Merge pull request #117 from line/feature/bls_aggregation_and_verific…

…ation

BLS Signature Aggregation and Verification

CHANGELOG_PENDING.md

@@ -16,6 +16,7 @@
 
 - Blockchain Protocol
 - [consensus] [\#101](https:/line/tendermint/pull/101) Introduce composite key to delegate features to each function key
+- [consensus] [\#117](https:/line/tendermint/pull/117) BLS Signature Aggregation and Verification
 
 ### FEATURES:
 - [init command] [\#125](https:/line/tendermint/pull/125) Add an option selecting private key type to init, testnet commands

blockchain/v1/reactor_test.go

@@ -229,9 +229,9 @@ func TestFastSyncNoBlockResponse(t *testing.T) {
  for _, tt := range tests {
  block := reactorPairs[1].bcR.store.LoadBlock(tt.height)
  if tt.existent {
- assert.True(t, block != nil)
+ assert.True(t, block != nil, "height=%d, existent=%t", tt.height, tt.existent)
  } else {
- assert.True(t, block == nil)
+ assert.True(t, block == nil, "height=%d, existent=%t", tt.height, tt.existent)
  }
  }
 }

config/config.go

@@ -8,6 +8,7 @@ import (
  "time"
 
  "github.com/pkg/errors"
+
  "github.com/tendermint/tendermint/privval"
 )
 

consensus/byzantine_test.go

@@ -8,6 +8,7 @@ import (
  "time"
 
  "github.com/stretchr/testify/require"
+
  config2 "github.com/tendermint/tendermint/config"
 
  "github.com/tendermint/tendermint/libs/service"

consensus/invalid_test.go

@@ -81,7 +81,9 @@ func invalidDoPrevoteFunc(t *testing.T, height int64, round int, cs *State, sw *
  Hash: blockHash,
  PartsHeader: types.PartSetHeader{Total: 1, Hash: tmrand.Bytes(32)}},
  }
- cs.privValidator.SignVote(cs.state.ChainID, precommit)
+ if err = cs.privValidator.SignVote(cs.state.ChainID, precommit); err != nil {
+ panic(err)
+ }
  cs.privValidator = nil // disable priv val so we don't do normal votes
  cs.mtx.Unlock()
 

consensus/reactor.go

@@ -652,9 +652,11 @@ OUTER_LOOP:
  // Catchup logic
  // If peer is lagging by more than 1, send Commit.
  if prs.Height != 0 && rs.Height >= prs.Height+2 {
- // Load the block commit for prs.Height,
+ // Load the seen commit for prs.Height,
  // which contains precommit signatures for prs.Height.
- commit := conR.conS.blockStore.LoadBlockCommit(prs.Height)
+ // Originally the block commit was used, but with the addition of the BLS signature-aggregation,
+ // we use seen commit instead of the block commit because block commit has no individual signature.
+ commit := conR.conS.blockStore.LoadSeenCommit(prs.Height)
  if ps.PickSendVote(commit) {
  logger.Debug("Picked Catchup commit to send", "height", prs.Height)
  continue OUTER_LOOP

consensus/state.go

@@ -9,6 +9,7 @@ import (
  "time"
 
  "github.com/pkg/errors"
+
  "github.com/tendermint/tendermint/libs/fail"
  "github.com/tendermint/tendermint/libs/log"
  tmos "github.com/tendermint/tendermint/libs/os"
@@ -1086,6 +1087,7 @@ func (cs *State) createProposalBlock(round int) (block *types.Block, blockParts
  case cs.LastCommit.HasTwoThirdsMajority():
  // Make the commit from LastCommit
  commit = cs.LastCommit.MakeCommit()
+ commit.AggregateSignatures()
  default: // This shouldn't happen.
  cs.Logger.Error("enterPropose: Cannot propose anything: No commit for the previous block")
  return

crypto/bls/bls.go

@@ -2,6 +2,7 @@ package bls
 
 import (
  "bytes"
+ "crypto/sha512"
  "crypto/subtle"
  "fmt"
 
