Merge pull request #49 from rdubois-crypto/feature_split_ecdsa

adding edge case for ecmulmuladd
rdubois-crypto · Dec 15, 2023 · 4eaa678 · 4eaa678
2 parents e2830cb + 56dfd92
commit 4eaa678
Show file tree

Hide file tree

Showing 4 changed files with 148 additions and 4 deletions.
diff --git a/sage/FCL_common/FCL_elliptic.sage b/sage/FCL_common/FCL_elliptic.sage
@@ -77,3 +77,53 @@ sec256k_gx=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 ;
 sec256k_gy=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8;
 sec256k_n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141;
 
+#//Init_Curve(sec256p_p, sec256p_a, sec256p_b, sec256p_gx, sec256p_gy, sec256p_n);
+
+stark_p=2^251+17*2^192+1     
+stark_a=1;
+stark_b=0x6f21413efbe40de150e596d72f7a8c5609ad26c15c915c1f4cdfcb99cee9e89;
+stark_q=0x800000000000010ffffffffffffffffb781126dcae7b2321e66a241adc64d2f;
+stark_gx = 0x1ef15c18599971b7beced415a40f0c7deacfd9b0d1819e03d723d8bc943cfca;
+stark_gy = 0x5668060aa49730b7be4801df46ec62de53ecd11abe43a32873000c36e8dc1f;	
+stark_n=0x800000000000010ffffffffffffffffb781126dcae7b2321e66a241adc64d2f;
+
+#//https://github.com/bellesmarta/baby_jubjub is compliant with https://github.com/iden3/circomlibjs/blob/4f094c5be05c1f0210924a3ab204d8fd8da69f49/src/babyjub.js in non reduced Ted form
+#//https://github.com/iden3/circomlib/blob/master/test/babyjub.js
+#//https://github.com/iden3/circomlibjs/blob/4f094c5be05c1f0210924a3ab204d8fd8da69f49/test/eddsa.js
+#//here it is a twisted edwards curve:https://hyperelliptic.org/EFD/g1p/auto-twisted.html
+#//generate poseidon:https://github.com/iden3/circomlibjs/blob/main/src/poseidon_gencontract.js
+babyjj_p=21888242871839275222246405745257275088548364400416034343698204186575808495617;
+babyjj_n=21888242871839275222246405745257275088614511777268538073601725287587578984328;
+babyjj_A=168700;
+babyjj_D=168696;
+#//https://github.com/bellesmarta/baby_jubjub, unreduced
+babyjj_gx=995203441582195749578291179787384436505546430278305826713579947235728471134;
+babyjj_gy=5472060717959818805561601436314318772137091100104008585924551046643952123905;
+
+
+#nes_p=next_prime(sec256k_p);
+#Fp=GF(nes_p); 	
+#Curve=EllipticCurve(Fp, [sec256k_a, sec256k_b]);	
+#order=Curve.order();
+#while(is_prime(order)==false):
+# nes_p=next_prime(nes_p);
+# Fp=GF(nes_p); 	
+# Curve=EllipticCurve(Fp, [sec256k_a, sec256k_b]);	
+# order=Curve.order();
+#print ("nes_p=",nes_p);
+
+#nes_p= 115792089237316195423570985008687907853269984665640564039457584007908834744347;
+#Fp=GF(nes_p); 	
+#Curve=EllipticCurve(Fp, [sec256k_a, sec256k_b]);	
+#q=Curve.order();
+#Fq=GF(q); 	
+#Curveq=EllipticCurve(Fq, [sec256k_a, sec256k_b]);	
+#orderq=Curveq.order();
+
+
+
+
+
+
+
+
diff --git a/sage/FCL_ecdsa/FCL_ecdsa.sage b/sage/FCL_ecdsa/FCL_ecdsa.sage
@@ -39,16 +39,36 @@ _G_BYTESIZE =32;
 _G_HASH = _BITCOIN_HASH
 _G_CURVE, _G_POINT = FCL_ec_Init_Curve(sec256k_p, sec256k_a, sec256k_b, sec256k_gx, sec256k_gy, sec256k_n);
 _G_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141;
+
+
+
+#set global variables to stark settings
+_G_CURVE, _G_POINT = FCL_ec_Init_Curve(stark_p, stark_a, stark_b, stark_gx, stark_gy, stark_n);
+_G_ORDER=stark_n;
+
 #set global variables to ethereum settings
 #_G_HASH = _ETHER_HASH
 _G_CURVE, _G_POINT = FCL_ec_Init_Curve(sec256k_p, sec256k_a, sec256k_b, sec256k_gx, sec256k_gy, sec256k_n);
 _G_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141;
+_G_ALPHA= 3; #3 is a non square for this prime field
+Fq=GF(_G_ORDER);
+Fp=_G_POINT[0].parent();
+
+
 #set global variables to P256 settings
 _G_CURVE, _G_POINT = FCL_ec_Init_Curve(sec256p_p, sec256p_a, sec256p_b, sec256p_gx, sec256p_gy, sec256p_n);
 _G_ORDER=sec256p_n;
 
-Fq=GF(_G_ORDER);
 
+def FCL_Hash2sec256k1(h):
+ Fp=GF(sec256k_p);
+ y2=Fp(h^3+sec256k_b);
+ if is_square(y2==false):
+ 	h=3*(h+sec256k_b);
+ 	print("swap");	
+ 	y2=h^3+sec256k_b;
+ 	print("square:",is_square(y2));
+ return (h, y2);
 
 def FCL_ecdsa_keygen(random_k):
  pk=random_k*_G_POINT;
@@ -144,10 +164,12 @@ def test_consistency():
     print("Recovery failed !!"); 
     return False;
 
