BLS Core Crypto attempt #2 #13618
BLS Core Crypto attempt #2 #13618
Conversation
…3311 applied to master's head
davxy
added
B0-silent
|
@drskalman please have a look |
|
@drskalman there are a couple of tests that fail (are failing with the original code as well). The tests are in
Are these supposed to be successful? |
Naming(marginal... but somehow important) what is an appropriate name for this primitive? Plain Maybe a more appropriate name should be found for the implementation? edit: Is the chosen name |
I was not suggesting we stop moving forward with this PR (and future BEEFY ones), but I am interested in having clear communication on the decisions we make and their alternatives and consequences. Like I said, looking at this PR, it was not clear why we choose one or the other - I myself cannot have a preference as it is outside my area of knowledge, but I expect any decision on contested alternatives to be explained well enough for most to understand said decision. Having said that, I did get the gist of the decision from #13618 (comment) |
Yes, the create was named after the name selected for that paper. |
|
Chatted with @drskalman on this again today.
To reconcile both and simultaneously give us more time to converge wrt. I'm not married to the flag's name - other options include |
Lederstrumpf
force-pushed
the
davxyn-skalman-core-bls-crypto
branch
from
c0ed40b
to
3a9c5ed
Compare
|
before continuing the catch-up game with i.e.
Otherwise, please suggest alternatives. |
I'm fine with "bls_non_production" flag (both for its name and its existance) if it helps us merge. If it makes trouble later down the line we could always reconsider it. @davxy probably knows better about its implication in the beefy primitive's code. |
The 'bls' part o |
The 'bls' part of the signature and the proof of possession proposed in the paper and implemented in There were also talks about making the extra part optional in Substrate as in if isn't there then, just perform plain bls verification instead. So maybe calling it Plain 'bls' isn't far fetched and call it something else might gives the impression that we are not complying with the standards. Having said that, I'm not particularly opposed to calling the crypto module |
|
So, my understanding is that this can act plain BLS signature but ships an extra schnorr proof in G1 that doesn't use pairings to verify (signature size = bls-sign-size + 2 * secret-key-size). My 2 cents:
[1] Just to be clear, I've not followed the Beefy developments and but I've just provided this generic interface to the w3f-bls backend, so maybe @acatangiu @Lederstrumpf @andresilva are more expert than me to tell if there are some requirement not satisfied. All in all, @Lederstrumpf I think we can merge this gated by the feature flag (I suggest |
add bls377 to primitives/application-crypto/ add bls_non_production to primitives/keystore and client/keystore bump up w3f-bls version
|
Now that is clear that APK proofs do not work out-of-the-box for Ethereum (to Polkadot bridge) (due to the fact that each committee sign different messages) and we need a new proof system for that, @swasilyev and @AlistairStewart see little value in generating the Polkadots-to-X proofs using BLS12-381 and rather using BLS377 instead given the following benefits:
So I've added the bls377 to application-crypto and the keystore and we are going to used it in beefy. |
ack name change to
ack
agreed, and let me be clear that the purpose of this flag is to be a temporary gatekeeper until we've settled on a production bls lib & API.
We haven't had any related changes to BEEFY since we've coordinated requirements with @drskalman. Thanks to @drskalman & @davxy for all your patience & effort in pushing this PR! |
* Cherry pick all crypto related changes from pull-request paritytech#13311 applied to master's head * Import some stuff just if 'full_crypto' is on * Remove copyright year * Cleanup * First generic BLS draft * Finalize generic implementation * Restore tests * Fix rust docs * Fix after master merge * Fix after master merge * Use double bls with G1 as signature group and verify individual signatures using DLEQ proof. * Fix inclusions and types used within substrate * Remove unused cruft * Restore usage of upstream crates * Fix test * Reduce the diff by aligning Cargo.lock to master * Application-crypto provides bls381 * Implement bls381 for local keystore * Use new generic keystore features * import DoublePublickey[Scheme] from the bls-like root to be less confusing. * fix compilation * Apply suggestions from code review Co-authored-by: Robert Hambrock <roberthambrock@gmail.com> * Clean leftovers * - update bls test vector after applying spec change recommendation. - send message as ref. * Different hard junction ids for different bls12 types * update to new bls-like * bls-like → w3f-bls * Make clippy happy * update test vector after replacing hash and crop with hash to field. * cargo fmt * account for paritytech#13972 * hide BLS behind "bls_non_production" feature flag * Remove Cargo.lock entries duplicated in merge * add bls377 to primitives/keystore and client/keystore add bls377 to primitives/application-crypto/ add bls_non_production to primitives/keystore and client/keystore bump up w3f-bls version * rename feature `bls_non_production` to `bls-experimental` --------- Co-authored-by: Davide Galassi <davxy@datawok.net> Co-authored-by: André Silva <andrerfosilva@gmail.com> Co-authored-by: Robert Hambrock <roberthambrock@gmail.com>
We have cherry picked all crypto related changes from pull-request #13311 in order to facilitate its review and merging. This is a starting point. The goal is to make as much as possible of the bls crypto code generic on the choice of the curve (BLS12-377 and BLS12-381). The signature scheme should follows the scheme described in https://eprint.iacr.org/2022/1611 for individual and aggregated signatures.
This PR provides:
sp-core::cryptomodulesp-application-cryptoKeystoretrait methodssp-io.unimplemented!call has been inserted in theRuntimeAppPublicimplementation (implementation is still required)