arnaucube/gnark-plonky2-verifier
1
0
Fork 0
mirror of https://github.com/arnaucube/gnark-plonky2-verifier.git synced 2026-01-12 09:01:32 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #6 from succinctlabs/signature

Browse Source 
Signature
This commit is contained in:
Jacob Jackson
2022-10-07 02:20:32 -04:00
committed by GitHub
parent ef9cc0dc3f 52dade9335
commit 7d2af3d789
8 changed files with 591 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
cubic.go
View File

@@ -14,61 +14,61 @@
package main package main
import ( // import (
"fmt" // "fmt"
"os" // "os"
"github.com/consensys/gnark/frontend" // "github.com/consensys/gnark/frontend"
"github.com/consensys/gnark-crypto/ecc" // "github.com/consensys/gnark-crypto/ecc"
"github.com/consensys/gnark/frontend/cs/r1cs" // "github.com/consensys/gnark/frontend/cs/r1cs"
"github.com/consensys/gnark/backend/groth16" // "github.com/consensys/gnark/backend/groth16"
_ "gnark-ed25519/edwards_curve" // _ "gnark-ed25519/edwards_curve"
_ "gnark-ed25519/sha512" // _ "gnark-ed25519/sha512"
) // )
// Circuit defines a simple circuit // // Circuit defines a simple circuit
// x**3 + x + 5 == y // // x**3 + x + 5 == y
type Circuit struct { // type Circuit struct {
// struct tags on a variable is optional // // struct tags on a variable is optional
// default uses variable name and secret visibility. // // default uses variable name and secret visibility.
X frontend.Variable `gnark:"x"` // X frontend.Variable `gnark:"x"`
Y frontend.Variable `gnark:",public"` // Y frontend.Variable `gnark:",public"`
} // }
// Define declares the circuit constraints // // Define declares the circuit constraints
// x**3 + x + 5 == y // // x**3 + x + 5 == y
func (circuit *Circuit) Define(api frontend.API) error { // func (circuit *Circuit) Define(api frontend.API) error {
x3 := api.Mul(circuit.X, circuit.X, circuit.X) // x3 := api.Mul(circuit.X, circuit.X, circuit.X)
api.AssertIsEqual(circuit.Y, api.Add(x3, circuit.X, 5)) // api.AssertIsEqual(circuit.Y, api.Add(x3, circuit.X, 5))
return nil // return nil
} // }
func main() { // func main() {
err := mainImpl() // err := mainImpl()
if err != nil { // if err != nil {
fmt.Println(err) // fmt.Println(err)
os.Exit(1) // os.Exit(1)
} // }
} // }
func mainImpl() error { // func mainImpl() error {
var myCircuit Circuit // var myCircuit Circuit
r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit) // r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
if err != nil { // if err != nil {
return err // return err
} // }
assignment := &Circuit{ // assignment := &Circuit{
X: "2", // X: "2",
Y: "15", // Y: "15",
} // }
witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField()) // witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
publicWitness, _ := witness.Public() // publicWitness, _ := witness.Public()
pk, vk, err := groth16.Setup(r1cs) // pk, vk, err := groth16.Setup(r1cs)
proof, err := groth16.Prove(r1cs, pk, witness) // proof, err := groth16.Prove(r1cs, pk, witness)
err = groth16.Verify(proof, vk, publicWitness) // err = groth16.Verify(proof, vk, publicWitness)
if err != nil { // if err != nil {
return err // return err
} // }
fmt.Println(proof) // fmt.Println(proof)
return nil // return nil
} // }

