goldilocks and poseidon

README.md

@@ -1,3 +1,4 @@
+
 # gnark-ed25519
 ed25519 implementation in Gnark
 
@@ -10,3 +11,5 @@ To build and run:
 ```
 go build gnark-ed25519 && ./gnark-ed25519
 ```
+
+if it panics on compilation.... make vriables capitalzie

ed25519.go

@@ -14,159 +14,264 @@
 
 package main
 
-
 import (
-    "time"
-    "fmt"
-    "os"
-    "encoding/hex"
-    "github.com/consensys/gnark/frontend"
-    "github.com/consensys/gnark-crypto/ecc"
-    "github.com/consensys/gnark/frontend/cs/r1cs"
-    "github.com/consensys/gnark/backend/groth16"
-    "gnark-ed25519/edwards_curve"
-    "gnark-ed25519/sha512"
+	"fmt"
+	"gnark-ed25519/poseidon"
+	"math/big"
+	"time"
+
+	"github.com/consensys/gnark-crypto/ecc"
+	"github.com/consensys/gnark/backend/groth16"
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/frontend/cs/r1cs"
+	"github.com/consensys/gnark/test"
 )
 
-type Eddsa25519Circuit struct {
-    M []frontend.Variable
-    Pk []frontend.Variable
-    Sig []frontend.Variable
-}
+// type Eddsa25519Circuit struct {
+// 	M   []frontend.Variable
+// 	Pk  []frontend.Variable
+// 	Sig []frontend.Variable
+// }
 
-func (circuit *Eddsa25519Circuit) Define(api frontend.API) error {
-    c, err := edwards_curve.New[edwards_curve.Ed25519, edwards_curve.Ed25519Scalars](api)
-    if err != nil {
-        return err
-    }
-    edwards_curve.CheckValid(c, circuit.Sig, circuit.M, circuit.Pk)
-    return nil
-}
+// func (circuit *Eddsa25519Circuit) Define(api frontend.API) error {
+// 	c, err := edwards_curve.New[edwards_curve.Ed25519, edwards_curve.Ed25519Scalars](api)
+// 	if err != nil {
+// 		return err
+// 	}
+// 	edwards_curve.CheckValid(c, circuit.Sig, circuit.M, circuit.Pk)
+// 	return nil
+// }
 
+// type Sha512Circuit struct {
+// 	in  []frontend.Variable `gnark:"in"`
+// 	out []frontend.Variable `gnark:"out"`
+// }
 
-type Sha512Circuit struct {
-    in []frontend.Variable `gnark:"in"`
-    out []frontend.Variable `gnark:"out"`
-}
+// func (circuit *Sha512Circuit) Define(api frontend.API) error {
+// 	res := sha512.Sha512(api, circuit.in)
+// 	if len(res) != 512 {
+// 		panic("bad length")
+// 	}
+// 	for i := 0; i < 512; i++ {
+// 		api.AssertIsEqual(res[i], circuit.out[i])
+// 	}
+// 	return nil
+// }
 
-func (circuit *Sha512Circuit) Define(api frontend.API) error {
-    res := sha512.Sha512(api, circuit.in)
-    if len(res) != 512 { panic("bad length") }
-    for i := 0; i < 512; i++ {
-        api.AssertIsEqual(res[i], circuit.out[i])
-    }
-    return nil
-}
+// func main() {
+// 	err := mainImpl()
+// 	if err != nil {
+// 		fmt.Println(err)
+// 		os.Exit(1)
+// 	}
+// }
 
+// // func mainImpl() error {
+// //     in := bytesToBits([]byte("Succinct Labs"))
+// //     out := hexToBits("503ace098aa03f6feec1b5df0a38aee923f744a775508bc81f2b94ad139be297c2e8cd8c44af527b5d3f017a7fc929892c896604047e52e3f518924f52bff0dc")
 
+// //     myCircuit := Sha512Circuit{
+// //         in,
+// //         out,
+// //     }
+// //     fmt.Println(time.Now(), "compiling...")
+// //     r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
+// //     if err != nil {
+// //         return err
+// //     }
 
-func main() {
-    err := mainImpl()
-    if err != nil {
-        fmt.Println(err)
-        os.Exit(1)
-    }
-}
+// //     assignment := &Sha512Circuit{
+// //         in,
+// //         out,
+// //     }
+// //     fmt.Println(time.Now(), "generating witness...")
+// //     witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
+// //     publicWitness, _ := witness.Public()
+// //     fmt.Println(time.Now(), "groth setup...")
+// //     pk, vk, err := groth16.Setup(r1cs)
+// //     fmt.Println(time.Now(), "groth prove...")
+// //     proof, err := groth16.Prove(r1cs, pk, witness)
+// //     fmt.Println(time.Now(), "groth verify...")
+// //     err = groth16.Verify(proof, vk, publicWitness)
+// //     if err != nil {
+// //         return err
+// //     }
+// //     fmt.Println(proof)
+// //     return nil
+// // }
 
 // func mainImpl() error {
-//     in := bytesToBits([]byte("Succinct Labs"))
-//     out := hexToBits("503ace098aa03f6feec1b5df0a38aee923f744a775508bc81f2b94ad139be297c2e8cd8c44af527b5d3f017a7fc929892c896604047e52e3f518924f52bff0dc")
-
-//     myCircuit := Sha512Circuit{
-//         in,
-//         out,
-//     }
-//     fmt.Println(time.Now(), "compiling...")
-//     r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
-//     if err != nil {
-//         return err
-//     }
-
-//     assignment := &Sha512Circuit{
-//         in,
-//         out,
-//     }
-//     fmt.Println(time.Now(), "generating witness...")
-//     witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
-//     publicWitness, _ := witness.Public()
-//     fmt.Println(time.Now(), "groth setup...")
-//     pk, vk, err := groth16.Setup(r1cs)
-//     fmt.Println(time.Now(), "groth prove...")
-//     proof, err := groth16.Prove(r1cs, pk, witness)
-//     fmt.Println(time.Now(), "groth verify...")
-//     err = groth16.Verify(proof, vk, publicWitness)
-//     if err != nil {
-//         return err
-//     }
-//     fmt.Println(proof)
-//     return nil
+// 	M := "53756363696e6374204c616273"
+// 	Pk := "f7ec1c43f4de9d49556de87b86b26a98942cb078486fdb44de38b80864c39731"
+// 	Sig := "35c323757c20640a294345c89c0bfcebe3d554fdb0c7b7a0bdb72222c531b1ec849fed99a053e0f5b02dd9a25bb6eb018885526d9f583cdbde0b1e9f6329da09"
+
+// 	myCircuit := Eddsa25519Circuit{
+// 		M:   hexToBits(M),
+// 		Pk:  hexToBits(Pk),
+// 		Sig: hexToBits(Sig),
+// 	}
+// 	fmt.Println(time.Now(), "compiling...")
+// 	r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
+// 	if err != nil {
+// 		return err
+// 	}
+
+// 	assignment := &Eddsa25519Circuit{
+// 		M:   hexToBits(M),
+// 		Pk:  hexToBits(Pk),
+// 		Sig: hexToBits(Sig),
+// 	}
+// 	fmt.Println(time.Now(), "generating witness...")
+// 	witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
+// 	publicWitness, _ := witness.Public()
+// 	fmt.Println(time.Now(), "groth setup...")
+// 	pk, vk, err := groth16.Setup(r1cs)
+// 	fmt.Println(time.Now(), "groth prove...")
+// 	proof, err := groth16.Prove(r1cs, pk, witness)
+// 	fmt.Println(time.Now(), "groth verify...")
+// 	err = groth16.Verify(proof, vk, publicWitness)
+// 	if err != nil {
+// 		return err
+// 	}
+// 	fmt.Println(proof)
+// 	return nil
 // }
 
-func mainImpl() error {
-    M := "53756363696e6374204c616273"
-    Pk := "f7ec1c43f4de9d49556de87b86b26a98942cb078486fdb44de38b80864c39731"
-    Sig := "35c323757c20640a294345c89c0bfcebe3d554fdb0c7b7a0bdb72222c531b1ec849fed99a053e0f5b02dd9a25bb6eb018885526d9f583cdbde0b1e9f6329da09"
-
-    myCircuit := Eddsa25519Circuit{
-        M: hexToBits(M),
-        Pk: hexToBits(Pk),
-        Sig: hexToBits(Sig),
-    }
-    fmt.Println(time.Now(), "compiling...")
-    r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
-    if err != nil {
-        return err
-    }
-
-    assignment := &Eddsa25519Circuit{
-        M: hexToBits(M),
-        Pk: hexToBits(Pk),
-        Sig: hexToBits(Sig),
-    }
-    fmt.Println(time.Now(), "generating witness...")
-    witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
-    publicWitness, _ := witness.Public()
-    fmt.Println(time.Now(), "groth setup...")
-    pk, vk, err := groth16.Setup(r1cs)
-    fmt.Println(time.Now(), "groth prove...")
-    proof, err := groth16.Prove(r1cs, pk, witness)
-    fmt.Println(time.Now(), "groth verify...")
-    err = groth16.Verify(proof, vk, publicWitness)
-    if err != nil {
-        return err
-    }
-    fmt.Println(proof)
-    return nil
+// func hexToBits(h string) []frontend.Variable {
+// 	b, err := hex.DecodeString(h)
+// 	if err != nil {
+// 		panic(err)
+// 	}
+// 	result := make([]frontend.Variable, len(b)*8)
+// 	for i, v := range b {
+// 		for j := 0; j < 8; j++ {
+// 			if (v & (1 << j)) != 0 {
+// 				result[i*8+j] = 1
+// 			} else {
+// 				result[i*8+j] = 0
+// 			}
+// 		}
+// 	}
+// 	return result
+// }
+
+// func bytesToBits(arr []byte) []frontend.Variable {
+// 	result := make([]frontend.Variable, len(arr)*8)
+// 	for i, v := range arr {
+// 		for j := 0; j < 8; j++ {
+// 			if (v & (1 << (7 - j))) != 0 {
+// 				result[i*8+j] = 1
+// 			} else {
+// 				result[i*8+j] = 0
+// 			}
+// 		}
+// 	}
+// 	return result
+// }
+
+type PoseidonCircuit struct {
+	In  [12]frontend.Variable
+	Out [12]frontend.Variable
 }
 
