Logo

dev-resources.site

for different kinds of informations.

Niftyzk tutorials 3 - Edwards-curve Digital Signatures

Published at
1/11/2025
Categories
web3
circom
zkp
cosmwasm
Author
strawberry666
Categories
4 categories in total
web3
open
circom
open
zkp
open
cosmwasm
open
Author
13 person written this
strawberry666
open
Niftyzk tutorials 3 - Edwards-curve Digital Signatures

Niftyzk supports EdDSA which is a public cryptography digital signature scheme.This tutorial will contain information about the generated code and you will need to read the previous tutorials to understand everything.

Let’s start with niftyzk init

Setting up your current directory
? What project do you want to scaffold? EdDSA signature verification
? Choose the hashing algorithm to use:  mimc7
? Do you wish to add public inputs to sign? (E.g: address,amount) yes
? Enter the name of the public inputs in a comma separated list (no numbers or special characters):  address,amount
Generating circuits
Generating javascript
Done
Enter fullscreen mode Exit fullscreen mode

So we selected EdDSA with mimc7 and added some inputs to sign, address, amount

Using MiMC7 hash means we will have to use a key to create hashes which is kept secret. However for signing with EdDSA using MiMC, the key is not used. That decision to not use the key for signing was made by the developers of circomlib, as using a default key is not an issue, the signed data is a public hash.

Let’s see the generated circuits, you see there is a circuit.circom file

pragma circom 2.0.0;

include "../node_modules/circomlib/circuits/eddsamimc.circom";
include "../node_modules/circomlib/circuits/mimc.circom";

template VerifySignature(){
    signal input message;
    signal input address;
    signal input amount;

    signal input k;

    signal input Ax;
    signal input Ay;
    signal input S;
    signal input R8x;
    signal input R8y;

    component eddsa = EdDSAMiMCVerifier();

    component mimc7Hash = MultiMiMC7(3, 91);
    mimc7Hash.k <== k;
    mimc7Hash.in[0] <== message;
    mimc7Hash.in[1] <== address;
    mimc7Hash.in[2] <== amount;


    eddsa.enabled <== 1;
    eddsa.Ax <== Ax;
    eddsa.Ay <== Ay;
    eddsa.S <== S;
    eddsa.R8x <== R8x;
    eddsa.R8y <== R8y;
    eddsa.M <== mimc7Hash.out;

    }

component main {public [message,address,amount]}  = VerifySignature(); 

Enter fullscreen mode Exit fullscreen mode

So we import the required dependencies, we use the same hashing algorithm for the signatures and the message hash.

So we got a message input, address and amount which were extra and these are our public inputs that will be revealed on-chain for verification.

k is the secret used for the mimc hashing

Ax,Ay are the points used for the public key, S, R8x,R8y are signature parameters returned by the signing function.

We compute a MiMC7 hash using k and then just assign the inputs to the eddsa template input signals. By specifying eddsa.enabled <== 1; we assert that the signature must be valid for the hash.Now let’s look at some javascript
Accounts are created using EdDSA:

/**
 * The signature parameters used for verifying pedersen hash signed EdDSA
 * @typedef {Object} Account
 * @property {Buffer} prvKey - Private key buffer
 * @property {Uint8Array[]} pubKey - Public key is a tuple of 32 bit Uint8Array
 */

/**
 * @param {any} eddsa - The EdDSA object
 * @returns {Account}
 * Generate a new account which composes of a private and public key
*/
export function generateAccount(eddsa) {
    const prvKey = rbytes();
    const pubKey = eddsa.prv2pub(prvKey);
    return {
        prvKey,
        pubKey
    }
}
Enter fullscreen mode Exit fullscreen mode

We use 32 bytes for the account, the rbytes() returns a random buffer. It uses crypto.randomBytes(32)The public keys are a tuple of Uint8Array, 32 bits in size each.

/**
 * 
 * @param {Array<bigint>} pubKey - Used for computing an address
 * @param {bigin | number} key -The key used for the mimc7 hash
 * @returns 
 */

export async function getAddressFromPubkey(pubKey, key) {
    return mimc7(pubKey, key);
}

Enter fullscreen mode Exit fullscreen mode

We compute “addresses” from the public key by hashing it. These addresses are not valid blockchain addresses but usable for account abstraction. You can derive addresses from a public key using different schemes and derivation paths. It’s up to you what you choose.

/**
 * @typedef {Object} Message
 * @property {string | bigint} message
 * @property {string | bigint} address
 * @property {string | bigint} amount
 */

/**
 * 
 * @param {Message} data - The data content of the message. The hash of the data object will be signed
 * @param key {number | bigint} - The key used for the mimc7 hash
 * @returns {bigint} Returns a mimc7 hash
 */
export async function computeMessageHash(data, key) {
    return await mimc7(
        [
            BigInt(data.message),
            BigInt(data.address),
            BigInt(data.amount)
        ], key)
}

Enter fullscreen mode Exit fullscreen mode

The message hash is computed using mimc7, it’s the same hashing that happens inside the circuit for verification.

/**
 * @param {any} eddsa - the built EDDSA
 * @param {bigint} messagehash - The poseidon hash of the message
 * @param {Buffer} prvKey - The private key used to sign the message 
 * @returns {Signature} signature
 */
export function signMessage(eddsa, messageHash, prvKey) {
    const signature = eddsa.signMiMC(prvKey, eddsa.F.e(messageHash));
    const pubKey = eddsa.prv2pub(prvKey);
    assert(eddsa.verifyMiMC(eddsa.F.e(messageHash), signature, pubKey))

    return {
        signature,
        pubKey
    }
}

/**
 * @typedef {Object} Signature
 * @property {Uint8Array[]} R8
 * @property {bigint} S
 * /

Enter fullscreen mode Exit fullscreen mode

Message signing uses the above function. You pass an eddsa object, the computed message hash and the private key created for your account. You can see the type of the signature defined with JsDoc.

/**
 * @typedef {Object} SignatureParameters
 * @property {bigint} Ax
 * @property {bigint} Ay
 * @property {bigint} R8x
 * @property {bigint} R8y
 * @property {bigint} S
 */

/**
 * @param {any} eddsa
 * @param {Uint8Array[]} pubKey - The public key of the account
 * @param {Signature} signature - The signature of the signed message
 * @returns {SignatureParameters} - The signature parameters are prepared parameters, ready to use for the circuit
 */
export function getSignatureParameters(eddsa, pubKey, signature) {
    return {
        Ax: eddsa.F.toObject(pubKey[0]),
        Ay: eddsa.F.toObject(pubKey[1]),
        R8x: eddsa.F.toObject(signature.R8[0]),
        R8y: eddsa.F.toObject(signature.R8[1]),
        S: signature.S
    }
}

Enter fullscreen mode Exit fullscreen mode

Now to use this signature in circom, we need to convert it. So we get the signature parameters for verification with the above function. /test/input.js

/**
 * This is a test input, generated for the starting circuit.
 * If you update the inputs, you need to update this function to match it.
 */
export async function getInput(){

    await buildHashImplementation()
    const eddsa = await getEDDSA();

    const account = generateAccount(eddsa);
    const key = 313; // just an example key for tests
    const message = rbigint();
    const address = rbigint()
    const amount = rbigint()
    const messageHash = await computeMessageHash({message,address,amount}, key)

    const signedMessage = signMessage(eddsa, messageHash, account.prvKey);

    const signatureParameters = getSignatureParameters(eddsa, account.pubKey, signedMessage.signature)

    return {
        Ax: signatureParameters.Ax, 
        Ay: signatureParameters.Ay,
        S: signatureParameters.S,
        R8x: signatureParameters.R8x,
        R8y: signatureParameters.R8y,

        k: key,
        address,
        amount,
        message
    }
}
Enter fullscreen mode Exit fullscreen mode

And above you can see how we compute the input for the circuits. it’s used for the hot reload and the tests

Now I’ll show you how the merkle trees work with EdDSA

Setting up your current directory
? What project do you want to scaffold? EdDSA signature verification with Fixed Merkle Tree
? Choose the hashing algorithm to use:  poseidon
? Do you wish to add public inputs to sign? (E.g: address,amount) no

Enter fullscreen mode Exit fullscreen mode

So regenerated the project using niftyzk init and selected different parameters.And this is the circuit.circom file now:

pragma circom 2.0.0;

include "../node_modules/circomlib/circuits/eddsaposeidon.circom";
include "../node_modules/circomlib/circuits/poseidon.circom";
include "./merkletree.circom";


template VerifySignature(levels){

    signal input message;
    signal input root;

    signal input pathIndices[levels];
    signal input pathElements[levels];


    //The parameters for the signature
    //The Ax and Ay parameters are the public key, Ax = pubKey[0], Ay = pubKey[1]
    signal input Ax;
    signal input Ay;
    signal input S;
    signal input R8x;
    signal input R8y;
    component eddsa = EdDSAPoseidonVerifier();

    component poseidon = Poseidon(1);
    poseidon.inputs[0] <== message;

    // Verify the signature on the message hash

    eddsa.enabled <== 1;
    eddsa.Ax <== Ax;
    eddsa.Ay <== Ay;
    eddsa.S <== S;
    eddsa.R8x <== R8x;
    eddsa.R8y <== R8y;
    eddsa.M <== poseidon.out;

    //We compute a public key by hashing Ax and Ay, 
   // this will be later used with the merkle tree
   component pubKeyHasher = Poseidon(2);
   pubKeyHasher.inputs[0] <== Ax;
   pubKeyHasher.inputs[1] <== Ay;

   //Verify the merkle tree
   component tree = MerkleTreeChecker(levels);


  for (var i = 0; i < levels; i++) {
      tree.pathElements[i] <== pathElements[i];
      tree.pathIndices[i] <== pathIndices[i];
  }
  tree.root <== root;
  tree.leaf <== pubKeyHasher.out; 
    }

component main {public [message,root]}  = VerifySignature(20); 

Enter fullscreen mode Exit fullscreen mode

So you can see there are some differences. I didn’t add more extra parameters to sign this time, so there is only two public inputs, message and root.

