/*
    Copyright 2018 0KIMS association.

    This file is part of circom (Zero Knowledge Circuit Compiler).

    circom is a free software: you can redistribute it and/or modify it
    under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    circom is distributed in the hope that it will be useful, but WITHOUT
    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
    License for more details.

    You should have received a copy of the GNU General Public License
    along with circom. If not, see <https://www.gnu.org/licenses/>.
*/

include "bitify.circom";
include "escalarmulfix.circom";

// Point addition on the twisted Edwards curve  a*x^2 + y^2 = 1 + d*x^2*y^2
// with a = 168700 and d = 168696 (the same constants BabyCheck uses).
//
// Inputs : (x1, y1), (x2, y2)  -- the two points to add.
// Outputs: (xout, yout)        -- their sum:
//            xout = (x1*y2 + y1*x2) / (1 + d*x1*x2*y1*y2)
//            yout = (y1*y2 - a*x1*x2) / (1 - d*x1*x2*y1*y2)
//
// NOTE(review): this template does NOT constrain its inputs to lie on the
// curve. The caller has to establish that, e.g. with BabyCheck or by taking
// the points from another constrained component. The soundness of the two
// division gadgets below depends on the denominators being non-zero, which
// is presumably guaranteed only for on-curve inputs (complete addition law)
// -- confirm against the curve parameters.
template BabyAdd() {
    signal input x1;
    signal input y1;
    signal input x2;
    signal input y2;
    signal output xout;
    signal output yout;

    // Intermediate products; each `<==` below contributes one quadratic constraint.
    signal beta;
    signal gamma;
    signal delta;
    signal tau;

    var a = 168700;
    var d = 168696;

    beta <== x1*y2;
    gamma <== y1*x2;
    // Expanding gives delta = y1*y2 - a*x1*x2 - a*beta + gamma, so that
    // (delta + a*beta - gamma) below equals the y numerator y1*y2 - a*x1*x2
    // without spending a separate multiplication on x1*x2 and y1*y2.
    delta <== (-a*x1+y1)*(x2 + y2);
    tau <== beta * gamma;    // = x1*x2*y1*y2

    // `<--` only assigns the witness value and adds no constraint; the `===`
    // on the next line is what binds xout. If (1 + d*tau) were 0, that
    // constraint would reduce to 0 === beta + gamma and leave xout unbound.
    xout <-- (beta + gamma) / (1+ d*tau);
    (1+ d*tau) * xout === (beta + gamma);

    // Same assign-then-constrain pattern for yout, with denominator (1 - d*tau).
    yout <-- (delta + a*beta - gamma) / (1-d*tau);
    (1-d*tau)*yout === (delta + a*beta - gamma);
}

// Point doubling: feeds (x, y) into both inputs of BabyAdd and forwards the
// result. It adds no constraints of its own, so the BabyAdd caveat about
// unchecked inputs applies here unchanged.
template BabyDbl() {
    signal input x;
    signal input y;
    signal output xout;
    signal output yout;

    component adder = BabyAdd();
    adder.x1 <== x;
    adder.y1 <== y;
    adder.x2 <== x;
    adder.y2 <== y;

    adder.xout ==> xout;
    adder.yout ==> yout;
}

// Constrains (x, y) to satisfy the curve equation a*x^2 + y^2 = 1 + d*x^2*y^2.
// The template has no outputs; an off-curve point makes the constraint
// unsatisfiable.
//
// NOTE(review): the curve equation is the only constraint here. Nothing in
// this template checks that the point belongs to a particular subgroup; if a
// protocol needs that, it has to be enforced separately.
template BabyCheck() {
    signal input x;
    signal input y;

    signal x2;
    signal y2;

    var a = 168700;
    var d = 168696;

    x2 <== x*x;
    y2 <== y*y;

    a*x2 + y2 === 1 + d*x2*y2;
}

// Extracts the public key from private key, as mentioned in https://tools.ietf.org/html/rfc8032
//
// Input : in        -- private scalar (declared `private`).
// Output: (Ax, Ay)  -- the point produced by EscalarMulFix from the bits of
//                      `in` and the fixed point BASE8.
//
// NOTE(review): `in` is used directly as the scalar. No hashing or bit
// clamping of a secret seed is visible in this template, so if the RFC 8032
// derivation is intended, that step presumably happens outside the circuit
// -- confirm with the caller.
// NOTE(review): the scalar is only bounded through its 253-bit decomposition
// and is not reduced modulo the order of BASE8 here, so distinct values of
// `in` may yield the same (Ax, Ay) -- verify whether callers rely on the
// private key being unique.
template BabyPbk() {
    signal private input  in;
    signal         output Ax;
    signal         output Ay;

    // Fixed base point handed to EscalarMulFix; the name suggests it is 8
    // times a generator -- TODO confirm against the curve specification.
    var BASE8 = [
        5299619240641551281634865583518297030282874472190772894086521144482721001553,
        16950150798460657717958625567821834550301663161624707787222815936182638968203
    ];

    // Num2Bits comes from bitify.circom (not shown here); presumably it
    // constrains `in` to equal the 253-bit value of its outputs, little-endian.
    component pvkBits = Num2Bits(253);
    pvkBits.in <== in;

    // EscalarMulFix comes from escalarmulfix.circom (not shown here);
    // presumably a fixed-base scalar multiplication of BASE8 by the bits in e[].
    component mulFix = EscalarMulFix(253, BASE8);

    var i;
    for (i=0; i<253; i++) {
        mulFix.e[i] <== pvkBits.out[i];
    }
    Ax  <== mulFix.out[0];
    Ay  <== mulFix.out[1];
}