eddsa

package
v2.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 18, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package eddsa implements EdDSA signature verification over twisted Edwards elliptic curves available in gnark and gnark-crypto. These are the so-called "embedded curves" (e.g. Baby-Jubjub, Bandersnatch...) defined over the scalar field of the pairing-friendly SNARK curves (e.g. BN254, BLS12-381...)

The package depends on the native/twistededwards package for elliptic curve group operations in twisted Edwards form using native arithmetic. The cost for a single baby-jubjub signature verification in a BN254-SNARK is approximately 7k constraints in R1CS and 11k constraints in PLONKish.

See [EdDSA] for the signature verification algorithm.

[EdDSA]: https://en.wikipedia.org/wiki/EdDSA

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Verify

func Verify(curve twistededwards.Curve, sig Signature, msg frontend.Variable, pubKey PublicKey, hash hash.FieldHasher) error

Verify verifies an eddsa signature using MiMC hash function cf https://en.wikipedia.org/wiki/EdDSA

Types

type PublicKey

type PublicKey struct {
	A twistededwards.Point
}

PublicKey stores an eddsa public key (to be used in gnark circuit)

func (*PublicKey) Assign

func (p *PublicKey) Assign(curveID tedwards.ID, buf []byte)

Assign is a helper to assigned a compressed binary public key representation into its uncompressed form

type Signature

type Signature struct {
	R twistededwards.Point
	S frontend.Variable
}

Signature stores a signature (to be used in gnark circuit) An EdDSA signature is a tuple (R,S) where R is a point on the twisted Edwards curve and S a scalar. Since the base field of the twisted Edwards is Fr, the number of points N on the Edwards is < r+1+2sqrt(r)+2 (since the curve has 2 points of multiplicity 2). The subgroup l used in eddsa is <1/2N, so the reduction mod l ensures S < r, therefore there is no risk of overflow.

func (*Signature) Assign

func (s *Signature) Assign(curveID tedwards.ID, buf []byte)

Assign is a helper to assigned a compressed binary signature representation into its uncompressed form

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL