starkshield 1.0.0

package/circomlib/circuits/poseidon_old.circom

@@ -0,0 +1,97 @@
+pragma circom 2.0.0;
+
+include "./poseidon_constants.circom";
+
+template Sigma() {
+    signal input in;
+    signal output out;
+
+    signal in2;
+    signal in4;
+
+    in2 <== in*in;
+    in4 <== in2*in2;
+
+    out <== in4*in;
+}
+
+template Ark(t, C, r) {
+    signal input in[t];
+    signal output out[t];
+
+    for (var i=0; i<t; i++) {
+        out[i] <== in[i] + C[i + r];
+    }
+}
+
+template Mix(t, M) {
+    signal input in[t];
+    signal output out[t];
+
+    var lc;
+    for (var i=0; i<t; i++) {
+        lc = 0;
+        for (var j=0; j<t; j++) {
+            lc += M[i][j]*in[j];
+        }
+        out[i] <== lc;
+    }
+}
+
+template Poseidon(nInputs) {
+    signal input inputs[nInputs];
+    signal output out;
+
+    // Using recommended parameters from whitepaper https://eprint.iacr.org/2019/458.pdf (table 2, table 8)
+    // Generated by https://extgit.iaik.tugraz.at/krypto/hadeshash/-/blob/master/code/calc_round_numbers.py
+    // And rounded up to nearest integer that divides by t
+    var N_ROUNDS_P[16] = [56, 57, 56, 60, 60, 63, 64, 63, 60, 66, 60, 65, 70, 60, 64, 68];
+    var t = nInputs + 1;
+    var nRoundsF = 8;
+    var nRoundsP = N_ROUNDS_P[t - 2];
+    var C[t*(nRoundsF + nRoundsP)] = POSEIDON_C(t);
+    var M[t][t] = POSEIDON_M(t);
+
+    component ark[nRoundsF + nRoundsP];
+    component sigmaF[nRoundsF][t];
+    component sigmaP[nRoundsP];
+    component mix[nRoundsF + nRoundsP];
+
+    var k;
+
+    for (var i=0; i<nRoundsF + nRoundsP; i++) {
+        ark[i] = Ark(t, C, t*i);
+        for (var j=0; j<t; j++) {
+            if (i==0) {
+                if (j>0) {
+                    ark[i].in[j] <== inputs[j-1];
+                } else {
+                    ark[i].in[j] <== 0;
+                }
+            } else {
+                ark[i].in[j] <== mix[i-1].out[j];
+            }
+        }
+
+        if (i < nRoundsF/2 || i >= nRoundsP + nRoundsF/2) {
+            k = i < nRoundsF/2 ? i : i - nRoundsP;
+            mix[i] = Mix(t, M);
+            for (var j=0; j<t; j++) {
+                sigmaF[k][j] = Sigma();
+                sigmaF[k][j].in <== ark[i].out[j];
+                mix[i].in[j] <== sigmaF[k][j].out;
+            }
+        } else {
+            k = i - nRoundsF/2;
+            mix[i] = Mix(t, M);
+            sigmaP[k] = Sigma();
+            sigmaP[k].in <== ark[i].out[0];
+            mix[i].in[0] <== sigmaP[k].out;
+            for (var j=1; j<t; j++) {
+                mix[i].in[j] <== ark[i].out[j];
+            }
+        }
+    }
+
+    out <== mix[nRoundsF + nRoundsP -1].out[0];
+}

package/circomlib/circuits/sha256/ch.circom

@@ -0,0 +1,47 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/* Ch
+
+000 0
+001 1
+010 0
+011 1
+100 0
+101 0
+110 1
+111 1
+
+out = a&b ^ (!a)&c =>
+
+out = a*(b-c) + c
+
+*/
+pragma circom 2.0.0;
+
+template Ch_t(n) {
+    signal input a[n];
+    signal input b[n];
+    signal input c[n];
+    signal output out[n];
+
+    for (var k=0; k<n; k++) {
+        out[k] <== a[k] * (b[k]-c[k]) + c[k];
+    }
+}

package/circomlib/circuits/sha256/constants.circom

@@ -0,0 +1,53 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+template H(x) {
+    signal output out[32];
+    var c[8] = [0x6a09e667,
+             0xbb67ae85,
+             0x3c6ef372,
+             0xa54ff53a,
+             0x510e527f,
+             0x9b05688c,
+             0x1f83d9ab,
+             0x5be0cd19];
+
+    for (var i=0; i<32; i++) {
+        out[i] <== (c[x] >> i) & 1;
+    }
+}
+
+template K(x) {
+    signal output out[32];
+    var c[64] = [
+        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+    ];
+
+    for (var i=0; i<32; i++) {
+        out[i] <== (c[x] >> i) & 1;
+    }
+}

