Go back to blake

4 years ago · d5ed1c3ce4
10 changed files with 88 additions and 56 deletions
--- a/circuits/pedersen.circom
+++ b/circuits/pedersen.circom
@ -177,16 +177,17 @@ template Pedersen(n) {
    signal output out[2];

    var BASE[10][2] = [
        [7688621503272331394947188562469131124099290577812125474996268020905176040083,6637287939860384587467947982369268811366630904563077767287326262235485629411],
        [11549681895645637778324638856880330712650895608496649854094912415387988201330,5771732722784528537721081267383956005090479808901717812009343940574217488577],
        [18790245153471844934157747708238883966079935875787657036767664036124524381945,18300275459419441151064576487317481499516933849631632883767173501999997278432],
        [16301069151422548986850494139112207641738464387919729729324473657161689764196,8215273507373494014441104012907835625670941526105528197815397741007626226499],
        [12597665704678284488008395353749282149622295037737374782196049599390683534185,4072455241781501621593714139281767473040087753548015968773801065193764079468],
        [4729410576230735258214831208080552588881894465489299233097088872252465832672,14367731890670510422926552586486424937476635415639602730590517235570020260326],
        [7546420686025050869200393054526306477146836870617678274607971529534032974471,8663210466512842901413293603100781938253817808912549776944118491282484711929],
        [6544653022506992755201027646251976600601201151329001772892901529509137954387,5932506509962692832681604586561215780097326378431958035490245111470435106811],
        [12376274813795671622507230443130412169480807188767687554607910279743333852725,10116389110458158800073166533660211332390835019644001845057351607297889034557],
        [18268098112071835140361074835791174816144587762778386397940339415400583397725,8120955462199046866292537174552276799123029303901205157708576578886090835495]
        [10457101036533406547632367118273992217979173478358440826365724437999023779287,19824078218392094440610104313265183977899662750282163392862422243483260492317],
        [2671756056509184035029146175565761955751135805354291559563293617232983272177,2663205510731142763556352975002641716101654201788071096152948830924149045094],
        [5802099305472655231388284418920769829666717045250560929368476121199858275951,5980429700218124965372158798884772646841287887664001482443826541541529227896],
        [7107336197374528537877327281242680114152313102022415488494307685842428166594,2857869773864086953506483169737724679646433914307247183624878062391496185654],
        [20265828622013100949498132415626198973119240347465898028410217039057588424236,1160461593266035632937973507065134938065359936056410650153315956301179689506],
        [1487999857809287756929114517587739322941449154962237464737694709326309567994,14017256862867289575056460215526364897734808720610101650676790868051368668003],
        [14618644331049802168996997831720384953259095788558646464435263343433563860015,13115243279999696210147231297848654998887864576952244320558158620692603342236],
        [6814338563135591367010655964669793483652536871717891893032616415581401894627,13660303521961041205824633772157003587453809761793065294055279768121314853695],
        [3571615583211663069428808372184817973703476260057504149923239576077102575715,11981351099832644138306422070127357074117642951423551606012551622164230222506],
        [18597552580465440374022635246985743886550544261632147935254624835147509493269,6753322320275422086923032033899357299485124665258735666995435957890214041481]

    ];

    var nSegments = ((n-1)\200)+1;
--- a/circuits/pedersen_old.circom
+++ b/circuits/pedersen_old.circom
@ -29,16 +29,17 @@ template Pedersen(n) {
    component escalarMuls[nexps];

