Update BabyJubJub EdDSA to last circomlib version

- Update BabyJubJub EdDSA signature to last circomlib version (Poseidon
usage)
- Remove panic on hash error inside verification, to avoid panic due
field overflow of BabyJubJub signature verification

.travis.yml

@@ -1,15 +0,0 @@
-dist: xenial
-language: go
-
-go:
-  - "1.12"
-
-jobs:
-  include:
-    - name: "Unit Tests 64 bit arch"
-      env: GOARCH="amd64"
-    - name: "Unit Test 32 bit arch"
-      env: GOARCH="386"
-
-env:
-  - GO111MODULE=on

babyjub/babyjub.go

@@ -5,15 +5,22 @@ import (
 	"math/big"
 
 	"github.com/iden3/go-iden3-crypto/constants"
+	"github.com/iden3/go-iden3-crypto/ff"
 	"github.com/iden3/go-iden3-crypto/utils"
 )
 
 // A is one of the babyjub constants.
 var A *big.Int
 
+// Aff is A value in *ff.Element representation
+var Aff *ff.Element
+
 // D is one of the babyjub constants.
 var D *big.Int
 
+// Dff is D value in *ff.Element representation
+var Dff *ff.Element
+
 // Order of the babyjub curve.
 var Order *big.Int
 
@@ -29,6 +36,8 @@ var B8 *Point
 func init() {
 	A = utils.NewIntFromString("168700")
 	D = utils.NewIntFromString("168696")
+	Aff = ff.NewElement().SetBigInt(A)
+	Dff = ff.NewElement().SetBigInt(D)
 
 	Order = utils.NewIntFromString(
 		"21888242871839275222246405745257275088614511777268538073601725287587578984328")
@@ -41,6 +50,70 @@ func init() {
 		"16950150798460657717958625567821834550301663161624707787222815936182638968203")
 }
 
+// PointProjective is the Point representation in projective coordinates
+type PointProjective struct {
+	X *ff.Element
+	Y *ff.Element
+	Z *ff.Element
+}
+
+// NewPointProjective creates a new Point in projective coordinates.
+func NewPointProjective() *PointProjective {
+	return &PointProjective{X: ff.NewElement().SetZero(), Y: ff.NewElement().SetOne(), Z: ff.NewElement().SetOne()}
+}
+
+// Affine returns the Point from the projective representation
+func (p *PointProjective) Affine() *Point {
+	if p.Z.Equal(ff.NewElement().SetZero()) {
+		return &Point{
+			X: big.NewInt(0),
+			Y: big.NewInt(0),
+		}
+	}
+	zinv := ff.NewElement().Inverse(p.Z)
+	x := ff.NewElement().Mul(p.X, zinv)
+
+	y := ff.NewElement().Mul(p.Y, zinv)
+	xBig := big.NewInt(0)
+	x.ToBigIntRegular(xBig)
+	yBig := big.NewInt(0)
+	y.ToBigIntRegular(yBig)
+	return &Point{
+		X: xBig,
+		Y: yBig,
+	}
+}
+
+// Add computes the addition of two points in projective coordinates representation
+func (res *PointProjective) Add(p *PointProjective, q *PointProjective) *PointProjective {
+	// add-2008-bbjlp https://hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#doubling-dbl-2008-bbjlp
+	a := ff.NewElement().Mul(p.Z, q.Z)
+	b := ff.NewElement().Square(a)
+	c := ff.NewElement().Mul(p.X, q.X)
+	d := ff.NewElement().Mul(p.Y, q.Y)
+	e := ff.NewElement().Mul(Dff, c)
+	e.MulAssign(d)
+	f := ff.NewElement().Sub(b, e)
+	g := ff.NewElement().Add(b, e)
+	x1y1 := ff.NewElement().Add(p.X, p.Y)
+	x2y2 := ff.NewElement().Add(q.X, q.Y)
+	x3 := ff.NewElement().Mul(x1y1, x2y2)
+	x3.SubAssign(c)
+	x3.SubAssign(d)
+	x3.MulAssign(a)
+	x3.MulAssign(f)
+	ac := ff.NewElement().Mul(Aff, c)
+	y3 := ff.NewElement().Sub(d, ac)
+	y3.MulAssign(a)
+	y3.MulAssign(g)
+	z3 := ff.NewElement().Mul(f, g)
+
+	res.X = x3
+	res.Y = y3
+	res.Z = z3
+	return res
+}
+
 // Point represents a point of the babyjub curve.
 type Point struct {
 	X *big.Int
@@ -59,62 +132,32 @@ func (p *Point) Set(c *Point) *Point {
 	return p
 }
 
-// Add adds Point a and b into res
-func (res *Point) Add(a *Point, b *Point) *Point {
-	// x = (a.x * b.y + b.x * a.y) * (1 + D * a.x * b.x * a.y * b.y)^-1 mod q
-	x1a := new(big.Int).Mul(a.X, b.Y)
-	x1b := new(big.Int).Mul(b.X, a.Y)
-	x1a.Add(x1a, x1b) // x1a = a.x * b.y + b.x * a.y
-
-	x2 := new(big.Int).Set(D)
-	x2.Mul(x2, a.X)
-	x2.Mul(x2, b.X)
-	x2.Mul(x2, a.Y)
-	x2.Mul(x2, b.Y)
-	x2.Add(constants.One, x2)
-	x2.Mod(x2, constants.Q)
-	x2.ModInverse(x2, constants.Q) // x2 = (1 + D * a.x * b.x * a.y * b.y)^-1
-
-	// y = (a.y * b.y - A * a.x * b.x) * (1 - D * a.x * b.x * a.y * b.y)^-1 mod q
-	y1a := new(big.Int).Mul(a.Y, b.Y)
-	y1b := new(big.Int).Set(A)
-	y1b.Mul(y1b, a.X)
-	y1b.Mul(y1b, b.X)
-
-	y1a.Sub(y1a, y1b) // y1a = a.y * b.y - A * a.x * b.x
-
-	y2 := new(big.Int).Set(D)
-	y2.Mul(y2, a.X)
-	y2.Mul(y2, b.X)
-	y2.Mul(y2, a.Y)
-	y2.Mul(y2, b.Y)
-	y2.Sub(constants.One, y2)
-	y2.Mod(y2, constants.Q)
-	y2.ModInverse(y2, constants.Q) // y2 = (1 - D * a.x * b.x * a.y * b.y)^-1
-
-	res.X = x1a.Mul(x1a, x2)
-	res.X = res.X.Mod(res.X, constants.Q)
-
-	res.Y = y1a.Mul(y1a, y2)
-	res.Y = res.Y.Mod(res.Y, constants.Q)
-
-	return res
+// Projective returns a PointProjective from the Point
+func (p *Point) Projective() *PointProjective {
+	return &PointProjective{
+		X: ff.NewElement().SetBigInt(p.X),
+		Y: ff.NewElement().SetBigInt(p.Y),
+		Z: ff.NewElement().SetOne(),
+	}
 }
 
