
  1. /*
  2. Copyright 2018 0KIMS association.
  3. This file is part of circom (Zero Knowledge Circuit Compiler).
  4. circom is a free software: you can redistribute it and/or modify it
  5. under the terms of the GNU General Public License as published by
  6. the Free Software Foundation, either version 3 of the License, or
  7. (at your option) any later version.
  8. circom is distributed in the hope that it will be useful, but WITHOUT
  9. ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  10. or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
  11. License for more details.
  12. You should have received a copy of the GNU General Public License
  13. along with circom. If not, see <https://www.gnu.org/licenses/>.
  14. */
  15. pragma circom 2.0.0;
  16. include "constants.circom";
  17. include "t1.circom";
  18. include "t2.circom";
  19. include "../binsum.circom";
  20. include "sigmaplus.circom";
  21. include "sha256compression_function.circom";
/*
 * SHA-256 compression function over bit signals (64 rounds).
 *
 * Inputs:
 *   hin[256] - the eight 32-bit chaining words H0..H7. Word i occupies
 *              hin[32*i .. 32*i+31] and is consumed in the same per-word bit
 *              order as the working variables (a[0][k] <== hin[k]).
 *   inp[512] - the 512-bit message block. Word t occupies
 *              inp[32*t .. 32*t+31] and is read with index 31-k, i.e. in the
 *              reverse per-word bit order of hin.
 * Output:
 *   out[256] - the new chaining value. It is written with index 31-k, so its
 *              per-word bit order matches inp and is the reverse of hin.
 *              A caller that feeds one block's out into the next block's hin
 *              has to account for this asymmetry (presumably handled in the
 *              enclosing sha256 template; verify there).
 *
 * Soundness notes:
 *   - out is first filled with `<--` from the unconstrained helper
 *     sha256compression(); that is only a witness hint. The `===` block at
 *     the end ties every bit of out to the constrained fsum outputs, so the
 *     hint and the final equality block must be kept together — drop the
 *     equalities and out becomes prover-controlled.
 *   - Nothing in this template constrains hin or inp to {0,1}. BinSum, T1,
 *     T2 and SigmaPlus are bit-level gadgets and are presumably only sound
 *     on binary inputs, so bit-ness must be enforced by the caller (e.g. via
 *     Num2Bits). NOTE(review): confirm at every instantiation site.
 */
template Sha256compression() {
    signal input hin[256];
    signal input inp[512];
    signal output out[256];
    // Working variables per round: index t is the state entering round t,
    // index 64 is the state after the last round.
    signal a[65][32];
    signal b[65][32];
    signal c[65][32];
    signal d[65][32];
    signal e[65][32];
    signal f[65][32];
    signal g[65][32];
    signal h[65][32];
    // Message schedule words W0..W63 as 32 bit signals each.
    signal w[64][32];
    // Witness hint only: computed out of circuit, constrained below by `===`.
    var outCalc[256] = sha256compression(hin, inp);
    var i;
    for (i=0; i<256; i++) out[i] <-- outCalc[i];
    // 48 schedule expansions for W16..W63.
    component sigmaPlus[48];
    for (i=0; i<48; i++) sigmaPlus[i] = SigmaPlus();
    // Round constants K[t] as bit components (see constants.circom).
    component ct_k[64];
    for (i=0; i<64; i++) ct_k[i] = K(i);
    component t1[64];
    for (i=0; i<64; i++) t1[i] = T1();
    component t2[64];
    for (i=0; i<64; i++) t2[i] = T2();
    // 32-bit two-operand adders: a_{t+1} = T1 + T2, e_{t+1} = d + T1.
    component suma[64];
    for (i=0; i<64; i++) suma[i] = BinSum(32, 2);
    component sume[64];
    for (i=0; i<64; i++) sume[i] = BinSum(32, 2);
    // Final feed-forward adders: H_i + working variable i.
    component fsum[8];
    for (i=0; i<8; i++) fsum[i] = BinSum(32, 2);
    var k;
    var t;
    // Message schedule. The first 16 words are the block itself, read in
    // reverse per-word bit order (31-k); the rest come from SigmaPlus over
    // W[t-2], W[t-7], W[t-15], W[t-16] (the standard SHA-256 schedule
    // dependencies; the sigma/addition logic itself lives in sigmaplus.circom).
