Barretenberg: src/barretenberg/stdlib/encryption/ecdsa/ecdsa.test.cpp Source File

#include "barretenberg/crypto/ecdsa/ecdsa.hpp"

#include "../../primitives/bigfield/bigfield.hpp"

#include "../../primitives/biggroup/biggroup.hpp"

#include "../../primitives/curves/secp256k1.hpp"

#include "../../primitives/curves/secp256r1.hpp"

#include "barretenberg/circuit_checker/circuit_checker.hpp"

#include "barretenberg/common/test.hpp"

#include "ecdsa.hpp"

#include "ecdsa_tests_data.hpp"


#include <gtest/gtest.h>


#include <algorithm>


using namespace bb;

using namespace bb::crypto;


template <class Curve> class EcdsaTests : public ::testing::Test {

  public:

    using Builder = Curve::Builder;

    using CurveType =

        std::conditional_t<Curve::type == bb::CurveType::SECP256K1, bb::curve::SECP256K1, bb::curve::SECP256R1>;


    // Native Types

    using FrNative = Curve::fr;

    using FqNative = Curve::fq;

    using G1Native = Curve::g1;


    // Stdlib types

    using Fr = Curve::bigfr_ct;

    using Fq = Curve::fq_ct;

    using G1 = Curve::g1_bigfr_ct;

    using bool_t = Curve::bool_ct;


    // Reproducible signature

    static constexpr FrNative private_key =

        FrNative("0xd67abee717b3fc725adf59e2cc8cd916435c348b277dd814a34e3ceb279436c2");


    enum class TamperingMode : std::uint8_t {

        XCoordinateOverflow,

        YCoordinateOverflow,

        InvalidR,

        InvalidS,

        HighS,

        ZeroR,

        ZeroS,

        InfinityScalarMul,

        InvalidPubKey,

        InfinityPubKey,

        None

    };


    std::pair<ecdsa_key_pair<FrNative, G1Native>, ecdsa_signature> generate_dummy_ecdsa_data(std::string message_string,

                                                                                             bool random_signature)

    {

        ecdsa_key_pair<FrNative, G1Native> account;


        account.private_key = random_signature ? FrNative::random_element() : private_key;

        account.public_key = G1Native::one * account.private_key;


        ecdsa_signature signature =

            ecdsa_construct_signature<Sha256Hasher, FqNative, FrNative, G1Native>(message_string, account);


        if (random_signature) {

            // Logging in case of random signature

            info("The private key used generate this signature is: ", private_key);

        }


        return { account, signature };

    }


    std::string tampering(std::string message_string,

                          ecdsa_key_pair<FrNative, G1Native>& account,

                          ecdsa_signature& signature,

                          TamperingMode mode)

    {

        std::string failure_msg;


        switch (mode) {

        case TamperingMode::XCoordinateOverflow: {

            // Invalidate the circuit by passing a public key with x >= q

            // Do nothing here, tampering happens in circuit

            failure_msg = "ECDSA input validation: coordinate(s) of the public key bigger than the base field modulus. "

                          "(x coordinate): hi limb.";

            break;

        }

        case TamperingMode::YCoordinateOverflow: {

            // Invalidate the circuit by passing a public key with y >= q

            // Do nothing here, tampering happens in circuit

            failure_msg = "ECDSA input validation: coordinate(s) of the public key bigger than the base field modulus. "

                          "(y coordinate): hi limb.";

            break;

        }

        case TamperingMode::InvalidR: {

            // Invalidate the signature by changing r.

            FrNative r = FrNative::serialize_from_buffer(&signature.r[0]);

            r += FrNative::one();


            FrNative::serialize_to_buffer(r, &signature.r[0]);

            break;

        }

        case TamperingMode::InvalidS: {

            // Invalidate the signature by changing s.

            FrNative s = FrNative::serialize_from_buffer(&signature.s[0]);

            s += FrNative::one();


            FrNative::serialize_to_buffer(s, &signature.s[0]);

            break;

        }

        case TamperingMode::HighS: {

            // Invalidate the signature by changing s to -s.

