daimo-eth / p256-verifier Goto Github PK

Alongside with pubkey and signature transaction caller may provide an inverted value then we can check the inversion (a * a_inv == 1) mod n. So that modexp call can be skipped

you could differentially fuzz the code vs native code w/ ffi https://book.getfoundry.sh/forge/differential-ffi-testing

Seems worth adding fuzzing against popular implementations like noble/subtlecrypto in future.

from @gakonst

Instead of doubling at each index of the loop, for the bits that are 0 in both u and v we can skip over them while incrementing some counter. When we encounter the next non-zero bit (or the end of the loop), we can perform a single scaling of 2^(counter) on the running sum point. Should reduce cost since scaling can be implemented more gas efficiently than (counter) doubles.

Don’t see other implementations do this probably because scaling cost is close enough in real CPU cycles to double and add, but our use case of Solidity would see improvements I believe.

Add a test that measures gas usage of our implementation and FCL’s implementation.

To match real world use cases exactly, generate 100 random privkeys and 100 random signatures from each. Measure gas used by both implementations and output mean median etc of usage (note that both implementations should have same compilation settings etc)

• Remove all commented-out code from P256Verifier.
• Clean up code, add thorough inline documentation.
• Remove reverts. EIP-7212 spec always returns 1 or 0, never reverts.
• Combine test vectors in a clean JSON file. Use in forge test.
  • Wycheproof vectors
  • Sage vectors
  • others?
• Measure branch coverage
• Measure gas cost
• Deploy on Base Goerli
• Test in Daimo via 4337 contract account

          seems running CREATE2 in tests generates a different address. Worth investigating in more detail but I suspect it's a Foundry bug as we discussed. Maybe we should just pull this out into its own issue for future?

Originally posted by @nalinbhardwaj in #21 (comment)

requires pulling an implementation of sha3 in generate.ts script

couldn't find any online ATM, worst case we could automate selenium or something to generate a large amount ourselves.

https://www.multicall3.com

cool down the line thing

Clarify and mention normalization

Using IR==true in toml crushes FCL performances, leading to incorrect bench.

Provide benchmarks in line with on chain performances:
https://goerli.basescan.org/address/0xe9399d1183a5cf9e14b120875a616b6e2bcb840a