@@ -46,6 +47,71 @@ func init() {
 // PrivKeyBLS12 implements crypto.PrivKey.
 type PrivKeyBLS12 [PrivKeyBLS12Size]byte
 
+// AddSignature adds a BLS signature to the init. When the init is nil, then a new aggregate signature is built
+// from specified signature.
+func AddSignature(init []byte, signature []byte) (aggrSign []byte, err error) {
+ if init == nil {
+ blsSign := bls.Sign{}
+ init = blsSign.Serialize()
+ } else if len(init) != SignatureSize {
+ err = fmt.Errorf("invalid BLS signature: aggregated signature size %d is not valid size %d",
+ len(init), SignatureSize)
+ return
+ }
+ if len(signature) != SignatureSize {
+ err = fmt.Errorf("invalid BLS signature: signature size %d is not valid size %d",
+ len(signature), SignatureSize)
+ return
+ }
+ blsSign := bls.Sign{}
+ err = blsSign.Deserialize(signature)
+ if err != nil {
+ return
+ }
+ aggrBLSSign := bls.Sign{}
+ err = aggrBLSSign.Deserialize(init)
+ if err != nil {
+ return
+ }
+ aggrBLSSign.Add(&blsSign)
+ aggrSign = aggrBLSSign.Serialize()
+ return
+}
+
+func VerifyAggregatedSignature(aggregatedSignature []byte, pubKeys []PubKeyBLS12, msgs [][]byte) error {
+ if len(pubKeys) != len(msgs) {
+ return fmt.Errorf("the number of public keys %d doesn't match the one of messages %d",
+ len(pubKeys), len(msgs))
+ }
+ if aggregatedSignature == nil {
+ if len(pubKeys) == 0 {
+ return nil
+ }
+ return fmt.Errorf(
+ "the aggregate signature was omitted, even though %d public keys were specified", len(pubKeys))
+ }
+ aggrSign := bls.Sign{}
+ err := aggrSign.Deserialize(aggregatedSignature)
+ if err != nil {
+ return err
+ }
+ blsPubKeys := make([]bls.PublicKey, len(pubKeys))
+ hashes := make([][]byte, len(msgs))
+ for i := 0; i < len(pubKeys); i++ {
+ blsPubKeys[i] = bls.PublicKey{}
+ err = blsPubKeys[i].Deserialize(pubKeys[i][:])
+ if err != nil {
+ return err
+ }
+ hash := sha512.Sum512_256(msgs[i])
+ hashes[i] = hash[:]
+ }
+ if !aggrSign.VerifyAggregateHashes(blsPubKeys, hashes) {
+ return fmt.Errorf("failed to verify the aggregated hashes by %d public keys", len(blsPubKeys))
+ }
+ return nil
+}
+
 // GenPrivKey generates a new BLS12-381 private key.
 func GenPrivKey() PrivKeyBLS12 {
  sigKey := bls.SecretKey{}
@@ -74,7 +140,8 @@ func (privKey PrivKeyBLS12) Sign(msg []byte) ([]byte, error) {
  if err != nil {
  panic(fmt.Sprintf("Failed to copy the private key: %s", err))
  }
- sign := blsKey.SignByte(msg)
+ hash := sha512.Sum512_256(msg)
+ sign := blsKey.SignHash(hash[:])
  return sign.Serialize(), nil
 }
 
@@ -143,7 +210,8 @@ func (pubKey PubKeyBLS12) VerifyBytes(msg []byte, sig []byte) bool {
  if err != nil {
  return false
  }
- return blsSign.VerifyByte(&blsPubKey, msg)
+ hash := sha512.Sum512_256(msg)
+ return blsSign.VerifyHash(&blsPubKey, hash[:])
 }
 
 // VRFVerify is not supported in BLS12.