Elliptic-Curve Verification
Private Inputs
| Input | Type |
|---|---|
| SHA-digest of message | Bytes |
| Pubkey in serial form | Bytes |
| Signature | Two tuples of Fields, r and s |
Public Output
| Left | Right |
|---|---|
| Poseidon-digest of SHA-digest of the message | Poseidon-digest of Pubkey in serial or circuit form |
Implementation Details
First, we parse the pubkey from its uncompressed serial form into x and y components, in circuit. For secp256r1, this turns 65 bytes into 6 fields in total.
The in-circuit verification works on the x and y coordinate form, whereas the certificates carry the public key in the uncompressed elliptic-curve point format.
The reason for taking the pubkey in serial form here is that later we will need to find this same public key in a certificate, so we need to know that the two are identical. This requires verifying the conversion at least once, and we decided to do it in this step.
The SHA-digest of the message is converted into scalar form in the same way, also in circuit.
We then verify the signature, which is the computationally intensive step, and return.
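As an added out-of-circuit reference (example code, not the project's o1js circuit), the steps above for the secp256r1 / sha-256 case: parse the 65-byte serial key into x and y, reduce the digest to a scalar, and run the standard ECDSA check. Plain Python integers stand in for the circuit's field representation; the curve constants are the published P-256 parameters, and any key or nonce used with it is constructed.

```python
# Out-of-circuit reference for the steps above (added example, not the project's
# circuit code): parse the uncompressed SEC1 key, make the digest a scalar, verify.

# secp256r1 (NIST P-256) domain parameters
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A, B = P - 3, 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def add(p1, p2):
    """Affine point addition (and doubling); None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3*x1*x1 + A) * pow(2*y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def parse_uncompressed_pubkey(raw: bytes):
    """0x04 || X(32) || Y(32): the 65-byte serial form carried in certificates."""
    if len(raw) != 65 or raw[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed SEC1 point")
    x, y = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")
    if (y*y - (x**3 + A*x + B)) % P:  # reject points that are not on the curve
        raise ValueError("point is not on secp256r1")
    return x, y

def digest_to_scalar(digest: bytes) -> int:
    """SHA-256 is 256 bits wide, the same as n, so the whole digest is used."""
    return int.from_bytes(digest, "big") % N

def verify(digest: bytes, pubkey_raw: bytes, r: int, s: int) -> bool:
    """ECDSA check: R = (e/s)G + (r/s)Q, accept iff R is finite and R.x mod n == r."""
    if not (0 < r < N and 0 < s < N): return False
    q, w = parse_uncompressed_pubkey(pubkey_raw), pow(s, -1, N)
    e = digest_to_scalar(digest)
    pt = add(mul(e*w % N, G), mul(r*w % N, q))
    return pt is not None and pt[0] % N == r
```

A rejected (off-curve or mis-prefixed) key raises before any curve arithmetic, which is the check the in-circuit parse has to enforce as well.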
Implicit Variance
There needs to be a circuit per (SHA variant, EC variant) pair.
Also, since the content of the right-hand public output differs between the Local and Master signature verification, we need a separate circuit for each of those as well.
| | secp256r1 | secp384r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 |
|---|---|---|---|---|---|
| sha-224 | | | | | |
| sha-256 | ✔️ | | | | |
| sha-384 | | | | | |
| sha-512 | | | | | |
Currently we only have the secp256r1 implementation; for the near future, the other curve variants are not supported by o1js yet.
We implemented sha-256, and the other SHA variants are trivial to add.