-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SIMD-0075: Secp256r1 Precompile (Supersedes SIMD-0048) #75
base: main
Are you sure you want to change the base?
Conversation
Tagging participants of the former discussion around SIMD-0048 for visibility |
This looks great. I'll review in depth ASAP. I'd also like to point out https://github.com/guidovranken/cryptofuzz as a dynamic analysis security tool. |
Noted, thx! Will look into incorporating it into testing 🫡 |
I have re-written the TL;DR: Its ~3x faster than The idea here is to: A. Make implementation comparison/parity between labs/anza and Firedancer easier Let me know what you think |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is a good start! please take a look at rfc2119 and make a pass at this document to correct usage of these key words. there are several SHOULDs that need to be MUSTs
- revise language as per rfc2119 - move rfc design details to security considerations - add language agnostic pseudocode structs
All fixes/resolutions to open comments should be done. I'm unsure if the pseudo-coded structs and the processing logic are okay in the new format, so please leave feedback wrt to changes if you have any 👍 |
Thanks @iceomatic for updating the SIMD and addressing fixes/resolutions in comments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some clarifications for the pseudocode
If `count == 0` and the length of the instruction data > 1, the program must | ||
return an error. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know existing precompiles have this check, but I think it's unnecessary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So in the case of count == 0
the program should pass, irrespective of the instruction data?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would make sense to me, but I'd be interested in hearing from the folks who made this design decision for the other precompiles to make sure I'm not missing something.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will leave this unresolved until we get some more input from the other contributors 🫡
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For this issue, I think it makes sense either way. This predates me but solana-labs/solana#19300 has the justification for the count, which I think is reasonable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would make sense to me, but I'd be interested in hearing from the folks who made this design decision for the other precompiles to make sure I'm not missing something.
This is done as a safeguard for smart-contracts. There have been a number of contracts that wanted to verify a single signature, and thus omitted the check for count.
They just used instruction introspection to assert that the correct data is present in the call to secp verify.
An attacker could thus call secp verify with a count of 0, and pretend to have a valid signature for arbitrary data.
This is obviously a bug in the smart-contract using secp, but having this count=0 check made for an easy fix to prevent this issue from cropping up. It makes no sense to call with a zero count and non-zero data after all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess as there's no document or SIMD detailing otherwise, I'd we just stay in line with #19300.
Thoughts @ptaffet-jump ?
Co-authored-by: Philip Taffet <123486962+ptaffet-jump@users.noreply.github.com>
Thanks @ptaffet-jump for the input, all comments with the exception of the |
Looks good to me! It is worth noting (I apologize if this has already been discussed before) that there is going to be an inconsistency in the way ecdsa malleability is handled with the existing secp256k1 implementation, which does not handle malleability. |
Yep. In the description of the SIMD we made our case as to why it would be advantageous to handle malleability, but if contributors disagree I can happily remove that check to put it in line with the other precompiles |
With the approval from Anza we're just missing an approval on the FD side now 👍 |
I've updated the SIMD to include all the things discussed in conversation on github and the core-technology channel over the past few days.
This includes:
It has become quite a bit more opinionated and therefore requires more discussion.