduced in the present work, we use upper case Greek letters, e.g. $\Upsilon$ denotes the state transition function.

Values which are not fixed but nonetheless hold some consistent meaning throughout the present work are denoted with lower case Greek letters such as $\sigma$ , the state identifier. These may be placed in bold typeface to denote that they refer to an abnormally complex value.

3.2. Functions and Operators

We define the precedes relation to indicate that one term is defined in terms of another. E.g. $y\prec x$ indicates that $y$ may be defined purely in terms of $x$ :

(3.1)

\displaystyle y\prec x\Longleftrightarrow\exists f:y=f(x)

The substitute-if-nothing function $\mathcal{U}$ is equivalent to the first argument which is not $\emptyset$ , or $\emptyset$ if no such argument exists:

(3.2)

\displaystyle\mathcal{U}\mathopen{}\mathclose{{}\left(a_{0},\dots a_{n}}\right% )\equiv a_{x}:(a_{x}\neq\emptyset\vee x=n),\bigwedge_{i=0}^{x-1}a_{i}=\emptyset

Thus, e.g. $\mathcal{U}\mathopen{}\mathclose{{}\left(\emptyset,1,\emptyset,2}\right)=1$ and $\mathcal{U}\mathopen{}\mathclose{{}\left(\emptyset,\emptyset}\right)=\emptyset$ .

3.3. Sets

Given some set $\mathbf{s}$ , its power set and cardinality are denoted as $\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}\mathclose{{}\left[\,s\,% }\right]\mkern-5.0mu}\right\}$ and $\mathopen{}\mathclose{{}\left|\mathbf{s}}\right|$ . When forming a power set, we may use a numeric subscript in order to restrict the resultant expansion to a particular cardinality. E.g. $\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}\mathclose{{}\left[\,% \mathopen{}\mathclose{{}\left\{\,1,2,3\,}\right\}\,}\right]\mkern-5.0mu}\right% \}_{2}=\mathopen{}\mathclose{{}\left\{\,\mathopen{}\mathclose{{}\left\{\,1,2\,% }\right\},\mathopen{}\mathclose{{}\left\{\,1,3\,}\right\},\mathopen{}% \mathclose{{}\left\{\,2,3\,}\right\}\,}\right\}$ .

Sets may be operated on with scalars, in which case the result is a set with the operation applied to each element, e.g. $\mathopen{}\mathclose{{}\left\{\,1,2,3\,}\right\}+3=\mathopen{}\mathclose{{}% \left\{\,4,5,6\,}\right\}$ . Functions may also be applied to all members of a set to yield a new set, but for clarity we denote this with a $\#$ superscript, e.g. $f^{\#}(\mathopen{}\mathclose{{}\left\{\,1,2\,}\right\})\equiv\mathopen{}% \mathclose{{}\left\{\,f(1),f(2)\,}\right\}$ .

We denote set-disjointness with the relation $\downspoon$ . Formally:

A\cap B=\emptyset\Longleftrightarrow A\downspoon B

We commonly use $\emptyset$ to indicate that some term is validly left without a specific value. Its cardinality is defined as zero. We define the operation $\bm{?}$ such that $A\bm{?}\equiv A\cup\mathopen{}\mathclose{{}\left\{\,\emptyset\,}\right\}$ indicating the same set but with the addition of the $\emptyset$ element.

The term $\nabla$ is utilized to indicate the unexpected failure of an operation or that a value is invalid or unexpected. (We try to avoid the use of the more conventional $\bot$ here to avoid confusion with Boolean false, which may be interpreted as some successful result in some contexts.)

3.4. Numbers

$\mathbb{N}$ denotes the set of naturals including zero whereas $\mathbb{N}_{n}$ implies a restriction on that set to values less than $n$ . Formally, $\mathbb{N}=\mathopen{}\mathclose{{}\left\{\,0,1,\dots\,}\right\}$ and $\mathbb{N}_{n}=\mathopen{}\mathclose{{}\left\{\,x\;\middle|\;x\in\mathbb{N},x<% n\,}\right\}$ .

$\mathbb{Z}$ denotes the set of integers. We denote $\mathbb{Z}_{a\dots b}$ to be the set of integers within the interval $[a,b)$ . Formally, $\mathbb{Z}_{a\dots b}=\mathopen{}\mathclose{{}\left\{\,x\;\middle|\;x\in% \mathbb{Z},a\leq x<b\,}\right\}$ . E.g. $\mathbb{Z}_{2\dots 5}=\mathopen{}\mathclose{{}\left\{\,2,3,4\,}\right\}$ . We denote the offset/length form of this set as $\mathbb{Z}_{a\dots+b}$ , a short form of $\mathbb{Z}_{a\dots a+b}$ .

It can sometimes be useful to represent lengths of sequences and yet limit their size, especially when dealing with sequences of octets which must be stored practically. Typically, these lengths can be defined as the set $\mathbb{N}_{2^{32}}$ . To improve clarity, we denote $\mathbb{N}_{L}$ as the set of lengths of octet sequences and is equivalent to $\mathbb{N}_{2^{32}}$ .

We denote the % operator as the modulo operator, e.g. $5\ \text{\scriptsize{\%}}\ 3=2$ . Furthermore, we may occasionally express a division result as a quotient and remainder with the separator R , e.g. $5\div 3=1\text{\hskip 2.0pt\footnotesize{{R}}\hskip 2.0pt}2$ .

3.5. Dictionaries

A dictionary is a possibly partial mapping from some domain into some co-domain in much the same manner as a regular function. Unlike functions however, with dictionaries the total set of pairings are necessarily enumerable, and we represent them in some data structure as the set of all $\mathopen{}\mathclose{{}\left(key\mapsto value}\right)$ pairs. (In such data-defined mappings, it is common to name the values within the domain a key and the values within the co-domain a value, hence the naming.)

Thus, we define the formalism $\mathopen{}\mathclose{{}\left\langlebar\mathrm{K}\to\mathrm{V}}\right\ranglebar$ to denote a dictionary which maps from the domain $\mathrm{K}$ to the range $\mathrm{V}$ . It is a subset of the power set of pairs $\!\mathopen{}\mathclose{{}\left\lgroup K,V}\right\rgroup\!$ :

(3.3)

\mathopen{}\mathclose{{}\left\langlebar\mathrm{K}\to\mathrm{V}}\right% \ranglebar\subset\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}% \mathclose{{}\left[\,\!\mathopen{}\mathclose{{}\left\lgroup\mathrm{K},\mathrm{% V}}\right\rgroup\!\,}\right]\mkern-5.0mu}\right\}

The subset is caused by a constraint that a dictionary’s members must associate at most one unique value for any given key $k$ :

(3.4)

\forall\mathrm{K},\mathrm{V},\mathbf{d}\in\mathopen{}\mathclose{{}\left% \langlebar\mathrm{K}\to\mathrm{V}}\right\ranglebar:\forall\mathopen{}% \mathclose{{}\left(k,v}\right)\in\mathbf{d}:\exists!v^{\prime}:\mathopen{}% \mathclose{{}\left(k,v^{\prime}}\right)\in\mathbf{d}

In the context of a dictionary we denote the pairs with a mapping notation:

(3.5)		$\displaystyle\mathopen{}\mathclose{{}\left\langlebar\mathrm{K}\to\mathrm{V}}% \right\ranglebar\equiv\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}% \mathclose{{}\left[\,\!\mathopen{}\mathclose{{}\left\lgroup\mathrm{K}\to% \mathrm{V}}\right\rgroup\!\,}\right]\mkern-5.0mu}\right\}$
(3.6)		$\displaystyle\mathbf{p}\in\!\mathopen{}\mathclose{{}\left\lgroup\mathrm{K}\to% \mathrm{V}}\right\rgroup\!\Leftrightarrow\exists k\in\mathrm{K},v\in\mathrm{V}% ,\mathbf{p}\equiv\mathopen{}\mathclose{{}\left(k\mapsto v}\right)$

This assertion allows us to unambiguously define the subscript and subtraction operator for a dictionary $d$ :

(3.7)		$\displaystyle\forall\mathrm{K},\mathrm{V},\mathbf{d}\in\mathopen{}\mathclose{{% }\left\langlebar\mathrm{K}\to\mathrm{V}}\right\ranglebar:\mathbf{d}\mathopen{}% \mathclose{{}\left[k}\right]\equiv\begin{cases}v&\text{if}\ \exists k:% \mathopen{}\mathclose{{}\left(k\mapsto v}\right)\in\mathbf{d}\\ \emptyset&\text{otherwise}\end{cases}$
(3.8)		$\displaystyle\begin{aligned} &\forall\mathrm{K},\mathrm{V},\mathbf{d}\in% \mathopen{}\mathclose{{}\left\langlebar\mathrm{K}\to\mathrm{V}}\right% \ranglebar,\mathbf{s}\subseteq K:\\ &\quad\mathbf{d}\setminus\mathbf{s}\equiv\mathopen{}\mathclose{{}\left\{\,% \mathopen{}\mathclose{{}\left(k\mapsto v}\right):\mathopen{}\mathclose{{}\left% (k\mapsto v}\right)\in\mathbf{d},k\not\in\mathbf{s}\,}\right\}\end{aligned}$

Note that when using a subscript, it is an implicit assertion that the key exists in the dictionary. Should the key not exist, the result is undefined and any block which relies on it must be considered invalid.

To denote the active domain (i.e. set of keys) of a dictionary $\mathbf{d}\in\mathopen{}\mathclose{{}\left\langlebar K\to V}\right\ranglebar$ , we use $\mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{d}}\right)\subseteq K$ and for the range (i.e. set of values), $\mathcal{V}\mathopen{}\mathclose{{}\left(\mathbf{d}}\right)\subseteq V$ . Formally:

(3.9)		$\displaystyle\forall\mathrm{K},\mathrm{V},\mathbf{d}\in\mathopen{}\mathclose{{% }\left\langlebar\mathrm{K}\to\mathrm{V}}\right\ranglebar:\mathcal{K}\mathopen{% }\mathclose{{}\left(\mathbf{d}}\right)$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left\{\,k\;\middle\|\;\exists v:% \mathopen{}\mathclose{{}\left(k\mapsto v}\right)\in\mathbf{d}\,}\right\}$
(3.10)		$\displaystyle\forall\mathrm{K},\mathrm{V},\mathbf{d}\in\mathopen{}\mathclose{{% }\left\langlebar\mathrm{K}\to\mathrm{V}}\right\ranglebar:\mathcal{V}\mathopen{% }\mathclose{{}\left(\mathbf{d}}\right)$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left\{\,v\;\middle\|\;\exists k:% \mathopen{}\mathclose{{}\left(k\mapsto v}\right)\in\mathbf{d}\,}\right\}$

Note that since the co-domain of $\mathcal{V}\mathopen{}\mathclose{{}\left(}\right)$ is a set, should different keys with equal values appear in the dictionary, the set will only contain one such value.

Dictionaries may be combined through the union operator $\cup$ , which priorities the right-side operand in the case of a key-collision:

(3.11)

\forall\mathbf{d}\in\mathrm{K},\mathrm{V},\mathopen{}\mathclose{{}\left(% \mathbf{d},\mathbf{e}}\right)\in\mathopen{}\mathclose{{}\left\langlebar\mathrm% {K}\to\mathrm{V}}\right\ranglebar^{2}:\mathbf{d}\cup\mathbf{e}\equiv(\mathbf{d% }\setminus\mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{e}}\right))\cup% \mathbf{e}

3.6. Tuples

Tuples are groups of values where each item may belong to a different set. They are denoted with parentheses, e.g. the tuple $t$ of the naturals $3$ and $5$ is denoted $t=\mathopen{}\mathclose{{}\left(3,5}\right)$ , and it exists in the set of natural pairs sometimes denoted $\mathbb{N}\times\mathbb{N}$ , but denoted in the present work as $\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{N},\mathbb{N}}\right\rgroup\!$ .

We have frequent need to refer to a specific item within a tuple value and as such find it convenient to declare a name for each item. E.g. we may denote a tuple with two named natural components $a$ and $b$ as $T=\!\mathopen{}\mathclose{{}\left\lgroup a\in\mathbb{N},\,b\in\mathbb{N}}% \right\rgroup\!$ . We would denote an item $t\in T$ through subscripting its name, thus for some $t=\mathopen{}\mathclose{{}\left(a\mathrel{\mathop{:}}3,\,b\mathrel{\mathop{:}}% 5}\right)$ , $t_{a}=3$ and $t_{b}=5$ .

3.7. Sequences

A sequence is a series of elements with particular ordering not dependent on their values. The set of sequences of elements all of which are drawn from some set $T$ is denoted $\mathopen{}\mathclose{{}\left\lsem T}\right\rsem$ , and it defines a partial mapping $\mathbb{N}\to T$ . The set of sequences containing exactly $n$ elements each a member of the set $T$ may be denoted $\mathopen{}\mathclose{{}\left\lsem T}\right\rsem_{n}$ and accordingly defines a complete mapping $\mathbb{N}_{n}\to T$ . Similarly, sets of sequences of at most $n$ elements and at least $n$ elements may be denoted $\mathopen{}\mathclose{{}\left\lsem T}\right\rsem_{:n}$ and $\mathopen{}\mathclose{{}\left\lsem T}\right\rsem_{n:}$ respectively. Finally, the set of sequences with length in set $N$ may be denoted $\mathopen{}\mathclose{{}\left\lsem T}\right\rsem_{N}$ .

Sequences are subscriptable, thus a specific item at index $i$ within a sequence $\mathbf{s}$ may be denoted $\mathbf{s}\mathopen{}\mathclose{{}\left[i}\right]$ , or where unambiguous, $\mathbf{s}_{i}$ . A range may be denoted using an ellipsis for example: $\mathopen{}\mathclose{{}\left[0,1,2,3}\right]_{\dots 2}=\mathopen{}\mathclose{% {}\left[0,1}\right]$ and $\mathopen{}\mathclose{{}\left[0,1,2,3}\right]_{1\dots+2}=\mathopen{}\mathclose% {{}\left[1,2}\right]$ . The length of such a sequence may be denoted $\mathopen{}\mathclose{{}\left|\mathbf{s}}\right|$ .

We denote modulo subscription as ${\mathbf{s}\mathopen{}\mathclose{{}\left[i}\right]}^{\circlearrowleft}\equiv% \mathbf{s}[\,i\ \text{\scriptsize{\%}}\ \mathopen{}\mathclose{{}\left|\mathbf{% s}}\right|\,]$ . We denote the final element $x$ of a sequence $\mathbf{s}=\mathopen{}\mathclose{{}\left[...,x}\right]$ through the function $\text{last}(\mathbf{s})\equiv x$ .

3.7.1. Construction

We may wish to define a sequence in terms of incremental subscripts of other values: $\mathopen{}\mathclose{{}\left[\mathbf{x}_{0},\mathbf{x}_{1},\dots}\right]_{% \dots n}$ denotes a sequence of $n$ values beginning $\mathbf{x}_{0}$ continuing up to $\mathbf{x}_{n-1}$ . Furthermore, we may also wish to define a sequence as elements each of which are a function of their index $i$ ; in this case we denote $\mathopen{}\mathclose{{}\left[f(i)\;\middle|\;i\mathrel{\mathrlap{<}{\scalebox% {0.95}[1.0]{$-$}}}\mathbb{N}_{n}}\right]\equiv\mathopen{}\mathclose{{}\left[f(% 0),f(1),\dots,f(n-1)}\right]$ . Thus, when the ordering of elements matters we use $\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}$ rather than the unordered notation $\in$ . The latter may also be written in short form $\mathopen{}\mathclose{{}\left[f(i\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-% $}}}\mathbb{N}_{n})}\right]$ . This applies to any set which has an unambiguous ordering, particularly sequences, thus $\mathopen{}\mathclose{{}\left[i^{2}\;\middle|\;i\mathrel{\mathrlap{<}{% \scalebox{0.95}[1.0]{$-$}}}\mathopen{}\mathclose{{}\left[1,2,3}\right]}\right]% =\mathopen{}\mathclose{{}\left[1,4,9}\right]$ . Multiple sequences may be combined, thus $\mathopen{}\mathclose{{}\left[i\cdot j\;\middle|\;i\mathrel{\mathrlap{<}{% \scalebox{0.95}[1.0]{$-$}}}\mathopen{}\mathclose{{}\left[1,2,3}\right],j% \mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathopen{}\mathclose{{}\left% [2,3,4}\right]}\right]=\mathopen{}\mathclose{{}\left[2,6,12}\right]$ .

As with sets, we use explicit notation $f^{\#}$ to denote a function mapping over all items of a sequence.

Sequences may be constructed from sets or other sequences whose order should be ignored through sequence ordering notation $\mathopen{}\mathclose{{}\left[i\in X\,\middle\lwavy\,f(i)}\right]$ , which is defined to result in the set or sequence of its argument except that all elements $i$ are placed in ascending order of the corresponding value $f(i)$ .

The key component may be elided in which case it is assumed to be ordered by the elements directly; i.e. $\mathopen{}\mathclose{{}\left[i\in X}\right]\equiv\mathopen{}\mathclose{{}% \left[i\in X\,\middle\lwavy\,i}\right]$ . $\mathopen{}\mathclose{{}\left[i\in X\,\middle\lWavy\,i}\right]$ does the same, but excludes any duplicate values of $i$ . E.g. assuming $\mathbf{s}=\mathopen{}\mathclose{{}\left[1,3,2,3}\right]$ , then $\mathopen{}\mathclose{{}\left[i\in\mathbf{s}\,\middle\lWavy\,i}\right]=% \mathopen{}\mathclose{{}\left[1,2,3}\right]$ and $\mathopen{}\mathclose{{}\left[i\in\mathbf{s}\,\middle\lwavy\,-i}\right]=% \mathopen{}\mathclose{{}\left[3,3,2,1}\right]$ .

Sets may be constructed from sequences with the regular set construction syntax, e.g. assuming $\mathbf{s}=\mathopen{}\mathclose{{}\left[1,2,3,1}\right]$ , then $\mathopen{}\mathclose{{}\left\{\,a\;\middle|\;a\in\mathbf{s}\,}\right\}$ would be equivalent to $\mathopen{}\mathclose{{}\left\{\,1,2,3\,}\right\}$ .

Sequences of values which themselves have a defined ordering have an implied ordering akin to a regular dictionary, thus $\mathopen{}\mathclose{{}\left[1,2,3}\right]<\mathopen{}\mathclose{{}\left[1,2,% 4}\right]$ and $\mathopen{}\mathclose{{}\left[1,2,3}\right]<\mathopen{}\mathclose{{}\left[1,2,% 3,1}\right]$ .

3.7.2. Editing

We define the sequence concatenation operator $\frown$ such that $\mathopen{}\mathclose{{}\left[\mathbf{x}_{0},\mathbf{x}_{1},\dots,\mathbf{y}_{% 0},\mathbf{y}_{1},\dots}\right]\equiv\mathbf{x}\frown\mathbf{y}$ . For sequences of sequences, we define a unary concatenate-all operator: $\wideparen{\mathbf{x}}\equiv\mathbf{x}_{0}\frown\mathbf{x}_{1}\frown\dots$ . Further, we denote element concatenation as $x\mathrel{\hbox to0.0pt{\hbox to7.0pt{\hfill\vrule height=5.0pt,depth=0.0pt,wi% dth=0.6pt\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill}}\vbox to5.0% pt{\vfill\hrule height=0.6pt,depth=0.0pt,width=7.0pt\vfill}}i\equiv x\frown% \mathopen{}\mathclose{{}\left[i}\right]$ . We denote the sequence made up of the first $n$ elements of sequence $\mathbf{s}$ to be ${\overrightarrow{\mathbf{s}}}^{n}\equiv\mathopen{}\mathclose{{}\left[\mathbf{s% }_{0},\mathbf{s}_{1},\dots,\mathbf{s}_{n-1}}\right]$ , and only the final elements as ${\overleftarrow{\mathbf{s}}}^{n}$ .

We define ${}^{\text{T}}\mathbf{x}$ as the transposition of the sequence-of-sequences $\mathbf{x}$ , fully defined in equation H.4. We may also apply this to sequences-of-tuples to yield a tuple of sequences.

We denote sequence subtraction with a slight modification of the set subtraction operator; specifically, some sequence $\mathbf{s}$ excepting the left-most element equal to $v$ would be denoted $\mathbf{s}\nwspoon\mathopen{}\mathclose{{}\left\{\,v\,}\right\}$ .

3.7.3. Boolean values

$\mathbb{b}_{s}$ denotes the set of Boolean strings of length $s$ , thus $\mathbb{b}_{s}=\mathopen{}\mathclose{{}\left\lsem{\mathopen{}\mathclose{{}% \left\{\,\bot,\top\,}\right\}}}\right\rsem_{s}$ . When dealing with Boolean values we may assume an implicit equivalence mapping to a bit whereby $\top=1$ and $\bot=0$ , thus $\mathbb{b}_{\Box}=\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{2}}\right\rsem% _{\Box}$ . We use the function $\text{bits}(\mathbb{B})\in\mathbb{b}$ to denote the sequence of bits, ordered with the most significant first, which represent the octet sequence $\mathbb{B}$ , thus $\text{bits}(\mathopen{}\mathclose{{}\left[160,0}\right])=\mathopen{}\mathclose% {{}\left[1,0,1,0,0,\dots}\right]$ .

The unary-not operator applies to both boolean values and sequences of boolean values, thus $\neg\top=\bot$ and $\neg\mathopen{}\mathclose{{}\left[\top,\bot}\right]=\mathopen{}\mathclose{{}% \left[\bot,\top}\right]$ .

3.7.4. Octets and Blobs

$\mathbb{B}$ denotes the set of octet strings (“blobs”) of arbitrary length. As might be expected, $\mathbb{B}_{x}$ denotes the set of such sequences of length $x$ . $\mathbb{B}_{\$}$ denotes the subset of $\mathbb{B}$ which are ascii-encoded strings. Note that while an octet has an implicit and obvious bijective relationship with natural numbers less than 256, and we may implicitly coerce between octet form and natural number form, we do not treat them as exactly equivalent entities. In particular for the purpose of serialization, an octet is always serialized to itself, whereas a natural number may be serialized as a sequence of potentially several octets, depending on its magnitude and the encoding variant.

3.7.5. Shuffling

We define the sequence-shuffle function $\mathcal{F}$ , originally introduced by [13], with an efficient in-place algorithm described by [35]. This accepts a sequence and some entropy and returns a sequence of the same length with the same elements but in an order determined by the entropy. The entropy may be provided as either an indefinite sequence of naturals or a hash. For a full definition see appendix F.

3.8. Cryptography

3.8.1. Hashing

$\mathbb{H}$ denotes the set of 256-bit values equivalent to $\mathbb{B}_{32}$ . All hash functions in the present work output to this type and $\mathbb{H}_{0}$ is the value equal to $\mathopen{}\mathclose{{}\left[0}\right]_{32}$ . We assume a function $\mathcal{H}\mathopen{}\mathclose{{}\left(m\in\mathbb{B}}\right)\in\mathbb{H}$ denoting the Blake2b 256-bit hash introduced by [27] and a function $\mathcal{H}_{K}\mathopen{}\mathclose{{}\left(m\in\mathbb{B}}\right)\in\mathbb{H}$ denoting the Keccak 256-bit hash as proposed by [1] and utilized by [36].

The inputs of a hash function should be expected to be passed through our serialization codec $\mathcal{E}$ to yield an octet sequence to which the cryptography may be applied. (Note that an octet sequence conveniently yields an identity transform.) We may wish to interpret a sequence of octets as some other kind of value with the assumed decoder function $\mathcal{E}^{-1}\mathopen{}\mathclose{{}\left(x\in\mathbb{B}}\right)$ . In both cases, we may subscript the transformation function with the number of octets we expect the octet sequence term to have. Thus, $r=\mathcal{E}_{4}(x\in\mathbb{N})$ would assert $x\in\mathbb{N}_{2^{32}}$ and $r\in\mathbb{B}_{4}$ , whereas $s=\mathcal{E}^{-1}_{8}\mathopen{}\mathclose{{}\left(y\in\mathbb{B}}\right)$ would assert $y\in\mathbb{B}_{8}$ and $s\in\mathbb{N}_{2^{64}}$ .

3.8.2. Signing Schemes

$\bar{\mathbb{V}}_{k}\mathopen{}\mathclose{{}\left\langle m\in\mathbb{B}}\right% \rangle\subset\mathbb{B}_{64}$ is the set of valid Ed25519 signatures, defined by [20], made through knowledge of a secret key whose public key counterpart is $k\in\mathbb{H}$ and whose message is $m$ . To aid readability, we denote the set of valid public keys $\bar{\mathbb{H}}$ .

We denote the set of valid Bandersnatch public keys as $\accentset{\backsim}{\mathbb{H}}$ , defined in appendix G. $\accentset{\backsim}{\mathbb{V}}_{k\in\accentset{\backsim}{\mathbb{H}}}^{m\in% \mathbb{B}}\mathopen{}\mathclose{{}\left\langle x\in\mathbb{B}}\right\rangle% \subset\mathbb{B}_{96}$ is the set of valid singly-contextualized vrf signatures utilizing the secret counterpart to the public key $k$ , some context $x$ and message $m$ .

$\accentset{\circ}{\mathbb{V}}_{r\in\accentset{\circ}{\mathbb{B}}}^{m\in\mathbb% {B}}\mathopen{}\mathclose{{}\left\langle x\in\mathbb{B}}\right\rangle\subset% \mathbb{B}_{784}$ , meanwhile, is the set of valid Bandersnatch Ringvrf deterministic singly-contextualized proofs of knowledge of a secret within some sequence of public keys identified by a root in the set of valid roots $\accentset{\circ}{\mathbb{B}}\subset\mathbb{B}_{144}$ . We denote $\mathcal{O}\mathopen{}\mathclose{{}\left(\mathbf{s}\in\mathopen{}\mathclose{{}% \left\lsem\accentset{\backsim}{\mathbb{H}}}\right\rsem}\right)\in\accentset{% \circ}{\mathbb{B}}$ to be the root specific to the sequence of public key counterparts $\mathbf{s}$ . A root implies a specific sequence of Bandersnatch key pairs, knowledge of one of the secrets would imply being capable of making a unique, valid—and anonymous—proof of knowledge of a unique secret within the sequence.

Both the Bandersnatch signature and Ringvrf proof strictly imply that a member utilized their secret key in combination with both the context $x$ and the message $m$ ; the difference is that the member is identified in the former and is anonymous in the latter. Furthermore, both define a vrf output, a high entropy hash influenced by $x$ but not by $m$ , formally denoted $\mathcal{Y}\mathopen{}\mathclose{{}\left(\accentset{\circ}{\mathbb{V}}_{r}^{m}% \mathopen{}\mathclose{{}\left\langle x}\right\rangle}\right)\in\mathbb{H}$ and $\mathcal{Y}\mathopen{}\mathclose{{}\left(\accentset{\backsim}{\mathbb{V}}_{k}^% {m}\mathopen{}\mathclose{{}\left\langle x}\right\rangle}\right)\in\mathbb{H}$ .

We use $\accentset{\mathrm{B\!L\!S}}{\mathbb{B}}\subset\mathbb{B}_{144}$ to denote the set of public keys for the bls signature scheme, described by [3], on curve bls12-381 defined by [17]. We correspondingly use the notation $\accentset{\mathrm{B\!L\!S}}{\mathbb{V}}_{k}\mathopen{}\mathclose{{}\left% \langle m}\right\rangle$ to denote the set of valid bls signatures for public key $k\in\accentset{\mathrm{B\!L\!S}}{\mathbb{B}}$ and message $m\in\mathbb{B}$ .

We define the signature functions for creating valid signatures; $\bar{\mathcal{S}}_{k}\mathopen{}\mathclose{{}\left(m}\right)\in\bar{\mathbb{V}% }_{k}\mathopen{}\mathclose{{}\left\langle m}\right\rangle$ , $\accentset{\mathrm{B\!L\!S}}{\mathcal{S}}_{k}\mathopen{}\mathclose{{}\left(m}% \right)\in\accentset{\mathrm{B\!L\!S}}{\mathbb{V}}_{k}\mathopen{}\mathclose{{}% \left\langle m}\right\rangle$ . We assert that the ability to compute a result for this function relies on knowledge of a secret key.

4. Overview

As in the Yellow Paper, we begin our formalisms by recalling that a blockchain may be defined as a pairing of some initial state together with a block-level state-transition function. The latter defines the posterior state given a pairing of some prior state and a block of data applied to it. Formally, we say:

(4.1)

\displaystyle\sigma^{\prime}\equiv\Upsilon(\sigma,\mathbf{B})

Where $\sigma$ is the prior state, $\sigma^{\prime}$ is the posterior state, $B$ is some valid block and $\Upsilon$ is our block-level state-transition function.

Broadly speaking, Jam (and indeed blockchains in general) may be defined simply by specifying $\Upsilon$ and some genesis state $\sigma^{0}$ .⁷⁷ 7 Practically speaking, blockchains sometimes make assumptions of some fraction of participants whose behavior is simply honest, and not provably incorrect nor otherwise economically disincentivized. While the assumption may be reasonable, it must nevertheless be stated apart from the rules of state-transition. We also make several additional assumptions of agreed knowledge: a universally known clock, and the practical means of sharing data with other systems operating under the same consensus rules. The latter two were both assumptions silently made in the YP.

4.1. The Block

To aid comprehension and definition of our protocol, we partition as many of our terms as possible into their functional components. We begin with the block $\mathbf{B}$ which may be restated as the header $\mathbf{H}$ and some input data external to the system and thus said to be extrinsic, $\mathbf{E}$ :

(4.2)		$\displaystyle\mathbf{B}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left(\mathbf{H},\mathbf{E}}\right)$
(4.3)		$\displaystyle\mathbf{E}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left(\mathbf{E}_{T},\mathbf{E}_{D}% ,\mathbf{E}_{P},\mathbf{E}_{A},\mathbf{E}_{G}}\right)$

The header is a collection of metadata primarily concerned with cryptographic references to the blockchain ancestors and the operands and result of the present transition. As an immutable known a priori, it is assumed to be available throughout the functional components of block transition. The extrinsic data is split into its several portions:

tickets:: Tickets, used for the mechanism which manages the selection of validators for the permissioning of block authoring. This component is denoted $\mathbf{E}_{T}$ .
preimages:: Static data which is presently being requested to be available for workloads to be able to fetch on demand. This is denoted $\mathbf{E}_{P}$ .
reports:: Reports of newly completed workloads whose accuracy is guaranteed by specific validators. This is denoted $\mathbf{E}_{G}$ .
availability:: Assurances by each validator concerning which of the input data of workloads they have correctly received and are storing locally. This is denoted $\mathbf{E}_{A}$ .
disputes:: Information relating to disputes between validators over the validity of reports. This is denoted $\mathbf{E}_{D}$ .

4.2. The State

Our state may be logically partitioned into several largely independent segments which can both help avoid visual clutter within our protocol description and provide formality over elements of computation which may be simultaneously calculated (i.e. parallelized). We therefore pronounce an equivalence between $\sigma$ (some complete state) and a tuple of partitioned segments of that state:

(4.4)

\displaystyle\sigma

\displaystyle\equiv\mathopen{}\mathclose{{}\left(\alpha,\beta,\theta,\gamma,% \delta,\eta,\iota,\kappa,\lambda,\rho,\tau,\phi,\chi,\psi,\pi,\omega,\xi}\right)

In summary, $\delta$ is the portion of state dealing with services, analogous in Jam to the Yellow Paper’s (smart contract) accounts, the only state of the YP’s Ethereum. The identities of services which hold some privileged status are tracked in $\chi$ .

Validators, who are the set of economic actors uniquely privileged to help build and maintain the Jam chain, are identified within $\kappa$ , archived in $\lambda$ and enqueued from $\iota$ . All other state concerning the determination of these keys is held within $\gamma$ . Note this is a departure from the YP proof-of-work definitions which were mostly stateless, and this set was not enumerated but rather limited to those with sufficient compute power to find a partial hash-collision in the sha2-256 cryptographic hash function. An on-chain entropy pool is retained in $\eta$ .

Our state also tracks two aspects of each core: $\alpha$ , the authorization requirement which work done on that core must satisfy at the time of being reported on-chain, together with the queue which fills this, $\phi$ ; and $\rho$ , each of the cores’ currently assigned work-report guarantees, the availability of whose work-package must yet be assured by a super-majority of validators.

Finally, details of the most recent blocks and timeslot index are tracked in $\beta_{H}$ and $\tau$ respectively, work-reports which are ready to be accumulated and work-packages which were recently accumulated are tracked in $\omega$ and $\xi$ respectively and, judgments are tracked in $\psi$ and validator statistics are tracked in $\pi$ .

4.2.1. State Transition Dependency Graph

Much as in the YP, we specify $\Upsilon$ as the implication of formulating all items of posterior state in terms of the prior state and block. To aid the architecting of implementations which parallelize this computation, we minimize the depth of the dependency graph where possible. The overall dependency graph is specified here:

(4.5)	$\displaystyle\tau^{\prime}$	$\displaystyle\prec\mathbf{H}$
(4.6)	$\displaystyle\beta_{H}^{\dagger}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{H},\beta_{H}}\right)$
(4.7)	$\displaystyle\gamma^{\prime}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{H},\tau,\mathbf{E}_{T}% ,\gamma,\iota,\eta^{\prime},\kappa^{\prime},\psi^{\prime}}\right)$
(4.8)	$\displaystyle\eta^{\prime}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{H},\tau,\eta}\right)$
(4.9)	$\displaystyle\kappa^{\prime}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{H},\tau,\kappa,\gamma}\right)$
(4.10)	$\displaystyle\lambda^{\prime}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{H},\tau,\lambda,\kappa% }\right)$
(4.11)	$\displaystyle\psi^{\prime}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{E}_{D},\psi}\right)$
(4.12)	$\displaystyle\rho^{\dagger}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{E}_{D},\rho}\right)$
(4.13)	$\displaystyle\rho^{\ddagger}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{E}_{A},\rho^{\dagger}}\right)$
(4.14)	$\displaystyle\rho^{\prime}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{E}_{G},\rho^{\ddagger}% ,\kappa,\tau^{\prime}}\right)$
(4.15)	$\displaystyle\mathbf{R}^{*}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{E}_{A},\rho^{\dagger}}\right)$
(4.16)	$\displaystyle\mathopen{}\mathclose{{}\left(\omega^{\prime},\xi^{\prime},\delta% ^{\ddagger},\chi^{\prime},\iota^{\prime},\phi^{\prime},\theta^{\prime},\mathbf% {S}}\right)$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{R}^{*},\omega,\xi,% \delta,\chi,\iota,\phi,\tau,\tau^{\prime}}\right)$
(4.17)	$\displaystyle\beta_{H}^{\prime}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{H},\mathbf{E}_{G},% \beta_{H}^{\dagger},\theta^{\prime}}\right)$
(4.18)	$\displaystyle\delta^{\prime}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{E}_{P},\delta^{% \ddagger},\tau^{\prime}}\right)$
(4.19)	$\displaystyle\alpha^{\prime}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{H},\mathbf{E}_{G},\phi% ^{\prime},\alpha}\right)$
(4.20)	$\displaystyle\pi^{\prime}$	$\displaystyle\prec\mathopen{}\mathclose{{}\left(\mathbf{E}_{G},\mathbf{E}_{P},% \mathbf{E}_{A},\mathbf{E}_{T},\tau,\kappa^{\prime},\pi,\mathbf{H},\mathbf{S}}% \right)\!\!\!\!\!\!\!\!$

The only synchronous entanglements are visible through the intermediate components superscripted with a dagger and defined in equations 4.6, 4.12, 4.13, 4.14, 4.16, 4.17 and 4.18. The latter two mark a merge and join in the dependency graph and, concretely, imply that the availability extrinsic may be fully processed and accumulation of work happen before the preimage lookup extrinsic is folded into state.

4.3. Which History?

A blockchain is a sequence of blocks, each cryptographically referencing some prior block by including a hash of its header, all the way back to some first block which references the genesis header. We already presume consensus over this genesis header $\mathbf{H}^{0}$ and the state it represents already defined as $\sigma^{0}$ .

By defining a deterministic function for deriving a single posterior state for any (valid) combination of prior state and block, we are able to define a unique canonical state for any given block. We generally call the block with the most ancestors the head and its state the head state.

It is generally possible for two blocks to be valid and yet reference the same prior block in what is known as a fork. This implies the possibility of two different heads, each with their own state. While we know of no way to strictly preclude this possibility, for the system to be useful we must nonetheless attempt to minimize it. We therefore strive to ensure that:

(1)

It be generally unlikely for two heads to form.
(2)

When two heads do form they be quickly resolved into a single head.
(3)

It be possible to identify a block not much older than the head which we can be extremely confident will form part of the blockchain’s history in perpetuity. When a block becomes identified as such we call it finalized and this property naturally extends to all of its ancestor blocks.

These goals are achieved through a combination of two consensus mechanisms: Safrole, which governs the (not-necessarily forkless) extension of the blockchain; and Grandpa, which governs the finalization of some extension into canonical history. Thus, the former delivers point 1, the latter delivers point 3 and both are important for delivering point 2. We describe these portions of the protocol in detail in sections 6 and 19 respectively.

While Safrole limits forks to a large extent (through cryptography, economics and common-time, below), there may be times when we wish to intentionally fork since we have come to know that a particular chain extension must be reverted. In regular operation this should never happen, however we cannot discount the possibility of malicious or malfunctioning nodes. We therefore define such an extension as any which contains a block in which data is reported which any other block’s state has tagged as invalid (see section 10 on how this is done). We further require that Grandpa not finalize any extension which contains such a block. See section 19 for more information here.

4.4. Time

We presume a pre-existing consensus over time specifically for block production and import. While this was not an assumption of Polkadot, pragmatic and resilient solutions exist including the ntp protocol and network. We utilize this assumption in only one way: we require that blocks be considered temporarily invalid if their timeslot is in the future. This is specified in detail in section 6.

Formally, we define the time in terms of seconds passed since the beginning of the Jam Common Era, 1200 utc on January 1, 2025.⁸⁸ 8 1,735,732,800 seconds after the Unix Epoch. Midday utc is selected to ensure that all major timezones are on the same date at any exact 24-hour multiple from the beginning of the common era. Formally, this value is denoted $\mathcal{T}$ .

4.5. Best block

Given the recognition of a number of valid blocks, it is necessary to determine which should be treated as the “best” block, by which we mean the most recent block we believe will ultimately be within of all future Jam chains. The simplest and least risky means of doing this would be to inspect the Grandpa finality mechanism which is able to provide a block for which there is a very high degree of confidence it will remain an ancestor to any future chain head.

However, in reducing the risk of the resulting block ultimately not being within the canonical chain, Grandpa will typically return a block some small period older than the most recently authored block. (Existing deployments suggest around 1-2 blocks in the past under regular operation.) There are often circumstances when we may wish to have less latency at the risk of the returned block not ultimately forming a part of the future canonical chain. E.g. we may be in a position of being able to author a block, and we need to decide what its parent should be. Alternatively, we may care to speculate about the most recent state for the purpose of providing information to a downstream application reliant on the state of Jam.

In these cases, we define the best block as the head of the best chain, itself defined in section 19.

4.6. Economics

The present work describes a crypto-economic system, i.e. one combining elements of both cryptography and economics and game theory to deliver a self-sovereign digital service. In order to codify and manipulate economic incentives we define a token which is native to the system, which we will simply call tokens in the present work.

A value of tokens is generally referred to as a balance, and such a value is said to be a member of the set of balances, $\mathbb{N}_{B}$ , which is exactly equivalent to the set of naturals less than $2^{64}$ (i.e. 64-bit unsigned integers in coding parlance). Formally:

(4.21)

\displaystyle\mathbb{N}_{B}\equiv\mathbb{N}_{2^{64}}

Though unimportant for the present work, we presume that there be a standard named denomination for $10^{9}$ tokens. This is different to both Ethereum (which uses a denomination of $10^{18}$ ), Polkadot (which uses a denomination of $10^{10}$ ) and Polkadot’s experimental cousin Kusama (which uses $10^{12}$ ).

The fact that balances are constrained to being less than $2^{64}$ implies that there may never be more than around $18\times 10^{9}$ tokens (each divisible into portions of $10^{-9}$ ) within Jam. We would expect that the total number of tokens ever issued will be a substantially smaller amount than this.

We further presume that a number of constant prices stated in terms of tokens are known. However we leave the specific values to be determined in following work:

$\mathsf{B}_{I}$ :: the additional minimum balance implied for a single item within a mapping.
$\mathsf{B}_{L}$ :: the additional minimum balance implied for a single octet of data within a mapping.
$\mathsf{B}_{S}$ :: the minimum balance implied for a service.

4.7. The Virtual Machine and Gas

In the present work, we presume the definition of a Polkadot Virtual Machine (pvm). This virtual machine is based around the risc-v instruction set architecture, specifically the rv64em variant, and is the basis for introducing permissionless logic into our state-transition function.

The pvm is comparable to the evm defined in the Yellow Paper, but somewhat simpler: the complex instructions for cryptographic operations are missing as are those which deal with environmental interactions. Overall it is far less opinionated since it alters a pre-existing general purpose design, risc-v, and optimizes it for our needs. This gives us excellent pre-existing tooling, since pvm remains essentially compatible with risc-v, including support from the compiler toolkit llvm and languages such as Rust and C++. Furthermore, the instruction set simplicity which risc-v and pvm share, together with the register size (64-bit), active number (13) and endianness (little) make it especially well-suited for creating efficient recompilers on to common hardware architectures.

The pvm is fully defined in appendix A, but for contextualization we will briefly summarize the basic invocation function $\Psi$ which computes the resultant state of a pvm instance initialized with some registers ( $\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13}$ ) and ram ( $\mathbb{M}$ ), within the limits of some amount of gas ( $\mathbb{N}_{G}$ ), a number of approximately time-proportional computational steps:

(4.22)

\Psi\colon\!\mathopen{}\mathclose{{}\left\lgroup\,\begin{aligned} &\mathbb{B},% \,\ \ &&\mathbb{N}_{R}\\ &\mathbb{N}_{G},\,\ \ &&{\mathopen{}\mathclose{{}\left\{\,\bot,\top\,}\right\}% }\\ &\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13},\,\ \ &&% \mathbb{M}\\ \end{aligned}\,}\right\rgroup\!\to\!\mathopen{}\mathclose{{}\left\lgroup\,% \begin{aligned} &\mathopen{}\mathclose{{}\left\{\,\blacksquare,\lightning,% \infty\,}\right\}\cup\mathopen{}\mathclose{{}\left\{\,\text{\raisebox{6.0pt}{% \rotatebox{180.0}{{F}}}},\hbar\,}\right\}\times\mathbb{N}_{R},\mathbb{N}_{R},% \\ &\mathbb{N}_{G},\ \ \ {\mathopen{}\mathclose{{}\left\{\,\bot,\top\,}\right\}},% \ \ \ \mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13},\ \ \ % \mathbb{M}\end{aligned}\,}\right\rgroup\!

We refer to the time-proportional computational steps as gas (much like in the YP) and limit it to a 64-bit quantity. Within the context of the pvm, $\varrho\in\mathbb{N}_{G}$ is typically used to denote gas, but we may also use $\varrho\in\mathbb{Z}_{G}$ internally within the definition of the pvm where it may be convenient.

(4.23)

\mathbb{Z}_{G}\equiv\mathbb{Z}_{-2^{63}\dots 2^{63}}\ ,\quad\mathbb{N}_{G}% \equiv\mathbb{N}_{2^{64}}\ ,\quad\mathbb{N}_{R}\equiv\mathbb{N}_{2^{64}}

It is left as a rather important implementation detail to ensure that the amount of time taken while computing the function $\Psi(\dots,\varrho,\dots)$ has a maximum computation time approximately proportional to the value of $\varrho$ regardless of other operands.

The pvm is a very simple risc register machine and as such has 13 registers, each of which is a 64-bit quantity, denoted as $\mathbb{N}_{R}$ , a natural less than $2^{64}$ .⁹⁹ 9 This is three fewer than risc-v’s 16, however the amount that program code output by compilers uses is 13 since two are reserved for operating system use and the third is fixed as zero Within the context of the pvm, $\varphi\in\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13}$ is typically used to denote the registers.

(4.24)		$\displaystyle\mathbb{M}$	$\displaystyle\equiv\!\mathopen{}\mathclose{{}\left\lgroup\mathbf{v}\in\mathbb{% B}_{2^{32}},\mathbf{a}\in\mathopen{}\mathclose{{}\left\lsem\mathopen{}% \mathclose{{}\left\{\,\text{W},\text{R},\emptyset\,}\right\}}\right\rsem_{p}}% \right\rgroup\!\,,\ p=\frac{2^{32}}{\mathsf{Z}_{P}}$
(4.25)		$\displaystyle\mathsf{Z}_{P}$	$\displaystyle=2^{12}$

The pvm assumes a simple pageable ram of 32-bit addressable octets situated in pages of $\mathsf{Z}_{P}=4096$ octets where each page may be either immutable, mutable or inaccessible. The ram definition $\mathbb{M}$ includes two components: a value $\mathbf{v}$ and access $\mathbf{a}$ . If the component is unspecified while being subscripted then the value component may be assumed. Within the context of the virtual machine, $\mu\in\mathbb{M}$ is typically used to denote ram.

(4.26)		$\displaystyle\mathbb{V}_{\mu}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left\{\,i\;\middle\|\;\mu_{\mathbf{% a}}\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left\lfloor\nicefrac% {{i}}{{\mathsf{Z}_{P}}}}\right\rfloor}\right]\neq\emptyset\,}\right\}$
(4.27)		$\displaystyle\mathbb{V}_{\mu}^{*}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left\{\,i\;\middle\|\;\mu_{\mathbf{% a}}\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left\lfloor\nicefrac% {{i}}{{\mathsf{Z}_{P}}}}\right\rfloor}\right]=\text{W}\,}\right\}$

We define two sets of indices for the ram $\mu$ : $\mathbb{V}_{\mu}$ is the set of indices which may be read from; and $\mathbb{V}_{\mu}^{*}$ is the set of indices which may be written to.

Invocation of the pvm has an exit-reason as the first item in the resultant tuple. It is either:

•

Regular program termination caused by an explicit halt instruction, $\blacksquare$ .
•

Irregular program termination caused by some exceptional circumstance, $\lightning$ .
•

Exhaustion of gas, $\infty$ .
•

A page fault (attempt to access some address in ram which is not accessible), F . This includes the address of the page at fault.
•

An attempt at progressing a host-call, $\hbar$ . This allows for the progression and integration of a context-dependent state-machine beyond the regular pvm.

The full definition follows in appendix A.

4.8. Epochs and Slots

Unlike the YP Ethereum with its proof-of-work consensus system, Jam defines a proof-of-authority consensus mechanism, with the authorized validators presumed to be identified by a set of public keys and decided by a staking mechanism residing within some system hosted by Jam. The staking system is out of scope for the present work; instead there is an api which may be utilized to update these keys, and we presume that whatever logic is needed for the staking system will be introduced and utilize this api as needed.

The Safrole mechanism subdivides time following genesis into fixed length epochs with each epoch divided into $\mathsf{E}=600$ timeslots each of uniform length $\mathsf{P}=6$ seconds, given an epoch period of $\mathsf{E}\cdot\mathsf{P}=3600$ seconds or one hour.

This six-second slot period represents the minimum time between Jam blocks, and through Safrole we aim to strictly minimize forks arising both due to contention within a slot (where two valid blocks may be produced within the same six-second period) and due to contention over multiple slots (where two valid blocks are produced in different time slots but with the same parent).

Formally when identifying a timeslot index, we use a natural less than $2^{32}$ (in compute parlance, a 32-bit unsigned integer) indicating the number of six-second timeslots from the Jam Common Era. For use in this context we introduce the set $\mathbb{N}_{T}$ :

(4.28)

\displaystyle\mathbb{N}_{T}\equiv\mathbb{N}_{2^{32}}

This implies that the lifespan of the proposed protocol takes us to mid-August of the year 2840, which with the current course that humanity is on should be ample.

4.9. The Core Model and Services

Whereas in the Ethereum Yellow Paper when defining the state machine which is held in consensus amongst all network participants, we presume that all machines maintaining the full network state and contributing to its enlargement—or, at least, hoping to—evaluate all computation. This “everybody does everything” approach might be called the on-chain consensus model. It is unfortunately not scalable, since the network can only process as much logic in consensus that it could hope any individual node is capable of doing itself within any given period of time.

4.9.1. In-core Consensus

In the present work, we achieve scalability of the work done through introducing a second model for such computation which we call the in-core consensus model. In this model, and under normal circumstances, only a subset of the network is responsible for actually executing any given computation and assuring the availability of any input data it relies upon to others. By doing this and assuming a certain amount of computational parallelism within the validator nodes of the network, we are able to scale the amount of computation done in consensus commensurate with the size of the network, and not with the computational power of any single machine. In the present work we expect the network to be able to do upwards of 300 times the amount of computation in-core as that which could be performed by a single machine running the virtual machine at full speed.

Since in-core consensus is not evaluated or verified by all nodes on the network, we must find other ways to become adequately confident that the results of the computation are correct, and any data used in determining this is available for a practical period of time. We do this through a crypto-economic game of three stages called guaranteeing, assuring, auditing and, potentially, judging. Respectively, these attach a substantial economic cost to the invalidity of some proposed computation; then a sufficient degree of confidence that the inputs of the computation will be available for some period of time; and finally, a sufficient degree of confidence that the validity of the computation (and thus enforcement of the first guarantee) will be checked by some party who we can expect to be honest.

All execution done in-core must be reproducible by any node synchronized to the portion of the chain which has been finalized. Execution done in-core is therefore designed to be as stateless as possible. The requirements for doing it include only the refinement code of the service, the code of the authorizer and any preimage lookups it carried out during its execution.

When a work-report is presented on-chain, a specific block known as the lookup-anchor is identified. Correct behavior requires that this must be in the finalized chain and reasonably recent, both properties which may be proven and thus are acceptable for use within a consensus protocol.

We describe this pipeline in detail in the relevant sections later.

4.9.2. On Services and Accounts

In YP Ethereum, we have two kinds of accounts: contract accounts (whose actions are defined deterministically based on the account’s associated code and state) and simple accounts which act as gateways for data to arrive into the world state and are controlled by knowledge of some secret key. In Jam, all accounts are service accounts. Like Ethereum’s contract accounts, they have an associated balance, some code and state. Since they are not controlled by a secret key, they do not need a nonce.

The question then arises: how can external data be fed into the world state of Jam? And, by extension, how does overall payment happen if not by deducting the account balances of those who sign transactions? The answer to the first lies in the fact that our service definition actually includes multiple code entry-points, one concerning refinement and the other concerning accumulation. The former acts as a sort of high-performance stateless processor, able to accept arbitrary input data and distill it into some much smaller amount of output data, which together with some metadata is known as a digest. The latter code is more stateful, providing access to certain on-chain functionality including the possibility of transferring balance and invoking the execution of code in other services. Being stateful this might be said to more closely correspond to the code of an Ethereum contract account.

To understand how Jam breaks up its service code is to understand Jam’s fundamental proposition of generality and scalability. All data extrinsic to Jam is fed into the refinement code of some service. This code is not executed on-chain but rather is said to be executed in-core. Thus, whereas the accumulator code is subject to the same scalability constraints as Ethereum’s contract accounts, refinement code is executed off-chain and subject to no such constraints, enabling Jam services to scale dramatically both in the size of their inputs and in the complexity of their computation.

While refinement and accumulation take place in consensus environments of a different nature, both are executed by the members of the same validator set. The Jam protocol through its rewards and penalties ensures that code executed in-core has a comparable level of crypto-economic security to that executed on-chain, leaving the primary difference between them one of scalability versus synchroneity.

As for managing payment, Jam introduces a new abstraction mechanism based around Polkadot’s Agile Coretime. Within the Ethereum transactive model, the mechanism of account authorization is somewhat combined with the mechanism of purchasing blockspace, both relying on a cryptographic signature to identify a single “transactor” account. In Jam, these are separated and there is no such concept of a “transactor”.

In place of Ethereum’s gas model for purchasing and measuring blockspace, Jam has the concept of coretime, which is prepurchased and assigned to an authorization agent. Coretime is analogous to gas insofar as it is the underlying resource which is being consumed when utilizing Jam. Its procurement is out of scope in the present work and is expected to be managed by a system parachain operating within a parachains service itself blessed with a number of cores for running such system services. The authorization agent allows external actors to provide input to a service without necessarily needing to identify themselves as with Ethereum’s transaction signatures. They are discussed in detail in section 8.

5. The Header

We must first define the header in terms of its components. The header comprises a parent hash and prior state root ( $\mathbf{H}_{P}$ and $\mathbf{H}_{R}$ ), an extrinsic hash $\mathbf{H}_{X}$ , a time-slot index $\mathbf{H}_{T}$ , the epoch, winning-tickets and offenders markers $\mathbf{H}_{E}$ , $\mathbf{H}_{W}$ and $\mathbf{H}_{O}$ , a block author index $\mathbf{H}_{I}$ and two Bandersnatch signatures; the entropy-yielding vrf signature $\mathbf{H}_{V}$ and a block seal $\mathbf{H}_{S}$ . Headers may be serialized to an octet sequence with and without the latter seal component using $\mathcal{E}$ and $\mathcal{E}_{U}$ respectively. Formally:

(5.1)

\mathbf{H}\equiv\mathopen{}\mathclose{{}\left(\mathbf{H}_{P},\mathbf{H}_{R},% \mathbf{H}_{X},\mathbf{H}_{T},\mathbf{H}_{E},\mathbf{H}_{W},\mathbf{H}_{O},% \mathbf{H}_{I},\mathbf{H}_{V},\mathbf{H}_{S}}\right)

The blockchain is a sequence of blocks, each cryptographically referencing some prior block by including a hash derived from the parent’s header, all the way back to some first block which references the genesis header. We already presume consensus over this genesis header $\mathbf{H}^{0}$ and the state it represents defined as $\sigma^{0}$ .

Excepting the Genesis header, all block headers $\mathbf{H}$ have an associated parent header, whose hash is $\mathbf{H}_{P}$ . We denote the parent header ${\mathbf{H}}^{-}=P\mathopen{}\mathclose{{}\left(\mathbf{H}}\right)$ :

(5.2)

\mathbf{H}_{P}\in\mathbb{H}\,,\quad\mathbf{H}_{P}\equiv\mathcal{H}\mathopen{}% \mathclose{{}\left(\mathcal{E}\mathopen{}\mathclose{{}\left(P\mathopen{}% \mathclose{{}\left(\mathbf{H}}\right)}\right)}\right)

$P$ is thus defined as being the mapping from one block header to its parent block header. With $P$ , we are able to define the set of ancestor headers $\mathbf{A}$ :

(5.3)

\displaystyle h\in\mathbf{A}\Leftrightarrow h=\mathbf{H}\vee(\exists i\in% \mathbf{A}:h=P\mathopen{}\mathclose{{}\left(i}\right))

We only require implementations to store headers of ancestors which were authored in the previous $\mathsf{L}=24$ hours of any block $\mathbf{B}$ they wish to validate.

The extrinsic hash is a Merkle commitment to the block’s extrinsic data, taking care to allow for the possibility of reports and preimages to individually have their inclusion proven. Given any block $\mathbf{B}=\mathopen{}\mathclose{{}\left(\mathbf{H},\mathbf{E}}\right)$ , then formally:

(5.4)	$\displaystyle\mathbf{H}_{X}$	$\displaystyle\in\mathbb{H}\ ,\quad\mathbf{H}_{X}\equiv\mathcal{H}\mathopen{}% \mathclose{{}\left(\mathcal{E}\mathopen{}\mathclose{{}\left(\mathcal{H}^{\#}% \mathopen{}\mathclose{{}\left(\mathbf{a}}\right)}\right)}\right)$
(5.5)	$\displaystyle\text{where }\mathbf{a}$	$\displaystyle=\mathopen{}\mathclose{{}\left[\mathcal{E}_{T}\mathopen{}% \mathclose{{}\left(\mathbf{E}_{T}}\right),\mathbf{p},\mathbf{g},\mathcal{E}_{A% }\mathopen{}\mathclose{{}\left(\mathbf{E}_{A}}\right),\mathcal{E}_{D}\mathopen% {}\mathclose{{}\left(\mathbf{E}_{D}}\right)}\right]$
(5.6)	$\displaystyle\text{and }\mathbf{p}$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(% \mathcal{E}_{4}\mathopen{}\mathclose{{}\left(s}\right),\mathcal{H}\mathopen{}% \mathclose{{}\left(\mathbf{d}}\right)}\right)\;\middle\|\;\mathopen{}\mathclose% {{}\left(s,\mathbf{d}}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}% \mathbf{E}_{P}}\right]}\right.\!}\right)$
(5.7)	$\displaystyle\text{and }\mathbf{g}$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(% \mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{r}}\right),\mathcal{E}_{4}% \mathopen{}\mathclose{{}\left(t}\right),\mathopen{}\mathclose{{}\left% \updownarrow a}\right.\!}\right)\;\middle\|\;\mathopen{}\mathclose{{}\left(% \mathbf{r},t,a}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf% {E}_{G}}\right]}\right.\!}\right)$

A block may only be regarded as valid once the time-slot index $\mathbf{H}_{T}$ is in the past. It is always strictly greater than that of its parent. Formally:

(5.8)

\mathbf{H}_{T}\in\mathbb{N}_{T}\,,\quad P\mathopen{}\mathclose{{}\left(\mathbf% {H}}\right)_{T}<\mathbf{H}_{T}\ \wedge\ \mathbf{H}_{T}\cdot\mathsf{P}\leq% \mathcal{T}

Blocks considered invalid by this rule may become valid as $\mathcal{T}$ advances.

The parent state root $\mathbf{H}_{R}$ is the root of a Merkle trie composed by the mapping of the prior state’s Merkle root, which by definition is also the parent block’s posterior state. This is a departure from both Polkadot and the Yellow Paper’s Ethereum, in both of which a block’s header contains the posterior state’s Merkle root. We do this to facilitate the pipelining of block computation and in particular of Merklization.

(5.9)

\mathbf{H}_{R}\in\mathbb{H}\,,\quad\mathbf{H}_{R}\equiv\mathcal{M}_{\sigma}% \mathopen{}\mathclose{{}\left(\sigma}\right)

We assume the state-Merklization function $\mathcal{M}_{\sigma}$ is capable of transforming our state $\sigma$ into a 32-octet commitment. See appendix D for a full definition of these two functions.

All blocks have an associated public key to identify the author of the block. We identify this as an index into the posterior current validator set $\kappa^{\prime}$ . We denote the Bandersnatch key of the author as $\mathbf{H}_{A}$ though note that this is merely an equivalence, and is not serialized as part of the header.

(5.10)

\mathbf{H}_{I}\in\mathbb{N}_{\mathopen{}\mathclose{{}\left|\kappa^{\prime}}% \right|}\,,\quad\mathbf{H}_{A}\equiv\kappa^{\prime}[\mathbf{H}_{I}]_{b}

5.1. The Markers

If not $\emptyset$ , then the epoch marker specifies key and entropy relevant to the following epoch in case the ticket contest does not complete adequately (a very much unexpected eventuality). Similarly, the winning-tickets marker, if not $\emptyset$ , provides the series of 600 slot sealing “tickets” for the next epoch (see the next section). Finally, the offenders marker is the sequence of Ed25519 keys of newly misbehaving validators, to be fully explained in section 10. Formally:

(5.11)

\mathbf{H}_{E}\in\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{H},\mathbb{H},% \mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}\left\lgroup% \accentset{\backsim}{\mathbb{H}},\bar{\mathbb{H}}}\right\rgroup\!}\right\rsem_% {\mathbb{V}}}\right\rgroup\!\bm{?}\,,\quad\mathbf{H}_{W}\in\mathopen{}% \mathclose{{}\left\lsem\mathbb{T}}\right\rsem_{\mathsf{E}}\bm{?}\,,\quad% \mathbf{H}_{O}\in\mathopen{}\mathclose{{}\left\lsem\bar{\mathbb{H}}}\right\rsem

The terms are fully defined in sections 6.6 and 10.

6. Block Production and Chain Growth

As mentioned earlier, Jam is architected around a hybrid consensus mechanism, similar in nature to that of Polkadot’s Babe/Grandpa hybrid. Jam’s block production mechanism, termed Safrole after the novel Sassafras production mechanism of which it is a simplified variant, is a stateful system rather more complex than the Nakamoto consensus described in the YP.

The chief purpose of a block production consensus mechanism is to limit the rate at which new blocks may be authored and, ideally, preclude the possibility of “forks”: multiple blocks with equal numbers of ancestors.

To achieve this, Safrole limits the possible author of any block within any given six-second timeslot to a single key-holder from within a prespecified sequence of validators. Furthermore, under normal operation, the identity of the key-holder of any future timeslot will have a very high degree of anonymity. As a side effect of its operation, we can generate a high-quality pool of entropy which may be used by other parts of the protocol and is accessible to services running on it.

Because of its tightly scoped role, the core of Safrole’s state, $\gamma$ , is independent of the rest of the protocol. It interacts with other portions of the protocol through $\iota$ and $\kappa$ , the prospective and active sequences of validator keys respectively; $\tau$ , the most recent block’s timeslot; and $\eta$ , the entropy accumulator.

The Safrole protocol determines, once per epoch, a slot-sealer sequence $\gamma_{S}$ of $\mathsf{E}$ entries, one for each potential block within the epoch. Under normal operation, each entry is a ticket: an anonymous claim to a timeslot. Each block header includes its timeslot index $\mathbf{H}_{T}$ (the number of six-second periods since the Jam Common Era began) and a valid seal signature $\mathbf{H}_{S}$ , signed by the validator holding the secret key corresponding to the entry at the relevant index of $\gamma_{S}$ . Each ticket is in fact a pseudonym for some validator which was agreed the privilege of authoring a block in the corresponding timeslot.

In order to generate $\gamma_{S}$ while keeping the correspondence between tickets and validators anonymous, we use a novel Ringvrf cryptographic scheme built on the Bandersnatch curve. This scheme allows validators to provide a proof which simultaneously: (1) guarantees the author controlled a key within the validator key sequence, and (2) produces an unbiasable deterministic hash output, giving us a secure verifiable random function (vrf). This anonymous vrf output is the ticket identifier. Validators submit their tickets throughout the epoch, accumulating them in $\gamma_{A}$ . The tickets with the best scores are then selected to populate the next epoch’s slot-sealer sequence $\gamma_{S}$ , determining which validator may author a block in each corresponding timeslot.

6.1. Timekeeping

Here, $\tau$ defines the most recent block’s slot index, which we transition to the slot index as defined in the block’s header:

(6.1)

\tau\in\mathbb{N}_{T}\ ,\quad\tau^{\prime}\equiv\mathbf{H}_{T}

We track the slot index in state as $\tau$ in order that we are able to easily both identify a new epoch and determine the slot at which the prior block was authored. We denote $e$ as the prior’s epoch index and $m$ as the prior’s slot phase index within that epoch and $e^{\prime}$ and $m^{\prime}$ are the corresponding values for the present block:

(6.2)

\displaystyle\mathrm{let}\quad e\text{\hskip 2.0pt\footnotesize{{R}}\hskip 2.0% pt}m=\frac{\tau}{\mathsf{E}}\,,\quad e^{\prime}\text{\hskip 2.0pt\footnotesize% {{R}}\hskip 2.0pt}m^{\prime}=\frac{\tau^{\prime}}{\mathsf{E}}

6.2. Safrole Basic State

We restate $\gamma$ into a number of components:

(6.3)

\displaystyle\gamma

\displaystyle\equiv\!\mathopen{}\mathclose{{}\left\lgroup\gamma_{P},\,\gamma_{% Z},\,\gamma_{S},\,\gamma_{A}}\right\rgroup\!

$\gamma_{Z}$ is the epoch’s root, a Bandersnatch ring root composed with the one Bandersnatch key of each of the next epoch’s validators, defined in $\gamma_{P}$ (itself defined in the next section).

(6.4)

\displaystyle\gamma_{Z}

\displaystyle\in\accentset{\circ}{\mathbb{B}}

Finally, $\gamma_{A}$ is the ticket accumulator, a sequence of highest-scoring ticket identifiers to be used for the next epoch. $\gamma_{S}$ is the current epoch’s slot-sealer sequence, which is either a full complement of $\mathsf{E}$ tickets or, in the case of a fallback mode, a sequence of $\mathsf{E}$ Bandersnatch keys:

(6.5)

\displaystyle\gamma_{A}\in\mathopen{}\mathclose{{}\left\lsem\mathbb{T}}\right% \rsem_{:\mathsf{E}}\,,\quad\gamma_{S}\in\mathopen{}\mathclose{{}\left\lsem% \mathbb{T}}\right\rsem_{\mathsf{E}}\cup\mathopen{}\mathclose{{}\left\lsem% \accentset{\backsim}{\mathbb{H}}}\right\rsem_{\mathsf{E}}

Here, $\mathbb{T}$ is used to denote the set of tickets, a combination of a verifiably random ticket identifier $y$ and the ticket’s entry-index $e$ :

(6.6)

\displaystyle\mathbb{T}

\displaystyle\equiv\!\mathopen{}\mathclose{{}\left\lgroup y\in\mathbb{H},\,e% \in\mathbb{N}}\right\rgroup\!

As we state in section 6.4, Safrole requires that every block header $\mathbf{H}$ contain a valid seal $\mathbf{H}_{S}$ , which is a Bandersnatch signature produced with the private key corresponding to the entry at index $m^{\prime}$ of the current epoch’s slot-sealer sequence $\gamma_{S}^{\prime}$ .

6.3. Key Rotation

In addition to the active sequence of validator keys $\kappa$ and staging sequence $\iota$ , internal to the Safrole state we retain a pending sequence $\gamma_{P}$ . The active validator keys identifies the nodes which are currently privileged to author blocks and carry out the validation processes, whereas the pending keys $\gamma_{P}$ , which is reset to $\iota$ at the beginning of each epoch, is the sequence of keys which will be active in the next epoch and which determine the Bandersnatch ring root which authorizes tickets into the slot-sealer contest for the next epoch. The length of each sequence is always a multiple of 3 between 6 and $3\mathsf{C}$ .

(6.7)		$\displaystyle\iota\in\mathopen{}\mathclose{{}\left\lsem\mathbb{K}}\right\rsem_% {\mathbb{V}}\;,\quad\gamma_{P}\in\mathopen{}\mathclose{{}\left\lsem\mathbb{K}}% \right\rsem_{\mathbb{V}}\;,\quad\kappa\in\mathopen{}\mathclose{{}\left\lsem% \mathbb{K}}\right\rsem_{\mathbb{V}}\;,\quad\lambda\in\mathopen{}\mathclose{{}% \left\lsem\mathbb{K}}\right\rsem_{\mathbb{V}}$
(6.8)		$\displaystyle\mathbb{V}\equiv\mathopen{}\mathclose{{}\left\{\,3c\;\middle\|\;c% \in\mathbb{N}_{2\dots\mathsf{C}+1}\,}\right\}$

We must introduce $\mathbb{K}$ , the set of validator key tuples. This is a combination of a set of cryptographic public keys and metadata which is an opaque octet sequence, but utilized to specify practical identifiers for the validator, not least a hardware address.

The set of validator keys itself is equivalent to the set of 336-octet sequences. However, for clarity, we divide the sequence into four easily denoted components. For any validator key $k$ , the Bandersnatch key is denoted $k_{b}$ , and is equivalent to the first 32-octets; the Ed25519 key, $k_{e}$ , is the second 32 octets; the bls key denoted $k_{l}$ is equivalent to the following 144 octets, and finally the metadata $k_{m}$ is the last 128 octets. Formally:

(6.9)	$\displaystyle\mathbb{K}$	$\displaystyle\equiv\mathbb{B}_{336}$
(6.10)	$\displaystyle\forall k\in\mathbb{K}:k_{b}\in\accentset{\backsim}{\mathbb{H}}$	$\displaystyle\equiv k_{0\dots+32}$
(6.11)	$\displaystyle\forall k\in\mathbb{K}:k_{e}\in\bar{\mathbb{H}}$	$\displaystyle\equiv k_{32\dots+32}$
(6.12)	$\displaystyle\forall k\in\mathbb{K}:k_{l}\in\accentset{\mathrm{B\!L\!S}}{% \mathbb{B}}$	$\displaystyle\equiv k_{64\dots+144}$
(6.13)	$\displaystyle\forall k\in\mathbb{K}:k_{m}\in\mathbb{B}_{128}$	$\displaystyle\equiv k_{208\dots+128}$

With a new epoch under regular conditions, validator keys get rotated and the epoch’s Bandersnatch ring root is updated into $\gamma_{Z}^{\prime}$ :

(6.14)		$\displaystyle\mathopen{}\mathclose{{}\left(\gamma_{P}^{\prime},\kappa^{\prime}% ,\lambda^{\prime},\gamma_{Z}^{\prime}}\right)$	$\displaystyle\equiv\begin{cases}(\Phi(\iota),\gamma_{P},\kappa,z)&\text{if }e^% {\prime}>e\\ \mathopen{}\mathclose{{}\left(\gamma_{P},\kappa,\lambda,\gamma_{Z}}\right)&% \text{otherwise}\end{cases}$
	$\displaystyle\text{where }z$	$\displaystyle=\mathcal{O}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left[k_{b}\;\middle\|\;k\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}% \gamma_{P}^{\prime}}\right]}\right)$
(6.15)		$\displaystyle\Phi(\mathbf{k})$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left[\begin{rcases}\mathopen{}% \mathclose{{}\left[0,0,\dots}\right]&\text{if }k_{e}\in\psi_{O}^{\prime}\\ k&\text{otherwise}\end{rcases}\;\middle\|\;k\mathrel{\mathrlap{<}{\scalebox{0.9% 5}[1.0]{$-$}}}\mathbf{k}}\right]$

Note that on epoch changes the posterior queued validator key sequence $\gamma_{P}^{\prime}$ is defined such that incoming keys belonging to the offenders $\psi_{O}^{\prime}$ are replaced with a null key containing only zeroes. The origin of the offenders is explained in section 10.

6.4. Sealing and Entropy Accumulation

The header must contain a valid seal and valid entropy source. These are two vrf signatures both using the private key corresponding to the slot-sealer sequence entry for the current timeslot; the message data of the former is the header’s serialization omitting the seal component $\mathbf{H}_{S}$ , whereas the latter is used as a bias-resistant entropy source and thus its message must already have been fixed: we use the entropy stemming from the vrf of the seal signature. Formally:

	$\displaystyle\text{let }i={\gamma_{S}^{\prime}[\mathbf{H}_{T}]}^{% \circlearrowleft}\colon$
(6.16)		$\displaystyle\gamma_{S}^{\prime}\in\mathopen{}\mathclose{{}\left\lsem\mathbb{T% }}\right\rsem$	$\displaystyle\implies\mathopen{}\mathclose{{}\left\{\,\begin{aligned} &i_{y}=% \mathcal{Y}\mathopen{}\mathclose{{}\left(\mathbf{H}_{S}}\right)\,,\\ &\mathbf{H}_{S}\in\accentset{\backsim}{\mathbb{V}}_{\mathbf{H}_{A}}^{\mathcal{% E}_{U}\mathopen{}\mathclose{{}\left(\mathbf{H}}\right)}\mathopen{}\mathclose{{% }\left\langle\mathsf{X}_{T}\frown\eta^{\prime}_{3}\mathrel{\hbox to0.0pt{\hbox to% 7.0pt{\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill\vrule height=5.0% pt,depth=0.0pt,width=0.6pt\hfill}}\vbox to5.0pt{\vfill\hrule height=0.6pt,dept% h=0.0pt,width=7.0pt\vfill}}i_{e}}\right\rangle\,,\\ &\mathbf{T}=1\end{aligned}}\right.$
(6.17)		$\displaystyle\gamma_{S}^{\prime}\in\mathopen{}\mathclose{{}\left\lsem% \accentset{\backsim}{\mathbb{H}}}\right\rsem$	$\displaystyle\implies\mathopen{}\mathclose{{}\left\{\,\begin{aligned} &i=% \mathbf{H}_{A}\,,\\ &\mathbf{H}_{S}\in\accentset{\backsim}{\mathbb{V}}_{\mathbf{H}_{A}}^{\mathcal{% E}_{U}\mathopen{}\mathclose{{}\left(\mathbf{H}}\right)}\mathopen{}\mathclose{{% }\left\langle\mathsf{X}_{F}\frown\eta^{\prime}_{3}}\right\rangle\,,\\ &\mathbf{T}=0\end{aligned}}\right.$
(6.18)		$\displaystyle\mathbf{H}_{V}$	$\displaystyle\in\accentset{\backsim}{\mathbb{V}}_{\mathbf{H}_{A}}^{\mathopen{}% \mathclose{{}\left[}\right]}\mathopen{}\mathclose{{}\left\langle\mathsf{X}_{E}% \frown\mathcal{Y}\mathopen{}\mathclose{{}\left(\mathbf{H}_{S}}\right)}\right\rangle$
(6.19)		$\displaystyle\mathsf{X}_{E}$	$\displaystyle=\text{{\small{\$jam\_entropy}}}$
(6.20)		$\displaystyle\mathsf{X}_{F}$	$\displaystyle=\text{{\small{\$jam\_fallback\_seal}}}$
(6.21)		$\displaystyle\mathsf{X}_{T}$	$\displaystyle=\text{{\small{\$jam\_ticket\_seal}}}$

Sealing using the ticket is of greater security, and we utilize this knowledge when determining a candidate block on which to extend the chain, detailed in section 19. We thus note that the block was sealed under the regular security with the boolean marker $\mathbf{T}$ . We define this only for the purpose of ease of later specification.

In addition to the entropy accumulator $\eta_{0}$ , we retain three additional historical values of the accumulator at the point of each of the three most recently ended epochs, $\eta_{1}$ , $\eta_{2}$ and $\eta_{3}$ . The second-oldest of these $\eta_{2}$ is utilized to help ensure future entropy is unbiased (see equation 6.30) and seed the fallback slot-sealer generation function with randomness (see equation 6.25). The oldest is used to regenerate this randomness when verifying the seal above (see equations 6.17 and 6.16).

(6.22)

\displaystyle\eta

\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\mathbb{H}}\right\rsem_{4}

$\eta_{0}$ defines the state of the randomness accumulator to which the provably random output of the vrf, the signature over some unbiasable input, is combined each block. $\eta_{1}$ , $\eta_{2}$ and $\eta_{3}$ meanwhile retain the state of this accumulator at the end of the three most recently ended epochs in order.

(6.23)

\displaystyle\eta_{0}^{\prime}

\displaystyle\equiv\mathcal{H}\mathopen{}\mathclose{{}\left(\eta_{0}\frown% \mathcal{Y}\mathopen{}\mathclose{{}\left(\mathbf{H}_{V}}\right)}\right)

On an epoch transition (identified as the condition $e^{\prime}>e$ ), we therefore rotate the accumulator value into the history $\eta_{1}$ , $\eta_{2}$ and $\eta_{3}$ :

(6.24)

\displaystyle\mathopen{}\mathclose{{}\left(\eta^{\prime}_{1},\eta^{\prime}_{2}% ,\eta^{\prime}_{3}}\right)

\displaystyle\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\eta_{0},\eta_{1% },\eta_{2}}\right)&\text{if }e^{\prime}>e\\ \mathopen{}\mathclose{{}\left(\eta_{1},\eta_{2},\eta_{3}}\right)&\text{% otherwise}\end{cases}

6.5. The Slot-Sealer Sequence

The posterior slot-sealer sequence $\gamma_{S}^{\prime}$ is one of three expressions depending on the circumstance of the block. If the block is not the first in an epoch, then it remains unchanged from the prior $\gamma_{S}$ . If the block signals the next epoch (by epoch index) and the previous block’s slot was within the closing period of the previous epoch, then it takes the value of the prior ticket accumulator $\gamma_{A}$ . Otherwise, it takes the value of the fallback key sequence. Formally:

(6.25)

\displaystyle\gamma_{S}^{\prime}

\displaystyle\equiv\begin{cases}Z(\gamma_{A})&\text{if }e^{\prime}=e+1\wedge m% \geq\mathsf{Y}\wedge\mathopen{}\mathclose{{}\left|\gamma_{A}}\right|=\mathsf{E% }\!\!\\ \gamma_{S}&\text{if }e^{\prime}=e\\ F(\eta^{\prime}_{2},\kappa^{\prime})\!\!\!&\text{otherwise}\end{cases}

Here, we use $Z$ as the outside-in sequencer function, defined as follows:

(6.26)

Z\colon\mathopen{}\mathclose{{}\left\{\,\begin{aligned} \mathopen{}\mathclose{% {}\left\lsem\mathbb{T}}\right\rsem_{\mathsf{E}}&\to\mathopen{}\mathclose{{}% \left\lsem\mathbb{T}}\right\rsem_{\mathsf{E}}\\ \mathbf{s}&\mapsto\mathopen{}\mathclose{{}\left[\mathbf{s}_{0},\mathbf{s}_{% \mathopen{}\mathclose{{}\left|\mathbf{s}}\right|-1},\mathbf{s}_{1},\mathbf{s}_% {\mathopen{}\mathclose{{}\left|\mathbf{s}}\right|-2},\dots}\right]\\ \end{aligned}}\right.

