matter-labs · pompon0 · Nov 6, 2023 · Oct 23, 2023 · Oct 23, 2023 · Oct 27, 2023
diff --git a/node/Cargo.lock b/node/Cargo.lock
diff --git a/node/Cargo.toml b/node/Cargo.toml
@@ -26,17 +26,21 @@ assert_matches = "1.5.0"
 async-trait = "0.1.71"
 bit-vec = "0.6"
 blst = "0.3.10"
+bn254 = "0.0.1"
+ark-bn254 = "0.4.0"
+ark-ec = "0.4.2"
+num-traits = "0.2.17"
 clap = { version = "4.3.3", features = ["derive"] }
 ed25519-dalek = { version = "2.0.0", features = ["serde", "rand_core"] }
 futures = "0.3.28"
 hex = "0.4.3"
-hyper = { version = "0.14.27", features = ["http1", "http2","server","tcp"] }
+hyper = { version = "0.14.27", features = ["http1", "http2", "server", "tcp"] }
 im = "15.1.0"
 once_cell = "1.17.1"
 pin-project = "1.1.0"
 prost = "0.11.0"
 prost-build = "0.11.0"
-prost-reflect = { version = "0.11.0", features = ["derive","serde"] }
+prost-reflect = { version = "0.11.0", features = ["derive", "serde"] }
 prost-reflect-build = "0.11.0"
 protoc-bin-vendored = "3.0.0"
 prettyplease = "0.2.6"

diff --git a/node/actors/consensus/src/leader/error.rs b/node/actors/consensus/src/leader/error.rs
@@ -40,9 +40,9 @@ pub(crate) enum Error {
         current_view: validator::ViewNumber,
     },
     #[error("received replica commit message with invalid signature")]
-    ReplicaCommitInvalidSignature(#[source] crypto::bls12_381::Error),
+    ReplicaCommitInvalidSignature(#[source] crypto::bn254::Error),
     #[error("received replica prepare message with invalid signature")]
-    ReplicaPrepareInvalidSignature(#[source] crypto::bls12_381::Error),
+    ReplicaPrepareInvalidSignature(#[source] crypto::bn254::Error),
     #[error("received replica prepare message with invalid high QC")]
     ReplicaPrepareInvalidHighQC(#[source] anyhow::Error),
 }

diff --git a/node/actors/consensus/src/replica/error.rs b/node/actors/consensus/src/replica/error.rs
@@ -26,9 +26,9 @@ pub(crate) enum Error {
         current_phase: validator::Phase,
     },
     #[error("received leader commit message with invalid signature")]
-    LeaderCommitInvalidSignature(#[source] crypto::bls12_381::Error),
+    LeaderCommitInvalidSignature(#[source] crypto::bn254::Error),
     #[error("received leader prepare message with invalid signature")]
-    LeaderPrepareInvalidSignature(#[source] crypto::bls12_381::Error),
+    LeaderPrepareInvalidSignature(#[source] crypto::bn254::Error),
     #[error("received leader commit message with invalid justification")]
     LeaderCommitInvalidJustification(#[source] anyhow::Error),
     #[error("received leader prepare message with empty map in the justification")]

@@ -1,7 +1,7 @@
 use crate::{frame, noise};
 use anyhow::Context as _;
 use concurrency::{ctx, time};
-use crypto::{bls12_381, ByteFmt};
+use crypto::{bn254, ByteFmt};
 use roles::{node, validator};
 use schema::{proto::network::consensus as proto, read_required, ProtoFmt};
 
@@ -43,7 +43,7 @@ pub(super) enum Error {
     #[error("unexpected peer")]
     PeerMismatch,
     #[error("validator signature {0}")]
-    Signature(#[from] bls12_381::Error),
+    Signature(#[from] bn254::Error),
     #[error("stream {0}")]
     Stream(#[source] anyhow::Error),
 }

@@ -9,6 +9,10 @@ license.workspace = true
 [dependencies]
 anyhow.workspace = true
 blst.workspace = true
+bn254.workspace = true
+ark-bn254.workspace = true
+ark-ec.workspace = true
+num-traits.workspace = true
 ed25519-dalek.workspace = true
 hex.workspace = true
 rand.workspace = true

