feat: Native ECDSA audit#20658
Merged
federicobarbacovi merged 12 commits intomerge-train/barretenbergfrom Feb 23, 2026
Merged
Conversation
|
|
||
| // Ensure that the value of s is "low", i.e. s := min{ s_fr, (|Fr| - s_fr) } | ||
| const bool is_s_low = (uint256_t(s_fr) < (uint256_t(Fr::modulus) / 2)); | ||
| const bool is_s_low = (uint256_t(s_fr) < (uint256_t(Fr::modulus) + 1) / 2); |
Contributor
Author
There was a problem hiding this comment.
The previous comparison was wrong: if modulus = 5 and s = 2 then 2 < (5 / 2) is false and we'd get s = 3 in the signature
federicobarbacovi
requested review from
IlyasRidhuan,
fcarreiro and
jeanmon
as code owners
suyash67
reviewed
Feb 19, 2026
| std::vector<uint8_t> pkey_buffer; | ||
| write(pkey_buffer, account.private_key); | ||
| Fr k = crypto::get_unbiased_field_from_hmac<Hash, Fr>(message, pkey_buffer); | ||
| Fr k = crypto::deterministic_nonce_rfc6979<Hash, Fr>(message, pkey_buffer); |
Contributor
There was a problem hiding this comment.
Glad we're now generating nonce as per NIST standard, I always used to be a bit worried about the HMAC usage.
suyash67
reviewed
Feb 19, 2026
| const bool is_s_low = (uint256_t(s_fr) < (uint256_t(Fr::modulus) / 2)); | ||
| uint256_t s_uint256 = is_s_low ? uint256_t(s_fr) : (uint256_t(Fr::modulus) - uint256_t(s_fr)); | ||
| // Ensure that the value of s is "low", i.e. s := min{ s, (|Fr| - s) } | ||
| const bool is_s_low = (uint256_t(s) < (uint256_t(Fr::modulus) + 1) / 2); |
suyash67
reviewed
Feb 19, 2026
| using namespace bb::crypto; | ||
|
|
||
| TEST(ecdsa, msgpack) | ||
| // Templated test fixture for ECDSA operations on different curves |
suyash67
reviewed
Feb 19, 2026
| @@ -19,12 +19,12 @@ struct KeccakHasher { | |||
| static constexpr size_t OUTPUT_SIZE = 32; | |||
| static std::vector<uint8_t> hash(const std::vector<uint8_t>& message) | |||
| { | |||
| keccak256 hash_result = ethash_keccak256(&message[0], message.size()); | |||
| const uint8_t* ptr = message.empty() ? nullptr : message.data(); | |||
| keccak256 hash_result = ethash_keccak256(ptr, message.size()); | |||
Contributor
There was a problem hiding this comment.
I am curious what happens if message is empty. What would be the hash_result?
Contributor
Author
There was a problem hiding this comment.
Good point, I added tests for all three hashers to check that the hash of the empty string is correct.
suyash67
reviewed
Feb 19, 2026
federicobarbacovi
force-pushed
the
fb/native_ecdsa_audit
branch
from
5cd7d00 to
29b68e7
Compare
| ev[0] &= (1 << remainder) - 1; | ||
| } | ||
| ev.insert(ev.begin(), Hash::OUTPUT_SIZE - bit_length, 0); | ||
| const uint8_t* ptr = ev.data(); |
Contributor
Author
There was a problem hiding this comment.
I feel this is easier to understand
| // Temporary buffer for first HMAC round: V || 0x00 || seed_material | ||
| std::vector<uint8_t> tmp_buffer; | ||
| tmp_buffer.reserve(INITIAL_BUFFER_SIZE + 1 + seed_material.size()); | ||
| std::ranges::copy(v_buffer, std::back_inserter(tmp_buffer)); |
Contributor
Author
There was a problem hiding this comment.
Preventing the modification of V but not updating tmp_buffer
|
|
||
| TYPED_TEST(EcdsaTests, HighS) | ||
| { | ||
| // Disable asserts because native ecdsa verification raises an error if s >= (n+1)/2 |
Contributor
Author
There was a problem hiding this comment.
The native functions don't fail anymore, so we shouldn't disable these asserts
| .is_circuit_satisfied = true, | ||
| .comment = "Edge case public key, y coordinate is small", | ||
| }, | ||
| // Modular inverse edge case |
Contributor
Author
There was a problem hiding this comment.
Imported from native testing
suyash67
approved these changes
Feb 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🧾 Audit Context
Native ECDSA audit: test refactoring, deterministic nonce derivation according to RFC6979, small code refactoring.
🛠️ Changes Made
✅ Checklist
📌 Notes for Reviewers