Finally, $F$ is the fallback key sequence function which selects an epoch’s worth of validator Bandersnatch keys ( $\mathopen{}\mathclose{{}\left\lsem\accentset{\backsim}{\mathbb{H}}}\right\rsem% _{\mathsf{E}}$ ) from the validator key sequence $\mathbf{k}$ using the entropy collected on-chain $r$ :

(6.27)

F\colon\mathopen{}\mathclose{{}\left\{\ \begin{aligned} \!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{H},\,\mathopen{}\mathclose{{}\left\lsem% \mathbb{K}}\right\rsem}\right\rgroup\!&\to\mathopen{}\mathclose{{}\left\lsem% \accentset{\backsim}{\mathbb{H}}}\right\rsem_{\mathsf{E}}\\ \mathopen{}\mathclose{{}\left(r,\,\mathbf{k}}\right)&\mapsto\mathopen{}% \mathclose{{}\left[{\mathbf{k}_{\mathcal{E}^{-1}_{4}\mathopen{}\mathclose{{}% \left(\mathcal{H}\mathopen{}\mathclose{{}\left(r\frown\mathcal{E}_{4}\mathopen% {}\mathclose{{}\left(i}\right)}\right)_{\dots 4}}\right)}}^{\circlearrowleft}_% {b}\;\middle|\;i\in\mathbb{N}_{\mathsf{E}}}\right]\end{aligned}}\right.\!\!\!

6.6. The Markers

The epoch and winning-tickets markers are information placed in the header in order to minimize data transfer necessary to determine the validator keys associated with any given epoch. They are particularly useful to nodes which do not synchronize the entire state for any given block since they facilitate the secure tracking of changes to the validator key sequences using only the chain of headers.

As mentioned earlier, the header’s epoch marker $\mathbf{H}_{E}$ is either empty or, if the block is the first in a new epoch, then a tuple of the next and current epoch randomness, along with a sequence of tuples containing both Bandersnatch keys and Ed25519 keys for each validator defining the validator keys beginning in the next epoch. Formally:

(6.28)

\displaystyle\mathbf{H}_{E}

\displaystyle\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\eta_{0},\eta_{1% },\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(k_{b},k_{e}}% \right)\;\middle|\;k\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\gamma_{P% }^{\prime}}\right]}\right)&\text{if }e^{\prime}>e\\ \emptyset&\text{otherwise}\end{cases}

The winning-tickets marker $\mathbf{H}_{W}$ is either empty or, if the block is the first after the end of the submission period for tickets and if the ticket accumulator is saturated, then the final sequence of ticket identifiers. Formally:

(6.29)

\displaystyle\mathbf{H}_{W}

\displaystyle\equiv\begin{cases}Z(\gamma_{A})&\text{if }e^{\prime}=e\wedge m<% \mathsf{Y}\leq m^{\prime}\wedge\mathopen{}\mathclose{{}\left|\gamma_{A}}\right% |=\mathsf{E}\\ \emptyset&\text{otherwise}\end{cases}

6.7. The Extrinsic and Tickets

The extrinsic $\mathbf{E}_{T}$ is a sequence of proofs of valid tickets; a ticket implies an entry in our epochal “contest” to determine which validators are privileged to author a block for each timeslot in the following epoch. Tickets specify an entry index (a natural number less than the maximum number of ticket entries per validator, defined in equation 6.30) together with a proof of ticket’s validity. The proof implies a ticket identifier, a high-entropy unbiasable 32-octet sequence, which is used both as a score in the aforementioned contest and as input for the block’s entropy source vrf signature.

Towards the end of the epoch (i.e. $\mathsf{Y}$ slots from the start) this contest is closed implying successive blocks within the same epoch must have an empty tickets extrinsic. At this point, the following epoch’s slot-sealer sequence becomes fixed.

We define the extrinsic as a sequence of proofs of valid tickets, each of which is a tuple of an entry index and a proof of ticket validity. To ensure the accumulator can be saturated, when there are fewer validators, each validator is permitted more tickets. Formally:

(6.30)		$\displaystyle\begin{split}\mathbf{E}_{T}&\in\mathopen{}\mathclose{{}\left\lsem% \!\mathopen{}\mathclose{{}\left\lgroup e\in\mathbb{N}_{n},\,p\in\accentset{% \circ}{\mathbb{V}}_{\gamma_{Z}^{\prime}}^{\mathopen{}\mathclose{{}\left[}% \right]}\mathopen{}\mathclose{{}\left\langle\mathsf{X}_{T}\frown\eta^{\prime}_% {2}\mathrel{\hbox to0.0pt{\hbox to7.0pt{\hfill\vrule height=5.0pt,depth=0.0pt,% width=0.6pt\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill}}\vbox to5.% 0pt{\vfill\hrule height=0.6pt,depth=0.0pt,width=7.0pt\vfill}}e}\right\rangle}% \right\rgroup\!}\right\rsem\\ &\phantom{{}\in{}}\text{where }n=\mathopen{}\mathclose{{}\left\lceil\frac{2% \mathsf{E}}{\mathopen{}\mathclose{{}\left\|\gamma_{P}^{\prime}}\right\|}}\right% \rceil\end{split}$
(6.31)		$\displaystyle\mathopen{}\mathclose{{}\left\|\mathbf{E}_{T}}\right\|$	$\displaystyle\leq\begin{cases}\mathsf{K}&\text{if }m^{\prime}<\mathsf{Y}\\ 0&\text{otherwise}\end{cases}$

We define $\mathbf{n}$ as the sequence of new tickets, with the ticket identifier, a hash, defined as the output component of the Bandersnatch Ringvrf proof:

(6.32)

\displaystyle\mathbf{n}

\displaystyle\equiv\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left% (y\mathrel{\mathop{:}}\mathcal{Y}\mathopen{}\mathclose{{}\left(i_{p}}\right),% \,e\mathrel{\mathop{:}}i_{e}}\right)\;\middle|\;i\mathrel{\mathrlap{<}{% \scalebox{0.95}[1.0]{$-$}}}\mathbf{E}_{T}}\right]

The tickets submitted via the extrinsic must already have been placed in order of their implied identifier. Duplicate identifiers are never allowed lest a validator submit the same ticket multiple times:

(6.33)		$\displaystyle\mathbf{n}$	$\displaystyle=\mathopen{}\mathclose{{}\left[x\in\mathbf{n}\,\middle\lWavy\,x_{% y}}\right]$
(6.34)		$\displaystyle\mathopen{}\mathclose{{}\left\{\,x_{y}\;\middle\|\;x\in\mathbf{n}% \,}\right\}$	$\displaystyle\downspoon\mathopen{}\mathclose{{}\left\{\,x_{y}\;\middle\|\;x\in% \gamma_{A}\,}\right\}$

The new ticket accumulator $\gamma_{A}^{\prime}$ is constructed by merging new tickets into the previous accumulator value (or the empty sequence if it is a new epoch):

(6.35)

\displaystyle\gamma_{A}^{\prime}

\displaystyle\equiv{\overrightarrow{\mathopen{}\mathclose{{}\left[x\in\mathbf{% n}\cup\begin{cases}\emptyset\ &\text{if }e^{\prime}>e\\ \gamma_{A}\ &\text{otherwise}\end{cases}\,\middle\lwavy\,x_{y}}\right]~{}}}^{% \mathsf{E}}

The maximum size of the ticket accumulator is $\mathsf{E}$ . On each block, the accumulator becomes the lowest items of the sorted union of tickets from prior accumulator $\gamma_{A}$ and the submitted tickets. It is invalid to include useless tickets in the extrinsic, so all submitted tickets must exist in their posterior ticket accumulator. Formally:

(6.36)

\displaystyle\mathbf{n}\subseteq\gamma_{A}^{\prime}

Note that it can be shown that in the case of an empty extrinsic $\mathbf{E}_{T}=\mathopen{}\mathclose{{}\left[}\right]$ , as implied by $m^{\prime}\geq\mathsf{Y}$ , and unchanged epoch ( $e^{\prime}=e$ ), then $\gamma_{A}^{\prime}=\gamma_{A}$ .

7. Recent History

We retain in state information on the most recent $\mathsf{H}$ blocks. This is used to preclude the possibility of duplicate or out of date work-reports from being submitted.

(7.1)	$\displaystyle\beta$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left(\beta_{H},\beta_{B}}\right)$
(7.2)	$\displaystyle\beta_{H}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}% \left\lgroup h\in\mathbb{H},s\in\mathbb{H},b\in\mathbb{H},t\in\mathbb{N}_{T},% \mathbf{p}\in\mathopen{}\mathclose{{}\left\langlebar\mathbb{H}\to\mathbb{H}}% \right\ranglebar}\right\rgroup\!}\right\rsem_{:\mathsf{H}}$
(7.3)	$\displaystyle\beta_{B}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\mathbb{H}\bm{?}}\right\rsem$
(7.4)	$\displaystyle\theta$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\mathopen{}\mathclose{{}% \left(\mathbb{N}_{S},\mathbb{H}}\right)}\right\rsem$

For each recent block, we retain its header hash, its state root, its accumulation-result mmb and the corresponding work-package hashes of each item reported (which is no more than the total number of cores, $\mathsf{C}=341$ ).

During the accumulation stage, a value with the partial transition of this state is provided which contains the correction for the newly-known state-root of the parent block:

(7.5)

\beta_{H}^{\dagger}\equiv\beta_{H}\quad\text{ except }\quad\beta_{H}^{\dagger}% \mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left|\beta_{H}}\right|-% 1}\right]_{s}=\mathbf{H}_{R}

We define the new Accumulation Output Log $\beta_{B}$ . This is formed from the block’s accumulation-output sequence $\theta^{\prime}$ (defined in section 12), taking its root using the basic binary Merklization function ( $\mathcal{M}_{B}$ , defined in appendix E) and appending it to the previous log value with the mmb append function (defined in appendix E.2). Throughout, the Keccak hash function is used to maximize compatibility with legacy systems:

(7.6)		$\displaystyle\text{let }\mathbf{s}$	$\displaystyle=\mathopen{}\mathclose{{}\left[\mathcal{E}_{4}\mathopen{}% \mathclose{{}\left(s}\right)\frown\mathcal{E}\mathopen{}\mathclose{{}\left(h}% \right)\;\middle\|\;\mathopen{}\mathclose{{}\left(s,h}\right)\mathrel{\mathrlap% {<}{\scalebox{0.95}[1.0]{$-$}}}\theta^{\prime}}\right]$
(7.7)		$\displaystyle\beta_{B}^{\prime}$	$\displaystyle\equiv\mathcal{A}\mathopen{}\mathclose{{}\left(\beta_{B},\mathcal% {M}_{B}\mathopen{}\mathclose{{}\left(\mathbf{s},\mathcal{H}_{K}}\right),% \mathcal{H}_{K}}\right)$

The final state transition for $\beta_{H}$ appends a new item including the new block’s header hash, a Merkle commitment to the block’s Accumulation Output Log and the set of work-reports made into it (for which we use the guarantees extrinsic, $\mathbf{E}_{G}$ ). Formally:

(7.8)		$\displaystyle\beta_{H}^{\prime}$	$\displaystyle\equiv{\overleftarrow{\beta_{H}^{\dagger}\mathrel{\hbox to0.0pt{% \hbox to7.0pt{\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill\vrule he% ight=5.0pt,depth=0.0pt,width=0.6pt\hfill}}\vbox to5.0pt{\vfill\hrule height=0.% 6pt,depth=0.0pt,width=7.0pt\vfill}}\mathopen{}\mathclose{{}\left(h\mathrel{% \mathop{:}}\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{H}}\right),s% \mathrel{\mathop{:}}\mathbb{H}_{0},b\mathrel{\mathop{:}}\mathcal{M}_{R}% \mathopen{}\mathclose{{}\left(\beta_{B}^{\prime}}\right),t\mathrel{\mathop{:}}% \mathbf{H}_{T},\mathbf{p}}\right)}}^{\mathsf{H}}$
(7.8)		$\displaystyle\text{where }\mathbf{p}$	$\displaystyle=\mathopen{}\mathclose{{}\left\{\,\mathopen{}\mathclose{{}\left((% (g_{\mathbf{r}})_{\mathbf{s}})_{p}\mapsto((g_{\mathbf{r}})_{\mathbf{s}})_{e}}% \right)\;\middle\|\;g\in\mathbf{E}_{G}\,}\right\}$

The new state-trie root is the zero hash, $\mathbb{H}_{0}$ , which is inaccurate but safe since $\beta^{\prime}$ is not utilized except to define the next block’s $\beta^{\dagger}$ , which contains a corrected value for this, as per equation 7.5.

8. Authorization

We have previously discussed the model of work-packages and services in section 4.9, however we have yet to make a substantial discussion of exactly how some coretime resource may be apportioned to some work-package and its associated service. In the YP Ethereum model, the underlying resource, gas, is procured at the point of introduction on-chain and the purchaser is always the same agent who authors the data which describes the work to be done (i.e. the transaction). Conversely, in Polkadot the underlying resource, a parachain slot, is procured with a substantial deposit for typically 24 months at a time and the procurer, generally a parachain team, will often have no direct relation to the author of the work to be done (i.e. a parachain block).

On a principle of flexibility, we would wish Jam capable of supporting a range of interaction patterns both Ethereum-style and Polkadot-style. In an effort to do so, we introduce the authorization system, a means of disentangling the intention of usage for some coretime from the specification and submission of a particular workload to be executed on it. We are thus able to disassociate the purchase and assignment of coretime from the specific determination of work to be done with it, and so are able to support both Ethereum-style and Polkadot-style interaction patterns.

8.1. Authorizers and Authorizations

The authorization system involves three key concepts: Authorizers, Tokens and Traces. A Token is simply a piece of opaque data to be included with a work-package to help make an argument that the work-package should be authorized. Similarly, a Trace is a piece of opaque data which helps characterize or describe some successful authorization. An Authorizer meanwhile, is a piece of logic which executes within some pre-specified and well-known computational limits and determines whether a work-package—including its Token—is authorized for execution on some particular core and yields a Trace on success.

Authorizers are identified as the hash of their pvm code hash concatenated with their Configuration blob, the latter being, like Tokens and Traces, opaque data meaningful to the pvm code. The process by which work-packages are determined to be authorized (or not) is not the competence of on-chain logic and happens entirely in-core and as such is discussed in section 14.3. However, on-chain logic must identify each set of authorizers assigned to each core in order to verify that a work-package is legitimately able to utilize that resource. It is this subsystem we will now define.

8.2. Pool and Queue

We define the set of authorizers allowable for a particular core $c$ as the authorizer pool $\alpha[c]$ . To maintain this value, a further portion of state is tracked for each core: the core’s current authorizer queue $\phi[c]$ , from which we draw values to fill the pool. Formally:

(8.1)

\alpha\in\mathopen{}\mathclose{{}\left\lsem\mathopen{}\mathclose{{}\left\lsem% \mathbb{H}}\right\rsem_{:\mathsf{O}}}\right\rsem_{\mathsf{C}}\ ,\qquad\phi\in% \mathopen{}\mathclose{{}\left\lsem\mathopen{}\mathclose{{}\left\lsem\mathbb{H}% }\right\rsem_{\mathsf{Q}}}\right\rsem_{\mathsf{C}}

Note: The portion of state $\phi$ may be altered only through an exogenous call made from the accumulate logic of an appropriately privileged service.

The state transition of a block involves placing a new authorization into the pool from the queue:

(8.2)		$\displaystyle\forall c\in\mathbb{N}_{\mathsf{C}}:\alpha^{\prime}\mathopen{}% \mathclose{{}\left[c}\right]\equiv{\overleftarrow{F(c)\mathrel{\hbox to0.0pt{% \hbox to7.0pt{\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill\vrule he% ight=5.0pt,depth=0.0pt,width=0.6pt\hfill}}\vbox to5.0pt{\vfill\hrule height=0.% 6pt,depth=0.0pt,width=7.0pt\vfill}}{\phi^{\prime}\mathopen{}\mathclose{{}\left% [c}\right]\mathopen{}\mathclose{{}\left[\mathbf{H}_{T}}\right]}^{% \circlearrowleft}}}^{\mathsf{O}}$
(8.3)		$\displaystyle F(c)\equiv\begin{cases}\alpha[c]\nwspoon\mathopen{}\mathclose{{}% \left\{\,(g_{\mathbf{r}})_{a}\,}\right\}&\text{if }\exists g\in\mathbf{E}_{G}:% (g_{\mathbf{r}})_{c}=c\\ \alpha[c]&\text{otherwise}\end{cases}$

Since $\alpha^{\prime}$ is dependent on $\phi^{\prime}$ , practically speaking, this step must be computed after accumulation, the stage in which $\phi^{\prime}$ is defined. Note that we utilize the guarantees extrinsic $\mathbf{E}_{G}$ to remove the oldest authorizer which has been used to justify a guaranteed work-package in the current block. This is further defined in equation 11.25.

9. Service Accounts

As we already noted, a service in Jam is somewhat analogous to a smart contract in Ethereum in that it includes amongst other items, a code component, a storage component and a balance. Unlike Ethereum, the code is split over two isolated entry-points each with their own environmental conditions; one, Refinement, is essentially stateless and happens in-core, and the other, Accumulation, which is stateful and happens on-chain. It is the latter which we will concern ourselves with now.

Service accounts are held in state under $\delta$ , a partial mapping from a service identifier $\mathbb{N}_{S}$ into a tuple of named elements which specify the attributes of the service relevant to the Jam protocol. Formally:

(9.1)		$\displaystyle\mathbb{N}_{S}$	$\displaystyle\equiv\mathbb{N}_{2^{32}}$
(9.2)		$\displaystyle\delta$	$\displaystyle\in\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_{S}\to% \mathbb{A}}\right\ranglebar$

The service account is defined as the tuple of storage dictionary $\mathbf{s}$ , preimage lookup dictionaries $\mathbf{p}$ and $\mathbf{l}$ , code hash $c$ , balance $b$ and gratis storage offset $f$ , as well as the two code gas limits $g$ & $m$ . We also record certain usage characteristics concerning the account: the time slot at creation $r$ , the time slot at the most recent accumulation $a$ and the parent service $p$ . Formally:

(9.3)

\displaystyle\mathbb{A}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\ \begin{% aligned} \mathbf{s}&\in\mathopen{}\mathclose{{}\left\langlebar\mathbb{B}\to% \mathbb{B}}\right\ranglebar\,,\ \mathbf{p}\in\mathopen{}\mathclose{{}\left% \langlebar\mathbb{H}\to\mathbb{B}}\right\ranglebar\,,\\ \mathbf{l}&\in\mathopen{}\mathclose{{}\left\langlebar\!\mathopen{}\mathclose{{% }\left\lgroup\mathbb{H},\mathbb{N}_{L}}\right\rgroup\!\to\mathopen{}\mathclose% {{}\left\lsem\mathbb{N}_{T}}\right\rsem_{:3}}\right\ranglebar\,,\\ f&\in\mathbb{N}_{B}\,,\ c\in\mathbb{H}\,,\ b\in\mathbb{N}_{B}\,,\ g\in\mathbb{% N}_{G}\,,\\ m&\in\mathbb{N}_{G}\,,\ r\in\mathbb{N}_{T}\,,\ a\in\mathbb{N}_{T}\,,\ p\in% \mathbb{N}_{S}\\ \end{aligned}\,}\right\rgroup\!

Thus, the balance of the service of index $s$ would be denoted $\delta\mathopen{}\mathclose{{}\left[s}\right]_{b}$ and the storage item of key $\mathbf{k}\in\mathbb{B}$ for that service is written $\delta\mathopen{}\mathclose{{}\left[s}\right]_{\mathbf{s}}\mathopen{}% \mathclose{{}\left[\mathbf{k}}\right]$ .

9.1. Code and Gas

The code and associated metadata of a service account is identified by a hash which, if the service is to be functional, must be present within its preimage lookup (see section 9.2) and have a preimage which is a proper encoding of the two blobs. We thus define the actual code $\mathbf{c}$ and metadata $\mathbf{m}$ :

(9.4)

\displaystyle\forall\mathbf{a}\in\mathbb{A}:\mathopen{}\mathclose{{}\left(% \mathbf{a}_{\mathbf{m}},\mathbf{a}_{\mathbf{c}}}\right)\equiv\begin{cases}% \mathopen{}\mathclose{{}\left(\mathbf{m},\mathbf{c}}\right)&\text{if }\mathcal% {E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left\updownarrow% \mathbf{m}}\right.\!,\mathbf{c}}\right)=\mathbf{a}_{\mathbf{p}}[\mathbf{a}_{c}% ]\\ \mathopen{}\mathclose{{}\left(\emptyset,\emptyset}\right)&\text{otherwise}\end% {cases}

There are two entry-points in the code:

0 refine:: Refinement, executed in-core and stateless.¹⁰¹⁰ 10 Technically there is some small assumption of state, namely that some modestly recent instance of each service’s preimages. The specifics of this are discussed in section 14.3.
1 accumulate:: Accumulation, executed on-chain and stateful.

Refinement and accumulation are described in more detail in sections 14.4 and 12.2 respectively.

As stated in appendix A, execution time in the Jam virtual machine is measured deterministically in units of gas, represented as a natural number less than $2^{64}$ and formally denoted $\mathbb{N}_{G}$ . We may also use $\mathbb{Z}_{G}$ to denote the set $\mathbb{Z}_{-2^{63}\dots 2^{63}}$ if the quantity may be negative. There are two limits specified in the account, which determine the minimum gas required in order to execute the Accumulate entry-point of the service’s code. $g$ is the minimum gas required per work-item, while $m$ is the minimum gas required per deferred-transfer.

9.2. Preimage Lookups

In addition to storing data in arbitrary key/value pairs available only on-chain, an account may also solicit data to be made available also in-core, and thus available to the Refine logic of the service’s code. State concerning this facility is held under the service’s $\mathbf{p}$ and $\mathbf{l}$ components.

There are several differences between preimage-lookups and storage. Firstly, preimage-lookups act as a mapping from a hash to its preimage, whereas general storage maps arbitrary keys to values. Secondly, preimage data is supplied extrinsically, whereas storage data originates as part of the service’s accumulation. Thirdly preimage data, once supplied, may not be removed freely; instead it goes through a process of being marked as unavailable, and only after a period of time may it be removed from state. This ensures that historical information on its existence is retained. The final point especially is important since preimage data is designed to be queried in-core, under the Refine logic of the service’s code, and thus it is important that the historical availability of the preimage is known.

We begin by reformulating the portion of state concerning our data-lookup system. The purpose of this system is to provide a means of storing static data on-chain such that it may later be made available within the execution of any service code as a function accepting only the hash of the data and its length in octets.

During the on-chain execution of the Accumulate function, this is trivial to achieve since there is inherently a state which all validators verifying the block necessarily have complete knowledge of, i.e. $\sigma$ . However, for the in-core execution of Refine, there is no such state inherently available to all validators; we thus name a historical state, the lookup anchor which must be considered recently finalized before the work’s implications may be accumulated hence providing this guarantee.

By retaining historical information on its availability, we become confident that any validator with a recently finalized view of the chain is able to determine whether any given preimage was available at any time within the period where auditing may occur. This ensures confidence that judgments will be deterministic even without consensus on chain state.

Restated, we must be able to define some historical lookup function $\Lambda$ which determines whether the preimage of some hash was available for lookup by some service account at some timeslot, and if so, provide it:

(9.5)

\displaystyle\Lambda\colon\mathopen{}\mathclose{{}\left\{\ \begin{aligned} \!% \mathopen{}\mathclose{{}\left\lgroup\mathbb{A},\mathbb{N}_{(\mathbf{H}_{T}-% \mathsf{D})\dots\mathbf{H}_{T}},\mathbb{H}}\right\rgroup\!&\to\mathbb{B}\bm{?}% \\ (\mathbf{a},t,\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{p}}\right))&% \mapsto v:v\in\mathopen{}\mathclose{{}\left\{\,\mathbf{p},\emptyset\,}\right\}% \end{aligned}}\right.

This function is defined shortly below in equation LABEL:eq:historicallookup.

The preimage lookup for some service of index $s$ is denoted $\delta\mathopen{}\mathclose{{}\left[s}\right]_{\mathbf{p}}$ is a dictionary mapping a hash to its corresponding preimage. Additionally, there is metadata associated with the lookup denoted $\delta\mathopen{}\mathclose{{}\left[s}\right]_{\mathbf{l}}$ which is a dictionary mapping some hash and presupposed length into historical information.

9.2.1. Invariants

The state of the lookup system naturally satisfies a number of invariants. Firstly, any preimage value must correspond to its hash, equation 9.6. Secondly, a preimage value being in state implies that its hash and length pair has some associated status, also in equation 9.6. Formally:

(9.6)

\forall\mathbf{a}\in\mathbb{A},\mathopen{}\mathclose{{}\left(h\mapsto\mathbf{d% }}\right)\in\mathbf{a}_{\mathbf{p}}\Rightarrow h=\mathcal{H}\mathopen{}% \mathclose{{}\left(\mathbf{d}}\right)\wedge\mathopen{}\mathclose{{}\left(h,% \mathopen{}\mathclose{{}\left|\mathbf{d}}\right|}\right)\in\mathcal{K}% \mathopen{}\mathclose{{}\left(\mathbf{a}_{\mathbf{l}}}\right)

9.2.2. Semantics

The historical status component $h\in\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{T}}\right\rsem_{:3}$ is a sequence of up to three time slots and the cardinality of this sequence implies one of four modes:

•

$h=\mathopen{}\mathclose{{}\left\lsem}\right\rsem$ : The preimage is requested, but has not yet been supplied.
•

$h\in\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{T}}\right\rsem_{1}$ : The preimage is available and has been from time $h_{0}$ .
•

$h\in\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{T}}\right\rsem_{2}$ : The previously available preimage is now unavailable since time $h_{1}$ . It had been available from time $h_{0}$ .
•

$h\in\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{T}}\right\rsem_{3}$ : The preimage is available and has been from time $h_{2}$ . It had previously been available from time $h_{0}$ until time $h_{1}$ .

The historical lookup function $\Lambda$ may now be defined as:

(9.7)			$\displaystyle\Lambda\colon\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{A},% \mathbb{N}_{T},\mathbb{H}}\right\rgroup\!\to\mathbb{B}\bm{?}$
			$\displaystyle\Lambda(\mathbf{a},t,h)\equiv\begin{cases}\mathbf{a}_{\mathbf{p}}% \mathopen{}\mathclose{{}\left[h}\right]\!\!\!\!&\text{if }h\in\mathcal{K}% \mathopen{}\mathclose{{}\left(\mathbf{a}_{\mathbf{p}}}\right)\wedge I(\mathbf{% a}_{\mathbf{l}}\mathopen{}\mathclose{{}\left[h,\mathopen{}\mathclose{{}\left\|% \mathbf{a}_{\mathbf{p}}\mathopen{}\mathclose{{}\left[h}\right]}\right\|}\right]% ,t)\!\!\!\!\!\\ \emptyset&\text{otherwise}\end{cases}$
			$\displaystyle\text{where }I(\mathbf{l},t)=\begin{cases}\bot&\text{if }% \mathopen{}\mathclose{{}\left[}\right]=\mathbf{l}\\ x\leq t&\text{if }\mathopen{}\mathclose{{}\left[x}\right]=\mathbf{l}\\ x\leq t<y&\text{if }\mathopen{}\mathclose{{}\left[x,y}\right]=\mathbf{l}\\ x\leq t<y\vee z\leq t&\text{if }\mathopen{}\mathclose{{}\left[x,y,z}\right]=% \mathbf{l}\\ \end{cases}$

9.3. Account Footprint and Threshold Balance

We define the dependent values $i$ and $o$ as the storage footprint of the service, specifically the number of items in storage and the total number of octets used in storage. They are defined purely in terms of the storage map of a service, and it must be assumed that whenever a service’s storage is changed, these change also.

Furthermore, as we will see in the account serialization function in section C, these are expected to be found explicitly within the Merklized state data. Because of this we make explicit their set.

We may then define a third dependent term $t$ , the minimum, or threshold, balance needed for any given service account in terms of its storage footprint.

(9.8)

\displaystyle\forall\mathbf{a}\in\mathcal{V}\mathopen{}\mathclose{{}\left(% \delta}\right)\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbf{a}_% {i}\in\mathbb{N}_{2^{32}}&\equiv 2\cdot\mathopen{}\mathclose{{}\left|\,\mathbf% {a}_{\mathbf{l}}\,}\right|+\mathopen{}\mathclose{{}\left|\,\mathbf{a}_{\mathbf% {s}}\,}\right|\\ \mathbf{a}_{o}\in\mathbb{N}_{2^{64}}&\equiv\sum\limits_{\,\mathopen{}% \mathclose{{}\left(h,z}\right)\in\mathcal{K}\mathopen{}\mathclose{{}\left(% \mathbf{a}_{\mathbf{l}}}\right)\,}\!\!\!\!81+z\\ &\phantom{\equiv\ }+\sum\limits_{\mathopen{}\mathclose{{}\left(x,y}\right)\in% \mathbf{a}_{\mathbf{s}}}34+\mathopen{}\mathclose{{}\left|y}\right|+\mathopen{}% \mathclose{{}\left|x}\right|\\ \mathbf{a}_{t}\in\mathbb{N}_{B}&\equiv\max(0,\mathsf{B}_{S}+\mathsf{B}_{I}% \cdot\mathbf{a}_{i}+\mathsf{B}_{L}\cdot\mathbf{a}_{o}-\mathbf{a}_{f})\end{% aligned}}\right.

9.4. Service Privileges

Jam includes the ability to bestow privileges on a number of services. The portion of state in which this is held is denoted $\chi$ and includes five kinds of privilege. The first, $\chi_{M}$ , is the index of the manager service which is the service able to effect an alteration of $\chi$ from block to block as well as bestow services with storage deposit credits. The next, $\chi_{V}$ , is able to set $\iota$ . Then $\chi_{R}$ alone is able to create new service accounts with indices in the protected range. The following, $\chi_{A}$ , are the service indices capable of altering the authorizer queue $\phi$ , one for each core.

Finally, $\chi_{Z}$ is a small dictionary containing the indices of services which automatically accumulate in each block together with a basic amount of gas with which each accumulates. Formally:

(9.9)	$\displaystyle\chi$	$\displaystyle\equiv\!\mathopen{}\mathclose{{}\left\lgroup\chi_{M},\chi_{V},% \chi_{R},\chi_{A},\chi_{Z}}\right\rgroup\!$
(9.10)	$\displaystyle\chi_{M}$	$\displaystyle\in\mathbb{N}_{S}\ ,\qquad\chi_{V}\in\mathbb{N}_{S}\ ,\qquad\chi_% {R}\in\mathbb{N}_{S}$
(9.11)	$\displaystyle\chi_{A}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{S}}\right\rsem_{% \mathsf{C}}\ ,\qquad\chi_{Z}\in\mathopen{}\mathclose{{}\left\langlebar\mathbb{% N}_{S}\to\mathbb{N}_{G}}\right\ranglebar$

10. Disputes, Verdicts and Judgments

Jam provides a means of recording judgments: consequential votes amongst most of the validators over the validity of a work-report (a unit of work done within Jam, see section 11). Such collections of judgments are known as verdicts. Jam also provides a means of registering offenses, judgments and guarantees which dissent with an established verdict. Together these form the disputes system.

The registration of a verdict is not expected to happen very often in practice, however it is an important security backstop for removing and banning invalid work-reports from the processing pipeline as well as removing troublesome keys from the validator set where there is consensus over their malfunction. It also helps coordinate nodes to revert chain-extensions containing invalid work-reports and provides a convenient means of aggregating all offending validators for punishment in a higher-level system.

Judgement statements come about naturally as part of the auditing process and are expected to be positive, further affirming the guarantors’ assertion that the work-report is valid. In the event of a negative judgment, then all validators audit said work-report and we assume a verdict will be reached. Auditing and guaranteeing are off-chain processes properly described in sections 14 and 17.

A judgment against a report implies that the chain is already reverted to some point prior to the accumulation of said report, usually forking at the block immediately prior to that at which accumulation happened. The specific strategy for chain selection is described fully in section 19. Authoring a block with a non-positive verdict has the effect of cancelling its imminent accumulation, as can be seen in equation 10.14.

Registering a verdict also has the effect of placing a permanent record of the event on-chain and allowing any offending keys to be placed on-chain both immediately or in forthcoming blocks, again for permanent record.

Having a persistent on-chain record of misbehavior is helpful in a number of ways. It provides a very simple means of recognizing the circumstances under which action against a validator must be taken by any higher-level validator-selection logic. Should Jam be used for a public network such as Polkadot, this would imply the slashing of the offending validator’s stake on the staking parachain.

As mentioned, recording reports found to have a high confidence of invalidity is important to ensure that said reports are not allowed to be resubmitted. Conversely, recording reports found to be valid ensures that additional disputes cannot be raised in the future of the chain.

10.1. The State

The disputes state includes four items, three of which concern verdicts: a good-set ( $\psi_{G}$ ), a bad-set ( $\psi_{B}$ ) and a wonky-set ( $\psi_{W}$ ) containing the hashes of all work-reports which were respectively judged to be correct, incorrect or that it appears impossible to judge. The fourth item, the punish-set ( $\psi_{O}$ ), is a set of Ed25519 keys representing validators which were found to have misjudged a work-report.

(10.1)

\psi\equiv\mathopen{}\mathclose{{}\left(\psi_{G},\psi_{B},\psi_{W},\psi_{O}}\right)

10.2. Extrinsic

The disputes extrinsic $\mathbf{E}_{D}$ is functional grouping of three otherwise independent extrinsics. It comprises verdicts $\mathbf{E}_{V}$ , culprits $\mathbf{E}_{C}$ , and faults $\mathbf{E}_{F}$ . Verdicts are a compilation of judgments coming from either the active validator set or the previous epoch’s validator set, i.e. the Ed25519 keys of $\kappa$ or $\lambda$ . Culprits and faults are proofs of the misbehavior of one or more validators, respectively either by guaranteeing a work-report found to be invalid, or by signing a judgment found to be in contradiction to a work-report’s validity. Both of these are considered a kind of offense. Formally:

(10.2)	$\displaystyle\mathbf{E}_{D}$	$\displaystyle\equiv\!\mathopen{}\mathclose{{}\left\lgroup\mathbf{E}_{V},% \mathbf{E}_{C},\mathbf{E}_{F}}\right\rgroup\!$
	$\displaystyle\text{where }\mathbf{E}_{V}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}% \left\lgroup\mathbb{H},\mathopen{}\mathclose{{}\left\lfloor\frac{\tau}{\mathsf% {E}}}\right\rfloor-\mathbb{N}_{2},\mathopen{}\mathclose{{}\left\lsem\!% \mathopen{}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\{\,\top,\bot% \,}\right\},\mathbb{N},\bar{\mathbb{V}}}\right\rgroup\!}\right\rsem}\right% \rgroup\!}\right\rsem_{:\mathsf{N}_{V}}$
	$\displaystyle\text{and }\mathbf{E}_{C}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}% \left\lgroup\mathbb{H},\bar{\mathbb{H}},\bar{\mathbb{V}}}\right\rgroup\!}% \right\rsem_{:\mathsf{N}_{O}}$
	$\displaystyle\text{and }\mathbf{E}_{F}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}% \left\lgroup\mathbb{H},\mathopen{}\mathclose{{}\left\{\,\top,\bot\,}\right\},% \bar{\mathbb{H}},\bar{\mathbb{V}}}\right\rgroup\!}\right\rsem_{:\mathsf{N}_{O}}$

The signatures of all judgments must be valid in terms of one of the two allowed validator key-sets, identified by the verdict’s second term which must be either the epoch index of the prior state or one less. Each verdict must contain judgments from exactly two-thirds plus one of the identified validators. Formally:

(10.3)		$\displaystyle K(a)\equiv\begin{cases}\kappa&\text{if }a=\displaystyle\mathopen% {}\mathclose{{}\left\lfloor\frac{\tau}{\mathsf{E}}}\right\rfloor\\ \lambda&\text{otherwise}\end{cases}$
(10.4)		$\displaystyle\begin{aligned} \forall\mathopen{}\mathclose{{}\left(r,a,\mathbf{% j}}\right)\in\mathbf{E}_{V}:\bigwedge&\mathopen{}\mathclose{{}\left\{\begin{% aligned} &\mathopen{}\mathclose{{}\left\|\mathbf{j}}\right\|=\mathopen{}% \mathclose{{}\left\lfloor\nicefrac{{2}}{{3}}\mathopen{}\mathclose{{}\left\|% \mathbf{k}}\right\|}\right\rfloor+1\,,\\ &\forall\mathopen{}\mathclose{{}\left(v,i,s}\right)\in\mathbf{j}:\\ &\quad i<\mathopen{}\mathclose{{}\left\|\mathbf{k}}\right\|\wedge s\in\bar{% \mathbb{V}}_{\mathbf{k}[i]_{e}}\mathopen{}\mathclose{{}\left\langle\mathsf{X}_% {v}\frown r}\right\rangle\end{aligned}}\right.\\ &\text{where }\mathbf{k}=K(a)\end{aligned}$
(10.5)		$\displaystyle\mathsf{X}_{\top}\equiv\text{{\small{\$jam\_valid}}}\,,\ \mathsf{% X}_{\bot}\equiv\text{{\small{\$jam\_invalid}}}$

Offender signatures must be similarly valid and reference work-reports with judgments and may not report keys which are already in the punish-set:

(10.6)		$\displaystyle\forall\mathopen{}\mathclose{{}\left(r,f,s}\right)$	$\displaystyle\in\mathbf{E}_{C}:\bigwedge\mathopen{}\mathclose{{}\left\{\begin{% aligned} &r\in\psi_{B}^{\prime}\,,\\ &f\in\mathbf{k}\,,\\ &s\in\bar{\mathbb{V}}_{f}\mathopen{}\mathclose{{}\left\langle\mathsf{X}_{G}% \frown r}\right\rangle\end{aligned}}\right.$
(10.7)		$\displaystyle\forall\mathopen{}\mathclose{{}\left(r,v,f,s}\right)$	$\displaystyle\in\mathbf{E}_{F}:\bigwedge\mathopen{}\mathclose{{}\left\{\begin{% aligned} &r\in\psi_{B}^{\prime}\Leftrightarrow r\not\in\psi_{G}^{\prime}% \Leftrightarrow v\,,\\ &f\in\mathbf{k}\,,\\ &s\in\bar{\mathbb{V}}_{f}\mathopen{}\mathclose{{}\left\langle\mathsf{X}_{v}% \frown r}\right\rangle\\ \end{aligned}}\right.$
	$\displaystyle\text{where }\mathbf{k}$	$\displaystyle=\mathopen{}\mathclose{{}\left\{\,i_{e}\;\middle\|\;i\in\lambda% \cup\kappa\,}\right\}\setminus\psi_{O}$

Verdicts $\mathbf{E}_{V}$ must be ordered by report hash. Offender signatures $\mathbf{E}_{C}$ and $\mathbf{E}_{F}$ must each be ordered by the validator’s Ed25519 key. There may be no duplicate report hashes within the extrinsic, nor amongst any past reported hashes. Formally:

(10.8)		$\displaystyle\mathbf{E}_{V}=\mathopen{}\mathclose{{}\left[\mathopen{}% \mathclose{{}\left(r,a,\mathbf{j}}\right)\in\mathbf{E}_{V}\,\middle\lWavy\,r}\right]$
(10.9)		$\displaystyle\mathbf{E}_{C}=\mathopen{}\mathclose{{}\left[\mathopen{}% \mathclose{{}\left(r,f,s}\right)\in\mathbf{E}_{C}\,\middle\lWavy\,f}\right]\,,% \ \mathbf{E}_{F}=\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(r% ,v,f,s}\right)\in\mathbf{E}_{F}\,\middle\lWavy\,f}\right]\!\!\!\!\!\!$
(10.10)		$\displaystyle\mathopen{}\mathclose{{}\left\{\,r\;\middle\|\;\mathopen{}% \mathclose{{}\left(r,a,\mathbf{j}}\right)\in\mathbf{E}_{V}\,}\right\}% \downspoon\psi_{G}\cup\psi_{B}\cup\psi_{W}$

The judgments of all verdicts must be ordered by validator index and there may be no duplicates:

(10.11)

\forall\mathopen{}\mathclose{{}\left(r,a,\mathbf{j}}\right)\in\mathbf{E}_{V}:% \mathbf{j}=\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(v,i,s}% \right)\in\mathbf{j}\,\middle\lWavy\,i}\right]

We define $\mathbf{v}$ to derive from the sequence of verdicts introduced in the block’s extrinsic. For each verdict, $\mathbf{v}$ contains only the report hash and whether the report is good ( $\top$ ), bad ( $\bot$ ) or wonky ( $\emptyset$ ), which is determined from the sum of positive judgments. We require this sum to be either exactly two-thirds-plus-one, zero or one-third of the validator set indicating, respectively, that the report is good, that it’s bad, or that it’s wonky.¹¹¹¹ 11 This requirement may seem somewhat arbitrary, but these happen to be the decision thresholds for our three possible actions and are acceptable since the security assumptions include the requirement that at least two-thirds-plus-one validators are live ([4] discusses the security implications in depth). Formally:

(10.12)	$\displaystyle\mathbf{v}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\mathopen{}\mathclose{{}% \left(\mathbb{H},\mathopen{}\mathclose{{}\left\{\,\top,\bot,\emptyset\,}\right% \}}\right)}\right\rsem$
	$\displaystyle\mathbf{v}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left% (r,V(a,\mathbf{j})}\right)\;\middle\|\;\mathopen{}\mathclose{{}\left(r,a,% \mathbf{j}}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{E}_% {V}}\right]$
	$\displaystyle V(a,\mathbf{j})$	$\displaystyle\equiv\begin{cases}\top&\text{if }t=\mathopen{}\mathclose{{}\left% \lfloor\nicefrac{{2}}{{3}}\mathopen{}\mathclose{{}\left\|\mathbf{k}}\right\|}% \right\rfloor+1\\ \bot&\text{if }t=0\\ \emptyset&\text{if }t=\mathopen{}\mathclose{{}\left\lfloor\nicefrac{{1}}{{3}}% \mathopen{}\mathclose{{}\left\|\mathbf{k}}\right\|}\right\rfloor\end{cases}$
	$\displaystyle\text{where }t$	$\displaystyle=\sum_{\mathopen{}\mathclose{{}\left(v,i,s}\right)\in\mathbf{j}}% \!\!\!\!v$
	$\displaystyle\text{and }\mathbf{k}$	$\displaystyle=K(a)$

Any verdict containing solely valid judgments implies the same report having at least one valid entry in the faults sequence $\mathbf{E}_{F}$ . Formally:

(10.13)

\displaystyle\forall\mathopen{}\mathclose{{}\left(r,\top}\right)\in\mathbf{v}

\displaystyle:\exists\mathopen{}\mathclose{{}\left(r,\dots}\right)\in\mathbf{E% }_{F}

We clear any availability assignments for work-reports which we judged as uncertain or invalid:

(10.14)

\forall c\in\mathbb{N}_{\mathsf{C}}:\rho^{\dagger}\mathopen{}\mathclose{{}% \left[c}\right]=\begin{cases}\emptyset&\!\!\!\!\text{if }\mathopen{}\mathclose% {{}\left(\mathcal{H}\mathopen{}\mathclose{{}\left((\rho\mathopen{}\mathclose{{% }\left[c}\right]_{\mathbf{g}})_{\mathbf{r}}}\right),v}\right)\in\mathbf{v},v% \in\mathopen{}\mathclose{{}\left\{\,\bot,\emptyset\,}\right\}\\ \rho\mathopen{}\mathclose{{}\left[c}\right]&\!\!\!\!\text{otherwise}\end{cases% }\!\!\!\!\!\!\!

The state’s good-set, bad-set and wonky-set assimilate the hashes of the reports from each verdict. Finally, the punish-set accumulates the keys of any validators who have been found guilty of offending. Formally:

(10.15)	$\displaystyle\psi_{G}^{\prime}$	$\displaystyle\equiv\psi_{G}\cup\mathopen{}\mathclose{{}\left\{\,r\;\middle\|\;% \mathopen{}\mathclose{{}\left(r,\top}\right)\in\mathbf{v}\,}\right\}$
(10.16)	$\displaystyle\psi_{B}^{\prime}$	$\displaystyle\equiv\psi_{B}\cup\mathopen{}\mathclose{{}\left\{\,r\;\middle\|\;% \mathopen{}\mathclose{{}\left(r,\bot}\right)\in\mathbf{v}\,}\right\}$
(10.17)	$\displaystyle\psi_{W}^{\prime}$	$\displaystyle\equiv\psi_{W}\cup\mathopen{}\mathclose{{}\left\{\,r\;\middle\|\;% \mathopen{}\mathclose{{}\left(r,\emptyset}\right)\in\mathbf{v}\,}\right\}$
(10.18)	$\displaystyle\begin{split}\psi_{O}^{\prime}&\equiv\psi_{O}\cup\mathopen{}% \mathclose{{}\left\{\,f\;\middle\|\;\mathopen{}\mathclose{{}\left(f,\dots}% \right)\in\mathbf{E}_{C}\,}\right\}\\ &\phantom{{}\equiv\psi_{O}{}}\cup\mathopen{}\mathclose{{}\left\{\,f\;\middle\|% \;\mathopen{}\mathclose{{}\left(f,\dots}\right)\in\mathbf{E}_{F}\,}\right\}% \end{split}$

10.3. Header

The offenders markers must contain exactly the keys of all new offenders, respectively. Formally:

(10.19)

\displaystyle\mathbf{H}_{O}

\displaystyle\equiv\mathopen{}\mathclose{{}\left[f\;\middle|\;\mathopen{}% \mathclose{{}\left(f,\dots}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$% -$}}}\mathbf{E}_{C}}\right]\frown\mathopen{}\mathclose{{}\left[f\;\middle|\;% \mathopen{}\mathclose{{}\left(f,\dots}\right)\mathrel{\mathrlap{<}{\scalebox{0% .95}[1.0]{$-$}}}\mathbf{E}_{F}}\right]

11. Reporting and Assurance

Reporting and assurance are the two on-chain processes we do to allow the results of in-core computation to make their way into the state of service accounts, $\delta$ . A work-package, which comprises several work-items, is transformed by validators acting as guarantors into its corresponding work-report, which similarly comprises several work-digests and then presented on-chain within the guarantees extrinsic. At this point, the work-package is erasure coded into a multitude of segments and each segment distributed to the associated validator who then attests to its availability through an assurance placed on-chain. After enough assurances the work-report is considered available, and the work-digests transform the state of their associated service by virtue of accumulation, covered in section 12. The report may also be timed-out, implying it may be replaced by another report without accumulation.

From the perspective of the work-report, therefore, the guarantee happens first and the assurance afterwards. However, from the perspective of a block’s state-transition, the assurances are best processed first since each core may only have one availability assignment (a guaranteed work-report pending availability). Thus, we will first cover the transition arising from processing the availability assurances followed by the work-report guarantees. This synchroneity can be seen formally through the requirement of an intermediate state $\rho^{\ddagger}$ , utilized later in equation 11.32.

11.1. State

The state of the reporting and availability portion of the protocol is largely contained within $\rho$ , which tracks each core’s availability assignment, if any. An availability assignment is a work-report guarantee which has been reported but is not yet known to be available to a super-majority of validators, together with the time at which it was reported. Formally:

(11.1)

\rho\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}\left% \lgroup\mathbf{g}\in\mathbb{G},\,t\in\mathbb{N}_{T}}\right\rgroup\!\bm{?}}% \right\rsem_{\mathsf{C}}

As usual, intermediate and posterior values ( $\rho^{\dagger}$ , $\rho^{\ddagger}$ , $\rho^{\prime}$ ) are held under the same constraints as the prior value.

A work-report guarantee, of the set $\mathbb{G}$ , consists of a work-report together with signatures from guarantors attesting to its correctness. $\mathbb{G}$ is formally defined and guarantees discussed further in section 11.4. For now, we concern ourselves with the work-reports that guarantees attest to.

11.1.1. Work Report

A work-report, of the set $\mathbb{R}$ , is defined as a tuple of the work-package specification, $\mathbf{s}$ ; the refinement context, $\mathbf{c}$ ; the core-index (i.e. on which the work is done), $c$ ; as well as the authorizer hash $a$ and trace $\mathbf{t}$ ; a segment-root lookup dictionary $\mathbf{l}$ ; the gas consumed during the Is-Authorized invocation, $g$ ; and finally the work-digests $\mathbf{d}$ which comprise the results of the evaluation of each of the items in the package together with some associated data. Formally:

(11.2)

\mathbb{R}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\begin{aligned} &\mathbf% {s}\in\mathbb{Y},\ \mathbf{c}\in\mathbb{C},\ c\in\mathbb{N}_{\mathsf{C}},\ a% \in\mathbb{H},\ \mathbf{t}\in\mathbb{B},\\ &\mathbf{l}\in\mathopen{}\mathclose{{}\left\langlebar\mathbb{H}\to\mathbb{H}}% \right\ranglebar,\ \mathbf{d}\in\mathopen{}\mathclose{{}\left\lsem\mathbb{D}}% \right\rsem_{1:\mathsf{I}},\ g\in\mathbb{N}_{G}\end{aligned}}\right\rgroup\!

We limit the sum of the number of items in the segment-root lookup dictionary and the number of prerequisites to $\mathsf{J}=8$ :

(11.3)

\forall\mathbf{r}\in\mathbb{R}:\mathopen{}\mathclose{{}\left|\mathbf{r}_{% \mathbf{l}}}\right|+\mathopen{}\mathclose{{}\left|(\mathbf{r}_{\mathbf{c}})_{% \mathbf{p}}}\right|\leq\mathsf{J}

11.1.2. Refinement Context

A refinement context, denoted by the set $\mathbb{C}$ , describes the context of the chain at the point that the report’s corresponding work-package was evaluated. It identifies two historical blocks, the anchor, header hash $a$ , timeslot $n$ , posterior state-root $s$ and accumulation output log super-peak $b$ ; and the lookup-anchor, header hash $l$ , timeslot $t$ and posterior state-root $r$ . Finally, it identifies the hash of any prerequisite work-packages $\mathbf{p}$ . Formally:

(11.4)

\mathbb{C}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\,\begin{aligned} a&\in% \mathbb{H}\,,\;&n&\in\mathbb{N}_{T}\,,\;&s&\in\mathbb{H}\,,\;&b&\in\mathbb{H}% \,,\;\\ l&\in\mathbb{H}\,,\;&t&\in\mathbb{N}_{T}\,,\;&r&\in\mathbb{H}\,,\;&\mathbf{p}&% \in\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}\mathclose{{}\left[\,% \mathbb{H}\,}\right]\mkern-5.0mu}\right\}\end{aligned}}\right\rgroup\!

11.1.3. Availability

We define the set of availability specifications, $\mathbb{Y}$ , as the tuple of the work-package’s hash $p$ , an auditable work bundle length $l$ (see section 14.4.1 for more clarity on what this is), together with an erasure-root $u$ , the total number of erasure-coded chunks $v$ , a segment-root $e$ and segment-count $n$ . Work-reports include this availability specification in order to ensure the original work-package is able to be correctly reconstructed and the purported ramifications audited. Formally:

(11.5)

\displaystyle\mathbb{Y}

\displaystyle\equiv\!\mathopen{}\mathclose{{}\left\lgroup p\in\mathbb{H}\,,\;l% \in\mathbb{N}_{L}\,,\;u\in\mathbb{H}\,,\;v\in\mathbb{V}\,,\;e\in\mathbb{H}\,,% \;n\in\mathbb{N}}\right\rgroup\!

The erasure-root ( $u$ ) is the root of a binary Merkle tree whose leaves are the $v$ chunks produced by erasure-coding the work-package bundle and exported segments. As one chunk is distributed to each assurer, the number of chunks must equal the size of the assuring validator set. The erasure-root functions as a commitment to all data required for the auditing of the report and for use by later work-packages should they need to retrieve any data yielded. It is thus used by assurers to verify the correctness of data they have been sent by guarantors, and it is later verified as correct by auditors. It is discussed fully in section 14.

The segment-root ( $e$ ) is the root of a constant-depth, left-biased and zero-hash-padded binary Merkle tree committing to the hashes of each of the exported segments of each work-item. These are used by guarantors to verify the correctness of any reconstructed segments they are called upon to import for evaluation of some later work-package. It is also discussed in section 14.

11.1.4. Work Digest

We finally come to define a work-digest, $\mathbb{D}$ , which is the data conduit by which services’ states may be altered through the computation done within a work-package.

(11.6)

\mathbb{D}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\begin{aligned} s&\in% \mathbb{N}_{S}\,,\;&c&\in\mathbb{H}\,,\;&y&\in\mathbb{H}\,,\;&g&\in\mathbb{N}_% {G}\,,\;&\mathbf{l}&\in\mathbb{B}\cup\mathbb{E}\,,\;\\ u&\in\mathbb{N}_{G}\,,\;&i&\in\mathbb{N}\,,\;&x&\in\mathbb{N}\,,\;&z&\in% \mathbb{N}\,,\;&e&\in\mathbb{N}\end{aligned}}\right\rgroup\!

Work-digests are a tuple comprising several items. Firstly $s$ , the index of the service whose state is to be altered and thus whose refine code was already executed. We include the hash of the code of the service at the time of being reported $c$ , which must be accurately predicted within the work-report according to equation 11.45.

Next, the hash of the payload ( $y$ ) within the work item which was executed in the refine stage to give this result. This has no immediate relevance, but is something provided to the accumulation logic of the service. We follow with the gas limit $g$ for executing this item’s accumulate.

There is the work result, the output blob or error of the execution of the code, $\mathbf{l}$ , which may be either an octet sequence in case it was successful, or a member of the set $\mathbb{E}$ , if not. This latter set is defined as the set of possible errors, formally:

(11.7)

\mathbb{E}\in\mathopen{}\mathclose{{}\left\{\,\infty,\lightning,\circledcirc,% \circleddash,\text{{\small{BAD}}},\text{{\small{BIG}}}\,}\right\}

The first two are special values concerning execution of the virtual machine, $\infty$ denoting an out-of-gas error and $\lightning$ denoting an unexpected program termination. Of the remaining four, the first indicates that the number of exports made was invalidly reported, the second that the size of the digest (refinement output) would cross the acceptable limit, the third indicates that the service’s code was not available for lookup in state at the posterior state of the lookup-anchor block. The fourth indicates that the code was available but was beyond the maximum size allowed $\mathsf{W}_{C}$ .

Finally, we have five fields describing the level of activity which this workload imposed on the core in bringing the result to bear. We include $u$ the actual amount of gas used during refinement; $i$ and $e$ the number of segments imported from, and exported into, the D³L respectively; and $x$ and $z$ the number of, and total size in octets of, the extrinsics used in computing the workload. See section 14 for more information on the meaning of these values.

In order to ensure fair use of a block’s extrinsic space, work-reports are limited in the maximum total size of the successful refinement output blobs together with the authorizer trace, effectively limiting their overall size:

(11.8)	$\displaystyle\forall\mathbf{r}\in\mathbb{R}$	$\displaystyle:\mathopen{}\mathclose{{}\left\|\mathbf{r}_{\mathbf{t}}}\right\|+% \sum\limits_{i=0}^{i<\mathopen{}\mathclose{{}\left\|\mathbf{r}_{\mathbf{d}}}% \right\|}L(\mathbf{r}_{\mathbf{d}}\mathopen{}\mathclose{{}\left[i}\right]_{% \mathbf{l}})\leq\mathsf{W}_{R}$
(11.9)	$\displaystyle L(\mathbf{l}\in\mathbb{B}\cup\mathbb{E})$	$\displaystyle\equiv\begin{cases}\mathopen{}\mathclose{{}\left\|\mathbf{l}}% \right\|&\text{if }\mathbf{l}\in\mathbb{B}\\ 0&\text{otherwise}\end{cases}$
(11.10)	$\displaystyle\mathsf{W}_{R}$	$\displaystyle\equiv 48\cdot 2^{10}$

11.2. Package Availability Assurances

We first define $\rho^{\ddagger}$ , the intermediate state to be utilized next in section 11.4, as well as $\mathbf{R}$ , the set of available work-reports, which we will utilize later in section 12. Both require the integration of information from the assurances extrinsic $\mathbf{E}_{A}$ .

11.2.1. The Assurances Extrinsic

The assurances extrinsic is a sequence of assurance values, at most one per validator. Each assurance is a sequence of binary values (i.e. a bitstring), one per core, together with a signature and the index of the validator who is assuring. A value of $1$ (or $\top$ , if interpreted as a Boolean) at any given index implies that the validator assures they are contributing to its availability.¹²¹² 12 This is a “soft” implication since there is no consequence on-chain if dishonestly reported. For more information on this implication see section 16. Formally:

(11.11)

\displaystyle\mathbf{E}_{A}\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}% \mathclose{{}\left\lgroup a\in\mathbb{H},\,f\in\mathbb{b}_{\mathsf{C}},\,v\in% \mathbb{N}_{\mathopen{}\mathclose{{}\left|\kappa}\right|},\,s\in\bar{\mathbb{V% }}}\right\rgroup\!}\right\rsem

The assurances must all be anchored on the parent and ordered by validator index:

(11.12)		$\displaystyle\forall a$	$\displaystyle\in\mathbf{E}_{A}:a_{a}=\mathbf{H}_{P}$
(11.13)		$\displaystyle\forall i$	$\displaystyle\in\mathopen{}\mathclose{{}\left\{\,1\dots\mathopen{}\mathclose{{% }\left\|\mathbf{E}_{A}}\right\|\,}\right\}:\mathbf{E}_{A}\mathopen{}\mathclose{{% }\left[i-1}\right]_{v}<\mathbf{E}_{A}\mathopen{}\mathclose{{}\left[i}\right]_{v}$

The signature must be one whose public key is that of the validator assuring and whose message is the serialization of the parent hash $\mathbf{H}_{P}$ and the aforementioned bitstring:

(11.14)			$\displaystyle\forall a\in\mathbf{E}_{A}:a_{s}\in\bar{\mathbb{V}}_{\kappa% \mathopen{}\mathclose{{}\left[a_{v}}\right]_{e}}\mathopen{}\mathclose{{}\left% \langle\mathsf{X}_{A}\frown\mathcal{H}\mathopen{}\mathclose{{}\left(\mathcal{E% }\mathopen{}\mathclose{{}\left(\mathbf{H}_{P},a_{f}}\right)}\right)}\right\rangle$
(11.15)			$\displaystyle\mathsf{X}_{A}\equiv\text{{\small{\$jam\_available}}}$

A bit may only be set if the corresponding core has an availability assignment:

(11.16)

\forall a\in\mathbf{E}_{A},c\in\mathbb{N}_{\mathsf{C}}:\quad a_{f}\mathopen{}% \mathclose{{}\left[c}\right]\Rightarrow\rho^{\dagger}\mathopen{}\mathclose{{}% \left[c}\right]\neq\emptyset

11.2.2. Available Reports

A work-report is said to become available if and only if there are a clear $\nicefrac{{2}}{{3}}$ super-majority of validators who have marked its core as set within the block’s assurance extrinsic. Formally, we define the sequence of newly available work-reports $\mathbf{R}$ as:

(11.17)

\displaystyle\mathbf{R}

\displaystyle\equiv\mathopen{}\mathclose{{}\left[(\rho^{\dagger}\mathopen{}% \mathclose{{}\left[c}\right]_{\mathbf{g}})_{\mathbf{r}}\;\middle|\;c\mathrel{% \mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbb{N}_{\mathsf{C}},\;\sum_{a\in% \mathbf{E}_{A}}\!a_{f}\mathopen{}\mathclose{{}\left[c}\right]\,>\,\nicefrac{{2% }}{{3}}\,\mathopen{}\mathclose{{}\left|\kappa}\right|}\right]

This value is utilized in the definition of both $\delta^{\prime}$ and $\rho^{\ddagger}$ which we will define presently as equivalent to $\rho^{\dagger}$ except for the removal of items which are either now available or have timed out:

(11.18)		$\displaystyle\forall c\in\mathbb{N}_{\mathsf{C}}:\rho^{\ddagger}\mathopen{}% \mathclose{{}\left[c}\right]\equiv{}$	$\displaystyle\begin{cases}\emptyset&\text{if }p=\emptyset\vee(p_{\mathbf{g}})_% {\mathbf{r}}\in\mathbf{R}\vee{}\\ &\phantom{\text{if }}\mathbf{H}_{T}\geq p_{t}+\mathsf{U}\vee\mathopen{}% \mathclose{{}\left\|\kappa}\right\|\neq\mathopen{}\mathclose{{}\left\|\kappa^{% \prime}}\right\|\\ p&\text{otherwise}\end{cases}$
(11.18)			$\displaystyle\text{where }p=\rho^{\dagger}\mathopen{}\mathclose{{}\left[c}\right]$

Note that all items are cleared when the size of the active validator key set $\kappa$ changes. Items cleared in this way can be viewed as having timed out early.

11.3. Guarantor Assignments

As discussed in section 4.9, the amount of in-core computation that is possible scales with the number of validator nodes. Concretely, while there are a fixed number of cores $\mathsf{C}=341$ , only the first $\nicefrac{{\mathopen{}\mathclose{{}\left|\kappa^{\prime}}\right|}}{{3}}$ are active and capable of processing work-packages.

Every block, each active core has three validators uniquely assigned to guarantee work-reports for it. The core index assigned to each of the validators, as well as the validators’ keys are denoted by $\mathbf{M}$ :

(11.19)

\mathbf{M}\in\!\mathopen{}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}% \left\lsem\mathbb{N}_{\mathsf{C}}}\right\rsem_{\mathopen{}\mathclose{{}\left|% \kappa^{\prime}}\right|},\mathopen{}\mathclose{{}\left\lsem\mathbb{K}}\right% \rsem_{\mathopen{}\mathclose{{}\left|\kappa^{\prime}}\right|}}\right\rgroup\!

We determine the core to which any given validator is assigned through a shuffle using epochal entropy and a periodic rotation to help guard the security and liveness of the network. We use $\eta_{2}$ for the epochal entropy rather than $\eta_{1}$ to avoid the possibility of fork-magnification where uncertainty about chain state at the end of an epoch could give rise to two established forks before it naturally resolves.

We define the rotation function $R$ , the permute function $P$ and finally the guarantor assignments $\mathbf{M}$ as follows:

(11.20)	$\displaystyle R(\mathbf{c},n)$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left[(x+n)\bmod\frac{\mathopen{}% \mathclose{{}\left\|\mathbf{c}}\right\|}{3}\;\middle\|\;x\mathrel{\mathrlap{<}{% \scalebox{0.95}[1.0]{$-$}}}\mathbf{c}}\right]$
(11.21)	$\displaystyle P(v,e,t)$	$\displaystyle\equiv R\mathopen{}\mathclose{{}\left(\mathcal{F}\mathopen{}% \mathclose{{}\left(\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left% \lfloor\frac{i}{3}}\right\rfloor\;\middle\|\;i\mathrel{\mathrlap{<}{\scalebox{0% .95}[1.0]{$-$}}}\mathbb{N}_{v}}\right],e}\right),\mathopen{}\mathclose{{}\left% \lfloor\frac{t\bmod\mathsf{E}}{\mathsf{R}}}\right\rfloor}\right)$
(11.22)	$\displaystyle\mathbf{M}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left(P(\mathopen{}\mathclose{{}% \left\|\kappa^{\prime}}\right\|,\eta^{\prime}_{2},\tau^{\prime}),\Phi(\kappa^{% \prime})}\right)$

We also define $\mathbf{M}^{*}$ , which is equivalent to the value $\mathbf{M}$ as it would have been under the previous rotation:

(11.23)		$\displaystyle\text{let }\mathopen{}\mathclose{{}\left(\mathbf{k},e}\right)$	$\displaystyle=\begin{cases}\mathopen{}\mathclose{{}\left(\kappa^{\prime},\eta^% {\prime}_{2}}\right)&\text{if }\displaystyle\mathopen{}\mathclose{{}\left% \lfloor\frac{\tau^{\prime}-\mathsf{R}}{\mathsf{E}}}\right\rfloor=\mathopen{}% \mathclose{{}\left\lfloor\frac{\tau^{\prime}}{\mathsf{E}}}\right\rfloor\\ \mathopen{}\mathclose{{}\left(\lambda^{\prime},\eta^{\prime}_{3}}\right)&\text% {otherwise}\end{cases}$
(11.23)		$\displaystyle\mathbf{M}^{*}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left(P(\mathopen{}\mathclose{{}% \left\|\mathbf{k}}\right\|,e,\tau^{\prime}-\mathsf{R}),\Phi(\mathbf{k})}\right)$

11.4. Work Report Guarantees

We begin by defining $\mathbb{G}$ , the set of guarantees. A guarantee is a tuple of a work-report $\mathbf{r}$ , a credential $a$ and its corresponding timeslot $t$ . The credential is a sequence of two or three tuples of a unique validator index and a signature. Formally:

(11.24)

\mathbb{G}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\mathbf{r}\in\mathbb{R},% \,t\in\mathbb{N}_{T},\,a\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{N},\bar{\mathbb{V}}}\right\rgroup\!}\right% \rsem_{2:3}}\right\rgroup\!

We continue by defining the guarantees extrinsic, $\mathbf{E}_{G}$ , a series of guarantees. The core index of each guarantee in $\mathbf{E}_{G}$ must be unique and guarantees must be in ascending order of this. Formally:

(11.25)		$\displaystyle\mathbf{E}_{G}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\mathbb{G}}\right\rsem_{:% \mathsf{C}}$
(11.26)		$\displaystyle\mathbf{E}_{G}$	$\displaystyle=\mathopen{}\mathclose{{}\left[\mathbf{g}\in\mathbf{E}_{G}\,% \middle\lWavy\,(\mathbf{g}_{\mathbf{r}})_{c}}\right]$

Credentials must be ordered by their validator index:

(11.27)

\displaystyle\forall g

\displaystyle\in\mathbf{E}_{G}:g_{a}=\mathopen{}\mathclose{{}\left[\mathopen{}% \mathclose{{}\left(v,s}\right)\in g_{a}\,\middle\lWavy\,v}\right]

The signature must be one whose public key is that of the validator identified in the credential, and whose message is the serialization of the hash of the work-report. The signing validators must have been assigned to the core in the given timeslot $t$ , which must either be in the same rotation as this block’s timeslot or in the previous rotation. Use of an inactive core is not permitted even if a timeslot in the previous rotation is used and the core was active then. Formally:

(11.28)		$\displaystyle\begin{aligned} &\begin{aligned} \forall\mathopen{}\mathclose{{}% \left(\mathbf{r},t,a}\right)&\in\mathbf{E}_{G},\\ \forall\mathopen{}\mathclose{{}\left(v,s}\right)&\in a\end{aligned}:\mathopen{% }\mathclose{{}\left\{\,\begin{aligned} &v<\mathopen{}\mathclose{{}\left\|% \mathbf{k}}\right\|\wedge\mathbf{c}_{v}=\mathbf{r}_{c}<\frac{\mathopen{}% \mathclose{{}\left\|\kappa^{\prime}}\right\|}{3}\\ &s\in\bar{\mathbb{V}}_{(\mathbf{k}_{v})_{e}}\mathopen{}\mathclose{{}\left% \langle\mathsf{X}_{G}\frown\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{r}% }\right)}\right\rangle\\ &\mathsf{R}(\mathopen{}\mathclose{{}\left\lfloor\nicefrac{{\tau^{\prime}}}{{% \mathsf{R}}}}\right\rfloor-1)\leq t\leq\tau^{\prime}\end{aligned}}\right.\\ &k\in\mathbf{G}\Leftrightarrow\exists\mathopen{}\mathclose{{}\left(\mathbf{r},% t,a}\right)\in\mathbf{E}_{G},\exists\mathopen{}\mathclose{{}\left(v,s}\right)% \in a:k=(\mathbf{k}_{v})_{e}\\ &\quad\text{where }\mathopen{}\mathclose{{}\left(\mathbf{c},\mathbf{k}}\right)% =\begin{cases}\mathbf{M}&\text{if }\displaystyle\mathopen{}\mathclose{{}\left% \lfloor\frac{\tau^{\prime}}{\mathsf{R}}}\right\rfloor=\mathopen{}\mathclose{{}% \left\lfloor\frac{t}{\mathsf{R}}}\right\rfloor\\ \mathbf{M}^{*}&\text{otherwise}\end{cases}\end{aligned}$
(11.29)		$\displaystyle\mathsf{X}_{G}\equiv\text{{\small{\$jam\_guarantee}}}$

We note that the Ed25519 key of each validator whose signature is in a credential is placed in the reporters set $\mathbf{G}$ . This is utilized by the validator activity statistics bookkeeping system section 13.

We denote $\mathbf{I}$ to be the set of work-reports in the present extrinsic $\mathbf{E}$ :

(11.30)

\displaystyle\text{let }\mathbf{I}=\mathopen{}\mathclose{{}\left\{\,\mathbf{g}% _{\mathbf{r}}\;\middle|\;\mathbf{g}\in\mathbf{E}_{G}\,}\right\}

The total number of erasure-coded chunks for each report must match the number of active validators:

(11.31)

\forall\mathbf{r}\in\mathbf{I}:(\mathbf{r}_{\mathbf{s}})_{v}=\mathopen{}% \mathclose{{}\left|\kappa^{\prime}}\right|

No guarantees may be placed on cores which already have availability assignments. A guarantee is valid only if the report’s authorizer hash is present in the authorizer pool of the core on which the work is reported. Formally:

(11.32)

\forall\mathbf{r}\in\mathbf{I}:\rho^{\ddagger}\mathopen{}\mathclose{{}\left[% \mathbf{r}_{c}}\right]=\emptyset\wedge\mathbf{r}_{a}\in\alpha\mathopen{}% \mathclose{{}\left[\mathbf{r}_{c}}\right]

We require that the gas allotted for accumulation of each work-digest in each work-report respects its service’s minimum gas requirements. We also require that all work-reports’ total allotted accumulation gas is no greater than the overall gas limit $\mathsf{G}_{A}$ :

(11.33)

\forall\mathbf{r}\in\mathbf{I}:\sum_{\mathbf{d}\in\mathbf{r}_{\mathbf{d}}}\!(% \mathbf{d}_{g})\leq\mathsf{G}_{A}\ \wedge\ \forall\mathbf{d}\in\mathbf{r}_{% \mathbf{d}}:\mathbf{d}_{g}\geq\delta\mathopen{}\mathclose{{}\left[\mathbf{d}_{% s}}\right]_{g}

11.4.1. Contextual Validity of Reports

For convenience, we define two equivalences $\mathbf{x}$ and $\mathbf{p}$ to be, respectively, the set of all contexts and work-package hashes within the extrinsic:

(11.34)

\text{let }\mathbf{x}\equiv\mathopen{}\mathclose{{}\left\{\,\mathbf{r}_{% \mathbf{c}}\;\middle|\;\mathbf{r}\in\mathbf{I}\,}\right\}\ ,\quad\mathbf{p}% \equiv\mathopen{}\mathclose{{}\left\{\,(\mathbf{r}_{\mathbf{s}})_{p}\;\middle|% \;\mathbf{r}\in\mathbf{I}\,}\right\}

There must be no duplicate work-package hashes (i.e. two work-reports of the same package). Therefore, we require the cardinality of $\mathbf{p}$ to be the length of the work-report sequence $\mathbf{I}$ :

(11.35)

\mathopen{}\mathclose{{}\left|\mathbf{p}}\right|=\mathopen{}\mathclose{{}\left% |\mathbf{I}}\right|

We require that the anchor block be within the last $\mathsf{H}$ blocks and that its details be correct by ensuring that it appears within our most recent blocks $\beta_{H}^{\dagger}$ :

(11.36)

\displaystyle\forall x\in\mathbf{x}:\exists y\in\beta_{H}^{\dagger}:x_{a}=y_{h% }\wedge x_{s}=y_{s}\wedge x_{b}=y_{b}\wedge x_{n}=y_{t}\!\!\!\!\!\!

We require that each lookup-anchor block be within the last $\mathsf{L}$ timeslots:

(11.37)

\displaystyle\forall x\in\mathbf{x}:\ x_{t}\geq\mathbf{H}_{T}-\mathsf{L}

We also require that we have a record of it; this is one of the few conditions which cannot be checked purely with on-chain state and must be checked by virtue of retaining the series of the last $\mathsf{L}$ headers as the ancestor set $\mathbf{A}$ . Since it is determined through the header chain, it is still deterministic and calculable. Formally:

(11.38)

\forall x\in\mathbf{x}:\exists h,h^{\prime}\in\mathbf{A}:\bigwedge\mathopen{}% \mathclose{{}\left\{\begin{aligned} h_{T}&=x_{t}\\ \mathcal{H}\mathopen{}\mathclose{{}\left(h}\right)&=x_{l}\\ h^{\prime}_{P}&=\mathcal{H}\mathopen{}\mathclose{{}\left(h}\right)\\ h^{\prime}_{R}&=x_{r}\end{aligned}}\right.

We require that the work-package of the report not be the work-package of some other report made in the past. We ensure that the work-package not appear anywhere within our pipeline. Formally:

(11.39)		$\displaystyle\text{let }\mathbf{q}=\mathopen{}\mathclose{{}\left\{\,(\mathbf{r% }_{\mathbf{s}})_{p}\;\middle\|\;\mathopen{}\mathclose{{}\left(\mathbf{r},% \mathbf{d}}\right)\in\wideparen{\omega}\,}\right\}$
(11.40)		$\displaystyle\text{let }\mathbf{a}=\mathopen{}\mathclose{{}\left\{\,(((\mathbf% {a}_{\mathbf{g}})_{\mathbf{r}})_{\mathbf{s}})_{p}\;\middle\|\;\mathbf{a}\in\rho% ,\mathbf{a}\neq\emptyset\,}\right\}$
(11.41)		$\displaystyle\forall p\in\mathbf{p},p\not\in\bigcup_{x\in\beta_{H}}\mathcal{K}% \mathopen{}\mathclose{{}\left(x_{\mathbf{p}}}\right)\cup\bigcup_{x\in\xi}x\cup% \mathbf{q}\cup\mathbf{a}$

We require that the prerequisite work-packages, if present, and any work-packages mentioned in the segment-root lookup, be either in the extrinsic or in our recent history.

(11.42)

\displaystyle\begin{aligned} &\forall\mathbf{r}\in\mathbf{I},\forall p\in(% \mathbf{r}_{\mathbf{c}})_{\mathbf{p}}\cup\mathcal{K}\mathopen{}\mathclose{{}% \left(\mathbf{r}_{\mathbf{l}}}\right):\\ &\quad p\in\mathbf{p}\cup\mathopen{}\mathclose{{}\left\{\,x\;\middle|\;x\in% \mathcal{K}\mathopen{}\mathclose{{}\left(b_{\mathbf{p}}}\right),\,b\in\beta_{H% }\,}\right\}\end{aligned}

We require that any segment roots mentioned in the segment-root lookup be verified as correct based on our recent work-package history and the present block:

(11.43)		$\displaystyle\text{let }\mathbf{p}=\mathopen{}\mathclose{{}\left\{\,\mathopen{% }\mathclose{{}\left(((g_{\mathbf{r}})_{\mathbf{s}})_{p}\mapsto((g_{\mathbf{r}}% )_{\mathbf{s}})_{e}}\right)\;\middle\|\;g\in\mathbf{E}_{G}\,}\right\}$
(11.44)		$\displaystyle\forall\mathbf{r}\in\mathbf{I}:\mathbf{r}_{\mathbf{l}}\subseteq% \mathbf{p}\cup\bigcup_{b\in\beta_{H}}b_{\mathbf{p}}$

(Note that these checks leave open the possibility of accepting work-reports in apparent dependency loops. We do not consider this a problem: the pre-accumulation stage effectively guarantees that accumulation never happens in these cases and the reports are simply ignored.)

Finally, we require that all work-digests within the extrinsic predicted the correct code hash for their corresponding service:

(11.45)

\displaystyle\forall\mathbf{r}\in\mathbf{I},\forall\mathbf{d}\in\mathbf{r}_{% \mathbf{d}}:\mathbf{d}_{c}=\delta\mathopen{}\mathclose{{}\left[\mathbf{d}_{s}}% \right]_{c}

11.5. Transitioning for Reports

We define $\rho^{\prime}$ as being equivalent to $\rho^{\ddagger}$ , except where the extrinsic replaced an entry. In the case an entry is replaced, the new value includes the present time $\tau^{\prime}$ so that it can be cleared if it is not made available quickly enough (see equation 11.18).

(11.46)

\forall c\in\mathbb{N}_{\mathsf{C}}:\rho^{\prime}\mathopen{}\mathclose{{}\left% [c}\right]\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\mathbf{g},\,t% \mathrel{\mathop{:}}\tau^{\prime}}\right)&\text{if }\exists\mathbf{g}\in% \mathbf{E}_{G},(\mathbf{g}_{\mathbf{r}})_{c}=c\\ \rho^{\ddagger}\mathopen{}\mathclose{{}\left[c}\right]&\text{otherwise}\end{cases}

It is worth noting that $\rho^{\prime}\mathopen{}\mathclose{{}\left[c}\right]$ is always $\emptyset$ for $c\geq\nicefrac{{\mathopen{}\mathclose{{}\left|\kappa^{\prime}}\right|}}{{3}}$ ; this in particular ensures that we will never have more reports to audit than can safely be managed with the number of active validators.

This concludes the section on reporting and assurance. We now have a complete definition of $\rho^{\prime}$ together with $\mathbf{R}$ to be utilized in section 12, describing the portion of the state transition happening once a work-report is guaranteed and made available.

12. Accumulation

Accumulation may be defined as some function whose arguments are $\mathbf{R}$ and $\delta$ together with selected portions of (at times partially transitioned) state and which yields the posterior service state $\delta^{\prime}$ together with additional state elements $\iota^{\prime}$ , $\phi^{\prime}$ and $\chi^{\prime}$ .

The proposition of accumulation is in fact quite simple: we merely wish to execute the Accumulate logic of the service code of each of the services which has at least one work-digest, passing to it relevant data from said digests together with useful contextual information. However, there are three main complications. Firstly, we must define the execution environment of this logic and in particular the host functions available to it. Secondly, we must define the amount of gas to be allowed for each service’s execution. Finally, we must determine the nature of transfers within Accumulate.

12.1. History and Queuing

Accumulation of a work-report is deferred in the case that it has a not-yet-fulfilled dependency and is cancelled entirely in the case of an invalid dependency. Dependencies are specified as work-package hashes and in order to know which work-packages have been accumulated already, we maintain a history of what has been accumulated. This history, $\xi$ , is sufficiently large for an epoch worth of work-reports. Formally:

(12.1)		$\displaystyle\xi$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\mathopen{}\mathclose{{}% \left\{\mkern-5.0mu\mathopen{}\mathclose{{}\left[\,\mathbb{H}\,}\right]\mkern-% 5.0mu}\right\}}\right\rsem_{\mathsf{E}}$
(12.2)		$\displaystyle\overbrace{\xi}$	$\displaystyle\equiv\bigcup_{x\in\xi}(x)$

We also maintain knowledge of ready (i.e. available and/or audited) but not-yet-accumulated work-reports in the state item $\omega$ . Each of these were made available at most one epoch ago but have or had unfulfilled dependencies. Alongside the work-report itself, we retain its unaccumulated dependencies, a set of work-package hashes. Formally:

(12.3)

\displaystyle\omega

\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\mathopen{}\mathclose{{}% \left\lsem\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{R},\mathopen{}% \mathclose{{}\left\{\mkern-5.0mu\mathopen{}\mathclose{{}\left[\,\mathbb{H}\,}% \right]\mkern-5.0mu}\right\}}\right\rgroup\!}\right\rsem}\right\rsem_{\mathsf{% E}}

The newly available work-reports, $\mathbf{R}$ , are partitioned into two sequences based on the condition of having zero prerequisite work-reports. Those meeting the condition, $\mathbf{R}^{!}$ , are accumulated immediately. Those not, $\mathbf{R}^{Q}$ , are for queued execution. Formally:

(12.4)	$\displaystyle\mathbf{R}^{!}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left[r\;\middle\|\;r\mathrel{% \mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{R},\mathopen{}\mathclose{{}% \left\|(r_{\mathbf{c}})_{\mathbf{p}}}\right\|=0\wedge r_{\mathbf{l}}=\mathopen{}% \mathclose{{}\left\{}\right\}}\right]$
(12.5)	$\displaystyle\mathbf{R}^{Q}$	$\displaystyle\equiv E(\mathopen{}\mathclose{{}\left[D(r)\mid r\mathrel{% \mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{R},\mathopen{}\mathclose{{}% \left\|(r_{\mathbf{c}})_{\mathbf{p}}}\right\|>0\vee r_{\mathbf{l}}\neq\mathopen{% }\mathclose{{}\left\{}\right\}}\right],\overbrace{\xi})\!\!\!\!$
(12.6)	$\displaystyle D(r)$	$\displaystyle\equiv(r,\mathopen{}\mathclose{{}\left\{\,(r_{\mathbf{c}})_{% \mathbf{p}}\,}\right\}\cup\mathcal{K}\mathopen{}\mathclose{{}\left(r_{\mathbf{% l}}}\right))$

We define the queue-editing function $E$ , which is essentially a mutator function for items such as those of $\omega$ , parameterized by sets of now-accumulated work-package hashes (those in $\xi$ ). It is used to update queues of work-reports when some of them are accumulated. Functionally, it removes all entries whose work-report’s hash is in the set provided as a parameter, and removes any dependencies which appear in said set. Formally:

(12.7)

E\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} &\!\mathopen{}\mathclose% {{}\left\lgroup\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}% \left\lgroup\mathbb{R},\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}% \mathclose{{}\left[\,\mathbb{H}\,}\right]\mkern-5.0mu}\right\}}\right\rgroup\!% }\right\rsem,\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}\mathclose{% {}\left[\,\mathbb{H}\,}\right]\mkern-5.0mu}\right\}}\right\rgroup\!\to% \mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}\left\lgroup% \mathbb{R},\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}\mathclose{{}% \left[\,\mathbb{H}\,}\right]\mkern-5.0mu}\right\}}\right\rgroup\!}\right\rsem% \\ &\mathopen{}\mathclose{{}\left(\mathbf{r},\mathbf{x}}\right)\mapsto\mathopen{}% \mathclose{{}\left[\mathopen{}\mathclose{{}\left(r,\mathbf{d}\setminus\mathbf{% x}}\right)\;\middle|\;\begin{aligned} &\mathopen{}\mathclose{{}\left(r,\mathbf% {d}}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{r},\\ &(r_{\mathbf{s}})_{p}\not\in\mathbf{x}\end{aligned}}\right]\end{aligned}}\right.

We further define the accumulation priority queue function $Q$ , which provides the sequence of work-reports which are able to be accumulated given a set of not-yet-accumulated work-reports and their dependencies.

(12.8)

Q\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} &\mathopen{}\mathclose{{% }\left\lsem\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{R},\mathopen{}% \mathclose{{}\left\{\mkern-5.0mu\mathopen{}\mathclose{{}\left[\,\mathbb{H}\,}% \right]\mkern-5.0mu}\right\}}\right\rgroup\!}\right\rsem\to\mathopen{}% \mathclose{{}\left\lsem\mathbb{R}}\right\rsem\\ &\mathbf{r}\mapsto\begin{cases}\mathopen{}\mathclose{{}\left[}\right]&\text{if% }\mathbf{g}=\mathopen{}\mathclose{{}\left[}\right]\\ \mathbf{g}\frown Q(E(\mathbf{r},P(\mathbf{g})))\!\!\!\!&\text{otherwise}\\ \lx@intercol\,\text{where }\mathbf{g}=\mathopen{}\mathclose{{}\left[r\;\middle% |\;\mathopen{}\mathclose{{}\left(r,\mathopen{}\mathclose{{}\left\{}\right\}}% \right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{r}}\right]% \hfil\lx@intercol\end{cases}\end{aligned}}\right.

Finally, we define the mapping function $P$ which extracts the corresponding work-package hashes from a set of work-reports:

(12.9)

P\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathopen{}\mathclose{{}% \left\{\mkern-5.0mu\mathopen{}\mathclose{{}\left[\,\mathbb{R}\,}\right]\mkern-% 5.0mu}\right\}&\to\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}% \mathclose{{}\left[\,\mathbb{H}\,}\right]\mkern-5.0mu}\right\}\\ \mathbf{r}&\mapsto\mathopen{}\mathclose{{}\left\{\,(r_{\mathbf{s}})_{p}\;% \middle|\;r\in\mathbf{r}\,}\right\}\end{aligned}}\right.

We may now define the sequence of accumulatable work-reports in this block as $\mathbf{R}^{*}$ :

(12.10)	$\displaystyle\text{let }m$	$\displaystyle=\mathbf{H}_{T}\bmod\mathsf{E}$
(12.11)	$\displaystyle\mathbf{R}^{*}$	$\displaystyle\equiv\mathbf{R}^{!}\frown Q(\mathbf{q})$
(12.12)	$\displaystyle\quad\text{where }\mathbf{q}$	$\displaystyle=E(\wideparen{\omega_{m\dots}}\frown\wideparen{\omega_{\dots m}}% \frown\mathbf{R}^{Q},P(\mathbf{R}^{!}))$

12.2. Execution

We work with a limited amount of gas per block and therefore may not be able to process all items in $\mathbf{R}^{*}$ in a single block. There are two slightly antagonistic factors allowing us to optimize the amount of work-items, and thus work-reports, accumulated in a single block:

Firstly, while we have a well-known gas-limit for each work-item to be accumulated, accumulation may still result in a lower amount of gas used. Only after a work-item is accumulated can it be known if it uses less gas than the advertised limit. This implies a sequential execution pattern.

Secondly, since pvm setup cannot be expected to be zero-cost, we wish to amortize this cost over as many work-items as possible. This can be done by aggregating work-items associated with the same service into the same pvm invocation. This implies a non-sequential execution pattern.

We resolve this by defining a function $\Delta_{+}$ which accumulates work-reports sequentially, and which itself utilizes a function $\Delta_{*}$ which accumulates work-reports in a non-sequential, service-aggregated manner. In all but the first invocation of $\Delta_{+}$ , we also integrate the effects of any deferred-transfers implied by the previous round of accumulation, thus the accumulation function must accept both the information contained in work-digests and that of deferred-transfers.

Rather than passing whole work-digests into accumulate, we extract the salient information from them and combine with information implied by their work-reports. We call this kind of combined value an operand tuple, $\mathbb{U}$ . Likewise, we denote the set characterizing a deferred transfer as $\mathbb{X}$ , noting that a transfer includes a memo component $m$ of $\mathsf{W}_{T}=128$ octets, together with the service index of the sender $s$ , the service index of the receiver $d$ , the balance to be transferred $a$ and the gas limit $g$ for the transfer. Formally:

(12.13)		$\displaystyle\mathbb{U}$	$\displaystyle\equiv\!\mathopen{}\mathclose{{}\left\lgroup\begin{aligned} p&\in% \mathbb{H},\;&e&\in\mathbb{H},\;&a&\in\mathbb{H},\;y\in\mathbb{H},\;\\ g&\in\mathbb{N}_{G},\;&\mathbf{t}&\in\mathbb{B},\;&\mathbf{l}&\in\mathbb{B}% \cup\mathbb{E}\end{aligned}}\right\rgroup\!$
(12.14)		$\displaystyle\mathbb{X}$	$\displaystyle\equiv\!\mathopen{}\mathclose{{}\left\lgroup s\in\mathbb{N}_{S},d% \in\mathbb{N}_{S},a\in\mathbb{N}_{B},m\in\mathbb{B}_{\mathsf{W}_{T}},g\in% \mathbb{N}_{G}}\right\rgroup\!$

Note that the union of the two characterizes inputs to the Accumulation invocation function $\Psi_{A}$ (defined in equation B.9).

Our formalisms continue by defining $\mathbb{S}$ as a characterization of (i.e. values capable of representing) state components which are both needed and mutable by the accumulation process. This comprises the service accounts state (as in $\delta$ ), the upcoming validator keys $\iota$ , the queue of authorizers $\phi$ and the privileges state $\chi$ . Formally:

(12.15)

\mathbb{S}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\begin{aligned} &\mathbf% {d}\in\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_{S}\to\mathbb{A}}% \right\ranglebar\,,\;\mathbf{i}\in\mathopen{}\mathclose{{}\left\lsem\mathbb{K}% }\right\rsem_{\mathbb{V}}\,,\;\mathbf{q}\in\mathopen{}\mathclose{{}\left\lsem% \mathopen{}\mathclose{{}\left\lsem\mathbb{H}}\right\rsem_{\mathsf{Q}}}\right% \rsem_{\mathsf{C}}\,,\;m\in\mathbb{N}_{S}\,,\\ &\mathbf{a}\in\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{S}}\right\rsem_{% \mathsf{C}}\,,\;v\in\mathbb{N}_{S}\,,\;r\in\mathbb{N}_{S}\,,\;\mathbf{z}\in% \mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_{S}\to\mathbb{N}_{G}}\right% \ranglebar\end{aligned}}\right\rgroup\!

Finally, we define $B$ and $U$ , the sets characterizing service-indexed commitments to accumulation output and service-indexed gas usage respectively:

(12.16)

B\equiv\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}\mathclose{{}% \left[\,\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{N}_{S},\mathbb{H}}\right% \rgroup\!\,}\right]\mkern-5.0mu}\right\}\qquad U\equiv\mathopen{}\mathclose{{}% \left\lsem\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{N}_{S},\mathbb{N}_{G}}% \right\rgroup\!}\right\rsem

We define the outer accumulation function $\Delta_{+}$ which transforms a gas-limit, a sequence of deferred transfers, a sequence of work-reports, an initial partial-state and a dictionary of services enjoying free accumulation, into a tuple of the number of work-reports accumulated, a posterior state-context, the resultant accumulation-output pairings, the service-indexed gas usage and the sequence of processed transfers:

(12.17)

\Delta_{+}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} &\!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{N}_{G},\mathopen{}\mathclose{{}\left\lsem% \mathbb{X}}\right\rsem,\mathopen{}\mathclose{{}\left\lsem\mathbb{R}}\right% \rsem,\mathbb{S},\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_{S}\to% \mathbb{N}_{G}}\right\ranglebar}\right\rgroup\!\to\!\mathopen{}\mathclose{{}% \left\lgroup\mathbb{N},\mathbb{S},B,U,\mathopen{}\mathclose{{}\left\lsem% \mathbb{X}}\right\rsem}\right\rgroup\!\\ &\mathopen{}\mathclose{{}\left(g,\mathbf{t},\mathbf{r},\mathbf{e},\mathbf{f}}% \right)\!\mapsto\!\begin{cases}\mathopen{}\mathclose{{}\left(0,\mathbf{e},% \mathopen{}\mathclose{{}\left\{}\right\},\mathopen{}\mathclose{{}\left[}\right% ],\mathopen{}\mathclose{{}\left[}\right]}\right)&\text{if }n=0\\ \mathopen{}\mathclose{{}\left(i+j,\mathbf{e}^{\prime},\mathbf{b}^{*}\!\cup% \mathbf{b},\mathbf{u}^{*}\!\!\frown\mathbf{u},\mathbf{t}\frown\mathbf{t}^{% \dagger}}\right)\!\!\!\!&\text{o/w}\!\!\!\!\!\!\!\!\\ \end{cases}\\ &\quad\text{where }i=\max(\mathbb{N}_{\mathopen{}\mathclose{{}\left|\mathbf{r}% }\right|+1}):\\ &\qquad\sum_{r\in\mathbf{r}_{\dots i},d\in r_{\mathbf{d}}}\!\!\!\!\!\!\!\!(d_{% g})+\sum_{t\in\mathbf{t}}(t_{g})+\!\!\!\!\sum_{x\in\mathcal{V}\mathopen{}% \mathclose{{}\left(\mathbf{f}}\right)}\!\!\!\!(x)\leq g\\ &\quad\text{and }n=i+\mathopen{}\mathclose{{}\left|\mathbf{t}}\right|+% \mathopen{}\mathclose{{}\left|\mathbf{f}}\right|\\ &\quad\text{and }\mathopen{}\mathclose{{}\left(\mathbf{e}^{*}\!\!,\mathbf{t}^{% *}\!\!,\mathbf{b}^{*}\!\!,\mathbf{u}^{*}}\right)=\Delta_{*}(\mathbf{e},\mathbf% {t},\mathbf{r}_{\dots i},\mathbf{f})\\ &\quad\text{and }\mathopen{}\mathclose{{}\left(j,\mathbf{e}^{\prime}\!,\mathbf% {b},\mathbf{u},\mathbf{t}^{\dagger}}\right)=\Delta_{+}(g^{*},\mathbf{t}^{*}\!% \!,\mathbf{r}_{i\dots},\mathbf{e}^{*}\!\!,\mathopen{}\mathclose{{}\left\{}% \right\})\\ &\quad\text{and }g^{*}=g+\sum_{t\in\mathbf{t^{*}}}(t_{g})-\!\!\!\!\!\!\sum_{% \mathopen{}\mathclose{{}\left(s,u}\right)\in\mathbf{u}^{*}}\!\!\!\!\!\!(u)\end% {aligned}}\right.

We come to define the parallelized accumulation function $\Delta_{*}$ which, with the help of the single-service accumulation function $\Delta_{1}$ , transforms an initial state-context, together with a sequence of deferred transfers, a sequence of work-reports and a dictionary of privileged always-accumulate services, into a tuple of the posterior state-context, the resultant deferred-transfers and accumulation-output pairings, and the service-indexed gas usage. Note that for the privileges we employ a function $R$ which selects the service to which the manager service changed, or if no change was made, then that which the service itself changed to. This allows privileges to be ‘owned‘ and facilitates the removal of the manager service which we see as a helpful possibility. Formally:

(12.18)

\Delta_{*}\colon\mathopen{}\mathclose{{}\left\{\;\begin{aligned} \begin{% aligned} &\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{S},\mathopen{}% \mathclose{{}\left\lsem\mathbb{X}}\right\rsem,\mathopen{}\mathclose{{}\left% \lsem\mathbb{R}}\right\rsem,\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_% {S}\to\mathbb{N}_{G}}\right\ranglebar}\right\rgroup\!\to\!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{S},\mathopen{}\mathclose{{}\left\lsem\mathbb{% X}}\right\rsem,B,U}\right\rgroup\!\\ &\mathopen{}\mathclose{{}\left(\mathbf{e},\mathbf{t},\mathbf{r},\mathbf{f}}% \right)\mapsto\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left(% \mathbf{d}^{\prime},\mathbf{i}^{\prime},\mathbf{q}^{\prime},m^{\prime},\mathbf% {a}^{\prime},v^{\prime},r^{\prime},\mathbf{z}^{\prime}}\right),\wideparen{% \mathbf{t}^{\prime}},\mathbf{b},\mathbf{u}}\right)\!\!\!\!\!\!\\ &\text{where:}\\ &\ \begin{aligned} \text{let }\mathbf{s}&=\mathopen{}\mathclose{{}\left\{\,d_{% s}\;\middle|\;r\in\mathbf{r},d\in r_{\mathbf{d}}\,}\right\}\cup\mathcal{K}% \mathopen{}\mathclose{{}\left(\mathbf{f}}\right)\cup\mathopen{}\mathclose{{}% \left\{\,t_{d}\;\middle|\;t\in\mathbf{t}\,}\right\}\\ \Delta(s)&\equiv\Delta_{1}(\mathbf{e},\mathbf{t},\mathbf{r},\mathbf{f},s)\\ \mathbf{u}&=\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(s,% \Delta(s)_{u}}\right)\;\middle|\;s\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$% -$}}}\mathbf{s}}\right]\\ \mathbf{b}&=\mathopen{}\mathclose{{}\left\{\,\mathopen{}\mathclose{{}\left(s,b% }\right)\;\middle|\;s\in\mathbf{s},\,b=\Delta(s)_{y},\,b\neq\emptyset\,}\right% \}\\ \mathbf{t}^{\prime}&=\mathopen{}\mathclose{{}\left[\Delta(s)_{\mathbf{t}}\;% \middle|\;s\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{s}}\right]% \\ \mathbf{d}^{\prime}&=I((\mathbf{d}\cup\mathbf{n})\setminus\mathbf{m},\bigcup_{% s\in\mathbf{s}}\Delta(s)_{\mathbf{p}})\\ &\mathopen{}\mathclose{{}\left(\mathbf{d},\mathbf{i},\mathbf{q},m,\mathbf{a},v% ,r,\mathbf{z}}\right)=\mathbf{e}\\ \mathbf{e}^{*}&=\Delta(m)_{\mathbf{e}}\\ \mathopen{}\mathclose{{}\left(m^{\prime}\!,\mathbf{z}^{\prime}}\right)&=% \mathbf{e}^{*}_{\mathopen{}\mathclose{{}\left(m,\mathbf{z}}\right)}\\ \forall c\in\mathbb{N}_{\mathsf{C}}:\mathbf{a}^{\prime}_{c}&=R(\mathbf{a}_{c},% (\mathbf{e}^{*}_{\mathbf{a}})_{c},((\Delta(\mathbf{a}_{c})_{\mathbf{e}})_{% \mathbf{a}})_{c})\\ v^{\prime}&=R(v,\mathbf{e}^{*}_{v},(\Delta(v)_{\mathbf{e}})_{v})\\ r^{\prime}&=R(r,\mathbf{e}^{*}_{r},(\Delta(r)_{\mathbf{e}})_{r})\\ \mathbf{i}^{\prime}&=(\Delta(v)_{\mathbf{e}})_{\mathbf{i}}\\ \forall c\in\mathbb{N}_{\mathsf{C}}:\mathbf{q}^{\prime}_{c}&=((\Delta(\mathbf{% a}_{c})_{\mathbf{e}})_{\mathbf{q}})_{c}\\ \mathbf{n}&=\bigcup_{s\in\mathbf{s}}((\Delta(s)_{\mathbf{e}})_{\mathbf{d}}% \setminus\mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{d}\setminus\mathopen% {}\mathclose{{}\left\{\,s\,}\right\}}\right))\\ \mathbf{m}&=\bigcup_{s\in\mathbf{s}}(\mathcal{K}\mathopen{}\mathclose{{}\left(% \mathbf{d}}\right)\setminus\mathcal{K}\mathopen{}\mathclose{{}\left((\Delta(s)% _{\mathbf{e}})_{\mathbf{d}}}\right))\end{aligned}\end{aligned}\end{aligned}}\right.

(12.19)

R(o,a,b)\equiv\begin{cases}b&\text{if }a=o\\ a&\text{otherwise}\end{cases}

Δ R

And $I$ is the preimage integration function, which transforms a dictionary of service states and a set of service/blob pairs into a new dictionary of service states. Preimage provisions into services which no longer exist or whose relevant request is dropped are disregarded:

(12.20)		$\displaystyle I$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} &\!\mathopen% {}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_{% S}\to\mathbb{A}}\right\ranglebar,\mathopen{}\mathclose{{}\left\{\mkern-5.0mu% \mathopen{}\mathclose{{}\left[\,\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{% N}_{S},\mathbb{B}}\right\rgroup\!\,}\right]\mkern-5.0mu}\right\}}\right\rgroup% \!\to\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_{S}\to\mathbb{A}}\right% \ranglebar\\ &\mathopen{}\mathclose{{}\left(\mathbf{d},\mathbf{p}}\right)\mapsto\mathbf{d}^% {\prime}\;\text{where }\mathbf{d}^{\prime}=\mathbf{d}\;\text{except:}\\ &\quad\forall\mathopen{}\mathclose{{}\left(s,\mathbf{i}}\right)\in\mathbf{p},% \;Y(\mathbf{d},s,\mathbf{i}):\\ &\qquad\mathbf{d}^{\prime}\mathopen{}\mathclose{{}\left[s}\right]_{\mathbf{l}}% \mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(\mathcal{H}% \mathopen{}\mathclose{{}\left(\mathbf{i}}\right),\mathopen{}\mathclose{{}\left% \|\mathbf{i}}\right\|}\right)}\right]=\mathopen{}\mathclose{{}\left[\tau^{\prime% }}\right]\\ &\qquad\mathbf{d}^{\prime}\mathopen{}\mathclose{{}\left[s}\right]_{\mathbf{p}}% \mathopen{}\mathclose{{}\left[\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf% {i}}\right)}\right]=\mathbf{i}\end{aligned}}\right.$
(12.21)		$\displaystyle Y$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} &\!\mathopen% {}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_{% S}\to\mathbb{A}}\right\ranglebar,\mathbb{N}_{S},\mathbb{B}}\right\rgroup\!\to{% \mathopen{}\mathclose{{}\left\{\,\bot,\top\,}\right\}}\\ &\mathopen{}\mathclose{{}\left(\mathbf{d},s,\mathbf{i}}\right)\mapsto\begin{% cases}\mathbf{d}\mathopen{}\mathclose{{}\left[s}\right]_{\mathbf{l}}\mathopen{% }\mathclose{{}\left[\mathopen{}\mathclose{{}\left(\mathcal{H}\mathopen{}% \mathclose{{}\left(\mathbf{i}}\right),\mathopen{}\mathclose{{}\left\|\mathbf{i}% }\right\|}\right)}\right]=\mathopen{}\mathclose{{}\left[}\right]&\text{if }s\in% \mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{d}}\right)\\ \bot&\text{otherwise}\end{cases}\end{aligned}}\right.$

We note that while forming the union of all altered, newly added service and newly removed indices, defined in the above context as $\mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{n}}\right)\cup\mathbf{m}$ , different services may not each contribute the same index for a new, altered or removed service. This cannot happen for the set of removed and altered services since the code hash of removable services has no known preimage and thus cannot execute itself to make an alteration. For new services this should also never happen since new indices are explicitly selected to avoid such conflicts. In the unlikely event it does happen, the block must be considered invalid.

The single-service accumulation function, $\Delta_{1}$ , transforms an initial state-context, a sequence of deferred-transfers, a sequence of work-reports, a dictionary of services enjoying free accumulation (with the values indicating the amount of free gas) and a service index into an alterations state-context, a sequence of transfers, a possible accumulation-output, the actual pvm gas used and a set of preimage provisions. This function wrangles the work-digests of a particular service from a set of work-reports and invokes pvm execution with said data:

(12.22)

\mathbb{O}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\begin{aligned} \mathbf{% e}&\in\mathbb{S},\;&\mathbf{t}&\in\mathopen{}\mathclose{{}\left\lsem\mathbb{X}% }\right\rsem,\;y\in\mathbb{H}\bm{?},\;\\ u&\in\mathbb{N}_{G},\;&\mathbf{p}&\in\mathopen{}\mathclose{{}\left\{\mkern-5.0% mu\mathopen{}\mathclose{{}\left[\,\!\mathopen{}\mathclose{{}\left\lgroup% \mathbb{N}_{S},\mathbb{B}}\right\rgroup\!\,}\right]\mkern-5.0mu}\right\}\end{% aligned}}\right\rgroup\!

(12.23)

\displaystyle\Delta_{1}\colon\mathopen{}\mathclose{{}\left\{\;\begin{aligned} % &\begin{aligned} \!\mathopen{}\mathclose{{}\left\lgroup\begin{aligned} &% \mathbb{S},\mathopen{}\mathclose{{}\left\lsem\mathbb{X}}\right\rsem,\mathopen{% }\mathclose{{}\left\lsem\mathbb{R}}\right\rsem,\\ &\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_{S}\to\mathbb{N}_{G}}\right% \ranglebar,\mathbb{N}_{S}\end{aligned}}\right\rgroup\!&\to\mathbb{O}\\ \mathopen{}\mathclose{{}\left(\mathbf{e},\mathbf{t},\mathbf{r},\mathbf{f},s}% \right)&\mapsto\Psi_{A}(\mathbf{e},\tau^{\prime},s,g,\mathbf{i}^{T}\!\!\frown% \mathbf{i}^{U})\end{aligned}\\ &\text{where:}\\ &\ \begin{aligned} g&=\mathcal{U}\mathopen{}\mathclose{{}\left(\mathbf{f}_{s},% 0}\right)+\!\!\!\!\sum_{t\in\mathbf{t},t_{d}=s}\!\!\!\!(t_{g})+\!\!\!\!\!\!\!% \!\sum_{r\in\mathbf{r},d\in r_{\mathbf{d}},d_{s}=s}\!\!\!\!\!\!\!\!(d_{g})\\ \mathbf{i}^{T}&=\mathopen{}\mathclose{{}\left[t\;\middle|\;t\mathrel{\mathrlap% {<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{t},t_{d}=s}\right]\\ \mathbf{i}^{U}&=\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(% \begin{aligned} \mathbf{l}\mathrel{\mathop{:}}d_{\mathbf{l}},\,g\mathrel{% \mathop{:}}d_{g},\,y\mathrel{\mathop{:}}d_{y},\,&\mathbf{t}\;&\mathrel{\mathop% {:}}r_{\mathbf{t}}&,\\ e\mathrel{\mathop{:}}(r_{\mathbf{s}})_{e},\,p\mathrel{\mathop{:}}(r_{\mathbf{s% }})_{p},\,&a\;&\mathrel{\mathop{:}}r_{a}&\end{aligned}}\right)\;\middle|\;% \begin{aligned} r&\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{r},% &\\ d&\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}r_{\mathbf{d}},&\ d_{s}=s% \end{aligned}}\right]\end{aligned}\end{aligned}}\right.\!\!\!\!

This draws upon $g$ , the gas limit implied by the selected deferred-transfers, work-reports and gas-privileges.

12.3. Final State Integration

Given the result of the top-level $\Delta_{+}$ , we may define the posterior state $\chi^{\prime}$ , $\phi^{\prime}$ and $\iota^{\prime}$ as well as the first intermediate state of the service-accounts $\delta^{\dagger}$ and the Accumulation Output Log $\theta^{\prime}$ :

	$\displaystyle\text{let }g=\max\mathopen{}\mathclose{{}\left(\mathsf{G}_{T},% \mathsf{G}_{A}\cdot\mathsf{C}+\textstyle\sum_{x\in\mathcal{V}\mathopen{}% \mathclose{{}\left(\chi_{Z}}\right)}(x)}\right)$
	$\displaystyle\text{and }\mathbf{e}=\mathopen{}\mathclose{{}\left(\mathbf{d}% \mathrel{\mathop{:}}\delta,\mathbf{i}\mathrel{\mathop{:}}\iota,\mathbf{q}% \mathrel{\mathop{:}}\phi,m\mathrel{\mathop{:}}\chi_{M},\mathbf{a}\mathrel{% \mathop{:}}\chi_{A},v\mathrel{\mathop{:}}\chi_{V},r\mathrel{\mathop{:}}\chi_{R% },\mathbf{z}\mathrel{\mathop{:}}\chi_{Z}}\right)\!\!\!\!\!$
(12.24)		$\displaystyle\mathopen{}\mathclose{{}\left(n,\mathbf{e}^{\prime},\mathbf{b},% \mathbf{u},\mathbf{t}}\right)\equiv\Delta_{+}(g,\mathopen{}\mathclose{{}\left[% }\right],\mathbf{R}^{*},\mathbf{e},\chi_{Z})$
(12.25)		$\displaystyle\theta^{\prime}\equiv\mathopen{}\mathclose{{}\left[\mathopen{}% \mathclose{{}\left(s,h}\right)\in\mathbf{b}}\right]$
(12.26)		$\displaystyle\mathopen{}\mathclose{{}\left(\mathbf{d}\mathrel{\mathop{:}}% \delta^{\dagger},\mathbf{i}\mathrel{\mathop{:}}\iota^{\prime},\mathbf{q}% \mathrel{\mathop{:}}\phi^{\prime},m\mathrel{\mathop{:}}\chi_{M}^{\prime},% \mathbf{a}\mathrel{\mathop{:}}\chi_{A}^{\prime},v\mathrel{\mathop{:}}\chi_{V}^% {\prime},r\mathrel{\mathop{:}}\chi_{R}^{\prime},\mathbf{z}\mathrel{\mathop{:}}% \chi_{Z}^{\prime}}\right)\equiv\mathbf{e}^{\prime}\!\!\!\!\!$

From this formulation, we also receive $n$ , the total number of work-reports accumulated and $\mathbf{u}$ , the gas used in the accumulation process for each service. We compose $\mathbf{S}$ , our accumulation statistics, which is a mapping from the service indices which were accumulated to the amount of gas used throughout accumulation and the number of work-items and transfers accumulated. Formally:

(12.27)			$\displaystyle\mathbf{S}\in\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_{S% }\to\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{N},\mathbb{N},\mathbb{N}_{G}% }\right\rgroup\!}\right\ranglebar$
(12.28)			$\displaystyle\textstyle\mathbf{S}\equiv\mathopen{}\mathclose{{}\left\{\,% \mathopen{}\mathclose{{}\left(s\mapsto S(s)}\right)\;\middle\|\;S(s)\neq% \mathopen{}\mathclose{{}\left(0,0,0}\right)\,}\right\}\!\!\!\!$
	where	$\displaystyle S(s)\equiv\mathopen{}\mathclose{{}\left(N(s),T(s),G(s)}\right)$
	and	$\displaystyle N(s)\equiv\mathopen{}\mathclose{{}\left\|\mathopen{}\mathclose{{}% \left[d\;\middle\|\;r\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{R% }^{*}_{\dots n},d\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}r_{\mathbf{d% }},d_{s}=s}\right]}\right\|$
	and	$\displaystyle T(s)\equiv\mathopen{}\mathclose{{}\left\|\mathopen{}\mathclose{{}% \left[t\;\middle\|\;t\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{t% },t_{d}=s}\right]}\right\|$
	and	$\displaystyle G(s)\equiv\sum_{\mathopen{}\mathclose{{}\left(s,u}\right)\in% \mathbf{u}}(u)$

The second intermediate state $\delta^{\ddagger}$ may then be defined with the last-accumulation record being updated for all accumulated services:

(12.29)		$\displaystyle\delta^{\ddagger}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left\{\,\mathopen{}\mathclose{{}% \left(s\mapsto a^{\prime}}\right)\;\middle\|\;\mathopen{}\mathclose{{}\left(s% \mapsto a}\right)\in\delta^{\dagger}\,}\right\}$
(12.30)			$\displaystyle\text{where }a^{\prime}=\begin{cases}a\text{ except }a^{\prime}_{% a}=\tau^{\prime}&\text{if }s\in\mathcal{K}\mathopen{}\mathclose{{}\left(% \mathbf{S}}\right)\\ a&\text{otherwise}\end{cases}$

We define the final state of the ready queue and the accumulated map by integrating those work-reports which were accumulated in this block and shifting any from the prior state with the oldest such items being dropped entirely:

(12.31)	$\displaystyle\xi^{\prime}_{\mathsf{E}-1}$	$\displaystyle=P(\mathbf{R}^{*}_{\dots n})$
(12.32)	$\displaystyle\forall i\in\mathbb{N}_{\mathsf{E}-1}:\xi^{\prime}_{i}$	$\displaystyle\equiv\xi_{i+1}$
(12.33)	$\displaystyle\forall i\in\mathbb{N}_{\mathsf{E}}:{\omega^{\prime}}^{% \circlearrowleft}_{m-i}$	$\displaystyle\equiv\begin{cases}E(\mathbf{R}^{Q},\xi^{\prime}_{\mathsf{E}-1})&% \text{if }i=0\\ \mathopen{}\mathclose{{}\left[}\right]&\text{if }1\leq i<\tau^{\prime}-\tau\\ E({\omega}^{\circlearrowleft}_{m-i},\xi^{\prime}_{\mathsf{E}-1})&\text{if }i% \geq\tau^{\prime}-\tau\end{cases}\!\!\!\!$

12.4. Preimage Integration

After accumulation, we must integrate all preimages provided in the lookup extrinsic to arrive at the posterior account state. The lookup extrinsic is a sequence of pairs of service indices and data. These pairs must be ordered and without duplicates (equation 12.35 requires this). The data must have been solicited by a service but not yet provided in the prior state. Formally:

(12.34)	$\displaystyle\mathbf{E}_{P}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}% \left\lgroup\mathbb{N}_{S},\,\mathbb{B}}\right\rgroup\!}\right\rsem$
(12.35)	$\displaystyle\mathbf{E}_{P}$	$\displaystyle=\mathopen{}\mathclose{{}\left[i\in\mathbf{E}_{P}\,\middle\lWavy% \,i}\right]$
(12.36)	$\displaystyle\forall\mathopen{}\mathclose{{}\left(s,\mathbf{d}}\right)$	$\displaystyle\in\mathbf{E}_{P}:Y(\delta,s,\mathbf{d})$

We disregard, without prejudice, any preimages which due to the effects of accumulation are no longer useful. We define $\delta^{\prime}$ as the state after the integration of the still-relevant preimages:

(12.37)

\delta^{\prime}=I(\delta^{\ddagger},\mathbf{E}_{P})

13. Statistics

13.1. Validator Activity

The Jam chain does not explicitly issue rewards—we leave this as a job to be done by the staking subsystem (in Polkadot’s case envisioned as a system parachain—hosted without fees—in the current imagining of a public Jam network). However, much as with validator punishment information, it is important for the Jam chain to facilitate the arrival of information on validator activity in to the staking subsystem so that it may be acted upon.

Such performance information cannot directly cover all aspects of validator activity; whereas block production, guarantor reports and availability assurance can easily be tracked on-chain, Grandpa, Beefy and auditing activity cannot. In the latter case, this is instead tracked with validator voting activity: validators vote on their impression of each other’s efforts and a median may be accepted as the truth for any given validator. With an assumption of 50% honest validators, this gives an adequate means of oraclizing this information.

The validator statistics are made on a per-epoch basis and we retain one record of completed statistics ( $\pi_{L}$ ) together with one record which serves as an accumulator for the present epoch ( $\pi_{V}$ ). For each epoch we track a performance record for each validator. Together with the core and service statistics defined in the following section $\pi_{C}$ and $\pi_{S}$ , these form $\pi$ , which is thus a tuple of four elements.

(13.1)	$\displaystyle\pi$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left(\pi_{V},\pi_{L},\pi_{C},\pi_{% S}}\right)$
(13.2)	$\displaystyle\!\mathopen{}\mathclose{{}\left\lgroup\pi_{V},\pi_{L}}\right\rgroup\!$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}% \left\lgroup b\in\mathbb{N}\,,t\in\mathbb{N}\,,p\in\mathbb{N}\,,d\in\mathbb{N}% \,,g\in\mathbb{N}\,,a\in\mathbb{N}}\right\rgroup\!}\right\rsem^{2}\!\!\!\!\!\!% \!\!\!\!$
(13.3)	$\displaystyle\mathopen{}\mathclose{{}\left\|\pi_{V}}\right\|$	$\displaystyle=\mathopen{}\mathclose{{}\left\|\kappa}\right\|\ ,\qquad\mathopen{}% \mathclose{{}\left\|\pi_{L}}\right\|=\mathopen{}\mathclose{{}\left\|\lambda}\right\|$

The six validator statistics we track are:

$b$ :: The number of blocks produced by the validator.
$t$ :: The number of tickets introduced by the validator.
$p$ :: The number of preimages introduced by the validator.
$d$ :: The total number of octets across all preimages introduced by the validator.
$g$ :: The number of reports guaranteed by the validator.
$a$ :: The number of availability assurances made by the validator.

The objective statistics are updated in line with their description, formally:

(13.4)		$\displaystyle\begin{split}\pi_{V}^{\dagger}&\equiv\pi_{V}\text{ except }% \forall v\in\mathbb{N}_{\mathopen{}\mathclose{{}\left\|\kappa}\right\|}:\\ \pi_{V}^{\dagger}\mathopen{}\mathclose{{}\left[v}\right]_{a}&=\pi_{V}\mathopen% {}\mathclose{{}\left[v}\right]_{a}+(\exists a\in\mathbf{E}_{A}:a_{v}=v)\end{split}$
(13.5)		$\displaystyle\begin{split}\mathopen{}\mathclose{{}\left(\pi_{V}^{\ddagger},\pi% _{L}^{\prime}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\pi_{V}% ^{\dagger},\pi_{L}}\right)&\text{if }e^{\prime}=e\\ \mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left[\mathopen{}% \mathclose{{}\left(0,\dots}\right),\dots}\right],\pi_{V}^{\dagger}}\right)&% \text{otherwise}\end{cases}\\ \text{where }e&=\mathopen{}\mathclose{{}\left\lfloor\frac{\tau}{\mathsf{E}}}% \right\rfloor\ ,\quad e^{\prime}=\mathopen{}\mathclose{{}\left\lfloor\frac{% \tau^{\prime}}{\mathsf{E}}}\right\rfloor\end{split}$
(13.6)		$\displaystyle\begin{split}\pi_{V}^{\prime}&\equiv\pi_{V}^{\ddagger}\text{ % except }\forall v\in\mathbb{N}_{\mathopen{}\mathclose{{}\left\|\kappa^{\prime}}% \right\|}:\\ \pi_{V}^{\prime}\mathopen{}\mathclose{{}\left[v}\right]_{b}&=\pi_{V}^{\ddagger% }\mathopen{}\mathclose{{}\left[v}\right]_{b}+(v=\mathbf{H}_{I})\\ \pi_{V}^{\prime}\mathopen{}\mathclose{{}\left[v}\right]_{t}&=\pi_{V}^{\ddagger% }\mathopen{}\mathclose{{}\left[v}\right]_{t}+\begin{cases}\mathopen{}% \mathclose{{}\left\|\mathbf{E}_{T}}\right\|&\text{if }v=\mathbf{H}_{I}\\ 0&\text{otherwise}\end{cases}\\ \pi_{V}^{\prime}\mathopen{}\mathclose{{}\left[v}\right]_{p}&=\pi_{V}^{\ddagger% }\mathopen{}\mathclose{{}\left[v}\right]_{p}+\begin{cases}\mathopen{}% \mathclose{{}\left\|\mathbf{E}_{P}}\right\|&\text{if }v=\mathbf{H}_{I}\\ 0&\text{otherwise}\end{cases}\\ \pi_{V}^{\prime}\mathopen{}\mathclose{{}\left[v}\right]_{d}&=\pi_{V}^{\ddagger% }\mathopen{}\mathclose{{}\left[v}\right]_{d}+\begin{cases}\sum_{d\in\mathbf{E}% _{P}}\mathopen{}\mathclose{{}\left\|d}\right\|&\text{if }v=\mathbf{H}_{I}\\ 0&\text{otherwise}\end{cases}\\ \pi_{V}^{\prime}\mathopen{}\mathclose{{}\left[v}\right]_{g}&=\pi_{V}^{\ddagger% }\mathopen{}\mathclose{{}\left[v}\right]_{g}+(\kappa^{\prime}_{v}\in\mathbf{G}% )\end{split}$

Note that $\mathbf{G}$ is the Reporters set, as defined in equation 11.28.

13.2. Cores and Services

The other two components of statistics are the core and service activity statistics. These are tracked only on a per-block basis unlike the validator statistics which are tracked over the whole epoch.

(13.7)		$\displaystyle\pi_{C}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}% \left\lgroup\begin{aligned} d&\in\mathbb{N}\,,\;&p&\in\mathbb{N}\,,\;&i&\in% \mathbb{N}\,,\;&x&\in\mathbb{N}\,,\;\\ z&\in\mathbb{N}\,,\;&e&\in\mathbb{N}\,,\;&l&\in\mathbb{N}\,,\;&u&\in\mathbb{N}% _{G}\end{aligned}}\right\rgroup\!}\right\rsem_{\mathsf{C}}$
(13.8)		$\displaystyle\pi_{S}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}_{S}\to\!% \mathopen{}\mathclose{{}\left\lgroup\begin{aligned} p&\in\mathopen{}\mathclose% {{}\left(\mathbb{N},\mathbb{N}}\right)\,,\;&r&\in\mathopen{}\mathclose{{}\left% (\mathbb{N},\mathbb{N}_{G}}\right)\,,\;\\ i&\in\mathbb{N}\,,\;x\in\mathbb{N}\,,\;&z&\in\mathbb{N}\,,\;e\in\mathbb{N}\,,% \;\\ a&\in\mathopen{}\mathclose{{}\left(\mathbb{N},\mathbb{N},\mathbb{N}_{G}}\right% )\end{aligned}}\right\rgroup\!}\right\ranglebar$

The core statistics are updated using several intermediate values from across the overall state-transition function; $\mathbf{I}$ , the incoming work-reports, as defined in 11.30 and $\mathbf{R}$ , the newly available work-reports, as defined in 11.17. We define the statistics as follows:

(13.9)	$\displaystyle\forall c\in\mathbb{N}_{\mathsf{C}}:\pi_{C}^{\prime}\mathopen{}% \mathclose{{}\left[c}\right]$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left(\begin{aligned} i&\mathrel{% \mathop{:}}R(c)_{i}\,,\;&x&\mathrel{\mathop{:}}R(c)_{x}\,,\;&z&\mathrel{% \mathop{:}}R(c)_{z}\,,\\ e&\mathrel{\mathop{:}}R(c)_{e}\,,\;&u&\mathrel{\mathop{:}}R(c)_{u}\,,\;&l&% \mathrel{\mathop{:}}L(c)\,,\\ d&\mathrel{\mathop{:}}D(c)\,,\;&p&\mathrel{\mathop{:}}\hfil\hfil\displaystyle% \displaystyle\textstyle\sum_{a\in\mathbf{E}_{A}}a_{f}\mathopen{}\mathclose{{}% \left[c}\right]\qquad\end{aligned}}\right)\!\!\!\!$
(13.10)	$\displaystyle\text{where }R(c\in\mathbb{N}_{\mathsf{C}})$	$\displaystyle\equiv\!\!\!\!\!\!\!\!\!\!\!\sum_{\mathbf{d}\in\mathbf{r}_{% \mathbf{d}},\mathbf{r}\in\mathbf{I},\mathbf{r}_{c}=c}\!\!\!\!\!\!\!\!\!\!\!% \mathopen{}\mathclose{{}\left(\mathbf{d}_{i},\mathbf{d}_{x},\mathbf{d}_{z},% \mathbf{d}_{e},\mathbf{d}_{u},}\right)$
(13.11)	$\displaystyle\text{and }L(c\in\mathbb{N}_{\mathsf{C}})$	$\displaystyle\equiv\!\!\!\!\!\!\!\sum_{\mathbf{r}\in\mathbf{I},\mathbf{r}_{c}=% c}\!\!\!\!\!\!\!(\mathbf{r}_{\mathbf{s}})_{l}$
(13.12)	$\displaystyle\text{and }D(c\in\mathbb{N}_{\mathsf{C}})$	$\displaystyle\equiv\!\!\!\!\!\!\sum_{\mathbf{r}\in\mathbf{R},\mathbf{r}_{c}=c}% \!\!\!\!\!\!(\mathbf{r}_{\mathbf{s}})_{l}+\mathsf{W}_{G}\mathopen{}\mathclose{% {}\left\lceil(\mathbf{r}_{\mathbf{s}})_{n}\nicefrac{{65}}{{64}}}\right\rceil$

Finally, the service statistics are updated using the same intermediate values as the core statistics, but with a different set of calculations:

(13.13)	$\displaystyle\forall s\in\mathbf{s}:\pi_{S}^{\prime}\mathopen{}\mathclose{{}% \left[s}\right]$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left(\begin{aligned} i&\mathrel{% \mathop{:}}R(s)_{i}\,,\;&x&\mathrel{\mathop{:}}R(s)_{x}\,,\;&z&\mathrel{% \mathop{:}}R(s)_{z}\,,\\ e&\mathrel{\mathop{:}}R(s)_{e}\,,\;&r&\mathrel{\mathop{:}}\hfil\hfil% \displaystyle\displaystyle\mathopen{}\mathclose{{}\left(R(s)_{n},R(s)_{u}}% \right)\,,\;\\ p&\mathrel{\mathop{:}}\hfil\hfil\displaystyle\displaystyle\textstyle\sum_{% \mathopen{}\mathclose{{}\left(s,\mathbf{d}}\right)\,\in\mathbf{E}_{P}}% \mathopen{}\mathclose{{}\left(1,\mathopen{}\mathclose{{}\left\|\mathbf{d}}% \right\|}\right)\,,\;\\ a&\mathrel{\mathop{:}}\hfil\hfil\displaystyle\displaystyle\mathcal{U}\mathopen% {}\mathclose{{}\left(\mathbf{S}\mathopen{}\mathclose{{}\left[s}\right],% \mathopen{}\mathclose{{}\left(0,0,0}\right)}\right)\end{aligned}}\right)\!\!\!\!$
(13.14)	$\displaystyle\text{where }\mathbf{s}$	$\displaystyle=\mathbf{s}^{R}\cup\mathbf{s}^{P}\cup\mathcal{K}\mathopen{}% \mathclose{{}\left(\mathbf{S}}\right)$
(13.15)	$\displaystyle\text{and }\mathbf{s}^{R}$	$\displaystyle=\mathopen{}\mathclose{{}\left\{\,\mathbf{d}_{s}\;\middle\|\;% \mathbf{d}\in\mathbf{r}_{\mathbf{d}},\mathbf{r}\in\mathbf{I}\,}\right\}$
(13.16)	$\displaystyle\text{and }\mathbf{s}^{P}$	$\displaystyle=\mathopen{}\mathclose{{}\left\{\,s\;\middle\|\;\exists x:% \mathopen{}\mathclose{{}\left(s,x}\right)\in\mathbf{E}_{P}\,}\right\}$
(13.17)	$\displaystyle\text{and }R(s\in\mathbb{N}_{S})$	$\displaystyle\equiv\!\!\!\!\!\!\!\!\!\!\!\sum_{\mathbf{d}\in\mathbf{r}_{% \mathbf{d}},\mathbf{r}\in\mathbf{I},\mathbf{d}_{s}=s}\!\!\!\!\!\!\!\!\!\!\!% \mathopen{}\mathclose{{}\left(n\mathrel{\mathop{:}}1,\mathbf{d}_{u},\mathbf{d}% _{i},\mathbf{d}_{x},\mathbf{d}_{z},\mathbf{d}_{e}}\right)$

14. Work Packages and Work Reports

14.1. Honest Behavior

We have so far specified how to recognize blocks for a correctly transitioning Jam blockchain. Through defining the state transition function and a state Merklization function, we have also defined how to recognize a valid header. While it is not especially difficult to understand how a new block may be authored for any node which controls a key which would allow the creation of the two signatures in the header, nor indeed to fill in the other header fields, readers will note that the contents of the extrinsic remain unclear.

We define not only correct behavior through the creation of correct blocks but also honest behavior, which involves the node taking part in several off-chain activities. This does have analogous aspects within YP Ethereum, though it is not mentioned so explicitly in said document: the creation of blocks along with the gossiping and inclusion of transactions within those blocks would all count as off-chain activities for which honest behavior is helpful. In Jam’s case, honest behavior is well-defined and expected of at least $\nicefrac{{2}}{{3}}$ of validators.

Beyond the production of blocks, incentivized honest behavior includes:

•

the guaranteeing and reporting of work-packages, along with chunking and distribution of both the chunks and the work-package itself, discussed in section 15;
•

assuring the availability of work-packages after being in receipt of their data;
•

determining which work-reports to audit, fetching and auditing them, and creating and distributing judgments appropriately based on the outcome of the audit;
•

submitting the correct amount of auditing work seen being done by other validators, discussed in section 13.

14.2. Segments and the Manifest

Work-packages are generally small to ensure guarantors need not invest a lot of bandwidth in order to discover whether they can get paid for their evaluation into a work-report. Rather than having much data inline, they instead reference data through commitments. The simplest commitments are extrinsic data.

Extrinsic data are blobs which are being introduced into the system alongside the work-package itself generally by the work-package builder. They are exposed to the Refine logic as an argument. We commit to them through including each of their hashes in the work-package.

Work-packages have two other types of external data associated with them: A cryptographic commitment to each imported segment and finally the number of segments which are exported.

14.2.1. Segments, Imports and Exports

The ability to communicate large amounts of data from one work-package to some subsequent work-package is a key feature of the Jam availability system. An export segment, defined as the set $\mathbb{J}$ , is an octet sequence of fixed length $\mathsf{W}_{G}=4104$ . It is the smallest datum which may individually be imported from—or exported to—the long-term D³L during the Refine function of a work-package.

(14.1)

\mathbb{J}\equiv\mathbb{B}_{\mathsf{W}_{G}}

Exported segments are data which are generated through the execution of the Refine logic and thus are a side effect of transforming the work-package into a work-report. Since their data is deterministic based on the execution of the Refine logic, we do not require any particular commitment to them in the work-package beyond knowing how many are associated with each Refine invocation in order that we can supply an exact index.

On the other hand, imported segments are segments which were exported by previous work-packages. In order for them to be easily fetched and verified they are referenced not by hash but rather the root of a Merkle tree which includes any other segments introduced at the time, together with an index into this sequence. This allows for justifications of correctness to be generated, stored, included alongside the fetched data and verified. This is described in depth in the next section.

14.2.2. Data Collection and Justification

It is the task of a guarantor to reconstitute all imported segments through fetching said segments’ erasure-coded chunks from enough unique validators. Reconstitution alone is not enough since corruption of the data would occur if one or more validators provided an incorrect chunk. For this reason we ensure that the import segment specification (a Merkle root and an index into the tree) be a kind of cryptographic commitment capable of having a justification applied to demonstrate that any particular segment is indeed correct.

Justification data must be available to any node over the course of its segment’s potential requirement. At around 350 bytes to justify a single segment, justification data is too voluminous to have all validators store all data. We therefore use the same overall availability framework for hosting justification metadata as the data itself.

The guarantor is able to use this proof to justify to themselves that they are not wasting their time on incorrect behavior. We do not force auditors to go through the same process. Instead, guarantors build an Auditable Work Package, and place this in the Audit da system. This is the original work-package, its extrinsic data, its imported data and a concise proof of correctness of that imported data. This tactic routinely duplicates data between the D³L and the Audit da, however it is acceptable in order to reduce the bandwidth cost for auditors who must justify the correctness as cheaply as possible as auditing happens on average 30 times for each work-package whereas guaranteeing happens only twice or thrice.

14.3. Packages and Items

We begin by defining a work-package, of set $\mathbb{P}$ , and its constituent work-items, of set $\mathbb{W}$ . A work-package includes a simple blob acting as an authorization token $\mathbf{j}$ , the index of the service which hosts the authorization code $h$ , an authorization code hash $u$ and a configuration blob $\mathbf{f}$ , a context $\mathbf{c}$ and a sequence of work items $\mathbf{w}$ :

(14.2)

\mathbb{P}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\mathbf{j}\in\mathbb{B},% \ h\in\mathbb{N}_{S},\ u\in\mathbb{H},\ \mathbf{f}\in\mathbb{B},\ \mathbf{c}% \in\mathbb{C},\ \mathbf{w}\in\mathopen{}\mathclose{{}\left\lsem\mathbb{W}}% \right\rsem_{1:\mathsf{I}}}\right\rgroup\!

A work item includes: $s$ the identifier of the service to which it relates, the code hash of the service at the time of reporting $c$ (whose preimage must be available from the perspective of the lookup anchor block), a payload blob $\mathbf{y}$ , gas limits for Refinement and Accumulation $g$ & $a$ , and the three elements of its manifest, a sequence of imported data segments $\mathbf{i}$ which identify a prior exported segment through an index and the identity of an exporting work-package, $\mathbf{x}$ , a sequence of extrinsic data hashes and lengths and $e$ the number of data segments exported by this work item.

(14.3)

\mathbb{W}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\begin{aligned} &s\in% \mathbb{N}_{S},c\in\mathbb{H},\mathbf{y}\in\mathbb{B},g\in\mathbb{N}_{G},a\in% \mathbb{N}_{G},e\in\mathbb{N},\\ &\mathbf{i}\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}\mathclose{{}% \left\lgroup\mathbb{H}\cup(\mathbb{H}^{\boxplus}),\mathbb{N}}\right\rgroup\!}% \right\rsem,\mathbf{x}\in\mathopen{}\mathclose{{}\left\lsem\!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{H},\mathbb{N}}\right\rgroup\!}\right\rsem\end% {aligned}}\right\rgroup\!

Note that an imported data segment’s work-package is identified through the union of sets $\mathbb{H}$ and a tagged variant $\mathbb{H}^{\boxplus}$ . A value drawn from the regular $\mathbb{H}$ implies the hash value is of the segment-root containing the export, whereas a value drawn from $\mathbb{H}^{\boxplus}$ implies the hash value is the hash of the exporting work-package. In the latter case it must be converted into a segment-root by the guarantor and this conversion reported in the work-report for on-chain validation. Work-packages referenced in this manner are considered dependencies, as are work-packages explicitly listed as prerequisites in the context $\mathbf{c}$ . We limit the total number of dependencies to $\mathsf{J}=8$ :

(14.4)

\forall\mathbf{p}\in\mathbb{P}:\mathopen{}\mathclose{{}\left|\mathopen{}% \mathclose{{}\left\{\,h\;\middle|\;\mathbf{w}\in\mathbf{p}_{\mathbf{w}},% \mathopen{}\mathclose{{}\left(h^{\boxplus},n}\right)\in\mathbf{w}_{\mathbf{i}}% \,}\right\}}\right|+\mathopen{}\mathclose{{}\left|(\mathbf{p}_{\mathbf{c}})_{% \mathbf{p}}}\right|\leq\mathsf{J}

We limit the total number of exported items to $\mathsf{W}_{X}=3072$ , the total number of imported items to $\mathsf{W}_{M}=3072$ , and the total number of extrinsics to $\mathsf{T}=128$ :

(14.5)

\!\!\!\!\begin{aligned} &\forall\mathbf{p}\in\mathbb{P}:\\ &\ \sum_{\mathbf{w}\in\mathbf{p}_{\mathbf{w}}}\mathbf{w}_{e}\leq\mathsf{W}_{X}% \wedge\ \sum_{\mathbf{w}\in\mathbf{p}_{\mathbf{w}}}\mathopen{}\mathclose{{}% \left|\mathbf{w}_{\mathbf{i}}}\right|\leq\mathsf{W}_{M}\wedge\ \sum_{\mathbf{w% }\in\mathbf{p}_{\mathbf{w}}}\mathopen{}\mathclose{{}\left|\mathbf{w}_{\mathbf{% x}}}\right|\leq\mathsf{T}\end{aligned}

We make an assumption that the preimage to each extrinsic hash in each work-item is known by the guarantor. In general this data will be passed to the guarantor alongside the work-package.

We limit the total size of the auditable work-bundle, containing the work-package, import and extrinsic items, together with all payloads, the authorizer configuration and the authorization token to around 13.6mb. This limit allows 2mb/s/core D³L imports, and thus a full complement of 3,072 imports, assuming no extrinsics, 64 bytes for each of the authorization token and trace, and a work-item payload of 4kb:

(14.6)			$\displaystyle\begin{aligned} &\forall\mathbf{p}\in\mathbb{P}:\Big{(}\mathopen{% }\mathclose{{}\left\|\mathbf{p}_{\mathbf{j}}}\right\|+\mathopen{}\mathclose{{}% \left\|\mathbf{p}_{\mathbf{f}}}\right\|+\!\!\sum_{\mathbf{w}\in\mathbf{p}_{% \mathbf{w}}}\!\!S(\mathbf{w})\Big{)}\leq\mathsf{W}_{B}\\ &\text{where }S(\mathbf{w}\in\mathbb{W})\equiv\mathopen{}\mathclose{{}\left\|% \mathbf{w}_{\mathbf{y}}}\right\|+\mathopen{}\mathclose{{}\left\|\mathbf{w}_{% \mathbf{i}}}\right\|\cdot\mathsf{W}_{F}+\!\!\!\!\!\!\sum_{\mathopen{}\mathclose% {{}\left(h,l}\right)\in\mathbf{w}_{\mathbf{x}}}\!\!\!l\end{aligned}$
(14.7)			$\displaystyle\mathsf{W}_{F}\equiv\mathsf{W}_{G}+32\mathopen{}\mathclose{{}% \left\lceil\log_{2}(\mathsf{W}_{X})}\right\rceil$
(14.8)			$\displaystyle\mathsf{W}_{B}\equiv\mathsf{W}_{M}\cdot\mathsf{W}_{F}+4096+64+64=% 13,791,360$

We limit the sums of each of the two gas limits to be at most the maximum gas allocated to a core for the corresponding operation:

(14.9)

\forall\mathbf{p}\in\mathbb{P}:\ \;\sum_{\mathbf{w}\in\mathbf{p}_{\mathbf{w}}}% (\mathbf{w}_{a})<\mathsf{G}_{A}\quad\wedge\ \;\sum_{\mathbf{w}\in\mathbf{p}_{% \mathbf{w}}}(\mathbf{w}_{g})<\mathsf{G}_{R}

Given the result $\mathbf{l}$ and gas used $u$ of some work-item, we define the item-to-digest function $C$ as:

(14.10)

C\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{}\mathclose{% {}\left\lgroup\mathbb{W},\mathbb{B}\cup\mathbb{E},\mathbb{N}_{G}}\right\rgroup% \!&\to\mathbb{D}\\ \mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left(\begin{aligned} &s% ,c,\mathbf{y},\\ &a,e,\mathbf{i},\mathbf{x}\end{aligned}}\right),\mathbf{l},u}\right)&\mapsto% \mathopen{}\mathclose{{}\left(\begin{aligned} &s,\,c,\,y\mathrel{\mathop{:}}% \mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{y}}\right),\,g\mathrel{% \mathop{:}}a,\,\mathbf{l},\,u,\\ &i\mathrel{\mathop{:}}\mathopen{}\mathclose{{}\left|\mathbf{i}}\right|,\,e,\,x% \mathrel{\mathop{:}}\mathopen{}\mathclose{{}\left|\mathbf{x}}\right|,\,z% \mathrel{\mathop{:}}\!\!\!\!\sum_{\mathopen{}\mathclose{{}\left(h,z}\right)\in% \mathbf{x}}\!\!\!\!z\end{aligned}}\right)\!\!\!\!\end{aligned}}\right.

We define the work-package’s implied authorizer as $\mathbf{p}_{a}$ , the hash of the authorization code hash concatenated with the configuration. We define the authorization code as $\mathbf{p}_{\mathbf{u}}$ and require that it be available at the time of the lookup anchor block from the historical lookup of service $\mathbf{p}_{h}$ . Formally:

(14.11)

\forall\mathbf{p}\in\mathbb{P}:\mathopen{}\mathclose{{}\left\{\,\begin{aligned% } \mathbf{p}_{a}&\equiv\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{p}_{u}% \frown\mathbf{p}_{\mathbf{f}}}\right)\\ \mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left% \updownarrow\mathbf{p}_{\mathbf{m}}}\right.\!,\mathbf{p}_{\mathbf{u}}}\right)&% \equiv\Lambda(\delta\mathopen{}\mathclose{{}\left[\mathbf{p}_{h}}\right],(% \mathbf{p}_{\mathbf{c}})_{t},\mathbf{p}_{u})\\ \mathopen{}\mathclose{{}\left(\mathbf{p}_{\mathbf{m}},\mathbf{p}_{\mathbf{u}}}% \right)&\in\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{B},\mathbb{B}}\right% \rgroup\!\end{aligned}}\right.

(The historical lookup function, $\Lambda$ , is defined in equation LABEL:eq:historicallookup.)

14.3.1. Exporting

Any of a work-package’s work-items may export segments and a segments-root is placed in the work-report committing to these, ordered according to the work-item which is exporting. It is formed as the root of a constant-depth binary Merkle tree as defined in equation E.4.

Guarantors are required to erasure-code and distribute two data sets: one blob, the auditable bundle containing the encoded work-package, extrinsic data and self-justifying imported segments which is placed in the short-term Audit da store; and a second set of exported-segments data together with the Paged-Proofs metadata. Items in the first store are short-lived; assurers are expected to keep them only until finality of the block in which the availability of the work-result’s work-package is assured. Items in the second, meanwhile, are long-lived and expected to be kept for a minimum of 28 days (672 complete epochs) following the reporting of the work-report. This latter store is referred to as the Distributed, Decentralized, Data Lake or D³L owing to its large size.

We define the paged-proofs function $P$ which accepts a series of exported segments $\mathbf{s}$ and defines some series of additional segments placed into the D³L via erasure-coding and distribution. The function evaluates to pages of hashes, together with subtree proofs, such that justifications of correctness based on a segments-root may be made from it:

(14.12)

\!\!P\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathopen{}% \mathclose{{}\left\lsem\mathbb{J}}\right\rsem\to\,&\mathopen{}\mathclose{{}% \left\lsem\mathbb{J}}\right\rsem\\ \mathbf{s}\mapsto\,&\mathopen{}\mathclose{{}\left[\mathcal{P}_{l}\mathopen{}% \mathclose{{}\left(\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}% \mathclose{{}\left\updownarrow\mathcal{J}_{6}\mathopen{}\mathclose{{}\left(% \mathbf{s},i}\right)}\right.\!,\mathopen{}\mathclose{{}\left\updownarrow% \mathcal{L}_{6}\mathopen{}\mathclose{{}\left(\mathbf{s},i}\right)}\right.\!}% \right)}\right)\;\middle|\;i\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}% \mathbb{N}_{\mathopen{}\mathclose{{}\left\lceil\nicefrac{{\mathopen{}% \mathclose{{}\left|\mathbf{s}}\right|}}{{64}}}\right\rceil}}\right]\\ &\text{where }l=\mathsf{W}_{G}\end{aligned}}\right.\!\!\!\!

14.4. Computation of Work-Report

We now come to the work-report computation function $\Xi$ . This forms the basis for all utilization of cores on Jam. It accepts some work-package $\mathbf{p}$ , nominated core $c$ , segment-root dictionary $\mathbf{l}$ , and assurer set size $v$ , and results in either an error $\nabla$ or the work-report. This function is deterministic and requires only that it be evaluated within eight epochs of a recently finalized block thanks to the historical lookup functionality. It can thus comfortably be evaluated by any node within the auditing period, even allowing for practicalities of imperfect synchronization. Formally:

(14.13)

\Xi\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} &\!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{P},\mathbb{N}_{\mathsf{C}},\mathopen{}% \mathclose{{}\left\langlebar\mathbb{H}\to\mathbb{H}}\right\ranglebar,\mathbb{V% }}\right\rgroup\!\to\mathbb{R}\cup\mathopen{}\mathclose{{}\left\{\,\nabla\,}% \right\}\\ &\mathopen{}\mathclose{{}\left(\mathbf{p},c,\mathbf{l},v}\right)\mapsto\begin{% cases}\nabla&\text{if }E\\ \mathopen{}\mathclose{{}\left(\begin{aligned} &\mathbf{s},\mathbf{c}\mathrel{% \mathop{:}}\mathbf{p}_{\mathbf{c}},c,\\ &a\mathrel{\mathop{:}}\mathbf{p}_{a},\mathbf{t},\mathbf{l},\mathbf{d},g\end{% aligned}}\right)&\text{otherwise}\end{cases}\end{aligned}}\right.

Where:

	$\displaystyle\mathopen{}\mathclose{{}\left(\mathbf{t},g}\right)$	$\displaystyle=\Psi_{I}(\mathbf{p},c)$
	$\displaystyle E$	$\displaystyle=\mathbf{t}\not\in\mathbb{B}_{:\mathsf{W}_{R}}\vee\mathcal{K}% \mathopen{}\mathclose{{}\left(\mathbf{l}}\right)\neq\mathopen{}\mathclose{{}% \left\{\,h\;\middle\|\;\mathbf{w}\in\mathbf{p}_{\mathbf{w}},\mathopen{}% \mathclose{{}\left(h^{\boxplus},n}\right)\in\mathbf{w}_{\mathbf{i}}\,}\right\}$
	$\displaystyle\mathopen{}\mathclose{{}\left(\mathbf{d},\overline{\mathbf{e}}}\right)$	$\displaystyle={}^{\text{T}}\mathopen{}\mathclose{{}\left[(C(\mathbf{p}_{% \mathbf{w}}\mathopen{}\mathclose{{}\left[j}\right],r,u),\mathbf{e})\;\middle\|% \;\mathopen{}\mathclose{{}\left(r,u,\mathbf{e}}\right)=I(\mathbf{p},j),\,j% \mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbb{N}_{\mathopen{}% \mathclose{{}\left\|\mathbf{p}_{\mathbf{w}}}\right\|}}\right]$
	$\displaystyle I(\mathbf{p},j)$	$\displaystyle\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\circleddash,u,% \mathopen{}\mathclose{{}\left[\mathbb{J}_{0},\mathbb{J}_{0},\dots}\right]_{% \dots m_{e}}}\right)&\text{if }\mathopen{}\mathclose{{}\left\|r}\right\|+z>% \mathsf{W}_{R}\\ \mathopen{}\mathclose{{}\left(\circledcirc,u,\mathopen{}\mathclose{{}\left[% \mathbb{J}_{0},\mathbb{J}_{0},\dots}\right]_{\dots m_{e}}}\right)&\text{% otherwise if }\mathopen{}\mathclose{{}\left\|\mathbf{e}}\right\|\neq m_{e}\\ \mathopen{}\mathclose{{}\left(r,u,\mathopen{}\mathclose{{}\left[\mathbb{J}_{0}% ,\mathbb{J}_{0},\dots}\right]_{\dots m_{e}}}\right)&\text{otherwise if }r\not% \in\mathbb{B}\\ \mathopen{}\mathclose{{}\left(r,u,\mathbf{e}}\right)&\text{otherwise}\\ \lx@intercol\text{where }\mathopen{}\mathclose{{}\left(r,\mathbf{e},u}\right)=% \Psi_{R}(c,j,\mathbf{p},\mathbf{t},S^{\#}_{\mathbf{l}}(\mathbf{p}_{\mathbf{w}}% ),\ell)\hfil\lx@intercol\\ \lx@intercol\text{and }h=\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{p}}% \right)\,,\;m=\mathbf{p}_{\mathbf{w}}\mathopen{}\mathclose{{}\left[j}\right]\,% ,\;\ell=\sum_{k<j}\mathbf{p}_{\mathbf{w}}\mathopen{}\mathclose{{}\left[k}% \right]_{e}\hfil\lx@intercol\\ \lx@intercol\text{and }z=\mathopen{}\mathclose{{}\left\|\mathbf{t}}\right\|+\sum% _{k<j,\mathopen{}\mathclose{{}\left(r\in\mathbb{B},\dots}\right)=I(\mathbf{p},% k)}\mathopen{}\mathclose{{}\left\|r}\right\|\hfil\lx@intercol\end{cases}$

Note that we gracefully handle both the case where the size of the work output would take the work-report beyond its acceptable size and where number of segments exported by a work-item’s Refinement execution is incorrectly reported in the work-item’s export segment count. In both cases, the work-package continues to be valid as a whole, but the work-item’s exported segments are replaced by a sequence of zero-segments equal in size to the export segment count and its output is replaced by an error.

The first term to be introduced, $\mathopen{}\mathclose{{}\left(\mathbf{t},g}\right)$ , is the authorization trace, the result of the Is-Authorized function together with the amount of gas it used. The Is-Authorized logic must be executed first in order to ensure that the work-package warrants the needed core-time.

The next term, $E$ , is $\top$ if there is no valid report for the given arguments. This is the case if the Is-Authorized function fails, or if the segment-root dictionary $\mathbf{l}$ does not contain the expected entries. $\mathbf{l}$ is expected to have entries for all unique work-package hashes of imported segments not identified directly via a segment-root but rather through a work-package hash.

In order to expect to be compensated for a work-report they are building, guarantors must compose a value for $\mathbf{l}$ to ensure not only the above but also a further constraint that all pairs of work-package hashes and segment-roots do properly correspond:

(14.14)			$\displaystyle\forall\mathopen{}\mathclose{{}\left(h\mapsto e}\right)\in\mathbf% {l}:\exists\mathbf{p},c,\mathbf{d},v\in\mathbb{P},\mathbb{N}_{\mathsf{C}},% \mathopen{}\mathclose{{}\left\langlebar\mathbb{H}\to\mathbb{H}}\right% \ranglebar,\mathbb{V}:$
(14.14)			$\displaystyle\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{p}}\right)=h% \wedge(\Xi(\mathbf{p},c,\mathbf{d},v)_{\mathbf{s}})_{e}=e$

As long as the guarantor is unable to satisfy the above constraints, then it should consider the work-package unable to be guaranteed. Auditors are not expected to populate $\mathbf{l}$ but rather to reuse the value in the work-report they are auditing.

The third term, $\mathopen{}\mathclose{{}\left(\mathbf{d},\overline{\mathbf{e}}}\right)$ is the sequence of results for each of the work-items in the work-package together with all segments exported by each work-item. The fourth definition $I$ performs an ordered accumulation (i.e. counter) in order to ensure that the Refine function has access to the total number of exports made from the work-package up to the current work-item.

The above relies on two functions, $S_{\mathbf{l}}$ and $X$ which, respectively, define the import segment data (utilising the segment-root dictionary $\mathbf{l}$ ) and the extrinsic data for some work-item argument $\mathbf{w}$ . We also define the segment-root lookup function $L_{\mathbf{l}}$ , which collapses a segment-root or work-package hash into a segment-root, and $J_{\mathbf{l}}$ , which compiles justifications of segment data:

(14.15)	$\displaystyle X(\mathbf{w}\in\mathbb{W})$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left[\mathbf{d}\;\middle\|\;(% \mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{d}}\right),\mathopen{}% \mathclose{{}\left\|\mathbf{d}}\right\|)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.% 0]{$-$}}}\mathbf{w}_{\mathbf{x}}}\right]$
	$\displaystyle\forall\mathbf{l}\in\mathopen{}\mathclose{{}\left\langlebar% \mathbb{H}\to\mathbb{H}}\right\ranglebar$	$\displaystyle:$
	$\displaystyle L_{\mathbf{l}}(r\in\mathbb{H}\cup\mathbb{H}^{\boxplus})$	$\displaystyle\equiv\begin{cases}r&\text{if }r\in\mathbb{H}\\ \mathbf{l}\mathopen{}\mathclose{{}\left[h}\right]&\text{if }\exists h\in% \mathbb{H}:r=h^{\boxplus}\end{cases}$
	$\displaystyle S_{\mathbf{l}}(\mathbf{w}\in\mathbb{W})$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left[\mathbf{b}\mathopen{}% \mathclose{{}\left[n}\right]\;\middle\|\;\mathcal{M}\mathopen{}\mathclose{{}% \left(\mathbf{b}}\right)=L_{\mathbf{l}}(r),\mathopen{}\mathclose{{}\left(r,n}% \right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{w}_{\mathbf{i}% }}\right]$
	$\displaystyle J_{\mathbf{l}}(\mathbf{w}\in\mathbb{W})$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left% \updownarrow\mathcal{J}_{0}\mathopen{}\mathclose{{}\left(\mathbf{b},n}\right)}% \right.\!\;\middle\|\;\mathcal{M}\mathopen{}\mathclose{{}\left(\mathbf{b}}% \right)=L_{\mathbf{l}}(r),\mathopen{}\mathclose{{}\left(r,n}\right)\mathrel{% \mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{w}_{\mathbf{i}}}\right]$

Note that while the formulations of $S_{\mathbf{l}}$ and $J_{\mathbf{l}}$ seem to require (due to the inner term $\mathbf{b}$ ) all segments exported by all work-packages exporting a segment to be imported, such a vast amount of data is not generally needed. In particular, each justification can be derived through a single paged-proof. This reduces the worst case data fetching for a guarantor to two segments for every one to be imported. In the case that contiguously exported segments are imported (which we might assume is a fairly common situation), then a single proof-page should be sufficient to justify many imported segments.

Using these three functions, we may now define the Bundle Assembly function $B$ , which assembles an audit-friendly bundle from a work-package and a segment-root dictionary. The bundle comprises the work-package itself, the extrinsic data, and the concatenated import segments along with their proofs of correctness.

(14.16)

B\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} &\!\mathopen{}\mathclose% {{}\left\lgroup\mathbb{P},\mathopen{}\mathclose{{}\left\langlebar\mathbb{H}\to% \mathbb{H}}\right\ranglebar}\right\rgroup\!\to\mathbb{B}\\ &\mathopen{}\mathclose{{}\left(\mathbf{p},\mathbf{l}}\right)\mapsto\mathcal{E}% \mathopen{}\mathclose{{}\left(\mathbf{p},X^{\#}(\mathbf{p}_{\mathbf{w}}),S_{% \mathbf{l}}^{\#}(\mathbf{p}_{\mathbf{w}}),J_{\mathbf{l}}^{\#}(\mathbf{p}_{% \mathbf{w}})}\right)\end{aligned}}\right.

Note the lack of length prefixes: only the Merkle paths for the justifications have a length prefix. All other sequence lengths are determinable through the work package itself.

Finally, we may define $\mathbf{s}$ as the data availability specification of the package using $B$ together with the yet to be defined Availability Specifier function $A$ (see section 14.4.1):

(14.17)

\mathbf{s}=A(\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{p}}\right),B(% \mathbf{p},\mathbf{l}),\wideparen{\overline{\mathbf{e}}},v)

Before executing the Refine function, the guarantor should ensure that all segment-tree roots which form imported segment commitments are known and have not expired. Additionally, the guarantor should ensure that they can fetch all preimage data referenced as the commitments of extrinsic segments.

The guarantor must reconstruct imported segments, though this process may in fact be lazy as the Refine function makes no usage of the data until the fetch host-call is made. Fetching generally implies that, for each imported segment, erasure-coded chunks are retrieved from enough unique validators (approximately one third) and is described in more depth in appendix H. (Since we specify systematic erasure-coding, its reconstruction is trivial in the case that the correct validators are responsive.) Chunks must be fetched for both the data itself and for justification metadata which allows us to ensure that the data is correct.

Validators, in their role as availability assurers, should index such chunks according to the index of the segments-tree whose reconstruction they facilitate. Since the data for segment chunks is so small (12 octets in the case of 1023 assurers), fixed communications costs should be kept to a bare minimum. A good network protocol (out of scope at present) will allow guarantors to specify only the segments-tree root and index together with a Boolean to indicate whether the proof chunk need be supplied. Since we assume enough other validators are online and benevolent, we can assume that the guarantor can compute $S_{\mathbf{l}}$ and $J_{\mathbf{l}}$ above with confidence, based on the general availability of data committed to with $\mathbf{s}^{\clubsuit}$ , which is specified below. Note that each imported segment must be fetched from the validator set which assured its availability; this set may no longer be active and its size may differ from that of the active validator set.

14.4.1. Availability Specifier

We define the availability specifier function $A$ , which creates an availability specifier from the package hash, an octet sequence of the audit-friendly work-package bundle, the sequence of exported segments, and the size of the assuring validator set:

(14.18)

\!\!\!A\colon\mathopen{}\mathclose{{}\left\{\,\begin{aligned} \!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{H},\mathbb{B},\mathopen{}\mathclose{{}\left% \lsem\mathbb{J}}\right\rsem,\mathbb{V}}\right\rgroup\!&\to\mathbb{Y}\\ \mathopen{}\mathclose{{}\left(p,\mathbf{b},\,\mathbf{s},v}\right)&\mapsto% \mathopen{}\mathclose{{}\left(p,\,l\mathrel{\mathop{:}}\mathopen{}\mathclose{{% }\left|\mathbf{b}}\right|,\,u,\,v,\,e\mathrel{\mathop{:}}\mathcal{M}\mathopen{% }\mathclose{{}\left(\mathbf{s}}\right),\,n\mathrel{\mathop{:}}\mathopen{}% \mathclose{{}\left|\mathbf{s}}\right|}\right)\end{aligned}}\right.\!\!\!\!\!

	$\displaystyle\text{where }u$	$\displaystyle=\mathcal{M}_{B}\mathopen{}\mathclose{{}\left(\mathopen{}% \mathclose{{}\left[\wideparen{\mathbf{x}}\;\middle\|\;\mathbf{x}\mathrel{% \mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}{}^{\text{T}}\mathopen{}\mathclose{{}% \left[\mathbf{b}^{\clubsuit},\mathbf{s}^{\clubsuit}}\right]}\right]}\right)$
	$\displaystyle\text{and }\mathbf{b}^{\clubsuit}$	$\displaystyle=\mathcal{H}^{\#}\mathopen{}\mathclose{{}\left(\mathcal{C}^{v}_{% \mathopen{}\mathclose{{}\left\lceil\nicefrac{{\mathopen{}\mathclose{{}\left\|% \mathbf{b}}\right\|}}{{z}}}\right\rceil}\mathopen{}\mathclose{{}\left(\mathcal{% P}_{z}\mathopen{}\mathclose{{}\left(\mathbf{b}}\right)}\right)}\right)$
	$\displaystyle\text{and }\mathbf{s}^{\clubsuit}$	$\displaystyle=\mathcal{M}_{B}^{\#}\mathopen{}\mathclose{{}\left({}^{\text{T}}% \mathcal{C}^{v\#}_{\nicefrac{{\mathsf{W}_{G}}}{{z}}}\mathopen{}\mathclose{{}% \left(\mathbf{s}\frown P(\mathbf{s})}\right)}\right)$
	$\displaystyle\text{and }z$	$\displaystyle=2\cdot\mathcal{D}(v)$

The paged-proofs function $P$ , defined earlier in equation 14.12, accepts a sequence of segments and returns a sequence of paged-proofs sufficient to justify the correctness of every segment. There are exactly $\mathopen{}\mathclose{{}\left\lceil\nicefrac{{1}}{{64}}}\right\rceil$ paged-proof segments as the number of yielded segments, each composed of a page of 64 hashes of segments, together with a Merkle proof from the root to the subtree-root which includes those 64 segments.

The functions $\mathcal{M}$ and $\mathcal{M}_{B}$ are the fixed-depth and simple binary Merkle root functions, defined in equations E.4 and E.3. The functions $\mathcal{C}$ and $\mathcal{D}$ are the erasure-coding and original-chunk-count functions, defined in appendix H.

And $\mathcal{P}$ is the zero-padding function to take an octet array to some multiple of $n$ in length:

(14.19)

\mathcal{P}_{n\in\mathbb{N}_{1\dots}}\colon\mathopen{}\mathclose{{}\left\{% \begin{aligned} \mathbb{B}&\to\mathbb{B}_{k\cdot n}\\ \mathbf{x}&\mapsto\mathbf{x}\frown\mathopen{}\mathclose{{}\left[0,0,\dots}% \right]_{((\mathopen{}\mathclose{{}\left|x}\right|+n-1)\bmod n)+1\dots n}\end{% aligned}}\right.

Validators are incentivized to distribute each newly erasure-coded data chunk to the relevant validator, since they are not paid for guaranteeing unless a work-report is considered to be available by a super-majority of validators. Given our work-package $\mathbf{p}$ , we should therefore send the corresponding work-package bundle chunk and exported segments chunks to each validator, together with proofs such that each validator can justify completeness according to the work-report’s erasure-root. In the case of a coming epoch change, they may also maximize expected reward by distributing to the new validator set. Note that as erasure-coding depends on the size of the assuring validator set, distribution to two validator sets of different sizes necessitates performing erasure-coding twice and production of two distinct work-reports, only one of which may be reported on-chain.

We will see this function utilized in the next sections, for guaranteeing, auditing and judging.

A C I S P R X b

15. Guaranteeing

Guaranteeing work-packages involves the creation and distribution of a corresponding work-report which requires certain conditions to be met. Along with the report, a signature demonstrating the validator’s commitment to its correctness is needed. With two guarantor signatures, the work-report may be distributed to the forthcoming Jam chain block author in order to be used in the $\mathbf{E}_{G}$ , which leads to a reward for the guarantors.

We presume that in a public system, validators will be punished severely if they malfunction and commit to a report which does not faithfully represent the result of $\Xi$ applied on a work-package. Overall, the process is:

(1)

Evaluation of the work-package’s authorization, and cross-referencing against the authorization pool in the most recent Jam chain state.
(2)

Evaluation of each work-item’s refine logic.
(3)

Chunking of the work-package bundle and the data exported by the refine logic, according to the erasure codec.
(4)

Assembly and publication of a work-package report.
(5)

Distributing the aforementioned chunks across the validator set.
(6)

Providing the work-package bundle and exported data to other validators on request is also helpful for optimal network performance.

For any work-package $\mathbf{p}$ a guarantor is in receipt of, the work-report $\mathbf{r}$ , if any, may be determined by:

(15.1)

\mathbf{r}=\Xi(\mathbf{p},c,\mathbf{l},v)

When Jam chain state is needed, the chain state of the most recent block should always be utilized. The guarantor may choose values for $c$ (the core index), $\mathbf{l}$ (the segment-root dictionary), and $v$ (the size of the assuring validator set), but should be careful to choose values which allow the work-report to be included on-chain (see section 11.4). Typically $c$ should be the core currently assigned to the guarantor, $v$ should be the size of the active validator set, and $\mathbf{l}$ should be derived from previously guaranteed work-reports.

Following production of a work-report $\mathbf{r}$ , a guarantor may safely create and distribute the payload $\mathopen{}\mathclose{{}\left(s,i}\right)$ , where $i$ identifies the guarantor by index and $s$ is a signature created according to equation 11.28. Specifically, $s$ is a signature using the validator’s registered Ed25519 key on a payload $l$ :

(15.2)

l=\mathsf{X}_{G}\frown\mathcal{H}\mathopen{}\mathclose{{}\left(\mathcal{E}% \mathopen{}\mathclose{{}\left(\mathbf{r}}\right)}\right)

To maximize profit, the guarantor should require the work-report meets all expectations which are in place during the guarantee extrinsic described in section 11.4. This includes contextual validity and inclusion of the authorization in the authorization pool. Not doing so does not result in punishment, but will prevent the block author from including the report and so reduces rewards.

Advanced nodes may maximize the likelihood that their reports will be includable on-chain by attempting to predict the state of the chain at the time that the report will get to the block author. Naive nodes may simply use the current chain head when verifying the work-package. To minimize work done, nodes should make all such evaluations prior to evaluating the $\Psi_{R}$ function to calculate the report’s work-digests.

Once evaluated as a reasonable work-package to guarantee, guarantors should maximize the chance that their work is not wasted by attempting to form consensus over the core. To achieve this they should send the work-package to any other guarantors on the same core which they do not believe already know of it.

In order to minimize the work for block authors and thus maximize expected profits, guarantors should attempt to construct their core’s next guarantee extrinsic from the work-report and set of attestations including their own and as many others as possible.

In order to minimize the chance of any block authors disregarding the guarantor for anti-spam measures, guarantors should sign an average of no more than two work-reports per timeslot.

16. Availability Assurance

Every timeslot, each validator should issue a signed statement, called an assurance, indicating which of the current availability assignments the validator has received its erasure-coded shards for. There are two classes of shard a validator must have for an availability assignment before claiming possession in an assurance:

Firstly, their erasure-coded shard for the assigned report’s bundle. This shard is needed to verify the work-report’s validity and completeness and need not be retained after the work-report is considered audited. Until then, it should be provided on request to validators.

Secondly, the validator should have in hand the corresponding erasure-coded shard for each of the exported segments referenced by the assigned report’s segments root. These should be retained for 28 days and provided to any validator on request.

The validity of a validator’s shards for a work-report can be trivially proven through the work-report’s work-package erasure-root and a Merkle-proof of inclusion in the correct location. Shards distributed by guarantors should be accompanied by such proofs, and a validator should not claim possession of shards in an assurance unless it has, and has verified, the corresponding proofs.

17. Auditing and Judging

The auditing and judging system is theoretically equivalent to that in Elves, introduced by [4]. For a full security analysis of the mechanism, see this work. There is a difference in terminology, where the terms backing, approval and inclusion there refer to our guaranteeing, auditing and accumulation, respectively.

17.1. Overview

The auditing process involves each node requiring themselves to fetch, evaluate and issue judgment on a random but deterministic set of work-reports from each Jam chain block in which the work-report becomes available (i.e. from $\mathbf{R}$ ). Prior to any evaluation, a node declares and proves its requirement. At specific common junctures in time thereafter, the set of work-reports which a node requires itself to evaluate from each block’s $\mathbf{R}$ may be enlarged if any declared intentions are not matched by a positive judgment in a reasonable time or in the event of a negative judgment being seen. These enlargement events are called tranches.

If all declared intentions for a work-report are matched by a positive judgment at any given juncture, then the work-report is considered audited. Once all of any given block’s newly available work-reports are audited, then we consider the block to be audited. One prerequisite of a node finalizing a block is for it to view the block as audited. Note that while there will be eventual consensus on whether a block is audited, there may not be consensus at the time that the block gets finalized. This does not affect the crypto-economic guarantees of this system.

In regular operation, no negative judgments will ultimately be found for a work-report, and there will be no direct consequences of the auditing stage. In the unlikely event that a negative judgment is found, then one of several things happens; if greater than $\nicefrac{{2}}{{3}}$ of the validators still issue positive judgments, then validators issuing negative judgments may receive a punishment for time-wasting. If greater than $\nicefrac{{1}}{{3}}$ of the validators issue negative judgments, then the block which includes the work-report is ban-listed. It and all its descendants are disregarded and may not be built on. In all cases, once there are enough votes, a verdict can be constructed by a block author and placed in a disputes extrinsic to denote the outcome. See section 10 for details on this.

All announcements and judgments are published to all validators along with metadata describing the signed material. On receipt of sure data, validators are expected to update their perspective accordingly (later defined as $J$ and $A$ ).

17.2. Data Fetching

For each work-report to be audited, we use its erasure-root to request erasure-coded chunks from enough assurers, and then reconstruct the work-package bundle from these chunks. The bundle contains the work-package together with its extrinsic data, imported segments, and imported segment justifications.

We may validate the work-package by ensuring its hash is equivalent to the hash included as part of the work-package specification in the work-report. We may validate the extrinsic data through ensuring their hashes are each equivalent to those found in the relevant work-item.

Finally, we may validate each imported segment as a justification must follow the concatenated segments which allows verification that each segment’s hash is included in the referencing Merkle root and index of the corresponding work-item.

Exported segments need not be reconstructed in the same way, but rather should be determined in the same manner as with guaranteeing, i.e. through the execution of the Refine logic.

All items in the work-package specification field of the work-report should be recalculated from this now known-good data and verified, essentially retracing the guarantors steps and ensuring correctness.

17.3. Selection of Reports

Each validator shall perform auditing duties on each valid block received. Since we are entering off-chain logic, and we cannot assume consensus, we henceforth consider ourselves a specific validator of index $v$ and assume ourselves focused on some recent block $\mathbf{B}$ with other terms corresponding to the state-transition implied by that block, so $\rho$ is said block’s prior availability assignments, $\kappa$ is its prior validator set, $\mathbf{H}$ is its header &c. Practically, all considerations must be replicated for all blocks and multiple blocks’ considerations may be underway simultaneously.

We define the sequence of work-reports which we may be required to audit as $\mathbf{q}$ , a sequence of length equal to the number of active cores, which functions as a mapping of core index to a work-report which has just become available, or $\emptyset$ if no report became available on the core. Formally:

(17.1)		$\displaystyle\mathbf{q}$	$\displaystyle\in\mathopen{}\mathclose{{}\left\lsem\mathbb{R}\bm{?}}\right\rsem% _{\nicefrac{{\mathopen{}\mathclose{{}\left\|\kappa}\right\|}}{{3}}}$
(17.2)		$\displaystyle\mathbf{q}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left[\begin{rcases}(\rho\mathopen{% }\mathclose{{}\left[c}\right]_{\mathbf{g}})_{\mathbf{r}}&\text{if }(\rho% \mathopen{}\mathclose{{}\left[c}\right]_{\mathbf{g}})_{\mathbf{r}}\in\mathbf{R% }\\ \emptyset&\text{otherwise}\end{rcases}\;\middle\|\;c\mathrel{\mathrlap{<}{% \scalebox{0.95}[1.0]{$-$}}}\mathbb{N}_{\nicefrac{{\mathopen{}\mathclose{{}% \left\|\kappa}\right\|}}{{3}}}}\right]$

We define our initial audit tranche in terms of a verifiable random quantity $s_{0}$ created specifically for it:

(17.3)		$\displaystyle s_{0}$	$\displaystyle\in\accentset{\backsim}{\mathbb{V}}_{\kappa\mathopen{}\mathclose{% {}\left[v}\right]_{b}}^{\mathopen{}\mathclose{{}\left[}\right]}\mathopen{}% \mathclose{{}\left\langle\mathsf{X}_{U}\frown\mathcal{Y}\mathopen{}\mathclose{% {}\left(\mathbf{H}_{V}}\right)}\right\rangle$
(17.4)		$\displaystyle\mathsf{X}_{U}$	$\displaystyle=\text{{\small{\$jam\_audit}}}$

We may then define $\mathbf{a}_{0}$ as the non-empty items to audit through a verifiably random selection of ten cores:

(17.5)

\mathbf{a}_{0}=\mathopen{}\mathclose{{}\left\{\,\mathbf{r}\;\middle|\;\mathbf{% r}\in\mathcal{F}\mathopen{}\mathclose{{}\left(\mathbf{q},\mathcal{Y}\mathopen{% }\mathclose{{}\left(s_{0}}\right)}\right)_{\dots+10},\mathbf{r}\neq\emptyset\,% }\right\}

Every $\mathsf{A}=8$ seconds following a new time slot, a new tranche begins, and we may determine that additional cores warrant an audit from us. Such items are defined as $\mathbf{a}_{n}$ where $n$ is the current tranche. Formally:

(17.6)

\text{let }n=\mathopen{}\mathclose{{}\left\lfloor\frac{\mathcal{T}-\mathsf{P}% \cdot\mathbf{H}_{T}}{\mathsf{A}}}\right\rfloor

New tranches may contain items from $\mathbf{q}$ stemming from one of two reasons: either a negative judgment has been received; or the number of judgments from the previous tranche is less than the number of announcements from said tranche. In the first case, the validator is always required to issue a judgment on the work-report. In the second case, a new special-purpose vrf must be constructed to determine if an audit and judgment is warranted from us.

In all cases, we publish a signed statement of which of the cores we believe we are required to audit (an announcement) together with evidence of the vrf signature to select them and the other validators’ announcements from the previous tranche unmatched with a judgment in order that all other validators are capable of verifying the announcement. Publication of an announcement should be taken as a contract to complete the audit regardless of any future information.

Formally, for each tranche $n$ we ensure the announcement statement is published and distributed to all other validators along with our validator index $v$ , evidence $s_{n}$ and all signed data. Validator’s announcement statements must be in the set $S$ :

(17.7)	$\displaystyle S$	$\displaystyle\equiv\bar{\mathbb{V}}_{\kappa\mathopen{}\mathclose{{}\left[v}% \right]_{e}}\mathopen{}\mathclose{{}\left\langle\mathsf{X}_{I}\mathrel{\hbox to% 0.0pt{\hbox to7.0pt{\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill% \vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill}}\vbox to5.0pt{\vfill\hrule h% eight=0.6pt,depth=0.0pt,width=7.0pt\vfill}}n\frown\mathbf{x}_{n}\frown\mathcal% {H}\mathopen{}\mathclose{{}\left(\mathbf{H}}\right)}\right\rangle$
(17.8)	$\displaystyle\text{where }\mathbf{x}_{n}$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\{\,\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(\mathbf{r}_{c}}\right)% \frown\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{r}}\right)\;\middle\|\;% \mathbf{r}\in\mathbf{a}_{n}\,}\right\}}\right)$
(17.9)	$\displaystyle\mathsf{X}_{I}$	$\displaystyle=\text{{\small{\$jam\_announce}}}$

We define $A_{n}$ as our perception of which validators are required to audit each of the work-reports at tranche $n$ . This comes from each other validators’ announcements (defined above). It cannot be correctly evaluated until $n$ is current. We have absolute knowledge about our own audit requirements.

(17.10)

\displaystyle A_{n}:\mathbb{R}

\displaystyle\to\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}% \mathclose{{}\left[\,\mathbb{N}_{\mathopen{}\mathclose{{}\left|\kappa}\right|}% \,}\right]\mkern-5.0mu}\right\}

We further define $J_{\top}$ and $J_{\bot}$ to be the validator indices who we know to have made respectively, positive and negative, judgments mapped from each work-report. We don’t care from which tranche a judgment is made.

(17.12)

\displaystyle J_{\mathopen{}\mathclose{{}\left\{\,\bot,\top\,}\right\}}:% \mathbb{R}\to\mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}\mathclose{% {}\left[\,\mathbb{N}_{\mathopen{}\mathclose{{}\left|\kappa}\right|}\,}\right]% \mkern-5.0mu}\right\}

We are able to define $\mathbf{a}_{n}$ for tranches beyond the first on the basis of the number of validators who we know are required to conduct an audit yet from whom we have not yet seen a judgment. It is possible that the late arrival of information alters $\mathbf{a}_{n}$ and nodes should reevaluate and act accordingly should this happen.

We can thus define $\mathbf{a}_{n}$ beyond the initial tranche through a new vrf which acts upon the set of no-show validators.

	$\displaystyle\forall n>0:$
(17.13)		$\displaystyle\ s_{n}(\mathbf{r})$	$\displaystyle\in\accentset{\backsim}{\mathbb{V}}_{\kappa\mathopen{}\mathclose{% {}\left[v}\right]_{b}}^{\mathopen{}\mathclose{{}\left[}\right]}\mathopen{}% \mathclose{{}\left\langle\mathsf{X}_{U}\frown\mathcal{Y}\mathopen{}\mathclose{% {}\left(\mathbf{H}_{V}}\right)\frown\mathcal{H}\mathopen{}\mathclose{{}\left(% \mathbf{r}}\right)\mathrel{\hbox to0.0pt{\hbox to7.0pt{\hfill\vrule height=5.0% pt,depth=0.0pt,width=0.6pt\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt% \hfill}}\vbox to5.0pt{\vfill\hrule height=0.6pt,depth=0.0pt,width=7.0pt\vfill}% }n}\right\rangle$
(17.14)		$\displaystyle\ a_{n}(\mathbf{r})$	$\displaystyle\equiv\textstyle\frac{\mathopen{}\mathclose{{}\left\|\kappa}\right% \|}{256\mathsf{F}}\mathcal{Y}\mathopen{}\mathclose{{}\left(s_{n}(\mathbf{r})}% \right)_{0}<\mathopen{}\mathclose{{}\left\|A_{n-1}(\mathbf{r})\setminus J_{\top% }(\mathbf{r})}\right\|$
(17.15)		$\displaystyle\ \mathbf{a}_{n}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left\{\,\mathbf{r}\;\middle\|\;% \mathbf{r}\in\mathbf{q},\mathbf{r}\neq\emptyset,a_{n}(\mathbf{r})\,}\right\}$

We define our bias factor $\mathsf{F}=2$ , which is the expected number of validators which will be required to issue a judgment for a work-report given a single no-show in the tranche before. Modeling by [4] shows that this is optimal.

Later audits must be announced in a similar fashion to the first. If audit requirements lessen on the receipt of new information (i.e. a positive judgment being returned for a previous no-show), then any audits already announced are completed and judgments published. If audit requirements raise on the receipt of new information (i.e. an additional announcement being found without an accompanying judgment), then we announce the additional audit(s) we will undertake.

As $n$ increases with the passage of time $\mathbf{a}_{n}$ becomes known and defines our auditing responsibilities. We must attempt to reconstruct all work-package bundles corresponding to each work-report we must audit. This may be done through requesting erasure-coded chunks from one-third of the validators, verified through the erasure coding’s Merkle root, and reconstructing the bundles as per the recovery function $\mathcal{R}^{\mathopen{}\mathclose{{}\left|\kappa}\right|}$ defined in section H.

Thus, for any such work-report $\mathbf{r}$ we are assured we will be able to reconstruct some candidate work-package bundle $C(\mathbf{r})\in\mathbb{B}$ . We decode this candidate bundle into a work-package and its associated extrinsic data, imported segments, and imported segment proofs. These are verified as described in section 17.2. We then attempt to reproduce the report on the core to give $e_{n}$ , a mapping from reports to evaluations:

(17.16)			$\displaystyle\forall\mathbf{r}\in\mathbf{a}_{n}:$
			$\displaystyle e_{n}(\mathbf{r})\Leftrightarrow\begin{cases}M(\mathbf{r},% \mathbf{p})&\text{if }\exists\mathbf{p}\in\mathbb{P}:B(\mathbf{p},\mathbf{r}_{% \mathbf{l}})=C(\mathbf{r})\\ \bot&\text{otherwise}\end{cases}$
			$\displaystyle\text{where }M(\mathbf{r},\mathbf{p})\equiv\mathbf{r}=\Xi(\mathbf% {p},\mathbf{r}_{c},\mathbf{r}_{\mathbf{l}},(\mathbf{r}_{\mathbf{s}})_{v})$

Here, $B$ is the bundle assembly function as defined in equation 14.16 and $\Xi$ is the work-report computation function as defined in equation 14.13. Note that a failure to decode or verify the bundle implies an invalid work-report.

It may be possible to bypass the fetching of erasure-coded chunks and reconstruction of the bundle from them by asking a cooperative third party (e.g. an original guarantor) directly for the full bundle data. If this data cannot be decoded or verified however, we must fall back to reconstruction from erasure-coded chunks.

From the mapping $e_{n}$ the validator issues a set of judgments $\mathbf{j}_{n}$ :

(17.17)

\displaystyle\mathbf{j}_{n}

\displaystyle=\mathopen{}\mathclose{{}\left\{\,\bar{\mathcal{S}}_{\kappa% \mathopen{}\mathclose{{}\left[v}\right]_{e}}\mathopen{}\mathclose{{}\left(% \mathsf{X}_{e_{n}(\mathbf{r})}\frown\mathcal{H}\mathopen{}\mathclose{{}\left(% \mathbf{r}}\right)}\right)\;\middle|\;\mathbf{r}\in\mathbf{a}_{n}\,}\right\}

All judgments $\mathbf{j}_{*}$ should be published to other validators in order that they build their view of $J$ and in the case of a negative judgment arising, can form an extrinsic for $\mathbf{E}_{D}$ .

We consider a work-report as audited under two circumstances. Either, when it has no negative judgments and there exists some tranche in which we see a positive judgment from all validators who we believe are required to audit it; or when we see positive judgments for it from greater than two-thirds of the validator set.

(17.18)

\displaystyle U(\mathbf{r})

\displaystyle\Leftrightarrow\bigvee\,\mathopen{}\mathclose{{}\left\{\,\begin{% aligned} &J_{\bot}(\mathbf{r})=\emptyset\wedge\exists n:A_{n}(\mathbf{r})% \subseteq J_{\top}(\mathbf{r})\\ &\mathopen{}\mathclose{{}\left|J_{\top}(\mathbf{r})}\right|>\nicefrac{{2}}{{3}% }\mathopen{}\mathclose{{}\left|\kappa}\right|\end{aligned}}\right.

Our block $\mathbf{B}$ may be considered audited, a condition denoted $\mathbf{U}$ , when all the work-reports which were made available are considered audited. Formally:

(17.19)

\displaystyle\mathbf{U}

\displaystyle\Leftrightarrow\forall\mathbf{r}\in\mathbf{R}:U(\mathbf{r})

For any block we must judge it to be audited (i.e. $\mathbf{U}=\top$ ) before we vote for the block to be finalized in Grandpa. See section 19 for more information here.

Furthermore, we pointedly disregard chains which include the accumulation of a report which we know at least $\nicefrac{{1}}{{3}}$ of validators judge as being invalid. Any chains including such a block are not eligible for authoring on. The best block, i.e. that on which we build new blocks, is defined as the chain with the most regular Safrole blocks which does not contain any such disregarded block. Implementation-wise, this may require reversion to an earlier head or alternative fork.

As a block author, if we have observed a sufficient number of judgments for a work-report, and at least one negative judgment, we may construct a verdict for the work-report and include it in the disputes extrinsic. If the verdict establishes that the work-report is not valid (i.e. fewer than two-thirds-plus-one of judgments confirm validity) then, as per the preceding paragraph, it should be introduced on a chain where the report has not yet been accumulated. The verdict will cause the corresponding availability assignment to be cleared from $\rho$ , preventing accumulation of the invalid work-report. Refer to section 10 for more details on this.

18. Beefy Distribution

For each finalized block $\mathbf{B}$ which a validator imports, said validator shall make a bls signature on the bls12-381 curve, as defined by [17], affirming the Keccak hash of the block’s most recent Beefy mmr. This should be published and distributed freely, along with the signed material. These signatures may be aggregated in order to provide concise proofs of finality to third-party systems. The signing and aggregation mechanism is defined fully by [5].

Formally, let $\mathbf{F}_{v}$ be the signed commitment of validator index $v$ which will be published:

(18.1)		$\displaystyle\mathbf{F}_{v}$	$\displaystyle\equiv\accentset{\mathrm{B\!L\!S}}{\mathcal{S}}_{\kappa^{\prime}% \mathopen{}\mathclose{{}\left[v}\right]_{l}}\mathopen{}\mathclose{{}\left(% \mathsf{X}_{B}\frown\text{last}(\beta_{H})_{b}}\right)$
(18.2)		$\displaystyle\mathsf{X}_{B}$	$\displaystyle=\text{{\small{\$jam\_beefy}}}$

19. Grandpa and the Best Chain

Nodes take part in the Grandpa protocol as defined by [32].

We define the latest finalized block as $\mathbf{B}^{\natural}$ . All associated terms concerning block and state are similarly superscripted. We consider the best block, $\mathbf{B}^{\flat}$ to be that which is drawn from the set of acceptable blocks of the following criteria:

•

Has the finalized block as an ancestor.
•

Contains no unfinalized blocks where we see an equivocation (two valid blocks at the same timeslot).
•

Is considered audited.

Formally:

(19.1)	$\displaystyle\mathbf{A}(\mathbf{H}^{\flat})$	$\displaystyle\owns\mathbf{H}^{\natural}$
(19.2)	$\displaystyle\mathbf{U}^{\flat}$	$\displaystyle\equiv\top$
(19.3)	$\displaystyle\not\exists\mathbf{H}^{A},\mathbf{H}^{B}$	$\displaystyle:\bigwedge\mathopen{}\mathclose{{}\left\{\,\begin{aligned} % \mathbf{H}^{A}&\neq\mathbf{H}^{B}\\ \mathbf{H}^{A}_{T}&=\mathbf{H}^{B}_{T}\\ \mathbf{H}^{A}&\in\mathbf{A}(\mathbf{H}^{\flat})\\ \mathbf{H}^{A}&\not\in\mathbf{A}(\mathbf{H}^{\natural})\end{aligned}}\right.$

Of these acceptable blocks, that which contains the most ancestor blocks whose author used a slot-sealer ticket, rather than a fallback key should be selected as the best head, and thus the chain on which the participant should make Grandpa votes.

Formally, we aim to select $\mathbf{B}^{\flat}$ to maximize the value $m$ where:

(19.4)

m=\sum_{\mathbf{H}^{A}\in\mathbf{A}^{\flat}}\mathbf{T}^{A}

The specific data to be voted on in Grandpa shall be the block header of the best block, $\mathbf{B}^{\flat}$ together with its posterior state root, $\mathcal{M}_{\sigma}\mathopen{}\mathclose{{}\left(\sigma^{\prime}}\right)$ . The state root has no direct relevance to the Grandpa protocol, but is included alongside the header during voting/signing into order to ensure that systems utilizing the output of Grandpa are able to verify the most recent chain state as possible.

This implies that the posterior state must be known at the time that Grandpa voting occurs in order to finalize the block. However, since Grandpa is relied on primarily for state-root verification it makes little sense to finalize a block without an associated commitment to the posterior state.

The posterior state only affects Grandpa voting in so much as votes for the same block hash but with different associated posterior state roots are considered votes for different blocks. This would only happen in the case of a misbehaving node or an ambiguity in the present document.

20. Discussion

20.1. Technical Characteristics

In total, with our stated target of 1,023 validators and three validators per core, along with requiring a mean of ten audits per validator per timeslot, and thus 30 audits per work-report, Jam is capable of trustlessly processing and integrating 341 work-packages per timeslot.

We assume node hardware is a modern 16 core cpu with 64gb ram, 8tb secondary storage and 0.5gbe networking.

Our performance models assume a rough split of cpu time as follows:

	Proportion
Audits	$\nicefrac{{10}}{{16}}$
Merklization	$\nicefrac{{1}}{{16}}$
Block execution	$\nicefrac{{2}}{{16}}$
Grandpa and Beefy	$\nicefrac{{1}}{{16}}$
Erasure coding	$\nicefrac{{1}}{{16}}$
Networking & misc	$\nicefrac{{1}}{{16}}$

Estimates for network bandwidth requirements are as follows:

Throughput, mb/slot	Tx	Rx
Guaranteeing	106	48
Assuring	144	13
Auditing	0	133
Authoring	53	87
Grandpa and Beefy	4	4
Total	304	281
Implied bandwidth, mb/s	387	357

Thus, a connection able to sustain 500mb/s should leave a sufficient margin of error and headroom to serve other validators as well as some public connections, though the burstiness of block publication would imply validators are best to ensure that peak bandwidth is higher.

Under these conditions, we would expect an overall network-provided data availability capacity of 2pb, with each node dedicating at most $6$ tb to availability storage.

Estimates for memory usage are as follows:

	gb
Auditing	20	2 $\times$ 10 pvm instances
Block execution	2	1 pvm instance
State cache	40
Misc	2
Total	64

As a rough guide, each parachain has an average footprint of around 2mb in the Polkadot Relay chain; a 40gb state would allow 20,000 parachains’ information to be retained in state.

What might be called the “virtual hardware” of a Jam core is essentially a regular cpu core executing at somewhere between 25% and 50% of regular speed for the whole six-second portion and which may draw and provide 2mb/s average in general-purpose i/o and utilize up to 2gb in ram. The i/o includes any trustless reads from the Jam chain state, albeit in the recent past. This virtual hardware also provides unlimited reads from a semi-static preimage-lookup database.

Each work-package may occupy this hardware and execute arbitrary code on it in six-second segments to create some result of at most 48kb. This work-result is then entitled to 10ms on the same machine, this time with no “external” i/o, but instead with full and immediate access to the Jam chain state and may alter the service(s) to which the results belong.

20.2. Illustrating Performance

In terms of pure processing power, the Jam machine architecture can deliver extremely high levels of homogeneous trustless computation. However, the core model of Jam is a classic parallelized compute architecture, and for solutions to be able to utilize the architecture well they must be designed with it in mind to some extent. Accordingly, until such use-cases appear on Jam with similar semantics to existing ones, it is very difficult to make direct comparisons to existing systems. That said, if we indulge ourselves with some assumptions then we can make some crude comparisons.

20.2.1. Comparison to Polkadot

Polkadot is at present capable of validating at most 80 parachains each doing one second of native computation and 5mb of i/o in every six. This corresponds to an aggregate compute performance of around 13x native cpu and a total 24-hour distributed availability of around 67mb/s. Accumulation is beyond Polkadot’s capabilities and so not comparable.

For comparison, in our basic models, Jam should be capable of attaining around 85x the computation load of a single native cpu core and a distributed availability of 682mb/s.

20.2.2. Simple Transfers

We might also attempt to model a simple transactions-per-second amount, with each transaction requiring a signature verification and the modification of two account balances. Once again, until there are clear designs for precisely how this would work we must make some assumptions. Our most naive model would be to use the Jam cores (i.e. refinement) simply for transaction verification and account lookups. The Jam chain would then hold and alter the balances in its state. This is unlikely to give great performance since almost all the needed i/o would be synchronous, but it can serve as a basis.

A 12mb work-package can hold around 96k transactions at 128 bytes per transaction. However, a 48kb work-result could only encode around 6k account updates when each update is given as a pair of a 4 byte account index and 4 byte balance, resulting in a limit of 3k transactions per package, or 171k tps in total. It is possible that the eight bytes could typically be compressed by a byte or two, increasing maximum throughput a little. Our expectations are that state updates, with highly parallelized Merklization, can be done at between 500k and 1 million reads/write per second, implying around 250k-350k tps, depending on which turns out to be the bottleneck.

A more sophisticated model would be to use the Jam cores for balance updates as well as transaction verification. We would have to assume that state and the transactions which operate on them can be partitioned between work-packages with some degree of efficiency, and that the 12mb of the work-package would be split between transaction data and state witness data. Our basic models predict that a 32-bit account system paginated into $2^{10}$ accounts/page and 128 bytes per transaction could, assuming only around 1% of oraclized accounts were useful, average upwards of 1.4mtps depending on partitioning and usage characteristics. Partitioning could be done with a fixed fragmentation (essentially sharding state), a rotating partition pattern or a dynamic partitioning (which would require specialized sequencing).

Interestingly, we expect neither model to be bottlenecked in computation, meaning that transactions could be substantially more sophisticated, perhaps with more flexible cryptography or smart-contract functionality, without a significant impact on performance.

20.2.3. Computation Throughput

The tps metric does not lend itself well to measuring distributed systems’ computational performance, so we now turn to another slightly more compute-focussed benchmark: the evm. The basic YP Ethereum network, now approaching a decade old, is probably the best known example of general purpose decentralized computation and makes for a reasonable yardstick. It is able to sustain a computation and i/o rate of 1.25M gas/sec, with a peak throughput of twice that. The evm gas metric was designed to be a time-proportional metric for predicting and constraining program execution. Attempting to determine a concrete comparison to pvm throughput is non-trivial and necessarily opinionated owing to the disparity between the two platforms, including word size, endianness, stack/register architecture and memory model. However, we will attempt to determine a reasonable range of values.

Evm gas does not directly translate into native execution as it also combines state reads and writes as well as transaction input data, implying it is able to process some combination of up to 595 storage reads, 57 storage writes and 1.25M computation-gas as well as 78kb input data in each second, trading one against the other.¹³¹³ 13 The latest “proto-danksharding” changes allow it to accept 87.3kb/s in committed-to data though this is not directly available within state, so we exclude it from this illustration, though including it with the input data would change the results little. We cannot find any analysis of the typical breakdown between storage i/o and pure computation, so to make a very conservative estimate, we assume it does all four. In reality, we would expect it to be able to do on average $\nicefrac{{1}}{{4}}$ of each.

Our experiments¹⁴¹⁴ 14 This is detailed at {https://hackmd.io/@XXX9CM1uSSCWVNFRYaSB5g/HJarTUhJA} and intended to be updated as we get more information. show that on modern, high-end consumer hardware with a high-quality evm implementation, we can expect somewhere between 100 and 500 gas/µs in throughput on pure-compute workloads (we specifically utilized Odd-Product, Triangle-Number and several implementations of the Fibonacci calculation). To make a conservative comparison to pvm, we propose transpilation of the evm code into pvm code and then re-execution of it under the Polkavm prototype.¹⁵¹⁵ 15 It is conservative since we don’t take into account that the source code was originally compiled into evm code and thus the pvm machine code will replicate architectural artifacts and thus is very likely to be pessimistic. As an example, all arithmetic operations in evm are 256-bit and 64-bit native pvm is being forced to honor this even if the source code only actually required 64-bit values.

To help estimate a reasonable lower-bound of evm gas/µs, e.g. for workloads which are more memory and i/o intensive, we look toward real-world permissionless deployments of the evm and see that the Moonbeam network, after correcting for the slowdown of executing within the recompiled WebAssembly platform on the somewhat conservative Polkadot hardware platform, implies a throughput of around 100 gas/µs. We therefore assert that in terms of computation, 1µs approximates to around 100-500 evm gas on modern high-end consumer hardware.¹⁶¹⁶ 16 We speculate that the substantial range could possibly be caused in part by the major architectural differences between the evm isa and typical modern hardware.

Benchmarking and regression tests show that the prototype pvm engine has a fixed preprocessing overhead of around 5ns/byte of program code and, for arithmetic-heavy tasks at least, a marginal factor of 1.6-2% compared to evm execution, implying an asymptotic speedup of around 50-60x. For machine code 1mb in size expected to take of the order of a second to compute, the compilation cost becomes only 0.5% of the overall time. ¹⁷¹⁷ 17 As an example, our odd-product benchmark, a very much pure-compute arithmetic task, execution takes 58s on evm, and 1.04s within our pvm prototype, including all preprocessing. For code not inherently suited to the 256-bit evm isa, we would expect substantially improved relative execution times on pvm, though more work must be done in order to gain confidence that these speed-ups are broadly applicable.

If we allow for preprocessing to take up to the same component within execution as the marginal cost (owing to, for example, an extremely large but short-running program) and for the pvm metering to imply a safety overhead of 2x to execution speeds, then we can expect a Jam core to be able to process the equivalent of around 1,500 evm gas/µs. Owing to the crudeness of our analysis we might reasonably predict it to be somewhere within a factor of three either way—i.e. 500-5,000 evm gas/µs.

Jam cores are each capable of 2mb/s bandwidth, which must include any state i/o and data which must be newly introduced (e.g. transactions). While writes come at comparatively little cost to the core, only requiring hashing to determine an eventual updated Merkle root, reads must be witnessed, with each one costing around 640 bytes of witness conservatively assuming a one-million entry binary Merkle trie. This would result in a maximum of a little over 3k reads/second/core, with the exact amount dependent upon how much of the bandwidth is used for newly introduced input data.

Aggregating everything across Jam, excepting accumulation which could add further throughput, numbers can be multiplied by 341 (with the caveat that each one’s computation cannot interfere with any of the others’ except through state oraclization and accumulation). Unlike for roll-up chain designs such as Polkadot and Ethereum, there is no need to have persistently fragmented state. Smart-contract state may be held in a coherent format on the Jam chain so long as any updates are made through the 8kb/core/sec work-results, which would need to contain only the hashes of the altered contracts’ state roots.

Under our modelling assumptions, we can therefore summarize:

	Eth. L1	Jam Core	Jam
Compute (evm gas/µs)	$1.25^{\dagger}$	500-5,000	0.15-1.5m
State writes (s^-1)	$57^{\dagger}$	n/a	n/a
State reads (s^-1)	$595^{\dagger}$	4k^‡	1.4m^‡
Input data (s^-1)	78kb^†	2mb^‡	682mb^‡

What we can see is that Jam’s overall predicted performance profile implies it could be comparable to many thousands of that of the basic Ethereum L1 chain. The large factor here is essentially due to three things: spacial parallelism, as Jam can host several hundred cores under its security apparatus; temporal parallelism, as Jam targets continuous execution for its cores and pipelines much of the computation between blocks to ensure a constant, optimal workload; and platform optimization by using a vm and gas model which closely fits modern hardware architectures.

It must however be understood that this is a provisional and crude estimation only. It is included only for the purpose of expressing Jam’s performance in tangible terms. Specifically, it does not take into account:

•

that these numbers are based on real performance of Ethereum and performance modelling of Jam (though our models are based on real-world performance of the components);
•

any L2 scaling which may be possible with either Jam or Ethereum;
•

the state partitioning which uses of Jam would imply;
•

the as-yet unfixed gas model for the pvm;
•

that pvm/evm comparisons are necessarily imprecise;
•

(^†) all figures for Ethereum L1 are drawn from the same resource: on average each figure will be only $\nicefrac{{1}}{{4}}$ of this maximum.
•

(^‡) the state reads and input data figures for Jam are drawn from the same resource: on average each figure will be only $\nicefrac{{1}}{{2}}$ of this maximum.

We leave it as further work for an empirical analysis of performance and an analysis and comparison between Jam and the aggregate of a hypothetical Ethereum ecosystem which included some maximal amount of L2 deployments together with full Dank-sharding and any other additional consensus elements which they would require. This, however, is out of scope for the present work.

21. Conclusion

We have introduced a novel computation model which is able to make use of pre-existing crypto-economic mechanisms in order to deliver major improvements in scalability without causing persistent state-fragmentation and thus sacrificing overall cohesion. We call this overall pattern collect-refine-join-accumulate. Furthermore, we have formally defined the on-chain portion of this logic, essentially the join-accumulate portion. We call this protocol the Jam chain.

We argue that the model of Jam provides a novel “sweet spot”, allowing for massive amounts of computation to be done in secure, resilient consensus compared to fully-synchronous models, and yet still have strict guarantees about both timing and integration of the computation into some singleton state machine unlike persistently fragmented models.

21.1. Further Work

While we are able to estimate theoretical computation possible given some basic assumptions and even make broad comparisons to existing systems, practical numbers are invaluable. We believe the model warrants further empirical research in order to better understand how these theoretical limits translate into real-world performance. We feel a proper cost analysis and comparison to pre-existing protocols would also be an excellent topic for further work.

We can be reasonably confident that the design of Jam allows it to host a service under which Polkadot parachains could be validated, however further prototyping work is needed to understand the possible throughput which a pvm-powered metering system could support. We leave such a report as further work. Likewise, we have also intentionally omitted details of higher-level protocol elements including cryptocurrency, coretime sales, staking and regular smart-contract functionality.

A number of potential alterations to the protocol described here are being considered in order to make practical utilization of the protocol easier. These include:

•

Synchronous calls between services in accumulate.
•

Restrictions on the transfer function in order to allow for substantial parallelism over accumulation.
•

The possibility of reserving substantial additional computation capacity during accumulate under certain conditions.
•

Introducing Merklization into the Work Package format in order to obviate the need to have the whole package downloaded in order to evaluate its authorization.

The networking protocol is also left intentionally undefined at this stage and its description must be done in a follow-up proposal.

Validator performance is not presently tracked on-chain. We do expect this to be tracked on-chain in the final revision of the Jam protocol, but its specific format is not yet certain and it is therefore omitted at present.

22. Acknowledgements

Much of this present work is based in large part on the work of others. The Web3 Foundation research team and in particular Alistair Stewart and Jeff Burdges are responsible for Elves, the security apparatus of Polkadot which enables the possibility of in-core computation for Jam. The same team is responsible for Sassafras, Grandpa and Beefy.

Safrole is a mild simplification of Sassafras and was made under the careful review of Davide Galassi and Alistair Stewart.

The original CoreJam rfc was refined under the review of Bastian Köcher and Robert Habermeier and most of the key elements of that proposal have made their way into the present work.

The pvm is a formalization of a partially simplified PolkaVM software prototype, developed by Jan Bujak. Cyrill Leutwiler contributed to the empirical analysis of the pvm reported in the present work.

The PolkaJam team and in particular Arkadiy Paronyan, Emeric Chevalier and Dave Emett have been instrumental in the design of the lower-level aspects of the Jam protocol, especially concerning Merklization and i/o.

Numerous contributors to the repository since publication have helped correct errors. Thank you to all.

And, of course, thanks to the awesome Lemon Jelly, a.k.a. Fred Deakin and Nick Franglen, for three of the most beautiful albums ever produced, the cover art of the first of which was inspiration for this paper’s background art.

Appendix A Polkadot Virtual Machine

A.1. Basic Definition

We declare the general pvm function $\Psi$ . We assume a single-step invocation function define $\Psi_{1}$ and define the full pvm recursively as a sequence of such mutations up until the single-step mutation results in a halting condition. We additionally define the function deblob which extracts the instruction data, opcode bitmask and dynamic jump table from a pvm program blob, validates its structure, and verifies whether the given $\imath$ is a valid instruction counter location within the program:

(A.1)		$\displaystyle\Psi$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathbb{B},\mathbb{N}_{R},\mathbb{N}_{G},{\mathopen{% }\mathclose{{}\left\{\,\bot,\top\,}\right\}},\mathopen{}\mathclose{{}\left% \lsem\mathbb{N}_{R}}\right\rsem_{13},\mathbb{M}}\right\rgroup\!&\to\!\mathopen% {}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\{\,\blacksquare,% \lightning,\infty\,}\right\}\cup\mathopen{}\mathclose{{}\left\{\,\text{% \raisebox{6.0pt}{\rotatebox{180.0}{{F}}}},\hbar\,}\right\}\times\mathbb{N}_{R}% ,\mathbb{N}_{R},\mathbb{N}_{G},{\mathopen{}\mathclose{{}\left\{\,\bot,\top\,}% \right\}},\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13},% \mathbb{M}}\right\rgroup\!\\ \mathopen{}\mathclose{{}\left(\mathfrak{p},\imath,\varrho,\tilde{\varrho},% \varphi,{\mu}}\right)&\mapsto\begin{cases}\Psi(\mathfrak{p},\imath^{\prime},% \varrho^{\prime},\tilde{\varrho}^{\prime},\varphi^{\prime},{\mu}^{\prime})&% \text{if }\varepsilon=\blacktriangleright\\ \mathopen{}\mathclose{{}\left(\varepsilon,0,\varrho^{\prime},\tilde{\varrho}^{% \prime},\varphi^{\prime},{\mu}^{\prime}}\right)&\text{if }\varepsilon\in% \mathopen{}\mathclose{{}\left\{\,\lightning,\blacksquare\,}\right\}\\ \mathopen{}\mathclose{{}\left(\varepsilon,\imath,\varrho^{\prime},\tilde{% \varrho}^{\prime},\varphi,{\mu}}\right)&\text{otherwise}\end{cases}\\ \text{where }\mathopen{}\mathclose{{}\left(\varepsilon,\imath^{\prime},\varrho% ^{\prime},\tilde{\varrho}^{\prime},\varphi^{\prime},{\mu}^{\prime}}\right)&=% \begin{cases}\Psi_{1}(\mathbf{c},\mathbf{k},\mathbf{j},\imath,\varrho,\tilde{% \varrho},\varphi,{\mu})&\text{if }\mathopen{}\mathclose{{}\left(\mathbf{c},% \mathbf{k},\mathbf{j}}\right)=\text{deblob}(\mathfrak{p},\imath)\\ \mathopen{}\mathclose{{}\left(\lightning,\imath,\varrho,\tilde{\varrho},% \varphi,{\mu}}\right)&\text{otherwise}\end{cases}\end{aligned}}\right.$
(A.4)		deblob	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{array}[]{@{}l@{}}% \begin{aligned} (\mathbb{B},\mathbb{N}_{R})&\to\!\mathopen{}\mathclose{{}\left% \lgroup\mathbb{B},\mathbb{b},\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}% \right\rsem}\right\rgroup\!\cup\nabla\\ (\mathfrak{p},\imath)&\mapsto\begin{cases}\mathopen{}\mathclose{{}\left(% \mathbf{c},\mathbf{k},\mathbf{j}}\right)&\text{if }\exists!\,\mathbf{c},% \mathbf{k},\mathbf{j}:\mathfrak{p}=\mathcal{E}\mathopen{}\mathclose{{}\left(% \mathopen{}\mathclose{{}\left\|\mathbf{j}}\right\|}\right)\frown\mathcal{E}_{1}% \mathopen{}\mathclose{{}\left(z}\right)\frown\mathcal{E}\mathopen{}\mathclose{% {}\left(\mathopen{}\mathclose{{}\left\|\mathbf{c}}\right\|}\right)\frown\mathcal% {E}_{z}\mathopen{}\mathclose{{}\left(\mathbf{j}}\right)\frown\mathcal{E}% \mathopen{}\mathclose{{}\left(\mathbf{c}}\right)\frown\mathcal{E}\mathopen{}% \mathclose{{}\left(\mathbf{k}}\right)\,,\ \mathfrak{v}_{\text{blob}}(\mathbf{c% },\mathbf{k},0)\land\mathfrak{v}_{\text{inst}}(\mathbf{c},\mathbf{k},\imath)\\ \nabla&\text{otherwise}\end{cases}\\ \end{aligned}\\[14.0pt] \hskip 8.0pt\begin{aligned} \\[0.2pt] \text{where }\mathfrak{v}_{\text{blob}}\colon&\mathopen{}\mathclose{{}\left\{% \begin{aligned} \!\mathopen{}\mathclose{{}\left\lgroup\mathbb{B},\mathbb{b},% \mathbb{N}_{R}}\right\rgroup\!&\to{\mathopen{}\mathclose{{}\left\{\,\bot,\top% \,}\right\}}\\ (\mathbf{c},\mathbf{k},\imath)&\mapsto\begin{cases}\top&\text{if }\imath>0% \land\imath=\mathopen{}\mathclose{{}\left\|\mathbf{k}}\right\|\\ \bot&\text{otherwise if }\imath+1+\text{skip}(\imath)=\mathopen{}\mathclose{{}% \left\|\mathbf{k}}\right\|\land\mathbf{c}_{\imath}\not\in T\\ \mathfrak{v}_{\text{blob}}(\mathbf{c},\mathbf{k},\imath+1+\text{skip}(\imath))% &\text{otherwise if }\mathfrak{v}_{\text{inst}}(\mathbf{c},\mathbf{k},\imath)% \\ \bot&\text{otherwise}\end{cases}\end{aligned}}\right.\\ \mathfrak{v}_{\text{inst}}\colon&\mathopen{}\mathclose{{}\left\{\begin{aligned% } \!\mathopen{}\mathclose{{}\left\lgroup\mathbb{B},\mathbb{b},\mathbb{N}_{R}}% \right\rgroup\!&\to{\mathopen{}\mathclose{{}\left\{\,\bot,\top\,}\right\}}\\ (\mathbf{c},\mathbf{k},\imath)&\mapsto\mathopen{}\mathclose{{}\left\|\mathbf{k}% }\right\|=\mathopen{}\mathclose{{}\left\|\mathbf{c}}\right\|\land\imath<\mathopen% {}\mathclose{{}\left\|\mathbf{k}}\right\|\land\mathbf{k}_{\imath}=1\land\mathbf{% c}_{\imath}\in U\end{aligned}}\right.\\ \\[0.2pt] &U\text{ and }T\text{ are described in sec. \ref{sec:basicblocks}, and \emph{% skip} in eq. \ref{eq:skip}}\end{aligned}\end{array}}\right.$

The pvm exit reason $\varepsilon\in\mathopen{}\mathclose{{}\left\{\,\blacksquare,\lightning,\infty% \,}\right\}\cup\mathopen{}\mathclose{{}\left\{\,\text{\raisebox{6.0pt}{% \rotatebox{180.0}{{F}}}},\hbar\,}\right\}\times\mathbb{N}_{R}$ may be one of regular halt $\blacksquare$ , panic $\lightning$ or out-of-gas $\infty$ , or alternatively a host-call $\hbar$ , in which the host-call identifier is associated, or page-fault F in which case the address into ram is associated.

In the case of a final halt, either through panic or success, the instruction counter returned is zero. In all other cases, the return value of the instruction counter indexes the one which caused the exit to happen and the machine state represents the prior state of said instruction, thus ensuring de facto consistency. In order to continue beyond these exit cases, some environmental factor must be adjusted; for a page-fault, ram must be changed, for a gas-underflow, more gas must be supplied and for a host-call, the instruction-counter must be incremented and the relevant host-call state-transition performed.

A.2. Instructions, Opcodes and Skip-distance

The pvm program blob $\mathfrak{p}$ is split into a series of octets which make up the instruction data $\mathbf{c}$ and the opcode bitmask $\mathbf{k}$ as well as the dynamic jump table, $\mathbf{j}$ . The former two imply an instruction sequence, and by extension a basic-block sequence, itself a sequence of indices of the instructions which follow a block-termination instruction.

The latter, dynamic jump table, is a sequence of indices into the instruction data blob and is indexed into when dynamically-computed jumps are taken. It is encoded as a sequence of natural numbers (i.e. non-negative integers) each encoded with the same length in octets. This length, term $z$ above, is itself encoded prior.

The pvm counts instructions in octet terms (rather than in terms of instructions) and it is thus necessary to define which octets represent the beginning of an instruction, i.e. the opcode octet, and which do not. This is the purpose of $\mathbf{k}$ , the instruction-opcode bitmask. We assert that the length of the bitmask is equal to the length of the instruction blob.

We define the Skip function skip which provides the number of octets, minus one, to the next instruction’s opcode, given the index of instruction’s opcode index into $\mathbf{c}$ (and by extension $\mathbf{k}$ ):

(A.5)

\text{skip}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{N}&\to% \mathbb{N}\\ i&\mapsto\min(24,\ j\in\mathbb{N}:\mathopen{}\mathclose{{}\left(\mathbf{k}% \frown\mathopen{}\mathclose{{}\left[1,1,\dots}\right]}\right)_{i+1+j}=1)\end{% aligned}}\right.

The Skip function appends $\mathbf{k}$ with a sequence of set bits in order to ensure a well-defined result for the final instruction $\text{skip}(\mathopen{}\mathclose{{}\left|\mathbf{c}}\right|-1)$ .

Given some instruction-index $i$ , its opcode is readily expressed as $\mathbf{c}_{i}$ and the distance in octets to move forward to the next instruction is $1+\text{skip}(i)$ . However, each instruction’s “length” (defined as the number of contiguous octets starting with the opcode which are needed to fully define the instruction’s semantics) is left implicit though limited to being at most 16.

We define $\zeta$ as being equivalent to the instructions $\mathbf{c}$ except with an indefinite sequence of zeroes suffixed to ensure that no out-of-bounds access is possible. This effectively defines any otherwise-undefined arguments to the final instruction and ensures that a trap will occur if the program counter passes beyond the program code. Formally:

(A.6)

\zeta\equiv\mathbf{c}\frown\mathopen{}\mathclose{{}\left[0,0,\dots}\right]

A.3. Basic Blocks and Termination Instructions

Instructions of the following opcodes are considered basic-block termination instructions; other than trap & fallthrough, they correspond to instructions which may define the instruction-counter to be something other than its prior value plus the instruction’s skip amount:

•

Trap and fallthrough: trap , fallthrough
•

Jumps: jump , jump_ind
•

Load-and-Jumps: load_imm_jump , load_imm_jump_ind
•

Branches: branch_eq , branch_ne , branch_ge_u , branch_ge_s , branch_lt_u , branch_lt_s , branch_eq_imm , branch_ne_imm
•

Immediate branches: branch_lt_u_imm , branch_lt_s_imm , branch_le_u_imm , branch_le_s_imm , branch_ge_u_imm , branch_ge_s_imm , branch_gt_u_imm , branch_gt_s_imm

We denote this set, as opcode indices rather than names, as $T$ , which is a subset of all valid opcode indices $U$ . We define the instruction opcode indices denoting the beginning of basic-blocks as $\varpi$ :

(A.7)

\varpi\equiv\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left\{\,0\,% }\right\}\cup\mathopen{}\mathclose{{}\left\{\,n+1+\text{skip}(n)\;\middle|\;n% \in\mathbb{N}_{\mathopen{}\mathclose{{}\left|\mathbf{c}}\right|}\wedge\mathbf{% k}_{n}=1\wedge\mathbf{c}_{n}\in T\,}\right\}}\right)\cap\mathopen{}\mathclose{% {}\left\{\,n\;\middle|\;\mathbf{k}_{n}=1\wedge\mathbf{c}_{n}\in U\,}\right\}

For convenience we will define function $\mathfrak{L}$ which represents the start of a basic block for any $\imath$ within that basic block. Formally:

(A.8)

\mathfrak{L}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{N}_{R% }&\to\mathbb{N}_{R}\\ \imath&\mapsto\max(j\in\varpi:j\leq\imath)\end{aligned}}\right.

A.4. Single-Step State Transition

We must now define the single-step pvm state-transition function $\Psi_{1}$ :

(A.9)

\Psi_{1}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{B},\mathbb{b},\mathopen{}\mathclose{{}\left% \lsem\mathbb{N}_{R}}\right\rsem,\mathbb{N}_{R},\mathbb{N}_{G},{\mathopen{}% \mathclose{{}\left\{\,\bot,\top\,}\right\}},\mathopen{}\mathclose{{}\left\lsem% \mathbb{N}_{R}}\right\rsem_{13},\mathbb{M}}\right\rgroup\!&\to\!\mathopen{}% \mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\{\,\lightning,% \blacksquare,\blacktriangleright\,}\right\}\cup\mathopen{}\mathclose{{}\left\{% \,\text{\raisebox{6.0pt}{\rotatebox{180.0}{{F}}}},\hbar\,}\right\}\times% \mathbb{N}_{R},\mathbb{N}_{R},\mathbb{N}_{G},{\mathopen{}\mathclose{{}\left\{% \,\bot,\top\,}\right\}},\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}% \right\rsem_{13},\mathbb{M}}\right\rgroup\!\\ \mathopen{}\mathclose{{}\left(\mathfrak{p},\mathbf{k},\mathbf{j},\imath,% \varrho,\tilde{\varrho},\varphi,{\mu}}\right)&\mapsto\mathopen{}\mathclose{{}% \left(\varepsilon^{*},\imath^{*},\varrho^{*},\tilde{\varrho}^{*},\varphi^{*},{% \mu}^{*}}\right)\end{aligned}}\right.

On the very first step of execution, and every time the execution enters a new basic block or jumps back to the beginning of the current basic block, the gas counter of the machine is updated according to the gas cost function $\varrho^{\Delta}$ (A.56) of the target basic block. No instruction is allowed to execute within a basic block unless the gas cost for the entire basic block has been charged in advance. In case there’s not enough gas remaining to cover the full gas cost, the execution is interrupted and the gas counter remains unchanged. Formally:

(A.10)

\mathopen{}\mathclose{{}\left(\varepsilon^{\varrho},\varrho^{*},\tilde{\varrho% }^{\prime}}\right)=\begin{cases}\mathopen{}\mathclose{{}\left(% \blacktriangleright,\varrho,\top}\right)&\text{if }\tilde{\varrho}=\top\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\varrho-\varrho^{\Delta}(% \mathbf{c},\mathbf{k},\mathfrak{L}(\imath)),\top}\right)&\text{otherwise if }% \varrho\geq\varrho^{\Delta}(\mathbf{c},\mathbf{k},\mathfrak{L}(\imath))\\ \mathopen{}\mathclose{{}\left(\infty,\varrho,\bot}\right)&\text{otherwise}\end% {cases}

During the course of executing instructions ram may be accessed. When an index of ram below $2^{16}$ is required, the machine always panics immediately without further changes to its state regardless of the apparent (in)accessibility of the value. Otherwise, should the given index of ram not be accessible then machine state remains unchanged and the exit reason is a fault with the lowest inaccessible page address to be read. Similarly, where ram must be mutated and yet mutable access is not possible, then machine state is unchanged, and the exit reason is a fault with the lowest page address to be written which is inaccessible.

Formally, let $\mathbf{r}$ and $\mathbf{w}$ be the set of indices by which ${\mu}$ must be subscripted for inspection and mutation respectively in order to calculate the result of $\Psi_{1}$ . We define the memory-access exceptional execution state $\varepsilon^{\mu}$ as following:

(A.11)		$\displaystyle\varepsilon^{\mu}$	$\displaystyle=\begin{cases}\blacktriangleright&\text{if }\mathbf{x}=\emptyset% \\ \lightning&\text{if }\min(\mathbf{x})\bmod 2^{32}<2^{16}\\ \text{\raisebox{6.0pt}{\rotatebox{180.0}{{F}}}}\times\mathsf{Z}_{P}\mathopen{}% \mathclose{{}\left\lfloor\min(\mathbf{x})\bmod 2^{32}\div\mathsf{Z}_{P}}\right% \rfloor&\text{otherwise}\end{cases}$
(A.11)		$\displaystyle\text{where }\mathbf{x}$	$\displaystyle=\mathopen{}\mathclose{{}\left\{\,x\;\middle\|\;x\in\mathbf{r}% \wedge x\bmod 2^{32}\not\in\mathbb{V}_{{\mu}}\ \vee\ x\in\mathbf{w}\wedge x% \bmod 2^{32}\not\in\mathbb{V}_{{\mu}}^{*}\,}\right\}$

We define the final execution state, the value of the instruction counter, the values of the registers and the memory as follows:

(A.12)

\displaystyle\mathopen{}\mathclose{{}\left(\varepsilon^{*},\imath^{*},\varphi^% {*},{\mu}^{*}}\right)

\displaystyle=\begin{cases}\mathopen{}\mathclose{{}\left(\varepsilon^{\varrho}% ,\imath,\varphi,{\mu}}\right)&\text{if }\varepsilon^{\varrho}\neq% \blacktriangleright\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\mu},\imath,\varphi,{\mu}}\right)&% \text{otherwise if }\varepsilon^{\mu}\neq\blacktriangleright\\ \mathopen{}\mathclose{{}\left(\varepsilon,\imath^{\prime},\varphi^{\prime},{% \mu}^{\prime}}\right)&\text{otherwise}\end{cases}

We also have to adjust the state based on the executed instruction, to force a gas charge on the next step when necessary:

(A.13)

\tilde{\varrho}^{*}=\begin{cases}\bot&\text{if }\tilde{\varrho}^{\prime}=\bot% \lor(\mathbf{c}_{\imath}\in T\land\varepsilon^{*}\in\mathopen{}\mathclose{{}% \left\{\,\blacktriangleright\,}\right\}\cup\mathopen{}\mathclose{{}\left\{\,% \hbar\,}\right\}\times\mathbb{N}_{R})\\ \top&\text{otherwise}\end{cases}

We define $\varepsilon$ together with the posterior values of regular execution (denoted as prime) of each of the items of the machine state as being in accordance with the table below. When transitioning machine state for an instruction, a number of conditions typically hold true and instructions are defined essentially by their exceptions to these rules. Specifically, the machine does not halt, the instruction counter increments by one and ram & registers are unchanged. Formally:

(A.14)

\varepsilon=\blacktriangleright,\quad\imath^{\prime}=\imath+1+\text{skip}(% \imath),\quad\varphi^{\prime}=\varphi,\quad{\mu}^{\prime}={\mu}\text{ except % as indicated }

We define signed/unsigned transitions for various octet widths:

(A.15)	$\displaystyle\mathcal{Z}_{n\in\mathbb{N}}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{N}_{% 2^{8n}}&\to\mathbb{Z}_{-2^{8n-1}\dots 2^{8n-1}}\\ a&\mapsto\begin{cases}a&\text{if }a<2^{8n-1}\\ a-\ 2^{8n}&\text{otherwise}\end{cases}\end{aligned}}\right.$
(A.16)	$\displaystyle\mathcal{Z}_{n\in\mathbb{N}}^{-1}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{Z}_{% -2^{8n-1}\dots 2^{8n-1}}&\to\mathbb{N}_{2^{8n}}\\ a&\mapsto(2^{8n}+a)\bmod 2^{8n}\end{aligned}}\right.$
(A.17)	$\displaystyle\mathcal{B}_{n\in\mathbb{N}}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{N}_{% 2^{8n}}&\to\mathbb{b}_{8n}\\ x&\mapsto\mathbf{y}:\forall i\in\mathbb{N}_{8n}:\mathbf{y}\mathopen{}% \mathclose{{}\left[i}\right]\Leftrightarrow\mathopen{}\mathclose{{}\left% \lfloor\frac{x}{2^{i}}}\right\rfloor\bmod 2\end{aligned}}\right.$
(A.18)	$\displaystyle\mathcal{B}_{n\in\mathbb{N}}^{-1}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{b}_{% 8n}&\to\mathbb{N}_{2^{8n}}\\ \mathbf{x}&\mapsto y:\sum_{i\in\mathbb{N}_{8n}}\mathbf{x}_{i}\cdot 2^{i}\end{% aligned}}\right.$
(A.19)	$\displaystyle\overleftarrow{\mathcal{B}}_{n\in\mathbb{N}}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{N}_{% 2^{8n}}&\to\mathbb{b}_{8n}\\ x&\mapsto\mathbf{y}:\forall i\in\mathbb{N}_{8n}:\mathbf{y}[8n-1-i]% \Leftrightarrow\mathopen{}\mathclose{{}\left\lfloor\frac{x}{2^{i}}}\right% \rfloor\bmod 2\end{aligned}}\right.$
(A.20)	$\displaystyle\overleftarrow{\mathcal{B}}_{n\in\mathbb{N}}^{-1}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{b}_{% 8n}&\to\mathbb{N}_{2^{8n}}\\ \mathbf{x}&\mapsto y:\sum_{i\in\mathbb{N}_{8n}}\mathbf{x}_{8n-1-i}\cdot 2^{i}% \end{aligned}}\right.$

Immediate arguments are encoded in little-endian format with the most-significant bit being the sign bit. They may be compactly encoded by eliding more significant octets. Elided octets are assumed to be zero if the msb of the value is zero, and 255 otherwise. This allows for compact representation of both positive and negative encoded values. We thus define the signed extension function operating on an input of $n$ octets as $\mathcal{X}_{n}$ :

(A.21)

\displaystyle\mathcal{X}_{n\in\mathopen{}\mathclose{{}\left\{\,0,1,2,3,4,8\,}% \right\}}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{N}_{2^{8% n}}&\to\mathbb{N}_{R}\\ x&\mapsto x+\mathopen{}\mathclose{{}\left\lfloor\frac{x}{2^{8n-1}}}\right% \rfloor(2^{64}-2^{8n})\end{aligned}}\right.

Any alterations of the program counter stemming from an unconditional static jump must be to the start of a basic block or else a panic occurs. Formally:

(A.22)

\text{{\small{sjump}}}(b)\implies\mathopen{}\mathclose{{}\left(\varepsilon,% \imath^{\prime}}\right)=\begin{cases}\mathopen{}\mathclose{{}\left(\lightning,% \imath}\right)&\text{if }b\not\in\varpi\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,b}\right)&\text{otherwise}% \end{cases}

Similarly, conditional jumps are valid if and only if both branches point to the start of a basic block (regardless of whether a branch is taken), otherwise a panic occurs:

(A.23)

\text{{\small{branch}}}(b,C)\implies\mathopen{}\mathclose{{}\left(\varepsilon,% \imath^{\prime}}\right)=\begin{cases}\mathopen{}\mathclose{{}\left(\lightning,% \imath}\right)&\text{if }b\not\in\varpi\lor\imath+1+\text{skip}(\imath)\not\in% \varpi\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\imath+1+\text{skip}(\imath)% }\right)&\text{otherwise if }\lnot C\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,b}\right)&\text{otherwise}% \end{cases}

Jumps whose next instruction is dynamically computed must use an address which may be indexed into the jump-table $\mathbf{j}$ . Through a quirk of tooling¹⁸¹⁸ 18 The popular code generation backend llvm requires and assumes in its code generation that dynamically computed jump destinations always have a certain memory alignment. Since at present we depend on this for our tooling, we must acquiesce to its assumptions., we define the dynamic address required by the instructions as the jump table index incremented by one and then multiplied by our jump alignment factor $\mathsf{Z}_{A}=2$ .

As with other irregular alterations to the program counter, target code index must be the start of a basic block or else a panic occurs. Formally:

(A.24)

\text{{\small{djump}}}(a)\implies\mathopen{}\mathclose{{}\left(\varepsilon,% \imath^{\prime}}\right)=\begin{cases}\mathopen{}\mathclose{{}\left(% \blacksquare,\imath}\right)&\text{if }a=2^{32}-2^{16}\\ \mathopen{}\mathclose{{}\left(\lightning,\imath}\right)&\text{otherwise if }a=% 0\vee a>\mathopen{}\mathclose{{}\left|\mathbf{j}}\right|\cdot\mathsf{Z}_{A}% \vee a\bmod\mathsf{Z}_{A}\neq 0\vee\mathbf{j}_{(\nicefrac{{a}}{{\mathsf{Z}_{A}% }})-1}\not\in\varpi\\ (\blacktriangleright,\mathbf{j}_{(\nicefrac{{a}}{{\mathsf{Z}_{A}}})-1})&\text{% otherwise}\end{cases}

A.5. Instruction Tables

We assume the skip length $\ell$ is well-defined:

(A.25)

\ell\equiv\text{skip}(\imath)

A.5.1. Instructions without Arguments

$\zeta_{\imath}$	Name	Mutations
0	trap	$\varepsilon=\lightning$
1	fallthrough	$\text{{\small{sjump}}}(\imath+1+\text{skip}(\imath))$
2	unlikely

A.5.2. Instructions with Arguments of One Immediate

(A.26)

\displaystyle\text{let }l_{X}=\min(4,\ell)\,,\quad\nu_{X}\equiv\mathcal{X}_{l_% {X}}\mathopen{}\mathclose{{}\left(\mathcal{E}^{-1}_{l_{X}}\mathopen{}% \mathclose{{}\left(\zeta_{\imath+1\dots+l_{X}}}\right)}\right)

$\zeta_{\imath}$	Name	Mutations
10	ecalli	$\varepsilon=\hbar\times\nu_{X}$

A.5.3. Instructions with Arguments of One Register and One Extended Width Immediate

(A.27)

\text{let }r_{A}=\min(12,\zeta_{\imath+1}\bmod 16)\,,\quad{\varphi}^{\prime}_{% A}\equiv{\varphi}^{\prime}_{r_{A}}\,,\quad\nu_{X}\equiv\mathcal{E}^{-1}_{8}% \mathopen{}\mathclose{{}\left(\zeta_{\imath+2\dots+8}}\right)

$\zeta_{\imath}$	Name	Mutations
20	load_imm_64	${\varphi}^{\prime}_{A}=\nu_{X}$

A.5.4. Instructions with Arguments of Two Immediates

(A.28)		$\displaystyle\text{let }l_{X}$	$\displaystyle=\min(4,\zeta_{\imath+1}\bmod 8)\,,\quad$	$\displaystyle\nu_{X}$	$\displaystyle\equiv\mathcal{X}_{l_{X}}\mathopen{}\mathclose{{}\left(\mathcal{E% }^{-1}_{l_{X}}\mathopen{}\mathclose{{}\left(\zeta_{\imath+2\dots+l_{X}}}\right% )}\right)$
(A.28)		$\displaystyle\text{let }l_{Y}$	$\displaystyle=\min(4,\max(0,\ell-l_{X}-1))\,,\quad$	$\displaystyle\nu_{Y}$	$\displaystyle\equiv\mathcal{X}_{l_{Y}}\mathopen{}\mathclose{{}\left(\mathcal{E% }^{-1}_{l_{Y}}\mathopen{}\mathclose{{}\left(\zeta_{\imath+2+l_{X}\dots+l_{Y}}}% \right)}\right)$

$\zeta_{\imath}$	Name	Mutations
30	store_imm_u8	${{\mu}^{\prime}}^{\circlearrowleft}_{\nu_{X}}=\nu_{Y}\bmod 2^{8}$
31	store_imm_u16	${{\mu}^{\prime}}^{\circlearrowleft}_{\nu_{X}\dots+2}=\mathcal{E}_{2}\mathopen{% }\mathclose{{}\left(\nu_{Y}\bmod 2^{16}}\right)$
32	store_imm_u32	${{\mu}^{\prime}}^{\circlearrowleft}_{\nu_{X}\dots+4}=\mathcal{E}_{4}\mathopen{% }\mathclose{{}\left(\nu_{Y}\bmod 2^{32}}\right)$
33	store_imm_u64	${{\mu}^{\prime}}^{\circlearrowleft}_{\nu_{X}\dots+8}=\mathcal{E}_{8}\mathopen{% }\mathclose{{}\left(\nu_{Y}}\right)$

A.5.5. Instructions with Arguments of One Offset

(A.29)

\displaystyle\text{let }l_{X}=\min(4,\ell)\,,\quad\nu_{X}\equiv\imath+\mathcal% {Z}_{l_{X}}(\mathcal{E}^{-1}_{l_{X}}\mathopen{}\mathclose{{}\left(\zeta_{% \imath+1\dots+l_{X}}}\right))

$\zeta_{\imath}$	Name	Mutations
40	jump	$\text{{\small{sjump}}}(\nu_{X})$

A.5.6. Instructions with Arguments of One Register & One Immediate

(A.30)		$\displaystyle\text{let }r_{A}$	$\displaystyle=\min(12,\zeta_{\imath+1}\bmod 16)\,,\quad$	$\displaystyle{\varphi}_{A}$	$\displaystyle\equiv{\varphi}_{r_{A}}\,,\quad{\varphi}^{\prime}_{A}\equiv{% \varphi}^{\prime}_{r_{A}}$
(A.30)		$\displaystyle\text{let }l_{X}$	$\displaystyle=\min(4,\max(0,\ell-1))\,,\quad$	$\displaystyle\nu_{X}$	$\displaystyle\equiv\mathcal{X}_{l_{X}}\mathopen{}\mathclose{{}\left(\mathcal{E% }^{-1}_{l_{X}}\mathopen{}\mathclose{{}\left(\zeta_{\imath+2\dots+l_{X}}}\right% )}\right)$

$\zeta_{\imath}$	Name	Mutations
50	jump_ind	$\text{{\small{djump}}}(({\varphi}_{A}+\nu_{X})\bmod 2^{32})$
51	load_imm	${\varphi}^{\prime}_{A}=\nu_{X}$
52	load_u8	${\varphi}^{\prime}_{A}={{\mu}}^{\circlearrowleft}_{\nu_{X}}$
53	load_i8	${\varphi}^{\prime}_{A}=\mathcal{X}_{1}\mathopen{}\mathclose{{}\left({{\mu}}^{% \circlearrowleft}_{\nu_{X}}}\right)$
54	load_u16	${\varphi}^{\prime}_{A}=\mathcal{E}^{-1}_{2}\mathopen{}\mathclose{{}\left({{\mu% }}^{\circlearrowleft}_{\nu_{X}\dots+2}}\right)$
55	load_i16	${\varphi}^{\prime}_{A}=\mathcal{X}_{2}\mathopen{}\mathclose{{}\left(\mathcal{E% }^{-1}_{2}\mathopen{}\mathclose{{}\left({{\mu}}^{\circlearrowleft}_{\nu_{X}% \dots+2}}\right)}\right)$
56	load_u32	${\varphi}^{\prime}_{A}=\mathcal{E}^{-1}_{4}\mathopen{}\mathclose{{}\left({{\mu% }}^{\circlearrowleft}_{\nu_{X}\dots+4}}\right)$
57	load_i32	${\varphi}^{\prime}_{A}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(\mathcal{E% }^{-1}_{4}\mathopen{}\mathclose{{}\left({{\mu}}^{\circlearrowleft}_{\nu_{X}% \dots+4}}\right)}\right)$
58	load_u64	${\varphi}^{\prime}_{A}=\mathcal{E}^{-1}_{8}\mathopen{}\mathclose{{}\left({{\mu% }}^{\circlearrowleft}_{\nu_{X}\dots+8}}\right)$
59	store_u8	${{\mu}^{\prime}}^{\circlearrowleft}_{\nu_{X}}={\varphi}_{A}\bmod 2^{8}$
60	store_u16	${{\mu}^{\prime}}^{\circlearrowleft}_{\nu_{X}\dots+2}=\mathcal{E}_{2}\mathopen{% }\mathclose{{}\left({\varphi}_{A}\bmod 2^{16}}\right)$
61	store_u32	${{\mu}^{\prime}}^{\circlearrowleft}_{\nu_{X}\dots+4}=\mathcal{E}_{4}\mathopen{% }\mathclose{{}\left({\varphi}_{A}\bmod 2^{32}}\right)$
62	store_u64	${{\mu}^{\prime}}^{\circlearrowleft}_{\nu_{X}\dots+8}=\mathcal{E}_{8}\mathopen{% }\mathclose{{}\left({\varphi}_{A}}\right)$

A.5.7. Instructions with Arguments of One Register & Two Immediates

(A.31)	$\displaystyle\text{let }r_{A}$	$\displaystyle=\min(12,\zeta_{\imath+1}\bmod 16)\,,\quad$	$\displaystyle{\varphi}_{A}$	$\displaystyle\equiv{\varphi}_{r_{A}}\,,\quad{\varphi}^{\prime}_{A}\equiv{% \varphi}^{\prime}_{r_{A}}$
	$\displaystyle\text{let }l_{X}$	$\displaystyle=\min(4,\mathopen{}\mathclose{{}\left\lfloor\frac{\zeta_{\imath+1% }}{16}}\right\rfloor\bmod 8)\,,\quad$	$\displaystyle\nu_{X}$	$\displaystyle=\mathcal{X}_{l_{X}}\mathopen{}\mathclose{{}\left(\mathcal{E}^{-1% }_{l_{X}}\mathopen{}\mathclose{{}\left(\zeta_{\imath+2\dots+l_{X}}}\right)}\right)$
	$\displaystyle\text{let }l_{Y}$	$\displaystyle=\min(4,\max(0,\ell-l_{X}-1))\,,\quad$	$\displaystyle\nu_{Y}$	$\displaystyle=\mathcal{X}_{l_{Y}}\mathopen{}\mathclose{{}\left(\mathcal{E}^{-1% }_{l_{Y}}\mathopen{}\mathclose{{}\left(\zeta_{\imath+2+l_{X}\dots+l_{Y}}}% \right)}\right)$

$\zeta_{\imath}$	Name	Mutations
70	store_imm_ind_u8	${{\mu}^{\prime}}^{\circlearrowleft}_{{\varphi}_{A}+\nu_{X}}=\nu_{Y}\bmod 2^{8}$
71	store_imm_ind_u16	${{\mu}^{\prime}}^{\circlearrowleft}_{{\varphi}_{A}+\nu_{X}\dots+2}=\mathcal{E}% _{2}\mathopen{}\mathclose{{}\left(\nu_{Y}\bmod 2^{16}}\right)$
72	store_imm_ind_u32	${{\mu}^{\prime}}^{\circlearrowleft}_{{\varphi}_{A}+\nu_{X}\dots+4}=\mathcal{E}% _{4}\mathopen{}\mathclose{{}\left(\nu_{Y}\bmod 2^{32}}\right)$
73	store_imm_ind_u64	${{\mu}^{\prime}}^{\circlearrowleft}_{{\varphi}_{A}+\nu_{X}\dots+8}=\mathcal{E}% _{8}\mathopen{}\mathclose{{}\left(\nu_{Y}}\right)$

A.5.8. Instructions with Arguments of One Register, One Immediate and One Offset

(A.32)	$\displaystyle\text{let }r_{A}$	$\displaystyle=\min(12,\zeta_{\imath+1}\bmod 16)\,,\quad$	$\displaystyle{\varphi}_{A}$	$\displaystyle\equiv{\varphi}_{r_{A}}\,,\quad{\varphi}^{\prime}_{A}\equiv{% \varphi}^{\prime}_{r_{A}}$
	$\displaystyle\text{let }l_{X}$	$\displaystyle=\min(4,\mathopen{}\mathclose{{}\left\lfloor\frac{\zeta_{\imath+1% }}{16}}\right\rfloor\bmod 8)\,,\quad$	$\displaystyle\nu_{X}$	$\displaystyle=\mathcal{X}_{l_{X}}\mathopen{}\mathclose{{}\left(\mathcal{E}^{-1% }_{l_{X}}\mathopen{}\mathclose{{}\left(\zeta_{\imath+2\dots+l_{X}}}\right)}\right)$
	$\displaystyle\text{let }l_{Y}$	$\displaystyle=\min(4,\max(0,\ell-l_{X}-1))\,,\quad$	$\displaystyle\nu_{Y}$	$\displaystyle=\imath+\mathcal{Z}_{l_{Y}}(\mathcal{E}^{-1}_{l_{Y}}\mathopen{}% \mathclose{{}\left(\zeta_{\imath+2+l_{X}\dots+l_{Y}}}\right))$

$\zeta_{\imath}$	Name	Mutations
80	load_imm_jump	$\text{{\small{sjump}}}(\nu_{Y})\ ,\qquad{\varphi}_{A}^{\prime}=\nu_{X}$
81	branch_eq_imm	$\text{{\small{branch}}}(\nu_{Y},{\varphi}_{A}=\nu_{X})$
82	branch_ne_imm	$\text{{\small{branch}}}(\nu_{Y},{\varphi}_{A}\neq\nu_{X})$
83	branch_lt_u_imm	$\text{{\small{branch}}}(\nu_{Y},{\varphi}_{A}<\nu_{X})$
84	branch_le_u_imm	$\text{{\small{branch}}}(\nu_{Y},{\varphi}_{A}\leq\nu_{X})$
85	branch_ge_u_imm	$\text{{\small{branch}}}(\nu_{Y},{\varphi}_{A}\geq\nu_{X})$
86	branch_gt_u_imm	$\text{{\small{branch}}}(\nu_{Y},{\varphi}_{A}>\nu_{X})$
87	branch_lt_s_imm	$\text{{\small{branch}}}(\nu_{Y},\mathcal{Z}_{8}({\varphi}_{A})<\mathcal{Z}_{8}% (\nu_{X}))$
88	branch_le_s_imm	$\text{{\small{branch}}}(\nu_{Y},\mathcal{Z}_{8}({\varphi}_{A})\leq\mathcal{Z}_% {8}(\nu_{X}))$
89	branch_ge_s_imm	$\text{{\small{branch}}}(\nu_{Y},\mathcal{Z}_{8}({\varphi}_{A})\geq\mathcal{Z}_% {8}(\nu_{X}))$
90	branch_gt_s_imm	$\text{{\small{branch}}}(\nu_{Y},\mathcal{Z}_{8}({\varphi}_{A})>\mathcal{Z}_{8}% (\nu_{X}))$

A.5.9. Instructions with Arguments of Two Registers

(A.33)		$\displaystyle\text{let }r_{D}$	$\displaystyle=\min(12,(\zeta_{\imath+1})\bmod 16)\,,\quad$	$\displaystyle{\varphi}_{D}$	$\displaystyle\equiv{\varphi}_{r_{D}}\,,\quad{\varphi}^{\prime}_{D}\equiv{% \varphi}^{\prime}_{r_{D}}$
(A.33)		$\displaystyle\text{let }r_{A}$	$\displaystyle=\min(12,\mathopen{}\mathclose{{}\left\lfloor\frac{\zeta_{\imath+% 1}}{16}}\right\rfloor)\,,\quad$	$\displaystyle{\varphi}_{A}$	$\displaystyle\equiv{\varphi}_{r_{A}}\,,\quad{\varphi}^{\prime}_{A}\equiv{% \varphi}^{\prime}_{r_{A}}$

$\zeta_{\imath}$	Name	Mutations
100	move_reg	${\varphi}^{\prime}_{D}={\varphi}_{A}$
101	count_set_bits_64	$\displaystyle{\varphi}^{\prime}_{D}=\sum_{i=0}^{63}\mathcal{B}_{8}({\varphi}_{% A})_{i}$
102	count_set_bits_32	$\displaystyle{\varphi}^{\prime}_{D}=\sum_{i=0}^{31}\mathcal{B}_{4}({\varphi}_{% A}\bmod 2^{32})_{i}$
103	leading_zero_bits_64	$\displaystyle{\varphi}^{\prime}_{D}=\max(n\in\mathbb{N}_{65})\ \text{where }% \sum_{i=0}^{i<n}\overleftarrow{\mathcal{B}}_{8}({\varphi}_{A})_{i}=0$
104	leading_zero_bits_32	$\displaystyle{\varphi}^{\prime}_{D}=\max(n\in\mathbb{N}_{33})\ \text{where }% \sum_{i=0}^{i<n}\overleftarrow{\mathcal{B}}_{4}({\varphi}_{A}\bmod 2^{32})_{i}=0$
105	trailing_zero_bits_64	$\displaystyle{\varphi}^{\prime}_{D}=\max(n\in\mathbb{N}_{65})\ \text{where }% \sum_{i=0}^{i<n}\mathcal{B}_{8}({\varphi}_{A})_{i}=0$
106	trailing_zero_bits_32	$\displaystyle{\varphi}^{\prime}_{D}=\max(n\in\mathbb{N}_{33})\ \text{where }% \sum_{i=0}^{i<n}\mathcal{B}_{4}({\varphi}_{A}\bmod 2^{32})_{i}=0$
107	sign_extend_8	${\varphi}^{\prime}_{D}=\mathcal{Z}_{8}^{-1}(\mathcal{Z}_{1}({\varphi}_{A}\bmod 2% ^{8}))$
108	sign_extend_16	${\varphi}^{\prime}_{D}=\mathcal{Z}_{8}^{-1}(\mathcal{Z}_{2}({\varphi}_{A}\bmod 2% ^{16}))$
109	zero_extend_16	${\varphi}^{\prime}_{D}={\varphi}_{A}\bmod 2^{16}$
110	reverse_bytes	$\forall i\in\mathbb{N}_{8}:\mathcal{E}_{8}\mathopen{}\mathclose{{}\left({% \varphi}^{\prime}_{D}}\right)_{i}=\mathcal{E}_{8}\mathopen{}\mathclose{{}\left% ({\varphi}_{A}}\right)_{7-i}$

A.5.10. Instructions with Arguments of Two Registers & One Immediate

(A.34)	$\displaystyle\text{let }r_{A}$	$\displaystyle=\min(12,(\zeta_{\imath+1})\bmod 16)\,,\quad$	$\displaystyle{\varphi}_{A}$	$\displaystyle\equiv{\varphi}_{r_{A}}\,,\quad{\varphi}^{\prime}_{A}\equiv{% \varphi}^{\prime}_{r_{A}}$
	$\displaystyle\text{let }r_{B}$	$\displaystyle=\min(12,\mathopen{}\mathclose{{}\left\lfloor\frac{\zeta_{\imath+% 1}}{16}}\right\rfloor)\,,\quad$	$\displaystyle{\varphi}_{B}$	$\displaystyle\equiv{\varphi}_{r_{B}}\,,\quad{\varphi}^{\prime}_{B}\equiv{% \varphi}^{\prime}_{r_{B}}$
	$\displaystyle\text{let }l_{X}$	$\displaystyle=\min(4,\max(0,\ell-1))\,,\quad$	$\displaystyle\nu_{X}$	$\displaystyle\equiv\mathcal{X}_{l_{X}}\mathopen{}\mathclose{{}\left(\mathcal{E% }^{-1}_{l_{X}}\mathopen{}\mathclose{{}\left(\zeta_{\imath+2\dots+l_{X}}}\right% )}\right)$

$\zeta_{\imath}$	Name	Mutations
120	store_ind_u8	${{\mu}^{\prime}}^{\circlearrowleft}_{{\varphi}_{B}+\nu_{X}}={\varphi}_{A}\bmod 2% ^{8}$
121	store_ind_u16	${{\mu}^{\prime}}^{\circlearrowleft}_{{\varphi}_{B}+\nu_{X}\dots+2}=\mathcal{E}% _{2}\mathopen{}\mathclose{{}\left({\varphi}_{A}\bmod 2^{16}}\right)$
122	store_ind_u32	${{\mu}^{\prime}}^{\circlearrowleft}_{{\varphi}_{B}+\nu_{X}\dots+4}=\mathcal{E}% _{4}\mathopen{}\mathclose{{}\left({\varphi}_{A}\bmod 2^{32}}\right)$
123	store_ind_u64	${{\mu}^{\prime}}^{\circlearrowleft}_{{\varphi}_{B}+\nu_{X}\dots+8}=\mathcal{E}% _{8}\mathopen{}\mathclose{{}\left({\varphi}_{A}}\right)$
124	load_ind_u8	${\varphi}^{\prime}_{A}={{\mu}}^{\circlearrowleft}_{{\varphi}_{B}+\nu_{X}}$
125	load_ind_i8	${\varphi}^{\prime}_{A}=\mathcal{Z}_{8}^{-1}(\mathcal{Z}_{1}({{\mu}}^{% \circlearrowleft}_{{\varphi}_{B}+\nu_{X}}))$
126	load_ind_u16	${\varphi}^{\prime}_{A}=\mathcal{E}^{-1}_{2}\mathopen{}\mathclose{{}\left({{\mu% }}^{\circlearrowleft}_{{\varphi}_{B}+\nu_{X}\dots+2}}\right)$
127	load_ind_i16	${\varphi}^{\prime}_{A}=\mathcal{Z}_{8}^{-1}(\mathcal{Z}_{2}(\mathcal{E}^{-1}_{% 2}\mathopen{}\mathclose{{}\left({{\mu}}^{\circlearrowleft}_{{\varphi}_{B}+\nu_% {X}\dots+2}}\right)))$
128	load_ind_u32	${\varphi}^{\prime}_{A}=\mathcal{E}^{-1}_{4}\mathopen{}\mathclose{{}\left({{\mu% }}^{\circlearrowleft}_{{\varphi}_{B}+\nu_{X}\dots+4}}\right)$
129	load_ind_i32	${\varphi}^{\prime}_{A}=\mathcal{Z}_{8}^{-1}(\mathcal{Z}_{4}(\mathcal{E}^{-1}_{% 4}\mathopen{}\mathclose{{}\left({{\mu}}^{\circlearrowleft}_{{\varphi}_{B}+\nu_% {X}\dots+4}}\right)))$
130	load_ind_u64	${\varphi}^{\prime}_{A}=\mathcal{E}^{-1}_{8}\mathopen{}\mathclose{{}\left({{\mu% }}^{\circlearrowleft}_{{\varphi}_{B}+\nu_{X}\dots+8}}\right)$
131	add_imm_32	${\varphi}^{\prime}_{A}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(({\varphi}% _{B}+\nu_{X})\bmod 2^{32}}\right)$
132	and_imm	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{A})_{i}=% \mathcal{B}_{8}({\varphi}_{B})_{i}\wedge\mathcal{B}_{8}(\nu_{X})_{i}$
133	xor_imm	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{A})_{i}=% \mathcal{B}_{8}({\varphi}_{B})_{i}\oplus\mathcal{B}_{8}(\nu_{X})_{i}$
134	or_imm	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{A})_{i}=% \mathcal{B}_{8}({\varphi}_{B})_{i}\vee\mathcal{B}_{8}(\nu_{X})_{i}$
135	mul_imm_32	${\varphi}^{\prime}_{A}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(({\varphi}% _{B}\cdot\nu_{X})\bmod 2^{32}}\right)$
136	set_lt_u_imm	${\varphi}^{\prime}_{A}={\varphi}_{B}<\nu_{X}$
137	set_lt_s_imm	${\varphi}^{\prime}_{A}=\mathcal{Z}_{8}({\varphi}_{B})<\mathcal{Z}_{8}(\nu_{X})$
138	shlo_l_imm_32	${\varphi}^{\prime}_{A}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(({\varphi}% _{B}\cdot 2^{\nu_{X}\bmod 32})\bmod 2^{32}}\right)$
139	shlo_r_imm_32	${\varphi}^{\prime}_{A}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(\mathopen{% }\mathclose{{}\left\lfloor{\varphi}_{B}\bmod 2^{32}\div 2^{\nu_{X}\bmod 32}}% \right\rfloor}\right)$
140	shar_r_imm_32	${\varphi}^{\prime}_{A}=\mathcal{Z}_{8}^{-1}(\mathopen{}\mathclose{{}\left% \lfloor\mathcal{Z}_{4}({\varphi}_{B}\bmod 2^{32})\div 2^{\nu_{X}\bmod 32}}% \right\rfloor)$
141	neg_add_imm_32	${\varphi}^{\prime}_{A}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left((\nu_{X}+2% ^{32}-{\varphi}_{B})\bmod 2^{32}}\right)$
142	set_gt_u_imm	${\varphi}^{\prime}_{A}={\varphi}_{B}>\nu_{X}$
143	set_gt_s_imm	${\varphi}^{\prime}_{A}=\mathcal{Z}_{8}({\varphi}_{B})>\mathcal{Z}_{8}(\nu_{X})$
144	shlo_l_imm_alt_32	${\varphi}^{\prime}_{A}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left((\nu_{X}% \cdot 2^{{\varphi}_{B}\bmod 32})\bmod 2^{32}}\right)$
145	shlo_r_imm_alt_32	${\varphi}^{\prime}_{A}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(\mathopen{% }\mathclose{{}\left\lfloor\nu_{X}\bmod 2^{32}\div 2^{{\varphi}_{B}\bmod 32}}% \right\rfloor}\right)$
146	shar_r_imm_alt_32	${\varphi}^{\prime}_{A}=\mathcal{Z}_{8}^{-1}(\mathopen{}\mathclose{{}\left% \lfloor\mathcal{Z}_{4}(\nu_{X}\bmod 2^{32})\div 2^{{\varphi}_{B}\bmod 32}}% \right\rfloor)$
147	cmov_iz_imm	${\varphi}^{\prime}_{A}=\begin{cases}\nu_{X}&\text{if }{\varphi}_{B}=0\\ {\varphi}_{A}&\text{otherwise}\end{cases}$
148	cmov_nz_imm	${\varphi}^{\prime}_{A}=\begin{cases}\nu_{X}&\text{if }{\varphi}_{B}\neq 0\\ {\varphi}_{A}&\text{otherwise}\end{cases}$
149	add_imm_64	${\varphi}^{\prime}_{A}=({\varphi}_{B}+\nu_{X})\bmod 2^{64}$
150	mul_imm_64	${\varphi}^{\prime}_{A}=({\varphi}_{B}\cdot\nu_{X})\bmod 2^{64}$
151	shlo_l_imm_64	${\varphi}^{\prime}_{A}=\mathcal{X}_{8}\mathopen{}\mathclose{{}\left(({\varphi}% _{B}\cdot 2^{\nu_{X}\bmod 64})\bmod 2^{64}}\right)$
152	shlo_r_imm_64	${\varphi}^{\prime}_{A}=\mathcal{X}_{8}\mathopen{}\mathclose{{}\left(\mathopen{% }\mathclose{{}\left\lfloor{\varphi}_{B}\div 2^{\nu_{X}\bmod 64}}\right\rfloor}\right)$
153	shar_r_imm_64	${\varphi}^{\prime}_{A}=\mathcal{Z}_{8}^{-1}(\mathopen{}\mathclose{{}\left% \lfloor\mathcal{Z}_{8}({\varphi}_{B})\div 2^{\nu_{X}\bmod 64}}\right\rfloor)$
154	neg_add_imm_64	${\varphi}^{\prime}_{A}=(\nu_{X}+2^{64}-{\varphi}_{B})\bmod 2^{64}$
155	shlo_l_imm_alt_64	${\varphi}^{\prime}_{A}=(\nu_{X}\cdot 2^{{\varphi}_{B}\bmod 64})\bmod 2^{64}$
156	shlo_r_imm_alt_64	${\varphi}^{\prime}_{A}=\mathopen{}\mathclose{{}\left\lfloor\nu_{X}\div 2^{{% \varphi}_{B}\bmod 64}}\right\rfloor$
157	shar_r_imm_alt_64	${\varphi}^{\prime}_{A}=\mathcal{Z}_{8}^{-1}(\mathopen{}\mathclose{{}\left% \lfloor\mathcal{Z}_{8}(\nu_{X})\div 2^{{\varphi}_{B}\bmod 64}}\right\rfloor)$
158	rot_r_64_imm	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{A})_{i}=% \mathcal{B}_{8}({\varphi}_{B})_{(i+\nu_{X})\bmod 64}$
159	rot_r_64_imm_alt	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{A})_{i}=% \mathcal{B}_{8}(\nu_{X})_{(i+{\varphi}_{B})\bmod 64}$
160	rot_r_32_imm	${\varphi}^{\prime}_{A}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(x}\right)% \ \text{where }x\in\mathbb{N}_{2^{32}},\forall i\in\mathbb{N}_{32}:\mathcal{B}% _{4}(x)_{i}=\mathcal{B}_{4}({\varphi}_{B})_{(i+\nu_{X})\bmod 32}$
161	rot_r_32_imm_alt	${\varphi}^{\prime}_{A}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(x}\right)% \ \text{where }x\in\mathbb{N}_{2^{32}},\forall i\in\mathbb{N}_{32}:\mathcal{B}% _{4}(x)_{i}=\mathcal{B}_{4}(\nu_{X})_{(i+{\varphi}_{B})\bmod 32}$

A.5.11. Instructions with Arguments of Two Registers & One Offset

(A.35)	$\displaystyle\text{let }r_{A}$	$\displaystyle=\min(12,(\zeta_{\imath+1})\bmod 16)\,,\quad$	$\displaystyle{\varphi}_{A}$	$\displaystyle\equiv{\varphi}_{r_{A}}\,,\quad{\varphi}^{\prime}_{A}\equiv{% \varphi}^{\prime}_{r_{A}}$
	$\displaystyle\text{let }r_{B}$	$\displaystyle=\min(12,\mathopen{}\mathclose{{}\left\lfloor\frac{\zeta_{\imath+% 1}}{16}}\right\rfloor)\,,\quad$	$\displaystyle{\varphi}_{B}$	$\displaystyle\equiv{\varphi}_{r_{B}}\,,\quad{\varphi}^{\prime}_{B}\equiv{% \varphi}^{\prime}_{r_{B}}$
	$\displaystyle\text{let }l_{X}$	$\displaystyle=\min(4,\max(0,\ell-1))\,,\quad$	$\displaystyle\nu_{X}$	$\displaystyle\equiv\imath+\mathcal{Z}_{l_{X}}(\mathcal{E}^{-1}_{l_{X}}% \mathopen{}\mathclose{{}\left(\zeta_{\imath+2\dots+l_{X}}}\right))$

$\zeta_{\imath}$	Name	Mutations
170	branch_eq	$\text{{\small{branch}}}(\nu_{X},{\varphi}_{A}={\varphi}_{B})$
171	branch_ne	$\text{{\small{branch}}}(\nu_{X},{\varphi}_{A}\neq{\varphi}_{B})$
172	branch_lt_u	$\text{{\small{branch}}}(\nu_{X},{\varphi}_{A}<{\varphi}_{B})$
173	branch_lt_s	$\text{{\small{branch}}}(\nu_{X},\mathcal{Z}_{8}({\varphi}_{A})<\mathcal{Z}_{8}% ({\varphi}_{B}))$
174	branch_ge_u	$\text{{\small{branch}}}(\nu_{X},{\varphi}_{A}\geq{\varphi}_{B})$
175	branch_ge_s	$\text{{\small{branch}}}(\nu_{X},\mathcal{Z}_{8}({\varphi}_{A})\geq\mathcal{Z}_% {8}({\varphi}_{B}))$

A.5.12. Instruction with Arguments of Two Registers and Two Immediates

(A.36)	$\displaystyle\text{let }r_{A}$	$\displaystyle=\min(12,(\zeta_{\imath+1})\bmod 16)\,,\quad$	$\displaystyle{\varphi}_{A}$	$\displaystyle\equiv{\varphi}_{r_{A}}\,,\quad{\varphi}^{\prime}_{A}\equiv{% \varphi}^{\prime}_{r_{A}}$
	$\displaystyle\text{let }r_{B}$	$\displaystyle=\min(12,\mathopen{}\mathclose{{}\left\lfloor\frac{\zeta_{\imath+% 1}}{16}}\right\rfloor)\,,\quad$	$\displaystyle{\varphi}_{B}$	$\displaystyle\equiv{\varphi}_{r_{B}}\,,\quad{\varphi}^{\prime}_{B}\equiv{% \varphi}^{\prime}_{r_{B}}$
	$\displaystyle\text{let }l_{X}$	$\displaystyle=\min(4,\zeta_{\imath+2}\bmod 8)\,,\quad$	$\displaystyle\nu_{X}$	$\displaystyle=\mathcal{X}_{l_{X}}\mathopen{}\mathclose{{}\left(\mathcal{E}^{-1% }_{l_{X}}\mathopen{}\mathclose{{}\left(\zeta_{\imath+3\dots+l_{X}}}\right)}\right)$
	$\displaystyle\text{let }l_{Y}$	$\displaystyle=\min(4,\max(0,\ell-l_{X}-2))\,,\quad$	$\displaystyle\nu_{Y}$	$\displaystyle=\mathcal{X}_{l_{Y}}\mathopen{}\mathclose{{}\left(\mathcal{E}^{-1% }_{l_{Y}}\mathopen{}\mathclose{{}\left(\zeta_{\imath+3+l_{X}\dots+l_{Y}}}% \right)}\right)$

$\zeta_{\imath}$	Name	Mutations
180	load_imm_jump_ind	$\text{{\small{djump}}}(({\varphi}_{B}+\nu_{Y})\bmod 2^{32})\ ,\qquad{\varphi}_% {A}^{\prime}=\nu_{X}$

A.5.13. Instructions with Arguments of Three Registers

(A.37)	$\displaystyle\text{let }r_{A}$	$\displaystyle=\min(12,(\zeta_{\imath+1})\bmod 16)\,,\quad$	$\displaystyle{\varphi}_{A}$	$\displaystyle\equiv{\varphi}_{r_{A}}\,,\quad{\varphi}^{\prime}_{A}\equiv{% \varphi}^{\prime}_{r_{A}}$
	$\displaystyle\text{let }r_{B}$	$\displaystyle=\min(12,\mathopen{}\mathclose{{}\left\lfloor\frac{\zeta_{\imath+% 1}}{16}}\right\rfloor)\,,\quad$	$\displaystyle{\varphi}_{B}$	$\displaystyle\equiv{\varphi}_{r_{B}}\,,\quad{\varphi}^{\prime}_{B}\equiv{% \varphi}^{\prime}_{r_{B}}$
	$\displaystyle\text{let }r_{D}$	$\displaystyle=\min(12,\zeta_{\imath+2})\,,\quad$	$\displaystyle{\varphi}_{D}$	$\displaystyle\equiv{\varphi}_{r_{D}}\,,\quad{\varphi}^{\prime}_{D}\equiv{% \varphi}^{\prime}_{r_{D}}$

$\zeta_{\imath}$	Name	Mutations
190	add_32	${\varphi}^{\prime}_{D}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(({\varphi}% _{A}+{\varphi}_{B})\bmod 2^{32}}\right)$
191	sub_32	${\varphi}^{\prime}_{D}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(({\varphi}% _{A}+2^{32}-({\varphi}_{B}\bmod 2^{32}))\bmod 2^{32}}\right)$
192	mul_32	${\varphi}^{\prime}_{D}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(({\varphi}% _{A}\cdot{\varphi}_{B})\bmod 2^{32}}\right)$
193	div_u_32	${\varphi}^{\prime}_{D}=\begin{cases}2^{64}-1&\text{if }{\varphi}_{B}\bmod 2^{3% 2}=0\\ \mathcal{X}_{4}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left% \lfloor({\varphi}_{A}\bmod 2^{32})\div({\varphi}_{B}\bmod 2^{32})}\right% \rfloor}\right)&\text{otherwise}\end{cases}$
194	div_s_32	${\varphi}^{\prime}_{D}=\begin{cases}2^{64}-1&\text{if }b=0\\ \mathcal{Z}_{8}^{-1}(a)&\text{if }a=-2^{31}\wedge b=-1\\ \mathcal{Z}_{8}^{-1}(\text{rtz}(a\div b))&\text{otherwise}\\[2.0pt] \lx@intercol\quad\text{where }a=\mathcal{Z}_{4}({\varphi}_{A}\bmod 2^{32})\,,% \ b=\mathcal{Z}_{4}({\varphi}_{B}\bmod 2^{32})\hfil\lx@intercol\\ \end{cases}$
195	rem_u_32	${\varphi}^{\prime}_{D}=\begin{cases}\mathcal{X}_{4}\mathopen{}\mathclose{{}% \left({\varphi}_{A}\bmod 2^{32}}\right)&\text{if }{\varphi}_{B}\bmod 2^{32}=0% \\ \mathcal{X}_{4}\mathopen{}\mathclose{{}\left(({\varphi}_{A}\bmod 2^{32})\bmod(% {\varphi}_{B}\bmod 2^{32})}\right)&\text{otherwise}\end{cases}$
196	rem_s_32	${\varphi}^{\prime}_{D}=\begin{cases}0&\text{if }a=-2^{31}\wedge b=-1\\ \mathcal{Z}_{8}^{-1}(\text{smod}(a,b))&\text{otherwise}\\[2.0pt] \lx@intercol\quad\text{where }a=\mathcal{Z}_{4}({\varphi}_{A}\bmod 2^{32})\,,% \ b=\mathcal{Z}_{4}({\varphi}_{B}\bmod 2^{32})\hfil\lx@intercol\\ \end{cases}$
197	shlo_l_32	${\varphi}^{\prime}_{D}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(({\varphi}% _{A}\cdot 2^{{\varphi}_{B}\bmod 32})\bmod 2^{32}}\right)$
198	shlo_r_32	${\varphi}^{\prime}_{D}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(\mathopen{% }\mathclose{{}\left\lfloor({\varphi}_{A}\bmod 2^{32})\div 2^{{\varphi}_{B}% \bmod 32}}\right\rfloor}\right)$
199	shar_r_32	${\varphi}^{\prime}_{D}=\mathcal{Z}_{8}^{-1}(\mathopen{}\mathclose{{}\left% \lfloor\mathcal{Z}_{4}({\varphi}_{A}\bmod 2^{32})\div 2^{{\varphi}_{B}\bmod 32% }}\right\rfloor)$
200	add_64	${\varphi}^{\prime}_{D}=({\varphi}_{A}+{\varphi}_{B})\bmod 2^{64}$
201	sub_64	${\varphi}^{\prime}_{D}=({\varphi}_{A}+2^{64}-{\varphi}_{B})\bmod 2^{64}$
202	mul_64	${\varphi}^{\prime}_{D}=({\varphi}_{A}\cdot{\varphi}_{B})\bmod 2^{64}$
203	div_u_64	${\varphi}^{\prime}_{D}=\begin{cases}2^{64}-1&\text{if }{\varphi}_{B}=0\\ \mathopen{}\mathclose{{}\left\lfloor{\varphi}_{A}\div{\varphi}_{B}}\right% \rfloor&\text{otherwise}\end{cases}$
204	div_s_64	${\varphi}^{\prime}_{D}=\begin{cases}2^{64}-1&\text{if }{\varphi}_{B}=0\\ {\varphi}_{A}&\text{if }\mathcal{Z}_{8}({\varphi}_{A})=-2^{63}\wedge\mathcal{Z% }_{8}({\varphi}_{B})=-1\\ \mathcal{Z}_{8}^{-1}(\text{rtz}(\mathcal{Z}_{8}({\varphi}_{A})\div\mathcal{Z}_% {8}({\varphi}_{B})))&\text{otherwise}\end{cases}$
205	rem_u_64	${\varphi}^{\prime}_{D}=\begin{cases}{\varphi}_{A}&\text{if }{\varphi}_{B}=0\\ {\varphi}_{A}\bmod{\varphi}_{B}&\text{otherwise}\end{cases}$
206	rem_s_64	${\varphi}^{\prime}_{D}=\begin{cases}0&\text{if }\mathcal{Z}_{8}({\varphi}_{A})% =-2^{63}\wedge\mathcal{Z}_{8}({\varphi}_{B})=-1\\ \mathcal{Z}_{8}^{-1}(\text{smod}(\mathcal{Z}_{8}({\varphi}_{A}),\mathcal{Z}_{8% }({\varphi}_{B})))&\text{otherwise}\end{cases}$
207	shlo_l_64	${\varphi}^{\prime}_{D}=({\varphi}_{A}\cdot 2^{{\varphi}_{B}\bmod 64})\bmod 2^{% 64}$
208	shlo_r_64	${\varphi}^{\prime}_{D}=\mathopen{}\mathclose{{}\left\lfloor{\varphi}_{A}\div 2% ^{{\varphi}_{B}\bmod 64}}\right\rfloor$
209	shar_r_64	${\varphi}^{\prime}_{D}=\mathcal{Z}_{8}^{-1}(\mathopen{}\mathclose{{}\left% \lfloor\mathcal{Z}_{8}({\varphi}_{A})\div 2^{{\varphi}_{B}\bmod 64}}\right\rfloor)$
210	and	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{D})_{i}=% \mathcal{B}_{8}({\varphi}_{A})_{i}\wedge\mathcal{B}_{8}({\varphi}_{B})_{i}$
211	xor	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{D})_{i}=% \mathcal{B}_{8}({\varphi}_{A})_{i}\oplus\mathcal{B}_{8}({\varphi}_{B})_{i}$
212	or	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{D})_{i}=% \mathcal{B}_{8}({\varphi}_{A})_{i}\vee\mathcal{B}_{8}({\varphi}_{B})_{i}$
213	mul_upper_s_s	${\varphi}^{\prime}_{D}=\mathcal{Z}_{8}^{-1}(\mathopen{}\mathclose{{}\left% \lfloor(\mathcal{Z}_{8}({\varphi}_{A})\cdot\mathcal{Z}_{8}({\varphi}_{B}))\div 2% ^{64}}\right\rfloor)$
214	mul_upper_u_u	${\varphi}^{\prime}_{D}=\mathopen{}\mathclose{{}\left\lfloor({\varphi}_{A}\cdot% {\varphi}_{B})\div 2^{64}}\right\rfloor$
215	mul_upper_s_u	${\varphi}^{\prime}_{D}=\mathcal{Z}_{8}^{-1}(\mathopen{}\mathclose{{}\left% \lfloor(\mathcal{Z}_{8}({\varphi}_{A})\cdot{\varphi}_{B})\div 2^{64}}\right\rfloor)$
216	set_lt_u	${\varphi}^{\prime}_{D}={\varphi}_{A}<{\varphi}_{B}$
217	set_lt_s	${\varphi}^{\prime}_{D}=\mathcal{Z}_{8}({\varphi}_{A})<\mathcal{Z}_{8}({\varphi% }_{B})$
218	cmov_iz	${\varphi}^{\prime}_{D}=\begin{cases}{\varphi}_{A}&\text{if }{\varphi}_{B}=0\\ {\varphi}_{D}&\text{otherwise}\end{cases}$
219	cmov_nz	${\varphi}^{\prime}_{D}=\begin{cases}{\varphi}_{A}&\text{if }{\varphi}_{B}\neq 0% \\ {\varphi}_{D}&\text{otherwise}\end{cases}$
220	rot_l_64	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{D})_{(i+{% \varphi}_{B})\bmod 64}=\mathcal{B}_{8}({\varphi}_{A})_{i}$
221	rot_l_32	${\varphi}^{\prime}_{D}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(x}\right)% \ \text{where }x\in\mathbb{N}_{2^{32}},\forall i\in\mathbb{N}_{32}:\mathcal{B}% _{4}(x)_{(i+{\varphi}_{B})\bmod 32}=\mathcal{B}_{4}({\varphi}_{A})_{i}$
222	rot_r_64	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{D})_{i}=% \mathcal{B}_{8}({\varphi}_{A})_{(i+{\varphi}_{B})\bmod 64}$
223	rot_r_32	${\varphi}^{\prime}_{D}=\mathcal{X}_{4}\mathopen{}\mathclose{{}\left(x}\right)% \ \text{where }x\in\mathbb{N}_{2^{32}},\forall i\in\mathbb{N}_{32}:\mathcal{B}% _{4}(x)_{i}=\mathcal{B}_{4}({\varphi}_{A})_{(i+{\varphi}_{B})\bmod 32}$
224	and_inv	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{D})_{i}=% \mathcal{B}_{8}({\varphi}_{A})_{i}\wedge\lnot\mathcal{B}_{8}({\varphi}_{B})_{i}$
225	or_inv	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{D})_{i}=% \mathcal{B}_{8}({\varphi}_{A})_{i}\vee\lnot\mathcal{B}_{8}({\varphi}_{B})_{i}$
226	xnor	$\forall i\in\mathbb{N}_{64}:\mathcal{B}_{8}({\varphi}^{\prime}_{D})_{i}=\lnot(% \mathcal{B}_{8}({\varphi}_{A})_{i}\oplus\mathcal{B}_{8}({\varphi}_{B})_{i})$
227	max	${\varphi}^{\prime}_{D}=\mathcal{Z}_{8}^{-1}(\max\mathopen{}\mathclose{{}\left(% \mathcal{Z}_{8}({\varphi}_{A}),\mathcal{Z}_{8}({\varphi}_{B})}\right))$
228	max_u	${\varphi}^{\prime}_{D}=\max\mathopen{}\mathclose{{}\left({\varphi}_{A},{% \varphi}_{B}}\right)$
229	min	${\varphi}^{\prime}_{D}=\mathcal{Z}_{8}^{-1}(\min\mathopen{}\mathclose{{}\left(% \mathcal{Z}_{8}({\varphi}_{A}),\mathcal{Z}_{8}({\varphi}_{B})}\right))$
230	min_u	${\varphi}^{\prime}_{D}=\min\mathopen{}\mathclose{{}\left({\varphi}_{A},{% \varphi}_{B}}\right)$

Note that the two signed modulo operations have an idiosyncratic definition, operating as the modulo of the absolute values, but with the sign of the numerator. Formally:

(A.38)

\text{smod}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{Z},\mathbb{Z}}\right\rgroup\!&\to\mathbb{Z}\\ \mathopen{}\mathclose{{}\left(a,b}\right)&\mapsto\begin{cases}a&\text{if }b=0% \\ \text{sgn}(a)\cdot(\mathopen{}\mathclose{{}\left|a}\right|\bmod\mathopen{}% \mathclose{{}\left|b}\right|)&\text{otherwise}\\ \end{cases}\end{aligned}}\right.

Division operations always round their result towards zero. Formally:

(A.39)

\text{rtz}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{Z}&\to% \mathbb{Z}\\ x&\mapsto\begin{cases}\mathopen{}\mathclose{{}\left\lceil x}\right\rceil&\text% {if }x<0\\ \mathopen{}\mathclose{{}\left\lfloor x}\right\rfloor&\text{otherwise}\\ \end{cases}\end{aligned}}\right.

A.6. Host Call Definition

An extended version of the pvm invocation which is able to progress an inner host-call state-machine in the case of a host-call halt condition is defined as $\Psi_{H}$ :

(A.40)		$\displaystyle\Psi_{H}^{}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} % \!\mathopen{}\mathclose{{}\left\lgroup\begin{aligned} &\mathbb{B},\mathbb{N}_{% R},\mathbb{N}_{G},{\mathopen{}\mathclose{{}\left\{\,\bot,\top\,}\right\}},\\ &\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13},\mathbb{M},% \Omega\mathopen{}\mathclose{{}\left\langle X}\right\rangle,X\end{aligned}}% \right\rgroup\!&\to\!\mathopen{}\mathclose{{}\left\lgroup\mathopen{}\mathclose% {{}\left\{\,\lightning,\infty,\blacksquare\,}\right\}\cup\mathopen{}\mathclose% {{}\left\{\,\text{\raisebox{6.0pt}{\rotatebox{180.0}{{F}}}}\,}\right\}\times% \mathbb{N}_{R},\mathbb{N}_{R},\mathbb{Z}_{G},{\mathopen{}\mathclose{{}\left\{% \,\bot,\top\,}\right\}},\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}% \right\rsem_{13},\mathbb{M},X}\right\rgroup\!\\ \mathopen{}\mathclose{{}\left(\mathfrak{p},\imath,\varrho,\tilde{\varrho},% \varphi,{\mu},f,\mathbf{x}}\right)&\mapsto\begin{cases}\lx@intercol\text{let }% (\varepsilon^{\prime},\imath^{\prime},\varrho^{\prime},\tilde{\varrho}^{\prime% },\varphi^{\prime},{\mu}^{\prime})=\Psi(\mathfrak{p},\imath,\varrho,\tilde{% \varrho},\varphi,{\mu}):\hfil\lx@intercol\\[8.0pt] \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\imath^{\prime},\varrho^{% \prime},\tilde{\varrho}^{\prime},\varphi^{\prime},{\mu}^{\prime},\mathbf{x}}% \right)&\text{if }\varepsilon^{\prime}\in\mathopen{}\mathclose{{}\left\{\,% \blacksquare,\lightning,\infty\,}\right\}\cup\mathopen{}\mathclose{{}\left\{\,% \text{\raisebox{6.0pt}{\rotatebox{180.0}{{F}}}}\,}\right\}\times\mathbb{N}_{R}% \\[4.0pt] \begin{aligned} &\Psi_{H}^{}(\mathfrak{p},\imath^{\prime\prime},\varrho^{% \prime\prime},\tilde{\varrho}^{\prime},\varphi^{\prime\prime},{\mu}^{\prime% \prime},f,\mathbf{x}^{\prime\prime})\\[2.0pt] &\quad\text{where }\imath^{\prime\prime}=\imath^{\prime}+1+\text{skip}(\imath^% {\prime})\end{aligned}&\text{if }\bigwedge\mathopen{}\mathclose{{}\left\{\;% \begin{aligned} &\varepsilon^{\prime}=\hbar\times h\\[2.0pt] &\mathopen{}\mathclose{{}\left(\blacktriangleright,\varrho^{\prime\prime},% \varphi^{\prime\prime},{\mu}^{\prime\prime},\mathbf{x}^{\prime\prime}}\right)=% f(h,\varrho^{\prime},\varphi^{\prime},{\mu}^{\prime},\mathbf{x})\end{aligned}}% \right.\\[8.0pt] \mathopen{}\mathclose{{}\left(\varepsilon^{\prime\prime},\imath^{\prime},% \varrho^{\prime\prime},\tilde{\varrho}^{\prime},\varphi^{\prime\prime},{\mu}^{% \prime\prime},\mathbf{x}^{\prime\prime}}\right)&\text{if }\bigwedge\mathopen{}% \mathclose{{}\left\{\;\begin{aligned} &\varepsilon^{\prime}=\hbar\times h\\[2.% 0pt] &\mathopen{}\mathclose{{}\left(\varepsilon^{\prime\prime},\varrho^{\prime% \prime},\varphi^{\prime\prime},{\mu}^{\prime\prime},\mathbf{x}^{\prime\prime}}% \right)=f(h,\varrho^{\prime},\varphi^{\prime},{\mu}^{\prime},\mathbf{x})\\[2.0% pt] &\varepsilon^{\prime\prime}\in\mathopen{}\mathclose{{}\left\{\,\lightning,% \blacksquare,\infty\,}\right\}\end{aligned}}\right.\\[8.0pt] \end{cases}\\ \end{aligned}}\right.\!\!\!\!\!\!\!\!$
(A.41)		$\displaystyle\Psi_{H}(\mathfrak{p},\imath,\varrho,\varphi,{\mu},f,\mathbf{x})% \equiv\Psi_{H}^{*}(\mathfrak{p},\imath,\varrho,\bot,\varphi,{\mu},f,\mathbf{x})$
(A.42)		$\displaystyle\Omega\mathopen{}\mathclose{{}\left\langle X}\right\rangle\equiv% \!\mathopen{}\mathclose{{}\left\lgroup\mathbb{N},\mathbb{N}_{G},\mathopen{}% \mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13},\mathbb{M},X}\right% \rgroup\!\to\!\mathopen{}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}% \left\{\,\blacktriangleright,\blacksquare,\lightning,\infty\,}\right\},\mathbb% {N}_{G},\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13},% \mathbb{M},X}\right\rgroup\!$

As with $\Phi$ , on exit the instruction counter references the instruction which caused the exit and the machine state is that prior to this instruction. Should the machine be invoked again using this instruction counter and code, then the same instruction which caused the exit would be executed on the proper (prior) machine state.

With $\Phi_{H}$ , host-calls (i.e. ecalli instructions) are in effect handled internally with the state-mutator function provided as an argument, preventing the possibility of the result being a host-call fault. Note that in the case of a successful host-call transition, we must provide the new instruction counter value $\imath^{\prime\prime}$ explicitly alongside the fresh posterior state for said instruction.

A.7. Standard Program Initialization

The software programs which will run in each of the three instances where the pvm is utilized in the main document have a very typical setup pattern characteristic of an output of a compiler and linker. This means that ram has sections for program-specific read-only data, read-write (heap) data and the stack. An adjunct to this, very typical of our usage patterns is an extra read-only section via which invocation-specific data may be passed (i.e. arguments). It thus makes sense to define this properly in a single initializer function. These sections are quantized into major zones, and one major zone is always left unallocated between sections in order to reduce accidental overrun. Sections are padded with zeroes to the nearest pvm memory page boundary.

We thus define the standard JAM program blob format $\mathfrak{j}$ , which includes not only the raw pvm program blob $\mathfrak{p}$ , but also information on the state of the ram at program start. Given JAM program blob $\mathfrak{j}$ and argument data $\mathbf{a}$ , we can decode the pvm program blob $\mathfrak{p}$ , registers $\varphi$ , and ram ${\mu}$ by invoking the standard initialization function $Y(\mathfrak{j},\mathbf{a})$ :

(A.43)

Y\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{}\mathclose{% {}\left\lgroup\mathbb{B},\mathbb{B}_{:\mathsf{Z}_{I}}}\right\rgroup\!&\to\!% \mathopen{}\mathclose{{}\left\lgroup\mathbb{B},\mathopen{}\mathclose{{}\left% \lsem\mathbb{N}_{R}}\right\rsem_{13},\mathbb{M}}\right\rgroup\!?\\ \mathopen{}\mathclose{{}\left(\mathfrak{j},\mathbf{a}}\right)&\mapsto\begin{% cases}\mathopen{}\mathclose{{}\left(\mathfrak{p},\varphi,{\mu}}\right)&\text{% if }\exists!\mathopen{}\mathclose{{}\left(\mathfrak{p},\mathbf{o},\mathbf{w},z% ,s}\right)\text{ which satisfy equation \ref{eq:conditions}}\\ \emptyset&\text{otherwise}\end{cases}\end{aligned}}\right.

With conditions:

(A.44)			$\displaystyle\text{let }\mathcal{E}_{3}(\mathopen{}\mathclose{{}\left\|\mathbf{% o}}\right\|)\frown\mathcal{E}_{3}(\mathopen{}\mathclose{{}\left\|\mathbf{w}}% \right\|)\frown\mathcal{E}_{2}(z)\frown\mathcal{E}_{3}(s)\frown\mathbf{o}\frown% \mathbf{w}\frown\mathcal{E}_{4}(\mathopen{}\mathclose{{}\left\|\mathfrak{p}}% \right\|)\frown\mathfrak{p}=\mathfrak{j}$
(A.45)			$\displaystyle\mathsf{Z}_{Z}=2^{16}\ ,\quad\mathsf{Z}_{I}=2^{24}$
(A.46)			$\displaystyle\text{let }P(x\in\mathbb{N})\equiv\mathsf{Z}_{P}\mathopen{}% \mathclose{{}\left\lceil\frac{x}{\mathsf{Z}_{P}}}\right\rceil\quad,\qquad Z(x% \in\mathbb{N})\equiv\mathsf{Z}_{Z}\mathopen{}\mathclose{{}\left\lceil\frac{x}{% \mathsf{Z}_{Z}}}\right\rceil$
(A.47)			$\displaystyle 5\mathsf{Z}_{Z}+Z(\mathopen{}\mathclose{{}\left\|\mathbf{o}}% \right\|)+Z(\mathopen{}\mathclose{{}\left\|\mathbf{w}}\right\|+z\mathsf{Z}_{P})+Z% (s)+\mathsf{Z}_{I}\leq 2^{32}$

Thus, if the above conditions cannot be satisfied with unique values, then the result is $\emptyset$ , otherwise it is a tuple of $\mathfrak{p}$ as above and ${\mu}$ , $\varphi$ such that:

(A.48)

\forall i\in\mathbb{N}_{2^{32}}:(({\mu}_{\mathbf{v}})_{i},({\mu}_{\mathbf{a}})% _{\mathopen{}\mathclose{{}\left\lfloor\nicefrac{{i}}{{\mathsf{Z}_{P}}}}\right% \rfloor})=\mathopen{}\mathclose{{}\left\{\begin{aligned} &\mathopen{}% \mathclose{{}\left(\mathbf{v}\mathrel{\mathop{:}}\mathbf{o}_{i-\mathsf{Z}_{Z}}% ,\,\mathbf{a}\mathrel{\mathop{:}}R}\right)&&\ \text{if }\mathsf{Z}_{Z}&\ \leq i% <\ &&\mathsf{Z}_{Z}+\mathopen{}\mathclose{{}\left|\mathbf{o}}\right|\\ &\mathopen{}\mathclose{{}\left(0,R}\right)&&\ \text{if }\mathsf{Z}_{Z}+% \mathopen{}\mathclose{{}\left|\mathbf{o}}\right|&\ \leq i<\ &&\mathsf{Z}_{Z}+P% (\mathopen{}\mathclose{{}\left|\mathbf{o}}\right|)\\ &(\mathbf{w}_{i-(2\mathsf{Z}_{Z}+Z(\mathopen{}\mathclose{{}\left|\mathbf{o}}% \right|))},W)&&\ \text{if }2\mathsf{Z}_{Z}+Z(\mathopen{}\mathclose{{}\left|% \mathbf{o}}\right|)&\ \leq i<\ &&2\mathsf{Z}_{Z}+Z(\mathopen{}\mathclose{{}% \left|\mathbf{o}}\right|)+\mathopen{}\mathclose{{}\left|\mathbf{w}}\right|\\ &\mathopen{}\mathclose{{}\left(0,W}\right)&&\ \text{if }2\mathsf{Z}_{Z}+Z(% \mathopen{}\mathclose{{}\left|\mathbf{o}}\right|)+\mathopen{}\mathclose{{}% \left|\mathbf{w}}\right|&\ \leq i<\ &&2\mathsf{Z}_{Z}+Z(\mathopen{}\mathclose{% {}\left|\mathbf{o}}\right|)+P(\mathopen{}\mathclose{{}\left|\mathbf{w}}\right|% )+z\mathsf{Z}_{P}\\ &\mathopen{}\mathclose{{}\left(0,W}\right)&&\ \text{if }2^{32}-2\mathsf{Z}_{Z}% -\mathsf{Z}_{I}-P(s)&\ \leq i<\ &&2^{32}-2\mathsf{Z}_{Z}-\mathsf{Z}_{I}\\ &(\mathbf{a}_{i-(2^{32}-\mathsf{Z}_{Z}-\mathsf{Z}_{I})},R)&&\ \text{if }2^{32}% -\mathsf{Z}_{Z}-\mathsf{Z}_{I}&\ \leq i<\ &&2^{32}-\mathsf{Z}_{Z}-\mathsf{Z}_{% I}+\mathopen{}\mathclose{{}\left|\mathbf{a}}\right|\\ &\mathopen{}\mathclose{{}\left(0,R}\right)&&\ \text{if }2^{32}-\mathsf{Z}_{Z}-% \mathsf{Z}_{I}+\mathopen{}\mathclose{{}\left|\mathbf{a}}\right|&\ \leq i<\ &&2% ^{32}-\mathsf{Z}_{Z}-\mathsf{Z}_{I}+P(\mathopen{}\mathclose{{}\left|\mathbf{a}% }\right|)\\ &\mathopen{}\mathclose{{}\left(0,\emptyset}\right)&&\text{otherwise}&&&\end{% aligned}}\right.\\

(A.49)

\forall i\in\mathbb{N}_{13}:\varphi_{i}=\begin{cases}2^{32}-2^{16}&\text{if }i% =0\\ 2^{32}-2\mathsf{Z}_{Z}-\mathsf{Z}_{I}&\text{if }i=1\\ 2^{32}-\mathsf{Z}_{Z}-\mathsf{Z}_{I}&\text{if }i=7\\ \mathopen{}\mathclose{{}\left|\mathbf{a}}\right|&\text{if }i=8\\ 0&\text{otherwise}\end{cases}

A.8. Argument Invocation Definition

The three instances where the pvm is utilized each expect to be able to pass argument data in and receive some return data back. We thus define the common pvm program-argument invocation function $\Psi_{M}$ :

(A.50)

\Psi_{M}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{B},\mathbb{N}_{R},\mathbb{N}_{G},\mathbb{B}_{% :\mathsf{Z}_{I}},\Omega\mathopen{}\mathclose{{}\left\langle X}\right\rangle,X}% \right\rgroup\!&\to\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{N}_{G},% \mathbb{B}\cup\mathopen{}\mathclose{{}\left\{\,\lightning,\infty\,}\right\},X}% \right\rgroup\!\\ \mathopen{}\mathclose{{}\left(\mathfrak{j},\imath,\varrho,\mathbf{a},f,\mathbf% {x}}\right)&\mapsto\begin{cases}\mathopen{}\mathclose{{}\left(0,\lightning,% \mathbf{x}}\right)&\text{if }Y(\mathfrak{j},\mathbf{a})=\emptyset\\ R(\varrho,\Psi_{H}(\mathfrak{p},\imath,\varrho,\varphi,{\mu},f,\mathbf{x}))&% \text{if }Y(\mathfrak{j},\mathbf{a})=\mathopen{}\mathclose{{}\left(\mathfrak{p% },\varphi,{\mu}}\right)\\ \lx@intercol\quad\text{where }R\colon\mathopen{}\mathclose{{}\left(\varrho,% \mathopen{}\mathclose{{}\left(\begin{aligned} &\varepsilon,\,&&\imath^{\prime}% ,\,&&\varrho^{\prime},\\ &\varphi^{\prime},\,&&{\mu}^{\prime},\,&&\mathbf{x}^{\prime}\end{aligned}}% \right)}\right)\mapsto\begin{cases}\mathopen{}\mathclose{{}\left(u,\infty,% \mathbf{x}^{\prime}}\right)&\text{if }\varepsilon=\infty\\ \mathopen{}\mathclose{{}\left(u,\mu^{\prime}_{\varphi^{\prime}_{7}\dots+% \varphi^{\prime}_{8}},\mathbf{x}^{\prime}}\right)&\text{if }\varepsilon=% \blacksquare\wedge\mathbb{N}_{\varphi^{\prime}_{7}\dots+\varphi^{\prime}_{8}}% \subseteq\mathbb{V}_{{\mu}^{\prime}}\\ \mathopen{}\mathclose{{}\left(u,\mathopen{}\mathclose{{}\left[}\right],\mathbf% {x}^{\prime}}\right)&\text{if }\varepsilon=\blacksquare\wedge\mathbb{N}_{% \varphi^{\prime}_{7}\dots+\varphi^{\prime}_{8}}\not\subseteq\mathbb{V}_{{\mu}^% {\prime}}\\ \mathopen{}\mathclose{{}\left(u,\lightning,\mathbf{x}^{\prime}}\right)&\text{% otherwise}\\ \lx@intercol\quad\text{where }u=\varrho-\max(\varrho^{\prime},0)\hfil% \lx@intercol\end{cases}\hfil\lx@intercol\!\!\!\!\!\!\!\!\end{cases}\end{% aligned}}\right.

Note that the first tuple item is the amount of gas consumed by the operation, but never greater than the amount of gas provided for the operation.

A.9. Gas Cost Model

The gas cost model for the pvm is a simplified model of a modern CPU microarchitecture, heavily inspired by what’s used by production-grade compilers to predict how much time a given piece of code will take. For each basic block in the program the model simulates its execution flow and computes the required number of virtual CPU cycles that would be needed to execute it.

A gas simulation state, of set $\mathbb{S}$ , contains the current instruction counter $\imath$ , a cycle counter $c$ , the number of decode slots $d$ remaining in the current cycle, the maximum number of instructions $e$ which are still allowed to start execution in the current cycle, the remaining available execution units $t$ , and the reorder buffer $\mathbf{r}$ . Formally:

(A.51)

\mathbb{S}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\imath\in\mathbb{N}_{R}% \cup\mathopen{}\mathclose{{}\left\{\,\emptyset\,}\right\},c\in\mathbb{N},d\in% \mathbb{N},e\in\mathbb{N},t\in\mathbb{E},\mathbf{r}\in\mathopen{}\mathclose{{}% \left\lsem\mathbb{R}}\right\rsem}\right\rgroup\!\\

A reorder buffer entry, of set $\mathbb{R}$ , contains its current state $s$ , the number of cycles left $c$ , a set of reorder buffer indices considered its dependencies $p$ , a set of clobbered registers $r$ , and the execution units used $t$ . Formally:

(A.52)

\mathbb{R}\equiv\!\mathopen{}\mathclose{{}\left\lgroup s\in\mathopen{}% \mathclose{{}\left\{\,\text{DEC},\text{WAIT},\text{EXE},\text{FIN},\emptyset\,% }\right\},c\in\mathbb{N},p\subseteq\mathbb{N},r\subseteq\mathbb{N}_{13},t\in% \mathbb{E}}\right\rgroup\!\\

A tuple of the set $\mathbb{E}$ maps each execution unit kind ( ${\text{A},\text{L},\text{S},\text{M},\text{D}}$ ) into a number:

(A.53)

\mathbb{E}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\text{A}\in\mathbb{N},% \text{L}\in\mathbb{N},\text{S}\in\mathbb{N},\text{M}\in\mathbb{N},\text{D}\in% \mathbb{N}}\right\rgroup\!

For convenience we define addition and subtraction of two tuples of the set $\mathbb{E}$ to be equivalent to the memberwise operation of the same kind; formally:

(A.54)		$\displaystyle\forall a,b\in\mathbb{E};\forall\oplus\in\mathopen{}\mathclose{{}% \left\{\,+,-\,}\right\}$	$\displaystyle:a\oplus b\equiv c$
(A.54)		$\displaystyle\text{where }c\in\mathbb{E},\forall k\in\mathopen{}\mathclose{{}% \left\{\,\text{A},\text{L},\text{S},\text{M},\text{D}\,}\right\}$	$\displaystyle:c_{k}\equiv a_{k}\oplus b_{k}$

Similarly, a comparison between two tuples of the set $\mathbb{E}$ is true if and only if the chosen comparison holds for all corresponding members:

(A.55)			$\displaystyle\forall a,b\in\mathbb{E};\forall\oplus\in\mathopen{}\mathclose{{}% \left\{\,<,>,\leq,\geq\,}\right\}:$
(A.55)			$\displaystyle\quad a\oplus b\equiv\bigwedge_{k\in\mathopen{}\mathclose{{}\left% \{\,\text{A},\text{L},\text{S},\text{M},\text{D}\,}\right\}}a_{k}\oplus b_{k}$

We define the function $\check{s}(\mathbf{c},\mathbf{k},\imath)$ which returns the set of source registers read by the instruction at $\imath$ , and the function $\check{r}(\mathbf{c},\mathbf{k},\imath)$ which returns the set of destination registers written by the instruction at $\imath$ , as described by the equations in A.5. This is regardless of whether those registers would actually have been modified by that instruction when executed at runtime. ecalli is assumed to neither read nor write to any registers in this model.

We also define the function $\check{c}(\mathbf{c},\mathbf{k},\imath)$ which returns the number of cycles the instruction at $\imath$ needs to finish execution, $\check{d}(\mathbf{c},\mathbf{k},\imath)$ which returns the number of decoding slots necessary to decode it, and $\check{x}(\mathbf{c},\mathbf{k},\imath)$ which returns the number of virtual CPU execution units required to start its execution. These simply return the values as specified in A.10.

The gas cost of a given basic block starting at instruction opcode index $\imath\in\varpi$ and given the instruction data $\mathbf{c}$ and the opcode bitmask $\mathbf{k}$ is defined by the number of virtual CPU cycles as determined by the gas cost model transition function, up until every instruction of the basic block it has ingested has been retired and the simulation has converged. Formally:

(A.56)

\varrho^{\Delta}\colon\mathopen{}\mathclose{{}\left\{\begin{array}[]{@{}l@{}}% \begin{aligned} \mathopen{}\mathclose{{}\left(\mathbb{B},\mathbb{b},\mathbb{N}% _{R}}\right)&\to\mathbb{N}\\ \mathopen{}\mathclose{{}\left(\mathbf{c},\mathbf{k},\imath}\right)&\mapsto\max% (\mathbf{x}^{\text{final}}_{c}-3,1)\\ \end{aligned}\\[14.0pt] \hskip 8.0pt\begin{aligned} \text{where }&\mathbf{x}^{\text{final}}&=&\text{ }% \mathfrak{X}(\mathbf{c},\mathbf{k},\mathbf{x}^{\text{init}})\\ &\mathbf{x}^{\text{init}}&=&\text{ }\mathopen{}\mathclose{{}\left(\imath,0,4,5% ,\mathopen{}\mathclose{{}\left(4,4,4,1,1}\right),\mathopen{}\mathclose{{}\left% [}\right]}\right)\end{aligned}\end{array}}\right.

The gas cost model simulation function $\mathfrak{X}$ is defined as follows:

(A.57)

\mathfrak{X}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathopen{}% \mathclose{{}\left(\mathbb{B},\mathbb{b},\mathbb{S}}\right)&\to\mathbb{S}\\ \mathopen{}\mathclose{{}\left(\mathbf{c},\mathbf{k},\mathbf{x}}\right)&\mapsto% \begin{cases}\mathfrak{X}(\mathbf{c},\mathbf{k},\mathfrak{X}^{\prime}(\mathbf{% c},\mathbf{k},\mathbf{x}))&\text{if }\mathbf{x}_{\imath}\neq\emptyset\land% \check{d}(\mathbf{c},\mathbf{k},\mathbf{x}_{\imath})\leq\mathbf{x}_{d}\land l<% 32\\ \mathfrak{X}(\mathbf{c},\mathbf{k},\mathfrak{X}^{\prime\prime}(\mathbf{x}))&% \text{otherwise if }\mathfrak{S}(\mathbf{x})\neq\emptyset\land\mathbf{x}_{e}>0% \\ \mathbf{x}&\text{otherwise if }\mathbf{x}_{\imath}=\emptyset\land l=0\\ \mathfrak{X}(\mathbf{c},\mathbf{k},\mathfrak{X}^{\prime\prime\prime}(\mathbf{x% }))&\text{otherwise}\\ \end{cases}\\ \text{where }l&=\mathopen{}\mathclose{{}\left|\mathopen{}\mathclose{{}\left[r% \;\middle|\;r\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}{\mathbf{x}_{% \mathbf{r}}},r_{s}\neq\emptyset}\right]}\right|\end{aligned}}\right.

The state transition function $\mathfrak{X}^{\prime}$ which decodes the instructions without triggering the virtual CPU pipeline simulation is defined as follows:

(A.58)

\mathfrak{X}^{\prime}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} % \mathopen{}\mathclose{{}\left(\mathbb{B},\mathbb{b},\mathbb{S}}\right)&\to% \mathbb{S}\\ \mathopen{}\mathclose{{}\left(\mathbf{c},\mathbf{k},\mathbf{x}}\right)&\mapsto% \begin{cases}\mathfrak{X}^{\text{mov}}(\mathbf{c},\mathbf{k},\mathbf{x})&\text% {if }\imath<\mathopen{}\mathclose{{}\left|\mathbf{c}}\right|\land\mathbf{c}_{% \imath}=\text{{\small{move\_reg}}}\\ \mathfrak{X}^{\text{dec}}(\mathbf{c},\mathbf{k},\mathbf{x})&\text{otherwise}% \end{cases}\end{aligned}}\right.

The move_reg instruction is special-cased to be handled by the frontend of our virtual CPU, without being added to the reorder buffer:

(A.59)

\mathfrak{X}^{\text{mov}}\colon\mathopen{}\mathclose{{}\left\{\begin{array}[]{% @{}l@{}}\begin{aligned} \mathopen{}\mathclose{{}\left(\mathbb{B},\mathbb{b},% \mathbb{S}}\right)&\to\mathbb{S}\\ \mathopen{}\mathclose{{}\left(\mathbf{c},\mathbf{k},\mathbf{x}}\right)&\mapsto% \mathbf{x}^{\prime}\end{aligned}\\[14.0pt] \hskip 8.0pt\begin{aligned} \text{where }\mathbf{x}^{\prime}&=\mathbf{x}\text{% except:}\\ \mathbf{x}^{\prime}_{\imath}&=\mathbf{x}_{\imath}+1+\text{skip}(\mathbf{x}_{% \imath})\\ \mathbf{x}^{\prime}_{d}&=\mathbf{x}_{d}-1\\ \mathbf{x}^{\prime}_{\mathbf{r}}&={\mathbf{x}_{\mathbf{r}}}\text{ except:}\\ &\begin{aligned} \forall j&\in\mathbb{N}_{\mathopen{}\mathclose{{}\left|{% \mathbf{x}_{\mathbf{r}}}}\right|}:\mathbf{x}^{\prime}_{\mathbf{r}}\mathopen{}% \mathclose{{}\left[j}\right]_{r}&=\begin{cases}{{\mathbf{x}_{\mathbf{r}}}% \mathopen{}\mathclose{{}\left[j}\right]}_{r}\cup\check{r}(\mathbf{c},\mathbf{k% },\mathbf{x}_{\imath})&\text{if }{{\mathbf{x}_{\mathbf{r}}}\mathopen{}% \mathclose{{}\left[j}\right]}_{r}\cap\check{s}(\mathbf{c},\mathbf{k},\mathbf{x% }_{\imath})\neq\emptyset\\ {{\mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{}\left[j}\right]}_{r}% \setminus\check{r}(\mathbf{c},\mathbf{k},\mathbf{x}_{\imath})&\text{otherwise}% \end{cases}\\ \end{aligned}\end{aligned}\end{array}}\right.

Every other instruction is fully decoded and added to the reorder buffer as follows:

(A.60)

\mathfrak{X}^{\text{dec}}\colon\mathopen{}\mathclose{{}\left\{\begin{array}[]{% @{}l@{}}\begin{aligned} \mathopen{}\mathclose{{}\left(\mathbb{B},\mathbb{b},% \mathbb{S}}\right)&\to\mathbb{S}\\ \mathopen{}\mathclose{{}\left(\mathbf{c},\mathbf{k},\mathbf{x}}\right)&\mapsto% \mathbf{x}^{\prime}\end{aligned}\\[14.0pt] \hskip 8.0pt\begin{aligned} \text{where }\mathbf{x}^{\prime}&=\mathbf{x}\text{% except:}\\ \mathbf{x}^{\prime}_{\imath}&=\begin{cases}\emptyset&\text{if }\zeta_{\imath}% \in T\\ \mathbf{x}_{\imath}+1+\text{skip}(\mathbf{x}_{\imath})&\text{otherwise}\end{% cases}\\ \mathbf{c}&\mapsto\zeta\text{ according to \ref{eq:instructions}}\\ \mathbf{x}^{\prime}_{d}&=\mathbf{x}_{d}-\check{d}(\mathbf{c},\mathbf{k},% \mathbf{x}_{\imath})\\ \mathbf{r}&={\mathbf{x}_{\mathbf{r}}}\text{ except: }\forall j\in\mathbb{N}_{% \mathopen{}\mathclose{{}\left|{\mathbf{x}_{\mathbf{r}}}}\right|}:\mathbf{r}% \mathopen{}\mathclose{{}\left[j}\right]_{r}={{\mathbf{x}_{\mathbf{r}}}% \mathopen{}\mathclose{{}\left[j}\right]}_{r}\setminus r\\ r&=\check{r}(\mathbf{c},\mathbf{k},\mathbf{x}_{\imath})\\ c&=\check{c}(\mathbf{c},\mathbf{k},\mathbf{x}_{\imath})\\ t&=\check{x}(\mathbf{c},\mathbf{k},\mathbf{x}_{\imath})\\ p&=\mathopen{}\mathclose{{}\left\{\,i\;\middle|\;i\in\mathbb{N}_{\mathopen{}% \mathclose{{}\left|{\mathbf{x}_{\mathbf{r}}}}\right|},\check{s}(\mathbf{c},% \mathbf{k},\mathbf{x}_{\imath})\cap{{\mathbf{x}_{\mathbf{r}}}\mathopen{}% \mathclose{{}\left[i}\right]}_{r}\neq\emptyset\,}\right\}\\ \mathbf{x}^{\prime}_{\mathbf{r}}&=\mathbf{r}\mathrel{\hbox to0.0pt{\hbox to7.0% pt{\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill\vrule height=5.0pt,% depth=0.0pt,width=0.6pt\hfill}}\vbox to5.0pt{\vfill\hrule height=0.6pt,depth=0% .0pt,width=7.0pt\vfill}}\!\mathopen{}\mathclose{{}\left\lgroup\text{DEC},c,p,r% ,t}\right\rgroup\!\\ \end{aligned}\end{array}}\right.

The state transition function $\mathfrak{X}^{\prime\prime}$ which starts the execution of the next pending instruction is defined as follows:

(A.61)

\mathfrak{X}^{\prime\prime}\colon\mathopen{}\mathclose{{}\left\{\begin{array}[% ]{@{}l@{}}\begin{aligned} \mathbb{S}&\to\mathbb{S}\\ \mathbf{x}&\mapsto\mathbf{x}^{\prime}\\ \end{aligned}\\[14.0pt] \hskip 8.0pt\begin{aligned} \text{where }\mathbf{x}^{\prime}&=\mathbf{x}\text{% except:}\\ \mathbf{x}^{\prime}_{e}&=\mathbf{x}_{e}-1\\ n&=\mathfrak{S}(\mathbf{x})\\ \mathbf{x}^{\prime}_{t}&=\mathbf{x}_{t}-{{\mathbf{x}_{\mathbf{r}}}\mathopen{}% \mathclose{{}\left[n}\right]}_{t}\\ \mathbf{x}^{\prime}_{\mathbf{r}}&={\mathbf{x}_{\mathbf{r}}}\text{ except: }% \mathbf{x}^{\prime}_{\mathbf{r}}\mathopen{}\mathclose{{}\left[n}\right]_{s}=% \text{EXE}\end{aligned}\end{array}}\right.

The function $\mathfrak{S}$ which checks which instruction inside of the reorder buffer is ready to start executing (and whether such an instruction even exists) is defined as follows:

(A.62)

\mathfrak{S}\colon\mathopen{}\mathclose{{}\left\{\begin{array}[]{@{}l@{}}% \begin{aligned} \mathbb{S}&\to\mathbb{N}\cup\mathopen{}\mathclose{{}\left\{\,% \emptyset\,}\right\}\\ \mathbf{x}&\mapsto\begin{cases}\emptyset&\text{if }s=\emptyset\\ \min(s)&\text{otherwise}\end{cases}\\ \end{aligned}\\[14.0pt] \hskip 8.0pt\begin{aligned} \\[0.2pt] \text{where }s&=\mathopen{}\mathclose{{}\left\{\,j\in\mathbb{N}_{\mathopen{}% \mathclose{{}\left|{\mathbf{x}_{\mathbf{r}}}}\right|}\;\middle|\;{{\mathbf{x}_% {\mathbf{r}}}\mathopen{}\mathclose{{}\left[j}\right]}_{s}=\text{WAIT}\land{{% \mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{}\left[j}\right]}_{t}\leq% \mathbf{x}_{t}\land(\forall k\in{{\mathbf{x}_{\mathbf{r}}}\mathopen{}% \mathclose{{}\left[j}\right]}_{p}:{{\mathbf{x}_{\mathbf{r}}}\mathopen{}% \mathclose{{}\left[k}\right]}_{c}=0)\,}\right\}\end{aligned}\end{array}}\right.

