Ethereum KZG polynomial commitments / EIP-4844 (part 1) (#239)

* common error model for serialization of BLS signatures and KZG objects * [KZG] add Ethereum's test vectors [skip ci] * dump progress on KZG * Stash: trusted setup generator * implement cache optimized bit-reversal-permutation * Add generator for the Ethereum test trusted setups * implement naive deserialization for the trusted setup interchange format * implement verify_kzg_proof * Add test skeleton of verify KZG proof * rebase import fixes
mratsim · Aug 13, 2023 · f57d071 · f57d071
1 parent 47b4f48
commit f57d071
Show file tree

Hide file tree

Showing 277 changed files with 4,937 additions and 755 deletions.
diff --git a/benchmarks/bench_ethereum_bls_signatures.nim b/benchmarks/bench_ethereum_bls_signatures.nim
@@ -36,16 +36,15 @@ proc demoKeyGen(): tuple[seckey: SecretKey, pubkey: PublicKey] =
  # The API for keygen is not ready in ethereum_bls_signatures
  let ikm = rng.random_byte_seq(32)
  doAssert cast[ptr BigInt[255]](result.seckey.addr)[].derive_master_secretKey(ikm)
- let ok = result.pubkey.derive_pubkey(result.seckey)
- doAssert ok == cttBLS_Success
+ result.pubkey.derive_pubkey(result.seckey)
 
 proc benchDeserPubkey*(iters: int) =
  let (sk, pk) = demoKeyGen()
  var pk_comp{.noInit.}: array[48, byte]
 
  # Serialize compressed
- let ok = pk_comp.serialize_pubkey_compressed(pk)
- doAssert ok == cttBLS_Success
+ let status = pk_comp.serialize_pubkey_compressed(pk)
+ doAssert status == cttCodecEcc_Success
 
  var pk2{.noInit.}: PublicKey
 
@@ -57,8 +56,8 @@ proc benchDeserPubkeyUnchecked*(iters: int) =
  var pk_comp{.noInit.}: array[48, byte]
 
  # Serialize compressed
- let ok = pk_comp.serialize_pubkey_compressed(pk)
- doAssert ok == cttBLS_Success
+ let status = pk_comp.serialize_pubkey_compressed(pk)
+ doAssert status == cttCodecEcc_Success
 
  var pk2{.noInit.}: PublicKey
 
@@ -73,12 +72,11 @@ proc benchDeserSig*(iters: int) =
  sig_comp{.noInit.}: array[96, byte]
  sig {.noInit.}: Signature
 
- let status = sig.sign(sk, msg)
- doAssert status == cttBLS_Success
+ sig.sign(sk, msg)
 
  # Serialize compressed
- let ok = sig_comp.serialize_signature_compressed(sig)
- doAssert ok == cttBLS_Success
+ let status = sig_comp.serialize_signature_compressed(sig)
+ doAssert status == cttCodecEcc_Success
 
  var sig2{.noInit.}: Signature
 
@@ -93,12 +91,11 @@ proc benchDeserSigUnchecked*(iters: int) =
  sig_comp{.noInit.}: array[96, byte]
  sig {.noInit.}: Signature
 
- let status = sig.sign(sk, msg)
- doAssert status == cttBLS_Success
+ sig.sign(sk, msg)
 
  # Serialize compressed
- let ok = sig_comp.serialize_signature_compressed(sig)
- doAssert ok == cttBLS_Success
+ let status = sig_comp.serialize_signature_compressed(sig)
+ doAssert status == cttCodecEcc_Success
 
  var sig2{.noInit.}: Signature
 
@@ -112,15 +109,14 @@ proc benchSign*(iters: int) =
  var sig: Signature
 
  bench("BLS signature", "BLS12_381 G2", iters):
- let status = sig.sign(sk, msg)
+ sig.sign(sk, msg)
 
 proc benchVerify*(iters: int) =
  let (sk, pk) = demoKeyGen()
  let msg = "Mr F was here"
 
  var sig: Signature
- let ok = sig.sign(sk, msg)
- doAssert ok == cttBLS_Success
+ sig.sign(sk, msg)
 
  bench("BLS verification", "BLS12_381", iters):
  let valid = pk.verify(msg, sig)
@@ -136,8 +132,7 @@ proc benchFastAggregateVerify*(numKeys, iters: int) =
  for i in 0 ..< numKeys:
  let (sk, pk) = demoKeyGen()
  validators[i] = pk
- let status = sigs[i].sign(sk, msg)
- doAssert status == cttBLS_Success
+ sigs[i].sign(sk, msg)
 
  aggSig.aggregate_signatures_unstable_api(sigs)
 
@@ -155,8 +150,7 @@ proc benchVerifyMulti*(numSigs, iters: int) =
  for i in 0 ..< numSigs:
  let (sk, pk) = demoKeyGen()
  sha256.hash(hashedMsg, "msg" & $i)
- let status = sig.sign(sk, hashedMsg)
- doAssert status == cttBLS_Success
+ sig.sign(sk, hashedMsg)
  triplets.add (pk, hashedMsg, sig)
 
  bench("BLS verif of " & $numSigs & " msgs by "& $numSigs & " pubkeys", "BLS12_381", iters):
@@ -178,8 +172,7 @@ proc benchVerifyBatched*(numSigs, iters: int) =
  for i in 0 ..< numSigs:
  let (sk, pk) = demoKeyGen()
  sha256.hash(hashedMsg, "msg" & $i)
- let status = sig.sign(sk, hashedMsg)
- doAssert status == cttBLS_Success
+ sig.sign(sk, hashedMsg)
 
  pubkeys.add pk
  messages.add hashedMsg

diff --git a/benchmarks/bench_evm_modexp_dos.nim b/benchmarks/bench_evm_modexp_dos.nim
@@ -2,7 +2,7 @@ import
  ../constantine/ethereum_evm_precompiles,
  ./platforms, ./bench_blueprint,
 
