Commit
Safrole tickets context and Ring commitment (gavofyork#13)
* Nitpicks

* Fix ring root set

* Ticket generation signing context is required to be equal to the primary sealing context to generate the same output

* Fix KZG commitment size

* Fill the dots

* Update safrole.tex

* Update safrole.tex

* Update safrole.tex

---------

Co-authored-by: Gavin Wood <[email protected]>
davxy and gavofyork authored Jun 19, 2024
1 parent 30c82f7 commit 64d660c
Showing 4 changed files with 10 additions and 14 deletions.
2 changes: 1 addition & 1 deletion text/bandersnatch.tex
Expand Up @@ -12,7 +12,7 @@ \section{Bandersnatch Ring VRF}\label{sec:bandersnatch}
The singly-contextualized Bandersnatch Ring\textsc{vrf} proofs $\bandersnatch{r}{c}{m}$ are a zk-\textsc{snark}-enabled analogue utilizing the Pedersen \textsc{vrf}, also defined by \cite{hosseini2024bandersnatch} and further detailed by \cite{cryptoeprint:2023/002}.

\begin{align}
\mathcal{O}(\seq{\H_B}) \in \Y_R &\equiv ... \\
\mathcal{O}(\seq{\H_B}) \in \Y_R &\equiv \text{PCS\_commitment}(\seq{\H_B}) \\
\bandersnatch{r \in \Y_R}{c \in \H}{m \in \Y} \subset \Y_{784} &\equiv \{ x \mid x \in \Y_{784}, \text{verify}(r, c, m, \text{decode}(x_{:32}), \text{decode}(x_{32:})) = \top \} \\
\banderout{p \in \bandersnatch{r}{c}{m}} \in \H &\equiv \text{hashed\_output}(\text{decode}(x_{:32}) \mid x \in \bandersnatch{r}{c}{m})
\end{align}
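Review bot: `\text{PCS\_commitment}` on the new right-hand side of the first equation is used without being defined or cited anywhere in this hunk; add a sentence (or a citation next to \cite{hosseini2024bandersnatch}) naming the polynomial commitment scheme and its serialization so that the 144-octet bound placed on $\Y_R$ elsewhere in this commit can be checked against it. Separately, the last equation binds $p$ on the left-hand side but the right-hand side ranges over $x$; either rename to $p$ or drop the binder.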
8 changes: 3 additions & 5 deletions text/definitions.tex
Expand Up @@ -45,7 +45,6 @@ \subsubsection{Custom Notation}
\begin{description}
\item[$\H_B$] The set of Bandersnatch public keys. A subset of $\Y_{32}$. See section \ref{sec:cryptography} and appendix \ref{sec:bandersnatch}.
\item[$\H_E$] The set of Ed25519 public keys. A subset of $\Y_{32}$. See section \ref{sec:signing}.
\item[$\Y_R$] The set of Bandersnatch ring roots. A subset of $\Y_{32}$. See section \ref{sec:cryptography} and appendix \ref{sec:bandersnatch}.
\end{description}
\item[$\mathbb{I}$] The set of work items. See equation \ref{eq:workitem}.
\item[$\mathbb{J}$] The set of work execution errors.
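Review bot: With the $\Y_R$ entry dropped, the remaining entries of this sub-list ($\H_B$, $\H_E$) are both subsets of $\Y_{32}$, so the list now keeps the implicit invariant that everything under $\H$ is hash-sized; consider stating that invariant in the $\H$ item itself so a non-32-octet set is not added here again by mistake. The ring-root entry survives under $\Y$ in the next hunk, with the same cross-references, so nothing is lost.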
Expand All @@ -64,7 +63,7 @@ \subsubsection{Custom Notation}
\item[$\Y$] The set of octet strings/``blobs''. Subscript denotes length. See section \ref{sec:sequences}.
\begin{description}
\item[$\Y_{BLS}$] The set of BLS public keys. A subset of $\Y_{144}$. See section \ref{sec:signing}.
\item[$\Y_R$] The set of Bandersnatch ring roots. A subset of $\Y_{196608}$. See section \ref{sec:cryptography} and appendix \ref{sec:bandersnatch}.
\item[$\Y_R$] The set of Bandersnatch ring roots. A subset of $\Y_{144}$. See section \ref{sec:cryptography} and appendix \ref{sec:bandersnatch}.
\end{description}
\end{description}

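Review bot: The corrected bound $\Y_{144}$ on the `\item[$\Y_R$]` line is given without any derivation, and the previous value (196608) was off by a large factor, which shows the constant is easy to get wrong; add to appendix \ref{sec:bandersnatch} a statement of what the 144 octets encode (how many commitment points and in which encoding) so that implementers can verify their serialization rather than trust the number. Note also that $\Y_{BLS}$ directly above is the same length, so a reader scanning sizes alone can confuse the two.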
Expand Down Expand Up @@ -281,9 +280,8 @@ \subsubsection{Signing Contexts}
\item[$\mathsf{X}_F = \token{\$jam\_fallback\_seal}$] \emph{Bandersnatch} Fallback block seal.
\item[$\mathsf{X}_G = \token{\$jam\_guarantee}$] \emph{Ed25519} Guarantee statements.
\item[$\mathsf{X}_I = \token{\$jam\_announce}$] \emph{Ed25519} Audit announcement statements.
\item[$\mathsf{X}_S = \token{\$jam\_seal}$] \emph{Bandersnatch} Regular block seal.
\item[$\mathsf{X}_T = \token{\$jam\_ticket}$] \emph{Bandersnatch Ring\textsc{vrf}} Ticket generation.
\item[$\mathsf{X}_T = \token{\$jam\_ticket\_seal}$] \emph{Bandersnatch Ring\textsc{vrf}} Ticket generation and regular block seal.
\item[$\mathsf{X}_U = \token{\$jam\_audit}$] \emph{Bandersnatch} Audit selection entropy.
\item[$\mathsf{X}_\top = \token{\$jam\_valid}$] \emph{Ed25519} Judgements for valid work-reports.
\item[$\mathsf{X}_\bot = \token{\$jam\_invalid}$] \emph{Ed25519} Judgements for invalid work-reports.
\end{description}
\end{description}
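Review bot: Merging $\mathsf{X}_S$ into $\mathsf{X}_T = \token{\$jam\_ticket\_seal}$ deliberately reuses one signing context for ticket generation and the regular seal, which is what makes the ticket identity and the seal's VRF output coincide (the VRF output depends on the context but not on the message, per notation.tex); since this list is where readers learn the domain-separation rules, the entry should say explicitly that the sharing is intentional and that $\mathsf{X}_T$ must not be reused for any further purpose, because any other Bandersnatch signature made under the same context bytes would reproduce the same VRF output. Also confirm no remaining text references $\mathsf{X}_S$; the safrole.tex hunks in this commit cover the two occurrences there.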
2 changes: 1 addition & 1 deletion text/notation.tex
Expand Up @@ -158,7 +158,7 @@ \subsubsection{Signing Schemes}\label{sec:signing}

We denote the set of valid Bandersnatch public keys as $\H_B$, defined in appendix \ref{sec:bandersnatch}. $\bandersig{k \in \H_B}{x \in \Y}{m \in \Y} \subset \Y_{96}$ is the set of valid singly-contextualized signatures of utilizing the secret counterpart to the public key $k$, some context $x$ and message $m$.

$\bandersnatch{r \in \Y_R}{x \in \Y}{m \in \Y} \subset \Y_{784}$, meanwhile, is the set of valid Bandersnatch Ring\textsc{vrf} deterministic singly-contextualized proofs of knowledge of a secret within some set of secrets identified by some root in the set of valid \emph{roots} $\Y_R \in \Y_{196608}$. We denote $\mathcal{O}(\mathbf{s} \in \seq{\H_B}) \in \Y_R$ to be the root specific to the set of public key counterparts $\mathbf{s}$. A root implies a specific set of Bandersnatch key pairs, knowledge of one of the secrets would imply being capable of making a unique, valid---and anonymous---proof of knowledge of a unique secret within the set.
$\bandersnatch{r \in \Y_R}{x \in \Y}{m \in \Y} \subset \Y_{784}$, meanwhile, is the set of valid Bandersnatch Ring\textsc{vrf} deterministic singly-contextualized proofs of knowledge of a secret within some set of secrets identified by some root in the set of valid \emph{roots} $\Y_R \subset \Y_{144}$. We denote $\mathcal{O}(\mathbf{s} \in \seq{\H_B}) \in \Y_R$ to be the root specific to the set of public key counterparts $\mathbf{s}$. A root implies a specific set of Bandersnatch key pairs, knowledge of one of the secrets would imply being capable of making a unique, valid---and anonymous---proof of knowledge of a unique secret within the set.

Both the Bandersnatch signature and Ring\textsc{vrf} proof strictly imply that a member utilized their secret key in combination with both the context $x$ and the message $m$; the difference is that the member is identified in the former and is anonymous in the latter. Furthermore, both define a \textsc{vrf} \emph{output}, a high entropy hash influenced by $x$ but not by $m$, formally denoted $\banderout{\bandersnatch{r}{x}{m}} \subset \H$ and $\banderout{\bandersig{k}{x}{m}} \subset \H$.

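Review bot: Changing $\Y_R \in \Y_{196608}$ to $\Y_R \subset \Y_{144}$ also fixes the relation symbol, since $\Y_R$ is a set of roots rather than a single blob; the same line still carries a comma splice in "key pairs, knowledge of one of the secrets", which should become a semicolon or "and knowledge". In the unchanged context above, "valid singly-contextualized signatures of utilizing the secret counterpart" has a stray "of".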
12 changes: 5 additions & 7 deletions text/safrole.tex
Expand Up @@ -8,11 +8,9 @@ \section{Block Production and Chain Growth}\label{sec:blockproduction}

Because of its tightly scoped role, the core of Safrole's state, $\gamma$, is independent of the rest of the protocol. It interacts with other portions of the protocol through $\iota$ and $\kappa$, the prospective and active sets of validator keys respectively; $\tau$, the most recent block's timeslot; and $\eta$, the entropy accumulator.

%The basis of the Safrole algorithm is to subdivide time following Genesis into fixed length \emph{epoch}s, and then each such epoch into a whole number of 600 ($\mathsf{E}$) \emph{timeslots} (aka \emph{slots}) of uniform length six seconds ($\mathsf{P}$). One epoch therefore equates to exactly one hour, with ten slots occuring per minute. -- ALREADY MENTIONED ABOVE?

The Safrole protocol generates, once per epoch, a sequence of $\mathsf{E}$ \emph{sealing keys}, one for each potential block within a whole epoch. Each block header includes its timeslot index $\mathbf{H}_t$ (the number of six-second periods since the \Jam Common Era began) and a valid seal signature $\mathbf{H}_s$, signed by the sealing key corresponding to the timeslot within the aforementioned sequence. Each sealing key is in fact a pseudonym for some validator which was agreed the privilege of authoring a block in the corresponding timeslot.

In order to generate this sequence of sealing keys, and in particular to do so without making public the correspondence relation between them and the validator set, we use a novel cryptographic structure known as a Ring\textsc{vrf}, utilizing the Bandersnatch curve. Bandersnatch Ring\textsc{vrf} allows for a proof to be provided which simultaneously guarantees the author controlled a key within a set (in our case validators), and secondly provides an output, an unbiasable deterministic hash giving us a secure verifiable random function (\textsc{vrf}) and as a means of determining which validators are able to author in which slots.
In order to generate this sequence of sealing keys in regular operation, and in particular to do so without making public the correspondence relation between them and the validator set, we use a novel cryptographic structure known as a Ring\textsc{vrf}, utilizing the Bandersnatch curve. Bandersnatch Ring\textsc{vrf} allows for a proof to be provided which simultaneously guarantees the author controlled a key within a set (in our case validators), and secondly provides an output, an unbiasable deterministic hash giving us a secure verifiable random function (\textsc{vrf}). This anonymous and secure random output is a \emph{ticket} and validators' tickets with the best score define the new sealing keys allowing the chosen validators to exercise their privilege and create a new block at the appropriate time.



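Review bot: The new sentence "validators' tickets with the best score define the new sealing keys" does not say what the score is or whether best means lowest or highest; since the ticket identity is defined later in this file as the VRF output hash, say here that the score is that hash and state the ordering used by the slot key sequence, or forward-reference the subsection that defines it. Minor: "in regular operation" is a useful addition given the fallback seal $\mathsf{X}_F$, and "secondly" now has no "firstly" to pair with.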
Expand Down Expand Up @@ -119,7 +117,7 @@ \subsection{Sealing and Entropy Accumulation}\label{sec:sealandentropy}
\label{eq:ticketconditiontrue}
\gamma'_\mathbf{s} \in \seq{\mathbb{C}} &\implies \left\{\,\begin{aligned}
&i_\mathbf{y} = \banderout{\mathbf{H}_s}\,,\\
&\mathbf{H}_s \in \bandersig{\mathbf{H}_a}{\mathsf{X}_S \concat \eta'_3 \doubleplus i_r}{\mathcal{E}_U(\mathbf{H})}\,,\\
&\mathbf{H}_s \in \bandersig{\mathbf{H}_a}{\mathsf{X}_T \concat \eta'_3 \doubleplus i_r}{\mathcal{E}_U(\mathbf{H})}\,,\\
&\mathbf{T} = 1
\end{aligned}\right.\\
\label{eq:ticketconditionfalse}
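Review bot: The seal is now signed under $\mathsf{X}_T \concat \eta'_3 \doubleplus i_r$ while the first line of the same case requires $i_\mathbf{y} = \banderout{\mathbf{H}_s}$; because the VRF output depends on the context and not on the message (notation.tex), that equality holds only if the ticket was generated under byte-identical context, i.e. the same $\mathsf{X}_T$, the same entropy value and the same encoding of the attempt index. The ticket-generation equation is not in this hunk, so add a cross-reference or a one-line remark here stating that the two contexts are identical by construction; otherwise an implementer has to discover the requirement by failing verification.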
Expand All @@ -131,7 +129,7 @@ \subsection{Sealing and Entropy Accumulation}\label{sec:sealandentropy}
\mathbf{H}_v &\in \bandersig{\mathbf{H}_a}{\mathsf{X}_E\frown \banderout{\mathbf{H}_s}}{[]} \\
\mathsf{X}_E &= \token{\$jam\_entropy}\\
\mathsf{X}_F &= \token{\$jam\_fallback\_seal}\\
\mathsf{X}_S &= \token{\$jam\_seal}
\mathsf{X}_T &= \token{\$jam\_ticket\_seal}
\end{align}

Sealing using the ticket is of greater security, and we utilize this knowledge when determining a candidate block on which to extend the chain, detailed in section \ref{sec:bestchain}. We thus note that the block was sealed under the regular security with the boolean marker $\mathbf{T}$. We define this only for the purpose of ease of later specification.
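Review bot: Replacing $\mathsf{X}_S = \token{\$jam\_seal}$ with $\mathsf{X}_T = \token{\$jam\_ticket\_seal}$ changes the context bytes of every regular seal signature and therefore its VRF output, so any implementation following the earlier text will fail verification against one following this one; that is a consensus-affecting change and deserves a clearer mention in the commit description than the "Nitpicks" heading suggests. The align now lists only $\mathsf{X}_E$, $\mathsf{X}_F$ and $\mathsf{X}_T$, which matches the updated list in definitions.tex.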
Expand Down Expand Up @@ -176,7 +174,7 @@ \subsection{The Slot Key Sequence}
\end{cases}
\end{align}

Here, we use $Z$ as the inside-out sequencer function, defined as follows:
Here, we use $Z$ as the outside-in sequencer function, defined as follows:
\begin{equation}
Z\colon\left\{\,\begin{aligned}
\seq{\mathbb{C}}_\mathsf{E} &\to \seq{\mathbb{C}}_\mathsf{E}\\
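Review bot: Renaming $Z$ from "inside-out" to "outside-in" on the prose line alone is only correct if the definition starting at `Z\colon` below actually takes elements from the two ends toward the middle; the case body is cut off in this hunk, so verify it agrees, and consider adding a one-line example (the first few outputs for a short input sequence) since the two names are easily confused.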
Expand Down Expand Up @@ -254,7 +252,7 @@ \subsection{The Extrinsic and Tickets}
\mathsf{K} &\when m' < \mathsf{Y} \\
0 &\otherwise
\end{cases}\\
\mathsf{X}_T &= \token{\$jam\_ticket}
\mathsf{X}_T &= \token{\$jam\_ticket\_seal}
\end{align}

We define $\mathbf{n}$ as the set of new tickets, with the ticket identity, a hash, defined as the output component of the Bandersnatch Ring\textsc{vrf} proof:
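Review bot: This is the second in-file definition of $\mathsf{X}_T$ (the first is in the sealing section above) and the third in the document counting definitions.tex; all three now read `\$jam\_ticket\_seal`, but duplicated literal definitions are exactly how `\$jam\_ticket` and `\$jam\_seal` drifted apart before this commit. Define each token once as a macro (or keep only the definitions.tex entry) and reference it here, so a future rename cannot leave a stale copy.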
