starkshield 1.0.0

package/circomlib/circuits/aliascheck.circom

@@ -0,0 +1,33 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "compconstant.circom";
+
+
+template AliasCheck() {
+
+    signal input in[254];
+
+    component  compConstant = CompConstant(-1);
+
+    for (var i=0; i<254; i++) in[i] ==> compConstant.in[i];
+
+    compConstant.out === 0;
+}

package/circomlib/circuits/babyjub.circom

@@ -0,0 +1,107 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "bitify.circom";
+include "escalarmulfix.circom";
+
+template BabyAdd() {
+    signal input x1;
+    signal input y1;
+    signal input x2;
+    signal input y2;
+    signal output xout;
+    signal output yout;
+
+    signal beta;
+    signal gamma;
+    signal delta;
+    signal tau;
+
+    var a = 168700;
+    var d = 168696;
+
+    beta <== x1*y2;
+    gamma <== y1*x2;
+    delta <== (-a*x1+y1)*(x2 + y2);
+    tau <== beta * gamma;
+
+    xout <-- (beta + gamma) / (1+ d*tau);
+    (1+ d*tau) * xout === (beta + gamma);
+
+    yout <-- (delta + a*beta - gamma) / (1-d*tau);
+    (1-d*tau)*yout === (delta + a*beta - gamma);
+}
+
+template BabyDbl() {
+    signal input x;
+    signal input y;
+    signal output xout;
+    signal output yout;
+
+    component adder = BabyAdd();
+    adder.x1 <== x;
+    adder.y1 <== y;
+    adder.x2 <== x;
+    adder.y2 <== y;
+
+    adder.xout ==> xout;
+    adder.yout ==> yout;
+}
+
+
+template BabyCheck() {
+    signal input x;
+    signal input y;
+
+    signal x2;
+    signal y2;
+
+    var a = 168700;
+    var d = 168696;
+
+    x2 <== x*x;
+    y2 <== y*y;
+
+    a*x2 + y2 === 1 + d*x2*y2;
+}
+
+// Extracts the public key from private key
+template BabyPbk() {
+    signal input  in;
+    signal output Ax;
+    signal output Ay;
+
+    var BASE8[2] = [
+        5299619240641551281634865583518297030282874472190772894086521144482721001553,
+        16950150798460657717958625567821834550301663161624707787222815936182638968203
+    ];
+
+    component pvkBits = Num2Bits(253);
+    pvkBits.in <== in;
+
+    component mulFix = EscalarMulFix(253, BASE8);
+
+    var i;
+    for (i=0; i<253; i++) {
+        mulFix.e[i] <== pvkBits.out[i];
+    }
+    Ax  <== mulFix.out[0];
+    Ay  <== mulFix.out[1];
+}

package/circomlib/circuits/binsub.circom

@@ -0,0 +1,74 @@
+ /*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/*
+This component creates a binary substraction.
+
+
+Main Constraint:
+   (in[0][0]     * 2^0  +  in[0][1]     * 2^1  + ..... + in[0][n-1]    * 2^(n-1))  +
+ +  2^n
+ - (in[1][0]     * 2^0  +  in[1][1]     * 2^1  + ..... + in[1][n-1]    * 2^(n-1))
+ ===
+   out[0] * 2^0  + out[1] * 2^1 +   + out[n-1] *2^(n-1) + aux
+
+
+    out[0]     * (out[0] - 1) === 0
+    out[1]     * (out[0] - 1) === 0
+    .
+    .
+    .
+    out[n-1]   * (out[n-1] - 1) === 0
+    aux * (aux-1) == 0
+
+*/
+pragma circom 2.0.0;
+
+template BinSub(n) {
+    signal input in[2][n];
+    signal output out[n];
+
+    signal aux;
+
+    var lin = 2**n;
+    var lout = 0;
+
+    var i;
+
+    for (i=0; i<n; i++) {
+        lin = lin + in[0][i]*(2**i);
+        lin = lin - in[1][i]*(2**i);
+    }
+
+    for (i=0; i<n; i++) {
+        out[i] <-- (lin >> i) & 1;
+
+        // Ensure out is binary
+        out[i] * (out[i] - 1) === 0;
+
+        lout = lout + out[i]*(2**i);
+    }
+
+    aux <-- (lin >> n) & 1;
+    aux*(aux-1) === 0;
+    lout = lout + aux*(2**n);
+
+    // Ensure the sum;
+    lin === lout;
+}

