Converting emulated element into uint array

[doutv]

In my circuit, I want to hash some emulated elements from P-256 public key and message.

Convert Msg and Pub here into []uints.U8, then use SHA-3 to hash it

gnark/std/signature/ecdsa/ecdsa_secpr_test.go

Lines 54 to 58 in 42dcb0c

	Msg: emulated.ValueOf[emulated.P256Fr](msgHash[:]),
	Pub: PublicKey[emulated.P256Fp, emulated.P256Fr]{
	X: emulated.ValueOf[emulated.P256Fp](privKey.PublicKey.X),
	Y: emulated.ValueOf[emulated.P256Fp](privKey.PublicKey.Y),
	},

Saw comments here

gnark/std/math/uints/uint8.go

Lines 64 to 66 in 42dcb0c

	// TODO: methods for converting uint array into emulated element and native
	// element. Most probably should add the implementation for non-native in its
	// package, but for native we should add it here.

[ivokub]

Yup, we don't have it currently natively implemented in gnark. We should do it at some point, but in practice it is better to use snark-friendly hash functions where we don't need the byte format of the message/pubkey.

But still, see here: https://github.com/ritave/eIDAS-bridge/blob/main/snark/circuits/circuit.go, this is a hackathon project where I implemented X509 certificate verification in-circuit and for that I needed certificate chain verification, including hashing of P384 keys. The trick I used there was that I provided the byte-format of the pubkey and message as private input and then showed that it composes back to the given key/msg. See https://github.com/ritave/eIDAS-bridge/blob/main/snark/circuits/circuit.go#L63-L97

[doutv]

Another method: inside circuit Define, convert limbs frontend.Variable to []uints.U8

type EcdsaCircuit[T, S emulated.FieldParams] struct {
	Commitment frontend.Variable `gnark:",public"` // Keccak256(Pub[0], Msg[0], Sig[1], Msg[1], ...)[1:32], ignore the first byte, since BN254 order < uint256

	Pub [NumSignatures]PublicKey[T, S]     `gnark:",secret"`
	Msg [NumSignatures]emulated.Element[S] `gnark:",secret"`
	Sig [NumSignatures]Signature[S]        `gnark:",secret"`
}

msgLimb := uapi.UnpackMSB(uapi.ValueOf(c.Msg[i].Limbs[j]))
pubXLimb := uapi.UnpackMSB(uapi.ValueOf(c.Pub[i].X.Limbs[j]))

https://github.com/doutv/gnark-benchmark/blob/39fe8a6d7629608faeda102bae00968ff5eff94b/p256/circuit.go#L43-L44

[ivokub]

Oh, that's also possible. But this depends on the representation of non-native element. One thing you should consider is that maybe the non-native elements are not reduced, and then unpacking this way may not be stable. See the similar documentation for the ToBits methods - https://pkg.go.dev/github.com/consensys/[email protected]/std/math/emulated#Field.ToBits and https://pkg.go.dev/github.com/consensys/[email protected]/std/math/emulated#Field.ToBitsCanonical.

But in your case seems it seems this is not an issue, but I skimmed very quickly through.