Implement BDN signature aggregation scheme

.config/rust-f3.dic

@@ -1,4 +1,4 @@
-26
+23
 API/M
 APIs
 benchmark/GD
@@ -41,4 +41,5 @@ G1
 G2
 JSON
 CBOR
-TODO
+TODO
++

Cargo.toml

@@ -14,6 +14,7 @@ ahash = "0.8"
 anyhow = "1"
 base32 = "0.5"
 base64 = "0.22"
+blake2 = { git = "https://github.com/huitseeker/hashes.git", rev = "4d3debf264a45da9e33d52645eb6ee9963336f66", features = ["blake2x"] } # PR: https://github.com/RustCrypto/hashes/pull/704
 bls-signatures = { version = "0.15" }
 bls12_381 = "0.8"
 cid = { version = "0.11", features = ["std"] }
@@ -28,6 +29,7 @@ num-bigint = { version = "0.4", features = ["serde"] }
 num-traits = "0.2"
 parking_lot = "0.12"
 rand = "0.8"
+rayon = "1.10"
 serde = { version = "1", features = ["derive"] }
 serde_cbor = { package = "serde_cbor_2", version = "0.13" }
 serde_json = { version = "1", features = ["raw_value"] }

blssig/Cargo.toml

@@ -10,12 +10,15 @@ edition.workspace = true
 rust-version.workspace = true
 
 [dependencies]
+blake2.workspace = true
 bls-signatures.workspace = true
 bls12_381.workspace = true
 filecoin-f3-gpbft = { path = "../gpbft", version = "0.1.0" }
 hashlink.workspace = true
 parking_lot.workspace = true
+rayon.workspace = true
 thiserror.workspace = true
 
 [dev-dependencies]
+hex.workspace = true
 rand.workspace = true

blssig/src/bdn/mod.rs

@@ -2,16 +2,24 @@
 // SPDX-License-Identifier: Apache-2.0, MIT
 
 //! BDN (Boneh-Drijvers-Neven) signature aggregation scheme, for preventing rogue public-key attacks.
+//! Those attacks could allow an attacker to forge a public-key and then make a verifiable
+//! signature for an aggregation of signatures. It fixes the situation by adding coefficients to the aggregate.
 //!
-//! NOTE: currently uses standard BLS aggregation without coefficient weighting, hence returns incorrect values compared to go-f3.
+//! See the papers:
+//! - <https://eprint.iacr.org/2018/483.pdf>
+//! - <https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html>
 //!
 use crate::verifier::BLSError;
-use bls_signatures::{PublicKey, Signature};
-use bls12_381::{G1Projective, G2Affine, G2Projective};
+use blake2::Blake2xs;
+use blake2::digest::{ExtendableOutput, Update, XofReader};
+use bls_signatures::{PublicKey, Serialize, Signature};
+use bls12_381::{G1Projective, G2Projective, Scalar};
+use rayon::prelude::*;
 
 /// BDN aggregation context for managing signature and public key aggregation
 pub struct BDNAggregation {
-    pub_keys: Vec<PublicKey>,
+    pub(crate) coefficients: Vec<Scalar>,
+    pub(crate) terms: Vec<PublicKey>,
 }
 
 impl BDNAggregation {
@@ -20,43 +28,114 @@ impl BDNAggregation {
             return Err(BLSError::EmptyPublicKeys);
         }
 
-        Ok(Self { pub_keys })
+        let coefficients = Self::calc_coefficients(&pub_keys)?;
+        let terms = Self::calc_terms(&pub_keys, &coefficients);
+
+        Ok(Self {
+            coefficients,
+            terms,
+        })
     }
 
-    /// Aggregates signatures using standard BLS aggregation
-    /// TODO: Implement BDN aggregation scheme: https://github.com/ChainSafe/rust-f3/issues/29
-    pub fn aggregate_sigs(&self, sigs: Vec<Signature>) -> Result<Signature, BLSError> {
-        if sigs.len() != self.pub_keys.len() {
+    /// Aggregates signatures using BDN aggregation with coefficients.
+    /// Computes: `sum((coef_i + 1) * sig_i)` for signatures at the given indices
+    pub fn aggregate_sigs(
+        &self,
+        indices: &[u64],
+        sigs: &[Signature],
+    ) -> Result<Signature, BLSError> {
+        if sigs.len() != indices.len() {
             return Err(BLSError::LengthMismatch {
-                pub_keys: self.pub_keys.len(),
+                pub_keys: indices.len(),
                 sigs: sigs.len(),
             });
         }
 
