Remove defensive copies from SecP256k1 (#9817)

benaadams · web-flow · commit e5daa159c510 · 2025-11-28T11:06:09.000Z
* Remove defensive copies from SecP256k1

* Remove type entirely

* Remove unneeded .ToArray()

* Max optimize
diff --git a/src/Nethermind/Nethermind.Consensus/Signer.cs b/src/Nethermind/Nethermind.Consensus/Signer.cs
@@ -40,7 +40,7 @@ public Signer(ulong chainId, IProtectedPrivateKey key, ILogManager logManager)
         public Signature Sign(in ValueHash256 message)
         {
             if (!CanSign) throw new InvalidOperationException("Cannot sign without provided key.");
-            byte[] rs = SpanSecP256k1.SignCompact(message.Bytes, _key!.KeyBytes, out int v);
+            byte[] rs = SecP256k1.SignCompact(message.Bytes, _key!.KeyBytes, out int v);
             return new Signature(rs, v);
         }
 
diff --git a/src/Nethermind/Nethermind.Core.Test/Crypto/SignatureTests.cs b/src/Nethermind/Nethermind.Core.Test/Crypto/SignatureTests.cs
@@ -41,7 +41,7 @@ public void can_recover_from_message()
         var signatureObject = new Signature(signatureSlice, recoveryId);
         var keccak = Keccak.Compute(Bytes.Concat(messageType, data));
         Span<byte> publicKey = stackalloc byte[65];
-        bool result = SpanSecP256k1.RecoverKeyFromCompact(publicKey, keccak.Bytes, signatureObject.Bytes.ToArray(), signatureObject.RecoveryId, false);
+        bool result = SecP256k1.RecoverKeyFromCompact(publicKey, keccak.Bytes, signatureObject.Bytes, signatureObject.RecoveryId, false);
         result.Should().BeTrue();
     }
 }
diff --git a/src/Nethermind/Nethermind.Crypto/Ecdsa.cs b/src/Nethermind/Nethermind.Crypto/Ecdsa.cs
@@ -21,7 +21,7 @@ public Signature Sign(PrivateKey privateKey, in ValueHash256 message)
                 InvalidPrivateKey();
             }
 
-            byte[] signatureBytes = SpanSecP256k1.SignCompact(message.Bytes, privateKey.KeyBytes, out int recoveryId);
+            byte[] signatureBytes = SecP256k1.SignCompact(message.Bytes, privateKey.KeyBytes, out int recoveryId);
             Signature signature = new(signatureBytes, recoveryId);
 
 #if DEBUG
@@ -40,7 +40,7 @@ public Signature Sign(PrivateKey privateKey, in ValueHash256 message)
         public PublicKey? RecoverPublicKey(Signature signature, in ValueHash256 message)
         {
             Span<byte> publicKey = stackalloc byte[65];
-            bool success = SpanSecP256k1.RecoverKeyFromCompact(publicKey, message.Bytes, signature.Bytes, signature.RecoveryId, false);
+            bool success = SecP256k1.RecoverKeyFromCompact(publicKey, message.Bytes, signature.Bytes, signature.RecoveryId, false);
             if (!success)
             {
                 return null;
@@ -52,7 +52,7 @@ public Signature Sign(PrivateKey privateKey, in ValueHash256 message)
         public CompressedPublicKey? RecoverCompressedPublicKey(Signature signature, in ValueHash256 message)
         {
             Span<byte> publicKey = stackalloc byte[33];
-            bool success = SpanSecP256k1.RecoverKeyFromCompact(publicKey, message.Bytes, signature.Bytes, signature.RecoveryId, true);
+            bool success = SecP256k1.RecoverKeyFromCompact(publicKey, message.Bytes, signature.Bytes, signature.RecoveryId, true);
             if (!success)
             {
                 return null;
diff --git a/src/Nethermind/Nethermind.Crypto/EthereumEcdsa.cs b/src/Nethermind/Nethermind.Crypto/EthereumEcdsa.cs
@@ -30,7 +30,7 @@ public class EthereumEcdsa(ulong chainId) : Ecdsa, IEthereumEcdsa
         private static Address? RecoverAddress(Span<byte> signatureBytes64, byte v, ReadOnlySpan<byte> message)
         {
             Span<byte> publicKey = stackalloc byte[65];
-            bool success = SpanSecP256k1.RecoverKeyFromCompact(
+            bool success = SecP256k1.RecoverKeyFromCompact(
                 publicKey,
                 message,
                 signatureBytes64,
@@ -41,7 +41,7 @@ public class EthereumEcdsa(ulong chainId) : Ecdsa, IEthereumEcdsa
         }
 
         public static bool RecoverAddressRaw(ReadOnlySpan<byte> signatureBytes64, byte v, ReadOnlySpan<byte> message, Span<byte> resultPublicKey65) =>
-            SpanSecP256k1.RecoverKeyFromCompact(
+            SecP256k1.RecoverKeyFromCompact(
                 resultPublicKey65,
                 message,
                 signatureBytes64,
diff --git a/src/Nethermind/Nethermind.Crypto/SpanSecP256k1.cs b/src/Nethermind/Nethermind.Crypto/SpanSecP256k1.cs
diff --git a/src/Nethermind/Nethermind.Evm.Precompiles/EcRecoverPrecompile.cs b/src/Nethermind/Nethermind.Evm.Precompiles/EcRecoverPrecompile.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
 using Nethermind.Core;
 using Nethermind.Core.Crypto;
 using Nethermind.Core.Extensions;
@@ -70,8 +71,13 @@ private Result<byte[]> RunInternal(ReadOnlySpan<byte> inputDataSpan)
             return Empty;
         }
 
