feat: implement eip-7951

Author: LouisTsai-Csie

setup.cfg

@@ -129,12 +129,13 @@ package_dir =
 
 python_requires = >=3.11
 install_requires =
-    pycryptodome>=3,<4
+    pycryptodome>=3.22.0,<4
     coincurve>=20,<21
     typing_extensions>=4.4
     py-ecc>=8.0.0b2,<9
     ethereum-types>=0.2.1,<0.3
     ethereum-rlp>=0.1.4,<0.2
+    cryptography>=45.0.1,<46
 
 [options.package_data]
 ethereum =

src/ethereum/crypto/elliptic_curve.py

@@ -4,6 +4,11 @@
 """
 
 import coincurve
+from Crypto.Util.asn1 import DerSequence
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
 from ethereum_types.bytes import Bytes
 from ethereum_types.numeric import U256
 
@@ -71,3 +76,91 @@ def secp256k1_recover(r: U256, s: U256, v: U256, msg_hash: Hash32) -> Bytes:
 
     public_key = public_key.format(compressed=False)[1:]
     return public_key
+
+
+SECP256R1N = U256(
+    0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
+)
+SECP256R1P = U256(
+    0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
+)
+SECP256R1A = U256(
+    0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC
+)
+SECP256R1B = U256(
+    0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
+)
+
+
+def secp256r1_verify(
+    r: U256, s: U256, x: U256, y: U256, msg_hash: Hash32
+) -> None:
+    """
+    Verifies a P-256 signature.
+    Parameters
+    ----------
+    r :
+        the `r` component of the signature
+    s :
+        the `s` component of the signature
+    x:
+        the `x` coordinate of the public key
+    y:
+        the `y` coordinate of the public key
+    msg_hash :
+        Hash of the message being recovered.
+    Returns
+    -------
+    result : `ethereum.base_types.Bytes`
+        return 1 if the signature is valid, empty bytes otherwise
+    """
+    # Convert U256 to regular integers for DerSequence
+    r_int = int(r)
+    s_int = int(s)
+    x_int = int(x)
+    y_int = int(y)
+
+    sig = DerSequence([r_int, s_int]).encode()
+
+    pubnum = ec.EllipticCurvePublicNumbers(x_int, y_int, ec.SECP256R1())
+    pubkey = pubnum.public_key(default_backend())
+    pubkey.verify(sig, msg_hash, ec.ECDSA(Prehashed(hashes.SHA256())))
+
+    return
+
+
+def is_on_curve_secp256r1(x: U256, y: U256) -> bool:
+    """
+    Checks if a point is on the secp256r1 curve.
+
+    The point (x, y) must satisfy the curve equation:
+    y^2 ≡ x^3 + a*x + b (mod p)
+
+    Parameters
+    ----------
+    x : U256
+        The x-coordinate of the point
+    y : U256
+        The y-coordinate of the point
+
+    Returns
+    -------
+    bool
+        True if the point is on the curve, False otherwise
+    """
+    # Convert U256 to int for calculations
+    x_int = int(x)
+    y_int = int(y)
+    p_int = int(SECP256R1P)
+    a_int = int(SECP256R1A)
+    b_int = int(SECP256R1B)
+
+    # Calculate y^2 mod p
+    y_squared = (y_int * y_int) % p_int
+
+    # Calculate x^3 + ax + b mod p
+    x_cubed = (x_int * x_int * x_int) % p_int
+    ax = (a_int * x_int) % p_int
+    right_side = (x_cubed + ax + b_int) % p_int
+
+    return y_squared == right_side

src/ethereum/osaka/vm/gas.py

@@ -53,6 +53,7 @@
 GAS_SELF_DESTRUCT = Uint(5000)
 GAS_SELF_DESTRUCT_NEW_ACCOUNT = Uint(25000)
 GAS_ECRECOVER = Uint(3000)
+GAS_P256VERIFY = Uint(3450)
 GAS_SHA256 = Uint(60)
 GAS_SHA256_WORD = Uint(12)
 GAS_RIPEMD160 = Uint(600)

src/ethereum/osaka/vm/precompiled_contracts/__init__.py

@@ -33,6 +33,7 @@
     "BLS12_PAIRING_ADDRESS",
     "BLS12_MAP_FP_TO_G1_ADDRESS",
     "BLS12_MAP_FP2_TO_G2_ADDRESS",
+    "P256VERIFY_ADDRESS",
 )
 
