Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BLS12-381 signature verification #2106

Merged
merged 80 commits into from
May 21, 2024
Merged
Changes from 1 commit
Commits
Show all changes
80 commits
Select commit Hold shift + click to select a range
1923d03
Add bls12_318_aggregate_g1/bls12_318_aggregate_g2
webmaster128 Mar 21, 2024
1e26796
Regenerate lockfiles
aumetra Apr 2, 2024
1a13179
Implement pairing functions, and a fast pairing equality function
aumetra Apr 2, 2024
685af55
Pre-allocate storage for terms
aumetra Apr 2, 2024
239a6b6
Add pairing equality tests
aumetra Apr 2, 2024
034cd0b
Test aggregated validation
aumetra Apr 2, 2024
de533a1
Remove generic parameters from hashing to the subgroups
aumetra Apr 3, 2024
bd4eead
Convert to byte-based API
aumetra Apr 4, 2024
2c742eb
Fix compile errors
aumetra Apr 10, 2024
7cf3043
Add CI step for crypto without default features
aumetra Apr 10, 2024
a915beb
Add BLS verify tests
aumetra Apr 10, 2024
1a23904
test hash to g2
aumetra Apr 10, 2024
a69e769
Add fast aggregate verify
aumetra Apr 10, 2024
ede9b65
Add aggregate verify tests
aumetra Apr 10, 2024
756b149
Add batch verify test
aumetra Apr 10, 2024
323a8c4
Fix import warnings
aumetra Apr 10, 2024
83312c0
Replace `.inspect_err` with `.map_err`
aumetra Apr 10, 2024
5d676c2
Fix aggregate verify
aumetra Apr 12, 2024
316f60d
Remove batch verify test for now
aumetra Apr 12, 2024
d6faff7
Attach functions to the VM
aumetra Apr 15, 2024
e3b63de
Write up API functions
aumetra Apr 15, 2024
9c86f93
Fix imports errors
aumetra Apr 15, 2024
7ec4d30
Add supported imports
aumetra Apr 15, 2024
2e3fc32
Vendor own version of `HashFunction`
aumetra Apr 15, 2024
d57682e
Use primitive casts
aumetra Apr 15, 2024
a948c89
Implement more fine-grained errors for aggregation pairing equality
aumetra Apr 16, 2024
eccdd4b
Add cases for empty lists
aumetra Apr 16, 2024
8901589
Bench hash-to-curve and meter gas usage
aumetra Apr 16, 2024
ae268f2
Add pairing equality test to crypto-verify contract
aumetra Apr 16, 2024
4489610
Move to arkworks BLS implementation
aumetra Apr 16, 2024
1d7eb3a
Use assembly feature
aumetra Apr 16, 2024
2a89b9e
Readjust gas values
aumetra Apr 16, 2024
388e9eb
Remove unused impls
aumetra Apr 16, 2024
81ddc81
Add benches for aggregation
aumetra Apr 16, 2024
737b2ee
Add hash-to-curve tests
aumetra Apr 17, 2024
7c6e8d9
Add generator tests
aumetra Apr 17, 2024
d8bfc22
Revert test change
aumetra Apr 17, 2024
305f8ae
Add error tests
aumetra Apr 17, 2024
3c8c7be
Add some mock testing
aumetra Apr 17, 2024
9f04d53
Add aggregate pairing equality test
aumetra Apr 17, 2024
317e770
Add metered cost for aggregation
aumetra Apr 17, 2024
70e33a9
Adjust gas metering for aggregated pairing equality
aumetra Apr 17, 2024
8c3cbec
Add aggregation test for G1 elements
aumetra Apr 17, 2024
6cb0951
Add Changelog entry
aumetra Apr 19, 2024
a32aab9
Add benchmark for aggregated pairing equality
aumetra Apr 22, 2024
5101142
Adjust gas values to represent it more accurately
aumetra Apr 22, 2024
8ce5ad9
Add BLS branch to benchmarking filter
aumetra Apr 22, 2024
7ff01ec
Run crypto benchmarks with std feature
aumetra Apr 22, 2024
f343af0
Remove raw `pairing_equality` function
aumetra Apr 29, 2024
bee4435
Remove par_bridge usage
aumetra Apr 30, 2024
4552450
Adjust gas values
aumetra Apr 30, 2024
edf41e3
Specific error cases on point aggregation
aumetra Apr 30, 2024
554c4eb
Re-export error type
aumetra Apr 30, 2024
19e088b
Make `g1/g2_sum` private
aumetra Apr 30, 2024
bd7018a
Update contracts/crypto-verify/tests/integration.rs
aumetra May 2, 2024
020e2f7
Rename aggregate_pairing_equality -> pairing_equality
webmaster128 May 2, 2024
3597b14
Feature-gate imports
webmaster128 May 2, 2024
120c83b
Add bls12_381_pairing_equality docs
webmaster128 May 2, 2024
ceb3aa7
Fix contract tests
aumetra May 2, 2024
d044e83
Export constants
aumetra May 2, 2024
04fa77e
Add `.unwrap()` disclaimer
aumetra May 2, 2024
5b3cd75
Fix compile-error on WASM
aumetra May 2, 2024
902f399
Update lockfiles
aumetra May 2, 2024
97cfbbb
Refactor contract tests
aumetra May 2, 2024
57aaf8c
Update CHANGELOG.md
aumetra May 7, 2024
6784a00
Replace `.clone_from_slice` with `.copy_from_slice`
aumetra May 7, 2024
f7814dd
Update packages/crypto/src/bls12_318/hash.rs
aumetra May 7, 2024
68bea24
Move constants, add sources
aumetra May 7, 2024
177c9c3
Add generator tests
aumetra May 7, 2024
34afd26
Remove _COMPRESSED from BLS points
webmaster128 May 7, 2024
bcfae4f
Add docs and clarifications to verify_g1/verify_g2
webmaster128 May 7, 2024
2b0a7e3
Remove ark-bls12-381 from crypto-verify contract
webmaster128 May 7, 2024
871c63f
Gate tests behind `std` feature
aumetra May 7, 2024
246ce02
Constants for success
aumetra May 7, 2024
fc70c3e
Remove error checks about empty pairing equality
aumetra May 7, 2024
1bcf5b0
Document bitwise OR operation
aumetra May 10, 2024
2eb1b92
Adjust gas values, move out variables
aumetra May 10, 2024
e326ea8
Port to new region system
aumetra May 10, 2024
62df0e2
Add test pairing_equality_works_for_empty_lhs
webmaster128 May 10, 2024
add97a0
Merge pull request #2142 from CosmWasm/pairing_equality_works_for_emp…
aumetra May 21, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add benchmark for aggregated pairing equality
  • Loading branch information
aumetra committed May 10, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
commit a32aab9212c3655753f9103b66b03f3d1709d53a
239 changes: 160 additions & 79 deletions packages/crypto/benches/main.rs
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
use ark_bls12_381::{G1Affine, G2Affine};
use ark_bls12_381::{G1Affine, G2Affine, G2Projective};
use ark_ec::AffineRepr;
use ark_ff::UniformRand;
use ark_serialize::CanonicalSerialize;
use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
use criterion::{criterion_group, criterion_main, Criterion, PlottingBackend};
use rand_core::OsRng;
use std::{hint::black_box, io, time::Duration};
@@ -15,10 +16,11 @@ use k256::ecdsa::SigningKey; // type alias
use sha2::Sha256;

use cosmwasm_crypto::{
bls12_381_aggregate_g1, bls12_381_aggregate_g2, bls12_381_g1_generator, bls12_381_hash_to_g1,
bls12_381_hash_to_g2, bls12_381_pairing_equality, ed25519_batch_verify, ed25519_verify,
secp256k1_recover_pubkey, secp256k1_verify, secp256r1_recover_pubkey, secp256r1_verify,
HashFunction, BLS12_381_G1_POINT_LEN, BLS12_381_G2_POINT_LEN,
bls12_381_aggregate_g1, bls12_381_aggregate_g2, bls12_381_aggregate_pairing_equality,
bls12_381_g1_generator, bls12_381_hash_to_g1, bls12_381_hash_to_g2, bls12_381_pairing_equality,
ed25519_batch_verify, ed25519_verify, secp256k1_recover_pubkey, secp256k1_verify,
secp256r1_recover_pubkey, secp256r1_verify, HashFunction, BLS12_381_G1_POINT_LEN,
BLS12_381_G2_POINT_LEN,
};
use std::cmp::min;

@@ -92,6 +94,157 @@ fn read_decode_cosmos_sigs() -> (Vec<Vec<u8>>, Vec<Vec<u8>>, Vec<Vec<u8>>) {
(messages, signatures, public_keys)
}

fn bench_bls<M>(group: &mut criterion::BenchmarkGroup<'_, M>)
where
M: criterion::measurement::Measurement,
{
let two_pow_max = 8;
let num_random_points = 2_usize.pow(two_pow_max);

{
let random_points_g1: Vec<G1Affine> = (0..num_random_points)
.map(|_| G1Affine::rand(&mut OsRng))
.collect();
let mut g1_serialized = io::Cursor::new(Vec::new());
random_points_g1
.serialize_compressed(&mut g1_serialized)
.unwrap();
let g1_serialized = &g1_serialized.into_inner()[8..];

let random_points_g2: Vec<G2Affine> = (0..num_random_points)
.map(|_| G2Affine::rand(&mut OsRng))
.collect();
let mut g2_serialized = io::Cursor::new(Vec::new());
random_points_g2
.serialize_compressed(&mut g2_serialized)
.unwrap();
let g2_serialized = &g2_serialized.into_inner()[8..];

for i in 1..=two_pow_max {
let num_points = 2_usize.pow(i);
let points_to_aggregate_g1 = &g1_serialized[..num_points * BLS12_381_G1_POINT_LEN];
group.bench_function(format!("bls12_381_aggregate_g1_{num_points}"), |b| {
b.iter(|| bls12_381_aggregate_g1(points_to_aggregate_g1).unwrap());
});
}

for i in 1..=two_pow_max {
let num_points = 2_usize.pow(i);
let points_to_aggregate_g2 = &g2_serialized[..num_points * BLS12_381_G2_POINT_LEN];
group.bench_function(format!("bls12_381_aggregate_g2_{num_points}"), |b| {
b.iter(|| bls12_381_aggregate_g2(points_to_aggregate_g2).unwrap());
});
}
}

{
const MESSAGE: &[u8] = b"message";
const DST: &[u8] = b"dst";
let secret_keys: Vec<ark_bls12_381::Fr> = (0..num_random_points)
.map(|_| ark_bls12_381::Fr::rand(&mut OsRng))
.collect();
let public_keys: Vec<G1Affine> = secret_keys
.iter()
.map(|secret_key| G1Affine::generator() * secret_key)
.map(Into::into)
.collect();
let messages: Vec<G2Affine> = (0..num_random_points)
.map(|_| bls12_381_hash_to_g2(HashFunction::Sha256, MESSAGE, DST))
.map(|bytes| G2Affine::deserialize_compressed(&bytes[..]).unwrap())
.collect();
let signatures: Vec<G2Projective> = secret_keys
.iter()
.zip(messages.iter())
.map(|(secret_key, message)| *message * secret_key)
.collect();

for i in 1..=two_pow_max {
let num_points = 2_usize.pow(i);
let messages = &messages[..num_points];
let keys = &public_keys[..num_points];
let aggregated_signature: G2Affine =
signatures[..num_points].iter().sum::<G2Projective>().into();

let serialized_pubkeys: Vec<u8> = keys
.iter()
.flat_map(|key| {
let mut serialized = [0_u8; 48];
key.serialize_compressed(&mut serialized[..]).unwrap();
serialized
})
.collect();

let serialized_messages: Vec<u8> = messages
.iter()
.flat_map(|message| {
let mut serialized = [0_u8; 96];
message.serialize_compressed(&mut serialized[..]).unwrap();
serialized
})
.collect();

let mut serialized_signature = [0_u8; 96];
aggregated_signature
.serialize_compressed(&mut serialized_signature[..])
.unwrap();

