HarryR / ethsnarks

A toolkit for viable zk-SNARKS on Ethereum, Web, Mobile and Desktop
GNU Lesser General Public License v3.0

Jubjub EdDSA + Tests + solidity cleanups #60

Closed. HarryR closed this pull request 5 years ago

HarryR commented 5 years ago

This implements EdDSA in Solidity and Python. It doesn't yet match the libsnark implementation of JubJub's DSA; however, there are some crucial takeaways from this:

  1. The s value from the signature may be the twist point on the curve
  2. The right hand side, for verification, uses the value t to multiply the public key by
  3. The public key is malleable, it must be on the twisted Edwards curve, but it is selectable by the user

Secondly, I'm truncating the output of the hash function to 250 bits, this ensures that it will be clamped to the point of the twist (JUBJUB_L). This is easy to do in EVM and Python, but requires a conversion to bits in the snark circuit. This adds an extra 250 constraints for bitness checks of the input to the scalarMult function.
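Added example, not code from the ethsnarks repository or from this PR: a small Python EdDSA-style sign/verify over the Baby Jubjub twisted Edwards curve (a = 168700, d = 168696 over the BN254 scalar field, cofactor 8, prime subgroup order JUBJUB_L). It shows the 250-bit hash truncation and the right-hand side R + t*A the comment describes, together with the verifier-side checks the three takeaways point at: s within [0, L), R and the public key on the curve, and the public key inside the prime-order subgroup. Assumptions, all this example's own rather than the project's: SHA-256 stands in for the hash function, the base point is derived by clearing the cofactor from an arbitrary curve point instead of using the project's generator, and the nonce and point encodings are chosen here, so these signatures are not interoperable with ethsnarks.

```python
import hashlib

# Baby Jubjub: a*x^2 + y^2 = 1 + d*x^2*y^2 over the BN254 scalar field,
# cofactor 8, prime-order subgroup of size JUBJUB_L.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A_COEF, D_COEF, COFACTOR = 168700, 168696, 8
JUBJUB_L = 2736030358979909402780800718157159386076813972158567259200215660948447373041
IDENTITY = (0, 1)
MASK_250 = (1 << 250) - 1  # 2**250 < JUBJUB_L, so a truncated hash is already < L

def point_add(p1, p2):
    # Affine twisted Edwards addition.
    x1, y1 = p1
    x2, y2 = p2
    k = D_COEF * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + k, -1, P) % P
    y3 = (y1 * y2 - A_COEF * x1 * x2) * pow(1 - k, -1, P) % P
    return (x3, y3)

def scalar_mult(n, pt):
    # Double-and-add for a non-negative integer scalar.
    acc = IDENTITY
    while n:
        if n & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        n >>= 1
    return acc

def is_on_curve(pt):
    x, y = pt
    return (A_COEF * x * x + y * y - 1 - D_COEF * x * x * y * y) % P == 0

def in_prime_subgroup(pt):
    """On the curve and killed by JUBJUB_L, i.e. carrying no cofactor component."""
    return is_on_curve(pt) and scalar_mult(JUBJUB_L, pt) == IDENTITY

def sqrt_mod(n):
    """Tonelli-Shanks square root mod P (P = 1 mod 4); None if n is a non-residue."""
    n %= P
    if n == 0:
        return 0
    if pow(n, (P - 1) // 2, P) != 1:
        return None
    q, s = P - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (P - 1) // 2, P) != P - 1:
        z += 1
    m, c, t, r = s, pow(z, q, P), pow(n, q, P), pow(n, (q + 1) // 2, P)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % P, i + 1
        b = pow(c, 1 << (m - i - 1), P)
        m, c, t, r = i, b * b % P, t * b * b % P, r * b % P
    return r

def derive_generator():
    """Solve the curve equation for a small y, then clear the cofactor. Assumption:
    any prime-order point serves as base point here (not the project's generator)."""
    for y in range(2, 1000):
        x2 = (1 - y * y) * pow(A_COEF - D_COEF * y * y, -1, P) % P
        x = sqrt_mod(x2)
        if x is not None:
            g = scalar_mult(COFACTOR, (x, y))
            if g != IDENTITY:
                return g
    raise RuntimeError("no suitable point found")

B = derive_generator()

def encode_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def hash_to_250(*parts):
    """Hash (SHA-256 stands in for the project's hash), then keep the low 250 bits."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") & MASK_250

def keygen(seed):
    k = int.from_bytes(hashlib.sha256(b"key:" + seed).digest(), "big") % JUBJUB_L
    return k, scalar_mult(k, B)

def sign(k, pub, msg):
    """Deterministic nonce r, then s = r + t*k with t the truncated hash of (R, A, M)."""
    r_bytes = hashlib.sha256(b"nonce:" + k.to_bytes(32, "big") + msg).digest()
    r = int.from_bytes(r_bytes, "big") % JUBJUB_L
    R = scalar_mult(r, B)
    t = hash_to_250(encode_point(R), encode_point(pub), msg)
    return R, (r + t * k) % JUBJUB_L

def verify(pub, msg, R, s):
    """Check s*B == R + t*A after rejecting signer-chosen inputs outside their domain."""
    if not (0 <= s < JUBJUB_L):
        return False
    if not in_prime_subgroup(pub) or not is_on_curve(R):
        return False
    t = hash_to_250(encode_point(R), encode_point(pub), msg)
    return scalar_mult(s, B) == point_add(R, scalar_mult(t, pub))
```

Two of the checks are worth trying by hand. Passing `s + JUBJUB_L` instead of `s` gives exactly the same `s*B`, so only the range check rejects it; and adding the order-2 point `(0, P - 1)` to a valid public key yields a point that is still on the curve but fails `in_prime_subgroup`, which is why the verifier checks subgroup membership rather than only the curve equation for a public key the user gets to pick.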