package/circomlib/circuits/sha256/main.circom

@@ -0,0 +1,35 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "sha256_2.circom";
+
+template Main() {
+    signal input a;
+    signal input b;
+    signal output out;
+
+    component sha256_2 = Sha256_2();
+
+    sha256_2.a <== a;
+    sha256_2.b <== a;
+    out <== sha256_2.out;
+}
+
+component main = Main();

package/circomlib/circuits/sha256/maj.circom

@@ -0,0 +1,45 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/* Maj function for sha256
+
+out = a&b ^ a&c ^ b&c  =>
+
+out = a*b   +  a*c  +  b*c  -  2*a*b*c  =>
+
+out = a*( b + c - 2*b*c ) + b*c =>
+
+mid = b*c
+out = a*( b + c - 2*mid ) + mid
+
+*/
+pragma circom 2.0.0;
+
+template Maj_t(n) {
+    signal input a[n];
+    signal input b[n];
+    signal input c[n];
+    signal output out[n];
+    signal mid[n];
+
+    for (var k=0; k<n; k++) {
+        mid[k] <== b[k]*c[k];
+        out[k] <== a[k] * (b[k]+c[k]-2*mid[k]) + mid[k];
+    }
+}

package/circomlib/circuits/sha256/rotate.circom

@@ -0,0 +1,28 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+template RotR(n, r) {
+    signal input in[n];
+    signal output out[n];
+
+    for (var i=0; i<n; i++) {
+        out[i] <== in[ (i+r)%n ];
+    }
+}

package/circomlib/circuits/sha256/sha256.circom

@@ -0,0 +1,81 @@
+pragma circom 2.0.0;
+
+include "constants.circom";
+include "sha256compression.circom";
+
+template Sha256(nBits) {
+    signal input in[nBits];
+    signal output out[256];
+
+    var i;
+    var k;
+    var nBlocks;
+    var bitsLastBlock;
+
+
+    nBlocks = ((nBits + 64)\512)+1;
+
+    signal paddedIn[nBlocks*512];
+
+    for (k=0; k<nBits; k++) {
+        paddedIn[k] <== in[k];
+    }
+    paddedIn[nBits] <== 1;
+
+    for (k=nBits+1; k<nBlocks*512-64; k++) {
+        paddedIn[k] <== 0;
+    }
+
+    for (k = 0; k< 64; k++) {
+        paddedIn[nBlocks*512 - k -1] <== (nBits >> k)&1;
+    }
+
+    component ha0 = H(0);
+    component hb0 = H(1);
+    component hc0 = H(2);
+    component hd0 = H(3);
+    component he0 = H(4);
+    component hf0 = H(5);
+    component hg0 = H(6);
+    component hh0 = H(7);
+
+    component sha256compression[nBlocks];
+
+    for (i=0; i<nBlocks; i++) {
+
+        sha256compression[i] = Sha256compression() ;
+
+        if (i==0) {
+            for (k=0; k<32; k++ ) {
+                sha256compression[i].hin[0*32+k] <== ha0.out[k];
+                sha256compression[i].hin[1*32+k] <== hb0.out[k];
+                sha256compression[i].hin[2*32+k] <== hc0.out[k];
+                sha256compression[i].hin[3*32+k] <== hd0.out[k];
+                sha256compression[i].hin[4*32+k] <== he0.out[k];
+                sha256compression[i].hin[5*32+k] <== hf0.out[k];
+                sha256compression[i].hin[6*32+k] <== hg0.out[k];
+                sha256compression[i].hin[7*32+k] <== hh0.out[k];
+            }
+        } else {
+            for (k=0; k<32; k++ ) {
+                sha256compression[i].hin[32*0+k] <== sha256compression[i-1].out[32*0+31-k];
+                sha256compression[i].hin[32*1+k] <== sha256compression[i-1].out[32*1+31-k];
+                sha256compression[i].hin[32*2+k] <== sha256compression[i-1].out[32*2+31-k];
+                sha256compression[i].hin[32*3+k] <== sha256compression[i-1].out[32*3+31-k];
+                sha256compression[i].hin[32*4+k] <== sha256compression[i-1].out[32*4+31-k];
+                sha256compression[i].hin[32*5+k] <== sha256compression[i-1].out[32*5+31-k];
+                sha256compression[i].hin[32*6+k] <== sha256compression[i-1].out[32*6+31-k];
+                sha256compression[i].hin[32*7+k] <== sha256compression[i-1].out[32*7+31-k];
+            }
+        }
+
+        for (k=0; k<512; k++) {
+            sha256compression[i].inp[k] <== paddedIn[i*512+k];
+        }
+    }
+
+    for (k=0; k<256; k++) {
+        out[k] <== sha256compression[nBlocks-1].out[k];
+    }
+
+}

