From d5ed1c3ce4ca137a6b3ca48bec4ac12c1b38957a Mon Sep 17 00:00:00 2001
From: Jordi Baylina <jordi@baylina.cat>
Date: Sun, 19 Apr 2020 12:23:55 +0200
Subject: [PATCH] Go back to blake

---
 circuits/pedersen.circom     | 21 +++++++++++----------
 circuits/pedersen_old.circom | 21 +++++++++++----------
 package-lock.json            | 10 ++++++++++
 package.json                 |  1 +
 src/eddsa.js                 | 20 ++++++++++----------
 src/pedersenHash.js          | 19 +++++++++++++++----
 src/pedersen_printbases.js   | 10 +++++++++-
 test/babyjub.js              |  4 ++--
 test/eddsa_js.js             | 28 ++++++++++++++--------------
 test/pedersen.js             | 10 +++++-----
 10 files changed, 88 insertions(+), 56 deletions(-)

diff --git a/circuits/pedersen.circom b/circuits/pedersen.circom
index 9b335f2..4d6f8d1 100644
--- a/circuits/pedersen.circom
+++ b/circuits/pedersen.circom
@@ -177,16 +177,17 @@ template Pedersen(n) {
     signal output out[2];
 
     var BASE[10][2] = [
-        [7688621503272331394947188562469131124099290577812125474996268020905176040083,6637287939860384587467947982369268811366630904563077767287326262235485629411],
-        [11549681895645637778324638856880330712650895608496649854094912415387988201330,5771732722784528537721081267383956005090479808901717812009343940574217488577],
-        [18790245153471844934157747708238883966079935875787657036767664036124524381945,18300275459419441151064576487317481499516933849631632883767173501999997278432],
-        [16301069151422548986850494139112207641738464387919729729324473657161689764196,8215273507373494014441104012907835625670941526105528197815397741007626226499],
-        [12597665704678284488008395353749282149622295037737374782196049599390683534185,4072455241781501621593714139281767473040087753548015968773801065193764079468],
-        [4729410576230735258214831208080552588881894465489299233097088872252465832672,14367731890670510422926552586486424937476635415639602730590517235570020260326],
-        [7546420686025050869200393054526306477146836870617678274607971529534032974471,8663210466512842901413293603100781938253817808912549776944118491282484711929],
-        [6544653022506992755201027646251976600601201151329001772892901529509137954387,5932506509962692832681604586561215780097326378431958035490245111470435106811],
-        [12376274813795671622507230443130412169480807188767687554607910279743333852725,10116389110458158800073166533660211332390835019644001845057351607297889034557],
-        [18268098112071835140361074835791174816144587762778386397940339415400583397725,8120955462199046866292537174552276799123029303901205157708576578886090835495]
+        [10457101036533406547632367118273992217979173478358440826365724437999023779287,19824078218392094440610104313265183977899662750282163392862422243483260492317],
+        [2671756056509184035029146175565761955751135805354291559563293617232983272177,2663205510731142763556352975002641716101654201788071096152948830924149045094],
+        [5802099305472655231388284418920769829666717045250560929368476121199858275951,5980429700218124965372158798884772646841287887664001482443826541541529227896],
+        [7107336197374528537877327281242680114152313102022415488494307685842428166594,2857869773864086953506483169737724679646433914307247183624878062391496185654],
+        [20265828622013100949498132415626198973119240347465898028410217039057588424236,1160461593266035632937973507065134938065359936056410650153315956301179689506],
+        [1487999857809287756929114517587739322941449154962237464737694709326309567994,14017256862867289575056460215526364897734808720610101650676790868051368668003],
+        [14618644331049802168996997831720384953259095788558646464435263343433563860015,13115243279999696210147231297848654998887864576952244320558158620692603342236],
+        [6814338563135591367010655964669793483652536871717891893032616415581401894627,13660303521961041205824633772157003587453809761793065294055279768121314853695],
+        [3571615583211663069428808372184817973703476260057504149923239576077102575715,11981351099832644138306422070127357074117642951423551606012551622164230222506],
+        [18597552580465440374022635246985743886550544261632147935254624835147509493269,6753322320275422086923032033899357299485124665258735666995435957890214041481]
+
     ];
 
