This document presents the findings of the p256-signer smart contract audit conducted by Côme du Crest for Gnosis.

Scope

The audit request points to a specific commit of cometh-game/p256-signer: dc1a26543657cca699de202572873552c24c2ea8. The biggest chunk of the repo is p256-signer/contracts/FCL/FCL_elliptic.sol, which implements cryptographic optimisations for signature verification on secp256r1. This file is taken from the FreshCryptoLib repository, as indicated in the readme. However, it does not use the latest version of the file, which contains fixes for several issues. Notably, the fix for FreshCryptoLib/issues/19 is not present (among other bug fixes). Additionally, this issue initially lowered the confidence I had in the imported code, as the implementation's security seems to rely on test cases that did not cover the bug and may not cover other bugs.

The main branch of the requested audit repo cometh-game/p256-signer imports FreshCryptoLib via git submodules instead of copying the necessary file. It uses a much more recent version of the repo, at commit c96a95b84c675c8480662a40d9252fbc7e27cccc. Without a response from the contact person for the audit, I audited this version of the code instead of the initially requested version.

The scope is thus the files of cometh-game/p256-signer at commit 68e8abbbf8f041cd1bdb3892e1691e42acdd082f and the code of rdubois-crypto/FreshCryptoLib at commit c96a95b84c675c8480662a40d9252fbc7e27cccc that they use (FCL_WebAuthn.checkSignature() and dependent functions).

Status

The audit report is being sent to and reviewed by the concerned team.

Issues

[High] Formula error in ecZZ_mulmuladd_S_asm for doubling points

Optimisations and miscellaneous

Conclusion

My first feeling about the seemingly over-complex code for signature verification (FCL_elliptic.sol) was that it could not be trusted, as I could not tell the difference between the buggy version and the more recently fixed version. After reading the literature about ECDSA signature verification, XYZZ coordinates and the formulas for doubling and adding points, I am more confident that the current version is bug-free (after the reported issue is fixed).
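The XYZZ doubling and addition formulas mentioned above can be checked independently of any test vector by running them side by side with plain affine arithmetic. The following is an added example written for this report, not code from p256-signer or FreshCryptoLib: it implements the standard XYZZ formulas (a point (X, Y, ZZ, ZZZ) stands for the affine point (X/ZZ, Y/ZZZ) with ZZ^3 = ZZZ^2) on secp256r1 in Python and compares [k]G computed both ways. Representing the point at infinity as None is a choice of this example, not the audited library's convention.

```python
# Differential check of XYZZ doubling/addition against affine arithmetic on secp256r1.
# Added example for the audit report; not code from p256-signer or FreshCryptoLib.
# XYZZ formulas follow the usual "xyzz" coordinate system (dbl-2008-s-1 / add-2008-s).

# secp256r1 (NIST P-256) domain parameters.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3  # a = -3 mod p, which the doubling formula below relies on
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# The point at infinity is represented as None in both coordinate systems (this example's choice).

def affine_add(p1, p2):
    """Textbook affine addition; handles doubling and the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None          # P + (-P) = infinity
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def affine_double(pt):
    return affine_add(pt, pt)

def xyzz_double(pt):
    """XYZZ doubling (dbl-2008-s-1), valid for a = -3 only through the value of A."""
    if pt is None: return None
    X1, Y1, ZZ1, ZZZ1 = pt
    U = 2 * Y1 % P
    V = U * U % P
    W = U * V % P
    S = X1 * V % P
    M = (3 * X1 * X1 + A * ZZ1 * ZZ1) % P
    X3 = (M * M - 2 * S) % P
    Y3 = (M * (S - X3) - W * Y1) % P
    return (X3, Y3, V * ZZ1 % P, W * ZZZ1 % P)

def xyzz_add(p1, p2):
    """XYZZ addition (add-2008-s); falls back to doubling when inputs are equal."""
    if p1 is None: return p2
    if p2 is None: return p1
    X1, Y1, ZZ1, ZZZ1 = p1; X2, Y2, ZZ2, ZZZ2 = p2
    U1 = X1 * ZZ2 % P; U2 = X2 * ZZ1 % P
    S1 = Y1 * ZZZ2 % P; S2 = Y2 * ZZZ1 % P
    Pd = (U2 - U1) % P; R = (S2 - S1) % P
    if Pd == 0:                                     # same x: either equal or opposite points
        return xyzz_double(p1) if R == 0 else None
    PP = Pd * Pd % P; PPP = Pd * PP % P; Q = U1 * PP % P
    X3 = (R * R - PPP - 2 * Q) % P
    Y3 = (R * (Q - X3) - S1 * PPP) % P
    return (X3, Y3, ZZ1 * ZZ2 * PP % P, ZZZ1 * ZZZ2 * PPP % P)

def to_affine(pt):
    if pt is None: return None
    X, Y, ZZ, ZZZ = pt
    return (X * pow(ZZ, -1, P) % P, Y * pow(ZZZ, -1, P) % P)

def on_curve(pt):
    """True for infinity or any affine point satisfying y^2 = x^3 + ax + b mod p."""
    if pt is None: return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def scalar_mult(k, base, add, double):
    """Left-to-right double-and-add using whichever group law is supplied."""
    acc = None
    for bit in bin(k)[2:]:
        acc = double(acc)
        if bit == '1':
            acc = add(acc, base)
    return acc

def check_formulas(scalars):
    """Differential test: [k]G via affine formulas must equal [k]G via XYZZ formulas."""
    g_aff, g_xyzz = (GX, GY), (GX, GY, 1, 1)
    for k in scalars:
        aff = scalar_mult(k, g_aff, affine_add, affine_double)
        prj = to_affine(scalar_mult(k, g_xyzz, xyzz_add, xyzz_double))
        if aff != prj or not on_curve(aff):
            return False
    return True

if __name__ == "__main__":
    print("XYZZ formulas agree with affine:", check_formulas([1, 2, 3, 7, 0xDEADBEEF, N - 1, N + 1]))
    print("[n]G is infinity:", scalar_mult(N, (GX, GY, 1, 1), xyzz_add, xyzz_double) is None)
```

A formula error in doubling would make the two scalar multiplications disagree for almost every k, which is why this kind of differential check catches what a fixed set of known-answer vectors may miss.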

I rely on external material for cryptography and cannot myself ensure that the signature scheme is secure. Notable sources that helped me in the audit are: