crypto-snippets/zokrates-eddsa

EdDSA ZoKrates


\(\gdef\system{\mathsf{Sig}}\) \(\gdef\systemprefix{}\) \(\gdef\keygen{\mathsf{\systemprefix{}KGen}}\) \(\gdef\sign{\mathsf{\systemprefix{}Sign}}\) \(\gdef\verify{\mathsf{\systemprefix{}Verify}}\) \(\gdef\hash{\mathsf{Hash}}\) \(\gdef\msgspace{\mathcal{M}}\) \(\gdef\group{\mathbb{G}}\) \(\gdef\generator{G}\) \(\gdef\modulo{q}\)

The EdDSA implementation in ZoKrates deviates slightly from standard EdDSA. It uses a hash function \(\hash: \{0,1\}^* \to \{0,1\}^{256}\) instead of one with \(512\)-bit output. Thus, instead of deriving two keys from the secret key (signing key and nonce key), only the nonce key is derived, while the secret key is used directly in the final scalar multiplication step of signing.

Note also that ZoKrates hashes only the x-coordinates of the nonce commitment \(R\) and the public key \(Y\).

\(\keygen(1^n) \to (pk, sk)\)


  • Random scalar \(x\)
  • \(Y := x \generator{}\)
  • Output \((pk := Y, sk := x)\)

\(\sign(sk, m) \to \sigma\)


  • \(x := sk \quad Y = x \generator\)
  • \(r := \hash(x \| m)\)
  • \(R := r \generator\)
  • Parse EC Point \(R\) as \((x_{1}, y_1)\)
  • Parse EC Point \(Y\) as \((x_{2}, y_2)\)
  • \(s := r + \hash(x_{1} \| x_{2} \| m) \cdot x\)
  • Output \(\sigma := (R, s)\)

\(\verify(pk, m, \sigma) \to \{0,1\}\)


  • \(Y:= pk \quad (R,s) := \sigma\)
  • \((x_{1}, y_1) := R \quad (x_2, y_2) := Y\)
  • \(S \gets \hash(x_1 \|x_2 \| m)\)
  • \(v_1 := s \generator{}\)
  • \(v_2 := R + Y \cdot S\)
  • Output \(1\) if \(v_1 = v_2\) else \(0\)
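
The three algorithms above as a runnable sketch. This is an added example, not ZoKrates code. It assumes the Ed25519 curve parameters, SHA-256 as \(\hash\), 32-byte big-endian encoding of scalars and coordinates, and reduction of scalars modulo the group order, none of which are specified on this page.

```python
import hashlib

# Assumed parameters: the page names no curve, so Ed25519's curve
# (-x^2 + y^2 = 1 + D*x^2*y^2 over GF(P)) and SHA-256 stand in here.
P = 2**255 - 19
Q = 2**252 + 27742317777372353535851937790883648493  # prime order of G
D = -121665 * pow(121666, -1, P) % P
# Generator: y = 4/5, x recovered from the curve equation (P = 5 mod 8 square root).
_y = 4 * pow(5, -1, P) % P
_x2 = (_y * _y - 1) * pow(D * _y * _y + 1, -1, P) % P
_x = pow(_x2, (P + 3) // 8, P)
if (_x * _x - _x2) % P:
    _x = _x * pow(2, (P - 1) // 4, P) % P
G = (_x, _y)

def add(a, b):
    # Complete twisted Edwards addition law for curve coefficient a = -1.
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):
    acc = (0, 1)  # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(*parts):
    # Hash(a || b || ...), 256-bit output; ints as 32-byte big-endian (assumed).
    data = b"".join(p if isinstance(p, bytes) else p.to_bytes(32, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen(x):
    return mul(x, G), x                    # (pk := Y, sk := x)

def sign(sk, m):
    Y = mul(sk, G)
    r = H(sk, m) % Q                       # nonce derived directly from sk and m
    R = mul(r, G)
    s = (r + H(R[0], Y[0], m) * sk) % Q    # only the x-coordinates are hashed
    return R, s

def verify(pk, m, sig):
    R, s = sig
    S = H(R[0], pk[0], m)
    return mul(s, G) == add(R, mul(S % Q, pk))
```

Because \(r\) is a deterministic function of \(sk\) and \(m\), signing the same message twice yields the same signature.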

Last modified June 13, 2025, 4:18 a.m.