Circuit Constraints for Digital Signature Algorithms

Digital signatures are crpytographic schemes that provide message authentication (the receiver can verify the origin of the message), integrity (the receiver can verify that the message has not been modified since it was signed) and non-repudiation (the sender cannot falsely claim that they have not signed the message).

In this short note, we discuss arithmetic circuit constraints that ensures that a witness, a set of inputs and outputs, correctly computes (or are related to each other through) the Digital Signature Algorithm (DSA) and its more advanced version that uses elliptic curves. Both algorithms are based on groups of known order and the discrete logarithm (DL) security assumptions.

A signature scheme has three parts, the setup algorithm which involves private and public key generation, the signature algorithm itself, and a verification algorithm for checking if a signature is authentic.

The verification algorithm is the only part of the scheme that is public and is typically the only part that is of importance for circuit constraints. For example, the verification algorithm for DSA appears in smart contracts executed in the Ethereum Virtual Machine. The veracity of the inputs and outputs of this verification algorithm can be shown by encoding a set of contraints into a circuit used to prove a larger set of computations with a ZK-SNARK.

We will introduce the two algorithms, DSA and Elliptic-curve DSA in turn and briefly discuss the circuit constraints associated with each.

Digital Signature Algorithm (DSA)

Setup Algorithm: The setup algorithm generates a private key known only to the sender (or signee) and a corresponding public key. Since the setup algorithm is privately computed and not really relevant to the verification process, it is possible to skip this section, which only provides background information on why DSA works.

The algorithm goes as follows. Security parameters

(p, q)

are chosen and publically shared.

p

is a prime of size

> 1024

bits and

q

is a prime of size

> 160

bits chosen in such a way that

p - 1 = c q

for a particular

c > 0

. The reason for this contraint is as follows.

The signatures created by DSA will be utilizing a cyclic subgroup

G ⩽ Z / p Z^{\times}

of prime order

q

with a generator

g

. Now the question of interest is how to find such a generator.

Z / p Z^{\times}

is the multiplicative group (with non-prime order

p - 1

) of the prime field

F_{p}

, which will act as the base field. Any subgroups of this multiplicative group have orders that can divide

p - 1

due to Lagrange's theorem and are cyclic (all subgroups of a cyclic group are cyclic).

We need

g^{q} = 1 mod p

. Since

q

is prime and have no divisors except

1

and itself, a

g

that satisfies this equation would be a generator of a subgroup of order

q

or would be the identity element

1

. We can generate such a

g

by considering a random element

h \sim Unif ({2, . . ., q - 2})

F_{p}

. Then, we can consider the candidate

\tilde{g} = h^{c} mod p

, as

{\tilde{g}}^{q} = h^{c q} = h^{p - 1} = 1 mod p

for any

h

, due to Fermat's little theorem. Therefore,

\tilde{g}

is either

1

or a generator of the cyclic subgroup

G

and we can find other candidates if we end up with

\tilde{g} = 1

(p, q, g)

are determined through this process. Once these are determined, we can operate within

G

by raising the generator to

i \in [0, 1, 2, . . ., q - 1]

to obtain the sequence

[1, g, g^{2}, . . ., g^{q - 1}]

, which is the

Z / q Z^{+}

isomorphism. Note that the group operation within the subgroup

G

g^{i} mod p

and not

g^{i} mod q

Based on all this setup, the sender choses a private key

k_{pr} \in {2, . . ., q - 1}

to keep hidden and computes a corresponding public key from the subgroup

G

k_{pub} = g^{k_{pr}} \mod p

, which gets published along with the generator

g

. In addition to these, a cryptographic hash function

H

is chosen and published.

Overall, the setup algorithm executed by the sender publishes

(p, q, k_{pub}, g, H)

and keeps hidden

k_{pr}

Signature Algorithm: Similar to the setup algorithm, the signature algorithm itself is not publically computed and therefore is not typically a subject of circuit constraints. The section can be skipped, as it only explains how the signatures are created by the sender.

