paritytech · davxy · Apr 1, 2025 · Feb 22, 2025 · Feb 26, 2025 · Feb 26, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -614,6 +614,7 @@ ark-bls12-381-ext = { version = "0.4.1", default-features = false }
 ark-bw6-761 = { version = "0.4.0", default-features = false }
 ark-bw6-761-ext = { version = "0.4.1", default-features = false }
 ark-ec = { version = "0.4.2", default-features = false }
+ark-ec-vrfs = { version = "0.1.1", default-features = false }
 ark-ed-on-bls12-377 = { version = "0.4.0", default-features = false }
 ark-ed-on-bls12-377-ext = { version = "0.4.1", default-features = false }
 ark-ed-on-bls12-381-bandersnatch = { version = "0.4.0", default-features = false }
@@ -1431,6 +1432,7 @@ overflow-checks = true
 #
 # This list is ordered alphabetically.
 [profile.dev.package]
+ark-ec-vrfs = { opt-level = 3 }
 blake2 = { opt-level = 3 }
 blake2b_simd = { opt-level = 3 }
 chacha20poly1305 = { opt-level = 3 }

@@ -90,9 +90,6 @@ pub use pallet::*;
 
 const LOG_TARGET: &str = "sassafras::runtime";
 
-// Contextual string used by the VRF to generate per-block randomness.
-const RANDOMNESS_VRF_CONTEXT: &[u8] = b"SassafrasOnChainRandomness";
-
 // Max length for segments holding unsorted tickets.
 const SEGMENT_MAX_SIZE: u32 = 128;
 
@@ -202,6 +199,12 @@ pub mod pallet {
 	#[pallet::getter(fn randomness_accumulator)]
 	pub(crate) type RandomnessAccumulator<T> = StorageValue<_, Randomness, ValueQuery>;
 
+	/// Per slot randomness used to feed the randomness accumulator.
+	///
+	/// The value is ephemeral and is cleared on block finalization.
+	#[pallet::storage]
+	pub(crate) type SlotRandomness<T> = StorageValue<_, Randomness>;
+
 	/// The configuration for the current epoch.
 	#[pallet::storage]
 	#[pallet::getter(fn config)]
@@ -272,13 +275,7 @@ pub mod pallet {
 
 	/// Ring verifier data for the current epoch.
 	#[pallet::storage]
-	pub type RingVerifierData<T: Config> = StorageValue<_, vrf::RingVerifierData>;
-
-	/// Slot claim VRF pre-output used to generate per-slot randomness.
-	///
-	/// The value is ephemeral and is cleared on block finalization.
-	#[pallet::storage]
-	pub(crate) type ClaimTemporaryData<T> = StorageValue<_, vrf::VrfPreOutput>;
+	pub type RingVerifierData<T: Config> = StorageValue<_, vrf::RingVerifierKey>;
 
 	/// Genesis configuration for Sassafras protocol.
 	#[pallet::genesis_config]
@@ -326,12 +323,8 @@ pub mod pallet {
 				Self::post_genesis_initialize(claim.slot);
 			}
 
-			let randomness_pre_output = claim
-				.vrf_signature
-				.pre_outputs
-				.get(0)
-				.expect("Valid claim must have VRF signature; qed");
-			ClaimTemporaryData::<T>::put(randomness_pre_output);
+			let randomness = claim.vrf_signature.pre_output.make_bytes();
+			SlotRandomness::<T>::put(randomness);
 
 			let trigger_weight = T::EpochChangeTrigger::trigger::<T>(block_num);
 
@@ -343,15 +336,8 @@ pub mod pallet {
 			// to the accumulator. If we've determined that this block was the first in
 			// a new epoch, the changeover logic has already occurred at this point
 			// (i.e. `enact_epoch_change` has already been called).
-			let randomness_input = vrf::slot_claim_input(
-				&Self::randomness(),
-				CurrentSlot::<T>::get(),
-				EpochIndex::<T>::get(),
-			);
-			let randomness_pre_output = ClaimTemporaryData::<T>::take()
+			let randomness = SlotRandomness::<T>::take()
 				.expect("Unconditionally populated in `on_initialize`; `on_finalize` is always called after; qed");
-			let randomness = randomness_pre_output
-				.make_bytes::<RANDOMNESS_LENGTH>(RANDOMNESS_VRF_CONTEXT, &randomness_input);
 			Self::deposit_slot_randomness(&randomness);
 
 			// Check if we are in the epoch's second half.
@@ -399,7 +385,9 @@ pub mod pallet {
 				return Err("Tickets shall be submitted in the first epoch half".into())
 			}
 
-			let Some(verifier) = RingVerifierData::<T>::get().map(|v| v.into()) else {
+			let Some(verifier) =
+				RingVerifierData::<T>::get().map(|vk| vrf::RingContext::verifier_no_context(vk))
+			else {
 				warn!(target: LOG_TARGET, "Ring verifier key not initialized");
 				return Err("Ring verifier key not initialized".into())
 			};
@@ -424,15 +412,8 @@ pub mod pallet {
 			for ticket in tickets {
 				debug!(target: LOG_TARGET, "Checking ring proof");
 
-				let Some(ticket_id_pre_output) = ticket.signature.pre_outputs.get(0) else {
-					debug!(target: LOG_TARGET, "Missing ticket VRF pre-output from ring signature");
-					continue
-				};
-				let ticket_id_input =
-					vrf::ticket_id_input(&randomness, ticket.body.attempt_idx, epoch_idx);
-
 				// Check threshold constraint
-				let ticket_id = vrf::make_ticket_id(&ticket_id_input, &ticket_id_pre_output);
+				let ticket_id = vrf::make_ticket_id(&ticket.signature.pre_output);
 				if ticket_id >= ticket_threshold {
 					debug!(target: LOG_TARGET, "Ignoring ticket over threshold ({:032x} >= {:032x})", ticket_id, ticket_threshold);
 					continue
@@ -445,6 +426,8 @@ pub mod pallet {
 				}
 
 				// Check ring signature
+				let ticket_id_input =
+					vrf::ticket_id_input(&randomness, ticket.body.attempt_idx, epoch_idx);
 				let sign_data = vrf::ticket_body_sign_data(&ticket.body, ticket_id_input);
 				if !ticket.signature.ring_vrf_verify(&sign_data, &verifier) {
 					debug!(target: LOG_TARGET, "Proof verification failure for ticket ({:032x})", ticket_id);
@@ -585,9 +568,7 @@ impl<T: Config> Pallet<T> {
 		let pks: Vec<_> = authorities.iter().map(|auth| *auth.as_ref()).collect();
 
 		debug!(target: LOG_TARGET, "Building ring verifier (ring size: {})", pks.len());
-		let verifier_data = ring_ctx
-			.verifier_data(&pks)
-			.expect("Failed to build ring verifier. This is a bug");
+		let verifier_data = ring_ctx.verifier_key(&pks);
 
 		RingVerifierData::<T>::put(verifier_data);
 	}

@@ -176,7 +176,7 @@ pub fn make_prover(pair: &AuthorityPair) -> RingProver {
 		.collect();
 
 	log::debug!("Building prover. Ring size: {}", pks.len());
-	let prover = ring_ctx.prover(&pks, prover_idx.unwrap()).unwrap();
+	let prover = ring_ctx.prover(&pks, prover_idx.unwrap());
 	log::debug!("Done");
 
 	prover
@@ -201,7 +201,7 @@ pub fn make_ticket_body(attempt_idx: u32, pair: &AuthorityPair) -> (TicketId, Ti
 	let ticket_id_input = vrf::ticket_id_input(&randomness, attempt_idx, epoch);
 	let ticket_id_pre_output = pair.as_inner_ref().vrf_pre_output(&ticket_id_input);
 