     var nSegments = ((n-1)\200)+1;
diff --git a/circuits/pedersen_old.circom b/circuits/pedersen_old.circom
index cf867e5..9114286 100644
--- a/circuits/pedersen_old.circom
+++ b/circuits/pedersen_old.circom
@@ -29,16 +29,17 @@ template Pedersen(n) {
     component escalarMuls[nexps];
 
     var PBASE[10][2] = [
-        [7688621503272331394947188562469131124099290577812125474996268020905176040083,6637287939860384587467947982369268811366630904563077767287326262235485629411],
-        [11549681895645637778324638856880330712650895608496649854094912415387988201330,5771732722784528537721081267383956005090479808901717812009343940574217488577],
-        [18790245153471844934157747708238883966079935875787657036767664036124524381945,18300275459419441151064576487317481499516933849631632883767173501999997278432],
-        [16301069151422548986850494139112207641738464387919729729324473657161689764196,8215273507373494014441104012907835625670941526105528197815397741007626226499],
-        [12597665704678284488008395353749282149622295037737374782196049599390683534185,4072455241781501621593714139281767473040087753548015968773801065193764079468],
-        [4729410576230735258214831208080552588881894465489299233097088872252465832672,14367731890670510422926552586486424937476635415639602730590517235570020260326],
-        [7546420686025050869200393054526306477146836870617678274607971529534032974471,8663210466512842901413293603100781938253817808912549776944118491282484711929],
-        [6544653022506992755201027646251976600601201151329001772892901529509137954387,5932506509962692832681604586561215780097326378431958035490245111470435106811],
-        [12376274813795671622507230443130412169480807188767687554607910279743333852725,10116389110458158800073166533660211332390835019644001845057351607297889034557],
-        [18268098112071835140361074835791174816144587762778386397940339415400583397725,8120955462199046866292537174552276799123029303901205157708576578886090835495]
+        [10457101036533406547632367118273992217979173478358440826365724437999023779287,19824078218392094440610104313265183977899662750282163392862422243483260492317],
+        [2671756056509184035029146175565761955751135805354291559563293617232983272177,2663205510731142763556352975002641716101654201788071096152948830924149045094],
+        [5802099305472655231388284418920769829666717045250560929368476121199858275951,5980429700218124965372158798884772646841287887664001482443826541541529227896],
+        [7107336197374528537877327281242680114152313102022415488494307685842428166594,2857869773864086953506483169737724679646433914307247183624878062391496185654],
+        [20265828622013100949498132415626198973119240347465898028410217039057588424236,1160461593266035632937973507065134938065359936056410650153315956301179689506],
+        [1487999857809287756929114517587739322941449154962237464737694709326309567994,14017256862867289575056460215526364897734808720610101650676790868051368668003],
+        [14618644331049802168996997831720384953259095788558646464435263343433563860015,13115243279999696210147231297848654998887864576952244320558158620692603342236],
+        [6814338563135591367010655964669793483652536871717891893032616415581401894627,13660303521961041205824633772157003587453809761793065294055279768121314853695],
+        [3571615583211663069428808372184817973703476260057504149923239576077102575715,11981351099832644138306422070127357074117642951423551606012551622164230222506],
+        [18597552580465440374022635246985743886550544261632147935254624835147509493269,6753322320275422086923032033899357299485124665258735666995435957890214041481]
+
     ];
 