 // Mul multiplies the Point p by the scalar s and stores the result in res,
 // which is also returned.
 func (res *Point) Mul(s *big.Int, p *Point) *Point {
-	res.X = big.NewInt(0)
-	res.Y = big.NewInt(1)
-	exp := NewPoint().Set(p)
+	resProj := &PointProjective{
+		X: ff.NewElement().SetZero(),
+		Y: ff.NewElement().SetOne(),
+		Z: ff.NewElement().SetOne(),
+	}
+	exp := p.Projective()
 
 	for i := 0; i < s.BitLen(); i++ {
 		if s.Bit(i) == 1 {
-			res.Add(res, exp)
+			resProj.Add(resProj, exp)
 		}
-		exp.Add(exp, exp)
+		exp = exp.Add(exp, exp)
 	}
-
+	res = resProj.Affine()
 	return res
 }
 
@@ -181,6 +224,14 @@ func (p *Point) Decompress(leBuf [32]byte) (*Point, error) {
 		leBuf[31] = leBuf[31] & 0x7F
 	}
 	utils.SetBigIntFromLEBytes(p.Y, leBuf[:])
+	return PointFromSignAndY(sign, p.Y)
+}
+
+// PointFromSignAndY returns a Point from a Sign and the Y coordinate
+func PointFromSignAndY(sign bool, y *big.Int) (*Point, error) {
+	var p Point
+	p.X = big.NewInt(0)
+	p.Y = y
 	if p.Y.Cmp(constants.Q) >= 0 {
 		return nil, fmt.Errorf("p.y >= Q")
 	}
@@ -209,5 +260,5 @@ func (p *Point) Decompress(leBuf [32]byte) (*Point, error) {
 	}
 	p.X.Mod(p.X, constants.Q)
 
-	return p, nil
+	return &p, nil
 }

babyjub/babyjub_test.go

@@ -15,7 +15,7 @@ func TestAdd1(t *testing.T) {
 	a := &Point{X: big.NewInt(0), Y: big.NewInt(1)}
 	b := &Point{X: big.NewInt(0), Y: big.NewInt(1)}
 
-	c := NewPoint().Add(a, b)
+	c := NewPoint().Projective().Add(a.Projective(), b.Projective())
 	// fmt.Printf("%v = 2 * %v", *c, *a)
 	assert.Equal(t, "0", c.X.String())
 	assert.Equal(t, "1", c.Y.String())
@@ -34,7 +34,7 @@ func TestAdd2(t *testing.T) {
 		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
 	b := &Point{X: bX, Y: bY}
 
-	c := NewPoint().Add(a, b)
+	c := NewPoint().Projective().Add(a.Projective(), b.Projective()).Affine()
 	// fmt.Printf("%v = 2 * %v", *c, *a)
 	assert.Equal(t,
 		"6890855772600357754907169075114257697580319025794532037257385534741338397365",
@@ -42,6 +42,17 @@ func TestAdd2(t *testing.T) {
 	assert.Equal(t,
 		"4338620300185947561074059802482547481416142213883829469920100239455078257889",
 		c.Y.String())
+
+	d := NewPointProjective().Add(c.Projective(), c.Projective()).Affine()
+	assert.Equal(t, "2f6458832049e917c95867185a96621336df33e13c98e81d1ef4928cdbb77772", hex.EncodeToString(d.X.Bytes()))
+
+	// Projective
+	aP := a.Projective()
+	bP := b.Projective()
+	cP := NewPointProjective().Add(aP, bP)
+	c2 := cP.Affine()
+	assert.Equal(t, c, c2)
+
 }
 
 func TestAdd3(t *testing.T) {
@@ -57,7 +68,7 @@ func TestAdd3(t *testing.T) {
 		"20819045374670962167435360035096875258406992893633759881276124905556507972311")
 	b := &Point{X: bX, Y: bY}
 
-	c := NewPoint().Add(a, b)
+	c := NewPoint().Projective().Add(a.Projective(), b.Projective()).Affine()
 	// fmt.Printf("%v = 2 * %v", *c, *a)
 	assert.Equal(t,
 		"7916061937171219682591368294088513039687205273691143098332585753343424131937",
@@ -80,7 +91,7 @@ func TestAdd4(t *testing.T) {
 		"20819045374670962167435360035096875258406992893633759881276124905556507972311")
 	b := &Point{X: bX, Y: bY}
 
-	c := NewPoint().Add(a, b)
+	c := NewPoint().Projective().Add(a.Projective(), b.Projective()).Affine()
 	// fmt.Printf("%v = 2 * %v", *c, *a)
 	assert.Equal(t,
 		"16540640123574156134436876038791482806971768689494387082833631921987005038935",
@@ -108,8 +119,8 @@ func TestMul0(t *testing.T) {
 	p := &Point{X: x, Y: y}
 	s := utils.NewIntFromString("3")
 
-	r2 := NewPoint().Add(p, p)
-	r2 = NewPoint().Add(r2, p)
+	r2 := NewPoint().Projective().Add(p.Projective(), p.Projective()).Affine()
+	r2 = NewPoint().Projective().Add(r2.Projective(), p.Projective()).Affine()
 	r := NewPoint().Mul(s, p)
 	assert.Equal(t, r2.X.String(), r.X.String())
 	assert.Equal(t, r2.Y.String(), r.Y.String())
@@ -192,6 +203,20 @@ func TestInSubGroup2(t *testing.T) {
 	assert.Equal(t, true, p.InSubGroup())
 }
 
+func TestPointFromSignAndy(t *testing.T) {
+	x := utils.NewIntFromString(
+		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
+	y := utils.NewIntFromString(
+		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
+	p := &Point{X: x, Y: y}
+
+	sign := PointCoordSign(p.X)
+	p2, err := PointFromSignAndY(sign, p.Y)
+	assert.Equal(t, nil, err)
+	assert.Equal(t, p.X.String(), p2.X.String())
+	assert.Equal(t, p.Y.String(), p2.Y.String())
+}
+
 func TestCompressDecompress1(t *testing.T) {
 	x := utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
@@ -230,7 +255,8 @@ func TestCompressDecompressRnd(t *testing.T) {
 		buf := p1.Compress()
 		p2, err := NewPoint().Decompress(buf)
 		assert.Equal(t, nil, err)
-		assert.Equal(t, p1, p2)
+		assert.Equal(t, p1.X.Bytes(), p2.X.Bytes())
+		assert.Equal(t, p1.Y.Bytes(), p2.Y.Bytes())
 	}
 }
 
@@ -247,6 +273,7 @@ func BenchmarkBabyjub(b *testing.B) {
 	}
 
 	var points [n]*Point
+	var pointsProj [n]*PointProjective
 	baseX := utils.NewIntFromString(
 		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
 	baseY := utils.NewIntFromString(
@@ -255,6 +282,7 @@ func BenchmarkBabyjub(b *testing.B) {
 	for i := 0; i < n; i++ {
 		s := new(big.Int).Rand(rnd, constants.Q)
 		points[i] = NewPoint().Mul(s, base)
+		pointsProj[i] = NewPoint().Mul(s, base).Projective()
 	}
 
 	var scalars [n]*big.Int
@@ -265,17 +293,19 @@ func BenchmarkBabyjub(b *testing.B) {
 	b.Run("AddConst", func(b *testing.B) {
 		p0 := &Point{X: big.NewInt(0), Y: big.NewInt(1)}
 		p1 := &Point{X: big.NewInt(0), Y: big.NewInt(1)}
+		p0Proj := p0.Projective()
+		p1Proj := p1.Projective()
 
-		p2 := NewPoint()
+		p2 := NewPoint().Projective()
 		for i := 0; i < b.N; i++ {
-			p2.Add(p0, p1)
+			p2.Add(p0Proj, p1Proj)
 		}
 	})
 
 	b.Run("AddRnd", func(b *testing.B) {
-		res := NewPoint()
+		res := NewPoint().Projective()
 		for i := 0; i < b.N; i++ {
-			res.Add(points[i%(n/2)], points[i%(n/2)+1])
+			res.Add(pointsProj[i%(n/2)], pointsProj[i%(n/2)+1])
 		}
 	})
 

babyjub/eddsa.go

@@ -2,6 +2,8 @@ package babyjub
 
 import (
 	"crypto/rand"
+	"database/sql/driver"
+	"fmt"
 
 	"github.com/iden3/go-iden3-crypto/mimc7"
 	"github.com/iden3/go-iden3-crypto/poseidon"
@@ -36,6 +38,13 @@ func NewRandPrivKey() PrivateKey {
 // Scalar converts a private key into the scalar value s following the EdDSA
 // standard, and using blake-512 hash.
 func (k *PrivateKey) Scalar() *PrivKeyScalar {
+	s := SkToBigInt(k)
+	return NewPrivKeyScalar(s)
+}
+
+// SkToBigInt converts a private key into the *big.Int value following the
+// EdDSA standard, and using blake-512 hash
+func SkToBigInt(k *PrivateKey) *big.Int {
 	sBuf := Blake512(k[:])
 	sBuf32 := [32]byte{}
 	copy(sBuf32[:], sBuf[:32])
@@ -43,7 +52,7 @@ func (k *PrivateKey) Scalar() *PrivKeyScalar {
 	s := new(big.Int)
 	utils.SetBigIntFromLEBytes(s, sBuf32[:])
 	s.Rsh(s, 3)
-	return NewPrivKeyScalar(s)
+	return s
 }
 
 // Pub returns the public key corresponding to a private key.
@@ -168,6 +177,45 @@ func (s *SignatureComp) Decompress() (*Signature, error) {
 	return new(Signature).Decompress(*s)
 }
 
+// Scan implements Scanner for database/sql.
+func (s *SignatureComp) Scan(src interface{}) error {
+	srcB, ok := src.([]byte)
+	if !ok {
+		return fmt.Errorf("can't scan %T into Signature", src)
+	}
+	if len(srcB) != 64 {
+		return fmt.Errorf("can't scan []byte of len %d into Signature, want %d", len(srcB), 64)
+	}
+	copy(s[:], srcB[:])
+	return nil
+}
+
+// Value implements valuer for database/sql.
+func (s SignatureComp) Value() (driver.Value, error) {
+	return s[:], nil
+}
+
+// Scan implements Scanner for database/sql.
+func (s *Signature) Scan(src interface{}) error {
+	srcB, ok := src.([]byte)
+	if !ok {
+		return fmt.Errorf("can't scan %T into Signature", src)
+	}
+	if len(srcB) != 64 {
+		return fmt.Errorf("can't scan []byte of len %d into Signature, want %d", len(srcB), 64)
+	}
+	buf := [64]byte{}
+	copy(buf[:], srcB[:])
+	_, err := s.Decompress(buf)
+	return err
+}
+
+// Value implements valuer for database/sql.
+func (s Signature) Value() (driver.Value, error) {
+	comp := s.Compress()
+	return comp[:], nil
+}
+
 // SignMimc7 signs a message encoded as a big.Int in Zq using blake-512 hash
 // for buffer hashing and mimc7 for big.Int hashing.
 func (k *PrivateKey) SignMimc7(msg *big.Int) *Signature {
@@ -199,14 +247,16 @@ func (p *PublicKey) VerifyMimc7(msg *big.Int, sig *Signature) bool {
 	hmInput := []*big.Int{sig.R8.X, sig.R8.Y, p.X, p.Y, msg}
 	hm, err := mimc7.Hash(hmInput, nil) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
 	if err != nil {
-		panic(err)
+		return false
 	}
 
 	left := NewPoint().Mul(sig.S, B8) // left = s * 8 * B
 	r1 := big.NewInt(8)
 	r1.Mul(r1, hm)
 	right := NewPoint().Mul(r1, p.Point())
-	right.Add(sig.R8, right) // right = 8 * R + 8 * hm * A
+	rightProj := right.Projective()
+	rightProj.Add(sig.R8.Projective(), rightProj) // right = 8 * R + 8 * hm * A
+	right = rightProj.Affine()
 	return (left.X.Cmp(right.X) == 0) && (left.Y.Cmp(right.Y) == 0)
 }
 