So root is the merkle tree root we going to verify that the public key that signed this message is contained inside the tree. It’s a way of access control, so we know that the signature is valid and the signer public key is allowed to pass the verification because his key is inside the tree.

We compute the address using the pubKeyHasher from Ax and Ay, you can see it does exactly the same as the Javascript code I showed earlier. The MerkleTreeChecker asserts correctness and will fail if the leaf is not contained in the root.

pathIndices and pathElements are the merkle proof. You can explore the merkle tree circuit in the file merkletree.circom I explained it in a previous tutorial.

So to manually create merkle trees using the cli, we can use npm run new that will generate addresses and create a tree using them as leaves.

CREATING A NEW MERKLE TREE

Enter how many accounts would you like to generate:
4
Generating accounts and addresses. Please wait!
Done
Generating merkle tree from addresses!
Done.Root is 21804813178957116268623645093306988559564490743632413729059072914509024611553 
Serializing data.
Writing to file.
Done

Enter fullscreen mode Exit fullscreen mode

The private keys for the corresponding accounts are placed in the private directory while the rest is placed in the public directory. If you chose MiMC7 or MiMCSponge hashes then the key parameter is saved in the private dir and needed for verification, otherwise you don’t need to use the private details to create a merkle proof and verify it.

so let’s run npm run proof and it will ask for a root and an address and spit out a merkle proof

then npm run verify will ask for a root and the proof and if eveything is running correctly the proof will be valid.

You can use EdDSA for Identity, Rollups, Scaling,Voting or Account Abstraction. It’s up to you :)

web3 Article's
30 articles in total
Favicon
Vyper Data Types (Series 2)
Favicon
2025: The Year of Decentralization – How Nostr Will Make You a Standout Developer
Favicon
🚀 Your Daily Crypto Job Digest For 15 January!! 🚀
Favicon
Top 10 Web3 Careers for Success: Part 1
Favicon
Web3.js vs. Ethers.js: Which Library Should You Use?
Favicon
The Future of Web3 and Blockchain
Favicon
Blockchain: Connecting Digital Futures with Real-World Impact
Favicon
Vyper is redefining smart contract development with its focus on simplicity, security, and efficiency. With its rapidly growing community of developers, Vyper is becoming the go-to for smart contract development, creating a thriving ecosystem.
Favicon
Vyper - Write your First Python Smart Contract (Series)
Favicon
Pop Max — — AI引领的去中心化生态创新与发展先锋
Favicon
🚀 Your Daily Crypto Job Digest For 13 January!! 🚀
Favicon
Have You Fallen for a Phishing Scam? Let’s Talk About It 👀
Favicon
What is Blockchain?
Favicon
Will the Ripple Case Set New Rules for Crypto?
Favicon
The Rise of Payable AI: Shaping the Future of Artificial Intelligence
Favicon
What Is Proof of Attribution? A Complete Guide to Its Role in Blockchain and AI
Favicon
Niftyzk Tutorials 5 - CosmWasm
Favicon
Niftyzk tutorials 3 - Edwards-curve Digital Signatures
Favicon
Niftyzk tutorial 2, The Commit-reveal scheme
Favicon
Niftyzk tutorials 1
Favicon
#Vinnifinni
Favicon
🚀 Your Daily Crypto Job Digest For 14 January!! 🚀
Favicon
Mint Blockchain Community Gathering Vol. 5: Embarking on an Exciting Journey in 2025!
Favicon
Web3 Technologies: How the New Internet Era Works
Favicon
TMA Wallet — a non-custodial MPC wallet for your Telegram Mini App
Favicon
Mint Blockchain: Kicking Off the New Year with Record-Breaking Performance!
Favicon
Building a Solana Wallet Backend with .NET (Part 1)
Favicon
Web3: Fantastic SDAPPS and Where to Find Them!
Favicon
ERC-4337 in 2024 Review, OpenZK’s L2 Launch, Arcana’s Chain Abstraction SDK, and Rethinking Blockchain Modularity in 2025
Favicon
Benefits of Using an AI Benefits of Using an AI Agent Development Platform for Customer Interaction

Featured ones: