Update BabyJubJub signature with Poseidon

Optimize Poseidon

babyjub/babyjub_test.go

@@ -3,8 +3,10 @@ package babyjub
 import (
 	"encoding/hex"
 	"math/big"
+	"math/rand"
 	"testing"
 
+	"github.com/iden3/go-iden3-crypto/constants"
 	"github.com/iden3/go-iden3-crypto/utils"
 	"github.com/stretchr/testify/assert"
 )
@@ -231,3 +233,74 @@ func TestCompressDecompressRnd(t *testing.T) {
 		assert.Equal(t, p1, p2)
 	}
 }
+
+func BenchmarkBabyjub(b *testing.B) {
+	const n = 256
+
+	rnd := rand.New(rand.NewSource(42))
+
+	var badpoints [n]*Point
+	for i := 0; i < n; i++ {
+		x := new(big.Int).Rand(rnd, constants.Q)
+		y := new(big.Int).Rand(rnd, constants.Q)
+		badpoints[i] = &Point{X: x, Y: y}
+	}
+
+	var points [n]*Point
+	baseX := utils.NewIntFromString(
+		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
+	baseY := utils.NewIntFromString(
+		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
+	base := &Point{X: baseX, Y: baseY}
+	for i := 0; i < n; i++ {
+		s := new(big.Int).Rand(rnd, constants.Q)
+		points[i] = NewPoint().Mul(s, base)
+	}
+
+	var scalars [n]*big.Int
+	for i := 0; i < n; i++ {
+		scalars[i] = new(big.Int).Rand(rnd, constants.Q)
+	}
+
+	b.Run("AddConst", func(b *testing.B) {
+		p0 := &Point{X: big.NewInt(0), Y: big.NewInt(1)}
+		p1 := &Point{X: big.NewInt(0), Y: big.NewInt(1)}
+
+		p2 := NewPoint()
+		for i := 0; i < b.N; i++ {
+			p2.Add(p0, p1)
+		}
+	})
+
+	b.Run("AddRnd", func(b *testing.B) {
+		res := NewPoint()
+		for i := 0; i < b.N; i++ {
+			res.Add(points[i%(n/2)], points[i%(n/2)+1])
+		}
+	})
+
+	b.Run("MulRnd", func(b *testing.B) {
+		res := NewPoint()
+		for i := 0; i < b.N; i++ {
+			res.Mul(scalars[i%n], points[i%n])
+		}
+	})
+
+	b.Run("Compress", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			points[i%n].Compress()
+		}
+	})
+
+	b.Run("InCurve", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			badpoints[i%n].InCurve()
+		}
+	})
+
+	b.Run("InSubGroup", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			points[i%n].InCurve()
+		}
+	})
+}

babyjub/eddsa.go

@@ -222,8 +222,8 @@ func (k *PrivateKey) SignPoseidon(msg *big.Int) *Signature {
 	r.Mod(r, SubOrder)
 	R8 := NewPoint().Mul(r, B8) // R8 = r * 8 * B
 	A := k.Public().Point()
-	hmInput := []*big.Int{R8.X, R8.Y, A.X, A.Y, msg}
-	hm, err := poseidon.Hash(hmInput) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
+	hmInput := [poseidon.T]*big.Int{R8.X, R8.Y, A.X, A.Y, msg, big.NewInt(int64(0))}
+	hm, err := poseidon.PoseidonHash(hmInput) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
 	if err != nil {
 		panic(err)
 	}
@@ -238,8 +238,8 @@ func (k *PrivateKey) SignPoseidon(msg *big.Int) *Signature {
 // VerifyPoseidon verifies the signature of a message encoded as a big.Int in Zq
 // using blake-512 hash for buffer hashing and Poseidon for big.Int hashing.
 func (p *PublicKey) VerifyPoseidon(msg *big.Int, sig *Signature) bool {
-	hmInput := []*big.Int{sig.R8.X, sig.R8.Y, p.X, p.Y, msg}
-	hm, err := poseidon.Hash(hmInput) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
+	hmInput := [poseidon.T]*big.Int{sig.R8.X, sig.R8.Y, p.X, p.Y, msg, big.NewInt(int64(0))}
+	hm, err := poseidon.PoseidonHash(hmInput) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
 	if err != nil {
 		panic(err)
 	}

babyjub/eddsa_test.go

@@ -25,6 +25,16 @@ func genInputs() (*PrivateKey, *big.Int) {
 	return &k, msg
 }
 
+func TestPublicKey(t *testing.T) {
+	var k PrivateKey
+	for i := 0; i < 256; i++ {
+		hex.Decode(k[:], []byte{byte(i)})
+	}
+	pk := k.Public()
+	assert.True(t, pk.X.Cmp(constants.Q) == -1)
+	assert.True(t, pk.Y.Cmp(constants.Q) == -1)
+}
+
 func TestSignVerifyMimc7(t *testing.T) {
 	var k PrivateKey
 	hex.Decode(k[:], []byte("0001020304050607080900010203040506070809000102030405060708090001"))
@@ -131,3 +141,54 @@ func TestCompressDecompress(t *testing.T) {
 		assert.Equal(t, true, ok)
 	}
 }
+
+func BenchmarkBabyjubEddsa(b *testing.B) {
+	var k PrivateKey
+	hex.Decode(k[:], []byte("0001020304050607080900010203040506070809000102030405060708090001"))
+	pk := k.Public()
+
+	const n = 256
+
+	msgBuf, err := hex.DecodeString("00010203040506070809")
+	if err != nil {
+		panic(err)
+	}
+	msg := utils.SetBigIntFromLEBytes(new(big.Int), msgBuf)
+	var msgs [n]*big.Int
+	for i := 0; i < n; i++ {
+		msgs[i] = new(big.Int).Add(msg, big.NewInt(int64(i)))
+	}
+	var sigs [n]*Signature
+
+	b.Run("SignMimc7", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			k.SignMimc7(msgs[i%n])
+		}
+	})
+
+	for i := 0; i < n; i++ {
+		sigs[i%n] = k.SignMimc7(msgs[i%n])
+	}
+
+	b.Run("VerifyMimc7", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			pk.VerifyMimc7(msgs[i%n], sigs[i%n])
+		}
+	})
+
+	b.Run("SignPoseidon", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			k.SignPoseidon(msgs[i%n])
+		}
+	})
+
+	for i := 0; i < n; i++ {
+		sigs[i%n] = k.SignPoseidon(msgs[i%n])
+	}
+
+	b.Run("VerifyPoseidon", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			pk.VerifyPoseidon(msgs[i%n], sigs[i%n])
+		}
+	})
+}

mimc7/mimc7_test.go

@@ -91,9 +91,7 @@ func BenchmarkMIMC7(b *testing.B) {
 	b41 := big.NewInt(int64(41))
 	bigArray4 := []*big.Int{b12, b45, b78, b41}
 
-	var h4 *big.Int
 	for i := 0; i < b.N; i++ {
-		h4, _ = Hash(bigArray4, nil)
+		Hash(bigArray4, nil)
 	}
-	println(h4)
 }

poseidon/poseidon.go

@@ -6,8 +6,7 @@ import (
 	"math/big"
 	"strconv"
 
-	_constants "github.com/iden3/go-iden3-crypto/constants"
-	"github.com/iden3/go-iden3-crypto/field"
+	"github.com/iden3/go-iden3-crypto/constants"
 	"github.com/iden3/go-iden3-crypto/utils"
 	"golang.org/x/crypto/blake2b"
 )
@@ -17,23 +16,20 @@ const NROUNDSF = 8
 const NROUNDSP = 57
 const T = 6
 
-var constants = generateConstantsData()
+var constC []*big.Int
+var constM [T][T]*big.Int
 
-type constantsData struct {
-	fqR field.Fq
-	c   []*big.Int
-	m   [][]*big.Int
+func Zero() *big.Int {
+	return new(big.Int)
 }
 
-func generateConstantsData() constantsData {
-	var constants constantsData
+func modQ(v *big.Int) {
+	v.Mod(v, constants.Q)
+}
 
