Switch from bls12_381 to bn254

node/Cargo.toml

@@ -26,17 +26,21 @@ assert_matches = "1.5.0"
 async-trait = "0.1.71"
 bit-vec = "0.6"
 blst = "0.3.10"
+ark-bn254 = "0.4.0"
+ark-ec = "0.4.2"
+ark-serialize = "0.4.2"
+num-traits = "0.2.17"
 clap = { version = "4.3.3", features = ["derive"] }
 ed25519-dalek = { version = "2.0.0", features = ["serde", "rand_core"] }
 futures = "0.3.28"
 hex = "0.4.3"
-hyper = { version = "0.14.27", features = ["http1", "http2","server","tcp"] }
+hyper = { version = "0.14.27", features = ["http1", "http2", "server", "tcp"] }
 im = "15.1.0"
 once_cell = "1.17.1"
 pin-project = "1.1.0"
 prost = "0.11.0"
 prost-build = "0.11.0"
-prost-reflect = { version = "0.11.0", features = ["derive","serde"] }
+prost-reflect = { version = "0.11.0", features = ["derive", "serde"] }
 prost-reflect-build = "0.11.0"
 protoc-bin-vendored = "3.0.0"
 prettyplease = "0.2.6"
@@ -76,6 +80,9 @@ panic = 'abort'
 [profile.release]
 panic = 'abort'
 
+[profile.dev.package.crypto]
+opt-level = 3
+
 # Compile all the external dependencies with optimizations, because
 # some of them (especially the cryptographic primitives) are extremely
 # slow when compiled without optimizations, and make the tests run slow.

node/actors/consensus/src/leader/replica_commit.rs

@@ -41,7 +41,7 @@ pub(crate) enum Error {
     },
     /// Invalid message signature.
     #[error("invalid signature: {0:#}")]
-    InvalidSignature(#[source] crypto::bls12_381::Error),
+    InvalidSignature(#[source] validator::Error),
 }
 
 impl StateMachine {

node/actors/consensus/src/leader/replica_prepare.rs

@@ -50,7 +50,7 @@ pub(crate) enum Error {
     },
     /// Invalid message signature.
     #[error("invalid signature: {0:#}")]
-    InvalidSignature(#[source] crypto::bls12_381::Error),
+    InvalidSignature(#[source] validator::Error),
     /// Invalid `HighQC` message.
     #[error("invalid high QC: {0:#}")]
     InvalidHighQC(#[source] anyhow::Error),

node/actors/consensus/src/replica/leader_commit.rs

@@ -28,7 +28,7 @@ pub(crate) enum Error {
     },
     /// Invalid message signature.
     #[error("invalid signature: {0:#}")]
-    InvalidSignature(#[source] crypto::bls12_381::Error),
+    InvalidSignature(#[source] validator::Error),
     /// Invalid justification for the message.
     #[error("invalid justification: {0:#}")]
     InvalidJustification(#[source] anyhow::Error),

node/actors/consensus/src/replica/leader_prepare.rs

@@ -32,7 +32,7 @@ pub(crate) enum Error {
     },
     /// Invalid message signature.
     #[error("invalid signature: {0:#}")]
-    InvalidSignature(#[source] crypto::bls12_381::Error),
+    InvalidSignature(#[source] validator::Error),
     /// Invalid `PrepareQC` message.
     #[error("invalid PrepareQC: {0:#}")]
     InvalidPrepareQC(#[source] anyhow::Error),

node/actors/consensus/src/replica/tests.rs

@@ -6,6 +6,7 @@ use roles::validator::{self, ViewNumber};
 
 #[tokio::test]
 async fn start_new_view_not_leader() {
+    concurrency::testonly::abort_on_panic();
     let ctx = &ctx::test_root(&ctx::ManualClock::new());
     let rng = &mut ctx.rng();
 

node/actors/consensus/src/tests.rs

@@ -6,7 +6,7 @@ use concurrency::ctx;
 
 async fn run_test(behavior: Behavior, network: Network) {
     concurrency::testonly::abort_on_panic();
-    let ctx = &ctx::test_root(&ctx::AffineClock::new(4.));
+    let ctx = &ctx::test_root(&ctx::AffineClock::new(1.));
 
     const NODES: usize = 11;
     let mut nodes = vec![behavior; NODES];

node/actors/network/src/consensus/handshake/mod.rs

@@ -1,7 +1,7 @@
 use crate::{frame, noise};
 use anyhow::Context as _;
 use concurrency::{ctx, time};
-use crypto::{bls12_381, ByteFmt};
+use crypto::ByteFmt;
 use roles::{node, validator};
 use schema::{proto::network::consensus as proto, read_required, ProtoFmt};
 
