Skip to content

Add Math.modExp and a Panic library #3298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Amxx merged 60 commits into from
Feb 2, 2024
Merged

Add Math.modExp and a Panic library #3298

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
60 commits
Select commit Hold shift + click to select a range
91e39eb
Added Wrapper Library for ModularExponentiation along with tests.
mw2000 Mar 27, 2022
712a0f3
Fixed linting issues.
mw2000 Mar 27, 2022
77f33ea
Added function to Math.sol and migrated tests.
mw2000 Apr 9, 2022
4683f26
Merge branch 'master' into modular-exponentiation-precompile-wrapper-…
mw2000 Dec 23, 2022
7489ce4
Merge remote-tracking branch 'origin/master' into modular-exponentiat…
mw2000 Jun 8, 2023
d576641
Added tests
mw2000 Jun 9, 2023
0d78d29
Fixed lint
mw2000 Jun 9, 2023
5d99ed8
Added changeset
mw2000 Jun 9, 2023
acb16f2
Merge branch 'master' into modular-exponentiation-precompile-wrapper-…
mw2000 Jun 9, 2023
d7e81cf
Fixed codespell error
mw2000 Jun 9, 2023
85187dd
Fixed function calling in tests
mw2000 Jun 10, 2023
d458765
Merge branch 'master' into modular-exponentiation-precompile-wrapper-…
mw2000 Jun 11, 2023
01badeb
Update contracts/utils/math/Math.sol
Amxx Jun 12, 2023
a1c1439
Added a restriction to e
mw2000 Jun 25, 2023
d81d69d
Merge branch 'modular-exponentiation-precompile-wrapper-#1985' of htt…
mw2000 Jun 25, 2023
6e8cced
Merge branch 'master' into modular-exponentiation-precompile-wrapper-…
mw2000 Jun 25, 2023
fd7b8de
All args should be non-zero
mw2000 Jun 25, 2023
26a036e
Seperating the e and m != 0 out
mw2000 Jun 25, 2023
4ba0a29
Fixed test when m = 1
mw2000 Nov 8, 2023
988c950
Merge branch 'master' into modular-exponentiation-precompile-wrapper-…
mw2000 Nov 8, 2023
c08ac50
Added last bracket.
mw2000 Nov 8, 2023
98f7994
Fixed lint issues
mw2000 Nov 8, 2023
f634aab
Merge branch 'master' into modular-exponentiation-precompile-wrapper-…
mw2000 Dec 24, 2023
66a0c1f
Added custom errors + tests for it
mw2000 Dec 24, 2023
eecd818
Added comments for errors
mw2000 Dec 24, 2023
1583160
Added a not to be reverted for custom error
mw2000 Dec 24, 2023
19ead8e
Merge branch 'master' into modular-exponentiation-precompile-wrapper-…
Amxx Jan 25, 2024
8cf355f
better fuzzing for modexp
Amxx Jan 25, 2024
113e85e
cleanup tests
Amxx Jan 25, 2024
4e1cf0d
Update .changeset/shiny-poets-whisper.md
Amxx Jan 25, 2024
6d7c154
return 0 instead of reverting in case of error
Amxx Jan 25, 2024
84b285d
fallback to revert
Amxx Jan 25, 2024
9e73f46
simplification
Amxx Jan 25, 2024
76c9afa
cleanup
Amxx Jan 25, 2024
1ff0776
Refactor fuzz test
ernestognw Jan 29, 2024
f84b1b6
Lint
ernestognw Jan 29, 2024
fe32a38
mulDiv fuzzing with no external
Amxx Jan 29, 2024
4accc2e
modExp in assembly to avoid memory leaks
Amxx Jan 31, 2024
cfd80e9
optimise and mark as memory-safe
Amxx Jan 31, 2024
526d6b9
add note about using Ferma's little theorem to compute inverse in big…
Amxx Jan 31, 2024
3718090
Add utils/Panic.sol library
Amxx Feb 1, 2024
cd2f2e9
add missing files
Amxx Feb 1, 2024
104002e
fix lint
Amxx Feb 1, 2024
d149ea6
mark constants as internal
Amxx Feb 1, 2024
05aa60e
slither disable
Amxx Feb 1, 2024
f352681
add unit testing for Panic
Amxx Feb 1, 2024
32ea4bb
Update test/utils/Panic.test.js
Amxx Feb 1, 2024
2e962c8
fix lint
Amxx Feb 1, 2024
275c959
Update Panic.sol
Amxx Feb 1, 2024
24cd52a
Implement tryMod
ernestognw Feb 2, 2024
50374a1
Implement review suggestions
ernestognw Feb 2, 2024
ee91836
fix tryModExp behavior and test
Amxx Feb 2, 2024
d13e52d
better vm.expectRevert check
Amxx Feb 2, 2024
969e259
use stdErrors for forge-std
Amxx Feb 2, 2024
e64c3f9
remove unecessary import
Amxx Feb 2, 2024
06220be
add a mock to force import libraries
Amxx Feb 2, 2024
9137bae
rename panic codes following libsolutil
Amxx Feb 2, 2024
81e8ba0
fix lint
Amxx Feb 2, 2024
2b72050
Merge branch 'master' into modular-exponentiation-precompile-wrapper-…
Amxx Feb 2, 2024
2fc20d4
Nits
ernestognw Feb 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fallback to revert
  • Loading branch information
@Amxx
Amxx committed Jan 25, 2024
commit 84b285db5716c2cc7d44cae02534331eeafc9080
23 changes: 19 additions & 4 deletions contracts/utils/math/Math.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,14 @@ library Math {
* @dev Muldiv operation overflow.
*/
error MathOverflowedMulDiv();
/**
* @dev Modulus zero in Mod Exp operation.
*/
error MathModulusEqualsZero();
/**
* @dev Static call to Mod Exp precompile fails.
*/
error MathModExpCannotBeCalculated();

enum Rounding {
Floor, // Toward negative infinity
Expand Down Expand Up @@ -276,14 +284,21 @@ library Math {
}

/**
* @dev Returns the modular exponentiation of the specified base, exponent and modulus (b ** e % m).
* @dev Returns the modular exponentiation of the specified base, exponent and modulus (b ** e % m)
*
* If the modulus is 0 or if the EIP-198 precompile reverts, return 0 (which is obviously an invalid result).
* Requirements:
* - modulus can't be zero
* - result should be obtained successfully
*/
function modExp(uint256 b, uint256 e, uint256 m) internal view returns (uint256) {
if (m == 0) return 0;
if (m == 0) {
revert MathModulusEqualsZero();
}
Copy link
Member

@ernestognw ernestognw Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default behavior of the precompile is to return 0 when m == 0. Wouldn't make more sense to respect the precompile behavior and treat it as a noop? @Amxx

Copy link
Collaborator

@Amxx Amxx Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here, returning 0 if m == 0 would be like returning 0 when dividing something by 0.

Maybe at the precompile level its ok to do so, because they expect callers of the precompile will check they are not doing anything stupid, and because they don't want to handle reverts in precompile (just like ecrecover will return address(0) with invalid signatures).

But we are at the library level, and I think we should revert if someone tries to divide by 0 (or do modulo 0)

Copy link
Member

@ernestognw ernestognw Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah but why is it stupid to allow % 0? If there's a concrete reason why this is dangerous, then let's keep it.

The thing is that I haven't come up with any good reason for either other than that it's difficult to remove the check once released 😅

I agree with restricting the precompile at the library level, but the main difference with ECDSA is that it's dangerous to use it without the wrapper because there's a way of replaying a signature.

Copy link
Collaborator

@Amxx Amxx Jan 29, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah but why is it stupid to allow % 0?

x % 0 is the remainder of the division of x by 0. What more can I say ?

The result should be a positive integer that is < 0.

Copy link
Member

@ernestognw ernestognw Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And? How is someone stupid for returning 0?

I am really sorry if this still doesn't make sense to you but I can't see a single reason why that is dangerous so that someone using it is stupid.

Copy link
Collaborator

@Amxx Amxx Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you seriously consider that mulDiv(1,1,0) should return 0 as well?

Copy link
Member

@ernestognw ernestognw Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But 0 div panics by default. modexp doesn't.

As I said, I don't have reasons for saying it's okay or not. Doesn't seem harmful and restricting is irreversible.

Copy link
Collaborator

@Amxx Amxx Jan 29, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

interrestingly,

contract Test {
    // reverts
    function mod1() public pure returns (uint256 result) {
        result = uint256(1) % uint256(0);
    }
    // reverts
    function mod2() public pure returns (uint256 result) {
        unchecked { result = uint256(1) % uint256(0); }
    }
    // returns 0
    function mod3() public pure returns (uint256 result) {
        assembly { result := mod(1, 0) }
    }
}

Copy link
Collaborator

@Amxx Amxx Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Continuing the discussion on slack.

(bool success, bytes memory result) = (address(5).staticcall(abi.encode(32, 32, 32, b, e, m)));
return success ? abi.decode(result, (uint256)) : 0;
if (!success) {
revert MathModExpCannotBeCalculated();
}
Copy link
Member

@ernestognw ernestognw Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't find a way to make the precompile fail, not even with m == 0. I looked at:

I'll try sending less gas than required to test this error.

Copy link
Member

@ernestognw ernestognw Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Didn't work, I tried different gasLimit values in the following test;

 it.only('reverts with not enough gas', async function () {
  await expect(
    this.mock.$modExp(
      0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffn,
      0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffn,
      0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffn,
      {
        gasLimit: 25_000,
      },
    ),
  ).to.be.revertedWithCustomError(this.mock, 'MathModExpCannotBeCalculated');
});

It reverts as out of gas but doesn't trigger the MathModExpCannotBeCalculated.

Copy link
Collaborator

@Amxx Amxx Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, I guess that is because if the precompile has not enough gas, than the 1/64 that remains after that are not enough to check success and revert with a custom error

return abi.decode(result, (uint256));
}

/**
Expand Down
14 changes: 7 additions & 7 deletions test/utils/math/Math.t.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,15 +208,11 @@ contract MathTest is Test {

// MOD EXP
function testModExp(uint256 b, uint256 e, uint256 m) public {
uint256 result = Math.modExp(b, e, m);

if (m == 0) {
// 0 means error
assertEq(result, 0);
} else {
// Result should be less than m, and should match the native implementation
try this.modexp(b, e, m) returns (uint256 result) {
assertTrue(result < m);
assertEq(result, _nativeModExp(b, e, m));
} catch {
assertEq(m, 0);
}
}

Expand All @@ -238,6 +234,10 @@ contract MathTest is Test {
return Math.mulDiv(x, y, d);
}

function modexp(uint256 a, uint256 k, uint256 n) external view returns (uint256) {
return Math.modExp(a, k, n);
}

// Helpers
function _asRounding(uint8 r) private pure returns (Math.Rounding) {
vm.assume(r < uint8(type(Math.Rounding).max));
Expand Down
7 changes: 5 additions & 2 deletions test/utils/math/Math.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -345,12 +345,15 @@ describe('Math', function () {
expect(await this.mock.$modExp(base, exponent, modulus)).to.equal(base ** exponent % modulus);
});

it('returns zero when modulus is zero', async function () {
it('is correctly reverting when modulus is zero', async function () {
const base = 3n;
const exponent = 200n;
const modulus = 0n;

expect(await this.mock.$modExp(base, exponent, modulus)).to.equal(0n);
await expect(this.mock.$modExp(base, exponent, modulus)).to.be.revertedWithCustomError(
this.mock,
'MathModulusEqualsZero',
);
});
});

Expand Down