Support RSA signature verification

Question

Support RSA signature verification

axic opened this issue 8 years ago · comments

I propose to support RSA signature verification through a precompiled contract with appropriate fees.

With the current EVM, verification for very low key lengths is trivially implemented using the native 256 bit arithmetic, although it is useless due to inadequate security. Supporting bigger key lengths is prohibitive cost wise. (Requires implementing a bignum library for mul and mod on top of EVM. Alternatively it can be offloaded to an oracle, where trust can be a problem and is also suboptimal.)

Motivation: many PKI schemes, including those employed by government ID cards, rely on RSA. Supporting an easy way to verify a signature would mean to support authentication/authorization using those schemes in a smart contract.

High level method: rsaverify(msg, N, e, S, paddingScheme), where

msg is the message hash,
N is the public key modulus,
e is the public key exponent
and S is the signature.

Returns a boolean.

Regarding padding schemes I would definitely include an option none, where no padding would be applied and the caller would be expected to handle that.

Challenges: Where this gets complex is defining which key lengths and padding schemes to support and how to define the API. Size of N could be used to determine key length. Possibly the fee would depend on the key length.

Alex Beregszaszi · Answer 1 · Wed Apr 06 2016 20:39:07 GMT+0800 (China Standard Time)

Here is a sample implementation: https://github.com/axic/ethereum-rsa

And a blog post explaining the situation (a few use cases) a bit more.

Piper Merriam · Answer 2 · Wed Apr 06 2016 22:45:37 GMT+0800 (China Standard Time)

This would be pretty excellent. I've been mulling over how to build an identity bridge between ethereum and keybase and this sort of signature verification would help enable that.

vbuterin · Answer 3 · Wed Apr 06 2016 22:56:22 GMT+0800 (China Standard Time)

I would recommend just adding a whole suite of bigint arithmetic precompiles then; more generalized that way.

Christian Lundkvist · Answer 4 · Thu Apr 07 2016 04:16:40 GMT+0800 (China Standard Time)

This is very cool! We're going to be linking RSA keys to uPort identities probably at first using an external oracle that verifies the signature, but this would be very nice!

murraci · Answer 5 · Thu Apr 28 2016 18:47:32 GMT+0800 (China Standard Time)

This would be very sweet.

Gustav-Simonsson · Answer 6 · Tue May 24 2016 09:48:13 GMT+0800 (China Standard Time)

+1 for bigint arithmetic precompiles from which RSA can be easily be built without significant overhead compared to direct RSA op codes

Renaud · Answer 7 · Thu Jun 16 2016 17:15:10 GMT+0800 (China Standard Time)

I add my vote to this proposal. The support of RSA signature verification will be a bridge to all applications build on electronic Identity Cards. Estonia, Germany and Belgium already use electronic ID card.
This support will ease/automate lots of administrative processes in countries having eID.

Whit Jackson · Answer 8 · Wed Jun 29 2016 06:34:05 GMT+0800 (China Standard Time)

Hi there,

I was wondering what the status is on this EIP is and how I would be able to help. This is something that would be very useful for a project I'm working on

Aakil Fernandes · Answer 9 · Fri Jul 22 2016 04:15:49 GMT+0800 (China Standard Time)

+1. Had a cool idea for a microtipping service for developers using ssh keys.

I would love to do npm install some-project --thankyou. Npm or whatever package manager would look at the repo, see whos been making commits, and then send som eth to a smart contract. The smart contract would require an rsa signature based on the ssh keys used in the project in order to claim the funds.

tristanhoy · Answer 10 · Thu Oct 20 2016 15:49:18 GMT+0800 (China Standard Time)

+1 for generic bigint capability! This would allow the implementation of just about any crypto on the Ethereum network.

The particular use-case I'm looking at is where an Ethereum contract is an "oblivious witness" to a particular type of transaction - it can verify the authenticity/integrity of the transaction, but doesn't know the contents of the transaction. Without bigint support, I can't cryptographically verify the transactions within the contract, which means I can't guarantee the state of the contract, which means the state becomes "optimistic" - ALL transactions are accepted and it's up to the client connecting to the contract to figure out which ones are actually valid. Nightmare.

Absolutely critical bigint methods:

add/sub/mul/div
pow
mod
modExp
eq/gt/gte/lt/lte

And the following, if you're supporting decimals:

floor/ceil

The above primitives can be used to trivally construct all of the following algorithms supporting numerous cryptographic applications:

GCD/EGCD
LCM
modInv
isPrime
nthRoot

Alexander Herranz · Answer 11 · Sun May 07 2017 05:37:26 GMT+0800 (China Standard Time)

Great idea!

Adrian Brink · Answer 12 · Mon Jun 26 2017 15:24:53 GMT+0800 (China Standard Time)

Is this still in active development and what is the status of its implementation?

tadhg · Answer 13 · Sun Jul 09 2017 04:02:04 GMT+0800 (China Standard Time)

@adrianbrink see #101

Noxon · Answer 14 · Wed Sep 20 2017 09:38:37 GMT+0800 (China Standard Time)

Any updates? :(

Nick Johnson · Answer 15 · Wed Sep 20 2017 15:05:08 GMT+0800 (China Standard Time)

Modular exponentiation was implemented instead. Expect an RSA verification solidity library some time soon.

adria0.eth · Answer 16 · Tue Sep 26 2017 03:10:20 GMT+0800 (China Standard Time)

A small implementation of RSA signatures with Pkcs1.5 padding and SHA256 digest in https://github.com/adriamb/SolRsaVerify

Alex Beregszaszi · Answer 17 · Sat Mar 02 2019 01:50:53 GMT+0800 (China Standard Time)

This has been obsoleted by https://eips.ethereum.org/EIPS/eip-198.