Embed trusted setup in network config (#3851)

* Load trusted setup in network config

* Fix trusted setup serialize and deserialize

* Load trusted setup from hardcoded preset instead of a file

* Truncate after deserialising trusted setup

* Fix beacon node script

* Remove hardcoded setup file

* Add length checks

beacon_node/Cargo.toml

@@ -39,6 +39,7 @@ eth2_network_config = { path = "../common/eth2_network_config" }
 execution_layer = { path = "execution_layer" }
 lighthouse_network = { path = "./lighthouse_network" }
 serde = "1.0.116"
+serde_json = "1.0.58"
 clap_utils = { path = "../common/clap_utils" }
 hyper = "0.14.4"
 lighthouse_version = { path = "../common/lighthouse_version" }

beacon_node/beacon_chain/src/builder.rs

@@ -21,15 +21,14 @@ use eth1::Config as Eth1Config;
 use execution_layer::ExecutionLayer;
 use fork_choice::{ForkChoice, ResetPayloadStatuses};
 use futures::channel::mpsc::Sender;
-use kzg::Kzg;
+use kzg::{Kzg, TrustedSetup};
 use operation_pool::{OperationPool, PersistedOperationPool};
 use parking_lot::RwLock;
 use proto_array::ReOrgThreshold;
 use slasher::Slasher;
 use slog::{crit, error, info, Logger};
 use slot_clock::{SlotClock, TestingSlotClock};
 use std::marker::PhantomData;
-use std::path::PathBuf;
 use std::sync::Arc;
 use std::time::Duration;
 use store::{Error as StoreError, HotColdDB, ItemStore, KeyValueStoreOp};
@@ -97,7 +96,7 @@ pub struct BeaconChainBuilder<T: BeaconChainTypes> {
     // Pending I/O batch that is constructed during building and should be executed atomically
     // alongside `PersistedBeaconChain` storage when `BeaconChainBuilder::build` is called.
     pending_io_batch: Vec<KeyValueStoreOp>,
-    trusted_setup_path: Option<PathBuf>,
+    trusted_setup: Option<TrustedSetup>,
     task_executor: Option<TaskExecutor>,
 }
 
@@ -137,7 +136,7 @@ where
             slasher: None,
             validator_monitor: None,
             pending_io_batch: vec![],
-            trusted_setup_path: None,
+            trusted_setup: None,
             task_executor: None,
         }
     }
@@ -594,8 +593,8 @@ where
         self
     }
 
-    pub fn trusted_setup(mut self, trusted_setup_file_path: PathBuf) -> Self {
-        self.trusted_setup_path = Some(trusted_setup_file_path);
+    pub fn trusted_setup(mut self, trusted_setup: TrustedSetup) -> Self {
+        self.trusted_setup = Some(trusted_setup);
         self
     }
 
@@ -640,8 +639,8 @@ where
             slot_clock.now().ok_or("Unable to read slot")?
         };
 
-        let kzg = if let Some(trusted_setup_file) = self.trusted_setup_path {
-            let kzg = Kzg::new_from_file(trusted_setup_file)
+        let kzg = if let Some(trusted_setup) = self.trusted_setup {
+            let kzg = Kzg::new_from_trusted_setup(trusted_setup)
                 .map_err(|e| format!("Failed to load trusted setup: {:?}", e))?;
             Some(Arc::new(kzg))
         } else {

beacon_node/beacon_chain/src/lib.rs

@@ -70,6 +70,7 @@ pub use events::ServerSentEventHandler;
 pub use execution_layer::EngineState;
 pub use execution_payload::NotifyExecutionLayer;
 pub use fork_choice::{ExecutionStatus, ForkchoiceUpdateParameters};
+pub use kzg::TrustedSetup;
 pub use metrics::scrape_for_metrics;
 pub use parking_lot;
 pub use slot_clock;

beacon_node/client/src/builder.rs

@@ -185,8 +185,8 @@ where
             builder
         };
 
