feat: add signature aggregation using python bindings

[anshalshukla]

🗒️ Description

Supports aggregation as per our discussion for devnet2.

The current implementation of aggregation bindings don't actually aggregate the signatures and instead return a single 0 byte, same for the verification API. This will be updated when we have aggregation support for current signature encoding scheme on TEST_CONFIG.

✅ Checklist

• Ran tox checks to avoid unnecessary CI fails:

  uvx tox

• Considered adding appropriate tests for the changes.
• Considered updating the online docs in the ./docs/ directory.

[anshalshukla]

In my bindings of leanMultisig I've added a is_test flag which when set return a single 0 byte, similarly in verification API with the is_test flag set it returns true if the payload is single 0 byte.

I've commented out testcases related to invalid signatures as current the aggregation & verification is in test mode.

Once we have working devnet-2 branch on leanMultisig for TEST_CONFIG signatures, it will be a basic upgrade to remove the is_test flag from the aggregation and verification APIs in aggregation.py along with other updates on the bindings repo. I think given the minimal changes we will require here once we have the aggregation stuff starts working we can merge this PR. Client teams can start working on this and they should be able to aggregate as sigs as well as devnet-2 branch works fine for PROD_CONFIG.

[unnawut]

I wonder for the process of build_block(), do we need to manipulate aggregated attestations at all?

If I understand these parts correctly (and I have low confidence I do 😅 ), I think these are all to do with re-using/merging/splitting/deduplicating aggregated attestations that are the complex ones:

• https://github.com/leanEthereum/leanSpec/pull/238/changes#diff-c33ac3d9a3d230286b9b58b4608c6452a177cc99780ab25d661aef495114b147R663-R684
• https://github.com/leanEthereum/leanSpec/pull/238/changes#diff-c33ac3d9a3d230286b9b58b4608c6452a177cc99780ab25d661aef495114b147R881-R904
• https://github.com/leanEthereum/leanSpec/pull/238/changes#diff-c33ac3d9a3d230286b9b58b4608c6452a177cc99780ab25d661aef495114b147R908-R999
• https://github.com/leanEthereum/leanSpec/pull/238/changes#diff-521c2ab2c97f82296cc7caae585e3885a71c5a6b17693ff9bb7a26d7addd7cc7R19-R54

---

But can we say that:

1. Aggregated attestations that are already included in a block is final. Once it's processed, it becomes part of state.justifications and so it never needs to be revisited/reused. It can be dropped after processing into the state. The only need for storing it is for slashing detection (which we don't consider soon).

2. New individual attestations can be aggregated without concerning about existing aggregations. Because 1) leanMultisig can merge duplicate attestations, 2) Duplicate attestations don't affect the state.

3. Each block can already have multiple aggregated attestations, so late aggregation and on-time aggregation don't compete for a block. So multiple aggregations can keep flowing in anyway without the merging/splitting.

4. Eventually we'll have a separate aggregated_attestation gossip topic. We can do the merging by listening & responding to gossips than being part of block building? This would allow for a separate aggregator role in the future too.

---

If this all makes sense then maybe we can drop all the aggregation merging and splitting from the specs and only need 2 features around aggregation?

1. Build block by aggregating individual attestations per unique attestation data. There may be chances a block has multiple aggregations due to different attestation data
2. Ability to process multiple aggregated attestations from a block.body.attestations

[tcoratger]

I don't think that we should have any PROD_CONFIG in the codebase, we should use the env variable right?

[tcoratger]

These implementation details should change in the future (especially when we will not rely on the bindings anylire) so no need to add them here in the doc.

Suggested change

	For each aggregated attestation, collect the participating validators' public keys and
	signatures, then produce a single leanVM aggregated signature proof blob using
	`xmss_aggregate_signatures` (via `aggregate_signatures`).
	For each aggregated attestation, collect the participating validators' public keys and
	signatures, then produce a single leanVM aggregated signature proof.

[tcoratger]

Here maybe we could have a less verbose name such as validate_unique_contributions ? Or maybe another idea?

[tcoratger]

Something like this should be more pythonic and compact no?

groups = defaultdict(list)
for att in self:
    groups[att.data.data_root_bytes()].append(att.aggregation_bits)

for bits_list in groups.values():
    if len(bits_list) <= 1:
        continue

    # 1. Convert bitfields to sets of active indices
    sets = [{i for i, bit in enumerate(bits.data) if bit} for bits in bits_list]

    # 2. Count index occurrences across the entire group
    counts = Counter(idx for s in sets for idx in s)

    # 3. Verify EVERY attestation has ANY index that appears EXACTLY once
    if not all(any(counts[i] == 1 for i in s) for s in sets):
        return False

return True

[g11tech]

yes looks simple to read

[tcoratger]

Same I think that is useless

[tcoratger]

No need for this we can directly put the other tests without this comment.

Suggested change

	# ============================================================================
	# Additional edge case tests for _aggregate_signatures_from_gossip
	# ============================================================================

[tcoratger]

Same

Suggested change

	# ============================================================================
	# Additional edge case tests for _aggregate_signatures_from_block_payload
	# ============================================================================

[tcoratger]

Suggested change

	# ============================================================================
	# Additional edge case tests for split_aggregated_attestations
	# ============================================================================

[tcoratger]

Suggested change

	# ============================================================================
	# Additional edge case tests for compute_aggregated_signatures
	# ============================================================================

[g11tech]

this condition should always be true, we just need to track if we have gossip sig for it or not

[unnawut]

I want to spend a bit more time to understand compute_aggregated_signatures() and split_aggregated_attestations() and the tests, but like Thomas said these can go separate conversations.

[anshalshukla]

I've removed compute_aggregated_signatures() and simplified split_aggregated_attestaations(). I've also removed validate_unique_participants().

In the updated logic there is a possibility that there are some attestations that are do not contribute with any unique validator, this is fine as in the following devnet, we will recursively aggregate the attestations with same data_root so having a little bit of inefficiency for clarity is okay I believe. In the current form, implementing recursive aggregation will be easier as well.

Other changes are nicely described here