Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add ECDSA signature verification #372

Merged
merged 4 commits into from
Jan 19, 2023
Merged

feat: add ECDSA signature verification #372

merged 4 commits into from
Jan 19, 2023

Conversation

ivokub
Copy link
Collaborator

@ivokub ivokub commented Sep 21, 2022

Initial PR for discussion. If the API looks OK, will add documentation and merge for now.

This PR implements also emulated short-Weierstrass package, which for now assumes the special case for secp256k1 (a4=0), but in general can be generalised to any a4. I didn't want to do it now because then we would need to have more parameters etc. and I didn't want to eagerly generalise.

A few things to do before merge:

  • this PR is slightly larger and contains other fixes to field emulation. Should we separate this into three - this, emulated SW and field emulation bugs?
  • add package documentation and code examples
  • add ECRecover?
  • i'm leaking the internal implementation of the field emulation package by type asserting frontend.Variable to emulated.Element[T]. I think long-term would be better to have something which returns actual types not empty interface.

This implementation right now is very heavy and requires 3.7M constraints without range checks, but I think it is a good base for optimisation. There are several optimisation options:

  • implement separate variable and base point scalar mul. Base point scalar mul can take advantage of huge precomputation tables + lookups.
  • variable point scalar multiplication requires building lookup tables per-point. For a single signature this allows to implement windowed scalar multiplication and reduce the cost several times. See https://0xparc.org/blog/zk-ecdsa-2.
  • 0xPARC blog describes an interesting idea for checking only a random linear combination of signatures. This would require applying Fiat-Shamir and a lot of hashing, but may probably be more efficient than point operations.
  • When we combine two lookup tables, then can build window over two scalars at a time for ECDSA.

DRAFT: should be merged after #395.

@ivokub ivokub self-assigned this Sep 21, 2022
@ivokub ivokub requested a review from gbotrel September 21, 2022 09:08
@ivokub ivokub added this to the v0.8.0 milestone Sep 21, 2022
@ivokub ivokub marked this pull request as draft November 15, 2022 00:52
@ivokub ivokub marked this pull request as ready for review December 20, 2022 12:38
@gbotrel gbotrel requested a review from yelhousni December 20, 2022 14:57
@gbotrel
Copy link
Collaborator

gbotrel commented Jan 13, 2023

@yelhousni can you do a review of that one before merge?

@ivokub
Copy link
Collaborator Author

ivokub commented Jan 18, 2023

Merged develop and fixed conflicts. It is good to merge from my side.

@yelhousni said that will post optimisations in separate PR.

Copy link
Contributor

@yelhousni yelhousni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! 👍
We can merge this PR and track optimizations in separate PRs.

@gbotrel
Copy link
Collaborator

gbotrel commented Jan 19, 2023

@yelhousni should we merge now or wait for replacing the external dependency for out-of-circuit ecdsa with latest gnark-crypto ?

@yelhousni
Copy link
Contributor

@yelhousni should we merge now or wait for replacing the external dependency for out-of-circuit ecdsa with latest gnark-crypto ?

To do so we have to wait for Consensys/gnark-crypto#310 to be merged I guess. So either we wait or we merge this and follow with a quick PR for the dependency.

@gbotrel gbotrel merged commit 2aab2fb into develop Jan 19, 2023
@gbotrel gbotrel deleted the feat/ecdsa branch January 19, 2023 16:10
@ivokub ivokub mentioned this pull request Feb 16, 2023
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants