input-output-hk
diff --git a/‎prover/Cargo.toml‎
Lines changed: 3 additions & 0 deletions b/‎prover/Cargo.toml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎prover/README.md‎
Lines changed: 19 additions & 12 deletions b/‎prover/README.md‎
Lines changed: 19 additions & 12 deletions
diff --git a/‎prover/docs/atms-primitives.md‎
Lines changed: 103 additions & 0 deletions b/‎prover/docs/atms-primitives.md‎
Lines changed: 103 additions & 0 deletions
diff --git a/‎prover/docs/docs-ecc.md‎
Lines changed: 118 additions & 0 deletions b/‎prover/docs/docs-ecc.md‎
Lines changed: 118 additions & 0 deletions
@@ -32,3 +32,6 @@ criterion = "0.5.1"
 [[bench]]
 name = "atms"
 harness = false
+
+[package.metadata.docs.rs]
+rustdoc-args = [ "--html-in-header", "katex-header.html" ]
@@ -1,3 +1,12 @@
+ # SNARK-based ATMS
+This is the circuit implementation for [Ad-hoc Threshold MultiSignatures (ATMS)](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8835275).
+The goal of this library is to provide a proof-of-concept implementation of a circuit to provide a proof that there exists `t` valid signatures of some subset of a given set of public keys. 
+This is the first effort of implementing a SNARK-based Ad-hoc Threshold Multi Signature scheme.
+
+* The Zero Knowledge Proving system is implemented with PLONK with KZG commitments.
+* BLS12-381 curve is used. Therefore, in-circuit elliptic curve operations are implemented with JubJub, which is an elliptic curve defined over the Scalar field of BLS12-381, aka its 'embedded' curve. This enables what is sometimes referred to as SNARK-friendly signature schemes. In particular, Schnorr over the JubJub curve. 
+* As a SNARK-friendly hash algorithm we use Rescue, both for the signature generation/verification as for the Merkle Tree commitments.
+
 ## Compiling the library and header file
 First, one needs to compile the library running:
 ```shell
@@ -15,16 +24,14 @@ and then build the header file by running the following command from the parent
 rustup run nightly cbindgen ./ --config cbindgen.toml --crate atms-halo2 --output target/include/atms_halo2.h
 ```
 
-## Running C tests
-
-We first build the test executable:
-
-``` sh
-gcc -Wl,-dead_strip c-tests/atms_halo2.c -g -o test -L ./target/release -latms_halo2 -lstdc++
-```
-
-then simply run the tests:
+## Documentation
+The library provides a documentation for ATMS functionality. $\rightarrow$ [Documentation][crate::docs].
 
-```shell
-./test
-```
+You can also jump to following sections from following links: 
+- Elliptic curve cryptography preliminaries: [ECC][crate::docs::ecc]
+- Schnorr signature: [Schnorr][crate::docs::schnorr]
+- Ad-hoc threshold multi-signature: [ATMS][crate::docs::atms]
+- Rescue sponge hash function: [Rescue][crate::docs::rescue]
+- I/O specs and encoding: [I/O][crate::docs::encoding_io]
+- Flow of the functionality: [flow][crate::docs::flow]
+- Relation between the cryptographic primitives: [primitives][crate::docs::primitives]
@@ -0,0 +1,103 @@
+Relation between the elliptic curves and signature schemes.
+
+In order to comply with the Cardano main-net, Curve BLS12-381 is used as the parent curve in this library. 
+Therefore, the rest of the primitives are selected considering this case.
+In-circuit elliptic curve operations are implemented with Jubjub curve.
+Jubjub is the embedded curve of BLS12-381.
+We used a SNARK-friendly signature scheme, Schnorr over Jubjub.
+
+In this section, we explain the relation between BLS12-381, Jubjub, Schnorr, and EdDSA.
