GitBross Home Explore Help
Register Sign In
sol_Bo8des9o
/
openzeppelin-contracts
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e3cfe1c5dd
Branches Tags
openzeppelin-co...
/
test
/
utils
/
cryptography
/
P256.t.sol

P256.t.sol 5.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139 
  1. // SPDX-License-Identifier: MIT
    2. 

  2. 

  3. pragma solidity ^0.8.20;
    4. 

  4. 

  5. import {Test} from "forge-std/Test.sol";
    6. 

  6. 

  7. import {P256} from "@openzeppelin/contracts/utils/cryptography/P256.sol";
    8. 

  8. import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";
    9. 

  9. 

  10. contract P256Test is Test {
    11. 

  11.     /// forge-config: default.fuzz.runs = 512
    12. 

  12.     function testVerify(bytes32 digest, uint256 seed) public {
    13. 

  13.         uint256 privateKey = _asPrivateKey(seed);
    14. 

  14. 

  15.         (bytes32 x, bytes32 y) = P256PublicKey.getPublicKey(privateKey);
    16. 

  16.         (bytes32 r, bytes32 s) = vm.signP256(privateKey, digest);
    17. 

  17.         s = _ensureLowerS(s);
    18. 

  18.         assertTrue(P256.verify(digest, r, s, x, y));
    19. 

  19.         assertTrue(P256.verifySolidity(digest, r, s, x, y));
    20. 

  20.     }
    21. 

  21. 

  22.     /// forge-config: default.fuzz.runs = 512
    23. 

  23.     function testRecover(bytes32 digest, uint256 seed) public {
    24. 

  24.         uint256 privateKey = _asPrivateKey(seed);
    25. 

  25. 

  26.         (bytes32 x, bytes32 y) = P256PublicKey.getPublicKey(privateKey);
    27. 

  27.         (bytes32 r, bytes32 s) = vm.signP256(privateKey, digest);
    28. 

  28.         s = _ensureLowerS(s);
    29. 

  29.         (bytes32 qx0, bytes32 qy0) = P256.recovery(digest, 0, r, s);
    30. 

  30.         (bytes32 qx1, bytes32 qy1) = P256.recovery(digest, 1, r, s);
    31. 

  31.         assertTrue((qx0 == x && qy0 == y) || (qx1 == x && qy1 == y));
    32. 

  32.     }
    33. 

  33. 

  34.     function _asPrivateKey(uint256 seed) private pure returns (uint256) {
    35. 

  35.         return bound(seed, 1, P256.N - 1);
    36. 

  36.     }
    37. 

  37. 

  38.     function _ensureLowerS(bytes32 s) private pure returns (bytes32) {
    39. 

  39.         uint256 _s = uint256(s);
    40. 

  40.         unchecked {
    41. 

  41.             return _s > P256.N / 2 ? bytes32(P256.N - _s) : s;
    42. 

  42.         }
    43. 

  43.     }
    44. 

  44. }
    45. 

  45. 

  46. /**
    47. 

  47.  * @dev Library to derive P256 public key from private key
    48. 

  48.  * Should be removed if Foundry adds this functionality
    49. 

  49.  * See https://github.com/foundry-rs/foundry/issues/7908
    50. 

  50.  */
    51. 

  51. library P256PublicKey {
    52. 

  52.     function getPublicKey(uint256 privateKey) internal view returns (bytes32, bytes32) {
    53. 

  53.         (uint256 x, uint256 y, uint256 z) = _jMult(P256.GX, P256.GY, 1, privateKey);
    54. 

  54.         return _affineFromJacobian(x, y, z);
    55. 

  55.     }
    56. 

  56. 

  57.     function _jMult(
    58. 

  58.         uint256 x,
    59. 

  59.         uint256 y,
    60. 

  60.         uint256 z,
    61. 

  61.         uint256 k
    62. 

  62.     ) private pure returns (uint256 rx, uint256 ry, uint256 rz) {
    63. 

  63.         unchecked {
    64. 

  64.             for (uint256 i = 0; i < 256; ++i) {
    65. 

  65.                 if (rz > 0) {
    66. 

  66.                     (rx, ry, rz) = _jDouble(rx, ry, rz);
    67. 

  67.                 }
    68. 

  68.                 if (k >> 255 > 0) {
    69. 

  69.                     if (rz == 0) {
    70. 

  70.                         (rx, ry, rz) = (x, y, z);
    71. 

  71.                     } else {
    72. 

  72.                         (rx, ry, rz) = _jAdd(rx, ry, rz, x, y, z);
    73. 

  73.                     }
    74. 

  74.                 }
    75. 