174
ed25519.go
View File

@@ -14,43 +14,159 @@
package main package main
// import (
// "fmt" import (
// "os" "time"
// "crypto/ed25519" "fmt"
// "crypto/rand" "os"
// "github.com/consensys/gnark/std/math/emulated" "encoding/hex"
// ) "github.com/consensys/gnark/frontend"
"github.com/consensys/gnark-crypto/ecc"
"github.com/consensys/gnark/frontend/cs/r1cs"
"github.com/consensys/gnark/backend/groth16"
"gnark-ed25519/edwards_curve"
"gnark-ed25519/sha512"
)
type Eddsa25519Circuit struct {
M []frontend.Variable
Pk []frontend.Variable
Sig []frontend.Variable
}
func (circuit *Eddsa25519Circuit) Define(api frontend.API) error {
c, err := edwards_curve.New[edwards_curve.Ed25519, edwards_curve.Ed25519Scalars](api)
if err != nil {
return err
}
edwards_curve.CheckValid(c, circuit.Sig, circuit.M, circuit.Pk)
return nil
}
type Sha512Circuit struct {
in []frontend.Variable `gnark:"in"`
out []frontend.Variable `gnark:"out"`
}
func (circuit *Sha512Circuit) Define(api frontend.API) error {
res := sha512.Sha512(api, circuit.in)
if len(res) != 512 { panic("bad length") }
for i := 0; i < 512; i++ {
api.AssertIsEqual(res[i], circuit.out[i])
}
return nil
}
// func main() { func main() {
// err := mainImpl() err := mainImpl()
// if err != nil { if err != nil {
// fmt.Println(err) fmt.Println(err)
// os.Exit(1) os.Exit(1)
// } }
// } }
// func mainImpl() error { // func mainImpl() error {
// pubKey, privKey, err := ed25519.GenerateKey(rand.Reader) // in := bytesToBits([]byte("Succinct Labs"))
// fmt.Println(pubKey) // out := hexToBits("503ace098aa03f6feec1b5df0a38aee923f744a775508bc81f2b94ad139be297c2e8cd8c44af527b5d3f017a7fc929892c896604047e52e3f518924f52bff0dc")
// fmt.Println(privKey)
// message := []byte("string")
// sig := ed25519.Sign(privKey, message)
// fmt.Println(sig)
// verified := ed25519.Verify(pubKey, message, sig)
// fmt.Println(verified)
// verifiedFalse := ed25519.Verify(pubKey, []byte("string1"), sig)
// fmt.Println(verifiedFalse)
// ele := emulated.NewElement[emulated.BN254Fp](1)
// fmt.Println(ele)
// myCircuit := Sha512Circuit{
// in,
// out,
// }
// fmt.Println(time.Now(), "compiling...")
// r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
// if err != nil { // if err != nil {
// return err // return err
// } // }
// return nil
// assignment := &Sha512Circuit{
// in,
// out,
// } // }
// fmt.Println(time.Now(), "generating witness...")
// witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
// publicWitness, _ := witness.Public()
// fmt.Println(time.Now(), "groth setup...")
// pk, vk, err := groth16.Setup(r1cs)
// fmt.Println(time.Now(), "groth prove...")
// proof, err := groth16.Prove(r1cs, pk, witness)
// fmt.Println(time.Now(), "groth verify...")
// err = groth16.Verify(proof, vk, publicWitness)
// if err != nil {
// return err
// }
// fmt.Println(proof)
// return nil
// }
func mainImpl() error {
M := "53756363696e6374204c616273"
Pk := "f7ec1c43f4de9d49556de87b86b26a98942cb078486fdb44de38b80864c39731"
Sig := "35c323757c20640a294345c89c0bfcebe3d554fdb0c7b7a0bdb72222c531b1ec849fed99a053e0f5b02dd9a25bb6eb018885526d9f583cdbde0b1e9f6329da09"
myCircuit := Eddsa25519Circuit{
M: hexToBits(M),
Pk: hexToBits(Pk),
Sig: hexToBits(Sig),
}
fmt.Println(time.Now(), "compiling...")
r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
if err != nil {
return err
}
assignment := &Eddsa25519Circuit{
M: hexToBits(M),
Pk: hexToBits(Pk),
Sig: hexToBits(Sig),
}
fmt.Println(time.Now(), "generating witness...")
witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
publicWitness, _ := witness.Public()
fmt.Println(time.Now(), "groth setup...")
pk, vk, err := groth16.Setup(r1cs)
fmt.Println(time.Now(), "groth prove...")
proof, err := groth16.Prove(r1cs, pk, witness)
fmt.Println(time.Now(), "groth verify...")
err = groth16.Verify(proof, vk, publicWitness)
if err != nil {
return err
}
fmt.Println(proof)
return nil
}
func hexToBits(h string) []frontend.Variable {
b, err := hex.DecodeString(h)
if err != nil {
panic(err)
}
result := make([]frontend.Variable, len(b) * 8)
for i, v := range b {
for j := 0; j < 8; j++ {
if (v & (1 << j)) != 0 {
result[i*8+j] = 1
} else {
result[i*8+j] = 0
}
}
}
return result
}
func bytesToBits(arr []byte) []frontend.Variable {
result := make([]frontend.Variable, len(arr) * 8)
for i, v := range arr {
for j := 0; j < 8; j++ {
if (v & (1 << (7-j))) != 0 {
result[i*8+j] = 1
} else {
result[i*8+j] = 0
}
}
}
return result
}

