eddsa done

circuit/eddsa.circom

@@ -1,11 +1,15 @@
-
-include "../node_modules/circom/circuits/bitify.circom";
-include "../node_modules/circom/circuits/comparators.circom";
+include "compconstant.circom";
+include "pointbits.circom";
+include "pedersen2.circom";
 include "escalarmulany.circom";
+include "escalarmulfix.circom";
+
+/*
+include "../node_modules/circom/circuits/bitify.circom";
 include "babyjub.circom";
+*/
 
-
-templete EdDSAVerfier(n) {
+template EdDSAVerifier(n) {
     signal input msg[n];
 
     signal input A[256];
@@ -24,12 +28,12 @@ templete EdDSAVerfier(n) {
 
     component  compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
 
-    for (var i=0; i<254; i++) {
+    for (i=0; i<254; i++) {
         S[i] ==> compConstant.in[i];
     }
     compConstant.out === 0;
+    S[254] === 0;
     S[255] === 0;
-    S[256] === 0;
 
 // Convert A to Field elements (And verify A)
 
@@ -56,13 +60,17 @@ templete EdDSAVerfier(n) {
     component hash = Pedersen(512+n);
 
     for (i=0; i<256; i++) {
-        hash.in[i] <== R[i];
+        hash.in[i] <== R8[i];
         hash.in[256+i] <== A[i];
     }
     for (i=0; i<n; i++) {
         hash.in[512+i] <== msg[i];
     }
 
+    component point2bitsH = Point2Bits_Strict();
+    point2bitsH.in[0] <== hash.out[0];
+    point2bitsH.in[1] <== hash.out[1];
+
 // Calculate second part of the right side:  right2 = h*8*A
 
     // Multiply by 8 by adding it 3 times.  This also ensure that the result is in
@@ -71,11 +79,11 @@ templete EdDSAVerfier(n) {
     dbl1.x <== Ax;
     dbl1.y <== Ay;
     component dbl2 = BabyDbl();
-    dbl2.x <== dbl1.outx;
-    dbl2.y <== dbl1.outy;
+    dbl2.x <== dbl1.xout;
+    dbl2.y <== dbl1.yout;
     component dbl3 = BabyDbl();
-    dbl3.x <== dbl2.outx;
-    dbl3.y <== dbl2.outy;
+    dbl3.x <== dbl2.xout;
+    dbl3.y <== dbl2.yout;
 
     // We check that A is not zero.
     component isZero = IsZero();
@@ -84,10 +92,10 @@ templete EdDSAVerfier(n) {
 
     component mulAny = EscalarMulAny(256);
     for (i=0; i<256; i++) {
-        mulAny.e[i] <== hash.out[i];
+        mulAny.e[i] <== point2bitsH.out[i];
     }
-    mulAny.p[0] <== dbl3.outx;
-    mulAny.p[1] <== dbl3.outy;
+    mulAny.p[0] <== dbl3.xout;
+    mulAny.p[1] <== dbl3.yout;
 
 
 // Compute the right side: right =  R8 + right2

circuit/escalarmulany.circom

@@ -11,7 +11,7 @@ template Multiplexor2() {
     out[1] <== (in[1][1] - in[0][1])*sel + in[0][1];
 }
 
-template BitElement() {
+template BitElementMulAny() {
     signal input sel;
     signal input dblIn[2];
     signal input addIn[2];
@@ -47,7 +47,7 @@ template BitElement() {
 // returns out in twisted edwards
 // Double is in montgomery to be linked;
 
-template Segment(n) {
+template SegmentMulAny(n) {
     signal input e[n];
     signal input p[2];
     signal output out[2];
@@ -62,7 +62,7 @@ template Segment(n) {
 
     var i;
 
-    bits[0] = BitElement();
+    bits[0] = BitElementMulAny();
     e2m.out[0] ==> bits[0].dblIn[0]
     e2m.out[1] ==> bits[0].dblIn[1]
     e2m.out[0] ==> bits[0].addIn[0]
@@ -70,7 +70,7 @@ template Segment(n) {
     e[1] ==> bits[0].sel;
 
     for (i=1; i<n-1; i++) {
-        bits[i] = BitElement();
+        bits[i] = BitElementMulAny();
 
         bits[i-1].dblOut[0] ==> bits[i].dblIn[0]
         bits[i-1].dblOut[1] ==> bits[i].dblIn[1]
@@ -129,7 +129,7 @@ template EscalarMulAny(n) {
 
         nseg = (s < nsegments-1) ? 148 : nlastsegment;
 
-        segments[s] = Segment(nseg);
+        segments[s] = SegmentMulAny(nseg);
 
         for (i=0; i<nseg; i++) {
             e[s*148+i] ==> segments[s].e[i];

circuit/pedersen2.circom

@@ -204,7 +204,7 @@ template Pedersen(n) {
             adders[i].y2 <== segments[1].out[1];
         } else {
             adders[i].x1 <== adders[i-1].xout;
-            adders[i].y1 <== adders[i-1].xout;
+            adders[i].y1 <== adders[i-1].yout;
             adders[i].x2 <== segments[i+1].out[0];
             adders[i].y2 <== segments[i+1].out[1];
         }