EIP4844: Update cryptography API and Fiat-Shamir logic

specs/eip4844/polynomial-commitments.md

@@ -18,14 +18,19 @@
     - [`bit_reversal_permutation`](#bit_reversal_permutation)
   - [BLS12-381 helpers](#bls12-381-helpers)
     - [`bytes_to_bls_field`](#bytes_to_bls_field)
+    - [`hash_to_bls_field`](#hash_to_bls_field)
     - [`bls_modular_inverse`](#bls_modular_inverse)
     - [`div`](#div)
     - [`g1_lincomb`](#g1_lincomb)
     - [`vector_lincomb`](#vector_lincomb)
+    - [`compute_powers`](#compute_powers)
   - [KZG](#kzg)
     - [`blob_to_kzg_commitment`](#blob_to_kzg_commitment)
     - [`verify_kzg_proof`](#verify_kzg_proof)
     - [`compute_kzg_proof`](#compute_kzg_proof)
+    - [`compute_aggregated_poly_and_commitment`](#compute_aggregated_poly_and_commitment)
+    - [`compute_aggregate_kzg_proof`](#compute_aggregate_kzg_proof)
+    - [`verify_aggregate_kzg_proof`](#verify_aggregate_kzg_proof)
   - [Polynomials](#polynomials)
     - [`evaluate_polynomial_in_evaluation_form`](#evaluate_polynomial_in_evaluation_form)
 
@@ -46,13 +51,18 @@ This document specifies basic polynomial operations and KZG polynomial commitmen
 | `BLSFieldElement` | `uint256` | `x < BLS_MODULUS` |
 | `KZGCommitment` | `Bytes48` | Same as BLS standard "is valid pubkey" check but also allows `0x00..00` for point-at-infinity |
 | `KZGProof` | `Bytes48` | Same as for `KZGCommitment` |
+| `Polynomial` | `Vector[BLSFieldElement, FIELD_ELEMENTS_PER_BLOB]` | a polynomial in evaluation form |
 
 ## Constants
 
 | Name | Value | Notes |
 | - | - | - |
 | `BLS_MODULUS` | `52435875175126190479447740508185965837690552500527637822603658699938581184513` | Scalar field modulus of BLS12-381 |
 | `ROOTS_OF_UNITY` | `Vector[BLSFieldElement, FIELD_ELEMENTS_PER_BLOB]` | Roots of unity of order FIELD_ELEMENTS_PER_BLOB over the BLS12-381 field |
+| `DOMAIN_SEPARATOR_FIELD_ELEMENT` | `b"FIELD_ELEMENT"` | Fiat-Shamir domain separator for field elements |
+| `DOMAIN_SEPARATOR_POINT` | `b"POINT"` | Fiat-Shamir domain separator for G1 points |
+| `DOMAIN_SEPARATOR_SQUEEZE` | `b"SQUEEZE"` | Fiat-Shamir domain separator before hashing |
+
 
 ## Preset
 
@@ -122,6 +132,32 @@ def bytes_to_bls_field(b: Bytes32) -> BLSFieldElement:
     return int.from_bytes(b, "little") % BLS_MODULUS
 ```
 
+#### `hash_to_bls_field`
+
+```python
+def hash_to_bls_field(polys: Sequence[Polynomial], comms: Sequence[KZGCommitment]) -> BLSFieldElement:
+    """
+    Compute 32-byte hash of serialised polynomials and commitments concatenated.
+    This hash is then converted to a BLS field element.
+    The output is not uniform over the BLS field.
+    """
+    data = bytes()
+
+    # Append each polynomial which is composed by field elements
+    for poly in polys:
+        for field_element in poly:
+            data += DOMAIN_SEPARATOR_FIELD_ELEMENT
+            data += int.to_bytes(field_element, 32, ENDIANNESS)
+
+    # Append serialised G1 points
+    for commitment in comms:
+        data += DOMAIN_SEPARATOR_POINT
+        data += commitment
+
+    data += DOMAIN_SEPARATOR_SQUEEZE
+    return bytes_to_bls_field(hash(data))
+```
+
 #### `bls_modular_inverse`
 
 ```python
@@ -171,6 +207,21 @@ def vector_lincomb(vectors: Sequence[Sequence[BLSFieldElement]],
     return [BLSFieldElement(x) for x in result]
 ```
 
+#### `compute_powers`
+
+```python
+def compute_powers(x: BLSFieldElement, n: uint64) -> Sequence[BLSFieldElement]:
+    """
+    Return ``x`` to power of [0, n-1].
+    """
+    current_power = 1
+    powers = []
+    for _ in range(n):
+        powers.append(BLSFieldElement(current_power))
+        current_power = current_power * int(x) % BLS_MODULUS
+    return powers
+```
+
 ### KZG
 
 KZG core functions. These are also defined in EIP-4844 execution specs.
@@ -226,12 +277,64 @@ def compute_kzg_proof(polynomial: Sequence[BLSFieldElement], z: BLSFieldElement)
     return KZGProof(g1_lincomb(bit_reversal_permutation(KZG_SETUP_LAGRANGE), quotient_polynomial))
 ```
 
+#### `compute_aggregated_poly_and_commitment`
+
+```python
+def compute_aggregated_poly_and_commitment(
+        blobs: Sequence[Blob],
+        kzg_commitments: Sequence[KZGCommitment]) -> Tuple[Polynomial, KZGCommitment]:
+    """
+    Return the aggregated polynomial and aggregated KZG commitment.
+    """
+    # Generate random linear combination challenges
+    r = hash_to_bls_field(blobs, kzg_commitments)
+    r_powers = compute_powers(r, len(kzg_commitments))
+
+    # Create aggregated polynomial in evaluation form
+    aggregated_poly = Polynomial(vector_lincomb(blobs, r_powers))
+
+    # Compute commitment to aggregated polynomial
+    aggregated_poly_commitment = KZGCommitment(g1_lincomb(kzg_commitments, r_powers))
+
+    return aggregated_poly, aggregated_poly_commitment
+```
+
+#### `compute_aggregate_kzg_proof`
+
+```python
+def compute_aggregate_kzg_proof(blobs: Sequence[Blob]) -> KZGProof:
+    commitments = [blob_to_kzg_commitment(blob) for blob in blobs]
+    aggregated_poly, aggregated_poly_commitment = compute_aggregated_poly_and_commitment(blobs, commitments)
+    x = hash_to_bls_field([aggregated_poly],[aggregated_poly_commitment])
+    return compute_kzg_proof(aggregated_poly, x)
+```
+
+#### `verify_aggregate_kzg_proof`
+
+```python
+def verify_aggregate_kzg_proof(blobs: Sequence[Blob],
+                               expected_kzg_commitments: Sequence[KZGCommitment],
+                               kzg_aggregated_proof : KZGCommitment) -> bool:
+    aggregated_poly, aggregated_poly_commitment = compute_aggregated_poly_and_commitment(
+        blobs,
+        expected_kzg_commitments,
+    )
+
+    # Generate challenge `x` and evaluate the aggregated polynomial at `x`
+    x = hash_to_bls_field([aggregated_poly], [aggregated_poly_commitment])
+    # Evaluate aggregated polynomial at `x` (evaluation function checks for div-by-zero)
+    y = evaluate_polynomial_in_evaluation_form(aggregated_poly, x)
+
+    # Verify aggregated proof
+    return verify_kzg_proof(aggregated_poly_commitment, x, y, kzg_aggregated_proof)
+```
+
 ### Polynomials
 
 #### `evaluate_polynomial_in_evaluation_form`
 
 ```python
-def evaluate_polynomial_in_evaluation_form(polynomial: Sequence[BLSFieldElement],
+def evaluate_polynomial_in_evaluation_form(polynomial: Polynomial,
                                            z: BLSFieldElement) -> BLSFieldElement:
     """
     Evaluate a polynomial (in evaluation form) at an arbitrary point `z`

specs/eip4844/validator.md

@@ -10,17 +10,9 @@
 
 - [Introduction](#introduction)
 - [Prerequisites](#prerequisites)
-- [Custom types](#custom-types)
-- [Containers](#containers)
-  - [`BlobsAndCommitments`](#blobsandcommitments)
-  - [`PolynomialAndCommitment`](#polynomialandcommitment)
 - [Helpers](#helpers)
   - [`is_data_available`](#is_data_available)
-  - [`hash_to_bls_field`](#hash_to_bls_field)
-  - [`compute_powers`](#compute_powers)
-  - [`compute_aggregated_poly_and_commitment`](#compute_aggregated_poly_and_commitment)
   - [`validate_blobs_sidecar`](#validate_blobs_sidecar)
-  - [`compute_proof_from_blobs`](#compute_proof_from_blobs)
   - [`get_blobs_and_kzg_commitments`](#get_blobs_and_kzg_commitments)
 - [Beacon chain responsibilities](#beacon-chain-responsibilities)
   - [Block proposal](#block-proposal)
@@ -43,31 +35,6 @@ All behaviors and definitions defined in this document, and documents it extends
 All terminology, constants, functions, and protocol mechanics defined in the updated [Beacon Chain doc of EIP4844](./beacon-chain.md) are requisite for this document and used throughout.
 Please see related Beacon Chain doc before continuing and use them as a reference throughout.
 
-## Custom types
-
-| Name | SSZ equivalent | Description |
-| - | - | - |
-| `Polynomial` | `List[BLSFieldElement, FIELD_ELEMENTS_PER_BLOB]` | a polynomial in evaluation form |
-
-## Containers
-
-### `BlobsAndCommitments`
-
-```python
-class BlobsAndCommitments(Container):
-    blobs: List[Blob, MAX_BLOBS_PER_BLOCK]
-    kzg_commitments: List[KZGCommitment, MAX_BLOBS_PER_BLOCK]
-```
-
-### `PolynomialAndCommitment`
-
-```python
-class PolynomialAndCommitment(Container):
-    polynomial: Polynomial
-    kzg_commitment: KZGCommitment
-```
-
-
 ## Helpers
 
 ### `is_data_available`
@@ -88,53 +55,6 @@ def is_data_available(slot: Slot, beacon_block_root: Root, blob_kzg_commitments:
     return True
 ```
 
