Electron-Labs / ed25519-circom

ED25519 implementation in Circom
https://docs.electronlabs.org/

Hard to understand inputs meaning in verify.circom #62

Closed Eikix closed 2 years ago

Eikix commented 2 years ago

Hi all:),

First off: really cool repo, and thank you.

I'm a beginner in the zero-knowledge field, and I'm exploring different signature verification circuits in circom.

Maybe this is a stupid question, but I have a hard time fitting the vars' names to their definitions:

What are A, PointA and PointR?

In my mind there were msg, signature, and pubKey, so I'm guessing A, PointA and PointR have something to do with pubkeys.

Proposed fix: add one-line comments above the signal inputs in verify.circom to help readers map var names to the actual definitions of the concepts.

rahulghangas commented 2 years ago

@Eikix I have realized there needs to be better documentation regarding this.

One thing to note: the circom way to pass in byte sequences is not little-endian/big-endian, but rather from least significant bit to most significant bit. We have assumed the same in these circuits.

To clarify your doubts:

- A is the public key in binary (LSB to MSB)
- PointA is the point representing the public key on the elliptic curve (encoded in base 2^51 for brevity)
- PointR is the point representing the R8 value on the elliptic curve (encoded in base 2^51)

Ideally, the algorithm we follow only takes in A and R8 in binary form, and they are decompressed to get PointA and PointR respectively. However, decompression is an expensive algorithm to perform in a circuit. On the other hand, compression is cheap and easy to implement. So, we use a nifty little trick: push the onus of providing both onto the prover and perform equality checks after compressing the points within the circuit. Ref

You can find all helper functions to change encodings from well-known formats to circuit-friendly formats here.

I will add comments in the circuit files to address your proposed solution, after which we can close this issue.
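The input relationship described in this comment, as an added illustration that is not code from ed25519-circom: the prover decompresses the 32-byte public key off-circuit into (x, y), supplies A as an LSB-first bit list and PointA as limb vectors, and the circuit side only needs the cheap compression plus an on-curve check to tie the two together. Assumed here, not stated on the page: 5 limbs of 51 bits, and the RFC 8032 test-vector public key used as sample input.

```python
# Added example (not ed25519-circom code). Assumed: bits LSB-first, 5 x 51-bit limbs.
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p          # Ed25519 curve constant
SQRT_M1 = pow(2, (p - 1) // 4, p)               # sqrt(-1) mod p

def bits_lsb_first(b: bytes) -> list:
    """Byte string -> list of bits, least significant bit first (the circom convention)."""
    n = int.from_bytes(b, "little")
    return [(n >> i) & 1 for i in range(8 * len(b))]

def to_limbs(v: int, n: int = 5, base: int = 51) -> list:
    """Field element -> n limbs of `base` bits each, least significant limb first."""
    return [(v >> (base * i)) & ((1 << base) - 1) for i in range(n)]

def from_limbs(limbs: list, base: int = 51) -> int:
    return sum(l << (base * i) for i, l in enumerate(limbs)) % p

def on_curve(x: int, y: int) -> bool:
    """-x^2 + y^2 = 1 + d x^2 y^2 (twisted Edwards form of Ed25519)."""
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def decompress(enc: bytes) -> tuple:
    """Off-circuit decoding (RFC 8032 5.1.3): recover (x, y) from 32 encoded bytes."""
    y = int.from_bytes(enc, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= p:
        raise ValueError("y out of range")
    u, v = (y * y - 1) % p, (d * y * y + 1) % p
    x = pow(u * pow(v, p - 2, p), (p + 3) // 8, p)   # candidate root of x^2 = u/v
    if (v * x * x - u) % p != 0:
        x = x * SQRT_M1 % p
    if (v * x * x - u) % p != 0:
        raise ValueError("not a valid point")
    if x == 0 and sign:
        raise ValueError("invalid sign for x = 0")
    return (p - x if (x & 1) != sign else x), y

def compress(x: int, y: int) -> bytes:
    """Cheap direction: y with the parity of x in the top bit."""
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def prover_inputs(pubkey: bytes) -> tuple:
    """What the prover supplies: A as bits and PointA as two limb vectors."""
    x, y = decompress(pubkey)
    return bits_lsb_first(pubkey), [to_limbs(x), to_limbs(y)]

def circuit_check(a_bits: list, point_a: list) -> bool:
    """In-circuit side of the trick: compress PointA and compare with A (plus on-curve)."""
    x, y = from_limbs(point_a[0]), from_limbs(point_a[1])
    return on_curve(x, y) and bits_lsb_first(compress(x, y)) == a_bits
```

The compressed-equality check alone fixes y and the parity of x; the on-curve check is what pins x itself, so a point with the right y but the negated x is rejected.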

Eikix commented 2 years ago

Thank you for your help :) That was very clear.

rahulghangas commented 2 years ago

Fixed in commit ba4c2dfdb8f5ff3a24de84c1f7cef610ab417b8e