starkshield 1.0.0

package/circomlib/circuits/smt/smtverifierlevel.circom

@@ -0,0 +1,71 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/******
+
+SMTVerifierLevel
+
+This circuit has 1 hash
+
+Outputs according to the state.
+
+State        root
+=====        =======
+top          H'(child, sibling)
+i0           0
+iold         old1leaf
+inew         new1leaf
+na           0
+
+H' is the Hash function with the inputs shifted acordingly.
+
+*****/
+pragma circom 2.0.0;
+
+template SMTVerifierLevel() {
+    signal input st_top;
+    signal input st_i0;
+    signal input st_iold;
+    signal input st_inew;
+    signal input st_na;
+
+    signal output root;
+    signal input sibling;
+    signal input old1leaf;
+    signal input new1leaf;
+    signal input lrbit;
+    signal input child;
+
+    signal aux[2];
+
+    component proofHash = SMTHash2();
+    component switcher = Switcher();
+
+    switcher.L <== child;
+    switcher.R <== sibling;
+
+    switcher.sel <== lrbit;
+    proofHash.L <== switcher.outL;
+    proofHash.R <== switcher.outR;
+
+    aux[0] <== proofHash.out * st_top;
+    aux[1] <== old1leaf*st_iold;
+
+    root <== aux[0] + aux[1] + new1leaf*st_inew;
+}

package/circomlib/circuits/smt/smtverifiersm.circom

@@ -0,0 +1,106 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/*
+Each level in the SMTVerifier has a state.
+
+This is the state machine.
+
+The signals are
+
+levIns: 1 if we are in the level where the insertion should happen
+xor: 1 if the bitKey of the old and new keys are different in this level
+is0: Input that indicates that the oldKey is 0
+fnc:  0 -> VERIFY INCLUSION
+      1 -> VERIFY NOT INCLUSION
+
+err state is not a state itself. It's a lack of state.
+
+The end of the last level will have to be `na`
+
+   levIns=0                                                                                any
+     ┌────┐                                                                              ┌────┐
+     │    │                                                                              │    │
+     │    ▼                          levIns=1                                            ▼    │
+     │    ###########                is0=1      ###########                    ###########    │
+     │   #           #               fnc=1     #           #       any        #           #   │
+     └──#    top      # ─────────────────────▶#     i0      #───────────────▶#    na       #──┘
+         ##         ## ──────────┐             ##         ##         ┌───────▶##         ##
+           ########─────────────┐│               #########           │┌────────▶#########
+                                ││ levIns=1                          ││
+                                ││ is0=0        ###########          ││
+                                ││ fnc=1       #           #       any│
+                                │└──────────▶ #    iold     #────────┘│
+                                │              ##         ##          │
+                                │                #########            │
+                                │                                     │
+                                │  levIns=1     ###########           │
+                                │  fnc=0       #           #        any
+                                └────────────▶#    inew     #─────────┘
+                                               ##         ##
+                                                 #########
+
+ */
+ pragma circom 2.0.0;
+
+
+template SMTVerifierSM() {
+    signal input is0;
+    signal input levIns;
+    signal input fnc;
+
+    signal input prev_top;
+    signal input prev_i0;
+    signal input prev_iold;
+    signal input prev_inew;
+    signal input prev_na;
+
+    signal output st_top;
+    signal output st_i0;
+    signal output st_iold;
+    signal output st_inew;
+    signal output st_na;
+
+    signal prev_top_lev_ins;
+    signal prev_top_lev_ins_fnc;
+
+    prev_top_lev_ins <== prev_top * levIns;
+    prev_top_lev_ins_fnc <== prev_top_lev_ins*fnc;  // prev_top * levIns * fnc
+
+    // st_top = prev_top * (1-levIns)
+    //    = + prev_top
+    //      - prev_top * levIns
+    st_top <== prev_top - prev_top_lev_ins;
+
+    // st_inew = prev_top * levIns * (1-fnc)
+    //   = + prev_top * levIns
+    //     - prev_top * levIns * fnc
+    st_inew <== prev_top_lev_ins - prev_top_lev_ins_fnc;
+
+    // st_iold = prev_top * levIns * (1-is0)*fnc
+    //   = + prev_top * levIns * fnc
+    //     - prev_top * levIns * fnc * is0
+    st_iold <== prev_top_lev_ins_fnc * (1 - is0);
+
+    // st_i0 = prev_top * levIns * is0
+    //  = + prev_top * levIns * is0
+    st_i0 <== prev_top_lev_ins * is0;
+
+    st_na <== prev_na + prev_inew + prev_iold + prev_i0;
+}

package/circomlib/circuits/switcher.circom

@@ -0,0 +1,42 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/*
+    Assume sel is binary.
+
+    If sel == 0 then outL = L and outR=R
+    If sel == 1 then outL = R and outR=L
+
+ */
+ 
+pragma circom 2.0.0;
+
+template Switcher() {
+    signal input sel;
+    signal input L;
+    signal input R;
+    signal output outL;
+    signal output outR;
+
+    signal aux;
+
+    aux <== (R-L)*sel;    // We create aux in order to have only one multiplication
+    outL <==  aux + L;
+    outR <== -aux + R;
+}

package/circomlib/index.js

@@ -0,0 +1,2 @@
+
+

package/circomlib/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "circomlib",
+  "version": "2.0.5",
+  "description": "Basic circuits library for Circom",
+  "main": "index.js",
+  "directories": {
+    "test": "test"
+  },
+  "scripts": {
+    "test": "mocha --max-old-space-size=4000"
+  },
+  "keywords": [
+    "pedersen",
+    "hash",
+    "ethereum",
+    "circuit",
+    "circom",
+    "zksnark"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/iden3/circomlib.git"
+  },
+  "author": "0Kims",
+  "license": "GPL-3.0",
+  "devDependencies": {
+    "blake-hash": "^2.0.0",
+    "chai": "^4.3.4",
+    "circom_tester": "0.0.13",
+    "circomlibjs": "^0.1.4",
+    "mocha": "^9.1.3"
+  }
+}

package/circomlib/test/aliascheck.js

@@ -0,0 +1,77 @@
+const chai = require("chai");
+const path = require("path");
+
+const assert = chai.assert;
+
+const Scalar = require("ffjavascript").Scalar;
+const F1Field = require("ffjavascript").F1Field;
+const utils = require("ffjavascript").utils;
+const q = Scalar.fromString("21888242871839275222246405745257275088548364400416034343698204186575808495617");
+const F = new F1Field(q);
+
+const wasm_tester = require("circom_tester").wasm;
+
+function print(circuit, w, s) {
+    console.log(s + ": " + w[circuit.getSignalIdx(s)]);
+}
+
+function getBits(v, n) {
+    const res = [];
+    for (let i=0; i<n; i++) {
+        if (Scalar.isOdd(Scalar.shr(v,i))) {
+            res.push(F.one);
+        } else {
+            res.push(F.zero);
+        }
+    }
+    return res;
+}
+
+
+describe("Aliascheck test", function () {
+    this.timeout(100000);
+
+    let cir;
+    before( async() => {
+
+        cir = await wasm_tester(path.join(__dirname, "circuits", "aliascheck_test.circom"));
+    });
+
+    it("Satisfy the aliastest 0", async () => {
+        const inp = getBits(0, 254);
+        await cir.calculateWitness({in: inp}, true);
+    });
+
+    it("Satisfy the aliastest 3", async () => {
+        const inp = getBits(3, 254);
+        await cir.calculateWitness({in: inp}, true);
+    });
+
+    it("Satisfy the aliastest q-1", async () => {
+        const inp = getBits(F.e(-1), 254);
+        // console.log(JSON.stringify(utils.stringifyBigInts(inp)));
+        await cir.calculateWitness({in: inp}, true);
+    });
+
+    it("Should not satisfy an input of q", async () => {
+        const inp = getBits(q, 254);
+        try {
+            await cir.calculateWitness({in: inp}, true);
+            assert(false);
+        } catch(err) {
+            assert(err.message.includes("Assert Failed"));
+        }
+    });
+
+    it("Should not satisfy all ones", async () => {
+
+        const inp = getBits(Scalar.sub(Scalar.shl(1, 254) , 1) , 254);
+        try {
+            await cir.calculateWitness({in: inp}, true);
+            assert(false);
+        } catch(err) {
+            assert(err.message.includes("Assert Failed"));
+        }
+    });
+
+});

