// SPDX-License-Identifier: The Unlicense
pragma solidity 0.6.8;
pragma experimental ABIEncoderV2;
import { IDepositContract } from "./eth2-deposit-contract/deposit_contract.sol";
// Verifies the BLS signature of an eth2 deposit on-chain (via the BLS12-381 precompiles)
// before forwarding the deposit, together with msg.value, to the eth2 deposit contract.
contract DepositVerifier {
// Byte lengths of the deposit fields accepted by verifyAndDeposit: a 48-byte compressed
// G1 public key, a 96-byte compressed G2 signature and 32 bytes of withdrawal credentials.
uint constant PUBLIC_KEY_LENGTH = 48;
uint constant SIGNATURE_LENGTH = 96;
uint constant WITHDRAWAL_CREDENTIALS_LENGTH = 32;
// Deposit amounts are signed in Gwei; msg.value arrives in wei.
uint constant WEI_PER_GWEI = 1e9;
// BLS12-381 precompile addresses as assigned by the EIP-2537 draft this contract was written
// against. NOTE(review): the address assignments changed between revisions of that EIP;
// confirm them against the target network before deployment.
uint8 constant BLS12_381_PAIRING_PRECOMPILE_ADDRESS = 0x10;
uint8 constant BLS12_381_MAP_FIELD_TO_CURVE_PRECOMPILE_ADDRESS = 0x12;
uint8 constant BLS12_381_G2_ADD_ADDRESS = 0xD;
// Domain separation tag for hash-to-curve. The string is 44 bytes: the 43-byte DST followed
// by '+' (0x2b = 43), so the stored value already equals DST_prime = DST || I2OSP(len(DST), 1)
// as required by expand_message_xmd; expandMessage relies on this.
string constant BLS_SIG_DST = "BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_+";
// 0x1f keeps the low five bits of a byte, i.e. clears the three high bits that carry the
// compression / infinity / sign flags in the leading byte of a compressed point.
bytes1 constant BLS_BYTE_WITHOUT_FLAGS_MASK = bytes1(0x1f);
// EIP-198 modular exponentiation precompile, used here for reduction modulo the field prime.
uint8 constant MOD_EXP_PRECOMPILE_ADDRESS = 0x5;
// Fp is a field element with the high-order part stored in `a`.
// Layout matches the precompile encoding of a 64-byte Fp: `a` holds the top 16 bytes
// (zero-padded to a word), `b` the low 32 bytes.
struct Fp {
uint a;
uint b;
}
// Fp2 is an extension field element with the coefficient of the
// quadratic non-residue stored in `b`, i.e. p = a + i * b
struct Fp2 {
Fp a;
Fp b;
}
// G1Point represents a point on BLS12-381 over Fp with coordinates (X,Y);
struct G1Point {
Fp X;
Fp Y;
}
// G2Point represents a point on BLS12-381 over Fp2 with coordinates (X,Y);
struct G2Point {
Fp2 X;
Fp2 Y;
}
// The eth2 deposit contract that receives the verified deposit; fixed at deployment.
IDepositContract immutable depositContract;
// Constant related to versioning serializations of deposits on eth2
// Mixed into the signing root so signatures are bound to one deposit domain.
bytes32 immutable DEPOSIT_DOMAIN;
// Pins the deposit contract and the deposit domain for the lifetime of this contract.
// Both values are immutable: written once here, read by computeSigningRoot and verifyAndDeposit.
constructor(address depositContractAddress, bytes32 deposit_domain) public {
    DEPOSIT_DOMAIN = deposit_domain;
    depositContract = IDepositContract(depositContractAddress);
}
// Return a `wei` value in units of Gwei and serialize as a (LE) `bytes8`.
// The wei -> Gwei conversion is integer division, so any remainder below 1 Gwei is dropped
// from the serialized (and therefore signed) amount. Bytes beyond the low 64 bits are ignored.
function serializeAmount(uint amount) private pure returns (bytes memory) {
    uint gweiAmount = amount / WEI_PER_GWEI;
    bytes memory littleEndian = new bytes(8);
    // Emit the least significant byte first (uint64 little-endian).
    for (uint byteIndex = 0; byteIndex < 8; byteIndex++) {
        littleEndian[byteIndex] = byte(uint8(gweiAmount >> (8 * byteIndex)));
    }
    return littleEndian;
}
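// Compute the "signing root" of a DepositMessage {pubkey, withdrawal_credentials, amount}.
// This is the SSZ hash_tree_root of the message, merkleized manually here, mixed with
// DEPOSIT_DOMAIN:
//   leaf0 = sha256(pubkey || 16 zero bytes)      (Bytes48 spans two 32-byte chunks)
//   leaf1 = withdrawalCredentials                (a Bytes32 is its own chunk)
//   leaf2 = amount as LE uint64, zero-padded     (a uint64 is its own chunk)
//   leaf3 = zero chunk                           (three leaves are padded to four)
//   root  = sha256(sha256(leaf0 || leaf1) || sha256(leaf2 || leaf3))
//   signing root = sha256(root || DEPOSIT_DOMAIN)
// Reverts unless `publicKey` is 48 bytes and `withdrawalCredentials` is 32 bytes; the
// original relied on verifyAndDeposit for those checks, but this function is public.
// NOTE: function is exposed for testing...
function computeSigningRoot(
    bytes memory publicKey,
    bytes memory withdrawalCredentials,
    uint amount
) public view returns (bytes32) {
    require(publicKey.length == PUBLIC_KEY_LENGTH, "incorrectly sized public key");
    require(withdrawalCredentials.length == WITHDRAWAL_CREDENTIALS_LENGTH, "incorrectly sized withdrawal credentials");
    // leaf0: the 48-byte key padded to two chunks.
    bytes32 publicKeyRoot = sha256(abi.encodePacked(publicKey, bytes16(0)));
    bytes32 firstNode = sha256(abi.encodePacked(publicKeyRoot, withdrawalCredentials));
    // leaf2 || leaf3: 8 amount bytes, then 56 zero bytes.
    bytes32 secondNode = sha256(abi.encodePacked(serializeAmount(amount), bytes24(0), bytes32(0)));
    bytes32 depositMessageRoot = sha256(abi.encodePacked(firstNode, secondNode));
    return sha256(abi.encodePacked(depositMessageRoot, DEPOSIT_DOMAIN));
}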
// expand_message_xmd with SHA-256 for a 32-byte message, producing 256 bytes
// (ell = 8 blocks of 32 bytes), as used by hash-to-curve. BLS_SIG_DST is already DST_prime
// (its trailing '+' is the length byte), so it is appended as-is.
// NOTE: function exposed for testing...
function expandMessage(bytes32 message) public pure returns (bytes memory) {
    bytes memory dstPrime = bytes(BLS_SIG_DST);
    // b_0 = H(Z_pad || msg || l_i_b_str || I2OSP(0, 1) || DST_prime), laid out as:
    //   bytes   0.. 63  Z_pad (64 zero bytes, the SHA-256 block size) - fresh buffer is zero
    //   bytes  64.. 95  msg
    //   bytes  96.. 97  l_i_b_str = 256 as two big-endian bytes (0x01, 0x00)
    //   byte       98   0x00
    //   bytes  99..142  DST_prime (44 bytes)
    bytes memory block0 = new bytes(143);
    for (uint i = 0; i < 32; i++) {
        block0[64 + i] = message[i];
    }
    block0[96] = 0x01;
    for (uint i = 0; i < 44; i++) {
        block0[99 + i] = dstPrime[i];
    }
    bytes32 b0 = sha256(block0);
    bytes memory output = new bytes(256);
    // b_1 = H(b_0 || I2OSP(1, 1) || DST_prime), stored as the first 32 bytes of `output`.
    bytes32 digest = sha256(abi.encodePacked(b0, byte(0x01), dstPrime));
    uint offset = 0x20; // offset of the most recent block relative to `output` (past its length word)
    assembly {
        mstore(add(output, offset), digest)
    }
    // b_i = H(strxor(b_0, b_{i-1}) || I2OSP(i, 1) || DST_prime) for i = 2..8
    for (uint i = 2; i <= 8; i++) {
        bytes32 previous;
        assembly {
            previous := mload(add(output, offset))
        }
        digest = sha256(abi.encodePacked(b0 ^ previous, byte(uint8(i)), dstPrime));
        offset += 0x20;
        assembly {
            mstore(add(output, offset), digest)
        }
    }
    return output;
}
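// Interpret data[start:end] as a big-endian unsigned integer of at most 32 bytes.
// The guard is on `end >= start` rather than on the (unsigned, hence always non-negative)
// length: with 0.6.x unchecked arithmetic `end - start` would otherwise wrap silently
// for `end < start` and the vacuous `length >= 0` test could not catch it.
// Indexing `data[start + i]` is bounds-checked by the compiler, so a slice that runs past
// `data` reverts rather than reading stale memory.
function sliceToUint(bytes memory data, uint start, uint end) private pure returns (uint) {
    assert(end >= start);
    uint length = end - start;
    assert(length <= 32);
    uint result;
    for (uint i = 0; i < length; i++) {
        result = (result << 8) | uint8(data[start + i]);
    }
    return result;
}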
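// Reduce the number encoded as the big-endian slice of data[start:end] modulo the BLS12-381 field modulus.
// Returns the 48-byte big-endian result of the EIP-198 modexp precompile (base^1 mod p).
// Copying of the base is cribbed from the following:
// https://github.com/ethereum/solidity-examples/blob/f44fe3b3b4cca94afe9c2a2d5b7840ff0fafb72e/src/unsafe/Memory.sol#L57-L74
// Bounds: the base is copied with raw mload/mstore, so the slice must lie inside `data`.
// The original only checked `length <= data.length`, which still admits `end > data.length`
// when `start > 0` and would read past the buffer; this version checks `end` itself.
// Precompile input layout relative to the scratch pointer p:
//   p + 0x00            length of base (= length)
//   p + 0x20            length of exponent (= 32)
//   p + 0x40            length of modulus (= 48)
//   p + 0x60            base = data[start:end]
//   p + 0x60 + length   exponent = 1
//   p + 0x80 + length   modulus (48 bytes): the 16-byte high part is OR-ed into the word at
//                       p + 0x70 + length (whose upper half is the tail of the exponent word),
//                       the 32-byte low part is written at p + 0x90 + length
// Total input size 0xB0 + length. The free-memory pointer is not advanced; the scratch area
// is only needed for the duration of the staticcall.
function reduceModulo(bytes memory data, uint start, uint end) private view returns (bytes memory) {
    assert(start <= end);
    uint length = end - start;
    assert(end <= data.length);
    bytes memory result = new bytes(48);
    bool success;
    assembly {
        let p := mload(0x40)
        // length of base
        mstore(p, length)
        // length of exponent
        mstore(add(p, 0x20), 0x20)
        // length of modulus
        mstore(add(p, 0x40), 48)
        // base
        // first, copy slice by chunks of EVM words
        let ctr := length
        let src := add(add(data, 0x20), start)
        let dst := add(p, 0x60)
        for { }
        or(gt(ctr, 0x20), eq(ctr, 0x20))
        { ctr := sub(ctr, 0x20) }
        {
            mstore(dst, mload(src))
            dst := add(dst, 0x20)
            src := add(src, 0x20)
        }
        // next, copy remaining bytes in last partial word
        // (when ctr is 0 the mask is all ones and the word at dst is rewritten unchanged)
        let mask := sub(exp(256, sub(0x20, ctr)), 1)
        let srcpart := and(mload(src), not(mask))
        let destpart := and(mload(dst), mask)
        mstore(dst, or(destpart, srcpart))
        // exponent
        mstore(add(p, add(0x60, length)), 1)
        // modulus
        let modulusAddr := add(p, add(0x60, add(0x10, length)))
        mstore(modulusAddr, or(mload(modulusAddr), 0x1a0111ea397fe69a4b1ba7b6434bacd7)) // pt 1
        mstore(add(p, add(0x90, length)), 0x64774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) // pt 2
        success := staticcall(
            sub(gas(), 2000),
            MOD_EXP_PRECOMPILE_ADDRESS,
            p,
            add(0xB0, length),
            add(result, 0x20),
            48)
        // Use "invalid" to make gas estimation work
        switch success case 0 { invalid() }
    }
    require(success, "call to modular exponentiation precompile failed");
    return result;
}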
// Reduce data[start:end] modulo the field prime and split the 48-byte result into the
// Fp limbs expected by the precompiles: the top 16 bytes in `a`, the low 32 bytes in `b`.
function convertSliceToFp(bytes memory data, uint start, uint end) private view returns (Fp memory) {
    bytes memory reduced = reduceModulo(data, start, end);
    return Fp(
        sliceToUint(reduced, 0, 16),
        sliceToUint(reduced, 16, 48)
    );
}
// hash_to_field: expand the message to 256 bytes and carve it into two Fp2 elements,
// each coordinate taken from a 64-byte slice (4 x 64 = 256, matching expandMessage's output).
// NOTE: function is exposed for testing...
function hashToField(bytes32 message) public view returns (Fp2[2] memory result) {
    bytes memory expanded = expandMessage(message);
    for (uint elementIndex = 0; elementIndex < 2; elementIndex++) {
        uint base = 128 * elementIndex;
        result[elementIndex] = Fp2(
            convertSliceToFp(expanded, base, base + 64),
            convertSliceToFp(expanded, base + 64, base + 128)
        );
    }
}
// Map an Fp2 element to a G2 point via the MAP_FP2_TO_G2 precompile.
// Input: 128 bytes (one Fp2 = 2 x 64-byte Fp); output: 256 bytes (X and Y, each an Fp2).
// NOTE(review): hashToCurve performs no separate cofactor clearing, so this presumably
// relies on the precompile's map including it (as the EIP-2537 draft specifies) - confirm.
// Public visibility is not required by any caller in this file.
function mapToCurve(Fp2 memory fieldElement) public view returns (G2Point memory result) {
    uint[4] memory input = [fieldElement.a.a, fieldElement.a.b, fieldElement.b.a, fieldElement.b.b];
    uint[8] memory output;
    bool success;
    assembly {
        success := staticcall(
            sub(gas(), 2000),
            BLS12_381_MAP_FIELD_TO_CURVE_PRECOMPILE_ADDRESS,
            input,
            128,
            output,
            256
        )
        // Use "invalid" to make gas estimation work
        switch success case 0 { invalid() }
    }
    require(success, "call to map to curve precompile failed");
    Fp2 memory x = Fp2(Fp(output[0], output[1]), Fp(output[2], output[3]));
    Fp2 memory y = Fp2(Fp(output[4], output[5]), Fp(output[6], output[7]));
    result = G2Point(x, y);
}
// Point addition in G2 via the G2ADD precompile.
// Input: 512 bytes (two 256-byte G2 points, a then b); output: 256 bytes (the sum).
function addG2(G2Point memory a, G2Point memory b) private view returns (G2Point memory) {
    uint[16] memory input = [
        a.X.a.a, a.X.a.b, a.X.b.a, a.X.b.b,
        a.Y.a.a, a.Y.a.b, a.Y.b.a, a.Y.b.b,
        b.X.a.a, b.X.a.b, b.X.b.a, b.X.b.b,
        b.Y.a.a, b.Y.a.b, b.Y.b.a, b.Y.b.b
    ];
    uint[8] memory output;
    bool success;
    assembly {
        success := staticcall(
            sub(gas(), 2000),
            BLS12_381_G2_ADD_ADDRESS,
            input,
            512,
            output,
            256
        )
        // Use "invalid" to make gas estimation work
        switch success case 0 { invalid() }
    }
    require(success, "call to addition in G2 precompile failed");
    Fp2 memory sumX = Fp2(Fp(output[0], output[1]), Fp(output[2], output[3]));
    Fp2 memory sumY = Fp2(Fp(output[4], output[5]), Fp(output[6], output[7]));
    return G2Point(sumX, sumY);
}
// Implements "hash to the curve" from the IETF BLS draft (random-oracle variant):
// hash the message to two field elements, map each to G2 and add the results.
// NOTE(review): no explicit clear_cofactor step; presumably folded into mapToCurve's precompile - confirm.
// NOTE: function is exposed for testing...
function hashToCurve(bytes32 message) public view returns (G2Point memory) {
    Fp2[2] memory u = hashToField(message);
    return addG2(mapToCurve(u[0]), mapToCurve(u[1]));
}
// Pairing check e(publicKey, messageOnCurve) * e(-G1, signature) == 1, i.e. the standard
// BLS verification equation with the signature in G2.
// Input: two (G1, G2) pairs of 128 + 256 bytes each = 768 bytes; output: one word, 1 on success.
// The precompile is expected to reject points that are off-curve or outside the prime-order
// subgroup, which is why no subgroup check appears in this contract; `success` covers that.
// NOTE(review): the -P1 limbs below are taken on trust; confirm against the BLS12-381 G1 generator.
// NOTE: function is exposed for testing...
function blsPairingCheck(G1Point memory publicKey, G2Point memory messageOnCurve, G2Point memory signature) public view returns (bool) {
    uint[24] memory input = [
        // pair 1: (publicKey, H(message))
        publicKey.X.a, publicKey.X.b, publicKey.Y.a, publicKey.Y.b,
        messageOnCurve.X.a.a, messageOnCurve.X.a.b, messageOnCurve.X.b.a, messageOnCurve.X.b.b,
        messageOnCurve.Y.a.a, messageOnCurve.Y.a.b, messageOnCurve.Y.b.a, messageOnCurve.Y.b.b,
        // pair 2: (-P1, signature); this constant is -P1, where P1 is the generator of the group G1.
        31827880280837800241567138048534752271,
        88385725958748408079899006800036250932223001591707578097800747617502997169851,
        22997279242622214937712647648895181298,
        46816884707101390882112958134453447585552332943769894357249934112654335001290,
        signature.X.a.a, signature.X.a.b, signature.X.b.a, signature.X.b.b,
        signature.Y.a.a, signature.Y.a.b, signature.Y.b.a, signature.Y.b.b
    ];
    uint[1] memory output;
    bool success;
    assembly {
        success := staticcall(
            sub(gas(), 2000),
            BLS12_381_PAIRING_PRECOMPILE_ADDRESS,
            input,
            768,
            output,
            32
        )
        // Use "invalid" to make gas estimation work
        switch success case 0 { invalid() }
    }
    require(success, "call to pairing precompile failed");
    bool pairingHolds = output[0] == 1;
    return pairingHolds;
}
// Build a G1 point from a compressed 48-byte X encoding and a caller-supplied Y.
// The three flag bits of the leading byte are cleared in place (the caller's buffer is
// modified). The sign flag is therefore ignored: Y is trusted only up to on-curve
// validation by the pairing precompile. NOTE(review): confirm this matches the
// consensus-layer decompression of the same key.
function decodeG1Point(bytes memory encodedX, Fp memory Y) private pure returns (G1Point memory) {
    byte leadingByte = encodedX[0] & BLS_BYTE_WITHOUT_FLAGS_MASK;
    encodedX[0] = leadingByte;
    Fp memory X = Fp(sliceToUint(encodedX, 0, 16), sliceToUint(encodedX, 16, 48));
    return G1Point(X, Y);
}
// Build a G2 point from a compressed 96-byte X encoding and a caller-supplied Y.
// The encoding stores the imaginary coefficient (b) in the first 48 bytes, with the flag
// bits in its leading byte, and the real coefficient (a) in the second 48 bytes; the flag
// bits are cleared in place (the caller's buffer is modified).
function decodeG2Point(bytes memory encodedX, Fp2 memory Y) private pure returns (G2Point memory) {
    byte leadingByte = encodedX[0] & BLS_BYTE_WITHOUT_FLAGS_MASK;
    encodedX[0] = leadingByte;
    // NOTE: the "flag bits" of the second half of `encodedX` are always == 0x0
    // NOTE: order is important here for decoding point...
    Fp memory real = Fp(sliceToUint(encodedX, 48, 64), sliceToUint(encodedX, 64, 96));
    Fp memory imaginary = Fp(sliceToUint(encodedX, 0, 16), sliceToUint(encodedX, 16, 48));
    return G2Point(Fp2(real, imaginary), Y);
}
// Verify a BLS signature (G2) over `message` under the compressed G1 public key.
// The Y coordinates are supplied by the caller so no on-chain decompression is needed;
// they are accepted only if the pairing precompile accepts the resulting points.
// NOTE: function is exposed for testing...
function blsSignatureIsValid(
    bytes32 message,
    bytes memory encodedPublicKey,
    bytes memory encodedSignature,
    Fp memory publicKeyYCoordinate,
    Fp2 memory signatureYCoordinate
) public view returns (bool) {
    G2Point memory hashedMessage = hashToCurve(message);
    return blsPairingCheck(
        decodeG1Point(encodedPublicKey, publicKeyYCoordinate),
        hashedMessage,
        decodeG2Point(encodedSignature, signatureYCoordinate)
    );
}
// Verify the deposit signature over (publicKey, withdrawalCredentials, msg.value) and, only
// if it holds, forward the full msg.value and the deposit data to the deposit contract.
// The signed amount is msg.value floored to whole Gwei (see serializeAmount).
// NOTE(review): presumably the deposit contract itself rejects values that are not a whole
// number of Gwei and recomputes/validates `depositDataRoot`; neither is checked here - confirm.
// The external call is the last action and this contract holds no state, so the ordering
// leaves nothing for a reentrant call to observe.
function verifyAndDeposit(
    bytes calldata publicKey,
    bytes calldata withdrawalCredentials,
    bytes calldata signature,
    bytes32 depositDataRoot,
    Fp calldata publicKeyYCoordinate,
    Fp2 calldata signatureYCoordinate
) external payable {
    require(publicKey.length == PUBLIC_KEY_LENGTH, "incorrectly sized public key");
    require(withdrawalCredentials.length == WITHDRAWAL_CREDENTIALS_LENGTH, "incorrectly sized withdrawal credentials");
    require(signature.length == SIGNATURE_LENGTH, "incorrectly sized signature");
    bytes32 signingRoot = computeSigningRoot(publicKey, withdrawalCredentials, msg.value);
    bool signatureOk = blsSignatureIsValid(
        signingRoot,
        publicKey,
        signature,
        publicKeyYCoordinate,
        signatureYCoordinate
    );
    require(signatureOk, "BLS signature verification failed");
    depositContract.deposit{value: msg.value}(publicKey, withdrawalCredentials, signature, depositDataRoot);
}
}