You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
208 lines
5.0 KiB
208 lines
5.0 KiB
pragma circom 2.0.0;
|
|
|
|
include "./poseidon_constants.circom";
|
|
|
|
template Sigma() {
|
|
signal input in;
|
|
signal output out;
|
|
|
|
signal in2;
|
|
signal in4;
|
|
|
|
in2 <== in*in;
|
|
in4 <== in2*in2;
|
|
|
|
out <== in4*in;
|
|
}
|
|
|
|
template Ark(t, C, r) {
|
|
signal input in[t];
|
|
signal output out[t];
|
|
|
|
for (var i=0; i<t; i++) {
|
|
out[i] <== in[i] + C[i + r];
|
|
}
|
|
}
|
|
|
|
template Mix(t, M) {
|
|
signal input in[t];
|
|
signal output out[t];
|
|
|
|
var lc;
|
|
for (var i=0; i<t; i++) {
|
|
lc = 0;
|
|
for (var j=0; j<t; j++) {
|
|
lc += M[j][i]*in[j];
|
|
}
|
|
out[i] <== lc;
|
|
}
|
|
}
|
|
|
|
template MixLast(t, M, s) {
|
|
signal input in[t];
|
|
signal output out;
|
|
|
|
var lc = 0;
|
|
for (var j=0; j<t; j++) {
|
|
lc += M[j][s]*in[j];
|
|
}
|
|
out <== lc;
|
|
}
|
|
|
|
template MixS(t, S, r) {
|
|
signal input in[t];
|
|
signal output out[t];
|
|
|
|
|
|
var lc = 0;
|
|
for (var i=0; i<t; i++) {
|
|
lc += S[(t*2-1)*r+i]*in[i];
|
|
}
|
|
out[0] <== lc;
|
|
for (var i=1; i<t; i++) {
|
|
out[i] <== in[i] + in[0] * S[(t*2-1)*r + t + i -1];
|
|
}
|
|
}
|
|
|
|
template PoseidonEx(nInputs, nOuts) {
|
|
signal input inputs[nInputs];
|
|
signal input initialState;
|
|
signal output out[nOuts];
|
|
|
|
// Using recommended parameters from whitepaper https://eprint.iacr.org/2019/458.pdf (table 2, table 8)
|
|
// Generated by https://extgit.iaik.tugraz.at/krypto/hadeshash/-/blob/master/code/calc_round_numbers.py
|
|
// And rounded up to nearest integer that divides by t
|
|
var N_ROUNDS_P[16] = [56, 57, 56, 60, 60, 63, 64, 63, 60, 66, 60, 65, 70, 60, 64, 68];
|
|
var t = nInputs + 1;
|
|
var nRoundsF = 8;
|
|
var nRoundsP = N_ROUNDS_P[t - 2];
|
|
var C[t*nRoundsF + nRoundsP] = POSEIDON_C(t);
|
|
var S[ N_ROUNDS_P[t-2] * (t*2-1) ] = POSEIDON_S(t);
|
|
var M[t][t] = POSEIDON_M(t);
|
|
var P[t][t] = POSEIDON_P(t);
|
|
|
|
component ark[nRoundsF];
|
|
component sigmaF[nRoundsF][t];
|
|
component sigmaP[nRoundsP];
|
|
component mix[nRoundsF-1];
|
|
component mixS[nRoundsP];
|
|
component mixLast[nOuts];
|
|
|
|
|
|
ark[0] = Ark(t, C, 0);
|
|
for (var j=0; j<t; j++) {
|
|
if (j>0) {
|
|
ark[0].in[j] <== inputs[j-1];
|
|
} else {
|
|
ark[0].in[j] <== initialState;
|
|
}
|
|
}
|
|
|
|
for (var r = 0; r < nRoundsF\2-1; r++) {
|
|
for (var j=0; j<t; j++) {
|
|
sigmaF[r][j] = Sigma();
|
|
if(r==0) {
|
|
sigmaF[r][j].in <== ark[0].out[j];
|
|
} else {
|
|
sigmaF[r][j].in <== mix[r-1].out[j];
|
|
}
|
|
}
|
|
|
|
ark[r+1] = Ark(t, C, (r+1)*t);
|
|
for (var j=0; j<t; j++) {
|
|
ark[r+1].in[j] <== sigmaF[r][j].out;
|
|
}
|
|
|
|
mix[r] = Mix(t,M);
|
|
for (var j=0; j<t; j++) {
|
|
mix[r].in[j] <== ark[r+1].out[j];
|
|
}
|
|
|
|
}
|
|
|
|
for (var j=0; j<t; j++) {
|
|
sigmaF[nRoundsF\2-1][j] = Sigma();
|
|
sigmaF[nRoundsF\2-1][j].in <== mix[nRoundsF\2-2].out[j];
|
|
}
|
|
|
|
ark[nRoundsF\2] = Ark(t, C, (nRoundsF\2)*t );
|
|
for (var j=0; j<t; j++) {
|
|
ark[nRoundsF\2].in[j] <== sigmaF[nRoundsF\2-1][j].out;
|
|
}
|
|
|
|
mix[nRoundsF\2-1] = Mix(t,P);
|
|
for (var j=0; j<t; j++) {
|
|
mix[nRoundsF\2-1].in[j] <== ark[nRoundsF\2].out[j];
|
|
}
|
|
|
|
|
|
for (var r = 0; r < nRoundsP; r++) {
|
|
sigmaP[r] = Sigma();
|
|
if (r==0) {
|
|
sigmaP[r].in <== mix[nRoundsF\2-1].out[0];
|
|
} else {
|
|
sigmaP[r].in <== mixS[r-1].out[0];
|
|
}
|
|
|
|
mixS[r] = MixS(t, S, r);
|
|
for (var j=0; j<t; j++) {
|
|
if (j==0) {
|
|
mixS[r].in[j] <== sigmaP[r].out + C[(nRoundsF\2+1)*t + r];
|
|
} else {
|
|
if (r==0) {
|
|
mixS[r].in[j] <== mix[nRoundsF\2-1].out[j];
|
|
} else {
|
|
mixS[r].in[j] <== mixS[r-1].out[j];
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
for (var r = 0; r < nRoundsF\2-1; r++) {
|
|
for (var j=0; j<t; j++) {
|
|
sigmaF[nRoundsF\2 + r][j] = Sigma();
|
|
if (r==0) {
|
|
sigmaF[nRoundsF\2 + r][j].in <== mixS[nRoundsP-1].out[j];
|
|
} else {
|
|
sigmaF[nRoundsF\2 + r][j].in <== mix[nRoundsF\2+r-1].out[j];
|
|
}
|
|
}
|
|
|
|
ark[ nRoundsF\2 + r + 1] = Ark(t, C, (nRoundsF\2+1)*t + nRoundsP + r*t );
|
|
for (var j=0; j<t; j++) {
|
|
ark[nRoundsF\2 + r + 1].in[j] <== sigmaF[nRoundsF\2 + r][j].out;
|
|
}
|
|
|
|
mix[nRoundsF\2 + r] = Mix(t,M);
|
|
for (var j=0; j<t; j++) {
|
|
mix[nRoundsF\2 + r].in[j] <== ark[nRoundsF\2 + r + 1].out[j];
|
|
}
|
|
|
|
}
|
|
|
|
for (var j=0; j<t; j++) {
|
|
sigmaF[nRoundsF-1][j] = Sigma();
|
|
sigmaF[nRoundsF-1][j].in <== mix[nRoundsF-2].out[j];
|
|
}
|
|
|
|
for (var i=0; i<nOuts; i++) {
|
|
mixLast[i] = MixLast(t,M,i);
|
|
for (var j=0; j<t; j++) {
|
|
mixLast[i].in[j] <== sigmaF[nRoundsF-1][j].out;
|
|
}
|
|
out[i] <== mixLast[i].out;
|
|
}
|
|
|
|
}
|
|
|
|
template Poseidon(nInputs) {
|
|
signal input inputs[nInputs];
|
|
signal output out;
|
|
|
|
component pEx = PoseidonEx(nInputs, 1);
|
|
pEx.initialState <== 0;
|
|
for (var i=0; i<nInputs; i++) {
|
|
pEx.inputs[i] <== inputs[i];
|
|
}
|
|
out <== pEx.out[0];
|
|
}
|