zkevm-rom 0.0.1-security → 6.0.1

package/main/ecrecover/constEc.zkasm

@@ -0,0 +1,13 @@
+CONSTL %FPEC = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2Fn
+CONSTL %FPEC_MINUS_ONE = %FPEC - 1
+CONSTL %FNEC_DIV_TWO = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0n
+CONSTL %FPEC_C2_256 = 0x1000003D1n
+CONSTL %FPEC_NON_SQRT = (1n << 256n) - 1n
+
+CONSTL %FNEC = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n
+CONSTL %FNEC_MINUS_ONE = %FNEC - 1
+
+CONSTL %ECGX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n
+CONSTL %ECGY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n
+CONSTL %P2_160 = 2n ** 160n
+CONSTL %P2_96 = 2n ** 96n

package/main/ecrecover/ecrecover.zkasm

@@ -0,0 +1,280 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; ecrecover in: A = hash, B = r, C = s, D = v
+;;           out: A = result, B = result_code
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL ecrecover_hash
+VAR GLOBAL ecrecover_r
+VAR GLOBAL ecrecover_s
+VAR GLOBAL ecrecover_v
+VAR GLOBAL ecrecover_r_inv
+VAR GLOBAL ecrecover_y
+VAR GLOBAL ecrecover_y2
+VAR GLOBAL ecrecover_k1
+VAR GLOBAL ecrecover_k2
+VAR GLOBAL ecrecover_RR
+VAR GLOBAL ecrecover_v_parity
+VAR GLOBAL ecrecover_s_upperlimit
+
+INCLUDE "constEc.zkasm"
+
+; ERROR CODES (B)
+; 0 - no error
+; 1 - r is zero (0)
+; 2 - r is too big
+; 3 - s is zero (0)
+; 4 - s is too big
+; 5 - v not valid value (1b, 1c)
+; 6 - not exists sqrt of y
+; 100 - fail sqrt, but has solution (!!!)
+
+; MAP: MAlicious Prover
+;
+; RESOURCES:
+;   PATH without root:      1014 arith + 10 binaries + 4527 steps
+;   PATH with root:         528 arith + 523 binaries + 6294 steps - 1 keccak
+;   PATH fail checks:       2 arith + 8 binaries + 45 steps
+
+ecrecover_precompiled:
+        %FNEC_MINUS_ONE :MSTORE(ecrecover_s_upperlimit),JMP(ecrecover_store_args)
+
+ecrecover_tx:
+        %FNEC_DIV_TWO   :MSTORE(ecrecover_s_upperlimit)
+
+ecrecover_store_args:
+
+        ; save arguments
+
+        A           :MSTORE(ecrecover_hash)
+        B           :MSTORE(ecrecover_r)
+        C           :MSTORE(ecrecover_s)
+        D           :MSTORE(ecrecover_v)
+
+
+
+        %MAX_CNT_BINARY - CNT_BINARY - 550   :JMPN(outOfCountersBinary)
+        %MAX_CNT_ARITH - CNT_ARITH - 1100     :JMPN(outOfCountersArith)
+        %MAX_CNT_STEPS - STEP - 6400     :JMPN(outOfCountersStep)
+
+        $ => A         :MLOAD(cntKeccakPreProcess)
+        %MAX_CNT_KECCAK_F - CNT_KECCAK_F - A - 1 :JMPN(outOfCountersKeccak)
+
+        ; save RR to call return at end of routine
+        RR          :MSTORE(ecrecover_RR)
+
+        ; r in [1, FNEC-1]
+        $ => B      :MLOAD(ecrecover_r)
+        0n => A
+        $           :EQ,JMPC(ecrecover_r_is_zero)
+        %FNEC_MINUS_ONE => A
+
+        $           :LT,JMPC(ecrecover_r_is_too_big)
+
+        ; s in [1, ecrecover_s_upperlimit]
+        $ => A      :MLOAD(ecrecover_s_upperlimit)
+        $ => B      :MLOAD(ecrecover_s)
+        $           :LT,JMPC(ecrecover_s_is_too_big)
+        0n => A
+        $           :EQ,JMPC(ecrecover_s_is_zero)
+
+        ; compute r inverse
+        ; [steps: 23, bin: 4]
+        $ => A      :MLOAD(ecrecover_r),CALL(invFnEc)
+        B           :MSTORE(ecrecover_r_inv)
+
+        ; [steps: 37, bin: 6, arith: 2]
+        0x1Bn => B
+        $ => A      :MLOAD(ecrecover_v)
+        $ => E      :EQ,JMPNC(ecrecover_v_not_eq_1b)
+
+        ;  ecrecover_v_eq_1b:
+        0n          :MSTORE(ecrecover_v_parity),JMP(ecrecover_v_ok)
+
+ecrecover_v_not_eq_1b:
+        0x1Cn => B
+        ; [steps: 42, bin: 8, arith: 2]
+        $ => E      :EQ,JMPNC(ecrecover_v_not_eq_1b1c)
+
+        ; ecrecover_v_eq_1c:
+        1n          :MSTORE(ecrecover_v_parity),JMP(ecrecover_v_ok)
+
+ecrecover_v_ok:
+        ;
+        ; y^2 = x^3 + 7
+        ;
+        ; A*B*A + 7 = calculate y from x
+        ;
+        ; [steps: 44, bin: 8, arith: 2]
+        $ => A,B    :MLOAD(ecrecover_r),CALL(mulFpEc)
+
+        C => A
+        $ => B      :MLOAD(ecrecover_r),CALL(mulFpEc)
+
+        7 => A      :CALL(addFpEc)
+
+        ; load on A parity expected
+        ; [steps: 69, bin: 8, arith: 8]
+        $ => A      :MLOAD(ecrecover_v_parity)
+        C           :MSTORE(ecrecover_y2),CALL(sqrtFpEc)
+
+        ; If has root B = 1 else B = 0
+        ; If B = 1 => C is alias-free (see sqrtFpEc)
+
+        ; [steps: 85, bin: 9, arith: 10]
+        B           :JMPNZ(ecrecover_has_sqrt)
+
+        ; hasn't sqrt, now verify
+
+        $ => C      :MLOAD(ecrecover_y2),CALL(checkSqrtFpEc)
