Babe VRF Signing in keystore (#6225)

* Introduce trait

* Implement VRFSigner in keystore

* Use vrf_sign from keystore

* Convert output to VRFInOut

* Simplify conversion

* vrf_sign secondary slot using keystore

* Fix RPC call to claim_slot

* Use Public instead of Pair

* Check primary threshold in signer

* Fix interface to return error

* Move vrf_sign to BareCryptoStore

* Fix authorship_works test

* Fix BABE logic leaks

* Acquire a read lock once

* Also fix RPC acquiring the read lock once

* Implement a generic way to construct VRF Transcript

* Use make_transcript_data to call sr25519_vrf_sign

* Make sure VRFTranscriptData is serializable

* Cleanup

* Move VRF to it's own module

* Implement & test VRF signing in testing module

* Remove leftover

* Fix feature requirements

* Revert removing vec macro

* Drop keystore pointer to prevent deadlock

* Nitpicks

* Add test to make sure make_transcript works

* Fix mismatch in VRF transcript

* Add a test to verify transcripts match in babe

* Return VRFOutput and VRFProof from keystore

substrate/Cargo.lock

@@ -6092,6 +6092,7 @@ dependencies = [
  "parking_lot 0.10.2",
  "pdqselect",
  "rand 0.7.3",
+ "rand_chacha 0.2.2",
  "sc-block-builder",
  "sc-client-api",
  "sc-consensus-epochs",
@@ -6425,6 +6426,7 @@ version = "2.0.0-rc3"
 dependencies = [
  "derive_more",
  "hex",
+ "merlin",
  "parking_lot 0.10.2",
  "rand 0.7.3",
  "serde_json",
@@ -7456,6 +7458,7 @@ dependencies = [
  "sp-application-crypto",
  "sp-consensus",
  "sp-consensus-vrf",
+ "sp-core",
  "sp-inherents",
  "sp-runtime",
  "sp-std",
@@ -7511,6 +7514,7 @@ dependencies = [
  "pretty_assertions",
  "primitive-types",
  "rand 0.7.3",
+ "rand_chacha 0.2.2",
  "regex",
  "schnorrkel",
  "serde",

substrate/client/consensus/babe/Cargo.toml

@@ -58,6 +58,7 @@ sc-service = { version = "0.8.0-rc3", default-features = false, path = "../../se
 substrate-test-runtime-client = { version = "2.0.0-rc3", path = "../../../test-utils/runtime/client" }
 sc-block-builder = { version = "0.8.0-rc3", path = "../../block-builder" }
 env_logger = "0.7.0"
+rand_chacha = "0.2.2"
 tempfile = "3.1.0"
 
 [features]

substrate/client/consensus/babe/rpc/Cargo.toml

@@ -27,12 +27,12 @@ derive_more = "0.99.2"
 sp-api = { version = "2.0.0-rc3", path = "../../../../primitives/api" }
 sp-consensus = { version = "0.8.0-rc3", path = "../../../../primitives/consensus/common" }
 sp-core = { version = "2.0.0-rc3", path = "../../../../primitives/core" }
+sp-application-crypto = { version = "2.0.0-rc3", path = "../../../../primitives/application-crypto" }
 sc-keystore = { version = "2.0.0-rc3", path = "../../../keystore" }
 
 [dev-dependencies]
 sc-consensus = { version = "0.8.0-rc3", path = "../../../consensus/common" }
 serde_json = "1.0.50"
-sp-application-crypto = { version = "2.0.0-rc3", path = "../../../../primitives/application-crypto" }
 sp-keyring = { version = "2.0.0-rc3", path = "../../../../primitives/keyring" }
 substrate-test-runtime-client = { version = "2.0.0-rc3", path = "../../../../test-utils/runtime/client" }
 tempfile = "3.1.0"

substrate/client/consensus/babe/rpc/src/lib.rs

@@ -32,6 +32,11 @@ use sp_consensus_babe::{
 	digests::PreDigest,
 };
 use serde::{Deserialize, Serialize};
+use sp_core::{
+	crypto::Public,
+	traits::BareCryptoStore,
+};
+use sp_application_crypto::AppKey;
 use sc_keystore::KeyStorePtr;
 use sc_rpc_api::DenyUnsafe;
 use sp_api::{ProvideRuntimeApi, BlockId};
@@ -125,22 +130,23 @@ impl<B, C, SC> BabeApi for BabeRpcHandler<B, C, SC>
 
 			let mut claims: HashMap<AuthorityId, EpochAuthorship> = HashMap::new();
 
-			let key_pairs = {
-				let keystore = keystore.read();
+			let keys = {
+				let ks = keystore.read();
 				epoch.authorities.iter()
 					.enumerate()
-					.flat_map(|(i, a)| {
-						keystore
-							.key_pair::<sp_consensus_babe::AuthorityPair>(&a.0)
-							.ok()
-							.map(|kp| (kp, i))
+					.filter_map(|(i, a)| {
+						if ks.has_keys(&[(a.0.to_raw_vec(), AuthorityId::ID)]) {
+							Some((a.0.clone(), i))
+						} else {
+							None
+						}
 					})
 					.collect::<Vec<_>>()
 			};
 
 			for slot_number in epoch_start..epoch_end {
 				if let Some((claim, key)) =
-					authorship::claim_slot_using_key_pairs(slot_number, &epoch, &key_pairs)
+					authorship::claim_slot_using_keys(slot_number, &epoch, &keystore, &keys)
 				{
 					match claim {
 						PreDigest::Primary { .. } => {

substrate/client/consensus/babe/src/authorship.rs

@@ -16,18 +16,24 @@
 
 //! BABE authority selection and slot claiming.
 