-func hexToBits(h string) []frontend.Variable {
-    b, err := hex.DecodeString(h)
-    if err != nil {
-        panic(err)
-    }
-    result := make([]frontend.Variable, len(b) * 8)
-    for i, v := range b {
-        for j := 0; j < 8; j++ {
-            if (v & (1 << j)) != 0 {
-                result[i*8+j] = 1
-            } else {
-                result[i*8+j] = 0
-            }
-        }
-    }
-    return result
+func (circuit *PoseidonCircuit) Define(api frontend.API) error {
+	poseidon.Poseidon(api, circuit.In, circuit.Out)
+	return nil
 }
 
-func bytesToBits(arr []byte) []frontend.Variable {
-    result := make([]frontend.Variable, len(arr) * 8)
-    for i, v := range arr {
-        for j := 0; j < 8; j++ {
-            if (v & (1 << (7-j))) != 0 {
-                result[i*8+j] = 1
-            } else {
-                result[i*8+j] = 0
-            }
-        }
-    }
-    return result
+func main() {
+	in_str := [12]string{
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+	}
+	out_str := [12]string{
+		"4330397376401421145",
+		"14124799381142128323",
+		"8742572140681234676",
+		"14345658006221440202",
+		"15524073338516903644",
+		"5091405722150716653",
+		"15002163819607624508",
+		"2047012902665707362",
+		"16106391063450633726",
+		"4680844749859802542",
+		"15019775476387350140",
+		"1698615465718385111",
+	}
+
+	var in [12]big.Int
+	var out [12]big.Int
+	for i := 0; i < 12; i++ {
+		n := new(big.Int)
+		n, _ = n.SetString(in_str[i], 10)
+		in[i] = *n
+	}
+	for i := 0; i < 12; i++ {
+		n := new(big.Int)
+		n, _ = n.SetString(out_str[i], 10)
+		out[i] = *n
+	}
+
+	var _in [12]frontend.Variable
+	var _out [12]frontend.Variable
+
+	for i := 0; i < 12; i++ {
+		_in[i] = in[i]
+		_out[i] = out[i]
+	}
+
+	myCircuit := PoseidonCircuit{
+		In:  _in,
+		Out: _out,
+	}
+
+	fmt.Println(time.Now(), "compiling...")
+	r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
+	if err != nil {
+		fmt.Println(err)
+		panic(err)
+	}
+
+	assignment := &PoseidonCircuit{
+		In:  _in,
+		Out: _out,
+	}
+
+	witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
+	publicWitness, err := witness.Public()
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println(time.Now(), "groth setup...")
+	pk, vk, err := groth16.Setup(r1cs)
+	if err != nil {
+		panic(err)
+	}
+	err = test.IsSolved(&myCircuit, assignment, ecc.BN254.ScalarField())
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println(time.Now(), "groth prove...")
+	proof, err := groth16.Prove(r1cs, pk, witness)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println(time.Now(), "groth verify...")
+
+	err = groth16.Verify(proof, vk, publicWitness)
+	if err != nil {
+		panic(err)
+	}
+
 }

goldilocks/goldilocks.go

@@ -0,0 +1,20 @@
+package goldilocks
+
+import (
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/std/math/emulated"
+)
+
+type GoldilocksElement = emulated.Element[emulated.Goldilocks]
+
+func NewGoldilocksElement(x uint64) GoldilocksElement {
+	return GoldilocksElement(emulated.NewElement[emulated.Goldilocks](x))
+}
+
+func NewGoldilocksAPI(api frontend.API) frontend.API {
+	goldilocks, err := emulated.NewField[emulated.Goldilocks](api)
+	if err != nil {
+		panic(err)
+	}
+	return goldilocks
+}

