Skip to content

Commit

Permalink
Merge pull request #412 from pirapira/eip155_replay_prevention
Browse files Browse the repository at this point in the history
Spurious Dragon: EIP155 replay protection
  • Loading branch information
nicksavers authored Jan 19, 2018
2 parents 72cc52e + 7a11bff commit 9e09e48
Showing 1 changed file with 17 additions and 8 deletions.
25 changes: 17 additions & 8 deletions Paper.tex
Original file line number Diff line number Diff line change
Expand Up @@ -1404,15 +1404,15 @@ \section{Signing Transactions}\label{app:signing}
\mathtt{\small ECDSARECOVER}(e \in \mathbb{B}_{32}, v \in \mathbb{B}_{1}, r \in \mathbb{B}_{32}, s \in \mathbb{B}_{32}) & \equiv & p_u \in \mathbb{B}_{64}
\end{eqnarray}

Where $p_u$ is the public key, assumed to be a byte array of size 64 (formed from the concatenation of two positive integers each $< 2^{256}$) and $p_r$ is the private key, a byte array of size 32 (or a single positive integer in the aforementioned range). It is assumed that $v$ is the `recovery id', a 1 byte value specifying the sign and finiteness of the curve point; this value is in the range of $[27, 30]$, however we declare the upper two possibilities, representing infinite values, invalid.
Where $p_u$ is the public key, assumed to be a byte array of size 64 (formed from the concatenation of two positive integers each $< 2^{256}$) and $p_r$ is the private key, a byte array of size 32 (or a single positive integer in the aforementioned range). It is assumed that $v$ is either the `recovery identifier' or `chain identifier doubled plus 35 or 36'. The recovery identifier is a 1 byte value specifying the sign and finiteness of the curve point; this value is in the range of $[27, 30]$, however we declare the upper two possibilities, representing infinite values, invalid. The chain identifier $\mathtt{\tiny chain\_id}$ is a constant natural number.

\newcommand{\slimit}{\ensuremath{\text{s-limit}}}

We declare that a signature is invalid unless all the following conditions are true:
\begin{align}
0 < r &< \mathtt{\tiny secp256k1n} \\
0 < s &< \mathtt{\tiny secp256k1n} \div 2 + 1 \\
v &\in \{27,28\}
v &\in \{27,28,\mathtt{\tiny chain\_id} \times 2 + 35, \mathtt{\tiny chain\_id} \times 2 + 36\}
\end{align}
where:
\begin{align}
Expand All @@ -1425,11 +1425,16 @@ \section{Signing Transactions}\label{app:signing}
A(p_r) = \mathcal{B}_{96..255}\big(\mathtt{\tiny KEC}\big( \mathtt{\small ECDSAPUBKEY}(p_r) \big) \big)
\end{equation}

The message hash, $h(T)$, to be signed is the Keccak hash of the transaction without the latter three signature components, formally described as $T_r$, $T_s$ and $T_w$:
The message hash, $h(T)$, to be signed is the Keccak hash of the transaction. Two different flavors of signing schemes are available. One operates without the latter three signature components, formally described as $T_r$, $T_s$ and $T_w$. The other operates on nine elements:
\begin{eqnarray}
L_S(T) & \equiv & \begin{cases}
(T_n, T_p, T_g, T_t, T_v, T_\mathbf{i}) & \text{if} \; T_t = 0\\
(T_n, T_p, T_g, T_t, T_v, T_\mathbf{d}) & \text{otherwise}
(T_n, T_p, T_g, T_t, T_v, \mathbf{p}) & \text{if} \; v \in \{27, 28\} \\
(T_n, T_p, T_g, T_t, T_v, \mathbf{p}, \mathtt{\tiny chain\_id}, (), ()) & \text{otherwise} \\
\end{cases} \\
\nonumber \text{where} \\
\nonumber \mathbf{p} & \equiv & \begin{cases}
T_{\mathbf{i}} & \text{if}\ T_t = 0 \\
T_{\mathbf{d}} & \text{otherwise}
\end{cases} \\
h(T) & \equiv & \mathtt{\small KEC}( L_S(T) )
\end{eqnarray}
Expand All @@ -1441,9 +1446,13 @@ \section{Signing Transactions}\label{app:signing}
\end{eqnarray}

We may then define the sender function $S$ of the transaction as:
\begin{equation}
S(T) \equiv \mathcal{B}_{96..255}\big(\mathtt{\tiny KEC}\big( \mathtt{\small ECDSARECOVER}(h(T), T_w, T_r, T_s) \big) \big)
\end{equation}
\begin{eqnarray}
S(T) &\equiv& \mathcal{B}_{96..255}\big(\mathtt{\tiny KEC}\big( \mathtt{\small ECDSARECOVER}(h(T), v_0, T_r, T_s) \big) \big) \\
v_0 &\equiv& \begin{cases}
T_w &\text{if}\ T_w\in\{27, 28\} \\
28 - (T_w \bmod 2) &\text{otherwise}
\end{cases}
\end{eqnarray}

The assertion that the sender of a signed transaction equals the address of the signer should be self-evident:
\begin{equation}
Expand Down

0 comments on commit 9e09e48

Please sign in to comment.