-        byte[] result = ValueKeccak.Compute(publicKey.Slice(1, 64)).ToByteArray();
-        result.AsSpan(0, 12).Clear();
+        byte[] result = new byte[32];
+        KeccakHash.ComputeHashBytesToSpan(publicKey.Slice(1, 64), result);
+
+        ref byte refResut = ref MemoryMarshal.GetArrayDataReference(result);
+
+        // Clear first 12 bytes, as address is last 20 bytes of the hash
+        Unsafe.InitBlockUnaligned(ref refResut, 0, 12);
         return result;
     }
 }
diff --git a/src/Nethermind/Nethermind.Optimism/CL/P2P/P2PBlockValidator.cs b/src/Nethermind/Nethermind.Optimism/CL/P2P/P2PBlockValidator.cs
@@ -153,7 +153,7 @@ private bool IsSignatureValid(ReadOnlySpan<byte> payloadData, Span<byte> signatu
         byte[] signedHash = KeccakHash.ComputeHashBytes(sequencerSignedData);
 
         Span<byte> publicKey = stackalloc byte[65];
-        bool success = SpanSecP256k1.RecoverKeyFromCompact(
+        bool success = SecP256k1.RecoverKeyFromCompact(
             publicKey,
             signedHash,
             signature.Slice(0, 64),
diff --git a/src/Nethermind/Nethermind.Wallet/DevKeyStoreWallet.cs b/src/Nethermind/Nethermind.Wallet/DevKeyStoreWallet.cs
@@ -100,7 +100,7 @@ public Signature Sign(Hash256 message, Address address, SecureString passphrase)
                 key = _keyStore.GetKey(address, passphrase).PrivateKey;
             }
 
-            var rs = SpanSecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);
+            var rs = SecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);
             return new Signature(rs, v);
         }
 
@@ -116,7 +116,7 @@ public Signature Sign(Hash256 message, Address address)
                 throw new SecurityException("Can only sign without passphrase when account is unlocked.");
             }
 
-            var rs = SpanSecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);
+            var rs = SecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);
             return new Signature(rs, v);
         }
     }
diff --git a/src/Nethermind/Nethermind.Wallet/DevWallet.cs b/src/Nethermind/Nethermind.Wallet/DevWallet.cs
@@ -117,7 +117,7 @@ private bool CheckPassword(Address address, SecureString passphrase)
 
