feat: use aggregate_pubkey field when processing consensus update

- Use aggregate_pubkey to save on CPU-heavy key aggregation
- Use is_torsion_free method to verify G2 point more efficiently

Author: karen-sarkisyan

ethereum/consensus-core/src/consensus_core.rs

@@ -16,14 +16,14 @@ use crate::proof::{
     is_current_committee_proof_valid, is_execution_payload_proof_valid, is_finality_proof_valid,
     is_next_committee_proof_valid,
 };
-use crate::types::bls::{PublicKey, Signature};
+use crate::types::bls::Signature;
 use crate::types::{
     BeaconBlockHeader, Bootstrap, ExecutionPayloadHeader, FinalityUpdate, Forks, GenericUpdate,
     LightClientHeader, LightClientStore, OptimisticUpdate, Update,
 };
 use crate::utils::{
     calculate_fork_version, compute_committee_sign_root, compute_fork_data_root,
-    get_participating_keys,
+    get_participating_aggregate_pubkey,
 };
 
 pub fn verify_bootstrap<S: ConsensusSpec>(
@@ -343,12 +343,15 @@ pub fn verify_generic_update<S: ConsensusSpec>(
         store.next_sync_committee.as_ref().unwrap()
     };
 
-    let pks = get_participating_keys(sync_committee, &update.sync_aggregate.sync_committee_bits)?;
+    let agg_pk = get_participating_aggregate_pubkey(
+        sync_committee,
+        &update.sync_aggregate.sync_committee_bits,
+    )?;
 
     let fork_version = calculate_fork_version::<S>(forks, update.signature_slot.saturating_sub(1));
     let fork_data_root = compute_fork_data_root(fork_version, genesis_root);
     let is_valid_sig = verify_sync_committee_signature(
-        &pks,
+        &agg_pk,
         update.attested_header.beacon(),
         &update.sync_aggregate.sync_committee_signature,
         fork_data_root,
@@ -484,14 +487,14 @@ fn has_finality_update<S: ConsensusSpec>(update: &GenericUpdate<S>) -> bool {
 }
 
 fn verify_sync_committee_signature(
-    pks: &[PublicKey],
+    aggregate_public_key: &bls12_381::G1Affine,
     attested_header: &BeaconBlockHeader,
     signature: &Signature,
     fork_data_root: B256,
 ) -> bool {
     let header_root = attested_header.tree_hash_root();
     let signing_root = compute_committee_sign_root(header_root, fork_data_root);
-    signature.verify(signing_root.as_slice(), pks)
+    signature.verify_with_aggregate_pubkey(signing_root.as_slice(), aggregate_public_key)
 }
 
 fn safety_threshold<S: ConsensusSpec>(store: &LightClientStore<S>) -> u64 {

ethereum/consensus-core/src/types/bls.rs

@@ -1,6 +1,6 @@
 use bls12_381::{
     hash_to_curve::{ExpandMsgXmd, HashToCurve},
-    multi_miller_loop, G1Affine, G1Projective, G2Affine, G2Prepared, G2Projective, Gt, Scalar,
+    multi_miller_loop, G1Affine, G1Projective, G2Affine, G2Prepared, G2Projective, Gt,
 };
 use eyre::{eyre, Result};
 use serde::{Deserialize, Serialize};
@@ -24,7 +24,7 @@ pub struct Signature {
 }
 
 impl PublicKey {
-    fn point(&self) -> Result<G1Affine> {
+    pub(crate) fn point(&self) -> Result<G1Affine> {
         let bytes = self.inner.inner.to_vec();
         let bytes = bytes.as_slice().try_into()?;
         let point_opt = G1Affine::from_compressed(bytes);
@@ -60,20 +60,26 @@ impl Signature {
         } else {
             return false;
         };
+        verify_with_aggregate_pk(&sig_point, msg, &aggregate_public_key)
+    }
 
-        // Ensure AggregatePublicKey is not infinity
-        if aggregate_public_key.is_identity().into() {
+    pub fn verify_with_aggregate_pubkey(
+        &self,
+        msg: &[u8],
+        aggregate_public_key: &G1Affine,
+    ) -> bool {
+        let sig_point = if let Ok(point) = self.point() {
+            point
+        } else {
             return false;
-        }
-
-        // Points must be affine for pairing
-        let key_point = aggregate_public_key;
-        let msg_hash = G2Affine::from(hash_to_curve(msg));
+        };
 
-        let generator_g1_negative = G1Affine::from(-G1Projective::generator());
+        // Subgroup check for signature
+        if !subgroup_check_g2(&sig_point) {
+            return false;
+        }
 
