Conversation
mitinarseny
left a comment
mitinarseny
left a comment
There was a problem hiding this comment.
Hey @bowenwang1996, thank you for this proposal!
We (Near Intents team) are super-excited to have it on mainnet soon, as it would drastically reduce gas costs of verifying p256 signatures in WASM, while leaving more gas for other operations.
I left a couple of comments, would appreciate your feedback.
neps/nep-0635.md
Outdated
| /// | ||
| /// - `signature` MUST be 64 bytes encoded as `r || s` (32 bytes each, big-endian). | ||
| /// - `public_key` MUST be a 33-byte compressed SEC1 encoding. | ||
| /// - `message` is the exact byte sequence to verify (no hashing is performed). |
There was a problem hiding this comment.
AFAIK, all ECDCA signatures MUST be calculated over a digest of cryptographic hash function, while it's up to signing standard which hash function to use: e.g. webauthn uses SHA-256. Do you think it's worth to mention it here?
There was a problem hiding this comment.
As far as I checked: the value will be truncated or padded with zeros inside of <VerifyingKey<C> as PrehashVerifier<Signature<C>>>::verify_prehash if the length is not equal to <C as Curve>::FieldBytesSize, which is 32 bytes for NistP256
gagdiez
added
WG-protocol
|
Thank you @bowenwang1996 for submitting this NEP. I would now request @near/wg-protocol to assign two reviewers т(see expectations below). Just for clarity, Technical Reviewers play a crucial role in scaling the NEAR ecosystem as they provide their in-depth expertise in the niche topic while work group members can stay on guard of the NEAR ecosystem. The discussions may get too deep and it would be inefficient for each WG member to dive into every single comment, so NEAR Developer Governance designed this process that includes subject matter experts helping us to scale by writing a summary with the raised concerns and how they were addressed. Technical Review Guidelines
Here is a nice example and a template for your convenience: Please tag the @near/nep-moderators once you are done, so we can move this NEP to the voting stage. Thanks again. |
gagdiez
added
the
S-review/needs-wg-to-assign-sme
neps/nep-0635.md
Outdated
|
|
||
| The reference implementation in `nearcore`: | ||
|
|
||
| - Uses the RustCrypto `p256` crate to parse `Signature::from_slice` and `VerifyingKey::from_sec1_bytes`. |
There was a problem hiding this comment.
For the reviewer of this NEP, I think it would be nice to mention that this crate was audited recently: https://reports.zksecurity.xyz/reports/near-p256/
Particularly since the maintainers of this crate still claim this crate has never been independently audited: https://github.com/RustCrypto/elliptic-curves/tree/master/p256#%EF%B8%8F-security-warning
even though they have added the suggested changes from the audit: RustCrypto/elliptic-curves#1155
There was a problem hiding this comment.
I feel this would also be relevant for future readers, I will go ahead and add a small comment on the NEP itself
|
@near/wg-protocol sorry to ping again, still waiting on two SME reviewers (cc @walnut-the-cat) |
birchmd
left a comment
birchmd
left a comment
There was a problem hiding this comment.
@gagdiez we had a discussion about this NEP at our monthly Protocol Working Group review call. We decided that it is ok to skip the separate SME review for this proposal and move straight to voting. This because it is using a commonly used and well-specified signature algorithm while also making use of a library that has been audited. Essentially, we fell the SME review has implicitly already taken place in the form of the popularity of this algorithm (e.g. in passkeys) and in the audit of the crate.
To that end, as my role as a WG member, I vote to approve this proposal. My only minor comment is that we should accept @mitinarseny 's comments about making clear the msg passed to the verify function should come from some cryptographically secure hash function (the exact one chosen is dependent on the signature scheme), and enforcing input lengths at the SDK level.
gagdiez
added
S-voting/needs-wg-voting-indication
|
@birchmd completely understandable, I think it would still be quite nice if we could get another member from the @near/wg-protocol to state their vote, as @bowenwang1996 is already the one proposing the NEP maybe @mfornet could give their thumbs up? |
Co-authored-by: Arseny Mitin <mitinarseny@gmail.com>
Co-authored-by: r-near <163825889+r-near@users.noreply.github.com>
|
Giving my thumbs up here as well. I incorporated the suggestions from @mitinarseny and @r-near as @birchmd suggested. I believe in the current state this NEP should be accepted. |
as Iker pointed out, the creators of the `p256` crate claim that their crate was never audited However NEAR recently requested an independent review from zksecurity, which reported "No major issues were found and the codebase was found to be thoroughly tested and well-architected."
|
Both @birchmd [1] and @graphite [2] who are members of the @near/wg-protocol gave their approval, which means we have reached enough quorum for it to be accepted as a Protocol NEP For anyone reading this in the future, we did skip the protocol meeting to vote, as this NEP proposes to add a well-known cryptographical operation using audited |
8 participants
Proposal to add ECDSA P256 signature verification as a host function in the runtime. Implementation in near/nearcore#14927