ECDSA gadget

CHANGELOG.md

@@ -19,8 +19,15 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## [Unreleased](https://github.com/o1-labs/o1js/compare/1ad7333e9e...HEAD)
 
+# Breaking changes
+
+- `ZkProgram.compile()` now returns the verification key and its hash, to be consistent with `SmartContract.compile()` https://github.com/o1-labs/o1js/pull/1240
+
 # Added
 
+- **ECDSA signature verification**: new provable method `Gadgets.Ecdsa.verify()` and helpers on `Gadgets.Ecdsa.Signature` https://github.com/o1-labs/o1js/pull/1240
+  - For an example, see `./src/examples/zkprogram/ecdsa`
+- `Crypto` namespace which exposes elliptic curve and finite field arithmetic on bigints, as well as example curve parameters https://github.com/o1-labs/o1js/pull/1240
 - `Gadgets.ForeignField.assertMul()` for efficiently constraining products of sums in non-native arithmetic https://github.com/o1-labs/o1js/pull/1262
 - `Unconstrained` for safely maintaining unconstrained values in provable code https://github.com/o1-labs/o1js/pull/1262
 
@@ -29,12 +36,10 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - Change precondition APIs to use "require" instead of "assert" as the verb, to distinguish them from provable assertions.
   - `this.x.getAndAssertEquals()` is now `this.x.getAndRequireEquals()` https://github.com/o1-labs/o1js/pull/1263
   - `this.x.assertEquals(x)` is now `this.x.requireEquals(x)` https://github.com/o1-labs/o1js/pull/1263
-  - `this.x.assertNothing()` is now `this.x.requireNothing()` https://github.com/o1-labs/o1js/pull/1263
+  - `this.account.x.getAndAssertEquals(x)` is now `this.account.x.requireEquals(x)` https://github.com/o1-labs/o1js/pull/1265
   - `this.account.x.assertBetween()` is now `this.account.x.requireBetween()` https://github.com/o1-labs/o1js/pull/1265
-  - `this.account.x.assertEquals(x)` is now `this.account.x.requireEquals(x)` https://github.com/o1-labs/o1js/pull/1265
-  - `this.account.x.assertNothing()` is now `this.account.x.requireNothing()` https://github.com/o1-labs/o1js/pull/1265
-  - `this.currentSlot.assertBetween(x,y)` is now `this.currentSlot.requireBetween(x,y)` https://github.com/o1-labs/o1js/pull/1265
   - `this.network.x.getAndAssertEquals()` is now `this.network.x.getAndRequireEquals()` https://github.com/o1-labs/o1js/pull/1265
+- `Provable.constraintSystem()` and `{ZkProgram,SmartContract}.analyzeMethods()` return a `print()` method for pretty-printing the constraint system https://github.com/o1-labs/o1js/pull/1240
 
 ## [0.14.2](https://github.com/o1-labs/o1js/compare/26363465d...1ad7333e9e)
 

src/examples/constraint_system.ts

@@ -2,13 +2,13 @@ import { Field, Poseidon, Provable } from 'o1js';
 
 let hash = Poseidon.hash([Field(1), Field(-1)]);
 
-let { rows, digest, gates, publicInputSize } = Provable.constraintSystem(() => {
+let { rows, digest, publicInputSize, print } = Provable.constraintSystem(() => {
   let x = Provable.witness(Field, () => Field(1));
   let y = Provable.witness(Field, () => Field(-1));
   x.add(y).assertEquals(Field(0));
   let z = Poseidon.hash([x, y]);
   z.assertEquals(hash);
 });
 
-console.log(JSON.stringify(gates));
+print();
 console.log({ rows, digest, publicInputSize });

src/examples/zkprogram/ecdsa/ecdsa.ts

@@ -0,0 +1,41 @@
+import { Gadgets, ZkProgram, Struct, Crypto } from 'o1js';
+
+export { ecdsaProgram, Point, Secp256k1 };
+
+let { ForeignField, Field3, Ecdsa } = Gadgets;
+
+// TODO expose this as part of Gadgets.Curve
+
+class Point extends Struct({ x: Field3.provable, y: Field3.provable }) {
+  // point from bigints
+  static from({ x, y }: { x: bigint; y: bigint }) {
+    return new Point({ x: Field3.from(x), y: Field3.from(y) });
+  }
+}
+
+const Secp256k1 = Crypto.createCurve(Crypto.CurveParams.Secp256k1);
+
+const ecdsaProgram = ZkProgram({
+  name: 'ecdsa',
+  publicInput: Point,
+
+  methods: {
+    verifyEcdsa: {
+      privateInputs: [Ecdsa.Signature.provable, Field3.provable],
+      method(
+        publicKey: Point,
+        signature: Gadgets.Ecdsa.Signature,
+        msgHash: Gadgets.Field3
+      ) {
+        // assert that private inputs are valid
+        ForeignField.assertAlmostFieldElements(
+          [signature.r, signature.s, msgHash],
+          Secp256k1.order
+        );
+
+        // verify signature
+        Ecdsa.verify(Secp256k1, signature, msgHash, publicKey);
+      },
+    },
+  },
+});

