You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
89 lines
3.2 KiB
89 lines
3.2 KiB
/// This file implements the EdDSA verification in-circuit.
|
|
use ark_crypto_primitives::sponge::{
|
|
constraints::CryptographicSpongeVar,
|
|
poseidon::{constraints::PoseidonSpongeVar, PoseidonConfig},
|
|
};
|
|
use ark_ec::CurveGroup;
|
|
use ark_ff::Field;
|
|
use ark_relations::r1cs::ConstraintSystemRef;
|
|
|
|
use ark_r1cs_std::{
|
|
boolean::Boolean, fields::fp::FpVar, fields::nonnative::NonNativeFieldVar, groups::CurveVar,
|
|
ToBitsGadget, ToConstraintFieldGadget,
|
|
};
|
|
|
|
use crate::Error;
|
|
|
|
/// CF stands for ConstraintField
|
|
pub type CF<C> = <<C as CurveGroup>::BaseField as Field>::BasePrimeField;
|
|
|
|
/// gadget to compute the EdDSA verification in-circuit
|
|
pub fn verify<C, GC>(
|
|
cs: ConstraintSystemRef<CF<C>>,
|
|
poseidon_config: PoseidonConfig<CF<C>>,
|
|
pk: GC,
|
|
sig: (GC, NonNativeFieldVar<C::ScalarField, CF<C>>),
|
|
msg: FpVar<CF<C>>,
|
|
) -> Result<Boolean<CF<C>>, Error>
|
|
where
|
|
C: CurveGroup,
|
|
GC: CurveVar<C, CF<C>> + ToConstraintFieldGadget<CF<C>>,
|
|
{
|
|
let (r, s): (GC, NonNativeFieldVar<C::ScalarField, CF<C>>) = sig;
|
|
|
|
let r_xy = r.to_constraint_field().unwrap();
|
|
let pk_xy = pk.to_constraint_field().unwrap();
|
|
|
|
let mut poseidon = PoseidonSpongeVar::new(cs.clone(), &poseidon_config);
|
|
poseidon.absorb(&r_xy).unwrap();
|
|
poseidon.absorb(&pk_xy).unwrap();
|
|
poseidon.absorb(&msg).unwrap();
|
|
let k = poseidon.squeeze_field_elements(1).unwrap();
|
|
let k = k.first().unwrap();
|
|
|
|
let kx_b = pk.scalar_mul_le(k.to_bits_le().unwrap().iter()).unwrap();
|
|
|
|
let g = GC::new_constant(cs.clone(), C::generator()).unwrap();
|
|
let s_b = g.scalar_mul_le(s.to_bits_le().unwrap().iter()).unwrap();
|
|
let r_rec: GC = s_b - kx_b;
|
|
Ok(r_rec.is_eq(&r).unwrap())
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use ark_ff::PrimeField;
|
|
use ark_r1cs_std::{alloc::AllocVar, eq::EqGadget, fields::nonnative::NonNativeFieldVar};
|
|
use ark_relations::r1cs::ConstraintSystem;
|
|
use rand_core::OsRng;
|
|
|
|
use super::*;
|
|
use crate::ed_on_bn254_twist::{
|
|
constraints::EdwardsVar as GVar, BaseField as Fq, EdwardsConfig, EdwardsProjective as G,
|
|
ScalarField as Fr,
|
|
};
|
|
use crate::{poseidon_config, SigningKey};
|
|
|
|
#[test]
|
|
fn gadget_verify() {
|
|
let poseidon_config = poseidon_config::<Fq>(4, 8, 60);
|
|
let sk = SigningKey::<EdwardsConfig>::generate::<blake2::Blake2b512>(&mut OsRng).unwrap();
|
|
let msg_raw = b"xxx yyy <<< zzz >>> bunny";
|
|
let msg = Fq::from_le_bytes_mod_order(msg_raw);
|
|
let sig = sk.sign::<blake2::Blake2b512>(&poseidon_config, &msg);
|
|
let pk = sk.public_key();
|
|
pk.verify(&poseidon_config, &msg, &sig).unwrap();
|
|
|
|
let cs = ConstraintSystem::<Fq>::new_ref();
|
|
let pk_var: GVar = GVar::new_witness(cs.clone(), || Ok(pk.0)).unwrap();
|
|
let r_var: GVar = GVar::new_witness(cs.clone(), || Ok(sig.r)).unwrap();
|
|
let s_var = NonNativeFieldVar::<Fr, Fq>::new_witness(cs.clone(), || Ok(sig.s)).unwrap();
|
|
let msg_var = FpVar::<Fq>::new_witness(cs.clone(), || Ok(msg)).unwrap();
|
|
|
|
let res = verify::<G, GVar>(cs.clone(), poseidon_config, pk_var, (r_var, s_var), msg_var)
|
|
.unwrap();
|
|
res.enforce_equal(&Boolean::<Fq>::TRUE).unwrap();
|
|
|
|
dbg!(cs.num_constraints());
|
|
assert!(cs.is_satisfied().unwrap());
|
|
}
|
|
}
|