+use sp_application_crypto::AppKey;
 use sp_consensus_babe::{
-	make_transcript, AuthorityId, BabeAuthorityWeight, BABE_VRF_PREFIX,
-	SlotNumber, AuthorityPair,
+	BABE_VRF_PREFIX,
+	AuthorityId, BabeAuthorityWeight,
+	SlotNumber,
+	make_transcript,
+	make_transcript_data,
 };
 use sp_consensus_babe::digests::{
 	PreDigest, PrimaryPreDigest, SecondaryPlainPreDigest, SecondaryVRFPreDigest,
 };
 use sp_consensus_vrf::schnorrkel::{VRFOutput, VRFProof};
-use sp_core::{U256, blake2_256};
+use sp_core::{U256, blake2_256, crypto::Public, traits::BareCryptoStore};
 use codec::Encode;
-use schnorrkel::vrf::VRFInOut;
-use sp_core::Pair;
+use schnorrkel::{
+	keys::PublicKey,
+	vrf::VRFInOut,
+};
 use sc_keystore::KeyStorePtr;
 use super::Epoch;
 
@@ -124,7 +130,8 @@ pub(super) fn secondary_slot_author(
 fn claim_secondary_slot(
 	slot_number: SlotNumber,
 	epoch: &Epoch,
-	key_pairs: &[(AuthorityPair, usize)],
+	keys: &[(AuthorityId, usize)],
+	keystore: &KeyStorePtr,
 	author_secondary_vrf: bool,
 ) -> Option<(PreDigest, AuthorityId)> {
 	let Epoch { authorities, randomness, epoch_index, .. } = epoch;
@@ -139,31 +146,39 @@ fn claim_secondary_slot(
 		*randomness,
 	)?;
 
-	for (pair, authority_index) in key_pairs {
-		if pair.public() == *expected_author {
+	for (authority_id, authority_index) in keys {
+		if authority_id == expected_author {
 			let pre_digest = if author_secondary_vrf {
-				let transcript = super::authorship::make_transcript(
+				let transcript_data = super::authorship::make_transcript_data(
 					randomness,
 					slot_number,
 					*epoch_index,
 				);
-
-				let s = get_keypair(&pair).vrf_sign(transcript);
-
-				PreDigest::SecondaryVRF(SecondaryVRFPreDigest {
-					slot_number,
-					vrf_output: VRFOutput(s.0.to_output()),
-					vrf_proof: VRFProof(s.1),
-					authority_index: *authority_index as u32,
-				})
+				let result = keystore.read().sr25519_vrf_sign(
+					AuthorityId::ID,
+					authority_id.as_ref(),
+					transcript_data,
+				);
+				if let Ok(signature)  = result {
+					Some(PreDigest::SecondaryVRF(SecondaryVRFPreDigest {
+						slot_number,
+						vrf_output: VRFOutput(signature.output),
+						vrf_proof: VRFProof(signature.proof),
+						authority_index: *authority_index as u32,
+					}))
+				} else {
+					None
+				}
 			} else {
-				PreDigest::SecondaryPlain(SecondaryPlainPreDigest {
+				Some(PreDigest::SecondaryPlain(SecondaryPlainPreDigest {
 					slot_number,
 					authority_index: *authority_index as u32,
-				})
+				}))
 			};
 
-			return Some((pre_digest, pair.public()));
+			if let Some(pre_digest) = pre_digest {
+				return Some((pre_digest, authority_id.clone()));
+			}
 		}
 	}
 
@@ -179,26 +194,22 @@ pub fn claim_slot(
 	epoch: &Epoch,
 	keystore: &KeyStorePtr,
 ) -> Option<(PreDigest, AuthorityId)> {
-	let key_pairs = {
-		let keystore = keystore.read();
-		epoch.authorities.iter()
-			.enumerate()
-			.flat_map(|(i, a)| {
-				keystore.key_pair::<AuthorityPair>(&a.0).ok().map(|kp| (kp, i))
-			})
-			.collect::<Vec<_>>()
-	};
-	claim_slot_using_key_pairs(slot_number, epoch, &key_pairs)
+	let authorities = epoch.authorities.iter()
+		.enumerate()
+		.map(|(index, a)| (a.0.clone(), index))
+		.collect::<Vec<_>>();
+	claim_slot_using_keys(slot_number, epoch, keystore, &authorities)
 }
 
 /// Like `claim_slot`, but allows passing an explicit set of key pairs. Useful if we intend
 /// to make repeated calls for different slots using the same key pairs.
-pub fn claim_slot_using_key_pairs(
+pub fn claim_slot_using_keys(
 	slot_number: SlotNumber,
 	epoch: &Epoch,
-	key_pairs: &[(AuthorityPair, usize)],
+	keystore: &KeyStorePtr,
+	keys: &[(AuthorityId, usize)],
 ) -> Option<(PreDigest, AuthorityId)> {
-	claim_primary_slot(slot_number, epoch, epoch.config.c, &key_pairs)
+	claim_primary_slot(slot_number, epoch, epoch.config.c, keystore, &keys)
 		.or_else(|| {
 			if epoch.config.allowed_slots.is_secondary_plain_slots_allowed() ||
 				epoch.config.allowed_slots.is_secondary_vrf_slots_allowed()
@@ -206,7 +217,8 @@ pub fn claim_slot_using_key_pairs(
 				claim_secondary_slot(
 					slot_number,
 					&epoch,
-					&key_pairs,
+					keys,
+					keystore,
 					epoch.config.allowed_slots.is_secondary_vrf_slots_allowed(),
 				)
 			} else {
@@ -215,11 +227,6 @@ pub fn claim_slot_using_key_pairs(
 		})
 }
 
-fn get_keypair(q: &AuthorityPair) -> &schnorrkel::Keypair {
-	use sp_core::crypto::IsWrappedBy;
-	sp_core::sr25519::Pair::from_ref(q).as_ref()
-}
-
 /// Claim a primary slot if it is our turn.  Returns `None` if it is not our turn.
 /// This hashes the slot number, epoch, genesis hash, and chain randomness into
 /// the VRF.  If the VRF produces a value less than `threshold`, it is our turn,
@@ -228,33 +235,49 @@ fn claim_primary_slot(
 	slot_number: SlotNumber,
 	epoch: &Epoch,
 	c: (u64, u64),
-	key_pairs: &[(AuthorityPair, usize)],
+	keystore: &KeyStorePtr,
+	keys: &[(AuthorityId, usize)],
 ) -> Option<(PreDigest, AuthorityId)> {
 	let Epoch { authorities, randomness, epoch_index, .. } = epoch;
 
-	for (pair, authority_index) in key_pairs {
-		let transcript = super::authorship::make_transcript(randomness, slot_number, *epoch_index);
-
+	for (authority_id, authority_index) in keys {
+		let transcript = super::authorship::make_transcript(
+			randomness,
+			slot_number,
+			*epoch_index
+		);
+		let transcript_data = super::authorship::make_transcript_data(
+			randomness,
+			slot_number,
+			*epoch_index
+		);
 		// Compute the threshold we will use.
 		//
 		// We already checked that authorities contains `key.public()`, so it can't
 		// be empty.  Therefore, this division in `calculate_threshold` is safe.
 		let threshold = super::authorship::calculate_primary_threshold(c, authorities, *authority_index);
 
-		let pre_digest = get_keypair(pair)
-			.vrf_sign_after_check(transcript, |inout| super::authorship::check_primary_threshold(inout, threshold))
-			.map(|s| {
-				PreDigest::Primary(PrimaryPreDigest {
+		let result = keystore.read().sr25519_vrf_sign(
+			AuthorityId::ID,
+			authority_id.as_ref(),
+			transcript_data,
+		);
+		if let Ok(signature)  = result {
+			let public = PublicKey::from_bytes(&authority_id.to_raw_vec()).ok()?;
+			let inout = match signature.output.attach_input_hash(&public, transcript) {
+				Ok(inout) => inout,
+				Err(_) => continue,
+			};
+			if super::authorship::check_primary_threshold(&inout, threshold) {
+				let pre_digest = PreDigest::Primary(PrimaryPreDigest {
 					slot_number,
-					vrf_output: VRFOutput(s.0.to_output()),
-					vrf_proof: VRFProof(s.1),
+					vrf_output: VRFOutput(signature.output),
+					vrf_proof: VRFProof(signature.proof),
 					authority_index: *authority_index as u32,
-				})
-			});
+				});
 
-		// early exit on first successful claim
-		if let Some(pre_digest) = pre_digest {
-			return Some((pre_digest, pair.public()));
+				return Some((pre_digest, authority_id.clone()));
+			}
 		}
 	}
 

substrate/client/consensus/babe/src/tests.rs

@@ -21,8 +21,14 @@
 #![allow(deprecated)]
 use super::*;
 use authorship::claim_slot;
-use sp_core::crypto::Pair;
-use sp_consensus_babe::{AuthorityPair, SlotNumber, AllowedSlots};
+use sp_core::{crypto::Pair, vrf::make_transcript as transcript_from_data};
+use sp_consensus_babe::{
+	AuthorityPair,
+	SlotNumber,
+	AllowedSlots,
+	make_transcript,
+	make_transcript_data,
+};
 use sc_block_builder::{BlockBuilder, BlockBuilderProvider};
 use sp_consensus::{
 	NoNetwork as DummyOracle, Proposal, RecordProof,
@@ -35,6 +41,11 @@ use sp_runtime::{generic::DigestItem, traits::{Block as BlockT, DigestFor}};
 use sc_client_api::{BlockchainEvents, backend::TransactionFor};
 use log::debug;
 use std::{time::Duration, cell::RefCell, task::Poll};
+use rand::RngCore;
+use rand_chacha::{
+	rand_core::SeedableRng,
+	ChaChaRng,
+};
 
 type Item = DigestItem<Hash>;
 
