sha256 done

circuits/sha256/rotate.circom

@@ -4,7 +4,7 @@ template RotR(n, r) {
     signal input in[n];
     signal output out[n];
 
-    for (i=0; i<n; i++) {
+    for (var i=0; i<n; i++) {
         out[i] <== in[ (i+r)%n ];
     }
 }

circuits/sha256/sha256_2.circom

@@ -8,36 +8,41 @@ template Sha256_2() {
     signal output out;
 
     component bits2num = Bits2Num(216);
-    component num2bits[2] = Num2Bits(216);
+    component num2bits[2];
 
-    num2bits[0].inp <== a;
-    num2bits[1].inp <== b;
+    num2bits[0] = Num2Bits(216);
+    num2bits[1] = Num2Bits(216);
+
+    num2bits[0].in <== a;
+    num2bits[1].in <== b;
 
     component sha256compression = Sha256compression() ;
 
     var i;
 
     for (i=0; i<216; i++) {
-        sha256compression.inp[i] <== num2bits[0].out[i];
-        sha256compression.inp[i+216] <== num2bits[1].out[i];
+        sha256compression.inp[i] <== num2bits[0].out[215-i];
+        sha256compression.inp[i+216] <== num2bits[1].out[215-i];
     }
 
-    for (i=432; i<247; i++) {
+    sha256compression.inp[432] <== 1;
+
+    for (i=433; i<503; i++) {
         sha256compression.inp[i] <== 0;
     }
 
-    sha256compression.inp[247] <== 1;
-    sha256compression.inp[248] <== 1;
-    sha256compression.inp[249] <== 0;
-    sha256compression.inp[250] <== 1;
-    sha256compression.inp[251] <== 1;
-    sha256compression.inp[252] <== 0;
-    sha256compression.inp[253] <== 0;
-    sha256compression.inp[254] <== 0;
-    sha256compression.inp[255] <== 0;
+    sha256compression.inp[503] <== 1;
+    sha256compression.inp[504] <== 1;
+    sha256compression.inp[505] <== 0;
+    sha256compression.inp[506] <== 1;
+    sha256compression.inp[507] <== 1;
+    sha256compression.inp[508] <== 0;
+    sha256compression.inp[509] <== 0;
+    sha256compression.inp[510] <== 0;
+    sha256compression.inp[511] <== 0;
 
     for (i=0; i<216; i++) {
-        bits2num.inp[i] <== sha256compression.out[i];
+        bits2num.in[i] <== sha256compression.out[255-i];
     }
 
     out <== bits2num.out;

circuits/sha256/sha256compression.circom

@@ -8,38 +8,47 @@ include "sigmaplus.circom";
 template Sha256compression() {
     signal input inp[512];
     signal output out[256];
-    signal a[64][32];
-    signal b[64][32];
-    signal c[64][32];
-    signal d[64][32];
-    signal e[64][32];
-    signal f[64][32];
-    signal g[64][32];
-    signal h[64][32];
+    signal a[65][32];
+    signal b[65][32];
+    signal c[65][32];
+    signal d[65][32];
+    signal e[65][32];
+    signal f[65][32];
+    signal g[65][32];
+    signal h[65][32];
     signal w[64][32];
 
     var i;
 
-    component sigmaPlus[48] = SigmaPlus();
+    component sigmaPlus[48];
+    for (i=0; i<48; i++) sigmaPlus[i] = SigmaPlus();
 
     component ct_k[64];
     for (i=0; i<64; i++) ct_k[i] = K(i);
 
-    component ha0 = H0(0);
-    component hb0 = H0(1);
-    component hc0 = H0(2);
-    component hd0 = H0(3);
-    component he0 = H0(4);
-    component hf0 = H0(5);
-    component hg0 = H0(6);
-    component hh0 = H0(7);
+    component ha0 = H(0);
+    component hb0 = H(1);
+    component hc0 = H(2);
+    component hd0 = H(3);
+    component he0 = H(4);
+    component hf0 = H(5);
+    component hg0 = H(6);
+    component hh0 = H(7);
 
-    component t1[64] = T1();
-    component t2[64] = T2();
+    component t1[64];
+    for (i=0; i<64; i++) t1[i] = T1();
 
