Skip to content

Commit 1d3b5c9

Browse files
curiecryptcuriecrypt
committed
rebased on latest design doc
1 parent 52bf28c commit 1d3b5c9

File tree

1 file changed

+190
-28
lines changed

1 file changed

+190
-28
lines changed

docs/leios-design/README.md

Lines changed: 190 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -616,46 +616,208 @@ Corresponding types with instances of `EncCBOR` and `DecCBOR` must be provided i
616616
617617
> [!WARNING]
618618
>
619-
> TODO: Mostly content directly taken from [impact analysis](../ImpactAnalysis.md). Expand on motivation and concreteness of changes.
619+
> Work in progress. Content is created based on [impact analysis](../ImpactAnalysis.md), [Leios crypto project board](https://github.com/orgs/IntersectMBO/projects/75), and [CIP](https://github.com/cardano-scaling/CIPs/blob/leios/CIP-0164/README.md).
620+
>
621+
> TODO: Write: risks and mitigations, roadmap. Complete: implementation plan.
622+
623+
In Leios, EBs are compactly certified for inclusion in RBs.
624+
Certification is achieved through a voting mechanism in which committee members cast votes referencing specific EBs, and these votes are then aggregated into compact certificates.
625+
626+
To participate in the Leios protocol as a voting member or block-producing node, stake pool operators must register an additional cryptographic key dedicated to the voting scheme, alongside their existing VRF and KES keys.
627+
Two types of voters contribute to EB validation, ensuring a balance between security, decentralization, and efficiency.
628+
Persistent voters are selected once per epoch and participate in every election, identified by compact identifiers.
629+
Non-persistent voters, on the other hand, are selected independently for each EB via local sortition.
630+
Registered voters can generate and cast votes, each including an `endorser_block_hash` field that uniquely identifies the target EB.
631+
Collected votes are then aggregated into a compact certificate.
632+
633+
### Leios Voting in a Nutshell
634+
635+
#### Key Generation
636+
- A secret key ($sk$) is created to generate signatures for the corresponding signature scheme.
637+
- The public key ($pk$) is securely derived from $sk$ and used to verify the corresponding signatures.
638+
- A proof of possession ($PoP$) is generated for $sk$ to ensure key ownership.
639+
> Note that keys are not rotated periodically, as forward security is not required for IBs, EBs, or votes.
640+
641+
#### Key Registration
642+
- The registration process is responsible for storing public keys and verifying proof of possession.
643+
- Each stake pool registers with the following information:
644+
- A unique identifier (Pool ID or similar)
645+
- $pk$
646+
- $PoP$
647+
- A KES signature over the Pool ID, $pk$, and $PoP$
648+
- Nodes verify the $PoP$s of all received $pk$s to confirm their validity.
649+
650+
#### Voter Determination
651+
- For each epoch, *persistent voters* are selected based on the stake distribution and participate in every election during that epoch.
652+
- Within the same epoch, *non-persistent voters* are chosen randomly and independently for each election.
653+
654+
#### Voting
655+
- Voters sign the election ID and the EB hash with their $sk$.
656+
- Each vote includes the election ID, the EB hash, and the corresponding signature.
657+
- Persistent votes additionally include an epoch-specific identifier of the stake pool.
658+
- Non-persistent votes include the Pool ID and an eligibility signature on the election ID.
659+
660+
#### Certificate Generation
661+
- Upon receiving votes, both voter identities and their signatures are verified.
662+
- Non-persistent votes are further validated for eligibility.
663+
- Once a quorum of valid votes is collected, a certificate can be generated.
664+
- The certificate includes:
665+
- The election ID and the message (the hash of the EB)
666+
- The identities of participating voters
667+
- Eligibility proofs for non-persistent voters
668+
- An aggregate signature combining all individual voter signatures
669+
670+
### Requirements
671+
672+
The voting and certificate scheme in Leios must satisfy key requirements to ensure security, efficiency, and practical deployability.
620673
621-
The security of the votes cast and the certificates that Leios uses to accept EB blocks depends on the usage of the pairing-based BLS12-381 signature scheme (BLS). This scheme is useful, as it allows for aggregation of public keys and signatures, allowing a big group to signal their approval with one compact artifact. Besides Leios, it is also likely that [Peras](https://github.com/tweag/cardano-peras/issues/128) will use this scheme.
674+
Key registration should be lightweight, requiring minimal data exchange or coordination among participants.
675+
Ideally, it should be integrated into the existing operational certificate framework to keep certificates compact and avoid unnecessary complexity.
622676
623-
This section derives requirements for adding BLS signatures to `cardano-base` and sketches changes to satisfy them. The scope is limited to cryptographic primitives and their integration into existing classes; vote construction/logic is out of scope. This work should align with [this IETF draft](https://www.ietf.org/archive/id/draft-irtf-cfrg-bls-signature-05.html).
677+
Periodic rotation of cryptographic keys for signing Leios votes and certificates is unnecessary.
678+
The timing of voting rounds and the key rotation already present in Praos provide sufficient protection against replay and key compromise attacks.
624679
625-
> Note that with the implementation of [CIP-0381](https://cips.cardano.org/cip/CIP-0381) `cardano-base` already contains basic utility functions needed to create these bindings; the work below is thus expanding on that. The impact of the below requirements thus only extends to [this](https://github.com/IntersectMBO/cardano-base/blob/82e09945726a7650540e0656f01331d09018ac97/cardano-crypto-class/src/Cardano/Crypto/EllipticCurve/BLS12_381/Internal.hs) module and probably [this](https://github.com/IntersectMBO/cardano-base/blob/82e09945726a7650540e0656f01331d09018ac97/cardano-crypto-class/src/Cardano/Crypto/DSIGN/Class.hs) outward facing class.
680+
Deterministic signatures, while useful against weak randomness, are not required for Leios.
681+
Deterministic randomness is only essential in the lottery mechanism, which is securely implemented through VRFs.
626682
627-
### Core functionality
683+
The voting committee must be selected locally and unpredictably to resist adversarial interference.
684+
The process should not be overly deterministic or publicly visible, preventing targeted attacks such as denial-of-service or node subversion.
685+
The protocol must also preserve liveness and soundness—adversaries with significant stake (e.g., over 35%) should not block honest quorums, and even near-majority holders (around 49%) must be unable to form malicious ones.
628686
629-
The following functional requirements define the core BLS signature functionality needed:
687+
Because voting occurs frequently and adds notable network load, votes and certificates must remain compact.
688+
The large size of Praos KES signatures makes them unsuitable, highlighting the need for more space-efficient schemes that fit easily within Praos blocks while leaving room for other transactions.
630689
631-
- **REQ-BlsTypes** Introduce opaque types for `SecretKey`, `PublicKey`, `Signature`, and `AggSignature` (if needed by consensus).
632-
- **REQ-BlsKeyGenSecure** Provide secure key generation with strong randomness requirements, resistance to side-channel leakage.
633-
- **REQ-BlsVariantAbstraction** Support both BLS variants—small public key and small signature—behind a single abstraction. Public APIs are variant-agnostic.
634-
- **REQ-BlsPoP** Proof-of-Possession creation and verification to mitigate rogue-key attacks.
635-
- **REQ-BlsSkToPk** Deterministic sk → pk derivation for the chosen variant.
636-
- **REQ-BlsSignVerify** Signature generation and verification APIs, variant-agnostic and domain-separated (DST supplied by caller). Besides the DST, the interface should also implement a per message augmentation.
637-
- **REQ-BlsAggregateSignatures** Aggregate a list of public keys and signatures into one.
638-
- **REQ-BlsBatchVerify** Batch verification API for efficient verification of many `(pk, msg, sig)` messages.
639-
- **REQ-BlsDSIGNIntegration** Provide a `DSIGN` instance so consensus can use BLS via the existing `DSIGN` class, including aggregation-capable helpers where appropriate.
640-
- **REQ-BlsSerialisation** Deterministic serialisation: `ToCBOR`/`FromCBOR` and raw-bytes for keys/signatures; strict length/subgroup/infinity checks; canonical compressed encodings as per the [Zcash](https://github.com/zcash/librustzcash/blob/6e0364cd42a2b3d2b958a54771ef51a8db79dd29/pairing/src/bls12_381/README.md#serialization) standard for BLS points.
641-
- **REQ-BlsConformanceVectors** Add conformance tests using test vectors from the [initial](https://github.com/input-output-hk/ouroboros-leios/tree/main/crypto-benchmarks.rs) Rust implementation to ensure cross-impl compatibility.
690+
Lastly, the cryptographic operations for eligibility verification, vote generation, and certificate validation must be highly efficient.
691+
The total workload should stay well within the CPU budget for Leios stages, ensuring strong performance and scalability under real-world conditions.
642692
643-
### Performance and quality
693+
### Design Choices
644694
645-
> [!WARNING]
646-
>
647-
> TODO: Move to performance or testing sections?
695+
Several certificate schemes were evaluated for Leios, including ALBA variants, SNARK-based voting schemes, and BLS-based certificates, with the goal of identifying a design that best satisfies the security, efficiency, and deployability requirements described above.
696+
After comparison, BLS certificates based on the *Fait Accompli* sortition scheme were selected as the preferred approach.
