Description
I propose to support RSA signature verification through a precompiled contract with appropriate fees.
With the current EVM, verification for very low key lengths is trivially implemented using the native 256-bit arithmetic, although it is useless due to inadequate security. Supporting bigger key lengths is prohibitive cost-wise. (It requires implementing a bignum library for mul and mod on top of the EVM. Alternatively, it can be offloaded to an oracle, where trust can be a problem and which is also suboptimal.)
Motivation: many PKI schemes, including those employed by government ID cards, rely on RSA. Supporting an easy way to verify a signature would mean supporting authentication/authorization using those schemes in a smart contract.
High level method: rsaverify(msg, N, e, S, paddingScheme), where msg is the message hash, N is the public key modulus, e is the public key exponent, and S is the signature. Returns a boolean.
Regarding padding schemes, I would definitely include an option none, where no padding would be applied and the caller would be expected to handle that.
Challenges: Where this gets complex is defining which key lengths and padding schemes to support and how to define the API. Size of N could be used to determine key length. Possibly the fee would depend on the key length.
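A reference sketch of the proposed rsaverify call, added here as an example; it is not code from the proposal or from any EVM client. It goes beyond the text by adding one padded scheme: the scheme name pkcs1v15-sha256, the helper names and the toy key built from two Mersenne primes are assumptions for illustration, and only none comes from the description above.

```python
import hashlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def expected_em(msg: bytes, k: int, paddingScheme: str):
    """Return the k-byte block that S^e mod N must equal, or None if invalid."""
    if paddingScheme == "none":             # caller supplies the padded block
        return msg.rjust(k, b"\x00") if len(msg) <= k else None
    if paddingScheme == "pkcs1v15-sha256":  # hypothetical scheme name
        t = SHA256_PREFIX + msg
        if len(msg) != 32 or k < len(t) + 11:
            return None
        return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return None

def rsaverify(msg: bytes, N: int, e: int, S: int, paddingScheme: str = "none") -> bool:
    k = (N.bit_length() + 7) // 8           # key length derived from size of N
    if N < 3 or e < 3 or not 0 <= S < N:    # reject degenerate keys and S >= N
        return False
    want = expected_em(msg, k, paddingScheme)
    if want is None:
        return False
    # Rebuild the full expected block and compare it whole; parsing the
    # decrypted block leniently is what makes padding checks forgeable.
    return pow(S, e, N).to_bytes(k, "big") == want

def make_test_key():
    # Constructed toy key from two known Mersenne primes. NOT a secure key.
    p, q = 2**521 - 1, 2**607 - 1
    N, e = p * q, 65537
    return N, e, pow(e, -1, (p - 1) * (q - 1))

def sign_for_test(msg: bytes, N: int, d: int, paddingScheme: str) -> int:
    k = (N.bit_length() + 7) // 8
    em = expected_em(msg, k, paddingScheme)
    return pow(int.from_bytes(em, "big"), d, N)

if __name__ == "__main__":
    N, e, d = make_test_key()
    h = hashlib.sha256(b"constructed sample message").digest()
    for scheme in ("none", "pkcs1v15-sha256"):
        S = sign_for_test(h, N, d, scheme)
        # Second result is for S + N, which a bare modexp would also accept.
        print(scheme, rsaverify(h, N, e, S, scheme), rsaverify(h, N, e, S + N, scheme))
```

With none, the call reduces to one modular exponentiation and an equality check, so any padding guarantees rest entirely on the calling contract.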