feat: batcher client message signing (#471)

Co-authored-by: MauroFab <[email protected]>

Author: entropidelic

README_SEND_PROOFS.md

@@ -4,6 +4,37 @@ Make sure you have Aligned installed as specified [here](./README.md#how-to-use-
 
 If you run the examples below, make sure you are in Aligned's repository root.
 
+## 1. Import/Create Keystore file
+
+If you already have a keystore file, you can ignore this section and start sending proofs. We give two examples of how to generate one. The first one using Foundry, and the second one using EigenLayerCLI
+
+### Alternative 1: With foundry
+
+Install foundry following this guide:
+
+Install [Foundry](https://book.getfoundry.sh/getting-started/installation):
+
+- If you are creating a new account. Create a private key with:
+
+```bash
+cast wallet new-mnemonic --words 12
+```
+
+If you are using this wallet outside testnet, write down the mnemonic phrase given by anvil
+
+- Import the wallet using the private key previously generated, or whichever you want to use, and write a password to use it.
+
+```bash
+mkdir -p ~/.aligned_keystore/
+cast wallet import --private-key <YOUR_ECDSA_PRIVATE_KEY>  ~/.aligned_keystore/keystore0
+```
+
+This will create the ECDSA keystore file in `~/.aligned_keystore/keystore0`
+
+### Alternative 2: With EigenlayerCLI
+
+- If you have the EigenLayer CLI installed, the keystore can be generated following [this](https://docs.eigenlayer.xyz/eigenlayer/operator-guides/operator-installation#import-keys) instructions. The key will be stored into `~/.eigenlayer/operator_keys`.
+
 ## SP1 proof
 
 The SP1 proof needs the proof file and the vm program file.
@@ -16,7 +47,8 @@ aligned submit \
 --vm_program <vm_program_file> \
 --conn wss://batcher.alignedlayer.com \
 --proof_generator_addr [proof_generator_addr] \
---batch_inclusion_data_directory_path [batch_inclusion_data_directory_path]
+--batch_inclusion_data_directory_path [batch_inclusion_data_directory_path] \
+--keystore_path <path_yo_ecdsa_keystore> 
 ```
 
 **Example**
@@ -27,7 +59,8 @@ aligned submit \
 --proving_system SP1 \
 --proof ./batcher/aligned/test_files/sp1/sp1_fibonacci.proof \
 --vm_program ./batcher/aligned/test_files/sp1/sp1_fibonacci-elf \
---conn wss://batcher.alignedlayer.com
+--conn wss://batcher.alignedlayer.com \
+--keystore_path ~/.aligned_keystore/keystore0
 ```
 
 ## Risc0 proof
@@ -42,7 +75,8 @@ aligned submit \
 --vm_program <vm_program_file> \
 --conn wss://batcher.alignedlayer.com \
 --proof_generator_addr [proof_generator_addr] \
---batch_inclusion_data_directory_path [batch_inclusion_data_directory_path]
+--batch_inclusion_data_directory_path [batch_inclusion_data_directory_path] \
+--keystore_path <path_yo_ecdsa_keystore>
 ```
 
 **Example**
@@ -53,7 +87,8 @@ aligned submit \
 --proving_system Risc0 \
 --proof ./batcher/aligned/test_files/risc_zero/risc_zero_fibonacci.proof \
 --vm_program ./batcher/aligned/test_files/risc_zero/fibonacci_id.bin \
---aligned_verification_data_path ~/.aligned/aligned_verification_data
+--aligned_verification_data_path ~/.aligned/aligned_verification_data \
+--keystore_path ~/.aligned_keystore/keystore0
 ```
 
 ## GnarkPlonkBn254, GnarkPlonkBls12_381 and Groth16Bn254
@@ -69,7 +104,8 @@ aligned submit \
 --vk <verification_key_file> \
 --conn wss://batcher.alignedlayer.com \
 --proof_generator_addr [proof_generator_addr] \
---batch_inclusion_data_directory_path [batch_inclusion_data_directory_path]
+--batch_inclusion_data_directory_path [batch_inclusion_data_directory_path] \
+--keystore_path <path_yo_ecdsa_keystore>
 ```
 
 **Examples**:
@@ -81,7 +117,8 @@ aligned submit \
 --proof ./batcher/aligned/test_files/plonk_bn254/plonk.proof \
 --public_input ./batcher/aligned/test_files/plonk_bn254/plonk_pub_input.pub \
 --vk ./batcher/aligned/test_files/plonk_bn254/plonk.vk \
---conn wss://batcher.alignedlayer.com
+--conn wss://batcher.alignedlayer.com \
+--keystore_path ~/.aligned_keystore/keystore0
 ```
 
 ```bash
@@ -91,7 +128,8 @@ aligned submit \
 --proof ./batcher/aligned/test_files/plonk_bls12_381/plonk.proof \
 --public_input ./batcher/aligned/test_files/plonk_bls12_381/plonk_pub_input.pub \
 --vk ./batcher/aligned/test_files/plonk_bls12_381/plonk.vk \
---conn wss://batcher.alignedlayer.com
+--conn wss://batcher.alignedlayer.com \
+--keystore_path ~/.aligned_keystore/keystore0
 ```
 
 ```bash
@@ -101,5 +139,6 @@ aligned submit \
 --proof ./batcher/aligned/test_files/groth16/ineq_1_groth16.proof \
 --public_input ./batcher/aligned/test_files/groth16/ineq_1_groth16.pub \
 --vk ./batcher/aligned/test_files/groth16/ineq_1_groth16.vk \
---conn wss://batcher.alignedlayer.com
+--conn wss://batcher.alignedlayer.com \
+--keystore_path ~/.aligned_keystore/keystore0
 ```