697+
Although this choice requires the registration of additional keys and occasional key rotation, it provides a strong balance between efficiency and practicality, producing certificates smaller than 10 kB.
648698
649-
The following non-functional requirements ensure the implementation meets performance and quality standards:
699+
Other voting mechanisms could be considered preferable if they met the following conditions: no need for new key registration (i.e., reusing existing VRF and KES keys for voting), a certificate size well below the 90,112-byte limit of a Praos block, and proof generation and verification times that remain within the CPU budget of the `cardano-node`.
700+
However, among the schemes analyzed, BLS certificates offered the most favorable trade-offs across these dimensions.
650701
651-
- **REQ-BlsPerfBenchmarks** Benchmark single-verify, aggregate-verify, and batch-verify; report the impact of batching vs individual verification.
652-
- **REQ-BlsRustParity** Compare performance against the Rust implementation; document gaps and ensure functional parity on vectors.
653-
- **REQ-BlsDeterminismPortability** Deterministic results across platforms/architectures; outputs independent of CPU feature detection.
654-
- **REQ-BlsDocumentation** Document the outward facing API in cardano-base and provide example usages. Additionally add a section on do's and don'ts with regards to security of this scheme outside the context of Leios.
702+
The BLS voting mechanism relies on a pairing-based signature scheme defined over the BLS12-381 elliptic curve.
703+
This approach is advantageous because it enables the aggregation of public keys and signatures, allowing large groups of participants to collectively signal approval through a single compact artifact.
704+
Beyond Leios, the BLS mechanism is also relevant to other Cardano subsystems; Mithril already employs BLS-based aggregation, and Peras is expected to adopt a similar approach in future implementations.
655705
656-
### Implementation notes
706+
### Implementation Plan
707+
708+
To implement the linear Leios design, efficient BLS signature functionality is essential for achieving fast and compact certificate generation.
709+
With the adoption of [CIP-0381](https://cips.cardano.org/cip/CIP-0381), `cardano-base` already provides foundational utilities for BLS operations, offering a solid basis for this integration.
710+
Building on these capabilities, the implementation plan introduces additional bindings and helper modules to ensure smooth interaction with the Leios protocol within the Haskell node.
711+
712+
This section presents the implementation plan for extending `cardano-base` with BLS signature support and outlines the modifications required to satisfy Leios-specific needs.
713+
The requirements are organized into two main categories: **core functionality**, which defines the essential BLS operations needed, and **performance and quality**, which ensures the implementation meets the expected efficiency, reliability, and maintainability standards.
714+
715+
#### Core functionality
716+
**BLS types**
717+
- The `BLS12_381.Internal` module in `cardano-base` already provides a comprehensive set of types designed for safe interaction with the linked C functions from the `blst` library.
718+
- As part of the integration effort, it is necessary to evaluate which additional types should be introduced beyond those already defined, ensuring full support for the BLS functionality required by Leios.
719+
720+
**Key generation**
721+
- Secure key generation must ensure strong randomness and resilience against side-channel attacks. To achieve this, an integration with the `blst` library through a FFI is required. This involves adding the necessary foreign function imports to the `BLS12_381.Internal` module and implementing the corresponding `SecretKey` type to enable safe and efficient handling of secret keys within the Haskell environment.
722+
- The `blst` library exposes a key-generation function [`blst_keygen`](https://github.com/supranational/blst/blob/e7f90de551e8df682f3cc99067d204d8b90d27ad/bindings/blst.h#L330)
723+
```C
724+
void blst_keygen(blst_scalar *out_SK, const byte *IKM, size_t IKM_len, const byte *info DEFNULL, size_t info_len DEFNULL);
725+
```
726+
which derives a secret key from input keying material (IKM) and optional `info`. To use this safely in `cardano-base`, we need to clarify the security guarantees of this construction: what qualifies as a cryptographically secure IKM (length, entropy, generation source) and how `info` should be used (additional entropy vs. domain/context bytes). In parallel, we should examine how `cardano-base` currently sources seeds for other schemes in the `DSIGN` class, review the `blst` keygen C implementation to assess robustness and side-channel posture, align our requirements with the IETF BLS draft’s guidance on key generation (see the “KeyGen” section in the CFRG draft), and determine whether `info` is treated as entropy input or merely contextual/domain-separation data; documenting these findings will let us standardize secure IKM generation and `info` usage for BLS within `cardano-base`.
