Public key verification issue in circuits

[yinzhenzhen]

I have two questions. First, regarding the example examples/pubkeyhashing/pubkeyhashing_test.go, why does it use SHA256 to calculate the public key hash outside the circuit, but SHA2 is used inside the circuit, and why are these two hash values ​​compared for equality?


Second, I want to generate a signature outside the circuit and verify it inside the circuit. In the circuit, I want to directly use multiple fields concatenated as the original signature for verification. How can I achieve this? Are there any similar examples I can refer to? Below are the fields of my circuit; I want to concatenate all of these fields as the original signature text msg.

type Circuit struct {
	// 公共输入（验证者可知）
	Context  [2]frontend.Variable `gnark:",public"`
	Id       frontend.Variable    `gnark:",public"` // 主体ID哈希（MiMC哈希值），用于电路验证
	Type     frontend.Variable    `gnark:",public"` // 类型
	Issuer   frontend.Variable    `gnark:",public"` // 发行者DID
	Template ZkTemplate           `gnark:",public"` // VC模板
	NowDate  frontend.Variable    `gnark:",public"` // 验证时的当前时间（由验证方提供）
	// 私有输入（持有者保密）
	IssuanceDate      frontend.Variable  // 签发时间
	ExpirationDate    frontend.Variable  // 过期时间
	VcHolder          frontend.Variable  // vc持有者DID
	CredentialSubject []CircuitFieldItem // 声明内容
	//IssuerPubKey      eddsa.PublicKey    `gnark:"-"` // 发行者公钥
	//Signature         eddsa.Signature    // 发行者签名
	Signature ecdsa.Signature[emparams.Secp256k1Fr] `gnark:",public"`
	IssuerPublicKey ecdsa.PublicKey[emparams.Secp256k1Fp, emparams.Secp256k1Fr]
}

type ZkTemplate struct {
	Id      frontend.Variable // 模版id
	Name    frontend.Variable // 模版名称
	Content []TemplateSchema  // 模版内容信息
}

type TemplateSchema struct {
	FieldName frontend.Variable // 字段名称哈希值
	Required  frontend.Variable // 是否必填
}

By the way, are there significant differences between the ECDSA and EDDSA algorithms in GNark, and which algorithm would you recommend?

[ivokub]

Thank you for your interest in gnark. Short answers to your questions are below:

1. it is difference in package names. Outside of circuit to compute the witness we use Go std library crypto/sha256 package, but in circuit we use github.com/consensys/gnark/std/hash/sha2 package (which creates circuit constraints).
2. It is a bit complicated, but doable in general. Usually sha2 hash function takes as input bytes (in-circuit we have corresponding data structure github.com/consensys/gnark/std/math/uints.U8), but the frontend.Variable types are arbitrary variables which can take a value in the full field of definition (i.e. between [0, 21888242871839275222246405745257275088548364400416034343698204186575808495617) in case of BN curve). Now the question becomes how to convert frontend.Variable to []uints.U8 efficiently? For this we have the conversion.NativeToBytes method. So you would have to call this on all the circuit inputs, concatenate the results, hash it using in-circuit sha2 gadget and then provide it as an input to ECDSA.
3. ECDSA implements the standardized ECDSA signature algorithm. It is similar to EDDSA, but it was historically constructed bit differently to avoid patents on EDDSA. As the patents are now expired then EDDSA is also suitable to use. But a lot of tools already assume ECDSA and it is widely used, so it is probably easier to use. But depends on your specific use cases.