starkshield 1.0.0

package/circomlib/circuits/pedersen_old.circom

@@ -0,0 +1,68 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "escalarmul.circom";
+
+template Pedersen(n) {
+    signal input in[n];
+    signal output out[2];
+
+    var nexps = ((n-1) \ 250) + 1;
+    var nlastbits = n - (nexps-1)*250;
+
+    component escalarMuls[nexps];
+
+    var PBASE[10][2] = [
+        [10457101036533406547632367118273992217979173478358440826365724437999023779287,19824078218392094440610104313265183977899662750282163392862422243483260492317],
+        [2671756056509184035029146175565761955751135805354291559563293617232983272177,2663205510731142763556352975002641716101654201788071096152948830924149045094],
+        [5802099305472655231388284418920769829666717045250560929368476121199858275951,5980429700218124965372158798884772646841287887664001482443826541541529227896],
+        [7107336197374528537877327281242680114152313102022415488494307685842428166594,2857869773864086953506483169737724679646433914307247183624878062391496185654],
+        [20265828622013100949498132415626198973119240347465898028410217039057588424236,1160461593266035632937973507065134938065359936056410650153315956301179689506],
+        [1487999857809287756929114517587739322941449154962237464737694709326309567994,14017256862867289575056460215526364897734808720610101650676790868051368668003],
+        [14618644331049802168996997831720384953259095788558646464435263343433563860015,13115243279999696210147231297848654998887864576952244320558158620692603342236],
+        [6814338563135591367010655964669793483652536871717891893032616415581401894627,13660303521961041205824633772157003587453809761793065294055279768121314853695],
+        [3571615583211663069428808372184817973703476260057504149923239576077102575715,11981351099832644138306422070127357074117642951423551606012551622164230222506],
+        [18597552580465440374022635246985743886550544261632147935254624835147509493269,6753322320275422086923032033899357299485124665258735666995435957890214041481]
+
+    ];
+
+    var i;
+    var j;
+    var nexpbits;
+    for (i=0; i<nexps; i++) {
+        nexpbits = (i == nexps-1) ? nlastbits : 250;
+        escalarMuls[i] = EscalarMul(nexpbits, PBASE[i]);
+
+        for (j=0; j<nexpbits; j++) {
+            escalarMuls[i].in[j] <== in[250*i + j];
+        }
+
+        if (i==0) {
+            escalarMuls[i].inp[0] <== 0;
+            escalarMuls[i].inp[1] <== 1;
+        } else {
+            escalarMuls[i].inp[0] <== escalarMuls[i-1].out[0];
+            escalarMuls[i].inp[1] <== escalarMuls[i-1].out[1];
+        }
+    }
+
+    escalarMuls[nexps-1].out[0] ==> out[0];
+    escalarMuls[nexps-1].out[1] ==> out[1];
+}

