New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add EIP-6493: SSZ Transaction Signature Scheme #6493
Conversation
All reviewers have approved. Auto merging... |
This PR builds on top of prior work from: - @lightclient at ethereum#6385 The signature malleability issue in the original PR is addressed by reusing the consensus `compute_signing_root` mechanism to link each hash with the transaction's underlying `chain_id` and `tx_type`. Note that this makes the transaction hashes different from the plain `hash_tree_root` values. This means that if the `transactions_root` MPT is replaced with SSZ (EIP-6404), that the `transaction_hash` would need to be tracked separately, same as for legacy RLP-based transactions. This is mainly a cosmetic issue, not a practical one. In an SSZ tx tree, we could simply include both the HTR as well as the perpetual tx hash. Cryptographic analysis may be necessary to determine the amount by which the hash collision probability is increased, if we use different hashing algorithms for transactions. On the other hand, using different algo for SSZ transactions reduces the impact of a custom network defining 0x05 as a RLP transaction that might serialize same as the blob SSZ transaction.
Overall, these items need to be mixed into any SHA256 based signature:
Currently, this PR uses an approach as close as possible to the consensus specs:
It doesn't necessarily have to be these constants, and it doesn't necessarily have to be the same schema from consensus. While both these tx signatures and the consensus signatures are SSZ based, they are not signed using the same key. For example, we could also just run For the perpetual TX hash, it could be relaxed, but the same information needs to be mixed into the hash if the goal is to create globally unique TX hashes (across chains). |
There is also https://eips.ethereum.org/EIPS/eip-2124, maybe the "genesis hash" would work to link the signature to the underlying spec document defining the tx type, as the consensus genesis_validators_root equivalent. |
EIPS/eip-4844.md
Outdated
def signed_tx_hash(tx: SignedBlobTransaction) -> Root: | ||
domain = compute_transaction_domain(BLOB_TX_TYPE, node.cfg.chain_id) | ||
return compute_signing_root(tx, domain) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the signed_tx_hash
, as it already includes the signature (which already signs over compute_transaction_domain
), I think it may be possible to just use plain hash_tree_root
. TBD.
The commit 1e9e198 (as a parent of 0f13409) contains errors. |
hash_tree_root
based transaction hashes
I moved the scheme for SSZ transaction signatures to a separate EIP (6493). Note that this representation is for the way how signatures are signed, identified, and represented before inclusion in a block. For post-block-inclusion, there is EIP-6404. The new signature scheme proposed here is close to what the "SSZ Union" approach in EIP-6404's test section is referring to, so it doesn't conflict with the approach based on "SSZ Union". For "SSZ Normalized" approach, the transaction's mempool encoding is not linked to the post-block-inclusion encoding, so there is no concern either. |
Also, @vbuterin , this is as close as I could get it to your post here: https://notes.ethereum.org/@vbuterin/transaction_ssz_refactoring Means, 1 more SHA256 needed to get from |
Let's move discussion to here: |
tx_to=ExecutionAddress(bytes.fromhex('d8da6bf26964af9d7eed9e03e53415d37aa96045')), | ||
tx_value=3_141_592_653, | ||
) | ||
sig_hash = compute_example_sig_hash(message) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sig_hash = compute_example_sig_hash(message) | |
sig_root = compute_example_sig_root(message) |
would this be clearer to convey that this goes into signature calc
Co-authored-by: g11tech <develop@g11tech.io>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM now (for a draft).
* Update EIP-4844: `hash_tree_root` based transaction hashes This PR builds on top of prior work from: - @lightclient at ethereum#6385 The signature malleability issue in the original PR is addressed by reusing the consensus `compute_signing_root` mechanism to link each hash with the transaction's underlying `chain_id` and `tx_type`. Note that this makes the transaction hashes different from the plain `hash_tree_root` values. This means that if the `transactions_root` MPT is replaced with SSZ (EIP-6404), that the `transaction_hash` would need to be tracked separately, same as for legacy RLP-based transactions. This is mainly a cosmetic issue, not a practical one. In an SSZ tx tree, we could simply include both the HTR as well as the perpetual tx hash. Cryptographic analysis may be necessary to determine the amount by which the hash collision probability is increased, if we use different hashing algorithms for transactions. On the other hand, using different algo for SSZ transactions reduces the impact of a custom network defining 0x05 as a RLP transaction that might serialize same as the blob SSZ transaction. * Fix `signed_tx_hash` * Use static chain ID for purpose of domain computation * Extract SSZ signature scheme to EIP for reuse * Add URL * Split 4844 changes to separate PR * Fix * rm redundant test * Apply most of @g11tech's review Co-authored-by: g11tech <develop@g11tech.io> --------- Co-authored-by: Gavin John <gavinnjohn@gmail.com> Co-authored-by: g11tech <develop@g11tech.io>
* Update EIP-4844: `hash_tree_root` based transaction hashes This PR builds on top of prior work from: - @lightclient at ethereum#6385 The signature malleability issue in the original PR is addressed by reusing the consensus `compute_signing_root` mechanism to link each hash with the transaction's underlying `chain_id` and `tx_type`. Note that this makes the transaction hashes different from the plain `hash_tree_root` values. This means that if the `transactions_root` MPT is replaced with SSZ (EIP-6404), that the `transaction_hash` would need to be tracked separately, same as for legacy RLP-based transactions. This is mainly a cosmetic issue, not a practical one. In an SSZ tx tree, we could simply include both the HTR as well as the perpetual tx hash. Cryptographic analysis may be necessary to determine the amount by which the hash collision probability is increased, if we use different hashing algorithms for transactions. On the other hand, using different algo for SSZ transactions reduces the impact of a custom network defining 0x05 as a RLP transaction that might serialize same as the blob SSZ transaction. * Fix `signed_tx_hash` * Use static chain ID for purpose of domain computation * Extract SSZ signature scheme to EIP for reuse * Add URL * Split 4844 changes to separate PR * Fix * rm redundant test * Apply most of @g11tech's review Co-authored-by: g11tech <develop@g11tech.io> --------- Co-authored-by: Gavin John <gavinnjohn@gmail.com> Co-authored-by: g11tech <develop@g11tech.io>
This PR builds on top of prior work from:
hash_tree_root
for tx hash #6385The signature malleability issue in the original PR is addressed by reusing the consensus
compute_signing_root
mechanism to link each hash with the transaction's underlyingchain_id
andtx_type
.Note that this makes the transaction hashes different from the plain
hash_tree_root
values. This means that if thetransactions_root
MPT is replaced with SSZ (EIP-6404), that thetransaction_hash
would need to be tracked separately, same as for legacy RLP-based transactions. This is mainly a cosmetic issue, not a practical one. In an SSZ tx tree, we could simply include both the HTR as well as the perpetual tx hash.Cryptographic analysis may be necessary to determine the amount by which the hash collision probability is increased, if we use different hashing algorithms for transactions. On the other hand, using different algo for SSZ transactions reduces the impact of a custom network defining 0x05 as a RLP transaction that might serialize same as the blob SSZ transaction.