297
edwards_curve/eddsa25519.go Normal file
View File

@@ -0,0 +1,297 @@
package edwards_curve
// This file is little-endian
import (
"math/big"
"github.com/consensys/gnark/frontend"
"github.com/consensys/gnark/std/math/emulated"
"gnark-ed25519/sha512"
)
func H(api frontend.API, m []frontend.Variable) []frontend.Variable {
rawResult := sha512.Sha512(api, swapByteEndianness(m))
sResult := swapByteEndianness(rawResult[:])
return sResult
}
func pow2(n uint) *big.Int {
result := big.NewInt(1)
result.Lsh(result, n)
return result
}
type EdCurve = Curve[Ed25519, Ed25519Scalars]
type EdPoint = AffinePoint[Ed25519]
type EdCoordinate = emulated.Element[Ed25519]
type EdScalar = emulated.Element[Ed25519Scalars]
func bits_to_scalar(c *EdCurve, s []frontend.Variable) EdCoordinate {
if len(s) != 256 { panic("bad length") }
elt := emulated.NewElement[Ed25519](0)
if len(elt.Limbs) != 4 { panic("bad length") }
i := 0
for k := 0; k < 4; k++ {
elt.Limbs[k] = c.api.FromBinary(s[i:i+64]...)
i += 64
}
if i != len(s) { panic("bad length") }
return elt
}
// func bits_to_clamped_scalar(c *EdCurve, input []frontend.Variable) EdScalar {
// if len(input) != 256 { panic("bad length") }
// s := make([]frontend.Variable, len(input))
// copy(s, input)
// s[0] = 0
// s[1] = 0
// s[2] = 0
// s[254] = 1
// return bits_to_scalar[Ed25519Scalars](c, s)
// }
func bits_to_element(c *EdCurve, input []frontend.Variable) EdPoint {
// L := emulated.NewElement[Ed25519Scalars](rEd25519)
unchecked_point := decodepoint(c, input)
// // TODO: https://github.com/warner/python-pure25519 says this check is not necessary:
// //
// // > This library is conservative, and performs full subgroup-membership checks on decoded
// // > points, which adds considerable overhead. The Curve25519/Ed25519 algorithms were
// // > designed to not require these checks, so a careful application might be able to
// // > improve on this slightly (Ed25519 verify down to 6.2ms, DH-finish to 3.2ms).
// c.AssertIsZero(c.ScalarMul(unchecked_point, L))
return unchecked_point
}
// func publickey(c *EdCurve, seed []frontend.Variable) EdPoint {
// if len(seed) != 32 { panic("bad length") }
// a := bits_to_clamped_scalar(c, H(c.api, seed)[:256])
// return c.ScalarMul(c.g, a)
// }
func CheckValid(c *EdCurve, s, m, pk []frontend.Variable) {
if len(s) != 512 { panic("bad signature length") }
if len(pk) != 256 { panic("bad public key length") }
if len(m) % 8 != 0 { panic("bad message length") }
R := bits_to_element(c, s[:256])
A := bits_to_element(c, pk)
h := H(c.api, concat(s[:256], pk, m))
v1 := c.ScalarMulBinary(c.g, s[256:])
v2 := c.Add(R, c.ScalarMulBinary(A, h))
c.AssertIsEqual(v1, v2)
}
func reverse[T interface{}](arr []T) []T {
result := make([]T, len(arr))
for i, v := range arr {
result[len(result)-i-1] = v
}
return result
}
func concat(args ...[]frontend.Variable) []frontend.Variable {
result := []frontend.Variable{}
for _, v := range args {
result = append(result, v...)
}
return result
}
func decodepoint(c *EdCurve, unclamped []frontend.Variable) EdPoint {
if len(unclamped) != 256 { panic("bad length") }
s := make([]frontend.Variable, len(unclamped))
copy(s, unclamped)
s[255] = 0
y := bits_to_scalar(c, s)
// unclamped = int(binascii.hexlify(s[:32][::-1]), 16)
// clamp = (1 << 255) - 1
// y = unclamped & clamp # clear MSB
x := xrecover(c, y)
// x = xrecover(y)
xbits := c.baseApi.ToBinary(x)
if len(xbits) != 256 { panic("bad length") }
mismatch := c.api.Xor(xbits[0], unclamped[255])
x = c.baseApi.Select(mismatch, c.baseApi.Neg(x), x).(EdCoordinate)
// if bool(x & 1) != bool(unclamped & (1<<255)): x = Q-x
P := AffinePoint[Ed25519]{
X: x,
Y: y,
}
// P = [x,y]
c.AssertIsOnCurve(P)
// if not isoncurve(P): raise NotOnCurve("decoding point that is not on curve")
return P
}
func toValue(s EdCoordinate) *big.Int {
result := big.NewInt(0)
placeValue := big.NewInt(1)
for _, v := range s.Limbs {
q := new(big.Int).Mul(placeValue, v.(*big.Int))
result.Add(result, q)
placeValue.Lsh(placeValue, Ed25519{}.BitsPerLimb())
}
return result
}
func _const(x int64) EdCoordinate {
return emulated.NewElement[Ed25519](big.NewInt(x))
}
// Q = 2**255 - 19
// L = 2**252 + 27742317777372353535851937790883648493
// def inv(x):
// return pow(x, Q-2, Q)
// d = -121665 * inv(121666)
// I = pow(2,(Q-1)//4,Q)
func xrecover(c *EdCurve, y EdCoordinate) EdCoordinate {
Q := Ed25519{}.Modulus()
I := emulated.NewElement[Ed25519](newBigInt("2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0"))
yy := c.baseApi.Mul(y, y)
xx := c.baseApi.Div(
c.baseApi.Sub(yy, _const(1)),
c.baseApi.Add(c.baseApi.Mul(c.d, yy), _const(1)),
).(EdCoordinate)
// xx = (y*y-1) * inv(d*y*y+1)
power := new(big.Int).Add(Q, big.NewInt(3))
power.Rsh(power, 3)
x := pow(c, xx, power)
// x = pow(xx,(Q+3)//8,Q)
matches := c.baseApi.IsZero(c.baseApi.Sub(
c.baseApi.Mul(x, x),
xx,
))
x = c.baseApi.Select(matches, x, c.baseApi.Mul(x, emulated.NewElement[Ed25519](I))).(EdCoordinate)
// if (x*x - xx) % Q != 0: x = (x*I) % Q
odd := c.baseApi.ToBinary(x)[0]
x = c.baseApi.Select(odd, c.baseApi.Neg(x), x).(EdCoordinate)
// if x % 2 != 0: x = Q-x
return x
}
func pow(c *EdCurve, base EdCoordinate, exponent *big.Int) EdCoordinate {
mul := base
result := _const(1)
for exponent.Sign() > 0 {
if exponent.Bit(0) != 0 {
result = c.baseApi.Mul(result, mul).(EdCoordinate)
}
mul = c.baseApi.Mul(mul, mul).(EdCoordinate)
exponent.Rsh(exponent, 1)
}
