You can simplify the circuit. Executing full ECDSA verification inside of the circuit is unnecessary. If you’re considering a world where the verifier of a transaction can parse ZK proofs, you may as well do away with that step, and instead implement simple key-generation inside of the circuit, which proves the same statement and doesn’t require as many secp256k1 operations. You need only a single EC point multiplication and a single SHA256 call.
One way to do this would be:
- Witness: (sk, m') (seckey, actual message)
- Public signal (h, m) (pubkey hash, expected message)
- Circuit computes pk = sk \cdot G
- Circuit computes h' = \text{SHA256}(pk)
- Circuit verifies m = m' and h = h'