package/circomlib/test/babyjub.js

@@ -0,0 +1,118 @@
+const chai = require("chai");
+const path = require("path");
+
+const createBlakeHash = require("blake-hash");
+const buildEddsa = require("circomlibjs").buildEddsa;
+
+const assert = chai.assert;
+
+const wasm_tester = require("circom_tester").wasm;
+const utils = require("ffjavascript").utils;
+const Scalar = require("ffjavascript").Scalar;
+
+describe("Baby Jub test", function () {
+    let eddsa;
+    let F;
+    let circuitAdd;
+    let circuitTest;
+    let circuitPbk;
+
+    this.timeout(100000);
+
+    before( async() => {
+
+        eddsa = await buildEddsa();
+        F = eddsa.F;
+
+        circuitAdd = await wasm_tester(path.join(__dirname, "circuits", "babyadd_tester.circom"));
+
+        circuitTest = await wasm_tester(path.join(__dirname, "circuits", "babycheck_test.circom"));
+
+        circuitPbk = await wasm_tester(path.join(__dirname, "circuits", "babypbk_test.circom"));
+    });
+
+    it("Should add point (0,1) and (0,1)", async () => {
+
+        const input={
+            x1: 0,
+            y1: 1,
+            x2: 0,
+            y2: 1
+        };
+
+        const w = await circuitAdd.calculateWitness(input, true);
+
+        await circuitAdd.assertOut(w, {xout: 0, yout: 1});
+    });
+
+    it("Should add 2 same numbers", async () => {
+
+        const input={
+            x1: 17777552123799933955779906779655732241715742912184938656739573121738514868268n,
+            y1: 2626589144620713026669568689430873010625803728049924121243784502389097019475n,
+            x2: 17777552123799933955779906779655732241715742912184938656739573121738514868268n,
+            y2: 2626589144620713026669568689430873010625803728049924121243784502389097019475n
+        };
+
+        const w = await circuitAdd.calculateWitness(input, true);
+
+        await circuitAdd.assertOut(w, {
+            xout: 6890855772600357754907169075114257697580319025794532037257385534741338397365n,
+            yout: 4338620300185947561074059802482547481416142213883829469920100239455078257889n
+        });
+
+    });
+
+    it("Should add 2 different numbers", async () => {
+
+        const input={
+            x1: 17777552123799933955779906779655732241715742912184938656739573121738514868268n,
+            y1: 2626589144620713026669568689430873010625803728049924121243784502389097019475n,
+            x2: 16540640123574156134436876038791482806971768689494387082833631921987005038935n,
+            y2: 20819045374670962167435360035096875258406992893633759881276124905556507972311n
+        };
+
+        const w = await circuitAdd.calculateWitness(input, true);
+
+        await circuitAdd.assertOut(w, {
+            xout: 7916061937171219682591368294088513039687205273691143098332585753343424131937n,
+            yout: 14035240266687799601661095864649209771790948434046947201833777492504781204499n
+        });
+
+    });
+
+    it("Should check (0,1) is a valid point", async() => {
+        const w = await circuitTest.calculateWitness({x: 0, y:1}, true);
+
+        await circuitTest.checkConstraints(w);
+    });
+
+    it("Should check (1,0) is an invalid point", async() => {
+        try {
+            await circuitTest.calculateWitness({x: 1, y: 0}, true);
+            assert(false, "Should be a valid point");
+        } catch(err) {
+            assert(err.message.includes("Assert Failed"));
+        }
+    });
+
+    it("Should extract the public key from the private one", async () => {
+
+        const rawpvk = Buffer.from("0001020304050607080900010203040506070809000102030405060708090021", "hex");
+        const pvk    = eddsa.pruneBuffer(createBlakeHash("blake512").update(rawpvk).digest().slice(0,32));
+        const S      = Scalar.shr(utils.leBuff2int(pvk), 3);
+
+        const A      = eddsa.prv2pub(rawpvk);
+
+        const input = {
+            in : S
+        };
+
+        const w = await circuitPbk.calculateWitness(input, true);
+
+        await circuitPbk.assertOut(w, {Ax : F.toObject(A[0]), Ay: F.toObject(A[1])});
+
+        await circuitPbk.checkConstraints(w);
+    });
+
+});

