Skip to content

Implement P256 verification via RIP-7212 precompile with Solidity fallback #4881

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Amxx merged 82 commits into from
Jul 3, 2024
Merged

Implement P256 verification via RIP-7212 precompile with Solidity fallback #4881

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
82 commits
Select commit Hold shift + click to select a range
5e82076
Add P256 implementation and testing
Amxx Feb 7, 2024
da0f27e
enable optimizations by default
Amxx Feb 7, 2024
aa59c67
test recovering address
Amxx Feb 7, 2024
9512947
improved testing
Amxx Feb 7, 2024
a60bf48
spelling
Amxx Feb 7, 2024
9185026
fix lint
Amxx Feb 7, 2024
025e360
expose imports tick
Amxx Feb 7, 2024
803e735
fix lint
Amxx Feb 7, 2024
57fcecd
fix lint
Amxx Feb 7, 2024
4dae298
add changeset
Amxx Feb 7, 2024
6cf039d
improve doc
Amxx Feb 7, 2024
c094fa1
add envvar to force allowUnlimitedContractSize
Amxx Feb 7, 2024
20a03df
fix lint
Amxx Feb 7, 2024
15f1a6b
fix stack too deep error in coverage
Amxx Feb 7, 2024
e2040e4
reoder arguments to match ecrecover and EIP-7212
Amxx Feb 13, 2024
695b732
reduce diff
Amxx Mar 13, 2024
41aaf71
Merge branch 'master' into feature/P256
Amxx Mar 13, 2024
3bf4557
Update contracts/utils/cryptography/P256.sol
Amxx Apr 24, 2024
3cbf426
Merge branch 'master' into feature/P256
Amxx Apr 25, 2024
bba7fa3
update pseudocode reference
Amxx Apr 25, 2024
2812ed8
Update contracts/utils/cryptography/P256.sol
Amxx Apr 25, 2024
e0ef63b
refactor neutral element in jAdd
Amxx Apr 26, 2024
61a244d
add EIP-7212 support
Amxx May 17, 2024
910bc71
Merge branch 'master' into feature/P256
Amxx Jun 12, 2024
2e9d04d
Apply PR suggestions
ernestognw Jun 14, 2024
9062633
move invModPrime to Math.sol
Amxx Jun 17, 2024
a44bb71
update
Amxx Jun 17, 2024
3a6e1f5
update
Amxx Jun 17, 2024
3e71fad
codespell
Amxx Jun 17, 2024
887272b
test signature maleability
Amxx Jun 17, 2024
433548f
Iterate
ernestognw Jun 20, 2024
4f80ca0
Add more comments
ernestognw Jun 21, 2024
be69f5c
remove P256 public key to address derivation
Amxx Jun 21, 2024
fcde23f
Move publicKey from privateKey derivation function to tests
ernestognw Jun 21, 2024
5828566
Remove unnecessary test
ernestognw Jun 21, 2024
9362936
add wycheproof test
cairoeth Jun 21, 2024
921745b
Readd malleability check and rename
ernestognw Jun 22, 2024
2c113f4
Change arguments to bytes32
ernestognw Jun 22, 2024
fb7dc6f
remove unused malleable version
Amxx Jun 24, 2024
f264dae
Update contracts/utils/cryptography/P256.sol
Amxx Jun 24, 2024
2c9a137
Update contracts/utils/cryptography/P256.sol
Amxx Jun 24, 2024
f4cbf51
up
Amxx Jun 24, 2024
0227656
recovery malleability
Amxx Jun 24, 2024
e3a8338
fix bug (inverse return values)
Amxx Jun 24, 2024
cbd2ff5
better private key gen
cairoeth Jun 24, 2024
194f19a
Update contracts/utils/cryptography/P256.sol
ernestognw Jun 24, 2024
704a12e
Fix hardhat tests and add documentation
ernestognw Jun 24, 2024
61d52a5
Update test/utils/cryptography/P256.test.js
Amxx Jun 24, 2024
242c796
Ensure lower s in Foundry tests
ernestognw Jun 24, 2024
787834d
Lint
ernestognw Jun 24, 2024
d8f4f7e
fix bug for valid signatures with large `r` values
cairoeth Jun 24, 2024
fc54017
run original wycheproof in hardhat
Amxx Jun 24, 2024
5a7887b
Merge remote-tracking branch 'amxx/feature/P256' into feature/P256
Amxx Jun 24, 2024
cc82c17
Update test/utils/cryptography/P256.test.js
Amxx Jun 24, 2024
a67e5a2
Almost fix tests
ernestognw Jun 24, 2024
4c93009
Bound r to N so for lower s values
ernestognw Jun 24, 2024
046463c
Remove unnecessary comment
ernestognw Jun 24, 2024
e4df1d1
Remove foundry wycheproof
ernestognw Jun 24, 2024
1bddcf5
Tests nit
ernestognw Jun 24, 2024
e5ba358
Update .changeset/odd-lobsters-wash.md
ernestognw Jun 24, 2024
2eecacf
Update test/utils/cryptography/P256.t.sol
ernestognw Jun 24, 2024
ced4fb8
Update P256.t.sol
Amxx Jun 24, 2024
b82af11
Merge branch 'master' into feature/P256
ernestognw Jun 24, 2024
c6a86d9
Add more docs and nit
ernestognw Jun 24, 2024
9b24014
Manage to compile without via-ir
ernestognw Jun 25, 2024
3616771
Improve comments
ernestognw Jun 25, 2024
be078b1
Remove unnecessary CI flag
ernestognw Jun 25, 2024
ecd3aa2
cleanup _jAdd with memory
Amxx Jun 25, 2024
d83e707
up
Amxx Jun 25, 2024
fbc11f5
Update contracts/utils/cryptography/P256.sol
Amxx Jun 25, 2024
9c88101
Apply suggestions from code review
Amxx Jun 25, 2024
b5e6bd7
Update hardhat.config.js
Amxx Jun 25, 2024
db76353
Update hardhat.config.js
Amxx Jun 25, 2024
0722d93
Update hardhat.config.js
Amxx Jun 25, 2024
306a5f6
Revert all changes to hardhat.config.js
Amxx Jun 26, 2024
e67a456
uniform style
Amxx Jun 26, 2024
1a8cb63
add bound checks to isOnCurve
Amxx Jun 26, 2024
3c3fa27
rename isOnCurve -> isValidPublicKey + add _isProperSignature helper
Amxx Jun 26, 2024
2fe4a16
Update contracts/utils/cryptography/P256.sol
ernestognw Jun 27, 2024
2420d13
Update contracts/utils/cryptography/P256.sol
ernestognw Jul 1, 2024
49f3ad9
Merge branch 'master' into feature/P256
ernestognw Jul 2, 2024
5314727
Enable --ir-minimum in forge coverage
ernestognw Jul 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
update
  • Loading branch information
@Amxx
Amxx committed Jun 17, 2024
commit 3a6e1f59307b357b8b10b8383a04ceed5ab0cb85
4 changes: 2 additions & 2 deletions contracts/utils/Errors.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ library Errors {
error FailedDeployment();

/**
* @dev A necessary EIP/RIP is missing on the current network.
* @dev A necessary precompile is missing.
*/
error MissingEIP(uint256);
error MissingPrecompile(address);
}
41 changes: 14 additions & 27 deletions contracts/utils/cryptography/P256.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,9 +39,9 @@ library P256 {
uint256 private constant P1DIV4 = 0x3fffffffc0000000400000000000000000000000400000000000000000000000;

/**
* @dev Verifies a secp256r1 signature using the EIP-7212 or RIP-7212 precompiles and falls back to the Solidity
* implementation if the precompile is not available. This version should work on all chains, but requires the
* deployment of more bytecode.
* @dev Verifies a secp256r1 signature using the RIP-7212 precompile and falls back to the Solidity implementation
* if the precompile is not available. This version should work on all chains, but requires the deployment of more
* bytecode.
*
* @param h - hashed message
* @param r - signature half R
Expand All @@ -50,61 +50,48 @@ library P256 {
* @param qy - public key coordinate Y
*/
function verify(uint256 h, uint256 r, uint256 s, uint256 qx, uint256 qy) internal view returns (bool) {
Copy link
Member

@ernestognw ernestognw Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason for representing the hash as uint256? I think we're generally more used to bytes32

Copy link
Collaborator Author

@Amxx Amxx Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No real reason. All params could be either uint256 or bytes32.

I think that is since the verification is math heavy, we'll need to cast everything into uint256 anyway.

Copy link
Member

@ernestognw ernestognw Jun 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My concern is that users may need to cast in the frontend using Javascript where the encoding can be a mess. Although it's trivial to cast using ethers or viem, I don't think it's as straightforward as doing it natively.

I think that is since the verification is math heavy, we'll need to cast everything into uint256 anyway.

We can hide the interface and expose only bytes32

function verifySolidity(bytes32 h, bytes32 r, bytes32 s, bytes32 qx, bytes32 qy) internal view returns (bool) {. 
  return _verifySolidity(uint256(h), uint256(r), uint256(s), uint256(qx), uint256(qy));
}

function _verifySolidity(uint256 h, uint256 r, uint256 s, uint256 qx, uint256 qy) private view returns (bool) {
  // Current solidity verification
}

What do you think?

Copy link
Collaborator Author

@Amxx Amxx Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My concern is that users may need to cast in the frontend using Javascript

That really depend on the library you are using. In ethers.js, uint256 is BigNumberish which accepts many format, including hex string and buffers. It is actually less restictive than bytes32.

Copy link
Collaborator Author

@Amxx Amxx Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm be ok with changing the types, but not through one more variant of the function (override). We have enough already. More function is more complex testing, more confusion.

Copy link
Member

@ernestognw ernestognw Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, agree on not adding more functions. Let's change only the types. I'll push a commit

Copy link
Contributor

@frangio frangio Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO should be bytes32. uint types have arithmetic operations which should not be done on these values.

(bool valid, bool supported) = tryVerifyPrecompile(h, r, s, qx, qy);
(bool valid, bool supported) = tryVerify7212(h, r, s, qx, qy);
return supported ? valid : verifySolidity(h, r, s, qx, qy);
}

/**
* @dev signature verification - using EIP-7212 and RIP-7212 precompiles. This version will only work on chains
* that have one of these precompile available. On chains that do not have these precompile, this function reverts.
* @dev signature verification - using the RIP-7212 precompile. This version will only work on chains that have
* the precompile available. This function will revert on networks that do not have this precompile.
*
* @param h - hashed message
* @param r - signature half R
* @param s - signature half S
* @param qx - public key coordinate X
* @param qy - public key coordinate Y
*/
function verifyPrecompile(uint256 h, uint256 r, uint256 s, uint256 qx, uint256 qy) internal view returns (bool) {
(bool valid, bool supported) = tryVerifyPrecompile(h, r, s, qx, qy);
function verify7212(uint256 h, uint256 r, uint256 s, uint256 qx, uint256 qy) internal view returns (bool) {
(bool valid, bool supported) = tryVerify7212(h, r, s, qx, qy);
if (supported) {
return valid;
} else {
revert Errors.MissingEIP(7212);
revert Errors.MissingPrecompile(address(0x100));
}
}

/**
* @dev try signature verification - using EIP-7212 and RIP-7212 precompiles. This function does not revert is the
* required precompiles are missing. Instead it will return with `supported = false`.
* @dev try signature verification - using the RIP-7212 precompiles. This function does not revert is the required
* precompile is missing. Instead it will return with `supported = false`.
*
* @param h - hashed message
* @param r - signature half R
* @param s - signature half S
* @param qx - public key coordinate X
* @param qy - public key coordinate Y
*/
function tryVerifyPrecompile(
function tryVerify7212(
uint256 h,
uint256 r,
uint256 s,
uint256 qx,
uint256 qy
) internal view returns (bool valid, bool supported) {
bytes memory params = abi.encode(h, r, s, qx, qy);

// try using EIP-7212 precompile at 0x0B
(bool success, bytes memory returndata) = address(0x0B).staticcall(params);
if (success && returndata.length == 0x20) {
return (abi.decode(returndata, (bool)), true);
}

// try using RIP-7212 precompile at 0x100
(success, returndata) = address(0x100).staticcall(params);
if (success && returndata.length == 0x20) {
return (abi.decode(returndata, (bool)), true);
}

return (false, false);
(bool success, bytes memory returndata) = address(0x100).staticcall(abi.encode(h, r, s, qx, qy));
return (success && returndata.length == 0x20) ? (abi.decode(returndata, (bool)), true) : (false, false);
}

/**
Expand Down
24 changes: 12 additions & 12 deletions test/utils/cryptography/P256.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,9 @@ describe('P256', function () {
it('verify valid signature', async function () {
expect(await this.mock.$verify(this.messageHash, ...this.signature, ...this.publicKey)).to.be.true;
expect(await this.mock.$verifySolidity(this.messageHash, ...this.signature, ...this.publicKey)).to.be.true;
await expect(this.mock.$verifyPrecompile(this.messageHash, ...this.signature, ...this.publicKey))
.to.be.revertedWithCustomError(this.mock, 'MissingEIP')
.withArgs(7212);
await expect(this.mock.$verify7212(this.messageHash, ...this.signature, ...this.publicKey))
.to.be.revertedWithCustomError(this.mock, 'MissingPrecompile')
.withArgs('0x0000000000000000000000000000000000000100');
});

it('recover public key', async function () {
Expand All @@ -50,18 +50,18 @@ describe('P256', function () {
const reversedPublicKey = Array.from(this.publicKey).reverse();
expect(await this.mock.$verify(this.messageHash, ...this.signature, ...reversedPublicKey)).to.be.false;
expect(await this.mock.$verifySolidity(this.messageHash, ...this.signature, ...reversedPublicKey)).to.be.false;
await expect(this.mock.$verifyPrecompile(this.messageHash, ...this.signature, ...reversedPublicKey))
.to.be.revertedWithCustomError(this.mock, 'MissingEIP')
.withArgs(7212);
await expect(this.mock.$verify7212(this.messageHash, ...this.signature, ...reversedPublicKey))
.to.be.revertedWithCustomError(this.mock, 'MissingPrecompile')
.withArgs('0x0000000000000000000000000000000000000100');
});

it('reject signature with flipped signature values ([r,s] >> [s,r])', async function () {
const reversedSignature = Array.from(this.signature).reverse();
expect(await this.mock.$verify(this.messageHash, ...reversedSignature, ...this.publicKey)).to.be.false;
expect(await this.mock.$verifySolidity(this.messageHash, ...reversedSignature, ...this.publicKey)).to.be.false;
await expect(this.mock.$verifyPrecompile(this.messageHash, ...reversedSignature, ...this.publicKey))
.to.be.revertedWithCustomError(this.mock, 'MissingEIP')
.withArgs(7212);
await expect(this.mock.$verify7212(this.messageHash, ...reversedSignature, ...this.publicKey))
.to.be.revertedWithCustomError(this.mock, 'MissingPrecompile')
.withArgs('0x0000000000000000000000000000000000000100');
expect(await this.mock.$recovery(this.messageHash, this.recovery, ...reversedSignature)).to.not.deep.equal(
this.publicKey,
);
Expand All @@ -74,9 +74,9 @@ describe('P256', function () {
const invalidMessageHash = ethers.hexlify(ethers.randomBytes(32));
expect(await this.mock.$verify(invalidMessageHash, ...this.signature, ...this.publicKey)).to.be.false;
expect(await this.mock.$verifySolidity(invalidMessageHash, ...this.signature, ...this.publicKey)).to.be.false;
await expect(this.mock.$verifyPrecompile(invalidMessageHash, ...this.signature, ...this.publicKey))
.to.be.revertedWithCustomError(this.mock, 'MissingEIP')
.withArgs(7212);
await expect(this.mock.$verify7212(invalidMessageHash, ...this.signature, ...this.publicKey))
.to.be.revertedWithCustomError(this.mock, 'MissingPrecompile')
.withArgs('0x0000000000000000000000000000000000000100');
expect(await this.mock.$recovery(invalidMessageHash, this.recovery, ...this.signature)).to.not.deep.equal(
this.publicKey,
);
Expand Down