  1. /*
  2. Copyright 2018 0KIMS association.
  3. This file is part of circom (Zero Knowledge Circuit Compiler).
  4. circom is a free software: you can redistribute it and/or modify it
  5. under the terms of the GNU General Public License as published by
  6. the Free Software Foundation, either version 3 of the License, or
  7. (at your option) any later version.
  8. circom is distributed in the hope that it will be useful, but WITHOUT
  9. ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  10. or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
  11. License for more details.
  12. You should have received a copy of the GNU General Public License
  13. along with circom. If not, see <https://www.gnu.org/licenses/>.
  14. */
  15. include "montgomery.circom";
  16. include "babyjub.circom";
  17. include "comparators.circom";
  18. template Multiplexor2() {
  19. signal input sel;
  20. signal input in[2][2];
  21. signal output out[2];
  22. out[0] <== (in[1][0] - in[0][0])*sel + in[0][0];
  23. out[1] <== (in[1][1] - in[0][1])*sel + in[0][1];
  24. }
  25. template BitElementMulAny() {
  26. signal input sel;
  27. signal input dblIn[2];
  28. signal input addIn[2];
  29. signal output dblOut[2];
  30. signal output addOut[2];
  31. component doubler = MontgomeryDouble();
  32. component adder = MontgomeryAdd();
  33. component selector = Multiplexor2();
  34. sel ==> selector.sel;
  35. dblIn[0] ==> doubler.in[0];
  36. dblIn[1] ==> doubler.in[1];
  37. doubler.out[0] ==> adder.in1[0];
  38. doubler.out[1] ==> adder.in1[1];
  39. addIn[0] ==> adder.in2[0];
  40. addIn[1] ==> adder.in2[1];
  41. addIn[0] ==> selector.in[0][0];
  42. addIn[1] ==> selector.in[0][1];
  43. adder.out[0] ==> selector.in[1][0];
  44. adder.out[1] ==> selector.in[1][1];
  45. doubler.out[0] ==> dblOut[0];
  46. doubler.out[1] ==> dblOut[1];
  47. selector.out[0] ==> addOut[0];
  48. selector.out[1] ==> addOut[1];
  49. }
/*
 * Multiplies the point p by the n-bit scalar e (e[0] least significant) with a
 * Montgomery double-and-add chain, returning the result in twisted Edwards form.
 *
 * Inputs
 *   e[n]  scalar bits. They are NOT constrained to {0,1} in this template;
 *         each one drives a Multiplexor2 selector, so the caller must
 *         constrain them.
 *   p[2]  base point in twisted Edwards coordinates. (An earlier header said
 *         "p is montgomery point"; the code below feeds p into
 *         Edwards2Montgomery, and also into BabyAdd, so it is an Edwards point.)
 * Outputs
 *   out[2] e * p, twisted Edwards coordinates
 *   dbl[2] 2^(n-1) * p in Montgomery coordinates -- the doubling chain is left
 *          in Montgomery form so a caller can continue it (EscalarMulAny
 *          doubles it once more to obtain the next segment's base point)
 *
 * Why the accumulator is seeded with p and p is subtracted at the end: the
 * chain folds in e[1..n-1] on top of a running sum that starts at p, so the
 * running sum never has to be the identity (affine Montgomery coordinates
 * cannot represent it). p is then removed with an Edwards addition and e[0]
 * selects whether it is kept.
 *
 * Requirements
 *   n must be <= 248 (original author's limit; presumably so the largest
 *   accumulated multiple stays below the subgroup order).
 *   n must be >= 2: with n == 1 `bits` has length 0 while bits[0] and
 *   bits[n-2] are still referenced. NOTE(review): EscalarMulAny can request
 *   a last segment of length 1 when n == 148*k + 1; not addressed here.
 */
template SegmentMulAny(n) {
    signal input e[n];
    signal input p[2];
    signal output out[2];
    signal output dbl[2];

    // one ladder step per bit e[1..n-1]; e[0] is applied by lastSel at the end
    component bits[n-1];

    // move p from twisted Edwards to Montgomery coordinates
    component e2m = Edwards2Montgomery();
    p[0] ==> e2m.in[0];
    p[1] ==> e2m.in[1];

    var i;

    // first step: doubles p, and adds the seed p to 2p when e[1] is set
    bits[0] = BitElementMulAny();
    e2m.out[0] ==> bits[0].dblIn[0]
    e2m.out[1] ==> bits[0].dblIn[1]
    e2m.out[0] ==> bits[0].addIn[0]
    e2m.out[1] ==> bits[0].addIn[1]
    e[1] ==> bits[0].sel;

    // remaining steps: dblOut carries 2^(i+1) * p, addOut the running sum
    for (i=1; i<n-1; i++) {
        bits[i] = BitElementMulAny();
        bits[i-1].dblOut[0] ==> bits[i].dblIn[0]
        bits[i-1].dblOut[1] ==> bits[i].dblIn[1]
        bits[i-1].addOut[0] ==> bits[i].addIn[0]
        bits[i-1].addOut[1] ==> bits[i].addIn[1]
        e[i+1] ==> bits[i].sel;
    }

    // 2^(n-1) * p, Montgomery form, exposed for chaining
    bits[n-2].dblOut[0] ==> dbl[0];
    bits[n-2].dblOut[1] ==> dbl[1];

    // running sum back to twisted Edwards form
    component m2e = Montgomery2Edwards();
    bits[n-2].addOut[0] ==> m2e.in[0];
    bits[n-2].addOut[1] ==> m2e.in[1];