    var PBASE[10][2] = [
        [7688621503272331394947188562469131124099290577812125474996268020905176040083,6637287939860384587467947982369268811366630904563077767287326262235485629411],
        [11549681895645637778324638856880330712650895608496649854094912415387988201330,5771732722784528537721081267383956005090479808901717812009343940574217488577],
        [18790245153471844934157747708238883966079935875787657036767664036124524381945,18300275459419441151064576487317481499516933849631632883767173501999997278432],
        [16301069151422548986850494139112207641738464387919729729324473657161689764196,8215273507373494014441104012907835625670941526105528197815397741007626226499],
        [12597665704678284488008395353749282149622295037737374782196049599390683534185,4072455241781501621593714139281767473040087753548015968773801065193764079468],
        [4729410576230735258214831208080552588881894465489299233097088872252465832672,14367731890670510422926552586486424937476635415639602730590517235570020260326],
        [7546420686025050869200393054526306477146836870617678274607971529534032974471,8663210466512842901413293603100781938253817808912549776944118491282484711929],
        [6544653022506992755201027646251976600601201151329001772892901529509137954387,5932506509962692832681604586561215780097326378431958035490245111470435106811],
        [12376274813795671622507230443130412169480807188767687554607910279743333852725,10116389110458158800073166533660211332390835019644001845057351607297889034557],
        [18268098112071835140361074835791174816144587762778386397940339415400583397725,8120955462199046866292537174552276799123029303901205157708576578886090835495]
        [10457101036533406547632367118273992217979173478358440826365724437999023779287,19824078218392094440610104313265183977899662750282163392862422243483260492317],
        [2671756056509184035029146175565761955751135805354291559563293617232983272177,2663205510731142763556352975002641716101654201788071096152948830924149045094],
        [5802099305472655231388284418920769829666717045250560929368476121199858275951,5980429700218124965372158798884772646841287887664001482443826541541529227896],
        [7107336197374528537877327281242680114152313102022415488494307685842428166594,2857869773864086953506483169737724679646433914307247183624878062391496185654],
        [20265828622013100949498132415626198973119240347465898028410217039057588424236,1160461593266035632937973507065134938065359936056410650153315956301179689506],
        [1487999857809287756929114517587739322941449154962237464737694709326309567994,14017256862867289575056460215526364897734808720610101650676790868051368668003],
        [14618644331049802168996997831720384953259095788558646464435263343433563860015,13115243279999696210147231297848654998887864576952244320558158620692603342236],
        [6814338563135591367010655964669793483652536871717891893032616415581401894627,13660303521961041205824633772157003587453809761793065294055279768121314853695],
        [3571615583211663069428808372184817973703476260057504149923239576077102575715,11981351099832644138306422070127357074117642951423551606012551622164230222506],
        [18597552580465440374022635246985743886550544261632147935254624835147509493269,6753322320275422086923032033899357299485124665258735666995435957890214041481]

    ];

    var i;
--- a/package-lock.json
+++ b/package-lock.json
@ -292,6 +292,16 @@
        "safe-buffer": "^5.1.1"
      }
    },
    "blake-hash": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/blake-hash/-/blake-hash-1.1.0.tgz",
      "integrity": "sha512-rNbOFPT7DC/0XnLBJ0noWuzcV+9kHwEKzRGljHMDLQzYv6WZT1vjV3UkWQuNFzyr5tIL7zSsw7A834pgTl75xQ==",
      "requires": {
        "bindings": "^1.2.1",
        "inherits": "^2.0.3",
        "nan": "^2.2.1"
      }
    },
    "blake2b": {
      "version": "2.1.3",
      "resolved": "https://registry.npmjs.org/blake2b/-/blake2b-2.1.3.tgz",
--- a/package.json
+++ b/package.json
@ -24,6 +24,7 @@
  "author": "0Kims",
  "license": "GPL-3.0",
  "dependencies": {
    "blake-hash": "^1.1.0",
    "blake2b": "^2.1.3",
    "circom": "0.5.8",
    "ffjavascript": "0.1.0",
--- a/src/eddsa.js
+++ b/src/eddsa.js
@ -1,4 +1,4 @@
 const blake2b = require("blake2b");
 const createBlakeHash = require("blake-hash");
 const Scalar = require("ffjavascript").Scalar;
 const F1Field = require("ffjavascript").F1Field;
 const babyJub = require("./babyjub");
@ -32,19 +32,19 @@ function pruneBuffer(_buff) {
 }

 function prv2pub(prv) {
    const sBuff = pruneBuffer(blake2b(64).update(prv).digest().slice(0,32));
    const sBuff = pruneBuffer(createBlakeHash("blake512").update(prv).digest().slice(0,32));
    let s = utils.leBuff2int(sBuff);
    const A = babyJub.mulPointEscalar(babyJub.Base8, Scalar.shr(s,3));
    return A;
 }

 function sign(prv, msg) {
    const h1 = Buffer.from(blake2b(64).update(prv).digest());
    const h1 = createBlakeHash("blake512").update(prv).digest();
    const sBuff = pruneBuffer(h1.slice(0,32));
    const s = utils.leBuff2int(sBuff);
    const A = babyJub.mulPointEscalar(babyJub.Base8, Scalar.shr(s, 3));

