doc: add BLS key registration spec

[gitferry]

This PR partly fixed BM-46.

This is a proposal for BLS key registration, which is critical to the safety of checkpointing.

I marked @aakoshh @SebastianElvis @fishermanymc as reviewers but comments from others are also welcome.

[SebastianElvis]

Great spec! I only have minor comments. The high-level idea can definitely work, but I guess there are many technical details that can only be shown in the code-level, e.g., new protobuf structs/messages for the hardcoded message and DB schema for the validator with BLS PK.

[SebastianElvis]

It seems that the predefined message m has to be hardcoded in genesis.proto or params.proto.

[gitferry]

I agree

[fishermanymc]

what about m = BLS public key? Seems at least as secure as a hardcoded message.

[gitferry]

Using the Ed25519 public key also seems to work

[fishermanymc]

Yes. If using the Ed25519 public key as the message, then the message should be first signed using BLS and then Ed25519.

I don't think m= hello Babylon would work: after seen A, anyone will have A and can then use its own BLS private key to sign A to ruin the correct binding between Ed25519 and BLS. For example, when a malicious validator node see a BLS reigestration transaction, it can extract "A" and sign it using its own BLS, and then broadcast its own BLS registration transaction. When this node has better network, this fraud registration might be received by the network earlier than the legitimate one, which will yield a successful front-running attack.

Indeed, if m is not a key-specific plaintext, then no matter it is Ed25519-then-BLS signed or BLS-then-Ed25519 signed, I feel the PoP is not secure.

Given that we will have to include the BLS public key in the transaction anyway, I recommend tha the plaintext is the BLS public key. This key is first Ed25519 signed, and the signature is then BLS signed.

[gitferry]

I don't think m= hello Babylon would work: after seen A, anyone will have A and can then use its own BLS private key to sign A to ruin the correct binding between Ed25519 and BLS. For example, when a malicious validator node see a BLS reigestration transaction, it can extract "A" and sign it using its own BLS, and then broadcast its own BLS registration transaction. When this node has better network, this fraud registration might be received by the network earlier than the legitimate one, which will yield a successful front-running attack.

Since we assume that each replica has been registered, why would a fixed m break the binding between Ed25519 and BLS? You see, the address of the sender is bonded with its Ed25519 public key.

Given that we will have to include the BLS public key in the transaction anyway, I recommend that the plaintext is the BLS public key. This key is first Ed25519 signed, and the signature is then BLS signed.

Thanks for this suggestion. I think it is at least better than a fixed m.

Let's compare two options:

1. m = BLS public key. We need to first sign m using the validator's Ed25519 private key to get A. Otherwise, anyone can claim ownership of the BLS private key. Then we need to sign A using the validator's BLS private key to get B.
2. m= Ed25519 public key. We need to first sign m using the validator's BLS private key to get A. This binds BLS key and Ed25519 key. Then, that's it. We don't need to sign A using Ed25519 private key since the entire transaction will be signed by Ed25519 by default.

It seems that option 2 saves one more round than option 1. Does it make sense?

[gitferry]

Just had a discussion with @fishermanymc and realized that each transaction is signed by ECDSA. So, option 2 also needs a Ed25519 signature over A.

The current decision is to go for option 2.

[SebastianElvis]

Should PoP be stored somewhere on-chain or be discarded after the verification?

[gitferry]

It's a good question. Natively, it would be on-chain since it is a Tendermint transaction. But I don't think we need to store it in the module after the verification. In other words, we don't need to access it from outside.

[fishermanymc]

"has already"

[gitferry]

Nice catch!

[aakoshh]

According to the registration flow and the yet-to-be-defined wrapped version of the MsgCreateValidator, this will happen in a single transaction.

[aakoshh]

Or perhaps you mean the that the user sending the registration should already have an account, which would be associated with a key. I'm not exactly sure how registration works. The way I understand it is it has a validator key and an optional delegator key, and both have to sign the message. I don't see any signature in the message, though, so I assume "signing" here means signing the whole transaction.

That seems to suggest that one of these guys have to have an account and be able to pay the fees, right?

Can it be that the delegator has an account but the validator doesn't? Can I use my account to create a validator by the virtue of registration, delegating some coins to its stake? In that case the validator would not necessarily have to have a key up front.