-	let id = vrf::make_ticket_id(&ticket_id_input, &ticket_id_pre_output);
+	let id = vrf::make_ticket_id(&ticket_id_pre_output);
 
 	// Make a dummy ephemeral public that hopefully is unique within one test instance.
 	// In the tests, the values within the erased public are just used to compare

@@ -261,7 +261,7 @@ fn on_first_block_after_genesis() {
 
 		// Post-initialization status
 
-		assert!(ClaimTemporaryData::<Test>::exists());
+		assert!(SlotRandomness::<Test>::exists());
 		common_assertions();
 		println!("[DEBUG] {}", b2h(Sassafras::randomness_accumulator()));
 		assert_eq!(
@@ -273,12 +273,11 @@ fn on_first_block_after_genesis() {
 
 		// Post-finalization status
 
-		assert!(!ClaimTemporaryData::<Test>::exists());
+		assert!(!SlotRandomness::<Test>::exists());
 		common_assertions();
-		println!("[DEBUG] {}", b2h(Sassafras::randomness_accumulator()));
 		assert_eq!(
 			Sassafras::randomness_accumulator(),
-			h2b("9f2b9fd19a772c34d437dcd8b84a927e73a5cb43d3d1cd00093223d60d2b4843"),
+			h2b("95a508cf10f877cf0457af3503a6cb3192763d5c15a7b9a58e40dc543efae889"),
 		);
 
 		// Header data check
@@ -332,23 +331,24 @@ fn on_normal_block() {
 
 		// Post-initialization status
 
-		assert!(ClaimTemporaryData::<Test>::exists());
+		assert!(SlotRandomness::<Test>::exists());
 		common_assertions();
 		println!("[DEBUG] {}", b2h(Sassafras::randomness_accumulator()));
 		assert_eq!(
 			Sassafras::randomness_accumulator(),
-			h2b("9f2b9fd19a772c34d437dcd8b84a927e73a5cb43d3d1cd00093223d60d2b4843"),
+			h2b("95a508cf10f877cf0457af3503a6cb3192763d5c15a7b9a58e40dc543efae889"),
 		);
 
 		let header = finalize_block(end_block);
 
 		// Post-finalization status
 
-		assert!(!ClaimTemporaryData::<Test>::exists());
+		assert!(!SlotRandomness::<Test>::exists());
 		common_assertions();
+		println!("[DEBUG] {}", b2h(Sassafras::randomness_accumulator()));
 		assert_eq!(
 			Sassafras::randomness_accumulator(),
-			h2b("be9261adb9686dfd3f23f8a276b7acc7f4beb3137070beb64c282ac22d84cbf0"),
+			h2b("5465cb257ad20cd4b9400a9fc85af7b1e2e72b59debd8ca06580dfb76bfca394"),
 		);
 
 		// Header data check
@@ -389,34 +389,34 @@ fn produce_epoch_change_digest_no_config() {
 
 		// Post-initialization status
 
-		assert!(ClaimTemporaryData::<Test>::exists());
+		assert!(SlotRandomness::<Test>::exists());
 		common_assertions();
 		println!("[DEBUG] {}", b2h(Sassafras::next_randomness()));
 		assert_eq!(
 			Sassafras::next_randomness(),
-			h2b("d3a18b857af6ecc7b52f047107e684fff0058b5722d540a296d727e37eaa55b3"),
+			h2b("c4d374ed47b71e1c29e57143db23861916ff2d0c59ead4c51070d42ff4af2830"),
 		);
 		println!("[DEBUG] {}", b2h(Sassafras::randomness_accumulator()));
 		assert_eq!(
 			Sassafras::randomness_accumulator(),
-			h2b("bf0f1228f4ff953c8c1bda2cceb668bf86ea05d7ae93e26d021c9690995d5279"),
+			h2b("c6d84d1f389853959c39271a38010f2f27abe6ff56cc419cf9e89eafcae1ab5e"),
 		);
 
 		let header = finalize_block(end_block);
 
