Merge pull request #3521 from ethereum/official-kzg

Use official KZG ceremony output trusted setups

Makefile

@@ -212,7 +212,7 @@ gen_kzg_setups:
 	if ! test -d venv; then python3 -m venv venv; fi; \
 	. venv/bin/activate; \
 	pip3 install -r requirements.txt; \
-	python3 ./gen_kzg_trusted_setups.py --secret=1337 --g1-length=4 --g2-length=65 --output-dir ${CURRENT_DIR}/presets/minimal/trusted_setups; \
+	python3 ./gen_kzg_trusted_setups.py --secret=1337 --g1-length=4096 --g2-length=65 --output-dir ${CURRENT_DIR}/presets/minimal/trusted_setups; \
 	python3 ./gen_kzg_trusted_setups.py --secret=1337 --g1-length=4096 --g2-length=65 --output-dir ${CURRENT_DIR}/presets/mainnet/trusted_setups
 
 # For any generator, build it using the run_generator function.

presets/minimal/deneb.yaml

@@ -2,8 +2,8 @@
 
 # Misc
 # ---------------------------------------------------------------
-# [customized]
-FIELD_ELEMENTS_PER_BLOB: 4
+# `uint64(4096)`
+FIELD_ELEMENTS_PER_BLOB: 4096
 # [customized]
 MAX_BLOB_COMMITMENTS_PER_BLOCK: 16
 # `uint64(6)`

setup.py

@@ -108,21 +108,14 @@ def _is_constant_id(name: str) -> bool:
 
 
 def _load_kzg_trusted_setups(preset_name):
-    """
-    [TODO] it's not the final mainnet trusted setup.
-    We will update it after the KZG ceremony.
-    """
-    file_path = str(Path(__file__).parent) + '/presets/' + preset_name + '/trusted_setups/testing_trusted_setups.json'
+    trusted_setups_file_path = str(Path(__file__).parent) + '/presets/' + preset_name + '/trusted_setups/trusted_setup_4096.json'
 
-    with open(file_path, 'r') as f:
+    with open(trusted_setups_file_path, 'r') as f:
         json_data = json.load(f)
+        trusted_setup_G1_lagrange = json_data['g1_lagrange']
+        trusted_setup_G2_monomial = json_data['g2_monomial']
 
-    trusted_setup_G1 = json_data['setup_G1']
-    trusted_setup_G2 = json_data['setup_G2']
-    trusted_setup_G1_lagrange = json_data['setup_G1_lagrange']
-    roots_of_unity = json_data['roots_of_unity']
-
-    return trusted_setup_G1, trusted_setup_G2, trusted_setup_G1_lagrange, roots_of_unity
+    return trusted_setup_G2_monomial, trusted_setup_G1_lagrange
 
 
 ALL_KZG_SETUPS = {
@@ -158,10 +151,8 @@ def _parse_value(name: str, typed_value: str, type_hint: Optional[str] = None) -
 def _update_constant_vars_with_kzg_setups(constant_vars, preset_name):
     comment = "noqa: E501"
     kzg_setups = ALL_KZG_SETUPS[preset_name]
-    constant_vars['KZG_SETUP_G1'] = VariableDefinition(constant_vars['KZG_SETUP_G1'].value, str(kzg_setups[0]), comment, None)
-    constant_vars['KZG_SETUP_G2'] = VariableDefinition(constant_vars['KZG_SETUP_G2'].value, str(kzg_setups[1]), comment, None)
-    constant_vars['KZG_SETUP_LAGRANGE'] = VariableDefinition(constant_vars['KZG_SETUP_LAGRANGE'].value, str(kzg_setups[2]), comment, None)
-    constant_vars['ROOTS_OF_UNITY'] = VariableDefinition(constant_vars['ROOTS_OF_UNITY'].value, str(kzg_setups[3]), comment, None)
+    constant_vars['KZG_SETUP_G2_MONOMIAL'] = VariableDefinition(constant_vars['KZG_SETUP_G2_MONOMIAL'].value, str(kzg_setups[0]), comment, None)
+    constant_vars['KZG_SETUP_G1_LAGRANGE'] = VariableDefinition(constant_vars['KZG_SETUP_G1_LAGRANGE'].value, str(kzg_setups[1]), comment, None)
 
 
 def get_spec(file_name: Path, preset: Dict[str, str], config: Dict[str, str], preset_name=str) -> SpecObject:

specs/deneb/polynomial-commitments.md

@@ -11,7 +11,6 @@
 - [Constants](#constants)
 - [Preset](#preset)
   - [Blob](#blob)
-  - [Crypto](#crypto)
   - [Trusted setup](#trusted-setup)
 - [Helper functions](#helper-functions)
   - [Bit-reversal permutation](#bit-reversal-permutation)
@@ -30,6 +29,7 @@
     - [`div`](#div)
     - [`g1_lincomb`](#g1_lincomb)
     - [`compute_powers`](#compute_powers)
+    - [`compute_roots_of_unity`](#compute_roots_of_unity)
   - [Polynomials](#polynomials)
     - [`evaluate_polynomial_in_evaluation_form`](#evaluate_polynomial_in_evaluation_form)
   - [KZG](#kzg)
@@ -78,7 +78,7 @@ Public functions MUST accept raw bytes as input and perform the required cryptog
 | `BYTES_PER_BLOB` | `uint64(BYTES_PER_FIELD_ELEMENT * FIELD_ELEMENTS_PER_BLOB)` | The number of bytes in a blob |
 | `G1_POINT_AT_INFINITY` | `Bytes48(b'\xc0' + b'\x00' * 47)` | Serialized form of the point at infinity on the G1 group |
 | `KZG_ENDIANNESS` | `'big'` | The endianness of the field elements including blobs |
-
+| `PRIMITIVE_ROOT_OF_UNITY` | `7` | Primitive root of unity of the BLS12_381 (inner) BLS_MODULUS |
 
 ## Preset
 
@@ -90,23 +90,13 @@ Public functions MUST accept raw bytes as input and perform the required cryptog
 | `FIAT_SHAMIR_PROTOCOL_DOMAIN` | `b'FSBLOBVERIFY_V1_'` |
 | `RANDOM_CHALLENGE_KZG_BATCH_DOMAIN` | `b'RCKZGBATCH___V1_'` |
 
-### Crypto
-
-| Name | Value | Notes |
-| - | - | - |
-| `ROOTS_OF_UNITY` | `Vector[BLSFieldElement, FIELD_ELEMENTS_PER_BLOB]` | Roots of unity of order FIELD_ELEMENTS_PER_BLOB over the BLS12-381 field |
-
 ### Trusted setup
 
-The trusted setup is part of the preset: during testing a `minimal` insecure variant may be used,
-but reusing the `mainnet` settings in public networks is a critical security requirement.
-
 | Name | Value |
 | - | - |
 | `KZG_SETUP_G2_LENGTH` | `65` |
-| `KZG_SETUP_G1` | `Vector[G1Point, FIELD_ELEMENTS_PER_BLOB]`, contents TBD |
-| `KZG_SETUP_G2` | `Vector[G2Point, KZG_SETUP_G2_LENGTH]`, contents TBD |
-| `KZG_SETUP_LAGRANGE` | `Vector[G1Point, FIELD_ELEMENTS_PER_BLOB]`, contents TBD |
+| `KZG_SETUP_G2_MONOMIAL` | `Vector[G2Point, KZG_SETUP_G2_LENGTH]` |
+| `KZG_SETUP_G1_LAGRANGE` | `Vector[G1Point, FIELD_ELEMENTS_PER_BLOB]` |
 
 ## Helper functions
 
@@ -114,7 +104,7 @@ but reusing the `mainnet` settings in public networks is a critical security req
 
 All polynomials (which are always given in Lagrange form) should be interpreted as being in
 bit-reversal permutation. In practice, clients can implement this by storing the lists
-`KZG_SETUP_LAGRANGE` and `ROOTS_OF_UNITY` in bit-reversal permutation, so these functions only
+`KZG_SETUP_G1_LAGRANGE` and roots of unity in bit-reversal permutation, so these functions only
 have to be called once at startup.
 
 #### `is_power_of_two`
@@ -299,6 +289,17 @@ def compute_powers(x: BLSFieldElement, n: uint64) -> Sequence[BLSFieldElement]:
     return powers
 ```
 
+#### `compute_roots_of_unity`
+
+```python
+def compute_roots_of_unity(order: uint64) -> Sequence[BLSFieldElement]:
+    """
+    Return roots of unity of ``order``.
+    """
+    assert (BLS_MODULUS - 1) % int(order) == 0
+    root_of_unity = BLSFieldElement(pow(PRIMITIVE_ROOT_OF_UNITY, (BLS_MODULUS - 1) // int(order), BLS_MODULUS))
+    return compute_powers(root_of_unity, order)
+```
 
 ### Polynomials
 
@@ -318,7 +319,7 @@ def evaluate_polynomial_in_evaluation_form(polynomial: Polynomial,
     assert width == FIELD_ELEMENTS_PER_BLOB
     inverse_width = bls_modular_inverse(BLSFieldElement(width))
 
-    roots_of_unity_brp = bit_reversal_permutation(ROOTS_OF_UNITY)
+    roots_of_unity_brp = bit_reversal_permutation(compute_roots_of_unity(FIELD_ELEMENTS_PER_BLOB))
 
     # If we are asked to evaluate within the domain, we already know the answer
     if z in roots_of_unity_brp:
@@ -346,7 +347,7 @@ def blob_to_kzg_commitment(blob: Blob) -> KZGCommitment:
     Public method.
     """
     assert len(blob) == BYTES_PER_BLOB
-    return g1_lincomb(bit_reversal_permutation(KZG_SETUP_LAGRANGE), blob_to_polynomial(blob))
+    return g1_lincomb(bit_reversal_permutation(KZG_SETUP_G1_LAGRANGE), blob_to_polynomial(blob))
 ```
 
