multisig brainstorming

[pro-wh]

#91 from oasisprotocol/oasis-core#3094

due to scope changes, this will fix #120

[codecov]

Codecov Report

Merging #118 (f3606a1) into main (0a5add6) will increase coverage by 1.12%.
The diff coverage is 78.09%.

❗ Current head f3606a1 differs from pull request most recent head 9388aa1. Consider uploading reports for the commit 9388aa1 to get more accurate results

@@            Coverage Diff             @@
##             main     #118      +/-   ##
==========================================
+ Coverage   68.77%   69.90%   +1.12%     
==========================================
  Files          51       53       +2     
  Lines        2729     2931     +202     
==========================================
+ Hits         1877     2049     +172     
- Misses        833      862      +29     
- Partials       19       20       +1     

Impacted Files	Coverage Δ
runtime-sdk/src/dispatcher.rs	0.00% <0.00%> (ø)
runtime-sdk/src/module.rs	34.04% <0.00%> (-1.52%)	⬇️
tests/runtimes/simple-consensus/src/lib.rs	0.00% <0.00%> (ø)
tests/runtimes/simple-keyvalue/src/lib.rs	0.00% <0.00%> (ø)
runtime-sdk/src/types/transaction.rs	10.00% <15.00%> (+6.00%)	⬆️
runtime-sdk/src/modules/consensus/mod.rs	75.36% <50.00%> (ø)
client-sdk/go/types/transaction.go	64.51% <62.50%> (+3.80%)	⬆️
runtime-sdk/src/modules/core/mod.rs	63.33% <92.30%> (+4.84%)	⬆️
client-sdk/go/types/crypto.go	70.00% <93.33%> (+35.00%)	⬆️
runtime-sdk/src/crypto/multisig/mod.rs	93.93% <93.93%> (ø)
... and 11 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0a5add6...9388aa1. Read the comment docs.

[pro-wh]

update: multisig is moved out to an alternative at the transaction structure level, where SignerInfo.public_key is now an enum allowing you to choose between PublicKey and a multisig config. Likewise, UnverifiedTransaction.1 T is now an enum allowing you to choose between Signature and a multisig signature set. we're 🤏 this close to putting "multisig v0" as a signing algorithm next to ed25519 and secp256k1, but not quite. in this state, we can at least use PublicKey and Signature inside the multisig structures without getting all cyclic.

this all won't build yet, as I haven't updated the surrounding code

[pro-wh]

update: spreading the changes through the rest of the rust part of the sdk, added a verification routine:

check single-key vs multisig consistency -> zip -> extract present signatures for multisig -> bail if weight is below threshold -> flatten public key and signature lists -> call batch verify

[pro-wh]

update: adding sanity checker for multisig configurations, based on the oasis-core version. need to add calls to it.

[kostko]

Don't forget to add #[serde(deny_unknown_fields)] to all the serializable things.

[pro-wh]

yup, gotta add that, gotta add renames, gotta add doc comments

[pro-wh]

opening this for review at this stage. here's the current idea for a data model.

some feedback is in already:

• need doc comments
• need some conventional attributes on rust structures
• need multisig config size limit

we need some discussion on how multisig conceptually fits in to the existing multiple-accounts-i.e.-nonces being able to sign.

in this draft it's not anticipated that a principal that has a key should distinguish between signing any specific SignerInfo slot or any specific entry inside a multisig proof.

btw, the terminology: 'proof,' as introduced in this PR refers to a generalization of (i) a signature satisfying the authentication requirement of a single-public-key account or a (ii) set of signatures satisfying the authentication requirement of a multisig configuration. also 'config' and 'solo.' let me know your thoughts on this too.

and a little weirdness with the encoding of unverified transactions: it's focused on lists that match up one-to-one with the various signer info of the tx, but this results in needing duplicate signatures if the same key would be used in solo and/or multiple multisig proofs. maybe we could flatten and dedup these signatures, if we prefer it that way. it would be more work on the verification side to match them up, maybe. let me know your thoughts on this too

[kostko]

we need some discussion on how multisig conceptually fits in to the existing multiple-accounts-i.e.-nonces being able to sign.

I guess the use case would be that one account pays for fees and another account authorizes some action?

btw, the terminology: 'proof,' as introduced in this PR refers to a generalization of (i) a signature satisfying the authentication requirement of a single-public-key account or a (ii) set of signatures satisfying the authentication requirement of a multisig configuration. also 'config' and 'solo.' let me know your thoughts on this too.

Yeah auth proof and multisig config seem fine. Added a comment regarding "solo".

and a little weirdness with the encoding of unverified transactions: it's focused on lists that match up one-to-one with the various signer info of the tx, but this results in needing duplicate signatures if the same key would be used in solo and/or multiple multisig proofs. maybe we could flatten and dedup these signatures, if we prefer it that way. it would be more work on the verification side to match them up, maybe. let me know your thoughts on this too

I would rather keep it simple and not dedup.

[pro-wh]

adding some limits for number of authinfo slots in tx and number of signer slots in multisig config

[pro-wh]

The new spec naming looks good to me. Also the signature limits are nice, would be nice to also charge gas per signature slot.

tracking in #141

[kostko]

Oh I see, so now you sign all the slots that correspond to the signer.

[pro-wh]

yeah 🤷 the typescript client is different in style

[Yawning]

Why not do the actual verification? I'm of mixed opinion if a batch should fail if it as any invalid signatures regardless of threshold or not. The way this is setup right now is an all-or-nothing design as far as I can tell.

(I assume allowing a MultisigConfig with mixed public-key types is deliberate, though this will complicate batch verification logic.)

[pro-wh]

we'll have to have an additional step to separate the public key types. but are we moving away from batch signature verification in general?

this isn't meant to be all-or-nothing. it'll leave out the nils from the signature set (Option in the rust side). we'd advise that the transaction sender nil out invalid signatures on their own and avoid submitting a transaction with some valid and some invalid signatures

[pro-wh]

I'll open an issue to discuss this

[pro-wh]

#143