feat(tee): add support for recoverable signatures #3414
This PR is part of the effort to implement on-chain TEE proof verification. Signatures produced by the TEE Prover are now compatible with the on-chain verifier that uses the `ecrecover` precompile. Until now, we've been using _non-recoverable_ signatures in the TEE prover with a compressed ECDSA public key in each attestation -- it was compressed because there are only 64 bytes available in the report attestation quote. That worked fine for off-chain proof verification, but for on-chain verification, it's better to use the Ethereum address derived from the public key so we can call ecrecover in Solidity to verify the signature. This PR goes hand in hand with matter-labs/teepot#228
@@ -67,10 +67,24 @@ impl fmt::Debug for TeeProver { | |||
} | |||
|
|||
impl TeeProver { | |||
/// Signs the message in Ethereum-compatible format for on-chain verification. | |||
pub fn sign_message(sec: &SecretKey, message: Message) -> Result<[u8; 65], TeeProverError> { | |||
let s = SECP256K1.sign_ecdsa_recoverable(&message, sec); |
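Review bot: the doc comment on `sign_message` should state the layout of the returned `[u8; 65]` and how the recovery id is encoded into the last byte, because the hunk only shows the `sign_ecdsa_recoverable` call while the `recover` helper used in the tests decodes it as `signature[64] as i32 - 27`; if the two conventions (raw recovery id vs. recovery id + 27) ever diverge, `ecrecover` on-chain will not fail loudly but simply yield a different address. Suggest something like `/// Returns `r || s || v` with `v = recovery_id + 27`, as expected by the `ecrecover` precompile.`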
You can use the zksync_crypto_primitives library; it has this functionality (and one used in the unit tests below) implemented.
I was excited to hear we had all the crypto primitives ready to reuse, but when I dove in, it turned out they were kinda inconvenient or even impossible to use because:
- Some primitives are defined as `pub(super)`, `pub(crate)`, or totally private. I don't really get why, TBH.
- Some of our crypto wrappers are way less convenient than the primitives they actually wrap.
I reused what I could, but I still had to almost copy-paste some of the existing primitives. :( Overall it seems the number of LOC increased. :P Lemme know if I'm missing something.
zksync-era/core/bin/zksync_tee_prover/src/tee_prover.rs
Lines 223 to 241 in 27ad86e
```rust
/// Recovers the public key from the signature for the message
fn recover(signature: &Signature, message: &Message) -> Result<Public> {
    // The 65th byte carries the recovery id as `recid + 27` (Ethereum convention)
    let rsig = RecoverableSignature::from_compact(
        &signature[0..64],
        RecoveryId::from_i32(signature[64] as i32 - 27)?,
    )?;
    let pubkey = &SECP256K1.recover_ecdsa(&Message::from_slice(&message[..])?, &rsig)?;
    // Drop the 0x04 prefix of the uncompressed SEC1 encoding, keeping X || Y (64 bytes)
    let serialized = pubkey.serialize_uncompressed();
    let mut public = Public::default();
    public.as_bytes_mut().copy_from_slice(&serialized[1..65]);
    Ok(public)
}

/// Convert public key into the address
fn public_to_address(public: &Public) -> Address {
    // Ethereum address = last 20 bytes of keccak256(X || Y)
    let hash = keccak256(public.as_bytes());
    let mut result = Address::zero();
    result.as_bytes_mut().copy_from_slice(&hash[12..]);
    result
}
```
@slowli, kindly ping.
The existing primitives are private because so far, there was no use case to make them public, and keeping stuff private by default is a good practice. Now that such a use case has appeared, I'd suggest to make the necessary primitives public and export them from crypto_primitives.
Signed-off-by: Harald Hoyer <[email protected]>
What ❔
This PR is part of the effort to implement on-chain TEE proof verification. Signatures produced by the TEE Prover are now compatible with the on-chain verifier that uses the `ecrecover` precompile.
Why ❔
Until now, we've been using non-recoverable signatures in the TEE prover with a compressed ECDSA public key in each attestation – it was compressed because there are only 64 bytes available in the report attestation quote. That worked fine for off-chain proof verification, but for on-chain verification, it's better to use the Ethereum address derived from the public key so we can call `ecrecover` in Solidity to verify the signature.
This PR goes hand in hand with:
- matter-labs/teepot#228
Checklist
- `zkstack dev fmt` and `zkstack dev lint`.
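The following is an added, stand-alone example (not code from this PR or from the zksync-era / teepot projects) that walks through the whole pipeline the description and the `recover` helper above rely on: a recoverable secp256k1 signature serialized as the 65-byte `r || s || v` that `ecrecover` expects (with `v = recovery_id + 27`), recovery of the signer's public key from it, derivation of the 20-byte Ethereum address from `keccak256(X || Y)`, and the check an on-chain verifier performs against the address carried in `report_data`. It is pure Python with only the standard library; Keccak-256 is implemented inline because `hashlib.sha3_256` uses NIST padding and would not match Ethereum. It goes slightly beyond the page by also applying low-s normalization. Assumptions: the nonce derivation (HMAC-SHA256 of key and hash) is a simplification and not RFC 6979, the `report_data_for` layout (address zero-padded to 64 bytes) is hypothetical, and the private key `1` and the payload bytes are constructed demo values.

```python
"""Recoverable ECDSA (secp256k1) -> r||s||v, ecrecover-style recovery, Ethereum address.
Added example, stdlib only.  Nonce derivation is a simplification, NOT RFC 6979."""
import hashlib
import hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# ---- Keccak-256 (Ethereum padding 0x01..0x80; hashlib.sha3_256 would NOT match) ----
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]            # rho offsets, lane index x + 5*y
_M64 = (1 << 64) - 1

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _M64

def _keccak_f(a):
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                                   # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                                      # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], _ROT[x + 5 * y])
        a = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                                    # chi
        a[0] ^= rc                                                                  # iota
    return a

def keccak256(data: bytes) -> bytes:
    rate = 136                                   # (1600 - 2*256) / 8 bytes per block
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    a = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            a[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i].to_bytes(8, "little") for i in range(4))

# ---- secp256k1 affine arithmetic (None is the point at infinity) ----
def _ec_add(p, q):
    if p is None: return q
    if q is None: return p
    if p[0] == q[0]:
        if (p[1] + q[1]) % P == 0: return None                 # q == -p
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P        # doubling
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def _ec_mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = _ec_add(acc, pt)
        pt, k = _ec_add(pt, pt), k >> 1
    return acc

def sign_recoverable(priv: int, msg_hash: bytes) -> bytes:
    """Return r || s || v (65 bytes), v = recovery_id + 27, the layout ecrecover expects."""
    z = int.from_bytes(msg_hash, "big")
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), msg_hash, hashlib.sha256).digest(), "big") % N
    rx, ry = _ec_mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if k == 0 or r == 0 or s == 0:
        raise ValueError("degenerate nonce; caller should retry with a fresh nonce")
    recid = (ry & 1) | (2 if rx >= N else 0)       # bit 0: parity of R.y, bit 1: R.x overflowed n
    if s > N // 2:                                   # low-s normalisation negates R, so flip parity
        s, recid = N - s, recid ^ 1
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([27 + recid])

def recover_pubkey(sig: bytes, msg_hash: bytes):
    """ecrecover: Q = r^-1 * (s*R - z*G). Raises ValueError on malformed input."""
    if len(sig) != 65:
        raise ValueError("signature must be 65 bytes")
    r, s, recid = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big"), sig[64] - 27
    if not (0 <= recid <= 3 and 0 < r < N and 0 < s < N):
        raise ValueError("malformed r, s or v")
    x = r + (N if recid & 2 else 0)
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)        # sqrt works since P % 4 == 3
    if x >= P or (y * y - x ** 3 - 7) % P != 0:
        raise ValueError("r is not the x coordinate of a curve point")
    if (y & 1) != (recid & 1):
        y = P - y
    neg_zg = _ec_mul(int.from_bytes(msg_hash, "big") % N, G)
    if neg_zg is not None:
        neg_zg = (neg_zg[0], (P - neg_zg[1]) % P)
    q = _ec_mul(pow(r, -1, N), _ec_add(_ec_mul(s, (x, y)), neg_zg))
    if q is None:
        raise ValueError("recovery produced the point at infinity")
    return q

def pubkey_to_address(q) -> bytes:
    """Ethereum address = last 20 bytes of keccak256(X || Y), i.e. the uncompressed key minus 0x04."""
    return keccak256(q[0].to_bytes(32, "big") + q[1].to_bytes(32, "big"))[12:]

def report_data_for(address: bytes) -> bytes:
    """Hypothetical layout (assumption): 20-byte address zero-padded into the 64-byte report_data."""
    return address.ljust(64, b"\x00")

def verify_with_report_data(sig: bytes, msg_hash: bytes, report_data: bytes) -> bool:
    """What the on-chain verifier does: recover the signer and compare with the attested address."""
    try:
        return pubkey_to_address(recover_pubkey(sig, msg_hash)) == report_data[:20]
    except ValueError:
        return False
```

`verify_with_report_data` is the defender-side check: a signature made with a different key, over a different hash, or with a corrupted `v` byte recovers to some other address (or fails to recover at all) and is rejected, which is exactly why the 20-byte address fits the 64-byte `report_data` where a 33-byte compressed key plus a non-recoverable signature did not leave room for on-chain verification.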