use solana_secp256k1_recover::secp256k1_recover;
use crate::bitmap::{bitmap_is_subset_u256, bitmap_load};
use crate::coalition::CoalitionAccumulator;
use crate::error::DataUpdateError;
use crate::message::compute_message_hash;
use crate::payload::DataUpdate;
use crate::scalar::{
eth_address_from_uncompressed_pubkey, evm_schnorr_ecdsa_inputs,
secp256k1_scalar_is_valid_nonzero,
};
use crate::selection::derive_selection_bitmap;
pub type SignerXy = ([u8; 32], [u8; 32]);
pub fn verify_data_update(
payload: &DataUpdate,
node_count: u32,
redundancy_buffer: u8,
ordered_signers: &[SignerXy],
) -> Result<(), DataUpdateError> {
if payload.agg_sig_s == [0u8; 32] || !secp256k1_scalar_is_valid_nonzero(&payload.agg_sig_s) {
return Err(DataUpdateError::InvalidAggregateSignature);
}
let signers = bitmap_load(&payload.signers_bitmap);
let signer_count = signers.count_ones();
if signer_count < u32::from(payload.signatures_required) {
return Err(DataUpdateError::InsufficientSigners);
}
let expected_selection = derive_selection_bitmap(
&payload.feed_id,
payload.registry_version,
payload.canonical_timestamp,
node_count,
payload.signatures_required,
redundancy_buffer,
)?;
if !bitmap_is_subset_u256(signers, bitmap_load(&expected_selection)) {
return Err(DataUpdateError::SignersNotSubsetOfSelection);
}
if ordered_signers.len() != signer_count as usize {
return Err(DataUpdateError::SignerCountMismatch);
}
let x_coalition = reconstruct_coalition_key(ordered_signers)?;
let message_hash = compute_message_hash(payload, payload.signatures_required);
if recover_and_match(
&x_coalition,
&message_hash,
&payload.agg_sig_s,
&payload.commitment_addr,
) {
Ok(())
} else {
Err(DataUpdateError::InvalidAggregateSignature)
}
}
pub fn verify_data_update_compressed(
payload: &DataUpdate,
node_count: u32,
redundancy_buffer: u8,
ordered_signers_compressed: &[[u8; 33]],
) -> Result<(), DataUpdateError> {
let xy = decompress_all(ordered_signers_compressed)?;
verify_data_update(payload, node_count, redundancy_buffer, &xy)
}
pub fn reconstruct_coalition_key(
ordered_signers: &[SignerXy],
) -> Result<[u8; 33], DataUpdateError> {
if ordered_signers.is_empty() {
return Err(DataUpdateError::InvalidSignersBitmap);
}
let mut coalition = CoalitionAccumulator::default();
for (x, y) in ordered_signers {
coalition.add_stored_xy(x, y)?;
}
coalition.compressed_pubkey()
}
pub fn reconstruct_coalition_key_compressed(
ordered_signers_compressed: &[[u8; 33]],
) -> Result<[u8; 33], DataUpdateError> {
let xy = decompress_all(ordered_signers_compressed)?;
reconstruct_coalition_key(&xy)
}
pub fn verify_aggregate_over_hash(
ordered_signers: &[SignerXy],
agg_sig_s: &[u8; 32],
commitment_addr: &[u8; 20],
message_hash: &[u8; 32],
) -> Result<bool, DataUpdateError> {
if !secp256k1_scalar_is_valid_nonzero(agg_sig_s) {
return Ok(false);
}
let x_coalition = reconstruct_coalition_key(ordered_signers)?;
Ok(recover_and_match(
&x_coalition,
message_hash,
agg_sig_s,
commitment_addr,
))
}
fn recover_and_match(
x_coalition: &[u8; 33],
message_hash: &[u8; 32],
agg_sig_s: &[u8; 32],
commitment_addr: &[u8; 20],
) -> bool {
let (recovery_id, ecdsa_signature, ecdsa_hash) =
match evm_schnorr_ecdsa_inputs(x_coalition, message_hash, agg_sig_s, commitment_addr) {
Ok(v) => v,
Err(_) => return false,
};
let recovered = match secp256k1_recover(&ecdsa_hash, recovery_id, &ecdsa_signature) {
Ok(r) => r,
Err(_) => return false,
};
eth_address_from_uncompressed_pubkey(recovered.to_bytes()) == *commitment_addr
}
fn decompress_all(compressed: &[[u8; 33]]) -> Result<Vec<SignerXy>, DataUpdateError> {
use libsecp256k1::{PublicKey, PublicKeyFormat};
compressed
.iter()
.map(|c| {
let pk = PublicKey::parse_slice(c, Some(PublicKeyFormat::Compressed))
.map_err(|_| DataUpdateError::InvalidAggregateSignature)?;
let full = pk.serialize(); let x: [u8; 32] = full[1..33].try_into().unwrap();
let y: [u8; 32] = full[33..65].try_into().unwrap();
Ok((x, y))
})
.collect()
}
#[cfg(test)]
mod tests {
use super::*;
use crate::message::MESSAGE_PREFIX;
use libsecp256k1::{PublicKey, PublicKeyFormat};
const FIXTURE_FEED_ID: [u8; 32] = [
0x73, 0x6f, 0x6c, 0x61, 0x6e, 0x61, 0x2d, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x2d, 0x6a,
0x6f, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00,
];
const FIXTURE_VALUE: [u8; 32] = [
0x73, 0x6f, 0x6c, 0x61, 0x6e, 0x61, 0x2d, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x2d, 0x76,
0x61, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00,
];
const FIXTURE_SIGNERS_BITMAP: [u8; 32] = [
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xff,
];
const FIXTURE_REGISTRY_VERSION: u32 = 1;
const FIXTURE_SIGNATURES_REQUIRED: u8 = 8;
const FIXTURE_CANONICAL_TIMESTAMP: i64 = 1_700_000_123;
const FIXTURE_S: [u8; 32] = [
0xc7, 0xe0, 0x99, 0x60, 0x3c, 0xee, 0xd2, 0xa1, 0x13, 0xd7, 0x5a, 0x9d, 0x95, 0xe2, 0x0f,
0x92, 0x00, 0x6b, 0x06, 0xc5, 0x49, 0x7a, 0xdd, 0x09, 0x81, 0x7d, 0xa8, 0x90, 0x8d, 0x39,
0x0d, 0xa5,
];
const FIXTURE_COMMITMENT: [u8; 20] = [
0xc6, 0xb9, 0x4f, 0xea, 0x5d, 0xd5, 0xf9, 0x65, 0xd8, 0x67, 0x14, 0xb1, 0xd9, 0x9d, 0xcf,
0xaf, 0x1e, 0x72, 0xee, 0x35,
];
const FIXTURE_PUBKEYS: [[u8; 33]; 8] = [
[
0x03, 0xc0, 0x95, 0x27, 0xe9, 0x78, 0xf6, 0xea, 0x69, 0xf0, 0xc6, 0xb7, 0xac, 0x0f,
0xb6, 0x3a, 0xd0, 0x81, 0xa8, 0xa2, 0x91, 0x15, 0x1c, 0x5a, 0x0b, 0x11, 0x5c, 0xce,
0x43, 0x57, 0x51, 0xbe, 0x7d,
],
[
0x02, 0x64, 0xa7, 0x27, 0x04, 0xf3, 0x9f, 0x8d, 0xd1, 0x7f, 0x20, 0xd7, 0x1c, 0x5b,
0x21, 0xf3, 0x7b, 0x58, 0x52, 0x65, 0x6b, 0xc0, 0x55, 0x54, 0x42, 0xbf, 0x72, 0x72,
0x22, 0xf2, 0x9d, 0x7e, 0x58,
],
[
0x02, 0x75, 0xae, 0x1e, 0x3d, 0xac, 0x00, 0xeb, 0x7d, 0xf0, 0x2e, 0x9f, 0xe8, 0xd9,
0x70, 0x9c, 0x8a, 0x2c, 0x09, 0xa1, 0x1e, 0xd4, 0xf7, 0xd9, 0xaa, 0x46, 0xa7, 0xde,
0xa6, 0xcf, 0x37, 0x6d, 0x7f,
],
[
0x02, 0x6c, 0xe2, 0x5b, 0x3a, 0x16, 0x1a, 0xb8, 0xe0, 0xf0, 0x5e, 0x4c, 0xd1, 0xc7,
0x7b, 0x77, 0x69, 0x6d, 0x26, 0xc6, 0x41, 0xeb, 0xde, 0xa4, 0xe8, 0x1a, 0xa8, 0x9a,
0x90, 0xf3, 0x2c, 0xfc, 0x54,
],
[
0x03, 0x5b, 0x95, 0xd7, 0x03, 0x22, 0x8b, 0xef, 0xcc, 0xc3, 0x78, 0x62, 0x9d, 0xc1,
0x98, 0x04, 0xce, 0xfe, 0x56, 0xc3, 0x3c, 0x64, 0x5f, 0xa4, 0xbc, 0x1a, 0xa0, 0xf3,
0x75, 0xe3, 0xb4, 0xfa, 0x5e,
],
[
0x03, 0x99, 0x5e, 0x4b, 0xe0, 0xec, 0xd4, 0x22, 0xbf, 0x25, 0x0a, 0x3d, 0xa3, 0xa0,
0xb8, 0x34, 0x2e, 0x52, 0x89, 0x3a, 0x3e, 0x06, 0x4f, 0xa6, 0x35, 0x55, 0x73, 0x78,
0xb5, 0x9a, 0xfa, 0x8b, 0x50,
],
[
0x03, 0xec, 0x90, 0x6d, 0x0a, 0x1c, 0xfc, 0x3c, 0x7d, 0xec, 0x18, 0x08, 0x8c, 0x3d,
0x14, 0x4f, 0x32, 0x15, 0x80, 0xec, 0xe0, 0xa6, 0xba, 0xe5, 0xce, 0xb2, 0x8d, 0xcf,
0x8d, 0xc6, 0xe3, 0xda, 0x03,
],
[
0x03, 0x27, 0x5f, 0xcf, 0x98, 0x38, 0xb4, 0x7a, 0xac, 0xff, 0x25, 0x1f, 0x4f, 0x09,
0x9f, 0x80, 0xc6, 0x4a, 0x1a, 0x9a, 0xed, 0xbd, 0xb6, 0x28, 0xc2, 0xc8, 0x7f, 0x2c,
0x5e, 0x12, 0x3d, 0xd0, 0x40,
],
];
fn fixture_payload() -> DataUpdate {
DataUpdate {
feed_id: FIXTURE_FEED_ID,
registry_version: FIXTURE_REGISTRY_VERSION,
value: FIXTURE_VALUE,
canonical_timestamp: FIXTURE_CANONICAL_TIMESTAMP,
signatures_required: FIXTURE_SIGNATURES_REQUIRED,
agg_sig_s: FIXTURE_S,
commitment_addr: FIXTURE_COMMITMENT,
signers_bitmap: FIXTURE_SIGNERS_BITMAP,
}
}
fn fixture_signers_xy() -> Vec<SignerXy> {
FIXTURE_PUBKEYS
.iter()
.map(|c| {
let pk = PublicKey::parse_slice(c, Some(PublicKeyFormat::Compressed))
.expect("fixture pubkey must be a valid curve point");
let full = pk.serialize();
let x: [u8; 32] = full[1..33].try_into().unwrap();
let y: [u8; 32] = full[33..65].try_into().unwrap();
(x, y)
})
.collect()
}
#[test]
fn fixture_pubkeys_are_valid_curve_points() {
for (i, pk) in FIXTURE_PUBKEYS.iter().enumerate() {
PublicKey::parse_slice(pk, Some(PublicKeyFormat::Compressed))
.unwrap_or_else(|_| panic!("fixture pubkey {i} is not a valid curve point"));
}
}
#[test]
fn fixture_signers_bitmap_popcount_is_8() {
use crate::bitmap::bitmap_popcount_evm;
assert_eq!(
bitmap_popcount_evm(&FIXTURE_SIGNERS_BITMAP),
FIXTURE_SIGNATURES_REQUIRED as u32
);
}
#[test]
fn reconstruct_coalition_key_matches_combine() {
let pks: Vec<PublicKey> = FIXTURE_PUBKEYS
.iter()
.map(|c| PublicKey::parse_slice(c, Some(PublicKeyFormat::Compressed)).unwrap())
.collect();
let combined = PublicKey::combine(&pks).unwrap().serialize_compressed();
let got = reconstruct_coalition_key(&fixture_signers_xy()).unwrap();
assert_eq!(got, combined);
let got_c = reconstruct_coalition_key_compressed(&FIXTURE_PUBKEYS).unwrap();
assert_eq!(got_c, combined);
}
#[test]
fn verify_data_update_accepts_evm_fixture() {
let payload = fixture_payload();
verify_data_update(&payload, 8, 0, &fixture_signers_xy())
.expect("fixture DataUpdate must verify");
verify_data_update_compressed(&payload, 8, 0, &FIXTURE_PUBKEYS)
.expect("compressed variant must verify");
}
#[test]
fn tampered_s_fails_verification() {
let mut payload = fixture_payload();
payload.agg_sig_s[31] ^= 0x01;
let res = verify_data_update(&payload, 8, 0, &fixture_signers_xy());
assert_eq!(res, Err(DataUpdateError::InvalidAggregateSignature));
}
#[test]
fn wrong_signer_count_is_rejected() {
let payload = fixture_payload();
let mut signers = fixture_signers_xy();
signers.pop();
assert_eq!(
verify_data_update(&payload, 8, 0, &signers),
Err(DataUpdateError::SignerCountMismatch)
);
}
#[test]
fn verify_aggregate_over_hash_roundtrip() {
let payload = fixture_payload();
let signers = fixture_signers_xy();
let message_hash = compute_message_hash(&payload, payload.signatures_required);
assert!(verify_aggregate_over_hash(
&signers,
&payload.agg_sig_s,
&payload.commitment_addr,
&message_hash,
)
.unwrap());
let mut bad_hash = message_hash;
bad_hash[0] ^= 0xff;
assert!(!verify_aggregate_over_hash(
&signers,
&payload.agg_sig_s,
&payload.commitment_addr,
&bad_hash,
)
.unwrap());
}
#[test]
fn message_prefix_matches_known_constant() {
assert_eq!(MESSAGE_PREFIX[0], 0xa7);
}
}