circomlib/circuit/pedersen.circom

include "escalarmul.circom";

component Pedersen(n) {
    signal input in[n];
    signal output out[2];

    var nexps = ((n-1) \ 253) + 1;
    var nlastbits = n - (nexps-1)*253;

    component escalarMuls[nexps];

    var PBASE = [
                    [17777552123799933955779906779655732241715742912184938656739573121738514868268,
                     2626589144620713026669568689430873010625803728049924121243784502389097019475],
                    [17777552123799933955779906779655732241715742912184938656739573121738514868268,
                     2626589144620713026669568689430873010625803728049924121243784502389097019475],
                    [17777552123799933955779906779655732241715742912184938656739573121738514868268,
                     2626589144620713026669568689430873010625803728049924121243784502389097019475],
                    [17777552123799933955779906779655732241715742912184938656739573121738514868268,
                     2626589144620713026669568689430873010625803728049924121243784502389097019475],
                    [17777552123799933955779906779655732241715742912184938656739573121738514868268,
                     2626589144620713026669568689430873010625803728049924121243784502389097019475]
                ];

    var i;
    var j;
    for (i=0; i<nexps; i++) {
        var nexpbits = (i == nexps-1) ? nlastbits : 253;
        escalarMuls[i] = EscalarMul(nexpbits, PBASE[i][0], PBAS[i][1]);

        for (j=0; j<nexpbits; j++) {
            escalarMuls[i].in[j] <== in[253*i + j];
        }

        if (i==0) {
            escalarMuls[i].inp[0] <== 0;
            escalarMuls[i].inp[1] <== 0;
        } else {
            escalarMuls[i].inp[0] <== escalarMuls[i-1].out[0];
            escalarMuls[i].inp[1] <== escalarMuls[i-1].out[1];
        }
    }

    escalarMuls[nexps-1].out[0] ==> out[0];
    escalarMuls[nexps-1].out[1] ==> out[1];
}