batcher/Cargo.lock

@@ -11,3 +11,4 @@ serde = { version = "1.0.201", features = ["derive"] }
 sha3 = { version = "0.10.8"}
 lambdaworks-crypto = { version = "0.7.0", features = ["serde"] }
 hex = "0.4.3"
+serde_json = "1.0.117"

batcher/aligned-batcher-lib/Cargo.toml

@@ -1,4 +1,9 @@
+use ethers::core::k256::ecdsa::SigningKey;
+use ethers::signers::Signer;
+use ethers::signers::Wallet;
 use ethers::types::Address;
+use ethers::types::Signature;
+use ethers::types::SignatureError;
 use lambdaworks_crypto::merkle_tree::{
     merkle::MerkleTree, proof::Proof, traits::IsMerkleTreeBackend,
 };
@@ -17,7 +22,7 @@ pub enum ProvingSystemId {
     Risc0,
 }
 
-#[derive(Debug, Serialize, Deserialize, Default, Clone)]
+#[derive(Debug, Serialize, Deserialize, Clone)]
 pub struct VerificationData {
     pub proving_system: ProvingSystemId,
     pub proof: Vec<u8>,
@@ -122,31 +127,39 @@ impl BatchInclusionData {
             .unwrap();
 
         BatchInclusionData {
-            batch_merkle_root: batch_merkle_tree.root.clone(),
+            batch_merkle_root: batch_merkle_tree.root,
             batch_inclusion_proof,
             index_in_batch: verification_data_batch_index,
         }
     }
 }
 
-#[cfg(test)]
-mod test {
-    use super::*;
-
-    #[test]
-    fn hash_new_parent_is_correct() {
-        let mut hasher = Keccak256::new();
-        hasher.update(vec![1u8]);
-        let child_1 = hasher.finalize_reset().into();
-        hasher.update(vec![2u8]);
-        let child_2 = hasher.finalize().into();
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ClientMessage {
+    pub verification_data: VerificationData,
+    pub signature: Signature,
+}
 
-        let parent = VerificationCommitmentBatch::hash_new_parent(&child_1, &child_2);
+impl ClientMessage {
+    /// Client message is a wrap around verification data and its signature.
+    /// The signature is obtained by calculating the commitments and then hashing them.
+    pub async fn new(verification_data: VerificationData, wallet: Wallet<SigningKey>) -> Self {
+        let hashed_leaf = VerificationCommitmentBatch::hash_data(&verification_data.clone().into());
+        let signature = wallet.sign_message(hashed_leaf).await.unwrap();
 
-        // This value is built using Openzeppelin's module for Merkle Trees, in particular using
-        // the SimpleMerkleTree. For more details see the openzeppelin_merkle_tree/merkle_tree.js script.
-        let expected_parent = "71d8979cbfae9b197a4fbcc7d387b1fae9560e2f284d30b4e90c80f6bc074f57";
+        ClientMessage {
+            verification_data,
+            signature,
+        }
+    }
 