src/examples/zkprogram/ecdsa/run.ts

@@ -0,0 +1,43 @@
+import { Gadgets } from 'o1js';
+import { Point, Secp256k1, ecdsaProgram } from './ecdsa.js';
+import assert from 'assert';
+
+// create an example ecdsa signature
+
+let privateKey = Secp256k1.Scalar.random();
+let publicKey = Secp256k1.scale(Secp256k1.one, privateKey);
+
+// TODO use an actual keccak hash
+let messageHash = Secp256k1.Scalar.random();
+
+let signature = Gadgets.Ecdsa.sign(Secp256k1, messageHash, privateKey);
+
+// investigate the constraint system generated by ECDSA verify
+
+console.time('ecdsa verify (build constraint system)');
+let cs = ecdsaProgram.analyzeMethods().verifyEcdsa;
+console.timeEnd('ecdsa verify (build constraint system)');
+
+let gateTypes: Record<string, number> = {};
+gateTypes['Total rows'] = cs.rows;
+for (let gate of cs.gates) {
+  gateTypes[gate.type] ??= 0;
+  gateTypes[gate.type]++;
+}
+console.log(gateTypes);
+
+// compile and prove
+
+console.time('ecdsa verify (compile)');
+await ecdsaProgram.compile();
+console.timeEnd('ecdsa verify (compile)');
+
+console.time('ecdsa verify (prove)');
+let proof = await ecdsaProgram.verifyEcdsa(
+  Point.from(publicKey),
+  Gadgets.Ecdsa.Signature.from(signature),
+  Gadgets.Field3.from(messageHash)
+);
+console.timeEnd('ecdsa verify (prove)');
+
+assert(await ecdsaProgram.verify(proof), 'proof verifies');

src/index.ts

@@ -32,7 +32,6 @@ export {
   method,
   declareMethods,
   Account,
-  VerificationKey,
   Reducer,
 } from './lib/zkapp.js';
 export { state, State, declareState } from './lib/state.js';
@@ -45,6 +44,7 @@ export {
   Empty,
   Undefined,
   Void,
+  VerificationKey,
 } from './lib/proof_system.js';
 export { Cache, CacheHeader } from './lib/proof-system/cache.js';
 
@@ -81,6 +81,8 @@ export { Nullifier } from './lib/nullifier.js';
 import { ExperimentalZkProgram, ZkProgram } from './lib/proof_system.js';
 export { ZkProgram };
 
+export { Crypto } from './lib/crypto.js';
+
 // experimental APIs
 import { Callback } from './lib/zkapp.js';
 import { createChildAccountUpdate } from './lib/account_update.js';

src/lib/crypto.ts

@@ -0,0 +1,31 @@
+import { CurveParams as CurveParams_ } from '../bindings/crypto/elliptic-curve-examples.js';
+import {
+  CurveAffine,
+  createCurveAffine,
+} from '../bindings/crypto/elliptic_curve.js';
+
+// crypto namespace
+const Crypto = {
+  /**
+   * Create elliptic curve arithmetic methods.
+   */
+  createCurve(params: Crypto.CurveParams): Crypto.Curve {
+    return createCurveAffine(params);
+  },
+  /**
+   * Parameters defining an elliptic curve in short Weierstraß form
+   * y^2 = x^3 + ax + b
+   */
+  CurveParams: CurveParams_,
+};
+
+namespace Crypto {
+  /**
+   * Parameters defining an elliptic curve in short Weierstraß form
+   * y^2 = x^3 + ax + b
+   */
+  export type CurveParams = CurveParams_;
+
+  export type Curve = CurveAffine;
+}
+export { Crypto };

src/lib/gadgets/basic.ts

@@ -1,15 +1,58 @@
 /**
  * Basic gadgets that only use generic gates
  */
+import { Fp } from '../../bindings/crypto/finite_field.js';
 import type { Field, VarField } from '../field.js';
 import { existsOne, toVar } from './common.js';
 import { Gates } from '../gates.js';
 import { TupleN } from '../util/types.js';
 
-export { assertOneOf };
+export { arrayGet, assertOneOf };
 
 // TODO: create constant versions of these and expose on Gadgets
 
+/**
+ * Get value from array in O(n) rows.
+ *
+ * Assumes that index is in [0, n), returns an unconstrained result otherwise.
+ *
+ * Note: This saves 0.5*n constraints compared to equals() + switch()
+ */
+function arrayGet(array: Field[], index: Field) {
+  let i = toVar(index);
+
+  // witness result
+  let a = existsOne(() => array[Number(i.toBigInt())].toBigInt());
+
+  // we prove a === array[j] + zj*(i - j) for some zj, for all j.
+  // setting j = i, this implies a === array[i]
+  // thanks to our assumption that the index i is within bounds, we know that j = i for some j
+  let n = array.length;
+  for (let j = 0; j < n; j++) {
+    let zj = existsOne(() => {
+      let zj = Fp.div(
+        Fp.sub(a.toBigInt(), array[j].toBigInt()),
+        Fp.sub(i.toBigInt(), Fp.fromNumber(j))
+      );
+      return zj ?? 0n;
+    });
+    // prove that zj*(i - j) === a - array[j]
+    // TODO abstract this logic into a general-purpose assertMul() gadget,
+    // which is able to use the constant coefficient
+    // (snarky's assert_r1cs somehow leads to much more constraints than this)
+    if (array[j].isConstant()) {
+      // zj*i + (-j)*zj + 0*i + array[j] === a
+      assertBilinear(zj, i, [1n, -BigInt(j), 0n, array[j].toBigInt()], a);
+    } else {
+      let aMinusAj = toVar(a.sub(array[j]));
+      // zj*i + (-j)*zj + 0*i + 0 === (a - array[j])
+      assertBilinear(zj, i, [1n, -BigInt(j), 0n, 0n], aMinusAj);
+    }
+  }
+
+  return a;
+}
+
 /**
  * Assert that a value equals one of a finite list of constants:
  * `(x - c1)*(x - c2)*...*(x - cn) === 0`