2025-08-26 14:32:55 -04:00
|
|
|
#![cfg_attr(docsrs, feature(doc_auto_cfg))]
|
|
|
|
|
#![doc = include_str!("../README.md")]
|
2023-01-04 22:52:41 -05:00
|
|
|
#![cfg_attr(not(feature = "std"), no_std)]
|
|
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
extern crate alloc;
|
2025-01-30 12:16:19 +03:00
|
|
|
|
2025-09-02 10:40:57 -04:00
|
|
|
mod embedded_elliptic_curve_keys;
|
|
|
|
|
use embedded_elliptic_curve_keys::*;
|
|
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
mod allocations;
|
|
|
|
|
use allocations::*;
|
2025-01-30 12:16:19 +03:00
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
mod sessions;
|
|
|
|
|
use sessions::{*, GenesisValidators as GenesisValidatorsContainer};
|
|
|
|
|
|
|
|
|
|
/*
|
2023-12-17 01:44:08 +03:00
|
|
|
use core::marker::PhantomData;
|
|
|
|
|
|
|
|
|
|
use scale::{Encode, Decode};
|
|
|
|
|
use scale_info::TypeInfo;
|
|
|
|
|
|
|
|
|
|
use sp_std::{vec, vec::Vec};
|
|
|
|
|
use sp_core::sr25519::{Public, Signature};
|
|
|
|
|
use sp_application_crypto::RuntimePublic;
|
|
|
|
|
use sp_session::{ShouldEndSession, GetSessionNumber, GetValidatorCount};
|
|
|
|
|
use sp_runtime::{KeyTypeId, ConsensusEngineId, traits::IsMember};
|
|
|
|
|
use sp_staking::offence::{ReportOffence, Offence, OffenceError};
|
|
|
|
|
|
|
|
|
|
use frame_system::{pallet_prelude::*, RawOrigin};
|
|
|
|
|
use frame_support::{
|
|
|
|
|
pallet_prelude::*,
|
2024-08-15 06:12:04 +03:00
|
|
|
sp_runtime::SaturatedConversion,
|
2023-12-17 01:44:08 +03:00
|
|
|
traits::{DisabledValidators, KeyOwnerProofSystem, FindAuthor},
|
|
|
|
|
BoundedVec, WeakBoundedVec, StoragePrefixedMap,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
use serai_primitives::*;
|
|
|
|
|
pub use validator_sets_primitives as primitives;
|
|
|
|
|
use primitives::*;
|
|
|
|
|
|
|
|
|
|
use coins_pallet::{Pallet as Coins, AllowMint};
|
|
|
|
|
use dex_pallet::Pallet as Dex;
|
|
|
|
|
|
|
|
|
|
use pallet_babe::{
|
|
|
|
|
Pallet as Babe, AuthorityId as BabeAuthorityId, EquivocationOffence as BabeEquivocationOffence,
|
|
|
|
|
};
|
|
|
|
|
use pallet_grandpa::{
|
|
|
|
|
Pallet as Grandpa, AuthorityId as GrandpaAuthorityId,
|
|
|
|
|
EquivocationOffence as GrandpaEquivocationOffence,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#[derive(Debug, Encode, Decode, TypeInfo, PartialEq, Eq, Clone)]
|
|
|
|
|
pub struct MembershipProof<T: pallet::Config>(pub Public, pub PhantomData<T>);
|
|
|
|
|
impl<T: pallet::Config> GetSessionNumber for MembershipProof<T> {
|
|
|
|
|
fn session(&self) -> u32 {
|
|
|
|
|
let current = Pallet::<T>::session(NetworkId::Serai).unwrap().0;
|
|
|
|
|
if Babe::<T>::is_member(&BabeAuthorityId::from(self.0)) {
|
|
|
|
|
current
|
|
|
|
|
} else {
|
|
|
|
|
// if it isn't in the current session, it should have been in the previous one.
|
|
|
|
|
current - 1
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
impl<T: pallet::Config> GetValidatorCount for MembershipProof<T> {
|
|
|
|
|
// We only implement and this interface to satisfy trait requirements
|
|
|
|
|
// Although this might return the wrong count if the offender was in the previous set, we don't
|
|
|
|
|
// rely on it and Substrate only relies on it to offer economic calculations we also don't rely
|
|
|
|
|
// on
|
|
|
|
|
fn validator_count(&self) -> u32 {
|
2023-12-16 20:54:24 -05:00
|
|
|
u32::try_from(Babe::<T>::authorities().len()).unwrap()
|
2023-12-17 01:44:08 +03:00
|
|
|
}
|
|
|
|
|
}
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
2023-12-17 01:44:08 +03:00
|
|
|
|
2025-09-03 06:10:54 -04:00
|
|
|
#[expect(clippy::ignored_unit_patterns, clippy::cast_possible_truncation)]
|
2023-01-04 22:52:41 -05:00
|
|
|
#[frame_support::pallet]
|
2025-08-26 14:32:55 -04:00
|
|
|
mod pallet {
|
|
|
|
|
use sp_core::sr25519::Public;
|
|
|
|
|
|
|
|
|
|
use frame_system::pallet_prelude::*;
|
|
|
|
|
use frame_support::pallet_prelude::*;
|
|
|
|
|
|
|
|
|
|
use serai_primitives::{
|
2025-09-02 10:40:57 -04:00
|
|
|
crypto::KeyPair, network_id::*, coin::*, balance::*, validator_sets::*, address::SeraiAddress,
|
2025-08-26 14:32:55 -04:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
use coins_pallet::Pallet as Coins;
|
|
|
|
|
|
2023-11-22 14:22:46 +03:00
|
|
|
use super::*;
|
|
|
|
|
|
2023-01-04 22:52:41 -05:00
|
|
|
#[pallet::config]
|
2025-09-02 10:40:57 -04:00
|
|
|
pub trait Config: frame_system::Config + coins_pallet::Config {
|
2023-01-04 22:52:41 -05:00
|
|
|
type RuntimeEvent: IsType<<Self as frame_system::Config>::RuntimeEvent> + From<Event<Self>>;
|
2023-11-22 14:22:46 +03:00
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
// type ShouldEndSession: ShouldEndSession<BlockNumberFor<Self>>;
|
2023-01-04 22:52:41 -05:00
|
|
|
}
|
|
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
/* TODO
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
#[derive(Clone, PartialEq, Eq, Debug, Encode, Decode, serde::Serialize, serde::Deserialize)]
|
|
|
|
|
pub struct AllEmbeddedEllipticCurveKeysAtGenesis {
|
|
|
|
|
pub embedwards25519: BoundedVec<u8, ConstU32<{ MAX_KEY_LEN }>>,
|
|
|
|
|
pub secq256k1: BoundedVec<u8, ConstU32<{ MAX_KEY_LEN }>>,
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-04 22:52:41 -05:00
|
|
|
#[pallet::genesis_config]
|
2023-01-20 11:00:18 -05:00
|
|
|
#[derive(Clone, PartialEq, Eq, Debug, Encode, Decode)]
|
2023-01-04 22:52:41 -05:00
|
|
|
pub struct GenesisConfig<T: Config> {
|
2023-10-13 00:04:28 -04:00
|
|
|
/// Networks to spawn Serai with, and the stake requirement per key share.
|
2023-10-10 13:53:24 +03:00
|
|
|
///
|
|
|
|
|
/// Every participant at genesis will automatically be assumed to have this much stake.
|
|
|
|
|
/// This stake cannot be withdrawn however as there's no actual stake behind it.
|
2023-10-13 00:04:28 -04:00
|
|
|
pub networks: Vec<(NetworkId, Amount)>,
|
2023-03-25 01:30:53 -04:00
|
|
|
/// List of participants to place in the initial validator sets.
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
pub participants: Vec<(T::AccountId, AllEmbeddedEllipticCurveKeysAtGenesis)>,
|
2023-01-04 22:52:41 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<T: Config> Default for GenesisConfig<T> {
|
|
|
|
|
fn default() -> Self {
|
2023-10-13 00:12:10 -04:00
|
|
|
GenesisConfig { networks: Default::default(), participants: Default::default() }
|
2023-01-04 22:52:41 -05:00
|
|
|
}
|
|
|
|
|
}
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
2023-01-04 22:52:41 -05:00
|
|
|
|
|
|
|
|
#[pallet::pallet]
|
|
|
|
|
pub struct Pallet<T>(PhantomData<T>);
|
|
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
/*
|
2023-10-12 22:44:10 -04:00
|
|
|
/// The allocation required per key share.
|
2023-10-10 13:53:24 +03:00
|
|
|
// Uses Identity for the lookup to avoid a hash of a severely limited fixed key-space.
|
|
|
|
|
#[pallet::storage]
|
2023-10-12 22:44:10 -04:00
|
|
|
#[pallet::getter(fn allocation_per_key_share)]
|
|
|
|
|
pub type AllocationPerKeyShare<T: Config> =
|
|
|
|
|
StorageMap<_, Identity, NetworkId, Amount, OptionQuery>;
|
2024-06-24 14:41:25 +03:00
|
|
|
/// The validators selected to be in-set (and their key shares), regardless of if removed.
|
|
|
|
|
///
|
|
|
|
|
/// This method allows iterating over all validators and their stake.
|
2023-10-10 13:53:24 +03:00
|
|
|
#[pallet::storage]
|
2023-12-22 21:09:18 -05:00
|
|
|
#[pallet::getter(fn participants_for_latest_decided_set)]
|
2023-12-04 07:04:44 -05:00
|
|
|
pub(crate) type Participants<T: Config> = StorageMap<
|
2023-10-10 13:53:24 +03:00
|
|
|
_,
|
|
|
|
|
Identity,
|
|
|
|
|
NetworkId,
|
2025-01-14 07:51:39 -05:00
|
|
|
BoundedVec<(Public, u64), ConstU32<{ MAX_KEY_SHARES_PER_SET_U32 }>>,
|
2023-12-04 07:04:44 -05:00
|
|
|
OptionQuery,
|
2023-10-10 13:53:24 +03:00
|
|
|
>;
|
2024-06-24 14:41:25 +03:00
|
|
|
/// The validators selected to be in-set, regardless of if removed.
|
|
|
|
|
///
|
|
|
|
|
/// This method allows quickly checking for presence in-set and looking up a validator's key
|
|
|
|
|
/// shares.
|
2023-12-06 05:39:00 -05:00
|
|
|
// Uses Identity for NetworkId to avoid a hash of a severely limited fixed key-space.
|
2023-10-10 13:53:24 +03:00
|
|
|
#[pallet::storage]
|
2023-12-04 07:04:44 -05:00
|
|
|
pub(crate) type InSet<T: Config> =
|
2023-12-06 05:39:00 -05:00
|
|
|
StorageDoubleMap<_, Identity, NetworkId, Blake2_128Concat, Public, u64, OptionQuery>;
|
2023-10-21 20:06:53 -04:00
|
|
|
}
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
2023-10-10 13:53:24 +03:00
|
|
|
|
2025-09-02 10:40:57 -04:00
|
|
|
struct Abstractions<T: Config>(PhantomData<T>);
|
|
|
|
|
|
|
|
|
|
// Satisfy the `EmbeddedEllipticCurveKeys` abstraction
|
|
|
|
|
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
#[pallet::storage]
|
2025-09-02 10:40:57 -04:00
|
|
|
type EmbeddedEllipticCurveKeys<T: Config> = StorageDoubleMap<
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
_,
|
|
|
|
|
Identity,
|
2025-08-26 14:32:55 -04:00
|
|
|
ExternalNetworkId,
|
2025-09-02 10:40:57 -04:00
|
|
|
Blake2_128Concat,
|
|
|
|
|
Public,
|
2025-08-26 14:32:55 -04:00
|
|
|
serai_primitives::crypto::EmbeddedEllipticCurveKeys,
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
OptionQuery,
|
|
|
|
|
>;
|
|
|
|
|
|
2025-09-02 10:40:57 -04:00
|
|
|
impl<T: Config> EmbeddedEllipticCurveKeysStorage for Abstractions<T> {
|
|
|
|
|
type EmbeddedEllipticCurveKeys = EmbeddedEllipticCurveKeys<T>;
|
|
|
|
|
}
|
2023-10-10 16:50:48 -04:00
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
// Satisfy the `Allocations` abstraction
|
2023-10-10 16:50:48 -04:00
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
#[pallet::storage]
|
|
|
|
|
type Allocations<T: Config> =
|
|
|
|
|
StorageMap<_, Blake2_128Concat, AllocationsKey, Amount, OptionQuery>;
|
|
|
|
|
// This has to use `Identity` per the documentation of `AllocationsStorage`
|
2023-10-10 13:53:24 +03:00
|
|
|
#[pallet::storage]
|
|
|
|
|
type SortedAllocations<T: Config> =
|
2025-08-26 14:32:55 -04:00
|
|
|
StorageMap<_, Identity, SortedAllocationsKey, (), OptionQuery>;
|
2023-01-04 22:52:41 -05:00
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
impl<T: Config> AllocationsStorage for Abstractions<T> {
|
|
|
|
|
type Allocations = Allocations<T>;
|
|
|
|
|
type SortedAllocations = SortedAllocations<T>;
|
2023-10-12 23:05:29 -04:00
|
|
|
}
|
2024-08-15 06:12:04 +03:00
|
|
|
|
2025-09-02 10:40:57 -04:00
|
|
|
// Satisfy the `Sessions` abstraction
|
2023-10-12 23:05:29 -04:00
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
// We use `Identity` as the hasher for `NetworkId` due to how constrained it is
|
2023-10-11 23:42:15 -04:00
|
|
|
#[pallet::storage]
|
2025-08-26 14:32:55 -04:00
|
|
|
type GenesisValidators<T: Config> = StorageValue<_, GenesisValidatorsContainer, OptionQuery>;
|
|
|
|
|
#[pallet::storage]
|
|
|
|
|
type AllocationPerKeyShare<T: Config> = StorageMap<_, Identity, NetworkId, Amount, OptionQuery>;
|
|
|
|
|
#[pallet::storage]
|
|
|
|
|
type CurrentSession<T: Config> = StorageMap<_, Identity, NetworkId, Session, OptionQuery>;
|
|
|
|
|
#[pallet::storage]
|
|
|
|
|
type LatestDecidedSession<T: Config> = StorageMap<_, Identity, NetworkId, Session, OptionQuery>;
|
|
|
|
|
// This has to use `Identity` per the documentation of `SessionsStorage`
|
|
|
|
|
#[pallet::storage]
|
|
|
|
|
type SelectedValidators<T: Config> =
|
|
|
|
|
StorageMap<_, Identity, SelectedValidatorsKey, u64, OptionQuery>;
|
|
|
|
|
#[pallet::storage]
|
|
|
|
|
type TotalAllocatedStake<T: Config> = StorageMap<_, Identity, NetworkId, Amount, OptionQuery>;
|
|
|
|
|
#[pallet::storage]
|
|
|
|
|
type DelayedDeallocations<T: Config> =
|
|
|
|
|
StorageDoubleMap<_, Blake2_128Concat, Public, Identity, Session, Amount, OptionQuery>;
|
|
|
|
|
|
|
|
|
|
impl<T: Config> SessionsStorage for Abstractions<T> {
|
|
|
|
|
type GenesisValidators = GenesisValidators<T>;
|
|
|
|
|
type AllocationPerKeyShare = AllocationPerKeyShare<T>;
|
|
|
|
|
type CurrentSession = CurrentSession<T>;
|
|
|
|
|
type LatestDecidedSession = LatestDecidedSession<T>;
|
|
|
|
|
type SelectedValidators = SelectedValidators<T>;
|
|
|
|
|
type TotalAllocatedStake = TotalAllocatedStake<T>;
|
|
|
|
|
type DelayedDeallocations = DelayedDeallocations<T>;
|
|
|
|
|
}
|
2023-10-11 23:42:15 -04:00
|
|
|
|
2025-09-02 11:07:45 -04:00
|
|
|
#[pallet::event]
|
|
|
|
|
#[pallet::generate_deposit(pub(super) fn deposit_event)]
|
|
|
|
|
pub enum Event<T: Config> {}
|
|
|
|
|
|
|
|
|
|
/*
|
2023-10-10 13:53:24 +03:00
|
|
|
/// The generated key pair for a given validator set instance.
|
2023-01-04 22:52:41 -05:00
|
|
|
#[pallet::storage]
|
2023-03-30 20:24:11 -04:00
|
|
|
#[pallet::getter(fn keys)]
|
2024-10-07 05:16:11 +03:00
|
|
|
pub type Keys<T: Config> =
|
|
|
|
|
StorageMap<_, Twox64Concat, ExternalValidatorSet, KeyPair, OptionQuery>;
|
2023-01-04 22:52:41 -05:00
|
|
|
|
2024-01-29 03:48:53 -05:00
|
|
|
/// The key for validator sets which can (and still need to) publish their slash reports.
|
|
|
|
|
#[pallet::storage]
|
2024-10-07 05:16:11 +03:00
|
|
|
pub type PendingSlashReport<T: Config> =
|
|
|
|
|
StorageMap<_, Identity, ExternalNetworkId, Public, OptionQuery>;
|
2024-01-29 03:48:53 -05:00
|
|
|
|
2023-12-17 01:44:08 +03:00
|
|
|
/// Disabled validators.
|
|
|
|
|
#[pallet::storage]
|
|
|
|
|
pub type SeraiDisabledIndices<T: Config> = StorageMap<_, Identity, u32, Public, OptionQuery>;
|
|
|
|
|
|
2023-04-15 00:40:33 -04:00
|
|
|
#[pallet::event]
|
|
|
|
|
#[pallet::generate_deposit(pub(super) fn deposit_event)]
|
|
|
|
|
pub enum Event<T: Config> {
|
2023-10-22 03:28:42 -04:00
|
|
|
NewSet {
|
|
|
|
|
set: ValidatorSet,
|
|
|
|
|
},
|
2023-12-04 07:04:44 -05:00
|
|
|
ParticipantRemoved {
|
|
|
|
|
set: ValidatorSet,
|
|
|
|
|
removed: T::AccountId,
|
|
|
|
|
},
|
2023-10-22 03:28:42 -04:00
|
|
|
KeyGen {
|
2024-10-07 05:16:11 +03:00
|
|
|
set: ExternalValidatorSet,
|
2023-10-22 03:28:42 -04:00
|
|
|
key_pair: KeyPair,
|
|
|
|
|
},
|
2024-01-29 03:48:53 -05:00
|
|
|
AcceptedHandover {
|
|
|
|
|
set: ValidatorSet,
|
|
|
|
|
},
|
|
|
|
|
SetRetired {
|
|
|
|
|
set: ValidatorSet,
|
|
|
|
|
},
|
2023-10-22 03:28:42 -04:00
|
|
|
AllocationIncreased {
|
|
|
|
|
validator: T::AccountId,
|
|
|
|
|
network: NetworkId,
|
|
|
|
|
amount: Amount,
|
|
|
|
|
},
|
|
|
|
|
AllocationDecreased {
|
|
|
|
|
validator: T::AccountId,
|
|
|
|
|
network: NetworkId,
|
|
|
|
|
amount: Amount,
|
|
|
|
|
delayed_until: Option<Session>,
|
|
|
|
|
},
|
2023-10-22 03:59:21 -04:00
|
|
|
DeallocationClaimed {
|
|
|
|
|
validator: T::AccountId,
|
|
|
|
|
network: NetworkId,
|
|
|
|
|
session: Session,
|
|
|
|
|
},
|
2023-04-15 00:40:33 -04:00
|
|
|
}
|
|
|
|
|
|
2023-10-10 13:53:24 +03:00
|
|
|
impl<T: Config> Pallet<T> {
|
|
|
|
|
fn new_set(network: NetworkId) {
|
2025-08-26 14:32:55 -04:00
|
|
|
// TODO
|
|
|
|
|
let include_genesis_validators = true;
|
2023-12-05 16:52:50 +03:00
|
|
|
// TODO: prevent new set if it doesn't have enough stake for economic security.
