Merge pull request #1 from iden3/feature/poseidon

add Poseidon

README.md

@@ -1,3 +1,4 @@
 # go-iden3-crypto [![Go Report Card](https://goreportcard.com/badge/github.com/iden3/go-iden3-crypto)](https://goreportcard.com/report/github.com/iden3/go-iden3-crypto) [![Build Status](https://travis-ci.org/iden3/go-iden3-crypto.svg?branch=master)](https://travis-ci.org/iden3/go-iden3-crypto) [![GoDoc](https://godoc.org/github.com/iden3/go-iden3-crypto?status.svg)](https://godoc.org/github.com/iden3/go-iden3-crypto)
-Go implementation of some cryptographic primitives used in iden3
+
+Go implementation of some cryptographic primitives (that fit inside the SNARK field) used in iden3
 

babyjub/babyjub.go

@@ -2,27 +2,17 @@ package babyjub
 
 import (
 	"fmt"
+	"github.com/iden3/go-iden3-crypto/constants"
+	"github.com/iden3/go-iden3-crypto/utils"
 	"math/big"
 )
 
-// Q is the order of the integer field where the curve point coordinates are (Zq).
-var Q *big.Int
-
 // A is one of the babyjub constants.
 var A *big.Int
 
 // D is one of the babyjub constants.
 var D *big.Int
 
-// Zero is 0.
-var Zero *big.Int
-
-// One is 1.
-var One *big.Int
-
-// MinusOne is -1.
-var MinusOne *big.Int
-
 // Order of the babyjub curve.
 var Order *big.Int
 
@@ -34,34 +24,19 @@ var SubOrder *big.Int
 // the subgroup in the curve.
 var B8 *Point
 
-// NewIntFromString creates a new big.Int from a decimal integer encoded as a
-// string.  It will panic if the string is not a decimal integer.
-func NewIntFromString(s string) *big.Int {
-	v, ok := new(big.Int).SetString(s, 10)
-	if !ok {
-		panic(fmt.Sprintf("Bad base 10 string %s", s))
-	}
-	return v
-}
-
 // init initializes global numbers and the subgroup base.
 func init() {
-	Zero = big.NewInt(0)
-	One = big.NewInt(1)
-	MinusOne = big.NewInt(-1)
-	Q = NewIntFromString(
-		"21888242871839275222246405745257275088548364400416034343698204186575808495617")
-	A = NewIntFromString("168700")
-	D = NewIntFromString("168696")
-
-	Order = NewIntFromString(
+	A = utils.NewIntFromString("168700")
+	D = utils.NewIntFromString("168696")
+
+	Order = utils.NewIntFromString(
 		"21888242871839275222246405745257275088614511777268538073601725287587578984328")
 	SubOrder = new(big.Int).Rsh(Order, 3)
 
 	B8 = NewPoint()
-	B8.X = NewIntFromString(
+	B8.X = utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
-	B8.Y = NewIntFromString(
+	B8.Y = utils.NewIntFromString(
 		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
 }
 
@@ -95,9 +70,9 @@ func (res *Point) Add(a *Point, b *Point) *Point {
 	x2.Mul(x2, b.X)
 	x2.Mul(x2, a.Y)
 	x2.Mul(x2, b.Y)
-	x2.Add(One, x2)
-	x2.Mod(x2, Q)
-	x2.ModInverse(x2, Q) // x2 = (1 + D * a.x * b.x * a.y * b.y)^-1
+	x2.Add(constants.One, x2)
+	x2.Mod(x2, constants.Q)
+	x2.ModInverse(x2, constants.Q) // x2 = (1 + D * a.x * b.x * a.y * b.y)^-1
 
 	// y = (a.y * b.y + A * a.x * a.x) * (1 - D * a.x * b.x * a.y * b.y)^-1 mod q
 	y1a := new(big.Int).Mul(a.Y, b.Y)
@@ -112,15 +87,15 @@ func (res *Point) Add(a *Point, b *Point) *Point {
 	y2.Mul(y2, b.X)
 	y2.Mul(y2, a.Y)
 	y2.Mul(y2, b.Y)
-	y2.Sub(One, y2)
-	y2.Mod(y2, Q)
-	y2.ModInverse(y2, Q) // y2 = (1 - D * a.x * b.x * a.y * b.y)^-1
+	y2.Sub(constants.One, y2)
+	y2.Mod(y2, constants.Q)
+	y2.ModInverse(y2, constants.Q) // y2 = (1 - D * a.x * b.x * a.y * b.y)^-1
 
 	res.X = x1a.Mul(x1a, x2)
-	res.X = res.X.Mod(res.X, Q)
+	res.X = res.X.Mod(res.X, constants.Q)
 
 	res.Y = y1a.Mul(y1a, y2)
-	res.Y = res.Y.Mod(res.Y, Q)
+	res.Y = res.Y.Mod(res.Y, constants.Q)
 
