Skip to content

The fastest in-browser verification of ECDSA signatures in ZK, using Spartan on the secq256k1 curve

Notifications You must be signed in to change notification settings

personaelabs/spartan-ecdsa

Repository files navigation

Spartan-ecdsa

Spartan-ecdsa (which to our knowledge) is the fastest open-source method to verify ECDSA (secp256k1) signatures in zero-knowledge. It can prove ECDSA group membership 10 times faster than efficient-zk-ecdsa, our previous implementation of fast ECDSA signature proving. Please refer to this blog post for further information.

Constraint breakdown

spartan-ecdsa achieves the phenomenal result of hashing becoming the bottleneck instead of ECC operations for the pubkey_membership.circom circuit. In particular, there are 3,039 constraints for efficient ECDSA signature verification, and 5,037 constraints for a depth 20 merkle tree membership check + 1 Poseidon hash of the ECDSA public key. The drop from the original 1.5 million constraints of circom-ecdsa comes primarily from doing right-field arithmetic with secq and avoiding SNARK-unfriendly range checks and big integer math.

We also use efficient ECDSA signatures instead of standard ECDSA siagnatures to save an additional 14,505 constraints. To review, the standard ECDSA signature consists of $(r, s)$ for a public key $Q_a$ and message $m$, where $r$ is the x-coordinate of a random elliptic curve point $R$. Standard ECDSA signature verification checks if

$$R == m s ^{-1} * G + r s ^{-1} * Q_a$$

where $G$ is the generator point of the curve. The efficient ECDSA signature consists of $s$ as well as $T = r^{-1} * R$ and $U = -r^{-1} * m * G$, which can both be computed outside of the SNARK without breaking correctness. Efficient ECDSA signature verification checks if

$$s * T + U == Q_a$$

Thus, verifying a standard ECDSA signature instead of the efficient ECDSA signature requires (1) computing $s^{-1}$, $r * s^{-1}$, $m * s^{-1}$, and (2) an extra ECC scalar multiply to compute $m s ^{-1} * G$. The former computations happen in the scalar field of secp, which is unequal to the scalar field of secq, and so we incur 11,494 additional constraints for the wrong-field math. The latter can use the Secp256k1Mul subroutine and incurs 3,011 additional constraints.

Benchmarks

Proving membership to a group of ECDSA public keys

Benchmark #
Constraints 8,076
Proving time in browser 4s
Proving time in Node.js 2s
Verification time in browser 1s
Verification time in Node.js 300ms
Proof size 16kb
  • Measured on a M1 MacBook Pro with 80Mbps internet speed.
  • Both proving and verification time in browser includes the time to download the circuit.

Disclaimers

  • Spartan-ecdsa is unaudited. Please use it at your own risk.
  • Usage on mobile browsers isn’t currently supported.

Install

yarn add @personaelabs/spartan-ecdsa

Development

Node.js

v18 or later

Build

  1. Install Circom with secq256k1 support
git clone https://github.com/DanTehrani/circom-secq
cd circom-secq && cargo build --release && cargo install --path circom
  1. Install wasm-pack

  2. Install dependencies & Build all packages

yarn && yarn build