Setup repo for audit round

.gitignore

@@ -14,4 +14,12 @@ remix-compiler.config.js
 *.sym
 *.ptau
 verify_js/
-verify_cpp/
+verify_cpp/
+.idea
+batchverify_js/
+batchverify_cpp/
+*.zkey
+circuits/batchverifier.sol
+proof.json
+public.json
+verification_key.json

batchVerify-README.md

@@ -0,0 +1,248 @@
+# Circom Ed25519
+
+Curve operations and signature verification for Ed25519 digital signature scheme in circom
+
+**WARNING:** This is a research project. It has not been audited and may contain bugs and security flaws. This implementation is NOT ready for production use.
+
+The circuits follow the reference implementation from [IETF RFC8032](https://datatracker.ietf.org/doc/html/rfc8032#section-6)
+
+## 1. Installing dependencies
+- `npm install -g snarkjs`
+- Install Rust: `curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh`
+- Clone and install circom - [circom docs](https://docs.circom.io/getting-started/installation/)
+- If you want to build the `verify` circuit, you'll need to download a Powers of Tau file with `2^22` constraints and copy it into the `circuits` subdirectory of the project, with the name `pot22_final.ptau`. You can download Powers of Tau files from the Hermez trusted setup from [this repository](https://github.com/iden3/snarkjs#7-prepare-phase-2)
+
+## 2. Run the project
+
+### 2.1. Clone code and install dependencies
+
+```bash=
+git clone this-project-code
+```
+
+```bash=
+cd /path/to/this/project/folder/
+```
+
+Run command to install package dependencies
+
+```bash=
+npm install
+```
+
+### 2.2. Compile circuits
+
+Enter the `circuits` directory, we can compile the circuit with the following command:
+
+```bash=
+circom batchverify.circom --r1cs --wasm --sym --c
+```
+
+With these options we generate three types of files:
+
+- `--r1cs`: it generates the file `batchverify.r1cs` that contains the [R1CS constraint system](https://docs.circom.io/background/background#rank-1-constraint-system) of the circuit in binary format.
+- `--wasm`: it generates the directory `batchverify_js` that contains the Wasm code (batchverify.wasm) and other files needed to generate the [witness](https://docs.circom.io/background/background#witness).
+- `--sym` : it generates the file batchverify.sym , a symbols file required for debugging or for printing the constraint system in an annotated mode.
+- `--c` : it generates the directory batchverify_cpp that contains several files (batchverify.cpp, batchverify.dat, and other common files for every compiled program like main.cpp, MakeFile, etc) needed to compile the C code to generate the witness.
+
+`Notice`: If you encounter `JavaScript Heap Out of Memory Error` during operation, please refer to the [documentation](https://www.makeuseof.com/javascript-heap-out-of-memory-error-fix/) to solve it.
+
+### 2.3. Computing the witness
+
+Enter in the directory `batchverify_js`, add the input in a file `batchinput.json` (Simply copy the `batchinput.json` in the root directory of the project) and execute:
+
+```bash=
+node generate_witness.js batchverify.wasm batchinput.json witness.wtns
+```
+
+### 2.4. Proving circuits
+
+#### 2.4.1. Powers of Tau
+
+First, re-enter the `circuits` directory, we start a new "powers of tau" ceremony:
+
+```bash=
+snarkjs powersoftau new bn128 23 pot23_0000.ptau -v
+```
+
+Then, we contribute to the ceremony:
+
+```bash=
+snarkjs powersoftau contribute pot23_0000.ptau pot23_0001.ptau --name="First contribution" -v
+```
+
+Now, we have the contributions to the powers of tau in the file `pot23_0001.ptau` and we can proceed with the `Phase 2`.
+
+#### 2.4.2. Phase 2
+
+The **phase 2** is **circuit-specific**. Execute the following command to start the generation of this phase:
+
+```bash=
+snarkjs powersoftau prepare phase2 pot23_0001.ptau pot23_final.ptau -v
+```
+
+Next, we generate a `.zkey` file that will contain the proving and verification keys together with all phase 2 contributions. Execute the following command to start a new zkey:
+
+```bash=
+snarkjs groth16 setup batchverify.r1cs pot23_final.ptau batchverify_0000.zkey
+```
+**Notice:** Run `export NODE_OPTIONS=--max-old-space-size=8192` to Fix **JavaScript Heap Out of Memory Error**
+
+Contribute to the phase 2 of the ceremony:
+
+```bash=
+snarkjs zkey contribute batchverify_0000.zkey batchverify_0001.zkey --name="1st Contributor Name" -v
+```
+
+Export the verification key:
+
+```bash=
+snarkjs zkey export verificationkey batchverify_0001.zkey verification_key.json
+```
+
+#### 2.4.3. Generating a Proof
+
+Once the witness is computed and the trusted setup is already executed, we can **generate a zk-proof** associated to the circuit and the witness:
+
+```bash=
+use snarkjs:
+snarkjs groth16 prove batchverify_0001.zkey ./batchverify_js/witness.wtns proof.json public.json
+```
+
+This command generates a [Groth16](https://eprint.iacr.org/2016/260) proof and outputs two files:
+
+- `proof.json`: it contains the proof.
+- `public.json`: it contains the values of the public inputs and outputs.
+
+This step can use `rapidsnark` to speed up the generation of zkSnark proofs, please refer to the documentation of [rapidsnark](https://github.com/iden3/rapidsnark).
+
+So you can replace snarkjs command by this one:
+
+```bash=
+./package/bin/prover <batchverify_0001.zkey> <witness.wtns> <proof.json> <public.json>
+
+example:
+./package/bin/prover batchverify_0001.zkey ./batchverify_js/witness.wtns proof.json public.json
+```
+
+#### 2.4.4. Verifying a Proof
+
+To **verify the proof**, execute the following command:
+
+```bash=
+snarkjs groth16 verify verification_key.json public.json proof.json
+```
+
+The command uses the files `verification_key.json` we exported earlier,`proof.json` and `public.json` to check if the proof is valid. If the proof is valid, the command outputs an `OK`.
+
+A valid proof not only proves that we know a set of signals that satisfy the circuit, but also that the public inputs and outputs that we use match the ones described in the `public.json` file.
+
+#### 2.4.5. Verifying from a Smart Contract
+
+It is also possible to generate a **Solidity verifier** that allows **verifying proofs on Ethereum blockchain**.
+
+First, we need to generate the Solidity code using the command:
+
+```bash=
+snarkjs zkey export solidityverifier batchverify_0001.zkey batchverifier.sol
+```
+
+This command takes validation key `batchverify_0001.zkey` and outputs Solidity code in a file named `batchverifier.sol`. You can take the code from this file and cut and paste it in Remix.
+
+The `Verifier` has a `view` function called `verifyProof` that returns `TRUE` if and only if the proof and the inputs are valid. To facilitate the call, you can use `snarkJS` to generate the parameters of the call by typing:
+
+```bash=
+snarkjs generatecall
+```
+
+You can get something like the following in return:
+
+```json=
+["0x19721bf1e6a40b14b136daba5af87aff4f1d9c614dd12796c79f447f0dcdddba", "0x2a4bc5255eae8cfc33d8bce60244258b5160377d73f9f292b27842246d144f70"],[["0x23807555c654ec10dd9de1184fd585b0f235c64c83b0d2b9dc4f7f3934b083d6", "0x2af0c2dd9b462b7b63c0682646422b526d9b82608456ef09eadfd5bf2e3e9fa2"],["0x1688a3c4ded94b6d5958886feeeb697201fde9e6919f5bd6408a865af46de162", "0x07677f9ee01dcd2637a1e690caa8c40db5488ac0c45ba33bc5489c700db676b0"]],["0x27f0ddc72eca4525c42b39feaac1c159909cc09918beb7f63af68451750af042", "0x04ae2a4c2ef49ac3f01a0240eab924079406f552746cf4d18e32654d39101a79"],["0x0000000000000000000000000000000000000000000000000000000000000000"]
+```
+Cut and paste the output of the command to the parameters field of the `verifyProof` method in Remix. If everything works fine, this method should return `TRUE`. You can try to change just a single bit of the parameters, and you will see that the result is verifiable `FALSE`.
+
+## Appendix
+
+### 1. Inputs explanation
+`msg` is the data for the signature
+
+`R8` is the first 256 bits of the signature (LSB to MSB)
+
+`S` is the first 255 bits of the last 256 bits of the signature (LSB to MSB)
+
+`A` is the public key in binary (LSB to MSB)
+
+`PointA` is the point representing the public key on the elliptic curve (encoded in base 2^85 for brevity)
+
+`PointR` is the point representing the R8 value on the elliptic curve (encoded in base 2^85) 
+
+The [algorithm](https://datatracker.ietf.org/doc/html/rfc8032#section-6) we follow only takes in `A` and `R8` in binary form, and is decompressed to get `PointA` and `PointR` respectively. However, decompression is an expensive algorithm to perform in a circuit. On the other hand, compression is cheap and easy to implement. So, we use a nifty little trick to push the onus of providing both on the `prover` and perform equality checks after compressing the points within the circuit. [Ref](https://github.com/Electron-Labs/ed25519-circom/blob/532f638b4d6ae4684a1f0907df6c92676f0ae8df/circuits/verify.circom#L57)
+
+You can find all helper functions to change encodings from well-known formats to circuit friendly formats [here](https://github.com/Electron-Labs/ed25519-circom/blob/master/test/utils.js)
+
+### 2. Input.json format
+
+In your JSON file, you'll structure the input data like this:
+
+`
+{
+  "msg": [
+    [/* Your first message bytes here */],
+    [/* Your second message bytes here */],
+    [/* Your third message bytes here */],
+    [/* Your fourth message bytes here */]
+  ],
+  "msgLengths": [
+    /* Lengths of your messages corresponding to msg array */
+  ],
+  "S": [
+    [/* Your S values for message 1 */],
+    [/* Your S values for message 2 */],
+    [/* Your S values for message 3 */],
+    [/* Your S values for message 4 */]
+  ],
+  "PointA": [
+    [/* Your PointA values for message 1 */],
+    [/* Your PointA values for message 2 */],
+    [/* Your PointA values for message 3 */],
+    [/* Your PointA values for message 4 */]
+  ],
+  "PointR": [
+    [/* Your PointR values for message 1 */],
+    [/* Your PointR values for message 2 */],
+    [/* Your PointR values for message 3 */],
+    [/* Your PointR values for message 4 */]
+  ]
+}
+`
+
+### 2. Circuit information
+
+#### 2.1. `1 message`
+
+```bash=
+template instances: 216
+non-linear constraints: 1307374
+linear constraints: 0
+public inputs: 0
+public outputs: 1
+private inputs: 295
+private outputs: 0
+wires: 1380186
+labels: 13089531
+```
+
+#### 2.2. `2 messages`
+
+```bash=
+template instances: 216
+non-linear constraints: 2614748
+linear constraints: 0
+public inputs: 0
+public outputs: 1
+private inputs: 590 
+private outputs: 0
+wires: 2760371
+labels: 26179059
+```