@barryWhiteHat I have computed the number of constraints for eddsa verification here
and I found 7000 constraints + constraints for Pedersen hash function 1881 used twice
which makes total 10762 constraints. I was wondering if these numbers are correct?
def eddsa_check(R,B,S,A, M):
split_to_bits(R) # 252 constraints
split_to_bits(A) # 252 constraints
hash_RAM = H(R, A, M) #1881 constraints
IsValid(R) // is_oncurve and is_notloworder doubled three times so 5*3=15 + 5415 constraints for is_notloworder
lhs = ScalarMult(B, s) # 4.2 * 252 = 1058 constraints // lhs = B*s
M = H(m) # 1881 // M = H(m)
At = ScalarMult(A,hash_RAM) # 4.2 * 252 = 1058 constraints // A*hash_RAM
rhs = PointAdd(R, At) # 6 constraints // rhs = R + (A*hash_RAM)
lhs == rhs # 2 constraints
Going back to not_loworder, I found it cost 5415 constraints by following this algorithm
EdFieldElement x = //...
EdFieldElement y = //...
EdFieldElement a = curve.getA();
EdFieldElement d = curve.getD();
EdFieldElement lhs = 1.add(y.multiply(y).multiply(y.multiply(y).multiply(d)); // 6+5+5+13.252+4.2.252 constraints so 4350
EdFieldElement rhs = x.multiply(x).multiply(a); // 5+4.2*252=1063
boolean pointIsOnCurve = lhs.equals(rhs); // 2 constraints
Total 5415