            FrNative s = FrNative::serialize_from_buffer(&signature.s[0]);

            s = -s;


            FrNative::serialize_to_buffer(s, &signature.s[0]);

            failure_msg =

                "ECDSA input validation: the s component of the signature is bigger than (Fr::modulus + 1)/2.: "

                "hi limb."; // The second part of the message is added by the range constraint

            break;

        }

        case TamperingMode::ZeroR: {

            // Invalidate signature by setting r to 0

            signature.r = std::array<uint8_t, 32>{};


            failure_msg = "ECDSA input validation: the r component of the signature is zero.";

            break;

        }

        case TamperingMode::ZeroS: {

            // Invalidate signature by setting s to 0

            signature.s = std::array<uint8_t, 32>{};


            failure_msg = "ECDSA input validation: the s component of the signature is zero.";

            break;

        }

        case TamperingMode::InfinityScalarMul: {

            // Invalidate the signature by making making u1 * G + u2 * P return the point at infinity


            // Compute H(m)

            std::vector<uint8_t> buffer;

            std::ranges::copy(message_string, std::back_inserter(buffer));

            auto hash = Sha256Hasher::hash(buffer);


            // Override the public key: new public key is (-hash) * r^{-1} * G

            FrNative fr_hash = FrNative::serialize_from_buffer(&hash[0]);

            FrNative r = FrNative::serialize_from_buffer(&signature.r[0]);

            FrNative r_inverse = r.invert();

            FrNative modified_private_key = r_inverse * (-fr_hash);

            account.public_key = G1Native::one * modified_private_key;


            // Verify that the result is the point at infinity

            auto P = G1Native::one * fr_hash + account.public_key * r;

            BB_ASSERT_EQ(P.is_point_at_infinity(), true);


            failure_msg = "ECDSA validation: the result of the batch multiplication is the point at infinity.";

            break;

        }

        case TamperingMode::InvalidPubKey: {

            // Invalidate the circuit by passing a public key which is not on the curve

            account.public_key.x = account.public_key.y;

            BB_ASSERT_EQ(account.public_key.on_curve(), false);


            failure_msg = "ECDSA input validation: the public key is not a point on the elliptic curve.";

            break;

        }

        case TamperingMode::InfinityPubKey: {

            // Invalidate the circuit by passing a public key which is not on the curve

            account.public_key.self_set_infinity();

            BB_ASSERT_EQ(account.public_key.is_point_at_infinity(), true);


            failure_msg = "ECDSA input validation: the public key is the point at infinity.";

            break;

        }

        case TamperingMode::None:

            break;

        }


        // Natively verify that the tampering was successfull

        bool is_signature_valid = ecdsa_verify_signature<Sha256Hasher, FqNative, FrNative, G1Native>(

            message_string, account.public_key, signature);

        if (mode == TamperingMode::HighS || mode == TamperingMode::InfinityScalarMul) {

            // If either s >= (n+1)/2 or the result of the scalar multiplication is the point at infinity, then the

            // verification function raises an error, we treat it as an invalid signature

            is_signature_valid = false;

        }

        if (mode == TamperingMode::XCoordinateOverflow || mode == TamperingMode::YCoordinateOverflow) {

            // In these tampering modes nothing has changed and the tampering happens in circuit, so we override the

            // result and set it to false

            is_signature_valid = false;

        }


        bool expected = mode == TamperingMode::None;

        BB_ASSERT_EQ(is_signature_valid,

                     expected,

                     "Signature verification returned a different result from the expected one. If the signature was "

                     "randomly generated, there is a (very) small chance this is not a bug.");


        return failure_msg;

    }


    std::pair<G1, stdlib::ecdsa_signature<Builder>> create_stdlib_ecdsa_data(

        Builder& builder,

        const ecdsa_key_pair<FrNative, G1Native>& account,

        const ecdsa_signature& signature,

        const TamperingMode mode)

    {

        // We construct the point via its x,y-coordinates to avoid the on curve check of G1::from_witness. In this way

        // we test the on curve check of the ecdsa verification function

        Fq x = Fq::from_witness(&builder, account.public_key.x);

        Fq y = Fq::from_witness(&builder, account.public_key.y);

        if (mode == TamperingMode::XCoordinateOverflow || mode == TamperingMode::YCoordinateOverflow) {

            // To test the case in which one of the two coordinates is above the modulus of the base field, we need to

            // override the limbs of the coordinates

            uint256_t max_uint = (static_cast<uint256_t>(1) << 256) - 1;

            for (size_t idx = 0; idx < 4; idx++) {

                builder.set_variable(mode == TamperingMode::XCoordinateOverflow

                                         ? x.binary_basis_limbs[idx].element.get_witness_index()

                                         : y.binary_basis_limbs[idx].element.get_witness_index(),

                                     bb::fr(max_uint.slice(64 * idx, 64 * (idx + 1))));

            }

        }

        bool_t is_infinity(

            stdlib::witness_t<Builder>(&builder, account.public_key.is_point_at_infinity() ? fr::one() : fr::zero()),

            false);

        G1 pub_key(x, y, is_infinity, /*assert_on_curve=*/false);

        pub_key.set_free_witness_tag();

        BB_ASSERT_EQ(pub_key.is_point_at_infinity().get_value(), account.public_key.is_point_at_infinity());


        std::vector<uint8_t> rr(signature.r.begin(), signature.r.end());

        std::vector<uint8_t> ss(signature.s.begin(), signature.s.end());


        stdlib::ecdsa_signature<Builder> sig{ stdlib::byte_array<Builder>(&builder, rr),

                                              stdlib::byte_array<Builder>(&builder, ss) };


        return { pub_key, sig };

    }


    size_t ecdsa_verification_circuit(Builder& builder,

                                      const stdlib::byte_array<Builder>& hashed_message,

                                      const ecdsa_key_pair<FrNative, G1Native>& account,

                                      const ecdsa_signature& signature,

                                      const bool signature_verification_result,

                                      const bool circuit_checker_result,

                                      const std::string failure_msg,

                                      const TamperingMode mode)


    {

        auto [public_key, sig] = create_stdlib_ecdsa_data(builder, account, signature, mode);


        // Verify signature

        stdlib::bool_t<Builder> signature_result =

            stdlib::ecdsa_verify_signature<Builder, Curve, Fq, Fr, G1>(hashed_message, public_key, sig);


        // Enforce verification returns the expected result

        signature_result.assert_equal(stdlib::bool_t<Builder>(signature_verification_result));


        // Check native values

        EXPECT_EQ(signature_result.get_value(), signature_verification_result);


        // Log data

        size_t finalized_num_gates = builder.get_num_finalized_gates_inefficient();

        info("num gates = ", finalized_num_gates);

        benchmark_info(Builder::NAME_STRING, "ECDSA", "Signature Verification Test", "Gate Count", finalized_num_gates);


        // Circuit checker

        bool is_circuit_satisfied = CircuitChecker::check(builder);

        EXPECT_EQ(is_circuit_satisfied, circuit_checker_result);


        // Check the error

        EXPECT_EQ(builder.err(), failure_msg);


        return finalized_num_gates;

    }


    size_t test_verify_signature(bool random_signature, TamperingMode mode)

    {

        // Map tampering mode to signature verification result

        bool signature_verification_result = (mode == TamperingMode::None) || (mode == TamperingMode::HighS);

        // Map tampering mode to circuit checker result

        bool circuit_checker_result =

            (mode == TamperingMode::None) || (mode == TamperingMode::InvalidR) || (mode == TamperingMode::InvalidS);


        std::string message_string = "Goblin";

        std::vector<uint8_t> message_bytes(message_string.begin(), message_string.end());

        std::array<uint8_t, 32> hashed_message_bytes_ = Sha256Hasher::hash(message_bytes);

        std::vector<uint8_t> hashed_message_bytes;

        hashed_message_bytes.reserve(32);

        for (auto byte : hashed_message_bytes_) {

            hashed_message_bytes.emplace_back(byte);

        }


        auto [account, signature] = generate_dummy_ecdsa_data(message_string, /*random_signature=*/random_signature);


        // Tamper with the signature

        std::string failure_msg = tampering(message_string, account, signature, mode);


        // Create ECDSA verification circuit

        Builder builder;

        stdlib::byte_array<Builder> hashed_message(&builder, hashed_message_bytes);


        // ECDSA verification

        return ecdsa_verification_circuit(builder,

                                          hashed_message,

                                          account,

                                          signature,

                                          signature_verification_result,

                                          circuit_checker_result,

                                          failure_msg,

                                          mode);

    }


    void test_wycherproof(std::vector<stdlib::WycherproofTest<CurveType>> tests)

    {

        for (auto test : tests) {

            // Keypair

            ecdsa_key_pair<FrNative, G1Native> account;

            account.private_key = FrNative::one(); // Dummy value, unused

            account.public_key = typename G1Native::affine_element(test.x, test.y);


            // Signature

            std::array<uint8_t, 32> r;

            std::array<uint8_t, 32> s;

            uint8_t v = 0; // Dummy value, unused

            FrNative::serialize_to_buffer(test.r, &r[0]);

            FrNative::serialize_to_buffer(test.s, &s[0]);


            // Hashed message

            std::array<uint8_t, 32> hashed_message_bytes_ = Sha256Hasher::hash(test.message);

            std::vector<uint8_t> hashed_message_bytes;

            hashed_message_bytes.reserve(32);

            for (auto byte : hashed_message_bytes_) {

                hashed_message_bytes.emplace_back(byte);

            }


            // Create ECDSA verification circuit

            Builder builder;

            stdlib::byte_array<Builder> hashed_message(&builder, hashed_message_bytes);


            // ECDSA verification

            ecdsa_verification_circuit(builder,

                                       hashed_message,

                                       account,

                                       { r, s, v },

                                       test.is_valid_signature,

                                       test.is_circuit_satisfied,

                                       test.failure_msg,

                                       TamperingMode::None);

        }

    }


};


using Curves = testing::Types<stdlib::secp256k1<UltraCircuitBuilder>,

                              stdlib::secp256r1<UltraCircuitBuilder>,

                              stdlib::secp256k1<MegaCircuitBuilder>,

                              stdlib::secp256r1<MegaCircuitBuilder>>;


TYPED_TEST_SUITE(EcdsaTests, Curves);


TYPED_TEST(EcdsaTests, VerifyRandomSignature)

{

    TestFixture::test_verify_signature(/*random_signature=*/true, TestFixture::TamperingMode::None);

}


TYPED_TEST(EcdsaTests, VerifySignature)

{

    using Curve = TypeParam;


    size_t finalized_num_gates =

        TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::None);

    static constexpr size_t NUM_GATES_SECP256K1 = 41965;

    static constexpr size_t NUM_GATES_SECP256R1 = IsMegaBuilder<typename Curve::Builder> ? 72014 : 72012;

    BB_ASSERT_EQ(finalized_num_gates,

                 Curve::type == bb::CurveType::SECP256K1 ? NUM_GATES_SECP256K1 : NUM_GATES_SECP256R1,

                 "There has been a change in the number of gates for ECDSA verification");

}


TYPED_TEST(EcdsaTests, XCoordinateOverflow)

{

    BB_DISABLE_ASSERTS();

    TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::XCoordinateOverflow);

}


TYPED_TEST(EcdsaTests, YCoordinateOverflow)

{

    BB_DISABLE_ASSERTS();

    TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::YCoordinateOverflow);

}


TYPED_TEST(EcdsaTests, InvalidR)

{

    TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::InvalidR);

}


TYPED_TEST(EcdsaTests, InvalidS)

{

    TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::InvalidS);

}


TYPED_TEST(EcdsaTests, HighS)

{

    // Disable asserts because native ecdsa verification raises an error if s >= (n+1)/2

    BB_DISABLE_ASSERTS();

    TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::HighS);

}


TYPED_TEST(EcdsaTests, ZeroR)

{

    TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::ZeroR);

}


TYPED_TEST(EcdsaTests, ZeroS)

{

    TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::ZeroS);

}


TYPED_TEST(EcdsaTests, InvalidPubKey)

{

    // Disable asserts because `validate_on_curve` raises an error in the `mult_madd` function:

    // BB_ASSERT_EQ(remainder_1024.lo, uint512_t(0))

    BB_DISABLE_ASSERTS();

    TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::InvalidPubKey);

}


TYPED_TEST(EcdsaTests, InfinityPubKey)

{

    // Disable asserts to avoid errors trying to invert zero

    BB_DISABLE_ASSERTS();

    TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::InfinityPubKey);

}


TYPED_TEST(EcdsaTests, InfinityScalarMul)

{

    // Disable asserts because native ecdsa verification raises an error if the result of the scalar multiplication is

    // the point at infinity

    BB_DISABLE_ASSERTS();

    TestFixture::test_verify_signature(/*random_signature=*/false, TestFixture::TamperingMode::InfinityScalarMul);

}


TYPED_TEST(EcdsaTests, Wycherproof)

{

    if constexpr (TypeParam::type == bb::CurveType::SECP256K1) {

        TestFixture::test_wycherproof(stdlib::secp256k1_tests);

    } else {

        TestFixture::test_wycherproof(stdlib::secp256r1_tests);

    }

}


BB_ASSERT_EQ
#define BB_ASSERT_EQ(actual, expected,...)
Definition assert.hpp:77

BB_DISABLE_ASSERTS
#define BB_DISABLE_ASSERTS()
Definition assert.hpp:32

circuit_checker.hpp

EcdsaTests
Definition ecdsa.test.cpp:18

EcdsaTests::ecdsa_verification_circuit
size_t ecdsa_verification_circuit(Builder &builder, const stdlib::byte_array< Builder > &hashed_message, const ecdsa_key_pair< FrNative, G1Native > &account, const ecdsa_signature &signature, const bool signature_verification_result, const bool circuit_checker_result, const std::string failure_msg, const TamperingMode mode)
Definition ecdsa.test.cpp:237

EcdsaTests::Fr
Curve::bigfr_ct Fr
Definition ecdsa.test.cpp:30

EcdsaTests::G1
Curve::g1_bigfr_ct G1
Definition ecdsa.test.cpp:32

EcdsaTests::private_key
static constexpr FrNative private_key
Definition ecdsa.test.cpp:36

EcdsaTests::FrNative
Curve::fr FrNative
Definition ecdsa.test.cpp:25

EcdsaTests::tampering
std::string tampering(std::string message_string, ecdsa_key_pair< FrNative, G1Native > &account, ecdsa_signature &signature, TamperingMode mode)
Definition ecdsa.test.cpp:72

EcdsaTests::CurveType
std::conditional_t< Curve::type==bb::CurveType::SECP256K1, bb::curve::SECP256K1, bb::curve::SECP256R1 > CurveType
Definition ecdsa.test.cpp:22

EcdsaTests::generate_dummy_ecdsa_data
std::pair< ecdsa_key_pair< FrNative, G1Native >, ecdsa_signature > generate_dummy_ecdsa_data(std::string message_string, bool random_signature)
Definition ecdsa.test.cpp:53

EcdsaTests::test_verify_signature
size_t test_verify_signature(bool random_signature, TamperingMode mode)
Definition ecdsa.test.cpp:274

EcdsaTests::FqNative
Curve::fq FqNative
Definition ecdsa.test.cpp:26

EcdsaTests::TamperingMode
TamperingMode
Definition ecdsa.test.cpp:39

EcdsaTests::TamperingMode::InvalidPubKey
@ InvalidPubKey

EcdsaTests::TamperingMode::InvalidR
@ InvalidR

EcdsaTests::TamperingMode::InvalidS
@ InvalidS

EcdsaTests::TamperingMode::ZeroS
@ ZeroS

EcdsaTests::TamperingMode::None
@ None

EcdsaTests::TamperingMode::YCoordinateOverflow
@ YCoordinateOverflow

EcdsaTests::TamperingMode::InfinityScalarMul
@ InfinityScalarMul

EcdsaTests::TamperingMode::InfinityPubKey
@ InfinityPubKey

EcdsaTests::TamperingMode::XCoordinateOverflow
@ XCoordinateOverflow

EcdsaTests::TamperingMode::HighS
@ HighS

EcdsaTests::TamperingMode::ZeroR
@ ZeroR

EcdsaTests::test_wycherproof
void test_wycherproof(std::vector< stdlib::WycherproofTest< CurveType > > tests)
Construct tests based on data fetched from the Wycherproof project.
Definition ecdsa.test.cpp:316

EcdsaTests::Fq
Curve::fq_ct Fq
Definition ecdsa.test.cpp:31

EcdsaTests::Builder
Curve::Builder Builder
Definition ecdsa.test.cpp:20

EcdsaTests::bool_t
Curve::bool_ct bool_t
Definition ecdsa.test.cpp:33

EcdsaTests::create_stdlib_ecdsa_data
std::pair< G1, stdlib::ecdsa_signature< Builder > > create_stdlib_ecdsa_data(Builder &builder, const ecdsa_key_pair< FrNative, G1Native > &account, const ecdsa_signature &signature, const TamperingMode mode)
Definition ecdsa.test.cpp:200

EcdsaTests::G1Native
Curve::g1 G1Native
Definition ecdsa.test.cpp:27

bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:20

bb::curve::BN254
Definition bn254.hpp:16

bb::numeric::uint256_t
Definition uint256.hpp:32

bb::numeric::uint256_t::slice
constexpr uint256_t slice(uint64_t start, uint64_t end) const
Definition uint256_impl.hpp:291

bb::stdlib::bool_t
Implements boolean logic in-circuit.
Definition bool.hpp:59

bb::stdlib::bool_t::get_value
bool get_value() const
Definition bool.hpp:124

bb::stdlib::bool_t::assert_equal
void assert_equal(const bool_t &rhs, std::string const &msg="bool_t::assert_equal") const
Implements copy constraint for bool_t elements.
Definition bool.cpp:421

bb::stdlib::byte_array
Represents a dynamic array of bytes in-circuit.
Definition byte_array.hpp:28

bb::stdlib::witness_t
Definition witness.hpp:16

benchmark_info
void benchmark_info(Args...)
Info used to store circuit statistics during CI/CD with concrete structure. Writes straight to log.
Definition log.hpp:110

info
void info(Args... args)
Definition log.hpp:75

IsMegaBuilder
Definition circuit_builders.hpp:21

AddressRefMutationOptions::mode
@ mode

builder
AluTraceBuilder builder
Definition alu.test.cpp:124

ecdsa.hpp

ecdsa_tests_data.hpp

buffer
uint8_t buffer[RANDOM_BUFFER_SIZE]
Definition engine.cpp:34

hash
void hash(State &state) noexcept
Definition merkle_tree.bench.cpp:28

bb::crypto
Definition aes128.cpp:158

bb::stdlib::secp256k1_tests
const std::vector< WycherproofSecp256k1 > secp256k1_tests
Test for Secp256k1 ECDSA signatures taken from the Wycherproof project.
Definition ecdsa_tests_data.hpp:40

bb::stdlib::secp256r1_tests
const std::vector< WycherproofSecp256r1 > secp256r1_tests
Test for Secp256r1 ECDSA signatures taken from the Wycherproof project.
Definition ecdsa_tests_data.hpp:95

bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5

bb::TYPED_TEST_SUITE
TYPED_TEST_SUITE(ShpleminiTest, TestSettings)

bb::fr
field< Bn254FrParams > fr
Definition fr.hpp:174

bb::TYPED_TEST
TYPED_TEST(ShpleminiTest, CorrectnessOfMultivariateClaimBatching)
Definition shplemini.test.cpp:52

bb::SECP256K1
@ SECP256K1
Definition types.hpp:10

bb::Curves
::testing::Types< curve::BN254, curve::Grumpkin > Curves
Definition batched_affine_addition.test.cpp:23

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

ecdsa.hpp

bb::crypto::Sha256Hasher::hash
static auto hash(const B &message)
Definition hashers.hpp:36

bb::crypto::ecdsa_key_pair
Definition ecdsa.hpp:18

bb::crypto::ecdsa_key_pair::public_key
G1::affine_element public_key
Definition ecdsa.hpp:20

bb::crypto::ecdsa_key_pair::private_key
Fr private_key
Definition ecdsa.hpp:19

bb::crypto::ecdsa_signature
Definition ecdsa.hpp:25

bb::crypto::ecdsa_signature::r
std::array< uint8_t, 32 > r
Definition ecdsa.hpp:26

bb::crypto::ecdsa_signature::s
std::array< uint8_t, 32 > s
Definition ecdsa.hpp:27

bb::field< Bn254FrParams >::one
static constexpr field one()
Definition field_declarations.hpp:242

bb::field< Bn254FrParams >::zero
static constexpr field zero()
Definition field_declarations.hpp:240

bb::stdlib::WycherproofTest
Definition ecdsa_tests_data.hpp:15

bb::stdlib::ecdsa_signature
Definition ecdsa.hpp:14

bb::stdlib::secp256k1
Definition secp256k1.hpp:17

bb::stdlib::secp256r1
Definition secp256r1.hpp:17

test.hpp