feat: eip-7951 ecdsa p256

yelhousni · yelhousni · commit 265d08fd5e74 · 2025-11-12T19:46:40.000-05:00
diff --git a/std/evmprecompiles/256-p256verify.go b/std/evmprecompiles/256-p256verify.go
@@ -0,0 +1,50 @@
+package evmprecompiles
+
+import (
+	"fmt"
+
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/std/algebra/emulated/sw_emulated"
+	"github.com/consensys/gnark/std/math/emulated"
+	"github.com/consensys/gnark/std/signature/ecdsa"
+)
+
+// P256Verify implements [P256Verify] precompile contract at address 0x100.
+//
+// ...
+//
+// [P256Verify]: https://eips.ethereum.org/EIPS/eip-7951
+func P256Verify(api frontend.API,
+	msgHash emulated.Element[emulated.P256Fr],
+	r, s emulated.Element[emulated.P256Fr],
+	qx, qy emulated.Element[emulated.P256Fp],
+) frontend.Variable {
+	// Input validation
+	// 1. input_length == 160 ==> enforced by emulated.P256Fr, and emulated.P256Fp?
+	// 2. 0 < r < n and 0 < s < n ==> enforced by IsValid()
+	// 3. (qx, qy) is a valid point on the curve P256
+	curve, err := sw_emulated.New[emulated.P256Fp, emulated.P256Fr](api, sw_emulated.GetP256Params())
+	if err != nil {
+		panic(fmt.Sprintf("new curve: %v", err))
+	}
+	q := sw_emulated.AffinePoint[emulated.P256Fp]{
+		X: qx,
+		Y: qy,
+	}
+	curve.AssertIsOnCurve(&q) // todo: return bit
+	// 4. (qx, qy) != O
+	// impelemnt in sw_emulated
+
+	pk := ecdsa.PublicKey[emulated.P256Fp, emulated.P256Fr]{
+		X: qx,
+		Y: qy,
+	}
+	sig := ecdsa.Signature[emulated.P256Fr]{
+		R: r,
+		S: s,
+	}
+
+	verified := pk.IsValid(api, sw_emulated.GetCurveParams[emulated.P256Fp](), &msgHash, &sig)
+
+	return verified
+}
diff --git a/std/evmprecompiles/256-p256verify_test.go b/std/evmprecompiles/256-p256verify_test.go
@@ -0,0 +1,71 @@
+package evmprecompiles
+
+import (
+	"crypto/rand"
+	"math/big"
+	"testing"
+
+	"github.com/consensys/gnark-crypto/ecc"
+	"github.com/consensys/gnark-crypto/ecc/secp256r1/ecdsa"
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/std/math/emulated"
+	"github.com/consensys/gnark/test"
+)
+
+type p256verifyCircuit struct {
+	MsgHash  emulated.Element[emulated.P256Fr]
+	R        emulated.Element[emulated.P256Fr]
+	S        emulated.Element[emulated.P256Fr]
+	Qx, Qy   emulated.Element[emulated.P256Fp]
+	Expected frontend.Variable
+}
+
+func (c *p256verifyCircuit) Define(api frontend.API) error {
+	res := P256Verify(api, c.MsgHash, c.R, c.S, c.Qx, c.Qy)
+	api.AssertIsEqual(c.Expected, res)
+	return nil
+}
+
+func TestP256VerifyCircuit(t *testing.T) {
+	assert := test.NewAssert(t)
+	// key generation
+	sk, err := ecdsa.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatal("generate", err)
+	}
+	pk := sk.PublicKey
+	// signing
+	msg := []byte("test")
+	sigBuf, err := sk.Sign(msg, nil)
+	if err != nil {
+		t.Fatal("sign", err)
+	}
+	// verification
+	verified, err := sk.PublicKey.Verify(sigBuf, msg, nil)
+	if err != nil {
+		t.Fatal("verify", err)
+	}
+	// marshalling
+	var sig ecdsa.Signature
+	sig.SetBytes(sigBuf[:])
+	var r, s big.Int
+	r.SetBytes(sig.R[:])
+	s.SetBytes(sig.S[:])
+	hash := ecdsa.HashToInt(msg)
+	var expected frontend.Variable
+	if verified {
+		expected = 1
+	}
+
+	circuit := p256verifyCircuit{}
+	witness := p256verifyCircuit{
+		MsgHash:  emulated.ValueOf[emulated.P256Fr](hash),
+		R:        emulated.ValueOf[emulated.P256Fr](r),
+		S:        emulated.ValueOf[emulated.P256Fr](s),
+		Qx:       emulated.ValueOf[emulated.P256Fp](pk.A.X),
+		Qy:       emulated.ValueOf[emulated.P256Fp](pk.A.Y),
+		Expected: expected,
+	}
+	err = test.IsSolved(&circuit, &witness, ecc.BN254.ScalarField())
+	assert.NoError(err)
+}