727+
728+
**Proof-of-Possession**
729+
- The `blst` C library does not provide a direct interface for generating a proof of possession ($PoP$).
730+
- This functionality must be implemented manually in `cardano-base`, leveraging the existing `blst` bindings to construct a $PoP$ from the available primitives.
731+
732+
**Public key derivation**
733+
- Implement deterministic derivation of the public key ($pk$) from the corresponding secret key ($sk$) for the selected BLS variant.
734+
- This requires adding a FFI binding to the `blst` library to enable secure and efficient key derivation within `cardano-base`.
735+
```C
736+
void blst_sk_to_pk_in_g1(blst_p1 *out_pk, const blst_scalar *SK);
737+
void blst_sk_to_pk_in_g2(blst_p2 *out_pk, const blst_scalar *SK);
738+
```
739+
740+
**Signature**
741+
- Implement signature generation and verification APIs that are variant-agnostic and support domain separation, with DST supplied by the caller. This functionality requires integrating with the `blst` library through FFI bindings, using the following functions:
742+
```C
743+
void blst_sign_pk_in_g1(blst_p2 *out_sig, const blst_p2 *hash, const blst_scalar *SK);
744+
void blst_sign_pk_in_g2(blst_p1 *out_sig, const blst_p1 *hash, const blst_scalar *SK);
745+
```
746+
For single-signature verification, correctness can be established through a standard pairing check between the signature, message hash, and public key. See [this](https://www.ietf.org/archive/id/draft-irtf-cfrg-bls-signature-05.html#name-verify).
747+
748+
**Aggregation**
749+
750+
The core cryptographic feature of Leios EB certificates is the ability to aggregate signatures from persistent voters. By combining multiple signatures into a single compact representation, we achieve significant space efficiency within EB blocks. This aggregation also enables more efficient verification, as a single pairing check can replace many individual ones—saving numerous expensive pairing operations while requiring only a few lightweight point additions in $G_1$ or $G_2$.
751+
752+
To support this functionality, several helper functions should be implemented:
753+
- A function to aggregate multiple public keys into a single aggregated key.
754+
- A function to aggregate multiple signatures into a single aggregated signature.
755+
- A function that, given a message and multiple $(pk, sig)$ pairs over that message, performs batch verification.
756+
757+
The first two functions are particularly useful for building an accumulator that locally tallies Leios votes and aggregates them in advance for block production. The third provides a one-shot approach for efficient verification. Since the optimal aggregation strategy depends on when and how votes are combined, all three functions should be implemented to support flexible and efficient use within Leios.
758+
759+
**Batch verification**
760+
- Implement a batch verification API to efficiently verify multiple $(pk, msg, sig)$ tuples.
761+
- This requires adding FFI bindings to the `blst` library.
762+
- The underlying C functions can be composed to load multiple $(pk, msg, sig)$ combinations into a single pairing context for verification.
763+
- When many of the messages are identical, it becomes more efficient to merge them beforehand.
764+
- It is advisable to use a key-value data structure where each $msg$ serves as the key, and the corresponding values are the multiple $(pk, sig)$ pairs that can be aggregated using the existing aggregation functions.
765+
766+
**DSIGN integration**
767+
768+
...
769+
770+
**Serialization**
771+
772+
...
773+
774+
**Conformance vectors**
775+
776+
...
777+
778+
#### Performance and quality
779+
**Performance benchmarks**
780+
781+
...
782+
783+
**Rust parity**
784+
785+
...
786+
787+
**Determinism portability**
788+
789+
...
790+
791+
**Documentation**
792+
793+
...
794+
795+
#### Other utilities
796+
**Registration**
797+
798+
...
799+
800+
**Fa sortition**
801+
802+
...
803+
804+
**Local sortition**
805+
806+
...
807+
808+
**Implementation notes**
809+
810+
...
811+
812+
### Potential Risks and Mitigations
813+
...
657814

658-
Note that the PoP checks probably are done at the certificate level, and that the above-described API should not be responsible for this. The current code on BLS12-381 already abstracts over both curves `G1`/`G2`, we should maintain this. The `BLST` package also exposes fast verification over many messages and signatures + public keys by doing a combined pairing check. This might be helpful, though it's currently unclear if we can use this speedup. It might be the case, since we have linear Leios, that this is never needed.
815+
### Roadmap
816+
- Delivery cycle 1
817+
- Delivery cycle 2
818+
- Delivery cycle 3
819+
- Delivery cycle 4
820+
- ...
659821

660822
## Performance & Tracing (P&T)
661823

0 commit comments

Comments
 (0)