Add generic eddsa impl using sha256 in place of sha512

Author: Avaneesh-axiom

Cargo.lock

@@ -169,6 +169,9 @@ openvm-pairing-transpiler = { path = "extensions/pairing/transpiler", default-fe
 openvm-pairing-guest = { path = "extensions/pairing/guest", default-features = false }
 openvm-verify-stark = { path = "guest-libs/verify_stark", default-features = false }
 
+# Guest Libraries
+openvm-sha2 = { path = "guest-libs/sha2", default-features = false }
+
 # Benchmarking
 openvm-benchmarks-utils = { path = "benchmarks/utils", default-features = false }
 
@@ -247,6 +250,7 @@ num-integer = { version = "0.1.46", default-features = false }
 num-traits = { version = "0.2.19", default-features = false }
 ff = { version = "0.13.1", default-features = false }
 sha2 = { version = "0.10", default-features = false }
+signature = { version = "2.2.0", default-features = false } 
 
 # For local development. Add to your `.cargo/config.toml`
 # [patch."https://github.com/Plonky3/Plonky3.git"]

Cargo.toml

@@ -20,6 +20,7 @@ openvm-algebra-circuit = { workspace = true }
 openvm-rv32-adapters = { workspace = true }
 openvm-ecc-transpiler = { workspace = true }
 openvm-ecc-guest = { workspace = true, features = ["ed25519"] }
+openvm-sha256-circuit = { workspace = true }
 
 num-bigint = { workspace = true }
 num-integer = { workspace = true }

extensions/ecc/circuit/Cargo.toml

@@ -2,6 +2,7 @@ use openvm_algebra_circuit::*;
 use openvm_circuit::arch::{InitFileGenerator, SystemConfig};
 use openvm_circuit_derive::VmConfig;
 use openvm_rv32im_circuit::*;
+use openvm_sha256_circuit::{Sha256, Sha256Executor, Sha256Periphery};
 use openvm_stark_backend::p3_field::PrimeField32;
 use serde::{Deserialize, Serialize};
 
@@ -21,6 +22,8 @@ pub struct Rv32EccConfig {
     pub modular: ModularExtension,
     #[extension]
     pub ecc: EccExtension,
+    #[extension]
+    pub sha256: Sha256,
 }
 
 impl Rv32EccConfig {
@@ -44,6 +47,7 @@ impl Rv32EccConfig {
             io: Default::default(),
             modular: ModularExtension::new(primes),
             ecc: EccExtension::new(sw_curves, te_curves),
+            sha256: Default::default(),
         }
     }
 }

extensions/ecc/circuit/src/config.rs

@@ -22,6 +22,8 @@ openvm-ecc-te-macros = { workspace = true }
 once_cell = { workspace = true, features = ["race", "alloc"] }
 num-bigint = { workspace = true }
 hex-literal = { workspace = true }
+signature = { workspace = true }
+openvm-sha2 = { workspace = true }
 