         public Signature Sign(Hash256 message, Address address)
         {
-            var rs = SpanSecP256k1.SignCompact(message.Bytes, _keys[address].KeyBytes, out int v);
+            var rs = SecP256k1.SignCompact(message.Bytes, _keys[address].KeyBytes, out int v);
             return new Signature(rs, v);
         }
     }
diff --git a/src/Nethermind/Nethermind.Wallet/ProtectedKeyStoreWallet.cs b/src/Nethermind/Nethermind.Wallet/ProtectedKeyStoreWallet.cs
@@ -97,7 +97,7 @@ private Signature SignCore(Hash256 message, Address address, Func<PrivateKey> ge
         {
             var protectedPrivateKey = (ProtectedPrivateKey)_unlockedAccounts.Get(address.ToString());
             using PrivateKey key = protectedPrivateKey is not null ? protectedPrivateKey.Unprotect() : getPrivateKeyWhenNotFound();
-            var rs = SpanSecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);
+            var rs = SecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);
             return new Signature(rs, v);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ public Signer(ulong chainId, IProtectedPrivateKey key, ILogManager logManager)`
`40`	`40`	`public Signature Sign(in ValueHash256 message)`
`41`	`41`	`{`
`42`	`42`	`if (!CanSign) throw new InvalidOperationException("Cannot sign without provided key.");`
`43`		`- byte[] rs = SpanSecP256k1.SignCompact(message.Bytes, _key!.KeyBytes, out int v);`
	`43`	`+ byte[] rs = SecP256k1.SignCompact(message.Bytes, _key!.KeyBytes, out int v);`
`44`	`44`	`return new Signature(rs, v);`
`45`	`45`	`}`
`46`	`46`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ public void can_recover_from_message()`
`41`	`41`	`var signatureObject = new Signature(signatureSlice, recoveryId);`
`42`	`42`	`var keccak = Keccak.Compute(Bytes.Concat(messageType, data));`
`43`	`43`	`Span<byte> publicKey = stackalloc byte[65];`
`44`		`- bool result = SpanSecP256k1.RecoverKeyFromCompact(publicKey, keccak.Bytes, signatureObject.Bytes.ToArray(), signatureObject.RecoveryId, false);`
	`44`	`+ bool result = SecP256k1.RecoverKeyFromCompact(publicKey, keccak.Bytes, signatureObject.Bytes, signatureObject.RecoveryId, false);`
`45`	`45`	`result.Should().BeTrue();`
`46`	`46`	`}`
`47`	`47`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ public Signature Sign(PrivateKey privateKey, in ValueHash256 message)`
`21`	`21`	`InvalidPrivateKey();`
`22`	`22`	`}`
`23`	`23`
`24`		`- byte[] signatureBytes = SpanSecP256k1.SignCompact(message.Bytes, privateKey.KeyBytes, out int recoveryId);`
	`24`	`+ byte[] signatureBytes = SecP256k1.SignCompact(message.Bytes, privateKey.KeyBytes, out int recoveryId);`
`25`	`25`	`Signature signature = new(signatureBytes, recoveryId);`
`26`	`26`
`27`	`27`	`#if DEBUG`
`@@ -40,7 +40,7 @@ public Signature Sign(PrivateKey privateKey, in ValueHash256 message)`
`40`	`40`	`public PublicKey? RecoverPublicKey(Signature signature, in ValueHash256 message)`
`41`	`41`	`{`
`42`	`42`	`Span<byte> publicKey = stackalloc byte[65];`
`43`		`- bool success = SpanSecP256k1.RecoverKeyFromCompact(publicKey, message.Bytes, signature.Bytes, signature.RecoveryId, false);`
	`43`	`+ bool success = SecP256k1.RecoverKeyFromCompact(publicKey, message.Bytes, signature.Bytes, signature.RecoveryId, false);`
`44`	`44`	`if (!success)`
`45`	`45`	`{`
`46`	`46`	`return null;`
`@@ -52,7 +52,7 @@ public Signature Sign(PrivateKey privateKey, in ValueHash256 message)`
`52`	`52`	`public CompressedPublicKey? RecoverCompressedPublicKey(Signature signature, in ValueHash256 message)`
`53`	`53`	`{`
`54`	`54`	`Span<byte> publicKey = stackalloc byte[33];`
`55`		`- bool success = SpanSecP256k1.RecoverKeyFromCompact(publicKey, message.Bytes, signature.Bytes, signature.RecoveryId, true);`
	`55`	`+ bool success = SecP256k1.RecoverKeyFromCompact(publicKey, message.Bytes, signature.Bytes, signature.RecoveryId, true);`
`56`	`56`	`if (!success)`
`57`	`57`	`{`
`58`	`58`	`return null;`
Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ public Signature Sign(Hash256 message, Address address, SecureString passphrase)`
`100`	`100`	`key = _keyStore.GetKey(address, passphrase).PrivateKey;`
`101`	`101`	`}`
`102`	`102`
`103`		`- var rs = SpanSecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);`
	`103`	`+ var rs = SecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);`
`104`	`104`	`return new Signature(rs, v);`
`105`	`105`	`}`
`106`	`106`
`@@ -116,7 +116,7 @@ public Signature Sign(Hash256 message, Address address)`
`116`	`116`	`throw new SecurityException("Can only sign without passphrase when account is unlocked.");`
`117`	`117`	`}`
`118`	`118`
`119`		`- var rs = SpanSecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);`
	`119`	`+ var rs = SecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);`
`120`	`120`	`return new Signature(rs, v);`
`121`	`121`	`}`
`122`	`122`	`}`
Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@ private bool CheckPassword(Address address, SecureString passphrase)`
`117`	`117`
`118`	`118`	`public Signature Sign(Hash256 message, Address address)`
`119`	`119`	`{`
`120`		`- var rs = SpanSecP256k1.SignCompact(message.Bytes, _keys[address].KeyBytes, out int v);`
	`120`	`+ var rs = SecP256k1.SignCompact(message.Bytes, _keys[address].KeyBytes, out int v);`
`121`	`121`	`return new Signature(rs, v);`
`122`	`122`	`}`
`123`	`123`	`}`
Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ private Signature SignCore(Hash256 message, Address address, Func<PrivateKey> ge`
`97`	`97`	`{`
`98`	`98`	`var protectedPrivateKey = (ProtectedPrivateKey)_unlockedAccounts.Get(address.ToString());`
`99`	`99`	`using PrivateKey key = protectedPrivateKey is not null ? protectedPrivateKey.Unprotect() : getPrivateKeyWhenNotFound();`
`100`		`- var rs = SpanSecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);`
	`100`	`+ var rs = SecP256k1.SignCompact(message.Bytes, key.KeyBytes, out int v);`
`101`	`101`	`return new Signature(rs, v);`
`102`	`102`	`}`
`103`	`103`	`}`