Merge branch 'feature/mimcsponge' of https://github.com/kobigurk/circomlib into kobigurk-feature/mimcsponge

src/eddsa.js

@@ -4,14 +4,17 @@ const babyJub = require("./babyjub");
 const pedersenHash = require("./pedersenHash").hash;
 const mimc7 = require("./mimc7");
 const poseidon = require("./poseidon.js");
+const mimcsponge = require("./mimcsponge");
 
 exports.prv2pub= prv2pub;
 exports.sign = sign;
 exports.signMiMC = signMiMC;
 exports.signPoseidon = signPoseidon;
+exports.signMiMCSponge = signMiMCSponge;
 exports.verify = verify;
 exports.verifyMiMC = verifyMiMC;
 exports.verifyPoseidon = verifyPoseidon;
+exports.verifyMiMCSponge = verifyMiMCSponge;
 exports.packSignature = packSignature;
 exports.unpackSignature = unpackSignature;
 exports.pruneBuffer = pruneBuffer;
@@ -72,6 +75,24 @@ function signMiMC(prv, msg) {
     };
 }
 
+function signMiMCSponge(prv, msg) {
+    const h1 = createBlakeHash("blake512").update(prv).digest();
+    const sBuff = pruneBuffer(h1.slice(0,32));
+    const s = bigInt.leBuff2int(sBuff);
+    const A = babyJub.mulPointEscalar(babyJub.Base8, s.shr(3));
+
+    const msgBuff = bigInt.leInt2Buff(msg, 32);
+    const rBuff = createBlakeHash("blake512").update(Buffer.concat([h1.slice(32,64), msgBuff])).digest();
+    let r = bigInt.leBuff2int(rBuff);
+    r = r.mod(babyJub.subOrder);
+    const R8 = babyJub.mulPointEscalar(babyJub.Base8, r);
+    const hm = mimcsponge.multiHash([R8[0], R8[1], A[0], A[1], msg]);
+    const S = r.add(hm.mul(s)).mod(babyJub.subOrder);
+    return {
+        R8: R8,
+        S: S
+    };
+}
 
 function signPoseidon(prv, msg) {
     const h1 = createBlakeHash("blake512").update(prv).digest();
@@ -84,9 +105,7 @@ function signPoseidon(prv, msg) {
     let r = bigInt.leBuff2int(rBuff);
     r = r.mod(babyJub.subOrder);
     const R8 = babyJub.mulPointEscalar(babyJub.Base8, r);
-
     const hash = poseidon.createHash(6, 8, 57);
-
     const hm = hash([R8[0], R8[1], A[0], A[1], msg]);
     const S = r.add(hm.mul(s)).mod(babyJub.subOrder);
     return {
@@ -166,6 +185,28 @@ function verifyPoseidon(msg, sig, A) {
     return true;
 }
 
+function verifyMiMCSponge(msg, sig, A) {
+    // Check parameters
+    if (typeof sig != "object") return false;
+    if (!Array.isArray(sig.R8)) return false;
+    if (sig.R8.length!= 2) return false;
+    if (!babyJub.inCurve(sig.R8)) return false;
+    if (!Array.isArray(A)) return false;
+    if (A.length!= 2) return false;
+    if (!babyJub.inCurve(A)) return false;
+    if (sig.S>= babyJub.subOrder) return false;
+
+    const hm = mimcsponge.multiHash([sig.R8[0], sig.R8[1], A[0], A[1], msg]);
+
+    const Pleft = babyJub.mulPointEscalar(babyJub.Base8, sig.S);
+    let Pright = babyJub.mulPointEscalar(A, hm.mul(bigInt("8")));
+    Pright = babyJub.addPoint(sig.R8, Pright);
+
+    if (!Pleft[0].equals(Pright[0])) return false;
+    if (!Pleft[1].equals(Pright[1])) return false;
+    return true;
+}
+
 function packSignature(sig) {
     const R8p = babyJub.packPoint(sig.R8);
     const Sp = bigInt.leInt2Buff(sig.S, 32);

src/mimcsponge.js

@@ -0,0 +1,86 @@
+const bn128 = require("snarkjs").bn128;
+const bigInt = require("snarkjs").bigInt;
+const Web3Utils = require("web3-utils");
+const F = bn128.Fr;
+
+const SEED = "mimcsponge";
+const NROUNDS = 220;
+
+exports.getIV = (seed) => {
+    if (typeof seed === "undefined") seed = SEED;
+    const c = Web3Utils.keccak256(seed+"_iv");
+    const cn = bigInt(Web3Utils.toBN(c).toString());
+    const iv = cn.mod(F.q);
+    return iv;
+};
+
+exports.getConstants = (seed, nRounds) => {
+    if (typeof seed === "undefined") seed = SEED;
+    if (typeof nRounds === "undefined") nRounds = NROUNDS;
+    const cts = new Array(nRounds);
+    let c = Web3Utils.keccak256(SEED);
+    for (let i=1; i<nRounds; i++) {
+        c = Web3Utils.keccak256(c);
+
+        const n1 = Web3Utils.toBN(c).mod(Web3Utils.toBN(F.q.toString()));
+        const c2 = Web3Utils.padLeft(Web3Utils.toHex(n1), 64);
+        cts[i] = bigInt(Web3Utils.toBN(c2).toString());
+    }
+    cts[0] = bigInt(0);
+    cts[cts.length - 1] = bigInt(0);
+    return cts;
+};
+
+const cts = exports.getConstants(SEED, NROUNDS);
+
+exports.hash = (_xL_in, _xR_in, _k) =>{
+    let xL = bigInt(_xL_in);
+    let xR = bigInt(_xR_in);
+    const k = bigInt(_k);
+    for (let i=0; i<NROUNDS; i++) {
+        const c = cts[i];
+        const t = (i==0) ? F.add(xL, k) : F.add(F.add(xL, k), c);
+        const xR_tmp = bigInt(xR);
+        if (i < (NROUNDS - 1)) {
+          xR = xL;
+          xL = F.add(xR_tmp, F.exp(t, 5));
+        } else {
+          xR = F.add(xR_tmp, F.exp(t, 5));
+        }
+    }
+    return {
+      xL: F.affine(xL),
+      xR: F.affine(xR),
+    };
+};
+
+exports.multiHash = (arr, key, numOutputs) => {
+    if (typeof(numOutputs) === "undefined") {
+      numOutputs = 1;
+    }
+    if (typeof(key) === "undefined") {
+        key = F.zero;
+    }
+
+    let R = F.zero;
+    let C = F.zero;
+
+    for (let i=0; i<arr.length; i++) {
+      R = F.add(R, bigInt(arr[i]));
+      const S = exports.hash(R, C, key);
+      R = S.xL;
+      C = S.xR;
+    }
+    let outputs = [R];
+    for (let i=1; i < numOutputs; i++) {
+      const S = exports.hash(R, C, key);
+      R = S.xL;
+      C = S.xR;
+      outputs.push(R);
+    }
+    if (numOutputs == 1) {
+      return F.affine(outputs[0]);
+    } else {
+      return outputs.map(x => F.affine(x));
+    }
+};

