Spartan-ecdsa (which to our knowledge) is the fastest open-source method to verify ECDSA (secp256k1) signatures in zero-knowledge. It can prove ECDSA group membership 10 times faster than efficient-zk-ecdsa, our previous implementation of fast ECDSA signature proving. Please refer to this blog post for further information.
spartan-ecdsa achieves the phenomenal result of hashing becoming the bottleneck instead of ECC operations for the pubkey_membership.circom circuit. In particular, there are 3,039 constraints for efficient ECDSA signature verification, and 5,037 constraints for a depth 20 merkle tree membership check + 1 Poseidon hash of the ECDSA public key. The drop from the original 1.5 million constraints of circom-ecdsa comes primarily from doing right-field arithmetic with secq and avoiding SNARK-unfriendly range checks and big integer math.
We also use efficient ECDSA signatures instead of standard ECDSA siagnatures to save an additional 14,505 constraints. To review, the standard ECDSA signature consists of
where
Thus, verifying a standard ECDSA signature instead of the efficient ECDSA signature requires (1) computing Secp256k1Mul subroutine and incurs 3,011 additional constraints.
Proving membership to a group of ECDSA public keys
| Benchmark | # |
|---|---|
| Constraints | 8,076 |
| Proving time in browser | 4s |
| Proving time in Node.js | 2s |
| Verification time in browser | 1s |
| Verification time in Node.js | 300ms |
| Proof size | 16kb |
- Measured on a M1 MacBook Pro with 80Mbps internet speed.
- Both proving and verification time in browser includes the time to download the circuit.
- Spartan-ecdsa is unaudited. Please use it at your own risk.
- Usage on mobile browsers isn’t currently supported.
yarn add @personaelabs/spartan-ecdsav18 or later
- Install Circom with secq256k1 support
git clone https://github.com/DanTehrani/circom-secq
cd circom-secq && cargo build --release && cargo install --path circom
-
Install wasm-pack
-
Install dependencies & Build all packages
yarn && yarn build