@@ -796,3 +807,36 @@ fn verify_slots_are_strictly_increasing() {
 		&mut block_import,
 	);
 }
+
+#[test]
+fn babe_transcript_generation_match() {
+	let _ = env_logger::try_init();
+	let keystore_path = tempfile::tempdir().expect("Creates keystore path");
+	let keystore = sc_keystore::Store::open(keystore_path.path(), None).expect("Creates keystore");
+	let pair = keystore.write().insert_ephemeral_from_seed::<AuthorityPair>("//Alice")
+		.expect("Generates authority pair");
+
+	let epoch = Epoch {
+		start_slot: 0,
+		authorities: vec![(pair.public(), 1)],
+		randomness: [0; 32],
+		epoch_index: 1,
+		duration: 100,
+		config: BabeEpochConfiguration {
+			c: (3, 10),
+			allowed_slots: AllowedSlots::PrimaryAndSecondaryPlainSlots,
+		},
+	};
+
+	let orig_transcript = make_transcript(&epoch.randomness.clone(), 1, epoch.epoch_index);
+	let new_transcript = make_transcript_data(&epoch.randomness, 1, epoch.epoch_index);
+
+	let test = |t: merlin::Transcript| -> [u8; 16] {
+		let mut b = [0u8; 16];
+		t.build_rng()
+			.finalize(&mut ChaChaRng::from_seed([0u8;32]))
+			.fill_bytes(&mut b);
+		b
+	};
+	debug_assert!(test(orig_transcript) == test(transcript_from_data(new_transcript)));
+}

substrate/client/keystore/Cargo.toml

@@ -18,10 +18,11 @@ derive_more = "0.99.2"
 sp-core = { version = "2.0.0-rc3", path = "../../primitives/core" }
 sp-application-crypto = { version = "2.0.0-rc3", path = "../../primitives/application-crypto" }
 hex = "0.4.0"
+merlin = { version = "2.0", default-features = false }
+parking_lot = "0.10.0"
 rand = "0.7.2"
 serde_json = "1.0.41"
 subtle = "2.1.1"
-parking_lot = "0.10.0"
 
 [dev-dependencies]
 tempfile = "3.1.0"

substrate/client/keystore/src/lib.rs

@@ -20,7 +20,9 @@
 use std::{collections::{HashMap, HashSet}, path::PathBuf, fs::{self, File}, io::{self, Write}, sync::Arc};
 use sp_core::{
 	crypto::{IsWrappedBy, CryptoTypePublicPair, KeyTypeId, Pair as PairT, Protected, Public},
-	traits::{BareCryptoStore, BareCryptoStoreError as TraitError},
+	traits::{BareCryptoStore, Error as TraitError},
+	sr25519::{Public as Sr25519Public, Pair as Sr25519Pair},
+	vrf::{VRFTranscriptData, VRFSignature, make_transcript},
 	Encode,
 };
 use sp_application_crypto::{AppKey, AppPublic, AppPair, ed25519, sr25519, ecdsa};
@@ -438,6 +440,23 @@ impl BareCryptoStore for Store {
 	fn has_keys(&self, public_keys: &[(Vec<u8>, KeyTypeId)]) -> bool {
 		public_keys.iter().all(|(p, t)| self.key_phrase_by_type(&p, *t).is_ok())
 	}
+
+	fn sr25519_vrf_sign(
+		&self,
+		key_type: KeyTypeId,
+		public: &Sr25519Public,
+		transcript_data: VRFTranscriptData,
+	) -> std::result::Result<VRFSignature, TraitError> {
+		let transcript = make_transcript(transcript_data);
+		let pair = self.key_pair_by_type::<Sr25519Pair>(public, key_type)
+			.map_err(|e| TraitError::PairNotFound(e.to_string()))?;
+
+		let (inout, proof, _) = pair.as_ref().vrf_sign(transcript);
+		Ok(VRFSignature {
+			output: inout.to_output(),
+			proof,
+		})
+	}
 }
 