+        ; check must return on A register 1, because the root has no solution
+
+        ; [steps: 4524, bin: 10, arith: 1014]
+        1           :ASSERT,JMP(ecrecover_not_exists_sqrt_of_y)
+
+ecrecover_has_sqrt:
+        ; (v == 1b) ecrecover_y_parity = 0x00
+        ; (v == 1c) ecrecover_y_parity = 0x01
+
+        ; C: y = sqrt(y^2)  [it's alias free, verified in previous lines]
+
+        0x01n => A
+        C => B
+
+        ; A = parity(y)
+        $ => A      :AND
+
+        ; how solution y = 0 not exists because -7 not has a cubic root,
+        ; always parity of A must be equal to v_parity
+
+        ; ASSERT (A == ecrecover_v_parity), if it fails => MAP
+        A           :MLOAD(ecrecover_v_parity)
+
+        C           :MSTORE(ecrecover_y)
+
+        ; calculate C as (hash * inv_r) % FNEC
+        $ => A      :MLOAD(ecrecover_hash)
+        ; [steps: 92, bin: 10, arith: 10]
+        $ => B      :MLOAD(ecrecover_r_inv),CALL(mulFnEc)
+
+        ; calculate k1 as (FNEC - hash * inv_r) % FNEC
+        ; C = (hash * inv_r) % FNEC no alias free (MAP)
+        C => A
+        0 => B
+        ; C is zero, special case
+        $   :EQ,JMPNC(k1_c_is_not_zero)
+
+        ; [steps: 100, bin: 9, arith: 12]
+
+k1_c_is_zero:
+        ; k1 = 0 is alias-free
+        0   :MSTORE(mulPointEc_k1), JMP(k1_calculated)
+
+
+k1_c_is_not_zero:
+        ; A,C = (hash * inv_r) % FNEC
+        ; check A is alias-free, if not MAP ==> proof fails
+        %FNEC => B
+        1   :LT         ; ASSERT A < FNEC
+
+        ; FNEC - A = FNEC - (hash * inv_r) % FNEC
+        A => B
+        %FNEC => A
+        ; B != 0 ==> mulPointEc_k1 = FNEC - B
+        ; k1 is alias-free
+        $   :SUB, MSTORE(mulPointEc_k1)
+
+k1_calculated:
+
+        $ => A      :MLOAD(ecrecover_s)
+
+        ; [steps: 105, bin: 9, arith: 13]
+        $ => B      :MLOAD(ecrecover_r_inv),CALL(mulFnEc)
+
+        ;   C = (s * inv_r) % FNEC => k2
+        ; [steps: 113, bin: 9, arith: 15]
+        C => A      :MSTORE(mulPointEc_k2)
+        %FNEC => B
+
+        ; ASSERT(k2 is alias free)
+        1           :LT
+
+        %ECGX       :MSTORE(mulPointEc_p1_x)
+        %ECGY       :MSTORE(mulPointEc_p1_y)
+
+        ; r isn't an alias because the range has been checked at beginning
+        $ => A      :MLOAD(ecrecover_r)
+        A           :MSTORE(mulPointEc_p2_x)
+
+        ; y isn't an alias because was checked before
+        ; (r,y) is a point of curve because it satisfies the curve equation
+        $ => A      :MLOAD(ecrecover_y)
+        ; [steps: 120, bin: 10, arith: 15]
+        A           :MSTORE(mulPointEc_p2_y),CALL(mulPointEc)
+
+        ; check if result of mulPointEc is point at infinity
+        HASHPOS     :JMPZ(ecrecover_p3_point_at_infinity)
+
+        ; [steps: 6280, bin: 522, arith: 527]
+        ; generate keccak of public key to obtain ethereum address
+        $ => E         :MLOAD(lastHashKIdUsed)
+        E + 1 => E     :MSTORE(lastHashKIdUsed)
+        0 => HASHPOS
+        32 => D
+
+        ; p3_x, p3_y are alias free because arithmetic guarantees it
+        $ => A         :MLOAD(mulPointEc_p3_x)
+        A              :HASHK(E)
+        $ => A         :MLOAD(mulPointEc_p3_y)
+        A              :HASHK(E)
+
+        64             :HASHKLEN(E)
+        $ => A         :HASHKDIGEST(E)
+
+        ; for address take only last 20 bytes
+        0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFn => B
+        $ => A         :AND
+        ; AtEnd [steps: 6294, bin: 523, keccak: 1, arith: 528]
+        0 => B         :JMP(ecrecover_end)
+
+; ERRORS
+ecrecover_r_is_zero:
+        1 => B      :JMP(ecrecover_error)
+
+ecrecover_r_is_too_big:
+        2 => B      :JMP(ecrecover_error)
+
+ecrecover_s_is_zero:
+        3 => B      :JMP(ecrecover_error)
+
+ecrecover_s_is_too_big:
+        4 => B      :JMP(ecrecover_error)
+
+ecrecover_v_not_eq_1b1c:
+        ; AtEnd [steps: 45, bin: 8, arith: 2]
+        5 => B      :JMP(ecrecover_error)
+
+ecrecover_not_exists_sqrt_of_y:
+        ; AtEnd [steps: 4527, bin: 10, arith: 1014]
+        6 => B      :JMP(ecrecover_error)
+
+ecrecover_p3_point_at_infinity:
+        7 => B      :JMP(ecrecover_error)
+
+ecrecover_error:
+        0 => A
+
+ecrecover_end:
+        $ => RR     :MLOAD(ecrecover_RR)
+        :RETURN
+
+INCLUDE "addFpEc.zkasm"
+INCLUDE "sqFpEc.zkasm"
+INCLUDE "mulFpEc.zkasm"
+INCLUDE "mulFnEc.zkasm"
+INCLUDE "invFpEc.zkasm"
+INCLUDE "invFnEc.zkasm"
+INCLUDE "sqrtFpEc.zkasm"
+INCLUDE "checkSqrtFpEc.zkasm"
+INCLUDE "mulPointEc.zkasm"

