goldilocks and poseidon

README.md

@@ -1,3 +1,4 @@
+
 # gnark-ed25519
 ed25519 implementation in Gnark
 
@@ -10,3 +11,5 @@ To build and run:
 ```
 go build gnark-ed25519 && ./gnark-ed25519
 ```
+
+if it panics on compilation.... make vriables capitalzie

ed25519.go

@@ -14,67 +14,101 @@
 
 package main
 
-
 import (
-    "time"
 	"fmt"
-    "os"
+	"gnark-ed25519/poseidon"
-    "encoding/hex"
+	"math/big"
-    "github.com/consensys/gnark/frontend"
+	"time"
+
 	"github.com/consensys/gnark-crypto/ecc"
-    "github.com/consensys/gnark/frontend/cs/r1cs"
 	"github.com/consensys/gnark/backend/groth16"
-    "gnark-ed25519/edwards_curve"
+	"github.com/consensys/gnark/frontend"
-    "gnark-ed25519/sha512"
+	"github.com/consensys/gnark/frontend/cs/r1cs"
+	"github.com/consensys/gnark/test"
 )
 
-type Eddsa25519Circuit struct {
+// type Eddsa25519Circuit struct {
-    M []frontend.Variable
+// 	M   []frontend.Variable
-    Pk []frontend.Variable
+// 	Pk  []frontend.Variable
-    Sig []frontend.Variable
+// 	Sig []frontend.Variable
-}
+// }
 
-func (circuit *Eddsa25519Circuit) Define(api frontend.API) error {
+// func (circuit *Eddsa25519Circuit) Define(api frontend.API) error {
-    c, err := edwards_curve.New[edwards_curve.Ed25519, edwards_curve.Ed25519Scalars](api)
+// 	c, err := edwards_curve.New[edwards_curve.Ed25519, edwards_curve.Ed25519Scalars](api)
-    if err != nil {
+// 	if err != nil {
-        return err
+// 		return err
-    }
+// 	}
-    edwards_curve.CheckValid(c, circuit.Sig, circuit.M, circuit.Pk)
+// 	edwards_curve.CheckValid(c, circuit.Sig, circuit.M, circuit.Pk)
-    return nil
+// 	return nil
-}
+// }
 
+// type Sha512Circuit struct {
+// 	in  []frontend.Variable `gnark:"in"`
+// 	out []frontend.Variable `gnark:"out"`
+// }
 
-type Sha512Circuit struct {
+// func (circuit *Sha512Circuit) Define(api frontend.API) error {
-    in []frontend.Variable `gnark:"in"`
+// 	res := sha512.Sha512(api, circuit.in)
-    out []frontend.Variable `gnark:"out"`
+// 	if len(res) != 512 {
-}
+// 		panic("bad length")
+// 	}
+// 	for i := 0; i < 512; i++ {
+// 		api.AssertIsEqual(res[i], circuit.out[i])
+// 	}
+// 	return nil
+// }
 
-func (circuit *Sha512Circuit) Define(api frontend.API) error {
+// func main() {
-    res := sha512.Sha512(api, circuit.in)
+// 	err := mainImpl()
-    if len(res) != 512 { panic("bad length") }
+// 	if err != nil {
-    for i := 0; i < 512; i++ {
+// 		fmt.Println(err)
-        api.AssertIsEqual(res[i], circuit.out[i])
+// 		os.Exit(1)
-    }
+// 	}
-    return nil
+// }
-}
 
+// // func mainImpl() error {
+// //     in := bytesToBits([]byte("Succinct Labs"))
+// //     out := hexToBits("503ace098aa03f6feec1b5df0a38aee923f744a775508bc81f2b94ad139be297c2e8cd8c44af527b5d3f017a7fc929892c896604047e52e3f518924f52bff0dc")
 
+// //     myCircuit := Sha512Circuit{
+// //         in,
+// //         out,
+// //     }
+// //     fmt.Println(time.Now(), "compiling...")
+// //     r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
+// //     if err != nil {
+// //         return err
+// //     }
 
