From 389c6346a119d853941b296bdfa99e8ffe01af81 Mon Sep 17 00:00:00 2001 From: lukapercic <lukapercic@pm.me> Date: Fri, 29 Dec 2023 15:11:53 +0100 Subject: [PATCH] Create EOS-Cryptography-Proposal-2-b-Milestone-2.md --- ...S-Cryptography-Proposal-2-b-Milestone-2.md | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 deliveries/EOS-Cryptography-Proposal-2-b-Milestone-2.md diff --git a/deliveries/EOS-Cryptography-Proposal-2-b-Milestone-2.md b/deliveries/EOS-Cryptography-Proposal-2-b-Milestone-2.md new file mode 100644 index 0000000..a15cb78 --- /dev/null +++ b/deliveries/EOS-Cryptography-Proposal-2-b-Milestone-2.md @@ -0,0 +1,62 @@ +# Milestone Delivery + +**The [invoice form](https://forms.gle/wLuAzXKa9qYrZQob9) has been filled out correctly for this milestone and the delivery is according to the official [milestone delivery guidelines](https://github.com/eosnetworkfoundation/grant-framework/blob/master/docs/milestone-deliverables-guidelines.md).** + +* **Application Document:** https://github.com/eosnetworkfoundation/grant-framework/blob/main/applications/EOS-Cryptography-Proposal-2-b.md +* **Milestone Number:** 2 +* **Milestone Payment Amount:** $32,000 USD +* **Contact Name:** Luka Percic +* **Contact email:** zeropass@pm.me + +## Context +This delivery shows the power of ACK library and accelerated EC-based signature verification algorithms, by implementing the NIST and Brainpool curves. It also includes ECDSA key recovery from the signatures. + +## Deliverables +| Number | Deliverable | Link/Notes | +| -----: | ----------- | ------------- | +| 0a. | License | MIT | +| 0b. | Documentation | Documentation and step-by-step guide in [README.md](https://github.com/ZeroPass/ack/blob/b8d3ea841d32e1be372c36d0fb57785ec944a218/README.md). | +| 0c. | Testing Guide | [Section in the guide](https://github.com/ZeroPass/ack/blob/b8d3ea841d32e1be372c36d0fb57785ec944a218/README.md#algorithm-testing) | +| 0d. | Running it | We deployed on the [Jungle 4 testnet](https://jungle4.eosq.eosnation.io/account/helloeosiock) the [example contract](https://github.com/ZeroPass/ack/blob/b8d3ea841d32e1be372c36d0fb57785ec944a218/examples/helloack).| +| 1. | Antelope SDK library | Implementation of P-384, P-521 NIST curves | +| 2. | Antelope SDK library | Implementation of brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1 Brainpool curves | +| 3. | Antelope SDK library | Implementing ECDSA key recovery from signature | + +### Benchmark of public key recovery form ECDSA signature vs ECDSA signature verification: +**Native** +|curve | recover | verify | +|------|---------|--------| +| brainpoolP256r1 | 1.631ms | 1.550ms| +| brainpoolP320r1 | 2.708ms | 2.460ms| +| brainpoolP384r1 | 4.060ms | 3.830ms| +| brainpoolP512r1 | 8.256ms | 7.697ms| +| secp256k1 | 0.794ms | 0.740ms| +| secp256r1 | 1.050ms | 1.030ms| +| secp384r1 | 2.110ms | 1.940ms| +| secp521r1 | 5.402ms | 4.920ms| + + +**WASM OC** +|curve | recover | verify | +|------|---------|--------| +| brainpoolP256r1 | 5.552ms - 6.300ms | 5.161ms - 5.500ms| +| brainpoolP320r1 | 8.191ms - 9.100ms | 8.189ms - 8.588ms| +| brainpoolP384r1 | 11.728ms - 17.364ms | 11.401ms - 15.157ms| +| brainpoolP512r1 | 22.604ms - 28.364ms | 18.626ms - 25.198ms| +| secp256k1 | 3.213ms - 3.883ms | 2.893ms - 4.200ms| +| secp256r1 | 3.960ms - 4.670ms | 3.664ms - 4.900ms| +| secp384r1 | 7.225ms - 8.798ms | 6.756ms - 7.743ms| +| secp521r1 | 18.032ms - 20.886ms | 16.012ms - 20.107ms| + +## Additional Information +We encountered challenges when implementing the largest EC curves, `secp521r1`, and `brainpoolP512r1`. Due to the limited available stack space in the WebAssembly environment (8KB), we had to create a new `flexbuffer` to store the big integer state on the heap for these curves. + +Currently, the issue with this new buffer is that, due to the compile-time construction requirements of the ack library, the heap-allocated memory is never freed (C++17 doesn't support compile-time destructors). Therefore, the buffer should only be used in short-lived environments, such as WebAssembly. + +As expected and evident in the benchmark report, brainpool R curves can be significantly slower. The reason for this is the chosen curve parameters for which no special EC arithmetic can be applied (i.e., _a_ ≡ −3 (mod _p_) or _a_ ≡ 0). +It's worth noting that there are also brainpool twisted curves (T) for which _a_ ≡ −3 (mod _p_). However, due to their limited usage in real-world applications, they were omitted from implementation. + +The implementation of public key recovery from ECDSA signature is, as expected, slightly slower than ECDSA signature verification. This is due to the requirement of reconstructing point `R` from the signature component `r`, which requires additional implementation of modular square root. +The modular square root implementation uses the standard Tonelli-Shanks algorithm to calculate square roots in modular arithmetic and has additional optimization for when the curve prime is equal to _p_ ≡ 3 (mod 4). This optimization provides roughly a two-fold boost and applies to all implemented curves in the ack library. + +Additionally, for this milestone, we implemented point decompression from the point's x-coordinate (required for reconstruction of point `R`) and point encoding/decoding (SEC1-v2 section 2.3.3 & 2.3.4).