     var i;
diff --git a/package-lock.json b/package-lock.json
index a975e47..67a930b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -292,6 +292,16 @@
         "safe-buffer": "^5.1.1"
       }
     },
+    "blake-hash": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/blake-hash/-/blake-hash-1.1.0.tgz",
+      "integrity": "sha512-rNbOFPT7DC/0XnLBJ0noWuzcV+9kHwEKzRGljHMDLQzYv6WZT1vjV3UkWQuNFzyr5tIL7zSsw7A834pgTl75xQ==",
+      "requires": {
+        "bindings": "^1.2.1",
+        "inherits": "^2.0.3",
+        "nan": "^2.2.1"
+      }
+    },
     "blake2b": {
       "version": "2.1.3",
       "resolved": "https://registry.npmjs.org/blake2b/-/blake2b-2.1.3.tgz",
diff --git a/package.json b/package.json
index 983489d..26a4bd4 100644
--- a/package.json
+++ b/package.json
@@ -24,6 +24,7 @@
   "author": "0Kims",
   "license": "GPL-3.0",
   "dependencies": {
+    "blake-hash": "^1.1.0",
     "blake2b": "^2.1.3",
     "circom": "0.5.8",
     "ffjavascript": "0.1.0",
diff --git a/src/eddsa.js b/src/eddsa.js
index 34703b6..a47b27f 100644
--- a/src/eddsa.js
+++ b/src/eddsa.js
@@ -1,4 +1,4 @@
-const blake2b = require("blake2b");
+const createBlakeHash = require("blake-hash");
 const Scalar = require("ffjavascript").Scalar;
 const F1Field = require("ffjavascript").F1Field;
 const babyJub = require("./babyjub");
@@ -32,19 +32,19 @@ function pruneBuffer(_buff) {
 }
 
 function prv2pub(prv) {
-    const sBuff = pruneBuffer(blake2b(64).update(prv).digest().slice(0,32));
+    const sBuff = pruneBuffer(createBlakeHash("blake512").update(prv).digest().slice(0,32));
     let s = utils.leBuff2int(sBuff);
     const A = babyJub.mulPointEscalar(babyJub.Base8, Scalar.shr(s,3));
     return A;
 }
 
 function sign(prv, msg) {
-    const h1 = Buffer.from(blake2b(64).update(prv).digest());
+    const h1 = createBlakeHash("blake512").update(prv).digest();
     const sBuff = pruneBuffer(h1.slice(0,32));
     const s = utils.leBuff2int(sBuff);
     const A = babyJub.mulPointEscalar(babyJub.Base8, Scalar.shr(s, 3));
 
-    const rBuff = Buffer.from(blake2b(64).update(Buffer.concat([h1.slice(32,64), msg])).digest());
+    const rBuff = createBlakeHash("blake512").update(Buffer.concat([h1.slice(32,64), msg])).digest();
     let r = utils.leBuff2int(rBuff);
     const Fr = new F1Field(babyJub.subOrder);
     r = Fr.e(r);
@@ -61,13 +61,13 @@ function sign(prv, msg) {
 }
 
 function signMiMC(prv, msg) {
-    const h1 = Buffer.from(blake2b(64).update(prv).digest());
+    const h1 = createBlakeHash("blake512").update(prv).digest();
     const sBuff = pruneBuffer(h1.slice(0,32));
     const s = utils.leBuff2int(sBuff);
     const A = babyJub.mulPointEscalar(babyJub.Base8, Scalar.shr(s, 3));
 
     const msgBuff = utils.leInt2Buff(msg, 32);
-    const rBuff = Buffer.from(blake2b(64).update(Buffer.concat([h1.slice(32,64), msgBuff])).digest());
+    const rBuff = createBlakeHash("blake512").update(Buffer.concat([h1.slice(32,64), msgBuff])).digest();
     let r = utils.leBuff2int(rBuff);
     const Fr = new F1Field(babyJub.subOrder);
     r = Fr.e(r);
@@ -81,13 +81,13 @@ function signMiMC(prv, msg) {
 }
 
 function signMiMCSponge(prv, msg) {
-    const h1 = Buffer.from(blake2b(64).update(prv).digest());
+    const h1 = createBlakeHash("blake512").update(prv).digest();
     const sBuff = pruneBuffer(h1.slice(0,32));
     const s = utils.leBuff2int(sBuff);
     const A = babyJub.mulPointEscalar(babyJub.Base8, Scalar.shr(s, 3));
 
