Dedicated crate for the Schnorr contract

2025-12-08 12:19:24 +00:00 · 2024-09-15 00:41:16 -04:00
parent bdf89f5350
commit 1c5bc2259e
20 changed files with 389 additions and 222 deletions
--- a/processor/ethereum/contracts/.gitignore
+++ b/processor/ethereum/contracts/.gitignore
@@ -1,3 +1 @@
-# Solidity build outputs
-cache
 artifacts
--- a/processor/ethereum/contracts/contracts/Schnorr.sol
+++ b/processor/ethereum/contracts/contracts/Schnorr.sol
@@ -1,44 +0,0 @@
-// SPDX-License-Identifier: AGPLv3
-pragma solidity ^0.8.0;
-
-// see https://github.com/noot/schnorr-verify for implementation details
-library Schnorr {
-  // secp256k1 group order
-  uint256 constant public Q =
-    0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141;
-
-  // Fixed parity for the public keys used in this contract
-  // This avoids spending a word passing the parity in a similar style to
-  // Bitcoin's Taproot
-  uint8 constant public KEY_PARITY = 27;
-
-  error InvalidSOrA();
-  error MalformedSignature();
-
-  // px := public key x-coord, where the public key has a parity of KEY_PARITY
-  // message := 32-byte hash of the message
-  // c := schnorr signature challenge
-  // s := schnorr signature
-  function verify(
-    bytes32 px,
-    bytes memory message,
-    bytes32 c,
-    bytes32 s
-  ) internal pure returns (bool) {
-    // ecrecover = (m, v, r, s) -> key
-    // We instead pass the following to obtain the nonce (not the key)
-    // Then we hash it and verify it matches the challenge
-    bytes32 sa = bytes32(Q - mulmod(uint256(s), uint256(px), Q));
-    bytes32 ca = bytes32(Q - mulmod(uint256(c), uint256(px), Q));
-
-    // For safety, we want each input to ecrecover to be 0 (sa, px, ca)
-    // The ecreover precomple checks `r` and `s` (`px` and `ca`) are non-zero
-    // That leaves us to check `sa` are non-zero
-    if (sa == 0) revert InvalidSOrA();
-    address R = ecrecover(sa, KEY_PARITY, px, ca);
-    if (R == address(0)) revert MalformedSignature();
-
-    // Check the signature is correct by rebuilding the challenge
-    return c == keccak256(abi.encodePacked(R, px, message));
-  }
-}
--- a/processor/ethereum/contracts/contracts/tests/Schnorr.sol
+++ b/processor/ethereum/contracts/contracts/tests/Schnorr.sol
@@ -1,15 +0,0 @@
-// SPDX-License-Identifier: AGPLv3
-pragma solidity ^0.8.0;
-
-import "../../../contracts/Schnorr.sol";
-
-contract TestSchnorr {
-  function verify(
-    bytes32 px,
-    bytes calldata message,
-    bytes32 c,
-    bytes32 s
-  ) external pure returns (bool) {
-    return Schnorr.verify(px, message, c, s);
-  }
-}
--- a/processor/ethereum/ethereum-serai/src/crypto.rs
+++ b/processor/ethereum/ethereum-serai/src/crypto.rs
@@ -62,56 +62,6 @@ pub fn deterministically_sign(tx: &TxLegacy) -> Signed<TxLegacy> {
  }
 }

-/// The public key for a Schnorr-signing account.
-#[allow(non_snake_case)]
-#[derive(Clone, Copy, PartialEq, Eq, Debug)]
-pub struct PublicKey {
-  pub(crate) A: ProjectivePoint,
-  pub(crate) px: Scalar,
-}
-
-impl PublicKey {
-  /// Construct a new `PublicKey`.
-  ///
-  /// This will return None if the provided point isn't eligible to be a public key (due to
-  /// bounds such as parity).
