|
|
include "montgomery.circom";include "babyjub.circom";
template Multiplexor2() { signal input sel; signal input in[2][2]; signal output out[2];
out[0] <== (in[1][0] - in[0][0])*sel + in[0][0]; out[1] <== (in[1][1] - in[0][1])*sel + in[0][1];}
template BitElementMulAny() { signal input sel; signal input dblIn[2]; signal input addIn[2]; signal output dblOut[2]; signal output addOut[2];
component doubler = MontgomeryDouble(); component adder = MontgomeryAdd(); component selector = Multiplexor2();
sel ==> selector.sel;
dblIn[0] ==> doubler.in[0]; dblIn[1] ==> doubler.in[1]; doubler.out[0] ==> adder.in1[0]; doubler.out[1] ==> adder.in1[1]; addIn[0] ==> adder.in2[0]; addIn[1] ==> adder.in2[1]; addIn[0] ==> selector.in[0][0]; addIn[1] ==> selector.in[0][1]; adder.out[0] ==> selector.in[1][0]; adder.out[1] ==> selector.in[1][1];
doubler.out[0] ==> dblOut[0]; doubler.out[1] ==> dblOut[1]; selector.out[0] ==> addOut[0]; selector.out[1] ==> addOut[1];}
// p is montgomery point// n must be <= 248// returns out in twisted edwards// Double is in montgomery to be linked;
template SegmentMulAny(n) { signal input e[n]; signal input p[2]; signal output out[2]; signal output dbl[2];
component bits[n-1];
component e2m = Edwards2Montgomery();
p[0] ==> e2m.in[0]; p[1] ==> e2m.in[1];
var i;
bits[0] = BitElementMulAny(); e2m.out[0] ==> bits[0].dblIn[0] e2m.out[1] ==> bits[0].dblIn[1] e2m.out[0] ==> bits[0].addIn[0] e2m.out[1] ==> bits[0].addIn[1] e[1] ==> bits[0].sel;
for (i=1; i<n-1; i++) { bits[i] = BitElementMulAny();
bits[i-1].dblOut[0] ==> bits[i].dblIn[0] bits[i-1].dblOut[1] ==> bits[i].dblIn[1] bits[i-1].addOut[0] ==> bits[i].addIn[0] bits[i-1].addOut[1] ==> bits[i].addIn[1] e[i+1] ==> bits[i].sel; }
bits[n-2].dblOut[0] ==> dbl[0]; bits[n-2].dblOut[1] ==> dbl[1];
component m2e = Montgomery2Edwards();
bits[n-2].addOut[0] ==> m2e.in[0]; bits[n-2].addOut[1] ==> m2e.in[1];
component eadder = BabyAdd();
m2e.out[0] ==> eadder.x1; m2e.out[1] ==> eadder.y1; -p[0] ==> eadder.x2; p[1] ==> eadder.y2;
component lastSel = Multiplexor2();
e[0] ==> lastSel.sel; eadder.xout ==> lastSel.in[0][0]; eadder.yout ==> lastSel.in[0][1]; m2e.out[0] ==> lastSel.in[1][0]; m2e.out[1] ==> lastSel.in[1][1];
lastSel.out[0] ==> out[0]; lastSel.out[1] ==> out[1];}
// This function assumes that p is in the subgroup and it is different to 0
template EscalarMulAny(n) { signal input e[n]; // Input in binary format signal input p[2]; // Point (Twisted format) signal output out[2]; // Point (Twisted format)
var nsegments = (n-1)\148 +1; var nlastsegment = n - (nsegments-1)*148;
component segments[nsegments]; component doublers[nsegments-1]; component m2e[nsegments-1]; component adders[nsegments-1];
var s; var i; var nseg;
for (s=0; s<nsegments; s++) {
nseg = (s < nsegments-1) ? 148 : nlastsegment;
segments[s] = SegmentMulAny(nseg);
for (i=0; i<nseg; i++) { e[s*148+i] ==> segments[s].e[i]; }
if (s==0) { p[0] ==> segments[s].p[0]; p[1] ==> segments[s].p[1]; } else { doublers[s-1] = MontgomeryDouble(); m2e[s-1] = Montgomery2Edwards(); adders[s-1] = BabyAdd();
segments[s-1].dbl[0] ==> doublers[s-1].in[0]; segments[s-1].dbl[1] ==> doublers[s-1].in[1];
doublers[s-1].out[0] ==> m2e[s-1].in[0]; doublers[s-1].out[1] ==> m2e[s-1].in[1];
m2e[s-1].out[0] ==> segments[s].p[0]; m2e[s-1].out[1] ==> segments[s].p[1];
if (s==1) { segments[s-1].out[0] ==> adders[s-1].x1; segments[s-1].out[1] ==> adders[s-1].y1; } else { adders[s-2].xout ==> adders[s-1].x1; adders[s-2].yout ==> adders[s-1].y1; } segments[s].out[0] ==> adders[s-1].x2; segments[s].out[1] ==> adders[s-1].y2; } }
if (nsegments == 1) { segments[0].out[0] ==> out[0]; segments[0].out[1] ==> out[1]; } else { adders[nsegments-2].xout ==> out[0]; adders[nsegments-2].yout ==> out[1]; }}
|