     const msgBuff = utils.leInt2Buff(msg, 32);
-    const rBuff = Buffer.from(blake2b(64).update(Buffer.concat([h1.slice(32,64), msgBuff])).digest());
+    const rBuff = createBlakeHash("blake512").update(Buffer.concat([h1.slice(32,64), msgBuff])).digest();
     let r = utils.leBuff2int(rBuff);
     const Fr = new F1Field(babyJub.subOrder);
     r = Fr.e(r);
@@ -101,13 +101,13 @@ function signMiMCSponge(prv, msg) {
 }
 
 function signPoseidon(prv, msg) {
-    const h1 = Buffer.from(blake2b(64).update(prv).digest());
+    const h1 = createBlakeHash("blake512").update(prv).digest();
     const sBuff = pruneBuffer(h1.slice(0,32));
     const s = utils.leBuff2int(sBuff);
     const A = babyJub.mulPointEscalar(babyJub.Base8, Scalar.shr(s, 3));
 
     const msgBuff = utils.leInt2Buff(msg, 32);
-    const rBuff = Buffer.from(blake2b(64).update(Buffer.concat([h1.slice(32,64), msgBuff])).digest());
+    const rBuff = createBlakeHash("blake512").update(Buffer.concat([h1.slice(32,64), msgBuff])).digest();
     let r = utils.leBuff2int(rBuff);
     const Fr = new F1Field(babyJub.subOrder);
     r = Fr.e(r);
diff --git a/src/pedersenHash.js b/src/pedersenHash.js
index 4444bb8..5c0a376 100644
--- a/src/pedersenHash.js
+++ b/src/pedersenHash.js
@@ -1,4 +1,5 @@
 const babyJub = require("./babyjub");
+const createBlakeHash = require("blake-hash");
 const blake2b = require("blake2b");
 const Scalar = require("ffjavascript").Scalar;
 
@@ -9,7 +10,17 @@ const nWindowsPerSegment = 50;
 exports.hash = pedersenHash;
 exports.getBasePoint = getBasePoint;
 
-function pedersenHash(msg) {
+function baseHash(type, S) {
+    if (type == "blake") {
+        return createBlakeHash("blake256").update(S).digest();
+    } else if (type == "blake2b") {
+        return Buffer.from(blake2b(32).update(Buffer.from(S)).digest());
+    }
+}
+
+function pedersenHash(msg, options) {
+    options = options || {};
+    options.baseHash = options.baseHash || "blake";
     const bitsPerSegment = windowSize*nWindowsPerSegment;
     const bits = buffer2bits(msg);
 
@@ -49,7 +60,7 @@ function pedersenHash(msg) {
             escalar = Scalar.add( escalar, babyJub.subOrder);
         }
 
-        accP = babyJub.addPoint(accP, babyJub.mulPointEscalar(getBasePoint(s), escalar));
+        accP = babyJub.addPoint(accP, babyJub.mulPointEscalar(getBasePoint(options.baseHash, s), escalar));
     }
 
     return babyJub.packPoint(accP);
@@ -57,13 +68,13 @@ function pedersenHash(msg) {
 
 let bases = [];
 
-function getBasePoint(pointIdx) {
+function getBasePoint(baseHashType, pointIdx) {
     if (pointIdx<bases.length) return bases[pointIdx];
     let p= null;
     let tryIdx = 0;
     while (p==null) {
         const S = GENPOINT_PREFIX + "_" + padLeftZeros(pointIdx, 32) + "_" + padLeftZeros(tryIdx, 32);
-        const h = Buffer.from(blake2b(32).update(Buffer.from(S)).digest());
+        const h = baseHash(baseHashType, S);
         h[31] = h[31] & 0xBF;  // Set 255th bit to 0 (256th is the signal and 254th is the last possible bit to 1)
         p = babyJub.unpackPoint(h);
         tryIdx++;
diff --git a/src/pedersen_printbases.js b/src/pedersen_printbases.js
index 3f7e726..457a76b 100644
--- a/src/pedersen_printbases.js
+++ b/src/pedersen_printbases.js
@@ -7,7 +7,15 @@ if (typeof process.argv[2] != "undefined") {
     nBases = 5;
 }
 
