github.com/MetalBlockchain/metalgo@v1.11.9/vms/platformvm/warp/README.md

github.com/MetalBlockchain/metalgo@v1.11.9/vms/platformvm/warp/README.md (about)

     1  # Avalanche Warp Messaging
     2  
     3  Avalanche Warp Messaging (AWM) provides a primitive for cross-subnet communication on the Avalanche Network.
     4  
     5  The Avalanche P-Chain provides an index of every Subnet's validator set on the Avalanche Network, including the BLS public key of each validator (as of the [Banff Upgrade](https://github.com/ava-labs/avalanchego/releases/v1.9.0)). AWM utilizes the weighted validator sets stored on the P-Chain to build a cross-subnet communication protocol between any two Subnets on the Avalanche Network.
     6  
     7  Any Virtual Machine (VM) on Avalanche can integrate Avalanche Warp Messaging to send and receive messages across Avalanche Subnets.
     8  
     9  ## Background
    10  
    11  This README assumes familiarity with:
    12  
    13  - Avalanche P-Chain / [PlatformVM](../)
    14  - [ProposerVM](../../proposervm/README.md)
    15  - Basic familiarity with [BLS Multi-Signatures](https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html)
    16  
    17  ## BLS Multi-Signatures with Public-Key Aggregation
    18  
    19  Avalanche Warp Messaging utilizes BLS multi-signatures with public key aggregation in order to verify messages signed by another Subnet. When a validator joins a Subnet, the P-Chain records the validator's BLS public key and NodeID, as well as a proof of possession of the validator's BLS private key to defend against [rogue public-key attacks](https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html#mjx-eqn-eqaggsame).
    20  
    21  AWM utilizes the validator set's weights and public keys to verify that an aggregate signature has sufficient weight signing the message from the source Subnet.
    22  
    23  BLS provides a way to aggregate signatures off chain into a single signature that can be efficiently verified on chain.
    24  
    25  ## AWM Serialization
    26  
    27  Unsigned Message:
    28  ```
    29  +-----------------+----------+--------------------------+
    30  |      network_id :  uint32  |                 4 bytes  |
    31  +-----------------+----------+--------------------------+
    32  | source_chain_id : [32]byte |                32 bytes  |
    33  +-----------------+----------+--------------------------+
    34  |         payload :   []byte |       4 + size(payload)  |
    35  +-----------------+----------+--------------------------+
    36                               |  40 + size(payload) bytes|
    37                               +--------------------------+
    38  ```
    39  
    40  - `networkID` is the unique ID of an Avalanche Network (Mainnet/Testnet) and provides replay protection for BLS Signers across different Avalanche Networks
    41  - `sourceChainID` is the hash of the transaction that created the blockchain on the Avalanche P-Chain. It serves as the unique identifier for the blockchain across the Avalanche Network so that each blockchain can only sign a message with its own id.
    42  - `payload` provides an arbitrary byte array containing the contents of the message. VMs define their own message types to include in the `payload`
    43  
    44  
    45  BitSetSignature:
    46  ```
    47  +-----------+----------+---------------------------+
    48  |   type_id :   uint32 |                   4 bytes |
    49  +-----------+----------+---------------------------+
    50  |   signers :   []byte |          4 + len(signers) |
    51  +-----------+----------+---------------------------+
    52  | signature : [96]byte |                  96 bytes |
    53  +-----------+----------+---------------------------+
    54                         | 104 + size(signers) bytes |
    55                         +---------------------------+
    56  ```
    57  
    58  - `typeID` is the ID of this signature type, which is `0x00000000`
    59  - `signers` encodes a bitset of which validators' signatures are included (a bitset is a byte array where each bit indicates membership of the element at that index in the set)
    60  - `signature` is an aggregated BLS Multi-Signature of the Unsigned Message
    61  
    62  BitSetSignatures are verified within the context of a specific P-Chain height. At any given P-Chain height, the PlatformVM serves a canonically ordered validator set for the source subnet (validator set is ordered lexicographically by the BLS public key's byte representation). The `signers` bitset encodes which validator signatures were included. A value of `1` at index `i` in `signers` bitset indicates that a corresponding signature from the same validator at index `i` in the canonical validator set was included in the aggregate signature.
    63  
    64  The bitset tells the verifier which BLS public keys should be aggregated to verify the warp message.
    65  
    66  Signed Message:
    67  ```
    68  +------------------+------------------+-------------------------------------------------+
    69  | unsigned_message :  UnsignedMessage |                          size(unsigned_message) |
    70  +------------------+------------------+-------------------------------------------------+
    71  |        signature :        Signature |                                 size(signature) |
    72  +------------------+------------------+-------------------------------------------------+
    73                                        |  size(unsigned_message) + size(signature) bytes |
    74                                        +-------------------------------------------------+
    75  ```
    76  
    77  ## Sending an Avalanche Warp Message
    78  
    79  A blockchain on Avalanche sends an Avalanche Warp Message by coming to agreement on the message that every validator should be willing to sign. As an example, the VM of a blockchain may define that once a block is accepted, the VM should be willing to sign a message including the block hash in the payload to attest to any other Subnet that the block was accepted. The contents of the payload, how to aggregate the signature (VM-to-VM communication, off-chain relayer, etc.), is left to the VM.
    80  
    81  Once the validator set of a blockchain is willing to sign an arbitrary message `M`, an aggregator performs the following process:
    82  
    83  1. Gather signatures of the message `M` from `N` validators (where the `N` validators meet the required threshold of stake on the destination chain)
    84  2. Aggregate the `N` signatures into a multi-signature
    85  3. Look up the canonical validator set at the P-Chain height where the message will be verified
    86  4. Encode the selection of the `N` validators included in the signature in a bitset
    87  5. Construct the signed message from the aggregate signature, bitset, and original unsigned message
    88  
    89  ## Verifying / Receiving an Avalanche Warp Message
    90  
    91  Avalanache Warp Messages are verified within the context of a specific P-Chain height included in the [ProposerVM](../../proposervm/README.md)'s header. The P-Chain height is provided as context to the underlying VM when verifying the underlying VM's blocks (implemented by the optional interface [WithVerifyContext](../../../snow/engine/snowman/block/block_context_vm.go)).
    92  
    93  To verify the message, the underlying VM utilizes this `warp` package to perform the following steps:
    94  
    95  1. Lookup the canonical validator set of the Subnet sending the message at the P-Chain height
    96  2. Filter the canonical validator set to only the validators claimed by the signature
    97  3. Verify the weight of the included validators meets the required threshold defined by the receiving VM
    98  4. Aggregate the public keys of the claimed validators into a single aggregate public key
    99  5. Verify the aggregate signature of the unsigned message against the aggregate public key
   100  
   101  Once a message is verified, it is left to the VM to define the semantics of delivering a verified message.
   102  
   103  ## Design Considerations
   104  
   105  ### Processing Historical Avalanche Warp Messages
   106  
   107  Verifying an Avalanche Warp Message requires a lookup of validator sets at a specific P-Chain height. The P-Chain serves lookups maintaining validator set diffs that can be applied in-order to reconstruct the validator set of any Subnet at any height.
   108  
   109  As the P-Chain grows, the number of validator set diffs that needs to be applied in order to reconstruct the validator set needed to verify an Avalanche Warp Messages increases over time.
   110  
   111  Therefore, in order to support verifying historical Avalanche Warp Messages, VMs should provide a mechanism to determine whether an Avalanche Warp Message was treated as valid or invalid within a historical block.
   112  
   113  When nodes bootstrap in the future, they bootstrap blocks that have already been marked as accepted by the network, so they can assume the block was verified by the validators of the network when it was first accepted.
   114  
   115  Therefore, the new bootstrapping node can assume the block was valid to determine whether an Avalanche Warp Message should be treated as valid/invalid within the execution of that block.
   116  
   117  Two strategies to provide that mechanism are:
   118  
   119  - Require warp message validity for transaction inclusion. If the transaction is included, the warp message must have passed verification.
   120  - Include the results of warp message verification in the block itself. Use the results to determine which messages passed verification.
   121