|
2025-08-26 14:32:55 -04:00
|
|
|
Abstractions::<T>::attempt_new_session(network, include_genesis_validators)
|
2023-12-05 16:52:50 +03:00
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
/* TODO
|
2023-10-10 13:53:24 +03:00
|
|
|
let set = ValidatorSet { network, session };
|
|
|
|
|
Pallet::<T>::deposit_event(Event::NewSet { set });
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
2023-01-04 22:52:41 -05:00
|
|
|
}
|
|
|
|
|
}
|
2025-09-02 11:07:45 -04:00
|
|
|
*/
|
2023-01-04 22:52:41 -05:00
|
|
|
|
|
|
|
|
#[pallet::error]
|
|
|
|
|
pub enum Error<T> {
|
2025-09-02 11:07:45 -04:00
|
|
|
/// The provided embedded elliptic curve keys were invalid.
|
|
|
|
|
InvalidEmbeddedEllipticCurveKeys,
|
|
|
|
|
/// Allocation was erroneous.
|
|
|
|
|
AllocationError(AllocationError),
|
|
|
|
|
/// Deallocation was erroneous.
|
|
|
|
|
DeallocationError(DeallocationError),
|
2023-10-10 13:53:24 +03:00
|
|
|
}
|
|
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
/* TODO
|
2023-11-22 14:22:46 +03:00
|
|
|
#[pallet::hooks]
|
|
|
|
|
impl<T: Config> Hooks<BlockNumberFor<T>> for Pallet<T> {
|
|
|
|
|
fn on_initialize(n: BlockNumberFor<T>) -> Weight {
|
|
|
|
|
if T::ShouldEndSession::should_end_session(n) {
|
|
|
|
|
Self::rotate_session();
|
|
|
|
|
// TODO: set the proper weights
|
|
|
|
|
T::BlockWeights::get().max_block
|
|
|
|
|
} else {
|
|
|
|
|
Weight::zero()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-10 13:53:24 +03:00
|
|
|
#[pallet::genesis_build]
|
|
|
|
|
impl<T: Config> BuildGenesisConfig for GenesisConfig<T> {
|
|
|
|
|
fn build(&self) {
|
2023-10-13 00:04:28 -04:00
|
|
|
for (id, stake) in self.networks.clone() {
|
|
|
|
|
AllocationPerKeyShare::<T>::set(id, Some(stake));
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
for participant in &self.participants {
|
2025-08-26 14:32:55 -04:00
|
|
|
if Abstractions::<T>::set_allocation(id, participant.0, stake) {
|
2023-10-16 01:47:15 -04:00
|
|
|
panic!("participants contained duplicates");
|
|
|
|
|
}
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
EmbeddedEllipticCurveKeys::<T>::set(
|
|
|
|
|
participant.0,
|
|
|
|
|
EmbeddedEllipticCurve::Embedwards25519,
|
|
|
|
|
Some(participant.1.embedwards25519.clone()),
|
|
|
|
|
);
|
|
|
|
|
EmbeddedEllipticCurveKeys::<T>::set(
|
|
|
|
|
participant.0,
|
|
|
|
|
EmbeddedEllipticCurve::Secq256k1,
|
|
|
|
|
Some(participant.1.secq256k1.clone()),
|
|
|
|
|
);
|
2023-10-10 13:53:24 +03:00
|
|
|
}
|
|
|
|
|
Pallet::<T>::new_set(id);
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-05-13 02:02:47 -04:00
|
|
|
}
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
2023-05-13 02:02:47 -04:00
|
|
|
|
2023-01-04 22:52:41 -05:00
|
|
|
impl<T: Config> Pallet<T> {
|
2023-10-22 03:59:21 -04:00
|
|
|
fn account() -> T::AccountId {
|
2025-08-26 14:32:55 -04:00
|
|
|
SeraiAddress::system(b"ValidatorSets").into()
|
2023-05-13 02:02:47 -04:00
|
|
|
}
|
2023-01-04 22:52:41 -05:00
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
/*
|
Support multiple key shares per validator (#416)
* Update the coordinator to give key shares based on weight, not based on existence
Participants are now identified by their starting index. While this compiles,
the following is unimplemented:
1) A conversion for DKG `i` values. It assumes the threshold `i` values used
will be identical for the MuSig signature used to confirm the DKG.
2) Expansion from compressed values to full values before forwarding to the
processor.
* Add a fn to the DkgConfirmer to convert `i` values as needed
Also removes TODOs regarding Serai ensuring validator key uniqueness +
validity. The current infra achieves both.
* Have the Tributary DB track participation by shares, not by count
* Prevent a node from obtaining 34% of the maximum amount of key shares
This is actually mainly intended to set a bound on message sizes in the
coordinator. Message sizes are amplified by the amount of key shares held, so
setting an upper bound on said amount lets it determine constants. While that
upper bound could be 150, that'd be unreasonable and increase the potential for
DoS attacks.
* Correct the mechanism to detect if sufficient accumulation has occured
It used to check if the latest accumulation hit the required threshold. Now,
accumulations may jump past the required threshold. The required mechanism is
to check the threshold wasn't prior met and is now met.
* Finish updating the coordinator to handle a multiple key share per validator environment
* Adjust stategy re: preventing noce reuse in DKG Confirmer
* Add TODOs regarding dropped transactions, add possible TODO fix
* Update tests/coordinator
This doesn't add new multi-key-share tests, it solely updates the existing
single key-share tests to compile and run, with the necessary fixes to the
coordinator.
* Update processor key_gen to handle generating multiple key shares at once
* Update SubstrateSigner
* Update signer, clippy
* Update processor tests
* Update processor docker tests
2023-11-04 19:26:13 -04:00
|
|
|
// is_bft returns if the network is able to survive any single node becoming byzantine.
|
2023-10-22 03:59:21 -04:00
|
|
|
fn is_bft(network: NetworkId) -> bool {
|
|
|
|
|
let allocation_per_key_share = AllocationPerKeyShare::<T>::get(network).unwrap().0;
|
2023-05-13 02:02:47 -04:00
|
|
|
|
2023-10-22 03:59:21 -04:00
|
|
|
let mut validators_len = 0;
|
|
|
|
|
let mut top = None;
|
|
|
|
|
let mut key_shares = 0;
|
2025-08-26 14:32:55 -04:00
|
|
|
for (_, amount) in Abstractions::<T>::iter_allocations(network, allocation_per_key_share) {
|
2023-10-22 03:59:21 -04:00
|
|
|
validators_len += 1;
|
2023-05-13 02:02:47 -04:00
|
|
|
|
2023-10-22 03:59:21 -04:00
|
|
|
key_shares += amount.0 / allocation_per_key_share;
|
|
|
|
|
if top.is_none() {
|
|
|
|
|
top = Some(key_shares);
|
|
|
|
|
}
|
2023-05-13 02:02:47 -04:00
|
|
|
|
2025-01-14 07:51:39 -05:00
|
|
|
if key_shares > u64::from(MAX_KEY_SHARES_PER_SET_U32) {
|
2023-10-22 03:59:21 -04:00
|
|
|
break;
|
|
|
|
|
}
|
2023-01-04 22:52:41 -05:00
|
|
|
}
|
|
|
|
|
|
2023-10-22 03:59:21 -04:00
|
|
|
let Some(top) = top else { return false };
|
2023-10-13 00:31:23 -04:00
|
|
|
|
2024-04-12 20:38:27 -04:00
|
|
|
// key_shares may be over MAX_KEY_SHARES_PER_SET, which will cause a round robin reduction of
|
2023-10-22 03:59:21 -04:00
|
|
|
// each validator's key shares until their sum is MAX_KEY_SHARES_PER_SET
|
|
|
|
|
// post_amortization_key_shares_for_top_validator yields what the top validator's key shares
|
|
|
|
|
// would be after such a reduction, letting us evaluate this correctly
|
|
|
|
|
let top = post_amortization_key_shares_for_top_validator(validators_len, top, key_shares);
|
2025-01-14 07:51:39 -05:00
|
|
|
(top * 3) < key_shares.min(MAX_KEY_SHARES_PER_SET_U32.into())
|
2023-10-13 00:31:23 -04:00
|
|
|
}
|
2023-01-04 22:52:41 -05:00
|
|
|
|
2023-10-22 03:59:21 -04:00
|
|
|
fn increase_allocation(
|
2023-10-10 13:53:24 +03:00
|
|
|
network: NetworkId,
|
|
|
|
|
account: T::AccountId,
|
|
|
|
|
amount: Amount,
|
2024-08-15 06:12:04 +03:00
|
|
|
block_reward: bool,
|
2023-10-12 23:47:00 -04:00
|
|
|
) -> DispatchResult {
|
2025-08-26 14:32:55 -04:00
|
|
|
/* TODO
|
Support multiple key shares per validator (#416)
* Update the coordinator to give key shares based on weight, not based on existence
Participants are now identified by their starting index. While this compiles,
the following is unimplemented:
1) A conversion for DKG `i` values. It assumes the threshold `i` values used
will be identical for the MuSig signature used to confirm the DKG.
2) Expansion from compressed values to full values before forwarding to the
processor.
* Add a fn to the DkgConfirmer to convert `i` values as needed
Also removes TODOs regarding Serai ensuring validator key uniqueness +
validity. The current infra achieves both.
* Have the Tributary DB track participation by shares, not by count
* Prevent a node from obtaining 34% of the maximum amount of key shares
This is actually mainly intended to set a bound on message sizes in the
coordinator. Message sizes are amplified by the amount of key shares held, so
setting an upper bound on said amount lets it determine constants. While that
upper bound could be 150, that'd be unreasonable and increase the potential for
DoS attacks.
* Correct the mechanism to detect if sufficient accumulation has occured
It used to check if the latest accumulation hit the required threshold. Now,
accumulations may jump past the required threshold. The required mechanism is
to check the threshold wasn't prior met and is now met.
* Finish updating the coordinator to handle a multiple key share per validator environment
* Adjust stategy re: preventing noce reuse in DKG Confirmer
* Add TODOs regarding dropped transactions, add possible TODO fix
* Update tests/coordinator
This doesn't add new multi-key-share tests, it solely updates the existing
single key-share tests to compile and run, with the necessary fixes to the
coordinator.
* Update processor key_gen to handle generating multiple key shares at once
* Update SubstrateSigner
* Update signer, clippy
* Update processor tests
* Update processor docker tests
2023-11-04 19:26:13 -04:00
|
|
|
// The above is_bft calls are only used to check a BFT net doesn't become non-BFT
|
|
|
|
|
// Check here if this call would prevent a non-BFT net from *ever* becoming BFT
|
2025-01-14 07:51:39 -05:00
|
|
|
if (new_allocation / allocation_per_key_share) >= (MAX_KEY_SHARES_PER_SET_U32 / 3).into() {
|
Support multiple key shares per validator (#416)
* Update the coordinator to give key shares based on weight, not based on existence
Participants are now identified by their starting index. While this compiles,
the following is unimplemented:
1) A conversion for DKG `i` values. It assumes the threshold `i` values used
will be identical for the MuSig signature used to confirm the DKG.
2) Expansion from compressed values to full values before forwarding to the
processor.
* Add a fn to the DkgConfirmer to convert `i` values as needed
Also removes TODOs regarding Serai ensuring validator key uniqueness +
validity. The current infra achieves both.
* Have the Tributary DB track participation by shares, not by count
* Prevent a node from obtaining 34% of the maximum amount of key shares
This is actually mainly intended to set a bound on message sizes in the
coordinator. Message sizes are amplified by the amount of key shares held, so
setting an upper bound on said amount lets it determine constants. While that
upper bound could be 150, that'd be unreasonable and increase the potential for
DoS attacks.
* Correct the mechanism to detect if sufficient accumulation has occured
It used to check if the latest accumulation hit the required threshold. Now,
accumulations may jump past the required threshold. The required mechanism is
to check the threshold wasn't prior met and is now met.
* Finish updating the coordinator to handle a multiple key share per validator environment
* Adjust stategy re: preventing noce reuse in DKG Confirmer
* Add TODOs regarding dropped transactions, add possible TODO fix
* Update tests/coordinator
This doesn't add new multi-key-share tests, it solely updates the existing
single key-share tests to compile and run, with the necessary fixes to the
coordinator.
* Update processor key_gen to handle generating multiple key shares at once
* Update SubstrateSigner
* Update signer, clippy
* Update processor tests
* Update processor docker tests
2023-11-04 19:26:13 -04:00
|
|
|
Err(Error::<T>::AllocationWouldPreventFaultTolerance)?;
|
|
|
|
|
}
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
|
|
|
|
Abstractions::<T>::increase_allocation(network, account, amount, block_reward)
|
2023-10-10 13:53:24 +03:00
|
|
|
}
|
|
|
|
|
|
2023-12-17 01:44:08 +03:00
|
|
|
fn session_to_unlock_on_for_current_set(network: NetworkId) -> Option<Session> {
|
|
|
|
|
let mut to_unlock_on = Self::session(network)?;
|
|
|
|
|
// Move to the next session, as deallocating currently in-use stake is obviously invalid
|
|
|
|
|
to_unlock_on.0 += 1;
|
|
|
|
|
if network == NetworkId::Serai {
|
|
|
|
|
// Since the next Serai set will already have been decided, we can only deallocate one
|
|
|
|
|
// session later
|
|
|
|
|
to_unlock_on.0 += 1;
|
|
|
|
|
}
|
|
|
|
|
// Increase the session by one, creating a cooldown period
|
|
|
|
|
to_unlock_on.0 += 1;
|
|
|
|
|
Some(to_unlock_on)
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-10 13:53:24 +03:00
|
|
|
/// Decreases a validator's allocation to a set.
|
|
|
|
|
///
|
|
|
|
|
/// Errors if the capacity provided by this allocation is in use.
|
|
|
|
|
///
|
2023-10-12 00:51:18 -04:00
|
|
|
/// Errors if a partial decrease of allocation which puts the remaining allocation below the
|
|
|
|
|
/// minimum requirement.
|
2023-10-10 13:53:24 +03:00
|
|
|
///
|
|
|
|
|
/// The capacity prior provided by the allocation is immediately removed, in order to ensure it
|
|
|
|
|
/// doesn't become used (preventing deallocation).
|
2023-10-12 00:51:18 -04:00
|
|
|
///
|
|
|
|
|
/// Returns if the amount is immediately eligible for deallocation.
|
2023-10-22 03:59:21 -04:00
|
|
|
fn decrease_allocation(
|
2023-10-10 13:53:24 +03:00
|
|
|
network: NetworkId,
|
|
|
|
|
account: T::AccountId,
|
|
|
|
|
amount: Amount,
|
2023-10-12 23:47:00 -04:00
|
|
|
) -> Result<bool, DispatchError> {
|
2025-08-26 14:32:55 -04:00
|
|
|
/* TODO
|
2023-12-05 16:52:50 +03:00
|
|
|
// Check it's safe to decrease this set's stake by this amount
|
2024-10-07 05:16:11 +03:00
|
|
|
if let NetworkId::External(n) = network {
|
|
|
|
|
let new_total_staked = Self::total_allocated_stake(NetworkId::from(n))
|
|
|
|
|
.unwrap()
|
|
|
|
|
.0
|
|
|
|
|
.checked_sub(amount.0)
|
|
|
|
|
.ok_or(Error::<T>::NotEnoughAllocated)?;
|
|
|
|
|
let required_stake = Self::required_stake_for_network(n);
|
|
|
|
|
if new_total_staked < required_stake {
|
|
|
|
|
Err(Error::<T>::DeallocationWouldRemoveEconomicSecurity)?;
|
|
|
|
|
}
|
2023-12-05 16:52:50 +03:00
|
|
|
}
|
2023-10-10 13:53:24 +03:00
|
|
|
|
2023-10-12 23:47:00 -04:00
|
|
|
let decreased_key_shares =
|
|
|
|
|
(old_allocation / allocation_per_key_share) > (new_allocation / allocation_per_key_share);
|
2023-10-12 23:05:29 -04:00
|
|
|
|
|
|
|
|
// If this decreases the validator's key shares, error if the new set is unable to handle
|
|
|
|
|
// byzantine faults
|
2023-10-12 23:47:00 -04:00
|
|
|
let mut was_bft = None;
|
|
|
|
|
if decreased_key_shares {
|
|
|
|
|
was_bft = Some(Self::is_bft(network));
|
2023-10-12 23:05:29 -04:00
|
|
|
}
|
2023-10-10 13:53:24 +03:00
|
|
|
|
2023-10-12 23:47:00 -04:00
|
|
|
if let Some(was_bft) = was_bft {
|
|
|
|
|
if was_bft && (!Self::is_bft(network)) {
|
|
|
|
|
Err(Error::<T>::DeallocationWouldRemoveFaultTolerance)?;
|
|
|
|
|
}
|
|
|
|
|
}
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
2023-10-12 23:47:00 -04:00
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
Sessions::<T>::decrease_allocation(network, account, amount)
|
2023-10-10 13:53:24 +03:00
|
|
|
}
|
|
|
|
|
|
2023-10-11 23:42:15 -04:00
|
|
|
// Checks if this session has completed the handover from the prior session.
|
|
|
|
|
fn handover_completed(network: NetworkId, session: Session) -> bool {
|
2023-10-21 20:06:53 -04:00
|
|
|
let Some(current_session) = Self::session(network) else { return false };
|
2024-06-21 15:39:17 +03:00
|
|
|
|
|
|
|
|
// If the session we've been queried about is old, it must have completed its handover
|
|
|
|
|
if current_session.0 > session.0 {
|
2023-10-11 23:42:15 -04:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
// If the session we've been queried about has yet to start, it can't have completed its
|
|
|
|
|
// handover
|
|
|
|
|
if current_session.0 < session.0 {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2024-06-21 15:39:17 +03:00
|
|
|
|
2024-10-07 05:16:11 +03:00
|
|
|
let NetworkId::External(n) = network else {
|
|
|
|
|
// Handover is automatically complete for Serai as it doesn't have a handover protocol
|
2024-06-21 15:39:17 +03:00
|
|
|
return true;
|
2024-10-07 05:16:11 +03:00
|
|
|
};
|
2024-06-21 15:39:17 +03:00
|
|
|
|
|
|
|
|
// The current session must have set keys for its handover to be completed
|
2024-10-07 05:16:11 +03:00
|
|
|
if !Keys::<T>::contains_key(ExternalValidatorSet { network: n, session }) {
|
2024-06-21 15:39:17 +03:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// This must be the first session (which has set keys) OR the prior session must have been
|
|
|
|
|
// retired (signified by its keys no longer being present)
|
|
|
|
|
(session.0 == 0) ||
|
2024-10-07 05:16:11 +03:00
|
|
|
(!Keys::<T>::contains_key(ExternalValidatorSet {
|
|
|
|
|
network: n,
|
|
|
|
|
session: Session(session.0 - 1),
|
|
|
|
|
}))
|
2023-10-11 23:42:15 -04:00
|
|
|
}
|
|
|
|
|
|
2023-10-22 03:59:21 -04:00
|
|
|
fn new_session() {
|
2023-10-12 23:59:21 -04:00
|
|
|
for network in serai_primitives::NETWORKS {
|
2023-10-21 20:06:53 -04:00
|
|
|
// If this network hasn't started sessions yet, don't start one now
|
|
|
|
|
let Some(current_session) = Self::session(network) else { continue };
|
2023-11-22 14:22:46 +03:00
|
|
|
// Only spawn a new set if:
|
|
|
|
|
// - This is Serai, as we need to rotate Serai upon a new session (per Babe)
|
|
|
|
|
// - The current set was actually established with a completed handover protocol
|
|
|
|
|
if (network == NetworkId::Serai) || Self::handover_completed(network, current_session) {
|
2023-10-10 13:53:24 +03:00
|
|
|
Pallet::<T>::new_set(network);
|
2023-12-05 16:52:50 +03:00
|
|
|
// let the Dex know session is rotated.