The state transition function $\mathfrak{X}^{\prime\prime\prime}$ which simulates the rest of the virtual CPU pipeline is defined as follows:

(A.63)

\mathfrak{X}^{\prime\prime\prime}\colon\mathopen{}\mathclose{{}\left\{\begin{% array}[]{@{}l@{}}\begin{aligned} \mathbb{S}&\to\mathbb{S}\\ \mathbf{x}&\mapsto\mathbf{x}^{\prime}\\ \end{aligned}\\[14.0pt] \hskip 8.0pt\begin{aligned} \text{where }\mathbf{x}^{\prime}&=\mathbf{x}\text{% except:}\\ \mathbf{x}^{\prime}_{d}&=4,\mathbf{x}^{\prime}_{e}=5,\mathbf{x}^{\prime}_{c}=% \mathbf{x}_{c}+1\\ \mathbf{x}^{\prime}_{t}&=\mathbf{x}_{t}+\sum_{n\in\mathbb{N}_{\mathopen{}% \mathclose{{}\left|{\mathbf{x}_{\mathbf{r}}}}\right|},{{\mathbf{x}_{\mathbf{r}% }}\mathopen{}\mathclose{{}\left[n}\right]}_{s}=\text{EXE}\land{{\mathbf{x}_{% \mathbf{r}}}\mathopen{}\mathclose{{}\left[n}\right]}_{c}=1}{{\mathbf{x}_{% \mathbf{r}}}\mathopen{}\mathclose{{}\left[n}\right]}_{t}\\ \mathbf{x}^{\prime}_{\mathbf{r}}&={\mathbf{x}_{\mathbf{r}}}\text{ except }% \forall j\in\mathbb{N}_{\mathopen{}\mathclose{{}\left|{\mathbf{x}_{\mathbf{r}}% }}\right|}:\\ &\begin{aligned} \mathbf{x}^{\prime}_{\mathbf{r}}\mathopen{}\mathclose{{}\left% [j}\right]_{s}&=\begin{cases}\emptyset&\text{if }\forall k\in\mathbb{N}_{j+1}:% {{\mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{}\left[k}\right]}_{s}\in% \mathopen{}\mathclose{{}\left\{\,\text{FIN},\emptyset\,}\right\}\\ \text{WAIT}&\text{if }{{\mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{}\left[% j}\right]}_{s}=\text{DEC}\\ \text{FIN}&\text{if }{{\mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{}\left[j% }\right]}_{s}=\text{EXE}\land{{\mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{% }\left[j}\right]}_{c}=0\\ {{\mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{}\left[j}\right]}_{s}&\text{% otherwise}\\ \end{cases}\\ \mathbf{x}^{\prime}_{\mathbf{r}}\mathopen{}\mathclose{{}\left[j}\right]_{c}&=% \begin{cases}{{\mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{}\left[j}\right]% }_{c}-1&\text{if }{{\mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{}\left[j}% \right]}_{s}=\text{EXE}\land{{\mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{}% \left[j}\right]}_{c}>0\\ {{\mathbf{x}_{\mathbf{r}}}\mathopen{}\mathclose{{}\left[j}\right]}_{c}&\text{% otherwise}\\ \end{cases}\\ \end{aligned}\end{aligned}\end{array}}\right.

A.10. Gas Cost Tables

For some of the instructions their cost depends on whether the destination register overlaps with any of the source registers:

(A.64)

\mathfrak{P}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} (\mathbb{N},% \mathbb{N},\mathbb{B},\mathbb{b},\mathbb{N}_{R})&\to\mathbb{N}\\ (a,b,\mathbf{c},\mathbf{k},\imath)&\mapsto\begin{cases}a&\text{if }\check{s}(% \mathbf{c},\mathbf{k},\imath)\cap\check{r}(\mathbf{c},\mathbf{k},\imath)\neq% \emptyset\\ b&\text{otherwise}\end{cases}\end{aligned}}\right.

For non-immediate shift and rotate instructions only the first source register matters:

(A.65)

\mathfrak{P}_{S}\colon\mathopen{}\mathclose{{}\left\{\begin{array}[]{@{}l@{}}% \begin{aligned} (\mathbb{N},\mathbb{N},\mathbb{B},\mathbb{b},\mathbb{N}_{R})&% \to\mathbb{N}\\ (a,b,\mathbf{c},\mathbf{k},\imath)&\mapsto\begin{cases}a&\text{if }{\varphi}_{% A}={\varphi}_{D}\\ b&\text{otherwise}\end{cases}\\ \end{aligned}\\[14.0pt] \hskip 8.0pt\begin{aligned} \\[0.2pt] &\text{where }(\mathbf{c},\mathbf{k},\imath)\mapsto({\varphi}_{A},{\varphi}_{D% })\text{ according to \ref{sec:programdecoding} and \ref{sec:instructiontables% }}\\ \end{aligned}\end{array}}\right.

The cost of memory accesses is defined as follows:

(A.66)

\mathfrak{m}\equiv 25

The cost of a branch depends on whether any of its targets (either the jump target or the implicit fallthrough) point to an instruction byte which is equal to the opcode for the unlikely or the trap instruction; formally:

(A.67)

\mathfrak{b}\colon\mathopen{}\mathclose{{}\left\{\begin{array}[]{@{}l@{}}% \begin{aligned} (\mathbb{B},\mathbb{N}_{R})&\to\mathbb{N}\\ (\mathbf{c},\imath)&\mapsto\begin{cases}1&\text{if }\{\zeta_{\imath+1+\text{% skip}(\imath)},\zeta_{\imath_{\text{target}}}\}\cap\{\text{{\small{unlikely}}}% ,\text{{\small{trap}}}\}\neq\emptyset\\ 20&\text{otherwise}\end{cases}\end{aligned}\\[14.0pt] \hskip 8.0pt\begin{aligned} \\[0.2pt] \text{where }&\mathbf{c}\mapsto\zeta\text{ according to \ref{eq:instructions}}% \\ &\imath_{\text{target}}\text{ is the target of the branch according to \ref{% sec:instructiontables}}\end{aligned}\end{array}}\right.

In the following table the $\mathbf{c}$ , $\mathbf{k}$ , and $\imath$ arguments are omitted for clarity.

Instruction	$\check{c}$	$\check{d}$	$\check{x}_{\text{A}}$	$\check{x}_{\text{L}}$	$\check{x}_{\text{S}}$	$\check{x}_{\text{M}}$	$\check{x}_{\text{D}}$
move_reg	0	1	0	0	0	0	0
and	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
xor	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
or	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
add_64	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
sub_64	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
add_32	2	$\mathfrak{P}(2,3)$	1	0	0	0	0
sub_32	2	$\mathfrak{P}(2,3)$	1	0	0	0	0
and_imm	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
xor_imm	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
or_imm	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
add_imm_64	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
shlo_r_imm_64	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
shar_r_imm_64	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
shlo_l_imm_64	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
rot_r_64_imm	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
reverse_bytes	1	$\mathfrak{P}(1,2)$	1	0	0	0	0
add_imm_32	2	$\mathfrak{P}(2,3)$	1	0	0	0	0
shlo_r_imm_32	2	$\mathfrak{P}(2,3)$	1	0	0	0	0
shar_r_imm_32	2	$\mathfrak{P}(2,3)$	1	0	0	0	0
shlo_l_imm_32	2	$\mathfrak{P}(2,3)$	1	0	0	0	0
rot_r_32_imm	2	$\mathfrak{P}(2,3)$	1	0	0	0	0
count_set_bits_64	1	1	1	0	0	0	0
count_set_bits_32	1	1	1	0	0	0	0
leading_zero_bits_64	1	1	1	0	0	0	0
leading_zero_bits_32	1	1	1	0	0	0	0
sign_extend_8	1	1	1	0	0	0	0
sign_extend_16	1	1	1	0	0	0	0
zero_extend_16	1	1	1	0	0	0	0
trailing_zero_bits_64	2	1	2	0	0	0	0
trailing_zero_bits_32	2	1	2	0	0	0	0
shlo_l_64	1	$\mathfrak{P}_{S}(2,3)$	1	0	0	0	0
shlo_r_64	1	$\mathfrak{P}_{S}(2,3)$	1	0	0	0	0
shar_r_64	1	$\mathfrak{P}_{S}(2,3)$	1	0	0	0	0
rot_l_64	1	$\mathfrak{P}_{S}(2,3)$	1	0	0	0	0
rot_r_64	1	$\mathfrak{P}_{S}(2,3)$	1	0	0	0	0
shlo_l_32	2	$\mathfrak{P}_{S}(3,4)$	1	0	0	0	0
shlo_r_32	2	$\mathfrak{P}_{S}(3,4)$	1	0	0	0	0
shar_r_32	2	$\mathfrak{P}_{S}(3,4)$	1	0	0	0	0
rot_l_32	2	$\mathfrak{P}_{S}(3,4)$	1	0	0	0	0
rot_r_32	2	$\mathfrak{P}_{S}(3,4)$	1	0	0	0	0
shlo_l_imm_alt_64	1	3	1	0	0	0	0
shlo_r_imm_alt_64	1	3	1	0	0	0	0
shar_r_imm_alt_64	1	3	1	0	0	0	0
rot_r_64_imm_alt	1	3	1	0	0	0	0
shlo_l_imm_alt_32	2	4	1	0	0	0	0
shlo_r_imm_alt_32	2	4	1	0	0	0	0
shar_r_imm_alt_32	2	4	1	0	0	0	0
rot_r_32_imm_alt	2	4	1	0	0	0	0
set_lt_u	3	3	1	0	0	0	0
set_lt_s	3	3	1	0	0	0	0
set_lt_u_imm	3	3	1	0	0	0	0
set_lt_s_imm	3	3	1	0	0	0	0
set_gt_u_imm	3	3	1	0	0	0	0
set_gt_s_imm	3	3	1	0	0	0	0
cmov_iz	2	2	1	0	0	0	0
cmov_nz	2	2	1	0	0	0	0
cmov_iz_imm	2	3	1	0	0	0	0
cmov_nz_imm	2	3	1	0	0	0	0
max	3	$\mathfrak{P}(2,3)$	1	0	0	0	0
max_u	3	$\mathfrak{P}(2,3)$	1	0	0	0	0
min	3	$\mathfrak{P}(2,3)$	1	0	0	0	0
min_u	3	$\mathfrak{P}(2,3)$	1	0	0	0	0
load_ind_u8	$\mathfrak{m}$	1	1	1	0	0	0
load_ind_i8	$\mathfrak{m}$	1	1	1	0	0	0
load_ind_u16	$\mathfrak{m}$	1	1	1	0	0	0
load_ind_i16	$\mathfrak{m}$	1	1	1	0	0	0
load_ind_u32	$\mathfrak{m}$	1	1	1	0	0	0
load_ind_i32	$\mathfrak{m}$	1	1	1	0	0	0
load_ind_u64	$\mathfrak{m}$	1	1	1	0	0	0
load_u8	$\mathfrak{m}$	1	1	1	0	0	0
load_i8	$\mathfrak{m}$	1	1	1	0	0	0
load_u16	$\mathfrak{m}$	1	1	1	0	0	0
load_i16	$\mathfrak{m}$	1	1	1	0	0	0
load_u32	$\mathfrak{m}$	1	1	1	0	0	0
load_i32	$\mathfrak{m}$	1	1	1	0	0	0
load_u64	$\mathfrak{m}$	1	1	1	0	0	0
store_imm_ind_u8	25	1	1	0	1	0	0
store_imm_ind_u16	25	1	1	0	1	0	0
store_imm_ind_u32	25	1	1	0	1	0	0
store_imm_ind_u64	25	1	1	0	1	0	0
store_ind_u8	25	1	1	0	1	0	0
store_ind_u16	25	1	1	0	1	0	0
store_ind_u32	25	1	1	0	1	0	0
store_ind_u64	25	1	1	0	1	0	0
store_imm_u8	25	1	1	0	1	0	0
store_imm_u16	25	1	1	0	1	0	0
store_imm_u32	25	1	1	0	1	0	0
store_imm_u64	25	1	1	0	1	0	0
store_u8	25	1	1	0	1	0	0
store_u16	25	1	1	0	1	0	0
store_u32	25	1	1	0	1	0	0
store_u64	25	1	1	0	1	0	0
branch_eq	$\mathfrak{b}$	1	1	0	0	0	0
branch_ne	$\mathfrak{b}$	1	1	0	0	0	0
branch_lt_u	$\mathfrak{b}$	1	1	0	0	0	0
branch_lt_s	$\mathfrak{b}$	1	1	0	0	0	0
branch_ge_u	$\mathfrak{b}$	1	1	0	0	0	0
branch_ge_s	$\mathfrak{b}$	1	1	0	0	0	0
branch_eq_imm	$\mathfrak{b}$	1	1	0	0	0	0
branch_ne_imm	$\mathfrak{b}$	1	1	0	0	0	0
branch_lt_u_imm	$\mathfrak{b}$	1	1	0	0	0	0
branch_le_u_imm	$\mathfrak{b}$	1	1	0	0	0	0
branch_ge_u_imm	$\mathfrak{b}$	1	1	0	0	0	0
branch_gt_u_imm	$\mathfrak{b}$	1	1	0	0	0	0
branch_lt_s_imm	$\mathfrak{b}$	1	1	0	0	0	0
branch_le_s_imm	$\mathfrak{b}$	1	1	0	0	0	0
branch_ge_s_imm	$\mathfrak{b}$	1	1	0	0	0	0
branch_gt_s_imm	$\mathfrak{b}$	1	1	0	0	0	0
div_u_32	60	4	1	0	0	0	1
div_s_32	60	4	1	0	0	0	1
rem_u_32	60	4	1	0	0	0	1
rem_s_32	60	4	1	0	0	0	1
div_u_64	60	4	1	0	0	0	1
div_s_64	60	4	1	0	0	0	1
rem_u_64	60	4	1	0	0	0	1
rem_s_64	60	4	1	0	0	0	1
and_inv	2	3	1	0	0	0	0
or_inv	2	3	1	0	0	0	0
xnor	2	$\mathfrak{P}(2,3)$	1	0	0	0	0
neg_add_imm_64	2	3	1	0	0	0	0
neg_add_imm_32	3	4	1	0	0	0	0
load_imm	1	1	0	0	0	0	0
load_imm_64	1	2	0	0	0	0	0
mul_64	3	$\mathfrak{P}(1,2)$	1	0	0	1	0
mul_32	4	$\mathfrak{P}(2,3)$	1	0	0	1	0
mul_imm_64	3	$\mathfrak{P}(1,2)$	1	0	0	1	0
mul_imm_32	4	$\mathfrak{P}(2,3)$	1	0	0	1	0
mul_upper_s_s	4	4	1	0	0	1	0
mul_upper_u_u	4	4	1	0	0	1	0
mul_upper_s_u	6	4	1	0	0	1	0
trap	2	1	0	0	0	0	0
fallthrough	2	1	0	0	0	0	0
unlikely	40	1	0	0	0	0	0
jump	15	1	0	0	0	0	0
load_imm_jump	15	1	0	0	0	0	0
jump_ind	22	1	0	0	0	0	0
load_imm_jump_ind	22	1	0	0	0	0	0
ecalli	100	4	1	0	0	0	0

Appendix B Virtual Machine Invocations

We now define the three practical instances where we wish to invoke a pvm instance as part of the protocol. In general, we avoid introducing unbounded data as part of the basic invocation arguments in order to minimize the chance of an unexpectedly large ram allocation, which could lead to gas inflation and unavoidable underflow. This makes for a more cumbersome interface, but one which is more predictable and easier to reason about.

B.1. Host-Call Result Constants

$\mathtt{NONE}=2^{64}-1$ :: The return value indicating an item does not exist.
$\mathtt{WHAT}=2^{64}-2$ :: Name unknown.
$\mathtt{OOB}=2^{64}-3$ :: The inner pvm memory index provided for reading/writing is not accessible.
$\mathtt{WHO}=2^{64}-4$ :: Index unknown.
$\mathtt{FULL}=2^{64}-5$ :: Storage full or resource already allocated.
$\mathtt{CORE}=2^{64}-6$ :: Core index unknown.
$\mathtt{CASH}=2^{64}-7$ :: Insufficient funds.
$\mathtt{LOW}=2^{64}-8$ :: Gas limit too low.
$\mathtt{HUH}=2^{64}-9$ :: The operation is invalid. For example, the item is already solicited, cannot be forgotten, or the service is insufficiently privileged.
$\mathtt{OK}=0$ :: The return value indicating general success.

Inner pvm invocations have their own set of result codes:

$\mathtt{HALT}=0$ :: The invocation completed and halted normally.
$\mathtt{PANIC}=1$ :: The invocation completed with a panic.
$\mathtt{FAULT}=2$ :: The invocation completed with a page fault.
$\mathtt{HOST}=3$ :: The invocation completed with a host-call fault.
$\mathtt{OOG}=4$ :: The invocation completed by running out of gas.

Note return codes for a host-call-request exit are any non-zero value less than $2^{64}-13$ .

B.2. Is-Authorized Invocation

The Is-Authorized invocation is the first and simplest of the three, being totally stateless. It provides only host-call functions for inspecting its environment and parameters. It accepts as arguments only the core on which it should be executed, $c$ . Formally, it is defined as $\Psi_{I}$ :

(B.1)		$\displaystyle\Psi_{I}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathbb{P},\mathbb{N}_{\mathsf{C}}}\right\rgroup\!&% \to\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{B}\cup\mathbb{E},\mathbb{N}_{% G}}\right\rgroup\!\\ \mathopen{}\mathclose{{}\left(\mathbf{p},c}\right)&\mapsto\begin{cases}% \mathopen{}\mathclose{{}\left(\text{{\small{BAD}}},0}\right)&\text{if }\mathbf% {p}_{\mathbf{u}}=\emptyset\\ \mathopen{}\mathclose{{}\left(\text{{\small{BIG}}},0}\right)&\text{otherwise % if }\mathopen{}\mathclose{{}\left\|\mathbf{p}_{\mathbf{u}}}\right\|>\mathsf{W}_{% A}\\ \mathopen{}\mathclose{{}\left(\mathbf{r},u}\right)&\text{otherwise}\\ \lx@intercol\text{where }\mathopen{}\mathclose{{}\left(u,\mathbf{r},\emptyset}% \right)=\Psi_{M}(\mathbf{p}_{\mathbf{u}},0,\mathsf{G}_{I},\mathcal{E}_{2}% \mathopen{}\mathclose{{}\left(c}\right),F,\emptyset)\hfil\lx@intercol\\ \end{cases}\\ \end{aligned}}\right.$
(B.2)		$\displaystyle F\in\Omega\mathopen{}\mathclose{{}\left\langle\mathopen{}% \mathclose{{}\left\{}\right\}}\right\rangle$	$\displaystyle\colon\mathopen{}\mathclose{{}\left(n,\varrho,\varphi,\mu}\right)% \mapsto\begin{cases}\Omega_{G}(\varrho,\varphi,\mu)&\text{if }n=\mathtt{gas}\\ \Omega_{\Gemini}(\varrho,\varphi,\mu,\mathbf{p}_{\mathbf{u}})&\text{if }n=% \mathtt{grow\_heap}\\ \Omega_{Y}(\varrho,\varphi,\mu,\mathbf{p},\emptyset,\emptyset,\emptyset,% \emptyset,\emptyset,\emptyset,\emptyset)&\text{if }n=\mathtt{fetch}\\ \mathopen{}\mathclose{{}\left(\infty,\varrho^{\prime},\varphi^{\prime},\mu}% \right)&\text{otherwise if }\varrho^{\prime}<0\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\varrho^{\prime},\varphi^{% \prime},\mu}\right)&\text{otherwise}\\ \lx@intercol\text{where }\varphi^{\prime}=\varphi\text{ except }\varphi^{% \prime}_{7}=\mathtt{WHAT}\hfil\lx@intercol\\ \lx@intercol\text{and }\varrho^{\prime}=\varrho-\mathsf{M}_{\emptyset}\hfil% \lx@intercol\end{cases}$

Note for the Is-Authorized host-call dispatch function $F$ in equation B.2, we elide the host-call context since, being essentially stateless, it is always $\emptyset$ .

B.3. Refine Invocation

We define the Refine service-account invocation function as $\Psi_{R}$ . It has no general access to the state of the Jam chain, with the slight exception being the ability to make a historical lookup. Beyond this it is able to create inner instances of the pvm and dictate pieces of data to export.

The historical-lookup host-call function, $\Omega_{H}$ , is designed to give the same result regardless of the state of the chain for any time when auditing may occur (which we bound to be less than two epochs from being accumulated). The lookup anchor may be up to $\mathsf{L}$ timeslots before the recent history and therefore adds to the potential age at the time of audit. We therefore set $\mathsf{D}$ to have a safety margin of eight hours:

(B.3)

\mathsf{D}\equiv\mathsf{L}+4,800=19,200

The inner pvm invocation host-calls, meanwhile, depend on an integrated pvm type, which we shall denote $\mathbb{I}$ . It holds a pvm program blob, instruction counter, ram and a flag denoting whether gas was already charged for the currently executing basic block:

(B.4)

\mathbb{I}\equiv\!\mathopen{}\mathclose{{}\left\lgroup\mathfrak{p}\in\mathbb{B% },\mathbf{u}\in\mathbb{M},i\in\mathbb{N}_{R},\tilde{g}\in{\mathopen{}% \mathclose{{}\left\{\,\bot,\top\,}\right\}}}\right\rgroup\!

The Export host-call depends on two pieces of context; one sequence of segments (blobs of length $\mathsf{W}_{G}$ ) to which it may append, and the other an argument passed to the invocation function to dictate the number of segments prior which may assumed to have already been appended. The latter value ensures that an accurate segment index can be provided to the caller.

Unlike the other invocation functions, the Refine invocation function implicitly draws upon some recent service account state item $\delta$ . The specific block from which this comes is not important, as long as it is no earlier than its work-package’s lookup-anchor block. It explicitly accepts the work-package $p$ and the index of the work item to be refined, $i$ together with the core which is doing the refining $c$ . Additionally, the authorizer trace $\mathbf{r}$ is provided together with all work items’ import segments $\overline{\mathbf{i}}$ and an export segment offset $\varsigma$ . It results in a tuple of some error $\mathbb{E}$ or the refinement output blob (signalling success), the export sequence in the case of success and the gas used in evaluation. Formally:

(B.5)			$\displaystyle\Psi_{R}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!% \mathopen{}\mathclose{{}\left\lgroup\mathbb{N}_{\mathsf{C}},\mathbb{N},\mathbb% {P},\mathbb{B},\mathopen{}\mathclose{{}\left\lsem\mathopen{}\mathclose{{}\left% \lsem\mathbb{J}}\right\rsem}\right\rsem,\mathbb{N}}\right\rgroup\!&\to\!% \mathopen{}\mathclose{{}\left\lgroup\mathbb{B}\cup\mathbb{E},\mathopen{}% \mathclose{{}\left\lsem\mathbb{J}}\right\rsem,\mathbb{N}_{G}}\right\rgroup\!\\ \mathopen{}\mathclose{{}\left(c,i,p,\mathbf{r},\overline{\mathbf{i}},\varsigma% }\right)&\mapsto\begin{cases}\mathopen{}\mathclose{{}\left(\text{{\small{BAD}}% },\mathopen{}\mathclose{{}\left[}\right],0}\right)&\text{if }w_{s}\not\in% \mathcal{K}\mathopen{}\mathclose{{}\left(\delta}\right)\vee\Lambda(\delta% \mathopen{}\mathclose{{}\left[w_{s}}\right],(p_{\mathbf{c}})_{t},w_{c})=% \emptyset\\ \mathopen{}\mathclose{{}\left(\text{{\small{BIG}}},\mathopen{}\mathclose{{}% \left[}\right],0}\right)&\text{otherwise if }\mathopen{}\mathclose{{}\left\|% \Lambda(\delta\mathopen{}\mathclose{{}\left[w_{s}}\right],(p_{\mathbf{c}})_{t}% ,w_{c})}\right\|>\mathsf{W}_{C}\\ &\text{otherwise}:\\ &\quad\text{let }\mathbf{a}=\mathcal{E}\mathopen{}\mathclose{{}\left(c,i,w_{s}% ,\mathopen{}\mathclose{{}\left\updownarrow w_{\mathbf{y}}}\right.\!,\mathcal{H% }\mathopen{}\mathclose{{}\left(p}\right)}\right)\;,\ \mathcal{E}\mathopen{}% \mathclose{{}\left(\mathopen{}\mathclose{{}\left\updownarrow\mathbf{z}}\right.% \!,\mathfrak{j}}\right)=\Lambda(\delta\mathopen{}\mathclose{{}\left[w_{s}}% \right],(p_{\mathbf{c}})_{t},w_{c})\\ &\quad\text{and }\mathopen{}\mathclose{{}\left(u,\mathbf{o},\mathopen{}% \mathclose{{}\left(\mathbf{m},\mathbf{e}}\right)}\right)=\Psi_{M}(\mathfrak{j}% ,0,w_{g},\mathbf{a},F,\mathopen{}\mathclose{{}\left(\emptyset,\mathopen{}% \mathclose{{}\left[}\right]}\right))\ \colon\\ \mathopen{}\mathclose{{}\left(\mathbf{o},\mathopen{}\mathclose{{}\left[}\right% ],u}\right)&\quad\text{if }\mathbf{o}\in\mathopen{}\mathclose{{}\left\{\,% \infty,\lightning\,}\right\}\\ \mathopen{}\mathclose{{}\left(\mathbf{o},\mathbf{e},u}\right)&\quad\text{% otherwise}\\ \lx@intercol\text{where }w=p_{\mathbf{w}}\mathopen{}\mathclose{{}\left[i}% \right]\hfil\lx@intercol\end{cases}\\ \end{aligned}}\right.$
(B.6)			$\displaystyle F\in\Omega\mathopen{}\mathclose{{}\left\langle\!\mathopen{}% \mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}\to% \mathbb{I}}\right\ranglebar,\mathopen{}\mathclose{{}\left\lsem\mathbb{J}}% \right\rsem}\right\rgroup\!}\right\rangle\colon(n,\varrho,\varphi,\mu,% \mathopen{}\mathclose{{}\left(\mathbf{m},\mathbf{e}}\right))\mapsto\begin{% cases}\Omega_{G}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{m},% \mathbf{e}}\right))&\text{if }n=\mathtt{gas}\\ \Omega_{\Gemini}(\varrho,\varphi,\mu,\mathfrak{j})&\text{if }n=\mathtt{grow\_% heap}\\ \Omega_{Y}(\varrho,\varphi,\mu,p,\mathbb{H}_{0},\mathbf{r},i,\overline{\mathbf% {i}},\overline{\mathbf{x}},\emptyset,\mathopen{}\mathclose{{}\left(\mathbf{m},% \mathbf{e}}\right))&\text{if }n=\mathtt{fetch}\\ \Omega_{H}(\varrho,\varphi,\mu,w_{s},\delta,(p_{\mathbf{c}})_{t})&\text{if }n=% \mathtt{historical\_lookup}\\ \Omega_{E}(\varrho,\varphi,\mu,\mathbf{e},\varsigma)&\text{if }n=\mathtt{% export}\\ \Omega_{M}(\varrho,\varphi,\mu,\mathbf{m})&\text{if }n=\mathtt{machine}\\ \Omega_{P}(\varrho,\varphi,\mu,\mathbf{m})&\text{if }n=\mathtt{peek}\\ \Omega_{O}(\varrho,\varphi,\mu,\mathbf{m})&\text{if }n=\mathtt{poke}\\ \Omega_{Z}(\varrho,\varphi,\mu,\mathbf{m})&\text{if }n=\mathtt{pages}\\ \Omega_{K}(\varrho,\varphi,\mu,\mathbf{m})&\text{if }n=\mathtt{invoke}\\ \Omega_{X}(\varrho,\varphi,\mu,\mathbf{m})&\text{if }n=\mathtt{expunge}\\ \mathopen{}\mathclose{{}\left(\infty,\varrho^{\prime},\varphi^{\prime},\mu}% \right)&\text{otherwise if }\varrho^{\prime}<0\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\varrho^{\prime},\varphi^{% \prime},\mu}\right)&\text{otherwise}\\ \lx@intercol\text{where }\varphi^{\prime}=\varphi\text{ except }\varphi^{% \prime}_{7}=\mathtt{WHAT}\hfil\lx@intercol\\ \lx@intercol\text{and }\varrho^{\prime}=\varrho-\mathsf{M}_{\emptyset}\hfil% \lx@intercol\\ \lx@intercol\text{and }\overline{\mathbf{x}}=\mathopen{}\mathclose{{}\left[% \mathopen{}\mathclose{{}\left[\mathbf{x}\;\middle\|\;\mathopen{}\mathclose{{}% \left(\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{x}}\right),\mathopen{}% \mathclose{{}\left\|\mathbf{x}}\right\|}\right)\mathrel{\mathrlap{<}{\scalebox{0% .95}[1.0]{$-$}}}\mathbf{w}_{\mathbf{x}}}\right]\;\middle\|\;\mathbf{w}\mathrel{% \mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}p_{\mathbf{w}}}\right]\hfil% \lx@intercol\end{cases}$

B.4. Accumulate Invocation

Since this is a transition which can directly affect a substantial amount of on-chain state, our invocation context is accordingly complex. It is a tuple with elements for each of the aspects of state which can be altered through this invocation and beyond the account of the service itself includes the deferred transfer list and several dictionaries for alterations to preimage lookup state, core assignments, validator key assignments, newly created accounts and alterations to account privilege levels.

Formally, we define our result context to be $\mathbb{L}$ , and our invocation context to be a pair of these contexts, $\mathbb{L}\times\mathbb{L}$ (and thus for any value $\mathbf{x}\in\mathbb{L}$ there exists $\mathbf{x}^{2}\in\mathbb{L}\times\mathbb{L}$ ), with one dimension being the regular dimension and generally named $\mathbf{x}$ and the other being the exceptional dimension and being named $\mathbf{y}$ . The only function which actually alters this second dimension is $\mathtt{checkpoint}$ , $\Omega_{C}$ and so it is rarely seen.

(B.7)		$\displaystyle\mathbb{L}$	$\displaystyle\equiv\!\mathopen{}\mathclose{{}\left\lgroup s\in\mathbb{N}_{S},% \mathbf{e}\in\mathbb{S},i\in\mathbb{N}_{S},\mathbf{t}\in\mathopen{}\mathclose{% {}\left\lsem\mathbb{X}}\right\rsem,y\in\mathbb{H}\bm{?},\mathbf{p}\in\mathopen% {}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}\mathclose{{}\left[\,\!\mathopen{% }\mathclose{{}\left\lgroup\mathbb{N}_{S},\mathbb{B}}\right\rgroup\!\,}\right]% \mkern-5.0mu}\right\}}\right\rgroup\!$
(B.8)		$\displaystyle\forall\mathbf{x}\in\mathbb{L}:\mathbf{x}_{\mathbf{s}}$	$\displaystyle\equiv(\mathbf{x}_{\mathbf{e}})_{\mathbf{d}}\mathopen{}\mathclose% {{}\left[\mathbf{x}_{s}}\right]$

We define a convenience equivalence $\mathbf{x}_{\mathbf{s}}$ to easily denote the accumulating service account.

We track both regular and exceptional dimensions within our context mutator, but collapse the result of the invocation to one or the other depending on whether the termination was regular or exceptional (i.e. out-of-gas or panic).

We define $\Psi_{A}$ , the Accumulation invocation function as:

(B.9)	$\displaystyle\Psi_{A}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathbb{S},\mathbb{N}_{T},\mathbb{N}_{S},\mathbb{N}_% {G},\mathopen{}\mathclose{{}\left\lsem\mathbb{U}\cup\mathbb{X}}\right\rsem}% \right\rgroup\!&\to\mathbb{O}\\ \mathopen{}\mathclose{{}\left(\mathbf{e},t,s,g,\mathbf{i}}\right)&\mapsto% \begin{cases}\mathopen{}\mathclose{{}\left(\mathbf{e}\mathrel{\mathop{:}}% \mathbf{s},\mathbf{t}\mathrel{\mathop{:}}\mathopen{}\mathclose{{}\left[}\right% ],y\mathrel{\mathop{:}}\emptyset,u\mathrel{\mathop{:}}0,\mathbf{p}\mathrel{% \mathop{:}}\mathopen{}\mathclose{{}\left[}\right]}\right)&\text{if }\mathfrak{% j}=\emptyset\vee\mathopen{}\mathclose{{}\left\|\mathfrak{j}}\right\|>\mathsf{W}_% {C}\\ C(\Psi_{M}(\mathfrak{j},5,g,\mathcal{E}\mathopen{}\mathclose{{}\left(t,s,% \mathopen{}\mathclose{{}\left\|\mathbf{i}}\right\|}\right),F,I(\mathbf{s},s)^{2}% ))&\text{otherwise}\\ \begin{aligned} &\quad\text{where }\mathfrak{j}=\mathbf{e}_{\mathbf{d}}% \mathopen{}\mathclose{{}\left[s}\right]_{\mathbf{c}}\\ &\quad\text{and }\mathbf{s}=\mathbf{e}\text{ except }\mathbf{s}_{\mathbf{d}}% \mathopen{}\mathclose{{}\left[s}\right]_{b}=\mathbf{e}_{\mathbf{d}}\mathopen{}% \mathclose{{}\left[s}\right]_{b}+\sum_{r\in\mathbf{x}}r_{a}\\ &\quad\text{and }\mathbf{x}=\mathopen{}\mathclose{{}\left[i\;\middle\|\;i% \mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{i},i\in\mathbb{X}}% \right]\end{aligned}\\ \end{cases}\\ \end{aligned}}\right.$
(B.10)	$\displaystyle I$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathbb{S},\mathbb{N}_{S}}\right\rgroup\!&\to\mathbb% {L}\\ \mathopen{}\mathclose{{}\left(\mathbf{e},s}\right)&\mapsto\mathopen{}% \mathclose{{}\left(s,\mathbf{e},i,\mathbf{t}\mathrel{\mathop{:}}\mathopen{}% \mathclose{{}\left[}\right],y\mathrel{\mathop{:}}\emptyset,\mathbf{p}\mathrel{% \mathop{:}}\mathopen{}\mathclose{{}\left[}\right]}\right)\\ &\qquad\text{where }i=\text{check}((\mathcal{E}^{-1}_{4}\mathopen{}\mathclose{% {}\left(\mathcal{H}\mathopen{}\mathclose{{}\left(\mathcal{E}\mathopen{}% \mathclose{{}\left(s,\eta_{0}^{\prime},\mathbf{H}_{T}}\right)}\right)}\right)% \bmod(2^{32}-\mathsf{S}-2^{8}))+\mathsf{S})\\ \end{aligned}}\right.$
(B.11)	$\displaystyle F\in\Omega\mathopen{}\mathclose{{}\left\langle\!\mathopen{}% \mathclose{{}\left\lgroup\mathbb{L},\mathbb{L}}\right\rgroup\!}\right\rangle$	$\displaystyle\colon\mathopen{}\mathclose{{}\left(n,\varrho,\varphi,\mu,% \mathopen{}\mathclose{{}\left(\mathbf{x},\mathbf{y}}\right)}\right)\mapsto% \begin{cases}\Omega_{G}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(% \mathbf{x},\mathbf{y}}\right))&\text{if }n=\mathtt{gas}\\ \Omega_{\Gemini}(\varrho,\varphi,\mu,\mathfrak{j})&\text{if }n=\mathtt{grow\_% heap}\\ \Omega_{Y}(\varrho,\varphi,\mu,\emptyset,\eta_{0}^{\prime},\emptyset,\emptyset% ,\emptyset,\emptyset,\mathbf{i},\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))&\text{if }n=\mathtt{fetch}\\ G(\Omega_{R}(\varrho,\varphi,\mu,\mathbf{x}_{\mathbf{s}},\mathbf{x}_{s},(% \mathbf{x}_{\mathbf{e}})_{\mathbf{d}}),\mathopen{}\mathclose{{}\left(\mathbf{x% },\mathbf{y}}\right))&\text{if }n=\mathtt{read}\\ G(\Omega_{W}(\varrho,\varphi,\mu,\mathbf{x}_{\mathbf{s}},\mathbf{x}_{s}),% \mathopen{}\mathclose{{}\left(\mathbf{x},\mathbf{y}}\right))&\text{if }n=% \mathtt{write}\\ G(\Omega_{L}(\varrho,\varphi,\mu,\mathbf{x}_{\mathbf{s}},\mathbf{x}_{s},(% \mathbf{x}_{\mathbf{e}})_{\mathbf{d}}),\mathopen{}\mathclose{{}\left(\mathbf{x% },\mathbf{y}}\right))&\text{if }n=\mathtt{lookup}\\ G(\Omega_{I}(\varrho,\varphi,\mu,\mathbf{x}_{s},(\mathbf{x}_{\mathbf{e}})_{% \mathbf{d}}),\mathopen{}\mathclose{{}\left(\mathbf{x},\mathbf{y}}\right))&% \text{if }n=\mathtt{info}\\ \Omega_{B}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))&\text{if }n=\mathtt{bless}\\ \Omega_{A}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))&\text{if }n=\mathtt{assign}\\ \Omega_{D}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))&\text{if }n=\mathtt{designate}\\ \Omega_{C}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))&\text{if }n=\mathtt{checkpoint}\\ \Omega_{N}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right),\mathbf{H}_{T})&\text{if }n=\mathtt{new}\\ \Omega_{U}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))&\text{if }n=\mathtt{upgrade}\\ \Omega_{T}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))&\text{if }n=\mathtt{transfer}\\ \Omega_{J}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right),\mathbf{H}_{T})&\text{if }n=\mathtt{eject}\\ \Omega_{Q}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))&\text{if }n=\mathtt{query}\\ \Omega_{S}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right),\mathbf{H}_{T})&\text{if }n=\mathtt{solicit}\\ \Omega_{F}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right),\mathbf{H}_{T})&\text{if }n=\mathtt{forget}\\ \Omega_{\Taurus}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))&\text{if }n=\mathtt{yield}\\ \Omega_{\Aries}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))&\text{if }n=\mathtt{provide}\\ \mathopen{}\mathclose{{}\left(\infty,\varrho^{\prime},\varphi^{\prime},\mu,% \mathopen{}\mathclose{{}\left(\mathbf{x},\mathbf{y}}\right)}\right)&\text{% otherwise if }\varrho^{\prime}<0\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\varrho^{\prime},\varphi^{% \prime},\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},\mathbf{y}}\right)}\right% )&\text{otherwise}\\ \lx@intercol\text{where }\varphi^{\prime}=\varphi\text{ except }\varphi^{% \prime}_{7}=\mathtt{WHAT}\hfil\lx@intercol\\ \lx@intercol\text{and }\varrho^{\prime}=\varrho-\mathsf{M}_{\emptyset}\hfil% \lx@intercol\end{cases}$
(B.12)	$\displaystyle G$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\!\mathopen{}\mathclose{{}\left\lgroup\mathopen{}% \mathclose{{}\left\{\,\blacktriangleright,\blacksquare,\lightning,\infty\,}% \right\},\mathbb{N}_{G},\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}% \right\rsem_{13},\mathbb{M},\mathbb{A}}\right\rgroup\!,\!\mathopen{}\mathclose% {{}\left\lgroup\mathbb{L},\mathbb{L}}\right\rgroup\!}\right\rgroup\!&\to\!% \mathopen{}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\{\,% \blacktriangleright,\blacksquare,\lightning,\infty\,}\right\},\mathbb{N}_{G},% \mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13},\mathbb{M},% \!\mathopen{}\mathclose{{}\left\lgroup\mathbb{L},\mathbb{L}}\right\rgroup\!}% \right\rgroup\!\\ \mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left(\varepsilon,% \varrho,\varphi,\mu,\mathbf{s}}\right),\mathopen{}\mathclose{{}\left(\mathbf{x% },\mathbf{y}}\right)}\right)&\mapsto\mathopen{}\mathclose{{}\left(\varepsilon,% \varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x}^{},\mathbf{y}}% \right)}\right)\\ &\qquad\text{where }\mathbf{x}^{}=\mathbf{x}\text{ except }\mathbf{x}^{*}_{% \mathbf{s}}=\mathbf{s}\end{aligned}}\right.$
(B.13)	$\displaystyle C$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathbb{N}_{G},\mathbb{B}\cup\mathopen{}\mathclose{{% }\left\{\,\infty,\lightning\,}\right\},\!\mathopen{}\mathclose{{}\left\lgroup% \mathbb{L},\mathbb{L}}\right\rgroup\!}\right\rgroup\!&\to\mathbb{O}\\ \mathopen{}\mathclose{{}\left(u,\mathbf{o},\mathopen{}\mathclose{{}\left(% \mathbf{x},\mathbf{y}}\right)}\right)&\mapsto\begin{cases}\mathopen{}% \mathclose{{}\left(\mathbf{e}\mathrel{\mathop{:}}\mathbf{y}_{\mathbf{e}},% \mathbf{t}\mathrel{\mathop{:}}\mathbf{y}_{\mathbf{t}},y\mathrel{\mathop{:}}% \mathbf{y}_{y},u,\mathbf{p}\mathrel{\mathop{:}}\mathbf{y}_{\mathbf{p}}}\right)% &\text{if }\mathbf{o}\in\mathopen{}\mathclose{{}\left\{\,\infty,\lightning\,}% \right\}\\ \mathopen{}\mathclose{{}\left(\mathbf{e}\mathrel{\mathop{:}}\mathbf{x}_{% \mathbf{e}},\mathbf{t}\mathrel{\mathop{:}}\mathbf{x}_{\mathbf{t}},y\mathrel{% \mathop{:}}\mathbf{o},u,\mathbf{p}\mathrel{\mathop{:}}\mathopen{}\mathclose{{}% \left(\mathbf{x},\mathbf{y}}\right)_{\mathbf{p}}}\right)&\text{otherwise if }% \mathbf{o}\in\mathbb{H}\\ \mathopen{}\mathclose{{}\left(\mathbf{e}\mathrel{\mathop{:}}\mathbf{x}_{% \mathbf{e}},\mathbf{t}\mathrel{\mathop{:}}\mathbf{x}_{\mathbf{t}},y\mathrel{% \mathop{:}}\mathbf{x}_{y},u,\mathbf{p}\mathrel{\mathop{:}}\mathbf{x}_{\mathbf{% p}}}\right)&\text{otherwise}\\ \end{cases}\end{aligned}}\right.$

The mutator $F$ governs how this context will alter for any given parameterization, and the collapse function $C$ selects one of the two dimensions of context depending on whether the virtual machine’s halt was regular or exceptional.

The initializer function $I$ maps some partial state along with a service account index to yield a mutator context such that no alterations to the given state are implied in either exit scenario. Note that the component $a$ utilizes the random accumulator $\eta_{0}^{\prime}$ and the block’s timeslot $\mathbf{H}_{T}$ to create a deterministic sequence of identifiers which are extremely likely to be unique.

Concretely, we create the identifier from the Blake2 hash of the identifier of the creating service, the current random accumulator $\eta_{0}^{\prime}$ and the block’s timeslot. Thus, within a service’s accumulation it is almost certainly unique, but it is not necessarily unique across all services, nor at all times in the past. We utilize a check function to find the first such index in this sequence which does not already represent a service:

(B.14)

\text{check}(i\in\mathbb{N}_{S})\equiv\begin{cases}i&\text{if }i\not\in% \mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{e}_{\mathbf{d}}}\right)\\ \text{check}((i-\mathsf{S}+1)\bmod(2^{32}-2^{8}-\mathsf{S})+\mathsf{S})&\text{% otherwise}\end{cases}

nb In the highly unlikely event that a block executes to find that a single service index has inadvertently been attached to two different services, then the block is considered invalid. Since no service can predict the identifier sequence ahead of time, they cannot intentionally disadvantage the block author.

B.5. General Functions

We come now to defining the host functions which are utilized by the pvm invocations. Generally, these map some pvm state, including invocation context, possibly together with some additional parameters, to a new pvm state.

The general functions are all broadly of the form $\mathopen{}\mathclose{{}\left(\varrho^{\prime}\in\mathbb{Z}_{G},\varphi^{% \prime}\in\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13},% \mu^{\prime}\in\mathbb{M}}\right)=\Omega_{\square}(\varrho\in\mathbb{N}_{G},% \varphi\in\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{R}}\right\rsem_{13},% \mu\in\mathbb{M})$ . Functions which have a result component which is equivalent to the corresponding argument may have said components elided in the description. Functions may also depend upon particular additional parameters.

Unlike the Accumulate functions in appendix B.7, these do not mutate an accumulation context. Some, such as $\mathtt{write}$ mutate a service account and both accept and return some $\mathbf{s}\in\mathbb{A}$ . Others are more general functions, such as $\mathtt{fetch}$ and do not assume any context but have a parameter list suffixed with an ellipsis to denote that the context parameter may be taken and is provided transparently into its result. This allows it to be easily utilized in multiple pvm invocations.

Elements of pvm state are each assumed to remain unchanged by the host-call unless explicitly specified.

(B.15)		$\displaystyle\varrho^{\prime}$	$\displaystyle\equiv\varrho-g\text{ unless $\varrho^{\prime}$ is explicitly % defined below}$
(B.16)		$\displaystyle\mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{% \prime},\mu^{\prime},\mathbf{s}^{\prime}}\right)$	$\displaystyle\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\infty,\varphi,% \mu,\mathbf{s}}\right)&\text{if }\varrho<g\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\varphi,\mu,\mathbf{s}}% \right)\text{ except as indicated below}&\text{otherwise}\end{cases}$

Memory-sized gas for host-calls is given by a rate $L$ (gas per 1024 octets) and size $\ell$ (octets). The following defines the gas cost for such a size:

(B.17)

\mathcal{G}(L,\ell)\equiv\mathopen{}\mathclose{{}\left\lceil\frac{L\cdot\ell}{% 1024}}\right\rceil

With base cost $c$ , total gas is $c+\mathcal{G}(L,\ell)$ . The host-call table below uses this formula for all memory-sized terms.

Function
Identifier
Gas usage ( $g$ )	Mutations
$\Omega_{G}(\varrho,\varphi,\dots)$
gas = 0
$g=\mathsf{M}_{G}$	$\begin{aligned} \varphi^{\prime}_{7}&\equiv\varrho^{\prime}\end{aligned}$
$\Omega_{\Gemini}(\varrho,\varphi,\mu,\mathfrak{j})$
grow_heap = 1
$g=\mathsf{M}_{\Gemini,c}+(\varphi_{7}-h)\cdot\mathsf{M}_{\Gemini,p}$	$\begin{aligned} \text{let }(\mathbf{o},s)&\mapsto\mathfrak{j}\text{ according % to eq. \ref{eq:conditions}}\\ \text{let }a&=\frac{2\mathsf{Z}_{Z}+Z(\mathopen{}\mathclose{{}\left\|\mathbf{o}% }\right\|)}{\mathsf{Z}_{P}}\\ \text{let }b&=\frac{2^{32}-3\mathsf{Z}_{Z}-\mathsf{Z}_{I}-P(s)}{\mathsf{Z}_{P}% }\\ \text{let }c&=\|\mathopen{}\mathclose{{}\left\{\,p\in\mathbb{N}_{a\dots b}\;% \middle\|\;\mu_{\mathbf{a}}\mathopen{}\mathclose{{}\left[p}\right]=\mathrm{W}\,% }\right\}\|\\ \text{let }h&=a+c\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varrho^{\prime},\varphi^{% \prime}_{7}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \blacktriangleright,\varrho-\mathsf{M}_{\Gemini,c},h}\right)&\text{if }\varphi% _{7}\leq h\lor\varphi_{7}>b\\ \mathopen{}\mathclose{{}\left(\infty,\varrho,h}\right)&\text{otherwise if }% \varrho<g\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\varrho-g,\varphi_{7}}\right% )&\text{otherwise}\\ \end{cases}\\ (\mu^{\prime}_{\mathbf{a}})_{a\dots\varphi_{7}^{\prime}}&\equiv\mathopen{}% \mathclose{{}\left[\mathrm{W},\dots,\mathrm{W}}\right]\end{aligned}$
$\Omega_{Y}(\varrho,\varphi,\mu,p,n,\mathbf{r},i,\overline{\mathbf{i}},% \overline{\mathbf{x}},\mathbf{i},\dots)$
fetch = 2
$g=\mathsf{M}_{Y,c,c}+\mathcal{G}(\mathsf{M}_{Y,c,\ell},z)$	$\begin{aligned} \text{let }c&=\begin{cases}\varphi_{10}&\text{if }\varphi_{10}% <16\\ \emptyset&\text{otherwise}\end{cases}\\ \text{let }\mathbf{v}&=\begin{cases}\mathbf{c}&\text{if }\varphi_{10}=0\\ \lx@intercol\text{where }\mathbf{c}=\mathcal{E}\mathopen{}\mathclose{{}\left(% \begin{aligned} &\mathcal{E}_{8}\mathopen{}\mathclose{{}\left(\mathsf{B}_{I}}% \right),\mathcal{E}_{8}\mathopen{}\mathclose{{}\left(\mathsf{B}_{L}}\right),% \mathcal{E}_{8}\mathopen{}\mathclose{{}\left(\mathsf{B}_{S}}\right),\mathcal{E% }_{2}\mathopen{}\mathclose{{}\left(\mathsf{C}}\right),\mathcal{E}_{4}\mathopen% {}\mathclose{{}\left(\mathsf{D}}\right),\mathcal{E}_{4}\mathopen{}\mathclose{{% }\left(\mathsf{E}}\right),\mathcal{E}_{8}\mathopen{}\mathclose{{}\left(\mathsf% {G}_{A}}\right),\\ &\mathcal{E}_{8}\mathopen{}\mathclose{{}\left(\mathsf{G}_{I}}\right),\mathcal{% E}_{8}\mathopen{}\mathclose{{}\left(\mathsf{G}_{R}}\right),\mathcal{E}_{8}% \mathopen{}\mathclose{{}\left(\mathsf{G}_{T}}\right),\mathcal{E}_{2}\mathopen{% }\mathclose{{}\left(\mathsf{H}}\right),\mathcal{E}_{2}\mathopen{}\mathclose{{}% \left(\mathsf{I}}\right),\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(\mathsf{% J}}\right),\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(\mathsf{K}}\right),\\ &\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(\mathsf{L}}\right),\mathcal{E}_{% 2}\mathopen{}\mathclose{{}\left(\mathsf{O}}\right),\mathcal{E}_{2}\mathopen{}% \mathclose{{}\left(\mathsf{P}}\right),\mathcal{E}_{2}\mathopen{}\mathclose{{}% \left(\mathsf{Q}}\right),\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(\mathsf{% R}}\right),\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(\mathsf{T}}\right),% \mathcal{E}_{2}\mathopen{}\mathclose{{}\left(\mathsf{U}}\right),\\ &\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(\mathsf{W}_{A}}\right),\mathcal{% E}_{4}\mathopen{}\mathclose{{}\left(\mathsf{W}_{B}}\right),\mathcal{E}_{4}% \mathopen{}\mathclose{{}\left(\mathsf{W}_{C}}\right),\mathcal{E}_{4}\mathopen{% }\mathclose{{}\left(\mathsf{W}_{M}}\right),\mathcal{E}_{4}\mathopen{}% \mathclose{{}\left(\mathsf{W}_{R}}\right),\\ &\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(\mathsf{W}_{T}}\right),\mathcal{% E}_{4}\mathopen{}\mathclose{{}\left(\mathsf{W}_{X}}\right),\mathcal{E}_{4}% \mathopen{}\mathclose{{}\left(\mathsf{Y}}\right)\end{aligned}}\right)\hfil% \lx@intercol\\ n&\text{if }n\neq\emptyset\wedge\varphi_{10}=1\\ \mathbf{r}&\text{if }\mathbf{r}\neq\emptyset\wedge\varphi_{10}=2\\ \overline{\mathbf{x}}[\varphi_{11}]_{\varphi_{12}}&\text{if }\overline{\mathbf% {x}}\neq\emptyset\wedge\varphi_{10}=3\wedge\varphi_{11}<\mathopen{}\mathclose{% {}\left\|\overline{\mathbf{x}}}\right\|\wedge\varphi_{12}<\mathopen{}\mathclose{% {}\left\|\overline{\mathbf{x}}[\varphi_{11}]}\right\|\\ \overline{\mathbf{x}}\mathopen{}\mathclose{{}\left[i}\right]_{\varphi_{11}}&% \text{if }\overline{\mathbf{x}}\neq\emptyset\wedge i\neq\emptyset\wedge\varphi% _{10}=4\wedge\varphi_{11}<\mathopen{}\mathclose{{}\left\|\overline{\mathbf{x}}% \mathopen{}\mathclose{{}\left[i}\right]}\right\|\\ \overline{\mathbf{i}}[\varphi_{11}]_{\varphi_{12}}&\text{if }\overline{\mathbf% {i}}\neq\emptyset\wedge\varphi_{10}=5\wedge\varphi_{11}<\mathopen{}\mathclose{% {}\left\|\overline{\mathbf{i}}}\right\|\wedge\varphi_{12}<\mathopen{}\mathclose{% {}\left\|\overline{\mathbf{i}}[\varphi_{11}]}\right\|\\ \overline{\mathbf{i}}\mathopen{}\mathclose{{}\left[i}\right]_{\varphi_{11}}&% \text{if }\overline{\mathbf{i}}\neq\emptyset\wedge i\neq\emptyset\wedge\varphi% _{10}=6\wedge\varphi_{11}<\mathopen{}\mathclose{{}\left\|\overline{\mathbf{i}}% \mathopen{}\mathclose{{}\left[i}\right]}\right\|\\ \mathcal{E}\mathopen{}\mathclose{{}\left(p}\right)&\text{if }p\neq\emptyset% \wedge\varphi_{10}=7\\ p_{\mathbf{f}}&\text{if }p\neq\emptyset\wedge\varphi_{10}=8\\ p_{\mathbf{j}}&\text{if }p\neq\emptyset\wedge\varphi_{10}=9\\ \mathcal{E}\mathopen{}\mathclose{{}\left(p_{\mathbf{c}}}\right)&\text{if }p% \neq\emptyset\wedge\varphi_{10}=10\\ \mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left% \updownarrow\mathopen{}\mathclose{{}\left[S(w)\;\middle\|\;w\mathrel{\mathrlap{% <}{\scalebox{0.95}[1.0]{$-$}}}p_{\mathbf{w}}}\right]}\right.\!}\right)&\text{% if }p\neq\emptyset\wedge\varphi_{10}=11\\ S(p_{\mathbf{w}}[\varphi_{11}])&\text{if }p\neq\emptyset\wedge\varphi_{10}=12% \wedge\varphi_{11}<\mathopen{}\mathclose{{}\left\|p_{\mathbf{w}}}\right\|\\ \lx@intercol\text{where }S(w)\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(% \mathcal{E}_{4}\mathopen{}\mathclose{{}\left(w_{s}}\right),w_{c},\mathcal{E}_{% 8}\mathopen{}\mathclose{{}\left(w_{g},w_{a}}\right),\mathcal{E}_{2}\mathopen{}% \mathclose{{}\left(w_{e},\mathopen{}\mathclose{{}\left\|w_{\mathbf{i}}}\right\|,% \mathopen{}\mathclose{{}\left\|w_{\mathbf{x}}}\right\|}\right),\mathcal{E}_{4}% \mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left\|w_{\mathbf{y}}}% \right\|}\right)}\right)\hfil\lx@intercol\\ p_{\mathbf{w}}[\varphi_{11}]_{\mathbf{y}}&\text{if }p\neq\emptyset\wedge% \varphi_{10}=13\wedge\varphi_{11}<\mathopen{}\mathclose{{}\left\|p_{\mathbf{w}}% }\right\|\\ \mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left% \updownarrow\mathbf{i}}\right.\!}\right)&\text{if }\mathbf{i}\neq\emptyset% \wedge\varphi_{10}=14\\ \mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{i}[\varphi_{11}]}\right)&% \text{if }\mathbf{i}\neq\emptyset\wedge\varphi_{10}=15\wedge\varphi_{11}<% \mathopen{}\mathclose{{}\left\|\mathbf{i}}\right\|\\ \emptyset&\text{otherwise}\end{cases}\\ \text{let }\mathopen{}\mathclose{{}\left[o,f_{0},z}\right]&=\varphi_{7\dots+3}% \\ \text{let }f&=\min(f_{0},\mathopen{}\mathclose{{}\left\|\mathbf{v}}\right\|)\\ \text{let }l&=\min(z,\mathopen{}\mathclose{{}\left\|\mathbf{v}}\right\|-f)\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},\mu^{% \prime}_{o\dots+l}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \lightning,\varphi_{7},\mu_{o\dots+l}}\right)&\text{if }\mathbb{N}_{o\dots+l}% \not\subseteq\mathbb{V}_{\mu}^{*}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{NONE},\mu_{o\dots+l}% }\right)&\text{otherwise if }\mathbf{v}=\emptyset\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathopen{}\mathclose{{}% \left\|\mathbf{v}}\right\|,\mathbf{v}_{f\dots+l}}\right)&\text{otherwise}\\ \end{cases}\end{aligned}$
$\Omega_{L}(\varrho,\varphi,\mu,\mathbf{s},s,\mathbf{d})$
lookup = 3
$g=\mathsf{M}_{L,c}+\mathcal{G}(\mathsf{M}_{L,\ell},z)$	$\begin{aligned} \text{let }\mathbf{a}&=\begin{cases}\mathbf{s}&\text{if }% \varphi_{7}\in\mathopen{}\mathclose{{}\left\{\,s,2^{64}-1\,}\right\}\\ \mathbf{d}[\varphi_{7}]&\text{otherwise if }\varphi_{7}\in\mathcal{K}\mathopen% {}\mathclose{{}\left(\mathbf{d}}\right)\\ \emptyset&\text{otherwise}\end{cases}\\ \text{let }\mathopen{}\mathclose{{}\left[h,o}\right]&=\varphi_{8\dots+2}\\ \text{let }z&=\varphi_{11}\\ \text{let }\mathbf{v}&=\begin{cases}\nabla&\text{if }\mathbb{N}_{h\dots+32}% \not\subseteq\mathbb{V}_{\mu}\\ \emptyset&\text{otherwise if }\mathbf{a}=\emptyset\vee\mu_{h\dots+32}\not\in% \mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{a}_{\mathbf{p}}}\right)\\ \mathbf{a}_{\mathbf{p}}[\mu_{h\dots+32}]&\text{otherwise}\\ \end{cases}\\ \text{let }f&=\min(\varphi_{10},\mathopen{}\mathclose{{}\left\|\mathbf{v}}% \right\|)\\ \text{let }l&=\min(z,\mathopen{}\mathclose{{}\left\|\mathbf{v}}\right\|-f)\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},\mu^{% \prime}_{o\dots+l}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \lightning,\varphi_{7},\mu_{o\dots+l}}\right)&\text{if }\mathbf{v}=\nabla\vee% \mathbb{N}_{o\dots+l}\not\subseteq\mathbb{V}_{\mu}^{*}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{NONE},\mu_{o\dots+l}% }\right)&\text{otherwise if }\mathbf{v}=\emptyset\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathopen{}\mathclose{{}% \left\|\mathbf{v}}\right\|,\mathbf{v}_{f\dots+l}}\right)&\text{otherwise}\\ \end{cases}\end{aligned}$
$\Omega_{R}(\varrho,\varphi,\mu,\mathbf{s},s,\mathbf{d})$
read = 4
$g=\mathsf{M}_{R,c}+\mathcal{G}(\mathsf{M}_{R,\mathrm{k},\ell},k_{Z})+\mathcal{% G}(\mathsf{M}_{R,\mathrm{v},\ell},v_{Z})$	$\begin{aligned} \text{let }s^{}&=\begin{cases}s&\text{if }\varphi_{7}=2^{64}-% 1\\ \varphi_{7}&\text{otherwise}\end{cases}\\ \text{let }\mathbf{a}&=\begin{cases}\mathbf{s}&\text{if }s^{}=s\\ \mathbf{d}[s^{}]&\text{otherwise if }s^{}\in\mathcal{K}\mathopen{}\mathclose% {{}\left(\mathbf{d}}\right)\\ \emptyset&\text{otherwise}\end{cases}\\ \text{let }\mathopen{}\mathclose{{}\left[k_{O},k_{Z},o}\right]&=\varphi_{8% \dots+3}\\ \text{let }v_{Z}&=\varphi_{12}\\ \text{let }\mathbf{v}&=\begin{cases}\nabla&\text{if }\mathbb{N}_{k_{O}\dots+k_% {Z}}\not\subseteq\mathbb{V}_{\mu}\\ \mathbf{a}_{\mathbf{s}}\mathopen{}\mathclose{{}\left[\mathbf{k}}\right]&\text{% otherwise if }\mathbf{a}\neq\emptyset\wedge\mathbf{k}\in\mathcal{K}\mathopen{}% \mathclose{{}\left(\mathbf{a}_{\mathbf{s}}}\right)\,,\ \text{where }\mathbf{k}% =\mu_{k_{O}\dots+k_{Z}}\\ \emptyset&\text{otherwise}\end{cases}\\ \text{let }f&=\min(\varphi_{11},\mathopen{}\mathclose{{}\left\|\mathbf{v}}% \right\|)\\ \text{let }l&=\min(v_{Z},\mathopen{}\mathclose{{}\left\|\mathbf{v}}\right\|-f)\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},\mu^{% \prime}_{o\dots+l}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \lightning,\varphi_{7},\mu_{o\dots+l}}\right)&\text{if }\mathbf{v}=\nabla\vee% \mathbb{N}_{o\dots+l}\not\subseteq\mathbb{V}_{\mu}^{*}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{NONE},\mu_{o\dots+l}% }\right)&\text{otherwise if }\mathbf{v}=\emptyset\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathopen{}\mathclose{{}% \left\|\mathbf{v}}\right\|,\mathbf{v}_{f\dots+l}}\right)&\text{otherwise}\\ \end{cases}\end{aligned}$
$\Omega_{W}(\varrho,\varphi,\mu,\mathbf{s},s)$
write = 5
$g=\mathsf{M}_{W,c}+\mathcal{G}(\mathsf{M}_{W,\mathrm{k},\ell},k_{Z})+\mathcal{% G}(\mathsf{M}_{W,\mathrm{v},\ell},v_{Z})$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[k_{O},k_{Z},v_{O},v_{% Z}}\right]&=\varphi_{7\dots+4}\\ \text{let }\mathbf{k}&=\begin{cases}\mu_{k_{O}\dots+k_{Z}}&\text{if }\mathbb{N% }_{k_{O}\dots+k_{Z}}\subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }\mathbf{a}&=\begin{cases}\mathbf{s}\,,\ \text{ except }\mathcal{K}% \mathopen{}\mathclose{{}\left(\mathbf{a}_{\mathbf{s}}}\right)=\mathcal{K}% \mathopen{}\mathclose{{}\left(\mathbf{a}_{\mathbf{s}}}\right)\setminus% \mathopen{}\mathclose{{}\left\{\,k\,}\right\}&\text{if }v_{Z}=0\\ \mathbf{s}\,,\ \text{ except }\mathbf{a}_{\mathbf{s}}\mathopen{}\mathclose{{}% \left[\mathbf{k}}\right]=\mu_{v_{O}\dots+v_{Z}}&\text{otherwise if }\mathbb{N}% _{v_{O}\dots+v_{Z}}\subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }l&=\begin{cases}\mathopen{}\mathclose{{}\left\|\mathbf{s}_{\mathbf{s% }}\mathopen{}\mathclose{{}\left[k}\right]}\right\|&\text{if }\mathbf{k}\in% \mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{s}_{\mathbf{s}}}\right)\\ \mathtt{NONE}&\text{otherwise}\end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \mathbf{s}^{\prime}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \lightning,\varphi_{7},\mathbf{s}}\right)&\text{if }\mathbf{k}=\nabla\vee% \mathbf{a}=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{FULL},\mathbf{s}}% \right)&\text{otherwise if }\mathbf{a}_{t}>\mathbf{a}_{b}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,l,\mathbf{a}}\right)&\text{% otherwise}\\ \end{cases}\end{aligned}$
$\Omega_{I}(\varrho,\varphi,\mu,s,\mathbf{d})$
info = 6
$g=\mathsf{M}_{I}$	$\begin{aligned} \text{let }\mathbf{a}&=\begin{cases}\mathbf{d}\mathopen{}% \mathclose{{}\left[s}\right]&\text{if }\varphi_{7}=2^{64}-1\\ \mathbf{d}\mathopen{}\mathclose{{}\left[\varphi_{7}}\right]&\text{otherwise}% \end{cases}\\ \text{let }o&=\varphi_{8}\\ \text{let }\mathbf{v}&=\begin{cases}\mathcal{E}\mathopen{}\mathclose{{}\left(% \mathbf{a}_{c},\mathcal{E}_{8}\mathopen{}\mathclose{{}\left(\mathbf{a}_{b},% \mathbf{a}_{t},\mathbf{a}_{g},\mathbf{a}_{m},\mathbf{a}_{o}}\right),\mathcal{E% }_{4}\mathopen{}\mathclose{{}\left(\mathbf{a}_{i}}\right),\mathcal{E}_{8}% \mathopen{}\mathclose{{}\left(\mathbf{a}_{f}}\right),\mathcal{E}_{4}\mathopen{% }\mathclose{{}\left(\mathbf{a}_{r},\mathbf{a}_{a},\mathbf{a}_{p}}\right)}% \right)&\text{if }\mathbf{a}\neq\emptyset\\ \emptyset&\text{otherwise}\end{cases}\\ \text{let }f&=\min(\varphi_{9},\mathopen{}\mathclose{{}\left\|\mathbf{v}}\right% \|)\\ \text{let }l&=\min(\varphi_{10},\mathopen{}\mathclose{{}\left\|\mathbf{v}}% \right\|-f)\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},\mu^{% \prime}_{o\dots+l}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \lightning,\varphi_{7},\mu_{o\dots+l}}\right)&\text{if }\mathbf{v}=\nabla\vee% \mathbb{N}_{o\dots+l}\not\subseteq\mathbb{V}_{\mu}^{*}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{NONE},\mu_{o\dots+l}% }\right)&\text{otherwise if }\mathbf{v}=\emptyset\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathopen{}\mathclose{{}% \left\|\mathbf{v}}\right\|,\mathbf{v}_{f\dots+l}}\right)&\text{otherwise}\\ \end{cases}\end{aligned}$

B.6. Refine Functions

These assume some refine context pair $\mathopen{}\mathclose{{}\left(\mathbf{m},\mathbf{e}}\right)\in\!\mathopen{}% \mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\langlebar\mathbb{N}\to% \mathbb{I}}\right\ranglebar,\mathopen{}\mathclose{{}\left\lsem\mathbb{J}}% \right\rsem}\right\rgroup\!$ , which are both initially empty. Other than the gas-counter which is explicitly defined, elements of pvm state are each assumed to remain unchanged by the host-call unless explicitly specified.

(B.18)		$\displaystyle\varrho^{\prime}$	$\displaystyle\equiv\varrho-g$
(B.19)		$\displaystyle\mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{% \prime},\mu^{\prime}}\right)$	$\displaystyle\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\infty,\varphi,% \mu}\right)&\text{if }\varrho<g\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\varphi,\mu}\right)\text{ % except as indicated below}&\text{otherwise}\end{cases}$

Function
Identifier
Gas usage ( $g$ )	Mutations
$\Omega_{H}(\varrho,\varphi,\mu,s,\mathbf{d},t)$
historical_lookup = 7
$g=\mathsf{M}_{H,c}+\mathcal{G}(\mathsf{M}_{H,\ell},z)$	$\begin{aligned} \text{let }\mathbf{a}&=\begin{cases}\mathbf{d}\mathopen{}% \mathclose{{}\left[s}\right]&\text{if }\varphi_{7}=2^{64}-1\wedge s\in\mathcal% {K}\mathopen{}\mathclose{{}\left(\mathbf{d}}\right)\\ \mathbf{d}[\varphi_{7}]&\text{if }\varphi_{7}\in\mathcal{K}\mathopen{}% \mathclose{{}\left(\mathbf{d}}\right)\\ \emptyset&\text{otherwise}\end{cases}\\ \text{let }\mathopen{}\mathclose{{}\left[h,o}\right]&=\varphi_{8\dots+2}\\ \text{let }z&=\varphi_{11}\\ \text{let }\mathbf{v}&=\begin{cases}\nabla&\text{if }\mathbb{N}_{h\dots+32}% \not\subseteq\mathbb{V}_{\mu}\\ \emptyset&\text{otherwise if }\mathbf{a}=\emptyset\\ \Lambda(\mathbf{a},t,\mu_{h\dots+32})&\text{otherwise}\\ \end{cases}\\ \text{let }f&=\min(\varphi_{10},\mathopen{}\mathclose{{}\left\|\mathbf{v}}% \right\|)\\ \text{let }l&=\min(z,\mathopen{}\mathclose{{}\left\|\mathbf{v}}\right\|-f)\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},\mu^{% \prime}_{o\dots+l}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \lightning,\varphi_{7},\mu_{o\dots+l}}\right)&\text{if }\mathbf{v}=\nabla\vee% \mathbb{N}_{o\dots+l}\not\subseteq\mathbb{V}_{\mu}^{*}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{NONE},\mu_{o\dots+l}% }\right)&\text{otherwise if }\mathbf{v}=\emptyset\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathopen{}\mathclose{{}% \left\|\mathbf{v}}\right\|,\mathbf{v}_{f\dots+l}}\right)&\text{otherwise}\\ \end{cases}\end{aligned}$
$\Omega_{E}(\varrho,\varphi,\mu,\mathbf{e},\varsigma)$
export = 8
$g=\mathsf{M}_{E}$	$\begin{aligned} \text{let }p&=\varphi_{7}\\ \text{let }z&=\min(\varphi_{8},\mathsf{W}_{G})\\ \text{let }\mathbf{x}&=\begin{cases}\mathcal{P}_{\mathsf{W}_{G}}\mathopen{}% \mathclose{{}\left({\mu}_{p\dots+z}}\right)&\text{if }\mathbb{N}_{p\dots+z}% \subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \mathbf{e}^{\prime}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \lightning,\varphi_{7},\mathbf{e}}\right)&\text{if }\mathbf{x}=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{FULL},\mathbf{e}}% \right)&\text{otherwise if }\varsigma+\mathopen{}\mathclose{{}\left\|\mathbf{e}% }\right\|\geq\mathsf{W}_{X}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\varsigma+\mathopen{}% \mathclose{{}\left\|\mathbf{e}}\right\|,\mathbf{e}\mathrel{\hbox to0.0pt{\hbox to% 7.0pt{\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill\vrule height=5.0% pt,depth=0.0pt,width=0.6pt\hfill}}\vbox to5.0pt{\vfill\hrule height=0.6pt,dept% h=0.0pt,width=7.0pt\vfill}}\mathbf{x}}\right)&\text{otherwise}\end{cases}\end{aligned}$
$\Omega_{M}(\varrho,\varphi,\mu,\mathbf{m})$
machine = 9
$g=\mathsf{M}_{M,c}+\mathcal{G}(\mathsf{M}_{M,\ell},p_{Z})$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[p_{O},p_{Z},i}\right]% &=\varphi_{7\dots+3}\\ \text{let }\mathbf{p}&=\begin{cases}\mu_{p_{O}\dots+p_{Z}}&\text{if }\mathbb{N% }_{p_{O}\dots+p_{Z}}\subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }n&=\min(n\in\mathbb{N}:n\not\in\mathcal{K}\mathopen{}\mathclose{{}% \left(\mathbf{m}}\right))\\ \text{let }\mathbf{u}&=\mathopen{}\mathclose{{}\left(\mathbf{v}\mathrel{% \mathop{:}}[0,0,\dots],\mathbf{a}\mathrel{\mathop{:}}[\emptyset,\emptyset,% \dots]}\right)\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \mathbf{m}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \blacktriangleright,\mathtt{FULL},\mathbf{m}}\right)&\text{if }\mathopen{}% \mathclose{{}\left\|\mathbf{m}}\right\|\geq 63\\ \mathopen{}\mathclose{{}\left(\lightning,\varphi_{7},\mathbf{m}}\right)&\text{% otherwise if }\mathbf{p}=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},\mathbf{m}}% \right)&\text{otherwise if }\text{deblob}(\mathbf{p},i)=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,n,\mathbf{m}\cup\mathopen{}% \mathclose{{}\left\{\,\mathopen{}\mathclose{{}\left(n\mapsto\mathopen{}% \mathclose{{}\left(\mathbf{p},\mathbf{u},i,\bot}\right)}\right)\,}\right\}}% \right)&\text{otherwise}\\ \end{cases}\\ \end{aligned}$
$\Omega_{P}(\varrho,\varphi,\mu,\mathbf{m})$
peek = 10
$g=\mathsf{M}_{P,c}+\mathcal{G}(\mathsf{M}_{P,\ell},z)$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[n,o,s,z}\right]&=% \varphi_{7\dots+4}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},{\mu}^% {\prime}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\lightning,% \varphi_{7},{\mu}}\right)&\text{if }\mathbb{N}_{o\dots+z}\not\subseteq\mathbb{% V}_{\mu}^{*}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{WHO},{\mu}}\right)&% \text{otherwise if }n\not\in\mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{m% }}\right)\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OOB},{\mu}}\right)&% \text{otherwise if }\mathbb{N}_{s\dots+z}\not\subseteq\mathbb{V}_{\mathbf{m}% \mathopen{}\mathclose{{}\left[n}\right]_{\mathbf{u}}}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},{\mu}^{\prime}}% \right)&\text{otherwise}\\ \lx@intercol\text{where }{\mu}^{\prime}={\mu}\text{ except }{\mu}_{o\dots+z}=(% \mathbf{m}\mathopen{}\mathclose{{}\left[n}\right]_{\mathbf{u}})_{s\dots+z}% \hfil\lx@intercol\end{cases}\\ \end{aligned}$
$\Omega_{O}(\varrho,\varphi,\mu,\mathbf{m})$
poke = 11
$g=\mathsf{M}_{O,c}+\mathcal{G}(\mathsf{M}_{O,\ell},z)$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[n,s,o,z}\right]&=% \varphi_{7\dots+4}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \mathbf{m}^{\prime}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \lightning,\varphi_{7},\mathbf{m}}\right)&\text{if }\mathbb{N}_{s\dots+z}\not% \subseteq\mathbb{V}_{\mu}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{WHO},\mathbf{m}}% \right)&\text{otherwise if }n\not\in\mathcal{K}\mathopen{}\mathclose{{}\left(% \mathbf{m}}\right)\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OOB},\mathbf{m}}% \right)&\text{otherwise if }\mathbb{N}_{o\dots+z}\not\subseteq\mathbb{V}_{% \mathbf{m}\mathopen{}\mathclose{{}\left[n}\right]_{\mathbf{u}}}^{*}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},\mathbf{m}^{% \prime}}\right)&\text{otherwise}\\ \lx@intercol\text{where }\mathbf{m}^{\prime}=\mathbf{m}\text{ except }(\mathbf% {m}^{\prime}\mathopen{}\mathclose{{}\left[n}\right]_{\mathbf{u}})_{o\dots+z}={% \mu}_{s\dots+z}\hfil\lx@intercol\end{cases}\\ \end{aligned}$
$\Omega_{Z}(\varrho,\varphi,\mu,\mathbf{m})$
pages = 12
$g=\begin{cases}\mathsf{M}_{Z,f,c}+c\cdot\mathsf{M}_{Z,f,p}&\text{if }r=0\\ \mathsf{M}_{Z,a,c}+c\cdot\mathsf{M}_{Z,a,p}&\text{if }r\in\mathopen{}% \mathclose{{}\left\{\,1,2\,}\right\}\\ \mathsf{M}_{Z,s,c}+c\cdot\mathsf{M}_{Z,s,p}&\text{if }r\in\mathopen{}% \mathclose{{}\left\{\,3,4\,}\right\}\\ \mathsf{M}_{Z,i}&\text{otherwise}\end{cases}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[n,p,c,r}\right]&=% \varphi_{7\dots+4}\\ \text{let }\mathbf{u}&=\begin{cases}\mathbf{m}\mathopen{}\mathclose{{}\left[n}% \right]_{\mathbf{u}}&\text{if }n\in\mathcal{K}\mathopen{}\mathclose{{}\left(% \mathbf{m}}\right)\\ \nabla&\text{otherwise}\\ \end{cases}\\ \text{let }\mathbf{u}^{\prime}&=\mathbf{u}\text{ except }\begin{cases}(\mathbf% {u}^{\prime}_{\mathbf{v}})_{p\mathsf{Z}_{P}\dots+c\mathsf{Z}_{P}}=\begin{cases% }\mathopen{}\mathclose{{}\left[0,0,\dots}\right]&\text{if }r<3\\ (\mathbf{u}_{\mathbf{v}})_{p\mathsf{Z}_{P}\dots+c\mathsf{Z}_{P}}&\text{% otherwise}\end{cases}\\ (\mathbf{u}^{\prime}_{\mathbf{a}})_{p\dots+c}=\begin{cases}\mathopen{}% \mathclose{{}\left[\emptyset,\emptyset,\dots}\right]&\text{if }r=0\\ \mathopen{}\mathclose{{}\left[\mathrm{R},\mathrm{R},\dots}\right]&\text{if }r=% 1\vee r=3\\ \mathopen{}\mathclose{{}\left[\mathrm{W},\mathrm{W},\dots}\right]&\text{if }r=% 2\vee r=4\\ \end{cases}\end{cases}\\ \mathopen{}\mathclose{{}\left(\varphi^{\prime}_{7},\mathbf{m}^{\prime}}\right)% &\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\mathtt{WHO},\mathbf{m}}% \right)&\text{if }\mathbf{u}=\nabla\\ \mathopen{}\mathclose{{}\left(\mathtt{HUH},\mathbf{m}}\right)&\text{otherwise % if }r>4\vee p<16\vee p+c\geq\nicefrac{{2^{32}}}{{\mathsf{Z}_{P}}}\\ \mathopen{}\mathclose{{}\left(\mathtt{HUH},\mathbf{m}}\right)&\text{otherwise % if }r>2\wedge(\mathbf{u}_{\mathbf{a}})_{p\dots+c}\ni\emptyset\\ \mathopen{}\mathclose{{}\left(\mathtt{OK},\mathbf{m}^{\prime}}\right)&\text{% otherwise}\,,\ \text{where }\mathbf{m}^{\prime}=\mathbf{m}\text{ except }% \mathbf{m}^{\prime}\mathopen{}\mathclose{{}\left[n}\right]_{\mathbf{u}}=% \mathbf{u}^{\prime}\\ \end{cases}\\ \end{aligned}$
$\Omega_{K}(\varrho,\varphi,\mu,\mathbf{m})$
invoke = 13
$g=\mathsf{M}_{K}+g_{R}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[n,o}\right]&=\varphi_% {7,8}\\ \text{let }\mathopen{}\mathclose{{}\left(g_{R},\mathbf{w}}\right)&=\begin{% cases}\mathopen{}\mathclose{{}\left(g_{R},\mathbf{w}}\right):\mathcal{E}_{8}% \mathopen{}\mathclose{{}\left(g_{R}}\right)\frown\mathcal{E}_{8}\mathopen{}% \mathclose{{}\left(\mathbf{w}}\right)={\mu}_{o\dots+112}&\text{if }\mathbb{N}_% {o\dots+112}\subseteq\mathbb{V}_{{\mu}}^{}\\ \mathopen{}\mathclose{{}\left(0,\nabla}\right)&\text{otherwise}\end{cases}\\ \text{let }\mathopen{}\mathclose{{}\left(c,i^{\prime},g_{R}^{\prime},\tilde{g}% ^{\prime},\mathbf{w}^{\prime},\mathbf{u}^{\prime}}\right)&=\Psi(\mathbf{m}% \mathopen{}\mathclose{{}\left[n}\right]_{\mathfrak{p}},\mathbf{m}\mathopen{}% \mathclose{{}\left[n}\right]_{i},g_{R},\mathbf{m}\mathopen{}\mathclose{{}\left% [n}\right]_{\tilde{g}},\mathbf{w},\mathbf{m}\mathopen{}\mathclose{{}\left[n}% \right]_{\mathbf{u}})\\ \text{let }{\mu}^{}&={\mu}\text{ except }{\mu}^{}_{o\dots+112}=\mathcal{E}_{% 8}\mathopen{}\mathclose{{}\left(g_{R}^{\prime}}\right)\frown\mathcal{E}_{8}% \mathopen{}\mathclose{{}\left(\mathbf{w}^{\prime}}\right)\\ \text{let }\mathbf{m}^{}&=\mathbf{m}\text{ except }\begin{cases}\mathbf{m}^{% }\mathopen{}\mathclose{{}\left[n}\right]_{\mathbf{u}}=\mathbf{u}^{\prime}\\ \mathbf{m}^{}\mathopen{}\mathclose{{}\left[n}\right]_{i}=\begin{cases}i^{% \prime}+\text{skip}(i^{\prime})+1&\text{if }c\in\mathopen{}\mathclose{{}\left% \{\,\hbar\,}\right\}\times\mathbb{N}_{R}\\ i^{\prime}&\text{otherwise}\end{cases}\\ \mathbf{m}^{}\mathopen{}\mathclose{{}\left[n}\right]_{\tilde{g}}=\tilde{g}^{% \prime}\\ \end{cases}\\ \varrho^{\prime}&\equiv\begin{cases}\varrho-g&\text{if }\mathbf{w}=\nabla\vee n% \not\in\mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{m}}\right)\vee\varrho<% g\\ \varrho-g+g_{R}^{\prime}&\text{otherwise}\end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \varphi^{\prime}_{8},{\mu}^{\prime},\mathbf{m}^{\prime}}\right)&\equiv\begin{% cases}\mathopen{}\mathclose{{}\left(\lightning,\varphi_{7},\varphi_{8},{\mu},% \mathbf{m}}\right)&\text{if }\mathbf{w}=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{WHO},\varphi_{8},{% \mu},\mathbf{m}}\right)&\text{otherwise if }n\not\in\mathbf{m}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HOST},h,{\mu}^{},% \mathbf{m}^{}}\right)&\text{otherwise if }c=\hbar\times h\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{FAULT},x,{\mu}^{},% \mathbf{m}^{}}\right)&\text{otherwise if }c=\text{\raisebox{6.0pt}{\rotatebox% {180.0}{{F}}}}\times x\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OOG},\varphi_{8},{% \mu}^{},\mathbf{m}^{}}\right)&\text{otherwise if }c=\infty\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{PANIC},\varphi_{8},{% \mu}^{},\mathbf{m}^{}}\right)&\text{otherwise if }c=\lightning\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HALT},\varphi_{8},{% \mu}^{},\mathbf{m}^{*}}\right)&\text{otherwise if }c=\blacksquare\\ \end{cases}\\ \end{aligned}$
$\Omega_{X}(\varrho,\varphi,\mu,\mathbf{m})$
expunge = 14
$g=\mathsf{M}_{X}$	$\begin{aligned} \text{let }n&=\varphi_{7}\\ \mathopen{}\mathclose{{}\left(\varphi^{\prime}_{7},\mathbf{m}^{\prime}}\right)% &\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\mathtt{WHO},\mathbf{m}}% \right)&\text{if }n\not\in\mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{m}}% \right)\\ \mathopen{}\mathclose{{}\left(\mathbf{m}\mathopen{}\mathclose{{}\left[n}\right% ]_{i},\mathbf{m}\setminus n}\right)&\text{otherwise}\\ \end{cases}\\ \end{aligned}$

B.7. Accumulate Functions

This defines a number of functions broadly of the form $(\varrho^{\prime}\in\mathbb{Z}_{G},\varphi^{\prime}\in\mathopen{}\mathclose{{}% \left\lsem\mathbb{N}_{R}}\right\rsem_{13},\mu^{\prime},\mathopen{}\mathclose{{% }\left(\mathbf{x}^{\prime},\mathbf{y}^{\prime}}\right))=\Omega_{\square}(% \varrho\in\mathbb{N}_{G},\varphi\in\mathopen{}\mathclose{{}\left\lsem\mathbb{N% }_{R}}\right\rsem_{13},\mu\in\mathbb{M},\mathopen{}\mathclose{{}\left(\mathbf{% x},\mathbf{y}}\right)\in\mathbb{L}^{2},\dots)$ . Functions which have a result component which is equivalent to the corresponding argument may have said components elided in the description. Functions may also depend upon particular additional parameters.

Other than the gas-counter which is explicitly defined, elements of pvm state are each assumed to remain unchanged by the host-call unless explicitly specified.

(B.20)		$\displaystyle\varrho^{\prime}$	$\displaystyle\equiv\varrho-g$
(B.21)		$\displaystyle\mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{% \prime},\mu^{\prime},\mathbf{x}^{\prime},\mathbf{y}^{\prime}}\right)$	$\displaystyle\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\infty,\varphi,% \mu,\mathbf{x},\mathbf{y}}\right)&\text{if }\varrho<g\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\varphi,\mu,\mathbf{x},% \mathbf{y}}\right)\text{ except as indicated below}&\text{otherwise}\end{cases}$

Function
Identifier
Gas usage ( $g$ )	Mutations
$\Omega_{B}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))$
bless = 15
$g=\mathsf{M}_{B,c}+n\cdot\mathsf{M}_{B,\ell}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[m,a,v,r,o,n}\right]&=% \varphi_{7\dots+6}\\ \text{let }\mathbf{a}&=\begin{cases}\mathcal{E}^{-1}_{4}\mathopen{}\mathclose{% {}\left(\mu_{a\dots+4\mathsf{C}}}\right)&\text{if }\mathbb{N}_{a\dots+4\mathsf% {C}}\subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }\mathbf{z}&=\begin{cases}\mathopen{}\mathclose{{}\left\{\,\mathopen% {}\mathclose{{}\left(s\mapsto g}\right)\ \text{where }\mathcal{E}_{4}\mathopen% {}\mathclose{{}\left(s}\right)\frown\mathcal{E}_{8}\mathopen{}\mathclose{{}% \left(g}\right)=\mu_{o+12i\dots+12}\;\middle\|\;i\in\mathbb{N}_{n}\,}\right\}&% \text{if }\mathbb{N}_{o\dots+12n}\subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},(% \mathbf{x}^{\prime}_{\mathbf{e}})_{\mathopen{}\mathclose{{}\left(m,\mathbf{a},% v,r,\mathbf{z}}\right)}}\right)&=\begin{cases}\mathopen{}\mathclose{{}\left(% \lightning,\varphi_{7},(\mathbf{x}_{\mathbf{e}})_{\mathopen{}\mathclose{{}% \left(m,\mathbf{a},v,r,\mathbf{z}}\right)}}\right)&\text{if }\mathopen{}% \mathclose{{}\left\{\,\mathbf{z},\mathbf{a}\,}\right\}\ni\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},(\mathbf{x}_{% \mathbf{e}})_{\mathopen{}\mathclose{{}\left(m,\mathbf{a},v,r,\mathbf{z}}\right% )}}\right)&\text{otherwise if }\mathbf{x}_{s}\neq(\mathbf{x}_{\mathbf{e}})_{m}% \\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{WHO},(\mathbf{x}_{% \mathbf{e}})_{\mathopen{}\mathclose{{}\left(m,\mathbf{a},v,r,\mathbf{z}}\right% )}}\right)&\text{otherwise if }\mathopen{}\mathclose{{}\left(m,v,r}\right)\not% \in\mathbb{N}_{S}^{3}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},\!\mathopen{}% \mathclose{{}\left\lgroup m,\mathbf{a},v,r,\mathbf{z}}\right\rgroup\!}\right)&% \text{otherwise}\\ \end{cases}\end{aligned}$
$\Omega_{A}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))$
assign = 16
$g=\mathsf{M}_{A}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[c,o,a}\right]&=% \varphi_{7\dots+3}\\ \text{let }\mathbf{q}&=\begin{cases}\mathopen{}\mathclose{{}\left[\mu_{o+32i% \dots+32}\;\middle\|\;i\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbb% {N}_{\mathsf{Q}}}\right]&\text{if }\mathbb{N}_{o\dots+32\mathsf{Q}}\subseteq% \mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},(% \mathbf{x}^{\prime}_{\mathbf{e}})_{\mathbf{q}}\mathopen{}\mathclose{{}\left[c}% \right],(\mathbf{x}^{\prime}_{\mathbf{e}})_{\mathbf{a}}\mathopen{}\mathclose{{% }\left[c}\right]}\right)&=\begin{cases}\mathopen{}\mathclose{{}\left(% \lightning,\varphi_{7},(\mathbf{x}_{\mathbf{e}})_{\mathbf{q}}\mathopen{}% \mathclose{{}\left[c}\right],(\mathbf{x}_{\mathbf{e}})_{\mathbf{a}}\mathopen{}% \mathclose{{}\left[c}\right]}\right)&\text{if }\mathbf{q}=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{CORE},(\mathbf{x}_{% \mathbf{e}})_{\mathbf{q}}\mathopen{}\mathclose{{}\left[c}\right],(\mathbf{x}_{% \mathbf{e}})_{\mathbf{a}}\mathopen{}\mathclose{{}\left[c}\right]}\right)&\text% {otherwise if }c\geq\mathsf{C}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},(\mathbf{x}_{% \mathbf{e}})_{\mathbf{q}}\mathopen{}\mathclose{{}\left[c}\right],(\mathbf{x}_{% \mathbf{e}})_{\mathbf{a}}\mathopen{}\mathclose{{}\left[c}\right]}\right)&\text% {otherwise if }\mathbf{x}_{s}\neq(\mathbf{x}_{\mathbf{e}})_{\mathbf{a}}% \mathopen{}\mathclose{{}\left[c}\right]\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{WHO},(\mathbf{x}_{% \mathbf{e}})_{\mathbf{q}}\mathopen{}\mathclose{{}\left[c}\right],(\mathbf{x}_{% \mathbf{e}})_{\mathbf{a}}\mathopen{}\mathclose{{}\left[c}\right]}\right)&\text% {otherwise if }a\not\in\mathbb{N}_{S}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},\mathbf{q},a}% \right)&\text{otherwise}\\ \end{cases}\\ \end{aligned}$
$\Omega_{D}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))$
designate = 17
$g=\mathsf{M}_{D,c}+z\cdot\mathsf{M}_{D,\ell}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[o,z}\right]&=\varphi_% {7\dots+2}\\ \text{let }\mathbf{v}&=\begin{cases}\mathopen{}\mathclose{{}\left[\mu_{o+336i% \dots+336}\;\middle\|\;i\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}% \mathbb{N}_{z}}\right]&\text{if }\mathbb{N}_{o\dots+336z}\subseteq\mathbb{V}_{% \mu}\\ \nabla&\text{otherwise}\end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},(% \mathbf{x}^{\prime}_{\mathbf{e}})_{\mathbf{i}}}\right)&=\begin{cases}\mathopen% {}\mathclose{{}\left(\lightning,\varphi_{7},(\mathbf{x}_{\mathbf{e}})_{\mathbf% {i}}}\right)&\text{if }\mathbf{v}=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},(\mathbf{x}_{% \mathbf{e}})_{\mathbf{i}}}\right)&\text{otherwise if }z\not\in\mathbb{V}\vee% \mathbf{x}_{s}\neq(\mathbf{x}_{\mathbf{e}})_{v}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},\mathbf{v}}% \right)&\text{otherwise}\\ \end{cases}\\ \end{aligned}$
$\Omega_{C}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))$
checkpoint = 18
$g=\mathsf{M}_{C}$	$\begin{aligned} \mathbf{y}^{\prime}&\equiv\mathbf{x}\\ \varphi^{\prime}_{7}&\equiv\varrho^{\prime}\end{aligned}$
$\Omega_{N}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right),t)$
new = 19
$g=\mathsf{M}_{N}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[o,l,g,m,f,i}\right]&=% \varphi_{7\dots+6}\\ \text{let }c&=\begin{cases}\mu_{o\dots+32}&\text{if }\mathbb{N}_{o\dots+32}% \subseteq\mathbb{V}_{\mu}\wedge l\in\mathbb{N}_{2^{32}}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }\mathbf{a}\in\mathbb{A}\cup\mathopen{}\mathclose{{}\left\{\,\nabla% \,}\right\}&=\begin{cases}\mathopen{}\mathclose{{}\left(c,\mathbf{\mathbf{s}}% \mathrel{\mathop{:}}\mathopen{}\mathclose{{}\left\{}\right\},\mathbf{\mathbf{l% }}\mathrel{\mathop{:}}\mathopen{}\mathclose{{}\left\{\,\mathopen{}\mathclose{{% }\left(\mathopen{}\mathclose{{}\left(c,l}\right)\mapsto\mathopen{}\mathclose{{% }\left[}\right]}\right)\,}\right\},b\mathrel{\mathop{:}}\mathbf{a}_{t},g,m,% \mathbf{\mathbf{p}}\mathrel{\mathop{:}}\mathopen{}\mathclose{{}\left\{}\right% \},r\mathrel{\mathop{:}}t,f,a\mathrel{\mathop{:}}0,p\mathrel{\mathop{:}}% \mathbf{x}_{s}}\right)&\text{if }c\neq\nabla\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }\mathbf{s}&=\mathbf{x}_{\mathbf{s}}\text{ except }\mathbf{s}_{b}=(% \mathbf{x}_{\mathbf{s}})_{b}-\mathbf{a}_{t}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \mathbf{x}^{\prime}_{i},(\mathbf{x}^{\prime}_{\mathbf{e}})_{\mathbf{d}}}\right% )&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\lightning,\varphi_{7},% \mathbf{x}_{i},(\mathbf{x}_{\mathbf{e}})_{\mathbf{d}}}\right)&\text{if }c=% \nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},\mathbf{x}_{i},% (\mathbf{x}_{\mathbf{e}})_{\mathbf{d}}}\right)&\text{otherwise if }f\neq 0% \wedge\mathbf{x}_{s}\neq(\mathbf{x}_{\mathbf{e}})_{m}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{CASH},\mathbf{x}_{i}% ,(\mathbf{x}_{\mathbf{e}})_{\mathbf{d}}}\right)&\text{otherwise if }\mathbf{s}% _{b}<(\mathbf{x}_{\mathbf{s}})_{t}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{FULL},\mathbf{x}_{i}% ,(\mathbf{x}_{\mathbf{e}})_{\mathbf{d}}}\right)&\text{otherwise if }\mathbf{x}% _{s}=(\mathbf{x}_{\mathbf{e}})_{r}\wedge i<\mathsf{S}\wedge i\in\mathcal{K}% \mathopen{}\mathclose{{}\left((\mathbf{x}_{\mathbf{e}})_{\mathbf{d}}}\right)\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,i,\mathbf{x}_{i},(\mathbf{x}% _{\mathbf{e}})_{\mathbf{d}}\cup\mathbf{d}}\right)&\text{otherwise if }\mathbf{% x}_{s}=(\mathbf{x}_{\mathbf{e}})_{r}\wedge i<\mathsf{S}\\ \lx@intercol\quad\text{where }\mathbf{d}=\mathopen{}\mathclose{{}\left\{\,% \mathopen{}\mathclose{{}\left(i\mapsto\mathbf{a}}\right),\mathopen{}\mathclose% {{}\left(\mathbf{x}_{s}\mapsto\mathbf{s}}\right)\,}\right\}\hfil\lx@intercol\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathbf{x}_{i},i^{},(% \mathbf{x}_{\mathbf{e}})_{\mathbf{d}}\cup\mathbf{d}}\right)&\text{otherwise}\\ \lx@intercol\quad\text{where }i^{}=\text{check}(\mathsf{S}+(\mathbf{x}_{i}-% \mathsf{S}+42)\bmod(2^{32}-\mathsf{S}-2^{8}))\hfil\lx@intercol\\ \lx@intercol\quad\text{and }\mathbf{d}=\mathopen{}\mathclose{{}\left\{\,% \mathopen{}\mathclose{{}\left(\mathbf{x}_{i}\mapsto\mathbf{a}}\right),% \mathopen{}\mathclose{{}\left(\mathbf{x}_{s}\mapsto\mathbf{s}}\right)\,}\right% \}\hfil\lx@intercol\\ \end{cases}\\ \end{aligned}$
$\Omega_{U}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))$
upgrade = 20
$g=\mathsf{M}_{U}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[o,g,m}\right]&=% \varphi_{7\dots+3}\\ \text{let }c&=\begin{cases}\mu_{o\dots+32}&\text{if }\mathbb{N}_{o\dots+32}% \subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},(% \mathbf{x}^{\prime}_{\mathbf{s}})_{c},(\mathbf{x}^{\prime}_{\mathbf{s}})_{g},(% \mathbf{x}^{\prime}_{\mathbf{s}})_{m}}\right)&\equiv\begin{cases}\mathopen{}% \mathclose{{}\left(\lightning,\varphi_{7},(\mathbf{x}_{\mathbf{s}})_{c},(% \mathbf{x}_{\mathbf{s}})_{g},(\mathbf{x}_{\mathbf{s}})_{m}}\right)&\text{if }c% =\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},c,g,m}\right)&% \text{otherwise}\\ \end{cases}\end{aligned}$
$\Omega_{T}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))$
transfer = 21
$g=\mathsf{M}_{T}+t$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[d,a,l,o}\right]&=% \varphi_{7\dots+4},\\ \text{let }\mathbf{d}&=(\mathbf{x}_{\mathbf{e}})_{\mathbf{d}}\\ \text{let }\mathbf{t}\in\mathbb{X}\cup\mathopen{}\mathclose{{}\left\{\,\nabla% \,}\right\}&=\begin{cases}\mathopen{}\mathclose{{}\left(s\mathrel{\mathop{:}}% \mathbf{x}_{s},d,a,m\mathrel{\mathop{:}}\mu_{o\dots+\mathsf{W}_{T}},g\mathrel{% \mathop{:}}l}\right)&\text{if }\mathbb{N}_{o\dots+\mathsf{W}_{T}}\subseteq% \mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }b&=(\mathbf{x}_{\mathbf{s}})_{b}-a\\ \text{let }\mathopen{}\mathclose{{}\left(c,t}\right)&=\begin{cases}\mathopen{}% \mathclose{{}\left(\lightning,0}\right)&\text{if }\mathbf{t}=\nabla\\ \mathopen{}\mathclose{{}\left(\mathtt{WHO},0}\right)&\text{otherwise if }d\not% \in\mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{d}}\right)\\ \mathopen{}\mathclose{{}\left(\mathtt{LOW},0}\right)&\text{otherwise if }l<% \mathbf{d}[d]_{m}\\ \mathopen{}\mathclose{{}\left(\mathtt{CASH},0}\right)&\text{otherwise if }b<(% \mathbf{x}_{\mathbf{s}})_{t}\\ \mathopen{}\mathclose{{}\left(\mathtt{OK},l}\right)&\text{otherwise}\end{cases% }\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \mathbf{x}^{\prime}_{\mathbf{t}},(\mathbf{x}^{\prime}_{\mathbf{s}})_{b}}\right% )&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(\lightning,\varphi_{7},% \mathbf{x}_{\mathbf{t}},(\mathbf{x}_{\mathbf{s}})_{b}}\right)&\text{if }c=% \lightning\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,c,\mathbf{x}_{\mathbf{t}},(% \mathbf{x}_{\mathbf{s}})_{b}}\right)&\text{otherwise if }c\neq\mathtt{OK}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},\mathbf{x}_{% \mathbf{t}}\mathrel{\hbox to0.0pt{\hbox to7.0pt{\hfill\vrule height=5.0pt,dept% h=0.0pt,width=0.6pt\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill}}% \vbox to5.0pt{\vfill\hrule height=0.6pt,depth=0.0pt,width=7.0pt\vfill}}\mathbf% {t},b}\right)&\text{otherwise}\end{cases}\\ \end{aligned}$
$\Omega_{J}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right),t)$
eject = 22
$g=\mathsf{M}_{J}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[d,o}\right]&=\varphi_% {7,8}\\ \text{let }h&=\begin{cases}\mu_{o\dots+32}&\text{if }\mathbb{N}_{o\dots+32}% \subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }\mathbf{d}&=\begin{cases}(\mathbf{x}_{\mathbf{e}})_{\mathbf{d}}% \mathopen{}\mathclose{{}\left[d}\right]&\text{if }d\neq\mathbf{x}_{s}\wedge d% \in\mathcal{K}\mathopen{}\mathclose{{}\left((\mathbf{x}_{\mathbf{e}})_{\mathbf% {d}}}\right)\\ \nabla&\text{otherwise}\\ \end{cases}\\ \text{let }l&=\max(81,\mathbf{d}_{o})-81\\ \text{let }\mathbf{s}^{\prime}&=\mathbf{x}_{\mathbf{s}}\text{ except }\mathbf{% s}^{\prime}_{b}=(\mathbf{x}_{\mathbf{s}})_{b}+\mathbf{d}_{b}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},(% \mathbf{x}^{\prime}_{\mathbf{e}})_{\mathbf{d}}}\right)&\equiv\begin{cases}% \mathopen{}\mathclose{{}\left(\lightning,\varphi_{7},(\mathbf{x}_{\mathbf{e}})% _{\mathbf{d}}}\right)&\text{if }h=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{WHO},(\mathbf{x}_{% \mathbf{e}})_{\mathbf{d}}}\right)&\text{otherwise if }\mathbf{d}=\nabla\vee% \mathbf{d}_{c}\neq\mathcal{E}_{32}\mathopen{}\mathclose{{}\left(\mathbf{x}_{s}% }\right)\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},(\mathbf{x}_{% \mathbf{e}})_{\mathbf{d}}}\right)&\text{otherwise if }\mathbf{d}_{i}\neq 2\vee% \mathopen{}\mathclose{{}\left(h,l}\right)\not\in\mathbf{d}_{\mathbf{l}}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},(\mathbf{x}_{% \mathbf{e}})_{\mathbf{d}}\setminus\mathopen{}\mathclose{{}\left\{\,d\,}\right% \}\cup\mathopen{}\mathclose{{}\left\{\,\mathopen{}\mathclose{{}\left(\mathbf{x% }_{s}\mapsto\mathbf{s}^{\prime}}\right)\,}\right\}}\right)&\text{otherwise if % }\mathbf{d}_{\mathbf{l}}\mathopen{}\mathclose{{}\left[h,l}\right]=\mathopen{}% \mathclose{{}\left[x,y}\right],y<t-\mathsf{D}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},(\mathbf{x}_{% \mathbf{e}})_{\mathbf{d}}}\right)&\text{otherwise}\\ \end{cases}\\ \end{aligned}$
$\Omega_{Q}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))$
query = 23
$g=\mathsf{M}_{Q}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[o,z}\right]&=\varphi_% {7,8}\\ \text{let }h&=\begin{cases}\mu_{o\dots+32}&\text{if }\mathbb{N}_{o\dots+32}% \subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }\mathbf{a}&=\begin{cases}(\mathbf{x}_{\mathbf{s}})_{\mathbf{l}}% \mathopen{}\mathclose{{}\left[h,z}\right]&\text{if }\mathopen{}\mathclose{{}% \left(h,z}\right)\in\mathcal{K}\mathopen{}\mathclose{{}\left((\mathbf{x}_{% \mathbf{s}})_{\mathbf{l}}}\right)\\ \nabla&\text{otherwise}\\ \end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \varphi^{\prime}_{8}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}\left(% \blacktriangleright,\mathtt{HUH},\varphi_{8}}\right)&\text{if }z\not\in\mathbb% {N}_{L}\\ \mathopen{}\mathclose{{}\left(\lightning,\varphi_{7},\varphi_{8}}\right)&\text% {otherwise if }h=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{NONE},0}\right)&% \text{otherwise if }\mathbf{a}=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,0,0}\right)&\text{otherwise % if }\mathbf{a}=\mathopen{}\mathclose{{}\left[}\right]\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,1+2^{32}x,0}\right)&\text{% otherwise if }\mathbf{a}=\mathopen{}\mathclose{{}\left[x}\right]\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,2+2^{32}x,y}\right)&\text{% otherwise if }\mathbf{a}=\mathopen{}\mathclose{{}\left[x,y}\right]\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,3+2^{32}x,y+2^{32}z}\right)&% \text{otherwise if }\mathbf{a}=\mathopen{}\mathclose{{}\left[x,y,z}\right]\\ \end{cases}\\ \end{aligned}$
$\Omega_{S}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right),t)$
solicit = 24
$g=\mathsf{M}_{S}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[o,z}\right]&=\varphi_% {7,8}\\ \text{let }h&=\begin{cases}\mu_{o\dots+32}&\text{if }\mathbb{N}_{o\dots+32}% \subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }\mathbf{a}&=\begin{cases}\mathbf{x}_{\mathbf{s}}\text{ except: }&\\ \quad\mathbf{a}_{\mathbf{l}}\mathopen{}\mathclose{{}\left[\mathopen{}% \mathclose{{}\left(h,z}\right)}\right]=\mathopen{}\mathclose{{}\left[}\right]&% \text{if }h\neq\nabla\wedge\mathopen{}\mathclose{{}\left(h,z}\right)\not\in% \mathcal{K}\mathopen{}\mathclose{{}\left((\mathbf{x}_{\mathbf{s}})_{\mathbf{l}% }}\right)\\ \quad\mathbf{a}_{\mathbf{l}}\mathopen{}\mathclose{{}\left[\mathopen{}% \mathclose{{}\left(h,z}\right)}\right]=(\mathbf{x}_{\mathbf{s}})_{\mathbf{l}}% \mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(h,z}\right)}\right% ]\mathrel{\hbox to0.0pt{\hbox to7.0pt{\hfill\vrule height=5.0pt,depth=0.0pt,wi% dth=0.6pt\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill}}\vbox to5.0% pt{\vfill\hrule height=0.6pt,depth=0.0pt,width=7.0pt\vfill}}t&\text{if }(% \mathbf{x}_{\mathbf{s}})_{\mathbf{l}}\mathopen{}\mathclose{{}\left[\mathopen{}% \mathclose{{}\left(h,z}\right)}\right]=\mathopen{}\mathclose{{}\left[x,y}% \right]\\ \nabla&\text{otherwise}\\ \end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \mathbf{x}^{\prime}_{\mathbf{s}}}\right)&\equiv\begin{cases}\mathopen{}% \mathclose{{}\left(\blacktriangleright,\mathtt{HUH},\mathbf{x}_{\mathbf{s}}}% \right)&\text{if }z\not\in\mathbb{N}_{L}\\ \mathopen{}\mathclose{{}\left(\lightning,\varphi_{7},\mathbf{x}_{\mathbf{s}}}% \right)&\text{otherwise if }h=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},\mathbf{x}_{% \mathbf{s}}}\right)&\text{otherwise if }\mathbf{a}=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{FULL},\mathbf{x}_{% \mathbf{s}}}\right)&\text{otherwise if }\mathbf{a}_{b}<\mathbf{a}_{t}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},\mathbf{a}}% \right)&\text{otherwise}\\ \end{cases}\\ \end{aligned}$
$\Omega_{F}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right),t)$
forget = 25
$g=\mathsf{M}_{F}$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[o,z}\right]&=\varphi_% {7,8}\\ \text{let }h&=\begin{cases}\mu_{o\dots+32}&\text{if }\mathbb{N}_{o\dots+32}% \subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }\mathbf{a}&=\begin{cases}\mathbf{x}_{\mathbf{s}}\text{ except:}&\\ \quad\mathopen{}\mathclose{{}\left.\begin{aligned} \mathcal{K}\mathopen{}% \mathclose{{}\left(\mathbf{a}_{\mathbf{l}}}\right)&=\mathcal{K}\mathopen{}% \mathclose{{}\left((\mathbf{x}_{\mathbf{s}})_{\mathbf{l}}}\right)\setminus% \mathopen{}\mathclose{{}\left\{\,\mathopen{}\mathclose{{}\left(h,z}\right)\,}% \right\}\ ,\\[2.0pt] \mathcal{K}\mathopen{}\mathclose{{}\left(\mathbf{a}_{\mathbf{p}}}\right)&=% \mathcal{K}\mathopen{}\mathclose{{}\left((\mathbf{x}_{\mathbf{s}})_{\mathbf{p}% }}\right)\setminus\mathopen{}\mathclose{{}\left\{\,h\,}\right\}\end{aligned}\ % }\right\}&\text{if }(\mathbf{x}_{\mathbf{s}})_{\mathbf{l}}\mathopen{}% \mathclose{{}\left[h,z}\right]\in\mathopen{}\mathclose{{}\left\{\,\mathopen{}% \mathclose{{}\left[}\right],\mathopen{}\mathclose{{}\left[x,y}\right]\,}\right% \},\ y<t-\mathsf{D}\\ \quad\mathbf{a}_{\mathbf{l}}\mathopen{}\mathclose{{}\left[h,z}\right]=% \mathopen{}\mathclose{{}\left[x,t}\right]&\text{if }(\mathbf{x}_{\mathbf{s}})_% {\mathbf{l}}\mathopen{}\mathclose{{}\left[h,z}\right]=\mathopen{}\mathclose{{}% \left[x}\right]\\ \quad\mathbf{a}_{\mathbf{l}}\mathopen{}\mathclose{{}\left[h,z}\right]=% \mathopen{}\mathclose{{}\left[w,t}\right]&\text{if }(\mathbf{x}_{\mathbf{s}})_% {\mathbf{l}}\mathopen{}\mathclose{{}\left[h,z}\right]=\mathopen{}\mathclose{{}% \left[x,y,w}\right],\ y<t-\mathsf{D}\\ \nabla&\text{otherwise}\\ \end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \mathbf{x}^{\prime}_{\mathbf{s}}}\right)&\equiv\begin{cases}\mathopen{}% \mathclose{{}\left(\blacktriangleright,\mathtt{HUH},\mathbf{x}_{\mathbf{s}}}% \right)&\text{if }z\not\in\mathbb{N}_{L}\\ \mathopen{}\mathclose{{}\left(\lightning,\varphi_{7},\mathbf{x}_{\mathbf{s}}}% \right)&\text{otherwise if }h=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},\mathbf{x}_{% \mathbf{s}}}\right)&\text{otherwise if }\mathbf{a}=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},\mathbf{a}}% \right)&\text{otherwise}\\ \end{cases}\\ \end{aligned}$
$\Omega_{\Taurus}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))$
yield = 26
$g=\mathsf{M}_{\Taurus}$	$\begin{aligned} \text{let }o&=\varphi_{7}\\ \text{let }h&=\begin{cases}\mu_{o\dots+32}&\text{if }\mathbb{N}_{o\dots+32}% \subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \mathbf{x}^{\prime}_{y}}\right)&\equiv\begin{cases}\mathopen{}\mathclose{{}% \left(\lightning,\varphi_{7},\mathbf{x}_{y}}\right)&\text{if }h=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},h}\right)&\text{% otherwise}\\ \end{cases}\\ \end{aligned}$
$\Omega_{\Aries}(\varrho,\varphi,\mu,\mathopen{}\mathclose{{}\left(\mathbf{x},% \mathbf{y}}\right))$
provide = 27
$g=\mathsf{M}_{\Aries,c}+\mathcal{G}(\mathsf{M}_{\Aries,\ell},z)$	$\begin{aligned} \text{let }\mathopen{}\mathclose{{}\left[o,z}\right]&=\varphi_% {8,9}\\ \text{let }\mathbf{d}&=(\mathbf{x}_{\mathbf{e}})_{\mathbf{d}}\\ \text{let }s&=\begin{cases}\mathbf{x}_{s}&\text{if }\varphi_{7}=2^{64}-1\\ \varphi_{7}&\text{otherwise}\end{cases}\\ \text{let }\mathbf{i}&=\begin{cases}\mu_{o\dots+z}&\text{if }\mathbb{N}_{o% \dots+z}\subseteq\mathbb{V}_{\mu}\\ \nabla&\text{otherwise}\end{cases}\\ \text{let }\mathbf{a}&=\begin{cases}\mathbf{d}[s]&\text{if }s\in\mathcal{K}% \mathopen{}\mathclose{{}\left(\mathbf{d}}\right)\\ \emptyset&\text{otherwise}\end{cases}\\ \mathopen{}\mathclose{{}\left(\varepsilon^{\prime},\varphi^{\prime}_{7},% \mathbf{x}^{\prime}_{\mathbf{p}}}\right)&\equiv\begin{cases}\mathopen{}% \mathclose{{}\left(\blacktriangleright,\mathtt{HUH},\mathbf{x}_{\mathbf{p}}}% \right)&\text{if }z\not\in\mathbb{N}_{L}\\ \mathopen{}\mathclose{{}\left(\lightning,\varphi_{7},\mathbf{x}_{\mathbf{p}}}% \right)&\text{otherwise if }\mathbf{i}=\nabla\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{WHO},\mathbf{x}_{% \mathbf{p}}}\right)&\text{otherwise if }\mathbf{a}=\emptyset\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},\mathbf{x}_{% \mathbf{p}}}\right)&\text{otherwise if }\mathbf{a}_{\mathbf{l}}[\mathopen{}% \mathclose{{}\left(\mathcal{H}\mathopen{}\mathclose{{}\left(\mathbf{i}}\right)% ,z}\right)]\neq\mathopen{}\mathclose{{}\left[}\right]\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{HUH},\mathbf{x}_{% \mathbf{p}}}\right)&\text{otherwise if }\mathopen{}\mathclose{{}\left(s,% \mathbf{i}}\right)\in\mathbf{x}_{\mathbf{p}}\\ \mathopen{}\mathclose{{}\left(\blacktriangleright,\mathtt{OK},\mathbf{x}_{% \mathbf{p}}\cup\mathopen{}\mathclose{{}\left\{\,\mathopen{}\mathclose{{}\left(% s,\mathbf{i}}\right)\,}\right\}}\right)&\text{otherwise}\\ \end{cases}\\ \end{aligned}$

Appendix C Serialization Codec

C.1. Common Terms

Our codec function $\mathcal{E}$ is used to serialize some term into a sequence of octets. We define the deserialization function $\mathcal{E}^{-1}$ as the inverse of $\mathcal{E}$ and able to decode some sequence into the original value. The codec is designed such that exactly one value is encoded into any given sequence of octets, and in cases where this is not desirable then we use special codec functions.

C.1.1. Trivial Encodings

We define the serialization of $\emptyset$ as the empty sequence:

(C.1)

\mathcal{E}\mathopen{}\mathclose{{}\left(\emptyset}\right)\equiv\mathopen{}% \mathclose{{}\left[}\right]

We also define the serialization of an octet-sequence as itself:

(C.2)

\mathcal{E}\mathopen{}\mathclose{{}\left(x\in\mathbb{B}}\right)\equiv x

We define anonymous tuples to be encoded as the concatenation of their encoded elements:

(C.3)

\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left(a,b,% \dots}\right)}\right)\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(a}\right)% \frown\mathcal{E}\mathopen{}\mathclose{{}\left(b}\right)\frown\dots

Passing multiple arguments to the serialization functions is equivalent to passing a tuple of those arguments. Formally:

(C.4)

\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(a,b,\dots}\right)

\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}% \mathclose{{}\left(a,b,\dots}\right)}\right)

We define general natural number serialization, able to encode naturals of up to $2^{64}$ , as:

(C.5)

\mathcal{E}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{N}_{2^% {64}}&\to\mathbb{B}_{1:9}\\ x&\mapsto\begin{cases}\mathopen{}\mathclose{{}\left[0}\right]&\text{if }x=0\\ \mathopen{}\mathclose{{}\left[2^{8}-2^{8-l}+\mathopen{}\mathclose{{}\left% \lfloor\frac{x}{2^{8l}}}\right\rfloor}\right]\frown\mathcal{E}_{l}\mathopen{}% \mathclose{{}\left(x\bmod 2^{8l}}\right)&\text{if }\exists l\in\mathbb{N}_{8}:% 2^{7l}\leq x<2^{7(l+1)}\\ \mathopen{}\mathclose{{}\left[2^{8}-1}\right]\frown\mathcal{E}_{8}\mathopen{}% \mathclose{{}\left(x}\right)&\text{otherwise if }x<2^{64}\\ \end{cases}\end{aligned}}\right.

C.1.2. Sequence Encoding

We define the sequence serialization function $\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left\lsem T}% \right\rsem}\right)$ for any $T$ which is itself a subset of the domain of $\mathcal{E}$ . We simply concatenate the serializations of each element in the sequence in turn:

(C.6)

\mathcal{E}\mathopen{}\mathclose{{}\left([\mathbf{i}_{0},\mathbf{i}_{1},...]}% \right)\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{i}_{0}}\right)% \frown\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{i}_{1}}\right)\frown\dots

Thus, conveniently, fixed length octet sequences (e.g. hashes $\mathbb{H}$ and its variants) have an identity serialization.

C.1.3. Discriminator Encoding

When we have sets of heterogeneous items such as a union of different kinds of tuples or sequences of different length, we require a discriminator to determine the nature of the encoded item for successful deserialization. Discriminators are encoded as a natural and are encoded immediately prior to the item.

We generally use a length discriminator when serializing sequence terms which have variable length (e.g. general blobs $\mathbb{B}$ or unbound numeric sequences $\mathopen{}\mathclose{{}\left\lsem\mathbb{N}}\right\rsem$ ) (though this is omitted in the case of fixed-length terms such as hashes $\mathbb{H}$ ).¹⁹¹⁹ 19 Note that since specific values may belong to both sets which would need a discriminator and those that would not then we are sadly unable to introduce a function capable of serializing corresponding to the term’s limitation. A more sophisticated formalism than basic set-theory would be needed, capable of taking into account not simply the value but the term from which or to which it belongs in order to do this succinctly. In this case, we simply prefix the term its length prior to encoding. Thus, for some term $y\in\mathopen{}\mathclose{{}\left(x\in\mathbb{B},\dots}\right)$ , we would generally define its serialized form to be $\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left|x}% \right|}\right)\frown\mathcal{E}\mathopen{}\mathclose{{}\left(x}\right)\frown\dots$ . To avoid repetition of the term in such cases, we define the notation $\mathopen{}\mathclose{{}\left\updownarrow x}\right.\!$ to mean that the term of value $x$ is variable in size and requires a length discriminator. Formally:

(C.7)

\mathopen{}\mathclose{{}\left\updownarrow x}\right.\!\equiv\mathopen{}% \mathclose{{}\left(\mathopen{}\mathclose{{}\left|x}\right|,x}\right)\text{ % thus }\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left% \updownarrow x}\right.\!}\right)\equiv\mathcal{E}\mathopen{}\mathclose{{}\left% (\mathopen{}\mathclose{{}\left|x}\right|}\right)\frown\mathcal{E}\mathopen{}% \mathclose{{}\left(x}\right)

We also define a convenient discriminator operator $\mathord{\text{¿}}x$ specifically for terms defined by some serializable set in union with $\emptyset$ (generally denoted for some set $S$ as $S\bm{?}$ ):

(C.8)

\displaystyle\mathord{\text{¿}}x\equiv\begin{cases}0&\text{if }x=\emptyset\\ \mathopen{}\mathclose{{}\left(1,x}\right)&\text{otherwise}\end{cases}

C.1.4. Bit Sequence Encoding

A sequence of bits $b\in\mathbb{b}$ is a special case since encoding each individual bit as an octet would be very wasteful. We instead pack the bits into octets in order of least significant to most, and arrange into an octet stream. In the case of a variable length sequence, then the length is prefixed as in the general case.

(C.9)

\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(b\in\mathbb{b}}\right)

\displaystyle\equiv\begin{cases}\mathopen{}\mathclose{{}\left[}\right]&\text{% if }b=\mathopen{}\mathclose{{}\left[}\right]\\ \mathopen{}\mathclose{{}\left[\sum\limits_{i=0}^{i<\min(8,\mathopen{}% \mathclose{{}\left|b}\right|)}b_{i}\cdot 2^{i}}\right]\frown\mathcal{E}% \mathopen{}\mathclose{{}\left(b_{8\dots}}\right)&\text{otherwise}\\ \end{cases}

C.1.5. Dictionary Encoding

In general, dictionaries are placed in the Merkle trie directly (see appendix E for details). However, small dictionaries may reasonably be encoded as a sequence of pairs ordered by the key. Formally:

(C.10)

\forall K,V:\mathcal{E}\mathopen{}\mathclose{{}\left(d\in\mathopen{}\mathclose% {{}\left\langlebar K\to V}\right\ranglebar}\right)\equiv\mathcal{E}\mathopen{}% \mathclose{{}\left(\mathopen{}\mathclose{{}\left\updownarrow\mathopen{}% \mathclose{{}\left[\mathopen{}\mathclose{{}\left(\mathcal{E}\mathopen{}% \mathclose{{}\left(k}\right),\mathcal{E}\mathopen{}\mathclose{{}\left(d% \mathopen{}\mathclose{{}\left[k}\right]}\right)}\right)\;\middle|\;k\in% \mathcal{K}\mathopen{}\mathclose{{}\left(d}\right)\,\middle\lwavy\,k}\right]}% \right.\!}\right)

C.1.6. Set Encoding

For any values which are sets and don’t already have a defined encoding above, we define the serialization of a set as the serialization of the set’s elements in proper order. Formally:

(C.11)

\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left\{\,a,b,% c,\dots\,}\right\}}\right)\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(a}% \right)\frown\mathcal{E}\mathopen{}\mathclose{{}\left(b}\right)\frown\mathcal{% E}\mathopen{}\mathclose{{}\left(c}\right)\frown\dots\text{where }a<b<c<\dots

C.1.7. Fixed-length Integer Encoding

We first define the trivial natural number serialization functions which are subscripted by the number of octets of the final sequence. Values are encoded in a regular little-endian fashion. This is utilized for almost all integer encoding across the protocol. Formally:

(C.12)

\mathcal{E}_{l\in\mathbb{N}}\colon\mathopen{}\mathclose{{}\left\{\begin{% aligned} \mathbb{N}_{2^{8l}}&\to\mathbb{B}_{l}\\ x&\mapsto\begin{cases}\mathopen{}\mathclose{{}\left[}\right]&\text{if }l=0\\ \mathopen{}\mathclose{{}\left[x\bmod 256}\right]\frown\mathcal{E}_{l-1}% \mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left\lfloor\frac{x}{256% }}\right\rfloor}\right)&\text{otherwise}\end{cases}\end{aligned}}\right.

For non-natural arguments, $\mathcal{E}_{l\in\mathbb{N}}$ corresponds to the definitions of $\mathcal{E}$ , except that recursive elements are made as $\mathcal{E}_{l}$ rather than $\mathcal{E}$ . Thus:

(C.13)	$\displaystyle\mathcal{E}_{l\in\mathbb{N}}\mathopen{}\mathclose{{}\left(a,b,% \dots}\right)$	$\displaystyle\equiv\mathcal{E}_{l}\mathopen{}\mathclose{{}\left(\mathopen{}% \mathclose{{}\left(a,b,\dots}\right)}\right)$
(C.14)	$\displaystyle\mathcal{E}_{l\in\mathbb{N}}\mathopen{}\mathclose{{}\left(% \mathopen{}\mathclose{{}\left(a,b,\dots}\right)}\right)$	$\displaystyle\equiv\mathcal{E}_{l}\mathopen{}\mathclose{{}\left(a}\right)% \frown\mathcal{E}_{l}\mathopen{}\mathclose{{}\left(b}\right)\frown\dots$
(C.15)	$\displaystyle\mathcal{E}_{l\in\mathbb{N}}\mathopen{}\mathclose{{}\left(% \mathopen{}\mathclose{{}\left[\mathbf{i}_{0},\mathbf{i}_{1},\dots}\right]}\right)$	$\displaystyle\equiv\mathcal{E}_{l}\mathopen{}\mathclose{{}\left(\mathbf{i}_{0}% }\right)\frown\mathcal{E}_{l}\mathopen{}\mathclose{{}\left(\mathbf{i}_{1}}% \right)\frown\dots$

And so on.

C.2. Block Serialization

A block $\mathbf{B}$ is serialized as a tuple of its elements in regular order, as implied in equations 4.2, 4.3 and 5.1. For the header, we define both the regular serialization and the unsigned serialization $\mathcal{E}_{U}$ . Formally:

(C.16)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{B}}\right)$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{H},\mathcal{E}_% {T}\mathopen{}\mathclose{{}\left(\mathbf{E}_{T}}\right),\mathcal{E}_{P}% \mathopen{}\mathclose{{}\left(\mathbf{E}_{P}}\right),\mathcal{E}_{G}\mathopen{% }\mathclose{{}\left(\mathbf{E}_{G}}\right),\mathcal{E}_{A}\mathopen{}% \mathclose{{}\left(\mathbf{E}_{A}}\right),\mathcal{E}_{D}\mathopen{}\mathclose% {{}\left(\mathbf{E}_{D}}\right)}\right)$
(C.17)	$\displaystyle\mathcal{E}_{T}\mathopen{}\mathclose{{}\left(\mathbf{E}_{T}}\right)$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(% \mathcal{E}_{1}\mathopen{}\mathclose{{}\left(e}\right),p}\right)\;\middle\|\;% \mathopen{}\mathclose{{}\left(e,p}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}% [1.0]{$-$}}}\mathbf{E}_{T}}\right]}\right.\!}\right)$
(C.18)	$\displaystyle\mathcal{E}_{P}\mathopen{}\mathclose{{}\left(\mathbf{E}_{P}}\right)$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(% \mathcal{E}_{4}\mathopen{}\mathclose{{}\left(s}\right),\mathopen{}\mathclose{{% }\left\updownarrow\mathbf{d}}\right.\!}\right)\;\middle\|\;\mathopen{}% \mathclose{{}\left(s,\mathbf{d}}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1% .0]{$-$}}}\mathbf{E}_{P}}\right]}\right.\!}\right)$
(C.19)	$\displaystyle\mathcal{E}_{G}\mathopen{}\mathclose{{}\left(\mathbf{E}_{G}}\right)$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\mathbf{E}_{G}}\right.\!}\right)$
(C.20)	$\displaystyle\mathcal{E}_{A}\mathopen{}\mathclose{{}\left(\mathbf{E}_{A}}\right)$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(% a,f,\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(v}\right),s}\right)\;\middle\|% \;\mathopen{}\mathclose{{}\left(a,f,v,s}\right)\mathrel{\mathrlap{<}{\scalebox% {0.95}[1.0]{$-$}}}\mathbf{E}_{A}}\right]}\right.\!}\right)$
(C.21)	$\displaystyle\mathcal{E}_{D}\mathopen{}\mathclose{{}\left(\mathopen{}% \mathclose{{}\left(\mathbf{v},\mathbf{c},\mathbf{f}}\right)}\right)$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(% r,\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(a}\right),\mathopen{}\mathclose% {{}\left\updownarrow\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}% \left(v,\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(i}\right),s}\right)\;% \middle\|\;\mathopen{}\mathclose{{}\left(v,i,s}\right)\mathrel{\mathrlap{<}{% \scalebox{0.95}[1.0]{$-$}}}\mathbf{j}}\right]}\right.\!}\right)\;\middle\|\;% \mathopen{}\mathclose{{}\left(r,a,\mathbf{j}}\right)\mathrel{\mathrlap{<}{% \scalebox{0.95}[1.0]{$-$}}}\mathbf{v}}\right]}\right.\!,\mathopen{}\mathclose{% {}\left\updownarrow\mathbf{c}}\right.\!,\mathopen{}\mathclose{{}\left% \updownarrow\mathbf{f}}\right.\!}\right)$
(C.22)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{H}}\right)$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathcal{E}_{U}% \mathopen{}\mathclose{{}\left(\mathbf{H}}\right),\mathbf{H}_{S}}\right)$
(C.23)	$\displaystyle\mathcal{E}_{U}\mathopen{}\mathclose{{}\left(\mathbf{H}}\right)$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{H}_{P},\mathbf{% H}_{R},\mathbf{H}_{X},\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(\mathbf{H}_% {T}}\right),\mathcal{E}_{E}\mathopen{}\mathclose{{}\left(\mathbf{H}_{E}}\right% ),\mathord{\text{¿}}\mathbf{H}_{W},\mathcal{E}_{2}\mathopen{}\mathclose{{}% \left(\mathbf{H}_{I}}\right),\mathbf{H}_{V},\mathopen{}\mathclose{{}\left% \updownarrow\mathbf{H}_{O}}\right.\!}\right)$
(C.24)	$\displaystyle\mathcal{E}_{E}\mathopen{}\mathclose{{}\left(\emptyset}\right)$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(0}\right)$
(C.25)	$\displaystyle\mathcal{E}_{E}\mathopen{}\mathclose{{}\left(\mathopen{}% \mathclose{{}\left(\eta_{0},\eta_{1},\mathbf{k}}\right)}\right)$	$\displaystyle=\mathcal{E}\mathopen{}\mathclose{{}\left(1,\eta_{0},\eta_{1},% \mathopen{}\mathclose{{}\left\updownarrow\mathbf{k}}\right.\!}\right)$
(C.26)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{x}\in\mathbb{C}}\right)$	$\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{x}_{a},% \mathcal{E}_{4}\mathopen{}\mathclose{{}\left(\mathbf{x}_{n}}\right),\mathbf{x}% _{s},\mathbf{x}_{b},\mathbf{x}_{l},\mathcal{E}_{4}\mathopen{}\mathclose{{}% \left(\mathbf{x}_{t}}\right),\mathbf{x}_{r},\mathopen{}\mathclose{{}\left% \updownarrow\mathbf{x}_{\mathbf{p}}}\right.\!}\right)$
(C.27)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{x}\in\mathbb{Y}}\right)$	$\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{x}_{p},% \mathcal{E}_{4}\mathopen{}\mathclose{{}\left(\mathbf{x}_{l}}\right),\mathbf{x}% _{u},\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(\mathbf{x}_{v}}\right),% \mathbf{x}_{e},\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(\mathbf{x}_{n}}% \right)}\right)$
(C.28)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{d}\in\mathbb{D}}\right)$	$\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(\mathcal{E}_{4}% \mathopen{}\mathclose{{}\left(\mathbf{d}_{s}}\right),\mathbf{d}_{c},\mathbf{d}% _{y},\mathcal{E}_{8}\mathopen{}\mathclose{{}\left(\mathbf{d}_{g}}\right),O% \mathopen{}\mathclose{{}\left(\mathbf{d}_{\mathbf{l}}}\right),\mathbf{d}_{u},% \mathbf{d}_{i},\mathbf{d}_{x},\mathbf{d}_{z},\mathbf{d}_{e}}\right)$
(C.29)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{r}\in\mathbb{R}}\right)$	$\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{r}_{% \mathbf{s}},\mathbf{r}_{\mathbf{c}},\mathbf{r}_{c},\mathbf{r}_{a},\mathbf{r}_{% g},\mathopen{}\mathclose{{}\left\updownarrow\mathbf{r}_{\mathbf{t}}}\right.\!,% \mathopen{}\mathclose{{}\left\updownarrow\mathbf{r}_{\mathbf{l}}}\right.\!,% \mathopen{}\mathclose{{}\left\updownarrow\mathbf{r}_{\mathbf{d}}}\right.\!}\right)$
(C.30)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{g}\in\mathbb{G}}\right)$	$\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{g}_{% \mathbf{r}},\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(\mathbf{g}_{t}}\right% ),\mathopen{}\mathclose{{}\left\updownarrow\mathopen{}\mathclose{{}\left[% \mathopen{}\mathclose{{}\left(\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(v}% \right),s}\right)\;\middle\|\;\mathopen{}\mathclose{{}\left(v,s}\right)\mathrel% {\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{g}_{a}}\right]}\right.\!}\right)$
(C.31)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{p}\in\mathbb{P}}\right)$	$\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(\mathcal{E}_{4}% \mathopen{}\mathclose{{}\left(\mathbf{p}_{h}}\right),\mathbf{p}_{u},\mathbf{p}% _{\mathbf{c}},\mathopen{}\mathclose{{}\left\updownarrow\mathbf{p}_{\mathbf{j}}% }\right.\!,\mathopen{}\mathclose{{}\left\updownarrow\mathbf{p}_{\mathbf{f}}}% \right.\!,\mathopen{}\mathclose{{}\left\updownarrow\mathbf{p}_{\mathbf{w}}}% \right.\!}\right)$
(C.32)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{w}\in\mathbb{W}}\right)$	$\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(\mathcal{E}_{4}% \mathopen{}\mathclose{{}\left(\mathbf{w}_{s}}\right),\mathbf{w}_{c},\mathcal{E% }_{8}\mathopen{}\mathclose{{}\left(\mathbf{w}_{g}}\right),\mathcal{E}_{8}% \mathopen{}\mathclose{{}\left(\mathbf{w}_{a}}\right),\mathcal{E}_{2}\mathopen{% }\mathclose{{}\left(\mathbf{w}_{e}}\right),\mathopen{}\mathclose{{}\left% \updownarrow\mathbf{w}_{\mathbf{y}}}\right.\!,\mathopen{}\mathclose{{}\left% \updownarrow I^{\#}\mathopen{}\mathclose{{}\left(\mathbf{w}_{\mathbf{i}}}% \right)}\right.\!,\mathopen{}\mathclose{{}\left\updownarrow\mathopen{}% \mathclose{{}\left[\mathopen{}\mathclose{{}\left(h,\mathcal{E}_{4}\mathopen{}% \mathclose{{}\left(i}\right)}\right)\;\middle\|\;\mathopen{}\mathclose{{}\left(% h,i}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{w}_{% \mathbf{x}}}\right]}\right.\!}\right)$
(C.33)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(x\in\mathbb{T}}\right)$	$\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(x_{y},\mathcal{E}_% {1}\mathopen{}\mathclose{{}\left(x_{e}}\right)}\right)$
(C.34)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(x\in\mathbb{X}}\right)$	$\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(1,\mathcal{E}_{4}% \mathopen{}\mathclose{{}\left(x_{s}}\right),\mathcal{E}_{4}\mathopen{}% \mathclose{{}\left(x_{d}}\right),\mathcal{E}_{8}\mathopen{}\mathclose{{}\left(% x_{a}}\right),x_{m},\mathcal{E}_{8}\mathopen{}\mathclose{{}\left(x_{g}}\right)% }\right)$
(C.35)	$\displaystyle\mathcal{E}\mathopen{}\mathclose{{}\left(\mathbf{x}\in\mathbb{U}}\right)$	$\displaystyle\equiv\mathcal{E}\mathopen{}\mathclose{{}\left(0,\mathbf{x}_{p},% \mathbf{x}_{e},\mathbf{x}_{a},\mathbf{x}_{y},\mathbf{x}_{g},O\mathopen{}% \mathclose{{}\left(\mathbf{x}_{\mathbf{l}}}\right),\mathopen{}\mathclose{{}% \left\updownarrow\mathbf{x}_{\mathbf{t}}}\right.\!}\right)$
(C.36)	$\displaystyle O\mathopen{}\mathclose{{}\left(o\in\mathbb{E}\cup\mathbb{B}}\right)$	$\displaystyle\equiv\begin{cases}\mathopen{}\mathclose{{}\left(0,\mathopen{}% \mathclose{{}\left\updownarrow o}\right.\!}\right)&\text{if }o\in\mathbb{B}\\ 1&\text{if }o=\infty\\ 2&\text{if }o=\lightning\\ 3&\text{if }o=\circledcirc\\ 4&\text{if }o=\circleddash\\ 5&\text{if }o=\text{{\small{BAD}}}\\ 6&\text{if }o=\text{{\small{BIG}}}\\ \end{cases}$
(C.37)	$\displaystyle I\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left(h% \in\mathbb{H}\cup\mathbb{H}^{\boxplus},i\in\mathbb{N}_{2^{15}}}\right)}\right)$	$\displaystyle\equiv\begin{cases}\mathopen{}\mathclose{{}\left(h,\mathcal{E}_{2% }\mathopen{}\mathclose{{}\left(i}\right)}\right)&\text{if }h\in\mathbb{H}\\ \mathopen{}\mathclose{{}\left(r,\mathcal{E}_{2}\mathopen{}\mathclose{{}\left(i% +2^{15}}\right)}\right)&\text{if }\exists r\in\mathbb{H},h=r^{\boxplus}\\ \end{cases}$

Note the use of $O$ above to succinctly encode the result of a work item and the slight transformations of e.g. $\mathbf{E}_{G}$ and $\mathbf{E}_{P}$ to take account of the fact their inner tuples contain variable-length sequence terms $a$ and $p$ which need length discriminators.

Appendix D State Merklization

The Merklization process defines a cryptographic commitment from which arbitrary information within state may be provided as being authentic in a concise and swift fashion. We describe this in two stages; the first defines a mapping from 31-octet sequences to (unlimited) octet sequences in a process called state serialization. The second forms a 32-octet commitment from this mapping in a process called Merklization.

D.1. Serialization

The serialization of state primarily involves placing all the various components of $\sigma$ into a single mapping from 31-octet sequence state-keys to octet sequences of indefinite length. The state-key is constructed from a hash component and a chapter component, equivalent to either the index of a state component or, in the case of the inner dictionaries of $\delta$ , a service index.

We define the state-key constructor functions $C$ as:

(D.1)

C\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{N}_{2^{8}}\cup% \mathopen{}\mathclose{{}\left(\mathbb{N}_{2^{8}},\mathbb{N}_{S}}\right)\cup% \mathopen{}\mathclose{{}\left(\mathbb{N}_{S},\mathbb{B}}\right)&\to\mathbb{B}_% {31}\\ i\in\mathbb{N}_{2^{8}}&\mapsto\mathopen{}\mathclose{{}\left[i,0,0,\dots}\right% ]\\ \mathopen{}\mathclose{{}\left(i,s\in\mathbb{N}_{S}}\right)&\mapsto\mathopen{}% \mathclose{{}\left[i,n_{0},0,n_{1},0,n_{2},0,n_{3},0,0,\dots}\right]\ \text{% where }n=\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(s}\right)\\ \mathopen{}\mathclose{{}\left(s,h}\right)&\mapsto\mathopen{}\mathclose{{}\left% [n_{0},a_{0},n_{1},a_{1},n_{2},a_{2},n_{3},a_{3},a_{4},a_{5},\dots,a_{26}}% \right]\ \text{where }n=\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(s}\right)% ,a=\mathcal{H}\mathopen{}\mathclose{{}\left(h}\right)\end{aligned}}\right.

The state serialization is then defined as the dictionary built from the amalgamation of each of the components. Cryptographic hashing ensures that there will be no duplicate state-keys given that there are no duplicate inputs to $C$ . Formally, we define $T$ which transforms some state $\sigma$ into its serialized form:

(D.2)

T(\sigma)\equiv\mathopen{}\mathclose{{}\left\{\begin{aligned} &&C(1)&\mapsto% \mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left[% \mathopen{}\mathclose{{}\left\updownarrow x}\right.\!\;\middle|\;x\mathrel{% \mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\alpha}\right]}\right)\;,\\ &&C(2)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\phi}\right)\;,\\ &&C(3)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(% h,b,s,\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(t}\right),\mathopen{}% \mathclose{{}\left\updownarrow\mathbf{p}}\right.\!}\right)\;\middle|\;% \mathopen{}\mathclose{{}\left(h,b,s,t,\mathbf{p}}\right)\mathrel{\mathrlap{<}{% \scalebox{0.95}[1.0]{$-$}}}\beta_{H}}\right]}\right.\!,\mathcal{E}_{M}% \mathopen{}\mathclose{{}\left(\beta_{B}}\right)}\right)\;,\\ &&C(4)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\gamma_{P}}\right.\!,\gamma_{Z},\mathopen{}\mathclose{{}% \left\{\begin{aligned} 0\ &\text{if }\gamma_{S}\in\mathopen{}\mathclose{{}% \left\lsem\mathbb{T}}\right\rsem_{\mathsf{E}}\\ 1\ &\text{if }\gamma_{S}\in\mathopen{}\mathclose{{}\left\lsem\accentset{% \backsim}{\mathbb{H}}}\right\rsem_{\mathsf{E}}\\ \end{aligned}}\right\},\gamma_{S},\mathopen{}\mathclose{{}\left\updownarrow% \gamma_{A}}\right.\!}\right)\;,\\ &&C(5)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\mathopen{}\mathclose{{}\left[x\in\psi_{G}\,\middle\lwavy\,x% }\right]}\right.\!,\mathopen{}\mathclose{{}\left\updownarrow\mathopen{}% \mathclose{{}\left[x\in\psi_{B}\,\middle\lwavy\,x}\right]}\right.\!,\mathopen{% }\mathclose{{}\left\updownarrow\mathopen{}\mathclose{{}\left[x\in\psi_{W}\,% \middle\lwavy\,x}\right]}\right.\!,\mathopen{}\mathclose{{}\left\updownarrow% \mathopen{}\mathclose{{}\left[x\in\psi_{O}\,\middle\lwavy\,x}\right]}\right.\!% }\right)\;,\\ &&C(6)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\eta}\right)\;,\\ &&C(7)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\iota}\right.\!}\right)\;,\\ &&C(8)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\kappa}\right.\!}\right)\;,\\ &&C(9)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{% }\left\updownarrow\lambda}\right.\!}\right)\;,\\ &&C(10)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{% {}\left[\mathord{\text{¿}}\mathopen{}\mathclose{{}\left(\mathbf{g},\mathcal{E}% _{4}\mathopen{}\mathclose{{}\left(t}\right)}\right)\;\middle|\;\mathopen{}% \mathclose{{}\left(\mathbf{g},t}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1% .0]{$-$}}}\rho}\right]}\right)\;,\\ &&C(11)&\mapsto\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(\tau}\right)\;,\\ &&C(12)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathcal{E}_{4}% \mathopen{}\mathclose{{}\left(\chi_{M},\chi_{A},\chi_{V},\chi_{R}}\right),\chi% _{Z}}\right)\;,\\ &&C(13)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{% {}\left\updownarrow\mathopen{}\mathclose{{}\left[\mathcal{E}_{4}\mathopen{}% \mathclose{{}\left(\mathbf{v}}\right)\;\middle|\;\mathbf{v}\mathrel{\mathrlap{% <}{\scalebox{0.95}[1.0]{$-$}}}\pi_{V}}\right]}\right.\!,\mathopen{}\mathclose{% {}\left\updownarrow\mathopen{}\mathclose{{}\left[\mathcal{E}_{4}\mathopen{}% \mathclose{{}\left(\mathbf{v}}\right)\;\middle|\;\mathbf{v}\mathrel{\mathrlap{% <}{\scalebox{0.95}[1.0]{$-$}}}\pi_{L}}\right]}\right.\!,\pi_{C},\pi_{S}}\right% )\;,\\ &&C(14)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{% {}\left[\mathopen{}\mathclose{{}\left\updownarrow\mathopen{}\mathclose{{}\left% [\mathopen{}\mathclose{{}\left(\mathbf{r},\mathopen{}\mathclose{{}\left% \updownarrow\mathbf{d}}\right.\!}\right)\;\middle|\;\mathopen{}\mathclose{{}% \left(\mathbf{r},\mathbf{d}}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{% $-$}}}\mathbf{i}}\right]}\right.\!\;\middle|\;\mathbf{i}\mathrel{\mathrlap{<}{% \scalebox{0.95}[1.0]{$-$}}}\omega}\right]}\right)\;,\\ &&C(15)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{% {}\left[\mathopen{}\mathclose{{}\left\updownarrow\mathbf{i}}\right.\!\;\middle% |\;\mathbf{i}\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\xi}\right]}% \right)\;,\\ &&C(16)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{% {}\left\updownarrow\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left% (\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(s}\right),\mathcal{E}\mathopen{}% \mathclose{{}\left(h}\right)}\right)\;\middle|\;\mathopen{}\mathclose{{}\left(% s,h}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\theta}\right]}% \right.\!}\right)\;,\\ \forall\mathopen{}\mathclose{{}\left(s\mapsto\mathbf{a}}\right)\in\delta:&&C(2% 55,s)&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(0,\mathbf{a}_{c},% \mathcal{E}_{8}\mathopen{}\mathclose{{}\left(\mathbf{a}_{b},\mathbf{a}_{g},% \mathbf{a}_{m},\mathbf{a}_{o},\mathbf{a}_{f}}\right),\mathcal{E}_{4}\mathopen{% }\mathclose{{}\left(\mathbf{a}_{i},\mathbf{a}_{r},\mathbf{a}_{a},\mathbf{a}_{p% }}\right)}\right)\;,\\ \forall\mathopen{}\mathclose{{}\left(s\mapsto\mathbf{a}}\right)\in\delta,% \mathopen{}\mathclose{{}\left(\mathbf{k}\mapsto\mathbf{v}}\right)\in\mathbf{a}% _{\mathbf{s}}:&&C(s,\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(2^{32}-1}% \right)\frown\mathbf{k})&\mapsto\mathbf{v}\;,\\ \forall\mathopen{}\mathclose{{}\left(s\mapsto\mathbf{a}}\right)\in\delta,% \mathopen{}\mathclose{{}\left(h\mapsto\mathbf{p}}\right)\in\mathbf{a}_{\mathbf% {p}}:&&C(s,\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(2^{32}-2}\right)\frown h% )&\mapsto\mathbf{p}\;,\\ \forall\mathopen{}\mathclose{{}\left(s\mapsto\mathbf{a}}\right)\in\delta,% \mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left(h,l}\right)\mapsto% \mathbf{t}}\right)\in\mathbf{a}_{\mathbf{l}}:&&C(s,\mathcal{E}_{4}\mathopen{}% \mathclose{{}\left(l}\right)\frown h)&\mapsto\mathcal{E}\mathopen{}\mathclose{% {}\left(\mathopen{}\mathclose{{}\left\updownarrow\mathopen{}\mathclose{{}\left% [\mathcal{E}_{4}\mathopen{}\mathclose{{}\left(x}\right)\;\middle|\;x\mathrel{% \mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{t}}\right]}\right.\!}\right)% \end{aligned}}\right.

Note that most rows describe a single mapping between a key derived from a natural and the serialization of a state component. However, the final four rows each define sets of mappings since these items act over all service accounts and in the case of the final three rows, the keys of a nested dictionary with the service.

Also note that all non-discriminator numeric serialization in state is done in fixed-length according to the size of the term.

Finally, be aware that Jam does not allow service storage keys to be directly inspected or enumerated. Thus the key values themselves are not required to be known by implementations, and only the Merklisation-ready serialisation is important, which is a fixed-size hash (alongside the service index and item marker). Implementations are free to use this fact in order to avoid storing the keys themselves.

D.2. Merklization

With $T$ defined, we now define the rest of $\mathcal{M}_{\sigma}$ which primarily involves transforming the serialized mapping into a cryptographic commitment. We define this commitment as the root of the binary Patricia Merkle Trie with a format optimized for modern compute hardware, primarily by optimizing sizes to fit succinctly into typical memory layouts and reducing the need for unpredictable branching.

D.2.1. Node Encoding and Trie Identification

We identify (sub-)tries as the hash of their root node, with one exception: empty (sub-)tries are identified as the zero-hash, $\mathbb{H}_{0}$ .

Nodes are fixed in size at 512 bit (64 bytes). Each node is either a branch or a leaf. The first bit discriminate between these two types.

In the case of a branch, the remaining 511 bits are split between the two child node hashes, using the last 255 bits of the 0-bit (left) sub-trie identity and the full 256 bits of the 1-bit (right) sub-trie identity.

Leaf nodes are further subdivided into embedded-value leaves and regular leaves. The second bit of the node discriminates between these.

In the case of an embedded-value leaf, the remaining 6 bits of the first byte are used to store the embedded value size. The following 31 bytes are dedicated to the state key. The last 32 bytes are defined as the value, filling with zeroes if its length is less than 32 bytes.

In the case of a regular leaf, the remaining 6 bits of the first byte are zeroed. The following 31 bytes store the state key. The last 32 bytes store the hash of the value.

Formally, we define the encoding functions $B$ and $L$ :

(D.3)		$\displaystyle B$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathbb{H},\mathbb{H}}\right\rgroup\!&\to\mathbb{b}_% {512}\\ \mathopen{}\mathclose{{}\left(l,r}\right)&\mapsto\mathopen{}\mathclose{{}\left% [0}\right]\frown\text{bits}(l)_{1\dots}\frown\text{bits}(r)\end{aligned}}\right.$
(D.4)		$\displaystyle L$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathbb{B}_{31},\mathbb{B}}\right\rgroup\!&\to% \mathbb{b}_{512}\\ \mathopen{}\mathclose{{}\left(k,v}\right)&\mapsto\begin{cases}\mathopen{}% \mathclose{{}\left[1,0}\right]\frown\text{bits}(\mathcal{E}_{1}\mathopen{}% \mathclose{{}\left(\mathopen{}\mathclose{{}\left\|v}\right\|}\right))_{2\dots}% \frown\text{bits}(k)\frown\text{bits}(v)\frown\mathopen{}\mathclose{{}\left[0,% 0,\dots}\right]&\text{if }\mathopen{}\mathclose{{}\left\|v}\right\|\leq 32\\ \mathopen{}\mathclose{{}\left[1,1,0,0,0,0,0,0}\right]\frown\text{bits}(k)% \frown\text{bits}(\mathcal{H}\mathopen{}\mathclose{{}\left(v}\right))&\text{% otherwise}\end{cases}\end{aligned}}\right.$

We may then define the basic Merklization function $\mathcal{M}_{\sigma}$ as:

(D.5)		$\displaystyle\mathcal{M}_{\sigma}\mathopen{}\mathclose{{}\left(\sigma}\right)$	$\displaystyle\equiv M(\mathopen{}\mathclose{{}\left\{\,\mathopen{}\mathclose{{% }\left(\text{bits}(k)\mapsto\mathopen{}\mathclose{{}\left(k,v}\right)}\right)% \;\middle\|\;\mathopen{}\mathclose{{}\left(k\mapsto v}\right)\in T(\sigma)\,}% \right\})$
(D.6)		$\displaystyle M(d:\mathopen{}\mathclose{{}\left\langlebar\mathbb{b}\to\!% \mathopen{}\mathclose{{}\left\lgroup\mathbb{B}_{31},\mathbb{B}}\right\rgroup\!% }\right\ranglebar)$	$\displaystyle\equiv\begin{cases}\mathbb{H}_{0}&\text{if }\mathopen{}\mathclose% {{}\left\|d}\right\|=0\\ \mathcal{H}\mathopen{}\mathclose{{}\left(\text{bits}^{-1}(L(k,v))}\right)&% \text{if }\mathcal{V}\mathopen{}\mathclose{{}\left(d}\right)=\mathopen{}% \mathclose{{}\left\{\,\mathopen{}\mathclose{{}\left(k,v}\right)\,}\right\}\\ \mathcal{H}\mathopen{}\mathclose{{}\left(\text{bits}^{-1}(B(M(l),M(r)))}\right% )&\text{otherwise}\\ \lx@intercol\quad\text{where }\forall b,p:\mathopen{}\mathclose{{}\left(b% \mapsto p}\right)\in d\Leftrightarrow\mathopen{}\mathclose{{}\left(b_{1\dots}% \mapsto p}\right)\in\begin{cases}l&\text{if }b_{0}=0\\ r&\text{if }b_{0}=1\end{cases}\hfil\lx@intercol\end{cases}$

Appendix E General Merklization

E.1. Binary Merkle Trees

The Merkle tree is a cryptographic data structure yielding a hash commitment to a specific sequence of values. It provides $O(N)$ computation and $O(\log(N))$ proof size for inclusion. This well-balanced formulation ensures that the maximum depth of any leaf is minimal and that the number of leaves at that depth is also minimal.

The underlying function for our Merkle trees is the node function $N$ , which accepts some sequence of blobs of some length $n$ and provides either such a blob back or a hash:

(E.1)

N\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{}\mathclose{% {}\left\lgroup\mathopen{}\mathclose{{}\left\lsem\mathbb{B}_{n}}\right\rsem,% \mathbb{B}\to\mathbb{H}}\right\rgroup\!&\to\mathbb{B}_{n}\cup\mathbb{H}\\ \mathopen{}\mathclose{{}\left(\mathbf{v},H}\right)&\mapsto\begin{cases}\mathbb% {H}_{0}&\text{if }\mathopen{}\mathclose{{}\left|\mathbf{v}}\right|=0\\ \mathbf{v}_{0}&\text{if }\mathopen{}\mathclose{{}\left|\mathbf{v}}\right|=1\\ H(\text{{\small{\$node}}}\frown N(\mathbf{v}_{\dots\mathopen{}\mathclose{{}% \left\lceil\nicefrac{{\mathopen{}\mathclose{{}\left|\mathbf{v}}\right|}}{{2}}}% \right\rceil},H)\frown N(\mathbf{v}_{\mathopen{}\mathclose{{}\left\lceil% \nicefrac{{\mathopen{}\mathclose{{}\left|\mathbf{v}}\right|}}{{2}}}\right% \rceil\dots},H))&\text{otherwise}\end{cases}\end{aligned}}\right.

The astute reader will realize that if our $\mathbb{B}_{n}$ happens to be equivalent $\mathbb{H}$ then this function will always evaluate into $\mathbb{H}$ . That said, for it to be secure care must be taken to ensure there is no possibility of preimage collision. For this purpose we include the hash prefix $node to minimize the chance of this; simply ensure any items are hashed with a different prefix and the system can be considered secure.

We also define the trace function $T$ , which returns each opposite node from top to bottom as the tree is navigated to arrive at some leaf corresponding to the item of a given index into the sequence. It is useful in creating justifications of data inclusion.

