Note on the 0xPARC blog:
Since the random value t can be altered by the prover (the prover can change the snark input data by changing the random k value in a signature) the prover can try search the space of t for a value that would make the check pass for invalid sigs. Finding such a value means trying to find the pre-image of a fixed hash, and this is not feasible.
Warning this code is highly experimental and unaudited. Please use at your own risk.
The algorithm requires the r' sig value for ECDSA*, which is the y-coord of the point calculated in the generation phase. This r' can be calculated from r & s, but I'm not sure if this is secure because 1 step is skipped in the verification. We need to make sure this is still secure.
No build script yet.
Using 0xPARC's batch-ecdsa method (source)
Here is where the method comes from: https://eprint.iacr.org/2012/582
Note on the 0xPARC blog: Since the random value t can be altered by the prover (the prover can change the snark input data by changing the random k value in a signature) the prover can try search the space of t for a value that would make the check pass for invalid sigs. Finding such a value means trying to find the pre-image of a fixed hash, and this is not feasible.
The algorithm requires the r' sig value for ECDSA*, which is the y-coord of the point calculated in the generation phase. This r' can be calculated from r & s, but I'm not sure if this is secure because 1 step is skipped in the verification. We need to make sure this is still secure.
Run this to generate the inputs: