Add handling for Auxiliary info

[yacovm]

Introduce an AuxiliaryInfoApp interface abstraction that lets an application
piggyback application-specific data on Simplex epoch changes (e.g.
threshold distributed key generation), and gate the epoch transition on
that data being final. Final doesn't mean finalized as in Simplex,
but rather that the data is "good enough" to be used for the next epoch.

Metadata & encoding:

• Add AuxiliaryInfo (Info, PrevAuxInfoSeq, ApplicationID) to block
  metadata and an AppID type, with Canoto (de)serialization.
• Each block's PrevAuxInfoSeq back-points to the most recent block with a
  non-empty Info, skipping empty-Info blocks. collectAuxiliaryInfo walks
  these pointers to rebuild the epoch's aux info history.

The digest of the last AuxInfo in a final history is signed by the node,
rather than the entire history of non-empty Aux Info.
This is done for flexibility, as some applications like publicly verifiable DKG
have commutative histories.

State machine:

• AuxiliaryInfoApp drives the flow: GenerateAuxInfo contributes to the
  history until IsFinalAuxInfoHistory reports it ready; only then are
  next-epoch approvals collected. IsLegalAuxInfoAppend validates a
  proposed append on the verify path. Each method also receives the
  next epoch's validator set (NodeBLSMappings).
• The builder carries forward / extends aux info, and the verifier
  reconstructs the expected AuxiliaryInfo (ApplicationID, PrevAuxInfoSeq)
  and enforces it via the block-digest comparison.

Approvals:

• Approvals now bind to the auxiliary info: the signed payload is
  (NextPChainReferenceHeight, auxInfoDigest), where auxInfoDigest is the
  sha256 of the last aux info element in the history.
• The ApprovalStore is now keyed by (NodeID, PChainHeight, AuxInfoSeqDigest)
  so approvals for different digests coexist, and sanitizeApprovals only
  aggregates approvals matching the candidate height and digest.

Tests:

• Verify approvals with real ECDSA signatures over the signed payload
  (the test signature verifier now actually checks signatures and
  (NextPChainReferenceHeight, auxInfoDigest), where auxInfoDigest is the
  sha256 of the final aux info history. assembleApprovalToBeSigned
  replaces the previous height-only payload.
  The switch to ECDSA is because this way we make sure we really sign
  the correct digest and not an empty one because of a bug.
• The ApprovalStore is keyed by (NodeID, PChainHeight, AuxInfoSeqDigest)
  so approvals for different digests coexist, and sanitizeApprovals only
  aggregates approvals matching the candidate height and digest.

[samliok]

im not sure I understand application id. I'm assuming it helps the user of AuxInfo to decode the info bytes. So for example DKG would have an application id of 1, and then we would decode all []info bytes in the history message with application id 1 a certain way.

Can't we have multiple application running though? Maybe a DKG and something else in the future so we would have multiple application ids corresponding within the same epoch?

[samliok]

or are you saying if we have multiple applications, they would both be serialized into a single info []byte? in this case the application id is just used for versioning of how to deserialize the bytes?

[yacovm]

Suppose we implement DKG in avalanchego version v1.16.1 and then in version v1.16.2 we improve the DKG implementation or fix a bug that requires changing the encoding.

A node that is mid epoch change and is restarted from v1.16.1 to v1.16.2 needs to continue using the old DKG implementation until the epoch change ends. It cannot use the new implementation mid epoch change.

The application ID is there to ensure every epoch change uses a uniform version of DKG implementation.

[samliok]

do you think it would be easier to reason through if we created a struct
{
[]byte
seq
}

rather than maintaining two separate arrays? it would also ensure the sorting is done correctly for the history since we can just sort by seq in this new struct

[yacovm]

yeah we can do that. Initially I only had the history and then added the seqs. Will change

[samliok]

i think the applicationID returned is actually the oldest

[yacovm]

yeah, you're right and that's by design. Will fix

[samliok]

what if we just had a type approvalKey

type approvalKey struct {
	pChainHeight     uint64
	auxInfoSeqDigest [32]byte
}

then we wouldn't need to have the byte logic makeUint64DigestPair and it would work in the map approvalsByPChainHeightAndAuxInfoDigest by default

[yacovm]

makes sense

[samliok]

Suggested change

	// We're not ready for epoch transition yet, so putting a zero-valure approvals here
	// We're not ready for epoch transition yet, so putting a zero-value approvals here

[samliok]

so if we are not done with generating the AuxInfo we will add our own info to hopefully help finish it up. How does this work in the dkg? Does everyone need to contribute to the DKG setup? i assume this cant be the case because then an adversary can just block the epoch from progressing.

[yacovm]

We'll add our own, but it's a bit tricky because the actual implementation of GenerateAuxInfo needs to make sure we don't add our own twice or more.

How does this work in the dkg? Does everyone need to contribute to the DKG setup?

We need enough randomness such that we consider it non-biased and non-colluded.

i assume this cant be the case because then an adversary can just block the epoch from progressing.

Unless we have synchrony assumptions (which we don't)

[samliok]

should this be simplex.Digest?

[samliok]

isn't isAuxInfoReadyForEpochTransition implied from auxInfoDigest != empty

[yacovm]

no, auxInfoDigest is just the last one, but it doesn't mean we are ready.

[samliok]

one thing i don't get is the aux info is only contributed by the nodes in the current epoch? but for dkg, we want to collect info from nodes in the next epoch? I don't see where we are doing this, as the block builders are only nodes of the current epoch

[yacovm]

Yeah that's a very good question.

So, in the current implementation we cannot do that yet because this will require something similar to what we have with the approvals (an interface that lists approvals that reside in our approval memory pool).

However, when it comes to DKG then if the validator sets of the two adjacent epochs aren't too different, we can use the validator set of the previous epoch.

It's not hard to expand in a later PR to add the Aux Info contribution of nodes of the next epoch, but one thing at a time...

[samliok]

moreso a general thought, but I feel like this logic is a bit complex to test and reason about in scenarios where we fork due to an empty round timeout.

What happens when we collect all the auxiliary information, but the next block is not built of our previous block and proposes something completely different? do we have tests for scenarios like this?

[yacovm]

moreso a general thought, but I feel like this logic is a bit complex to test and reason about in scenarios where we fork due to an empty round timeout.
What happens when we collect all the auxiliary information, but the next block is not built of our previous block and proposes something completely different? do we have tests for scenarios like this?

Good question.

I did think about this scenario when I implemented it, and I don't think we need to do anything special here.

Essentially, as long as blocks cannot be re-ordered (have their parents changed) after they are built, there is no problem that we can have multiple competing histories.

While a block may not end up being part of a chain, every block that is built on top of a parent block will never have its parent changed, so the checks we have that look at the entire history of auxiliary info are always valid in case the block becomes finalized, and if the block doesn't become finalized and ends up being dropped (rewinding the chain), that's fine.

Not every kind of protocol can support safe rewinding (for example, in a commit-reveal protocol, rewinding is fatal) but the kinds of protocol that we aim to support only involve putting encrypted random shares on-chain, so any item that doesn't end up part of the chain (rewinded) just doesn't end up being part of the DKG, and is anyway comprised of random data, so no information can be learned by an adversary that rewinds the chain.