@dorafactory/maci-sdk 0.0.35 → 0.0.37

package/src/libs/crypto/babyjub.ts

@@ -0,0 +1,132 @@
+import assert from "assert";
+import { randomBytes } from "crypto";
+
+import type { PrivKey } from "./types";
+
+import { SNARK_FIELD_SIZE } from "./constants";
+
+/**
+ * @notice A class representing a point on the first group (G1)
+ * of the Jubjub curve
+ */
+export class G1Point {
+  x: bigint;
+
+  y: bigint;
+
+  /**
+   * Create a new instance of G1Point
+   * @param x the x coordinate
+   * @param y the y coordinate
+   */
+  constructor(x: bigint, y: bigint) {
+    assert(x < SNARK_FIELD_SIZE && x >= 0, "G1Point x out of range");
+    assert(y < SNARK_FIELD_SIZE && y >= 0, "G1Point y out of range");
+    this.x = x;
+    this.y = y;
+  }
+
+  /**
+   * Check whether two points are equal
+   * @param pt the point to compare with
+   * @returns whether they are equal or not
+   */
+  equals(pt: G1Point): boolean {
+    return this.x === pt.x && this.y === pt.y;
+  }
+
+  /**
+   * Return the point as a contract param in the form of an object
+   * @returns the point as a contract param
+   */
+  asContractParam(): { x: string; y: string } {
+    return {
+      x: this.x.toString(),
+      y: this.y.toString(),
+    };
+  }
+}
+
+/**
+ * @notice A class representing a point on the second group (G2)
+ * of the Jubjub curve. This is usually an extension field of the
+ * base field of the curve.
+ */
+export class G2Point {
+  x: bigint[];
+
+  y: bigint[];
+
+  /**
+   * Create a new instance of G2Point
+   * @param x the x coordinate
+   * @param y the y coordinate
+   */
+  constructor(x: bigint[], y: bigint[]) {
+    this.checkPointsRange(x, "x");
+    this.checkPointsRange(y, "y");
+
+    this.x = x;
+    this.y = y;
+  }
+
+  /**
+   * Check whether two points are equal
+   * @param pt the point to compare with
+   * @returns whether they are equal or not
+   */
+  equals(pt: G2Point): boolean {
+    return this.x[0] === pt.x[0] && this.x[1] === pt.x[1] && this.y[0] === pt.y[0] && this.y[1] === pt.y[1];
+  }
+
+  /**
+   * Return the point as a contract param in the form of an object
+   * @returns the point as a contract param
+   */
+  asContractParam(): { x: string[]; y: string[] } {
+    return {
+      x: this.x.map((n) => n.toString()),
+      y: this.y.map((n) => n.toString()),
+    };
+  }
+
+  /**
+   * Check whether the points are in range
+   * @param x the x coordinate
+   * @param type the type of the coordinate
+   */
+  private checkPointsRange(x: bigint[], type: "x" | "y") {
+    assert(
+      x.every((n) => n < SNARK_FIELD_SIZE && n >= 0),
+      `G2Point ${type} out of range`,
+    );
+  }
+}
+
+/**
+ * Returns a BabyJub-compatible random value. We create it by first generating
+ * a random value (initially 256 bits large) modulo the snark field size as
+ * described in EIP197. This results in a key size of roughly 253 bits and no
+ * more than 254 bits. To prevent modulo bias, we then use this efficient
+ * algorithm:
+ * http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libc/crypt/arc4random_uniform.c
+ * @returns A BabyJub-compatible random value.
+ */
+export const genRandomBabyJubValue = (): bigint => {
+  // Prevent modulo bias
+  // const lim = BigInt('0x10000000000000000000000000000000000000000000000000000000000000000')
+  // const min = (lim - SNARK_FIELD_SIZE) % SNARK_FIELD_SIZE
+  const min = BigInt("6350874878119819312338956282401532410528162663560392320966563075034087161851");
+
+  let privKey: PrivKey = SNARK_FIELD_SIZE;
+
+  do {
+    const rand = BigInt(`0x${randomBytes(32).toString("hex")}`);
+
+    if (rand >= min) {
+      privKey = rand % SNARK_FIELD_SIZE;
+    }
+  } while (privKey >= SNARK_FIELD_SIZE);
+
+  return privKey;
+};

