Merge pull request #2548 from input-output-hk/curiecrypt/module-aggregate-signature

Organize STM - Module Aggregate Signature

Author: curiecrypt

mithril-stm/CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.4.2 (04-06-2025)
+
+### Added
+
+- Added a `aggregate_signature` module and `StmAggrSig`, `StmAggrVerificationKey`, `StmClerk` and `CoreVerifier` functionality covered by its submodules.
+
 ## 0.4.1 (04-06-2025)
 
 ### Added

mithril-stm/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mithril-stm"
-version = "0.4.1"
+version = "0.4.2"
 edition = { workspace = true }
 authors = { workspace = true }
 homepage = { workspace = true }

mithril-stm/src/aggregate_signature/aggregate_key.rs

@@ -0,0 +1,44 @@
+use blake2::digest::{Digest, FixedOutput};
+use serde::{Deserialize, Serialize};
+
+use crate::merkle_tree::{BatchPath, MerkleTreeCommitmentBatchCompat};
+use crate::{ClosedKeyReg, Stake};
+
+/// Stm aggregate key (batch compatible), which contains the merkle tree commitment and the total stake of the system.
+/// Batch Compat Merkle tree commitment includes the number of leaves in the tree in order to obtain batch path.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(bound(
+    serialize = "BatchPath<D>: Serialize",
+    deserialize = "BatchPath<D>: Deserialize<'de>"
+))]
+pub struct StmAggrVerificationKey<D: Clone + Digest + FixedOutput> {
+    mt_commitment: MerkleTreeCommitmentBatchCompat<D>,
+    total_stake: Stake,
+}
+
+impl<D: Digest + Clone + FixedOutput> StmAggrVerificationKey<D> {
+    pub fn get_mt_commitment(&self) -> MerkleTreeCommitmentBatchCompat<D> {
+        self.mt_commitment.clone()
+    }
+
+    pub fn get_total_stake(&self) -> Stake {
+        self.total_stake
+    }
+}
+
+impl<D: Digest + Clone + FixedOutput> PartialEq for StmAggrVerificationKey<D> {
+    fn eq(&self, other: &Self) -> bool {
+        self.mt_commitment == other.mt_commitment && self.total_stake == other.total_stake
+    }
+}
+
+impl<D: Digest + Clone + FixedOutput> Eq for StmAggrVerificationKey<D> {}
+
+impl<D: Clone + Digest + FixedOutput> From<&ClosedKeyReg<D>> for StmAggrVerificationKey<D> {
+    fn from(reg: &ClosedKeyReg<D>) -> Self {
+        Self {
+            mt_commitment: reg.merkle_tree.to_commitment_batch_compat(),
+            total_stake: reg.total_stake,
+        }
+    }
+}

mithril-stm/src/aggregate_signature/clerk.rs

@@ -0,0 +1,95 @@
+use blake2::digest::{Digest, FixedOutput};
+
+use crate::{
+    AggregationError, ClosedKeyReg, CoreVerifier, Index, Stake, StmAggrSig, StmAggrVerificationKey,
+    StmParameters, StmSig, StmSigRegParty, StmSigner, StmVerificationKey,
+};
+
+/// `StmClerk` can verify and aggregate `StmSig`s and verify `StmMultiSig`s.
+/// Clerks can only be generated with the registration closed.
+/// This avoids that a Merkle Tree is computed before all parties have registered.
+#[derive(Debug, Clone)]
+pub struct StmClerk<D: Clone + Digest> {
+    pub(crate) closed_reg: ClosedKeyReg<D>,
+    pub(crate) params: StmParameters,
+}
+
+impl<D: Digest + Clone + FixedOutput> StmClerk<D> {
+    /// Create a new `Clerk` from a closed registration instance.
+    pub fn from_registration(params: &StmParameters, closed_reg: &ClosedKeyReg<D>) -> Self {
+        Self {
+            params: *params,
+            closed_reg: closed_reg.clone(),
+        }
+    }
+
+    /// Create a Clerk from a signer.
+    pub fn from_signer(signer: &StmSigner<D>) -> Self {
+        let closed_reg = signer
+            .get_closed_reg()
+            .clone()
+            .expect("Core signer does not include closed registration. StmClerk, and so, the Stm certificate cannot be built without closed registration!")
+            ;
+
+        Self {
+            params: signer.get_params(),
+            closed_reg,
+        }
+    }
+
+    /// Aggregate a set of signatures for their corresponding indices.
+    ///
+    /// This function first deduplicates the repeated signatures, and if there are enough signatures, it collects the merkle tree indexes of unique signatures.
+    /// The list of merkle tree indexes is used to create a batch proof, to prove that all signatures are from eligible signers.
+    ///
+    /// It returns an instance of `StmAggrSig`.
+    pub fn aggregate(
+        &self,
+        sigs: &[StmSig],
+        msg: &[u8],
+    ) -> Result<StmAggrSig<D>, AggregationError> {
+        let sig_reg_list = sigs
+            .iter()
+            .map(|sig| StmSigRegParty {
+                sig: sig.clone(),
+                reg_party: self.closed_reg.reg_parties[sig.signer_index as usize],
+            })
+            .collect::<Vec<StmSigRegParty>>();
+
+        let avk = StmAggrVerificationKey::from(&self.closed_reg);
+        let msgp = avk.get_mt_commitment().concat_with_msg(msg);
+        let mut unique_sigs = CoreVerifier::dedup_sigs_for_indices(
+            &self.closed_reg.total_stake,
+            &self.params,
+            &msgp,
+            &sig_reg_list,
+        )?;
+
+        unique_sigs.sort_unstable();
+
+        let mt_index_list = unique_sigs
+            .iter()
+            .map(|sig_reg| sig_reg.sig.signer_index as usize)
+            .collect::<Vec<usize>>();
+
+        let batch_proof = self.closed_reg.merkle_tree.get_batched_path(mt_index_list);
+
+        Ok(StmAggrSig {
+            signatures: unique_sigs,
+            batch_proof,
+        })
+    }
+
+    /// Compute the `StmAggrVerificationKey` related to the used registration.
+    pub fn compute_avk(&self) -> StmAggrVerificationKey<D> {
+        StmAggrVerificationKey::from(&self.closed_reg)
+    }
+
+    /// Get the (VK, stake) of a party given its index.
+    pub fn get_reg_party(&self, party_index: &Index) -> Option<(StmVerificationKey, Stake)> {
+        self.closed_reg
+            .reg_parties
+            .get(*party_index as usize)
+            .map(|&r| r.into())
+    }
+}

mithril-stm/src/aggregate_signature/core_verifier.rs

@@ -0,0 +1,209 @@
+use std::collections::{BTreeMap, HashMap, HashSet};
+
+use crate::bls_multi_signature::{Signature, VerificationKey};
+use crate::key_reg::RegParty;
+use crate::merkle_tree::MTLeaf;
+use crate::{
+    AggregationError, CoreVerifierError, Index, Stake, StmParameters, StmSig, StmSigRegParty,
+};
+
+/// Full node verifier including the list of eligible signers and the total stake of the system.
+pub struct CoreVerifier {
+    /// List of registered parties.
+    pub eligible_parties: Vec<RegParty>,
+    /// Total stake of registered parties.
+    pub total_stake: Stake,
+}
+
+impl CoreVerifier {
+    /// Setup a core verifier for given list of signers.
+    ///     * Collect the unique signers in a hash set,
+    ///     * Calculate the total stake of the eligible signers,
+    ///     * Sort the eligible signers.
+    pub fn setup(public_signers: &[(VerificationKey, Stake)]) -> Self {
+        let mut total_stake: Stake = 0;
+        let mut unique_parties = HashSet::new();
+        for signer in public_signers.iter() {
+            let (res, overflow) = total_stake.overflowing_add(signer.1);
+            if overflow {
+                panic!("Total stake overflow");
+            }
+            total_stake = res;
+            unique_parties.insert(MTLeaf(signer.0, signer.1));
+        }
+
+        let mut eligible_parties: Vec<_> = unique_parties.into_iter().collect();
+        eligible_parties.sort_unstable();
+        CoreVerifier {
+            eligible_parties,
+            total_stake,
+        }
+    }
+
+    /// Preliminary verification that checks whether indices are unique and the quorum is achieved.
+    pub(crate) fn preliminary_verify(
+        total_stake: &Stake,
+        signatures: &[StmSigRegParty],
+        parameters: &StmParameters,
+        msg: &[u8],
+    ) -> Result<(), CoreVerifierError> {
+        let mut nr_indices = 0;
+        let mut unique_indices = HashSet::new();
+
+        for sig_reg in signatures {
+            sig_reg
+                .sig
+                .check_indices(parameters, &sig_reg.reg_party.1, msg, total_stake)?;
+            for &index in &sig_reg.sig.indexes {
+                unique_indices.insert(index);
+                nr_indices += 1;
+            }
+        }
+
+        if nr_indices != unique_indices.len() {
+            return Err(CoreVerifierError::IndexNotUnique);
+        }
+        if (nr_indices as u64) < parameters.k {
+            return Err(CoreVerifierError::NoQuorum(nr_indices as u64, parameters.k));
+        }
+
+        Ok(())
+    }
+
+    /// Given a slice of `sig_reg_list`, this function returns a new list of `sig_reg_list` with only valid indices.
+    /// In case of conflict (having several signatures for the same index)
+    /// it selects the smallest signature (i.e. takes the signature with the smallest scalar).
+    /// The function selects at least `self.k` indexes.
+    ///  # Error
+    /// If there is no sufficient signatures, then the function fails.
+    // todo: We need to agree on a criteria to dedup (by default we use a BTreeMap that guarantees keys order)
+    // todo: not good, because it only removes index if there is a conflict (see benches)
+    pub fn dedup_sigs_for_indices(
+        total_stake: &Stake,
+        params: &StmParameters,
+        msg: &[u8],
+        sigs: &[StmSigRegParty],
+    ) -> Result<Vec<StmSigRegParty>, AggregationError> {
+        let mut sig_by_index: BTreeMap<Index, &StmSigRegParty> = BTreeMap::new();
+        let mut removal_idx_by_vk: HashMap<&StmSigRegParty, Vec<Index>> = HashMap::new();
+
+        for sig_reg in sigs.iter() {
+            if sig_reg
+                .sig
+                .verify_core(
+                    params,
+                    &sig_reg.reg_party.0,
+                    &sig_reg.reg_party.1,
