Closed YaronWittenstein closed 1 year ago
Thanks Yaron! Made a couple of tiny fixes in the pseudocode, hope that's okay. Some questions:
we need to distinguish between: A Transaction, excluding the DS signatures. The whole Transaction, including the DS Signatures.
Can we refer to these as Transaction
and InnerTransaction
, to disambiguate?
For the multisig case, here we're assuming that there are two distinct signatures (blobs), one per pubkey. What if we wanted to do some form of signature aggregation, e.g., BLS, such that there's only a single signature blob?
The verify expects two numbers
- Doesn't
verify
need a generic function signature, which can handle the single-sig use case as well?
I agree about being more precise. We can interchangeably use the terms InnerTransaction
or Transaction Message.
So when saying a Transaction
, we'd refer to the whole structure (Envelope
+ Message
).
It might be more beneficial to mention whether the Envelope
is included explicitly.
The signature of verify
is generic, of course. In practice, the emitted Wasm will have a function called svm_verify
with an empty input. The data is passed as a blob. Each Template (or even a function) could have its own ABI implemented.
We call it that blob verifydata
(in the same way we call it calldata
for other public functions).
I think the term Signature Scheme
as used in this document is confusing. It's usually used to refer to actual cryptographic signature schemes (e.g. ECDSA, Schnorr, etc.) and not the way they're used (e.g. n-of-m multisig
).
In the single-sig example you made signatures 64 bytes long and then in the multisig example 32 bytes long. It was a little confusing for me, especially since svm_dig_verify
makes an assumption about the sig length. It should probably be 64 bytes in both examples.
Minor terminology comment: Can we please change term DS signatures
to Signature Data
because I think that this is what we are talking about here - data of one or more signatures and it is obvious that this data is for DS, aka digital signatures. It is a bit confusing to me. Typically this data will just be one or more signatures but it is generalized to optionally include other things as far as I understand. If this is not the case then signature data can be defined as a list of one or more signatures.
I actually like Witness Data
to keep it more general.
I actually like
Witness Data
to keep it more general.
Sorry, @avive has asked first to rename to Signature Data
😃
Minor terminology comment: Can we please change term
DS signatures
toSignature Data
because I think that this is what we are talking about here - data of one or more signatures and it is obvious that this data is for DS, aka digital signatures. It is a bit confusing to me. Typically this data will just be one or more signatures but it is generalized to optionally include other things as far as I understand. If this is not the case then signature data can be defined as a list of one or more signatures.
done
I think the term
Signature Scheme
as used in this document is confusing. It's usually used to refer to actual cryptographic signature schemes (e.g. ECDSA, Schnorr, etc.) and not the way they're used (e.g.n-of-m multisig
).In the single-sig example you made signatures 64 bytes long and then in the multisig example 32 bytes long. It was a little confusing for me, especially since
svm_dig_verify
makes an assumption about the sig length. It should probably be 64 bytes in both examples.
Signature
as well.svm_dig_verify
to svm_sig_verify
made obsolete by current implemenation https://github.com/spacemeshos/go-spacemesh/issues/3220
SVM Transaction Signatures
Overview
This SMIP extends the AA Transactions & SVM Integration and SVM Raw Transaction Ranges SMIPs. It outlines how to support in the SVM infrastructure-level different Signatures Schemes. It's highly recommended to read both SMIPs before reading this one.
Goals and Motivation
The introduction of Account Unification to Spacemesh opened doors to extend the system with features that otherwise had to be part of the protocol. One of the implications is being able to shift the Transactions Signatures Schemes implementation to the
Template
level.We want each
Template
to be able to have its Signature Schemes. OneTemplate
might use aSingle Signature Scheme
while the other might applyMultiSig 2-3 Scheme
.High-level design
The
Signatures Schemes
verification will take place within theverify
method of aTemplate
. EachTemplate
may decide about its verification algorithm. Almost anyTemplate
will apply some form of Digital Signatures (DS) as part of theirverify
.In theory, a
Template
might choose to always returntrue
in itsverify
logic - in such a case, noSignature Data
will be involved.The number of parties signing the
Transaction
and the exact algorithms used will be different betweenTemplates
. AnyTemplate
using DS will involve signing theTransaction
(in its binary format) digitally.Terminology-wise, the
Signatures Data
is part of theMessage
part of anyTransaction
. (i.eDeploy/Spawn/Call
), That being said, we need to distinguish between:Transaction
, excluding theSignatures Data
.Transaction
, including theSignatures Data
.This distinction is crucial and can easily be mistaken. When referring to a
Transaction
, we need to know the context - whether it includes theSignatures Data
or not.For example, when sending a
Transaction
over the network, we infer that theSignatures Data
is part of the transmitted data. In other cases, it might require an explicit mention of whether theSignatures Data
are available or not.We'll call the
Signatures Data
in their binary form thesigdata
(using the same convention as incalldata/verifydata/returndata
).From the infrastructure standpoint, it's just a blob of bytes. But, in general, it is a list of
Signatures Data
that theverify
knows how to interpret. That being said, it's advised not to use any fancy ABI here. Instead, the most straightforward implementation will be concatenating theSignatures Data
one next to another.Then the
verify
code will grab eachSignature
by its offsets within thesigdata
. These offsets could be hardcoded within the code. Thesigdata
will be accessible in the Wasm Memory in the same manner as in other similars such assvm_tx_range
The best way to describe the whole mechanism is by examples. Say we have a
Single Signature Scheme
with64 byte-long
signatures and32 byte-long
public keys.In that case, the code of the
verify
could be similar to this pseudo-code:A few notes:
svm_tx_sigdata_range
Should return a tuple containing the memory range holding thesigdata
.section_id
- The additionalsection_id
to part of the host functions is explained at SVM Code Reuse between Templates.svm_sig_verify
- this is the host function that should be implemented as a result of this SMIP. In practice, there might be more than oneDigital Signatures Verification
host function.Now, let's see what the
verify
of aMultiSig 2-3
might look like in pseudo-code:A few notes:
svm_load256
doesn't exist at the time of writing this SMIP. It seems likely thatsvm_load256
,svm_store256
, and similars will have to be added to SVM. (and SVM SDK and SVM ABI).verify
expects two numbers, each pointing to the correspondingPublic Key
variables stored at theImmutable Storage Section.
The code assumes that the three public keys provided to the constructor (as part of theAccount Spawn
) are located atvariables=0,1
and2
under theImmutable Storage Section
. That's why the code asserts that each input is within the range0..3
(exclusive).sigdata
holding the signatures is distinguished from the rest of the Transaction. The inputs toverify
(pk_idx1
andpk_idx2
) are stored in theverifydata
buffer.sigdata
contains two public keys, one after the other. It means that the first public key will be located as offset zero of thesigdata
, and the second one will start atoffset=32
of thesigdata
.Questions/concerns
TBD
Stakeholders and reviewers
@noamnelke @lrettig @neysofu @avive @moshababo