diff --git a/Cargo.toml b/Cargo.toml index 4eb6d9d..c34bbb5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -5,8 +5,7 @@ rust-version = "1.75.0" version = "0.1.0" [dependencies] - -ark-crypto-primitives = {version = "^0.4.0", default-features = false, features = ["sponge", "crh"]} +ark-crypto-primitives = {version = "^0.4.0", default-features = false, features = ["sponge", "crh", "r1cs"]} ark-ec = "^0.4.0" ark-ed-on-bn254 = {version = "0.4.0"} ark-ff = "^0.4.0" @@ -16,6 +15,11 @@ digest = "0.10" rand = "0.8" rand_core = {version = "0.6", default-features = false} +# r1cs deps related under feature="r1cs" +ark-relations = { version = "^0.4.0", default-features = false, optional = true } +ark-r1cs-std = { version = "0.4.0", default-features = false, features = ["parallel"], optional = true } + + [dev-dependencies] ark-algebra-test-templates = "0.4.2" ark-ed-on-bls12-381 = {version = "0.4.0"} @@ -26,3 +30,4 @@ sha2 = "0.10" [features] default = [] +r1cs = ["ark-r1cs-std", "ark-relations"] diff --git a/README.md b/README.md index b7738c5..4ee7ad5 100644 --- a/README.md +++ b/README.md @@ -3,3 +3,8 @@ Do not use in production. EDDSA signature scheme implementation with Poseidon hasher and ark-works backend. Additionally circom compatible `ed_on_bn254_twist` twist is available. + +The `r1cs` feature enables the in-circuit EdDSA verification. + +## test +To test including the constraints use the `r1cs` feature flag: `cargo test --features=r1cs` diff --git a/rust-toolchain b/rust-toolchain index 7c7053a..71fae54 100644 --- a/rust-toolchain +++ b/rust-toolchain @@ -1 +1 @@ -1.75.0 +1.82.0 diff --git a/src/constraints.rs b/src/constraints.rs new file mode 100644 index 0000000..c8c5ace --- /dev/null +++ b/src/constraints.rs @@ -0,0 +1,90 @@ +/// This file implements the EdDSA verification in-circuit. +use ark_crypto_primitives::sponge::{ + constraints::CryptographicSpongeVar, + poseidon::{constraints::PoseidonSpongeVar, PoseidonConfig}, +}; +use ark_ec::CurveGroup; +use ark_ff::Field; +use ark_relations::r1cs::ConstraintSystemRef; + +use ark_r1cs_std::{ + boolean::Boolean, fields::fp::FpVar, fields::nonnative::NonNativeFieldVar, groups::CurveVar, + ToBitsGadget, ToConstraintFieldGadget, +}; + +use crate::Error; + +/// CF stands for ConstraintField +pub type CF = <::BaseField as Field>::BasePrimeField; + +/// gadget to compute the EdDSA verification in-circuit +pub fn verify( + cs: ConstraintSystemRef>, + poseidon_config: PoseidonConfig>, + pk: GC, + sig: (GC, NonNativeFieldVar>), + msg: FpVar>, +) -> Result>, Error> +where + C: CurveGroup, + GC: CurveVar> + ToConstraintFieldGadget>, +{ + let (r, s): (GC, NonNativeFieldVar>) = sig; + + let r_xy = r.to_constraint_field().unwrap(); + let pk_xy = pk.to_constraint_field().unwrap(); + + let mut poseidon = PoseidonSpongeVar::new(cs.clone(), &poseidon_config); + poseidon.absorb(&r_xy).unwrap(); + poseidon.absorb(&pk_xy).unwrap(); + poseidon.absorb(&msg).unwrap(); + let k = poseidon.squeeze_field_elements(1).unwrap(); + let k = k.first().unwrap(); + + let kx_b = pk.scalar_mul_le(k.to_bits_le().unwrap().iter()).unwrap(); + + let g = GC::new_constant(cs.clone(), C::generator()).unwrap(); + let