-        // Standard BLS aggregation
+        for &idx in indices {
+            if idx as usize >= self.coefficients.len() {
+                return Err(BLSError::SignerIndexOutOfRange(idx as usize));
+            }
+        }
+
         let mut agg_point = G2Projective::identity();
-        for sig in sigs {
-            let sig: G2Affine = sig.into();
-            agg_point += sig;
+        for (sig, &idx) in sigs.iter().zip(indices.iter()) {
+            let coef = self.coefficients[idx as usize];
+            let sig_point: G2Projective = (*sig).into();
+            let sig_c = sig_point * coef;
+            let sig_c = sig_c + sig_point;
+
+            agg_point += sig_c;
         }
 
         // Convert back to Signature
         let agg_sig: Signature = agg_point.into();
         Ok(agg_sig)
     }
 
-    /// Aggregates public keys using standard BLS aggregation
-    /// TODO: Implement BDN aggregation scheme: https://github.com/ChainSafe/rust-f3/issues/29
-    pub fn aggregate_pub_keys(&self) -> Result<PublicKey, BLSError> {
-        // Standard BLS aggregation
+    /// Aggregates public keys indices using BDN aggregation with coefficients.
+    /// Computes: `sum((coef_i + 1) * pub_key_i)`
+    pub fn aggregate_pub_keys(&self, indices: &[u64]) -> Result<PublicKey, BLSError> {
+        for &idx in indices {
+            if idx as usize >= self.terms.len() {
+                return Err(BLSError::SignerIndexOutOfRange(idx as usize));
+            }
+        }
+
+        // Sum of pre-computed terms (which are already `(coef_i + 1) * pub_key_i`)
         let mut agg_point = G1Projective::identity();
-        for pub_key in &self.pub_keys {
-            let pub_key_point: G1Projective = (*pub_key).into();
-            agg_point += pub_key_point;
+        for &idx in indices {
+            let term_point: G1Projective = self.terms[idx as usize].into();
+            agg_point += term_point;
         }
 
         // Convert back to PublicKey
         let agg_pub_key: PublicKey = agg_point.into();
         Ok(agg_pub_key)
     }
+
+    pub fn calc_coefficients(pub_keys: &[PublicKey]) -> Result<Vec<Scalar>, BLSError> {
+        let mut hasher = Blake2xs::new(0xFFFF);
+
+        // Hash all public keys
+        for pub_key in pub_keys {
+            let bytes = pub_key.as_bytes();
+            hasher.update(&bytes);
+        }
+
+        // Read 16 bytes per public key
+        let mut reader = hasher.finalize_xof();
+        let mut output = vec![0u8; pub_keys.len() * 16];
+        reader.read(&mut output);
+
+        // Convert every consecutive 16 bytes chunk to a scalar
+        let mut coefficients = Vec::with_capacity(pub_keys.len());
+        for i in 0..pub_keys.len() {
+            let chunk = &output[i * 16..(i + 1) * 16];
+
+            // Convert 16 bytes to 32 bytes, for scalar (pad with zeros)
+            let mut bytes_32 = [0u8; 32];
+            bytes_32[..16].copy_from_slice(chunk);
+
+            // BLS12-381 scalars expects little-endian byte representation
+            let scalar = Scalar::from_bytes(&bytes_32)
+                .into_option()
+                .ok_or(BLSError::InvalidScalar)?;
+            coefficients.push(scalar);
+        }
+
+        Ok(coefficients)
+    }
+
+    pub fn calc_terms(pub_keys: &[PublicKey], coefficients: &[Scalar]) -> Vec<PublicKey> {
+        pub_keys
+            .par_iter()
+            .enumerate()
+            .map(|(i, pub_key)| {
+                let pub_key_point: G1Projective = (*pub_key).into();
+                let pub_c = pub_key_point * coefficients[i];
+                let term = pub_c + pub_key_point;
+                term.into()
+            })
+            .collect()
+    }
 }

blssig/src/lib.rs

@@ -8,7 +8,10 @@
 //! The BDN (Boneh-Drijvers-Neven) scheme is used for signature and public key aggregation
 //! to prevent rogue public-key attacks.
 
+pub use verifier::{BLSError, BLSVerifier};
+
 mod bdn;
 mod verifier;
 
-pub use verifier::{BLSError, BLSVerifier};
+#[cfg(test)]
+mod tests;