From 7cd26a6a54bc10e120725fa30f31b8f5a2642d29 Mon Sep 17 00:00:00 2001
From: arnaucube <root@arnaucube.com>
Date: Wed, 24 Nov 2021 17:01:19 +0100
Subject: [PATCH] Absorb circuit implemented

---
 circuits/keccak256.circom             | 32 ++++++++++++++
 go-keccak256-bits-impl/keccak_test.go | 57 ++++++++++++++++++++++++
 test/circuits/absorb_test.circom      |  5 +++
 test/keccak256.js                     | 63 ++++++++++++++++++++++++---
 4 files changed, 150 insertions(+), 7 deletions(-)
 create mode 100644 test/circuits/absorb_test.circom

diff --git a/circuits/keccak256.circom b/circuits/keccak256.circom
index 51267a1..de9ae7d 100644
--- a/circuits/keccak256.circom
+++ b/circuits/keccak256.circom
@@ -65,6 +65,38 @@ template KeccakfRound(r) {
     }
 }
 
+template Absorb() {
+    var blockSizeBytes=136;
+
+    signal input s[25*64];
+    signal input block[blockSizeBytes*8];
+    signal output out[25*64];
+    var i;
+    var j;
+
+    component aux[blockSizeBytes/8];
+    component newS = Keccakf();
+
+    for (i=0; i<blockSizeBytes/8; i++) {
+        aux[i] = XorArray(64);
+        for (j=0; j<64; j++) {
+            aux[i].a[j] <== s[i*64+j];
+            aux[i].b[j] <== block[i*64+j];
+        }
+        for (j=0; j<64; j++) {
+            newS.in[i*64+j] <== aux[i].out[j];
+        }
+    }
+    // fill the missing s that was not covered by the loop over
+    // blockSizeBytes/8
+    for (i=(blockSizeBytes/8)*64; i<25*64; i++) {
+            newS.in[i] <== s[i];
+    }
+    for (i=0; i<25*64; i++) {
+        out[i] <== newS.out[i];
+    }
+}
+
 template Keccakf() {
     signal input in[25*64];
     signal output out[25*64];
diff --git a/go-keccak256-bits-impl/keccak_test.go b/go-keccak256-bits-impl/keccak_test.go
index 7605a7f..90d8595 100644
--- a/go-keccak256-bits-impl/keccak_test.go
+++ b/go-keccak256-bits-impl/keccak_test.go
@@ -2,6 +2,7 @@ package keccak
 
 import (
 	"encoding/hex"
+	"fmt"
 	"testing"
 
 	"github.com/ethereum/go-ethereum/crypto"
@@ -107,6 +108,62 @@ func TestKeccakf(t *testing.T) {
 			13518516210247555620})
 }
 