package/main/ecrecover/invFnEc.zkasm

@@ -0,0 +1,44 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; invFnEc B = inv(A)
+;;
+;; PRE: A no alias-free
+;; POST: B no alias-free (on MAP)
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; RESOURCES:
+;   non-normalized: 2 ariths + 2 binaries + 12 steps
+;   normalized: 2 ariths + 1 binaries + 11 steps
+;   TOTAL (worst case): 2 ariths + 2 binaries + 12 steps
+
+VAR GLOBAL invFnEc_tmp
+
+invFnEc:
+
+        %FNEC => B
+        $       :LT,JMPC(invFnEc_normalized)
+        $ => A  :SUB
+
+invFnEc_normalized:
+        0 => C
+
+        ; B = inv(A)
+        ${var _invFnEc_A = inverseFnEc(A)} => B :MSTORE(invFnEc_tmp)
+        ; A * B + 0 = [D] * 2 ** 256 + [E]
+
+        $${var _invFnEc_AB = A * B}
+
+        ${_invFnEc_AB >> 256} => D
+        ${_invFnEc_AB} => E :ARITH
+
+        ;
+        ; with committed E,D
+        ; FnEc * [k] + 1 = D * 2 ** 256 + E
+        ;
+
+        1 => C
+        ${_invFnEc_AB / const.FNEC} => B
+        %FNEC => A
+
+        E :ARITH
+        $ => B   :MLOAD(invFnEc_tmp), RETURN

package/main/ecrecover/invFpEc.zkasm

@@ -0,0 +1,45 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; invFpEc B = inv(A)
+;;
+;; PRE: A no alias-free
+;; POST: B no alias-free (on MAP)
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; RESOURCES:
+;   non-normalized: 2 ariths + 2 binaries + 12 steps
+;   normalized: 2 ariths + 1 binaries + 11 steps
+;   TOTAL (worst case): 2 ariths + 2 binaries + 12 steps
+
+VAR GLOBAL invFpEc_tmp
+
+invFpEc:
+
+        %FPEC => B
+        $       :LT,JMPC(invFpEc_normalized)
+        $ => A  :SUB
+
+invFpEc_normalized:
+        0n => C
+        ; B = inv(A)
+
+        ${var _invFpEc_A = inverseFpEc(A)} => B :MSTORE(invFpEc_tmp);
+
+        ; A * B + 0 = [D] * 2 ** 256 + [E]
+
+        $${var _invFpEc_AB = A * _invFpEc_A}
+
+        ${_invFpEc_AB >> 256} => D
+        ${_invFpEc_AB} => E :ARITH
+
+        ;
+        ; with committed E,D
+        ; FpEc * [k] + 1 = D * 2 ** 256 + E
+        ;
+
+        1n => C
+        ${_invFpEc_AB / const.FPEC} => B
+        %FPEC => A
+
+        E :ARITH
+        $ => B   :MLOAD(invFpEc_tmp),RETURN

package/main/ecrecover/mulFnEc.zkasm

@@ -0,0 +1,36 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; mulFnEc (C = A * B)
+;;
+;; PRE: A,B no alias-free
+;; POST: C no alias-free (on MAP)
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; RESOURCES:
+;   2 arith + 7 steps
+
+mulFnEc:
+        0 => C
+
+        ; A * B + 0 = [D] * 2 ** 256 + [E]
+
+        $${var _mulFnEc_AB = A * B}
+
+        ${_mulFnEc_AB >> 256} => D
+
+        ;;
+        ;; result of command was only 256 bits, not need mask
+        ;; ${_mulFnEc_AB & ((1 << 256) - 1)} == ${_mulFnEc_AB}
+
+        ${_mulFnEc_AB} => E :ARITH
+
+        ;
+        ; with committed E,D
+        ; FnEc * [k] + [C] = D * 2 ** 256 + E
+        ;
+
+        ${_mulFnEc_AB % const.FNEC} => C
+        ${_mulFnEc_AB / const.FNEC} => B
+        %FNEC => A
+
+        E :ARITH,RETURN

package/main/ecrecover/mulFpEc.zkasm

@@ -0,0 +1,36 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; mulFpEc (C = A * B)
+;;
+;; PRE: A,B no alias-free
+;; POST: C no alias-free (on MAP)
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; RESOURCES:
+;   2 arith + 7 steps
+
+mulFpEc:
+        0 => C
+
+        ; A * B + 0 = [D] * 2 ** 256 + [E]
+
+        $${var _mulFpEc_AB = A * B}
+
+        ${_mulFpEc_AB >> 256} => D
+
+        ;;
+        ;; result of command was only 256 bits, not need mask
+        ;; ${_mulFpEc_AB & ((1 << 256) - 1)} == ${_mulFpEc_AB}
+
+        ${_mulFpEc_AB} => E:ARITH
+
+        ;
+        ; with committed E,D
+        ; FpEc * [k] + [C] = D * 2 ** 256 + E
+        ;
+
+        ${_mulFpEc_AB % const.FPEC} => C
+        ${_mulFpEc_AB / const.FPEC} => B
+        %FPEC => A
+
+        E :ARITH,RETURN