src/mimcsponge_gencontract.js

@@ -0,0 +1,128 @@
+// Copyright (c) 2018 Jordi Baylina
+// License: LGPL-3.0+
+//
+
+const Web3Utils = require("web3-utils");
+
+const Contract = require("./evmasm");
+
+function createCode(seed, n) {
+
+    let ci = Web3Utils.keccak256(seed);
+
+    const C = new Contract();
+
+    C.push(0x64);
+    C.push("0x00");
+    C.push("0x00");
+    C.calldatacopy();
+    C.push("0x0100000000000000000000000000000000000000000000000000000000");
+    C.push("0x00");
+    C.mload();
+    C.div();
+    C.push("0x3f1a1187"); // MiMCSponge(uint256,uint256,uint256)
+    C.eq();
+    C.jmpi("start");
+    C.invalid();
+
+    C.label("start");
+    C.push("0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001");  // q
+    C.push("0x44");
+    C.mload();          // k q
+    C.push("0x04");
+    C.mload();          // xL k q
+    C.dup(2);           // q xL k q
+    C.push("0x24");
+    C.mload();          // xR q xL k q
+    C.dup(1);           // q xR q xL k q
+    C.dup(0);           // q q xR q xL k q
+    C.dup(4);           // xL q q xR q xL k q
+    C.dup(6);           // k xL q q xR q xL k q
+    C.addmod();         // t=k+xL q xR q xL k q
+    C.dup(1);           // q t q xR q xL k q
+    C.dup(0);           // q q t q xR q xL k q
+    C.dup(2);           // t q q t q xR q xL k q
+    C.dup(0);           // t t q q t q xR q xL k q
+    C.mulmod();         // b=t^2 q t q xR q xL k q
+    C.dup(0);           // b b q t q xR q xL k q
+    C.mulmod();         // c=t^4 t q xR q xL k q
+    C.mulmod();         // d=t^5 xR q xL k q
+    C.addmod();         // e=t^5+xR xL k q (for next round: xL xR k q)
+
+    for (let i=0; i<n-1; i++) {
+        if (i < n-2) {
+          ci = Web3Utils.keccak256(ci);
+        } else {
+          ci = "0x00";
+        }
+        C.swap(1);      // xR xL k q
+        C.dup(3);       // q xR xL k q
+        C.dup(3);       // k q xR xL k q
+        C.dup(1);       // q k q xR xL k q
+        C.dup(4);       // xL q k q xR xL k q
+        C.push(ci);     // ci xL q k q xR xL k q
+        C.addmod();     // a=ci+xL k q xR xL k q
+        C.addmod();     // t=a+k xR xL k q
+        C.dup(4);       // q t xR xL k q
+        C.swap(1);      // t q xR xL k q
+        C.dup(1);       // q t q xR xL k q
+        C.dup(0);       // q q t q xR xL k q
+        C.dup(2);       // t q q t q xR xL k q
+        C.dup(0);       // t t q q t q xR xL k q
+        C.mulmod();     // b=t^2 q t q xR xL k q
+        C.dup(0);       // b b q t q xR xL k q
+        C.mulmod();     // c=t^4 t q xR xL k q
+        C.mulmod();     // d=t^5 xR xL k q
+        C.dup(4);       // q d xR xL k q
+        C.swap(2);      // xR d q xL k q
+        C.addmod();     // e=t^5+xR xL k q (for next round: xL xR k q)
+    }
+
+    C.push("0x20");
+    C.mstore();     // Save it to pos 0;
+    C.push("0x00");
+    C.mstore();     // Save it to pos 1;
+    C.push("0x40");
+    C.push("0x00");
+    C.return();
+
+    return C.createTxData();
+}
+
+module.exports.abi = [
+    {
+        "constant": true,
+        "inputs": [
+            {
+                "name": "xL_in",
+                "type": "uint256"
+            },
+            {
+                "name": "xR_in",
+                "type": "uint256"
+            },
+            {
+                "name": "k",
+                "type": "uint256"
+            }
+        ],
+        "name": "MiMCSponge",
+        "outputs": [
+            {
+                "name": "xL",
+                "type": "uint256"
+            },
+            {
+                "name": "xR",
+                "type": "uint256"
+            }
+        ],
+        "payable": false,
+        "stateMutability": "pure",
+        "type": "function"
+    }
+];
+
+module.exports.createCode = createCode;
+
+

src/mimcsponge_printconstants.js

@@ -0,0 +1,13 @@
+const mimcsponge = require("./mimcsponge.js");
+
+const nRounds = 220;
+let S = "[\n";
+const cts = mimcsponge.getConstants();
+for (let i=0; i<nRounds; i++) {
+    S = S + cts[i].toString();
+    if (i<nRounds-1) S = S + ",";
+    S=S+"\n";
+}
+S = S + "]\n";
+
+console.log(S);

src/mimcsponge_printcontract.js

@@ -0,0 +1,13 @@
+const mimcGenContract = require("./mimcsponge_gencontract");
+
+const SEED = "mimcsponge";
+
+let nRounds;
+if (typeof process.argv[2] != "undefined") {
+    nRounds = parseInt(process.argv[2]);
+} else {
+    nRounds = 220;
+}
+
+console.log(mimcGenContract.createCode(SEED, nRounds));
+