-    component suma[64] = Sum(32, 2);
-    component sume[64] = Sum(32, 2);
-    component fsum[8]  = Sum(32, 2);
+    component t2[64];
+    for (i=0; i<64; i++) t2[i] = T2();
+
+    component suma[64];
+    for (i=0; i<64; i++) suma[i] = BinSum(32, 2);
+
+    component sume[64];
+    for (i=0; i<64; i++) sume[i] = BinSum(32, 2);
+
+    component fsum[8];
+    for (i=0; i<8; i++) fsum[i] = BinSum(32, 2);
 
     var k;
     var t;
@@ -47,12 +56,12 @@ template Sha256compression() {
     for (t=0; t<64; t++) {
         if (t<16) {
             for (k=0; k<32; k++) {
-                w[t][k] <== inp[t*32+k];
+                w[t][k] <== inp[t*32+31-k];
             }
         } else {
             for (k=0; k<32; k++) {
                 sigmaPlus[t-16].in2[k] <== w[t-2][k];
-                sigmaPlus[t-16].in7[k] <== w[t-2][k];
+                sigmaPlus[t-16].in7[k] <== w[t-7][k];
                 sigmaPlus[t-16].in15[k] <== w[t-15][k];
                 sigmaPlus[t-16].in16[k] <== w[t-16][k];
                 w[t][k] <== sigmaPlus[t-16].out[k];
@@ -71,37 +80,37 @@ template Sha256compression() {
         h[0][k] <== hh0.out[k]
     }
 
-    for (t = 0; t<63; t++) {
+    for (t = 0; t<64; t++) {
         for (k=0; k<32; k++) {
-            t1[t].h[k] <== h[k];
-            t1[t].e[k] <== e[k];
-            t1[t].f[k] <== f[k];
-            t1[t].g[k] <== g[k];
-            t1[t].k[k] <== ct_K[t].out[k];
+            t1[t].h[k] <== h[t][k];
+            t1[t].e[k] <== e[t][k];
+            t1[t].f[k] <== f[t][k];
+            t1[t].g[k] <== g[t][k];
+            t1[t].k[k] <== ct_k[t].out[k];
             t1[t].w[k] <== w[t][k];
 
-            t2[t].a[k] <== a[k];
-            t2[t].b[k] <== b[k];
-            t2[t].c[k] <== c[k];
+            t2[t].a[k] <== a[t][k];
+            t2[t].b[k] <== b[t][k];
+            t2[t].c[k] <== c[t][k];
         }
 
         for (k=0; k<32; k++) {
-            sume[t].a[k] <== d[k];
-            sume[t].b[k] <== t1[t].out[k];
+            sume[t].in[0][k] <== d[t][k];
+            sume[t].in[1][k] <== t1[t].out[k];
 
-            suma[t].a[k] <== t1[t].out[k];
-            suma[t].b[k] <== t2[t].out[k];
+            suma[t].in[0][k] <== t1[t].out[k];
+            suma[t].in[1][k] <== t2[t].out[k];
         }
 
         for (k=0; k<32; k++) {
-            h[t+1] <== g[t];
-            g[t+1] <== f[t];
-            f[t+1] <== e[t];
-            e[t+1] <== sume[t].out[k];
-            d[t+1] <== c[t];
-            c[t+1] <== b[t];
-            b[t+1] <== a[t];
-            a[t+1] <== suma[t].out[k];
+            h[t+1][k] <== g[t][k];
+            g[t+1][k] <== f[t][k];
+            f[t+1][k] <== e[t][k];
+            e[t+1][k] <== sume[t].out[k];
+            d[t+1][k] <== c[t][k];
+            c[t+1][k] <== b[t][k];
+            b[t+1][k] <== a[t][k];
+            a[t+1][k] <== suma[t].out[k];
         }
     }
 
@@ -125,13 +134,13 @@ template Sha256compression() {
     }
 
     for (k=0; k<32; k++) {
-        out[k]     <== fsum[0].out[k];
-        out[32+k]  <== fsum[1].out[k];
-        out[64+k]  <== fsum[2].out[k];
-        out[96+k]  <== fsum[3].out[k];
-        out[128+k] <== fsum[4].out[k];
-        out[160+k] <== fsum[5].out[k];
-        out[192+k] <== fsum[6].out[k];
-        out[224+k] <== fsum[7].out[k];
+        out[31-k]     <== fsum[0].out[k];
+        out[32+31-k]  <== fsum[1].out[k];
+        out[64+31-k]  <== fsum[2].out[k];
+        out[96+31-k]  <== fsum[3].out[k];
+        out[128+31-k] <== fsum[4].out[k];
+        out[160+31-k] <== fsum[5].out[k];
+        out[192+31-k] <== fsum[6].out[k];
+        out[224+31-k] <== fsum[7].out[k];
     }
 }

circuits/sha256/shift.circom

@@ -0,0 +1,14 @@
+
+template ShR(n, r) {
+    signal input in[n];
+    signal output out[n];
+
+    for (var i=0; i<n; i++) {
+        if (i+r >= n) {
+            out[i] <== 0;
+        } else {
+            out[i] <== in[ i+r ];
+        }
+    }
+}
+

circuits/sha256/sigma.circom

@@ -1,9 +1,33 @@
 include "xor3.circom";
 include "rotate.circom";
+include "shift.circom";
 
-template Sigma(ra, rb, rc) {
+template SmallSigma(ra, rb, rc) {
     signal input in[32];
-    signal output out;
+    signal output out[32];
+
+    component xor3 = Xor3(32);
+
+    component rota = RotR(32, ra);
+    component rotb = RotR(32, rb);
+    component shrc = ShR(32, rc);
+
+    for (var k=0; k<32; k++) {
+        rota.in[k] <== in[k];
+        rotb.in[k] <== in[k];
+        shrc.in[k] <== in[k];
+
+        xor3.a[k] <== rota.out[k];
+        xor3.b[k] <== rotb.out[k];
+        xor3.c[k] <== shrc.out[k];
+
+        out[k] <== xor3.out[k];
+    }
+}
+
+template BigSigma(ra, rb, rc) {
+    signal input in[32];
+    signal output out[32];
 
     component xor3 = Xor3(32);
 

circuits/sha256/sigmaplus.circom

@@ -8,9 +8,9 @@ template SigmaPlus() {
     signal input in16[32];
     signal output out[32];
 
-    component sum = Sum(32, 4);
-    component sigma1 = Sigma(17,19,10);
-    component sigma0 = Sigma(7, 18, 3);
+    component sum = BinSum(32, 4);
+    component sigma1 = SmallSigma(17,19,10);
+    component sigma0 = SmallSigma(7, 18, 3);
 
     for (var k=0; k<32; k++) {
         sigma1.in[k] <== in2[k];

circuits/sha256/t1.circom

@@ -11,23 +11,23 @@ template T1() {
     signal input w[32];
     signal output out[32];
 
-    component sum = Sum(32, 5);
+    component sum = BinSum(32, 5);
     component ch = Ch(32);
 
-    component bigsigma1 = Sigma(6, 11, 25);
+    component bigsigma1 = BigSigma(6, 11, 25);
 
-    for (var k=0; k<32; k++) {
-        bigsigma1.in[k] <== e[k];
-        ch.a[k] <== e[k];
-        ch.b[k] <== f[k];
-        ch.c[k] <== g[k]
+    for (var ki=0; ki<32; ki++) {
+        bigsigma1.in[ki] <== e[ki];
+        ch.a[ki] <== e[ki];
+        ch.b[ki] <== f[ki];
+        ch.c[ki] <== g[ki]
 
-        sum.in[0][k] <== h[k];
-        sum.in[1][k] <== bigsigma1.out[k];
-        sum.in[2][k] <== ch.out[k];
-        sum.in[3][k] <== k[k];
-        sum.in[4][k] <== w[k];
+        sum.in[0][ki] <== h[ki];
+        sum.in[1][ki] <== bigsigma1.out[ki];
+        sum.in[2][ki] <== ch.out[ki];
+        sum.in[3][ki] <== k[ki];
+        sum.in[4][ki] <== w[ki];
 
-        out[k] <== sum.out[k];
+        out[ki] <== sum.out[ki];
     }
 }

circuits/sha256/t2.circom

@@ -8,9 +8,9 @@ template T2() {
     signal input c[32];
     signal output out[32];
 
-    component sum = Sum(32, 2);
+    component sum = BinSum(32, 2);
 
-    component bigsigma0 = Sigma(2, 13, 22);
+    component bigsigma0 = BigSigma(2, 13, 22);
     component maj = Maj(32);
 
     for (var k=0; k<32; k++) {