@@ -223,8 +273,8 @@ func (k *PrivateKey) SignPoseidon(msg *big.Int) *Signature {
 	R8 := NewPoint().Mul(r, B8) // R8 = r * 8 * B
 	A := k.Public().Point()
 
-	hmInput := [poseidon.T]*big.Int{R8.X, R8.Y, A.X, A.Y, msg, big.NewInt(int64(0))}
-	hm, err := poseidon.PoseidonHash(hmInput) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
+	hmInput := []*big.Int{R8.X, R8.Y, A.X, A.Y, msg}
+	hm, err := poseidon.Hash(hmInput) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
 	if err != nil {
 		panic(err)
 	}
@@ -240,16 +290,43 @@ func (k *PrivateKey) SignPoseidon(msg *big.Int) *Signature {
 // VerifyPoseidon verifies the signature of a message encoded as a big.Int in Zq
 // using blake-512 hash for buffer hashing and Poseidon for big.Int hashing.
 func (p *PublicKey) VerifyPoseidon(msg *big.Int, sig *Signature) bool {
-	hmInput := [poseidon.T]*big.Int{sig.R8.X, sig.R8.Y, p.X, p.Y, msg, big.NewInt(int64(0))}
-	hm, err := poseidon.PoseidonHash(hmInput) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
+	hmInput := []*big.Int{sig.R8.X, sig.R8.Y, p.X, p.Y, msg}
+	hm, err := poseidon.Hash(hmInput) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
 	if err != nil {
-		panic(err)
+		return false
 	}
 
 	left := NewPoint().Mul(sig.S, B8) // left = s * 8 * B
 	r1 := big.NewInt(8)
 	r1.Mul(r1, hm)
 	right := NewPoint().Mul(r1, p.Point())
-	right.Add(sig.R8, right) // right = 8 * R + 8 * hm * A
+	rightProj := right.Projective()
+	rightProj.Add(sig.R8.Projective(), rightProj) // right = 8 * R + 8 * hm * A
+	right = rightProj.Affine()
 	return (left.X.Cmp(right.X) == 0) && (left.Y.Cmp(right.Y) == 0)
 }
+
+// Scan implements Scanner for database/sql.
+func (p *PublicKey) Scan(src interface{}) error {
+	srcB, ok := src.([]byte)
+	if !ok {
+		return fmt.Errorf("can't scan %T into PublicKey", src)
+	}
+	if len(srcB) != 32 {
+		return fmt.Errorf("can't scan []byte of len %d into PublicKey, want %d", len(srcB), 32)
+	}
+	var comp PublicKeyComp
+	copy(comp[:], srcB)
+	decomp, err := comp.Decompress()
+	if err != nil {
+		return err
+	}
+	*p = *decomp
+	return nil
+}
+
+// Value implements valuer for database/sql.
+func (p PublicKey) Value() (driver.Value, error) {
+	comp := p.Compress()
+	return comp[:], nil
+}

babyjub/eddsa_test.go

@@ -6,6 +6,9 @@ import (
 	"math/big"
 	"testing"
 
+	"database/sql"
+	"database/sql/driver"
+
 	"github.com/iden3/go-iden3-crypto/constants"
 	"github.com/iden3/go-iden3-crypto/utils"
 	"github.com/stretchr/testify/assert"
@@ -93,7 +96,7 @@ func TestSignVerifyPoseidon(t *testing.T) {
 		"15383486972088797283337779941324724402501462225528836549661220478783371668959",
 		sig.R8.Y.String())
 	assert.Equal(t,
-		"248298168863866362217836334079793350221620631973732197668910946177382043688",
+		"1398758333392199195742243841591064350253744445503462896781493968760929513778",
 		sig.S.String())
 
 	ok := pk.VerifyPoseidon(msg, sig)
@@ -105,7 +108,7 @@ func TestSignVerifyPoseidon(t *testing.T) {
 
 	assert.Equal(t, ""+
 		"dfedb4315d3f2eb4de2d3c510d7a987dcab67089c8ace06308827bf5bcbe02a2"+
-		"28506bce274aa1b3f7e7c2fd7e4fe09bff8f9aa37a42def7994e98f322888c00",
+		"32f16b0f2f4c4e1169aa59685637e1429b6581a9531d058d65f4ab224eab1703",
 		hex.EncodeToString(sigBuf[:]))
 
 	ok = pk.VerifyPoseidon(msg, sig2)
@@ -132,6 +135,44 @@ func TestCompressDecompress(t *testing.T) {
 	}
 }
 
+func TestSignatureCompScannerValuer(t *testing.T) {
+	privK := NewRandPrivKey()
+	var value driver.Valuer //nolint:gosimple this is done to ensure interface compability
+	value = privK.SignPoseidon(big.NewInt(674238462)).Compress()
+	scan := privK.SignPoseidon(big.NewInt(1)).Compress()
+	fromDB, err := value.Value()
+	assert.Nil(t, err)
+	assert.Nil(t, scan.Scan(fromDB))
+	assert.Equal(t, value, scan)
+}
+
+func TestSignatureScannerValuer(t *testing.T) {
+	privK := NewRandPrivKey()
+	var value driver.Valuer
+	var scan sql.Scanner
+	value = privK.SignPoseidon(big.NewInt(674238462))
+	scan = privK.SignPoseidon(big.NewInt(1))
+	fromDB, err := value.Value()
+	assert.Nil(t, err)
+	assert.Nil(t, scan.Scan(fromDB))
+	assert.Equal(t, value, scan)
+}
+
+func TestPubKeyScannerValuer(t *testing.T) {
+	privKValue := NewRandPrivKey()
+	pubKValue := privKValue.Public()
+	privKScan := NewRandPrivKey()
+	pubKScan := privKScan.Public()
+	var value driver.Valuer
+	var scan sql.Scanner
+	value = pubKValue
+	scan = pubKScan
+	fromDB, err := value.Value()
+	assert.Nil(t, err)
+	assert.Nil(t, scan.Scan(fromDB))
+	assert.Equal(t, value, scan)
+}
+
 func BenchmarkBabyjubEddsa(b *testing.B) {
 	var k PrivateKey
 	_, err := hex.Decode(k[:], []byte("0001020304050607080900010203040506070809000102030405060708090001"))