 #[cfg(test)]

substrate/primitives/consensus/babe/Cargo.toml

@@ -17,6 +17,7 @@ codec = { package = "parity-scale-codec", version = "1.3.0", default-features =
 merlin = { version = "2.0", default-features = false }
 sp-std = { version = "2.0.0-rc3", default-features = false, path = "../../std" }
 sp-api = { version = "2.0.0-rc3", default-features = false, path = "../../api" }
+sp-core = { version = "2.0.0-rc3", default-features = false, path = "../../core" }
 sp-consensus = { version = "0.8.0-rc3", optional = true, path = "../common" }
 sp-consensus-vrf = { version = "0.8.0-rc3", path = "../vrf", default-features = false }
 sp-inherents = { version = "2.0.0-rc3", default-features = false, path = "../../inherents" }
@@ -26,6 +27,7 @@ sp-timestamp = { version = "2.0.0-rc3", default-features = false, path = "../../
 [features]
 default = ["std"]
 std = [
+	"sp-core/std",
 	"sp-application-crypto/std",
 	"codec/std",
 	"merlin/std",

substrate/primitives/consensus/babe/src/lib.rs

@@ -31,6 +31,8 @@ pub use merlin::Transcript;
 use codec::{Encode, Decode};
 use sp_std::vec::Vec;
 use sp_runtime::{ConsensusEngineId, RuntimeDebug};
+#[cfg(feature = "std")]
+use sp_core::vrf::{VRFTranscriptData, VRFTranscriptValue};
 use crate::digests::{NextEpochDescriptor, NextConfigDescriptor};
 
 mod app {
@@ -94,6 +96,23 @@ pub fn make_transcript(
 	transcript
 }
 
+/// Make a VRF transcript data container
+#[cfg(feature = "std")]
+pub fn make_transcript_data(
+	randomness: &Randomness,
+	slot_number: u64,
+	epoch: u64,
+) -> VRFTranscriptData {
+	VRFTranscriptData {
+		label: &BABE_ENGINE_ID,
+		items: vec![
+			("slot number", VRFTranscriptValue::U64(slot_number)),
+			("current epoch", VRFTranscriptValue::U64(epoch)),
+			("chain randomness", VRFTranscriptValue::Bytes(&randomness[..])),
+		]
+	}
+}
+
 /// An consensus log item for BABE.
 #[derive(Decode, Encode, Clone, PartialEq, Eq)]
 pub enum ConsensusLog {

substrate/primitives/core/Cargo.toml

@@ -59,6 +59,7 @@ hex-literal = "0.2.1"
 rand = "0.7.2"
 criterion = "0.2.11"
 serde_json = "1.0"
+rand_chacha = "0.2.2"
 
 [[bench]]
 name = "bench"

substrate/primitives/core/src/lib.rs

@@ -73,6 +73,8 @@ pub mod traits;
 pub mod testing;
 #[cfg(feature = "std")]
 pub mod tasks;
+#[cfg(feature = "std")]
+pub mod vrf;
 
 pub use self::hash::{H160, H256, H512, convert_hash};
 pub use self::uint::{U256, U512};

substrate/primitives/core/src/testing.rs

@@ -22,10 +22,12 @@ use crate::crypto::KeyTypeId;
 use crate::{
 	crypto::{Pair, Public, CryptoTypePublicPair},
 	ed25519, sr25519, ecdsa,
-	traits::BareCryptoStoreError
+	traits::Error,
+	vrf::{VRFTranscriptData, VRFSignature, make_transcript},
 };
 #[cfg(feature = "std")]
 use std::collections::HashSet;
+
 /// Key type for generic Ed25519 key.
 pub const ED25519: KeyTypeId = KeyTypeId(*b"ed25");
 /// Key type for generic Sr 25519 key.
@@ -76,7 +78,7 @@ impl KeyStore {
 