@@ -43,7 +43,7 @@ pub(super) enum Error {
     #[error("unexpected peer")]
     PeerMismatch,
     #[error("validator signature {0}")]
-    Signature(#[from] bls12_381::Error),
+    Signature(#[from] validator::Error),
     #[error("stream {0}")]
     Stream(#[source] anyhow::Error),
 }

node/deny.toml

@@ -60,6 +60,7 @@ skip = [
 
     # Old versions required by hyper.
     { name = "socket2", version = "=0.4.9" },
+    { name = "hashbrown", version = "=0.12.3" }, # (hyper -> h2 -> indexmap -> hashbrown)
 ]
 
 [sources]

node/libs/crypto/Cargo.toml

@@ -9,8 +9,20 @@ license.workspace = true
 [dependencies]
 anyhow.workspace = true
 blst.workspace = true
+ark-bn254.workspace = true
+ark-ec.workspace = true
+ark-serialize.workspace = true
+num-traits.workspace = true
 ed25519-dalek.workspace = true
 hex.workspace = true
 rand.workspace = true
 sha2.workspace = true
 thiserror.workspace = true
+tracing.workspace = true
+
+[dev-dependencies]
+criterion = "0.5.1"
+
+[[bench]]
+name = "bench"
+harness = false

node/libs/crypto/benches/bench.rs

@@ -0,0 +1,48 @@
+#![allow(clippy::missing_docs_in_private_items)]
+#![allow(missing_docs)]
+
+extern crate crypto;
+
+use criterion::{criterion_group, criterion_main, Criterion};
+use rand::Rng;
+use std::iter::repeat_with;
+
+fn bench_bn254(c: &mut Criterion) {
+    use crypto::bn254::{AggregateSignature, PublicKey, SecretKey, Signature};
+    let mut rng = rand::thread_rng();
+    let mut group = c.benchmark_group("bn254");
+    group.bench_function("100 sig aggregation", |b| {
+        b.iter(|| {
+            let sks: Vec<SecretKey> = repeat_with(|| rng.gen::<SecretKey>()).take(100).collect();
+            let pks: Vec<PublicKey> = sks.iter().map(|k| k.public()).collect();
+            let msg = rng.gen::<[u8; 32]>();
+            let sigs: Vec<Signature> = sks.iter().map(|k| k.sign(&msg)).collect();
+            let agg = AggregateSignature::aggregate(&sigs);
+            agg.verify(pks.iter().map(|pk| (&msg[..], pk))).unwrap()
+        });
+    });
+
+    group.finish();
+}
+
+#[allow(missing_docs)]
+fn bench_bls12_381(c: &mut Criterion) {
+    use crypto::bls12_381::{AggregateSignature, PublicKey, SecretKey, Signature};
+    let mut rng = rand::thread_rng();
+    let mut group = c.benchmark_group("bls12_381");
+    group.bench_function("100 sig aggregation", |b| {
+        b.iter(|| {
+            let sks: Vec<SecretKey> = repeat_with(|| rng.gen::<SecretKey>()).take(100).collect();
+            let pks: Vec<PublicKey> = sks.iter().map(|k| k.public()).collect();
+            let msg = rng.gen::<[u8; 32]>();
+            let sigs: Vec<Signature> = sks.iter().map(|k| k.sign(&msg)).collect();
+            let agg = AggregateSignature::aggregate(&sigs)?;
+            agg.verify(pks.iter().map(|pk| (&msg[..], pk)))
+        });
+    });
+
+    group.finish();
+}
+
+criterion_group!(benches, bench_bls12_381, bench_bn254);
+criterion_main!(benches);

node/libs/crypto/src/bn254/error.rs

@@ -0,0 +1,9 @@
+/// Error type for generating and interacting with bn254.
+#[derive(Debug, thiserror::Error)]
+#[non_exhaustive]
+pub enum Error {
+    #[error("Signature verification failure")]
+    SignatureVerificationFailure,
+    #[error("Aggregate signature verification failure")]
+    AggregateSignatureVerificationFailure,
+}

node/libs/crypto/src/bn254/hash.rs

@@ -0,0 +1,28 @@
+//! Hash operations.
+
+use ark_bn254::{G1Affine, G1Projective};
+use ark_ec::AffineRepr as _;
+use sha2::Digest as _;
+use tracing::instrument;
+
+/// Hashes an arbitrary message and maps it to an elliptic curve point in G1.
+#[instrument(level = "trace", skip_all)]
+pub(crate) fn hash_to_g1(msg: &[u8]) -> G1Projective {
+    for i in 0..256 {
+        // Hash the message with the index as suffix.
+        let bytes: [u8; 32] = sha2::Sha256::new()
+            .chain_update(msg)
+            .chain_update((i as u32).to_be_bytes())
+            .finalize()
+            .into();
+
+        // Try to get a G1 point from the hash. The probability that this works is around 1/8.
+        let p = G1Affine::from_random_bytes(&bytes);
+
+        if let Some(p) = p {
+            return p.into();
+        }
+    }
+    // It should be statistically infeasible to finish the loop without finding a point.
+    unreachable!()
+}