-	fqR := field.NewFq(_constants.Q)
-	constants.fqR = fqR
-	constants.c = getPseudoRandom(fqR, SEED+"_constants", NROUNDSF+NROUNDSP)
-	constants.m = getMDS(fqR)
-
-	return constants
+func init() {
+	constC = getPseudoRandom(SEED+"_constants", NROUNDSF+NROUNDSP)
+	constM = getMDS()
 }
 
 func leByteArrayToBigInt(b []byte) *big.Int {
@@ -45,14 +41,13 @@ func leByteArrayToBigInt(b []byte) *big.Int {
 	return res
 }
 
-func getPseudoRandom(fqR field.Fq, seed string, n int) []*big.Int {
-	var res []*big.Int
+func getPseudoRandom(seed string, n int) []*big.Int {
+	res := make([]*big.Int, n)
 	hash := blake2b.Sum256([]byte(seed))
-	for len(res) < n {
-		hashBigInt := new(big.Int)
-		newN := fqR.Affine(utils.SetBigIntFromLEBytes(hashBigInt, hash[:]))
-		// newN := fqR.Affine(leByteArrayToBigInt(hash[:]))
-		res = append(res, newN)
+	for i := 0; i < n; i++ {
+		hashBigInt := Zero()
+		res[i] = utils.SetBigIntFromLEBytes(hashBigInt, hash[:])
+		modQ(res[i])
 		hash = blake2b.Sum256(hash[:])
 	}
 	return res
@@ -67,20 +62,20 @@ func nonceToString(n int) string {
 }
 
 // https://eprint.iacr.org/2019/458.pdf pag.8
-func getMDS(fqR field.Fq) [][]*big.Int {
+func getMDS() [T][T]*big.Int {
 	nonce := 0
-	cauchyMatrix := getPseudoRandom(fqR, SEED+"_matrix_"+nonceToString(nonce), T*2)
+	cauchyMatrix := getPseudoRandom(SEED+"_matrix_"+nonceToString(nonce), T*2)
 	for !checkAllDifferent(cauchyMatrix) {
 		nonce += 1
-		cauchyMatrix = getPseudoRandom(fqR, SEED+"_matrix_"+nonceToString(nonce), T*2)
+		cauchyMatrix = getPseudoRandom(SEED+"_matrix_"+nonceToString(nonce), T*2)
 	}
-	var m [][]*big.Int
+	var m [T][T]*big.Int
 	for i := 0; i < T; i++ {
-		var mi []*big.Int
+		// var mi []*big.Int
 		for j := 0; j < T; j++ {
-			mi = append(mi, fqR.Inverse(fqR.Sub(cauchyMatrix[i], cauchyMatrix[T+j])))
+			m[i][j] = new(big.Int).Sub(cauchyMatrix[i], cauchyMatrix[T+j])
+			m[i][j].ModInverse(m[i][j], constants.Q)
 		}
-		m = append(m, mi)
 	}
 	return m
 }
@@ -100,61 +95,64 @@ func checkAllDifferent(v []*big.Int) bool {
 }
 
 // ark computes Add-Round Key, from the paper https://eprint.iacr.org/2019/458.pdf
-func ark(state []*big.Int, c *big.Int) []*big.Int {
-	for i := 0; i < len(state); i++ {
-		state[i] = constants.fqR.Add(state[i], c)
+func ark(state [T]*big.Int, c *big.Int) {
+	for i := 0; i < T; i++ {
+		modQ(state[i].Add(state[i], c))
 	}
-	return state
 }
 
 // cubic performs x^5 mod p
 // https://eprint.iacr.org/2019/458.pdf page 8
-func cubic(a *big.Int) *big.Int {
-	return constants.fqR.Mul(a, constants.fqR.Square(constants.fqR.Square(a)))
+var five = big.NewInt(5)
+
+func cubic(a *big.Int) {
+	a.Exp(a, five, constants.Q)
 }
 
 // sbox https://eprint.iacr.org/2019/458.pdf page 6
-func sbox(state []*big.Int, i int) []*big.Int {
+func sbox(state [T]*big.Int, i int) {
 	if (i < NROUNDSF/2) || (i >= NROUNDSF/2+NROUNDSP) {
 		for j := 0; j < T; j++ {
-			state[j] = cubic(state[j])
+			cubic(state[j])
 		}
 	} else {
-		state[0] = cubic(state[0])
+		cubic(state[0])
 	}
-	return state
 }
 