 	return res
 }
@@ -146,21 +121,21 @@ func (res *Point) Mul(s *big.Int, p *Point) *Point {
 func (p *Point) InCurve() bool {
 	x2 := new(big.Int).Set(p.X)
 	x2.Mul(x2, x2)
-	x2.Mod(x2, Q)
+	x2.Mod(x2, constants.Q)
 
 	y2 := new(big.Int).Set(p.Y)
 	y2.Mul(y2, y2)
-	y2.Mod(y2, Q)
+	y2.Mod(y2, constants.Q)
 
 	a := new(big.Int).Mul(A, x2)
 	a.Add(a, y2)
-	a.Mod(a, Q)
+	a.Mod(a, constants.Q)
 
 	b := new(big.Int).Set(D)
 	b.Mul(b, x2)
 	b.Mul(b, y2)
-	b.Add(One, b)
-	b.Mod(b, Q)
+	b.Add(constants.One, b)
+	b.Mod(b, constants.Q)
 
 	return a.Cmp(b) == 0
 }
@@ -172,20 +147,20 @@ func (p *Point) InSubGroup() bool {
 		return false
 	}
 	res := NewPoint().Mul(SubOrder, p)
-	return (res.X.Cmp(Zero) == 0) && (res.Y.Cmp(One) == 0)
+	return (res.X.Cmp(constants.Zero) == 0) && (res.Y.Cmp(constants.One) == 0)
 }
 
 // PointCoordSign returns the sign of the curve point coordinate.  It returns
 // false if the sign is positive and false if the sign is negative.
 func PointCoordSign(c *big.Int) bool {
-	if c.Cmp(new(big.Int).Rsh(Q, 1)) == 1 {
+	if c.Cmp(new(big.Int).Rsh(constants.Q, 1)) == 1 {
 		return true
 	}
 	return false
 }
 
 func PackPoint(ay *big.Int, sign bool) [32]byte {
-	leBuf := BigIntLEBytes(ay)
+	leBuf := utils.BigIntLEBytes(ay)
 	if sign {
 		leBuf[31] = leBuf[31] | 0x80
 	}
@@ -210,31 +185,31 @@ func (p *Point) Decompress(leBuf [32]byte) (*Point, error) {
 		sign = true
 		leBuf[31] = leBuf[31] & 0x7F
 	}
-	SetBigIntFromLEBytes(p.Y, leBuf[:])
-	if p.Y.Cmp(Q) >= 0 {
+	utils.SetBigIntFromLEBytes(p.Y, leBuf[:])
+	if p.Y.Cmp(constants.Q) >= 0 {
 		return nil, fmt.Errorf("p.y >= Q")
 	}
 
 	y2 := new(big.Int).Mul(p.Y, p.Y)
-	y2.Mod(y2, Q)
+	y2.Mod(y2, constants.Q)
 	xa := big.NewInt(1)
 	xa.Sub(xa, y2) // xa == 1 - y^2
 
 	xb := new(big.Int).Mul(D, y2)
-	xb.Mod(xb, Q)
+	xb.Mod(xb, constants.Q)
 	xb.Sub(A, xb) // xb = A - d * y^2
 
 	if xb.Cmp(big.NewInt(0)) == 0 {
 		return nil, fmt.Errorf("division by 0")
 	}
-	xb.ModInverse(xb, Q)
+	xb.ModInverse(xb, constants.Q)
 	p.X.Mul(xa, xb) // xa / xb
-	p.X.Mod(p.X, Q)
-	p.X.ModSqrt(p.X, Q)
+	p.X.Mod(p.X, constants.Q)
+	p.X.ModSqrt(p.X, constants.Q)
 	if (sign && !PointCoordSign(p.X)) || (!sign && PointCoordSign(p.X)) {
-		p.X.Mul(p.X, MinusOne)
+		p.X.Mul(p.X, constants.MinusOne)
 	}
-	p.X.Mod(p.X, Q)
+	p.X.Mod(p.X, constants.Q)
 
 	return p, nil
 }

babyjub/babyjub_test.go

@@ -5,6 +5,7 @@ import (
 	"math/big"
 	"testing"
 
+	"github.com/iden3/go-iden3-crypto/utils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -19,15 +20,15 @@ func TestAdd1(t *testing.T) {
 }
 
 func TestAdd2(t *testing.T) {
-	aX := NewIntFromString(
+	aX := utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
-	aY := NewIntFromString(
+	aY := utils.NewIntFromString(
 		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
 	a := &Point{X: aX, Y: aY}
 
-	bX := NewIntFromString(
+	bX := utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
-	bY := NewIntFromString(
+	bY := utils.NewIntFromString(
 		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
 	b := &Point{X: bX, Y: bY}
 
@@ -42,15 +43,15 @@ func TestAdd2(t *testing.T) {
 }
 
 func TestAdd3(t *testing.T) {
-	aX := NewIntFromString(
+	aX := utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
-	aY := NewIntFromString(
+	aY := utils.NewIntFromString(
 		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
 	a := &Point{X: aX, Y: aY}
 
-	bX := NewIntFromString(
+	bX := utils.NewIntFromString(
 		"16540640123574156134436876038791482806971768689494387082833631921987005038935")
-	bY := NewIntFromString(
+	bY := utils.NewIntFromString(
 		"20819045374670962167435360035096875258406992893633759881276124905556507972311")
 	b := &Point{X: bX, Y: bY}
 
@@ -65,15 +66,15 @@ func TestAdd3(t *testing.T) {
 }
 
 func TestAdd4(t *testing.T) {
-	aX := NewIntFromString(
+	aX := utils.NewIntFromString(
 		"0")
-	aY := NewIntFromString(
+	aY := utils.NewIntFromString(
 		"1")
 	a := &Point{X: aX, Y: aY}
 
-	bX := NewIntFromString(
+	bX := utils.NewIntFromString(
 		"16540640123574156134436876038791482806971768689494387082833631921987005038935")
-	bY := NewIntFromString(
+	bY := utils.NewIntFromString(
 		"20819045374670962167435360035096875258406992893633759881276124905556507972311")
 	b := &Point{X: bX, Y: bY}
 
@@ -98,12 +99,12 @@ func TestInCurve2(t *testing.T) {
 }
 
 func TestMul0(t *testing.T) {
-	x := NewIntFromString(
+	x := utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
-	y := NewIntFromString(
+	y := utils.NewIntFromString(
 		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
 	p := &Point{X: x, Y: y}
-	s := NewIntFromString("3")
+	s := utils.NewIntFromString("3")
 
 	r2 := NewPoint().Add(p, p)
 	r2 = NewPoint().Add(r2, p)
@@ -120,12 +121,12 @@ func TestMul0(t *testing.T) {
 }
 
 func TestMul1(t *testing.T) {
-	x := NewIntFromString(
+	x := utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
-	y := NewIntFromString(
+	y := utils.NewIntFromString(
 		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
 	p := &Point{X: x, Y: y}
-	s := NewIntFromString(
+	s := utils.NewIntFromString(
 		"14035240266687799601661095864649209771790948434046947201833777492504781204499")
 	r := NewPoint().Mul(s, p)
 	assert.Equal(t,
@@ -137,12 +138,12 @@ func TestMul1(t *testing.T) {
 }
 
 func TestMul2(t *testing.T) {
-	x := NewIntFromString(
+	x := utils.NewIntFromString(
 		"6890855772600357754907169075114257697580319025794532037257385534741338397365")
-	y := NewIntFromString(
+	y := utils.NewIntFromString(
 		"4338620300185947561074059802482547481416142213883829469920100239455078257889")
 	p := &Point{X: x, Y: y}
-	s := NewIntFromString(
+	s := utils.NewIntFromString(
 		"20819045374670962167435360035096875258406992893633759881276124905556507972311")
 	r := NewPoint().Mul(s, p)
 	assert.Equal(t,
@@ -154,45 +155,45 @@ func TestMul2(t *testing.T) {
 }
 
 func TestInCurve3(t *testing.T) {
-	x := NewIntFromString(
+	x := utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
-	y := NewIntFromString(
+	y := utils.NewIntFromString(
 		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
 	p := &Point{X: x, Y: y}
 	assert.Equal(t, true, p.InCurve())
 }
 
 func TestInCurve4(t *testing.T) {
-	x := NewIntFromString(
+	x := utils.NewIntFromString(
 		"6890855772600357754907169075114257697580319025794532037257385534741338397365")
-	y := NewIntFromString(
+	y := utils.NewIntFromString(
 		"4338620300185947561074059802482547481416142213883829469920100239455078257889")
 	p := &Point{X: x, Y: y}
 	assert.Equal(t, true, p.InCurve())
 }
 
 func TestInSubGroup1(t *testing.T) {
-	x := NewIntFromString(
+	x := utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
-	y := NewIntFromString(
+	y := utils.NewIntFromString(
 		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
 	p := &Point{X: x, Y: y}
 	assert.Equal(t, true, p.InSubGroup())
 }
 
 func TestInSubGroup2(t *testing.T) {
-	x := NewIntFromString(
+	x := utils.NewIntFromString(
 		"6890855772600357754907169075114257697580319025794532037257385534741338397365")
-	y := NewIntFromString(
+	y := utils.NewIntFromString(
 		"4338620300185947561074059802482547481416142213883829469920100239455078257889")
 	p := &Point{X: x, Y: y}
 	assert.Equal(t, true, p.InSubGroup())
 }
 
 func TestCompressDecompress1(t *testing.T) {
-	x := NewIntFromString(
+	x := utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
-	y := NewIntFromString(
+	y := utils.NewIntFromString(
 		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
 	p := &Point{X: x, Y: y}
 
@@ -206,9 +207,9 @@ func TestCompressDecompress1(t *testing.T) {
 }
 
 func TestCompressDecompress2(t *testing.T) {
-	x := NewIntFromString(
+	x := utils.NewIntFromString(
 		"6890855772600357754907169075114257697580319025794532037257385534741338397365")
-	y := NewIntFromString(
+	y := utils.NewIntFromString(
 		"4338620300185947561074059802482547481416142213883829469920100239455078257889")
 	p := &Point{X: x, Y: y}
 

babyjub/eddsa.go

@@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 
 	"github.com/iden3/go-iden3-crypto/mimc7"
+	"github.com/iden3/go-iden3-crypto/utils"
 
 	"math/big"
 )
@@ -39,7 +40,7 @@ func (k *PrivateKey) Scalar() *PrivKeyScalar {
 	copy(sBuf32[:], sBuf[:32])
 	pruneBuffer(&sBuf32)
 	s := new(big.Int)
-	SetBigIntFromLEBytes(s, sBuf32[:])
+	utils.SetBigIntFromLEBytes(s, sBuf32[:])
 	s.Rsh(s, 3)
 	return NewPrivKeyScalar(s)
 }
@@ -76,17 +77,17 @@ type PublicKey Point
 
 func (pk PublicKey) MarshalText() ([]byte, error) {
 	pkc := pk.Compress()
-	return Hex(pkc[:]).MarshalText()
+	return utils.Hex(pkc[:]).MarshalText()
 }
 
 func (pk PublicKey) String() string {
 	pkc := pk.Compress()
-	return Hex(pkc[:]).String()
+	return utils.Hex(pkc[:]).String()
 }
 
 func (pk *PublicKey) UnmarshalText(h []byte) error {
 	var pkc PublicKeyComp
-	if err := HexDecodeInto(pkc[:], h); err != nil {
+	if err := utils.HexDecodeInto(pkc[:], h); err != nil {
 		return err
 	}
 	pkd, err := pkc.Decompress()
@@ -106,9 +107,9 @@ func (p *PublicKey) Point() *Point {
 // point.
 type PublicKeyComp [32]byte
 
-func (buf PublicKeyComp) MarshalText() ([]byte, error)  { return Hex(buf[:]).MarshalText() }
-func (buf PublicKeyComp) String() string                { return Hex(buf[:]).String() }
-func (buf *PublicKeyComp) UnmarshalText(h []byte) error { return HexDecodeInto(buf[:], h) }
+func (buf PublicKeyComp) MarshalText() ([]byte, error)  { return utils.Hex(buf[:]).MarshalText() }
+func (buf PublicKeyComp) String() string                { return utils.Hex(buf[:]).String() }
+func (buf *PublicKeyComp) UnmarshalText(h []byte) error { return utils.HexDecodeInto(buf[:], h) }
 
 func (p *PublicKey) Compress() PublicKeyComp {
 	return PublicKeyComp((*Point)(p).Compress())
@@ -132,15 +133,15 @@ type Signature struct {
 // SignatureComp represents a compressed EdDSA signature.
 type SignatureComp [64]byte
 
-func (buf SignatureComp) MarshalText() ([]byte, error)  { return Hex(buf[:]).MarshalText() }
-func (buf SignatureComp) String() string                { return Hex(buf[:]).String() }
-func (buf *SignatureComp) UnmarshalText(h []byte) error { return HexDecodeInto(buf[:], h) }
+func (buf SignatureComp) MarshalText() ([]byte, error)  { return utils.Hex(buf[:]).MarshalText() }
+func (buf SignatureComp) String() string                { return utils.Hex(buf[:]).String() }
+func (buf *SignatureComp) UnmarshalText(h []byte) error { return utils.HexDecodeInto(buf[:], h) }
 
 // Compress an EdDSA signature by concatenating the compression of
 // the point R8 and the Little-Endian encoding of S.
 func (s *Signature) Compress() SignatureComp {
 	R8p := s.R8.Compress()
-	Sp := BigIntLEBytes(s.S)
+	Sp := utils.BigIntLEBytes(s.S)
 	buf := [64]byte{}
 	copy(buf[:32], R8p[:])
 	copy(buf[32:], Sp[:])
@@ -156,7 +157,7 @@ func (s *Signature) Decompress(buf [64]byte) (*Signature, error) {
 	if s.R8, err = NewPoint().Decompress(R8p); err != nil {
 		return nil, err
 	}
-	s.S = SetBigIntFromLEBytes(new(big.Int), buf[32:])
+	s.S = utils.SetBigIntFromLEBytes(new(big.Int), buf[32:])
 	return s, nil
 }
 
