feat: Patch secp256k1 0.29.0

ratankaliani · ratankaliani · commit 13910d476dbd · 2024-09-23T18:18:39.000-07:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -38,6 +38,7 @@ global-context-less-secure = ["global-context"]
 [dependencies]
 secp256k1-sys = { version = "0.10.0", default-features = false, path = "./secp256k1-sys" }
 serde = { version = "1.0.103", default-features = false, optional = true }
+cfg-if = "1.0"
 
 # You likely only want to enable these if you explicitly do not want to use "std", otherwise enable
 # the respective -std feature e.g., hashes-std
@@ -54,6 +55,11 @@ bincode = "1.3.3"
 wasm-bindgen-test = "0.3"
 getrandom = { version = "0.2", features = ["js"] }
 
+[target.'cfg(all(target_os = "zkvm", target_vendor = "succinct"))'.dependencies]
+sp1-ecdsa = { git = "https://github.com/sp1-patches/signatures", branch = "patch-ecdsa-v0.16.9", package = "ecdsa", features = ["verifying", "alloc"] }
+k256 = { version = "0.13.3", features = ["ecdsa"] }
+elliptic-curve = { version = "0.13.6", default-features = false, features = ["digest", "sec1"] }
+
 
 [[example]]
 name = "sign_verify_recovery"
diff --git a/secp256k1-sys/build.rs b/secp256k1-sys/build.rs
@@ -16,6 +16,41 @@ use std::env;
 fn main() {
     // Actual build
     let mut base_config = cc::Build::new();
+
+    // On riscv32, we need to build C libraries using the riscv-gnu-toolchain and
+    // clang for compiling C code.
+    if env::var("CARGO_CFG_TARGET_ARCH").unwrap() == "riscv32" {
+        const DEFAULT_RISCV_GNU_TOOLCHAIN: &str = "/opt/riscv";
+        println!("cargo:rerun-if-env-changed=RISCV_GNU_TOOLCHAIN");
+
+        let riscv_gnu_toolchain_path = env::var("RISCV_GNU_TOOLCHAIN").unwrap_or_else(|_| {
+            println!("cargo:warning=Variable RISCV_GNU_TOOLCHAIN unset. Assuming '{DEFAULT_RISCV_GNU_TOOLCHAIN}'");
+            println!("cargo:warning=Please make sure to build riscv toolchain:");
+            println!("cargo:warning=  git clone https://github.com/riscv-collab/riscv-gnu-toolchain && cd riscv-gnu-toolchain");
+            println!("cargo:warning=  export RISCV_GNU_TOOLCHAIN={DEFAULT_RISCV_GNU_TOOLCHAIN}");
+            println!("cargo:warning=  configure --prefix=\"$RISCV_GNU_TOOLCHAIN\" --with-arch=rv32im --with-abi=ilp32");
+            println!("cargo:warning=  make -j$(nproc)");
+
+            // if unset, try the default and fail eventually
+            DEFAULT_RISCV_GNU_TOOLCHAIN.into()
+        });
+
+        base_config
+            .compiler("clang")
+            .no_default_flags(true)
+            .flag(&format!("--sysroot={riscv_gnu_toolchain_path}/riscv32-unknown-elf"))
+            .flag(&format!("--gcc-toolchain={riscv_gnu_toolchain_path}"))
+            .flag("--target=riscv32-unknown-none-elf")
+            .flag("-march=rv32im")
+            .flag("-mabi=ilp32")
+            .flag("-mcmodel=medany")
+            .flag("-Os")
+            .flag("-fdata-sections")
+            .flag("-ffunction-sections")
+            .flag("-flto")
+            .target("riscv32-unknown-none-elf");
+    }
+
     base_config.include("depend/secp256k1/")
                .include("depend/secp256k1/include")
                .include("depend/secp256k1/src")
diff --git a/src/ecdsa/mod.rs b/src/ecdsa/mod.rs
@@ -2,6 +2,12 @@
 
 //! Structs and functionality related to the ECDSA signature algorithm.
 //!
+#[cfg(all(target_os = "zkvm", target_vendor = "succinct"))]
+use elliptic_curve;
+#[cfg(all(target_os = "zkvm", target_vendor = "succinct"))]
+use k256;
+#[cfg(all(target_os = "zkvm", target_vendor = "succinct"))]
+use sp1_ecdsa;
 