+func printBytes(name string, b []byte) {
+	fmt.Printf("%s\n", name)
+	for _, v := range b {
+		fmt.Printf("\"%v\", ", v)
+	}
+	fmt.Println("")
+}
+func printU64Array(name string, b []uint64) {
+	fmt.Printf("%s\n", name)
+	for _, v := range b {
+		fmt.Printf("\"%v\", ", v)
+	}
+	fmt.Println("")
+}
+
+func TestAbsorb(t *testing.T) {
+	s, _ := newS()
+	block := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+		16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+		1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128}
+	// printU64Array("s", bitsToU64Array(s[:]))
+	// printBytes("block", block[:])
+
+	absorbed := absorb(s, bytesToBits(block))
+	// printU64Array("absorbed", bitsToU64Array(absorbed[:]))
+
+	qt.Assert(t, bitsToU64Array(absorbed[:]), qt.DeepEquals,
+		[]uint64{8342348566319207042, 319359607942176202, 14410076088654599075,
+			15666111399434436772, 9558421567405313402, 3396178318116504023,
+			794353847439963108, 12717011319735989377, 3503398863218919239,
+			5517201702366862678, 15999361614129160496, 1325524015888689985,
+			11971708408118944333, 14874486179441062217, 12554876384974234666,
+			11129975558302206043, 11257826431949606534, 2740710607956478714,
+			15000019752453010167, 15593606854132419294, 2598425978562809333,
+			8872504799797239246, 1212062965004664308, 5443427421087086722,
+			10946808592826700411})
+
+	absorbed = absorb(absorbed, bytesToBits(block))
+	// printU64Array("absorbed", bitsToU64Array(absorbed[:]))
+
+	qt.Assert(t, bitsToU64Array(absorbed[:]), qt.DeepEquals,
+		[]uint64{8909243822027471379, 1111840847970088140,
+			12093072708540612559, 11255033638786021658, 2082116894939842214,
+			12821085060245261575, 6901785969834988344, 3182430130277914993,
+			2164708585929408975, 14402143231999718904, 16231444410553803968,
+			1850945423480060493, 12856855675247400303, 1137248620532111171,
+			7389129221921446308, 12932467982741614601, 1350606937385760406,
+			10983682292859713641, 10305595434820307765, 13958651111365489854,
+			17206620388135196198, 4238113785249530092, 7230868147643218103,
+			603011106238724524, 16480095441097880488})
+}
+
 func TestFinal(t *testing.T) {
 	b := make([]byte, 32)
 	for i := 0; i < len(b); i++ {
diff --git a/test/circuits/absorb_test.circom b/test/circuits/absorb_test.circom
new file mode 100644
index 0000000..7b7ca3d
--- /dev/null
+++ b/test/circuits/absorb_test.circom
@@ -0,0 +1,5 @@
+pragma circom 2.0.0;
+
+include "../../circuits/keccak256.circom";
+
+component main = Absorb();
diff --git a/test/keccak256.js b/test/keccak256.js
index 0cdf122..19199a9 100644
--- a/test/keccak256.js
+++ b/test/keccak256.js
@@ -350,12 +350,15 @@ describe("keccakfRound test", function () {
 describe("keccakf test", function () {
     this.timeout(100000);
 
-    it ("keccakf 1 (testvector generated from go)", async () => {
+    let cir;
+    before(async () => {
 	// const cir = await wasm_tester(path.join(__dirname, "circuits", "keccakf_test.circom"));
-	const cir = await c_tester(path.join(__dirname, "circuits", "keccakf_test.circom"));
+	cir = await c_tester(path.join(__dirname, "circuits", "keccakf_test.circom"));
 	await cir.loadConstraints();
 	console.log("n_constraints", cir.constraints.length);
+    });
 
+    it ("keccakf 1 (testvector generated from go)", async () => {
 	const input = [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24];
 	const expectedOut = strsToBigInts(["9472389783892099349", "2159377575142921216", "17826682512249813373", "2325963263767348549", "15086930817298358378", "11661812091723830419", "3517755057770134847", "5223775837645169598", "933274647126506074", "3451250694486589320", "825065683101361807", "6192414258352188799", "14426505790672879210", "3326742392640380689", "16749975585634164134", "17847697619892908514", "11598434253200954839", "6049795840392747215", "8610635351954084385", "18234131770974529925", "15330347418010067760", "12047099911907354591", "4763389569697138851", "6779624089296570504", "15083668107635345971"]);
 
@@ -371,11 +374,6 @@ describe("keccakf test", function () {
     });
 
     it ("keccakf 2 (testvector generated from go)", async () => {
-	// const cir = await wasm_tester(path.join(__dirname, "circuits", "keccakf_test.circom"));
-	const cir = await c_tester(path.join(__dirname, "circuits", "keccakf_test.circom"));
-	await cir.loadConstraints();
-	console.log("n_constraints", cir.constraints.length);
-
 	const input = strsToBigInts(["9472389783892099349", "2159377575142921216", "17826682512249813373", "2325963263767348549", "15086930817298358378", "11661812091723830419", "3517755057770134847", "5223775837645169598", "933274647126506074", "3451250694486589320", "825065683101361807", "6192414258352188799", "14426505790672879210", "3326742392640380689", "16749975585634164134", "17847697619892908514", "11598434253200954839", "6049795840392747215", "8610635351954084385", "18234131770974529925", "15330347418010067760", "12047099911907354591", "4763389569697138851", "6779624089296570504", "15083668107635345971"]);
 	const expectedOut = strsToBigInts(["269318771259381490", "15892848561416382510", "12485559500958802382", "4360182510883008729", "14284025675983944434", "8800366419087562177", "7881853509112258378", "9503857914080778528", "17110477940977988953", "13825318756568052601", "11460650932194163315", "13272167288297399439", "13599957064256729412", "12730838251751851758", "13736647180617564382", "5651695613583298166", "15496251216716036782", "9748494184433838858", "3637745438296580159", "3821184813198767406", "15603239432236101315", "3726326332491237029", "7819962668913661099", "2285898735263816116", "13518516210247555620"]);
 