@@ -170,11 +171,11 @@ func (s *SignatureComp) Decompress() (*Signature, error) {
 // for buffer hashing and mimc7 for big.Int hashing.
 func (k *PrivateKey) SignMimc7(msg *big.Int) *Signature {
 	h1 := Blake512(k[:])
-	msgBuf := BigIntLEBytes(msg)
+	msgBuf := utils.BigIntLEBytes(msg)
 	msgBuf32 := [32]byte{}
 	copy(msgBuf32[:], msgBuf[:])
 	rBuf := Blake512(append(h1[32:], msgBuf32[:]...))
-	r := SetBigIntFromLEBytes(new(big.Int), rBuf) // r = H(H_{32..63}(k), msg)
+	r := utils.SetBigIntFromLEBytes(new(big.Int), rBuf) // r = H(H_{32..63}(k), msg)
 	r.Mod(r, SubOrder)
 	R8 := NewPoint().Mul(r, B8) // R8 = r * 8 * B
 	A := k.Public().Point()

babyjub/eddsa_test.go

@@ -5,6 +5,8 @@ import (
 	"encoding/hex"
 	"fmt"
 
+	"github.com/iden3/go-iden3-crypto/constants"
+	"github.com/iden3/go-iden3-crypto/utils"
 	"github.com/stretchr/testify/assert"
 
 	"math/big"
@@ -17,8 +19,8 @@ func genInputs() (*PrivateKey, *big.Int) {
 
 	msgBuf := [32]byte{}
 	rand.Read(msgBuf[:])
-	msg := SetBigIntFromLEBytes(new(big.Int), msgBuf[:])
-	msg.Mod(msg, Q)
+	msg := utils.SetBigIntFromLEBytes(new(big.Int), msgBuf[:])
+	msg.Mod(msg, constants.Q)
 	fmt.Println("msg", msg)
 
 	return &k, msg
@@ -31,7 +33,7 @@ func TestSignVerify1(t *testing.T) {
 	if err != nil {
 		panic(err)
 	}
-	msg := SetBigIntFromLEBytes(new(big.Int), msgBuf)
+	msg := utils.SetBigIntFromLEBytes(new(big.Int), msgBuf)
 
 	pk := k.Public()
 	assert.Equal(t,
@@ -77,7 +79,7 @@ func TestCompressDecompress(t *testing.T) {
 		if err != nil {
 			panic(err)
 		}
-		msg := SetBigIntFromLEBytes(new(big.Int), msgBuf)
+		msg := utils.SetBigIntFromLEBytes(new(big.Int), msgBuf)
 		sig := k.SignMimc7(msg)
 		sigBuf := sig.Compress()
 		sig2, err := new(Signature).Decompress(sigBuf)

babyjub/helpers.go

@@ -1,40 +1,9 @@
 package babyjub
 
 import (
-	"bytes"
-	"encoding/hex"
-	"fmt"
-	"math/big"
-	"strings"
-
 	"github.com/dchest/blake512" // I have personally reviewed that this module doesn't do anything suspicious
 )
 
-// SwapEndianness swaps the endianness of the value encoded in xs.  If xs is
-// Big-Endian, the result will be Little-Endian and viceversa.
-func SwapEndianness(xs []byte) []byte {
-	ys := make([]byte, len(xs))
-	for i, b := range xs {
-		ys[len(xs)-1-i] = b
-	}
-	return ys
-}
-
-// BigIntLEBytes encodes a big.Int into an array in Little-Endian.
-func BigIntLEBytes(v *big.Int) [32]byte {
-	le := SwapEndianness(v.Bytes())
-	res := [32]byte{}
-	copy(res[:], le)
-	return res
-}
-
-// SetBigIntFromLEBytes sets the value of a big.Int from a Little-Endian
-// encoded value.
-func SetBigIntFromLEBytes(v *big.Int, leBuf []byte) *big.Int {
-	beBuf := SwapEndianness(leBuf)
-	return v.SetBytes(beBuf)
-}
-
 // Blake512 performs the blake-512 hash over the buffer m.  Note that this is
 // the original blake from the SHA3 competition and not the new blake2 version.
 func Blake512(m []byte) []byte {
@@ -42,47 +11,3 @@ func Blake512(m []byte) []byte {
 	h.Write(m[:])
 	return h.Sum(nil)
 }
-
-// Hex is a byte slice type that can be marshalled and unmarshaled in hex
-type Hex []byte
-
-// MarshalText encodes buf as hex
-func (buf Hex) MarshalText() ([]byte, error) {
-	return []byte(hex.EncodeToString(buf)), nil
-}
-
-// String encodes buf as hex
-func (buf Hex) String() string {
-	return hex.EncodeToString(buf)
-}
-
-// HexEncode encodes an array of bytes into a string in hex.
-func HexEncode(bs []byte) string {
-	return fmt.Sprintf("0x%s", hex.EncodeToString(bs))
-}
-
-// HexDecode decodes a hex string into an array of bytes.
-func HexDecode(h string) ([]byte, error) {
-	if strings.HasPrefix(h, "0x") {
-		h = h[2:]
-	}
-	return hex.DecodeString(h)
-}
-
-// HexDecodeInto decodes a hex string into an array of bytes (dst), verifying
-// that the decoded array has the same length as dst.
-func HexDecodeInto(dst []byte, h []byte) error {
-	if bytes.HasPrefix(h, []byte("0x")) {
-		h = h[2:]
-	}
-	if len(h)/2 != len(dst) {
-		return fmt.Errorf("expected %v bytes in hex string, got %v", len(dst), len(h)/2)
-	}
-	n, err := hex.Decode(dst, h)
-	if err != nil {
-		return err
-	} else if n != len(dst) {
-		return fmt.Errorf("expected %v bytes when decoding hex string, got %v", len(dst), n)
-	}
-	return nil
-}

