Replace redundant BLS in QBFT with RSA

[MatheusFranco99]

Overview

This PR adds an RSA check in the Validator.ProcessMessage function and drops redundant BLS signature checks in QBFT.

Changes

• QBFT: Drop redundant checks for Proposal, Prepare, Commit and Round-Change messages
• QBFT: Keep checks for message justification and decided messages
• QBFT: Add a check to ensure that the signers belong to the committee
• Operator: Add SSV PublicKey
• Validator: Change the ProcessMessage function signature to receive SignedSSVMessage instead of SSVMessage and add an RSA signature check

Improvement

New total duty time per number of consensus rounds.

1 Round	2 Rounds	3 Rounds
67%	70%	71%

New consensus n-th round time.

1st Round	2nd Round	3rd Round
21%	73%	73%

[GalRogozinski]

nice! just wondering if MsgValidation also takes care of it?

[MatheusFranco99]

I think it does. But I'm leaving it here because spec doesn't know and it's a light check

[y0sher]

I think we should NEVER assume something happens in msg validation hence we don't need to take care in consensus.

[GalRogozinski]

just from sw engineering point of view
shouldn't we have some baseValidation that keeps on calling this

so we never forget to add this?
because it repeats itself

[MatheusFranco99]

I think we should totally do that. Not only for this check but for many others such as height, msg.Validate(), etc. Since it would require some bigger refactoring, let's do it in a future PR? Just so we can dispatch this to implementation as soon as possible and as simple as possible.

[GalRogozinski]

Approved but you can still fix my comment

[moshe-blox]

switch to dontVerifySignature?

[moshe-blox]

on another thought, maybe we should go for the validateX() and validateXNoVerify() pattern?

[MatheusFranco99]

Agree

[moshe-blox]

if we go for the NoVerify suffix pattern, validateCommit could be validateCommitNoVerify to be explicit

[MatheusFranco99]

Agree

[moshe-blox]

Let's merge this after #345 is on main

[olegshmuelov]

the config is not used here anymore, should we delete it?

[MatheusFranco99]

Indeed. I'll remove it. Thanks

[GalRogozinski]

I just wonder if other readers know that "verification" we mean signatures...
I barely know this 😅

Maybe "IgnoreSignature" is better?

[GalRogozinski]

I decided to finally put an end to my questioning of the usages between the 2 terms and googled this:
https://www.connect2id.com/blog/validate-vs-verify-in-the-context-of-cryptography

TLDR: "verify" is the correct word in term of cryptography but "the Internet security community sometimes uses these two terms inconsistently"...

So I think "IgnoreSignature" is better because it won't confuse anyone

[MatheusFranco99]

Yeah. "IgnoreSignature" is more clear. I'll update it. Thanks!

[olegshmuelov]

the config is not used here anymore, should we delete it?

[MatheusFranco99]

Indeed. I'll remove it. Thanks

[olegshmuelov]

just to understand, it was a bug that we validated only the inner message?

[MatheusFranco99]

I think so

[olegshmuelov]

if so, we have to add a test for message signers is empty, non unique signer & signer ID 0 not allowed

[MatheusFranco99]

Yup, adding these tests.
Btw, the previous version couldn't produce any errors because, even though it should be signedMsg.Validate() and not signedMsg.Message.Validate(), the other checks were also verifying the conditions. But, of course, still better to call signedMsg.Validate()

[GalRogozinski]

It wasn't a bug that we only called the inner check..
It is actually a duplicate call as a shrewed dev once noticed in #326

[MatheusFranco99]

It is not a bug, but all other base validation functions for the other message types call validate on the upper message, and this is the only inconsistent one. Even though, all of these calls are indeed duplicated 😅

[olegshmuelov]

one more cleanup can be done here
to not pass the config to validateCommit

[olegshmuelov]

since #342 was merged already

can we fix small issue in the current pr?

[GalRogozinski]

since #342 was merged already

can we fix small issue in the current pr?

This PR doesn't change runner at all...
Maybe in a subsequent PR when we change runner

[olegshmuelov]

since #342 was merged already
can we fix small issue in the current pr?

This PR doesn't change runner at all... Maybe in a subsequent PR when we change runner

created an issue
#376

[GalRogozinski]

why?

[MatheusFranco99]

The lack of it randomly produces errors around tests

[GalRogozinski]

do we have many different instances with different keys?

if not maybe singleton is better?

[MatheusFranco99]

This is the singleton

[GalRogozinski]

nit:
you can also rename the function

[MatheusFranco99]

Yes, better. Thanks

[GalRogozinski]

does runner use the signer?
in the end we use the network to sign it

[MatheusFranco99]

Indeed. Removing it. Thanks!

[moshe-blox]

this should probably be just ShareSigner like below, and the same for method names

tbh im not sure that we even need the word 'SSV' in the structs, but it's not too bad, lmk what you think @GalRogozinski @MatheusFranco99

[MatheusFranco99]

I agree the word SSV here is redundant. I'll remove it, thx

[y0sher]

I don't want to nit pick on the naming, but WithVerification and IgnoreSignature don't sound related to each other when and fact the functionality should be identical with one difference.
I would go with either WithVerification and NoVerification
or IgnoreSignature and WithSignature/VerifySignature
but leaving it like now is a bit confusing imo

[MatheusFranco99]

Definitely. Forgot about that. Thanks!

[y0sher]

These (Add/Remove) methods are redundant, don't make us satisfy this interface (😆); There is always just a single operator key per instance, so there's never a need to add and remove them.

[y0sher]

some small stuff.

[moshe-blox]

we should probably decode after verifying

[MatheusFranco99]

Agree. Thanks!

[moshe-blox]

is there a reason to not require the expected length of RSA signatures, or is that not the right place to do so, or not the right assumption for the spec to make?

[MatheusFranco99]

Actually, in the beginning, I wanted to let it open. But I've also added the custom decoding function to be used by implementation that sets it to 256 bytes

signatureSize = 256
signature := encoded[signatureOffset : signatureOffset+signatureSize]

I have no opinion right now on whether we should check it here or leave the current check. 🤔

[moshe-blox]

@GalRogozinski any reason why we shouldn't check that len(sig) == signatureSize in spec?

[GalRogozinski]

When you decode the data from pubsub you create a byte array of the expected length
maybe change SignedMessage to have Signature [256]byte

btw @MatheusFranco99 I remember we said the encoded length of the sig we use is actually greater correct?

[MatheusFranco99]

Ok, I'll change it to 256 bytes
This was about an encoded key. For the signature, it's indeed 256

[GalRogozinski]

just final nits and that's it

[GalRogozinski]

heads up for KeyManager...
I think it should be removed either in this PR or the next one (imo do it the next one so we can close this one quickly)

there can still be a KeyManager struct in tests or impl that simply implements them both

[MatheusFranco99]

Yes, other PR

[GalRogozinski]

do we have many different instances with different keys?

if not maybe singleton is better?

[GalRogozinski]

do you see value to keep this file here for now?
if no, you may delete it

[GalRogozinski]

doesn't have to be in this PR and not a blocker

[MatheusFranco99]

Future PR

[GalRogozinski]

change network to operator on all tests I think

[y0sher]

Q: are we signing rsa in consensus ? If we are verifying the we should probably also sign.

[GalRogozinski]

Q: are we signing rsa in consensus ? If we are verifying the we should probably also sign.

In spec we sign in validator.go
In impl from my POV you should sign where you pass all spec tests