 #### `verify_kzg_proof`
@@ -384,7 +385,10 @@ def verify_kzg_proof_impl(commitment: KZGCommitment,
     Verify KZG proof that ``p(z) == y`` where ``p(z)`` is the polynomial represented by ``polynomial_kzg``.
     """
     # Verify: P - y = Q * (X - z)
-    X_minus_z = bls.add(bls.bytes96_to_G2(KZG_SETUP_G2[1]), bls.multiply(bls.G2(), (BLS_MODULUS - z) % BLS_MODULUS))
+    X_minus_z = bls.add(
+        bls.bytes96_to_G2(KZG_SETUP_G2_MONOMIAL[1]),
+        bls.multiply(bls.G2(), (BLS_MODULUS - z) % BLS_MODULUS),
+    )
     P_minus_y = bls.add(bls.bytes48_to_G1(commitment), bls.multiply(bls.G1(), (BLS_MODULUS - y) % BLS_MODULUS))
     return bls.pairing_check([
         [P_minus_y, bls.neg(bls.G2())],
@@ -434,7 +438,7 @@ def verify_kzg_proof_batch(commitments: Sequence[KZGCommitment],
     C_minus_y_lincomb = g1_lincomb(C_minus_y_as_KZGCommitments, r_powers)
     
     return bls.pairing_check([
-        [bls.bytes48_to_G1(proof_lincomb), bls.neg(bls.bytes96_to_G2(KZG_SETUP_G2[1]))],
+        [bls.bytes48_to_G1(proof_lincomb), bls.neg(bls.bytes96_to_G2(KZG_SETUP_G2_MONOMIAL[1]))],
         [bls.add(bls.bytes48_to_G1(C_minus_y_lincomb), bls.bytes48_to_G1(proof_z_lincomb)), bls.G2()]
     ])
 ```
@@ -464,12 +468,12 @@ def compute_quotient_eval_within_domain(z: BLSFieldElement,
                                         ) -> BLSFieldElement:
     """
     Given `y == p(z)` for a polynomial `p(x)`, compute `q(z)`: the KZG quotient polynomial evaluated at `z` for the
-    special case where `z` is in `ROOTS_OF_UNITY`.
+    special case where `z` is in roots of unity.
 
     For more details, read https://dankradfeist.de/ethereum/2021/06/18/pcs-multiproofs.html section "Dividing
     when one of the points is zero". The code below computes q(x_m) for the roots of unity special case.
     """
-    roots_of_unity_brp = bit_reversal_permutation(ROOTS_OF_UNITY)
+    roots_of_unity_brp = bit_reversal_permutation(compute_roots_of_unity(FIELD_ELEMENTS_PER_BLOB))
     result = 0
     for i, omega_i in enumerate(roots_of_unity_brp):
         if omega_i == z:  # skip the evaluation point in the sum
@@ -490,7 +494,7 @@ def compute_kzg_proof_impl(polynomial: Polynomial, z: BLSFieldElement) -> Tuple[
     """
     Helper function for `compute_kzg_proof()` and `compute_blob_kzg_proof()`.
     """
-    roots_of_unity_brp = bit_reversal_permutation(ROOTS_OF_UNITY)
+    roots_of_unity_brp = bit_reversal_permutation(compute_roots_of_unity(FIELD_ELEMENTS_PER_BLOB))
 
     # For all x_i, compute p(x_i) - p(z)
     y = evaluate_polynomial_in_evaluation_form(polynomial, z)
@@ -510,7 +514,7 @@ def compute_kzg_proof_impl(polynomial: Polynomial, z: BLSFieldElement) -> Tuple[
             # Compute: q(x_i) = (p(x_i) - p(z)) / (x_i - z).
             quotient_polynomial[i] = div(a, b)
 
-    return KZGProof(g1_lincomb(bit_reversal_permutation(KZG_SETUP_LAGRANGE), quotient_polynomial)), y
+    return KZGProof(g1_lincomb(bit_reversal_permutation(KZG_SETUP_G1_LAGRANGE), quotient_polynomial)), y
 ```
 
 #### `compute_blob_kzg_proof`

tests/core/pyspec/eth2spec/test/deneb/unittests/polynomial_commitments/test_polynomial_commitments.py

