AztecProtocol · kevaundray · May 11, 2023 · May 10, 2023 · May 11, 2023 · May 11, 2023
diff --git a/cpp/src/barretenberg/dsl/acir_format/acir_format.cpp b/cpp/src/barretenberg/dsl/acir_format/acir_format.cpp
@@ -23,7 +23,6 @@ void create_circuit(Composer& composer, const acir_format& constraint_system)
         if (std::find(constraint_system.public_inputs.begin(), constraint_system.public_inputs.end(), i) !=
             constraint_system.public_inputs.end()) {
             composer.add_public_variable(0);
-
         } else {
             composer.add_variable(0);
         }
@@ -62,7 +61,7 @@ void create_circuit(Composer& composer, const acir_format& constraint_system)
 
     // Add ECDSA constraints
     for (const auto& constraint : constraint_system.ecdsa_constraints) {
-        create_ecdsa_verify_constraints(composer, constraint);
+        create_ecdsa_verify_constraints(composer, constraint, false);
     }
 
     // Add blake2s constraints
@@ -145,7 +144,7 @@ Composer create_circuit(const acir_format& constraint_system,
 
     // Add ECDSA constraints
     for (const auto& constraint : constraint_system.ecdsa_constraints) {
-        create_ecdsa_verify_constraints(composer, constraint);
+        create_ecdsa_verify_constraints(composer, constraint, false);
     }
 
     // Add blake2s constraints

diff --git a/cpp/src/barretenberg/dsl/acir_format/ecdsa_secp256k1.cpp b/cpp/src/barretenberg/dsl/acir_format/ecdsa_secp256k1.cpp
@@ -84,9 +84,15 @@ witness_ct ecdsa_index_to_witness(Composer& composer, uint32_t index)
     return { &composer, value };
 }
 
-void create_ecdsa_verify_constraints(Composer& composer, const EcdsaSecp256k1Constraint& input)
+void create_ecdsa_verify_constraints(Composer& composer,
+                                     const EcdsaSecp256k1Constraint& input,
+                                     bool has_valid_witness_assignments)
 {
 
+    if (has_valid_witness_assignments == false) {
+        dummy_ecdsa_constraint(composer, input);
+    }
+
     auto new_sig = ecdsa_convert_signature(composer, input.signature);
 
     auto message = ecdsa_vector_of_bytes_to_byte_array(composer, input.hashed_message);
@@ -127,4 +133,54 @@ void create_ecdsa_verify_constraints(Composer& composer, const EcdsaSecp256k1Con
     composer.assert_equal(signature_result_normalized.witness_index, input.result);
 }
 
