Precompile ECRECOVER #529
It is time to add the sig lookup? @roynalnaruto
Yes, I will add it now.
f136963 to 6ab87ea
* potential approach (pow of rand lookup)
* add lookup for pow of rand
* fix: right pad only if needed
* fix: missing constraint on padded_rlc
* constrain pow of rand table
\b run testool
Succeed to run testool:
Should have a look at the new failures in testool report: Panic(attempt to subtract with overflow)
\b run testool
Succeed to run testool:
I noticed the CI takes more time than before (even the "default" mode CI fails to run..). Retrying.
zkevm-circuits/src/evm_circuit/execution/precompiles/ecrecover.rs
You can merge it when the above 3 comments are addressed.
closed #1665
This PR was ported from
- scroll-tech#529
- scroll-tech#930
which mainly includes,
1. the main logic in ecrecover gadget (`ecrecover.rs`)
2. signature verification circuit (`sig_circuit.rs`). What I did is to change rlc to word lo/hi.
3. a new table, `sig_table.rs`
4. ecc circuit (`ecc_circuit.rs`). It's not used in `ecRecover`, but it was implemented in Scroll's PR. If I removed ecc_circuit, it would be inconvenient for people porting `ecAdd`, `ecMul` or `ecPairing`. That's why I keep it here.
5. dependencies update, using `halo2lib` (includes `halo2-base` and `halo2-ecc`)
---------
Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com>
Co-authored-by: Zhang Zhuo <mycinbrin@gmail.com>
Description
Add support for verification of the precompile `ecRecover`.
Issue Link
#527
Type of change
Contents
The PR aims at supporting verification of the `ecRecover` precompile call.
The PR can be summarised by the following parts:
Copy Circuit Updates
There are 3 sets of memory operations associated with a precompile call, namely, memory reads from the `caller` to the precompile `call`, memory writes from the precompile call result to the precompile `call` context and lastly, memory writes from the precompile call result to the original `caller` context.
We introduce a new `CopyDataType` for the target precompile, which is the following variant: `CopyDataType::Precompile(PrecompileCalls)` where `PrecompileCalls` is another enum that covers various precompile call types.
The bytes copied to/from precompile target must support the accumulator check.
Since the `CopyDataType` now has 15 variants, we need an additional bit for the `BinaryNumberChip` inside copy circuit. Consequently, this increases the degree of the copy circuit and in order to bring the degree back to `9`, the following changes had to be made:
zkevm-circuits/zkevm-circuits/src/copy_circuit.rs (Lines 65 to 73 in 752f4f4)
zkevm-circuits/zkevm-circuits/src/copy_circuit.rs (Lines 203 to 213 in 752f4f4)
Bus Mapping Updates
The memory RWs mentioned above are handled by the [`CallOp`](https://github.com/scroll-tech/zkevm-circuits/blob/752f4f4af416c5323e7294f83b360067012a5cdb/bus-mapping/src/evm/opcodes/callop.rs#L254) opcode.
The `ecRecover` arguments (`[v, r, s, msg_hash, recovered_addr]`) must be pushed to the `CircuitInputBuilder`'s block, so it can later be used as witness data to populate the `SignVerifyTable`. The `SignVerifyTable` is a work-in-progress PR and this PR depends on it.
ecRecover Gadget
The difference between signature verification (for tx signature) and elliptic-curve signer recovery is that the signature is not verified in the case of ecRecover. For more details refer to "4.1.4 (sig verify)" and "4.1.6 (recovery)" in https://www.secg.org/sec1-v2.pdf.
So in the lookup to the `SigVerifyTable`, `ecRecover` does not care about the `is_valid` column. An example is this playground setup in https://evm.codes. Setting the `calldata_length` to `0x65` (an arbitrary value between 0x60 and 0x80) does recover a signer address without verifying the signature (the signature in this case would have been invalid).
The `ecRecover` gadget is responsible for verifying the internal execution state `PrecompileEcrecover`. The gadget also has `sig_v`, `sig_r`, `sig_s`, `msg_hash`, `recovered_addr` and `recovered` cells to verify the `input` and `output` from the precompile call (this verification is done in the `util::PrecompileGadget`).
Precompile Gadget Updates
Add a conditional constraint for `input_rlc` and `output_rlc` (input and output of the precompile call). The `output_rlc` is `0` for the case where no address could be recovered, so the failure case is covered as well. If the address was recovered, then the output RLC is constrained to be equal to the recovered address.
How Has This Been Tested?
zkevm-circuits/zkevm-circuits/src/evm_circuit/execution/precompiles/ecrecover.rs (Line 210 in 752f4f4)