    const rBuff = Buffer.from(blake2b(64).update(Buffer.concat([h1.slice(32,64), msg])).digest());
    const rBuff = createBlakeHash("blake512").update(Buffer.concat([h1.slice(32,64), msg])).digest();
    let r = utils.leBuff2int(rBuff);
    const Fr = new F1Field(babyJub.subOrder);
    r = Fr.e(r);
@ -61,13 +61,13 @@ function sign(prv, msg) {
 }

 function signMiMC(prv, msg) {
    const h1 = Buffer.from(blake2b(64).update(prv).digest());
    const h1 = createBlakeHash("blake512").update(prv).digest();
    const sBuff = pruneBuffer(h1.slice(0,32));
    const s = utils.leBuff2int(sBuff);
    const A = babyJub.mulPointEscalar(babyJub.Base8, Scalar.shr(s, 3));

    const msgBuff = utils.leInt2Buff(msg, 32);
    const rBuff = Buffer.from(blake2b(64).update(Buffer.concat([h1.slice(32,64), msgBuff])).digest());
    const rBuff = createBlakeHash("blake512").update(Buffer.concat([h1.slice(32,64), msgBuff])).digest();
    let r = utils.leBuff2int(rBuff);
    const Fr = new F1Field(babyJub.subOrder);
    r = Fr.e(r);
@ -81,13 +81,13 @@ function signMiMC(prv, msg) {
 }

 function signMiMCSponge(prv, msg) {
    const h1 = Buffer.from(blake2b(64).update(prv).digest());
    const h1 = createBlakeHash("blake512").update(prv).digest();
    const sBuff = pruneBuffer(h1.slice(0,32));
    const s = utils.leBuff2int(sBuff);
    const A = babyJub.mulPointEscalar(babyJub.Base8, Scalar.shr(s, 3));

    const msgBuff = utils.leInt2Buff(msg, 32);
    const rBuff = Buffer.from(blake2b(64).update(Buffer.concat([h1.slice(32,64), msgBuff])).digest());
    const rBuff = createBlakeHash("blake512").update(Buffer.concat([h1.slice(32,64), msgBuff])).digest();
    let r = utils.leBuff2int(rBuff);
    const Fr = new F1Field(babyJub.subOrder);
    r = Fr.e(r);
@ -101,13 +101,13 @@ function signMiMCSponge(prv, msg) {
 }

 function signPoseidon(prv, msg) {
    const h1 = Buffer.from(blake2b(64).update(prv).digest());
    const h1 = createBlakeHash("blake512").update(prv).digest();
    const sBuff = pruneBuffer(h1.slice(0,32));
    const s = utils.leBuff2int(sBuff);
    const A = babyJub.mulPointEscalar(babyJub.Base8, Scalar.shr(s, 3));

    const msgBuff = utils.leInt2Buff(msg, 32);
    const rBuff = Buffer.from(blake2b(64).update(Buffer.concat([h1.slice(32,64), msgBuff])).digest());
    const rBuff = createBlakeHash("blake512").update(Buffer.concat([h1.slice(32,64), msgBuff])).digest();
    let r = utils.leBuff2int(rBuff);
    const Fr = new F1Field(babyJub.subOrder);
    r = Fr.e(r);
--- a/src/pedersenHash.js
+++ b/src/pedersenHash.js
@ -1,4 +1,5 @@
 const babyJub = require("./babyjub");
 const createBlakeHash = require("blake-hash");
 const blake2b = require("blake2b");
 const Scalar = require("ffjavascript").Scalar;

@ -9,7 +10,17 @@ const nWindowsPerSegment = 50;
 exports.hash = pedersenHash;
 exports.getBasePoint = getBasePoint;

 function pedersenHash(msg) {
 function baseHash(type, S) {
    if (type == "blake") {
        return createBlakeHash("blake256").update(S).digest();
    } else if (type == "blake2b") {
        return Buffer.from(blake2b(32).update(Buffer.from(S)).digest());
    }
 }

 function pedersenHash(msg, options) {
    options = options || {};
    options.baseHash = options.baseHash || "blake";
    const bitsPerSegment = windowSize*nWindowsPerSegment;
    const bits = buffer2bits(msg);

