Replace nonce with request hashing

Author: yujiezhu0

api/clients/v2/disperser_client.go

@@ -2,7 +2,6 @@ package clients
 
 import (
 	"context"
-	"crypto/rand"
 	"fmt"
 	"sync"
 	"time"
@@ -297,21 +296,15 @@ func (c *disperserClient) GetPaymentState(ctx context.Context) (*disperser_rpc.G
 		return nil, fmt.Errorf("error getting signer's account ID: %w", err)
 	}
 
-	nonce, err := GenerateNonce(32)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate nonce: %v", err)
-	}
-
-	signature, err := c.signer.SignPaymentStateRequest(nonce)
+	signature, err := c.signer.SignPaymentStateRequest()
 	if err != nil {
 		return nil, fmt.Errorf("error signing payment state request: %w", err)
 	}
 
 	request := &disperser_rpc.GetPaymentStateRequest{
 		AccountId: accountID.Hex(),
 		Signature: signature,
-		Timestamp: uint32(time.Now().Unix()),
-		Nonce:     nonce,
+		Timestamp: uint64(time.Now().UnixNano()),
 	}
 	return c.client.GetPaymentState(ctx, request)
 }
@@ -371,13 +364,3 @@ func (c *disperserClient) initOncePopulateAccountant(ctx context.Context) error
 	}
 	return nil
 }
-
-// GenerateNonce creates a random nonce of the specified length.
-func GenerateNonce(length int) ([]byte, error) {
-	nonce := make([]byte, length)
-	_, err := rand.Read(nonce)
-	if err != nil {
-		return nil, err
-	}
-	return nonce, nil
-}

api/clients/v2/disperser_client_test.go

@@ -116,20 +116,3 @@ func TestMutexPreventsSimultaneousRequests(t *testing.T) {
 	require.GreaterOrEqual(t, totalTime.Milliseconds(), expectedMinTime.Milliseconds()-10, // allow small timing variations
 		"Total execution time was less than expected, suggesting concurrent execution")
 }
-
-func TestGenerateNonce(t *testing.T) {
-	nonce, err := GenerateNonce(32)
-	require.NoError(t, err)
-	require.Len(t, nonce, 32, "nonce should be 32 bytes")
-
-	// Test multiple calls to ensure nonces are unique.
-	nonceMap := make(map[string]struct{})
-	for i := 0; i < 100; i++ {
-		n, err := GenerateNonce(32)
-		require.NoError(t, err)
-		require.Len(t, n, 32, "nonce should be 32 bytes")
-		key := string(n)
-		require.NotContains(t, nonceMap, key, "nonce should be unique")
-		nonceMap[key] = struct{}{}
-	}
-}

api/docs/disperser_v2.html

@@ -0,0 +1,23 @@
+package hashing
+
+import (
+	"fmt"
+	pb "github.com/Layr-Labs/eigenda/api/grpc/disperser/v2"
+	"golang.org/x/crypto/sha3"
+)
+
+// HashGetPaymentStateRequest hashes the given GetPaymentStateRequest.
+func HashGetPaymentStateRequest(request *pb.GetPaymentStateRequest) ([]byte, error) {
+	hasher := sha3.NewLegacyKeccak256()
+
+	// Hash the account ID
+	err := hashByteArray(hasher, []byte(request.GetAccountId()))
+	if err != nil {
+		return nil, fmt.Errorf("failed to hash account id: %w", err)
+	}
+
+	// Hash the timestamp
+	hashUint64(hasher, request.GetTimestamp())
+
+	return hasher.Sum(nil), nil
+}

api/docs/eigenda-protos.html

@@ -120,11 +120,9 @@ message GetPaymentStateRequest {
   string account_id = 1;
   // Signature over the account ID
   bytes signature = 2;
-  // Timestamp of the request in seconds since the Unix epoch. If too far out of sync with the server's clock,
+  // Timestamp of the request in nanoseconds since the Unix epoch. If too far out of sync with the server's clock,
   // request may be rejected.
-  uint32 timestamp = 3;
-  // A client-generated nonce to ensure the request is unique.
-  bytes nonce = 4;
+  uint64 timestamp = 3;
 }
 
 // GetPaymentStateReply contains the payment state of an account.

api/grpc/disperser/v2/disperser_v2.pb.go

@@ -2,7 +2,6 @@ package v2_test
 
 import (
 	"crypto/sha256"
-	"encoding/hex"
 	disperser_rpc "github.com/Layr-Labs/eigenda/api/grpc/disperser/v2"
 	"math/big"
 	"testing"
@@ -20,9 +19,8 @@ import (
 
 var (
 	privateKeyHex = "0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
-	nonce, _      = hex.DecodeString("3132333435363738393031323334353637383930313233343536373839303132")
-	maxPastAge    = 30 * time.Second
-	maxFutureAge  = 30 * time.Second
+	maxPastAge    = 5 * time.Minute
+	maxFutureAge  = 5 * time.Minute
 )
 
 func TestAuthentication(t *testing.T) {
@@ -126,7 +124,7 @@ func TestAuthenticatePaymentStateRequestValid(t *testing.T) {
 	assert.NoError(t, err)
 	authenticator := auth.NewAuthenticator(maxPastAge, maxFutureAge)
 
-	signature, err := signer.SignPaymentStateRequest(nonce)
+	signature, err := signer.SignPaymentStateRequest()
 	assert.NoError(t, err)
 
 	accountId, err := signer.GetAccountID()
@@ -169,7 +167,7 @@ func TestAuthenticatePaymentStateRequestSignatureMismatch(t *testing.T) {
 	accountId, err := signer.GetAccountID()
 	assert.NoError(t, err)
 
-	signature, err := wrongSigner.SignPaymentStateRequest(nonce)
+	signature, err := wrongSigner.SignPaymentStateRequest()
 	assert.NoError(t, err)
 
 	request := mockGetPaymentStateRequest(accountId, signature)
@@ -203,7 +201,6 @@ func mockGetPaymentStateRequest(accountId gethcommon.Address, signature []byte)
 	return &disperser_rpc.GetPaymentStateRequest{
 		AccountId: accountId.Hex(),
 		Signature: signature,
-		Timestamp: uint32(time.Now().Unix()),
-		Nonce:     nonce,
+		Timestamp: uint64(time.Now().UnixNano()),
 	}
 }

api/hashing/payment_state_hashing.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	pb "github.com/Layr-Labs/eigenda/api/grpc/disperser/v2"
+	"github.com/Layr-Labs/eigenda/api/hashing"
 	"time"
 
 	"github.com/Layr-Labs/eigenda/common/replay"
@@ -53,7 +54,7 @@ func (*authenticator) AuthenticateBlobRequest(header *core.BlobHeader, signature
 }
 
 // AuthenticatePaymentStateRequest verifies the signature of the payment state request
-// The signature is signed over the byte representation of the account ID and nonce
+// The signature is signed over the byte representation of the account ID
 // See implementation of BlobRequestSigner.SignPaymentStateRequest for more details
 func (a *authenticator) AuthenticatePaymentStateRequest(accountAddr common.Address, request *pb.GetPaymentStateRequest) error {
 	sig := request.GetSignature()
@@ -63,11 +64,9 @@ func (a *authenticator) AuthenticatePaymentStateRequest(accountAddr common.Addre
 	}
 
 	timestamp := request.GetTimestamp()
-	nonce := request.GetNonce()
 
 	// Verify the signature
-	accountAddrWithNonce := append(accountAddr.Bytes(), nonce...)
-	hash := sha256.Sum256(accountAddrWithNonce)
+	hash := sha256.Sum256(accountAddr.Bytes())
 	sigPublicKeyECDSA, err := crypto.SigToPub(hash[:], sig)
 	if err != nil {
 		return fmt.Errorf("failed to recover public key from signature: %v", err)
@@ -79,8 +78,13 @@ func (a *authenticator) AuthenticatePaymentStateRequest(accountAddr common.Addre
 		return errors.New("signature doesn't match with provided public key")
 	}
 
-	if err := a.replayGuardian.VerifyRequest(nonce, time.Unix(int64(timestamp), 0)); err != nil {
-		return fmt.Errorf("invalid request: the provided nonce has already been used or the request has expired (%v)", err)
+	requestHash, err := hashing.HashGetPaymentStateRequest(request)
+	if err != nil {
+		return fmt.Errorf("failed to hash request: %w", err)
+	}
+
+	if err := a.replayGuardian.VerifyRequest(requestHash, time.Unix(0, int64(timestamp))); err != nil {
+		return fmt.Errorf("failed to verify request: %v", err)
 	}
 
 	return nil

api/proto/disperser/v2/disperser_v2.proto

@@ -44,14 +44,13 @@ func (s *LocalBlobRequestSigner) SignBlobRequest(header *core.BlobHeader) ([]byt
 	return sig, nil
 }
 
-func (s *LocalBlobRequestSigner) SignPaymentStateRequest(nonce []byte) ([]byte, error) {
+func (s *LocalBlobRequestSigner) SignPaymentStateRequest() ([]byte, error) {
 	accountId, err := s.GetAccountID()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get account ID: %v", err)
 	}
 
-	accountAddrWithNonce := append(accountId.Bytes(), nonce...)
-	hash := sha256.Sum256(accountAddrWithNonce)
+	hash := sha256.Sum256(accountId.Bytes())
 	// Sign the account ID using the private key
 	sig, err := crypto.Sign(hash[:], s.PrivateKey)
 	if err != nil {
@@ -78,7 +77,7 @@ func (s *LocalNoopSigner) SignBlobRequest(header *core.BlobHeader) ([]byte, erro
 	return nil, fmt.Errorf("noop signer cannot sign blob request")
 }
 
-func (s *LocalNoopSigner) SignPaymentStateRequest(nonce []byte) ([]byte, error) {
+func (s *LocalNoopSigner) SignPaymentStateRequest() ([]byte, error) {
 	return nil, fmt.Errorf("noop signer cannot sign payment state request")
 }