blockdev

@blockdev

Joined on Mar 25, 2022

  • NOTE: $l$ used in this document is the same as $l$ used in https://eips.ethereum.org/EIPS/eip-2494, and the same as $r$ used in Geometry's bug report. The theoretical fix is to ensure $secret < l$. In circom, it looks like this: `LessThan(251)([secret, l]) === 1;`. Readers may know that just using the LessThan template doesn't protect against all cases. For example, run this in zkrepl.dev: https://gist.github.com/0xbok/3f87b9c79fde41759f31fc62de218b80. It shows that LessThan passes when $secret = \mathrm{SNARK\_FIELD}-1$. $\mathrm{SNARK\_FIELD}-1$ is the maximum value in circom and hence it is greater than $l$, but LessThan returns 1, interpreting it as $p-1 < l$. We show that enforcing `LessThan(251)([secret, l]) === 1` and then using BabyPbk() (as defined in the current master branch of circomlib) on $secret$ is enough to enforce that $secret < l$. Proof
  • The goal of this post is to get through just enough theory to understand the key generation process in Ethereum. Ethereum also uses other elliptic curves for different use cases, like validator signatures, which are out of scope here. Heavy inspiration has been taken from Martin Kleppmann's Tutorial on Elliptic Curve Cryptography and LeastAuthority's moonmath manual. There may be errors and gaps in this post, so use it only for a broad understanding. Better resources, like the ones linked above, are available if you're looking for a detailed description. Prerequisites for Elliptic curves. Modular Arithmetic
  • Tips for safe circom circuits. Write documentation and comments: write detailed documentation and a spec before writing the circuits. Bugs can be discovered here! It will help you while writing and reviewing the circuits. Example: something is intended to be private but is actually not private in the circuits. ZK stack
  • circom-bigint audit. Goals: a security-focused review of the circom-bigint library; deliver an audit report at the end; establish a reference for Circom-focused audits. Veridise is working on its formal verification. What is bigint?