- print("\n Verification and Recovery OK");
+   print("\n Verification and Recovery OK");
  return True;
 
-
+#https://starkscan.co/contract/0x053a2e69119c26977102dae51ba3e87e01e2c43161615aa5af73dd4483dbd73c
+#https://starkscan.co/contract/0x053a2e69119c26977102dae51ba3e87e01e2c43161615aa5af73dd4483dbd73c#read-write-contract0x31d4839cf06868be8d891e486af2765f7e67acd8babaa087bc2d3b8ed9cc046
+#FCL_ecdsa_verify(_G_CURVE, _G_POINT, 0x05f32d2947ac403194b1b788a5828f05b5ef89a577f72f71c33171c75900b8de, 0x31d4839cf06868be8d891e486af2765f7e67acd8babaa087bc2d3b8ed9cc046, 
 
 
 
diff --git a/sage/FCL_musig2/FCL_musig2.py b/sage/FCL_musig2/FCL_musig2.py
@@ -119,7 +119,6 @@ def Musig2_Sig1Agg(vec_Ri, nb_users, _MU):
 		for j in range(0,_MU):#sum the contribution to previous ones
 			Aggregated_Ri[j]+=vec_Ri[i][j];	
 	return Aggregated_Ri;
-
 
 def Musig2_Sig2Agg(vec_s, curve_order, nb_users):
 	Fq=GF(curve_order);

diff --git a/solidity/tests/WebAuthn_forge/test/FCL_ecmulmul_edge.t.sol b/solidity/tests/WebAuthn_forge/test/FCL_ecmulmul_edge.t.sol
@@ -0,0 +1,73 @@
+//********************************************************************************************/
+//  ___           _       ___               _         _    _ _
+// | __| _ ___ __| |_    / __|_ _ _  _ _ __| |_ ___  | |  (_) |__
+// | _| '_/ -_|_-< ' \  | (__| '_| || | '_ \  _/ _ \ | |__| | '_ \
+// |_||_| \___/__/_||_|  \___|_|  \_, | .__/\__\___/ |____|_|_.__/
+//                                |__/|_|
+///* Copyright (C) 2022 - Renaud Dubois - This file is part of FCL (Fresh CryptoLib) project
+///* License: This software is licensed under MIT License
+///* This Code may be reused including license and copyright notice.
+///* See LICENSE file at the root folder of the project.
+///* FILE: FCL_elliptic.sol
+///*
+///*
+///* DESCRIPTION: modified XYZZ system coordinates for EVM elliptic point multiplication
+///*  optimization
+///*
+//**************************************************************************************/
+// SPDX-License-Identifier: MIT
+pragma solidity >=0.8.19 <0.9.0;
+
+import "forge-std/Test.sol";
+import "@solidity/FCL_elliptic.sol";
+import "@solidity/FCL_ecdsa.sol";
+
+//testing edge case as suggested by Mikhail in commit 5d3c3f77f0d296f095bb071e7df5278a1c0cc1be
+contract edgemultTest is Test {
+ /* vector from http://point-at-infinity.org/ecc/nisttv
+//k = 115792089210356248762697446949407573529996955224135760342422259061068512044367
+//x = 7CF27B188D034F7E8A52380304B51AC3C08969E277F21B35A60B48FC47669978
+//y = F888AAEE24712FC0D6C26539608BCF244582521AC3167DD661FB4862DD878C2E*/
+//edge case for Shamir 
+function test_edgeMul() public returns (bool)
+{
+ uint256[3] memory vec=[
+  115792089210356248762697446949407573529996955224135760342422259061068512044367,
+  0x7CF27B188D034F7E8A52380304B51AC3C08969E277F21B35A60B48FC47669978,
+  0xF888AAEE24712FC0D6C26539608BCF244582521AC3167DD661FB4862DD878C2E
+ ];
+ uint256 resX;
+ uint256 resY;
+ uint256[4] memory Q=[uint256(0),0,0,0];
+
+ //(resX, resY)=ec_scalarmulN(vec[0], vec[1], vec[2]);
+ resX=FCL_Elliptic_ZZ.ecZZ_mulmuladd_S_asm(Q[0], Q[1], vec[0], 0);
+ assertEq(0x7CF27B188D034F7E8A52380304B51AC3C08969E277F21B35A60B48FC47669978, resX);
+
+ //edge case from niordell
+ uint256[4] memory vec2=[
+102369864249653057322725350723741461599905180004905897298779971437827381725266,//x
+    14047598098721058250371778545974983789701612908526165355421494088134814672697,//y
+    94632330233094393099906091027057584450760066982961548963789323460936666616340,//u
+    23658082558273598274976522756764396112690016745740387240947330865234166656879];//v
+
+ //expected result using FCL_elliptic.sage, dark side:
+ //_G_POINT*94632330233094393099906091027057584450760066982961548963789323460936666616340+_G_CURVE(102369864249653057322725350723741461599905180004905897298779971437827381725266, 14047598098721058250371778545974983789701612908526165355421494088134814672697)*23658082558273598274976522756764396112690016745740387240947330865234166656879
+//(93995665850302450053183256960521438033484268364047930968443817833761593125805 : 60765861213361593633751918097312828188566711467069305801019119884414110226811 : 1)
+
+
+ resX=FCL_Elliptic_ZZ.ecZZ_mulmuladd_S_asm(vec2[0], vec2[1], vec2[2], vec2[3]);
+ console.log("resX=%x",resX);
+
+ assertEq(93995665850302450053183256960521438033484268364047930968443817833761593125805, resX);
+
+
+
+}
+
+
+
+
+
+
+}