[gitferry]

Thanks for mentioning this. Would it be possible that the MsgCreateBlsKey (a new message type that will be defined in the checkpointing module) message to be included in the same transaction with the corresponding MsgCreateValidator? That means the operation of creating a validator needs to first register an Ed25519 key and then register a BLS key. Separating the two steps into two messages does not affect the procedure of normal registration. And combining them into a single transaction ensures atomicity. Of course, the original MsgCreateValidator needs to be processed first by the staking module, and then the MsgCreateBlsKey processed by the checkpointing module.

[aakoshh]

Yes, the two will be included in the same transaction, in fact the same message, by the virtue of wrapping.

The wrapped staking message (MsgCreateValidator) will be delayed till the end of the epoch, because it would have an effect on the power distribution, but we can process the BLS part straight away and register the Ed25519<->BLS association at once, rejecting any further attempts to add any other pairing for either keys.

[fishermanymc]

what about m = BLS public key? Seems at least as secure as a hardcoded message.

[fishermanymc]

shouldn't it first check whether this Ed25519 has already been paired with a BLS?

[gitferry]

You are right. Each validator should only be associated with one BLS public key. I will add that check. Thanks!

[aakoshh]

I would mention that this key must come from the signer of the transaction itself, not just the payload, to prevent anyone being able to steal the messages included in the transaction and pretend they have these keys.

[gitferry]

Thank for pointing it out. Yes, there would be a check to ensure that the Ed25519 public key must be the same as the one that the sender's last registration.

[gitferry]

Many thanks for the review @aakoshh @SebastianElvis @fishermanymc. I have updated the spec according to our discussion.

[aakoshh]

I'm not exactly sure what the staking module does, but we should

1. Let the checkpointing module do the processing: check the PoP of both the Ed25519 and BLS keys, and register the association, rejecting the transaction if the BLS or the Ed25519 is already associated with some other key
2. Delay the processing of the staking process to the end of the epoch, at which point it will happen as usual.

[gitferry]

I feel like we'd better not process MsgCreateBlsKey ahead of the corresponding MsgCreateValidator because the registration of the BLS key only makes sense after the validator is created.

Can the epoching module wraps both MsgCreateValidator and MsgCreateBlsKey in a wrapper message like MsgWrappedRegistration and delay the processing of the wrapper to the end of the epoch? During execution, the epoching module uncovers the wrapper and delivers the two messages to the staking module and the checkpointing module, respectively (need to ensure `MsgCreateValidator is processed first)?

[aakoshh]

During execution, the epoching module uncovers the wrapper and delivers the two messages to the staking module and the checkpointing module

I would rather not do that because it would mean the epoching module has to know about the existence of checkpointing, which it currently doesn't have to do.

the registration of the BLS key only makes sense after the validator is created.

I don't disagree, but at the same time, I think there's nothing wrong with registering the BLS-to-ECDSA association immediately. We basically put the validator into a "pre-registered" state where we know about their keys and they cannot deviate from those any more - any other transaction they send with a different BLS key, or any other validator trying to use the same BLS key, will fail immediately, rather than with a delay. It's much easier to learn the outcome now, than at the end of the epoch. See #32

The only way for the delayed transaction to fail is if the delegator doesn't have enough funds. They can just try again.

Can the epoching module wraps both MsgCreateValidator and MsgCreateBlsKey in a wrapper message

It's the checkpointing module doing the wrapping, so epoching can stay oblivious. It only offers its delay service for staking related stuff, except for the creation message.

[gitferry]

I see. It makes sense. Thanks @aakoshh!

[aakoshh]

Suggested change

	To verify PoP, first we need to ensure that the BLS public key has never been registered. Then,
	To verify PoP, first we need to ensure that the BLS public key has never been registered by a different validator, and that the current validator hasn't already registered a different BLS public key. Then,

[aakoshh]

Just a note that A' is not introduced.

I wonder if instead of saying that

PoP is composed of [m, A, B].

We could say that

PoP = encrypt(key = BLS_sk, data = encrypt(key = Ed25519_sk, data = Ed25519_pk))
tx = sign(key = Ed25519_sk, msg = { BLS_pk, PoP })

and checking is

tx.signer.Ed25519_pk ?= decrypt(key = tx.signer.Ed25519_pk, data = decrypt(key = tx.msg.BLS_pk, data = tx.msg.PoP))

It's the same thing, but I find I have to jump up and down less to find what the letters mean.

[gitferry]

Nice point. Thanks!

[gitferry]

Thanks @aakoshh for the great discussions. Please see the updates.

[aakoshh]

Looks good! 🙂