 #[cfg(feature = "std")]
 impl crate::traits::BareCryptoStore for KeyStore {
-	fn keys(&self, id: KeyTypeId) -> Result<Vec<CryptoTypePublicPair>, BareCryptoStoreError> {
+	fn keys(&self, id: KeyTypeId) -> Result<Vec<CryptoTypePublicPair>, Error> {
 		self.keys
 			.get(&id)
 			.map(|map| {
@@ -106,11 +108,11 @@ impl crate::traits::BareCryptoStore for KeyStore {
 		&mut self,
 		id: KeyTypeId,
 		seed: Option<&str>,
-	) -> Result<sr25519::Public, BareCryptoStoreError> {
+	) -> Result<sr25519::Public, Error> {
 		match seed {
 			Some(seed) => {
 				let pair = sr25519::Pair::from_string(seed, None)
-					.map_err(|_| BareCryptoStoreError::ValidationError("Generates an `sr25519` pair.".to_owned()))?;
+					.map_err(|_| Error::ValidationError("Generates an `sr25519` pair.".to_owned()))?;
 				self.keys.entry(id).or_default().insert(pair.public().to_raw_vec(), seed.into());
 				Ok(pair.public())
 			},
@@ -137,11 +139,11 @@ impl crate::traits::BareCryptoStore for KeyStore {
 		&mut self,
 		id: KeyTypeId,
 		seed: Option<&str>,
-	) -> Result<ed25519::Public, BareCryptoStoreError> {
+	) -> Result<ed25519::Public, Error> {
 		match seed {
 			Some(seed) => {
 				let pair = ed25519::Pair::from_string(seed, None)
-					.map_err(|_| BareCryptoStoreError::ValidationError("Generates an `ed25519` pair.".to_owned()))?;
+					.map_err(|_| Error::ValidationError("Generates an `ed25519` pair.".to_owned()))?;
 				self.keys.entry(id).or_default().insert(pair.public().to_raw_vec(), seed.into());
 				Ok(pair.public())
 			},
@@ -168,11 +170,11 @@ impl crate::traits::BareCryptoStore for KeyStore {
 		&mut self,
 		id: KeyTypeId,
 		seed: Option<&str>,
-	) -> Result<ecdsa::Public, BareCryptoStoreError> {
+	) -> Result<ecdsa::Public, Error> {
 		match seed {
 			Some(seed) => {
 				let pair = ecdsa::Pair::from_string(seed, None)
-					.map_err(|_| BareCryptoStoreError::ValidationError("Generates an `ecdsa` pair.".to_owned()))?;
+					.map_err(|_| Error::ValidationError("Generates an `ecdsa` pair.".to_owned()))?;
 				self.keys.entry(id).or_default().insert(pair.public().to_raw_vec(), seed.into());
 				Ok(pair.public())
 			},
@@ -201,7 +203,7 @@ impl crate::traits::BareCryptoStore for KeyStore {
 		&self,
 		id: KeyTypeId,
 		keys: Vec<CryptoTypePublicPair>,
-	) -> std::result::Result<Vec<CryptoTypePublicPair>, BareCryptoStoreError> {
+	) -> std::result::Result<Vec<CryptoTypePublicPair>, Error> {
 		let provided_keys = keys.into_iter().collect::<HashSet<_>>();
 		let all_keys = self.keys(id)?.into_iter().collect::<HashSet<_>>();
 
@@ -213,31 +215,48 @@ impl crate::traits::BareCryptoStore for KeyStore {
 		id: KeyTypeId,
 		key: &CryptoTypePublicPair,
 		msg: &[u8],
-	) -> Result<Vec<u8>, BareCryptoStoreError> {
+	) -> Result<Vec<u8>, Error> {
 		use codec::Encode;
 
 		match key.0 {
 			ed25519::CRYPTO_ID => {
 				let key_pair: ed25519::Pair = self
 					.ed25519_key_pair(id, &ed25519::Public::from_slice(key.1.as_slice()))
-					.ok_or(BareCryptoStoreError::PairNotFound("ed25519".to_owned()))?;
+					.ok_or(Error::PairNotFound("ed25519".to_owned()))?;
 				return Ok(key_pair.sign(msg).encode());
 			}
 			sr25519::CRYPTO_ID => {
 				let key_pair: sr25519::Pair = self
 					.sr25519_key_pair(id, &sr25519::Public::from_slice(key.1.as_slice()))
-					.ok_or(BareCryptoStoreError::PairNotFound("sr25519".to_owned()))?;
+					.ok_or(Error::PairNotFound("sr25519".to_owned()))?;
 				return Ok(key_pair.sign(msg).encode());
 			}
 			ecdsa::CRYPTO_ID => {
 				let key_pair: ecdsa::Pair = self
 					.ecdsa_key_pair(id, &ecdsa::Public::from_slice(key.1.as_slice()))
-					.ok_or(BareCryptoStoreError::PairNotFound("ecdsa".to_owned()))?;
+					.ok_or(Error::PairNotFound("ecdsa".to_owned()))?;
 				return Ok(key_pair.sign(msg).encode());
 			}
-			_ => Err(BareCryptoStoreError::KeyNotSupported(id))
+			_ => Err(Error::KeyNotSupported(id))
 		}
 	}
+
+	fn sr25519_vrf_sign(
+		&self,
+		key_type: KeyTypeId,
+		public: &sr25519::Public,
+		transcript_data: VRFTranscriptData,
+	) -> Result<VRFSignature, Error> {
+		let transcript = make_transcript(transcript_data);
+		let pair = self.sr25519_key_pair(key_type, public)
+			.ok_or(Error::PairNotFound("Not found".to_owned()))?;
+
+		let (inout, proof, _) = pair.as_ref().vrf_sign(transcript);
+		Ok(VRFSignature {
+			output: inout.to_output(),
+			proof,
+		})
+	}
 }
 
 /// Macro for exporting functions from wasm in with the expected signature for using it with the
@@ -372,6 +391,7 @@ mod tests {
 	use super::*;
 	use crate::sr25519;
 	use crate::testing::{ED25519, SR25519};
+	use crate::vrf::VRFTranscriptValue;
 
