From de9c7dda46f3eb64bc89c9f8f8acbe3bd4169361 Mon Sep 17 00:00:00 2001 From: Kobi Gurkan Date: Thu, 14 Nov 2019 12:54:07 +0200 Subject: [PATCH 1/7] mimcsponge: makes rounds constant --- circuits/eddsamimcsponge.circom | 2 +- circuits/mimcsponge.circom | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/circuits/eddsamimcsponge.circom b/circuits/eddsamimcsponge.circom index af38d57..93405e9 100644 --- a/circuits/eddsamimcsponge.circom +++ b/circuits/eddsamimcsponge.circom @@ -52,7 +52,7 @@ template EdDSAMiMCSpongeVerifier() { // Calculate the h = H(R,A, msg) - component hash = MiMCSponge(5, 220, 1); + component hash = MiMCSponge(5, 1); hash.ins[0] <== R8x; hash.ins[1] <== R8y; hash.ins[2] <== Ax; diff --git a/circuits/mimcsponge.circom b/circuits/mimcsponge.circom index 3e84c46..8ccb329 100644 --- a/circuits/mimcsponge.circom +++ b/circuits/mimcsponge.circom @@ -1,11 +1,13 @@ // implements MiMC-2n/n as hash using a sponge construction. // log_5(21888242871839275222246405745257275088548364400416034343698204186575808495617) ~= 110 // => nRounds should be 220 -template MiMCSponge(nInputs, nRounds, nOutputs) { +template MiMCSponge(nInputs, nOutputs) { signal input ins[nInputs]; signal input k; signal output outs[nOutputs]; + var nRounds = 220; + // S = R||C component S[nInputs + nOutputs - 1]; From ba656fefbed44f94d88e6bba46f908b7115230eb Mon Sep 17 00:00:00 2001 From: Kobi Gurkan Date: Thu, 14 Nov 2019 17:31:00 +0200 Subject: [PATCH 2/7] mimcsponge: makes the contract hash-only --- circuits/README.md | 2 +- src/mimcsponge_gencontract.js | 78 +++++++++------------- test/circuits/mimc_sponge_hash_test.circom | 2 +- test/mimcspongecontract.js | 4 +- 4 files changed, 37 insertions(+), 49 deletions(-) diff --git a/circuits/README.md b/circuits/README.md index 30b1cd2..afd4a1f 100644 --- a/circuits/README.md +++ b/circuits/README.md @@ -512,7 +512,7 @@ Implementation of MiMC-7 hash in Fp being... (link to description of the hash) ### mimcsponge -- `MiMCSponge(nInputs, nRounds, nOutputs)` +- `MiMCSponge(nInputs, nOutputs)` - DESCRIPTION - SCHEMA diff --git a/src/mimcsponge_gencontract.js b/src/mimcsponge_gencontract.js index eb7d27b..1fd5bb1 100644 --- a/src/mimcsponge_gencontract.js +++ b/src/mimcsponge_gencontract.js @@ -20,34 +20,29 @@ function createCode(seed, n) { C.push("0x00"); C.mload(); C.div(); - C.push("0x3f1a1187"); // MiMCSponge(uint256,uint256,uint256) + C.push("0xf47d33b5"); // MiMCSponge(uint256,uint256) C.eq(); C.jmpi("start"); C.invalid(); C.label("start"); C.push("0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001"); // q - C.push("0x44"); - C.mload(); // k q C.push("0x04"); - C.mload(); // xL k q - C.dup(2); // q xL k q + C.mload(); // xL q + C.dup(1); // q xL q C.push("0x24"); - C.mload(); // xR q xL k q - C.dup(1); // q xR q xL k q - C.dup(0); // q q xR q xL k q - C.dup(4); // xL q q xR q xL k q - C.dup(6); // k xL q q xR q xL k q - C.addmod(); // t=k+xL q xR q xL k q - C.dup(1); // q t q xR q xL k q - C.dup(0); // q q t q xR q xL k q - C.dup(2); // t q q t q xR q xL k q - C.dup(0); // t t q q t q xR q xL k q - C.mulmod(); // b=t^2 q t q xR q xL k q - C.dup(0); // b b q t q xR q xL k q - C.mulmod(); // c=t^4 t q xR q xL k q - C.mulmod(); // d=t^5 xR q xL k q - C.addmod(); // e=t^5+xR xL k q (for next round: xL xR k q) + C.mload(); // xR q xL q + C.dup(1); // q xR q xL q + C.dup(3); // xL q xR q xL q + C.dup(1); // q xL q xR q xL q + C.dup(0); // q q xL q xR q xL q + C.dup(2); // xL q q xL q xR q xL q + C.dup(0); // xL xL q q xL q xR q xL q + C.mulmod(); // b=xL^2 q xL q xR q xL q + C.dup(0); // b b q xL q xR q xL q + C.mulmod(); // c=xL^4 xL q xR q xL q + C.mulmod(); // d=xL^5 xR q xL q + C.addmod(); // e=xL^5+xR xL q (for next round: xL xR q) for (let i=0; i { }); it("Shold calculate the mimc correctly", async () => { - const res = await mimc.methods.MiMCSponge(1,2,3).call(); - const res2 = await mimcjs.hash(1,2,3); + const res = await mimc.methods.MiMCSponge(1,2).call(); + const res2 = await mimcjs.hash(1,2, 0); assert.equal(res.xL.toString(), res2.xL.toString()); assert.equal(res.xR.toString(), res2.xR.toString()); From 451fb51a0d1c67ae692f4c48128bb3876681de3f Mon Sep 17 00:00:00 2001 From: Kobi Gurkan Date: Sat, 23 Nov 2019 19:24:02 +0200 Subject: [PATCH 3/7] adds comments to binsum --- circuits/binsum.circom | 2 ++ 1 file changed, 2 insertions(+) diff --git a/circuits/binsum.circom b/circuits/binsum.circom index 3783e26..34b561f 100644 --- a/circuits/binsum.circom +++ b/circuits/binsum.circom @@ -50,6 +50,7 @@ To waranty binary outputs: This function calculates the number of extra bits in the output to do the full sum. */ +/* a must be < Nq/2, where Nq is the number of elements in the scalar field */ function nbits(a) { var n = 1; var r = 0; @@ -61,6 +62,7 @@ function nbits(a) { } +/* n must be such that (2**(n+1) -2) < Nq/ops, where Nq is the number of bits in the scalar field */ template BinSum(n, ops) { var nout = nbits((2**n -1)*ops); signal input in[ops][n]; From 5ec07443030cf4defc875d7c6a0fb6857793710e Mon Sep 17 00:00:00 2001 From: Kobi Gurkan Date: Sat, 23 Nov 2019 21:19:47 +0200 Subject: [PATCH 4/7] adds alias check for babyjubjub --- circuits/aliascheck.circom | 12 +++- test/aliascheck.js | 6 +- test/aliascheckbabyjub.js | 75 +++++++++++++++++++++ test/babyjub.js | 4 +- test/circuits/aliascheckbabyjub_test.circom | 3 + 5 files changed, 95 insertions(+), 5 deletions(-) create mode 100644 test/aliascheckbabyjub.js create mode 100644 test/circuits/aliascheckbabyjub_test.circom diff --git a/circuits/aliascheck.circom b/circuits/aliascheck.circom index c4dfad5..4352a0a 100644 --- a/circuits/aliascheck.circom +++ b/circuits/aliascheck.circom @@ -21,7 +21,6 @@ include "compconstant.circom"; template AliasCheck() { - signal input in[254]; component compConstant = CompConstant(-1); @@ -30,3 +29,14 @@ template AliasCheck() { compConstant.out === 0; } + +template AliasCheckBabyJub() { + signal input in[251]; + + component compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040); + + for (var i=0; i<251; i++) in[i] ==> compConstant.in[i]; + for (var i=0; i<3; i++) 0 ==> compConstant.in[251+i]; + + compConstant.out === 0; +} diff --git a/test/aliascheck.js b/test/aliascheck.js index 155bdba..1e94692 100644 --- a/test/aliascheck.js +++ b/test/aliascheck.js @@ -56,7 +56,8 @@ describe("Aliascheck test", () => { circuit.calculateWitness({in: inp}); assert(false); } catch(err) { - assert.equal(err.message, "Constraint doesn't match: 1 != 0"); + assert(err.message.indexOf("Constraint doesn't match") >= 0); + assert(err.message.indexOf("1 != 0") >= 0); } }); @@ -67,7 +68,8 @@ describe("Aliascheck test", () => { circuit.calculateWitness({in: inp}); assert(false); } catch(err) { - assert.equal(err.message, "Constraint doesn't match: 1 != 0"); + assert(err.message.indexOf("Constraint doesn't match") >= 0); + assert(err.message.indexOf("1 != 0") >= 0); } }); diff --git a/test/aliascheckbabyjub.js b/test/aliascheckbabyjub.js new file mode 