+
+See the documentation of the related topics:
+- [BLS12-381][crate::docs::ecc#curve-setting]
+- [JubJub][crate::docs::ecc#jubjub]
+- [EdDSA][crate::docs::ecc#edwards-curve-digital-signature-algorithm-eddsa]
+- [Schnorr][crate::docs::schnorr]
+
+## Relation between BLS12-381 and Jubjub
+BLS12-381 is preferred for pairing operations.
+We define two curves:
+- Curve 1: Defined over the field $\mathbb{F}_p$. The curve equation is given below:
+$$E(\mathbb{F}_p): y^2 = x^3 + 4$$
+
+- Curve 2: Defined over the field $\mathbb{F}_{p^2}$. The curve equation is given below:
+
+$$E'(\mathbb{F}_{p^2}): y^2 = x^3 + 4 (1 + i)$$
+
+The prime $p$ is represented in hexadecimal as following:
+```ignore
+  0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab	
+```
+
+Pairings are usually denoted as $e(P, Q)$ where
+* $e: G_1 \times G_2 \rightarrow G_T$
+* $P \in G_1 \sub E(\mathbb{F}_p)$
+* $Q \in G_2 \sub E'(\mathbb{F}_{p^2})$
+* $G_T \sub \mathbb{F}_{p^{12}}$
+
+As described in [here][crate::docs::ecc#pairing], the following identity holds:
+$$e(\[a\]P, \[b\]Q) = e(P, \[b\]Q)^a = e(P, Q)^{ab} = e(P, \[a\]Q)b = e(\[b\]P, \[a\]Q).$$
+
+Note that, in the above identity, we showed some scalar multiplications, i.e., $\[a\]P$.
+The value $a$ is an element of $\mathbb{F}_s$, 
+where $s$ is the size of the subgroup of the curve.
+$\mathbb{F}_s$ is a finite field defined over the prime $s$, which is represented in hexadecimal as follows:
+```ignore
+0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+```
+(_For sake of simplicity, we won't explain the details of the mentioned subgroup._)
+
+> As a conclusion, we say that the base field of BLS12-381 is $\mathbb{F}_p$ and the scalar field of the curve is $\mathbb{F}_s$.
+
+Our second primitive is the Jubjub curve. 
+Jubjub is an elliptic curve of the [twisted Edward's form][crate::docs::ecc#twisted-edwards-curve].
+
+Let $d = -(10240/10241)$, the Jubjub curve is defined as follows:
+$$E_{d}: -u^2 + v^2 = 1 + du^2v^2.$$
+We use Jubjub for in-circuit elliptic curve operations since it provides efficient EC operations within the proof.
+We define the Jubjub curve over the field $\mathbb{F}_q$ where $q$ is represented in hexadecimal as follows:
+```ignore 
+q = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+```
+In addition, it has a subgroup of order $r$ and cofactor $8$.
+```ignore 
+r = 0x0e7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7
+```
+As mentioned before, we set the Jubjub curve as the embedded curve of BLS12-381.
+Meaning that, Jubjub curve is defined over a prime which is also the prime that defines the scalar field of BLS12-381.
+
+> As a conclusion, we say that the base field of Jubjub is $\mathbb{F}_q$ and the scalar field of the curve is $\mathbb{F}_r$.
+
+---
+
+**Note that, the scalar field of BLS12-381 $\mathbb{F}_s$ equals to the base field of Jubjub $\mathbb{F}_q$.**
+**It means that  if I have a result on the base field of the JubJub curve, it is also an element of the scalar field of the BLS curve.**
+
+---
+
+## Relation between Schnorr signature and EdDSA
+EdDSA is a variant of the Schnorr signature scheme designed specifically for Edward's curve. 
+See the [$sign$][crate::docs::schnorr#sign] algorithm of Schnorr and the [sign][crate::docs::ecc#sign] algorithm of EdDSA.
+Note that, the only difference between two algorithms is the first step.
+* In Schnorr signature, we have:
+  * Choose a random scalar: $r \leftarrow Z_p$,
+  * Compute the nonce: $R = r \cdot G$.
+* In EdDSA, we have:
+  * Get the hash of private key and the message: $r = H(H_{b, \ldots, 2b-1}(x) || m)$.