-        let builder = if let Some(trusted_setup_file) = config.trusted_setup_file {
-            builder.trusted_setup(trusted_setup_file)
+        let builder = if let Some(trusted_setup) = config.trusted_setup {
+            builder.trusted_setup(trusted_setup)
         } else {
             builder
         };

beacon_node/client/src/config.rs

@@ -1,3 +1,4 @@
+use beacon_chain::TrustedSetup;
 use directory::DEFAULT_ROOT_DIR;
 use environment::LoggerConfig;
 use network::NetworkConfig;
@@ -68,7 +69,7 @@ pub struct Config {
     pub chain: beacon_chain::ChainConfig,
     pub eth1: eth1::Config,
     pub execution_layer: Option<execution_layer::Config>,
-    pub trusted_setup_file: Option<PathBuf>,
+    pub trusted_setup: Option<TrustedSetup>,
     pub http_api: http_api::Config,
     pub http_metrics: http_metrics::Config,
     pub monitoring_api: Option<monitoring_api::Config>,
@@ -91,7 +92,7 @@ impl Default for Config {
             sync_eth1_chain: false,
             eth1: <_>::default(),
             execution_layer: None,
-            trusted_setup_file: None,
+            trusted_setup: None,
             graffiti: Graffiti::default(),
             http_api: <_>::default(),
             http_metrics: <_>::default(),

beacon_node/src/cli.rs

@@ -513,13 +513,12 @@ pub fn cli_app<'a, 'b>() -> App<'a, 'b> {
         )
         /* 4844 settings */
         .arg(
-            Arg::with_name("trusted-setup-file")
-                .long("trusted-setup-file")
+            Arg::with_name("trusted-setup-file-override")
+                .long("trusted-setup-file-override")
                 .value_name("FILE")
-                .help("File containing the trusted setup parameters. \
-                      NOTE: This is only for the devnet, the trusted setup params \
-                      must be embedded into the ethspec once parameter loading \
-                      is supported in the ckzg library")
+                .help("Path to a json file containing the trusted setup params. \
+                      NOTE: This will override the trusted setup that is generated \
+                      from the mainnet kzg ceremony. Use with caution")
                 .takes_value(true)
         )
         /*

beacon_node/src/config.rs

@@ -2,6 +2,7 @@ use beacon_chain::chain_config::{
     ReOrgThreshold, DEFAULT_PREPARE_PAYLOAD_LOOKAHEAD_FACTOR,
     DEFAULT_RE_ORG_MAX_EPOCHS_SINCE_FINALIZATION, DEFAULT_RE_ORG_THRESHOLD,
 };
+use beacon_chain::TrustedSetup;
 use clap::ArgMatches;
 use clap_utils::flags::DISABLE_MALLOC_TUNING_FLAG;
 use client::{ClientConfig, ClientGenesis};
@@ -371,8 +372,19 @@ pub fn get_config<E: EthSpec>(
     }
 
     // 4844 params
-    if let Some(trusted_setup_file) = cli_args.value_of("trusted-setup-file") {
-        client_config.trusted_setup_file = Some(PathBuf::from(trusted_setup_file));
+    client_config.trusted_setup = context
+        .eth2_network_config
+        .as_ref()
+        .and_then(|config| config.kzg_trusted_setup.clone());
+
+    // Override default trusted setup file if required
+    // TODO: consider removing this when we get closer to launch
+    if let Some(trusted_setup_file_path) = cli_args.value_of("trusted-setup-file-override") {
+        let file = std::fs::File::open(trusted_setup_file_path)
+            .map_err(|e| format!("Failed to open trusted setup file: {}", e))?;
+        let trusted_setup: TrustedSetup = serde_json::from_reader(file)
+            .map_err(|e| format!("Unable to read trusted setup file: {}", e))?;
+        client_config.trusted_setup = Some(trusted_setup);
     }
 
     if let Some(freezer_dir) = cli_args.value_of("freezer-dir") {

common/eth2_network_config/Cargo.toml

@@ -15,7 +15,9 @@ tempfile = "3.1.0"
 
 [dependencies]
 serde_yaml = "0.8.13"
+serde_json = "1.0.58"
 types = { path = "../../consensus/types"}
+kzg = { path = "../../crypto/kzg" }
 eth2_ssz = "0.4.1"
 eth2_config = { path = "../eth2_config"}
 enr = { version = "0.6.2", features = ["ed25519", "k256"] }

common/eth2_network_config/src/lib.rs

@@ -13,10 +13,11 @@
 
 use enr::{CombinedKey, Enr};
 use eth2_config::{instantiate_hardcoded_nets, HardcodedNet};
+use kzg::TrustedSetup;
 use std::fs::{create_dir_all, File};
 use std::io::{Read, Write};
 use std::path::PathBuf;
-use types::{BeaconState, ChainSpec, Config, EthSpec, EthSpecId};
+use types::{BeaconState, ChainSpec, Config, Epoch, EthSpec, EthSpecId};
 
 pub const DEPLOY_BLOCK_FILE: &str = "deploy_block.txt";
 pub const BOOT_ENR_FILE: &str = "boot_enr.yaml";
@@ -32,6 +33,14 @@ instantiate_hardcoded_nets!(eth2_config);
 
 pub const DEFAULT_HARDCODED_NETWORK: &str = "mainnet";
 