package/circomlib/test/binsub.js

@@ -0,0 +1,52 @@
+const path = require("path");
+
+const Scalar = require("ffjavascript").Scalar;
+const wasm_tester = require("circom_tester").wasm;
+
+function print(circuit, w, s) {
+    console.log(s + ": " + w[circuit.getSignalIdx(s)]);
+}
+
+async function checkSub(_a,_b, circuit) {
+    let a=Scalar.e(_a);
+    let b=Scalar.e(_b);
+    if (Scalar.lt(a, 0)) a = Scalar.add(a, Scalar.shl(1, 16));
+    if (Scalar.lt(b, 0)) b = Scalar.add(b, Scalar.shl(1, 16));
+    const w = await circuit.calculateWitness({a: a, b: b}, true);
+
+    let res = Scalar.sub(a, b);
+    if (Scalar.lt(res, 0)) res = Scalar.add(res, Scalar.shl(1, 16));
+
+    await circuit.assertOut(w, {out: res});
+}
+
+describe("BinSub test", function () {
+
+    this.timeout(100000);
+
+    let circuit;
+    before( async() => {
+        circuit = await wasm_tester(path.join(__dirname, "circuits", "binsub_test.circom"));
+    });
+
+    it("Should check variuos ege cases", async () => {
+        await checkSub(0,0, circuit);
+        await checkSub(1,0, circuit);
+        await checkSub(-1,0, circuit);
+        await checkSub(2,1, circuit);
+        await checkSub(2,2, circuit);
+        await checkSub(2,3, circuit);
+        await checkSub(2,-1, circuit);
+        await checkSub(2,-2, circuit);
+        await checkSub(2,-3, circuit);
+        await checkSub(-2,-3, circuit);
+        await checkSub(-2,-2, circuit);
+        await checkSub(-2,-1, circuit);
+        await checkSub(-2,0, circuit);
+        await checkSub(-2,1, circuit);
+        await checkSub(-2,2, circuit);
+        await checkSub(-2,3, circuit);
+    });
+
+
+});

package/circomlib/test/binsum.js

@@ -0,0 +1,38 @@
+const chai = require("chai");
+const path = require("path");
+
+const wasm_tester = require("circom_tester").wasm;
+
+const F1Field = require("ffjavascript").F1Field;
+const Scalar = require("ffjavascript").Scalar;
+exports.p = Scalar.fromString("21888242871839275222246405745257275088548364400416034343698204186575808495617");
+const Fr = new F1Field(exports.p);
+
+const assert = chai.assert;
+
+describe("Binary sum test", function () {
+    this.timeout(100000000);
+
+    it("Should create a constant circuit", async () => {
+        const circuit = await wasm_tester(path.join(__dirname, "circuits", "constants_test.circom"));
+        await circuit.loadConstraints();
+        assert.equal(circuit.nVars, 2);
+        assert.equal(circuit.constraints.length, 1);
+
+        const witness = await circuit.calculateWitness({ "in": Fr.toString(Fr.e("0xd807aa98"))}, true);
+
+        assert(Fr.eq(Fr.e(witness[0]),Fr.e(1)));
+        assert(Fr.eq(Fr.e(witness[1]),Fr.e("0xd807aa98")));
+    });
+    it("Should create a sum circuit", async () => {
+        const circuit = await wasm_tester(path.join(__dirname, "circuits", "sum_test.circom"));
+        await circuit.loadConstraints();
+
+        assert.equal(circuit.constraints.length, 97);  // 32 (in1) + 32(in2) + 32(out) + 1 (carry)
+
+        const witness = await circuit.calculateWitness({ "a": "111", "b": "222" }, true);
+
+        assert(Fr.eq(Fr.e(witness[0]),Fr.e(1)));
+        assert(Fr.eq(Fr.e(witness[1]),Fr.e("333")));
+    });
+});