 # Used for `halo2curves` feature
 halo2curves-axiom = { workspace = true, optional = true }

extensions/ecc/guest/Cargo.toml

@@ -0,0 +1,144 @@
+use openvm_algebra_guest::{IntMod, Reduce};
+use openvm_sha2::sha256;
+
+use crate::{edwards::TwistedEdwardsPoint, CyclicGroup, FromCompressed, IntrinsicCurve};
+
+extern crate alloc;
+use alloc::vec::Vec;
+
+type Coordinate<C> = <<C as IntrinsicCurve>::Point as TwistedEdwardsPoint>::Coordinate;
+type Scalar<C> = <C as IntrinsicCurve>::Scalar;
+type Point<C> = <C as IntrinsicCurve>::Point;
+
+#[repr(C)]
+#[derive(Clone)]
+pub struct VerifyingKey<C: IntrinsicCurve> {
+    /// Affine point
+    point: Point<C>,
+}
+
+impl<C: IntrinsicCurve> VerifyingKey<C>
+where
+    Point<C>: TwistedEdwardsPoint + FromCompressed<Coordinate<C>> + CyclicGroup,
+    Coordinate<C>: IntMod,
+    C::Scalar: IntMod + Reduce,
+{
+    /// Assumes the point is encoded as in https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.2
+    pub fn from_bytes(bytes: &[u8]) -> Option<Self> {
+        if bytes.len() != Coordinate::<C>::NUM_LIMBS {
+            return None;
+        }
+        Some(Self {
+            point: decode_point::<C>(bytes)?,
+        })
+    }
+
+    pub fn verify(&self, message: &[u8], sig: &[u8]) -> bool {
+        let Some(sig) = Signature::<C>::from_bytes(sig) else {
+            return false;
+        };
+
+        // TODO: replace with sha512
+        let prehash = sha256(message);
+
+        // h = SHA512(dom2(F, C) || R || A || PH(M))
+        // RFC reference: https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7
+        let mut sha_input = Vec::new();
+
+        // dom2(F, C) domain separator
+        // RFC reference: https://datatracker.ietf.org/doc/html/rfc8032#section-2
+        // See definition of dom2 in the RFC. Note that the RFC refers to the prehash
+        // version of Ed25519 as Ed25519ph, and the non-prehash version as Ed25519.
+        sha_input.extend_from_slice(b"SigEd25519 no Ed25519 collisions");
+        sha_input.extend_from_slice(&[1]); // phflag = 1
+
+        // The RFC specifies optional "context" bytes that are shared between a signer and verifier.
+        // We don't use any context bytes.
+        // See: https://datatracker.ietf.org/doc/html/rfc8032#section-5.1
+        sha_input.extend_from_slice(&[0]); // context len = 0
+
+        sha_input.extend_from_slice(&encode_point::<C>(&sig.r));
+        sha_input.extend_from_slice(&encode_point::<C>(&self.point));
+        sha_input.extend_from_slice(&prehash);
+
+        // TOOD: replace with sha512
+        let h = sha256(&sha_input);
+
+        let h = C::Scalar::reduce_le_bytes(&h);
+
+        // assert s * B = R + h * A
+        // <=> R + h * A - s * B = 0
+        // <=> [1, h, s] * [R, A, -B] = 0
+        let res = C::msm(
+            &[C::Scalar::ONE, h, sig.s],
+            &[
+                sig.r,
+                self.point.clone(),
+                <Point<C> as CyclicGroup>::NEG_GENERATOR,
+            ],
+        );
+        res == <Point<C> as TwistedEdwardsPoint>::IDENTITY
+    }
+}
+
+// Internal struct used for decoding the signature from bytes
+struct Signature<C: IntrinsicCurve> {
+    r: C::Point,
+    s: C::Scalar,
+}
+
+impl<C: IntrinsicCurve> Signature<C>
+where
+    C::Point: TwistedEdwardsPoint + FromCompressed<Coordinate<C>>,
+    Coordinate<C>: IntMod,
+    C::Scalar: IntMod,
+{
+    pub fn from_bytes(bytes: &[u8]) -> Option<Self> {
+        if bytes.len() != Coordinate::<C>::NUM_LIMBS + Scalar::<C>::NUM_LIMBS {
+            return None;
+        }
+        // from_le_bytes checks that s is reduced
+        let s = Scalar::<C>::from_le_bytes(&bytes[Coordinate::<C>::NUM_LIMBS..])?;
+        Some(Self {
+            r: decode_point::<C>(&bytes[..Coordinate::<C>::NUM_LIMBS])?,
+            s,
+        })
+    }
+}
+
+/// RFC reference: https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.3
+/// We require that the most significant bit in the little-endian encoding of
+/// elements of the coordinate field is always 0, because we pack the parity
+/// of the x-coordinate there.
+fn decode_point<C: IntrinsicCurve>(bytes: &[u8]) -> Option<Point<C>>
+where
+    Point<C>: TwistedEdwardsPoint + FromCompressed<Coordinate<C>>,
+    Coordinate<C>: IntMod,
+{
+    if bytes.len() != Coordinate::<C>::NUM_LIMBS {
+        return None;
+    }
+    let mut y_bytes = bytes.to_vec();
+    // most significant bit stores the parity of the x-coordinate
+    let rec_id = y_bytes[Coordinate::<C>::NUM_LIMBS - 1] & 0b10000000;
+    y_bytes[Coordinate::<C>::NUM_LIMBS - 1] &= 0b01111111;
+    // from_le_bytes checks that y is reduced
+    let y = Coordinate::<C>::from_le_bytes(&y_bytes)?;
+    Point::<C>::decompress(y, &rec_id)
+}
+
+/// RFC reference: https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.2
+/// We require that the most significant bit in the little-endian encoding of
+/// elements of the coordinate field is always 0, because we pack the parity
+/// of the x-coordinate there.
+fn encode_point<C: IntrinsicCurve>(p: &Point<C>) -> Vec<u8>
+where
+    Point<C>: TwistedEdwardsPoint,
+    Coordinate<C>: IntMod,
+{
+    let mut y_bytes = p.y().as_le_bytes().to_vec();
+    if p.x().as_le_bytes()[0] & 1u8 == 1 {
+        y_bytes[Coordinate::<C>::NUM_LIMBS - 1] |= 0b10000000;
+    }
+    y_bytes
+}

