Add ECDSA over secp256k1 signatures and verification

benchmarks/bench_h_sha256.nim

@@ -5,40 +5,16 @@ import
   helpers/prng_unsafe,
   ./bench_blueprint
 
-proc separator*() = separator(69)
-
-# Deal with platform mess
-# --------------------------------------------------------------------
-when defined(windows):
-  when sizeof(int) == 8:
-    const DLLSSLName* = "(libssl-1_1-x64|ssleay64|libssl64).dll"
-  else:
-    const DLLSSLName* = "(libssl-1_1|ssleay32|libssl32).dll"
-else:
-  when defined(macosx) or defined(macos) or defined(ios):
-    const versions = "(.1.1|.38|.39|.41|.43|.44|.45|.46|.47|.48|.10|.1.0.2|.1.0.1|.1.0.0|.0.9.9|.0.9.8|)"
-  else:
-    const versions = "(.1.1|.1.0.2|.1.0.1|.1.0.0|.0.9.9|.0.9.8|.48|.47|.46|.45|.44|.43|.41|.39|.38|.10|)"
+## NOTE: For a reason that evades me at the moment, if we only `import`
+## the wrapper, we get a linker error of the form:
+##
+## @mopenssl_wrapper.nim.c:(.text+0x110): undefined reference to `Dl_1073742356_'
+## /usr/bin/ld: warning: creating DT_TEXTREL in a PIE
+##
+## So for the moment, we just include the wrapper.
+include ../tests/openssl_wrapper
 
-  when defined(macosx) or defined(macos) or defined(ios):
-    const DLLSSLName* = "libssl" & versions & ".dylib"
-  elif defined(genode):
-    const DLLSSLName* = "libssl.lib.so"
-  else:
-    const DLLSSLName* = "libssl.so" & versions
-
-# OpenSSL wrapper
-# --------------------------------------------------------------------
-
-proc SHA256[T: byte|char](
-       msg: openarray[T],
-       digest: ptr array[32, byte] = nil
-     ): ptr array[32, byte] {.noconv, dynlib: DLLSSLName, importc.}
-
-proc SHA256_OpenSSL[T: byte|char](
-       digest: var array[32, byte],
-       s: openarray[T]) =
-  discard SHA256(s, digest.addr)
+proc separator*() = separator(69)
 
 # --------------------------------------------------------------------
 
@@ -80,6 +56,7 @@ when isMainModule:
       let msg = rng.random_byte_seq(s)
       let iters = int(target_cycles div (s.int64 * worst_cycles_per_bytes))
       benchSHA256_constantine(msg, $s & "B", iters)
-      benchSHA256_openssl(msg, $s & "B", iters)
+      when not defined(windows): # not available on Windows in GH actions atm
+        benchSHA256_openssl(msg, $s & "B", iters)
 
   main()

constantine.nimble

@@ -607,6 +607,9 @@ const testDesc: seq[tuple[path: string, useGMP: bool]] = @[
   ("tests/t_ethereum_verkle_primitives.nim", false),
   ("tests/t_ethereum_verkle_ipa_primitives.nim", false),
 
+  # Signatures
+  ("tests/ecdsa/t_ecdsa_verify_openssl.nim", false),
+
   # Proof systems
   # ----------------------------------------------------------
   ("tests/proof_systems/t_r1cs_parser.nim", false),

constantine/ecdsa_secp256k1.nim

@@ -0,0 +1,68 @@
+# Constantine
+# Copyright (c) 2018-2019    Status Research & Development GmbH
+# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
+# Licensed and distributed under either of
+#   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
+#   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
+# at your option. This file may not be copied, modified, or distributed except according to those terms.
+
+import
+  constantine/zoo_exports,
+  constantine/signatures/ecdsa,
+  constantine/hashes/h_sha256,
+  constantine/named/algebras,
+  constantine/math/elliptic/[ec_shortweierstrass_affine],
+  constantine/math/[arithmetic, ec_shortweierstrass],
+  constantine/platforms/[abstractions, views]
+
+export NonceSampler
+
+const prefix_ffi = "ctt_ecdsa_secp256k1_"
+type
+  SecretKey* {.byref, exportc: prefix_ffi & "seckey".} = object
+    ## A Secp256k1 secret key
+    raw: Fr[Secp256k1]
+
+  PublicKey* {.byref, exportc: prefix_ffi & "pubkey".} = object
+    ## A Secp256k1 public key for ECDSA signatures
+    raw: EC_ShortW_Aff[Fp[Secp256k1], G1]
+
+  Signature* {.byref, exportc: prefix_ffi & "signature".} = object
+    ## A Secp256k1 signature for ECDSA signatures
+    r: Fr[Secp256k1]
+    s: Fr[Secp256k1]
+
+func pubkey_is_zero*(pubkey: PublicKey): bool {.libPrefix: prefix_ffi.} =
+  ## Returns true if input is 0
+  bool(pubkey.raw.isNeutral())
+
+func pubkeys_are_equal*(a, b: PublicKey): bool {.libPrefix: prefix_ffi.} =
+  ## Returns true if inputs are equal
+  bool(a.raw == b.raw)
+
+func signatures_are_equal*(a, b: Signature): bool {.libPrefix: prefix_ffi.} =
+  ## Returns true if inputs are equal
+  bool(a.r == b.r and a.s == b.s)
+
+proc sign*(sig: var Signature,
+           secretKey: SecretKey,
+           message: openArray[byte],
+           nonceSampler: NonceSampler = nsRandom) {.libPrefix: prefix_ffi, genCharAPI.} =
+  ## Sign `message` using `secretKey` and store the signature in `sig`. The nonce
+  ## will either be randomly sampled `nsRandom` or deterministically calculated according
+  ## to RFC6979 (`nsRfc6979`)
+  sig.coreSign(secretKey.raw, message, sha256, nonceSampler)
+
+proc verify*(
+    publicKey: PublicKey,
+    message: openArray[byte],
+    signature: Signature
+): bool {.libPrefix: prefix_ffi, genCharAPI.} =
+  ## Verify `signature` using `publicKey` for `message`.
+  result = publicKey.raw.coreVerify(message, signature, sha256)
+
+func derive_pubkey*(public_key: var PublicKey, secret_key: SecretKey) {.libPrefix: prefix_ffi.} =
+  ## Derive the public key matching with a secret key
+  ##
+  ## The secret_key MUST be validated
+  public_key.raw.derivePubkey(secret_key.raw)

constantine/named/constants/secp256k1_generators.nim

@@ -0,0 +1,26 @@
+# Constantine
+# Copyright (c) 2018-2019    Status Research & Development GmbH
+# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
+# Licensed and distributed under either of
+#   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
+#   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
+# at your option. This file may not be copied, modified, or distributed except according to those terms.
+
+import
+  constantine/named/algebras,
+  constantine/math/elliptic/ec_shortweierstrass_affine,
+  constantine/math/io/[io_fields, io_extfields]
+
+{.used.}
+
+# Generators
+# -----------------------------------------------------------------
+# https://www.secg.org/sec2-v2.pdf page 9 (13 of PDF), sec. 2.4.1
+
+# The group G_1 (== G) is defined on the curve Y^2 = X^3 + 7 over the field F_p
+# with p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1
+# with generator:
+const Secp256k1_generator_G1* = EC_ShortW_Aff[Fp[Secp256k1], G1](
+  x: Fp[Secp256k1].fromHex"0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798",
+  y: Fp[Secp256k1].fromHex"0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8"
+)

constantine/named/zoo_generators.nim

@@ -12,7 +12,8 @@ import
   ./constants/bls12_381_generators,
   ./constants/bn254_snarks_generators,
   ./constants/bandersnatch_generators,
-  ./constants/banderwagon_generators
+  ./constants/banderwagon_generators,
+  ./constants/secp256k1_generators
 
 {.experimental: "dynamicbindsym".}
 

constantine/serialization/codecs_ecdsa.nim

@@ -0,0 +1,162 @@
+# Constantine
+# Copyright (c) 2018-2019    Status Research & Development GmbH
+# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
+# Licensed and distributed under either of
+#   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
+#   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
+# at your option. This file may not be copied, modified, or distributed except according to those terms.
+
+##[
+
+Performs (de-)serialization of ECDSA signatures into ASN.1 DER encoded
+data following SEC1:
+
+https://www.secg.org/sec1-v2.pdf
+
+In contrast to `codecs_ecdsa_secp256k1.nim` this file is generic under the choice
+of elliptic curve.
+]##
+
+import
+  constantine/named/algebras,
+  constantine/math/io/[io_bigints, io_fields],
+  constantine/math/elliptic/[ec_shortweierstrass_affine],
+  constantine/platforms/[abstractions, views],
+  constantine/serialization/codecs # for fromHex and (in the future) base64 encoding
+
+type
+  ## Helper type for ASN.1 DER signatures to avoid allocation.
+  ## Has a `data` buffer of 72 bytes (maximum possible size for
+  ## a signature for `secp256k1`) and `len` of actually used data.
+  ## `data[0 ..< len]` is the actual signature.
+  DerSignature*[N: static int] = object
+    data*: array[N, byte] # Max size: 6 bytes overhead + 33 bytes each for r,s
+    len*: int # Actual length used
+
+template DerSigSize*(Name: static Algebra): int =
+  const OctetWidth = 8
+  6 + 2 * (Fr[Name].bits.ceilDiv_vartime(OctetWidth) + 1)
+
+proc toDER*[Name: static Algebra; N: static int](derSig: var DerSignature[N], r, s: Fr[Name]) =
+  ## Converts signature (r,s) to DER format without allocation.
+  ## Max size is 72 bytes (for Secp256k1 or any curve with 32 byte scalars in `Fr`):
+  ## 6 bytes overhead + up to 32+1 bytes each for r,s.
+  ## 6 byte 'overhead' for:
+  ## - `0x30` byte SEQUENCE designator
+  ## - total length of the array
+  ## - integer type designator `0x02` (before `r` and `s`)
+  ## - length of `r` and `s`
+  ##
+  ## Implementation follows ideas of Bitcoin's secp256k1 implementation:
+  ## https://github.com/bitcoin-core/secp256k1/blob/f79f46c70386c693ff4e7aef0b9e7923ba284e56/src/ecdsa_impl.h#L171-L193
+  const OctetWidth = 8
+  const N = Fr[Name].bits.ceilDiv_vartime(OctetWidth) # 32 for `secp256k1`
+
+  template toByteArray(x: Fr[Name]): untyped =
+    ## Convert to a 33 byte array. Leading zero byte required if
+    ## first real byte (idx 1) highest bit set (> 0x80).
+    var a: array[N+1, byte]
+    discard toOpenArray[byte](a, 1, N).marshal(x.toBig(), bigEndian)
+    a
+
+  # 1. Prepare the data & determine required sizes
+
+  # Convert r,s to big-endian bytes
+  var rBytes = r.toByteArray()
+  var sBytes = s.toByteArray()
+  var rLen = N + 1
+  var sLen = N + 1
+
+  # Skip leading zeros but ensure high bit constraint
+  var rPos = 0
+  while rLen > 1 and rBytes[rPos] == 0 and (rBytes[rPos+1] < 0x80.byte):
+    dec rLen
+    inc rPos
+  var sPos = 0
+  while sLen > 1 and sBytes[sPos] == 0 and (sBytes[sPos+1] < 0x80.byte):
+    dec sLen
+    inc sPos
+
+  # Set total length
+  derSig.len = 6 + rLen + sLen
+
+
+  # 2. Write the actual data
+  var pos = 0
+  template setInc(val: byte): untyped =
+    # Set `val` at `pos` and increase `pos`
+    derSig.data[pos] = val
+    inc pos
+
+  # Write DER structure, global
+  setInc 0x30                   # sequence
+  setInc (4 + rLen + sLen).byte # total length
+
+  # `r` prefix
+  setInc 0x02                   # integer
+  setInc rLen.byte              # length of `r`
+  # Write `r` bytes in valid region
+  derSig.data.rawCopy(pos, rBytes, rPos, rLen)
+  inc pos, rLen
+
+  # `s` prefix
+  setInc 0x02                   # integer
+  setInc sLen.byte              # length of `s`
+  # Write `s` bytes in valid region
+  derSig.data.rawCopy(pos, sBytes, sPos, sLen)
+  inc pos, sLen
+
+  assert derSig.len == pos
+
+proc fromRawDER*(r, s: var array[32, byte], sig: openArray[byte]): bool =
+  ## Extracts the `r` and `s` values from a given DER signature.
+  ##
+  ## Returns `true` if the input is a valid DER encoded signature
+  ## for `secp256k1` (or any curve with 32 byte scalars).
+  var pos = 0
+
+  template checkInc(val: untyped): untyped =
+    if pos > sig.high or sig[pos] != val:
+      # Invalid signature
+      return false
+    inc pos
+  template readInc(val: untyped): untyped =
+    if pos > sig.high:
+      return false
+    val = sig[pos]
+    inc pos
+
+  checkInc(0x30) # SEQUENCE
+  var totalLen: byte; readInc(totalLen)
+
+  template parseElement(el: var array[32, byte]): untyped =
+    var eLen: byte; readInc(eLen) # len of `r`
+    if pos + eLen.int > sig.len: # would need more data than available
+      return false
+    # read `r` into *last* `rLen` bytes
+    var eStart = el.len - eLen.int
+    if eStart < 0: # indicates prefix 0 due to first byte >= 0x80 (highest bit set)
+      doAssert eLen == 33
+      inc pos # skip first byte
+      eStart = 0 # start from 0 in `el`
+      dec eLen # decrease eLen by 1
+    el.rawCopy(eStart, sig, pos, eLen.int)
+    inc pos, eLen.int
+
+  # `r`
+  checkInc(0x02) # INTEGER
+  parseElement(r)
+
+  # `s`
+  checkInc(0x02) # INTEGER
+  parseElement(s)
+
+  # NOTE: `totalLen` does not include the prefix [0x30, totalLen] 2 bytes. Hence -2.
+  assert pos - 2 == totalLen.int, "Pos = " & $pos & ", totalLen = " & $totalLen
+
+  result = true
+
+proc fromDER*(r, s: var array[32, byte], derSig: DerSignature) =
+  ## Splits a given `DerSignature` back into the `r` and `s` elements as
+  ## raw byte arrays.
+  fromRawDER(r, s, derSig.data)