s_b = g.scalar_mul_le(s.to_bits_le().unwrap().iter()).unwrap(); + let r_rec: GC = s_b - kx_b; + Ok(r_rec.is_eq(&r).unwrap()) +} + +#[cfg(test)] +mod tests { + use super::*; + use crate::ed_on_bn254_twist::{ + constraints::EdwardsVar as GVar, BaseField as Fq, EdwardsConfig, EdwardsProjective as G, + ScalarField as Fr, + }; + use ark_ff::PrimeField; + use ark_r1cs_std::{alloc::AllocVar, eq::EqGadget, fields::nonnative::NonNativeFieldVar}; + use ark_relations::r1cs::ConstraintSystem; + use rand_core::OsRng; + + use crate::test::poseidon_config; + use crate::SigningKey; + + #[test] + fn gadget_verify() { + let poseidon_config = poseidon_config::(4, 8, 60); + let sk = SigningKey::::generate::(&mut OsRng).unwrap(); + let msg_raw = b"xxx yyy <<< zzz >>> bunny"; + let msg = Fq::from_le_bytes_mod_order(msg_raw); + let sig = sk.sign::(&poseidon_config, &msg); + let pk = sk.public_key(); + pk.verify(&poseidon_config, &msg, &sig).unwrap(); + + let cs = ConstraintSystem::::new_ref(); + let pk_var: GVar = GVar::new_witness(cs.clone(), || Ok(pk.0)).unwrap(); + let r_var: GVar = GVar::new_witness(cs.clone(), || Ok(sig.r)).unwrap(); + let s_var = NonNativeFieldVar::::new_witness(cs.clone(), || Ok(sig.s)).unwrap(); + let msg_var = FpVar::::new_witness(cs.clone(), || Ok(msg)).unwrap(); + + let res = verify::(cs.clone(), poseidon_config, pk_var, (r_var, s_var), msg_var) + .unwrap(); + res.enforce_equal(&Boolean::::TRUE).unwrap(); + + dbg!(cs.num_constraints()); + assert!(cs.is_satisfied().unwrap()); + } +} diff --git a/src/ed_on_bn254_twist.rs b/src/ed_on_bn254_twist.rs index 747a61f..11817fd 100644 --- a/src/ed_on_bn254_twist.rs +++ b/src/ed_on_bn254_twist.rs @@ -103,3 +103,18 @@ fn test_twist() { let v2 = untwist(u1); assert_eq!(v1, v2); } + +// constraints related logic +#[cfg(feature = "r1cs")] +pub mod constraints { + use ark_r1cs_std::fields::fp::FpVar; + use ark_r1cs_std::groups::curves::twisted_edwards::AffineVar; + + use crate::ed_on_bn254_twist::{BaseField as Fq, EdwardsConfig}; + + /// A variable that is the R1CS equivalent of `crate::Fq`. + pub type FqVar = FpVar; + + /// A variable that is the R1CS equivalent of `crate::EdwardsAffine`. + pub type EdwardsVar = AffineVar; +} diff --git a/src/eddsa.rs b/src/eddsa.rs index 253d2ab..1fea364 100644 --- a/src/eddsa.rs +++ b/src/eddsa.rs @@ -7,7 +7,7 @@ use ark_ec::{ twisted_edwards::{Affine, TECurveConfig}, AffineRepr, }; -use ark_ff::PrimeField; +use ark_ff::{BigInteger, PrimeField}; use ark_serialize::{CanonicalDeserialize, CanonicalSerialize}; use digest::Digest; use digest::OutputSizeUser; @@ -45,7 +45,7 @@ impl SecretKey { /// `PublicKey` is EdDSA signature verification key #[derive(Copy, Clone, Debug, CanonicalSerialize, CanonicalDeserialize)] -pub struct PublicKey(Affine); +pub struct PublicKey(pub Affine); impl PublicKey { pub fn xy(&self) -> (&TE::BaseField, &TE::BaseField) { @@ -121,18 +121,20 @@ where &self.public_key } - pub fn sign( + pub fn sign( &self, poseidon: &PoseidonConfig, - message: &[E], + message: &TE::BaseField, ) -> Signature { let (x, prefix) = self.secret_key.expand::(); let mut h = D::new(); h.update(prefix); - message - .iter() - .for_each(|m| h.update(m.to_sponge_bytes_as_vec())); + let msg_bytes = message.into_bigint().to_bytes_le(); + let mut msg32: [u8; 32] = [0; 32]; + msg32[..msg_bytes.len()].copy_from_slice(&msg_bytes[..]); + h.update(msg32); + let r: TE::ScalarField = crate::from_digest(h); let sig_r: Affine = (Affine::::generator() * r).into(); @@ -144,10 +146,12 @@ where let (pk_x, pk_y) = self.public_key.0.xy().unwrap(); poseidon.absorb(pk_x); poseidon.absorb(pk_y); - message.iter().for_each(|m| poseidon.absorb(m)); + poseidon.absorb(message); - let k = poseidon.squeeze_field_elements::(1); + // use poseidon over Fq, so that it can be done too in-circuit + let k = poseidon.squeeze_field_elements::(1); let k = k.first().unwrap(); + let k = TE::ScalarField::from_le_bytes_mod_order(&k.into_bigint().to_bytes_le()); let sig_s = (x * k) + r; @@ -169,10 +173,10 @@ impl PublicKey where TE::BaseField: PrimeField + Absorb, { - pub fn verify( + pub fn verify( &self, poseidon: &PoseidonConfig, - message: &[E], + message: &TE::BaseField, signature: &Signature, ) -> Result<(), Error> { let mut poseidon = PoseidonSponge::new(poseidon); @@ -183,12 +187,13 @@ where let (pk_x, pk_y) = self.0.xy().unwrap(); poseidon.absorb(pk_x); poseidon.absorb(pk_y); - message.iter().for_each(|m| poseidon.absorb(m)); + poseidon.absorb(message); - let k = poseidon.squeeze_field_elements::(1); + // use poseidon over Fq, so that it can be done too in-circuit + let k = poseidon.squeeze_field_elements::(1); let k = k.first().unwrap(); - let kx_b = self.0 * k; + let kx_b = self.0.mul_bigint(k.into_bigint()); let s_b = Affine::::generator() * signature.s(); let r_rec: Affine = (s_b - kx_b).into(); diff --git a/src/lib.rs b/src/lib.rs index c90c782..190da68 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -2,6 +2,9 @@ pub mod ed_on_bn254_twist; pub mod eddsa; pub mod signature; +#[cfg(feature = "r1cs")] +pub mod constraints; + use ark_ff::PrimeField; use digest::Digest; pub use eddsa::*; @@ -60,14 +63,13 @@ mod test { where TE::BaseField: Absorb + PrimeField, { - let poseidon = poseidon_config(4, 8, 55); + let poseidon = poseidon_config::(4, 8, 55); let signing_key = SigningKey::::generate::(&mut OsRng).unwrap(); - let message = b"xxx yyy <<< zzz >>> bunny"; - let signature = signing_key.sign::(&poseidon, &message[..]); + let message_raw = b"xxx yyy <<< zzz >>> bunny"; + let message = TE::BaseField::from_le_bytes_mod_order(message_raw); + let signature = signing_key.sign::(&poseidon, &message); let public_key = signing_key.public_key(); - public_key - .verify::<_>(&poseidon, &message[..], &signature) - .unwrap(); + public_key.verify(&poseidon, &message, &signature).unwrap(); } #[test] diff --git a/src/signature.rs b/src/signature.rs index 65ea776..3cc1819 100644 --- a/src/signature.rs +++ b/src/signature.rs @@ -6,8 +6,8 @@ use ark_serialize::CanonicalSerialize; /// `SignatureComponents` contains the realized parts of a signature #[derive(Copy, Clone, Debug, CanonicalSerialize, CanonicalDeserialize)] pub struct Signature { - r: Affine, - s: TE::ScalarField, + pub r: Affine, + pub s: TE::ScalarField, } impl Signature {