SIMD-0075: Secp256r1 Precompile (Supersedes SIMD-0048) #75
Conversation
iceomatic
changed the title
|
Tagging participants of the former discussion around SIMD-0048 for visibility |
|
This looks great. I'll review in depth ASAP. I'd also like to point out https://github.com/guidovranken/cryptofuzz as a dynamic analysis security tool. |
Noted, thx! Will look into incorporating it into testing 🫡 |
iceomatic
changed the title
|
I have re-written the TL;DR: Its ~3x faster than The idea here is to: A. Make implementation comparison/parity between labs/anza and Firedancer easier Let me know what you think |
- revise language as per rfc2119 - move rfc design details to security considerations - add language agnostic pseudocode structs
|
All fixes/resolutions to open comments should be done. I'm unsure if the pseudo-coded structs and the processing logic are okay in the new format, so please leave feedback wrt to changes if you have any 👍 |
|
Thanks @iceomatic for updating the SIMD and addressing fixes/resolutions in comments. |
| If `count == 0` and the length of the instruction data > 1, the program must | ||
| return an error. |
There was a problem hiding this comment.
I know existing precompiles have this check, but I think it's unnecessary.
There was a problem hiding this comment.
So in the case of count == 0 the program should pass, irrespective of the instruction data?
There was a problem hiding this comment.
That would make sense to me, but I'd be interested in hearing from the folks who made this design decision for the other precompiles to make sure I'm not missing something.
There was a problem hiding this comment.
Will leave this unresolved until we get some more input from the other contributors 🫡
There was a problem hiding this comment.
For this issue, I think it makes sense either way. This predates me but solana-labs/solana#19300 has the justification for the count, which I think is reasonable.
There was a problem hiding this comment.
That would make sense to me, but I'd be interested in hearing from the folks who made this design decision for the other precompiles to make sure I'm not missing something.
This is done as a safeguard for smart-contracts. There have been a number of contracts that wanted to verify a single signature, and thus omitted the check for count.
They just used instruction introspection to assert that the correct data is present in the call to secp verify.
An attacker could thus call secp verify with a count of 0, and pretend to have a valid signature for arbitrary data.
This is obviously a bug in the smart-contract using secp, but having this count=0 check made for an easy fix to prevent this issue from cropping up. It makes no sense to call with a zero count and non-zero data after all.
There was a problem hiding this comment.
I guess as there's no document or SIMD detailing otherwise, I'd we just stay in line with #19300.
Thoughts @ptaffet-jump ?
Co-authored-by: Philip Taffet <123486962+ptaffet-jump@users.noreply.github.com>
|
Thanks @ptaffet-jump for the input, all comments with the exception of the |
|
Looks good to me! It is worth noting (I apologize if this has already been discussed before) that there is going to be an inconsistency in the way ecdsa malleability is handled with the existing secp256k1 implementation, which does not handle malleability. |
Yep. In the description of the SIMD we made our case as to why it would be advantageous to handle malleability, but if contributors disagree I can happily remove that check to put it in line with the other precompiles |
|
With the approval from Anza we're just missing an approval on the FD side now 👍 |
I've updated the SIMD to include all the things discussed in conversation on github and the core-technology channel over the past few days.
This includes:
It has become quite a bit more opinionated and therefore requires more discussion.