+// Add dummy constraints for ECDSA because when the verifier creates the
+// constraint system, they usually use zeroes for witness values.
+//
+// This does not work for ECDSA as the signature, r, s and public key need
+// to be valid.
+void dummy_ecdsa_constraint(Composer& composer, EcdsaSecp256k1Constraint const& input)
+{
+
+    std::vector<uint32_t> pub_x_indices_;
+    std::vector<uint32_t> pub_y_indices_;
+    std::vector<uint32_t> signature_;
+    signature_.resize(64);
+
+    // Create a valid signature with a valid public key
+    crypto::ecdsa::key_pair<secp256k1_ct::fr, secp256k1_ct::g1> account;
+    account.private_key = 10;
+    account.public_key = secp256k1_ct::g1::one * account.private_key;
+    uint256_t pub_x_value = account.public_key.x;
+    uint256_t pub_y_value = account.public_key.y;
+    std::string message_string = "Instructions unclear, ask again later.";
+    crypto::ecdsa::signature signature =
+        crypto::ecdsa::construct_signature<Sha256Hasher, secp256k1_ct::fq, secp256k1_ct::fr, secp256k1_ct::g1>(
+            message_string, account);
+
+    // Create new variables which will reference the valid public key and signature.
+    // We don't use them in a gate, so when we call assert_equal, they will be
+    // replaced as if they never existed.
+    for (size_t i = 0; i < 32; ++i) {
+        uint32_t x_wit = composer.add_variable(pub_x_value.slice(248 - i * 8, 256 - i * 8));
+        uint32_t y_wit = composer.add_variable(pub_y_value.slice(248 - i * 8, 256 - i * 8));
+        uint32_t r_wit = composer.add_variable(signature.r[i]);
+        uint32_t s_wit = composer.add_variable(signature.s[i]);
+        pub_x_indices_.emplace_back(x_wit);
+        pub_y_indices_.emplace_back(y_wit);
+        signature_[i] = r_wit;
+        signature_[i + 32] = s_wit;
+    }
+
+    // Call assert_equal(from, to) to replace the value in `to` by the value in `from`
+    for (size_t i = 0; i < input.pub_x_indices.size(); ++i) {
+        composer.assert_equal(pub_x_indices_[i], input.pub_x_indices[i]);
+    }
+    for (size_t i = 0; i < input.pub_y_indices.size(); ++i) {
+        composer.assert_equal(pub_y_indices_[i], input.pub_y_indices[i]);
+    }
+    for (size_t i = 0; i < input.signature.size(); ++i) {
+        composer.assert_equal(signature_[i], input.signature[i]);
+    }
+}
+
 } // namespace acir_format
diff --git a/cpp/src/barretenberg/dsl/acir_format/ecdsa_secp256k1.hpp b/cpp/src/barretenberg/dsl/acir_format/ecdsa_secp256k1.hpp
@@ -26,7 +26,11 @@ struct EcdsaSecp256k1Constraint {
     friend bool operator==(EcdsaSecp256k1Constraint const& lhs, EcdsaSecp256k1Constraint const& rhs) = default;
 };
 
-void create_ecdsa_verify_constraints(Composer& composer, const EcdsaSecp256k1Constraint& input);
+void create_ecdsa_verify_constraints(Composer& composer,
+                                     const EcdsaSecp256k1Constraint& input,
+                                     bool has_valid_witness_assignments = true);
+
+void dummy_ecdsa_constraint(Composer& composer, EcdsaSecp256k1Constraint const& input);
 
 template <typename B> inline void read(B& buf, EcdsaSecp256k1Constraint& constraint)
 {

diff --git a/cpp/src/barretenberg/dsl/acir_format/ecdsa_secp256k1.test.cpp b/cpp/src/barretenberg/dsl/acir_format/ecdsa_secp256k1.test.cpp
@@ -110,6 +110,34 @@ TEST(ECDSASecp256k1, TestECDSAConstraintSucceed)
     EXPECT_EQ(verifier.verify_proof(proof), true);
 }
 
+// Test that the verifier can create an ECDSA circuit.
+// The ECDSA circuit requires that certain dummy data is valid
+// even though we are just building the circuit.
+TEST(ECDSASecp256k1, TestECDSACompilesForVerifier)
+{
+    acir_format::EcdsaSecp256k1Constraint ecdsa_constraint;
+    std::vector<fr> witness_values;
+    size_t num_variables = generate_ecdsa_constraint(ecdsa_constraint, witness_values);
+    acir_format::acir_format constraint_system{
+        .varnum = static_cast<uint32_t>(num_variables),
+        .public_inputs = {},
+        .fixed_base_scalar_mul_constraints = {},
+        .logic_constraints = {},
+        .range_constraints = {},
+        .schnorr_constraints = {},
+        .ecdsa_constraints = { ecdsa_constraint },
+        .sha256_constraints = {},
+        .blake2s_constraints = {},
+        .keccak_constraints = {},
+        .hash_to_field_constraints = {},
+        .pedersen_constraints = {},
+        .compute_merkle_root_constraints = {},
+        .constraints = {},
+    };
+    auto crs_factory = std::make_unique<proof_system::ReferenceStringFactory>();
+    auto composer = create_circuit(constraint_system, std::move(crs_factory));
+}
+
 TEST(ECDSASecp256k1, TestECDSAConstraintFail)
 {
     acir_format::EcdsaSecp256k1Constraint ecdsa_constraint;