Documentation
Overview
Package eddsa implements EdDSA signature verification over twisted Edwards elliptic curves available in gnark and gnark-crypto. These are the so-called "embedded curves" (e.g. Baby-Jubjub, Bandersnatch...) defined over the scalar field of the pairing-friendly SNARK curves (e.g. BN254, BLS12-381...).
The package depends on the native/twistededwards package for elliptic curve group operations in twisted Edwards form using native arithmetic. The cost of a single Baby-Jubjub signature verification in a BN254-SNARK is approximately 7k constraints in R1CS and 11k constraints in PLONKish.
See [EdDSA] for the signature verification algorithm.
[EdDSA]: https://en.wikipedia.org/wiki/EdDSA
Functions
func Verify
func Verify(curve twistededwards.Curve, sig Signature, msg frontend.Variable, pubKey PublicKey, hash hash.FieldHasher) error
Verify verifies an EdDSA signature using the MiMC hash function; cf. https://en.wikipedia.org/wiki/EdDSA
Types
type PublicKey
type PublicKey struct {
	A twistededwards.Point
}
PublicKey stores an EdDSA public key (to be used in a gnark circuit).
type Signature
type Signature struct {
	R twistededwards.Point
	S frontend.Variable
}
Signature stores a signature (to be used in a gnark circuit). An EdDSA signature is a tuple (R, S) where R is a point on the twisted Edwards curve and S is a scalar. Since the base field of the twisted Edwards curve is Fr, the number of points N on the curve is < r+1+2sqrt(r)+2 (since the curve has 2 points of multiplicity 2). The order l of the subgroup used in EdDSA is < (1/2)N, so the reduction mod l ensures S < r; therefore there is no risk of overflow.
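The overflow argument above can be checked numerically. The following is an added example, not code from the gnark package: it assumes the BN254 scalar field modulus and the Baby-Jubjub point count with cofactor 8 (constants not given on this page), and `SubgroupOrder` and `mustInt` are hypothetical helper names. It also shows that N itself is larger than r for this pair, so only the subgroup order makes S fit in a field element.

```go
package main

import (
	"fmt"
	"math/big"
)

// Assumed constants (not on the page): BN254 modulus r, Baby-Jubjub point count N.
const (
	rBN254      = "21888242871839275222246405745257275088548364400416034343698204186575808495617"
	nBabyJubjub = "21888242871839275222246405745257275088614511777268538073601725287587578984328"
)

func mustInt(s string) *big.Int {
	v, ok := new(big.Int).SetString(s, 10)
	if !ok {
		panic("bad integer literal")
	}
	return v
}

// SubgroupOrder (hypothetical helper) checks N < r+1+2sqrt(r)+2, l < N/2 and
// l < r, then returns l = N/cofactor. floor(sqrt(r)) only makes check 1 stricter.
func SubgroupOrder(r, n *big.Int, cofactor int64) (*big.Int, error) {
	bound := new(big.Int).Sqrt(r)
	bound.Lsh(bound, 1).Add(bound, r).Add(bound, big.NewInt(3))
	if n.Cmp(bound) >= 0 {
		return nil, fmt.Errorf("N violates the point-count bound")
	}
	l, rem := new(big.Int).QuoRem(n, big.NewInt(cofactor), new(big.Int))
	if rem.Sign() != 0 {
		return nil, fmt.Errorf("cofactor does not divide N")
	}
	if new(big.Int).Lsh(l, 1).Cmp(n) >= 0 {
		return nil, fmt.Errorf("l is not below N/2")
	}
	if l.Cmp(r) >= 0 {
		return nil, fmt.Errorf("l >= r: S mod l may not fit in a field element")
	}
	return l, nil
}

func main() {
	r, n := mustInt(rBN254), mustInt(nBabyJubjub)
	l, err := SubgroupOrder(r, n, 8)
	fmt.Println("l =", l, "bits:", l.BitLen(), "r bits:", r.BitLen(), "err:", err)
	_, err = SubgroupOrder(r, n, 1) // whole group: N itself is larger than r
	fmt.Println("cofactor 1 rejected:", err)
}
```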