
ECDSA gadget #1240

Merged: 114 commits from feature/ecdsa-new into main on Dec 6, 2023

Conversation

@mitschabaude (Member) commented Nov 13, 2023

Closes #1159, #1153, #1154, #1157

This PR adds an ECDSA gadget, which uses 39k rows. Ingredients:

  • add() and double() methods built on top of Foreign fields 5: Optimized multiplication of sums #1262
  • multiScalarMul() gadget which ECDSA uses with 2 points as input. To save constraints, this
    • doubles all points together (i.e. adds all points into a single aggregated sum)
    • uses an initial aggregator point to avoid a degenerate add() result. The aggregator scaled by 2^maxbits is subtracted at the end
    • uses a table of point multiples that is computed on the fly. For each window of scalar bits of size c, we pick from one of 2^c multiples. Picking multiples uses a new optimized gadget for getting the element of an array.
    • The window size c can be picked independently for each point; the optimal value is c=4 for constant points and c=3 for variable points
    • automatically uses fewer constraints for each input point that is constant (like the generator in ECDSA)
  • Includes a unit test and an example in src/examples/zkprogram/ecdsa, which is also used for a new vk regression test
  • New Gadgets.Ecdsa namespace with the verify gadget and a non-provable method for signing. EDIT: scrapped in favor of how Foreign curve and ECDSA #1007 exposes ECDSA.
  • New Crypto namespace to generate a curve from curve parameters. Also exposes parameters for secp256k1 and the Pasta curves

bindings: o1-labs/o1js-bindings#207

TODO left for follow-up PR: Expose individual EC operations and Point type on public API

@mitschabaude (Member, Author) commented:
Note: I discovered a vulnerability in the ECDSA gadget today, and fixed it in the last few commits:
2731b0c...ba0c361

The issue was that a malicious prover could make the sum in the scalar mul gadget equal 0, but add a multiple of the curve base field modulus to one of the coordinates. Then, the strict not-equals check sum != iaFinal would have passed, but the sum would still be zero when viewed as a curve point, and the final addition would be invalid.

I fixed this by adding a proper equality check which handles multiples of the modulus.
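
The windowed multi-scalar multiplication with an aggregator point from the PR summary, and the unreduced-coordinate issue described in the comment above, as an added out-of-circuit reference model in plain TypeScript BigInt arithmetic. This is example code, not o1js code and not the in-circuit gadget: it runs the MSM on secp256k1 (standard curve constants), then shows that a strict comparison of coordinate representatives lets sum.x + p slip past a sum != iaFinal check while a comparison reduced modulo p rejects it. The aggregator point, the scalars, the window sizes, the function names and the decision to simply skip a zero window (which a circuit cannot do) are assumptions made for the example.

```typescript
// Added example, not o1js code: an out-of-circuit BigInt model of the windowed MSM
// with an aggregator point and of the modulo-p equality check that "sum != iaFinal" needs.
type Affine = { x: bigint; y: bigint };
type Point = Affine | null; // null = point at infinity
// secp256k1 parameters (standard values): base field modulus, group order, generator.
const p = 2n ** 256n - 2n ** 32n - 977n;
const n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;
const G: Affine = {
  x: 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798n,
  y: 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n,
};
const mod = (a: bigint): bigint => ((a % p) + p) % p;
// Modular inverse via the extended Euclidean algorithm (a must be nonzero mod p).
function inv(a: bigint): bigint {
  let r0 = p, r1 = mod(a), t0 = 0n, t1 = 1n;
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [t0, t1] = [t1, t0 - q * t1];
  }
  return mod(t0);
}
// Affine double/add with explicit handling of infinity and P == -Q. A circuit
// cannot branch like this, which is what the aggregator point is for.
function double(P: Point): Point {
  if (P === null) return null;
  const l = mod(3n * P.x * P.x * inv(2n * P.y));
  const x = mod(l * l - 2n * P.x);
  return { x, y: mod(l * (P.x - x) - P.y) };
}
function add(P: Point, Q: Point): Point {
  if (P === null) return Q;
  if (Q === null) return P;
  if (P.x === Q.x) return mod(P.y + Q.y) === 0n ? null : double(P);
  const l = mod((Q.y - P.y) * inv(Q.x - P.x));
  const x = mod(l * l - P.x - Q.x);
  return { x, y: mod(l * (P.x - x) - P.y) };
}
const negate = (P: Point): Point => (P === null ? null : { x: P.x, y: mod(-P.y) });
// Naive double-and-add, used as the reference the MSM is checked against.
function scalarMul(s: bigint, P: Point): Point {
  let R: Point = null;
  for (let i = s.toString(2).length - 1; i >= 0; i--) {
    R = double(R);
    if ((s >> BigInt(i)) & 1n) R = add(R, P);
  }
  return R;
}
const A = scalarMul(0x1234n, G) as Affine; // fixed aggregator point (arbitrary choice)
// Windowed MSM: the running sum starts at A, is doubled once per bit position
// (shared by all points), and point j adds the entry picked from its table of 2^c_j
// multiples whenever one of its windows closes. Result: A * 2^maxBits + sum_j s_j * P_j.
function multiScalarMul(scalars: bigint[], points: Affine[], windows: number[], maxBits: number) {
  const tables = points.map((P, j) => {
    const t: Point[] = [null]; // t[k] = k * P for k < 2^c_j
    for (let k = 1; k < 1 << windows[j]; k++) t.push(add(t[k - 1], P));
    return t;
  });
  let sum: Point = A;
  for (let i = maxBits - 1; i >= 0; i--) {
    sum = double(sum);
    points.forEach((_, j) => {
      const c = windows[j];
      if (i % c !== 0) return; // a window of point j closes at bit i
      const w = (scalars[j] >> BigInt(i)) & ((1n << BigInt(c)) - 1n);
      if (w !== 0n) sum = add(sum, tables[j][Number(w)]); // zero window: nothing to add
    });
  }
  return { sum, iaFinal: scalarMul(1n << BigInt(maxBits), A) };
}

// A zero result means sum == iaFinal and must be rejected. Comparing representatives is
// not enough: a foreign-field coordinate may arrive as x + k*p. Compare reduced mod p.
const naiveNotEqual = (a: Affine, b: Affine): boolean => a.x !== b.x || a.y !== b.y;
const notEqualModP = (a: Affine, b: Affine): boolean => mod(a.x - b.x) !== 0n || mod(a.y - b.y) !== 0n;

// Reproduce the attack: s*G + (n-s)*G = n*G = O, so the honest sum equals iaFinal;
// then present sum with x + p, as a malicious prover could (constructed inputs).
function maliciousProverCheck(): { naivePasses: boolean; reducedRejects: boolean } {
  const s = 0x0123456789abcdef0123456789abcdefn;
  const { sum, iaFinal } = multiScalarMul([s, n - s], [G, G], [4, 3], 256);
  if (sum === null || iaFinal === null) throw new Error('unexpected infinity');
  const unreduced: Affine = { x: sum.x + p, y: sum.y }; // same point, other representative
  return {
    naivePasses: naiveNotEqual(unreduced, iaFinal), // true: strict check is fooled
    reducedRejects: !notEqualModP(unreduced, iaFinal), // true: reduced check catches it
  };
}

// Sanity check of the MSM (aggregator removed) against the naive reference.
function msmMatchesReference(a: bigint, b: bigint): boolean {
  const H = scalarMul(7n, G) as Affine;
  const { sum, iaFinal } = multiScalarMul([a, b], [G, H], [4, 3], 256);
  const got = add(sum, negate(iaFinal));
  const want = add(scalarMul(a, G), scalarMul(b, H));
  return got !== null && want !== null && got.x === want.x && got.y === want.y;
}
```

The reference arithmetic branches on infinity and on P == -Q, which the provable gadget cannot; the aggregator A is what keeps every in-circuit add() away from those cases, and it is exactly at the final "is the result zero?" decision that the check has to compare residues modulo p rather than whatever representative the prover chose to supply.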

@jspada left a review comment:

Amazing work! Approved, with a few minor things, questions and suggestions.

Review comment threads (all resolved) on:

  • CHANGELOG.md (2, one outdated)
  • src/examples/zkprogram/ecdsa/ecdsa.ts (3, outdated)
  • src/lib/gadgets/elliptic-curve.ts (4, one outdated)
  • src/lib/gadgets/gadgets.ts (1, outdated)

Base automatically changed from feature/assert-mul to main December 6, 2023 11:11
@mitschabaude mitschabaude merged commit 74d1b1b into main Dec 6, 2023
13 checks passed
@mitschabaude mitschabaude deleted the feature/ecdsa-new branch December 6, 2023 21:06