+  * Compute the point $R = r \cdot B$.
+
+This means that the randomness used in the first step of the Schnorr signer is generated using a hash function by the EdDSA signer, rather than sampling the value at random. 
+
+* We use the probabilistic Schnorr signature scheme in our setting. We can make this deterministic using EdDSA instead.
+
+## Relation between BLS12-381, Jubjub, and Schnorr
+To implement the Schnorr signature, we use elliptic curve scalar multiplications.
+_(See [$Schnorr signature$][crate::docs::schnorr]) and [scalar multiplication][crate::docs::ecc#basic-ecc-toolbox].)_
+* In this library, the scalar multiplication is implemented as follows:
+  * Let $a$ be scalar and an element of the scalar field of Jubjub curve.
+    * $a \in \mathbb{F}_r$
+  * Let $P$ be an extended point on Jubjub curve. Meaning that, the coordinates of the point are elements of the base field of the Jubjub curve, $\mathbb{F}_q$.
+  * $Q = a \cdot P$ is the result of the scalar multiplication and is an extended point on Jubjub curve.
+  * Convert $Q$ to an affine point. The coordinates of an affine point are elements of the base field of the Jubjub curve, $\mathbb{F}_q$.
+
+> As a conclusion, we can say that the coordinates of both affine and extended points in the above scheme are also elements of the scalar field of BLS12-381 curve.
@@ -0,0 +1,118 @@
+# ECC Preliminaries
+This module includes a brief explanation of the elliptic curve cryptography primitives used in the library.
+- [Basic ECC Toolbox][crate::docs::ecc#basic-ecc-toolbox]
+- [Twisted Edward's Curve][crate::docs::ecc#twisted-edwards-curve]
+  - [EdDSA][crate::docs::ecc#eddsa---edwards-curve-digital-signature-algorithm]
+- [BLS12-381][crate::docs::ecc#bls12-381]
+  - [Pairings][crate::docs::ecc#pairing]
+- [Jubjub][crate::docs::ecc#jubjub]
+
+## Basic ECC Toolbox
+- $p$: a large prime number.
+- $\mathbb{F}_p$: Finite field over prime $p$.
+- $E(\mathbb{F}_p): y^2=x^3+ax+b$: is an elliptic curve of the short Weierstrass form defined over $\mathbb{F}_p$.
+- $P = (x, y)$ is a point on $E(\mathbb{F}_p)$.
+- $-P = (x, -y)$ is the negative of the point $P$.
+- $P + (-P) = \mathcal{O}$ is the identity of the curve.
+- $P + \mathcal{O} = P$.
+- Elliptic curve scalar multiplication:
+    - Let $n \leftarrow \mathbb{Z}_p$,
+    - Let $P$ be a point on $E(\mathbb{F}_p)$,
+    - $Q = n \cdot P$ is a point on $E(\mathbb{F}_p)$.
+- Elliptic curve discrete logarithm problem:
+    - Let $P$ and $Q$ be points on $E(\mathbb{F}_p)$ and $Q = n \cdot P$.
+    - Knowing $P$ and $Q$, finding $n = \log_P^Q$ is a hard problem.
+- Base point: Let $G$ be a base point, then $G$ generates all points at $E(\mathbb{F}_p)$.
+- Order of a point: If $l\cdot P = \mathcal{O}$, then $l$ is the order of $P$.
+
+## Twisted Edward's Curve
+Let $\mathbb{F}_p$ be a field where $p$ is a large prime. The twisted Edward's curve is defined as follows:
+
+$$ E_{E, a, d}: ax^2 + y^2 = 1 + dx^2y^2$$
+
+where $a, d \in \mathbb{F}_p$ and non-zero.
+
+* A point on $E_{E, a, d}$ is represented as $P = (x, y)$.
+* Negative of a point: $-P = (-x, y)$.
+* Neutral element(point at infinity): $\mathcal{O} = (0,1)$.
+* Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ be points on $E_{E, a, d}$. $P+Q = (x_3, y_3)$ is written as:
+
+$$(x_3, y_3) = \Bigg(\frac{x_1y_2 + y_1x_2}{1 + dx_1x_2y_1y_2}, \frac{y_1y_2 - ax_1x_2}{1 - dx_1x_2y_1y_2}\Bigg).$$
+
+
+### EdDSA - (Edward's Curve Digital Signature Algorithm)
+Let $B$ be the base point of $E_{E, a, d}$ with order $l$ and $H$ be a hash function with $2b-$bit output size where $2^{b-1} > p$.
+* $keygen$
+    * **Input**: Security parameter $\lambda$.
+    * **Output**: Keypair $(x, P)$.
+    * **Algorithm**:
+        * Choose a random scalar as the private key: $x \leftarrow \mathbb{Z}_p$,
+        * Compute the public key: $P \leftarrow x \cdot B$,
+        * Return $(x, P)$.
+* $sign$
+    * **Input**: Keypair $(x, P)$, message $m$.
+    * **Output**: Signature $\sigma = (R, s)$.
+    * **Algorithm**:
+        * Get the hash of private key and the message: $r = H(H_{b, \ldots, 2b-1}(x) || m)$.
+        * Compute the point $R = r \cdot B$.
+        * Calculate $s \equiv r + H(R || P|| m) x \mod{l}$.
+        * Return $(R, s)$.
+* $verify$
+    * **Input**: Message $m$, public key $P$, signature $\sigma = (R, s)$.
+    * **Output**: $true/false$
+    * **Algorithm**:
+        * If $s \cdot B = R + H(R || P|| m) \cdot P$, return $true$.
+        * Else, return $false$.
+
+
+---
+
+
+## BLS12-381
+
+### Curve setting
+* `z = -0xd201000000010000` (hexadecimal): low hamming weight, few bits set to $1$.
+    * Field modulus: $q = \frac{1}{3}(z-1)^2(z^4 - z^2 + 1) + z$, $381$-bit
+  ```ignore
+  0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab	
+  ```
+    * Subgroup size: $r = (z^4 - z^2 + 1)$, $255$-bit.
+  ```ignore
+  0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+  ```
+* **Curve 1:** $E(\mathbb{F}_q): y^2 = x^3 + 4$.
+* **Curve 2:** $E'(\mathbb{F}_{q^2}): y^2 = x^3 + 4 (1 + i)$.
+
+### Pairing
+A pairing is a bilinear map, taking as input two points, each from two distinct groups of the same prime order, $r$. This map outputs a point from a group $G_T$. The pairing is defined as follows:
+
+$$e: G_1 \times G_2 \rightarrow G_T$$
+
+* $P \in G_1 \sub E(\mathbb{F}_q)$
+* $Q \in G_2 \sub E'(\mathbb{F}_{q^2})$
+* $G_T \sub \mathbb{F}_{q^{12}}$
+
+Pairing is denoted as $e(P, R)$. Pairing-based cryptography uses the following properties:
+* $e(P, Q+R) = e(P, Q) \cdot e(P, R)$,
+* $e(P+S, R) = e(P, R) \cdot e(S, R)$.
+
+Thus, the following identity holds:
+
+$$e(\[a\]P, \[b\]Q) = e(P, \[b\]Q)^a = e(P, Q)^{ab} = e(P, \[a\]Q)b = e(\[b\]P, \[a\]Q).$$
+
+
+## jubjub
+
+Jubjub is an elliptic curve of the twisted Edward's form. It is defined over finite field $\mathbb{F}_q$ where
+```ignore 
+q = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+```
+with a subgroup of order $r$ and cofactor $8$.
+```ignore 
+r = 0x0e7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7
+```
+Let $d = -(10240/10241)$, the Jubjub curve is defined as follows:
+
+$$E_{d}: -u^2 + v^2 = 1 + du^2v^2.$$
+
+* $\mathbb{F}_q$ is chosen to be the scalar field of BLS12-381 curve construction.