personaelabs / spartan-ecdsa

The fastest in-browser verification of ECDSA signatures in ZK, using Spartan on the secq256k1 curve

Why eff_ecdsa_to_addr_test.circom's output is not the same as the real address from my private key? #38

Open Vap0RSh4wN opened 10 months ago

Vap0RSh4wN commented 10 months ago

Thank you for your time. I encountered some issues when I set up the environment, so I changed packages/circuits/tests/eff_ecdsa_to_addr.test.ts and packages/circuits/tests/test_utils.ts like this to perform the test:

```js
var EC = require("elliptic").ec;
const { privateToAddress, hashPersonalMessage, ecsign } = require("ethereumjs-util");
const { computeEffEcdsaPubInput } = require("@personaelabs/spartan-ecdsa");

const { toBigIntBE } = require("bigint-buffer");
const ec = new EC("secp256k1");

// Sign msg with privKey and build the inputs for the efficient-ECDSA circuit.
const getEffEcdsaCircuitInput = (privKey, msg) => {
  const msgHash = hashPersonalMessage(msg);
  const { v, r: _r, s } = ecsign(msgHash, privKey);
  const r = BigInt("0x" + _r.toString("hex"));

  const circuitPubInput = computeEffEcdsaPubInput(r, BigInt(v), msgHash);
  const input = {
    s: BigInt("0x" + s.toString("hex")),
    Tx: circuitPubInput.Tx,
    Ty: circuitPubInput.Ty,
    Ux: circuitPubInput.Ux,
    Uy: circuitPubInput.Uy
  };

  return input;
};

(async () => {
  const privKey = Buffer.from("myprivatekey", "hex");
  // const pubKey = ec.keyFromPrivate(privKey.toString("hex")).getPublic();

  // Expected address as a decimal string, for comparison with the circuit output.
  const addr = BigInt("0x" + privateToAddress(privKey).toString("hex")).toString(10);
  console.log("Address:", addr);

  const msg = Buffer.from("hello world");
  const circuitInput = getEffEcdsaCircuitInput(privKey, msg);

  console.log(circuitInput);
})();
```

But when I input what I get from the above code as the packages/circuits/tests/circuits/eff_ecdsa_to_addr_test.circom's input, the output is not the same as the real address from my private key. I would be so grateful if you could answer my question.

Vap0RSh4wN commented 10 months ago

Could this be because I used regular circom instead of your Circom-secq? If I install circom-secq will it overwrite my original circom? Thank you so much.

DanTehrani commented 10 months ago

@ssxssx Yes the problem might be the prime field of Circom! Can you try running with circom-secq? https://github.com/DanTehrani/circom-secq
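The field mismatch suggested above, as an added example (not code from the repository or from either commenter): the same secp256k1 point arithmetic is run modulo the secp256k1 base-field prime, which is the scalar field of secq256k1, and modulo the BN254 prime that stock circom uses by default. Function names are hypothetical; the constants are the public curve and field parameters.

```javascript
// Added example. Constants are public field/curve parameters; function names are hypothetical.
const SECP_P = 2n ** 256n - 2n ** 32n - 977n; // secp256k1 base field = secq256k1 scalar field
const BN254_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617n; // stock circom default
const G = { // secp256k1 generator
  x: 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798n,
  y: 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n,
};

const mod = (a, p) => ((a % p) + p) % p;

// Modular exponentiation; the inverse uses Fermat's little theorem (both moduli are prime).
function powMod(b, e, p) {
  let r = 1n;
  b = mod(b, p);
  while (e > 0n) {
    if (e & 1n) r = (r * b) % p;
    b = (b * b) % p;
    e >>= 1n;
  }
  return r;
}
const inv = (a, p) => powMod(a, p - 2n, p);

// Affine add/double on y^2 = x^3 + 7, every operation reduced mod p as a circuit's native field does.
function add(P, Q, p) {
  const lam = P.x === Q.x && P.y === Q.y
    ? mod(3n * P.x * P.x * inv(2n * P.y, p), p)
    : mod((Q.y - P.y) * inv(Q.x - P.x, p), p);
  const x = mod(lam * lam - P.x - Q.x, p);
  return { x, y: mod(lam * (P.x - x) - P.y, p) };
}

// Double-and-add; assumes k > 0 and that the point at infinity is never reached.
function mul(k, P, p) {
  let R = null;
  for (const bit of k.toString(2)) {
    if (R) R = add(R, R, p);
    if (bit === "1") R = R ? add(R, P, p) : P;
  }
  return R;
}

// Curve membership as seen from inside a field of prime p.
const onCurve = (P, p) => mod(P.y * P.y - P.x ** 3n - 7n, p) === 0n;
// Input names whose values do not fit below p and would be silently reduced.
const overflowing = (input, p) => Object.keys(input).filter((k) => input[k] >= p);

console.log(onCurve(G, SECP_P), onCurve(G, BN254_R)); // true false
console.log(overflowing(G, BN254_R), overflowing(G, SECP_P)); // [ 'x', 'y' ] []
```

Running `overflowing` over the object printed by the test script, with the prime of the circom build in use, shows before compilation whether Tx, Ty, Ux or Uy would wrap.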

Vap0RSh4wN commented 9 months ago

> @ssxssx Yes the problem might be the prime field of Circom! Can you try running with circom-secq? https://github.com/DanTehrani/circom-secq

THANK YOU SO MUCH FOR YOUR HELP!! Besides, I want to implement verification of signature S while being able to verify the message of signature M at the same time. But Spartan's signature seems to allow the signer to use arbitrary messages. In other words, the signer of the private key does not seem to care what information he or she signs. But I need to verify the signed message (╥﹏╥). I tried using circom-ecdsa, but its constraints are so big. Do you have any suggestions? Thank you very much!

Vap0RSh4wN commented 9 months ago

o(╥﹏╥)o

DanTehrani commented 9 months ago

Really sorry about the late res!

spartan-ecdsa checks the signed message "outside of the circuit" (e.g. in javascript), so the signed message won't be private. Verifying in the circuit that the signed message actually hashes to msgHash requires a lot of constraints, and I don't think there's a workaround for that unfortunately.