Merge pull request #2005 from o1-labs/feature/reusable-ecdsa

Make ECDSA easier to use with alternative hash functions

Author: Trivo25

CHANGELOG.md

@@ -18,13 +18,16 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 ## [Unreleased](https://github.com/o1-labs/o1js/compare/b857516...HEAD)
 
 ### Added
+
 - `setFee` and `setFeePerSnarkCost` for `Transaction` and `PendingTransaction` https://github.com/o1-labs/o1js/pull/1968
 - Doc comments for various ZkProgram methods https://github.com/o1-labs/o1js/pull/1974
 - `MerkleList.popOption()` for popping the last element and also learning if there was one https://github.com/o1-labs/o1js/pull/1997
 
 ### Changed
+
 - Sort order for actions now includes the transaction sequence number and the exact account id sequence https://github.com/o1-labs/o1js/pull/1917
 - Updated typedoc version for generating docs https://github.com/o1-labs/o1js/pull/1973
+- ECDSA `verifySignedHash()` accepts hash `Bytes` directly for easy use with alternative hash functions https://github.com/o1-labs/o1js/pull/2005
 
 ### Fixed
 
@@ -381,7 +384,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - `Reducer.reduce()` requires the maximum number of actions per method as an explicit (optional) argument https://github.com/o1-labs/o1js/pull/1450
   - The default value is 1 and should work for most existing contracts
 - `new UInt64()` and `UInt64.from()` no longer unsafely accept a field element as input. https://github.com/o1-labs/o1js/pull/1438 [@julio4](https://github.com/julio4)
-   As a replacement, `UInt64.Unsafe.fromField()` was introduced
+  As a replacement, `UInt64.Unsafe.fromField()` was introduced
   - This prevents you from accidentally creating a `UInt64` without proving that it fits in 64 bits
   - Equivalent changes were made to `UInt32`
 - Fixed vulnerability in `Field.to/fromBits()` outlined in [#1023](https://github.com/o1-labs/o1js/issues/1023) by imposing a limit of 254 bits https://github.com/o1-labs/o1js/pull/1461

src/examples/crypto/ecdsa/ecdsa.ts

@@ -5,6 +5,7 @@ import {
   createForeignCurve,
   Bool,
   Bytes,
+  Hash,
 } from 'o1js';
 
 export { keccakAndEcdsa, ecdsa, Secp256k1, Ecdsa, Bytes32, ecdsaEthers };
@@ -62,3 +63,24 @@ const ecdsaEthers = ZkProgram({
     },
   },
 });
+
+/**
+ * We can also use a different hash function with ECDSA, like SHA-256.
+ */
+const sha256AndEcdsa = ZkProgram({
+  name: 'ecdsa-sha256',
+  publicInput: Bytes32,
+  publicOutput: Bool,
+
+  methods: {
+    verifyEcdsa: {
+      privateInputs: [Ecdsa, Secp256k1],
+      async method(message: Bytes32, signature: Ecdsa, publicKey: Secp256k1) {
+        let messageHash = Hash.SHA2_256.hash(message);
+        return {
+          publicOutput: signature.verifySignedHash(messageHash, publicKey),
+        };
+      },
+    },
+  },
+});

src/lib/provable/crypto/foreign-ecdsa.ts

@@ -104,8 +104,7 @@ class EcdsaSignature {
    */
   verify(message: Bytes, publicKey: FlexiblePoint): Bool {
     let msgHashBytes = Keccak.ethereum(message);
-    let msgHash = keccakOutputToScalar(msgHashBytes, this.Constructor.Curve);
-    return this.verifySignedHash(msgHash, publicKey);
+    return this.verifySignedHash(msgHashBytes, publicKey);
   }
 
   /**
@@ -155,22 +154,23 @@ class EcdsaSignature {
       ...Bytes.fromString(String(message.length)).bytes, // message length as string
       ...message.bytes, // actual message bytes
     ]);
-
-    let msgHash = keccakOutputToScalar(msgHashBytes, this.Constructor.Curve);
-    return this.verifySignedHash(msgHash, publicKey);
+    return this.verifySignedHash(msgHashBytes, publicKey);
   }
 
   /**
    * Verify the ECDSA signature given the message hash (a {@link Scalar}) and public key (a {@link Curve} point).
    *
    * This is a building block of {@link EcdsaSignature.verify}, where the input message is also hashed.
-   * In contrast, this method just takes the message hash (a curve scalar) as input, giving you flexibility in
-   * choosing the hashing algorithm.
+   * In contrast, this method just takes the message hash (a curve scalar, or the output bytes of a hash function)
+   * as input, giving you flexibility in choosing the hashing algorithm.
    */
   verifySignedHash(
-    msgHash: AlmostForeignField | bigint,
+    msgHash: AlmostForeignField | bigint | Bytes,
     publicKey: FlexiblePoint
   ): Bool {
+    if (msgHash instanceof Bytes.Base)
+      msgHash = keccakOutputToScalar(msgHash, this.Constructor.Curve);
+
     let msgHash_ = this.Constructor.Curve.Scalar.from(msgHash);
     let publicKey_ = this.Constructor.Curve.from(publicKey);
     return Ecdsa.verify(
@@ -196,12 +196,15 @@ class EcdsaSignature {
    * Create an {@link EcdsaSignature} by signing a message hash with a private key.
    *
    * This is a building block of {@link EcdsaSignature.sign}, where the input message is also hashed.
-   * In contrast, this method just takes the message hash (a curve scalar) as input, giving you flexibility in
-   * choosing the hashing algorithm.
+   * In contrast, this method just takes the message hash (a curve scalar, or the output bytes of a hash function)
+   * as input, giving you flexibility in choosing the hashing algorithm.
    *
-   * Note: This method is not provable, and only takes JS bigints as input.
+   * Note: This method is not provable, and only takes JS bigints or constant Bytes as input.
    */
-  static signHash(msgHash: bigint, privateKey: bigint) {
+  static signHash(msgHash: bigint | Bytes, privateKey: bigint) {
+    if (msgHash instanceof Bytes.Base)
+      msgHash = keccakOutputToScalar(msgHash, this.Curve).toBigInt();
+
     let { r, s } = Ecdsa.sign(this.Curve.Bigint, msgHash, privateKey);
     return new this({ r, s });
   }