    for (t=0; t<64; t++) {
        if (t<16) {
            for (k=0; k<32; k++) {
                w[t][k] <== inp[t*32+31-k];
            }
        } else {
            for (k=0; k<32; k++) {
                sigmaPlus[t-16].in2[k] <== w[t-2][k];
                sigmaPlus[t-16].in7[k] <== w[t-7][k];
                sigmaPlus[t-16].in15[k] <== w[t-15][k];
                sigmaPlus[t-16].in16[k] <== w[t-16][k];
            }
            for (k=0; k<32; k++) {
                w[t][k] <== sigmaPlus[t-16].out[k];
            }
        }
    }
    // Load the initial state from hin; note: no 31-k reversal here, unlike
    // inp above and out below.
    for (k=0; k<32; k++ ) {
        a[0][k] <== hin[k];
        b[0][k] <== hin[32*1 + k];
        c[0][k] <== hin[32*2 + k];
        d[0][k] <== hin[32*3 + k];
        e[0][k] <== hin[32*4 + k];
        f[0][k] <== hin[32*5 + k];
        g[0][k] <== hin[32*6 + k];
        h[0][k] <== hin[32*7 + k];
    }
    // 64 rounds. T1 is fed h, e, f, g, K[t], W[t]; T2 is fed a, b, c.
    for (t = 0; t<64; t++) {
        for (k=0; k<32; k++) {
            t1[t].h[k] <== h[t][k];
            t1[t].e[k] <== e[t][k];
            t1[t].f[k] <== f[t][k];
            t1[t].g[k] <== g[t][k];
            t1[t].k[k] <== ct_k[t].out[k];
            t1[t].w[k] <== w[t][k];
            t2[t].a[k] <== a[t][k];
            t2[t].b[k] <== b[t][k];
            t2[t].c[k] <== c[t][k];
        }
        // e_{t+1} = d_t + T1,  a_{t+1} = T1 + T2 (mod 2^32 via BinSum(32, 2)).
        for (k=0; k<32; k++) {
            sume[t].in[0][k] <== d[t][k];
            sume[t].in[1][k] <== t1[t].out[k];
            suma[t].in[0][k] <== t1[t].out[k];
            suma[t].in[1][k] <== t2[t].out[k];
        }
        // Rotate the working variables into the next round's state.
        for (k=0; k<32; k++) {
            h[t+1][k] <== g[t][k];
            g[t+1][k] <== f[t][k];
            f[t+1][k] <== e[t][k];
            e[t+1][k] <== sume[t].out[k];
            d[t+1][k] <== c[t][k];
            c[t+1][k] <== b[t][k];
            b[t+1][k] <== a[t][k];
            a[t+1][k] <== suma[t].out[k];
        }
    }
    // Feed-forward: new H_i = old H_i + final working variable i.
    for (k=0; k<32; k++) {
        fsum[0].in[0][k] <== hin[32*0+k];
        fsum[0].in[1][k] <== a[64][k];
        fsum[1].in[0][k] <== hin[32*1+k];
        fsum[1].in[1][k] <== b[64][k];
        fsum[2].in[0][k] <== hin[32*2+k];
        fsum[2].in[1][k] <== c[64][k];
        fsum[3].in[0][k] <== hin[32*3+k];
        fsum[3].in[1][k] <== d[64][k];
        fsum[4].in[0][k] <== hin[32*4+k];
        fsum[4].in[1][k] <== e[64][k];
        fsum[5].in[0][k] <== hin[32*5+k];
        fsum[5].in[1][k] <== f[64][k];
        fsum[6].in[0][k] <== hin[32*6+k];
        fsum[6].in[1][k] <== g[64][k];
        fsum[7].in[0][k] <== hin[32*7+k];
        fsum[7].in[1][k] <== h[64][k];
    }
    // The constraints that make the `<--` hint above sound: every bit of out
    // must equal the corresponding constrained adder output. Written with the
    // 31-k reversal so out's per-word bit order matches inp (not hin).
    for (k=0; k<32; k++) {
        out[31-k] === fsum[0].out[k];
        out[32+31-k] === fsum[1].out[k];
        out[64+31-k] === fsum[2].out[k];
        out[96+31-k] === fsum[3].out[k];
        out[128+31-k] === fsum[4].out[k];
        out[160+31-k] === fsum[5].out[k];
        out[192+31-k] === fsum[6].out[k];
        out[224+31-k] === fsum[7].out[k];
    }
}