include "compconstant.circom"; include "pointbits.circom"; include "pedersen.circom"; include "escalarmulany.circom"; include "escalarmulfix.circom"; template EdDSAVerifier(n) { signal input msg[n]; signal input A[256]; signal input R8[256]; signal input S[256]; signal Ax; signal Ay; signal R8x; signal R8y; var i; // Ensure S compConstant.in[i]; } compConstant.out === 0; S[254] === 0; S[255] === 0; // Convert A to Field elements (And verify A) component bits2pointA = Bits2Point_Strict(); for (i=0; i<256; i++) { bits2pointA.in[i] <== A[i]; } Ax <== bits2pointA.out[0]; Ay <== bits2pointA.out[1]; // Convert R8 to Field elements (And verify R8) component bits2pointR8 = Bits2Point_Strict(); for (i=0; i<256; i++) { bits2pointR8.in[i] <== R8[i]; } R8x <== bits2pointR8.out[0]; R8y <== bits2pointR8.out[1]; // Calculate the h = H(R,A, msg) component hash = Pedersen(512+n); for (i=0; i<256; i++) { hash.in[i] <== R8[i]; hash.in[256+i] <== A[i]; } for (i=0; i