DSA is a stochastic signature scheme and therefore, each time a signature is generated for a particular fixed message

m

, the signature is different. This requires a source of randomness,

π \sim Unif ({1, . . ., q - 1})

Then, a one-time random key

r

is created by trying a number of

π

until

r \neq 0

(few tries are needed) which are related through the following equation.

\begin{array}{r} r = \tilde{r} mod q = (g^{π} mod p) mod q \end{array}

Note that

\tilde{r} = g^{π} mod p

is an element of

G

. The exponentiation in this computation is the most computationally expensive part of the signing operation, but it may be computed before the message is known, which is an advantage of the scheme. We also need to calculate

π^{- 1} = π^{q - 2} mod q

, using the Extended Euclidean algorithm (EEA), which is the second most expensive operation.

In order to generate the signature for a given message

m

, which can be of variable length, we first hash it to a fixed-size digest,

H (m)

. This digest, along with the randomness variables

π^{- 1}

r

and the public key

k_{pr}

, is then used to compute the following,

\begin{array}{r} σ = (π^{- 1} (H (m) + r k_{pr})) mod q . \end{array}

Then, the triplet

(m, r, σ)

is published as the signed message. Note that the message-sender pair

(m, k_{pub})

is now interlocked to the signature pair

(r, σ)

through this signed message.

Verification Algorithm: The verification algorithm is the only publically computed part of the scheme and is of great interest to proof systems. In this section, we will give a description and then discuss the circuit constraints in the next section.

Given a signed message

(m, r, σ)

and the public variables

(p, q, g, k_{pub})

, verification process is centered around checking a relation between these variables that is efficiently computable. As a preliminary, the algorithm first checks

0 < r

σ < q

, and then computes

σ^{- 1} = σ^{q - 2} mod q

(usually using EEA for efficiency).

Based on how

σ

is computed in the signature algorithm, we can obtain the following candidate relation that could be useful for verification,

\begin{aligned} σ & = (π^{- 1} (H (m) + r k_{pr})) mod q \\ π σ & = (H (m) + r k_{pr}) mod q \\ π & = (H (m) σ^{- 1} + r k_{pr} σ^{- 1}) mod q . \end{aligned}

However, the verification algorithm does not know the private key

k_{pr}

to be able to check this relationship. On the other hand, the subgroup encrypted version of this relationship,

\begin{aligned} g^{π} mod p & = g^{(H (m) σ^{- 1} + r k_{pr} σ^{- 1}) mod q} mod p \end{aligned}

is much more useful, as it replaces the private key

k_{pr}

with the public key

k_{pub}

if the correct set of simplification steps take place (note that

mod q

can be removed, as the subgroup is known to have an order

q

\begin{aligned} g^{π} mod p = g^{(H (m) σ^{- 1} + r k_{pr} σ^{- 1}) mod q} mod p & = g^{(H (m) σ^{- 1} + r k_{pr} σ^{- 1})} mod p \\ = g^{H (m) σ^{- 1}} g^{r k_{pr} σ^{- 1}} mod p \\ \tilde{r} & = g^{H (m) σ^{- 1}} k_{pub}^{r σ^{- 1}} mod p . \end{aligned}

This could further be improved to,

\begin{aligned} r & = \tilde{r} mod q = (g^{H (m) σ^{- 1}} k_{pub}^{r σ^{- 1}} mod p) mod q . \end{aligned}

Based on the above,

(m, r, σ^{- 1}, k_{pub})

are interlocked into this relationship through the generator

g

, the hash function

H

and the

(p, q)

pair, which is checked by the verification algorithm to confirm that the signature

(r, σ)

matches the message-sender pair

(m, k_{pub})

Circuit constraints: Finally, we discuss the circuit constraints that replicate the verification algorithm in proving that the signature in a signed message

(r, σ)

matches the message-sender pair

(m, k_{pub})

As it is the case in most arithmetic circuits, this is accomplished by breaking down the verification check equation into a set of simpler arithmetic equations with the use of auxiliary advice variables, provided as inputs to the circuit, that need to match intermediate computations.

