Paired-key Crypto Scheme #1705
Conversation
…ssfuly try to implement ByteArray for paired crypto Public
…ed crypto object in favor of avoiding copy
…me of aux traits for `paired_crypto::Signature`
… of seeds for paired crypto scheme.
…paired (ECDSA, BLS377) crypto
…_crypto.rs`. - put serialize and deserialize under `serde` feature instead of std. - in `primitives/core/src/bls.rs`. - fix documentation in `primitives/core/src/bls.rs`. - cargo fmt pair_crypto.rs
I could change the sign algorithm to sign the second signature using the first key. This potentially might give us a 7x speed up on verification time during validators gossip of BEEFY messages:
I couldn't find a readily implemented ECDSA for Arkworks so I used Schnorr on Secp256k1 instead but I don't expect a huge difference between ECDSA and a single schnorr verification. The result is on par with this experiment showing BLS verification being 10 times slower than ECDSA.
First pass.
In the meantime I'm going to read the interesting article you shared :-)
…and SCALE. Co-authored-by: Davide Galassi <davxy@datawok.net>
…ZED_SIZE` instead of magic numbers
I think currently it gets the public key from the vote messages. Nonetheless, I could imagine that someone would take advantage of the optimization. It is less relevant with the signatures, but we also for example do other stuff with the signatures, like aggregating them, which in BLS requires them to be in the form of points on the curve rather than the serialized form. But that is much less common than the public key reuse scenario. So I'll try to make it infallible with constraining first.
Doing this:
Results in:
I cannot introduce a new const generic only for the implementation of UncheckedFrom because Rust complains that Public does not depend on:
Results in:
This also doesn't work (not even in nightly):
as in
This compiles only in nightly:
with scary warnings about horrible consequences of using Note that in both of your proposed solutions we need to deal with this, because we need to finally convert So checking
- implemented `test_length_of_paired_ecdsa_and_bls377_public_key_and_signature_is_correct`
…/polkadot-sdk into skalman-paired-crypto-scheme
@davxy feel free to remove the
@davxy I removed the internal object; now it is just an array like the other cryptos.
Looks good 🟢
```rust
fn derive<Iter: Iterator<Item = DeriveJunction>>(
    &self,
    path: Iter,
    seed: Option<Self::Seed>,
) -> Result<(Self, Option<Self::Seed>), DeriveError> {
    let path: Vec<_> = path.collect();

    // Derive both halves along the same junction path.
    let left = self.left.derive(path.iter().cloned(), seed.map(|s| s.into()))?;
    let right = self.right.derive(path.into_iter(), seed.map(|s| s.into()))?;

    // A seed is returned only when both halves produced the same one.
    let seed = match (left.1, right.1) {
        (Some(l), Some(r)) if l.as_ref() == r.as_ref() => Some(l.into()),
        _ => None,
    };

    Ok((Self { left: left.0, right: right.0 }, seed))
}
```
Mmm... here if the two crypto schemes have different ways to derive the seed we end up with a None seed.
I don't like this a lot. But if it is good for the current application I'm not going to block things for this.
Would be nice to at least write this thing explicitly over this method docs.
@davxy something like #1705 (comment)?
can also integrate directly into PairT::derive
documentation, although it's specific to the implementation here.
The only way to be able to return a seed is to make the paired_crypto seed 64 bytes which is not inline with all other crypto schemes (and make it not composable i.e. you can't have a pair of paired schemes).
There is a comment in crypto.rs which says in some crypto schemes it is not possible to provide a direct seed after derivation:
We can also add paired_crypto scheme to that comment perhaps.
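The derive snippet under review and the seed discussion above are easier to reason about with a runnable model. The following is an added example, not polkadot-sdk code: a generic `Pair<L, R>` built from two toy single-key schemes, `ToyA` and `ToyB`, which stand in for ECDSA and BLS. Their "signatures" are keyed FNV-1a checksums and are not real cryptography; the junction is a single `u8` rather than a `DeriveJunction` path. What the model does show is the composition: concatenated fixed-length signatures split at `L::SIG_LEN`, verification that requires both halves (and rejects a wrong total length before splitting), and the same seed rule as the PR, where a derived seed comes back only when both halves report an identical one and is `None` otherwise.

```rust
// Added example (not polkadot-sdk code). ToyA/ToyB are toy stand-ins for
// ECDSA/BLS using keyed FNV-1a checksums; NOT real cryptography.
pub type Seed = [u8; 32];

pub trait Scheme: Sized {
    /// Fixed signature length, so a paired signature splits without a separator.
    const SIG_LEN: usize;
    fn from_seed(seed: Seed) -> Self;
    fn sign(&self, msg: &[u8]) -> Vec<u8>;
    fn verify(&self, msg: &[u8], sig: &[u8]) -> bool;
    /// Derive a child key for one junction; returns the child's seed if the scheme can.
    fn derive(&self, junction: u8) -> (Self, Option<Seed>);
}

/// Keyed FNV-1a over `key || msg`; toy stand-in for a signature.
fn keyed_digest(key: &[u8], msg: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in key.iter().chain(msg.iter()) {
        h ^= *b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

/// Deterministic child seed from `parent`, `junction` and a per-scheme domain byte.
fn child_seed(parent: &Seed, junction: u8, domain: u8) -> Seed {
    let d = keyed_digest(parent, &[domain, junction]).to_le_bytes();
    let mut out = [0u8; 32];
    for (i, b) in out.iter_mut().enumerate() {
        *b = d[i % 8] ^ (i as u8);
    }
    out
}

pub struct ToyA { seed: Seed }

impl Scheme for ToyA {
    const SIG_LEN: usize = 8;
    fn from_seed(seed: Seed) -> Self { ToyA { seed } }
    fn sign(&self, msg: &[u8]) -> Vec<u8> { keyed_digest(&self.seed, msg).to_le_bytes().to_vec() }
    fn verify(&self, msg: &[u8], sig: &[u8]) -> bool { sig == self.sign(msg).as_slice() }
    fn derive(&self, junction: u8) -> (Self, Option<Seed>) {
        let s = child_seed(&self.seed, junction, b'A');
        (ToyA { seed: s }, Some(s))
    }
}

/// ToyB derives through its own domain-separated path, so for the same
/// junction its child seed never matches ToyA's (the case davxy raised).
pub struct ToyB { seed: Seed }

impl Scheme for ToyB {
    const SIG_LEN: usize = 16;
    fn from_seed(seed: Seed) -> Self { ToyB { seed } }
    fn sign(&self, msg: &[u8]) -> Vec<u8> {
        // two digests with swapped inputs, just to get a 16-byte toy signature
        let mut sig = keyed_digest(&self.seed, msg).to_le_bytes().to_vec();
        sig.extend_from_slice(&keyed_digest(msg, &self.seed).to_le_bytes());
        sig
    }
    fn verify(&self, msg: &[u8], sig: &[u8]) -> bool { sig == self.sign(msg).as_slice() }
    fn derive(&self, junction: u8) -> (Self, Option<Seed>) {
        let s = child_seed(&self.seed, junction, b'B');
        (ToyB { seed: s }, Some(s))
    }
}

/// The paired scheme: both halves come from one seed and are always used together.
pub struct Pair<L: Scheme, R: Scheme> { left: L, right: R }

impl<L: Scheme, R: Scheme> Pair<L, R> {
    pub const SIG_LEN: usize = L::SIG_LEN + R::SIG_LEN;

    pub fn from_seed(seed: Seed) -> Self {
        Pair { left: L::from_seed(seed), right: R::from_seed(seed) }
    }

    /// Paired signature = left signature || right signature.
    pub fn sign(&self, msg: &[u8]) -> Vec<u8> {
        let mut sig = self.left.sign(msg);
        sig.extend_from_slice(&self.right.sign(msg));
        sig
    }

    /// Valid only if BOTH halves verify; a wrong total length is rejected first.
    pub fn verify(&self, msg: &[u8], sig: &[u8]) -> bool {
        if sig.len() != Self::SIG_LEN {
            return false;
        }
        let (l, r) = sig.split_at(L::SIG_LEN);
        self.left.verify(msg, l) && self.right.verify(msg, r)
    }

    /// Same seed rule as the PR's derive: Some only when both halves agree.
    pub fn derive(&self, junction: u8) -> (Self, Option<Seed>) {
        let (left, ls) = self.left.derive(junction);
        let (right, rs) = self.right.derive(junction);
        let seed = match (ls, rs) {
            (Some(l), Some(r)) if l == r => Some(l),
            _ => None,
        };
        (Pair { left, right }, seed)
    }
}
```

With `Pair<ToyA, ToyB>` the derived seed is `None` because the two halves disagree, while `Pair<ToyA, ToyA>` returns `Some`; the child pair is still fully usable for signing either way, which is the behaviour the method documentation should state.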
tACK - and thanks for removing the seed duplication (a01a814).
I recognize this change muddies the derive return though (#1705 (comment)).
Co-authored-by: Robert Hambrock <roberthambrock@gmail.com>
@davxy is this good to merge?
Yes
* master: (54 commits) Publish `xcm-emulator` crate (#1881) Adding migrations to clean Rococo Gov 1 storage & reserved funds (#1849) Arkworks Elliptic Curve utils overhaul (#1870) Fix typos (#1878) fix: GoAhead signal only set when runtime upgrade is enacted from parachain side (#1176) Refactor staking ledger (#1484) Paired-key Crypto Scheme (#1705) Include polkadot version in artifact path (#1828) add link to rfc-0001 in broker README (#1862) Discard `Executor` (#1855) Macros to use path instead of ident (#1474) Remove clippy clone-double-ref lint noise (#1860) Refactor alliance benchmarks to v2 (#1868) Check executor params coherence (#1774) frame: use derive-impl for beefy and mmr pallets (#1867) sc-consensus-beefy: improve gossip logic (#1852) Adds instance support for composite enums (#1857) Fix links to implementers' guide (#1865) Disabled validators runtime API (#1257) Adding `try_state` hook for `Treasury` pallet (#1820) ...
This pull request has been mentioned on Polkadot Forum. There might be relevant details there: https://forum.polkadot.network/t/polkadot-kusama-bridge/2971/6
This pull request has been mentioned on Polkadot Forum. There might be relevant details there: https://forum.polkadot.network/t/polkadot-kusama-bridge/2971/7
BEEFY needs two cryptographic keys at the same time. Validators should sign the BEEFY payload using both ECDSA and BLS keys. The network will gossip a payload which contains a valid ECDSA key. The prover nodes aggregate the BLS keys; if aggregation fails to verify, the validator which provided a valid ECDSA signature but an invalid BLS signature is subject to slashing.

As such, a BEEFY session should be initiated with both keys. Currently there is no straightforward way of doing so, besides having a session with a RuntimeApp corresponding to a crypto scheme that contains both keys.

This pull request implements a generic paired_crypto scheme as well as implementing it for the (ECDSA, BLS) pair.

---------
Co-authored-by: Davide Galassi <davxy@datawok.net>
Co-authored-by: Robert Hambrock <roberthambrock@gmail.com>

…aritytech#1815) Next step in the process of making BEEFY able to generate both ECDSA and BLS signatures after paritytech#1705. It allows BEEFY to use a pair of ECDSA and BLS keys as an AuthorityId.

---------
Co-authored-by: Davide Galassi <davxy@datawok.net>
Co-authored-by: Robert Hambrock <roberthambrock@gmail.com>