 		// Post-finalization status
 
-		assert!(!ClaimTemporaryData::<Test>::exists());
+		assert!(!SlotRandomness::<Test>::exists());
 		common_assertions();
 		println!("[DEBUG] {}", b2h(Sassafras::next_randomness()));
 		assert_eq!(
 			Sassafras::next_randomness(),
-			h2b("d3a18b857af6ecc7b52f047107e684fff0058b5722d540a296d727e37eaa55b3"),
+			h2b("c4d374ed47b71e1c29e57143db23861916ff2d0c59ead4c51070d42ff4af2830"),
 		);
 		println!("[DEBUG] {}", b2h(Sassafras::randomness_accumulator()));
 		assert_eq!(
 			Sassafras::randomness_accumulator(),
-			h2b("8a1ceb346036c386d021264b10912c8b656799668004c4a487222462b394cd89"),
+			h2b("6ca02b90e14ef11b3855069794da7e9d4007526b0588c426c3e3533b0b6ade7a"),
 		);
 
 		// Header data check
@@ -670,7 +670,7 @@ fn block_allowed_to_skip_epochs() {
 
 		// Post-initialization status
 
-		assert!(ClaimTemporaryData::<Test>::exists());
+		assert!(SlotRandomness::<Test>::exists());
 		assert_eq!(Sassafras::genesis_slot(), start_slot);
 		assert_eq!(Sassafras::current_slot(), start_slot + offset);
 		assert_eq!(Sassafras::epoch_index(), 4);
@@ -829,9 +829,9 @@ fn submit_tickets_with_ring_proof_check_works() {
 		// Check state after submission
 		assert_eq!(
 			TicketsMeta::<Test>::get(),
-			TicketsMetadata { unsorted_tickets_count: 16, tickets_count: [0, 0] },
+			TicketsMetadata { unsorted_tickets_count: 13, tickets_count: [0, 0] },
 		);
-		assert_eq!(UnsortedSegments::<Test>::get(0).len(), 16);
+		assert_eq!(UnsortedSegments::<Test>::get(0).len(), 13);
 		assert_eq!(UnsortedSegments::<Test>::get(1).len(), 0);
 
 		finalize_block(start_block);

diff --git a/substrate/primitives/consensus/sassafras/src/vrf.rs b/substrate/primitives/consensus/sassafras/src/vrf.rs
@@ -24,88 +24,48 @@ use codec::Encode;
 use sp_consensus_slots::Slot;
 
 pub use sp_core::bandersnatch::{
-	ring_vrf::{RingProver, RingVerifier, RingVerifierData, RingVrfSignature},
+	ring_vrf::{RingProver, RingVerifier, RingVerifierKey, RingVrfSignature},
 	vrf::{VrfInput, VrfPreOutput, VrfSignData, VrfSignature},
 };
 
-/// Ring VRF domain size for Sassafras consensus.
-pub const RING_VRF_DOMAIN_SIZE: u32 = 2048;
+/// Ring size (aka authorities count) for Sassafras consensus.
+pub const RING_SIZE: usize = 1024;
 
-/// Bandersnatch VRF [`RingContext`] specialization for Sassafras using [`RING_VRF_DOMAIN_SIZE`].
-pub type RingContext = sp_core::bandersnatch::ring_vrf::RingContext<RING_VRF_DOMAIN_SIZE>;
+/// Bandersnatch VRF [`RingContext`] specialization for Sassafras using [`RING_SIZE`].
+pub type RingContext = sp_core::bandersnatch::ring_vrf::RingContext<RING_SIZE>;
 