package/circomlib/circuits/pointbits.circom

@@ -0,0 +1,164 @@
+/*
+    Copyright 2018 0KIMS association.
+
+    This file is part of circom (Zero Knowledge Circuit Compiler).
+
+    circom is a free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    circom is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+    License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with circom. If not, see <https://www.gnu.org/licenses/>.
+*/
+pragma circom 2.0.0;
+
+include "bitify.circom";
+include "aliascheck.circom";
+include "compconstant.circom";
+include "babyjub.circom";
+
+
+function sqrt(n) {
+
+    if (n == 0) {
+        return 0;
+    }
+
+    // Test that have solution
+    var res = n ** ((-1) >> 1);
+//        if (res!=1) assert(false, "SQRT does not exists");
+    if (res!=1) return 0;
+
+    var m = 28;
+    var c = 19103219067921713944291392827692070036145651957329286315305642004821462161904;
+    var t = n ** 81540058820840996586704275553141814055101440848469862132140264610111;
+    var r = n ** ((81540058820840996586704275553141814055101440848469862132140264610111+1)>>1);
+    var sq;
+    var i;
+    var b;
+    var j;
+
+    while ((r != 0)&&(t != 1)) {
+        sq = t*t;
+        i = 1;
+        while (sq!=1) {
+            i++;
+            sq = sq*sq;
+        }
+
+        // b = c ^ m-i-1
+        b = c;
+        for (j=0; j< m-i-1; j ++) b = b*b;
+
+        m = i;
+        c = b*b;
+        t = t*c;
+        r = r*b;
+    }
+
+    if (r < 0 ) {
+        r = -r;
+    }
+
+    return r;
+}
+
+
+template Bits2Point() {
+    signal input in[256];
+    signal output out[2];
+}
+
+template Bits2Point_Strict() {
+    signal input in[256];
+    signal output out[2];
+
+    var i;
+
+    // Check aliasing
+    component aliasCheckY = AliasCheck();
+    for (i=0; i<254; i++) {
+        aliasCheckY.in[i] <== in[i];
+    }
+    in[254] === 0;
+
+    component b2nY = Bits2Num(254);
+    for (i=0; i<254; i++) {
+        b2nY.in[i] <== in[i];
+    }
+
+    out[1] <== b2nY.out;
+
+    var a = 168700;
+    var d = 168696;
+
+    var y2 = out[1] * out[1];
+
+    var x = sqrt(   (1-y2)/(a - d*y2)  );
+
+    if (in[255] == 1) x = -x;
+
+    out[0] <-- x;
+
+    component babyCheck = BabyCheck();
+    babyCheck.x <== out[0];
+    babyCheck.y <== out[1];
+
+    component n2bX = Num2Bits(254);
+    n2bX.in <== out[0];
+    component aliasCheckX = AliasCheck();
+    for (i=0; i<254; i++) {
+        aliasCheckX.in[i] <== n2bX.out[i];
+    }
+
+    component signCalc = CompConstant(10944121435919637611123202872628637544274182200208017171849102093287904247808);
+    for (i=0; i<254; i++) {
+        signCalc.in[i] <== n2bX.out[i];
+    }
+
+    signCalc.out === in[255];
+}
+
+
+template Point2Bits() {
+    signal input in[2];
+    signal output out[256];
+
+
+}
+
+template Point2Bits_Strict() {
+    signal input in[2];
+    signal output out[256];
+
+    var i;
+
+    component n2bX = Num2Bits(254);
+    n2bX.in <== in[0];
+    component n2bY = Num2Bits(254);
+    n2bY.in <== in[1];
+
+    component aliasCheckX = AliasCheck();
+    component aliasCheckY = AliasCheck();
+    for (i=0; i<254; i++) {
+        aliasCheckX.in[i] <== n2bX.out[i];
+        aliasCheckY.in[i] <== n2bY.out[i];
+    }
+
+    component signCalc = CompConstant(10944121435919637611123202872628637544274182200208017171849102093287904247808);
+    for (i=0; i<254; i++) {
+        signCalc.in[i] <== n2bX.out[i];
+    }
+
+    for (i=0; i<254; i++) {
+        out[i] <== n2bY.out[i];
+    }
+    out[254] <== 0;
+    out[255] <== signCalc.out;
+}

