
Is there a practical way (preferably an OSS library or implementation) to verify Ed25519 signatures in Solidity (compiled for and run on the EVM), in smart contracts?

Update: I've created EIP665

oberstet

2 Answers


There are no native functions that provide ed25519 cryptographic operations.

Doing it in the EVM would require a substantial amount of processing, and being that:

Fast single-signature verification. The software takes only 273,364 cycles to verify a signature on Intel's widely deployed Nehalem/Westmere lines of CPUs

I'm fairly certain that you'd quickly use up a lot of gas trying, most likely more than the maximum allowed.

In order to accomplish this, you'd need to start an EIP request, and convince the community that there's a valid and compelling use-case for implementing native signature verification in the server itself.

Specifically you'd want to explain in the EIP why the existing ecsign and ecrecover (ECDSA) routines aren't adequately suitable.

supakaity
    The link @benjaminion posted is a proposal for EIP 665, which hasn't been accepted yet. Seems to have stalled at December '17. Might be time to try and drum up some community support for it. – supakaity Mar 20 '18 at 14:59
  • It also needs more content -- current description is quite short. – David Ammouial Mar 20 '18 at 20:38
  • Thanks for the information! So even though it'll be slow/expensive, there is no known implementation in mere Solidity? rgd the Q of why: because ECDSA is inferior to Ed25519. From the crypto/algo (NIST/NSA may have deliberately designed for compromised curves) and technically (available implementations .. eg NaCl is side-channel resistant). – oberstet Mar 22 '18 at 11:51
  • Yeah, but Ethereum is ECDSA based at a foundational level anyhow, so if it's compromised, the entire platform is suspect. I'm not arguing mind you, as I refuse to use ECDSA for any SSH and TLS keys I generate, but as an argument for an EIP, I doubt "cause NSA can crack it" will be sufficient as if NSA can crack it, they can bring the entire platform to its knees. – supakaity Mar 23 '18 at 00:00
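As an added illustration of the ecrecover route the answer points to (example code written for this page, not from anyone in the thread; the contract and function names are my own), this is what on-chain ECDSA verification looks like today, including the two checks that are easy to forget: rejecting the high-s twin of a signature and never accepting the zero address that ecrecover returns on failure.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: verifying a secp256k1 ECDSA signature with the ecrecover
// precompile, the only signature primitive the EVM offers natively.
contract EcrecoverCheck {
    // secp256k1 group order divided by two; signatures with s above this
    // value are the malleable "high-s" form and are rejected (EIP-2 rule).
    bytes32 private constant HALF_ORDER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    // Returns true only if (v, r, s) is a canonical signature over
    // `messageHash` made by `expectedSigner`. Callers are expected to pass
    // the already-prefixed hash (e.g. the EIP-191 "\x19Ethereum Signed
    // Message:\n32" digest) so a raw transaction hash cannot be replayed here.
    function isSignedBy(
        bytes32 messageHash,
        uint8 v,
        bytes32 r,
        bytes32 s,
        address expectedSigner
    ) public pure returns (bool) {
        if (uint256(s) > uint256(HALF_ORDER)) return false;
        if (v != 27 && v != 28) return false;
        // ecrecover yields address(0) for an invalid signature; treating that
        // as a match is a classic bug, so it is excluded explicitly.
        address recovered = ecrecover(messageHash, v, r, s);
        return recovered != address(0) && recovered == expectedSigner;
    }
}
```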

If it's an option, there's always something like TrueBit. That is, run the computation off-chain and use partitioned verification on-chain in the case that a computation is contested.

(There's a nice high-level description here in the context of layer-2 scaling, and an intro here.)

Jamie Hale