|
|
|
|
|
Dex::<T>::on_new_session(network);
|
2023-10-10 13:53:24 +03:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-21 15:39:17 +03:00
|
|
|
// TODO: This is called retire_set, yet just starts retiring the set
|
|
|
|
|
// Update the nomenclature within this function
|
2023-10-14 16:47:25 -04:00
|
|
|
pub fn retire_set(set: ValidatorSet) {
|
2024-06-24 14:41:25 +03:00
|
|
|
// Serai doesn't set keys and network slashes are handled by BABE/GRANDPA
|
2024-10-07 05:16:11 +03:00
|
|
|
if let NetworkId::External(n) = set.network {
|
|
|
|
|
// If the prior prior set didn't report, emit they're retired now
|
|
|
|
|
if PendingSlashReport::<T>::get(n).is_some() {
|
|
|
|
|
Self::deposit_event(Event::SetRetired {
|
|
|
|
|
set: ValidatorSet { network: set.network, session: Session(set.session.0 - 1) },
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-24 22:51:06 +03:00
|
|
|
// This overwrites the prior value as the prior to-report set's stake presumably just
|
|
|
|
|
// unlocked, making their report unenforceable
|
2024-10-07 05:16:11 +03:00
|
|
|
let keys =
|
|
|
|
|
Keys::<T>::take(ExternalValidatorSet { network: n, session: set.session }).unwrap();
|
|
|
|
|
PendingSlashReport::<T>::set(n, Some(keys.0));
|
|
|
|
|
} else {
|
|
|
|
|
// emit the event for serai network
|
|
|
|
|
Self::deposit_event(Event::SetRetired { set });
|
2024-02-24 22:51:06 +03:00
|
|
|
}
|
2024-01-29 03:48:53 -05:00
|
|
|
|
|
|
|
|
// We're retiring this set because the set after it accepted the handover
|
|
|
|
|
Self::deposit_event(Event::AcceptedHandover {
|
|
|
|
|
set: ValidatorSet { network: set.network, session: Session(set.session.0 + 1) },
|
|
|
|
|
});
|
2023-10-10 23:55:59 -04:00
|
|
|
}
|
2023-10-11 23:42:15 -04:00
|
|
|
|
|
|
|
|
/// Take the amount deallocatable.
|
|
|
|
|
///
|
|
|
|
|
/// `session` refers to the Session the stake becomes deallocatable on.
|
2023-10-22 03:59:21 -04:00
|
|
|
fn take_deallocatable_amount(
|
2023-10-11 23:42:15 -04:00
|
|
|
network: NetworkId,
|
|
|
|
|
session: Session,
|
|
|
|
|
key: Public,
|
|
|
|
|
) -> Option<Amount> {
|
|
|
|
|
// Check this Session has properly started, completing the handover from the prior session.
|
|
|
|
|
if !Self::handover_completed(network, session) {
|
|
|
|
|
return None;
|
|
|
|
|
}
|
2023-12-17 01:44:08 +03:00
|
|
|
PendingDeallocations::<T>::take((network, key), session)
|
2023-10-11 23:42:15 -04:00
|
|
|
}
|
2023-11-22 14:22:46 +03:00
|
|
|
|
2025-01-30 12:16:19 +03:00
|
|
|
pub(crate) fn rotate_session() {
|
2023-12-17 01:44:08 +03:00
|
|
|
// next serai validators that is in the queue.
|
|
|
|
|
let now_validators = Participants::<T>::get(NetworkId::Serai)
|
2023-12-04 07:04:44 -05:00
|
|
|
.expect("no Serai participants upon rotate_session");
|
2023-11-22 14:22:46 +03:00
|
|
|
let prior_serai_session = Self::session(NetworkId::Serai).unwrap();
|
|
|
|
|
|
|
|
|
|
// TODO: T::SessionHandler::on_before_session_ending() was here.
|
|
|
|
|
// end the current serai session.
|
|
|
|
|
Self::retire_set(ValidatorSet { network: NetworkId::Serai, session: prior_serai_session });
|
|
|
|
|
|
|
|
|
|
// make a new session and get the next validator set.
|
|
|
|
|
Self::new_session();
|
|
|
|
|
|
|
|
|
|
// Update Babe and Grandpa
|
|
|
|
|
let session = prior_serai_session.0 + 1;
|
2023-12-17 01:44:08 +03:00
|
|
|
let next_validators = Participants::<T>::get(NetworkId::Serai).unwrap();
|
2023-11-22 14:22:46 +03:00
|
|
|
Babe::<T>::enact_epoch_change(
|
|
|
|
|
WeakBoundedVec::force_from(
|
2023-12-17 01:44:08 +03:00
|
|
|
now_validators.iter().copied().map(|(id, w)| (BabeAuthorityId::from(id), w)).collect(),
|
2023-11-22 14:22:46 +03:00
|
|
|
None,
|
|
|
|
|
),
|
|
|
|
|
WeakBoundedVec::force_from(
|
2023-12-16 20:54:24 -05:00
|
|
|
next_validators.iter().copied().map(|(id, w)| (BabeAuthorityId::from(id), w)).collect(),
|
2023-11-22 14:22:46 +03:00
|
|
|
None,
|
|
|
|
|
),
|
|
|
|
|
Some(session),
|
|
|
|
|
);
|
|
|
|
|
Grandpa::<T>::new_session(
|
|
|
|
|
true,
|
|
|
|
|
session,
|
2024-02-24 22:51:06 +03:00
|
|
|
now_validators.into_iter().map(|(id, w)| (GrandpaAuthorityId::from(id), w)).collect(),
|
2023-11-22 14:22:46 +03:00
|
|
|
);
|
2023-12-17 01:44:08 +03:00
|
|
|
|
|
|
|
|
// Clear SeraiDisabledIndices, only preserving keys still present in the new session
|
|
|
|
|
// First drain so we don't mutate as we iterate
|
|
|
|
|
let mut disabled = vec![];
|
|
|
|
|
for (_, validator) in SeraiDisabledIndices::<T>::drain() {
|
|
|
|
|
disabled.push(validator);
|
|
|
|
|
}
|
|
|
|
|
for disabled in disabled {
|
|
|
|
|
Self::disable_serai_validator(disabled);
|
|
|
|
|
}
|
2023-11-22 14:22:46 +03:00
|
|
|
}
|
2023-12-05 16:52:50 +03:00
|
|
|
|
|
|
|
|
/// Returns the required stake in terms SRI for a given `Balance`.
|
2024-10-07 05:16:11 +03:00
|
|
|
pub fn required_stake(balance: &ExternalBalance) -> SubstrateAmount {
|
2023-12-05 16:52:50 +03:00
|
|
|
use dex_pallet::HigherPrecisionBalance;
|
|
|
|
|
|
|
|
|
|
// This is inclusive to an increase in accuracy
|
2024-02-19 20:50:04 -05:00
|
|
|
let sri_per_coin = Dex::<T>::security_oracle_value(balance.coin).unwrap_or(Amount(0));
|
2023-12-05 16:52:50 +03:00
|
|
|
|
|
|
|
|
// See dex-pallet for the reasoning on these
|
|
|
|
|
let coin_decimals = balance.coin.decimals().max(5);
|
|
|
|
|
let accuracy_increase = HigherPrecisionBalance::from(SubstrateAmount::pow(10, coin_decimals));
|
|
|
|
|
|
|
|
|
|
let total_coin_value = u64::try_from(
|
|
|
|
|
HigherPrecisionBalance::from(balance.amount.0) *
|
|
|
|
|
HigherPrecisionBalance::from(sri_per_coin.0) /
|
|
|
|
|
accuracy_increase,
|
|
|
|
|
)
|
|
|
|
|
.unwrap_or(u64::MAX);
|
|
|
|
|
|
|
|
|
|
// required stake formula (COIN_VALUE * 1.5) + margin(20%)
|
|
|
|
|
let required_stake = total_coin_value.saturating_mul(3).saturating_div(2);
|
|
|
|
|
required_stake.saturating_add(total_coin_value.saturating_div(5))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the current total required stake for a given `network`.
|
2024-10-07 05:16:11 +03:00
|
|
|
pub fn required_stake_for_network(network: ExternalNetworkId) -> SubstrateAmount {
|
2023-12-05 16:52:50 +03:00
|
|
|
let mut total_required = 0;
|
|
|
|
|
for coin in network.coins() {
|
2024-10-07 05:16:11 +03:00
|
|
|
let supply = Coins::<T>::supply(Coin::from(coin));
|
|
|
|
|
total_required += Self::required_stake(&ExternalBalance { coin, amount: Amount(supply) });
|
2023-12-05 16:52:50 +03:00
|
|
|
}
|
|
|
|
|
total_required
|
|
|
|
|
}
|
2023-12-17 01:44:08 +03:00
|
|
|
|
2024-08-15 06:12:04 +03:00
|
|
|
pub fn distribute_block_rewards(
|
|
|
|
|
network: NetworkId,
|
|
|
|
|
account: T::AccountId,
|
|
|
|
|
amount: Amount,
|
|
|
|
|
) -> DispatchResult {
|
|
|
|
|
// TODO: Should this call be part of the `increase_allocation` since we have to have it
|
|
|
|
|
// before each call to it?
|
2025-09-03 00:48:15 -04:00
|
|
|
Coins::<T>::transfer_fn(
|
2024-08-15 06:12:04 +03:00
|
|
|
account,
|
|
|
|
|
Self::account(),
|
|
|
|
|
Balance { coin: Coin::Serai, amount },
|
|
|
|
|
)?;
|
|
|
|
|
Self::increase_allocation(network, account, amount, true)
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-17 01:44:08 +03:00
|
|
|
fn can_slash_serai_validator(validator: Public) -> bool {
|
|
|
|
|
// Checks if they're active or actively deallocating (letting us still slash them)
|
|
|
|
|
// We could check if they're upcoming/still allocating, yet that'd mean the equivocation is
|
|
|
|
|
// invalid (as they aren't actively signing anything) or severely dated
|
|
|
|
|
// It's not an edge case worth being comprehensive to due to the complexity of being so
|
|
|
|
|
Babe::<T>::is_member(&BabeAuthorityId::from(validator)) ||
|
|
|
|
|
PendingDeallocations::<T>::iter_prefix((NetworkId::Serai, validator)).next().is_some()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn slash_serai_validator(validator: Public) {
|
|
|
|
|
let network = NetworkId::Serai;
|
|
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
let mut allocation = Abstractions::<T>::get_allocation((network, validator))
|
|
|
|
|
.unwrap_or(Amount(0));
|
2023-12-17 01:44:08 +03:00
|
|
|
// reduce the current allocation to 0.