@ -49,7 +60,7 @@ function pedersenHash(msg) {
            escalar = Scalar.add( escalar, babyJub.subOrder);
        }

        accP = babyJub.addPoint(accP, babyJub.mulPointEscalar(getBasePoint(s), escalar));
        accP = babyJub.addPoint(accP, babyJub.mulPointEscalar(getBasePoint(options.baseHash, s), escalar));
    }

    return babyJub.packPoint(accP);
@ -57,13 +68,13 @@ function pedersenHash(msg) {

 let bases = [];

 function getBasePoint(pointIdx) {
 function getBasePoint(baseHashType, pointIdx) {
    if (pointIdx<bases.length) return bases[pointIdx];
    let p= null;
    let tryIdx = 0;
    while (p==null) {
        const S = GENPOINT_PREFIX + "_" + padLeftZeros(pointIdx, 32) + "_" + padLeftZeros(tryIdx, 32);
        const h = Buffer.from(blake2b(32).update(Buffer.from(S)).digest());
        const h = baseHash(baseHashType, S);
        h[31] = h[31] & 0xBF;  // Set 255th bit to 0 (256th is the signal and 254th is the last possible bit to 1)
        p = babyJub.unpackPoint(h);
        tryIdx++;
--- a/src/pedersen_printbases.js
+++ b/src/pedersen_printbases.js
@ -7,7 +7,15 @@ if (typeof process.argv[2] != "undefined") {
    nBases = 5;
 }

 let baseHash;
 if (typeof process.argv[3] != "undefined") {
    baseHash = process.argv[3];
 } else {
    baseHash = "blake";
 }


 for (let i=0; i < nBases; i++) {
    const p = pedersenHash.getBasePoint(i);
    const p = pedersenHash.getBasePoint(baseHash, i);
    console.log(`[${p[0]},${p[1]}]`);
 }
--- a/test/babyjub.js
+++ b/test/babyjub.js
@ -1,7 +1,7 @@
 const chai = require("chai");
 const path = require("path");

 const blake2b = require("blake2b");
 const createBlakeHash = require("blake-hash");
 const eddsa = require("../src/eddsa.js");
 const F = require("../src/babyjub.js").F;

@ -94,7 +94,7 @@ describe("Baby Jub test", function () {
    it("Should extract the public key from the private one", async () => {

        const rawpvk = Buffer.from("0001020304050607080900010203040506070809000102030405060708090021", "hex");
        const pvk    = eddsa.pruneBuffer(Buffer.from(blake2b(64).update(rawpvk).digest().slice(0,32)));
        const pvk    = eddsa.pruneBuffer(createBlakeHash("blake512").update(rawpvk).digest().slice(0,32));
        const S      = Scalar.shr(utils.leBuff2int(pvk), 3);

        const A      = eddsa.prv2pub(rawpvk);
--- a/test/eddsa_js.js
+++ b/test/eddsa_js.js
@ -22,24 +22,24 @@ describe("EdDSA js test", function () {
        const pubKey = eddsa.prv2pub(prvKey);

        assert.equal(pubKey[0].toString(),
            "17579234973106307986399040784563986669343100608865726413246909559198451825625");
            "13277427435165878497778222415993513565335242147425444199013288855685581939618");
        assert.equal(pubKey[1].toString(),
            "21581828029826859845363968476425861244058376747493285816141526544272562145486");
            "13622229784656158136036771217484571176836296686641868549125388198837476602820");

        const pPubKey = babyJub.packPoint(pubKey);

        const signature = eddsa.signMiMC(prvKey, msg);
        assert.equal(signature.R8[0].toString(),
            "12672422877531089818651367820728973438446851190471722610781936061829103362897");
            "11384336176656855268977457483345535180380036354188103142384839473266348197733");
        assert.equal(signature.R8[1].toString(),
            "12052234579439634484237590306927118446073354173341433290934144373261241958718");
            "15383486972088797283337779941324724402501462225528836549661220478783371668959");
        assert.equal(signature.S.toString(),
            "1582013862333331285840015273849085014739146294568319205499642618291614907374");
            "2523202440825208709475937830811065542425109372212752003460238913256192595070");

        const pSignature = eddsa.packSignature(signature);
        assert.equal(pSignature.toString("hex"), ""+
            "3e417cd811f9c9c545a680b962e45d22ccb62b2284b4fe4bbc9fdb50b252a59a" +
            "eefbebe2b895393fa0e9b5b31b19e65a63fee5d7b6261d8d5b6b847c5b637f03");
            "dfedb4315d3f2eb4de2d3c510d7a987dcab67089c8ace06308827bf5bcbe02a2"+
            "7ed40dab29bf993c928e789d007387998901a24913d44fddb64b1f21fc149405");