-func main() {
+// //     assignment := &Sha512Circuit{
-    err := mainImpl()
+// //         in,
-    if err != nil {
+// //         out,
-        fmt.Println(err)
+// //     }
-        os.Exit(1)
+// //     fmt.Println(time.Now(), "generating witness...")
-    }
+// //     witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
-}
+// //     publicWitness, _ := witness.Public()
+// //     fmt.Println(time.Now(), "groth setup...")
+// //     pk, vk, err := groth16.Setup(r1cs)
+// //     fmt.Println(time.Now(), "groth prove...")
+// //     proof, err := groth16.Prove(r1cs, pk, witness)
+// //     fmt.Println(time.Now(), "groth verify...")
+// //     err = groth16.Verify(proof, vk, publicWitness)
+// //     if err != nil {
+// //         return err
+// //     }
+// //     fmt.Println(proof)
+// //     return nil
+// // }
 
 // func mainImpl() error {
-//     in := bytesToBits([]byte("Succinct Labs"))
+// 	M := "53756363696e6374204c616273"
-//     out := hexToBits("503ace098aa03f6feec1b5df0a38aee923f744a775508bc81f2b94ad139be297c2e8cd8c44af527b5d3f017a7fc929892c896604047e52e3f518924f52bff0dc")
+// 	Pk := "f7ec1c43f4de9d49556de87b86b26a98942cb078486fdb44de38b80864c39731"
+// 	Sig := "35c323757c20640a294345c89c0bfcebe3d554fdb0c7b7a0bdb72222c531b1ec849fed99a053e0f5b02dd9a25bb6eb018885526d9f583cdbde0b1e9f6329da09"
 
-//     myCircuit := Sha512Circuit{
+// 	myCircuit := Eddsa25519Circuit{
-//         in,
+// 		M:   hexToBits(M),
-//         out,
+// 		Pk:  hexToBits(Pk),
+// 		Sig: hexToBits(Sig),
 // 	}
 // 	fmt.Println(time.Now(), "compiling...")
 // 	r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
@@ -82,9 +116,10 @@ func main() {
 // 		return err
 // 	}
 
-//     assignment := &Sha512Circuit{
+// 	assignment := &Eddsa25519Circuit{
-//         in,
+// 		M:   hexToBits(M),
-//         out,
+// 		Pk:  hexToBits(Pk),
+// 		Sig: hexToBits(Sig),
 // 	}
 // 	fmt.Println(time.Now(), "generating witness...")
 // 	witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
@@ -102,71 +137,141 @@ func main() {
 // 	return nil
 // }
 
-func mainImpl() error {
+// func hexToBits(h string) []frontend.Variable {
-    M := "53756363696e6374204c616273"
+// 	b, err := hex.DecodeString(h)
-    Pk := "f7ec1c43f4de9d49556de87b86b26a98942cb078486fdb44de38b80864c39731"
+// 	if err != nil {
-    Sig := "35c323757c20640a294345c89c0bfcebe3d554fdb0c7b7a0bdb72222c531b1ec849fed99a053e0f5b02dd9a25bb6eb018885526d9f583cdbde0b1e9f6329da09"
+// 		panic(err)
+// 	}
+// 	result := make([]frontend.Variable, len(b)*8)
+// 	for i, v := range b {
+// 		for j := 0; j < 8; j++ {
+// 			if (v & (1 << j)) != 0 {
+// 				result[i*8+j] = 1
+// 			} else {
+// 				result[i*8+j] = 0
+// 			}
+// 		}
+// 	}
+// 	return result
+// }
 
-    myCircuit := Eddsa25519Circuit{
+// func bytesToBits(arr []byte) []frontend.Variable {
-        M: hexToBits(M),
+// 	result := make([]frontend.Variable, len(arr)*8)
-        Pk: hexToBits(Pk),
+// 	for i, v := range arr {
-        Sig: hexToBits(Sig),
+// 		for j := 0; j < 8; j++ {
-    }
+// 			if (v & (1 << (7 - j))) != 0 {
-    fmt.Println(time.Now(), "compiling...")
+// 				result[i*8+j] = 1
-    r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
+// 			} else {
-    if err != nil {
+// 				result[i*8+j] = 0
-        return err
+// 			}
+// 		}
+// 	}
+// 	return result
+// }
+
+type PoseidonCircuit struct {
+	In  [12]frontend.Variable
+	Out [12]frontend.Variable
 }
 
-    assignment := &Eddsa25519Circuit{
+func (circuit *PoseidonCircuit) Define(api frontend.API) error {
-        M: hexToBits(M),
+	poseidon.Poseidon(api, circuit.In, circuit.Out)
-        Pk: hexToBits(Pk),
-        Sig: hexToBits(Sig),
-    }
-    fmt.Println(time.Now(), "generating witness...")
-    witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
-    publicWitness, _ := witness.Public()
-    fmt.Println(time.Now(), "groth setup...")
-    pk, vk, err := groth16.Setup(r1cs)
-    fmt.Println(time.Now(), "groth prove...")
-    proof, err := groth16.Prove(r1cs, pk, witness)
-    fmt.Println(time.Now(), "groth verify...")
-    err = groth16.Verify(proof, vk, publicWitness)
-    if err != nil {
-        return err
-    }
-    fmt.Println(proof)
 	return nil
 }
 
-func hexToBits(h string) []frontend.Variable {
+func main() {
-    b, err := hex.DecodeString(h)
+	in_str := [12]string{
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+	}
+	out_str := [12]string{
+		"4330397376401421145",
+		"14124799381142128323",
+		"8742572140681234676",
+		"14345658006221440202",
+		"15524073338516903644",
+		"5091405722150716653",
+		"15002163819607624508",
+		"2047012902665707362",
+		"16106391063450633726",
+		"4680844749859802542",
+		"15019775476387350140",
+		"1698615465718385111",
+	}
+
+	var in [12]big.Int
+	var out [12]big.Int
+	for i := 0; i < 12; i++ {
+		n := new(big.Int)
+		n, _ = n.SetString(in_str[i], 10)
+		in[i] = *n
+	}
+	for i := 0; i < 12; i++ {
+		n := new(big.Int)
+		n, _ = n.SetString(out_str[i], 10)
+		out[i] = *n
+	}
+
+	var _in [12]frontend.Variable
+	var _out [12]frontend.Variable
+
+	for i := 0; i < 12; i++ {
+		_in[i] = in[i]
+		_out[i] = out[i]
+	}
+
+	myCircuit := PoseidonCircuit{
+		In:  _in,
+		Out: _out,
+	}
+
+	fmt.Println(time.Now(), "compiling...")
+	r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &myCircuit)
+	if err != nil {
+		fmt.Println(err)
+		panic(err)
+	}
+
+	assignment := &PoseidonCircuit{
+		In:  _in,
+		Out: _out,
+	}
+
+	witness, _ := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
+	publicWitness, err := witness.Public()
 	if err != nil {
 		panic(err)
 	}
-    result := make([]frontend.Variable, len(b) * 8)
+	fmt.Println(time.Now(), "groth setup...")
-    for i, v := range b {
+	pk, vk, err := groth16.Setup(r1cs)
-        for j := 0; j < 8; j++ {
+	if err != nil {
-            if (v & (1 << j)) != 0 {
+		panic(err)
-                result[i*8+j] = 1
-            } else {
-                result[i*8+j] = 0
 	}
-        }
+	err = test.IsSolved(&myCircuit, assignment, ecc.BN254.ScalarField())
-    }
+	if err != nil {
-    return result
+		panic(err)
 	}
 
-func bytesToBits(arr []byte) []frontend.Variable {
+	fmt.Println(time.Now(), "groth prove...")
-    result := make([]frontend.Variable, len(arr) * 8)
+	proof, err := groth16.Prove(r1cs, pk, witness)
-    for i, v := range arr {
+	if err != nil {
-        for j := 0; j < 8; j++ {
+		panic(err)
-            if (v & (1 << (7-j))) != 0 {
-                result[i*8+j] = 1
-            } else {
-                result[i*8+j] = 0
 	}
+	fmt.Println(time.Now(), "groth verify...")
+
+	err = groth16.Verify(proof, vk, publicWitness)
+	if err != nil {
+		panic(err)
 	}
-    }
+
-    return result
 }

goldilocks/goldilocks.go

@@ -0,0 +1,20 @@
+package goldilocks
+
+import (
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/std/math/emulated"
+)
+
+type GoldilocksElement = emulated.Element[emulated.Goldilocks]
+
+func NewGoldilocksElement(x uint64) GoldilocksElement {
+	return GoldilocksElement(emulated.NewElement[emulated.Goldilocks](x))
+}
+
+func NewGoldilocksAPI(api frontend.API) frontend.API {
+	goldilocks, err := emulated.NewField[emulated.Goldilocks](api)
+	if err != nil {
+		panic(err)
+	}
+	return goldilocks
+}

poseidon/poseidon.go

@@ -0,0 +1,191 @@
+package poseidon
+
+import (
+	. "gnark-ed25519/goldilocks"
+
+	"github.com/consensys/gnark/frontend"
+)
+
+/* Note: This package assumes usage of the BN254 curve in various places. */
+
+const HALF_N_FULL_ROUNDS = 4
+const N_FULL_ROUNDS_TOTAL = 2 * HALF_N_FULL_ROUNDS
+const N_PARTIAL_ROUNDS = 22
+const N_ROUNDS = N_FULL_ROUNDS_TOTAL + N_PARTIAL_ROUNDS
+const MAX_WIDTH = 12
+const WIDTH = 12
+const SPONGE_WIDTH = 12
+const SPONGE_RATE = 8
+
+type PoseidonState = [WIDTH]GoldilocksElement
+type PoseidonChip struct {
+	api   frontend.API
+	field frontend.API
+}
+
+func Poseidon(api frontend.API, field frontend.API, input PoseidonState) PoseidonState {
+	chip := &PoseidonChip{api: api, field: field}
+	return chip.Poseidon(input)
+}
+
+func (c *PoseidonChip) Poseidon(input PoseidonState) PoseidonState {
+	state := input
+	roundCounter := 0
+	state = c.fullRounds(state, &roundCounter)
+	state = c.partialRounds(state, &roundCounter)
+	state = c.fullRounds(state, &roundCounter)
+	return state
+}
+
+func (c *PoseidonChip) fullRounds(state PoseidonState, roundCounter *int) PoseidonState {
+	for i := 0; i < HALF_N_FULL_ROUNDS; i++ {
+		state = c.constantLayer(state, roundCounter)
+		state = c.sBoxLayer(state)
+		state = c.mdsLayer(state)
+		if *roundCounter >= 26 && i == 3 {
+			break
+		}
+		*roundCounter += 1
+	}
+	return state
+}
+
+func (c *PoseidonChip) partialRounds(state PoseidonState, roundCounter *int) PoseidonState {
+	state = c.partialFirstConstantLayer(state)
+	state = c.mdsPartialLayerInit(state)
+
+	for i := 0; i < N_PARTIAL_ROUNDS; i++ {
+		state[0] = c.sBoxMonomial(state[0])
+		state[0] = c.field.Add(state[0], FAST_PARTIAL_ROUND_CONSTANTS[i]).(GoldilocksElement)
+		state = c.mdsPartialLayerFast(state, i)
+	}
+
+	*roundCounter += N_PARTIAL_ROUNDS
+
+	return state
+}
+
+func (c *PoseidonChip) constantLayer(state PoseidonState, roundCounter *int) PoseidonState {
+	for i := 0; i < 12; i++ {
+		if i < WIDTH {
+			roundConstant := NewGoldilocksElement(ALL_ROUND_CONSTANTS[i+WIDTH*(*roundCounter)])
+			state[i] = c.field.Add(state[i], roundConstant).(GoldilocksElement)
+		}
+	}
+	return state
+}
+
+func (c *PoseidonChip) sBoxLayer(state PoseidonState) PoseidonState {
+	for i := 0; i < 12; i++ {
+		if i < WIDTH {
+			state[i] = c.sBoxMonomial(state[i])
+		}
+	}
+	return state
+}
+
+func (c *PoseidonChip) sBoxMonomial(x GoldilocksElement) GoldilocksElement {
+	x2 := c.field.Mul(x, x)
+	x4 := c.field.Mul(x2, x2)
+	x3 := c.field.Mul(x2, x)
+	return c.field.Mul(x3, x4).(GoldilocksElement)
+}
+
+func (c *PoseidonChip) mdsRowShf(r int, v [WIDTH]frontend.Variable) frontend.Variable {
+	res := frontend.Variable(0)
+
+	for i := 0; i < 12; i++ {
+		if i < WIDTH {
+			res1 := c.api.Mul(v[(i+r)%WIDTH], frontend.Variable(MDS_MATRIX_CIRC[i]))
+			res = c.api.Add(res, res1)
+		}
+	}
+
+	res = c.api.Add(res, c.api.Mul(v[r], MDS_MATRIX_DIAG[r]))
+	return res
+}
+
+func (c *PoseidonChip) mdsLayer(state_ PoseidonState) PoseidonState {
+	var result PoseidonState
+	for i := 0; i < WIDTH; i++ {
+		result[i] = NewGoldilocksElement(0)
+	}
+
+	var state [WIDTH]frontend.Variable
+	for i := 0; i < WIDTH; i++ {
+		state[i] = c.api.FromBinary(c.field.ToBinary(state_[i])...)
+	}
+
+	for r := 0; r < 12; r++ {
+		if r < WIDTH {
+			sum := c.mdsRowShf(r, state)
+			bits := c.api.ToBinary(sum)
+			result[r] = c.field.FromBinary(bits).(GoldilocksElement)
+		}
+	}
+
+	return result
+}
+
+func (c *PoseidonChip) partialFirstConstantLayer(state PoseidonState) PoseidonState {
+	for i := 0; i < 12; i++ {
+		if i < WIDTH {
+			state[i] = c.field.Add(state[i], NewGoldilocksElement(FAST_PARTIAL_FIRST_ROUND_CONSTANT[i])).(GoldilocksElement)
+		}
+	}
+	return state
+}
+
+func (c *PoseidonChip) mdsPartialLayerInit(state PoseidonState) PoseidonState {
+	var result PoseidonState
+	for i := 0; i < 12; i++ {
+		result[i] = NewGoldilocksElement(0)
+	}
+
+	result[0] = state[0]
+
+	for r := 1; r < 12; r++ {
+		if r < WIDTH {
+			for d := 1; d < 12; d++ {
+				if d < WIDTH {
+					t := NewGoldilocksElement(FAST_PARTIAL_ROUND_INITIAL_MATRIX[r-1][d-1])
+					result[d] = c.field.Add(result[d], c.field.Mul(state[r], t)).(GoldilocksElement)
+				}
+			}
+		}
+	}
+
+	return result
+}
+
+func (c *PoseidonChip) mdsPartialLayerFast(state PoseidonState, r int) PoseidonState {
+	dSum := frontend.Variable(0)
+	for i := 1; i < 12; i++ {
+		if i < WIDTH {
+			t := frontend.Variable(FAST_PARTIAL_ROUND_W_HATS[r][i-1])
+			si := c.api.FromBinary(c.field.ToBinary(state[i])...)
+			dSum = c.api.Add(dSum, c.api.Mul(si, t))
+		}
+	}
+
+	s0 := c.api.FromBinary(c.field.ToBinary(state[0])...)
+	mds0to0 := frontend.Variable(MDS_MATRIX_CIRC[0] + MDS_MATRIX_DIAG[0])
+	dSum = c.api.Add(dSum, c.api.Mul(s0, mds0to0))
+	d := c.field.FromBinary(c.api.ToBinary(dSum))
+
+	var result PoseidonState
+	for i := 0; i < WIDTH; i++ {
+		result[i] = NewGoldilocksElement(0)
+	}
+
+	result[0] = d.(GoldilocksElement)
+
+	for i := 1; i < 12; i++ {
+		if i < WIDTH {
+			t := NewGoldilocksElement(FAST_PARTIAL_ROUND_VS[r][i-1])
+			result[i] = c.field.Add(state[i], c.field.Mul(state[0], t)).(GoldilocksElement)
+		}
+	}
+
+	return result
+}

poseidon/poseidon_test.go

@@ -0,0 +1,145 @@
+package poseidon
+
+import (
+	. "gnark-ed25519/goldilocks"
+	"math/big"
+	"testing"
+
+	"github.com/consensys/gnark-crypto/ecc"
+	"github.com/consensys/gnark/backend/groth16"
+	"github.com/consensys/gnark/frontend"
+	"github.com/consensys/gnark/frontend/cs/r1cs"
+	"github.com/consensys/gnark/test"
+)
+
+var testCurve = ecc.BN254
+
+type TestPoseidonCircuit struct {
+	In  [12]frontend.Variable
+	Out [12]frontend.Variable
+}
+
+func (circuit *TestPoseidonCircuit) Define(api frontend.API) error {
+	goldilocksApi := NewGoldilocksAPI(api)
+
+	// BN254 -> Binary(64) -> GoldilocksElement
+	var input PoseidonState
+	for i := 0; i < 12; i++ {
+		input[i] = goldilocksApi.FromBinary(api.ToBinary(circuit.In[i], 64)).(GoldilocksElement)
+	}
+
+	output := Poseidon(api, goldilocksApi, input)
+
+	// Check that output is correct
+	for i := 0; i < 12; i++ {
+		goldilocksApi.AssertIsEqual(
+			output[i],
+			goldilocksApi.FromBinary(api.ToBinary(circuit.Out[i])).(GoldilocksElement),
+		)
+	}
+
+	return nil
+}
+
+func TestPoseidonWitness(t *testing.T) {
+	assert := test.NewAssert(t)
+
+	testCase := func(inBigInt [12]big.Int, outBigInt [12]big.Int) {
+		var in [12]frontend.Variable
+		var out [12]frontend.Variable
+
+		for i := 0; i < 12; i++ {
+			in[i] = inBigInt[i]
+			out[i] = outBigInt[i]
+		}
+
+		circuit := TestPoseidonCircuit{In: in, Out: out}
+		witness := TestPoseidonCircuit{In: in, Out: out}
+		err := test.IsSolved(&circuit, &witness, testCurve.ScalarField())
+		assert.NoError(err)
+	}
+
+	inStr := [12]string{"0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0"}
+	outStr := [12]string{
+		"4330397376401421145", "14124799381142128323", "8742572140681234676",
+		"14345658006221440202", "15524073338516903644", "5091405722150716653",
+		"15002163819607624508", "2047012902665707362", "16106391063450633726",
+		"4680844749859802542", "15019775476387350140", "1698615465718385111",
+	}
+
+	var inBigInt [12]big.Int
+	var outBigInt [12]big.Int
+
+	for i := 0; i < 12; i++ {
+		inTmp := new(big.Int)
+		inTmp, _ = inTmp.SetString(inStr[i], 10)
+		inBigInt[i] = *inTmp
+
+		outTmp := new(big.Int)
+		outTmp, _ = outTmp.SetString(outStr[i], 10)
+		outBigInt[i] = *outTmp
+	}
+
+	testCase(inBigInt, outBigInt)
+}
+
+func TestPoseidonProof(t *testing.T) {
+	inStr := [12]string{"0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0"}
+	outStr := [12]string{
+		"4330397376401421145", "14124799381142128323", "8742572140681234676",
+		"14345658006221440202", "15524073338516903644", "5091405722150716653",
+		"15002163819607624508", "2047012902665707362", "16106391063450633726",
+		"4680844749859802542", "15019775476387350140", "1698615465718385111",
+	}
+
+	var in [12]frontend.Variable
+	var out [12]frontend.Variable
+
+	for i := 0; i < 12; i++ {
+		inTmp := new(big.Int)
+		inTmp, _ = inTmp.SetString(inStr[i], 10)
+		in[i] = *inTmp
+
+		outTmp := new(big.Int)
+		outTmp, _ = outTmp.SetString(outStr[i], 10)
+		out[i] = *outTmp
+	}
+
+	circuit := TestPoseidonCircuit{In: in, Out: out}
+	assignment := TestPoseidonCircuit{In: in, Out: out}
+
+	r1cs, err := frontend.Compile(testCurve.ScalarField(), r1cs.NewBuilder, &circuit)
+	if err != nil {
+		panic(err)
+	}
+
+	witness, err := frontend.NewWitness(&assignment, testCurve.ScalarField())
+	if err != nil {
+		panic(err)
+	}
+
+	pk, vk, err := groth16.Setup(r1cs)
+	if err != nil {
+		panic(err)
+	}
+
+	err = test.IsSolved(&circuit, &assignment, testCurve.ScalarField())
+	if err != nil {
+		panic(err)
+	}
+
+	proof, err := groth16.Prove(r1cs, pk, witness)
+	if err != nil {
+		panic(err)
+	}
+
+	publicWitness, err := witness.Public()
+	if err != nil {
+		panic(err)
+	}
+
+	err = groth16.Verify(proof, vk, publicWitness)
+	if err != nil {
+		panic(err)
+	}
+}

sha512/sha512.go

@@ -1,21 +1,12 @@
 package sha512
 
-// Based on https://gist.github.com/illia-v/7883be942da5d416521375004cecb68f
+/* Based on https://gist.github.com/illia-v/7883be942da5d416521375004cecb68f */
 
 import (
 	"github.com/consensys/gnark/frontend"
 )
 