@@ -0,0 +1,12 @@
+#[derive(Debug, thiserror::Error)]
+pub enum Error {
+    /// Signature verification failure
+    #[error("Signature verification failure: {0:?}")]
+    SignatureVerification(bn254::Error),
+    /// Aggregate signature verification failure
+    #[error("Aggregate signature verification failure:")]
+    AggregateSignatureVerification,
+    /// Error aggregating signatures
+    #[error("Error aggregating signatures:")]
+    SignatureAggregation,
+}
@@ -0,0 +1,201 @@
+//! BLS signature scheme for BN254 curve.
+
+use std::collections::BTreeMap;
+
+use anyhow::anyhow;
+use bn254::{ECDSA, PrivateKey};
+use rand::Rng;
+
+pub use crate::bn254::error::Error;
+use crate::bn254_2::hash;
+use crate::ByteFmt;
+
+mod error;
+
+mod testonly;
+#[cfg(test)]
+mod tests;
+
+pub struct SecretKey(PrivateKey);
+
+impl SecretKey {
+    /// Generates a random secret key
+    pub fn random<R: Rng>(rng: &mut R) -> Self {
+        let private_key = PrivateKey::random(rng);
+        return Self(private_key);
+    }
+
+    /// Produces a signature using this [`SecretKey`]
+    pub fn sign(&self, msg: &[u8]) -> Signature {
+        let sig = ECDSA::sign(&msg, &self.0).unwrap();
+        Signature(sig)
+    }
+
+    /// Gets the corresponding [`PublicKey`] for this [`SecretKey`]
+    pub fn public(&self) -> PublicKey {
+        let pk = bn254::PublicKey::from_private_key(&self.0);
+        PublicKey(pk)
+    }
+}
+
+impl ByteFmt for SecretKey {
+    fn decode(bytes: &[u8]) -> anyhow::Result<Self> {
+        bn254::PrivateKey::try_from(bytes)
+            .map(Self)
+            .map_err(|e| anyhow!("Failed to decode secret key: {e:?}"))
+    }
+
+    fn encode(&self) -> Vec<u8> {
+        self.0.to_bytes().unwrap()
+    }
+}
+
+/// Type safety wrapper around a `bn254` public key.
+#[derive(Clone)]
+pub struct PublicKey(bn254::PublicKey);
+
+impl PartialEq for PublicKey {
+    fn eq(&self, other: &Self) -> bool {
+        ByteFmt::encode(self).eq(&ByteFmt::encode(other))
+    }
+}
+
+impl Eq for PublicKey {}
+
+impl ByteFmt for PublicKey {
+    fn decode(bytes: &[u8]) -> anyhow::Result<Self> {
+        bn254::PublicKey::from_compressed(bytes)
+            .map(Self)
+            .map_err(|err| anyhow!("Error decoding public key: {err:?}"))
+    }
+
+    fn encode(&self) -> Vec<u8> {
+        self.0.to_compressed().unwrap()
+    }
+}
+
+impl std::hash::Hash for PublicKey {
+    fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
+        state.write(&self.0.to_compressed().unwrap())
+    }
+}
+
+impl PartialOrd for PublicKey {
+    fn partial_cmp(&self, other: &Self) -> Option<std::cmp::Ordering> {
+        Some(self.cmp(other))
+    }
+}
+
+impl Ord for PublicKey {
+    fn cmp(&self, other: &Self) -> std::cmp::Ordering {
+        ByteFmt::encode(self).cmp(&ByteFmt::encode(other))
+    }
+}
+
+#[derive(Clone, Debug)]
+pub struct Signature(bn254::Signature);
+
+impl Signature {
+    pub fn verify(&self, msg: &[u8], pk: &PublicKey) -> Result<(), Error> {
+        let result = ECDSA::verify(msg, &self.0, &pk.0);
+        match result {
+            Ok(()) => Ok(()),
+            Err(err) => Err(Error::SignatureVerification(err)),
+        }
+    }
+}
+
+impl PartialEq for Signature {
+    fn eq(&self, other: &Self) -> bool {
+        ByteFmt::encode(self).eq(&ByteFmt::encode(other))
+    }
+}
+
+impl Eq for Signature {}
+
+impl ByteFmt for Signature {
+    fn decode(bytes: &[u8]) -> anyhow::Result<Self> {
+        bn254::Signature::from_compressed(bytes)
+            .map(Self)
+            .map_err(|err| anyhow!("Error decoding signature: {err:?}"))
+    }