 	#[test]
 	fn store_key_and_extract() {
@@ -403,4 +423,42 @@ mod tests {
 
 		assert!(public_keys.contains(&key_pair.public().into()));
 	}
+
+	#[test]
+	fn vrf_sign() {
+		let store = KeyStore::new();
+
+		let secret_uri = "//Alice";
+		let key_pair = sr25519::Pair::from_string(secret_uri, None).expect("Generates key pair");
+
+		let transcript_data = VRFTranscriptData {
+			label: b"Test",
+			items: vec![
+				("one", VRFTranscriptValue::U64(1)),
+				("two", VRFTranscriptValue::U64(2)),
+				("three", VRFTranscriptValue::Bytes("test".as_bytes())),
+			]
+		};
+
+		let result = store.read().sr25519_vrf_sign(
+			SR25519,
+			&key_pair.public(),
+			transcript_data.clone(),
+		);
+		assert!(result.is_err());
+
+		store.write().insert_unknown(
+			SR25519,
+			secret_uri,
+			key_pair.public().as_ref(),
+		).expect("Inserts unknown key");
+
+		let result = store.read().sr25519_vrf_sign(
+			SR25519,
+			&key_pair.public(),
+			transcript_data,
+		);
+
+		assert!(result.is_ok());
+	}
 }

substrate/primitives/core/src/traits.rs

@@ -19,9 +19,9 @@
 
 use crate::{
 	crypto::{KeyTypeId, CryptoTypePublicPair},
+	vrf::{VRFTranscriptData, VRFSignature},
 	ed25519, sr25519, ecdsa,
 };
-
 use std::{
 	borrow::Cow,
 	fmt::{Debug, Display},
@@ -33,7 +33,7 @@ pub use sp_externalities::{Externalities, ExternalitiesExt};
 
 /// BareCryptoStore error
 #[derive(Debug, derive_more::Display)]
-pub enum BareCryptoStoreError {
+pub enum Error {
 	/// Public key type is not supported
 	#[display(fmt="Key not supported: {:?}", _0)]
 	KeyNotSupported(KeyTypeId),
@@ -64,7 +64,7 @@ pub trait BareCryptoStore: Send + Sync {
 		&mut self,
 		id: KeyTypeId,
 		seed: Option<&str>,
-	) -> Result<sr25519::Public, BareCryptoStoreError>;
+	) -> Result<sr25519::Public, Error>;
 	/// Returns all ed25519 public keys for the given key type.
 	fn ed25519_public_keys(&self, id: KeyTypeId) -> Vec<ed25519::Public>;
 	/// Generate a new ed25519 key pair for the given key type and an optional seed.
@@ -76,7 +76,7 @@ pub trait BareCryptoStore: Send + Sync {
 		&mut self,
 		id: KeyTypeId,
 		seed: Option<&str>,
-	) -> Result<ed25519::Public, BareCryptoStoreError>;
+	) -> Result<ed25519::Public, Error>;
 	/// Returns all ecdsa public keys for the given key type.
 	fn ecdsa_public_keys(&self, id: KeyTypeId) -> Vec<ecdsa::Public>;
 	/// Generate a new ecdsa key pair for the given key type and an optional seed.
@@ -88,7 +88,7 @@ pub trait BareCryptoStore: Send + Sync {
 		&mut self,
 		id: KeyTypeId,
 		seed: Option<&str>,
-	) -> Result<ecdsa::Public, BareCryptoStoreError>;
+	) -> Result<ecdsa::Public, Error>;
 
 	/// Insert a new key. This doesn't require any known of the crypto; but a public key must be
 	/// manually provided.
@@ -108,11 +108,11 @@ pub trait BareCryptoStore: Send + Sync {
 		&self,
 		id: KeyTypeId,
 		keys: Vec<CryptoTypePublicPair>
-	) -> Result<Vec<CryptoTypePublicPair>, BareCryptoStoreError>;
+	) -> Result<Vec<CryptoTypePublicPair>, Error>;
 	/// List all supported keys
 	///
 	/// Returns a set of public keys the signer supports.
-	fn keys(&self, id: KeyTypeId) -> Result<Vec<CryptoTypePublicPair>, BareCryptoStoreError>;
+	fn keys(&self, id: KeyTypeId) -> Result<Vec<CryptoTypePublicPair>, Error>;
 
 	/// Checks if the private keys for the given public key and key type combinations exist.
 	///
@@ -131,7 +131,7 @@ pub trait BareCryptoStore: Send + Sync {
 		id: KeyTypeId,
 		key: &CryptoTypePublicPair,
 		msg: &[u8],
-	) -> Result<Vec<u8>, BareCryptoStoreError>;
+	) -> Result<Vec<u8>, Error>;
 
 	/// Sign with any key
 	///
@@ -144,7 +144,7 @@ pub trait BareCryptoStore: Send + Sync {
 		id: KeyTypeId,
 		keys: Vec<CryptoTypePublicPair>,
 		msg: &[u8]
-	) -> Result<(CryptoTypePublicPair, Vec<u8>), BareCryptoStoreError> {
+	) -> Result<(CryptoTypePublicPair, Vec<u8>), Error> {
 		if keys.len() == 1 {
 			return self.sign_with(id, &keys[0], msg).map(|s| (keys[0].clone(), s));
 		} else {
@@ -154,7 +154,7 @@ pub trait BareCryptoStore: Send + Sync {
 				}
 			}
 		}
-		Err(BareCryptoStoreError::KeyNotSupported(id))
+		Err(Error::KeyNotSupported(id))
 	}
 
 	/// Sign with all keys
@@ -163,15 +163,36 @@ pub trait BareCryptoStore: Send + Sync {
 	/// each key given that the key is supported.
 	///
 	/// Returns a list of `Result`s each representing the SCALE encoded
-	/// signature of each key or a BareCryptoStoreError for non-supported keys.
+	/// signature of each key or a Error for non-supported keys.
 	fn sign_with_all(
 		&self,
 		id: KeyTypeId,
 		keys: Vec<CryptoTypePublicPair>,
 		msg: &[u8],
-	) -> Result<Vec<Result<Vec<u8>, BareCryptoStoreError>>, ()>{
+	) -> Result<Vec<Result<Vec<u8>, Error>>, ()>{
 		Ok(keys.iter().map(|k| self.sign_with(id, k, msg)).collect())
 	}
+
+	/// Generate VRF signature for given transcript data.
+	///
+	/// Receives KeyTypeId and Public key to be able to map
+	/// them to a private key that exists in the keystore which
+	/// is, in turn, used for signing the provided transcript.
+	///
+	/// Returns a result containing the signature data.
+	/// Namely, VRFOutput and VRFProof which are returned
+	/// inside the `VRFSignature` container struct.
+	///
+	/// This function will return an error in the cases where
+	/// the public key and key type provided do not match a private
+	/// key in the keystore. Or, in the context of remote signing
+	/// an error could be a network one.
+	fn sr25519_vrf_sign(
+		&self,
+		key_type: KeyTypeId,
+		public: &sr25519::Public,
+		transcript_data: VRFTranscriptData,
+	) -> Result<VRFSignature, Error>;
 }
 
 /// A pointer to the key store.

substrate/primitives/core/src/vrf.rs

@@ -0,0 +1,99 @@
+// This file is part of Substrate.
+
+// Copyright (C) 2019-2020 Parity Technologies (UK) Ltd.
+// SPDX-License-Identifier: Apache-2.0
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// 	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! VRF-specifc data types and helpers
+
+use codec::Encode;
+use merlin::Transcript;
+use schnorrkel::vrf::{VRFOutput, VRFProof};
+/// An enum whose variants represent possible
+/// accepted values to construct the VRF transcript
+#[derive(Clone, Encode)]
+pub enum VRFTranscriptValue<'a> {
+	/// Value is an array of bytes
+	Bytes(&'a [u8]),
+	/// Value is a u64 integer
+	U64(u64),
+}
+/// VRF Transcript data
+#[derive(Clone, Encode)]
+pub struct VRFTranscriptData<'a> {
+	/// The transcript's label
+	pub label: &'static [u8],
+	/// Additional data to be registered into the transcript
+	pub items: Vec<(&'static str, VRFTranscriptValue<'a>)>,
+}
+/// VRF signature data
+pub struct VRFSignature {
+	/// The VRFOutput serialized
+	pub output: VRFOutput,
+	/// The calculated VRFProof
+	pub proof: VRFProof,
+}
+
+/// Construct a `Transcript` object from data.
+///
+/// Returns `merlin::Transcript`
+pub fn make_transcript(data: VRFTranscriptData) -> Transcript {
+	let mut transcript = Transcript::new(data.label);
+	for (label, value) in data.items.into_iter() {
+		match value {
+			VRFTranscriptValue::Bytes(bytes) => {
+				transcript.append_message(label.as_bytes(), &bytes);
+			},
+			VRFTranscriptValue::U64(val) => {
+				transcript.append_u64(label.as_bytes(), val);
+			}
+		}
+	}
+	transcript
+}
+
+
+#[cfg(test)]
+mod tests {
+	use super::*;
+	use crate::vrf::VRFTranscriptValue;
+	use rand::RngCore;
+	use rand_chacha::{
+		rand_core::SeedableRng,
+		ChaChaRng,
+	};
+
+	#[test]
+	fn transcript_creation_matches() {
+		let mut orig_transcript = Transcript::new(b"My label");
+		orig_transcript.append_u64(b"one", 1);
+		orig_transcript.append_message(b"two", "test".as_bytes());
+
+		let new_transcript = make_transcript(VRFTranscriptData {
+			label: b"My label",
+			items: vec![
+				("one", VRFTranscriptValue::U64(1)),
+				("two", VRFTranscriptValue::Bytes("test".as_bytes())),
+			],
+		});
+		let test = |t: Transcript| -> [u8; 16] {
+			let mut b = [0u8; 16];
+			t.build_rng()
+				.finalize(&mut ChaChaRng::from_seed([0u8;32]))
+				.fill_bytes(&mut b);
+			b
+		};
+		debug_assert!(test(orig_transcript) == test(new_transcript));
+	}
+}