+/// Contains the bytes from the trusted setup json.
+/// The mainnet trusted setup is also reused in testnets.
+///
+/// This is done to ensure that testnets also inherit the high security and
+/// randomness of the mainnet kzg trusted setup ceremony.
+pub const TRUSTED_SETUP: &[u8] =
+    include_bytes!("../built_in_network_configs/testing_trusted_setups.json");
+
 /// Specifies an Eth2 network.
 ///
 /// See the crate-level documentation for more details.
@@ -43,6 +52,7 @@ pub struct Eth2NetworkConfig {
     pub boot_enr: Option<Vec<Enr<CombinedKey>>>,
     pub genesis_state_bytes: Option<Vec<u8>>,
     pub config: Config,
+    pub kzg_trusted_setup: Option<TrustedSetup>,
 }
 
 impl Eth2NetworkConfig {
@@ -58,6 +68,20 @@ impl Eth2NetworkConfig {
 
     /// Instantiates `Self` from a `HardcodedNet`.
     fn from_hardcoded_net(net: &HardcodedNet) -> Result<Self, String> {
+        let config: Config = serde_yaml::from_reader(net.config)
+            .map_err(|e| format!("Unable to parse yaml config: {:?}", e))?;
+        let kzg_trusted_setup = if let Some(epoch) = config.eip4844_fork_epoch {
+            // Only load the trusted setup if the eip4844 fork epoch is set
+            if epoch.value != Epoch::max_value() {
+                let trusted_setup: TrustedSetup = serde_json::from_reader(TRUSTED_SETUP)
+                    .map_err(|e| format!("Unable to read trusted setup file: {}", e))?;
+                Some(trusted_setup)
+            } else {
+                None
+            }
+        } else {
+            None
+        };
         Ok(Self {
             deposit_contract_deploy_block: serde_yaml::from_reader(net.deploy_block)
                 .map_err(|e| format!("Unable to parse deploy block: {:?}", e))?,
@@ -67,8 +91,8 @@ impl Eth2NetworkConfig {
             ),
             genesis_state_bytes: Some(net.genesis_state_bytes.to_vec())
                 .filter(|bytes| !bytes.is_empty()),
-            config: serde_yaml::from_reader(net.config)
-                .map_err(|e| format!("Unable to parse yaml config: {:?}", e))?,
+            config,
+            kzg_trusted_setup,
         })
     }
 
@@ -194,7 +218,7 @@ impl Eth2NetworkConfig {
 
         let deposit_contract_deploy_block = load_from_file!(DEPLOY_BLOCK_FILE);
         let boot_enr = optional_load_from_file!(BOOT_ENR_FILE);
-        let config = load_from_file!(BASE_CONFIG_FILE);
+        let config: Config = load_from_file!(BASE_CONFIG_FILE);
 
         // The genesis state is a special case because it uses SSZ, not YAML.
         let genesis_file_path = base_dir.join(GENESIS_STATE_FILE);
@@ -212,11 +236,25 @@ impl Eth2NetworkConfig {
             None
         };
 
+        let kzg_trusted_setup = if let Some(epoch) = config.eip4844_fork_epoch {
+            // Only load the trusted setup if the eip4844 fork epoch is set
+            if epoch.value != Epoch::max_value() {
+                let trusted_setup: TrustedSetup = serde_json::from_reader(TRUSTED_SETUP)
+                    .map_err(|e| format!("Unable to read trusted setup file: {}", e))?;
+                Some(trusted_setup)
+            } else {
+                None
+            }
+        } else {
+            None
+        };
+
         Ok(Self {
             deposit_contract_deploy_block,
             boot_enr,
             genesis_state_bytes,
             config,
+            kzg_trusted_setup,
         })
     }
 }

crypto/kzg/Cargo.toml

@@ -18,7 +18,7 @@ eth2_serde_utils = "0.1.1"
 hex = "0.4.2"
 eth2_hashing = "0.3.0"
 ethereum-types = "0.12.1"
-c-kzg = {git = "https://github.com/pawanjay176/c-kzg-4844", rev = "69bde8f4e0bbf0da30d92601b7db138bdd7e6a04" }
+c-kzg = {git = "https://github.com/pawanjay176/c-kzg-4844", rev = "c9e4fa0dabdd000738b7fcdf85a72880a5da8748" }
 
 [features]
 default = ["mainnet-spec"]