package/src/libs/crypto/bigintUtils.ts

@@ -0,0 +1,31 @@
+type MixedData<T> = T | Array<MixedData<T>> | { [key: string]: MixedData<T> };
+
+export const stringizing = (
+  o: MixedData<bigint>,
+  path: MixedData<bigint>[] = []
+): MixedData<string> => {
+  if (path.includes(o)) {
+    throw new Error('loop nesting!');
+  }
+  const newPath = [...path, o];
+
+  if (Array.isArray(o)) {
+    return o.map((item) => stringizing(item, newPath));
+  } else if (typeof o === 'object') {
+    const output: { [key: string]: MixedData<string> } = {};
+    for (const key in o) {
+      output[key] = stringizing(o[key], newPath);
+    }
+    return output;
+  } else {
+    return o.toString();
+  }
+};
+
+export const bigInt2Buffer = (i: bigint) => {
+  let hex = i.toString(16);
+  if (hex.length % 2 === 1) {
+    hex = '0' + hex;
+  }
+  return Buffer.from(hex, 'hex');
+};

package/src/libs/crypto/constants.ts

@@ -0,0 +1,22 @@
+import { r } from '@zk-kit/baby-jubjub';
+import { keccak256, toUtf8Bytes } from 'ethers';
+
+import assert from 'assert';
+
+export const SNARK_FIELD_SIZE = r;
+
+// A nothing-up-my-sleeve zero value
+// Should be equal to 8370432830353022751713833565135785980866757267633941821328460903436894336785
+export const NOTHING_UP_MY_SLEEVE =
+  BigInt(keccak256(toUtf8Bytes('Maci'))) % SNARK_FIELD_SIZE;
+
+assert(
+  NOTHING_UP_MY_SLEEVE ===
+    BigInt(
+      '8370432830353022751713833565135785980866757267633941821328460903436894336785'
+    )
+);
+
+export const PAD_KEY_HASH = BigInt(
+  '1309255631273308531193241901289907343161346846555918942743921933037802809814'
+);

package/src/libs/crypto/hashing.ts

@@ -0,0 +1,167 @@
+import { poseidonPerm } from '@zk-kit/poseidon-cipher';
+import { solidityPackedSha256 } from 'ethers';
+
+import assert from 'assert';
+
+import type { Plaintext, PoseidonFuncs } from './types';
+
+import { SNARK_FIELD_SIZE } from './constants';
+
+/**
+ * Hash an array of uint256 values the same way that the EVM does.
+ * @param input - the array of values to hash
+ * @returns a EVM compatible sha256 hash
+ */
+export const sha256Hash = (input: bigint[]): bigint => {
+  const types: string[] = [];
+
+  input.forEach(() => {
+    types.push('uint256');
+  });
+
+  return (
+    BigInt(
+      solidityPackedSha256(
+        types,
+        input.map((x) => x.toString())
+      )
+    ) % SNARK_FIELD_SIZE
+  );
+};
+
+/**
+ * Generate the poseidon hash of the inputs provided
+ * @param inputs The inputs to hash
+ * @returns the hash of the inputs
+ */
+export const poseidon = (inputs: bigint[]): bigint =>
+  poseidonPerm([BigInt(0), ...inputs.map((x) => BigInt(x))])[0];
+
+/**
+ * Hash up to 2 elements
+ * @param inputs The elements to hash
+ * @returns the hash of the elements
+ */
+export const poseidonT3 = (inputs: bigint[]): bigint => {
+  assert(inputs.length === 2);
+  return poseidon(inputs);
+};
+
+/**
+ * Hash up to 3 elements
+ * @param inputs The elements to hash
+ * @returns the hash of the elements
+ */
+export const poseidonT4 = (inputs: bigint[]): bigint => {
+  assert(inputs.length === 3);
+  return poseidon(inputs);
+};
+
+/**
+ * Hash up to 4 elements
+ * @param inputs The elements to hash
+ * @returns the hash of the elements
+ */
+export const poseidonT5 = (inputs: bigint[]): bigint => {
+  assert(inputs.length === 4);
+  return poseidon(inputs);
+};
+
+/**
+ * Hash up to 5 elements
+ * @param inputs The elements to hash
+ * @returns the hash of the elements
+ */
+export const poseidonT6 = (inputs: bigint[]): bigint => {
+  assert(inputs.length === 5);
+  return poseidon(inputs);
+};
+
+/**
+ * Hash two BigInts with the Poseidon hash function
+ * @param left The left-hand element to hash
+ * @param right The right-hand element to hash
+ * @returns The hash of the two elements
+ */
+export const hashLeftRight = (left: bigint, right: bigint): bigint =>
+  poseidonT3([left, right]);
+
+// hash functions
+const funcs: PoseidonFuncs = {
+  2: poseidonT3,
+  3: poseidonT4,
+  4: poseidonT5,
+  5: poseidonT6,
+};
+
+/**
+ * Hash up to N elements
+ * @param numElements The number of elements to hash
+ * @param elements The elements to hash
+ * @returns The hash of the elements
+ */
+export const hashN = (numElements: number, elements: Plaintext): bigint => {
+  const elementLength = elements.length;
+
+  if (elements.length > numElements) {
+    throw new TypeError(
+      `the length of the elements array should be at most ${numElements}; got ${elements.length}`
+    );
+  }
+  const elementsPadded = elements.slice();
+
+  if (elementLength < numElements) {
+    for (let i = elementLength; i < numElements; i += 1) {
+      elementsPadded.push(BigInt(0));
+    }
+  }
+
+  return funcs[numElements](elementsPadded);
+};
+
+// hash functions
+export const hashLeanIMT = (a: bigint, b: bigint): bigint => hashN(2, [a, b]);
+export const hash2 = (elements: Plaintext): bigint => hashN(2, elements);
+export const hash3 = (elements: Plaintext): bigint => hashN(3, elements);
+export const hash4 = (elements: Plaintext): bigint => hashN(4, elements);
+export const hash5 = (elements: Plaintext): bigint => hashN(5, elements);
+
+/**
+ * A convenience function to use Poseidon to hash a Plaintext with
+ * no more than 13 elements
+ * @param elements The elements to hash
+ * @returns The hash of the elements
+ */
+export const hash12 = (elements: Plaintext): bigint => {
+  const max = 12;
+  const elementLength = elements.length;
+
+  if (elementLength > max) {
+    throw new TypeError(
+      `the length of the elements array should be at most ${max}; got ${elements.length}`
+    );
+  }
+
+  const elementsPadded = elements.slice();
+
+  if (elementLength < max) {
+    for (let i = elementLength; i < max; i += 1) {
+      elementsPadded.push(BigInt(0));
+    }
+  }
+
+  return poseidonT5([
+    poseidonT6(elementsPadded.slice(0, 5)),
+    poseidonT6(elementsPadded.slice(5, 10)),
+    elementsPadded[10],
+    elementsPadded[11],
+  ]);
+};
+
+/**
+ * Hash a single BigInt with the Poseidon hash function
+ * @param preImage The element to hash
+ * @returns The hash of the element
+ */
+export const hashOne = (preImage: bigint): bigint =>
+  poseidonT3([preImage, BigInt(0)]);

package/src/libs/crypto/index.ts

@@ -0,0 +1,9 @@
+export * from './keys';
+export * from './bigintUtils';
+export * from './constants';
+export * from './hashing';
+export * from './sign';
+export * from './types';
+export * from './tree';
+export * from './babyjub';
+export type { Keypair, PubKey, PrivKey } from './types';

package/src/libs/{circom/circomlib.ts → crypto/keys.ts}

@@ -1,126 +1,113 @@
 import { randomBytes } from 'crypto';
+import { bigInt2Buffer, stringizing } from './bigintUtils';
+import { poseidonEncrypt } from '@zk-kit/poseidon-cipher';
+import * as BabyJub from '@zk-kit/baby-jubjub';
+import { Point } from '@zk-kit/baby-jubjub';
 import {
-  babyJub,
-  eddsa,
-  poseidon,
-  poseidonEncrypt,
-  Tree,
-} from '@dorafactory/circomlib';
-import { Scalar, utils } from 'ffjavascript';
-import createBlakeHash from 'blake-hash';
-import { solidityPackedSha256 } from 'ethers';
+  derivePublicKey,
+  signMessage,
+  deriveSecretScalar,
+} from '@zk-kit/eddsa-poseidon';
 
-type MixedData<T> = T | Array<MixedData<T>> | { [key: string]: MixedData<T> };
+import { solidityPackedSha256 } from 'ethers';
 
-export type PrivateKey = bigint;
-export type PublicKey = [bigint, bigint];
+import { mulPointEscalar } from '@zk-kit/baby-jubjub';
+import { packPublicKey, unpackPublicKey } from '@zk-kit/eddsa-poseidon';
 
-export interface Account {
-  privKey: PrivateKey;
-  pubKey: PublicKey;
-  formatedPrivKey: PrivateKey;
-}
+import { genRandomBabyJubValue } from './babyjub';
+import { EcdhSharedKey, Keypair, PrivKey, PubKey } from './types';
+import { poseidon } from './hashing';
+import Tree from './tree';
 
 const SNARK_FIELD_SIZE =
   21888242871839275222246405745257275088548364400416034343698204186575808495617n;
 
-const bigInt2Buffer = (i: bigint) => {
-  let hex = i.toString(16);
-  if (hex.length % 2 === 1) {
-    hex = '0' + hex;
-  }
-  return Buffer.from(hex, 'hex');
-};
-
-const genRandomKey = () => {
-  // Prevent modulo bias
-  // const lim = BigInt('0x10000000000000000000000000000000000000000000000000000000000000000')
-  // const min = (lim - SNARK_FIELD_SIZE) % SNARK_FIELD_SIZE
-  const min =
-    6350874878119819312338956282401532410528162663560392320966563075034087161851n;
-
-  let rand;
-  while (true) {
-    rand = BigInt('0x' + randomBytes(32).toString('hex'));
-
-    if (rand >= min) {
-      break;
-    }
-  }
-
-  const privKey = rand % SNARK_FIELD_SIZE;
-  return privKey;
+/**
+ * Generate a private key
+ * @returns A random seed for a private key.
+ */
+export const genPrivKey = (): bigint =>
+  BigInt(`0x${randomBytes(32).toString('hex')}`);
+
+/**
+ * Generate a random value
+ * @returns A BabyJub-compatible salt.
+ */
+export const genRandomSalt = (): bigint => genRandomBabyJubValue();
+
+/**
+ * An internal function which formats a random private key to be compatible
+ * with the BabyJub curve. This is the format which should be passed into the
+ * PubKey and other circuits.
+ * @param privKey A private key generated using genPrivKey()
+ * @returns A BabyJub-compatible private key.
+ */
+export const formatPrivKeyForBabyJub = (privKey: PrivKey): bigint =>
+  BigInt(deriveSecretScalar(bigInt2Buffer(privKey)));
+
+/**
+ * Losslessly reduces the size of the representation of a public key
+ * @param pubKey The public key to pack
+ * @returns A packed public key
+ */
+export const packPubKey = (pubKey: PubKey): bigint =>
+  BigInt(packPublicKey(pubKey));
+
+/**
+ * Restores the original PubKey from its packed representation
+ * @param packed The value to unpack
+ * @returns The unpacked public key
+ */
+export const unpackPubKey = (packed: bigint): PubKey => {
+  const pubKey = unpackPublicKey(packed);
+  return pubKey.map((x) => BigInt(x)) as PubKey;
 };
 
-const genPubKey = (privKey: bigint) => {
-  return eddsa.prv2pub(bigInt2Buffer(privKey));
+/**
+ * @param privKey A private key generated using genPrivKey()
+ * @returns A public key associated with the private key
+ */
+export const genPubKey = (privKey: PrivKey): PubKey => {
+  const key = derivePublicKey(bigInt2Buffer(privKey));
+  return [BigInt(key[0]), BigInt(key[1])];
 };
 
-export const stringizing = (
-  o: MixedData<bigint>,
-  path: MixedData<bigint>[] = []
-): MixedData<string> => {
-  if (path.includes(o)) {
-    throw new Error('loop nesting!');
-  }
-  const newPath = [...path, o];
-
-  if (Array.isArray(o)) {
-    return o.map((item) => stringizing(item, newPath));
-  } else if (typeof o === 'object') {
-    const output: { [key: string]: MixedData<string> } = {};
-    for (const key in o) {
-      output[key] = stringizing(o[key], newPath);
-    }
-    return output;
-  } else {
-    return o.toString();
-  }
-};
-
-export const genKeypair = (pkey?: PrivateKey): Account => {
-  const privKey = pkey ? pkey % SNARK_FIELD_SIZE : genRandomKey();
+/**
+ * Generates a keypair.
+ * @returns a keypair
+ */
+export const genKeypair = (pkey?: PrivKey): Keypair => {
+  const privKey = pkey ? pkey % SNARK_FIELD_SIZE : genPrivKey();
   const pubKey = genPubKey(privKey);
   const formatedPrivKey = formatPrivKeyForBabyJub(privKey);
 
-  return { privKey, pubKey, formatedPrivKey };
-};
+  const keypair: Keypair = { privKey, pubKey, formatedPrivKey };
 
-const formatPrivKeyForBabyJub = (privKey: PrivateKey) => {
-  const sBuff = eddsa.pruneBuffer(
-    createBlakeHash('blake512')
-      .update(bigInt2Buffer(privKey))
-      .digest()
-      .slice(0, 32)
-  );
-  const s = utils.leBuff2int(sBuff);
-  return Scalar.shr(s, 3);
+  return keypair;
 };
 
+/**
+ * Generates an Elliptic-Curve Diffie–Hellman (ECDH) shared key given a private
+ * key and a public key.
+ * @param privKey A private key generated using genPrivKey()
+ * @param pubKey A public key generated using genPubKey()
+ * @returns The ECDH shared key.
+ */
 export const genEcdhSharedKey = (
-  privKey: PrivateKey,
-  pubKey: PublicKey
-): PublicKey => {
-  const sharedKey = babyJub.mulPointEscalar(
-    pubKey,
-    formatPrivKeyForBabyJub(privKey)
-  );
-  if (sharedKey[0] === 0n) {
-    return [0n, 1n];
-  } else {
-    return sharedKey;
-  }
-};
+  privKey: PrivKey,
+  pubKey: PubKey
+): EcdhSharedKey =>
+  mulPointEscalar(pubKey as Point<bigint>, formatPrivKeyForBabyJub(privKey));
 
 export const genMessageFactory =
   (
     stateIdx: number,
-    signPriKey: PrivateKey,
-    signPubKey: PublicKey,
-    coordPubKey: PublicKey
+    signPriKey: PrivKey,
+    signPubKey: PubKey,
+    coordPubKey: PubKey
   ) =>
   (
-    encPriKey: PrivateKey,
+    encPriKey: PrivKey,
     nonce: number,
     voIdx: number,
     newVotes: number,
@@ -145,7 +132,7 @@ export const genMessageFactory =
     }
 
     const hash = poseidon([packaged, ...newPubKey]);
-    const signature = eddsa.signPoseidon(bigInt2Buffer(signPriKey), hash);
+    const signature = signMessage(bigInt2Buffer(signPriKey), hash);
 
     const command = [packaged, ...newPubKey, ...signature.R8, signature.S];
 
@@ -167,14 +154,14 @@ export const genMessageFactory =
 // and change the public key at command_N
 export const batchGenMessage = (
   stateIdx: number,
-  account: Account,
-  coordPubKey: PublicKey,
+  keypair: Keypair,
+  coordPubKey: PubKey,
   plan: [number, number][]
 ) => {
   const genMessage = genMessageFactory(
     stateIdx,
-    account.privKey,
-    account.pubKey,
+    BigInt(keypair.privKey),
+    keypair.pubKey,
     coordPubKey
   );
 
@@ -183,7 +170,7 @@ export const batchGenMessage = (
     const p = plan[i];
     const encAccount = genKeypair();
     const msg = genMessage(
-      encAccount.privKey,
+      BigInt(encAccount.privKey),
       i + 1,
       p[0],
       p[1],
@@ -218,16 +205,16 @@ export const privateKeyFromTxt = (txt: string) => {
 const rerandomize = (
   pubKey: bigint[],
   ciphertext: { c1: bigint[]; c2: bigint[] },
-  randomVal = genRandomKey()
+  randomVal = genRandomSalt()
 ) => {
-  const d1 = babyJub.addPoint(
-    babyJub.mulPointEscalar(babyJub.Base8, randomVal),
-    ciphertext.c1
+  const d1 = BabyJub.addPoint(
+    BabyJub.mulPointEscalar(BabyJub.Base8, randomVal),
+    ciphertext.c1 as Point<bigint>
   );
 
-  const d2 = babyJub.addPoint(
-    babyJub.mulPointEscalar(pubKey, randomVal),
-    ciphertext.c2
+  const d2 = BabyJub.addPoint(
+    BabyJub.mulPointEscalar(pubKey as Point<bigint>, randomVal),
+    ciphertext.c2 as Point<bigint>
   );
 
   return {
@@ -243,14 +230,14 @@ export const genAddKeyProof = async (
     oldKey,
     deactivates,
   }: {
-    coordPubKey: PublicKey;
-    oldKey: Account;
+    coordPubKey: PubKey;
+    oldKey: Keypair;
     deactivates: bigint[][];
   }
 ) => {
   const sharedKeyHash = poseidon(genEcdhSharedKey(oldKey.privKey, coordPubKey));
 
-  const randomVal = genRandomKey();
+  const randomVal = genRandomSalt();
   const deactivateIdx = deactivates.findIndex((d) => d[4] === sharedKeyHash);
   if (deactivateIdx < 0) {
     return null;
@@ -263,7 +250,10 @@ export const genAddKeyProof = async (
 
   const { d1, d2 } = rerandomize(coordPubKey, { c1, c2 }, randomVal);
 
-  const nullifier = poseidon([oldKey.formatedPrivKey, 1444992409218394441042n]);
+  const nullifier = poseidon([
+    BigInt(oldKey.formatedPrivKey),
+    1444992409218394441042n,
+  ]);
 
   const tree = new Tree(5, depth, 0n);
   const leaves = deactivates.map((d) => poseidon(d));