 ECRECOVER_ADDRESS = hex_to_address("0x01")
@@ -52,3 +53,4 @@
 BLS12_PAIRING_ADDRESS = hex_to_address("0x0f")
 BLS12_MAP_FP_TO_G1_ADDRESS = hex_to_address("0x10")
 BLS12_MAP_FP2_TO_G2_ADDRESS = hex_to_address("0x11")
+P256VERIFY_ADDRESS = hex_to_address("0x100")

src/ethereum/osaka/vm/precompiled_contracts/mapping.py

@@ -29,6 +29,7 @@
     ECRECOVER_ADDRESS,
     IDENTITY_ADDRESS,
     MODEXP_ADDRESS,
+    P256VERIFY_ADDRESS,
     POINT_EVALUATION_ADDRESS,
     RIPEMD160_ADDRESS,
     SHA256_ADDRESS,
@@ -49,6 +50,7 @@
 from .ecrecover import ecrecover
 from .identity import identity
 from .modexp import modexp
+from .p256verify import p256verify
 from .point_evaluation import point_evaluation
 from .ripemd160 import ripemd160
 from .sha256 import sha256
@@ -71,4 +73,5 @@
     BLS12_PAIRING_ADDRESS: bls12_pairing,
     BLS12_MAP_FP_TO_G1_ADDRESS: bls12_map_fp_to_g1,
     BLS12_MAP_FP2_TO_G2_ADDRESS: bls12_map_fp2_to_g2,
+    P256VERIFY_ADDRESS: p256verify,
 }

src/ethereum/osaka/vm/precompiled_contracts/p256verify.py

@@ -0,0 +1,85 @@
+"""
+Ethereum Virtual Machine (EVM) P256VERIFY PRECOMPILED CONTRACT
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. contents:: Table of Contents
+    :backlinks: none
+    :local:
+Introduction
+------------
+Implementation of the P256VERIFY precompiled contract.
+"""
+from ethereum_types.numeric import U256
+
+from ethereum.crypto.elliptic_curve import (
+    SECP256R1N,
+    SECP256R1P,
+    is_on_curve_secp256r1,
+    secp256r1_verify,
+)
+from ethereum.crypto.hash import Hash32
+from ethereum.utils.byte import left_pad_zero_bytes
+
+from ...vm import Evm
+from ...vm.gas import GAS_P256VERIFY, charge_gas
+from ...vm.memory import buffer_read
+
+
+def p256verify(evm: Evm) -> None:
+    """
+    Verifies a P-256 signature.
+    Parameters
+    ----------
+    evm :
+        The current EVM frame.
+    """
+    data = evm.message.data
+
+    # GAS
+    charge_gas(evm, GAS_P256VERIFY)
+
+    if len(data) != 160:
+        return
+
+    # OPERATION
+    message_hash_bytes = buffer_read(data, U256(0), U256(32))
+    message_hash = Hash32(message_hash_bytes)
+    r = U256.from_be_bytes(buffer_read(data, U256(32), U256(32)))
+    s = U256.from_be_bytes(buffer_read(data, U256(64), U256(32)))
+    public_key_x = U256.from_be_bytes(
+        buffer_read(data, U256(96), U256(32))
+    )  # qx
+    public_key_y = U256.from_be_bytes(
+        buffer_read(data, U256(128), U256(32))
+    )  # qy
+
+    # Signature component bounds:
+    # Both r and s MUST satisfy 0 < r < n and 0 < s < n
+    if r <= U256(0) or r >= SECP256R1N:
+        return
+    if s <= U256(0) or s >= SECP256R1N:
+        return
+
+    # Public key bounds:
+    # Both qx and qy MUST satisfy 0 ≤ qx < p and 0 ≤ qy < p
+    if public_key_x < U256(0) or public_key_x >= SECP256R1P:
+        return
+    if public_key_y < U256(0) or public_key_y >= SECP256R1P:
+        return
+
+    # Point validity: The point (qx, qy) MUST satisfy the curve equation
+    # qy^2 ≡ qx^3 + a*qx + b (mod p)
+    if not is_on_curve_secp256r1(public_key_x, public_key_y):
+        return
+
+    # Point should not be at infinity (represented as (0, 0))
+    if public_key_x == U256(0) and public_key_y == U256(0):
+        return
+
+    success_return_value = left_pad_zero_bytes(b"\x01", 32)
+
+    try:
+        secp256r1_verify(r, s, public_key_x, public_key_y, message_hash)
+    except Exception:
+        return
+
+    evm.output = success_return_value

whitelist.txt

@@ -476,4 +476,22 @@ blockchain
 listdir
 precompiles
 
+asn1
+backends
+Der
+ECDSA
+Prehashed
+pubnum
+P256VERIFY
+p256verify
+qx
+qy
+SECP256R1
+SECP256R1A
+SECP256R1B
+SECP256R1N
+SECP256R1P
+secp256r1
+sig
+
 CLZ