go.mod

@@ -7,4 +7,5 @@ require (
 	github.com/ethereum/go-ethereum v1.9.12
 	github.com/stretchr/testify v1.4.0
 	golang.org/x/crypto v0.0.0-20200311171314-f7b00557c8c4
+	golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd // indirect
 )

go.sum

@@ -50,8 +50,6 @@ github.com/dop251/goja v0.0.0-20200219165308-d1232e640a87/go.mod h1:Mw6PkjjMXWbT
 github.com/edsrzf/mmap-go v0.0.0-20160512033002-935e0e8a636c/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/elastic/gosigar v0.8.1-0.20180330100440-37f05ff46ffa h1:XKAhUk/dtp+CV0VO6mhG2V7jA9vbcGcnYF/Ay9NjZrY=
 github.com/elastic/gosigar v0.8.1-0.20180330100440-37f05ff46ffa/go.mod h1:cdorVVzy1fhmEqmtgqkoE3bYtCfSCkVyjTyCIo22xvs=
-github.com/ethereum/go-ethereum v1.8.27 h1:d+gkiLaBDk5fn3Pe/xNVaMrB/ozI+AUB2IlVBp29IrY=
-github.com/ethereum/go-ethereum v1.8.27/go.mod h1:PwpWDrCLZrV+tfrhqqF6kPknbISMHaJv9Ln3kPCZLwY=
 github.com/ethereum/go-ethereum v1.9.12 h1:EPtimwsp/KGDSiXcNunzsI4kefdsMHZGJntKx3fvbaI=
 github.com/ethereum/go-ethereum v1.9.12/go.mod h1:PvsVkQmhZFx92Y+h2ylythYlheEDt/uBgFbl61Js/jo=
 github.com/fatih/color v1.3.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
@@ -76,15 +74,16 @@ github.com/graph-gophers/graphql-go v0.0.0-20191115155744-f33e81362277/go.mod h1
 github.com/hashicorp/golang-lru v0.0.0-20160813221303-0a025b7e63ad/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huin/goupnp v0.0.0-20161224104101-679507af18f3/go.mod h1:MZ2ZmwcBpvOoJ22IJsc7va19ZwoheaBk43rKg12SKag=
-github.com/iden3/go-iden3 v0.0.5 h1:NV6HXnLmp+1YmKd2FmymzU6OAP77q1WWDcB/B+BUL9g=
 github.com/influxdata/influxdb v1.2.3-0.20180221223340-01288bdb0883/go.mod h1:qZna6X/4elxqT3yI9iZYdZrWWdeFOOprn86kgg4+IzY=
 github.com/jackpal/go-nat-pmp v1.0.2-0.20160603034137-1fa385a6f458/go.mod h1:QPH045xvCAeXUZOxsnwmrtiCoxIr9eob+4orBN1SBKc=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/julienschmidt/httprouter v1.1.1-0.20170430222011-975b5c4c7c21/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/karalabe/usb v0.0.0-20190919080040-51dc0efba356/go.mod h1:Od972xHfMJowv7NGVDiWVxk2zxnWgjLlJzE+F4F7AGU=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mattn/go-colorable v0.1.0/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
@@ -127,6 +126,7 @@ github.com/steakknife/bloomfilter v0.0.0-20180922174646-6819c0d2a570 h1:gIlAHnH1
 github.com/steakknife/bloomfilter v0.0.0-20180922174646-6819c0d2a570/go.mod h1:8OR4w3TdeIHIh1g6EMY5p0gVNOovcWC+1vpc7naMuAw=
 github.com/steakknife/hamming v0.0.0-20180906055917-c99c65617cd3 h1:njlZPzLwU639dk2kqnCPPv+wNjq7Xb6EfUxe/oX0/NM=
 github.com/steakknife/hamming v0.0.0-20180906055917-c99c65617cd3/go.mod h1:hpGUWaI9xL8pRQCTXQgocU38Qw1g0Us7n5PxxTwTCYU=
+github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
@@ -138,8 +138,6 @@ github.com/tyler-smith/go-bip39 v1.0.1-0.20181017060643-dbb3b84ba2ef/go.mod h1:s
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/wsddn/go-ecdh v0.0.0-20161211032359-48726bab9208/go.mod h1:IotVbo4F+mw0EzQ08zFqg7pK3FebNXpaMsRy2RT+Ees=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4 h1:ydJNl0ENAG67pFbB+9tfhiL2pYqLhfoaZFw/cjLhY4A=
-golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200311171314-f7b00557c8c4 h1:QmwruyY+bKbDDL0BaglrbZABEali68eoMFhTZpCjYVA=
 golang.org/x/crypto v0.0.0-20200311171314-f7b00557c8c4/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -154,12 +152,15 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527 h1:uYVVQ9WP/Ds2ROhcaGPeIdVq0RIXVLwsHlnvJ+cT1So=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/natefinch/npipe.v2 v2.0.0-20160621034901-c1b8fa8bdcce/go.mod h1:5AcXVHNjg+BDxry382+8OKon8SEWiKktQR07RKPsv1c=

mimc7/mimc7.go

@@ -137,7 +137,7 @@ func Hash(arr []*big.Int, key *big.Int) (*big.Int, error) {
 
 // HashBytes hashes a msg byte slice by blocks of 31 bytes encoded as
 // little-endian
-func HashBytes(b []byte) (*big.Int, error) {
+func HashBytes(b []byte) *big.Int {
 	n := 31
 	bElems := make([]*big.Int, 0, len(b)/n+1)
 	for i := 0; i < len(b)/n; i++ {
@@ -150,5 +150,9 @@ func HashBytes(b []byte) (*big.Int, error) {
 		utils.SetBigIntFromLEBytes(v, b[(len(b)/n)*n:])
 		bElems = append(bElems, v)
 	}
-	return Hash(bElems, nil)
+	h, err := Hash(bElems, nil)
+	if err != nil {
+		panic(err)
+	}
+	return h
 }

mimc7/mimc7_test.go

@@ -74,8 +74,7 @@ func TestMIMC7(t *testing.T) {
 	assert.Equal(t, "0x"+hex.EncodeToString((*big.Int)(h4).Bytes()), "0x284bc1f34f335933a23a433b6ff3ee179d682cd5e5e2fcdd2d964afa85104beb")
 
 	msg := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.")
-	hmsg, err := HashBytes(msg)
-	assert.Nil(t, err)
+	hmsg := HashBytes(msg)
 	assert.Equal(t, "16855787120419064316734350414336285711017110414939748784029922801367685456065", hmsg.String())
 }
 

poseidon/poseidon.go

@@ -2,196 +2,90 @@ package poseidon
 
 import (
 	"errors"
+	"fmt"
 	"math/big"
-	"strconv"
 
-	"github.com/iden3/go-iden3-crypto/constants"
 	"github.com/iden3/go-iden3-crypto/ff"
 	"github.com/iden3/go-iden3-crypto/utils"
-	"golang.org/x/crypto/blake2b"
 )
 
-const SEED = "poseidon"
 const NROUNDSF = 8
-const NROUNDSP = 57
-const T = 6
 
-var constC []*ff.Element
-var constM [T][T]*ff.Element
+var NROUNDSP = []int{56, 57, 56, 60, 60, 63, 64, 63}
 
-func Zero() *ff.Element {
+func zero() *ff.Element {
 	return ff.NewElement()
 }
 
-func modQ(v *big.Int) {
-	v.Mod(v, constants.Q)
-}
-
-func init() {
-	constC = getPseudoRandom(SEED+"_constants", NROUNDSF+NROUNDSP)
-	constM = getMDS()
-}
-
-func getPseudoRandom(seed string, n int) []*ff.Element {
-	res := make([]*ff.Element, n)
-	hash := blake2b.Sum256([]byte(seed))
-	for i := 0; i < n; i++ {
-		hashBigInt := big.NewInt(int64(0))
-		res[i] = ff.NewElement().SetBigInt(utils.SetBigIntFromLEBytes(hashBigInt, hash[:]))
-		hash = blake2b.Sum256(hash[:])
-	}
-	return res
-}
-
-func nonceToString(n int) string {
-	r := strconv.Itoa(n)
-	for len(r) < 4 {
-		r = "0" + r
-	}
-	return r
-}
-
-// https://eprint.iacr.org/2019/458.pdf pag.8
-func getMDS() [T][T]*ff.Element {
-	nonce := 0
-	cauchyMatrix := getPseudoRandom(SEED+"_matrix_"+nonceToString(nonce), T*2)
-	for !checkAllDifferent(cauchyMatrix) {
-		nonce += 1
-		cauchyMatrix = getPseudoRandom(SEED+"_matrix_"+nonceToString(nonce), T*2)
-	}
-	var m [T][T]*ff.Element
-	for i := 0; i < T; i++ {
-		for j := 0; j < T; j++ {
-			m[i][j] = ff.NewElement().Sub(cauchyMatrix[i], cauchyMatrix[T+j])
-			m[i][j].Inverse(m[i][j])
-		}
-	}
-	return m
-}
-
-func checkAllDifferent(v []*ff.Element) bool {
-	for i := 0; i < len(v); i++ {
-		if v[i].Equal(ff.NewElement()) {
-			return false
-		}
-		for j := i + 1; j < len(v); j++ {
-			if v[i].Equal(v[j]) {
-				return false
-			}
-		}
-	}
-	return true
-}
-
 // ark computes Add-Round Key, from the paper https://eprint.iacr.org/2019/458.pdf
-func ark(state [T]*ff.Element, c *ff.Element) {
-	for i := 0; i < T; i++ {
-		state[i].Add(state[i], c)
+func ark(state []*ff.Element, c []*ff.Element, it int) {
+	for i := 0; i < len(state); i++ {
+		state[i].Add(state[i], c[it+i])
 	}
 }
 
-// cubic performs x^5 mod p
+// exp5 performs x^5 mod p
 // https://eprint.iacr.org/2019/458.pdf page 8
-
-func cubic(a *ff.Element) {
+func exp5(a *ff.Element) {
 	a.Exp(*a, 5)
 }
 
 // sbox https://eprint.iacr.org/2019/458.pdf page 6
-func sbox(state [T]*ff.Element, i int) {
-	if (i < NROUNDSF/2) || (i >= NROUNDSF/2+NROUNDSP) {
-		for j := 0; j < T; j++ {
-			cubic(state[j])
+func sbox(nRoundsF, nRoundsP int, state []*ff.Element, i int) {
+	if (i < nRoundsF/2) || (i >= nRoundsF/2+nRoundsP) {
+		for j := 0; j < len(state); j++ {
+			exp5(state[j])
 		}
 	} else {
-		cubic(state[0])
+		exp5(state[0])
 	}
 }
 
 // mix returns [[matrix]] * [vector]
-func mix(state [T]*ff.Element, newState [T]*ff.Element, m [T][T]*ff.Element) {
-	mul := Zero()
-	for i := 0; i < T; i++ {
+func mix(state []*ff.Element, newState []*ff.Element, m [][]*ff.Element) {
+	mul := zero()
+	for i := 0; i < len(state); i++ {
 		newState[i].SetUint64(0)
-		for j := 0; j < T; j++ {
-			mul.Mul(m[i][j], state[j])
+		for j := 0; j < len(state); j++ {
+			mul.Mul(m[j][i], state[j])
 			newState[i].Add(newState[i], mul)
 		}
 	}
 }
 
