adsnarks

git submodule update --init --recursive

python3 src/eddsa/generate.py <N> populates keys/signature with N random signatures to be used for testing. More precisely, it:

• generates N random positive integers v
• for each integer v produces a signature (R, S) using a random key pair (sk, pk)
• each signature is represented as 6 binary strings in the following order:

1. the integer signed v (in little-endian bit order)
2. x component of the public key pk.x (in little-endian bit order)
3. y component of the public key pk.y (in little-endian bit order)
4. x component of the point part of the signature R.x (in little-endian bit order)
5. y component of the point part of the signature R.y (in little-endian bit order)
6. scalar part of the signature S (in BIG-endian bit order, don't ask me why)

src/generator.cpp

• produces proving/verifying keys for the circuit for N = 3 signatures
• dumps the proving key to keys/libsnark/pk in libsnark format. It is used by libsnark prover src/proover.cpp
• dumps the proving key to keys/ethsnarks/vk.json in ethsnarks format. It is used
  • to deploy the verifier contract, see migrations/2_deploy_contracts.js
  • to test the verifier contract, see tests/TestVerifier.js
  • to generate Solidity code using ethsnarks.cli.vk2sol
• dumps the verifying key to keys/libsnark/pk. It is used by libsnark verifier src/verifier.cpp

src/prover.cpp

• reads proving key from keys/libsnark/pk
• populates the circuit inputs with data from keys/signature
• dumps the proof to keys/libsnark/proof in libsnark format. It can be verified with libsnark verifier src/verifier.cpp
• dumps the proof to ethsnarks/proof.json in ethsnarks format. It is used
  • to test the verifier contract, see tests/TestVerifier.js
  • to generate Solidity code using ethsnarks.cli.proof2sol

src/verifier.cpp

• is created to test proofs generated by the prover
• reads:
  • the verifying key from keys/libsnark/vk
  • the proof from keys/libsnark/proof
  • the public keys (and median?[TODO]) from keys/signature to be used as public inputs
• and verifies the proof against the public inputs

TODO items:

1. For MVP (n-of-n signature)
   1. ethsnarks: bump solidity version, add proof.json export, and update the submodule
   2. libff doesn't provide inequality operators for field elements, so the easiest way to find the median is to hint the prover with the median index from outside (currently it's hardcoded)
   3. n = 3 is hardcoded in generator/proover/verifier
   4. check that pk and vk match (were generated with the same trapdoor), add n and nonce to key dumps
2. Circuit enhancements
   1. support m-of-n case. For that one should add a flag to eddsa gadget and condition some constraints on that flag
   2. add timestamps/rounds to the signatures
   3. improve signature gadget (security, circuit-friendly hash)
3. Smart-Contract
   1. add public key management
   2. add public inputs packing
4. General improvements
   1. CLI for generating a key pair, signing a particular integer, and verifying a signature
   2. shell script for an end-2-end test
   3. describe library dependencies (or better, provide a Docker image)
   4. introduce CI
   5. readable signatures file
   6. DEBUG profile
   7. document the circuit, measure performance
   8. measure gas consumption