return result
}
func swapByteEndianness(in []frontend.Variable) []frontend.Variable {
if len(in) % 8 != 0 { panic("must be a multiple of 8 bits") }
result := make([]frontend.Variable, len(in))
for i := 0; i < len(in); i += 8 {
for j := 0; j < 8; j++ {
result[i+j] = in[i+7-j]
}
}
return result
}
// def checkvalid(s, m, pk):
// if len(s) != 64: raise Exception("signature length is wrong")
// if len(pk) != 32: raise Exception("public-key length is wrong")
// R = bytes_to_element(s[:32])
// A = bytes_to_element(pk)
// S = bytes_to_scalar(s[32:])
// h = Hint(s[:32] + pk + m)
// v1 = Base.scalarmult(S)
// v2 = R.add(A.scalarmult(h))
// return v1==v2
// def publickey(seed):
// # turn first half of SHA512(seed) into scalar, then into point
// assert len(seed) == 32
// a = bytes_to_clamped_scalar(H(seed)[:32])
// A = Base.scalarmult(a)
// return A.to_bytes()
// def bytes_to_scalar(s):
// assert len(s) == 32, len(s)
// return int(binascii.hexlify(s[::-1]), 16)
// from pure25519.basic import (bytes_to_clamped_scalar,
// bytes_to_scalar, scalar_to_bytes,
// bytes_to_element, Base)
// import hashlib, binascii
// def H(m):
// return hashlib.sha512(m).digest()
// def Hint(m):
// h = H(m)
// return int(binascii.hexlify(h[::-1]), 16)
// def signature(m,sk,pk):
// assert len(sk) == 32 # seed
// assert len(pk) == 32
// h = H(sk[:32])
// a_bytes, inter = h[:32], h[32:]
// a = bytes_to_clamped_scalar(a_bytes)
// r = Hint(inter + m)
// R = Base.scalarmult(r)
// R_bytes = R.to_bytes()
// S = r + Hint(R_bytes + pk + m) * a
// return R_bytes + scalar_to_bytes(S)
// def checkvalid(s, m, pk):
// if len(s) != 64: raise Exception("signature length is wrong")
// if len(pk) != 32: raise Exception("public-key length is wrong")
// R = bytes_to_element(s[:32])
// A = bytes_to_element(pk)
// S = bytes_to_scalar(s[32:])
// h = Hint(s[:32] + pk + m)
// v1 = Base.scalarmult(S)
// v2 = R.add(A.scalarmult(h))
// return v1==v2
// # wrappers
// import os
// def create_signing_key():
// seed = os.urandom(32)
// return seed
// def create_verifying_key(signing_key):
// return publickey(signing_key)
// def sign(skbytes, msg):
// """Return just the signature, given the message and just the secret
// key."""
// if len(skbytes) != 32:
// raise ValueError("Bad signing key length %d" % len(skbytes))
// vkbytes = create_verifying_key(skbytes)
// sig = signature(msg, skbytes, vkbytes)
// return sig
// def verify(vkbytes, sig, msg):
// if len(vkbytes) != 32:
// raise ValueError("Bad verifying key length %d" % len(vkbytes))
// if len(sig) != 64:
// raise ValueError("Bad signature length %d" % len(sig))
// rc = checkvalid(sig, msg, vkbytes)
// if not rc:
// raise ValueError("rc != 0", rc)
// return True

