Following is an instance of a signature = ($\sigma$, R). \sigma is scalar of ~ 320 bits. R is point on EcGFp5. Signature verification has the following steps:
- Validate $\sigma$ is an element in Scalar field
- Validate R is a valid point on the curve
- Compute e = H(unparsed(R)|unparsed(Q)|m)
- Assert $\sigma$G - eQ == R
fn unparsed() is byte representation of the curve point.
Now I'd take note a few points regarding improving efficiency of validating signature in a circuit.
- Hash function H must be an arithmetic hash function - poseidon
- Usually byte representation of curve point is 40 element bytearray (64*5/8 = 320/8 = 40 bytes). We should modify it have large elements. This should reduce poseidon rounds in the H function. However, I'm unsure of the cost of range check for the large elements.
Following is an instance of a signature = ($\sigma$ , R). \sigma is scalar of ~ 320 bits. R is point on EcGFp5. Signature verification has the following steps:
fn
unparsed()is byte representation of the curve point.Now I'd take note a few points regarding improving efficiency of validating signature in a circuit.