group.bench_function(
format!("bls12_381_aggregate_pairing_equality_{num_points}"),
|b| {
b.iter(|| {
let is_valid = black_box(bls12_381_aggregate_pairing_equality(
&serialized_pubkeys,
&serialized_messages,
&bls12_381_g1_generator(),
&serialized_signature,
))
.unwrap();

assert!(is_valid);
});
},
);
}
}

group.bench_function("bls12_381_hash_to_g1", |b| {
b.iter(|| {
bls12_381_hash_to_g1(
black_box(HashFunction::Sha256),
black_box(&BLS_MESSAGE),
black_box(BLS_DST),
)
});
});

group.bench_function("bls12_381_hash_to_g2", |b| {
b.iter(|| {
bls12_381_hash_to_g2(
black_box(HashFunction::Sha256),
black_box(&BLS_MESSAGE),
black_box(BLS_DST),
)
});
});

group.bench_function("bls12_381_verify", |b| {
let generator = bls12_381_g1_generator();
let message = bls12_381_hash_to_g2(HashFunction::Sha256, &BLS_MESSAGE, BLS_DST);

b.iter(|| {
let is_equal = bls12_381_pairing_equality(
black_box(&BLS_PUBKEY),
&message,
&generator,
black_box(&BLS_SIGNATURE),
)
.unwrap();

assert!(is_equal);
});
});
}

fn bench_crypto(c: &mut Criterion) {
let mut group = c.benchmark_group("Crypto");

@@ -150,79 +303,7 @@ fn bench_crypto(c: &mut Criterion) {
});
});

let two_pow_max = 8;
let num_random_points = 2_usize.pow(two_pow_max);

let random_points_g1: Vec<G1Affine> = (0..num_random_points)
.map(|_| G1Affine::rand(&mut OsRng))
.collect();
let mut g1_serialized = io::Cursor::new(Vec::new());
random_points_g1
.serialize_compressed(&mut g1_serialized)
.unwrap();
let g1_serialized = &g1_serialized.into_inner()[8..];

let random_points_g2: Vec<G2Affine> = (0..num_random_points)
.map(|_| G2Affine::rand(&mut OsRng))
.collect();
let mut g2_serialized = io::Cursor::new(Vec::new());
random_points_g2
.serialize_compressed(&mut g2_serialized)
.unwrap();
let g2_serialized = &g2_serialized.into_inner()[8..];

for i in 1..=two_pow_max {
let num_points = 2_usize.pow(i);
let points_to_aggregate_g1 = &g1_serialized[..num_points * BLS12_381_G1_POINT_LEN];
group.bench_function(format!("bls12_381_aggregate_g1_{num_points}"), |b| {
b.iter(|| bls12_381_aggregate_g1(points_to_aggregate_g1).unwrap());
});
}

for i in 1..=two_pow_max {
let num_points = 2_usize.pow(i);
let points_to_aggregate_g2 = &g2_serialized[..num_points * BLS12_381_G2_POINT_LEN];
group.bench_function(format!("bls12_381_aggregate_g2_{num_points}"), |b| {
b.iter(|| bls12_381_aggregate_g2(points_to_aggregate_g2).unwrap());
});
}

group.bench_function("bls12_381_hash_to_g1", |b| {
b.iter(|| {
bls12_381_hash_to_g1(
black_box(HashFunction::Sha256),
black_box(&BLS_MESSAGE),
black_box(BLS_DST),
)
});
});

group.bench_function("bls12_381_hash_to_g2", |b| {
b.iter(|| {
bls12_381_hash_to_g2(
black_box(HashFunction::Sha256),
black_box(&BLS_MESSAGE),
black_box(BLS_DST),
)
});
});

group.bench_function("bls12_381_verify", |b| {
let generator = bls12_381_g1_generator();
let message = bls12_381_hash_to_g2(HashFunction::Sha256, &BLS_MESSAGE, BLS_DST);

b.iter(|| {
let is_equal = bls12_381_pairing_equality(
black_box(&BLS_PUBKEY),
&message,
&generator,
black_box(&BLS_SIGNATURE),
)
.unwrap();

assert!(is_equal);
});
});
bench_bls(&mut group);

group.bench_function("ed25519_verify", |b| {
let message = hex::decode(COSMOS_ED25519_MSG_HEX).unwrap();