Precompiled: PostQuantum Falcon Signature Verifier

config/src/main/java/org/hyperledger/besu/config/GenesisConfigOptions.java

@@ -401,6 +401,13 @@ default boolean isConsensusMigration() {
    */
   OptionalLong getThanosBlockNumber();
 
+  /**
+   * Block number to enable Falcon signature verifier precompiled feature.
+   *
+   * @return block number of falcon signature precompiled verifier
+   */
+  OptionalLong getFalcon512BlockNumber();
+
   /**
    * Block number to activate Magneto on Classic networks.
    *

config/src/main/java/org/hyperledger/besu/config/JsonGenesisConfigOptions.java

@@ -370,6 +370,11 @@ public OptionalLong getThanosBlockNumber() {
     return getOptionalLong("thanosblock");
   }
 
+  @Override
+  public OptionalLong getFalcon512BlockNumber() {
+    return getOptionalLong("falcon512block");
+  }
+
   @Override
   public OptionalLong getMagnetoBlockNumber() {
     return getOptionalLong("magnetoblock");

config/src/main/java/org/hyperledger/besu/config/StubGenesisConfigOptions.java

@@ -42,6 +42,7 @@ public class StubGenesisConfigOptions implements GenesisConfigOptions, Cloneable
   private OptionalLong istanbulBlockNumber = OptionalLong.empty();
   private OptionalLong muirGlacierBlockNumber = OptionalLong.empty();
   private OptionalLong berlinBlockNumber = OptionalLong.empty();
+  private final OptionalLong falcon512BlockNumber = OptionalLong.empty();
   private OptionalLong londonBlockNumber = OptionalLong.empty();
   private OptionalLong arrowGlacierBlockNumber = OptionalLong.empty();
   private OptionalLong grayGlacierBlockNumber = OptionalLong.empty();
@@ -306,6 +307,11 @@ public OptionalLong getThanosBlockNumber() {
     return thanosBlockNumber;
   }
 
+  @Override
+  public OptionalLong getFalcon512BlockNumber() {
+    return falcon512BlockNumber;
+  }
+
   @Override
   public OptionalLong getMagnetoBlockNumber() {
     return magnetoBlockNumber;

config/src/main/resources/dev.json

@@ -2,6 +2,7 @@
   "config": {
     "chainId": 1337,
     "londonBlock": 0,
+    "falcon512block": 0,
     "contractSizeLimit": 2147483647,
     "ethash": {
       "fixeddifficulty": 100

datatypes/src/main/java/org/hyperledger/besu/datatypes/Address.java

@@ -77,6 +77,8 @@ public class Address extends DelegatingBytes {
   public static final Address BLS12_MAP_FP_TO_G1 = Address.precompiled(0x12);
   /** The constant BLS12_MAP_FP2_TO_G2. */
   public static final Address BLS12_MAP_FP2_TO_G2 = Address.precompiled(0x13);
+  /** Constant for Precompiled Falcon verification signature. */
+  public static final Address FALCON512 = Address.precompiled(0x65);
   /** The constant ZERO. */
   public static final Address ZERO = Address.fromHexString("0x0");
 

ethereum/core/src/main/java/org/hyperledger/besu/ethereum/mainnet/Falcon512ProtocolSpecs.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright contributors to Hyperledger Besu
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.hyperledger.besu.ethereum.mainnet;
+
+import org.hyperledger.besu.datatypes.Address;
+import org.hyperledger.besu.evm.internal.EvmConfiguration;
+import org.hyperledger.besu.evm.precompile.FalconPrecompiledContract;
+import org.hyperledger.besu.evm.precompile.PrecompileContractRegistry;
+
+import java.math.BigInteger;
+import java.util.Optional;
+import java.util.OptionalInt;
+
+public class Falcon512ProtocolSpecs {
+  public static ProtocolSpecBuilder postQuantumDefinition(
+      final Optional<BigInteger> chainId,
+      final OptionalInt contractSizeLimit,
+      final OptionalInt configStackSizeLimit,
+      final boolean enableRevertReason) {
+    return MainnetProtocolSpecs.istanbulDefinition(
+            chainId,
+            contractSizeLimit,
+            configStackSizeLimit,
+            enableRevertReason,
+            EvmConfiguration.DEFAULT)
+        .precompileContractRegistryBuilder(
+            precompiledContractConfiguration -> {
+              PrecompileContractRegistry falcon512ContractsRegistry =
+                  MainnetPrecompiledContractRegistries.istanbul(precompiledContractConfiguration);
+              falcon512ContractsRegistry.put(
+                  Address.FALCON512,
+                  new FalconPrecompiledContract(
+                      precompiledContractConfiguration.getGasCalculator()));
+              return falcon512ContractsRegistry;
+            });
+  }
+}

ethereum/core/src/main/java/org/hyperledger/besu/ethereum/mainnet/MainnetProtocolSpecFactory.java

@@ -210,6 +210,11 @@ public ProtocolSpecBuilder experimentalEipsDefinition(
         evmConfiguration);
   }
 
+  public ProtocolSpecBuilder falcon512Definition() {
+    return Falcon512ProtocolSpecs.postQuantumDefinition(
+        chainId, contractSizeLimit, evmStackSize, isRevertReasonEnabled);
+  }
+
   ////////////////////////////////////////////////////////////////////////////////////////////////
   ////////////////////////////////////////////////////////////////////////////////////////////////
   // Classic Protocol Specs

ethereum/core/src/main/java/org/hyperledger/besu/ethereum/mainnet/ProtocolScheduleBuilder.java

@@ -309,6 +309,7 @@ private Stream<Optional<BuilderMapEntry>> createMilestones(
             config.getGrayGlacierBlockNumber(), specFactory.grayGlacierDefinition(config)),
         blockNumberMilestone(
             config.getMergeNetSplitBlockNumber(), specFactory.parisDefinition(config)),
+        blockNumberMilestone(config.getFalcon512BlockNumber(), specFactory.falcon512Definition()),
         // Timestamp Forks
         timestampMilestone(config.getShanghaiTime(), specFactory.shanghaiDefinition(config)),
         timestampMilestone(config.getCancunTime(), specFactory.cancunDefinition(config)),

evm/src/main/java/org/hyperledger/besu/evm/gascalculator/FrontierGasCalculator.java

@@ -53,6 +53,10 @@ public class FrontierGasCalculator implements GasCalculator {
 
   private static final long SHA256_PRECOMPILED_WORD_GAS_COST = 12L;
 
+  private static final long FALCON512_VERIFY_PRECOMPILED_BASE_GAS_COST = 1465L;
+
+  private static final long FALCON512_VERIFY_PRECOMPILED_WORD_GAS_COST = 6L;
+
   private static final long RIPEMD160_PRECOMPILED_WORD_GAS_COST = 120L;
 
   private static final long RIPEMD160_PRECOMPILED_BASE_GAS_COST = 600L;
@@ -164,6 +168,12 @@ public long sha256PrecompiledContractGasCost(final Bytes input) {
         + SHA256_PRECOMPILED_BASE_GAS_COST;
   }
 
+  @Override
+  public long falconVerifyPrecompiledContractGasCost(final Bytes input) {
+    return FALCON512_VERIFY_PRECOMPILED_WORD_GAS_COST * Words.numWords(input)
+        + FALCON512_VERIFY_PRECOMPILED_BASE_GAS_COST;
+  }
+
   @Override
   public long ripemd160PrecompiledContractGasCost(final Bytes input) {
     return RIPEMD160_PRECOMPILED_WORD_GAS_COST * Words.numWords(input)

evm/src/main/java/org/hyperledger/besu/evm/gascalculator/GasCalculator.java

@@ -34,6 +34,7 @@
 import org.hyperledger.besu.evm.operation.SLoadOperation;
 import org.hyperledger.besu.evm.operation.SelfDestructOperation;
 import org.hyperledger.besu.evm.precompile.ECRECPrecompiledContract;
+import org.hyperledger.besu.evm.precompile.FalconPrecompiledContract;
 import org.hyperledger.besu.evm.precompile.IDPrecompiledContract;
 import org.hyperledger.besu.evm.precompile.RIPEMD160PrecompiledContract;
 import org.hyperledger.besu.evm.precompile.SHA256PrecompiledContract;
@@ -75,6 +76,14 @@ public interface GasCalculator {
    */
   long getEcrecPrecompiledContractGasCost();
 
+  /**
+   * Returns the gas cost to execute the {@link FalconPrecompiledContract}.
+   *
+   * @param input The input representing the message, signature and the correspondent public key
+   * @return the gas cost to execute the Falcon Signature verification precompiled contract
+   */
+  long falconVerifyPrecompiledContractGasCost(Bytes input);
+
   /**
    * Returns the gas cost to execute the {@link SHA256PrecompiledContract}.
    *

evm/src/main/java/org/hyperledger/besu/evm/precompile/FalconPrecompiledContract.java

@@ -0,0 +1,123 @@
+/*
+ * Copyright contributors to Hyperledger Besu
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.hyperledger.besu.evm.precompile;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import org.hyperledger.besu.crypto.Hash;
+import org.hyperledger.besu.evm.frame.ExceptionalHaltReason;
+import org.hyperledger.besu.evm.frame.MessageFrame;
+import org.hyperledger.besu.evm.gascalculator.GasCalculator;
+
+import java.util.Optional;
+import javax.annotation.Nonnull;
+
+import org.apache.tuweni.bytes.Bytes;
+import org.apache.tuweni.bytes.Bytes32;
+import org.bouncycastle.pqc.crypto.falcon.FalconParameters;
+import org.bouncycastle.pqc.crypto.falcon.FalconPublicKeyParameters;
+import org.bouncycastle.pqc.crypto.falcon.FalconSigner;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/** The Falcon precompiled contract. */
+public class FalconPrecompiledContract extends AbstractPrecompiledContract {
+
+  private static final Logger LOG = LoggerFactory.getLogger(AbstractBLS12PrecompiledContract.class);
+
+  private static final Bytes METHOD_ABI =
+      Hash.keccak256(Bytes.of("verify(bytes,bytes,bytes)".getBytes(UTF_8))).slice(0, 4);
+  private static final String SIGNATURE_ALGORITHM = "Falcon-512";
+
+  private final FalconSigner falconSigner = new FalconSigner();
+
+  /**
+   * Instantiates a new Falcon precompiled contract.
+   *
+   * @param gasCalculator the gas calculator
+   */
+  public FalconPrecompiledContract(final GasCalculator gasCalculator) {
+    super("Falcon", gasCalculator);
+  }
+
+  @Override
+  public long gasRequirement(final Bytes input) {
+    return gasCalculator().falconVerifyPrecompiledContractGasCost(input);
+  }
+
+  @Nonnull
+  @Override
+  public PrecompileContractResult computePrecompile(
+      final Bytes methodInput, @Nonnull final MessageFrame messageFrame) {
+    Bytes methodAbi;
+    try {
+      methodAbi = methodInput.slice(0, METHOD_ABI.size());
+      if (!methodAbi.xor(METHOD_ABI).isZero()) {
+        LOG.trace("Unexpected method ABI: " + methodAbi.toHexString());
+        return PrecompileContractResult.halt(
+            null, Optional.of(ExceptionalHaltReason.PRECOMPILE_ERROR));
+      }
+    } catch (Exception e) {
+      return PrecompileContractResult.halt(
+          null, Optional.of(ExceptionalHaltReason.PRECOMPILE_ERROR));
+    }
+    Bytes signatureSlice;
+    Bytes pubKeySlice;
+    Bytes dataSlice;
+
+    try {
+      Bytes input = methodInput.slice(METHOD_ABI.size());
+      int signatureOffset = input.slice(0, 32).trimLeadingZeros().toInt();
+      int pubKeyOffset = input.slice(32, 32).trimLeadingZeros().toInt();
+      int dataOffset = input.slice(64, 32).trimLeadingZeros().toInt();
+
+      int signatureLength = input.slice(signatureOffset, 32).trimLeadingZeros().toInt();
+      int pubKeyLength = input.slice(pubKeyOffset, 32).trimLeadingZeros().toInt();
+      int dataLength = input.slice(dataOffset, 32).trimLeadingZeros().toInt();
+
+      signatureSlice = input.slice(signatureOffset + 32, signatureLength);
+      pubKeySlice =
+          input.slice(
+              pubKeyOffset + 32 + 1,
+              pubKeyLength - 1); // BouncyCastle omits the first byte since it is always zero
+      dataSlice = input.slice(dataOffset + 32, dataLength);
+    } catch (Exception e) {
+      LOG.trace("Error executing Falcon-512 precompiled contract: '{}'", "invalid input");
+      return PrecompileContractResult.success(Bytes32.leftPad(Bytes.of(1)));
+    }
+
+    if (LOG.isTraceEnabled()) {
+      LOG.trace(
+          "{} verify: signature={}, pubKey={}, data={}",
+          SIGNATURE_ALGORITHM,
+          signatureSlice.toHexString(),
+          pubKeySlice.toHexString(),
+          dataSlice.toHexString());
+    }
+    FalconPublicKeyParameters falconPublicKeyParameters =
+        new FalconPublicKeyParameters(FalconParameters.falcon_512, pubKeySlice.toArray());
+    falconSigner.init(false, falconPublicKeyParameters);
+    final boolean verifies =
+        falconSigner.verifySignature(dataSlice.toArray(), signatureSlice.toArray());
+
+    if (verifies) {
+      LOG.debug("Signature is VALID");
+      return PrecompileContractResult.success(Bytes32.leftPad(Bytes.of(0)));
+    } else {
+      LOG.debug("Signature is INVALID");
+      return PrecompileContractResult.success(Bytes32.leftPad(Bytes.of(1)));
+    }
+  }
+}

