Zokrates: Support signature verification on curve `bls12_381`

[alv-around]

Currently, ZoKrates only supports signature verification on curve bn128. For that purpose the implementation of Baby JubJub curve was added to ZoKrates stdlib. The Baby jubjub was inspired on the jubjub Curve proposed by Z-Cash (more on the reason for these curves on the Z-Cash link). The original jubjub uses the bls12_381 scalar field. The bls12_381 is popular eliptic curve (ec) used in blockchains such as Z-Cash and Tezos. However, Ethereum uses the bn128 ec and thus the Baby jubjub curve the equivalent to the jubjub curve.

Adding support for the jubjub curve in the zokrates stdlib would enable the verificaton of signatures with Zokrates for the bls12_381 curve (and thus in other blockchains such as Tezos and Z-Cash between others). The feature has been discussed in Tezos Agora and proposed as feature request in ZoKrates

Conversation of the issue on Tezos Agora

🧑‍🏭 Feature: https://github.com/Zokrates/ZoKrates/pull/1282

ZoKrates:

• [x] Proof-Of-Ownership
• [x] VerifyEddsa

Background

• Why do Zokrates use the Baby JubJub curve to verify signatures and not the underlying bn128 curve?

  Detailed answer here

• Paper about eliptic curve circuits for ZKP

[alv-around]

Actual development of feature in https://github.com/Zokrates/ZoKrates/tree/jubjub

[alv-around]

The testing of the implementation is challenging so far there is no specific library which the jubjub is implemented which correctness can be benchmark against.

For this purpose, the plan is to implement the jubjub curve first on pycrypto, collect feedback from the zokrates team and then add it to Zokrates.

Links:

• jubjub parameters
• baby jubjub parameters

[alv-around]

Work in PR

[alv-around]

PR submitted for review.