-  #[allow(non_snake_case)]
-  pub fn new(A: ProjectivePoint) -> Option<PublicKey> {
-    let affine = A.to_affine();
-    // Only allow even keys to save a word within Ethereum
-    let is_odd = bool::from(affine.y_is_odd());
-    if is_odd {
-      None?;
-    }
-
-    let x_coord = affine.x();
-    let x_coord_scalar = <Scalar as Reduce<KU256>>::reduce_bytes(&x_coord);
-    // Return None if a reduction would occur
-    // Reductions would be incredibly unlikely and shouldn't be an issue, yet it's one less
-    // headache/concern to have
-    // This does ban a trivial amoount of public keys
-    if x_coord_scalar.to_repr() != x_coord {
-      None?;
-    }
-
-    Some(PublicKey { A, px: x_coord_scalar })
-  }
-
-  pub fn point(&self) -> ProjectivePoint {
-    self.A
-  }
-
-  pub fn eth_repr(&self) -> [u8; 32] {
-    self.px.to_repr().into()
-  }
-
-  pub fn from_eth_repr(repr: [u8; 32]) -> Option<Self> {
-    #[allow(non_snake_case)]
-    let A = Option::<AffinePoint>::from(AffinePoint::decompress(&repr.into(), 0.into()))?.into();
-    Option::from(Scalar::from_repr(repr.into())).map(|px| PublicKey { A, px })
-  }
-}
-
 /// The HRAm to use for the Schnorr contract.
 #[derive(Clone, Default)]
 pub struct EthereumHram {}
@@ -128,58 +78,6 @@ impl Hram<Secp256k1> for EthereumHram {
  }
 }

-/// A signature for the Schnorr contract.
-#[derive(Clone, Copy, PartialEq, Eq, Debug)]
-pub struct Signature {
-  pub(crate) c: Scalar,
-  pub(crate) s: Scalar,
-}
-impl Signature {
-  pub fn verify(&self, public_key: &PublicKey, message: &[u8]) -> bool {
-    #[allow(non_snake_case)]
-    let R = (Secp256k1::generator() * self.s) - (public_key.A * self.c);
-    EthereumHram::hram(&R, &public_key.A, message) == self.c
-  }
-
-  /// Construct a new `Signature`.
-  ///
-  /// This will return None if the signature is invalid.
-  pub fn new(
-    public_key: &PublicKey,
-    message: &[u8],
-    signature: SchnorrSignature<Secp256k1>,
-  ) -> Option<Signature> {
-    let c = EthereumHram::hram(&signature.R, &public_key.A, message);
-    if !signature.verify(public_key.A, c) {
-      None?;
-    }
-
-    let res = Signature { c, s: signature.s };
-    assert!(res.verify(public_key, message));
-    Some(res)
-  }
-
-  pub fn c(&self) -> Scalar {
-    self.c
-  }
-  pub fn s(&self) -> Scalar {
-    self.s
-  }
-
-  pub fn to_bytes(&self) -> [u8; 64] {
-    let mut res = [0; 64];
-    res[.. 32].copy_from_slice(self.c.to_repr().as_ref());
-    res[32 ..].copy_from_slice(self.s.to_repr().as_ref());
-    res
-  }
-
-  pub fn from_bytes(bytes: [u8; 64]) -> std::io::Result<Self> {
-    let mut reader = bytes.as_slice();
-    let c = Secp256k1::read_F(&mut reader)?;
-    let s = Secp256k1::read_F(&mut reader)?;
-    Ok(Signature { c, s })
-  }
-}
 impl From<&Signature> for AbiSignature {
  fn from(sig: &Signature) -> AbiSignature {
    let c: [u8; 32] = sig.c.to_repr().into();
--- a/processor/ethereum/ethereum-serai/src/tests/mod.rs
+++ b/processor/ethereum/ethereum-serai/src/tests/mod.rs
@@ -23,8 +23,6 @@ mod crypto;
 #[cfg(test)]
 use contracts::tests as abi;
 #[cfg(test)]
-mod schnorr;
-#[cfg(test)]
 mod router;

 pub fn key_gen() -> (HashMap<Participant, ThresholdKeys<Secp256k1>>, PublicKey) {
--- a/processor/ethereum/ethereum-serai/src/tests/schnorr.rs
+++ b/processor/ethereum/ethereum-serai/src/tests/schnorr.rs
@@ -1,93 +0,0 @@
-use std::sync::Arc;
-
-use rand_core::OsRng;
-
-use group::ff::PrimeField;
-use k256::Scalar;
-
-use frost::{
-  curve::Secp256k1,
-  algorithm::IetfSchnorr,
-  tests::{algorithm_machines, sign},
-};
-
-use alloy_core::primitives::Address;
-
-use alloy_sol_types::SolCall;
-
-use alloy_rpc_types_eth::{TransactionInput, TransactionRequest};
-use alloy_simple_request_transport::SimpleRequest;
-use alloy_rpc_client::ClientBuilder;
-use alloy_provider::{Provider, RootProvider};
-
-use alloy_node_bindings::{Anvil, AnvilInstance};
-
-use crate::{
-  Error,
-  crypto::*,
-  tests::{key_gen, deploy_contract, abi::schnorr as abi},
-};
-
-async fn setup_test() -> (AnvilInstance, Arc<RootProvider<SimpleRequest>>, Address) {
-  let anvil = Anvil::new().spawn();
-
-  let provider = RootProvider::new(
-    ClientBuilder::default().transport(SimpleRequest::new(anvil.endpoint()), true),
-  );
-  let wallet = anvil.keys()[0].clone().into();
-  let client = Arc::new(provider);
-
-  let address = deploy_contract(client.clone(), &wallet, "TestSchnorr").await.unwrap();
-  (anvil, client, address)
-}
-
-#[tokio::test]
-async fn test_deploy_contract() {
-  setup_test().await;
-}
-
-pub async fn call_verify(
-  provider: &RootProvider<SimpleRequest>,
-  contract: Address,
-  public_key: &PublicKey,
-  message: &[u8],
-  signature: &Signature,
-) -> Result<(), Error> {
-  let px: [u8; 32] = public_key.px.to_repr().into();
-  let c_bytes: [u8; 32] = signature.c.to_repr().into();
-  let s_bytes: [u8; 32] = signature.s.to_repr().into();
-  let call = TransactionRequest::default().to(contract).input(TransactionInput::new(
-    abi::verifyCall::new((px.into(), message.to_vec().into(), c_bytes.into(), s_bytes.into()))
-      .abi_encode()
-      .into(),
-  ));
-  let bytes = provider.call(&call).await.map_err(|_| Error::ConnectionError)?;
-  let res =
-    abi::verifyCall::abi_decode_returns(&bytes, true).map_err(|_| Error::ConnectionError)?;
-
-  if res._0 {
-    Ok(())
-  } else {
-    Err(Error::InvalidSignature)
-  }
-}
-
-#[tokio::test]
-async fn test_ecrecover_hack() {
-  let (_anvil, client, contract) = setup_test().await;
-
-  let (keys, public_key) = key_gen();
-
-  const MESSAGE: &[u8] = b"Hello, World!";
-
-  let algo = IetfSchnorr::<Secp256k1, EthereumHram>::ietf();
-  let sig =
-    sign(&mut OsRng, &algo, keys.clone(), algorithm_machines(&mut OsRng, &algo, &keys), MESSAGE);
-  let sig = Signature::new(&public_key, MESSAGE, sig).unwrap();
-
-  call_verify(&client, contract, &public_key, MESSAGE, &sig).await.unwrap();
-  // Test an invalid signature fails
-  let mut sig = sig;
-  sig.s += Scalar::ONE;
-  assert!(call_verify(&client, contract, &public_key, MESSAGE, &sig).await.is_err());
-}