-fn vrf_input_from_data(
-	domain: &[u8],
-	data: impl IntoIterator<Item = impl AsRef<[u8]>>,
-) -> VrfInput {
-	let buf = data.into_iter().fold(Vec::new(), |mut buf, item| {
-		let bytes = item.as_ref();
-		buf.extend_from_slice(bytes);
-		let len = u8::try_from(bytes.len()).expect("private function with well known inputs; qed");
-		buf.push(len);
-		buf
-	});
-	VrfInput::new(domain, buf)
-}
-
-/// VRF input to claim slot ownership during block production.
+/// TODO
 pub fn slot_claim_input(randomness: &Randomness, slot: Slot, epoch: u64) -> VrfInput {
-	vrf_input_from_data(
-		b"sassafras-claim-v1.0",
-		[randomness.as_slice(), &slot.to_le_bytes(), &epoch.to_le_bytes()],
-	)
+	let v = [b"sassafras-ticket", randomness.as_slice(), &slot.to_le_bytes(), &epoch.to_le_bytes()]
+		.concat();
+	VrfInput::new(&v[..])
 }
 
 /// Signing-data to claim slot ownership during block production.
 pub fn slot_claim_sign_data(randomness: &Randomness, slot: Slot, epoch: u64) -> VrfSignData {
-	let input = slot_claim_input(randomness, slot, epoch);
-	VrfSignData::new_unchecked(
-		b"sassafras-slot-claim-transcript-v1.0",
-		Option::<&[u8]>::None,
-		Some(input),
-	)
+	let v = [b"sassafras-ticket", randomness.as_slice(), &slot.to_le_bytes(), &epoch.to_le_bytes()]
+		.concat();
+	VrfSignData::new(&v[..], &[])
 }
 
 /// VRF input to generate the ticket id.
 pub fn ticket_id_input(randomness: &Randomness, attempt: u32, epoch: u64) -> VrfInput {
-	vrf_input_from_data(
-		b"sassafras-ticket-v1.0",
-		[randomness.as_slice(), &attempt.to_le_bytes(), &epoch.to_le_bytes()],
-	)
-}
-
-/// VRF input to generate the revealed key.
-pub fn revealed_key_input(randomness: &Randomness, attempt: u32, epoch: u64) -> VrfInput {
-	vrf_input_from_data(
-		b"sassafras-revealed-v1.0",
-		[randomness.as_slice(), &attempt.to_le_bytes(), &epoch.to_le_bytes()],
-	)
+	let v =
+		[b"sassafras-ticket", randomness.as_slice(), &attempt.to_le_bytes(), &epoch.to_le_bytes()]
+			.concat();
+	VrfInput::new(&v[..])
 }
 
 /// Data to be signed via ring-vrf.
 pub fn ticket_body_sign_data(ticket_body: &TicketBody, ticket_id_input: VrfInput) -> VrfSignData {
-	VrfSignData::new_unchecked(
-		b"sassafras-ticket-body-transcript-v1.0",
-		Some(ticket_body.encode().as_slice()),
-		Some(ticket_id_input),
-	)
+	VrfSignData { vrf_input: ticket_id_input, aux_data: ticket_body.encode() }
 }
 
-/// Make ticket-id from the given VRF input and pre-output.
+/// Make ticket-id from the given VRF pre-output.
 ///
-/// Input should have been obtained via [`ticket_id_input`].
 /// Pre-output should have been obtained from the input directly using the vrf
-/// secret key or from the vrf signature pre-outputs.
-pub fn make_ticket_id(input: &VrfInput, pre_output: &VrfPreOutput) -> TicketId {
-	let bytes = pre_output.make_bytes::<16>(b"ticket-id", input);
+/// secret key or from the vrf signature pre-output.
+pub fn make_ticket_id(preout: &VrfPreOutput) -> TicketId {
+	let bytes: [u8; 16] = preout.make_bytes()[..16].try_into().unwrap();
 	u128::from_le_bytes(bytes)
 }
-
-/// Make revealed key seed from a given VRF input and pre-output.
-///
-/// Input should have been obtained via [`revealed_key_input`].
-/// Pre-output should have been obtained from the input directly using the vrf
-/// secret key or from the vrf signature pre-outputs.
-pub fn make_revealed_key_seed(input: &VrfInput, pre_output: &VrfPreOutput) -> [u8; 32] {
-	pre_output.make_bytes::<32>(b"revealed-seed", input)
-}