constants/constants.go

@@ -0,0 +1,26 @@
+package constants
+
+import (
+	"github.com/iden3/go-iden3-crypto/utils"
+	"math/big"
+)
+
+// Q is the order of the integer field (Zq) that fits inside the SNARK.
+var Q *big.Int
+
+// Zero is 0.
+var Zero *big.Int
+
+// One is 1.
+var One *big.Int
+
+// MinusOne is -1.
+var MinusOne *big.Int
+
+func init() {
+	Zero = big.NewInt(0)
+	One = big.NewInt(1)
+	MinusOne = big.NewInt(-1)
+	Q = utils.NewIntFromString(
+		"21888242871839275222246405745257275088548364400416034343698204186575808495617")
+}

go.mod

@@ -6,5 +6,5 @@ require (
 	github.com/dchest/blake512 v1.0.0
 	github.com/ethereum/go-ethereum v1.8.27
 	github.com/stretchr/testify v1.3.0
-	golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4 // indirect
+	golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4
 )

go.sum

@@ -4,6 +4,7 @@ github.com/dchest/blake512 v1.0.0 h1:oDFEQFIqFSeuA34xLtXZ/rWxCXdSjirjzPhey5EUvmA
 github.com/dchest/blake512 v1.0.0/go.mod h1:FV1x7xPPLWukZlpDpWQ88rF/SFwZ5qbskrzhLMB92JI=
 github.com/ethereum/go-ethereum v1.8.27 h1:d+gkiLaBDk5fn3Pe/xNVaMrB/ozI+AUB2IlVBp29IrY=
 github.com/ethereum/go-ethereum v1.8.27/go.mod h1:PwpWDrCLZrV+tfrhqqF6kPknbISMHaJv9Ln3kPCZLwY=
+github.com/iden3/go-iden3 v0.0.5 h1:NV6HXnLmp+1YmKd2FmymzU6OAP77q1WWDcB/B+BUL9g=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -14,5 +15,6 @@ golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4 h1:ydJNl0ENAG67pFbB+9tfhi
 golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

mimc7/mimc7.go

@@ -6,6 +6,7 @@ import (
 	"math/big"
 
 	"github.com/ethereum/go-ethereum/crypto"
+	_constants "github.com/iden3/go-iden3-crypto/constants"
 	"github.com/iden3/go-iden3-crypto/field"
 )
 
@@ -31,11 +32,7 @@ func getIV(seed string) {
 func generateConstantsData() constantsData {
 	var constants constantsData
 
-	r, ok := new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
-	if !ok {
-
-	}
-	fqR := field.NewFq(r)
+	fqR := field.NewFq(_constants.Q)
 	constants.fqR = fqR
 
