Scope of the audit
The audit covers the following circuits, which can be found in packages/circuits:
Sessions
Session #1
Session #2
Session #1
1. Spartan-ecdsa
2. Circuit files to cover
3. Run the circuits
4. Efficient ECDSA
Assuming basic knowledge of elliptic curves and ECDSA.
eff_ecdsa.circom
Notations
Standard ECDSA
Sign
Verify
Given \(\text{msg}, r, s\)
More about ECDSA
ECDSA in Spartan-ecdsa (Efficient ECDSA)
Sign (prove)
\[ s * T + U == \text{pubKey}\] without revealing \(s\). In practice, we also prove \(\text{pubKey}\) is in some set.
Verify
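Added example (not code from the spartan-ecdsa repository) showing the Sign/Verify relationship above in plain Python: a standard ECDSA signature over secp256k1 is re-expressed as T = r^-1 * R and U = -(h * r^-1) * G, so that s * T + U == pubKey holds for the honest signer's key. It assumes the nonce point R is available (in practice it is recovered from r plus a parity bit); the helper names, private key, hash value and nonce are constructed for illustration.

```python
# Added illustration, not spartan-ecdsa code: secp256k1 affine arithmetic, None = infinity.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Complete addition: handles infinity, doubling and P + (-P)."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # right-to-left double-and-add
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def sign(d, h, k):
    """Standard ECDSA; also returns the nonce point R, from which T is derived."""
    R = mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (h + r * d) % N
    return r, s, R

def verify_std(pub, h, r, s):
    w = pow(s, -1, N)
    X = add(mul(h * w % N, G), mul(r * w % N, pub))
    return X is not None and X[0] % N == r

def eff_ecdsa_tu(R, h):
    """T = r^-1 * R, U = -(h * r^-1) * G: public values computed outside the circuit."""
    r_inv = pow(R[0] % N, -1, N)
    return mul(r_inv, R), mul((-h * r_inv) % N, G)

def eff_verify(pub, s, T, U):
    """In-circuit relation s * T + U == pubKey; the verifier must recompute T, U itself."""
    return add(mul(s, T), U) == pub
```

Because T and U are derived from public data (r and the message hash), a sound verifier recomputes them from the signature rather than accepting them from the prover alongside the proof.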
5. Merkle tree proof verification
tree.circom
6. Secp256k1 group arithmetic
Addition
Complete addition
Incomplete addition
In spartan-ecdsa, the Plonkish addition constraints below (from the halo2 book) are transformed into R1CS constraints.
Incomplete addition in Plonkish
![](https://hackmd.io/_uploads/Hk2m9PTP2.png)
Complete addition in Plonkish
![](https://hackmd.io/_uploads/B1RI9w6w2.png)
More about complete and incomplete additions
Variable-base scalar multiplication (double-and-add)
Session #2
1. Poseidon
Preliminaries
Why not use Poseidon from circomlib?
We implement Poseidon-secp in Circom and Rust.
The implementation follows Filecoin's Poseidon implementation: Neptune
Generating the constants
Script to generate the Poseidon constants
Sage script to check the security inequalities defined in Filecoin's spec.
Quizzes
Session #1
(basic) How many complete additions are used in the optimized double-and-add algorithm implemented in mul.circom?
(medium) What are the base field and scalar field orders of secq256k1?
(advanced) We have an insecure implementation of Efficient ECDSA. The verifier only checks that the proof \(\pi\) is valid, and does not check if \(T, U\) were computed correctly. Let’s say you are an adversary and want to convince this insecure verifier that you can generate a valid signature. How would you set \(T\) and \(U\) to generate the proof \(\pi\)?
Session #2
(basic) How many full rounds does the Poseidon instance in Spartan-ecdsa execute?
(medium) We want to build an arity-8 Merkle tree that uses Poseidon. According to the specification of Neptune, what should the domain tag of the Poseidon hash function be?
(advanced) Confirm that the following parameters are secure.
Hint: You can run the script security_inequalities.sage in SageMathCell.
Appendix
Appendix A
Output of k256_params.sh