Barretenberg: src/barretenberg/crypto/ecdsa/ecdsa_impl.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }

// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }

// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }

// =====================


#pragma once


#include "../hmac/hmac.hpp"

#include "barretenberg/common/serialize.hpp"

#include "barretenberg/numeric/uint256/uint256.hpp"


namespace bb::crypto {


template <typename Hash, typename Fq, typename Fr, typename G1>


ecdsa_signature ecdsa_construct_signature(const std::string& message, const ecdsa_key_pair<Fr, G1>& account)

{

    ecdsa_signature sig;


    // use HMAC in PRF mode to derive 32-byte secret `k`

    std::vector<uint8_t> pkey_buffer;

    write(pkey_buffer, account.private_key);

    Fr k = crypto::get_unbiased_field_from_hmac<Hash, Fr>(message, pkey_buffer);


    typename G1::affine_element R(G1::one * k);

    Fq::serialize_to_buffer(R.x, &sig.r[0]);


    std::vector<uint8_t> message_buffer;

    std::copy(message.begin(), message.end(), std::back_inserter(message_buffer));

    auto ev = Hash::hash(message_buffer);


    Fr z = Fr::serialize_from_buffer(&ev[0]);

    Fr r_fr = Fr::serialize_from_buffer(&sig.r[0]);

    Fr s_fr = (z + r_fr * account.private_key) / k;


    // Ensure that the value of s is "low", i.e. s := min{ s_fr, (|Fr| - s_fr) }

    const bool is_s_low = (uint256_t(s_fr) < (uint256_t(Fr::modulus) / 2));

    uint256_t s_uint256 = is_s_low ? uint256_t(s_fr) : (uint256_t(Fr::modulus) - uint256_t(s_fr));


    Fr::serialize_to_buffer(Fr(s_uint256), &sig.s[0]);


    // compute recovery_id: given R = (x, y)

    //   0: y is even  &&  x < |Fr|

    //   1: y is odd   &&  x < |Fr|

    //   2: y is even  &&  |Fr| <= x < |Fq|

    //   3: y is odd   &&  |Fr| <= x < |Fq|

    // v = offset + recovery_id

    Fq r_fq = Fq(R.x);

    bool is_r_finite = (uint256_t(r_fq) == uint256_t(r_fr));

    bool y_parity = uint256_t(R.y).get_bit(0);

    bool recovery_bit = y_parity ^ is_s_low;

    constexpr uint8_t offset = 27;


    int value = offset + recovery_bit + static_cast<uint8_t>(2) * !is_r_finite;

    BB_ASSERT_LTE(value, UINT8_MAX);

    sig.v = static_cast<uint8_t>(value);

    return sig;

}


template <typename Hash, typename Fq, typename Fr, typename G1>


typename G1::affine_element ecdsa_recover_public_key(const std::string& message, const ecdsa_signature& sig)

{

    using serialize::read;

    using Point = G1::affine_element;

    uint256_t r_uint;

    uint256_t s_uint;

    uint8_t v_uint;

    uint256_t mod = uint256_t(Fr::modulus);


    const auto* r_buf = &sig.r[0];

    const auto* s_buf = &sig.s[0];

    const auto* v_buf = &sig.v;

    read(r_buf, r_uint);

    read(s_buf, s_uint);

    read(v_buf, v_uint);


    // We need to check that r and s are in Field according to specification

    BB_ASSERT((r_uint < mod) && (s_uint < mod), "r or s value exceeds the modulus");

    BB_ASSERT((r_uint != 0) && (s_uint != 0), "r or s value is zero");


    // Check that the s value is less than |Fr| / 2

    BB_ASSERT_LTE(s_uint * 2, mod, "s value is not less than curve order by 2");


    // Check that v must either be in {27, 28, 29, 30}

    Fr r = Fr(r_uint);

    Fr s = Fr(s_uint);

    Fq r_fq = Fq(r_uint);

    bool is_r_finite = true;


    if ((v_uint == 27) || (v_uint == 28)) {

        BB_ASSERT_EQ(uint256_t(r), uint256_t(r_fq));

    } else if ((v_uint == 29) || (v_uint == 30)) {

        BB_ASSERT_LT(uint256_t(r), uint256_t(r_fq));

        is_r_finite = false;

    } else {

        bb::assert_failure("v value is not in {27, 28, 29, 30}");

    }


    // Decompress the x-coordinate r_uint to get two possible R points

    // The first uncompressed R point is selected when r < |Fr|

    // The second uncompressed R point is selected when |Fr| <= r < |Fq|

    // Note that the second condition can occur with probability 1/2^128 so its highly unlikely.

    auto uncompressed_points = Point::from_compressed_unsafe(r_uint);

    Point point_R = uncompressed_points[!is_r_finite];


    // Negate the y-coordinate point of R based on the parity of v

    bool y_parity_R = uint256_t(point_R.y).get_bit(0);

    if ((v_uint & 1) ^ y_parity_R) {

        point_R.y = -point_R.y;

    }


    // Start key recovery algorithm

    std::vector<uint8_t> message_buffer;

    std::copy(message.begin(), message.end(), std::back_inserter(message_buffer));

    auto ev = Hash::hash(message_buffer);

    Fr z = Fr::serialize_from_buffer(&ev[0]);


    Fr r_inv = r.invert();


    Fr u1 = -(z * r_inv);

    Fr u2 = s * r_inv;


    Point recovered_public_key(Point(point_R) * u2 + G1::one * u1);

    return recovered_public_key;

}


template <typename Hash, typename Fq, typename Fr, typename G1>


bool ecdsa_verify_signature(const std::string& message,

                            const typename G1::affine_element& public_key,

                            const ecdsa_signature& sig)

{

    using serialize::read;

    uint256_t r_uint;

    uint256_t s_uint;

    uint256_t mod = uint256_t(Fr::modulus);

    if ((!public_key.on_curve()) || (public_key.is_point_at_infinity())) {

        return false;

    }

    const auto* r_buf = &sig.r[0];

    const auto* s_buf = &sig.s[0];

    read(r_buf, r_uint);

    read(s_buf, s_uint);

    // We need to check that r and s are in Field according to specification

    if ((r_uint >= mod) || (s_uint >= mod)) {

        return false;

    }

    if ((r_uint == 0) || (s_uint == 0)) {

        return false;

    }


    // Check that the s value is less than |Fr| / 2

    BB_ASSERT_LT(s_uint, (mod + 1) / 2, "s value is not less than curve order by 2");


    Fr r = Fr(r_uint);

    Fr s = Fr(s_uint);


    std::vector<uint8_t> message_buffer;

    std::copy(message.begin(), message.end(), std::back_inserter(message_buffer));

    auto ev = Hash::hash(message_buffer);

    Fr z = Fr::serialize_from_buffer(&ev[0]);


    Fr s_inv = s.invert();


    Fr u1 = z * s_inv;

    Fr u2 = r * s_inv;


    typename G1::affine_element R((typename G1::element(public_key) * u2) + (G1::one * u1));

    BB_ASSERT_EQ(R.is_point_at_infinity(), false, "Result of the scalar multiplication is the point at infinity.");


    uint256_t Rx(R.x);

    Fr result(Rx);

    return result == r;

}


} // namespace bb::crypto

BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:67

BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:77

BB_ASSERT_LTE
#define BB_ASSERT_LTE(left, right,...)
Definition assert.hpp:152

BB_ASSERT_LT
#define BB_ASSERT_LT(left, right,...)
Definition assert.hpp:137

bb::numeric::uint256_t
Definition uint256.hpp:32

bb::numeric::uint256_t::get_bit
constexpr bool get_bit(uint64_t bit_index) const
Definition uint256_impl.hpp:319

offset
ssize_t offset
Definition engine.cpp:36

bb::crypto
Definition aes128.cpp:158

bb::crypto::ecdsa_recover_public_key
G1::affine_element ecdsa_recover_public_key(const std::string &message, const ecdsa_signature &sig)
Definition ecdsa_impl.hpp:61

bb::crypto::read
void read(B &it, SchnorrProofOfPossession< G1, Hash > &proof_of_possession)
Definition proof_of_possession.hpp:130

bb::crypto::ecdsa_construct_signature
ecdsa_signature ecdsa_construct_signature(const std::string &message, const ecdsa_key_pair< Fr, G1 > &account)
Definition ecdsa_impl.hpp:16

bb::crypto::write
void write(B &buf, SchnorrProofOfPossession< G1, Hash > const &proof_of_possession)
Definition proof_of_possession.hpp:137

bb::crypto::ecdsa_verify_signature
bool ecdsa_verify_signature(const std::string &message, const typename G1::affine_element &public_key, const ecdsa_signature &signature)
Definition ecdsa_impl.hpp:128

bb::assert_failure
void assert_failure(std::string const &err)
Definition assert.cpp:11

serialize::read
void read(auto &it, msgpack_concepts::HasMsgPack auto &obj)
Automatically derived read for any object that defines .msgpack() (implicitly defined by MSGPACK_FIEL...
Definition serialize.hpp:504

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

Fr
Curve::ScalarField Fr
Definition pippenger.bench.cpp:28

value
FF value
Definition public_data_tree.test.cpp:97

serialize.hpp

bb::crypto::ecdsa_key_pair
Definition ecdsa.hpp:18

bb::crypto::ecdsa_key_pair::private_key
Fr private_key
Definition ecdsa.hpp:19

bb::crypto::ecdsa_signature
Definition ecdsa.hpp:25

bb::crypto::ecdsa_signature::r
std::array< uint8_t, 32 > r
Definition ecdsa.hpp:26

bb::crypto::ecdsa_signature::s
std::array< uint8_t, 32 > s
Definition ecdsa.hpp:27

bb::crypto::ecdsa_signature::v
uint8_t v
Definition ecdsa.hpp:28

bb::field< Bn254FrParams >

bb::field< Bn254FrParams >::modulus
static constexpr uint256_t modulus
Definition field_declarations.hpp:197

bb::field::invert
constexpr field invert() const noexcept
Definition field_impl.hpp:377

bb::field< Bn254FrParams >::serialize_from_buffer
static field serialize_from_buffer(const uint8_t *buffer)
Definition field_declarations.hpp:384

bb::field< Bn254FqParams >::serialize_to_buffer
static void serialize_to_buffer(const field &value, uint8_t *buffer)
Definition field_declarations.hpp:382

Fq
curve::BN254::BaseField Fq
Definition translator.fuzzer.hpp:21

uint256.hpp