package/circomlib/circuits/sha256/sha256_2.circom

@@ -0,0 +1,91 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "constants.circom";
+include "sha256compression.circom";
+include "../bitify.circom";
+
+template Sha256_2() {
+    signal input a;
+    signal input b;
+    signal output out;
+
+    var i;
+    var k;
+
+    component bits2num = Bits2Num(216);
+    component num2bits[2];
+
+    num2bits[0] = Num2Bits(216);
+    num2bits[1] = Num2Bits(216);
+
+    num2bits[0].in <== a;
+    num2bits[1].in <== b;
+
+
+    component sha256compression = Sha256compression() ;
+
+    component ha0 = H(0);
+    component hb0 = H(1);
+    component hc0 = H(2);
+    component hd0 = H(3);
+    component he0 = H(4);
+    component hf0 = H(5);
+    component hg0 = H(6);
+    component hh0 = H(7);
+
+    for (k=0; k<32; k++ ) {
+        sha256compression.hin[0*32+k] <== ha0.out[k];
+        sha256compression.hin[1*32+k] <== hb0.out[k];
+        sha256compression.hin[2*32+k] <== hc0.out[k];
+        sha256compression.hin[3*32+k] <== hd0.out[k];
+        sha256compression.hin[4*32+k] <== he0.out[k];
+        sha256compression.hin[5*32+k] <== hf0.out[k];
+        sha256compression.hin[6*32+k] <== hg0.out[k];
+        sha256compression.hin[7*32+k] <== hh0.out[k];
+    }
+
+    for (i=0; i<216; i++) {
+        sha256compression.inp[i] <== num2bits[0].out[215-i];
+        sha256compression.inp[i+216] <== num2bits[1].out[215-i];
+    }
+
+    sha256compression.inp[432] <== 1;
+
+    for (i=433; i<503; i++) {
+        sha256compression.inp[i] <== 0;
+    }
+
+    sha256compression.inp[503] <== 1;
+    sha256compression.inp[504] <== 1;
+    sha256compression.inp[505] <== 0;
+    sha256compression.inp[506] <== 1;
+    sha256compression.inp[507] <== 1;
+    sha256compression.inp[508] <== 0;
+    sha256compression.inp[509] <== 0;
+    sha256compression.inp[510] <== 0;
+    sha256compression.inp[511] <== 0;
+
+    for (i=0; i<216; i++) {
+        bits2num.in[i] <== sha256compression.out[255-i];
+    }
+
+    out <== bits2num.out;
+}