 	// maxFieldVal is the R value of the Finite Field

poseidon/poseidon.go

@@ -0,0 +1,166 @@
+package poseidon
+
+import (
+	"bytes"
+	"errors"
+	"math/big"
+	"strconv"
+
+	_constants "github.com/iden3/go-iden3-crypto/constants"
+	"github.com/iden3/go-iden3-crypto/field"
+	"github.com/iden3/go-iden3-crypto/utils"
+	"golang.org/x/crypto/blake2b"
+)
+
+const SEED = "poseidon"
+const NROUNDSF = 8
+const NROUNDSP = 57
+const T = 6
+
+var constants = generateConstantsData()
+
+type constantsData struct {
+	fqR field.Fq
+	c   []*big.Int
+	m   [][]*big.Int
+}
+
+func generateConstantsData() constantsData {
+	var constants constantsData
+
+	fqR := field.NewFq(_constants.Q)
+	constants.fqR = fqR
+	constants.c = getPseudoRandom(fqR, SEED+"_constants", NROUNDSF+NROUNDSP)
+	constants.m = getMDS(fqR)
+
+	return constants
+}
+
+func leByteArrayToBigInt(b []byte) *big.Int {
+	res := big.NewInt(0)
+	for i := 0; i < len(b); i++ {
+		n := big.NewInt(int64(b[i]))
+		res = new(big.Int).Add(res, new(big.Int).Lsh(n, uint(i*8)))
+	}
+	return res
+}
+
+func getPseudoRandom(fqR field.Fq, seed string, n int) []*big.Int {
+	var res []*big.Int
+	hash := blake2b.Sum256([]byte(seed))
+	for len(res) < n {
+		hashBigInt := new(big.Int)
+		newN := fqR.Affine(utils.SetBigIntFromLEBytes(hashBigInt, hash[:]))
+		// newN := fqR.Affine(leByteArrayToBigInt(hash[:]))
+		res = append(res, newN)
+		hash = blake2b.Sum256(hash[:])
+	}
+	return res
+}
+
+func nonceToString(n int) string {
+	r := strconv.Itoa(n)
+	for len(r) < 4 {
+		r = "0" + r
+	}
+	return r
+}
+
+// https://eprint.iacr.org/2019/458.pdf pag.8
+func getMDS(fqR field.Fq) [][]*big.Int {
+	nonce := 0
+	cauchyMatrix := getPseudoRandom(fqR, SEED+"_matrix_"+nonceToString(nonce), T*2)
+	for !checkAllDifferent(cauchyMatrix) {
+		nonce += 1
+		cauchyMatrix = getPseudoRandom(fqR, SEED+"_matrix_"+nonceToString(nonce), T*2)
+	}
+	var m [][]*big.Int
+	for i := 0; i < T; i++ {
+		var mi []*big.Int
+		for j := 0; j < T; j++ {
+			mi = append(mi, fqR.Inverse(fqR.Sub(cauchyMatrix[i], cauchyMatrix[T+j])))
+		}
+		m = append(m, mi)
+	}
+	return m
+}
+
+func checkAllDifferent(v []*big.Int) bool {
+	for i := 0; i < len(v); i++ {
+		if bytes.Equal(v[i].Bytes(), big.NewInt(int64(0)).Bytes()) {
+			return false
+		}
+		for j := i + 1; j < len(v); j++ {
+			if bytes.Equal(v[i].Bytes(), v[j].Bytes()) {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+// ark computes Add-Round Key, from the paper https://eprint.iacr.org/2019/458.pdf
+func ark(state []*big.Int, c *big.Int) []*big.Int {
+	for i := 0; i < len(state); i++ {
+		state[i] = constants.fqR.Add(state[i], c)
+	}
+	return state
+}
+
+// cubic performs x^3 mod p
+func cubic(a *big.Int) *big.Int {
+	return constants.fqR.Mul(a, constants.fqR.Square(constants.fqR.Square(a)))
+}
+
+// sbox https://eprint.iacr.org/2019/458.pdf pag.6
+func sbox(state []*big.Int, i int) []*big.Int {
+	if (i < NROUNDSF/2) || (i >= NROUNDSF/2+NROUNDSP) {
+		for j := 0; j < T; j++ {
+			state[j] = cubic(state[j])
+		}
+	} else {
+		state[0] = cubic(state[0])
+	}
+	return state
+}
+
+// mix returns [[matrix]] * [vector]
+func mix(state []*big.Int, m [][]*big.Int) []*big.Int {
+	var newState []*big.Int
+	for i := 0; i < len(state); i++ {
+		newState = append(newState, constants.fqR.Zero())
+		for j := 0; j < len(state); j++ {
+			newState[i] = constants.fqR.Add(newState[i], constants.fqR.Mul(m[i][j], state[j]))
+		}
+	}
+	for i := 0; i < len(state); i++ {
+		state[i] = newState[i]
+	}
+	return state
+}
+
+// Hash computes the Poseidon hash for the given inputs
+func Hash(inp []*big.Int) (*big.Int, error) {
+	var state []*big.Int
+	if len(inp) == 0 || len(inp) > T {
+		return nil, errors.New("wrong inputs length")
+	}
+	if !utils.CheckBigIntArrayInField(inp, constants.fqR.Q) {
+		return nil, errors.New("inputs values not inside Finite Field")
+	}
+
+	for i := 0; i < len(inp); i++ {
+		state = append(state, inp[i])
+	}
+	for i := len(inp); i < T; i++ {
+		state = append(state, constants.fqR.Zero())
+	}
+
+	// ARK --> SBox --> M, https://eprint.iacr.org/2019/458.pdf pag.5
+	for i := 0; i < NROUNDSF+NROUNDSP; i++ {
+		state = ark(state, constants.c[i])
+		state = sbox(state, i)
+		state = mix(state, constants.m)
+	}
+	return state[0], nil
+}

poseidon/poseidon_test.go

@@ -0,0 +1,29 @@
+package poseidon
+
+import (
+	"encoding/hex"
+	"math/big"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/crypto/blake2b"
+)
+
+func TestBlake2bVersion(t *testing.T) {
+	h := blake2b.Sum256([]byte("poseidon_constants"))
+	assert.Equal(t, "e57ba154fb2c47811dc1a2369b27e25a44915b4e4ece4eb8ec74850cb78e01b1", hex.EncodeToString(h[:]))
+}
+
+func TestPoseidon(t *testing.T) {
+	b1 := big.NewInt(int64(1))
+	b2 := big.NewInt(int64(2))
+	h, err := Hash([]*big.Int{b1, b2})
+	assert.Nil(t, err)
+	assert.Equal(t, "12242166908188651009877250812424843524687801523336557272219921456462821518061", h.String())
+
+	b3 := big.NewInt(int64(3))
+	b4 := big.NewInt(int64(4))
+	h, err = Hash([]*big.Int{b3, b4})
+	assert.Nil(t, err)
+	assert.Equal(t, "17185195740979599334254027721507328033796809509313949281114643312710535000993", h.String())
+}

utils/utils.go

@@ -0,0 +1,106 @@
+package utils
+
+import (
+	"bytes"
+	"encoding/hex"
+	"fmt"
+	"math/big"
+	"strings"
+)
+
+// NewIntFromString creates a new big.Int from a decimal integer encoded as a
+// string.  It will panic if the string is not a decimal integer.
+func NewIntFromString(s string) *big.Int {
+	v, ok := new(big.Int).SetString(s, 10)
+	if !ok {
+		panic(fmt.Sprintf("Bad base 10 string %s", s))
+	}
+	return v
+}
+
+// SwapEndianness swaps the endianness of the value encoded in xs.  If xs is
+// Big-Endian, the result will be Little-Endian and viceversa.
+func SwapEndianness(xs []byte) []byte {
+	ys := make([]byte, len(xs))
+	for i, b := range xs {
+		ys[len(xs)-1-i] = b
+	}
+	return ys
+}
+
+// BigIntLEBytes encodes a big.Int into an array in Little-Endian.
+func BigIntLEBytes(v *big.Int) [32]byte {
+	le := SwapEndianness(v.Bytes())
+	res := [32]byte{}
+	copy(res[:], le)
+	return res
+}
+
+// SetBigIntFromLEBytes sets the value of a big.Int from a Little-Endian
+// encoded value.
+func SetBigIntFromLEBytes(v *big.Int, leBuf []byte) *big.Int {
+	beBuf := SwapEndianness(leBuf)
+	return v.SetBytes(beBuf)
+}
+
+// Hex is a byte slice type that can be marshalled and unmarshaled in hex
+type Hex []byte
+
+// MarshalText encodes buf as hex
+func (buf Hex) MarshalText() ([]byte, error) {
+	return []byte(hex.EncodeToString(buf)), nil
+}
+
+// String encodes buf as hex
+func (buf Hex) String() string {
+	return hex.EncodeToString(buf)
+}
+
+// HexEncode encodes an array of bytes into a string in hex.
+func HexEncode(bs []byte) string {
+	return fmt.Sprintf("0x%s", hex.EncodeToString(bs))
+}
+
+// HexDecode decodes a hex string into an array of bytes.
+func HexDecode(h string) ([]byte, error) {
+	if strings.HasPrefix(h, "0x") {
+		h = h[2:]
+	}
+	return hex.DecodeString(h)
+}
+
+// HexDecodeInto decodes a hex string into an array of bytes (dst), verifying
+// that the decoded array has the same length as dst.
+func HexDecodeInto(dst []byte, h []byte) error {
+	if bytes.HasPrefix(h, []byte("0x")) {
+		h = h[2:]
+	}
+	if len(h)/2 != len(dst) {
+		return fmt.Errorf("expected %v bytes in hex string, got %v", len(dst), len(h)/2)
+	}
+	n, err := hex.Decode(dst, h)
+	if err != nil {
+		return err
+	} else if n != len(dst) {
+		return fmt.Errorf("expected %v bytes when decoding hex string, got %v", len(dst), n)
+	}
+	return nil
+}
+
+// CheckBigIntInField checks if given big.Int fits in a Field Q element
+func CheckBigIntInField(a *big.Int, q *big.Int) bool {
+	if a.Cmp(q) != -1 {
+		return false
+	}
+	return true
+}
+
+// CheckBigIntArrayInField checks if given big.Int fits in a Field Q element
+func CheckBigIntArrayInField(arr []*big.Int, q *big.Int) bool {
+	for _, a := range arr {
+		if !CheckBigIntInField(a, q) {
+			return false
+		}
+	}
+	return true
+}