starkshield 1.0.0

package/circomlib/circuits/sha256/sha256compression_function.circom

@@ -0,0 +1,112 @@
+//    signal input hin[256];
+//    signal input inp[512];
+//    signal output out[256];
+pragma circom 2.0.0;
+
+function rrot(x, n) {
+    return ((x >> n) | (x << (32-n))) & 0xFFFFFFFF;
+}
+
+function bsigma0(x) {
+    return rrot(x,2) ^ rrot(x,13) ^ rrot(x,22);
+}
+
+function bsigma1(x) {
+    return rrot(x,6) ^ rrot(x,11) ^ rrot(x,25);
+}
+
+function ssigma0(x) {
+    return rrot(x,7) ^ rrot(x,18) ^ (x >> 3);
+}
+
+function ssigma1(x) {
+    return rrot(x,17) ^ rrot(x,19) ^ (x >> 10);
+}
+
+function Maj(x, y, z) {
+    return (x&y) ^ (x&z) ^ (y&z);
+}
+
+function Ch(x, y, z) {
+    return (x & y) ^ ((0xFFFFFFFF ^x) & z);
+}
+
+function sha256K(i) {
+    var k[64] = [
+        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+    ];
+    return k[i];
+}
+
+function sha256compression(hin, inp) {
+    var H[8];
+    var a;
+    var b;
+    var c;
+    var d;
+    var e;
+    var f;
+    var g;
+    var h;
+    var out[256];
+    for (var i=0; i<8; i++) {
+        H[i] = 0;
+        for (var j=0; j<32; j++) {
+            H[i] += hin[i*32+j] << j;
+        }
+    }
+    a=H[0];
+    b=H[1];
+    c=H[2];
+    d=H[3];
+    e=H[4];
+    f=H[5];
+    g=H[6];
+    h=H[7];
+    var w[64];
+    var T1;
+    var T2;
+    for (var i=0; i<64; i++) {
+        if (i<16) {
+            w[i]=0;
+            for (var j=0; j<32; j++) {
+                w[i] +=  inp[i*32+31-j]<<j;
+            }
+        } else {
+            w[i] = (ssigma1(w[i-2]) + w[i-7] + ssigma0(w[i-15]) + w[i-16]) & 0xFFFFFFFF;
+        }
+        T1 = (h + bsigma1(e) + Ch(e,f,g) + sha256K(i) + w[i]) & 0xFFFFFFFF;
+        T2 = (bsigma0(a) + Maj(a,b,c)) & 0xFFFFFFFF;
+
+        h=g;
+        g=f;
+        f=e;
+        e=(d+T1) & 0xFFFFFFFF;
+        d=c;
+        c=b;
+        b=a;
+        a=(T1+T2) & 0xFFFFFFFF;
+
+    }
+    H[0] = H[0] + a;
+    H[1] = H[1] + b;
+    H[2] = H[2] + c;
+    H[3] = H[3] + d;
+    H[4] = H[4] + e;
+    H[5] = H[5] + f;
+    H[6] = H[6] + g;
+    H[7] = H[7] + h;
+    for (var i=0; i<8; i++) {
+        for (var j=0; j<32; j++) {
+            out[i*32+31-j] = (H[i] >> j) & 1;
+        }
+    }
+    return out;
+}

package/circomlib/circuits/sha256/shift.circom

@@ -0,0 +1,33 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+template ShR(n, r) {
+    signal input in[n];
+    signal output out[n];
+
+    for (var i=0; i<n; i++) {
+        if (i+r >= n) {
+            out[i] <== 0;
+        } else {
+            out[i] <== in[ i+r ];
+        }
+    }
+}
+

package/circomlib/circuits/sha256/sigma.circom

@@ -0,0 +1,77 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "xor3.circom";
+include "rotate.circom";
+include "shift.circom";
+
+template SmallSigma(ra, rb, rc) {
+    signal input in[32];
+    signal output out[32];
+    var k;
+
+    component rota = RotR(32, ra);
+    component rotb = RotR(32, rb);
+    component shrc = ShR(32, rc);
+
+    for (k=0; k<32; k++) {
+        rota.in[k] <== in[k];
+        rotb.in[k] <== in[k];
+        shrc.in[k] <== in[k];
+    }
+
+    component xor3 = Xor3(32);
+    for (k=0; k<32; k++) {
+        xor3.a[k] <== rota.out[k];
+        xor3.b[k] <== rotb.out[k];
+        xor3.c[k] <== shrc.out[k];
+    }
+
+    for (k=0; k<32; k++) {
+        out[k] <== xor3.out[k];
+    }
+}
+
+template BigSigma(ra, rb, rc) {
+    signal input in[32];
+    signal output out[32];
+    var k;
+
+    component rota = RotR(32, ra);
+    component rotb = RotR(32, rb);
+    component rotc = RotR(32, rc);
+    for (k=0; k<32; k++) {
+        rota.in[k] <== in[k];
+        rotb.in[k] <== in[k];
+        rotc.in[k] <== in[k];
+    }
+
+    component xor3 = Xor3(32);
+
+    for (k=0; k<32; k++) {
+        xor3.a[k] <== rota.out[k];
+        xor3.b[k] <== rotb.out[k];
+        xor3.c[k] <== rotc.out[k];
+    }
+
+    for (k=0; k<32; k++) {
+        out[k] <== xor3.out[k];
+    }
+}