 #[cfg(feature = "recovery")]
 mod recovery;
diff --git a/src/ecdsa/recovery.rs b/src/ecdsa/recovery.rs
@@ -184,6 +184,20 @@ impl<C: Signing> Secp256k1<C> {
     }
 }
 
+/// Takes a 64 byte array and reverses the endian-ness of each 32 byte segment.
+/// Useful for flipping the byte endian-ness of the signature and public key components.
+fn flip_secp256k1_endianness(input: &[u8; 64]) -> [u8; 64] {
+    let mut output = [0u8; 64];
+    for i in 0..2 {
+        let start = i * 32;
+        let end = start + 32;
+        let mut segment: [u8; 32] = input[start..end].try_into().unwrap();
+        segment.reverse();
+        output[start..end].copy_from_slice(&segment);
+    }
+    output
+}
+
 impl<C: Verification> Secp256k1<C> {
     /// Determines the public key for which `sig` is a valid signature for
     /// `msg`. Requires a verify-capable context.
@@ -192,6 +206,41 @@ impl<C: Verification> Secp256k1<C> {
         msg: &Message,
         sig: &RecoverableSignature,
     ) -> Result<key::PublicKey, Error> {
+        cfg_if::cfg_if! {
+            if #[cfg(all(target_os = "zkvm", target_vendor = "succinct"))] {
+                // `msg.0` contains the message data as a byte array.
+                let prehash: &[u8] = &msg.0;
+
+                // `sig` is a 65-byte array containing r (32 bytes), s (32 bytes), and the recovery ID (1 byte). We need to handle the 
+                // signature bytes according to their endianness. The signature is in little-endian format, but needs to be processed
+                // in big-endian format for masking by the ecdsa-core library.
+
+                // Reverse the first 32 bytes (r) and the second 32 bytes (s) of the signature
+                // and concatenate them to get the signature in big-endian format.
+                let mut sig_be_bytes = flip_secp256k1_endianness(&sig.0[..64].try_into().unwrap());
+
+                let signature = sp1_ecdsa::Signature::<k256::Secp256k1>::from_slice(&sig_be_bytes).unwrap();
+
+                // The recovery ID is the last byte of the signature.
+                let recovery_id = sp1_ecdsa::RecoveryId::from_byte(sig.0[64]).unwrap();
+
+                let verifying_key = sp1_ecdsa::VerifyingKey::recover_from_prehash_secp256k1(prehash, &signature, recovery_id).unwrap();
+                let verifying_key_bytes = {
+                    // Convert the verifying key to a byte array. The encoded point returned by `to_encoded_point` is in uncompressed format,
+                    // with the prefix byte (0x04) and two 32-byte coordinates in big-endian format. This needs to be flipped to little-endian
+                    // for the from_array_unchecked constructor.
+                    let bytes = verifying_key.to_encoded_point(false).to_bytes();
+                    flip_secp256k1_endianness(&bytes[1..65].try_into().unwrap())
+                };
+
+                // In recover_from_prehash_secp256k1, the public key is verified to be valid, so we can use the unchecked constructor.
+                unsafe {
+                    let k = key::PublicKey(crate::ffi::PublicKey::from_array_unchecked(verifying_key_bytes));
+                    return Ok(k);
+                }
+            }
+        }
+        
         unsafe {
             let mut pk = super_ffi::PublicKey::new();
             if ffi::secp256k1_ecdsa_recover(
diff --git a/src/key.rs b/src/key.rs
@@ -146,7 +146,7 @@ impl str::FromStr for SecretKey {
 /// [`cbor`]: https://docs.rs/cbor
 #[derive(Copy, Clone, Debug, PartialOrd, Ord, PartialEq, Eq, Hash)]
 #[repr(transparent)]
-pub struct PublicKey(ffi::PublicKey);
+pub struct PublicKey(pub ffi::PublicKey);
 impl_fast_comparisons!(PublicKey);
 
 impl fmt::LowerHex for PublicKey {