 // mix returns [[matrix]] * [vector]
-func mix(state []*big.Int, m [][]*big.Int) []*big.Int {
-	var newState []*big.Int
-	for i := 0; i < len(state); i++ {
-		newState = append(newState, constants.fqR.Zero())
-		for j := 0; j < len(state); j++ {
-			newState[i] = constants.fqR.Add(newState[i], constants.fqR.Mul(m[i][j], state[j]))
+func mix(state [T]*big.Int, newState [T]*big.Int, m [T][T]*big.Int) {
+	mul := Zero()
+	for i := 0; i < T; i++ {
+		newState[i].SetInt64(0)
+		for j := 0; j < T; j++ {
+			modQ(mul.Mul(m[i][j], state[j]))
+			newState[i].Add(newState[i], mul)
 		}
+		modQ(newState[i])
 	}
-	return newState
 }
 
 // PoseidonHash computes the Poseidon hash for the given inputs
-func PoseidonHash(inp []*big.Int) (*big.Int, error) {
-	if len(inp) == 0 || len(inp) > T {
-		return nil, errors.New("wrong inputs length")
-	}
-	if !utils.CheckBigIntArrayInField(inp, constants.fqR.Q) {
+func PoseidonHash(inp [T]*big.Int) (*big.Int, error) {
+	if !utils.CheckBigIntArrayInField(inp[:], constants.Q) {
 		return nil, errors.New("inputs values not inside Finite Field")
 	}
-	state := inp
-	for i := len(inp); i < T; i++ {
-		state = append(state, constants.fqR.Zero())
+	state := [T]*big.Int{}
+	for i := 0; i < T; i++ {
+		state[i] = new(big.Int).Set(inp[i])
 	}
 
 	// ARK --> SBox --> M, https://eprint.iacr.org/2019/458.pdf pag.5
+	var newState [T]*big.Int
+	for i := 0; i < T; i++ {
+		newState[i] = Zero()
+	}
 	for i := 0; i < NROUNDSF+NROUNDSP; i++ {
-		state = ark(state, constants.c[i])
-		state = sbox(state, i)
-		state = mix(state, constants.m)
+		ark(state, constC[i])
+		sbox(state, i)
+		mix(state, newState, constM)
+		state, newState = newState, state
 	}
 	return state[0], nil
 }
@@ -162,27 +160,31 @@ func PoseidonHash(inp []*big.Int) (*big.Int, error) {
 // Hash performs the Poseidon hash over a *big.Int array
 // in chunks of 5 elements
 func Hash(arr []*big.Int) (*big.Int, error) {
-	if !utils.CheckBigIntArrayInField(arr, constants.fqR.Q) {
+	if !utils.CheckBigIntArrayInField(arr, constants.Q) {
 		return nil, errors.New("inputs values not inside Finite Field")
 	}
 
-	r := constants.fqR.Zero()
-	for i := 0; i < len(arr); i = i + 5 {
-		var fiveElems []*big.Int
-		for j := 0; j < 5; j++ {
-			if i+j < len(arr) {
-				fiveElems = append(fiveElems, arr[i+j])
-			} else {
-				fiveElems = append(fiveElems, big.NewInt(int64(0)))
+	r := big.NewInt(1)
+	for i := 0; i < len(arr); i = i + T - 1 {
+		var toHash [T]*big.Int
+		j := 0
+		for ; j < T-1; j++ {
+			if i+j >= len(arr) {
+				break
 			}
+			toHash[j] = arr[i+j]
 		}
-		ph, err := PoseidonHash(fiveElems)
+		toHash[j] = r
+		j++
+		for ; j < T; j++ {
+			toHash[j] = constants.Zero
+		}
+
+		ph, err := PoseidonHash(toHash)
 		if err != nil {
 			return nil, err
 		}
-		r = constants.fqR.Add(
-			r,
-			ph)
+		modQ(r.Add(r, ph))
 	}
 