These advice variables are, the output of the hash function

H_{m}

, the inverse of

σ

variable (modulo

q

)

σ_{inv}

, quotients for modulo operations

κ_{inv}, κ_{p}, κ_{q}

, and various intermediate computations

α, β, γ, θ

Given a witness, inputs + advice variables,

\begin{matrix} p, q, k_{pub}, g [public variables] \\ m, r, σ [signed message] \\ H_{m}, σ_{inv}, κ_{inv}, κ_{p}, κ_{q}, α, β, γ, θ [advice variables] \end{matrix}

the following set of circuit constraints can be used to verify the authenticity of a signed message,

\begin{aligned} H_{m} & = H (m) [Using circuit constraints specific to hash function] \\ σ \cdot σ_{inv} & = 1 + κ_{inv} q \\ α & = H_{m} σ_{inv} \\ β & = r σ_{inv} \\ γ & = g^{α} [By decomposing it into \log_{2} α intermediate constraints] \\ θ & = k_{pub}^{β} [By decomposing it into \log_{2} β intermediate constraints] \\ r & = γ θ + κ_{p} p + κ_{q} q \end{aligned}

Exponentiations are handled by decomposing the constraint into many smaller constraints that build upon, e.g.

g_{2} = g \cdot g

and

g_{4} = g_{2} \cdot g_{2}

and so on until some

γ = g_{α / 2} \cdot g_{α / 2}

is reached, similar to the square multiply algorithm used in efficient group exponentiation. There are logarithmic number (in the exponent) of such constraints needed.

In general, doing all this efficiently requires decomposing single constraints with large integers in them, into multiple constraints with smaller integers, as the integers inputted to these constraints can be huge due to security requirements of DSA. This is a topic we explore in another note focused on efficient large number arithmetic circuits.

Elliptic Curve DSA (ECDSA)

Setup Algorithm: Elliptic Curve DSA is identical to DSA, except that it changes the subgroup used. It replaces the prime order

q

subgroup of the multiplicative group of the field

F_{p}

with an elliptic curve

G

constructed on

F_{p} \times F_{p}

. Much of the three algorithms remain the same. Security parameters are again

(p, q)

and

q

is the order of the elliptic curve and the generator of the curve is

g

In the same manner as DSA, the private key is chosen from

k_{pr} \in {2, . . ., q - 1}

and the public key is computed using the curve group operation according to

k_{pub} = g^{k_{pr}}

. We will use the multiplicative notation for the elliptic curve to match the earlier discussion of DSA, even though an additive notation is more common for elliptic curves.

Signature Algorithm: The source of randomness,

π \sim Unif ({1, . . ., q - 1})

, is the same as DSA. However,

\tilde{r} \in G

is now a curve point calculated as

\tilde{r} = g^{π}

In DSA, the one-time random key

r

was a digest of

\tilde{r}

with some bits of information lost through a smaller modulo operation, when

\tilde{r}

was in a larger field of order

p >> q

. Similarly,

r

in ECDSA is calculated as a digest from the curve point

\tilde{r}

by taking its

x

coordinate

{\tilde{r}}_{x}

and then passing it through modulo

q

\begin{array}{r} r = {\tilde{r}}_{x} mod q = (g^{π})_{x} mod q \end{array}

Again, the group operations (exponentiation) in this computation is the most computationally expensive part of the signing operation, but it may be computed before the message is known.

π

needs to be randomly chosen such that

r \neq 1

, the identity element of the elliptic curve at infinity.

The inverse

π^{- 1}

and the signature

σ

are computed exactly in the same way as DSA,

\begin{array}{r} σ = (π^{- 1} (H (m) + r k_{pr})) mod q . \end{array}

The signed message

(m, r, σ)

is then published.

Verification Algorithm: Once again, as a preliminary, the algorithm checks that

0 < r, σ < q

, and then computes

σ^{- 1} = σ^{q - 2} mod q

(usually using EEA for efficiency).

