From b983a57fe44591e9139fdf5bd1945c8fb48863a8 Mon Sep 17 00:00:00 2001
From: sdeml
Date: Mon, 18 Mar 2019 14:17:54 +0100
Subject: [PATCH] improve docs
---
 .../stdlib/ecc/babyjubjubParams.code | 34 +++++++++----------
 .../stdlib/ecc/edwardsOrderCheck.code | 2 +-
 .../stdlib/ecc/proofOfOwnership.code | 18 ++++++++--
 .../stdlib/signatures/verifyEddsa.code | 20 +++++++++--
 4 files changed, 51 insertions(+), 23 deletions(-)
diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjubParams.code b/zokrates_stdlib/stdlib/ecc/babyjubjubParams.code
index 4b103c3e..bee7e3c1 100644
--- a/zokrates_stdlib/stdlib/ecc/babyjubjubParams.code
+++ b/zokrates_stdlib/stdlib/ecc/babyjubjubParams.code
@@ -1,22 +1,22 @@
 // Parameters are based on: https://github.com/HarryR/ethsnarks/tree/master/src/jubjub
-// Note: paramters will be update soon to be more compatible with zCash's implementation
+// Note: parameters will be update soon to be more compatible with zCash's implementation
 def main() -> (field[10]):
-// Order of the curve E
- field JUBJUBE = 21888242871839275222246405745257275088614511777268538073601725287587578984328
- field JUBJUBC = 8 // Cofactor
- field JUBJUBA = 168700 // Coefficient A
- field JUBJUBD = 168696 // Coefficient D
- field MONTA = 168698 // int(2*(JUBJUB_A+JUBJUB_D)/(JUBJUB_A-JUBJUB_D))
- field MONTB = 1 // int(4/(JUBJUB_A-JUBJUB_D))
-
-// Point at infinity
- field[2] infinity = [0, 1]
+// Order of the curve E
+ field JUBJUBE = 21888242871839275222246405745257275088614511777268538073601725287587578984328
+ field JUBJUBC = 8 // Cofactor
+ field JUBJUBA = 168700 // Coefficient A
+ field JUBJUBD = 168696 // Coefficient D
+ field MONTA = 168698 // int(2*(JUBJUB_A+JUBJUB_D)/(JUBJUB_A-JUBJUB_D))
+ field MONTB = 1 // int(4/(JUBJUB_A-JUBJUB_D))
+
+// Point at infinity
+ field[2] infinity = [0, 1]
-// Generator
- field Gu = 16540640123574156134436876038791482806971768689494387082833631921987005038935
- field Gv = 20819045374670962167435360035096875258406992893633759881276124905556507972311
+// Generator
+ field Gu = 16540640123574156134436876038791482806971768689494387082833631921987005038935
+ field Gv = 20819045374670962167435360035096875258406992893633759881276124905556507972311
-// Index
-// 0 1 2 3 4 5 6 7 8 10
- return [JUBJUBA, JUBJUBD, infinity[0], infinity[1], Gu, Gv, JUBJUBE, JUBJUBC, MONTA, MONTB]
\ No newline at end of file
+// Index
+// 0 1 2 3 4 5 6 7 8 10
+return [JUBJUBA, JUBJUBD, infinity[0], infinity[1], Gu, Gv, JUBJUBE, JUBJUBC, MONTA, MONTB]
\ No newline at end of file
diff --git a/zokrates_stdlib/stdlib/ecc/edwardsOrderCheck.code b/zokrates_stdlib/stdlib/ecc/edwardsOrderCheck.code
index f7763570..153e19fe 100644
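Review bot: The index table kept on the new side still reads `// 0 1 2 3 4 5 6 7 8 10` for a ten-element return array whose last index is 9 (MONTB); since this is a docs pass, it should become `// 0 1 2 3 4 5 6 7 8 9`. The other gadgets in this patch read the generator as context[4]/context[5], and this table is the only place that layout is documented, so it is worth keeping exact. The rewritten note line still says `will be update soon`; `will be updated soon` reads correctly. The return line appears to lose its indentation on the new side (`+return [...]` against `- return [...]`); if that is not a whitespace artefact of this listing it deserves a look.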
--- a/zokrates_stdlib/stdlib/ecc/edwardsOrderCheck.code
+++ b/zokrates_stdlib/stdlib/ecc/edwardsOrderCheck.code
@@ -4,7 +4,7 @@ import "utils/pack/unpack256.code" as unpack256
 // Verifies that the point is not one of the low-order points.
 // If any of the points is multiplied by the cofactor, the resulting point
 // will be infinity.
-// Returns ture if the point is not one of the low-order points.
+// Returns true if the point is not one of the low-order points, false otherwise.
 // Curve parameters are defined with the last argument
 // https://github.com/zcash-hackworks/sapling-crypto/blob/master/src/jubjub/edwards.rs#L166
 def main(field[2] pt, field[10] context) -> (field):
diff --git a/zokrates_stdlib/stdlib/ecc/proofOfOwnership.code b/zokrates_stdlib/stdlib/ecc/proofOfOwnership.code
index 6d4e152d..4156b10e 100644
--- a/zokrates_stdlib/stdlib/ecc/proofOfOwnership.code
+++ b/zokrates_stdlib/stdlib/ecc/proofOfOwnership.code
@@ -1,9 +1,21 @@
 import "ecc/edwardsAdd.code" as add
 import "ecc/edwardsScalarMult.code" as multiply
 import "utils/pack/unpack256.code" as unpack256
-// Gadget to proof ownership of a private key for a given public key
-// Returns true for a valid public and private key pair, false otherwise
-// Curve parameters are defined with the last argument
+
+/// Verifies correctness of a given public/private keypair.
+///
+/// Checks if the following equation holds for the provided keypair:
+/// pk = sk*G
+/// where G is the chosen base point of the subgroup
+/// and * is denotes scalar multiplication
+///
+/// Arguments:
+/// pk: Curve point. Public key.
+/// sk: Field element. Private key.
+/// context: Curve parameters (including generator G) used to create keypair.
+///
+/// Returns:
+/// Return true for pk/sk being a valid keypair, false otherwise.
 def main(field[2] pk, field sk, field[10] context) -> (field):
 field[2] G = [context[4], context[5]]
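Review bot: In the proofOfOwnership hunk the new docstring describes pk as `Curve point. Public key.`, yet the file imports only add, multiply and unpack256 — unlike verifyEddsa, which imports onCurve and orderCheck — so unless the body outside this hunk checks it inline, nothing here establishes that pk lies on the curve or outside the low-order points before pk = sk*G is compared. The Arguments entry should state that contract, e.g. `/// pk: Curve point. Public key. Not validated here; callers must check it is on the curve (edwardsOnCurve) and not low-order (edwardsOrderCheck).` The line `and * is denotes scalar multiplication` should read `and * denotes scalar multiplication`. The body of main continues outside the hunk.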
diff --git a/zokrates_stdlib/stdlib/signatures/verifyEddsa.code b/zokrates_stdlib/stdlib/signatures/verifyEddsa.code
index e03c8f0d..4eaa87f5 100644
--- a/zokrates_stdlib/stdlib/signatures/verifyEddsa.code
+++ b/zokrates_stdlib/stdlib/signatures/verifyEddsa.code
@@ -5,8 +5,24 @@ import "utils/pack/unpack256.code" as unpack256
 import "ecc/edwardsOnCurve.code" as onCurve
 import "ecc/edwardsOrderCheck.code" as orderCheck
-// Return true for a valid EdDSA Signature, false otherwise
-// Curve parameters are defined with the last argument
+/// Verifies the correctness of EdDSA Signature.
+///
+/// Checks the correctness of a given EdDSA Signature (R,S) for the provided
+/// public key(A) and message (M0 and M1).
+/// For more information see:
+/// https://en.wikipedia.org/wiki/EdDSA
+/// https://eprint.iacr.org/2015/677.pdf
+///
+/// Arguments:
+/// R: Curve point. Hidden version of the per-message nonce.
+/// S: Field element. Signature to be verified.
+/// A: Curve point. Public part of the key used to create S.
+/// M0: 256bit array. First 256bits of the message used to create S .
+/// M1: 256bit array. Trailing 256bits of the message used to create S .
+/// context: Curve parameters used to create S.
+///
+/// Returns:
+/// Return true for S being a valid EdDSA Signature, false otherwise.
 def main(private field[2] R, private field S, field[2] A, field[256] M0, field[256] M1, field[10] context) -> (field):
 field[2] G = [context[4], context[5]]
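Review bot: The signature on the context line marks R and S as `private` while A, M0, M1 and context are public, but the new Arguments section never says which inputs are private witnesses and which are public — for a verification gadget that visibility split is the boundary a consumer of the proof relies on, so each entry should carry it, e.g. `/// R: Curve point (private witness). Hidden version of the per-message nonce.` and `/// S: Field element (private witness). Scalar part of the signature (R,S).`, with A, M0, M1 and context marked public. `S: Field element. Signature to be verified.` is also imprecise, since the summary line itself says the signature is the pair (R,S), and the Returns line should likewise say `(R,S)` rather than `S`. The stray spaces before the full stops on the M0/M1 lines (`create S .`) should go, and `Verifies the correctness of EdDSA Signature.` reads better as `Verifies the correctness of an EdDSA signature.` The body of main continues outside the hunk.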