Skip to content

feat(frost/roast): domain-separate evidence-snapshot + transition-message signatures#4057

Merged
mswilkison merged 4 commits into
feat/frost-schnorr-migration-scaffoldfrom
feat/frost-roast-signed-body-domain-separation-2026-06-14
Jun 14, 2026
Merged

feat(frost/roast): domain-separate evidence-snapshot + transition-message signatures#4057
mswilkison merged 4 commits into
feat/frost-schnorr-migration-scaffoldfrom
feat/frost-roast-signed-body-domain-separation-2026-06-14

Conversation

@mswilkison

Copy link
Copy Markdown
Contributor

What

Gives the two remaining operator-key-signed ROAST bodies — LocalEvidenceSnapshot and TransitionMessage — their own distinct domain tags, completing the cross-protocol signature-confusion sweep started for the signing-package envelope on #4056.

The node's operator key signs all of these bodies (snapshots as a member; transition messages + the signing package as the elected coordinator), and their protobuf bodies are wire-compatible (each begins with a field-1 attempt-context binding). Without domain separation, a signature over one body could be presented as a signature over another. #4056 added a tag to the signing package; a reviewer correctly noted the existing snapshot/transition bodies still signed bare bodies, so this PR closes that gap.

How

  • Distinct domain tags, each beginning with byte 0x00 — an illegal protobuf tag (field number 0) — so the signed payload is undecodable as any protobuf message:

    • \x00roast/signed-evidence-snapshot/v1\x00
    • \x00roast/signed-transition-message/v1\x00

    This separates the domains in both directions without relying on field layout: a signature over one body can't be accepted on another envelope (its decoder proto.Unmarshals and rejects the 0x00-leading body), and a genuine serialized protobuf body always starts >= 0x08, so its signature can never verify against domain || body. Same construction as the signing-package fix on feat(frost/roast): Phase 7.2b-2 signed signing-package envelope (wire foundation) #4056.

  • bodyBytes() / SignableBytes() split: bodyBytes() is the bare body that travels on the wire (embedded by wireEnvelopeBytes / Marshal); SignableBytes() is domain || body, the only thing signed/verified. Both Unmarshal paths reset the signable-bytes cache so a reused receiver never verifies against stale bytes.

  • Renamed the bare-body cache signedBodybodyCache and added signaturePayloadCache, so all three signed-body types share one structure.

Compatibility

Sign and verify both flow through SignableBytes(), so the change is transparent to the sign sites and the wire envelope structure is unchanged. It does change the bytes signed, so signatures are not compatible with the pre-change protocol — all nodes must run the new code together. Acceptable pre-mainnet; the external-audit gate is unchanged.

Testing

gofmt / go vet / go build ./pkg/... ./cmd/... clean; full pkg/frost/roast suite green. New domain_separation_test.go pins, for both bodies: domain tagging, undecodability as protobuf, the bare (untagged) wire body, prefix-free distinctness of the tags, and the reused-receiver cache reset. Existing verbatim/round-trip/verify tests continue to pass.

🤖 Generated with Claude Code

…sage signatures

The node's operator key signs LocalEvidenceSnapshot, TransitionMessage, and
(on #4056) the signing package, and their bodies are wire-compatible, so a
signature over one body could be replayed as a signature over another. Each
signed body now prepends a UNIQUE domain tag to the bytes it signs and
verifies, while the body that travels on the wire stays the bare serialized
body.

- Add localEvidenceSnapshotSignatureDomain + transitionMessageSignatureDomain,
  each beginning with byte 0x00 (an illegal protobuf tag, field 0) so the
  signed payload is undecodable as any protobuf message. This separates the
  domains in both directions without relying on field layout: a signature over
  one body cannot be accepted on another envelope (its decoder rejects the
  0x00-leading body), and a genuine protobuf body starts >= 0x08 so its
  signature can never verify against domain||body. Matches the signing-package
  fix on #4056.
- Split each type into bodyBytes() (the bare wire body) and SignableBytes()
  (domain || body). wireEnvelopeBytes / Marshal now embed bodyBytes(), and both
  Unmarshal reset the signable-bytes cache so a reused receiver never verifies
  against stale bytes. Rename signedBody -> bodyCache; add signaturePayloadCache.

Sign and verify both flow through SignableBytes(), so the change is transparent
to the sign sites and the wire envelope structure is unchanged. It DOES change
the bytes signed, so signatures are not compatible with the pre-change
protocol - all nodes must run the new code together (acceptable pre-mainnet;
the external-audit gate stands). Tests pin the domain tagging, undecodability,
prefix-free distinctness, bare wire body, and the reused-receiver cache reset.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 3562681d-2290-4fdc-8c41-8bc9b9c7d27b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/frost-roast-signed-body-domain-separation-2026-06-14

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

mswilkison and others added 3 commits June 14, 2026 10:47
The package comment called all three signed bodies wire-compatible; in fact
only TransitionMessageBody and the signing-package body share field-1 =
attempt_context_hash. LocalEvidenceSnapshotBody's field 1 is sender_id (a
varint), so it is only INCIDENTALLY separated - a difference a later proto
change could erase, which is precisely why the domain tag makes the separation
intentional. Comment-only.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…es (review)

Codex (PR #4057) flagged that the cross-language contract still documented
snapshot and transition signatures as covering the bare body, while this PR
makes Go sign/verify domain || body - so a non-Go implementation built from
evidence.proto or RFC-21 would sign/verify different bytes and reject Go's
evidence messages.

Document the signed payload as `domain_tag || body` in evidence.proto (a
file-level SIGNED PAYLOAD note with both exact tags + the four message
comments) and in the RFC-21 wire-format decision. Regenerated evidence.pb.go is
comment-only (descriptor and symbols unchanged). Same fix class as the
signing-package proto contract on #4056.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…rify race (P1)

Gemini (PR #4057) flagged a data race the lazy-cache change introduced: setting
signaturePayloadCache = nil in Unmarshal means the first SignableBytes call on a
PARSED message writes the cache, so concurrent signature verification of one
received message races on that write. This regressed a prior property - the
pre-PR code primed the cache at Unmarshal because the signed payload equaled the
received body, making a parsed message's SignableBytes a pure read.

Prime the cache in both Unmarshal paths (clear it, then call SignableBytes
once), restoring the race-free read on the verification path. This still
discards any stale cache on a reused value.

Tests: end-to-end cross-protocol rejection in both directions (a transition
coordinator signature does not verify as a snapshot operator signature and vice
versa, even with matching id/attempt), plus a -race regression guard that
verifies a parsed snapshot concurrently. Full pkg/frost/roast suite passes under
-race.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
mswilkison added a commit that referenced this pull request Jun 14, 2026
…verify race)

Mirror of the #4057 fix. SigningPackage.Unmarshal reset signaturePayloadCache to
nil, so the first SignableBytes call on a PARSED package was a racing write -
concurrent signature verification (AuthenticateSigningPackage) of one received
package would race on it. Prime the cache in Unmarshal (clear it, then call
SignableBytes once), restoring a pure-read SignableBytes on the verify path; it
still discards a stale cache on a reused value.

Adds a -race regression guard that verifies a parsed package concurrently. Full
pkg/frost/roast suite passes under -race.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@mswilkison mswilkison merged commit d65ac91 into feat/frost-schnorr-migration-scaffold Jun 14, 2026
16 checks passed
@mswilkison mswilkison deleted the feat/frost-roast-signed-body-domain-separation-2026-06-14 branch June 14, 2026 16:27
mswilkison added a commit that referenced this pull request Jun 14, 2026
…ation) (#4058)

## What

The wire foundation for the **context-bound, member-authenticated Round2
share submission** — the remaining 7.2b-2 piece. After a member
authenticates the elected coordinator's `SignedSigningPackage` (#4056)
and accepts its taproot root, it returns its FROST round-2 signature
share **bound to that exact package**. That binding is the hard
prerequisite for blame adjudication (Phase 7.2b-4): a member's share is
provably tied to the specific package bytes it received, so coordinator
equivocation across members is detectable and a member's submission is
non-repudiable.

This PR is the **wire type only** (mirrors how #4056 landed the
signing-package envelope first). Member sign/retain + network
distribution come next.

## How

- **`share_submission.proto`**:
`ShareSubmissionBody{attempt_context_hash, submitter_id,
signing_package_hash, signature_share}` + `SignedShareSubmission{body,
submitter_signature}`; generated `pb.go`.
- **`ShareSubmission` Go wire type**, structurally identical to the
signing-package envelope:
- `bodyBytes()` (the bare body that travels) + `SignableBytes()`
(`domain ‖ body`) with the leading-`0x00` illegal-tag domain
`roast/signed-share-submission/v1` — consistent with the
domain-separation sweep (#4057), so the share signature is
non-confusable with the signing-package / snapshot / transition
signatures.
- `Marshal`/`Unmarshal`/`Validate`. `Unmarshal` bounds the envelope
before `proto.Unmarshal`, rejects an over-cap `signature_share` before
copying, and **primes the signable-bytes cache** so concurrent
verification is race-free (incorporating the fix from #4056/#4057 up
front). `submitter_id` is bounded to `group.MemberIndex`.

## Testing

`gofmt`/`vet`/`build` clean; full `pkg/frost/roast` suite passes under
`go test -race`. New tests: verbatim round-trip, non-canonical-encoding
survival, domain-separated + undecodable-as-protobuf, **prefix-free
distinctness vs the signing-package / snapshot / transition domains**,
validate-rejects-malformed (incl. submitter out of member-index range,
short hashes, over-cap share), marshal-requires-signature,
unmarshal-rejects-oversize-before-copy, and a `-race` concurrency guard.

## Next

Member-side `AuthenticateShareSubmission` (verify under the submitter's
operator key + bind to the live attempt + the retained signing-package
hash) and the network distribution path — then the equivocation compare
+ f+1 quorum blame (7.2b-4).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant