starkshield 1.0.0

package/circomlib/circuits/eddsa.circom

@@ -0,0 +1,139 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "compconstant.circom";
+include "pointbits.circom";
+include "pedersen.circom";
+include "escalarmulany.circom";
+include "escalarmulfix.circom";
+
+template EdDSAVerifier(n) {
+    signal input msg[n];
+
+    signal input A[256];
+    signal input R8[256];
+    signal input S[256];
+
+    signal Ax;
+    signal Ay;
+
+    signal R8x;
+    signal R8y;
+
+    var i;
+
+// Ensure S<Subgroup Order
+
+    component  compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
+
+    for (i=0; i<254; i++) {
+        S[i] ==> compConstant.in[i];
+    }
+    compConstant.out === 0;
+    S[254] === 0;
+    S[255] === 0;
+
+// Convert A to Field elements (And verify A)
+
+    component bits2pointA = Bits2Point_Strict();
+
+    for (i=0; i<256; i++) {
+        bits2pointA.in[i] <== A[i];
+    }
+    Ax <== bits2pointA.out[0];
+    Ay <== bits2pointA.out[1];
+
+// Convert R8 to Field elements (And verify R8)
+
+    component bits2pointR8 = Bits2Point_Strict();
+
+    for (i=0; i<256; i++) {
+        bits2pointR8.in[i] <== R8[i];
+    }
+    R8x <== bits2pointR8.out[0];
+    R8y <== bits2pointR8.out[1];
+
+// Calculate the h = H(R,A, msg)
+
+    component hash = Pedersen(512+n);
+
+    for (i=0; i<256; i++) {
+        hash.in[i] <== R8[i];
+        hash.in[256+i] <== A[i];
+    }
+    for (i=0; i<n; i++) {
+        hash.in[512+i] <== msg[i];
+    }
+
+    component point2bitsH = Point2Bits_Strict();
+    point2bitsH.in[0] <== hash.out[0];
+    point2bitsH.in[1] <== hash.out[1];
+
+// Calculate second part of the right side:  right2 = h*8*A
+
+    // Multiply by 8 by adding it 3 times.  This also ensure that the result is in
+    // the subgroup.
+    component dbl1 = BabyDbl();
+    dbl1.x <== Ax;
+    dbl1.y <== Ay;
+    component dbl2 = BabyDbl();
+    dbl2.x <== dbl1.xout;
+    dbl2.y <== dbl1.yout;
+    component dbl3 = BabyDbl();
+    dbl3.x <== dbl2.xout;
+    dbl3.y <== dbl2.yout;
+
+    // We check that A is not zero.
+    component isZero = IsZero();
+    isZero.in <== dbl3.x;
+    isZero.out === 0;
+
+    component mulAny = EscalarMulAny(256);
+    for (i=0; i<256; i++) {
+        mulAny.e[i] <== point2bitsH.out[i];
+    }
+    mulAny.p[0] <== dbl3.xout;
+    mulAny.p[1] <== dbl3.yout;
+
+
+// Compute the right side: right =  R8 + right2
+
+    component addRight = BabyAdd();
+    addRight.x1 <== R8x;
+    addRight.y1 <== R8y;
+    addRight.x2 <== mulAny.out[0];
+    addRight.y2 <== mulAny.out[1];
+
+// Calculate left side of equation left = S*B8
+
+    var BASE8[2] = [
+        5299619240641551281634865583518297030282874472190772894086521144482721001553,
+        16950150798460657717958625567821834550301663161624707787222815936182638968203
+    ];
+    component mulFix = EscalarMulFix(256, BASE8);
+    for (i=0; i<256; i++) {
+        mulFix.e[i] <== S[i];
+    }
+
+// Do the comparation left == right
+
+    mulFix.out[0] === addRight.xout;
+    mulFix.out[1] === addRight.yout;
+}

package/circomlib/circuits/eddsamimc.circom

@@ -0,0 +1,124 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "compconstant.circom";
+include "pointbits.circom";
+include "mimc.circom";
+include "bitify.circom";
+include "escalarmulany.circom";
+include "escalarmulfix.circom";
+
+template EdDSAMiMCVerifier() {
+    signal input enabled;
+    signal input Ax;
+    signal input Ay;
+
+    signal input S;
+    signal input R8x;
+    signal input R8y;
+
+    signal input M;
+
+    var i;
+
+// Ensure S<Subgroup Order
+
+    component snum2bits = Num2Bits(253);
+    snum2bits.in <== S;
+
+    component  compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
+
+    for (i=0; i<253; i++) {
+        snum2bits.out[i] ==> compConstant.in[i];
+    }
+    compConstant.in[253] <== 0;
+    compConstant.out === 0;
+
+// Calculate the h = H(R,A, msg)
+
+    component hash = MultiMiMC7(5, 91);
+    hash.in[0] <== R8x;
+    hash.in[1] <== R8y;
+    hash.in[2] <== Ax;
+    hash.in[3] <== Ay;
+    hash.in[4] <== M;
+    hash.k <== 0;
+
+    component h2bits = Num2Bits_strict();
+    h2bits.in <== hash.out;
+
+// Calculate second part of the right side:  right2 = h*8*A
+
+    // Multiply by 8 by adding it 3 times.  This also ensure that the result is in
+    // the subgroup.
+    component dbl1 = BabyDbl();
+    dbl1.x <== Ax;
+    dbl1.y <== Ay;
+    component dbl2 = BabyDbl();
+    dbl2.x <== dbl1.xout;
+    dbl2.y <== dbl1.yout;
+    component dbl3 = BabyDbl();
+    dbl3.x <== dbl2.xout;
+    dbl3.y <== dbl2.yout;
+
+    // We check that A is not zero.
+    component isZero = IsZero();
+    isZero.in <== dbl3.x;
+    isZero.out === 0;
+
+    component mulAny = EscalarMulAny(254);
+    for (i=0; i<254; i++) {
+        mulAny.e[i] <== h2bits.out[i];
+    }
+    mulAny.p[0] <== dbl3.xout;
+    mulAny.p[1] <== dbl3.yout;
+
+
+// Compute the right side: right =  R8 + right2
+
+    component addRight = BabyAdd();
+    addRight.x1 <== R8x;
+    addRight.y1 <== R8y;
+    addRight.x2 <== mulAny.out[0];
+    addRight.y2 <== mulAny.out[1];
+
+// Calculate left side of equation left = S*B8
+
+    var BASE8[2] = [
+        5299619240641551281634865583518297030282874472190772894086521144482721001553,
+        16950150798460657717958625567821834550301663161624707787222815936182638968203
+    ];
+    component mulFix = EscalarMulFix(253, BASE8);
+    for (i=0; i<253; i++) {
+        mulFix.e[i] <== snum2bits.out[i];
+    }
+
+// Do the comparation left == right if enabled;
+
+    component eqCheckX = ForceEqualIfEnabled();
+    eqCheckX.enabled <== enabled;
+    eqCheckX.in[0] <== mulFix.out[0];
+    eqCheckX.in[1] <== addRight.xout;
+
+    component eqCheckY = ForceEqualIfEnabled();
+    eqCheckY.enabled <== enabled;
+    eqCheckY.in[0] <== mulFix.out[1];
+    eqCheckY.in[1] <== addRight.yout;
+}

package/circomlib/circuits/eddsamimcsponge.circom

@@ -0,0 +1,124 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "compconstant.circom";
+include "pointbits.circom";
+include "mimcsponge.circom";
+include "bitify.circom";
+include "escalarmulany.circom";
+include "escalarmulfix.circom";
+
+template EdDSAMiMCSpongeVerifier() {
+    signal input enabled;
+    signal input Ax;
+    signal input Ay;
+
+    signal input S;
+    signal input R8x;
+    signal input R8y;
+
+    signal input M;
+
+    var i;
+
+// Ensure S<Subgroup Order
+
+    component snum2bits = Num2Bits(253);
+    snum2bits.in <== S;
+
+    component  compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
+
+    for (i=0; i<253; i++) {
+        snum2bits.out[i] ==> compConstant.in[i];
+    }
+    compConstant.in[253] <== 0;
+    compConstant.out === 0;
+
+// Calculate the h = H(R,A, msg)
+
+    component hash = MiMCSponge(5, 220, 1);
+    hash.ins[0] <== R8x;
+    hash.ins[1] <== R8y;
+    hash.ins[2] <== Ax;
+    hash.ins[3] <== Ay;
+    hash.ins[4] <== M;
+    hash.k <== 0;
+
+    component h2bits = Num2Bits_strict();
+    h2bits.in <== hash.outs[0];
+
+// Calculate second part of the right side:  right2 = h*8*A
+
+    // Multiply by 8 by adding it 3 times.  This also ensure that the result is in
+    // the subgroup.
+    component dbl1 = BabyDbl();
+    dbl1.x <== Ax;
+    dbl1.y <== Ay;
+    component dbl2 = BabyDbl();
+    dbl2.x <== dbl1.xout;
+    dbl2.y <== dbl1.yout;
+    component dbl3 = BabyDbl();
+    dbl3.x <== dbl2.xout;
+    dbl3.y <== dbl2.yout;
+
+    // We check that A is not zero.
+    component isZero = IsZero();
+    isZero.in <== dbl3.x;
+    isZero.out === 0;
+
+    component mulAny = EscalarMulAny(254);
+    for (i=0; i<254; i++) {
+        mulAny.e[i] <== h2bits.out[i];
+    }
+    mulAny.p[0] <== dbl3.xout;
+    mulAny.p[1] <== dbl3.yout;
+
+
+// Compute the right side: right =  R8 + right2
+
+    component addRight = BabyAdd();
+    addRight.x1 <== R8x;
+    addRight.y1 <== R8y;
+    addRight.x2 <== mulAny.out[0];
+    addRight.y2 <== mulAny.out[1];
+
+// Calculate left side of equation left = S*B8
+
+    var BASE8[2] = [
+        5299619240641551281634865583518297030282874472190772894086521144482721001553,
+        16950150798460657717958625567821834550301663161624707787222815936182638968203
+    ];
+    component mulFix = EscalarMulFix(253, BASE8);
+    for (i=0; i<253; i++) {
+        mulFix.e[i] <== snum2bits.out[i];
+    }
+
+// Do the comparation left == right if enabled;
+
+    component eqCheckX = ForceEqualIfEnabled();
+    eqCheckX.enabled <== enabled;
+    eqCheckX.in[0] <== mulFix.out[0];
+    eqCheckX.in[1] <== addRight.xout;
+
+    component eqCheckY = ForceEqualIfEnabled();
+    eqCheckY.enabled <== enabled;
+    eqCheckY.in[0] <== mulFix.out[1];
+    eqCheckY.in[1] <== addRight.yout;
+}