-        assert_eq!(hex::encode(parent), expected_parent)
+    /// The signature of the message is verified, and when it correct, the
+    /// recovered address from the signature is returned.
+    pub fn verify_signature(&self) -> Result<Address, SignatureError> {
+        let hashed_leaf =
+            VerificationCommitmentBatch::hash_data(&self.verification_data.clone().into());
+        let recovered = self.signature.recover(hashed_leaf)?;
+        self.signature.verify(hashed_leaf, recovered)?;
+        Ok(recovered)
     }
 }

batcher/aligned-batcher-lib/src/types/mod.rs

@@ -7,7 +7,8 @@ use std::time::Duration;
 
 use crate::eth::BatchVerifiedEventStream;
 use aligned_batcher_lib::types::{
-    BatchInclusionData, VerificationCommitmentBatch, VerificationData, VerificationDataCommitment,
+    BatchInclusionData, ClientMessage, VerificationCommitmentBatch, VerificationData,
+    VerificationDataCommitment,
 };
 use aws_sdk_s3::client::Client as S3Client;
 use eth::BatchVerifiedFilter;
@@ -167,10 +168,21 @@ impl Batcher {
         ws_conn_sink: Arc<RwLock<SplitSink<WebSocketStream<TcpStream>, Message>>>,
     ) -> Result<(), tokio_tungstenite::tungstenite::Error> {
         // Deserialize verification data from message
-        let verification_data: VerificationData =
+        let client_msg: ClientMessage =
             serde_json::from_str(message.to_text().expect("Message is not text"))
                 .expect("Failed to deserialize task");
 
+        // FIXME: We are not doing anything for the moment with the address from the
+        // sender, this logic should be added for the payment system.
+        info!("Verifying message signature...");
+        if let Ok(_addr) = client_msg.verify_signature() {
+            info!("Message signature verified");
+            // do something with addr
+        } else {
+            error!("Signature verification error")
+        }
+
+        let verification_data = client_msg.verification_data;
         if verification_data.proof.len() <= self.max_proof_size {
             // When pre-verification is enabled, batcher will verify proofs for faster feedback with clients
             if self.pre_verification_is_enabled && !zk_utils::verify(&verification_data) {

batcher/aligned-batcher/src/lib.rs

@@ -1,11 +1,13 @@
 use std::fmt;
 
+use ethers::types::SignatureError;
 use tokio_tungstenite::tungstenite;
 
 pub enum BatcherError {
     ConnectionError(tungstenite::Error),
     BatchVerifiedEventStreamError(String),
     EthereumSubscriptionError(String),
+    SignatureError(SignatureError),
 }
 
 impl From<tungstenite::Error> for BatcherError {
@@ -14,6 +16,12 @@ impl From<tungstenite::Error> for BatcherError {
     }
 }
 
+impl From<SignatureError> for BatcherError {
+    fn from(e: SignatureError) -> Self {
+        BatcherError::SignatureError(e)
+    }
+}
+
 impl fmt::Debug for BatcherError {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         match self {
@@ -26,6 +34,9 @@ impl fmt::Debug for BatcherError {
             BatcherError::EthereumSubscriptionError(e) => {
                 write!(f, "Ethereum subscription was not successful: {}", e)
             }
+            BatcherError::SignatureError(e) => {
+                write!(f, "Message signature verification error: {}", e)
+            }
         }
     }
 }

batcher/aligned-batcher/src/types/errors.rs

@@ -16,4 +16,5 @@ clap = { version = "4.5.4", features = ["derive"] }
 lambdaworks-crypto = { version = "0.7.0", features = ["serde"] }
 ethers = { version = "2.0", features = ["ws", "rustls"] }
 aligned-batcher-lib = { path = "../aligned-batcher-lib"}
+rpassword = "7.3.1"
 sha3 = { version = "0.10.8"}

batcher/aligned/Cargo.toml

@@ -13,6 +13,8 @@ pub enum BatcherClientError {
     IoError(PathBuf, io::Error),
     SerdeError(serde_json::Error),
     EthError(String),
+    SignerError(String),
+    PasswordError(io::Error),
 }
 
 impl From<tokio_tungstenite::tungstenite::Error> for BatcherClientError {
@@ -35,7 +37,7 @@ impl From<ProviderError> for BatcherClientError {
 
 impl From<WalletError> for BatcherClientError {
     fn from(e: WalletError) -> Self {
-        BatcherClientError::EthError(e.to_string())
+        BatcherClientError::SignerError(e.to_string())
     }
 }
 
@@ -45,6 +47,12 @@ impl From<FromHexError> for BatcherClientError {
     }
 }
 
+impl From<io::Error> for BatcherClientError {
+    fn from(e: io::Error) -> Self {
+        BatcherClientError::PasswordError(e)
+    }
+}
+
 impl fmt::Debug for BatcherClientError {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         match self {
@@ -64,6 +72,8 @@ impl fmt::Debug for BatcherClientError {
             }
             BatcherClientError::SerdeError(e) => write!(f, "Serialization error: {}", e),
             BatcherClientError::EthError(e) => write!(f, "Ethereum error: {}", e),
+            BatcherClientError::SignerError(e) => write!(f, "Signer error: {}", e),
+            BatcherClientError::PasswordError(e) => write!(f, "Password input error: {}", e),
         }
     }
 }