+let baseHash;
+if (typeof process.argv[3] != "undefined") {
+    baseHash = process.argv[3];
+} else {
+    baseHash = "blake";
+}
+
+
 for (let i=0; i < nBases; i++) {
-    const p = pedersenHash.getBasePoint(i);
+    const p = pedersenHash.getBasePoint(baseHash, i);
     console.log(`[${p[0]},${p[1]}]`);
 }
diff --git a/test/babyjub.js b/test/babyjub.js
index ddc2a54..eafb0f3 100644
--- a/test/babyjub.js
+++ b/test/babyjub.js
@@ -1,7 +1,7 @@
 const chai = require("chai");
 const path = require("path");
 
-const blake2b = require("blake2b");
+const createBlakeHash = require("blake-hash");
 const eddsa = require("../src/eddsa.js");
 const F = require("../src/babyjub.js").F;
 
@@ -94,7 +94,7 @@ describe("Baby Jub test", function () {
     it("Should extract the public key from the private one", async () => {
 
         const rawpvk = Buffer.from("0001020304050607080900010203040506070809000102030405060708090021", "hex");
-        const pvk    = eddsa.pruneBuffer(Buffer.from(blake2b(64).update(rawpvk).digest().slice(0,32)));
+        const pvk    = eddsa.pruneBuffer(createBlakeHash("blake512").update(rawpvk).digest().slice(0,32));
         const S      = Scalar.shr(utils.leBuff2int(pvk), 3);
 
         const A      = eddsa.prv2pub(rawpvk);
diff --git a/test/eddsa_js.js b/test/eddsa_js.js
index 65798e5..ddbd0d5 100644
--- a/test/eddsa_js.js
+++ b/test/eddsa_js.js
@@ -22,24 +22,24 @@ describe("EdDSA js test", function () {
         const pubKey = eddsa.prv2pub(prvKey);
 
         assert.equal(pubKey[0].toString(),
-            "17579234973106307986399040784563986669343100608865726413246909559198451825625");
+            "13277427435165878497778222415993513565335242147425444199013288855685581939618");
         assert.equal(pubKey[1].toString(),
-            "21581828029826859845363968476425861244058376747493285816141526544272562145486");
+            "13622229784656158136036771217484571176836296686641868549125388198837476602820");
 
         const pPubKey = babyJub.packPoint(pubKey);
 
         const signature = eddsa.signMiMC(prvKey, msg);
         assert.equal(signature.R8[0].toString(),
-            "12672422877531089818651367820728973438446851190471722610781936061829103362897");
+            "11384336176656855268977457483345535180380036354188103142384839473266348197733");
         assert.equal(signature.R8[1].toString(),
-            "12052234579439634484237590306927118446073354173341433290934144373261241958718");
+            "15383486972088797283337779941324724402501462225528836549661220478783371668959");
         assert.equal(signature.S.toString(),
-            "1582013862333331285840015273849085014739146294568319205499642618291614907374");
+            "2523202440825208709475937830811065542425109372212752003460238913256192595070");
 
         const pSignature = eddsa.packSignature(signature);
         assert.equal(pSignature.toString("hex"), ""+
-            "3e417cd811f9c9c545a680b962e45d22ccb62b2284b4fe4bbc9fdb50b252a59a" +
-            "eefbebe2b895393fa0e9b5b31b19e65a63fee5d7b6261d8d5b6b847c5b637f03");
+            "dfedb4315d3f2eb4de2d3c510d7a987dcab67089c8ace06308827bf5bcbe02a2"+
+            "7ed40dab29bf993c928e789d007387998901a24913d44fddb64b1f21fc149405");
 
         const uSignature = eddsa.unpackSignature(pSignature);
         assert(eddsa.verifyMiMC(msg, uSignature, pubKey));
@@ -55,24 +55,24 @@ describe("EdDSA js test", function () {
         const pubKey = eddsa.prv2pub(prvKey);
 
         assert.equal(pubKey[0].toString(),
-            "17579234973106307986399040784563986669343100608865726413246909559198451825625");
+            "13277427435165878497778222415993513565335242147425444199013288855685581939618");
         assert.equal(pubKey[1].toString(),
-            "21581828029826859845363968476425861244058376747493285816141526544272562145486");
+            "13622229784656158136036771217484571176836296686641868549125388198837476602820");
 
         const pPubKey = babyJub.packPoint(pubKey);
 
         const signature = eddsa.signPoseidon(prvKey, msg);
         assert.equal(signature.R8[0].toString(),
-            "12672422877531089818651367820728973438446851190471722610781936061829103362897");
+            "11384336176656855268977457483345535180380036354188103142384839473266348197733");
         assert.equal(signature.R8[1].toString(),
-            "12052234579439634484237590306927118446073354173341433290934144373261241958718");
+            "15383486972088797283337779941324724402501462225528836549661220478783371668959");
         assert.equal(signature.S.toString(),
-            "2318334603430781860679872910160434499077270843466490702990199622594868564504");
+            "248298168863866362217836334079793350221620631973732197668910946177382043688");
 
         const pSignature = eddsa.packSignature(signature);
         assert.equal(pSignature.toString("hex"), ""+
-            "3e417cd811f9c9c545a680b962e45d22ccb62b2284b4fe4bbc9fdb50b252a59a" +
-            "1852c049fc6286138a0ddb57718049a09374fdf0390686c7ac5637b481212005");
+            "dfedb4315d3f2eb4de2d3c510d7a987dcab67089c8ace06308827bf5bcbe02a2"+
+            "28506bce274aa1b3f7e7c2fd7e4fe09bff8f9aa37a42def7994e98f322888c00");
 
         const uSignature = eddsa.unpackSignature(pSignature);
         assert(eddsa.verifyPoseidon(msg, uSignature, pubKey));
diff --git a/test/pedersen.js b/test/pedersen.js
index f580f5c..1285ba1 100644
--- a/test/pedersen.js
+++ b/test/pedersen.js
@@ -8,11 +8,11 @@ const babyJub = require("../src/babyjub.js");
 
 const PBASE =
     [
-        [Fr.e("7688621503272331394947188562469131124099290577812125474996268020905176040083"),Fr.e("6637287939860384587467947982369268811366630904563077767287326262235485629411")],
-        [Fr.e("11549681895645637778324638856880330712650895608496649854094912415387988201330"),Fr.e("5771732722784528537721081267383956005090479808901717812009343940574217488577")],
-        [Fr.e("18790245153471844934157747708238883966079935875787657036767664036124524381945"),Fr.e("18300275459419441151064576487317481499516933849631632883767173501999997278432")],
-        [Fr.e("16301069151422548986850494139112207641738464387919729729324473657161689764196"),Fr.e("8215273507373494014441104012907835625670941526105528197815397741007626226499")],
-        [Fr.e("12597665704678284488008395353749282149622295037737374782196049599390683534185"),Fr.e("4072455241781501621593714139281767473040087753548015968773801065193764079468")]
+        [Fr.e("10457101036533406547632367118273992217979173478358440826365724437999023779287"),Fr.e("19824078218392094440610104313265183977899662750282163392862422243483260492317")],
+        [Fr.e("2671756056509184035029146175565761955751135805354291559563293617232983272177"),Fr.e("2663205510731142763556352975002641716101654201788071096152948830924149045094")],
+        [Fr.e("5802099305472655231388284418920769829666717045250560929368476121199858275951"),Fr.e("5980429700218124965372158798884772646841287887664001482443826541541529227896")],
+        [Fr.e("7107336197374528537877327281242680114152313102022415488494307685842428166594"),Fr.e("2857869773864086953506483169737724679646433914307247183624878062391496185654")],
+        [Fr.e("20265828622013100949498132415626198973119240347465898028410217039057588424236"),Fr.e("1160461593266035632937973507065134938065359936056410650153315956301179689506")]
     ];
 
 describe("Double Pedersen test", function() {