New STM registration procedure

[iquerejeta]

Content

This PR implements the new registration procedure and closes #301 and closes #384 . When a registration procedure is initialised, we have to give as input the cardano stake distribution, which is a set of pairs (PoolId, Stake). This would be the stake distribution of all SPOs, and not only the mithril nodes. Then, when an SPO wants to register as a Mithril node, it must provide:

• The operational certificate
• The cold verification key
• KES signature of the Mithril key
• The KES period (we need to figure out how we are going to get this)
• The Mithril key

To this end, this PR introduces the OpCert structure, which contains the KES verification key and a signature using the cold key. There certainly is more fields, but we can complete than once we know which fields a OpCert has. The registration procedure takes as input the raw cbor bytes of the OpCert and parses them to extract the required data. Then, it can verify the validity of OpCert, check that the hash of the cold VK (i.e. the PoolId) is indeed in the stake distribution of cardano, verify the KES signature of the mithril key, and finally verify the validity of the Mithril key.

Wrappers over mithril-core

To avoid making mithril-core Cardano specific, while maintaining its usage in the mithril project, we write wrappers over certain structures to enforce Cardano specific requirements. In particular:

• StmInitializeWrapper: With this wrapper we enforce the usage of a KES key and period during the setup. This allows the initialiser to produce a KES signature of the mithril verification key.
• KeyRegWrapper: The registration wrapper enforces an initialisation with cardano's stake distribution (poolID and stake). Similarly, it enforces that when a party is registering it needs to submit the poolID, the OpCert and the KES sig and period. This allows the registrar to check that the registering party is indeed who it claims to be.

A few things remaining in this PR:

• Introduce a KesSignature of the Mithril key in the StmInitializer. We therefore need to access the bytes of the KES signing key (probably through the mithril server cli)
• Implement parsing of the OpCert
• Handle KES deserialisation with serde
• Compute PoolID from cold verification key

Aggregator/Signer Hybrid Registration implementation

• Use new key registration functions that use KES Secret Key and Operational Certificate
• Implement a KES Period requester inside the Chain Observer
• Implement a hybrid mode: Certified and Legacy to allow for smooth transition (no breaking changes)
• Adapt Aggregator key registration
• Adapt Signer key registration
• Adapt Signer individual signatures registration
• Update crypto tests helpers from Common to handle hybrid modes (and add a test_only feature for them)
• Update devnet
• Update test lab and make it able to verify that Signers from both modes are able to contribute to signatures
• Add Verified Signer badge on the Explorer for certified signers

Pre-submit checklist

• Branch
  • Tests are provided
  • Commit sequence broadly makes sense
  • Key commits have useful messages
• PR
  • No clippy warnings in the CI
  • Rollback test only CI modifications
  • Self-reviewed the diff
  • Useful pull request description
  • Reviewer requested
• Documentation
  • Update documentation website

Issue(s)

Closes #301, #384 and #455

[github-actions]

Unit Test Results

    7 files  ±0    24 suites  ±0   2m 6s ⏱️ -13s
340 tests +3  340 ✔️ +3  0 💤 ±0  0 ❌ ±0 
341 runs  +3  341 ✔️ +3  0 💤 ±0  0 ❌ ±0 

Results for commit d49cdb4. ± Comparison against base commit 329d6fa.

This pull request removes 2 and adds 5 tests. Note that renamed tests count towards both.

crypto_helper::conversions::tests ‑ test_stake_signers_from_into
src/stm.rs - stm::StmSigner<D> ‑ new_epoch (line 405)

chain_observer::cli_observer::tests ‑ test_get_current_kes_period
crypto_helper::cardano::cold_key::tests ‑ test_generate_deterministic_genesis_keypair
crypto_helper::cardano::key_certification::test ‑ test_vector_key_reg
crypto_helper::cardano::opcert::tests ‑ test_vector_opcert
entities::signer::tests ‑ test_stake_signers_from_into

♻️ This comment has been updated with latest results.

[jpraynaud]

@iquerejeta here are the 3 modifications we talked about while pairing 👍

[curiecrypt]

Parameter names are getting longer since we have a lot of resembling parameters. However, it sometimes gets confusing to track the code and decide which is which. I don't think we should change the names, but maybe the parameter documentation should give a little more detail.

[curiecrypt]

The PR satisfies the requirements given here and #301, #384 (note that I did not review the code related to #455). So it can be merged with the main branch.

Please see the suggestions.