Bug audit report says input signal s is not constrained in eff_ecdsa.circom. Based on my tests, I believe there is insufficient constraint on T.
I set s to 0 and varied T, and ultimately found that sMultT is not 0, and the output pubKey does not equal U. This result contradicts the comments in the code.
When I set Tx and Ty to 0, regardless of the value of s, the outputs are pubKeyX = Ux and pubKeyY = Uy.
template EfficientECDSA() {
var bits = 256;
signal input s;
signal input Tx; // T = r^-1 * R
signal input Ty;
signal input Ux; // U = -(m * r^-1 * G)
signal input Uy;
signal output pubKeyX;
signal output pubKeyY;
// sMultT = s * T
component sMultT = Secp256k1Mul();
sMultT.scalar <== s;
sMultT.xP <== Tx;
sMultT.yP <== Ty;
// pubKey = sMultT + U
component pubKey = Secp256k1AddComplete();
pubKey.xP <== sMultT.outX;
pubKey.yP <== sMultT.outY;
pubKey.xQ <== Ux;
pubKey.yQ <== Uy;
log("the value of s: ",s);
log("the value of sMultT.outX: ",sMultT.outX);
log("the value of sMultT.outY: ",sMultT.outY);
pubKeyX <== pubKey.outX;
pubKeyY <== pubKey.outY;
}
Bug audit report says input signal s is not constrained in eff_ecdsa.circom. Based on my tests, I believe there is insufficient constraint on T.
I set s to 0 and varied T, and ultimately found that sMultT is not 0, and the output pubKey does not equal U. This result contradicts the comments in the code.
When I set Tx and Ty to 0, regardless of the value of s, the outputs are pubKeyX = Ux and pubKeyY = Uy.
Test for s
input0
input.json
public.json
input1
input.json
public.json
Analyse
I think the above two sets of inputs should yield the same output, but the results do not match.