        const uSignature = eddsa.unpackSignature(pSignature);
        assert(eddsa.verifyMiMC(msg, uSignature, pubKey));
@ -55,24 +55,24 @@ describe("EdDSA js test", function () {
        const pubKey = eddsa.prv2pub(prvKey);

        assert.equal(pubKey[0].toString(),
            "17579234973106307986399040784563986669343100608865726413246909559198451825625");
            "13277427435165878497778222415993513565335242147425444199013288855685581939618");
        assert.equal(pubKey[1].toString(),
            "21581828029826859845363968476425861244058376747493285816141526544272562145486");
            "13622229784656158136036771217484571176836296686641868549125388198837476602820");

        const pPubKey = babyJub.packPoint(pubKey);

        const signature = eddsa.signPoseidon(prvKey, msg);
        assert.equal(signature.R8[0].toString(),
            "12672422877531089818651367820728973438446851190471722610781936061829103362897");
            "11384336176656855268977457483345535180380036354188103142384839473266348197733");
        assert.equal(signature.R8[1].toString(),
            "12052234579439634484237590306927118446073354173341433290934144373261241958718");
            "15383486972088797283337779941324724402501462225528836549661220478783371668959");
        assert.equal(signature.S.toString(),
            "2318334603430781860679872910160434499077270843466490702990199622594868564504");
            "248298168863866362217836334079793350221620631973732197668910946177382043688");

        const pSignature = eddsa.packSignature(signature);
        assert.equal(pSignature.toString("hex"), ""+
            "3e417cd811f9c9c545a680b962e45d22ccb62b2284b4fe4bbc9fdb50b252a59a" +
            "1852c049fc6286138a0ddb57718049a09374fdf0390686c7ac5637b481212005");
            "dfedb4315d3f2eb4de2d3c510d7a987dcab67089c8ace06308827bf5bcbe02a2"+
            "28506bce274aa1b3f7e7c2fd7e4fe09bff8f9aa37a42def7994e98f322888c00");

        const uSignature = eddsa.unpackSignature(pSignature);
        assert(eddsa.verifyPoseidon(msg, uSignature, pubKey));
--- a/test/pedersen.js
+++ b/test/pedersen.js
@ -8,11 +8,11 @@ const babyJub = require("../src/babyjub.js");

 const PBASE =
    [
        [Fr.e("7688621503272331394947188562469131124099290577812125474996268020905176040083"),Fr.e("6637287939860384587467947982369268811366630904563077767287326262235485629411")],
        [Fr.e("11549681895645637778324638856880330712650895608496649854094912415387988201330"),Fr.e("5771732722784528537721081267383956005090479808901717812009343940574217488577")],
        [Fr.e("18790245153471844934157747708238883966079935875787657036767664036124524381945"),Fr.e("18300275459419441151064576487317481499516933849631632883767173501999997278432")],
        [Fr.e("16301069151422548986850494139112207641738464387919729729324473657161689764196"),Fr.e("8215273507373494014441104012907835625670941526105528197815397741007626226499")],
        [Fr.e("12597665704678284488008395353749282149622295037737374782196049599390683534185"),Fr.e("4072455241781501621593714139281767473040087753548015968773801065193764079468")]
        [Fr.e("10457101036533406547632367118273992217979173478358440826365724437999023779287"),Fr.e("19824078218392094440610104313265183977899662750282163392862422243483260492317")],
        [Fr.e("2671756056509184035029146175565761955751135805354291559563293617232983272177"),Fr.e("2663205510731142763556352975002641716101654201788071096152948830924149045094")],
        [Fr.e("5802099305472655231388284418920769829666717045250560929368476121199858275951"),Fr.e("5980429700218124965372158798884772646841287887664001482443826541541529227896")],
        [Fr.e("7107336197374528537877327281242680114152313102022415488494307685842428166594"),Fr.e("2857869773864086953506483169737724679646433914307247183624878062391496185654")],
        [Fr.e("20265828622013100949498132415626198973119240347465898028410217039057588424236"),Fr.e("1160461593266035632937973507065134938065359936056410650153315956301179689506")]
    ];

 describe("Double Pedersen test", function() {