package/circomlib/circuits/sha256/sha256compression.circom

@@ -0,0 +1,166 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "constants.circom";
+include "t1.circom";
+include "t2.circom";
+include "../binsum.circom";
+include "sigmaplus.circom";
+include "sha256compression_function.circom";
+
+
+template Sha256compression() {
+    signal input hin[256];
+    signal input inp[512];
+    signal output out[256];
+    signal a[65][32];
+    signal b[65][32];
+    signal c[65][32];
+    signal d[65][32];
+    signal e[65][32];
+    signal f[65][32];
+    signal g[65][32];
+    signal h[65][32];
+    signal w[64][32];
+
+
+    var outCalc[256] = sha256compression(hin, inp);
+
+    var i;
+    for (i=0; i<256; i++) out[i] <-- outCalc[i];
+
+    component sigmaPlus[48];
+    for (i=0; i<48; i++) sigmaPlus[i] = SigmaPlus();
+
+    component ct_k[64];
+    for (i=0; i<64; i++) ct_k[i] = K(i);
+
+    component t1[64];
+    for (i=0; i<64; i++) t1[i] = T1();
+
+    component t2[64];
+    for (i=0; i<64; i++) t2[i] = T2();
+
+    component suma[64];
+    for (i=0; i<64; i++) suma[i] = BinSum(32, 2);
+
+    component sume[64];
+    for (i=0; i<64; i++) sume[i] = BinSum(32, 2);
+
+    component fsum[8];
+    for (i=0; i<8; i++) fsum[i] = BinSum(32, 2);
+
+    var k;
+    var t;
+
+    for (t=0; t<64; t++) {
+        if (t<16) {
+            for (k=0; k<32; k++) {
+                w[t][k] <== inp[t*32+31-k];
+            }
+        } else {
+            for (k=0; k<32; k++) {
+                sigmaPlus[t-16].in2[k] <== w[t-2][k];
+                sigmaPlus[t-16].in7[k] <== w[t-7][k];
+                sigmaPlus[t-16].in15[k] <== w[t-15][k];
+                sigmaPlus[t-16].in16[k] <== w[t-16][k];
+            }
+
+            for (k=0; k<32; k++) {
+                w[t][k] <== sigmaPlus[t-16].out[k];
+            }
+        }
+    }
+
+    for (k=0; k<32; k++ ) {
+        a[0][k] <== hin[k];
+        b[0][k] <== hin[32*1 + k];
+        c[0][k] <== hin[32*2 + k];
+        d[0][k] <== hin[32*3 + k];
+        e[0][k] <== hin[32*4 + k];
+        f[0][k] <== hin[32*5 + k];
+        g[0][k] <== hin[32*6 + k];
+        h[0][k] <== hin[32*7 + k];
+    }
+
+    for (t = 0; t<64; t++) {
+        for (k=0; k<32; k++) {
+            t1[t].h[k] <== h[t][k];
+            t1[t].e[k] <== e[t][k];
+            t1[t].f[k] <== f[t][k];
+            t1[t].g[k] <== g[t][k];
+            t1[t].k[k] <== ct_k[t].out[k];
+            t1[t].w[k] <== w[t][k];
+
+            t2[t].a[k] <== a[t][k];
+            t2[t].b[k] <== b[t][k];
+            t2[t].c[k] <== c[t][k];
+        }
+
+        for (k=0; k<32; k++) {
+            sume[t].in[0][k] <== d[t][k];
+            sume[t].in[1][k] <== t1[t].out[k];
+
+            suma[t].in[0][k] <== t1[t].out[k];
+            suma[t].in[1][k] <== t2[t].out[k];
+        }
+
+        for (k=0; k<32; k++) {
+            h[t+1][k] <== g[t][k];
+            g[t+1][k] <== f[t][k];
+            f[t+1][k] <== e[t][k];
+            e[t+1][k] <== sume[t].out[k];
+            d[t+1][k] <== c[t][k];
+            c[t+1][k] <== b[t][k];
+            b[t+1][k] <== a[t][k];
+            a[t+1][k] <== suma[t].out[k];
+        }
+    }
+
+    for (k=0; k<32; k++) {
+        fsum[0].in[0][k] <==  hin[32*0+k];
+        fsum[0].in[1][k] <==  a[64][k];
+        fsum[1].in[0][k] <==  hin[32*1+k];
+        fsum[1].in[1][k] <==  b[64][k];
+        fsum[2].in[0][k] <==  hin[32*2+k];
+        fsum[2].in[1][k] <==  c[64][k];
+        fsum[3].in[0][k] <==  hin[32*3+k];
+        fsum[3].in[1][k] <==  d[64][k];
+        fsum[4].in[0][k] <==  hin[32*4+k];
+        fsum[4].in[1][k] <==  e[64][k];
+        fsum[5].in[0][k] <==  hin[32*5+k];
+        fsum[5].in[1][k] <==  f[64][k];
+        fsum[6].in[0][k] <==  hin[32*6+k];
+        fsum[6].in[1][k] <==  g[64][k];
+        fsum[7].in[0][k] <==  hin[32*7+k];
+        fsum[7].in[1][k] <==  h[64][k];
+    }
+
+    for (k=0; k<32; k++) {
+        out[31-k]     === fsum[0].out[k];
+        out[32+31-k]  === fsum[1].out[k];
+        out[64+31-k]  === fsum[2].out[k];
+        out[96+31-k]  === fsum[3].out[k];
+        out[128+31-k] === fsum[4].out[k];
+        out[160+31-k] === fsum[5].out[k];
+        out[192+31-k] === fsum[6].out[k];
+        out[224+31-k] === fsum[7].out[k];
+    }
+}