Closed HarryR closed 5 years ago
Here is python implementation https://github.com/barryWhiteHat/baby_jubjub_ecc/blob/master/tests/ed25519.py
In that implementation b is set to 126. This significantly weakens the security of the signature scheme, because you're truncating the elements r and s to half their size. Bitlength b-1 needs to hold a full field element, with the extra bit used for the sign flag. I think the confusion came from the paper saying (x,y) is encoded in a b-bit string, but you didn't see the part about the sign bit...
See: https://ed25519.cr.yp.to/ed25519-20110926.pdf pg 6
Secondly, there's another concern I have, which is the ℓ referenced in the paper, where ℓB = ∞; this is the order of the curve's scalar field, but in https://github.com/barryWhiteHat/baby_jubjub l*8 = ℓ, and B * l * 8 = ∞, and ℓ is too big to fit into the snark scalar field... So l < p and ℓ > p. So, anything mod ℓ may result in a number that's too big to fit in a native field element,
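To make the sign-bit point concrete, here is an added example (not code from this issue or from the baby_jubjub repository) of RFC 8032-style Ed25519 point compression: with b = 256, the low b-1 = 255 bits hold y and the top bit holds the sign of x, and with b = 126 the y coordinate of the base point does not even fit.

```python
# Added example (not from the issue or the baby_jubjub repo): RFC 8032-style
# Ed25519 point compression, showing why b-1 bits must hold a whole field element.
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p       # Ed25519 curve constant
SQRT_M1 = pow(2, (p - 1) // 4, p)            # a square root of -1 mod p

# Standard Ed25519 base point B; its x is even, so its sign bit is 0.
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def y_fits(P, b):
    """True if the y coordinate fits in the b-1 bits left after the sign bit."""
    return P[1].bit_length() <= b - 1

def encode_point(P, b=256):
    """Pack (x, y) into b bits: y in the low b-1 bits, x & 1 in the top bit."""
    x, y = P
    if not y_fits(P, b):
        raise ValueError(f"y needs {y.bit_length()} bits, only {b - 1} available")
    return (((x & 1) << (b - 1)) | y).to_bytes((b + 7) // 8, "little")

def decode_point(enc, b=256):
    """Recover (x, y): read y, solve x^2 = (y^2-1)/(d*y^2+1), fix the sign of x."""
    n = int.from_bytes(enc, "little")
    sign = n >> (b - 1)
    y = n & ((1 << (b - 1)) - 1)
    if y >= p:
        raise ValueError("y is not a field element")
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)             # works because p = 5 (mod 8)
    if (x * x - x2) % p != 0:
        x = x * SQRT_M1 % p                  # other candidate root
    if (x * x - x2) % p != 0:
        raise ValueError("not a point on the curve")
    if x == 0 and sign == 1:
        raise ValueError("invalid sign bit for x = 0")
    if (x & 1) != sign:
        x = p - x                            # pick the root with the encoded parity
    return (x, y)

if __name__ == "__main__":
    enc = encode_point(B)
    print(enc.hex())                         # 5866...66, the well-known encoding of B
    assert decode_point(enc) == B
    print("does B's y fit with b=126?", y_fits(B, 126))   # False
```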
EdDSA for more curves by Bernstein et al. seems a really clear and concise reference
There's also a lot of interesting information on Ristretto, for example: https://ristretto.group/formulas/decoding.html
I'm currently going through the Ristretto documentation/paper and 'EdDSA for more curves' paper to identify which checks/enforcements need to be put in place.
As baby_jubjub was inspired by zcash's jubjub, it may appear possible to follow their design: https://github.com/zcash/zcash/issues/2853
The Baby JubJub code implements EdDSA.
However, there is no Python nor Solidity implementation which matches.
The aim of this ticket is to create matching Python and Solidity implementations of EdDSA which are compatible with the libsnark version.