package/circomlib/circuits/eddsaposeidon.circom

@@ -0,0 +1,123 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "compconstant.circom";
+include "poseidon.circom";
+include "bitify.circom";
+include "escalarmulany.circom";
+include "escalarmulfix.circom";
+
+template EdDSAPoseidonVerifier() {
+    signal input enabled;
+    signal input Ax;
+    signal input Ay;
+
+    signal input S;
+    signal input R8x;
+    signal input R8y;
+
+    signal input M;
+
+    var i;
+
+// Ensure S<Subgroup Order
+
+    component snum2bits = Num2Bits(253);
+    snum2bits.in <== S;
+
+    component  compConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040);
+
+    for (i=0; i<253; i++) {
+        snum2bits.out[i] ==> compConstant.in[i];
+    }
+    compConstant.in[253] <== 0;
+    compConstant.out*enabled === 0;
+
+// Calculate the h = H(R,A, msg)
+
+    component hash = Poseidon(5);
+
+    hash.inputs[0] <== R8x;
+    hash.inputs[1] <== R8y;
+    hash.inputs[2] <== Ax;
+    hash.inputs[3] <== Ay;
+    hash.inputs[4] <== M;
+
+    component h2bits = Num2Bits_strict();
+    h2bits.in <== hash.out;
+
+// Calculate second part of the right side:  right2 = h*8*A
+
+    // Multiply by 8 by adding it 3 times.  This also ensure that the result is in
+    // the subgroup.
+    component dbl1 = BabyDbl();
+    dbl1.x <== Ax;
+    dbl1.y <== Ay;
+    component dbl2 = BabyDbl();
+    dbl2.x <== dbl1.xout;
+    dbl2.y <== dbl1.yout;
+    component dbl3 = BabyDbl();
+    dbl3.x <== dbl2.xout;
+    dbl3.y <== dbl2.yout;
+
+    // We check that A is not zero.
+    component isZero = IsZero();
+    isZero.in <== dbl3.x;
+    isZero.out*enabled === 0;
+
+    component mulAny = EscalarMulAny(254);
+    for (i=0; i<254; i++) {
+        mulAny.e[i] <== h2bits.out[i];
+    }
+    mulAny.p[0] <== dbl3.xout;
+    mulAny.p[1] <== dbl3.yout;
+
+
+// Compute the right side: right =  R8 + right2
+
+    component addRight = BabyAdd();
+    addRight.x1 <== R8x;
+    addRight.y1 <== R8y;
+    addRight.x2 <== mulAny.out[0];
+    addRight.y2 <== mulAny.out[1];
+
+// Calculate left side of equation left = S*B8
+
+    var BASE8[2] = [
+        5299619240641551281634865583518297030282874472190772894086521144482721001553,
+        16950150798460657717958625567821834550301663161624707787222815936182638968203
+    ];
+    component mulFix = EscalarMulFix(253, BASE8);
+    for (i=0; i<253; i++) {
+        mulFix.e[i] <== snum2bits.out[i];
+    }
+
+// Do the comparation left == right if enabled;
+
+    component eqCheckX = ForceEqualIfEnabled();
+    eqCheckX.enabled <== enabled;
+    eqCheckX.in[0] <== mulFix.out[0];
+    eqCheckX.in[1] <== addRight.xout;
+
+    component eqCheckY = ForceEqualIfEnabled();
+    eqCheckY.enabled <== enabled;
+    eqCheckY.in[0] <== mulFix.out[1];
+    eqCheckY.in[1] <== addRight.yout;
+}

package/circomlib/circuits/escalarmul.circom

@@ -0,0 +1,166 @@
+  /*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+/*
+
+                                                        ┏━━━━━━━━━━━┓
+                                                        ┃           ┃
+                                                        ┃           ┃
+  (inx, iny) ══════════════════════════════════════════▶┃ EC Point  ┃
+                                                        ┃           ╠═▶ (outx, outy)
+                                                    ╔══▶┃   Adder   ┃
+                                                    ║   ┃           ┃
+                                                    ║   ┃           ┃
+                                                    ║   ┃           ┃
+       ┏━━━━━━━━━━━┓                ┏━━━━━━━━━━━━┓  ║   ┗━━━━━━━━━━━┛
+       ┃           ┃                ┃            ┃  ║
+       ┃           ┃                ┃            ┃  ║
+       ┃           ╠═══(p0x,p0y)═══▶┃            ┃  ║
+       ┃           ╠═══(p1x,p1y)═══▶┃            ┃  ║
+       ┃           ╠═══(p2x,p2y)═══▶┃            ┃  ║
+       ┃           ╠═══(p3x,p3y)═══▶┃            ┃  ║
+       ┃           ╠═══(p4x,p4y)═══▶┃            ┃  ║
+       ┃           ╠═══(p5x,p5y)═══▶┃            ┃  ║
+       ┃           ╠═══(p6x,p6y)═══▶┃            ┃  ║
+       ┃ Constant  ╠═══(p7x,p7y)═══▶┃            ┃  ║
+       ┃  Points   ┃                ┃    Mux4    ╠══╝
+       ┃           ╠═══(p8x,p8y)═══▶┃            ┃
+       ┃           ╠═══(p9x,p9y)═══▶┃            ┃
+       ┃           ╠══(p10x,p10y)══▶┃            ┃
+       ┃           ╠══(p11x,p11y)══▶┃            ┃
+       ┃           ╠══(p12x,p12y)══▶┃            ┃
+       ┃           ╠══(p13x,p13y)══▶┃            ┃
+       ┃           ╠══(p14x,p14y)══▶┃            ┃
+       ┃           ╠══(p15x,p15y)══▶┃            ┃
+       ┃           ┃                ┃            ┃
+       ┃           ┃                ┃            ┃
+       ┗━━━━━━━━━━━┛                ┗━━━━━━━━━━━━┛
+                                      ▲  ▲  ▲  ▲
+                                      │  │  │  │
+  s0 ─────────────────────────────────┘  │  │  │
+  s1 ────────────────────────────────────┘  │  │
+  s2 ───────────────────────────────────────┘  │
+  s3 ──────────────────────────────────────────┘
+
+
+ */
+pragma circom 2.0.0;
+
+include "mux4.circom";
+include "escalarmulw4table.circom";
+include "babyjub.circom";
+
+template EscalarMulWindow(base, k) {
+
+    signal input in[2];
+    signal input sel[4];
+    signal output out[2];
+
+    var table[16][2];
+    component mux;
+    component adder;
+
+    var i;
+
+    table = EscalarMulW4Table(base, k);
+    mux = MultiMux4(2);
+    adder = BabyAdd();
+
+    for (i=0; i<4; i++) {
+        sel[i] ==> mux.s[i];
+    }
+
+    for (i=0; i<16; i++) {
+        mux.c[0][i] <== table[i][0];
+        mux.c[1][i] <== table[i][1];
+    }
+
+    in[0] ==> adder.x1;
+    in[1] ==> adder.y1;
+
+    mux.out[0] ==> adder.x2;
+    mux.out[1] ==> adder.y2;
+
+    adder.xout ==> out[0];
+    adder.yout ==> out[1];
+}
+
+/*
+
+
+                ┏━━━━━━━━━┓      ┏━━━━━━━━━┓                            ┏━━━━━━━━━━━━━━━━━━━┓
+                ┃         ┃      ┃         ┃                            ┃                   ┃
+      inp  ════▶┃Window(0)┃═════▶┃Window(1)┃════════  . . . . ═════════▶┃ Window(nBlocks-1) ┃═════▶ out
+                ┃         ┃      ┃         ┃                            ┃                   ┃
+                ┗━━━━━━━━━┛      ┗━━━━━━━━━┛                            ┗━━━━━━━━━━━━━━━━━━━┛
+                  ▲ ▲ ▲ ▲          ▲ ▲ ▲ ▲                                    ▲ ▲ ▲ ▲
+    in[0]─────────┘ │ │ │          │ │ │ │                                    │ │ │ │
+    in[1]───────────┘ │ │          │ │ │ │                                    │ │ │ │
+    in[2]─────────────┘ │          │ │ │ │                                    │ │ 0 0
+    in[3]───────────────┘          │ │ │ │                                    │ │
+    in[4]──────────────────────────┘ │ │ │                                    │ │
+    in[5]────────────────────────────┘ │ │                                    │ │
+    in[6]──────────────────────────────┘ │                                    │ │
+    in[7]────────────────────────────────┘                                    │ │
+        .                                                                     │ │
+        .                                                                     │ │
+  in[n-2]─────────────────────────────────────────────────────────────────────┘ │
+  in[n-1]───────────────────────────────────────────────────────────────────────┘
+
+ */
+
+template EscalarMul(n, base) {
+    signal input in[n];
+    signal input inp[2];   // Point input to be added
+    signal output out[2];
+
+    var nBlocks = ((n-1)>>2)+1;
+    var i;
+    var j;
+
+    component windows[nBlocks];
+
+    // Construct the windows
+    for (i=0; i<nBlocks; i++) {
+      windows[i] = EscalarMulWindow(base, i);
+    }
+
+    // Connect the selectors
+    for (i=0; i<nBlocks; i++) {
+        for (j=0; j<4; j++) {
+            if (i*4+j >= n) {
+                windows[i].sel[j] <== 0;
+            } else {
+                windows[i].sel[j] <== in[i*4+j];
+            }
+        }
+    }
+
+    // Start with generator
+    windows[0].in[0] <== inp[0];
+    windows[0].in[1] <== inp[1];
+
+    for(i=0; i<nBlocks-1; i++) {
+        windows[i].out[0] ==> windows[i+1].in[0];
+        windows[i].out[1] ==> windows[i+1].in[1];
+    }
+
+    windows[nBlocks-1].out[0] ==> out[0];
+    windows[nBlocks-1].out[1] ==> out[1];
+}