65
edwards_curve/eddsa25519_test.go Normal file
View File

@@ -0,0 +1,65 @@
package edwards_curve
import (
"testing"
"encoding/hex"
"github.com/consensys/gnark/frontend"
"github.com/consensys/gnark/test"
)
type Eddsa25519Circuit struct {
m []frontend.Variable
pk []frontend.Variable
sig []frontend.Variable
}
func (circuit *Eddsa25519Circuit) Define(api frontend.API) error {
c, err := New[Ed25519, Ed25519Scalars](api)
if err != nil {
return err
}
CheckValid(c, circuit.sig, circuit.m, circuit.pk)
return nil
}
func TestEddsa25519(t *testing.T) {
assert := test.NewAssert(t)
m := "53756363696e6374204c616273"
pk := "f7ec1c43f4de9d49556de87b86b26a98942cb078486fdb44de38b80864c39731"
sig := "35c323757c20640a294345c89c0bfcebe3d554fdb0c7b7a0bdb72222c531b1ec849fed99a053e0f5b02dd9a25bb6eb018885526d9f583cdbde0b1e9f6329da09"
circuit := Eddsa25519Circuit {
m: hexToBits(m),
pk: hexToBits(pk),
sig: hexToBits(sig),
}
witness := Eddsa25519Circuit {
m: hexToBits(m),
pk: hexToBits(pk),
sig: hexToBits(sig),
}
err := test.IsSolved(&circuit, &witness, testCurve.ScalarField())
assert.NoError(err)
}
func hexToBits(h string) []frontend.Variable {
b, err := hex.DecodeString(h)
if err != nil {
panic(err)
}
result := make([]frontend.Variable, len(b) * 8)
for i, v := range b {
for j := 0; j < 8; j++ {
if (v & (1 << j)) != 0 {
result[i*8+j] = 1
} else {
result[i*8+j] = 0
}
}
}
return result
}

6
edwards_curve/edparams.go
View File

@@ -11,11 +11,7 @@ var (
func init() { func init() {
// https://neuromancer.sk/std/other/Ed25519 // https://neuromancer.sk/std/other/Ed25519
qEd25519 = newBigInt("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed") qEd25519 = newBigInt("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed")
n := newBigInt("1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed") rEd25519 = newBigInt("1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed")
// TODO: is this ok?
// h := big.NewInt(8)
// rEd25519 = new(big.Int).Mul(n, h)
rEd25519 = n
} }
type Ed25519 struct{} type Ed25519 struct{}