extensions/ecc/guest/src/eddsa.rs

@@ -18,6 +18,8 @@ pub use msm::*;
 
 /// Optimized ECDSA implementation with the same functional interface as the `ecdsa` crate
 pub mod ecdsa;
+/// Optimized EDDSA implementation
+pub mod eddsa;
 /// Edwards curve traits
 pub mod edwards;
 /// Weierstrass curve traits

extensions/ecc/guest/src/lib.rs

@@ -12,6 +12,7 @@ openvm-stark-sdk.workspace = true
 openvm-circuit = { workspace = true, features = ["test-utils"] }
 openvm-transpiler.workspace = true
 openvm-algebra-transpiler.workspace = true
+openvm-sha256-transpiler.workspace = true
 openvm-ecc-transpiler.workspace = true
 openvm-ecc-circuit.workspace = true
 openvm-rv32im-transpiler.workspace = true

extensions/ecc/tests/Cargo.toml

@@ -9,7 +9,7 @@ openvm = { path = "../../../../crates/toolchain/openvm" }
 openvm-platform = { path = "../../../../crates/toolchain/platform" }
 openvm-custom-insn = { path = "../../../../crates/toolchain/custom_insn", default-features = false }
 
-openvm-ecc-guest = { path = "../../guest", default-features = false }
+openvm-ecc-guest = { path = "../../guest", default-features = false, features = ["ed25519"] }
 openvm-ecc-sw-macros = { path = "../../../../extensions/ecc/sw-macros", default-features = false }
 openvm-ecc-te-macros = { path = "../../../../extensions/ecc/te-macros", default-features = false }
 openvm-algebra-guest = { path = "../../../algebra/guest", default-features = false }

extensions/ecc/tests/programs/Cargo.toml

@@ -0,0 +1,28 @@
+#![cfg_attr(not(feature = "std"), no_main)]
+#![cfg_attr(not(feature = "std"), no_std)]
+
+use hex_literal::hex;
+use openvm_ecc_guest::{ed25519::Ed25519Point, eddsa::VerifyingKey};
+
+openvm::entry!(main);
+
+openvm::init!("openvm_init_eddsa_ed25519.rs");
+
+// Ref: https://docs.rs/k256/latest/k256/ecdsa/index.html
+pub fn main() {
+    // Test data taken from the RFC: https://datatracker.ietf.org/doc/html/rfc8032#section-7.3
+    // Unfortuantely, the RFC only provides one test for Ed25519ph
+    // TODO: find/generate more tests
+    let msg = b"abc";
+
+    let signature = hex!(
+            "98a70222f0b8121aa9d30f813d683f809e462b469c7ff87639499bb94e6dae4131f85042463c2a355a2003d062adf5aaa10b8c61e636062aaad11c2a26083406"
+        );
+
+    let vk = VerifyingKey::<Ed25519Point>::from_bytes(&hex!(
+        "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf"
+    ))
+    .unwrap();
+
+    assert!(vk.verify(msg, &signature));
+}