swap ed25519-dalek for ed25519-zebra #8764
Conversation
|
User @jakehemmerle, please sign the CLA here. |
jakehemmerle
force-pushed
the
8805-ed25519-zebra
branch
3 times, most recently
from
9fdbbb7
to
cc921fd
Compare
|
You still have the failing test case? If I recall, it looked like a case of using the identity as a key, likely zeros do not represent the identity but zebbra pushes them into being the identity or something. Where was it? |
yes it's still failing. Failing case is I didn't realize your identity key matrix message was from reading the code; I thought it was just an example! |
|
There is a multiplication by the cofactor of 8 in https://github.com/ZcashFoundation/ed25519-zebra/blob/main/src/batch.rs#L212 which turns points of small order into the identity, and makes the batch and non-batch verification agree. I believe a bunch of zeros turns into a curve point of small order, which the multiplication by A_coeffs and R_coeffs preserves, and then zeros in the field turn into zero too. |
jakehemmerle
force-pushed
the
8805-ed25519-zebra
branch
2 times, most recently
from
036ba83
to
bb60e16
Compare
|
Tests fixed! Should close paritytech/polkadot-sdk#351 and #8055. One question: sr25519 (as did ed25519-dalek) throws an error when verifying identity arguments, while ed25519-zebra is fine with verifying identities. I've changed the test to expect this behavior; is this fine or will these differences be an issue in practice? |
|
It depends what you mean by identity. Ristretto has the same identity as Ed25519, but serializes it as Ed25519 serializes its identity not as |
|
As a rule, I would not care too much how we handle public keys consisting of zero bytes, except we avoid some code complexity if single and batch verification agree, which is the point here. |
jakehemmerle
force-pushed
the
8805-ed25519-zebra
branch
from
bb60e16
to
d717bdb
Compare
|
I swapped verifications using zero keys with signatures from another keypair. This should fix the above issues mentioned by Jeff. |
|
I think substrate/primitives/io/src/lib.rs Line 1542 in d717bdb substrate/primitives/io/src/lib.rs Line 1588 in d717bdb |
|
LGTM modulo adding one test. :) We'll get someone else from parity to review though. |
jakehemmerle
force-pushed
the
8805-ed25519-zebra
branch
from
d717bdb
to
4f55730
Compare
|
Sweet; final test fixed! |
|
@jakehemmerle can you please merge master |
|
@bkchr merged |
|
Sorry for the late reply, but the CI wasn't happy about your merge. |
|
Looks like the lockfile. Will update shortly |
jakehemmerle
force-pushed
the
8805-ed25519-zebra
branch
2 times, most recently
from
fb2be90
to
67e99ca
Compare
|
@bkchr I fixed the lockfile and it's now passing the test-linux-stable-int build, but still failing the test-linux-stable due to a pallet_ui.rs test. I just spend almost two hours trying to understand why it's failing, but I see other test-linux-stable builds passing and I don't have enough context to know where to look to fix the error. I see a new trait_constant_valid_bounds.rs test has been added to pallet_ui by Andrew two weeks ago, but on the surface it looks unrelated. That new test is at https://github.com/paritytech/substrate/blob/master/frame/support/test/tests/pallet_ui.rs#L26 and the only file in the test-linux-stable failing at https://gitlab.parity.io/parity/substrate/-/jobs/987864#L988 Do you think you can take a look and point me in the right direction? |
|
@jakehemmerle you just need to merge master. |
|
This should fix your problem |
|
@bkchr just merged, still having the same issue. I had been rebasing before |
gilescope
added
C7-high ❗️
D9-needsaudit 👮
primitives/core/src/ed25519.rs
Outdated
| @@ -484,10 +486,11 @@ impl TraitPair for Pair { | |||
| /// | |||
| /// You should never need to use this; generate(), generate_with_phrase | |||
| fn from_seed_slice(seed_slice: &[u8]) -> Result<Pair, SecretStringError> { | |||
| let secret = ed25519_dalek::SecretKey::from_bytes(seed_slice) | |||
| // does try_into consume the seed? can I consume seed_slice here? I think not right? | |||
There was a problem hiding this comment.
You can't consume the seed in this fn but have raised a PR to make from_seed (above) take ownership of the Seed. ( #9683 )
That then allows SigningKey::from(seed) in the from_seed function.
There was a problem hiding this comment.
This was my first rust ticket and I hadn't wrapped my head around ownership yet :)
I also agree with your point in that PR that the seed should be consumed; will update this if that gets merged
Co-authored-by: Squirrel <gilescope@gmail.com>
…e into 8805-ed25519-zebra
|
We've seemingly never merged this. Anything problematic crop up? Can we get this running on one of the testnets? |
|
@bkchr is there someone on your team that might put this to bed? Might be up @wigy-opensource-developer's street? Zebra is harder to make mistakes with than Dalek - am keen if we can have fewer cryptographic footguns. |
|
Maybe at some point. Going to close this one as it is stale anyway. |
|
Taking another look at this today with a bit more rust under my belt TLDR dalek rejects verification when using the zero public key, while zebra allows this. To procede:
Regarding burn in:
|
|
CC'ing @burdges @gilescope @bkchr on for the above, in case you don't get notifications on closed issues unless you're mentioned ^ |
|
Cool tool! I spent about 15 minutes looking for any sort of mention of how to handle zero keys for ECC (I found, literally, nothing), so I'm just going to do a burn in |
|
Burn in passed. That made my day I'm going to do #2: modify the assertion to accept the all-zero key |
|
We do not care about the zero key verifying everything behavior. Zero session or controller key are byzantine, while other zero account keys have no impact. |
|
Cool, I'll put up a new PR shortly. |
louismerlin
removed
the
D9-needsaudit 👮
|
Ideally this PR should contain a label to indicate a change in the host function (for people still pending to do the dependency upgrade) |
We have done some sync testing on Polkadot/Kusama to ensure that nothing breaks. However, we should extend this process to Parachains as well. |
|
I think, no matter if it impacts an existing chain or not, when an assumption of a host function changes, it should be tagged, don't you think ? |
polkadot companion: paritytech/polkadot#3504
This should close #8055. All tests are pass in
sp-core.This should eventually close paritytech/polkadot-sdk#351, but the
batching_workstest insp-iodoes not pass. Since this passes on the current Substrate master, this needs to get fixed.batching_worksstdout and panic log: https://pastebin.com/bA78t00a@burdges maybe you can take a look at this?