Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ECDSA gadget #1240

Merged
merged 114 commits into from
Dec 6, 2023
Merged

ECDSA gadget #1240

merged 114 commits into from
Dec 6, 2023

Conversation

mitschabaude
Copy link
Member

@mitschabaude mitschabaude commented Nov 13, 2023
edited

Closes #1159, #1153, #1154, #1157

This PR adds an ECDSA gadget, which uses 39k rows. Ingredients:

  • add() and double() methods built on top of Foreign fields 5: Optimized multiplication of sums #1262
  • multiScalarMul() gadget which ECDSA uses with 2 points as input. To save constraints, this
    • doubles all points together (i.e. adds all points into a single aggregated sum)
    • uses an initial aggregator point to avoid a degenerate add() result. the aggregator scaled by 2^maxbits is subtracted at the end
    • uses a table of point multiples that is computed on the fly. For each window of scalar bits of size c, we pick from one of 2^c multiples. Picking multiples uses a new optimized gadget for getting the element of an array.
    • The window size c can be picked independently for each point; the optimal value is c=4 for constant points and c=3 for variable points
    • automatically uses fewer constraints for each input point that is constant (like the generator in ECDSA)
  • Includes a unit test and an example in src/examples/zkprogram/ecdsa, which is also used for a new vk regression test
  • New Gadgets.Ecdsa namespace with the verify gadget and a non-provable method for signing EDIT: scrapped in favor of how Foreign curve and ECDSA #1007 exposes ECDSA.
  • New Crypto namespace to generate a curve from curve parameters. Also exposes parameters for secp256k1 and the Pasta curves

bindings: o1-labs/o1js-bindings#207

TODO left for follow-up PR: Expose individual EC operations and Point type on public API

@mitschabaude
double
6c34c9f
@mitschabaude
tweak cs printing
d41f30f
@mitschabaude
initial aggregator for scaling
4c3f6a5
@mitschabaude
another helper method on Field3
c99cee2
@mitschabaude
add constant ecdsa implementation and helper types
95017b3
@mitschabaude
bindings
dd2ebd3
@mitschabaude
helper
fc6f1f8
@mitschabaude
stub out provable ecdsa, skipping the hard part
00a11f7
@mitschabaude
revert explosion of helper methods in favor of general interface
ce389ef
@mitschabaude
add constant cases and a bit more ecdsa logic
e458907
@mitschabaude
bindings
8db8d06
@mitschabaude
implement ecdsa
ab9584f
@mitschabaude
signature from hex
c39e0f8
@mitschabaude
add ecdsa test script
b924cad
@mitschabaude
move initial ec testing code
9a2629f
@mitschabaude
fix bit slicing logic
a1370e8
@mitschabaude
bindings
92318fe
@mitschabaude
several fixes to the scaling algorithm, debugging
92a627e
@mitschabaude
fix uneven window sizes by glueing together overlapping chunk between…
cc4f9b1 
… limbs
@mitschabaude
remove debug logs
90d341f
@mitschabaude
fixup
e7b8d23
@mitschabaude
fix
f7c5176
@mitschabaude
Merge branch 'feature/ffmul' into feature/ecdsa-new
a4f5638
@mitschabaude
adapt to ffmul changes
968a5ae
@mitschabaude
Merge branch 'feature/ffmul' into feature/ecdsa-new
1129739
@mitschabaude
bound y (needed for doubling)
9b29f40
@mitschabaude
tweak initial aggregator
38b9b7f
@mitschabaude
bindings
69a814d
@mitschabaude
remove unused function
be15bf1
@mitschabaude
Merge branch 'feature/ffmul' into feature/ecdsa-new
b025198
@mitschabaude
Copy link
Member Author

Note: I discovered a vulnerability in the ECDSA gadget today, and fixed it in the last few commits:
2731b0c...ba0c361

The issue was that a malicious prover could make the sum in the scalar mul gadget equal 0, but add a multiple of the curve base field modulus to one of the coordinates. Then, the strict not-equals check sum != iaFinal would have passed, but the sum would still be zero when viewed as a curve point, and the final addition would be invalid.

I fixed this by adding a proper equality check which handles multiples of the modulus.

jspada
jspada approved these changes Dec 1, 2023
View reviewed changes
Copy link

@jspada jspada left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing work! Approved, with a few minor things, questions and suggestions.

CHANGELOG.md Outdated Show resolved Hide resolved
CHANGELOG.md Show resolved Hide resolved
src/examples/zkprogram/ecdsa/ecdsa.ts Outdated Show resolved Hide resolved
src/examples/zkprogram/ecdsa/ecdsa.ts Outdated Show resolved Hide resolved
src/examples/zkprogram/ecdsa/ecdsa.ts Outdated Show resolved Hide resolved
src/lib/gadgets/elliptic-curve.ts Outdated Show resolved Hide resolved
src/lib/gadgets/elliptic-curve.ts Show resolved Hide resolved
src/lib/gadgets/elliptic-curve.ts Show resolved Hide resolved
src/lib/gadgets/elliptic-curve.ts Show resolved Hide resolved
src/lib/gadgets/gadgets.ts Outdated Show resolved Hide resolved
Base automatically changed from feature/assert-mul to main December 6, 2023 11:11
@mitschabaude mitschabaude linked an issue Dec 6, 2023 that may be closed by this pull request
Fix all example zkApps inside src/examples, ensure they can all build and execute correctly #1222
Closed
@mitschabaude mitschabaude merged commit 74d1b1b into main Dec 6, 2023
13 checks passed
@mitschabaude mitschabaude deleted the feature/ecdsa-new branch December 6, 2023 21:06
This was referenced Dec 7, 2023
Closed
Closed
Closed
@barriebyron barriebyron mentioned this pull request Dec 7, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jspada jspada jspada approved these changes

@Trivo25 Trivo25 Trivo25 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@mitschabaude @jspada @Trivo25