(E.2)

T\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{}\mathclose{% {}\left\lgroup\mathopen{}\mathclose{{}\left\lsem\mathbb{B}_{n}}\right\rsem,% \mathbb{N}_{\mathopen{}\mathclose{{}\left|\mathbf{v}}\right|},\mathbb{B}\to% \mathbb{H}}\right\rgroup\!\ &\to\mathopen{}\mathclose{{}\left\lsem\mathbb{B}_{% n}\cup\mathbb{H}}\right\rsem\\ \mathopen{}\mathclose{{}\left(\mathbf{v},i,H}\right)&\mapsto\begin{cases}% \mathopen{}\mathclose{{}\left[N(P^{\bot}(\mathbf{v},i),H)}\right]\frown T(P^{% \top}(\mathbf{v},i),i-P_{I}(\mathbf{v},i),H)&\text{if }\mathopen{}\mathclose{{% }\left|\mathbf{v}}\right|>1\\ \mathopen{}\mathclose{{}\left[}\right]&\text{otherwise}\\ \lx@intercol\begin{aligned} \quad\text{where }P^{s}(\mathbf{v},i)&\equiv\begin% {cases}\mathbf{v}_{\dots\mathopen{}\mathclose{{}\left\lceil\nicefrac{{% \mathopen{}\mathclose{{}\left|\mathbf{v}}\right|}}{{2}}}\right\rceil}&\text{if% }(i<\mathopen{}\mathclose{{}\left\lceil\nicefrac{{\mathopen{}\mathclose{{}% \left|\mathbf{v}}\right|}}{{2}}}\right\rceil)=s\\ \mathbf{v}_{\mathopen{}\mathclose{{}\left\lceil\nicefrac{{\mathopen{}% \mathclose{{}\left|\mathbf{v}}\right|}}{{2}}}\right\rceil\dots}&\text{% otherwise}\end{cases}\\[4.0pt] \quad\text{and }P_{I}(\mathbf{v},i)&\equiv\begin{cases}0&\text{if }i<\mathopen% {}\mathclose{{}\left\lceil\nicefrac{{\mathopen{}\mathclose{{}\left|\mathbf{v}}% \right|}}{{2}}}\right\rceil\\ \mathopen{}\mathclose{{}\left\lceil\nicefrac{{\mathopen{}\mathclose{{}\left|% \mathbf{v}}\right|}}{{2}}}\right\rceil&\text{otherwise}\end{cases}\\ \end{aligned}\hfil\lx@intercol\end{cases}\\ \end{aligned}}\right.

From this we define our other Merklization functions.

E.1.1. Well-Balanced Tree

We define the well-balanced binary Merkle function as $\mathcal{M}_{B}$ :

(E.3)

\mathcal{M}_{B}\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!% \mathopen{}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\lsem\mathbb{% B}}\right\rsem,\mathbb{B}\to\mathbb{H}}\right\rgroup\!&\to\mathbb{H}\\ \mathopen{}\mathclose{{}\left(\mathbf{v},H}\right)&\mapsto\begin{cases}H(% \mathbf{v}_{0})&\text{if }\mathopen{}\mathclose{{}\left|\mathbf{v}}\right|=1\\ N(\mathbf{v},H)&\text{otherwise}\end{cases}\\ \end{aligned}}\right.

This is suitable for creating proofs on data which is not much greater than 32 octets in length since it avoids hashing each item in the sequence. For sequences with larger data items, it is better to hash them beforehand to ensure proof-size is minimal since each proof will generally contain a data item.

Note: In the case that no hash function argument $H$ is supplied, we may assume Blake 2b.

E.1.2. Constant-Depth Tree

We define the constant-depth binary Merkle function as $\mathcal{M}$ . We define two corresponding functions for working with subtree pages, $\mathcal{J}_{x}$ and $\mathcal{L}_{x}$ . The latter provides a single page of leaves, themselves hashed, prefixed data. The former provides the Merkle path to a single page. Both assume size-aligned pages of size $2^{x}$ and accept page indices.

(E.4)	$\displaystyle\mathcal{M}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\lsem\mathbb{B}}\right% \rsem,\mathbb{B}\to\mathbb{H}}\right\rgroup\!&\to\mathbb{H}\\ \mathopen{}\mathclose{{}\left(\mathbf{v},H}\right)&\mapsto N(C(\mathbf{v},H),H% )\end{aligned}}\right.$
(E.5)	$\displaystyle\mathcal{J}_{x}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\lsem\mathbb{B}}\right% \rsem,\mathbb{N}_{\mathopen{}\mathclose{{}\left\|\mathbf{v}}\right\|},\mathbb{B}% \to\mathbb{H}}\right\rgroup\!&\to\mathopen{}\mathclose{{}\left\lsem\mathbb{H}}% \right\rsem\\ \mathopen{}\mathclose{{}\left(\mathbf{v},i,H}\right)&\mapsto T(C(\mathbf{v},H)% ,2^{x}i,H)_{\dots\max(0,\mathopen{}\mathclose{{}\left\lceil\log_{2}(\max(1,% \mathopen{}\mathclose{{}\left\|\mathbf{v}}\right\|))-x}\right\rceil)}\end{% aligned}}\right.$
(E.6)	$\displaystyle\mathcal{L}_{x}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\lsem\mathbb{B}}\right% \rsem,\mathbb{N}_{\mathopen{}\mathclose{{}\left\|\mathbf{v}}\right\|},\mathbb{B}% \to\mathbb{H}}\right\rgroup\!&\to\mathopen{}\mathclose{{}\left\lsem\mathbb{H}}% \right\rsem\\ \mathopen{}\mathclose{{}\left(\mathbf{v},i,H}\right)&\mapsto\mathopen{}% \mathclose{{}\left[H(\text{{\small{\$leaf}}}\frown l)\;\middle\|\;l\mathrel{% \mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{v}_{2^{x}i\dots\min(2^{x}i+2^{% x},\mathopen{}\mathclose{{}\left\|\mathbf{v}}\right\|)}}\right]\end{aligned}}\right.$

For the latter justification $\mathcal{J}_{x}$ to be acceptable, we must assume the target observer also knows not merely the value of the item at the given index, but also all other leaves within its $2^{x}$ size subtree, given by $\mathcal{L}_{x}$ .

As above, we may assume a default value for $H$ of Blake 2b.

For justifications and Merkle root calculations, a constancy preprocessor function $C$ is applied which hashes all data items with a fixed prefix “leaf” and then pads the overall size to the next power of two with the zero hash $\mathbb{H}_{0}$ :

(E.7)

C\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{}\mathclose{% {}\left\lgroup\mathopen{}\mathclose{{}\left\lsem\mathbb{B}}\right\rsem,\mathbb% {B}\to\mathbb{H}}\right\rgroup\!&\to\mathopen{}\mathclose{{}\left\lsem\mathbb{% H}}\right\rsem\\ \mathopen{}\mathclose{{}\left(\mathbf{v},H}\right)&\mapsto\mathbf{v}^{\prime}% \ \text{where }\mathopen{}\mathclose{{}\left\{\;\begin{aligned} \mathopen{}% \mathclose{{}\left|\mathbf{v}^{\prime}}\right|&=2^{\mathopen{}\mathclose{{}% \left\lceil\log_{2}(\max(1,\mathopen{}\mathclose{{}\left|\mathbf{v}}\right|))}% \right\rceil}\\ \mathbf{v}^{\prime}_{i}&=\begin{cases}H(\text{{\small{\$leaf}}}\frown\mathbf{v% }_{i})&\text{if }i<\mathopen{}\mathclose{{}\left|\mathbf{v}}\right|\\ \mathbb{H}_{0}&\text{otherwise}\\ \end{cases}\end{aligned}}\right.\end{aligned}}\right.

E.2. Merkle Mountain Ranges and Belts

The Merkle Mountain Range (mmr) is an append-only cryptographic data structure which yields a commitment to a sequence of values. Appending to an mmr and proof of inclusion of some item within it are both $O(\log(N))$ in time and space for the size of the set.

We define a Merkle Mountain Range as being within the set $\mathopen{}\mathclose{{}\left\lsem\mathbb{H}\bm{?}}\right\rsem$ , a sequence of peaks, each peak the root of a Merkle tree containing $2^{i}$ items where $i$ is the index in the sequence. Since we support set sizes which are not always powers-of-two-minus-one, some peaks may be empty, $\emptyset$ rather than a Merkle root.

Since the sequence of hashes is somewhat unwieldy as a commitment, Merkle Mountain Ranges are themselves generally hashed before being published. Hashing them removes the possibility of further appending so the range itself is kept on the system which needs to generate future proofs.

We define the mmb append function $\mathcal{A}$ as:

(E.8)	$\displaystyle\mathcal{A}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\,\begin{aligned} \!% \mathopen{}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\lsem\mathbb{% H}\bm{?}}\right\rsem,\mathbb{H},\mathbb{B}\to\mathbb{H}}\right\rgroup\!&\to% \mathopen{}\mathclose{{}\left\lsem\mathbb{H}\bm{?}}\right\rsem\\ \mathopen{}\mathclose{{}\left(\mathbf{r},l,H}\right)&\mapsto P(\mathbf{r},l,0,% H)\vphantom{x^{\prime}_{i}}\end{aligned}}\right.$
	$\displaystyle\text{where }P$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\,\begin{aligned} \!% \mathopen{}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\lsem\mathbb{% H}\bm{?}}\right\rsem,\mathbb{H},\mathbb{N},\mathbb{B}\to\mathbb{H}}\right% \rgroup\!&\to\mathopen{}\mathclose{{}\left\lsem\mathbb{H}\bm{?}}\right\rsem\\ \mathopen{}\mathclose{{}\left(\mathbf{r},l,n,H}\right)&\mapsto\begin{cases}% \mathbf{r}\mathrel{\hbox to0.0pt{\hbox to7.0pt{\hfill\vrule height=5.0pt,depth% =0.0pt,width=0.6pt\hfill\vrule height=5.0pt,depth=0.0pt,width=0.6pt\hfill}}% \vbox to5.0pt{\vfill\hrule height=0.6pt,depth=0.0pt,width=7.0pt\vfill}}l&\text% {if }n\geq\mathopen{}\mathclose{{}\left\|\mathbf{r}}\right\|\\ R(\mathbf{r},n,l)&\text{if }n<\mathopen{}\mathclose{{}\left\|\mathbf{r}}\right\|% \wedge\mathbf{r}_{n}=\emptyset\\ P(R(\mathbf{r},n,\emptyset),H(\mathbf{r}_{n}\frown l),n+1,H)&\text{otherwise}% \end{cases}\vphantom{x^{\prime}_{i}}\end{aligned}}\right.$
	$\displaystyle\text{and }R$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\,\begin{aligned} \!% \mathopen{}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\lsem T}% \right\rsem,\mathbb{N},T}\right\rgroup\!&\to\mathopen{}\mathclose{{}\left\lsem T% }\right\rsem\\ \mathopen{}\mathclose{{}\left(\mathbf{s},i,v}\right)&\mapsto\mathbf{s}^{\prime% }\ \text{where }\mathbf{s}^{\prime}=\mathbf{s}\text{ except }\mathbf{s}^{% \prime}_{i}=v\vphantom{x^{\prime}_{i}}\end{aligned}}\right.$

We define the mmr encoding function as $\mathcal{E}_{M}$ :

(E.9)

\mathcal{E}_{M}\colon\mathopen{}\mathclose{{}\left\{\,\begin{aligned} % \mathopen{}\mathclose{{}\left\lsem\mathbb{H}\bm{?}}\right\rsem&\to\mathbb{B}\\ \mathbf{b}&\mapsto\mathcal{E}\mathopen{}\mathclose{{}\left(\mathopen{}% \mathclose{{}\left\updownarrow\mathopen{}\mathclose{{}\left[\mathord{\text{¿}}% x\;\middle|\;x\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{b}}% \right]}\right.\!}\right)\vphantom{x^{\prime}_{i}}\end{aligned}}\right.

We define the mmr super-peak function as $\mathcal{M}_{R}$ :

(E.10)

\mathcal{M}_{R}\colon\mathopen{}\mathclose{{}\left\{\,\begin{aligned} % \mathopen{}\mathclose{{}\left\lsem\mathbb{H}\bm{?}}\right\rsem&\to\mathbb{H}\\ \mathbf{b}&\mapsto\begin{cases}\mathbb{H}_{0}&\text{if }\mathopen{}\mathclose{% {}\left|\mathbf{h}}\right|=0\\ \mathbf{h}_{0}&\text{if }\mathopen{}\mathclose{{}\left|\mathbf{h}}\right|=1\\ \mathcal{H}_{K}\mathopen{}\mathclose{{}\left(\text{{\small{\$peak}}}\frown% \mathcal{M}_{R}\mathopen{}\mathclose{{}\left(\mathbf{h}_{\dots\mathopen{}% \mathclose{{}\left|\mathbf{h}}\right|-1}}\right)\frown\mathbf{h}_{\mathopen{}% \mathclose{{}\left|\mathbf{h}}\right|-1}}\right)&\text{otherwise}\\ \lx@intercol\text{where }\mathbf{h}=\mathopen{}\mathclose{{}\left[h\;\middle|% \;h\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbf{b},h\neq\emptyset}% \right]\hfil\lx@intercol\end{cases}\vphantom{x^{\prime}_{i}}\end{aligned}}\right.

Appendix F Shuffling

The Fisher-Yates shuffle function is defined formally as:

(F.1)

\forall T,l\in\mathbb{N}:\mathcal{F}\colon\mathopen{}\mathclose{{}\left\{% \begin{aligned} \!\mathopen{}\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}% \left\lsem T}\right\rsem_{l},\mathopen{}\mathclose{{}\left\lsem\mathbb{N}}% \right\rsem_{l:}}\right\rgroup\!&\to\mathopen{}\mathclose{{}\left\lsem T}% \right\rsem_{l}\\ \mathopen{}\mathclose{{}\left(\mathbf{s},\mathbf{r}}\right)&\mapsto\begin{% cases}\mathopen{}\mathclose{{}\left[\mathbf{s}_{\mathbf{r}_{0}\bmod l}}\right]% \frown\mathcal{F}\mathopen{}\mathclose{{}\left(\mathbf{s}^{\prime}_{\dots l-1}% ,\mathbf{r}_{1\dots}}\right)\ \text{where }\mathbf{s}^{\prime}=\mathbf{s}\text% { except }\mathbf{s^{\prime}}_{\mathbf{r}_{0}\bmod l}=\mathbf{s}_{l-1}&\text{% if }\mathbf{s}\neq\mathopen{}\mathclose{{}\left[}\right]\\ \mathopen{}\mathclose{{}\left[}\right]&\text{otherwise}\end{cases}\end{aligned% }}\right.

Since it is often useful to shuffle a sequence based on some random seed in the form of a hash, we provide a secondary form of the shuffle function $\mathcal{F}$ which accepts a 32-byte hash instead of the numeric sequence. We define $\mathcal{Q}$ , the numeric-sequence-from-hash function, thus:

(F.2)		$\displaystyle\forall l\in\mathbb{N}:\ \mathcal{Q}_{l}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \mathbb{H}&% \to\mathopen{}\mathclose{{}\left\lsem\mathbb{N}_{2^{32}}}\right\rsem_{l}\\ h&\mapsto\mathopen{}\mathclose{{}\left[\mathcal{E}^{-1}_{4}\mathopen{}% \mathclose{{}\left(\mathcal{H}\mathopen{}\mathclose{{}\left(h\frown\mathcal{E}% _{4}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}\left\lfloor% \nicefrac{{i}}{{8}}}\right\rfloor}\right)}\right)_{4i\bmod 32\dots+4}}\right)% \;\middle\|\;i\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}\mathbb{N}_{l}}% \right]\end{aligned}}\right.$
(F.3)		$\displaystyle\forall T,l\in\mathbb{N}:\ \mathcal{F}$	$\displaystyle\colon\mathopen{}\mathclose{{}\left\{\begin{aligned} \!\mathopen{% }\mathclose{{}\left\lgroup\mathopen{}\mathclose{{}\left\lsem T}\right\rsem_{l}% ,\mathbb{H}}\right\rgroup\!&\to\mathopen{}\mathclose{{}\left\lsem T}\right% \rsem_{l}\\ \mathopen{}\mathclose{{}\left(\mathbf{s},h}\right)&\mapsto\mathcal{F}\mathopen% {}\mathclose{{}\left(\mathbf{s},\mathcal{Q}_{l}\mathopen{}\mathclose{{}\left(h% }\right)}\right)\end{aligned}}\right.$

Appendix G Bandersnatch VRF

The Bandersnatch curve is defined by [24].

The singly-contextualized Bandersnatch Schnorr-like signatures $\accentset{\backsim}{\mathbb{V}}_{k}^{m}\mathopen{}\mathclose{{}\left\langle c% }\right\rangle$ are defined as a formulation under the IETF vrf template specified by [18] (as IETF VRF) and further detailed by [15].

(G.1)		$\displaystyle\accentset{\backsim}{\mathbb{V}}_{k\in\accentset{\backsim}{% \mathbb{H}}}^{m\in\mathbb{B}}\mathopen{}\mathclose{{}\left\langle c\in\mathbb{% B}}\right\rangle\subset\mathbb{B}_{96}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left\{\,x\;\middle\|\;x\in\mathbb{B% }_{96},\text{verify}(k,c,m,x)=\top\,}\right\}$
(G.2)		$\displaystyle\mathcal{Y}\mathopen{}\mathclose{{}\left(s\in\accentset{\backsim}% {\mathbb{V}}_{k}^{m}\mathopen{}\mathclose{{}\left\langle c}\right\rangle}% \right)\in\mathbb{H}$	$\displaystyle\equiv\text{output}(x\mid x\in\accentset{\backsim}{\mathbb{V}}_{k% }^{m}\mathopen{}\mathclose{{}\left\langle c}\right\rangle)_{\dots 32}$

The singly-contextualized Bandersnatch Ringvrf proofs $\accentset{\circ}{\mathbb{V}}_{r}^{m}\mathopen{}\mathclose{{}\left\langle c}\right\rangle$ are a zk-snark-enabled analogue utilizing the Pedersen vrf, also defined by [18] and further detailed by [6].

(G.3)	$\displaystyle\mathcal{O}\mathopen{}\mathclose{{}\left(\mathopen{}\mathclose{{}% \left\lsem\accentset{\backsim}{\mathbb{H}}}\right\rsem}\right)\in\accentset{% \circ}{\mathbb{B}}$	$\displaystyle\equiv\text{commit}(\mathopen{}\mathclose{{}\left\lsem\accentset{% \backsim}{\mathbb{H}}}\right\rsem)$
(G.4)	$\displaystyle\accentset{\circ}{\mathbb{V}}_{r\in\accentset{\circ}{\mathbb{B}}}% ^{m\in\mathbb{B}}\mathopen{}\mathclose{{}\left\langle c\in\mathbb{B}}\right% \rangle\subset\mathbb{B}_{784}$	$\displaystyle\equiv\mathopen{}\mathclose{{}\left\{\,x\;\middle\|\;x\in\mathbb{B% }_{784},\text{verify}(r,c,m,x)=\top\,}\right\}$
(G.5)	$\displaystyle\mathcal{Y}\mathopen{}\mathclose{{}\left(p\in\accentset{\circ}{% \mathbb{V}}_{r}^{m}\mathopen{}\mathclose{{}\left\langle c}\right\rangle}\right% )\in\mathbb{H}$	$\displaystyle\equiv\text{output}(x\mid x\in\accentset{\circ}{\mathbb{V}}_{r}^{% m}\mathopen{}\mathclose{{}\left\langle c}\right\rangle)_{\dots 32}$

Note that in the case a key $\accentset{\backsim}{\mathbb{H}}$ has no corresponding Bandersnatch point when constructing the ring, then the Bandersnatch padding point as stated by [18] should be substituted.

Appendix H Erasure Coding

The foundation of the data-availability and distribution system of Jam is a systematic Reed-Solomon erasure coding function in gf( $2^{16}$ ), the same transform as done by the algorithm of [23]. The coding rate is $\mathcal{D}(v)$ : $v$ , where $v\in\mathbb{V}$ is the number of validators.

(H.1)

\mathcal{D}(v\in\mathbb{V})\equiv\max\mathopen{}\mathclose{{}\left(\mathopen{}% \mathclose{{}\left\{\,d\;\middle|\;d\in\mathbb{N}_{\nicefrac{{v}}{{3}}+2},% \mathsf{W}_{G}\ \text{\scriptsize{\%}}\ 2d=0\,}\right\}}\right)

This rate is derived from the fact we wish to be able to reconstruct even should almost two-thirds of the $v$ validators be malicious or incapacitated, the 16-bit Galois field on which the erasure-code is based and the desire to support, for simplicity, encoding segments of size $\mathsf{W}_{G}$ without padding. The rate is optimal, i.e. there is no more redundancy than necessary, when $\mathcal{D}(v)=\nicefrac{{v}}{{3}}+1$ . This occurs when $v\in\mathopen{}\mathclose{{}\left\{\,6,9,15,24,33,51,54,78,105,111,159,168,225% ,321,339,510,681,1023\,}\right\}$ . Note that the rate is least efficient when $v$ is slightly below one of these values. For example, when $v=1022$ , the rate is approximately 1:4.5. It is recommended, for efficiency of the data availability system, that validator set sizes be chosen from the given set.

We use a little-endian $\mathbb{B}_{2}$ form of the 16-bit gf points with a functional equivalence given by $\mathcal{E}_{2}$ . From this we may assume the encoding function $\mathcal{C}^{v\in\mathbb{V}}:\mathopen{}\mathclose{{}\left\lsem\mathbb{B}_{2}}% \right\rsem_{\mathcal{D}(v)}\to\mathopen{}\mathclose{{}\left\lsem\mathbb{B}_{2% }}\right\rsem_{v}$ and the recovery function $\mathcal{R}^{v\in\mathbb{V}}:\mathopen{}\mathclose{{}\left\{\mkern-5.0mu% \mathopen{}\mathclose{{}\left[\,\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{% B}_{2},\mathbb{N}_{v}}\right\rgroup\!\,}\right]\mkern-5.0mu}\right\}_{\mathcal% {D}(v)}\to\mathopen{}\mathclose{{}\left\lsem\mathbb{B}_{2}}\right\rsem_{% \mathcal{D}(v)}$ . Encoding is done by extrapolating a data blob of size $2\cdot\mathcal{D}(v)$ octets (provided in $\mathcal{C}^{v}$ here as $\mathcal{D}(v)$ octet pairs) into $v$ octet pairs. Recovery is done by collecting together any distinct $\mathcal{D}(v)$ octet pairs, together with their indices, and transforming this into the original sequence of $\mathcal{D}(v)$ octet pairs.

Practically speaking, this allows for the efficient encoding and recovery of data whose size is a multiple of $2\cdot\mathcal{D}(v)$ octets. Data whose length is not divisible by $2\cdot\mathcal{D}(v)$ must be padded (we pad with zeroes). We use this erasure-coding in two contexts within the Jam protocol; one where we encode variable sized (but typically very large) data blobs for the Audit da and block-distribution system, and the other where we encode much smaller fixed-size data segments for the Import da system.

For the Import da system, we deal with an input size of $\mathsf{W}_{G}=\text{4,104}$ octets resulting in data-parallelism of order 6 with 1023 validators. We may attain a greater degree of data parallelism if encoding or recovering more than one segment at a time though for recovery, we may be restricted to requiring each segment to be formed from the same set of indices (depending on the specific algorithm).

H.1. Blob Encoding and Recovery

We assume $v\in\mathbb{V}$ validators and some data blob $\mathbf{d}\in\mathbb{B}_{2k\cdot\mathcal{D}(v)},k\in\mathbb{N}$ . This blob is split into a whole number of $k$ pieces, each a sequence of $\mathcal{D}(v)$ octet pairs. Each piece is erasure-coded using $\mathcal{C}^{v}$ as above to give $v$ octet pairs per piece.

The resulting matrix is grouped by its pair-index and concatenated to form $v$ chunks, each of $k$ octet-pairs. Any $\mathcal{D}(v)$ of these chunks may then be used to reconstruct the original data $\mathbf{d}$ .

Formally we begin by defining two utility functions for splitting some large sequence into a number of equal-sized sub-sequences and for reconstituting such subsequences back into a single large sequence:

(H.2)		$\displaystyle\forall n\in\mathbb{N},k\in\mathbb{N}:\$	$\displaystyle\text{split}_{n}(\mathbf{d}\in\mathbb{B}_{kn})\in\mathopen{}% \mathclose{{}\left\lsem\mathbb{B}_{n}}\right\rsem_{k}\equiv\mathopen{}% \mathclose{{}\left[\mathbf{d}_{0\dots+n},\mathbf{d}_{n\dots+n},\cdots,\mathbf{% d}_{(k-1)n\dots+n}}\right]$
(H.3)		$\displaystyle\forall n\in\mathbb{N},k\in\mathbb{N}:\$	$\displaystyle\text{join}(\mathbf{c}\in\mathopen{}\mathclose{{}\left\lsem% \mathbb{B}_{n}}\right\rsem_{k})\in\mathbb{B}_{kn}\equiv\mathbf{c}_{0}\frown% \mathbf{c}_{1}\frown\dots$

We define the transposition operator hence:

(H.4)

{}^{\text{T}}\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left[% \mathbf{x}_{0,0},\mathbf{x}_{0,1},\mathbf{x}_{0,2},\dots}\right],\mathopen{}% \mathclose{{}\left[\mathbf{x}_{1,0},\mathbf{x}_{1,1},\dots}\right],\dots}% \right]\equiv\mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left[% \mathbf{x}_{0,0},\mathbf{x}_{1,0},\mathbf{x}_{2,0},\dots}\right],\mathopen{}% \mathclose{{}\left[\mathbf{x}_{0,1},\mathbf{x}_{1,1},\dots}\right],\dots}\right]

We may then define our erasure-code chunking function which accepts an arbitrary sized data blob whose length divides wholly into $2\cdot\mathcal{D}(v)$ octets and results in a sequence of $v$ smaller blobs:

(H.5)

\mathcal{C}^{v\in\mathbb{V}}_{k\in\mathbb{N}}\colon\mathopen{}\mathclose{{}% \left\{\begin{aligned} \mathbb{B}_{2k\cdot\mathcal{D}(v)}&\to\mathopen{}% \mathclose{{}\left\lsem\mathbb{B}_{2k}}\right\rsem_{v}\\ \mathbf{d}&\mapsto\text{join}^{\#}\mathopen{}\mathclose{{}\left({}^{\text{T}}% \mathopen{}\mathclose{{}\left[\mathcal{C}^{v}\mathopen{}\mathclose{{}\left(% \mathbf{p}}\right)\;\middle|\;\mathbf{p}\mathrel{\mathrlap{<}{\scalebox{0.95}[% 1.0]{$-$}}}{}^{\text{T}}\text{split}_{2}^{\#}(\text{split}_{2k}(\mathbf{d}))}% \right]}\right)\end{aligned}}\right.

The original data may be reconstructed with any $\mathcal{D}(v)$ of the $v$ resultant items (along with their indices). If the original $\mathcal{D}(v)$ items are known then reconstruction is just their concatenation.

(H.6)

\mathcal{R}^{v\in\mathbb{V}}_{k\in\mathbb{N}}\colon\mathopen{}\mathclose{{}% \left\{\begin{aligned} \mathopen{}\mathclose{{}\left\{\mkern-5.0mu\mathopen{}% \mathclose{{}\left[\,\!\mathopen{}\mathclose{{}\left\lgroup\mathbb{B}_{2k},% \mathbb{N}_{v}}\right\rgroup\!\,}\right]\mkern-5.0mu}\right\}_{\mathcal{D}(v)}% &\to\mathbb{B}_{2k\cdot\mathcal{D}(v)}\\ \mathbf{c}&\mapsto\begin{cases}\mathcal{E}\mathopen{}\mathclose{{}\left(% \mathopen{}\mathclose{{}\left[\mathbf{x}\;\middle|\;\mathopen{}\mathclose{{}% \left(\mathbf{x},i}\right)\mathrel{\mathrlap{<}{\scalebox{0.95}[1.0]{$-$}}}% \mathopen{}\mathclose{{}\left[\mathopen{}\mathclose{{}\left(\mathbf{x},i}% \right)\in\mathbf{c}\,\middle\lwavy\,i}\right]}\right]}\right)&\text{if }% \mathopen{}\mathclose{{}\left\{\,i\;\middle|\;\mathopen{}\mathclose{{}\left(% \mathbf{x},i}\right)\in\mathbf{c}\,}\right\}=\mathbb{N}_{\mathcal{D}(v)}\\ \text{join}(\text{join}^{\#}({}^{\text{T}}\mathopen{}\mathclose{{}\left[% \mathcal{R}^{v}\mathopen{}\mathclose{{}\left({\mathopen{}\mathclose{{}\left\{% \,(\text{split}_{2}(\mathbf{x})_{p},i)\;\middle|\;\mathopen{}\mathclose{{}% \left(\mathbf{x},i}\right)\in\mathbf{c}\,}\right\}}}\right)\;\middle|\;p\in% \mathbb{N}_{k}}\right]))&\text{always}\\ \end{cases}\end{aligned}}\right.

Segment encoding/decoding may be done using the same functions albeit with a fixed $k=\nicefrac{{\mathsf{W}_{G}}}{{2\cdot\mathcal{D}(v)}}$ . Note that the definition of $\mathcal{D}$ ensures this is always an integer, i.e. no padding is required.

H.2. Code Word representation

For the sake of brevity we call each octet pair a word. The code words (including the message words) are treated as element of $\mathbb{F}_{2^{16}}$ finite field. The field is generated as an extension of $\mathbb{F}_{2}$ using the irreducible polynomial:

(H.7)

x^{16}+x^{5}+x^{3}+x^{2}+1

Hence:

(H.8)

\mathbb{F}_{2^{16}}\equiv\frac{\mathbb{F}_{2}\mathopen{}\mathclose{{}\left[x}% \right]}{x^{16}+x^{5}+x^{3}+x^{2}+1}

We name the generator of $\frac{\mathbb{F}_{2^{16}}}{\mathbb{F}_{2}}$ , the root of the above polynomial, $\alpha$ as such: $\mathbb{F}_{2^{16}}=\mathbb{F}_{2}(\alpha)$ .

Instead of using the standard basis $\mathopen{}\mathclose{{}\left\{\,1,\alpha,\alpha^{2},\dots,\alpha^{15}\,}\right\}$ , we opt for a representation of $\mathbb{F}_{2^{16}}$ which performs more efficiently for the encoding and the decoding process. To that aim, we name this specific representation of $\mathbb{F}_{2^{16}}$ as $\tilde{\mathbb{F}}_{2^{16}}$ and define it as a vector space generated by the following Cantor basis:

$v_{0}$	$1$
$v_{1}$	$\alpha^{15}+\alpha^{13}+\alpha^{11}+\alpha^{10}+\alpha^{7}+\alpha^{6}+\alpha^{% 3}+\alpha$
$v_{2}$	$\alpha^{13}+\alpha^{12}+\alpha^{11}+\alpha^{10}+\alpha^{3}+\alpha^{2}+\alpha$
$v_{3}$	$\alpha^{12}+\alpha^{10}+\alpha^{9}+\alpha^{5}+\alpha^{4}+\alpha^{3}+\alpha^{2}+\alpha$
$v_{4}$	$\alpha^{15}+\alpha^{14}+\alpha^{10}+\alpha^{8}+\alpha^{7}+\alpha$
$v_{5}$	$\alpha^{15}+\alpha^{14}+\alpha^{13}+\alpha^{11}+\alpha^{10}+\alpha^{8}+\alpha^% {5}+\alpha^{3}+\alpha^{2}+\alpha$
$v_{6}$	$\alpha^{15}+\alpha^{12}+\alpha^{8}+\alpha^{6}+\alpha^{3}+\alpha^{2}$
$v_{7}$	$\alpha^{14}+\alpha^{4}+\alpha$
$v_{8}$	$\alpha^{14}+\alpha^{13}+\alpha^{11}+\alpha^{10}+\alpha^{7}+\alpha^{4}+\alpha^{3}$
$v_{9}$	$\alpha^{12}+\alpha^{7}+\alpha^{6}+\alpha^{4}+\alpha^{3}$
$v_{10}$	$\alpha^{14}+\alpha^{13}+\alpha^{11}+\alpha^{9}+\alpha^{6}+\alpha^{5}+\alpha^{4% }+\alpha$
$v_{11}$	$\alpha^{15}+\alpha^{13}+\alpha^{12}+\alpha^{11}+\alpha^{8}$
$v_{12}$	$\alpha^{15}+\alpha^{14}+\alpha^{13}+\alpha^{12}+\alpha^{11}+\alpha^{10}+\alpha% ^{8}+\alpha^{7}+\alpha^{5}+\alpha^{4}+\alpha^{3}$
$v_{13}$	$\alpha^{15}+\alpha^{14}+\alpha^{13}+\alpha^{12}+\alpha^{11}+\alpha^{9}+\alpha^% {8}+\alpha^{5}+\alpha^{4}+\alpha^{2}$
$v_{14}$	$\alpha^{15}+\alpha^{14}+\alpha^{13}+\alpha^{12}+\alpha^{11}+\alpha^{10}+\alpha% ^{9}+\alpha^{8}+\alpha^{5}+\alpha^{4}+\alpha^{3}$
$v_{15}$	$\alpha^{15}+\alpha^{12}+\alpha^{11}+\alpha^{8}+\alpha^{4}+\alpha^{3}+\alpha^{2% }+\alpha$

Every message word $m_{i}=m_{i,15}\ldots m_{i,0}$ consists of 16 bits. As such it could be regarded as binary vector of length 16:

(H.9)

m_{i}=\mathopen{}\mathclose{{}\left(m_{i,0}\ldots m_{i,15}}\right)

Where $m_{i,0}$ is the least significant bit of message word $m_{i}$ . Accordingly we consider the field element $\widetilde{m_{i}}=\sum^{15}_{j=0}m_{i,j}v_{j}$ to represent that message word.

Similarly, we assign a unique index to each validator between 0 and $v-1$ and we represent validator $i$ with the field element:

(H.10)

\tilde{i}=\sum^{15}_{j=0}i_{j}v_{j}

where $i=i_{15}\ldots i_{0}$ is the binary representation of $i$ .

H.3. The Generator Polynomial

To erasure code a message of $d=\mathcal{D}(v)$ words into $v$ code words, we represent each message as a field element as described in previous section and we interpolate the polynomial $p(y)$ of maximum $d-1$ degree which satisfies the following equalities:

(H.11)

\begin{array}[]{l}p(\tilde{0})=\widetilde{m_{0}}\\ p(\tilde{1})=\widetilde{m_{1}}\\ \vdots\\ p(\widetilde{d-1})=\widetilde{m_{d-1}}\end{array}

After finding $p(y)$ with such properties, we evaluate $p$ at the following points:

(H.12)

\begin{array}[]{l}\widetilde{r_{d}}:=p(\widetilde{d})\\ \widetilde{r_{d+1}}:=p(\widetilde{d+1})\\ \vdots\\ \widetilde{r_{v-1}}:=p(\widetilde{v-1})\end{array}

We then distribute the message words and the extra code words among the validators according to their corresponding indices.

Appendix I Index of Notation

I.1. Sets

I.1.1. Regular Notation

$\mathbb{F}$ :

The set of finite fields.

$\mathbb{N}$ :

The set of non-negative integers. Subscript denotes one greater than the maximum. See section 3.4.

$\mathbb{N}^{+}$ :: The set of positive integers (not including zero).
$\mathbb{N}_{B}$ :: The set of balance values. Equivalent to $\mathbb{N}_{2^{64}}$ . See equation 4.21.
$\mathbb{N}_{G}$ :: The set of unsigned gas values. Equivalent to $\mathbb{N}_{2^{64}}$ . See equation 4.23.
$\mathbb{N}_{L}$ :: The set of blob length values. Equivalent to $\mathbb{N}_{2^{32}}$ . See section 3.4.
$\mathbb{N}_{R}$ :: The set of register values. Equivalent to $\mathbb{N}_{2^{64}}$ . See equation 4.23.
$\mathbb{N}_{S}$ :: The set from which service indices are drawn. Equivalent to $\mathbb{N}_{2^{32}}$ . See section 9.1.
$\mathbb{N}_{T}$ :: The set of timeslot values. Equivalent to $\mathbb{N}_{2^{32}}$ . See equation 4.28.

$\mathbb{Q}$ :

The set of rational numbers. Unused.

$\mathbb{Z}$ :

The set of integers. Subscript denotes range. See section 3.4.

$\mathbb{Z}_{G}$ :: The set of signed gas values. Equivalent to $\mathbb{Z}_{-2^{63}\dots 2^{63}}$ . See equation 4.23.

I.1.2. Custom Notation

$\mathopen{}\mathclose{{}\left\langlebar K\to V}\right\ranglebar$ :

The set of dictionaries making a partial bijection of domain $k$ to range $v$ . See section 3.5.

$\mathbb{A}$ :

The set of service $\mathbb{A}$ ccounts. See equation 9.3.

$\mathbb{b}$ :

The set of $\mathbb{b}$ itstrings (Boolean sequences). Subscript denotes length. See section 3.7.

$\mathbb{B}$ :

The set of $\mathbb{B}$ lobs (octet sequences). Subscript denotes length. See section 3.7.

$\accentset{\mathrm{B\!L\!S}}{\mathbb{B}}$ :: The set of bls public keys. A subset of $\mathbb{B}_{144}$ . See section 3.8.2.
$\accentset{\circ}{\mathbb{B}}$ :: The set of Bandersnatch ring roots. A subset of $\mathbb{B}_{144}$ . See section 3.8 and appendix G.

$\mathbb{C}$ :

The set of work- $\mathbb{C}$ ontexts. See equation 11.4. Not used as the set of complex numbers.

$\mathbb{D}$ :

The set of work- $\mathbb{D}$ igests. See equation 11.6.

$\mathbb{E}$ :

The set of work execution $\mathbb{E}$ rrors. See equation 11.7.

$\mathbb{G}$ :

The set of work-report $\mathbb{G}$ uarantees. See equation 11.24.

$\mathbb{H}$ :

The set of 32-octet cryptographic values, equivalent to $\mathbb{B}_{32}$ . Often a $\mathbb{H}$ ash function’s result. See section 3.8.

$\bar{\mathbb{H}}$ :: The set of Ed25519 public keys. A subset of $\mathbb{B}_{32}$ . See section 3.8.2.
$\accentset{\backsim}{\mathbb{H}}$ :: The set of Bandersnatch public keys. A subset of $\mathbb{B}_{32}$ . See section 3.8 and appendix G.

$\mathbb{I}$ :

The set representing the state of an $\mathbb{I}$ nner pvm instance. See equation B.4.

$\mathbb{J}$ :

The set of data segments, equivalent to $\mathbb{B}_{\mathsf{W}_{G}}$ . See equation 14.1.

$\mathbb{K}$ :

The set of validator $\mathbb{K}$ ey-sets. See equation 6.7.

$\mathbb{L}$ :

The set representing implications of accumulation. See equation B.7.

$\mathbb{M}$ :

The set of pvm $\mathbb{M}$ emory (ram) states. See equation 4.24.

$\mathbb{O}$ :

The set of single-service accumulation $\mathbb{O}$ utputs. See equation 12.22.

$\mathbb{P}$ :

The set of work- $\mathbb{P}$ ackages. See equation 14.2.

$\mathbb{R}$ :

The set of work- $\mathbb{R}$ eports. See equation 11.2. Note used for the set of real numbers.

$\mathbb{S}$ :

The set representating a portion of overall $\mathbb{S}$ tate, used during accumulation. See equation 12.15.

$\mathbb{T}$ :

The set of slot-sealer $\mathbb{T}$ ickets. See equation 6.6.

$\mathbb{U}$ :

The information concerning a single work-item once prepared as an operand for the accumulation function. See equation 12.13.

$\mathbb{V}$ :

The set of $\mathbb{V}$ alidator key-set sizes. See equation 6.8.

$\mathbb{V}_{\mu}$ :

The set of $\mathbb{V}$ alidly readable indices for pvm ram $\mu$ . See appendix A.

$\mathbb{V}_{\mu}^{*}$ :

The set of $\mathbb{V}$ alidly writable indices for pvm ram $\mu$ . See appendix A.

$\bar{\mathbb{V}}_{k}\mathopen{}\mathclose{{}\left\langle m}\right\rangle$ :

The set of $\mathbb{V}$ alid Ed25519 signatures of the key $k$ and message $m$ . A subset of $\mathbb{B}_{64}$ . See section 3.8.

$\accentset{\backsim}{\mathbb{V}}_{k}^{m}\mathopen{}\mathclose{{}\left\langle c% }\right\rangle$ :

The set of $\mathbb{V}$ alid Bandersnatch signatures of the public key $k$ , context $c$ and message $m$ . A subset of $\mathbb{B}_{96}$ . See section 3.8.

$\accentset{\circ}{\mathbb{V}}_{r}^{m}\mathopen{}\mathclose{{}\left\langle c}\right\rangle$ :

The set of $\mathbb{V}$ alid Bandersnatch Ringvrf proofs of the root $r$ , context $c$ and message $m$ . A subset of $\mathbb{B}_{784}$ . See section 3.8.

$\mathbb{W}$ :

The set of $\mathbb{W}$ ork items. See equation 14.3.

$\mathbb{X}$ :

The set of deferred transfers. See equation 12.14.

$\mathbb{Y}$ :

The set of availability specifications. See equation 11.5.

I.2. Functions

$\Delta$ :

The accumulation functions (see section 12.2):

$\Delta_{1}$ :: The single-step accumulation function. See equation 12.23.
$\Delta_{*}$ :: The parallel accumulation function. See equation 12.18.
$\Delta_{+}$ :: The full sequential accumulation function. See equation 12.17.

$\Lambda$ :

The historical lookup function. See equation LABEL:eq:historicallookup.

$\Xi$ :

The work-report computation function. See equation 14.13.

$B$ :

The bundle assembly function. See equation 14.16.

$\Upsilon$ :

The general state transition function. See equations 4.1, 4.5.

$\Phi$ :

The key-nullifier function. See equation 6.15.

$\Psi$ :

The whole-program pvm machine state-transition function. See equation A.

$\Psi_{1}$ :: The single-step (pvm) machine state-transition function. See appendix A.
$\Psi_{A}$ :: The Accumulate pvm invocation function. See appendix B.
$\Psi_{H}$ :: The host-function invocation (pvm) with host-function marshalling. See appendix A.
$\Psi_{I}$ :: The Is-Authorized pvm invocation function. See appendix B.
$\Psi_{M}$ :: The marshalling whole-program pvm machine state-transition function. See appendix A.
$\Psi_{R}$ :: The Refine pvm invocation function. See appendix B.

$\Omega$ :

Virtual machine host-call functions. See appendix B.

$\Omega_{A}$ :: Assign-core host-call.
$\Omega_{B}$ :: Empower-service host-call.
$\Omega_{C}$ :: Checkpoint host-call.
$\Omega_{D}$ :: Designate-validators host-call.
$\Omega_{E}$ :: Export segment host-call.
$\Omega_{F}$ :: Forget-preimage host-call.
$\Omega_{G}$ :: Gas-remaining host-call.
$\Omega_{H}$ :: Historical-lookup-preimage host-call.
$\Omega_{I}$ :: Information-on-service host-call.
$\Omega_{J}$ :: Eject-service host-call.
$\Omega_{K}$ :: Kickoff-pvm host-call.
$\Omega_{L}$ :: Lookup-preimage host-call.
$\Omega_{M}$ :: Make-pvm host-call.
$\Omega_{N}$ :: New-service host-call.
$\Omega_{O}$ :: Poke-pvm host-call.
$\Omega_{P}$ :: Peek-pvm host-call.
$\Omega_{Q}$ :: Query-preimage host-call.
$\Omega_{R}$ :: Read-storage host-call.
$\Omega_{S}$ :: Solicit-preimage host-call.
$\Omega_{T}$ :: Transfer host-call.
$\Omega_{U}$ :: Upgrade-service host-call.
$\Omega_{W}$ :: Write-storage host-call.
$\Omega_{X}$ :: Expunge-pvm host-call.
$\Omega_{Y}$ :: Fetch data host-call.
$\Omega_{Z}$ :: Pages inner-pvm memory host-call.
$\Omega_{\Taurus}$ :: Yield accumulation trie result host-call.
$\Omega_{\Aries}$ :: Provide preimage host-call.
$\Omega_{\Gemini}$ :: Grow heap host-call.

I.3. Utilities, Externalities and Standard Functions

$\mathcal{A}(\dots)$ :: The Merkle mountain range append function. See equation E.8.
$\mathcal{B}_{n}(\dots)$ :: The octets-to-bits function for $n$ octets. Superscripted ^-1 to denote the inverse. See equation A.17.
$\mathcal{C}^{v}_{n}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The erasure-coding function for $v$ validators and $n$ pieces. See equation H.5.
$\mathcal{D}(\dots)$ :: The original-chunk-count function. See equation H.1.
$\mathcal{E}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The octet-sequence encode function. Superscripted ^-1 to denote the inverse. See appendix C.
$\mathcal{F}(\dots)$ :: The Fisher-Yates shuffle function. See equation F.1.
$\mathcal{G}(L,\ell)$ :: The memory-sized gas function. See equation B.17.
$\mathcal{H}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The Blake 2b 256-bit hash function. See section 3.8.
$\mathcal{H}_{K}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The Keccak 256-bit hash function. See section 3.8.
$\mathcal{J}_{x}(\dots)$ :: The justification path to a specific $2^{x}$ size page of a constant-depth Merkle tree. See equation E.5.
$\mathcal{K}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The domain, or set of keys, of a dictionary. See section 3.5.
$\mathcal{L}_{x}(\dots)$ :: The $2^{x}$ size page function for a constant-depth Merkle tree. See equation E.6.
$\mathcal{M}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The constant-depth binary Merklization function. See appendix E.
$\mathcal{M}_{B}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The well-balanced binary Merklization function. See appendix E.
$\mathcal{M}_{\sigma}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The state Merklization function. See appendix D.
$\mathcal{O}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The Bandersnatch ring root function. See section 3.8 and appendix G.
$\mathcal{P}_{n}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The octet-array zero-padding function. See equation 14.19.
$\mathcal{Q}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The numeric-sequence-from-hash function. See equation F.3.
$\mathcal{R}^{v}_{n}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The erasure-coding recovery function for $v$ validators and $n$ pieces. See equation H.6.
$\bar{\mathcal{S}}_{k}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The Ed25519 signing function. See section 3.8.
$\accentset{\mathrm{B\!L\!S}}{\mathcal{S}}_{k}\mathopen{}\mathclose{{}\left(% \dots}\right)$ :: The bls signing function. See section 3.8.
$\mathcal{T}$ :: The current time expressed in seconds after the start of the Jam Common Era. See section 4.4.
$\mathcal{U}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The substitute-if-nothing function. See equation 3.2.
$\mathcal{V}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The range, or set of values, of a dictionary or sequence. See section 3.5.
$\mathcal{X}_{n}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The signed-extension function for a value in $\mathbb{N}_{2^{8n}}$ . See equation A.21.
$\mathcal{Y}\mathopen{}\mathclose{{}\left(\dots}\right)$ :: The alias/output/entropy function of a Bandersnatch vrf signature/proof. See section 3.8 and appendix G.
$\mathcal{Z}_{n}(\dots)$ :: The into-signed function for a value in $\mathbb{N}_{2^{8n}}$ . Superscripted with ^-1 to denote the inverse. See equation A.15.

I.4. Values

I.4.1. Block-context Terms

These terms are all contextualized to a single block. They may be superscripted with some other term to alter the context and reference some other block.

$\mathbf{A}$ :: The ancestor set of the block. See equation 5.3.
$\mathbf{B}$ :: The block. See equation 4.2.
$\mathbf{E}$ :: The block extrinsic. See equation 4.3.
$\mathbf{F}_{v}$ :: The Beefy signed commitment of validator $v$ . See equation 18.1.
$\mathbf{G}$ :: The set of Ed25519 guarantor keys who made a work-report. See equation 11.28.
$\mathbf{H}$ :: The block header. See equation 5.1.
$\mathbf{S}$ :: Service-indexed accumulation statistics for this block. See equations 12.27 and 12.28.
$\mathbf{M}$ :: The current core assignments. See section 11.3.
$\mathbf{M}^{*}$ :: The core assignments in the previous rotation. See section 11.3.
$\mathbf{R}$ :: The sequence of work-reports which have now become available and ready for accumulation. See equation 11.17.
$\mathbf{T}$ :: The ticketed condition, true if the block was sealed with a ticket signature rather than a fallback. See equations 6.16 and 6.17.
$\mathbf{U}$ :: The audit condition, equal to $\top$ once the block is audited. See section 17.

Without any superscript, the block is assumed to the block being imported or, if no block is being imported, the head of the best chain (see section 19). Explicit block-contextualizing superscripts include:

$\mathbf{B}^{\natural}$ :: The latest finalized block. See equation 19.
$\mathbf{B}^{\flat}$ :: The block at the head of the best chain. See equation 19.

I.4.2. State components

Here, the prime annotation indicates posterior state. Individual components may be identified with a letter subscript.

$\alpha$ :

The core $\alpha$ uthorizations pool. See equation 8.1.

$\beta$ :

Log of recent activity. See equation 7.1.

$\beta_{H}$ :: Information on the most recent blocks. See equation 7.2.
$\beta_{B}$ :: The Merkle mountain belt for accumulating Accumulation outputs. See equations 7.3 and 7.7.

$\gamma$ :

State concerning Safrole. See equation 6.3.

$\gamma_{A}$ :: The sealing lottery ticket accumulator. See equation 6.5.
$\gamma_{P}$ :: The keys for the validators of the next epoch, equivalent to those keys which constitute $\gamma_{Z}$ . See equation 6.7.
$\gamma_{S}$ :: The slot-sealer sequence of the current epoch. See equation 6.5.
$\gamma_{Z}$ :: The Bandersnatch root for the current epoch’s ticket submissions. See equation 6.4.

$\delta$ :

The (prior) state of the service accounts. See equation 9.1.

$\delta^{\dagger}$ :: The post-accumulation, pre-preimage integration intermediate state. See equation 12.26.

$\eta$ :

The entropy accumulator and epochal randomness. See equation 6.22.

$\iota$ :

The validator keys and metadata to be drawn from next. See equation 6.7.

$\kappa$ :

The validator keys and metadata currently active. See equation 6.7.

$\lambda$ :

The validator keys and metadata which were active in the prior epoch. See equation 6.7.

$\rho$ :

The availability assignments. A core’s availability assignment is the work-report guarantee which is being made available prior to accumulation. See equation 11.1.

$\rho^{\dagger}$ :: The post-judgment, pre-assurances-extrinsic intermediate state. See equation 10.14.
$\rho^{\ddagger}$ :: The post-assurances-extrinsic, pre-guarantees-extrinsic intermediate state. See equation 11.18.

$\sigma$ :

The overall state of the system. See equations 4.1, 4.4.

$\tau$ :

The most recent block’s timeslot. See equation 6.1.

$\phi$ :

The authorization queue. See equation 8.1.

$\psi$ :

Past judgments on work-reports and validators. See equation 10.1.

$\psi_{B}$ :: Work-reports judged to be incorrect. See equation 10.16.
$\psi_{G}$ :: Work-reports judged to be correct. See equation 10.15.
$\psi_{W}$ :: Work-reports whose validity is judged to be unknowable. See equation 10.17.
$\psi_{O}$ :: Validators who made a judgment found to be incorrect. See equation 10.18.

$\chi$ :

The privileged service indices. See equation 9.9.

$\chi_{M}$ :: The index of the blessed service. See equation 12.26.
$\chi_{A}$ :: The indices of the services able to assign each core’s authorizer queue. See equation 12.26.
$\chi_{V}$ :: The index of the designate service. See equation 12.26.
$\chi_{R}$ :: The index of the registrar service. See equation 12.26.
$\chi_{Z}$ :: The always-accumulate service indices and their basic gas allowance. See equation 12.26.

$\pi$ :

The activity statistics for the validators. See equation 13.1.

$\omega$ :

The accumulation queue. See equation 12.3.

$\xi$ :

The accumulation history. See equation 12.1.

$\theta$ :

The most recent Accumulation outputs. See equations 7.4 and 12.24.

I.4.3. Virtual Machine components

$\varepsilon$ :: The exit-reason resulting from all machine state transitions.
$\nu$ :: The immediate values of an instruction.
$\mu$ :: The memory sequence; a member of the set $\mathbb{M}$ .
$\varrho$ :: The gas counter.
$\varphi$ :: The registers.
$\zeta$ :: The instruction sequence.
$\varpi$ :: The sequence of basic blocks of the program.
$\imath$ :: The instruction counter.

I.4.4. Constants

$\mathsf{A}=8$ :: The period, in seconds, between audit tranches. See section 17.3.
$\mathsf{B}_{I}=10$ :: The additional minimum balance required per item of elective service state. See equation 9.8.
$\mathsf{B}_{L}=1$ :: The additional minimum balance required per octet of elective service state. See equation 9.8.
$\mathsf{B}_{S}=100$ :: The basic minimum balance which all services require. See equation 9.8.
$\mathsf{C}=341$ :: The total number of cores.
$\mathsf{D}=19,200$ :: The period in timeslots after which an unreferenced preimage may be expunged. See eject definition in section B.7.
$\mathsf{E}=600$ :: The length of an epoch in timeslots. See section 4.8.
$\mathsf{F}=2$ :: The audit bias factor, the expected number of additional validators who will audit a work-report in the following tranche for each no-show in the previous. See equation 17.13.
$\mathsf{G}_{A}=10,000,000$ :: The gas allocated to invoke a work-report’s Accumulation logic.
$\mathsf{G}_{I}=50,000,000$ :: The gas allocated to invoke a work-package’s Is-Authorized logic.
$\mathsf{G}_{R}=5,000,000,000$ :: The gas allocated to invoke a work-package’s Refine logic.
$\mathsf{G}_{T}=3,500,000,000$ :: The total gas allocated across for all Accumulation. Should be no smaller than $\mathsf{G}_{A}\cdot\mathsf{C}+\sum_{g\in\mathcal{V}\mathopen{}\mathclose{{}% \left(\chi_{Z}}\right)}(g)$ .
$\mathsf{H}=8$ :: The size of recent history, in blocks. See equation 7.8.
$\mathsf{I}=16$ :: The maximum amount of work items in a package. See equations 11.2 and 14.2.
$\mathsf{J}=8$ :: The maximum sum of dependency items in a work-report. See equation 11.3.
$\mathsf{K}=16$ :: The maximum number of tickets which may be submitted in a single extrinsic. See equation 6.31.
$\mathsf{L}=14,400$ :: The maximum age in timeslots of the lookup anchor. See equation 11.37.
$\mathsf{M}$ :: Host-function gas costs, see below.
$\mathsf{N}_{V}=16$ :: The maximum number of verdicts which may be included in a single extrinsic. See equation 10.2.
$\mathsf{N}_{O}=16$ :: The maximum number each of culprits or faults which may be included in a single extrinsic. See equation 10.2.
$\mathsf{O}=8$ :: The maximum number of items in the authorizations pool. See equation 8.1.
$\mathsf{P}=6$ :: The slot period, in seconds. See equation 4.8.
$\mathsf{Q}=80$ :: The number of items in the authorizations queue. See equation 8.1.
$\mathsf{R}=10$ :: The rotation period of validator-core assignments, in timeslots. See sections 11.3 and 11.4.
$\mathsf{S}=2^{16}$ :: The minimum public service index. Services of indices below these may only be created by the Registrar. See equation B.14.
$\mathsf{T}=128$ :: The maximum number of extrinsics in a work-package. See equation 14.5.
$\mathsf{U}=5$ :: The period in timeslots after which reported but unavailable work is cleared. See equation 11.18.
$\mathsf{W}_{A}=64,000$ :: The maximum size of is-authorized code in octets. See equation B.1.
$\mathsf{W}_{B}=13,791,360$ :: The maximum size of the concatenated variable-size blobs, extrinsics and imported segments of a work-package, in octets. See equation 14.6.
$\mathsf{W}_{C}=4,000,000$ :: The maximum size of service code in octets. See equations B.5, B.9 & LABEL:eq:onxferinvocation.
$\mathsf{W}_{G}=4104$ :: The size of a segment in octets. See section 14.2.1.
$\mathsf{W}_{F}=\mathsf{W}_{G}+32\mathopen{}\mathclose{{}\left\lceil\log_{2}(% \mathsf{W}_{X})}\right\rceil=4488$ :: The additional footprint in the Audits DA of a single imported segment. See equation 14.7.
$\mathsf{W}_{M}=3,072$ :: The maximum number of imports in a work-package. See equation 14.5.
$\mathsf{W}_{R}=48\cdot 2^{10}$ :: The maximum total size of all unbounded blobs in a work-report, in octets. See equation 11.8.
$\mathsf{W}_{T}=128$ :: The size of a transfer memo in octets. See equation 12.14.
$\mathsf{W}_{X}=3,072$ :: The maximum number of exports in a work-package. See equation 14.5.
$\mathsf{X}$ :: Context strings, see below.
$\mathsf{Y}=500$ :: The number of slots into an epoch at which ticket-submission ends. See sections 6.5, 6.6 and 6.7.
$\mathsf{Z}_{A}=2$ :: The pvm dynamic address alignment factor. See equation A.24.
$\mathsf{Z}_{I}=2^{24}$ :: The standard pvm program initialization input data size. See equation A.7.
$\mathsf{Z}_{P}=2^{12}$ :: The pvm memory page size. See equation 4.24.
$\mathsf{Z}_{Z}=2^{16}$ :: The standard pvm program initialization zone size. See section A.7.

I.4.5. Host-function gas costs

These constants are used in the host function gas cost equations in appendix B. The constant term for the host function $\Omega_{\square}$ is denoted $\mathsf{M}_{\square,c}$ , or simply $\mathsf{M}_{\square}$ if there are no other terms. The octet-linear term, if there is one, is denoted $\mathsf{M}_{\square,\ell}$ and specifies gas per 1024 octets. The page-linear term, again optional, is denoted $\mathsf{M}_{\square,p}$ and specifies gas per page. The gas for a host call with constant term $c$ and octet-linear term $L$ with $\ell$ octets is $c+\mathcal{G}(L,\ell)$ (see equation B.17).

$\mathsf{M}_{\emptyset}=1000$ :: Gas cost charged for an unknown host-call.
$\mathsf{M}_{A}=1818$ :: $\Omega_{A}$ (assign) base gas cost.
$\mathsf{M}_{B,c}=422$ :: $\Omega_{B}$ (bless) base gas cost.
$\mathsf{M}_{B,\ell}=20$ :: $\Omega_{B}$ (bless) gas per item.
$\mathsf{M}_{C}=103$ :: $\Omega_{C}$ (checkpoint) base gas cost.
$\mathsf{M}_{D,c}=1100$ :: $\Omega_{D}$ (designate) base gas cost.
$\mathsf{M}_{D,\ell}=302$ :: $\Omega_{D}$ (designate) gas per validator.
$\mathsf{M}_{E}=3521$ :: $\Omega_{E}$ (export) base gas cost.
$\mathsf{M}_{F}=3250$ :: $\Omega_{F}$ (forget) base gas cost.
$\mathsf{M}_{G}=48$ :: $\Omega_{G}$ (gas) base gas cost.
$\mathsf{M}_{H,c}=1125$ :: $\Omega_{H}$ (historical_lookup) base gas cost.
$\mathsf{M}_{H,\ell}=264$ :: $\Omega_{H}$ (historical_lookup) gas per 1024 octets ( $\mathcal{G}(\mathsf{M}_{H,\ell},\ell)$ ).
$\mathsf{M}_{I}=703$ :: $\Omega_{I}$ (info) base gas cost.
$\mathsf{M}_{J}=458$ :: $\Omega_{J}$ (eject) base gas cost.
$\mathsf{M}_{K}=968$ :: $\Omega_{K}$ (invoke) base gas cost.
$\mathsf{M}_{L,c}=600$ :: $\Omega_{L}$ (lookup) base gas cost.
$\mathsf{M}_{L,\ell}=248$ :: $\Omega_{L}$ (lookup) gas per 1024 octets ( $\mathcal{G}(\mathsf{M}_{L,\ell},\ell)$ ).
$\mathsf{M}_{M,c}=1862$ :: $\Omega_{M}$ (machine) base gas cost.
$\mathsf{M}_{M,\ell}=112$ :: $\Omega_{M}$ (machine) gas per 1024 octets, program size ( $\mathcal{G}(\mathsf{M}_{M,\ell},\ell)$ ).
$\mathsf{M}_{N}=3855$ :: $\Omega_{N}$ (new) base gas cost.
$\mathsf{M}_{O,c}=297$ :: $\Omega_{O}$ (poke) base gas cost.
$\mathsf{M}_{O,\ell}=224$ :: $\Omega_{O}$ (poke) gas per 1024 octets ( $\mathcal{G}(\mathsf{M}_{O,\ell},\ell)$ ).
$\mathsf{M}_{P,c}=377$ :: $\Omega_{P}$ (peek) base gas cost.
$\mathsf{M}_{P,\ell}=336$ :: $\Omega_{P}$ (peek) gas per 1024 octets ( $\mathcal{G}(\mathsf{M}_{P,\ell},\ell)$ ).
$\mathsf{M}_{Q}=643$ :: $\Omega_{Q}$ (query) base gas cost.
$\mathsf{M}_{R,c}=2407$ :: $\Omega_{R}$ (read) base gas cost.
$\mathsf{M}_{R,\mathrm{k},\ell}=1736$ :: $\Omega_{R}$ (read) key gas per 1024 octets ( $\mathcal{G}(\mathsf{M}_{R,\mathrm{k},\ell},\ell)$ ).
$\mathsf{M}_{R,\mathrm{v},\ell}=248$ :: $\Omega_{R}$ (read) value gas per 1024 octets ( $\mathcal{G}(\mathsf{M}_{R,\mathrm{v},\ell},\ell)$ ).
$\mathsf{M}_{S}=2193$ :: $\Omega_{S}$ (solicit) base gas cost.
$\mathsf{M}_{T}=575$ :: $\Omega_{T}$ (transfer) base gas cost.
$\mathsf{M}_{U}=1028$ :: $\Omega_{U}$ (upgrade) base gas cost.
$\mathsf{M}_{W,c}=2442$ :: $\Omega_{W}$ (write) base gas cost.
$\mathsf{M}_{W,\mathrm{v},\ell}=216$ :: $\Omega_{W}$ (write) gas per 1024 octets ( $\mathcal{G}(\mathsf{M}_{W,\mathrm{v},\ell},\ell)$ ).
$\mathsf{M}_{W,\mathrm{k},\ell}=3358$ :: $\Omega_{W}$ (write) key gas per 1024 octets ( $\mathcal{G}(\mathsf{M}_{W,\mathrm{k},\ell},\ell)$ ).
$\mathsf{M}_{X}=335$ :: $\Omega_{X}$ (expunge) base gas cost.
$\mathsf{M}_{Y,0,c}=390,\mathsf{M}_{Y,0,\ell}=0$ :: $\Omega_{Y}$ (fetch) case 0: protocol parameters.
$\mathsf{M}_{Y,1,c}=103,\mathsf{M}_{Y,1,\ell}=0$ :: $\Omega_{Y}$ (fetch) case 1: entropy.
$\mathsf{M}_{Y,2,c}=80,\mathsf{M}_{Y,2,\ell}=96$ :: $\Omega_{Y}$ (fetch) case 2: auth trace.
$\mathsf{M}_{Y,3,c}=85,\mathsf{M}_{Y,3,\ell}=96$ :: $\Omega_{Y}$ (fetch) case 3: any extrinsic, by index.
$\mathsf{M}_{Y,4,c}=85,\mathsf{M}_{Y,4,\ell}=96$ :: $\Omega_{Y}$ (fetch) case 4: our extrinsic, by index.
$\mathsf{M}_{Y,5,c}=171,\mathsf{M}_{Y,5,\ell}=0$ :: $\Omega_{Y}$ (fetch) case 5: any import, by index.
$\mathsf{M}_{Y,6,c}=171,\mathsf{M}_{Y,6,\ell}=0$ :: $\Omega_{Y}$ (fetch) case 6: our import, by index.
$\mathsf{M}_{Y,7,c}=85,\mathsf{M}_{Y,7,\ell}=96$ :: $\Omega_{Y}$ (fetch) case 7: encoded work-package.
$\mathsf{M}_{Y,8,c}=84,\mathsf{M}_{Y,8,\ell}=0$ :: $\Omega_{Y}$ (fetch) case 8: auth config.
$\mathsf{M}_{Y,9,c}=88,\mathsf{M}_{Y,9,\ell}=0$ :: $\Omega_{Y}$ (fetch) case 9: auth token.
$\mathsf{M}_{Y,10,c}=111,\mathsf{M}_{Y,10,\ell}=0$ :: $\Omega_{Y}$ (fetch) case 10: refine context.
$\mathsf{M}_{Y,11,c}=317,\mathsf{M}_{Y,11,\ell}=0$ :: $\Omega_{Y}$ (fetch) case 11: items summary.
$\mathsf{M}_{Y,12,c}=250,\mathsf{M}_{Y,12,\ell}=0$ :: $\Omega_{Y}$ (fetch) case 12: any item summary.
$\mathsf{M}_{Y,13,c}=95,\mathsf{M}_{Y,13,\ell}=96$ :: $\Omega_{Y}$ (fetch) case 13: any payload.
$\mathsf{M}_{Y,14,c}=287,\mathsf{M}_{Y,14,\ell}=400$ :: $\Omega_{Y}$ (fetch) case 14: accumulate items.
$\mathsf{M}_{Y,15,c}=355,\mathsf{M}_{Y,15,\ell}=344$ :: $\Omega_{Y}$ (fetch) case 15: any accumulate item.
$\mathsf{M}_{Y,\emptyset,c}=80,\mathsf{M}_{Y,\emptyset,\ell}=0$ :: $\Omega_{Y}$ (fetch) otherwise: nothing.
$\mathsf{M}_{Z,a,c}=275$ :: $\Omega_{Z}$ (pages) alloc base gas cost.
$\mathsf{M}_{Z,a,p}=121$ :: $\Omega_{Z}$ (pages) alloc gas per page.
$\mathsf{M}_{Z,f,c}=212$ :: $\Omega_{Z}$ (pages) free base gas cost.
$\mathsf{M}_{Z,f,p}=118$ :: $\Omega_{Z}$ (pages) free gas per page.
$\mathsf{M}_{Z,s,c}=130$ :: $\Omega_{Z}$ (pages) setmode base gas cost.
$\mathsf{M}_{Z,s,p}=29$ :: $\Omega_{Z}$ (pages) setmode gas per page.
$\mathsf{M}_{Z,i}=80$ :: $\Omega_{Z}$ (pages) invalid- $r$ base gas cost.
$\mathsf{M}_{\Taurus}=98$ :: $\Omega_{\Taurus}$ (yield) base gas cost.
$\mathsf{M}_{\Aries,c}=3980$ :: $\Omega_{\Aries}$ (provide) base gas cost.
$\mathsf{M}_{\Aries,\ell}=2264$ :: $\Omega_{\Aries}$ (provide) gas per 1024 octets ( $\mathcal{G}(\mathsf{M}_{\Aries,\ell},\ell)$ ).
$\mathsf{M}_{\Gemini,c}=275$ :: $\Omega_{\Gemini}$ (grow_heap) base gas cost.
$\mathsf{M}_{\Gemini,p}=121$ :: $\Omega_{\Gemini}$ (grow_heap) gas per additional page.

I.4.6. Signing Contexts

$\mathsf{X}_{A}=\text{{\small{\$jam\_available}}}$ :: Ed25519 Availability assurances. See equation 11.14.
$\mathsf{X}_{B}=\text{{\small{\$jam\_beefy}}}$ :: bls Accumulate-result-root-mmr commitment. See equation 18.1.
$\mathsf{X}_{E}=\text{{\small{\$jam\_entropy}}}$ :: On-chain entropy generation. See equation 6.18.
$\mathsf{X}_{F}=\text{{\small{\$jam\_fallback\_seal}}}$ :: Bandersnatch Fallback block seal. See equation 6.17.
$\mathsf{X}_{G}=\text{{\small{\$jam\_guarantee}}}$ :: Ed25519 Guarantee statements. See equation 11.28.
$\mathsf{X}_{I}=\text{{\small{\$jam\_announce}}}$ :: Ed25519 Audit announcement statements. See equation 17.7.
$\mathsf{X}_{T}=\text{{\small{\$jam\_ticket\_seal}}}$ :: Bandersnatch Ringvrf Ticket generation and regular block seal. See equation 6.16.
$\mathsf{X}_{U}=\text{{\small{\$jam\_audit}}}$ :: Bandersnatch Audit selection entropy. See equations 17.3 and 17.13.
$\mathsf{X}_{\top}=\text{{\small{\$jam\_valid}}}$ :: Ed25519 Judgments for valid work-reports. See equation 17.17.
$\mathsf{X}_{\bot}=\text{{\small{\$jam\_invalid}}}$ :: Ed25519 Judgments for invalid work-reports. See equation 17.17.

References

[1] G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche (2013) Keccak. In Annual international conference on the theory and applications of cryptographic techniques, pp. 313–314. Cited by: §3.8.1.
[2] R. Bögli (2024) Assessing risc zero using zkit: an extensible testing and benchmarking suite for zkp frameworks. Ph.D. Thesis, OST Ostschweizer Fachhochschule. Cited by: §2.2.1.
[3] D. Boneh, B. Lynn, and H. Shacham (2004) Short signatures from the weil pairing. J. Cryptology 17, pp. 297–319. External Links: Document Cited by: §3.8.2.
[4] J. Burdges, A. Cevallos, H. Kılınç Alper, C. Liu-Zhang, F. Shirazi, A. Stewart, R. Habermeier, R. Klotzner, and A. Ordian (2024) Efficient execution auditing for blockchains under byzantine assumptions. Note: Cryptology ePrint Archive, Paper 2024/961 External Links: Link Cited by: §17.3, §17, §2.1, §2.3, footnote 11.
[5] J. Burdges, O. Ciobotaru, S. Lavasani, and A. Stewart (2022) Efficient aggregatable bls signatures with chaum-pedersen proofs. Note: Cryptology ePrint Archive, Paper 2022/1611 External Links: Link Cited by: §18.
[6] J. Burdges, O. Ciobotaru, H. K. Alper, A. Stewart, and S. Vasilyev (2023) Ring verifiable random functions and zero-knowledge continuations. Note: Cryptology ePrint Archive, Paper 2023/002 External Links: Link Cited by: Appendix G.
[7] V. Buterin and V. Griffith (2019) Casper the friendly finality gadget. External Links: 1710.09437, Link Cited by: §2.2.
[8] V. Buterin (2013) Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform. External Links: Link Cited by: §2.2.
[9] Cosmos Project (2023) Interchain security begins a new era for cosmos. Note: Fetched 18th March, 2024 External Links: Link Cited by: §2.3.
[10] Dune and hildobby (2024) Ethereum Staking. Note: Fetched 18th March, 2024 External Links: Link Cited by: footnote 2.
[11] Ethereum Foundation (2024) A digital future on a global scale. Note: Fetched 4th April, 2024 External Links: Link Cited by: §2.2.
[12] Ethereum Foundation (2024) Danksharding. Note: Fetched 18th March, 2024 External Links: Link Cited by: §2.2.
[13] R. A. Fisher and F. Yates (1938) Statistical tables for biological, agricultural and medical research. Oliver and Boyd. Cited by: §3.7.5.
[14] A. Gabizon, Z. J. Williamson, and O. Ciobotaru (2019) PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge. Note: Cryptology ePrint Archive, Paper 2019/953 External Links: Link Cited by: §2.2.1.
[15] S. Goldberg, L. Reyzin, D. Papadopoulos, and J. Včelák (2023-08) Verifiable Random Functions (VRFs). Request for Comments, RFC Editor. Note: RFC 9381 External Links: Document, Link Cited by: Appendix G.
[16] A. Hertig (2016) So, ethereum’s blockchain is still under attack…. Note: Fetched 18th March, 2024 External Links: Link Cited by: §2.4.
[17] D. Hopwood, S. Bowe, I. Miers, I. Lovecruft, J. Grigg, G. Tankersley, and Z. Zhang (2020) BLS12-381. External Links: Link Cited by: §18, §3.8.2.
[18] S. Hosseini and D. Galassi (2024) Bandersnatch vrf-ad specification. Note: Draft 29, Fetched 17th March, 2026 External Links: Link Cited by: Appendix G, Appendix G, Appendix G.
[19] P. Jha (2024) Solana outage raises questions about client diversity and beta status. Note: Fetched 18th March, 2024 External Links: Link Cited by: §2.4.
[20] S. Josefsson and I. Liusvaara (2017-01) Edwards-Curve Digital Signature Algorithm (EdDSA). Request for Comments, RFC Editor. Note: RFC 8032 External Links: Document, Link Cited by: §3.8.2.
[21] E. Kokoris-Kogias, P. Jovanovic, L. Gasser, N. Gailly, E. Syta, and B. Ford (2017) OmniLedger: a secure, scale-out, decentralized ledger via sharding. Note: Cryptology ePrint Archive, Paper 2017/406 External Links: Link Cited by: §2.3.
[22] J. Kwon and E. Buchman (2019) Cosmos whitepaper. A Netw. Distrib. Ledgers 27, pp. 1–32. Cited by: §2.3.
[23] S. Lin, W. Chung, and Y. S. Han (2014) Novel polynomial basis and its application to reed-solomon erasure codes. In 2014 IEEE 55th Annual Symposium on Foundations of Computer Science, Vol. , pp. 316–325. External Links: Document Cited by: Appendix H.
[24] S. Masson, A. Sanso, and Z. Zhang (2021) Bandersnatch: a fast elliptic curve built over the bls12-381 scalar field. Note: Cryptology ePrint Archive, Paper 2021/1152 External Links: Link Cited by: Appendix G.
[25] F. Ng (2024) Is measuring blockchain transactions per second stupid in 2024?. Note: Fetched 18th March, 2024 External Links: Link Cited by: §2.4.
[26] Polkavm Project (2024) PolkaVM/risc0 benchmark results. Note: Fetched 3rd April, 2024 External Links: Link Cited by: §2.2.1.
[27] M. O. Saarinen and J. Aumasson (2015-11) The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC). Request for Comments, RFC Editor. Note: RFC 7693 External Links: Document, Link Cited by: §3.8.1.
[28] A. Sadana (2024) Bringing polkadot tech to ethereum. Note: Fetched 18th March, 2024 External Links: Link Cited by: footnote 4.
[29] S. Sharma (2023) Ethereum’s rollups are centralized. External Links: Link Cited by: §2.2.
[30] Solana Foundation (2023) Solana data goes live on google cloud bigquery. Note: Fetched 18th March, 2024 External Links: Link Cited by: §2.4.
[31] Solana Labs (2024) Solana validator requirements. Note: Fetched 18th March, 2024 External Links: Link Cited by: §2.4.
[32] A. Stewart and E. Kokoris-Kogia (2020) Grandpa: a byzantine finality gadget. arXiv preprint arXiv:2007.01560. Cited by: §19.
[33] D. Tanana (2019) Avalanche blockchain protocol for distributed computing security. In 2019 IEEE International Black Sea Conference on Communications and Networking (BlackSeaCom), pp. 1–3. Cited by: §2.3.
[34] J. Thaler (2023) A technical faq on lasso, jolt, and recent advancements in snark design. Note: Fetched 3rd April, 2024 External Links: Link Cited by: §2.2.1.
[35] Wikipedia (2024) Fisher-Yates shuffle: The modern algorithm. External Links: Link Cited by: §3.7.5.
[36] G. Wood (2014) Ethereum: a secure decentralised generalised transaction ledger. Ethereum project yellow paper 151, pp. 1–32. Cited by: §2.2, §3.8.1.
[37] A. Yakovenko (2018) Solana: a new architecture for a high performance blockchain v0. 8.13. Cited by: §2.4.

Join-Accumulate Machine: A Mostly-Coherent Trustless Supercomputer Draft 0.8.0 ​​​​ - June 3, 2026