@@ -390,3 +388,54 @@ describe("keccakf test", function () {
 	assert.deepEqual(stateOutU64, expectedOut);
     });
 });
+
+describe("absorb test", function () {
+    this.timeout(100000);
+
+    let cir;
+
+    before(async () => {
+	// const cir = await wasm_tester(path.join(__dirname, "circuits", "keccakf_test.circom"));
+	cir = await c_tester(path.join(__dirname, "circuits", "absorb_test.circom"));
+	await cir.loadConstraints();
+	console.log("n_constraints", cir.constraints.length);
+    });
+
+    it ("absorb 1 (testvector generated from go)", async () => {
+	const s = strsToBigInts(["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24"]);
+
+	const block = strsToBigInts(["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24", "25", "26", "27", "28","29", "30", "31", "1", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0","0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "128"]);
+
+	const expectedOut = strsToBigInts(["8342348566319207042", "319359607942176202", "14410076088654599075", "15666111399434436772", "9558421567405313402", "3396178318116504023", "794353847439963108", "12717011319735989377", "3503398863218919239", "5517201702366862678", "15999361614129160496", "1325524015888689985", "11971708408118944333", "14874486179441062217", "12554876384974234666", "11129975558302206043", "11257826431949606534", "2740710607956478714", "15000019752453010167", "15593606854132419294", "2598425978562809333","8872504799797239246", "1212062965004664308", "5443427421087086722", "10946808592826700411"]);
+
+	const sIn = u64ArrayToBits(s);
+	const blockIn = bytesToBits(block);
+	const expectedOutBits = u64ArrayToBits(expectedOut);
+
+	const witness = await cir.calculateWitness({ "s": sIn, "block": blockIn }, true);
+
+	const stateOut = witness.slice(1, 1+(25*64));
+	const stateOutU64 = bitsToU64Array(stateOut);
+	// console.log(stateOutU64, expectedOut);
+	assert.deepEqual(stateOutU64, expectedOut);
+    });
+
+    it ("absorb 2 (testvector generated from go)", async () => {
+	const s = strsToBigInts(["8342348566319207042", "319359607942176202", "14410076088654599075", "15666111399434436772", "9558421567405313402", "3396178318116504023", "794353847439963108", "12717011319735989377", "3503398863218919239", "5517201702366862678", "15999361614129160496", "1325524015888689985", "11971708408118944333", "14874486179441062217", "12554876384974234666", "11129975558302206043", "11257826431949606534", "2740710607956478714", "15000019752453010167", "15593606854132419294", "2598425978562809333","8872504799797239246", "1212062965004664308", "5443427421087086722", "10946808592826700411"]);
+
+	const block = strsToBigInts(["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24", "25", "26", "27", "28","29", "30", "31", "1", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0","0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "128"]);
+
+	const expectedOut = strsToBigInts(["8909243822027471379", "1111840847970088140", "12093072708540612559", "11255033638786021658", "2082116894939842214", "12821085060245261575", "6901785969834988344", "3182430130277914993", "2164708585929408975", "14402143231999718904", "16231444410553803968", "1850945423480060493", "12856855675247400303", "1137248620532111171", "7389129221921446308", "12932467982741614601", "1350606937385760406", "10983682292859713641", "10305595434820307765", "13958651111365489854", "17206620388135196198", "4238113785249530092", "7230868147643218103", "603011106238724524", "16480095441097880488"]);
+
+	const sIn = u64ArrayToBits(s);
+	const blockIn = bytesToBits(block);
+	const expectedOutBits = u64ArrayToBits(expectedOut);
+
+	const witness = await cir.calculateWitness({ "s": sIn, "block": blockIn }, true);
+
+	const stateOut = witness.slice(1, 1+(25*64));
+	const stateOutU64 = bitsToU64Array(stateOut);
+	// console.log(stateOutU64, expectedOut);
+	assert.deepEqual(stateOutU64, expectedOut);
+    });
+});