makes S value in eddsa signatures be 251 bit, uses alias checks with enabled flag and adds eddsamimcsponge test
This commit is contained in:
parent
5ec0744303
commit
42e96c2e1f
@ -32,11 +32,12 @@ template AliasCheck() {
|
|||||||
|
|
||||||
template AliasCheckBabyJub() {
|
template AliasCheckBabyJub() {
|
||||||
signal input in[251];
|
signal input in[251];
|
||||||
|
signal input enabled;
|
||||||
|
|
||||||
component compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
|
component compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
|
||||||
|
|
||||||
for (var i=0; i<251; i++) in[i] ==> compConstant.in[i];
|
for (var i=0; i<251; i++) in[i] ==> compConstant.in[i];
|
||||||
for (var i=0; i<3; i++) 0 ==> compConstant.in[251+i];
|
for (var i=0; i<3; i++) 0 ==> compConstant.in[251+i];
|
||||||
|
|
||||||
compConstant.out === 0;
|
compConstant.out*enabled === 0;
|
||||||
}
|
}
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
along with circom. If not, see <https://www.gnu.org/licenses/>.
|
along with circom. If not, see <https://www.gnu.org/licenses/>.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
include "compconstant.circom";
|
include "aliascheck.circom";
|
||||||
include "pointbits.circom";
|
include "pointbits.circom";
|
||||||
include "pedersen.circom";
|
include "pedersen.circom";
|
||||||
include "escalarmulany.circom";
|
include "escalarmulany.circom";
|
||||||
@ -40,12 +40,15 @@ template EdDSAVerifier(n) {
|
|||||||
|
|
||||||
// Ensure S<Subgroup Order
|
// Ensure S<Subgroup Order
|
||||||
|
|
||||||
component compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
|
component aliasCheck = AliasCheckBabyJub();
|
||||||
|
aliasCheck.enabled <== 1;
|
||||||
|
|
||||||
for (i=0; i<254; i++) {
|
for (i=0; i<251; i++) {
|
||||||
S[i] ==> compConstant.in[i];
|
S[i] ==> aliasCheck.in[i];
|
||||||
}
|
}
|
||||||
compConstant.out === 0;
|
S[251] === 0;
|
||||||
|
S[252] === 0;
|
||||||
|
S[253] === 0;
|
||||||
S[254] === 0;
|
S[254] === 0;
|
||||||
S[255] === 0;
|
S[255] === 0;
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
along with circom. If not, see <https://www.gnu.org/licenses/>.
|
along with circom. If not, see <https://www.gnu.org/licenses/>.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
include "compconstant.circom";
|
include "aliascheck.circom";
|
||||||
include "pointbits.circom";
|
include "pointbits.circom";
|
||||||
include "mimc.circom";
|
include "mimc.circom";
|
||||||
include "bitify.circom";
|
include "bitify.circom";
|
||||||
@ -39,16 +39,15 @@ template EdDSAMiMCVerifier() {
|
|||||||
|
|
||||||
// Ensure S<Subgroup Order
|
// Ensure S<Subgroup Order
|
||||||
|
|
||||||
component snum2bits = Num2Bits(253);
|
component snum2bits = Num2Bits(251);
|
||||||
snum2bits.in <== S;
|
snum2bits.in <== S;
|
||||||
|
|
||||||
component compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
|
component aliasCheck = AliasCheckBabyJub();
|
||||||
|
aliasCheck.enabled <== 1;
|
||||||
|
|
||||||
for (i=0; i<253; i++) {
|
for (i=0; i<251; i++) {
|
||||||
snum2bits.out[i] ==> compConstant.in[i];
|
snum2bits.out[i] ==> aliasCheck.in[i];
|
||||||
}
|
}
|
||||||
compConstant.in[253] <== 0;
|
|
||||||
compConstant.out === 0;
|
|
||||||
|
|
||||||
// Calculate the h = H(R,A, msg)
|
// Calculate the h = H(R,A, msg)
|
||||||
|
|
||||||
@ -104,8 +103,8 @@ template EdDSAMiMCVerifier() {
|
|||||||
5299619240641551281634865583518297030282874472190772894086521144482721001553,
|
5299619240641551281634865583518297030282874472190772894086521144482721001553,
|
||||||
16950150798460657717958625567821834550301663161624707787222815936182638968203
|
16950150798460657717958625567821834550301663161624707787222815936182638968203
|
||||||
];
|
];
|
||||||
component mulFix = EscalarMulFix(253, BASE8);
|
component mulFix = EscalarMulFix(251, BASE8);
|
||||||
for (i=0; i<253; i++) {
|
for (i=0; i<251; i++) {
|
||||||
mulFix.e[i] <== snum2bits.out[i];
|
mulFix.e[i] <== snum2bits.out[i];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
along with circom. If not, see <https://www.gnu.org/licenses/>.
|
along with circom. If not, see <https://www.gnu.org/licenses/>.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
include "compconstant.circom";
|
include "aliascheck.circom";
|
||||||
include "pointbits.circom";
|
include "pointbits.circom";
|
||||||
include "mimcsponge.circom";
|
include "mimcsponge.circom";
|
||||||
include "bitify.circom";
|
include "bitify.circom";
|
||||||
@ -39,16 +39,15 @@ template EdDSAMiMCSpongeVerifier() {
|
|||||||
|
|
||||||
// Ensure S<Subgroup Order
|
// Ensure S<Subgroup Order
|
||||||
|
|
||||||
component snum2bits = Num2Bits(253);
|
component snum2bits = Num2Bits(251);
|
||||||
snum2bits.in <== S;
|
snum2bits.in <== S;
|
||||||
|
|
||||||
component compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
|
component aliasCheck = AliasCheckBabyJub();
|
||||||
|
aliasCheck.enabled <== 1;
|
||||||
|
|
||||||
for (i=0; i<253; i++) {
|
for (i=0; i<251; i++) {
|
||||||
snum2bits.out[i] ==> compConstant.in[i];
|
snum2bits.out[i] ==> aliasCheck.in[i];
|
||||||
}
|
}
|
||||||
compConstant.in[253] <== 0;
|
|
||||||
compConstant.out === 0;
|
|
||||||
|
|
||||||
// Calculate the h = H(R,A, msg)
|
// Calculate the h = H(R,A, msg)
|
||||||
|
|
||||||
@ -104,8 +103,8 @@ template EdDSAMiMCSpongeVerifier() {
|
|||||||
5299619240641551281634865583518297030282874472190772894086521144482721001553,
|
5299619240641551281634865583518297030282874472190772894086521144482721001553,
|
||||||
16950150798460657717958625567821834550301663161624707787222815936182638968203
|
16950150798460657717958625567821834550301663161624707787222815936182638968203
|
||||||
];
|
];
|
||||||
component mulFix = EscalarMulFix(253, BASE8);
|
component mulFix = EscalarMulFix(251, BASE8);
|
||||||
for (i=0; i<253; i++) {
|
for (i=0; i<251; i++) {
|
||||||
mulFix.e[i] <== snum2bits.out[i];
|
mulFix.e[i] <== snum2bits.out[i];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -38,16 +38,15 @@ template EdDSAPoseidonVerifier() {
|
|||||||
|
|
||||||
// Ensure S<Subgroup Order
|
// Ensure S<Subgroup Order
|
||||||
|
|
||||||
component snum2bits = Num2Bits(253);
|
component snum2bits = Num2Bits(251);
|
||||||
snum2bits.in <== S;
|
snum2bits.in <== S;
|
||||||
|
|
||||||
component compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
|
component aliasCheck = AliasCheckBabyJub();
|
||||||
|
aliasCheck.enabled <== enabled;
|
||||||
|
|
||||||
for (i=0; i<253; i++) {
|
for (i=0; i<251; i++) {
|
||||||
snum2bits.out[i] ==> compConstant.in[i];
|
snum2bits.out[i] ==> aliasCheck.in[i];
|
||||||
}
|
}
|
||||||
compConstant.in[253] <== 0;
|
|
||||||
compConstant.out*enabled === 0;
|
|
||||||
|
|
||||||
// Calculate the h = H(R,A, msg)
|
// Calculate the h = H(R,A, msg)
|
||||||
|
|
||||||
@ -103,8 +102,8 @@ template EdDSAPoseidonVerifier() {
|
|||||||
5299619240641551281634865583518297030282874472190772894086521144482721001553,
|
5299619240641551281634865583518297030282874472190772894086521144482721001553,
|
||||||
16950150798460657717958625567821834550301663161624707787222815936182638968203
|
16950150798460657717958625567821834550301663161624707787222815936182638968203
|
||||||
];
|
];
|
||||||
component mulFix = EscalarMulFix(253, BASE8);
|
component mulFix = EscalarMulFix(251, BASE8);
|
||||||
for (i=0; i<253; i++) {
|
for (i=0; i<251; i++) {
|
||||||
mulFix.e[i] <== snum2bits.out[i];
|
mulFix.e[i] <== snum2bits.out[i];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
3
test/circuits/eddsamimcsponge_test.circom
Normal file
3
test/circuits/eddsamimcsponge_test.circom
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
include "../../circuits/eddsamimcsponge.circom";
|
||||||
|
|
||||||
|
component main = EdDSAMiMCSpongeVerifier();
|
@ -67,7 +67,8 @@ describe("EdDSA MiMC test", function () {
|
|||||||
M: msg});
|
M: msg});
|
||||||
assert(false);
|
assert(false);
|
||||||
} catch(err) {
|
} catch(err) {
|
||||||
assert.equal(err.message, "Constraint doesn't match: 1 != 0");
|
assert(err.message.indexOf("Constraint doesn't match") >= 0);
|
||||||
|
assert(err.message.indexOf("1 != 0") >= 0);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
99
test/eddsamimcsponge.js
Normal file
99
test/eddsamimcsponge.js
Normal file
@ -0,0 +1,99 @@
|
|||||||
|
const chai = require("chai");
|
||||||
|
const path = require("path");
|
||||||
|
const snarkjs = require("snarkjs");
|
||||||
|
const compiler = require("circom");
|
||||||
|
|
||||||
|
const eddsa = require("../src/eddsa.js");
|
||||||
|
|
||||||
|
const assert = chai.assert;
|
||||||
|
|
||||||
|
const bigInt = snarkjs.bigInt;
|
||||||
|
|
||||||
|
describe("EdDSA MiMCSponge test", function () {
|
||||||
|
let circuit;
|
||||||
|
|
||||||
|
this.timeout(100000);
|
||||||
|
|
||||||
|
before( async () => {
|
||||||
|
const cirDef = await compiler(path.join(__dirname, "circuits", "eddsamimcsponge_test.circom"));
|
||||||
|
|
||||||
|
circuit = new snarkjs.Circuit(cirDef);
|
||||||
|
|
||||||
|
console.log("NConstrains EdDSA MiMCSponge: " + circuit.nConstraints);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("Sign a single number", async () => {
|
||||||
|
const msg = bigInt(1234);
|
||||||
|
|
||||||
|
const prvKey = Buffer.from("0001020304050607080900010203040506070809000102030405060708090001", "hex");
|
||||||
|
|
||||||
|
const pubKey = eddsa.prv2pub(prvKey);
|
||||||
|
|
||||||
|
const signature = eddsa.signMiMCSponge(prvKey, msg);
|
||||||
|
|
||||||
|
assert(eddsa.verifyMiMCSponge(msg, signature, pubKey));
|
||||||
|
|
||||||
|
const w = circuit.calculateWitness({
|
||||||
|
enabled: 1,
|
||||||
|
Ax: pubKey[0],
|
||||||
|
Ay: pubKey[1],
|
||||||
|
R8x: signature.R8[0],
|
||||||
|
R8y: signature.R8[1],
|
||||||
|
S: signature.S,
|
||||||
|
M: msg});
|
||||||
|
|
||||||
|
assert(circuit.checkWitness(w));
|
||||||
|
});
|
||||||
|
|
||||||
|
it("Detect Invalid signature", async () => {
|
||||||
|
const msg = bigInt(1234);
|
||||||
|
|
||||||
|
const prvKey = Buffer.from("0001020304050607080900010203040506070809000102030405060708090001", "hex");
|
||||||
|
|
||||||
|
const pubKey = eddsa.prv2pub(prvKey);
|
||||||
|
|
||||||
|
|
||||||
|
const signature = eddsa.signMiMCSponge(prvKey, msg);
|
||||||
|
|
||||||
|
assert(eddsa.verifyMiMCSponge(msg, signature, pubKey));
|
||||||
|
try {
|
||||||
|
const w = circuit.calculateWitness({
|
||||||
|
enabled: 1,
|
||||||
|
Ax: pubKey[0],
|
||||||
|
Ay: pubKey[1],
|
||||||
|
R8x: signature.R8[0].add(bigInt(1)),
|
||||||
|
R8y: signature.R8[1],
|
||||||
|
S: signature.S,
|
||||||
|
M: msg});
|
||||||
|
assert(false);
|
||||||
|
} catch(err) {
|
||||||
|
assert(err.message.indexOf("Constraint doesn't match") >= 0);
|
||||||
|
assert(err.message.indexOf("1 != 0") >= 0);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
|
||||||
|
it("Test a dissabled circuit with a bad signature", async () => {
|
||||||
|
const msg = bigInt(1234);
|
||||||
|
|
||||||
|
const prvKey = Buffer.from("0001020304050607080900010203040506070809000102030405060708090001", "hex");
|
||||||
|
|
||||||
|
const pubKey = eddsa.prv2pub(prvKey);
|
||||||
|
|
||||||
|
|
||||||
|
const signature = eddsa.signMiMCSponge(prvKey, msg);
|
||||||
|
|
||||||
|
assert(eddsa.verifyMiMCSponge(msg, signature, pubKey));
|
||||||
|
|
||||||
|
const w = circuit.calculateWitness({
|
||||||
|
enabled: 0,
|
||||||
|
Ax: pubKey[0],
|
||||||
|
Ay: pubKey[1],
|
||||||
|
R8x: signature.R8[0].add(bigInt(1)),
|
||||||
|
R8y: signature.R8[1],
|
||||||
|
S: signature.S,
|
||||||
|
M: msg});
|
||||||
|
|
||||||
|
assert(circuit.checkWitness(w));
|
||||||
|
});
|
||||||
|
});
|
@ -67,7 +67,8 @@ describe("EdDSA Poseidon test", function () {
|
|||||||
M: msg});
|
M: msg});
|
||||||
assert(false);
|
assert(false);
|
||||||
} catch(err) {
|
} catch(err) {
|
||||||
assert.equal(err.message, "Constraint doesn't match: 1 != 0");
|
assert(err.message.indexOf("Constraint doesn't match") >= 0);
|
||||||
|
assert(err.message.indexOf("1 != 0") >= 0);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user