It is still the case that

π = (H (m) σ^{- 1} + r k_{pr} σ^{- 1}) mod q

. Again, the verifier does not know the private key

k_{pr}

to be able to check this. Similarly, since

g

is the generator of

G

with order

q

, the group encrypted version of this relationship

g^{π} = g^{(H (m) σ^{- 1} + r k_{pr} σ^{- 1}) mod q}

is the same as

g^{(H (m) σ^{- 1} + r k_{pr} σ^{- 1})}

, and is much more useful, as it replaces the private key

k_{pr}

with the public key

k_{pub}

if the correct set of simplification steps take place.

\begin{aligned} \tilde{r} = g^{π} = g^{(H (m) σ^{- 1} + r k_{pr} σ^{- 1}) mod q} & = g^{(H (m) σ^{- 1} + r k_{pr} σ^{- 1})} \\ = g^{H (m) σ^{- 1}} g^{r k_{pr} σ^{- 1}} \\ \tilde{r} & = g^{H (m) σ^{- 1}} k_{pub}^{r σ^{- 1}} \end{aligned}

This could further be improved to,

\begin{aligned} r & = {\tilde{r}}_{x} mod q = (g^{H (m) σ^{- 1}} k_{pub}^{r σ^{- 1}})_{x} mod q . \end{aligned}

which interlocks

(m, r, σ^{- 1}, k_{pub})

to each other. Verifying this relationship is enough to verify that the signature

(r, σ)

matches the message/sender pair

(m, k_{pub})

, which can be done efficiently.

As we can see in all of these three algorithm, ECDSA is almost exactly the same as DSA except that the subgroup used is changed from a modulo group to an elliptic curve (digest operation to compute the one-time key

r

also has a slight change).

Circuit constraints: Again, we discuss the circuit constraints that replicate the verification algorithm in proving that the signature in a signed message

(r, σ)

matches the message-sender pair

(m, k_{pub})

The advice variables are, the output of the hash function

H_{m}

, the inverse of

σ

variable (modulo

q

)

σ_{inv}

, quotients for modulo operations

κ_{inv}, κ_{q}

, the coordinates

{\tilde{r}}_{x}, {\tilde{r}}_{y}

and various intermediate computations

α, β, γ, θ

Given a witness, inputs + advice variables,

\begin{matrix} p, q, k_{pub}, g [public variables] \\ m, r, σ [signed message] \\ H_{m}, σ_{inv}, κ_{inv}, κ_{q}, {\tilde{r}}_{x}, {\tilde{r}}_{y}, α, β, γ, θ [advice variables] \end{matrix}

the following set of circuit constraints can be used to verify the authenticity of a signed message,

\begin{aligned} H_{m} & = H (m) [Using circuit constraints specific to hash function] \\ σ \cdot σ_{inv} & = 1 + κ_{inv} q \\ α & = H_{m} σ_{inv} \\ β & = r σ_{inv} \\ γ & = g^{α} [By decomposing it into \log_{2} α intermediate constraints] \\ θ & = k_{pub}^{β} [By decomposing it into \log_{2} β intermediate constraints] \\ ({\tilde{r}}_{x}, {\tilde{r}}_{x}) & = γ θ \\ r & = {\tilde{r}}_{x} + κ_{q} q \end{aligned}

Now, multiplications in the constraints with

α, β, γ, θ

and

γ θ

are no longer integer constraints but elliptic curve constraints, which will have to be expanded to the specific integer computations involved in the group operation of the curve.

Aside from that, the only difference between these constraints and those of DSA is the addition of

({\tilde{r}}_{x}, {\tilde{r}}_{x})

as advice variables that represent the coordinates of the elliptic curve point corresponding to

\tilde{r}

and the removal of the quotients related to modulo

p

Digital Signature Algorithm (DSA)

Elliptic Curve DSA (ECDSA)

Read more

Vector Commitments

Set Commitments

Single-element Commitments

Elements of Commitment Schemes