crypto/tpke: consensus/dbft: fix signature computation (#463)

* crypto/tpke: consensus/dbft: fix signature computation

* privnet: set neoXEthSigBlock

Author: txhsl

antimev/signature.go

@@ -13,27 +13,27 @@ var (
 )
 
 // SignShare tries to sign a message with local private key.
-func (ks *KeyStore) SignShare(msg []byte) (*tpke.SignatureShare, error) {
+func (ks *KeyStore) SignShare(msg []byte, negateResult bool) (*tpke.SignatureShare, error) {
 	if ks.shared == nil || ks.shared.localPrvKey == nil {
 		return nil, ErrNoPrvKey
 	}
-	return ks.shared.localPrvKey.SignShare(msg), nil
+	return ks.shared.localPrvKey.SignShare(msg, negateResult), nil
 }
 
 // AggregateAndVerifySig tries to aggregate signature shares and returns
 // the final signature if the verification passes. The key of inputs is
 // dkg index which starts from 1, when the array index of a member in the
 // key group starts from 0.
-func (ks *KeyStore) AggregateAndVerifySig(msg []byte, inputs map[int]*tpke.SignatureShare) (*tpke.Signature, error) {
+func (ks *KeyStore) AggregateAndVerifySig(msg []byte, inputs map[int]*tpke.SignatureShare, isNegatedResult bool) (*tpke.Signature, error) {
 	if ks.shared == nil {
 		return nil, ErrNoPubKey
 	}
-	return ks.shared.aggregateAndVerifySig(msg, inputs, ks.threshold, ks.scaler)
+	return ks.shared.aggregateAndVerifySig(msg, inputs, ks.threshold, ks.scaler, isNegatedResult)
 }
 
 // aggregateAndVerifySig tries to aggregate signature shares and returns
 // the final signature if the verification passes.
-func (tkg *thresholdKeyGroup) aggregateAndVerifySig(msg []byte, inputs map[int]*tpke.SignatureShare, threshold int, scaler int) (*tpke.Signature, error) {
+func (tkg *thresholdKeyGroup) aggregateAndVerifySig(msg []byte, inputs map[int]*tpke.SignatureShare, threshold int, scaler int, isNegatedResult bool) (*tpke.Signature, error) {
 	if len(inputs) < threshold {
 		return nil, ErrSigShareNotEnough
 	}
@@ -67,7 +67,7 @@ func (tkg *thresholdKeyGroup) aggregateAndVerifySig(msg []byte, inputs map[int]*
 		}
 		sig, err := tpke.AggregateSigShares(m, s, scaler)
 		// Verify if the aggregation is valid
-		if err == nil && tkg.globalPubKey.VerifySig(msg, sig) {
+		if err == nil && tkg.globalPubKey.VerifySig(msg, sig, isNegatedResult) {
 			return sig, nil
 		}
 	}

antimev/signature_test.go

@@ -5,6 +5,7 @@ import (
 	"maps"
 	"math/big"
 	"path/filepath"
+	"slices"
 	"testing"
 
 	bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381"
@@ -20,8 +21,40 @@ func TestSingleSignature(t *testing.T) {
 	pk := sk.GetPublicKey()
 
 	msg := []byte("pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza")
-	share := sk.SignShare(msg)
-	if !pk.VerifySigShare(msg, share) {
+	share := sk.SignShare(msg, false)
+	if !pk.VerifySigShare(msg, share, false) {
+		t.Fatalf("invalid signature")
+	}
+	share = sk.SignShare(msg, true)
+	if !pk.VerifySigShare(msg, share, true) {
+		t.Fatalf("invalid signature")
+	}
+}
+
+// Verify against results from https://github.com/ChainSafe/bls
+func TestEthBLSSignEquivalence(t *testing.T) {
+	sk, err := new(tpke.PrivateKey).FromBytes(common.FromHex("0x0075d54c786f77c983e59d452f933f98a8aba65a4c09fca937dfe15cb46631f1"))
+	require.NoError(t, err)
+	pk, err := tpke.NewPublicKeyFromBytes(common.FromHex("0xa257e2f600440a678e23f5db21d28ff65682c08ea20ea90a2a25f0a46340ccb893f04bd789a3b65bebaa298c99c2d220"))
+	require.NoError(t, err)
+	if !pk.Equal(sk.GetPublicKey()) {
+		t.Fatalf("invalid keypair")
+	}
+	msg := []byte("pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza")
+	sig := common.FromHex("0x853c6e915ad9176e6af5bc4b4e258f1457175347d72a393725605de7f33160123682a9eb2bb52bb64e8198a2aa01b0f4171d9ff07ab6589a29dfbe1286444739766f253935a7caefea7920e012794bd5420d4c8d3259251e789a28c54f3b6a2e")
+	if !slices.Equal(sk.SignShare(msg, false).Bytes(), sig) {
+		t.Fatalf("invalid signature")
+	}
+}
+
+// Test vectors from https://github.com/ethereum/consensus-spec-tests
+func TestEthBLSVerifyEquivalence(t *testing.T) {
+	pk, err := tpke.NewPublicKeyFromBytes(common.FromHex("0xa491d1b0ecd9bb917989f0e74f0dea0422eac4a873e5e2644f368dffb9a6e20fd6e10c1b77654d067c0618f6e5a7f79a"))
+	require.NoError(t, err)
+	msg := common.FromHex("0x0000000000000000000000000000000000000000000000000000000000000000")
+	sig, err := tpke.NewSignatureFromBytes(common.FromHex("0xb6ed936746e01f8ecf281f020953fbf1f01debd5657c4a383940b020b26507f6076334f91e2366c96e9ab279fb5158090352ea1c5b0c9274504f4f0e7053af24802e51e4568d164fe986834f41e55c8e850ce1f98458c0cfc9ab380b55285a55"))
+	require.NoError(t, err)
+	if !pk.VerifySig(msg, sig, false) {
 		t.Fatalf("invalid signature")
 	}
 }
@@ -81,7 +114,7 @@ func TestThresholdSignature(t *testing.T) {
 	msg := []byte("pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza pizza")
 	shares := make(map[int]*tpke.SignatureShare)
 	for i := 0; i < size; i++ {
-		share, err := kss[i].SignShare(msg)
+		share, err := kss[i].SignShare(msg, false)
 		require.NoError(t, err)
 		shares[i+1] = share
 	}
@@ -90,12 +123,12 @@ func TestThresholdSignature(t *testing.T) {
 	sh1 := maps.Clone(shares)
 	delete(sh0, 1)
 	delete(sh1, 2)
-	sig, err := kss[0].AggregateAndVerifySig(msg, shares)
+	sig, err := kss[0].AggregateAndVerifySig(msg, shares, false)
 	require.NoError(t, err)
 	require.NotNil(t, sig)
-	sig0, err := kss[0].AggregateAndVerifySig(msg, sh0)
+	sig0, err := kss[0].AggregateAndVerifySig(msg, sh0, false)
 	require.NoError(t, err)
-	sig1, err := kss[0].AggregateAndVerifySig(msg, sh1)
+	sig1, err := kss[0].AggregateAndVerifySig(msg, sh1, false)
 	require.NoError(t, err)
 	require.Equal(t, sig0, sig1)
 }

consensus/dbft/block.go

@@ -108,7 +108,7 @@ func (b *Block) Verify(pub dbft.PublicKey, sign []byte) error {
 		if pub.(*PublicKey).Account != ecrypto.PubkeyBytesToAddress(pubkey) {
 			return errors.New("invalid block signature")
 		}
-	case dbftutil.ExtraV1:
+	case dbftutil.ExtraV1, dbftutil.ExtraV2:
 		switch ss := extra.SignatureScheme(); ss {
 		case dbftutil.ExtraV1ECDSAScheme:
 			sealHash := HonestSealHashV0(b.header)

consensus/dbft/commit.go

@@ -58,7 +58,7 @@ func (c *commit) DecodeRLP(s *rlp.Stream) error {
 // share returns [tpke.SignatureShare] unpacked from commit's signature in case of
 // [dbftutil.ExtraV1] commit version. No error is returned for other commit versions.
 func (c *commit) share() (*tpke.SignatureShare, error) {
-	if c.version != dbftutil.ExtraV1 {
+	if c.version != dbftutil.ExtraV1 && c.version != dbftutil.ExtraV2 {
 		return nil, nil
 	}
 	if c.shareCache == nil {

consensus/dbft/dbft.go

@@ -756,7 +756,7 @@ func (c *DBFT) verifyCommitCb(p dbft.ConsensusPayload[common.Hash]) error {
 	switch v {
 	case dbftutil.ExtraV0:
 		expectedLen = crypto.SignatureLength
-	case dbftutil.ExtraV1:
+	case dbftutil.ExtraV1, dbftutil.ExtraV2:
 		if c.config.enforceECDSASignatures || (!isAMEV && c.chain.Config().IsNeoXAMEV(new(big.Int).Add(h, bigOne))) {
 			expectedLen = crypto.SignatureLength
 		} else {
@@ -801,7 +801,7 @@ func (c *DBFT) verifyPrepareRequestCb(p dbft.ConsensusPayload[common.Hash]) erro
 	// A separate check for post-NeoXAMEV block signing scheme since it depends
 	// on runtime node configuration.
 	extra := dbftutil.Extra(req.SealingProposal.Extra)
-	if c.chain.Config().IsNeoXAMEV(req.SealingProposal.Number) && extra.Version() == dbftutil.ExtraV1 {
+	if c.chain.Config().IsNeoXAMEV(req.SealingProposal.Number) && (extra.Version() == dbftutil.ExtraV1 || extra.Version() == dbftutil.ExtraV2) {
 		var expected = dbftutil.ExtraV1ThresholdScheme
 		if c.config.enforceECDSASignatures {
 			expected = dbftutil.ExtraV1ECDSAScheme
@@ -1367,7 +1367,7 @@ func (c *DBFT) getBlockWitness(pub *tpke.PublicKey, block *Block) ([]byte, error
 	switch v := dbftutil.Extra(block.header.Extra).Version(); v {
 	case dbftutil.ExtraV0:
 		return res, nil
-	case dbftutil.ExtraV1:
+	case dbftutil.ExtraV1, dbftutil.ExtraV2:
 		// Enforce multisignature-based signing scheme for NeoXAMEV-1 height or if
 		// enforcing configured.
 		cfg := c.chain.Config()
@@ -1403,7 +1403,7 @@ func (c *DBFT) getBlockWitness(pub *tpke.PublicKey, block *Block) ([]byte, error
 		c.lock.RLock()
 		ks := c.amevKeystore
 		c.lock.RUnlock()
-		sig, err := ks.AggregateAndVerifySig(msg, shares)
+		sig, err := ks.AggregateAndVerifySig(msg, shares, v == dbftutil.ExtraV1)
 		if err != nil {
 			return nil, fmt.Errorf("failed to aggregate signature: %w", err)
 		}
@@ -1638,20 +1638,25 @@ func (c *DBFT) verifyHeader(chain consensus.ChainHeaderReader, header *types.Hea
 	var (
 		cfg           = chain.Config()
 		isAMEV        = cfg.IsNeoXAMEV(header.Number)
+		isEthSig      = cfg.IsNeoXEthSig(header.Number)
 		isV1Extra     = isAMEV || cfg.IsNeoXAMEV(new(big.Int).Add(header.Number, bigOne))
+		isV2Extra     = isEthSig || cfg.IsNeoXEthSig(new(big.Int).Add(header.Number, bigOne))
 		expectedExtra = dbftutil.ExtraV0
 		extra         = dbftutil.Extra(header.Extra)
 	)
 	if isV1Extra {
 		expectedExtra = dbftutil.ExtraV1
 	}
+	if isV2Extra {
+		expectedExtra = dbftutil.ExtraV2
+	}
 	if v := extra.Version(); v != expectedExtra {
 		return fmt.Errorf("%w: expected %d, got %d", dbftutil.ErrUnexpectedExtraVersion, expectedExtra, v)
 	}
 
 	// Check that extra-data contains hashable part filled.
 	var expectedHashableExtraLen = dbftutil.HashableExtraV0Len
-	if isV1Extra {
+	if isV1Extra || isV2Extra {
 		expectedHashableExtraLen = dbftutil.HashableExtraV1Len
 	}
 	if len(header.Extra) < expectedHashableExtraLen {
@@ -1664,7 +1669,7 @@ func (c *DBFT) verifyHeader(chain consensus.ChainHeaderReader, header *types.Hea
 			m        = crypto.GetBFTHonestNodeCount(n)
 			expected int
 		)
-		if isV1Extra {
+		if isV1Extra || isV2Extra {
 			if !isAMEV && extra.SignatureScheme() != dbftutil.ExtraV1ECDSAScheme {
 				return fmt.Errorf("%w for pre-NeoXAMEV block: expected %d, got %d", dbftutil.ErrUnexpectedBlockSignatureScheme, dbftutil.ExtraV1ECDSAScheme, extra.SignatureScheme())
 			}
@@ -1843,7 +1848,7 @@ func (c *DBFT) verifyExtra(sealHashBytes []byte, extra dbftutil.Extra, parentNex
 			return fmt.Errorf("%w: %s", errUnauthorizedSigner, err)
 		}
 		return nil
-	case dbftutil.ExtraV1:
+	case dbftutil.ExtraV1, dbftutil.ExtraV2:
 		switch ss := extra.SignatureScheme(); ss {
 		case dbftutil.ExtraV1ECDSAScheme:
 			vals, sigs, err := extra.ECDSASigners(len(c.config.StandByValidators))
@@ -1857,7 +1862,7 @@ func (c *DBFT) verifyExtra(sealHashBytes []byte, extra dbftutil.Extra, parentNex
 			switch pv := parentExtra.Version(); pv {
 			case dbftutil.ExtraV0:
 				expected = parentNextConsensus
-			case dbftutil.ExtraV1:
+			case dbftutil.ExtraV1, dbftutil.ExtraV2:
 				var offset = dbftutil.ExtraVersionLen + dbftutil.ExtraV1SignatureSchemeLen
 				expected.SetBytes(parentExtra[offset : offset+common.HashLength])
 			default:
@@ -1887,8 +1892,7 @@ func (c *DBFT) verifyExtra(sealHashBytes []byte, extra dbftutil.Extra, parentNex
 			if err != nil {
 				return fmt.Errorf("seal hash is not a G2 point on BLS12-381: %w", err)
 			}
-
-			return pub.Verify(hash, sig)
+			return pub.Verify(hash, sig, v == dbftutil.ExtraV1)
 		default:
 			return fmt.Errorf("%w: %d", dbftutil.ErrUnexpectedBlockSignatureScheme, ss)
 		}
@@ -1913,14 +1917,20 @@ func (c *DBFT) Prepare(chain consensus.ChainHeaderReader, header *types.Header)
 	// Header's Extra (validators addresses / global TPKE pub and validators
 	// signatures) are treated as changeable and are not filled in during Prepare.
 	if chain.Config().IsNeoXAMEV(new(big.Int).Add(header.Number, bigOne)) {
+		var extraVersion dbftutil.ExtraVersion
+		if chain.Config().IsNeoXEthSig(new(big.Int).Add(header.Number, bigOne)) {
+			extraVersion = dbftutil.ExtraV2
+		} else {
+			extraVersion = dbftutil.ExtraV1
+		}
 		var sigScheme dbftutil.ExtraV1SignatureScheme
 		// Enforce multisignature block signing if we're not at NeoXAMEV yet.
 		if c.config.enforceECDSASignatures || !chain.Config().IsNeoXAMEV(header.Number) {
 			sigScheme = dbftutil.ExtraV1ECDSAScheme
 		} else {
 			sigScheme = dbftutil.ExtraV1ThresholdScheme
 		}
-		header.Extra = []byte{byte(dbftutil.ExtraV1), byte(sigScheme)}
+		header.Extra = []byte{byte(extraVersion), byte(sigScheme)}
 	} else {
 		header.Extra = []byte{byte(dbftutil.ExtraV0)}
 	}
@@ -2343,6 +2353,9 @@ func (c *DBFT) OnPayload(cp *dbftproto.Message) error {
 }
 
 func (c *DBFT) getBlockExtraVersion(height *big.Int) dbftutil.ExtraVersion {
+	if c.chain.Config().IsNeoXEthSig(height) || c.chain.Config().IsNeoXEthSig(new(big.Int).Add(height, bigOne)) {
+		return dbftutil.ExtraV2
+	}
 	if c.chain.Config().IsNeoXAMEV(height) || c.chain.Config().IsNeoXAMEV(new(big.Int).Add(height, bigOne)) {
 		return dbftutil.ExtraV1
 	}
@@ -2560,7 +2573,7 @@ func honestSealHash(header *types.Header) ([]byte, error) {
 	switch v := extra.Version(); v {
 	case dbftutil.ExtraV0:
 		sealHash = HonestSealHashV0(header).Bytes()
-	case dbftutil.ExtraV1:
+	case dbftutil.ExtraV1, dbftutil.ExtraV2:
 		switch ss := extra.SignatureScheme(); ss {
 		case dbftutil.ExtraV1ECDSAScheme:
 			sealHash = HonestSealHashV0(header).Bytes()
@@ -2612,7 +2625,7 @@ func encodeSigHeader(w io.Writer, header *types.Header) {
 	switch v := dbftutil.Extra(header.Extra).Version(); v {
 	case dbftutil.ExtraV0:
 		hashableExtraLen = dbftutil.HashableExtraV0Len
-	case dbftutil.ExtraV1:
+	case dbftutil.ExtraV1, dbftutil.ExtraV2:
 		hashableExtraLen = dbftutil.HashableExtraV1Len
 	default:
 		panic(fmt.Errorf("%w: %d", dbftutil.ErrUnexpectedExtraVersion, v)) // a dangerous program bug

consensus/dbft/dbftutil/util.go

@@ -23,21 +23,25 @@ const (
 	// ExtraV1 is the 1-st version of block's Extra. Extra of this version includes global
 	// TPKE public key followed by aggregated validators' threshold signature.
 	ExtraV1 ExtraVersion = 0x01
+	// ExtraV2 is the 2-nd version of block's Extra. Extra of this version includes global
+	// TPKE public key followed by aggregated validators' threshold signature compatible
+	// with Ethereum CL.
+	ExtraV2 ExtraVersion = 0x02
 )
 
 // ExtraV1SignatureScheme is a scheme of block signature (ECDSA multisignature or
-// threshold signature) that is used for ExtraV1 extra.
+// threshold signature) that is used for ExtraV1 and ExtraV2 extra.
 type ExtraV1SignatureScheme byte
 
 const (
 	// ExtraV1SignatureSchemeLen is the length of block signing scheme version for
-	// ExtraV1 extra.
+	// ExtraV1 and ExtraV2 extra.
 	ExtraV1SignatureSchemeLen = 1
 	// ExtraV1ECDSAScheme denotes fallback ECDSA multisignature block signing scheme
-	// for ExtraV1 extra.
+	// for ExtraV1 and ExtraV2 extra.
 	ExtraV1ECDSAScheme ExtraV1SignatureScheme = 0x00
 	// ExtraV1ThresholdScheme denotes primary threshold signature block signing scheme
-	// for ExtraV1 extra.
+	// for ExtraV1 and ExtraV2 extra.
 	ExtraV1ThresholdScheme ExtraV1SignatureScheme = 0x01
 )
 
@@ -48,7 +52,7 @@ const (
 	// ExtraV0 extra version.
 	HashableExtraV0Len = ExtraVersionLen
 	// HashableExtraV1Len is the length of hashable part of block extra data for
-	// ExtraV1 extra version.
+	// ExtraV1 and ExtraV2 extra version.
 	HashableExtraV1Len = ExtraVersionLen + ExtraV1SignatureSchemeLen + common.HashLength // signing version byte + fallback NextConsensus address
 )
 
@@ -74,8 +78,8 @@ func (e Extra) Version() ExtraVersion {
 	return ExtraVersion(e[0])
 }
 
-// SignatureScheme returns version of block signature for ExtraV1. It's no-op to apply
-// this method to non-V1 extra.
+// SignatureScheme returns version of block signature for ExtraV1 and ExtraV2. It's no-op
+// to apply this method to V0 extra.
 func (e Extra) SignatureScheme() ExtraV1SignatureScheme {
 	return ExtraV1SignatureScheme(e[1])
 }
@@ -90,7 +94,7 @@ func (e Extra) ECDSASigners(n int) ([]common.Address, [][]byte, error) {
 	switch e.Version() {
 	case ExtraV0:
 		buf = e[HashableExtraV0Len:]
-	case ExtraV1:
+	case ExtraV1, ExtraV2:
 		buf = e[HashableExtraV1Len:]
 	default:
 		return nil, nil, fmt.Errorf("%w: %d", ErrUnexpectedExtraVersion, e.Version())
@@ -124,8 +128,8 @@ func (e Extra) ECDSASigners(n int) ([]common.Address, [][]byte, error) {
 // ThresholdSigners returns global public key and threshold signature.
 func (e Extra) ThresholdSigners() (*tpke.PublicKey, *tpke.Signature, error) {
 	// Sanity check.
-	if v := e.Version(); v != ExtraV1 {
-		return nil, nil, fmt.Errorf("%w: expected %d, got %d", ErrUnexpectedExtraVersion, ExtraV1, v)
+	if v := e.Version(); v != ExtraV1 && v != ExtraV2 {
+		return nil, nil, fmt.Errorf("%w: expected %d or %d, got %d", ErrUnexpectedExtraVersion, ExtraV1, ExtraV2, v)
 	}
 	if ss := e.SignatureScheme(); ss != ExtraV1ThresholdScheme {
 		return nil, nil, fmt.Errorf("%w: expected %d, got %d", ErrUnexpectedBlockSignatureScheme, ExtraV1ThresholdScheme, ss)

consensus/dbft/signer.go

@@ -35,12 +35,12 @@ func (s *Signer) signBlock(extra dbftutil.Extra, blockRLP []byte) ([]byte, error
 	switch v := extra.Version(); v {
 	case dbftutil.ExtraV0:
 		return s.SignFn(accounts.Account{Address: s.Signer}, accounts.MimetypeTextPlain, blockRLP)
-	case dbftutil.ExtraV1:
+	case dbftutil.ExtraV1, dbftutil.ExtraV2:
 		switch ss := extra.SignatureScheme(); ss {
 		case dbftutil.ExtraV1ECDSAScheme:
 			return s.SignFn(accounts.Account{Address: s.Signer}, accounts.MimetypeTextPlain, blockRLP)
 		case dbftutil.ExtraV1ThresholdScheme:
-			share, err := s.AmevKeystore.SignShare(blockRLP)
+			share, err := s.AmevKeystore.SignShare(blockRLP, v == dbftutil.ExtraV1)
 			if err != nil {
 				return nil, fmt.Errorf("failed to sign share: %w", err)
 			}

crypto/tpke/private_key.go

@@ -68,12 +68,14 @@ func (sk *PrivateKey) DecryptShare(ct *CipherText) *DecryptionShare {
 }
 
 // SignShare returns a signature share for input message
-func (sk *PrivateKey) SignShare(msg []byte) *SignatureShare {
+func (sk *PrivateKey) SignShare(msg []byte, negateResult bool) *SignatureShare {
 	// S=H(msg)*sk
 	g2Hash, _ := bls12381.HashToG2(msg, Domain)
-	sig := new(bls12381.G2Affine).ScalarMultiplication(&g2Hash, sk.fr)
-	sig.Neg(sig)
-	return &SignatureShare{
-		pg2: sig,
+	sig := &SignatureShare{
+		pg2: new(bls12381.G2Affine).ScalarMultiplication(&g2Hash, sk.fr),
 	}
+	if negateResult {
+		return sig.Neg()
+	}
+	return sig
 }