-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathdesignated-verifier-proof.circom
55 lines (40 loc) · 1.41 KB
/
designated-verifier-proof.circom
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
pragma circom 2.0.0;
include "../../circom-ecdsa/circuits/eth_addr.circom";
include "../../circom-ecdsa/circuits/ecdsa.circom";
template DesignatedVerifierSignature(n, k){
// inputs for ecdsa ECDSAVerifyNoPubkeyCheck circuit
signal input r[k];
signal input s[k];
signal input msghash[k];
signal input pubkey[2][k];
// input for PrivKeyToAddr
signal input privkey[k];
// checker against the output of PrivKeyToAddr
signal input addr;
// output of the circuit => 1 if at least one of the condition is valid, 0 otherwise
signal output out;
component eq1 = IsEqual();
// compute proof #1
component verifySignature = ECDSAVerifyNoPubkeyCheck(n, k);
for (var i = 0; i < k; i++) {
verifySignature.r[i] <== r[i];
verifySignature.s[i] <== s[i];
verifySignature.msghash[i] <== msghash[i];
for (var j = 0; j < 2; j++) {
verifySignature.pubkey[j][i] <== pubkey[j][i];
}
}
// compute proof #2
component pk2addr = PrivKeyToAddr(n, k);
for (var i = 0; i < k; i++) {
pk2addr.privkey[i] <== privkey[i];
}
// verify proof #2 => Does the computed address match the one provided as input?
eq1.in[0] <== pk2addr.addr;
eq1.in[1] <== addr;
// check if at least one of the proofs is valid
component or = OR();
or.a <== verifySignature.result;
or.b <== eq1.out;
out <== or.out;
}