circomlib/circuits/eddsa.circom

142 lines
3.5 KiB
Plaintext
Raw Normal View History

2018-12-16 13:27:29 +03:00
/*
Copyright 2018 0KIMS association.
This file is part of circom (Zero Knowledge Circuit Compiler).
circom is a free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
circom is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
License for more details.
You should have received a copy of the GNU General Public License
along with circom. If not, see <https://www.gnu.org/licenses/>.
*/
include "aliascheck.circom";
2018-11-27 20:30:33 +03:00
include "pointbits.circom";
2018-12-06 14:13:27 +03:00
include "pedersen.circom";
2018-11-27 20:30:33 +03:00
include "escalarmulany.circom";
include "escalarmulfix.circom";
2018-11-11 21:52:07 +03:00
2018-11-27 20:30:33 +03:00
template EdDSAVerifier(n) {
signal input msg[n];
2018-11-11 21:52:07 +03:00
signal input A[256];
signal input R8[256];
signal input S[256];
2018-11-11 21:52:07 +03:00
signal Ax;
signal Ay;
2018-11-11 21:52:07 +03:00
signal R8x;
signal R8y;
2018-11-11 21:52:07 +03:00
var i;
2018-11-11 21:52:07 +03:00
// Ensure S<Subgroup Order
2018-11-11 21:52:07 +03:00
component aliasCheck = AliasCheckBabyJub();
aliasCheck.enabled <== 1;
2018-11-11 21:52:07 +03:00
for (i=0; i<251; i++) {
S[i] ==> aliasCheck.in[i];
}
S[251] === 0;
S[252] === 0;
S[253] === 0;
2018-11-27 20:30:33 +03:00
S[254] === 0;
S[255] === 0;
2018-11-11 21:52:07 +03:00
// Convert A to Field elements (And verify A)
component bits2pointA = Bits2Point_Strict();
for (i=0; i<256; i++) {
bits2pointA.in[i] <== A[i];
}
Ax <== bits2pointA.out[0];
Ay <== bits2pointA.out[1];
// Convert R8 to Field elements (And verify R8)
component bits2pointR8 = Bits2Point_Strict();
for (i=0; i<256; i++) {
bits2pointR8.in[i] <== R8[i];
}
R8x <== bits2pointR8.out[0];
R8y <== bits2pointR8.out[1];
// Calculate the h = H(R,A, msg)
component hash = Pedersen(512+n);
for (i=0; i<256; i++) {
2018-11-27 20:30:33 +03:00
hash.in[i] <== R8[i];
hash.in[256+i] <== A[i];
}
for (i=0; i<n; i++) {
hash.in[512+i] <== msg[i];
}
2018-11-27 20:30:33 +03:00
component point2bitsH = Point2Bits_Strict();
point2bitsH.in[0] <== hash.out[0];
point2bitsH.in[1] <== hash.out[1];
// Calculate second part of the right side: right2 = h*8*A
// Multiply by 8 by adding it 3 times. This also ensure that the result is in
// the subgroup.
component dbl1 = BabyDbl();
dbl1.x <== Ax;
dbl1.y <== Ay;
component dbl2 = BabyDbl();
2018-11-27 20:30:33 +03:00
dbl2.x <== dbl1.xout;
dbl2.y <== dbl1.yout;
component dbl3 = BabyDbl();
2018-11-27 20:30:33 +03:00
dbl3.x <== dbl2.xout;
dbl3.y <== dbl2.yout;
// We check that A is not zero.
component isZero = IsZero();
isZero.in <== dbl3.x;
isZero.out === 0;
component mulAny = EscalarMulAny(256);
for (i=0; i<256; i++) {
2018-11-27 20:30:33 +03:00
mulAny.e[i] <== point2bitsH.out[i];
}
2018-11-27 20:30:33 +03:00
mulAny.p[0] <== dbl3.xout;
mulAny.p[1] <== dbl3.yout;
// Compute the right side: right = R8 + right2
component addRight = BabyAdd();
addRight.x1 <== R8x;
addRight.y1 <== R8y;
addRight.x2 <== mulAny.out[0];
addRight.y2 <== mulAny.out[1];
// Calculate left side of equation left = S*B8
var BASE8 = [
5299619240641551281634865583518297030282874472190772894086521144482721001553,
16950150798460657717958625567821834550301663161624707787222815936182638968203
];
component mulFix = EscalarMulFix(256, BASE8);
for (i=0; i<256; i++) {
mulFix.e[i] <== S[i];
}
// Do the comparation left == right
mulFix.out[0] === addRight.xout;
mulFix.out[1] === addRight.yout;
2018-11-11 21:52:07 +03:00
}