+    fn encode(&self) -> Vec<u8> {
+        self.0.to_compressed().unwrap()
+    }
+}
+
+impl PartialOrd for Signature {
+    fn partial_cmp(&self, other: &Self) -> Option<std::cmp::Ordering> {
+        Some(self.cmp(other))
+    }
+}
+
+impl Ord for Signature {
+    fn cmp(&self, other: &Self) -> std::cmp::Ordering {
+        ByteFmt::encode(self).cmp(&ByteFmt::encode(other))
+    }
+}
+
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub struct AggregateSignature(Signature);
+
+impl AggregateSignature {
+    pub fn aggregate<'a>(sigs: impl IntoIterator<Item = &'a Signature>) -> Self {
+        let sigs: Vec<bn254::Signature> = sigs.into_iter().map(|s| s.0).collect();
+        let mut agg = sigs[0];
+        for i in 1..sigs.len() {
+            agg = agg + sigs[i];
+        }
+
+        AggregateSignature(Signature(agg))
+    }
+
+    pub fn verify<'a>(
+        &self,
+        msgs_and_pks: impl Iterator<Item = (&'a [u8], &'a PublicKey)>,
+    ) -> Result<(), Error> {
+        // Aggregate public keys if they are signing the same hash. Each public key aggregated
+        // is one fewer pairing to calculate.
+        let mut tree_map: BTreeMap<_, PublicKey> = BTreeMap::new();
+
+        for (msg, pk) in msgs_and_pks {
+            if let Some(existing_pk) = tree_map.get_mut(msg) {
+                let agg = PublicKey(existing_pk.0 + pk.0);
+                tree_map.insert(msg, agg);
+            } else {
+                tree_map.insert(msg, (*pk).clone());
+            }
+        }
+
+        for (msg, pk) in tree_map {
+            if let Err(err) = self.0.verify(msg, &pk) {
+                return Err(err);
+            }
+        }
+
+        Ok(())
+    }
+}
+
+impl ByteFmt for AggregateSignature {
+    fn decode(bytes: &[u8]) -> anyhow::Result<Self> {
+        let signature = Signature::decode(bytes)?;
+        Ok(AggregateSignature(signature))
+    }
+
+    fn encode(&self) -> Vec<u8> {
+        Signature::encode(&self.0)
+    }
+}
+
+impl PartialOrd for AggregateSignature {
+    fn partial_cmp(&self, other: &Self) -> Option<std::cmp::Ordering> {
+        Some(self.cmp(other))
+    }
+}
+
+impl Ord for AggregateSignature {
+    fn cmp(&self, other: &Self) -> std::cmp::Ordering {
+        ByteFmt::encode(self).cmp(&ByteFmt::encode(other))
+    }
+}
@@ -0,0 +1,35 @@
+//! Random key generation, intended for use in testing
+
+use super::{AggregateSignature, ByteFmt, PublicKey, SecretKey, Signature};
+use rand::{distributions::Standard, prelude::Distribution, Rng};
+
+/// Generates a random SecretKey. This is meant for testing purposes.
+impl Distribution<SecretKey> for Standard {
+    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> SecretKey {
+        SecretKey::decode(&rng.gen::<[u8; 32]>()).unwrap()
+    }
+}
+
+/// Generates a random Signature. This is meant for testing purposes.
+impl Distribution<Signature> for Standard {
+    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> Signature {
+        let key = rng.gen::<SecretKey>();
+        let msg = rng.gen::<[u8; 4]>();
+        key.sign(&msg)
+    }
+}
+
+/// Generates a random AggregateSignature. This is meant for testing purposes.
+impl Distribution<AggregateSignature> for Standard {
+    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> AggregateSignature {
+        let sig: Signature = self.sample(rng);
+        AggregateSignature(sig)
+    }
+}
+
+/// Generates a random PublicKey. This is meant for testing purposes.
+impl Distribution<PublicKey> for Standard {
+    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> PublicKey {
+        rng.gen::<SecretKey>().public()
+    }
+}