evm/src/test/java/org/hyperledger/besu/evm/precompile/Benchmarks.java

@@ -34,11 +34,15 @@
 import org.hyperledger.besu.evm.gascalculator.BerlinGasCalculator;
 import org.hyperledger.besu.evm.gascalculator.IstanbulGasCalculator;
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.math.BigInteger;
 import java.util.Map;
 import java.util.Random;
 import java.util.concurrent.TimeUnit;
 
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.Stopwatch;
 import com.google.common.collect.ImmutableMap;
 import org.apache.tuweni.bytes.Bytes;
@@ -628,6 +632,41 @@ private static void benchBLS12MapFP2TOG2() {
         (int) gasSpent, contract.gasRequirement(arg));
   }
 
+  private static void benchFalcon512() {
+    final FalconPrecompiledContract contract =
+        new FalconPrecompiledContract(new IstanbulGasCalculator());
+    final JsonNode falconVectors;
+    try (final InputStream testVectors =
+        Benchmarks.class.getResourceAsStream("falconBenchVectors.json")) {
+      falconVectors = new ObjectMapper().readTree(testVectors);
+
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+    for (int i = 0; i < MATH_WARMUP; i++) {
+      contract.computePrecompile(
+          Bytes.fromHexString(falconVectors.get(0).get("Input").asText()), fakeFrame);
+    }
+    for (int len = 0; len < falconVectors.size(); len += 1) {
+      Bytes bytes = Bytes.fromHexString(falconVectors.get(len).get("Input").asText());
+      final Stopwatch timer = Stopwatch.createStarted();
+      for (int i = 0; i < HASH_ITERATIONS; i++) {
+        contract.computePrecompile(bytes, fakeFrame);
+      }
+      timer.stop();
+
+      final double elapsed = timer.elapsed(TimeUnit.NANOSECONDS) / 1.0e9D;
+      final double perCall = elapsed / HASH_ITERATIONS;
+      final double gasSpent = perCall * GAS_PER_SECOND_STANDARD;
+      System.out.printf(
+          "falcon512 - iter #%,d - %,d message bytes for %,d gas. Charging %,d gas.%n",
+          len,
+          (len + 1) * 33,
+          (int) gasSpent,
+          contract.gasRequirement(bytes)); // every message increases in 33 bytes
+    }
+  }
+
   private static double runBenchmark(final Bytes arg, final PrecompiledContract contract) {
     if (contract.computePrecompile(arg, fakeFrame).getOutput() == null) {
       throw new RuntimeException("Input is Invalid");
@@ -665,5 +704,6 @@ public static void main(final String[] args) {
     benchBLS12Pair();
     benchBLS12MapFPTOG1();
     benchBLS12MapFP2TOG2();
+    benchFalcon512();
   }
 }