diff --git a/setup.py b/setup.py index b024e8d7f5..451da1b73b 100644 --- a/setup.py +++ b/setup.py @@ -536,8 +536,8 @@ def run(self): "eth-utils>=1.3.0,<2", "eth-typing>=2.1.0,<3.0.0", "pycryptodome==3.9.4", - "py_ecc==4.0.0", - "milagro_bls_binding==1.3.0", + "py_ecc==5.0.0", + "milagro_bls_binding==1.4.0", "dataclasses==0.6", "remerkleable==0.1.17", "ruamel.yaml==0.16.5", diff --git a/specs/phase0/beacon-chain.md b/specs/phase0/beacon-chain.md index 69bc48d69f..1ceb28d21a 100644 --- a/specs/phase0/beacon-chain.md +++ b/specs/phase0/beacon-chain.md @@ -603,7 +603,7 @@ def bytes_to_uint64(data: bytes) -> uint64: #### BLS Signatures -Eth2 makes use of BLS signatures as specified in the [IETF draft BLS specification draft-irtf-cfrg-bls-signature-03](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-03). Specifically, eth2 uses the `BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_` ciphersuite which implements the following interfaces: +Eth2 makes use of BLS signatures as specified in the [IETF draft BLS specification draft-irtf-cfrg-bls-signature-04](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04). Specifically, eth2 uses the `BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_` ciphersuite which implements the following interfaces: - `def Sign(SK: int, message: Bytes) -> BLSSignature` - `def Verify(PK: BLSPubkey, message: Bytes, signature: BLSSignature) -> bool` diff --git a/tests/core/pyspec/eth2spec/utils/bls.py b/tests/core/pyspec/eth2spec/utils/bls.py index 8b91dd64ee..88edbac619 100644 --- a/tests/core/pyspec/eth2spec/utils/bls.py +++ b/tests/core/pyspec/eth2spec/utils/bls.py @@ -10,6 +10,7 @@ STUB_SIGNATURE = b'\x11' * 96 STUB_PUBKEY = b'\x22' * 48 +Z1_PUBKEY = b'\xc0' + b'\x00' * 47 Z2_SIGNATURE = b'\xc0' + b'\x00' * 95 STUB_COORDINATES = _signature_to_G2(Z2_SIGNATURE) @@ -66,6 +67,11 @@ def AggregateVerify(pubkeys, messages, signature): @only_with_bls(alt_return=True) def FastAggregateVerify(pubkeys, message, signature): + # TODO: remove it when milagro_bls_binding is fixed + # https://github.com/ChihChengLiang/milagro_bls_binding/issues/19 + if Z1_PUBKEY in pubkeys: + return False + try: result = bls.FastAggregateVerify(list(pubkeys), message, signature) except Exception: @@ -81,6 +87,9 @@ def Aggregate(signatures): @only_with_bls(alt_return=STUB_SIGNATURE) def Sign(SK, message): + # TODO: remove it when https://github.com/sigp/milagro_bls/issues/39 is fixed + if SK == 0: + raise Exception("SK should not be zero") if bls == py_ecc_bls: return bls.Sign(SK, message) else: @@ -99,4 +108,7 @@ def AggregatePKs(pubkeys): @only_with_bls(alt_return=STUB_SIGNATURE) def SkToPk(SK): - return bls.SkToPk(SK) + if bls == py_ecc_bls: + return bls.SkToPk(SK) + else: + return bls.SkToPk(SK.to_bytes(32, 'big')) diff --git a/tests/formats/bls/sign.md b/tests/formats/bls/sign.md index 1c328755a5..93001beeed 100644 --- a/tests/formats/bls/sign.md +++ b/tests/formats/bls/sign.md @@ -10,7 +10,7 @@ The test data is declared in a `data.yaml` file: input: privkey: bytes32 -- the private key used for signing message: bytes32 -- input message to sign (a hash) -output: bytes96 -- expected signature +output: BLS Signature -- expected output, single BLS signature or empty. ``` All byte(s) fields are encoded as strings, hexadecimal encoding, prefixed with `0x`. diff --git a/tests/generators/bls/main.py b/tests/generators/bls/main.py index 6fec61de02..8cdc2a94bf 100644 --- a/tests/generators/bls/main.py +++ b/tests/generators/bls/main.py @@ -40,6 +40,7 @@ def hex_to_int(x: str) -> int: bytes(b'\x56' * 32), bytes(b'\xab' * 32), ] +SAMPLE_MESSAGE = b'\x12' * 32 PRIVKEYS = [ # Curve order is 256 so private keys are 32 bytes at most. @@ -48,16 +49,30 @@ def hex_to_int(x: str) -> int: hex_to_int('0x0000000000000000000000000000000047b8192d77bf871b62e87859d653922725724a5c031afeabc60bcef5ff665138'), hex_to_int('0x00000000000000000000000000000000328388aff0d4a5b7dc9205abd374e7e98f3cd9f3418edb4eafda5fb16473d216'), ] +PUBKEYS = [bls.SkToPk(privkey) for privkey in PRIVKEYS] Z1_PUBKEY = b'\xc0' + b'\x00' * 47 NO_SIGNATURE = b'\x00' * 96 Z2_SIGNATURE = b'\xc0' + b'\x00' * 95 +ZERO_PRIVKEY = 0 +ZERO_PRIVKEY_BYTES = b'\x00' * 32 + + +def expect_exception(func, *args): + try: + func(*args) + except Exception: + pass + else: + raise Exception("should have raised exception") def case01_sign(): + # Valid cases for privkey in PRIVKEYS: for message in MESSAGES: sig = bls.Sign(privkey, message) + assert sig == milagro_bls.Sign(to_bytes(privkey), message) # double-check with milagro identifier = f'{int_to_hex(privkey)}_{encode_hex(message)}' yield f'sign_case_{(hash(bytes(identifier, "utf-8"))[:8]).hex()}', { 'input': { @@ -66,6 +81,17 @@ def case01_sign(): }, 'output': encode_hex(sig) } + # Edge case: privkey == 0 + expect_exception(bls.Sign, ZERO_PRIVKEY, message) + # TODO enable it when milagro_bls is ready for IETF BLS draft 04 + # expect_exception(milagro_bls.Sign, ZERO_PRIVKEY_BYTES, message) + yield f'sign_case_zero_privkey', { + 'input': { + 'privkey': encode_hex(ZERO_PRIVKEY_BYTES), + 'message': encode_hex(message), + }, + 'output': None + } def case02_verify(): @@ -120,42 +146,46 @@ def case02_verify(): 'output': False, } - # Valid pubkey and signature with the point at infinity - assert bls.Verify(Z1_PUBKEY, message, Z2_SIGNATURE) - assert milagro_bls.Verify(Z1_PUBKEY, message, Z2_SIGNATURE) - yield f'verify_infinity_pubkey_and_infinity_signature', { - 'input': { - 'pubkey': encode_hex(Z1_PUBKEY), - 'message': encode_hex(message), - 'signature': encode_hex(Z2_SIGNATURE), - }, - 'output': True, - } + # Invalid pubkey and signature with the point at infinity + assert not bls.Verify(Z1_PUBKEY, SAMPLE_MESSAGE, Z2_SIGNATURE) + assert not milagro_bls.Verify(Z1_PUBKEY, SAMPLE_MESSAGE, Z2_SIGNATURE) + yield f'verify_infinity_pubkey_and_infinity_signature', { + 'input': { + 'pubkey': encode_hex(Z1_PUBKEY), + 'message': encode_hex(SAMPLE_MESSAGE), + 'signature': encode_hex(Z2_SIGNATURE), + }, + 'output': False, + } def case03_aggregate(): for message in MESSAGES: sigs = [bls.Sign(privkey, message) for privkey in PRIVKEYS] + aggregate_sig = bls.Aggregate(sigs) + assert aggregate_sig == milagro_bls.Aggregate(sigs) yield