poseidon/poseidon.go

@@ -0,0 +1,191 @@
+package poseidon
+
+import (
+	. "gnark-ed25519/goldilocks"
+
+	"github.com/consensys/gnark/frontend"
+)
+
+/* Note: This package assumes usage of the BN254 curve in various places. */
+
+const HALF_N_FULL_ROUNDS = 4
+const N_FULL_ROUNDS_TOTAL = 2 * HALF_N_FULL_ROUNDS
+const N_PARTIAL_ROUNDS = 22
+const N_ROUNDS = N_FULL_ROUNDS_TOTAL + N_PARTIAL_ROUNDS
+const MAX_WIDTH = 12
+const WIDTH = 12
+const SPONGE_WIDTH = 12
+const SPONGE_RATE = 8
+
+type PoseidonState = [WIDTH]GoldilocksElement
+type PoseidonChip struct {
+	api   frontend.API
+	field frontend.API
+}
+
+func Poseidon(api frontend.API, field frontend.API, input PoseidonState) PoseidonState {
+	chip := &PoseidonChip{api: api, field: field}
+	return chip.Poseidon(input)
+}
+
+func (c *PoseidonChip) Poseidon(input PoseidonState) PoseidonState {
+	state := input
+	roundCounter := 0
+	state = c.fullRounds(state, &roundCounter)
+	state = c.partialRounds(state, &roundCounter)
+	state = c.fullRounds(state, &roundCounter)
+	return state
+}
+
+func (c *PoseidonChip) fullRounds(state PoseidonState, roundCounter *int) PoseidonState {
+	for i := 0; i < HALF_N_FULL_ROUNDS; i++ {
+		state = c.constantLayer(state, roundCounter)
+		state = c.sBoxLayer(state)
+		state = c.mdsLayer(state)
+		if *roundCounter >= 26 && i == 3 {
+			break
+		}
+		*roundCounter += 1
+	}
+	return state
+}
+
+func (c *PoseidonChip) partialRounds(state PoseidonState, roundCounter *int) PoseidonState {
+	state = c.partialFirstConstantLayer(state)
+	state = c.mdsPartialLayerInit(state)
+
+	for i := 0; i < N_PARTIAL_ROUNDS; i++ {
+		state[0] = c.sBoxMonomial(state[0])
+		state[0] = c.field.Add(state[0], FAST_PARTIAL_ROUND_CONSTANTS[i]).(GoldilocksElement)
+		state = c.mdsPartialLayerFast(state, i)
+	}
+
+	*roundCounter += N_PARTIAL_ROUNDS
+
+	return state
+}
+
+func (c *PoseidonChip) constantLayer(state PoseidonState, roundCounter *int) PoseidonState {
+	for i := 0; i < 12; i++ {
+		if i < WIDTH {
+			roundConstant := NewGoldilocksElement(ALL_ROUND_CONSTANTS[i+WIDTH*(*roundCounter)])
+			state[i] = c.field.Add(state[i], roundConstant).(GoldilocksElement)
+		}
+	}
+	return state
+}
+
+func (c *PoseidonChip) sBoxLayer(state PoseidonState) PoseidonState {
+	for i := 0; i < 12; i++ {
+		if i < WIDTH {
+			state[i] = c.sBoxMonomial(state[i])
+		}
+	}
+	return state
+}
+
+func (c *PoseidonChip) sBoxMonomial(x GoldilocksElement) GoldilocksElement {
+	x2 := c.field.Mul(x, x)
+	x4 := c.field.Mul(x2, x2)
+	x3 := c.field.Mul(x2, x)
+	return c.field.Mul(x3, x4).(GoldilocksElement)
+}
+
+func (c *PoseidonChip) mdsRowShf(r int, v [WIDTH]frontend.Variable) frontend.Variable {
+	res := frontend.Variable(0)
+
+	for i := 0; i < 12; i++ {
+		if i < WIDTH {
+			res1 := c.api.Mul(v[(i+r)%WIDTH], frontend.Variable(MDS_MATRIX_CIRC[i]))
+			res = c.api.Add(res, res1)
+		}
+	}
+
+	res = c.api.Add(res, c.api.Mul(v[r], MDS_MATRIX_DIAG[r]))
+	return res
+}
+
+func (c *PoseidonChip) mdsLayer(state_ PoseidonState) PoseidonState {
+	var result PoseidonState
+	for i := 0; i < WIDTH; i++ {
+		result[i] = NewGoldilocksElement(0)
+	}
+
+	var state [WIDTH]frontend.Variable
+	for i := 0; i < WIDTH; i++ {
+		state[i] = c.api.FromBinary(c.field.ToBinary(state_[i])...)
+	}
+
+	for r := 0; r < 12; r++ {
+		if r < WIDTH {
+			sum := c.mdsRowShf(r, state)
+			bits := c.api.ToBinary(sum)
+			result[r] = c.field.FromBinary(bits).(GoldilocksElement)
+		}
+	}
+
+	return result
+}
+
+func (c *PoseidonChip) partialFirstConstantLayer(state PoseidonState) PoseidonState {
+	for i := 0; i < 12; i++ {
+		if i < WIDTH {
+			state[i] = c.field.Add(state[i], NewGoldilocksElement(FAST_PARTIAL_FIRST_ROUND_CONSTANT[i])).(GoldilocksElement)
+		}
+	}
+	return state
+}
+
+func (c *PoseidonChip) mdsPartialLayerInit(state PoseidonState) PoseidonState {
+	var result PoseidonState
+	for i := 0; i < 12; i++ {
+		result[i] = NewGoldilocksElement(0)
+	}
+
+	result[0] = state[0]
+
+	for r := 1; r < 12; r++ {
+		if r < WIDTH {
+			for d := 1; d < 12; d++ {
+				if d < WIDTH {
+					t := NewGoldilocksElement(FAST_PARTIAL_ROUND_INITIAL_MATRIX[r-1][d-1])
+					result[d] = c.field.Add(result[d], c.field.Mul(state[r], t)).(GoldilocksElement)
+				}
+			}
+		}
+	}
+
+	return result
+}
+
+func (c *PoseidonChip) mdsPartialLayerFast(state PoseidonState, r int) PoseidonState {
+	dSum := frontend.Variable(0)
+	for i := 1; i < 12; i++ {
+		if i < WIDTH {
+			t := frontend.Variable(FAST_PARTIAL_ROUND_W_HATS[r][i-1])
+			si := c.api.FromBinary(c.field.ToBinary(state[i])...)
+			dSum = c.api.Add(dSum, c.api.Mul(si, t))
+		}
+	}
+
+	s0 := c.api.FromBinary(c.field.ToBinary(state[0])...)
+	mds0to0 := frontend.Variable(MDS_MATRIX_CIRC[0] + MDS_MATRIX_DIAG[0])
+	dSum = c.api.Add(dSum, c.api.Mul(s0, mds0to0))
+	d := c.field.FromBinary(c.api.ToBinary(dSum))
+
+	var result PoseidonState
+	for i := 0; i < WIDTH; i++ {
+		result[i] = NewGoldilocksElement(0)
+	}
+
+	result[0] = d.(GoldilocksElement)
+
+	for i := 1; i < 12; i++ {
+		if i < WIDTH {
+			t := NewGoldilocksElement(FAST_PARTIAL_ROUND_VS[r][i-1])
+			result[i] = c.field.Add(state[i], c.field.Mul(state[0], t)).(GoldilocksElement)
+		}
+	}
+
+	return result
+}

poseidon/poseidon_test.go

@@ -0,0 +1,145 @@
+package poseidon
+
+import (
+	. "gnark-ed25519/goldilocks"
+	"math/big"
+	"testing"
+
+	"github.com/consensys/gnark-crypto/ecc"
+	"github.com/consensys/gnark/backend/groth16"
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/frontend/cs/r1cs"
+	"github.com/consensys/gnark/test"
+)
+
+var testCurve = ecc.BN254
+
+type TestPoseidonCircuit struct {
+	In  [12]frontend.Variable
+	Out [12]frontend.Variable
+}
+
+func (circuit *TestPoseidonCircuit) Define(api frontend.API) error {
+	goldilocksApi := NewGoldilocksAPI(api)
+
+	// BN254 -> Binary(64) -> GoldilocksElement
+	var input PoseidonState
+	for i := 0; i < 12; i++ {
+		input[i] = goldilocksApi.FromBinary(api.ToBinary(circuit.In[i], 64)).(GoldilocksElement)
+	}
+
+	output := Poseidon(api, goldilocksApi, input)
+
+	// Check that output is correct
+	for i := 0; i < 12; i++ {
+		goldilocksApi.AssertIsEqual(
+			output[i],
+			goldilocksApi.FromBinary(api.ToBinary(circuit.Out[i])).(GoldilocksElement),
+		)
+	}
+
+	return nil
+}
+
+func TestPoseidonWitness(t *testing.T) {
+	assert := test.NewAssert(t)
+
+	testCase := func(inBigInt [12]big.Int, outBigInt [12]big.Int) {
+		var in [12]frontend.Variable
+		var out [12]frontend.Variable
+
+		for i := 0; i < 12; i++ {
+			in[i] = inBigInt[i]
+			out[i] = outBigInt[i]
+		}
+
+		circuit := TestPoseidonCircuit{In: in, Out: out}
+		witness := TestPoseidonCircuit{In: in, Out: out}
+		err := test.IsSolved(&circuit, &witness, testCurve.ScalarField())
+		assert.NoError(err)
+	}
+
+	inStr := [12]string{"0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0"}
+	outStr := [12]string{
+		"4330397376401421145", "14124799381142128323", "8742572140681234676",
+		"14345658006221440202", "15524073338516903644", "5091405722150716653",
+		"15002163819607624508", "2047012902665707362", "16106391063450633726",
+		"4680844749859802542", "15019775476387350140", "1698615465718385111",
+	}
+
+	var inBigInt [12]big.Int
+	var outBigInt [12]big.Int
+
+	for i := 0; i < 12; i++ {
+		inTmp := new(big.Int)
+		inTmp, _ = inTmp.SetString(inStr[i], 10)
+		inBigInt[i] = *inTmp
+
+		outTmp := new(big.Int)
+		outTmp, _ = outTmp.SetString(outStr[i], 10)
+		outBigInt[i] = *outTmp
+	}
+
+	testCase(inBigInt, outBigInt)
+}
+
+func TestPoseidonProof(t *testing.T) {
+	inStr := [12]string{"0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0"}
+	outStr := [12]string{
+		"4330397376401421145", "14124799381142128323", "8742572140681234676",
+		"14345658006221440202", "15524073338516903644", "5091405722150716653",
+		"15002163819607624508", "2047012902665707362", "16106391063450633726",
+		"4680844749859802542", "15019775476387350140", "1698615465718385111",
+	}
+
+	var in [12]frontend.Variable
+	var out [12]frontend.Variable
+
+	for i := 0; i < 12; i++ {
+		inTmp := new(big.Int)
+		inTmp, _ = inTmp.SetString(inStr[i], 10)
+		in[i] = *inTmp
+
+		outTmp := new(big.Int)
+		outTmp, _ = outTmp.SetString(outStr[i], 10)
+		out[i] = *outTmp
+	}
+
+	circuit := TestPoseidonCircuit{In: in, Out: out}
+	assignment := TestPoseidonCircuit{In: in, Out: out}
+
+	r1cs, err := frontend.Compile(testCurve.ScalarField(), r1cs.NewBuilder, &circuit)
+	if err != nil {
+		panic(err)
+	}
+
+	witness, err := frontend.NewWitness(&assignment, testCurve.ScalarField())
+	if err != nil {
+		panic(err)
+	}
+
+	pk, vk, err := groth16.Setup(r1cs)
+	if err != nil {
+		panic(err)
+	}
+
+	err = test.IsSolved(&circuit, &assignment, testCurve.ScalarField())
+	if err != nil {
+		panic(err)
+	}
+
+	proof, err := groth16.Prove(r1cs, pk, witness)
+	if err != nil {
+		panic(err)
+	}
+
+	publicWitness, err := witness.Public()
+	if err != nil {
+		panic(err)
+	}
+
+	err = groth16.Verify(proof, vk, publicWitness)
+	if err != nil {
+		panic(err)
+	}
+}

sha512/sha512.go

@@ -1,21 +1,12 @@
 package sha512
 
-// Based on https://gist.github.com/illia-v/7883be942da5d416521375004cecb68f
+/* Based on https://gist.github.com/illia-v/7883be942da5d416521375004cecb68f */
 
 import (
 	"github.com/consensys/gnark/frontend"
 )
 