100644 index 0000000..9b82d58 --- /dev/null +++ b/test/aliascheckbabyjub.js @@ -0,0 +1,75 @@ +const chai = require("chai"); +const path = require("path"); +const snarkjs = require("snarkjs"); +const compiler = require("circom"); + +const assert = chai.assert; + +const bigInt = snarkjs.bigInt; + +function print(circuit, w, s) { + console.log(s + ": " + w[circuit.getSignalIdx(s)]); +} + +function getBits(v, n) { + const res = []; + for (let i=0; i { + let circuit; + before( async() => { + const cirDef = await compiler(path.join(__dirname, "circuits", "aliascheckbabyjub_test.circom")); + + circuit = new snarkjs.Circuit(cirDef); + + console.log("NConstrains: " + circuit.nConstraints); + }); + + it("Satisfy the aliastest 0", async () => { + const inp = getBits(bigInt.zero, 251); + circuit.calculateWitness({in: inp}); + }); + + it("Satisfy the aliastest 3", async () => { + const inp = getBits(bigInt(3), 251); + circuit.calculateWitness({in: inp}); + }); + + it("Satisfy the aliastest r-1", async () => { + const inp = getBits(r.sub(bigInt.one), 251); + circuit.calculateWitness({in: inp}); + }); + + it("Nhot not satisfy an input of r", async () => { + const inp = getBits(r, 251); + try { + circuit.calculateWitness({in: inp}); + assert(false); + } catch(err) { + assert(err.message.indexOf("Constraint doesn't match") >= 0); + assert(err.message.indexOf("1 != 0") >= 0); + } + }); + + it("Nhot not satisfy all ones", async () => { + const inp = getBits(bigInt(1).shl(251).sub(bigInt(1)), 251); + try { + circuit.calculateWitness({in: inp}); + assert(false); + } catch(err) { + assert(err.message.indexOf("Constraint doesn't match") >= 0); + assert(err.message.indexOf("1 != 0") >= 0); + } + }); + +}); diff --git a/test/babyjub.js b/test/babyjub.js index f47db49..9f3a0ca 100644 --- a/test/babyjub.js +++ b/test/babyjub.js @@ -100,7 +100,8 @@ describe("Baby Jub test", function () { circuitTest.calculateWitness({x: 1, y: 0}); assert(false, "Should be a valid point"); } catch(err) { - assert.equal(err.message, "Constraint doesn't match: 168700 != 1"); + assert(err.message.indexOf("Constraint doesn't match") >= 0); + assert(err.message.indexOf("168700 != 1") >= 0); } }); @@ -121,5 +122,4 @@ describe("Baby Jub test", function () { const w = circuitPbk.calculateWitness(input); assert(circuitPbk.checkWitness(w)); }); - }); diff --git a/test/circuits/aliascheckbabyjub_test.circom b/test/circuits/aliascheckbabyjub_test.circom new file mode 100644 index 0000000..2a3e326 --- /dev/null +++ b/test/circuits/aliascheckbabyjub_test.circom @@ -0,0 +1,3 @@ +include "../../circuits/aliascheck.circom"; + +component main = AliasCheckBabyJub() From 42e96c2e1f23da52cac93bb3f7f9c49e0853de93 Mon Sep 17 00:00:00 2001 From: Kobi Gurkan Date: Sat, 23 Nov 2019 21:36:06 +0200 Subject: [PATCH 5/7] makes S value in eddsa signatures be 251 bit, uses alias checks with enabled flag and adds eddsamimcsponge test --- circuits/aliascheck.circom | 3 +- circuits/eddsa.circom | 13 +-- circuits/eddsamimc.circom | 17 ++-- circuits/eddsamimcsponge.circom | 17 ++-- circuits/eddsaposeidon.circom | 15 ++-- test/circuits/eddsamimcsponge_test.circom | 3 + test/eddsamimc.js | 3 +- test/eddsamimcsponge.js | 99 +++++++++++++++++++++++ test/eddsaposeidon.js | 3 +- 9 files changed, 139 insertions(+), 34 deletions(-) create mode 100644 test/circuits/eddsamimcsponge_test.circom create mode 100644 test/eddsamimcsponge.js diff --git a/circuits/aliascheck.circom b/circuits/aliascheck.circom index 