package/circomlib/circuits/poseidon.circom

@@ -0,0 +1,208 @@
+pragma circom 2.0.0;
+
+include "./poseidon_constants.circom";
+
+template Sigma() {
+    signal input in;
+    signal output out;
+
+    signal in2;
+    signal in4;
+
+    in2 <== in*in;
+    in4 <== in2*in2;
+
+    out <== in4*in;
+}
+
+template Ark(t, C, r) {
+    signal input in[t];
+    signal output out[t];
+
+    for (var i=0; i<t; i++) {
+        out[i] <== in[i] + C[i + r];
+    }
+}
+
+template Mix(t, M) {
+    signal input in[t];
+    signal output out[t];
+
+    var lc;
+    for (var i=0; i<t; i++) {
+        lc = 0;
+        for (var j=0; j<t; j++) {
+            lc += M[j][i]*in[j];
+        }
+        out[i] <== lc;
+    }
+}
+
+template MixLast(t, M, s) {
+    signal input in[t];
+    signal output out;
+
+    var lc = 0;
+    for (var j=0; j<t; j++) {
+        lc += M[j][s]*in[j];
+    }
+    out <== lc;
+}
+
+template MixS(t, S, r) {
+    signal input in[t];
+    signal output out[t];
+
+
+    var lc = 0;
+    for (var i=0; i<t; i++) {
+        lc += S[(t*2-1)*r+i]*in[i];
+    }
+    out[0] <== lc;
+    for (var i=1; i<t; i++) {
+        out[i] <== in[i] +  in[0] * S[(t*2-1)*r + t + i -1];
+    }
+}
+
+template PoseidonEx(nInputs, nOuts) {
+    signal input inputs[nInputs];
+    signal input initialState;
+    signal output out[nOuts];
+
+    // Using recommended parameters from whitepaper https://eprint.iacr.org/2019/458.pdf (table 2, table 8)
+    // Generated by https://extgit.iaik.tugraz.at/krypto/hadeshash/-/blob/master/code/calc_round_numbers.py
+    // And rounded up to nearest integer that divides by t
+    var N_ROUNDS_P[16] = [56, 57, 56, 60, 60, 63, 64, 63, 60, 66, 60, 65, 70, 60, 64, 68];
+    var t = nInputs + 1;
+    var nRoundsF = 8;
+    var nRoundsP = N_ROUNDS_P[t - 2];
+    var C[t*nRoundsF + nRoundsP] = POSEIDON_C(t);
+    var S[  N_ROUNDS_P[t-2]  *  (t*2-1)  ]  = POSEIDON_S(t);
+    var M[t][t] = POSEIDON_M(t);
+    var P[t][t] = POSEIDON_P(t);
+
+    component ark[nRoundsF];
+    component sigmaF[nRoundsF][t];
+    component sigmaP[nRoundsP];
+    component mix[nRoundsF-1];
+    component mixS[nRoundsP];
+    component mixLast[nOuts];
+
+
+    ark[0] = Ark(t, C, 0);
+    for (var j=0; j<t; j++) {
+        if (j>0) {
+            ark[0].in[j] <== inputs[j-1];
+        } else {
+            ark[0].in[j] <== initialState;
+        }
+    }
+
+    for (var r = 0; r < nRoundsF\2-1; r++) {
+        for (var j=0; j<t; j++) {
+            sigmaF[r][j] = Sigma();
+            if(r==0) {
+                sigmaF[r][j].in <== ark[0].out[j];
+            } else {
+                sigmaF[r][j].in <== mix[r-1].out[j];
+            }
+        }
+
+        ark[r+1] = Ark(t, C, (r+1)*t);
+        for (var j=0; j<t; j++) {
+            ark[r+1].in[j] <== sigmaF[r][j].out;
+        }
+
+        mix[r] = Mix(t,M);
+        for (var j=0; j<t; j++) {
+            mix[r].in[j] <== ark[r+1].out[j];
+        }
+
+    }
+
+    for (var j=0; j<t; j++) {
+        sigmaF[nRoundsF\2-1][j] = Sigma();
+        sigmaF[nRoundsF\2-1][j].in <== mix[nRoundsF\2-2].out[j];
+    }
+
+    ark[nRoundsF\2] = Ark(t, C, (nRoundsF\2)*t );
+    for (var j=0; j<t; j++) {
+        ark[nRoundsF\2].in[j] <== sigmaF[nRoundsF\2-1][j].out;
+    }
+
+    mix[nRoundsF\2-1] = Mix(t,P);
+    for (var j=0; j<t; j++) {
+        mix[nRoundsF\2-1].in[j] <== ark[nRoundsF\2].out[j];
+    }
+
+
+    for (var r = 0; r < nRoundsP; r++) {
+        sigmaP[r] = Sigma();
+        if (r==0) {
+            sigmaP[r].in <== mix[nRoundsF\2-1].out[0];
+        } else {
+            sigmaP[r].in <== mixS[r-1].out[0];
+        }
+
+        mixS[r] = MixS(t, S, r);
+        for (var j=0; j<t; j++) {
+            if (j==0) {
+                mixS[r].in[j] <== sigmaP[r].out + C[(nRoundsF\2+1)*t + r];
+            } else {
+                if (r==0) {
+                    mixS[r].in[j] <== mix[nRoundsF\2-1].out[j];
+                } else {
+                    mixS[r].in[j] <== mixS[r-1].out[j];
+                }
+            }
+        }
+    }
+
+    for (var r = 0; r < nRoundsF\2-1; r++) {
+        for (var j=0; j<t; j++) {
+            sigmaF[nRoundsF\2 + r][j] = Sigma();
+            if (r==0) {
+                sigmaF[nRoundsF\2 + r][j].in <== mixS[nRoundsP-1].out[j];
+            } else {
+                sigmaF[nRoundsF\2 + r][j].in <== mix[nRoundsF\2+r-1].out[j];
+            }
+        }
+
+        ark[ nRoundsF\2 + r + 1] = Ark(t, C,  (nRoundsF\2+1)*t + nRoundsP + r*t );
+        for (var j=0; j<t; j++) {
+            ark[nRoundsF\2 + r + 1].in[j] <== sigmaF[nRoundsF\2 + r][j].out;
+        }
+
+        mix[nRoundsF\2 + r] = Mix(t,M);
+        for (var j=0; j<t; j++) {
+            mix[nRoundsF\2 + r].in[j] <== ark[nRoundsF\2 + r + 1].out[j];
+        }
+
+    }
+
+    for (var j=0; j<t; j++) {
+        sigmaF[nRoundsF-1][j] = Sigma();
+        sigmaF[nRoundsF-1][j].in <== mix[nRoundsF-2].out[j];
+    }
+
+    for (var i=0; i<nOuts; i++) {
+        mixLast[i] = MixLast(t,M,i);
+        for (var j=0; j<t; j++) {
+            mixLast[i].in[j] <== sigmaF[nRoundsF-1][j].out;
+        }
+        out[i] <== mixLast[i].out;
+    }
+
+}
+
+template Poseidon(nInputs) {
+    signal input inputs[nInputs];
+    signal output out;
+
+    component pEx = PoseidonEx(nInputs, 1);
+    pEx.initialState <== 0;
+    for (var i=0; i<nInputs; i++) {
+        pEx.inputs[i] <== inputs[i];
+    }
+    out <== pEx.out[0];
+}