-// PoseidonHash computes the Poseidon hash for the given inputs
-func PoseidonHash(inpBI [T]*big.Int) (*big.Int, error) {
+// Hash computes the Poseidon hash for the given inputs
+func Hash(inpBI []*big.Int) (*big.Int, error) {
+	t := len(inpBI) + 1
+	if len(inpBI) == 0 || len(inpBI) >= len(NROUNDSP)-1 {
+		return nil, fmt.Errorf("invalid inputs length %d, max %d", len(inpBI), len(NROUNDSP)-1)
+	}
 	if !utils.CheckBigIntArrayInField(inpBI[:]) {
 		return nil, errors.New("inputs values not inside Finite Field")
 	}
 	inp := utils.BigIntArrayToElementArray(inpBI[:])
-	state := [T]*ff.Element{}
-	for i := 0; i < T; i++ {
-		state[i] = ff.NewElement().Set(inp[i])
+	state := make([]*ff.Element, t)
+	copy(state[:], inp[:])
+	state[len(state)-1] = zero()
+
+	nRoundsF := NROUNDSF
+	nRoundsP := NROUNDSP[t-2]
+
+	newState := make([]*ff.Element, t)
+	for i := 0; i < t; i++ {
+		newState[i] = zero()
 	}
 
 	// ARK --> SBox --> M, https://eprint.iacr.org/2019/458.pdf pag.5
-	var newState [T]*ff.Element
-	for i := 0; i < T; i++ {
-		newState[i] = Zero()
-	}
-	for i := 0; i < NROUNDSF+NROUNDSP; i++ {
-		ark(state, constC[i])
-		sbox(state, i)
-		mix(state, newState, constM)
+	for i := 0; i < nRoundsF+nRoundsP; i++ {
+		ark(state, c.c[t-2], i*t)
+		sbox(nRoundsF, nRoundsP, state, i)
+		if i < nRoundsF+nRoundsP-1 {
+			mix(state, newState, c.m[t-2])
 			state, newState = newState, state
 		}
+	}
 	rE := state[0]
 	r := big.NewInt(0)
 	rE.ToBigIntRegular(r)
 	return r, nil
 }
-
-// Hash performs the Poseidon hash over a ff.Element array
-// in chunks of 5 elements
-func Hash(arr []*big.Int) (*big.Int, error) {
-	r := big.NewInt(int64(1))
-	for i := 0; i < len(arr); i = i + T - 1 {
-		var toHash [T]*big.Int
-		j := 0
-		for ; j < T-1; j++ {
-			if i+j >= len(arr) {
-				break
-			}
-			toHash[j] = arr[i+j]
-		}
-		toHash[j] = r
-		j++
-		for ; j < T; j++ {
-			toHash[j] = big.NewInt(0)
-		}
-
-		ph, err := PoseidonHash(toHash)
-		if err != nil {
-			return nil, err
-		}
-		modQ(r.Add(r, ph))
-	}
-
-	return r, nil
-}
-
-// HashBytes hashes a msg byte slice by blocks of 31 bytes encoded as
-// little-endian
-func HashBytes(b []byte) (*big.Int, error) {
-	n := 31
-	bElems := make([]*big.Int, 0, len(b)/n+1)
-	for i := 0; i < len(b)/n; i++ {
-		v := big.NewInt(int64(0))
-		utils.SetBigIntFromLEBytes(v, b[n*i:n*(i+1)])
-		bElems = append(bElems, v)
-
-	}
-	if len(b)%n != 0 {
-		v := big.NewInt(int64(0))
-		utils.SetBigIntFromLEBytes(v, b[(len(b)/n)*n:])
-		bElems = append(bElems, v)
-	}
-	return Hash(bElems)
-}

poseidon/poseidon_test.go

@@ -15,106 +15,65 @@ func TestBlake2bVersion(t *testing.T) {
 	assert.Equal(t, "e57ba154fb2c47811dc1a2369b27e25a44915b4e4ece4eb8ec74850cb78e01b1", hex.EncodeToString(h[:]))
 }
 
-func TestPoseidon(t *testing.T) {
+func TestPoseidonHash(t *testing.T) {
+	b0 := big.NewInt(0)
 	b1 := big.NewInt(1)
 	b2 := big.NewInt(2)
-	h, err := Hash([]*big.Int{b1, b2})
+
+	h, err := Hash([]*big.Int{b1})
 	assert.Nil(t, err)
-	assert.Equal(t, "4932297968297298434239270129193057052722409868268166443802652458940273154855", h.String())
+	assert.Equal(t, "11043376183861534927536506085090418075369306574649619885724436265926427398571", h.String())
+
+	h, err = Hash([]*big.Int{b1, b2})
+	assert.Nil(t, err)
+	assert.Equal(t, "17117985411748610629288516079940078114952304104811071254131751175361957805920", h.String())
+
+	h, err = Hash([]*big.Int{b1, b2, b0, b0, b0})
+	assert.Nil(t, err)
+	assert.Equal(t, "3975478831357328722254985704342968745327876719981393787143845259590563829094", h.String())
+	h, err = Hash([]*big.Int{b1, b2, b0, b0, b0, b0})
+	assert.Nil(t, err)
+	assert.Equal(t, "19772360636270345724087386688434825760738403416279047262510528378903625000110", h.String())
 
 	b3 := big.NewInt(3)
 	b4 := big.NewInt(4)
-	h, err = Hash([]*big.Int{b3, b4})
+	h, err = Hash([]*big.Int{b3, b4, b0, b0, b0})
 	assert.Nil(t, err)
-	assert.Equal(t, "4635491972858758537477743930622086396911540895966845494943021655521913507504", h.String())
+	assert.Equal(t, "3181200837746671699652342497997860344148947482942465819251904554707352676086", h.String())
+	h, err = Hash([]*big.Int{b3, b4, b0, b0, b0, b0})
+	assert.Nil(t, err)
+	assert.Equal(t, "8386348873272147968934270337233829407378789978142456170950021426339096575008", h.String())
 
 	b5 := big.NewInt(5)
 	b6 := big.NewInt(6)
-	b7 := big.NewInt(7)
-	b8 := big.NewInt(8)
-	b9 := big.NewInt(9)
-	b10 := big.NewInt(10)
-	b11 := big.NewInt(11)
-	b12 := big.NewInt(12)
-	h, err = Hash([]*big.Int{b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12})
+	h, err = Hash([]*big.Int{b1, b2, b3, b4, b5, b6})
 	assert.Nil(t, err)
-	assert.Equal(t, "15278801138972282646981503374384603641625274360649669926363020545395022098027", h.String())
-
-	msg := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.")
-	n := 31
-	msgElems := make([]*big.Int, 0, len(msg)/n+1)
-	for i := 0; i < len(msg)/n; i++ {
-		v := new(big.Int)
-		utils.SetBigIntFromLEBytes(v, msg[n*i:n*(i+1)])
-		msgElems = append(msgElems, v)
-	}
-	if len(msg)%n != 0 {
-		v := new(big.Int)
-		utils.SetBigIntFromLEBytes(v, msg[(len(msg)/n)*n:])
-		msgElems = append(msgElems, v)
-	}
-	hmsg, err := Hash(msgElems)
-	assert.Nil(t, err)
-	assert.Equal(t, "16019700159595764790637132363672701294192939959594423814006267756172551741065", hmsg.String())
-
-	msg2 := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Lorem ipsum dolor sit amet.")
-	msg2Elems := make([]*big.Int, 0, len(msg2)/n+1)
-	for i := 0; i < len(msg2)/n; i++ {
-		v := new(big.Int)
-		utils.SetBigIntFromLEBytes(v, msg2[n*i:n*(i+1)])
-		msg2Elems = append(msg2Elems, v)
-	}
-	if len(msg2)%n != 0 {
-		v := new(big.Int)
-		utils.SetBigIntFromLEBytes(v, msg2[(len(msg2)/n)*n:])
-		msg2Elems = append(msg2Elems, v)
-	}
-	hmsg2, err := Hash(msg2Elems)
-	assert.Nil(t, err)
-	assert.Equal(t, "2978613163687734485261639854325792381691890647104372645321246092227111432722", hmsg2.String())
-
-	hmsg2, err = HashBytes(msg2)
-	assert.Nil(t, err)
-	assert.Equal(t, "2978613163687734485261639854325792381691890647104372645321246092227111432722", hmsg2.String())
+	assert.Equal(t, "5202465217520500374834597824465244016759843635092906214933648999760272616044", h.String())
 }
 
-func TestPoseidonBrokenChunks(t *testing.T) {
-	h1, err := Hash([]*big.Int{big.NewInt(0), big.NewInt(1), big.NewInt(2), big.NewInt(3), big.NewInt(4),
-		big.NewInt(5), big.NewInt(6), big.NewInt(7), big.NewInt(8), big.NewInt(9)})
+func TestErrorInputs(t *testing.T) {
+	b0 := big.NewInt(0)
+	b1 := big.NewInt(1)
+	b2 := big.NewInt(2)
+
+	_, err := Hash([]*big.Int{b1, b2, b0, b0, b0, b0})
 	assert.Nil(t, err)
-	h2, err := Hash([]*big.Int{big.NewInt(5), big.NewInt(6), big.NewInt(7), big.NewInt(8), big.NewInt(9),
-		big.NewInt(0), big.NewInt(1), big.NewInt(2), big.NewInt(3), big.NewInt(4)})
-	assert.Nil(t, err)
-	assert.NotEqual(t, h1, h2)
+
+	_, err = Hash([]*big.Int{b1, b2, b0, b0, b0, b0, b0})
+	assert.NotNil(t, err)
+	assert.Equal(t, "invalid inputs length 7, max 7", err.Error())
+
+	_, err = Hash([]*big.Int{b1, b2, b0, b0, b0, b0, b0, b0})
+	assert.NotNil(t, err)
+	assert.Equal(t, "invalid inputs length 8, max 7", err.Error())
 }
 
-func TestPoseidonBrokenPadding(t *testing.T) {
-	h1, err := Hash([]*big.Int{big.NewInt(int64(1))})
-	assert.Nil(t, err)
-	h2, err := Hash([]*big.Int{big.NewInt(int64(1)), big.NewInt(int64(0))})
-	assert.Nil(t, err)
-	assert.NotEqual(t, h1, h2)
-}
+func BenchmarkPoseidonHash(b *testing.B) {
+	b0 := big.NewInt(0)
+	b1 := utils.NewIntFromString("12242166908188651009877250812424843524687801523336557272219921456462821518061")
+	b2 := utils.NewIntFromString("12242166908188651009877250812424843524687801523336557272219921456462821518061")
 
-func BenchmarkPoseidon(b *testing.B) {
-	b12 := big.NewInt(int64(12))
-	b45 := big.NewInt(int64(45))
-	b78 := big.NewInt(int64(78))
-	b41 := big.NewInt(int64(41))
-	bigArray4 := []*big.Int{b12, b45, b78, b41}
-
-	for i := 0; i < b.N; i++ {
-		Hash(bigArray4) //nolint:errcheck
-	}
-}
-
-func BenchmarkPoseidonLarge(b *testing.B) {
-	b12 := utils.NewIntFromString("11384336176656855268977457483345535180380036354188103142384839473266348197733")
-	b45 := utils.NewIntFromString("11384336176656855268977457483345535180380036354188103142384839473266348197733")
-	b78 := utils.NewIntFromString("11384336176656855268977457483345535180380036354188103142384839473266348197733")
-	b41 := utils.NewIntFromString("11384336176656855268977457483345535180380036354188103142384839473266348197733")
-
-	bigArray4 := []*big.Int{b12, b45, b78, b41}
+	bigArray4 := []*big.Int{b1, b2, b0, b0, b0, b0}
 
 	for i := 0; i < b.N; i++ {
 		Hash(bigArray4) //nolint:errcheck

utils/utils.go

@@ -103,6 +103,7 @@ func CheckBigIntArrayInField(arr []*big.Int) bool {
 	return true
 }
 
+// BigIntArrayToElementArray converts an array of *big.Int into an array of *ff.Element
 func BigIntArrayToElementArray(bi []*big.Int) []*ff.Element {
 	var o []*ff.Element
 	for i := range bi {
@@ -110,3 +111,15 @@ func BigIntArrayToElementArray(bi []*big.Int) []*ff.Element {
 	}
 	return o
 }
+
+// ElementArrayToBigIntArray converts an array of *ff.Element into an array of *big.Int
+func ElementArrayToBigIntArray(e []*ff.Element) []*big.Int {
+	var o []*big.Int
+	for i := range e {
+		ei := e[i]
+		bi := big.NewInt(0)
+		ei.ToBigIntRegular(bi)
+		o = append(o, bi)
+	}
+	return o
+}