4352a0a..a5e8fb7 100644 --- a/circuits/aliascheck.circom +++ b/circuits/aliascheck.circom @@ -32,11 +32,12 @@ template AliasCheck() { template AliasCheckBabyJub() { signal input in[251]; + signal input enabled; component compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040); for (var i=0; i<251; i++) in[i] ==> compConstant.in[i]; for (var i=0; i<3; i++) 0 ==> compConstant.in[251+i]; - compConstant.out === 0; + compConstant.out*enabled === 0; } diff --git a/circuits/eddsa.circom b/circuits/eddsa.circom index 1026774..93cfbe6 100644 --- a/circuits/eddsa.circom +++ b/circuits/eddsa.circom @@ -17,7 +17,7 @@ along with circom. If not, see . */ -include "compconstant.circom"; +include "aliascheck.circom"; include "pointbits.circom"; include "pedersen.circom"; include "escalarmulany.circom"; @@ -40,12 +40,15 @@ template EdDSAVerifier(n) { // Ensure S compConstant.in[i]; + for (i=0; i<251; i++) { + S[i] ==> aliasCheck.in[i]; } - compConstant.out === 0; + S[251] === 0; + S[252] === 0; + S[253] === 0; S[254] === 0; S[255] === 0; diff --git a/circuits/eddsamimc.circom b/circuits/eddsamimc.circom index aef5df5..0d5b01d 100644 --- a/circuits/eddsamimc.circom +++ b/circuits/eddsamimc.circom @@ -17,7 +17,7 @@ along with circom. If not, see . */ -include "compconstant.circom"; +include "aliascheck.circom"; include "pointbits.circom"; include "mimc.circom"; include "bitify.circom"; @@ -39,16 +39,15 @@ template EdDSAMiMCVerifier() { // Ensure S compConstant.in[i]; + for (i=0; i<251; i++) { + snum2bits.out[i] ==> aliasCheck.in[i]; } - compConstant.in[253] <== 0; - compConstant.out === 0; // Calculate the h = H(R,A, msg) @@ -104,8 +103,8 @@ template EdDSAMiMCVerifier() { 5299619240641551281634865583518297030282874472190772894086521144482721001553, 16950150798460657717958625567821834550301663161624707787222815936182638968203 ]; - component mulFix = EscalarMulFix(253, BASE8); - for (i=0; i<253; i++) { + component mulFix = EscalarMulFix(251, BASE8); + for (i=0; i<251; i++) { mulFix.e[i] <== snum2bits.out[i]; } diff --git a/circuits/eddsamimcsponge.circom b/circuits/eddsamimcsponge.circom index 93405e9..ffa22a5 100644 --- a/circuits/eddsamimcsponge.circom +++ b/circuits/eddsamimcsponge.circom @@ -17,7 +17,7 @@ along with circom. If not, see . */ -include "compconstant.circom"; +include "aliascheck.circom"; include "pointbits.circom"; include "mimcsponge.circom"; include "bitify.circom"; @@ -39,16 +39,15 @@ template EdDSAMiMCSpongeVerifier() { // Ensure S compConstant.in[i]; + for (i=0; i<251; i++) { + snum2bits.out[i] ==> aliasCheck.in[i]; } - compConstant.in[253] <== 0; - compConstant.out === 0; // Calculate the h = H(R,A, msg) @@ -104,8 +103,8 @@ template EdDSAMiMCSpongeVerifier() { 5299619240641551281634865583518297030282874472190772894086521144482721001553, 16950150798460657717958625567821834550301663161624707787222815936182638968203 ]; - component mulFix = EscalarMulFix(253, BASE8); - for (i=0; i<253; i++) { + component mulFix = EscalarMulFix(251, BASE8); + for (i=0; i<251; i++) { mulFix.e[i] <== snum2bits.out[i]; } diff --git a/circuits/eddsaposeidon.circom b/circuits/eddsaposeidon.circom index 0d9faa0..fb6c782 100644 --- a/circuits/eddsaposeidon.circom +++ b/circuits/eddsaposeidon.circom @@ -38,16 +38,15 @@ template EdDSAPoseidonVerifier() { // Ensure S compConstant.in[i]; + for (i=0; i<251; i++) { + snum2bits.out[i] ==> aliasCheck.in[i]; } - compConstant.in[253] <== 0; - compConstant.out*enabled === 0; // Calculate the h = H(R,A, msg) @@ -103,8 +102,8 @@ template EdDSAPoseidonVerifier() { 5299619240641551281634865583518297030282874472190772894086521144482721001553, 16950150798460657717958625567821834550301663161624707787222815936182638968203 ]; - component mulFix = EscalarMulFix(253, BASE8); - for (i=0; i<253; i++) { + component mulFix = EscalarMulFix(251, BASE8); + for (i=0; i<251; i++) { mulFix.e[i] <== snum2bits.out[i]; } diff --git a/test/circuits/eddsamimcsponge_test.circom b/test/circuits/eddsamimcsponge_test.circom new file mode 100644 index 0000000..ee27dc5 --- /dev/null +++ b/test/circuits/eddsamimcsponge_test.circom @@ -0,0 +1,3 @@ +include "../../circuits/eddsamimcsponge.circom"; + +component main = EdDSAMiMCSpongeVerifier(); diff --git a/test/eddsamimc.js b/test/eddsamimc.js index 76f0a4f..e5bdc9a 100644 --- a/test/eddsamimc.js +++ b/test/eddsamimc.js @@ -67,7 +67,8 @@ describe("EdDSA MiMC test", function () { M: msg}); assert(false); } catch(err) { - assert.equal(err.message, "Constraint doesn't match: 1 != 0"); + assert(err.message.indexOf("Constraint doesn't match") >= 0); + assert(err.message.indexOf("1 != 0") >= 0); } }); diff --git a/test/eddsamimcsponge.js b/test/eddsamimcsponge.js new file mode 100644 index 0000000..160e32d --- /dev/null +++ b/test/eddsamimcsponge.js @@ -0,0 +1,99 @@ +const chai = require("chai"); +const path = require("path"); +const snarkjs = require("snarkjs"); +const compiler = require("circom"); + +const eddsa = require("../src/eddsa.js"); + +const assert = chai.assert; + +const bigInt = snarkjs.bigInt; + +describe("EdDSA MiMCSponge test", function () { + let circuit; + + this.timeout(100000); + + before( async () => { + const cirDef = await compiler(path.join(__dirname, "circuits", "eddsamimcsponge_test.circom")); + + circuit = new snarkjs.Circuit(cirDef); + + console.log("NConstrains EdDSA MiMCSponge: " + circuit.nConstraints); + }); + + it("Sign a single number", async () => { + const msg = bigInt(1234); + + const prvKey = Buffer.from("0001020304050607080900010203040506070809000102030405060708090001", "hex"); + + const pubKey = eddsa.prv2pub(prvKey); + + const signature = eddsa.signMiMCSponge(prvKey, msg); + + assert(eddsa.verifyMiMCSponge(msg, signature, pubKey)); + + const w = circuit.calculateWitness({ + enabled: 1, + Ax: pubKey[0], + Ay: pubKey[1], + R8x: signature.R8[0], + R8y: signature.R8[1], + S: signature.S, + M: msg}); + + assert(circuit.checkWitness(w)); + }); + + it("Detect Invalid signature", async () => { + const msg = bigInt(1234); + + const prvKey = Buffer.from("0001020304050607080900010203040506070809000102030405060708090001", "hex"); + + const pubKey = eddsa.prv2pub(prvKey); + + + const signature = eddsa.signMiMCSponge(prvKey, msg); + + assert(eddsa.verifyMiMCSponge(msg, signature, pubKey)); + try { + const w = circuit.calculateWitness({ + enabled: 1, + Ax: pubKey[0], + Ay: pubKey[1], + R8x: signature.R8[0].add(bigInt(1)), + R8y: signature.R8[1], + S: signature.S, + M: msg}); + assert(false); + } catch(err) { + assert(err.message.indexOf("Constraint doesn't match") >= 0); + assert(err.message.indexOf("1 != 0") >= 0); + } + }); + + + it("Test a dissabled circuit with a bad signature", async () => { + const msg = bigInt(1234); + + const prvKey = Buffer.from("0001020304050607080900010203040506070809000102030405060708090001", "hex"); + + const pubKey = eddsa.prv2pub(prvKey); + + + const signature = eddsa.signMiMCSponge(prvKey, msg); + + assert(eddsa.verifyMiMCSponge(msg, signature, pubKey)); + + const w = circuit.calculateWitness({ + enabled: 0, + Ax: pubKey[0], + Ay: pubKey[1], + R8x: signature.R8[0].add(bigInt(1)), + R8y: signature.R8[1], + S: signature.S, + M: msg}); + + assert(circuit.checkWitness(w)); + }); +}); diff --git a/test/eddsaposeidon.js b/test/eddsaposeidon.js index 8b0e82a..b018a0d 100644 --- a/test/eddsaposeidon.js +++ b/test/eddsaposeidon.js @@ -67,7 +67,8 @@ describe("EdDSA Poseidon test", function () { M: msg}); assert(false); } catch(err) { - assert.equal(err.message, "Constraint doesn't match: 1 != 0"); + assert(err.message.indexOf("Constraint doesn't match") >= 0); + assert(err.message.indexOf("1 != 0") >= 0); } }); From 844538143137e43c477890eafaa6a20e3bca6111 Mon Sep 17 00:00:00 2001 From: Kobi Gurkan Date: Sat, 23 Nov 2019 22:00:11 +0200 Subject: [PATCH 6/7] escalarmulfix uses segments of 246 and adds comments on limits --- circuits/bitify.circom | 2 ++ circuits/escalarmulfix.circom | 10 ++++++---- circuits/montgomery.circom | 1 + circuits/pedersen.circom | 1 + 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/circuits/bitify.circom b/circuits/bitify.circom index 2050e13..470e0c8 100644 --- a/circuits/bitify.circom +++ b/circuits/bitify.circom @@ -21,6 +21,7 @@ include "comparators.circom"; include "aliascheck.circom"; +/* This doesn't check aliasing, so for n > 253 there are multiple bit strings for each number */ template Num2Bits(n) { signal input in; signal output out[n]; @@ -76,6 +77,7 @@ template Bits2Num_strict() { b2n.out ==> out; } +/* n must not exceed 253 */ template Num2BitsNeg(n) { signal input in; signal output out[n]; diff --git a/circuits/escalarmulfix.circom b/circuits/escalarmulfix.circom index 8e3e031..5ea8e09 100644 --- a/circuits/escalarmulfix.circom +++ b/circuits/escalarmulfix.circom @@ -44,6 +44,7 @@ include "babyjub.circom"; A good way to see it is that the accumulator input of the adder >= 2^247*B and the other input is the output of the windows that it's going to be <= 2^246*B */ + /* base must not be the neutral element nor points of small order */ template WindowMulFix() { signal input in[3]; signal input base[2]; @@ -133,11 +134,12 @@ template WindowMulFix() { /* This component does a multiplication of a escalar times a fix base + nWindows must not exceed 82 Signals: e: The scalar in bits base: the base point in edwards format out: The result - dbl: Point in Edwards to be linked to the next segment. + dbl: Point in Montgomery to be linked to the next segment. */ template SegmentMulFix(nWindows) { @@ -236,7 +238,7 @@ template EscalarMulFix(n, BASE) { signal output out[2]; // Point (Twisted format) var nsegments = (n-1)\246 +1; // 249 probably would work. But I'm not sure and for security I keep 246 - var nlastsegment = n - (nsegments-1)*249; + var nlastsegment = n - (nsegments-1)*246; component segments[nsegments]; @@ -250,13 +252,13 @@ template EscalarMulFix(n, BASE) { for (s=0; s Date: Sun, 1 Dec 2019 15:38:38 +0200 Subject: [PATCH 7/7] adds comment about baby pbk public key extraction --- circuits/babyjub.circom | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/circuits/babyjub.circom b/circuits/babyjub.circom index 73cb84c..a9c0432 100644 --- a/circuits/babyjub.circom +++ b/circuits/babyjub.circom @@ -81,7 +81,7 @@ template BabyCheck() { a*x2 + y2 === 1 + d*x2*y2; } -// Extracts the public key from private key +// Extracts the public key from private key, as mentioned in https://tools.ietf.org/html/rfc8032 template BabyPbk() { signal private input in; signal output Ax;