+                    msg,
+                    total_stake,
+                )
+                .is_err()
+            {
+                continue;
+            }
+            for index in sig_reg.sig.indexes.iter() {
+                let mut insert_this_sig = false;
+                if let Some(&previous_sig) = sig_by_index.get(index) {
+                    let sig_to_remove_index = if sig_reg.sig.sigma < previous_sig.sig.sigma {
+                        insert_this_sig = true;
+                        previous_sig
+                    } else {
+                        sig_reg
+                    };
+
+                    if let Some(indexes) = removal_idx_by_vk.get_mut(sig_to_remove_index) {
+                        indexes.push(*index);
+                    } else {
+                        removal_idx_by_vk.insert(sig_to_remove_index, vec![*index]);
+                    }
+                } else {
+                    insert_this_sig = true;
+                }
+
+                if insert_this_sig {
+                    sig_by_index.insert(*index, sig_reg);
+                }
+            }
+        }
+
+        let mut dedup_sigs: HashSet<StmSigRegParty> = HashSet::new();
+        let mut count: u64 = 0;
+
+        for (_, &sig_reg) in sig_by_index.iter() {
+            if dedup_sigs.contains(sig_reg) {
+                continue;
+            }
+            let mut deduped_sig = sig_reg.clone();
+            if let Some(indexes) = removal_idx_by_vk.get(sig_reg) {
+                deduped_sig.sig.indexes = deduped_sig
+                    .sig
+                    .indexes
+                    .clone()
+                    .into_iter()
+                    .filter(|i| !indexes.contains(i))
+                    .collect();
+            }
+
+            let size: Result<u64, _> = deduped_sig.sig.indexes.len().try_into();
+            if let Ok(size) = size {
+                if dedup_sigs.contains(&deduped_sig) {
+                    panic!("Should not reach!");
+                }
+                dedup_sigs.insert(deduped_sig);
+                count += size;
+
+                if count >= params.k {
+                    return Ok(dedup_sigs.into_iter().collect());
+                }
+            }
+        }
+
+        Err(AggregationError::NotEnoughSignatures(count, params.k))
+    }
+
+    /// Collect and return `Vec<Signature>, Vec<VerificationKey>` which will be used
+    /// by the aggregate verification.
+    pub(crate) fn collect_sigs_vks(
+        sig_reg_list: &[StmSigRegParty],
+    ) -> (Vec<Signature>, Vec<VerificationKey>) {
+        let sigs = sig_reg_list
+            .iter()
+            .map(|sig_reg| sig_reg.sig.sigma)
+            .collect::<Vec<Signature>>();
+        let vks = sig_reg_list
+            .iter()
+            .map(|sig_reg| sig_reg.reg_party.0)
+            .collect::<Vec<VerificationKey>>();
+
+        (sigs, vks)
+    }
+
+    /// Core verification
+    ///
+    /// Verify a list of signatures with respect to given message with given parameters.
+    pub fn verify(
+        &self,
+        signatures: &[StmSig],
+        parameters: &StmParameters,
+        msg: &[u8],
+    ) -> Result<(), CoreVerifierError> {
+        let sig_reg_list = signatures
+            .iter()
+            .map(|sig| StmSigRegParty {
+                sig: sig.clone(),
+                reg_party: self.eligible_parties[sig.signer_index as usize],
+            })
+            .collect::<Vec<StmSigRegParty>>();
+
+        let unique_sigs =
+            Self::dedup_sigs_for_indices(&self.total_stake, parameters, msg, &sig_reg_list)?;
+
+        Self::preliminary_verify(&self.total_stake, &unique_sigs, parameters, msg)?;
+
+        let (sigs, vks) = Self::collect_sigs_vks(&unique_sigs);
+
+        Signature::verify_aggregate(msg.to_vec().as_slice(), &vks, &sigs)?;
+
+        Ok(())
+    }
+}