schnorr.cpp

Go to the documentation of this file.

// === AUDIT STATUS ===
// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }
// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }
// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }
// =====================
 
#include "schnorr.hpp"
#include "barretenberg/crypto/pedersen_commitment/pedersen.hpp"
#include "barretenberg/stdlib/hash/blake2s/blake2s.hpp"
#include "barretenberg/stdlib/hash/pedersen/pedersen.hpp"
#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp"
#include "barretenberg/stdlib/primitives/group/cycle_group.hpp"
#include <array>
 
namespace bb::stdlib {
 
template <typename C>
schnorr_signature_bits<C> schnorr_convert_signature(C* context, const crypto::schnorr_signature& signature)
{
    using cycle_scalar = typename cycle_group<C>::cycle_scalar;
 
    uint256_t s_bigint(0);
    uint256_t e_bigint(0);
    const uint8_t* s_ptr = &signature.s[0];
    const uint8_t* e_ptr = &signature.e[0];
    numeric::read(s_ptr, s_bigint);
    numeric::read(e_ptr, e_bigint);
    schnorr_signature_bits<C> sig{ .s = cycle_scalar::from_witness_bitstring(context, s_bigint, 256),
                                   .e = cycle_scalar::from_witness_bitstring(context, e_bigint, 256) };
    return sig;
}
 
template <typename C>
std::array<field_t<C>, 2> schnorr_verify_signature_internal(const byte_array<C>& message,
                                                            const cycle_group<C>& pub_key,
                                                            const schnorr_signature_bits<C>& sig)
{
    cycle_group<C> g1(grumpkin::g1::one);
    // compute g1 * sig.s + key * sig,e
 
    auto x_3 = cycle_group<C>::batch_mul({ g1, pub_key }, { sig.s, sig.e }).x;
    // build input (pedersen(([s]g + [e]pub).x | pub.x | pub.y) | message) to hash function
    // pedersen hash ([r].x | pub.x) to make sure the size of `hash_input` is <= 64 bytes for a 32 byte message
    byte_array<C> hash_input(pedersen_hash<C>::hash({ x_3, pub_key.x, pub_key.y }));
    hash_input.write(message);
 
    // compute  e' = hash(([s]g + [e]pub).x | message)
    byte_array<C> output = stdlib::Blake2s<C>::hash(hash_input);
    static constexpr size_t LO_BYTES = cycle_group<C>::cycle_scalar::LO_BITS / 8;
    static constexpr size_t HI_BYTES = 32 - LO_BYTES;
    field_t<C> output_hi(output.slice(0, LO_BYTES));
    field_t<C> output_lo(output.slice(LO_BYTES, HI_BYTES));
    return { output_lo, output_hi };
}
 
template <typename C>
void schnorr_verify_signature(const byte_array<C>& message,
                              const cycle_group<C>& pub_key,
                              const schnorr_signature_bits<C>& sig)
{
    auto [output_lo, output_hi] = schnorr_verify_signature_internal(message, pub_key, sig);
    output_lo.assert_equal(sig.e.lo, "verify signature failed");
    output_hi.assert_equal(sig.e.hi, "verify signature failed");
}
 
template <typename C>
bool_t<C> schnorr_signature_verification_result(const byte_array<C>& message,
                                                const cycle_group<C>& pub_key,
                                                const schnorr_signature_bits<C>& sig)
{
    auto [output_lo, output_hi] = schnorr_verify_signature_internal(message, pub_key, sig);
    bool_t<C> valid = (output_lo == sig.e.lo) && (output_hi == sig.e.hi);
    return valid;
}
 
#define VERIFY_SIGNATURE_INTERNAL(circuit_type)                                                                        \
    template std::array<field_t<circuit_type>, 2> schnorr_verify_signature_internal<circuit_type>(                     \
        const byte_array<circuit_type>&,                                                                               \
        const cycle_group<circuit_type>&,                                                                              \
        const schnorr_signature_bits<circuit_type>&)
VERIFY_SIGNATURE_INTERNAL(bb::UltraCircuitBuilder);
VERIFY_SIGNATURE_INTERNAL(bb::MegaCircuitBuilder);
#define VERIFY_SIGNATURE(circuit_type)                                                                                 \
    template void schnorr_verify_signature<circuit_type>(const byte_array<circuit_type>&,                              \
                                                         const cycle_group<circuit_type>&,                             \
                                                         const schnorr_signature_bits<circuit_type>&)
VERIFY_SIGNATURE(bb::UltraCircuitBuilder);
VERIFY_SIGNATURE(bb::MegaCircuitBuilder);
#define SIGNATURE_VERIFICATION_RESULT(circuit_type)                                                                    \
    template bool_t<circuit_type> schnorr_signature_verification_result<circuit_type>(                                 \
        const byte_array<circuit_type>&,                                                                               \
        const cycle_group<circuit_type>&,                                                                              \
        const schnorr_signature_bits<circuit_type>&)
SIGNATURE_VERIFICATION_RESULT(bb::UltraCircuitBuilder);
SIGNATURE_VERIFICATION_RESULT(bb::MegaCircuitBuilder);
#define CONVERT_SIGNATURE(circuit_type)                                                                                \
    template schnorr_signature_bits<circuit_type> schnorr_convert_signature<circuit_type>(                             \
        circuit_type*, const crypto::schnorr_signature&)
CONVERT_SIGNATURE(bb::UltraCircuitBuilder);
CONVERT_SIGNATURE(bb::MegaCircuitBuilder);
} // namespace bb::stdlib