package/circomlib/circuits/binsum.circom

@@ -0,0 +1,101 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/*
+
+Binary Sum
+==========
+
+This component creates a binary sum componet of ops operands and n bits each operand.
+
+e is Number of carries: Depends on the number of operands in the input.
+
+Main Constraint:
+   in[0][0]     * 2^0  +  in[0][1]     * 2^1  + ..... + in[0][n-1]    * 2^(n-1)  +
+ + in[1][0]     * 2^0  +  in[1][1]     * 2^1  + ..... + in[1][n-1]    * 2^(n-1)  +
+ + ..
+ + in[ops-1][0] * 2^0  +  in[ops-1][1] * 2^1  + ..... + in[ops-1][n-1] * 2^(n-1)  +
+ ===
+   out[0] * 2^0  + out[1] * 2^1 +   + out[n+e-1] *2(n+e-1)
+
+To waranty binary outputs:
+
+    out[0]     * (out[0] - 1) === 0
+    out[1]     * (out[0] - 1) === 0
+    .
+    .
+    .
+    out[n+e-1] * (out[n+e-1] - 1) == 0
+
+ */
+
+
+/*
+    This function calculates the number of extra bits in the output to do the full sum.
+ */
+ pragma circom 2.0.0;
+
+function nbits(a) {
+    var n = 1;
+    var r = 0;
+    while (n-1<a) {
+        r++;
+        n *= 2;
+    }
+    return r;
+}
+
+
+template BinSum(n, ops) {
+    var nout = nbits((2**n -1)*ops);
+    signal input in[ops][n];
+    signal output out[nout];
+
+    var lin = 0;
+    var lout = 0;
+
+    var k;
+    var j;
+
+    var e2;
+
+    e2 = 1;
+    for (k=0; k<n; k++) {
+        for (j=0; j<ops; j++) {
+            lin += in[j][k] * e2;
+        }
+        e2 = e2 + e2;
+    }
+
+    e2 = 1;
+    for (k=0; k<nout; k++) {
+        out[k] <-- (lin >> k) & 1;
+
+        // Ensure out is binary
+        out[k] * (out[k] - 1) === 0;
+
+        lout += out[k] * e2;
+
+        e2 = e2+e2;
+    }
+
+    // Ensure the sum;
+
+    lin === lout;
+}

package/circomlib/circuits/bitify.circom

@@ -0,0 +1,106 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "comparators.circom";
+include "aliascheck.circom";
+
+
+template Num2Bits(n) {
+    signal input in;
+    signal output out[n];
+    var lc1=0;
+
+    var e2=1;
+    for (var i = 0; i<n; i++) {
+        out[i] <-- (in >> i) & 1;
+        out[i] * (out[i] -1 ) === 0;
+        lc1 += out[i] * e2;
+        e2 = e2+e2;
+    }
+
+    lc1 === in;
+}
+
+template Num2Bits_strict() {
+    signal input in;
+    signal output out[254];
+
+    component aliasCheck = AliasCheck();
+    component n2b = Num2Bits(254);
+    in ==> n2b.in;
+
+    for (var i=0; i<254; i++) {
+        n2b.out[i] ==> out[i];
+        n2b.out[i] ==> aliasCheck.in[i];
+    }
+}
+
+template Bits2Num(n) {
+    signal input in[n];
+    signal output out;
+    var lc1=0;
+
+    var e2 = 1;
+    for (var i = 0; i<n; i++) {
+        lc1 += in[i] * e2;
+        e2 = e2 + e2;
+    }
+
+    lc1 ==> out;
+}
+
+template Bits2Num_strict() {
+    signal input in[254];
+    signal output out;
+
+    component aliasCheck = AliasCheck();
+    component b2n = Bits2Num(254);
+
+    for (var i=0; i<254; i++) {
+        in[i] ==> b2n.in[i];
+        in[i] ==> aliasCheck.in[i];
+    }
+
+    b2n.out ==> out;
+}
+
+template Num2BitsNeg(n) {
+    signal input in;
+    signal output out[n];
+    var lc1=0;
+
+    component isZero;
+
+    isZero = IsZero();
+
+    var neg = n == 0 ? 0 : 2**n - in;
+
+    for (var i = 0; i<n; i++) {
+        out[i] <-- (neg >> i) & 1;
+        out[i] * (out[i] -1 ) === 0;
+        lc1 += out[i] * 2**i;
+    }
+
+    in ==> isZero.in;
+
+
+
+    lc1 + isZero.out * 2**n === 2**n - in;
+}

package/circomlib/circuits/comparators.circom

@@ -0,0 +1,141 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "bitify.circom";
+include "binsum.circom";
+
+template IsZero() {
+    signal input in;
+    signal output out;
+
+    signal inv;
+
+    inv <-- in!=0 ? 1/in : 0;
+
+    out <== -in*inv +1;
+    in*out === 0;
+}
+
+
+template IsEqual() {
+    signal input in[2];
+    signal output out;
+
+    component isz = IsZero();
+
+    in[1] - in[0] ==> isz.in;
+
+    isz.out ==> out;
+}
+
+template ForceEqualIfEnabled() {
+    signal input enabled;
+    signal input in[2];
+
+    component isz = IsZero();
+
+    in[1] - in[0] ==> isz.in;
+
+    (1 - isz.out)*enabled === 0;
+}
+
+/*
+// N is the number of bits the input  have.
+// The MSF is the sign bit.
+template LessThan(n) {
+    signal input in[2];
+    signal output out;
+
+    component num2Bits0;
+    component num2Bits1;
+
+    component adder;
+
+    adder = BinSum(n, 2);
+
+    num2Bits0 = Num2Bits(n);
+    num2Bits1 = Num2BitsNeg(n);
+
+    in[0] ==> num2Bits0.in;
+    in[1] ==> num2Bits1.in;
+
+    var i;
+    for (i=0;i<n;i++) {
+        num2Bits0.out[i] ==> adder.in[0][i];
+        num2Bits1.out[i] ==> adder.in[1][i];
+    }
+
+    adder.out[n-1] ==> out;
+}
+*/
+
+template LessThan(n) {
+    assert(n <= 252);
+    signal input in[2];
+    signal output out;
+
+    component n2b = Num2Bits(n+1);
+
+    n2b.in <== in[0]+ (1<<n) - in[1];
+
+    out <== 1-n2b.out[n];
+}
+
+
+
+// N is the number of bits the input  have.
+// The MSF is the sign bit.
+template LessEqThan(n) {
+    signal input in[2];
+    signal output out;
+
+    component lt = LessThan(n);
+
+    lt.in[0] <== in[0];
+    lt.in[1] <== in[1]+1;
+    lt.out ==> out;
+}
+
+// N is the number of bits the input  have.
+// The MSF is the sign bit.
+template GreaterThan(n) {
+    signal input in[2];
+    signal output out;
+
+    component lt = LessThan(n);
+
+    lt.in[0] <== in[1];
+    lt.in[1] <== in[0];
+    lt.out ==> out;
+}
+
+// N is the number of bits the input  have.
+// The MSF is the sign bit.
+template GreaterEqThan(n) {
+    signal input in[2];
+    signal output out;
+
+    component lt = LessThan(n);
+
+    lt.in[0] <== in[1];
+    lt.in[1] <== in[0]+1;
+    lt.out ==> out;
+}
+

package/circomlib/circuits/compconstant.circom

@@ -0,0 +1,74 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "bitify.circom";
+
+// Returns 1 if in (in binary) > ct
+
+template CompConstant(ct) {
+    signal input in[254];
+    signal output out;
+
+    signal parts[127];
+    signal sout;
+
+    var clsb;
+    var cmsb;
+    var slsb;
+    var smsb;
+
+    var sum=0;
+
+    var b = (1 << 128) -1;
+    var a = 1;
+    var e = 1;
+    var i;
+
+    for (i=0;i<127; i++) {
+        clsb = (ct >> (i*2)) & 1;
+        cmsb = (ct >> (i*2+1)) & 1;
+        slsb = in[i*2];
+        smsb = in[i*2+1];
+
+        if ((cmsb==0)&&(clsb==0)) {
+            parts[i] <== -b*smsb*slsb + b*smsb + b*slsb;
+        } else if ((cmsb==0)&&(clsb==1)) {
+            parts[i] <== a*smsb*slsb - a*slsb + b*smsb - a*smsb + a;
+        } else if ((cmsb==1)&&(clsb==0)) {
+            parts[i] <== b*smsb*slsb - a*smsb + a;
+        } else {
+            parts[i] <== -a*smsb*slsb + a;
+        }
+
+        sum = sum + parts[i];
+
+        b = b -e;
+        a = a +e;
+        e = e*2;
+    }
+
+    sout <== sum;
+
+    component num2bits = Num2Bits(135);
+
+    num2bits.in <== sout;
+
+    out <== num2bits.out[127];
+}