Port of FRAME contracts benchmarking from libsecp256k1 to k256

paritytech · bkchr · Feb 23, 2022 · Feb 17, 2022 · Feb 17, 2022 · Feb 18, 2022
commit f6ded34eeb3b161e11086da804217bb76fea8d56
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -250,6 +250,7 @@ hash-db = { opt-level = 3 }
 hmac = { opt-level = 3 }
 httparse = { opt-level = 3 }
 integer-sqrt = { opt-level = 3 }
+k256 = { opt-level = 3 }
 keccak = { opt-level = 3 }
 libm = { opt-level = 3 }
 librocksdb-sys = { opt-level = 3 }

@@ -28,7 +28,8 @@ smallvec = { version = "1", default-features = false, features = [
 wasmi-validation = { version = "0.4", default-features = false }
 
 # Only used in benchmarking to generate random contract code
-libsecp256k1 = { version = "0.7", optional = true, default-features = false, features = ["hmac", "static-context"] }
+k256 = { version = "0.10.2", optional = true }
+ecdsa = { version = "0.13.4", optional = true }
 rand = { version = "0.8", optional = true, default-features = false }
 rand_pcg = { version = "0.3", optional = true }
 
@@ -77,11 +78,11 @@ std = [
 	"pallet-contracts-proc-macro/full",
 	"log/std",
 	"rand/std",
-	"libsecp256k1/std",
 ]
 runtime-benchmarks = [
 	"frame-benchmarking/runtime-benchmarks",
-	"libsecp256k1",
+	"k256",
+	"ecdsa",
 	"rand",
 	"rand_pcg",
 	"unstable-interface",

@@ -195,6 +195,47 @@ macro_rules! load_benchmark {
 	}};
 }
 
+// For security reasons `k256` authors decided to not directly expose the low-level
+// api for pre-hashed messages signature.
+// This is a convenience function to wrap the verbose procedure.
+// Refer to [this](https://github.com/RustCrypto/elliptic-curves/issues/525) issue
+// for some details.
+fn sign_prehashed(hash: [u8; 32]) -> [u8; 65] {
+	use ecdsa::{
+		elliptic_curve::{
+			generic_array::{typenum::U32, GenericArray},
+			ops::Reduce,
+		},
+		hazmat::{rfc6979_generate_k, SignPrimitive},
+		signature::PrehashSignature,
+	};
+	use k256::{
+		ecdsa::{Signature, SigningKey},
+		NonZeroScalar, Scalar, U256,
+	};
+
+	let signing_key = SigningKey::random(&mut rand::rngs::OsRng);
+
+	let hash_array: GenericArray<u8, U32> = GenericArray::from_slice(&hash).clone();
+	let hash_scalar = <Scalar as Reduce<U256>>::from_be_bytes_reduced(hash_array);
+
+	let priv_bytes = signing_key.to_bytes();
+	let priv_scalar = <NonZeroScalar as Reduce<U256>>::from_be_bytes_reduced(priv_bytes);
+
+	let k = rfc6979_generate_k::<_, <Signature as PrehashSignature>::Digest>(
+		&priv_scalar,
+		&hash_scalar,
+		&[],
+	);
+
+	let (sig, recid) = priv_scalar.try_sign_prehashed(**k, hash_scalar).unwrap();
+
+	let mut full_signature = [0; 65];
+	full_signature[..64].copy_from_slice(sig.as_ref());
+	full_signature[64] = recid.unwrap().to_byte();
+	full_signature
+}
+
 benchmarks! {
 	where_clause { where
 		T::AccountId: UncheckedFrom<T::Hash>,
@@ -1866,21 +1907,10 @@ benchmarks! {
 	// It generates different private keys and signatures for the message "Hello world".
 	seal_ecdsa_recover {
 		let r in 0 .. API_BENCHMARK_BATCHES;
-		use rand::SeedableRng;
-		let mut rng = rand_pcg::Pcg32::seed_from_u64(123456);
 
 		let message_hash = sp_io::hashing::blake2_256("Hello world".as_bytes());
 		let signatures = (0..r * API_BENCHMARK_BATCH_SIZE)
-			.map(|i| {
-				use libsecp256k1::{SecretKey, Message, sign};
-
-				let private_key = SecretKey::random(&mut rng);
-				let (signature, recovery_id) = sign(&Message::parse(&message_hash), &private_key);
-				let mut full_signature = [0; 65];
-				full_signature[..64].copy_from_slice(&signature.serialize());
-				full_signature[64] = recovery_id.serialize();
-				full_signature
-			})
+			.map(|i| sign_prehashed(message_hash))
 			.collect::<Vec<_>>();
 		let signatures = signatures.iter().flatten().cloned().collect::<Vec<_>>();
 		let signatures_bytes_len = signatures.len() as i32;