Skip to main content
mip.watch
⌘K

MIP-10

Deterministic RaptorCast

Draft Standards Track Core GitHub ↗ Forum ↗
Idea Draft Review Last Call Final Living

Introduces a canonical encoding scheme for RaptorCast that closes asymmetric liveness and equivocation attack surfaces and reduces dissemination latency

Authors
Category Labs
Created
2026-04-28
Updated
Jun 15, 2026

Stakeholder Impact

What this MIP changes for each audience. Severity and action flags are model-derived with deterministic floors per MIP type/category.

TL;DR

MIP-10 introduces Deterministic RaptorCast, a new encoding scheme for RaptorCast that enhances security and reduces latency in block dissemination. It aims to prevent certain attacks and allows validators to vote on block proposals more efficiently.

What's Changing

  • Canonical seed creation - A fixed seed derived from round number, leader identity, and proposal time ensures consistent encoding.
  • Unified Merkle root - Instead of multiple trees, a single global Merkle root binds all chunks to one encoding, improving integrity.
  • Per-round equivocation detection - Validators record the first valid encoding commitment to prevent conflicting proposals.

Developers

Smart contract & dapp builders, RPC consumers, tooling authors

This MIP introduces a new encoding scheme for RaptorCast that changes how chunks are validated and processed, which may require developers to update their implementations to accommodate the new EncodingCommitment and chunk validation rules. Existing contracts using the previous RaptorCast version may not function correctly without recompilation or redeployment.

High action required

Users

Wallet users, EOA holders, dapp visitors

Users may experience improved transaction confirmation speeds due to reduced dissemination latency, but no immediate action is required from them. Asset safety and custody remain unchanged.

Medium

Validators

Node operators, RPC operators, delegators

The introduction of Deterministic RaptorCast enhances the efficiency and security of block dissemination, potentially reducing latency and improving validator performance. However, there is no direct impact on validator revenue or profitability as the changes do not alter block rewards, fees, or staking yields.

Medium

Foundation

Monad Foundation & Category Labs core devs

The introduction of Deterministic RaptorCast requires governance coordination to ensure alignment across clients and partners regarding the new encoding scheme and its implications for the consensus protocol. Additionally, it sets a precedent for future standards related to broadcast modes and encoding schemes.

High action required

Generated May 29, 2026, 8:51 AM · model: gpt-4o-mini

Specification

Cite
Subsystems executionconsensusstakingeconomicsnetworking

## Abstract

This MIP proposes Deterministic RaptorCast (v1), a new broadcast mode for the RaptorCast dissemination layer that fixes the Raptor encoding via a publicly derivable seed and enforces per-round equivocation detection by recording the first valid (Merkle root, leader signature) pair seen for each round, referred to as an ``EncodingCommitment``.

The change delivers three benefits: (1) it can enable validators to vote directly on the Merkle root commitment upon receiving a verified chunk without decoding, saving one message delay on the critical path; (2) it closes asymmetric liveness attacks in which a Byzantine leader selectively withholds singleton Encoding Symbol Identifiers (ESIs) from targeted validators, causing reconstruction delays of several hundred milliseconds; and (3) it closes mixed-commitment equivocation, in which a leader constructs a single Merkle root from chunks encoding multiple distinct payloads. Note that benefit (3) is contingent on the consensus protocol being revised to vote on the Merkle root commitment rather than the decoded payload; without that change, the equivocation attack surface does not arise in the first place.

## Motivation

MonadBFT uses RaptorCast to disseminate block proposals across the validator set. The current protocol (v0) (see [RaptorCast: Designing a Messaging Layer](https://www.category.xyz/blogs/raptorcast-designing-a-messaging-layer)) places no constraint on which ESI the leader assigns to which position in the Merkle tree, nor on which ESIs are delivered to which validator. This delivery freedom has three consequences that Deterministic RaptorCast addresses.

- **Latency** A natural optimization is to overlap block propagation with consensus voting. Rather than waiting to fully reconstruct a block before casting a vote, a validator that receives a chunk and can verify it against the block's Merkle root could vote immediately—saving one message delay on the consensus critical path. Under v0, however, this is unsafe. Because the leader has freedom over ESI assignment, the same Merkle root can be consistent with multiple distinct payloads; a vote on the root therefore does not unambiguously certify a single block. A canonical (deterministic) encoding removes this ambiguity: since the Merkle root now commits to exactly one possible payload, opening the opportunity for validators to vote on the root as soon as they receive a verified chunk.

- **Attack 1: Asymmetric liveness** Raptor codes decode most efficiently when the decoder receives at least some degree-1 ([singleton](https://www.category.xyz/blogs/raptorcast-designing-a-messaging-layer#2-encoding-system)) ESIs, since these are the entry point for the Belief Propagation peeling decoder. Without any singletons the decoder stalls immediately and must fall back to Gaussian elimination, which is substantially more expensive. A Byzantine leader can exploit v0's delivery freedom to selectively deprive targeted validators of singletons while supplying adversarially chosen high-degree repair chunks that maximize Gaussian elimination cost. The result is that targeted validators reconstruct upto several hundred milliseconds later (depending on the number of source symbols) than the rest of the set which is enough of a delay to starve them of votes in the current view. This gives the leader discretion to force future view failures.

- **Attack 2: Mixed-commitment equivocation** Lowering the latency by voting on the merkle root of encoded chunks involves decode-re-encode consistency check to make sure encoding is valid. Without a fixed ESI-to-position mapping, the decode-re-encode consistency check cannot be correctly defined for rateless codes. A leader can construct a single Merkle root whose leaves are drawn from encodings of multiple distinct payloads. Every chunk passes Merkle verification, but validators collecting different subsets decode to different payloads. If validators vote on the root without decoding, they believe they are certifying the same block while certifying different ones.


## Specification

### Seed Derivation

The canonical seed (also called encoding seed) is computed by the leader at proposal time. It consists of the hash of (round number, leader identity, and proposal time). The chunk header contains all necessary data for validators to deterministically recompute this seed, which they do upon receiving the chunk. Validators also check that the proposal time falls within an acceptable range of their local clock before accepting the seed as valid.

### Encoding

The leader encodes payload `B` as:

```
(c_1, ..., c_n) = RaptorEnc(B, seed)
R               = MerkleRoot(c_1, ..., c_n)
```

In v0, chunks were organized into multiple Merkle trees of `32` chunks each, with each tree independently signed by the leader. v1 replaces this with a 
single global Merkle root `R` computed over all `n` chunks, providing a unified commitment that binds every chunk to a single canonical encoding of 
the proposal. The Merkle tree depth is dynamically calculated based on the  number of chunks, up to a maximum depth of 15. Each Merkle proof is 
`20 × (merkle_tree_depth - 1)` bytes, giving a worst-case proof size of `280` bytes compared to `100` bytes in v0.

Position `i` MUST contain the chunk generated with `ESI = i` under seed. The pair `(R, σ)` where `σ = Sign(round, timestamp, R)` is the ``EncodingCommitment`` for this proposal.

### Chunk Validation

A validator accepts a v1 chunk packet `(round, timestamp, R, σ, i, π_i, c_i)`. A validator accepts the chunk if and only if all of the following holds:

- **Timeliness** The packet's round is within the accepted round window, and the timestamp is within an acceptable range of the validator's local clock.

- **Leader authenticity** `σ` is a valid leader signature over round, timestamp and `R` (`σ = Sign(round, timestamp, R)`).

- **Encoding commitment consistency** `(R, σ)` matches the encoding commitment already recorded for this round. If no commitment is recorded yet, the validator records this one.

- **Chunk integrity** The Merkle proof `π_i` verifies `c_i` at index `i` against `R`.

Chunks failing any check are silently dropped. A conflicting commitment (same round, different `R` or `σ`) is logged as equivocation evidence and the chunk carrying the conflicting commitment is dropped.

### Encoding Verification (Decode-Re-encode Check)

After collecting sufficient chunks and decoding payload B, a validator MUST verify:

```
MerkleRoot(RaptorEnc(B, seed)) == R
```

The seed is deterministically recomputed from the values given in the chunk header. If the above check fails, the payload is rejected. This check is well-defined under v1 because seed fixes the ESI-to-position mapping: re-encoding `B` always produces the same chunk set that can be validated against the recorded ``EncodingCommitment``. Under v0 this check cannot be reliably applied.

## Rationale

Deterministic RaptorCast requires minimal changes to the existing RaptorCast infrastructure. The encoding scheme, Merkle commitments, chunk delivery, and rebroadcast all remain unchanged. The additions are: a canonical seed derived from existing proposal metadata, per-round equivocation detection at each validator. These changes are sufficient to close both attack surfaces and to make voting on the Merkle root commitment safe before decoding, with no changes to the consensus voting protocol, the quorum certificate format, or the execution layer. The resulting protocol satisfies the following properties.

