syntax = "proto3";
package quilibrium.node.ceremony.pb;
option go_package = "source.quilibrium.com/quilibrium/monorepo/node/protobufs";
import "keys.proto";
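// Describes the transcript of KZG ceremony execution: the accumulated powers
// over both pairing groups, plus the running witnesses and powers for the
// 256th power.
message CeremonyTranscript {
  // The active collection of powers over G1.
  // NOTE(review): the expected number of elements is not stated in this file;
  // consumers should check the length against the ceremony's configured size
  // before running pairing checks – confirm against the consumer.
  repeated quilibrium.node.keys.pb.BLS48581G1PublicKey g1_powers = 1;
  // The active collection of powers over G2.
  // NOTE(review): same length caveat as g1_powers – confirm.
  repeated quilibrium.node.keys.pb.BLS48581G2PublicKey g2_powers = 2;
  // The running s^256 G1 witnesses – the choice of the 256th power is to ensure
  // combinatorial birthday paradox-based attacks are not possible. In common
  // KZG ceremonies, the collection of witnesses to PoT pubkeys produce the
  // relationship of e(w*G1, s*G2) == e(s'*G1, G2), where w*s == s'. The problem
  // with this is that there are n powers under G2 (excl. the case where PoT
  // ceremonies _only_ have the first G2 power), and so the chance of collision
  // by combination to a target value for s' is feasible such that a sum of a
  // permutation of valid G2 powers could forge witness values to reach a
  // desired outcome, as there are matching pairs of the G1 and G2 powers to
  // permute. When the number of G2 powers is low, or one, this reduces to the
  // discrete log assumption and so the only viable attack is of
  // O(sqrt(<group order>)) per Pollard's Rho (barring any advancements), but in
  // many cases the number of G2 powers is high enough such that n! naive
  // combinations of additions are greater (and cheap, since the additions are
  // first tested in G1) than the required time of testing the discrete log,
  // and combined with many generated target values, significantly reduces the
  // amount of time required to complete the attack. This means that in
  // traditional KZG ceremonies, the last contributor to a ceremony can
  // potentially control the secret. Or, we can just track the witnesses to the
  // highest power in the ceremony and avoid the whole problem. :)
  //
  // NOTE(review): this message only carries the witnesses; whether the chain
  // of witnesses is actually verified is decided by the consumer, not by the
  // schema – confirm the check exists there.
  repeated quilibrium.node.keys.pb.BLS48581G1PublicKey running_g1_256_witnesses = 3;
  // The running s^256 G2 powers – see notes on running_g1_256_witnesses for why
  // we do this.
  repeated quilibrium.node.keys.pb.BLS48581G2PublicKey running_g2_256_powers = 4;
}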
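// Snapshot of the ceremony lobby: a numeric state tag, the state-specific
// payload, a transcript and a serialized reward trie.
message CeremonyLobbyState {
  // Numeric lobby state. This is a plain int32, not an enum, and the mapping
  // from value to state is not defined in this file.
  // NOTE(review): presumably selects the same phase as ceremony_state below;
  // receivers should reject unknown values and a tag that disagrees with the
  // populated oneof member – confirm against the consumer.
  int32 lobby_state = 1;
  // State-specific payload; at most one member is set at a time.
  oneof ceremony_state {
    // Payload for the open (joining) state.
    CeremonyOpenState ceremony_open_state = 2;
    // Payload for the in-progress state.
    CeremonyInProgressState ceremony_in_progress_state = 3;
    // Payload for the finalizing state.
    CeremonyFinalizingState ceremony_finalizing_state = 4;
    // Payload for the validating state.
    CeremonyValidatingState ceremony_validating_state = 5;
  }
  // The latest ceremony transcript held by the lobby.
  CeremonyTranscript latest_transcript = 6;
  // Serialized reward trie; the encoding is not described in this file.
  // NOTE(review): opaque bytes from a peer should be size-bounded and parsed
  // defensively – confirm against the consumer.
  bytes reward_trie = 7;
}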
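// Attestation that a prover was seen, carrying the prover's key, a frame
// number and a signature.
message CeremonySeenProverAttestation {
  // Ed448 public key of the prover that was seen.
  quilibrium.node.keys.pb.Ed448PublicKey seen_prover_key = 1;
  // Frame number at which the prover was last seen.
  uint64 last_seen_frame = 2;
  // Ed448 signature for this attestation. The exact bytes that are signed are
  // not specified in this file.
  // NOTE(review): this message has the same field layout as
  // CeremonyDroppedProverAttestation; the signed payload should bind the
  // attestation kind (domain separation) and last_seen_frame so a "seen"
  // attestation cannot be replayed as a "dropped" one – confirm in the signer
  // and verifier.
  quilibrium.node.keys.pb.Ed448Signature prover_signature = 3;
}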
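// Attestation that a prover has dropped out, carrying the dropped prover's
// key, a frame number and a signature.
message CeremonyDroppedProverAttestation {
  // Ed448 public key of the prover reported as dropped.
  quilibrium.node.keys.pb.Ed448PublicKey dropped_prover_key = 1;
  // Frame number at which the dropped prover was last seen.
  uint64 last_seen_frame = 2;
  // Ed448 signature for this attestation. The exact bytes that are signed,
  // and which prover signs them, are not specified in this file.
  // NOTE(review): this message has the same field layout as
  // CeremonySeenProverAttestation; the signed payload should bind the
  // attestation kind (domain separation) and last_seen_frame so the two
  // cannot be substituted for each other – confirm in the signer and
  // verifier.
  quilibrium.node.keys.pb.Ed448Signature prover_signature = 3;
}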
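// A participant's additive share of the transcript: additive powers over G1
// and G2, the additive values for the 256th power, and a prover signature.
message CeremonyTranscriptShare {
  // Additive share of the powers over G1.
  repeated quilibrium.node.keys.pb.BLS48581G1PublicKey additive_g1_powers = 1;
  // Additive share of the powers over G2.
  repeated quilibrium.node.keys.pb.BLS48581G2PublicKey additive_g2_powers = 2;
  // Additive G1 value for the 256th power.
  // NOTE(review): presumably feeds
  // CeremonyTranscript.running_g1_256_witnesses – confirm.
  quilibrium.node.keys.pb.BLS48581G1PublicKey additive_g1_256_witness = 3;
  // Additive G2 value for the 256th power.
  // NOTE(review): named "witness" here while the transcript field is
  // running_g2_256_powers; presumably the same quantity – confirm.
  quilibrium.node.keys.pb.BLS48581G2PublicKey additive_g2_256_witness = 4;
  // Ed448 signature by the prover. The exact bytes that are signed are not
  // specified in this file.
  // NOTE(review): the signature should cover every point in the share, not
  // only a subset, or unsigned elements can be swapped in transit – confirm
  // in the verifier.
  quilibrium.node.keys.pb.Ed448Signature prover_signature = 5;
}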
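// Describes the required proof to commit to a transcript to advance a round,
// and as a proof to move to the verification state. As described on the
// fields below, the two signatures bind the Ed448 prover key and the additive
// share of the first power to each other.
message CeremonyTranscriptCommit {
  // Prover key signature over the G1 point of the additive share of the first
  // power.
  quilibrium.node.keys.pb.Ed448Signature prover_signature = 1;
  // BLS short signature over the Ed448 prover public key, using the additive
  // share of the first power.
  // NOTE(review): a verifier needs to check both signatures and that they
  // refer to the same prover key and share; checking only one leaves the
  // binding open – confirm in the verifier.
  quilibrium.node.keys.pb.BLS48581Signature contribution_signature = 2;
}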
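// A set of transcript commits submitted together to advance a round.
message CeremonyAdvanceRound {
  // The transcript commits for this round advance.
  // NOTE(review): the expected count and ordering are not stated in this
  // file; presumably one commit per active participant – confirm.
  repeated CeremonyTranscriptCommit commits = 1;
}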
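// Request to join the ceremony lobby, carrying a frame number, two X448
// public keys and an Ed448 signature.
message CeremonyLobbyJoin {
  // Frame number associated with the join.
  // NOTE(review): if this is used for freshness or replay protection it must
  // be covered by the signature below – confirm in the verifier.
  uint64 frame_number = 1;
  // X448 identity public key of the joining participant.
  quilibrium.node.keys.pb.X448PublicKey identity_key = 2;
  // X448 signed pre-key of the joining participant.
  quilibrium.node.keys.pb.X448PublicKey signed_pre_key = 3;
  // Ed448 signature accompanying the public keys. The exact bytes that are
  // signed are not specified in this file.
  // NOTE(review): there is no Ed448PublicKey field in this message, so the
  // signer's key presumably travels inside Ed448Signature or is known from
  // context; the signature should cover both X448 keys – confirm in
  // keys.proto and the verifier.
  quilibrium.node.keys.pb.Ed448Signature public_key_signature_ed448 = 4;
}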
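// A batch of inputs that drive a lobby state transition, given as type URLs
// and serialized payloads.
message CeremonyLobbyStateTransition {
  // Type URLs naming the kinds of the transition inputs.
  // NOTE(review): presumably parallel to transition_inputs, so that
  // transition_inputs[i] is a serialized message of type type_urls[i];
  // nothing in the schema enforces equal lengths. Receivers should reject
  // mismatched lengths and decode only type URLs on an explicit allowlist –
  // confirm against the consumer.
  repeated string type_urls = 1;
  // Serialized transition inputs, as opaque bytes.
  repeated bytes transition_inputs = 2;
}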
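// Lobby payload while the ceremony is open for joining.
message CeremonyOpenState {
  // Join requests of the participants that have joined so far.
  // NOTE(review): whether duplicate joins for one identity are collapsed is
  // not visible here – confirm against the consumer.
  repeated CeremonyLobbyJoin joined_participants = 1;
  // Ed448 public keys of participants that are preferred. How preference is
  // granted and applied is not described in this file.
  repeated quilibrium.node.keys.pb.Ed448PublicKey preferred_participants = 2;
}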
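// Lobby payload while a ceremony round is in progress.
message CeremonyInProgressState {
  // Ed448 public keys of the participants active in this round.
  repeated quilibrium.node.keys.pb.Ed448PublicKey active_participants = 1;
  // Latest "seen" attestations for provers.
  // NOTE(review): each attestation's key should be checked against
  // active_participants and its signature verified before it is trusted –
  // confirm in the consumer.
  repeated CeremonySeenProverAttestation latest_seen_prover_attestations = 2;
  // Attestations that participants have dropped.
  // NOTE(review): how many attestations are required before a participant is
  // treated as dropped is not stated in this file – confirm.
  repeated CeremonyDroppedProverAttestation dropped_participant_attestations = 3;
  // Round-advance messages, each holding a set of transcript commits.
  repeated CeremonyAdvanceRound transcript_round_advance_commits = 4;
  // Ed448 public keys of the participants for the next round.
  repeated quilibrium.node.keys.pb.Ed448PublicKey next_round_participants = 5;
}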
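// Lobby payload while the ceremony is finalizing: participants, liveness
// attestations, and the commits and shares collected for the transcript.
message CeremonyFinalizingState {
  // Ed448 public keys of the participants active in this state.
  repeated quilibrium.node.keys.pb.Ed448PublicKey active_participants = 1;
  // Latest "seen" attestations for provers.
  repeated CeremonySeenProverAttestation latest_seen_prover_attestations = 2;
  // Attestations that participants have dropped.
  repeated CeremonyDroppedProverAttestation dropped_participant_attestations = 3;
  // Transcript commits collected from participants.
  repeated CeremonyTranscriptCommit commits = 4;
  // Transcript shares collected from participants.
  // NOTE(review): commits and shares are separate lists with no explicit key
  // linking an entry in one to an entry in the other; a consumer should match
  // each share to its commit by prover key rather than by index – confirm.
  repeated CeremonyTranscriptShare shares = 5;
  // Ed448 public keys of the participants for the next round.
  repeated quilibrium.node.keys.pb.Ed448PublicKey next_round_participants = 6;
}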
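// Lobby payload while the updated transcript is being validated.
message CeremonyValidatingState {
  // Transcript commits that accompany the updated transcript.
  repeated CeremonyTranscriptCommit commits = 1;
  // The transcript produced by this round, pending validation.
  // NOTE(review): consumers should not treat this as the accepted transcript
  // until validation has completed – confirm how acceptance is signalled.
  CeremonyTranscript updated_transcript = 2;
  // Ed448 public keys of the participants for the next round.
  repeated quilibrium.node.keys.pb.Ed448PublicKey next_round_participants = 3;
}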