|
2025-08-26 14:32:55 -04:00
|
|
|
Abstractions::<T>::set_allocation(network, validator, Amount(0));
|
2023-12-17 01:44:08 +03:00
|
|
|
|
|
|
|
|
// Take the pending deallocation from the current session
|
|
|
|
|
allocation.0 += PendingDeallocations::<T>::take(
|
|
|
|
|
(network, validator),
|
|
|
|
|
Self::session_to_unlock_on_for_current_set(network).unwrap(),
|
|
|
|
|
)
|
|
|
|
|
.unwrap_or(Amount(0))
|
|
|
|
|
.0;
|
|
|
|
|
|
|
|
|
|
// Reduce the TotalAllocatedStake for the network, if in set
|
|
|
|
|
// TotalAllocatedStake is the sum of allocations and pending deallocations from the current
|
|
|
|
|
// session, since pending deallocations can still be slashed and therefore still contribute
|
|
|
|
|
// to economic security, hence the allocation calculations above being above and the ones
|
|
|
|
|
// below being below
|
|
|
|
|
if InSet::<T>::contains_key(NetworkId::Serai, validator) {
|
|
|
|
|
let current_staked = Self::total_allocated_stake(network).unwrap();
|
|
|
|
|
TotalAllocatedStake::<T>::set(network, Some(current_staked - allocation));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Clear any other pending deallocations.
|
|
|
|
|
for (_, pending) in PendingDeallocations::<T>::drain_prefix((network, validator)) {
|
|
|
|
|
allocation.0 += pending.0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// burn the allocation from the stake account
|
|
|
|
|
Coins::<T>::burn(
|
|
|
|
|
RawOrigin::Signed(Self::account()).into(),
|
|
|
|
|
Balance { coin: Coin::Serai, amount: allocation },
|
|
|
|
|
)
|
|
|
|
|
.unwrap();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Disable a Serai validator, preventing them from further authoring blocks.
|
|
|
|
|
///
|
|
|
|
|
/// Returns true if the validator-to-disable was actually a validator.
|
|
|
|
|
/// Returns false if they weren't.
|
|
|
|
|
fn disable_serai_validator(validator: Public) -> bool {
|
|
|
|
|
if let Some(index) =
|
|
|
|
|
Babe::<T>::authorities().into_iter().position(|(id, _)| id.into_inner() == validator)
|
|
|
|
|
{
|
|
|
|
|
SeraiDisabledIndices::<T>::set(u32::try_from(index).unwrap(), Some(validator));
|
|
|
|
|
|
|
|
|
|
let session = Self::session(NetworkId::Serai).unwrap();
|
|
|
|
|
Self::deposit_event(Event::ParticipantRemoved {
|
|
|
|
|
set: ValidatorSet { network: NetworkId::Serai, session },
|
|
|
|
|
removed: validator,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
true
|
|
|
|
|
} else {
|
|
|
|
|
false
|
|
|
|
|
}
|
|
|
|
|
}
|
2025-01-30 12:23:03 +03:00
|
|
|
|
|
|
|
|
/// Returns the external network key for a given external network
|
|
|
|
|
pub fn external_network_key(network: ExternalNetworkId) -> Option<Vec<u8>> {
|
|
|
|
|
let current_session = Self::session(NetworkId::from(network))?;
|
|
|
|
|
let keys = Keys::<T>::get(ExternalValidatorSet { network, session: current_session })?;
|
|
|
|
|
|
|
|
|
|
Some(keys.1.into_inner())
|
|
|
|
|
}
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
2023-10-10 13:53:24 +03:00
|
|
|
}
|
2023-10-22 03:59:21 -04:00
|
|
|
|
|
|
|
|
#[pallet::call]
|
|
|
|
|
impl<T: Config> Pallet<T> {
|
2025-08-26 14:32:55 -04:00
|
|
|
/*
|
2023-10-22 03:59:21 -04:00
|
|
|
#[pallet::call_index(0)]
|
|
|
|
|
#[pallet::weight(0)] // TODO
|
|
|
|
|
pub fn set_keys(
|
|
|
|
|
origin: OriginFor<T>,
|
2024-10-07 05:16:11 +03:00
|
|
|
network: ExternalNetworkId,
|
2023-10-22 03:59:21 -04:00
|
|
|
key_pair: KeyPair,
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
signature_participants: bitvec::vec::BitVec<u8, bitvec::order::Lsb0>,
|
2023-10-22 03:59:21 -04:00
|
|
|
signature: Signature,
|
|
|
|
|
) -> DispatchResult {
|
|
|
|
|
ensure_none(origin)?;
|
|
|
|
|
|
|
|
|
|
// signature isn't checked as this is an unsigned transaction, and validate_unsigned
|
|
|
|
|
// (called by pre_dispatch) checks it
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
let _ = signature_participants;
|
2023-10-22 03:59:21 -04:00
|
|
|
let _ = signature;
|
|
|
|
|
|
2024-10-07 05:16:11 +03:00
|
|
|
let session = Self::session(NetworkId::from(network)).unwrap();
|
|
|
|
|
let set = ExternalValidatorSet { network, session };
|
2023-10-22 03:59:21 -04:00
|
|
|
|
|
|
|
|
Keys::<T>::set(set, Some(key_pair.clone()));
|
|
|
|
|
|
2024-07-04 02:11:04 -04:00
|
|
|
// If this is the first ever set for this network, set TotalAllocatedStake now
|
2024-07-04 02:13:34 -04:00
|
|
|
// We generally set TotalAllocatedStake when the prior set retires, and the new set is fully
|
|
|
|
|
// active and liable. Since this is the first set, there is no prior set to wait to retire
|
2024-07-04 02:11:04 -04:00
|
|
|
if session == Session(0) {
|
2024-10-07 05:16:11 +03:00
|
|
|
Self::set_total_allocated_stake(NetworkId::from(network));
|
2024-07-04 02:11:04 -04:00
|
|
|
}
|
|
|
|
|
|
2023-12-14 23:45:15 -05:00
|
|
|
Self::deposit_event(Event::KeyGen { set, key_pair });
|
2023-12-04 07:04:44 -05:00
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-29 03:48:53 -05:00
|
|
|
#[pallet::call_index(1)]
|
|
|
|
|
#[pallet::weight(0)] // TODO
|
|
|
|
|
pub fn report_slashes(
|
|
|
|
|
origin: OriginFor<T>,
|
2024-10-07 05:16:11 +03:00
|
|
|
network: ExternalNetworkId,
|
2025-01-15 12:08:28 -05:00
|
|
|
slashes: SlashReport,
|
2024-01-29 03:48:53 -05:00
|
|
|
signature: Signature,
|
|
|
|
|
) -> DispatchResult {
|
|
|
|
|
ensure_none(origin)?;
|
|
|
|
|
|
|
|
|
|
// signature isn't checked as this is an unsigned transaction, and validate_unsigned
|
|
|
|
|
// (called by pre_dispatch) checks it
|
|
|
|
|
let _ = signature;
|
|
|
|
|
|
|
|
|
|
// TODO: Handle slashes
|
|
|
|
|
let _ = slashes;
|
|
|
|
|
|
|
|
|
|
// Emit set retireed
|
|
|
|
|
Pallet::<T>::deposit_event(Event::SetRetired {
|
2024-10-07 05:16:11 +03:00
|
|
|
set: ValidatorSet {
|
|
|
|
|
network: network.into(),
|
|
|
|
|
session: Session(Self::session(NetworkId::from(network)).unwrap().0 - 1),
|
|
|
|
|
},
|
2024-01-29 03:48:53 -05:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
2024-01-29 03:48:53 -05:00
|
|
|
|
2023-12-04 07:04:44 -05:00
|
|
|
#[pallet::call_index(2)]
|
|
|
|
|
#[pallet::weight(0)] // TODO
|
2025-08-26 14:32:55 -04:00
|
|
|
pub fn set_embedded_elliptic_curve_keys(
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
origin: OriginFor<T>,
|
2025-09-02 10:40:57 -04:00
|
|
|
keys: serai_primitives::crypto::SignedEmbeddedEllipticCurveKeys,
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
) -> DispatchResult {
|
2025-08-26 14:32:55 -04:00
|
|
|
let signer = ensure_signed(origin)?;
|
2025-09-02 10:40:57 -04:00
|
|
|
<Abstractions<T> as crate::EmbeddedEllipticCurveKeys>::set_embedded_elliptic_curve_keys(
|
|
|
|
|
signer, keys,
|
2025-09-02 11:07:45 -04:00
|
|
|
)
|
|
|
|
|
.map_err(|()| Error::<T>::InvalidEmbeddedEllipticCurveKeys)?;
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[pallet::call_index(3)]
|
|
|
|
|
#[pallet::weight(0)] // TODO
|
2023-10-22 03:59:21 -04:00
|
|
|
pub fn allocate(origin: OriginFor<T>, network: NetworkId, amount: Amount) -> DispatchResult {
|
|
|
|
|
let validator = ensure_signed(origin)?;
|
2025-09-03 00:48:15 -04:00
|
|
|
Coins::<T>::transfer_fn(validator, Self::account(), Balance { coin: Coin::Serai, amount })?;
|
2025-09-02 11:07:45 -04:00
|
|
|
Abstractions::<T>::increase_allocation(network, validator, amount, false)
|
|
|
|
|
.map_err(Error::<T>::AllocationError)?;
|
2025-08-26 14:32:55 -04:00
|
|
|
Ok(())
|
2023-10-22 03:59:21 -04:00
|
|
|
}
|
|
|
|
|
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
#[pallet::call_index(4)]
|
2023-10-22 03:59:21 -04:00
|
|
|
#[pallet::weight(0)] // TODO
|
|
|
|
|
pub fn deallocate(origin: OriginFor<T>, network: NetworkId, amount: Amount) -> DispatchResult {
|
|
|
|
|
let account = ensure_signed(origin)?;
|
|
|
|
|
|
2025-09-02 11:07:45 -04:00
|
|
|
let deallocation_timeline = Abstractions::<T>::decrease_allocation(network, account, amount)
|
|
|
|
|
.map_err(Error::<T>::DeallocationError)?;
|
2025-08-26 14:32:55 -04:00
|
|
|
if matches!(deallocation_timeline, DeallocationTimeline::Immediate) {
|
2025-09-03 00:48:15 -04:00
|
|
|
Coins::<T>::transfer_fn(Self::account(), account, Balance { coin: Coin::Serai, amount })?;
|
2023-10-22 03:59:21 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
/*
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
#[pallet::call_index(5)]
|
2023-10-22 03:59:21 -04:00
|
|
|
#[pallet::weight((0, DispatchClass::Operational))] // TODO
|
|
|
|
|
pub fn claim_deallocation(
|
|
|
|
|
origin: OriginFor<T>,
|
|
|
|
|
network: NetworkId,
|
|
|
|
|
session: Session,
|
|
|
|
|
) -> DispatchResult {
|
|
|
|
|
let account = ensure_signed(origin)?;
|
|
|
|
|
let Some(amount) = Self::take_deallocatable_amount(network, session, account) else {
|
|
|
|
|
Err(Error::<T>::NonExistentDeallocation)?
|
|
|
|
|
};
|
2025-09-03 00:48:15 -04:00
|
|
|
Coins::<T>::transfer_fn(
|
2023-10-22 03:59:21 -04:00
|
|
|
Self::account(),
|
|
|
|
|
account,
|
|
|
|
|
Balance { coin: Coin::Serai, amount },
|
|
|
|
|
)?;
|
2023-10-22 05:37:23 -04:00
|
|
|
Self::deposit_event(Event::DeallocationClaimed { validator: account, network, session });
|
2023-10-22 03:59:21 -04:00
|
|
|
Ok(())
|
|
|
|
|
}
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
2023-10-22 03:59:21 -04:00
|
|
|
}
|
|
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
/*
|
2023-10-22 03:59:21 -04:00
|
|
|
#[pallet::validate_unsigned]
|
|
|
|
|
impl<T: Config> ValidateUnsigned for Pallet<T> {
|
|
|
|
|
type Call = Call<T>;
|
|
|
|
|
|
|
|
|
|
fn validate_unsigned(_: TransactionSource, call: &Self::Call) -> TransactionValidity {
|
|
|
|
|
// Match to be exhaustive
|
2023-12-04 07:04:44 -05:00
|
|
|
match call {
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
Call::set_keys { network, ref key_pair, ref signature_participants, ref signature } => {
|
2023-12-14 23:45:15 -05:00
|
|
|
let network = *network;
|
2023-12-04 07:04:44 -05:00
|
|
|
|
|
|
|
|
// Confirm this set has a session
|
2024-10-07 05:16:11 +03:00
|
|
|
let Some(current_session) = Self::session(NetworkId::from(network)) else {
|
2023-12-04 07:04:44 -05:00
|
|
|
Err(InvalidTransaction::Custom(1))?
|
|
|
|
|
};
|
2023-12-14 23:45:15 -05:00
|
|
|
|
2024-10-07 05:16:11 +03:00
|
|
|
let set = ExternalValidatorSet { network, session: current_session };
|
2023-12-14 23:45:15 -05:00
|
|
|
|
2023-12-04 07:04:44 -05:00
|
|
|
// Confirm it has yet to set keys
|
|
|
|
|
if Keys::<T>::get(set).is_some() {
|
2023-12-14 23:45:15 -05:00
|
|
|
Err(InvalidTransaction::Stale)?;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// This is a needed precondition as this uses storage variables for the latest decided
|
|
|
|
|
// session on this assumption
|
2024-10-07 05:16:11 +03:00
|
|
|
assert_eq!(Pallet::<T>::latest_decided_session(network.into()), Some(current_session));
|
2023-12-14 23:45:15 -05:00
|
|
|
|
2025-01-30 03:14:24 -05:00
|
|
|
let participants = Participants::<T>::get(NetworkId::from(network))
|
|
|
|
|
.expect("session existed without participants");
|
2023-12-04 07:04:44 -05:00
|
|
|
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
// Check the bitvec is of the proper length
|
|
|
|
|
if participants.len() != signature_participants.len() {
|
|
|
|
|
Err(InvalidTransaction::Custom(2))?;
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-14 23:45:15 -05:00
|
|
|
let mut all_key_shares = 0;
|
|
|
|
|
let mut signers = vec![];
|
2023-12-04 07:04:44 -05:00
|
|
|
let mut signing_key_shares = 0;
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
for (participant, in_use) in participants.into_iter().zip(signature_participants) {
|
2023-12-14 23:45:15 -05:00
|
|
|
let participant = participant.0;
|
2024-10-07 05:16:11 +03:00
|
|
|
let shares = InSet::<T>::get(NetworkId::from(network), participant)
|
2023-12-14 23:45:15 -05:00
|
|
|
.expect("participant from Participants wasn't InSet");
|
|
|
|
|
all_key_shares += shares;
|
|
|
|
|
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
if !in_use {
|
2023-12-14 23:45:15 -05:00
|
|
|
continue;
|
2023-12-04 07:04:44 -05:00
|
|
|
}
|
2023-12-14 23:45:15 -05:00
|
|
|
|
|
|
|
|
signers.push(participant);
|
2023-12-04 07:04:44 -05:00
|
|
|
signing_key_shares += shares;
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-14 23:45:15 -05:00
|
|
|
{
|
|
|
|
|
let f = all_key_shares - signing_key_shares;
|
|
|
|
|
if signing_key_shares < ((2 * f) + 1) {
|
|
|
|
|
Err(InvalidTransaction::Custom(3))?;
|
|
|
|
|
}
|
2023-12-04 07:04:44 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify the signature with the MuSig key of the signers
|
2023-12-14 23:45:15 -05:00
|
|
|
// We theoretically don't need set_keys_message to bind to removed_participants, as the
|
|
|
|
|
// key we're signing with effectively already does so, yet there's no reason not to
|
2025-01-30 03:14:24 -05:00
|
|
|
if !musig_key(set.into(), &signers).verify(&set_keys_message(&set, key_pair), signature) {
|
2023-12-04 07:04:44 -05:00
|
|
|
Err(InvalidTransaction::BadProof)?;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ValidTransaction::with_tag_prefix("ValidatorSets")
|
2024-01-29 03:48:53 -05:00
|
|
|
.and_provides((0, set))
|
2023-12-04 07:04:44 -05:00
|
|
|
.longevity(u64::MAX)
|
|
|
|
|
.propagate(true)
|
|
|
|
|
.build()
|
|
|
|
|
}
|
2024-01-29 03:48:53 -05:00
|
|
|
Call::report_slashes { network, ref slashes, ref signature } => {
|
|
|
|
|
let network = *network;
|
|
|
|
|
let Some(key) = PendingSlashReport::<T>::take(network) else {
|
|
|
|
|
// Assumed already published
|
|
|
|
|
Err(InvalidTransaction::Stale)?
|
|
|
|
|
};
|
2024-10-07 05:16:11 +03:00
|
|
|
|
2024-01-29 03:48:53 -05:00
|
|
|
// There must have been a previous session is PendingSlashReport is populated
|
2025-01-30 03:14:24 -05:00
|
|
|
let set = ExternalValidatorSet {
|
|
|
|
|
network,
|
|
|
|
|
session: Session(Self::session(NetworkId::from(network)).unwrap().0 - 1),
|
|
|
|
|
};
|
2025-01-19 02:27:35 -05:00
|
|
|
if !key.verify(&slashes.report_slashes_message(), signature) {
|
2024-01-29 03:48:53 -05:00
|
|
|
Err(InvalidTransaction::BadProof)?;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ValidTransaction::with_tag_prefix("ValidatorSets")
|
|
|
|
|
.and_provides((1, set))
|
2025-01-14 07:51:39 -05:00
|
|
|
.longevity(MAX_KEY_SHARES_PER_SET_U32.into())
|
2024-01-29 03:48:53 -05:00
|
|
|
.propagate(true)
|
|
|
|
|
.build()
|
|
|
|
|
}
|
One Round DKG (#589)
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++
* Initial eVRF implementation
Not quite done yet. It needs to communicate the resulting points and proofs to
extract them from the Pedersen Commitments in order to return those, and then
be tested.
* Add the openings of the PCs to the eVRF as necessary
* Add implementation of secq256k1
* Make DKG Encryption a bit more flexible
No longer requires the use of an EncryptionKeyMessage, and allows pre-defined
keys for encryption.
* Make NUM_BITS an argument for the field macro
* Have the eVRF take a Zeroizing private key
* Initial eVRF-based DKG
* Add embedwards25519 curve
* Inline the eVRF into the DKG library
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
* Add documentation to the eVRF-based DKG
* Add paragraph claiming robustness
* Update to the new eVRF proof
* Finish routing the eVRF functionality
Still needs errors and serialization, along with a few other TODOs.
* Add initial eVRF DKG test
* Improve eVRF DKG
Updates how we calculcate verification shares, improves performance when
extracting multiple sets of keys, and adds more to the test for it.
* Start using a proper error for the eVRF DKG
* Resolve various TODOs
Supports recovering multiple key shares from the eVRF DKG.
Inlines two loops to save 2**16 iterations.
Adds support for creating a constant time representation of scalars < NUM_BITS.
* Ban zero ECDH keys, document non-zero requirements
* Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519
* Add Ristretto eVRF trait impls
* Support participating multiple times in the eVRF DKG
* Only participate once per key, not once per key share
* Rewrite processor key-gen around the eVRF DKG
Still a WIP.