-### `hash_to_bls_field`
-
-```python
-def hash_to_bls_field(x: Container) -> BLSFieldElement:
-    """
-    Compute 32-byte hash of serialized container and convert it to BLS field.
-    The output is not uniform over the BLS field.
-    """
-    return bytes_to_bls_field(hash(ssz_serialize(x)))
-```
-
-### `compute_powers`
-```python
-def compute_powers(x: BLSFieldElement, n: uint64) -> Sequence[BLSFieldElement]:
-    """
-    Return ``x`` to power of [0, n-1].
-    """
-    current_power = 1
-    powers = []
-    for _ in range(n):
-        powers.append(BLSFieldElement(current_power))
-        current_power = current_power * int(x) % BLS_MODULUS
-    return powers
-```
-
-### `compute_aggregated_poly_and_commitment`
-
-```python
-def compute_aggregated_poly_and_commitment(
-        blobs: Sequence[Blob],
-        kzg_commitments: Sequence[KZGCommitment]) -> Tuple[Polynomial, KZGCommitment]:
-    """
-    Return the aggregated polynomial and aggregated KZG commitment.
-    """
-    # Generate random linear combination challenges
-    r = hash_to_bls_field(BlobsAndCommitments(blobs=blobs, kzg_commitments=kzg_commitments))
-    r_powers = compute_powers(r, len(kzg_commitments))
-
-    # Create aggregated polynomial in evaluation form
-    aggregated_poly = Polynomial(vector_lincomb(blobs, r_powers))
-
-    # Compute commitment to aggregated polynomial
-    aggregated_poly_commitment = KZGCommitment(g1_lincomb(kzg_commitments, r_powers))
-
-    return aggregated_poly, aggregated_poly_commitment
-```
-
 ### `validate_blobs_sidecar`
 
 ```python
@@ -148,33 +68,7 @@ def validate_blobs_sidecar(slot: Slot,
     kzg_aggregated_proof = blobs_sidecar.kzg_aggregated_proof
     assert len(expected_kzg_commitments) == len(blobs)
 
-    aggregated_poly, aggregated_poly_commitment = compute_aggregated_poly_and_commitment(
-        blobs,
-        expected_kzg_commitments,
-    )
-
-    # Generate challenge `x` and evaluate the aggregated polynomial at `x`
-    x = hash_to_bls_field(
-        PolynomialAndCommitment(polynomial=aggregated_poly, kzg_commitment=aggregated_poly_commitment)
-    )
-    # Evaluate aggregated polynomial at `x` (evaluation function checks for div-by-zero)
-    y = evaluate_polynomial_in_evaluation_form(aggregated_poly, x)
-
-    # Verify aggregated proof
-    assert verify_kzg_proof(aggregated_poly_commitment, x, y, kzg_aggregated_proof)
-```
-
-### `compute_proof_from_blobs`
-
-```python
-def compute_proof_from_blobs(blobs: Sequence[Blob]) -> KZGProof:
-    commitments = [blob_to_kzg_commitment(blob) for blob in blobs]
-    aggregated_poly, aggregated_poly_commitment = compute_aggregated_poly_and_commitment(blobs, commitments)
-    x = hash_to_bls_field(PolynomialAndCommitment(
-        polynomial=aggregated_poly,
-        kzg_commitment=aggregated_poly_commitment,
-    ))
-    return compute_kzg_proof(aggregated_poly, x)
+    assert verify_aggregate_kzg_proof(blobs, expected_kzg_commitments, kzg_aggregated_proof)
 ```
 
 ### `get_blobs_and_kzg_commitments`
@@ -231,7 +125,7 @@ def get_blobs_sidecar(block: BeaconBlock, blobs: Sequence[Blob]) -> BlobsSidecar
         beacon_block_root=hash_tree_root(block),
         beacon_block_slot=block.slot,
         blobs=blobs,
-        kzg_aggregated_proof=compute_proof_from_blobs(blobs),
+        kzg_aggregated_proof=compute_aggregate_kzg_proof(blobs),
     )
 ```