-        // Faster ate2 evaluation checks e(S, -G1) * e(H, PK) == 1
-        ate2_evaluation(&sig_point, &generator_g1_negative, &msg_hash, &key_point)
+        verify_with_aggregate_pk(&sig_point, msg, aggregate_public_key)
     }
 
     fn point(&self) -> Result<G2Affine> {
@@ -102,12 +108,29 @@ fn aggregate(pks: &[PublicKey]) -> Result<G1Affine> {
     Ok(G1Affine::from(agg_key))
 }
 
+fn verify_with_aggregate_pk(
+    sig_point: &G2Affine,
+    msg: &[u8],
+    aggregate_public_key: &G1Affine,
+) -> bool {
+    // Ensure AggregatePublicKey is not infinity
+    if aggregate_public_key.is_identity().into() {
+        return false;
+    }
+
+    // Points must be affine for pairing
+    let key_point = *aggregate_public_key;
+    let msg_hash = G2Affine::from(hash_to_curve(msg));
+
+    let generator_g1_negative = G1Affine::from(-G1Projective::generator());
+
+    // Faster ate2 evaluation checks e(S, -G1) * e(H, PK) == 1
+    ate2_evaluation(sig_point, &generator_g1_negative, &msg_hash, &key_point)
+}
+
 /// Verifies a G2 point is in subgroup `r`.
 fn subgroup_check_g2(point: &G2Affine) -> bool {
-    const CURVE_ORDER: &str = "73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001";
-    let r = hex_to_scalar(CURVE_ORDER).unwrap();
-    let check = point * r;
-    check.is_identity().into()
+    point.is_torsion_free().into()
 }
 
 /// Evaluation of e(S, -G1) * e(H, PK) == 1
@@ -131,25 +154,3 @@ fn hash_to_curve(msg: &[u8]) -> G2Projective {
     const DST: &[u8] = b"BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_";
     <G2Projective as HashToCurve<ExpandMsgXmd<sha2::Sha256>>>::hash_to_curve(msg, DST)
 }
-
-/// Converts hex string to scalar
-fn hex_to_scalar(hex: &str) -> Option<Scalar> {
-    if hex.len() != 64 {
-        return None;
-    }
-
-    let mut raw = [0u64; 4];
-    for (i, chunk) in hex.as_bytes().chunks(16).enumerate().take(4) {
-        if let Ok(hex_chunk) = core::str::from_utf8(chunk) {
-            if let Ok(value) = u64::from_str_radix(hex_chunk, 16) {
-                raw[3 - i] = value.to_le();
-            } else {
-                return None;
-            }
-        } else {
-            return None;
-        }
-    }
-
-    Some(Scalar::from_raw(raw))
-}

ethereum/consensus-core/src/utils.rs

@@ -6,8 +6,9 @@ use tree_hash_derive::TreeHash;
 
 use crate::{
     consensus_spec::ConsensusSpec,
-    types::{bls::PublicKey, Forks, SyncCommittee},
+    types::{Forks, SyncCommittee},
 };
+use bls12_381::{G1Affine, G1Projective};
 
 pub fn compute_committee_sign_root(header: B256, fork_data_root: B256) -> B256 {
     let domain_type = [7, 00, 00, 00];
@@ -52,20 +53,35 @@ pub fn compute_fork_data_root(
     fork_data.tree_hash_root()
 }
 
-pub fn get_participating_keys<S: ConsensusSpec>(
+/// Computes the aggregate public key for the participating members of the sync committee.
+/// with given participation bitfield and committee aggregate public key.
+pub fn get_participating_aggregate_pubkey<S: ConsensusSpec>(
     committee: &SyncCommittee<S>,
     bitfield: &BitVector<S::SyncCommitteeSize>,
-) -> Result<Vec<PublicKey>> {
-    let mut pks: Vec<PublicKey> = Vec::new();
+) -> Result<G1Affine> {
+    let total = bitfield.len();
+    let participating = bitfield.iter().filter(|b| *b).count();
+    if participating == 0 {
+        return Err(eyre::eyre!("no participating keys"));
+    }
 
-    bitfield.iter().enumerate().for_each(|(i, bit)| {
-        if bit {
-            let pk = committee.pubkeys[i].clone();
-            pks.push(pk);
+    if participating > total / 2 {
+        let mut agg = G1Projective::from(committee.aggregate_pubkey.point()?);
+        for (i, bit) in bitfield.iter().enumerate() {
+            if !bit {
+                agg -= G1Projective::from(committee.pubkeys[i].point()?);
+            }
         }
-    });
-
-    Ok(pks)
+        Ok(G1Affine::from(agg))
+    } else {
+        let mut agg = G1Projective::identity();
+        for (i, bit) in bitfield.iter().enumerate() {
+            if bit {
+                agg += G1Projective::from(committee.pubkeys[i].point()?);
+            }
+        }
+        Ok(G1Affine::from(agg))
+    }
 }
 
 fn compute_signing_root(object_root: B256, domain: B256) -> B256 {