EdDSA - Python and Solidity support, compatible with libsnark code

[HarryR]

The Baby JubJub code implements EdDSA.

However, there is no Python nor Solidity implementation which matches.

The aim of this ticket is to create matching Python and Solidity implementations of EdDSA which are compatible with the libsnark version.

[barryWhiteHat]

Here is python implementation https://github.com/barryWhiteHat/baby_jubjub_ecc/blob/master/tests/ed25519.py

[HarryR]

In that implementation b is set to `126.

This significantly weakens the security of the signature scheme, because you're truncating the elements r and s to half their size. Bitlength b-1 needs to hold a full field element, with the extra bit used for the sign flag. I think the confusion came from the paper saying (x,y) is encoded in a b-bit string, but you didn't see the part about the sign bit...

See: https://ed25519.cr.yp.to/ed25519-20110926.pdf pg 6

Secondly, there's another concern I have, which is the ℓ referenced in the paper, where ℓB = ∞, this is the order of the curves scalar field, but in https://github.com/barryWhiteHat/baby_jubjub

• l = 2736030358979909402780800718157159386076813972158567259200215660948447373041
• p = 21888242871839275222246405745257275088548364400416034343698204186575808495617 (snark scalar field)

Where l*8 = ℓ, and B * l * 8 = ∞, and ℓ is too big to fit into the snark scalar field...

So l < p and ℓ > p

So, anything mod ℓ may result in a number that's too big to fit in a native field element,

[swasilyev]

EdDSA for more curves by Bernstein et al. seems a really clear and concise reference

[HarryR]

There's also a lot of interesting information on Ristretto, for example: https://ristretto.group/formulas/decoding.html

I'm currently going through the Ristretto documentation/paper and 'EdDSA for more curves' paper to identify which checks/enforcements need to be put in place.

[swasilyev]

As baby_jubjub was inspired by zcash's jubjub, it may be appear possible to follow their design: https://github.com/zcash/zcash/issues/2853