f'aggregate_{encode_hex(message)}', { 'input': [encode_hex(sig) for sig in sigs], - 'output': encode_hex(bls.Aggregate(sigs)), + 'output': encode_hex(aggregate_sig), } # Invalid pubkeys -- len(pubkeys) == 0 - try: - bls.Aggregate([]) - except Exception: - pass - else: - raise Exception("Should have been INVALID") - + expect_exception(bls.Aggregate, []) # No signatures to aggregate. Follow IETF BLS spec, return `None` to represent INVALID. - # https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-02#section-2.8 + # https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04#section-2.8 yield f'aggregate_na_signatures', { 'input': [], 'output': None, } + # Valid to aggregate G2 point at infinity + aggregate_sig = bls.Aggregate([Z2_SIGNATURE]) + assert aggregate_sig == milagro_bls.Aggregate([Z2_SIGNATURE]) == Z2_SIGNATURE + yield f'aggregate_infinity_signature', { + 'input': [encode_hex(Z2_SIGNATURE)], + 'output': encode_hex(aggregate_sig), + } + def case04_fast_aggregate_verify(): for i, message in enumerate(MESSAGES): @@ -231,6 +261,23 @@ def case04_fast_aggregate_verify(): 'output': False, } + # Invalid pubkeys and signature -- pubkeys contains point at infinity + pubkeys = PUBKEYS.copy() + pubkeys_with_infinity = pubkeys + [Z1_PUBKEY] + signatures = [bls.Sign(privkey, SAMPLE_MESSAGE) for privkey in PRIVKEYS] + aggregate_signature = bls.Aggregate(signatures) + assert not bls.FastAggregateVerify(pubkeys_with_infinity, SAMPLE_MESSAGE, aggregate_signature) + # TODO enable it when milagro_bls is ready for IETF BLS draft 04 + # assert not milagro_bls.FastAggregateVerify(pubkeys_with_infinity, SAMPLE_MESSAGE, aggregate_signature) + yield f'fast_aggregate_verify_infinity_pubkey', { + 'input': { + 'pubkeys': [encode_hex(pubkey) for pubkey in pubkeys_with_infinity], + 'messages': encode_hex(SAMPLE_MESSAGE), + 'signature': encode_hex(aggregate_signature), + }, + 'output': False, + } + def case05_aggregate_verify(): pubkeys = [] @@ -295,6 +342,20 @@ def case05_aggregate_verify(): 'output': False, } + # Invalid pubkeys and signature -- pubkeys contains point at infinity + pubkeys_with_infinity = pubkeys + [Z1_PUBKEY] + messages_with_sample = messages + [SAMPLE_MESSAGE] + assert not bls.AggregateVerify(pubkeys_with_infinity, messages_with_sample, aggregate_signature) + assert not milagro_bls.AggregateVerify(pubkeys_with_infinity, messages_with_sample, aggregate_signature) + yield f'aggregate_verify_infinity_pubkey', { + 'input': { + 'pubkeys': [encode_hex(pubkey) for pubkey in pubkeys_with_infinity], + 'messages': [encode_hex(message) for message in messages_with_sample], + 'signature': encode_hex(aggregate_signature), + }, + 'output': False, + } + def create_provider(handler_name: str, test_case_fn: Callable[[], Iterable[Tuple[str, Dict[str, Any]]]]) -> gen_typing.TestProvider: diff --git a/tests/generators/bls/requirements.txt b/tests/generators/bls/requirements.txt index 2547052823..fd54b5b322 100644 --- a/tests/generators/bls/requirements.txt +++ b/tests/generators/bls/requirements.txt @@ -1,4 +1,4 @@ -py_ecc==4.0.0 +py_ecc==5.0.0 eth-utils==1.6.0 ../../core/gen_helpers ../../../