23
edwards_curve/edpoint.go
View File

@@ -112,6 +112,11 @@ func (c *Curve[T, S]) AssertIsOnCurve(p AffinePoint[T]) {
c.baseApi.AssertIsEqual(lhs, rhs) c.baseApi.AssertIsEqual(lhs, rhs)
} }
func (c *Curve[T, S]) AssertIsZero(p AffinePoint[T]) {
c.baseApi.AssertIsEqual(p.X, 0)
c.baseApi.AssertIsEqual(p.Y, 1)
}
func (c *Curve[T, S]) Add(q, r AffinePoint[T]) AffinePoint[T] { func (c *Curve[T, S]) Add(q, r AffinePoint[T]) AffinePoint[T] {
// u = (x1 + y1) * (x2 + y2) // u = (x1 + y1) * (x2 + y2)
u1 := c.baseApi.Mul(q.X, c.a) u1 := c.baseApi.Mul(q.X, c.a)
@@ -151,7 +156,7 @@ func (c *Curve[T, S]) Double(p AffinePoint[T]) AffinePoint[T] {
v := c.baseApi.Mul(p.X, p.X) v := c.baseApi.Mul(p.X, p.X)
w := c.baseApi.Mul(p.Y, p.Y) w := c.baseApi.Mul(p.Y, p.Y)
n1 := c.baseApi.Mul(2, u) n1 := c.baseApi.Add(u, u)
av := c.baseApi.Mul(v, c.a) av := c.baseApi.Mul(v, c.a)
n2 := c.baseApi.Sub(w, av) n2 := c.baseApi.Sub(w, av)
d1 := c.baseApi.Add(w, av) d1 := c.baseApi.Add(w, av)
@@ -176,17 +181,21 @@ func (c *Curve[T, S]) Select(b frontend.Variable, p, q AffinePoint[T]) AffinePoi
} }
func (c *Curve[T, S]) ScalarMul(p AffinePoint[T], s emulated.Element[S]) AffinePoint[T] { func (c *Curve[T, S]) ScalarMul(p AffinePoint[T], s emulated.Element[S]) AffinePoint[T] {
res := p return c.ScalarMulBinary(p, c.scalarApi.ToBinary(s))
acc := c.Double(p) }
sBits := c.scalarApi.ToBinary(s) func (c *Curve[T, S]) ScalarMulBinary(p AffinePoint[T], sBits []frontend.Variable) AffinePoint[T] {
for i := 1; i < len(sBits); i++ { res := AffinePoint[T]{
X: emulated.NewElement[T](0),
Y: emulated.NewElement[T](1),
}
acc := p
for i := 0; i < len(sBits); i++ {
tmp := c.Add(res, acc) tmp := c.Add(res, acc)
res = c.Select(sBits[i], tmp, res) res = c.Select(sBits[i], tmp, res)
acc = c.Double(acc) acc = c.Double(acc)
} }
tmp := c.Add(res, c.Neg(p))
res = c.Select(sBits[0], res, tmp)
return res return res
} }

16
sha512/sha_test.go
View File

@@ -28,8 +28,7 @@ var testCurve = ecc.BN254
func TestSha512(t *testing.T) { func TestSha512(t *testing.T) {
assert := test.NewAssert(t) assert := test.NewAssert(t)
testCase := func(input, output string) { testCase := func(in []byte, output string) {
in := toBytes(input)
out, err := hex.DecodeString(output) out, err := hex.DecodeString(output)
if err != nil { panic(err) } if err != nil { panic(err) }
if len(out) != 512 / 8 { panic("bad output length") } if len(out) != 512 / 8 { panic("bad output length") }
@@ -46,8 +45,9 @@ func TestSha512(t *testing.T) {
assert.NoError(err) assert.NoError(err)
} }
testCase("", "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e") testCase([]byte(""), "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e")
testCase("Succinct Labs", "503ace098aa03f6feec1b5df0a38aee923f744a775508bc81f2b94ad139be297c2e8cd8c44af527b5d3f017a7fc929892c896604047e52e3f518924f52bff0dc") testCase([]byte("Succinct Labs"), "503ace098aa03f6feec1b5df0a38aee923f744a775508bc81f2b94ad139be297c2e8cd8c44af527b5d3f017a7fc929892c896604047e52e3f518924f52bff0dc")
testCase(decode("35c323757c20640a294345c89c0bfcebe3d554fdb0c7b7a0bdb72222c531b1ecf7ec1c43f4de9d49556de87b86b26a98942cb078486fdb44de38b80864c3973153756363696e6374204c616273"), "4388243c4452274402673de881b2f942ff5730fd2c7d8ddb94c3e3d789fb3754380cba8faa40554d9506a0730a681e88ab348a04bc5c41d18926f140b59aed39")
} }
func toBits(arr []byte) []frontend.Variable { func toBits(arr []byte) []frontend.Variable {
@@ -64,6 +64,10 @@ func toBits(arr []byte) []frontend.Variable {
return result return result
} }
func toBytes(s string) []byte { func decode(s string) []byte {
return []byte(s) result, err := hex.DecodeString(s)
if err != nil {
panic(err)
}
return result
} }