|
|
32f0057700
|
STM BLS verification WORKING against live preprod (milestones A, B, partial C)
Key findings from upstream:
- Mithril's BLS msg is NOT signed_message alone — it's
msgp = signed_message_ascii_bytes || mt_commitment_root_32_bytes
- Mithril uses EMPTY DST for hash-to-G1 (not the IETF BLS suite string)
- Aggregation is NOT plain summation — it's MuSig-style weighted:
t_i = Blake2b-128(Blake2b-128(sigs_concat) || be_u64(i))
aggr_sig = Σ t_i · sig_i (in G1)
aggr_vk = Σ t_i · vk_i (in G2)
This blocks rogue-key attacks.
Shipped:
- internal/stm/types.go: MultiSig + AVK decoders (hex-of-ASCII-JSON wrapping,
polymorphic tuple JSON handling via ByteArray + custom UnmarshalJSON)
- internal/stm/bls.go: BlsVerify (pairing check with gnark-crypto)
- internal/stm/aggregate.go: MuSig-style AggregateBLS + BlsAggregateVerify
- synthetic test + live test (build tag 'live') both green
Live preprod head cert (epoch 284, cert 175051cf…):
- 2 signers, 11 total lottery wins
- aggregate verify: PASS ✓
- single-signer verify: PASS ✓
Next: lottery threshold check, Merkle batch-proof verification, glue into
top-level Verify(msg, multi_sig, avk, params) + wire to 'verify' subcommand.
|
2026-04-23 15:53:00 -07:00 |
|