  75.                 k <<= 1;
    76. 

  76.             }
    77. 

  77.         }
    78. 

  78.     }
    79. 

  79. 

  80.     /// From P256.sol
    81. 

  81. 

  82.     function _affineFromJacobian(uint256 jx, uint256 jy, uint256 jz) private view returns (bytes32 ax, bytes32 ay) {
    83. 

  83.         if (jz == 0) return (0, 0);
    84. 

  84.         uint256 zinv = Math.invModPrime(jz, P256.P);
    85. 

  85.         uint256 zzinv = mulmod(zinv, zinv, P256.P);
    86. 

  86.         uint256 zzzinv = mulmod(zzinv, zinv, P256.P);
    87. 

  87.         ax = bytes32(mulmod(jx, zzinv, P256.P));
    88. 

  88.         ay = bytes32(mulmod(jy, zzzinv, P256.P));
    89. 

  89.     }
    90. 

  90. 

  91.     function _jDouble(uint256 x, uint256 y, uint256 z) private pure returns (uint256 rx, uint256 ry, uint256 rz) {
    92. 

  92.         uint256 p = P256.P;
    93. 

  93.         uint256 a = P256.A;
    94. 

  94.         assembly ("memory-safe") {
    95. 

  95.             let yy := mulmod(y, y, p)
    96. 

  96.             let zz := mulmod(z, z, p)
    97. 

  97.             let s := mulmod(4, mulmod(x, yy, p), p) // s = 4*x*y²
    98. 

  98.             let m := addmod(mulmod(3, mulmod(x, x, p), p), mulmod(a, mulmod(zz, zz, p), p), p) // m = 3*x²+a*z⁴
    99. 

  99.             let t := addmod(mulmod(m, m, p), sub(p, mulmod(2, s, p)), p) // t = m²-2*s
    100. 

  100. 

  101.             // x' = t
    102. 

  102.             rx := t
    103. 

  103.             // y' = m*(s-t)-8*y⁴
    104. 

  104.             ry := addmod(mulmod(m, addmod(s, sub(p, t), p), p), sub(p, mulmod(8, mulmod(yy, yy, p), p)), p)
    105. 

  105.             // z' = 2*y*z
    106. 

  106.             rz := mulmod(2, mulmod(y, z, p), p)
    107. 

  107.         }
    108. 

  108.     }
    109. 

  109. 

  110.     function _jAdd(
    111. 

  111.         uint256 x1,
    112. 

  112.         uint256 y1,
    113. 

  113.         uint256 z1,
    114. 

  114.         uint256 x2,
    115. 

  115.         uint256 y2,
    116. 

  116.         uint256 z2
    117. 

  117.     ) private pure returns (uint256 rx, uint256 ry, uint256 rz) {
    118. 

  118.         uint256 p = P256.P;
    119. 

  119.         assembly ("memory-safe") {
    120. 

  120.             let zz1 := mulmod(z1, z1, p) // zz1 = z1²
    121. 

  121.             let zz2 := mulmod(z2, z2, p) // zz2 = z2²
    122. 

  122.             let u1 := mulmod(x1, zz2, p) // u1 = x1*z2²
    123. 

  123.             let u2 := mulmod(x2, zz1, p) // u2 = x2*z1²
    124. 

  124.             let s1 := mulmod(y1, mulmod(zz2, z2, p), p) // s1 = y1*z2³
    125. 

  125.             let s2 := mulmod(y2, mulmod(zz1, z1, p), p) // s2 = y2*z1³
    126. 

  126.             let h := addmod(u2, sub(p, u1), p) // h = u2-u1
    127. 

  127.             let hh := mulmod(h, h, p) // h²
    128. 

  128.             let hhh := mulmod(h, hh, p) // h³
    129. 

  129.             let r := addmod(s2, sub(p, s1), p) // r = s2-s1
    130. 

  130. 

  131.             // x' = r²-h³-2*u1*h²
    132. 

  132.             rx := addmod(addmod(mulmod(r, r, p), sub(p, hhh), p), sub(p, mulmod(2, mulmod(u1, hh, p), p)), p)
    133. 

  133.             // y' = r*(u1*h²-x')-s1*h³
    134. 

  134.             ry := addmod(mulmod(r, addmod(mulmod(u1, hh, p), sub(p, rx), p), p), sub(p, mulmod(s1, hhh, p)), p)
    135. 

  135.             // z' = h*z1*z2
    136. 

  136.             rz := mulmod(h, mulmod(z1, z2, p), p)
    137. 

  137.         }
    138. 

  138.     }
    139. 

  139. }
    140.