evmmax: Implement modexp

Author: rodiazet

lib/evmone_precompiles/CMakeLists.txt

@@ -20,6 +20,8 @@ target_sources(
     pairing/bn254/pairing.cpp
     pairing/bn254/utils.hpp
     pairing/field_template.hpp
+    modexp.hpp
+    modexp.cpp
     ripemd160.hpp
     ripemd160.cpp
     secp256k1.hpp

lib/evmone_precompiles/modexp.cpp

@@ -0,0 +1,206 @@
+#include "modexp.hpp"
+#include <evmmax/evmmax.hpp>
+
+#include <bit>
+
+using namespace intx;
+
+namespace
+{
+template <typename UIntT>
+UIntT modexp_odd(const UIntT& base, const evmc::bytes_view& exp, const UIntT& mod)
+{
+    const evmmax::ModArith<UIntT> arith(mod);
+
+    UIntT ret = arith.to_mont(UIntT{1});
+    const auto base_mont = arith.to_mont(base);
+
+    for (auto e : exp)
+    {
+        unsigned char mask = 0x80;
+        while (mask != 0)
+        {
+            ret = arith.mul(ret, ret);
+            if ((mask & e) != 0)
+                ret = arith.mul(ret, base_mont);
+
+            mask >>= 1;
+        }
+    }
+
+    return arith.from_mont(ret);
+}
+
+template <typename UIntT>
+UIntT modexp_pow_of_two(const UIntT& base, const evmc::bytes_view& exp, const UIntT& mod)
+{
+    const auto nlz = clz(mod);
+
+    const UIntT mod_mask = std::numeric_limits<UIntT>::max() >> (nlz + 1);
+    UIntT ret = UIntT{1};
+    for (auto e : exp)
+    {
+        unsigned char mask = 0x80;
+        while (mask != 0)
+        {
+            ret = ret * ret;
+            ret &= mod_mask;
+            if ((mask & e) != 0)
+            {
+                ret = ret * base;
+                ret &= mod_mask;
+            }
+
+            mask >>= 1;
+        }
+    }
+
+    return ret;
+}
+
+template <typename UIntT>
+size_t ctz(const UIntT& value)
+{
+    size_t mod_tailing_zeros = 0;
+    for (size_t i = 0; i < value.num_words; ++i)
+    {
+        if (value[i] == 0)
+        {
+            mod_tailing_zeros += value.word_num_bits;
+            continue;
+        }
+        else
+        {
+            mod_tailing_zeros += static_cast<size_t>(std::countr_zero(value[i]));
+            break;
+        }
+    }
+
+    return mod_tailing_zeros;
+}
+
+template <typename UIntT>
+UIntT modinv_2k(const UIntT& x, size_t k)
+{
+    UIntT b{1};
+    UIntT res;
+    for (size_t i = 0; i < k; ++i)
+    {
+        UIntT t = b & UIntT{1};
+        b = (b - x * t) >> 1;
+        res += t << i;
+    }
+
+    return res;
+}
+
+template <typename UIntT>
+UIntT modexp_impl(const UIntT& base, const evmc::bytes_view& exp, const UIntT& mod)
+{
+    // is odd
+    if ((mod & UIntT{1}) == UIntT{1})
+    {
+        return modexp_odd(base, exp, mod);
+    }
+    else if ((mod << (clz(mod) + 1)) == 0)  // is power of 2
+    {
+        return modexp_pow_of_two(base, exp, mod);
+    }
+    else  // is even
+    {
+        const auto mod_tailing_zeros = ctz(mod);
+
+        auto const N = mod >> mod_tailing_zeros;
+        const UIntT K = UIntT{1} << mod_tailing_zeros;
+
+        const auto x1 = modexp_odd(base, exp, N);
+        const auto x2 = modexp_pow_of_two(base, exp, K);
+
+        const auto N_inv = modinv_2k(N, mod_tailing_zeros);
+
+        return x1 + (((x2 - x1) * N_inv) % K) * N;
+    }
+}
+
+template <typename UIntT>
+UIntT load_from_bytes(const evmc::bytes_view& data)
+{
+    constexpr auto num_bytes = UIntT::num_words * sizeof(typename UIntT::word_type);
+    assert(data.size() <= num_bytes);
+    if (data.size() == num_bytes)
+    {
+        return intx::be::unsafe::load<UIntT>(data.data());
+    }
+    else
+    {
+        evmc::bytes tmp;
+        tmp.resize(num_bytes);
+        std::memcpy(&tmp[num_bytes - data.size()], data.data(), data.size());
+        return intx::be::unsafe::load<UIntT>(tmp.data());
+    }
+}
+
+}  // namespace
+
+namespace evmone::crypto
+{
+bool modexp(uint8_t* output, size_t output_size, const evmc::bytes_view& base,
+    const evmc::bytes_view& exp, const evmc::bytes_view& mod)
+{
+    constexpr auto MAX_INPUT_SIZE = 1024;
+    if (base.size() > MAX_INPUT_SIZE || exp.size() > MAX_INPUT_SIZE || mod.size() > MAX_INPUT_SIZE)
+        return false;
+
+    // mod is zero
+    if (mod.find_first_not_of(uint8_t{0}) == std::string::npos)
+    {
+        memset(output, 0, output_size);
+        return true;
+    }
+
+    const auto size = std::max(mod.size(), base.size());
+
+    assert(output_size >= mod.size());
+
+    evmc::bytes res_bytes;
+    if (size <= 32)
+    {
+        res_bytes.resize(32);
+        intx::be::unsafe::store(res_bytes.data(),
+            modexp_impl(load_from_bytes<uint256>(base), exp, load_from_bytes<uint256>(mod)));
+    }
+    else if (size <= 64)
+    {
+        res_bytes.resize(64);
+        intx::be::unsafe::store(res_bytes.data(),
+            modexp_impl(load_from_bytes<uint512>(base), exp, load_from_bytes<uint512>(mod)));
+    }
+    else if (size <= 128)
+    {
+        res_bytes.resize(128);
+        intx::be::unsafe::store(
+            res_bytes.data(), modexp_impl(load_from_bytes<intx::uint<1024>>(base), exp,
+                                  load_from_bytes<intx::uint<1024>>(mod)));
+    }
+    else if (size <= 256)
+    {
+        res_bytes.resize(256);
+        intx::be::unsafe::store(
+            res_bytes.data(), modexp_impl(load_from_bytes<intx::uint<2048>>(base), exp,
+                                  load_from_bytes<intx::uint<2048>>(mod)));
+    }
+    else
+    {
+        assert(output_size <= 1024);
+        res_bytes.resize(1024);
+        intx::be::unsafe::store(
+            res_bytes.data(), modexp_impl(load_from_bytes<intx::uint<8192>>(base), exp,
+                                  load_from_bytes<intx::uint<8192>>(mod)));
+    }
+
+    memcpy(output, &res_bytes[res_bytes.size() - output_size], output_size);
+    return true;
+}
+
+
+}  // namespace evmone::crypto

lib/evmone_precompiles/modexp.hpp

@@ -0,0 +1,13 @@
+// evmone: Fast Ethereum Virtual Machine implementation
+// Copyright 2025 The evmone Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+#pragma once
+#include <evmc/evmc.hpp>
+#include <intx/intx.hpp>
+
+namespace evmone::crypto
+{
+bool modexp(uint8_t* output, size_t output_size, const evmc::bytes_view& base,
+    const evmc::bytes_view& exp, const evmc::bytes_view& mod);
+}

test/state/CMakeLists.txt

@@ -26,8 +26,6 @@ target_sources(
     precompiles.hpp
     precompiles.cpp
     precompiles_internal.hpp
-    precompiles_stubs.hpp
-    precompiles_stubs.cpp
     requests.hpp
     requests.cpp
     rlp.hpp

test/state/precompiles.cpp

@@ -4,11 +4,11 @@
 
 #include "precompiles.hpp"
 #include "precompiles_internal.hpp"
-#include "precompiles_stubs.hpp"
 #include <evmone_precompiles/blake2b.hpp>
 #include <evmone_precompiles/bls.hpp>
 #include <evmone_precompiles/bn254.hpp>
 #include <evmone_precompiles/kzg.hpp>
+#include <evmone_precompiles/modexp.hpp>
 #include <evmone_precompiles/ripemd160.hpp>
 #include <evmone_precompiles/secp256k1.hpp>
 #include <evmone_precompiles/sha256.hpp>
@@ -405,6 +405,55 @@ ExecutionResult identity_execute(const uint8_t* input, size_t input_size, uint8_
     return {EVMC_SUCCESS, input_size};
 }
 
+ExecutionResult expmod_execute(const uint8_t* input, size_t input_size, uint8_t* output,
+    [[maybe_unused]] size_t output_size) noexcept
+{
+    static constexpr size_t input_header_required_size = 3 * sizeof(intx::uint256);
+    uint8_t input_header[input_header_required_size]{};
+    std::copy_n(input, std::min(input_size, input_header_required_size), input_header);
+    const auto base_len = intx::be::unsafe::load<intx::uint256>(input_header);
+    const auto exp_len = intx::be::unsafe::load<intx::uint256>(&input_header[32]);
+    const auto mod_len = intx::be::unsafe::load<intx::uint256>(&input_header[64]);
+
+    // This is assured by the analysis.
+    assert(output_size == mod_len);
+
+    if (output_size == 0)
+    {
+        return {EVMC_SUCCESS, output_size};
+    }
+
+    // In this case the base, exp and modulus are 0. It means that the results is zero too.
+    if (input_size < input_header_required_size)
+    {
+        memset(output, 0, output_size);
+        return {EVMC_SUCCESS, output_size};
+    }
+
+    // Extend input to full size (input_header_required_size + base_len + exp_len + mod_len).
+    // Filled with zeros
+    const auto full_input_size =
+        input_header_required_size + static_cast<size_t>(base_len + exp_len + mod_len);
+    evmc::bytes full_input(full_input_size, 0);
+    std::copy_n(input, std::min(input_size, full_input_size), full_input.data());
+
+    evmone::crypto::modexp(output, output_size,
+        {
+            &full_input[input_header_required_size],
+            static_cast<size_t>(base_len),
+        },
+        {
+            &full_input[input_header_required_size + static_cast<size_t>(base_len)],
+            static_cast<size_t>(exp_len),
+        },
+        {
+            &full_input[input_header_required_size + static_cast<size_t>(base_len + exp_len)],
+            static_cast<size_t>(mod_len),
+        });
+
+    return {EVMC_SUCCESS, output_size};
+}
+
 ExecutionResult blake2bf_execute(const uint8_t* input, [[maybe_unused]] size_t input_size,
     uint8_t* output, [[maybe_unused]] size_t output_size) noexcept
 {
@@ -573,7 +622,7 @@ inline constexpr auto traits = []() noexcept {
         {sha256_analyze, sha256_execute},
         {ripemd160_analyze, ripemd160_execute},
         {identity_analyze, identity_execute},
-        {expmod_analyze, expmod_stub},
+        {expmod_analyze, expmod_execute},
         {ecadd_analyze, ecadd_execute},
         {ecmul_analyze, ecmul_execute},
         {ecpairing_analyze, ecpairing_execute},

test/state/precompiles_internal.hpp

@@ -45,6 +45,8 @@ ExecutionResult ripemd160_execute(
     const uint8_t* input, size_t input_size, uint8_t* output, size_t output_size) noexcept;
 ExecutionResult identity_execute(
     const uint8_t* input, size_t input_size, uint8_t* output, size_t output_size) noexcept;
+ExecutionResult expmod_execute(
+    const uint8_t* input, size_t input_size, uint8_t* output, size_t max_output_size) noexcept;
 ExecutionResult ecadd_execute(
     const uint8_t* input, size_t input_size, uint8_t* output, size_t output_size) noexcept;
 ExecutionResult ecmul_execute(