 	return r, nil
@@ -194,12 +196,12 @@ func HashBytes(b []byte) (*big.Int, error) {
 	n := 31
 	bElems := make([]*big.Int, 0, len(b)/n+1)
 	for i := 0; i < len(b)/n; i++ {
-		v := new(big.Int)
+		v := Zero()
 		utils.SetBigIntFromLEBytes(v, b[n*i:n*(i+1)])
 		bElems = append(bElems, v)
 	}
 	if len(b)%n != 0 {
-		v := new(big.Int)
+		v := Zero()
 		utils.SetBigIntFromLEBytes(v, b[(len(b)/n)*n:])
 		bElems = append(bElems, v)
 	}

poseidon/poseidon_test.go

@@ -20,13 +20,13 @@ func TestPoseidon(t *testing.T) {
 	b2 := big.NewInt(int64(2))
 	h, err := Hash([]*big.Int{b1, b2})
 	assert.Nil(t, err)
-	assert.Equal(t, "12242166908188651009877250812424843524687801523336557272219921456462821518061", h.String())
+	assert.Equal(t, "4932297968297298434239270129193057052722409868268166443802652458940273154855", h.String())
 
 	b3 := big.NewInt(int64(3))
 	b4 := big.NewInt(int64(4))
 	h, err = Hash([]*big.Int{b3, b4})
 	assert.Nil(t, err)
-	assert.Equal(t, "17185195740979599334254027721507328033796809509313949281114643312710535000993", h.String())
+	assert.Equal(t, "4635491972858758537477743930622086396911540895966845494943021655521913507504", h.String())
 
 	msg := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.")
 	n := 31
@@ -43,7 +43,7 @@ func TestPoseidon(t *testing.T) {
 	}
 	hmsg, err := Hash(msgElems)
 	assert.Nil(t, err)
-	assert.Equal(t, "11821124228916291136371255062457365369197326845706357273715164664419275913793", hmsg.String())
+	assert.Equal(t, "16019700159595764790637132363672701294192939959594423814006267756172551741065", hmsg.String())
 
 	msg2 := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Lorem ipsum dolor sit amet.")
 	msg2Elems := make([]*big.Int, 0, len(msg2)/n+1)
@@ -59,9 +59,39 @@ func TestPoseidon(t *testing.T) {
 	}
 	hmsg2, err := Hash(msg2Elems)
 	assert.Nil(t, err)
-	assert.Equal(t, "10747013384255785702102976082726575658403084163954725275481577373644732938016", hmsg2.String())
+	assert.Equal(t, "2978613163687734485261639854325792381691890647104372645321246092227111432722", hmsg2.String())
 
 	hmsg2, err = HashBytes(msg2)
 	assert.Nil(t, err)
-	assert.Equal(t, "10747013384255785702102976082726575658403084163954725275481577373644732938016", hmsg2.String())
+	assert.Equal(t, "2978613163687734485261639854325792381691890647104372645321246092227111432722", hmsg2.String())
+}
+
+func TestPoseidonBrokenChunks(t *testing.T) {
+	h1, err := Hash([]*big.Int{big.NewInt(0), big.NewInt(1), big.NewInt(2), big.NewInt(3), big.NewInt(4),
+		big.NewInt(5), big.NewInt(6), big.NewInt(7), big.NewInt(8), big.NewInt(9)})
+	assert.Nil(t, err)
+	h2, err := Hash([]*big.Int{big.NewInt(5), big.NewInt(6), big.NewInt(7), big.NewInt(8), big.NewInt(9),
+		big.NewInt(0), big.NewInt(1), big.NewInt(2), big.NewInt(3), big.NewInt(4)})
+	assert.Nil(t, err)
+	assert.NotEqual(t, h1, h2)
+}
+
+func TestPoseidonBrokenPadding(t *testing.T) {
+	h1, err := Hash([]*big.Int{big.NewInt(1)})
+	assert.Nil(t, err)
+	h2, err := Hash([]*big.Int{big.NewInt(1), big.NewInt(0)})
+	assert.Nil(t, err)
+	assert.NotEqual(t, h1, h2)
+}
+
+func BenchmarkPoseidon(b *testing.B) {
+	b12 := big.NewInt(int64(12))
+	b45 := big.NewInt(int64(45))
+	b78 := big.NewInt(int64(78))
+	b41 := big.NewInt(int64(41))
+	bigArray4 := []*big.Int{b12, b45, b78, b41}
+
+	for i := 0; i < b.N; i++ {
+		Hash(bigArray4)
+	}
 }