-
-func _right_rotate(n [64]frontend.Variable, bits int) [64]frontend.Variable {
-	var result [64]frontend.Variable
-	for i := 0; i < len(n); i++ {
-		result[(i+bits)%len(n)] = n[i]
-	}
-	return result
-}
-
-func Sha512(api frontend.API, in []frontend.Variable) ([512]frontend.Variable) {
+func Sha512(api frontend.API, in []frontend.Variable) [512]frontend.Variable {
 	_not := func(x [64]frontend.Variable) [64]frontend.Variable {
 		return not(api, x)
 	}
@@ -43,43 +34,43 @@ func Sha512(api frontend.API, in []frontend.Variable) ([512]frontend.Variable) {
 		}
 	}
 	initial_hash := []uint64{
-	    0x6a09e667f3bcc908,
-	    0xbb67ae8584caa73b,
-	    0x3c6ef372fe94f82b,
-	    0xa54ff53a5f1d36f1,
-	    0x510e527fade682d1,
-	    0x9b05688c2b3e6c1f,
-	    0x1f83d9abfb41bd6b,
-	    0x5be0cd19137e2179,
+		0x6a09e667f3bcc908,
+		0xbb67ae8584caa73b,
+		0x3c6ef372fe94f82b,
+		0xa54ff53a5f1d36f1,
+		0x510e527fade682d1,
+		0x9b05688c2b3e6c1f,
+		0x1f83d9abfb41bd6b,
+		0x5be0cd19137e2179,
 	}
 	round_constants := []uint64{
-	    0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f,
-	    0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019,
-	    0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242,
-	    0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
-	    0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235,
-	    0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
-	    0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275,
-	    0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
-	    0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f,
-	    0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725,
-	    0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc,
-	    0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
-	    0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6,
-	    0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001,
-	    0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218,
-	    0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
-	    0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99,
-	    0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
-	    0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc,
-	    0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
-	    0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915,
-	    0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207,
-	    0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba,
-	    0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
-	    0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc,
-	    0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
-	    0x5fcb6fab3ad6faec, 0x6c44198c4a475817,
+		0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f,
+		0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019,
+		0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242,
+		0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
+		0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235,
+		0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
+		0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275,
+		0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
+		0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f,
+		0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725,
+		0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc,
+		0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
+		0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6,
+		0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001,
+		0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218,
+		0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
+		0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99,
+		0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
+		0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc,
+		0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
+		0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915,
+		0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207,
+		0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba,
+		0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
+		0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc,
+		0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
+		0x5fcb6fab3ad6faec, 0x6c44198c4a475817,
 	}
 	for _, v := range in {
 		api.AssertIsBoolean(v)
@@ -96,13 +87,13 @@ func Sha512(api frontend.API, in []frontend.Variable) ([512]frontend.Variable) {
 	for i := 0; i < 7; i++ {
 		in = append(in, 0)
 	}
-	for i := 0; i < padding_len * 8; i++ {
+	for i := 0; i < padding_len*8; i++ {
 		in = append(in, 0)
 	}
 	for i := 0; i < 64; i++ {
 		in = append(in, message_length_bits[i])
 	}
-	
+
 	sha512_hash := Array8_64{
 		uint64ToBits(initial_hash[0]),
 		uint64ToBits(initial_hash[1]),
@@ -114,60 +105,70 @@ func Sha512(api frontend.API, in []frontend.Variable) ([512]frontend.Variable) {
 		uint64ToBits(initial_hash[7]),
 	}
 	for chunk_start := 0; chunk_start < divChecked(len(in), 8); chunk_start += 128 {
-		chunk := in[chunk_start * 8 : (chunk_start+128) * 8]
-		if len(chunk) != 1024 { panic("bad length") }
-		u := make([]frontend.Variable, 80 * 64)
+		chunk := in[chunk_start*8 : (chunk_start+128)*8]
+		if len(chunk) != 1024 {
+			panic("bad length")
+		}
+		u := make([]frontend.Variable, 80*64)
 		for i, _ := range u {
 			u[i] = 0
 		}
 		copy(u, chunk)
-		
+
 		w := reshape(u)
-		
+
 		for i := 16; i < 80; i++ {
 			s0 := _xor(
-                _right_rotate(w[i - 15], 1),
-                _right_rotate(w[i - 15], 8),
-                _shr(w[i - 15], 7),
+				_right_rotate(w[i-15], 1),
+				_right_rotate(w[i-15], 8),
+				_shr(w[i-15], 7),
 			)
 			s1 := _xor(
-                _right_rotate(w[i - 2], 19),
-                _right_rotate(w[i - 2], 61),
-                _shr(w[i - 2], 6),
+				_right_rotate(w[i-2], 19),
+				_right_rotate(w[i-2], 61),
+				_shr(w[i-2], 6),
 			)
-			w[i] = _add(w[i - 16], s0, w[i - 7], s1)
+			w[i] = _add(w[i-16], s0, w[i-7], s1)
 		}
 		a, b, c, d, e, f, g, h := unpack8(sha512_hash)
 		for i := 0; i < 80; i++ {
-            sum1 := _xor(
-                _right_rotate(e, 14),
-                _right_rotate(e, 18),
-                _right_rotate(e, 41),
-            )
+			sum1 := _xor(
+				_right_rotate(e, 14),
+				_right_rotate(e, 18),
+				_right_rotate(e, 41),
+			)
 			ch := _xor(_and(e, f), _and(_not(e), g))
 			temp1 := _add(h, sum1, ch, uint64ToBits(round_constants[i]), w[i])
-            sum0 := _xor(
-                _right_rotate(a, 28),
-                _right_rotate(a, 34),
-                _right_rotate(a, 39),
-            )
+			sum0 := _xor(
+				_right_rotate(a, 28),
+				_right_rotate(a, 34),
+				_right_rotate(a, 39),
+			)
 			maj := _xor(_and(a, b), _and(a, c), _and(b, c))
 			temp2 := _add(sum0, maj)
-			
-            h = g
-            g = f
-            f = e
-            e = _add(d, temp1)
-            d = c
-            c = b
-            b = a
-            a = _add(temp1, temp2)
+
+			h = g
+			g = f
+			f = e
+			e = _add(d, temp1)
+			d = c
+			c = b
+			b = a
+			a = _add(temp1, temp2)
 		}
 		sha512_hash = zip_add(sha512_hash, Array8_64{a, b, c, d, e, f, g, h})
 	}
 	return flatten8(sha512_hash)
 }
 