-
+func Sha512(api frontend.API, in []frontend.Variable) [512]frontend.Variable {
-func _right_rotate(n [64]frontend.Variable, bits int) [64]frontend.Variable {
-	var result [64]frontend.Variable
-	for i := 0; i < len(n); i++ {
-		result[(i+bits)%len(n)] = n[i]
-	}
-	return result
-}
-
-func Sha512(api frontend.API, in []frontend.Variable) ([512]frontend.Variable) {
 	_not := func(x [64]frontend.Variable) [64]frontend.Variable {
 		return not(api, x)
 	}
@@ -115,7 +106,9 @@ func Sha512(api frontend.API, in []frontend.Variable) ([512]frontend.Variable) {
 	}
 	for chunk_start := 0; chunk_start < divChecked(len(in), 8); chunk_start += 128 {
 		chunk := in[chunk_start*8 : (chunk_start+128)*8]
-		if len(chunk) != 1024 { panic("bad length") }
+		if len(chunk) != 1024 {
+			panic("bad length")
+		}
 		u := make([]frontend.Variable, 80*64)
 		for i, _ := range u {
 			u[i] = 0
@@ -168,6 +161,14 @@ func Sha512(api frontend.API, in []frontend.Variable) ([512]frontend.Variable) {
 	return flatten8(sha512_hash)
 }
 
+func _right_rotate(n [64]frontend.Variable, bits int) [64]frontend.Variable {
+	var result [64]frontend.Variable
+	for i := 0; i < len(n); i++ {
+		result[(i+bits)%len(n)] = n[i]
+	}
+	return result
+}
+
 func reshape(u []frontend.Variable) [][64]frontend.Variable {
 	l := divChecked(len(u), 64)
 	result := make([][64]frontend.Variable, l)
@@ -290,4 +291,3 @@ func divChecked(a, b int) int {
 	}
 	return a / b
 }
-

sha512/sha_test.go

@@ -1,22 +1,24 @@
 package sha512
 
 import (
-	"testing"
 	"encoding/hex"
+	"testing"
 
+	"github.com/consensys/gnark-crypto/ecc"
 	"github.com/consensys/gnark/frontend"
 	"github.com/consensys/gnark/test"
-	"github.com/consensys/gnark-crypto/ecc"
 )
 
-type Sha512Circuit struct {
+type TestSha512Circuit struct {
 	in  []frontend.Variable `gnark:"in"`
 	out []frontend.Variable `gnark:"out"`
 }
 
-func (circuit *Sha512Circuit) Define(api frontend.API) error {
+func (circuit *TestSha512Circuit) Define(api frontend.API) error {
 	res := Sha512(api, circuit.in)
-	if len(res) != 512 { panic("bad length") }
+	if len(res) != 512 {
+		panic("bad length")
+	}
 	for i := 0; i < 512; i++ {
 		api.AssertIsEqual(res[i], circuit.out[i])
 	}
@@ -25,19 +27,23 @@ func (circuit *Sha512Circuit) Define(api frontend.API) error {
 
 var testCurve = ecc.BN254
 
-func TestSha512(t *testing.T) {
+func TestSha512Witness(t *testing.T) {
 	assert := test.NewAssert(t)
 
 	testCase := func(in []byte, output string) {
 		out, err := hex.DecodeString(output)
-		if err != nil { panic(err) }
+		if err != nil {
-		if len(out) != 512 / 8 { panic("bad output length") }
+			panic(err)
+		}
+		if len(out) != 512/8 {
+			panic("bad output length")
+		}
 
-		circuit := Sha512Circuit {
+		circuit := TestSha512Circuit{
 			in:  toBits(in),
 			out: toBits(out),
 		}
-		witness := Sha512Circuit {
+		witness := TestSha512Circuit{
 			in:  toBits(in),
 			out: toBits(out),
 		}