### Properties

Deterministic RaptorCast satisfies the following three properties.

- **Availability** If a Quorum Certificate for a Merkle root `R` exists, every correct validator eventually terminates.

- **Integrity** If the leader is correct, every correct validator that decodes a payload recovers exactly the payload originally dispersed by the leader.

- **Consistency** Any two correct validators that decode a payload from chunks consistent with `R` recover the same payload. If no valid payload is consistent with `R`, every correct validator returns `⊥`.

Consistency is what makes voting on `R` safe prior to decoding. A validator that casts a vote on `R` implicitly vouches for a unique payload: consistency guarantees that every validator that subsequently decodes arrives at the same one. Absent this property, two validators could vote on the same `R` while holding chunks that decode to different payloads, violating consensus safety.

The canonical seed also unlocks a post-consensus validity gate at the execution layer that was not previously applicable. Because the decode-re-encode check produces the same result at every correct validator, it can be applied after consensus has decided a block: any block whose decoded payload fails the check will be independently rejected by every correct validator, with no risk of a split. Under v0 this gate could not be employed without a canonical seed; different validators re-encoding the same payload could produce different roots and reach different conclusions about the same block.

This is enforced by two complementary mechanisms. First, per-round equivocation detection: upon receiving the first valid v1 chunk for a round, each validator records an ``EncodingCommitment`` — the pair (global_merkle_root, signature) — and rejects any subsequent chunk for that round with different fields. Second, the canonical seed fixes the ESI-to-position mapping, making the decode-re-encode check well-defined: re-encoding any decoded payload under the public seed always produces the same chunk set that can be validated against the same ``EncodingCommitment``.

## Security Considerations

The attacks motivating this MIP, asymmetric liveness and mixed-commitment equivocation, are closed by the canonical seed and per-round equivocation detection as described in the Properties section.

- **Seed grinding** The seed construction bounds a Byzantine leader's payload-grinding advantage to negligible within the available window: a leader cannot do better than random chance in selecting a seed that produces a favorable degree distribution within the time bucket.

- **Round window** Chunks outside the accepted round window are silently dropped. This prevents unbounded buffering but means a node that falls significantly behind the current round will not receive chunks for rounds outside its window until it catches up.

## Reference Implementation
The reference implementation can be found at [https://github.com/category-labs/monad-bft/pull/2811](https://github.com/category-labs/monad-bft/pull/2811).

Forum discussion

3 posts · 7 likes · 2 months ago
Read more on forum ↗
  1. @mjalalzai #1 Apr 29, 2026, 6:19 PM

    MIP-10 - Deterministic RaptorCast Deterministic RaptorCast anchors the Raptor encoding to a publicly derivable seed, making it safe to vote directly on the Merkle root upon receiving a single verified chunk without decoding and saving one message delay on the critical path. It also closes two attack surfaces: asymmetric liveness, where a Byzantine leader deprives targeted validators of efficient decoding inputs causing reconstruction delays of several hundred milliseconds, and mixed-commitment equivocation, where a single Merkle root decodes to different payloads at different validators.

  2. @Vladimir Understanding #2 May 2, 2026, 8:46 PM

    mjalalzai: Deterministic RaptorCast anchors the Raptor encoding to a publicly derivable seed, making it safe to vote directly on the Merkle root upon receiving a single verified chunk without decoding and saving one message delay on the critical path. It also closes two attack surfaces: asymmetric liveness, where a Byzantine leader deprives targeted validators of efficient decoding inputs causing reconstruction delays of several hundred milliseconds, and mixed-commitment equivocation, where a single Merkle root decodes to different payloads at different validators. Regarding the proposal to vote on the Merkle root after receiving a single verified chunk: How does this impact the guarantee of data availability? While it certainly reduces latency, I’m curious if this change introduces a window where a validator might vote on a root for which the full payload hasn’t yet been fully prop...

  3. @mjalalzai #3 May 3, 2026, 11:52 PM

    This is intentional pipelining. Dissemination and the first round of consensus voting proceed in parallel rather than sequentially. If QC forms from 2f+1 such votes, it guarantees that at least f+1 correct validators hold valid chunks, which is sufficient for any correct validator to reconstruct the full payload.