* Finish routing the new key gen in the processor
Doesn't touch the tests, coordinator, nor Substrate yet.
`cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor`
does pass.
* Deduplicate and better document in processor key_gen
* Update serai-processor tests to the new key gen
* Correct amount of yx coefficients, get processor key gen test to pass
* Add embedded elliptic curve keys to Substrate
* Update processor key gen tests to the eVRF DKG
* Have set_keys take signature_participants, not removed_participants
Now no one is removed from the DKG. Only `t` people publish the key however.
Uses a BitVec for an efficient encoding of the participants.
* Update the coordinator binary for the new DKG
This does not yet update any tests.
* Add sensible Debug to key_gen::[Processor, Coordinator]Message
* Have the DKG explicitly declare how to interpolate its shares
Removes the hack for MuSig where we multiply keys by the inverse of their
lagrange interpolation factor.
* Replace Interpolation::None with Interpolation::Constant
Allows the MuSig DKG to keep the secret share as the original private key,
enabling deriving FROST nonces consistently regardless of the MuSig context.
* Get coordinator tests to pass
* Update spec to the new DKG
* Get clippy to pass across the repo
* cargo machete
* Add an extra sleep to ensure expected ordering of `Participation`s
* Update orchestration
* Remove bad panic in coordinator
It expected ConfirmationShare to be n-of-n, not t-of-n.
* Improve documentation on functions
* Update TX size limit
We now no longer have to support the ridiculous case of having 49 DKG
participations within a 101-of-150 DKG. It does remain quite high due to
needing to _sign_ so many times. It'd may be optimal for parties with multiple
key shares to independently send their preprocesses/shares (despite the
overhead that'll cause with signatures and the transaction structure).
* Correct error in the Processor spec document
* Update a few comments in the validator-sets pallet
* Send/Recv Participation one at a time
Sending all, then attempting to receive all in an expected order, wasn't working
even with notable delays between sending messages. This points to the mempool
not working as expected...
* Correct ThresholdKeys serialization in modular-frost test
* Updating existing TX size limit test for the new DKG parameters
* Increase time allowed for the DKG on the GH CI
* Correct construction of signature_participants in serai-client tests
Fault identified by akil.
* Further contextualize DkgConfirmer by ValidatorSet
Caught by a safety check we wouldn't reuse preprocesses across messages. That
raises the question of we were prior reusing preprocesses (reusing keys)?
Except that'd have caused a variety of signing failures (suggesting we had some
staggered timing avoiding it in practice but yes, this was possible in theory).
* Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests
* Correct shimmed setting of a secq256k1 key
* cargo fmt
* Don't use `[0; 32]` for the embedded keys in the coordinator rotation test
The key_gen function expects the random values already decided.
* Big-endian secq256k1 scalars
Also restores the prior, safer, Encryption::register function.
2024-08-16 11:26:07 -07:00
|
|
|
Call::set_embedded_elliptic_curve_key { .. } |
|
|
|
|
|
Call::allocate { .. } |
|
|
|
|
|
Call::deallocate { .. } |
|
|
|
|
|
Call::claim_deallocation { .. } => Err(InvalidTransaction::Call)?,
|
2023-10-22 03:59:21 -04:00
|
|
|
Call::__Ignore(_, _) => unreachable!(),
|
2023-11-18 21:27:06 -05:00
|
|
|
}
|
2023-10-22 03:59:21 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Explicitly provide a pre-dispatch which calls validate_unsigned
|
|
|
|
|
fn pre_dispatch(call: &Self::Call) -> Result<(), TransactionValidityError> {
|
2025-02-04 00:53:22 -05:00
|
|
|
Self::validate_unsigned(TransactionSource::InBlock, call).map(|_| ())
|
2023-10-22 03:59:21 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-05 16:52:50 +03:00
|
|
|
impl<T: Config> AllowMint for Pallet<T> {
|
2024-10-07 05:16:11 +03:00
|
|
|
fn is_allowed(balance: &ExternalBalance) -> bool {
|
2023-12-05 16:52:50 +03:00
|
|
|
// get the required stake
|
|
|
|
|
let current_required = Self::required_stake_for_network(balance.coin.network());
|
|
|
|
|
let new_required = current_required + Self::required_stake(balance);
|
|
|
|
|
|
|
|
|
|
// get the total stake for the network & compare.
|
2024-10-07 05:16:11 +03:00
|
|
|
let staked =
|
|
|
|
|
Self::total_allocated_stake(NetworkId::from(balance.coin.network())).unwrap_or(Amount(0));
|
2023-12-05 16:52:50 +03:00
|
|
|
staked.0 >= new_required
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-08-26 14:32:55 -04:00
|
|
|
impl<T: Config, V: Into<Public> + From<Public>> KeyOwnerProofSystem<(KeyTypeId, V)> for
|
|
|
|
|
Pallet<T> {
|
2023-12-17 01:44:08 +03:00
|
|
|
type Proof = MembershipProof<T>;
|
|
|
|
|
type IdentificationTuple = Public;
|
|
|
|
|
|
|
|
|
|
fn prove(key: (KeyTypeId, V)) -> Option<Self::Proof> {
|
|
|
|
|
Some(MembershipProof(key.1.into(), PhantomData))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn check_proof(key: (KeyTypeId, V), proof: Self::Proof) -> Option<Self::IdentificationTuple> {
|
|
|
|
|
let validator = key.1.into();
|
|
|
|
|
|
|
|
|
|
// check the offender and the proof offender are the same.
|
|
|
|
|
if validator != proof.0 {
|
|
|
|
|
return None;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// check validator is valid
|
|
|
|
|
if !Self::can_slash_serai_validator(validator) {
|
|
|
|
|
return None;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Some(validator)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<T: Config> ReportOffence<Public, Public, BabeEquivocationOffence<Public>> for Pallet<T> {
|
|
|
|
|
/// Report an `offence` and reward given `reporters`.
|
|
|
|
|
fn report_offence(
|
|
|
|
|
_: Vec<Public>,
|
|
|
|
|
offence: BabeEquivocationOffence<Public>,
|
|
|
|
|
) -> Result<(), OffenceError> {
|
|
|
|
|
// slash the offender
|
|
|
|
|
let offender = offence.offender;
|
|
|
|
|
Self::slash_serai_validator(offender);
|
|
|
|
|
|
|
|
|
|
// disable it
|
|
|
|
|
Self::disable_serai_validator(offender);
|
|
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn is_known_offence(
|
|
|
|
|
offenders: &[Public],
|
|
|
|
|
_: &<BabeEquivocationOffence<Public> as Offence<Public>>::TimeSlot,
|
|
|
|
|
) -> bool {
|
|
|
|
|
for offender in offenders {
|
|
|
|
|
// It's not a known offence if we can still slash them
|
|
|
|
|
if Self::can_slash_serai_validator(*offender) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<T: Config> ReportOffence<Public, Public, GrandpaEquivocationOffence<Public>> for Pallet<T> {
|
|
|
|
|
/// Report an `offence` and reward given `reporters`.
|
|
|
|
|
fn report_offence(
|
|
|
|
|
_: Vec<Public>,
|
|
|
|
|
offence: GrandpaEquivocationOffence<Public>,
|
|
|
|
|
) -> Result<(), OffenceError> {
|
|
|
|
|
// slash the offender
|
|
|
|
|
let offender = offence.offender;
|
|
|
|
|
Self::slash_serai_validator(offender);
|
|
|
|
|
|
|
|
|
|
// disable it
|
|
|
|
|
Self::disable_serai_validator(offender);
|
|
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn is_known_offence(
|
|
|
|
|
offenders: &[Public],
|
|
|
|
|
_slot: &<GrandpaEquivocationOffence<Public> as Offence<Public>>::TimeSlot,
|
|
|
|
|
) -> bool {
|
|
|
|
|
for offender in offenders {
|
|
|
|
|
if Self::can_slash_serai_validator(*offender) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<T: Config> FindAuthor<Public> for Pallet<T> {
|
|
|
|
|
fn find_author<'a, I>(digests: I) -> Option<Public>
|
|
|
|
|
where
|
|
|
|
|
I: 'a + IntoIterator<Item = (ConsensusEngineId, &'a [u8])>,
|
|
|
|
|
{
|
|
|
|
|
let i = Babe::<T>::find_author(digests)?;
|
|
|
|
|
Some(Babe::<T>::authorities()[i as usize].0.clone().into())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-22 14:22:46 +03:00
|
|
|
impl<T: Config> DisabledValidators for Pallet<T> {
|
2023-12-17 01:44:08 +03:00
|
|
|
fn is_disabled(index: u32) -> bool {
|
|
|
|
|
SeraiDisabledIndices::<T>::get(index).is_some()
|
2023-10-22 03:59:21 -04:00
|
|
|
}
|
|
|
|
|
}
|
2025-08-26 14:32:55 -04:00
|
|
|
*/
|
2023-01-04 22:52:41 -05:00
|
|
|
}
|
|
|
|
|
|
2025-01-30 12:23:03 +03:00
|
|
|
sp_api::decl_runtime_apis! {
|
|
|
|
|
#[api_version(1)]
|
|
|
|
|
pub trait ValidatorSetsApi {
|
|
|
|
|
/// Returns the validator set for a given network.
|
2025-08-26 14:32:55 -04:00
|
|
|
fn validators(
|
|
|
|
|
network_id: serai_primitives::network_id::NetworkId,
|
|
|
|
|
) -> Vec<serai_primitives::crypto::Public>;
|
2025-01-30 12:23:03 +03:00
|
|
|
|
|
|
|
|
/// Returns the external network key for a given external network.
|
|
|
|
|
fn external_network_key(
|
2025-08-26 14:32:55 -04:00
|
|
|
network: serai_primitives::network_id::ExternalNetworkId,
|
|
|
|
|
) -> Option<serai_primitives::crypto::ExternalKey>;
|
2025-01-30 12:23:03 +03:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-04 22:52:41 -05:00
|
|
|
pub use pallet::*;
|