    // subtract the seed: on a twisted Edwards curve -(x,y) = (-x,y)
    component eadder = BabyAdd();
    m2e.out[0] ==> eadder.x1;
    m2e.out[1] ==> eadder.y1;
    -p[0] ==> eadder.x2;
    p[1] ==> eadder.y2;

    // e[0] == 0: running sum minus p; e[0] == 1: running sum (seed kept)
    component lastSel = Multiplexor2();
    e[0] ==> lastSel.sel;
    eadder.xout ==> lastSel.in[0][0];
    eadder.yout ==> lastSel.in[0][1];
    m2e.out[0] ==> lastSel.in[1][0];
    m2e.out[1] ==> lastSel.in[1][1];
    lastSel.out[0] ==> out[0];
    lastSel.out[1] ==> out[1];
}
/*
 * Scalar multiplication out = e * p for an arbitrary (non-fixed) point p,
 * twisted Edwards coordinates in and out.
 *
 * This function assumes that p is in the subgroup and it is different to 0
 * (original header). The p == (0,1) case is nevertheless handled explicitly
 * below; points outside the subgroup are not.
 *
 * Inputs
 *   e[n]  scalar in binary, e[0] least significant. The bits are NOT
 *         constrained to {0,1} by this template: every bit ends up as a
 *         Multiplexor2 selector, and an unconstrained selector lets the
 *         prover pick any point on the line between the two candidates.
 *         The caller must constrain them.
 *   p[2]  point, twisted Edwards coordinates
 * Output
 *   out[2] e * p, twisted Edwards coordinates
 *
 * The scalar is cut into 148-bit segments handled by SegmentMulAny. Segment
 * s works on base 2^(148 s) * p, derived from the previous segment's `dbl`
 * output (2^147 * base, Montgomery form) by one more MontgomeryDouble and a
 * Montgomery2Edwards. Segment results are summed with BabyAdd.
 *
 * NOTE(review): when n == 148*k + 1 (k >= 1), nlastsegment is 1 and
 * SegmentMulAny(1) declares a zero-length `bits` array it then indexes;
 * the same happens for n == 1. Not addressed here.
 */
template EscalarMulAny(n) {
    signal input e[n]; // Input in binary format (little-endian; see header)
    signal input p[2]; // Point (Twisted format)
    signal output out[2]; // Point (Twisted format)

    // \ is integer division: ceil(n/148) segments, the last one possibly shorter
    var nsegments = (n-1)\148 +1;
    var nlastsegment = n - (nsegments-1)*148;

    component segments[nsegments];
    // one of each per segment boundary: next base point and partial-sum adder
    component doublers[nsegments-1];
    component m2e[nsegments-1];
    component adders[nsegments-1];

    // zeropoint.out == 1 iff p[0] == 0, i.e. p is the identity (0,1) under the
    // subgroup assumption ((0,-1) also has x == 0 but is excluded by it)
    component zeropoint = IsZero();
    zeropoint.in <== p[0];

    var s;
    var i;
    var nseg;
    for (s=0; s<nsegments; s++) {
        nseg = (s < nsegments-1) ? 148 : nlastsegment;
        segments[s] = SegmentMulAny(nseg);
        for (i=0; i<nseg; i++) {
            e[s*148+i] ==> segments[s].e[i];
        }
        if (s==0) {
            // force G8 point if input point is zero
            // When zeropoint.out == 1 the constant point replaces p, so the
            // Montgomery arithmetic inside the segments never sees the
            // identity; the result computed on the substitute is discarded
            // by the final selection below.
            segments[s].p[0] <== p[0] + (5299619240641551281634865583518297030282874472190772894086521144482721001553 - p[0])*zeropoint.out;
            segments[s].p[1] <== p[1] + (16950150798460657717958625567821834550301663161624707787222815936182638968203 - p[1])*zeropoint.out;
        } else {
            // base for segment s: double the previous segment's dbl output and
            // convert to twisted Edwards
            doublers[s-1] = MontgomeryDouble();
            m2e[s-1] = Montgomery2Edwards();
            adders[s-1] = BabyAdd();
            segments[s-1].dbl[0] ==> doublers[s-1].in[0];
            segments[s-1].dbl[1] ==> doublers[s-1].in[1];
            doublers[s-1].out[0] ==> m2e[s-1].in[0];
            doublers[s-1].out[1] ==> m2e[s-1].in[1];
            m2e[s-1].out[0] ==> segments[s].p[0];
            m2e[s-1].out[1] ==> segments[s].p[1];
            // running sum: adders[s-1] = (previous sum) + segments[s].out
            if (s==1) {
                segments[s-1].out[0] ==> adders[s-1].x1;
                segments[s-1].out[1] ==> adders[s-1].y1;
            } else {
                adders[s-2].xout ==> adders[s-1].x1;
                adders[s-2].yout ==> adders[s-1].y1;
            }
            segments[s].out[0] ==> adders[s-1].x2;
            segments[s].out[1] ==> adders[s-1].y2;
        }
    }

    // Final selection: the computed point when zeropoint.out == 0, and
    // (0,1) -- the identity -- when the input point was zero.
    if (nsegments == 1) {
        segments[0].out[0]*(1-zeropoint.out) ==> out[0];
        segments[0].out[1]+(1-segments[0].out[1])*zeropoint.out ==> out[1];
    } else {
        adders[nsegments-2].xout*(1-zeropoint.out) ==> out[0];
        adders[nsegments-2].yout+(1-adders[nsegments-2].yout)*zeropoint.out ==> out[1];
    }
}