✨ P256 s normalized (#1363)

Author: Vectorized

docs/utils/p256.md

@@ -89,6 +89,14 @@ Includes the malleability check.
 
 ## Other Operations
 
+### normalized(bytes32)
+
+```solidity
+function normalized(bytes32 s) internal pure returns (bytes32 result)
+```
+
+Returns `s` normalized to the lower half of the curve.
+
 ### tryDecodePoint(bytes)
 
 ```solidity

src/utils/P256.sol

@@ -112,6 +112,14 @@ library P256 {
     /*                      OTHER OPERATIONS                      */
     /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/
 
+    /// @dev Returns `s` normalized to the lower half of the curve.
+    function normalized(bytes32 s) internal pure returns (bytes32 result) {
+        /// @solidity memory-safe-assembly
+        assembly {
+            result := xor(s, mul(xor(sub(N, s), s), gt(s, _HALF_N)))
+        }
+    }
+
     /// @dev Helper function for `abi.decode(encoded, (bytes32, bytes32))`.
     /// If `encoded.length < 64`, `(x, y)` will be `(0, 0)`, which is an invalid point.
     function tryDecodePoint(bytes memory encoded) internal pure returns (bytes32 x, bytes32 y) {

test/P256.t.sol

@@ -248,6 +248,32 @@ contract P256Test is P256VerifierEtcher {
         assertEq(xDecoded, x);
         assertEq(yDecoded, y);
     }
+
+    function check_P256Normalized(uint256 s) public pure {
+        uint256 n = uint256(P256.N);
+        unchecked {
+            uint256 expected = s > (n / 2) ? n - s : s;
+            assert(uint256(P256.normalized(bytes32(s))) == expected);
+        }
+    }
+
+    function testP256Normalized(uint256 privateKey, bytes32 hash) public {
+        while (privateKey == 0 || privateKey >= P256.N) {
+            privateKey = uint256(keccak256(abi.encode(privateKey)));
+        }
+        (uint256 x, uint256 y) = vm.publicKeyP256(privateKey);
+
+        // Note that `vm.signP256` can produce `s` above `N / 2`.
+        (bytes32 r, bytes32 s) = vm.signP256(privateKey, hash);
+
+        if (uint256(s) > P256.N / 2) {
+            assertFalse(P256.verifySignature(hash, r, s, bytes32(x), bytes32(y)));
+            assertTrue(P256.verifySignature(hash, r, P256.normalized(s), bytes32(x), bytes32(y)));
+        } else {
+            assertTrue(P256.verifySignature(hash, r, s, bytes32(x), bytes32(y)));
+        }
+        assertTrue(P256.verifySignatureAllowMalleability(hash, r, s, bytes32(x), bytes32(y)));
+    }
 }
 
 /// @dev Library to derive P256 public key from private key

test/utils/forge-std/Vm.sol

@@ -1651,6 +1651,12 @@ interface VmSafe {
         string calldata language
     ) external pure returns (uint256 privateKey);
 
+    /// Derives secp256r1 public key from the provided `privateKey`.
+    function publicKeyP256(uint256 privateKey)
+        external
+        pure
+        returns (uint256 publicKeyX, uint256 publicKeyY);
+
     /// Gets the label for the specified address.
     function getLabel(address account) external view returns (string memory currentLabel);