update comments

circuits/circuits/utils/circomlib/signature/rsapss/mgf1.circom

@@ -2,6 +2,24 @@ pragma circom 2.1.6;
 
 include "circomlib/circuits/bitify.circom";
 
+/*
+ * MGF1 (Mask Generation Function) Implementation
+ * ============================================
+ * MGF1 is used in RSA-PSS to generate a mask of specified length from a seed value.
+ * It uses an underlying hash function (SHA-512/384/256) to generate the mask.
+ *
+ * The function works by:
+ * 1. Concatenating the seed with a 4-byte counter
+ * 2. Hashing the concatenated value
+ * 3. Incrementing counter and repeating until enough output bits are generated
+ */
+
+/// @title MGF1 with SHA-512
+/// @notice Implements MGF1 using SHA-512 as the underlying hash function
+/// @param seedLen Length of the input seed in bytes
+/// @param maskLen Desired length of the output mask in bytes
+/// @input seed Input seed value as array of bits
+/// @output out Generated mask as array of bits
 template Mgf1Sha512(seedLen, maskLen) { //in bytes
     var seedLenBits = seedLen * 8;
     var maskLenBits = maskLen * 8;
@@ -11,8 +29,13 @@ template Mgf1Sha512(seedLen, maskLen) { //in bytes
     signal input seed[seedLenBits]; //each represents a bit
     signal output out[maskLenBits];
 
+    // Verify mask length doesn't exceed maximum allowed
     assert(maskLen <= 0xffffffff * hashLen );
+
+    // Calculate number of iterations needed
     var iterations = (maskLen \ hashLen) + 1; //adding 1, in-case maskLen \ hashLen is 0
+
+    // Initialize components for SHA-512 hashing and counter conversion
     component sha512[iterations];
     component num2Bits[iterations];
 

circuits/circuits/utils/circomlib/signature/rsapss/rsapss3.circom

@@ -17,6 +17,54 @@ include "../FpPowMod.circom";
 * For now, only HASH_TYPE == 384 && SALT_LEN == 48, HASH_TYPE == 256 && SALT_LEN == 64, HASH_TYPE == 256 && SALT_LEN == 32 cases supported.
 * Use this for CHUNK_NUMBER == 2**n, otherwise error will occur.
 */
+
+/*
+* RSA-PSS (Probabilistic Signature Scheme) Signature Verification
+* ============================================================
+*
+* This template implements RSA-PSS signature verification according to PKCS#1 v2.2 (RFC 8017).
+* It verifies that a signature is valid for a given message and public key.
+*
+* Process Overview:
+* 1. Computes s^e mod n where s is the signature, e is public exponent (3), n is modulus
+* 2. Validates the encoded message format
+* 3. Extracts the salt and hash from the encoded message
+* 4. Verifies the signature using MGF1 mask generation and hash comparison
+*
+* Parameters:
+* - CHUNK_SIZE: Size of each chunk in bits (recommended: 120)
+* - CHUNK_NUMBER: Number of chunks in modulus (must be 2^n)
+* - SALT_LEN: Salt length in bytes
+* - HASH_TYPE: Hash function output size in bits (256/384/512)
+* - KEY_LENGTH: RSA key length in bits
+*
+* Supported Configurations:
+* - SHA-512 with 64-byte salt
+* - SHA-384 with 48-byte salt
+* - SHA-256 with 64-byte salt
+* - SHA-256 with 32-byte salt
+*
+* Inputs:
+* - pubkey[CHUNK_NUMBER]: Public key modulus split into chunks
+* - signature[CHUNK_NUMBER]: RSA signature split into chunks
+* - hashed[HASH_TYPE]: Hash of the original message
+*
+* Important Notes:
+* - CHUNK_NUMBER must be a power of 2 (2^n)
+* - Salt length is specified in bytes (not bits)
+*/
+
+/// @title RSA-PSS Signature Verification Circuit
+/// @notice Verifies RSA-PSS signatures according to PKCS#1 v2.1
+/// @dev Implements core RSA-PSS verification logic including MGF1 mask generation
+/// @param CHUNK_SIZE Size of each chunk in bits (recommended: 120)
+/// @param CHUNK_NUMBER Number of chunks in modulus (must be 2^n)
+/// @param SALT_LEN Salt length in bytes
+/// @param HASH_TYPE Hash function output size in bits (256/384/512)
+/// @param KEY_LENGTH RSA key length in bits
+/// @input pubkey The public key modulus split into chunks
+/// @input signature The RSA signature split into chunks
+/// @input hashed The hash of the original message
 template VerifyRsaPss3Sig(CHUNK_SIZE, CHUNK_NUMBER, SALT_LEN, HASH_TYPE, KEY_LENGTH) {
     assert((HASH_TYPE == 512 && SALT_LEN == 64) || (HASH_TYPE == 384 && SALT_LEN == 48) || (HASH_TYPE == 256 && SALT_LEN == 64) || (HASH_TYPE == 256 && SALT_LEN == 32));