B002: Solidity EC Signature Pitfalls

Cryptographic System

The signature scheme available within Solidity is ECDSA over the elliptic curve secp256k1, the same curve Ethereum uses for account keys and transaction signatures. For those unfamiliar with cryptography, the widely deployed public-key systems rest on one of two hardness assumptions: integer factorization (RSA) or the discrete logarithm problem (Diffie-Hellman, DSA and, over elliptic curves, ECDSA).

Signature Malleability

EIP-2, the EIP that specified the Homestead hard fork, sought among other things to prevent signature malleability by declaring any transaction signature whose s value is greater than n/2 invalid, where n is the order of secp256k1. The reason is that ECDSA signatures come in pairs: if (r, s) verifies for a given message and key, then (r, n - s) with the recovery id flipped verifies too, so anyone holding one valid signature can derive a second, distinct one without the private key. This change is also what brought the update to the Yellow Paper with regard to valid v values.

Further reading: an illustrated introduction to elliptic curves (Avin Networks), and OpenZeppelin's ECDSA library as a reference implementation of the signature sanitization described here.

Implementation Misbehaviour

The previous section covered a pitfall in the signature scheme itself; the software implementation can also behave in ways a caller does not expect, and Ethereum is a case in point. EC recovery is exposed in Solidity through the ecrecover primitive, ecrecover(bytes32 hash, uint8 v, bytes32 r, bytes32 s) returns (address), which invokes the precompiled contract at address 0x01 in the EVM. Two properties matter for callers. First, the precompile recovers a signer address rather than validating a signature against a known signer, and on invalid input (a v other than 27 or 28, an r or s outside the curve order, an r that cannot be lifted to a curve point) it does not revert but returns the zero address, so a contract that never checks for zero, or compares the result against a stored signer that happens to be unset, accepts garbage. Second, the EIP-2 low-s rule is enforced by clients on transaction signatures only; the precompile accepts both s and n - s for the same message and signer, which matters wherever a contract treats the signature bytes themselves as unique, for example as a replay-protection key.

Conclusion

To summarize, code that calls ecrecover directly should, before the call, require that v is either 27 or 28 and that s is lower-than-or-equal-to n/2, where n is the order of the secp256k1 curve:

n   = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
n/2 = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0

and, after the call, require that the recovered address is not the zero address before comparing it with the expected signer. Signing libraries that emit a recovery id of 0 or 1 must have 27 added to it before the value is passed to ecrecover, which otherwise returns zero for them.
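To make both pitfalls concrete, the following pure-Python model of secp256k1 ECDSA is added here; it is not code from the original post or from OpenZeppelin. It serves the Signature Malleability section (a second valid signature is built from the first without the private key) and the checks in this conclusion (an ecrecover look-alike that, like the precompile, returns nothing on bad input and accepts a high s, beside a safe_recover that enforces v, s and the non-zero result). Assumptions: hashlib.sha256 stands in for keccak256, which the standard library lacks, so the recovered value is a public key rather than an address; the private key, nonce and message in demo() are constructed; the curve arithmetic is textbook and not constant-time.

```python
"""Pure-Python secp256k1 ECDSA model for the two pitfalls above.

Added example, not code from the original post or any library it mentions.
Assumptions: hashlib.sha256 stands in for keccak256 (absent from the stdlib),
demo() uses a fixed key and nonce for reproducibility, and the arithmetic is
textbook rather than constant-time or hardened."""
import hashlib

# secp256k1 domain parameters (the real constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HALF_N = N // 2  # the "s <= n/2" bound from the conclusion


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def msg_hash(msg):
    """sha256 used as a stand-in for keccak256 (assumption, see above)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, z, k):
    """Textbook ECDSA. k is caller-supplied only so the demo is deterministic;
    real signers derive it per RFC 6979. Returns (v, r, s), v in {27, 28}."""
    x, y = _mul(k, G)
    r = x % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return 27 + (y & 1), r, s


def ecrecover(z, v, r, s):
    """Observable behaviour of the EVM precompile: the signer's public key (the
    real precompile returns keccak256(pubkey)[12:], the address) or None where
    the precompile yields address(0). It checks v and the ranges of r and s but
    does NOT reject a high s: the EIP-2 rule binds transaction signatures only."""
    if v not in (27, 28) or not 0 < r < N or not 0 < s < N:
        return None
    y_sq = (pow(r, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)  # P = 3 mod 4, so this is a square root
    if y * y % P != y_sq:
        return None  # r is not the x-coordinate of any curve point
    if (y & 1) != v - 27:
        y = P - y  # pick the root whose parity the recovery id encodes
    zG = _mul(z % N, G)
    minus_zG = None if zG is None else (zG[0], P - zG[1])
    # Q = r^-1 * (s*R - z*G)
    return _mul(pow(r, -1, N), _add(_mul(s, (r, y)), minus_zG))


def malleate(v, r, s):
    """The signature's twin: same r, s' = n - s, recovery id flipped."""
    return 27 + ((v - 27) ^ 1), r, N - s


def safe_recover(z, v, r, s):
    """The conclusion's checks, mirroring Solidity require()s: v in {27, 28}
    and s <= n/2 before the call, a non-zero result after it."""
    if v not in (27, 28):
        raise ValueError("invalid v")
    if s > HALF_N:
        raise ValueError("high s: non-canonical, malleable signature")
    q = ecrecover(z, v, r, s)
    if q is None:
        raise ValueError("ecrecover returned the zero address")
    return q


def demo():
    """Constructed inputs: fixed private key, nonce and message (demo only)."""
    priv = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    pub = _mul(priv, G)
    z = msg_hash(b"constructed payload: transfer 10 tokens")
    sig = sign(priv, z, k=0xC0FFEE1234567890C0FFEE1234567890)
    return pub, z, sig, malleate(*sig)
```

Feeding demo()'s two signatures to ecrecover shows the precompile model accepting both for the same signer; safe_recover accepts exactly one of them and raises on the other. In Solidity the same three conditions are require statements placed before and after the ecrecover call, which is what OpenZeppelin's ECDSA library packages.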
