UNPKG

o1js

Version:

TypeScript framework for zk-SNARKs and zkApps

github.com/o1-labs/o1js/

o1-labs/o1js

170 lines (169 loc) 7.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
import { CurveParams } from '../../../bindings/crypto/elliptic-curve.js'; import { ProvablePureExtended } from '../types/struct.js'; import { FlexiblePoint, ForeignCurve } from './foreign-curve.js'; import { AlmostForeignField } from '../foreign-field.js'; import { Field3 } from '../gadgets/foreign-field.js'; import { Bytes } from '../wrapped-classes.js'; import type { Bool } from '../bool.js'; export { createEcdsa, EcdsaSignature }; type FlexibleSignature = EcdsaSignature | { r: AlmostForeignField | Field3 | bigint | number; s: AlmostForeignField | Field3 | bigint | number; }; declare class EcdsaSignature { r: AlmostForeignField; s: AlmostForeignField; /** * Create a new {@link EcdsaSignature} from an object containing the scalars r and s. * * Note: Inputs must be range checked if they originate from a different field with a different modulus or if they are not constants. Please refer to the {@link ForeignField} constructor comments for more details. */ constructor(signature: { r: AlmostForeignField | Field3 | bigint | number; s: AlmostForeignField | Field3 | bigint | number; }); /** * Coerce the input to a {@link EcdsaSignature}. */ static from(signature: FlexibleSignature): EcdsaSignature; /** * Create an {@link EcdsaSignature} from a raw 130-char hex string as used in * [Ethereum transactions](https://ethereum.org/en/developers/docs/transactions/#typed-transaction-envelope). */ static fromHex(rawSignature: string): EcdsaSignature; /** * Convert this signature to an object with bigint fields. */ toBigInt(): { r: bigint; s: bigint; }; /** * Verify the ECDSA signature given the message (an array of bytes) and public key (a {@link Curve} point). * * **Important:** This method returns a {@link Bool} which indicates whether the signature is valid. * So, to actually prove validity of a signature, you need to assert that the result is true. * * @throws if one of the signature scalars is zero or if the public key is not on the curve. * * @example * ```ts * // create classes for your curve * class Secp256k1 extends createForeignCurve(Crypto.CurveParams.Secp256k1) {} * class Scalar extends Secp256k1.Scalar {} * class Ecdsa extends createEcdsa(Secp256k1) {} * * let message = 'my message'; * let messageBytes = new TextEncoder().encode(message); * * // outside provable code: create inputs * let privateKey = Scalar.random(); * let publicKey = Secp256k1.generator.scale(privateKey); * let signature = Ecdsa.sign(messageBytes, privateKey.toBigInt()); * * // ... * // in provable code: create input witnesses (or use method inputs, or constants) * let pk = Provable.witness(Secp256k1, () => publicKey); * let msg = Provable.witness(Provable.Array(Field, 9), () => messageBytes.map(Field)); * let sig = Provable.witness(Ecdsa, () => signature); * * // verify signature * let isValid = sig.verify(msg, pk); * isValid.assertTrue('signature verifies'); * ``` */ verify(message: Bytes, publicKey: FlexiblePoint): Bool; /** * Verify an ECDSA signature generated by the ethers.js library, given the message (as a byte array) and a public key (a {@link Curve} point). * The message digest used for signing follows the format defined in EIP-191, with the Ethereum-specific prefix. * * **Important:** This method returns a {@link Bool} which indicates whether the signature is valid. * So, to actually prove validity of a signature, you need to assert that the result is true. * * **Note:** This method is specifically designed to verify signatures generated by ethers.js. * Ensure that the curve being used is Secp256k1, as demonstrated in the example. * * @throws An error will be thrown if one of the signature scalars is zero or if the public key does not lie on the curve. * * @example * ```ts * import { Wallet } from 'ethers'; * * // create the class for Secp256k1 curve * class Secp256k1 extends createForeignCurve(Crypto.CurveParams.Secp256k1) {} * class Ecdsa extends createEcdsa(Secp256k1) {} * * // outside provable code: create inputs * let message = 'my message'; * let signatureRaw = await wallet.signMessage(message); * let compressedPublicKey = wallet.signingKey.compressedPublicKey; * * // this also works for uncompressed public keys (wallet.signingKey.publicKey) * let publicKey = Secp256k1.fromEthers(compressedPublicKey.slice(2)); * let signature = Ecdsa.fromHex(signatureRaw); * * // ... * // in provable code: create input witnesses (or use method inputs, or constants) * // and verify the signature * let isValid = signature.verifyEthers(Bytes.fromString(message), publicKey); * isValid.assertTrue('signature verifies'); * ``` * * @param message - The original message as a byte array. * @param publicKey - The public key as a point on the Secp256k1 elliptic curve. * @returns - A {@link Bool} indicating the validity of the signature. */ verifyEthers(message: Bytes, publicKey: FlexiblePoint): Bool; /** * Verify the ECDSA signature given the message hash (a {@link Scalar}) and public key (a {@link Curve} point). * * This is a building block of {@link EcdsaSignature.verify}, where the input message is also hashed. * In contrast, this method just takes the message hash (a curve scalar, or the output bytes of a hash function) * as input, giving you flexibility in choosing the hashing algorithm. */ verifySignedHash(msgHash: AlmostForeignField | bigint | Bytes, publicKey: FlexiblePoint): Bool; /** * Create an {@link EcdsaSignature} by signing a message with a private key. * * Note: This method is not provable, and only takes JS bigints as input. */ static sign(message: (bigint | number)[] | Uint8Array, privateKey: bigint): EcdsaSignature; /** * Create an {@link EcdsaSignature} by signing a message hash with a private key. * * This is a building block of {@link EcdsaSignature.sign}, where the input message is also hashed. * In contrast, this method just takes the message hash (a curve scalar, or the output bytes of a hash function) * as input, giving you flexibility in choosing the hashing algorithm. * * Note: This method is not provable, and only takes JS bigints or constant Bytes as input. */ static signHash(msgHash: bigint | Bytes, privateKey: bigint): EcdsaSignature; static check(signature: EcdsaSignature): void; get Constructor(): typeof EcdsaSignature; static _Curve?: typeof ForeignCurve; static _provable?: ProvablePureExtended<EcdsaSignature, { r: bigint; s: bigint; }, { r: string; s: string; }>; /** * The {@link ForeignCurve} on which the ECDSA signature is defined. */ static get Curve(): typeof ForeignCurve; /** * `Provable<EcdsaSignature>` */ static get provable(): ProvablePureExtended<EcdsaSignature, { r: bigint; s: bigint; }, { r: string; s: string; }>; } /** * Create a class {@link EcdsaSignature} for verifying ECDSA signatures on the given curve. */ declare function createEcdsa(curve: CurveParams | typeof ForeignCurve): typeof EcdsaSignature;