package/circomlib/circuits/sha256/sigmaplus.circom

@@ -0,0 +1,50 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "../binsum.circom";
+include "sigma.circom";
+
+template SigmaPlus() {
+    signal input in2[32];
+    signal input in7[32];
+    signal input in15[32];
+    signal input in16[32];
+    signal output out[32];
+    var k;
+
+    component sigma1 = SmallSigma(17,19,10);
+    component sigma0 = SmallSigma(7, 18, 3);
+    for (k=0; k<32; k++) {
+        sigma1.in[k] <== in2[k];
+        sigma0.in[k] <== in15[k];
+    }
+
+    component sum = BinSum(32, 4);
+    for (k=0; k<32; k++) {
+        sum.in[0][k] <== sigma1.out[k];
+        sum.in[1][k] <== in7[k];
+        sum.in[2][k] <== sigma0.out[k];
+        sum.in[3][k] <== in16[k];
+    }
+
+    for (k=0; k<32; k++) {
+        out[k] <== sum.out[k];
+    }
+}

package/circomlib/circuits/sha256/t1.circom

@@ -0,0 +1,58 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "../binsum.circom";
+include "sigma.circom";
+include "ch.circom";
+
+template T1() {
+    signal input h[32];
+    signal input e[32];
+    signal input f[32];
+    signal input g[32];
+    signal input k[32];
+    signal input w[32];
+    signal output out[32];
+
+    var ki;
+
+    component ch = Ch_t(32);
+    component bigsigma1 = BigSigma(6, 11, 25);
+
+    for (ki=0; ki<32; ki++) {
+        bigsigma1.in[ki] <== e[ki];
+        ch.a[ki] <== e[ki];
+        ch.b[ki] <== f[ki];
+        ch.c[ki] <== g[ki];
+    }
+
+    component sum = BinSum(32, 5);
+    for (ki=0; ki<32; ki++) {
+        sum.in[0][ki] <== h[ki];
+        sum.in[1][ki] <== bigsigma1.out[ki];
+        sum.in[2][ki] <== ch.out[ki];
+        sum.in[3][ki] <== k[ki];
+        sum.in[4][ki] <== w[ki];
+    }
+
+    for (ki=0; ki<32; ki++) {
+        out[ki] <== sum.out[ki];
+    }
+}

package/circomlib/circuits/sha256/t2.circom

@@ -0,0 +1,51 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "../binsum.circom";
+include "sigma.circom";
+include "maj.circom";
+
+template T2() {
+    signal input a[32];
+    signal input b[32];
+    signal input c[32];
+    signal output out[32];
+    var k;
+
+    component bigsigma0 = BigSigma(2, 13, 22);
+    component maj = Maj_t(32);
+    for (k=0; k<32; k++) {
+        bigsigma0.in[k] <== a[k];
+        maj.a[k] <== a[k];
+        maj.b[k] <== b[k];
+        maj.c[k] <== c[k];
+    }
+
+    component sum = BinSum(32, 2);
+
+    for (k=0; k<32; k++) {
+        sum.in[0][k] <== bigsigma0.out[k];
+        sum.in[1][k] <== maj.out[k];
+    }
+
+    for (k=0; k<32; k++) {
+        out[k] <== sum.out[k];
+    }
+}

package/circomlib/circuits/sha256/xor3.circom

@@ -0,0 +1,45 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/* Xor3 function for sha256
+
+out = a ^ b ^ c  =>
+
+out = a+b+c - 2*a*b - 2*a*c - 2*b*c + 4*a*b*c   =>
+
+out = a*( 1 - 2*b - 2*c + 4*b*c ) + b + c - 2*b*c =>
+
+mid = b*c
+out = a*( 1 - 2*b -2*c + 4*mid ) + b + c - 2 * mid
+
+*/
+pragma circom 2.0.0;
+
+template Xor3(n) {
+    signal input a[n];
+    signal input b[n];
+    signal input c[n];
+    signal output out[n];
+    signal mid[n];
+
+    for (var k=0; k<n; k++) {
+        mid[k] <== b[k]*c[k];
+        out[k] <== a[k] * (1 -2*b[k]  -2*c[k] +4*mid[k]) + b[k] + c[k] -2*mid[k];
+    }
+}

package/circomlib/circuits/sign.circom

@@ -0,0 +1,36 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "compconstant.circom";
+
+template Sign() {
+    signal input in[254];
+    signal output sign;
+
+    component comp = CompConstant(10944121435919637611123202872628637544274182200208017171849102093287904247808);
+
+    var i;
+
+    for (i=0; i<254; i++) {
+        comp.in[i] <== in[i];
+    }
+
+    sign <== comp.out;
+}

package/circomlib/circuits/smt/smthash_mimc.circom

@@ -0,0 +1,58 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "../mimc.circom";
+
+
+/*
+    Hash1 = H(1 | key | value)
+ */
+
+template SMTHash1() {
+    signal input key;
+    signal input value;
+    signal output out;
+
+    component h = MultiMiMC7(2, 91);   // Constant
+    h.in[0] <== key;
+    h.in[1] <== value;
+    h.k <== 1;
+
+    out <== h.out;
+}
+
+/*
+    This component is used to create the 2 nodes.
+
+    Hash2 = H(Hl | Hr)
+ */
+
+template SMTHash2() {
+    signal input L;
+    signal input R;
+    signal output out;
+
+    component h = MultiMiMC7(2, 91);   // Constant
+    h.in[0] <== L;
+    h.in[1] <== R;
+    h.k <== 0;
+
+    out <== h.out;
+}

package/circomlib/circuits/smt/smthash_poseidon.circom

@@ -0,0 +1,57 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "../poseidon.circom";
+
+
+/*
+    Hash1 = H(1 | key | value)
+ */
+
+template SMTHash1() {
+    signal input key;
+    signal input value;
+    signal output out;
+
+    component h = Poseidon(3);   // Constant
+    h.inputs[0] <== key;
+    h.inputs[1] <== value;
+    h.inputs[2] <== 1;
+
+    out <== h.out;
+}
+
+/*
+    This component is used to create the 2 nodes.
+
+    Hash2 = H(Hl | Hr)
+ */
+
+template SMTHash2() {
+    signal input L;
+    signal input R;
+    signal output out;
+
+    component h = Poseidon(2);   // Constant
+    h.inputs[0] <== L;
+    h.inputs[1] <== R;
+
+    out <== h.out;
+}

package/circomlib/circuits/smt/smtlevins.circom

@@ -0,0 +1,103 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/*
+
+This component finds the level where the oldInsert is done.
+The rules are:
+
+levIns[i] == 1 if its level and all the child levels have a sibling of 0 and
+the parent level has a sibling != 0.  Considere that the root level always has
+a parent with a sibling != 0.
+
+
+                                  ┌──────────────┐
+                                  │              │
+                                  │              │───▶ levIns[0] <== (1-done[i])
+                                  │              │
+                                  └──────────────┘
+                                          ▲
+                                          │
+                                          │
+                                       done[0]
+
+
+
+                                      done[i-1] <== levIns[i] + done[i]
+                                          ▲
+                                          │
+                                          │
+                   ┌───────────┐  ┌──────────────┐
+                   │           │  │              │
+   sibling[i-1]───▶│IsZero[i-1]│─▶│              │───▶ levIns[i] <== (1-done[i])*(1-isZero[i-1].out)
+                   │           │  │              │
+                   └───────────┘  └──────────────┘
+                                          ▲
+                                          │
+                                          │
+                                       done[i]
+
+
+
+                                     done[n-2] <== levIns[n-1]
+                                         ▲
+                                         │
+                                         │
+                  ┌───────────┐  ┌──────────────┐
+                  │           │  │              │
+  sibling[n-2]───▶│IsZero[n-2]│─▶│              │────▶ levIns[n-1] <== (1-isZero[n-2].out)
+                  │           │  │              │
+                  └───────────┘  └──────────────┘
+
+                  ┌───────────┐
+                  │           │
+  sibling[n-1]───▶│IsZero[n-1]│────▶ === 0
+                  │           │
+                  └───────────┘
+
+ */
+ pragma circom 2.0.0;
+
+template SMTLevIns(nLevels) {
+    signal input enabled;
+    signal input siblings[nLevels];
+    signal output levIns[nLevels];
+    signal done[nLevels-1];        // Indicates if the insLevel has aready been detected.
+
+    var i;
+
+    component isZero[nLevels];
+
+    for (i=0; i<nLevels; i++) {
+        isZero[i] = IsZero();
+        isZero[i].in <== siblings[i];
+    }
+
+    // The last level must always have a sibling of 0. If not, then it cannot be inserted.
+    (isZero[nLevels-1].out - 1) * enabled === 0;
+
+    levIns[nLevels-1] <== (1-isZero[nLevels-2].out);
+    done[nLevels-2] <== levIns[nLevels-1];
+    for (i=nLevels-2; i>0; i--) {
+        levIns[i] <== (1-done[i])*(1-isZero[i-1].out);
+        done[i-1] <== levIns[i] + done[i];
+    }
+
+    levIns[0] <== (1-done[0]);
+}