Implement Proof Of Possession capability for all public key crypto types

[drskalman]

Description

• Implement ProofOfPossession traits with default implementation.

• Implement their derive macro in a new proc-macro crate in pubkeycrypto create which eventually should contains all pubkey crypto scheme as recommended by Move crypto implementations out of sp-core #1975

• Derive ProofOfPossession for all pubkey crypto type beside BLS.

• Implement Nugget BLS proof of possession which should certifies that the unique secret key known to the prover is used to generate both public keys in G1 and G2.

• Implement sign Host function for BLS12-381 necessary to be able to generate proof of possion through runtime.

• Implement generation and verification of proof of possession functions in all RuntimeApp and RuntimeAppPublic s.

✄ -----------------------------------------------------------------------------

Checklist

• My PR includes a detailed description as outlined in the "Description" and its two subsections above.
• My PR follows the labeling requirements of this project (at minimum one label for T required)
  • External contributors: ask maintainers to put the right label on your PR.
• I have made corresponding changes to the documentation (if applicable)
• I have added tests that prove my fix is effective or that my feature works (if applicable)

You can remove the "Checklist" section once all have been checked. Thank you for your contribution!

✄ -----------------------------------------------------------------------------

[burdges]

We added backcerts of operator keys alraedy, no? Or was that an RFC but not yet implemented?

We could use backcerts for proof-of-possession. Ideally, we should place system randomness into those backcerts and place them on-chain, but this requires tweaking ed25519 I guess.

[drskalman]

@burdges Could you point to the backcerts PR or its RFC so I can take a look? Thank you.

[burdges]

polkadot-fellows/RFCs#48

It's seemingly just ownership proofs, but really they should sign the operators key, making them backcerts.

I proposed having some master session key too, but that's a bigger change. We could simply back certify both the operators' key and some piece of system randomness sampled at node startup.

[davxy]

@drskalman, as we discussed, I believe that, along with the code (and prior to merging this PR), an amendment to the aforementioned RFC should be proposed and integrated.

[burdges]

It's offten that backcerts get forgotten because we do not see them in TLS since the handshake itself represents the backcert, meaning the site itself sent you their certificate in the authenticated channel, so they approved that certificate.

If we lack them in polkadot, then an adversary could pull tricks like claiming someone else's grandpa key was their grandpa key, maybe some unelected node, and then ignore grandpa themselves. We've no idea what bugs exist in substrate under such scenarios, but even if we handle them gracefully they still cause problems elsewhere.