@@ -113,7 +113,7 @@ def test_barycentric_outside_domain(spec):
     """
     rng = random.Random(5566)
     poly_coeff, poly_eval = get_poly_in_both_forms(spec)
-    roots_of_unity_brp = spec.bit_reversal_permutation(spec.ROOTS_OF_UNITY)
+    roots_of_unity_brp = spec.bit_reversal_permutation(spec.compute_roots_of_unity(spec.FIELD_ELEMENTS_PER_BLOB))
 
     assert len(poly_coeff) == len(poly_eval) == len(roots_of_unity_brp)
     n_samples = 12
@@ -139,20 +139,22 @@ def test_barycentric_outside_domain(spec):
 @single_phase
 def test_barycentric_within_domain(spec):
     """
-    Test barycentric formula correctness by using it to evaluate a polynomial at all the points of its domain
+    Test barycentric formula correctness by using it to evaluate a polynomial at various points inside its domain
     (the roots of unity).
 
     Then make sure that we would get the same result if we evaluated it from coefficient form without using the
     barycentric formula
     """
+    rng = random.Random(5566)
     poly_coeff, poly_eval = get_poly_in_both_forms(spec)
-    roots_of_unity_brp = spec.bit_reversal_permutation(spec.ROOTS_OF_UNITY)
+    roots_of_unity_brp = spec.bit_reversal_permutation(spec.compute_roots_of_unity(spec.FIELD_ELEMENTS_PER_BLOB))
 
     assert len(poly_coeff) == len(poly_eval) == len(roots_of_unity_brp)
     n = len(poly_coeff)
 
-    # Iterate over the entire domain
-    for i in range(n):
+    # Iterate over some roots of unity
+    for i in range(12):
+        i = rng.randint(0, n - 1)
         # Grab a root of unity and use it as the evaluation point
         z = int(roots_of_unity_brp[i])
 
@@ -175,15 +177,17 @@ def test_compute_kzg_proof_within_domain(spec):
     Create and verify KZG proof that p(z) == y
     where z is in the domain of our KZG scheme (i.e. a relevant root of unity).
     """
+    rng = random.Random(5566)
     blob = get_sample_blob(spec)
     commitment = spec.blob_to_kzg_commitment(blob)
     polynomial = spec.blob_to_polynomial(blob)
 
-    roots_of_unity_brp = spec.bit_reversal_permutation(spec.ROOTS_OF_UNITY)
+    roots_of_unity_brp = spec.bit_reversal_permutation(spec.compute_roots_of_unity(spec.FIELD_ELEMENTS_PER_BLOB))
 
-    for i, z in enumerate(roots_of_unity_brp):
+    # Let's test some roots of unity
+    for _ in range(6):
+        z = rng.choice(roots_of_unity_brp)
         proof, y = spec.compute_kzg_proof_impl(polynomial, z)
-
         assert spec.verify_kzg_proof_impl(commitment, z, y, proof)
 
 

tests/core/pyspec/eth2spec/test/helpers/sharding.py

@@ -80,7 +80,7 @@ def get_poly_in_both_forms(spec, rng=None):
     if rng is None:
         rng = random.Random(5566)
 
-    roots_of_unity_brp = spec.bit_reversal_permutation(spec.ROOTS_OF_UNITY)
+    roots_of_unity_brp = spec.bit_reversal_permutation(spec.compute_roots_of_unity(spec.FIELD_ELEMENTS_PER_BLOB))
 
     coeffs = [
         rng.randint(0, spec.BLS_MODULUS - 1)

tests/core/pyspec/eth2spec/utils/bls.py

@@ -48,8 +48,8 @@ class fastest_bls:
 # Flag to make BLS active or not. Used for testing, do not ignore BLS in production unless you know what you are doing.
 bls_active = True
 
-# To change bls implementation, default to PyECC for correctness. Milagro is a good faster alternative.
-bls = py_ecc_bls
+# Default to fastest_bls
+bls = fastest_bls
 
 STUB_SIGNATURE = b'\x11' * 96
 STUB_PUBKEY = b'\x22' * 48

tests/generators/kzg_4844/main.py

@@ -89,7 +89,7 @@ FE_VALID2 = field_element_bytes(1)
 FE_VALID3 = field_element_bytes(2)
 FE_VALID4 = field_element_bytes(pow(5, 1235, spec.BLS_MODULUS))
 FE_VALID5 = field_element_bytes(spec.BLS_MODULUS - 1)
-FE_VALID6 = field_element_bytes(spec.ROOTS_OF_UNITY[1])
+FE_VALID6 = field_element_bytes(spec.compute_roots_of_unity(spec.FIELD_ELEMENTS_PER_BLOB)[1])
 VALID_FIELD_ELEMENTS = [FE_VALID1, FE_VALID2, FE_VALID3, FE_VALID4, FE_VALID5, FE_VALID6]
 
 FE_INVALID_EQUAL_TO_MODULUS = field_element_bytes_unchecked(spec.BLS_MODULUS)