+func _right_rotate(n [64]frontend.Variable, bits int) [64]frontend.Variable {
+	var result [64]frontend.Variable
+	for i := 0; i < len(n); i++ {
+		result[(i+bits)%len(n)] = n[i]
+	}
+	return result
+}
+
 func reshape(u []frontend.Variable) [][64]frontend.Variable {
 	l := divChecked(len(u), 64)
 	result := make([][64]frontend.Variable, l)
@@ -202,7 +203,7 @@ func flatten8(x Array8_64) [512]frontend.Variable {
 func uint64ToBits(value uint64) [64]frontend.Variable {
 	var result [64]frontend.Variable
 	for k := 0; k < 64; k++ {
-		if (value & (1 << (63-k))) != 0 {
+		if (value & (1 << (63 - k))) != 0 {
 			result[k] = 1
 		} else {
 			result[k] = 0
@@ -270,7 +271,7 @@ func _shr(n [64]frontend.Variable, bits int) [64]frontend.Variable {
 		if i < bits {
 			result[i] = 0
 		} else {
-			result[i] = n[i - bits]
+			result[i] = n[i-bits]
 		}
 	}
 	return result
@@ -285,9 +286,8 @@ func not(api frontend.API, n [64]frontend.Variable) [64]frontend.Variable {
 }
 
 func divChecked(a, b int) int {
-	if a % b != 0 {
+	if a%b != 0 {
 		panic("divChecked: does not divide evenly")
 	}
 	return a / b
 }
-

sha512/sha_test.go

@@ -1,22 +1,24 @@
 package sha512
 
 import (
-	"testing"
 	"encoding/hex"
+	"testing"
 
+	"github.com/consensys/gnark-crypto/ecc"
 	"github.com/consensys/gnark/frontend"
 	"github.com/consensys/gnark/test"
-	"github.com/consensys/gnark-crypto/ecc"
 )
 
-type Sha512Circuit struct {
-	in []frontend.Variable `gnark:"in"`
+type TestSha512Circuit struct {
+	in  []frontend.Variable `gnark:"in"`
 	out []frontend.Variable `gnark:"out"`
 }
 
-func (circuit *Sha512Circuit) Define(api frontend.API) error {
+func (circuit *TestSha512Circuit) Define(api frontend.API) error {
 	res := Sha512(api, circuit.in)
-	if len(res) != 512 { panic("bad length") }
+	if len(res) != 512 {
+		panic("bad length")
+	}
 	for i := 0; i < 512; i++ {
 		api.AssertIsEqual(res[i], circuit.out[i])
 	}
@@ -25,20 +27,24 @@ func (circuit *Sha512Circuit) Define(api frontend.API) error {
 
 var testCurve = ecc.BN254
 
-func TestSha512(t *testing.T) {
+func TestSha512Witness(t *testing.T) {
 	assert := test.NewAssert(t)
 
 	testCase := func(in []byte, output string) {
 		out, err := hex.DecodeString(output)
-		if err != nil { panic(err) }
-		if len(out) != 512 / 8 { panic("bad output length") }
+		if err != nil {
+			panic(err)
+		}
+		if len(out) != 512/8 {
+			panic("bad output length")
+		}
 
-		circuit := Sha512Circuit {
-			in: toBits(in),
+		circuit := TestSha512Circuit{
+			in:  toBits(in),
 			out: toBits(out),
 		}
-		witness := Sha512Circuit {
-			in: toBits(in),
+		witness := TestSha512Circuit{
+			in:  toBits(in),
 			out: toBits(out),
 		}
 		err = test.IsSolved(&circuit, &witness, testCurve.ScalarField())
@@ -51,10 +57,10 @@ func TestSha512(t *testing.T) {
 }
 
 func toBits(arr []byte) []frontend.Variable {
-	result := make([]frontend.Variable, len(arr) * 8)
+	result := make([]frontend.Variable, len(arr)*8)
 	for i, v := range arr {
 		for j := 0; j < 8; j++ {
-			if (v & (1 << (7-j))) != 0 {
+			if (v & (1 << (7 - j))) != 0 {
 				result[i*8+j] = 1
 			} else {
 				result[i*8+j] = 0