Peer Sampling safety concern

There is a concern regarding Peer Sampling safety if we want to get back to this approach for DAS instead of Subnet Sampling approach in the present EIP-7594 version or next DAS iterations.

• How our draft sampling algorithm (Teku PeerDas) worked for sampling a single column:

  • check local storage
  • if none found, ask existing peers from the corresponding subnet
  • if none found, try finding other peers in the corresponding subnet

• Attack:

  • Make few adversarial nodes to custody all subnets
  • Develop a 'peer-sampling' Req/Resp pattern: when a peer wants to sample and not back-fill its custody
  • Response to any 'peer-sampling' query
  • Don't response to other requests, don't broadcast samples to gossip subnets
  • False positive result:
    • DA peer sampling succeeds for everyone
    • Data is not actually available
  • Attack is possible for either block proposer or an adversary who managed to eclipse block proposer node

• From that perspective Peer Sampling only ensures that data was available (was not withheld)

  • Enough samples was revealed for the network to restore the data
  • but samples retrieved are disposed and are not available to be found and queried

• How subnet sampling is different

  • Sampled columns are stored and available for download
    • In the corner case with 8 samples and 4 columns custody this is not applicable for those columns which are sampled but not stored in custody
  • Sampled columns are propagated further via Pubsub