- ../constantine/platforms/codecs
+ ../constantine/serialization/codecs
 
 proc report(op: string, elapsedNs: int64, elapsedCycles: int64, iters: int) =
  let ns = elapsedNs div iters

diff --git a/benchmarks/bench_powmod.nim b/benchmarks/bench_powmod.nim
@@ -2,7 +2,8 @@ import
  ../constantine/math/arithmetic,
  ../constantine/math/io/[io_bigints, io_fields],
  ../constantine/math/config/curves,
- ../constantine/platforms/[abstractions, codecs],
+ ../constantine/platforms/abstractions,
+ ../constantine/serialization/codecs,
  ../constantine/math_arbitrary_precision/arithmetic/bigints_views,
  ../helpers/prng_unsafe,
  ./platforms, ./bench_blueprint

diff --git a/bindings_generators/gen_bindings.nim b/bindings_generators/gen_bindings.nim
@@ -23,11 +23,11 @@ template genBindingsField*(Field: untyped) =
  else:
  {.push noconv, exportc, raises: [].} # No exceptions allowed
 
- func `ctt _ Field _ unmarshalBE`(dst: var Field, src: openarray[byte]) =
+ func `ctt _ Field _ unmarshalBE`(dst: var Field, src: openarray[byte]): bool =
  ## Deserialize
  unmarshalBE(dst, src)
 
- func `ctt _ Field _ marshalBE`(dst: var openarray[byte], src: Field) =
+ func `ctt _ Field _ marshalBE`(dst: var openarray[byte], src: Field): bool =
  marshalBE(dst, src)
  # --------------------------------------------------------------------------------------
  func `ctt _ Field _ is_eq`(a, b: Field): SecretBool =

diff --git a/bindings_generators/gen_header.nim b/bindings_generators/gen_header.nim
@@ -68,6 +68,12 @@ typedef __UINT64_TYPE__ uint64_t;
 #else
 #include <stdint.h>
 #endif
+
+#if defined(__STDC_VERSION__) && __STDC_VERSION__>=199901
+# define bool _Bool
+#else
+# define bool unsigned char
+#endif
 """
 
 proc genCttBaseTypedef*(): string =
@@ -115,6 +121,7 @@ void ctt_{libName}_init_NimMain(void);"""
 # -------------------------------------------
 
 let TypeMap {.compileTime.} = newStringTable({
+ "bool": "bool",
  "SecretBool": "secret_bool",
  "SecretWord": "secret_word"
 })
@@ -201,7 +208,10 @@ macro collectBindings*(cBindingsStr: untyped, body: typed): untyped =
  var name = $paramDef[j]
  cBindings &= toCparam(name.split('`')[0], pType)
 
- cBindings &= ");"
+ if fnDef.params[0].eqIdent"bool":
+ cBindings &= ") __attribute__((warn_unused_result));"
+ else:
+ cBindings &= ");"
 
  if defined(CTT_GENERATE_HEADERS):
  result = newConstStmt(cBindingsStr, newLit cBindings)

diff --git a/constantine.nimble b/constantine.nimble
@@ -1,6 +1,6 @@
 packageName = "constantine"
 version = "0.0.1"
-author = "Status Research & Development GmbH"
+author = "Mamy Ratsimbazafy"
 description = "This library provides thoroughly tested and highly-optimized implementations of cryptography protocols."
 license = "MIT or Apache License 2.0"
 

diff --git a/constantine/ciphers/chacha20.nim b/constantine/ciphers/chacha20.nim
@@ -6,7 +6,9 @@
 # * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 
-import ../platforms/[endians, views]
+import
+ ../platforms/views,
+ ../serialization/endians
 
 # ############################################################
 #

diff --git a/constantine/commitments/README.md b/constantine/commitments/README.md
@@ -0,0 +1,27 @@
+# Commitment schemes
+
+https://en.wikipedia.org/wiki/Commitment_scheme
+
+> A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding.
+
+## Use-cases
+
+An important use-case missing from the Wikipedia article is:
+
+"There exists a bundle of transactions that change the state of my database/ledger/blockchain to this state.". The whole bundle is not needed, only a short proof.
+
+## KZG Polynomial Commitments
+
+- Constant-Size Commitments to Polynomials and Their Applications\
+ Kate, Zaverucha, Goldberg, 2010\
+ https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf\
+ https://cacr.uwaterloo.ca/techreports/2010/cacr2010-10.pdf
+
+- KZG commitments from the Lagrange basis without FFTs
+ Drake, 2020
+ https://ethresear.ch/t/kate-commitments-from-the-lagrange-basis-without-ffts/6950
+
+- KZG Multiproofs
+ Feist, Khovratovich, 2020
+ https://dankradfeist.de/ethereum/2021/06/18/pcs-multiproofs.html\
+ https://github.com/khovratovich/Kate/blob/master/Kate_amortized.pdf