package/circomlib/test/circuits/aliascheck_test.circom

@@ -0,0 +1,4 @@
+pragma circom 2.0.0;
+include "../../circuits/aliascheck.circom";
+
+component main = AliasCheck();

package/circomlib/test/circuits/babyadd_tester.circom

@@ -0,0 +1,4 @@
+pragma circom 2.0.0;
+include "../../circuits/babyjub.circom";
+
+component main = BabyAdd();

package/circomlib/test/circuits/babycheck_test.circom

@@ -0,0 +1,4 @@
+pragma circom 2.0.0;
+include "../../circuits/babyjub.circom";
+
+component main = BabyCheck();

package/circomlib/test/circuits/babypbk_test.circom

@@ -0,0 +1,4 @@
+pragma circom 2.0.0;
+include "../../circuits/babyjub.circom";
+
+component main = BabyPbk();

package/circomlib/test/circuits/binsub_test.circom

@@ -0,0 +1,33 @@
+pragma circom 2.0.0;
+
+include "../../circuits/bitify.circom";
+include "../../circuits/binsub.circom";
+
+template A() {
+    signal input a; //private
+    signal input b;
+    signal output out;
+
+    var i;
+
+    component n2ba = Num2Bits(16);
+    component n2bb = Num2Bits(16);
+    component sub = BinSub(16);
+    component b2n = Bits2Num(16);
+
+    n2ba.in <== a;
+    n2bb.in <== b;
+
+    for (i=0; i<16; i++) {
+        sub.in[0][i] <== n2ba.out[i];
+        sub.in[1][i] <== n2bb.out[i];
+    }
+
+    for (i=0; i<16; i++) {
+        b2n.in[i] <== sub.out[i];
+    }
+
+    out <== b2n.out;
+}
+
+component main = A();

package/circomlib/test/circuits/constants_test.circom

@@ -0,0 +1,20 @@
+pragma circom 2.0.0;
+
+include "../../circuits/sha256/constants.circom";
+
+template A() {
+    signal input in;
+    component h0;
+    h0 = K(8);
+
+    var lc = 0;
+    var e = 1;
+    for (var i=0; i<32; i++) {
+        lc = lc + e*h0.out[i];
+        e *= 2;
+    }
+
+    lc === in;
+}
+
+component main {public [in]} = A();

package/circomlib/test/circuits/eddsa_test.circom

@@ -0,0 +1,5 @@
+pragma circom 2.0.0;
+
+include "../../circuits/eddsa.circom";
+
+component main = EdDSAVerifier(80);

package/circomlib/test/circuits/eddsamimc_test.circom

@@ -0,0 +1,5 @@
+pragma circom 2.0.0;
+
+include "../../circuits/eddsamimc.circom";
+
+component main = EdDSAMiMCVerifier();

package/circomlib/test/circuits/eddsaposeidon_test.circom

@@ -0,0 +1,5 @@
+pragma circom 2.0.0;
+
+include "../../circuits/eddsaposeidon.circom";
+
+component main = EdDSAPoseidonVerifier();

package/circomlib/test/circuits/edwards2montgomery.circom

@@ -0,0 +1,5 @@
+pragma circom 2.0.0;
+
+include "../../circuits/montgomery.circom";
+
+component main = Edwards2Montgomery();