arnaucube
/
circomlib
mirror of https://github.com/arnaucube/circomlib.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13 Commits
7 Branches
7 Tags
38 MiB
Tree: 2cab572c66
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2cab572c66'
${ noResults }
circomlib/circuit/eddsa.circom

124 lines
2.9 KiB
Raw Normal View History

Before merging in a single lib
6 years ago
eddsa done
6 years ago
Before merging in a single lib
6 years ago
eddsa done
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
eddsa done
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
eddsa done
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
eddsa done
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
eddsa done
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
eddsa done
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
eddsa done
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
eddsa done
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
eddsa done
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
eddsa done
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
eddsa done
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
eddsa done
6 years ago
Pedersen2 and BitPoints MulFix and MulAny
6 years ago
Pedersen Hash Base Points Calculation
6 years ago
  1. include "../node_modules/circom/circuits/compconstant.circom";
  2. include "pointbits.circom";
  3. include "pedersen.circom";
  4. include "escalarmulany.circom";
  5. include "escalarmulfix.circom";
  7. /*
  8. include "../node_modules/circom/circuits/bitify.circom";
  9. include "babyjub.circom";
  10. */
  12. template EdDSAVerifier(n) {
  13. signal input msg[n];
  15. signal input A[256];
  16. signal input R8[256];
  17. signal input S[256];
  19. signal Ax;
  20. signal Ay;
  22. signal R8x;
  23. signal R8y;
  25. var i;
  27. // Ensure S<Subgroup Order
  29. component compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
  31. for (i=0; i<254; i++) {
  32. S[i] ==> compConstant.in[i];
  33. }
  34. compConstant.out === 0;
  35. S[254] === 0;
  36. S[255] === 0;
  38. // Convert A to Field elements (And verify A)
  40. component bits2pointA = Bits2Point_Strict();
  42. for (i=0; i<256; i++) {
  43. bits2pointA.in[i] <== A[i];
  44. }
  45. Ax <== bits2pointA.out[0];
  46. Ay <== bits2pointA.out[1];
  48. // Convert R8 to Field elements (And verify R8)
  50. component bits2pointR8 = Bits2Point_Strict();
  52. for (i=0; i<256; i++) {
  53. bits2pointR8.in[i] <== R8[i];
  54. }
  55. R8x <== bits2pointR8.out[0];
  56. R8y <== bits2pointR8.out[1];
  58. // Calculate the h = H(R,A, msg)
  60. component hash = Pedersen(512+n);
  62. for (i=0; i<256; i++) {
  63. hash.in[i] <== R8[i];
  64. hash.in[256+i] <== A[i];
  65. }
  66. for (i=0; i<n; i++) {
  67. hash.in[512+i] <== msg[i];
  68. }
  70. component point2bitsH = Point2Bits_Strict();
  71. point2bitsH.in[0] <== hash.out[0];
  72. point2bitsH.in[1] <== hash.out[1];
  74. // Calculate second part of the right side: right2 = h*8*A
  76. // Multiply by 8 by adding it 3 times. This also ensure that the result is in
  77. // the subgroup.
  78. component dbl1 = BabyDbl();
  79. dbl1.x <== Ax;
  80. dbl1.y <== Ay;
  81. component dbl2 = BabyDbl();
  82. dbl2.x <== dbl1.xout;
  83. dbl2.y <== dbl1.yout;
  84. component dbl3 = BabyDbl();
  85. dbl3.x <== dbl2.xout;
  86. dbl3.y <== dbl2.yout;
  88. // We check that A is not zero.
  89. component isZero = IsZero();
  90. isZero.in <== dbl3.x;
  91. isZero.out === 0;
  93. component mulAny = EscalarMulAny(256);
  94. for (i=0; i<256; i++) {
  95. mulAny.e[i] <== point2bitsH.out[i];
  96. }
  97. mulAny.p[0] <== dbl3.xout;
  98. mulAny.p[1] <== dbl3.yout;
  101. // Compute the right side: right = R8 + right2
  103. component addRight = BabyAdd();
  104. addRight.x1 <== R8x;
  105. addRight.y1 <== R8y;
  106. addRight.x2 <== mulAny.out[0];
  107. addRight.y2 <== mulAny.out[1];
  109. // Calculate left side of equation left = S*B8
  111. var BASE8 = [
  112. 17777552123799933955779906779655732241715742912184938656739573121738514868268,
  113. 2626589144620713026669568689430873010625803728049924121243784502389097019475
  114. ];
  115. component mulFix = EscalarMulFix(256, BASE8);
  116. for (i=0; i<256; i++) {
  117. mulFix.e[i] <== S[i];
  118. }
  120. // Do the comparation left == right
  122. mulFix.out[0] === addRight.xout;
  123. mulFix.out[1] === addRight.yout;
  124. }